Linking Predicates from Circus to CSP

TR-ABeg-Aug2017

Linking Predicates from Circus to CSPM

∗

Arshad Beg1 and Andrew Butterfield2 1

FAST National University of Computer and Emerging Sciences Faisalabad, Pakistan [email protected] 2 Department of Computer Science, Trinity College Dublin, Ireland [email protected]

Abstract. In this paper, we present the semantic justification of formal translation from imperative language, Circus to well known process algebra, CSPM . The paper includes the mathematical proofs for the semantic justification of the translation. The semantics of the languages are expressed in the common framework of Unifying Theories of Programming (UTP). This work resulted in a linking predicate from the construct of the former to the latter. Here, some linking pairs are proved through equality and other are done through refinement construct. Keywords: Process algebras, formal Languages, formal verification, model checking; semantic justification, automatic code generation.

1.

Introduction

Formal verification plays a vital role in proving the correctness of the software/hardware system implementation. The tools like model-checkers, theorem provers and model simulators make the formal verification process possible. The work [1] describes our effort of translating from state-rich to state-poor process algebras. In our previous work [3], we proposed the idea of linking Circus and CSPM . In our work [2], we presented the development of a prototype in Java to have translation from Circus LaTeX based specification to CSPM script. Here, we present our mathematical work for defining linking pairs from Circus to CSPM . In UTP, the language semantics are described using observation variables with their undashed and dashed versions i.e. initial and final observation variables. Each programming construct is given by a relation between the initial and final observation variables. ok, ok0 depict the successful start and termination of a program. tr, tr0 depict the initial and final traces (list of events) of a program. ref , ref 0 depict the initial and final refusal set for a program. wait, wait0 depict the waiting status of a program for an interaction with its environment. The theory being studied has three essential parts: 1. Alphabets: the collection of names for the theory. ∗

The content of technical report is extracted from my PhD thesis available on URL: ‘https://www.scss.tcd.ie/publications/theses/phd/TCD-SCSS-PHD-2016-03.pdf’’

2

Arshad Beg and Andrew Butterfield

2. Signature: the set of syntax rules. 3. Healthiness Conditions: identification of important properties. Each healthiness condition captures an important fact of the computational model of the theory under study. In design theory of UTP, P ` Q depicts a design with pre-condition P and post-condition Q. It is defined as: (P ` Q) = (ok ∧ P ⇒ ok0 ∧ Q) So, the design definition states that if a program starts in a state satisfying P, then it will terminate, and on termination Q will be true. 1.1.

Healthiness Conditions: Reactive Processes

Healthiness Condition R1 (P) = P ∧ tr ≤ tr0 R2(P) = ∃ s • P[s, s a (tr0 − tr)/tr, tr0 ] R3 (P) = IIrea C wait B P

R = R1 ◦ R2 ◦ R3 1.2.

Meaning A process does not change the past history of events. The behaviour of a reactive process is oblivious to what has gone before. If previous process is unfinished, then P should not start. Here, IIrea = b DIV ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref and DIV = b ¬ok ∧ tr ≤ tr0 The composition of above three healthiness conditions is R.

Healthiness Conditions: CSP Processes

Healthiness Condition Meaning CSP1 (P) = P ∨ (¬ok ∧ tr ≤ tr0 ) The extension of the trace is the only guarantee on divergence. CSP2 (P) = P; J A process may not require non-termination. CSP3 (P) = SKIP; P A process does not depend on ref . CSP4 (P) = P; SKIP A terminating process does not restrict ref 0 . CSP5 (P) = P ||| SKIP CSP5 states that a deadlocked process that is refusing some events offered by the environment is still deadlocked in an environment that offers even fewer events. In CSP2, J = (ok ⇒ ok0 ) ∧ tr0 = tr ∧ wait0 = wait ∧ ref 0 = ref .

1.3.

Healthiness Conditions: Circus Processes

Healthiness conditions for Circus processes are explained below: C1 (A) = A; Skip

Linking Predicates from Circus to CSPM

∗∗

3

This condition is similar to CSP4 which states that the value of the variable ref 0 has no relevance after termination. C2 (A) = A |[ v | ∅ ]| Skip This condition is similar to CSP5. The third healthiness condition for Circus processes, C3 states that the precondition of a process expressed as a reactive design contains no dashed variables.

C3(A) = R(¬Aff ; true ` Atf ) 1.4.

Alphabets of Circus in UTP Semantics

According to [10], the UTP semantics of Circus contains the alphabet set of okay, wait, ref and tr with their dashed versions. In order to denote the state variables, the predicate v0 = v is used to denote x10 = x1 ∧ . . . ∧ xn0 = xn . 1.5.

Guarded Action in Circus : An Example

The semantics of Circus actions are given in [10]. One out of the Circus actions i.e. a guarded action has its semantic explanation provided here for an example. The guarded action: g & A deadlocks if the guard g is false and performs action A if g is true. In the definition of the guarded action below, A[b/ok0 ][c/wait] is abbreviated as Abc . So, Aff depicts A[false/okay0 ][false/wait]. It means that the observation variables ok0 and wait are false. Similarly, Atf = A[true/ok0 ][false/wait], meaning if A is not waiting for a previous process to finish, then it does not diverge.

g&A = R

1.6.



g ⇒ ¬Aff



`



 g ∧ Atf ∨ (¬g ∧ tr0 = tr ∧ wait0 )

Dealing with Z Schemas and Assignment Command in Circus

In our work, we shall view a process as a collection of action definitions, along with a designated action called the process main action. The action definitions associate a name and possibly some formal parameters with an action body, whose syntax is basically that of CSP processes or Circus actions, including calls by name to actions. The Circus action syntax covers those of CSP, with the addition of an assignment statement and a state-partitioning parallel construct. As Circus descriptions freely mix state information through Z and behavioural aspects through CSP actions, so dealing with these two things are of importance. Below, we will describe the handling of Z schemas and assignment commands in previous works.

4

1.7.

Arshad Beg and Andrew Butterfield

Z Schemas in Circus

The denotational semantics for schema expressions in [9] is based on a conversion rule given in [6] which transforms the schema expressions into specification statements. The schema expression is first normalised. In Circus, the Z notations for input (?) and output (!) are syntactic sugar for dashed and undashed variables, respectively. So, the schema contains actual undashed variables (udecl), dashed variables (ddecl’) and the predicate explaining the effect of the schema. The definition of schema expression in this work is as follows: Definition: [udecl; ddecl0 | pred] = b ddecl : [∃ ddecl0 • pred, pred] In [9], the laws of schemas describe the interaction between the Z and CSP part of a Circus specifications. The functions named usedV and wrtV are additionally defined to specify the laws. The usedV function gives the set of used variables i.e. the variables which are only read, but not written. The wrtV function gives the set of variables which are written. Furthermore, in case of schema expressions, the wrtV function gives the set of variables that are constrained by the schema. v0 is used the describe the list of dashed v01 , . . . , v0n free variables (DFV) of schema expressions SExp. Similarly, v0 : T notations describe the list of variables with their respective types, defined in the schema expression. The definition for wrtV function is given as: wrtV(SExp) = {v0 : DFV(SExp) | SExp 6= (∃ v0 : T • SExp) ∧ [v, v0 : T | v0 = v] • v} Here, all the dashed free variables are hidden first and then they are declared again. Their types are constrained to be of the same type as defined in the schema. If the schema expression is changed, it means that their actual values have been changed and these should be in the set of written variables.

