Equivalence checking of Petri net models of programs using static and dynamic cut-points

Abstract

Extensive optimizing and parallelizing transformations are carried out on programs, both by (untrusted) compilers and human experts, before deploying them on some platform architecture which is by and large parallel. It is therefore important to devise some suitable modelling paradigm which is capable of capturing parallelism in such a way that proving equivalence of the source programs and their transformed versions becomes easier. In the present work, an untimed Petri net model with data constraints, called CPN model (Coloured Petri net), is used to model the parallel behaviours. Being value based, such models depict more vividly the data dependencies which lie at the core of such transformations; accordingly, they are likely to provide more suitable internal representations (IRs) of both the source and the transformed programs than the IRs like sequential control flow graphs (CFGs). A path based equivalence checking method for CPN models with rigorous treatment of the complexity and correctness issues have been presented. Experimental results show the effectiveness of the approach.

Appendix

1.1 Termination of the equivalence checking algorithm

The path construction algorithm terminates as shown in [13]. Therefore, the respective path covers \({\varPi }_{0}^{'}\) and \({\varPi }_{1}^{'}\) of \(N_0\) and \(N_1\) produced by this algorithm are finite and the equivalence checking phase starts with finite \({\varPi }_{0}^{'}\) and \({\varPi }_{1}^{'}\). The following lemma establishes that they remain finite in the equivalence checking phase. The termination of the equivalence checking phase hinges upon this property.

Lemma 1

Both the initial path covers \({\varPi }_{0}^{'}\) and \({\varPi }_{1}^{'}\) of \(N_0\) and \(N_1\), respectively, remain finite across all the functions (Algorithms 3–10) in the equivalence checking phase.

Proof

Only deletion takes place from \({\varPi }_{0}^{'}\)\(\left( {\varPi }_{1}^{'}\right) \) in the functions trimPrePaths and checkEqDCP (Algorithms 7 and 10). If they start with finite values of \({\varPi }_{0}^{'}\)\(\left( {\varPi }_{1}^{'}\right) \), the finiteness is preserved. Both deletion from and addition to the set \({\varPi }_{0}^{'}\)\(\left( {\varPi }_{1}^{'}\right) \) takes place in the function prepareForExtension (Algorithms 9). Step 10 of the function prepareForExtension (Algorithm 9) updates \({\varPi }_{0}^{'}\)\(\left( {\varPi }_{1}^{'}\right) \) by deleting the set \({\varGamma }_P\) of trimmed pre-paths of \(\gamma ^{'}\), the path \(\gamma ^{'}\) itself and adding the extended path \(\gamma _e = {\varGamma }_P.\gamma ^{'}\). So, \(\left| {\varPi }_{0}^{'}\right| \left( \left| {\varPi }_{1}^{'}\right| \right) \) decreases by \(\left| {\varGamma }_P\right| +1\) and increases by 1, i.e., an effective decrease by \(\left| {\varGamma }_P\right| \). However, \(\left| {\varGamma }_P\right| \ge 0\). If \(\left| {\varGamma }_P\right| =0\); then it remains the same. Hence, in each iteration (step 3 to 12) \(\left| {\varPi }_{0}^{'}\right| \left( \left| {\varPi }_{1}^{'}\right| \right) \) either decreases or remains the same. Outside the loop, since in step 1 there is a decrease by 1, \(\left| {\varPi }_{0}^{'}\right| \left( \left| {\varPi }_{1}^{'}\right| \right) \) decreases in every invocation of function. No other function changes \({\varPi }_{0}^{'}\left( {\varPi }_{1}^{'}\right) \). \(\square \)

Theorem 4

checkEqDCP function (Algorithm 10) always terminates.

Proof

The function checkEqDCP (Algorithm 10) consists of a loop which depends on \(|{\varPi }_{0}^{'}|\) and there is no recursive call also. Hence, the loop always terminates as given in Lemma 1. Therefore, the above mentioned function terminates. \(\square \)

1.2 Soundness of the equivalence checking algorithm

The soundness proof hinges upon the following two lemmas.

