sign in sign up
<<
Home , Structural semantics

SOS 2007 Preliminary Proceedings of the 4th Workshop on Structural Operational Wrocław, Poland, 9th July 2007

Editors: Rob van Glabbeek and Matthew Hennessy Contents

Preface ...... 1

Pawe lSobocinski´ (Invited Speaker) A well-behaved LTS for the Pi-calculus (abstract) ...... 3

Traian Serbanuta, Grigore Rosu & Jose Meseguer A Rewriting Logic Approach to (extended abstract) 10

Patrick Cousot & Radhia Cousot Bi-inductive Structural Semantics ...... 25

David Frutos Escrig & Carlos Gregorio Rodrguez Simulations up-to and Canonical Preorders (extended abstract) ...... 40

Harald Fecher & Heiko Schmidt Process Algebra Having Inherent Choice: Revised Semantics for Concurrent Systems ...... 55

Astrid Kiehn An operational semantics for shared messaging communication ...... 70

Iain Phillips & Irek Ulidowski Reversibility and models for concurrency ...... 85

MohammadReza Mousavi & Michel Reniers A Congruence Rule Format with Universal Quantification ...... 100

Jesper Bengtson & Joachim Parrow A completeness proof for bisimulation in the pi-calculus using Isabelle . . . . 115

Front cover design: Anna Tito SOS 2007 Preliminary Version

Preface

This volume contains the preliminary proceedings of SOS 2007, the Fourth Work- shop on Structural Operational Semantics, held on the 9th of July 2007 in Wroc law, Poland, as a affiliated workshop of LICS 2007, the Twenty-Second Annual IEEE Symposium on Logic in Computer Science, and ICALP 2007, the 34th International Colloquium on Automata, and Programming. Structural operational semantics (SOS) provides a framework for giving opera- tional semantics to programming and specification languages. A growing number of programming languages from commercial and academic spheres have been given us- able semantic descriptions by means of structural operational semantics. Because of its intuitive appeal and flexibility, structural operational semantics has found consid- erable application in the study of the semantics of concurrent processes. Moreover, it is becoming a viable alternative to in the static analysis of programs, and in proving compiler correctness. Recently, structural operational semantics has been successfully applied as a formal tool to establish results that hold for classes of process description languages. This has allowed for the generalisation of well-known results in the field of process algebra, and for the development of a meta-theory for process calculi based on the realization that many of the results in this field only depend upon general semantic properties of constructs. The SOS workshop series aims at being a forum for researchers, students and practitioners interested in new developments, and directions for future investigation, in the field of structural operational semantics. One of the specific goals of the series is to establish synergies between the concurrency and programming language communities working on the theory and practice of SOS. It also aims at widening the knowledge of SOS among postgraduate students and young researchers worldwide. The first SOS workshop took place on the 30th of August 2004 in London (UK) as a satellite event of CONCUR 2004, the Fifteenth International Conference on Concurrency Theory, and marked the publication of two special volumes (60–61) of the Journal of Logic and Algebraic Programming devoted to SOS; the proceedings appeared as ENTCS volume 128, issue 1. The second SOS workshop took place on the 10th of July 2005 in Lisbon (Portugal) as a satellite event of ICALP 2005, the The 32nd International Colloquium on Automata, Languages and Programming; its proceedings appeared as ENTCS volume 156, issue 1, and a special issue of The- This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science oretical Computer Science based on selected papers appeared in 2007. The third SOS Workshop occurred on the 26th of August 2006 in Bonn as a satellite workshop of CONCUR 2006, the Seventeenth International Conference on Concurrency The- ory, and its proceedings appeared as ENTCS volume 175, issue 1. A special issue of Information and Computation on Structural Operational Semantics inspired by SOS 2006 is in preparation.

Programme committee:

• Luca Aceto (Aalborg, DK; Reykjav´ık, IS)

• Rocco De Nicola (Florence, IT)

• Rob van Glabbeek (NICTA, AU, co-chair)

• Reiko Heckel (Leicester, UK)

• Matthew Hennessy (Sussex, UK, co-chair)

• Bartek Klin (Warsaw, PL)

• Ugo Montanari (Pisa, IT)

• MohammadReza Mousavi (Eindhoven, NL)

• Prakash Panangaden (Montreal, CA)

• Grigore Rosu (Urbana-Champaign IL, USA)

• Simone Tini (Insubria, I)

• Shoji Yuen (Nagoya, JP) The submitted papers were carefully refereed by the programme committee and by several outside referees, whose help is gratefully acknowledged.

Invited speaker: Pawel Sobocinski (Southampton, UK) will address SOS 2007 on A well-behaved LTS for the Pi-calculus.

Publication: The final versions of the papers in these preliminary proceedings will be published in ENTCS, Electronic Notes in Theoretical Computer Science. ENTCS is published electronically through the facilities of Elsevier Science B.V. and under its auspices. We are grateful to ENTCS for their continuing support, and in particular to Mike Mislove, Managing Editor of the series.

Organisation: We are grateful to Marcin Bie´nkowski for taking care of the local organisation, and for mediating in the printing of these preliminary proceedings. Support from National ICT Australia and the University of Sussex is also gratefully acknowledged.

Rob van Glabbeek (National ICT Australia) Matthew Hennessy (University of Sussex)

2 SOS 2007 Preliminary Version

A well-behaved LTS for the Pi-calculus (Abstract)

Pawe lSoboci´nski1

ecs, University of Southampton, UK

The Pi-calculus [2,10] is one of the most well-known and widely-studied process calculi – roughly, it extends the binary synchronisations along a channel/name, familiar from ccs, with the ability to pass names as arguments. Thus, the input prefix becomes a binder and the synchronisation itself results in a substitution of the communicated name for the bound variable. The Pi-calculus inherits another binder from ccs – the restriction operator. The ability to pass names as part of a synchronous communication means that it behaves rather differently in this setting - in particular, the scope of a restriction, static in ccs, becomes dynamic essentially because restricted names can be communicated along public channels. Additionally, it behaves somewhat like a global generator of new-names - since α-conversion ensures that whichever concrete name is chosen for a restricted name, it is different from all other names in the term – in fact, the global nature of new names is also enforced in the definition of bisimulation as we shall recall below. See also [12]. The (reduction) semantics of the Pi-calculus is very similar to that of css, in fact, in the sum-free fragment we can express it essentially as the axiom

a!b.P k a?x.Q → P k Q[b/x] (1) closed under evaluation contexts: parallel composition and restriction – reduction is not allowed under prefix. The reduction semantics naturally leads to a contextually defined equivalence: the barbed congruence. While canonical, contextually defined equivalences are difficult to reason about directly and for this reason it is helpful to define another “semantics”: the so-called early labelled transition system (lts). The labels of the transition system aim at classifying the possible interactions with the environment. Early congruence coincides with barbed congruence, but the lts

1 Research partially supported by EPSRC grant EP/D066565/1. This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science P. Sobocinski´ is much easier to use because of the power of coinduction.

a!b a?b (In) (Out) P −−→ P ′ Q −−→ Q′ a?b a!b (Comm) a?xP −−→ P [b/x] a!bP −−→ P τ P kQ −→ P ′kQ′

a!b a!(b) P P a6=b a?b −−→ ′ P −−−→ P ′ Q −−→ Q′ b/∈fn(Q) (Open) (Close) a!(b) τ P kQ −→ νb(P ′kQ′) νbP −−−→P ′ α α P −→ P ′ bn(α)∩fn(Q)=∅ P −→ P ′ b/∈n(α) (Par) α α (Res) P kQ −→ P ′kQ νbP −→ νbP ′

The so-called early lts, presented above for the finite, sum-free fragment without match or mismatch, is widely known and can be presented and used by humans in a fairly simple way provided that a number of conventions is followed – we shall discuss these in more detail below. In order to save space we omitted the symmetric versions of (Comm), (Close) and (Par); one normally works with an abstract syntax in which k is associative and commutative – such an equivalence relation on syntax is usually referred to as structural congruence. It is worth mentioning that rules (Open) and (Close) perform two roles: scope extrusion and generation of new name observable (the bound output label a!(b)). The side-conditions on the derivation rules deserve some further consideration. The requirements on (Res) and (Open) are fairly obvious and inherited from ccs – they ensure that ν behaves like ccs restriction in that one cannot communicate on a restricted channel from outside its scope. The conditions required of (Close) and (Par) merit more attention – in particular they make sure that the (Open)/(Close) mechanism for scope extrusion functions correctly. Indeed, consider the process P = (νb a!b) k b?x where the scope of the restriction encompasses only the left component. If the side-condition on (LPar) was lifted one a!(b) would be able to derive the label P −−−→ b?x. But, using (Close), one would then τ be able to derive P k a?y −→ νb b?x with the result that the freely occurring b in right component of P would have become incorrectly bound after the interaction. The side condition on (Close) exists for similar reasons. Even with the side-conditions, the definition of bisimulation has to be altered. In a!(b) particular, in the bisimulation game played on (P,Q), if P challenges with P −−−→ P ′ then Q must respond if and only if b∈ / fn(Q). Technically this is due to the side condition in the (Par) rule: consider the processes

νb a!b and (νb a!b) k νcc!b which are clearly equivalent; the second component of the second process has no observable behaviour – but clearly the first process can perform a a!(b) action while the second cannot. Intuitively, this phenomenon demonstrates ν’s global behaviour as a fresh name generator – whichever name is present in the system, the fresh name observed (witnessed by the bound output label) will be different. Sangiorgi and Walker [11, Convention 1.4.10] argue that all such problems can be solved by making sure that “... the bound names of any process or actions under 4 P. Sobocinski´ consideration are chosen to be different from the names free in any other entities under consideration ...”. This is certainly true, but the convention is arguably a strong one and, conventions aside, the definition of bisimulation has been tampered with. It has also been noticed by a number of authors that conventions which are fine for humans are non-trivial to implement when using proof-assistants or theorem-provers. There have been several works [1, 6, 4] which aim at formalising these conventions, roughly the idea is to index the processes with the set of names which can appear within and consider bisimulation as a name-indexed relation. See [5] for an overview and a comparison of the approaches. As outlined above, the lts can be considered as a tool for reasoning about a contextually defined equivalence on the reduction semantics; following this line of reasoning raises a natural question as to whether the lts can be derived in some systematic way from the reduction semantics; research in this direction was com- menced by Leifer and Milner [8] and continued by Klin, Sassone and the author [7]. In Leifer and Milner’s work, the labels of the resulting transition system are cer- c[−] tain contexts c[−] of the language. Roughly, for a closed term t, t −−→ t′ when c[−] allows t to reduce to t′ in one step, ie c[t] → t′ and c[−] is the minimal such context, in other words it doesn’t contain any redundant information in order for the reduction to occur. The minimality condition is expressed categorically; if the underlying category of terms and contexts satisfies certain assumptions then bisim- ilarity (defined in the usual way) on the lts is a congruence. One of the limitations of the framework is that the underlying reduction system is required to consist of ground rules, which practically rules out calculi such as ccs and Pi because the reduction rules contain parameters – eg P and Q in (1). A generalisation of the theory which aims at overcoming this problem was studied in [7] – reduction rules are open terms, and given another open term, one can compute both a minimal context and a minimal parameter which allows reduction. While work in progress, in a ccs-like setting a possible label would be of the form

−1ka?x−2 ha!bP,−1i −−−−−−→ P k−1 where the context forms an (unsubstantiated) part of the term and the labels are able to modify the context. Another feature is that the information in the labels is restricted by what can be observed in one reduction step – this rules out Pi labels which also contain the name being transmitted. We can use some of the intuitions gained from the work described in the para- graph above to develop a new lts for the Pi-calculus. To do this we expand the calculus with a typed meta-syntax for holes and contexts, the idea is that such con- texts can form a part of a term after interaction. The meta-syntax is a simply-typed lambda calculus, with β-reduction forming a part of the structural congruence. We start with an untyped syntax on which we give type rules, starting with two base types; a name type N and a process type P. Types in this setting are included only to make the meta-syntax formal, they certainly have less structure than usual Pi-calculus type systems based on channel types. Differently from the classical presentation, we treat ν as a standard binder which binds variables of name 5 P. Sobocinski´ type. We assume a countable supply of variables of each type. In all these choices, our presentation more similar to Engberg and Nielsen’s eccs [2,3], the “precursor” to the Pi-calculus. Actually, all the basic ingredients of the theory (scope extrusion, fresh name generation) were already present in the aforementioned work; the main novelty of the Pi-calculus was the collapse of the syntactic classes of variables and names. It can be argued that the resulting simplicity is deceptive. We use the syntactic convention of a, b for name constants, k, l for terms of name type, x,y for variables (including name variables), P,Q for terms of process type, X,Y for variables of function type. Type contexts are finite maps from variables to types. We shall consider only typed terms.

Types

σ ::= N | P | σ → σ

Syntax

M ::= x | a | 0 | M k M | M!MM | M?xM | νxM | λx : σ.M | M(M)

Type rules

(:Name) (:Zero) Γ⊢a:N Γ⊢0:P Γ⊢M:P Γ⊢M ′:P Γ⊢M:P Γ⊢k:N Γ⊢l:N (:Par) (:OutPref) Γ⊢MkM ′:P Γ⊢k!l.M:P Γ,x:N ⊢M:P Γ,x:N ⊢M:P Γ⊢k:N (:Nu) (:InPref) Γ⊢νxM:P Γ⊢k?x.M:P

Γ(x)=σ Γ,x:σ⊢M:σ′ Γ⊢M1:σ→σ′ Γ⊢M2:σ (:Var) (:λ) (:App) Γ⊢x:σ Γ⊢λx:σ.M:σ→σ′ Γ⊢M1(M2):σ′

We give a brief outline of the part of the lts concerned with communication and scope extrusion below. The lts is defined structurally. Because we operate in a typed setting, the states of the lts are pairs of typed context and term. We denote such pairs syntactically as hΓ | V i where Γ is a type context and V is a term. The interplay between the type context and the term is explained by a type preservation result, described following an intuitive account of the transitions. The labels in the fragment are the usual ccs labels. The intuitive idea is that a process offering an output on a channel k can perform the interaction with a context, and evolve into a process consisting of its continuation in parallel with the interacting context, which has been passed the communicated name. This context is explicitly described in the resulting state as a lambda abstraction which binds a variable of type I = N → P (cf (Out)). On the other hand, a process offering an input on a channel k can perform the communication with the context and obtain some name – the result is a lambda abstraction which binds a variable of type N (cf (In)). A process with a capability to input on k in parallel composition 6 P. Sobocinski´ with a process which has a capability to output on the said channel can perform the synchronisation without the need for an external context – the abstractions are combined via an application (cf (Tau)). There is a technical similarity to the presentation of the late semantics using abstractions and concretions [9]; see the (Comm) rule below. Notice, however, that we do not say anything about the actual nature of the name transmitted in the labels.

LTS - Communication fragment

(In) (Out) k? k! hΓ | k?xP i −→ hΓ | λx:N .P i hΓ | k!lP i −→ hΓ | λX:I .P kX(l)i k? k! hΓ | P i −→ hΓ | Ui hΓ | P i −→ hΓ | T i (kIn) (kOut) k? k! hΓ | P kQi −→ hΓ | λx:N .U(x)kQi hΓ | P kQi −→ hΓ | λX:I .T (X)kQi k? k! hΓ,y:N | P i −→ hΓ,y:N | Ui (k6=y) hΓ,y:N | P i −→ hΓ,y:N | T i (k6=y) (νIn) (νOut) k? k! hΓ | νyP i −→ hΓ | λx:N .νyU(x)i hΓ | νyP i −→ hΓ | λX:I .νyT (X)i k! k? hΓ | P i −→ hΓ | T i hΓ | Qi −→ hΓ | Ui τ (Tau) hΓ | P kQi −→ hΓ | T (U)i τ τ hΓ | P i −→ hΓ | P ′i hΓ,y:N | P i −→ hΓ,y:N | P ′i τ (kTau) τ (νTau) hΓ | P kQi −→ hΓ | P ′kQi hΓ | νyP i −→ hΓ | νyP ′i

In the rules (kIn) and (νIn), the variable x in the right hand side of the result is chosen fresh for U. Similarly, in (kOut) and (νOut) the variable X is chosen fresh for T . The lts has a regular structure – there is one axiom for each kind of label - (In), (Out) and (Tau) for input, output and τ respectively. Further, there is precisely one rule for each syntactic constructor and each kind of label. We give a brief example in order to demonstrate how scope-extrusion is handled by the above rules. First observe that we can derive the following transition:

(Out) a! hx:N | a!x.P i −→ hx:N | λX:I .P kX(x)i (νOut) a! I I h∅ | νxa!x.P i −→ h∅ | λX: .νx(λX′: .P kX′(x))Xi but λX : I .νx(λX′ : I .P k X′(x))X ≡ λX : I .νx(P k X(x)), and so, using (Tau) we obtain the correct extrusion of scope:

(In) a? a! h∅ | a?y.Qi −→ h∅ | λy.Qi h∅ | νxa!x.P i −→ h∅ | λX:I .νx(P kX(x))i τ (Tau) h∅ | a?y.Qkνx.a!x.P i −→ h∅ | νx.(P k(λy.Q)(x))i since νx.(P k (λy.Q)(x)) ≡ νx(P k Q[x/y]). One can prove a type preservation result about the lts – in particular demon- strating that the result of applying the (Tau) rule is typeable. Indeed, suppose that Γ ⊢ P : P. Then the following hold: 7 P. Sobocinski´

k? • if hΓ | P i −→ hΓ | Ui then Γ ⊢ U : N → P; k! • if hΓ | P i −→ hΓ | T i then Γ ⊢ T : I → P; τ ′ • if hΓ | P i −→ hΓ | P ′i then Γ ⊢ P : P.

The lts presented above is only a fragment and bisimilarity does not give a satisfactory equivalence; it is presented here only to give a basic idea of the tech- niques involved. In particular, there is no observation of the identity of the name communicated (input, output, or fresh output). The full lts contains extra labels and derivation rules which take care of such observables by suitably evaluating λ- abstracted terms, yielding the standard early equivalence. The two functions (scope extrusion and fresh name generation) of the ν operator are thus dealt with sepa- rately. Intuitively, transitions which arise out of process terms, as presented here, represent the part of the interaction which is controlled by the process; transitions out of lambda-abstracted terms, omitted in this presentation, represent the part con- trolled by the context. The full lts does not require complicated side-conditions, variable conventions and the resulting equivalence is obtained using ordinary bisim- ulation indexed by type contexts. The reader will notice that in fact the lts resembles closely that for ccs – in particular one could give a complete lts for that calculus in a similar style (without passing the name to the context in the result of (Out) and without awaiting a name in the result of (In)). This demonstrates one feature and a design principle associated with the lts – modularity. The idea is that the semantics for different features of a calculus should be given by standard lts modules which fit together in a largely orthogonal way: the Pi-calculus extends ccs with extra features and thus it shouldn’t be surprising that the synchronous communication feature of Pi is handled with a ccs-like subsystem. Contrast this situation with the standard lts in which communication is more complicated - there are two different kinds of output labels (free and bound) and two different axioms for τ. While presentations such as [1] reduce this difference, it may prove that the technique advocated in this paper generalises well to other calculi – eg higher order Pi-calculus or the ambient calculus.

References

[1] G. L. Cattani and P. Sewell. Models for name-passing processes: interleaving and causal. Information and Computation, 190:136–178, 2004. [2] U. Engberg and M. Nielsen. A calculus of communicating systems with label passing. Technical Report DAIMI PB-208, University of Aarhus, May 1986. [3] U. Engberg and M. Nielsen. A calculus of communicating systems with label passing - ten years after. In Proof, Language, and Interaction; Essays in Honour of Robin Milner, pages 599–622. MIT Press, 2000. [4] G. U. Ferrari, U. Montanari, and M. Pistore. Minimising transition systems for name passing calculi: a co-algebraic formulation. In FoSSaCS ’02, pages 129–158, 2002. [5] M. P. Fiore and S. Staton. Comparing operational models of name-passing process calculi. Information and Computation, 204(4):435–678, 2006.

[6] M. P. Fiore and D. Turi. Semantics of name and value passing. In LiCS ’01, pages 93–104, 2001.

[7] B. Klin, V. Sassone, and P. Soboci´nski. Labels from reductions: towards a general theory. In Algebra and Coalgebra in Computer Science, Calco ’05, volume 3629 of LNCS, pages 30–50. Springer, 2005. 8 P. Sobocinski´

[8] J. Leifer and R. Milner. Deriving bisimulation congruences for reactive systems. In International Conference on Concurrency Theory Concur ’00, volume 1877 of LNCS, pages 243–258. Springer, 2000.

[9] R. Milner. Communicating and Mobile Systems: the Pi-calculus. Cambridge University Press, 1999.

[10] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, ii. Information and Computation, 100(1):41–77, 1992.

[11] D. Sangiorgi and D. Walker. The π-calculus: a Theory of Mobile Processes. Cambridge University Press, 2001.

[12] L. Wischik. Old names for Nu. In Dagstuhl Seminar 04241, 2004.

9 SOS 2007 Preliminary Version

A Rewriting Logic Approach to Operational Semantics – Extended Abstract

Traian Florin S¸erb˘anut¸˘a, Grigore Ro¸su, Jos´eMeseguer

Department of Computer Science, University of Illinois at Urbana-Champaign. {tserban2,grosu,meseguer}@cs.uiuc.edu

Abstract This paper shows how rewriting logic semantics (RLS) can be used as a computational logic framework for operational semantic definitions of programming languages. Several operational semantics styles are ad- dressed: big-step and small-step structural operational semantics (SOS), modular SOS, reduction semantics with evaluation contexts, and continuation-based semantics. Each of these language definitional styles can be faithfully captured as an RLS theory, in the sense that there is a one-to-one correspondence between computational steps in the original language definition and computational steps in the corresponding RLS theory. A major goal of this paper is to show that RLS does not force or pre-impose any given language definitional style, and that its flexibility and ease of use makes RLS an appealing framework for exploring new definitional styles.

1 Introduction

This paper is part of the rewriting logic semantics (RLS) project (see [25,26] and the references there). The broad goal of the project is to develop a tool-supported computational logic framework for modular programming language design, seman- tics, formal analysis and implementation, based on rewriting logic [22]. Any logical framework worth its salt should be evaluated in terms of its expressiveness and flexibility. Therefore, a very pertinent question is: how does RLS express other approaches to operational semantics? In particular, how well can it express various approaches in the SOS tradition? The goal of this paper is to answer these ques- tions. Partial answers, giving detailed comparisons with specific approaches have appeared elsewhere. For example, [21] and [43] provide comparisons with standard SOS [34]; and [23] compares RLS with both standard SOS and Mosses’ modular structural operational semantics (MSOS) [31]. However, no comprehensive compar- ison encompassing most approaches in the SOS tradition has been given to date. To make our ideas more concrete, in this paper we use a simple programming lan- guage, show how it is expressed in each different definitional style, and how that

1 Supported in part by NSF grants CCF-0234524, CCF-0448501, CNS-0509321, and CNS-05-24516; and by ONR Grant N00014-02-1-0715. This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science S¸erbanut¸˘ a,˘ Ros¸u, Meseguer style is captured as a rewrite theory in the RLS framework. We furthermore give correctness theorems showing the faithfulness of the RLS representation for each style. Even though we exemplify the ideas with a simple language for concreteness’ sake, the process of representing each definitional style in RLS is completely gen- eral and automatable, and in some cases like MSOS has already been automated [6]. The range of styles covered includes: big-step (or natural) SOS semantics; small- step SOS semantics; MSOS semantics; context-sensitive reduction semantics; and continuation-based semantics. Any logical framework for operational semantics of programming languages has to meet strong challenges. We list below some of them and sketch how they are met in RLS; for a more thorough discussion see [38]. • Handling of SOS Definitions. As illustrated in Sections 4, 5, and 6, both big- step and small-step SOS, and also MSOS definitions can be expressed as rewrite theories in RLS; see also [21,43,23]. • Handling of context-sensitive reduction. In Section 7 we sketch a general method to express in RLS semantic definitions based on evaluation contexts (e.g., [47]). • Handling higher-order syntax. Higher-order syntax admits first-order representa- tions, e.g., [1,2,40]. Using CINNI [40], all this can be done keeping essentially the original higher-order syntax. • Handling continuations. Continuations [12,35] are traditionally understood as higher-order functions. In Section 8 we present an alternative view of continua- tions that is intrinsically first-order. • Handling concurrency. One of the strongest points of rewriting logic is precisely that it is a logical framework for concurrency. Unlike standard SOS, which forces an interleaving semantics, true concurrency is directly supported. • Expressiveness and flexibility. RLS does not force on the user any particular definitional style. This is illustrated in this paper by showing how quite different definitional styles can all be faithfully and naturally captured in RLS. • Mathematical and operational semantics. Rewriting logic has both a compu- tational proof theory and an initial model semantics, which provides inductive reasoning principles to prove properties. Therefore RLS programming language definitions have both an operational rewriting semantics, and a mathematical ini- tial model semantics. • Performance Issues. High-performance systems supporting rewriting can be used to directly execute RLS semantic definitions as interpreters. In Section 9 we present encouraging experimental performance results for our example language using various systems and different definitional styles. Besides the good features mentioned above, another advantage of RLS is the availability of generic tools for: (i) syntax; (ii) execution (already mentioned); and (iii) formal analysis. For example, languages such as ASF+SDF [41] and Maude [7] support user-definable syntax. There is a wealth of theorem proving and model checking tools for rewriting/equational-based specifications, which can be used di- rectly to prove properties about language definitions. The fact that these formal analysis tools are generic, should not fool one into thinking that they must be in-

11 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer efficient. For example, the LTL model checkers obtained for free in Maude from the RLS definitions of Java and the JVM compare favorably in performance with state-of-the-art Java model checkers [11]. Another advantage of RLS is what we call the “abstraction dial,” which can be used to reach a good balance between abstraction and computational observability in semantic definitions. The point is which computational granularity is appropriate. A small-step semantics opts for very fine-grained computations. But this is not nec- essarily the only or the best option for all purposes. The fact that an RLS theory’s axioms include both equations and rewrite rules provides the useful “abstraction dial,” because rewriting takes place modulo the equations. That is, computations performed by equations are abstracted out and become invisible. This has many advantages, as explained in [25]. For example, in Sections 4 and 5, we use equations to define the semantic infrastructure (stores, etc.) of SOS definitions; in Section 7 equations are also used to hide the extraction and application of evaluation contexts, which are “meta-level” operations, carrying no computational meaning; in Section 8, equations are also used to decompose the evaluation tasks into their correspond- ing subtasks; finally, in Section 6, equations of associativity and commutativity are used to achievemodularity of language definitions. 2 Rewriting Logic

Rewriting logic [22] is a computational logic that can be efficiently implemented and that has good properties as a general and flexible logical and semantic framework, in which a wide range of logics and models of computation can be faithfully repre- sented [21]. In particular, for programming language semantics it provides the RLS framework, of which we here only emphasize the operational semantics aspects. Two key points are: (i) how rewriting logic combines equational logic and term rewriting; and (ii) what the intuitive meaning of a rewrite theory is. A rewrite theory is a triple R = (Σ,E,R) with Σ a signature, E a set of (conditional) Σ-equations, and R a set of Σ-rewrite rules, with conditions involving both equations and rewrites. ′ ′ That is, a rule in R can have the general form (∀X) t −→ t if (Vi ui = ui) ∧ ′ (Vj wj −→ wj). Alternatively, such a rule could be displayed with an inference- ′ ′ (V ui = u ) ∧ (V wj −→ w ) rule-like notation as i i j j . t −→ t′ Therefore, the logic’s atomic sentences are equations and rewrite rules. Equa- tional theories and traditional term rewriting systems then appear as special cases. An equational theory (Σ, E) can be represented as the rewrite theory (Σ, E, ∅); and a rewriting system (Σ, R) can be represented as the rewrite theory (Σ, ∅, R). Of course, if the equations of an equational theory (Σ, E) are confluent, there is −→ −→ another useful representation, namely, as the rewrite theory (Σ, ∅, E ), where E are the rewrite rules obtained by orienting the equations E as rules. This representation is at the basis of much work in term rewriting, but by implicitly suggesting that rewrite rules are just an efficient technique for equational reasoning it can blind us to the fact that rewrite rules can have a more general non-equational semantics. This is the raison d’ˆetre of rewriting logic. In rewriting logic a theory R = (Σ,E,R) ax- iomatizes a concurrent system, whose states are elements of the algebraic data type (Σ, E), that is, E-equivalence classes of ground Σ-terms, and whose atomic transi- 12 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer tions are specified by the rules R. The inference system of rewriting logic allows us to derive as proofs all the concurrent computations of the system axiomatized by R: concurrent computation and rewriting logic deduction coincide. There are many systems that either specifically implement term rewriting effi- ciently, so-called as rewrite engines, or support term rewriting as part of a more complex functionality. Any of these systems can be used as an underlying platform for execution and analysis of programming languages defined using the techniques proposed in this paper. Without attempting to be exhaustive, we here only men- tion (alphabetically) some engines that we are more familiar with, noting that many functional languages and theorem provers provide support for term rewriting as well: ASF+SDF [41], CafeOBJ [10], Elan [4], Maude [7], OBJ [16], and Stratego [44]. Some of these engines can achieve remarkable speeds on today’s machines, in the order of tens of millions of rewrite steps per second.

3 A Simple Imperative Language

To illustrate the various operational semantics, we have chosen a small imperative language having arithmetic and boolean expressions with side effects (increment expression), short-circuited boolean operations, assignment, conditional, while loop, sequential composition, blocks and halt. Here is its syntax: AExp ::= Var|# Int|AExp + AExp|AExp - AExp|AExp * AExp|AExp / AExp| ++ Var BExp ::= # Bool|AExp <= AExp|AExp >= AExp|AExp == AExp|BExp and BExp| not BExp Stmt ::= skip |Var := AExp|Stmt ; Stmt| if BExp then Stmt else Stmt| while BExp Stmt Pgm ::= Stmt . AExp The result of running a program is the evaluation of AExp in the state after executing Stmt. This BNF syntax is entirely equivalent to an algebraic order-sorted signature having one (mixfix) operation definition per production, terminals giving the name of the operation and non-terminals the arity. For example, the production for if- then-else can be seen as an algebraic operation if then else : BExp × Stmt × Stmt → Stmt. We will use the following conventions for variables throughout the remaining of the paper: X ∈ Var, A ∈ AExp, B ∈ BExp, St ∈ Stmt, P ∈ Pgm, I ∈ Int, T ∈ Bool = {true, false}, S ∈ Store, any of them primed or indexed. The next sections will use this simple language and will present definitions in various operational semantics styles (big step, small step SOS, MSOS, reduction using evaluation contexts, and continuation-based), as well as the corresponding RLS representation of each definition. We will also characterize the relation between the RLS representations and their corresponding definitional style counterparts, pointing out some strengths and weaknesses for each style. The reader is referred to [19,34,31,47] for details on the described operational semantics styles. We assume equational definitions for basic operations on booleans and integers, and assume that any other theory defined from here on includes them. One of the reasons why we wrapped booleans and integers in the syntax (using “#”) is precisely to distinguish them from the corresponding values, and thus to prevent the “builtin” equations from reducing expressions like 3 + 5 directly in the syntax. We wish to have full control over the computational granularity of the language, since we aim for the same computational granularity of each different style. Unlike in various operational semantics, which usually abstract stores as func- 13 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer tions, in rewriting logic we explicitly define the store as an abstract datatype: a store is a set of bindings from variables to values, together with two operations on them, one for retrieving a value, another for setting a value. Well-formed stores correspond to partially defined functions. Having this abstraction in place, we can regard them as functions for all practical purposes from now on. We let s ≃ σ denote that well-formed state s corresponds to partial function σ.

4 Big-Step Operational Semantics

Introduced as natural semantics in [19], also named relational semantics in [28], or evaluation semantics, big-step semantics is “the most denotational” of the op- erational semantics. One can view big-step definitions as definitions of functions interpreting each language construct in an appropriate domain. Big step semantics can be easily represented within rewriting logic. For example, consider the big-step rule defining the while loop: ′ ′ hB, σi ⇓ hfalse, σ i hB, σi ⇓ htrue, σ1i, hSt, σ1i ⇓ hσ2i, hwhile B St, σ2i ⇓ hσ i hwhile B St, σi ⇓ hσ′i hwhile B St, σi ⇓ hσ′i This rule can be automatically translated into the rewrite rules: hwhile B St,Si → hS′i if hB,Si → hfalse,S′i ′ ′ hwhile B St,Si → hS i if hB,Si → htrue,S1i ∧ hSt,S1i → hS2i ∧ hwhile B St,S2i → hS i To give a rewriting logic theory for the big-step semantics, one needs to first de- fine the various configuration constructs, which are assumed by default in BigStep, as corresponding operations extending the signature. Then one can define the cor- responding rewrite theory RBigStep entirely automatically. Due to the one-to-one correspondence between big-step rules in BigStep and rewrite rules in RBigStep, it is easy to prove by induction on the length of derivations the following result: Proposition 4.1 For any p ∈ Pgm and i ∈ Int, the following are equivalent: 1 (i) BigStep ⊢ hpi ⇓ hii; and (ii) RBigStep ⊢ hpi→ hii.