1.8.

Dealing of Assignment Command

In [9], for assignment command, the semantics suggest non-divergence resulting a successful termination, leaving the trace unchanged. The assignment sets the final value of the variables in the left hand side to their new values. Remaining values, denoted by u in the definition, remain unchanged. The symbol u is defined as (u = b v \ {x1 , . . . , xn }). The definition for assignment command is as follows: x1 , . . . , xn := e1 , . . . , en = b R(true ` tr0 = tr ∧ ¬wait0 ∧ x10 = e1 ∧ . . . ∧ xn0 = en ∧ 0 u = u) In [8], a mechanical strategy to transform an infinite CSPZ process, composed of Z and CSP constructs into a form suitable for model-checking, was proposed. To allow the infiniteness of CSPZ process, two theories are integrated together: one is data independence of the behavioural aspects and second is abstract interpretation of the data structure aspects. The goal defined in the work [8] was to propose a strategy for analysis of infinite CSPZ processes in which the user intervenes only in the theorem proving step. The strategy is based on the integration of model checking and theorem proving. The strategy was a combination of data independence and abstract interpretation. In the proposed strategy of this work, the authors had considered data independent CSPZ processes and data dependencies in the Z part using abstract interpretation.

Linking Predicates from Circus to CSPM

2.

∗∗

5

Semantics

We have selected a subset of the target languages and named them as SimpleCSP and SimpleCircus. First, the UTP semantics of the languages are formulated, having its basis in [10, 7]. The meaning of language constructs considered in SimpleCSP and SimpleCircus are explained through informal text. Following is a description of approach adopted for establishing the link between the languages. The section concludes by including the proofs of the theorems and lemmas suggested for the link. 2.1.

Semantics of SimpleCSP

Here, we list them again for SimpleCSP. Observations for SimpleCSP: ok, ok0 : B wait, wait0 : B tr, tr0 : Σ ∗ ref , ref 0 : P Σ Healthiness conditions of CSP, with their informal meaning, were briefly introduced on page 2, section 1.2. Healthiness for SimpleCSP: R1(P) = b P ∧ tr ≤ tr0 R2(P) = b ∃ s • P[s, s a (tr0 − tr)/tr, tr0 ] R3(P) = b II CwaitB P

II = b DIV ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref

DIV = b ¬ok ∧ tr ≤ tr0

R= b R3 ◦ R2 ◦ R1 CSP1(P) = b P ∨ DIV CSP2(P) = b P o9 J CSP4(P) = b P; SKIP

J= b (ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref

CSP = b CSP1 ◦ CSP2 ◦ CSP4

P ` Q= b ok ∧ P ⇒ ok0 ∧ Q,

ok, ok0 ∈ / P, Q

Having expansions of R are useful. Given that R1 and II are R2 healthy, and II is R1healthy the most useful expansion is: R(P) = R3(R1(R2(P))) = II CwaitB (∃ s • P[s, s a (tr0 − tr)/tr, tr0 ]) ∧ tr ≤ tr0

6

Arshad Beg and Andrew Butterfield

In most case, our language definition fragments are R2-healthy so we often ignore it quite safely, to get the following “standard expansion” of R(P): R(P) = II CwaitB P ∧ tr ≤ tr0 2.2.

Exploring the Semantics of Parameters

The key idea is that we have named, parameterised action definitions of the form: N(x1 , x2 , . . . , xn ) = bA Here the xi are parameters that denote expressions. We can view the meaning of this as: λ x1 , x2 , . . . , xn • A Then the meaning of an invocation of N N(e1 , e2 , . . . , en ) is A[e1 , e2 , . . . , en /x1 , x2 , . . . , xn ] When recursion is involved, things get a little more complicated: R(x1 , x2 , . . . , xn ) = b F(R) We obtain the following fixpoint equation: R = µ X • λ x1 , . . . , xn • F(X) Regardless of which fixed point we use, the following is a fold/unfold law: R = F(R) If recursion is guarded, then we should also have a unique fixed-point principle, so: guarded(F) ∧ R = F(R) ∧ S = F(S) ⇒ R = S Now we introduce the formal semantics for SimpleCSP.

N(x1 , . . . , xn ) = b A ≡ N = µ X • λ x1 , . . . , xn • A[X/N] N = A[λ x1 , . . . , xn • A/N] The deadlock or Stop cannot engage in any event and is always waiting. So, here the final trace tr0 will be equal to the initial trace tr and the variable wait0 will be true. Stop must refuse all the events as it represents a deadlock. The definition of Stop allows any possible

Linking Predicates from Circus to CSPM

∗∗

7

refusal set, including the one that contains all events, by not mentioning ref or ref 0 in the definition. Stop = b R(true ` wait0 ∧ tr0 = tr) Skip is an action which terminates immediately. Here the final trace tr0 is equal to the initial trace tr. The final waiting status wait0 will be false. Skip = b R(∃ ref • II)

≡ R(true ` ¬wait0 ∧ tr0 = tr)

The CSP prefixing action is CSP1 healthy. It never diverges. On termination, it establishes the result of doA , defined below. In doA , while waiting (wait0 = true), it simply requires that a is not being refused, while, once waiting is over (wait0 = false), then the trace has been extended with a. a → Skip = b CSP1(ok0 ∧ doA (a))

doA (a) = b Φ(a ∈ / ref 0 Cwait0 B tr0 = tr a hai) Φ(A) = b R(A) ∧ B = R(A ∧ B)

B= b tr0 = tr Cwait0 B tr < tr0

The definition of prefix, in which after an event a, the action A is invoked, can be split into a sequential composition of a → Skip followed by the action A. Similar definition can be devised for input and output prefixing action. An event can be defined as a pair (c, e) where c is the channel and e is the value to be communicated on the channel. a→A= b a → Skip o9 A c!e → A = b c.e → Skip o9 A

c?v → A = b 2k • c.k → A[k/v],

k ∈ type(v)

The sequential composition is defined as a relational sequence, instead of being defined as reactive design. Here, the relational sequence is defined as an existential quantifier over the intermediate state of the UTP observation variables i.e. ok, wait, tr, ref . A o9 B = b ∃ Obsm • A[Obsm /Obs0 ] ∧ B[Obsm /Obs] where Obs = {ok, wait, tr, ref } Internal choice operator is defined as a disjunction between the actions A and B, showing that either of the actions can proceed. AuB= b A∨B The external choice is CSP2 healthy. If a deadlock (Stop) occurs, it is a conjuction of actions A and B. If deadlock does not occur, it is a disjunction of actions A and B. Stop being true means we are healthy but waiting. During this time, we want A and B to agree on refusals (see definition of doA (a) above), when wait0 is true. When Stop no longer holds, wait0 is false and so we want the behaviour of whichever of A and B can do the event offered by the environment. A2B= b CSP2((A ∧ B) CStopB (A ∨ B))

8

Arshad Beg and Andrew Butterfield

For hiding operator, if action A reaches such a stable state, in which it cannot perform any further events in H, then the action A \ H has also reached such state. Here, trH − tr and tr0 − tr depict the new events of action A during hiding. Skip is to ensure the inclusion of possible divergences by hiding actions. A\H = b R(∃ trH • A[trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H) o9 Skip The parallel construct is defined as existensial quantifier of observation variables of actions A and B over the conjuction of the actions. Here, both A and B run together, but we rename their after-observations so we can distinguish their outcomes. We then merge these outcomes to give the overall parallel outcome.



