

Application Conditions for Reactive Systems  with Applications to Bisimulation Theory


Electronic Communications of the EASST
Volume 38 (2010)

Proceedings of the Fifth International Conference on
Graph Transformation - Doctoral Symposium

(ICGT-DS 2010)

Application Conditions for Reactive Systems
with Applications to Bisimulation Theory

Mathias Hülsbusch

14 pages

Guest Editor: Andrea Corradini
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Application Conditions for Reactive Systems
with Applications to Bisimulation Theory

Mathias Hülsbusch1∗

1 Abteilung für Informatik und Angewandte Kognitionswissenschaft,
Universität Duisburg-Essen, Germany

mathias.huelsbusch@uni-due.de

Abstract: This paper presents generalized application conditions (GACs), a new
formalism for nested application conditions. GACs are not only suitable for DPO
rewriting, but for rewriting in reactive systems as well. The main theorem states that
it is possible to construct an equivalent reactive system rule with a GAC for a DPO
rule with application conditions under very mild conditions. The resulting reactive
system rules live in the cospan category of the category C, in which the DPO rules
live.
It turns out that these GACs for reactive systems provide a slightly more powerful
way to control the application of a rewriting rule, than it is possible in the original
DPO setting.
At the end, we give a short outlook on the applications of this formalism to the field
of bisimulation theory, sketch our latest results and discuss future work.

Keywords: FOL on Graphs, Application Conditions, Reactive Systems, Cospan
Category, DPO

1 Introduction

The analysis of dynamic systems is an important and useful task in many domains such as soft-
ware analysis, MDD (model driven development) and software security. A successful approach
to model such systems is to model the system as a graph and to implement system evolution
via graph rewriting rules. We consider the DPO approach to rewriting in an adhesive category
C [Roz97, LS05]. This modeling technique allows to represent concurrent behavior, changing
topologies, etc. and features all the benefits of a graphical modeling language. According to the
actual developments, the complexity of systems that software and hardware engineers will face
in the future will grow rapidly. For this reason, graphical modeling languages are very likely to
play a key role in development approaches.

When modeling real-world processes, one wants to be able to limit the applicability of rules by
application conditions. Even if the basic setting is Turing complete (such as graph transformation
systems), the process of modeling can be extremely simplified by using application conditions.

To motivate this, here is a short (running-)example, that shows how useful application condi-
tions are: In a file system, a user U wants to delete an object O, that the user owns. This deletion
is only allowed if the object is not marked as protected. This is a negative application condition.

∗ Partially supported by DFG project BehaviorGT

1 / 14 Volume 38 (2010)

mailto:mathias.huelsbusch@uni-due.de


Application Conditions for Reactive Systems

But even if the object is protected, a user with root permissions is still allowed to delete it. This
second part disables the negative application condition.

The mechanisms of application conditions also gives rise to the idea of pre- and postconditions
for rules allowing the use of verification techniques inspired by Hoare logic.

So far, (nested) application conditions have been studied mainly for DPO rewriting.
Another approach to analyze dynamic systems is the theory of reactive systems. DPO rewrit-

ing in adhesive categories and reactive systems rewriting are related very closely . Nevertheless,
there is no theory of application conditions for reactive systems. In this paper, we will present
a new way to describe application conditions that is suitable for DPO rewriting and for reactive
systems rewriting, called generalized application conditions (GACs). Instead of describing con-
ditions on the match, in reactive systems rewriting a GAC gives the conditions the context, the
reaction takes place in, has to fulfill

This new approach to application conditions allows to adapt the borrowed context technique
to rules with application conditions, giving transition labels that are describing the conditions a
borrowed context has to fulfill in order to make the rule applicable. We will give some more
detailed information about these ideas in Section 5.

The second Section gives some preliminary definitions. In Section 3, we will present the
definition of generalized application conditions (GACs). Section 4 states the main theorem of this
paper, describing the relation between GACs for DPO rewriting and GACs for reactive systems.
In order to illustrate the presented techniques, we will introduce a running example.

