
TL;DR
This paper introduces reward testing to process semantics, providing a finer equivalence that captures conditional liveness properties beyond traditional safety and liveness properties.
Contribution
It proposes reward testing as a new semantic equivalence that refines existing testing equivalences and captures conditional liveness properties.
Findings
Reward testing is strictly finer than may- and must-testing equivalences.
Reward testing captures conditional liveness properties.
It extends the semantic framework for process equivalences.
Abstract
May and must testing were introduced by De Nicola and Hennessy to define semantic equivalences on processes. May-testing equivalence exactly captures safety properties, and must-testing equivalence liveness properties. This paper proposes reward testing and shows that the resulting semantic equivalence also captures conditional liveness properties. It is strictly finer than both the may- and must-testing equivalence.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Reward Testing Equivalences for Processes
Rob van Glabbeek Data61, CSIRO, Sydney, AustraliaSchool of Computer Science and Engineering, University of New South Wales, Sydney, Australia [email protected]
Abstract
May and must testing were introduced by De Nicola and Hennessy to define semantic equivalences on processes. May-testing equivalence exactly captures safety properties, and must-testing equivalence liveness properties. This paper proposes reward testing and shows that the resulting semantic equivalence also captures conditional liveness properties. It is strictly finer than both the may- and must-testing equivalence.
Abstract
This paper is dedicated to Rocco De Nicola, on the occasion of his 65th birthday. Rocco’s work has been a source of inspiration to my own.
Introduction
The idea behind semantic equivalences and refinement preorders on processes is that says, essentially, that for practical purposes processes and are equally suitable, i.e. one can be replaced for by the other without untoward side effects. Likewise, says that for all practical purposes under consideration, is at least as suitable as , i.e. it will never harm to replace by . To this end, must have all relevant good properties that enjoys. Among the properties that ought to be so preserved, are safety properties, saying that nothing bad will even happen, and liveness properties, saying that something good will happen eventually.
In the setting of the process algebra CCS, refinement preorders and , and associated semantic equivalences and , were proposed by De Nicola & Hennessy in [DH84]. In [vG10] I argue that and are the coarsest equivalences that enjoy some basic compositionality requirements111Namely being congruences for injective renaming and partially synchronous interleaving operators, or equivalently all operators of CSP, or equivalently the CCS operators parallel composition, restriction and relabelling. and preserve safety and liveness properties, respectively. Yet neither preserves so-called conditional liveness properties.
This is illustrated in Figure 1, showing two processes that are identified under both may and must testing. From a practical point of view, the difference between these two processes may be enormous. It could be that the action comes with a huge cost, that is only worth making when the good action happens afterwards. Only the right-hand side process is able to incur the cost without any benefits, and for this reason it lacks an important property that the left-hand process has. I call such properties conditional liveness properties. A conditional liveness property says that
under certain conditions something good will eventually happen.
This paper introduces a stronger form of testing that preserves conditional liveness properties.
1 General setting
It is natural to view the semantics of processes as being determined by their ability to pass tests [DH84, henn]; processes and are deemed to be semantically equivalent unless there is a test which can distinguish them. The actual tests used typically represent the ways in which users, or indeed other processes, can interact with . This idea can be formulated in the following general testing scenario [DGHMZ07], of which the testing scenarios of [DH84, henn] are instances. It assumes
- •
a set of processes ,
- •
a set of tests , which can be applied to processes,
- •
a set of outcomes , the possible results from applying a test to a process, and
- •
a function , representing the possible results of applying a specific test to a specific process.
Here denotes the collection of non-empty subsets of ; so the result of applying a test to a process , , is in general a set of outcomes, representing the fact that the behaviour of processes, and indeed tests, may be nondeterministic.
Moreover, some outcomes are considered better then others; for example the application of a test may simply succeed, or it may fail, with success being better than failure. So one can assume that is endowed with a partial order, in which means that is a better outcome than .
When comparing the result of applying tests to processes one needs to compare subsets of . There are two standard approaches to make this comparison, based on viewing these sets as elements of either the Hoare or Smyth powerdomain [Hen82, AJ94] of . For let
- (i)
if for every there exists some such that 2. (ii)
if for every there exists some such that .