 ∃ ObsA , ObsB •   A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]    ∧ ok0 = okA ∧ okB   o9 Skip A kS B = b R  ∧ wait0 = waitA ∨ waitB     ∧ ref 0 ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S  ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr) In a guarded action, if the condition given in expression e is true, the action A will take place, otherwise, it will deadlock. e&A = b A CeB Stop The parameterised call to an action is through calling the action and replacing the corresponding expressions into the parameter list. N(e1 , . . . , en ) = b B[e1 , . . . , en /x1 , . . . , xn ] given N(x1 , . . . , xn ) = bB In above, two auxiliary functions are used: t S trace t with all elements in S removed t1 kS t2 set of all interleavings of t1 , t2 that synchronise on S 2.3.

Semantics of SimpleCircus

The main difference between observation variables of SimpleCircus and SimpleCSP is the inclusion of additional state, state0 which depict the status of the state variables in the program. Here, it is defined as a partial function from a variable to its value. Observations for SimpleCircus: ok, ok0 : B wait, wait0 : B tr, tr0 : Σ ∗ ref , ref 0 : P Σ state, state0 : Var → 7 Value

Linking Predicates from Circus to CSPM

∗∗

9

In the definition of healthiness conditions of SimpleCircus, R and CSP are renamed to S and CXS, to avoid confusion. Now we give the definitions of healthiness conditions of SimpleCircus.

S1(P) = b P ∧ tr ≤ tr0 S2(P) = b ∃ s • P[s, s a (tr0 − tr)/tr, tr0 ] S3(P) = b (∃ state0 • II) CwaitB P

II = b DIV ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ state0 = state

DIV = b ¬ok ∧ tr ≤ tr0 S= b S3 ◦ S2 ◦ S1 CXS1(P) = b P ∨ DIV CXS2(P) = b P o9 JX CXS4(P) = b P o9 Skip

JX = b (ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ state0 = state

P ` Q= b ok ∧ P ⇒ ok0 ∧ Q,

ok, ok0 ∈ / P, Q

Here, JX definition includes state, state0 as well. The “standard expansion” of S(P):

S(P) = (∃ state0 • II) CwaitB P ∧ tr ≤ tr0

An “alternate expansion” of S(P):

S(P) = (∃ state0 • II) CwaitB (P ∧ tr ≤ tr0 )

The work in [5] explains the motivation behind S3 (R3 with state-hiding). [5] investigated the interactions between program variable state visibility and communication behaviour in state-rich CSP-like processes, using the UTP framework. This gave the result that, if the variable state is visible during the wait state of communication, ordinary programs put together in a normal way ended up with miraculous behaviour — to be avoided in a theory of feasible programming. Now the formal semantics for SimpleCircus is given. Here, many of the definition of the language constructs involve state, state0 observation variables, which were not there in the case of SimpleCSP. Most of the definitions are essentially the same as those for SimpleCSP, and we only really need to consider the assignment command, and the parallel

10

Arshad Beg and Andrew Butterfield

construct. N(x1 , . . . , xn ) = b A ≡ N = µ X • λ x1 , . . . , xn • A[X/N] N = A[λ x1 , . . . , xn • A/N] Stop = b S(true ` wait0 ∧ tr0 = tr)

Skip = b S(true ` ¬wait0 ∧ tr0 = tr ∧ state0 = state)

A o9 B = b ∃ Obsm • A[Obsm /Obs0 ] ∧ B[Obsm /Obs]

where Obs = {ok, wait, tr, ref , state}   0  tr = tr ∧ c ∈ / ref 0  c → Skip = b S true `  Cwait0 B 0 0 a tr = tr hci ∧ state = state c→A= b (c → Skip) o9 A c!e → A = b (c.e → Skip) o9 A

c?x → A = b 2v∈typeof (x) c.v → x := v o9 A AuB= b A∨B

A2B= b CXS2((A ∧ B) CStopB (A ∨ B))

A\H = b S(∃ trH • A[trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H) o9 Skip

N(e1 , . . . , en ) = b B[e1 , . . . , en /x1 , . . . , xn ] given N(x1 , . . . , xn ) = bB e&A = b A CeB Stop In the SimpleCircus model of parallelism, both sides run on their own copy of the initial state, and the two final states are merged at the end. A requirement is that the set of variables written by each side are disjoint from each other. Also note that changes to variables done by one side are not visible to the other side. A[U|S|V ]B = b ∃ ObsA , ObsB •

A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]

∧ ok0 = okA ∧ okB ∧ wait0 = waitA ∨ waitB ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr)   ref 0 ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S  Cwait0 B ∧ 0 state = state \ (U ∪ V) ⊕ stateA  U ⊕ stateB  V The assignment command was not included in SimpleCSP. In SimpleCSP, these assignment commands turn into the parameterised call to an action, where the corresponding expressions are substituted in the parameter list. The UTP definition of the assignment command in SimpleCircus is defined as a reactive design. Here, the final status of state variables i.e. state0 is equal to the sum of unchanged state variables and the changed one having a mapping from x to expression e, evaluated in the before-state.

Linking Predicates from Circus to CSPM

∗∗

11

x := e = b S(true ` ¬wait0 ∧ tr0 = tr ∧ state0 = state ⊕ {x 7→ estate }) We use the following auxiliary functions that act on states: state \ V state with all variables in V removed state  V state with only variables in V retained

3.

Mathematical Proofs

Here, we make a distinction between the notation of constructs of SimpleCircus and SimpleCSP. The subscript C is used to distinguish the CSP version of a construct e.g. (StopC ) from the Circus version of the construct i.e. (StopX ). Here, X is the subscript for the Circus version of the construct. The observation variables defined for SimpleCircus and SimpleCSP have as a difference the presence of the variables stateX and state0X in SimpleCircus. So, the link between SimpleCircus and SimpleCSP has to deal with this difference. The need here is a linking predicate that connects these: LXC = b okC = okX ∧ okC0 = okX0 ∧ ...refC0 = refX0 ∧ relationship of stateX and state0X Here, we do some pilot proofs of concrete translations, to explore the usefulness of the semantics and to get some idea of useful laws that might help simplify proofs. First we introduce some notation: PX A SimpleCircus program T The translation predicate transformer PC A SimpleCSP program If PC is the translation of PX , then we want to prove that they have the same behaviour, when we ignore state. So, given PC = T PX we want to show that PC = (∃ state, state0 • PX ) But after mathematical investigation, it turned out that the best we can get is a refinement relation, so that PC v (∃ state, state0 • PX ) This effectively defines the connecting link between Circus and CSP UTP theories. So, the big theorem for the translation between SimpleCircus and SimpleCSP is Conjecture 1. For all SimpleCircus programs PX : T (PX ) v (∃ state, state0 • PX )

12

Arshad Beg and Andrew Butterfield

We want to show that the CSPM description produced by the translation covers the behaviour of the original Circus process with the state hidden. It would be very nice if simply hiding the state was enough, but we find the issue is more complex. Here are some possible “linking pairs” in SimpleCircus and SimpleCSP worlds: PC StopC SkipC a →C SkipC (AC o9C BC ) AC u BC AC o9C JC AC 2 BC AC k BC a → AC AC \C H Rn(AC ) CSPn(AC )

Rel PX Theorem Proof? = ∃ state, state0 • StopX 9 Pg. 23 = ∃ state, state0 • SkipX 1 Pg. 12 = ∃ state, state0 • a →X SkipX 8 Pg. 20 v (∃ state, state0 • AX o9X BX ) 2 Pg. 13 0 v (∃ state, state • AX u BX ) 3 Pg. 14 v (∃ state, state0 • AX o9X JX ) 11 Pg. 26 v (∃ state, state0 • AX 2 BX ) 4 Pg. 14 v (∃ state, state0 • AX S||T BX ) 5 Pg. 15 v (∃ state, state0 • a → AX ) 6 Pg. 17 v (∃ state, state0 • AX \X H) 7 Pg. 17 v ∃ state, state0 • Sn(AX ), n ∈ 1 . . . 3 12 Pg. 28 v ∃ state, state0 • CXSn(AX ), n ∈ 1 . . . 5 13 Pg. 29

Note: In the mathematical proofs, the sequential composition case was not trivial. Here, the left and right hand side were shown to be non-equivalent. Instead, the relationship between o9X and o9C is proved to be a refinement, not an equality. Because we obtained a refinement for the o9 operator, all other results on general predicates A, B are forced to be refinements as well, by the monotonicity of the operators.

