On expanding protocol conformance checking to exception handling

Abstract

Components or services must often be compliant to organizatorial or legal regulations. Furthermore, they should avoid unwanted behaviour such as abortion of the execution of a service without notification of the client. Violation of both might happen due to unintended uses of services. In general, the intention is specified by contracts. In this work, we consider a special form of contracts: service protocols. These specify for a service legal sequences of operation calls. We propose an approach for checking whether such protocols are obeyed in a service composition. For this, it is necessary to define a conservative abstraction of the behaviour of service-oriented systems and a contract based on interactions (named service protocol) to be verified. In our previous work, we have modelled unbound concurrency, unbound recursion, and synchronization. This article briefly presents the previous results and extends them by exception handling mechanisms. In particular, it takes into account that the execution of service may raise an exception and allows the clients to react on the exception.

Appendix A: Proof of Theorem 1

This appendix contains the complete proof of Theorem 1 and the formalization of the notion of top-of-stack elements. Before Theorem 1 is being proven, we have to introduce some notions and properties of these notions to be used in the proof. The first subsection discusses properties of process-algebraic expressions in general and shows formally how process rewrite rules are applied. The second subsection discusses properties of the Combined Abstraction \(K\) of PRS \(U_s\) and a protocol \(A_s\). In particular, process-algebraic expressions of \(K\) are related to process-algebraic expressions of \(U_s\) and protocol states of \(A_s\). The last subsection contains the proof of Theorem 1.

1.1 A.1 Properties of process-algebraic expressions

Let \(Q\) be a set of atomic processes and \(e \in {\textit{PEX}}(Q)\) be a process-algebraic expression over \(Q\). Although the operators . and \(\parallel \) are associative, we assume for the purpose of this appendix a left associative bracketing. Furthermore, we assume that expressions containing the empty process are being simplified.

An occurrence is a finite sequence \(o \in \{ 0,1 \}^{*}\). Figure 14 shows some notations on occurrences. \(\mathsf {+\!\!+}\) is an associative operator with identity \([]\).

Fig. 14

Some notions on sequences

Occurrences are used to navigate in process-algebraic expressions, to denote specific sub-expressions, and to replace specific sub-expressions by other sub-expressions. The following definitions are the usual definitions used for general terms over a given signature and are specialized to process-algebraic expressions.

Definition 1

(Navigation by Occurrences) Let \(Q\) be a set of atomic expressions and \(\bot \not \in Q\) (it represents the symbol for undefined). The subexpression of \(e \in {\textit{PEX}}(Q)\) at occurrence \(o \in \{ 0, 1 \}^{*}\) is a process-algebraic expression \(e[o] \in {\textit{PEX}}(Q)\) inductively defined as follows:

1. (i)

   \(\varepsilon [o]\triangleq \bot \) and \(q[o]\triangleq \bot \) for \(q \in Q,\,o \ne []\)

2. (ii)

   \(e[[]] \triangleq e\) for \(e \ne \varepsilon \)

3. (iii)

   \((e_1 \circ e_2)[0:o] \triangleq e_1[o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)

4. (iv)

   \((e_1 \circ e_2)[1:o] \triangleq e_2[o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)

Definition 2

(Replacement) Let \(Q\) be a set of atomic expressions, \(e \in {\textit{PEX}}(Q)\) and \(o \in \{ 0,1 \}^{*}\) be such that \(e[o] \ne \bot \). The replacement of \(e\) at \(o\) by \(e'\in {\textit{PEX}}(Q)\) is a process-algebraic expression \(e[e'/o] \in {\textit{PEX}}(Q)\) inductively defined by:

1. (i)

   \(e[e'/[]] \triangleq e'\)

2. (ii)

   \((e_1 \circ e_2)[e'/0:o] \triangleq e_1[e'/o] \circ e_2\) for \(e_1,e_2 \ne \varepsilon ,\circ \in \{ . , \parallel \}\)

3. (iii)

   \((e_1 \circ e_2)[1:o] \triangleq e_1\circ e_2[e'/o]\) for \(e_1,e_2 \ne \varepsilon ,\,\circ \in \{ . , \parallel \}\)

Example 6

(Occurrences) Let \(e \triangleq (((q_{28}\!\!\parallel \!\!q_{23}).q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\). Then, \(e[[0,0,0,0,0,0,0]]=q_{28}\), \(e[[0,0,0,0,0,0,1]]=q_{21}, \,e[[0,0,1]]=q_{\mathsf{Exc}_1},e[[1,1]]=\bot ,\,e[[0,0,0]]=(q_{28}\!\!\parallel \!\!q_{21}).q_{32}.q_9)\), and \(e[[0,0,0,0,0,0]]=q_{28}\!\!\parallel \!\!q_{23}\). Furthermore \(e[q_{29}/[0,0,0,0,0,0])=((q_{29}.q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\).

Figure 15 shows the expression tree of the expression in Example 6 and the result of the replacement. In general, an occurrence \(o\) defines a path in \(e \in {\textit{PEX}}(Q)\) from the root to a sub-tree, \(e[o]\) is the expression corresponding to this sub-tree and \(e[e'/o]\) replaces this subtree by the tree corresponding to expression \(e'\).

Fig. 15

Expression tree and cactus stack to \((((q_{28}\!\!\parallel \!\!q_{21}).q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\), an occurrence, and its replacement

Informally, Proposition 1(i) states that if \(e\) is replaced by \(e'\) at \(o\) then each occurrence \(\bar{o}\) with prefix \(o\) refers to a subexpression of \(e'\), in particular to those where \(o'\) is the suffix obtained by removing \(\bar{o}\) from \(o\). Note that \(o\) refers to the root of \(e'\). Proposition 1(ii) states that replacing twice an expression by a sub-expression, the last replacement overrides the first replacement. Proposition 1(iii) states that if an expression is replaced at occurrence \(o\) the sub-expression of \(e\) at \(o\), then \(e\) remains unchanged. Proposition 1(iv) states that a sub-expression at an occurrence \(o'\) is independent of a replacement if \(o'\) does not refer to a sub-tree of \(o\). Note that \(o'\) refers to a sub-tree of \(e[o]\) iff \(o \sqsubseteq o'\). Proposition 1(v) states for this case, the replacements can be exchanged.

Proposition 1

(Properties of Occurrences and Replacements) Let \(Q\) be a set of atomic processes, \(e,e',e'' \in {\textit{PEX}}(Q)\) be process-algebraic expressions over \(Q\), and \(o,o' \in \{0, 1 \}^*\) such that \(e[o]\ne \bot \) and \(e[o'] \ne \bot \). Then, the following properties hold:

1. (i)

   \(e[e'/o][o\mathsf {+\!\!+}o']=e'[o']\). In particular \(e[e'/o][o]=e'\).

2. (ii)

   \(e[e'/o][e''/o]=e[e''/o]\)

3. (iii)

   If \(e[o]=e'\) then \(e[e'/o]=e\)

4. (iv)

   If \(o \not \sqsubseteq o'\) and \(o' \not \sqsubseteq o\) then \(e[e'/o][o']=e[o']\)

5. (v)

   If \(o \not \sqsubseteq o'\) and \(o' \not \sqsubseteq o\) then \(e[e'/o][/e''/o']=e[e''/o'][e'/o]\)

Proof

(i) The proof is by induction on \(o\)

• Case 1: \(o=[]\). Then,

  $$\begin{aligned} \begin{array}{lll} e[e'/[]][[]\mathsf {+\!\!+}o'] &{}=e[e'/[]][o'] &{} \quad []~\text {is identitiy of}~\mathsf {+\!\!+}\\ &{}= e'[o] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^{*}\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,

  $$\begin{aligned} \begin{array}{ll} (e_1\circ e_2)[e'/0:\bar{o}][(0:\bar{o})\mathsf {+\!\!+}o'] \\ \quad = (e_1\circ e_2)[e'/0:\bar{o}][0:(\bar{o}\mathsf {+\!\!+}o')] &{}\quad \text {associativity of}~\mathsf {+\!\!+}\\ \quad =(e_1[e'/\bar{o}] \circ e_2)[0:(\bar{o}\mathsf {+\!\!+}o')] &{}\quad \text {Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][\bar{o}\mathsf {+\!\!+}o'] &{}\quad \text {by Definition 1(iii)}\\ \quad =e'[o'] &{}\quad \text {by induction hypothesis} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^{*}\). The proof is analogous to Case 2.