2 Preliminaries

In this section, we will give some basic definitions that are needed later on. First, we will define
the rewriting approaches we concider in this paper:

Definition 1 (DPO Rewriting) Let C be an adhesive category. An object G can be rewritten to
H via a DPO rule p = L

l← I r→R, whenever the exists the following diagram, where both squares
are pushouts. Note that we work in a setting where the vertical morphisms must be monos.

L I R

G D H

l r

Definition 2 (Rewriting in reactive systems) A reactive system S over a category C is a set RS
of rewriting rules. Each rule s is a pair of arrows (l,r) from C l,r : J → I. An arrow a is rewritten
to an arrow b (a,b : J → K) via a rule s, iff there exists an arrow c, such that a = l; c and b = r; c
(see diagram below).

J I J

K

sl sr

a b
c

Proc. Doctoral Symposium ICGT 2010 2 / 14


ECEASST

In this paper, we will consider only categories that have an initial object 0 and rules, where J
is the initial object of C.

Definition 3 (Cospan category) Let C be a category with pushouts. A cospan c : A a→ B b← C
is a pair of C-arrows with the same codomain. Here, A is the domain of c and C is the codomain.
The identity cospan for an object E is the cospan consisting of twice the identity arrow of E. The
composition z = x; y of two cospans x = A

a→ B b← C and y = C c→ D d← E is done via a pushout
construction, as shown in the diagram below (where f = d; b′ and e = a; c′):

C B A

D F

E

ab

c

d

c′
b′

e

f

x

y

z

A semi-abstract cospan is an equivalence class of cospans, where we take the middle object
of the cospan up to isomorphism. Now the cospan category cospan(C) is defined as follows:
The objects of cospan(C) are the objects of C, the arrows of cospan(C) are the semi-abstract
cospans.

Reactive systems rewriting over the category cospan(C) coincides with DPO rewriting in C
[SS05]. Since we work in a setting, where the vertical morphisms in the DPO diagram must
be monos, we consider the category cospanl (C), where all the cospans must be left-linear (the
left leg must be a mono) in this paper. Since pushouts preserve monos in adhesive categories
and monos are closed under composition, cospanl (C) is a category. The idea how rules can be
translated is illustrated in the following image. The thick black arrows depict the reactive system
diagram, the thin gray arrows show the double pushout diagram and the dotted arrows are some
additional morphisms from C. The objects that are rewritten in C are the inner objects of the
cospans a and b (G is rewritten to H via the rule (l′,r′)).

0 L I R 0

G D H

0

l’ r’

l r

a b

c

3 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

3 Generalized Application Conditions

The formalism of graph predicates and graph conditions [Ren04] is equivalent to first order
logic on graphs and based on morphisms. We exploited this approach to give a definition for
application conditions that is suitable for DPO rewriting and for reactive systems as well. It
turned out that in some cases, this new definition is slightly more powerful then the standard and
well studied approach to nested1 application conditions [Pen08]. The following definition for
application conditions works in both cases. It can be used to describe application conditions for
DPO rewriting as well as application conditions for reactive system. It is not restricted to any
category.

Definition 4 (Generalized Application Condition (GAC)) Let A be an object of a category C.
GACA is the set of all triples (A,Q,S) where Q ∈{∀,∃}, and S is a set of pairs (ϕi,Ai), where
ϕi : A → Ai and Ai ∈GACAi . Let c : A → B be an arrow of C and A an element of GACA. c |= A
if and only if:

• c |= (A,∀,S) if for all (ϕi,Ai)∈ S and for all d : Ai → B with ϕi; d = c it holds that d |= Ai.

• c |= (A,∃,S) if there exists a pair (ϕi,Ai) ∈ S and a morphism d : Ai → B with ϕi; d = c
and d |= Ai holds.