Using these two comparison methods one obtains two different semantic preorders for processes:
- (i)
For let if for every test 2. (ii)
Similarly, let if for every test .
Note that and are reflexive and transitive, and hence preorders. I use and to denote the associated equivalences.
The terminology may and must refers to the following reformulation of the same idea. Let be an upwards-closed subset of , i.e. satisfying , thought of as the set of outcomes that can be regarded as passing a test. Then one says that a process may pass a test with an outcome in Pass, notation “ may ”, if there is an outcome with , and likewise must pass a test with an outcome in Pass, notation “ must ”, if for all one has . Now
[TABLE]
where is the set of upwards-closed subsets of .
The original theory of testing [DH84, henn] is obtained by using as the set of outcomes the two-point lattice
\bot$$\top
with representing the success of a test application, and failure.
2 CCS: The Calculus of Communicating Systems
CCS [ccs] is parametrised with a set of names; is the set of actions, where is a special internal action and is the set of co-names. Complementation is extended to by setting \bar{\bar{\mbox{c}}}=c. Below, ranges over and over . A relabelling is a function ; it extends to by and . Let be a set , , …of process variables. The set of CCS expressions is the smallest set including:
[TABLE]
The expression is often written as , as , and as . Moreover, one abbreviates by , and by . A partial function is called a recursive specification, and traditionally written as . A CCS expression is closed if each occurrence of a process variable in lays within a subexpression of with ; , ranged over by , denotes the set of closed CCS expressions, or processes.
The semantics of CCS is given by the labelled transition relation , where transitions P\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}Q are derived from the rules of Table 1. Here denotes the expression (written ) with substituted for each free occurrence of , for all , while renaming bound variables in as necessary to avoid name-clashes.
The process performs the action first and subsequently acts as . The choice operator may act as any of its arguments , depending on which of these processes is able to act at all. The parallel composition executes an action from , an action from , or in the case where and can perform complementary actions and , the process can perform a synchronisation, resulting in an internal action . The restriction operator inhibits execution of the actions from and their complements. The relabelling acts like process with all labels replaced by . Finally, the rule for recursion says that a recursively defined process behaves exactly as the body of the recursive equation , but with recursive calls substituted for the variables .
3 Classical may and must testing for CCS
Let , where is a special action reporting success. A CCS test is defined just like a CCS process, but with ranging over . So a CCS process is a special kind of CCS test, namely one that never performs the action . To apply the test to the process one runs them in parallel; that is, one runs the combined process —which is itself a CCS test.
Definition 3.1**.**
computation A computation is a finite or infinite sequence of tests, such that (i) if is the final element in the sequence, then for no , and (ii) otherwise .
A computation is successful if it contains a state with for some .
For , , let be the set of computations whose initial element is .
Let \mathcal{A}\it pply(T,P):=\{\top\mid\exists\mbox{ successful \pi\in\textit{Comp}(T,P)}\}\cup\{\bot\mid\exists\mbox{ unsuccessful \pi\in\textit{Comp}(T,P)}\}.
Using this definition of it follows that holds unless there is a test such that has (that is, is the initial state of) a successful computation but has not. Likewise holds unless there is a test such that has only successful computations but has not.
4 Dual may and must testing
A liveness property [Lam77] is a property that says that something good will eventually happen. In the context of CCS, any test can be regarded to specify a liveness property; a process is defined to have this property iff all computations of are successful. Now holds iff all liveness properties that are enjoyed by also hold for .
A safety property [Lam77] is a property that says that something bad will never happen. When thinking of the special action as reporting that something bad has occurred, rather than something good, any test can also be regarded to specify a safety property; a process is defined to have this property iff none of the computations of are catastrophic; here catastrophic is simply another word for “successful”, when reversing the connotation of . Now holds iff all safety properties that are enjoyed by also hold for .
A labelled transition system (LTS) over a set is a pair where is a set of processes or states and a set of transitions. In [vG10] preorders and are defined on LTSs. Specialised to the LTS induced by CCS, coincides with , and is exactly the reverse of , in accordance with the reasoning above.