(ii) The claim is proved by induction on \(o\).

• Case 1: \(o=[]\). Then,

  $$\begin{aligned} \begin{array}{lll} e[e'/[]][e''/[]] &{}= e'' &{} \quad \text {by Definition 2(i)}\\ &{}= e[e''/[]] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$

• Case 2: \(o=0:\bar{o}\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,

  $$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/0:\bar{o}] \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1[e'/\bar{o}][e''/\bar{o}] \circ e_2) &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1[e''/\bar{o}] \circ e_2) &{}\quad \text {by induction hypothesis}\\ \quad =(e_1 \circ e_2)[e''/0:\bar{o}] &{}\quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.

(iii) Let be \(e[o]=e'\). Then, it must be shown that \(e[e'/o]=e\). The proof is also an induction on \(o\).

• Case 1: \(o=[]\). Then, it holds

  $$\begin{aligned} \begin{array}{lll} e[e'/[]] &{}= e' &{} \quad \text {by Definition 2(i)}\\ &{}=e[[]] &{}\quad \text {since}~e[o]=e'\\ &{}=e &{}\quad \text {by Definition 1(ii)} \end{array} \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Hence,

  $$\begin{aligned} \begin{array}{lll} e_1[\bar{o}] &{}=(e_1.e_2)[0:\bar{o}] &{}\quad \text {by Definition 1(iii)}\\ &{}=e' &{}\quad \text {since}~e[o]=e'. \end{array} \end{aligned}$$

  Thus, by induction hypothesis it is \(e_1[e'/\bar{o}]=e_1\). Then, it holds:

  $$\begin{aligned} \begin{array}{lll} (e_1 \circ e_2)[e'/0:\bar{o}] &{}= (e_1[e'/\bar{o}] \circ e_2) &{}\quad \text {by Definition 2(ii)}\\ &{}= e_1 \circ e_2 &{} \quad \text {by induction hypothesis} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.

(iv) The proof is by induction on the longest common prefix of \(o\) and \(o'\).

• Case 1: \([]\) is the longest common prefix of \(o\) and \(o'\). Then, it is \(o=[c_1:\bar{o}]\) and \(o'=[c_2:\bar{\hat{o}}]\) for \(c_1,c_2 \in \{ 0,1 \},\,c_1 \ne c_2,\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\). Since \(e[o] \ne \bot \), it is \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Let be \(c_1=0\) and \(c_2=1\) (the case \(c_1=1\) and \(c_2=0\) is proven analogously). Then,

  $$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][1:\hat{o}] &{}\\ \quad = (e_1[e'/\bar{o}] \circ e_2)[1:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =e_2[\hat{o}] &{}\quad \text {by Definition 1(iv)}\\ \quad =(e_1 \circ e_2)[1:\hat{o}] &{}\quad \text {by Definition 1(iv)} \end{array} \end{aligned}$$

• Case 2: The longest common prefix of \(o\) is \(c:o''\) for a \(o'' \in \{ 0, 1 \}^*\). Then, it is \(o=[c:\bar{o}]\) and \(o'=[c:\bar{\hat{o}}],\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\) and \(o''\) is the longest common prefix of \(\bar{o}\) and \(\hat{o}\). We prove the case \(c=0\) (the case \(c=1\) is proven analogously):

  $$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][0:\hat{o}] &{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[0:\hat{o}]&{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][\hat{o}]&{}\quad \text {by Definition 1(iii)}\\ \quad =e_1[\hat{o}] &{}\quad \text {by induction hypothesis}\\ \quad =(e_1 \circ e_2)[0:\hat{o}] &{}\quad \text {by Definition 1(iii)} \end{array} \end{aligned}$$

(v) The proof is also by induction on the longest common prefix of \(o\) and \(o'\).

• Case 1: \([]\) is the longest common prefix of \(o\) and \(o'\). Then, it is \(o=[c_1:\bar{o}]\) and \(o'=[c_2:\bar{\hat{o}}]\) for \(c_1,c_2 \in \{ 0,1 \},\,c_1 \ne c_2,\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\). Since \(e[o] \ne \bot \), it is \(e=e_1 \circ e_2\) for a \(\circ \in \{ . , \parallel \}\). Let be \(c_1=0\) and \(c_2=1\) (the case \(c_1=1\) and \(c_2=0\) is proven analogously). Then,

  $$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/1:\hat{o}] &{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/1:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad = (e_1[e'/\bar{o}] \circ e_2[e''/ \hat{o}]) &{}\quad \text {by Definition 2(iii)}\\ \quad = (e_1 \circ e_2[e''/\hat{o}])[e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad = (e_1 \circ e_2)[e''/1:\hat{o}][e'/0:\bar{o}] &{}\quad \text {by Definition 2(iii)} \end{array} \end{aligned}$$

• Case 2: The longest common prefix of \(o\) is \(c:o''\) for a \(o'' \in \{ 0, 1 \}^*\). Then, \(o=[c:\bar{o}]\) and \(o'=[c:\bar{\hat{o}}]\,\bar{o}, \hat{o} \in \{ 0, 1 \}^*\) and \(o''\) is the longest common prefix of \(\bar{o}\) and \(\hat{o}\). We prove the case \(c=0\) (the case \(c=1\) is proven analogously):

  $$\begin{aligned} \begin{array}{ll} (e_1 \circ e_2)[e'/0:\bar{o}][e''/0:\hat{o}]&{} \\ \quad = (e_1[e'/\bar{o}] \circ e_2)[e''/0:\hat{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e'/\bar{o}][e''/\hat{o}] \circ e_2 &{}\quad \text {by Definition 2(ii)}\\ \quad =e_1[e''/\hat{o}][e'/\bar{o}] \circ e_2 &{}\quad \text {by induction hypothesis}\\ \quad =(e_1[e''/\hat{o}] \circ e_2)[e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)}\\ \quad =(e_1 \circ e_2)[e''/0:\hat{o}][e'/0:\bar{o}] &{}\quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$

\(\square \)

The following definition defines for process-algebraic expressions the occurrences for the top-of-stack elements of the corresponding cactus stacks, respectively.

Definition 3

(Top-of-Stack Occurrences) Let \(Q\) be a set of atomic processes and \(e \in {\textit{PEX}}(Q)\). The set \({\textit{TOP}}(e)\) of top-of-stack occurrences of \(e\) is inductively defined by:

1. (i)

   \({\textit{TOP}}(\varepsilon ) \triangleq \emptyset \)

2. (ii)

   \({\textit{TOP}}(q) \triangleq \{ [] \}\) for \(q \in Q\)

3. (iii)

   \({\textit{TOP}}(e_1.e_2) \triangleq 0: {\textit{TOP}}(e_1)\)

4. (iv)

   \({\textit{TOP}}(e_1\!\!\parallel \!\!e_2) \triangleq (0: {\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2))\)

Example 7

(Top-of-Stack Elements) For the process-algebraic expression \(e \triangleq (((q_{28}\!\!\parallel \!\!q_{23}).q_{32}.q_9) \!\!\parallel \!\!q_{\mathsf{Exc}_1}).q_{16}. q_{35}.q_3\), it is

$$\begin{aligned}&{\textit{TOP}}(e) =\nonumber \\&\quad \{ [0,0,0,0,0,0,0], [0,0,0,0,0,0,1],[0,0,0,1] \}. \end{aligned}$$

This expression corresponds to the cactus stack in Fig. 15c.