The only apparent difference between BigStep and RBigStep is the different no- tational conventions they use. However, as the above result shows, there is a one- to-one correspondence also between their corresponding “computations” (or exe- cutions, or derivations). Therefore, RBigStep actually is the big-step operational semantics BigStep, not an “encoding” of it. Strengths. Big-step semantics allows straightforward recursive definition when the language is deterministic. It can be easily and efficiently interpreted in any recursive, functional or logical framework. It is useful for defining type systems. Weaknesses. Due to its monolithic, single-step evaluation, it is hard to debug or trace big-step semantic definitions. If the program is wrong, no information is given about where the failure occurred. It may be hard or impossible to model concurrent features. It is not modular, e.g., to add side effects to expressions, one must redefine the rules to allow expressions to evaluate to pairs (value-store). It is inconvenient (and non-modular) to define complex control statements; consider, for example, adding halt to the above definition – one needs to add a special “halting signal” configuration and rules to propagate it. 14 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer

5 Small-Step Operational Semantics

Introduced by Plotkin in [34], also called transition semantics or reduction seman- tics, small-step semantics captures the notion of one computational step. One inherent technicality involved in capturing small-step operational semantics as a rewrite theory in a one-to-one notational and computational correspondence is that the rewriting relation is by definition transitive, while the small-step relation is not transitive (its transitive closure is defined a posteriori). Therefore, we need to devise a mechanism to “inhibit” rewriting logic’s transitive and uncontrolled application of rules. An elegant way to achieve this is to view a small step as a modifier of the current configuration. Specifically, we consider “·” to be a modifier on the config- uration which performs a “small-step” of computation; in other words, we assume an operation · : Config → Config. Then, a small-step semantic rule, e.g. the one for defining while, · hwhile B St, σi → hif B then (St; while B St) else skip, σi is translated, again automatically, into a rewriting logic rule, e.g.,

·hwhile B St,Si → hif B then (St; while B St) else skip,Si As for big-step semantics, the rewriting under context deduction rule for rewrit- ing logic is again inapplicable, since all rules act at the top, on configurations. However, in SmallStep it is not the case that all right hand sides are normal forms (this actually is the specificity of small-step semantics). The “·” operator intro- duced in RSmallStep prevents the unrestricted application of transitivity, and can be regarded as a token given to a configuration to allow it to change to the next step. We use transitivity at the end (rules for smallstep) to obtain the transitive closure of the small-step relation by specifically giving tokens to the configuration until it reaches a normal form. Again, there is a direct correspondence between SOS-style rules and rewriting rules, leading to the following result, which can also be proved by induction on the length of derivations:

Proposition 5.1 For any p ∈ Pgm and i ∈ Int, SmallStep ⊢ hp, ⊥i →∗ hskip.i, σi for some state σ iff RSmallStep ⊢ eval(p) → i.

Strengths. Small-step operational semantics precisely defines the notion of one computational step. It stops at errors, pointing them out. It is easy to trace and debug. It gives interleaving semantics for concurrency. Weaknesses. Each small step does the same amount of computation as a big step in finding the next redex. It does not give a “true concurrency” semantics, that is, one has to chose a certain interleaving (no two rules can be applied at the same time), mainly because reduction is forced to occur only at the top. It is still hard to deal with complex control – for example, consider adding halt to this language. One cannot simply do it as for other ordinary statements: instead, one has to add a corner case (additional rule) to each statement to propagate the halt. Moreover, by propagating the “halt signal” through all the statements and expressions, one fails to capture the intended computation granularity of halt: it should just terminate the execution in one step! 15 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer

6 MSOS Semantics

MSOS [31] was introduced to deal with the non-modularity issues of SOS. The solution proposed in MSOS involves moving the non-syntactic state components to the arrow labels, plus a discipline of only selecting needed attributes from states. u A transition in MSOS is of the form P −→ P ′, where P and P ′ are program ex- pressions and u is a label describing the structure of the state both before and after the transition. If u is missing, then the state is assumed to stay unchanged. Specifi- cally, u is a record containing fields denoting the semantic components. Modularity is achieved by the record comprehension notation “. . .” which indicates that more fields could follow but that they are not of interest for this transition. Fields of a label can fall in one of the following categories: read-only, read-write and write-only. Read-only fields are only inspected by the rule, but not modified. Read-write fields come in pairs, having the same field name, except that the “write” field name is primed. They are used for transitions modifying existing state fields. Write-only fields are used to record things not analyzable during the execution of the program, such as the output or the trace. Their names are always primed and they have a free monoid semantics – everything written on then is added at the end. Since the part of the state not involved in a certain rule is hidden through the “. . .” notation, language extensions can be made modularly. Consider, e.g., adding halt to the language. What needs to be done is to add another read-write record field, say halt?, along with the possible values halted(i), to signal that the program halted with value i, and false, as the default value, along with a construct stuck to block the execution of the program. To represent MSOS in rewriting logic, we here follow the methodology in [23]. Using the fact that labels describe changes from their source state to their des- tination state, one can move the labels back into the configurations. That is, a transition P −→u P ′ is modeled as a rewrite step ·hP, uprei → hP ′, uposti, where upre and upost are records describing the state before and after the transition. Note again the use of the “·” operator to emulate small steps by restricting transitivity. State records can be specified equationally as wrapping (using a constructor “{ }”) a set of fields built from fields as constructors, using an associative and commutative concatenation operation “ , ”. Fields are built from state attributes; e.g., the store can be embedded into a field by a constructor “σ : ”. Records upre and upost are computed from u as follows. For unobservable transitions, upre = upost. Read-only fields of u are added to both upre and upost. Read-write fields of u are translated by putting the read part in upre and the (now unprimed) write part in upost. Notice that the “. . .” notation gets replaced by a generic field-set variable W . For example, the rules for assignment in MSOS style,

S A −→ A′ unobs{σ = σ0,...} {σ=σ0,σ =σ0[I/X],...} S ′ X:=A −→ X:=A′ X:=I −−−−−−−−−−−−−−−−→ skip are translated into the following rewrite rules (R, R′ stand for records and W stands for the remaining of a record):

·hX:=A, Ri → hX:=A′, R′i if ·hA, Ri → hA′, R′i

·hX:=I, {σ : S0,W }i → hskip, {σ : S0[X ← I],W }i Write-only fields i′ = v of u are translated as follows: i : L, with L a fresh new 16 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer variable, is added to upre, and i : Lv is added to upost. When dealing with observable transitions, both state records meta-variables and . . . operations are represented in upre by some variables, while in upost by others. Modularity is preserved by this translation. What indeed makes MSOS defini- tions modular is the record comprehension mechanism. A similar comprehension mechanism is achieved in rewriting logic by using sets of fields and matching modulo associativity and commutativity. That is, the extensibility provided by the “. . .” record notation in MSOS is here captured by associative and commutative matching on the W variable, which allows new fields to be added. The relation between MSOS and RMSOS definitions assumes that MSOS defini- tions are in a certain normal form [23] and is made precise by the following theorem, strongly relating MSOS and modular rewriting semantics. Theorem 6.1 [23] For each normalized MSOS definition, there is a strong bisim- ulation between its transition system and the transition system associated to its translation in rewriting logic. This translation is the basis for the Maude-MSOS tool [6], which was used to define and analyze complex language definitions. Strengths. As it is a framework on top of any operational semantics, it inher- its the strengths of the semantic for which it is used; moreover, it adds to those strengths the important new feature of modularity. Weaknesses. Control is still not explicit in MSOS, making combinations of control-dependent features (e.g., call/cc) harder to specify [31, page 223]. 7 Reduction Semantics with Evaluation Contexts

Introduced in [47], also called context reduction, the evaluation contexts style im- proves over small-step definitional style in two ways: (i) it gives a more compact semantics to context-sensitive reduction, by using parsing to find the next redex rather than small-step rules; and (ii) it provides the possibility of also modifying the context in which a reduction occurs, making it much easier to deal with control- intensive features. For example, defining halt is done now using only one rule, C[halt I] → I, preserving the desired computational granularity.

C ::= [] | hC,Si I1 + I2 → (I1 +Int I2) | skip.C | C.A hP, σi[X:=I] → hP, σ[I/X]i[skip] | X:=C | I + C | C + A while B St → if B then (St; while B St) else skip E → E′ C[halt I] → hIi C[E] → C[E′] C[skip.I] → hIi

·(C[R]) → C[R′] if ·(R) → R′ ·(Cfg) → c2s(C[R]) if ·(s2c(Cfg)) → C[R]

·(I1 + I2) → (I1 + I2) Int eval(P )= reduction(hP, ∅i) ·(hP,Si[X:=I]) → hP,S[X ← I]i[skip] reduction(Cfg)= reduction(·(Cfg’)) ·(while B St) → if B then (St; while B St) else skip reduction(hIi) = I ·(C[halt I]) → hIi[[]] Table 1: CxtRed-like rules and their corresponding rewriting logic variants An important part of a context reduction semantics is the definition of evaluation contexts, which is typically done by means of a context-free grammar. A context is a program with a “hole”, the hole being a placeholder where the next computational 17 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer step takes place. If C is such a context and E is some expression whose type fits into the type of the hole of C, then C[E] is the program formed by replacing the hole of C by E. The characteristic reduction step underlying context reduction is “C[E] → C[E′] when E → E′,” capturing the fact that reductions are allowed to take place only in appropriate evaluation contexts. Table 1 presents a definition of selected evaluation contexts and some context reduction semantics rules together with their representation within rewriting logic. By making the evaluation context explicit and changeable, context reduction is, in our view, a significant improvement over small-step SOS. In particular, one can now define control-intensive statements like halt modularly and at the desired level of computational granularity. Even though the definition gives one the feeling that evaluation contexts and their instantiation come “for free”, the application of the “rewrite in context” rule presented above can be expensive in practice. This is because one needs either to parse/search the entire configuration to put it in the form C[E] for some appropriate C satisfying the grammar of evaluation contexts, or to maintain enough information in some special data-structures to perform the split C[E] using only local information and updates. Direct implementations of context reduction such as PLT-Redex cannot avoid paying a significant performance penalty, as the performance numbers in Section 9 show 2 . Context reduction is trickier to faithfully capture as a rewrite theory, since rewriting logic, by its locality, always applies a rule in the context, without ac- tually having the capability of changing the given context. In order to have an algebraic representation of contexts we extend the signature by adding a constant [], representing the hole, for each syntactic category. The operation s2c, has an ef- fect similar to what one achieves by parsing in context reduction, in the sense that given a piece of syntax it yields C[R]. In our rewriting logic definition, C[R] is not a parsing convention, but rather a constructor conveniently representing the pair (context C, redex R). The operation c2s, is defined as a morphism on the syntax, but we get (from the defining equations) the guarantee that it will be applied only to “well-formed” contexts (i.e., contexts containing only one hole). The rewrite theory RCxtRed is obtained by adding the rewrite rules in Table 1 to the equations of s2c and c2s. The RCxtRed definition is a faithful representation of context reduction semantics. Also, since parsing issues are abstracted away using equations, the computational granularity is the same, yielding a one-to-one corre- spondence between the computations performed by the context reduction semantics rules and those performed by the rewriting rules. Theorem 7.1 If s ≃ σ 3 , the following hold: (i) hp,σi parses in CxtRed as hc, σi[r] iff RCxtRed ⊢ s2c(hp,si) = hc, si[r]; (ii) RCxtRed ⊢ c2s(c[r]) = c[r/[]] for any valid ′ ′ context c and appropriate redex r; (iii) CxtRed ⊢ hp,σi → hp ,σ i iff RCxtRed ⊢ 1 ′ ′ ′ ′ 1 ·(hp,si) → hp ,s i and s ≃ σ ; (iv) CxtRed ⊢ hp,σi → hii iff RCxtRed ⊢ ·(hp,si) → ∗ hii; (v) CxtRed ⊢ hp, ⊥i → hii iff RCxtRed ⊢ eval(p) → i. Strengths. Context reduction semantics distinguishes small-step rules into com- putational rules and rules needed to find the redex (the latter are transformed into

2 Refocusing [9] proposed automatically generating abstract machines for overcoming this problem. 3 We let s ≃ σ denote the fact that equationally defined state s represents the store σ. 18 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer grammar rules generating the allowable contexts). This makes definitions more com- pact. It improves over small step semantics by allowing the context to be changed by execution rules. It can deal easily with control-intensive features. Weaknesses. It still only allows “interleaving semantics” for concurrency. Al- though context-sensitive rewriting might seem to be easily implementable by rewrit- ing, in fact all current implementations of context reduction work by transforming context grammar definitions into traversal functions, thus being as (in)efficient as the small-step implementations (one has to perform an amount of work linear in the size of the program for each computational step).

8 A Continuation-Based Semantics The idea of continuation-based interpreters for programming languages and their relation to abstract machines has been well studied (see, for example, [12]). In this section we propose a rewriting logic semantics based on a structure that provides a first-order representation of continuations; this is the only reason why we call this structure a “continuation”; but notice that it can just as well be regarded as a post-order representation of the abstract syntax tree of the program, so one needs no prior knowledge of continuations [12] in order to understand this section. We will show the equivalence of this theory to the context reduction semantics theory. Based on the desired order of evaluation, the program is sequentialized by trans- forming it into a list of tasks to be performed in order. This is done once and for all at the beginning, the benefit being that at any subsequent moment in time we know precisely where the next redex is: at the top of the tasks list. The top level configuration is constructed by an operator “ ” putting together the store (wrapped by a constructor store) and the continuation (wrapped by k). Also, syntax is added for the continuation items. The continuation is defined as a list of tasks, where the list constructor “ y ” is associative, having as identity a constant “nothing”. We also use lists of values and continuations, each having an associative list append constructor “ , ” with identity “.”. We use variables K and V to denote continuations and values, respectively; also, we use Kl and Vl for lists of continuations and values, respectively. We call the list of tasks a continuation because it resembles the idea of continuations as higher-order functions. However, our continuation is a pure first order flattening of the program. For example aexp(A1 + A2) = (aexp(A1), aexp(A2)) y + precisely encodes the order of evaluation: first A1, then A2, then sum the values. Also, stmt(while B St) = bexp(B) y while(bexp(B), stmt(St)) says that the loop is dependent on the value of B for its evaluation. pgm, stmt, bexp, aexp are used to flatten the program to a continuation, taking into account the order of evaluation 4 . The most important benefit of this transformation is that of gaining locality. Now one needs to specify from the context only what is needed to perform the computation. This gives the possibility of achieving “true concurrency”, since rules which do not act on the same parts of the context can be applied in parallel. We here only discuss the sequential variant of our continuation-based semantics, because our language is sequential. In

4 The effect of these functions is somehow similar to what one would obtain in a higher order world by means of CPS transformations [46] or conversions to monadic normal form [30]. 19 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer

[36] we show how the same technique can be used, with no additional effort, to define concurrent languages: as expected, one continuation structure is generated for each concurrent thread or process. Then rewrite rules can apply “truly concurrently” at the tops of continuations. Table 2 presents some rewrite rules from the continuation- based definition of our language. aexp(A1 + A2) = (aexp(A1), aexp(A2)) y + k((I1,I2) y + y K) → k(I1 +Int I2 y K) stmt(X := A)= aexp(A) y write(X) k(I y write(X) y K) store(Store) → k(K) store(Store[X ← I]) stmt(while B St)= bexp(B) y while(bexp(B), stmt(St)) k(false y while(K1,K2) y K) → k(K) k(true y while(K1,K2) y K) → k(K2 y K1 y while(K1,K2) y K) stmt(halt A)= aexp(A) y halt k(I y halt y K) → k(I) pgm(St.A)= stmt(St) y aexp(A) hP i = result(k(pgm(P )) store(empty)) result(k(I) store(Store)) = I using the (equationally defined) mechanism for evaluating lists of expressions: k((V l,Ke,Kel) y K)= k(Ke y (V l, nothing,Kel) y K) Note. Because in rewriting engines equations are also executed by rewriting, one would need to split the rule for evaluating expressions into two rules: k((V l,Ke,Kel) y K)= k(Ke y (V l, nothing,Kel) y K) k(V y (V l, nothing,Kel) y K)= k((V l,V,Kel) y K)

Table 2: Rewriting logic theory RK (continuation-based definition of the language) There exists a close connection between definitions of languages using reduction semantics with evaluation contexts and the style promoted in this section: ′ ′ Theorem 8.1 Suppose s ≃ σ. Then: (i) If CxtRed ⊢ hp,σi → hp ,σ i then RK ⊢ k(pgm(p)) store(s) →≤1 k(pgm(p′)) store(s′) and s′ ≃ σ′, where →≤1=→0 ∪ →1; ′ ′ ′ ′ (ii) If RK ⊢ k(pgm(p)) store(s) → k(k ) store(s ) then there exists p and σ such ∗ ′ ′ ′ ′ ′ ′ that CxtRed ⊢ hp,σi→ hp ,σ i, RK ⊢ k(pgm(p )) = k(k ) and s ≃ σ ; ∗ (iii) CxtRed ⊢ hp, ⊥i → i iff RK ⊢ hpi→ i for any p ∈ Pgm and i ∈ Int. Strengths. No need to search for a redex anymore, since the redex is always at the top. It is more efficient than direct implementations of evaluation contexts or small-step SOS. Also, it greatly reduces the need for conditional rules/equations; conditional rules/equations might involve inherently inefficient reachability analysis to check the conditions and are harder to deal with in parallel environments. An important “strength” specific to the rewriting logic approach is that reductions can now apply wherever they match, in a context-insensitive way. Additionally, continuation-based definitions in the RLS style above are very modular (particularly due to the use of matching modulo associativity and commutativity). Weaknesses. The program is now flattened in the continuation; several new operations (continuation constants) need to be introduced, which “replace” the corresponding original language constructs. 9 Experiments

RLS specifications can be turned into interpreters for the specified language. To analyze the efficiency of this approach, we wrote the RLS definitions above in two rewrite engines, namely ASF+SDF 1.5 (a compiler) and Maude 2.2 (a fast inter- preter with good tool support), and in several programming languages with built-in support for matching, namely Haskell, Ocaml and Prolog. For each definitional style tested (except small-step SOS), we have included for comparison interpreters 20 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer in Scheme, adapting definitions from [13], chapter 3.9 (evaluation semantics) and 7.3 (continuation based semantics) and a PLT-Redex definition given as example in the installation package (for context reduction). Since RLS representation of MSOS re- lies intensively on matching modulo associativity and commutativity, which is only supported by Maude, we performed no experiments for it. One tested program consists of 15 nested loops, each of 2 iterations. The other program verifies Collatz’ conjecture up to 300. The following table gives for each definitional style the running time of the various interpreters (first column – nested loops; second column – Collatz). Times are expressed in seconds. A limit of 700mb was set on memory usage; “-” found in a table cell means the memory limit was reached; an empty cell means the combination was not attempted. For Haskell we used the ghc compiler. For Ocaml we used the ocamlcopt compiler. For Prolog we compiled the programs using gprolog. For Scheme we used the PLT-Scheme interpreter. Tests were done on a Pentium 4@2GHz with 1GB RAM, running Linux.

Language Bigstep SmallStep Reduction Continuations ASF+SDF 1.7 265.1 11.9 769.6 88.7 891.3 2.5 344.7 Haskell 0.3 32.1 3.2 167.4 5.8 157.2 0.6 41.1 Maude 3.8 184.5 63.4 >1000 552.1 >1000 8.4 483.9 Ocaml 0.5 10.2 1.0 21.0 1.8 11.0 0.5 10.9 Prolog 1.6 - 7.0 - 9.4 - 3.0 - Scheme 3.8 122.3 - - 5.9 323.6 Table 3: Experiments (times in seconds) Prolog yields pretty fast interpreters. However, for backtracking reasons, it needs to maintain the stack of all predicates tried on the current path, thus the amount of memory grows with the number of computational steps. The style promoted in [13] seems to also take into account efficiency. The only drawback is the fact that it looks more like an interpreter of a big-step definition, the representational distance to the big-step definition being much bigger than in interpreters based on RLS. The PLT-Redex implementation of context reduction ran out of memory for the presented inputs (for 9 nested loops it finished in 198 seconds). The rewriting logic implementations seem to be quite efficient in terms of speed and memory us- age, while keeping a minimal representational distance to the operational semantics definitions. In particular, RLS definitions interpreted in Maude are comparable in terms of efficiency with the interpreters in Scheme, while having the advantage of being formal definitions.

10 Related Work

There is much related work on frameworks for defining programming languages. Without trying to be exhaustive, we mention some of them. Algebraic denotational semantics. This approach, (see [17,42] for two recent books), is a special case of RLS, namely, the case in which the rewrite theory RL defining language L is an equational theory. While algebraic semantics shares a number of advantages with RLS, its main limitation is that it is not well-suited for concurrent language definitions. Other RLS work. RLS is a collective international project. Through the efforts of various researchers, there is by now a substantial body of work demonstrating the 21 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer usefulness of this approach. A first snapshot of the RLS project was given in [26], and a second in [25]. This paper can be viewed as third snapshot focusing on the variety of definitional styles supported. A substantial body of experience in giving programming language definitions, and using those definitions both for execution and for analysis purposes has already been gathered; an up-to-date list of references on RLS can be found in the companion tech report [38]. Higher-order approaches. The most classic higher-order approach, although not exactly operational, is denotational semantics [37]. Denotational semantics has some similarities with its first-order algebraic cousin mentioned above, since both are based on semantic equations. Two differences are: (i) the use of first- order equations in the algebraic case versus the higher-order ones in traditional denotational semantics; and (ii) the kinds of models used in each case. A related class of higher-order approaches uses higher-order functional languages or higher- order theorem provers to give operational semantics to programming languages. Without trying to be complete, we can mention, for example, the use of Scheme in [13], the use of ML in [33], and the use of Common LISP within the ACL2 prover in [20]. There is also a body of work on using monads [29,45] to implement language interpreters in higher-order functional languages; the monadic approach has better modularity characteristics than standard SOS. A third class of higher- order approaches are based on the use of higher-order abstract syntax (HOAS) and higher-order logical frameworks, such as LF or λ-Prolog [32], to encode languages as logical systems. For recent work in this direction see [27] and references there. Other approaches. Going back to the Centaur project [5,8], logic programming has been used as a framework for SOS definitions. Note that λ-Prolog [32] belongs both in this category and in the higher-order one. Abstract State Machine (ASM) [18] can encode any computation and have a rigorous semantics, so any program- ming language can be defined as an ASM and thus implicitly be given a semantics. Both big- and small-step ASM semantics have been investigated. The semantics of various programming languages, including, for example, Java [39], has been given using ASMs. The Chemical Abstract Machine [3] avoids some of the limitations of SOS in defining concurrent programming languages and was introduced in the same journal volume as Rewriting Logic; as shown in [22], any chemical abstract machine definition is a rewrite logic theory. Tile logic [14] also supports definitions of concurrent languages and has been compared to and translated into rewriting logic [24,15]. 11 Conclusions

We have tried to show how RLS can be used as a logical framework for operational semantics definitions of programming languages. By showing how it can faithfully capture big-step and small-step SOS, MSOS, context reduction, and continuation- based semantics, we hope to have illustrated what might be called its ecumenical character: flexible support for a wide range of definitional styles, without forcing or pre-imposing any given style. We think that this flexibility makes RLS useful as a way of exploring new definitional styles. For highly-concurrent languages, such as mobile languages, or for languages involving concurrency, real-time and/or probabilities, a centralized approach forcing an interleaving semantics is unnatural. 22 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer

We have, of course, refrained from putting forward any specific suggestions in this regard. But we think that new definitional styles are worth investigating; and hope that RLS in general, and this paper in particular, will stimulate such investigations.

References

[1] Abadi, M., L. Cardelli, P.-L. Curien and J.-J. L´evy, Explicit Substitutions, in: Proc. POPL’90 (1990), pp. 31–46.

[2] Benaissa, Z.-E.-A., D. Briaud, P. Lescanne and J. Rouyer-Degli, lambda-nu, a calculus of explicit substitutions which preserves strong normalisation., J. Funct. Program. 6 (1996), pp. 699–722.

[3] Berry, G. and G. Boudol, The chemical abstract machine, Theoretical Computer Science 96 (1992), pp. 217–248.

[4] Borovansk´y, P., H. Cirstea, H. Dubois, C. Kirchner, H. Kirchner, P.-E. Moreau, C. Ringeissen and M. Vittek, “ELAN V 3.4 User Manual,” LORIA, Nancy (France), fourth edition (2000).

[5] Borras, P., D. Cl´ement, T. Despeyroux, J. Incerpi, G. Kahn, B. Lang and V. Pascual, Centaur: The system., in: Software Development Environments (SDE), 1988, pp. 14–24.

[6] Chalub, F. and C. Braga, Maude MSOS tool, in: G. Denker and C. Talcott, editors, 6th International Workshop on Rewriting Logic and its Applications (WRLA’06), Electronic Notes in Theoretical Computer Science (to appear).

[7] Clavel, M., F. Dur´an, S. Eker, P. Lincoln, N. Mart´ı-Oliet, J. Meseguer and J. F. Quesada, Maude: specification and programming in rewriting logic., Theor. Comput. Sci. 285 (2002), pp. 187–243.

[8] Cl´ement, D., J. Despeyroux, L. Hascoet and G. Kahn, Natural semantics on the computer, in: K. Fuchi and M. Nivat, editors, Proceedings, France-Japan AI and CS Symposium, ICOT, 1986 pp. 49–89, also, Information Processing Society of Japan, Technical Memorandum PL-86-6.

[9] Danvy, O. and L. R. Nielsen, Refocusing in reduction semantics, Technical Report BRICS RS-04-26, University of Aarhus (2004).

[10] Diaconescu, R. and K. Futatsugi, “CafeOBJ Report. The Language, Proof Techniques, and Methodologies for Object-Oriented Algebraic Specification,” AMAST Series in Computing 6, World Scientific, 1998.

[11] Farzan, A., F. Cheng, J. Meseguer and G. Ro¸su, Formal analysis of Java programs in JavaFAN, in Proc. CAV’04, Springer LNCS, 2004.

[12] Felleisen, M. and D. P. Friedman, Control operators, the secd-machine, and the lambda-calculus, in: 3rd Working Conference on the Formal Description of Programming Concepts, Ebberup, Denmark, 1986, pp. 193–219.

[13] Friedman, D. P., M. Wand and C. T. Haynes, “Essentials of Programming Languages,” The MIT Press, Cambridge, MA, 2001, 2nd edition.

[14] Gadducci, F. and U. Montanari, The tile model, in: G. Plotkin, C. Stirling and M. Tofte, editors, Proof, Language and Interaction: Essays in Honour of Robin Milner, MIT, 2000 Also, TR-96-27, C.S. Dept., Univ. of Pisa, 1996.

[15] Gadducci, F. and U. Montanari, Comparing logics for rewriting: Rewriting logic, action calculi and tile logic, Theoret. Comput. Sci. 285 (2002), pp. 319–358.

[16] Goguen, J., T. Winkler, J. Meseguer, K. Futatsugi and J.-P. Jouannaud, Introducing OBJ, in: J. Goguen, editor, Applications of Algebraic Specification using OBJ, Cambridge, 1993 .

[17] Goguen, J. A. and G. Malcolm, “Algebraic Semantics of Imperative Programs,” MIT Press, 1996.

[18] Gurevich, Y., Evolving algebras 1993: Lipari Guide, in: E. B¨orger, editor, Specification and Validation Methods, Oxford University Press, 1994 pp. 9–37.

[19] Kahn, G., Natural semantics., in: F.-J. Brandenburg, G. Vidal-Naquet and M. Wirsing, editors, STACS, Lecture Notes in Computer Science 247 (1987), pp. 22–39.

[20] Kaufmann, M., P. Manolios and J. S. Moore, “Computer-Aided Reasoning: ACL2 Case Studies,” Kluwer Academic Press, 2000.

[21] Mart´ı-Oliet, N. and J. Meseguer, Rewriting logic as a logical and semantic framework, in: D. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic, 2nd. Edition, Kluwer Academic Publishers, 2002 pp. 1–87, first published as SRI Tech. Report SRI-CSL-93-05, August 1993. 23 S¸erbanut¸˘ a,˘ Ros¸u, Meseguer

[22] Meseguer, J., Conditional rewriting logic as a unified model of concurrency, Theoretical Computer Science 96 (1992), pp. 73–155.

[23] Meseguer, J. and C. Braga, Modular rewriting semantics of programming languages, in Proc. AMAST’04, Springer LNCS 3116, 364–378, 2004. [24] Meseguer, J. and U. Montanari, Mapping tile logic into rewriting logic, in: F. Parisi-Presicce, editor, Proceedings of WADT’97, 12th Workshop on Recent Trends in Algebraic Development Techniques, LNCS 1376 (1998), pp. 62–91.

[25] Meseguer, J. and G. Ro¸su, The rewriting logic semantics project, Theoretical Computer Science to appear (2006).

[26] Meseguer, J. and G. Rosu, Rewriting logic semantics: From language specifications to formal analysis tools., in: D. A. Basin and M. Rusinowitch, editors, IJCAR, Lecture Notes in Computer Science 3097 (2004), pp. 1–44.

[27] Miller, D., Representing and reasoning with operational semantics., in: U. Furbach and N. Shankar, editors, IJCAR, Lecture Notes in Computer Science 4130 (2006), pp. 4–20.

[28] Milner, R., M. Tofte, R. Harper and D. MacQueen, “The Definition of Standard ML (Revised),” MIT Press, 1997. [29] Moggi, E., An abstract view of programming languages, Technical Report ECS-LFCS-90-113, Edinburgh University, Department of Computer Science (1989).

[30] Moggi, E., Notions of computation and monads, Inf. Comput. 93 (1991), pp. 55–92.

[31] Mosses, P. D., Modular structural operational semantics, J. Log. Algebr. Program. 60–61 (2004), pp. 195–228. [32] Nadathur, G. and D. Miller, An overview of λProlog, in: K. Bowen and R. Kowalski, editors, Fifth Int. Joint Conf. and Symp. on Logic Programming (1988), pp. 810–827.

[33] Pierce, B., “Types and Programming Languages,” MIT Press, 2002.

[34] Plotkin, G. D., A structural approach to operational semantics., J. Log. Algebr. Program. 60-61 (2004), pp. 17–139, original version: University of Aarhus Technical Report DAIMI FN-19, 1981. [35] Reynolds, J. C., The Discoveries of Continuations, LISP and Symbolic Computation 6 (1993), pp. 233– 247. [36] Ro¸su, G., K: a Rewrite-based Framework for Modular Language Design, Semantics, Analysis and Implementation, Technical Report UIUCDCS-R-2005-2672, Department of Computer Science, University of Illinois at Urbana-Champaign (2005).

[37] Scott, D., Outline of a mathematical theory of computation, in: Proceedings, Fourth Annual Princeton Conference on Information Sciences and Systems, Princeton University, 1970 pp. 169–176, also appeared as Technical Monograph PRG 2, Oxford University, Programming Research Group. [38] S¸erb˘anut¸˘a, T. F., G. Ro¸su and J. Meseguer, A rewriting logic approach to operational semantics, Technical Report UIUCDCS-R-2007-2820, University of Illinois, Department of COmputer Science (2007).

[39] St¨ark, R. F., J. Schmid and E. B¨orger, “Java and the Java Virtual Machine: Definition, Verification, Validation,” Springer, 2001. [40] Stehr, M.-O., CINNI - a generic calculus of explicit substitutions and its application to lambda-, sigma- and pi-calculi (2000), proc. 3rd. Intl. Workshop on Rewriting Logic and its Applications.

[41] van den Brand, M., J. Heering, P. Klint and P. A. Olivier, Compiling language definitions: the asf+sdf compiler., ACM Trans. Program. Lang. Syst. 24 (2002), pp. 334–368.

[42] van Deursen, A., J. Heering and P. Klint, “Language Prototyping: An Algebraic Specification Approach,” World Scientific, 1996. [43] Verdejo, A. and N. Mart´ı-Oliet, Executable structural operational semantics in maude., J. Log. Algebr. Program. 67 (2006), pp. 226–293.

[44] Visser, E., Program transformation with Stratego/XT: Rules, strategies, tools, and systems in Stratego/XT 0.9., in: C. Lengauer, D. S. Batory, C. Consel and M. Odersky, editors, Domain-Specific Program Generation, Lecture Notes in Computer Science 3016 (2003), pp. 216–238.

[45] Wadler, P., The essence of functional programming., in: POPL, 1992, pp. 1–14.

[46] Wand, M., Continuation-based program transformation strategies., J. ACM 27 (1980), pp. 164–180.

[47] Wright, A. K. and M. Felleisen, A syntactic approach to type soundness, Inf. Comput. 115 (1994), pp. 38–94.

24 SOS 2007 Preliminary Version

Bi-inductive Structural Semantics (Extended Abstract)

Patrick Cousot1

Département d’informatique, École normale supérieure, 45 rue d’Ulm, 75230 Paris cedex 05, France Radhia Cousot2

CNRS & École polytechnique, 91128 Palaiseau cedex, France

Abstract We propose a simple order-theoretic generalization of set-theoretic inductive definitions. This general- ization covers inductive, co-inductive and bi-inductive definitions and is preserved by abstraction. This allows the structural operational semantics to describe simultaneously the finite/terminating and in- finite/diverging behaviors of programs. This is illustrated on the structural bifinitary small/big-step trace/relational/operational semantics of the call-by-value λ-calculus.

Keywords: fixpoint definition, inductive definition, co-inductive definition, bi-inductive definition, structural operational semantics, SOS, trace semantics, relational semantics, small-step semantics, big-step semantics, divergence semantics, abstraction.

1 Introduction

The connection between the use of fixpoints in denotational semantics [17]andthe use of rule-based inductive definitions in [10]andstructural operational semantics (SOS) [19,20,21] can be made by a generalization of inductive definitions [1] to include co-inductive definitions [8]. It is then possible to generalize natural semantics describing finite input/output behaviors [12]soastoalsoinclude infinite behaviors [7]. This is necessary since the definition of the infinite behaviors cannot be derived from the finite big-step SOS behaviors.