4.

Mathematical Proofs

Here, for the proofs, the assumptions throughout are: AC v ∃ state, state0 • AX BC v ∃ state, state0 • BX Theorem 1. SkipC = (∃ state, state0 • SkipX ) Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. LHS = SkipC Now, according to the definition of the Skip construct in the CSP world, the left hand side will be equal to: = II CwaitB (true ` ¬wait0 ∧ tr0 = tr) ∧ tr ≤ tr0 Now, considering the right hand side: RHS = (∃ state, state0 • SkipX )

Linking Predicates from Circus to CSPM

∗∗

13

According to the definition of the Skip construct in the Circus world, the equation will be: = (∃ state, state0 • S(true ` ¬wait0 ∧ tr0 = tr ∧ state0 = state)) Expanding the above equation by applying the definition of the healthiness condition S, will make the above equation as: = (∃ state, state0 • (∃ state • IIX )) CwaitB (true ` ¬wait0 ∧ tr0 = tr ∧ state0 = state) ∧ tr ≤ tr0 Distributing the quantifier ∃: = (∃ state, state0 • (∃ state • IIX )) CwaitB (true ` ¬wait0 ∧ tr0 = tr ∧ (∃ state, state0 • state0 = state)) ∧ tr ≤ tr0 Now, we apply the definition of Lemma 1, available on page 24. = IIX CwaitB (true ` ¬wait0 ∧ tr0 = tr ∧ (∃ state, state0 • state0 = state)) ∧ tr ≤ tr0 Applying the one point rule will reduce the above equation to the following: = IIX CwaitB (true ` ¬wait0 ∧ tr0 = tr ∧ True) ∧ tr ≤ tr0 Simplifying above equation: = IIX CwaitB (true ` ¬wait0 ∧ tr0 = tr) ∧ tr ≤ tr0 This form of the equation makes the proof complete, as the left hand side also has the same form. Theorem 2. (AC o9C BC ) v (∃ state, state0 • AX

o 9X

BX )

Proof: Here, we show the left hand side is refined by the right hand side. This theorem is unique from others. Here, the left and right hand side were originally hoped to be equivalent. Instead, the relationship between o9X and o9C is emerged as a refinement, not an equality.

L.H.S = (AC o9C BC ) According to the definition of AC and BC : = (∃ state, state0 • AX ) o9C (∃ state, state0 • BX ) This prove completes by the application of theorem 10, on page 25. v

∃ state, state0 • AX

o 9X

BX

14

Arshad Beg and Andrew Butterfield

Theorem 3. AC u BC v (∃ state, state0 • AX u BX ) Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. L.H.S = AC u BC According to the definition of internal choice in CSP world, we get, = AC ∨ BC Expanding the definitions of AC and BC : v (∃ state, state0 • AX ) ∨ (∃ state, state0 • BX ) The distributive property of ∃ simplifies the above expression to the following: = ∃ state, state0 • (AX ∨ BX ) Now, we can apply the definition of internal choice construct in Circus world. = (∃ state, state0 • AX u BX ) Hence, the required form is acquired. Theorem 4. AC 2 BC v (∃ state, state0 • AX 2 BX ) Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. We start the proof by taking the right hand side of the theorem. R.H.S = (∃ state, state0 • AX 2 BX ) According to the definition of external choice in the Circus world, we get: = (∃ state, state0 • CXS2((AX ∧ BX ) CStopX B (AX ∨ BX ))) Expanding the above equation by applying the definition of the healthiness condition CXS2, will make the above equation become: = (∃ state, state0 • [((AX ∧ BX ) CStopX B (AX ∨ BX )) o9 JX]) Distributing the predicate ∃ state, state0 , we get: = ∃ state, state0 • ((AX ∧ BX ) CStopX B (AX ∨ BX )) o9 ∃ state, state0 • JX Expanding the above equation by applying the definition of J in Circus world will make the above equation be: = ∃ state, state0 • ((AX ∧ BX ) CStopX B (AX ∨ BX )) o9 ∃ state, state0 • (ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ state0 = state

Linking Predicates from Circus to CSPM

∗∗

15

Applying the one point rule will reduce the above equation to the following: = ∃ state, state0 • ((AX ∧ BX ) CStopX B (AX ∨ BX )) o9 (ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref Applying the definition of J in CSP world will reduce the equation as follows: = ∃ state, state0 • ((AX ∧ BX ) CStopX B (AX ∨ BX )) o9 JC Now, applying the definition of the CB construct: = ∃ state, state0 • (StopX ∧ (AX ∧ BX ) ∨ ¬StopX ∧ (AX ∨ BX )) o9 JC The distributive property of ∃ state, state0 will make the equation become: = ((∃ state, state0 • StopX ∧ (∃ state, state0 • AX ∧ ∃ state, state0 • BX )) ∨ (∃ state, state0 • ¬StopX ∧ (∃ state, state0 • AX ∨ ∃ state, state0 • BX ))) o9 JC Now we apply theorem 9, on page 23. = ((StopC ∧ (∃ state, state0 • AX ∧ ∃ state, state0 • BX )) ∨ (¬StopC ∧ (∃ state, state0 • AX ∨ ∃ state, state0 • BX ))) o9 JC Reducing above equation by using definitions of CB, AC and BC : v ((AC ∧ BC ) CStopC B (AC ∨ BC )) o9 JC Using the definition of healthiness condition CSP2, we get: = CSP2((AC ∧ BC ) CStopC B (AC ∨ BC )) Now, we can apply the definition of external choice construct in CSP world. = AC 2 BC This completes our proof as we have matched the expression of the left hand side of the theorem. Theorem 5. AC kS BC v (∃ state, state0 • AX [U|S|V ]BX ) Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. We start the proof by taking the left hand side of the theorem. L.H.S = AC kS BC Applying the definition of parallel construct in the CSP world, we get the following expression.   ∃ ObsCA , ObsCB •   AC [ObsCA /Obs0 ] ∧ BC [ObsCB /Obs0 ]    ∧ ok0 = okC ∧ okC  B A  o9C SkipC =  ∧ wait0 = waitC ∨ waitC  B A    ∧ ref 0 ⊆ (refAC ∪ refBC ) ∩ S ∪ (refAC ∩ refBC ) \ S  ∧ tr0 − tr ∈ (trAC − tr) kS (trBC − tr)

