BIB-VERSION:: CS-TR-v2.0
ID:: CORNELLCS//TR93-1369
ENTRY:: 1993-10-14
ORGANIZATION:: Cornell University, Computer Science Department
LANGUAGE:: English
TITLE:: Proceedings of the North American 
        Process Algebra Workshop 1993 - Ithaca, NY
AUTHOR:: Bloom, Bard
DATE:: August 1993
PAGES:: 149
ABSTRACT::
This contains the papers presented at the second North American
Process Algebra Workshop, August 15, 1993, at Cornell University.

Contents:
 * A Semantic Theory for ML Higher Order Concurrency Primitives
   (Dominique Bolignano and Mourad Debabi) 
 * An Operational Semantics of Value Passing (Rance Cleaveland)
 * An Information Flow Security Property for CCS (Riccardo Focardi and
   Roberto Gorrieri) 
 * Concurrent Kripke Structures (Vineet Gupta)
 * Specification of Instruction-Level Parallelism (Ed Harcourt and Jon
   Mauney and Todd Cook) 
 * Specification of Transition Systems with Negation (Remi Lissajoux) 
 * A Comparison of Simulation and Algebraic Techniques for Verifying
   Concurrent Systems (Nancy Lynch and Roberto Segala) 
 * A note on Model Checking Context Free Processes (S. Purushothaman
   Iyer)
 * State Refinement in Process Algebra (Andrew Uselton and Scott
   Smolka) 
 * Parametric Preorders for Process Description Languages (Daniel
   Yankelevich)
END:: CORNELLCS//TR93-1369
BODY::
Proceedings of the North American
Process Algebra Workshop 1993
Ithaca, NY
Bard Bloom*
TR 93-1369
August 1993
Department of Computer Science
Cornell University
Ithaca, NY 14853-7501
* Other members of the committee include: R. Cleaveland, R. van Glabbeek, I. Lee, N. Lynch, and F. Vaandrager.
Proceedings of the
North American
Process Algebra Workshop
1993
Ithaca, NY
PROGRAM COMMITTEE:
B. Bloom (chair)
R. Cleaveland
R. van Glabbeek
I. Lee
N. Lynch
F. Vaandrager
Contents
A Semantic Theory for ML Higher Order Concurrency Primitives
Dominique Bolignano and Mourad Debabi
An Operational Semantics of Value Passing
Rance Cleaveland
An Information Flow Security Property for CCS
Riccardo Focardi and Roberto Gorrieri
Concurrent Kripke Structures
Vineet Gupta
Specification of Instruction-Level Parallelism
Ed Harcourt and Jon Mauney and Todd Cook
Specification of Transition Systems with Negation
Remi Lissajoux
A Comparison of Simulation and Algebraic Techniques for Verifying Concurrent Systems
Nancy Lynch and Roberto Segala
A note on Model Checking Context Free Processes
S. Purushothaman Iyer
State Refinement in Process Algebra
Andrew Uselton and Scott Smolka
Parametric Preorders for Process Description Languages
Daniel Yankelevich
A Semantic Theory for ML Higher Order Concurrency
Primitives
Dominique Bolignano
Mourad Debabi
Bull Corporate Research Center
78340 Les Clayes-Sous-Bois, FRANCE
D.Bolignano@frd.bull.fr, M.Debabi@frcl.bull.fr
Abstract
In this paper we deal with the theoretical founda-
tions of the unification of concurrent, functional and
imperative programming paradigms. The intent is to
present a denotational model for a language that is
aimed to integrate all the three paradigms. Concur-
rency is supported through the embedding of a CSP-like
process algebra into a functional language. Expres-
sions may communicate through unidirectional chan-
nels and can also be composed through some concur-
rency combinators. The notion of reference is used to
support imperative aspects. References, channels, and
functions are made first-class citizens. Following an
informal presentation of the language we will describe
its static semantics. This semantics is effect-based i.e.
for each expression it yields a type, the side effects and
the communication effects. The use of types and ef-
fects allows a safe and efficient integration of the three
programming paradigms and also solves some technical
problems related to the foundations of the dynamic do-
mains. Then the dynamic semantics is presented. It
is denotational and rests on an extension of the math-
ematical model of acceptance trees.
1 Motivation and Background
The intent of this paper is to provide theoretical
foundations for the unification of three computational
paradigms which we refer to as concurrent, functional
and imperative programming. A great deal of interest
has been expressed in each of these programming styles
and the underlying models have been deeply investi-
gated, albeit generally separately.
Concurrency models have been a focus of interest
for a great number of researchers. Accordingly, this
gave rise to plenty of calculi and models. Prominent
calculi are those that correspond to process algebras
such as: CCS (Calculus for Communicating Systems)
[28, 27] and CSP (Communicating Sequential Pro-
cesses) [17, 18] for which mathematically well-behaved
models have been advanced. One can cite the failure-
sets model of Brooks, Hoare and Roscoe [7, 8, 9] or
the acceptance-trees model of Hennessy [13,14]. How-
ever, in spite of the large activity of the concurrency
community, it remains that formalisms and techniques
devised for concurrent and distributed systems are
generally relevant to pure processes, in other words,
they focus on control aspects rather than data as-
pects. Thus, in such frameworks, there is no data, no
communication, no states, etc. These simplifications
are generally adopted in order to put the emphasis
on the difficulties inherent to concurrent systems, for
instance, nondeterminism, the semantics of combina-
tors, etc.
On the other hand, functional programming has
been extensively studied. Consequently, many power-
ful, general-purpose programming languages emerged
such as ML dialects. These rest on secure the-
oretical foundations that are exemplified by the large
body of results on pure and typed λ-calculus. Gen-
erally, functional languages are endowed with impera-
tive features for efficiency reasons. Also programming
without such facilities becomes quickly tedious and
cumbersome in many situations.
There is an increasing need for programming lan-
guages and environments that combine all the three
paradigms. This need is justified by the growing num-
ber of applications that operate in distributed envi-
ronments. In addition, multiprocessor machines are
very common today and the challenge is to develop
appropriate languages that can take advantage of
the computing power of such systems.
The work that will be presented hereafter, is meant
to explore whether programming styles and conve-
niences evolved as part of Concurrent, Functional and
Imperative programming could be somehow brought
together to coexist in a single language. More ac-
curately, the intention is to experiment with our ideas on
an ML-like language extended with concurrency fea-
tures. Thus, the language described here supports
polymorphic types. It supports also both functional
and process abstractions as in CML [31, 32, 33] and
FACILE [10]: functions may be used to describe inter-
nal computations of concurrent processes. Functions,
processes, references and communication channels are
first-class values and thus can be passed along chan-
nels. Consequently, the mobility of these values is sup-
ported.
At the theoretical level, we will present the static
semantics of this language as well as the dynamic se-
mantics. The type inference system is based on an
extension of the type and effect discipline: a new ap-
proach to implicit typing that can be viewed as an ex-
tension of the ML-style type discipline. In addition to
that, as shown in [36], effect-based type disciplines are
more appropriate for integrating safely and efficiently
functional and imperative programming. In this paper
we will show that it contributes also significantly to
the integration of concurrency features. The dynamic
semantics presented here is denotational. It is based
on an extension of both the RSL (Raise Specification
Language [12]) models and VPLA (Value Passing Lan-
guage with Assignment) of Hennessy [15, 16]. Thus,
the presented model can be viewed as a CCS without
τ's version.
The rest of the paper is organized as follows. A
comparison with related approaches is given in Sec-
tion 2. Then an informal description of the language
is presented in Section 3. Section 4 is devoted to the
denotational model as well as its algebraic properties.
A few concluding remarks and a discussion of further
research are ultimately sketched as a conclusion in Sec-
tion 5. Part of the denotational definition of the lan-
guage is given in the appendix.
2 Related Work
During the last decade, many proposals have been
advanced for concurrent programming languages. OC-
CAM [19] is a parallel imperative programming lan-
guage that is an incarnation of the pioneering work of
Hoare on CSP [17]. Recently, more modern languages
have been proposed that reconcile the functional, con-
current and imperative styles. For instance one can
cite CML [31, 32, 33], FACILE [10] and LCS [3]. All
the three languages emerged from the idea of com-
bining an SML-like language [30, 29] as a functional
and imperative core, with a CCS or a CSP-like pro-
cess algebra for process abstraction. They support
polymorphism, functional and process abstractions,
dynamic behaviors and higher order objects.
These languages are quite expressive and as re-
ported in [1], there is a need to have a semantic theory
that enables one to reason about the programs and to
grasp the meaning of sophisticated constructions. A
structural operational semantics has been proposed
for both CML [33] and FACILE [10]. Another descrip-
tion of FACILE semantics has been developed using
the CHAM [2] (CHemical Abstract Machine) frame-
work [21]. In [5] we presented a structural operational
semantics for our language.
2.1 Typing
The static semantics (typing semantics) in CML,
FACILE and LCS rests on the type inference disci-
pline. It is well known that this discipline is problem-
atic in the presence of non referentially transparent
constructs. More precisely, the problem is relevant to
type generalization in the presence of mutable data.
Therefore, many extensions of the initial work of Mil-
ner [26] have been proposed.
The classical way to deal with this issue is the im-
perative type discipline [37]. An extension of this
approach has been used in the implementation of
Standard ML of New Jersey. It is based on weak
type variables: these type variables have an attached
strength information, denoting the number of applica-
tions needed to get a non trivial effect. In [20], another
method is proposed that consists in detecting some so
called dangerous type variables (the ones occurring in
the types of imperative objects), and labeling function
types accordingly.
Later, in [36], the type and effect discipline is intro-
duced. The latter yields as a result of the static evalu-
ation of an expression, not only its principal type, but
also all the minimal side effects. It should be noted
that the idea of considering the effects as part of the
static evaluation of an expression, has been suggested
in [22] and adopted in the FX project [11, 23].
In [5] we proposed a new inference typing system
that computes in addition to the principal types of ex-
pressions and their side effects, the minimal communi-
cation effects generated by the concurrent constructs.
We have also presented an adequate operational se-
mantics for our language and we proved that our typ-
ing system is consistent w.r.t. the static semantics.
2.2 Denotational Models
We are not aware of the existence of any denota-
tional model for the previously mentioned languages,
except for OCCAM. A denotational description of the
latter is presented in [34]. However, we are interested
here in some issues such as polymorphism, implicit
typing and higher order objects, that are not sup-
ported by OCCAM. Another important issue we are
dealing with here consists in providing a semantics for
a language that allows process and functional abstrac-
tions.
Denotational models are first important to get a
well-understood foundations of the language. They
also allow the semantics designer to extract the proof
theory. They finally can serve as a model for the proof
theory.
As pointed out before, in the literature, the two
prominent denotational models for concurrency are
the failure-sets model [7, 8, 9] and the acceptance-
trees model [13, 14]. The failure-sets model has been
designed as a semantic theory for a quite abstract
version of CSP usually referred to as TCSP (Theo-
retical CSP). It supports only pure processes. The
acceptance-trees model is very similar to the failure-
sets model and has been devised as a model for TCSP
or CCS-like abstract languages.
To deal with data aspects that are value-passing,
assignment, return of results, store sharing as well
as some control aspects such as sequencing, Robert
Milne proposed an extension of the acceptance-trees
model [24] as part of the RSL models. The whole RSL
denotational semantics is presented in [25]. Inspired
by [24], Hennessy and Ingólfsdóttir investigated value-
passing and proposed a fully abstract model [15]. The
same authors [16] proposed a semantic theory for an
imperative language referred to as VPLA that sup-
ports value passing and assignments. In both [15] and
[16] the authors presented three semantic approaches
(i.e. denotational, axiomatic and operational) and
proved their equivalence. The foundations as well as
the algebraic properties of the RSL denotational mod-
els presented in [25] are detailed in [6].
To sum up, the language we present here, compares
with CML or FACILE, (1) by the use and the exten-
sion of the "type and effect discipline" to obtain a
more efficient type system, and (2) by the presentation
of a denotational semantics. The primary objective of
our work is to build upon the work done essentially
by Hennessy, Ingólfsdóttir and Milne, respectively on
VPLA and RSL, in order to get a denotational model
for a real-life concurrent, functional and imperative
language. Compared to RSL and VPLA we add in
particular (1) implicit typing, (2) full higher order pro-
cesses (which allows in particular to communicate ref-
erences and channel values through channels) (3) and
we take advantage of the effects provided by the type
inference system for the denotational semantics defi-
nition.
3 Informal presentation
The syntactic constructions allowed in our language
are close to those allowed in CML and FACILE. The
set of expressions includes:
 * Literals such as integers, booleans true and false, a distinguished
   value (), a constant skip which models an expression that immediately
   terminates successfully.
 * Three binding operations that are the λ-abstraction, the recursion and
   the let definition.
 * Imperative aspects are supported through the notion of reference. An
   expression of the form ref E stands for the allocation of a new
   reference and assigns to it the value obtained by evaluating the
   expression E. We will use the unary operator ! for dereferencing and
   the binary operator := for assignment.
 * Expressions may communicate through channels. The expression channel()
   means allocate a new channel. The expression E!E' means: evaluate E',
   evaluate E and then send the result of the evaluation of E' on the
   channel resulting from the evaluation of E. The whole expression then
   evaluates to (). The expression E? evaluates to any value received on
   the channel resulting from the evaluation of E. Notice that the
   communications are synchronized as in CCS and CSP.
 * Three concurrency combinators:
   ⊓ : Nondeterministic (internal) choice.
   [] : External choice.
   || : Parallel composition of two expressions.
 * A sequencing operator: E ; E'.
More formally the BNF syntax of our language is:
E ::= () | true | false | Number n | ident x | skip |
      λx . E | E E | E ⊓ E | E [] E | E || E | E ; E |
      ref E | !E | E := E | channel() | E? | E!E |
      if E then E else E | let x = E in E |
      rec x . E
In the following, we will use P_f to stand for the finite powerset,
A ⇀ B for the set of all finite mappings (maps for short) from A to B
and m † m' for the overwriting of the map m with the map m'. We will use
the notation [a1 ↦ b1, ..., an ↦ bn] to denote the map that associates
the elements bi to the ai's.
4 Static semantics
As we pointed out before, we propose hereafter an
extension of the type and effect discipline to give a
static semantics to our language. The reader may refer
to [5] for the main motivations underlying this choice.
We define the following static domains:
o+ The domain of Reference regions: The notion of
reference regions is introduced to abstract mem-
ory locations. Every data structure corresponds
to a region. Two values are in the same region if
they may share some memory locations. The do-
main consists in the disjoint union of a countable
set of constants and variables noted ?. We will
use p,p',... to represent reference regions.
o+ The domain of Reference effects: Reference effects
abstracts the memory side-effects. We define the
following basic effects: ? for the absence of effect,
? for a reference effect variable, init(p, T) for the
reference allocation, read(p) for reading in the
region p and write(p) for assignments of values
to references in the region p. We introduce also a
union operator u for effects.
a ::= ?i?Iinit(p, T)iread(p)iwrite(p)ia U a
We will write a ? a' <=> ?a11 .a = a1Ua". Equal-
ity on reference effects is modulo ACI (Associa-
tivity, Commutativity and Idempotence) with ?
as the neutral element.
o+ The domain of Channel regions: As with reference
regions, channel regions are intended to abstract
channels. Their domain consists in the disjoint
union of a countable set of constants and variables
noted 6. We will use ?,?`,... to represent values
drawn from this domain.
We will use ?1 to stand for a channel effect vari-
able. The basic channel effect chan(?, r) repre-
sents the creation of a channel of type T in the
channel region ?. in(x) denotes the effect result-
ing from an input on a channel of the channel
region ? while ont(?) denotes an output on the
channel of the region ?. We will write ? _
= ?` U':". Equality on effects is modulo
ACI with ? as the neutral element.
o+ The domain of types: It is inductively defined by:
T ::= UnitIBoolIIntI?Irefp(T)ichanx(T)IT ?? T
Unit is a type with only one element "()", ? a
type variable, refp(T) is the type of references
in the region p to values of type T, chanx(T) is
the type of channels in the communication region
? that are intended to be mediums for values of
type T, T Th? T? is the type of functions that take
parameters of type T to values of type T1 with a
latent reference effect a and a latent channel effect
?. We mean by latent effect, the effect generated
when the corresponding expression is evaluated.
We also define type schemes of the form ∀v1, ..., vn . τ where each vi
can be a type, reference region, channel region, reference effect or
channel effect variable. A type τ' is an instance of ∀v1, ..., vn . τ,
noted τ' ≤ ∀v1, ..., vn . τ, if there exists a substitution θ defined
over v1, ..., vn such that τ' = θτ. Our static semantics contains
sequents of the form ε ⊢ E : τ, σ, κ, which state that under some typing
environment ε the expression E has a type τ, a reference effect σ and a
channel effect κ. Notice that type environments ε map identifiers to
type schemes.
Type generalization in this type system states that
a variable cannot be generalized if it is free in the type
environment ? or if it is present in the observed refer-
ence effect, or present in the observed communication
effect. The first condition is classical while the two
others are due to the fact that types are bound to re-
gions in the effects. The reader should refer to [36] for
a detailed explanation of this issue.
Gen(σ, κ, ε)(τ) = let {v1, ..., vn} = fv(τ) \ (fv(ε) ∪ fv(σ) ∪ fv(κ))
                  in ∀v1, ..., vn . τ end
where:
  fv(ε) = ∪{fv(τ) | ∃x . x ↦ τ ∈ ε}
  fv(σ) = ∪{fv(τ) | ∃ρ . init(ρ, τ) ∈ σ}
  fv(κ) = ∪{fv(τ) | ∃γ . chan(γ, τ) ∈ κ}
  fv(τ) = {χ | χ appears free in τ}
 * The domain of Channel effects: It is defined inductively by:
   κ ::= ∅ | ζ | chan(γ, τ) | in(γ) | out(γ) | κ ∪ κ

(unit)   ε ⊢ () : Unit, ∅, ∅
(true)   ε ⊢ true : Bool, ∅, ∅
(false)  ε ⊢ false : Bool, ∅, ∅
(num)    ε ⊢ Number n : Int, ∅, ∅
(skip)   ε ⊢ skip : Unit, ∅, ∅
(chan)   ε ⊢ channel() : chan_γ(τ), ∅, chan(γ, τ)

(var)    τ ≤ ε(x)
         ----------------------
         ε ⊢ x : τ, ∅, ∅

(abs)    ε † [x ↦ τ] ⊢ E : τ', σ, κ
         ----------------------------------------
         ε ⊢ λx . E : τ →^{σ,κ} τ', ∅, ∅

(app)    ε ⊢ E : τ' →^{σ'',κ''} τ, σ, κ     ε ⊢ E' : τ', σ', κ'
         -----------------------------------------------------------
         ε ⊢ (E E') : τ, σ ∪ σ' ∪ σ'', κ ∪ κ' ∪ κ''

(op)     ε ⊢ E : τ, σ, κ     ε ⊢ E' : τ, σ', κ'
         ------------------------------------------   where op = ⊓, [], ||
         ε ⊢ E op E' : τ, σ ∪ σ', κ ∪ κ'

(ref)    ε ⊢ E : τ, σ, κ
         ---------------------------------------------
         ε ⊢ ref E : ref_ρ(τ), σ ∪ init(ρ, τ), κ

(deref)  ε ⊢ E : ref_ρ(τ), σ, κ
         ------------------------------------
         ε ⊢ !E : τ, σ ∪ read(ρ), κ

(ass)    ε ⊢ E : ref_ρ(τ), σ, κ     ε ⊢ E' : τ, σ', κ'
         ---------------------------------------------------------
         ε ⊢ E := E' : Unit, σ ∪ σ' ∪ write(ρ), κ ∪ κ'

(in)     ε ⊢ E : chan_γ(τ), σ, κ
         ------------------------------------
         ε ⊢ E? : τ, σ, κ ∪ in(γ)

(out)    ε ⊢ E : chan_γ(τ), σ, κ     ε ⊢ E' : τ, σ', κ'
         ---------------------------------------------------------
         ε ⊢ E!E' : Unit, σ ∪ σ', κ ∪ κ' ∪ out(γ)

(seq)    ε ⊢ E : τ, σ, κ     ε ⊢ E' : τ', σ', κ'
         --------------------------------------------
         ε ⊢ E ; E' : τ', σ ∪ σ', κ ∪ κ'

(if)     ε ⊢ E : Bool, σ, κ     ε ⊢ E' : τ, σ', κ'     ε ⊢ E'' : τ, σ'', κ''
         ------------------------------------------------------------------------
         ε ⊢ if E then E' else E'' : τ, σ ∪ σ' ∪ σ'', κ ∪ κ' ∪ κ''

(let)    ε ⊢ E' : τ', σ', κ'     ε † [x ↦ Gen(σ', κ', ε)(τ')] ⊢ E : τ, σ, κ
         ----------------------------------------------------------------------
         ε ⊢ let x = E' in E : τ, σ ∪ σ', κ ∪ κ'

(rec)    ε † [x ↦ τ] ⊢ E : τ, σ, κ
         ------------------------------------
         ε ⊢ rec x . E : τ, σ, κ

(obs)    ε ⊢ E : τ, σ, κ
         ------------------------------------------------------
         ε ⊢ E : τ, Observe(ε, τ, σ), Observe(ε, τ, κ)

Table 1: The static semantics
The observation criterion has been introduced in order to report only
reference effects that can affect the context of an expression.
Observe(ε, τ, σ) = {ς ∈ σ | ς ∈ fv(ε) ∪ fv(τ)} ∪
                   {init(ρ, τ'), read(ρ), write(ρ) ∈ σ | ρ ∈ frr(ε) ∪ frr(τ)}
Observe(ε, τ, κ) = {ζ ∈ κ | ζ ∈ fv(ε) ∪ fv(τ)} ∪
                   {chan(γ, τ'), in(γ), out(γ) ∈ κ | γ ∈ frc(ε) ∪ frc(τ)}
where frr(ε) and frc(ε) stand respectively for the free reference
regions and free communication regions in ε:
frr(ε) = ∪{ρ | ∃x . x ↦ τ ∈ ε ∧ ρ ∈ fv(τ)}
frc(ε) = ∪{γ | ∃x . x ↦ τ ∈ ε ∧ γ ∈ fv(τ)}
In what follows let us give some examples on the
static evaluation of the expressions.
Example 4.1 Let us consider a process that creates
a reference to the number 1, a channel and then puts in
parallel an output expression and an input expression
followed by an assignment.
let x = ref 1
in
  let c = channel ()
  in x := c? || c!7
  end
end
Let us denote by P the previous process. Without
using the observation criterion the type of the previous
expression under an empty typing environment is
[] ⊢ P : Unit,
        init(ρ, Int) ∪ write(ρ),
        chan(γ, Int) ∪ in(γ) ∪ out(γ)
After application of the observation criterion the type
of P becomes:
[] ⊢ P : Unit, ∅, ∅
Example 4.2 If we consider an expression similar to
the previous one that returns the created channel value
after the parallel composition:
let x = ref 1
in
  let c = channel ()
  in (x := c? || c!7); c
  end
end
Let us denote by Q the previous process. Without using
the observation criterion the type of Q under an empty
typing environment is
[] ⊢ Q : chan_γ(Int),
        init(ρ, Int) ∪ write(ρ),
        chan(γ, Int) ∪ in(γ) ∪ out(γ)
After application of the observation criterion:
[] ⊢ Q : chan_γ(Int), ∅,
        chan(γ, Int) ∪ in(γ) ∪ out(γ)
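The two examples above can be checked mechanically. The following Python script is an added example, not the authors' code: it represents types and effects as plain tuples (an assumption of this example), implements Observe for reference and channel effects and the variable set that Gen may quantify, and then reproduces the results for P and Q. It also goes one step beyond the paper's examples and shows why keeping region effects matters for generalization: a reference holding the identity function is not generalized, because the observed init effect mentions the type variable of its contents.

```python
"""Effect observation (Observe) and generalization (Gen) from Section 4.

Added example, not the paper's code. Types and effects are plain tuples;
regions, type variables and effect variables are strings.
  Types:   ('Unit',) ('Bool',) ('Int',) ('tvar', a) ('ref', rho, tau)
           ('chan', gamma, tau) ('fun', t1, sigma, kappa, t2)
  Ref eff: ('init', rho, tau) ('read', rho) ('write', rho) ('evar', name)
  Chan eff:('chan', gamma, tau) ('in', gamma) ('out', gamma) ('evar', name)
"""
from typing import Dict, FrozenSet, Tuple

Type = Tuple
Effect = FrozenSet[Tuple]
Env = Dict[str, Type]


def fv_type(t: Type) -> FrozenSet[str]:
    """Free type, region and effect variables of a type."""
    tag = t[0]
    if tag in ("Unit", "Bool", "Int"):
        return frozenset()
    if tag == "tvar":
        return frozenset({t[1]})
    if tag in ("ref", "chan"):
        return frozenset({t[1]}) | fv_type(t[2])
    if tag == "fun":
        return fv_type(t[1]) | fv_eff(t[2]) | fv_eff(t[3]) | fv_type(t[4])
    raise ValueError(f"unknown type constructor {tag!r}")


def fv_eff(eff: Effect) -> FrozenSet[str]:
    """Free variables of an effect set. Assumption made here: regions and
    effect variables count as free, together with the free variables of
    the types carried by init/chan effects."""
    out = set()
    for e in eff:
        out.add(e[1])                      # region, or the effect variable
        if e[0] in ("init", "chan"):
            out |= fv_type(e[2])
    return frozenset(out)


def fv_env(env: Env) -> FrozenSet[str]:
    return frozenset().union(*(fv_type(t) for t in env.values()))


def regions(t: Type, kind: str) -> FrozenSet[str]:
    """frr (kind='ref') or frc (kind='chan') of a type."""
    tag = t[0]
    if tag in ("ref", "chan"):
        own = frozenset({t[1]}) if tag == kind else frozenset()
        return own | regions(t[2], kind)
    if tag == "fun":
        return regions(t[1], kind) | regions(t[4], kind)
    return frozenset()


def regions_env(env: Env, kind: str) -> FrozenSet[str]:
    return frozenset().union(*(regions(t, kind) for t in env.values()))


def observe(env: Env, tau: Type, eff: Effect, kind: str) -> Effect:
    """Observe(env, tau, eff): keep an effect variable only if it is free in
    env or tau, and a region effect only if its region occurs in a
    reference (kind='ref') or channel (kind='chan') type of env or tau."""
    visible_vars = fv_env(env) | fv_type(tau)
    visible_regions = regions_env(env, kind) | regions(tau, kind)
    keep = set()
    for e in eff:
        if e[0] == "evar":
            if e[1] in visible_vars:
                keep.add(e)
        elif e[1] in visible_regions:
            keep.add(e)
    return frozenset(keep)


def gen(env: Env, tau: Type, sigma: Effect, kappa: Effect) -> FrozenSet[str]:
    """Variables of tau that Gen(sigma, kappa, env)(tau) may quantify."""
    return fv_type(tau) - (fv_env(env) | fv_eff(sigma) | fv_eff(kappa))


# Constructed inputs: static results of Examples 4.1 (P) and 4.2 (Q)
# before observation, under the empty environment.
INT = ("Int",)
P_TYPE = ("Unit",)
Q_TYPE = ("chan", "gamma", INT)
REF_EFF = frozenset({("init", "rho", INT), ("write", "rho")})
CHAN_EFF = frozenset({("chan", "gamma", INT), ("in", "gamma"), ("out", "gamma")})


def example_observation() -> dict:
    return {
        "P": (observe({}, P_TYPE, REF_EFF, "ref"), observe({}, P_TYPE, CHAN_EFF, "chan")),
        "Q": (observe({}, Q_TYPE, REF_EFF, "ref"), observe({}, Q_TYPE, CHAN_EFF, "chan")),
    }


def example_generalization() -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """The identity function generalizes over 'a'; a reference holding it
    does not, since rho is in the result type so init(rho, a -> a) stays
    observable and 'a' is free in that effect."""
    identity = ("fun", ("tvar", "a"), frozenset(), frozenset(), ("tvar", "a"))
    ref_type = ("ref", "rho", identity)
    alloc = frozenset({("init", "rho", identity)})
    observed = observe({}, ref_type, alloc, "ref")
    return gen({}, identity, frozenset(), frozenset()), gen({}, ref_type, observed, frozenset())


if __name__ == "__main__":
    print(example_observation())
    print(example_generalization())
```

For P both observed effects are empty, since neither ρ nor γ occurs in Unit; for Q the channel effects survive because γ occurs in chan_γ(Int), while the reference effects are still hidden.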
5 Denotational Semantics
One of the main novelties of this work, is to pro-
vide a denotational model for such a language that
can be easily adapted for other concurrent functional
languages such as Facile or CML. The technique con-
sidered here takes advantage of the existing work on
more abstract process algebra. More precisely, by im-
porting the acceptances model [13, 14] which is known
to be mathematically well-behaved in the applicative
world of process algebra, and extending this model for
handling input, output, imperative aspects and higher
order objects.
It should be noticed that many adaptations of this
model have been proposed in the literature. The first
one has been proposed by [24], further explained in
[25] whose foundations are detailed and proven in
[6], in order to design the models of RSL [12]. Also
inspired by the original RSL denotational description
[24], [15] and [16] proposed other accommodations re-
spectively for their languages VPL and VPLA.
5.1 Acceptance-trees Model
The intention hereafter is to recall briefly the gen-
eral model of acceptances trees. Let ? be a set of
events which the processes can perform. In the rest
of this section, we need the notion of saturated sets.
Thus a set 𝒜 ⊆ P_f(Σ) is said to be saturated if it satisfies the
following closures:
1. ∪𝒜 ∈ 𝒜 (union closure).
2. A, B ∈ 𝒜 and A ⊆ C ⊆ B implies C ∈ 𝒜 (convex closure).
The set of all saturated finite subsets of P_f(Σ), i.e. all saturated
sets over Σ, is denoted by sat(Σ). Let c(𝒜) be the saturated closure of
a set 𝒜 ⊆ P_f(Σ), defined as the least set which satisfies:
1. 𝒜 ⊆ c(𝒜)
2. ∪𝒜 ∈ c(𝒜)
3. A, B ∈ c(𝒜) and A ⊆ C ⊆ B implies C ∈ c(𝒜)
The process space D is then defined as:
D = {(m, S) | (m, S) ∈ (Σ ⇀ D) × sat(Σ) ∧ dom(m) = ∪S} ∪ {⊥}
Thus D is a set of pairs, each of which represents
a process. The first component of a pair is an as-
sociation (a map) between finitely many members of
? and members of D, while the second one is an ac-
ceptance set. It should be noted that the definition
given above is recursive, but such a domain exists and
satisfies elegant algebraic properties such as the Scott-
domainhood property [13].
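The saturation conditions are easy to get wrong by hand, so here is an added Python example (not the paper's code) that computes the saturated closure c(𝒜) of a finite family of finite event sets exactly as defined above, and checks whether a family is already saturated. Events are strings and a family is a frozenset of frozensets; both the representation and the sample families are assumptions of this example.

```python
"""Saturated acceptance sets (Section 5.1): the saturated closure c(A) of a
finite family of finite event sets, plus a saturation check.

Added example, not the paper's code. Events are strings; a family is a
frozenset of frozensets of events.
"""
from itertools import combinations
from typing import FrozenSet, Iterable

Family = FrozenSet[FrozenSet[str]]


def _between(lo: FrozenSet[str], hi: FrozenSet[str]) -> Iterable[FrozenSet[str]]:
    """All C with lo ⊆ C ⊆ hi (caller guarantees lo ⊆ hi)."""
    extra = sorted(hi - lo)
    for k in range(len(extra) + 1):
        for combo in combinations(extra, k):
            yield lo | frozenset(combo)


def is_saturated(fam: Family) -> bool:
    """Union closure (∪𝒜 ∈ 𝒜) and convex closure
    (A ⊆ C ⊆ B with A, B ∈ 𝒜 implies C ∈ 𝒜)."""
    if not fam:
        return False            # ∪∅ = ∅ would have to be a member
    if frozenset().union(*fam) not in fam:
        return False
    return all(c in fam for a in fam for b in fam if a <= b for c in _between(a, b))


def saturate(fam: Family) -> Family:
    """Least saturated family containing fam (c(𝒜) in the paper): add the
    union of the family, then iterate convex closure to a fixpoint. The
    input is finite, so the loop terminates."""
    cur = set(fam)
    if cur:
        cur.add(frozenset().union(*cur))
    changed = True
    while changed:
        changed = False
        for a in list(cur):
            for b in list(cur):
                if a <= b:
                    for c in _between(a, b):
                        if c not in cur:
                            cur.add(c)
                            changed = True
    return frozenset(cur)


def fam(*sets: Iterable[str]) -> Family:
    """Build a family from iterables of event names."""
    return frozenset(frozenset(s) for s in sets)


def example() -> dict:
    """Constructed families: a process that internally chooses between
    offering 'a' and offering 'b', and one whose states are {a} and {a,b,c}."""
    either = fam({"a"}, {"b"})
    spread = fam({"a"}, {"a", "b", "c"})
    return {
        "either": saturate(either),
        "spread": saturate(spread),
        "either_before": is_saturated(either),
        "either_after": is_saturated(saturate(either)),
    }


if __name__ == "__main__":
    for name, value in example().items():
        print(name, value)
```

For {{a}, {b}} the closure adds only the union {a, b}; for {{a}, {a, b, c}} convexity fills in {a, b} and {a, c}, which is exactly the information an acceptance set must carry so that the union and convex closures hold.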
Now, let us come back to the underlying intuition.
A process can be modeled as a pair (m, S) which stip-
ulates that the process is waiting to engage in one
event, say e, chosen from dom(m), and once chosen,
the process continues progressing as the process m(e).
We will refer to m(e) as the sequel of the process.
The choice of the event is governed by the correspond-
ing acceptance set. In fact S stands for the set of
the possible internal states that can be reached non-
deterministically. The actions in a set A from S, are
those which the process can perform when in that
state.
The special element ⊥ corresponds to the most non-
deterministic process, known in the literature as chaos.
In other words it models divergent processes. We con-
sider here a bounded non-determinism, so at any
given time, a process can be waiting to participate
in one of only finitely many events. That is why
dom(m) and the relevant internal states of an accep-
tance set are restricted to be finite.
5.2 The Adapted Model
In the sequel of this section, the aim is to recall
briefly this model. In the latter, the processes are
able to perform one-to-one communications through
uni-directional channels. The adapted model makes
distinction between events in order to handle input
and output. Thus, events are not simply assumed to
range over an alphabet of actions, but are split into
two categories according to their direction. So input
and output events are distinguished and correspond
respectively to inputs and outputs from certain chan-
nels.
Another adaptation, due to communication and se-
quencing handling, consists of two kinds of sequel pro-
cesses (or just sequels). In fact sequels are not sim-
ply identified, as previously, with processes, but are
also classified according to the nature of the relevant
event that just occurred. The sequel attached to an
input communication is modeled as a λ-abstraction
that takes a value of the associated channel's type,
together with some store, to some process that repre-
sents the continuation process. The value received on
the channel is accompanied with some store, simply
because the value may contain some references that
are bound to some values in the store. An output
sequel is modeled as a map that associates to the val-
ues that may be communicated (together with their
corresponding stores) some continuation processes.
We will consider as a result of a process execution
a pair composed of a value and a store. But since pro-
cesses may be nondeterministic, then we will consider
the set of possible outcomes i.e. the set of possible
results. The semantic technique used in the construc-
tion of the dynamic domains makes a dependence be-
tween the static and the dynamic semantics. Making
the dynamic domains depend on the static domains
means that dynamic domains are henceforth typed ac-
cording to the hierarchy laid down by the static do-
mains. Thus, dynamic spaces are restricted such that,
for example, dynamic value domains are not obliged
to contain as elements, functions that take members
of these domains as parameters. In addition to that,
the static constraints relevant to the well-formedness
of an expression will be used in the dynamic seman-
tics. This ensures that the dynamic domains are all
that are needed. In what follows, we present the con-
struction of the dynamic spaces, from the static ones.
The value dynamic domain is inductively defined by
table 2. All the types used in these dynamic domains
are ground i.e. without any type, region or effect vari-
able.
We define the following functions on effects:
rw(σ)  = {ref_ρ(τ) | (read(ρ) or write(ρ)) ∈ σ and init(ρ, τ) ∈ σ}
wr(σ)  = {ref_ρ(τ) | write(ρ) ∈ σ and init(ρ, τ) ∈ σ}
in(κ)  = {chan_γ(τ) | in(γ) ∈ κ and chan(γ, τ) ∈ κ}
out(κ) = {chan_γ(τ) | out(γ) ∈ κ and chan(γ, τ) ∈ κ}
where rw(σ) and wr(σ) stand respectively for the read/written and
written references of the reference effect σ, and in(κ) and out(κ)
stand respectively for the input and output channels of the
communication effect κ.
Now let us turn to the process dynamic domain:
A process can be viewed as a 4-tuple, where the first
component is the set of possible results. The second
component maps an input event to the corresponding
continuation process (a λ-abstraction) while the third
component maps an output event to the corresponding
continuation process. At any given time, a process can
be waiting to participate in one of only finitely many
events. The choice of the event is governed by the
fourth component (acceptance set). In fact it is a set
of subsets of events and stands for the set of possible
internal states that can be reached nondeterministi-
cally.
D_{τ,σ,κ} = ( P_f(V_τ × S_{rw(σ)}) ×
              Input_map_{τ,σ,κ} ×
              Output_map_{τ,σ,κ} ×
              Acceptance_set_{τ,σ,κ} ) ∪ {⊥}
where:
V                 = ∪_τ V_τ                                  the set of all dynamic values
V_Unit            = {()}                                      the dynamic unit value
V_Bool            = {true, false}                             the dynamic boolean values
V_Int             = the integers                              integer dynamic values
V_ref_ρ(τ)        = {r(ρ, τ, i) | i ∈ ℕ}                      dynamic reference values of type τ
V_chan_γ(τ)       = {c(γ, τ, i) | i ∈ ℕ}                      dynamic channel values of type τ
V_{τ →^{σ,κ} τ'}  = V_τ → S_{rw(σ)} → D_{τ',σ,κ}              dynamic functions or just processes
S                 = ∪_R S_R                                   the set of all dynamic stores
S_R               = (∪_{ref_ρ(τ) ∈ R} V_ref_ρ(τ)) ⇀ (∪_{ref_ρ(τ) ∈ R} V_τ)   dynamic stores
                    (R ranging over sets of reference types)
with the following invariant:
∀s ∈ S_R . ∀r(ρ, τ, i) ∈ dom(s) . s(r(ρ, τ, i)) ∈ V_τ
Table 2: The value dynamic domain
o+ The domain of input maps IflPnt?map?,?,, is de-
fined as the set of all maps:
(Uchanx(T')Ein(?) Vchanx(T?)) ?
(Uchan?(r?)Ein(?(VT x			Dma??)
which satisfies:
VI ? rThp?t?maPm?? . Vc(y, T', i) ? dom(I).
C (Vr x S)
where S = U? S?
o+ The domain of output maps Ontput?mapr,a,? is
defined as the set of all maps:
(Uchanx(r')Eont(?) vChanx(?')) ?
(Uchanx(?')?out(?) VT' X 5 ? Dr,a,?)
which satisfies:
VO E Outputinap?,?,? .Vc(?,?',i) E dom(O).
O(c(?,?',i)) E (Vr x 5) ?Dma,? A
o+ The			domain			of			acceptance
sets Acceptance?setr,?,? is defined as the set of
all sets:
?f(Uchanx(r')??n(? Vchanx(r?))X
?f (Uchanx(r')Eout(? Vchanx(r?)) X
8
which satisfies:
VA ? AccentaThce?seta,?,? . Vx E A.
Vy E (Pf (Uchanx(r')E?n?chan(?) vChanx(?')) X
?f (Uchanx(r') E out?chan( ?) Vchanx(??)) X
C U(?(z) z E A) A
C U(?(z) z ? A) A
C U(r3(z) z e A) A
C ri(y) A
C v?(y) A
C 1r3(y)
? y E A)
The latter complicated condition on the acceptance set is just the
combination of the convex and the union closures. Notice that ⊥
corresponds to the most nondeterministic process, known in the
literature as chaos; it models divergent processes. We introduced also
a special event denoted by "√" (pronounced tick) to signal the
successful termination of a process. When such an event occurs, the
process immediately terminates and then returns some value.
We define the following preorder on the dynamic process domain:
1. ∀P ∈ D_{τ,σ,κ} . ⊥ ⊑_{τ,σ,κ} P
2. (R, I, O, A) ⊑_{τ,σ,κ} (R', I', O', A') iff:
   (a) R' ⊆ R ∧ A' ⊆ A
   (b) dom(I') ⊆ dom(I) ∧ dom(O') ⊆ dom(O)
   (c) ∀x ∈ dom(I') . I(x) ⊑ I'(x),
       i.e. ∀(v, s) ∈ V × S . I(x)(v, s) ⊑_{τ,σ,κ} I'(x)(v, s)
   (d) ∀y ∈ dom(O') . O(y) ⊑ O'(y),
       i.e. dom(O'(y)) ⊆ dom(O(y)) ∧
            ∀(v, s) ∈ dom(O'(y)) . O(y)(v, s) ⊑_{τ,σ,κ} O'(y)(v, s)
The process domain is reflexive. Its existence as
well as its algebraicity can be easily derived from the
proof of the process domain presented in [6]. The lat-
ter uses the general theory of domains [35]. In fact,
we have a recursive domain specification of the form
D = F(D). In order to show both the existence as
well as the algebraicity, we have to show that our tree
constructor "F" can be turned into a continuous func-
tor in the category of cpo's CPO and then define the
process domain D as the least fixpoint of the functor F
(i.e. the initial object in the category of F-algebras).
Afterwards, we have to show that F preserves alge-
braicity.
Proposition 5.1 VT, a, ?? (Dr,??, E?D?.?,?) is an al-
gebraic cpo whose compact elements are the processes
d E Dr,?,? satisf'ing the following conditions:
1. d is I or,
?. d is of finite depth, and all the input mappings
that are subterms of d associate non I processes
to only a finite number of elements.
5.3 Handling Polymorphism
The presence of polymorphism in the studied language introduces additional complexity. In the absence of polymorphism the semantics of an expression can be modeled as a function that takes an environment and some current store to the process that represents the computation associated with the expression. For instance, the monomorphic expression 1 + 2 can be modeled as:
λΓ. λs. ({(3, s)}, [ ], [ ], {(∅, ∅, {✓})})
This means that the expression 1 + 2 can be viewed as a function that takes an environment and some initial store, and then returns the value 3 without changing the initial store and without communicating; it terminates immediately afterwards.
Since expressions may be polymorphic, the semantics depends on the instance considered. To express such a dependence, the technique we used borrows one form of dependent types, the "general product" noted Π, from constructive type theory. In doing this we associate a standard denotation to each completely instantiated type.
5.4 Semantics Presentation
In order to describe type and effect instantiation we will use ground substitutions. GS(X), where X is a set of type and effect variables, is meant to be the set of ground substitutions whose domains include X. GS(∅) will stand for the identity substitution written θ_Id.
Then for an expression E, whose principal type and effects are given, under some static environment Γ, the signature of the semantic function that performs its dynamic denotational evaluation is:
E 1 :fl0 E ?S4fv(?)).
flO' E ?S?(fv(0r) U fv(()a) U fv(0?).
DynEnv?(0?) 5
with,
DynEnv?O?) =
fFidom(F) dom(O?) A
Vx c dom(P).
let
Vv1Vn?T=O?(X)
in
? rio' c ?S((vivnJ)?Ve'r
end
which means that we consider a ground instance of the principal type and effects (obtained by applying θ and then θ') and then take an environment and an initial store to some process that represents the computation associated with the expression.
As pointed out before, the description technique used relies on a dependence between the static and the dynamic semantics. Accordingly, the semantic rules hereafter will be structured in two parts. The first part expresses the static evaluation, i.e. it gives the typing of both the expression and the corresponding subexpressions. The second part of the semantic rules is devoted to the denotational dynamic evaluation.
6 Conclusion
We have reported in this paper the complete definition of an implicitly, strongly typed polymorphic concurrent and functional language that supports data accepting in-place modification. We have presented a complete static semantics that rests on an extension of the type and effect discipline to handle communication effects. Afterwards we presented a denotational interpretation by accommodating the model of acceptance trees.
It should be noted that an operational semantics was also defined for this language in [5]. Establishing the full abstractness of the denotational model w.r.t. the operational semantics is under way. As future research, we plan to investigate structuring and modularity mechanisms. We are particularly interested in experimenting with some new approaches to modularity from the algebraic specification world, such as the loose stratified semantics proposed in [4].
References
[1] D. Berry, A.J.R.G. Milner, and D. Turner. A semantics for ML concurrency primitives. In Proc. 17th ACM Symposium on Principles of Programming Languages, 1992.
[2] G. Berry and G. Boudol. The chemical abstract machine. In Proceedings of the seventeenth ACM Symposium on Principles of Programming Languages, 1991.
[3] B. Berthomieu. Implementing CCS, the LCS experiment. Technical Report 89425, LAAS CNRS, 1989.
[4] M. Bidoit. The stratified loose approach: A generalization of initial and loose semantics. In Proceedings of the 5th Workshop on Specification of Abstract Data Types. Springer Verlag, 1987.
[5] D. Bolignano and M. Debabi. A coherent type inference system for a concurrent, functional and imperative programming language. In Proceedings of the AMAST'93 Conference. Springer Verlag, June 1993.
[6] D. Bolignano and M. Debabi. Higher order communicating processes with value-passing, assignment and return of results. In Proceedings of the ISAAC'92 Conference, Lecture Notes in Computer Science 650. Springer Verlag, December 1992.
[7] S.D. Brookes. On the relationship of CCS and CSP. Technical report, Carnegie-Mellon University, 1985.
[8] S.D. Brookes, C.A.R. Hoare, and A.W. Roscoe. A theory of communicating sequential processes. Journal of the ACM, 31(3):560-599, July 1984.
[9] S.D. Brookes and A.W. Roscoe. An improved failure set model for communicating processes. In Seminar on Concurrency, pages 281-305. Springer-Verlag, 1985.
[10] A. Giacalone, P. Mishra, and S. Prasad. Facile: A symmetric integration of concurrent and functional programming. International Journal of Parallel Programming, 18(2):121-160, April 1989.
[11] D.K. Gifford, P. Jouvelot, J.M. Lucassen, and M.A. Sheldon. FX-87 reference manual. Technical Report MIT/LCS/TR-407, MIT Laboratory for Computer Science, September 1987.
[12] RAISE Language Group. The RAISE Specification Language. Prentice-Hall, 1992.
[13] M. Hennessy. Acceptance trees. Journal of the ACM, 32:896-928, October 1985.
[14] M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988.
[15] M. Hennessy and A. Ingólfsdóttir. A theory of communicating processes with value passing. In Proc. 17th ICALP, LNCS. Springer Verlag, 1990.
[16] M. Hennessy and A. Ingólfsdóttir. Communicating processes with value-passing and assignments. Technical report, University of Sussex, draft, June 1991.
[17] C.A.R. Hoare. Communicating sequential processes. Communications of the ACM, 21(8), 1978.
[18] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
[19] Inmos. The Occam Programming Manual. Prentice-Hall, 1984.
[20] X. Leroy and P. Weis. Polymorphic type inference and assignment. In Proceedings of the seventeenth ACM Symposium on Principles of Programming Languages, 1991.
[21] L. Leth and B. Thomsen. Some Facile chemistry. Technical Report ECRC-92-14, European Computer-Industry Research Center, 1992.
[22] J.M. Lucassen. Types and Effects: Towards an Integration of Functional and Imperative Programming. PhD thesis, Laboratory for Computer Science, MIT, 1987.
[23] J.M. Lucassen and D.K. Gifford. Polymorphic effect systems. In Proc. 15th ACM Symposium on Principles of Programming Languages, 1988.
[24] R.E. Milne. Concurrency models and axioms. Technical Report RAISE/CRI/DOC/4/V1, CRI, 1988.
[25] R.E. Milne. Semantic foundations of RSL. Technical Report RAISE/CRI/DOC/4/V1, CRI, 1990.
[26] A.J.R.G. Milner. A theory of type polymorphism in programming. Journal of Computer and System Sciences, 17:348-375, 1978.
[27] A.J.R.G. Milner. Communication and Concurrency. Prentice-Hall, 1989.
[28] A.J.R.G. Milner. A calculus of communicating systems. In Lecture Notes in Computer Science 92, pages 281-305. Springer-Verlag, 1991.
[29] A.J.R.G. Milner and M. Tofte. Commentary on Standard ML. MIT Press, 1991.
[30] A.J.R.G. Milner, M. Tofte, and R. Harper. The Definition of Standard ML. MIT Press, 1990.
[31] J.H. Reppy. First-class synchronous operations in Standard ML. Technical Report TR89-1068, Dept. of Computer Science, Cornell University, 1989.
[32] J.H. Reppy. CML: A higher-order concurrent language. In Proceedings of the ACM SIGPLAN '91 PLDI, pages 294-305. SIGPLAN Notices 26(6), 1991.
[33] J.H. Reppy. An operational semantics of first-class synchronous operations. Technical Report TR 91-1232, Department of Computer Science, Cornell University, August 1991.
[34] A.W. Roscoe. Denotational semantics for occam. In Proc. Seminar on Concurrency, LNCS 197, pages 306-329. Springer Verlag, 1985.
[35] M.B. Smyth and G.D. Plotkin. The category-theoretic solution of recursive domain equations. SIAM Journal of Computing, 11(4):761-783, November 1982.
[36] J. Talpin and P. Jouvelot. The type and effect discipline. In Proc. Logic in Computer Science, 1992.
[37] M. Tofte. Operational semantics and polymorphic type inference. PhD thesis, Department of Computer Science, University of Edinburgh, 1987.
Appendix A: Some Semantic Functions
Hereafter are some semantic functions that are used in the semantic description and that contribute to the concision of the presentation.
Some Useful Semantic Functions
/* The function "pass" takes a value and a store, and returns a process that has the two arguments as a result. The process does not communicate in input or in output; it just terminates immediately and returns the result. */
pass : V → S → D
pass = λv ∈ V. λs ∈ S. ({(v, s)}, [ ], [ ], {(∅, ∅, {✓})})
/* The function "process_set" takes a process to a set of deterministic processes (thus with only one acceptance state each) such that the internal choice of the processes in this set yields the original process. */
process?et: D?,?,
process?et(I) = I
process?et(R,1,0,A) =
H 1(e) e E dom(I) flr1(x)],
H 0(e) e E dom(O) flr2(x) J,
acceptance(x)
xEA?
acceptance :(Pf(Uc?anx(ri)???(?) Vch??x(??))X
?f(Uc???x??'?c??t??? V???,'x(??))X
)? Acceptance?set?,,,?
acceptance(r) =
case x of
-,??)			?x)u f(I,I,f?)1
else ?r?
end
/* The function defined below can be seen as a piping operator. It evaluates its first argument and passes the value and the store that result from the evaluation to the second argument. It is like a sequencing operator. */
f g = As E So
f(s)  Av E V?o
As' E 5.g(v)(s1)
-? -:Dr,?, x
(V S?4D?',,???'))
P  g case P of
I?I
(R,I,0,A)
?flet
internai?process?et = ?9(v)(s)I(v,s) E R),
externaiprocess (I,
Ii  9,
01  9,
A1
in
if interna'p?ocess?et = I
then externaiprocess
else
(externa1?process []
(p ?nternat?process?et)
(?interna1?process?et)
end
end
I (R1,Ii,01,A1) E process?et(R,1,0,A)?
-:1nput?map?,?, x
(V			(S??D??,,?,??))??
Input?map??,???`, u,"
I  g = [e (Av E V(I(v)  9)) e E dom(I)]
-:0utpnt?map???? x
(V			(5
0utput?map? ,,u?',?u?
0  9 =[e ?4[v (0(e)(v)  9) v E dom(0(e))]
e E dom(I)
/* Internal choice of two processes */
H?:D?,, xD??,
P?Q = case P,Q of
D??
(R1,11,01,A1),
(R2,12, 02, A2)
(R1 UR2,
li Hi?,
01H02,
A1HA2
else ⊥
end
-H- :Input?map?,g??x
Inptt?map,?? ?
Input?map?,?u?
jiHI2 =[e Ii(e) e E dom(Ii)]t
H I?(e) e E dom(j?)]t
[e ?let
e =
in
AvE V' oli(e)(v)HIi(e)(v)
end
le E dom(I1) fl dom(12)
-H - :Output?map?, , >c
Output?map?, `,
Output?map???u,,'. u?'
01H02 =[e H Oi(e) e E dom(O1)it
:` O?(e) e E dom(O?)it
[e H+[v :` Oi(e)(v)HO?(e)(v)]
le E dom(O1) fl dom(02)
-H- :Acceptance?set?,?, x
Acceptance?set?,
Acceptance?set?,?u?? `
A1 HA2 =fx x E Pf(Pf(Uccin??an??? V?)x
?f(UcEo????h??(?) V)x
C ufri(y) ? E A u A'y A
1r2(x) C Ufr2(y) yEA u k? A
(?yE AuA'.
D iri(y) A
D r?(y)
Appendix B: Some Semantic Rules
/* In what follows, the denotational semantics of some syntactic constructions allowed in the language. */
Constants
0
Unit, 1,1
I () 1 =
AO E ?S?(fv(?)).
A()' E ?S4l).
AF E DynEnv?(O?).
As E S epass(())(s)
0
SFtrue Boot, I, ?
true 1 =
AO E ?S?(fv(S)).
A()' E gs?(?).
AF E DynEnv?(O?).
As E 8. pass(true)(s)
0
??skip: Unit, I, I
1 skip J =
AO E ?S?(fv(?)).
AO' E gs?(I).
AF E DynEnv?(O?).
As E 8 .pass(())(s)
J
Abstraction
& t [x			r]HE r
C?Ax 0 T Th' r',l,l
I Ax . E j =
AO E ?S?(fv(S)).
AO' E ?S?(fv(Oa) U fv(O?) u fv(Or)).
Al' E DynEnv?(OS).
let
v = Av' E Ve'e? .? E J(O)(O')(F t (x v'])
in
As E So pass(v)(s)
end
Application
C?E1 : r ?+ r',a' ,?`
?HE2 : T, a", ?"
C?E1 E2 : T1,a U a' U a", ? U ? U ?`
I(EiE2)i =
AO E ?S?(fv(?)).
AO' E ?S?(fv(()(a U a' U a"))u
fv(O(? u ? u ?`))u
Jv(Or)U
fv(8r')
Al' E DynEnv?(O?).
? E2 1(ft)(o')(l')
(Av E Ve'e . [ E1 J(O)(O')(F) 
Af			o(f v))
Sequencing
S?E1 :Ti,ai,?i
SFE2 : T2,a2,?2
??E1;E2 : T2,al Ua?,?i Un2
IEi;E21 =
AO E ?S?(fv(?)).
AO' E ?S?(fv(8(a1 U a?))U
fv(O(ni U n2))U
fv(OTi )U
Al' E DynEnv?(O?).
? E1 J(())(O')(l') 
Av E V?'on ?1 E2 1(?)(o')(l')
Output
?HE1 : chanx(T)ai,n1
?HE2 : T,a2,n2
C?E1 !E2 : Unit, al U a2, ni U n2 U out(?)
1E2E21 =
A()' E ?S?(fv(O(ai U a?))U
fv(()(ni U n2))U
fv(Ochanx (Or)
Al' E DynEnv?(OC).
? E2 1(O)(O')(l')  Av E V0?0?o
? E1 j(O)(O')(l')  Ac E
As E 5.
(I,
[c ?[(v,s)			pass(v)(s)]]
I(l,?c1,l)1
Lookup
0
Ixi =
AO E ?S?(fv(S)).
letVv1v?.r
In
AO' E ?O2 O2 E ?S?(fv(Or)) A ?()i ?OT = Oir').
let 0" such that O'Or = O"r'
in Al' E DynEnv?(OC).
As E S .pass(F(x)(O"))(s)
end
end
Internal choice
?FE1 : T, a1, ?i
gHE2 : r,a2,?2
?HE1 ?E2 : T,al U a2,? U ?
I E1\\E2 I =
AO E ?S?(fv(C)).
AO' E ?S4fv(O(ai U a?))U
fv(O(? u?))u
fv(Or)
Al' E DynEnv?(0C).
As E S.
(I E1 j(0)(O')(F)  Av E Ve'? 0 As' E So pass(v)(s'))s
(I E2 1(O)(O')(F)  Av E V0'0 . As' E 5 .pass(v)(s'))s
An Operational Semantics of Value Passing*
Rance Cleaveland
Department of Computer Science
North Carolina State University
Raleigh, NC 27695-8206
USA
tel: +1 919 515 7862
fax: +1 919 515 7896
e-mail: rance@csc.ncsu.edu
July 16, 1993
Abstract
This paper develops an operational semantics for concurrent languages with value passing. An operation analogous to substitution in the λ-calculus is given, and an operational equivalence is defined and shown to coincide with Milner's bisimulation equivalence. In contrast with existing process-algebraic approaches to value passing, this semantics does not reduce data exchange to pure synchronization over (potentially infinite) families of ports indexed by data.
1 Introduction
Process algebras such as CCS [13], CSP [10] and ACP [2] have been proposed as theories that highlight fundamental notions in concurrency in the same way that the λ-calculus [3] does for functional programming. Although the latter essentially focuses on only one programming construct, function application, it has proven very useful as a framework for studying numerous issues, both implementational as well as theoretical, in functional programming languages. In the search for similarly foundational operations in concurrency, process algebra researchers have typically focused on modeling synchronization between, and the simultaneous execution of, processes. Appropriate equivalences and preorders [4, 5, 6, 7, 11, 12, 16] have been defined that relate concurrent systems on the basis of their externally visible behavior, and the theories have been successfully applied to the verification of concurrent systems. However, researchers in process algebra have devoted relatively little attention to the operational aspects of the exchange of data between processes. This attention to "flow of values" is central in the λ-calculus, where notions of β-reduction and substitution form the basis for understanding function application. When value passing has been modeled in process algebra, it has typically been done via a reduction to simple synchronization, with data values in essence encoded in the "name" of the ports that synchronizing processes use. While adequate at an abstract level, this approach obscures details associated with ensuring the correct transmission of data from one process to another. Consequently, it is difficult to use these semantics to guide the development of implementations, specifically interpreters of value-passing languages.
*Research supported by NSF/DARPA grant CCR-9014775, NSF grant CCR-9120995, ONR Young Investigator Award N00014-92-J-1582, and NSF Young Investigator Award CCR-9257963.
The goal of this paper is to formulate an implementable semantics for process algebras with value passing. To this end, we present a semantics that accounts for operational concerns associated with the exchange of data between processes while maintaining a degree of abstraction from specific implementational details. The central difficulty to overcome is that, in contrast to the situation in the λ-calculus, where the syntactic structure of a reducible expression (redex) determines the subexpressions involved in a step of β-reduction, the emitters and consumers of values in concurrent programs may be arbitrarily separated, syntactically. Consequently, exchanging a value requires, at some level, the use of some kind of routing information to determine where the datum is to be delivered.
The remainder of the paper is structured as follows. The next section describes more
precisely the intuitive motivation for the work presented in this paper. The section following
then outlines a version of Milner's CCS with value-passing, defines its operational seman-
tics according to the standard approach, and defines an associated behavioral equivalence,
bisimulation equivalence. Section 4 then remarks on a shortcoming of the traditional se-
mantics, gives a semantics for value-passing designed to remedy this difficulty, and presents
a new notion of semantic equivalence. The section following establishes that the semantic
equivalences coincide, and the final section presents our conclusions and directions for future
research.
2 Reduction and the Flow of Values
The aim of this paper is to give a semantics for concurrent processes that pass values; the semantics should be implementable, and therefore account for issues associated with the transmission of data, while remaining abstract with respect to more concrete implementational details. In this section we outline aspects peculiar to concurrent languages that complicate the development of such a semantics. We begin by first reviewing relevant intuitions from the λ-calculus, some familiarity with which will be assumed on the part of the reader.
The λ-calculus is built on the notion of β-reduction, which in turn is based on the operation of substitution. β-reduction can be thought of as specifying how an argument to a function is to be distributed inside the body of the function; in the reduction step
(λx.M)N → M[N/x],
the relation in essence states that the expression N should be "sent" to all (free) occurrences of x in M. It should be noted that this "flow" of data is local to the redex (λx.M)N in the sense that the places in the term where datum N is to be "sent" can only be within M; any context that might surround the term cannot alter the possible destinations of N. This affords a syntactic characterization of redexes: a term can be a redex if and only if it is of the form M N (i.e. M and N are syntactically adjacent) and M has the form λx.M1. Different operational accounts of the λ-calculus exploit this definition of redex to define evaluation relations that have direct implementations as interpreters.
In concurrent languages, by way of contrast, the locality of data flow present in the λ-calculus is, by design, absent, since these languages are meant to model systems consisting of entities that exchange data without necessarily being adjacent to one another. For example, consider the following term in a putative process algebra.
αX.P | ... | ᾱE.Q
This system consists of some number of subsystems running in parallel. Process ᾱE.Q wishes to output expression E on port α and then behave like Q, while αX.P is awaiting an input on port α which it will then "assign" to X throughout P. What is notable here is the nonlocal flow of information; ᾱE.Q and αX.P in some sense form a "redex" even though they are not syntactically adjacent and may in fact be separated arbitrarily far apart in the term. Additionally, other processes (subterms) may also wish to communicate using α, and these may interfere with the exchange between the two processes above. Both of these features complicate the development of an "implementable" semantics for languages supporting concurrency and value passing; the work reported in this paper aims at circumventing these difficulties.
3 CCS and Value Passing
This section presents the syntax and traditional semantics for a language with value passing.
In the interests of notational simplicity, values and processes will be distinct (in contrast
with the language found in [14]), and a common mechanism, recursive definition, for building
processes will be omitted. Including these is not problematic, but we have chosen to exclude
them in the interests of notational simplicity.
The language CCS with Value Passing (CCS-VP) is parameterized with respect to several sets of syntactic entities. Let 𝒱 be a (countably infinite) set of variables ranged over by V, V', V1, ... and ℰ be a set of value expressions ranged over by E, E', E1, ...; these expressions may contain occurrences of variables Vi. Also let Λ be a (countably infinite) set of ports, or labels, ranged over by α, β, .... We use L, L', L1, ... to represent finite subsets of Λ, and f to denote a (relabeling) function in Λ → Λ. The syntax of CCS-VP may now be given using the following grammar.
P ::= nil | αV.P | ᾱE.P | P + P | P | P | P\L | P[f]
In the sequel we use 𝒫 to denote the set of all terms in CCS-VP, with P, Q, P', Q', P1, Q1, ... ranging over 𝒫. We sometimes refer to elements of 𝒫 as processes.
In order to give the standard operational semantics of CCS-VP we first define the following notions. We call expressions of the form αE and ᾱE, where α ∈ Λ and E ∈ ℰ, actions. We also let τ ∉ Λ denote a special internal action and use A = {αE | α ∈ Λ ∧ E ∈ ℰ} ∪ {ᾱE | α ∈ Λ ∧ E ∈ ℰ} ∪ {τ} to represent the set of all actions. a, a', a1, ... are used to range over A. Intuitively, a process can perform αE when it is capable of receiving E as an input on α from its environment, while it can perform ᾱE when it may output E on α to its environment. We extend the complement to actions as follows: if a = αE then ā = ᾱE, and if a = ᾱE then ā = αE. The function π : A → Λ ∪ {τ} returns the "port component" of an action; so π(αE) = π(ᾱE) = α, and π(τ) = τ. Also, if f : Λ → Λ and a ∈ A, then apply(f, a) "relabels" the port component of a by f; formally, this is given by
apply(f, a) = f(α)E if a = αE;  f(α)‾E if a = ᾱE;  τ otherwise (i.e. a = τ).
We also assume that ℰ is equipped with notions of free variable and substitution of expressions for variables; we use fv(E) ⊆ 𝒱 to represent the free variables in E and E1[V := E2] ∈ ℰ to denote the expression E1 with all occurrences of V replaced by E2. We further assume that for any E ∈ ℰ, |fv(E)| < ∞ and that there exists a function η : 2^𝒱 → 𝒱 with the property that for any finite V' ⊆ 𝒱, η(V') ∉ V'. We now define substitution for CCS-VP as follows.
Definition 3.1 Let V ∈ 𝒱 and E ∈ ℰ. Then P[E/V] for P ∈ 𝒫 is defined inductively as follows.
• nil[E/V] = nil.
• (αV'.P)[E/V] = αV'.P if V = V';  αV'.(P[E/V]) if V ≠ V' and V' ∉ fv(E);  αV''.(P[V''/V'][E/V]) otherwise, where V'' = η(fv(E) ∪ {V}). Notice that the final clause handles the problem of variable capture in the usual fashion by renaming bound variables as necessary.
• (ᾱE'.P)[E/V] = ᾱ(E'[V := E]).(P[E/V]).
• (P1 + P2)[E/V] = (P1[E/V]) + (P2[E/V]).
• (P1 | P2)[E/V] = (P1[E/V]) | (P2[E/V]).
• (P\L)[E/V] = (P[E/V])\L.
• (P[f])[E/V] = (P[E/V])[f].
Figure 1: The Traditional Semantics of CCS-VP.
αV.P --αE--> P[E/V]  for any E ∈ ℰ
ᾱE.P --ᾱE--> P
P --a--> P'  ⟹  P + Q --a--> P'
Q --a--> Q'  ⟹  P + Q --a--> Q'
P --a--> P'  ⟹  P | Q --a--> P' | Q
Q --a--> Q'  ⟹  P | Q --a--> P | Q'
P --a--> P', Q --ā--> Q'  ⟹  P | Q --τ--> P' | Q'
P --a--> P', π(a) ∉ L  ⟹  P\L --a--> P'\L
P --a--> P'  ⟹  P[f] --apply(f, a)--> P'[f]
The traditional semantics of CCS-VP is given as a relation --> ⊆ 𝒫 × A × 𝒫, where P --a--> P' holds if P is capable of executing action a and evolving to P' as a result. The formal definition of --> appears in Figure 1. Intuitively, αV.P is a process waiting for an input on channel α; upon receiving an expression it evolves to P with occurrences of V replaced by this value. ᾱE.P first outputs E on α and then behaves like P. Operator + is a choice operator; P1 + P2 is initially capable of the actions of either P1 or P2, with the process thereafter behaving like the process whose initial action was chosen. P1 | P2 models the parallel composition of P1 and P2 by interleaving the actions available to each; in addition, if one of the processes is capable of outputting a value on a port that the other is capable of receiving on, then the two processes synchronize, with an internal action resulting. In P\L the ports in L become local; no interaction can take place between P and its environment using these channels. Finally, in P[f], f is used to rename the labels that P interacts on.
Having defined the operational semantics of CCS-VP processes, we now present the definition of bisimulation equivalence [13], which is designed to relate processes on the basis of the behavior they exhibit to their environments. The definition is given in terms of bisimulations, which are relations that require related processes to have "matching transitions".
Definition 3.2 A relation ℛ ⊆ 𝒫 × 𝒫 is a bisimulation if, whenever P ℛ Q, the following holds for all a ∈ A.
1. If P --a--> P' then there is a Q' such that Q --a--> Q' and P' ℛ Q'.
2. If Q --a--> Q' then there is a P' such that P --a--> P' and P' ℛ Q'.
Bisimulation equivalence, ~ ⊆ 𝒫 × 𝒫, is defined by: P ~ Q if and only if there is a bisimulation ℛ such that P ℛ Q.
4 An Effective Semantics for Value Passing
While elegant, the semantics of CCS-VP is not directly implementable, in a certain sense. To see this, consider how one might try to implement an interpreter for CCS-VP on the basis of the rules given in Figure 1. Given a process term P, such an evaluator would need first to compute the set
{(a, P') | P --a--> P'}.
However, this set will in general be infinite when P is capable of any input action and the set of value expressions is infinite, and thus the interpreter would not, in general, terminate.
The problem with the semantics is that it is in a certain sense too abstract with respect to modeling the exchange of values. In essence, the semantics works by replacing a given input port name by a number of port names indexed by the possible values that may be received on it. For example, suppose that ℰ = Nat, the set of natural numbers, and consider a process of the form P ≡ αV.P'. From the operational semantics given in the previous section it is the case that P --αi--> P'[i/V] for any natural number i. The same behavior could be deduced for the following process in a non-value-passing calculus: Σ_{i ∈ Nat} α_i.P'[i/V]. This has the effect of obscuring how the transfer of values between P and Q ≡ ᾱE.Q' should be achieved in the system P | Q.
In this section, we develop an alternative operational semantics for CCS-VP that is
computable; it also aims to expose what we feel is a main operational consideration in the
implementation of communicating concurrent systems: the routing of data from senders to
receivers. The new semantics relies on the introduction of a new syntactic category of input-
enabled terms and an operation analogous to substitution that "channels" an input into one
of these terms. Using the new semantics, we define a notion of behavioral equivalence that,
as the next section shows, corresponds to bisimulation equivalence.
The set ℐ of input-enabled terms is given by the following grammar.
I ::= V.P | I ⌋ P | P ⌊ I | I\L | I[f]
Here P ∈ 𝒫 is as defined in Section 3. As was the case there, L ⊆ Λ and f : Λ → Λ. We use I, I', I1, ... to range over ℐ and K, K', K1, ... to range over 𝒫 ∪ ℐ.
Intuitively, an input-enabled term results when a process has indicated that it is ready to receive an input on a particular channel and is awaiting the value that it will substitute for the appropriate variable occurrences. In V.P, for example, all occurrences of V in the process P are to be replaced by the value that eventually arrives. I ⌋ P results when process Q in Q | P signals a desire for an input; the ⌋ indicates that when the value arrives, it should be routed into the left component. Operator ⌊ plays the symmetric role to ⌋. Finally, \L and [f] are as in Section 3.
In order formally to specify the new semantics, we first introduce the new set of actions we consider. The set A_in = Λ represents the set of input actions. A_o = {ᾱE | α ∈ Λ ∧ E ∈ ℰ} ∪ {τ} contains the "noninput actions"; then A' = A_in ∪ A_o. We use a, a', a1, ... to range over A'. The functions π' : A' → Λ ∪ {τ} and apply' : (Λ → Λ) → A' → A' are now defined by:
π'(a) = α if a = α;  α if a = ᾱE;  τ otherwise.
apply'(f, a) = f(α) if a = α;  f(α)‾E if a = ᾱE;  τ otherwise (i.e. a = τ).
We now define the routing operation that "delivers" a value to the appropriate places in an input-enabled term.
Definition 4.1 Let I ∈ ℐ and E ∈ ℰ. Then I ▷ E is defined inductively as follows.
• (V.P) ▷ E = P[E/V].
• (I ⌋ P) ▷ E = (I ▷ E) | P.
• (P ⌊ I) ▷ E = P | (I ▷ E).
• (I\L) ▷ E = (I ▷ E)\L.
• (I[f]) ▷ E = (I ▷ E)[f].
It is straightforward to establish the following.
Lemma 4.2 Let I ∈ ℐ and E ∈ ℰ. Then (I ▷ E) ∈ 𝒫.
The operational semantics is given in terms of a relation ==> ⊆ 𝒫 × A' × (𝒫 ∪ ℐ). The formal definition appears in Figure 2; the rough intuition underlying the rules is the following. The operations +, \L, and [f] behave essentially as they do in the old semantics, as does ᾱE.P (i.e. prefixing by an output action). A process of the form αV.P signals its desire for an input on α by executing the action α and then evolving to the input-enabled term V.P, where it awaits a value to be routed to it from the environment. The rules for | are slightly more complicated than before, since terms must be decorated with appropriate routing information. Thus, if P requests an input on α and evolves to input-enabled term I, then P | Q must evolve to the input-enabled term I ⌋ Q to indicate that its left subterm is awaiting a value. If P wishes to perform an output without synchronizing with Q, then P | Q behaves as in the old semantics. Finally, if P signals a desire for an input on α and Q is willing to perform an output on the same port, then the two may synchronize, with a τ resulting and the appropriate value expression being routed to P. The dual situation holds for Q.
As an illustration of the semantics, consider the following term.
P ≡ (αX.βX.nil | βY.nil) | ᾱE.nil
Figure 2: A New Semantics for Value Passing.
αV.P ==α==> V.P
ᾱE.P ==ᾱE==> P
P ==a==> K  ⟹  P + Q ==a==> K
Q ==a==> K  ⟹  P + Q ==a==> K
P ==α==> I  ⟹  P | Q ==α==> I ⌋ Q
P ==a==> P', a ∈ A_o  ⟹  P | Q ==a==> P' | Q
Q ==α==> I  ⟹  P | Q ==α==> P ⌊ I
Q ==a==> Q', a ∈ A_o  ⟹  P | Q ==a==> P | Q'
P ==α==> I, Q ==ᾱE==> Q'  ⟹  P | Q ==τ==> (I ▷ E) | Q'
P ==ᾱE==> P', Q ==α==> I  ⟹  P | Q ==τ==> P' | (I ▷ E)
P ==a==> K, π'(a) ∉ L  ⟹  P\L ==a==> K\L
P ==a==> K  ⟹  P[f] ==apply'(f, a)==> K[f]
By applying the above rules, we may deduce the following transitions for P.
P ==α==> (X.βX.nil ⌋ βY.nil) ⌋ ᾱE.nil
P ==β==> (αX.βX.nil ⌊ Y.nil) ⌋ ᾱE.nil
P ==ᾱE==> (αX.βX.nil | βY.nil) | nil
P ==τ==> ((X.βX.nil ⌋ βY.nil) ▷ E) | nil ≡ ((X.βX.nil ▷ E) | βY.nil) | nil ≡ (βE.nil | βY.nil) | nil
The last of these transitions illustrates how the ⌊ and ⌋ operators guide incoming values to the appropriate subterm, where they are then substituted for the indicated variable. Notice also that in the transfer of data in this transition, the routing procedure does not "touch" the process βY.nil; no attempt is made to substitute E into it.
4.1 Implementing the Semantics
That the semantics is implementable stems from the following result.
Theorem 4.3 Let P ∈ 𝒫, and let T = {(a, K) | P ==a==> K}. Then |T| < ∞.
On the basis of this theorem, it is relatively straightforward to implement a routine that computes the transitions available to a term. Given a term as input, the procedure would recursively compute the transitions of its subterms and combine them appropriately, as indicated by the applicable rules, to obtain the transitions of the overall term. As the theorem guarantees that these sets are finite, the routine is effectively computable.
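The transition routine described above, as an added Python example that is not part of Cleaveland's paper: it implements substitution (Definition 3.1), the routing operation ▷ (Definition 4.1) and the rules of Figure 2 over tuple-encoded terms, and computes the finite transition set of the example term of Section 4 with E taken to be the constant 5. The term tags, the function names and the variable-naming function fresh are this example's own conventions, not the paper's.

```python
from itertools import product

# Added example, not code from the paper: terms are tuples, ports and variables are strings,
# value expressions are a variable (str) or a constant (int). Input-enabled terms use the
# tags 'wait' (V.P), 'lpar' (I waiting on the left of |) and 'rpar' (I waiting on the right).
NIL = ('nil',)

def fv(e):
    """Free variables of a value expression."""
    return {e} if isinstance(e, str) else set()

def fvp(P):
    """Free variables of a process term."""
    tag = P[0]
    if tag == 'in':                      # cV.P binds V in P
        return fvp(P[3]) - {P[2]}
    if tag == 'out':
        return fv(P[2]) | fvp(P[3])
    if tag in ('sum', 'par'):
        return fvp(P[1]) | fvp(P[2])
    return fvp(P[1]) if tag in ('res', 'ren') else set()

def fresh(avoid):
    """The renaming function eta: a variable not in the finite set 'avoid'."""
    n = 0
    while f"V{n}" in avoid:
        n += 1
    return f"V{n}"

def subst(P, E, V):
    """P[E/V] as in Definition 3.1, renaming bound variables to avoid capture."""
    tag = P[0]
    if tag == 'nil':
        return P
    if tag == 'in':
        _, c, W, Q = P
        if W == V:                       # V is bound here: nothing to replace inside
            return P
        if W not in fv(E):
            return ('in', c, W, subst(Q, E, V))
        W2 = fresh(fv(E) | {V} | fvp(Q)) # fvp(Q) added: a safe superset of the page's set
        return ('in', c, W2, subst(subst(Q, W2, W), E, V))
    if tag == 'out':
        _, c, E2, Q = P
        return ('out', c, E if E2 == V else E2, subst(Q, E, V))
    if tag in ('sum', 'par'):
        return (tag, subst(P[1], E, V), subst(P[2], E, V))
    return (tag, subst(P[1], E, V), P[2])   # 'res' keeps L, 'ren' keeps f

def route(I, E):
    """I |> E (Definition 4.1): deliver value E to the variable waiting inside I."""
    tag = I[0]
    if tag == 'wait':
        return subst(I[2], E, I[1])
    if tag == 'lpar':
        return ('par', route(I[1], E), I[2])
    if tag == 'rpar':
        return ('par', I[1], route(I[2], E))
    if tag in ('res', 'ren'):
        return (tag, route(I[1], E), I[2])
    raise ValueError("not an input-enabled term")

def rename_action(f, a):
    """apply'(f, a): relabel the port of a; f is a tuple of (old, new) pairs."""
    return a if a[0] == 'tau' else (a[0], dict(f).get(a[1], a[1])) + a[2:]

def transitions(P):
    """All (action, K) pairs derivable for P by the rules of Figure 2 (a finite set)."""
    tag, out = P[0], set()
    if tag == 'in':                      # cV.P --c--> V.P, an input-enabled term
        out.add((('in', P[1]), ('wait', P[2], P[3])))
    elif tag == 'out':                   # c'E.P --c'E--> P
        out.add((('out', P[1], P[2]), P[3]))
    elif tag == 'sum':
        out = transitions(P[1]) | transitions(P[2])
    elif tag == 'par':
        _, Q, R = P
        tq, tr = transitions(Q), transitions(R)
        for a, K in tq:                  # an input on the left leaves 'lpar' routing information
            out.add((a, ('lpar', K, R) if a[0] == 'in' else ('par', K, R)))
        for a, K in tr:
            out.add((a, ('rpar', Q, K) if a[0] == 'in' else ('par', Q, K)))
        for (a, K1), (b, K2) in product(tq, tr):   # synchronisation on a shared port
            if a[0] == 'in' and b[0] == 'out' and a[1] == b[1]:
                out.add((('tau',), ('par', route(K1, b[2]), K2)))
            if a[0] == 'out' and b[0] == 'in' and a[1] == b[1]:
                out.add((('tau',), ('par', K1, route(K2, a[2]))))
    elif tag == 'res':                   # P\L blocks actions whose port is in L
        out = {(a, ('res', K, P[2])) for a, K in transitions(P[1])
               if a[0] == 'tau' or a[1] not in P[2]}
    elif tag == 'ren':
        out = {(rename_action(P[2], a), ('ren', K, P[2])) for a, K in transitions(P[1])}
    return out

# Constructed instance of the page's example (aX.bX.nil | bY.nil) | a'E.nil, taking E = 5.
EXAMPLE = ('par', ('par', ('in', 'a', 'X', ('out', 'b', 'X', NIL)), ('in', 'b', 'Y', NIL)),
           ('out', 'a', 5, NIL))
```

transitions(EXAMPLE) yields exactly the four transitions listed after Figure 2, with the τ-transition's target being (βE.nil | βY.nil) | nil encoded as ('par', ('par', ('out', 'b', 5, NIL), ('in', 'b', 'Y', NIL)), NIL).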
4.2 A Semantic Equivalence
As transitions ==> are not defined for elements of ℐ, we cannot directly apply the definition of ~ given in Section 3. Instead, we define the following.
Definition 4.4 A relation ℛ ⊆ (𝒫 × 𝒫) ∪ (ℐ × ℐ) is an input-sensitive bisimulation if, whenever K1 ℛ K2, the following hold.
1. If (K1, K2) ∈ 𝒫 × 𝒫 then for all a ∈ A':
(a) K1 ==a==> K1' implies there is a K2' such that K2 ==a==> K2' and K1' ℛ K2'.
(b) K2 ==a==> K2' implies there is a K1' such that K1 ==a==> K1' and K1' ℛ K2'.
2. If (K1, K2) ∈ ℐ × ℐ then for all E ∈ ℰ, (K1 ▷ E) ℛ (K2 ▷ E).
K1 ≈ K2 if there is an input-sensitive bisimulation ℛ such that K1 ℛ K2.
It is straightforward to establish that ≈ is itself an input-sensitive bisimulation, and is in fact the largest such relation.
5 The Equivalences Are Equivalent
This section establishes that, when restricted to 𝒫 × 𝒫, ≈ relates exactly the same processes
as ~. The importance of this result lies in the fact that it in some sense licenses the use
of either form of operational semantics for CCS-VP. If one is not interested in the specific
mechanisms of data exchange, then one may use the traditional, more abstract semantics; if
on the other hand one is interested in more implementational considerations, then one may
use the new semantics. In either case, the equivalences deduced between processes at one
level will hold at the other.
The correspondence between equivalences rests on the following lemmas.
Lemma 5.1 Let P ∈ 𝒫, α ∈ A, and E ∈ ℰ. Then P −αE→ P' if and only if there exists an
I ∈ ℐ such that P −α→ I and P' = I ◁ E.
Proof. Proceeds by induction on the derivations of P −αE→ P' and P −α→ I. ☐
Lemma 5.2 Let P ∈ 𝒫 and α ∈ A₀. Then P −α→ P' in the traditional semantics if and only if
P −α→ P' in the new semantics.
Proof. Proceeds by induction on the derivations of P −α→ P' in each of the two semantics. ☐
Using these lemmas, we can now prove the following theorem.
Theorem 5.3 Let P1, P2 ∈ 𝒫. Then P1 ≈ P2 if and only if P1 ~ P2.
Proof. Using Lemmas 5.1 and 5.2, one can show that every input-sensitive bisimulation
is also a bisimulation and that every bisimulation may be extended into an input-sensitive
bisimulation. The proof then follows. ☐
6 Conclusions
In this paper we have presented an alternative semantics for a concurrent language with
value passing. Inspired by the operational considerations that are evident in the reduction-
style semantics given to the λ-calculus, this semantics attempts to reflect more faithfully, yet
abstractly, the operational concerns associated with the exchange of values between processes
distributed in space. A notion of operational equivalence is defined and shown to coincide
with the well-known bisimulation equivalence of CCS. Thus the new semantics maintains
consistency with the traditional semantics given to value-passing languages while providing
more information about how data is passed between processes.
There are a number of directions in which this work can be extended. In this paper we
only considered binary synchronous communication in the style of CCS. One could also alter
the framework slightly to support synchronous multi-party communication; one way to do so
would involve the introduction of an additional "routing" operator for input-enabled terms
that would indicate that a data value should be routed to both subterms. It would also be
interesting to examine the semantics in this paper in light of the criteria proposed in [15] for
an operational semantics to be effective. This could lead to a formalization of the informal
argument of implementability given here. Another direction for future research would involve
extending the syntax of process terms to permit explicit routings and substitutions in the
same way that the λ-calculus has been extended with explicit substitutions in, e.g., [1]. In
the λ-calculus, explicit substitutions permit a finer study of the cost of reducing one term
to another. In addition to enabling a more detailed study of "communication costs" à la the
λ-calculus, explicit routings could also be used as a basis for giving a reduction-like semantics
for asynchronous communication in which senders need not wait for receivers. To see how
this might be done, consider the process
T = (αX.P | βY.Q) | ᾱE.R.
With terms of the form I ◁ E allowed as processes, one could imagine defining a semantics
in which T could have the following transition.
T −τ→ ((αX.P | βY.Q) ◁ E) | R
Thus, before the ◁ E operation is fully resolved, R could engage in another transition. A
number of details would need to be worked out, but the approach appears promising.
Finally, it would also be interesting to extend the language in this paper by considering
different types of values and permitting data variables to have types ascribed to them. One
could alter the reduction semantics for value-passing by introducing a sensitivity to type:
input actions could be labeled by the type of the variable they bind, and a reduction would
take place only if the type of the output expression matches that of the variable. In this way
one could obtain a (first-order) typed reduction system for concurrent processes. Several
interesting directions for further inquiry would then present themselves. One would be to
investigate the development of a higher-order typed language for processes. Another would
be the extraction of "pure" (finite-state) process algebra terms from typed terms that would
retain some of the behavioral properties of the original (infinite-state) terms. For example,
one could imagine taking a term of the form αX:Int.P and generating a term of the form
αInt.T(P), where T(P) is the "type" for P. To the extent that such a procedure would
yield a term reflecting at an abstract level the behavior and types of passed values of the
original term, useful behavioral information could be automatically computed for concurrent
programs.
Related Work
Traditionally, researchers in process algebra have defined the semantics of value-passing by
"reducing" it to pure synchronization in the fashion described in Section 3 [11,13,14]. One
approach to avoiding the attendant infinite number of transitions that this entails can be
found in [8, 9]. There the semantics dictates that processes such as αX.P may engage in
the single transition αX.P −αX→ P; when processes synchronize, then, data transfer is handled
via substitution in the usual sense. The approach is similar to ours, although it differs in
that unnecessary substitutions can be performed, with an attendant need to rename bound
variables on occasion. For example, consider the term αX.P | β̄X.Q; note that X is free in
the right-hand process. If this system is allowed to engage in the transition
αX.P | β̄X.Q −αX→ P | β̄X.Q
then X is now free in both the left-hand and right-hand sides. However, since their seman-
tics requires that a value arriving at this term as the result of a synchronization on α be
substituted for X in both processes, the free occurrence of X in the right-hand side process
would incorrectly be replaced. To ensure this does not happen, the X in the left-hand pro-
cess must be renamed. In contrast, our semantics would not require the renaming of X
here, because the routing operation would ensure that substitution is only performed for
occurrences of X on the left.
Acknowledgements. I would like to thank Bard Bloom and S. Purushothaman for their
insightful comments on an earlier version of this paper.
References
[1] M. Abadi, L. Cardelli, P.-L. Curien, and J.-J. Lévy. Explicit substitutions. In Eighteenth Annual ACM Symposium on Principles of Programming Languages, pages 31–46, San Francisco, January 1990. Computer Society Press.
[2] J. Baeten and W. Weijland. Process Algebra, volume 18 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, 1990.
[3] H. Barendregt. The Lambda Calculus, volume 103 of Studies in Logic and the Foundations of Mathematics. North-Holland, Amsterdam, 1984.
[4] J. Bergstra and J. Klop. Algebra of communicating processes with abstraction. Theoretical Computer Science, 37:77–121, 1985.
[5] S. Brookes, C. Hoare, and A. Roscoe. A theory of communicating sequential processes. Journal of the Association for Computing Machinery, 31(3):560–599, July 1984.
[6] R. De Nicola and M. Hennessy. Testing equivalences for processes. Theoretical Computer Science, 34:83–133, 1983.
[7] M. Hennessy. Algebraic Theory of Processes. MIT Press, Boston, 1988.
[8] M. Hennessy and H. Lin. Proof theories for symbolic bisimulation. Technical report, Sussex University, forthcoming 1992.
[9] M. Hennessy and H. Lin. Symbolic bisimulations. Technical Report 1/92, Sussex University, 1992.
[10] C. Hoare. Communicating Sequential Processes. Prentice-Hall, London, 1985.
[11] R. Milner. A Calculus of Communicating Systems, volume 92 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 1980.
[12] R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science, 25:267–310, 1983.
[13] R. Milner. A Calculus of Communicating Systems. Prentice-Hall, London, 1989.
[14] B. Thomsen. A calculus of higher-order communicating systems. In Sixteenth Annual ACM Symposium on Principles of Programming Languages, pages 143–154, Austin, Texas, January 1989. Computer Society Press.
[15] F. Vaandrager. Expressiveness results for process algebras. Technical Report CS-R9301, University of Amsterdam, Programming Research Group, 1993.
[16] D. Walker. Bisimulation and divergence in CCS. In Third Annual Symposium on Logic in Computer Science, pages 186–192, Edinburgh, July 1988. Computer Society Press.
An Information Flow Security Property for CCS
(Extended Abstract)
Riccardo Focardi    Roberto Gorrieri
Università di Bologna, Dipartimento di Matematica
Piazza di Porta San Donato 5, I-40127 Bologna (Italy)*
e-mail: gorrieri@cs.unibo.it
Abstract
Multilevel security has been introduced to limit the activity of Trojan Horses, malicious pro-
grams which try to broadcast secret information. Every piece of information is classified with a security
level and the multilevel secure system must guarantee that information cannot flow from a level
to a lower one. So a Trojan Horse, which operates at a certain level, has no way to downgrade
information and the effect of its execution is restricted to such a level.
In this paper, a formal property of security, called Non Deducibility on Compositions (NDC),
is proposed and defined on CCS agents. We assume, for the sake of simplicity, to have two
security levels only: high and low. In this context, a Trojan Horse is a high level process which
tries to pass information to the low level. NDC is based on the following intuition: a system is
NDC secure if, when connected to all possible high level processes, the computations of the low
level users are not affected. So, such a property guarantees that no information flow from the
high level to the low one can occur. An alternative formulation of NDC, which exploits only
local information, is presented. It has the merit of being algorithmically testable for finite-state
systems. Moreover, it is useful for modular verification of secure systems: indeed, NDC is a
composable property w.r.t. the CCS operators of parallel composition and restriction. Moreover,
through an example, it is shown how NDC can be applied to reason about realistic systems.
Finally, we show that NDC, based on trace semantics, may be insufficient in some cases. Hence,
NDC is formulated also assuming the finer (weak) bisimulation as basic underlying semantics.
1 Introduction
Security is a crucial property of system behaviour. It requires that there is a strict control over the
information flow among parts of the system. The main problem is to limit, and possibly avoid, the
damage produced by malicious programs, usually called Trojan Horses, which try to broadcast
secret information. There are several approaches to security, most of which are based on some access
control policy.
*This work has been partially supported by Esprit Basic Research project BROADCAST n. 6360 and by Italian
CNR, grant n. 92.00069.CTl2.115.25585
In Discretionary Access Control security (DAC for short), every subject (i.e., an active agent
such as a user) decides the access properties of its objects (i.e., passive agents such as files). An
example of DAC is file management in Unix, where a user can decide the access possibilities of
her/his files. So, if a user executes a Trojan Horse program, it can modify the security properties
of the user's objects (usually, a program inherits the executor's capabilities).
A solution to this problem is Mandatory Access Control (MAC for short), where access
rules are imposed by the system. An example of MAC is Multilevel Security [1]: every object is
bound to a security level, and so is every subject; information can flow from a certain object to a
certain subject only if the level of the subject is greater than the level of the object. So a Trojan
Horse, which operates at a certain level, has no way to downgrade information and its action is
restricted inside such a level. There are two access rules (see figure 1):
No Read Up: A subject cannot read data from an upper level object.
No Write Down: A subject cannot write data to a lower level object.
However these access rules do not guarantee an absence of information flow from upper levels
to lower ones. It could be possible to indirectly transmit information using some system side effect.
For example, if two levels 'high' and 'low' share some finite storage resource (e.g., a hard disk), it
is possible to transmit data from level 'high' to level 'low' by using the 'resource full' error message.
It is sufficient, for a high level transmitter, to alternately fill or empty the resource in order to
transmit a '1' or a '0'. Simultaneously, the low level receiver tries to write on the resource,
decoding every error message as a '1' and every successful write as a '0'.
It is clear that such indirect ways of transmission, called covert channels, do not violate the two
multilevel access rules. Therefore, to guarantee a correct information flow control, it is necessary
to integrate a MAC discipline with a covert channel analysis [9,16,10,14].
An alternative, more general approach to security requires controlling directly the whole flow of
information, rather than the accesses of subjects to objects. To do this, it is necessary to
choose a formal model of system behaviour and to define the information flow on such a model.
By imposing some information flow rule, we can control any kind of transmission, be it direct or
indirect.
Our proposal is based on labelled transition systems [8] (lts for short), a very general and simple
model, used to give semantics to many concurrent languages. In particular, a variant of CCS [13]
is used in this paper to specify the behaviour of concurrent systems.
We assume, for the sake of simplicity, to have two security levels¹ only: high and low. Each
action will be bound to a security level; hence, it will be sufficient to partition the CCS action set in
two sets Act_L (the low level actions) and Act_H (the high level ones). Agents built with high (low)
¹The generalisation of the approach to n levels can easily be done.
Figure 1: Legal accesses in Multilevel Security. Arrows represent information flow: a read operation
is an information flow from an object to a subject, whilst a write is from a subject to an object.
Information can flow only towards higher levels. [Diagram: subjects s1 (level n+k) and s2 (level n) with Read, Write and Read-down arrows to objects; not reproduced.]
level actions only are often called high (low) level agents. In this context, an information flow from
the high level to the low one takes place when the effects of high level actions are visible to low
level users. So, a Trojan Horse is a high level agent which tries to modify the low level executions.
In the literature, there are already many different definitions of this kind, based on several
system models [4,15,11,7,17,12]. In [3] we have unified them under the lts model, then compared
and classified them, leading to the general notion presented in this abstract: Non Deducibility on Com-
positions (NDC, for short).
NDC is a transposition on lts's of Non Deducibility on Strategies (NDS), originally defined [17]
over a very restrictive model. It assumes two security levels and is based on the following intuition:
a system is NDC secure if, when connected to all possible high level agents (or Trojan Horses),
the computations of the low level users are not affected. So, such a property guarantees that no
information flow from the high level to the low one can take place. We also show that NDC is
closed with respect to system composition. This property is very useful in verification and permits
writing a new system as a composition of subsystems satisfying NDC. This is the subject of Section
3.
An example of application of the theory is reported in Section 4. It presents an access monitor,
which is proved to be NDC secure.
It is then shown (Section 5) that a system which satisfies the NDC property may still exhibit
non-secure behaviour. This is due to the fact that NDC has been defined exploiting a rather weak
semantics, trace semantics, which equates systems when they have the same set of execution traces.
We extend NDC to the finer equivalence of weak bisimulation [13], hence obtaining a much finer
security property which, in our opinion, seems to be a reasonable candidate to express formally
security constraints over CCS-like languages.
2 Preliminary Definitions
We assume the reader familiar with the CCS language and the lts model, shortly presented in the
following (see [13] for a comprehensive treatment).
Definition 2.1 A labelled transition system (lts) is a triple (S, T, →) such that:
• S is a set of states
• T is a set of labels (actions)
• → ⊆ S × T × S is a set of labelled transitions
(s1, a, s2) ∈ → (or equivalently s1 −a→ s2) means that the system can move from the state s1 to
the state s2 through the action a. CCS syntax is based on the following elements:
• A set I = {a, b, ...} of input actions, a set O = {ā, b̄, ...} of output actions, and a set Λ = I ∪ O
of visible actions.
• A complementation function ¯ : Λ → Λ such that ∀a ∈ Λ, ā ∈ Λ and the complement of ā is a.
• A set Act = Λ ∪ {τ} (τ is the internal action) of actions or signals.
• A set K of constants.
The syntax of a CCS agent is defined as follows:
E ::= 0 | μ.E | E + E | E|E | E \ L | E[f] | Z
where μ ∈ Act, L ⊆ Λ, Z ∈ K and f : Act → Act is such that f(ā) is the complement of f(a) and f(τ) = τ. Moreover,
for every constant Z ∈ K there must be the corresponding definition Z ≝ E. Intuitively, 0 is
the empty process, which cannot do any action; μ.E can perform action μ and then behaves like
E; E1 + E2 is a process which can nondeterministically choose to behave like E1 or E2; E1|E2 is
the parallel composition of E1 and E2, where the executions of the two systems are interleaved,
possibly synchronised on complementary input/output actions; E \ L can execute all the actions
E is able to do, provided that they do not belong to L ∪ L̄; finally, if E can execute action μ, then
E[f] performs f(μ).
Let ℰ be the set of CCS agents, ranged over by E, F (possibly indexed); in general if we say "a
certain system E" we mean the CCS agent E. Let Acs(E) denote the sort of process E, i.e., the set
of actions executable by E. Then, the operational semantics of CCS is the lts (ℰ, Act, →) where
the transition relation (⊆ ℰ × Act × ℰ) is not reported for lack of space (see [13]).
A widely used system composition operator requires that two systems are composed in parallel
by forcing the synchronisation on their common (complementary) actions. This can be implemented
in CCS by means of parallel composition (which permits synchronisations) and restriction (which
forbids asynchronous moves, hence forcing synchronisations):
Definition 2.2 The system composition of two agents E and F is (E|F) \ (Acs(E) ∩ Acs(F)).
Now we first introduce execution traces and trace equivalence on CCS process terms; then,
we report the definition of the standard notion of equivalence on CCS agents: observation equiv-
alence, based on weak bisimulation.
Definition 2.3 Let t = α1 ... αn ∈ Act* be a sequence of actions; then E =t⇒ E' if and only if
E (−τ→)* −α1→ (−τ→)* ... (−τ→)* −αn→ (−τ→)* E'. For all E ∈ ℰ the set T_E ⊆ (I ∪ O)* of traces associated with
E is defined as follows: given a sequence γ = α1 ... αn,
γ ∈ T_E ⇔ γ ∈ (I ∪ O)*, ∃E1, ..., En ∈ ℰ such that E =α1⇒ E1 =α2⇒ ... =αn⇒ En
Two systems are trace equivalent if they have the same set of traces: E ≈_T F ⇔ T_E = T_F
Definition 2.4 If t ∈ Act*, then t̂ ∈ (I ∪ O)* is the sequence obtained by deleting all occurrences of
τ from t. A binary relation B ⊆ ℰ × ℰ over agents is a weak bisimulation if (P, Q) ∈ B implies,
for all α ∈ Act,
(i) if P −α→ P' then ∃Q' : Q =α̂⇒ Q' ∧ (P', Q') ∈ B
(ii) if Q −α→ Q' then ∃P' : P =α̂⇒ P' ∧ (P', Q') ∈ B
We say that P is observation equivalent to Q, denoted P ≈ Q, if there exists a weak bisimulation
B such that (P, Q) ∈ B.
A few auxiliary definitions will be useful in the following.
Definition 2.5 Let A be a set. Let γ, γ' ∈ A* be two sequences of elements in A. γ' is a subse-
quence of γ (γ' ≤ γ) if and only if γ and γ' are of the form:
γ = α1 ... αn, γ' = α_k(1) ... α_k(m) with m ≤ n
where k : [1, m] → [1, n] is an increasing monotone function.
Notation: With abuse of notation α ∈ γ denotes that α is an element of the sequence γ. Let
γ, γ' be two sequences such that γ' ≤ γ; then k_γ',γ denotes the subsequence function in Definition
2.5.
A set C of observable actions is complete iff for every input i ∈ I in C the corresponding output
ī ∈ O is also in C. The set of all the complete sets of actions is denoted with U ≝ {C ⊆ (I ∪ O) |
C is complete}.
The following functions will be used to define NDC. They are connected to the idea of security
levels and assume that the set of actions Act has been partitioned in two complete sets Act_H, Act_L ∈
U which represent the sets of high and low level actions, respectively.
The first function, low, extracts from a sequence of actions the subsequence composed only of
low level actions. The second function, lowviews, returns the set of low traces of a certain system.
Definition 2.6 Let Act_H, Act_L ∈ U. The functions low and lowviews are defined as follows:
• low : Act* → Act_L*; for every γ ∈ Act*, γ' ∈ Act_L*, γ' = low(γ) is such that:
γ' ≤ γ ∧ ∀α_i ∈ γ, α_i ∈ Act_L ⟹ ∃j : i = k_γ',γ(j)
• lowviews : ℰ → P(Act_L*). For every agent E ∈ ℰ:
lowviews(E) ≝ {γ ∈ Act_L* | ∃γ' ∈ T_E, γ = low(γ')}
In the following, we assume that Act_H and Act_L are a partition of input and output actions.
3 Non Deducibility on Compositions
Non Deducibility on Compositions (NDC) is a transposition on the lts model of Non Deducibility
on Strategies (NDS) [17]. The basic idea of NDS is the following: a Trojan Horse is viewed as
a high level input "strategy" [17] (or high level process) Π which chooses a new input for the
system depending on the sequence of previous input/output actions; hence, a system is NDS if, for
a certain strategy Π, all the low level views are still possible, i.e., if Π does not restrict the possible
low executions (hence, it does not "interfere" with the low level).
The original definition [17] is based on a very restrictive system model in which, at every clock
signal, a system takes an input from every input channel and emits an output to every output one.
In such a model, a strategy is simply a function which at time n computes a new input using an
n − 1 long sequence of previous input/output actions. In a CCS-like setting, a strategy cannot be
represented as a function. In fact, when a system emits an output, it must wait for a corresponding
external input which could never arrive: a deadlock may arise on a system output, because of the
synchronous nature of CCS communication. A strategy can be represented as a function of previous
input/output signals only if all such outputs have been accepted by the external user (in particular
by a Trojan Horse).
A strategy may be seen as a process Π which uses only high level actions. To fix a certain
strategy on a system E, it is sufficient to consider the system (E|Π) \ Act_H. So a system E is NDC
if for every high level process Π the low level view sets of E and (E|Π) \ Act_H are the same. In
other words, a system E is NDC if the composition of E with all possible Trojan Horses does not
change its set of low level views.
Definition 3.1 NDC_H (Non Deducible on Compositions for actions in H).
Let H ⊆ Act_H. Then,
E ∈ NDC_H ⇔ lowviews(E) = lowviews((E|Π) \ H), ∀Π ∈ ℰ, Acs(Π) ⊆ Act_H ∪ {τ}
NDC is defined as NDC_H where H = Act_H: NDC ≝ NDC_{Act_H}
This definition states that there is no way of altering the low level executions of a system E by
composing with it a high level agent Π which communicates with E only through actions in H.
Of course, this definition is difficult to use in practice: it is not possible to verify the security of a
system by connecting to it all Trojan Horses and observing their effect on low level computations (it is
an exhaustive procedure which does not terminate, in general). We need an alternative formulation
of NDC, which exploits local information only. It is based on the following theorem, which asserts
that the property of 'transparence with respect to all Trojan Horse attacks' corresponds to a static
property of an agent E, namely, to a property that can be verified by examining the traces of
system E only.
Theorem 3.1 (Static characterization of NDC_H)
E ∈ NDC_H ⇔ lowviews(E) = lowviews(E \ H)
This characterisation of NDC_H has the merits of being algorithmically testable (at least, for
finite state systems) and useful for modular verification of secure systems. Indeed, NDC is a
composable property w.r.t. the CCS operators of parallel composition and restriction; hence, a new
NDC secure system may be described as a composition of NDC secure subsystems.
Theorem 3.2 Let E and E' be two NDC_H agents, S ⊆ H and S' ⊆ Act_L. The following hold:
(i) E|E' ∈ NDC_H,
(ii) E \ S ∈ NDC_H,
(iii) E \ S' ∈ NDC_H,
(iv) (E|E') \ (Acs(E) ∩ Acs(E')) ∈ NDC_H, if (Acs(E) ∩ Acs(E') ∩ Act_H) ⊆ H.
Finally, the following proposition states that the NDC_H sets are partially ordered w.r.t. set-
theoretic (reversed) inclusion over the sets H.
Proposition 3.1 H, H' ⊆ Act_H : H' ⊆ H ⟹ NDC_H ⊆ NDC_{H'}
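The static check of Theorem 3.1 as an added Python example (not code from the paper): an lts is encoded as a dict of transitions, traces are enumerated up to a length bound, and lowviews(E) is compared with lowviews(E \ Act_H). The action names, the two constructed storage systems (the 'resource full' covert channel of the introduction and a per-level quota variant) and the trace bound are assumptions of the example.

```python
"""Static NDC check (Theorem 3.1) on a small finite-state lts.

Added example, not code from the paper.  An lts is a dict mapping a state to
a list of (label, next_state) pairs; labels are strings and the internal
action is "tau".  Act_H and Act_L are assumed to be complete sets (closed
under complementation), so that E \\ Act_H removes exactly the high moves.
"""
from collections import deque

TAU = "tau"


def weak_traces(lts, start, max_len):
    """Traces of `start` in the sense of Definition 2.3: the visible labels
    along a path, with every tau deleted.  Traces are cut at `max_len` so
    that systems with loops (through tau or otherwise) still terminate;
    for a loop-free system any bound >= the longest path is exact."""
    seen = {(start, ())}
    queue = deque(seen)
    traces = set()
    while queue:
        state, trace = queue.popleft()
        traces.add(trace)
        for label, nxt in lts.get(state, ()):
            new = trace if label == TAU else trace + (label,)
            if len(new) > max_len or (nxt, new) in seen:
                continue
            seen.add((nxt, new))
            queue.append((nxt, new))
    return traces


def restrict(lts, labels):
    """E \\ L for a complete set L: drop every transition labelled in L."""
    return {s: [(a, t) for a, t in moves if a not in labels]
            for s, moves in lts.items()}


def low(trace, act_l):
    """The function low of Definition 2.6: keep the low actions, in order."""
    return tuple(a for a in trace if a in act_l)


def lowviews(lts, start, act_l, max_len):
    """lowviews(E) of Definition 2.6: the low projections of all traces."""
    return {low(t, act_l) for t in weak_traces(lts, start, max_len)}


def ndc_witnesses(lts, start, act_h, act_l, max_len):
    """Low views that exist only when the high level can act.  The traces of
    E \\ Act_H are a subset of those of E, so this difference is empty exactly
    when Theorem 3.1 holds; otherwise each element is a concrete low-level
    observation that reveals high-level activity (an information flow)."""
    return (lowviews(lts, start, act_l, max_len)
            - lowviews(restrict(lts, act_h), start, act_l, max_len))


def is_ndc_static(lts, start, act_h, act_l, max_len):
    """Theorem 3.1: E in NDC iff lowviews(E) == lowviews(E \\ Act_H)."""
    return not ndc_witnesses(lts, start, act_h, act_l, max_len)


# Constructed example of the covert channel from the introduction: a finite
# storage resource shared by the two levels.  The high level user fills or
# drains it; the low level user's write either succeeds or gets the
# 'resource full' error, which reveals what the high level user did.
ACT_H = {"fill", "drain"}
ACT_L = {"write_ok", "write_err"}
COVERT_STORE = {
    "empty": [("fill", "full"), ("write_ok", "empty")],
    "full":  [("drain", "empty"), ("write_err", "full")],
}

# Constructed secure variant: each level has its own quota, so a low level
# write never fails because of high level activity.
QUOTA_STORE = {
    "empty": [("fill", "full"), ("write_ok", "empty")],
    "full":  [("drain", "empty"), ("write_ok", "full")],
}

if __name__ == "__main__":
    for name, system in (("covert", COVERT_STORE), ("quota", QUOTA_STORE)):
        leaks = ndc_witnesses(system, "empty", ACT_H, ACT_L, 4)
        print(name, "NDC" if not leaks else "leaks, e.g. %s" % sorted(leaks)[:3])
```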
4 An Example: Access Monitor
In this section, the NDC property is illustrated through an example: an Access Monitor (AM for
short, see figure 2), which is a process managing accesses to a certain resource. As a resource can
be viewed as a set of objects containing information, an AM is a very important element in
the implementation of a multilevel security policy (it is sufficient to know all security levels of all
subjects and objects to correctly manage every access).
Let us consider the usual multilevel policy (Read-down, Write-up). Let SL be the set of security
levels and '≤' ⊆ SL × SL be a total order relation. Let ID, ranged over by id, be the set of user
Figure 2: Access monitor. [Diagram: User 1 ... User k interact with the Monitor, which mediates all accesses to the Objects; not reproduced.]
identifiers; let also O, ranged over by x, be the set of object identifiers. Finally, let lvl : ID ∪ O → SL
be a function which returns the security level of a certain user id or object x. If objects are variables
(every object contains a value), then AM can be implemented as follows:
Monitor ≝ Σ_{id∈ID} access_r_id(x).(if lvl(x) ≤ lvl(id) then read_x(y).(value_id(y) | Monitor)
                                      else (value_id(ERROR) | Monitor))
        + Σ_{id∈ID} access_w_id(x, z).(if lvl(x) > lvl(id) then write_x(z)).Monitor
Signals read and write are used by the Monitor for accesses to objects. They are parametrized
w.r.t. the names of the objects. Signal access_r_id(x) represents a request for a read operation on
object x made by the user with identifier id. The request is always accepted and a value is always
returned to the user. However, the value stored in the object x is returned only if the security
level of x is less than, or equal to, the security level of the user id; otherwise, an error message is
transmitted.² Note that the Monitor is ready to accept new signals before delivering the value to
the user, because of the (inner) parallel composition. Signal access_w_id(x, z) represents a request,
made by a user id, to write the value z into object x. This request is always accepted, but the
write operation is really performed only if the level of x is greater than the level of id.
The objects can be implemented as follows:
Obj_x(y) ≝ read_x(y).Obj_x(y) + write_x(z).Obj_x(z)
If there are n variables then the system is:
Access_monitor ≝ (Monitor | Obj_1(0) | ... | Obj_n(0)) \ L
where
L = ∪_x Acs(Obj_x)
Acs(Obj_x) ≝ {read_x, write_x}
²Obviously a user must get the reply to a certain read request before asking the monitor for another read: a restriction
we consider for the sake of simplicity.
By restricting the executions on set L, we make objects not directly accessible by a user, but filtered
through the interactions with the Monitor. So the user id which interacts with the Monitor can
execute this set of actions:
Acs_id(Access_monitor) = {access_r_id, access_w_id, value_id}
The set of all the actions accepted by the monitor is:
Acs(Access_monitor) = ∪_{id∈ID} Acs_id(Access_monitor)
Since NDC is closed with respect to composition of systems, there are two different approaches
to verifying whether Access_monitor is NDC secure:
(i) verify whether the whole system is NDC, or
(ii) decompose the system into subsystems and verify whether each one is NDC (a possible decomposition is
suggested by the system definition itself: Monitor and the Obj_x's).
In the full paper (and in [2]), we prove that AM is NDC (following the first approach), while
Monitor is not secure for every kind of object. In particular, we report an example of finite storage
device management in which a user can transmit information using the resource full error message.
However, the compositionality property of NDC is important when the monitor is used: as a user
is an agent which executes only actions of the same level, it is NDC. So, by connecting to AM
any number of users, we obtain an enlarged system which is still NDC secure.
5 Extending the Approach to Bisimulation Semantics
NDC is based on trace semantics: it requires that a system, to be secure, gives to a low user the
same low trace sets for every high execution. More precisely, this statement is formalized through
the following theorem.
Theorem 5.1
E ∈ NDC ⇔ E \ Act_H ≈_T (E|Π) \ Act_H, ∀Π ∈ ℰ, Acs(Π) ⊆ Act_H ∪ {τ}
Unfortunately, trace semantics is rather weak; it is unable to distinguish systems which give
different observations to a user. For instance, systems A = a.b + a and B = a.b are trace equivalent
but the first can deadlock after a signal a. Hence, a low user could distinguish two low trace
equivalent systems and so have information about high level users. As a simple example, let us
implement the monitor as follows:
Monitor ≝ Σ_{id∈ID} access_r_id(x).(if lvl(x) ≤ lvl(id) then read_x(y).value_id(y)
                                      else value_id(ERROR)).Monitor
        + Σ_{id∈ID} access_w_id(x, z).(if lvl(x) > lvl(id) then write_x(z)).Monitor
Surprisingly enough, it still satisfies the NDC property, but, of course, it is not multilevel secure.
Indeed, a high level user can block the monitor --H and so interfere with low level users --H by making
a read request and then refusing to accept the corresponding answer. Trace equivalence does
not detect this kind of `attaks' and so it is necessary to substitute it with a stronger one. One
possibility is weak bisimulation [13] which is the `standard' CCS equivalence and implies other
important equivalences such as testing [5] and failure [6]. ?Ve denote it with ? (see section 2).
The new security notion is called ?NDC.
Definition 5.1
EE BNDC E\ActH E (EJ R)\ActH, VII ? ?,(fl)C? ActHU??
One can easily verify that the second version of Monitor does not enjoy the BNDC property.
A static characterization of BNDC which does not involve composition with every processes
II --H is not immediate. A first idea could be to elaborate on the same condition we proposed for
NDC. The resulting proposal is the following:
EIActH B E \ ActH
where `I' denotes a hiding operator which transforms all high actions in internal T'5. Unfortunately,
it is easy to see that it is only a necessary condition for E to be BNDC. At present, we have not
yet found a static characterization of BNDC. ?Ve think this is a very interesting problem, left for
future research.
To conclude this paper we propose a sufficient condition for BNDC which is static and compositional
(with $E \Rightarrow E'$ we denote that $E'$ is reachable from $E$, that is $\exists \sigma$ such that $E \stackrel{\sigma}{\Longrightarrow} E'$).
Definition 5.2 Static Bisimulation NDC (SBNDC):
$$E \in \mathit{SBNDC} \iff \forall E' : E \Rightarrow E',\ \forall E'' : \forall h \in Act_H,\ E' \stackrel{h}{\longrightarrow} E'' \text{ then } E' \setminus Act_H \approx E'' \setminus Act_H$$
Proposition 5.1 The following hold:
(i) $\mathit{SBNDC} \subseteq \mathit{BNDC}$,
(ii) $E, F \in \mathit{SBNDC} \implies (E \mid F) \in \mathit{SBNDC}$,
(iii) $E \in \mathit{SBNDC} \implies E \setminus S \in \mathit{SBNDC}$, if $S \subseteq L$.
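The contrast between trace equivalence and weak bisimulation, and the static SBNDC check of Definition 5.2, can be exercised on small finite transition systems. The following Python is an added example, not code from the paper: it computes weak bisimulation as a greatest fixpoint over state pairs, enumerates bounded visible traces, and checks SBNDC by comparing, for every reachable state and every high step out of it, the low views (restriction of the high labels) before and after the step. The systems A = a.b + a and B = a.b are the ones named above; SECURE and LEAKY are constructed abstractions of the monitor with one high action h and one low action l, and the set passed as `high` is assumed to list every high label (in CCS it would hold both h and its co-action).

```python
# Added example (not from the paper): trace equivalence versus weak bisimulation on
# finite labelled transition systems, and the static SBNDC check of Definition 5.2.
# An LTS is (states, transitions, initial); transitions is a set of (source, label,
# target) triples and TAU is the silent action.
from itertools import product

TAU = "tau"


def closure(trans, s, ok):
    """States reachable from s (s included) using only transitions whose label passes ok."""
    seen, stack = {s}, [s]
    while stack:
        u = stack.pop()
        for src, lab, dst in trans:
            if src == u and ok(lab) and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def weak_step(trans, s, a):
    """Targets of s =a=> t, i.e. tau* a tau*; for a == TAU this is just tau*."""
    before = closure(trans, s, lambda lab: lab == TAU)
    if a == TAU:
        return before
    after = set()
    for src, lab, dst in trans:
        if src in before and lab == a:
            after |= closure(trans, dst, lambda lab: lab == TAU)
    return after


def weak_bisimilar(lts1, lts2):
    """Weak bisimulation [13] as a greatest fixpoint: start with all state pairs and
    drop every pair in which one side has a step the other cannot weakly match inside
    the current relation; the initial states are bisimilar iff their pair survives."""
    (s1, t1, i1), (s2, t2, i2) = lts1, lts2
    rel = set(product(s1, s2))
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            ok = all(any((p2, q2) in rel for q2 in weak_step(t2, q, a))
                     for src, a, p2 in t1 if src == p)
            ok = ok and all(any((p2, q2) in rel for p2 in weak_step(t1, p, a))
                            for src, a, q2 in t2 if src == q)
            if not ok:
                rel.discard((p, q))
                changed = True
    return (i1, i2) in rel


def traces(lts, max_len=8):
    """Visible traces (tau dropped) up to max_len, so cyclic systems also terminate."""
    _, trans, init = lts
    seen, out, stack = {(init, ())}, set(), [(init, ())]
    while stack:
        s, tr = stack.pop()
        out.add(tr)
        for src, a, dst in trans:
            tr2 = tr if a == TAU else tr + (a,)
            if src == s and len(tr2) <= max_len and (dst, tr2) not in seen:
                seen.add((dst, tr2))
                stack.append((dst, tr2))
    return out


def restrict(lts, labels):
    """CCS restriction E \\ L: every transition labelled in L is removed."""
    states, trans, init = lts
    return states, {t for t in trans if t[1] not in labels}, init


def sbndc(lts, high):
    """Definition 5.2: for every reachable E' and every high step E' -h-> E'', the low
    views E' \\ Act_H and E'' \\ Act_H must be weakly bisimilar.  'high' is Act_H."""
    states, trans, init = lts
    _, low_trans, _ = restrict(lts, high)
    for e1 in closure(trans, init, lambda lab: True):
        for src, a, e2 in trans:
            if src == e1 and a in high and not weak_bisimilar(
                    (states, low_trans, e1), (states, low_trans, e2)):
                return False
    return True


# Constructed samples.  A = a.b + a and B = a.b are the systems named in the text.
A = ({"A0", "A1", "A2", "A3"},
     {("A0", "a", "A1"), ("A1", "b", "A2"), ("A0", "a", "A3")}, "A0")
B = ({"B0", "B1", "B2"}, {("B0", "a", "B1"), ("B1", "b", "B2")}, "B0")
# The monitor abstracted to one high action h and one low action l.  In SECURE the low
# action stays available whether or not h happened; in LEAKY h blocks it, so a low
# observer learns that h happened.  Hypothetical systems, not the paper's Monitor.
SECURE = ({"s0", "s1", "s2", "s3"},
          {("s0", "h", "s1"), ("s0", "l", "s2"), ("s1", "l", "s3")}, "s0")
LEAKY = ({"s0", "s1", "s2"}, {("s0", "h", "s1"), ("s0", "l", "s2")}, "s0")

if __name__ == "__main__":
    print(traces(A) == traces(B), weak_bisimilar(A, B))   # True False
    print(sbndc(SECURE, {"h"}), sbndc(LEAKY, {"h"}))      # True False
```

A and B have the same traces but are not weakly bisimilar, which is exactly the deadlock a trace-based check misses; LEAKY fails SBNDC at the single high step s0 -h-> s1 because the low view from s1 has lost the l transition, while SECURE passes because both low views can still do l.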
6 Conclusions
This paper presents a formal approach to information flow security. NDC is a security property
which guarantees that no information flow from high level to low level can occur (no covert
channels). It is closed with respect to system composition and can be used to verify if a CCS agent
represents a multilevel secure system.
It has been observed that such a property may be too weak in some cases, essentially because it
is related to trace equivalence; hence, a stronger property, based on bisimulation [13], has been
proposed. Future research is concerned with a static characterization of BNDC and further extensions
to other equivalences (e.g., testing [5], failure [6], ...).
The final goal of the present research is the implementation of a verification tool, in order to
test such extensions on a number of significant examples.
References
[1] D. E. Bell and L. J. La Padula. "Secure Computer Systems: Unified Exposition and Multics
Interpretation". ESD-TR-75-306, MITRE MTR-2997, March 1976.
[2] R. Focardi. "Metodi Formali per la Descrizione di Sistemi Sicuri". Master's thesis, Universita' degli
Studi di Bologna, March 1993.
[3] R. Focardi and R. Gorrieri. "A Classification of Security Properties". Submitted for publication.
[4] J. A. Goguen and J. Meseguer. "Security Policy and Security Models". In Proceedings of the 1982
Symposium on Security and Privacy, pages 11-20. IEEE Computer Society, 82CH1753-3, April 1982.
[5] M. Hennessy. Algebraic Theory of Processes. The MIT Press, 1988.
[6] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall.
[7] D. M. Johnson and F. J. Thayer. "Security and the Composition of Machines". In Proceedings of the
Computer Security Foundations Workshop, pages 72-89. The MITRE Corporation, M88-37, June 1988.
[8] R. Keller. "Formal Verification of Parallel Programs". Communications of the ACM, 19(7):561-572,
1976.
[9] R. A. Kemmerer and P. A. Porras. "Covert Flow Trees: A Visual Approach to Analyzing Covert Storage
Channels". IEEE Transactions on Software Engineering, pages 1166-1185, November 1991.
[10] T. F. Lunt, D. E. Denning, R. R. Schell, M. Heckman, and W. R. Shockley. "The SeaView Security
Model". IEEE Transactions on Software Engineering, pages 593-607, June 1990.
[11] D. McCullough. "A Hookup Theorem for Multilevel Security". IEEE Transactions on Software
Engineering, pages 563-568, June 1990.
[12] J. K. Millen. "Hookup Security for Synchronous Machines". In Proceedings of The Computer Security
Foundations Workshop III. The MITRE Corporation, IEEE Computer Society, 90TH0315-2, 1990.
[13] R. Milner. Communication and Concurrency. Prentice-Hall.
[14] N. E. Proctor and P. G. Neumann. "Architectural Implications of Covert Channels". In Proc. 15th
National Computer Security Conference, Baltimore, Maryland, pages 28-43, 13-16 October 1992.
[15] D. Sutherland. "A Model of Information". In Proceedings of the 9th National Computer Security
Conference, pages 175-183. National Bureau of Standards and National Computer Security Center,
September 1986.
[16] C. R. Tsai, V. D. Gligor, and C. S. Chandersekaran. "On the Identification of Covert Storage Channels
in Secure Systems". IEEE Transactions on Software Engineering, pages 569-580, June 1990.
[17] J. T. Wittbold and D. M. Johnson. "Information Flow in Nondeterministic Systems". In Proceedings
of the 1990 IEEE Symposium on Research in Security and Privacy, pages 144-161. IEEE Computer
Society, 90CH2884-5, 1990.
Concurrent Kripke Structures
Vineet Gupta
Dept. of Computer Science
Stanford University, CA 94305
vgupta@cs.stanford.edu
July 15, 1993
Abstract
We consider a class of Kripke Structures in which the atomic propositions are events. This
enables us to represent worlds as sets of events and the transition and satisfaction relations of
Kripke structures as the subset and membership relations on sets. We use this class, called event
Kripke structures, to model concurrency. The obvious semantics for these structures is a true
concurrency semantics. We show how several aspects of concurrency can be easily defined and
in addition get distinctions between causality and enabling, and choice and nondeterminism.
We define a duality for event Kripke structures, and show how this duality enables us to convert
between imperative and declarative views of programs, by treating states and events on the
same footing. We provide pictorial representations of both these views each encoding all the
information to convert to the other.
We define a process algebra of event Kripke structures, showing how to combine them in
the usual ways: parallel composition, sequential composition, choice, interaction and iteration.
Various properties of these connectives like associativity and distributivity are proved. We then
show that Winskel's event structures can be embedded in the class of event Kripke structures,
and define partial synchronous composition, the primary connective for event structures, for
event Kripke structures, and show its equivalence to Winskel's definition.
Note: This work was done jointly with Vaughan Pratt, Stanford University.
1 Event Kripke Structures
In the past decade, various desirable properties of models of concurrent processes have been
discussed: branching time, true concurrency, action refinement, disjunctive enabling, conflict,
interchangeable state and event based views, real time consistency etc. Various models, having
many of these properties have been proposed: Petri nets [Pet62], synchronization trees [Mil80],
Mazurkiewicz traces [Maz77], pomsets [Gra81, Pra82], event structures [NPW81, Win86], causal
automata [Gun91, Gun92] etc.
A careful examination of these models reveals that most of them exhibit concurrent behavior by
explicitly inserting concurrency into a basically sequential model, such as by having many tokens
in a network or multiple strings being read concurrently. Thus they end up defining concurrency
instead of modelling it, and one can never be sure whether the definition is good enough. For
example, in event structures conflict and enabling are primitives, but other primitives could be
necessary to capture concurrency fully. In this paper we attempt to discover what true concurrency
is from a model of concurrency, rather than defining it a priori, in the same vein as discovering logic
as the theory of Boolean algebras rather than trying to characterize it with a long list of equations.
We start from a well known model for temporal logic, a Kripke structure, and use it to derive our
model.
This work was supported by ONR under grant number N00014-92-J-1974, a gift from Mitsubishi and an Accel
Partners Fellowship.
A Kripke structure $(W, \Pi_0, \rightarrow, \models)$ consists of a binary transition relation $w \rightarrow w'$ between states
$w, w' \in W$, and a binary satisfaction relation $w \models p$ between states in $W$ and atomic propositions
$p \in \Pi_0$, extended by induction on the height of formulas to compound propositions $p \wedge q, \neg p, \ldots \in \Pi$.
We study a special class of Kripke structures which looks more like event structures [NPW81].
The relevant property of an event here is that once it becomes true, it stays true. We restrict
the elements of $\Pi_0$ to events, that is $\forall w, w' \in W$, $w \models p$ and $w \rightarrow w'$ implies $w' \models p$. Now
the transition relation between states can be derived from the satisfaction relation by $w \rightarrow w'$
iff $\forall p$, $w \models p \implies w' \models p$. In fact we can treat each state as a set of the atomic propositions
which are true in it (we identify states which have the same sets of propositions true in them, by
extensionality). Thus we define an event Kripke structure, referred to as an eks, as a pair $(E, Q)$
where $E$ is a set of events and $Q \subseteq 2^E$ a set of states. Then $q \models e$ iff $e \in q$ and $q \rightarrow q'$ iff $q \subseteq q'$.
An equivalent way of describing an eks is as a $|E| \times |Q|$ boolean matrix, with each column being
the characteristic function of a state.
In addition to having all the desirable properties of models of concurrency mentioned above,
eks's can distinguish between enabling an action and causing an action, a distinction which has
not been made in any of the above models. In fact in some of the above models, causality has
been deliberately erased by insisting on algebraic lattices [Dro89], presumably to match Petri nets
and domain theory. Our model shows that not only is this unnecessary, it actually simplifies
mathematics to allow this distinction. One has only to compare the definition of an event domain
in [Dro89] with the definition of an eks to be convinced of this.
In the next sections, we will study some properties of event Kripke structures. We show how
aspects of concurrent behavior are naturally present in an eks, and give a process algebra to
combine eks's in various ways, showing how these operations correspond to the usual operations
for concurrent processes. Finally we connect them with event structures, showing how any event
structure can be represented as an eks.
These structures have previously been studied by Barr [Bar79], as instances of Chu's construction
on sets, and by Lafont and Streicher [LS91] as games over 2. Brown and Gurr [BG90] have used
similar structures to study Petri nets.
1.1 Theory of an eks
An eks $(E, Q)$ is a set $Q \subseteq 2^E$ of subsets of $E$. We can therefore write it out as a formula in Disjunctive
Normal Form in propositional logic, with variables $E$ and clauses $Q$, with each clause corresponding
to a $q \in Q$ containing all the variables in $E$, negating all the ones that are not present in $q$. We
call this formula $F$. For example, $F((\{a, b, c\}, \{\emptyset, \{a\}, \{a, b\}, \{a, b, c\}\})) = \bar a \bar b \bar c \vee a \bar b \bar c \vee a b \bar c \vee a b c$, writing
$\bar a$ for $\neg a$ and $abc$ for $a \wedge b \wedge c$. Since there is no bound on the cardinality of the sets $E$ and $Q$,
we will allow infinite conjunctions and disjunctions in our formulas. So an eks can be equivalently
represented as an infinitary boolean propositional formula $F$. This is usually the most compact
representation of an eks, though the matrix representation is computationally the most efficient.
The theory of an eks is now defined to be all infinitary propositional logic formulae $\phi$ such that
$F \rightarrow \phi$ is a tautology. For example, the formula $\neg c \vee b$ is in the theory of the eks mentioned above.
If a formula $\phi$ is in the theory, we write $F \models \phi$.
In later sections we shall show how the theory of an eks expresses all the interesting facts about
the eks. In particular, we can determine whether an event precedes or follows another, whether
two events are in conflict etc.
2 Duality
In the definition, we represented an event structure as a set of events, which were primitive, and a
set of states formed from those events. However, there is nothing special about events: we could as
well take the states as primitive, leading to a duality between states and events, which we discuss
in this section.
Pictorial Representation of an eks. An eks $(E, Q)$ is any subset $Q$ of $2^E$. Thus we can draw
it as an $E$ dimensional cube, and then mark the elements of $Q$ on the cube as dots. This is called
the partial boolean algebra representation of an eks, as the set $2^E$ forms a boolean algebra. In the
infinite case this is a complete atomic boolean algebra, a CABA¹. For example, the eks mentioned
above, $(\{a, b, c\}, \{\emptyset, \{a\}, \{a, b\}, \{a, b, c\}\})$ can be represented as follows
[Figure 1: the eks drawn as a partial boolean algebra (left) and as a partial distributive lattice (right),
with dots at $\emptyset$, $\{a\}$, $\{a, b\}$ and $\{a, b, c\}$]
From the above description of a partial boolean algebra, the dots may occupy only a few
dimensions of the boolean algebra. Since the dots are all the useful information of the eks, there
seems no point in carrying around the other dimensions, which we dump by insisting that all eks's
we consider must have the $T_0$ property²: the formula $a \leftrightarrow b$ must not be present in the theory
of the eks for any pair of events $a, b$, since $a \leftrightarrow b$ means these are equivalent events which can be
identified. As a result of this identification, the boolean algebra cannot be very large, because it
must be generated from the dots using the logical operations³. We will assume the $T_0$ property for
all eks's henceforth.
¹ In the finite case, "complete atomic" is automatic and hence redundant.
² This terminology comes from topology, by considering $E$ as the set of points and $Q$ as the set of open sets. Eks's
are a generalization of topological spaces in that they do not impose any conditions on the open sets.
³ If the eks is $T_0$, then for each event in some state, we can take the intersection of all the states containing this
event and the complements of all the states not containing it to get a singleton set containing this event. There may
The information given in the partial boolean algebra can be more succinctly and transparently
given in the figure on the right. That figure was obtained by taking the dots and retaining only those
holes which can be formed from the dots using unions and intersections but not complements (in
this case no holes could be thus generated). The resulting structure is called a partial distributive
lattice (pdlat), by analogy with partial boolean algebras. The lattice made up of the dots and
holes is a profinite distributive lattice.⁴ Note that we do not always achieve such succinctness, for
example, when the partial boolean algebra is made up of dots only the pdlat is just the partial
boolean algebra.
It is possible for us to use pdlats to represent eks's because of the following proposition
Proposition 1 Partial Boolean algebras are in 1-1 correspondence with partial distributive lattices.
Proof: The distributive lattice may be obtained from the CABA as the lattice of order filters of
the set of dots as partially ordered by the CABA, which is embedded in the CABA; equivalently,
the complete sublattice of the CABA generated by the set of dots. Conversely the CABA may be
obtained from the profinite distributive lattice as the power set of its dimensions or primes, which
embeds that lattice by embedding each element as the set of primes below it; equivalently, generate
the Boolean complements of each dot and close up under meets and joins. □
Duality between States and Events. Thus far we have considered events as primary and states
as sets of events. However we can alternatively consider states as atomic, and events as sets of
states, with a state belonging to an event iff the event belongs to that state. If we are willing to
be more adventurous with foundations of set theory, we may do both: the resulting circularity in
the membership relation can be coped with by dropping the Foundation Axiom of ZF set theory
and replacing it by e.g. Aczel's Anti-Foundation Axiom. This results in states and events being
treated on the same footing, something which has not been done in previous models.
Schedules and Automata. The operational interpretation of an eks $A = (E, Q)$ is as an
automaton, which does events in $E$ and advances from one state in $Q$ to another, according to the
transition relation (which is just the subset relation, as stated above). We call the states in $Q$
the real states of $A$ and the holes in the underlying lattice the forbidden states, namely the states
in which the automaton should never find itself. Thus the automaton can rest and make choices
only in the real states, while it must rush through the forbidden states. We take the view that any
choices made in the forbidden states are made by the environment. The dimensions of the lattice,
defined as equivalence classes by Droste [Dro89], are the events of $E$.
We can dualise $A = (E, Q)$ by defining $A' = (Q, E)$, where $Q$ is the set of states, and $E$ is the
set of events each of which is taken to be a set of states. We give a few examples of this in figure 2,
be at most one event not in any state, and this is the complement of the union of all the states. Then the rest of the
boolean algebra may be generated by the singletons. Conversely, if it is not $T_0$ as $a \leftrightarrow b$ is in the theory, the singleton
set $\{a\}$ cannot be obtained by any logical operations.
⁴ In the finite case this is just a distributive lattice. In the infinite case it is most easily understood as a lattice
isomorphic to the lattice of order filters or upward-closed subsets of a partial order. This is an even stronger requirement
than being a complete and completely distributive lattice: witness the unit interval $[0, 1]$ of reals standardly ordered,
which meets that condition but is too connected to be profinite. Dedekind cuts as order filters in the unit interval of
rationals however is by definition profinite, the difference being that the rationals appear twice. Eliminating the extra
copies connects up the real interval and eliminates profiniteness, along with the means for recovering the rationals.
drawing the eks's as pdlats. Drawn as its dual⁵, the eks is a schedule. The dots now represent the
events which have to be performed, and the lattice structure represents the constraints on these
events, some of which we will discuss in the next section.
In fact the schedule and automaton are different ways of looking at the same eks. We can
also write the theory of an eks in terms of the state variables, and the two theories have exactly
the same information because they are derived from the same boolean formula written in terms of
different variables. However, in a schedule, the direction of time is downwards, as indicated by the
little arrow on the side, whereas in an automaton, time flows upwards. This is the only way to
determine whether an unlabeled pdlat is a schedule or an automaton: any pdlat can be interpreted
in either way.
We can label the events of an eks by a labelling function $\lambda : E \rightarrow Act$ going from events to
actions. This allows us to consider the case when multiple instances of the same action occur. We
will not go into this any further except to remark that we can have complementary action labels
and silent actions, allowing synchronization, hiding and relabelling as in CCS [Mil90].
Time and Information Duality. The duality between states and events enables us to see a
similar duality between time and information. Events are regarded as instantaneous, occurring at
a particular time, and they add to the total accumulated information. Dually, no information is
accumulated in a state, which however adds to the total amount of time that has passed since the
beginning of the process. Thus we can plot the progress of a behavior on a graph with time on
the x-axis and information on the y-axis. The states are then horizontal line segments, and the
events are vertical. The graph is monotonically increasing, and we shall have more to say about
this in the conclusion. The graph is also piecewise horizontal and vertical but as the number of
events grows to infinity it starts looking like a monotonically increasing curve.
3 Modelling Concurrent Behavior
We now show how various concurrent phenomena can be represented in an eks. The different forms
of formulae in the theory of the eks A represent different forms of constraints on the events. We
can also use the theory of the dual eks to represent constraints on states, and some constraints are
easier to comprehend this way. We use F' for the formula of the dual eks A'.
Temporal precedence. For any two events $a, b$, if $F \models b \rightarrow a$, then no state contains $b$ and not $a$.
This means that $b$ can be executed only after $a$ has been executed. This means that $a$ precedes $b$
in time, and the collection of all such constraints defines a temporal order on the events of $E$. We
write $a < b$ for any such pair of events. Note that the temporal order is the converse of the logical
order, and this is the reason for the downwards flow of time for the schedule. (We always have the
logical order going up.)
Conflict. If $F \models \neg(a \wedge b)$, then no state contains both $a$ and $b$. This means that we can never
execute both $a$ and $b$, which is interpreted as a conflict between $a$ and $b$. This can be generalised
to conflict between arbitrary numbers of events. While this notion has been explicitly introduced
in event structures [NPW81, Win86], it follows quite naturally from our definition. It is illustrated
in Figure 2(c-d), where $b$ and $c$ are in conflict.
⁵ In terms of the matrix representation forming the dual corresponds to transposing the matrix. This is true
because in taking the dual we interchange the states with events, and take the converse of the membership relation.
[Figure 2: schedule and automaton views of (a) causality, (b) enabling, (c) blind choice and (d) guarded
choice, over events $a$, $b$, $c$ and states $u$, $v$, $w$]
Causality and enabling. If $F \models a \leftrightarrow b \wedge c$ then any state containing $b$ and $c$ must also have $a$.
We interpret this as $b$ and $c$ together cause $a$. This can be generalized to an arbitrary formula on
the right side of the implication. Note that the $T_0$ condition does not allow an event to be caused
by a single event, as the two events are identified.
The above eks is distinct from the eks in which $F \models a \rightarrow b \wedge c$. Then $b$ and $c$ just enable
$a$, which means that while it is necessary for them to be done to do $a$, it is not sufficient, as $a$
need not be done immediately. This can also be generalized to an arbitrary condition, including
the singleton event, when it becomes temporal precedence. The difference between these is like the
difference between the necessary and sufficient conditions for a theorem: while the enabling formula
represents the necessary conditions, the causing formula is both necessary and sufficient.
Nondeterminism. Dual to the above notion is the notion of guarded vs. blind choice. If
$F \models a \leftrightarrow b \vee c$, then as soon as $a$ is done, one of $b$ or $c$ must be done immediately. This means
that any information obtained by doing $a$ could not be used in selecting between $b$ and $c$, making
this a blind choice. This is more clearly visible from the automaton side in Figure 2(c). The choice
between states $v$ and $w$ has to be made at the forbidden state above $u$. We interpret this as being
made by the environment, making this a nondeterministic choice for the automaton.
Just having $F \models b \vee c \rightarrow a$ would make it a guarded choice, whence any information obtained
from $a$ can be used to make a deliberate choice. On the automaton side, the choice between $v$ and
$w$ is made in the state $u$, as $u = v \wedge w$, and this state contains the information gathered by
doing $a$ to decide which way to go. This is like a conditional branch in a program, where the event
$a$ checks some condition, and then either one of two alternatives is chosen.
If $b$ and $c$ were not in conflict here, then this would not be a real choice. The hole at the top
of the automaton would be a permitted state, and then $b$ and $c$ could be executed concurrently,
showing that this model has true concurrency. In fact interleaving semantics would not work here
at all, as is clear from Figure 2(a), when $a$ has to be done concurrently with either $b$ or $c$.
Remark. The reader may have noticed that when a meet is present in the schedule, a corresponding
join is absent in the automaton, and vice versa, and similarly for joins. For example, $a$
is the join of $b$ and $c$ in Figure 2(c), and the meet of $v$ and $w$ is not present (it is a hole). This is
a general principle, so the dual of a set (which has no structure) is a highly structured object, a
CABA, and the dual of a meet semilattice is another meet semilattice, as it can have no joins.
Disjunctive Enabling. If $F \models c \rightarrow a \vee b$, then in order for $c$ to happen, at least one of $a$
or $b$ must have happened. For example, in a candy machine, inserting either a dollar bill or
4 quarters will enable the machine to supply a candy bar. This is called disjunctive enabling
[Win86, Gun91, Gun92]. The dual behavior is postponed concurrency, given by $F \models a \wedge b \rightarrow c$,
whereby $a$ and $b$ can be done concurrently only after $c$ is completed.
If we draw an automaton for disjunctive enabling with three events, i.e. one which has $F \models$
$c \rightarrow a \vee b$, then it looks like a 3-dimensional cube, with all vertices marked by dots except the vertex
$c$, which is the only vertex which does not satisfy the formula $c \rightarrow a \vee b$. This illustrates a general
method for programming an automaton on $n$ events from a logical specification: from the $n$-cube,
mark with dots only those vertices which satisfy all the equations. The resulting structure gives a
partial boolean algebra for the specification, and this can be converted into a pdlat or eks.
Action Refinement. Given an eks $(E, Q)$, and another eks $(E_1, Q_1)$ where $\emptyset \in Q_1$ and $E_1 \in Q_1$
(i.e. it is conflict free), we can refine any event $e$ in $(E, Q)$ by $(E_1, Q_1)$ to get a new eks $(E', Q')$ as
follows: $E' = E - \{e\} \cup E_1$, and the set $Q'$ is obtained from $Q$. If $q \in Q$, and $e \notin q$, then $q \in Q'$.
If $e \in q$, then $q - \{e\} \cup E_1 \in Q'$. Also for these $q$, if $\forall a \in q$, $a \neq e \implies e \not< a$, then for each $q' \in Q_1$,
$q - \{e\} \cup q' \in Q'$.
What this means is that instead of doing $e$, we do the eks $(E_1, Q_1)$. The third clause assures
that the intermediate states of $(E_1, Q_1)$ are added iff no event in the state is preceded by $e$, since
otherwise the event $e$ must have been completed in some previous state. Thus if we looked upon
events as intervals, a dot means that the event before it and the event after it are disjoint in time,
whereas a hole means that they overlap.
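Every constraint in this section is decided by testing a predicate against each state, since a formula is in the theory of $F$ exactly when every clause of $F$, that is every state, satisfies it. The following Python is an added example (not code from the paper) that encodes an eks as a pair of frozensets and reads off the derived transition relation of section 1, the theory tests of section 1.1, the $T_0$ property, matrix form and dual of section 2, and the precedence, conflict, causality, enabling and choice constraints above. The sample eks's are constructed from the text and from the schedules of Figure 2; the function names are mine.

```python
# Added example (not from the paper): an event Kripke structure (E, Q) as a pair of
# frozensets, its derived transition relation, the constraints of section 3 read off
# its theory, the T0 property, the boolean matrix form and the state/event dual.
from itertools import combinations


def eks(events, states):
    """Build an eks (E, Q) where Q is a set of subsets of E."""
    E = frozenset(events)
    Q = frozenset(frozenset(q) for q in states)
    assert all(q <= E for q in Q), "every state must be a subset of E"
    return E, Q


def transitions(A):
    """Derived transition relation: q -> q' iff q is a subset of q' (events stay true)."""
    _, Q = A
    return {(q, q2) for q in Q for q2 in Q if q <= q2}


def entails(A, phi):
    """F |= phi: phi (a predicate on states) holds in every clause of F, i.e. every state."""
    return all(phi(q) for q in A[1])


def precedes(A, a, b):
    """F |= b -> a: a happens before b, written a < b."""
    return entails(A, lambda q: b not in q or a in q)


def conflict(A, a, b):
    """F |= not(a and b): a and b never occur in the same state."""
    return entails(A, lambda q: not (a in q and b in q))


def enables(A, cause, effect):
    """F |= effect -> AND(cause): the cause set is necessary for effect."""
    cause = frozenset(cause)
    return entails(A, lambda q: effect not in q or cause <= q)


def causes(A, cause, effect):
    """F |= effect <-> AND(cause): necessary and sufficient, i.e. causality."""
    cause = frozenset(cause)
    return entails(A, lambda q: (effect in q) == (cause <= q))


def guarded_choice(A, a, alts):
    """F |= OR(alts) -> a: information from a may decide among alts."""
    return entails(A, lambda q: a in q or not any(x in q for x in alts))


def blind_choice(A, a, alts):
    """F |= a <-> OR(alts): one of alts must follow a immediately."""
    return entails(A, lambda q: (a in q) == any(x in q for x in alts))


def is_t0(A):
    """T0: no pair of distinct events satisfies a <-> b, i.e. some state separates them."""
    E, Q = A
    return all(any((a in q) != (b in q) for q in Q) for a, b in combinations(E, 2))


def matrix(A, event_order, state_order):
    """|E| x |Q| boolean matrix; column j is the characteristic function of state j."""
    return [[int(e in q) for q in state_order] for e in event_order]


def dual(A):
    """States become events and each event becomes the set of states containing it
    (the converse of the membership relation); in matrix form this is the transpose."""
    E, Q = A
    return eks(Q, [frozenset(q for q in Q if e in q) for e in E])


# Constructed samples.  EX is the eks ({a,b,c}, {{}, {a}, {a,b}, {a,b,c}}) of section
# 1.1; the others follow the schedules of Figure 2 (a)-(d).
EX = eks("abc", [set(), {"a"}, {"a", "b"}, {"a", "b", "c"}])
CAUSAL = eks("abc", [set(), {"b"}, {"c"}, {"a", "b", "c"}])              # a <-> b and c
ENABLING = eks("abc", [set(), {"b"}, {"c"}, {"b", "c"}, {"a", "b", "c"}])  # a -> b and c
BLIND = eks("abc", [set(), {"a", "b"}, {"a", "c"}])                      # a <-> b or c
GUARDED = eks("abc", [set(), {"a"}, {"a", "b"}, {"a", "c"}])             # b or c -> a

if __name__ == "__main__":
    print(precedes(EX, "a", "b"), entails(EX, lambda q: "b" in q or "c" not in q))
    print(causes(CAUSAL, "bc", "a"), causes(ENABLING, "bc", "a"))
    print(blind_choice(BLIND, "a", "bc"), guarded_choice(GUARDED, "a", "bc"))
```

Causality and enabling differ only in the hole at $\{b, c\}$: CAUSAL omits it, so `causes` holds, while ENABLING keeps it and only `enables` holds; the same single-state difference (the hole at $\{a\}$) separates blind from guarded choice.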
4 Process Algebra
We now define a process algebra for combining various eks's. The operations considered are parallel
composition $A|B$, sequential composition $A;B$, choice or summation $A \cup B$, iteration $A^*$ and
interaction $A \otimes B$. In order to define sequential composition and iteration, we add the concept of
final states to the definition of an eks. An eks now is $(E, Q, F)$, where $F \subseteq Q$. If $A = (E, Q, F)$
is an eks, we define functions $E(A) = E$, $Q(A) = Q$ and $F(A) = F$, giving respectively the events,
states and final states of $A$. Note: in the following expressions, the set union operator has the
lowest precedence.
Parallel composition $A|B$ of $A$ and $B$ is the independent execution of $A$ and $B$. We assume
$E(A) \cap E(B) = \emptyset$. Define $E(A|B) = E(A) \cup E(B)$, $Q(A|B) = \{q \mid q = q_1 \cup q_2,\ q_1 \in Q(A),\ q_2 \in Q(B)\}$
and $F(A|B) = \{q \mid q = q_1 \cup q_2,\ q_1 \in F(A),\ q_2 \in F(B)\}$. This is an eks as $F(A|B) \subseteq Q(A|B) \subseteq$
$2^{E(A|B)}$. Note that any events which can be executed from a state in $A$ can be executed from any
corresponding state in $A|B$, and similarly for $B$, showing that this represents independent execution
of $A$ and $B$. A state in the composition is final iff both $A$ and $B$ are in their final states.
The symbol for parallel composition used here is to conform to the usage in the process algebra
community. However our preferred symbol for it is $+$ [GP93], since this is a coproduct in an
appropriate category. Consequently we prefer $0$ for the eks $1$ defined below, since it is an initial
object in that category.
Sequential composition $A;B$ represents the execution of $B$ after completing the execution of $A$,
i.e. after $A$ has reached a final state. Once $B$ starts executing, $A$ may not execute any further.
Define $E(A;B) = E(A) \cup E(B) \times F(A)$, i.e. have one copy of $B$ for each final state of $A$. Then
$Q(A;B) = Q(A) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A),\ q_2 \in Q(B)\}$, saying that the automaton can
be in a state of $A$, or having reached a final state of $A$, execute events in the copy of $B$ associated
with that final state of $A$. $F(A;B) = \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A),\ q_2 \in F(B)\}$, saying that a
final state is one in which $A$ is in a final state and $B$ has also reached a final state afterwards.
Choice or summation $A \cup B$ is the execution of $A$ or $B$ but not both. We define $E(A \cup B) =$
$E(A) \cup E(B)$, $Q(A \cup B) = Q(A) \cup Q(B)$, $F(A \cup B) = F(A) \cup F(B)$. If $E(A)$ and $E(B)$ are disjoint,
this executes either one of $A$ or $B$ but not both, and once having started $A$, no event in $B$ can be
executed, since there is no state containing both events of $A$ and events of $B$. However we do not
insist on the disjointness, since we wish to include the possibility of choosing between two copies
of $A$ etc.
Define the null eks $0$ to be $(\emptyset, \emptyset, \emptyset)$, the eks which does nothing. Also define the eks $1$ to be
$(\emptyset, \{\emptyset\}, \{\emptyset\})$, which will be the identity for $A;B$ and $A|B$.
Proposition 2 The following properties hold
(1) $A \cup A = A$
(2) $A \cup B = B \cup A$
(3) $A \cup (B \cup C) = (A \cup B) \cup C$
(4) $A \cup 0 = A$
(5) $A | 1 = A$
(6) $A | B \cong B | A$
(7) $A | (B | C) \cong (A | B) | C$
(8) $A ; 1 \cong 1 ; A \cong A$
(9) $0 ; A = 0$
(10) $A ; (B ; C) \cong (A ; B) ; C$
(11) $(A \cup B) | C \cong A | C \cup B | C$
(12) $(A \cup B) ; C \cong A ; C \cup B ; C$
(13) $C ; (A \cup B) \cong C ; A \cup C ; B$
Proof: The first seven properties follow from the properties of set union. The eighth follows as
the cartesian product of any set with the singleton is isomorphic to itself. The ninth holds as the
product of an empty set with anything is empty. In the next 4 properties, the arguments for the
equality or isomorphism of $F$ are similar to the respective arguments for $Q$, and so are omitted.
(10) $E(A;(B;C)) = E(A) \cup E(B;C) \times F(A) = E(A) \cup E(B) \times F(A) \cup E(C) \times F(B) \times F(A)$.
But $F(B) \times F(A) \cong F(A;B)$, so we get $E(A;(B;C)) \cong E((A;B);C)$.
$Q(A;(B;C))$
$= Q(A) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A),\ q_2 \in Q(B;C)\}$
$= Q(A) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A),\ q_2 \in Q(B)\}$
$\quad \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\} \cup q_3 \times \{q_1\} \times \{q_2\},\ q_1 \in F(A),\ q_2 \in F(B),\ q_3 \in Q(C)\}$
$= Q(A;B) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A;B),\ q_2 \in Q(C)\}$
$= Q((A;B);C)$
(11) $E((A \cup B)|C) = E(A) \cup E(B) \cup E(C) = E((A|C) \cup (B|C))$.
$Q((A \cup B)|C)$
$= \{q \mid q = q_1 \cup q_2,\ q_1 \in Q(A \cup B),\ q_2 \in Q(C)\}$
$= \{q \mid q = q_1 \cup q_2,\ q_1 \in Q(A),\ q_2 \in Q(C)\} \cup \{q \mid q = q_1 \cup q_2,\ q_1 \in Q(B),\ q_2 \in Q(C)\}$
$= Q((A|C) \cup (B|C))$
(12) $E((A \cup B);C) = E(A) \cup E(B) \cup E(C) \times F(A \cup B) = E((A;C) \cup (B;C))$, as $F(A \cup B) =$
$F(A) \cup F(B)$.
$Q((A \cup B);C)$
$= Q(A \cup B) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A \cup B),\ q_2 \in Q(C)\}$
$= Q(A) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(A),\ q_2 \in Q(C)\}$
$\quad \cup Q(B) \cup \{q \mid q = q_1 \cup q_2 \times \{q_1\},\ q_1 \in F(B),\ q_2 \in Q(C)\}$
$= Q(A;C) \cup Q(B;C)$
$= Q((A;C) \cup (B;C))$
(13) Similar to (12). These distributive laws can be extended to all infinite summation also. □
The iteration of $A$, denoted $A^*$, represents the repeated execution of $A$ finitely many times, as
proved below. Define $E(A^*) = \{(a, i) \mid a \in E(A),\ i \in N\}$, where $N$ is the set of natural numbers.
Then $Q(A^*) = \{\emptyset\} \cup \{q \mid q = \bigcup_{0 < i < n} (q_i, i) \cup (q_n, n),\ q_i \in F(A) \text{ for } i < n,\ q_n \in Q(A),\ n \in N\}$,
where $(q, i) = \{(a, i) \mid a \in q\}$. The set of final states is defined similarly, $F(A^*) = \{\emptyset\} \cup \{q \mid q =$
$\bigcup_{0 < i \le n} (q_i, i),\ q_i \in F(A) \text{ for } i \le n,\ n \in N\}$.
Proposition 3 $A^* \cong 1 \cup A \cup A;A \cup A;A;A \cup \ldots$
Proof: Since the event sets $E(A)$ and $E(B)$ must be disjoint for $A;B$, we index the events
of $A;A;A\ldots$ with the number of the occurrence of $A$. Then the event sets on both sides of the
equation are identical.
Consider the states in $A^n = A;A;\ldots;A$, i.e. $A$ repeated $n$ times. For $n = 1$ these are just
$Q(A) = \{q \mid q = \bigcup_{0<i<n}(q_i, i) \cup (q_n, n),\ q_i \in F(A) \text{ for } i < n,\ q_n \in Q(A),\ n = 1\}$ and $F(A) =$
$\{q \mid q = \bigcup_{0<i\le n}(q_i, i),\ q_i \in F(A) \text{ for } i \le n,\ n = 1\}$. Assume this is true for $n = m$.
Then $Q(A^{m+1}) = Q(A^m) \cup \{q \mid q = q_1 \cup (q_{m+1}, m+1),\ q_1 \in F(A^m),\ q_{m+1} \in Q(A)\}$ by definition.
But $F(A^m) = \{q \mid q = \bigcup_{i \le m}(q_i, i),\ q_i \in F(A)\}$. So we get the required form for $Q(A^{m+1})$, i.e.
$q = \bigcup_{0<i<n}(q_i, i) \cup (q_n, n),\ q_i \in F(A) \text{ for } i < n,\ q_n \in Q(A),\ n \le m+1$, and similarly for $F(A^{m+1})$.
Since $Q(A^*)$ is just the union of all these state sets, and $F(A^*)$ is the union of all the final state
sets, we get an isomorphism between the state sets and the final state sets on both sides. □
This gives us all the necessary properties of $A^*$. In particular, we can prove that $(A^*)^* \cong$
$A^*$, $A^*;A^* \cong A^*$ and $(A \cup B)^* \cong (A^*;B^*)^*$. $A^*$ is the least fixed point of the function $f(A) =$
$1 \cup A;f(A)$. We can similarly define $A^\dagger$ as the fixed point of $f(A) = 1 \cup A | f(A)$, mentioned earlier
in [Pra86].
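As an added example (not the paper's code), the following Python implements parallel composition, sequential composition, choice, the eks's $0$ and $1$, and the unfolding of $f(A) = 1 \cup A;f(A)$ from which $A^*$ is obtained as a fixed point. Events of $B$ in $A;B$ are tagged with the final state of $A$ exactly as $E(B) \times F(A)$ says, so the laws stated with $=$ in Proposition 2 hold as set equalities here and the ones stated with $\cong$ hold up to renaming of tags. The unfolding nests tags instead of indexing events by occurrence number as Proposition 3 does, which is isomorphic; the function names are mine.

```python
# Added example (not from the paper): the process algebra of section 4 on eks's with
# final states, encoded as triples (E, Q, F) of frozensets, plus the unfolding of
# f(X) = 1 u A;X whose fixed point is the iteration A* of Proposition 3.

def mk(events, states, finals):
    """An eks (E, Q, F) with F a subset of Q and every state a subset of E."""
    E = frozenset(events)
    Q = frozenset(frozenset(q) for q in states)
    F = frozenset(frozenset(q) for q in finals)
    assert F <= Q and all(q <= E for q in Q), "need F subset of Q subset of 2^E"
    return E, Q, F


ZERO = mk([], [], [])               # the null eks 0: no states at all
ONE = mk([], [set()], [set()])      # the eks 1: a single empty state, which is final


def par(A, B):
    """A|B: independent execution; a state is the union of one state from each side.
    Assumes E(A) and E(B) are disjoint, as the text does."""
    EA, QA, FA = A
    EB, QB, FB = B
    assert not (EA & EB), "parallel composition needs disjoint event sets"
    return (EA | EB,
            frozenset(q1 | q2 for q1 in QA for q2 in QB),
            frozenset(q1 | q2 for q1 in FA for q2 in FB))


def tagged(q, q1):
    """q x {q1}: the copy of B's state q attached to the final state q1 of A."""
    return frozenset((b, q1) for b in q)


def seq(A, B):
    """A;B: run B after A reaches a final state, one copy of B per final state of A."""
    EA, QA, FA = A
    EB, QB, FB = B
    E = EA | frozenset((b, q1) for b in EB for q1 in FA)
    Q = QA | frozenset(q1 | tagged(q2, q1) for q1 in FA for q2 in QB)
    F = frozenset(q1 | tagged(q2, q1) for q1 in FA for q2 in FB)
    return E, Q, F


def choice(A, B):
    """A u B: componentwise union; with disjoint events, A and B are in conflict."""
    EA, QA, FA = A
    EB, QB, FB = B
    return EA | EB, QA | QB, FA | FB


def unfold(A, n):
    """n-th unfolding of f(X) = 1 u A;X starting from 1: the eks that runs A at most
    n times, i.e. 1 u A u A;A u ... u A^n up to isomorphism."""
    X = ONE
    for _ in range(n):
        X = choice(ONE, seq(A, X))
    return X


def event(name):
    """The eks that performs one event and is then final (constructed sample)."""
    return mk([name], [set(), {name}], [{name}])


# Constructed samples: single-event eks's.
a, b = event("a"), event("b")

if __name__ == "__main__":
    print(sorted(map(sorted, par(a, b)[1])))      # [[], ['a'], ['a', 'b'], ['b']]
    print(sorted(map(sorted, choice(a, b)[1])))   # [[], ['a'], ['b']]
    print(len(seq(a, b)[1]), len(unfold(a, 3)[1]))  # 3 4
```

The state sets make the difference between the operators visible: $a|b$ contains the state $\{a, b\}$, so both events can occur, while $a \cup b$ does not, so $a$ and $b$ are in conflict; $a;b$ has three states because $b$ is reachable only through the final state $\{a\}$, and the $n$-th unfolding of the iteration has exactly $n+1$ states, one per number of times $a$ has been run.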
Interaction, $A \otimes B$, earlier known as orthocurrence or flow [Pra86, CCMP91], represents one
process flowing through another. For example, if process $A$ is three trains running sequentially,
and process $B$ represents four stations on the track, then there are $3 \times 4 = 12$ events, corresponding
to each train arriving at each station. For each train, the stations must arrive in the same order, and
for each station the trains must arrive in the same order too. This leads us to define $E(A \otimes B) =$
$E(A) \times E(B)$, and $Q(A \otimes B) = \{q \subseteq E(A \otimes B) \mid \forall b \in E(B), \text{ if } q_b = \{a \mid (a, b) \in q\}, \text{ then } q_b \in Q(A),$
$\text{and similarly for events in } E(A)\}$. $F(A \otimes B)$ is defined similarly, by replacing $Q$ by $F$ in this
definition.
Proposition 4 The following properties hold
(1) $A \otimes B \cong B \otimes A$
(2) $A \otimes (B \otimes C) \cong (A \otimes B) \otimes C$
(3) $(A | B) \otimes C = (A \otimes C) | (B \otimes C)$
Proof:
We omit the proofs of the first two identities, as they follow from the definition.
(3) $E((A|B) \otimes C) = E((A \otimes C) | (B \otimes C))$, as × distributes over set union.
$Q((A|B) \otimes C)$
$= \{q \mid \forall c \in E(C)[q_c \in Q(A|B)],\ \forall d \in E(A|B)[q_d \in Q(C)]\}$
$= \{q \mid \forall c \in E(C)[q_c = (q_c)_1 \cup (q_c)_2,\ (q_c)_1 \in Q(A),\ (q_c)_2 \in Q(B)],\ \forall a \in E(A)[q_a \in Q(C)],\ \forall b \in E(B)[q_b \in Q(C)]\}$
$= \{q \mid q = q_1 \cup q_2,\ \forall c \in E(C)[(q_1)_c \in Q(A),\ (q_2)_c \in Q(B)],\ \forall a \in E(A)[(q_1)_a \in Q(C)],\ \forall b \in E(B)[(q_2)_b \in Q(C)]\}$
$= Q((A \otimes C) | (B \otimes C))$
In the third step, we separated out the q into two states, one whose first components came from A, and the other whose first components came from B. Then we used the fact that $(q_c)_1$ is the same as $(q_1)_c$, and the same for $q_2$. The proof for the final states is similar. Interaction does not distribute over sequential composition or choice. ∎
5 Relationship with Event Structures
We show that eks's subsume the most general case of event structures as defined by Winskel [Win88b]. As we have shown above, conflict and enabling of events can be expressed in an eks. Since these are the only two concepts required in the definition of an event structure, we can show that event structures can be modeled by eks's for what amount to trivial reasons. However, event structures cannot distinguish causality from enabling, which shows that eks's are strictly more general than event structures.
An event structure is a set of events E, with a conflict relation # and an enabling relation ⊢, defined in [Win88a]. A configuration is any subset of events which could have occurred in the event structure, so it must be conflict free, and every event must be caused by some previous events in the set according to the enabling relation. Given an event structure $E = (E, \#, \vdash)$, let $f(E)$ be its set of configurations. We form the eks $G = (E, f(E))$, which is clearly equivalent to the event structure, and this leads us to the following theorem.
Proposition 5 For every event structure that is formed from its family of configurations, there is an eks which has the same properties:
1. If $e \# e'$ in the event structure, then $F(G) \models \neg(e \wedge e')$.
2. If $X_1 \vdash e, \ldots, X_n \vdash e$ in the event structure, then $F(G) \models e \to \bigvee_i X_i$, where $X_i$ is taken to be the conjunction of the events in $X_i$.
The labelling of eks's enables this embedding to respect the labelling function of labelled event structures too. The definition of sum in Winskel corresponds to the definition of (disjoint) sum above:
Proposition 6 Let $E_0$ and $E_1$ be two event structures, and $G_0$ and $G_1$ be their corresponding eks's. Then $G = G_0 + G_1$ is the eks corresponding to $E = E_0 + E_1$ as defined by Winskel.
Proof: The sum of $E_0$ and $E_1$ is the disjoint union of their events along with their individual conflict and enabling relations, such that every event of $E_0$ is in conflict with every event of $E_1$. Then $E(G)$ corresponds to the events of E. Also, any configuration of E is a configuration of $E_0$ or of $E_1$, as no mixed configuration is possible. This is exactly the state set of G. ∎
There is no universally accepted definition of sequential composition for event structures. Baeten and Vaandrager [BV92] define sequential composition, and our definition does agree with theirs operationally. They define a special event, √, which is interpreted as the last event of the process executing the event structure. Sequential composition $E_0; E_1$ is then defined by refining each √ of $E_0$ with $E_1$. We can mimic this by taking each configuration in which √ can be performed next as a final state of $G_0$, the eks corresponding to $E_0$, and omitting √ from the set of events. The correspondence between the states of $G_0; G_1$ and the configurations of $E_0; E_1$ is then clear.
In [Win88b], Winskel defined the partial synchronous composition of two event structures. It is possible to define this for eks's also, in a way that respects the above embedding.
We let $A \| B$ stand for the partial synchronous product of A and B. Then $E(A \| B) = E(A) \cup E(B) \cup E(A) \times E(B)$. $Q(A \| B)$ is a set of subsets of $E(A \| B)$, each element q of which satisfies the following properties:
1. The sets $q \cap E(A)$ and, for each $b \in E(B)$, $\{a \mid (a, b) \in q\}$ are pairwise disjoint. Similarly, the sets $q \cap E(B)$ and, for each $a \in E(A)$, $\{b \mid (a, b) \in q\}$ are pairwise disjoint.
2. Define $q_A = (q \cap E(A)) \cup Pr_1(q \cap E(A) \times E(B))$ and $q_B = (q \cap E(B)) \cup Pr_2(q \cap E(A) \times E(B))$.⁶ Then $q_A \in Q(A)$ and $q_B \in Q(B)$.
3. If $q' \subset q_A$ and $q' \in Q(A)$ then $\exists q'' \in Q(A \| B)\,[q'' \subset q\ \text{and}\ q' = q''_A]$, and the same for B.
The first property says that an event of A may either occur alone or may synchronize with exactly one event of B. The second condition says that if we extract all the events of A which have happened in a state q, then these must form a state of A, called $q_A$. The third condition says that if we can reach the state $q_A$ in A by doing some events, then we should be able to do the same events (some synchronized with events in B) to reach the state q. This prevents some undesirable states, e.g. the state {(a,d), (b,c)} is not allowed when forming (a;b)‖(c;d). It is eliminated as there is no way to reach it by first doing a and then b, as that would lead to doing d before c. The only states allowed in the above example are⁷ {∅, a, a+b, c, c+d, a+c, a+c+d, a+c+b, a+b+c+d, ac, ac+b, ac+d, ac+b+d, ad+c, ad+c+b, cb+a, cb+a+d, a+c+bd, ac+bd}. All the other states are ruled out as they do not satisfy one or more of the conditions.
⁶ $Pr_1(X)$ is the set of first components of elements of X.
This definition agrees with that of Winskel [Win88b].
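The enumeration of (a;b)‖(c;d) described above, as an added example that is not part of the original paper: the Python below builds Q(A‖B) directly from conditions 1 to 3, accepting candidate states in order of increasing size so that condition 3 can refer to states already admitted. Events are represented as strings and a synchronized pair as the tuple (a, b); the helper names seq, partial_sync_product and state_name are our own, as is the decision to treat the conditions as an inductive definition.

```python
from itertools import chain, combinations

# Added example (ours, not from the paper): compute Q(A||B) from conditions 1-3.
# Events of A and B are strings; a synchronised pair is the tuple (a, b).


def seq(*events):
    """eks of the sequential process e1; e2; ...: every prefix is a state."""
    E = frozenset(events)
    Q = {frozenset(events[:k]) for k in range(len(events) + 1)}
    return E, Q


def powerset(items):
    items = list(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))


def partial_sync_product(A, B):
    """Return (E(A||B), Q(A||B)) for eks's A = (E(A), Q(A)) and B = (E(B), Q(B))."""
    EA, QA = A
    EB, QB = B
    E = EA | EB | {(a, b) for a in EA for b in EB}

    def pairs(q):
        return [e for e in q if isinstance(e, tuple)]

    def proj(q):
        # condition 2: q_A = (q ∩ E(A)) ∪ Pr1(q ∩ E(A)×E(B)); q_B analogously
        qA = frozenset(e for e in q if e in EA) | frozenset(a for a, _ in pairs(q))
        qB = frozenset(e for e in q if e in EB) | frozenset(b for _, b in pairs(q))
        return qA, qB

    def cond1(q):
        # each event of A occurs at most once, alone or in exactly one pair; same for B
        usedA = [e for e in q if e in EA] + [a for a, _ in pairs(q)]
        usedB = [e for e in q if e in EB] + [b for _, b in pairs(q)]
        return len(usedA) == len(set(usedA)) and len(usedB) == len(set(usedB))

    def cond3(q, accepted):
        # every state q' of A strictly below q_A must be the A-projection of an
        # already accepted state q'' strictly below q; the same for B
        qA, qB = proj(q)
        below = [qq for qq in accepted if qq < q]
        okA = all(any(proj(qq)[0] == qp for qq in below) for qp in QA if qp < qA)
        okB = all(any(proj(qq)[1] == qp for qq in below) for qp in QB if qp < qB)
        return okA and okB

    accepted = set()
    # condition 3 refers to Q(A||B) itself, so admit states by increasing size
    for q in sorted((frozenset(s) for s in powerset(E)), key=len):
        qA, qB = proj(q)
        if cond1(q) and qA in QA and qB in QB and cond3(q, accepted):
            accepted.add(q)
    return E, accepted


def state_name(q):
    """Paper's shorthand: the pair (a, c) is written ac, events are joined by '+'."""
    tokens = sorted(e if isinstance(e, str) else e[0] + e[1] for e in q)
    return '+'.join(tokens) if tokens else '∅'


if __name__ == '__main__':
    E, Q = partial_sync_product(seq('a', 'b'), seq('c', 'd'))
    print(len(Q), 'states:', sorted(map(state_name, Q)))
```

Running it on (a;b)‖(c;d) yields the nineteen states listed in the text and rejects {(a,d), (b,c)}: that candidate passes conditions 1 and 2, but the only subsets below it whose A-projection is {a} are {(a,d)}, whose B-projection {d} is not a state of (c;d), so condition 3 fails.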
Proposition 7 Let $E_1$ and $E_2$ be two event structures, and $A_1$ and $A_2$ the eks's corresponding to them. Then the eks $A_1 \| A_2$ corresponds to the event structure E formed by the partial synchronous composition of $E_1$ and $E_2$.
Proof: Outline: The events of E match the events of $A_1 \| A_2$, by definition. Each state in $A_1 \| A_2$ is conflict free, by the first condition. Also, if any two events were in conflict in $E_1$, then they would not occur in any state of $A_1$, so they would remain in conflict in states of $A_1 \| A_2$, by condition 2. Finally, we can use the third condition to prove by induction that all states in $A_1 \| A_2$ are secured. Conversely, since the only states that were dropped were the ones that did not satisfy these conditions, the remaining states are exactly the configurations of E. ∎
Another model which is superficially similar to eks's is Gunawardena's causal automata [Gun91, Gun92]. However, the semantics for causal automata are quite different from that of eks's, in that if a → b is true in a causal automaton, then b must have occurred before a, whereas in eks's this condition means only that a cannot occur before b. As a result, causal automata can express deadlock, which we have not been able to express using eks's. The logical constraints that causal automata can express on events are a strict subset of the constraints expressible in eks's; for example, causal automata cannot distinguish between choice and non-determinism, or between causality and enabling.
6 Summary
We have defined a process algebra of eks's, and given various properties for the connectives. We have also shown a duality for eks's which enables us to look at each eks as a declarative program, a schedule, or as an imperative program, an automaton. This would enable a programmer to choose the point of view in which it is easier to write any program, and also allows for an easy conversion between the two views. This duality is a form of Stone duality [Joh82], and we will discuss this connection elsewhere.
The natural semantics for eks's is a true concurrency semantics, as in event structures and Petri nets. However, eks's also enable us to specify nondeterminism and choice, and causality, which the other two models do not.
The major limitation of our approach is that choosing conflicting alternatives ensures that we are in different branches of the automaton, and can never come together again. This seems to be a feature of all existing schedule automaton dualizations [NPW81, Win86, Pra92]. It makes it necessary to unfold any loops in an automaton, duplicating the actions, as in our definition of $A^*$. This may have undesirable consequences for algorithms using eks's, and complicate decision problems. It also does not take into account the fact that some conflicts, like in mutual exclusion, are temporary. This permanence of conflict is the reason why the information-time graphs for eks's are monotonically increasing. In other words, eks's never forget any information about any choices made in the past, even if some of this information is useless.
⁷ We write ac+b for {(a,c), b}.
We hope to overcome this problem by extending schedule automaton duality to structures in which conflict is not so permanent. One approach for doing this seems to be higher dimensional automata [Shi85, Pra91, GJ92], which distinguish a mutex b from ab + ba by representing the former as a square with no interior, and the latter as in eks's, with labelling. Eks's cannot make this distinction now, but higher dimensional automata do not yet have the schedule automaton duality, and we hope to reconcile the two.
We have not shown completeness of the properties of the eks connectives, and plan to address this in the future. The set of connectives can be embellished with the other operators from linear logic, and eks's then form a model for it, but this model is also not complete. However, it does give us a logic to reason with eks's, and is useful in constructing a verification language for concurrency. This connection is explored in [Pra93].
References
[Bar79] M. Barr. *-Autonomous Categories, LNM 752. Springer-Verlag, 1979.
[BG90] C. Brown and D.Gurr. A categorical linear framework for Petri nets. In J. Mitchell, editor, Logic in Computer Science, pages 208–218. IEEE Computer Society, June 1990.
[BV92] J.C.M. Baeten and F.W. Vaandrager. An algebra for process creation. Acta Informatica, 29(4):303–334, 1992.
[CCMP91] R.T. Casley, R.E. Crew, J. Meseguer, and V.R. Pratt. Temporal structures. Math. Structures in Comp. Sci., 1(2):179–213, July 1991.
[Dro89] M. Droste. Event structures and domains. Theoretical Computer Science, 68:37–47, 1989.
[GJ92] E. Goubault and T.P. Jensen. Homology of higher dimensional automata. In Proc. of CONCUR '92, LNCS 630, pages 254–268, Stonybrook, New York, August 1992. Springer-Verlag.
[GP93] V. Gupta and V.R. Pratt. Gates accept concurrent behavior. In Proc. 34th Ann. IEEE Symp. on Foundations of Comp. Sci., November 1993. To appear.
[Gra81] J. Grabowski. On partial languages. Fundamenta Informaticae, IV.2:427–498, 1981.
[Gun91] J. Gunawardena. Geometric logic, causality and event structures. In J.C.M. Baeten and J.F. Groote, editors, CONCUR '91 - 2nd International Conference on Concurrency Theory, pages 266–280. Springer LNCS 527, 1991.
[Gun92] J. Gunawardena. Causal automata. Theoretical Computer Science, 101:265–288, 1992.
[Joh82] P.T. Johnstone. Stone Spaces. Cambridge University Press, 1982.
[LS91] Y. Lafont and T. Streicher. Games semantics for linear logic. In Proc. 6th Annual IEEE Symp. on Logic in Computer Science, pages 43–49, Amsterdam, July 1991.
[Maz77] A. Mazurkiewicz. Concurrent program schemas and their interpretation. In Proc. Aarhus Workshop on Verification of Parallel Programs, 1977.
[Mil80] R. Milner. A Calculus of Communicating Systems, LNCS 92. Springer-Verlag, 1980.
[Mil90] R. Milner. Operational and algebraic semantics of concurrent processes. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, chapter 19, pages 1201–1242. Elsevier Science Publishers B.V. (North-Holland), 1990.
[NPW81] M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures, and domains, part I. Theoretical Computer Science, 13, 1981.
[Pet62] C.A. Petri. Fundamentals of a theory of asynchronous information flow. In Proc. IFIP Congress 62, pages 386–390, Munich, 1962. North-Holland, Amsterdam.
[Pra82] V.R. Pratt. On the composition of processes. In Proceedings of the Ninth Annual ACM Symposium on Principles of Programming Languages, January 1982.
[Pra86] V.R. Pratt. Modeling concurrency with partial orders. Int. J. of Parallel Programming, 15(1):33–71, February 1986.
[Pra91] V.R. Pratt. Modeling concurrency with geometry. In Proc. 18th Ann. ACM Symposium on Principles of Programming Languages, pages 311–322, January 1991.
[Pra92] V.R. Pratt. Arithmetic + logic + geometry = concurrency. In Proc. First Latin American Symposium on Theoretical Informatics, LNCS 583, pages 430–447, São Paulo, Brazil, April 1992. Springer-Verlag.
[Pra93] V.R. Pratt. The second calculus of binary relations. In MFCS'93, Gdańsk, Poland, 1993.
[Shi85] M. Shields. Deterministic asynchronous automata. In E.J. Neuhold and G. Chroust, editors, Formal Models in Programming. Elsevier Science Publishers, B.V. (North Holland), 1985.
[Win86] G. Winskel. Event structures. In Petri Nets: Applications and Relationships to Other Models of Concurrency, Advances in Petri Nets 1986, LNCS 255, Bad-Honnef, September 1986. Springer-Verlag.
[Win88a] G. Winskel. A category of labelled Petri nets and compositional proof system. In Proc. 3rd Annual Symposium on Logic in Computer Science, Edinburgh, 1988. Computer Society Press.
[Win88b] G. Winskel. An introduction to event structures. In Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, REX '88, LNCS 354, Noordwijkerhout, June 1988. Springer-Verlag.
Specification of Instruction-Level Parallelism
Ed Harcourt*   Jon Mauney*   Todd Cook†
*Department of Computer Science
†Department of Electrical and Computer Engineering
North Carolina State University
Raleigh, NC 27695
July 15, 1993
Abstract
We present a technique for formally describing, at a high level, the timing properties of Superscalar/RISC instruction set processors. We illustrate the technique by specifying a hypothetical processor that shares many properties of commercial processors including delayed loads and branches, interlocked floating-point instructions, and multiple instruction issue (Superscalar). As our mathematical formalism we use SCCS, a synchronous process algebra used for specifying timed concurrent systems. Timing properties are specified at an abstract level without resorting to implementation detail. Such high-level specifications are useful for timing-level simulator generation, synthesis and verification of hardware and software (e.g. compilers, schedulers), and precise documentation. We have implemented our specification within the framework of the Concurrency Workbench, a tool for simulating and analyzing SCCS specifications.
1 Introduction
In modern computer architecture the temporal and concurrent properties of the instructions are often visible to the user of the processor. Consequently, such properties should be included in any behavioral architecture specification. We present a technique for formally describing, at a high level, the timing properties of Superscalar/RISC instruction set processors [PH90, Joh91]. We illustrate the technique by specifying a hypothetical RISC that shares many properties of commercial RISCs including delayed loads and branches, interlocked floating-point instructions, and multiple instruction issue (Superscalar).
As our mathematical formalism we use SCCS, a synchronous process algebra designed for specifying timed concurrent systems [Mil89, Mil83]. SCCS allows us to explicitly specify the temporal and concurrent properties of a processor (and instructions). In contrast, a functional approach only allows us to specify final computations [Pai90]. We have implemented our specification on the Concurrency Workbench [CPS93, Mol92], allowing us to interactively experiment with, analyze, and simulate our processor description. This research is in conjunction with research to design a specification language for instruction set architecture [CFHM93].
1.1 Levels of Abstraction
There are many views of an instruction set processor; a common hierarchy is:
• The architecture level is a functional view that represents the processor as seen by the assembly language programmer.
• The organization level includes the general structure of the processor in terms of functional units (e.g., integer and floating-point pipelines, caches, and busses).
• The logic level contains the low level implementation detail of the functional units.
The user of a processor is concerned with the architectural level, as they must have information to write correct programs. However, the user would also like to use the processor most efficiently. For example, in some RISC architectures the following instruction sequence may possibly be programmed more efficiently.
(1) Load R1, (R2)       ; R1 ← Mem(R2)
(2) Add  R2, R2, R1     ; R2 ← R2 + R1
(3) Add  R3, R3, #1     ; R3 ← R3 + 1
Instruction (2) will usually cause an interlock (on the MIPS this is an incorrect program) which wastes cycles. However, instructions (2) and (3) may be switched without altering the meaning of the program. This switch would most likely eliminate the interlock caused by (2).
There is no hard line that determines where one processor view ends and another begins. Usually the architecture level does not contain timing information and the organization level does. But the organization level also contains a considerable amount of other detail that is of no concern to the user.
A motivating example comes from the MIPS manual which states that for the load-word instruction, LW rt, offset(base), "... the contents of general register rt are undefined for time T of the instruction immediately following this load instruction" [KH92]. Such informal descriptions are vague and imprecise and demonstrate the kind of timing constraint we wish to formalize at an abstract level, that is, one that hides organization detail. There may be any number of reasons for the delay in the load instruction and we only wish to specify the delay and not the underlying cause. The user should not be expected to infer the delay by studying low-level organization.
The goal of this research, then, is to develop a mathematical model of instruction timing at an abstract level that hides irrelevant detail of organization.
1.2 Extensions to SCCS
It is assumed that the reader is familiar with SCCS as presented in [Mil83, Mil89]. We use two extensions to SCCS that will aid us in writing processor specifications.
Frequently we wish to execute two agents A and B in parallel where B begins executing one clock cycle after A (e.g., issuing instructions on consecutive cycles). This is modeled by the agent A × 1 : B, and the expression A Next B denotes this agent.
Another useful operator is the priority sum operator, ⊕ [CW91]. If in A ⊕ B both A and B can execute then A is preferred.
2 Specifying a Processor
A processor is a system of interacting processes where registers and memory interact with one or more functional units. Equation 1 represents such a system at the highest level.
Processor ≝ (Instruction Unit × Memory × Registers) ↾ I    (1)
where I = {Instructions from section 2.4}
Before we proceed in specifying instructions and their interaction it is necessary to develop an appropriate model of registers and memory.
2.1 Defining the Registers
In this section we develop an abstract model of storage in which storage cells are modeled as agents. The agent Regl(y) defines one register holding a value y, such that an action putr(x) executed at time t stores x in the register, which is available for use at time t + 1. The action getr(y) retrieves the value stored in the register and assigns this to y. Another action, a product of two particulate actions, putr(x)getr(y), allows Regl to be read and written simultaneously. The value read is the old value in Regl, not the new one being written. Since reading a register does not alter its value, multiple getr actions are allowed on the same register. The action getr(y)getr(y) represents reading the register twice, which we abbreviate to getr(y)^2.
Regl(y) ≝ Σ_{j∈{1,2}} getr(y)^j : Reg(y) + Σ_{j∈{0,1,2}} getr(y)^j putr(x) : Reg(x) + 1 : Reg(y)    (2)
2.1.1 Register Locking
The actions getr and putr are atomic. It may be that a register is going to be updated some time in the future (e.g., delayed loads) and any attempt to read or write the register by another agent should result in an error. We augment equation 2 by allowing an agent to reserve a register for future writing using the action lockreg and then, at some point in the future, to write the register (with putr) and release it with the action releasereg. When an agent locks a register the register goes into a state LockedReg where the only allowable action is putr(x)releasereg. All other combinations of getr and putr in the locked state lead to the inactive agent 0. This need to trap all of the other illegal action sequences complicates matters so we have factored them into equation 4.
Reg(y) ≝ Regl(y) + lockreg : LockedReg(y)
LockedReg(y) ≝ IllegalAccess(y) + putr(x) releasereg : Reg(x) + 1 : LockedReg(y)    (3)
IllegalAccess(y) ≝ Σ_{j∈{1,2}} getr(y)^j : 0 + Σ_{j∈{1,2}} getr(y)^j putr(x) releasereg : 0 + Σ_{j∈{0,1,2}} getr(y)^j putr(x) : 0    (4)
Given the definition of one register, a family of registers (Reg_1, Reg_2, etc.) is now defined by subscripting each of the actions by a register number. For example, the action putr_i represents writing register i. Thirty-two registers are constructed by
Registers ≝ Π_{i=0}^{31} Reg_i(y)    (5)
Notice that when no putr or getr action is requested the registers are idling.
2.2 Defining Memory
Given the definition of the register Regl (non-locking version), a similar definition of an agent Memory is straightforward. Analogously, actions getm and putm read and write memory cells and the agent Memory is defined to be a product of individual memory cells.
2.3 Instruction Pipeline
Instruction pipelines are usually described in terms of their stages of execution, for example: fetch, decode, execute, memory access, write back (abbreviated IF, ID, EX, MEM, WB). IPL (for instruction pipeline) defines a model of an instruction pipeline.
IPL ≝ IF × ID × EX × MEM × WB
This is a reasonable and obvious representation, but if we are interested only in external behavior it is over-specified. We should resist attempting to specify an architecture's timing behavior in terms of individual stages as this commits us to describe the functionality of each individual stage, which would have to include, for example, forwarding hardware and latches. We should strive for a more abstract specification.
2.4 ToyP, a Toy Processor
To construct a specification of a processor we present the instructions of a hypothetical RISC, ToyP, that shares many features of commercial RISCs. ToyP is loosely based on the MIPS architecture [KH92]. ToyP instructions, memory word size, registers, and addresses are thirty two bits. ToyP is a Load/Store architecture with three-operand arithmetic instructions.
Here is an informal description of the semantics and timing behavior of some ToyP instructions.
• Add Ri, Rj, Rk adds registers j and k and puts the result in register i. The instruction executing immediately after an Add may use register i.
• Load Ri, Rj, #Const is a delayed load instruction. Register i is being loaded from memory at the base address in register j with offset #Const. The instruction executing immediately after Load cannot use register i.
• BZ Rj, #Locn is a delayed branch instruction. The instruction immediately after the branch is always executed before the branch is taken (if Rj = 0). If the branch is not taken then the instruction after the branch is not executed. Another BZ instruction may not appear in the branch delay slot.
• Fadd FRi, FRj, FRk is an interlocked floating-point add that takes six cycles before the result can be used. If another Fadd instruction tries to use the result before the current Fadd is finished then instruction execution stalls until the result is ready.
2.5 Instruction Issue
Given our definitions of Registers and Memory we now describe an agent Instr(PC) (equation 6) that specifies the behavior of ToyP instructions off of program counter PC. Instructions are divided into four classes: arithmetic, load and store, branch, and floating-point, and are described by agents Alu, Load_Store, Branch, and Float.
Instr(PC) ≝ (Non_Branch(PC) Next Instr(PC + 4)) + Branch(PC) ⊕ Stall(PC)    (6)
Non_Branch(PC) ≝ Alu(PC) + Load_Store(PC) + Float(PC)    (7)
Stall(PC) ≝ 1 : Instr(PC)    (8)
There are three possible execution paths of Instr(PC).
• A non-branch instruction executes and the next instruction to execute is at PC + 4.
• A branch instruction may execute. Here, the decision on what instruction to execute next is deferred.
• If no instruction can execute then the processor must stall. The ⊕ operator (section 1.2) is used here because the processor should stall only when no other alternative is available.
2.5.1 Arithmetic Instructions
All Von Neumann architectures are based on the "stored program model" and fetch instructions from memory using a program counter, which we call PC. The action
getm_PC(Add Ri, Rj, Rk)
represents fetching an Add instruction from memory. And in fact, from a user's view, an instruction Add Ri, Rj, Rk appears to take one cycle to execute. In the following instruction sequence,
Add R1, R2, R3
Mov R2, R1
the Add instruction executes at time t and the Mov executes at time t + 1. From a behavioral view there is no problem with writing R1 and reading R1 in consecutive instructions. The user does not and should not need to understand bypass hardware in order to discover that the above instruction sequence is legal.
The agent
Alu(PC) ≝ getm_PC(Add Ri, Rj, Rk) getr_j(x) getr_k(y) putr_i(x + y) : DONE
represents the execution of the Add instruction, specifying that registers are accessed and the result is written atomically. The agent DONE is the idle agent and has the effect of representing termination of the instruction. (In [Mil83, Mil89] the idle agent is called 1. We use DONE to avoid confusion with the idle action 1.)
2.5.2 Load and Store Instructions
The following instruction sequence,
Load R1, R2, #8
Mov R3, R1
is illegal in ToyP because of the use of R1 immediately after the Load. The Load instruction accesses memory at time t and the result of the load is available at time t + 2. This is represented by
Load_Store(PC) ≝ getm_PC(Load Ri, Rj, A) getr_j(B) getm_{A+B}(V) lockreg_i : putr_i(V) releasereg_i : DONE
The Store instruction is similarly defined except that the result is ready immediately (presumably because of forwarding hardware).
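The register-locking semantics of equations 2 to 4 and the one-instruction-per-tick issue of the Add and Load agents, as an added example that is not the paper's SCCS text or a Concurrency Workbench script: a cycle-level simulation in Python that applies each tick's particulate actions to every register and reaches the inactive agent 0 (here an IllegalAccess exception) exactly when a locked register is read or written without releasereg. The instruction tuples, the Nop and Mov encodings (Mov is assumed to time like Add, reading and writing in one tick), and the initial register and memory contents are constructed for the example; the names reg_step, merge, run and is_legal are ours.

```python
# Added example (ours): cycle-level simulation of the register agents of
# equations 2-4 and the Add / Load timing of section 2.5.


class IllegalAccess(Exception):
    """Reaching the inactive agent 0 through IllegalAccess(y) in equation 4."""


def reg_step(state, action):
    """One clock tick of a single register, Reg(y) or LockedReg(y).

    state  -- (value, locked)
    action -- particles aimed at this register in this tick:
              {'getr': j, 'putr': x, 'lockreg': True, 'releasereg': True};
              the empty dict is the idle action 1.
    Returns the new (value, locked).  A getr in the same tick as a putr reads
    the old value, as stated in the text after equation 2.
    """
    value, locked = state
    reads = action.get('getr', 0)
    put = 'putr' in action
    release = bool(action.get('releasereg'))
    lock = bool(action.get('lockreg'))
    if reads > 2:
        # equation 2 only offers getr^j for j in {0,1,2}; treated as an error (assumption)
        raise IllegalAccess("more than two reads in one tick")
    if not locked:
        if lock:
            # Reg(y) = Regl(y) + lockreg : LockedReg(y); lockreg is offered alone (assumption)
            if reads or put or release:
                raise IllegalAccess("lockreg combined with other particles")
            return (value, True)
        if release:
            raise IllegalAccess("releasereg on an unlocked register")
        return ((action['putr'] if put else value), False)   # getr^j [putr(x)] : Reg(..)
    # LockedReg(y): only putr(x) releasereg : Reg(x) and the idle action are allowed
    if put and release and not reads and not lock:
        return (action['putr'], False)
    if reads or put or release or lock:
        raise IllegalAccess(f"access to a locked register (holding {value})")
    return state


def merge(actions, reg, particles):
    """Form the product of the particulate actions aimed at one register this tick."""
    a = actions.setdefault(reg, {})
    for name, val in particles.items():
        if name == 'getr':
            a['getr'] = a.get('getr', 0) + val
        elif name in a:
            raise IllegalAccess(f"two {name} particles on R{reg} in one tick")
        else:
            a[name] = val


def run(program, regs, memory):
    """Issue one instruction per tick (A Next B) and apply the register actions.

    program -- list of ('Add', ri, rj, rk) | ('Load', ri, rj, const) |
               ('Mov', rd, rs) | ('Nop',)   (encoding assumed for this example)
    Returns the final register values, or raises IllegalAccess.
    """
    state = {r: (v, False) for r, v in regs.items()}
    pending = {}                        # tick -> [(reg, particles)] deferred by delayed loads
    for t in range(len(program) + 1):   # one extra tick drains a trailing Load
        actions = {}
        for reg, particles in pending.pop(t, []):
            merge(actions, reg, particles)
        if t < len(program):
            instr = program[t]
            if instr[0] == 'Add':       # getr_j(x) getr_k(y) putr_i(x+y) : DONE
                _, ri, rj, rk = instr
                merge(actions, rj, {'getr': 1})
                merge(actions, rk, {'getr': 1})
                merge(actions, ri, {'putr': state[rj][0] + state[rk][0]})
            elif instr[0] == 'Mov':     # assumed to time like Add: getr_s(x) putr_d(x)
                _, rd, rs = instr
                merge(actions, rs, {'getr': 1})
                merge(actions, rd, {'putr': state[rs][0]})
            elif instr[0] == 'Load':    # getr_j(B) getm_{A+B}(V) lockreg_i : putr_i(V) releasereg_i
                _, ri, rj, const = instr
                merge(actions, rj, {'getr': 1})
                merge(actions, ri, {'lockreg': True})
                value = memory[state[rj][0] + const]
                pending.setdefault(t + 1, []).append((ri, {'putr': value, 'releasereg': True}))
            elif instr[0] != 'Nop':
                raise ValueError(f"unknown instruction {instr[0]}")
        for reg, act in actions.items():
            state[reg] = reg_step(state[reg], act)
    return {r: v for r, (v, _) in state.items()}


def is_legal(program, regs, memory):
    """True iff the program never reaches the inactive agent 0."""
    try:
        run(program, regs, memory)
        return True
    except IllegalAccess:
        return False


# Constructed sample contents: R2 holds a base address, memory word 108 holds 42.
REGS = {1: 0, 2: 100, 3: 7}
MEMORY = {108: 42}

if __name__ == '__main__':
    print(run([('Add', 1, 2, 3), ('Mov', 2, 1)], REGS, MEMORY))                  # legal
    print(is_legal([('Load', 1, 2, 8), ('Mov', 3, 1)], REGS, MEMORY))            # False
    print(is_legal([('Load', 1, 2, 8), ('Nop',), ('Mov', 3, 1)], REGS, MEMORY))  # True
```

The Load/Mov pair from the text fails at tick t + 1: the deferred putr_1(V) releasereg_1 and the Mov's getr_1 land on R1 in the same tick, which is one of the summands of IllegalAccess in equation 4, whereas inserting a Nop lets the release happen first and the Mov then reads the loaded value.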
2.5.3 The Branch Instruction
Equation 9 specifies the behavior of the delayed branch instruction, BZ.
Branch(PC) ≝ getm_PC(BZ Rj, Locn) getr_j(V) :
    if V = 0 then
        (Non_Branch(PC + 4) Next Instr(Locn))
        + getm_{PC+4}(BZ Rj, Locn) : 0
    else
        Instr(PC + 8)    (9)
The BZ instruction has the effect that
• at time t, a BZ instruction is fetched and register Rj is accessed.
• at time t + 1, if the value of Rj is not zero then execution continues with the instruction after the branch delay slot.
• at time t + 1, if the value of Rj is zero then a non-branch instruction is executed in the branch delay slot and execution continues with the instruction at Locn at time t + 2.
• If another BZ instruction is in the delay slot then we reach the inactive agent 0, which represents an error state.
2.6 Interlocked Floating-Point Instructions
The floating-point add instruction Fadd takes six cycles to compute its result. For instructions that have a large latency it is generally unreasonable to expect the programmer (or scheduler) to find enough independent instructions to execute until the Fadd is complete. Inserting Nop instructions would significantly increase code size; therefore, floating-point instructions are typically interlocked.
2.6.1 Floating-Point Registers
We associate a lock with each floating-point register as in the integer registers. The difference, though, is that an attempt to read or write an integer register while it is locked is illegal, while reading or writing a floating-point register while it is locked causes the processor to stall. ToyP has a separate set of thirty two floating-point registers that are defined similarly to the integer registers except that we add two new actions, lockfreg and releasefreg. Actions putfr and getfr are the two actions that write and read a floating-point register.
Freg_i(y) ≝ lockfreg_i : Write_i + Σ_{j∈{1,2}} getfr_i(y)^j : Freg_i(y) + 1 : Freg_i(y)
Write_i ≝ putfr_i(x) releasefreg_i : Freg_i(x) + 1 : Write_i
2.6.2 The Fadd instruction
Having defined interlocked fp-registers we can specify the behavior of the Fadd instruction. The Fadd instruction must (1) access its source registers and lock its destination register using the action lockfreg; (2) compute the addition; (3) write the result in the destination register and release the destination register using the action releasefreg. Equation 10 specifies ToyP's Fadd instruction.
Float(PC) ≝ getm_PC(Fadd FRi, FRj, FRk) lockfreg_i getfr_j(x) getfr_k(y) : (1 :)^? putfr_i(x + y) releasefreg_i : DONE    (10)
The processor stalls when an instruction wishes to access a locked fp-register. Since the action will not be available the execution of the instruction is suppressed and the only available action then is to execute the idle action of agent Stall.
3 A Two-Issue Superscalar ToyP
This section describes variations of ToyP that can issue and execute multiple instructions per cycle. Such multiple issue processors are commonly referred to as superscalar processors. Two or more instructions can be executed in parallel if they are data independent and can also be issued to separate functional units.
Usually, one floating-point and one integer instruction can be issued in parallel as they use separate functional units. Also, if they use disjoint register files, they are guaranteed to be data independent. Two integer instructions can be issued in parallel only if there are two or more integer functional units. In this case, the problem is complicated somewhat because data dependencies between two integer instructions can arise, inhibiting their parallel execution.
3.1 A Float × Integer Superscalar
In this variant of ToyP one integer and one floating point instruction can be issued in parallel. Branch and Load/Store instructions must be issued sequentially.
If two instructions can be issued in parallel then it must be an integer instruction followed by a floating point instruction or vice-versa.
(Float(PC) × Alu(PC + 4)) + (Alu(PC) × Float(PC + 4))
We can rewrite this using summation and also to include continuing execution at PC + 8.
Do_Two(PC) ≝ Σ_{i,j∈{0,4}} (Alu(PC + i) × Float(PC + j)) Next Instr(PC + 8)
Do_Two assumes, justifiably, that an instruction cannot be both an integer and a floating-point instruction. This implies that when i = j the agent Alu(PC + i) × Float(PC + j) reduces to zero. There are no data dependencies to worry about because each instruction accesses separate register files.
3.1.1 Instruction Issue
Our top-level instruction issue equation 6 must be modified to reflect this new two-issue capability. Renaming equation 6 from Instr to Do_One, our processor can now execute two, one, or zero (stall) instruction(s) per cycle, which we capture in equation 11.
Instr(PC) ≝ Do_Two(PC) ⊕ Do_One(PC) ⊕ Stall(PC)    (11)
Notice the use of ⊕ (section 1.2) instead of +. Whenever it is possible to do Do_Two it is also possible to do Do_One, and issuing two instructions should take priority over issuing one, when possible.
3.2 An Integer × Integer Superscalar
In this section we specify a version of ToyP that can execute two integer ALU instructions in
parallel. At first glance, it would seem that

$$\mathit{AIn}(PC) \times \mathit{AIn}(PC+4) \qquad (12)$$

specifies the ability to execute two integer instructions in parallel. However, because both instructions
use the same register file we now have the possibility of data hazards existing between the
two integer instructions. Hence, sometimes parallel execution is thwarted.
Using particle restriction ($A \backslash\!\backslash S$, where $S$ is a set of particles) we can force equation 12 to apply
only to legal integer instruction sequences of length two. In a legal instruction sequence the first
integer instruction can write register $i$ and the second integer instruction cannot write or read
register $i$:

$$\sum_{i} \big(\mathit{AIn}(PC)\backslash\!\backslash A \times \mathit{AIn}(PC+4)\backslash\!\backslash B\big) \qquad (13)$$

where

$$A = \{\mathit{putr}_i, \mathit{getr}_0, \ldots, \mathit{getr}_{31}\}, \qquad B = \{\mathit{getr}_0, \ldots, \mathit{getr}_{31}, \mathit{putr}_0, \ldots, \mathit{putr}_{31}\} - \{\mathit{putr}_i, \mathit{getr}_i\}$$

Equation 13 represents all of the allowable integer instruction sequences of length two that may
execute in parallel.
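The pairing rules of Sections 3.1 and 3.2 and the priority choice of equation 11 can be exercised on concrete instruction sequences. The Python program below is an added example and not part of the paper's SCCS specification: it records each instruction by its kind and by the registers it writes and reads (its putr and getr particles), decides whether the instructions at PC and PC+4 may issue together, and walks a constructed program under the DoTwo over DoOne priority. Stall(PC) is not modelled, since the load, branch and floating-point interlocks it depends on are specified in earlier sections of the paper not reproduced here; instruction index i stands for address PC+4i.

```python
"""Two-issue policy of Section 3: Instr(PC) = DoTwo +> DoOne +> Stall, with the pairing rules of 3.1 and 3.2."""
from typing import NamedTuple

F = frozenset


class Instr(NamedTuple):
    kind: str            # "int", "float", "branch", "load" or "store"
    writes: frozenset    # registers written: the putr_i particles of the instruction
    reads: frozenset     # registers read: its getr_i particles


def can_pair(first, second):
    """Whether the instruction at PC and the one at PC+4 may issue together.
    Float x Integer (3.1): always, the two register files are disjoint.
    Integer x Integer (3.2, equation 13): only if the second instruction neither reads nor writes
    the register the first one writes.  Branches and loads/stores issue alone."""
    kinds = {first.kind, second.kind}
    if kinds == {"int", "float"}:
        return True
    if kinds == {"int"}:
        return not (first.writes & (second.reads | second.writes))
    return False


def issue(program):
    """Cycle-by-cycle issue under the priority choice of equation 11: DoTwo whenever it is possible,
    otherwise DoOne.  Stall(PC) is not modelled (assumption: no interlocks in the program), so every
    cycle issues at least one instruction.  Returns the tuple of instruction indices issued per cycle."""
    cycles, pc = [], 0
    while pc < len(program):
        if pc + 1 < len(program) and can_pair(program[pc], program[pc + 1]):
            cycles.append((pc, pc + 1))      # DoTwo: continue at PC + 8
            pc += 2
        else:
            cycles.append((pc,))             # DoOne: continue at PC + 4
            pc += 1
    return cycles


# Constructed sample program (index i stands for address PC + 4i).
PROGRAM = [
    Instr("int",    F({"r1"}), F({"r2", "r3"})),   # 0: r1 = r2 + r3
    Instr("int",    F({"r4"}), F({"r1"})),         # 1: r4 = r1 + 1     reads r1, so it cannot pair with 0
    Instr("float",  F({"f0"}), F({"f1"})),         # 2: f0 = f1 * f1    pairs with the integer op before it
    Instr("int",    F({"r5"}), F({"r6"})),         # 3: r5 = r6 + 1
    Instr("int",    F({"r6"}), F({"r7"})),         # 4: r6 = r7 + 1     writes a register 3 only reads: legal under (13)
    Instr("branch", F(),       F({"r5"})),         # 5: branch on r5    must issue sequentially
]

if __name__ == "__main__":
    for cycle, issued in enumerate(issue(PROGRAM)):
        print(f"cycle {cycle}: issue {issued}")   # 4 cycles for the 6 instructions
```

The schedule shows the effect of equation 13 directly: instruction 1 is held back one cycle because it reads the register instruction 0 writes, while instructions 3 and 4 pair even though 4 writes a register that 3 reads, since only the first instruction's written register is restricted.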
4 Simulation
A simulation of our ToyP specification amounts to running an agent that represents a ToyP program
with our agent that represents ToyP, that is, $\mathit{ToyP} \times \mathit{Program}$. We observe the behavior of the
program by calculating the transition graph of an agent. We do not have room to reproduce a
transition graph here. We only note that our simulation takes place within the framework of the
Concurrency Workbench, which allows us to experiment with our processor specification.
5 Conclusions and Comments
In this paper we have presented a technique for specifying the timing properties of instruction-level
parallel processors using SCCS, a synchronous process calculus. The timing properties specified are
delayed loads and branches, interlocked floating-point operations, and multiple instruction issue.
With the plethora of formal specification languages (especially for hardware), the question arises
why we should prefer our approach to another. The answer, as is often the case, depends on what
one is interested in, and in our case that is explicit specification of both timing and concurrency. This
is important because, if the programmer wants to use the processor most
efficiently, timing and concurrency must be specified. Our SCCS processor description specifies a
processor for what it really is: a communicating system of functional units.
In future research, we plan to derive instruction scheduling parameters (e.g., latencies) from pro-
cessor specifications allowing us to automatically synthesize instruction schedulers. The transition
graphs of instructions clearly indicate when instructions begin executing. Latency information is
derived by appropriately testing the specification and observing when instructions begin execution.
References
[CFHM93] Todd A. Cook, Paul D. Franzon, Ed A. Harcourt, and Thomas K. Miller. System-level specification of instruction sets. To appear in ICCD 93, Proceedings of the International Conference on Computer Design, 1993.
[CPS93] Rance Cleaveland, Joachim Parrow, and Bernhard Steffen. The Concurrency Workbench: A semantics-based tool for the verification of concurrent systems. ACM Transactions on Programming Languages and Systems, 15(1):36–72, January 1993.
[CW91] Juanito Camilleri and Glynn Winskel. CCS with priority choice. In LICS 91: IEEE Symposium on Logic in Computer Science, pages 246–255, 1991.
[Joh91] Mike Johnson. Superscalar Microprocessor Design. Prentice Hall, 1991.
[KH92] Gerry Kane and Joe Heinrich. MIPS RISC Architecture. Prentice Hall, 1992.
[Mil83] Robin Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science, 25:267–310, 1983.
[Mil89] Robin Milner. Communication and Concurrency. Prentice Hall, 1989.
[Mol92] Faron Moller. The Edinburgh Concurrency Workbench (Version 6.1). University of Edinburgh, 1992.
[Pai90] Jean-Luc Paillet. Functional semantics of microprocessors at the machine instruction level. In Computer Hardware Description Languages and Their Applications, pages 87–101, 1990.
[PH90] David A. Patterson and John L. Hennessy. Computer Architecture: A Quantitative Approach. Morgan Kaufmann, San Mateo, CA, 1990.
Specification of Transition Systems
with Negation
(Extended Abstract)
Rémi Lissajoux
Thomson-CSF/LCR
91404 Orsay Cedex
France
July 2, 1993
Abstract
We define new conditions to specify transition systems with negation on process algebras, with SOS à la Plotkin. These conditions lie strictly between those given in [Bloom et al.88] and [Groote91]. They ensure both existence and uniqueness of a model and congruence of the bisimulation. They are based on a generalization of guardedness of terms (and of recursion) which is defined modulo a set of Structural Transition Rules, and not only with the prefix operator [Vaandrager93]. Therefore, they are applicable to any (free) algebra.
1 Introduction
In the field of concurrent systems theory, some recent work has been devoted to the use of negation in transition systems specifications. Negation is used to specify priority relations between process transitions (see [Groote91, Cleaveland et al.88, Okulicka90] for some examples). This allows the specification of testing processes (contexts) which cannot be expressed in classical process algebras [Bloom et al.88, Bloom et al.92].
Transition systems specifications (TSS) with negation do not "specify" a transition system (TS) in a straightforward way as SOS à la Plotkin does [Plotkin81]. [Groote91] uses syntactical conditions on TSS (stratification) to ensure existence of models without ambiguity. [Bloom et al.88] give similar conditions for their GSOS format.
The format given in [Groote91] is quite general. It applies to any TSS which is a set of (ground) rules of the form:

$$\frac{\{t_k \xrightarrow{a_k} t'_k \mid k \in K\} \cup \{t_l \not\xrightarrow{b_l} \mid l \in L\}}{t \xrightarrow{a} t'} \qquad (1)$$

where the $t$ are ground terms of a free algebra on a given signature.
Moreover, stratification is a syntactic condition. But it is very general, and it is not simple and direct to apply to most TSS we may encounter.
The GSOS format of [Bloom et al.88] applies to algebras of the form:

$$T ::= a.T \mid op(T_1, \ldots, T_n) \mid \mathrm{fix}\,X.T$$

To ensure the existence and uniqueness of a model of a GSOS, only classical guarded recursion is required. The problem here is that we are restricted to algebras with a prefix operator, and that guarded terms are defined with this operator.
2 Existence and uniqueness of a model
We propose new conditions on TSS which lie strictly between GSOS and stratified TSS. We keep from GSOS the simplicity of the format based on Structural Transition Rules (STR), and from stratified TSS the generality of being applicable on any free algebra. For this, we generalize the notion of guarded term following [Vaandrager93].
In our formalism, a term is guarded for a set of STR. STR are of the form

$$\frac{\{x_k \xrightarrow{a_{kl}} y_{kl} \mid k \in 1..K,\ l \in L_k\} \cup \{x_k \not\xrightarrow{b_{kl}} \mid k \in 1..K,\ l \in \bar{L}_k\}}{f(x_1, \ldots, x_K) \xrightarrow{a} t'} \qquad (2)$$

where the $x_k$, $y_{kl}$ are distinct variables which include the variables of $t'$.
For each constructor $f$ in the signature, we call $def(f)$ the subset of a set $S$ of STR which "defines" $f$:

$$def(f) = \{ r \in S \mid concl(r) = f(x_1, \ldots, x_{ar(f)}) \}$$

DEFINITION 1 We say $f$ is guarded in $k$ relatively to a set of STR $S$ iff for every rule in $def(f)$ we have (with the notations of (2)) $L_k = \bar{L}_k = \emptyset$.
Intuitively, if $f$ is guarded in $k$, then transitions of terms $f(t_1, \ldots, t_K)$ do not depend on transitions of $t_k$.
For any free algebra without recursion, any TSS composed of STR has a trivial stratification based on the size of terms. Therefore, there exists a unique model. With recursion, the size of terms no longer yields a stratification, and we need guarded terms.
To introduce recursion in our framework, we use special constants in the signature (supposed not "defined" by any STR) that we call procedures, and a function $D$ (a declaration) which maps procedures to terms. To each procedure we associate an operational rule

$$\frac{D(v) \xrightarrow{a} X}{v \xrightarrow{a} X}$$

So, a set $S$ of STR and a declaration $D$ define a TSS on a free algebra with recursion.
For a declaration $D$ and a set $S$ of STR, we define $\leadsto$ as the least relation satisfying
1. for any procedure $v$, $v \leadsto D(v)$;
2. for any procedure $v$, for any $f(t_1, \ldots, t_n)$ such that $v \leadsto f(t_1, \ldots, t_n)$, if $f$ is not guarded in $i$ relatively to $S$, then $v \leadsto t_i$.
$\leadsto_P$ is the restriction of $\leadsto$ to procedures.
DEFINITION 2 A declaration $D$ is guarded relatively to a set $S$ of STR iff $\leadsto_P$ is well-founded.
If the sets of STR and procedures are finite, guardedness is decidable. Moreover, we can prove that a set of STR and a declaration guarded relatively to this set define a (strictly) stratified TSS. So, we get the following result (from [Groote91]):
THEOREM 1 Given a set $S$ of STR and a declaration $D$, if $D$ is guarded relatively to $S$, then a model exists and is unique.
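Since the sets of STR and of procedures are finite, Definition 2 can be decided mechanically. The Python program below is an added example, not part of the paper: a rule is recorded only by the constructor of its conclusion and the argument positions that carry a positive or negative premise, which is all Definition 1 looks at; the relation of this section is then generated from the declaration and its restriction to procedures is checked for cycles. The signature and the three declarations are constructed for illustration; they use the prefix pseudo-constructor delta_a of Section 4, a CCS-style sum and parallel composition, and a hypothetical operator "x1 unless x2" whose only premise on x2 is negative, so that x2 counts as unguarded exactly as Definition 1 requires.

```python
"""Decision procedure for Definition 2 (guarded declarations) over finite sets of STR and procedures."""

# An STR is recorded by the constructor of its conclusion and the (1-based) argument positions that
# occur in a positive or negative premise, i.e. the k for which L_k or \bar L_k is nonempty.
# A term is a procedure name (str) or a tuple (constructor, arg_1, ..., arg_n).


def guarded_in(rules, f, k):
    """Definition 1: f is guarded in k iff no rule of def(f) has a premise on x_k."""
    return all(k not in premise_args for (g, premise_args) in rules if g == f)


def leads_to(rules, decl):
    """The least relation ~> of Section 2: v ~> D(v), and v ~> t_i whenever v ~> f(t_1, ..., t_n)
    and f is not guarded in i."""
    rel = set()
    for v, body in decl.items():
        todo = [body]
        while todo:
            t = todo.pop()
            if (v, t) in rel:
                continue
            rel.add((v, t))
            if isinstance(t, tuple):
                f, args = t[0], t[1:]
                todo.extend(arg for i, arg in enumerate(args, start=1) if not guarded_in(rules, f, i))
    return rel


def is_guarded(rules, decl):
    """Definition 2: D is guarded relative to the rules iff ~>_P, the restriction of ~> to procedures,
    is well-founded; on a finite set of procedures that means the graph of ~>_P has no cycle."""
    rel = leads_to(rules, decl)
    succ = {v: {t for (u, t) in rel if u == v and isinstance(t, str)} for v in decl}

    def on_cycle(v, path):
        # procedures not declared in decl are treated as constants (assumption): no successors
        return any(w in path or on_cycle(w, path | {w}) for w in succ.get(v, ()))

    return not any(on_cycle(v, {v}) for v in decl)


# Constructed signature (assumption): the prefix pseudo-constructor delta_a of Section 4, a CCS-style
# sum and parallel composition, and a hypothetical "unless" whose only premise on x2 is negative.
#   delta_a(x) --a--> x                                      no premise: guarded in 1
#   x1 + x2 --a--> y        from x1 --a--> y (and from x2)   unguarded in 1 and in 2
#   x1 | x2 --a--> y | x2   from x1 --a--> y (and from x2)   unguarded in 1 and in 2
#   x1 unless x2 --a--> y   from x1 --a--> y and x2 -/a->    unguarded in 1 and, by the negation, in 2
RULES = [("delta_a", set()), ("+", {1}), ("+", {2}), ("|", {1}), ("|", {2}), ("unless", {1, 2})]

DECL_OK = {"v": ("delta_a", "v"),                              # v = a.v
           "w": ("+", ("delta_a", "w"), ("delta_a", "v"))}     # w = a.w + a.v
DECL_PAR = {"u": ("|", ("delta_a", "u"), "u")}                 # u = a.u | u : u ~>_P u
DECL_NEG = {"p": ("unless", ("delta_a", "p"), "q"), "q": "p"}  # p ~>_P q ~>_P p through the negative premise

if __name__ == "__main__":
    for name, decl in [("DECL_OK", DECL_OK), ("DECL_PAR", DECL_PAR), ("DECL_NEG", DECL_NEG)]:
        print(name, "guarded:", is_guarded(RULES, decl))   # True, False, False
```

DECL_NEG is the case that distinguishes this definition from the classical one: no positive premise ever looks at the second argument of "unless", yet the negative premise makes that argument unguarded, and the cycle p, q, p is reported.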
3 Bisimulation as a congruence
Given a model for a TSS, we are confronted with the problem of defining a process equivalence. Moreover, we look for a congruence, to ensure that equivalent processes cannot be distinguished when plugged into an appropriate context. Bisimulation [Park80] is one of the finest process equivalences, and has nice mathematical properties [Milner89]. Following [Groote91], we show that under the conditions of Theorem 1, (strong) bisimulation is a congruence. We can use the results of [Groote91] because a set of STR and a guarded declaration clearly define a stratified, well-founded TSS in ntyft format.
THEOREM 2 Given a set $S$ of STR and a declaration $D$, if $D$ is guarded relatively to $S$, then, for the unique model, bisimulation is a congruence.
4 Related works
Our formalism is more general than GSOS. For an algebra with a prefix operator, we can define a pseudo-constructor $\delta_a$ for each label $a$. Informally, for each term $t$, $\delta_a(t)$ is $a.t$. The rule for $\delta_a$ is

$$\delta_a(X) \xrightarrow{a} X$$

$\delta_a$ is guarded in 1 relatively to any TSS extended with these rules. It is straightforward to see that guarded recursion in the sense of GSOS implies guarded recursion in our sense.
We are less general than the format of [Groote91]. Because of the (necessary) restriction that variables in STR must be distinct, we do not have the copying and lookahead facilities of ntyft/ntyxt TSS. So, we lose the main result that with operators defined in ntyft/ntyxt, completed trace congruence is bisimulation.
Acknowledgements: I would like to thank the referees for pointing out to me the work by F.W. Vaandrager.
References
[Bloom et al.88] Bloom (Bard), Istrail (S.) and Meyer (Albert R.). Bisimulation can't be traced: preliminary report. In: Symposium on Principles of Programming Languages. ACM, pp. 229–239. San Diego, CA, USA, 1988.
[Bloom et al.92] Bloom (Bard) and Meyer (Albert R.). Experimenting with process equivalence. Theoretical Computer Science, vol. 101(2), July 1992, pp. 223–237.
[Cleaveland et al.88] Cleaveland (Rance) and Hennessy (Matthew C.). Priorities in process algebra. In: 3rd Annual Symposium on Logic in Computer Science. IEEE, pp. 193–202.
[Groote91] Groote (Jan Friso). Process algebra and structured operational semantics. PhD thesis, University of Amsterdam, November 1991.
[Milner89] Milner (Robin). Communication and Concurrency. Prentice-Hall, 1989.
[Okulicka90] Okulicka (Felicia). On priority in COSY. Theoretical Computer Science, vol. 74(2), August 1990, pp. 199–216.
[Park80] Park (D. M. R.). Concurrency and automata on infinite sequences. In: LNCS 104. Springer-Verlag, 1980.
[Plotkin81] Plotkin (Gordon). A structural approach to operational semantics. Technical Report DAIMI FN-19, Aarhus University, 1981.
[Vaandrager93] Vaandrager (Frits W.). Expressiveness Results for Process Algebra. Technical Report 9301, CWI, 1993.
A Comparison of Simulation Techniques and Algebraic
Techniques for Verifying Concurrent Systems*
Nancy Lynch and Roberto Segala
MIT Laboratory for Computer Science
July 15, 1993
Abstract
Simulation-based assertional techniques and process algebraic techniques are two of the major methods that have been proposed for the verification of concurrent and distributed systems. It is shown how each of these techniques can be applied to the task of verifying systems described as input/output automata; both safety and liveness properties are considered. A small but typical circuit is verified in both of these ways, first using forward simulations, an execution correspondence lemma, and a simple fairness argument, and second using deductions within the process algebra DIOA for I/O automata. An extended evaluation and comparison of the two methods is given.
1 Introduction
Simulation-based assertional techniques and process algebraic techniques are two of the major
methods that have been proposed for the verification of concurrent and distributed systems.
Although the two methods are used for the same task, the proofs that are carried out in the
two styles seem to be quite different. Indeed, the two methods have been developed by largely
disjoint research communities, using different semantic models. The literature contains many
examples of proofs using the two methods: some typical examples of simulation proofs appear
in [LT87, LLS93], while examples of algebraic proofs appear in [Bae90, Jos92].
In this paper, we unify, evaluate and compare the simulation-based and process algebraic verification techniques in terms of the input/output automaton (I/O automaton) model of Lynch and Tuttle [LT87]. This framework has been used extensively for the verification of complex algorithms and pieces of distributed systems [WLL88, LS92, LP92, LLS93], and has already been given a process algebraic characterization [Vaa91, Seg92, DS92]. We show how each of these techniques can be applied to the common task of verifying both safety and liveness properties of systems described as I/O automata. We then use each technique to verify a small but typical delay insensitive circuit taken from [Jos92]: a Muller C element [MB59] implemented in terms of a majority element and a wire. Both the implementation and the specification are described as I/O automata, and the verification consists of showing that the fair preorder relation (i.e., fair trace inclusion) holds between the implementation and the specification automata.

*Supported by NSF grant CCR-89-15206, by DARPA contracts N00014-89-J-1958 and N00014-92-J-4033, and by ONR contract N00014-91-J-1046.
The two proofs proceed very differently. First, the simulation proof uses a forward simulation [LV91] from the implementation to the specification, then invokes an execution correspondence lemma [LLS93] to obtain a correspondence between executions of the implementation and the specification. Then a simple argument about fairness is made, based on the correspondence between executions; this fairness argument uses the convenient notion of a forcing condition for an I/O automaton fairness class. The fairness argument could easily be formalized using a temporal logic of states and actions [Sta84, LLS93], although we do not do this in this paper.
The algebraic proof uses deductions within the process algebra DIOA [Seg92] for I/O automata. This process algebra contains a collection of axioms (i.e., sound proof rules) asserting that the quiescent preorder relation holds for a pair of I/O automata. The quiescent preorder is defined in [Vaa91] and consists of trace inclusion and quiescent trace inclusion. It is an approximation, based on finite traces only, of the fair preorder. The reason for the use of the quiescent preorder rather than the fair preorder is that quiescence fits nicely into a process algebraic theory containing recursion whereas fairness does not. We state conditions (proved in [Seg93]) giving some circumstances under which the quiescent preorder is equivalent to the fair preorder. Since these circumstances hold in our example, the DIOA deductions that prove quiescent trace inclusion are also sufficient to prove the needed fair trace inclusion.
We emphasize that our two proofs are constructed to prove exactly the same theorem. To make this clear we first give a "neutral" description of the verification problem in terms of I/O automata. Then we describe and verify the same problem in terms of an assertional representation of I/O automata and in terms of DIOA expressions, using simulation and algebraic techniques, respectively. We show formally that the two proofs are both solving the problem given in the "neutral" description. This last step is essential in order to ensure that, although we are using different formalisms, we are actually solving the same problem.
We then give an extended comparison of the two verification methods, based on our ex-
periences in carrying out this research and on our other experiences with related examples.
Our comparisons consider the power of the two methods, their ability to model fairness, the
style of their representation of system components, their suitability for mechanization, and the
byproducts yielded by the proofs.
The rest of the paper is organized as follows. Section 2 contains a brief description of the I/O automaton model. Section 3 contains a formal statement of the circuit problem to be solved, i.e., showing that the fair preorder relation holds between a particular implementation and a Muller C element specification. Section 4 contains the verification using the simulation method. Section 5 contains the verification using process algebra. Section 6 contains an extended comparison between the two methods; Section 7 contains some additional conclusions.
2 The Input/Output Automaton Model
We begin with a brief review of the I/O automaton model, which will be used as the basis of the rest of the work in this paper. For a complete account, we refer the reader to [LT87].
Definition 2.1 (Notation for sequences) Given an alphabet $A$, let $A^*$ be the set of finite length sequences made of elements of $A$ and let $A^\omega$ be the set of infinite length sequences made of elements of $A$. Finally, let $A^* \cup A^\omega$ be denoted by $A^\infty$. □
Definition 2.2 (I/O automata) An I/O automaton $A$ consists of five components:
• a set $states(A)$ of states.
• a nonempty set $start(A) \subseteq states(A)$ of start states.
• an action signature $sig(A) = (in(A), out(A), int(A))$ where $in(A)$, $out(A)$ and $int(A)$ are disjoint sets of input, output and internal actions, respectively. We denote by $ext(A)$ the set $in(A) \cup out(A)$ of external actions, and by $local(A)$ the set $out(A) \cup int(A)$ of locally controlled actions. We denote by $acts(A)$ the set $ext(A) \cup int(A)$ of actions. We call $(in(A), out(A), \emptyset)$ the external action signature of $A$.
• a transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$ with the property that for each state $q$ and each input action $a$ there is a step from $q$ with action $a$. We say that $A$ is input enabled.
• a partition $part(A)$ of $local(A)$.
A transition $(q, a, q') \in steps(A)$ is also denoted by $q \xrightarrow{a} q'$. We extend the notion of transition to finite sequences of symbols by saying that

$$q \xrightarrow{a_1 \cdots a_n} q' \text{ iff } \exists q_0, \ldots, q_n \text{ with } q_0 = q \text{ and } q_n = q' \text{ such that } q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n.$$

Similarly, for infinite sequences, we write

$$q \xrightarrow{a_1 a_2 \cdots} \text{ iff } \exists (q_i)_{i \in \mathbb{N}} \text{ such that } q \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \xrightarrow{a_3} \cdots$$

Two derived transition relations, abstracting from internal computations, are

$$q \Longrightarrow q' \text{ iff } \exists s \in int(A)^* \text{ such that } q \xrightarrow{s} q', \qquad q \stackrel{a}{\Longrightarrow} q' \text{ iff } \exists s_1, s_2 \in int(A)^* \text{ such that } q \xrightarrow{s_1 a s_2} q'.$$

The last two transition relations can be extended to finite and infinite sequences of actions in the same way as for $steps(A)$.
Definition 2.3 (Executions and traces) An execution fragment of an I/O automaton $A$ is a (finite or infinite) sequence of alternating states and actions, starting with a state and, if the execution fragment is finite, ending in a state,

$$\alpha = q_0 a_1 q_1 a_2 q_2 \cdots$$

where each $(q_i, a_{i+1}, q_{i+1}) \in steps(A)$. We denote by $frag^*(A)$, $frag^\omega(A)$ and $frag(A)$ the sets of finite, infinite and all execution fragments of $A$, respectively. An execution is an execution fragment whose first state is a start state. We denote by $exec^*(A)$, $exec^\omega(A)$ and $exec(A)$ the sets of finite, infinite and all executions of $A$, respectively.
The trace of an execution fragment $\alpha$ of an I/O automaton $A$, written $trace_A(\alpha)$, or just $trace(\alpha)$ when $A$ is clear, is the list obtained by projecting $\alpha$ onto the set of external actions of $A$, i.e., $trace(\alpha) = \alpha \lceil ext(A)$.¹ We say that $\beta$ is a trace of an I/O automaton $A$ if there exists an execution $\alpha$ of $A$ with $trace(\alpha) = \beta$. We denote by $traces^*(A)$, $traces^\omega(A)$ and $traces(A)$ the sets of finite, infinite and all traces of $A$, respectively. □
A key feature of the I/O automaton model is that the behavior of I/O automata is observed through their fair executions, i.e., those executions in which each "subcomponent" which is continuously willing to perform some of its locally controlled actions will eventually do so.
Definition 2.4 (Fair executions) A fair execution fragment of an I/O automaton $A$ is an execution fragment $\alpha \in frag(A)$ such that for all $X \in part(A)$
• if $\alpha$ is finite then no action of $X$ is enabled from the final state of $\alpha$;
• if $\alpha$ is infinite then either actions from $X$ appear infinitely often in $\alpha$ or states from which no action of $X$ is enabled appear infinitely often in $\alpha$.
A fair execution is a fair execution fragment whose first state is a start state. A fair trace is the trace of a fair execution. We denote the set of fair traces of an I/O automaton $A$ by $ftraces(A)$. □
Now we can define the usual preorder relation for I/O automata.
Definition 2.5 (Fair preorder) Given two I/O automata $A$ and $B$ with the same external action signature, the fair preorder is defined as

$$A \sqsubseteq_F B \text{ iff } ftraces(A) \subseteq ftraces(B).$$

¹Our definition of trace coincides with the usual definition of behavior for I/O automata. We have changed the terminology in the interests of consistency with the usual notation of process algebra.
The fair preorder is the relation that is used to model implementation in the I/O automaton model. Since input enabling ensures that any implementation must accept any external stimulus at any time, this preorder ensures that the implementation must contain a "rich" set of traces, enough to describe responses to any possible input pattern. Fairness ensures that the correctness of a solution is judged only on the basis of those behaviors in which the system is actually given the chance to make progress. Note that this preorder ensures that the implementation must provide output whenever the specification must do so.
Three main operators are defined on I/O automata: hiding, renaming and parallel composition.
Definition 2.6 (Hiding) Given an I/O automaton $A = (Q, Q_0, S, T, P)$ and a set of actions $I$ with $I \cap in(A) = \emptyset$, we define $Hide_I(A)$ to be the I/O automaton $(Q, Q_0, S', T, P)$ where $S'$ differs from $S$ in that
• $out(Hide_I(A)) = out(A) \setminus I$, and
• $int(Hide_I(A)) = int(A) \cup (acts(A) \cap I)$.
The hiding operator transforms external actions into internal ones, i.e., it hides some locally controlled actions from the external environment. The only difference between the original and the resulting I/O automaton is in the signature. The executions stay the same, but the traces change.
Definition 2.7 (Renaming) An injective mapping $f$ is applicable to an I/O automaton $A$ if $acts(A) \subseteq dom(f)$. Given an I/O automaton $A = (Q, Q_0, S, T, P)$ and a mapping $f$ applicable to it, we define $f(A)$ to be $(Q, Q_0, S', T', P')$ where $S'$, $T'$ and $P'$ are defined as follows:
• $in(S') = f(in(A))$, $out(S') = f(out(A))$, $int(S') = f(int(A))$,
• $T' = \{(q, f(a), q') : (q, a, q') \in steps(A)\}$, and
• $P' = \{(f(a), f(a')) : (a, a') \in part(A)\}$. □
Thus, the renaming operator simply renames actions of its operand. For the parallel composition we need a notion of compatibility for action signatures.
Definition 2.8 (Strong compatibility of I/O automata)
1. A set of action signatures $\{S_i : i \in I\}$ is strongly compatible iff for all $i, j \in I$ with $i \neq j$
(a) $out(S_i) \cap out(S_j) = \emptyset$, and
(b) $int(S_i) \cap acts(S_j) = \emptyset$.
2. A set of I/O automata $\{A_i : i \in I\}$ is strongly compatible iff their action signatures are strongly compatible. □
Definition 2.9 (Composition of I/O automata) The composition $A = \prod_{i \in I} A_i$ of strongly compatible I/O automata $\{A_i : i \in I\}$ is defined to be the I/O automaton with
1. $states(A) = \prod_{i \in I} states(A_i)$,
2. $start(A) = \prod_{i \in I} start(A_i)$,
3. $sig(A) = \prod_{i \in I} sig(A_i)$, where the composition $S = \prod_{i \in I} S_i$ of strongly compatible action signatures $\{S_i : i \in I\}$ is defined by
(a) $in(S) = \bigcup_{i \in I} in(S_i) - \bigcup_{i \in I} out(S_i)$,
(b) $out(S) = \bigcup_{i \in I} out(S_i)$,
(c) $int(S) = \bigcup_{i \in I} int(S_i)$,
4. $part(A) = \bigcup_{i \in I} part(A_i)$,
5. $steps(A) = \{((q_i)_{i \in I}, a, (q'_i)_{i \in I}) : \forall i \in I,\ a \in acts(A_i) \text{ implies } (q_i, a, q'_i) \in steps(A_i),\ a \notin acts(A_i) \text{ implies } q'_i = q_i\}$.
3 The Problem
In this section, we define the problem that we are going to solve using both the simulation and algebraic methods. This problem is that of verifying the correctness of a particular circuit implementation. We begin with an informal description, then present the formal version in several pieces.
3.1 Informal Description
The example consists of a simple delay insensitive circuit, taken from [Jos92], called the Muller C element [MB59]. Its interface is shown in Figure 1. A Muller C element has two input ports a, b and one output port c. Starting in its initial state with all input and output voltage levels low, a Muller C element waits for both its inputs to reach the high voltage level before raising its output voltage level. It then waits for both its inputs to reach the low voltage level before returning to its initial state. In our specification no changes on the input ports are allowed whenever the voltage level of an output port has to change. Real implementations may exhibit unexpected behaviors (such as the glitch phenomenon) in such cases. For the above reason we do not specify the behavior of any element whenever an output voltage level has to change and an input occurs.

Figure 1: The Muller C element (input ports a, b; output port c)

Figure 2: A majority element and a wire implementing a Muller C element

A Muller C element can be implemented by a majority element and a wire as shown in Figure 2. A majority element is a device with three input ports and one output port. The voltage level of its output port is that of the majority of its input ports. For the majority element we allow the change of level of an input port even if the output port has to change level. The required condition is that the new input does not affect the ports that have to change voltage level.
A wire is simply a device with one input and one output. It waits for a change of level on its input port and then changes the voltage level of its output port.
Our problem is to verify that a Muller C element can really be implemented by a majority element and a wire.
3.2 Formal Description
3.2.1 Actions as Voltage Level Transitions
In our formalization we use actions to model changes of voltage level (either from low to high or
from high to low) at a port. The observation of an action does not give any information whether
the voltage transition is from high to low or vice versa. Our use of actions is a consequence of
the fact that the elements of the problem we are analyzing can be simply described in terms
of voltage level transitions.
3.2.2 Specifications of the Elements
The specification $S$ of an element is a tuple $(Q, Q_0, S, T, P)$ consisting of a set of states $Q$, a set of start states $Q_0$, an interface $S$ consisting of three disjoint sets of input, output and internal actions respectively, a transition table $T$, and a partition $P$ of the locally controlled actions. The transition table gives, for each state and action, the future state, or not specified (NS), or not enabled (NE). The entry not specified is reserved for input actions and stands for "the environment is not supposed to provide input at this point"; the entry not enabled is reserved for local actions and stands for "this action cannot occur at this point".
The specification style outlined above does not define I/O automata directly; however, it allows specifications that are very close to the informal specifications of Section 3.1. Later in this section we will formally define how to interpret the specifications below as I/O automata.
The Muller C element, the wire and the majority element specifications are denoted by $C_N$, $W_N$ and $M_N$, respectively. Here, $N$ stands for "neutral", in the sense that these specifications are not biased toward either of the representation methods or verification techniques we introduce later. We start with the formal specification of a Muller C element.
Specification 3.1 (Muller C element) A Muller C element $C_N$ is defined as follows.
$S = (\{a, b\}, \{c\}, \emptyset)$
$Q = \{\emptyset, \{a\}, \{b\}, \{a, b\}\}$
$Q_0 = \{\emptyset\}$
$P = \{\{c\}\}$
The transition relation is defined by the following table (rows are states, columns are actions):

state     a        b        c
∅         {a}      {b}      NE
{a}       ∅        {a,b}    NE
{b}       {a,b}    ∅        NE
{a,b}     NS       NS       ∅
It is easy to check that the above specification corresponds to the informal one given in Section 3.1. Starting from a state $\emptyset$ where the voltage level of each port is the same (say low), the occurrence of an input action causes the system to move to a new state in which the new voltage level of the given input port is recorded. When the voltage level of both the input ports is different from the voltage level of the output port (state $\{a, b\}$) the output action $c$ is enabled and no input is allowed to occur.
Specification 3.2 (Wire) A wire $W_N$ is defined as follows.
$S = (\{m\}, \{c\}, \emptyset)$
$Q = \{\emptyset, \{m\}\}$
$Q_0 = \{\emptyset\}$
$P = \{\{c\}\}$
The transition relation is defined by the following table:

state     m        c
∅         {m}      NE
{m}       NS       ∅
Specification 3.3 (Majority element) A majority element $M_N$ is defined as follows.
$S = (\{a, b, c\}, \{m\}, \emptyset)$
$Q = \{\emptyset, \{a\}, \{b\}, \{c\}, \{a,b\}, \{a,c\}, \{b,c\}, \{a,b,c\}\}$
$Q_0 = \{\emptyset\}$
$P = \{\{m\}\}$
The transition relation is defined by the following table:

state       a          b          c          m
∅           {a}        {b}        {c}        NE
{a}         ∅          {a,b}      {a,c}      NE
{b}         {a,b}      ∅          {b,c}      NE
{c}         {a,c}      {b,c}      ∅          NE
{a,b}       NS         NS         {a,b,c}    {c}
{a,c}       NS         {a,b,c}    NS         {b}
{b,c}       {a,b,c}    NS         NS         {a}
{a,b,c}     {b,c}      {a,c}      {a,b}      ∅
3.2.3 From Specifications to 1/0 Automata
The formal specifications of Section 3.2.2 are not I/O automata since their transition relations are not input enabled. In particular it is necessary to define carefully the meaning of the two special symbols NE and NS. The meaning of NE is trivial, since $T(q, a) = NE$ for a state $q$ and an output action $a$ means that no transition with action $a$ occurs from state $q$. If $T(q, a) = NS$ for a state $q$ and an input action $a$, then, since an I/O automaton is input enabled, a transition from $q$ with action $a$ must be defined. Intuitively we do not wish to constrain the behavior of any implementation in the presence of an unspecified input. In other words we want any implementation to be correct independently of the behaviors it exhibits in the presence of some input that is not specified in the specification. Since the implementation relation of I/O automata is the fair preorder, the above intuition is captured by introducing a new special state $\Omega$ and, whenever $T(q, a) = NS$, a transition $q \xrightarrow{a} \Omega$. The transition relation on $\Omega$ has to be defined in such a way that, given any sequence of actions $\beta$, it is possible to find a fair execution fragment $\alpha$ whose first state is $\Omega$ and such that $trace(\alpha) = \beta$.
Definition 3.4 (Automaton associated with a specification) Given a specification $S = (Q, Q_0, (in, out, int), T, P)$ the I/O automaton $A = A(S)$ is defined as
• $states(A) = Q \cup \{\Omega\}$,
• $start(A) = Q_0$,
• $sig(A) = (in, out, int \cup \{\tau_p \mid p \in P\})$,
• $(q, a, q') \in steps(A)$ iff
  - $T(q, a) = q'$, or
  - $T(q, a) = NS$ and $q' = \Omega$, or
  - $q = q' = \Omega$,
• $part(A) = \{p \cup \{\tau_p\} \mid p \in P\}$.
The following proposition shows that everything is possible whenever $\Omega$ is reached, i.e., any choice of implementation is correct whenever the specification reaches state $\Omega$.
Proposition 3.5 Given a specification $S$ and given any (possibly infinite) sequence $\beta$ of external actions of $S$, there exists a fair execution fragment $\alpha$ of $A(S)$ whose first state is $\Omega$ such that $trace(\alpha) = \beta$.
Proof. The execution fragment $\alpha$ interleaves the actions of $\beta$ with one internal action from each class of $part(A(S))$. If $\beta$ is finite then $\alpha$ fairly loops forever on the internal actions from each class of $part(A(S))$ after $\beta$ is completed. By construction we know that each class has at least one internal action. Moreover $\Omega$ has a self loop with each action. □
Now we can state the problem formally: verify that

$$Hide_{\{m\}}(A(W_N) \parallel A(M_N)) \sqsubseteq_F A(C_N).$$
4 A Verification using Simulation
In this section we carry out the verification required in Section 3.2 using simulation-based assertional techniques. We begin by presenting the relevant theory, then give variants of the specifications of Section 3.2 that are better suited for carrying out a simulation proof, and finally carry out the steps of the proof.
4.1 The Theory
In order to prove that an I/O automaton $A$ implements another I/O automaton $B$, it is
necessary to prove that each fair trace of $A$ is also a fair trace of $B$. Our strategy for doing this
is to first obtain a strong correspondence between each execution of $A$ and some execution of
$B$; one way of obtaining such a correspondence is by using a forward simulation. The proof of
fair trace inclusion can then be carried out in terms of the correspondence between executions.
In the fairness proof, it is notationally advantageous to use a generalization of I/O automata
known as forcing I/O automata; this generalization does not increase the expressive power of
the model, but does allow more concise representations.
Below, we define forward simulations, state the Execution Correspondence Lemma, and
give the needed definitions and results for forcing I/O automata.
4.1.1 Forward Simulations and the Execution Correspondence Lemma
The notion of forward simulation that we use is taken from the comprehensive paper by Lynch
and Vaandrager [LV91].
Definition 4.1 (Forward simulation) A forward simulation from an I/O automaton $A$ to
an I/O automaton $B$ is a relation $f$ over $states(A)$ and $states(B)$ that satisfies:
1. If $q \in start(A)$ then $f[q] \cap start(B) \neq \emptyset$.
2. If $q \stackrel{a}{\longrightarrow} q'$ and $p \in f[q]$, then there exists a state $p' \in f[q']$ such that $p \stackrel{a}{\Longrightarrow} p'$,
i.e., there is a finite execution fragment of $B$ from $p$ to $p'$ whose trace is $a$ if $a$ is external and
empty otherwise. $\square$
The usual conclusion that is drawn from the existence of a forward simulation is trace inclusion:
Lemma 4.2 Given two I/O automata $A$, $B$, if there is a forward simulation from $A$ to $B$,
then $traces(A) \subseteq traces(B)$. $\square$
However, since we would like to base our proof of fair trace inclusion on our proof of trace
inclusion, it is useful to have a stronger consequence of the existence of a forward simulation.
This lemma is proved in [LLS93].²
² In [LLS93], it is also shown that a similar lemma holds for other types of simulation relations such as
backward simulations.
Lemma 4.3 (Execution correspondence) Let $f$ be a forward simulation from an I/O automaton $A$
to an I/O automaton $B$. Then, for each execution $\alpha = q_0 a_1 q_1 a_2 q_2 \cdots$ of $A$
there is an execution $\alpha' = q'_0 b_1 q'_1 b_2 q'_2 \cdots$ of $B$ and a total monotone nondecreasing mapping
$c : \{0, \ldots, |\alpha|\} \to \{0, \ldots, |\alpha'|\}$ such that
1. $c(0) = 0$,
2. $q'_{c(i)} \in f[q_i]$ for all $0 \le i \le |\alpha|$,
3. $b_{c(i)+1} \cdots b_{c(i+1)} \lceil ext(B) = a_{i+1} \lceil ext(A)$ for all $0 \le i < |\alpha|$, and
4. for all $0 \le j \le |\alpha'|$ there exists an $i$ such that $c(i) \ge j$. $\square$
If the forward simulation is well chosen, Lemma 4.3 can be used as the basis of a proof
of fair trace inclusion, as follows. For each fair execution $\alpha$ of $A$, first produce a corresponding
execution $\alpha'$ of $B$. Then show that the fairness of $\alpha$ implies the fairness of any corresponding
execution of $B$. This is the general strategy we will follow in our proof.
4.1.2 Forcing I/O Automata
In carrying out the proof of fairness, it turns out to be notationally convenient to use a slight
generalization of I/O automata that we call forcing I/O automata [LLS93]. The generalization
consists of associating a set of states called a forcing set with each class of $part(A)$. Forcing
I/O automata are no more expressive than ordinary I/O automata, in terms of the sets of
fair traces they can represent; they are useful, however, because they sometimes admit more
concise representations.
Definition 4.4 (Forcing I/O automata) A forcing I/O automaton $A$ is an I/O automaton
with the following additional structure:
a function $force(A)$ associating a set of states with each class of $part(A)$ such that,
for each class $p \in part(A)$ and each state $q \in force(A)(p)$, there exists an action of $p$
which is enabled from $q$. The set $force(A)(p)$ is called the forcing set of $p$. It is a subset
of the states enabling some action of $p$. The set of states enabling some action from $p$ is
denoted by $enabling(p)$. $\square$
The notion of fair execution for forcing I/O automata differs from that of ordinary I/O automata
in that fairness is now expressed only with respect to states in the forcing set of each class $p$ of
local actions.
Definition 4.5 (Fair executions) A fair execution fragment of a forcing I/O automaton $A$
is an execution fragment $\alpha \in execs(A)$ such that for all $X \in part(A)$
- If $\alpha$ is finite then the final state of $\alpha$ is not in the forcing set of $X$.
- If $\alpha$ is infinite then either actions from $X$ appear infinitely often in $\alpha$ or states not in the
forcing set of $X$ appear infinitely often in $\alpha$.
A fair execution is a fair execution fragment whose first state is a start state. $\square$
The following proposition says that forcing I/O automata do not add any new expressive power
to the I/O automaton model; moreover, it gives a particular transformation from forcing I/O
automata to I/O automata.
Proposition 4.6 Given a forcing I/O automaton $A$, consider an I/O automaton $\mathcal{F}(A)$ where
- $states(\mathcal{F}(A)) = states(A)$
- $start(\mathcal{F}(A)) = start(A)$
- $sig(\mathcal{F}(A)) = (in(A), out(A), int(A) \cup \{\tau_p \mid p \in part(A)\})$
- $steps(\mathcal{F}(A)) = steps(A) \cup \{(q, \tau_p, q) \mid p \in part(A),\ q \in enabling(p) \setminus force(p)\}$
- $part(\mathcal{F}(A)) = \{p \cup \{\tau_p\} \mid p \in part(A)\}$
Then $ftraces(A) = ftraces(\mathcal{F}(A))$. $\square$
The standard operators of I/O automata can be easily extended to forcing I/O automata. The
only nontrivial extension is that of the parallel operator, where the forcing set of each class
has to be modified to take into account the states of the other forcing I/O automata. Consider
for example a forcing I/O automaton $A$ composed in parallel with a forcing I/O automaton
$B$ and let $q$ be in the forcing set of some class $p$ of $A$. Whenever $A$ reaches state $q$ in the
composition $A \| B$, we want the global state of $A \| B$ to be in the forcing set of $p$. Therefore all
states of $\{q\} \times states(B)$ have to be in the new forcing set of $p$.
Definition 4.7 (Composition of forcing I/O automata) The composition $A = \prod_{i \in I} A_i$
of strongly compatible forcing I/O automata $\{A_i : i \in I\}$ is the composition of their ordinary
part augmented with new forcing sets as follows: for each class $p \in part(A_j)$, $force(A)(p) =
force(A_j)(p) \times \prod_{i \in I \setminus \{j\}} states(A_i)$. $\square$
Proposition 4.8 Given two forcing I/O automata $A$, $B$
1. $\mathcal{F}(Hide_I(A))$ and $Hide_I(\mathcal{F}(A))$ are the same I/O automaton;
2. $\mathcal{F}(A \| B)$ and $\mathcal{F}(A) \| \mathcal{F}(B)$ are the same I/O automaton. $\square$
4.2 Specification of the Components
In Section 3.2 we described the system components using a "neutral" formalism that is not
biased toward either verification method. Each of the two methods, however, has its own
characteristic language for describing system components. In this section, we represent each
element of Section 3.2 using a variant of the precondition-effect language of [LT87] that is
suitable for describing forcing I/O automata. We also relate the new specifications to the
neutral ones.
In our precondition-effect language a forcing I/O automaton is described by means of its
action signature, its states, its initial states, its transition relation, and its classes with forcing
sets. The transition relation is specified by means of the preconditions for the execution of
each action and the effect each action produces on the state. The precondition of an action
gives the set of states from which it is enabled or from which it is expected; the effect gives the
next state. If an input action occurs when its precondition is not satisfied, then the system
moves to the special state $\Omega$. The state $\Omega$ implicitly has a transition to itself for each action and
it does not appear in the forcing set of any class of local actions.
Note that this representation can be more concise than the neutral representation, because
states need not all be listed explicitly. Rather, they are described in terms of values of a
collection of state variables.
In order to simplify the notation we introduce an operator $\oplus$ on sets corresponding to the
symmetric difference operator. Note that the transition relations of the forcing I/O automata
we introduce below differ from those of Section 3.2 only in the definition of state $\Omega$. As a
consequence, the specifications of this section and those of Section 3.2 denote I/O automata
with the same set of fair traces. In fact, the connection between the I/O automata is much
closer than this; we give a formal statement of the connection after the specifications.
Specification 4.9 (Muller C element) A Muller C element $C_F$ is defined as follows.
$S = (\{a, b\}, \{c\}, \emptyset)$
$Q = 2^{\{a, b\}} \cup \{\Omega\}$
$Q_0 = \{\emptyset\}$
$P = \{\{c\}\}$ where $\{c\}$ has forcing set $\{\{a, b\}\}$
Transitions:
Action $a$
Precondition: $q \neq \{a, b\}$
Effect: $q' := q \oplus \{a\}$
Action $b$
Precondition: $q \neq \{a, b\}$
Effect: $q' := q \oplus \{b\}$
Action $c$
Precondition: $q = \{a, b\}$
Effect: $q' := \emptyset$
Specification 4.10 (Majority element) A majority element $M_F$ is defined as follows.
$S = (\{a, b, c\}, \{m\}, \emptyset)$
$Q = 2^{\{a, b, c\}} \cup \{\Omega\}$
$Q_0 = \{\emptyset\}$
$P = \{\{m\}\}$ where $\{m\}$ has forcing set $\{\{a, b\}, \{a, c\}, \{b, c\}, \{a, b, c\}\}$
Transitions:
Action $a$
Precondition: $q \notin \{\{a, b\}, \{a, c\}\}$
Effect: $q' := q \oplus \{a\}$
Action $b$
Precondition: $q \notin \{\{a, b\}, \{b, c\}\}$
Effect: $q' := q \oplus \{b\}$
Action $c$
Precondition: $q \notin \{\{a, c\}, \{b, c\}\}$
Effect: $q' := q \oplus \{c\}$
Action $m$
Precondition: $|q| \ge 2$
Effect: $q' := \{a, b, c\} \setminus q$
Specification 4.11 (Wire) A wire $W_F$ is defined as follows.
$S = (\{m\}, \{c\}, \emptyset)$
$Q = \{\lambda, m\} \cup \{\Omega\}$
$Q_0 = \{\lambda\}$
$P = \{\{c\}\}$ where $\{c\}$ has forcing set $\{m\}$
Transitions:
Action $m$
Precondition: $q = \lambda$
Effect: $q' := m$
Action $c$
Precondition: $q = m$
Effect: $q' := \lambda$
Proposition 4.12
1. $A(C_N)$ and $\mathcal{F}(C_F)$ denote the same I/O automaton.
2. $A(M_N)$ and $\mathcal{F}(M_F)$ denote the same I/O automaton.
3. $A(W_N)$ and $\mathcal{F}(W_F)$ denote the same I/O automaton. $\square$
4.3 The Verification
We finally prove that a Muller C element is implemented by a majority element and a wire.
We first prove a proposition expressing this claim for forcing I/O automata. At the end of this
subsection, we show how to derive the precise claim of Section 3.2.
Proposition 4.13 $Hide_{\{m\}}(M_F \| W_F) \sqsubseteq_F C_F$, i.e., a Muller C element can be implemented
by a majority element and a wire.
Proof. We define a mapping from the implementation to the specification and show that
it is a forward simulation. We then use the Execution Correspondence Lemma to obtain
corresponding executions and use this correspondence to prove fair trace inclusion.
More precisely, the mapping $f$ to use is the following:
$(\emptyset, \lambda) \mapsto \{\emptyset, \Omega\}$
$(\{a\}, \lambda) \mapsto \{\{a\}, \Omega\}$
$(\{b\}, \lambda) \mapsto \{\{b\}, \Omega\}$
$(\{a, b\}, \lambda) \mapsto \{\{a, b\}, \Omega\}$
$(\{c\}, m) \mapsto \{\{a, b\}, \Omega\}$
all other pairs $\mapsto \{\Omega\}$
We first prove that the above relation is a forward simulation. The condition on the initial
states is immediate to verify since the initial state $(\emptyset, \lambda)$ is mapped to the initial state $\emptyset$. For
the transition relation we proceed by case analysis on action names.
Action $a$: We distinguish the following cases:
- If $a$ occurs from $(x, \lambda)$ where $x \in \{\emptyset, \{a\}, \{b\}\}$ then $(x, \lambda) \stackrel{a}{\longrightarrow} (x \oplus \{a\}, \lambda)$ and
$x \stackrel{a}{\longrightarrow} x \oplus \{a\}$.
- If $a$ occurs from $(\{a, b\}, \lambda)$ then $(\{a, b\}, \lambda) \stackrel{a}{\longrightarrow} (\Omega, \lambda)$. Moreover $\{a, b\} \stackrel{a}{\longrightarrow} \Omega$ and
$\Omega \stackrel{a}{\longrightarrow} \Omega$.
- If $a$ occurs from $(\{c\}, m)$ then $(\{c\}, m) \stackrel{a}{\longrightarrow} (\{a, c\}, m)$. Moreover $\{a, b\} \stackrel{a}{\longrightarrow} \Omega$ and
$\Omega \stackrel{a}{\longrightarrow} \Omega$.
- If $a$ occurs from any state $(x, \lambda)$ where $x \notin \{\emptyset, \{a\}, \{b\}, \{a, b\}\}$ then $(x, \lambda) \stackrel{a}{\longrightarrow} (x', \lambda)$
and $x' \notin \{\emptyset, \{a\}, \{b\}, \{a, b\}\}$. Moreover $\Omega \stackrel{a}{\longrightarrow} \Omega$.
- If $a$ occurs from any state $(x, m)$ where $x \neq \{c\}$ then $(x, m) \stackrel{a}{\longrightarrow} (x', m)$ and $\Omega \stackrel{a}{\longrightarrow} \Omega$.
Note that $\Omega$ is needed in the mapping for $(\{c\}, m)$: $(\{c\}, m)$ is reached through the internal
action $m$ from $(\{a, b\}, \lambda)$, which is mapped also to $\Omega$ (see the case for action $m$ below).
Action $b$: This case is the same as the case for action $a$.
Action $c$: This action is enabled only from states of the form $(x, m)$ and yields a new
state $(x', \lambda)$. If $x = \{c\}$ then $x' = \emptyset$ and $\{a, b\} \stackrel{c}{\longrightarrow} \emptyset$. In all other cases $x'$ can be anything
but $\emptyset$. This is the case for which we need to map $(\{a\}, \lambda)$, $(\{b\}, \lambda)$ and $(\{a, b\}, \lambda)$ to $\Omega$.
Action $m$: This action is enabled from each state $(x, \lambda)$ and $(x, m)$ with $|x| \ge 2$. If the
starting state is $(x, m)$ then the final state is $(x', \Omega)$. Moreover both starting and final
states are mapped to $\Omega$. If the starting state is $(x, \lambda)$ with $x \neq \{a, b\}$ then the final state
is $(x', m)$ and both starting and final states are mapped to $\Omega$. If the starting state is
$(\{a, b\}, \lambda)$ then $(\{a, b\}, \lambda) \stackrel{m}{\longrightarrow} (\{c\}, m)$ and both starting and final states are mapped to
$\{a, b\}$ and $\Omega$.
The existence of the above forward simulation allows us to conclude that each trace of
$Hide_{\{m\}}(M_F \| W_F)$ is a trace of $C_F$. We now use the same simulation to argue that each
fair trace of $Hide_{\{m\}}(M_F \| W_F)$ is a fair trace of $C_F$. Consider a generic fair execution $\alpha$ of
$Hide_{\{m\}}(M_F \| W_F)$. By the Execution Correspondence Lemma, there is an execution $\alpha'$ of $C_F$
corresponding to $\alpha$ through the mapping $f$. It is sufficient to argue that $\alpha'$ is fair to conclude.
Suppose that $\alpha'$ is not a fair execution of $C_F$. The only way the fairness for $C_F$ can be
violated is for the states in $\alpha'$ to be $\{a, b\}$ from some point on without $c$ ever occurring. (In fact
$\{a, b\}$ is the only state in the forcing set for $\{c\}$.) Then in $\alpha$, the correspondence says that the
states are all either $(\{a, b\}, \lambda)$ or $(\{c\}, m)$ from that point on. If there is any occurrence of a $(\{c\}, m)$
state, then the fairness condition for $W_F$ says that eventually $c$ occurs in $\alpha$, so also in $\alpha'$, a
contradiction. So the state must be $(\{a, b\}, \lambda)$ forever. But then the fairness condition for $M_F$
says that eventually $m$ occurs, changing the state to $(\{c\}, m)$, again a contradiction. $\square$
Note that the fairness part of the proof above is done somewhat less formally than the
simulation part; the fairness part can be formalized using a temporal logic of states and actions
[Sta84, LLS93].
Now we can give the main result:
Theorem 4.14 $Hide_{\{m\}}(A(M_N) \| A(W_N)) \sqsubseteq_F A(C_N)$.
Proof. From Propositions 4.13 and 4.6 we derive $\mathcal{F}(Hide_{\{m\}}(M_F \| W_F)) \sqsubseteq_F \mathcal{F}(C_F)$. From
Proposition 4.8 we derive $Hide_{\{m\}}(\mathcal{F}(M_F) \| \mathcal{F}(W_F)) \sqsubseteq_F \mathcal{F}(C_F)$. From Proposition 4.12 we
obtain $Hide_{\{m\}}(A(M_N) \| A(W_N)) \sqsubseteq_F A(C_N)$. $\square$
5 A Verification using Process Algebras
In this section we carry out the verification required in Section 3.2 using process algebra.
Again, we begin by presenting the relevant theory, then give new specifications, and finally
carry out the steps of the proof.
5.1 The Theory
As before, our job is to prove a fair trace inclusion relationship between two I/O automata. In
general, process algebra is not well suited for proving results about fairness, because fairness
does not fit nicely into the theory of a process algebra containing recursion. However, process
algebra can be used to reason about an approximation to fairness known as quiescence, and
under certain circumstances, this may be enough.
Below, we define quiescence and relate it to fairness. We then define DIOA ("Demonic I/O
Automata"), a process algebra for proving quiescent trace inclusion relationships between I/O
automata.³
5.1.1 From the Quiescent Preorder to the Fair Preorder
Definition 5.1 (Quiescent executions and traces) A quiescent execution of an I/O automaton $A$
is a finite fair execution of $A$. A quiescent trace is the trace of a quiescent execution.
We denote the set of quiescent traces of an I/O automaton $A$ by $qtraces(A)$. $\square$
Definition 5.2 (Quiescent preorder) Given two I/O automata $A$ and $B$ with the same
external action signature, the quiescent preorder is defined as
$A \sqsubseteq_Q B$ iff $traces^*(A) \subseteq traces^*(B)$ and $qtraces(A) \subseteq qtraces(B)$,
where $traces^*(A)$ denotes the set of finite traces of $A$. $\square$
³ The adjective "demonic" is pictorially used in [Seg92] to emphasize the fact that demonic I/O automata
behave catastrophically in the presence of unexpected inputs. It is in contraposition to the approach of [Vaa91]
which is called "angelic" in [Seg92].
The quiescent preorder was first introduced in [Vaa91] and is an attempt at approximating
the fair preorder by only looking at the finite executions of an I/O automaton. As pointed
out through some examples in [Seg92], the quiescent preorder is not an intuitively reasonable
notion of implementation in general; however, [Seg93] gives some sufficient conditions for the
quiescent preorder to coincide with the fair preorder. Below we present some of the results of
[Seg93]. We start with some definitions.
Definition 5.3 (Quiescent detectability) An I/O automaton $A$ is quiescent detectable if
each finite fair trace of $A$ is also a quiescent trace of $A$. $\square$
Quiescent detectability requires each divergence to be detected through a quiescent trace.
The fair preorder, in fact, does not distinguish between divergence and quiescence, while the
quiescent preorder does.
Definition 5.4 (Quiescent continuity) An I/O automaton $A$ is quiescent continuous if the
limit of any chain of quiescent traces of $A$ is a fair trace of $A$. $\square$
The quiescent preorder deals only with finite executions, while the fair preorder also considers
infinite ones. A condition for the two preorders to coincide is that the information about
infinite executions be captured by the information on the finite ones. To guarantee the above
fact we also need finite internal nondeterminism.
Definition 5.5 (Finite internal nondeterminism) An I/O automaton $A$ has finite internal
nondeterminism (FIN) if for each finite sequence $\beta a$ of external actions of $A$ the set
$\{q \mid \exists q_0 \in start(A),\ q_0 \stackrel{\beta}{\Longrightarrow} q' \stackrel{a}{\longrightarrow} q\}$ is finite. $\square$
The above definition of FIN is weaker than the definition given in [LV91]. The definition
of [LV91] requires, for every trace $h$, the set of states reachable with $h$ to be finite. In our
definition we only require a smaller set to be finite, i.e., the set of states reachable through $h$
with its last external transition.
Definition 5.6 (Input quiescent detectability) An I/O automaton $A$ is input quiescent
detectable if each infinite fair trace of $A$ with finitely many output actions has infinitely many
prefixes that are quiescent for $A$. $\square$
An infinite fair trace made of input actions only can be obtained from an execution containing
infinitely many internal transitions. The quiescent preorder, on the other hand, can detect
only quiescent states.
Theorem 5.7 (Relationship between the quiescent and fair preorder) Given two I/O
automata $A_1$, $A_2$ with the same external action signature such that $part(A_1) = \{local(A_1)\}$ and
$part(A_2) = \{local(A_2)\}$, if $A_1$ is quiescent detectable and input quiescent detectable, and $A_2$ is
quiescent continuous and has FIN, then
$A_1 \sqsubseteq_Q A_2$ implies $A_1 \sqsubseteq_F A_2$.
If $A_2$ is quiescent detectable then
$A_1 \sqsubseteq_F A_2$ implies $A_1 \sqsubseteq_Q A_2$. $\square$
Quiescent detectability and FIN are generally met by practical systems. Note, in fact, that
systems without any infinite internal computation are quiescent detectable. Also quiescent
continuity is generally true. In [Seg93] it is shown that, if an I/O automaton has FIN and
is input deterministic (for each state $q$ and each input action $a$ there exists a unique state $q'$
such that $q \stackrel{a}{\longrightarrow} q'$), then it is quiescent continuous. It is not clear yet to us how general input
quiescent detectability is.
Theorem 5.7 shows how the quiescent preorder can capture the fair preorder of some I/O
automata with a single class of locally controlled actions. This is not the case for general I/O
automata: when an I/O automaton has more than one class of locally controlled actions, the
quiescent preorder is not of great help in deriving the fair preorder. However, there are cases in
which the quiescent preorder is sufficient for concluding fair trace inclusion in the presence of
multiple classes. The following proposition is of help whenever the specification automaton
has a single class and the implementation automaton has multiple classes.
Proposition 5.8 Let $A$ be an I/O automaton. If for each transition $q \stackrel{a}{\longrightarrow} q'$ of $steps(A)$
where $a$ is an input action and each class $x$ of $part(A)$, an action of $x$ is enabled from $q'$ if
an action of $x$ is enabled from $q$ (i.e., input actions do not disable any class of $part(A)$), then
$ftraces(A) \subseteq ftraces(A')$ where $A'$ differs from $A$ only in that $part(A') = \{local(A)\}$. $\square$
If an I/O automaton $A$ with multiple classes implements an I/O automaton $B$ with a single
class, and if the involved automata satisfy the conditions of Theorem 5.7, then the proposition
above gives a sufficient condition for deriving the full fair preorder from the quiescent preorder.
In fact, from $A' \sqsubseteq_Q B$, where $A'$ is the I/O automaton $A$ with a single class, we derive $A' \sqsubseteq_F B$,
and, from Proposition 5.8, we derive $A \sqsubseteq_F B$. Examples of systems satisfying the condition of
Proposition 5.8 are the monotone I/O automata of [Sta90], which can model a large class of
dataflow networks, and the semi-modular, speed-independent circuits of [MB59]. Our problem
is based on delay insensitive circuits.
Table 1: The signature of DIOA.

Name | Op. | Domain | Range | Restrictions
quiescent | $nil_S$ | $\lambda$ | $S$ |
omega | $\Omega_S$ | $\lambda$ | $S$ |
prefixing | $a.S$ | $S$ | $S$ | $a \in ext(S)$
ichoice | $\oplus_S$ | $S, S$ | $S$ |
echoice | ${}_I{+}_J{}_S$ | $S, S$ | $S$ | $I, J \subseteq in(S)$
parallel | ${}_{S_1}\|_{S_2}$ | $S_1, S_2$ | $S_3$ | $int(S_1) \cap acts(S_2) = acts(S_1) \cap int(S_2) = out(S_1) \cap out(S_2) = \emptyset$; $out(S_3) = out(S_1) \cup out(S_2)$; $in(S_3) = (in(S_1) \cup in(S_2)) \setminus out(S_3)$; $int(S_3) = int(S_1) \cup int(S_2)$
hiding | $\tau_I$ | $S$ | $S'$ | $I \subseteq out(S)$; $S' = (in(S), out(S) \setminus I, int(S) \cup I)$
renaming | $\rho_S$ | $S$ | $S'$ | for each injective $\rho : acts(S) \to acts(S')$; $S' = (\rho(in(S)), \rho(out(S)), \rho(int(S)))$
process | $X_S$ | $\lambda$ | $S$ | $X_S \in \mathcal{X}_S$
5.1.2 The Calculus of Demonic I/O Automata
The calculus of Demonic I/O Automata (DIOA) is a process algebra for I/O automata [Seg92].
Each I/O automaton is an expression which is obtained by applying operators to basic
automata. Each expression is sorted and each sort represents an external action signature. Each
DIOA expression has a unique internal action $\tau$. Multiple internal actions, in fact, are used
within I/O automata for expressing fairness with respect to different internal tasks; however,
DIOA does not deal with fairness. In this paper we present a slightly modified version of DIOA
in which we consider multiple internal actions. Each sort represents a full action signature with
multiple internal actions. Our modification does not change the algebraic properties of DIOA
(the axioms do not change), but it makes it easier to relate DIOA proofs to simulation proofs.
We assume that the sort of each DIOA expression contains at least one internal action and we
use $\tau$ to denote a generic internal action. This assumption is necessary to model some of the
operators.
Table 1 contains all the operators of DIOA and Table 2 contains their operational semantics
in terms of transition systems. The operators of DIOA recall the standard operators of CCS
Table 2: The transition rules for DIOA. $\tau$ is any internal action.

nil1: $nil_S \stackrel{a}{\longrightarrow} \Omega_S$ for all $a \in in(S)$
ome1: $\Omega_S \stackrel{a}{\longrightarrow} \Omega_S$ for all $a \in ext(S)$
ome2: $\Omega_S \stackrel{\tau}{\longrightarrow} nil_S$
pre1: $a.e \stackrel{a}{\longrightarrow} e$
pre2: $a.e \stackrel{b}{\longrightarrow} \Omega_S$ for all $b \in in(S) \setminus \{a\}$
ich1: $e_1 \oplus_S e_2 \stackrel{\tau}{\longrightarrow} e_1$
ich2: $e_1 \oplus_S e_2 \stackrel{\tau}{\longrightarrow} e_2$
ich3: if $e_1 \stackrel{a}{\longrightarrow} e_1'$ then $e_1 \oplus_S e_2 \stackrel{a}{\longrightarrow} e_1'$, for $a \in in(S)$
ich4: if $e_2 \stackrel{a}{\longrightarrow} e_2'$ then $e_1 \oplus_S e_2 \stackrel{a}{\longrightarrow} e_2'$, for $a \in in(S)$
ech1: if $e_1 \stackrel{a}{\longrightarrow} e_1'$ then $e_1\ {}_I{+}_J{}_S\ e_2 \stackrel{a}{\longrightarrow} e_1'$, for $a \in I \cup out(S)$
ech2: if $e_2 \stackrel{a}{\longrightarrow} e_2'$ then $e_1\ {}_I{+}_J{}_S\ e_2 \stackrel{a}{\longrightarrow} e_2'$, for $a \in J \cup out(S)$
ech3: $e_1\ {}_I{+}_J{}_S\ e_2 \stackrel{a}{\longrightarrow} \Omega_S$ for all $a \in in(S) \setminus (I \cup J)$
ech4: if $e_1 \stackrel{\tau}{\longrightarrow} e_1'$ then $e_1\ {}_I{+}_J{}_S\ e_2 \stackrel{\tau}{\longrightarrow} e_1'\ {}_I{+}_J{}_S\ e_2$
ech5: if $e_2 \stackrel{\tau}{\longrightarrow} e_2'$ then $e_1\ {}_I{+}_J{}_S\ e_2 \stackrel{\tau}{\longrightarrow} e_1\ {}_I{+}_J{}_S\ e_2'$
tau1: if $e \stackrel{a}{\longrightarrow} e'$ then $\tau_I(e) \stackrel{a}{\longrightarrow} \tau_I(e')$ (when $a \in I$ the action $a$ is internal in the sort of $\tau_I(e)$)
rho: if $e \stackrel{a}{\longrightarrow} e'$ then $\rho_S(e) \stackrel{\rho(a)}{\longrightarrow} \rho_S(e')$
par1: if $e_1 \stackrel{a}{\longrightarrow} e_1'$ and $e_2 \stackrel{a}{\longrightarrow} e_2'$ then $e_1\ {}_{S_1}\|_{S_2}\ e_2 \stackrel{a}{\longrightarrow} e_1'\ {}_{S_1}\|_{S_2}\ e_2'$, for $a \in acts(S_1) \cap acts(S_2)$
par2: if $e_1 \stackrel{a}{\longrightarrow} e_1'$ then $e_1\ {}_{S_1}\|_{S_2}\ e_2 \stackrel{a}{\longrightarrow} e_1'\ {}_{S_1}\|_{S_2}\ e_2$, for $a \in acts(S_1) \setminus ext(S_2)$
par3: if $e_2 \stackrel{a}{\longrightarrow} e_2'$ then $e_1\ {}_{S_1}\|_{S_2}\ e_2 \stackrel{a}{\longrightarrow} e_1\ {}_{S_1}\|_{S_2}\ e_2'$, for $a \in acts(S_2) \setminus ext(S_1)$
rec: if $E(X) \stackrel{a}{\longrightarrow} e'$ then $X \stackrel{a}{\longrightarrow} e'$
Table 3: Definition of $si$ and $so$ for DIOA.

$si(nil) = \emptyset$ | $so(nil) = \emptyset$
$si(\Omega) = \emptyset$ | $so(\Omega) = out(\Omega)$
$si(a.e) = \{a\} \cap in(e)$ | $so(a.e) = \{a\} \cap out(e)$
$si(e_1 \oplus e_2) = si(e_1) \cap si(e_2)$ | $so(e_1 \oplus e_2) = so(e_1) \cup so(e_2)$
$si(e_1\ {}_I{+}_J\ e_2) = (I \cap si(e_1)) \cup (J \cap si(e_2))$ | $so(e_1\ {}_I{+}_J\ e_2) = so(e_1) \cup so(e_2)$
$si(X) = si(E(X))$ | $so(X) = so(E(X))$
[Mil89]; however, they are different in the sense that they also guarantee input enabling by
moving an automaton to the state $\Omega$ whenever some unexpected input is provided. The
expression $nil$ models a quiescent automaton that moves to $\Omega$ for any input. The prefixing
operator allows the specification of an automaton which first performs a specific action $a$.
The internal choice operator models nondeterministic choice independently of the external
environment. Particularly unfamiliar to the process algebraic community is the external choice
operator, which is parameterized by two sets of input actions. The two parameters describe
which arguments of the operator deal with different input actions. Consider the expression
$exp = a.e\ {}_{\{a\}}{+}_{\{b\}}\ b.f$. The subexpression $a.e$ describes the behavior of $exp$ in the presence
of input action $a$ while the subexpression $b.f$ describes the behavior of $exp$ in the presence
of input action $b$. The parameters are necessary since $a.e$ also reacts to input $b$ although that
reaction is not desired. The meaning of an expression like $a.e + b.f$, however, is intuitively
clear. Although this intuition is not expressible for general DIOA expressions, Table 3 defines a
function $si(e)$ (Specified Inputs) which captures our intuitive idea for DIOA expressions of
the kind $a_1.e_1 + \cdots + a_n.e_n$. Function $si$ allows us to define an unparameterized choice operator
by writing $e + f$ for $e\ {}_{si(e)}{+}_{si(f)}\ f$, where function $si$ is defined in Table 3. The interested reader
is referred to [Seg92] for a more detailed description of $si$ and its generalization to all DIOA
expressions.
Given a DIOA expression, there is a natural way of associating an I/O automaton with it.
We arbitrarily choose not to partition its locally controlled actions. In this way Theorem 5.7
directly applies.
Definition 5.9 Given a DIOA expression $e$, the associated I/O automaton $D(e)$ is defined as
- $states(D(e)) = \{e' \mid \exists \beta \in acts(e)^*,\ e \stackrel{\beta}{\longrightarrow} e'\}$
- $start(D(e)) = \{e\}$
- $sig(D(e)) = (in(e), out(e), int(e))$
- $steps(D(e)) = \{(e', a, e'') \mid e' \in states(D(e)),\ e' \stackrel{a}{\longrightarrow} e''\}$
- $part(D(e)) = \{local(e)\}$ $\square$

Table 4: Some axioms for the quiescent preorder of DIOA.

Ec7: $e\ {}_I{+}_J\ f \sqsubseteq_Q e$ if $si(e) \subseteq I$, $si(e) \cap J = \emptyset$ and $Quiet(f)$
I3: $\tau_I(a.e) =_Q a.\tau_I(e)$ if $a \notin I$
I4: $\tau_I(e\ {}_H{+}_K\ f) =_Q \tau_I(e)\ {}_H{+}_K\ \tau_I(f)$ if $so(e) \cap I = so(f) \cap I = \emptyset$
Ii1: $\tau_I(i.e) =_Q \tau_I(e)$ if $si(e) = \emptyset$, where $i \in I$

Proposition 5.10 Given two DIOA expressions $e$, $f$,
1. $D(\tau_I(e))$ and $Hide_I(D(e))$ are the same I/O automaton;
2. $D(e \| f)$ and $D(e) \| D(f)$ only differ in that $part(D(e \| f)) = \{local(e) \cup local(f)\}$ and
$part(D(e) \| D(f)) = \{local(e), local(f)\}$. $\square$
The implementation relation for DIOA is the quiescent preorder, which is a weak congruence
for all the operators but the unparameterized $+$. A weak congruence is a relation that is
preserved under legal contexts, i.e., $x \mathrel{R} y$ implies $C[x] \mathrel{R} C[y]$ if $C[\cdot]$ is a legal context for both
$x$ and $y$. Table 4 contains some axioms for the quiescent preorder over DIOA. The axioms we
present are just some of those of [Seg92]; however, they are sufficient for our examples. They
are sound in the sense that they state true properties of the I/O automata associated with
the expressions. Axiom Ec7 uses a predicate $Quiet(f)$ which is true only if $f$ is a quiescent
expression, i.e., $D(f)$ enables only input actions in its start state. Ec7 models the idea that,
whenever a specification $e$ does not say anything about some input actions, any choice of
implementation $f$ in the presence of those actions is correct. Axiom I3 allows us to move
external actions out of the hiding operator. Axiom I4 uses a function $so$ in its side condition.
Function $so$ (Specified Outputs) is defined in Table 3 and gives those output actions of its
argument that can be performed up to internal transitions. The side condition for Axiom I4 is
necessary since an external choice context is not resolved with internal actions (see transition
rules ech4 and ech5). Axiom Ii1 allows us to eliminate initial internal computation from I/O automata
whenever no input is expected ($si(e) = \emptyset$). Two other important axioms deal with the parallel
operator and with recursion. The expansion axiom allows us to unfold a parallel expression into
a nondeterministic sequential one; the recursive substitutivity rule states conditions under which
a set of equations has a unique fixpoint, and gives a method for proving that a process
implements the fixpoint of a set of equations. In Section 5.3 the recursive substitutivity rule
plays a fundamental role.
Proposition 5.11 (Expansion axiom) The following axiom is sound for the quiescent preorder.
E2 Let $e = e_1 \| e_2 \| \cdots \| e_n$ where each $e_i$ is of the form $\sum_j a_{ij}.e_{ij}$. For each action $a \in ext(e)$
let
$E^i_a = \{e_{ij} \mid a_{ij} = a\}$ if $a \in acts(e_i)$, and $E^i_a = \{e_i\}$ otherwise.
Let $out(a)$ be the index $j$ such that $a$ is an output action of $e_j$ ($0$ otherwise) and let
$F_a = \emptyset$ if $out(a) \neq 0$ and $E^{out(a)}_a = \emptyset$, and
$F_a = \{f_1 \| \cdots \| f_n \mid \forall j.\ f_j \in E^j_a \vee (E^j_a = \emptyset \wedge f_j = \Omega)\}$ otherwise.
Then $e =_Q \sum_{a \in ext(e)} \left(\sum_{f \in F_a} a.f\right)$. $\square$
Theorem 5.12 (Recursive substitutivity) Let $X \stackrel{def}{=} E(X)$ be a set of equations $X_i \stackrel{def}{=}
\sum_j a_{ij}.X_{ij}$, and let $P$ be a set of DIOA expressions. If $P \sqsubseteq_Q E[P/X]$ then $P \sqsubseteq_Q X$. $\square$
5.2 Specification of the Components
In this section we specify the components of Section 3.2 using DIOA expressions. In this way
we can use the DIOA axioms for the actual verification. The new specifications will explicitly
consider only specified input actions at each state. The demonic approach guarantees the
existence of a transition to $\Omega$ for each non-specified input action. The I/O automata of this
section differ from those of Section 3.2 in the definition of $\Omega$. Since DIOA deals with finite
and quiescent traces only, we need any finite fair trace of $D(\Omega)$ to be a quiescent trace of $D(\Omega)$, i.e.,
we need $D(\Omega)$ to be quiescent detectable. Quiescent detectability is obtained through
the transition $\Omega \stackrel{\tau}{\longrightarrow} nil$. Note that each sequence of external actions is a fair trace of $D(\Omega)$;
moreover the I/O automata we specify in this section and those of Section 3.2 differ only in
the transitions for state $\Omega$. As a consequence the specifications of this section and those of
Section 3.2 denote the same objects in the sense that the corresponding I/O automata exhibit
the same fair traces. A formal equivalence statement will be given after the specifications.
Specification 5.13 (Muller C element) A Muller C element is specified as follows:
$C \stackrel{def}{=} a.C_a + b.C_b$
$C_a \stackrel{def}{=} a.C + b.C_{ab}$
$C_b \stackrel{def}{=} a.C_{ab} + b.C$
$C_{ab} \stackrel{def}{=} c.C$
where $a$, $b$ are input actions and $c$ is an output action.
The DIOA specification of a Muller C element is represented by the process variable $C$. In
order to be consistent with the specifications of the previous sections the process variable
name should be $C_D$; however, we decided to drop the parameter $D$ to avoid confusion with the
parameters of the other process variables. The subscripts in the process variables represent
the input ports that have changed voltage level. When both the inputs have changed (state
$C_{ab}$) the output voltage level is changed. Note that in state $C_{ab}$ no inputs are accepted. The
underspecification of the Muller C element in such cases is implicit in the structure of DIOA.
Note that $D(C)$ has FIN and is input deterministic.
Specification 5.14 (Majority element) A majority element is specified by the following
equations
$M \stackrel{def}{=} a.M_a + b.M_b + c.M_c$
$M_a \stackrel{def}{=} a.M + b.M_{ab} + c.M_{ac}$
$M_{ab} \stackrel{def}{=} m.M_c + c.M_{abc}$
$M_{abc} \stackrel{def}{=} m.M + a.M_{bc} + b.M_{ac} + c.M_{ab}$
where $a$, $b$, $c$ are input actions and $m$ is an output action. The equations for $M_b$, $M_c$, $M_{ac}$ and
$M_{bc}$ are similar to the equations above and can be easily derived.
The process variable $M$ represents the majority element where the voltage levels of its input
ports are the same as the voltage level of its output port. The process variables containing
subscripts represent the majority element where only the voltage levels of the input ports not
appearing as subscripts are the same as the voltage level of the output port. Note that the
equation for $M_{ab}$ specifies that no inputs causing a variation in the output voltage level can
occur when the output voltage level already has to change. If such inputs occur then the
system implicitly moves to $\Omega$.
Specification 5.15 (Wire) A wire is specified by the following equation:
$W \stackrel{def}{=} m.c.W$
where $m$ is an input action and $c$ is an output action.
Proposition 5.16 $A(C_N) =_F D(C)$. $A(M_N) =_F D(M)$. $A(W_N) =_F D(W)$. $\square$
Remark 5.17 A stronger equivalence statement than the one of Proposition 5.16 holds, namely
that the involved I/O automata are isomorphic if we do not consider states $\Omega$ and $nil$. We do
not need this strong statement for this paper, therefore we are not formal here.
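The quiescent preorder of Definition 5.2 can also be explored mechanically for the DIOA specifications above. The following Python program is an added example by the editor, not code from the paper or from [Seg92]: a small interpreter for the DIOA operators used in Specifications 5.13, 5.14 and 5.15 (prefixing, guarded sums with the unparameterized $+$, parallel composition, hiding, $nil$, $\Omega$, process variables, and internal choice), following the rules of Table 2, with $D(e)$ explored breadth-first and finite traces and quiescent traces compared up to a length bound. It is a bounded check of the claim that Section 5.3 proves algebraically with the axioms, not a proof. The constant `TAU` stands for the generic internal action that the paper assumes in every sort, and the process $W_{bad}$ (a wire that may lose its signal, written with $\oplus$) is a constructed counterexample that is not from the paper: it keeps plain trace inclusion but violates quiescent trace inclusion, which is exactly the kind of missing output the quiescent preorder is designed to catch.

```python
"""Bounded check of tau_{m}(M || W) <=_Q C with a small DIOA interpreter (editor's example)."""
from functools import lru_cache
from itertools import combinations

TAU = "tau"   # the generic internal action assumed to belong to every sort


def sort(inp, out):
    """A sort (in, out, int); the paper assumes at least one internal action per sort."""
    return (frozenset(inp), frozenset(out), frozenset({TAU}))


SORT_C, SORT_M, SORT_W = sort("ab", "c"), sort("abc", "m"), sort("m", "c")


# Expression constructors; a process variable refers to an entry of DEFS.
def var(x): return ("var", x)
def pre(a, e): return ("pre", a, e)
def gsum(*branches): return ("sum", tuple(branches))     # a1.e1 + ... + an.en (unparameterized +)
def par(e1, e2): return ("par", e1, e2)
def hide(I, e): return ("hide", frozenset(I), e)          # tau_I(e)
def ich(e1, e2): return ("ich", e1, e2)                    # e1 (+) e2


def mname(S):
    return "M" + ("_" + "".join(sorted(S)) if S else "")


DEFS = {  # process variable -> (E(X), sort); Specifications 5.13 and 5.15
    "C": (gsum(("a", var("C_a")), ("b", var("C_b"))), SORT_C),
    "C_a": (gsum(("a", var("C")), ("b", var("C_ab"))), SORT_C),
    "C_b": (gsum(("a", var("C_ab")), ("b", var("C"))), SORT_C),
    "C_ab": (pre("c", var("C")), SORT_C),
    "W": (pre("m", pre("c", var("W"))), SORT_W),
    # Constructed counterexample (not from the paper): a wire that may lose its signal.
    "W_bad": (pre("m", ich(pre("c", var("W_bad")), var("W_bad"))), SORT_W),
}
for r in range(4):                        # Specification 5.14, all eight M_S
    for S in map(set, combinations("abc", r)):
        branches = [(x, var(mname(S ^ {x}))) for x in "abc" if not (len(S) == 2 and x in S)]
        if len(S) >= 2:
            branches.append(("m", var(mname(set("abc") - S))))
        DEFS[mname(S)] = (gsum(*branches), SORT_M)


@lru_cache(maxsize=None)
def sort_of(e):
    kind = e[0]
    if kind == "var":
        return DEFS[e[1]][1]
    if kind in ("nil", "omega"):
        return e[1]
    if kind in ("pre", "ich"):
        return sort_of(e[-1])
    if kind == "sum":
        return sort_of(e[1][0][1])
    if kind == "hide":
        inp, out, internal = sort_of(e[2])
        return (inp, out - e[1], internal | e[1])
    (i1, o1, n1), (i2, o2, n2) = sort_of(e[1]), sort_of(e[2])
    return ((i1 | i2) - (o1 | o2), o1 | o2, n1 | n2)


def ext(e):
    inp, out, _ = sort_of(e)
    return inp | out


@lru_cache(maxsize=None)
def steps(e):
    """Transitions of e as a frozenset of (action, e'), following the rules of Table 2."""
    kind, S = e[0], sort_of(e)
    inp, out, _ = S
    omega = ("omega", S)
    if kind == "var":
        return steps(DEFS[e[1]][0])                                          # rec
    if kind == "nil":
        return frozenset((a, omega) for a in inp)                            # nil1
    if kind == "omega":
        return frozenset({(a, e) for a in inp | out} | {(TAU, ("nil", S))})  # ome1, ome2
    if kind == "pre":
        return frozenset({(e[1], e[2])} | {(b, omega) for b in inp - {e[1]}})  # pre1, pre2
    if kind == "sum":                                                        # ech1-ech3 with si
        return frozenset(set(e[1]) | {(b, omega) for b in inp - {a for a, _ in e[1]}})
    if kind == "ich":                                                        # ich1-ich4
        return frozenset({(TAU, e[1]), (TAU, e[2])} |
                         {(a, f) for sub in e[1:] for a, f in steps(sub) if a in inp})
    if kind == "hide":                                                       # tau1
        return frozenset((a, hide(e[1], f)) for a, f in steps(e[2]))
    e1, e2 = e[1], e[2]                                                      # par1-par3
    shared = ext(e1) & ext(e2)
    res = {(a, par(f1, e2)) for a, f1 in steps(e1) if a not in shared}
    res |= {(a, par(e1, f2)) for a, f2 in steps(e2) if a not in shared}
    res |= {(a, par(f1, f2)) for a, f1 in steps(e1) if a in shared
            for b, f2 in steps(e2) if b == a}
    return frozenset(res)


def is_quiescent(e):
    """Only input actions are enabled (Definition 5.1 with a single class of local actions)."""
    return all(a in sort_of(e)[0] for a, _ in steps(e))


def bounded_traces(e, k):
    """Finite traces of D(e) of length <= k, and the quiescent ones among them."""
    todo, seen, traces, qtraces = [(e, ())], {(e, ())}, set(), set()
    while todo:
        s, t = todo.pop()
        traces.add(t)
        if is_quiescent(s):
            qtraces.add(t)
        for a, s2 in steps(s):
            t2 = t + (a,) if a in ext(s) else t
            if len(t2) <= k and (s2, t2) not in seen:
                seen.add((s2, t2))
                todo.append((s2, t2))
    return traces, qtraces


def bounded_quiescent_preorder(impl, spec, k):
    """impl <=_Q spec (Definition 5.2) restricted to traces of length <= k."""
    ti, qi = bounded_traces(impl, k)
    ts, qs = bounded_traces(spec, k)
    return ti <= ts and qi <= qs


IMPL = hide("m", par(var("M"), var("W")))        # tau_{m}(M || W)
SPEC = var("C")
BAD = hide("m", par(var("M"), var("W_bad")))     # same majority element, lossy wire
```

`bounded_quiescent_preorder(IMPL, SPEC, 6)` holds, while for `BAD` the finite traces are still included in those of $C$ but the trace $ab$ is quiescent for the lossy implementation (the majority element has fired $m$, the signal was lost, and nothing is enabled) and not for $C$, whose state $C_{ab}$ enables the output $c$. The interpreter treats the unparameterized sum exactly as the text describes it: every input not named in a branch leads to $\Omega$, and an output not offered has no transition.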
5.3 The Verification
We now formally prove that a Muller C element can be implemented using a majority element
and a wire. The implementation relation that we use is the quiescent preorder; however it
is easy to verify that all the specified elements satisfy the hypothesis of Theorem 5.7 and
Proposition 5.8, therefore we can conclude fair trace inclusion from quiescent trace inclusion.
We first prove the statement concerning the quiescent preorder, the DIOA verification; then
we show how the formal statement of Section 3.2 is derived.
Proposition 5.18 $\tau_m(M \parallel W) \sqsubseteq_Q C$, i.e., a Muller C element C can be implemented using
a majority element and a wire.
Proof. We show that $\tau_m(M \parallel W) \sqsubseteq_Q C$. For doing that we consider a family of processes
$I, I_a, I_b, I_{ab}$, where $I \stackrel{\rm def}{=} \tau_m(M \parallel W)$, and show that they satisfy the equations of C with $\sqsubseteq_Q$. It
is then enough to use the recursive substitutivity axiom to conclude.
By applying the expansion axiom and the hiding axioms we obtain
$\tau_m(M \parallel W)$
$=_Q \tau_m((a.M_a + b.M_b + c.M_c) \parallel (m.c.W))$    by expanding $M \parallel W$
$\sqsubseteq_Q \tau_m(a.(M_a \parallel (m.c.W)) + b.(M_b \parallel (m.c.W)))$    by Axiom E2
$=_Q \tau_m(a.(M_a \parallel W) + b.(M_b \parallel W))$    by substituting W for E(W)
$=_Q \tau_m(a.(M_a \parallel W)) + \tau_m(b.(M_b \parallel W))$    by Axiom I4
$=_Q a.\tau_m(M_a \parallel W) + b.\tau_m(M_b \parallel W)$    by Axiom I3
$=_Q a.I_a + b.I_b$    by definition of $I_a$ and $I_b$
where we define
$I_a \stackrel{\rm def}{=} \tau_m(M_a \parallel W)$
$I_b \stackrel{\rm def}{=} \tau_m(M_b \parallel W)$
With the same method we have
$I_a =_Q \tau_m(M_a \parallel W) =_Q a.\tau_m(M \parallel W) + b.\tau_m(M_{ab} \parallel W) =_Q a.I + b.I_{ab}$
and
$I_b =_Q \tau_m(M_b \parallel W) =_Q a.\tau_m(M_{ab} \parallel W) + b.\tau_m(M \parallel W) =_Q a.I_{ab} + b.I$
where we define
$I_{ab} \stackrel{\rm def}{=} \tau_m(M_{ab} \parallel W)$
We now proceed with the analysis of $I_{ab}$. Step by step comments are below.
$I_{ab} =_Q \tau_m(M_{ab} \parallel W)$
$=_Q \tau_m(a.(? \parallel W) + b.(? \parallel W) + m.(M_c \parallel c.W))$
$\sqsubseteq_Q \tau_m(m.(M_c \parallel c.W))$
$=_Q \tau_m(m.(a.(M_{ac} \parallel c.W) + b.(M_{bc} \parallel c.W) + c.(M \parallel W)))$
$\sqsubseteq_Q \tau_m(m.c.(M \parallel W))$
$=_Q c.\tau_m(M \parallel W)$
$=_Q c.I$
The first step follows the lines of the previous derivations by expanding process variables,
applying the expansion theorem, and reconverting untouched expanded expressions to their
corresponding process variable; the second step is an application of Axiom Ec7 where inputs
a and b are eliminated. According to the specification of $C_{ab}$, in fact, no input should occur
before output c occurs. The expression on the second line specifies an implementation choice
in the presence of inputs a and b while the expression on the third line does not specify any
implementation choice. The third step is similar to the first one while the fourth step consists
of successive applications of the hiding axioms. Action m is eliminated through Axiom I1 and
action c is brought outside the scope of the hiding operator through Axiom I3. The last step
is a direct consequence of the definition of I.
We can now apply the recursive substitutivity axiom and conclude $\tau_m(M \parallel W) \sqsubseteq_Q C$.
The fair trace inclusion follows from Theorem 5.7 and Proposition 5.8. All the involved I/O
automata, in fact, are quiescent detectable, quiescent continuous, input quiescent detectable
and have FIN. Moreover no input action disables any output action. □
Theorem 5.19 $\mathrm{Hide}_m(A(M_N) \parallel A(W_N)) \sqsubseteq_F A(C_N)$.
Proof. From Proposition 5.18, the soundness of the DIOA proof system, and Theorem 5.7,
we derive $D(\tau_m(M \parallel W)) \sqsubseteq_F D(C)$. From Proposition 5.10 we derive $\mathrm{Hide}_m(D(M \parallel W)) \sqsubseteq_F D(C)$.
From Proposition 5.10 and Proposition 5.8 we have $D(M) \parallel D(W) \sqsubseteq_F D(M \parallel W)$, therefore
we derive $\mathrm{Hide}_m(D(M) \parallel D(W)) \sqsubseteq_F D(C)$. Finally, from Proposition 5.16 we derive
$\mathrm{Hide}_m(A(M_N) \parallel A(W_N)) \sqsubseteq_F A(C_N)$. □
6 Comparison of the Algebraic and the Simulation Techniques
In this section, we compare the simulation and algebraic proof techniques for their usefulness
in carrying out verifications of the sort outlined in this paper. The first thing to note is that
both of the outlined proofs were fairly easy to carry out, once the machinery described in the
"theory" sections had been developed. Naturally, people more familiar with one style of proof
or the other will find it somewhat easier to use, but we did not find any appreciable difference
for this example. The interesting question is whether both methods will scale equally well to
a wide range of more complex examples. Here we think there are important differences and
similarities, which we have tried to identify below.
6.1 Power of the Proof Method
There is a strong similarity between our reasoning in the simulation proof and in the algebraic
proof. It seems that the recursive substitutivity rule is used in this example somewhat as
an algebraic version of the notion of forward simulation. That is, we consider the process
variables of the set of equations comprising the specification as representing states of the
specification. Then we consider the processes that we substitute for the process variables as
representing states of the implementation that are related to the process variables for which
they are substituted.
This leads to the question of whether the simulation and algebraic methods we have used
might not be equivalent in general; however, it turns out that they are incomparable.
Let a, b, c be output actions and consider the processes
$X \stackrel{\rm def}{=} a.b.X + a.c.X$
$Y \stackrel{\rm def}{=} a.(b.Y + c.Y)$
It is easy to prove that $Y \sqsubseteq_Q a.b.Y + a.c.Y$ by using the axioms of [Seg92] and the recursive
substitutivity rule; however there is no forward simulation from the transition system associated
with Y to that associated with X. State Y, in fact, would be mapped to X. State $b.Y + c.Y$,
instead, should be mapped to either $b.X$ or $c.X$ or both since Y can move with a only to
those states. Unfortunately each of the choices above gives problems on the next transition.
The difference between the systems X and Y arises when the decision about whether to
perform b or c is made: X decides before Y. A forward simulation between two processes A
and B exists only if B does not decide before A. Y can be proved to implement X by using a
different simulation technique based on a notion of backward simulation [LV91]. However, there
are also examples that can be proved using DIOA deductions but not by backward simulations.
One example is
$X \stackrel{\rm def}{=} a.c.X + b.Z$    $Z \stackrel{\rm def}{=} c.X$
$Y \stackrel{\rm def}{=} a.Z' + b.Z'$    $Z' \stackrel{\rm def}{=} c.Y$
where a, b and c are output actions. It is easy to algebraically show that Y and Z' satisfy the
equations for X and Z, however there is no backward simulation from Y to X.
There are also cases in which there is a forward simulation between two processes but
quiescent trace inclusion cannot be proved using DIOA, because the recursive substitutivity
rule cannot be applied. Consider, for example, the processes
$X \stackrel{\rm def}{=} a.X$    and    $X_i \stackrel{\rm def}{=} a.X_{i+1}$
for an infinite set of process variables $X_i : i \in \mathbb{N}$. The mapping that maps each $X_i$ into X is
trivially a forward simulation from $X_0$ to X; however, since none of the given equations relates
some $X_i$ to $X_j$ with $j < i$, we cannot prove that $X_0 \le a.X_0$, so the recursive substitutivity
rule does not apply. The above mapping is also a backward simulation from $X_0$ to X, therefore
also backward simulation is incomparable with DIOA deduction.
All the examples above also work for the simple trace preorder. The reader is referred to
[DS92] for its axiomatization.
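To make the incomparability of the two simulation notions concrete, the following Python program (an added example; it is not part of the paper and not the authors' code) computes the largest forward simulation and the largest backward simulation between two finite transition systems by fixpoint refinement, and runs them on the two pairs of processes above. The transition systems are constructed directly from the equations: X = a.b.X + a.c.X has three states (X and the two states reached by a, written Xb and Xc here), Y = a.(b.Y + c.Y) has two, and similarly for the second pair. The definitions of forward and backward simulation are the untimed ones of [LV91] restricted to systems without internal actions, which is an assumption of this example. The program also enumerates the finite traces of the two systems up to a bounded length, to show that trace inclusion holds in both directions even where one of the two simulations does not exist.

```python
"""Forward and backward simulations between finite transition systems.

Added example: reproduces the two examples of Section 6.1 (early versus
late choice, and the a.c.X + b.Z loop).  Definitions follow [LV91] for
systems without internal actions (an assumption of this example).
"""
from itertools import product


class LTS:
    """Finite labelled transition system: states, start states, (s, a, s') triples."""

    def __init__(self, states, starts, trans):
        self.states, self.starts, self.trans = set(states), set(starts), set(trans)

    def succ(self, s, a):
        return {t for (u, b, t) in self.trans if u == s and b == a}

    def pred(self, t, a):
        return {u for (u, b, s) in self.trans if s == t and b == a}


def forward_simulation(A, B):
    """Largest forward simulation from A to B, or None if no forward simulation exists.

    step:  s R u and s -a-> s'  implies  some u' with u -a-> u' and s' R u'
    start: every start state of A is related to a start state of B
    Any forward simulation is contained in the greatest fixpoint computed here,
    so if that relation fails the start condition, none exists.
    """
    R = set(product(A.states, B.states))
    changed = True
    while changed:
        changed = False
        for (s, u) in list(R):
            if any(not any((s2, u2) in R for u2 in B.succ(u, a))
                   for (s1, a, s2) in A.trans if s1 == s):
                R.discard((s, u))
                changed = True
    if all(any((s, u) in R for u in B.starts) for s in A.starts):
        return R
    return None


def backward_simulation(A, B):
    """Largest backward simulation from A to B, or None if none exists.

    total: every state of A is related to some state of B
    start: s in start(A) and s R u  implies  u in start(B)
    step:  s -a-> s' and s' R u'  implies  some u with u -a-> u' and s R u
    """
    R = {(s, u) for (s, u) in product(A.states, B.states)
         if s not in A.starts or u in B.starts}
    changed = True
    while changed:
        changed = False
        for (s2, u2) in list(R):
            if any(not any((s1, u1) in R for u1 in B.pred(u2, a))
                   for (s1, a, t) in A.trans if t == s2):
                R.discard((s2, u2))
                changed = True
    if all(any((s, u) in R for u in B.states) for s in A.states):
        return R
    return None


def traces(lts, max_len):
    """All finite traces of length <= max_len (used to exhibit trace inclusion)."""
    found = set()
    frontier = {(s, ()) for s in lts.starts}
    while frontier:
        s, tr = frontier.pop()
        found.add(tr)
        if len(tr) < max_len:
            frontier |= {(t, tr + (a,)) for (u, a, t) in lts.trans if u == s}
    return found


# First example: X decides between b and c before Y does.
X_EARLY = LTS({"X", "Xb", "Xc"}, {"X"},
              {("X", "a", "Xb"), ("X", "a", "Xc"), ("Xb", "b", "X"), ("Xc", "c", "X")})
Y_LATE = LTS({"Y", "Y1"}, {"Y"},              # Y1 is the state b.Y + c.Y
             {("Y", "a", "Y1"), ("Y1", "b", "Y"), ("Y1", "c", "Y")})

# Second example: X = a.c.X + b.Z, Z = c.X   versus   Y = a.Z' + b.Z', Z' = c.Y.
X_LOOP = LTS({"X", "X1", "Z"}, {"X"},        # X1 is the state c.X
             {("X", "a", "X1"), ("X", "b", "Z"), ("X1", "c", "X"), ("Z", "c", "X")})
Y_LOOP = LTS({"Y", "Z'"}, {"Y"},
             {("Y", "a", "Z'"), ("Y", "b", "Z'"), ("Z'", "c", "Y")})

if __name__ == "__main__":
    for name, impl, spec in (("early/late", Y_LATE, X_EARLY), ("loop", Y_LOOP, X_LOOP)):
        print(name, "forward:", forward_simulation(impl, spec) is not None,
              "backward:", backward_simulation(impl, spec) is not None,
              "traces(<=6) included:", traces(impl, 6) <= traces(spec, 6))
```

For the first pair the program finds no forward simulation from Y to X but does find the backward simulation {(Y, X), (Y1, Xb), (Y1, Xc)}; for the second pair it finds a forward simulation from Y to X and no backward one, which is exactly the incomparability stated above.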
6.2 Treatment of Fairness
In the given example, a separate argument about fairness is made in the simulation proof,
whereas no such argument is needed in the algebraic proof. In the given algebraic proof, fair
trace inclusion is a consequence of quiescent trace inclusion, and the deductions within DIOA
are strong enough to prove quiescent trace inclusion. However, the algebraic framework, as it
stands, does not provide a fully general model for proving fair trace inclusion: the connection
between the quiescent and fair preorders holds only under some special conditions. We argued
in Section 5.1.1 that the properties of quiescent detectability, finite internal nondeterminism
and quiescent continuity seem to be sufficiently general for representing physical systems;
on the other hand we do not have a clear idea yet about the generality of input quiescent
detectability. An example of a non-input quiescent detectable device is an infinite buffer which
performs some internal update after receiving some input. An infinite fair execution leading
to an infinite trace with input actions only can be obtained by interleaving each input with
the internal update, however, if the buffer enables some output whenever it is not empty, no
finite sequence of input actions is a quiescent trace.
For systems in which these properties fail, it is unclear how to use the algebraic approach to
reason about fair trace inclusion. It is worth remarking that all the DIOA axioms presented in
[Seg92] except for the recursive substitutivity rule are sound for the fair preorder as well as the
quiescent preorder. (The recursive substitutivity rule is sound for all I/O automata satisfying
the conditions of Theorem 5.7.) So if we deal with non-recursive definitions, the axioms for
DIOA provide a method for directly proving fair trace inclusion. However, this is of limited
use since almost any nontrivial 1/0 automaton contains loops that have to be specified using
recursion. Even our small example cannot be specified without using recursion.
It is also unlikely that a result similar to the Execution Correspondence Lemma could
be used together with an algebraic proof. Even by axiomatizing a different preorder relation
such as "existence of a forward simulation", an algebraic proof would prove the existence of a
simulation without exhibiting it. The fairness part of our simulation proof, on the other hand,
is strongly based on the actual forward simulation from the implementation to the specification.
The simple knowledge that a forward simulation exists is not sufficient. It is possible that new
techniques, perhaps based on the structure of an algebraic proof, could be developed, but this
remains to be done.
The generality of our approach to fairness in the simulation proof also remains to be
considered; however, in this case there is already good evidence that this approach works well
in practice [LS92, LLS93]. The approach based on the Execution Correspondence Lemma
provides a convenient way to base a fairness proof on a simulation proof; it may be that there
are some fairness proofs that are inherently unable to be split in this way, but we do not know
of any such examples. The use of forcing conditions provides a useful generalization of the
usual I/O automaton fairness notion, but it seems likely to us that further generalizations will
be required in order to describe some realistic liveness requirements. What those extensions
might be, and whether they will work well in conjunction with the Execution Correspondence
Lemma, remain to be seen.
Note that the arguments of this subsection only hold for fairness sensitive semantics such
as the semantics of I/O automata. If the semantics is not based on a fairness sensitive relation,
then the problems of this subsection disappear. Examples of non fairness sensitive relations
are bisimulation [Mil89] and testing [DH84, Hen88].
6.3 Representation of Automata
The two different proof methods typically use very different ways of representing automata,
each best suited for carrying out the corresponding type of proof. In order to give a fair
comparison between the two methods, we began with a neutral representation, which is basically
just a state-transition table that enumerates the results of all transitions performed in all
states. We then gave two other representation methods, and asserted their equivalence with
the neutral method.
The precondition-effect language represents an automaton in an action-based way. That is,
the information associated with each action is given in one place; this information consists of
the set of enabling states and the allowed transitions for that action. In terms of the neutral
representation, we can think of this language as presenting the automaton by columns.
On the other hand, DIOA represents an automaton in a state-based way. That is, the
information associated with each state is given in one expression; this information consists of
a list of the enabled transitions from that state. We can think of this language as presenting
the automaton by rows of the neutral automaton.
In our small example, the state-based method gives a more elegant and concise represen-
tation of the circuits than the action-based method, but this will not be true in general. The
choice of which representation is better will vary among different automata, depending upon
whether the automaton table is most easily described by columns or by rows. Our experience
shows that, for complex systems, the action-based description is usually the better one [LLS93].
There is one main reason for this. The states of a complex automaton can usually be
described in terms of a small number of state variables or data objects, which permits a
description to be parameterized by the values of those objects. A typical complex automaton
exhibits locality of activity: each action typically involves only a small portion of the state, i.e.,
its occurrence depends on the values of a small number of data objects, and its results affect
only a small number of objects. This locality leads to concise descriptions for each action,
but it is unclear how a state-based description might take advantage of it. Note that parallel
decomposition cannot be used in general to describe this kind of locality.
Although the action-based representation method generally works better than the state-based
one, there is complete freedom in the choice of the representation style for an I/O
automaton whenever a simulation proof technique is used, i.e., it is always possible to use a
description language like the state-based one in conjunction with assertional reasoning. On the
other hand the description language for DIOA is strictly determined by the algebra itself, so
there is apparently no way to use an action-based representation method in process algebras.
Moreover, the pure DIOA calculus does not provide tools to deal with structured states.
A standard technique to deal with structured states within process algebras makes use
of parameterized process variables [Hoa85, Mil89, Bae90]. For example, a counter can be
represented by a process variable X parameterized over a natural number n in the following
way:
$X_0 \stackrel{\rm def}{=} up.X_1$
$X_n \stackrel{\rm def}{=} down.X_{n-1} + up.X_{n+1}$    if $n > 0$.
Such a technique is generally used when the size of a system is large [Bae90] since a specification
would become unreadable otherwise. Our example, although small, makes use of parameters.
It is also possible to add standard programming language constructs and define a new equation
of the form
$X_n \stackrel{\rm def}{=} up.X_{n+1} + (\text{if } n > 0 \text{ then } down.X_{n-1})$.
By means of the above ideas it is possible to directly encode an action-based represented
automaton A into DIOA. The encoding consists of one process variable X parameterized over
states(A). The equation for X is then of the form
if precondition($a_1$) then effect($a_1$) else
if precondition($a_2$) then effect($a_2$) else ...
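The duality between the two representations (automaton "by columns" versus "by rows", Section 6.3 above) and the encoding of an action-based automaton into one state-parameterized process variable can both be shown mechanically on the majority element of Section 5. The following Python program is an added example, not from the paper: it describes the majority element in the action-based style, one precondition/effect pair per action, and derives from it the neutral state-transition table, the state-based equations (one row per state) and the action-based view (one column per action). The state is the vector of voltage levels of the three inputs and of the output, and a state is named as in Section 5 by the inputs whose level differs from the output; the program assumes the plain input-enabled I/O automaton, so the generated row for $M_{ab}$ also lists inputs a and b, which the equation in Section 5 deliberately omits because there they lead to the unspecified state ?.

```python
"""Action-based ('by columns') description of the majority element and the
state-based ('by rows') equations derived from it.  Added example, not the
paper's code; the automaton is constructed from the equations of Section 5
(inputs a, b, c; output m) with every input always enabled.
"""
from itertools import product

INPUTS = ("a", "b", "c")
VARS = INPUTS + ("o",)           # o is the voltage level of the output port


def majority(st):
    return st["a"] + st["b"] + st["c"] >= 2


# One column per action: a (precondition, effect) pair over the state dictionary.
def input_column(x):
    # an input action flips the level of its port and is always enabled
    return (lambda st: True, lambda st: {**st, x: 1 - st[x]})


def output_column():
    # m is enabled exactly when the majority of the inputs differs from the output
    return (lambda st: majority(st) != st["o"], lambda st: {**st, "o": 1 - st["o"]})


COLUMNS = {x: input_column(x) for x in INPUTS}
COLUMNS["m"] = output_column()


def all_states():
    return [dict(zip(VARS, bits)) for bits in product((0, 1), repeat=len(VARS))]


def state_name(st):
    """M subscripted by the inputs whose level differs from the output (Section 5 convention)."""
    sub = "".join(x for x in INPUTS if st[x] != st["o"])
    return "M_" + sub if sub else "M"


def neutral_table(columns, states):
    """Neutral representation: (state, action) -> successor, for enabled actions only."""
    return {(state_name(st), act): state_name(eff(st))
            for st in states for act, (pre, eff) in columns.items() if pre(st)}


def rows(columns, states):
    """State-based view: for each state name, the sum of its enabled transitions.

    The two concrete states sharing a name (all levels complemented) must yield
    the same row; a mismatch would mean the naming convention is unsound.
    """
    table = {}
    for st in states:
        terms = [f"{act}.{state_name(eff(st))}"
                 for act, (pre, eff) in columns.items() if pre(st)]
        row = " + ".join(terms)
        name = state_name(st)
        if table.setdefault(name, row) != row:
            raise ValueError(f"inconsistent rows for {name}")
    return table


def columns_view(columns, states):
    """Action-based view: for each action, the names of the states enabling it."""
    return {act: sorted({state_name(st) for st in states if pre(st)})
            for act, (pre, _) in columns.items()}


if __name__ == "__main__":
    for name, row in rows(COLUMNS, all_states()).items():
        print(f"{name} = {row}")
    print(columns_view(COLUMNS, all_states()))
```

Running it prints eight rows, among them `M = a.M_a + b.M_b + c.M_c` and `M_abc = a.M_bc + b.M_ac + c.M_ab + m.M`, which coincide with the equations of Section 5; the column view shows that m is enabled in exactly the four states where at least two inputs differ from the output.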
Unfortunately, the more structure we add to the algebraic notation, the more complicated
it is to apply the DIOA axioms to carry out a proof. Also, the recursive substitutivity rule
requires one to find a set of processes that satisfy a given set of inequations. When states
are parameterized, finding those processes is often tantamount to finding a simulation relation
between states of the implementation and states of the specification, which is consistent with
the initial observation of Section 6.1. In this case, the task of applying the axioms becomes the
equivalent of proving that a given simulation is a forward simulation. For example, consider
the counter we specified before and consider an implementation as follows:
$Y_{10} \stackrel{\rm def}{=} up.Y_{11}$
$Y_n \stackrel{\rm def}{=} down.Y_{n-1} + up.Y_{n+1}$    if $n > 10$.
The recursive substitutivity rule requires us to show that each $Y_n$ satisfies the equation for
$X_{n-10}$. The association $h : Y_n \mapsto X_{n-10}$ is a sort of simulation, and the algebraic proof shows
its correctness.
6.4 Mechanization
The process of carrying out either a simulation proof or an algebraic proof can be long and
tedious, and therefore error-prone, when the involved automata are large. A simulation proof
typically involves a cases analysis based on actions; each case involves logical deduction based
on descriptions of the state transitions in both the implementation and specification automata
and on a description of the forward (or other kind of) simulation relation. An algebraic proof
involves a series of deductions using the algebraic axioms. In both cases, it should be possible
to check the correctness of the deduction steps using an automatic prover. However, we would
also like some help from an automatic prover in actually carrying out these tedious steps.
An automatic prover can help in the production of a simulation proof, but we do not expect
that the proof process will be completely automatic since the problem is undecidable in general.
In addition to descriptions of the two automata, the writer of such a proof will have to provide
a description of the simulation relation and possibly some invariances. Once this information
is provided, an automatic prover can be used to help in filling in enough details to verify that
the simulation is correct. As described in [SGG+93], the Larch prover has been successfully
used for this purpose. Also the theorem prover Isabelle was used for the same purpose in
[Nip89]. The work on mechanical simulation-based verifications is still under development,
and [Nip89, SGG+93] are just the first attempts at solving the problem.
It seems unlikely that an automatic prover will be of much help in defining the simulation
relation in a simulation proof. In small cases, essentially when there are finitely many states
as in our example, a model-checking approach might be helpful. The task of defining the
simulation relation by hand will often not be easy; its difficulty is comparable to that of defining
an invariant assertion. However, usually the designer of a system has enough intuitions about
the design to be able to define a relation that is almost correct, and this can be used as a
starting point for constructing the correct relation.
In the process algebraic proof given in this paper the axioms that have to be applied during
each step are partially determined by the equations defining the specification automaton. Our
proof steps were essentially repeated applications of the expansion axiom followed by some
simplifications based on the given specification. This heuristic is generally applicable when
dealing with (finite state) circuit descriptions. It is also applied in [Jos92, Seg92] and in several
of the examples of [Bae90]. In these cases, algebraic manipulators like those of [MV91, Lin91]
can be used. However, when the problem becomes large or is described by an infinite state
machine, the remarks at the end of Section 6.3 show that some form of simulation has to be
defined even for an algebraic proof, therefore the difficulties involved in the mechanization of
simulation and algebraic proofs are comparable.
6.5 Additional Benefits Obtained from the Proof
Experience with large simulation-based verifications [WLL88, LP92, LLS93] has shown that
the formal description of the simulation relation in a simulation proof constitutes an important
piece of documentation of the key ideas of the implementation, in much the same way that an
invariant assertion does; invariants and simulations typically express the key intuitions that
make the implementation work. Similarly, due to the remarks at the end of Section 6.3, an
algebraic proof can embed some form of mapping which can be used as a documentation.
Because of the Execution Correspondence Lemma, a simulation-based proof provides a cor-
respondence between executions rather than just trace inclusion. This correspondence enables
us, for example, to base proofs of fairness on proofs of ordinary trace inclusion. A process al-
gebraic proof, on the other hand, proves only the properties for which the axioms are certified
to be sound. In our example we were able to prove liveness because the quiescent preorder
coincides with the fair preorder under some particular conditions: however, if those conditions
are not met, or if we need to prove other properties (e.g., based on forcing sets) the algebraic
proof provides no help.
In our experience simulation proofs are flexible in the sense that a given proof can usually
be modified fairly easily in order to verify new properties of an implementation. A typical
verification task, for example the one in [LLS93], involves the definition of specification and
implementation automata and the proof that the implementation meets the specification. Dur-
ing the proof some errors might be discovered and the involved automata might need to be
modified. Also, after the proof is completed, the specification and/or implementation automata
might be slightly modified in order to make them cleaner and more general. The simulation
relation and the correctness proof might then have to be correspondingly modified. In general
the structure of the simulation proof seems to provide us with a lot of guidance in carrying
out such modifications, since its general structure is usually preserved. To the extent that
an algebraic proof embeds a simulation proof, the same advantages for modifiability would
accrue.
7 Conclusion
Using a simple example based on delay insensitive circuits, we have compared two widely used
verification techniques for concurrent and distributed systems. The assertional methods based
on I/O automata have been successfully used for the verification of very complex systems
[LT87, WLL88, LP92, LLS93] while the algebraic techniques of process algebras [Mil89] have
generally been used for relatively small examples [Bae90, Jos92].
We have verified the correctness of the implementation of a Muller C element taken from
[Jos92] both in the assertional framework and in the process algebraic framework. The algebraic
proof is based on DIOA [Seg92], a process algebra for I/O automata.
The example we have used is one of the typical examples of the process algebraic community;
therefore, it should not be surprising that the process algebraic analysis looks shorter than the
simulation-based one. Starting from the presented example, however, our discussion has shown
that scaling algebraic proofs to more complex systems leads to the use of simulation-based
verification techniques.
Although we have emphasized verification in this paper, it is important to remember that
verification is not the only purpose, nor even the main purpose, of process algebra. Rather,
process algebra is intended to provide compositional semantics for programs. Of course, one
important use for such a semantics is to provide a basis for carrying out formal correctness
proofs for systems. Since one of the most practical verification methods is simulation, it is
important that all algebraic semantics be designed with a view toward compatibility with
simulation proofs. Given a program that is supposed to implement a given specification,
a process algebraic characterization of the semantic model can be used to compositionally
compute the semantics of the given program, then a simulation-based technique can be used
to prove the correctness of the implementation. Perhaps, we could also add an intermediate
step in which the meaning of a program is algebraically simplified before starting with the
assertional part of the correctness proof.
References
[Bae90] J.C.M. Baeten. Applications of Process Algebra. Cambridge Tracts in Theoretical Computer Science 18, Cambridge University Press, 1990.
[DH84] R. De Nicola and M. Hennessy. Testing equivalences for processes. Theoretical Computer Science, 34:83-133, 1984.
[DS92] R. De Nicola and R. Segala. A process algebraic view of I/O automata. Technical Report SI-92/05, Dipartimento di Scienze dell'Informazione, Università degli Studi di Roma La Sapienza, September 1992.
[Hen88] M. Hennessy. Algebraic Theory of Processes. MIT Press, Cambridge, Massachusetts, 1988.
[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International, Englewood Cliffs, 1985.
[Jos92] M.B. Josephs. Receptive process theory. Acta Informatica, 29:17-31, 1992.
[Lin91] H. Lin. PAM: A Process Algebra Manipulator. In Larsen and Skou [LS91], pages 136-146.
[LLS93] B. Lampson, N. Lynch, and J.F. Søgaard-Andersen. Reliable at-most-once message delivery protocols. Tech. report under preparation, Laboratory for Computer Science, Massachusetts Institute of Technology, 1993.
[LP92] N. Lynch and B. Patt-Shamir. Distributed Algorithms. Fall 1992 Lecture Notes for 6.852, 1992.
[LS91] K.G. Larsen and A. Skou, editors. Proceedings of the Third International Workshop on Computer Aided Verification, volume 575 of Lecture Notes in Computer Science. Springer-Verlag, 1991.
[LS92] N. Lynch and I. Saias. Distributed Algorithms. Fall 1990 Lecture Notes for 6.852. MIT/LCS/RSS 16, MIT, February 1992.
[LT87] N.A. Lynch and M.R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, pages 137-151, Vancouver, Canada, August 1987. A full version is available as MIT Technical Report MIT/LCS/TR-387.
[LV91] N.A. Lynch and F.W. Vaandrager. Forward and backward simulations for timing-based systems. In J.W. de Bakker, C. Huizing, W.P. de Roever and G. Rozenberg, editors, Proceedings of the REX Workshop "Real-Time: Theory in Practice", volume 600 of Lecture Notes in Computer Science, pages 397-446. Springer-Verlag, 1991.
[MB59] D.E. Muller and W.S. Bartky. A theory of asynchronous circuits. Annals of the Computation Laboratory of Harvard University, Volume XXIX: Proceedings of an International Symposium on the Theory of Switching, Part I, pages 204-243, 1959.
[Mil89] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Cliffs, 1989.
[MV91] S. Mauw and G.J. Veltink. A proof assistant for PSF. In Larsen and Skou [LS91], pages 158-168.
[Nip89] T. Nipkow. Formal verification of data type refinement - theory and practice. In J.W. de Bakker, W.P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop "Stepwise Refinement of Distributed Systems", volume 430 of Lecture Notes in Computer Science, pages 561-591. Springer-Verlag, 1989.
[Seg92] R. Segala. A process algebraic view of I/O automata. Technical Memo MIT/LCS/TR-557, Laboratory for Computer Science, MIT, Cambridge, MA 02139, October 1992.
[Seg93] R. Segala. Quiescence, fairness, testing and the notion of implementation. In E. Best, editor, Proceedings CONCUR 93, Hildesheim, Germany, Lecture Notes in Computer Science. Springer-Verlag, 1993.
[SGG+93] Jørgen Søgaard-Andersen, Stephen J. Garland, John V. Guttag, Nancy A. Lynch, and Anna Pogosyants. Computer-assisted simulation proofs. In Proceedings of the Conference on Computer-Aided Verification, Heraklion, Crete, Greece, June 1993.
[Sta84] E.W. Stark. Foundations of a Theory of Specification for Distributed Systems. PhD thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, August 1984. Available as Technical Report MIT/LCS/TR-342.
[Sta90] E.W. Stark. On the relations computable by a class of concurrent automata. In Proceedings of the 1990 SIGACT-SIGPLAN Symposium on Principles of Programming Languages, 1990.
[Vaa91] F.W. Vaandrager. On the relationship between process algebra and input/output automata. In Proceedings of the Sixth Annual Symposium on Logic in Computer Science, 1991.
[WLL88] J.L. Welch, L. Lamport, and N. Lynch. A lattice-structured proof technique applied to a minimum spanning tree algorithm. Technical Report MIT/LCS/TM-361, Laboratory for Computer Science, MIT, June 1988.
A note on Model Checking Context Free Processes
(Preliminary Report)
S. Purushothaman Iyer*
Dept of Computer Science
NC State University
Raleigh, NC 27695-8206
June 1, 1993
Abstract
We consider the problem of model checking context free processes against Büchi automata
on infinite strings as specifications. We show that the computations of context free processes are
definable using PDA on infinite trees. By adopting an automata theoretic framework we provide a
solution that does not need the notion of "higher-order" semantics as used in the literature [1, 3].
Furthermore it allows us to consider a generalization of context free processes called macro
processes.
1 Introduction
There has been a lot of interest lately in context free processes, given that bisimulation is decidable
for such processes [4]. Spurred by the bisimulation result, the problem of model-checking context
free processes against alternation-free modal μ-calculus formulas has been considered [1, 3]. In
the former the authors consider an iterative version of model-checking and in the latter a tableau
based technique. Part of the motivation for this paper is to explore the third alternative, that
of an automata-theoretic based technique. In this paper we will consider the problem of model-
checking context free processes against specifications expressed using Büchi automata on infinite
strings. The automata-theoretic approach allows us to provide a simple solution that does not
involve the notion of "higher-order" semantics as used in [1, 3]. Along the way we provide a tight
characterization that unfoldings of context free processes (considered as trees) are definable using
pushdown automata on infinite trees. Finally, we also consider the problem of model checking a
generalization of context free processes called macro processes.
In [1, 3] the authors present context free processes as a set of procedural graphs, one for each
procedure or (equivalently) non-terminal. The graphs that define the procedure are transition
systems whose transitions are labeled by either actions or procedure names. In this context the
procedures can be thought of as parameterless procedures. We generalize these procedural graphs
to take parameters and call the new process calculus macro processes. Under the natural
restriction that these parameters are context free processes, viz. procedure graphs that invoke
only parameterless procedures, we show that the computations of macro processes are definable
using stack automata on infinite trees. These representations pave the way for stating model
checking as emptiness problems of appropriate automata. As the specification is defined using
Büchi automata on infinite strings, the model checking problem for context free (macro) processes
reduces to emptiness of pushdown automata (stack automata, respectively) over infinite strings.
*Supported in part by NSF under grant NSF CCR-90-0412
The central contributions of the paper are, therefore, (a) the concept of macro processes, (b)
the representation of the computation of context free and macro processes as trees definable by
pushdown automaton and stack automaton, respectively, and (c) model checking for context free
and macro processes using a uniform automata theoretic technique, as suggested in [9].
In Section 2 we provide the necessary definitions regarding automata on infinite objects and
recall some results. In Section 3 we show how the computational trees of context free processes can
be represented using Pushdown automaton on infinite trees and in Section 4 we do the same for
macro processes.
2 Pushdown Automaton
Let ? be an alphabet. Let [k] be the set (0, 1,..., (k --H 1)]. A k-ary tree t over ? is a partial
mapping [k]* ? such that the following condition is satisfied:
If t(?.i) is defined, where ? ? [k]* and 0 < i < (k --H 1), then t(?) and t(z.j), where
0 < j < i, are also defined.
A Biichi automaton on infinite trees over ? is a 4-tuple (S, qo, 6, F), where S is the set of states,
qo is the start state, 6 is the transition function and F is the set of final states. There are two rules
among the transition function 6: the read rule and the ? rule. The read rule is of the form:
(po,pi,...,p?i)E6(q,a), wherea??,qESandV0<i<k:pj?S
The e rule, on the other hand, is of the form:
p C 6(q,e)
Given a tree $t$, a run of the tree is obtained by decorating each node $x$ of the tree by a finite sequence
of states $q_0 q_1 \ldots q_n$ satisfying some conditions. Formally, a run is a function $r : [k]^* \to S^*$ such
that:
• $r(\varepsilon) = q_0 q_1 \ldots q_n$, where $q_0$ is the start state.
• $\forall\, 0 < i \le n : q_i \in \delta(q_{i-1}, \varepsilon)$, i.e., state $q_i$ is reached by using an $\varepsilon$-rule from $q_{i-1}$.
• Let $x$ be a node of the tree with children $x.0, \ldots, x.(k-1)$, and let $t(x) = a$. Let
$r(x) = Q.q_x$, where $Q \in S^*$, and $r(x.i) = q_{x.i}.Q_i$ for all $0 \le i \le k-1$, such that $Q_i \in S^*$. Then
we should have the relation $(q_{x.0}, \ldots, q_{x.(k-1)}) \in \delta(q_x, t(x))$. Put differently, the first states of the
siblings are obtained from the last state decorating the parent node by the use of a read rule.
A path through a tree is an infinite sequence of nodes $\rho = (x_i)_{0 \le i}$ such that $x_{i+1} = x_i.j$, $j \in [k]$.
A full path through the tree is a path such that $x_0 = \varepsilon$. Given an infinite sequence of states $(q_i)_{0 \le i}$,
define $\mathit{infinity}((q_i)_{0 \le i})$ as the set of states that occur infinitely often in that sequence.
Let $(x_i)_{0 \le i}$ be a full path of a run $r$. Define the state trace $r(\rho)$ of the full path $\rho = (x_i)_{0 \le i}$ as
$\prod_{0 \le i} r(x_i)$, where $\prod$ denotes concatenation. A run $r$ is acceptable provided the trace of every full
path of $r$ contains final states that appear infinitely often. Formally, a run is acceptable provided
for every full path $\rho$ of $r$, $\mathit{infinity}(r(\rho)) \cap F \ne \emptyset$. A tree $T$ is accepted by a Büchi automaton
provided the tree has an acceptable run.
Note that the definition of Büchi automaton we use is different from the standard definition.
The $\varepsilon$ rules, the only addition to the standard definition, do not increase the expressive power as
they can be removed by subset construction.
A Büchi automaton on infinite strings is a special case where the arity $k$ of the tree is 1.
A pushdown automaton on infinite trees works similarly to a Büchi automaton, except that it has
a stack to deal with. An $\omega$-PDA that accepts infinite trees over $\Sigma$ is a 6-tuple $(S, \Gamma, q_0, Z_0, \delta, F)$,
where $\Gamma$ is the set of stack symbols, $Z_0$ is the bottom stack marker and $F$ is the set of final states.
The transition function $\delta$ again has read transitions and $\varepsilon$ transitions. An $\varepsilon$ transition is now of
the form:
\[ (q', \gamma) \in \delta(q, Y, \varepsilon), \quad \text{where } q, q' \in S,\ \gamma \in \Gamma^*, \text{ and } Y \in \Gamma \]
A read rule is of the form
\[ ((q_0, \gamma_0), (q_1, \gamma_1), \ldots, (q_{k-1}, \gamma_{k-1})) \in \delta(q, Y, a), \quad \text{where}
\ \forall i \in [k]: q, q_i \in S,\ \forall i \in [k]: \gamma_i \in \Gamma^*,\ Y \in \Gamma, \text{ and } a \in \Sigma \]
Much like earlier, given a tree $t$, a run $r$ of $t$ is a mapping from nodes of the tree to finite sequences
of pairs of the form $(q_0, \gamma_0)(q_1, \gamma_1) \ldots (q_n, \gamma_n)$ where the $q_i$ are states and the $\gamma_i \in \Gamma^*$ are sequences of stack
symbols. The $(q_i, \gamma_i)$ are related to $(q_{i+1}, \gamma_{i+1})$ by $\varepsilon$ transitions. Furthermore, if $x$ is a node with
children $x.0, \ldots, x.(k-1)$, then the first pair for each of the children is related to the last pair of
$r(x)$ by a read rule. Formally, we have
• $r(\varepsilon) = (q_0, Z_0)(q_1, \gamma_1) \ldots (q_n, \gamma_n)$, where $q_0$ is the start state and, for all $1 \le i \le n$, the pair $(q_i, \gamma_i)$ follows from $(q_{i-1}, \gamma_{i-1})$ by an $\varepsilon$ transition as in the next condition.
• If $r(x) = (p_0, \gamma_0)(p_1, \gamma_1) \ldots (p_n, \gamma_n)$ then we have, for all $0 \le i < n$: $\gamma_i = \gamma' Y$, $\gamma_{i+1} = \gamma' \gamma''$, and $(p_{i+1}, \gamma'') \in \delta(p_i, Y, \varepsilon)$.
• If $t(x) = a$ and $r(x) = Q.(p, \gamma Y)$ then $\forall i \in [k]: r(x.i) = (p_i, \gamma \gamma_i).Q_i$ such that $((p_0, \gamma_0), \ldots, (p_{k-1}, \gamma_{k-1})) \in \delta(p, Y, a)$ and $Q, Q_i \in (S \times \Gamma^*)^*$.
Define the state trace for a node as $r(x) = q_0 \ldots q_n$, where $r(x) = (q_0, \gamma_0) \ldots (q_n, \gamma_n)$, and for a
full path $\rho = (x_i)_{0 \le i}$ as $r(\rho) = \prod_{0 \le i} r(x_i)$. A run is considered acceptable provided the state trace
of every full path has final states infinitely often in it.
The following example from [5] illustrates the power of PDA on infinite trees.
[Figure 1: An ω-tree. Legend: the triangle symbol in the figure stands for an infinite binary tree labelled by c at every node.]
Consider the PDA on infinite trees $M = (S, \Sigma, \Gamma, q_0, Z_0, \delta, F)$ over $\Sigma = \{a, b, c\}$, where $S =
\{q_0, q_1, q_2\}$, $\Gamma = \{B, Z_0\}$, and $\delta$ is defined by (1) $\delta(q_0, a, Z_0) = \{(q_1, BZ_0)(q_2, BZ_0)\}$; (2)
$\delta(q_1, b, B) = \{(q_1, \varepsilon)(q_1, \varepsilon)\}$; (3) $\delta(q_1, c, Z_0) = \{(q_1, Z_0)(q_1, Z_0)\}$; (4) $\delta(q_2, a, B) = \{(q_1, BB)(q_2, BB)\}$
(this example is a modified version of Example 1 from [7]). Let $F = \{q_1, q_2\}$. $T(M)$ contains
only one 2-ary tree $t$ where the rightmost branch of $t$ contains the $\omega$-word $a^\omega$, and each of the
other branches begins with $i$ ($> 0$) $a$'s, followed by $i$ $b$'s, and then followed by infinitely many
$c$'s (refer to Figure 1). □
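The following added example (not code from the paper) simulates the read transitions of the automaton M above in Python, spelling out the node labels of the single tree in T(M) along any path and checking the claimed bran
shape up to a finite depth; the function names and the tuple encoding of stacks (top symbol first, as in BZ0) are assumptions of this example.

```python
# Added example (not the paper's code): simulate the read transitions of the
# PDA on infinite trees M defined above, generating the node labels of the
# unique tree in T(M) along any path, and check the claimed branch shape.
from typing import Dict, List, Tuple

State = str
Stack = Tuple[str, ...]          # leftmost symbol is the top, as in "BZ0"
Config = Tuple[State, Stack]

# delta[(state, input symbol, top of stack)] = (left child, right child), each
# child being (new state, symbols replacing the top); transcribed from rules (1)-(4).
DELTA: Dict[Tuple[State, str, str], Tuple[Tuple[State, Stack], Tuple[State, Stack]]] = {
    ("q0", "a", "Z0"): (("q1", ("B", "Z0")), ("q2", ("B", "Z0"))),
    ("q1", "b", "B"):  (("q1", ()),          ("q1", ())),
    ("q1", "c", "Z0"): (("q1", ("Z0",)),     ("q1", ("Z0",))),
    ("q2", "a", "B"):  (("q1", ("B", "B")),  ("q2", ("B", "B"))),
}
FINAL = {"q1", "q2"}
ROOT: Config = ("q0", ("Z0",))


def read(config: Config) -> Tuple[str, List[Config]]:
    """Apply the unique read transition enabled at a configuration.

    Returns the input symbol the node must carry and the configurations of
    its two children. In M exactly one rule is enabled per (state, top)
    pair, which is why T(M) contains a single tree."""
    state, stack = config
    enabled = [(a, kids) for (q, a, top), kids in DELTA.items()
               if q == state and top == stack[0]]
    if len(enabled) != 1:
        raise ValueError(f"{len(enabled)} read rules enabled at {config}")
    symbol, kids = enabled[0]
    children = [(q2, replacement + stack[1:]) for q2, replacement in kids]
    return symbol, children


def branch(path: str) -> Tuple[str, List[State]]:
    """Follow a path of '0' (left child) / '1' (right child) choices from the root.

    Returns the word spelled by the labels of the nodes on the path (root
    included) and the state decorating each of those nodes."""
    config = ROOT
    word, states = "", [config[0]]
    for direction in path:
        symbol, children = read(config)
        word += symbol
        config = children[int(direction)]
        states.append(config[0])
    word += read(config)[0]          # label of the last node on the path
    return word, states


def has_claimed_shape(word: str) -> bool:
    """True iff word is a prefix of a^omega or of a^i b^i c^omega for some i > 0."""
    if set(word) <= {"a"}:
        return True
    i = len(word) - len(word.lstrip("a"))
    rest = word[i:]
    bs = len(rest) - len(rest.lstrip("b"))
    if i == 0 or bs > i:
        return False
    if bs < i:                       # still inside the block of b's
        return rest == "b" * bs
    return set(rest[bs:]) <= {"c"}


def check_all_branches(depth: int) -> bool:
    """Every path of the given depth spells a word of the claimed shape, and every
    node below the root is decorated by a final state (so the run is accepting)."""
    for n in range(2 ** depth):
        word, states = branch(format(n, "b").zfill(depth))
        if not has_claimed_shape(word) or not all(q in FINAL for q in states[1:]):
            return False
    return True


if __name__ == "__main__":
    print(branch("110000000")[0])    # aaabbbcccc
    print(check_all_branches(8))     # True
```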
We recall some results that we will make use of in the rest of the paper. The first result we
need is regarding the emptiness problem for PDA:
Theorem 2.1 (Harel and Raz [2]) The emptiness problem of PDA on infinite trees is solvable
in triple-exponential time.
The proof by Harel and Raz is based on a pumping lemma for the trees accepted by a PDA. In
contrast, by a direct analysis of context free term grammars, it can be shown that
Theorem 2.2 ([5]) The emptiness problem of PDA on infinite trees can be solved in single ex-
ponential (in the number of states and the number of stack symbols) time.
Theorem 2.3 The class of trees acceptable by PDA on infinite trees is closed under intersection
with the class of trees acceptable by Büchi automaton.
Proof (sketch): By a simple product of the two machines. The states of the new machine are
product states, and the final states of the new machine are obtained as the product of the final
states of the two machines. □
Finally, we also need the following result regarding complementation:
Theorem 2.4 ([8]) The class of sets of infinite strings accepted by Büchi automaton is closed
under complementation.
3 Context Free Processes
Context free processes arise by treating a context free grammar (in Greibach Normal form) as a
process specification. An alternative characterization has been used in [1, 3] (which we will follow)
where a context free process is specified as a set of parameterless procedures. Each procedure can
be thought of as an extended finite state process where the transitions can be labeled by actions
and by procedure names.
Let $V$ be the set of action symbols and $\mathcal{P}$ be the set of procedures that make up a process.
A context free process will be represented by a set of procedure graphs [1, 3]. Each procedure
$P \in \mathcal{P}$ is represented by a procedure graph $PG_P$ as a 5-tuple $(S_P, V_P, \delta_P, i_P, e_P)$ where $S_P$ is the
set of states, $V_P$ is the set of action symbols, $\delta_P \subseteq S_P \times (V_P \cup \mathcal{P}) \times S_P$ is the transition relation,
$i_P$ is the initial state and $e_P$ is the end state. We will assume, without loss of generality, that
$\forall P, Q \in \mathcal{P}$ with $P \ne Q$: $S_P \cap S_Q = \emptyset$.
We also make the following additional assumptions [1, 3]:
• The indegree of the node representing the state $i_P$ is zero, and the outdegree of the node
representing $e_P$ is also zero.
• Each use of a procedure name is guarded by an action.
• $V = \bigcup_{P \in \mathcal{P}} V_P$.
Finally, we can now define a context free process as $(\{PG_P \mid P \in \mathcal{P}\}, V, P_0)$, where $P_0$ is the root
procedure.
The computational graph of a context free process is obtained by expanding on the procedural
calls. Starting with $P_0$, a sequence of graphs can be obtained by substituting for procedure calls.
Formally,
Definition 3.1 The computation graph associated with a context free process is the one ob-
tained as a result of repeated expansions such that it does not contain any transitions labeled
by procedure names. The substitution of a procedural graph $PG_P$ for a transition $u \xrightarrow{P} v$ can
be carried out by identifying the start state $i_P$ of $PG_P$ with the state $u$ and the end state $e_P$ of
$PG_P$ with $v$. □
A computational tree corresponding to a context free process can be obtained by unrolling the
computational graph corresponding to that process. If a node $x$ has successor nodes $x_1, x_2, \ldots, x_n$
then by creating fresh copies of the nodes $x_i$, $1 \le i \le n$, we can obtain the computational tree.
3.1 The Translation
In this subsection we will show that corresponding to every context free process there exists a PDA
on infinite trees that accepts precisely the computation tree of that process. Clearly, the arcs of the
computation tree of a context free process are labeled by actions, whereas the arcs of trees accepted
by a PDA are not labeled. This apparent distinction can be taken care of easily by encoding both
the arcs and the nodes of the computation tree as labels of the tree being accepted by the PDA. But
in the following we will only preserve the states of the computational tree in the translation. Our
motivation for doing so is that we consider Büchi specifications to be the outgrowth of translating
formulae in a linear time temporal logic which are defined over a single program letter. As any
logic which allows more than one program letter and whose models are Büchi automaton definable
can be easily handled, our assumption is reasonable.
In order to discuss the properties that hold at a particular state, we will use a finite set of
propositions $\Pi$, and a labeling of states by these propositions. Consider the Büchi specification we
are given. Clearly, given our assumption above, the strings accepted by this Büchi specification can
be thought of as being labeled by subsets of propositions from $\Pi$. By doing so, we are concentrating
more on the temporal unfolding of the properties (or propositions) that hold over a period of time,
rather than the identity of the state reached. Thus in the rest of the paper, we will take the set of
input symbols $\Sigma$, over which the computational trees and automaton (specification) are defined, to
be $2^\Pi$.
Consider a state $s \in S_P - \{i_P, e_P\}$ in some procedure $P$ of a context free process $\mathcal{P}$. The state
$s$ appears in a number of places in the computational tree, say $s_1, s_2, \ldots, s_m$. Clearly, all of these
states $s_j$ have the same computational content as the original copy. Formally, we have
Definition 3.2 Let $S$ be the set of all states of a computational tree. An assignment function
$\ell : S \to \Pi$ is legal provided for all $s \in S$ and $s' \in S$ which are instances of the same state of a
procedural graph we have $\ell(s) = \ell(s')$. □
Note that none of the start or end states of any procedural graph would find its way into the
computational tree. Thus, given a legal assignment function $\ell$ on a computation tree for a context
free process $\mathcal{P}$, there exists a unique assignment $\ell' : \bigcup_{P \in \mathcal{P}} (S_P - \{i_P, e_P\}) \to \Pi$ such that the image
of state $s$ under $\ell'$ is the same as the image of any instance $s'$ of $s$ under $\ell$.
Note that by the first and the second condition given earlier regarding the structure of proce-
dural graphs, the computational tree will be of finite degree. The outdegree of any node in the
computational tree is bounded by $k^2$ where $k$ is the maximum outdegree of any node in the pro-
cedure graphs (due to the restriction that every use of a procedure should be guarded). Let $T$ be a
transition $(s, a, s')$. Define $\mathit{count}(T) = 1$ if $a$ is an action symbol, or $k$ where $k$ is the outdegree of
the node $i_a$, the start node of procedure $a$. Overloading the definition of $\mathit{count}$, define, for any node $s$,
$\mathit{count}(s) = \sum_{j=1}^{k} \mathit{count}(T_j)$, $T_j$ being the $j$th transition out of node $s$.
Let $\mathcal{P}$ be a context free process. Let $\ell : \bigcup_{P \in \mathcal{P}} (S_P - \{i_P, e_P\}) \to \Pi$ be an assignment function.
Define a PDA $M_{\mathcal{P}} = (S, \Gamma, \delta, s_0, Z_0, F)$ corresponding to $\mathcal{P}$ as follows:
• The set of states $S = \bigcup_{P \in \mathcal{P}} (S_P - \{i_P, e_P\}) \cup \{s_0\}$, where $s_0 \notin \bigcup_{P \in \mathcal{P}} S_P$.
• The stack symbols $\Gamma = S \cup \{Z_0\}$. The stack symbols turn out to be return addresses, and
hence we use $S$.
• The final set of states $F = S$.
• The specification of $\delta$ proceeds as follows:
Consider a procedure graph for $P$, and a state $s \ne e_P$ in a procedure $P$. Let
$s_1, \ldots, s_n$ be the successors of $s$. For every stack symbol $Z$ construct a read tran-
sition $((p_1, \gamma_1), \ldots, (p_m, \gamma_m)) \in \delta(s, Z, \ell(s))$, where $m = \mathit{count}(s)$.
Let $T_j = (s, a_j, s_j)$ be the $j$th transition out of $s$. Let $n = \mathit{count}(T_1) + \cdots +
\mathit{count}(T_{j-1})$.
- If $a_j$ is an action symbol and $s_j \ne e_P$ then $p_{n+1} = s_j$ and $\gamma_{n+1} = Z$. If $a_j$ is an
action symbol and $s_j = e_P$ then make $p_{n+1} = Z$, the return address, and $\gamma_{n+1} = \varepsilon$,
thus removing the return address from the stack.
- Consider the case where $a_j$ is not an action symbol but is a procedure name $Q$.
In this case, corresponding to the single transition $T_j$ we have to create $\mathit{count}(i_Q)$
transitions corresponding to jumping to each of the successors of the initial state $i_Q$
of procedure $Q$. Let, as in the earlier case, $n = \mathit{count}(T_1) + \cdots + \mathit{count}(T_{j-1})$ and
$n' = \mathit{count}(i_Q)$. Let these $n'$ transitions be $(i_Q, b_1, t_1), \ldots, (i_Q, b_{n'}, t_{n'})$. Clearly,
$b_j$, $1 \le j \le n'$, has to be either an action symbol or $\varepsilon$.
Let $b_j$ be $\varepsilon$, in which case we necessarily have $t_j = e_Q$. If $s_j = e_P$ then we not only
need to return from $Q$ but also from $P$, and therefore $p_{n+j} = Z$ and $\gamma_{n+j} = \varepsilon$.
If $s_j \ne e_P$ then we return back to $P$ immediately, and therefore $p_{n+j} = s_j$ and
$\gamma_{n+j} = Z$.
Let $b_j$ be an action symbol. There are four cases depending upon whether $s_j = e_P$
or not, and on whether $t_j = e_Q$ or not. We have:
\[ (p_{n+j}, \gamma_{n+j}) =
\begin{cases}
(Z, \varepsilon) & \text{if } s_j = e_P \text{ and } t_j = e_Q \\
(t_j, Z) & \text{if } s_j = e_P \text{ and } t_j \ne e_Q \\
(s_j, Z) & \text{if } s_j \ne e_P \text{ and } t_j = e_Q \\
(t_j, s_j Z) & \text{if } s_j \ne e_P \text{ and } t_j \ne e_Q
\end{cases} \]
- Using the discussion above we also create a read transition for $\delta(s_0, Z_0, \ell(s_0))$,
where $s_0$ corresponds to the start state $i_{P_0}$ of the root procedure $P_0$.
By the discussion given above we have:
Theorem 3.1 The computational tree of a context free process is definable using a PDA on infinite
trees.
In all of this discussion we have considered PDA that accept infinite trees wherein on any branch
of a run the set of final states is visited infinitely often. In the string case (both finite and infinite)
PDAs that accept by empty stack and PDAs that accept by final state are equally expressive. But
this is not so in the infinite tree case. PDAs that accept infinite trees by final states are more
powerful than PDAs that accept by empty stack [5]. Furthermore, we have the hierarchy that trees
acceptable by Büchi automaton are strictly less powerful than those accepted by PDA with empty
stack condition. We now have the following tight characterization:
Theorem 3.2 There are context free processes $\mathcal{P}$ corresponding to which there is no PDA $M_{\mathcal{P}}$ with
empty stack condition that would accept the computation tree of $\mathcal{P}$.
This is based on the observation that the computation tree that corresponds to the context free process
given by
\[ S \to aSb \mid \varepsilon \]
has an infinite branch where the stack keeps growing unboundedly.
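The return-address discipline of the translation in Section 3.1 and the unbounded stack growth behind Theorem 3.2, as an added example that is not part of the paper: procedure graphs are run with an explicit stack of return states, expanding guarded procedure calls on the fly. The procedure graphs, state names and the processes R and T are constructed here, and S encodes S → aSb | c (the c alternative is an assumption standing in for the paper's second alternative).

```python
# Added example (not the paper's code): run a context free process, given as
# procedure graphs, with an explicit stack of return addresses, the same
# bookkeeping the translation to a PDA above encodes in its stack symbols.
from typing import Dict, List, Optional, Tuple

EPS = ""                                   # empty guard: i_Q -> e_Q with no action
Edges = Dict[str, List[Tuple[str, str]]]   # state -> [(action or procedure name, target)]
Graph = Tuple[str, str, Edges]             # (initial state i_P, end state e_P, edges)
Config = Tuple[str, Tuple[str, ...]]       # (current state, stack; last element is the top)
DONE: Config = ("", ())                    # the root procedure has terminated

# Constructed procedure graphs; state names are unique across procedures.
# "S" encodes S -> a S b | c, so every call is guarded. "R" calls the empty
# procedure "T" to exercise the epsilon-guarded case of the translation.
GRAPHS: Dict[str, Graph] = {
    "S": ("iS", "eS", {"iS": [("a", "u1"), ("c", "eS")],
                       "u1": [("S", "u2")],
                       "u2": [("b", "eS")]}),
    "R": ("iR", "eR", {"iR": [("x", "v")], "v": [("T", "w")], "w": [("y", "eR")]}),
    "T": ("iT", "eT", {"iT": [(EPS, "eT")]}),
}


def owner(graphs: Dict[str, Graph], state: str) -> str:
    """Name of the procedure whose graph contains the state."""
    for name, (init, end, edges) in graphs.items():
        targets = {t for es in edges.values() for _, t in es}
        if state in (init, end) or state in edges or state in targets:
            return name
    raise KeyError(state)


def settle(graphs: Dict[str, Graph], state: str, stack: Tuple[str, ...]) -> Config:
    """Leave end states by popping return addresses; an end state with an
    empty stack means the whole process has terminated."""
    while state == graphs[owner(graphs, state)][1]:
        if not stack:
            return DONE
        state, stack = stack[-1], stack[:-1]
    return state, stack


def moves(graphs: Dict[str, Graph], config: Config) -> List[Tuple[str, Config]]:
    """Action-labelled moves out of a configuration of the computation tree.

    A transition labelled by a procedure Q is expanded into the guarded
    transitions leaving i_Q. The state to continue at after Q returns is
    pushed unless it is the caller's end state, in which case the return
    address already on the stack is reused (the (Z, epsilon) case above)."""
    if config == DONE:
        return []
    state, stack = config
    _, caller_end, edges = graphs[owner(graphs, state)]
    result: List[Tuple[str, Config]] = []
    for label, target in edges.get(state, []):
        if label not in graphs:                          # an action symbol
            result.append((label, settle(graphs, target, stack)))
            continue
        callee_init, callee_end, callee_edges = graphs[label]
        new_stack = stack if target == caller_end else stack + (target,)
        for guard, after in callee_edges.get(callee_init, []):
            if guard == EPS:                             # Q returns at once
                result.extend(moves(graphs, settle(graphs, callee_end, new_stack)))
            else:
                result.append((guard, settle(graphs, after, new_stack)))
    return result


def count(graphs: Dict[str, Graph], state: str) -> int:
    """The paper's count(s): 1 per action transition, outdegree of i_Q per call of Q."""
    total = 0
    for label, _ in graphs[owner(graphs, state)][2].get(state, []):
        if label in graphs:
            callee_init, _, callee_edges = graphs[label]
            total += len(callee_edges.get(callee_init, []))
        else:
            total += 1
    return total


def follow(graphs: Dict[str, Graph], root: str, actions: str) -> Optional[Config]:
    """Run a sequence of actions from the root procedure's initial state.
    Returns the configuration reached, or None if an action is not enabled."""
    config: Config = (graphs[root][0], ())
    for a in actions:
        candidates = [c for label, c in moves(graphs, config) if label == a]
        if not candidates:
            return None
        config = candidates[0]       # the constructed instances are deterministic
    return config


if __name__ == "__main__":
    for n in range(1, 6):            # the a-branch: one more return address per step
        print(n, follow(GRAPHS, "S", "a" * n))
```

Following the a-branch for n steps leaves n-1 copies of the return state u2 on the stack, which is the unbounded growth the observation above relies on.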
As we are interested in model-checking the context free process against a Büchi-automaton
specification on infinite strings, we need to linearize the tree into strings. This is easily done as
follows:
Theorem 3.3 Let $M = (S, \Gamma, q_0, Z_0, \delta, F)$ be a PDA on infinite trees over the alphabet $\Sigma$. The
linearization of $T(M)$ is precisely the set of infinite strings accepted by $M' = (S, \Gamma, q_0, Z_0, \delta', F)$, a
PDA on infinite strings over alphabet $\Sigma$, where $\delta'$ is defined as:
• For each $\varepsilon$-transition $(q', \gamma) \in \delta(q, Z, \varepsilon)$ we have an $\varepsilon$-transition $(q', \gamma) \in \delta'(q, Z, \varepsilon)$.
• For each read transition $((q_0, \gamma_0), \ldots, (q_{k-1}, \gamma_{k-1})) \in \delta(q, Z, a)$ we have $k$ read transitions
$(q_i, \gamma_i) \in \delta'(q, Z, a)$, $\forall\, 0 \le i \le k-1$.
Clearly, given that (a) Büchi automaton on infinite trees are closed under complementation,
and (b) PDA on infinite trees (strings) are closed under intersection with Büchi automaton on
infinite trees (strings), it is easy to see that a context free process can be model-checked against a
specification given as a Büchi automaton on infinite strings.
4 Macro Processes
In this section we will consider a generalization of context free processes, called macro processes,
whose trees are definable by a stack automaton. Note that stack automaton (on finite strings) can
accept languages such as $a^n b^n c^n$.
A macro process is again specified using a set of procedural graphs. Each procedure, in addition
to being defined by a graph, can take parameters. The transitions can now be labeled by actions,
procedure names (or procedure calls), and formal parameters. There are two restrictions: The first
restriction is that a variable has to be guarded by an action symbol (much like procedure names
of context free processes). The second restriction is that the actual parameters to a procedure call
can only be a context free process, or equivalently the name of a context free process.
A stack automaton is a generalization of a PDA that can read into the stack. The main change
from the definition of a PDA is in the specification of the transition function $\delta$. It is now of the
form
\[ (p', \gamma, d) \in \delta(p, Z, a) \]
where $d$ is the direction in $\{\mathit{up}, \mathit{down}\}$. Furthermore, stack symbols can be added or removed only
when the stack head is at the top.
A stack automaton on infinite trees [2] is similar to a PDA on infinite trees, except that the
stack head can read into the stack. Furthermore, to define the acceptance condition only those
configurations containing final states are taken into account where the stack head is at the top of
the stack.
The translation of macro processes to stack automaton on innnite trees works as follows:
o+ When a procedure is called not only the return address but also the address of the actual
parameters are stored.
o+ A transition that involves looking up a variable can be translated to a e transitions that looks
deep into the stack for the beginning address of the actual parameter under question.
o+ Finally, each actual parameter (being a context free process) can be represented by a set of
procedural graphs.
By the discussion above, we have the following:
Theorem 4.1 The computation trees of a macro process are definable by a stack automaton on
infinite trees.
Given that the emptiness problem for stack automaton is solvable, we have
Theorem 4.2 The problem of model checking macro processes against Büchi automaton specifica-
tions is solvable.
5 Conclusion
We have explored an automata theoretic approach to model checking in this paper, which allows us
to solve the problem of model checking context free processes and macro processes in a uniform
way. Importantly we have shown that a larger class of process specifications (viz. macro processes)
can be model checked. Finally, we have also offered characterizations of the computational trees of
context free processes and macro processes.
References
[1] O. Burkart and B. Steffen. Model Checking for Context Free Processes. Proc. CONCUR 92,
LNCS 630 (1992), pp. 123-137.
[2] D. Harel and D. Raz, Deciding Properties of Nonregular Programs. IEEE 31st Symp. on
Found. of Comp. Sci., 1990, pp. 652-661.
[3] H. Hungar and B. Steffen. Local Model-Checking for Context Free Processes. To appear in
ICALP 93.
[4] H. Hüttel and C. Stirling, Actions Speak Louder Than Words: Proving Bisimilarity for
Context-Free Processes. Report ECS-LFCS-91-1?5, Dept. of Comp. Sci., Univ. of Edinburgh,
April 1991. Also in Proc. of 6th Symp. on Logic in Comp. Sci., 1991.
[5] W. Peng and S. Purushothaman, Empty Stack Pushdown ω-Tree Automata. 17th Colloquium
on Trees in Algebra and Programming, Rennes, France, Feb. 1992. LNCS 581, pp. 248-264,
Springer-Verlag, 1992.
[6] W. Peng and S. Purushothaman, On the emptiness problem for ω-Pushdown automaton on
infinite trees. Submitted for publication.
[7] A. Saoudi, Pushdown Automata on Infinite Trees and Omega-Kleene Closure of Context-Free
Tree Sets. Proc. of Math. Found. of Comp. Sci., LNCS 379,
[8] P. Sistla, M. Vardi and P. Wolper. The Complementation problem of Büchi automaton. ICALP
85.
[9] M. Y. Vardi and P. Wolper, An Automata-Theoretic Approach to Automatic Program Verifi-
cation. Proc. of 1st Symp. on Logic in Comp. Sci., 1986, pp. 332-344.
State Refinement in Process Algebra
(Extended Abstract)
Andrew C. Uselton and Scott A. Smolka*
Department of Computer Science
SUNY at Stony Brook
Stony Brook, NY 11794-4400, USA
{uselton,sas}@cs.sunysb.edu
Abstract
We introduce a state refinement operator into BPA with recursive specifications and present
a comprehensive technical development of the resulting theory, BPA + SR. Our main technical
results are that bisimulation is a congruence in BPA + SR and that guarded recursive specifica-
tions have unique solutions. We also have that bisimulation remains a congruence if the merge
operator of ACP is added to BPA + SR. This is significant since action refinement, another
approach to refinement in process algebra, does not in general preserve semantic equivalences
based on interleavings of atomic actions.
State refinement, to our knowledge, represents the first attempt to capture the essence of
Harel's statecharts, viz., hierarchically structured state transition behavior, within a purely
process algebraic setting. A succinct, hierarchical specification of an alarm clock is given to
illustrate the utility of state refinement in process algebra.
1 Introduction
Statecharts [Har87] is a highly structured and economical description language for complex systems,
such as communication protocols and digital control units. Statecharts extend conventional state
transition diagrams with three elements dealing with the notions of hierarchy, concurrency and
communication. The last two notions are already present in classical process algebra (see, for
example, [Mil89]), but the statechart notion of hierarchy, in which states can have substructure,
and substates can have subsubstructure, etc., has till now been lacking.
In this paper, we introduce a state refinement operator into BPA with recursive specifica-
tions [BK84, BW90], and present a comprehensive technical development of the resulting theory.
State refinement, to our knowledge, represents the first attempt to capture the essence of state-
charts, viz., hierarchically structured state transition behavior, within a traditional process
algebraic setting.
* Research supported in part by NSF grant CCR-9120995.
State refinement is a binary operator on processes written $s[t]$. The intuitive meaning behind
this expression is that state $t$ refines state $s$ or, equivalently, $s$ is a state with substructure $t$.
Operationally, the behavior of $s[t]$ is given essentially by the following rules (but see Sections 2
and 3 for the complete set of action rules):
\[ \frac{s \xrightarrow{a} s'}{s[t] \xrightarrow{a} s'} \qquad\qquad \frac{t \xrightarrow{a} t'}{s[t] \xrightarrow{a} s[t']} \]
Intuitively, these rules say that $s[t]$ can perform a transition of $s$, effectively bypassing the possibil-
ities offered by its substructure $t$, or $s[t]$ can behave like its substructure, performing a transition
of $t$. The choice is nondeterministic.
Note that state refinement defies the traditional classification of process algebra operators into
static and dynamic: it is quintessentially a hybrid, the first rule capturing its dynamic behavior
and the second rule its static behavior.
State refinement bears an interesting relationship to the mode transfer operator of Bergstra [Ber89].
These operators were developed independently of one another and serve very different purposes, yet
they turn out to have similar (but not identical) action rules and, likewise, similar axiomatizations.
Mode transfer has its roots in the disabling operator of LOTOS [Int87, BB87], and was proposed
by Bergstra to develop the idea of disabling in a process-algebraic setting.
Consider the state-refined process $s[t]$, i.e., $s$ has substructure $t$. The analogous expression in
mode transfer notation is $t \rhd s$, representing the process for which $t$ is the normal mode of behavior
and, at any instant before the termination of $t$, control can transfer to $s$. Note that the order of the
operands is switched in the two expressions, reflecting the very different ways in which we think
about state refinement versus mode transfer.
One might try to place state refinement and mode transfer on equal footing by viewing $s[t]$ as a
process whose substructure can be "interrupted" by a "higher level" transition, i.e., one of $s$. But
this does not quite work, and the problem arises when we consider the termination of $t$. In the case
of $t \rhd s$, once $t$ terminates, transfer of control to $s$ is no longer an option, and the entire process comes to a halt.
This is not the case for state refinement: the termination of $t$ in $s[t]$ is not so fatal, as $s$ is still free
to proceed with its "own" transitions. Only its substructure has ceased to exist.
It is exactly this difference in behavior in response to $t$'s termination that leads to the difference
in action rules (and, consequently, axioms) for state refinement and mode transfer. The rule in
question for state refinement is given by:
\[ \frac{t \xrightarrow{a} \surd}{s[t] \xrightarrow{a} s} \]
while the corresponding rule for mode transfer is given by:
\[ \frac{t \xrightarrow{a} \surd}{t \rhd s \xrightarrow{a} \surd} \]
Otherwise, the action rules for these two operators are the same.
As adroitly pointed out by Bergstra [Ber89], mode transfer (and hence disabling) is a "prac-
tical" operator in that it offers a succinct notation for an oft-occurring system behavior. In fact,
eliminating mode transfer from a specification in favor of sequential nondeterminism, in general,
results in an expression exponentially larger than the original (the "expansion theorem" for con-
currency witnesses the same phenomenon). For these same reasons, we believe state refinement
can be viewed as a desirable operator to add to a process algebra.
It is interesting to also compare state refinement to another approach to refinement in process
algebra: action refinement [AH89, vG90, Gor91, Ace92]. Like state refinement, action refinement
supports hierarchical specifications of state transition behavior, this time through the refinement
of uninterpreted actions into processes. Note that the homogeneity of state refinement, in which a
process is refined by a process, is not present in action refinement.
A problem that arises in the setting of action refinement is that semantic equivalences based
on an interleaving interpretation of concurrency are not preserved by action refinement [CdMP87].
For example, let $s = a \parallel b$ and $t = a \cdot b + b \cdot a$. In an interleaving model, $s = t$ yet $\rho_f(s) \ne \rho_f(t)$,
where $\rho_f$ is a refinement operator that (syntactically) applies the map $f(a) = c \cdot d$, $f(b) = b$ to
atomic actions.
Because of its non-preservation of interleaving-based equivalences, action refinement is usu-
ally coupled with a model of concurrency based on some notion of partial order semantics (see,
e.g., [NEL88, vGG88, DD90, vG90, Vog90, JM92]). State refinement does not have this problem.
In the term model presented in this paper, and even in the presence of the merge operator of
ACP [BK84], bisimulation is a congruence for all operators, including state refinement.
Summary of Technical Results
The technical development of BPA + SR proceeds along fairly standard lines (see, e.g., [BW90]) and
we encountered few technical difficulties in integrating state refinement into process algebra. This
is to be expected given the experience of Bergstra [Ber89] with the closely related mode transfer
operator. Seamless integration of the state refinement and mode transfer operators in process
algebra may be viewed as testimony to their "well behavedness."
Our main technical results are as follows:
o+ We first present the axiom system BPA+SR, our extension of BPA to include state refinement,
and its initial algebra.
o+ A term model based on bisimulation is then given for BPA + SR, and we show that BPA + SR
is a sound and complete axiomatization of bisimulation for finite processes.
o+ We have that bisimulation is a congruence for all BPA + SR operators.
o+ Recursive specifications are added to BPA + SR, and we show that bisimulation remains a
congruence and recursive specifications have unique solutions.
The structure of the rest of this extended abstract is as follows. Section 2 presents the equational
specification BPA + SR and its term model. Section 3 adds recursive specifications to BPA +
SR. To illustrate the utility of state refinement in process algebra, Section 4 presents a succinct,
hierarchical specification of an alarm clock. Finally, Section 5 concludes and points out some
important directions for future work.
Further Related Work
Statecharts was given an operational semantics in [HLN+90]. In Statecharts concurrent components
synchronize through the broadcasting of all actions. In order to give a semantics to the multiple
simultaneous transitions that take place in a single change of state there are two notions of step. A
micro-step reflects a change from one local state to another. A macro-step is a maximal sequence
of micro-steps combined through the broadcast of the actions taking place in the micro-steps. The
semantics presented in this paper does not include either concurrent components or broadcast
actions. The introduction of a merge operator and the appropriate form of synchronization are left
to a future paper.
A compositional, denotational semantics for Statecharts was presented in [HGdR89]. In that
paper the Statecharts language was extended to include incomplete Statecharts, or Unvollendettes.
Unvollendettes have unconnected incoming transitions to which control can arrive from outside.
Similarly, control can leave via unconnected outgoing transitions. The semantic domain is a space
of functions that can map histories of computation to histories of computation.
The Statecharts-inspired language Argos of [Mar91] uses an action refinement-like operator
(schema) that applies a set of processes $p_1, \ldots, p_n$, one each to the $n$ states of a finite automaton
$q$. Such refinement is written $A_q(p_1, \ldots, p_n)$. The semantics is given in terms of reactive systems
in which inputs are enabled and the automata are all deterministic.
Hoare's CSP [Hoa85] also has an interrupt operator, whose defining equations are similar to
those for mode transfer and disabling.
The scope operator of the ACSR language [LBGG94] also supports an interrupt mechanism.
For processes $P, Q, R$, and $S$ and action $b$ and integer (time) $t$, the process $P \Delta^b_t (Q, R, S)$ behaves
like $P$ until either it terminates, in less than $t$ seconds; its exit action $b$ occurs, in which case it
behaves as $Q$; it times out at $t$ seconds and then behaves as $R$; or it is interrupted by any action
of $S$. Ignoring options $Q$ and $R$, the scope operator treats processes $P$ and $S$ in much the same
way that state refinement would. That is, $S[P]$ is approximately modeled by $P \Delta^b_\infty (0, 0, S)$, so
long as action $b$ is not allowed to occur. Taking these restrictions into account, the SOS rules and
equational laws of the scope operator are virtually identical to those of state refinement.
Refinement and recursion also occur in the Petri Box Calculus of [BDH92]. The Box Calculus is
an algebra of Box expressions with many constructs in common with CSP. In particular, recursion is
written $\mu X.B$, and refinement is written $B_1[X \leftarrow B_2]$, where $B_1$ and $B_2$ are Box expressions. There
is a homomorphism from Box expressions to the semantic domain of Boxes, equivalence classes
of Petri nets. The Petri Box Model is a true concurrency model in which causality information
is preserved. Recursion is treated in a standard way, and refinement should be understood to be
action refinement. The expression $B_1[X \leftarrow B_2]$ replaces all occurrences of transitions labeled $X$ in
the Petri net for $B_1$ with an appropriately structured Petri net from the equivalence class for the
Box $B_2$, resulting in more transitions.
Another notion of refinement in Petri nets is place refinement [Vog90], where a place is replaced by
a net. Thus the connections coming to the place are now attached to the initial places of the net,
and likewise for the connections from the original place. This technique does admit of a modular
design methodology, but it differs from the hierarchy of states in a Statechart that we pursue in the
present paper.
A previous effort by one of the authors [Use93] to give an operational semantics to Statechart-
like drawings differs from the present work in two significant respects. Syntactically that algebra,
Concurrent Hierarchical Automata (CHA), captured the ideas of boxes and arrows directly. Se-
mantically, CHA permitted arrows (transitions) that crossed the boundaries of boxes (states). The
current paper partly supersedes that work, since its treatment is more in keeping with traditional
process algebra. But CHA, being an algebra of diagrams, does retain some interest in its own right.
2 BPA+SR
2.1 Equational Specification
BPA [BK84, BW90] (Basic Process Algebra) is an equational specification upon which many other
process algebras have been constructed. In this paper, we add a state refinement operator to BPA
to obtain the equational specification BPA + SR.
Let $A$ be a set of atomic actions with constants $a, b, c, \ldots \in A$. The signature of BPA + SR over
the sort $P$ (for processes) is given by:
\[ \Sigma(\mathrm{BPA} + \mathrm{SR}) = \{a : \to P \mid a \in A\} \cup \{+ : P \times P \to P\} \cup \{\cdot : P \times P \to P\} \cup \{[\,] : P \times P \to P\} \]
As usual, the closed terms of BPA + SR are inductively defined as the constants and any finite
number of applications of the operators to terms already in the language. We will use $p, q, \ldots$,
possibly subscripted, to range over closed terms. Open terms are inductively generated from the
constants and a collection of variables (usually lower case as in $x, y, z$ and possibly subscripted).
We will use $s, t, \ldots$, possibly subscripted, to range over open terms.
Intuitively, expressions $s + t$ and $s \cdot t$ represent the alternative composition and sequential
composition of $s$ and $t$, while $s[t]$ denotes $s$ refined by $t$. The equational specification BPA + SR,
obtained by adding three axioms for state refinement to BPA, is now given:
x + y = y + x                        A1
(x + y) + z = x + (y + z)            A2
x + x = x                            A3
(x + y).z = x.z + y.z                A4
(x.y).z = x.(y.z)                    A5
x[a] = x + a.x                       SR1
x[a.y] = x + a.(x[y])                SR2
x[y + z] = x[y] + x[z]               SR3
Axioms A1-5 are well-understood. The intuition behind the state refinement axioms is as
follows:
• Refinement elimination: SR1 states that x refined by an atomic action a may choose to
perform a, after which its only option is to behave as x, or it may choose to behave like x
immediately, forgoing the opportunity to perform a.
• Refinement and sequence: in SR2, x is now refined by a.y, and if x[a.y] chooses to perform
a, then x continues to be refined, by y.
• Refinement distributes over choice: in SR3, x[y + z] initially has the choice to proceed as x
or as y + z. But this is the same as choosing between x[y] and x[z].
An associativity law and a quasi-idempotency law can also be derived for state refinement by
appealing to the above axioms. For closed terms p, q, r, we have:
= p[q[r]]
and
+ x[y] = x[y]
The mode transfer operator of [Ber89] has axioms that, when transliterated into the syntax of
state refinement, would be identical to the state refinement axioms with the exception of SR1. The
mode transfer variant of SR1 is:
x[a] = x + a
As discussed in Section 1, mode transfer was introduced with the intention of examining the
disabling operator of LOTOS in a process algebraic setting. Disabling provides a means of describ-
ing a process that may interrupt another process. Axiomatically, the only substantive difference
between state refinement and mode transfer is that in state refinement, a terminated refining ex-
pression "just goes away" and the refined expression may proceed. With mode transfer, and hence
disabling, the termination of an interruptible process precludes the interrupt from occurring.
The initial algebra I of BPA + SR is defined in the usual way. Equations A1-5 and SR1-3 say
what terms are equal. From the techniques of substitution, forming contexts, as well as symmetry,
reflexivity, and transitivity, we get a notion of what terms in BPA + SR are provably equal, written:
$BPA + SR \vdash p = q$
for closed terms $p, q \in BPA + SR$. The equivalence over the terms of BPA + SR thus produced is
written $=_{BPA+SR}$ and defined as the smallest relation such that:
$BPA + SR \vdash p = q$ implies $p =_{BPA+SR} q$
Finally the set of equivalence classes of terms over BPA + SR defines the initial algebra
$I = P/\!=_{BPA+SR}$:
$I \models p = q \iff BPA + SR \vdash p = q$
where satisfaction, on the left, means p and q are elements of the same equivalence class of the
initial algebra.
Theorem 2.1 (Elimination of [ ]) For any closed term $p \in BPA + SR$ there is a closed term
$p' \in BPA$ that p can be proved equal to:
$BPA + SR \vdash p = p'$
Theorem 2.1 can be proven by showing that BPA + SR, treated as a term rewriting system, is
strongly normalizing and confluent with normal forms equal to BPA basic terms [BW90].
Theorem 2.2 (Conservative Extension) For closed terms $p, q \in BPA$, any fact p = q that is
provable in BPA + SR is also provable in BPA, and vice versa:
$BPA + SR \vdash p = q \iff BPA \vdash p = q$
2.2 Term Model
We now consider a term model for BPA + SR based on bisimulation [Par81, Mil89]. Follow-
ing [BW90], we first define the action rules of BPA + SR which collectively constitute a transition
system specification (TSS), in the terminology of [GV89]. The TSS is obtained by augmenting the
action rules for BPA with four rules for state refinement, and is given in Figure 1.
Bisimulation equivalence over P, the closed terms of BPA + SR, is defined as follows.
Definition 2.1 A bisimulation is a binary relation R on P such that if $\langle p, q \rangle \in R$, then:
• if $p \xrightarrow{a} p'$ there exists a $q'$ such that $q \xrightarrow{a} q'$ and $\langle p', q' \rangle \in R$,
• if $q \xrightarrow{a} q'$ there exists a $p'$ such that $p \xrightarrow{a} p'$ and $\langle p', q' \rangle \in R$,
• and $p \xrightarrow{a} \surd$ if and only if $q \xrightarrow{a} \surd$.
Two terms are bisimilar, written $p \leftrightarrow q$, if there is a bisimulation relating them, and $\leftrightarrow$ is the largest
such relation.
Theorem 2.3 Bisimulation is a congruence relation on P in BPA + SR.
Our term model for BPA + SR is now given by $P/\leftrightarrow$. Furthermore, BPA + SR is a sound and
complete axiomatization of bisimulation in $P/\leftrightarrow$ for finite processes:
Act:          $a \xrightarrow{a} \surd$
Alt 1-2:      $x \xrightarrow{a} x'$ implies $x + y \xrightarrow{a} x'$ and $y + x \xrightarrow{a} x'$
√Alt 1-2:     $x \xrightarrow{a} \surd$ implies $x + y \xrightarrow{a} \surd$ and $y + x \xrightarrow{a} \surd$
Seq, √Seq:    $x \xrightarrow{a} x'$ implies $x.y \xrightarrow{a} x'.y$;  $x \xrightarrow{a} \surd$ implies $x.y \xrightarrow{a} y$
SR 1-2:       $x \xrightarrow{a} x'$ implies $x[y] \xrightarrow{a} x'$ and $y[x] \xrightarrow{a} y[x']$
√SR 1-2:      $x \xrightarrow{a} \surd$ implies $x[y] \xrightarrow{a} \surd$ and $y[x] \xrightarrow{a} y$
Figure 1: Transition system specification for BPA + SR.
Theorem 2.4
1. $P/\leftrightarrow \models BPA + SR$
2. For all closed expressions p, q over $\Sigma(BPA + SR)$:
$p \leftrightarrow q \iff BPA + SR \vdash p = q$.
Thus the term model is isomorphic to the initial algebra for BPA + SR. Soundness of axioms
SR1-3 (part 1) can be established by formalizing the intuitive arguments given above (immediately
following the statement of the axioms). Completeness (part 2) is proved by resorting to Theorem
2.1 ([ ]-elimination) and the completeness of BPA with respect to finite processes [BW90].
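As an added example (my own Python, not code from the paper), the following encodes closed B PA + SR terms, rewrites them to BPA basic terms with A4, A5 and SR1-SR3 in the spirit of Theorem 2.1, derives transitions from the rules of Figure 1, and checks bisimilarity (Definition 2.1) between a term and its normal form, which exercises the soundness direction of Theorem 2.4 on concrete terms. The tuple encoding of terms and the TICK marker standing for √ are my own choices.

```python
from functools import lru_cache

# Closed BPA + SR terms, encoded as nested tuples (own encoding, not the paper's):
#   ('a', name)  atomic action      ('+', s, t)  alternative composition s + t
#   ('.', s, t)  sequential s.t     ('[', s, t)  state refinement s[t]
TICK = 'tick'   # stands for the termination marker (the tick) of Figure 1

def atom(a): return ('a', a)
def plus(s, t): return ('+', s, t)
def seq(s, t): return ('.', s, t)
def ref(s, t): return ('[', s, t)

def summands(t):
    """Flatten nested '+' into a list (A1, A2 make nesting and order irrelevant)."""
    return summands(t[1]) + summands(t[2]) if t[0] == '+' else [t]

def mksum(parts):
    """Right-nested sum of the distinct summands in parts (A3 removes duplicates)."""
    uniq = list(dict.fromkeys(parts))
    t = uniq[-1]
    for s in reversed(uniq[:-1]):
        t = plus(s, t)
    return t

def basic(t):
    """Rewrite a closed term into a BPA basic term (a sum of a and a.t' summands).

    A4/A5 normalise sequential composition; SR1-SR3 remove every [ ], which is
    the constructive content of Theorem 2.1.
    """
    op = t[0]
    if op == 'a':
        return t
    if op == '+':
        return mksum(summands(basic(t[1])) + summands(basic(t[2])))
    x, y = basic(t[1]), basic(t[2])
    if op == '.':
        parts = []
        for s in summands(x):                           # A4: (x1 + x2).y = x1.y + x2.y
            if s[0] == 'a':
                parts.append(seq(s, y))
            else:                                       # A5: (a.x').y = a.(x'.y)
                parts.append(seq(s[1], basic(seq(s[2], y))))
        return mksum(parts)
    # op == '[': by SR3 each summand of the refining term y is handled separately
    parts = summands(x)                                 # x may forgo the refinement
    for s in summands(y):
        if s[0] == 'a':
            parts.append(seq(s, x))                     # SR1: x[a] = x + a.x
        else:
            parts.append(seq(s[1], basic(ref(x, s[2]))))   # SR2: x[a.y'] = x + a.(x[y'])
    return mksum(parts)

def has_ref(t):
    """True if the term still contains a state refinement operator."""
    return t[0] == '[' or (t[0] != 'a' and (has_ref(t[1]) or has_ref(t[2])))

def steps(t):
    """Transitions (a, t') of the TSS in Figure 1; t' is TICK for a terminating step."""
    op = t[0]
    if op == 'a':                                                   # Act
        return [(t[1], TICK)]
    if op == '+':                                                   # Alt 1-2, tick-Alt 1-2
        return steps(t[1]) + steps(t[2])
    if op == '.':                                                   # Seq, tick-Seq
        return [(a, t[2] if x1 == TICK else seq(x1, t[2])) for a, x1 in steps(t[1])]
    x, y = t[1], t[2]
    out = [(a, x1) for a, x1 in steps(x)]                           # SR1, tick-SR1: x[y] moves as x
    # SR2, tick-SR2: y moves and x stays refined by the rest of y; once y
    # terminates, x[y] just continues as x
    out += [(a, x if y1 == TICK else ref(x, y1)) for a, y1 in steps(y)]
    return out

@lru_cache(maxsize=None)
def bisimilar(p, q):
    """Strong bisimilarity (Definition 2.1) for finite terms, computed recursively."""
    if p == TICK or q == TICK:
        return p == q
    sp, sq = steps(p), steps(q)
    return (all(any(a == b and bisimilar(p1, q1) for b, q1 in sq) for a, p1 in sp)
            and all(any(a == b and bisimilar(p1, q1) for a, p1 in sp) for b, q1 in sq))

if __name__ == '__main__':
    x = seq(atom('a'), atom('b'))
    t = ref(x, plus(seq(atom('c'), atom('d')), atom('e')))     # (a.b)[c.d + e]
    print('normal form still has [ ]:', has_ref(basic(t)))     # False
    print('term and normal form bisimilar:', bisimilar(t, basic(t)))   # True
    # mode transfer (x[c] = x + c) is not bisimilar to state refinement of x by c
    print(bisimilar(ref(x, atom('c')), plus(x, atom('c'))))    # False
```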
3 Recursive Specifications in BPA + SR
3.1 Recursive Specifications
As in BPA, a recursive specification E in BPA + SR is a system of mutually recursive equations of
the form:
$X_1 = s_1(X_1, \ldots, X_n)$
$\vdots$
$X_n = s_n(X_1, \ldots, X_n)$
where the $X_i$ are process variables, $X_1$ is the root variable, and $s_i(X_1, \ldots, X_n)$ is an open BPA + SR
term with free variables $X_1, \ldots, X_n$.
A solution of a BPA + SR recursive equation X = s(X) is a process p, in some model, by
which the equation is satisfied, i.e., p = s(p) in the model. The notion of solution extends in the
natural way to a recursive specification E, with processes $p_i$ substituted for the $X_i$ giving a set of
equations that are satisfied. The constant $\langle X_i \mid E \rangle$ denotes the solution to the ith equation,
and $\langle s \mid E \rangle$ denotes the term s in which the solutions for the variables $X_i$ in E are substituted
for the occurrences of the $X_i$ in s.
As often happens, there can be a problem with an equation in which the variable X in the
term s(X) is unguarded. X is guarded in s(X) if it occurs in some subterm a.t of s, and a term
is completely guarded if all the variables of the term occur only guarded. Similarly, a collection of
mutually recursive equations E is completely guarded if all the occurrences of all the variables in
the right hand sides are guarded. Finally, E is guarded if we can use the axioms of BPA + SR and
substitution of right hand sides for their variables to rewrite the right hand sides to make it
completely guarded. Thus the equations
X = (a.X)[b] and X = b[a.X]
are completely guarded, and
X = a.X[Y]
Y = b.Y
is guarded but not completely guarded. It is easy to tell if a recursive specification E is guarded by
looking for cycles of unguardedness in the equations. Such cycles would lead to infinite unwindings,
and the absence of cycles guarantees guardedness [BW90].
3.2 The Term Model with Recursion
We now extend the sort P of process expressions to include the constants $\langle X_i \mid E \rangle$. We will
present the additional action relations needed and extend the results of the previous section to
demonstrate that bisimulation is still a congruence in the term model $P/\leftrightarrow$. A complete axiom-
atization for a model including recursive specifications is not possible in general, so this section
concludes by exploring the additional principles that are valid for the term model.
The TSS for BPA + SR with recursion has the additional action rules:
$\langle s_i \mid E \rangle \xrightarrow{a} \surd$ implies $\langle X_i \mid E \rangle \xrightarrow{a} \surd$, and $\langle s_i \mid E \rangle \xrightarrow{a} y$ implies $\langle X_i \mid E \rangle \xrightarrow{a} y$,
where $X_i = s_i \in E$.
Theorem 3.1 Bisimulation is a congruence relation on P in BPA + SR.
and
Theorem 3.2 $P/\leftrightarrow$ is a model for BPA + SR.
We also have that:
Theorem 3.3 A guarded recursive specification E has a unique solution in $P/\leftrightarrow$, and it is $\langle X \mid E \rangle$.
Following [BW90], the proof of this last theorem proceeds as follows:
• We first note that the term model satisfies the Recursive Definition Principle (RDP): every
recursive specification has a solution. A solution to the recursive specification E is $\langle X \mid E \rangle$.
• Next we introduce the notions of finite projections and bounded nondeterminism.
- The finite projections of a process may be expressed by (conservatively) extending BPA +
SR with the projection operator $\pi_n(p)$, which stops p after n steps. Projection can be
axiomatized in conjunction with BPA + SR, and the new axiom for state refinement is:
$\pi_n(x[y]) = \pi_n(\pi_n(x)[\pi_n(y)])$
- A process p for which the predicate B(p) is true has bounded nondeterminism: p does
not exhibit infinitely wide branching.
• These two notions allow us to state the Restricted Approximation Induction Principle $AIP^-$:
$\forall n \geq 1:\; \pi_n(x) = \pi_n(y) \;\&\; B(x) \Rightarrow x = y$
Our term model satisfies $AIP^-$: for a process p with bounded nondeterminism, whose finite
projections are all equal to those of a process q, we may conclude that p and q are themselves
equal.
• The principle $AIP^-$, in turn, implies the Recursive Specification Principle RSP: a guarded
recursive specification has at most one solution.
• Finally, RDP and RSP together give the above theorem.
4 Example: The Stony Brook Alarm Clock
To illustrate the utility of state refinement in process algebra, we consider a simplified version
of Harel's Citizen Quartz Multi-Alarm wristwatch [Har87], namely, the Stony Brook Alarm Clock.1
The user interface to the alarm clock consists of a display, a buzzer, and three buttons labeled a, b, c,
and is depicted in Figure 2.
1 The Citizen Quartz Multi-Alarm wristwatch is a product of the Citizen Watch Company of America, Inc., while
the Stony Brook Alarm Clock is vaporware.
The clock has three major modes: Time, in which the time is displayed; SetTime, in which the
time can be set; and SetAlarm, in which the time at which the alarm buzzes can be set. The user
can switch between the major modes by pressing the a-button.
Each major mode has substructure to it. Time has three secondary modes: Display, the normal
mode of operation in which the time is displayed; Display&Buzz when the alarm goes off; and Blink,
which is reached after a power glitch. In state Blink, the display blinks at 12:00 and the only option
left open to the user is to switch major modes.
SetTime also has three secondary modes SetHour, SetMinute, and SetSecond, in which the
hour, minute, and second of the displayed time can be adjusted. The substructure of SetAlarm is
identical to that of SetTime. The user switches between secondary modes by pressing the b-button.
Finally, secondary modes SetHour, SetMinute, and SetSecond have substructure to them re-
flecting the different numeric values the settings can take on. For example, SetHour has 12 tertiary
modes reflecting the 12 possible settings (1-12) for the hour. The user switches among these tertiary
modes via the c-button.
The hierarchical state transition structure of the alarm clock is depicted in Figure 3 and the
corresponding BPA + SR recursive specification is given in a top-down manner in Figure 4. Note
that the "twelfth" state of SetMinute and SetSecond is slightly different from the "twelfth" state
of SetHour: pressing the c button in state 12 of SetHour causes a transition back to state 1, while
pressing the c button in state 12 of SetMinute and SetSecond results in a transition to state 13.
[Figure 2, a drawing of the clock face with its display, buzzer and the buttons a, b, c, labeled STONY BROOK ALARM CLOCK, is not reproduced here.]
Figure 2: User interface to the Stony Brook Alarm Clock.
[Figure 3, the state diagram (Time with Display, Blink and Display&Buzz; SetTime and SetAlarm each with SetHour, SetMinute and SetSecond and their numbered tertiary states; transitions wakeup, buzz-off, off and the buttons a, b, c), is not reproduced here.]
Figure 3: State transition diagram of the Stony Brook Alarm Clock.
SBAC          = Time[Display]
Time          = a.SetTime[SetHour[1]]
SetTime       = a.SetAlarm[SetHour[1]]
SetAlarm      = a.Time[Display]
Display       = wakeup.Display&Buzz + powerglitch.Blink
Display&Buzz  = buzzoff.Display
SetHour       = b.SetMinute[1]
SetMinute     = b.SetSecond[1]
SetSecond     = b.SetHour[1]
1             = c.2
2             = c.3
...
60            = c.1
Figure 4: Recursive BPA + SR specification of the Stony Brook Alarm Clock.
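To make the guardedness check of Section 3.1 concrete, here is an added Python example (not from the paper) that computes the variables occurring unguarded in an open BPA + SR term, searches the equations for a cycle of unguardedness as the text describes, and runs the check on the paper's small examples and on the Figure 4 specification. The tuple encoding, the names H1..H12 and M1..M60 for the tertiary states, and the reading of X = a.X[Y] as (a.X)[Y] (the reading under which the text's "guarded but not completely guarded" holds) are my assumptions.

```python
# Open BPA + SR terms over process variables (own encoding, not the paper's):
#   ('a', name) atomic action    ('X', name) process variable
#   ('+', s, t) alternative      ('.', s, t) sequential      ('[', s, t) refinement s[t]

def atom(a): return ('a', a)
def var(X): return ('X', X)
def plus(s, t): return ('+', s, t)
def seq(s, t): return ('.', s, t)
def ref(s, t): return ('[', s, t)

def unguarded(t):
    """Variables of t that occur outside every subterm of the form a.t'.

    In s.t' only s counts: s performs at least one action before t' starts, so an
    unfolding of s guards t' (A5). In s[t'] either side may move first (SR1/SR2),
    so both count, as they do in s + t'.
    """
    op = t[0]
    if op == 'a':
        return set()
    if op == 'X':
        return {t[1]}
    if op == '.':
        return unguarded(t[1])
    return unguarded(t[1]) | unguarded(t[2])

def completely_guarded(spec):
    """Every variable occurrence in every right-hand side is guarded."""
    return all(not unguarded(rhs) for rhs in spec.values())

def unguarded_cycle(spec):
    """A cycle X1 -> X2 -> ... -> X1 of unguarded occurrences, or None if there is none.

    An edge X -> Y means Y occurs unguarded in the right-hand side of X; following
    the text, E is guarded exactly when this graph has no cycle.
    """
    colour, stack = {}, []

    def dfs(X):
        colour[X] = 'grey'
        stack.append(X)
        succ = unguarded(spec[X]) if X in spec else set()   # no equation: no edges
        for Y in sorted(succ):
            if colour.get(Y) == 'grey':
                return stack[stack.index(Y):] + [Y]
            if Y not in colour:
                cycle = dfs(Y)
                if cycle:
                    return cycle
        stack.pop()
        colour[X] = 'black'
        return None

    for X in spec:
        if X not in colour:
            cycle = dfs(X)
            if cycle:
                return cycle
    return None

def guarded(spec):
    return unguarded_cycle(spec) is None

def stony_brook_alarm_clock():
    """The specification of Figure 4; Blink has no equation there, as in the paper.

    Tertiary states are named H1..H12 (hours) and M1..M60 (minutes and seconds),
    an encoding choice that follows the remark after Figure 4.
    """
    a, b, c = atom('a'), atom('b'), atom('c')
    spec = {
        'SBAC': ref(var('Time'), var('Display')),
        'Time': seq(a, ref(var('SetTime'), ref(var('SetHour'), var('H1')))),
        'SetTime': seq(a, ref(var('SetAlarm'), ref(var('SetHour'), var('H1')))),
        'SetAlarm': seq(a, ref(var('Time'), var('Display'))),
        'Display': plus(seq(atom('wakeup'), var('Display&Buzz')),
                        seq(atom('powerglitch'), var('Blink'))),
        'Display&Buzz': seq(atom('buzzoff'), var('Display')),
        'SetHour': seq(b, ref(var('SetMinute'), var('M1'))),
        'SetMinute': seq(b, ref(var('SetSecond'), var('M1'))),
        'SetSecond': seq(b, ref(var('SetHour'), var('H1'))),
    }
    for i in range(1, 13):
        spec[f'H{i}'] = seq(c, var(f'H{i % 12 + 1}'))      # H12 = c.H1 for SetHour
    for i in range(1, 61):
        spec[f'M{i}'] = seq(c, var(f'M{i % 60 + 1}'))      # M12 = c.M13, ..., M60 = c.M1
    return spec

if __name__ == '__main__':
    clock = stony_brook_alarm_clock()
    print(completely_guarded(clock), guarded(clock))      # False True
    # constructed unguarded specification: X = Y[a], Y = X.b
    bad = {'X': ref(var('Y'), atom('a')), 'Y': seq(var('X'), atom('b'))}
    print(unguarded_cycle(bad))                            # ['X', 'Y', 'X']
```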
5 Conclusions and Future Work
Classical process algebra allows hierarchy in system specifications through the use of nested parallel
compositions. State refinement adds a new dimension to such hierarchical descriptions, viz., within
a system's state transition structure. As such, state refinement represents the first attempt, of
which we are aware, to capture the essence of statecharts within a process algebraic setting.
We have presented a technical development of state refinement (axiomatization, initial algebra,
action relations, term model, unique solutions to guarded recursive specifications, etc.) within
the framework of BPA with recursion, and shown that this new feature introduces no new signif-
icant technical difficulties. This is to be desired and, moreover, expected given the experience of
Bergstra [Ber89] with the closely related mode transfer operator.
The next logical step in our technical development of state refinement is to introduce new
operators into our setup, such as merge, restriction, and abstraction. We also plan to incorporate
state refinement into the Concurrency Factory, a graphical CASE tool for concurrent systems under
development at Stony Brook and N.C. State.
Acknowledgements
The authors are grateful to Gene Stark for valuable discussions on state refinement, Rob van
Glabbeek for helpful pointers to the literature, and Oleg Sokolsky for creation of the alarm clock
figures.
References
[Ace92] L. Aceto. Action Refinement in Process Algebras. Distinguished Dissertations in Computer Science. Cambridge University Press, 1992.
[AH89] L. Aceto and M. C. B. Hennessy. Toward action refinement in process algebra. In Proceedings of the 4th IEEE Symposium on Logic in Computer Science, 1989.
[BB87] T. Bolognesi and E. Brinksma. Introduction to the ISO specification language LOTOS. Computer Networks and ISDN Systems, 14:25-59, 1987.
[BDH92] E. Best, R. Devillers, and J. Hall. The box calculus: a new causal algebra with multi-label communication. In G. Rozenberg, editor, Advances in Petri Nets. Springer-Verlag, 1992.
[Ber89] J. A. Bergstra. A mode transfer operator in process algebra. Technical Report P8808b, Programming Research Group, University of Amsterdam, 1989.
[BK84] J. A. Bergstra and J. W. Klop. Process algebra for synchronous communication. Information and Computation, 60:109-137, 1984.
[BW90] J. C. M. Baeten and W. P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science 18. Cambridge University Press, 1990.
[CdMP87] L. Castellano, G. de Michelis, and L. Pomello. Concurrency vs interleaving: An instructive example. Bulletin of the EATCS, 31:12-15, 1987.
[DD90] P. Darondeau and P. Degano. Event structures, causal trees and refinements. Unpublished manuscript, 1990.
[Gor91] R. Gorrieri. Refinement, Atomicity and Transactions for Process Description Languages. PhD thesis, Dipartimento di Informatica, Universita' di Pisa, 1991.
[GV89] J. F. Groote and F. W. Vaandrager. Structured operational semantics and bisimulation as a congruence (extended abstract). In Proceedings of 16th ICALP, 1989.
[Har87] D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8:231-274, 1987.
[HGdR89] C. Huizing, R. Gerth, and W. P. de Roever. Modeling statecharts behavior in a fully abstract way. Technical report, Eindhoven University of Technology, Eindhoven, The Netherlands, 1989.
[HLN+90] D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. Sherman, A. Shtull-Trauring, and M. Traktenbrot. Statemate: A working environment for the development of complex reactive systems. IEEE Transactions on Software Engineering, 16(4):403-414, April 1990.
[Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, London, 1985.
[Int87] International Standards Organization, Report No. DIS 8807. LOTOS - A Formal Description Technique Based on the Temporal Ordering, 1987.
[JM92] L. Jategaonkar and A. R. Meyer. Testing equivalences for Petri nets with action refinement. In Proceedings of CONCUR '92 - Third International Conference on Concurrency Theory, Lecture Notes in Computer Science, Volume 630, pages 17-31. Springer-Verlag, 1992.
[LBGG94] I. Lee, P. Bremond-Gregoire, and R. Gerber. A process algebraic approach to the specification and analysis of resource-bound real-time systems. Proceedings of the IEEE, 1994. To appear.
[Mar91] F. Maraninchi. The Argos language: graphical representation of automata and description of reactive systems. In IEEE Workshop on Visual Languages, 1991.
[Mil89] R. Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989.
[NEL88] M. Nielsen, U. Engberg, and K. S. Larsen. Fully abstract models for a process language with refinement. In Proceedings of REX Workshop 88, Lecture Notes in Computer Science, Volume 354, pages 523-548. Springer-Verlag, 1988.
[Par81] D. M. R. Park. Concurrency and automata on infinite sequences. In Proceedings of 5th GI Conference on Theoretical Computer Science, volume 104 of Lecture Notes in Computer Science, pages 167-183. Springer-Verlag, 1981.
[Use93] A. C. Uselton. Structured operational semantics for concurrency and hierarchy. In 10th STACS, Lecture Notes in Computer Science, 1993.
[vG90] R. J. van Glabbeek. Comparative Concurrency Semantics and Refinement of Actions. PhD thesis, Free University of Amsterdam, 1990.
[vGG88] R. J. van Glabbeek and U. Goltz. Equivalence notions for concurrent systems and refinement of actions. In MFCS 88, Lecture Notes in Computer Science, Volume 379, pages 237-248. Springer-Verlag, 1988.
[Vog90] W. Vogler. Failure semantics based on interval semiwords is a congruence for refinement. In Proceedings of STACS '90, Lecture Notes in Computer Science. Springer-Verlag, 1990.
Parametric Preorders for Process Description Languages*
Daniel Yankelevich
Dep. of Computer Science, N. C. State University
Raleigh, NC 27695-8206
email: dany@csc.ncsu.edu
Abstract
In this paper we introduce a parametric context for preorders of agents and we show how it
may be used to express that an agent respects the behaviour of another one, but it is, in some
sense, better.
Based on the parametric approach to concurrency semantics of [12, 26], we here present a
framework which provides a common basis for preorders. Taking as a base a fixed transition system
and the same definition of prebisimulation, different observations yield many useful preorders: in
fact, the location preorder of [6], a preorder similar to the causal preorder of [1], a preorder
which refines the efficiency preorder of [3] and a preorder aiming to capture the efficiency of
a protocol when a particular architecture is taken into account are defined as instances of our
general framework. These relations formalize intuitive concepts such as to be more parallel than,
to be more distributed than and to be more efficient than. The formal relation with the original
proposals is established.
A sound and complete axiomatization of the preorder, parametric with respect to the observation
chosen, is also given.
1 Introduction
Process Description Languages [20, 15] have been widely used for the specification and verification of
protocols and distributed systems. They are used both to describe specifications and implementations
in an abstract way.
Specifications and programs in this approach are terms of an algebra, called here agents. The
semantics of these languages are either defined by means of axioms or operationally, by means of a
bisimulation relation. Thus, the semantics define equivalence classes of agents.
In this approach the verification of the correctness of an implementation is usually done by proving
the equivalence of the agents describing the specification and the implementation respectively. This
means that all the possible implementations of a specification have to be equivalent to it. Since the
semantics of concurrent processes is very fine (and hence, each equivalence class is smaller than in
the sequential case), it would be mandatory, for practical applications, to use preorders instead of
equivalences.
For instance, in many examples a system is specified by a nondeterministic agent and the imple-
mentation is described by an agent with many parallel components. In spite of the many advantages
of truly concurrent semantics (see many papers in [13, 8]) the proof of correctness of such an im-
plementation cannot be done using a truly concurrent equivalence. This is not a weakness of true
concurrency, but rather of the use of equivalences instead of preorders.
Preorders may also be of help in a stepwise refinement strategy for the development of concurrent
systems. The notion of stepwise refinement has been of use in the sequential programming field for
the development of complex programs and systems in a methodical way from formal specifications.
The main idea is that there is an order between formal objects (programs, specifications), and that
the "most abstract", initial specification can be substituted by a "more concrete" (and more efficient)
program. This program may not be equivalent to the specification, but it has to be at least as good
as the specification. If there are many conceptual levels, this operation can be iterated many times.
In particular, if the same language is used for the specification, the design and the implementation,
this technique can be applied in all the development process.
*Research supported in part by Hewlett-Packard, Pisa Science Center and by NSF Grant CCR-9014775
[Figure 1, three partial orders over the events a, b, c (panels 1a, 1b, 1c), is not reproduced here.]
Figure 1: Three partial order observations
In this paper we show how preorders may be used to express that an agent respects the behaviour
of another one, but it is, in some sense, better.
In general, the observer of a system is able to say that one run is better than another by per-
forming an evaluation. For instance, if (s)he is interested in spatial distribution, (s)he could prefer
a computation which is more distributed than another, even if the two computations have the same
effects (in terms of sequences of actions or changes in data).
If we are interested in causality, a computation would be observed as a partial order of events
[11]. In this case, the computations observed as the partial orders of Figure 1b and 1c introduce more
causal constraints between events than the one observed as Figure 1a. Hence, we could say that the
computation of Figure 1a is (causally) more parallel than both the other computations. Following this
reasoning, we can induce a more parallel relation on CCS agents which, for instance, would say that
$a.\beta.NIL \mid \gamma.NIL$ is more parallel than $a.\beta.\gamma.NIL + a.\gamma.\beta.NIL$ from the point of view of causality.
There are some proposals in the concurrent field aiming to define notions of preorder capturing the
intuition given above. However, each proposal rests on a different formal context, and contains some
particular features (for example a particular transition system, a variant of a bisimulation equivalence
or a particular language). Moreover, each approach has the explicit aim of formalizing one of the
possible relations between specifications: to be more parallel than [1], to be more distributed than [6],
to be an implementation of [19], to be more nondeterministic than [9], to be more defined than [25],
to be more efficient than [3].
Moreover, in the author's opinion, it is quite possible that one preorder is not enough for the
analysis of protocols and systems. In general, one is interested in measuring a system in different
dimensions. A common context where these different notions may be formalized would permit the
reuse of definitions and of possible general algorithms to perform the evaluation.
Process Description Languages are abstract languages, which do not consider particular network
topologies, but leave open in which architecture the protocol or system is supposed to be used.
In some sense, process description languages consider that all point-to-point communications are
allowed, and moreover that all of them have the same complexity; while in a particular architecture
some communications may be more difficult or even forbidden. Information about routing costs
cannot be taken into account if the particular underlying network is not considered.
Based on the parametric approach to concurrency semantics of [12, 26], we here present a frame-
work which provides a common basis for preorders, with the explicit aim of formalizing issues such
as efficiency and performance. In such a framework, many of the concepts above can be formalized
for process description languages.
A general context for the definition of preorders would help in comparing different proposals,
factorizing common features and singling out the differences.
A parametric approach permits to take advantage of previous work: common issues are shared and
do not have to be redone. Many definitions are fixed once and for all, and one can concentrate on the
particular issues of a model. Moreover, it possibly leads to general results (theorems, axiomatizations
or parametric tools) for the common basis that may be re-used in each model. A parametric theory
could also help in the development of new preorders or in testing new ideas, since it is possible to
slightly change some parameters while leaving others fixed. The formalization of new measurements
can be simplified from the use of a common description formalism.
The only proposal for a common framework to formalize different preorders is, to the best of the
author's knowledge, the work of Thomsen [24], where a preorder on a process algebra is induced by
preorders on actions by means of an extended bisimulation. This paper extends the work of [24] by
inducing preorders on agents from preorders of observations instead of preorders of actions. This
implies that it is possible to specify a preorder between the observations of whole computations, and
not only between single actions. This extension is useful, because the preorder may capture some
information about how events are related (for instance, causal and spatial relations) and not only
about how they are labeled.
As an instance of the general methodology proposed in this paper different preorders can be ob-
tained. Taking as a base the same (fixed) transition system and the same definition of prebisimulation
(an extension of bisimulation relations to deal with preorders, similar to the extended bisimulation
of [24] and to the ?-bisimulation of [1]) different observations yield many useful preorders.
Such a parametric framework gives an alternative characterization of known proposals and also
provides us with a context where it is possible to define and experiment with different preorders between
specifications just by changing the assumptions about what is interesting for a particular observer.
In fact, some intuitive choices made in previous proposals can be better analyzed.
A sound and complete axiomatization of the preorder, parametric with respect to the observation
chosen, is given.
Section 3 presents the main definitions for preorders.
A (very simple) observation that could be used to capture the concept of efficiency of a protocol
is presented in Section 5. The preorder induced by this observation refines the efficiency preorder of
[3]. A formal comparison between the two preorders is also done.
Two preorders on terms, one based on localities [6] and the other on causality [10], expressing the
notion of distribution and parallelism respectively are introduced in sections 6 and 7. These examples
show the usefulness of the approach, and also clarify the conceptual relation between both preorders.
In this context, the preorders induced by causal observations and by location observations express
the same basic idea, that of introducing more dependencies between events. This relation does not
arise clearly from the original proposals, which have been done in rather different frameworks.
An example of the use of parametric preorders to formalize the notion of efficiency when a par-
ticular architecture is taken into account is given in Section 8.
Some conclusions and further work are discussed in Section 9.
Because of lack of space, we do not present here the formal proofs of the theorems. The inter-
ested reader can refer to [26], where the complete proofs are presented together with some extended
discussions.
2 A Parametric Approach to Concurrency Semantics
A parametric approach to the definition of concurrent systems has been proposed in [12], which, in
its general lines, can be described in four steps:
1. Define a transition system capturing the operational behaviour of the system. This operational
description, which can be given by means of SOS rules [22], has to be very concrete, i.e. it has
to capture all the information about transitions that the language is intended to describe.
2. Build the computations of the system as paths in the transition system, and structure them as
an observation tree (ordering them by prefix).
3. Determine the observations of computations. These observations appear as labels of the nodes
of the observation tree, describing the relevant aspects to be considered.
4. Define an equivalence between observation trees, based on the observations defined.
In this section, the first, the second and the fourth step are fixed once and for all. We use CCS [20]
as our example language. The transition system is a variation of the original one, in which labels
are enriched in order to give some information about where an action takes place. We also show how
observation trees are defined and how bisimulation is defined over them, recalling definitions from
[12, 21].
The first step tells us that a transition system capturing the desired operational behaviour of the
system has to be defined. For CCS, such a transition system is very well known: it is the original
transition system as defined by Milner [20]. However, aiming to define different observations and to
reflect in an operational way information about the physical distribution of events, the labels of the
transitions have to be slightly extended. The SOS definition of the transition system has the same
rules as the original one, but the labels are of the form a@s (a at s), where a is an action, and s is
a term describing the spatial information of the event. These terms are called spatial terms, and have
been introduced, together with the transition system of Definition 2, in [21].
Definition 1 Spatial terms are defined by the following syntax: $s ::= \bullet \mid \circ \mid (s|s)$ and respect the
following axiom: $(\circ|\circ) = \circ$.
Intuitively, spatial terms are here used to describe information about the physical distribution of
events. For instance, the term $(\bullet|\circ)$ describes a place having another idle component at the right,
and $(\bullet|\bullet)$ describes the locality of an event which is performed simultaneously on both sides of the
system. The locality of the occurrence of the action a in $((a.P)|Q)\backslash\alpha$ is described by the term $(\bullet|\circ)$.
Definition 2 The spatial transition system for CCS is defined by the axiom and rules of Table 1.
As usual, $\mu$ denotes any label, and $\alpha$ an observable label (i.e. different from $\tau$).
A computation of the transition system is a sequence of transitions $p_0 \xrightarrow{\mu_1@s_1} p_1 \xrightarrow{\mu_2@s_2} \cdots \xrightarrow{\mu_n@s_n} p_n$.
In the second step of the general methodology, the computations from a state (corresponding to
an agent) are ordered by prefix, generating a tree-like structure. These structures are fixed, indepen-
dently of the observation, and are called observation trees. They have been introduced previously,
with the name of Nondeterministic Measurement Systems (NMS) in [10]. In [12] the theory has
been extended, in particular with the definition of a complete axiomatization of observational con-
gruence for the finite case, which is parametric with respect to the observation. Different semantics
are characterized according to the observations they utilize. Once the transition system has been
fixed, and choosing as the equivalence the same observational equivalence, different observations
yield very different semantic models [21]. The only requirement on observations is that they have to
be monotonic in the following sense: if one observes a computation and obtains some information,
observing a "longer" computation (i.e. a greater computation in the prefix ordering) one obtains
more information.
Table 1: Spatial transition rules for CCS (μ any label, a an observable label; s, s1, s2 spatial terms)

Act)  μ.E --μ@•--> E
Rel)  E --μ@s--> E' implies E[f] --f(μ)@s--> E'[f]
Res)  E --μ@s--> E' and μ ∉ {a, ā} implies E\a --μ@s--> E'\a
Sum1) E1 --μ@s--> E1' implies E1 + E2 --μ@s--> E1'
Sum2) E2 --μ@s--> E2' implies E1 + E2 --μ@s--> E2'
Com1) E1 --μ@s--> E1' implies E1|E2 --μ@(s|○)--> E1'|E2
Com2) E2 --μ@s--> E2' implies E1|E2 --μ@(○|s)--> E1|E2'
      and the synchronization rule: E1 --a@s1--> E1' and E2 --ā@s2--> E2' implies E1|E2 --τ@(s1|s2)--> E1'|E2'
Rec)  E[rec x.E / x] --μ@s--> E' implies rec x.E --μ@s--> E'
Definition 3 An observation obs is an observation domain (D, ≤), where D is a set (called set of
observations) and ≤ is a partial order on D, together with a monotonic function o from computations
ordered by prefix to the observation domain.
We will say that O ∈ D is the observation of a computation c if o(c) = O.
Observation domains are considered modulo isomorphism, i.e. two isomorphic observations are
identified.
Definition 4 The observation tree (N, ≤, o) corresponding to a CCS agent E with observation obs
is the tree of all the computations from E ordered by prefix, where each computation is labeled by its
observation obs.
A node n' is an immediate successor of a node n if n < n' and there is no n'' such that n < n'' < n',
and it is a successor if n < n' and for all n'' such that n < n'' < n' the observation of n'' is equal to
the observation of n or to the observation of n'. A node n' is a proper successor of a node n if n' is
a successor of n and n'
Definition 5 Let t = (N, ≤, o) and t' = (N', ≤', o') be two observation trees and R be a symmetric
binary relation on N ∪ N'. The relation R is a bisimulation iff n1 R n2 implies that the observations
of n1 and n2 coincide and that for every immediate successor n1' of n1 there exists a successor n2' of
n2 such that n1' R n2'.
Two trees are bisimilar if there exists a bisimulation such that the roots of the trees are related in the
bisimulation.
3 Parametric Preorders
In this section we define preorders of observation trees based on preorders of observations. With
this aim, each observation domain is enriched with a preorder. The intuition behind this preorder is
that O ≤_D O' means that the observation O' is at least as good as O. In some sense, if an observer
expects to observe O, (s)he can also accept to observe O', but notices the difference of quality between
the observations (i.e. O' has some property which makes it "better").
Definition 6 An observation obs is an observation domain (D, ≤, ≤_D) such that D and ≤ are as
in Definition 3, and ≤_D is a preorder on D, together with a monotonic function o from computations
ordered by prefix to the observation domain with the order ≤.
This preorder on observations induces a preorder on observation trees, by means of a relation called
prebisimulation. The intuition is the same as for bisimulation: the relation formalizes an experimental
context. The main difference is that there is a preorder between answers to experiments. This relation
is similar to the extended bisimulation of [24] and to the bisimulation of [1].
Definition 7 Let t = (N, ≤, o) and t' = (N', ≤', o') be two observation trees with observation domain
D and R be a binary relation R ⊆ N × N'. The relation R is a prebisimulation iff n1 R n2 implies
that
• o(n1) ≤_D o(n2) and
• for every immediate successor n1' of n1 there exists a successor n2' of n2 such that n1' R n2' and
• for every immediate successor n2' of n2 there exists a successor n1' of n1 such that n1' R n2'.
Two trees T and T' are pre-bisimilar (and we write T ≤_obs T') if there exists a prebisimulation such
that the root of T is in prebisimulation with the root of T'.
Once a preorder on observations is given, it induces automatically a preorder on terms.
Notation 8 Given two agents E and E', we say that E ≤_obs E' iff the obs observation trees of E and
E' are pre-bisimilar.
It is easy to see that the prebisimulation relation actually induces a preorder.
Proposition 9 For each observation obs the relation E ≤_obs E' between agents is a preorder.
In [12] many equivalences between observation trees besides weak bisimulation are introduced,
for example branching bisimulation and jumping bisimulation. Each of them could be extended to
an associated prebisimulation. In this work, only the weak bisimulation is taken into account, but
all the results can be easily extended to each of the remaining equivalences, in order to have a richer
class of preorders. The relation chosen corresponds to the fourth step of the parametric approach
outlined in the previous section. In this case the relation is not an equivalence but a preorder.
4 Proof System
In this section a complete axiomatization for the parametric preorder is given for finite observation
trees. The proof system extends the parametric axioms for bisimulation introduced in [12] with one
rule which lifts the preorder of the observation domain to the observation trees.
In [12] a particular syntax for representing (finite) observation trees as terms of an algebra is
introduced. Given a domain of observations D (in this case a domain of labeled forests), an observation
term over D is defined in the following way:
P ::= NIL | A.P | P ⊕ P
where A ∈ D.
In addition, the operations are partial, and this restriction is expressed via a type system. Typed
observation terms are denoted by P, Q, G and observations (which appear in the prefixing) with A, B.
The interpretation of the operations on trees is as follows. Constant NIL denotes the empty tree.
The operation A.P prefixes the tree P with a node labeled with A, and it is defined only if the root of
P (if any) is labeled with an observation equal or greater than A (because the observation function
has to be monotonic on computations ordered by prefix). The operation ⊕ between observation trees
merges two nonempty trees by collapsing their roots, hence it is defined only if both trees have the
same observation associated to the root.
These requirements are established precisely with a typing system. Constant NIL has type *,
written NIL:*. If P:B and A ≤ B or B = * then A.P:A. If P:A and Q:A, then P⊕Q:A.
The observation tree denoted by an observation term P will be written [[P]].
Observation terms, modulo axioms (A1), (A2) and (A3) of Table 2, are isomorphic to finite
observation trees. This means that [[P]] = [[Q]] iff (A1)-(A3) ⊢ P = Q.
In [12], a complete axiomatisation for branching congruence, (weak) bisimulation congruence and
strong bisimulation is given (which is parametric with respect to the observation). The set of axioms
(A1)-(W3) shown in Table 2 is sound and complete with respect to weak bisimulation. That is,
[[P]] and [[Q]] are observationally congruent iff (A1)-(W3) ⊢ P = Q.
As expected, prebisimulation preorders are not always precongruences with respect to the operations
over observation trees. For the axiomatization we consider a precongruence, and not the
preorder. This precongruence corresponds to a rooted prebisimulation.
Definition 10 A prebisimulation R is rooted iff it relates root nodes to root nodes. That is, if R is
a rooted prebisimulation between T and T' and n is the root of T and n' is the root of T', then n R n',
and n R n'' implies n'' = n', and n'' R n' implies n'' = n.
Let T and T' be observation trees over an observation obs. We write T ≤^c_obs T' if there is a rooted
prebisimulation relating T and T'.
A rooted prebisimulation induces a precongruence with respect to the operations over observation
trees, i.e. it is preserved by summation and prefixing.
Fact 11 Let P : A and P' : A' be observation terms such that P ≤^c_D P'. Then, if B and B' are
observations such that B ≤ A and B' ≤ A' and B ≤_D B' we have that B.P ≤^c_D B'.P', and Q : A and
Q' : A' implies that P ⊕ Q ≤^c_D P' ⊕ Q'.
The proof system for precongruences of observation trees consists of a set of inequations of the
form P ⊑ Q plus one inference rule. We will use implicitly some axioms and inference rules, namely
the ones expressing reflexivity, transitivity, and compatibility with the constructs. Also, we use the
equation P = Q to stand for the pair of inequations P ⊑ Q and Q ⊑ P.
These axioms give the basis for a rewriting-strategy to the bisimulation and the prebisimulation
problem. Axioms (Al)-(A4) have been used for implementing a rewriting decision procedure for
strong bisimulation in [17].
The proof of the completeness of the axiomatization is done in the vein of [14], where a standard
way of axiomatizing bisimulation-like relations over labelled trees is presented, and does not follow
the proof presented in [12]. Because of lack of space we do not present here the formal proof; it can
be found in [26].
The next theorem shows that the axioms and rules are sound for the precongruence.
Theorem 12 (Soundness) Let P:A, Q:B be observation terms such that P ⊑ Q. Then, [[P]] ≤^c_D [[Q]].
The proof of completeness of the system is simplified by the fact that observation terms are already
in sumform, i.e., they have sums, prefixing and NIL as the only constructs. In fact, an observation
term P of type A is always of the form P = ⊕_{i∈I} A.P_i.
Table 2: Axioms for Parametric Preorder (proof system for the preorder of observation trees)

(A1)  P ⊕ Q = Q ⊕ P
(A2)  (P ⊕ Q) ⊕ G = P ⊕ (Q ⊕ G)
(A3)  A.NIL ⊕ P = P
(A4)  P ⊕ P = P
(W1)  A.B.(B.P ⊕ Q) = A.(B.P ⊕ Q)
(W2)  A.P ⊕ P = A.P
(W3)  A.(B.P ⊕ Q) ⊕ A.P = A.(B.P ⊕ Q)

             P ⊑ Q
(Par)  ----------------   with P:B, provided that A ≤_D B
           A.P ⊑ B.Q
Theorem 13 (Completeness) Let P:A and Q:B be observation terms over a domain D. If [[P]] ≤^c_D [[Q]],
then P ⊑ Q.
5 Efficiency Preorder
We are particularly interested in preorders reflecting a measurement of efficiency, since they can
provide a formal basis to support design decisions and to choose particular implementations. The
definition of these preorders depends strongly on what kind of efficiency should be taken into account.
For instance, the following preorder, introduced in [3], measures the number of τ actions performed.
Hence, it could be used to count the number of communications performed in a protocol.
We denote by ≾_eff the preorder introduced in [3] to formalize the notion of efficiency, where τ's are
supposed to have some duration in time. Now, we will introduce an observation domain to achieve a
similar (but not the same) formalization of the same intuitive concept.
Definition 14 The domain of observation eff for efficiency preorders is (D, ≤, ≤_eff) where
• D = {s : s ∈ ℕ · (A · ℕ)*}, where · is the constructor for sequences.
• s ≤ s' iff s is a prefix of s'
• For n, n' ∈ ℕ, n ≤_eff n' if n' ≤ n, and s·(a·n) ≤_eff s'·(a·n') if s ≤_eff s' and n' ≤ n
Given a computation P0 --μ1@s1--> P1 --μ2@s2--> ... --μn@sn--> Pn, its observation is the sequence n1 a1 n2 a2
... am n_{m+1}, where a1 ... am is the sequence of visible actions in the computation, n_i is the
number of τ actions in the computation that occur between a_{i-1} and a_i, n1 is the number of initial
τ's and n_{m+1} is the number of final τ's.
The intuition is the following: let c1, c2 be two computations. Then, o(c1) ≤_eff o(c2) with efficiency
observations, iff c1 and c2 perform the same sequence of visible actions and c1 has possibly more τ
occurrences between two visible actions than c2.
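The observation function and the preorder of Definition 14 in runnable form, as an added example that is not code from the paper. A computation is represented only by its sequence of transition labels (the spatial part of a label plays no role for eff), the constructed runs at the bottom are not the paper's examples, and the names eff_observation, eff_leq and compare_runs are assumptions.

```python
"""Efficiency observation of Definition 14, computed for a single computation.

Added example, not code from the paper. A computation is written as the list
of its transition labels (the spatial part of each label plays no role here);
the invisible action is written "tau". The constructed runs at the bottom are
not taken from the paper's examples.
"""
TAU = "tau"

def eff_observation(labels):
    """Return n1 a1 n2 a2 ... am n_{m+1}: the visible actions interleaved with
    the number of tau steps before each of them, n1 counting the initial and
    n_{m+1} the trailing tau steps."""
    obs, taus = [], 0
    for label in labels:
        if label == TAU:
            taus += 1
        else:
            obs += [taus, label]
            taus = 0
    obs.append(taus)
    return tuple(obs)

def eff_leq(o1, o2):
    """o1 <=eff o2: both observations show the same visible actions, and no tau
    count of o2 exceeds the matching count of o1 (o2 wastes no more internal
    steps anywhere, so it is the "better" observation)."""
    if len(o1) != len(o2):
        return False
    for x, y in zip(o1, o2):
        if isinstance(x, int):
            if not isinstance(y, int) or y > x:
                return False
        elif x != y:
            return False
    return True

# Constructed runs: the same visible sequence a b with tau steps in different places.
RUNS = {
    "slow": ["tau", "a", "tau", "tau", "b"],
    "fast": ["a", "tau", "b"],
    "late": ["a", "b", "tau"],
}

def compare_runs(name1, name2):
    """Whether the observation of run name1 is <=eff that of run name2."""
    return eff_leq(eff_observation(RUNS[name1]), eff_observation(RUNS[name2]))

if __name__ == "__main__":
    for name, run in RUNS.items():
        print(name, eff_observation(run))
    print(compare_runs("slow", "fast"), compare_runs("fast", "slow"), compare_runs("fast", "late"))
```

The "fast" and "late" runs are incomparable: each spends its single τ in a different position, so neither observation is at least as good as the other.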
Theorem 15 Let E, F be CCS agents. Then, E ≾_eff F implies that E ≤_eff F.
The previous theorem shows that the preorder ≤_eff is coarser than ≾_eff. Since ≤_eff relates more
terms, it is possible to establish more judgements of the form "E is more efficient than F" using it. The
following example shows that the converse is not true.
Example 16 Let p = α.τ.τ.(β + τ.γ) and q = α.τ.(β + τ.τ.γ).
It is easy to check that p ≤_eff q and thus that q is more efficient than p. Notice that for an external
observer, the "time" (number of τ's) between the occurrence of any two observable actions is always
smaller (or equal) in q than in p. However, p ≾_eff q does not hold.
Moreover, consider the agents of the following example.
Example 17 Let sp = α.β.δ + β.α.δ and i = (α.γ|β.γ̄.δ)\γ. Then, i ≤_eff sp and i ≾_eff sp, while
sp ≤_eff i and sp ⋠_eff i.
The agent i is clearly a good implementation of the specification sp, since the two initial actions
can be done in parallel. However, sp ⋠_eff i, showing that i is too inefficient to be chosen as an
implementation of sp. The claim is not that this preorder is not useful (in fact, in [3] a nice example
of the use of ≾_eff is presented) but rather that in general it is necessary to take into account more than
one preorder at a time, i.e. to evaluate agents according to many preorders, taking care of parallelism,
distribution and efficiency. For the case of this example, we will have that i is both more parallel and
more distributed than sp.
6 Location Preorder
Location equivalence has been presented in [5, 6] as a bisimulation based semantics able to take
into account the spatial distribution of processes. The intuitive idea is that each action occurs at a
location and locations may have sublocations (for example, a fork operation at some place may create
two sublocations of that place). For CCS, the assumption is that in E|E' the two subprocesses E
and E' are at different locations.
In addition, in [6] the authors extend the approach with a parametric location bisimulation,
parametric with respect to a relation between locations. A particular relation between locations
gives rise to a preorder between terms, which expresses the intuitive fact of being more distributed
than. A process E is greater than E' in the preorder if E' is a shuffle of E. For example, α.α.α is a
sequential shuffle of α.α|α and then the latter is greater than the former.
An alternative characterization of location equivalence in the context of observation trees has
been given in [21], where an observation domain has been presented for location observations. In
this section this observation domain is extended with a preorder in order to introduce a location
preorder between terms. A formal proof of the coincidence of the location preorder presented here
and a version of the location preorder of [6] can be found in [26].
First, the definition of the location observation is recalled from [21]. With this aim, a partial
order between spatial terms is introduced, which represents the idea of sublocality: a spatial term is
a sublocality of another if the second is a refinement of the former, i.e. it can be obtained from the
former by substituting the • with a spatial term.
Definition 18 Let ≤ be the least relation defined by the following rules. It is only defined between
spatial terms with exactly one occurrence of a •.
                  s1 ≤ s2            s1 ≤ s2
   • ≤ s       -------------      -------------
               s1|○ ≤ s2|○        ○|s1 ≤ ○|s2
This relation defines a tree-like partial order between spatial terms. The root is • and a spatial
term s is greater than s' if s is obtained from s' by replacing the dot with a spatial term. This partial
order captures the intuitive idea that • represents the whole system and terms of the form s|○ or ○|s
are parts of the system, or sublocalities.
Notice that this order is only defined for spatial terms having exactly one •, i.e. terms associated
to events occurring in one place, which do not correspond to communications.
The observation domain for localities consists of (labeled) forests of events, i.e. of structures
(E, <, ≺, l). This observation domain is called loc.
Definition 19 Given a computation P0 --μ1@s1--> P1 --μ2@s2--> ... --μn@sn--> Pn, we associate to it a structure
(E, <, ≺, l), where (E, ≺) is a forest of events and < is a total generation ordering on events, defined
in the following way:
• E = {e_i | i = 1...n ∧ μ_i ≠ τ} is a set of (at most n) different events
• e_i ≺ e_j ⟺ (s_i ≤ s_j ∧ i < j)
• e_i < e_j ⟺ i < j
• l(e_i) = μ_i
This observation is called loc.
In [21] it has been shown that the bisimulation equivalence of observation trees with loc observations
coincides with location equivalence as defined in [6].
Now, the observation domain is enriched with a preorder between observations.
Definition 20 The observation domain for Location Preorder is (D, ≤, ≤_loc), where D is the set of
forests as defined above, ≤ is the prefix order on forests¹, and ≤_loc is defined in the following way:
(Ev, <, ≺, l) ≤_loc (Ev', <', ≺', l') iff there exists a bijection f : Ev' → Ev preserving the ordering
<' and the function l, and such that e1 ≺' e2 ⟹ f(e1) ≺ f(e2).
This definition tells us that a forest is greater than another if the child-of relation of the former
(seen as a set of pairs) is included in the relation of the latter. Intuitively, if O ≤_loc O', the forest of O
introduces more constraints between the events than the forest of O', and hence O is less distributed.
Fact 21 Relation ≤_loc is a preorder.
The following theorem shows the correspondence of this preorder with the location preorder of
[6] (see [26]).
Theorem 22 Let E, F ∈ CCS. Let ≲ be the preorder of [6]. Then, E ≲ F if and only if E ≤_loc F.
The following examples show that location preorder provides a very natural concept of distribution.
The definition given here, involving only the sublocation relation between occurrences of events
as reflected by the forest associated to each observation, is very direct and simple and does not require
previous definitions or derived relations.
Example 23 For any pair of agents E, E': α.(E|β.E') + β.(α.E|E') ≤_loc α.E|β.E'.
Example 24 We have that (α.(β+γ)|β̄.γ)\β ≤_loc (α.β|β̄.γ)\β but (α.β|β̄.γ)\β ≰_loc (α.(β+γ)|β̄.γ)\β.
The trees corresponding to these agents, labeled with observations in loc, are shown in Figure 2.
Using the axiomatic system of section 4, it is possible to show that (α.(β+γ)|β̄.γ)\β ≤_loc (α.β|β̄.γ)\β.
In fact, as it can be seen from the picture, the observation term corresponding to the agent
(α.(β+γ)|β̄.γ)\β is ε.(α.α.α|γ ⊕ α.αγ) and to the agent (α.β|β̄.γ)\β is ε.α.α|γ, where ε denotes the
empty forest, α the tree with one node labeled α, αγ the tree with two nodes, where γ is a successor
of α, and α|γ the forest with two one-node trees, one labeled α and one labeled γ.
Using the axiomatization proposed, we can prove that
ε.(α.α.α|γ ⊕ α.αγ) ⊑(Par) ε.(α.α.α|γ ⊕ α.α|γ) =(W2) ε.α.α.α|γ ⊑ ε.α.α|γ
¹ O ≤ O' iff O is isomorphic to a left-closed subforest of O'.
Figure 2: Two observation trees with loc observations, for (α.(β+γ)|β̄.γ)\β (left) and (α.β|β̄.γ)\β (right).
7 Causal Preorder
An observation domain reflecting the causal relationship between events is introduced. The elements
of this domain are mixed orders, that is, partial orders of events together with a total generation
ordering.
The equivalence induced by bisimulation of observation trees with this domain is the mixed ordering
bisimulation [10], sometimes called history preserving bisimulation or global cause bisimulation
(however all the definitions have been shown to coincide [2, 7, 18]).
First, a new relation between spatial terms is defined, which takes into account the crossed causes
inherited by means of τ's. While localities are not affected by events labeled with τ's, causes can
be inherited by means of communications. Hence, the sublocality relation has been extended to deal
with spatial terms with more than one •.
Definition 25 Let ⊏ be the least relation defined by the following rules.
                  s1 ⊏ s2               s1 ⊏ s2
   • ⊏ s       ----------------      ----------------
               s1|s' ⊏ s2|s''        s'|s1 ⊏ s''|s2
This relation represents the idea of overlap: two spatial terms are overlapping if the events they
are associated with involve some common place of the system. Hence, some "active" position of one
spatial term coincides, or is a refinement of, an active position of the other spatial term. The relation
tells us that there is a common location which is active in both events.
A particular case of overlapping localities is when both s' and s'' in the rules are ○ and s1 and s2
are restricted to have exactly one •: in that case the sublocality order is obtained.
Now, the observation domain for mixed order equivalence can be presented. Elements of the
domain are mixed orders (labeled partial orders plus a total generation order).
Definition 26 Given a computation P0 --μ1@s1--> P1 --μ2@s2--> ... --μn@sn--> Pn, we associate to it a mixed labeled
ordering (E, <, ≼, l), where:
• E = {e_i | i = 1...n} is a set of different events
• s_j ⊏ s_i and i < j implies e_i ≼ e_j
• e_i ≼ e_k and e_k ≼ e_j implies e_i ≼ e_j
• e_i < e_j ⟺ i < j
• l(e_i) = μ_i
The mo observation is given by the mixed order obtained by restricting (E, <, ≼, l) to events with
observable labels.
We extend the domain with a preorder. The intuition is that a mixed order is better (greater in
the preorder) than another if it corresponds to a "more parallel" computation.
Definition 27 The observation domain for Causal Preorder is (D, ≤, ≤_mo), where D is the class of
labeled mixed orders as defined above, ≤ is the prefix order on mixed orders, and ≤_mo is the least
preorder on observations satisfying:
(Ev, <, ≼, l) ≤_mo (Ev', <', ≼', l') iff there exists a bijection f : Ev' → Ev that respects the
ordering <' and the labelling l' and such that e1 ≼' e2 ⟹ f(e1) ≼ f(e2).
The preorder between mixed orders can be understood as follows: if O ≤_mo O', the partial order
of O introduces more causal dependencies between the events than the partial order of O'.
Example 28 The following inequality holds: α.β + β.α ≤_mo α|β + α.β + β.α.
Notice that the definition is very similar to the preorder for localities. In fact, considering forests
as a special case of partial orders, the relations <?mo and <?1oc coincide. Hence, the definition of the
preorder above expresses the same basic idea in two different observational contexts.
A similar preorder for CCS has been introduced in [1] by means of a bisimulation (which
resembles the prebisimulation above) and a very similar order between partial orders (expressing the
concept of being more sequential than). However, both preorders do not coincide, since the one of [1]
is based on the pomset mechanism for bisimulation. Actually, the preorder ≤_mo implies the preorder
of [1], i.e. the latter is a coarser relation.
Theorem 29 Let E, F ∈ CCS. Let ≤_can be the causal preorder of [1]. Then, E ≤_mo F implies
E ≤_can F.
The converse of the previous theorem is not true, as shown by the following example.
Example 30 Let p = α.(β + γ) + (α|β) + (α|γ) and q = α|(β + γ) + p. Then, q ≤_can p, but q ≰_mo p.
Since the loc equivalence and the mo equivalence have been shown to be different (see [18, 21, 26]),
it can be expected that also location preorder and causal preorder are different, and hence they
actually capture different concepts. In fact, the following example shows that ≤_mo ⊄ ≤_loc.
Example 31 Let p = (α.γ|γ̄.β)\γ and q = α.β. Then, p ≤_mo q but p ≰_loc q.
The following example shows that ≤_loc ⊄ ≤_mo.
Example 32 Let p = α|β and q = (γ.α|γ̄.β)\γ + (γ.α|β.γ̄)\γ. Then, p ≤_loc q but p ≰_mo q.
8 Network Topologies
In this section we show how the formal framework presented in this chapter can be instantiated in
order to describe efficiency with respect to particular architectures.
The efficiency of a particular protocol or system often depends on the structure of the architecture
where the protocol is supposed to be used. In CCS the assumption is that the underlying net is
completely connected, and any component can communicate with any other. Whilst this assumption
is useful in order to specify protocols and design systems abstractly, at some point in the development
of software it is necessary to take efficiency into account, and in particular the form of the network
used.
These requirements are too concrete to be included in a specification or specification language,
and are better understood as an extra, a posteriori condition. Hence, we would like to keep the
specification language simple and abstract and to provide a mechanism to express the network
information in an orthogonal, independent way. This also implies that protocols are proved to be correct
independently of the network, and after that one can choose which protocol to use for a particular
network based on some formal reasoning.
The aim of this section is to include information about the underlying architecture in the
observation. There are two components of the topological information:
• the description of the network, and
• the mapping from the (logical) sequential components of the specification, to the (actual) nodes
of the net.
Graphs have often been used to describe computer networks or parallel architectures. However,
such a description is not explicit enough for our purposes. In those descriptions, arcs of the graph
represent a physical connection (a wire) between two physical nodes. We seek a representation
where all the information, also about routing of messages and communication costs, can be expressed.
Moreover, we want to have a description of events such as one-to-many communications. Thus we use
labeled hypergraphs.
Definition 33 A labeled hypergraph is a quadruple G = (V, E, lab, vert) such that V and E are sets
(the set of nodes and edges of G), lab : E → A assigns to each edge of G a label in the alphabet A,
and vert is a mapping associating to every edge e a sequence of k vertices (v1, ..., vk).
We consider complete², labeled hypergraphs whose alphabets A are equipped with partial orders ≤.
Actually, this presentation assumes a two-step approach to the specification of protocols. In one
step (which may itself be divided in many stages) the usual specification with no information about
topologies is done. In the second step, the relevant information about the underlying architecture
is given. For the latter step, we would need a language to linearize the hypergraph structures, in
order to define a specification language for this approach. It is not the aim of this section to discuss
in detail this methodology, but a language to describe these graphs, with compositional properties,
could be based on the graph expressions of [4].
The idea of the hypergraph definition is that the labelling describes the desired information about
the underlying architecture, for instance the communication cost associated with each edge. Notice
that communication in CCS is just one-to-one, and thus only simple arcs are of interest, but in
general the synchronization algebra may allow one-to-many or many-to-many communications (see
for instance the language CBS [23]).
Example 34 A star architecture with four nodes is represented by the graph of Figure 3. Notice
that only edges with a single source and target are included, since they are the only interesting ones for
the case of CCS. Labels are used to describe information about routing and communication cost. In
this example, a communication between two neighbour nodes has unitary cost, while a communication
which passes through the center of the star costs 2. Arcs with two arrows represent edges in both
directions with the same label. Edges with only one node (such that vert is a one element sequence)
have as default label a 0.
² A hypergraph is complete iff for each sequence v of nodes, there exists an edge e such that vert(e) = v.
Figure 3: A star architecture and its communication costs.
Notice that in this way we are able to treat non connected topologies also for the case of CCS, in
spite of the fact that a basic assumption of the language is that the underlying network is completely
connected.
A mapping just tells us how the sequential components of an agent are distributed over the
nodes of the net. Hence, each logical component is mapped into an actual node. Note that many
logical components can be assigned to the same node. These mappings make sense mostly for agents
describing networks of components: since logical components are here described by spatial terms, we
are forced to map all the components described by the same spatial term to the same actual node.
For instance, in the agent α.NIL|β.NIL + γ.NIL|δ.NIL, the α.NIL and γ.NIL components must
be mapped to the same processor. For more complex agents the formal definitions can be extended
to deal also with choices. In that case, spatial terms need to be enriched with information about
choices.
Definition 35 Let G = (V, E, lab, vert) be a labelled hypergraph, and let ST• be the set of spatial
terms with one bullet.
A mapping is a function M : ST• → V.
Example 36 The function M(○|•) = c1, M((•|○)|○) = c2, M((○|•)|○) = c3, and M(s) = c3 otherwise,
defines a mapping from the agent (α.β|δ.β)|α to the architecture described above.
Definition 37 Given a labelled hypergraph G, the observation domain DG associated to it is (C, ≤,
≤_D), such that C is the set of sequences of pairs of the form (l, a) with l a label and a ∈ A (we write
these pairs l@a); ≤ is the prefix ordering on sequences, and l1@a1; ...; ln@an ≤_D l'1@a'1; ...; l'm@a'm
if and only if m = n and for each i ∈ [1...n], li = l'i and ai ≤ a'i. We call such sequences mapped
computations.
Given a mapping M, the observation function mapping computations to mapped computations is
defined in the following way: O_M(l1@s1; ...; ln@sn) = l1@lab(M(s1)); ...; ln@lab(M(sn)).
In this way, given a mapping and a graph, we have a canonical observation for them.
A strategy that can be followed to analyze the behaviour of protocols in a particular architecture
is to fix the graph (which describes the information about the architecture to be analyzed), fix the
term describing the protocol, and change the observation function. Notice that for each mapping we
have a different observation function. For instance, it is possible to show which mapping in a class is
the best for a particular protocol and architecture or to study the behaviour of the same protocol in
different networks.
Figure 4: The hypergraph of a hypercube
Example 38 Let us specify in CCS a protocol in which a controller sends a message to n components,
waits for a response and executes a concluding action. The controller is specified by the agent
ᾱ^n.β^n.γ.NIL, where α is the message, β are the responses and γ is the concluding action. Each
component (suppose a failure free system) is specified as α.β̄.NIL. For n = 3 we will formally analyze
this protocol for the star architecture of the previous examples and for the architecture described by
the (hyper)graph of Figure 4, a hypercube with four nodes.
The controller is mapped to the s node, and the components to the nodes c1, c2, c3. Both observation
trees have nine maximal computations. In the observation tree corresponding to the star architecture
all the maximal computations have observation (τ@1); (τ@1); (τ@1); (τ@1); (τ@1); (τ@1); (γ@0),
while in the observation tree of the hypercube, there are two τ@2 steps in each computation. Hence,
it can be proven that the protocol behaves better in the star than in the hypercube with the given
mappings.
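Definition 37 and Example 38 in runnable form, as an added example that is not code from the paper: a constructed four-node star and a four-node hypercube (a square), the protocol's maximal computations as sequences of (action, spatial term) steps, and their mapped observations compared step by step. The tuple encoding of spatial terms, the names par, merge, observe, leq and better_architecture, the node names s, c1..c3 and the shortest-route cost rule are assumptions, and the final comparison is a trace-level check rather than the full prebisimulation of Definition 7.

```python
"""Mapped computations over a labelled hypergraph (Section 8, Definition 37).
Added example, not code from the paper. Assumptions not fixed by the page:
spatial terms are nested tuples ('|', left, right) with leaves '.' (an active
place, the paper's bullet) or 'o' (idle); a communication (tau) uses the edge
joining the two nodes its two one-bullet parts are mapped to, a visible action
the one-node edge labelled 0 (Example 34); labels are costs along a shortest
route, and a lower cost is "better", so the label order is the reverse of <=.
"""
from collections import deque
from itertools import permutations

BULLET, IDLE = ".", "o"

def par(left, right):
    return ("|", left, right)

def idle_like(s):
    """Copy of s with every active place made idle."""
    return IDLE if s in (BULLET, IDLE) else par(idle_like(s[1]), idle_like(s[2]))

def active_parts(s):
    """One-bullet spatial terms, one per active place of s, left to right."""
    if s in (BULLET, IDLE):
        return [s] if s == BULLET else []
    _, left, right = s
    return ([par(t, idle_like(right)) for t in active_parts(left)]
            + [par(idle_like(left), t) for t in active_parts(right)])

def merge(s, t):
    """Spatial term of a communication between the places active in s and t."""
    if BULLET in (s, t):
        return BULLET
    if s == IDLE and t == IDLE:
        return IDLE
    return par(merge(s[1], t[1]), merge(s[2], t[2]))

def complete_hypergraph(nodes, links):
    """Edge labels: 0 for a node alone, shortest hop count for a pair of nodes."""
    adj = {v: set() for v in nodes}
    for v, w in links:
        adj[v].add(w); adj[w].add(v)
    lab = {(v,): 0 for v in nodes}
    for src in nodes:
        dist, todo = {src: 0}, deque([src])
        while todo:
            v = todo.popleft()
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    todo.append(w)
        for w, d in dist.items():
            lab[(src, w)] = d
    return lab

def observe(computation, lab, mapping):
    """Definition 37's observation: each (action, spatial term) step becomes
    (action, label of the edge the step is mapped onto)."""
    return tuple((action, lab[tuple(mapping[t] for t in active_parts(s))])
                 for action, s in computation)

def leq(o1, o2):
    """o1 <= o2 in the preorder of Definition 37: same actions and o2 never
    costlier at any step, i.e. o2 is at least as good as o1."""
    return len(o1) == len(o2) and all(
        a == b and y <= x for (a, x), (b, y) in zip(o1, o2))

def protocol_computations(ctrl, comps):
    """Maximal computations of the Example 38 protocol: the controller sends to
    every component (any order), collects one response from each (any order),
    then does gamma; sends and responses are tau steps at a two-bullet term."""
    runs = []
    for sends in permutations(comps):
        for replies in permutations(comps):
            steps = [("tau", merge(ctrl, c)) for c in sends + replies]
            runs.append(tuple(steps + [("gamma", ctrl)]))
    return runs

def better_architecture(obs_a, obs_b):
    """Trace-level check (weaker than Definition 7's prebisimulation): every
    maximal computation under b has an equally labelled, no costlier one under a."""
    return all(any(leq(o_b, o_a) for o_a in obs_a) for o_b in obs_b)

# Constructed instance: controller C and components K1..K3 placed as ((C|K1)|K2)|K3,
# mapped to nodes s, c1, c2, c3; the four-node hypercube is a square where s touches c1 and c3.
CTRL = par(par(par(BULLET, IDLE), IDLE), IDLE)
COMPS = (par(par(par(IDLE, BULLET), IDLE), IDLE),
         par(par(par(IDLE, IDLE), BULLET), IDLE),
         par(par(par(IDLE, IDLE), IDLE), BULLET))
MAPPING = dict(zip((CTRL,) + COMPS, ("s", "c1", "c2", "c3")))
NODES = ["s", "c1", "c2", "c3"]
STAR = complete_hypergraph(NODES, [("s", "c1"), ("s", "c2"), ("s", "c3")])
SQUARE = complete_hypergraph(NODES, [("s", "c1"), ("c1", "c2"), ("c2", "c3"), ("c3", "s")])

def architecture_observations(lab):
    """Observations of all maximal protocol computations under hypergraph lab."""
    return {observe(c, lab, MAPPING) for c in protocol_computations(CTRL, COMPS)}

if __name__ == "__main__":
    star, cube = architecture_observations(STAR), architecture_observations(SQUARE)
    print(sorted(cube), better_architecture(star, cube), better_architecture(cube, star))
```

Under the star every computation costs 1 per communication, while on the square the component at the opposite corner is reached at cost 2 both for the send and for the reply, so the star is at least as good and the square is not.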
9 Conclusions and Further Work
In this context, many other preorders can be defined just by changing the observation for computa-
tions. Part of the work is fixed once and for all, and it is not redone. Moreover, general theorems
can be proved which automatically are valid for all the preorders defined in this way. For instance,
sufficient conditions on the observations can be identified under which the kernel of the preorder
coincides with the associated bisimulation equivalence.
The technique used in the definition of the preorders is standard and an axiomatization is also
provided.
An interesting point for further research is the use of parametric preorders to compare the performance
of agents in different topologies, or with different routing algorithms, etc. This research should
include the application of the technique outlined in section 8 to some examples, and the extension
of mappings to deal with dynamically placed processes and process migration. Notice that using the
simple observations of section 8 we can already prove that a given protocol is more efficient in a
hypercube than in a star network.
The framework of this work allows us to define many different preorders, experiment with them,
and take the most useful, or choose in each context which observation to use. The help offered by this
framework is increased with the development of parametric tools, such as the one proposed in [16],
because they provide, without much effort, an automatic support for reasoning in a particular theory.
In fact, tools for efficiency measurement performing the analisys in different dimensions, constitute
a potential application of this work.
This approach allows us also to combine different points of view just combining the observations
associated with them. For instance, it would be easy to define a preorder capturing both causal
dependencies and spatial distribution by combining the location and causal observations deilned in
section 6 and 7.
Acknowledgments: I wish to thank Luca Aceto, because of his encouragement and his help in the
completeness proof.
References
[1] L. Aceto. On relating concurrency and nondeterminism. Report 6/89, Computer Science, University of Sussex, Brighton, 1989. An extended abstract will appear in the Proceedings of MFPS '91.
[2] L. Aceto. History preserving, causal and mixed-ordering equivalence for stable event structures (note). Technical Memo HPL-PSC-91-28, Hewlett-Packard Laboratories, Pisa Science Center, Pisa, 1991. To appear in Fundamenta Informaticae.
[3] S. Arun-Kumar and M. Hennessy. An efficiency preorder for processes. Technical Report 5/90, Computer Science, University of Sussex, Brighton, 1990.
[4] M. Bauderon and B. Courcelle. Graph expressions and graph rewritings. Mathematical Systems Theory, 20:83-127, 1987.
[5] G. Boudol, I. Castellani, M. Hennessy, and A. Kiehn. Observing localities. Technical Report 4/91, University of Sussex, March 1991. An extended abstract appeared in the Proceedings of MFCS '91, LNCS 520.
[6] G. Boudol, I. Castellani, M. Hennessy, and A. Kiehn. A theory of processes with localities. Technical Report 13/91, University of Sussex, December 1991.
[7] P. Darondeau and P. Degano. Causal trees: interleaving + causality. In I. Guessarian, editor, Semantics of Systems of Concurrent Processes, Proceedings LITP Spring School on Theoretical Computer Science, La Roche Posay, France, volume 469 of Lecture Notes in Computer Science, pages 239-255. Springer-Verlag, 1990.
[8] J. de Bakker, W. de Roever, and G. Rozenberg, editors. Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, volume 354 of Lecture Notes in Computer Science. Springer-Verlag, 1989.
[9] R. De Nicola and M. Hennessy. Testing equivalences for processes. Theoretical Comput. Sci., 34:83-133, 1984.
[10] P. Degano, R. De Nicola, and U. Montanari. Observational equivalences for concurrency models. In M. Wirsing, editor, Formal Description of Programming Concepts - III, Proceedings of the 3rd IFIP WG 2.2 working conference, Ebberup 1986, pages 105-129. North-Holland, 1987.
[11] P. Degano, R. De Nicola, and U. Montanari. Partial orderings descriptions and observations of nondeterministic concurrent processes. In J. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, REX School/Workshop on Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Noordwijkerhout, volume 354 of Lecture Notes in Computer Science, pages 438-466. Springer-Verlag, 1989.
[12] P. Degano, R. De Nicola, and U. Montanari. Universal axioms for bisimulation, 1992. To appear in Theoretical Computer Science. An extended abstract appeared in Proc. of the Workshop on Concurrency and Compositionality, Goslar.
[13] I. Guessarian, editor. Semantics of Systems of Concurrent Processes, Proceedings LITP Spring School on Theoretical Computer Science, La Roche Posay, France, volume 469 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
[14] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. J. ACM, 32(1):137-161, 1985.
[15] C. Hoare. Communicating Sequential Processes. Prentice-Hall International, Englewood Cliffs, 1985.
[16] P. Inverardi, C. Priami, and D. Yankelevich. A parametric verification tool for distributed concurrent systems, 1992. To appear, Proc. of the ERCIM Workshop on Theory and Practice in Verification. Also as Hewlett Packard Pisa Science Center technical report, HPL-PSC-92-34.
[17] P. Inverardi, C. Priami, and D. Yankelevich. Verification of concurrent systems in SML. In Proceedings ACM SIGPLAN Workshop on ML and its Applications, pages 169-175, 1992.
[18] A. Kiehn. Local and global causes. Technical Report 342/23/91, Technische Universität München, 1991.
[19] K. Larsen and B. Thomsen. A modal process logic. In Proceedings 3rd Annual Symposium on Logic in Computer Science, Edinburgh, pages 203-210, 1988.
[20] R. Milner. Communication and Concurrency. Prentice-Hall International, Englewood Cliffs, 1989.
[21] U. Montanari and D. Yankelevich. A parametric approach to localities. In Proceedings 19th ICALP, Vienna, volume 623 of Lecture Notes in Computer Science, pages 617-628. Springer-Verlag, 1992.
[22] G. Plotkin. A structural approach to operational semantics. Report DAIMI FN-19, Computer Science Department, Aarhus University, 1981.
[23] K. V. S. Prasad. A calculus of broadcasting systems. Research Report 59, Chalmers Univ. of Technology and Univ. of Göteborg, Göteborg, SW, Feb. 1991.
[24] B. Thomsen. An extended bisimulation induced by a preorder on actions. Master's thesis, Aalborg University Centre, Institute of Electronic Systems, 1987.
[25] D. Walker. Bisimulation and divergence. Information and Computation, 85(2):202-241, 1990.
[26] D. Yankelevich. Parametric Views of Process Description Languages. PhD thesis, Dipartimento di Informatica, Università di Pisa, 1992. To appear, December 1992.