Proposition 2 defines some properties on top-of-stack elements. The first property states that if an expression \(e\) is replaced at a occurrence \(o\) by a sub-expression \(e'\) and \(e[o]\) contains top-of-stack elements, a top-of-stack element of \(e[e'/o]\) is a top-of-stack element of \(e\) outside of \(e[o]\) or a top-of-stack element of \(e'\) (adjusted for \(e[/e'/o]\)). The second property states that if \(e[o]\) doesn’t contain top-of-stack elements then the top-of-stack elements of \(e\) are not affected by replacements at \(o\). Furthermore, each top-of-stack elements refers to an atomic expression and two top-of-stack elements cannot be proper sub-expressions of each other.

Proposition 2

(Properties of Top-Of-Stack Elements) Let \(Q\) be a set of atomic processes, \(e,e' \in {\textit{PEX}}(Q)\) be process-algebraic expressions over \(Q\), and \(o,o' \in \{ 0,1 \}^*\) be occurrences. Then, the following properties hold:

1. (i)

   If \(e[o] \ne \bot \) and \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) \ne \emptyset \) then \({\textit{TOP}}(e[e'/o])={\textit{TOP}}(e) \setminus {\textit{PREF}}(o) \cup (o \mathsf {+\!\!+}{\textit{TOP}}(e'))\).

2. (ii)

   If \(e[o] \ne \bot \) and \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) = \emptyset \) then \({\textit{TOP}}(e[e'/o])={\textit{TOP}}(e)\).

3. (iii)

   For each \(o\in {\textit{TOP}}(e)\) it is \(e[o] \in Q\)

4. (iv)

   If \(o \sqsubseteq o'\) for a \(o' \in {\textit{TOP}}(e)\) then \(e[o]\ne \bot \).

5. (v)

   If \(o,o' \in {\textit{TOP}}(e)\) and \(o \ne o'\), then \(o \not \sqsubseteq o'\) and \(o'\not \sqsubseteq e\).

Proof

(i) The proof is by induction on \(o\).

• Case 1: \(o=[]\). Then, \(e \ne \varepsilon \) since otherwise \(e[o]=\bot \). Furthermore, it holds \({\textit{PREF}}([]) = \{ 0, 1 \}^*\). Then,

  $$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(e) {\setminus } {\textit{PREF}}([]) \!\cup \! ([] \mathsf {+\!\!+}{\textit{TOP}}(e'))&{}\\ \quad = {\textit{TOP}}(e) {\setminus } \{ 0, 1 \}^* \cup {\textit{TOP}}(e') &{}\quad \text {by definition of}~\mathsf {+\!\!+}~\text {for sets}\\ \quad = \emptyset \!\cup \! {\textit{TOP}}(e')&{} \\ \quad = {\textit{TOP}}(e') = {\textit{TOP}}(e[e'/[]]) &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Then, \(e=e_1.e_2\) or \(e=e_1 \!\!\parallel \!\!e_2\). Otherwise it would be \(e[o]=\bot \). By induction hypothesis it holds

  $$\begin{aligned} {\textit{TOP}}(e_1[e'/\bar{o}]) = {\textit{TOP}}(e_1) \setminus {\textit{PREF}}(\bar{o}) \cup (\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) \nonumber \\ \end{aligned}$$

  (1)

  and

  $$\begin{aligned} {\textit{PREF}}(0:\bar{o}) = 0:{\textit{PREF}}(\bar{o}) \end{aligned}$$

  (2)

• Case 2.1: \(e=e_1.e_2\). Then,

  $$\begin{aligned} \begin{array}{ll} {\textit{TOP}}((e_1.e_2)[e'/0:\bar{o}])&{}\\ \quad \!=\!{\textit{TOP}}(e_1[e'\bar{o}].e_2) &{}\quad \text {by Definition 2(ii)}\\ \quad \!=\! 0\!:\!{\textit{TOP}}(e_1[e'/ \bar{o}]) &{}\quad \text {by Definition 3(iii)}\\ \quad \!=\! 0\!:\!({\textit{TOP}}(e_1) {\setminus } {\textit{PREF}}(\bar{o}) \!\cup \! (\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e'))&{} \quad \text {by}~(1)\\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } (0\!:\!{\textit{PREF}}(\bar{o})) \!\cup \! (0:(\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! (0:(\bar{o} \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by}~(2)\\ \quad \!=\!(0\!:\!{\textit{TOP}}(e_1)) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! ((0\!:\!\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by associativity of}~\mathsf {+\!\!+}\\ \quad \!=\! {\textit{TOP}}(e_1.e_2) {\setminus } ({\textit{PREF}}(0\!:\!\bar{o})) \!\cup \! ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$

• Case 2.2: \(e=e_1 \!\!\parallel \!\!e_2\). Then,

  $$\begin{aligned} \begin{array}{ll} {\textit{TOP}}((e_1\!\!\parallel \!\!e_2)[e'/0:\bar{o}])&{}\\ \quad ={\textit{TOP}}(e_1[e'\!\!\parallel \!\!o].e_2)&{} \quad \text {by Definition 2(ii)}\\ \quad = 0:{\textit{TOP}}(e_1[e'/\bar{o}]) \cup (1:{\textit{TOP}}(e_2)) &{}\quad \text {by Definition 3(iii)}\\ \quad =(0:{\textit{TOP}}(e_1)) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) \cup (1:{\textit{TOP}}(e_2)) &{}\quad \text {analogous to Case 2.1}\\ \quad =((0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2)) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e'))\\ \quad = {\textit{TOP}}(e_1\!\!\parallel \!\!e_2) \setminus ({\textit{PREF}}(0:\bar{o})) \cup ((0:\bar{o}) \mathsf {+\!\!+}{\textit{TOP}}(e')) &{} \quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Then, \(e=e_1 \!\!\parallel \!\!e_2\). Otherwise it would be \(e[o]=\bot \) or \({\textit{TOP}}(e) \cap {\textit{PREF}}(1:\bar{o})=\emptyset \). The case is proven analogously to Case 2.2

(ii) For the case \(o=[]\), it always holds \({\textit{TOP}}(e) \cap {\textit{PREF}}([]) = {\textit{TOP}}(e) \ne \emptyset \). Similarly, if \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\) and for \(e=e_1 \circ e_2,\, \circ \in \{ . \parallel \}\) it holds \({\textit{TOP}}(e) \supseteq 0:{\textit{TOP}}(e_1) \ne \emptyset \). If \(e=e_1\!\!\parallel \!\!e_2\), it holds \({\textit{TOP}}(e) \supseteq 1:{\textit{TOP}}(e_2) \ne \emptyset \). Hence, it remains \(e=e_1.e_2\) and \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^{*}\). Then, it holds

$$\begin{aligned} \begin{array}{lll} {\textit{TOP}}((e_1.e_2)[e'/1:\bar{o}]) &{}= {\textit{TOP}}(e_1.e_2[\bar{o}]) &{}\quad \text {by Definition 2(iii)}\\ &{}= 0:{\textit{TOP}}(e_1) &{}\quad \text {by Definition 3(iii)}\\ &{}= {\textit{TOP}}(e_1.e_2) &{}\quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$

(iii) Suppose \(e[o] \not \in Q\) for a \(o \in {\textit{TOP}}(e)\). Then, \(e=e_1.e_2\) or \(e=e_1\!\!\parallel \!\!e_2\). We prove by induction on \(o\) that \(o \not \in {\textit{TOP}}(e)\).