16

Arshad Beg and Andrew Butterfield

Now, taking right hand side of the theorem and solving it to get the expanded form of left hand side. R.H.S = (∃ state, state0 • AX [U|S|V ]BX ) According to the definition of parallel construct in Circus world, we get:   ∃ ObsXA , ObsXB •   AX [ObsXA /Obs0 ] ∧ BX [ObsXB /Obs0 ]     ∧ ok0 = okX ∧ okBX A   0 X X   ∧ wait = waitA ∨ waitB  = ∃ state, state0 •    ∧ tr0 − tr ∈ (trX − tr) k (trBX − tr) A S     0 X X X X   ref ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S   0   ∧  Cwait B 0 X X state = state \ (U ∪ V) ⊕ stateA  U ⊕ stateB  V In the SimpleCircus model of parallelism, both sides run on their own copy of the initial state, and the two final states are merged at the end. A requirement is that the set of variables written by each side are disjoint from each other. Furthermore, the changes to variables done by one side are not visible to the other side. Therefore, we can partially apply the one-point rule, as there are no free occurrences of state’, which means the statement state0 = . . . reduces to true, but we keep the now-vacuous quantification of state’ because it makes later steps simpler.   ∃ ObsXA , ObsXB •   AX [ObsXA /Obs0 ] ∧ BX [ObsXB /Obs0 ]     ∧ ok0 = okX ∧ okBX A   0 X X   ∧ wait = wait ∨ wait 0 B A   = ∃ state, state •  0 X X  ∧ tr − tr ∈ (tr − tr) k (tr − tr) B A S     0 X X X X   ref ⊆ (ref ∪ ref ) ∩ S ∪ (ref ∩ ref ) \ S B B A A    ∧  Cwait0 B true Making use of theorem 4, on page 30, we get:   ∃ ObsXA , ObsXB •  AX [ObsXA /Obs0 ] ∧ BX [ObsXB /Obs0 ]    0 0  o9X SkipX okAX ∧ okBX = ∃ state, state •    ∧ ok =  ∧ wait0 = waitAX ∨ waitBX  ∧ tr0 − tr ∈ (trAX − tr) kS (trBX − tr) Now, using theorem 2, on page 13, the following equation is acquired.   ∃ ObsCA , ObsCB •   AC [ObsCA /Obs0 ] ∧ BC [ObsCB /Obs0 ]    ∧ ok0 = okC ∧ okC  B A  o9C SkipC  v 0 C C  = waitA ∨ waitB  ∧ wait   ∧ ref 0 ⊆ (refAC ∪ refBC ) ∩ S ∪ (refAC ∩ refBC ) \ S  ∧ tr0 − tr ∈ (trAC − tr) kS (trBC − tr) This form of the equation makes the proof complete, as the left hand side also has the same form.

Linking Predicates from Circus to CSPM

∗∗

17

Theorem 6. a → AC v (∃ state, state0 • a → AX ) Now, we provide the proof for prefixing action. Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. We start the proof by taking the left hand side of the theorem. L.H.S = a →C AC According to the definition of prefixing action in the CSP world, we get: = a →C SkipC o9C AC Now, taking the right hand side of the theorem and solving it to get the expanded form of left hand side. R.H.S = (∃ state, state0 • a →X AX ) According to the definition of prefixing action in the CSP world, we get: = (∃ state, state0 • a →X SkipX

o 9X

AX )

Distributing the existensial quantifier ∃, the above equation will get the following form: = (∃ state, state0 • a →X SkipX ) o9X (∃ state, state0 • AX ) Using the theorem 8, on page 20, will reduce the equation to the following form: = (a →C SkipC ) o9C (∃ state, state0 • AX ) Using theorem 2, on page 13, makes the proof complete, as the left hand side has also expanded to the same form v a →C SkipC o9C AC Theorem 7. AC \C H v (∃ state, state0 • AX \X H) Now, we provide the proof for the hiding construct. Proof: Here, we adopt the strategy of reducing the left and right hand side of the equation to the same form. We start the proof by taking the right hand side of the theorem. R.H.S = (∃ state, state0 • AX \X H) According to the definition of hiding in the Circus world, we get: = (∃ state, state0 • S(∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H) o9X SkipX )

18

Arshad Beg and Andrew Butterfield

Now, applying the definition of healthiness condition CXS4, we get the following equation: = (∃ state, state0 • (CXS4(S(∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)))) Now, taking left hand side of the theorem and solving it to get the expanded form of right hand side. L.H.S = AC \C H Applying the definition of hiding construct of CSP, we get: = R(∃ trH • AC [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H) o9C SkipC Now, applying the definition of healthiness condition CSP4, we get the following equation: = CSP4(R(∃ trH • AC [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) According to the defintion of AC , we get following form: v CSP4(R(∃ trH • (∃ state, state0 • AX )[trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) As the predicate here does not include state, state0 , so we can pull state, state0 out. = CSP4(R(∃ state, state0 • ∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) Using theorem 12, on page 28, will give the following equation: = CSP4(∃ state, state0 • S(∃ state, state0 • ∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) Now we use theorem 13, on page 29. = ∃ state, state0 • CXS4(∃ state, state0 • S(∃ state, state0 • ∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) As state, state0 is not mentioned in the inner predicate, we can pull state, state0 out. = ∃ state, state0 • CXS4(S(∃ trH • AX [trH , H ∪ ref 0 /tr, ref 0 ] ∧ (tr0 − tr) = (trH − tr) H)) This makes the proof complete, as left and right hand side of the theorem have acquired the same form.

5.

Conclusions

First of all, the semantics of Circus and CSPM in the Unifying Theories of Programming (UTP) framework are specified for the selected constructs of the languages. The chosen subset of the original Circus and CSP languages are named as SimpleCircus and SimpleCSP. The semantical difference between the two is captured by the need for extra observation variables i.e. state, state0 , in case of SimpleCircus. A formal link was proposed

Linking Predicates from Circus to CSPM

∗∗

19

to connect the two theories. We proposed theorem 1, on page 11 for the linking pairs between the two languages. If PX is a SimpleCircus program and PC is a SimpleCSP program, then the transformation predicate (T ) will translate between the two. For all SimpleCircus programs PX , we define a link to the CSP world that hides the state. In effect, we view Circus and CSP processes as equivalent, if the translation is a refinement: T (PX ) v (∃ state, state0 • PX ) By mathematical proofs included in section 2, it is proved that this linking predicate preserves the semantics of most of the language operators, with the notable exception of sequential composition. We applied the theorem 1 for the constructs considered in SimpleCircus and SimpleCSP. The established link demonstrated the feasibility of the translation between the two languages, and justifies the close attention paid to translating sequential composition. This is novel work. The work of mathematical proofs of the link might have the following future directions: – The future enhancement in this area is to consider the remaining constructs of the target languages. – The proofs of link are done manually. Saoithin [4] is a theorem prover designed to support the UTP framework and do the proofs in an equational style. The mechanisation of the link proofs in Saoithin is a possible future direction of work.

