Process Algebra with Combinators
Jan A. Bergstra (1,2), Inge Bethke (1), Alban Ponse (1)
1 University of Amsterdam, Programming Research Group, Kruislaan 403, 1098 SJ Amsterdam, The Netherlands
2 Utrecht University, Department of Philosophy, Heidelberglaan 8, 3584 CS Utrecht, The Netherlands
E-mail:
[email protected] -
[email protected] -
[email protected]
Abstract
We introduce typed combinatory process algebra, a system combining process algebra with types and combinators. We describe its syntax and semantics, and by way of example, verify within this framework the Simple Alternating Bit Protocol.
Key Words & Phrases: protocol verification, process algebra, typed combinatory logic.
1991 Mathematics Subject Classification: 69C20, 69M10, 03B15, 03B40.
Note: The first author acknowledges the support of ESPRIT Basic Research Action CONFER no. 6454.
Contents
1 Introduction 1
2 Types and combinators 2
3 Combinatory process algebra 5
4 A working example: the Simple Alternating Bit Protocol 11
5 Semantical issues 23
6 State combinators 25
1 Introduction
System specification and verification in process algebra always combines data structuring (e.g. using abstract data types) and control structuring, which is done by means of the primitives of a suitable process algebra. There are several languages that link a notation suggested by process algebra to some abstract data type notation. We mention: LOTOS ([BB87], [B88]), PSF ([MV90], [M91]), μCRL ([GP90], [GP91]). In each of these cases a rudimentary form of typed λ-calculus is used to organize the distribution of data within a process expression. In this paper we intend to clarify in detail the type structure of data dependent actions and processes. In addition we propose to employ typed combinators (cf. e.g. [S24], [HS86]) in order to stay entirely within typed equational logic. As an illustration SABP, the Simple Alternating Bit Protocol, taken from [P85] and adapted to ACP syntax in [BKO87], is verified in a purely equational way. This improves all previous verifications, e.g. the ones in [B90], by not using conditional equations. Our analysis of SABP essentially uses the single exit iteration operator (Kleene star) of [BBP93] and the corresponding version of Koomen's fair abstraction rule.

As to the relevance of this work, we state the following: (i) we have developed a purely equational style of reasoning about protocols in process algebra that applies at least in some simple cases; (ii) we have elaborated a reasonable typing schema that can underlie process specifications such as can be given e.g. in μCRL; (iii) we think that much work on process algebra comprises rudimentary forms of type theory and typed λ-calculus that could be made explicit and phrased in terms of existing type theoretical primitives. In doing so, process algebra is reduced to its essential content, which will improve its clarity. Here an entire research programme is visible, of which the present paper is one of the more obvious steps.

The paper is organized as follows. In Section 2 we collect the basic definitions concerning typed combinatory logic and its accompanying Extensionality Theorem. Our exposition is based in part on [HS86], [CF58] and [S67]. In Section 3 we introduce the formal language of combinatory process algebra, including the operator Σ for arbitrary sum formation, and give an axiomatization based on ACP_τ. Moreover, we prove a number of logical consequences of this axiomatization which we then apply in the next section. Section 4 is devoted entirely to the verification of SABP. Here we enforce due rigour in order to illustrate in detail the ins and outs of the system of combinatory process algebra. In Section 5 we describe informally a natural semantics of combinatory process algebra, and finally, in Section 6, we discuss briefly how the state operator can be fitted into this framework.
2 Types and combinators
The type structure that seems to be appropriate for various process algebra systems is the polymorphic type structure generated by a partially ordered set of basic types (B, ≤) that contains the sets of core atoms, atoms, processes and data, and their natural subset relation.

Definition 2.1. (T(B), ⩽) Let B = (B, ≤) be a partially ordered set containing ({Ac, A, P, D}, Ac ≤ A ≤ P).
(i) The set of types, T(B), is defined as follows: T(B) := B | T(B) → T(B).
(ii) The pre-order ≼ on T(B) is defined by the following clauses.
 (a) If β ≤ β' in B, then β ≼ β'.
 (b) If σ ≼ σ' and ρ ≼ ρ', then σ' → ρ ≼ σ → ρ'.
(iii) The subtype relation ⩽ on T(B) is the reflexive, transitive closure of ≼.

A, the set of atoms, is intended to comprise the core atoms together with deadlock and the silent step. Each compound type σ → ρ is intended to denote the set of functions from σ to ρ. More precisely, these are functions whose domain is the set denoted by σ, and whose range is a subset of the set denoted by ρ. For example, D → P denotes the set of functions from data to processes, and, written linearly, D → (Ac → P) denotes the set of binary functions mapping pairs consisting of a datum and a core atom to processes. The order on compound types is, in a natural way, induced by the order on basic types. To give an example, observe that, with the interpretation of types given so far, every core atom is an atom and every atom is a process. A function from processes to core atoms, for example, corresponds therefore uniquely to a function from atoms to atoms and to a function from atoms to processes: namely to its restriction to A. This defines an embedding of P → Ac into A → A and into A → P. In this way, we may consider P → Ac to be a subtype of A → A and A → P. If σ ≼ A (σ ≼ P), we say that σ₁ → (σ₂ → (… (σₙ → σ) …)) is an atom valued type (a process valued type).

A T(B)-typed signature Σ = (B, F) consists of a poset B of basic types and a set F of function symbols, each with a fixed type in T(B). The set of terms of typed combinatory logic over Σ, T(Σ), is the set of expressions generated in the following way. For each type σ ∈ T(B), we assume that there is a denumerable infinity of variables V_σ = {x^σ, y^σ, z^σ, …} of that type; we also assume, for all types σ, σ', σ'' ∈ T(B), that there are combinators I_σ of type σ → σ, K_{σ,σ'} of type σ → (σ' → σ), and S_{σ,σ',σ''} of type (σ → (σ' → σ'')) → ((σ → σ') → (σ → σ'')). From these basic expressions together with the function symbols in F we build up terms inductively.

Definition 2.2. (T(Σ)) Let Σ = (B, F) be a T(B)-typed signature. Then we define T(Σ) = ⋃_{σ ∈ T(B)} T(Σ)_σ as follows. For all σ, σ', σ'' ∈ T(B),
(i) V_σ ⊆ T(Σ)_σ;
(ii) I_σ ∈ T(Σ)_{σ→σ}; K_{σ,σ'} ∈ T(Σ)_{σ→(σ'→σ)}; S_{σ,σ',σ''} ∈ T(Σ)_{(σ→(σ'→σ''))→((σ→σ')→(σ→σ''))};
(iii) if f ∈ F is of type σ, then f ∈ T(Σ)_σ;
(iv) if t ∈ T(Σ)_{σ→σ''} and t' ∈ T(Σ)_{σ'} with σ' ⩽ σ, then tt' ∈ T(Σ)_{σ''}.

We write t : σ or t^σ to indicate that t is a term of type σ. If t : σ and t' : σ', we say that t, t' are compatible iff there exists ρ with σ ⩽ ρ and σ' ⩽ ρ, and incompatible iff no such ρ exists. Type super- and subscripts will often be omitted when clear from the context. Parentheses will be omitted too, in such a way that, for example, tt't'' denotes (tt')t''. This convention is called association to the left. Combinatory logic is an equational theory.
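As an added example (not code from the paper), the following Python checker implements the subtype relation ⩽ of Definition 2.1 over the basic poset Ac ≤ A ≤ P (with D incomparable), the compatibility test, and the application rule of Definition 2.2(iv). The names Arrow, subtype, compatible and apply_type are this example's own choices; the types checked at the bottom are the paper's P → Ac, A → A and A → P.

```python
# Added example (not from the paper): the subtype relation of Definition 2.1
# and the typing rule for application of Definition 2.2(iv), over the basic
# poset Ac <= A <= P plus the data type D.  Basic types are strings.
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrow:
    """A compound type dom -> cod."""
    dom: object
    cod: object

    def __str__(self):
        d = f"({self.dom})" if isinstance(self.dom, Arrow) else self.dom
        return f"{d} -> {self.cod}"


# The chain Ac <= A <= P of the paper; D is incomparable with all three.
CHAIN = ["Ac", "A", "P"]


def basic_le(b1, b2):
    """The order of the basic poset B (clause (a) of Def. 2.1(ii))."""
    if b1 == b2:
        return True
    return b1 in CHAIN and b2 in CHAIN and CHAIN.index(b1) <= CHAIN.index(b2)


def subtype(s, t):
    """s <= t on T(B): basic order on basic types; on arrows clause (b),
    contravariant in the domain and covariant in the codomain."""
    if isinstance(s, str) and isinstance(t, str):
        return basic_le(s, t)
    if isinstance(s, Arrow) and isinstance(t, Arrow):
        return subtype(t.dom, s.dom) and subtype(s.cod, t.cod)
    return False


def has_upper_bound(s, t):
    """Compatibility: is there a type above both s and t?"""
    if isinstance(s, str) and isinstance(t, str):
        return s == t or (s in CHAIN and t in CHAIN)
    if isinstance(s, Arrow) and isinstance(t, Arrow):
        # an upper bound r1 -> r2 needs r1 below both domains, r2 above both codomains
        return has_lower_bound(s.dom, t.dom) and has_upper_bound(s.cod, t.cod)
    return False


def has_lower_bound(s, t):
    if isinstance(s, str) and isinstance(t, str):
        return s == t or (s in CHAIN and t in CHAIN)
    if isinstance(s, Arrow) and isinstance(t, Arrow):
        return has_upper_bound(s.dom, t.dom) and has_lower_bound(s.cod, t.cod)
    return False


compatible = has_upper_bound


def well_typed_application(f_type, arg_type):
    """Def. 2.2(iv): t t' is a term when t : s -> r and t' : s' with s' <= s."""
    return isinstance(f_type, Arrow) and subtype(arg_type, f_type.dom)


def apply_type(f_type, arg_type):
    """The type r of t t', or a TypeError when Def. 2.2(iv) does not apply."""
    if not isinstance(f_type, Arrow):
        raise TypeError(f"a term of basic type {f_type} cannot be applied")
    if not subtype(arg_type, f_type.dom):
        raise TypeError(f"argument type {arg_type} is not a subtype of {f_type.dom}")
    return f_type.cod


def result_type(t):
    """The final sigma of sigma_1 -> (... -> (sigma_n -> sigma))."""
    while isinstance(t, Arrow):
        t = t.cod
    return t


def is_atom_valued(t):
    return subtype(result_type(t), "A")


def is_process_valued(t):
    return subtype(result_type(t), "P")


if __name__ == "__main__":
    # The paper's example: P -> Ac is a subtype of both A -> A and A -> P ...
    print(subtype(Arrow("P", "Ac"), Arrow("A", "A")), subtype(Arrow("P", "Ac"), Arrow("A", "P")))
    # ... but Ac -> P is not below A -> A, since P is not below A.
    print(subtype(Arrow("Ac", "P"), Arrow("A", "A")))
```

Note that the domain is compared the other way round: a function on processes may be used where a function on atoms is expected, because every atom is a process.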
Its fundamental axioms, which define the applicative behaviour of the elementary identificator¹ I, the elementary cancellator K, and the anonymous combinator S, are listed in Table 1. In addition, there are the usual axioms and rules of equational logic, with substitution respecting subtypes. That is, a substitution is now a function from ⋃_{σ ∈ T(B)} V_σ to T(Σ) that maps every variable of type σ to a term whose type is a subtype of σ.

(I_σ) I_σ x = x
(K_{σ,σ'}) K_{σ,σ'} xy = x
(S_{σ,σ',σ''}) S_{σ,σ',σ''} xyz = xz(yz)

Table 1: The axioms of combinatory logic.

With the aid of the fundamental combinators and their defining equations, one can define abstraction terms [x] t for each x and t, with the property that ([x] t)t' = t[x := t'], where t[x := t'] denotes the result of substituting t' for every occurrence of x in t. In contrast to λ in the λ-calculus, [x] is not part of the formal language of Σ-terms; [x] t will be a combination of I's, K's and S's and parts of t, built up as follows.

¹ The nomenclature is taken from [CF58].
Definition 2.3. (Abstraction) Let t : ρ and x ∈ V_σ. Then [x] t : σ → ρ is defined by the following clauses.
(i) If t ≡ x, then [x] t ≡ I.
(ii) If t is a variable distinct from x, or t ∈ F ∪ {I, K, S}, then [x] t ≡ Kt.
(iii) If t ≡ t't'', then [x] t ≡ S([x] t')([x] t'').

The preceding definition can be generalized to several variables: [x₀, …, xₙ₊₁] t ≡ [x₀, …, xₙ] [xₙ₊₁] t. Note that abstraction variables do not occur anymore in the abstraction terms.

Combinatory logic is not extensional. That is, terms having the same applicative behaviour are not in general proved equal. In order to obtain an extensional theory, the following axioms, taken from [S67], have to be added. Note that the terms in axioms (E1)-(E5) do not contain variables.

(E1) [x, y] S(S(KK)x)y = K
(E2) [x, y, z] S(S(S(KS)x)y)z = [x, y, z] S(Sxz)(Syz)
(E3) S(KI) = I
(E4) [x] S(Kx)I = I
(E5) [x, y] K(xy) = [x, y] S(Kx)(Ky)

Table 2: The axioms of extensionality.

The variables appearing in the notation are used only to make explicit the reduction properties of the terms involved. Note also that each of the axioms is only a schema; proper axioms are obtained by an assignment of types to the variables and of subscripts to the combinators. Given such an assignment, the terms of the equations take some type. Henceforth, the system comprising the axioms (I_σ), (K_{σ,σ'}), (S_{σ,σ',σ''}), (E1)-(E5) will be called CL_ext.

Theorem 2.4. (Extensionality) If tx = t'x is derivable in CL_ext, then t = t' is derivable in this system, provided x does not occur in t or t'.
Proof. See [S67]. □
Inspection of the proof of Theorem 2.4 shows that it holds in fact for any extension of CLext with closed axioms, i.e. equations containing no variables. In particular, it holds for the extensions described in the next sections. We end this section with the introduction of two special combinators which we shall use frequently in the sequel.
Definition 2.5. For σ, σ', σ'' ∈ T(B), define
(i) B_{σ,σ',σ''} ≡ [x^{σ→σ'}, y^{σ''→σ}, z^{σ''}] x(yz)
(ii) C_{σ,σ',σ''} ≡ [x^{σ→(σ'→σ'')}, y^{σ'}, z^{σ}] xzy

Observe that
(i) B_{σ,σ',σ''} : (σ → σ') → ((σ'' → σ) → (σ'' → σ'))
(ii) C_{σ,σ',σ''} : (σ → (σ' → σ'')) → (σ' → (σ → σ''))

Going back to [CF58], B_{σ,σ',σ''} and C_{σ,σ',σ''} are called elementary compositor and elementary permutator, respectively. B, C, K and I interact as follows:

Proposition 2.6. The following schemata are derivable in any extension of CL_ext with closed axioms:
(a) BCC = I
(b) BC(BK) = K

Proof. By repeated application of Theorem 2.4. We prove (b). Observe that BC(BK)xyz = C(BKx)yz = BKxzy = K(xz)y = xz = Kxyz. Thus BC(BK) = K. □
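The following Python program is an added example (not code from the paper): it implements bracket abstraction exactly as in Definition 2.3, the reduction rules of Table 1, builds B and C as in Definition 2.5, and checks Proposition 2.6 the way Theorem 2.4 licenses, by applying both sides to fresh variables and comparing normal forms. Terms are untyped here (types are not tracked); the function names abstract, nf and extensionally_equal are this example's own.

```python
# Added example (not from the paper): bracket abstraction (Definition 2.3),
# the compositor B and permutator C (Definition 2.5), and the extensional
# check behind Proposition 2.6.  Terms: strings are variables, combinators
# (I, K, S) or function symbols; a 2-tuple (f, a) is the application f a.
I, K, S = "I", "K", "S"


def app(t, *args):
    """Left-associative application: app(f, a, b) is (f a) b."""
    for a in args:
        t = (t, a)
    return t


def abstract(x, t):
    """[x] t by clauses (i)-(iii) of Definition 2.3."""
    if t == x:
        return I                                            # (i)
    if isinstance(t, str):
        return (K, t)                                       # (ii): other variable, I, K, S or f in F
    return ((S, abstract(x, t[0])), abstract(x, t[1]))      # (iii)


def abstract_many(xs, t):
    """[x0, ..., xn] t = [x0, ..., x(n-1)] [xn] t."""
    for x in reversed(xs):
        t = abstract(x, t)
    return t


def subst(t, x, u):
    """t[x := u]: replace every occurrence of x in t by u."""
    if t == x:
        return u
    if isinstance(t, str):
        return t
    return (subst(t[0], x, u), subst(t[1], x, u))


def spine(t):
    """Split t into its head and the list of arguments it is applied to."""
    args = []
    while isinstance(t, tuple):
        t, a = t
        args.insert(0, a)
    return t, args


def head_step(t):
    """One reduction with an axiom of Table 1 at the root, or None."""
    h, args = spine(t)
    if h == I and len(args) >= 1:
        return app(args[0], *args[1:])                      # I x = x
    if h == K and len(args) >= 2:
        return app(args[0], *args[2:])                      # K x y = x
    if h == S and len(args) >= 3:
        x, y, z = args[:3]
        return app(((x, z), (y, z)), *args[3:])             # S x y z = x z (y z)
    return None


def nf(t, limit=100000):
    """Normal form: reduce at the root until stuck, then inside the arguments."""
    steps = 0
    while True:
        r = head_step(t)
        if r is None:
            break
        t, steps = r, steps + 1
        if steps > limit:
            raise RuntimeError("reduction limit exceeded")
    if isinstance(t, tuple):
        return (nf(t[0], limit), nf(t[1], limit))
    return t


def extensionally_equal(t1, t2, n):
    """Theorem 2.4 in action: apply both sides to n fresh variables and
    compare the normal forms."""
    fresh = [f"v{k}" for k in range(n)]
    return nf(app(t1, *fresh)) == nf(app(t2, *fresh))


# B = [x, y, z] x(yz) and C = [x, y, z] xzy, built exactly as in Definition 2.5.
B = abstract_many(["x", "y", "z"], app("x", ("y", "z")))
C = abstract_many(["x", "y", "z"], app("x", "z", "y"))


if __name__ == "__main__":
    t = app("f", "x", ("g", "x"))
    print(nf(app(abstract("x", t), "a")) == subst(t, "x", "a"))   # ([x]t) a = t[x := a]
    print(extensionally_equal(app(B, C, C), I, 3))                 # Proposition 2.6(a)
    print(extensionally_equal(app(B, C, app(B, K)), K, 3))         # Proposition 2.6(b)
```

Because abstraction terms are closed, B and C contain no variables, and the fresh variables v0, v1, v2 used by extensionally_equal cannot clash with them; this is the side condition of Theorem 2.4.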
3 Combinatory process algebra
Given a T(B)-typed signature Σ = (B, F), combinatory process algebra (over Σ) is, as is usual, a family of sets together with a collection of operators on these sets, and is axiomatized by an equational theory extending extensional combinatory logic. The family of sets is the type structure T(B). The collection of operators consists of the combinators, F and,
(i) for process valued types,
 - the binary operators + (alternative composition), · (sequential composition), ‖, ⌊⌊ and | (parallel merge, left merge and communication merge), and * (iteration);
 - the unary operators Σ (for arbitrary sums), ∂_H (encapsulation) and τ_I (hiding);
(ii) for atom valued types, the constants δ (deadlock) and τ (silent step).
We refer to [BW90] for a detailed explanation of these operators, except for *, for which we refer to [BBP93]. The precise basic signature of combinatory process algebra is given in Table 3. Here, B = ({Ac, A, P, D}, Ac ≤ A ≤ P) and T(B)_σ = {σ₁ → (… (σₙ → σ) …) | σᵢ ∈ T(B)}.

+_σ, ·_σ, ‖_σ, ⌊⌊_σ, |_σ, *_σ : σ → (σ → σ)   for all σ ∈ T(B)_P
Σ_{σ',σ} : (σ' → σ) → σ   for all σ' ∈ T(B), σ ∈ T(B)_P
∂_{H,σ}, τ_{I,σ} : σ → σ   for all σ ∈ T(B)_P and all H, I ⊆ ⋃_{σ' ∈ T(B)_{Ac}} T(Σ)_{σ'}
δ_σ, τ_σ : σ   for all σ ∈ T(B)_A

Table 3: The basic signature of combinatory process algebra.

We shall use the following notational conventions.
(a) Binary operators will be written infix.
(b) Opposed to the usual convention in process algebra, we will not omit the operator ·. That is, we write t · t' for sequential composition, and tt' for function application. Moreover, we take function application to be most binding.

To give an example of a process expression within this framework, we consider the following informal specification of a one-element buffer that buffers elements of some data set D: Buffer = (Σ_{d∈D} r(d) · s(d))*δ. In combinatory process algebra, this buffer has the following formal description: Buffer = (Σ(r · s))*δ, where we assume r, s : D → Ac and Buffer : P.

The axioms of combinatory process algebra, in addition to those of extensional combinatory logic, are divided into five groups. The first group, listed in Table 4, consists of the axioms of argumentwise evaluation. These axioms are self-explanatory except for, perhaps, AE_Σ, which defines evaluation to be argumentwise for arbitrary sums.

(AE_□) [x, y, z] (x □ y)z = [x, y, z] (xz □ yz)   for □ ∈ {+, ·, ‖, ⌊⌊, |, *}
(AE_Σ) [x, y] Σxy = [x, y] Σ(Cxy)
(AE_□) [x, y] □xy = [x, y] □(xy)   for □ ∈ {∂_H, τ_I}
(AE_□) □ = [x] □   for □ ∈ {δ, τ}

Table 4: The axioms of argumentwise evaluation.

To give an intuitive explanation of the axiom AE_Σ, we consider the instance where we let r be a binary function from D to P and d : D. Here Σ_{D,D→P} rd, the left-hand term, denotes (rd₁ + rd₂ + …)d, where we let d₁, d₂, … range over D. The term on the right, Σ_{D,P}(Crd), however, denotes Crdd₁ + Crdd₂ + …, which after application of the permutator C reduces to rd₁d + rd₂d + ….

In extensional combinatory logic one can derive from the axioms of argumentwise evaluation the following distribution schemata for so-called deferred cancellators, permutators and compositors.

Definition 3.1. For □ ∈ {K, C, B} and n ∈ ℕ we define □ₙ recursively by: (i) □₀ ≡ □, (ii) □ₙ₊₁ ≡ B□ₙ.

With this definition, taken from [CF58], we have e.g. that K₀ ≡ K, K₁ ≡ BK₀ ≡ BK, K₂ ≡ BK₁ ≡ B(BK), ….

Proposition 3.2. Let □ ∈ {K, C, B}. Then the following schemata are derivable in any extension of CL_ext and the axioms of argumentwise evaluation with closed axioms:
(a) for ○ ∈ {+, ·, ‖, ⌊⌊, |, *}, □ₙ(x ○ y) = (□ₙx) ○ (□ₙy);
(b) □ₙ(Σx) = Σ(□ₙ₊₁x);
(c) for ○ ∈ {∂_H, τ_I}, □ₙ(○x) = ○(□ₙx);
(d) for ○ ∈ {δ, τ}, □ₙ○ = ○.
Proof. By induction on n, employing Theorem 2.4 repeatedly. By way of example we shall prove (b) for □ ≡ K. For n = 0 observe that
K₀(Σx)y = K(Σx)y = Σx = Σ(Kxy) = Σ(BC(BK)xy) by 2.6(b) = Σ(C(BKx)y) = Σ(BKx)y by AE_Σ = Σ(K₁x)y.
Hence K₀(Σx) = Σ(K₁x). For the induction step we first prove
(†) Kₙ₊₁(Cxy) = C(Kₙ₊₂x)y:
Kₙ₊₁(Cxy)z = Kₙ(Cxyz) = Kₙ(xzy) = Kₙ₊₁(xz)y = Kₙ₊₂xzy = C(Kₙ₊₂x)yz.
So (†) holds. We now have that
Kₙ₊₁(Σx)y = Kₙ(Σxy) = Kₙ(Σ(Cxy)) = Σ(Kₙ₊₁(Cxy)) by IH = Σ(C(Kₙ₊₂x)y) by (†) = Σ(Kₙ₊₂x)y by AE_Σ.
Thus Kₙ₊₁(Σx) = Σ(Kₙ₊₂x). □
The second group of axioms consists of the ACP_τ-axioms introduced in [BK85] and extending the ACP-axioms of [BK84]. The schemata, from which the axioms can be obtained by a type assignment to the variables and operators, are listed in Table 5. They differ from all the other schemata in so far as only restricted type assignment is permitted. That is, the labels of these schemata all carry a subscript which refers to the kind of the types of the abstracted variables, in that order. To be more precise, in a schema of the form L_{A,P} [x, y] … = [x, y] …, x is assumed to be of atom-valued type whereas y is assumed to be of process-valued type. For example, a properly typed instance of CM5_{A,P,A}, with all its type super- and subscripts shown, is
[x^A, y^P, z^A] (x^A ·_P y^P) |_P z^A = [x^A, y^P, z^A] (x^A |_P z^A) ·_P y^P.
Likewise,
[x^{D→A}, y^{D→P}] x^{D→A} ⌊⌊_{D→P} y^{D→P} = [x^{D→A}, y^{D→P}] x^{D→A} ·_{D→P} y^{D→P}
is a correctly typed instance of CM2_{A,P}.

The third group of axiom schemata comprises the Single Exit Iteration axioms introduced in [BBP93]². The schemata, listed in Table 6, give the basic interaction properties of the process valued object t * t', which chooses between t and t', and upon termination of t has this choice again.

The fourth group of axiom schemata, listed in Table 7, defines the operator Σ. Recalling that Σx denotes xd₁ + xd₂ + …, the first schema, Σ₊, is obvious. The remaining schemata are versions of A3, A4, CM4, CM8, CM9, D3 and TI3, where binary sums are replaced by arbitrary ones. There are three derived schemata for so-called powers of Σ, which will prove useful in the sequel.

Definition 3.3. For □ ∈ {Σ, K} and n ∈ ℕ we define □ⁿ recursively by: (i) □⁰ ≡ I, (ii) □ⁿ⁺¹ ≡ B□□ⁿ.

This definition is again taken from [CF58]. For Σ, we have e.g. that Σ⁰ ≡ I, Σ¹ ≡ BΣΣ⁰ ≡ BΣI, Σ² ≡ BΣΣ¹ ≡ BΣ(BΣI), ….

Proposition 3.4. The following schemata are derivable in any extension of CL_ext and the Σ-axioms with closed axioms:

² It should be noted that we deviate from the original numbering of the SEI-axioms: the axioms SEI4 and SEI5 of Table 6 correspond in fact to the axioms SEI5 and SEI6 in [BBP93]; we omit SEI4 of [BBP93], since it can be proved in BPA + SEI3.
(A1_{P,P}) [x, y] x + y = [x, y] y + x
(A2_{P,P,P}) [x, y, z] x + (y + z) = [x, y, z] (x + y) + z
(A3_P) [x] x + x = I
(A4_{P,P,P}) [x, y, z] (x + y) · z = [x, y, z] (x · z) + (y · z)
(A5_{P,P,P}) [x, y, z] (x · y) · z = [x, y, z] x · (y · z)
(A6_P) [x] x + δ = I
(A7_P) [x] δ · x = δ

(CM1_{P,P}) [x, y] x ‖ y = [x, y] (x ⌊⌊ y) + (y ⌊⌊ x) + (x | y)
(CM2_{A,P}) [x, y] x ⌊⌊ y = [x, y] x · y
(CM3_{A,P,P}) [x, y, z] (x · y) ⌊⌊ z = [x, y, z] x · (y ‖ z)
(CM4_{P,P,P}) [x, y, z] (x + y) ⌊⌊ z = [x, y, z] (x ⌊⌊ z) + (y ⌊⌊ z)
(CM5_{A,P,A}) [x, y, z] (x · y) | z = [x, y, z] (x | z) · y
(CM6_{A,A,P}) [x, y, z] x | (y · z) = [x, y, z] (x | y) · z
(CM7_{A,P,A,P}) [x, y, z, u] (x · y) | (z · u) = [x, y, z, u] (x | z) · (y ‖ u)
(CM8_{P,P,P}) [x, y, z] (x + y) | z = [x, y, z] (x | z) + (y | z)
(CM9_{P,P,P}) [x, y, z] x | (y + z) = [x, y, z] (x | y) + (x | z)

(T1_P) [x] x · τ = I
(T2_P) [x] τ · x = [x] (τ · x) + x
(T3_{A,P,P}) [x, y, z] x · ((τ · y) + z) = [x, y, z] (x · ((τ · y) + z)) + (x · y)

(TC1_P) [x] τ | x = δ
(TC2_P) [x] x | τ = δ
(TC3_{P,P}) [x, y] (τ · x) | y = [x, y] x | y
(TC4_{P,P}) [x, y] x | (τ · y) = [x, y] x | y

(D0) ∂_H □ = □   for □ ∈ {δ, τ}
(D1) ∂_H a = a   for a ∈ F − H
(D2) ∂_H a = δ   for a ∈ F ∩ H
(D3_{P,P}) [x, y] ∂_H(x + y) = [x, y] ∂_H x + ∂_H y
(D4_{P,P}) [x, y] ∂_H(x · y) = [x, y] ∂_H x · ∂_H y

(TI0) τ_I □ = □   for □ ∈ {δ, τ}
(TI1) τ_I a = a   for a ∈ F − I
(TI2) τ_I a = τ   for a ∈ F ∩ I
(TI3_{P,P}) [x, y] τ_I(x + y) = [x, y] τ_I x + τ_I y
(TI4_{P,P}) [x, y] τ_I(x · y) = [x, y] τ_I x · τ_I y

Table 5: The ACP_τ-axioms of combinatory process algebra.
(SEI1) [x, y] x · (x * y) + y = [x, y] x * y
(SEI2) [x, y, z] x * (y · z) = [x, y, z] (x * y) · z
(SEI3) [x, y, z] x * (y · ((x + y) * z) + z) = [x, y, z] (x + y) * z
(SEI4) [x, y] ∂_H(x * y) = [x, y] ∂_H(x) * ∂_H(y)
(SEI5) [x, y] τ_I(x * y) = [x, y] τ_I(x) * τ_I(y)

Table 6: The SEI-axioms of combinatory process algebra.

(Σ₊) [x, y] Σ(x) + Σ(y) = [x, y] Σ(x + y)
(Σ_K) [x] Σ(Kx) = I
(Σ_K) [x] x + K(Σx) = [x] K(Σx)
(Σ_□) [x, y] (Σx) □ y = [x, y] Σ(x □ (Ky))   for □ ∈ {·, ⌊⌊, |}
(Σ_|) [x, y] x | (Σy) = [x, y] Σ(Kx | y)
(Σ_□) [x] □(Σx) = [x] Σ(□x)   for □ ∈ {∂_H, τ_I}

Table 7: The Σ-axioms of combinatory process algebra.

(i) Kⁿ⁺¹ = BKⁿK;
(ii) for □ ∈ {·, ⌊⌊, |}, Σⁿx □ y = Σⁿ(x □ (Kⁿy));
(iii) for □ ∈ {∂_H, τ_I}, □(Σⁿx) = Σⁿ(□x);
(iv) for □ ∈ {δ, τ}, Σⁿ□ = □.

Proof. By induction on n. We prove (i) and (ii).
(i) For n = 0 we have that K¹x = BKIx = K(Ix) = Kx = I(Kx) = BIKx = BK⁰Kx. Hence K¹ = BK⁰K by Theorem 2.4. For n > 0,
Kⁿ⁺¹x = BKKⁿx = K(Kⁿx) = K(BKⁿ⁻¹Kx) by IH = K(Kⁿ⁻¹(Kx)) = BKKⁿ⁻¹(Kx) = Kⁿ(Kx) = BKⁿKx.
Thus Kⁿ⁺¹ = BKⁿK by Theorem 2.4.
(ii) For n = 0, (ii) is immediate. For n > 0,
Σⁿx □ y = (BΣΣⁿ⁻¹x) □ y = Σ(Σⁿ⁻¹x) □ y = Σ((Σⁿ⁻¹x) □ (Ky)) by Σ_□ = Σ(Σⁿ⁻¹(x □ (Kⁿ⁻¹(Ky)))) by IH = Σ(Σⁿ⁻¹(x □ (BKⁿ⁻¹Ky))) = Σ(Σⁿ⁻¹(x □ (Kⁿy))) by (i) = BΣΣⁿ⁻¹(x □ (Kⁿy)) = Σⁿ(x □ (Kⁿy)). □
The last group of schemata, listed in Table 8, defines communication merge for atom-valued elements of F. The first and second of these schemata state that for a, b of equal arity, ax₁…xₙ | by₁…yₙ = δ if for some 1 ≤ i ≤ n, xᵢ ≠ yᵢ. Here a distinction is made between compatible and incompatible a, b. The third schema deals with a, b of different arity, say n and m. In that case ax₁…xₙ | by₁…yₘ = δ. Note that these schemata are inspired by the rule CF2′ and the axiom schema CF2″ of μCRL in [GP91]. Observe also that the cases without x or y can be derived by appropriate substitution of τ (using T1). The commuted cases are derivable using [x, y] x | y = [x, y] y | x, one of the axioms of standard concurrency that will be added later on.

(|_{a,b,n}) [x, y] (a · x) | Kⁿ(Σⁿ(b · y)) = [x, y] (a | b) · (x ‖ y)   for compatible a, b
(|'_{a,b,n}) [x, y] (a · x) | Kⁿ(Σⁿ(b · y)) = δ   for incompatible a, b
(|_{a,b,n,m}) [x, y] (a · x) | Kⁿ(Σᵐ(b · y)) = δ   for n ≠ m

Table 8: The |_F-axioms of combinatory process algebra, where a, b ∈ F ∩ T(B)_A.

Proposition 3.5. The following schemata are derivable in any extension of CL_ext, the Σ-axioms and the |_F-axioms with closed axioms: for a, b ∈ F ∩ T(B)_A and n, m ∈ ℕ,
(i) Σⁿ(a · x) | Σⁿ(b · y) = Σⁿ((a | b) · (x ‖ y)), provided a, b are compatible;
(ii) Σⁿ(a · x) | Σᵐ(b · y) = δ, provided n ≠ m.

Proof. (i) and (ii) follow from Proposition 3.4:
(i) Σⁿ(a · x) | Σⁿ(b · y) = Σⁿ((a · x) | Kⁿ(Σⁿ(b · y))) by 3.4(ii) = Σⁿ((a | b) · (x ‖ y)) by |_{a,b,n}.
(ii) Σⁿ(a · x) | Σᵐ(b · y) = Σⁿ((a · x) | Kⁿ(Σᵐ(b · y))) by 3.4(ii) = Σⁿδ by |_{a,b,n,m} = δ by 3.4(iv). □
There are three additional consequences of the axiom schemata above which we shall employ in the next section.

Proposition 3.6. The following schemata are derivable in any extension of CL_ext, the Σ-axioms and the |_F-axioms with closed axioms: for a, b ∈ F ∩ T(B)_A and l, m, n ∈ ℕ,
(i) BCKⁿ⁺² = Kⁿ⁺²;
(ii) (Kˡa · x) | Kⁿ⁺ˡ(Σᵐ(b · y)) = δ, provided n ≠ m;
(iii) (BKa · x) | Kⁿ⁺²(Σᵐ(b · y)) = δ, provided n + 1 ≠ m;
(iv) Ka | BKb = δ, provided a, b are incompatible.

Proof. For (i) observe that
BCKⁿ⁺²xyz = C(Kⁿ⁺²x)yz = Kⁿ⁺²xzy = Kⁿx = Kⁿ⁺²xyz.
For (ii) note that
((Kˡa · x) | Kⁿ⁺ˡ(Σᵐ(b · y)))z₁…zₗ = (Kˡa · x)z₁…zₗ | Kⁿ(Σᵐ(b · y)) by AE_| = (a · xz₁…zₗ) | Kⁿ(Σᵐ(b · y)) by AE_· = δ by |_{a,b,n,m} = Kˡδz₁…zₗ.
Thus (Kˡa · x) | Kⁿ⁺ˡ(Σᵐ(b · y)) = Kˡδ = δ by AE_δ.
(iii)
(BKa · x) | Kⁿ⁺²(Σᵐ(b · y)) = BCC((BKa · x) | Kⁿ⁺²(Σᵐ(b · y))) by 2.6(a)
 = C(C((BKa · x) | Kⁿ⁺²(Σᵐ(b · y))))
 = C((C(BKa) · Cx) | C(Kⁿ⁺²(Σᵐ(b · y)))) by 3.2(a)
 = C((BC(BK)a · Cx) | BCKⁿ⁺²(Σᵐ(b · y)))
 = C((Ka · Cx) | Kⁿ⁺²(Σᵐ(b · y))) by 2.6(b), (i)
 = Cδ by (ii)
 = δ by 3.2(d).
(iv) First observe that
(†) Σ(Ka | BKb) = a | Σ(BKb) by Σ_| = a | K(Σb) by 3.2(b) = δ by T1, |'_{a,b,1}.
Hence
Ka | BKb = (Ka | BKb) + δ by A6 = (Ka | BKb) + Kδ by AE_δ = (Ka | BKb) + K(Σ(Ka | BKb)) by (†) = K(Σ(Ka | BKb)) by Σ_K = Kδ by (†) = δ by AE_δ. □

This ends the description of the formal system of combinatory process algebra. A combinatory process specification consists of a T(B)-typed signature Σ together with a set E of combinatory process algebra equations over Σ. We shall write E ⊢ t = t' if t = t' is derivable from E and the axioms listed in Tables 1, 2, 4, 5, 6, 7 and 8 by means of equational logic.
4 A working example: the Simple Alternating Bit Protocol

Figure 1: The Simple Alternating Bit Protocol (sender S, medium M and receiver R, connected by the channels 1 to 5).

The Simple Alternating Bit Protocol (SABP), essentially due to [P85] and reconsidered in [BKO87], is an idealized communication protocol providing reliable transmission of data through an unreliable
medium. Externally, the behaviour of the protocol is that of a buffer reading data from some input and subsequently writing the data to some output. Its internal behaviour, however, is determined by a more complex interaction between a sender S, a medium M and a receiver R, which are connected via directed communication channels as depicted in Figure 1. The sender inputs data from channel 1 and forwards frames consisting of a datum and a bit into the medium via channel 4. These actions are represented by r1 : D → Ac and s4 : D → (B → Ac). The medium forwards frames to the receiver via channel 5 or sends an error indication, representing loss or corruption of a datum, to the sender along channel 4. These actions are represented by s5 : D → (B → Ac) and s⊥ : Ac. The receiver writes data to the output via channel 3 and acknowledges receipt along channel 2. These actions are represented by s3 : D → Ac and s2 : B → Ac. A read or send action in a component along a certain channel has a send or read counterpart in the component with which the channel in question is shared. Communication is synchronous, i.e. it only occurs when complementary r/s actions are executed simultaneously through the same channel. The resulting actions are denoted by c⊥, c2, c4, c5.

The SABP roughly works as follows: S reads a datum d from the input and sends a frame (b, d) via M to R. If S gets the acknowledgement bit b from the receiver, it can input the next datum d' and forward it together with the switched bit b' along channel 4. If, however, S receives an error indication ⊥ from the medium, S retransmits the present frame before inputting a new one. It should be clear that the alternating bit is essential to distinguish new frames from old ones.

0, 1 : B
i, r⊥, s⊥, c⊥ : Ac
r1, s3 : D → Ac
r2, s2, c2 : B → Ac
r4, s4, c4, r5, s5, c5 : D → (B → Ac)
S, M, R, SABP : P
G : B → P
T : D → (B → P)

Table 9: The function symbols of SABP.

The specification of SABP in combinatory process algebra consists of the signature Σ_SABP, where B_SABP = ({B, Ac, A, D, P}, Ac ≤ A ≤ P) and F_SABP is listed in Table 9, together with the axioms E_SABP listed in Table 10. Observe that we prefix the send actions of the medium with an atomic action i in order to make the choice non-deterministic: that is, the decision whether or not a frame will be corrupted is internal to the medium and cannot be influenced by the environment.

The question is now whether SABP is specified correctly: does the entire process, apart from its internal actions, behave as a one-element buffer? Or, to put it differently, can we prove that τ_{I,P}(SABP) = (Σ_{D,P}(r1 · s3))*δ, where I = {c⊥, c2, c4, c5, i}? As is usual (cf. e.g. [BK86], [V90], [BG93]), we assume that the following principles are satisfied in the algebra in which we model SABP: Standard Concurrency (SC), Fair Abstraction and the Recursive Specification Principle (RSP). The latter principle may be problematic, but certainly not in the case of finite data types.

Standard Concurrency is an extension of process algebra originally due to [BT84]. We list its axiom schemata in Table 11. All axioms SC1-SC6 hold in fact for finite processes from ACP_τ. In [BW90] these axioms are proved by induction on term formation. We will not need SC2 and SC4 here.

Fair Abstraction is the principle that certain abstracted process steps will be fairly scheduled in such a way that eventually an unabstracted step is performed. In the case of weak bisimulation semantics, the
(M) M = (Σ_{B,P}(Σ_{D,B→P}(r4 · (K(Ki) · s5 + K(K(i · s⊥))))))*δ
(T) T = (K(Kr⊥) · s4)*(Kr2)
(G) G = Σ_{D,B→P}(BKr1 · s4 · T)
(S) S = (G0 · G1)*δ
(R) R = (Σ_{B,P}(Σ_{D,B→P}(r5 · BKs3 · Ks2)))*δ
(|_c) sⱼ | rⱼ = cⱼ   for j ∈ {⊥, 2, 4, 5}
(|_δ) a | a' = δ   for all non-complementary actions a, a' ∈ F
(SABP) SABP = ∂_{H,P}((S ‖ M) ‖ R)   for H = {r⊥, s⊥, r2, s2, r4, s4, r5, s5}

Table 10: The axioms of SABP.
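The following Python program is an added example, not code from the paper: it executes the three components of Table 10 as communicating state machines under the encapsulation H, with a constructed loss schedule deciding the medium's internal choice i, and then hides the internal actions to check that what remains is the buffer behaviour (Σ_d r1(d) · s3(d))*δ that Section 4 establishes equationally. The names run_sabp, external_trace and is_buffer_behaviour, the channel label "err" standing for the paper's ⊥, and the sample data and schedule are this example's own.

```python
# Added example (not from the paper): an executable model of the SABP
# components S, M and R of Table 10 under ∂_H, driven by a constructed loss
# schedule.  Channel numbers follow Figure 1; the paper's error channel ⊥ is
# called "err" here.
from collections import deque
from itertools import chain, repeat

ERR = "err"


def sender():
    """S = (G0 . G1)*δ: read a datum on 1, send the frame on 4, then
    T = (r_err . s4(d, b))*(r2 b): resend on error, stop on the right ack."""
    bit = 0
    while True:
        d = yield ("recv", 1, None)                          # r1(d)
        while True:
            yield ("send", 4, (d, bit))                       # s4(d, bit)
            chan, msg = yield ("recv_any", (ERR, 2), None)    # r_err or r2(b)
            if chan == 2 and msg == bit:                      # acknowledged with the frame's bit
                break
        bit ^= 1                                              # alternate the bit


def medium(loss_schedule):
    """M: read a frame on 4, take the internal step i, then deliver it on 5
    or return an error indication.  The constructed schedule fixes the choice."""
    for lost in chain(loss_schedule, repeat(False)):
        frame = yield ("recv", 4, None)                       # r4(d, b)
        yield ("tau", "i", None)                              # the internal action i
        if lost:
            yield ("send", ERR, None)                         # s_err
        else:
            yield ("send", 5, frame)                          # s5(d, b)


def receiver():
    """R: read a frame on 5, write the datum on 3, acknowledge the bit on 2."""
    while True:
        d, b = yield ("recv", 5, None)                        # r5(d, b)
        yield ("send", 3, d)                                  # s3(d)
        yield ("send", 2, b)                                  # s2(b)


def run_sabp(data, loss_schedule):
    """Run ∂_H((S ‖ M) ‖ R): only communications c_j on shared channels, the
    external r1/s3 actions and the internal i are enabled.  Returns (output, trace)."""
    inputs, output, trace = deque(data), [], []
    comps = {"S": sender(), "M": medium(loss_schedule), "R": receiver()}
    offer = {name: next(g) for name, g in comps.items()}      # each component's current offer

    def resume(name, value):
        offer[name] = comps[name].send(value)

    def receiver_on(chan):
        for name, (kind, arg, _) in offer.items():
            if (kind == "recv" and arg == chan) or (kind == "recv_any" and chan in arg):
                return name, kind
        return None

    while True:
        for name, (kind, chan, msg) in list(offer.items()):
            if kind == "tau":
                trace.append((chan,))
                resume(name, None)
                break
            if kind == "recv" and chan == 1:                  # external input on channel 1
                if not inputs:
                    return output, trace                      # nothing left to read: stop
                d = inputs.popleft()
                trace.append(("r1", d))
                resume(name, d)
                break
            if kind == "send" and chan == 3:                  # external output on channel 3
                output.append(msg)
                trace.append(("s3", msg))
                resume(name, None)
                break
            if kind == "send" and receiver_on(chan):          # synchronous communication c_chan
                partner, pkind = receiver_on(chan)
                trace.append((f"c{chan}", msg))
                resume(name, None)
                resume(partner, (chan, msg) if pkind == "recv_any" else msg)
                break
        else:
            raise RuntimeError("deadlock: encapsulation left no enabled action")


def external_trace(trace):
    """τ_I with I = {c_err, c2, c4, c5, i}: keep only r1 and s3 events."""
    return [e for e in trace if e[0] in ("r1", "s3")]


def count_events(trace, label):
    return sum(1 for e in trace if e[0] == label)


def is_buffer_behaviour(trace):
    """Is the visible behaviour of the form r1(d1) s3(d1) r1(d2) s3(d2) ... ?"""
    ext = external_trace(trace)
    if len(ext) % 2:
        return False
    return all(ext[k] == ("r1", ext[k + 1][1]) and ext[k + 1][0] == "s3"
               for k in range(0, len(ext), 2))


if __name__ == "__main__":
    out, tr = run_sabp(["a", "b"], [True, False, True, True, False])   # constructed input and schedule
    print(out, is_buffer_behaviour(tr), count_events(tr, "c4"), count_events(tr, "cerr"))
```

With the schedule above, datum a is retransmitted once and b twice (five c4 communications, three error indications), yet the external trace is r1 a · s3 a · r1 b · s3 b: the retransmission loop T of the sender hides every loss behind the internal actions, which is the content of the equation τ_{I,P}(SABP) = (Σ_{D,P}(r1 · s3))*δ.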
(SC1) [x, y, z] (x ⌊⌊ y) ⌊⌊ z = [x, y, z] x ⌊⌊ (y ‖ z)
(SC2) [x] x ⌊⌊ τ = [x] x
(SC3) [x, y] x | y = [x, y] y | x
(SC4) [x, y, z] (x | y) | z = [x, y, z] x | (y | z)
(SC5) [x, y, z] x | (y ⌊⌊ z) = [x, y, z] (x | y) ⌊⌊ z
(SC6) [x, y, z] x ‖ (y ‖ z) = [x, y, z] (x ‖ y) ‖ z

Table 11: The axioms of Standard Concurrency (SC).
principle is guaranteed by Koomen's Fair Abstraction Rules KFARₙ, introduced in [BK84]. KFAR₁, which is sufficient in the case of SABP, reads as follows:
x = ix + y (i ∈ I) ⟹ τ_I(x) = τ · τ_I(y)
(so the infinite sequence induced by ix is reduced to a single step). In the presence of *, however, we can replace this rule by the Fair Iteration Axiom FIR1 of [BBP93]. The closed axiom schema corresponding to this axiom is given in Table 12.

(FIR1) [x] τ * x = [x] τ · x

Table 12: The Fair Iteration Axiom Schema FIR1.

The important principle RSP, introduced in [BK86], expresses the fact that each guarded recursive equation has at most one solution. In a setting without τ, a *-adaptation of RSP can be given by
(RSP*) x = y · x + z ⟹ x = y * z.
However, in the presence of τ, the rule RSP* as such is not sound, and anyhow a too heavy tool for our purposes. Here its weaker version
(wRSP*) x = t · x + y ⟹ x = t * y
suffices, where y is replaced by a τ-free term t, that is a closed term containing no occurrences of τ or of an operator τ_I. As we wish to stay within the framework of pure equational reasoning, we shall not adopt this rule here. Instead, we extend our signature by two new operators, EQ : P → (P → B) and ⟨_⟩ : P → (B → (P → P)), and use the wRSP*-axioms listed in Table 13.

(EQ0) [x] EQxx = [x] 0
(EQ1) [x, y] EQxy = [x, y] EQyx
(⟨⟩0) [x, y] x ⟨0⟩ y = [x, y] x
(⟨⟩1) [x, y] x ⟨1⟩ y = [x, y] y
(⟨⟩2) [x, y] x ⟨EQxy⟩ y = [x, y] y
(⟨⟩3) [x, y] (t * y) ⟨EQx(t · x + y)⟩ x = [x, y] x

Table 13: The axioms for the Weak Recursive Specification Principle, where t is τ-free.

Observe that applying these axioms indeed yields

Proposition 4.1. Let wRSP* ⊆ E, and let t be a τ-free term and t', t'' be arbitrary (open or closed) terms. If E ⊢ t'' = t · t'' + t', then E ⊢ t'' = t * t'.

Proof. Assume (†) t'' = t · t'' + t'. Then
t'' = (t * t') ⟨EQt''(t · t'' + t')⟩ t'' by ⟨⟩3 = (t * t') ⟨EQt''t''⟩ t'' by (†) = (t * t') ⟨0⟩ t'' by EQ0 = t * t' by ⟨⟩0. □
It is thus rather the following consequence of which we shall verify the proof: E_SABP ∪ SC ∪ FIR1 ∪ wRSP* ⊢ τ_{I,P}(SABP) = (Σ_{D,P}(r1 · s3))*δ. The proof is headed by five linearization steps, Propositions 4.3, 4.4, 4.6, 4.8 and 4.10, each of which, except for Proposition 4.4, is preceded by a lemma comprising a few subcalculations. The preparatory steps are combined in Theorem 4.11. We present all calculations in rather much detail (almost finicky) in order to illustrate thoroughly the application of the axioms of combinatory process algebra. The linearization of the specification of SABP constitutes the main part of the proof. For the first step, the following equalities are needed.
Lemma 4.2.
(i) E_SABP ⊢ Gx · y = Σ(r1 · C(s4 · T)x · Ky)
(ii) E_SABP ⊢ M = Σ²(r4 · (K²i · s5 + K²(i · s⊥)) · K²M)
(iii) E_SABP ⊢ R = Σ²(r5 · BKs3 · Ks2 · K²R)
(iv) For t ∈ {M, R}, E_SABP ⊢ (Gx · y) | t = δ.
(v) E_SABP ⊢ R | M = δ
(vi) For t ∈ {M, R}, E_SABP ⊢ ∂_H(t ⌊⌊ x) = δ.

Proof. (i)
Gx · y = Σ(BKr1 · s4 · T)x · y by G
 = Σ(C(BKr1 · s4 · T)x) · y by AE_Σ
 = Σ((C(BKr1) · C(s4 · T))x) · y by 3.2(a)
 = Σ(C(BKr1)x · C(s4 · T)x) · y by AE_·
 = Σ(BC(BK)r1x · C(s4 · T)x) · y
 = Σ(Kr1x · C(s4 · T)x) · y by 2.6(b)
 = Σ(r1 · C(s4 · T)x) · y
 = Σ(r1 · C(s4 · T)x · Ky) by Σ_·
The proofs of (ii) and (iii) follow the same pattern. We prove (ii).
M = (Σ(Σ(r4 · (K(Ki) · s5 + K(K(i · s⊥))))))*δ by M
 = (Σ²(r4 · (K²i · s5 + K²(i · s⊥))))*δ
 = Σ²(r4 · (K²i · s5 + K²(i · s⊥))) · (Σ²(r4 · (K²i · s5 + K²(i · s⊥))))*δ + δ by SEI1
 = Σ²(r4 · (K²i · s5 + K²(i · s⊥))) · M + δ by M
 = Σ²(r4 · (K²i · s5 + K²(i · s⊥))) · M by A6
 = Σ²(r4 · (K²i · s5 + K²(i · s⊥)) · K²M) by 3.4(ii)
We prove (iv) for t ≡ M.
(Gx · y) | M = Σ(r1 · C(s4 · T)x · Ky) | Σ²(r4 · (K²i · s5 + K²(i · s⊥)) · K²M) by (i), (ii)
 = δ by 3.5(ii)
(v)
R | M = Σ²(r5 · BKs3 · Ks2 · K²R) | Σ²(r4 · (K²i · s5 + K²(i · s⊥)) · K²M) by (ii), (iii)
 = Σ²((r5 | r4) · ((BKs3 · Ks2 · K²R) ‖ ((K²i · s5 + K²(i · s⊥)) · K²M))) by 3.5(i)
 = Σ²(δ · ((BKs3 · Ks2 · K²R) ‖ ((K²i · s5 + K²(i · s⊥)) · K²M))) by |_δ
 = Σ²δ by A7
 = δ by 3.4(iv)
We prove (vi) for t ≡ M.
∂_H(M ⌊⌊ x) = ∂_H(Σ²(r4 · (K²i · s5 + K²(i · s⊥)) · K²M) ⌊⌊ x) by (ii)
 = ∂_H(Σ²((r4 · (K²i · s5 + K²(i · s⊥)) · K²M) ⌊⌊ K²x)) by 3.4(ii)
 = Σ²(∂_H((r4 · (K²i · s5 + K²(i · s⊥)) · K²M) ⌊⌊ K²x)) by 3.4(iii)
 = Σ²(∂_H(r4 · (((K²i · s5 + K²(i · s⊥)) · K²M) ‖ K²x))) by CM3
 = Σ²(∂_H r4 · ∂_H(((K²i · s5 + K²(i · s⊥)) · K²M) ‖ K²x)) by D4
 = Σ²(δ · ∂_H(((K²i · s5 + K²(i · s⊥)) · K²M) ‖ K²x)) by D2
 = Σ²δ by A7
 = δ by 3.4(iv) □
Proposition 4.3. E_SABP ∪ SC ⊢ ∂H(((G x y) ‖ M) ‖ R) = (r1 C(∂H((s4 T K²y) ‖ K²(M ‖ R)))x)

Proof.
∂H(((G x y) ‖ M) ‖ R)
= ∂H(((G x y) M + M (G x y)) R)
= ∂H(((G x y) M + M (G x y)) R) + ∂H(((G x y) M + M (G x y)) R)
= ∂H(((G x y) M) R + M ((G x y) R)) + ∂H(((G x y) M + M (G x y)) R)
= ∂H(((G x y) M) R) + ∂H(((G x y) M + M (G x y)) R)
= ∂H((G x y) (M R)) + ∂H((R M) (G x y) + ((G x y) R) M)
= ∂H((G x y) (M R))
= ∂H((r1 C(s4 T)x Ky) (M R))
= ∂H(((r1 C(s4 T)x Ky) K(M R)))
= (∂H((r1 C(s4 T)x Ky) K(M R)))
= (∂H(r1 ((C(s4 T)x Ky) K(M R))))
= (∂H r1 ∂H((C(s4 T)x Ky) K(M R)))
= (r1 ∂H((C(s4 T)x Ky) K(M R)))
= (r1 ∂H((C(s4 T)x K²y x) K²(M R)x))
= (r1 ∂H(((C(s4 T) K²y) K²(M R))x))
= (r1 ∂H((C(s4 T) K²y) K²(M R))x)
= (r1 ∂H((C(s4 T) BCK²y) BCK²(M R))x)
= (r1 ∂H((C(s4 T) C(K²y)) C(K²(M R)))x)
= (r1 ∂H(C((s4 T K²y) K²(M R)))x)
= (r1 C(∂H((s4 T K²y) K²(M R)))x)

Justifications, in the order printed: CM1, 4.2(iv), A6; CM1, D3, 4.2(vi), A6; CM4, SC1; D3, 4.2(vi), A6; CM8, SC1, 3, 5; 4.2(iv), (v), CM2, A6, 7, D0; 4.2(i); […]; ∂[…]; CM3; D4; D1; AE, AE; AE∂; 3.6(i); 3.2(a); 3.2(c).
□
The second linearization step looks like this.
Proposition 4.4. E_SABP ∪ SC ⊢ ∂H((s4 T K²y) ‖ K²(M ‖ R)) = c4 ∂H(((T K²y) ‖ ((K²i s5 + K²(i s?)) K²M)) ‖ K²R)

Proof. Put Φ ≡ (K²i s5 + K²(i s?)) K²M and Φ' ≡ (BKs3 Ks2 K²R). Then
∂H((s4 T K²y) ‖ K²(M ‖ R))
= ∂H((s4 T K²y) K²(M R + R M))                                        by CM1, 4.2(v), A6
= ∂H((s4 T K²y) (K²M K²R + K²R K²M))                                   by 3.2(a)
= ∂H((s4 T K²y) (K²M K²R) + (s4 T K²y) (K²R K²M))                      by CM9
= ∂H(((s4 T K²y) K²M) K²R + ((s4 T K²y) K²R) K²M)                      by SC5
= ∂H(((s4 r4) ((T K²y) Φ)) K²R + ((s4 r5) ((T K²y) Φ')) K²M)           by 4.2(ii), (iii) and the communication axioms for s4, r4 and s4, r5
= ∂H(((s4 r4) ((T K²y) Φ)) K²R + […] K²M)                              by […], A7
= ∂H(((s4 r4) ((T K²y) Φ)) K²R)                                        by CM2, A6, 7
= ∂H((c4 ((T K²y) Φ)) K²R)                                             by […]c
= ∂H(c4 (((T K²y) Φ) K²R))                                             by CM3
= ∂H c4 ∂H(((T K²y) Φ) K²R)                                            by D4
= c4 ∂H(((T K²y) Φ) K²R)                                               by D1
□
In the third linearization step we apply the equalities below.
Lemma 4.5.
(i) E_SABP ⊢ T x = (K²r? s4 T x) + (Kr2 x)
(ii) E_SABP ⊢ (T x) | (K²i y + K²i z) = […]
(iii) E_SABP ⊢ ∂H((T x) ‖ y) = […]
(iv) E_SABP ⊢ ∂H((K²i x + K²i y) ‖ z) = K²i ∂H(x ‖ z) + K²i ∂H(y ‖ z)
(v) For t ∈ {M, R}: E_SABP ⊢ (T x) | K²t = […]
(vi) E_SABP ⊢ (K²i x + K²i y) | K²R = […]
(vii) For t ∈ {M, R}: E_SABP ⊢ ∂H(K²t ‖ x) = […]
Proof. (i)
T x
= ((K(Kr?) s4) (Kr2)) x                                  by T
= ((K²r? s4) (Kr2)) x                                    by […]
= (((K²r? s4) ((K²r? s4) (Kr2))) + Kr2) x                by SEI1
= ((K²r? s4 T) + Kr2) x                                  by T
= (K²r? s4 T x) + (Kr2 x)                                by A4

(ii) We abbreviate s4 T x by Φ.
(T x) | (K²i y + K²i z)
= ((K²r? Φ) + (Kr2 x)) | (K²i y + K²i z)                                                          by (i)
= (K²r? Φ) | (K²i y) + (K²r? Φ) | (K²i z) + (Kr2 x) | (K²i y) + (Kr2 x) | (K²i z)                   by CM8, 9
= (K²r? | K²i) (Φ ‖ y) + (K²r? | K²i) (Φ ‖ z) + (Kr2 | K²i) (x ‖ y) + (Kr2 | K²i) (x ‖ z)           by CM7
= K²(r? | i) (Φ ‖ y) + K²(r? | i) (Φ ‖ z) + K(r2 | Ki) (x ‖ y) + K(r2 | Ki) (x ‖ z)                 by 3.2(a)
= K²[…] (Φ ‖ y) + K²[…] (Φ ‖ z) + K[…] (x ‖ y) + K[…] (x ‖ z)                                      by […], T1 and the communication axioms for r?, i and r2, i
= […] (Φ ‖ y) + […] (Φ ‖ z) + […] (x ‖ y) + […] (x ‖ z)                                            by 3.2(d)
= […]                                                                                             by A6, 7
(iii)
∂H((T x) ‖ y)
= ∂H(((K²r? s4 T x) + (Kr2 x)) ‖ y)                                by (i)
= ∂H((K²r? s4 T x) y) + ∂H((Kr2 x) y)                              by CM4, D3
= ∂H(K²r? ((s4 T x) y)) + ∂H(Kr2 (x y))                            by CM3
= ∂H(K²r?) ∂H((s4 T x) y) + ∂H(Kr2) ∂H(x y)                        by D4
= K²(∂H r?) ∂H((s4 T x) y) + K(∂H r2) ∂H(x y)                      by 3.2(c)
= K²[…] ∂H((s4 T x) y) + K[…] ∂H(x y)                              by D2
= […] ∂H((s4 T x) y) + […] ∂H(x y)                                 by 3.2(d)
= […]                                                              by A6, 7
(iv)
∂H((K²i x + K²i y) ‖ z)
= ∂H((K²i x) z) + ∂H((K²i y) z)                      by CM4, D3
= ∂H(K²i (x ‖ z)) + ∂H(K²i (y ‖ z))                  by CM3
= ∂H(K²i) ∂H(x ‖ z) + ∂H(K²i) ∂H(y ‖ z)              by D4
= K²(∂H i) ∂H(x ‖ z) + K²(∂H i) ∂H(y ‖ z)            by 3.2(c)
= K²i ∂H(x ‖ z) + K²i ∂H(y ‖ z)                      by D1
(v) and (vi) are proved similarly. We prove (v).
(T x) | K²R
= ((K²r? s4 T x) + (Kr2 x)) | K²(2 (r5 BKs3 Ks2 K²R))                              by (i), 4.2(iii)
= (K²r? s4 T x) | K²(2 (r5 BKs3 Ks2 K²R)) + (Kr2 x) | K²(2 (r5 BKs3 Ks2 K²R))        by CM8
= […]                                                                               by 3.6(ii), A6
We prove (vii) for t = M. Let Φ ≡ (K²i s5 + K²(i s?)) K²M. Then
∂H(K²M ‖ x)
= ∂H(K²(2 (r4 Φ)) ‖ x)
= ∂H(K(K(2 (r4 Φ))) ‖ x)
= ∂H(2 (K1(K1(r4 Φ))) ‖ x)
= ∂H(2 (K1(K1(r4 Φ)) K²x))
= ∂H(2 ((K1(K1 r4) K1(K1 Φ)) K²x))
= ∂H(2 (K1(K1 r4) (K1(K1 Φ) K²x)))
= 2 (∂H(K1(K1 r4) (K1(K1 Φ) K²x)))
= 2 (∂H(K1(K1 r4)) ∂H(K1(K1 Φ) K²x))
= 2 (K1(K1(∂H r4)) ∂H(K1(K1 Φ) K²x))
= 2 (K1(K1 […]) ∂H(K1(K1 Φ) K²x))
= 2 ([…] ∂H(K1(K1 Φ) K²x))
= 2 […]
= […]

Justifications, in the order printed: 4.2(ii); 3.2(b); 3.4(ii); 3.2(a); CM3; 3.4(iii); D4; 3.2(c); D2; 3.2(d); A7; 3.4(iv).
□
Proposition 4.6. Let Φ ≡ ∂H(((T K²y) ‖ ((K²i s5 + K²(i s?)) K²M)) ‖ K²R). Then
E_SABP ∪ SC ⊢ Φ = K²i ∂H((s5 K²M) ‖ ((T K²y) ‖ K²R)) + K²i ∂H((K²s? K²M) ‖ ((T K²y) ‖ K²R))

Proof.
Φ
= ∂H(((T K²y) ((K²i s5 + K²(i s?)) K²M)) K²R) + ∂H(((T K²y) ((K²i s5 + K²(i s?)) K²M)) K²R)
                                                                        by CM1, D3, 4.5(vii), A6
= ∂H(((T K²y) (K²i s5 K²M + K²i K²s? K²M)) K²R) + ∂H(((T K²y) (K²i s5 K²M + K²i K²s? K²M)) K²R)
                                                                        by 3.2(a), A4
= ∂H(((T K²y) (K²i s5 K²M + K²i K²s? K²M)) K²R) + ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R)
  + ∂H(((T K²y) (K²i s5 K²M + K²i K²s? K²M)) K²R) + ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R)
                                                                        by CM1, 4.5(ii), A6, CM4, 8, D3
= ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R) + ∂H(((T K²y) (K²i s5 K²M + K²i K²s? K²M)) K²R)
  + ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R)
                                                                        by SC1, 4.5(iii), A1, 6
= ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R) + ∂H(((T K²y) K²R) (K²i s5 K²M + K²i K²s? K²M))
  + ∂H(((K²i s5 K²M + K²i K²s? K²M) K²R) (T K²y))
                                                                        by SC3, 5
= ∂H(((K²i s5 K²M + K²i K²s? K²M) (T K²y)) K²R)                         by 4.5(v), (vi), CM2, A6, 7
= K²i ∂H((s5 K²M) ((T K²y) K²R)) + K²i ∂H((K²s? K²M) ((T K²y) K²R))     by SC1, 4.5(iv)
□
The fourth and fifth linearization steps are quite alike; they are dealt with together in Proposition 4.8.
Lemma 4.7.
(i) For t ∈ {s5, K²s?, Ks2}: E_SABP ⊢ ∂H((t x) ‖ y) = […]
(ii) E_SABP ⊢ (s5 x) | (T y) = […]
(iii) E_SABP ⊢ (K²s? x) | K²R = […]
(iv) E_SABP ⊢ (s5 x) | K²R = c5 (x ‖ (BKs3 Ks2 K²R))
(v) E_SABP ⊢ (T x) | (K²s? y) = K²c? ((s4 T x) ‖ y)

Proof. We prove (i) for t = s5.
∂H((s5 x) ‖ y)
= ∂H(s5 (x ‖ y))           by CM3
= ∂H s5 ∂H(x ‖ y)          by D4
= […] ∂H(x ‖ y)            by D2
= […]                      by A7

(ii)
(s5 x) | (T y)
= (s5 x) | ((K²r? s4 T y) + (Kr2 y))                 by 4.5(i)
= (s5 x) | (K²r? s4 T y) + (s5 x) | (Kr2 y)          by CM9
= […] + […]                                          by the communication axioms for s5, r? and s5, r2
= […]                                                by A6

(iii)
(K²s? x) | K²R
= (K²s? x) | K²(2 (r5 BKs3 Ks2 K²R))                 by 4.2(iii)
= […]                                                by 3.6(ii)

(iv)
(s5 x) | K²R
= (s5 x) | K²(2 (r5 BKs3 Ks2 K²R))                   by 4.2(iii)
= (s5 | r5) (x ‖ (BKs3 Ks2 K²R))                     by the communication axiom for s5, r5
= c5 (x ‖ (BKs3 Ks2 K²R))                            by […]c

(v)
(T x) | (K²s? y)
= ((K²r? s4 T x) + (Kr2 x)) | (K²s? y)                           by 4.5(i)
= (K²r? s4 T x) | (K²s? y) + (Kr2 x) | (K²s? y)                   by CM8
= (K²r? | K²s?) ((s4 T x) ‖ y) + (Kr2 | K²s?) (x ‖ y)             by CM7
= K²(r? | s?) ((s4 T x) ‖ y)                                      by 3.2(a), 3.6(ii), A6, 7
= K²c? ((s4 T x) ‖ y)                                             by […]c
□
Proposition 4.8. Let Φ ≡ T K²y. Then
(i) E_SABP ∪ SC ⊢ ∂H((s5 K²M) ‖ (Φ ‖ K²R)) = c5 ∂H((K²M ‖ (BKs3 Ks2 K²R)) ‖ Φ)
(ii) E_SABP ∪ SC ⊢ ∂H((K²s? K²M) ‖ (Φ ‖ K²R)) = K²c? ∂H((s4 Φ) ‖ K²(M ‖ R))

Proof. (i)
∂H((s5 K²M) ‖ (Φ ‖ K²R))
= ∂H((Φ K²R) (s5 K²M)) + ∂H((s5 K²M) (Φ K²R))                           by CM1, 4.7(i), A1, 6, D3
= ∂H((Φ K²R + K²R Φ) (s5 K²M)) + ∂H((s5 K²M) (Φ K²R + K²R Φ))           by CM1, 4.5(v), A6
= ∂H((s5 K²M) (Φ K²R)) + ∂H((s5 K²M) (K²R Φ))                           by CM4, 9, SC1, D3, 4.5(iii), (vii), A1, 6
= ∂H(((s5 K²M) Φ) K²R) + ∂H(((s5 K²M) K²R) Φ)                           by SC5
= ∂H(((s5 K²M) K²R) Φ)                                                  by 4.7(ii), CM2, A1, 6, 7
= ∂H((c5 (K²M (BKs3 Ks2 K²R))) Φ)                                       by 4.7(iv)
= c5 ∂H((K²M (BKs3 Ks2 K²R)) Φ)                                         by CM3, D1, 4

(ii)
∂H((K²s? K²M) ‖ (Φ ‖ K²R))
= ∂H((Φ K²R) (K²s? K²M)) + ∂H((K²s? K²M) (Φ K²R))                       by CM1, 4.7(i), A1, 6, D3
= ∂H((Φ K²R + K²R Φ) (K²s? K²M)) + ∂H((K²s? K²M) (Φ K²R + K²R Φ))       by CM1, 4.5(v), A6
= ∂H((K²s? K²M) (Φ K²R)) + ∂H((K²s? K²M) (K²R Φ))                       by CM4, 9, SC1, D3, 4.5(iii), (vii), A6
= ∂H(((K²s? K²M) Φ) K²R) + ∂H(((K²s? K²M) K²R) Φ)                       by SC5
= ∂H((Φ (K²s? K²M)) K²R)                                                by 4.7(iii), CM2, A6, 7
= ∂H((K²c? ((s4 Φ) K²M)) K²R)                                           by 4.7(v)
= K²c? ∂H(((s4 Φ) K²M) K²R)                                             by CM3, D4, 3.2(c), D1
= K²c? ∂H((s4 Φ) (K²M K²R))                                             by SC6
= K²c? ∂H((s4 Φ) K²(M ‖ R))                                             by 3.2(a)
□
A last linearization step and we are almost done!
Lemma 4.9.
(i) E_SABP ⊢ (BKs3 x) | K²M = […]
(ii) E_SABP ⊢ (T x) | (BKs3 y) = […]
(iii) E_SABP ⊢ (Ks2 x) | K²M = […]
(iv) E_SABP ⊢ (Ks2 x) | (T y) = Kc2 (x ‖ y)

Proof. (i) and (iii) follow from 4.2(ii) together with 3.6(iii) and 3.6(ii), respectively.

(ii)
(T x) | (BKs3 y)
= ((K²r? s4 T x) + (Kr2 x)) | (BKs3 y)                           by 4.5(i)
= (K²r? s4 T x) | (BKs3 y) + (Kr2 x) | (BKs3 y)                   by CM8
= (K²r? | BKs3) ((s4 T x) ‖ y) + (Kr2 | BKs3) (x ‖ y)             by CM7
= […]                                                            by SC3, T1, 3.6(iii), (iv), A6, 7

(iv)
(T x) | (Ks2 y)
= ((K²r? s4 T x) + (Kr2 x)) | (Ks2 y)                            by 4.5(i)
= (K²r? s4 T x) | (Ks2 y) + (Kr2 x) | (Ks2 y)                     by CM8
= (K²r? | Ks2) ((s4 T x) ‖ y) + (Kr2 | Ks2) (x ‖ y)               by CM7
= Kc2 (x ‖ y)                                                    by 3.6(ii), A1, 6, 7, 3.2(a), SC3, […]c
□
Proposition 4.10. E_SABP ∪ SC ⊢ ∂H((K²M ‖ (BKs3 Ks2 K²R)) ‖ (T K²y)) = BKs3 Kc2 K²(∂H((y ‖ M) ‖ R))

Proof. We put Φ ≡ Ks2 K²R and Φ' ≡ T K²y. Then
∂H((K²M ‖ (BKs3 Φ)) ‖ Φ')
= ∂H((K²M (BKs3 Φ)) Φ') + ∂H((K²M (BKs3 Φ)) Φ')
                                                        by CM1, D0, 3, 4.5(iii), A6
= ∂H((K²M (BKs3 Φ) + (BKs3 Φ) K²M) Φ') + ∂H((K²M (BKs3 Φ) + (BKs3 Φ) K²M) Φ')
                                                        by CM1, SC3, 4.9(i), A6
= ∂H(K²M ((BKs3 Φ) Φ')) + ∂H((BKs3 Φ) (K²M Φ')) + ∂H((Φ' K²M) (BKs3 Φ)) + ∂H((Φ' (BKs3 Φ)) K²M)
                                                        by CM4, 8, SC1, 3, 5, D3
= ∂H((BKs3 Φ) (K²M Φ'))                                 by 4.5(v), (vii), 4.9(ii), CM2, A6, 7, D0
= BKs3 ∂H(Φ (K²M Φ'))                                   by CM3, D1, 4, 3.2(c)
= BKs3 ∂H((Ks2 K²R) (K²M Φ'))
= BKs3 (∂H((K²M Φ') (Ks2 K²R)) + ∂H((Ks2 K²R) (K²M Φ')))
                                                        by CM1, D3, 4.7(i), A6
= BKs3 (∂H(K²M (Φ' (Ks2 K²R))) + ∂H(Φ' (K²M (Ks2 K²R))) + ∂H(((Ks2 K²R) K²M) Φ') + ∂H(((Ks2 K²R) Φ') K²M))
                                                        by CM1, 4, 9, 4.5(v), SC1, 3, 5, D3, A6
= BKs3 ∂H((Kc2 (K²y K²R)) K²M)                          by 4.5(iii), (vii), CM2, 4.9(iii), (iv), A1, 6, 7
= BKs3 ∂H(Kc2 ((K²y K²R) K²M))                          by CM3
= BKs3 Kc2 K²(∂H((y R) M))                              by D1, 4, 3.2(a), (c), SC6
□
In the final step of the correctness proof we combine Propositions 4.3, 4.4, 4.6, 4.8 and 4.10, and apply wRSP and FIR1.
Theorem 4.11. E_SABP ∪ SC ∪ FIR1 ∪ wRSP ⊢ τ_I(SABP) = […](r1 s3)
Proof. We abbreviate ∂H(((T K²y) ‖ ((K²i s5 + K²(i s?)) K²M)) ‖ K²R) by Φ.
First note that
Φ
= K²i ∂H((s5 K²M) ((T K²y) K²R)) + K²i ∂H((K²s? K²M) ((T K²y) K²R))             by 4.6
= K²i c5 ∂H((K²M (BKs3 Ks2 K²R)) (T K²y)) + K²i K²c? ∂H((s4 T K²y) K²(M R))     by 4.8
= K²i c5 BKs3 Kc2 K²(∂H((y ‖ M) ‖ R)) + K²i K²c? c4 Φ                           by 4.10, 4.4
= K²i K²c? c4 Φ + K²i c5 BKs3 Kc2 K²(∂H((y ‖ M) ‖ R))                           by A1
So by Proposition 4.1 we obtain
(1) E_SABP ∪ SC ∪ wRSP ⊢ Φ = (K²i K²c? c4) […] (K²i c5 BKs3 Kc2 K²(∂H((y ‖ M) ‖ R))).
It follows that
τ_I(Φ)
= τ_I((K²i K²c? c4) […] (K²i c5 BKs3 Kc2 K²(∂H((y ‖ M) ‖ R))))                 by (1)
= (K²[…] K²[…] […]) […] (K²[…] […] BKs3 K[…] K²(τ_I(∂H((y ‖ M) ‖ R))))          by SEI5, 3.2(c), TI1, 2, 4
= ([…] […] […]) […] ([…] BKs3 K[…] K²(τ_I(∂H((y ‖ M) ‖ R))))                     by AE
= ([…] BKs3 K²(τ_I(∂H((y ‖ M) ‖ R))))                                           by T1
= BKs3 K²(τ_I(∂H((y ‖ M) ‖ R)))                                                 by FIR1, T1
Hence
(2) E_SABP ∪ SC ∪ FIR1 ∪ wRSP ⊢ τ_I(Φ) = BKs3 K²(τ_I(∂H((y ‖ M) ‖ R))).
We can now calculate
τ_I(∂H(((G x y) ‖ M) ‖ R))
= τ_I((r1 C(∂H((s4 T K²y) ‖ K²(M ‖ R)))x))                      by 4.3
= τ_I((r1 C(c4 Φ)x))                                            by 4.4
= τ_I((r1 Cc4 x CΦx))                                           by 3.2(a), AE
= (r1 τ_I(Cc4 x) τ_I(CΦx))                                      by 3.4(iii), TI1, 4
= (r1 τ_I(Cc4)x τ_I(CΦ)x)                                       by AE
= (r1 C([…] BKs3 K²(τ_I(∂H((y ‖ M) ‖ R))))x)                    by 3.2(c), (d), (2), TI2, AE
= (r1 C[…]x C(BKs3)x C(K²(τ_I(∂H((y ‖ M) ‖ R))))x)               by T1, 3.2(a), AE
= (r1 Ks3 x K²(τ_I(∂H((y ‖ M) ‖ R)))x)                          by 3.2(d), 2.6(b), 3.6(i)
= (r1 s3 K(τ_I(∂H((y ‖ M) ‖ R))))                               by T1
= (r1 s3) τ_I(∂H((y ‖ M) ‖ R))                                  by […]
Therefore
(3) E_SABP ∪ SC ∪ FIR1 ∪ wRSP ⊢ τ_I(∂H(((G x y) ‖ M) ‖ R)) = (r1 s3) τ_I(∂H((y ‖ M) ‖ R)).
We have finally arrived at a position where we can easily compute
τ_I(SABP)
= τ_I(∂H((S ‖ M) ‖ R))                                  by SABP
= τ_I(∂H((((G0 G1) […]) ‖ M) ‖ R))                      by S
= τ_I(∂H(((G0 G1 S) ‖ M) ‖ R))                          by SEI1, S, A6
= (r1 s3) τ_I(∂H(((G1 S) ‖ M) ‖ R))                     by (3)
= (r1 s3)(r1 s3) τ_I(∂H((S ‖ M) ‖ R))                   by (3)
= (r1 s3)(r1 s3) τ_I(SABP)                              by SABP
= (r1 s3)(r1 s3) τ_I(SABP) + […]                        by A6
So
(4) E_SABP ∪ SC ∪ FIR1 ∪ wRSP ⊢ τ_I(SABP) = ((r1 s3)(r1 s3)) […]
by a second application of Proposition 4.1. The theorem now follows from the observation that
[…](r1 s3)
= (r1 s3) ((r1 s3) […])                        by SEI1, A6
= (r1 s3)(r1 s3) ((r1 s3) […])                 by SEI1, A6
= (r1 s3)(r1 s3) ((r1 s3) […]) + […]           by A6
and hence also
(5) E_SABP ∪ SC ∪ FIR1 ∪ wRSP ⊢ […](r1 s3) = ((r1 s3)(r1 s3)) […]
by a third application of Proposition 4.1.
□
5 Semantical issues

In this section we briefly describe a natural semantics for the system of combinatory process algebra. We assume a combinatory process specification ((B, F), E) to be given, and we let γ : T(B,F)_A × T(B,F)_A → T(B,F)_A be a communication function such that

γ(x, y) = c z1 … zn   if there are r, s ∈ F with r | s = c ∈ E, x ≡ r z1 … zn and y ≡ s z1 … zn,
γ(x, y) = […]_A       otherwise.

We start building our model by fixing a family of nonempty sets (B_σ)_{σ∈B} such that

(i) B_P is a model of ACP over the atoms T(B,F)_A with communication function γ, e.g. a model in rooted τ-bisimulation or in weak bisimulation semantics (cf. [BK85], [BBP93]), and
(ii) B_σ ⊆ B_τ iff σ is a subtype of τ.

The family (B_σ)_{σ∈B} is intended to interpret the set of basic types B under preservation of its subtype relation. So, in the minimal case, (B_σ)_{σ∈B} consists solely of the ACP-model B_P with subtypes B_A and B_Ac, and a set B_D. We now consider the so-called full type structure over (B_σ)_{σ∈B}, that is the family of sets M = (D_σ)_{σ∈T(B)} where

(i) D_σ = B_σ for σ ∈ B,
(ii) D_{σ→τ} = D_τ^{D_σ}, the collection of all set-theoretic functions from D_σ to D_τ.

The combinators I_σ, K_{σ,τ} and S_{ρ,σ,τ} can be interpreted in M by the functions F^M_{I,σ}, F^M_{K,σ,τ} and F^M_{S,ρ,σ,τ}, where

F^M_{I,σ}(x) = x                for all x ∈ D_σ,
F^M_{K,σ,τ}(x, y) = x           for all x ∈ D_σ, y ∈ D_τ, and
F^M_{S,ρ,σ,τ}(x, y, z) = xz(yz) for all x ∈ D_{ρ→(σ→τ)}, y ∈ D_{ρ→σ}, z ∈ D_ρ.

Given this interpretation of the combinators, M clearly satisfies the axioms of combinatory logic (Table 1), and as M is extensional itself, that is, a function is uniquely determined by its graph, it also satisfies the axioms of extensionality (Table 2). All the other operators of combinatory process algebra can be dealt with in the following way: it suffices to define their interpretation by induction on type formation, based on the resources of B_P. We give two examples. The operator ‖ can be interpreted by F^M_{‖,σ}, where

F^M_{‖,P}(x, y) = x ‖ y,

with the right-hand ‖ denoting the parallel merge in B_P, the ACP-model, and

F^M_{‖,σ→τ}(x, y) = the function z ∈ D_σ ↦ F^M_{‖,τ}(xz, yz).

We can proceed similarly with the sum combinator by stipulating

F^M_{Σ,σ,P}(x) = Σ_{y∈D_σ} (xy),

where the right-hand expression denotes the arbitrary sum in B_P, and

F^M_{Σ,σ,τ→ρ}(x) = the function y ∈ D_τ ↦ F^M_{Σ,σ,ρ}(z ∈ D_σ ↦ xzy).

It should be clear that the axioms of argumentwise evaluation (Table 4) are satisfied under this interpretation. Moreover, as B_P is a model of the ACP-axioms (Table 5), the SEI-axioms (Table 6), the axioms of Table 7 and the |F-axioms (Table 8) restricted to type P, it follows by induction on type formation that the higher-order typed axioms hold in M. So M is a model for combinatory process algebra, and it is a model for E provided it satisfies the equations contained in E.
6 State combinators
The state operator λ, see e.g. [BB88], [BW90], describes processes with an independent global state. It is defined such that λ(s, p) represents the execution of process p in state s, and it can be used to translate computer programs (in a higher-order language) into process algebra. In this last section we indicate how this operator can be fitted into the framework of combinatory process algebra. In our setting, λ is a rather unfortunate notation for a combinator, since there is no direct link between its behaviour and λ-abstraction in general. However, as we do not wish to introduce yet another notation, we shall stick to it for the time being. Moreover, we shall not describe this combinator in full generality, but restrict its description to a fragment of the full type structure that is big enough to present the underlying ideas. We let S be a new type, the type of states. The execution of a core atomic action a will affect a specific state, and so we obtain an equation of the form

λ(s, a · p) = a' · λ(s', p).

Here a' is the action that occurs as the result of executing a in state s, and s' is the state that ensues when executing a in state s. This a' and s' depend on a and s, and therefore we in fact need the following three combinators with their accompanying axioms.
ACT : Ac → (S → A)    the action combinator
EF  : Ac → (S → S)    the effect combinator
λ   : S → (P → P)     the state combinator

(SO1) [x]          λ x ◻ = ◻                    for ◻ ∈ {…}
(SO2) [x, y^A]     λ x y = ACT y x
(SO3) [x, y]       λ x (◻ y) = ◻ · λ x y
(SO4) [x, y^Ac, z] λ x (y · z) = ACT y x · λ (EF y x) z
(SO5) [x, y, z]    λ x (y + z) = λ x y + λ x z
(SO6) [x, y]       λ x (Σ y) = Σ (B (λ x) y)

(◻ stands for the constants of the set in (SO1), whose symbols were not recovered.)
Table 14: The signature and axioms for the state combinator.

As an example of the use of the state combinator, we consider the FIFO (first in, first out) queue, which transmits incoming data while preserving their order. A specification of such a queue Q_nm with input port n and output port m is given in Table 15. We end this last section with the following instructive question: two queues chained together should behave exactly like one single queue, as long as the internal communications are hidden (cf. e.g. [GV93]). Given the apparatus developed so far, can one prove that Q13 = τ_I(∂H(Q12 ‖ Q23)), where c2 = r2 | s2, I = {c2} and H = {r2, s2}?
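Before attempting the equational proof, the question can be tested mechanically. The following Python program is an added example and not code from the paper: it gives the queue Q_nm of Table 15 an operational reading in the spirit of Section 5 (the state combinator λ with ACT and EF drives a labelled transition system whose state is the queue contents), builds τ_I(∂H(Q12 ‖ Q23)) from the ACP operators merge, encapsulation and abstraction, and compares the observable traces of both sides up to a bounded depth over a constructed two-element data domain. The action encoding, the depth bound and the LIFO variant used as a negative control are our own assumptions; a bounded trace check is evidence for the equation, not the proof the paper asks for.

```python
"""Bounded weak-trace check of Q13 against tau_I(d_H(Q12 || Q23)).

Added example for the FIFO queue of Table 15; not code from the paper.
Assumptions: data domain D = {0, 1}; actions are tuples (kind, port, datum)
with kind in {"r", "s", "c"}; tau is the constructed label ("tau",).
"""
from itertools import product
from typing import Callable, FrozenSet, Hashable, Iterable, Tuple

D = (0, 1)                       # constructed finite data domain
Action = Tuple
TAU: Action = ("tau",)
# A process is given operationally as a function from a state to its
# enabled (action, successor state) pairs.
Step = Callable[[Hashable], Iterable[Tuple[Action, Hashable]]]


def queue(n: int, m: int, lifo: bool = False) -> Step:
    """Q_nm read through the state combinator: the state is the queue
    contents (head first).  r_n x is always enabled with effect ENQ x;
    s_m x is enabled only when TOP x holds and has effect DEQ.
    lifo=True is a deliberate deviation (a stack) used as a negative control."""
    def step(state: Tuple[int, ...]):
        for x in D:                      # ACT(r_n x) = r_n x, EF(r_n x) = ENQ x
            yield ("r", n, x), state + (x,)
        if state:                        # ACT(s_m x) = s_m x iff TOP x, EF(s_m x) = DEQ
            i = len(state) - 1 if lifo else 0
            yield ("s", m, state[i]), state[:i] + state[i + 1:]
    return step


def gamma(a: Action, b: Action):
    """Communication function: s_k x | r_k x = c_k x, undefined otherwise."""
    if {a[0], b[0]} == {"r", "s"} and a[1:] == b[1:]:
        return ("c",) + a[1:]
    return None


def merge(p: Step, q: Step) -> Step:
    """x || y: interleaving of both components plus synchronous communication."""
    def step(state):
        sp, sq = state
        ps, qs = list(p(sp)), list(q(sq))
        for a, s1 in ps:
            yield a, (s1, sq)
        for b, s2 in qs:
            yield b, (sp, s2)
        for (a, s1), (b, s2) in product(ps, qs):
            c = gamma(a, b)
            if c is not None:
                yield c, (s1, s2)
    return step


def encapsulate(H: FrozenSet[Tuple[str, int]], p: Step) -> Step:
    """d_H: block the unmatched actions in H (here r_2 and s_2)."""
    return lambda state: ((a, s) for a, s in p(state) if a[:2] not in H)


def abstract(I: FrozenSet[Tuple[str, int]], p: Step) -> Step:
    """tau_I: rename the internal communications in I (here c_2) to tau."""
    return lambda state: ((TAU if a[:2] in I else a, s) for a, s in p(state))


def weak_traces(p: Step, init: Hashable, depth: int) -> FrozenSet[Tuple[Action, ...]]:
    """All sequences of at most `depth` visible actions; tau steps are skipped.
    Terminates because every tau here moves one datum one queue forward."""
    def closure(states):
        seen, work = set(states), list(states)
        while work:
            s = work.pop()
            for a, t in p(s):
                if a == TAU and t not in seen:
                    seen.add(t)
                    work.append(t)
        return seen

    traces = {()}
    frontier = {(): closure({init})}
    for _ in range(depth):
        nxt = {}
        for tr, states in frontier.items():
            for s in states:
                for a, t in p(s):
                    if a != TAU:
                        nxt.setdefault(tr + (a,), set()).add(t)
        frontier = {tr: closure(sts) for tr, sts in nxt.items()}
        traces.update(frontier)
    return frozenset(traces)


def chained_queues_match(depth: int = 4, lifo: bool = False) -> bool:
    """Compare Q13 with tau_I(d_H(Q12 || Q23)) on weak traces up to `depth`."""
    single = queue(1, 3, lifo)
    composite = abstract(frozenset({("c", 2)}),
                         encapsulate(frozenset({("r", 2), ("s", 2)}),
                                     merge(queue(1, 2, lifo), queue(2, 3, lifo))))
    return weak_traces(single, (), depth) == weak_traces(composite, ((), ()), depth)


if __name__ == "__main__":
    print("FIFO, depth 4:", chained_queues_match(4))             # True
    print("LIFO, depth 3:", chained_queues_match(3, lifo=True))  # False: stacks do not chain
```

The FIFO check succeeds for every depth we tried, which is what the equation predicts; the LIFO control fails from depth 3 on, because two chained stacks can emit the first item before the second while a single stack cannot. Trace equivalence is weaker than the bisimulation semantics of Section 5, so a passing check does not replace a proof from the axioms.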
0, 1        : B
EQ          : D → (D → B)
_ <_> _     : P → (B → (P → P))
◻           : S   (the initial state; its symbol was not recovered)
ENQ         : D → (S → S)
DEQ         : S → S
TOP         : D → (S → B)
r_n, s_m    : D → Ac
Q_nm        : P

(EQ0)   [x] EQ x x = [x] 0
(EQ1)   [x, y] EQ x y = [x, y] EQ y x
(<>0)   [x, y] x <0> y = [x, y] x
(<>1)   [x, y] x <1> y = [x, y] y
(<>2)   [x, y] x <EQ x y> y = [x, y] y
(DEQ0)  DEQ ◻ = […]
(DEQ1)  [x] DEQ (ENQ x ◻) = […]
(DEQ2)  [x, y, z] DEQ (ENQ x (ENQ y z)) = [x, y, z] ENQ x (DEQ (ENQ y z))
(TOP0)  [x] TOP x ◻ = [x] 1
(TOP1)  [x, y] TOP x (ENQ y ◻) = [x, y] EQ x y
(TOP2)  [x, y, z, u] TOP x (ENQ y (ENQ z u)) = [x, y, z, u] TOP x (ENQ z u)
(ACTrn) [x, y] ACT (r_n x) y = [x, y] r_n x
(ACTsm) [x, y] ACT (s_m x) y = [x, y] s_m x <TOP x y> […]
(EFrn)  [x] EF (r_n x) = [x] ENQ x
(EFsm)  [x] EF (s_m x) = DEQ
(Qnm)   Q_nm = λ ◻ ((r_n + s_m) […])

Table 15: The specification of Q_nm. (By (EQ0), (<>0) and (<>1), 0 plays the role of true and 1 of false; […] marks a subterm that was not recovered.)

References

[B90] J.C.M. Baeten (ed.). Applications of Process Algebra. Cambridge Tracts in Theoretical Computer Science 17. Cambridge University Press, 1990.
[BW90] J.C.M. Baeten and W.P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science 18. Cambridge University Press, 1990.
[BB88] J.C.M. Baeten and J.A. Bergstra. Global renaming operators in concrete process algebra. Information and Computation, 78(3):205-245, 1988.
[BBP93] J.A. Bergstra, I. Bethke and A. Ponse. Process algebra with iteration. Report P9314, Programming Research Group, University of Amsterdam, 1993.
[BK84] J.A. Bergstra and J.W. Klop. Process algebra for synchronous communication. Information and Control, 60(1/3):109-137, 1984.
[BK85] J.A. Bergstra and J.W. Klop. Algebra of communicating processes with abstraction. Theoretical Computer Science, 37(1):77-121, 1985.
[BK86] J.A. Bergstra and J.W. Klop. Verification of an alternating bit protocol by means of process algebra. In W. Bibel and K.P. Jantke, editors, Math. Methods of Spec. and Synthesis of Software Systems '85, Math. Research 31, pages 9-23, Berlin, 1986. Akademie-Verlag.
[BKO87] J.A. Bergstra, J.W. Klop and E.-R. Olderog. Failures without chaos: a new process semantics for fair abstraction. In M. Wirsing, editor, Formal Description of Programming Concepts III, Proceedings of the 3rd IFIP WG 2.2 working conference, Ebberup 1986, pages 77-103, Amsterdam, 1987. North-Holland.
[BT84] J.A. Bergstra and J.V. Tucker. Top down design and the algebra of communicating processes. Science of Computer Programming, 5(2):171-199, 1984.
[BG93] M. Bezem and J.F. Groote. A formal verification of the Alternating Bit Protocol in the Calculus of Constructions. Logic Group Preprint Series, no. 88, Department of Philosophy, University of Utrecht, 1993.
[BB87] T. Bolognesi and E. Brinksma. Introduction to the ISO Specification Language LOTOS. Computer Networks and ISDN Systems, 14:25-29. Elsevier Science Publishers, 1987.
[B88] E. Brinksma. On the design of extended LOTOS: a specification language for open distributed systems. Ph.D. thesis, University of Twente, 1988.
[CF58] H.B. Curry and R. Feys. Combinatory Logic. Volume I. North-Holland, Amsterdam, 1958.
[GP90] J.F. Groote and A. Ponse. The syntax and semantics of μCRL. Technical Report CS-R9076, CWI, Amsterdam, 1990.
[GP91] J.F. Groote and A. Ponse. Proof theory for μCRL. Technical Report DS-P9138, CWI, Amsterdam, 1991.
[GV93] R.J. van Glabbeek and F.W. Vaandrager. Modular specifications in process algebra. Theoretical Computer Science, 113(2):294-348, 1993.
[HS86] J.R. Hindley and J.P. Seldin. Introduction to Combinators and λ-Calculus. London Mathematical Society Student Texts 1, Cambridge University Press, Cambridge, 1986.
[MV90] S. Mauw and G.J. Veltink. A process specification formalism. Fundamenta Informaticae, XIII:85-139, 1990.
[M91] S. Mauw. A process specification formalism. Ph.D. thesis, University of Amsterdam, 1991.
[P85] J. Parrow. Fairness properties in process algebra, with applications in communication protocol verification. Ph.D. thesis, Department of Computer Science, Uppsala University, 1985.
[S67] L.E. Sanchis. Functionals defined by recursion. Notre Dame Journal of Formal Logic, VIII(3):161-174, 1967.
[S24] M. Schönfinkel. Über die Bausteine der mathematischen Logik. Mathematische Annalen, 92:305-316, 1924.
[V90] F.W. Vaandrager. Two simple protocols. In J.C.M. Baeten, editor, Applications of Process Algebra, pages 23-44, Cambridge Tracts in Theoretical Computer Science 17, Cambridge University Press, 1990.