Lemma 2

Let C be a parallel combination of concatenated paths which is of the form \(\gamma _1 ||\gamma _2||\ldots ||\gamma _t\) such that \(^{\circ }(\gamma _i) \cap {}^{\circ }(\gamma _j) = \emptyset \), \(1 \le i \ne j \le t\). For any i, \(1 \le i \le t\), let the concatenated path \(\gamma _i\) be of the form \(C_{i}^{'}. \gamma _{i}^{'}\), where \(\gamma _{i}^{'}\) is also a concatenated path contained in \(\gamma _i\) and \(C_{i}^{'} = \{\gamma _{1,i}^{'}|| \gamma _{2,i}^{'}|| \ldots || \gamma _{n_i,i}^{'}\}\) is a set of parallel concatenated paths such that \((C^{'})^{\circ }\) = \(^{\circ }\gamma _{i}^{'}\). Then \((C-\{\gamma _{i}^{'}\}).\gamma _{i}^{'} \equiv C, 1 \le i \le t\).

Proof

\(C-\{\gamma _{i}^{'}\} = \gamma _1 || \gamma _2 || \ldots || \gamma _{i-1} || (\gamma _{1,i}^{'} || \gamma _{2,i}^{'}|| \ldots || \gamma _{n,i}^{'})||\gamma _{i+1} || \ldots || \gamma _t\)

\(=(\gamma _1 || \gamma _2 || \ldots || \gamma _{i-1} || \gamma _{i+1} || \ldots || \gamma _t) || (\gamma _{1,i}^{'} || \gamma _{2,i}^{'}|| \ldots || \gamma _{n,i}^{'})\) (by commutativity of parallel paths)

Hence,

\((C-\{\gamma _{i}^{'}\}).\gamma _{i}^{'} = \{(\gamma _1 || \gamma _2 || \ldots || \gamma _{i-1} || \gamma _{i+1} || \ldots || \gamma _t) || (\gamma _{1,i}^{'} || \gamma _{2,i}^{'}|| \ldots || \gamma _{n,i}^{'})\}.\gamma _{i}^{'}\)

\(= (\gamma _1 || \gamma _2 || \ldots || \gamma _{i-1} || \gamma _{i+1} || \ldots || \gamma _t) || \{(\gamma _{1,i}^{'} || \gamma _{2,i}^{'}|| \ldots || \gamma _{n,i}^{'}).\gamma _{i}^{'}\}\)

\(= (\gamma _1 || \gamma _2 || \ldots || \gamma _{i-1} || \gamma _{i+1} || \ldots || \gamma _t || \gamma _i) = C\) (by commutativity pf parallel paths). \(\square \)

Lemma 3

If \({\varPi }_{0}^{'}\) (\({\varPi }_{1}^{'}\)) is a path cover of \(N_0\)\((N_1)\) and the function checkEqDCP (Algorithm 10) reaches step 29, then so is \({\varPi }_{0}\) (\({\varPi }_{1}\)).

Proof

The lemma is proved for \({\varPi }_0\); proof for \({\varPi }_1\) follows identically. Consider any computation \(\mu _{0,p}\) of an out-port p of \(N_0\). If \(\mu _{0,p}\) can be expressed as a concatenation of parallelizable paths taken from \({\varPi }_0\), then we are done. Since \({\varPi }_{0}^{'}\) is a path cover of \(N_0\), \(\mu _{0,p}\) can be expressed as a concatenation, \(C_{0}^{'}\) say, of parallelizable paths taken from \({\varPi }_{0}^{'}\). The function constructConcatenatedParallelizablePath (Algorithm 11) constructs the (desired) concatenation \(C_0\) of parallelizable paths of \({\varPi }_0\) from \(C_{0}^{'}\). The inputs to this function are \(C_{0}^{'}\) and the set E of pairs of equivalent paths of \(N_0\) and \(N_1\) obtained from the equivalence checking phase. The output of the function is \(C_0\).