References 1. Arshad: Translating from State-rich to State-poor Process Algebras. Ph.D. thesis, School of Computer Science, Trinity College Dublin (2016) 2. Beg, A., Butterfield, A.: Development of a prototype translator from circus to cspm. In: 2015 International Conference on Open Source Systems Technologies (ICOSST). pp. 16–23 (Dec 2015) 3. Beg, A., Butterfield, A.: Linking a state-rich process algebra to a state-free algebra to verify software/hardware implementation. In: Proceedings of International Conference on Frontiers of Information Technology, Islamabad, Pakistan. pp. 1–5. No. 47, ACM (2010) 4. Butterfield, A.: Saoithin: A theorem prover for UTP. In: Qin, S. (ed.) Unifying Theories of Programming, Third International Symposium, UTP 2010, Shanghai, China. Lecture Notes in Computer Science, vol. 6445, pp. 137–156. Springer, Shanghai, China (November 2010) 5. Butterfield, A., Gancarski, P., Woodcock, J.: State visibility and communication in unifying theories of programming. In: Chin, W.N., Qin, S. (eds.) Third IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE). pp. 47–54. IEEE Computer Society (2009), http://dx.doi.org/10.1109/TASE.2009.57 6. Cavalcanti, A.L.C.: A Refinement Calculus for Z. Ph.D. thesis, Oxford University Computing Laboratory, Oxford (1997) 7. Cavalcanti, A.L.C., Woodcock, J.: A tutorial introduction to CSP in Unifying Theories of Programming. In: Cavalcanti, A., Sampaio, A., Woodcock, J. (eds.) First Pernambuco Summer School on Software Engineering (PSSE). Lecture Notes in Computer Science, vol. 3167, pp. 220–268. Springer (2004), http://dx.doi.org/10.1007/118892296 8. Eriksson, L.H., Lindsay, P.A. (eds.): Mechanical Abstraction of CSPZ Processes, Lecture Notes in Computer Science, vol. 2391. Springer (2002), http://dx.doi.org/10.1007/3-540-45614-71 0

20

Arshad Beg and Andrew Butterfield

9. Oliveira, M.V.M.: Formal Derivation of State-Rich Reactive Programs using Circus. Ph.D. thesis, University of York (2005) 10. Oliveira, M.V.M., Cavalcanti, A.L.C., Woodcock, J.: A UTP semantics for Circus. Formal Asp. Comput 21(1-2), 3–32 (2009), http://dx.doi.org/10.1007/s00165-007-0052-5

A.

Mathematical Proofs Continued

Theorem 8. (a →C SkipC ) = (∃ state, state0 • a →X SkipX ) Proof. Strategy: reduce LHS and RHS to same form. LHS: a →C SkipC =

“ def of a → SkipC ” CSP1(ok0 ∧ doA (a))

=

“ def of CSP1 ” 0

ok ∧ doA (a) ∨ DIV = “ def of doA (a) ” ok0 ∧ Φ(a ∈ / ref 0 Cwait0 B tr0 = tr a hai) ∨ DIV =

“ def of Φ(A) ” ok ∧ R(a ∈ / ref 0 Cwait0 B tr0 = tr a hai) ∧ B ∨ DIV 0

=

“ re-arrange ” DIV ∨ ok0 ∧ B ∧ R(a ∈ / ref 0 Cwait0 B tr0 = tr a hai)

=

“ alternate expansion of R ”

DIV ∨ ok0 ∧ B ∧ (IIC CwaitB ((a ∈ / ref 0 Cwait0 B tr0 = tr a hai) ∧ tr ≤ tr0 )) = “ Distribute in tr ≤ tr0 , subsume by tr0 = tr a ” DIV ∨ ok0 ∧ B ∧ (II CwaitB (a ∈ / ref 0 ∧ tr ≤ tr0 Cwait0 B tr0 = tr a hai)) C

=

“ Push B into nested conditionals (∧-CB-distr) ” DIV ∨ ok0 ∧ (B ∧ IIC CwaitB (B ∧ a ∈ / ref 0 ∧ tr ≤ tr0 Cwait0 B B ∧ tr0 = tr a hai))

We pause here, to observe that we have interactions with B and conditionals involving wait0 . B ∧ wait0 = wait0 ∧ tr ≤ tr0 B ∧ ¬wait0 = ¬wait0 ∧ tr < tr0 B0 ∧ wait0 = wait0 ∧ tr = tr0 B0 ∧ ¬wait0 = ¬wait0 ∧ tr < tr0 So we can simplify B in the innermost conditional: DIV ∨ ok0 ∧ (B ∧ IIC CwaitB (tr ≤ tr0 ∧ a ∈ / ref 0 ∧ tr ≤ tr0 Cwait0 B tr < tr0 ∧ tr0 = tr a hai)) =

“ simplify, subsume ” DIV ∨ ok0 ∧ (B ∧ IIC CwaitB (a ∈ / ref 0 ∧ tr ≤ tr0 Cwait0 B tr0 = tr a hai))

Linking Predicates from Circus to CSPM

∗∗

21

At this point we can see clearly that B is simply wrong, because when wait is false (we are running) and wait0 is true (we are waiting to perform an event) we see that we assert only R1 regarding tr and tr0 , whereas we should assert tr0 = tr. So we should use B0 instead: DIV ∨ ok0 ∧ (B0 ∧ IIC CwaitB (tr = tr0 ∧ a ∈ / ref 0 ∧ tr ≤ tr0 Cwait0 B tr < tr0 ∧ tr0 = tr a hai)) =

“ subsume twice ” DIV ∨ ok0 ∧ (B0 ∧ IIC CwaitB (tr0 = tr ∧ a ∈ / ref 0 Cwait0 B tr0 = tr a hai))

We can now build the graphic form: ¬w ¬w w w 0 0 0 ¬o tr ≤ tr tr ≤ tr tr ≤ tr tr ≤ tr0 0 0 0 ¬o tr ≤ tr tr ≤ tr tr ≤ tr tr ≤ tr0 0 0 0 0 0 a o tr = tr hai tr = tr ∧ a ∈ / ref tr = tr ∧ ref = ref . o . . . . ¬w0 w0 w0 ¬w0

¬o0 o0 o0 ¬o0

RHS: ∃ state, state0 • a →X SkipX =

“ def of a →X SkipX ” 

 tr0 = tr ∧ a ∈ / ref 0  ∃ state, state0 • S true `  Cwait0 B 0 0 a tr = tr hai ∧ state = state = “ alternate expansion of S ” 

∃ state, state0 • (∃ state0 • IIX ) CwaitB 

  tr0 = tr ∧ a ∈ / ref 0 true `  Cwait0 B  ∧ tr ≤ tr0  0 0 a tr = tr hai ∧ state = state =



“ push ∃ state, state0 scope inwards ” (∃ state, state0 • (∃ state0 • IIX )) CwaitB 

  tr0 = tr ∧ a ∈ / ref 0  ∧ tr ≤ tr0  true `  Cwait0 B 0 0 0 a tr = tr hai ∧ (∃ state, state • state = state) =



“ merge scopes, 1pt state0 = state ” (∃ state, state0 • IIX ) CwaitB  

  tr0 = tr ∧ a ∈ / ref 0 true `  Cwait0 B  ∧ tr ≤ tr0  0 a tr = tr hai ∧ True

22

Arshad Beg and Andrew Butterfield

“ Lemma 1, ∧-unit, on page 24 ”

=

IIC CwaitB  

  tr0 = tr ∧ a ∈ / ref 0 true `  Cwait0 B  ∧ tr ≤ tr0  0 a tr = tr hai = “ Lemma 2, on page 24 ” IIC CwaitB 

  tr0 = tr ∧ a ∈ / ref 0 DIV ∨ ok0 ∧  Cwait0 B  ∧ tr ≤ tr0  0 a tr = tr hai =



“ distribute ∧ into CB ” IIC CwaitB 

 tr0 = tr ∧ a ∈ / ref 0 ∧ tr ≤ tr0 DIV ∨ ok0 ∧  Cwait0 B  0 0 a tr = tr hai ∧ tr ≤ tr 0 = “ tr = tr and tr0 = tr a both imply tr ≤ tr0 ”    0 tr = tr ∧ a ∈ / ref 0 0  IIC CwaitB DIV ∨ ok ∧  Cwait0 B tr0 = tr a hai = “ defn. IIC ” 