Example 1.1 Let us consider the choice operator E1 E2 where the evaluation of | E1 either terminates (returning the value a, written E1 = a) or does not termi- ⇒ nate (written E1 = ). Similarly, the big-step semantics of E2 is E2 = b for a ⇒⊥ ⇒ 1 Piatsr cuek.Co so.tr@ n f , www.di.ens.fr/˜cousot/ 2 Road.hhiuafCln.siout@poqytc e e r, www.polytechnique.edu/Radhia.Cousot/ This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science P. Cousot & R. Cousot

terminating evaluation returning b or E2 = for non-termination. Let us consider ⇒⊥ several possible semantics for the choice operator:

• Nondeterministic: an internal choice is made initially to evaluate E1 or to evaluate E2;

• Parallel: evaluate E1 and E2 concurrently, with an unspecified scheduling, and return the first available result a or b;

• Mixed left-to-right: evaluate E1 and then either return its result a or evaluate E2 and return its result b;

• Mixed right-to-left: evaluate E2 and then either return its result b or evaluate E1 and return its result a;

• Eager: evaluate both E1 and E2 and return either results if both terminate. The corresponding finite big-step behaviors, as described in natural semantics [12], are all defined as follows:

a b = aab = b. | ⇒ | ⇒ But for the case = , the infinite behaviors are all different: ⊥|⊥ ⇒⊥ Non-deter- Parallel Mixed left- Mixed right- Eager ministic to-right to-left b = b b = b b = b ⊥| ⇒ ⊥| ⇒ ⊥| ⇒ b = b = b = b = ⊥| ⇒⊥ ⊥| ⇒⊥ ⊥| ⇒⊥ ⊥| ⇒⊥ a = a a = a a = a |⊥ ⇒ |⊥ ⇒ |⊥ ⇒ a = a = a = a = |⊥ ⇒⊥ |⊥ ⇒⊥ |⊥ ⇒⊥ |⊥ ⇒⊥ Since the natural semantics defines the finite behaviors but not the diverging behav- iors, an interpretation of the big-step evaluation rules as Horn clauses implemented in Prolog [2,9] will have its diverging behaviors determined by the implementation (e.g. Prolog interpreter with left-to-right evaluation). 2 The paper develops and illustrates the use of "bi-inductive" definitions in opera- tional semantics which enable both finitary and infinitary behaviors to be described simultaneously [7,8]. The general methodology consists in extending Hilbert proof systems [1]byre- placing the powerset ℘(U), of the universe U by a partial order , .Beyond  ⊆ D  the classical inductive definitions ℘(U), , this extension includes the co-inductive  ⊆ definitions ℘(U), and bi-inductive definitions mixing inductive and co-inductive  ⊇ definitions [7,8]. This extension also copes with compositional structural definitions as found in denotational semantics or SOS. This is illustrated by definitions of the semantics of the call-by-value λ-calculus. We introduce an original big-step trace semantics that gives operational meaning to both convergent and divergent behaviors of programs. The compositional struc- tural definition mixes induction for finite behaviors and co-induction for infinite behaviors while avoiding duplication of rules between the two cases. This big-step 26 P. Cousot & R. Cousot trace semantics excludes erroneous behaviors that go wrong. The other semantics are then systematically derived by abstraction. The big-step trace semantics is first abstracted to a relational semantics and then to the standard big-step or natural semantics. These abstraction are sound and complete in that the big-step trace and relational semantics describe the same converging or diverging behaviors while the big-step trace and natural semantics describe the same finite behaviors. The big-step trace semantics is then abstracted into a small-step semantics, by collecting transitions along traces. This abstraction is sound but incomplete in that the traces generated by the small-step semantics describes convergent, divergent, but also erroneous behaviors of programs. This shows that trace-based operational semantics can be much more informative that small-step operational semantics.

2 Bi-inductive structural definitions and their abstrac- tion

2.1 Structural order-theoretic inductive definitions We introduce different forms of structural order-theoretic inductive definitions and prove their equivalence. We formalize the syntax of a language L as a binary relation on L to be ≺ understood as the “strict syntactic subcomponent” relation on L. L, is therefore  ≺ a well-founded set, is irreflexive (inducing the reflexive 4), and has finite left ≺ ≺ images  L :  L   N ( S is the cardinality of set S, N is the set ∀ ∈ |{ ∈ | ≺ }| ∈ | | of natural numbers). Hence we can write  ::= 1,...,n for the tuple of elements  = 1,...,n such that 1,...,n =  L   .   { } { ∈ | ≺ } For≺ example, for the language L of lambda terms a, b, ... ::=x λ x . a ab,we | | can define a λ x . a, a aband b abso ab::= a, b. In case no structural i.e. ≺ ≺ ≺ syntax-directed reasoning is needed, L canbechosenasasingletonand as false. ≺ For each “syntactic component”  L, we consider a semantic domain , , ∈ D  ,  which is assumed to be a directed complete partial order (dcpo). ⊥  For each “syntactic component”  L, we consider variables X, Y, . . . ranging ∈ over the semantic domain . We drop the subscript  when the corresponding D semantic domain is clear from the context (e.g. the semantic domain is the same for all “syntactic components” i.e.  L :  = ). ∀ ∈ D D For each “syntactic component”  L,weletΔ be indexed sequences (totally ∈ ordered sets). We write xi when considering the sequence xi,i Δ i Δ  ∈ ∈ Δ S of elements of a set ∈S as a vector of S.  i Δ → ∈ i For each element i Δ of the sequence, we consider transformers F  ∈  ∈D × 1 ... n  where n =  L   and 1,...,n =  L  D ×D −→ D i |{ ∈ | ≺ }| { } { ∈ | ≺  . When n =0,wehaveF  . }  ∈D −→ D The transformers are assumed to be -monotone in their first parameter, that  is i Δ, 1,...,n , X, Y ,X1 1 ,...,Xn n : X  Y = i∀ ∈ ≺i ∈D ∈D ∈D  ⇒ F (X, X1,...,Xn)  F (Y,X1,...,Xn).    For each “syntactic component”  L,thejoin g (Δ )  is ∈ ∈ −→ D −→ D assumed to be componentwise -monotone ( Xi,i Δ : Yi,i Δ :( i  ∀ ∈  ∀ ∈  ∀ ∈ 27 P. Cousot & R. Cousot

Δ : Xi  Yi)= ( Xi)  ( Yi)). The join operator is used to gather  ⇒    i Δ i Δ  ∈  ∈ g( X )= X alternatives in formal definitions. For brevity, we write i  i, leaving i Δ i Δ ∈ ∈ implicit the fact that the Xi should be considered in the total order given by the sequence Δ. Most often, the order of presentation of these alternatives in the formal definition is not significant. In this case, Δ is just a set and the join may often be defined in term of a binary join g (  ) , which is assumed to be associative, ∈ D ×D −→ D commutative, and -monotone, as g( Xi) , Xi. The binary join may be   i Δ i Δ ∈ ∈ different form the least upper bound (lub)  of the semantic domain . D A fixpoint definition has the form

i  L : f  = lfp λ X . F (X, f  ) ∀ ∈ S   S i Δ   ∈ ≺     where lfp is the partially defined -least fixpoint operator on a poset P, .To    emphasize structural composition, we also let 1,...,n =  L   and { } { ∈ | ≺ } write

i  L : f  ::= 1,...,n = lfp λ X . F (X, f 1 ,..., f n ) . ∀ ∈ S   S S i Δ ∈      

Lemma 2.1  L : f  is well defined. ∀ ∈ S Definitions needing no fixpoint or join can withal be encompassed as fix- i   i points such as F ( f 1 ,..., f n ) = lfp λ X . F ( f 1 ,..., f n )   S S   S S i Δ i Δ ∈ ∈ i i or without join F ( f 1 ,..., f n ) = lfp λ X . F ( f 1 ,..., f n ).  S S   S S i i ∈{ } An equational definition  has the  form:    

e  , L is the componentwise -least X, L satisfying the system of S ∈    ∈  equations   X = F i(X , X )        ≺ i Δ ⎧ ∈ ⎨⎪  L . ∈ A constraint-based definition⎩⎪ has the form:

e  , L is the componentwise -least X, L satisfying the system of Sconstraints∈ (inequations)   ∈    F i(X , X ) X         ≺  i Δ ⎧ ∈ ⎨⎪  L . ∈ ⎪ ⎩ 28 P. Cousot & R. Cousot

A rule-based definition is a sequence of rules of the form

X  L,i Δ i ∈ ∈ F (X, r  )  S   ≺   where the premise and conclusion are elements of the , cpo. When under- D  standing the rule in logical form (where the premise is a statement that is assumed to be true and from which a conclusion can be drawn), the following form might be preferred.

X  r   S  L,X ,i Δ i ∈ ∈D ∈ F (X, r  ) r   S    S   ≺     i If F does not depend upon the premise X, it is an axiom. In such presentations, g 3 the join of the alternatives is left implicit . To make it explicit, we rewrite such definitions in the form

X  r   S (1)  L,X  . i ∈ ∈D F (X, r  ) r    S    S i Δ   ∈ ≺     The formal definition of the join makes explicit whether the order of presentation of the rules does matter, or not. When it doesn’t, the join can be defined using a binary associative and commutative join. This binary join can even be left implicit and, by associativity and commutativity, the rules can be given in any order. This will be the case for our examples. 4 A D  is provable if and only if it has a proof that is a transfinite sequence ∈D D0,...,Dλ of elements of  such that D0 = , Dλ = D and for all 0 <δ6 λ, Dδ i D ⊥  F ( Dβ, r  ).     S i Δ β<δ   ∈ ≺ The meaning of a rule-based  definition (1)is

r  , D  D is provable . S  { ∈D | } The above order-theoretic  inductive definitions are all equivalent:

Theorem 2.2  L :  , f  = e  = c  = r  . ∀ ∈ S S S S S This generalization of [1] could also include a game-theoretic version. The           closure-condition version [1] is also easy to adapt.

3 This is the case in classical Hilbert’s formal systems. 4 Intheclassicalcase[1], the fixpoint operator is continuous whence proofs are finite. 29 P. Cousot & R. Cousot

Example 2.3 The classical inductive definition [1] of the subset of a universe U by S X rules Pi i I where P U and c U, i I can be written ⊆S , ci i i ⊆ ∈ ⊆ ∈ ∈ ci Pi X { | ⊆ }⊆S Pi X, X Pi i I or ⊆ ⊆S , i I that is ⊆S , i I for short. So L, 4 , , = , ⊆ ⊆ • ∈ ci ∈ ci ∈     ∈S ∈S i i , , , , ℘( ), , ?, , Δ , I, F ℘(U) ℘(U) is F (X) , ci D• • ⊥• •  U ⊆ ∪ • • ∈ → • { | Pi X and , thus defining = lfp⊆ λ X . ci i I Pi X . 2 ⊆ } • S { | ∈ ∧ ⊆ }  2.2 Bi-semantic domains To account for terminating/finite and diverging/infinite program behaviors, we con- sider bi-semantic domains consisting, for each  L, of a finitary semantic domain ∈ (of finite program behaviors) +, +, +, + and a infinitary semantic codomain D  ⊥   (of infinite program behaviors) −, −, −, which are assumed to be dc- D  ⊥ − pos [17] (respectively complete lattices). They are combined into a bi-semantic + + domain (of bifinite program behaviors)  thanks to a projection π   , D + ∈D →D a coprojection π−  −, and a constructor π  −  sat- + ∈D →D + ∈D ×D →D isfying x  ,y − : π (π(x, y)) = x and π−(π(x, y)) = y while ∀ ∈D+ ∈D X : π(π (X),π−(X)) = X. Examples are the Cartesian product, disjoint ∀ ∈D   union or union of disjoint sets. The bi-semantic domain , , ,  is then + ,D +  ⊥ , a dcpo (respectively a complete lattice) by defining X π (X), X − π−(X), + + + + + X  Y , (X Y ) (X − Y ),and Xi , π( X , X −).   ∧ −  −   i − i i I i I i I ∈ ∈ ∈ 2.3 Abstraction We consider a simple form of abstraction based on a continuous abstraction function α [6], which includes the particular case of a Galois connection [5] (denoted P, γ γ  4 Q, ,or P, 4 Q, when α is onto, where P, 4 and Q,  ←−−α−     ←−−−α −       are− posets,−−→ and x P : y−−−−→Q →: α(x) y x 4 γ(y)). ∀ ∈ ∀ ∈  ⇐⇒ i For all  L,welet , , ,  be dcpos, F   ...   ∈ D  ⊥   ∈ D × D 1 × D n −→ D i Δ be monotone in their first parameter, and define the abstract semantics f  ∈ S in one of the equivalent forms of Th. 2.2. If α  , we say that the abstract semantics  , L is sound with  ∈D −→ D S ∈  respect to the concrete semantics  , L if and only if  L : α(  )  S ∈  ∀ ∈ S   .Ifiscomplete whenever  L :   α(  ).   S ∀ ∈ S  S     3  Structural order-theoretic  inductive  definitions of the semantics of the call-by-value λ-calculus

The syntax of the λ-calculus with constants is

x, y, z,... X variables ∈ c C constants (X C = ?) ∈ ∩ c ::= 0 1 ... | | 30 P. Cousot & R. Cousot

v V values ∈ v ::= c λ x . a | e E errors ∈ e ::= ca ea | a, a, a1,...,b,,... T terms ∈ a ::= x v aa | |

We write a[x b] for the capture-avoiding substitution of b for all free occurrences ← of x within a.WeletFV(a) be the free variables of a. We define the call-by-value semantics of closed terms (without free variables) T , a T FV(a)=? . { ∈ | } The application (λ x . av) of a function λ x . a toavaluev is evaluated by sub- stitution a[x v] of the actual parameter v for the formal parameter x in the ← function body a. This cannot be understood as induction on the program syntax since a[x v] is not in general a strict syntactic subcomponent of (λ x . av). Hence ← the various semantics below cannot be defined by structural induction of the syntax of λ-expressions. So the framework of Sect. 2.1 is instantiated with L = and {•} ≺ is defined to be false on L which prevents the use of structural induction on program syntax. For brevity we omit the void syntactic component writing e.g. F for F , • • for , Δ for Δ ,etc. D D• • We introduce a maximal trace semantics describing terminating and diverging  computations. The trace semantics is then abstracted into a relational [20] and then an operational semantics [15]. Each semantics can be defined using small steps or big steps of computation. Each semantics can be defined in fixpoint or rule-based form. Semantics Fixpoint definition Rule-based definition big-step small-step big-step small-step

Trace S lfp F lfp f = ñ ñ ñ ⇒ ⇒⇒ Relational S lfp F lfp f = ⇒⇒⇒ Operational S lfp⊆ f = gfp⊆ f A . −

4 Big-step maximal trace semantics of the call-by-value λ-calculus

 + ω We let T (resp. T , T , T∝ and T∞) be the set of finite (resp. nonempty finite, infinite, finite or infinite, and nonempty finite or infinite) sequences of terms where is the empty sequence σ = σ = σ.Welet σ N ω be the length of σ T . • • ∝ + | |∈ ∪{ } ω ∈ =0.Ifσ T then σ > 0 and σ = σ0 σ1 ... σ σ 1.Ifσ T then σ = ω | | ∈ | | • • • | |− ∈ | | and σ = σ ... σ ....GivenS, T ℘(T ), we define S+ , S T+, Sω , S Tω 0 • • n • ∞ + + ω ω ∈ ∩ ω ∩ + and S T , S T S T , so that the trace domain ℘(T∞), , T , T ,  ⊆ ∧ ⊇   , is a complete lattice. For a T and σ T , we define a@σ to be σ T  ∈ ∈ ∞ ∈ ∞ such that i< σ : σ = aσi and similarly σ@a is σ such that i< σ : σ = σi a. ∀ | | i ∀ | | i 31 P. Cousot & R. Cousot

4.1 Fixpoint big-step maximal trace semantics

The bifinitary trace semantics S ℘(T∞) of the closed call-by-value λ-calculus T ∈ can be specified in fixpoint form

S , lfp F where the set of traces transformer F ℘(T∞) ℘(T∞) describes big steps of ∈ → computation

F (S) , v T∞ v V (a) { ∈ | ∈ }∪ (λ x . a) v a[x v] σ v V a[x v] σ S (b) { • ← • | ∈ ∧ ← • ∈ }∪ σ@b σ Sω (c) { | ∈ }∪ + (σ@b) (vb) σ σ = σ v S v V (vb) σ S (d) { • • |  ∧ • ∈ ∧ ∈ ∧ • ∈ }∪ a@σ a V σ Sω (e) { | ∈ ∧ ∈ }∪ + (a@σ) (av) σ a, v V σ = σ v S (av) σ S . (f) { • • | ∈ ∧  ∧ • ∈ ∧ • ∈ }

The definition of F has (a) for termination, (b) for call-by-value β-reduction, (c) and (d) for left reduction under applications and (e) and (f) for right reduction under applications, corresponding to left-to-right evaluation. (b), (d) and (f) cope both with terminating and diverging traces. In the framework of Sect. 2.1,wehave Δ , a, b, c, d, e, f where F i(S), i Δ is defined by equation (i).Thejoin • { } • ∈ • operator is chosen in binary form as g , . • ∪ We observe that (S+ , S T+, Sω , S Tω so S+ Sω = ?) ∩ ∩ ∩

S = S+ Sω ∪ + + + + + (2) ⎧ S = F ( S )=lfp⊆ F where F (S) , F (S ) ⎪ ⎨⎪ ω + ω ω ω ω + ω ω S =(F ( S S )) = gfp⊆ F where F (S) , (F ( S S )) . ∪ ∪ ⎪ ⎩⎪ The bifinitary trace semantics S is suffix-closed in that

σ T∞ : a σ S = σ S . ∀ ∈ • ∈ ⇒ ∈

The bifinitary trace semantics S is total in that it excludes intermediate or result errors

a T : σ, σ T∝, e E : a σ e σ S . ∀ ∈  ∃ ∈ ∈ • • • ∈ The finite maximal traces are blocking in that the result of a finite computation is always a final value

+ σ T∞ : σ b S = b V . ∀ ∈ ∪{ } • ∈ ⇒ ∈ 32 P. Cousot & R. Cousot

4.2 Rule-based big-step maximal trace semantics

The maximal trace semantics S can also be defined as follows

a[x v] σ S ← • ∈ v S, v V , v V ∈ ∈ (λ x . a) v a[x v] σ S ∈ • ← • ∈ ω + σ S σ v S , (vb) σ S ∈ • ∈ • ∈ , v V ∈ σ@b S (σ@b) (vb) σ S ∈ • • ∈ ω + σ S σ v S , (av) σ S ∈ , a V • ∈ • ∈ , v, a V . ∈ ∈ a@σ S (a@σ) (av) σ S ∈ • • ∈

Defining S a , a σ a σ S , S+ a , a σ a σ S+ ,and Sω a , a σ { • | • ∈ } { • | • ∈ } { • | a σ Sω , we can also write for brevity • ∈ }       σ S a[x v] ∈ ← v S v , v V , v V ∈ ∈ (λ x . a) v σ S (λ x . a) v ∈ •  ∈   ω + σ S a σ v S a ,σ S vb ∈ • ∈ ∈ , v V ∈ σ@b S ab (σ@b) σ S ab ∈   •  ∈   ω + σ S b σ v S b ,σ S av ∈   , a V • ∈ ∈  , a, v V . ∈ ∈ a@σ S ab (a@σ) σ S ab ∈   •  ∈  

Observe that the inductive definition of S a should neither  be understood as a structural induction on a (since a[x v] (λ x . a) v) nor as action induction ← ≺ [16] (because of infinite traces). The definition  could be split in inductive rules for termination and co-inductive rules for divergence, as shown in (2), but the above bi-inductive definition avoids the duplication of common rules. Defining a = σ , ⇒ σ S a , we can also write ∈    a[x v] = σ ← ⇒ v = v, v V , v V ⇒ ∈ (λ x . a) v = (λ x . a) v σ ∈ ⇒  •  a = σ a = σ v, vb= σ ⇒ ,σT ω ⇒ •  ⇒ , v V,σ T + ∈ ∈ ∈ ab= σ@b ab= (σ@b) σ ⇒  ⇒ • b = σ b = σ v, av= σ ⇒ , a V,σ T ω ⇒ • ⇒ , a, v V,σ T + . ∈ ∈ ∈ ∈ ab= a@σ ab= (a@σ) σ ⇒  ⇒ •  33  P. Cousot & R. Cousot

5 Abstraction of the big-step trace semantics into the big-step relational semantics of the call-by-value λ- calculus

The relational abstraction of sets of traces is

(3) α ℘(T∞) ℘(T (T )) ∈ → × ∪{⊥} α(S) , σ0,σn 1 σ S σ = n σ0, σ S σ = ω { − | ∈ ∧| | }∪{ ⊥ | ∈ ∧| | } γ ℘(T (T )) ℘(T∞) ∈ × ∪{⊥} → γ(T ) , σ T∞ ( σ = n σ0,σn 1 T ) ( σ = ω σ0, T ) { ∈ | | | ∧ − ∈ ∨ | | ∧ ⊥ ∈ } so that γ ℘(T∞), ℘(T (T )), .  ⊆ ←−−−→−−−α−→−  × ∪{⊥} ⊆ ñ The bifinitary relational semantics S , α( S) ℘(T (T )) is the relational ∈ × ∪{⊥} abstraction of the trace semantics mapping an expression to its final value or in ⊥ case of divergence.

5.1 Fixpoint big-step bifinitary relational semantics ñ The bifinitary relational semantics S , α( S)=α(lfp F ) can be defined in fixpoint ñ ñ form as lfp F where the big-step transformer F ℘(T (T )) ℘(T (T ∈ × ∪{⊥} → × ∪ )) is {⊥} ñ F (T ) , v, v v V { | ∈ }∪ (λ x . a) v,r v V a[x v],r T { | ∈ ∧ ← ∈ }∪ (ab), a, T { ⊥ |  ⊥ ∈ }∪ (ab),r a, v T + v V (vb),r T { | ∈ ∧ ∈ ∧ ∈ }∪ (ab), a V b, T { ⊥ | ∈ ∧ ⊥ ∈ }∪ (ab),r a, v V b, v T + (av),r T . { | ∈ ∧ ∈ ∧ ∈ }

ñ ñ Theorem 5.1 We have α(F (S)) = F (α(S)) and so S , α( S)=α(lfp F )= ñ lfp F .

5.2 Rule-based big-step bifinitary relational semantics The big-step bifinitary relational semantics = is defined as a = r , a,r ⇒ ⇒  ∈ α( S a ) where a T and r T .Itis ∈ ∈ ∪{⊥}   a[x v]= r ← ⇒ v = v, v V , v V,r V ⇒ ∈ (λ x . a) v = r ∈ ∈ ∪{⊥} ⇒ 34 P. Cousot & R. Cousot

a = a = v, vb= r ⇒⊥ ⇒ ⇒ , v V,r V ab= ab= r ∈ ∈ ∪{⊥} ⇒⊥ ⇒ b = b = v, av= r ⇒⊥ ⇒ ⇒ , a V , a V, v V,r V . ab= ∈ ab= r ∈ ∈ ∈ ∪{⊥} ⇒⊥ ⇒ Again this should neither be understood as a structural induction (since a[x v] ← ≺ (λ x . a) v) nor as action induction (because of infinite behaviors). The abstraction α(T ) , T (T T) yields the classical natural semantics [12] (where all rules ∩ × with are eliminated and becomes in the remaining ones). The abstraction ⊥  ⊆ α(T ) , T (T ) yields the divergence semantics (keeping only the rules with ∩ ×{⊥} , is ,anda = is written a =∞ in [15]). ⊥  ⊇ ⇒⊥ ⇒ Observe that both the maximal trace semantics of Sec. 4.1 and the above bifini- tary relational semantics of Sec. 5 define the semantics of a term that “goes wrong” as empty. The above big-step bifinitary relational semantics = is equivalent but not iden- ⇒ tical to the standard big-step semantics which bifinitary generalization would be

a = λ x . c, b = v, c[x v]= r v = v, v V ⇒ ⇒ ← ⇒ , v, v V, ⇒ ∈ ∈ ab= r r V ⇒ ∈ ∪{⊥} a = a = v, b = ⇒⊥ ⇒ ⇒⊥ , v V ab= ab= ∈ ⇒⊥ ⇒⊥ We have chosen to break evaluations of applications in smaller chunks instead so as to enforce evaluation of the function before that of the arguments and to make explicit the reduction step in the trace semantics.

6 Abstraction of the big-step trace semantics into the small-step operational semantics of the call-by-value λ-calculus

The one-step reduction semantics abstracts the trace semantics by collecting all transitions along any trace. The small-step abstraction of traces is

αs ℘(T∞) ℘(T T) ∈ → × αs(S) , σi,σi+1 σ S 0 6 i i +1< σ . { | ∈ ∧ ∧ | |} Since the bifinitary trace semantics is suffix-closed, we can also use

α ℘(T∞) ℘(T T) ∈ → × α(S) , σ0,σ1 σ S σ > 1 { | ∈ ∧| | } 35 P. Cousot & R. Cousot

so that we have αs(S)=α(S) whenever S is suffix-closed. By defining ℘(T∞) to be the set of suffix-closed and blocking subsets of T∞ and γ(τ) to be the set of maximal traces generated by the transition relation τ ℘(T T) that is ∈ × + + γ (τ) , σ T i< σ : σi,σi+1 τ a T : σ< σ 1, a τ { ∈ |∀ | |  ∈ ∧∀ ∈  | |−  ∈ } ω ω γ (τ) , σ T i N : σi,σi+1 τ { ∈ |∀ ∈  ∈ } γ(τ) , γ+(τ) γω(τ) , ∪ we have γ ℘(T∞), ℘((T V) T), .  ⊆ −←−−−−−α−→ →−  \ × ⊆ 6.1 Small-step operational semantics The small-step operational semantics or transition semantics S is defined by α- overapproximation αs( S) = α( S) of the bifinitary trace semantics S.

(4) S , lfp⊆ f

f(τ) , (λ x . a) v, a[x v] a0 b, a1 b a0, a1 τ { ← } ∪ { | ∈ }∪ vb0, vb1 b0, b1 τ . { | ∈ } The rule-based presentation of (4) has a call-by-value β-reduction axiom plus two context rules for reducing under applications, corresponding to left-to-right evalua- tion [20]. a A b stands for a, b S. −  ∈

a0 A a1 b0 A b1 ((λ x . a) v) A a[x v] − − . − ← ⊆ ⊆ a0 b A a1 b vb0 A vb1 − −

The inductive definition of S can also be understood as co-inductive since lfp⊆ f = gfp⊆ f. We have α F γ ˙ f. Indeed α F γ ˙ f since a single transition ◦ ◦ ⊆ ◦ ◦ cannot anticipate whether the future computation can “go wrong”. For example ((λ x . x0) 0) A (00) f f(?) while ((λ x . x0) 0) A (00) α F γ − ∈ ◦ − ∈ ◦ ◦ ◦ α F γ(?) since there is no trace of the form σ ((λ x . x0) 0) (00) σ in ◦ ◦ • • • F γ α F γ(?). It follows that the small-step operational semantics or ◦ ◦ ◦ ◦ transition semantics S is sound but incomplete in that the set γ(S) of maximal traces generated by the transition relation S includes the bifinitary trace semantics S plus spurious traces for computations that can “go wrong” that is terminate with a runtime error e E. ∈ 7 Small-step maximal trace semantics of the call-by- value λ-calculus

The small-step maximal trace semantics ∞A of a transition relation A is defined − − as 36 P. Cousot & R. Cousot

n + A , σ T σ = n>0 i :06 i0  ω ω A , σ T i N : σi A σi+1 infinite execution traces − { ∈ |∀ ∈ − } + ω ∞A , A A maximal finite and diverging execution traces. − − ∪ − 7.1 Fixpoint small-step maximal trace semantics

To express the small-step maximal trace semantics ∞A in fixpoint form, let us define − the junction ; of set of traces as

, ω + S ; T S σ0 ... σ σ 2 σ σ S σ σ 1 = σ0 σ T , ∪{ • • | |− • | ∈ ∧ | |− ∧ ∈ } and the small-step set of traces transformer f ℘(T∞) ℘(T∞) ∈ → 2 (5) f (T ) , v T∞ v V A ; T { ∈ | ∈ }∪− describing small steps of computation. We have 

∞A = lfp f. − The big-step and small-step trace semantics are the same

S = ∞A . − 7.2 Rule-based small-step maximal trace semantics

The maximal trace semantics S = ∞A = lfp f where f is defined by (5)canbe − defined inductively with small-steps as

a A b, b σ S − • ∈ v S, v V ∈ ∈ a b σ S • • ∈ that is, writing a σ for σ S and σ0 = a ⇒⇒ ∈  a A b, b σ − ⇒⇒ v v, v V ⇒⇒ ∈ a a σ ⇒⇒ •   8 Small-step bifinitary relational semantics of the call- by-value λ-calculus

ñ The bifinitary relational semantics was defined as S , α( S) (where α is the relational abstraction of sets of traces (3)) and given in big-step form in Sec. 5.Itcanbe 37 P. Cousot & R. Cousot given in small-step form by abstraction of the small-step bifinitary maximal trace semantics of Sec. 7.1.

8.1 Fixpoint small-step bifinitary relational semantics ñ The bifinitary relational semantics S , α( S)=α(lfp f ) can be defined in fixpoint ñ ñ form as lfp f where the small-step transformer f ℘(T (T )) ℘(T (T ∈ × ∪{⊥} → × ∪ )) is {⊥} ñ f (R) , v, v v V { | ∈ }∪ (λ x . a) v,r v V a[x v],r R { | ∈ ∧ ← ∈ }∪ a0 b,r a0 A a1 a1 b,r R { | − ∧ ∈ }∪ vb0,r b0 A b1 vb1,r R . { | − ∧ ∈ }

8.2 Rule-based small-step bifinitary relational semantics ñ The bifinitary rule-base form is (a b stands for a, b S and r V ) ⇒⇒  ∈ ∈ ∪{⊥}

a A b, b r − ⇒⇒ v v, v V ⇒⇒ ∈ a r ⇒⇒ 9Conclusion

Divergence/nonterminating behaviors are needed in static program analysis [18]or typing [3,15]. Such divergence information is part of the classical order-theoretic fix- point denotational semantics [17] but not explicit in small-step/abstract-machine- based operational semantics [19,20,21] and absent of big-step/natural operational semantics [12]. A standard approach is therefore to generate an execution trace se- mantics from a (labelled) transition system/small-step operational semantics, using either an order-theoretic [4] or metric [23] fixpoint definition or else a categorical definition as a final coalgebra for a behaviour functor (modeling the transition re- lation) up to a weak bisimulation [11,14,22] or using an equational definition for recursion in an order-enriched category [13]. However, execution traces are not al- ways at an appropriate level of abstraction. Finite and infinite behaviors can be both handled by SOS when extended to bi-inductive structural bifinitary small/big-step trace/relational/operational semantics. Sound (and sometimes complete) abstrac- tions are essential to establish this hierarchy of semantics [4]. This should satisfy the need for formal finite and infinite semantics, at various levels of abstraction and us- ing various equivalent presentations (fixpoints, equational, constraints and inference rules) needed in static program analysis.

Acknowledgements We thank the anonymous referees for their helpful comments and suggestions. 38 P. Cousot & R. Cousot

References

[1] P. Aczel. An introduction to inductive definitions. In J. Barwise, editor, Handbook of Mathematical Logic,volume90ofStudies in Logic and the Foundations of Mathematics, pages 739–782. Elsevier, 1977.

[2] I. Attali, J. Chazarain, and S. Gilette. Incremental evaluation of natural semantics specifications. In M. Bruynooghe and M. Wirsing, editors, Proc. 4th Int. Symp. PLILP ’92, Leuven, BE, 26–28 Aug. 1992, LNCS 631, pages 87–99. Springer, 1992.

[3] P. Cousot. Types as abstract interpretations, invited paper. In 24th POPL, pages 316–331, Paris, FR, Jan. 1997. ACM Press.

[4] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theoret. Comput. Sci., 277(1—2):47–103, 2002.

[5] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 6th POPL, pages 269–282, San Antonio, TX, 1979. ACM Press.

[6] P. Cousot and R. Cousot. Abstract interpretation frameworks. J. Logic and Comp., 2(4):511–547, Aug. 1992.

[7] P. Cousot and R. Cousot. Inductive definitions, semantics and abstract interpretation. In 19th POPL, pages 83–94, Albuquerque, NM, US, 1992. ACM Press.

[8] P. Cousot and R. Cousot. Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game-theoretic form, invited paper. In P. Wolper, editor, Proc. 7th Int. Conf. CAV ’95, Liège, BE, LNCS 939, pages 293–308. Springer, 3–5 Jul. 1995.

[9] Th. Despeyroux. TYPOL: a formalism to implement natural semantics. Tech. rep. RT-0094, INRIA Sophia Antipolis, Mar. 1988.

[10] C.A.R. Hoare. An axiomatic basis for computer programming. Comm. ACM, 12(10):576–580, Oct. 1969.

[11] B. Jacobs and J. Rutten. A tutorial on (co)algebras and (co)induction. EATCS Bulletin, 62:222–269, 1997.

[12] G. Kahn. Natural semantics. In K. Fuchi and M. Nivat, editors, Programming of Future Generation Computers, pages 237–258. Elsevier, 1988.

[13] B. Klin. Adding recursive constructs to bialgebraic semantics. J. Logic and Alg. Prog., 60-61:259–286, Jul.–Dec. 2004.

[14] B. Klin. Bialgebraic methods in structural operational semantics. ENTCS, 175(1):33–43, May 2007.