The function starts by initializing the concatenation \(C_0\) to empty. Let \(last(C_{0}^{'})\)\((last (C_0))\) represent the last set of parallelizable paths of \(C_{0}^{'}\) (\(C_0\)). To start with, last(\(C_{0}^{'}\)) is a singleton. Dynamically, for each path \(\gamma ^{'}\) in last(\(C_{0}^{'}\)), the function checks whether \(\gamma ^{'}\) occurs as the first member of some pair in E. If so, the function updates \(C_{0}^{'}\) by deleting \(\gamma ^{'}\) from \(C_{0}^{'}\) (i.e., from last(\(C_{0}^{'}\))) and concatenating \(\gamma ^{'}\) with \(C_0\) (i.e., ahead of \(C_0\)). Otherwise, the function searches for an extended path \(\gamma _e\) containing \(\gamma ^{'}\), occurring as the first member of some pair in E. The fact that such a path surely exists follows from the fact that the function checkEqDCP (Algorithm 10) reaches step 29 and hence the loop (steps 2 to 27) of the function terminates, i.e., \({\varPi }_{0}^{'}\) is rendered empty; it is given that \({\varPi }_{n,0}\) is \(\emptyset \); hence, every path of \({\varPi }_{0}^{'}\), either individually or in extended form, has been put as a first member in E. On finding \(\gamma _e\), the function updates \(C_{0}^{'}\) by deleting all the paths of \({\varPi }_{0}^{'}\) occurring in \(\gamma _e\) from \(C_{0}^{'}\); it then updates \(C_0\) by concatenating \(\gamma _e\) with \(C_0\).

The fact that \(C_0\) comprises only the first members of the pairs in E is clear from the conditions associated with the if statement in step 3 and the assignment in steps 5 and 11 of (Algorithm 11) which are the only steps where addition to \(C_0\) takes place; so, for any paths of \({\varPi }_{0}^{'}\), the function has found an equivalent path, either for itself or after extending it. The first members of E belong to \({\varPi }_0\). Hence, \(C_0\) contains only paths of \({\varPi }_0\).

Now, it is required to show that \(C_0 \equiv C_{0}^{'}\). Let \(C_{0,i}^{'}\) (\(C_{0,i}\)) be the value of \(C_{0}^{'}\) (\(C_{0}\)) after the \(i^{th}\) iteration of the loop (steps 2 – 13); note that \(C_{0,0}^{'} = C_{0}^{'}\) and \(C_{0,0} = \emptyset \) are the initial values of \(C_{0}^{'}\) and \(C_{0}\), respectively. Let the loop (steps 2 – 13) iterate \(f+1\) times. We show that \(C_{0}^{'} \equiv C_{0,i}^{'}.C_{0,i}, 0 \le i \le f\). In the loop, \(C_{0}^{'}\) shrinks in size (in steps 4 and 9), by losing its paths from its last set \(last(C_{0}^{'})\). So when the loop terminates, \(last(C_{0}^{'})\) must be empty and hence \(C_{0,f}^{'} = \emptyset \). Hence, once the above equivalence is proved, for \(i=f\), \(C_{0}^{'} \equiv C_{0,f}^{'}. C_{0,f} \equiv C_{0,f} \equiv C_0\) and we have the desired \(C_0\). We now show the equivalence \(C_{0}^{'} \equiv C_{0,i}^{'}. C_{0,i}, 0 \le i \le f\), by induction on i.

• Basis (\(i =0\)): \(C_{0,0}^{'}. C_{0,0} \equiv C_{0,0}^{'}. \emptyset \equiv C_{0,0}^{'} \equiv C_{0}^{'}\).

• Induction hypothesis: Let \(\forall i, 0 \le i \le k\), the statement \(C_{0}^{'} \equiv C_{0,i}^{'}. C_{0,i}\) be true, for any \(k < f\).

• Induction step:

  • Case 1: Let the \((k+1)\)th iteration find the condition associated with step 3 to hold, i.e., \(\gamma ^{'}\) occurs as the first member of some pair in E whereupon it goes through steps 4 and 5. From step 4, \(C_{0,k+1}^{'}= C_{0,k}^{'} - \{\gamma ^{'}\}\) and from step 5, \(C_{0,k+1} = \gamma ^{'}.C_{0,k}\), where \(\gamma ^{'}\) has an equivalence with some path in \(N_1\) (by construction of E). From the definition of set of parallelizable paths (Definition 18) and Lemma 2,