The object A is called root object of A (RO(A )).

This definition shows that GACs can be seen as trees, where the nodes are labeled with pairs
(O,Q), where O is an object of C and Q is in {∀,∃} and the edges are labeled with morphisms
of C. The domain and codomain of every morphism are the objects at the corresponding nodes.

For a (general) DPO rule L ← I → R, a GAC in GACL restricts the matching morphism
m : L → G. For a reactive system rule (l : 0 → I,r : 0 → I), a GAC in GACI restricts the possible
contexts c, the reaction takes place in.
In our DPO rewriting, we want certain morphisms to be monos. Therefore, the following defini-
tion of MonoGACs is useful.

Definition 5 (MonoGAC) MonoGACA is the set of all triples (A,Q,S) from GACA, where for
every pair (ϕi,Ai) in S holds: ϕi is a mono and Ai ∈MonoGACAi . A MonoGAC is evaluated like
a normal GAC but all the morphisms d from the objects in the MonoGAC into the codomain of
the morphism, the GAC is evaluated on, must be monos.

Recall the example from the introduction: In a file system, there is a user U that owns an object
O and wants to delete this object. The deletion of objects is only allowed whenever the object is
not protected, or (if the object is protected) the user has administrator privileges (is root). This
example can be modeled in the category Graph. The rule del for deleting an object is defined as
follows:

del :
UO

owns
`←

U r→
U

1 Nested application conditions allow nesting of quantifiers.

Proc. Doctoral Symposium ICGT 2010 4 / 14


ECEASST

The GAC A , describing the required conditions looks as follows (The mappings of ϕ1 and ϕ2
are induced by the node- and edge-labels):




UO
owns

,∀,







ϕ1→,




UO
owns

protected

,∃,







ϕ2→,




UO
owns

protected root

,∀, /0






















To understand how this GAC models the wanted condition, it is helpful to spell out the condition
in the following way:

1. In all cases that the object that should be deleted is marked as protected (if the object is
not protected, the rule is applicable),

2. ensure that there exists a marking (root loop) that the user has administrator rights.

3. If the user is root, the rule is applicable in all cases.

While constructing application conditions, one usually faces the problem of composing two
GACs by a boolean operation or of negating a GAC. The following definition will give the needed
constructions for the standard set of boolean operations.

Definition 6 (Operations on GACs) Let A = (A,Q,S) and B be from GACA and c : A → K.

Negation: ¬A

¬A =

{
(A,∃,S′) if Q =∀
(A,∀,S′) if Q =∃

where S′ ={(ϕi,¬Ai) | (ϕi,Ai)∈ S}

Conjunction: A ∧B
A ∧B = (A,∀,{(idA,A ),(idA,B)})

Disjunction: A ∨B
A ∨B = (A,∃,{(idA,A ),(idA,B)})

Note: since every identity is a mono, MonoGACs are closed under negation (where no mor-
phism is changed or added), conjunction and disjunction.

4 GACs for Reactive Systems

The definition of GACs is not restricted to special categories. This allows the usage of GACs in
other settings, too. In this section, we will show that GACs provide a way to describe application

5 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

condition for reactive systems as well. The main theorem states, that every application condition
for a DPO rule for an adhesive category C can be translated into a GAC for the corresponding
reactive system rule in cospanl (C).

Theorem 1 Every DPO rule p = L ← I → R with MonoGAC A = (L,Q,S) in an adhesive cat-
egory C can be converted into an equivalent reactive system rule p̃ with GAC ˜A in cospanl (C).

The rules p and p̃ and the corresponding GACs are equivalent if for every rewriting step
G →p G′, the step (0→G←0)→p̃ (0→G′ ←0) is possible and vice versa.