To explain the reversal of when dealing with safety properties, I propose a variant of CCS testing where in Definition LABEL:df:computation the word “catastrophic” is used for “successful” and is redefined by
[TABLE]
An equivalent alternative to redefining is to simply invert the order between and . Let and be the versions of the may- and must-testing preorders obtained from this alternative definition. It follows immediately from the definitions that iff and that iff . Based on this, it may be more accurate to say that coincides with .
A possibility property [Lam98] is a property that says that something good might eventually happen. A test can be regarded to specify a possibility property; a process is defined to have this property iff some computation of is successful. Now holds iff all possibility properties that are enjoyed by also hold for . Lamport argues that “verifying possibility properties tells you nothing interesting about a system” [Lam98]. As an example, consider the following models of coffee machines:
[TABLE]
where is the act of dispensing coffee. The machine surely will not make coffee, makes a nondeterministic choice between making coffee or not, and surely makes coffee. Under may testing, systems and are equivalent—both have the possibility of making coffee—and each of them is better than : . The relevance of this indeed is questionable. It takes must testing to formalise that is better than : only guarantees that coffee will eventually be dispensed.
When employing dual testing, the same example applies, but with denoting a catastrophe. Now is safe, whereas and are not: . Dual may testing would argue that is better than because a catastrophe might be avoided. This however, can be deemed a weak argument.
In view of these considerations, I will focus on the preorders and (or ). The (dual) may preorders simply arise as their inverses, and hence do not require explicit treatment.
5 Reward testing for CCS
A CCS reward test is defined just like a CCS process, but with ranging over , the valued actions. A valued action is an action tagged with a real number, the reward for executing this action. A negative reward can be seen as a penalty. Let be the set of CCS reward tests. The structural operational semantics for CCS reward tests has the following modified rules:
\begin{array}[]{c@{\qquad}c@{\qquad}c}\displaystyle\frac{P\mathrel{\mathrel{\hbox{\mathop{\hbox to15.66374pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime},~{}Q\mathrel{\mathrel{\hbox{\mathop{\hbox to18.06363pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}Q^{\prime}}{P|Q\mathrel{\mathrel{\hbox{\mathop{\hbox to28.80948pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime}|Q^{\prime}}\hypertarget{lab:Comm'}{\ \mbox{{\scriptsize\sc(Comm{}^{\prime})}}}&\displaystyle\frac{P\mathrel{\mathrel{\hbox{\mathop{\hbox to16.44153pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime}}{P\backslash L\mathrel{\mathrel{\hbox{\mathop{\hbox to16.44153pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime}\backslash L}~{}~{}(\alpha,\bar{\alpha}\not\in L)\hypertarget{lab:Res'}{\ \mbox{{\scriptsize\sc(Res{}^{\prime})}}}&\displaystyle\frac{P\mathrel{\mathrel{\hbox{\mathop{\hbox to16.44153pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime}}{P[f]\mathrel{\mathrel{\hbox{\mathop{\hbox to26.06656pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime}[f]}\hypertarget{lab:Rel'}{\ \mbox{{\scriptsize\sc(Rel{}^{\prime})}}}\end{array}
Thus, in synchronising two actions one reaps the rewards of both. In all other rules of Table 1, is simply replaced by , with . A valued action is simply denoted , so that a CCS process can be seen as a special CCS reward test, namely one in which all rewards are [math]. To apply a reward test to a process one again runs them in parallel.
Definition 5.1**.**
reward computation A reward computation is a finite or infinite sequence of reward tests, such that (i) if is the final element in , then T_{\_}n\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}T for no and , and (ii) otherwise T_{\_}n\mathrel{\mathrel{\hbox{\mathop{\hbox to30.61424pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}T_{\_}{n+1}.
The reward of a finite computation ending in is . The reward of an infinite computation is
[TABLE]
*For , , let be the set of reward computations with initial element .
Let .*
This defines reward preorders and on . It will turn out that iff . As a consequence I will focus on , and simply call it .