• Case 1: \(o=[]\): Then, \(e[o]=e\).

• Case 1.1: \(e=e_1.e_2\). Then, \({\textit{TOP}}(e) = 0:{\textit{TOP}}(e_1) \not \ni []\).

• Case 1.2: \(e=e_1\!\!\parallel \!\!e_2\). Then, \({\textit{TOP}}(e) = (0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2) \not \ni []\).

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\).

• Case 2.1: \(e=e_1.e_2\). Then, \(e[o]=e_1[\bar{o}]\). By induction hypothesis \(\bar{o} \not \in {\textit{TOP}}(e_1)\). Hence, \(0:\bar{o} \not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)

• Case 2.2: \(e=e_1\!\!\parallel \!\!e_2\). By induction hypothesis \(\bar{o} \not \in {\textit{TOP}}(e_1)\). Hence, it is \(0:\bar{o} \not \in (0:{\textit{TOP}}(e_1)) \cup (1:{\textit{TOP}}(e_2)) = {\textit{TOP}}(e_1.e_2)\)

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1 \}^*\). Hence, \(1:\bar{o}\not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)

• Case 3.1: \(e=e_1.e_2\). Hence, \(1:\bar{o}\not \in 0:{\textit{TOP}}(e_1) = {\textit{TOP}}(e_1.e_2)\)

• Case 3.2: \(e=e_1\!\!\parallel \!\!e_2\). The proof is analogous to the proof of Case 2.2.

(iv) By (iii), \(e[o] \ne \bot \) for a \(o \in {\textit{TOP}}(e)\). Hence, by Definition 1(i), \(e[o'] \ne \bot \) for each prefix \(o' \sqsubseteq o\).

(v) Let \(o \sqsubset o'\) for a \(o' \in {\textit{TOP}}(e)\). By (iii): \(e[o'] \in Q\). Hence, by Definition 1(ii) \(e[o] \not \in Q\) is a composed expression. \(\square \)

The following Lemma states that the application of a process rewrite rule \(l\rightarrow r\) to a process-algebraic expression replaces \(l\) by \(r\) at an occurrence \(o\) where \(e[o]\) contains TOP-of-stack elements.

Lemma 1

(Application of Process Rewrite Rules) Let \(\varPi \triangleq (\varSigma , Q,\rightarrow ,q_0,F)\) be a process rewrite system, \(e \in {\textit{PEX}}(Q)\) be a process-algebraic expression, \(l {\mathop {\rightarrow }\limits ^{a}} r\) be a process rewrite rule, and \(o \in \{ 0, 1 \}^*\) be an occurrence with \({\textit{TOP}}(e) \cap {\textit{PREF}}(o) \ne \emptyset \) and \(e[o]=l\). Then, it holds \(e {\mathop {\Rightarrow }\limits ^{a}} e[r/o]\).

Proof

The proof is an induction on \(o\).

• Case 1: \(o=[]\). Then,

  $$\begin{aligned} \begin{array}{lll} e[[]] &{}=l &{}\quad \text {by assumption}\\ &{}{\mathop {\Rightarrow }\limits ^{a}} r &{}\quad \text {by inference rule (R)}\\ &{}=e[r/[]] &{} \quad \text {by Definition 2(i)} \end{array} \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0,1 \}^*\). Then, \(e=e_1 \circ e_2\) for a \(\circ \in \{ ., \parallel \}\). Then, it holds

  $$\begin{aligned} \begin{array}{lll} e_1[\bar{o}] &{}= e[0:\bar{o}] &{} \quad \text {by Definition 1(iii)} \\ &{}=l &{} \quad \text {by assumption} \end{array} \end{aligned}$$

  Hence, by induction hypothesis, it is

  $$\begin{aligned} e_1 {\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}] \end{aligned}$$

  (3)

• Case 2.1: \(e=e_1.e_2\). Then,

  $$\begin{aligned} \begin{array}{lll} e_1.e_2 &{}{\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}].e_2 &{} \quad \text {by (3) and inference rule (S)}\\ &{}= (e_1.e_2)[r/0:o] &{} \quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$

• Case 2.2: \(e=e_1\!\!\parallel \!\!e_2\). Then,

  $$\begin{aligned} \begin{array}{lll} e_1\!\!\parallel \!\!e_2 &{}{\mathop {\Rightarrow }\limits ^{a}} e_1[r/\bar{o}] \!\!\parallel \!\!e_2 &{} \quad \text {by (3) and inference rule (P1)}\\ &{}= (e_1 \!\!\parallel \!\!e_2)[r/0:o] &{} \quad \text {by Definition 2(ii)} \end{array} \end{aligned}$$

• Case 3: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0,1 \}^*\). Then, \(e=e_1\!\!\parallel \!\!e_2\) since \({\textit{TOP}}(e) \cap {\textit{PREF}}(o)=\emptyset \) for \(e=e_1.e_2\). The proof for this case is analogous to Case 2.2. \(\square \)

1.2 Appendix 1.2 Properties of the combined abstraction

Throughout this subsection, let \(U_s \triangleq (\varSigma _s,Q,\rightarrow ,q_0,F)\) be a process rewrite system specifying an abstraction for the use of service \(s,\,R_s \triangleq (\varSigma _s,R_s,\rightarrow _s,q_o^s,\bar{F}_s)\) be a finite state machine without \(\lambda \)-transitions specifying an (inverted) protocol for \(s\), and \(K \triangleq (\varSigma _s, Q_K, \rightarrow _K, q_0^K, F_K)\) be the Combined Abstraction of \(U_s\) and \(R_s\) as defined in Sect. 4.

Definition 4

(Stripping Protocol States and Protocol States on Top of Stacks) Let \(e \in {\textit{PEX}}(Q_K)\) a process-algebraic expression over the atomic processes of the Combined Abstraction. The stripping of protocol state from \(e\) is a process-algebraic expression \(\pi (e) \in {\textit{PEX}}(Q)\) over the atomic processes of \(U_s\), inductively defined by:

1. (i)

   \(\pi (\varepsilon ) \triangleq \varepsilon \) and \(\pi ((r,q)) \triangleq q\)

2. (ii)

   \(\pi (e_1 \circ e_2) \triangleq \pi (e_1) \circ \pi (e_2)\) for \(\circ \in \{ ., \parallel \}\)

The set \({ TOS}(e) \triangleq \{ r : \text {there is a} o \in {\textit{TOP}}(e)\) and \(q \in Q\) such that \(e[o]=(r,q) \}\) is the set of top-of-stack protocol states of \(e \in {\textit{PEX}}(Q_K)\). The process-algebraic expression \(e\) is inconsistent with \(r\) iff \({\textit{TOP}}(e) \ne \{r\}\).

The cactus stack corresponding to \(\pi (e)\) has the same shape as the cactus stack corresponding \(e\), and if a stack element of \(e\) contains \((r,q)\) then the stack element of \(\pi (e)\) contains \(q\). The top-of-stack protocol states is the set of protocol states on the top-of-stack elements of the cactus stack corresponding to \(e\).

Example 8

Let \(e \triangleq ((r_1,q_1)\!\!\parallel \!\!(r_2,q_2)).(r_3.q_3)\).

Then,

$$\begin{aligned} \pi (e)&= (q_1 \!\!\parallel \!\!q_2).q_3\\ { TOS}(e)&= \{ r_1, r_2 \} \end{aligned}$$

The following proposition states some properties on \(\pi \). The first one states that stripping and navigation by occurrences can be interchanged. The second states that stripping a replacement can be interchanged by stripping the expression and the replacing expression. The third property states that the set of top-of-stack occurrences are not affected by stripping. The fourth proposition and fifth property are technical ones. They relate replacements on a stripped expression to stripping a replacement. The fifth property is a generalization of the fourth as it considers the states at the top-of-stack occurrences.