(DIV ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ) CwaitB 

 tr0 = tr ∧ a ∈ / ref 0 DIV ∨ ok0 ∧  Cwait0 B  0 a tr = tr hai 

=

“ (A ∨ B ∧ C) CwB (A ∨ B ∧ D) = A ∨ B ∧ (C CwB D) ”   (wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref )  CwaitB   0   0  tr = tr ∧ a ∈ / ref DIV ∨ ok0 ∧      Cwait0 B   tr0 = tr a hai

=

“ (w0 = w CwB . . .) ≡ (w0 CwB . . .) ”   (wait0 ∧ tr0 = tr ∧ ref 0 = ref )  CwaitB   0   0 0   / ref DIV ∨ ok ∧  tr = tr ∧ a ∈    Cwait0 B   0 a tr = tr hai

Linking Predicates from Circus to CSPM

∗∗

We now enter this into the graphical form: ¬w ¬w w w ¬o tr ≤ tr0 tr ≤ tr0 tr ≤ tr0 tr ≤ tr0 ¬o tr ≤ tr0 tr ≤ tr0 tr ≤ tr0 tr ≤ tr0 0 0 0 0 0 a o tr = tr hai tr = tr ∧ a ∈ / ref tr = tr ∧ ref = ref . o . . . . ¬w0 w0 w0 ¬w0

¬o0 o0 o0 ¬o0

Both diagrams are identical! Theorem 9. StopC = (∃ state, state0 • StopX ) Proof. Strategy: reduce both LHS and RHS to same LHS: StopC =

“ defn. ” R(true ` wait0 ∧ tr0 = tr)

=

“ standard expansion of R ” IIC CwaitB (true ` wait0 ∧ tr0 = tr) ∧ tr ≤ tr0

This looks like a good target—let’s see if we can get the RHS to transform to this. RHS: ∃ state, state0 • StopX =

“ defn. ” ∃ state, state0 • S(true ` wait0 ∧ tr0 = tr)

=

“ standard expansion of S ” ∃ state, state0 • (∃ state0 • IIX ) CwaitB (true ` wait0 ∧ tr0 = tr) ∧ tr ≤ tr0

=

“ state, state0 not free from CwaitB rightwards ” (∃ state, state0 • (∃ state0 • IIX )) CwaitB (true ` wait0 ∧ tr0 = tr) ∧ tr ≤ tr0

=

“ remove nested ∃ state0 ” (∃ state, state0 • IIX ) CwaitB (true ` wait0 ∧ tr0 = tr) ∧ tr ≤ tr0

=

“ Lemma 1, on page 24 ” IIC CwaitB (true ` wait0 ∧ tr0 = tr) ∧ tr ≤ tr0

23

24

Arshad Beg and Andrew Butterfield

Lemma 1. (∃ state, state0 • IIX ) = IIC Proof. Strategy: reduce LHS to RHS ∃ state, state0 • IIX =

“ defn. IIX ” ∃ state, state0 • ¬ok ∧ tr ≤ tr0 ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ state0 = state

=

“ restrict quantifier scope ” ¬ok ∧ tr ≤ tr0 ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ (∃ state, state0 • state0 = state)

=

“ 1-pt rule ” ¬ok ∧ tr ≤ tr0 ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ True

=

“ simplify ” ¬ok ∧ tr ≤ tr0 ∨ ok0 ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref

=

“ defn IIC ” IIC

Lemma 2. (true ` P) ∧ tr ≤ tr0 = DIV ∨ ok0 ∧ P ∧ tr ≤ tr0 Proof. Strategy: reduce LHS to RHS (true ` P) ∧ tr ≤ tr0 =

“ defn. ` ”

(ok ⇒ ok0 ∧ P) ∧ tr ≤ tr0 = “ defn. ⇒ ” (¬ok ∨ ok0 ∧ P) ∧ tr ≤ tr0 =

“ distributivity ” ¬ok ∧ tr ≤ tr0 ∨ ok0 ∧ P ∧ tr ≤ tr0

=

“ defn. DIV ” DIV ∨ ok0 ∧ P ∧ tr ≤ tr0

Linking Predicates from Circus to CSPM

∗∗

25

Theorem 10. AC o9C BC v (∃ state, state0 • AX where

o 9X

BX )

0

AC = ∃ state, state • AX BC = ∃ state, state0 • BX

This proof is based on distinguishing clearly between the reactive and state observations. We introduce the following shorthands: R = {ok, wait, tr, ref }, s and s0 for state and state0 , and note the following alternate formulations of both kinds of sequential composition: P o9C Q = ∃ Rm • P[Rm /R0 ] ∧ Q[Rm /R] P o9X Q = ∃ Rm , sm • P[Rm , sm /R0 , s0 ] ∧ Q[Rm , sm /R, s] Proof. Strategy: we show LHS refined by RHS by starting with the RHS and proving it implies the LHS, as per the definition of refinememt.

RHS = (∃ s, s0 • AX =

o 9X

BX )

“ alt. defn. of o9X ” ∃ s, s0 • (∃ Rm , sm • AX [Rm , sm /R0 , s0 ] ∧ BX [Rm , sm /R, s])

=

“ re-order and re-nest quantifiers ” ∃ Rm • (∃ sm , s, s0 • AX [Rm , sm /R0 , s0 ] ∧ BX [Rm , sm /R, s])

⇒

“ weakening ” ∃ Rm • (∃ sm , s, s0 • AX [Rm , sm /R0 , s0 ]) ∧ (∃ sm , s, s0 • BX [Rm , sm /R, s])

=

“ s0 not free in 1st conjunct, nor s in 2nd ” ∃ Rm • (∃ sm , s • AX [Rm , sm /R0 , s0 ]) ∧ (∃ sm , s0 • BX [Rm , sm /R, s])

=

“ independent substitutions ” ∃ Rm • (∃ sm , s • AX [sm /s0 ][Rm /R0 ]) ∧ (∃ sm , s0 • BX [sm /s][Rm /R])

=

“ move Rm substitution out ” ∃ Rm • (∃ sm , s • AX [sm /s0 ])[Rm /R0 ] ∧ (∃ sm , s0 • BX [sm /s])[Rm /R]

=

“ defn o9C ” (∃ sm , s • AX [sm /s0 ]) o9C (∃ sm , s0 • BX [sm /s])

=

“ α-renaming ” (∃ s0 , s • AX ) o9C (∃ s, s0 • BX )

26

Arshad Beg and Andrew Butterfield

Theorem 11.