The proof of this theorem has two main parts. The first part will show, that for a DPO rule p, a
MonoGAC A = (L,Q,S) can be transformed into an equivalent MonoGAC ˆA = (I,Q,Ŝ), where
L is the LHS of p and I is the interface of p. This part basically recalls results from [Pen08] for
the definition of MonoGACs. It is straightforward to connect application conditions to rules via
the interface I, and not via the LHS L, since there is everything known about L. The parts of a
graph that are of interest, concerning the application condition, are not in L and can be reached
via the interface I as well. The main construction of part I is given by the following definition:

Definition 7 (MonoGAC shifting) Given a MonoGAC A = (L,Q,G) from MonoGACL and a
morphism ` : I → L, the shifting A `← of A via ` is defined as follows:

A `←
=
(
I,Q,G′

)
, where

G′ ={
(ϕ′,A ′

`′←
) | I

ϕ
′

� D
`′→ RO(B) is the pushout complement of I `→ L

ϕ

� RO(B) and (ϕ,B)∈ G
}

For every (ϕ,B)∈ G, one constructs all pushout complements for I `→ L
ϕ

� RO(B) and takes
only the ones into account, that start with a mono. For a GAC B = (B,Q,S), RO(B) is B, the
root object of B. Note that both GACs A and A `← are defined over the same category.

The second part will then show how ˆA = A `← is translated into
˜A over cospanl (C). Note that

the second part works for all GACs. Only the first part needs MonoGACs. The corresponding
construction is defined by:

Definition 8 (GAC conversion) A MonoGAC A = (I,Q,S) over an adhesive category C is
converted into a GAC A co over the category cospanl (C) by the following construction:

A co = (I,Q,S′), where

S′ =
{(

X
ϕi→Y id←Y,A coi

)
| (ϕi,Ai)∈ S

}

Proc. Doctoral Symposium ICGT 2010 6 / 14


ECEASST

Part I

Proof.
Let the following pushout diagram be given (h and m are monos) and let A be from MonoGACL

I K

L Gm

h

g`

We will now show (by induction over the structure of A ) that the following holds:

(m |= A )⇔
(

h |= A `←
)

Base of induction Assume that the GAC has the form (L′,Q, /0).

Q =∀: Given a GAC A ′ = (L′,∀, /0) and a morphism `′ : I′ → L′, then, A ′
`′←

is (I′,∀, /0). For
every morphism m′ m′ |= A holds. And for every h′ h′ |= A ′

`′←
. Therefore, A ′ and

A ′
`′←

are equivalent.

Q =∃: Given a GAC A ′ = (L′,∃, /0) and a a morphism `′ : I′ → L′, then, A ′
`′←

is (I′,∃, /0).
There is no morphism m′ such that m′ |= A holds , and there is no h′, such that
h′ |= A ′

`′←
holds. Therefore, A ′ and A ′

`′←
are equivalent.

Induction step Assume the following situation: A = (L′,Q,{(ϕi,Ai) | 1 ≤ i ≤ n}), `′ : I′ → L′
and (`′,m′,h′,g) is a pushout (see diagram below). Let the index set C be defined as fol-
lows:

C =
{

i | Ai
ϕi
� L′

`′← I′ has a pushout complement
}

. For each i ∈ C, the situation is de-

picted in the figure below (I′ � Bi → Ai is a corresponding pushout complement):

I′ Bi K

L′ Ai G
ϕi

m′

h′

`′′`
′ g

m′′

h′′

Note: The pushout splitting property in adhesive categories [LS05] implies: Whenever
there exists a m′′ : Ai � G, making (ϕi,m′′,m′) a commuting triangle, the outer pushout can
be split at Ai (by taking the pullback of m′′ and g) and therefore the pushout complement
I′ � Bi → Ai must exist. Since pullbacks preserve monos, h′′ is a mono.
To avoid index overloading, we set A `← = B

7 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

1:(m′ |= A )⇒ (h′ |= B)

Q =∃: Following the definition of GACs, (m′ |= A ) implies the existence of a mono
m′′ and a natural number i, such that m′ = ϕi; m′′ and m′′ |= Ai. The existence
of m′′ implies i ∈ C (the pushout complement must exist, see note above). Let
h′′ : Bi � K be the morphism that must exist due to the pushout splitting. Sice
h′′ |= Bi holds by induction, h′ |= B holds as well.