    $$\begin{aligned}&C_{0,k+1}^{'}.C_{0,k+1} \equiv (C_{0,k}^{'} - \{\gamma ^{'}\}). (\gamma ^{'}.C_{0,k})\hbox { (by steps 4 and 5 of Algorithm} 11) \\&\equiv ((Prefix (C_{0,k}^{'}). last (C_{0,k}^{'})) - \{\gamma ^{'}\}).(\gamma ^{'}.C_{0,k}) \\&\quad (\hbox {where} Prefix(C_{0}^{'})\hbox { is the concatenation }C_{0}^{'}\hbox { minus }last(C_{0}^{'})) \\&\equiv (Prefix (C_{0,k}^{'}). (last (C_{0,k}^{'}) - \{\gamma ^{'}\})). (\gamma ^{'}.C_{0,k}) \\&\quad (\hbox {since }\gamma ^{'} \in last(C_{0,k}^{'}),\hbox { deleting }\gamma ^{'}\hbox { from }C_{0,k}^{'}\hbox { only affects }last(C_{0,k}^{'})) \\&\equiv (Prefix (C_{0,k}^{'}). ((last (C_{0,k}^{'}) - \{\gamma ^{'}\}).\gamma ^{'})).C_{0,k} \\&\quad \hbox {(by associativity of concatenation)} \\&\quad \equiv (Prefix (C_{0,k}^{'}). (last (C_{0,k}^{'}))).C_{0,k} \\&\quad (\hbox {by Lemma }~2\hbox { applied on last}(C_{0,k}^{'})\hbox { which is a} \\&\quad \hbox {set of parallel paths containing a single path }\gamma ^{'}) \\&\equiv C_{0,k}^{'}.C_{0,k} \\&\equiv C_{0}^{'}\hbox { (by induction hypothesis)}. \end{aligned}$$

  • Case 2: Let the \((k+1)^{th}\) iteration find the negation of the condition associated with step 3 to hold. Let the concatenated path \(\gamma _e\) containing \(\gamma ^{'}\) found in step 7 be of the form \((\gamma _{e,1} || \gamma _{e,2} || \ldots || \gamma _{e,l}).\gamma ^{'})\). After the loop (steps 8–10),

    $$\begin{aligned} C_{0,k+1}^{'}=C_{0,k}^{'} - \{\gamma _e\}. \end{aligned}$$

    (1)

    From lemma 2, applied repeatedly for each execution of step 9 in the loop, we have,

    $$\begin{aligned} C_{0,k}^{'} \equiv (C_{0,k}^{'} - \{\gamma _e\}).\gamma _e \equiv C_{0,k+1}^{'}.\gamma _e.(from ~(1)) \end{aligned}$$

    (2)

    After execution of step 11,

    $$\begin{aligned} C_{0,k+1} \equiv \gamma _e.C_{0,k}. \end{aligned}$$

    (3)
    $$\begin{aligned}&\hbox {Hence, } C_{0,k+1}^{'}.C_{0,k+1} \equiv (C_{0,k}^{'} -\{\gamma _e\}).(\gamma _e.C_{0,k})\hbox { (from 1 and 3)} \\&\equiv \{(C_{0,k}^{'} -\{\gamma _e\}).\gamma _e\}.C_{0,k}\hbox { (associativity of concatenation)} \\&\equiv C_{0,k}^{'}.C_{0,k}\hbox { (from 2)} \\&\equiv C_{0}^{'}\hbox { (by induction hypothesis)} \end{aligned}$$

\(\square \)

Theorem 5

If the function checkEqDCP (Algorithm 10) reaches step 30 and (a) returns \({\varPi }_{n,0} = \emptyset \), then \(N_0 \sqsubseteq N_1\) and (b) if it returns \({\varPi }_{n,1}=\emptyset \), then \(N_1 \sqsubseteq N_0\).

Proof

We give the proof of part (a) below; that of part (b) follows identically. From Lemma 3, we can conclude that \({\varPi }_{0}\) gives a path cover of \(N_0\). Hence, for any out-port p of \(N_0\), any computation \(\mu _{0,p}\) can be represented as a concatenation, \(Q_{0,0}.Q_{0,1}. \ldots . Q_{0,l}\) say, of sets of parallel paths, such that \(p \in Q_{0,l}^{\circ }\), \(^{\circ }Q_{0,0} \subseteq inP_0\), \(Q_{0,l}\) is a singleton \(\{\alpha _l\}\), say, and \(Q_{0,i}\) contains only paths from \({\varPi }_0\), \(0\le i \le l\). Whenever a path \(\alpha \) is introduced in \({\varPi }_{0}\) (only in steps 5 and 12 of Algorithm 10) an entry \(\langle \alpha , \beta \rangle \) is introduced in E (with \(\alpha \simeq \beta \)). Hence, for any path \(\alpha \in Q_{0,i}\) for some i, there exists a path \(\beta \) of \(N_1\) such that \(\langle \alpha , \beta \rangle \in E\). Hence, we can construct a concatenation, \(C_{1,p'}\) say, of parallel paths of \(N_1\) such that \(C_{1,p'}= Q_{1,0}.Q_{1,1}. \ldots . Q_{1,l}\), where \(Q_{1,i} = \{\beta \mid \langle \alpha , \beta \rangle \in E\) and \(\alpha \in Q_{0,i}\}\). We show that \((1)\,C_{1,p'}\) is a computation of \(f_{out}(p)\) in \(N_1\) and \((2)\,C_{1,p'} \simeq \mu _{0,p}\).