AC o9C JC = (∃ state, state0 • AX

o 9X

JX )

Proof. Strategy: Making R.H.S equal to L.H.S. Here we note that

ObsC = ok, wait, tr, ref ObsX = ok, wait, tr, ref , state ObsC = ObsX \state RHS : ∃ state, state0 • AX =

“ def of

o 9X

o 9X

JX

”

0

∃ state, state • (∃ ObsXm • AX [ObsXm /Obs0X ] ∧ JX [ObsXm /ObsX ]) =

“ flatten nested ∃ ” ∃ state, state0 , ObsXm • AX [ObsXm /Obs0X ] ∧ JX [ObsXm /ObsX ]

=

“ def of JX ” ∃ state, state0 , ObsXm • AX [ObsXm /Obs0X ] ∧ ((ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref ∧ state0 = state)[ObsXm /ObsX ]

=

“ substitution ” ∃ state, state0 , ObsXm • AX [ObsXm /Obs0X ] ∧ (okm ⇒ ok0 ) ∧ wait0 = waitm ∧ tr0 = trm ∧ ref 0 = refm ∧ state0 = statem

=

“ one-pt rule, replacing state0 only ” ∃ state, ObsXm • AX [ObsXm /Obs0X ][statem /state0 ] ∧ (okm ⇒ ok0 ) ∧ wait0 = waitm ∧ tr0 = trm ∧ ref 0 = refm

=

“ All state0 in AX are now statem , so outer sub has no effect ” ∃ state, ObsXm • AX [ObsXm /Obs0X ] ∧ (okm ⇒ ok0 ) ∧ wait0 = waitm ∧ tr0 = trm ∧ ref 0 = refm

=

“ state only occurs, if at all, in AX so we can distr ∃ state in ” ∃ ObsXm • (∃ state • AX )[ObsXm /Obs0X ] ∧ (okm ⇒ ok0 ) ∧ wait0 = waitm ∧ tr0 = trm ∧ ref 0 = refm

=

“ substitution backwards ” ∃ ObsXm • (∃ state • AX )[ObsXm /Obs0X ] ∧ ((ok ⇒ ok0 ) ∧ wait0 = wait ∧ tr0 = tr ∧ ref 0 = ref )[ObsXm /ObsX ]

Linking Predicates from Circus to CSPM

=

∗∗

27

“ def JC ” ∃ ObsXm • (∃ state • AX )[ObsXm /Obs0X ] ∧ JC [ObsXm /ObsX ]

=

“ JC does not mention state or state0 so we can restrict to ObsC ” ∃ ObsXm • (∃ state • AX )[ObsXm /Obs0X ] ∧ JC [ObsCm /ObsC ]

=

“ factor statem out of ObsXm ” ∃ statem , ObsCm • (∃ state • AX )[statem , ObsCm /state0 , Obs0C ] ∧ JC [ObsCm /ObsC ]

=

“ can split substitution because statem is not in AX . ” ∃ statem , ObsCm • (∃ state • AX )[ObsCm /Obs0C ][statem , /state0 ] ∧ JC [ObsCm /ObsC ]

=

“ can bring state0 substitution out, as only poss. occurrences are in AX ” ∃ statem , ObsCm • ((∃ state • AX )[ObsCm /Obs0C ] ∧ JC [ObsCm /ObsC ])[statem , /state0 ]

=

“ (∃ x • P) = (∃ y • P[y/x], provided y ∈ / x, P ” ∃ state0 , ObsCm • ((∃ state • AX )[ObsCm /Obs0C ] ∧ JC [ObsCm /ObsC ])

=

“ state0 only in AX , if at all ” ∃ ObsCm • ((∃ state, state0 • AX )[ObsCm /Obs0C ] ∧ JC [ObsCm /ObsC ])

=

“ def o9C ” (∃ state, state0 • AX ) o9C JC

=

“ def AX ” AC o9C JC

LHS!

28

Arshad Beg and Andrew Butterfield

Theorem 12. Rn(AC ) v ∃ state, state0 • Sn(AX ),

n ∈ 1...3

Proof. For n=1, L.H.S = R1(AC ) =

“ def of R1 ” AC ∧ tr ≤ tr0

v

“ def of AC ” ∃ state, state0 • AX ∧ tr ≤ tr0

=

“ def of S1 ” ∃ state, state0 • S1(AX ) = R.H.S

For n=2, R2(AC ) =

“ def of R2 ” ∃ s • A [s, s a (tr0 − tr)/tr, tr0 ] C

v

“ def of AC ” ∃ s • ∃ state, state0 • AX [s, s a (tr0 − tr)/tr, tr0 ]

=

“ Re-arranging ” ∃ state, state0 • ∃ s • AX [s, s a (tr0 − tr)/tr, tr0 ]

=

“ def of S2 ” ∃ state, state0 • S2(AX ) = R.H.S

For n=3, R3(AC ) =

“ def of R3 ” II CwaitB AC

=

“ def of CB ” wait ∧ II ∨ ¬wait ∧ AC

v

“ def of AC ” (wait ∧ II) ∨ ¬wait ∧ (∃ state, state0 • AX )

=

“ ” ∃ state, state0 • II ∧ wait ∨ ¬wait ∧ AX

=

“ def of CB ” ∃ state, state0 • ∃ state0 • II CwaitB AX

=

“ def of S3 ” ∃ state, state0 • S3(AX ) = L.H.S

Linking Predicates from Circus to CSPM

Theorem 13. CSPn(AC ) v ∃ state, state0 • CXSn(AX ),

n ∈ 1...5

Proof. For n=1, L.H.S = CSP1(AC ) =

“ def of CSP1 ” AC ∨ DIV

v

“ def of AC ” ∃ state, state0 • AX ∨ DIV

=

“ def of CXS1 ” ∃ state, state0 • CXS1(AX ) = R.H.S

For n=2, L.H.S = CSP2(AC ) =

“ def of CSP2 ” AC o9C JC

=

“ By theorem 11, on page 26 ” ∃ state, state0 • AX

=

o 9X

JX

“ def of CXS2 ” ∃ state, state0 • CXS2(AX ) = R.H.S

For n=4, L.H.S = CSP4(AC ) =

“ def of CSP4 ” AC o9C SkipC

v

“ def of AC ” (∃ state, state0 • AX ) o9C SkipC

=

“ By theorem 1, on page 12 ” (∃ state, state0 • AX ) o9C (∃ state, state0 • SkipX )

=

“ By theorem 10, on page 25 ” ∃ state, state0 • (AX

=

o 9X

SkipX )

“ def of CXS4 ” ∃ state, state0 • CXS4(AX ) = R.H.S

∗∗

29

30

Arshad Beg and Andrew Butterfield

Lemma 3. Assuming that A and B are R-healthy:   ∃ ObsA , ObsB •   A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]    ∧ ok0 = okA ∧ okB    R 0  = waitA ∨ waitB  ∧ wait   ∧ ref 0 ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S  ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr)   ∃ ObsA , ObsB •   A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]     ∧ ok0 = okA ∧ okB   = 0  ∧ wait = wait ∨ wait A B    ∧ ref 0 ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S  ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr) Lemma 4. Assuming that A and B are R-healthy:   ∃ ObsA , ObsB •   A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]    ∧ ok0 = okA ∧ okB    o9 Skip  ∧ wait0 = waitA ∨ waitB     ∧ ref 0 ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S  ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr)   ∃ ObsA , ObsB •   A[ObsA /Obs0 ] ∧ B[ObsB /Obs0 ]    ∧ ok0 = okA ∧ okB     ∧ wait0 = waitA ∨ waitB    = 0  − tr ∈ (tr − tr) k (tr − tr) A B S  ∧ tr  0   ref ⊆ (refA ∪ refB ) ∩ S ∪ (refA ∩ refB ) \ S     ∧  Cwait0 B true Lemma 5. tr ≤ trA ∧ tr ≤ trB ∧ tr0 − tr ∈ (trA − tr) kS (trB − tr) ⇒ tr ≤ tr0