Q =∀: Assume there exists a mono h′′, that does not satisfy Bi. Splitting the outer
pushout in the diagram above at Bi implies the existence of a morphism m′′ and
by induction we get: m′′ 6|= Ai. This contradicts (m′ |= A ), since there is a
morphism m′′ from Ai to G, and m′ = ϕi; m′′ holds, but m′′ |= Ai does not hold.
But by definition for every morphism m′′, such that m′ = ϕi; m′′ holds, m′′ |= Ai
holds.

2:(m′ |= A )⇐ (h′ |= B)

Q =∃: (h′ |= B) implies the existence of a mono h′′ : Bi � K. The morphism m′′ is
now obtained as the mediating morphism from the left pushout square in the
diagram above, considering the morphisms m′ and h′′; g. By induction, we know
that h′′ |= Bi ⇔ m′′ |= Ai. Therefore m′ |= Ai

Q =∀: Assume there exists a mono m′′ : Ai � G and m′′ 6|= Ai. By the construction
given above, there must be a h′′, not satisfying Bi. This contradicts that every
possible morphism h′′ : Bi → K satisfies Bi, as the induction hypothesis states.

Consider the running example:
It is easy to see, that there is no pushout complement for • `→•

ϕ1→• (dangling edges), and

therefore A `← is the trivial GAC


 U ,∀, /0


, which is satisfied by every morphism m that has

a single user node as domain.
This does not contradict Theorem 1, since rule del is never applicable to protected objects

due to the dangling edge condition for the protected loop. In order to make the example more
interesting, we introduce a new rule delp, deleting protected objects. The application condition
now ensures that the user is root. 2

delp :
UO

owns

protected

`←
U r→

U

2 This case can be modeled by a DPO rule without application condition, by simply adding the root loop to the user
node in the LHS, the interface and the RHS, but due to space limitations, we have chosen this small example.

Proc. Doctoral Symposium ICGT 2010 8 / 14


ECEASST

B :




UO
owns

protected

,∃,







ϕ
→,




UO
owns

protected root

,∀, /0













This GAC can be spelled out as: Whenever one wants to delete a protected object, there must
exist a root loop at the user node.
In this situation, exactly one pushout complement of • `→•

ϕ
→• exists. It is:

U ϕ′
→

U

root

`′→
UO

owns

protected root

This pushout complement results in:

B `←
:




U
,∃,







ϕ
′
→,




U

root

,∀, /0













Part II

Proof.
Let m = I � H be a mono from C, A ∈ GACI and let c := I

m
� H ← 0 be a morphism from

cospanl (C). It is left to show3, that the following holds:

(m |= A )⇔ (c |= A co)

The proof will use induction over the structure of A .

Base of induction Let A be (I′,Q, /0). By construction A co is (I′,Q, /0).

Q =∃: No morphism from C satisfies (I′,∃, /0) and no cospan from cospan(C) satisfies
(I′,∃, /0). Therefore the two GACs are equivalent.

3 The proof works even for classical DPO rewriting (the vertical morphisms are not necessarily monos), but in this
setting the constructed cospans are no longer left-linear.

9 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

Q =∀: Every morphism from C satisfies (I′,∀, /0) and every cospan from cospan(C) sat-
isfies (I′,∀, /0). Therefore the two GACs are equivalent.

Induction step Assume A = (I′,Q,S) with S =
⋃n

i=1(ϕi,Ai) and for all Ai holds:

(m′ |= Ai)⇔ (c′ |= A coi ), whenever c
′ is I

m′→ H ← 0.