Proposition 3

(Stripping Protocol States) Let \(e',e'',e''' \in {\textit{PEX}}(Q_K)\) process-algebraic expressions over the atomic processes of the Combined Abstraction of \(U_s\) and \(R_s,\,e, e_1, e_2 \in {\textit{PEX}}(Q)\) be process-algebraic expressions over the atomic states of \(U_s\), and \(o \in \{ 0, 1 \}^*\) be an occurrence such that \(e'[o]\ne \bot \) (and \(e[o] \ne \bot \)). Then, it holds:

1. (i)

   \(\pi (e'[o]) = \pi (e)[o]\)

2. (ii)

   \(\pi (e'[e''/o]) = \pi (e')[\pi (e'')/o]\)

3. (iii)

   \({\textit{TOP}}(\pi (e')) = {\textit{TOP}}(e')\)

4. (iv)

   If \(e[o]=e_1,\,\pi (e'')=e[e_2/o],\,\pi (e''')=e_1\), and \(e'=e''[e'''/o]\), then \(\pi (e')=e\)

5. (v)

   Let \(o_1,\ldots ,o_k \in {\textit{TOP}}(e),\,o \not \in \{ o_1,\ldots , o_k \}\) and \(q_i \triangleq e[o_i],\,i=1,\ldots ,k\). Then, it holds for any protocol states \(r_1,\ldots ,r_k \in R_s\): If \(e[o]=e_1,\pi (e'')=e[e_2/o],\,\pi (e''')=e_1\), and \(e'=e''[(r_1,q_1)/o_1]\cdots [(r_k,q_k)/o_k][e'''/o]\), then \(\pi (e')=e\)

Proof

(i) The proof is an induction on \(o\).

• Case 1: \(o=[]\). Then, by Definition 1(ii), it holds

  $$\begin{aligned} \pi (e'[[]]) = \pi (e') =\pi (e')[[]]. \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e'=\bar{e}_1 \circ \bar{e}_2\) for a \(\circ \in \{ ., \parallel \}\). Hence,

  $$\begin{aligned} \begin{array}{ll} \pi ((\bar{e}_1 \circ \bar{e}_2)[0:\bar{o}])&{} \\ \quad =\pi (\bar{e}_1[\bar{o}]) &{} \quad \text {by Definition 1(iii)}\\ \quad = \pi (\bar{e}_1)[\bar{o}] &{} \quad \text {by induction hypothesis}\\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[0:\bar{o}] &{} \quad \text {by Definition 1(iii)}\\ \quad =\pi (\bar{e}_1 \circ \bar{e}_2)[0:\bar{o}] &{}\quad \text {by Definition 4(ii)} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.

(ii) The proof is an induction on \(o\).

• Case 1: \(o=[]\). Then, by Definition 2(i), it holds

  $$\begin{aligned} \pi (e'[e''/[]]) = \pi (e'') =\pi (e')[\pi (e'')/[]]. \end{aligned}$$

• Case 2: \(o=0:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). Then, \(e'=\bar{e}_1 \circ \bar{e}_2\) for a \(\circ \in \{ ., \parallel \}\). Hence,

  $$\begin{aligned} \begin{array}{ll} \pi ((\bar{e}_1 \circ \bar{e}_2)[e''/0:\bar{o}]) &{} \\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[e''/0:\bar{o}] &{} \quad \text {by Definition 4(ii)}\\ \quad =\pi (\bar{e}_1)[e''/\bar{o}] \circ \pi (\bar{e}_2) &{} \quad \text {by Definition 2(ii)}\\ \quad = \pi (\bar{e}_1)[\pi (e'')/\bar{o}] \circ \pi (\bar{e}_2) &{} \quad \text {by induction hypothesis}\\ \quad = (\pi (\bar{e}_1) \circ \pi (\bar{e}_2))[\pi (e'')/0:\bar{o}] &{} \quad \text {by Definition 2(ii)}\\ \quad =\pi (\bar{e}_1 \circ \bar{e}_2)[\pi (e'')/0:\bar{o}] &{}\quad \text {by Definition 4(ii)} \end{array} \end{aligned}$$

• Case 3: \(o=1:\bar{o}\) for a \(\bar{o} \in \{ 0, 1\}^*\). The proof is analogous to Case 2.

(iii) The proof is by induction on \(e'\).

• Case 1: \(e'=\varepsilon \) or \(e'=(r,q)\). Then, (iii) follows directly from Definition 4(i) and Definition 3(i), (ii).

• Case 2: \(e'=\bar{e}_1 . \bar{e}_2\). Then,

  $$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(\pi (\bar{e}_1 . \bar{e}_2)) &{}\\ \quad = {\textit{TOP}}(\pi (\bar{e}_1) . \pi (\bar{e}_2)) &{}\quad \text {by Definition 4(ii)}\\ \quad ={\textit{TOP}}(\pi (\bar{e}_1)) &{}\quad \text {by Definition 3(iii)}\\ \quad ={\textit{TOP}}(e_1) &{} \quad \text {by induction hypothesis}\\ \quad ={\textit{TOP}}(e_1.e_2) &{}\quad \text {by Definition 3(iii)} \end{array} \end{aligned}$$

• Case 3: \(e'=\bar{e}_1 \!\!\parallel \!\!\bar{e}_2\). Then,

  $$\begin{aligned} \begin{array}{ll} {\textit{TOP}}(\pi (\bar{e}_1 \!\!\parallel \!\!\bar{e}_2)) &{} \\ \quad = {\textit{TOP}}(\pi (\bar{e}_1) \!\!\parallel \!\!\pi (\bar{e}_2)) &{}\quad \text {by Definition 4(ii)}\\ \quad ={\textit{TOP}}(\pi (\bar{e}_1)) \cup {\textit{TOP}}(\pi (\bar{e}_2)) &{}\quad \text {by Definition 3(iv)}\\ \quad ={\textit{TOP}}(e_1) \cup {\textit{TOP}}(e_2)&{}\quad \text {by induction hypothesis}\\ \quad ={\textit{TOP}}(e_1\!\!\parallel \!\!e_2) &{}\quad \text {by Definition 3(iv)} \end{array} \end{aligned}$$

(v)

$$\begin{aligned} \begin{array}{lll} \pi (e') &{}= \pi (e''[e'''/o]) &{} \quad \text {since}~e'=e''[e'''/o]\\ &{}=\pi (e'')[\pi (e''')/o] &{} \quad \text {by (i)}\\ &{}=e[e_2/o][e_1/o] &{}\quad \text {since}~\pi (e'')=e[e_2/o]\hbox { and }\pi (e''')=e_1\\ &{}=e[e_1/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e &{}\quad \text {by Proposition 1(iii) and}~e[o]=e_1 \end{array} \end{aligned}$$