[15] X. Leroy. Coinductive big-step operational semantics. In P. Sestoft, editor, Proc. 15th ESOP ’2006, Vienna, AT, LNCS 3924, pages 54–68. Springer, 27–28 Mar. 2006.

[16] R. Milner. Operational and algebraic semantics of concurrent processes. In J. van Leeuwen, editor, Formal Models and Semantics, volume B of Handbook of Theoretical Computer Science, chapter 19, pages 1201–1242. Elsevier, 1990.

[17] P.D. Mosses. Denotational semantics. In J. van Leeuwen, editor, Formal Models and Semantics, volume B of Handbook of Theoretical Computer Science, chapter 11, pages 575–631. Elsevier, 1990.

[18] A. Mycroft. The theory and practice of transforming call-by-need into call-by-value. In B. Robinet, editor, Proc. 4th Int. Symp. on Programming, Paris, FR, 22–24 Apr. 1980, LNCS 83, pages 270–281. Springer, 1980.

[19] G.D. Plotkin. A structural approach to operational semantics. Technical Report DAIMI FN-19, Aarhus University, DK, Sep. 1981.

[20] G.D. Plotkin. The origins of structural operational semantics. J. Logic and Alg. Prog., 60–61:3–15, Jul.–Dec. 2004.

[21] G.D. Plotkin. A structural approach to operational semantics. J. Logic and Alg. Prog., 60–61:17–139, Jul.–Dec. 2004.

[22] D. Turi and G.D. Plotkin. Towards a mathematical operational semantics. In Proc. 12th LICS ’1997, pages 280–291, Warsaw, PL, 29 June – 2 Jul. 1997. IEEE Comp. Soc. Press.

[23] F. van Breugel. An introduction to metric semantics: operational and denotational models for programming and specification languages. Theoret. Comput. Sci., 258:1–98, 2001.

39 SOS 2007 Preliminary Version

Simulations up-to and Canonical Preorders (extended abstract)

David de Frutos Escrig1 ,3

Departamento de Sistemas Inform´aticos y Computaci´on Universidad Complutense de Madrid Madrid, Spain Carlos Gregorio Rodr´ıguez2 ,4

Departamento de Sistemas Inform´aticos y Computaci´on Universidad Complutense de Madrid Madrid, Spain

Abstract In this paper we define simulations up-to a preorder and show how we can use them to provide a coinductive, simulation-like, characterization of semantic preorders for processes. The result applies to a wide class of preorders, in particular to all semantic preorders coarser than the ready simulation preorder in the linear time-branching time spectrum. An interesting but unexpected result is that, when built from an equivalence relation, the simulation up-to is a canonical preorder whose kernel is the given equivalence relation. These canonical preorders have several nice properties, the main being that since all of them are defined in a homogeneous way, their properties can be proved in a generic way. In particular, we present an axiomatic characterization of each of these canonical preorders, that is obtained just by adding a single axiom to the axiomatization of the original equivalence relation. This gives us an alternative axiomatization for every axiomatizable preorder in the linear time-branching time spectrum, whose correctness and completeness can be proved once and for all.

Keywords: processes, semantic preorders, simulations up-to, linear time-branching time spectrum.

1 Introduction and Related Work

Whenever a semantic framework is introduced to define the meaning of some kind of formal language, an equivalence relation is also introduced that equates two terms if they have the same semantics. Reciprocally, an equivalence relation provides a way to define an abstract semantics by associating to each term the equivalence class to which it belongs.

1 Partially supported by the Spanish MEC project DESAFIOS TIN2006-15660-C02-02 and the project PROMESAS-CAM S-0505/TIC/0407. 2 Partially supported by the Spanish MEC project WEST/FAST TIN2006-15578-C02. 3 Email: [email protected] 4 Email:[email protected] This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science De Frutos Escrig, Gregorio Rodr´ıguez

Process algebras have been largely used to specify and study the behaviour of reactive systems and have given rise to well known languages such as CSP, CCS or ACP. Many different semantics and their respective equivalence relations have been proposed for reactive systems. Most of them were collected in the linear time- branching time spectrum (ltbt for short), which was thoroughly studied by Van Glabbeek [9]. There he presented a nearly exhaustive collection of semantics, each of which was characterized by a natural testing scenario, a modal logic to identify the set of equivalent processes, and a finite axiomatization to compare any pair of finite processes. Bisimulation semantics is the strongest of all the equivalence semantics in the spectrum and also one of the most important. Bisimulation equivalence can be easily defined due to its coinductive flavour and thus coalgebraic techniques can be applied, which provides a fruitful alternative to the classic approach based on induction and continuity arguments. Besides, bisimilarity can be easily established by an efficient algorithm based on which several tools that can effectively check process bisimilarity [5] have been developed. Despite the fact that bisimulation has been thoroughly studied since it was proposed by David Park [21] (see [24] for a recent historic presentation on the subject), it is still the topic of quite a number of recent papers such as [17]. But sometimes bisimulation equivalence is too strong and many other interesting semantics weaker than bisimilarity have been proposed, most of them appearing in the ltbt spectrum. Traces, for instance, is the weakest reasonable semantics for processes. However, non-deterministic behaviours are not properly described by means of traces, since deadlock information is not accurately captured. Failure semantics were proposed in [12] to solve this problem. An even finer semantics is that defined by readiness. Failures and ready sets can be combined with traces, thus getting stronger semantics as described in [9]. Unfortunately, in general these equivalences cannot be so easily studied as the bisimulation semantics, mainly because of their lack of a direct coalgebraic defini- tion. However, it is possible to relate bisimulation and the rest of the semantics so that these coalgebraic techniques can be of use for their study. In [6] we have proved that all the semantics in the ltbt spectrum can be characterized as quotients of bisimulation. This is done by relaxing the proof obligations of bisimulation, so that when playing the new game the defender can modify the following transitions of the process when he makes his move, thus becoming easier to prove the corre- sponding equivalence. Preorders and equivalence relations are closely related, the latter being just a particular (symmetric) case of the former, while any preorder defines an induced equivalence relation by means of its kernel. Although semantics of processes are defined by equivalence relations, we need also order relations to compare non- equivalent processes that correspond to several order relations such as “is an im- plementation of” [3] , “is faster than” [16], or “has less amortised cost than” [14]. Besides, an order relation is also needed to specify continuity requirements in seman- tic domains, by means of which we can define the semantics of recursive processes. These orders have been thoroughly studied, and in particular they also appear in [9], where they are introduced using a classical testing approach: “given two pro-

41 De Frutos Escrig, Gregorio Rodr´ıguez cesses p and q, we have that p is better than q whenever p passes as many tests as q does”, following the ideas in [20,11]. In this paper we focus on the study of semantic preorders for processes and their coalgebraic characterization. We can find in [19,4] recursive definitions of testing semantics which can be considered a first step in the desired direction, but in both cases the authors used the after construction in their characterizations, which means a too global approach. Instead, we want a more local characterization where bisimulation steps solve the choices in the compared processes. One may think that this is not a difficult task given the results in [6] for process equivalences, but this is not the case: bisimulation is the strongest of the semantic equivalences and thus the idea of relaxing the bisimulation requirements allows, in principle, to get weaker equivalences. However, there exists no proper preorder whose kernel is the bisimulation equivalence; in fact, the simulation preorder (the most natural coinductively defined preorder) is not stronger than many of the semantic preorders in the ltbt spectrum and the equivalence relation it induces is much weaker than the bisimulation equivalence. Fortunately, we can overcome this handicap by reinforcing simulations, that is, by imposing some additional condition to be satisfied by the pairs of processes being related. In particular ready simulations [15,2] are simulations constrained by the condition that the set of initial actions of the processes should be the same; the ready simulation preorder is finer than any other finitely axiomatizable preorder in the ltbt spectrum. As we will see in the rest of the paper, we have indeed obtained coalgebraic char- acterizations of the preorders, together with interesting results relating equivalences and preorders, and therefore, bisimulations up-to with simulations up-to. One of these results was quite unexpected, but also extremely nice: for any equivalence relation (under sensible assumptions) there exists a canonical preorder (non-trivial, that is, different from the equivalence itself) whose kernel is the original equivalence relation. This is the cause behind many pleasant properties, in particular, we can obtain a complete axiomatization for finite processes for any of these canonical pre- orders from the axiomatization for the corresponding equivalences in a systematic way, so that completeness and correctness of these axiomatizations can be proved once and for all. Besides, for all of the equivalences coarser than the ready simu- lation in Van Glabbeek’s spectrum, our canonical preorders define the same order relations as the ones in the literature for those semantics. It has been a nice surprise to know that in [1] the authors 5 have found the way to establish the opposite relation between the axiomatizations of the preorders that are weaker than the ready simulation and those of the corresponding equivalences, for the semantics in the Van Glabbeek’s spectrum. We agree with them on the fact that is more natural to look for the axiomatization of the induced equivalence starting from that of a preorder, than the other way around. Nevertheless, it is also nice to have a canonical way to obtain a non-trivial preorder whose kernel is a given equivalence relation, as we have done.

5 We want to thank specially to Wan Fokkink for some useful indications, including those in the discussion on a previous version of this paper that is lengthly commented on in [1]. In fact, following the suggestions there we have slightly improved some of the results in this final version, so that you could find some inconsistencies between their comments and the printed text here. 42 De Frutos Escrig, Gregorio Rodr´ıguez

The rest of the paper is structured as follows. In Section 2 we introduce the basic definitions and notations on processes and preorders and we recall some results from [6]. In Section 3, we define simulations up-to and prove some results that characterize behaviour preorders with simulations up-to a preorder and simulations up-to an equivalence. These results are presented in two steps, first for preorders coarser than the simulation preorder and then for preorders coarser than the ready simulation, that require more elaborated proofs (although nice auxiliary results emerge). In Section 4 we shift the focus from preorders to equivalences and show some results that allow us to characterize equivalences as kernels of simulations up-to. Building on this, we characterize a canonical coinductive preorder whose kernel is a given equivalence relation. In Section 5, as an example of application of the theory developed in the paper, we provide alternative axiomatic definitions of the preorders in the linear time-branching time spectrum. The proof of their completeness is easy and simple, using the ideas of simulation up-to developed in the paper. Finally, in Section 6 we present some conclusions and lines for future work.

2 Preliminaries

The usual way to describe the behaviour of processes is by means of an opera- tional description. As usual, we provide it by using the well-established formalism of labelled transition systems, or LTS for short, introduced by Plotkin (reprinted in [22]). Definition 2.1 A labelled transition system is a structure T = (P, Act, →) where P is a set of processes, agents or states; Act is a set of actions; and →⊆ P×Act×P is a transition relation. A rooted LTS is a pair (T ,p0) with p0 ∈ P. The set Act denotes the alphabet of actions that processes can perform and the relation → describes the process transitions after the execution of actions. Any a triple hp,a,qi in the transition relation → is represented by p −→ q, indicating that process p performs action a and evolves into process q. A rooted LTS describes the semantics of a concrete process: that corresponding to its initial state p0. a Some usual notations on LTSs are used along the paper. We write p −→ if there a exists a process q such that p −→ q. The function I calculates the set of initial a actions of a process, I (p)= {a | a ∈ Act and p −→}. LTS’s for finite processes are just directed graphs which become finite trees 6 if expanded. These finite trees can be syntactically described by the basic process algebra BCCSP, which was also used, for instance, in [9,6]. Definition 2.2 Given a set of actions Act, the set of BCCSP processes is defined by the following BNF-grammar:

p ::= 0 | ap | p + q where a ∈ Act. 0 represents the process that performs no action; for every action

6 We obtain a tree if we generate the states on the fly introducing a new state for each transition generated by the application of the rules defining the operational semantics, see for instance [18]. 43 De Frutos Escrig, Gregorio Rodr´ıguez in Act, there is a prefix operator; and + is a choice operator. All the definitions we present in the paper are valid for arbitrary processes, that is, for arbitrary rooted LTSs, either finite or infinite. The proofs that we provide in Sections 3 and 4 make extensive use of inductive reasoning and therefore they are only valid for BCCSP processes, that is, for finite processes. However, as we did in [6], by using the standard Approximation Induction Principle [8], we can extend all our results first to infinite depth finitary branching tree processes, and then to arbitrary finitely branching transition systems, since by unfolding any of them we can get an equivalent finitary tree process. The operational semantics for the BCCSP terms is defined in Figure 1. The depth of a BCCSP process is the depth of the tree it denotes.

a ′ a ′ a p −→ p q −→ q ap −→ p a a p + q −→ p′ p + q −→ q′

Fig. 1. Operational Semantics for BCCSP Terms

Trailing occurrences of the constant 0 are omitted: we write a instead of a0. As usual (see for instance [9]), since the operational semantics of choice defines it as a commutative and associative operator, and any other semantics in which we are interested is based on that, we can use the n-ary choice operator P to write i any process as Pa Pi apa. This corresponds to the transition tree of each process, and the fact that we use sets as indexes makes that operator commutative and associative by definition. a A process aq′ is an a-summand of the process q if and only if q −→ q′. We define p|a as the (sub)process we get by adding all the a-summands of p. That is, i i if p = Pa Pi apa, then p|a = Pi apa. Preorders are reflexive and transitive relations that we represent by ⊑. For the sake of simplicity, we use the symbol ⊒ to represent the preorder relation ⊑−1. Every preorder induces an equivalence relation that we denote by ≡, that is p ≡ q if and only if p ⊑ q and q ⊑ p. Definition 2.3 A preorder relation ⊑ over processes is a behaviour preorder if • it is weaker than the bisimulation equivalence, i.e. p =B q ⇒ p ⊑ q, • and it is a precongruence with respect to the prefix and choice operators, i.e. if p ⊑ q then ap ⊑ aq and p + r ⊑ q + r. Table 1, borrowed from [9], shows a complete axiomatization for some of the semantics in the ltbt spectrum, with the corresponding axioms for each preorder (column) marked with “+”. Axioms marked with “v” are satisfied but not required. The shorthands on top of the columns refer to the different semantics, B stands for bisimulation equivalence, and similarly for the rest of the preorders that appear on the linear time-branching time spectrum. The first four axioms on top left of Table 1 characterize bisimulation equivalence. They also belong to any other axiomatic characterization and therefore are assumed and usually omitted when talking about other semantics with less discriminatory 44 De Frutos Escrig, Gregorio Rodr´ıguez

B RS PW RT FT R F CS CT S T (x + y)+ z = x + (y + z) + + + + + + + + + + + x + y = y + x + + + + + + + + + + + x +0= x + + + + + + + + + + + x + x = x + + + + + + + + + + + ······································· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· ax ⊑ ax + ay + + + + + + v v v v a(bx + by + z)= a(bx + z)+ a(by + z) + v v v v v v I(x)= I(y) ⇒ ax + ay = a(x + y) + v v v v v ax + ay ⊒ a(x + y) + v v v a(bx + u)+ a(by + v) ⊒ a(bx + by + u) + v v v ax + a(y + z) ⊒ a(x + y) + v v ······································· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· ax ⊑ ax + y + + v v a(bx + u)+ a(cy + v)= a(bx + cy + u + v) + v ······································· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· ··· x ⊑ x + y + + ax + ay = a(x + y) + Table 1 Axiomatization for the Preorders in the Linear Time-Branching Time Spectrum I [9] power. We can see, for instance, that the ready simulation preorder is characterized by the four axioms of the bisimulation equivalence plus the axiom (RS) ax ⊑ ax+ay. Analogously, axioms for bisimulation together with axiom (S) x ⊑ x+y, characterize the simulation preorder. Let us conclude this preliminary section with some results about semantic equiv- alences. In [6] we introduced bisimulations up-to a preorder in order to weaken the definition of bisimulations in such a way that weaker equivalences could be captured by a coinductive definition. Definition 2.4 Let ⊑ be a behaviour preorder. Then a binary relation S over processes is a bisimulation up-to ⊑ if pSq implies that: a a • ′ ′ ′ ′ ′ ′ ′ For every a, if p −→ pa, then there exist q and qa, q ⊒ q −→ qa and paSqa; a a • ′ ′ ′ ′ ′ ′ ′ For every a, if q −→ qa, then there exist p and pa, p ⊒ p −→ pa and paSqa.

Two processes are bisimilar up-to ⊑, written p h⊑ q, if there exists a bisimulation up-to ⊑, S, such that pSq. The added capability introduced by the ⊑-reduction generalizes the original definition of bisimulation, so that we have now more chances of proving equivalence between processes. To understand the conditions in Theorem 2.6 below we need the following defi- nitions. Definition 2.5 A behaviour preorder ⊑ is initials preserving when p ⊑ q implies I(p) ⊆ I(q). It is action factorised (or just factorised) when p ⊑ q implies p|a ⊑ q|a, for all a ∈ I(p). Initials preservation and factorisation are properties that are satisfied by any “natural” process semantics, in particular by any of the behaviour preorders in the ltbt spectrum, from trace preorder to ready simulation preorder. Theorem 2.6 ([6]) Let ⊑ a behaviour preorder that is initials preserving, action 45 De Frutos Escrig, Gregorio Rodr´ıguez factorised and satisfies the axiom (RS), and ≡ the induced equivalence, we have that h⊑ and ≡ are the same relation. This result is rather general and applies to a wide class of process semantics. In particular, any of the preorders in Table 1 satisfies the conditions of the theorem. Therefore, for any of these semantic preorders the corresponding bisimulation up-to characterizes the induced equivalence. Corollary 2.7 ([6]) For every behaviour preorder ⊑ that is initials preserving, ac- tion factorised and satisfies the axiom (RS), we have ≡ = h⊑ = h≡. Although our results in [6] are quite promising, they do not provide a com- plete answer to the problem of finding coinductive characterizations of semantics for processes. Why? As we mentioned above, preorders are even more important than equivalences for defining semantics of process algebras, and therefore it is also interesting to get coinductive characterizations for them.

3 Simulations Up-to a Preorder

When we first addressed the problem of finding coinductive characterizations for process equivalences we had a clear starting point: bisimulation equivalence. Bisim- ulation is the strongest equivalence and therefore by weakening its definition (Def- inition 2.4) we could obtain weaker semantics (Theorem 2.6). Finding out how to define coinductive characterizations for the semantic preorders is not such an easy task. We start by modifying the classical definition of simulation to get the following definition of simulations up-to a preorder. Definition 3.1 For ⊑ a behaviour preorder, we say that a binary relation S over processes is a simulation up-to ⊑, if pSq implies that: a a • ′ ′ ′ ′ ′ ′ ′ For every a, if p −→ pa there exist q and qa, q ⊒ q −→ qa and paSqa. We say that process p is simulated up-to ⊑ by process q, or that q simulates p up-to p ⊏ q S pSq ⊑, written ∼⊑ , if there exists a simulation up-to ⊑, , such that . ⊏ ⊏ For the sake of simplicity, we often just write ∼ instead of ∼⊑ when the behaviour preorder is clear from the context. Example 3.2 Let us consider the processes s = a(b(d + e)+ cd) and t = abf + a(be + bd + cd). It is clear that for the simulation preorder we have s 6⊑S t because after executing ab in s we arrive to a state in which the choice d + e is possible, but after executing ab in t it is not. By contrast, for the trace preorder we clearly have s ⊑T t, since the set of traces of s, {abd, abe, acd}, is included in the set of traces of t,{abf, abe, abd, acd}). Let us see how we could check that s ⊏ t, by constructing the corresponding simulation ∼⊑T up-to ⊑T . If process s performs action a and arrives to s′ = b(d+e)+cd, then process t does not need to apply any preorder reduction, it just simulates the move by performing action a and evolving into t′ = be + bd + cd. Now we have to check that s′ ⊏ t′: ∼⊑T if s′ performs action c then t′ can trivially emulate that move arriving to the same state. The only non trivial case to check happens when s′ performs action b and 46 De Frutos Escrig, Gregorio Rodr´ıguez evolves into d + e. In that case, t′ should take advantage of the possibility of trace ′ reduction, t ⊒T b(e + d)+ cd, and then action b is executed to arrive to d + e as well, thus completing the verification of the simulation up-to obligations. Certainly, if we know in advance that s ⊑T t, we could directly reduce t into s when checking s ⊏ t, but what we want to illustrate here is how we would use ∼⊑T in practice our coalgebraic characterization: we do not want to use any complicate information about the corresponding order, ⊑T in this case, but only some easier to obtain pairs of the relation, as we have done when reducing t′ above. The next result shows that simulations up-to are correct with respect to the corresponding base preorder. p q p ⊏ q Proposition 3.3 For every preorder ⊑, if ⊑ then ∼⊑ . The next theorem states the completeness of the definition of simulations up- to a preorder with respect to any preorder satisfying the axiom (S), i.e., for any preorder that is weaker than the simulation preorder, ⊑S. Theorem 3.4 For every behaviour preorder ⊑ that satisfies the axiom (S), we have p ⊏ q p q ∼⊑ if and only if ⊑ . S ⊏ ⊏ Note that the given preorder must satisfy the axiom ( ), since we have ⊑S=∼∅⇒∼⊑. Theorem 3.4 characterizes semantic preorders in the same way that semantic equivalences were characterized in Theorem 2.6, though in both cases we use pre- orders for the up-to relation. It would be nice to have a dual characterization where the equivalences were used to characterize the semantic preorder. That is indeed possible, as stated in the following proposition. Proposition 3.5 For every behaviour preorder ⊑ that satisfies the axiom (S), we p q p ⊏ q have that ⊑ ⇒ ∼≡ . Corollary 3.6 For every behaviour preorder ⊑ that satisfies the axiom (S), we ⊏ ⊏ have that the relations ⊑, ∼⊑ and ∼≡ are the same. Considering both bisimulations and simulations up-to we can draw the diagram of equivalences in the following corollary. Corollary 3.7 For every behaviour preorder ⊑ that satisfies the axiom (S) the following equivalences hold:

p ≡ q ⇔ p h⊑ q ⇔ p h≡ q ⇔ ⇔ ⇔

p q p q p ⊏ q p ⊐ q p ⊏ q p ⊐ q ⊑ ∧ ⊒ ⇔ ∼⊑ ∧ ∼⊑ ⇔ ∼≡ ∧ ∼≡

Considering the semantics in the ltbt spectrum, (only) trace and simulation pre- orders (see Table 1) satisfy the axiom (S) and thus fulfil the hypothesis of Corol- lary 3.7. Therefore, in both cases mutual simulation up-to and bisimulation up-to define the same equivalence relation as the kernel of the preorder. Thus we pro- vide two alternative characterizations of each of these preorders and four alternative characterizations of the induced equivalences. 47 De Frutos Escrig, Gregorio Rodr´ıguez

These results, although interesting, fall short of the generality that we achieved ⊏ in [6]. This limitation comes from the fact that the definition of ∼ is based on the simulation semantics, that has a rather weak discriminatory power. In order to get more general results, similar to those in Theorem 3.4, for other stronger semantics such as failures or readiness, we need to add more discriminating power to the simulations we start from. The ready simulation semantics is stronger than any other of the axiomatized semantics in [9]. It will serve as the basis to define an stronger notion of simulation up-to. ¿From now on, we will consider the binary relation I defined over pairs of processes by pIq ⇔ I (p)= I (q). Definition 3.8 For ⊑ a behaviour preorder, we say that a binary relation S over processes is an I -simulation up-to ⊑, if S ⊆ I (that is, pSq ⇒ pIq), and S is a simulation up-to ⊑. Or, equivalently, in a coinductive way, whenever we have pSq, we also have: a a • ′ ′ ′ ′ ′ ′ ′ For every a, if p −→ pa there exist q ,qa such that q ⊒ q −→ qa and paSqa; • pIq. We say that process p is I-simulated up-to ⊑ by process q, or that process q I p p ⊏I q I -simulates process up-to ⊑, written ∼⊑ , if there exists an -simulation up-to ⊑, S, such that pSq. ⊏I ⊏I For the sake of simplicity, we sometimes just write ∼ instead of ∼⊑ when the behaviour preorder is clear from the context. The following proposition relates a behaviour preorder with the corresponding I-simulation up-to. I p q p ⊏I q Proposition 3.9 For every preorder ⊑ such that ⊑⊆ , if ⊑ then ∼⊑ . Now we can use I-simulations up-to to prove a similar result to that in Theo- rem 3.4 for semantic preorders with more discriminating power. Note that a pair of processes related by any preorder relation ranging from failure preorder to ready simulation preorder (see Table 1) in the ltbt spectrum satisfies the I condition. Theorem 3.10 For every behaviour preorder ⊑ verifying the axiom (RS) and ⊑ I p ⊏I q p q ⊆ , we have ∼⊑ if and only if ⊑ . RS ⊏I ⊏I Note that the given preorder must satisfy the axiom ( ), since ⊑RS=∼∅⇒∼⊑, where ⊑RS is the ready simulation preorder. We also need the second proviso I ⊏I I ⊑⊆ , because we always have ∼⊑⊆ . The original technique of bisimulation up-to in the works by Milner and San- giorgi [18,23] aims to decrease the size of the relations that prove that two processes are bisimilar. Without going into detail, it is possible to use a small (known) part of the bisimilarity relation to generate other less obvious bisimilar pairs. Our (bi)simulations up-to can be used exactly in the same way: by using a part of the ⊏I relation ⊑ we can generate, via ∼⊑, other pairs in the relation. Next we will see that we can also characterize a preorder in terms of simulation up-to its kernel equivalence, so that the characterized preorder disappears from the definition of the characterizing one. We first present an auxiliary result relating a preorder with the induced equivalence relation. In our opinion this result, even if

48 De Frutos Escrig, Gregorio Rodr´ıguez rather simple, is quite interesting by itself. Lemma 3.11 For every behaviour preorder ⊑ verifying the axiom (RS) and that is either action factorised or weaker than I, we have that p ⊑ q ⇒ q ≡ q + p. All the preorders defining the semantics in the ltbt spectrum that are coarser than the ready simulation satisfy the hypothesis of this lemma, since all of them are action factorised. We have also considered the other alternative proviso in order to get a more general result. Besides, it is interesting to note that the converse of the previous result is not true in general. In order to have it we need to impose an additional condition. Proposition 3.12 For every behaviour preorder ⊑ verifying the axiom (RS) and ⊑⊆ I, we have that p ⊑ q ⇔ q ≡ q + p ∧ pIq. Although we will not use the previous result in this section, it is a clear inspiration for one of the main results in Section 4, namely Corollary 4.7. By using Lemma 3.11 we can now easily prove the following result. Proposition 3.13 For every behaviour preorder ⊑ verifying the axiom (RS) and I p q p ⊏I q ⊑⊆ , we have ⊑ ⇒ ∼≡ . The following corollaries summarize the previous results. Corollary 3.14 For every behaviour preorder ⊑ verifying the axiom (RS) and ⊑ I ⊏I ⊏I ⊆ , we have that the relations ⊑, ∼⊑ and ∼≡ are the same. Corollary 3.15 For every behaviour preorder ⊑ verifying the axiom (RS) and ⊑ ⊆ I, the following equivalences hold:

p ≡ q ⇔ p h⊑ q ⇔ p h≡ q ⇔ ⇔ ⇔

p q p q p ⊏I q p ⊐I q p ⊏I q p ⊐I q ⊑ ∧ ⊒ ⇔ ∼⊑ ∧ ∼⊑ ⇔ ∼≡ ∧ ∼≡

Corollaries 3.14 and 3.15 apply to a wide class of process preorders. Considering the ltbt spectrum, any behaviour preorder between failure and ready simulation satisfies the conditions and therefore we can apply these results to them. There- fore, Corollary 3.15 provides for any of the preorders between failure and ready simulation, and the corresponding equivalences, a characterization both in terms of bisimulation-like relations and in terms of mutual simulation-like relations. In fact, from our results about simulations up-to we can now prove in an indirect way Theorem 2.6, that was our main result in [6]. • Corollary 3.7 is true for any preorder satisfying axiom (S), in particular, for trace and simulation preorders in the ltbt spectrum. • Corollary 3.15 can be applied to any behaviour preorder satisfying (RS) and such that p ⊑ q ⇒ I(p) = I(q), in particular, this is the case for the preorders in the ltbt spectrum between failure preorder and ready simulation preorder, as one can immediately conclude looking at the defining axioms in Table 1. • There are only two other semantics in the linear time-branching time spectrum, 49 De Frutos Escrig, Gregorio Rodr´ıguez

completed trace and completed simulation, whose preorders satisfy neither the conditions of Corollary 3.7 nor those of Corollary 3.15. However, for these pre- orders the corresponding results can be easily proved by restricting the simulation by means of the relation CI given by I (p) = ∅ ⇔ I (q) = ∅, and defining CI- ⊏CI simulations up-to ⊑, that induce the order relation ∼⊑ . As a matter of fact, in this case the results would be true for any behaviour preorder satisfying the (CS) axiom, ap ⊑ ap + q. Theorem 2.6 imposes to the preorders the condition of being initials preserving and action factorised and the result is valid for any behaviour preorder satisfying the axiom (RS). By contrast, when using simulations up-to we do not need to ask for action factorisation, while initials preservation was only assumed when we imposed ⊑⊆ I, in Corollary 3.15. Therefore to obtain our results we have classified the semantic preorders in the ltbt spectrum in three different slices. These slices are separated in Table 1 by dotted lines. Each slice corresponds, respectively, to any of the axioms (S), (CS) and (RS).

4 Simulations Up-to an Equivalence

All the results we have presented in the previous sections are based on the existence of a semantic preorder which satisfies certain properties. In many cases, these results relate a given preorder and its induced equivalence. However, as we will show in this section, the technique of simulations up-to produces some interesting results even if we do not have such a preorder to start with. As we have discussed at the end of Section 3 the results for simulations up-to come in slices determined by the basic class of simulations we consider in each case. In this section we just state and prove the most difficult case, that corresponding to the slice determined by the ready simulation semantics. To start with, we extend the definition of behaviour preorder to equivalence relations in a natural way. Definition 4.1 An equivalence relation ≡ over processes is a behaviour equivalence when it is weaker than bisimulation equivalence, i.e. p =B q ⇒ p ≡ q, and it is a congruence with respect to the prefix and choice operators, i.e. if p ≡ q then ap ≡ aq and p + r ≡ q + r. We will be specially interested in all the behaviour equivalences coarser than the ready simulation equivalence. They are those that satisfy the following axiom:

(RS≡) I (x)= I (y) ⇒ a(x + y) ≡ a(x + y)+ ay

In Table 2 a complete axiomatization for the semantic equivalences in the ltbt spectrum can be found. The first result that we present relates I-simulations up-to and equivalences, and the application of choice to the processes related by it.

Lemma 4.2 For every behaviour equivalence ≡ satisfying (RS≡) and ≡ ⊆ I, we p ⊏I q q q p have that ∼≡ ⇒ ≡ + . 50 De Frutos Escrig, Gregorio Rodr´ıguez

Now we can state and prove the characterization of a given equivalence relation by means of the corresponding simulations up-to.

Theorem 4.3 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, we p q p ⊏I q p ⊐I q have ≡ ⇔ ∼≡ ∧ ∼≡ . As a consequence, we also get a characterization of the equivalences in terms of bisimulations up-to.

Corollary 4.4 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, we p q p ⊏I q p ⊐I q p q have ≡ ⇔ ∼≡ ∧ ∼≡ ⇔ h≡ . The characterization in Theorem 4.3 tells us that any behavior equivalence can be defined by means of simulations up-to. Besides, and this is even more important, in this way a preorder is defined whose kernel is the original equivalence. Moreover, this preorder satisfies some interesting properties.

Proposition 4.5 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, ⊏I RS ⊏I I we have that ∼≡ is a behaviour preorder that satisfies ( ), ∼≡⊆ , and whose kernel is ≡. As a consequence, given an equivalence, we have a way to characterize a partic- ular preorder whose kernel is that equivalence.

Theorem 4.6 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, the ⊏I RS preorder ∼≡ is the only behaviour preorder that satisfies ( ) and is contained in I, whose kernel is ≡. ⊏I This means that ∼≡ is the canonical preorder generated by ≡ fulfilling all the conditions above. This canonical preorder can be characterized in a simple way in terms of the corresponding equivalence and the condition I that all of them satisfy.

Corollary 4.7 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, the preorder defined as p ⊑ q ⇔ q ≡ q + p ∧ I(p)= I(q) is another characterization of the canonical preorder generated by ≡. It is nice to find out that the “classical” preorders that appear in the literature for the different semantics in the linear time-branching time spectrum coincide with our canonical preorders. Corollary 4.8 For every semantic equivalence ≡ in the ltbt spectrum between fail- ure equivalence and the ready simulation equivalence, the corresponding preorder ⊑ is the canonical preorder generated by the given equivalence ≡. Quite a number of results follow from the previous propositions and announce a rich underlying algebraic theory. We would like to point out the following ones:

Corollary 4.9 For every behaviour equivalence ≡ that satisfies the property (RS≡) ⊏I ⊏I I I I and ≡⊆ , we have ≡ = h⊏ , and ∼≡ = ∼⊏ . ∼ ∼ ≡ ≡ To conclude this section we would like to comment on the results in our Corol- laries 4.7 and 4.8. There are several preorders whose kernels are a given behaviour equivalence. Amongst them we have the canonical preorder, as defined above, the equivalence itself, or the so called canonical preorder in terms of lattice theory,

51 De Frutos Escrig, Gregorio Rodr´ıguez that is defined as p ⊑′ q ⇔ q ≡ q + p. It can be seen that ⊑′ is not the same as our canonical preorder, which here we will just denote by ⊑, for all the behaviour equivalences satisfying the hypothesis of Theorem 4.6. For instance, for the preorders induced by the ready simulation equivalence we have 0 ⊑′ p for any process p, but if p 6= 0 then 0 6⊑ p. Applying Corollary 4.7 we have that p ⊑ q ⇔ p ⊑′ q ∧ I(p) = I(q), therefore the only difference between ⊑ and ⊑′ is in the set of initial actions of the processes, but this is crucial to get the characterization of the corresponding preorders in Corollary 4.8.