1:(m |= A )⇒ (c |= A co)
Q =∃: From the definition of GACs it follows that there exists a morphism m′ and

an index i such that m = ϕi; m′ and m′ |= Ai. By induction, we know that
c′ = Ai

m′→H←0 satisfies A coi . The following diagram shows (since the inner
square is a pushout) that for the cospan ϕ′i = I

′ ϕi→Ai
id←Ai the following holds:

ϕ
′
i ; c
′ = c. Since c′ |= A coi , c satisfies A

co.

Ai Ai I′

H H

0

id ϕi

m′ m′ m
id

ϕ
′
i

c

c′

Q =∀: Assume there exists a cospan c such that c 6|= A co. By definition we get the
existence of an index i and a morphism c′ such that ϕi; c′ = c and c′ 6|= A coi . The
diagram above shows that there exists a morphism m′ : Ai → H. Since m |= A ,
m′ must satisfy Ai. Using the induction hypothesis, this means that c′ |= A coi ,
which contradicts the assumption.

2:(m |= A )⇐ (c |= A co)

Q =∃: From the definition of GACs, there must be a cospan c′ = Ai
m′→H←0 and an

index i, such that c = ϕ′i ; c
′ and c′ |= A coi . By the induction hypothesis, m

′ |= Ai.
Therefore, m satisfies A .

Q =∀: Assume there exists a morphism m′ and an index i, such that m = ϕi; m′

and m′ 6|= Ai. By the induction hypothesis, the cospan c′ = Ai
m′→ H ← 0 can-

not satisfy A coi . Since ϕ
′
i ; c
′ = c, c cannot satisfy A co, which contradicts the

assumption.

Using these results, the following construction gives an equivalent reactive system rule p̃ with
GAC ˜A over cospanl (C) for a DPO rule p = L

`← I r→ R with a MonoGAC A ∈ MonoGACL

Proc. Doctoral Symposium ICGT 2010 10 / 14


ECEASST

over C.

p̃ =
(
0→L `← I,0→R r← I

)
˜A =
(
A `←

)co
We have shown that A is equivalent to A `← and that A `← is equivalent to

(
A `←

)co
. Therefore,

A and ˜A are equivalent.
The construction for the running example:

First, we build the rule d̃elp = (s`,sr) by constructing s` and sr.

s` = 0→
UO

owns
`←

U

sr = 0→
U r←

U

The GAC B̃ is finally constructed as:

B̃ :




U
,∃,







ϕ̃ =




U ϕ′
→

U

root

id←
U

root


,




U

root

,∀, /0













GACs in cospanl (C) allow slightly more control over the application of a rule, than the cor-
responding GACs in C. As induced by the results above, these cases must use GACs, where at
least one cospan is not of the form A→B id←B.

Definition 9 (finite GAC) A GAC A = (I,Q,S) is called finite, whenever the object I is finite,
all GACs in S are finite and S is finite.

An object I is finite iff the numbers of monos (up to isomorphism) with codomain I is finite.

Lemma 1 There exists a finite GAC A in cospanl (C), such that there is no finite GAC B in C
with Bco ≡ A .

Proof. Let C be the category of graphs with an infinite alphabet Σ of edge labels, where mor-
phisms must preserve labels. Let A be defined as (0,∀,{(0→◦←0,(0,∃, /0))}). This represen-
tation shows: A is finite. If a cospan c satisfies A , D (the inner object of the cospan c) contains
no isolated node.
Assume a finite GAC B exists, such that A ≡ Bco. Let L be the set of all edge labels of all the

11 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

graphs, contained somewhere in B. Since B is finite, L is finite. Therefore, there is a label e in
Σ, that is not in L. Since there is no edge label e in B, whenever m = 0 → (◦ ◦) satisfies B, so
does me = 0 → (◦

e→◦). This holds, because the edge cannot be in the image of any morphism
originating from objects in B, since labels must be preserved. Let c be 0 → (◦ e→◦) ← 0. This
gives: c 6|= A , but m |= B, which implies: A 6≡ Bco. This contradicts the assumption.