• Proof of (1): \(C_{1,p'}\) is alternatively rewritten as a sequence of sets of places, namely, \(\langle ^{\circ }Q_{1,0}, ^{\circ }Q_{1,1}\), \(\ldots , ^{\circ }Q_{1,i}, ^{\circ }Q_{1,i+1},\)\(\ldots , ^{\circ }Q_{1,l}, Q_{1,l}^{\circ }\rangle \). It is required to prove \((a) {}^{\circ }Q_{1,0} \subseteq inP_1\), \((b) f_{out}(p) \in Q_{1,l}^{\circ }\), \((c) Q_{1,i+1}^{\circ } = (Q_{1,i}^{\circ })^{+}, 0 \le i \le l\).

  • Proof of (a): A pair \(\langle \alpha , \beta \rangle \) of paths is put in E by the function checkEqDCP (Algorithm 10) (steps 5,12 and 16) if they are ascertained to be equivalent by the function findEqvDCP (Algorithm 4); the latter will examine their equivalence only if they are found to satisfy the property \(^{\circ }\alpha \subseteq inP_0 \Rightarrow ^{\circ }\beta \subseteq inP_1\) and \(^{\circ }\beta = f_{in}(^{\circ }\alpha )\) by the function findCandidate (Algorithm 3 – step 7). Hence, \(^{\circ }Q_{0,0} \subseteq inP_0 \Rightarrow {}^{\circ }Q_{1,0} \subseteq inP_1\) and \(^{\circ }Q_{1,0} = f_{in}({}^{\circ }Q_{0,0})\).

  • Proof of (b): By construction of \(C_{1,p'}\) from \(\mu _{0,p}\), \(Q_{1,l} = \{\beta _l\}\) is a singleton and if \(Q_{0,l}=\{\alpha _l\}\), then \(\langle \alpha _l, \beta _l \rangle \)\( \in E\) (by construction of \(C_{1,p'}\)). Again, by a similar reasoning as in proof of (a), we find that findCandidate (Algorithm 3) ensures in steps 26-30, that \(\alpha _{l}^{\circ } \in outP_0 \Rightarrow \beta _{l}^{\circ } (= Q_{1,l}^{\circ }) \in f_{out}(\alpha _{l}^{\circ }) = f_{out}(p)\).

  • Proof of (c): Given \(C_{1,p'} = Q_{1,0}.Q_{1,1}. \ldots . Q_{1,l}\). We construct the corresponding sequence of subsets of marking \(\varrho = \langle M_0, M_1, \ldots , M_l, M_{l+1} \rangle \) such that

    $$\begin{aligned} P_{M_0} = {}^{\circ }C_{1,p'} \end{aligned}$$

    (4)
    $$\begin{aligned}&\forall i, 0 \le i \le l, P_{M_{i+1}} = \{p \mid p \in Q_{1,i}^{\circ } \cap {}^{\circ }Q_{1,i+1}\} \ldots \hbox { (a)} \\&\cup \{p \mid p \in Q_{1,i}^{\circ } - {}^{\circ }Q_{1,i+1}\} \ldots \hbox { (b)} \\&\cup \{p \mid p \in P_{M_{i}} - {}^{\circ }Q_{1,i}\} \ldots \hbox { (c)} \end{aligned}$$
    $$\begin{aligned} P_{M_l} = Q_{1,l}^{\circ } \end{aligned}$$

    (5)

    Now, \(C_{1,p'}\) is a computation of \(N_1\) if \(\varrho \) is a computation of \(p'\) (by alternate definition of computation, Sect. 2.2); hence it is required to prove \((I) P_{M_0} \subseteq inP_1\), \((II) P_{M_{l+1}} = \{p'\}\), \((III) P_{M_{i+1}} = P_{M_{i}^{+}}, 0 \le i <l\).