6 Characterising reward testing
Assuming a fixed LTS , labelled over a set , the ternary relation \mathord{\mathrel{\stackrel{{\scriptstyle\_\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}}\subseteq\mathbb{P}\times\A^{*}\times\mathbb{P} is the least relation satisfying
P\mathrel{\stackrel{{\scriptstyle\epsilon\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}P , \rule{0.0pt}{17.07164pt}\begin{array}[]{c}P\stackrel{{\scriptstyle\tau}}{{\longrightarrow}}Q\\[0.43057pt] \hline\cr\rule{0.0pt}{11.62494pt}P\mathrel{\stackrel{{\scriptstyle\epsilon\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\end{array} , \rule{0.0pt}{17.07164pt}\begin{array}[]{c}P\stackrel{{\scriptstyle a}}{{\longrightarrow}}Q,~{}a\not=\tau\\[0.43057pt] \hline\cr\rule{0.0pt}{11.62494pt}P\mathrel{\stackrel{{\scriptstyle a\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\end{array} and \rule{0.0pt}{17.07164pt}\begin{array}[]{c}P\mathrel{\stackrel{{\scriptstyle\sigma\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\mathrel{\stackrel{{\scriptstyle\rho\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}r\\[0.43057pt] \hline\cr\rule{0.0pt}{11.62494pt}P\mathrel{\stackrel{{\scriptstyle\sigma\rho\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}r\end{array} .
For and write for “ is a prefix of ”, i.e. “”.
Definition 6.1**.**
traces Let .
- •
* is an infinite trace of if there are such that P\mathrel{\stackrel{{\scriptstyle a_{\_}1\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}P_{\_}1\mathrel{\stackrel{{\scriptstyle a_{\_}2\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}P_{\_}2\mathrel{\stackrel{{\scriptstyle a_{\_}3\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}\cdots.*
- •
* denotes the set of infinite traces of .*
- •
* diverges, notation , if there are for all such that .*
- •
{\it divergences}(P):=\{\sigma\in\A^{*}\mid\exists Q.\;P\mathrel{\stackrel{{\scriptstyle\sigma\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q{\Uparrow}\}* is the set of divergence traces of .*
- •
**.
- •
{\it deadlocks}(P):=\{\sigma\in\A^{*}\mid\exists Q.\;P\mathrel{\stackrel{{\scriptstyle\sigma\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\wedge{\it initials}(Q)=\emptyset\}* is the set of deadlock traces of .*
- •
* is the set of complete traces of .*
- •
{\it ptraces}(P):=\{\sigma\in\A^{*}\mid\exists Q.\;P\mathrel{\stackrel{{\scriptstyle\sigma\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\}* is the set of partial traces of .*
- •
{\it failures}(P):=\{\langle\sigma,X\rangle\in\A^{*}\times\Pow(\A)\mid\exists Q.\;P\mathrel{\stackrel{{\scriptstyle\sigma\ }}{{\raisebox{0.0pt}[4.0pt][0.0pt]{\Longrightarrow}}}}Q\wedge{\it initials}(Q)\cap(X\cup\{\tau\})=\emptyset\}**.
- •
.
- •
.
- •
.
- •
.
- •
.
Note that for any . (*)
A path of a process is an alternating sequence of processes/states and actions, starting with a state and either being infinite or ending with a state, such that P_{\_}i\mathrel{\mathrel{\hbox{\mathop{\hbox to23.83395pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P_{\_}{i+1} for all relevant . Let be the sequence of actions in , and the same sequence after all s are removed. Now iff has an infinite path with . Likewise, iff has a finite path with . Finally, iff has an path with .
Any transition P|Q\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}R derives, through the rules of Table 1, from
- •
a transition P\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}P^{\prime} and a state , where ,
- •
two transitions P\mathrel{\mathrel{\hbox{\mathop{\hbox to15.20012pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}P^{\prime} and Q\mathrel{\mathrel{\hbox{\mathop{\hbox to16.50002pt{\rightarrowfill}}\limits^{\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}}}}}Q^{\prime}, where ,
- •
or from a state and a transition Q\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}Q^{\prime}, where .