5 A Few Results on Axiomatic Characterizations

As an example of the possibilities that the up-to technique offers, in this section we prove some results on the axiomatic characterization of behaviour preorders. Corollary 3.14 states that a behaviour preorder (under some conditions) can I ⊏I be characterized by the -simulation up-to the kernel of that preorder, ⊑ = ∼≡. This result suggested to us the possibility of finding an axiomatization for the pre- order from that of the equivalence. More concretely, if AE is a set of axioms that characterizes a given equivalence ≡, we can easily define an axiomatization for the ⊏I canonical preorder ∼≡. The new set of axioms can be obtained by just adding the (RS) axiom to the axioms for the equivalence: AP = AE ∪ {ax ⊑ ax + ay}. We formalise this in the following theorem.

Theorem 5.1 For every behaviour equivalence ≡ satisfying (RS≡) and ≡⊆ I, for which we have an axiomatization AE, we have that AP = AE ∪ {ax ⊑ ax + ay} is ⊏I an axiomatization of the relation ∼≡.

B RS PW RT FT R F CS CT S T (x + y)+ z = x + (y + z) + + + + + + + + + + + x + y = y + x + + + + + + + + + + + x +0= x + + + + + + + + + + + x + x = x + + + + + + + + + + + I(x)= I(y) ⇒ a(x + y) = a(x + y)+ ay + v v v v v v v v v a(bx + by + z)= a(bx + z)+ a(by + z) + v v v v v v I(x)= I(y) ⇒ ax + ay = a(x + y) + + v v v v ax + ay = ax + ay + a(x + y) + v v v a(bx + u)+ a(by + v)= a(bx + by + u)+ a(by + v) + + v v ax + a(y + z)= ax + a(x + y)+ a(y + z) + v v a(x + by + z)= a(x + by + z)+ a(by + z) + v v v a(bx + u)+ a(cy + v) = a(bx + cy + u + v) + v a(x + y) = a(x + y)+ ay + v ax + ay = a(x + y) +

Table 2 Axiomatization for the Equivalences in the Linear Time-Branching Time Spectrum I [9]

We can directly apply Theorem 5.1 to those equivalences in the ltbt spectrum that satisfy the right conditions. In Table 2 appears an axiomatization for the equivalences of the ltbt spectrum. From these axioms we can define an alternative axiomatization of the preorders in Table 1.

52 De Frutos Escrig, Gregorio Rodr´ıguez

Corollary 5.2 Let us consider O ∈ {F,R,FT,RT,PW,RS}, we have a finite ax- iomatization for the preorders ⊑O just by adding the axiom (RS) to the axioms for ≡O. It is interesting to note that in [9], to prove the completeness of the axiomati- zations in Table 1 elaborated proofs were needed, whereas here we get all these completeness results, once for all, based on the completeness of the axiomatization of the corresponding equivalence.

6 Conclusions and Future Work

In this paper we have introduced the notion of simulation up-to by means of which we have got coalgebraic characterizations of semantic preorders. In particular we have characterized all the preorders associated to the semantics in the linear time- branching time spectrum, in a similar way to the corresponding characterizations of the semantic equivalences using bisimulations up-to [6]. Besides, we have obtained several new results connecting semantic preorders with the corresponding equivalences, and also some others relating bisimulations up-to with mutual simulations up-to. In fact, for large families of semantics, in- cluding those in the ltbt spectrum coarser than ready simulation, the results for bisimulations up-to arose as a corollary for the corresponding ones for simulations up-to (see Corollaries 3.7 and 3.15). A rather unexpected result was that given an equivalence relation we can obtain a canonical preorder whose kernel is precisely the equivalence relation, by means of the simulation up-to it. It is clear that we can obtain the same equivalence as the kernel of many different preorders, but now we can distinguish among them a canonical preorder which can be defined in a systematic way and has some interest- ing properties that come from the homogeneous way in which it was defined. It is nice to find that for all the semantics in the ltbt spectrum the so obtained canonical preorders are the same as the ones we already knew from the literature. As a consequence of our characterization we have discovered new properties that provide us with new proof techniques to produce generic proofs valid for all these canonical preorders. In particular, we have obtained an axiomatization of the canonical preorder from the axiomatization of the corresponding equivalence. Besides, we plan to continue with our work relating bisimulations and simu- lations, and we are particularly interested in translating our results to the pure coalgebraic world, comparing them to those presented by Hughes and Jacobs in [13] and Hasuo in [10]. Some related steps in this direction already appeared in [7], where we present several bisimulation-like semantics for distributed systems that can be formalised as categorical simulations, and therefore inherit all their nice coalgebraic properties.

Acknowledgements

We would like to express our gratitude to Miguel Palomino for all his comments on a previous version of this paper. 53 De Frutos Escrig, Gregorio Rodr´ıguez

References

[1] Luca Aceto, Wan Fokkink, and Anna Ing´olfsd´ottir. Ready to preorder: get your BCCSP axiomatization for free! In Proc. 2nd Conference on Algebra and Coalgebra in Computer Science - CALCO’07, volume to appear of Lecture Notes in Computer Science. Springer, 2007. [2] Bard Bloom, Sorin Istrail, and Albert R. Meyer. Bisimulation can’t be traced. Journal of the ACM, 42(1):232–268, 1995.

[3] E. Brinksma. A theory for the derivation of tests. In Protocol Specification, Testing and Verification VIII, pages 63–74. North Holland, 1988. [4] Rance Cleaveland and Matthew Hennessy. Testing equivalence as a bisimulation equivalence. Formal Aspects of Computing, 3:1–21, 1992. [5] Rance Cleaveland, Joachim Parrow, and Bernhard Steffen. The concurrency workbench: a semantics- based tool for the verification of concurrent systems. ACM Trans. Program. Lang. Syst., 15(1):36–72, 1993. [6] David de Frutos-Escrig and Carlos Gregorio-Rodr´ıguez. Bisimulations up-to for the linear time- branching time spectrum. In CONCUR 2005 - Concurrency Theory, 16th International Conference, volume 3653 of Lecture Notes in Computer Science, pages 278–292. Springer, 2005. [7] David de Frutos-Escrig, Fernando Rosa-Velardo, and Carlos Gregorio-Rodr´ıguez. New bisimulation semantics for distributed systems. In FORTE 2007, volume to appear of Lecture Notes in Computer Science. Springer, 2007. [8] Rob J. van Glabbeek. Bounded nondeterminism and the approximation induction principle in process algebra. In STACS 87, volume 247 of Lecture Notes in Computer Science, pages 336–347. Springer, 1987. [9] Rob J. van Glabbeek. Handbook of Process Algebra, chapter The Linear Time – Branching Time Spectrum I: The Semantics of Concrete, Sequential Processes, pages 3–99. Elsevier, 2001. [10] Ichiro Hasuo. Generic forward and backward simulations. In International Conference on Concurrency Theory (CONCUR 2006), volume 4137 of Lecture Notes in Computer Science, pages 406–420. Springer, Berlin, 2006. [11] Matthew Hennessy. Algebraic Theory of Processes. MIT Press, 1988.

[12] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.

[13] Jesse Hughes and Bart Jacobs. Simulations in coalgebra. Theoretical Computer Science, 327(1–2):71– 108, 2004. [14] Astrid Kiehn and A. Arun-Kumar. Amortised bisimulations. In Formal Techniques for Networked and Distributed Systems-FORTE 2005, volume 3235 of Lecture Notes in Computer Science, pages 320–334. Springer, 2005. [15] Kim G. Larsen and Arne Skou. Bisimulation through probabilistic testing. Information and Computation, 94(1):1–28, 1991.

[16] Gerald L¨uttgen and Walter Vogler. Bisimulation on speed: A unified approach. In FOSSACS 2005, volume 3341 of Lecture Notes in Computer Science, pages 79–94. Springer, 2005. [17] Massimo Merro and Matthew Hennessy. A bisimulation-based semantic theory of safe ambients. ACM Trans. Program. Lang. Syst., 28(2):290–330, 2006.

[18] Robin Milner. Communication and Concurrency. Prentice Hall, 1989.

[19] Rocco De Nicola. Extensional equivalences for transition systems. Acta Informatica, 24(2):211–237, 1987. [20] Rocco De Nicola and Matthew Hennessy. Testing equivalence for processes. In ICALP’83 – 10th International Colloquium on Automata, Languages and Programming, volume 154 of Lecture Notes in Computer Science, pages 548–560. Springer, 1983. [21] David M.R. Park. Concurrency and automata on infinite sequences. In Theoretical Computer Science, 5th GI-Conference, volume 104 of Lecture Notes in Computer Science, pages 167–183. Springer, 1981. [22] Gordon D. Plotkin. A structural approach to operational semantics. Journal of Logic and Algebraic Programming, 60-61:17–139, 2004. [23] Davide Sangiorgi. On the bisimulation proof method. Journal of Mathematical Structures in Computer Science, 8(5):447–479, 1998.

[24] Davide Sangiorgi. Bisimulation and coinduction: from the origins to today. In Algebraic Process Calculi: The first 25 years and beyond, BRICS NS-05-3, pages 229–233, 2005.

54 SOS 2007 Preliminary Version

Process Algebra Having Inherent Choice: Revised Semantics for Concurrent Systems 1

Harald Fecher2 and Heiko Schmidt3

Institut f¨ur Informatik Christian-Albrechts-Universit¨at zu Kiel Germany

Abstract Process algebras are standard formalisms for compositionally describing systems by the dependencies of their observable synchronous communication. In concurrent systems, parallel composition introduces resolvable nondeterminism, i.e., nondeterminism that will be resolved in later design phases or by the operating system. Sometimes it is also important to express inherent nondeterminism for equal (communication) labels. Here, we give operational and axiomatic semantics to a process algebra having a parallel operator interpreted as concurrent and having a choice operator interpreted as inherent, not only w.r.t. different, but also w.r.t. equal next-step actions. In order to handle the different kinds of nondeterminism, the operational semantics uses µ-automata as underlying semantical model. Soundness and completeness of our axiom system w.r.t. the operational semantics is shown.

Keywords: nondeterminism, process algebra, axiom system, expansion theorem, µ-automata

1 Introduction

Process algebras, see [2] for an overview, are standard formalisms for composition- ally describing systems based, e.g., on synchronous communication on an abstract level by the dependencies of their observable communication. They serve as a do- main for semantical foundations of programming or modeling languages and are also used as modeling languages [6]. Example 1.1 Suppose there are two processes running concurrently on a single processor computer that both have the possibility to send print jobs to a printer. Prior to sending the data to the printer, any process must gain exclusive access to the printer by synchronizing on an action request. After that, the print job can be sent. In our example, the first process sends a photo (sendPhoto), whereas the second sends a document (sendDoc). Furthermore, the first process can be disrupted by a

1 This work is in part financially supported by the DFG project Refism (FE 942/1-1) 2 Email: [email protected] 3 Email: [email protected] This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science Fecher, Schmidt

/  ØÙ OO request /  ØÙ OOsendPhoto /  ØÙ OO /  ØÙ OO requestOO requestOO requestOO requestOO cancel ' ØÙ OO request /'  ØÙ OOsendPhoto /'  ØÙ OO cancel ' ØÙ OO request /  ØÙ OOsendPhoto /  ØÙ OO  sendDocO sendDocO sendDocO  sendDocO sendDocO sendDocO  ØÙ OO cancel O' O' O'  ØÙ OO cancel O' O' O' request  ØÙ request /  ØÙ sendPhoto /  ØÙ request  ØÙ request /  ØÙ sendPhoto /  ØÙ OO'  OO'   ØÙ OO cancel  ØÙ OO cancel sendDocOO sendDocOO M rs ' ØÙ  M ' ØÙ  ref c c Fig. 1. The transition system M corresponding to the semantics of (1) and a refinement M rs of M w.r.t. c cref c ready simulation user via action cancel. This simplified concurrent system (in a parallel environment) can be modeled in process algebra based on synchronous communication by (1) (request.sendPhoto + cancel)k(request.sendDoc) where the printer and the user that can disrupt belong to the environment. Here, operator k denotes parallel composition, a.B denotes action prefix, and + denotes the choice operator. The semantics of (1) in terms of transition system is given by M of Figure 1. c In the transition system of the above example two kinds of choice can be dis- tinguished: (i) External choice represented by outgoing edges with different labels. This choice occurs in implementations and remains undecided until in an execution the environment decides which of the possible actions is performed. (ii) Internal (nondeterministic) choice represented by outgoing edges with the same labels. This nondeterminism is resolved by the scheduler 4 of the operating system, since the two processes run on a single processor computer: The scheduler will decide which process may perform its request action, i.e., synchronize to get exclusive access to the printer. This refinement, performed by adding the scheduler, is formally made precise by ready simulation [5], which essentially allows the removal of multiple outgoing edges with the same label, as long as one remains (see Figure 1). Nondeterminism that will be removed in later design phases or by the operating system is called resolvable nondeterminism, whereas nondeterminism that has to re- main in implementations and is decided independently for each execution (e.g., by random), is called inherent nondeterminism. Consequently, the nondeterminism in- troduced by abstracting from schedulers in a concurrent setting is resolvable. Note, however, that in standard semantics based on bisimulation the abstraction from schedulers can be regarded as inherent (since transition systems with bisimulation cannot express resolvable nondeterminism). We consider this to be counterintuitive in most cases, because schedulers usually do not show “random” behaviour that is determined independently for each execution. Branching time logics, like the modal µ-calculus [17], are often used for describ- ing properties of process algebras. Unfortunately, they are not preserved under refinement based on ready simulation. Consider, e.g., the statement that there is an immediate request action enabled such that afterwards no document can be sent to the printer. This property is described by the µ-calculus formula (2) hrequesti ([sendDoc] false ). rs Property (2) holds in M of Figure 1, but not in its refinement Mref of Figure 1. This c c 4 In a generative rather than reactive setting, different outgoing labels can also express internal choice and thus be resolved by the scheduler. However, this paper only considers reactive systems. 56 Fecher, Schmidt illustrates that branching times properties applied to a concurrent setting need to be interpreted w.r.t. sets of schedulers: hai φ requires the existence of a scheduler such that φ holds after the execution of a, and [a] φ states that, independent of which scheduler is chosen, φ will hold after the execution of a. Consequently, property (2) has to be understood as follows: There is a scheduler for the next step such that request is enabled and its execution (which is deterministic if the scheduler is given) leads to a state where sendDoc is for any scheduler disabled. Since the refinement in Figure 1 specializes schedulers, µ-calculus formula (2) is not preserved. In Example 1.1, we illustrated that resolvable nondeterminism naturally arises through parallel composition. In the following examples we argue that also inher- ent nondeterminism, i.e., internal choice that remains in running implementations, occurs in applications: Example 1.2 In the situation of Example 1.1, assume a faulty channel between the first process and the printer. Then it is possible that a signal request (e.g., encoded as 1) can be turned into a signal cancel (e.g., encoded as 0). This is reflected by the process algebra term (3) (request.sendPhoto + request + cancel)k(request.sendDoc) . We get inherent nondeterminism w.r.t. the same label request, because in case of a faulty transmission it has to be handled as an action cancel. The nondeterminism is inherent, because refinement cannot decide on the existence of a fault, this is decided for every execution. Example 1.3 In the situation of Example 1.1, consider request to be an abstract action [25] for more refined labels like requestLowRes and requestHighRes, where the first establishes access to the low resolution printing features of the printer, and the second gains access to the high resolution features. Then, based on the printing capabilities offered by the printer, the usual photo can be sent (sendPhoto) or a low resolution alternative (sendLowResPhoto). This is reflected by the following process algebra term having inherent nondeterminism w.r.t. the same label request: (4) (request.sendPhoto + request.sendLowResPhoto + cancel)k(request.sendDoc) .

Note that in these scenarios we have both inherent nondeterminism, introduced by the choice operator of the first process, and resolvable nondeterminism, intro- duced by the unknown scheduler of the parallel composition. In case there is no resolvable nondeterminism, i.e., if we consider concrete systems only with inherent nondeterminism, transition systems together with bisimulation as underlying equiv- alence notion is an appropriate semantical model. Here, bisimulation equivalence is a specialization of ready simulation for concrete systems, i.e., a ready simulation between concrete systems implies bisimilarity. The µ-calculus yields a suitable logic, since it characterizes transition systems up to bisimulation. Nevertheless, transition systems are not an appropriate model whenever inher- ent and resolvable nondeterminism occur in a single setting, like in Examples 1.2 and 1.3. This is because a choice for an underlying equivalence or preorder has to be made: Bisimulation interprets nondeterminism as inherent, ready simula- tion as resolvable. Furthermore, when using resolvable nondeterminism, we expect a three-valued satisfaction interpretation over the µ-calculus, with the possibil- 57 Fecher, Schmidt ity that a formula is neither satisfied nor falsified. For example, we expect that hrequesti ((hsendDoci true ) ∨ (hsendLowResPhotoi true )) holds in (4), since all its implementations do, but property (2) is “unknown” for (4), since there are imple- mentations that satisfy the property and there are implementations that do not. Contribution. We give an operational and an axiomatic semantics to a pro- cess algebra having a parallel operator interpreted in a concurrent (rather than distributed) setting and a choice operator interpreted as inherent, not only w.r.t. different, but also w.r.t. equal next-step actions. In particular, we adjust the se- mantics of [3], which has an inherent as well as a resolvable choice operator, to our interpretation of parallel composition, since in their interpretation parallel compo- sition yields inherent nondeterminism. In order to handle the two kinds of nonde- terminism adequately, a semantical model with two kinds of transition relations, as in [3] and [14], is used, namely µ-automata [16] with their standard refinement notion and their three-valued satisfaction relation over the µ-calculus. The two transition relations are defined using structural operational semantics. One rela- tion corresponds to the execution of actions, the other corresponds to the removing of the underspecification for the next action execution, which is called concretiza- tion. In order to develop an axiomatic semantics, the process algebra is extended by further operators, especially by a choice operator corresponding to resolvable nondeterminism. From our axiom system, we derive an expansion theorem, which expresses the parallel composition operator in terms of choice operators. Soundness and completeness of this axiom system w.r.t. the operational semantics is shown.

2 Syntax

In order not to distract from the technical problems and their solutions, we only present a simple process algebra that does not have recursion, sequential compo- sition, and parallel composition with a synchronization mechanism. Our process algebra consists of action prefix, inherent nondeterminism, parallel composition, and action renaming. Note that a (CSP-based) hiding operator is a special case of a renaming operator, where the action is renamed to the internal action. Here, we follow the philosophy that internal actions are observable. In other words, we do not consider weak equivalence or weak refinement notions. Furthermore, we assume that nondeterminism obtained via “mixed choices” is resolved inside the environ- ment: For example, if the system provides actions a and b and the environment their corresponding counterparts, then the environment decides if a or b is executed. 5 The renaming/hiding operator is also of special interest in our setting, since it intro- duces nondeterminism, too. For example, the process that provides action a leading to B1 and that provides action b leading to B2 does not contain nondeterminism, but after hiding a and b, i.e., renaming a and b to the internal action, a nondeter- minism occurs, since now an internal step either leads to B1 or to B2. Again, the two interpretations of inherent or resolvable nondeterminism are possible for the renaming operator. But in our setting the nondeterminism obtained through hid-

5 Otherwise, the system has to resolve this nondeterminism in which case two communications instead of one have to be modeled: The environment sends its provided actions and the system answers which action it chooses. 58 Fecher, Schmidt ing (and therefore implicitly for renaming) should be a resolvable nondeterminism, which is argued as follows: The system has a stimulus for any hidden action. These can be considered to be provided by an additional component continuously provid- ing hidden actions. Then the scheduler of the parallel composition decides, which parallel component executes next. Consequently, hiding (and therefore renaming) yields resolvable nondeterminism with our interpretation of schedulers of parallel components, which assumes that schedulers do not behave randomly. Before we formally present our process algebra, we introduce some notations. Let Act denote the set of all actions, let |S| denote the cardinality of a set S, and let P(S) denote its power set. Furthermore, ◦ denotes relational composition. For a binary relation ρ ⊆ S × I with subsets X ⊆ S and Y ⊆ I we write X ◦ ρ for {i ∈ I | ∃x ∈ X : (x, i) ∈ ρ} and ρ ◦ Y for {s ∈ S | ∃y ∈ Y : (s,y) ∈ ρ}. For a a a ternary relation ;⊆ S ×Act × I we write s ; i for (s, a, i) ∈;, and we write ; a a a for the binary relation {(s, i) | s ; i}, thus {s}◦ ;= {i ∈ I | s ; i}. Furthermore, a a we write s 6;, iff {s}◦ ;= ∅. PA, the set of all basis process algebra terms, is generated by B ::= 0 | a.B | B + B | BkB | Bha/bi , where a, b ∈Act. Process 0 describes a deadlocked process, i.e., no further actions can be executed. We sometimes omit symbol 0 by writing a instead of a.0. Process a.B allows the execution of action a resulting in the process B. Inherent choice is described by B1 + B2, and B1kB2 describes parallel composition. The parallel com- position has implicit resolvable nondeterminism, introduced by abstraction from a scheduler favoring one of the two sides. Bha/bi describes the process where the execution of a in B becomes the execution of b. All other action execution, includ- ing action b, remains unaffected. Note that this renaming process also introduces resolvable nondeterminism as described in the beginning of this section.

3 Operational Semantics

3.1 µ-automata As underlying semantical model we use µ-automata [16] in the notation of [9], except that we omit fairness constraints and that we do not consider propositions.

Definition 3.1 [µ-automata] A µ-automaton M w.r.t. Act is a tuple (S, S,si, ⇉, 7−→) such that (s ∈)S is the set of OR-states, (˜s ∈)S the set of BRANCH-statese (disjoint from S), si ∈ S its initial element, ⇉ ⊆ S ×eS the OR-transition relation, and 7−→⊆ S ×Act × S the BRANCH-transition relation.e e The BRANCH-states do not contain underspecification for the next action ex- ecution, whereas OR-states can be underspecified in that sense. This underspeci- fication is resolved via the OR-transition relation (for this reason also called con- cretization relation), which is made precise by the standard refinement notion of µ-automata:

Definition 3.2 [µ-refinement] A relation R ⊆ (S1 ×S2)∪(S1 ×S2) is a µ-refinement i i between two µ-automata M1 and M2 if (s1,s2) ∈ R and e e 59 Fecher, Schmidt

• ∀(s1,s2) ∈ R, s˜1 ∈ ({s1}◦ ⇉) : ∃s˜2 ∈ ({s2}◦ ⇉):(˜s1, s˜2) ∈ R, a a • ∀(˜s1, s˜2) ∈ R, a ∈Act,s1 ∈ ({s˜1}◦ 7−→) : ∃s2 ∈ ({s˜2}◦ 7−→) : (s1,s2) ∈ R, and a a • ∀(˜s1, s˜2) ∈ R, a ∈Act,s2 ∈ ({s˜2}◦ 7−→) : ∃s1 ∈ ({s˜1}◦ 7−→) : (s1,s2) ∈ R.

M1 µ-refines M2 if there exists a µ-refinement R between M1 and M2. Labeled transition systems are straightforwardly embedded into µ-automata by using OR-states having exactly one outgoing transition. The restriction of µ- refinement onto these systems coincides with bisimulation. As commonly known, µ-refinement yields a partial order. Furthermore, µ-automata come with a three- valued satisfaction relation over the µ-calculus, which is preserved under refinement.

3.2 Operational semantics rules In order to define the operational semantics we use two different kinds of expressions: one where underspecification for the next step is allowed (PA, corresponding to the OR-states) and one where it is not (PAcon, corresponding to the BRANCH- states), i.e., where the resolvable nondeterminism for the next execution is resolved. Then additionally to the step transition relation (7−→, corresponding to BRANCH- transition relation) from PAcon to PA, a concretization relation (⇉, corresponding to the OR-transition relation) from PA to PAcon, which resolves the resolvable nondeterminism for the next execution, is used. Formally, PAcon denotes the set of all process algebra terms generated by

P ::= [0] | [a.B] | P + P | P |iB,A,BP | P ha/b, vi , b b e where a, b ∈ Act, A ⊆ Act, B, B ∈ PA, and v ∈ {d, s}. The intuition of the operators is similar to the oneb ofe the operators given in Section 2, except that here the scheduler of the parallel composition and of the renaming operator is determined for the next step. First, we explain the intuition of parallel composition

P1|iB1,A,B2 P2, at first neglecting B1 and B2, which will be explained later, and using the notation P1|iAP2 instead. Here, A specifies a scheduler, which is not necessary in standard semantics based on ready simulation, since there schedulers are adequately handled via the ready simulation. However, the scheduler needs to be modeled if both resolvable nondeterminism and inherent choice should appear in one setting. The scheduler information is interpreted as follows: The right side is favored in P1|iAP2 for actions from A, whereas the left side is favored for actions from Act\A. This favoring concerns only the next step, i.e., after the execution of an action, any scheduling is allowed again. This is even the case if an action in parallel to P1|iAP2 is executed, e.g., if P3 executes action a leading to B3 in (P1|iAP2)|iAP3 the resulting process is, roughly speaking, (P1kP2)kB3, where all next step scheduling is removed. Note that this approach is more appropriate than the approach where the partial scheduler is kept (in which case (P1|iAP2)kB3 would be the result), since the scheduler is global and therefore can depend on any past execution. 6 Furthermore, associativity of k would be lost in the alternative approach, which is illustrated later in Example 3.5. In order to model the undoing of the scheduler

6 The approach where the partial scheduler is kept makes only sense if each parallel component has its own scheduler and there is an additional global scheduler which decides which of the parallel components is favored. 60 Fecher, Schmidt

B1 ⇉ P1 B2 ⇉ P2 0 ⇉ [0] a.B ⇉ [a.B] B1 + B2 ⇉ P1 + P2

B1 ⇉ P1 B2 ⇉ P2 A ⊆Act B ⇉ P v ∈ {d, s} ⇉ ⇉ B1kB2 P1|iB1,A,B2 P2 Bha/bi P ha/b, vi

a i ∈ {1, 2} Pi 7−→ B a a [a.B] 7−→ B P1 + P2 7−→ B a a c P1 7−→ B1 a ∈ A ⇒ P2 67−→ P 7−→ B c∈ / {a, b} c a P ha/b, vi 7−→ Bha/bi P1|iB3,A,B4 P2 7−→ B1kB4 a P2|iB4,Act\A,B3 P1 7−→ B4kB1

b a a b P 7−→ B v = s ⇒ P 67−→ P 7−→ B v = d ⇒ P 67−→ b b P ha/b, vi 7−→ Bha/bi P ha/b, vi 7−→ Bha/bi

Table 1 Upper section: Resolving of the next-step-underspecification via relation ⇉⊆ PA × PAcon. Lower section: Action executions via 7−→⊆ PAcon × Act × PA. information efficiently, the parallel composition stores the original processes of its components (here B1 and B2) and replaces the non-executing component by its stored original one, where no scheduler information is present. This will be clarified by the transition rules. The scheduler information of the next execution v is added to the renaming operator: The execution of the action corresponding to the source label a of the renaming, which becomes b, is favored in Bha/b, si, whereas the execution of the ac- tion corresponding to the destination label b is favored in Bha/b, di. Here, favoring means that for Bha/b, di, process B may only execute a (which will be renamed to b) if B cannot execute b and analogously for Bha/b, si, where a is favored. Again, this scheduling of the renaming operator only applies for the next action execution, i.e., after the execution of any action, possibly different from b, the current favoring is removed. The concretization relation ⇉ is given in the upper section of Table 1, where the underspecification of the next step is resolved, and the step transition relation 7−→ is presented in the lower section of Table 1, where actions are executed resulting in processes having underspecification for the next step executions. We give some comments on ⇉: The resolution of next-step-underspecification has to take place in every subpart that can potentially make the next execution, consequently resolution does not take place for B in a.B. In the parallel composition, however, the next- step-underspecification is resolved by choosing an arbitrary scheduler. The parallel composition operator stores the original processes such that it can efficiently undo the concretization. In the renaming operator, the next-step-underspecification is resolved by either favoring the action corresponding to the source label (s) or fa- voring the action corresponding to the destination label (d) of the renaming. We proceed with some comments on 7−→: The rules for [a.B] and P1 + P2 are standard.

The left side of the parallel composition P1|iB3,A,B4 P2 can execute a if (i) the left side is favored for a by the scheduler (a∈ / A) or (ii) the right side does not provide 61 Fecher, Schmidt

{[a]+[a.b]|i [a],  {[a]+[a.b]|i [a], a+a.b,Act,a ks (a+a.b)ka +3 a+a.b,{b},a [a]+[a.b]|i [a]} [a]+[a.b]|i [a]} a+a.b,{a},a ii a+a.b,∅,a iiii a iiii a  tiiii (a+a.b)k0 bka a    {([a]+[a.b])|ia+a.b,A,0[0]| b {[b]|ib,A,a[a]|A∈ (Act)} / 0ka ii P GF A∈P(Act)} iiii iiii a iii a  iiii a tiiii  bk0 +3 {[b]|ib,A, [0]|A∈ (Act)} {[0]|i0,A,a[a]|A∈ (Act)} 0 P fff P b fffff @A  fffff a rfffff / 0k0 +3 {[0]|i0,A,0[0]|A∈P(Act)}

Fig. 2. The operational semantics for (a + a.b)ka, where Act = {a, b}. OR-states of the µ-automaton have double-lined frames, whereas BRANCH-states have single-lined frames. OR-transitions are drawn as double-line arrows, whereas BRANCH-transitions are drawn as labeled single-line arrows. A state described by a set stands for a set of states, described by the elements of the set and having the same incoming and outgoing transitions as the state labeled with the set.

a a (P2 67−→). Symmetric constraints hold for the execution of a on the right side of

P1|iB3,A,B4 P2. As already mentioned before, the next-step-underspecification reso- lution has to be undone for the parallel component that did not make the execution. Therefore, process B3, resp. B4 replaces the non-executed side. In P ha/b, vi an ac- tion c different from a and b can be executed leading to Bha/bi, whenever P can execute c leading to B. This is stated in the first rule. Furthermore, P ha/b, vi can execute b, leading to a process Bha/bi, where B can be obtained after executing b in P , whenever v favors the destination label (v = d) or no action a is provided by P . Similarly, P ha/b, vi can execute b, leading to a process Bha/bi, where B can be obtained after executing a in P , whenever v favors the source label (v = s) or no action b is provided by P . In all these three cases, the scheduler is removed after the execution. Note that by definition, the target processes of 7−→ do not contain any scheduling information.

Definition 3.3 [Operational semantics] The operational semantics of a process al- gebra term B ∈ PA is the µ-automaton (PA, PAcon, B, ⇉, 7−→), where ⇉ and 7−→ are given in Table 1. We say that a process algebra term B from PA refines another one B′, written B ≤ B′, if the operational semantics of B µ-refines the operational semantics of B′. Furthermore, B is refinement equivalent to B′, written B ≡ B′, if B refines B′ and B′ refines B.

Example 3.4 The operational semantics for (a + a.b)ka is illustrated in Figure 2.

Example 3.5 We illustrate that associativity of the parallel composition does not hold, if the resolution of underspecification in the parallel composition rule of Table 1 is not undone, i.e., if the original process does not replace the current process in case of non-execution. Under this assumption, B˜1 = a.bk(aka.c) does not refine B˜2 = (a.bka)ka.c: By definition B˜1 ⇉ [a.b] |iAct([a] |iAct[a.c]). Since action c has to be possible afterwards, this process can only be adequately matched by B˜2 via a process that is refinement equivalent to ([a.b] |i{a}[a])|i{a} [a.c] or to ([a.b] |i∅[a])|i{a} [a.c]. Thus after the execution of a we would need that a.bk(akc) refines ([a.b] |i{a}[a])k [c] 62 Fecher, Schmidt

or refines ([a.b] |i∅[a])k [c]. Furthermore, a.bk(akc) can be concretized such that either b is possible after the execution of a or no b is possible after the execution of a. But only one of these concretizations is possible in ([a.b] |i{a}[a])k [c] and in ˜ ˜ ([a.b] |i∅[a])k [c]. Hence, B1 does not refine B2.

Example 3.6 Process a.(B1k(a.B2)) refines (a.B1)k(a.B2), but not vice versa. This illustrates that refinement over PA does not yield an equivalence relation. Theorem 3.7 Refinement is preserved under all process algebra operators, i.e., if ′ ′ ′ ′ ′ ′ ′ B1 ≤ B1 ∧ B2 ≤ B2 then a.B1 ≤ a.B1 ∧ B1 + B2 ≤ B1 + B2 ∧ B1kB2 ≤ B1kB2 ∧ ′ B1ha/bi≤ B1ha/bi. Note that the straightforward extension of ≤ to PAcon is also preserved under all process algebra operators for PAcon.

4 Axiomatic Semantics

In this section, we present a sound and complete axiom system for the refinement over PA.