    • Proof of (I)and (II): (I) and (II) are already proved in part (a) and part (b).

    • Proof of (III): If \(p \in P_{M_{i+1}}\) by clause 4(a) or 4(b), then \(p \in Q_{1,i}^{\circ }\), where \(Q_{1,i} = T_{M_i}\), the set of enabled transitions from marking \(M_i\). If \(p \in P_{M_{i+1}}\) by clause 4(c), then \(p \in P_{M_i}\) and \(p \notin {}^{\circ }Q_{1,l}\)\(\Rightarrow p \in P_{M_i}\) and \(p \notin T_{M_{i}}\). Thus, the set \(P_{M_{i+1}}\) of places satisfies the first clause of definition (Definition 1) of place successor marking. Hence \(P_{M_{i+1}} = P_{M_{i}^{+}}\).

• Proof of (2): In \(C_{1,p'}\), \(\forall p_1 \in Q_{1,i}^{\circ }\) , \(0 \le i \le l\), there exists a concatenated path \(\gamma _{p_1}\) of the form \(Q_{1,0}^{(p_1)}.Q_{1,1}^{(p_1)}. \ldots . Q_{1,i}^{(p_1)}\) such that \((Q_{1,i}^{p_1})^{\circ } = \{p_1\}\) (by Definition 19 of concatenated paths in subsection 3.1). The path \(\gamma _{p_1}\) has a condition of execution \(R_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\) and the data transformation \(r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\) (as explained in subsection 3.1). Similarly, in \(\mu _{0,p}\), \(\forall p_0 \in Q_{0,i}^{\circ }\), \(0 \le i \le l\), we can have a path \(\gamma _{p_0}\). So, to prove that \(C_{1,p'} \simeq \mu _{0,p}\), we have to show that \(\forall i, 0 \le i \le l\), \(\forall p_1 \in Q_{1,i}^{\circ }\), \(\exists p_0 \in Q_{0,i}^{\circ }\) such that \(\langle p_0,p_1\rangle \in \eta _p\), \(R_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\)\(\equiv \)\(R_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\) and \(r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\)\(=\)\(r_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\) by induction on i.

  • Basis (\(i=0\)):\(\forall p_1 \in Q_{1,0}^{\circ }, \exists \beta \in Q_{1,0}\), such that \(\beta ^{\circ } = \{p_1\}\). So, \(\gamma _{p_1} = \beta \). By construction of \(C_{1,p'}\) from \(\mu _{0,p}\), \(\exists \alpha , \langle \alpha , \beta \rangle \in E\) and \(\alpha \in Q_{0,0}\). Let \(\{p_0\}\) be \(\alpha ^{\circ }\); so \(\alpha = \gamma _{p_0}\). As \(\langle \alpha , \beta \rangle \in E\), \(R_{\alpha }(f_{pv}(^{\circ }\alpha )\)\(\equiv R_{\beta }(f_{pv}(^{\circ }\beta )\) and \(r_{\alpha }(f_{pv}(^{\circ }\alpha ) = r_{\beta }(f_{pv}(^{\circ }\beta )\) (ensured by the function findEqvDCP (Algorithm 4)). Therefore, \(R_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\)\(\equiv \)\(R_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\) and \(r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\)\(=\)\(r_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\); also, \(\langle p_0, p_1\rangle \in \eta _p\) as ensured by checkEqDCP.

  • Induction Hypothesis: Let \(\forall i, 0 \le i \le k < l\), \(\forall p_1 \in Q_{1,i}^{\circ }, \exists p_0 \in Q_{0,i}^{\circ }\) such that the properties \(R_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\)\(\equiv \)\(R_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\),

    \(r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))= r_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\) and \(\langle p_0,p_1\rangle \in \eta _p\) hold.