5 Application to Bisimulation Theory and Future Work

We will now describe the applications of GACs to bisimulation theory. We are considering open
systems, that can interact with a context.

Context aware bisimulations:

The behavior of two systems might be different, if both systems are in a certain context, but
may be bisimilar under another set of contexts. Qur key idea is to use GACs to describe the
conditions a context has to satisfy such that the behavior of the systems is bisimilar under that
context. While exploiting this idea, there are several problems to solve:

1. Is the context of a system fixed forever, or may the context change over time? This includes
the problem that sometimes the application of a rule is possible and sometimes it is not.

2. Is the entire context visible to the system, or does a system only see the part of the context
that actually matters for the next step?

3. How can one model the different influences on the system, caused by the behavior of the
system itself or introduced by the context, the system is in? For example, some branching
decisions are made by the actual context, other branches offer the freedom of choice to the
system.

To analyze the behavior of a graph rewriting system (in an adhesive graph category C), one
could generate a labeled transition system (LTS), where the states of the LTS are graphs, and a
transition between two graphs GA and GB indicates the fact, that GA can be rewritten to GB by
a rewriting rule. In order to allow a more specific analysis, the transitions can be labeled with
additional information (such as the name of the rule etc.) One very successful mechanism to
create labels is the borrowed context technique [EK06]. The borrowed context label shows what
has to be added to GA, to make a rule applicable.
Transferring this idea to the setting of reactive systems, the borrowed context diagrams turn out
to be a special class of squares in cospanl (C), sharing some nice properties (they are GIPOS in
the corresponding 2-category [SS03]). This allows to adapt the borrowed context technique to
reactive system rules with application conditions.

We already have adapted (but not yet published) label generation via borrowed contexts to
rules with GACs, deriving a GAC the added context has to satisfy.

To analyze the behavior of the system, one can apply methods from bisimulation theory to
the generated LTSs. For negative application conditions on DPO rules, this has been done in
[RKE08]. We are currently working on the proof that the bisimulations obtained by our label

Proc. Doctoral Symposium ICGT 2010 12 / 14


ECEASST

generation process are congruences and are the coarsest bisimulations.

To find a more general approach to the problem of context-sensitive behavior analysis, we are
currently working on a setting that covers all of the cases above. Therefore, we have expanded
the following approach: An LTS can be seen as a coalgebra. If the final coalgebra Ω exists,
bisimilar states are mapped to the same state in Ω. Our idea is to hide the side-effects the con-
text gives in a monad and then apply this techniques to the resulting Kleisli category. We have
sketched an algorithm that computes not the complete final coalgebra, but only the part that is
needed to compare the behavior of the given states. The information what behavior a state has
under which context is given by the Kleisli arrow into Ω.

Applications to the Verification of Model Transformations:

The verification of model transformations is a well-studied (see [HKR+10, NK06, BHE08,
EKR+08]) and interesting playground for the techniques presented here. So far, we concentrated
on the in-situ transformations, where a part of the source model is replaced by a part of the target
model. Other approaches construct the target model while parsing the source model, but do not
destroy the source model (See [K0̈5, SK08, HKR+10]). For the verification of a model trans-
formation, three sets of rules are needed. The semantic rules of the source model, of the target
model and the set of in situ transformation rules. Our ideas can be used to cover for example:
NACs on the semantic rules [RKE08], GACs on the semantic rules and GACs on the transforma-
tion rules.
The last topic is not just interesting for classical model transformation, but also for system migra-
tion, where subsystems of a model are replaced by other systems. It might be possible to derive a
migration plan, that describes in which order the systems must be replaced (under which contexts
the systems must be), in order to obtain a behaviorally equivalent system after every migration
step. The in-situ approach fits perfect into this setting, since the entire system is not changed in
one big step, but in several smaller steps with longer periods between them. Processes like this
are a wide-spread source of errors and problems in the IT industry (changing the firewall / the
database, migrating to a new authentication mechanism, switch from POP3 to IMAP, from DNS
to DNSSEC, from IPv4 to IPv6, etc.).