(iv)

$$\begin{aligned} \begin{array}{ll} \pi (e') &{}\\ \quad \!\!= \pi (e''[(r_1,q_1)/o_1]\cdots [(r_k,q_k)/o_k][e'''/o]) &{} \!\!\quad \text {by assumption on}~e'\\ \quad \!\!=\pi (e'')[q_1/o_1]\cdots [q_k/o_k][\pi (e''')/o] &{} \quad \!\!\text {by (i)}\\ \quad \!\!=\!e[e_2/o][q_1/o_1]\cdots [q_k/o_k][e_1/o] &{}\quad \!\!\text {since}~\pi (e'')\!=\!e[e_2/o]\text { and }\pi (e''')\!=\!e_1\\ \quad \!\!=\!e[q_1/o_1]\cdots [q_k/o_k][e_2/o][e_1/o] &{}\!\quad \!\text {by Proposition 1(v)}\\ \quad \!\!=\!e[e_2/o][e_1/o] &{}\quad \!\!\text {by Proposition 1(iii) and}~e[o_i]\!=\!q_i\\ \quad \!\!=\!e[e_1/o] &{}\quad \!\!\text {by Proposition 1(ii)}\\ \quad \!\!=\!e &{}\quad \!\!\text {by Proposition 1(iii) and}~e[o]\!=\!e_1\\ \end{array} \end{aligned}$$

\(\square \)

The following properties for the top-of-stack protocol states are direct consequence of Proposition 2. The first property states that an atomic process of the Combined Abstraction can be deduced from the top-of-stack elements and the stripped process-algebraic expression. The second states that a protocol state is a top-of-stack protocol state in \(e[e'/o] \in {\textit{PEX}}(Q_K)\) if it is a top-of-stack protocol state outside of \(o\) or it is a top-of-stack protocol state of \(e'\). The third and fourth property are special cases of the second.

Proposition 4

(Top-Of-Stack Protocol States) Let \(e,e' \in {\textit{PEX}}(Q_K)\) be process-algebraic expressions over the atomic processes of the Combined Abstraction, \(o \in \{ 0, 1 \}^*\) be an occurrence with \(e[o] \ne \bot \), and \(o_1,\ldots ,o_k \in \{ 0, 1 \}^*\) be occurrence such that \({\textit{TOP}}(e) \setminus {\textit{PREF}}(e) = \{ o_1 , \ldots , o_k \}\). Then,

1. (i)

   If \({ TOS}(e)=r,\,o \in {\textit{TOP}}(e)\) then \(e[o]=(r,q)\) where \(q=\pi (e)[o] \in Q\).

2. (ii)

   Let be \((r_i,q_i) \triangleq e[o_i],\,i\!=\!1,\ldots ,k\). Then, \({ TOS}(e[e'/o]) = \{ r_1, \ldots , r_k \} \cup { TOS}(e')\).

3. (iii)

   If there is a \(r \in R_s\) and \(q_1, \ldots , q_k \in Q\) such that \(e[o_i]=(r,q_i),\,i=1, \ldots , k\) and \({ TOS}(e')=\{ r \}\) then \({ TOS}(e[e'/o])=\{ r \}\).

4. (iv)

   If \({ TOS}(e')=\{ r \}\) then \({ TOS}(e[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][e'/o])=\{ r \}\) for all \(q_1, \ldots , q_k \in Q\).

Proof

(i) follows directly from Definitions 3 and 4. Proposition 2(i) and Definition 4 directly imply (ii). (iii) and (iv) are special cases of (ii) (just choosing \(r_i=r\) for \(i=1,\ldots ,k\) \(\square \)

1.3 Appendix 1.3 Proof of the main theorem

For this subsection, let \(U_s \triangleq (\varSigma _s,Q,\rightarrow ,q_0,F)\) be a process rewrite system specifying an abstraction for the use of service \(s,\,R_s \triangleq (\varSigma _s,R_s,\rightarrow _s,q_o^s,\bar{F}_s)\) be a finite state machine without \(\lambda \)-transitions specifying an (inverted) protocol for \(s\), and \(K \triangleq (\varSigma _s, Q_K, \rightarrow _K, q_0^K, F_K)\) be the Combined Abstraction of \(U_s\) and \(R_s\) as defined in Sect. 4.

The application of process rewrite rule in \(T_{11} \cup T_{1S} \cup T_{S1} \cup T_{1P} \cup T_{P1}\) to a consistent \(e \in {\textit{PEX}}(Q_K)\) may change the protocol state on a top-of-stack element from a protocol state \(r\) to \(r'\). Thus, if \(e {\mathop {\Rightarrow }\limits ^{a}}_{K} e'\) then \({ TOS}(e')=\{r,r'\}\) is possible, i.e., \(e'\) is inconsistent. With following lemma it is possible to rewrite \(e'\) into \(e''\) with the same shape and \({\textit{TOP}}(e'') = \{ r' \}\).

Lemma 2

(Construction of Consistent Process-Algebraic Expressions) Let be \(e\in {\textit{PEX}}(Q_K),\,o\in {\textit{TOP}}(e),e[o]=(r,q)\). If \(r {\mathop {\rightarrow }\limits ^{a}}_{s} r'\) then \(e {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e[(r',q)/o]\).

Proof

Since \(r {\mathop {\rightarrow }\limits ^{a}}_{s} r'\), it is \((r,q) {\mathop {\rightarrow }\limits ^{\lambda }}_{K}(r,q') \in T_0\). Thus, Lemma 1 implies \(e {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e[(r',q)/o]\). \(\square \)

The following Theorem is the same as Theorem 1 where (i) and (ii) are rephrased using Definition 4

Theorem 1

Let be \(e \in {\textit{PEX}}(Q_K)\) be a process-algebraic expression over \(Q\) and \(r \in R_s\) a protocol state, and \(x \in \varSigma _{s}^{*}\) such that there is a \(f \in F\) and \(\bar{r} \in \bar{F}_s\) with \(e {\mathop {\Rightarrow }\limits ^{x}} f\) and \(r {\mathop {\Rightarrow }\limits ^{x}}_{s} \bar{r}\). Then, there is a \(e' \in {\textit{PEX}}(Q_K)\) and a \(f_k \in F_K\) such that the following properties are satisfied:

1. (i)

   \(\pi (e')=e\)

2. (ii)

   \({\textit{TOP}}(e')=\{ r \}\)

3. (iii)

   \(e' {\mathop {\Rightarrow }\limits ^{x}}_{K} f_k\)

Proof

The proof is by induction on the number of applications of process rewrite rule \(\rightarrow \) of PRS \(U_s\) in \(e {\mathop {\Rightarrow }\limits ^{x}} f\).

Base Case:: No PRS-rule is being applied. Then, \(e=f\) and \(r=\bar{r}\) because \(R_s\) doesn’t contain rules \(r {\mathop {\rightarrow }\limits ^{\lambda }}_{s} r'\).Thus \(r \triangleq \bar{r} {\mathop {\Rightarrow }\limits ^{\lambda }}_{s} \bar{r}\). By definition of the combined abstraction, it holds \(f_k \triangleq (\bar{r}, f) \in F\). Define \(e' \triangleq f_k\). Then, \(\pi (e')=f (=e)\) by Definition 4(i), \({ TOS}(e') = \{ \bar{r} \} (= \{ r \}\)), and \(e' = f_k {\mathop {\Rightarrow }\limits ^{\lambda }}_{K} f_k\), i.e., it holds (i), (ii), and (iii) if no PRS-rule has been applied.