  • Induction Step: Required to prove that \(\forall p_1 \in Q_{1,k+1}^{\circ }\), \(\exists p_0 \in Q_{0,k+1}^{\circ }\) such that

    \(R_{\gamma _{p_1}}^{Q_{1,0}}\)\((f_{pv}(^{\circ }\gamma _{p_1}))\)\(\equiv \)\(R_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\), \(r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))=\)

    \(r_{\gamma _{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }\gamma _{p_0}))\) and \(\langle p_0,p_1\rangle \in \eta _p\). Let \(\gamma _{p_1} = C_{1}^{'}.\beta \), where \(\beta ^{\circ } = \{p_1\}\) and \(C_{1}^{'}\) is a set of parallelizable paths such that \((C_{1}^{'})^{\circ } = {}^{\circ }\beta \). Let \(C_{1}^{'} = \beta _1 || \beta _2 || \ldots || \beta _{t_1}\). Now, \(\exists \alpha , \langle \alpha , \beta \rangle \in E\) (by construction of \(C_{1,p'}\) from \(\mu _{0,p}\)). Therefore, as ensured by the function findEqvDCP (Algorithm 4) \(R_{\alpha }(f_{pv}(^{\circ }\alpha )) \equiv R_{\beta }(f_{pv}(^{\circ }\beta ))\), \(r_{\alpha }(f_{pv}(^{\circ }\alpha )) = r_{\beta }(f_{pv}(^{\circ }\beta ))\) and \(\langle \alpha ^{\circ },\beta ^{\circ }\rangle \). Let \(p_0\) be \(\alpha ^{\circ }\). \(\gamma _{p_0}=C_{0}^{'}.\alpha \), where \(C_{0}^{'}\) is a set of parallelizable paths of the form \(\alpha _1 || \alpha _2 || \ldots ||\alpha _{t_1}\) such that \(\langle \alpha _i, \beta _i \rangle \in E, 1 \le i \le t_1\). Therefore,

    $$\begin{aligned}&R_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv}(^{\circ }\gamma _{p_1}))\\&\equiv \bigwedge _{i=1}^{t_1} R_{\beta _i}(f_{pv}(^{\circ }\beta _{i})) \wedge R_{\beta }(f_{pv}(^{\circ }\beta ))\{\overline{v_1} / f_{pv}(^{\circ }\beta )\} \\&\quad \hbox {where, }\overline{v_1} = \langle r_{\beta _1}(f_{pv}(^{\circ }\beta _1)), r_{\beta _2}(f_{pv}(^{\circ }\beta _2)), \ldots , r_{\beta _{t_1}}(f_{pv}(^{\circ }\beta _{t_1})) \rangle )\\&\quad \equiv \bigwedge _{i=1}^{t_1} R_{\alpha _i}(f_{pv}(^{\circ }\alpha _{i})) \wedge R_{\alpha }(f_{pv}(^{\circ }\alpha ))\{\overline{v_0} / f_{pv}(^{\circ }\alpha )\} \\&\quad \hbox {where, }\overline{v_0} = \langle r_{\alpha _1}(f_{pv}(^{\circ }\alpha _1)), r_{\beta _2}(f_{pv}(^{\circ }\alpha _2)), \ldots , r_{\alpha _{t_1}}(f_{pv}(^{\circ }\alpha _{t_1})) \rangle ; \\&\equiv R_{C_{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }C_{p_1})). \\&\quad \hbox {Since by induction hypothesis }r_{\alpha _j}(f_{pv}(^{\circ }\alpha _j)) = r_{\beta _j}(f_{pv}(^{\circ }\beta _j)), \\&\quad 1 \le j \le t_1\hbox {, and }R_{\alpha _i}(f_{pv}(^{\circ }\alpha _i))\equiv R_{\beta _i}(f_{pv}(^{\circ }\beta _i)), \\&\quad \hbox {since }R_{\beta }(f_{pv}(^{\circ }\beta )) \equiv R_{\alpha }(f_{pv}(^{\circ }\alpha ))) \\&\quad \hbox {Similarly, }r_{\gamma _{p_1}}^{Q_{1,0}}(f_{pv} (^{\circ }\gamma _{p_1})) \\&=r_{\beta }(f_{pv}(^{\circ }\beta ))\{\overline{v_1} / f_{pv}(^{\circ }\beta )\} \\&= r_{\alpha }(f_{pv}(^{\circ }\alpha ))\{\overline{v_0} / f_{pv}(^{\circ }\alpha )\} \\&\quad \hbox {since, }\langle \alpha , \beta \rangle \in E\hbox { and }\overline{v_1} = \overline{v_0}\hbox { by induction hypothesis} \\&= r_{C_{p_0}}^{Q_{0,0}}(f_{pv}(^{\circ }C_{p_0})). \end{aligned}$$

\(\square \)