Acknowledgements: The ideas and techniques, presented in this paper, were not discovered by
the author alone, but are part of a larger work package the author participates on. Therefore, the
author likes to thank Filippo Bonchi, Alexandra Silva, H.J. Sander Bruggink, Christoph Blume,
Jan Stückrath, Tobias Heindel and especially Barbara König for all the help, ideas and fruitful
discussions.

Bibliography

[BHE08] D. Bisztray, R. Heckel, H. Ehrig. Verification of Architectural Refactorings by Rule
Extraction. In FASE ’08. LNCS 4961, pp. 347–361. Springer, 2008.

13 / 14 Volume 38 (2010)


Application Conditions for Reactive Systems

[EK06] H. Ehrig, B. König. Deriving Bisimulation Congruences in the DPO Approach to
Graph Rewriting with Borrowed Contexts. MSCS 16(6):1133–1163, 2006.

[EKR+08] G. Engels, A. Kleppe, A. Rensink, M. Semenyak, C. Soltenborn, H. Wehrheim.
From UML Activities to TAAL - Towards Behaviour-Preserving Model Transfor-
mations. In ECMDA-FA ’08. LNCS 5095, pp. 95–109. Springer, 2008.

[HKR+10] M. Hülsbusch, B. König, A. Rensink, M. Semenyak, C. Soltenborn, H. Wehrheim.
Full Semantics Preservation in Model Transformation – A Comparison of Proof
Techniques. Technical report TR-CTIT-10-09, Centre for Telematics and Informa-
tion Technology, University of Twente, 2010.

[K0̈5] A. Königs. Model transformation with Triple Graph Grammars. In Workshop on
Model Transformations in Practice. 2005.

[LS05] S. Lack, P. Sobocinski. Adhesive and quasiadhesive categories. Theoretical Infor-
matics and Applications 39(2):522–546, 2005.
http://eprints.ecs.soton.ac.uk/13599/

[NK06] A. Narayanan, G. Karsai. Towards Verifying Model Transformations. In GT-
VMT ’06. ENTCS 211, pp. 185–194. 2006.

[Pen08] K.-H. Pennemann. Resolution-Like Theorem Proving for High-Level Conditions. In
ICGT ’08. LNCS 5214, pp. 289–304. Springer, 2008.

[Ren04] A. Rensink. Representing First-Order Logic using Graphs. In ICGT ’04.
LNCS 3256, pp. 319–335. Springer, 2004.

[RKE08] G. Rangel, B. König, H. Ehrig. Deriving Bisimulation Congruences in the Presence
of Negative Application Conditions. In FOSSACS ’08. LNCS 4962, pp. 413–427.
Springer, 2008.

[Roz97] Handbook of Graph Grammars and Computing by Graph Transformations. In
Rozenberg (ed.), Handbook of Graph Grammars. Volume Volume 1: Foundations.
World Scientific, 1997.

[SK08] A. Schürr, F. Klar. 15 Years of Triple Graph Grammars. In ICGT ’08. LNCS 5214,
pp. 411–425. Springer, 2008.

[SS03] V. Sassone, P. Sobociński. Deriving bisimulation congruences using 2-categories.
Nordic J. of Computing 10:163–183, May 2003.

[SS05] V. Sassone, P. Sobociński. Reactive systems over cospans. In LICS ’05. Pp. 311–320.
IEEE, 2005.

Proc. Doctoral Symposium ICGT 2010 14 / 14

http://eprints.ecs.soton.ac.uk/13599/

	Introduction
	Preliminaries
	Generalized Application Conditions
	GACs for Reactive Systems
	Application to Bisimulation Theory and Future Work