4.1 Process algebra extension In order to define the axioms, further terms are introduced: The most interesting one is the resolvable nondeterminism operator ⊕, which is also of interest for modeling by itself. The intuition of resolvable nondeterminism B1 ⊕ B2 is that either B1 or B2 is implemented, but not both. Thus, B1 + B2 is in general not an allowed implementation. Further added terms are: (i) A next step restriction process B \ a, where B may not execute action a as its next step. Note that action a may be executed if an action different from a is executed before. (ii) A conditional prefix term c.B1 >a B2, which is equivalent to c.B1 whenever B2 cannot execute action a in its next step and it is equivalent to 0 if B2 can execute action a in its next step. (iii)

A parallel composition B1|iB3,A,B4 B2 where the scheduler information for the next execution and the replacing processes for non-execution are already given. (iv) A renaming operator Bha/b, vi, where the scheduler information for the next execution is already present. Also some counterparts of these new expressions are added to the process algebra terms where the next-step-underspecification is resolved. Formally, we define PA to be the set of all process algebra terms generated by f B ::= 0 | a.B | B + B | BkB | Bha/bi | B ⊕ B | B \ a | c.B >a B | B|iB,A,BB | Bha/b, vi con and we define PA to be the set of all process algebra terms generated by f P ::= [0] | [a.B] | P + P | P |iB,A,BP | P ha/b, vi | P \ a | c.B >a P b b e b where a, b, c ∈ Act, A ⊆ Act, B, B ∈ PA and v ∈ {d, s}. The previous transition rules (Table 1) are extended byb thosee f from Table 2. We give some comments on ⇉: the resolvable nondeterminism ⊕ is resolved by choosing either the right or the left side and resolving this term. In B1|iB3,A,B4 B2 only B1 and B2 have to be 63 Fecher, Schmidt

i ∈ {1, 2} Bi ⇉ P B2 ⇉ P2 B1 ⊕ B2 ⇉ P c.B1 >a B2 ⇉ c.B1 >a P2

B ⇉ P B1 ⇉ P1 B2 ⇉ P2 B ⇉ P ⇉ ⇉ ⇉ B \ a P \ a B1|iB3,A,B4 B2 P1|iB3,A,B4 P2 Bha/b, vi P ha/b, vi

a a P2 67−→ P 7−→ B b 6= a c a c.B1 >a P2 7−→ B1 P \ b 7−→ B Table 2 Additional transition rules for the extended process algebra. resolved, since no next step analysis takes place in term B3 and B4. By the same argument, only B2 has to be resolved in c.B1 >a B2. Now some comments on 7−→: In c.B1 >a P2 a c-step to B1 is possible iff the right hand side cannot execute a. In P \ b all executions of P that differ from b can take place as next step, in which case \b is removed, since this restriction only holds for the next step execution. Remark 4.1 For terms of PA, after every ⇉-step the same set of provided actions is obtained. This does not hold for terms of PA, as, e.g., illustrated by a ⊕ 0. f The operational semantics of terms in PA and refinement (equivalence) over PA are defined as in Definition 3.3 except thatf the extended concretization and stepf transition relations are used.

4.2 Equations Before we present the axiom system, we discuss some of the (standard) axioms that do not hold in general, i.e., where refinement equivalence cannot be guaranteed, which is denoted by 6≃: B + B 6≃ B, since the left hand side allows more kinds of resolution of under- specification. For example, (a ⊕ b) + (a ⊕ b) can be resolved to a + b, which provides a as well as b. On the other hand, a ⊕ b cannot be resolved such that both actions are provided. By similar arguments,

(5) (B1kB2) + (B1kB3) 6≃ B1k(B2 + B3), since the underspecification in B1 can possibly be resolved in two different ways such that it cannot be matched by a single resolution of B1. More precisely, after ⇉, it is possible that the left hand side of (5) can provide more actions than the right hand side. In case B1 is next-step-underspecification-free, e.g., if B1 is of form ai.Bi for some I, ai, and Bi, we do not have this problem. Predicate nuf on Pi∈I PA, which is formally defined in Table 3, collects those next step underspecification ffree processes. Resolution of next-step-underspecification yields a unique term if nuf holds: Lemma 4.2 Suppose B ∈ PA and Act 6= ∅. If nuf(B), then B has a unique target w.r.t. ⇉, i.e., nuf(B) ⇒ |{Bf}◦ ⇉ | = 1.

Nevertheless, the processes of (5) are not equivalent even if nuf(B1) holds, since the resolvable nondeterminism of the parallel composition can be resolved in dif- ferent ways. For example, after applying ⇉ on (a.b)k(a.c + 0) there is exactly one 64 Fecher, Schmidt

nuf(B1) nuf(B2) nuf(B) nuf(0) nuf(a.B1) nuf(B1 + B2) nuf(B \ a)

nuf(B2) nuf(B1) nuf(B2) nuf(B)

nuf(c.B1 >a B2) nuf(B1|iB3,A,B4 B2) nuf(Bha/b, vi) Table 3 Definition of predicate nuf. transition t labeled with a and either b or c is possible afterwards. On the other hand a ⇉ step from ((a.b)k(a.c)) + ((a.b)k0) exists where two transitions t1, t2 la- beled with a are possible such that b is possible after t1 and c is possible after t2. We remedy this problem by resolving the resolvable nondeterminism of the paral- lel operator before the parallel composition is expanded. This motivates why we introduced the term B1|iB3,A,B4 B2 already in PA. In Table 4 axioms for the refinement relationf  over PA are presented, where we assume for simplicity that Act is finite. f

Theorem 4.3 The axioms from Table 4 are sound and complete, i.e., ∀B1,B2 ∈ PA : B1  B2 ⇐⇒ B1 ≤ B2. f Example 4.4 By using Axiom A32, we get a.(b ⊕ c)  (a.(b ⊕ c)) ⊕ (a.b). Further- more, by using Axiom A32 and then Axiom A3 we get (a.(b ⊕ c)) ⊕ (a.b)  (a.(b ⊕ c)) ⊕ (a.(b ⊕ c)) ≃ a.(b ⊕ c). Thus we have shown that a.(b ⊕ c) ≃ (a.(b ⊕ c)) ⊕ (a.b). Note that this cannot be shown by using only Axioms A1 – A31, since the necessary removal of ⊕ becomes impossible. This illustrates that Axiom A32 is also essential for the completeness of our Axiom system w.r.t. ≡.

How the parallel composition can be expressed in terms of nondeterminism, known as the expansion theorem [23,4], is one of the most important rules. In our setting the expansion theorem is more complicated than usually, since resolvable as well as inherent nondeterminism has to be handled. It is directly derived from our −1 axiom system and illustrated in the following, where Bj yields 0: Pj=0 Theorem 4.5 (Expansion theorem) n n′ ′ ′ ′ ′ BkB ≡ a .(B kB )+ a ′ ′ .(BkB ′ ′ ) M M M  X i,j i,j X i ,j i ,j  A⊆Act i=0 i′=0 j∈J ′ j′∈J′ (A,i,i ) (A,i,i′) ′ ′ m −1 n m(i)−1 ′ n (i) ′ ′ where B = ai,j.Bi,j, B = a .B , Li=0 Pj=0 Li=0 Pj=0 i,j i,j ′ ′ ′ J(A,i,i′) = {j

Here, (i) the scheduler (A ⊆ Act) is determined by a resolution of resolvable nondeterminism, (ii) any combination of resolutions of both sides is considered, and (iii) the complete inherent nondeterminism of a component for a is taken if this component is favored by the scheduler or if the current resolution of the other component cannot provide a. 65 Fecher, Schmidt

(A1) B1 ⊕ B2 ≃ B2 ⊕ B1 (A2) B1 ⊕ (B2 ⊕ B3) ≃ (B1 ⊕ B2) ⊕ B3 (A3) B ⊕ B ≃ B (A4) B1 + B2 ≃ B2 + B1 (A5) B1 + (B2 + B3) ≃ (B1 + B2)+ B3 (A6) a.B + a.B ≃ a.B (A7) B + 0 ≃ B (A8) B1 + (B2 ⊕ B3) ≃ (B1 + B2) ⊕ (B1 + B3)

(A9) B1kB2 ≃ (B1|iB ,A,B B2) LA⊆Act 1 2 (A10) B1|iB4,A,B5 B2 ≃ B2|iB5,Act\A,B4 B1

(A11) B1|iB4,A,B5 (B2 ⊕ B3) ≃ (B1|iB4,A,B5 B2) ⊕ (B1|iB4,A,B5 B3)

(A12) B1|iB4,A,B5 (B2 + a.B3) ≃ ((B1 \ a)|iB4,A,B5 B2)+ a.(B4kB3) if a ∈ A

(A13) B1|iB4,A,B5 (B2 + a.B3) ≃ (B1|iB4,A,B5 B2) + (a.(B4kB3) >a B1) if a∈ / A ∧ nuf(B1)

(A14) 0 |iB4 ,A,B5 0 ≃ 0 (A15) Bha/bi≃ Bha/b, di⊕ Bha/b, si (A16) (B1 ⊕ B2)ha/b, vi≃ B1ha/b, vi⊕ B2ha/b, vi (A17) (B1 + c.B2)ha/b, vi≃ B1ha/b, vi + c.(B2ha/bi) if c∈ / {a, b} (A18) (B1 + a.B2)ha/b, di≃ B1ha/b, di + (b.(B2ha/bi) >b B1) if nuf(B1) (A19) (B1 + b.B2)ha/b, di≃ (B1 \ a)ha/b, di + b.(B2ha/bi) (A20) (B1 + a.B2)ha/b, si≃ (B1 \ b)ha/b, si + b.(B2ha/bi) (A21) B1 + b.B2ha/b, si≃ B1ha/b, si + (b.(B2ha/bi) >a B1) if nuf(B1) (A22) 0ha/b, vi≃ 0

(A23) (B1 ⊕ B2) \ a ≃ (B1 \ a) ⊕ (B2 \ a) (A24) (B1 + B2) \ a ≃ (B1 \ a) + (B2 \ a) (A25) 0 \ a ≃ 0 (A26) (a.B) \ a ≃ 0 (A27) (b.B) \ a ≃ b.B if b 6= a

(A28) c.B1 >a (B2 ⊕ B3) ≃ (c.B1 >a B2) ⊕ (c.B1 >a B3) (A29) c.B1 >a (B2 + a.B3) ≃ 0 (A30) c.B1 >a (B2 + b.B3) ≃ c.B1 >a B2 if b 6= a (A31) c.B >a 0 ≃ c.B

(A32) B1  B1 ⊕ B2

Table 4 Axioms for , where ≃=∩. Here, Li∈{j} Bi is defined to be Bj and for I finite, Li∈I Bi is defined ′ to be Bi ⊕ (L Bi) where i ∈ I (by the associativity and commutativity of ⊕ the definition is ′ i∈I\{i′} independent of the chosen i′). Note that we assume that Act is finite. Otherwise, more complex formulas have to be used in order to remain in PA. f

66 Fecher, Schmidt

5 Related Work

An overview on algebraic approaches to nondeterminism is given in [27]. Nondeter- minism is often interpreted as angelic (chosen positively w.r.t. to a desired property) or demonic (chosen by an adversary). In [22], both nondeterminism interpretations are modeled in a single setting. The angelic/demonic view is orthogonal to our view, leading to the following four interpretations: (i) The task of resolving resolv- able, angelic nondeterminism is a satisfiability check, i.e., an abstraction has an implementation satisfying the desired property if there is an angelic resolution. (ii) On the other hand, the task of resolving resolvable, demonic nondeterminism is a satisfaction check on the abstract level: the property holds if a demonic resolution satisfies it. (iii) Inherent, angelic nondeterminism ensures the existence of a step such that the desired property holds, whereas (iv) inherent, demonic nondetermin- ism ensures that all possible next steps satisfy the property. In alternating-time temporal logic [1], interpretations (iii) and (iv) are generalized to multiple actors. In [3], both our choice operators (inherent and resolvable) are used in a process algebra and an operational semantics in terms of µ-automata as well as an axiomatic semantics is given. The difference to our work consists in the semantics of the parallel operator, since the semantics of the parallel operator in [3] is based on inherent instead of resolvable scheduling choice, i.e., schedulers behave “randomly” also at the concrete level, which is in most applications, like schedulers in operating systems, not the case. If the scheduler can prefer different parallel components per action, we cannot apply the usual approach to split the parallel composition by using the left merge operator, as it is also made in [3]. Therefore our axiom system becomes more complicated by using additional operators and by using predicate nuf. A further choice operator is presented in [3]. The interpretation of this choice operator ⊕′ is similar to our resolvable choice operator ⊕, except that the resolving can be moved outwards, e.g., a.(b ⊕′ c) is equivalent to a.b ⊕′ a.c, which is not the case for ⊕. The choice operator ⊕′ has the same expressiveness as ⊕ w.r.t. the describable sets of concrete systems, i.e., replacing ⊕′ by ⊕, or vice versa, does not change the set of concrete systems that refine the corresponding expressions. A difference arises in the refinement relation between different abstract levels, i.e., the refinement relation between non-concrete systems is different. In [26] a process algebra having our resolvable choice operator together with a choice operator that is only resolvable w.r.t. the same action, which harmonizes with ready simulation, is presented. Thus full inherent nondeterminism is not handled there. The semantics is given as possible worlds, i.e., sets of concrete systems. No parallel operator is considered at all. This process algebra is extended by recursion in [21], but still no parallel composition is considered. Different kinds of choice operators are considered in hybrid systems, see, e.g., [7], but those choice operators concentrate on underspecification (i.e., resolvable nondeterminism) resulting from time aspects. Other abstract models that can express inherent as well as resolvable nondeter- minism are, e.g., (disjunctive) modal transition systems [18,19], hypermixed Kripke structures [11], generalized Kripke modal transition systems [24], modal automata [9] and ν-automata [12]. These models are often used as abstract models for tran- 67 Fecher, Schmidt sition systems in order to improve verification of full branching time properties, as in [13,10]. In some settings the scheduler can be restricted by further constraints, like priority or fairness assumptions. They can be interpreted as a refinement of an abstract level where no constraint on the scheduler is enforced. This allowance to describe a more detailed scheduler is orthogonal to the problem of handling the interaction of inherent nondeterminism with the resolvable nondeterminism of an underspecified scheduler. In probabilistic process algebras, see [20] for an overview, choice operators are extended with a distribution determining the way the different sides are favored. Randomized choice operators are special kinds of inherent nondeterminism. Never- theless, it is important to examine inherent choice operators, which do not contain a distribution, for their own, since sometimes the distribution is not known and sometimes it does not exist at all (cf. Examples 1.2 and 1.3). Note that approaches trying to embed pure inherent nondeterminism into probabilistic settings lead to unnecessarily complex models and thus unnecessarily increase the cost of verifica- tion.

6 Conclusion

We have presented the structural operational semantics of a process algebra that handles choice operators corresponding to inherent nondeterminism as well as re- solvable nondeterminism obtained by abstraction from the scheduling of the paral- lel composition or the renaming/hiding operator. In particular, µ-automata, which have two kinds of transition relations (one for action execution and one for resolu- tion of resolvable nondeterminism), are used as underlying model for the structural operational semantics. In order to avoid any restriction on schedulers, the resolu- tion of the resolvable nondeterminism has to be made undone if it was not affected by the previous execution step. A sound and complete axiom system has been presented, where in particular a choice operator representing resolvable nondeter- minism is used. Note that the increased complexity of our semantics, compared to the standard semantics, is unavoidable if µ-calculus formulas should be preserved under refinement. Our operational semantics can be straightforwardly adapted to process algebra having parallel composition with a CSP-based synchronization [15], sequential com- position, or recursion. The only problem arises for unguarded recursion, i.e., if there exists a variable that is bound without being behind an action prefix: There the definition of the concretization relation ⇉ yields problems, since infinite derivation trees can be generated. This is not very critical, because usually process algebras without unguarded recursion are sufficient for applications.

References

[1] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. J. ACM, 49(5):672–713, 2002.

[2] J. C. M. Baeten. A brief history of process algebra. Theor. Comput. Sci., 335(2-3):131–146, 2005. 68 Fecher, Schmidt

[3] J. C. M. Baeten and J. A. Bergstra. Process algebra with partial choice. In B. Jonsson and J. Parrow, editors, CONCUR, volume 836 of LNCS, pages 465–480. Springer, 1994.

[4] J. A. Bergstra and J. W. Klop. Algebra of communicating processes with abstraction. Theor. Comput. Sci., 37:77–121, 1985.

[5] B. Bloom, S. Istrail, and A. Meyer. Bisimulation can’t be traced. J. ACM, 42(1):232–268, 1995.

[6] T. Bolognesi and E. Brinksma. Introduction to the ISO specification language LOTOS. Computer Networks and ISDN Systems, 14:25–59, 1987.

[7] S. Bornot and J. Sifakis. On the composition of hybrid systems. In T. A. Henzinger and S. Sastry, editors, HSCC, volume 1386 of LNCS, pages 49–63. Springer, 1998.

[8] R. Cousot, editor. Verification, Model Checking, and Abstract Interpretation, 6th International Conference, VMCAI 2005, Paris, France, January 17-19, 2005, Proceedings, volume 3385 of LNCS. Springer, 2005.

[9] D. Dams and K. S. Namjoshi. Automata as abstractions. In Cousot [8], pages 216–232.

[10] L. de Alfaro, P. Godefroid, and R. Jagadeesan. Three-valued abstractions of games: Uncertainty, but with precision. In LICS, pages 170–179. IEEE Computer Society Press, 2004.

[11] H. Fecher and M. Huth. Ranked predicate abstraction for branching time: Complete, incremental, and precise. In S. Graf and W. Zhang, editors, ATVA, volume 4218 of LNCS, pages 322–336. Springer, 2006.

[12] H. Fecher, H. Schmidt, and J. Sch¨onborn. Refinement sensitive formal semantics of state machines having inherent nondeterminism. In MODELS, 2007. Available at http://www.informatik.uni-kiel.de/~hsc/models07.pdf, submitted for publication.

[13] O. Grumberg, M. Lange, M. Leucker, and S. Shoham. Don’t know in the µ-calculus. In Cousot [8], pages 233–249.

[14] H. Hansson and B. Jonsson. A calculus for communicating systems with time and probabilities. In Proc. 11th IEEE Real-Time Systems Symposium (RTSS), Orlando, Fl., January 1990.

[15] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.

[16] D. Janin and I. Walukiewicz. Automata for the modal mu-calculus and related results. In J. Wiedermann and P. H´ajek, editors, Mathematical Foundations of Computer Science, volume 969 of LNCS, pages 552–562. Springer, 1995.

[17] D. Kozen. Results on the propositional µ-calculus. Theor. Comput. Sci., 27:333–354, 1983.

[18] K. G. Larsen and B. Thomsen. A modal process logic. In LICS, pages 203–210. IEEE Computer Society Press, 1988.

[19] K. G. Larsen and L. Xinxin. Equation solving using modal transition systems. In LICS, pages 108–117. IEEE Computer Society Press, 1990.

[20] N. L´opez and M. N´u˜nez. An overview of probabilistic process algebras and their equivalences. In C. Baier, B. R. Haverkort, H. Hermanns, J.-P. Katoen, and M. Siegle, editors, Validation of Stochastic Systems, volume 2925 of LNCS, pages 89–123. Springer, 2004.

[21] M. E. Majster-Cederbaum. Underspecification for a simple process algebra of recursive processes. Theor. Comput. Sci., 266:935–950, 2001.

[22] C. E. Martin, S. A. Curtis, and I. Rewitzky. Modelling nondeterminism. In D. Kozen and C. Shankland, editors, MPC, volume 3125 of LNCS, pages 228–251. Springer, 2004.

[23] R. Milner. A Calculus for Communicating Systems, volume 92 of LNCS. Springer-Verlag, 1980.

[24] S. Shoham and O. Grumberg. 3-valued abstraction: More precision at less cost. In LICS, pages 399–410. IEEE Computer Society Press, 2006.

[25] B. Thomsen. An extended bisimulation induced by a preorder on actions. Master’s thesis, Aalborg University Centre, 1987.

[26] S. Veglioni and R. De Nicola. Possible worlds for process algebras. In D. Sangiorgi and R. de Simone, editors, CONCUR, volume 1466 of LNCS, pages 179–193. Springer, 1998.

[27] M. Walicki and S. Meldal. Algebraic approaches to nondeterminism: An overview. ACM Comput. Surv., 29(1):30–81, 1997.

69 SOS 2007 Preliminary Version

An Operational Semantics for Shared Messaging Communication

Astrid Kiehn

Department of Computer Science and Engineering Indian Institute of Technology Delhi New Delhi 110016, India

Abstract Shared Messaging Communication (SMC) has been introduced in [8] as a model of communication which reduces communication costs (both in terms of communication latency and memory usage) by allowing tasks to communicate data through special shared memory regions. Sending a reference to an otherwise inaccessible memory regions rather than the data itself, the model combines the advantages of message passing and shared memories. Experimental results have shown that SMC in case of large data payloads clearly outperforms the classical message passing. In this paper we give a formal operational semantics to SMC exhibiting unambiguously the effect of executing an SMC command on local and shared memories. Based on this semantics we show that any program using message passing can be proved to be weakly bisimilar to one based on SMC and that with respect to communication costs the latter is amortised cheaper, [6].

Keywords: Shared messaging communication, operational semantics, cost evaluation, message-passing.

1 Introduction

To achieve high performance, modern computer applications are executed on net- works of (multi)processors. Those with a high data rate like digital signal processing are most efficiently implemented on micro-architectures employing shared memory as a means of interprocess communication. However, shared memory programming has to deal explicitly with correct data access and data integrity and the negligence of these cause faulty computations. Architectures based on message-passing pre- vent such errors by barring shared address space and by their clear separation of computation and communication. But message-passing has the drawback of high data latency and redundancy of data transfer. Shared messaging communication (SMC) aims at combining the advantages of message passing while utilizing the availability of shared memory to reduce the cost of communication. In an SMC-architecture communication is performed via references (called tokens) to shared memory which are provided by the network and which ensure mutually exclusive access. To communicate, a process asks for a token (by get unused memory), writes its data to the granted memory region and This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science Kiehn then sends the token to the target node (send token) by message-passing. On the receiving side, the process receives the token (receive token), reads or writes on the assigned memory region and then either sends the token to another node or releases it (usage over). In general, when the volume of data transferred is very high, compared to the expense of granting, releasing, sending or receiving a token, the overall performance of shared-messaging communication can be significantly better than direct data communication. The SMC-model of communication 1 has been introduced in [8]. It describes the semantics of the SMC communication primitives by the pre- and postconditions in Figure 1 and reports experimental results showing that SMC outperforms message- passing if large data items are to be communicated. SMC supports a system level design where certain features of a class of imple- mentations has been abstracted to a level which is amenable to a formal verification (cf. [5]). Employing SMC one goes beyond the purely qualitative behaviour de- scription. A current program using SMC as model of communication does not only specify the (qualitative) computation with respect to functionality but also makes (quantitative) assumptions by taking the decision that the underlying mode of data transfer should rely on shared memory. The contribution of this paper is a formal operational semantics for a class of concurrent programs of which the set of constituting sequential components is partitioned into regions and where communication within a region is performed via SMC. The partitioning into regions mirrors the (quantitative) assumption of an expected efficient implementation. The use of SMC as a model of communication guarantees that conceptually it can be considered as message passing (which is formally proved in this paper). The semantics is based on the clear separation between local and shared memory and shows how tokens are administered and dealt with when sent to or received by other processes of the same region. Based on this semantics we are able to prove the claim made in [8] that the new SMC model of computation does not introduce non- determinism due to the shared memory region allocation by the underlying network. In particular, we show that any program based on message-passing can be rewritten to one based on SMC such that the two programs are observation equivalent ([7]). Moreover, we show that if communication costs are taken into account the message- passing program is (amortised) more expensive than the SMC-based counterpart underpinning the experimental results of [8]. The latter comparison is based on the notion of amortised bisimilarity introduced in [6]. Other bisimulation-based behavioural preorders like the efficiency preorder of [9] and [2] turned out not to be capable of expressing this relation adequately.

2 Shared Messaging Communication (SMC)

An SMC-program consists of a finite set of sequential programs partitioned into so-called regions. The processes of a region – which in analogy to networks we call nodes – communicate with each other using the SMC communication primitives.

1 The variant for broadcasting given in [8] is not dealt with in this paper. 71 Kiehn

Access Method Pre-conditions Post-conditions Invoked Operation on token handle on token handle by get unused me- should not hold holds a token sender blocks if an unused memory is mory any token with RW not available, else a token to an (token handle) privilege unused memory region is created send token should hold a does not hold sender blocks if the token buffer is full, (token handle) token with RW any token else token is transferred from privilege the token handle to token buffer receive token should not hold holds a token receiver blocks if the token buffer is empty, (token handle) any token with RW else any earliest token from privilege token buffer is transferred to token handle usage over should hold a does not hold receiver token is destroyed and the (token handle) token with RW any token associated memory region is privilege marked unused

Fig. 1. Semantics of SMC-commands as given in [8].

Intuitively, a region comprises those nodes which in the final mapping to a network should be located such that they can efficiently communicate via shared memories. We right here make the assumption that we deal with one universal region, only, to keep the notational overhead as small as possible. The general case will be discussed in the conclusions. To describe the behaviour of a single node we use the core commands of an imperative language and intersperse them with the SMC communication primitives. So an SMC-program (assuming one global region) is a set of sequential programs p1,...,pn derived from the following grammar:

pi :== skip | l := a | pi; pi | if b then pi else pi | while b do pi | j i gumi(t, k) | uoi(t, k) | sti (t, k) | rtj(t, k) | cpsi(t, a) | csmi(t, l)

Each node operates on its private memory space while interprocess commu- nication is based on SMC which affects the shared memory of the entire region. Accordingly, the operational semantics is given in two layers. First we define the semantics of single nodes and based on that the semantics of regions is given.

2.1 The Operational Semantics of Nodes The semantics of the commands in the first line of the grammar for SMC-programs is completely standard (see e.g. [10]) and we assume familiarity with its presentation by a set of rules. In notation we use a for an arithmetic expression, b for a boolean expression and l ∈ Loci for a location. For these expressions we assume a relation ; which evaluates an arithmetic expression a to a (non-specified) value v and a boolean expression b to true or false wrt a given assignment of locations σ: a, σ ; v and b, σ ; true or b, σ ; false. The state of a node is given by a pair hpi,σii where pi is the program that remains to be executed and σi is a mapping providing the actual values of locations. To simplify the behaviour analysis later on we decorate transitions with the assignments 72 Kiehn or evaluation that is performed with an execution step.

a, σi ; v skip l:=v hskip,σii −→ σi hl := a, σii −→ σi{l := v}

α ′ ′ α ′ hpi,σii −→ hpi,σii hpi,σii −→ σi α ′ ′ α ′ hpi; qi,σii −→ hpi; qi,σii hpi; qi,σii −→ hqi,σii

b, σi ; true b, σi ; false b=true b=false hif b then pi else qi,σii −→ hpi,σii hif b then pi else qi,σii −→ hqi,σii

b, σi ; true b, σi ; false b=true b=false hwhile b do pi,σii −→ hpi; while b do pi,σii hwhile b then pi,σii −→ σi Token handles form a third syntactic category and are ranged over by t. By Thdlsi we denote the token handles of node πi. The SMC-commands intuitively have the following meaning where we assume the view of a node i:

gumi(t) give unused memory (to be bound to t)

uoi(t) usage over (of the memory given by t) j sti (t) send token to node j i rtj(t) receive token from node j

cpsi(t, a) compose token: write the value of a to the memory specified by t

csmi(t, l) consume token: write the contents of the memory specified by t to location l.

2 Formally, a node is a pair πi = hpi,σii where

σi : (Loci ∪ Thdlsi ) → (Values ∪{⊥}∪ SM )

σi(Loci) ⊆ Values ∪ {⊥} and σi(Thdlsi ) ⊆ SM ∪ {⊥}. The symbol ⊥ denotes undefinedness of a local location or an SMC location.

As we have left expressions and locations unspecified one may also assume con- current assignments and by this we may assume non-scalar data structures. This modelling admittedly dilutes a crucial property of SMC, namely, that not all the data written to the shared memory by a source process will actually be accessed by the target process (by csm). However, as the emphasis of our modelling is the ad- ministration of tokens we do not give a refined model here. The model as described in [8] assumes tokens of a predefined size.

2 If a program has completely been executed the semantics simply yield a state σi. We identify this with the pair hnil, σii to ensure that we can always assume the result has two components. 73 Kiehn

GUMi (σi(t)= ⊥) gumi(m) hgumi(t),σii −→ σi{t := m}

UOi (σi(t)= m) uoi(m) huoi(t),σii −→ σi{t := ⊥}

j STi j (σi(t)= m) j sti(m) hsti(t),σii −→ σi{t := ⊥}

i RTj rti(m) (σi(t)= ⊥) i j hrtj(t),σii −→ σi{t := m}

a, σi ; v CPSi (σi(t)= m) cpsi(m,v) hcpsi(t, a),σii −→ σi

CSMi (σi(t)= m) csmi(m,v,l) hcsmi(t, l),σii −→ σi{l := v}

Fig. 2. Node Rules

The state of the shared memory is given by σ. It is not residing at a particular node but somewhere in the region. It will only be visible when we describe the semantics of an entire region. The remaining rules required to describe the semantics of nodes are the rules for SMC-commands, Figure 2. Some comments on the rules: Rule CPSi: With the execution of cpsi(t, a) the shared memory cell m bound to t will be updated to σi(a) but since m is not local to π this updating is visible only in the context of its region. j j Rules UOi, STi : The effect of executing either uoi(t) or sti (t) is the same, locally. Rule CSMi: The side condition of this rule expresses that a token handle has been assigned a shared memory location.

2.2 Regions

A region consists of a set of nodes {π1,...,πn} which share a local memory SM . For each (unidirectional) channel from a node i to a node j of the region there is a j j channel variable ci in C = {ci | i, j ∈ {1,...,n}, i 6= j}. For simplicity, again, we assume that the channel capacity is one token item only and we do not consider channels leading outside the region. Channels also act as buffers (the token-buffers mentioned in Figure 1); if the capacity is bounded the data rate of the sending process can be forced to respect the processing time of the receiver. This is a characterizing feature of blocking networks. Assuming capacity one allows us to describe the channel by a simple variable which eases the overall needed notation.

74 Kiehn

Formally, a region R is given by

R = h(π1 k···k πn),σi where σ provides the current state of the shared memory and the channel variables: σ : SM ∪ C → Values ∪ {⊥} ∪ {available}∪ SM ∪ {empty} satisfying σ(SM) ⊆ Values ∪{⊥}∪{available} and σ(C) ⊆ SM ∪{empty}. The set of all state mappings σ is given by ΣSM . The operational semantics is such that a memory cell m is given the value available by σ if m is not bound to a token handle or contained in one of the channels. For a given region with n nodes, the state mapping σ and its local counterparts σi should be consistent for all nodes i, j, i 6= j:

(a) σi(t)= m implies σ(m) 6= available j ′ (b) σ(ci )= m implies σi(t) 6= m 6= σj(t ) and σ(m) 6= available ′ ′ (c) σi(t) 6= ⊥= 6 σj(t ) implies σi(t) 6= σj(t ) where t and t′ are any token handles, m ∈ SM.

Consistency expresses the key property of SMC: at any state of the execution of a program a token can be bound at most to one token handle, property (c), and if it is residing in a channel, (b), it is not bound to any handle neither it is j available. Obviously, initial programs – which satisfy σi(t)= ⊥ and σ(ci )= empty for all token handles and channels – are consistent, and we will prove later that consistency is preserved by the operational semantics. The transition rules for SMC-commands for regions are given in Figure 3. Some comments on the rules: ′ Let σ denote the updated state mapping. In R − GUMi tokem m is granted to node πi which changes its status from being available to ⊥. In R − UOi token m ′ j is released thus σ (m) = available. In R − STi the token is sent to node πj i.e. j to the conecting channel ci provided the latter is empty. As we assumed channel capacity 1, non-emptyness coincides with that the channel is full. With R − CPSi the updating of m to σi(a) due to the local execution of cpsi(t, a) is implemented. Finally, R − CSMi dscribes the access to contents of token m; it does not change the state mapping. Let PROGSMC denote the set of all shared messaging communication programs (which may be in their initial state or have been executed for some while). Formally, PROGSMC is the least set containing the initial state programs which is closed under j transitions. The initial state of a program is given by σ(ci )= empty, σi(l)= ⊥ and j σ(m)= available for all all ci , l, m. Proposition 2.1 (Well-Definedness of the Operational Semantics)

(i) All programs in PROGSMC are consistent. (ii) The conditions on SMC-commands in Figure 1 are satisfied by the operational semantics. 75 Kiehn

gumi(m) ′ πi −→ πi σ(m)= R − GUMi ( available ) gumi(m) ′ h(···k πi k···),σi −→ h(···k πi k···),σ{m := ⊥}i

uoi(m) ′ πi −→ πi R − UOi uoi(m) ′ h(···k πi k···),σi −→ h(···k πi k···),σ{m := available}i

stj(m) i ′ πi −→ πi R − STj (σ(cj )= empty) i stj(m) i i ′ j h(···k πi k···),σi −→ h(···k πi k···),σ{ci := m}i

rtj(m) i ′ πj −→ πj R − RTj (σ(cj )= m) i rtj(m) i i ′ j h(···k πj k···),σi −→ h(···k πj k···),σ{ci := empty}i

cpsi(m,v) ′ πi −→ πi R − CPSi cpsi(m,v) ′ h(···k πi k···),σi −→ h(···k πi k···),σ{m := v}i

csmi(m,v,l) ′ πi −→ πi R − CSMi (σ(m)= v) csmi(m,v,l) ′ h(···k πi k···),σi −→ h(···k πi k···),σi

Fig. 3. Region Rules

Proof. of (i) by induction on the length of the transition sequence establishing membership in PROGSMC . (ii) is easily verified by inspecting the respective transition rules. 2

Note that the given conditions on channels might seem stronger than required in Figure 1, however, this is only due to the fact that we assumed channels of capacity one.