Inductive Case: Let \(lhs {\mathop {\rightarrow }\limits ^{a}} rhs\) be the first PRS-rule being applied in \(e {\mathop {\Rightarrow }\limits ^{x}} f\). Let \(o \in \{ 0,1\}^*\) be the occurrence where it is applied. Hence, by Lemma 1 it holds:

$$\begin{aligned}&e[o] = lhs \end{aligned}$$

(4)

$$\begin{aligned}&e {\mathop {\Rightarrow }\limits ^{a}} e[rhs/o] {\mathop {\Rightarrow }\limits ^{y}} f \end{aligned}$$

(5)

$$\begin{aligned}&r {\mathop {\Rightarrow }\limits ^{a}}_{s} r' {\mathop {\Rightarrow }\limits ^{y}} \bar{r} \end{aligned}$$

(6)

$$\begin{aligned}&r' \triangleq \left\{ \begin{array}{cc} r &{} \quad \text {if}~a=\lambda \\ \hat{r} &{} \quad \text {if}~r {\mathop {\rightarrow }\limits ^{a}}_{s} \hat{r} \end{array}\right. \end{aligned}$$

(7)

$$\begin{aligned}&x=ay \end{aligned}$$

(8)

By induction hypothesis, there is a \(e''\in {\textit{PEX}}(Q_K)\) such that

$$\begin{aligned}&\pi (e'')=e[rhs/o] \end{aligned}$$

(9)

$$\begin{aligned}&e''{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k\ \text {for a}~f_k \in F_K \end{aligned}$$

(10)

$$\begin{aligned}&{\textit{TOP}}(e'') = \left\{ \begin{array}{cc} \{ r \} &{}\text {if}~a=\lambda \\ \{ \hat{r} \} &{}\quad \text {if}~a \in \varSigma _{s} \end{array}\right. \end{aligned}$$

(11)

Case 1: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'\) has been applied, i.e. \(lhs=q,\,rhs=q'\), and \(a=\lambda \). Define

$$\begin{aligned} e' \triangleq e''[(r,q)/o] \end{aligned}$$

(12)

Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). It holds:

$$\begin{aligned} \begin{array}{lll} \pi (e''[o]) &{}= \pi (e'')[o] &{}\quad \text {by Proposition 3(i)}\\ &{}=e[q'/o][o] &{}\quad \text {by (9)}\\ &{}=q &{}\quad \text {by Proposition 1(i)} \end{array} \end{aligned}$$

Together with (11), Proposition 4(i) implies

$$\begin{aligned} e''[o]=(r,q') \end{aligned}$$

(13)

By definition of the combined abstraction, it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{\lambda }}_{K} (r,q') \in T_{11} \end{aligned}$$

(14)

Hence,

$$\begin{aligned} \begin{array}{llll} e' &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e'[(r,q')/o] &{} \quad \text {by Lemma 1 and (14)}\\ &{}=e''[(r,q)/o][(r,q')/o] &{} \quad \text {by (12)}\\ &{}=e''[(r,q')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii) and (13)}\\ &{}{\mathop {\Rightarrow }\limits ^{x}}_{K} f_k &{} \quad \text {by (10)},~a=\lambda ,~\text {and (8)} \end{array} \end{aligned}$$

Thus (i), (ii), and (iii) hold for Case 1

Case 2: \(q {\mathop {\rightarrow }\limits ^{a}} q',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q'\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e.

$$\begin{aligned}&{\textit{TOP}}(e) \setminus {\textit{PREF}}(o) = \{ o_1, \ldots , o_k \} \end{aligned}$$

(15)

$$\begin{aligned}&q_i = e[o_i],\ i=1,\ldots ,k, \text {and} \end{aligned}$$

(16)

$$\begin{aligned}&e' \triangleq e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)/o] \end{aligned}$$

(17)

Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{a}}_{K} (\hat{r},q') \in T_{11} \end{aligned}$$

(18)

By Proposition 1(i), it is \(e[q'/o][o]=q'\). Together with (11) and Proposition 4(i), this implies

$$\begin{aligned} e''[o]=(\hat{r},q') \end{aligned}$$

(19)

Similarly, (11), (16), and Proposition 4(i) imply

$$\begin{aligned} e''[o_i]=(\hat{r},q_i), \end{aligned}$$

(20)

\(i=1,\ldots ,k\). Hence,

$$\begin{aligned} \begin{array}{lll} e' &{}{\mathop {\Rightarrow }\limits ^{a}}_{K} e'[(\hat{r},q')/o] &{} \quad \text {by Lemma 1 and (14)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)/o][(\hat{r},q')/o] &{} \quad \text {by (17)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(\hat{r},q')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e''[(\hat{r},q_1)/o_1]\cdots [(\hat{r},q_k)/o_k][(\hat{r},q')/o] &{}\quad \text {by Lemma 2}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (19), and (20)}\\ &{}{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k &{} \quad \text {by (10)} \end{array} \end{aligned}$$

Hence, (i), (ii), and (iii) hold also for Case 2.

Case 3: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'.q''\) has been applied, i.e. \(lhs=q,rhs=q'.q''\), and \(a=\lambda \). By (9) and Proposition 3(i) there is \(r''\in R_s\) such that

$$\begin{aligned} e''[o]=(r,q'),(r''.q'') \end{aligned}$$

(21)

Define \(e'\) as in Case 1, i.e. by (12). Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{\lambda }}_{K} (r,q').(r'',q'') \in T_{1S} \end{aligned}$$

(22)

Hence,

$$\begin{aligned} \begin{array}{llll} e' &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e'[(r,q').(r'',q'')/o] &{} \quad \text {by Lemma 1 and (22)}\\ &{}=e''[(r,q)/o][(r,q').(r'',q'')/o] &{} \quad \text {by (12)}\\ &{}=e''[(r,q').(r'',q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (8)}\\ &{}{\mathop {\Rightarrow }\limits ^{x}}_{K} f_k &{} \quad \text {by (10)},~a=\lambda ,~\text {and}~(8) \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 3.

Case 4: \(q {\mathop {\rightarrow }\limits ^{a}} q'.q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q'.q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and

$$\begin{aligned} e' \triangleq e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)/o] \end{aligned}$$

(23)

Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{a}}_{K} (\hat{r},q').(r'',q'') \in T_{1S} \end{aligned}$$

(24)

The same arguments as in Case 3 show that (21) is satisfied. The same arguments as in Case 2 show that (20) holds. Hence,

$$\begin{aligned} \begin{array}{lll} e' &{}{\mathop {\Rightarrow }\limits ^{a}}_{K} e'[(\hat{r},q').(r'',q'')/o] &{} \quad \text {by Lemma 1 and (24)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)/o] [(\hat{r},q').(r'',q'')/o] &{} \quad \text {by (23)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(\hat{r},q')(r'',q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e''[(\hat{r},q_1)/o_1]\cdots [(\hat{r},q_k)/o_k][(\hat{r},q').(r'',q'')/o] &{}\quad \text {by Lemma 2}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (20), and (21)}\\ &{}{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k &{} \quad \text {by (10)} \end{array} \end{aligned}$$

Hence, (i), (ii), and (iii) hold also for Case 4.

Case 5: \(q.q' {\mathop {\rightarrow }\limits ^{\lambda }} q''\) has been applied, i.e. \(lhs=q.q',\,rhs=q''\), and \(a=\lambda \). Then, analogous to Case 1, it holds

$$\begin{aligned} e''[o]=(r,q'') \end{aligned}$$

(25)

Define for any \(r''\in R_s\):

$$\begin{aligned} e' \triangleq e''[(r,q).(r'',q')/o] \end{aligned}$$

(26)

Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is

$$\begin{aligned} (r,q)(r'',q'){\mathop {\rightarrow }\limits ^{\lambda }}_{K} (r,q'') \in T_{S1} \end{aligned}$$

(27)

Then,

$$\begin{aligned} \begin{array}{llll} e' &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e'[(r,q'')/o] &{} \quad \text {by Lemma 1 and (27)}\\ &{}=e''[(r,q).(r'',q')/o][(r,q'')/o] &{} \quad \text {by (26)}\\ &{}=e''[(r,q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii) and (25)}\\ &{}{\mathop {\Rightarrow }\limits ^{x}}_{K} f_k &{} \quad \text {by (10)},~a=\lambda ,\hbox { and }(8) \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 5.

