On the Non-Derivability of Operators in CCS

K.V.S. Prasad
Dept. of Computer Sciences, Chalmers Univ. of Technology and University of Goteborg, S-412 96 Goteborg, SWEDEN

December 1989
Abstract

If a new operator is to be added to a calculus, defined directly by axioms or operational semantics, the question arises whether it can be derived from the other operators. While it is easy to show that an operator is derived, it is usually difficult to prove non-derivability. The general technique is to find a property preserved by all the other operators of the calculus, but not by the new one. We present a simple new technique, a special case of the general one, which consists of looking for congruences preserved by all operators except the new one. The new technique is particularly applicable if we use operational semantics rather than axioms to define operators, as in our application area, CCS-like calculi for reasoning about concurrent systems. A good way to use these calculi in practice is to use new operators that reflect the structure of the problem at hand. These new operators are often defined without reference to the existing ones, and derivability is a natural question. [Milner83] introduces combinators with intuitively distinct roles, but does not prove them independent, i.e. not definable in terms of the other operators. We prove many of the operators in SCCS and CCS to be independent.
1 How to prove operators non-derivable

When defining a calculus, we usually make sure not to include any operators that can be derived in terms of the others. This has obvious advantages when proving theorems about all terms in the calculus. While the primitive operators of a calculus are chosen to have intuitively distinct roles [Milner83], it is only seldom that we actually prove them to be independent. To do so would not only be satisfying, it would also give us greater insight into our operators. And of course our intuition might be incorrect! This paper presents a simple technique to prove operators non-derivable.

The only general method the author knows to prove an operator non-derivable from a signature is to find a property that is preserved by equality and by all the operators of the signature, but which is not preserved by the new operator. Examples are easy to find. Given $\mathbb{N}$, the set of natural numbers, and $add2 : \mathbb{N} \to \mathbb{N}$, the function that adds 2 to any number, we can show that the successor function $succ$ cannot be derived, because any expression we build with $add2$ preserves oddness or evenness, while $succ$ does not. No composition of bishop's moves on a chessboard will ever give a knight's move, because the former preserve colour while the latter does not. Using only the operators of CCS other than "fix", we can only produce agents with finite derivations; this proves that we cannot derive "fix" from the others. And so on.

Formally, the version we need for CCS is this. We need to find a property of agents preserved by strong congruence, i.e. if $P$ has the property and $P \sim Q$ then $Q$ has it. We also demand that for any binary operator of the signature, if $P$ and $Q$ have the property then so does the operator applied to $P$ and $Q$; similarly for other arities. Then any expression $E$ (binary, say) composed of the operators in the signature will have the property that if $P$ and $Q$ have the property, so does $E(P, Q)$. If we claim that $E$ is the derived form of the new operator, we must have $E(P, Q)$ strongly congruent to the new operator applied to $(P, Q)$, and therefore the latter has the property too. If the new operator does not preserve the property, so that we know that for some $P$ and $Q$ the operator applied to $(P, Q)$ lacks the property despite $P$ and $Q$ having it, we have a contradiction, and there cannot exist any such $E$; the new operator is non-derivable.
Strong congruence in this argument is our "equality"; it is the equivalence relation we use in our definition of derivability. In this paper, we will present a simple special case of this general technique that seems particularly well suited to transition systems. The technique itself is trivial, and the most surprising thing about it is that it has not been used before, to the best of the author's knowledge. But even the use of the general mathematical technique seems comparatively rare, at least in the author's experience. This might explain why some of the observations we make in this paper have apparently not been made before, even though they follow very simply from the literature, and are statements we would like to prove, since they have often been claimed informally; proving operators non-derivable appears not to have been a concern, though proving them derivable is common enough. We use the new technique, as well as other versions of the general technique, to prove several of the operators we have encountered non-derivable from various others. The applicability of our technique is a sufficient but not necessary condition for non-derivability, so there are many interesting questions we will not be able to answer. Those we do answer tell us more about the relationships between the calculi SCCS, ASCCS and CCS.
1.1 A new technique for non-derivability proofs

This is to find an equivalence relation that is preserved by all the operators in the signature but not by the new operator. That is to say, we find a congruence with respect to the signature that the new operator sees through.
Theorem 1.1 Let a signature generate expressions $E$ and agents $P$, and let $\bowtie$ be a congruence relation containing strong congruence. Let the new operator be $n$-ary. If there exist $P$, $Q$ and $i$ such that $P \bowtie Q$ but the new operator applied to $(P_1, \dots, P_{i-1}, P, P_{i+1}, \dots, P_n)$ is not $\bowtie$-related to the new operator applied to $(P_1, \dots, P_{i-1}, Q, P_{i+1}, \dots, P_n)$, then the new operator is non-derivable from the signature.

Proof: This is just a special case of our general argument above. If the new operator were derivable, we would have an $n$-ary context $E$ strongly congruent to it. Then, since $E$ preserves $\bowtie$, we would get

(the new operator applied to $(P_1, \dots, P_{i-1}, P, P_{i+1}, \dots, P_n)$) $\sim E(P_1, \dots, P_{i-1}, P, P_{i+1}, \dots, P_n) \bowtie E(P_1, \dots, P_{i-1}, Q, P_{i+1}, \dots, P_n) \sim$ (the new operator applied to $(P_1, \dots, P_{i-1}, Q, P_{i+1}, \dots, P_n)$).

Since strong congruence is contained in $\bowtie$, we can replace $\sim$ by $\bowtie$ in the above chain, and we have our contradiction.

As an immediate corollary, let us name the most well known case.
Proposition 1.2 $+$ is non-derivable from the other operators of CCS.

Proof: All the other operators preserve $\approx$, the weak bisimulation equivalence that abstracts from silent actions; $+$ doesn't.
The technique is not necessarily applicable. Consider the natural numbers generated by $0$ and $succ$. Suppose we try to prove that $+$ is not derivable from this signature. Let $\bowtie$ be any equivalence relation over $\mathbb{N}$ that contains equality and is preserved by $succ$, i.e. $n \bowtie m$ implies $succ(n) \bowtie succ(m)$. That $n \bowtie m$ implies $(p + n) \bowtie (p + m)$ can be shown by induction on $p$. (Obviously, we have to have a definition of $+$ for all of this to make sense. It could be axiomatic, or operational, in terms of $succ$.) Thus addition cannot see through any equivalence preserved by $succ$. But $+$ is not derivable from $succ$, because from just $0$ and $succ$ we cannot generate a context with two holes in it!

Now observe that in our technique we need to show that the erstwhile congruence $\bowtie$ is not preserved by the new operator. Thus we need an equivalence relation for which there is a failure test. So an equivalence defined by equational axioms will not do, for such axioms can tell us when two terms are equal, but never when they are unequal. However, an axiomatisation of $\bowtie$ over the signature can be useful to show that the example agents $P$ and $Q$ are in fact $\bowtie$-related. We shall see such an application later. This is why our technique is particularly suited to use with any formal system where the equivalences are set up operationally, for then we have a simple way to prove that two agents are not related. For example, to show that $a{:}0 + b{:}0 \neq a{:}0$, we just have to find one action, $b$, that prevents the bisimulation conditions from being fulfilled.

Milner shows in [Milner83] that $\sim$ is preserved by the operators of SCCS, i.e. that it is a congruence. The only difficult part of this proof is the case of the "fix" construct. To show that the other operators preserve $\sim$ is easy. This is because $\sim$ is in fact preserved by any operator defined by the usual transition semantics. Consider an $n$-ary operator, and let $Q \sim R$. Then the operator applied to $(P_1, \dots, P_{i-1}, Q, P_{i+1}, \dots, P_n)$ is strongly bisimilar to the operator applied to $(P_1, \dots, P_{i-1}, R, P_{i+1}, \dots, P_n)$. For every action of the left hand side that is not a derivation from an action of $Q$, the right hand side can do the same action by an identical derivation. If $Q$ contributes to the left hand side, $R$ can match this action, thus ensuring that the right hand side has an exactly similar derivation. Further, the resulting states on both sides continue to have the same form, and so lead back into the bisimulation.
2 Different notions of derivability

Before we go further, we must make precise the notion of derivability. It turns out there are several subtly different notions. It is easiest to begin by considering operators explicitly set up in terms of others. Such derived operators are essential in applications. Examples of derived operators in SCCS or ASCCS [Milner83] are $\delta P \sim \mathrm{fix}\,X.(1{:}X + P)$ and $P \mid Q \sim P\,Q + P\,Q$. Here $\sim$ is the usual strong bisimulation equivalence. The action prefix in ASCCS is defined in terms of that in SCCS: $a{:}[\ ] \sim a{:}\delta[\ ]$. In all these cases, we have an expression not involving the new operator that is strongly congruent to an expression with the new operator outermost. As the last example emphasises, we have a context, not involving the new operator, and with as many holes as the operator's arity, that is strongly congruent to a context involving just the new operator with holes for its parameters. This is a purely algebraic notion of derivability. We only need remember that it is parametrised by $\sim$; any other equivalence will do just as well. However, we will not need this generality, and we keep our notation simple by ignoring this aspect. Thus we will only say "derivable", not "$\sim$-derivable".
Definition 2.1 Let any signature be given, and let a new operator, not in the signature, have arity $n$. Then the new operator is said to be derivable from the signature if there is a context $E$, with $n$ holes and generated by the signature, such that $E[P_1, \dots, P_n]$ is strongly congruent to the new operator applied to $(P_1, \dots, P_n)$ for all $P_1, \dots, P_n$. If no such $E$ exists (footnote 1), the new operator is said to be non-derivable from the signature.

Footnote 1: We allow $E$ to use new names not in $Act$; in that case, we extend $Act$ to include these new names, and correspondingly adjust the definition of $\sim$, which depends on $Act$.

Thus the three operators $\delta$, $\mid$ and $a{:}$ above are straightforward examples of derived operators according to our definition. Now consider the following operator, which is useful in applications involving restartable systems.

Definition 2.2 The operational semantics of the displace operator $\rfloor$. $\rfloor$ is a binary infix operator.

Normal: from $A \xrightarrow{a} A'$ infer $A \rfloor B \xrightarrow{a} A' \rfloor B$.

Displace: from $B \xrightarrow{b} B'$ infer $A \rfloor B \xrightarrow{b} B'$.

Now consider the following proof of derivability.

Proposition 2.3 $\rfloor$ is derivable in SCCS.

Proof: Assume that the elements of $Act$ are $a_1, a_2, \dots$. Let $b_1, b_2, \dots, c_1, c_2, \dots$ be new names. Then

$P \rfloor Q \sim (P[b_i/a_i] \mid Q[c_i/a_i] \mid Z) \backslash\backslash \{b_i, c_i\}$

where $Z \Leftarrow \sum_i b_i^{-1} a_i {:} Z + \sum_i c_i^{-1} a_i {:} Z'$ and $Z' \Leftarrow \sum_i c_i^{-1} a_i {:} Z'$.

In the expression equivalent to $P \rfloor Q$, $P$ and $Q$ have their actions translated into $b$'s and $c$'s respectively by the morphism operators. $Z$ is a synchroniser which picks up these translated actions and retranslates them into $a$'s; $P$ and $Q$ cannot act except through $Z$ because of the restriction. After the first action by $Q$, $Z$ moves to a state where it refuses to pass on any actions by $P$. It is easy to formally show the bisimulation.

The expression replacing the $\rfloor$ operator is strikingly different from our three examples at the start because of the condition it poses on the action set. As it happens, this way of showing derivability is often used; [Milner83] uses it to show the derivability of the conjunction operator, and [de Simone85] uses it as the basis of his proof that any new operator whose operational semantics is given by structured inference rules is derivable from MEIJE-SCCS.

A third, and this time apparently different, notion of derivability is used by [Milner83]. To prove that morphism is derivable, we note that "for any morphism $\phi : Act \to Act$, the actions of $E[\phi]$ are characterised as follows: (1) if $E \xrightarrow{a} E'$, then $E[\phi] \xrightarrow{\phi(a)} E'[\phi]$; (2) if $E[\phi] \xrightarrow{b} G'$, then $E \xrightarrow{a} E'$ for some $a$ and $E'$ such that $b = \phi(a)$ and $G' \equiv E'[\phi]$. Therefore we must find a derived operator satisfying these two properties". The derived operator is a syntactic form using other operators of the calculus, so it would appear that our contexts would be acceptable, and the two conditions above are then no more than a restatement of a strong congruence relation between the new and old forms. We conclude that there is no real difference between our notion of derivability and this one. In passing, we note that the proof of derivability of morphism also needs to extend $Act$.
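The displace operator of Definition 2.2 and its synchroniser encoding in Proposition 2.3 can be checked mechanically on small agents. The Python below is an added example written for this page, not the paper's own code. It assumes the following readings of the notation: actions are elements of the free abelian group over names (so $b_1 \cdot b_1^{-1}a_1 = a_1$); the composition $\mid$ in the encoding lets either side move alone or both move together with the product action, as the Parallel and Synchronisation rules of Section 3 state; $P \backslash\backslash \{b_i, c_i\}$ blocks every action in which a listed name occurs with non-zero exponent; and $Z$, $Z'$ are the recursively defined agents of the proof. The direct semantics of $\rfloor$ is implemented from the Normal and Displace rules, and strong bisimilarity is decided by structural recursion, which terminates here because every move of the restricted encoding consumes a prefix of $P$ or $Q$. The agents $P \equiv a_1{:}a_2{:}0$ and $Q \equiv a_2{:}0 + a_1{:}a_1{:}0$ are constructed for the example.

```python
from itertools import product

# Actions form the free abelian group over names: a sorted tuple of
# (name, exponent) pairs with non-zero exponents; the empty tuple is 1.
ONE = ()

def act(*names, inverse=()):
    """Build an action, e.g. act("a1", inverse=("b1",)) is b1^-1 a1."""
    exps = {}
    for n in names: exps[n] = exps.get(n, 0) + 1
    for n in inverse: exps[n] = exps.get(n, 0) - 1
    return tuple(sorted((n, e) for n, e in exps.items() if e))

def mul(x, y):
    """Product of two actions: exponents add and cancelled names disappear."""
    exps = dict(x)
    for n, e in y: exps[n] = exps.get(n, 0) + e
    return tuple(sorted((n, e) for n, e in exps.items() if e))

def rename(m, a):
    """Apply a morphism on names to an action, keeping exponents."""
    out = ONE
    for n, e in a: out = mul(out, ((m.get(n, n), e),))
    return out

# Terms (constructed representation): nil, a:P, P + Q, P | Q (either side moves
# alone, or both move together with the product action), morphism P[m],
# restriction P \\ names, a recursively defined agent, and displace.
NIL = ("nil",)
def pre(a, p): return ("pre", a, p)
def plus(*ps): return ps[0] if len(ps) == 1 else ("sum", ps[0], plus(*ps[1:]))
def par(p, q): return ("par", p, q)
def ren(m, p): return ("ren", tuple(sorted(m.items())), p)
def res(names, p): return ("res", frozenset(names), p)
def dis(a, b): return ("dis", a, b)
DEFS = {}  # name -> body of a recursively defined agent

def steps(p):
    """Operational semantics: the set of (action, derivative) pairs of p."""
    k = p[0]
    if k == "nil": return set()
    if k == "pre": return {(p[1], p[2])}
    if k == "sum": return steps(p[1]) | steps(p[2])
    if k == "def": return steps(DEFS[p[1]])
    if k == "par":
        sl, sr = steps(p[1]), steps(p[2])
        return ({(a, par(l, p[2])) for a, l in sl} | {(b, par(p[1], r)) for b, r in sr}
                | {(mul(a, b), par(l, r)) for (a, l), (b, r) in product(sl, sr)})
    if k == "ren":
        m = dict(p[1])
        return {(rename(m, a), ren(m, q)) for a, q in steps(p[2])}
    if k == "res":   # an action mentioning a forbidden name is blocked
        return {(a, res(p[1], q)) for a, q in steps(p[2]) if not any(n in p[1] for n, _ in a)}
    if k == "dis":   # Normal: A moves and B waits; Displace: B moves and A is dropped
        return {(a, dis(a1, p[2])) for a, a1 in steps(p[1])} | steps(p[2])
    raise ValueError(k)

def synchroniser(n):
    """Z <= sum_i b_i^-1 a_i : Z + sum_i c_i^-1 a_i : Z'  and  Z' <= sum_i c_i^-1 a_i : Z'."""
    Z, Zp = ("def", "Z"), ("def", "Z'")
    idx = range(1, n + 1)
    DEFS["Z"] = plus(*[pre(act(f"a{i}", inverse=(f"b{i}",)), Z) for i in idx],
                     *[pre(act(f"a{i}", inverse=(f"c{i}",)), Zp) for i in idx])
    DEFS["Z'"] = plus(*[pre(act(f"a{i}", inverse=(f"c{i}",)), Zp) for i in idx])
    return Z

def encode(P, Q, n):
    """(P[b_i/a_i] | Q[c_i/a_i] | Z) \\ {b_i, c_i} over Act = {a_1, ..., a_n}."""
    to_b = {f"a{i}": f"b{i}" for i in range(1, n + 1)}
    to_c = {f"a{i}": f"c{i}" for i in range(1, n + 1)}
    hidden = set(to_b.values()) | set(to_c.values())
    return res(hidden, par(par(ren(to_b, P), ren(to_c, Q)), synchroniser(n)))

def bisimilar(p, q):
    """Strong bisimilarity by recursion on derivations; it terminates for the
    agents compared here because each move consumes a prefix of P or Q."""
    sp, sq = steps(p), steps(q)
    return (all(any(a == b and bisimilar(p1, q1) for b, q1 in sq) for a, p1 in sp)
            and all(any(a == b and bisimilar(p1, q1) for a, p1 in sp) for b, q1 in sq))

def first_actions(p):
    return {a for a, _ in steps(p)}

# Constructed example over Act = {a1, a2}: P = a1:a2:0 and Q = a2:0 + a1:a1:0.
A1, A2 = act("a1"), act("a2")
P = pre(A1, pre(A2, NIL))
Q = plus(pre(A2, NIL), pre(A1, pre(A1, NIL)))

def check_displace():
    enc = encode(P, Q, 2)
    unrestricted = enc[2]   # the same composition without the restriction
    return {"encoding bisimilar to displace": bisimilar(enc, dis(P, Q)),
            "translated b1 leaks without restriction": act("b1") in first_actions(unrestricted)}

if __name__ == "__main__":
    print(check_displace())
```

The second entry of the result shows why the restriction is part of the encoding: without it the translated particle $b_1$ escapes as an action in its own right, whereas with it $P$ and $Q$ can only act through $Z$, and once $Z$ has relayed an action of $Q$ it sits in $Z'$, where no $b_i^{-1}$ summand remains to let $P$ proceed, which is precisely the Displace rule.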
3 Some derivability and non-derivability results

Before we begin on our results, we quote a result from [de Simone85], which says that SCCS augmented with the operator $\delta$ gives a complete calculus from which any operator defined by structured inference rules can be derived, using a technique rather like our proof of the derivability of $\rfloor$. The operator $\delta$ is defined by the rules

Persistent Delay: $\delta E \xrightarrow{1} \delta E$; and from $E \xrightarrow{a} E'$ infer $\delta E \xrightarrow{a} E'$.

We shall refer to SCCS augmented with this operator as SCCS$_\delta$. We organise our results by operator, and prove non-derivability from the rest of the calculus if possible, or from smaller subsets of the rest if that is of interest.
Proposition 3.1 The action prefix operator $a{:}$ is non-derivable from the rest of SCCS, ASCCS and CCS.

Proof: An agent $P$ is said to be idle if $P \xrightarrow{1} P$. The property of asynchrony is this: $P$ is asynchronous if all its proper derivatives are idle. $a{:}$ is the only operator that does not preserve asynchrony. (The action prefix operator $a{:}$ of ASCCS is derived from that of SCCS, and is designed to do so.) The other operators all preserve asynchrony. Example: if $P$ and $Q$ are asynchronous, we have $P \times Q \to P' \times Q'$, where $P'$ and $Q'$ are both idle. Then so is $P' \times Q'$. Therefore $P \times Q$ is asynchronous.
In any calculus, we can show that the action prefix used in that calculus is non-derivable from the rest of it simply because all other operators preserve the property "has no actions" of any agent.

We know that $+$ is not derivable from the rest of CCS. Its derivability from the rest of ASCCS and SCCS is not clear. [de Simone85] remarks that it can be derived from SCCS, but does not give a proof.

The following proof uses the notion of contexts as transducers [Larsen86]. They accept actions from inside, and present other actions to the environment. Thus $[\ ] \backslash\backslash \{a\}$ will not accept the action $a$; if we put $P$ in the hole, we cannot derive an action for $P \backslash\backslash \{a\}$ from $P \xrightarrow{a} P'$.
Proposition 3.2 Restriction is not derivable from the other operators of SCCS (or any of the other calculi).

Proof: Because the rest only build contexts that will accept all actions.
Proposition 3.3 $\delta$ is not derivable from the rest of SCCS, ASCCS or CCS.

Proof: All we need to do is to observe that $\delta$ can detect any delay discrepancies, and therefore can see through $\approx^c$, the largest congruence contained in $\approx$. A similar proof goes through for CCS. ASCCS is interesting in this regard, because we define asynchronous contexts as those without $\delta$ for precisely this reason. Consider $\approx^c_A$, the largest congruence contained in $\approx$. If we allow any context, including SCCS contexts, this is the same as $\approx^c$, because $\delta$ sees through delay discrepancies. But if we allow only asynchronous contexts we get a larger relation. We have $P + 1{:}P \approx^c_A 1{:}P$, but taking $P \equiv a{:}0$ and $R \equiv b{:}0$, we have $R \times (1{:}P + P) \xrightarrow{ab} 0$ but $R \times (1{:}P)$ has no such move.

Now a couple of comments on the particulate calculus of Section 9 of [Milner83]. Readers unfamiliar with this can skip over the next two propositions. Consider the operator $\mid$ as defined by the equation $P \mid Q \sim P\,Q + P\,Q$. Note that while the ASCCS operator has the following semantics

Parallel: from $E \xrightarrow{a} E'$ infer $E \mid F \xrightarrow{a} E' \mid F$ and $F \mid E \xrightarrow{a} F \mid E'$.

Synchronisation: from $E \xrightarrow{a} E'$ and $F \xrightarrow{b} F'$ infer $E \mid F \xrightarrow{ab} E' \mid F'$.

the CCS operator allows only communication rather than synchronisation in general:

Communication: from $E \xrightarrow{a} E'$ and $F \xrightarrow{a^{-1}} F'$ infer $E \mid F \xrightarrow{1} E' \mid F'$.
To distinguish the two, let us temporarily call the ASCCS operator $\mid_A$, and the CCS one $\mid_C$. $\mid_A$ is defined as a derived operator from SCCS. But $\mid_C$ can also be derived. If $P$ and $Q$ do only $a$'s, we extend $Act$ to $b$'s and $c$'s and then

$P \mid_C Q \sim ((P[b_i/a_i]\,Q[c_i/a_i] + P[b_i/a_i]\,Q[c_i/a_i])\,Z) \backslash\backslash \{b_i, c_i\}$

where $Z \Leftarrow \sum_i b_i^{-1} a_i {:} Z + \sum_i c_i^{-1} a_i {:} Z' + \sum_i b_i^{-1} c_i {:} Z + \sum_i b_i c_i^{-1} {:} Z$.

Either $P$ or $Q$ is allowed to act alone and have its actions relayed through $Z$, but they can also act together by the third and fourth terms, when they must do complementary actions. $\mid_C$ can also be derived from $\mid_A$ by a very similar method:

$P \mid_C Q \sim (P[b_i/a_i] \mid_A Q[c_i/a_i] \mid_A Z) \backslash\backslash \{b_i, c_i\}$

where $Z$ is the same as for the derivation from SCCS. It is obvious that $\mid_A$ cannot be derived from $\mid_C$; within CCS there is no way of inferring non-particulate actions. This is confirmed by the following:
Proposition 3.4 $\mid_A$ is not derivable from CCS.

Proof: The rest of the operators preserve the strong bisimulation equivalence defined over the particulate calculus for observers who can only see one particle at a time, but $\mid_M$ does not.
Proposition 3.5 Non-particulate action prefixes are not derivable from particulate MCCS.

Proof: Particulate MCCS cannot enforce synchronisation; with non-particulate action prefixes, we can.
Now for an important proposition that shows that the distinction between SCCS and SCCS$_\delta$ is a significant one.

Proposition 3.6 (due to Robin Milner) $\delta$ is not derivable from the other operators of SCCS$_\delta$.

Proof: Suppose $\delta(X) \sim E(X)$. Pick $a$ not used as a guard in $E$, i.e. $a$ does not occur non-negatively in any guard in $E$. Let $A \Leftarrow a{:}0$. We show that $\delta(A) \neq E[A/X]$. In fact we show, for any $E$ with $Free(E) \subseteq \{X\}$ such that $a$ is not used as a guard in $E$, that $E[A/X] \xrightarrow{ab} P$ implies $P \equiv 0$. Here $ab$ is an action such that $a$ occurs non-negatively in it. The proof is by induction on the inference $E[A/X] \xrightarrow{ab} P$. We show three cases. If $E \equiv b{:}E'$, then $a$ does not occur non-negatively in the guard, so the inference is impossible. If $E \equiv E_1 + E_2$ then we must infer the same for $E_1$ or $E_2$ by a shorter inference. Lastly consider $E \equiv \mathrm{fix}\,Y.F$. If $Y \equiv X$, then $E[A/X] \equiv E$. So $F[E/X] \xrightarrow{ab} P \iff (F[E/X])[A/X] \xrightarrow{ab} P$. Hence $P \equiv 0$. If $Y \not\equiv X$, then this case is an application of the inference rule for fix, and we need to assume the action for a shorter inference. Ruled out by induction hypothesis.

Lastly, a proof that demonstrates the usefulness of axiomatisation to set up congruences that we can then see through with the new operator. The following is particularly instructive since it clarifies the importance of $\mid$ in CCS; just because there is an expansion theorem, we should not conclude that $\mid$ is derivable, even in the absence of recursion.
Proposition 3.7 $\mid$ is not derivable from $+$ and action prefix in CCS.

Proof: Without $\mid$, we can get a tighter congruence [Hennessy and Milner85]. If we define $\approx$ in terms of $\Longrightarrow$, where the observed action is not $1$, the congruence contained in it can be characterised by a set of 6 axioms, of which we only quote the relevant one here:

$a{:}(x + 1{:}y) = a{:}(x + y) + a{:}y$

This is not preserved by $\mid$. A counterexample is $c{:}0 \mid a{:}(b{:}0 + 1{:}0) \neq c{:}0 \mid (a{:}(b{:}0 + 0) + a{:}0)$; again please note that this uses $\approx$ defined by observations other than $1$.
4 Conclusions

We have presented a new technique to prove operators non-derivable, with particular application to CCS and related calculi: look for a congruence preserved by all the operators, but which the new operator sees through. While our technique is very simple, and is of course only a special case of the general technique of looking for a property preserved by all the older operators but not by the new one, it seems to be a bit of a novelty because the whole issue of proving anything non-derivable seems to have received rather little attention in Computer Science. Our technique emphasises the importance of operational definitions of both operators and equivalences, since the nub is to prove that a pair of agents are not (bisimulation) equivalent. We have shown several of the operators of CCS and SCCS to be independent. The basic operators of SCCS were chosen to be intuitively distinct, but were not formally shown to be independent. That this can be done is an important advance; that it can be done so easily is surprising.
5 Acknowledgements

This paper forms one of the chapters of my Ph.D. thesis. I thank my supervisor, Robin Milner, for many years of discussions, inspiration and guidance. One of the theorems in this paper is due to him; he, as well as my examiners Colin Stirling and Mike Shields, are to be thanked for helping me to clean up the definition of derivability with respect to the need to extend Act.
References

[de Simone85] R. de Simone. Higher Level Synchronising Devices in MEIJE-SCCS. Theoretical Computer Science, 37(3):245-268, 1985.

[Hennessy and Milner85] M. Hennessy and R. Milner. Algebraic Laws for Nondeterminism and Concurrency. JACM, 32(1):137-162, January 1985.

[Larsen86] K. Larsen. Context Dependent Equivalences in CCS. PhD thesis, University of Edinburgh, 1986.

[Milner83] R. Milner. Calculi for Synchrony and Asynchrony. Theoretical Computer Science, 25:267-310, 1983.