3 Moving from Message Passing to SMC

For an application with a high data rate it is feasible to employ shared messaging communication in its final implementation. In this section we formally prove that any program using message-passing as communication mechanism can be rewrit- ten as an SMC-program such that the two programs are weakly bisimilar (up to some renaming of communication actions) which shows, in particular, that the (non)deterministic structure of the MP-program is preserved by the translation. We first give a formal description of the message passing model and then relate it in terms of bisimilarity to the SMC-presentation.

3.1 The Message-Passing Model The syntax of programs using message-passing is a straightforward variation of that of SMC-programs: 76 Kiehn

j i pi := skip | l := a | if b then pi else pi | while b do pi | pi; pi | smi (a) | rmj(l)

The intuitive meaning of MP-commands is

j smi (a) send message: send the value of a to node j, i rmj(l) read/save message from node j at location l . j As before, a region consists of a set of nodes {π1,...,πn} and C = {ci | i, j ∈ {1,...,n}, i 6= j} is the set of (unidirectional) channels between nodes. We adopt the same simplicifations as for SMC by assuming channel capacity one, no channels leading outside a region and one universal region, only. The current states of the channels are given by mapping σ : C → Values ∪ {⊥} ∪ {empty}. To describe the operational semantics the rules for SMC-commands are replaced by rules for message passing for nodes and regions, respectively.

a, σi ; v j i SM j RM i i sm v j rm (v,l) j i ( ) i j hsmi(a),σii −→ σi hrmj(l),σii −→ σi{l := v}

smj(v) i ′ πi −→ πi R − SMj (σ(cj )= empty) i smj(v) i i ′ j h(···k πi k···),σi −→ h(···k πi k···),σ{ci := v}i

rmj(v,l) i ′ πj −→ πj v σ cj , R − RMj ( = ( i ) ) i rmj(v,l) 6=empty i ′ j h(···k πj k···),σi −→ h(···k πj k···),σ{ci := empty}i

In accordance with the definitions for SMC the set PROGMP denotes the least set containing the initial state MP-programs which is closed under transitions. Ini- j tially, σi(ci )= empty for all j.

3.2 Weak Bisimilarity of MP- and SMC-programs

The translation of PROGMP into PROGSMC is straightforward. We replace each command

j j smi (a) by gumi(t); cpsi(t, a); sti (t) and j j rmi (l) by rti (t); csmj(t, l); uoj(t) where for each node just one token handle is used. This substitution is described by the mapping T which we later on generalize to a relation between states of MP- and SMC-regions. As stated above, an MP-program will be related to their SMC- counterpart by weak bisimilarity. So far we have only considered so-called strong 77 Kiehn

h(π1, k . . . k πn),σi T h(T (π1), k . . . k T (πn)), σ˜i where πi = hpi,σii, T (πi)= hT (pi), T (σi)i, T (σi)(l)= σi(l) for l ∈ Loci and T (σi)(t)= ⊥,

empty if σ(cj)= empty σ˜(cj)=  i i  j some m such thatσ ˜(m)= σ(ci ) otherwise  σ˜, T (σ1),...,T (σn) are consistent j j and |{m | σ˜(m) 6= available}| = |{ci | σ(ci ) 6= empty}|.

Fig. 4. relation T ⊆ PROGMP × PROGSMC transitions opposed to weak transitions which are transitions preceded and followed by an arbitrary number of internal actions. In our setting internal actions are those concerning the administration of token handles, only. Let Act denote the set of all transition labels occurring in Section 1 and

j j Act adm = {gumi(t), sti (t), rti (t), uoj(t) | i, j ≤ n, i 6= j},

Act SMC = Act adm ∪ {cpsi(m, a), csmi(v, l) | i ≤ n,m,a,v,l arbitrary}

For β ∈ Act ∪ Act SMC − Act adm weak transitions are given by

β β p =⇒ p′ if p ⇒−→⇒ p′ where p ⇒ p′ if p →∗ p′ and ′ α ′ p → p if there is α ∈ Act adm such that p −→ p .

For the message-passing model, we define

j j Act MP = {smi (v), rmi (v, l) | i, j ≤ n, i 6= j, v, l arbitrary}

The substitution T described above is extended to relation T in Figure 4. It associates MP-programs with computationally equivalent programs based on SMC. The relation is not one-to-one as the memory cell for a particular token handle is chosen arbitrarily. Note, that by T all m ∈ SM which are in use (that is σ˜(m) 6= available) represent a message in one of the channels. This is due to the j j fact that smi and rmi are atomic actions. States corresponding to the “halfway execution” of such an action on the SMC side will be added later. Restricted to initial MP-programs, T is a function and we use T(Πmp) to denote the unique SMC-program. The main result of this section is that an initial program Πmp ∈ PROGMP is weakly bisimilar to T (Πmp). Actually, we establish a stronger result namely that Πmp and T (Πmp) are in the efficiency preorder-relation , [2] (adapted to our setting). Intuitively, this means – apart from their weak bisimilarity – that the message-passing model is more efficient than 78 Kiehn the SMC-model while the experimental results suggest the converse. However, this is not a contradiction as we neglected the cost associated with sending big data items over channels.

Proposition 3.1 (Efficiency relation between MP- and SMC-programs) Let ΠMP ∈ PROGMP, ΠSMC ∈ PROGSMC . Then ΠMP  ΠSMC , ΠMP is more efficient than ΠSMC , if there is a relation R ⊆ PROGMP × PROGSMC such that for all (Πmp, Πsmc) ∈ R

γ ′ ′ γ ′ ′ ′ (i) if Πmp −→ Πmp, γ ∈ Act then ∃Πsmc : Πsmc =⇒ Πsmc and (Πmp, Πsmc) ∈ R, smj v i ( ) ′ ′ cpsi(m,v) ′ ′ ′ (ii) if Πmp −→ Πmp then ∃Πsmc,m : Πsmc ===⇒ Πsmc and (Πmp, Πsmc) ∈ R, rmj v,l i ( ) ′ ′ csmi(m,v,l) ′ ′ ′ (iii) if Πmp −→ Πmp then ∃Πsmc,m : Πsmc ===⇒ Πsmcand (Πmp, Πsmc) ∈ R, ′ ′ (iv) if Πsmc −→ Πsmc then (Πmp, Πsmc) ∈ R, γ ′ ′ γ ′ ′ ′ (v) if Πsmc −→ Πsmc, γ ∈ Act then ∃Πmp : Πmp −→ Πmp and (Πmp, Πsmc) ∈ R. smj v cpsi(m,v) ′ ′ i ( ) ′ ′ ′ (vi) if Πsmc −→ Πsmc then ∃Πmp : Πmp −→ Πmp and (Πmp, Πsmc) ∈ R. rmj v,l csmi(m,v,l) ′ ′ i ( ) ′ ′ ′ (vii) if Πsmc −→ Πsmc then ∃Πmp : Πmp −→ Πmp and (Πmp, Πsmc) ∈ R.

and (ΠMP , ΠSMC ) is contained in R. Proof. follows directly from the definition of the efficiency preorder given in [2] where we match sm-actions with cps-actions and, respectively, rm-actions with csm-actions. Actually, what we consider here is an instantiation of a ρ-σ-preorder as defined in [1]. 2

By a tedious case analysis which is outlined in the next section one can establish the preorder result for a MP-program and its representation as an SMC-program. As, finally, our aim is to prove that the SMC-program is more cost-efficient than the original MP-program, and the efficiency preorder suggests the opposite result, we do not phrase it as a theorem. However, the following straightforward corollary shows the correctness of our translation.

Theorem 3.2 Let Π= h(p1 k . . . k pn),σi be a message passing program and SM a shared memory of size at least n. Then Π is weakly bisimilar to its SMC-translation T(Π) where internal transitions are only those concerning the administration of token handles.

3.2.1 Proof of the Theorem We define a relation R which satisfies the seven conditions of Proposition 3.1. This proves Πmp  Πsmc. For principal reasons, every pair of processes which satisfy the efficiency preorder  is weakly bisimilar, see [2]. So this proves the theorem. For R we verify case (ii) in detail. ¿From a respective analysis for the other items of Proposition 3.1 it follows Πmp  Πsmc. 79 Kiehn

We define R to be the least set containing T which is closed under the following conditions:

j If (Πmp , Πsmc) ∈ R and Πmp = h(. . . k hsmi (a); pi,σii k . . .),σi, j Πsmc = h(. . . k hT (smi (a)); T (pi), T (σi)i k . . .), σ˜i then

j (Πmp,h(. . . k hcpsi(t, a); sti (t); T (pi), T (σi){t := m}i k . . .), σ˜{m := ⊥}i) ∈ R, ′ j (Πmp,h(. . . k hsti (t); T (pi), T (σi){t := m}i k . . .), σ˜{m := σi(a)}i) ∈ R

′ where Πmp = h(. . . k hpi,σii k . . .),σi andσ ˜(m)= available.

j If (Πmp , Πsmc) ∈ R and Πmp = h(. . . k hrmi (l); pj,σji k . . .),σi, j Πsmc = h(. . . k hT (rmi (l)); T (pj), T (σj )i k . . .), σ˜i then

j (Πmp,h(. . . k hcsmj(t, l); uoj(t); T (pj ), T (σj){t := m}i k . . .), σ˜{ci := empty}i) ∈ R, ′ j (Πmp,h(. . . k huoj(t); T (pj), T (σj){l := σ(m)}i k . . .), σ˜{ci := empty}i) ∈ R

′ j where Πmp = h(. . . k hpj,σji k . . .),σi andσ ˜(ci )= m.

smj v i ( ) ′ ′ Lemma 3.3 Let hpi,σii be an MP-node such that hpi,σii −→ hpi,σii. Then there 1 2 3 1 2 3 are processes qi , qi , qi and local state mapping σi , σi and σi such that

stj gumi(m) 1 1 cpsi(m,v) 2 i (m) 3 3 hT (pi), T (σi)i −→ hqi ,σi i −→ hqi ,σii −→ hqi ,σi i

3 ′ 3 ′ and qi = T (pi) and σi = T (σi)= T (σi) and m is some shared memory cell. j Proof. We show the lemma for pi = smi (a). The general case is easily derived. j j smi (v) As hsmi (a),σii −→ σi we have σi(a)= v. Now, for the three transitions j gumi(m) j 1 1. hgumi(t); cpsi(t, a); sti (t), T (σi)i −→ hcpsi(t, a); sti (t),σi i j 1 cpsi(m,v) j 2 2. hcpsi(t, a); sti (t),σi i −→ hsti (t),σi i stj m j 2 i ( ) 3 3. hsti (t),σi i −→ σi . 1 it is easily proved by inspecting the corresponding transition rules that σi = 2 1 3 2 T (σi){t := m}, σi = σi and σi = σi {t := ⊥} = T (σi){t := ⊥} = T (σi). 2 We show next, that this local transition sequence is also possible in the context of a region provided there is a free shared memory cell available.

80 Kiehn

Lemma 3.4 Let Πmp = h(. . . k πi k . . .),σi∈ PROGMP and (Πmp, Πsmc) ∈ T. If smj i (v) ′ ′ h(. . . k πi k . . .),σi −→ h(. . . k πi k . . .),σ i and m ∈ SM is such that σ(m)= available then

Πsmc = h(T (π1) k . . . k T (πi) k ...... k T (πn)), σ˜i

gumi(m) 1 1 1 −→ h(. . . k hqi ,σi i, k . . .),σ i cpsi(m,v) 2 2 2 −→ h(. . . k hqi ,σi i, k . . .),σ i stj m i ( ) 3 3 3 −→ h(. . . k hqi ,σi i, k . . .),σ i

j j 3 j where the qi and σi are given by the previous lemma and σ =σ ˜{m := v, ci := 3 m} and T (σ1),...,T (σn) and σ are consistent.

Proof. The first transition is possible by the choice of m and rule R − GUMi. Thus, σ1 =σ ˜{m := ⊥}. The second transition follows from the previous lemma and rule 1 2 1 R − CPSi as σi (t)= m. So, σ = σ {m := v}. The last transition can be deduced j 2 j with rule R − STi as its side condition is satisfied for σ because σ(ci ) = empty – j otherwise the local smi (v)-transition had been impossible – and the definition of 3 j T. So, σ =σ ˜{m := v, ci := m}. 2

Lemma 3.5 Let Π ∈ PROGSMC such that each node uses at most one token han- dle. If Π has n nodes and global state mapping σ and n nodes then n ≥ |{m ∈ SM | σ(m) 6= available}|. Proof. by induction on the length of the transition sequence establishing member- ship in PROGSMC . The crucial rules are R − GUMi and R − UOi in conjunction with the underlying node transitions. 2

Proposition 3.6 Let Πmp = h(. . . k πi k . . .),σi ∈ PROGMP and (Πmp, Πsmp) ∈ T. Let, |SM|≥ n. If smj i (v) ′ ′ h(. . . k πi k . . .),σi −→ h(. . . k πi k . . .),σ i Π | {z′mp } cps (m,v) Π = h(. . . k T (π ) k . . .), σ˜i ===i ⇒ h(. . . k T (π′) k . . .), σ˜′i then smc i | Πsmc{z ′ } ′ ˜ ′ ′ j and (Πmp, Πmp) ∈ T where σ˜ =σ ˜{m := v, ci := m}. Proof. By Lemma 3.5 and Lemma 3.4. 2

4 Cost Analysis

The discussion in the previous section has shown that a comparison based on match- ing actions, only, does not capture the different performance of systems but rather 81 Kiehn suggests a relation which on intuitive grounds one would reject. However, if one assigns costs to actions and matches actions while keeping track of the current cost balance, the quantitative performance can also be observed. To this end, amortised bisimilarity has been introduced in [6]. In short, it combines bisimilarity with an quantitative cost evaluation. The main idea is to consider actions together with their costs and to modify bisimulation equivalence in such a way that actions are matched with ”function- ally equivalent” actions. The difference in their costs adds to the credit which is accumulated during the mutual simulation. For a system p to be considered less ex- pensive than another system q, the amortised bisimulation containing (p,q) should have nonnegative credit everywhere. We are interested in applications where some additinal internal activity – like the administration of tokens in SMC – increases the performance of the system in some way. It is weak amortised bisimilarity that is of interest in this setting as the internal activity corresponds to invisible τ-actions. So we allow a visible action to be simulated by an action which is preceded and followed by a sequence of costly actions which are functionally equivalent to τ. Functional equivalence is given by relation ρ. In general, it is only a small set of actions for which ρ does not reduce to identity and costs are considered different from 0. A uav weak transition is a sequence p =⇒ p′ where a is a visible action and u and v are actions which are functionally equivalent to τ, that is u = b1 ...bn, v = d1 ...dm and biρτ, djρτ for all i, j. In short, uρε and vρε. Every action a is equipped with N a nonnegative cost ca ∈ . For words u = u1 ...un we have cu = cu1 + · · · + cun .

Definition 4.1 Let hP, Aτ , −→i be a labelled transition system with transition labels in Aτ = A ∪ {τ}, ρ ⊆Aτ ×Aτ and every action a ∈Aτ carries costs ca (by definition cτ = 0). A family (Ri)i∈N of binary relations over P is a weak amortised ρ-bisimulation, if for all i ∈ N, (p,q) ∈ Ri:

a uˆbv (i) p −→ p′ implies ∃q′, b, u, v [aρb, ερ uv, q =⇒ q′ and (p′,q′) ∈ R ], i+cuˆbv−ca b ′ ′ uavˆ ′ ′ ′ (ii) q −→ q implies ∃p , a, u, v [aρb, uvρ ε, p =⇒ p and (p ,q ) ∈ Ri+cb−cuavˆ ], ∗ where a, b ∈Aτ and u, v ∈A anda ˆ = a if a 6= τ andτ ˆ = ε. Process p is (weakly) ρ amortised cheaper (more cost efficient) than q up to credit i, p≺≺i q, if (p,q) ∈ Ri for some weak amortised ρ-bisimulation (Ri)i∈N.

The costly actions in our applications which are functionally equivalent to τ are those in Act adm. Actions of type cps and csm are mapped to sm and rm, respectively, but to the former we assign cost 1 as they are local read and write operations opposed to the latter channel operations which we give cost 2. One should note here that due to the simplification in the formal modelling of SMC the real benefit of SMC gets diluted. However, the reader should readily see that if large data packets are sent over the channels then the credit in the amortised bisimulation will increase significantly. We also neglect that in case of very small data items the cost of token administration might exceed the cost of simply sending the data by message passing. The transition system we consider is the disjoint union of the transition systems induced by the operational semantics of MP- and SMC-programs. We define an 82 Kiehn amortised bisimulation which for each pair (Πsmc, Πmp) ∈ Ri satisfies

α ′ ′ (i) if Πsmc −→ Πsmc, α ∈ Act adm, then (Πsmc, Πmp) ∈ Ri−1, γ ′ ′ (ii) if Πsmc −→ Πsmc, γ ∈ Act then there exist Πmp : γ ′ ′ ′ Πmp −→ Πmp and (Πsmc, Πmp) ∈ Ri. cpsi(m,v) ′ ′ (iii) if Πsmc −→ Πsmc then there exist Πmp, j, v : smj v i ( ) ′ ′ ′ Πmp −→ Πmp and (Πsmc, Πmp) ∈ Ri+2. csmi(m,v,l) ′ ′ (iv) if Πsmc −→ Πsmc then there exist Πmp, j, v, l : rmj v,l i ( ) ′ ′ ′ Πmp −→ Πmp and (Πsmc, Πmp) ∈ Ri+2. γ ′ ∗ ′ (v) if Πmp −→ Πmp, γ ∈ Act then there exist u ∈ Act adm, Πsmc : uγ ′ ′ ′ Πsmc =⇒ Πsmc and (Πsmc, Πmp) ∈ Ri−cu , smj v i ( ) ′ ∗ ′ (vi) if Πmp −→ Πmp then there exist u, w ∈ Act adm, Πsmc,m : u cpsi(m,v) w ′ ′ ′ Πsmc =⇒ −→ =⇒ Πsmc and (Πsmc, Πmp) ∈ Ri+2−cuw , rmj v,l i ( ) ′ ∗ ′ (vii) if Πmp −→ Πmp then there exist u, w ∈ Act adm, Πsmc,m : u csmi(m,v,l) w ′ ′ ′ Πsmc =⇒ −→ =⇒ Πsmc and (Πsmc, Πmp) ∈ Ri+2−cuw .

Note, that (i) – (iv) and (v) – (vii) directly correspond to conditions (iv) – (vii) and (i) – (iii) given in Proposition 3.1. The two groups are swapped here as we consider a reverse ordering. Since all actions in Act adm are mapped to τ by ρ it suffices to verify conditions (i) – (vii) to prove that (Ri)i∈N is an amortised bisimulation. Using relation R defined in the last section we set up the family (Ri)i∈N:

(Πsmc, Πmp) ∈ Ri if and only if (Πmp, Πsmc) ∈ R and i ≥ D(Πsmc) n where D(Πsmc) is defined as D(Πsmc)= D(pi) and Pi=1

cpsi(m,v) csmi(m,v)  0 if pi −→ or pi −→ for some m, v j  st (m) uo m D p  i i( ) ( i)=  2 if pi −→ or pi −→ for some j, m  1 otherwise  

D(pi) gives the maximal credit demand that is necessary to perform the initial token administration. It is easily verified that conditions (i) – (vii) indeed hold. As every initial program Π with n nodes has maximal demand n in its SMC version the following proposition is straightforward.

Theorem 4.2 If Πmp is an initial MP-program with n sequential components and Πsmc is its SMC-presentation that is Πsmc = T (Πmp) then Πsmc is amortised cheaper ρ than Πmp with credit n: T (Π) ≺≺n Π where ρ is defined as after Definition 4.1.

83 Kiehn

5 Conclusions

We have given an operational semantics for concurrent programs whose sequential processes are partionened into regions to facilitate an efficient implementation. The processes forming a region are assumed to communicate via shared memory in the final implementation. We have restricted the formal model to one region, only, but the set-up is easily generalized. In that case the whole system is described 1 1 1 m m m i by h h(π1 k . . . k πn1 ),σ i,..., h(π1 k . . . k πnm ),σ i,C i where each h(π1 k . . . k i i πni ),σ i is a region as described in Section 2. Mapping C provides the current state for each inter-region channel. The semantics of inter-region channels is defined as in the section on message-passing and the channel access operations are SAM and rm. SMC-programs support a system design methodology – called orthogonalization of concerns in [5] – which separates functional correctness from other, quantitative aspects. A program using message-passing as model of communication (only) can be proved functionally correct independently of any concern with respect to an efficient transfer of data. Once this has been established one may address the question of performance. We have shown in this paper that one may move from message- passing to shared messaging communication without loosing functional correctness but with higher efficiency if the volume of data transferred is high. As the program transformation step is still on a high level of abstraction in the overall design process, it also supports reusability of specifications which do incorporate decisions on final implementations. SMC has been developed for high data rate applications typical for digital signal processing. The relationship to work aiming at efficiently implementing message- passing on different levels of abstraction (architectures like FLASH [3] or lazy im- plementations of value passing languages [4]) is subject of ongoing work.

References

[1] S. Arun-Kumar. On bisimilarities induced by relations on actions. In Conference on Software Engineering and Formal Methods. IEEE, 2006. [2] S. Arun-Kumar and M. Hennessy. An efficiency preorder for processes. Acta Informatica, 1(29):737– 760, 1992. [3] Kushin et. al. The Stanford FLASH multiprocessor. Proceedings of the 21st International Symposium on Computer Architecture, 1994. [4] A. Ing´olfsd´ottir and R. Pugliese. Towards verified lazy implementation of concurrent value-passing languages. In W. Brauer, editor, Net Theory and Application, volume 27 of Electronic Notes in Theoretical Computer Science. Elsevier, 1999. [5] K. Keutzer, S. Malik, R. Newton, J. M. Rabaey, and A. Sangiovanni-Vincentelli. System-level design: orthogonalization of concerns and platform-based design. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 19(12):1523–1543, 2000. [6] A. Kiehn and S. Arun-Kumar. Amortised bisimulations. In Proceedings of FORTE 2005, number 3731 in Lecture Notes in Computer Science, pages 320–334. Springer–Verlag, 2005. [7] R. Milner. Communication and Concurrency. Prentice-Hall, 1989. [8] Satya Kiran M.N.V., Jayram M.N., Pradeep Rao, and S.K. Nandy. A complexity effective communication model for behavioral modeling of signal processing applications. In Proceedings of DAC 2003, 2003. [9] F. Moller and C. Tofts. Relating processes with respect to speed. In Proceedings of CONCUR 91, number 527 in Lecture Notes in Computer Science, pages 424–438. Springer–Verlag, 1991. [10] G. Winskel. The Formal Semantics of Programming Languages. MIT-Press, 1993.

84 SOS 2007 Preliminary Version

Reversibility and Models for Concurrency

Iain Phillips1

Department of Computing Imperial College London 180 Queen’s Gate, London, SW7 2AZ, United Kingdom

Irek Ulidowski2

Department of Computer Science University of Leicester University Road, Leicester, LE1 7RH, United Kingdom

Abstract

There is a growing interest in models of reversible computation driven by exciting application areas such as bio-systems and quantum computing. Reversible process algebras RCCS [2] and CCSK [8] were developed and general techniques for reversing other process operators were proposed. The paper shows that the notion of reversibility can bridge the gap between some interleaving models and non-interleaving models of concurrency, and makes them interchangeable. We prove that transition systems associated with reversible process algebras are equivalent as models to labelled prime event structures. Furthermore, we show that forward-reverse bisimulation corresponds to hereditary history-preserving bisimulation in the setting with no auto-concurrency and no auto-causation.

Keywords: Reversible computation, labelled transition systems, prime event structures, hereditary history-preserving bisimulation

1 Introduction

CCS with Communication Keys (CCSK) [8] is a reversible version of CCS which can be used to model and analyse bidirectional behaviour of systems, for example the binding and unbinding of molecules in biochemical reactions. The definition of CCSK is given in the Structural Operational Semantics (SOS) style, and the SOS approach is also employed to give a procedure for converting operators of other pro- cess algebras into reversible operators [8]. The main idea is that dynamic operators (which can be destroyed in the course of a transition) are converted by the proce- dure into static operators (which are preserved), using new auxiliary operators. For instance, both sides of a choice P + Q are retained. As a result process terms in the

1 Email: [email protected] 2 Email: [email protected] This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science Phillips and Ulidowski new reversible language do not change their overall structure during computation. A crucial component of the procedure is the notion of communication keys. These are unique identifiers that are assigned to, and are recorded in the syntax of, past actions and are vital for the communication mechanism to work correctly in the forward and reverse directions. In contrast, in RCCS [2] past behaviour, including communication, is stored on external devices such as memories. A process algebra of reversible operators produced by the procedure from [8] gives rise to a forward labelled transition relation (ltr) → and a reverse ltr , which is the inverse of →. These ltrs enjoy a number of intuitive properties that arise directly in the presence of reversibility. Some of the properties, for example the Reverse Diamond property (see Definition 2.3), can be thought of as intrin- sic properties of reversible transition systems. Other properties, for example the Non-repeating property (see Section 2.1), are more specific and a consequence of using the communication keys mechanism. In this paper we investigate properties of this sort and propose an abstract definition of reversible transition systems by identifying several properties that must be satisfied. We find that reversible tran- sition systems are rich enough to express such true concurrency (non-interleaving) notions as events, concurrency, causality and conflict. Consequently, we show that reversible transition systems are equivalent as models to prime event structures. Hence, we can study and work with true within the purely interleaving setting of reversible transition systems. This result leads naturally to questions regarding the distinguishing power of the standard interleaving equivalences defined over reversible transition systems. For instance: What true concurrency bisimulation is the forward-reverse (FR) bisimu- lation relation [8] “closest” to? FR bisimulation, a natural notion of bisimulation over reversible transition systems, is clearly finer than the standard bisimulation as it distinguishes between a | b and ab + ba. It is also finer than the two versions of history-preserving bisimulation as given in [5] since it does not satisfy the absorp- tion law: (a | (b + c)) + (a | b) + ((a + c) | b) = (a | (b + c)) + ((a + c) | b). We show that FR bisimulation coincides with hereditary history-preserving (HHP) bisimula- tion, which is regarded as the canonical true concurrency equivalence [1,5,7,3]. The result holds for reversible transition systems with no auto-concurrency and with no auto-causation, and since CCSK gives rise to such transition systems the result holds for CCSK.

2 Prime ltrs and prime graphs

We propose a class of transition systems that are equivalent to labelled prime event structures. Previously, Sassone, Nielsen and Winskel [9] introduced occurrence tran- sition systems with independence relation (oTSI). The independence relation is de- fined on transitions by giving the conditions it satisfies; it says which transitions are concurrent. It is rich enough to express the causality and conflict relations of event structures. Sassone et al. show that prime event structures with binary con- flict are equivalent to oTSIs which satisfy an extra property (E) [9]. Independently, van Glabbeek defines history-preserving process graphs [4] by setting a number of properties relating to concurrent history of processes that must be satisfied. These 86 Phillips and Ulidowski

b Q PQa a b a b a b R I c c a c a b b c R I b P a a Fig. 1. graphs are as expressive as event structures. In this work we follow van Glabbeek’s approach and do not use independence relations. In the literature, a labelled transition system, or lts for short, may or may not have an initial state. Let us deem an ltr to be a structure that specifies a transition relation with no initial state and an lts to be an ltr with an initial state. Thus an lts can be seen as a rooted ltr. Definition 2.1 A labelled transition relation is a structure (Proc, Lab, →), where Proc is the set of processes, Lab is the set of action labels and →⊆ Proc×Lab×Proc is a transition relation. Given →, a reverse transition relation is the inverse of →. A labelled transition system is a structure (Proc, Lab, →,I) where I ∈ Proc is the initial state.

We let P,Q,S,T,... be typical processes and a, b, c, d be typical action labels. We shall keep Lab fixed throughout the paper. Definition 2.2 [6] Let (Proc, Lab, →) be an ltr. Let ∼ be the smallest equivalence a b b a relation satisfying: if P → Q → S and P → R → S and Q 6= R then (P,a,Q) ∼ (R,a,S). The equivalence classes, written [P,a,Q], are the events. Define a labelling function ℓ from → / ∼ to Lab by setting ℓ([P,a,Q]) = a. Definition 2.3 A prime ltr is an ltr (Proc, Lab, →) satisfying the following: • WF (well-founded) there is no infinite reverse computation; a b • UT (unique transition) if P → Q and P → Q then a = b; a a • ED (event-deterministic [9,4]) if P → Q and P → R, and (P,a,Q) ∼ (P, a, R), then Q = R; a b • RD (reverse diamond) if Q → P , R → P and Q 6= R, then there is S such that a b S → R, S → Q; a b • FD (forward diamond) if P → Q →∗ T , P → R →∗ T , and Q 6= R, then there is b a S such that Q → S, R → S and S →∗ T .

It can be checked that all five properties are independent of each other. The most interesting cases are showing that ED and FD are not derivable from the others: see Figures 1 and 2 respectively. Note that the transitions in all figures ought to be read from left to right when the arrowheads are not displayed. In Figure 1 we a a see that in each graph P → Q, P → R and the two transitions represent the same event. Note that reverse ED can be derived from RD and (forward) ED. We now show that the ltr of [8] which we briefly outlined in the introduction 87 Phillips and Ulidowski

c

a b a c

b b a

c

Fig. 2. is an example of a prime ltr. Unfortunately space does not permit us to give the fairly lengthy definition of the ltr here. Proposition 2.4 The ltr of [8] is a prime ltr. Proof. This is shown in [8] for RD and FD. WF is clear. For UT: it is clear that a b if P → Q and P → Q then the transitions have the same key. For ED, note that terms do not change structure during a computation, except that some static operators f become auxiliary operators fr. So any fr[m] must have been created in exactly the same position by two transitions on opposite sides of a diamond. This must also hold for ∼. Hence the result. 2 Next, we give several definitions and results that will be crucial in proving our main results. Definition 2.5 Let (Proc, Lab, →) be an ltr. A path from P to Q is a finite forward computation from P to Q. Definition 2.6 [4, Definition 3.1] Say that two paths in a ltr are adjacent if one a b b a can be got from the other by replacing some segment P → R → Q by P → S → Q. Say that two paths are homotopic if they are related by the reflexive and transitive closure of adjacency. Note that we can assume that R 6= S in the definition of adjacency when dealing with prime ltrs, by UT. So homotopic paths have the same events. Let (Proc, Lab, →) be a prime ltr. Then the irreversible processes are Irr = {P ∈ Proc : P 6 }; let der(P )= {Q ∈ Proc : P →∗ Q}. Lemma 2.7 Suppose that (Proc, Lab, →) is a prime ltr. Suppose that P ∈ Proc, Q, R ∈ Irr and s,t are paths from Q, R to P . Then Q = R and s,t are homotopic. Proof. By RD and UT. 2 Proposition 2.8 Any two paths in a prime ltr with the same endpoints are homo- topic. Proof. ¿From Lemma 2.7 by extending backwards to an irreversible process, using WF. 2 Proposition 2.8 tells us that any two paths with the same endpoints have the same multiset of events. We want to show that any path cannot have repeated 88 Phillips and Ulidowski

PQa a a T a U a RSa Fig. 3.

PQa P a Q c b b a c a a VW T U T U b c b c R a S R a S Fig. 4. events. If this is the case then any P ∈ Proc is associated with a well-defined set of events, namely the set of events in any path from some Q ∈ Irr to P .

Lemma 2.9 Let (Proc, Lab, →) be a prime ltr. If (P,a,Q) ∼ (R,a,S) then there are T, U as in Figure 3 such that the processes on opposite sides of each diamond are unequal, and the events in the paths from T to P, R and from U to Q,S are all different from [P,a,Q].

Proof. The essence of the proof is to show that if one has P,Q,R,S,T,U as in the first graph in Figure 4, with the transitions from P, R to T and from Q,S to U, then there exist V,W and the appropriate dotted transitions (for example from V to P, R). We use reverse ED and RD. 2

Proposition 2.10 Let (Proc, Lab, →) be a prime ltr. In any path there are no repeated events.

Proof. Suppose we have a path from P to S via Q, R as in the second graph in Figure 4, with (P,a,Q) ∼ (R,a,S). Then by Lemma 2.9 we have T, U as in Figure 3. But now there are two different paths from T to R, one containing [P,a,Q] and one not. This contradicts Proposition 2.8. 2

a1 a2 an A rooted path is a forward computation P0 → P1 → ··· → Pn where P0 ∈ Irr. Define e < e′ if and only if e 6= e′ and all rooted paths that contain a representative of e′ also contain a representative of e. (Note that we are generalising the [6] definition to ltrs rather than process graphs with a single initial state.)

a b Lemma 2.11 (Sideways diamond) In a prime ltr, if P → Q → R and [P,a,Q] 6< b a [Q, b, R] then there is S such that P → S → R. 89 Phillips and Ulidowski

Proof. (Sketch, with abuse of notation between events and labels of events) Since [P,a,Q] 6< [Q, b, R] there is a rooted path that contains b but no a before b. Using Lemma 2.9, we connect the two instances of b back to their common earliest b. On the path back from R via the earliest b there must be an occurrence of a (extend back to the coomon root and use Proposition 2.8). Hence, there is a path π with b a b before a. Now we apply RD to P → Q → R and the transitions of the top segment of π starting with the a transition. Then we use FD to promote the a along π towards R, eventually obtaining the result. 2

Definition 2.12 A process graph, or graph, is an lts where every process is reach- able via the transition relation from the initial state.

Proposition 2.13 Suppose that (Proc, Lab, →) is a prime ltr. If P ∈ Irr then der(P ) is closed under .