Case 6: \(q.q' {\mathop {\rightarrow }\limits ^{a}} q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q.q'\) and \(rhs=q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and for any \(r''\in R_s\) be

$$\begin{aligned} e' \triangleq e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q).(r'',q'))/o] \end{aligned}$$

(28)

Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is

$$\begin{aligned} (r,q).(r'',q'){\mathop {\rightarrow }\limits ^{a}}_{K} (\hat{r},q'') \in T_{S1} \end{aligned}$$

(29)

The same arguments as in Case 5 show that (25) is satisfied. The same arguments as in Case 2 and Case 4 show that (20) holds. Hence,

$$\begin{aligned} \begin{array}{lll} e' &{}{\mathop {\Rightarrow }\limits ^{a}}_{K} e'[(\hat{r},q'')/o] &{} \quad \text {by Lemma 1 and (29)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q).(r'',q')/o] [(\hat{r},q'')/o] &{} \quad \text {by (28)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(\hat{r},q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e''[(\hat{r},q_1)/o_1]\cdots [(\hat{r},q_k)/o_k][(\hat{r},q'')/o] &{}\quad \text {by Lemma 2}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (20), and (21)}\\ &{}{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k &{} \quad \text {by (10)} \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 6.

Case 7: \(q {\mathop {\rightarrow }\limits ^{\lambda }} q'.\!\!\parallel \!\!q''\) has been applied, i.e. \(lhs=q,rhs=q' \!\!\parallel \!\!q''\), and \(a=\lambda \). By (9) and Proposition 3(i) it holds

$$\begin{aligned} e''[o]=(r,q')\!\!\parallel \!\!(r,q'') \end{aligned}$$

(30)

Define \(e'\) as in Case 1 and Case 3, i.e. by (12). Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{\lambda }}_{K} (r,q')\!\!\parallel \!\!(r,q'') \in T_{1P} \end{aligned}$$

(31)

Hence,

$$\begin{aligned} \begin{array}{llll} e' &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e'[(r,q')\!\!\parallel \!\!(r'',q'')/o] &{} \quad \text {by Lemma 1 and (31)}\\ &{}=e''[(r,q)/o][(r,q')\!\!\parallel \!\!(r,q'')/o] &{} \quad \text {by (12)}\\ &{}=e''[(r,q')\!\!\parallel \!\!(r,q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii) and (21)}\\ &{}{\mathop {\Rightarrow }\limits ^{x}}_{K} f_k &{} \quad \text {by (10)},~a=\lambda ,\hbox { and }(8) \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 7.

Case 8: \(q {\mathop {\rightarrow }\limits ^{a}} q' \!\!\parallel \!\!q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\) and \(rhs=q' \!\!\parallel \!\!q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and \(e'\) be defined by (17) (as in Case 2 and 4). Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is

$$\begin{aligned} (r,q){\mathop {\rightarrow }\limits ^{a}}_{K} (\hat{r},q')\!\!\parallel \!\!(\hat{r},q'') \in T_{1P} \end{aligned}$$

(32)

The same arguments as in Case 3 show that (21) is satisfied. The same arguments as in Case 2 show that (20) holds.Hence,

$$\begin{aligned} \begin{array}{lll} e' &{}{\mathop {\Rightarrow }\limits ^{a}}_{K} e'[(\hat{r},q')\!\!\parallel \!\!(\hat{r},q'')/o] &{} \quad \text {by Lemma 1 and (32)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)/o] [(\hat{r},q')\!\!\parallel \!\!(\hat{r},q'')/o] &{} \quad \text {by (17)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(\hat{r},q')(\hat{r},q'')/o] &{} \quad \text {by Proposition 1(ii)}\\ &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e''[(\hat{r},q_1)/o_1]\cdots [(\hat{r},q_k)/o_k][(\hat{r},q')\!\!\parallel \!\!(\hat{r},q'')/o] &{}\quad \text {by Lemma 2}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (20), and (21)}\\ &{}{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k &{} \quad \text {by (10)} \end{array} \end{aligned}$$

Hence, (i), (ii), and (iii) hold also for Case 8.

Case 9: \(q \!\!\parallel \!\!q' {\mathop {\rightarrow }\limits ^{\lambda }} q''\) has been applied, i.e. \(lhs=q \!\!\parallel \!\!q',rhs=q''\), and \(a=\lambda \). Then, it holds (25) analogous to Case 5. Define

$$\begin{aligned} e' \triangleq e''[(r,q)\!\!\parallel \!\!(r,q')/o] \end{aligned}$$

(33)

Then, \(\pi (e') = e\) by Proposition 3(iv) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iii) and (11). By definition of the combined abstraction, it is

$$\begin{aligned} (r,q)\!\!\parallel \!\!(r,q'){\mathop {\rightarrow }\limits ^{\lambda }}_{K} (r,q'') \in T_{P1} \end{aligned}$$

(34)

Then,

$$\begin{aligned} \begin{array}{llll} e' &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e'[(r,q'')/o] &{} \quad \text {by Lemma 1 and (34)}\\ &{}=e''[(r,q)\!\!\parallel \!\!(r'',q')/o][(r,q'')/o] &{} \quad \text {by (33)}\\ &{}=e''[(r,q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii) and (25)}\\ &{}{\mathop {\Rightarrow }\limits ^{x}}_{K} f_k &{} \quad \text {by (10)}, a=\lambda , \hbox { and }(8) \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 9.

Case 10: \(q\!\!\parallel \!\!q' {\mathop {\rightarrow }\limits ^{a}} q'',\,a \in \varSigma _s\), has been applied, i.e. \(lhs=q\!\!\parallel \!\!q'\) and \(rhs=q''\). Let \(o_1, \ldots , o_k\) be the top-of-stack occurrences in \(e\) outside of \(o\), i.e. (15) is satisfied, \(q_1,\ldots ,q_k\) be defined by (16) (cf. Case 2), and \(e'\) be defined by

$$\begin{aligned} e' \triangleq e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q)\!\!\parallel \!\!(r,q'=/o] \end{aligned}$$

(35)

Then, \(\pi (e') = e\) by Proposition 3(v) and \({ TOS}(e) = \{ r \} \) by Proposition 4(iv), (11), and (16). Furthermore, by definition of the combined abstraction it is

$$\begin{aligned} (r,q)\!\!\parallel \!\!(r'',q'){\mathop {\rightarrow }\limits ^{a}}_{K} (\hat{r},q'') \in T_{P1} \end{aligned}$$

(36)

The same arguments as in Case 5, 6, and 9 show that (25) is satisfied. The same arguments as in Case 2, 4, 6, and 8 show that (20) holds. Hence,

$$\begin{aligned} \begin{array}{lll} e' &{}{\mathop {\Rightarrow }\limits ^{a}}_{K} e'[(\hat{r},q'')/o] &{} \quad \text {by Lemma 1 and (36)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(r,q) \!\!\parallel \!\!(r,q')/o] [(\hat{r},q'')/o] &{} \quad \text {by (25)}\\ &{}=e''[(r,q_1)/o_1]\cdots [(r,q_k)/o_k][(\hat{r},q'')/o] &{}\quad \text {by Proposition 1(ii)}\\ &{}{\mathop {\Rightarrow }\limits ^{\lambda }}_{K} e''[(\hat{r},q_1)/o_1]\cdots [(\hat{r},q_k)/o_k][(\hat{r},q'')/o] &{}\quad \text {by Lemma 2}\\ &{}=e'' &{}\quad \text {by Proposition 1(iii), (20), and (21)}\\ &{}{\mathop {\Rightarrow }\limits ^{y}}_{K} f_k &{} \quad \text {by (10)} \end{array} \end{aligned}$$

Thus, (i), (ii), (iii) is also satisfied for Case 10.

With Case 1–10 all possibilities are considered, and for each case (i), (ii), (iii) are satisfied. This completes the proof \(\square \)