This transition/state, transition/transition or state/transition pair is called a decomposition of P|Q\mathrel{\mathrel{\hbox{\mathop{\hbox to15.00002pt{\rightarrowfill}}\limits^{\hbox to15.00002pt{\hfil\hbox{\vrule height=6.45831pt,depth=3.44444pt,width=0.0pt\hskip 2.5pt\hskip 2.5pt}\hfil}}}}}R; it need not be unique. Now a decomposition of a path of into paths and of and , respectively, is obtained by decomposing each transition in the path, and concatenating all left-projections into a path of and all right-projections into a path of —notation [GH15a]. Here it could be that is infinite, yet either or (but not both) are finite. Again, decomposition of paths need not be unique.
Theorem 6.2**.**
reward characterisation Let . Then P\sqsubseteq_{\_}{\rm reward}Q~{}~{}\Leftrightarrow~{}~{}\begin{array}[t]{@{}r@{~\supseteq~}l@{}}{\it divergences}(P)~{}\supseteq~{}&{\it divergences}(Q)\wedge\mbox{}\\ {\it inf}(P)~{}\supseteq~{}&{\it inf}(Q)\wedge\mbox{}\\ {\it failures\!}_{d}(P)~{}\supseteq~{}&{\it failures\!}_{d}(Q).\end{array}
Proof 6.3**.**
Let be the preorder defined by: iff the right-hand side of
7 Weaker notions of reward testing
Finite-penalty reward testing doesn’t allow computations that incur infinitely many penalties. A test has finite penalties if each infinite path has only finitely many transitions with . Let iff for every finite-penalty reward test .
Theorem 7.1**.**
finite-penalty reward characterisation Let . Then P\sqsubseteq_{\_}{\textrm{\scriptsize fp-reward}}Q~{}~{}\Leftrightarrow~{}~{}\begin{array}[t]{@{}r@{~\supseteq~}l@{}}{\it divergences}(P)~{}\supseteq~{}&{\it divergences}(Q)\wedge\mbox{}\\ {\it inf\!\!}_{d}(P)~{}\supseteq~{}&{\it inf\!\!}_{d}(Q)\wedge\mbox{}\\ {\it failures\!}_{d}(P)~{}\supseteq~{}&{\it failures\!}_{d}(Q).\end{array}
Proof 7.2**.**
Let be the preorder defined by: iff the right-hand side of
Single penalty reward testing doesn’t allow computations that incur multiple penalties. A test has the single penalty property if each path has at most one transition with . Let iff for every single penalty reward test . Obviously, coincides with . This follows because all test used in the proof of
Theorem 6**.**
finite-penalty reward characterisation have the single penalty property.
Analogously one might weaken reward testing and/or single penalty reward testing by requiring that in each computation only finitely many, or at most one, positive reward can be reaped. This does not constitute a real weakening, as the tests used in Theorems LABEL:thm:reward_characterisation and LABEL:thm:finite-penalty_reward_characterisation already allot at most a single positive reward per computation only.
Nonnegative reward testing* requires all rewards to be nonnegative. Let iff for every nonnegative reward test . Likewise requires all rewards to be [math] or negative.*
Theorem 7.3**.**
nonnegative reward characterisation Let . Then P\sqsubseteq_{\_}{+\textrm{\scriptsize reward}}Q~{}~{}\Leftrightarrow~{}~{}\begin{array}[t]{@{}r@{~\supseteq~}l@{}}{\it divergences\!}_{\bot}(P)~{}\supseteq~{}&{\it divergences\!}_{\bot}(Q)\wedge\mbox{}\\ {\it inf\!\!}_{\bot}(P)~{}\supseteq~{}&{\it inf\!\!}_{\bot}(Q)\wedge\mbox{}\\ {\it failures\!}_{\bot}(P)~{}\supseteq~{}&{\it failures\!}_{\bot}(Q).\end{array}
Proof 7.4**.**
Let be the preorder defined by: iff the right-hand side of
One might weaken nonnegative reward testing by requiring that in each computation only finitely many, or at most one, reward can be reaped. This does not constitute a real weakening, as the tests used in