Proof. By Lemma 2.7. 2

Finally, we are ready to define the central structure of the paper.

Definition 2.14 A prime (process) graph is a graph G = (G, Lab, →,I) such that (G, Lab, →) is a prime ltr.

The components of a prime graph G will be denoted by GG, →G, and IG. We shall omit the subscript G when it is clear from the context, and we shall use this naming convention with other structures given as tuples. The property WF guarantees that prime graphs are acyclic.

Proposition 2.15 Let (G, Lab, →) be a prime ltr, and let I ∈ Irr. Then (der(I), Lab, (→∩ der(I)2),I) is a prime graph.

Proof. We use Proposition 2.13. It is easy to check that the properties of prime ltrs hold for der(I). 2

2.1 Process graphs for CCSK

We proved in Proposition 2.4 that the process graphs that we get for CCSK are prime graphs. Moreover, CCSK process graphs satisfy an additional property: NR (non-repeating) there are no repeated labels in forward computations. NR and WF imply what is called the nonrepetitive property in [4]. CCSK graphs satisfy NR as a consequence of using the keys mechanism mentioned in the intro- duction:

Proposition 2.16 The ltr of [8] satisfies NR.

Prime graphs that satisfy NR are called non-repeating prime graphs. We shall show in Section 4 that prime event structures that correspond to non-repeating prime graphs enjoy the properties of no auto-concurrency [1] and no auto-causation. 90 Phillips and Ulidowski

2.2 Local characterisation of prime graphs

Several of the properties of prime graphs, notably ED and FD, are global in char- acter: in order to verify them one may need to inspect an arbitrarily large portion of a graph. The global character, however, makes them very useful in proving other properties and results for prime graphs. An open question was posed by Sassone et al. in [9]: Can one find a set of properties that involve only local information that characterise a form of transition systems that are equivalent to prime event struc- tures (with binary conflict)? We answer this question for prime event structures with general (not necessarily binary) conflict by proposing local versions of the ED and FD properties: • ED2 (event-deterministic 2) b b a if P S Q then P=Q b a a

• FD2 (forward diamond 2) b a b a

c c c c if then c b a P a b a b

Note that ED2 could be seen as a form of a forward diamond property: if a b b a S →→ P and S →→ P is a forward diamond and there is another ab diamond from S to Q, then P = Q. In other words, if there a forward diamond from S to P , then such P is unique.

Definition 2.17 A prime2 graph is defined as a prime graph except that its ltr component satisfies ED2 and FD2 instead of ED and FD, respectively.

Note that the graph in the definition of ED2 is isomorphic to the first graph in Figure 1. Looking back at RD, the state S is the unique such S for prime2 graphs. This can be proved using RD three times and then ED2. We shall denote RD with unique S by RD2. We also have that P in FD2 is the unique such P , as can be proved using FD2 and ED2. We can define reverse Event Determinism (reverse ED2) property by reversing the arrows in ED2. Then reverse ED2 follows easily from RD2.

Proposition 2.18 Prime graphs are prime2 graphs and vice versa.

Proof. Omitted. 2 91 Phillips and Ulidowski

3 Prime event structures

We would like to map prime graphs into prime event structures, and vice versa, so that we can then compare our FR bisimulation with HHP bisimulation. The definition below of a prime event structure is taken from [6] and is consistent with the original definition by Winskel [10]. It generalises prime event structures with binary conflict relation.

Definition 3.1 A labelled prime event structure is a tuple E = (E,<,♯,ℓ), where E is the set of events, < ⊆ E × E is a partial order, called the causality relation, satisfying the principle of finite causes: {e′ ∈ E | e′ < e} is finite for each e ∈ E, and ♯ ⊆ P(E) is a set of finite, nonempty, non-singleton subsets of E, called the conflict relation, satisfying the principles of extension:

♯X and Y ⊆fin E implies ♯(X ∪ Y ) and conflict heredity:

♯(X ∪ {e}) and e < e′ implies ♯(X ∪ {e′}), and ℓ : E → Lab is a labelling function.

A set of events X is conflict-free if X∈ / ♯. A prime event structure has a binary conflict if for every X such that ♯X there is Y with only two elements, Y ⊆ X and ♯Y . Given a set of events X of E, the set of events below X, written as X↓, is defined as {e′ ∈ E |∃e ∈ X. e′ ≤ e}. X is downwards-closed if X = X↓. Two prime event structures are isomorphic if and only if there exists a bijection between their sets of events which preserves and reflects the causality relation, the conflict relation and the labelling.

Example 3.2 Consider the event structure with events {a, b, c} and where ♯{a, b, c}, with no other conflict and no causation. This event structure is equivalent to no prime event structure with binary conflict.

The behaviour of a prime event structure is represented in terms of configura- tions: finite subsets of events which are conflict-free and downwards-closed. Given a prime event structure E, cfs(EE ) is the set of its configurations. The configuration graph for E, written as cg(E), has configurations of EE as its states and is got by a taking ∅ as the initial state and setting X →cg(E) Y if Y \ X = {e} with ℓ(e) = a. Such configuration graphs are ranged over by C, D and have the sets of configu- rations CC, DD; the associated transition relations are →C, →D, respectively. The reverse transition relations are C, D, respectively.

Proposition 3.3 The configuration graph of a prime event structure is a prime graph.

Proof. Let C be the configuration graph of a prime event structure. It suffices to check all the properties of prime graphs hold for C. 92 Phillips and Ulidowski

(i) WF follows from the fact that configurations are finite subsets of events, and when we compute in reverse we decrease the size of configurations. a (ii) UT follows from the definition of →C: X →C Y implies Y \ X has just one event and its label is a.

(iii) ED follows by the definition of configurations and →C. (iv) RD is due to the fact that intersection of two configurations is also a config- uration for prime event structures [4]. For configurations P,Q,R and S we have P = Q ∪ {a}, P = R ∪ {b}, so there is S such that Q = S ∪ {b} and R = S ∪ {a}. The intersection of Q and R is a configuration, meaning that S is a configuration. (v) FD follows from a reachability property of configurations [4], namely that if X,Y,Z are configurations and X ∪ Y ⊆ Z then X ∪ Y is a configuration. For configurations P,Q,R and T we have Q = P ∪{a}, R = P ∪{b} and Q∪R ⊆ T , so Q ∪ R is a configuration and S = Q ∪ R. 2

The configuration graph of the event structure in Example 3.2 forms three faces of a cube. It is a prime graph. The configuration graph corresponding to an event structure in full generality (i.e. not necessarily prime) may not satisfy some of the properties of prime graphs:

Example 3.4 Consider the parallel switch of [10, Example 1.1.7], where the bulb will light if either of two switches is closed. This is an example of so-called or- causation where a disjunction of events causes an event. We have event b (bulb) caused by either of the switch events 0 or 1, and {0, b} →1 {0, 1, b}, {1, b} →0 {0, 1, b}. But {b} is not a configuration, so that we cannot complete the reverse diamond and, hence, RD does not hold. A “non-repeating” condition for prime event structures concerns events: Definition 3.5 A labelled prime event structure is non-repeating if for any events e, e′, if ℓ(e)= ℓ(e′) then e = e′ or ♯{e, e′}. The reason for the name is that no two events that occur in a configuration can have the same label. Another way to look at this is that a configuration gives rise to a set of labels, rather than a multiset of labels, as would otherwise be the case in general. It is equivalent to no auto-concurrency [1] and no auto-causation: if e < e′ then ℓ(e) 6= ℓ(e′). Proposition 3.6 No two events of a configuration of a non-repeating prime event structure have the same label.

4 Correspondence of prime graphs and prime event structures

Van Glabbeek and Vaandrager [6] give a method for assigning to a process graph G (with initial state) a labelled prime event structure es(G). The method is as 93 Phillips and Ulidowski follows. Take any process graph G = (G, Lab, →,I). The relation ∼ and the events [P,a,Q] are defined as in Section 2. Let E = →/∼. Define a labelling function ℓ : E → Lab by setting ℓ([P,a,Q]) = a. A rooted path is a forward computation a1 a2 an ′ ′ I = P0 → P1 → ··· → Pn starting at the root. Define e < e if and only if e 6= e and all rooted paths that contain a representative of e′ also contain a representative of e. Let X ⊆ E be finite. We define ♯X if and only if G does not have a rooted path containing representatives of all events in X. Then E = (E,<,♯,ℓ) is a prime event structure. Van Glabbeek and Vaandrager show in [6] that if E is a prime event structure then es(cg(E)) = E. Here we do not distinguish isomorphic process graphs. This shows that prime event structures are embeddable in process graphs. Proposition 4.1 Given a prime event structure E, es(cg(E)) = E.

We shall show that any prime graph is the configuration graph of the event structure got from the prime graph by the procedure described above, namely: Theorem 4.2 Given a prime graph G, cg(es(G)) = G.

The rest of this section is devoted to proving the theorem. Consider es(G). Clearly the configuration corresponding to P ∈ G is just the a1 a2 an set of events executed up to P . Let I = P0 → P1 → ··· → Pn = P be a path with endpoint P . So we define the configuration associated with P as cf(P ) = {[Pi, ai+1, Pi+1] : i

Proof. (Sketch, with abuse of notation between events and labels of events) Sup- a s t a t pose we have I → P ′ → P . Then we must have I → Q′ → Q′′ →′ Q with (I, a, P ′) ∼ (Q′,a,Q′′). Clearly any events in t cannot be below a, and so by repeated use of SD (Lemma 2.11) we can “promote” a to the front of t to get a t t I → Q′′′ → Q′′ →′ Q. Now we use ED to deduce that P ′ = Q′′′. Continuing this process along s we deduce that P = Q. 2 Proposition 4.4 Let G = (G, Lab, →,I) be a prime graph. If X ∈ cfs(es(G)) then there is P such that cf(P )= X

Proof. (Sketch, with abuse of notation between events and labels of events) Let s X ∈ cfs(es(G)). We show that if I → Q and X ⊆ cf(Q) with X downwards-closed t under < then there exist t, P such that cf(P ) = X and I → P →∗ Q. Suppose that a comes immediately before b in s, and a∈ / X, b ∈ X. Then a 6< b since X is downwards-closed. We can swap a and b by SD (Lemma 2.11). Continue this until all events in X occur before all events not in X. We have the desired t, P . 2 a Proposition 4.5 Let G = (G, Lab, →,I) be a prime graph. Then P → Q if and a only if cf(P ) →cg(es(G)) cf(Q). 94 Phillips and Ulidowski

Proof. (Sketch, with abuse of notation between events and labels of events) (⇒) Clearly cf(Q) = cf(P ) ∪ {[P,a,Q]}. Here we use the result that events cannot a be repeated along any path (Proposition 2.10). Then cf(P ) →cg(es(G)) cf(Q) by definition. s tat (⇐) We have cf(Q)= cf(P ) ∪ {e} where ℓ(e)= a. Suppose I → P and I →′ Q. Then for each b ∈ t′ we have a 6< b since b ∈ s and a∈ / s. So by SD (Lemma 2.11), tt a a can be permuted with each successive member of t′ and we have I →′ R → Q for some R. But then R = P by Proposition 4.3. 2

Finally, we show that if we add a condition on prime graphs that no path can include repeated labels, then we have a correspondence with event structures where events with the same label must be the same or in conflict.

Proposition 4.6 Let G be a non-repeating prime graph. Then es(G) is a non- repeating prime event structure.

Proof. Assume for contradiction that es(G) is not non-repeating: there are differ- ent events e, e′ with ℓ(e)= ℓ(e′) and {e, e′} ∈/ ♯. The last implies, by the definition of ♯, that e, e′ appear on a path. Hence, this path has repeated labels ℓ(e): contra- diction. 2 Proposition 4.7 Let E be a non-repeating prime event structure. Then cg(E) is a non-repeating prime graph.

Proof. A straightforward proof by contradiction using the fact that no path of a prime graph has repeated events (Proposition 2.10). 2

5 Correspondence of bisimulations

We recall a definition of a bisimulation relation for process graphs that takes both forward and reverse transitions into account [8]:

Definition 5.1 Let G and H be process graphs. A symmetric relation S ⊆ GG ×HH is a forward-reverse (FR) bisimulation between G and H if S(IG,IH) and whenever S(P,Q) then µ ′ ′ µ ′ ′ ′ • if P →G P then there is Q such that Q →H Q and S(P ,Q ); µ ′ ′ µ ′ ′ ′ • if P G P then there is Q such that Q H Q and S(P ,Q ).

We define G ∼FR H if and only if there is an FR bisimulation between G and H.

By abuse of notation we shall write P ∼FR Q if P,Q are states of G, H, respec- tively, and there exists an FR bisimulation S between G and H such that S(P,Q). A similar relation, called back-and-forth bisimulation was proposed by Bednar- czyk [1]. It uses forward transitions to mimic the effect of reverse transitions. Since in this paper is the inverse of →, the two bisimulations coincide. However, this does not hold for general transition systems where some transitions are irreversible. Example 5.2 FR bisimulation satisfies an intuitive equation a = a + a. Note that the graph of a + a is a non-repeating prime graph. 95 Phillips and Ulidowski

a a a a FR bisimulation is insensitive to auto-concurrency: Let I → P → R, I → Q → a a R with P 6= Q, and I′ → P ′ → R′. Consider the graphs with initial states I and I′, respectively. They are clearly FR bisimilar, and they have auto-concurrency and auto-causation, respectively. Note that CCSK processes a | a and a.a are not FR bisimilar: using the notation from [8] we have that after performing a, a we get to a[m] a[m] a[m] | a[n] and a[m].a[n]. Now, a[m] | a[n] and a[m].a[n] 6 . Finally, FR bisimulation does not satisfy the absorption law:

(a | (b + c)) + (a | b) + ((a + c) | b) = (a | (b + c)) + ((a + c) | b)

If one performs a and then b with the a | b component on the left, then these must be matched by the a and then the b of the ((a + c) | b) summand on the right. (Matching it with the a of (a | (b + c)) is wrong as after this a action is performed, no c is possible after a in a | b.) The right hand side can now reverse a and do a c (still using the same summand as all other summands are disabled). The left hand side cannot match this: the component a[m] | b[n] can regress by a[m] to a | b[n] but it cannot perform any c.

We have shown that the configuration graphs associated with prime graphs are prime graphs themselves (Theorem 4.2), and that the configuration graphs for prime event structures are prime graphs (Proposition 3.3). Hence, in the setting of prime graphs and prime event structures the definition of FR bisimulation generalises trivially to configuration graphs. Hereditary history-preserving bisimulation was proposed by Bednarczyk [1], and also appeared under a different name in an earlier version of [5] and in [7]. Here, we present a reformulation of the original definition due to van Glabbeek and Goltz [5] (but without termination). This particular bisimulation is defined over configura- tion graphs and, in addition to matching configurations and the transitions between configurations, it also keeps a history of the matched events along matching com- putations. This is achieved by means of a label-preserving and order-preserving isomorphism between the events of the two configuration graphs. Given two prime event structures E and F, their configuration graphs are cg(E) and cg(F). Let these graphs be called C and D, respectively, with C = cfs(E) and D = cfs(F ). In order to define the so-called “history” isomorphisms we need to consider the full sub-event structures determined by configurations. We shall write such event structures as (X,

Definition 5.3 Let C and D be configuration graphs. A relation R ⊆ C × D × P(EC × ED) is a hereditary history-preserving (HHP) bisimulation between C and D if R(∅, ∅, ∅), and whenever R(X,Y,f) then • f is an isomorphism between (X,

µ ′ ′ ′ µ ′ ′ ′ ′ ′ • if Y →D Y then ∃ X ,f such that X →C X , R(X ,Y ,f ) and f ↾ X = f; µ ′ ′ ′ µ ′ ′ ′ ′ ′ ′ • if X C X then ∃ Y ,f such that Y D Y , R(X ,Y ,f ) and f ↾ X = f ; µ ′ ′ ′ µ ′ ′ ′ ′ ′ ′ • if Y D Y then ∃ X ,f such that X C X , R(X ,Y ,f ) and f ↾ X = f .

We define C ∼HHP D if and only if there is an HHP bisimulation between C and D. The main result of this section is that FR bisimulation coincides with HHP bisimulation on configuration graphs for non-repeating prime event structures. A similar result was proved by Bednarczyk [1]. He considered configuration structures which arise from a smaller family of prime event structure with binary conflict. But instead of the non-repeating property his result holds under a less restrictive no auto-concurrency condition. Theorem 5.4 Let E and F be non-repeating prime event structures, and let C and D be their configuration graphs. Then, C ∼HHP D if and only if C ∼FR D. Example 5.5 The graphs for a and a + a are HHP bisimilar. Consider the graphs with initial states I and I′ from Example 5.2. Although they are FR bisimilar a a they are not HHP bisimilar: If we match the two a transitions I → P → R a a with the respective transitions in I′ → P ′ → R′, we obtain an order isomorphism a a a a {([(I, →, P )], [(I′, →, P ′)]), ([(P, →, R)], [(P ′, →, R′)]). Then, reversing a from R to Q cannot be matched by reversing the isomorphic transition from R′ since a a [(Q, →, R)] = [(I, →, P )]. The proof of Theorem 5.4 from left to right is by definition of FR bisimulation. The other direction requires first some auxiliary results. Since configurations of non-repeating prime event structures have no repeated events (Proposition 2.10) and no two events share the same label, the events in a configuration can be identified uniquely by their labels. And, the causality order on the events in a configuration reduces to the corresponding order on events’ labels. Hence, in the remainder the isomorphisms required in Definition 5.3 shall be called simply order isomorphisms. Proposition 5.6 Let C and D be configurations graphs of non-repeating prime event structures E and F. Let S be an FR bisimulation between C and D, and let S(C, D) for C ∈ C and D ∈ D. Then a map is(C, D), defined by is(C, D)(e) = e′ if ℓ(e)= ℓ(e′) and e ∈ C, e′ ∈ D, is an order isomorphism between C and D. Proof. The map is is clearly well-defined. since configurations of non-repeating prime event structures have no repeated events (Proposition 2.10) and no two events have the same label. One shows that the map is injective by using the above mentioned results. To show that is is surjective, namely for every e′ ∈ D there is e ∈ C such that is(C, D)(e) = e′, we consider S(C, D). A reverse computation t a ′ ′ D D D D , where ℓ(e ) = a and t is some sequence of labels for events in D, t a ′ implies C C C C by S(C, D). Because of the non-repeating property, there is a unique event e ∈ C with the label a, so is(C, D)(e)= e′. It remains to prove that is is order-preserving. We shall show a

The following result is a consequence of the non-repeating property for both prime event structures and prime graphs. It is proved similarly as the previous proposition. Proposition 5.7 Let C and D be configuration graphs of non-repeating prime event structures E and F. Let S be an FR bisimulation between C and D, and let S(C, D) for C ∈C and D ∈ D. a ′ ′ ′ a ′ (i) If C →C C with C \C = {e} and ℓ(e)= a then there is D such that D →D D with D′ \ D = {e′} and ℓ(e′) = a, and S(C′, D′) and is(C′, D′) is an order isomorphism between C′ and D′; a ′ ′ ′ ′ ′ (ii) If D →D D with D \ D = {e } and ℓ(e ) = a then there is C such that a ′ ′ ′ ′ ′ ′ C →C C with C \ C = {e} and ℓ(e) = a, and S(C , D ) and is(C , D ) is an order isomorphism between C′ and D′.

Proof of Theorem 5.4. Let E and F be non-repeating prime event structures, and let C and D be their configuration graphs. We show C ∼FR D implies C ∼HHP D. Let S be an FR bisimulation that relates the configurations of C and D. Define a relation R⊆ CC × DD × P(EC × ED) as follows: for all configurations C, D we let R(C,D,f) if S(C, D) and f = is(C, D). It remains to show that R is a hereditary history-preserving bisimulation between C and D. Clearly, R(∅, ∅, ∅). Assume R(C,D, is(C, D)). Then is(C, D) is an order iso- morphism, and the two conditions for the forward transitions follow from Proposi- tion 5.7. For the reverse transition conditions we consider the last one from Def- µ ′ ′ µ ′ inition 5.3. Let D D D . Then by S(C, D) there is C such that C C C and S(C′, D′). Clearly, C′ \ C = {e} with ℓ(e) = µ and D′ \ D = {e′} with ℓ(e′) = µ. Since is(C′, D′)(e)= is(C, D)(e) if e ∈ C and is(C′, D′)(e)= e′ if e ∈ C′ \C, we de- duce that is(C′, D′) is an order isomorphism. And we obtain R(C′, D′, is(C′, D′)).2

6 Conclusions and future directions

We have proposed prime graphs as an alternative and equivalent model to labelled prime event structures (with general conflict). Prime graphs are a subclass of re- versible transition systems that satisfy several properties relating to concurrency and reversibility. A concrete example of prime graphs are process graphs for CCSK processes. The communication mechanism of CCSK works correctly in both direc- tions thanks to the use of communications keys, and the keys, in turn, force an additional property of non-repeating on prime graphs for CCSK processes. The non-repeating property does not seem to be intrinsic to reversible transition systems. However, it seems to guarantee compositionality and it deals with auto- concurrency. It raises the question of whether non-repeating is necessary or not for concrete formulations. 98 Phillips and Ulidowski

In the second part of the paper we have investigated the distinguishing power of FR bisimulation and have shown that for non-repeating models, either prime graphs or prime event structures, FR bisimulation coincides with HHP bisimulation. Since CCSK gives rise naturally to such models, HHP bisimulation, and hopefully other true concurrency equivalences, can be verified by standard interleaving-based techniques. In future it would be interesting to study trace-based equivalences in reversible transition systems and identify the corresponding equivalences in true concurrency models.

Acknowledgements

We would like to thank Daniele Varacca, Sibylle Fr¨oschle, Reiko Heckel and the anonymous referees for helpful comments and suggestions.

References

[1] Bednarczyk, M., Hereditary history preserving bisimulations or what is the power of the future perfect in program logics, Technical Report ICS PAS, Polish Academy of Sciences (1991).

[2] Danos, V. and J. Krivine, Reversible communicating systems, in: P. Gardner and N. Yoshida, editors, Proceedings of the 15th International Conference on Concurrency Theory CONCUR 2004, LNCS 3170 (2004), pp. 292–307.

[3] Fiore, M. P., G. L. Cattani and G. Winskel, Weak bisimulation and open maps, in: Proceedings of the 14th Annual IEEE Symposium on Logic in Computer Science, IEEE (1999), pp. 67–76.

[4] van Glabbeek, R.J., History preserving process graphs (1996), http://boole.stanford.edu/~rvg/pub/history.draft.dvi.

[5] van Glabbeek, R.J. and U. Goltz, Refinement of actions and equivalence notions for concurrent systems, Acta Informatica 37 (2001), pp. 229–327.

[6] van Glabbeek, R.J. and F. Vaandrager, The difference between splitting in n and n + 1, Information and Computation 136 (1997), pp. 109–142.

[7] Joyal, A., M. Nielsen and G. Winskel, Bisimulation from open maps, Information and Computation 127 (1996), pp. 164–185.

[8] Phillips, I.C.C. and I. Ulidowski, Reversing algebraic process calculi, in: Proceedings of 9th International Conference on Foundations of Software Science and Computation Structures, FOSSACS 2006, LNCS 3921 (2006), pp. 246–260. Extended version accepted by Journal of Logic and Algebraic Programming.

[9] Sassone, V., M. Nielsen and G. Winskel, Models of concurrency: Towards a classification, Theoretical Computer Science 170 (1996), pp. 297–348.

[10] Winskel, G., Event structures, in: Advances in Petri Nets 86, LNCS 255 (1987), pp. 325–392.

99 SOS 2007 Preliminary Version

A Congruence Rule Format with Universal Quantification

MohammadReza Mousavi a,b,1 , Michel Reniers a

a Department of Computer Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB Eindhoven, The Netherlands b Department of Computer Science, Reykjav´ık University, Kringlan 1, IS-103 Reykjav´ık, Iceland

Abstract

We investigate the addition of universal quantification to the meta-theory of Structural Operational Seman- tics (SOS). We study the syntax and semantics of SOS rules extended with universal quantification and propose a congruence rule format for strong bisimilarity that supports this new feature.

Keywords: Structural Operational Semantics (SOS), Universal Quantification, SOS Rule Formats, Bisimulation, Congruence.

1 Introduction

Structural Operational Semantics (SOS) [14] has been widely used in a variety of forms. Transition System Specification (TSS) [7] is a formalization of SOS which defines a rigorous syntactic and semantic framework for SOS. The notion of TSS paved the way for building up meta-theories around SOS [1,10]; theories about congruence rule formats [7,4] are examples of such meta-theories. The semantics of a TSS [4,5] comes with an implicit existential quantification of valuations of variables used in the rule: if there exists a substitution on variables (appearing in the rule) such that the premises of the rule are satisfied, then the conclusion (with the same substitution applied to it) follows. The following example illustrates this. Example 1.1 Consider the following TSS.

a b x y y 9 (aaa) a (aab) a (bbb) b (f) → ∧c a a a b b b f(x) y → → → → 1 Corresponding author: [email protected]. The work of this author has been partially supported by the project “The Equational Logic of Parallel Processes” (nr. 060013021) of The Icelandic Research Fund. This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science Mousavi, Reniers

c In the aforementioned TSS, it is possible to derive f(a) a from (f) using rule (aaa) → since there exists a substitution for x and y, namely, σ(x) = a and σ(y) = a such a b that σ(x) σ(y) and σ(y) 9 . The semantics of TSS neglects the fact that there is → another substitution σ′, with σ′(x)= a and σ′(y)= b such that the premises of (f) do not hold (which is justified due to the aforementioned existential quantification). From a purely theoretical viewpoint, there is no reason to only use existential quantification (implicitly) in the premises and it makes sense to study the meta- theory of an SOS framework in which universal quantification over (valuations of) variables is also allowed. Universal quantification in SOS rules appears in practice, too [2,3,11,15]. The following examples illustrate the use of universal quantification in practical instances of operational semantics. Example 1.2 In [2], the weak termination predicate is characterized as follows: p√√ iff τ (i) p 9 and p√, or τ τ (ii) p and for each q, p q implies q√√. → → A straightforward formalization of this definition by means of deduction rules gives

τ τ τ x 9 x√ x y(x y y√√) ∧ → ∧∀ → ⇒ x√√ x√√

By rewriting implication (and negation), this predicate can be conveniently formu- lated in terms of deduction rules as follows:

τ τ τ x 9 x√ x y(x 9 y y√√) ∧ → ∧∀ ∨ x√√ x√√

Example 1.3 Also in [2], semantical divergence p is defined formally by ⇓ τ τ x y(x y y ) x y(x 9 y y ) ↓ ∧∀ → ⇒ ⇓ or by ↓ ∧∀ ∨ ⇓ x x ⇓ ⇓ One may argue that universal quantification in the above examples (and other similar ones such as [15, Definition 33]) can be resolved by a semantics-preserving transformation which replaces universally quantified variables / terms with all their possible instantiations. This is not always desired. In a general framework, universal quantification can indeed be seen as an acronym for a (usually infinite) number of existentially quantified premises and / or rules. However, once due to the restrictions in the meta-theory, one restricts the framework to a certain form of rules (i.e., a certain congruence rule format such as the NTyft format), this transformation may change the shape of the rules and take the specification beyond the restricted framework. Hence, it is worth investigating a framework in which universal quantification is genuinely present and study how much of the meta-theory carries over to this setting. This has already been noted in [17, Section 2] where the author writes. 101 Mousavi, Reniers

... Moreover, we think it would be a better idea to study a format that allows universal quantification. This paper takes a step towards the addition of universal quantification to the SOS meta-theory. We slightly extend the syntax of SOS rules with one level of universal quantification. Inspired by examples such as those mentioned before, we also introduce the use of disjunction in the premises of a rule. We define the semantics of such SOS rules as expected. As the main contribution, we propose a congruence rule format for strong bisimilarity that supports these new features. To our knowledge no such format (supporting universal quantification) exists. Our meta-language for SOS rules is still restricted; one may consider a language in which an arbitrary first order predicate formula (thus, an arbitrary mix of existential and universal quantification) is allowed in the premises of deduction rules but this is an extremely complicated problem which we could not tackle in one go.

2 Universal Quantification in TSS

In this section, we first fix a syntax for TSS’s with universal quantification and then proceed with defining their semantics. There is little novelty concerning the notions presented here; most of the notions can be traced back to those presented in [15,5]. Fix a signature Σ, i.e., a collection of function symbols f, g, . . . with fixed arities (natural numbers), ar(f), ar(g), . . ., and a countable set X = x,y,z,x ,... of { 0 } variables. Function symbols a, b, c, . . . with arity 0 are also called constants. Open ′ terms t,t ,ti T are defined inductively using function symbols and variables (while ∈ respecting the arities of function symbols). We denote variables of a term t by (t). V Closed terms p,q... C are terms containing no variable. A substitution maps ∈ variables to terms and it is closed if its range is a subset of C. A (transition) clause Φ is defined by the following grammar.

p ′ p ′ Φ ::= t t t 9 t V Φi W Φi → | | i∈I | i∈I We restricted the syntax of clauses as given above to facilitate better presentation; adding implication and negation to the above syntax is straightforward but causes a more complicated presentation, especially for our congruence results. p p Clauses of the form t t′ and t 9 t′ are called positive and negative (transition) → formulae, respectively. The aforementioned formulae are said to deny each other, p ′ p ′ p ′ p ′ denoted by t t = t 9 t and t 9 t = t t . The formulae V Φi and W Φi ¬ → ¬ → i∈I i∈I denote conjunction and disjunction, respectively, over formulae parameterised by an index variable i quantified over a possibly infinite index set I. To unclutter presentation we do not treat predicate formulae in our framework (e.g., formulae of the form P (t) or P (t)) but allow for their presence and consider them as transition ¬ formulae with dummy labels and targets. The rest of this paper can be re-phrased in the genuine presence of predicate formulae without any substantial change in the formal development of the paper. We intend to add one level of universal quantification and this suffices for the applications we have encountered thus far in the literature. It seems reasonable to make the already existing and implicit existential quantification in rules explicit. 102 Mousavi, Reniers

This raises the question as to whether these existentially bound variables are bound outside or inside the universal quantification, i.e., whether the clause should be augmented as z0 z1 Φ or z1 z0 Φ where z0 represents the set of (formerly implicitly ∃ e ∀ e ∀ e ∃ e e bound) existentially quantified variables. We decided to go for maximum generality in our setting and avoid the design decision altogether. In other words, we allow for disjoint sets of existentially quantified variables appearing before as well as after the universal quantification. Of course, the ultimate goal would be to have a general first order language and allow for all sorts of nested quantifiers. Another decision we made is to write the quantifiers in front of the deduction rules since they may also apply to the occurrences of the quantified variables in the target of the conclusion. A TSS is a set of deduction rules of the form Φ (r) z0 z1 z2 , ∃ e ∀ e ∃ e φ where z0, z1, and z2 stand for sets of variables, Φ is a transition clause and φ is a e e e positive formula. Clause Φ is called the premises (each formula appearing in Φ is called a premise) and φ is a positive formula which is called the conclusion of deduc- p tion rule (r). Assume that φ = t t′; we call t the source of the above deduction → rule. A deduction rule (TSS) without universal quantification and disjunction is called a traditional deduction rule (TSS). For such traditional deduction rules one can represent the conjunction of transition formulae as a set (as we do in Definition 2.3 below). To avoid any ambiguity we assume that (r) (t) z0 z1 z2 V ⊆ V ∪ e ∪ e ∪ e (where (r) denotes all variables appearing in the premises and the conclusion of V the deduction rule (r)) and assume that (t), z0, z1 and z2 are all pairwise disjoint. V e e e We decided to quantify on valuations of variables only since intuitively, quan- tification over valuations of (open) terms reduces to quantification over variables. In the remainder of this paper, for better presentation, we assume that premises are in the disjunctive normal form, i.e., of the form Wi∈I Vj∈J φij where I and J are index sets, φij is a positive or negative formula. Note that in the absence of universal quantification, a rule with a number of disjuncts as premises can be rep- resented by a number of rules; one for each disjunct. However, in the presence of universal quantification, this cannot be done because z(φ ψ) is not equivalent to ∀ ∨ ( zφ) ( zψ). ∀ ∨ ∀ Example 2.1 The weak termination operator of Example 1.2 is rephrased in our syntax as follows.

τ τ τ τ x 9 y x√ (x y′ x 9 y) (x y′ y√√) y ∧ y′ y → ∧ ∨ → ∧ ∀ x√√ ∃ ∀ x√√ Example 2.2 The semantical divergence of Example 1.3 can be rewritten into the following extended TSS.

τ (x x 9 y) (x y ) y ↓∧ ∨ ↓∧ ⇓ ∀ x ⇓ 103 Mousavi, Reniers

2.1 Extended TSS: Semantics

Semantics of extended TSS’s do not defer much from traditional TSS’s. In [4,5], the following notion of three-valued stable model is defined for closed traditional TSS’s, i.e., TSS’s containing only traditional deduction rules which do not contain any variable. Φ Definition 2.3 A traditional deduction rule is provable from a closed traditional φ Φ TSS R, denoted by R , when there exists a well-founded upwardly branching tree ⊢ φ with formulae as nodes and of which • the root is labeled by φ; • if a node is labeled by ψ and the nodes above it form the set K then one of the following two cases hold: ψ Φ and K = ; · ∈ ∅ K ψ is a positive transition formula and R. · ψ ∈ l A negative transition formula φ = p 9 p′ is true for a set P F of positive formu- l lae, denoted by P F φ when p p′ / P F . A set NF of negative formulae is true  → ∈ for the set P F , denoted by P F NF when for all φ NF , P F φ.  ∈  When the TSS is known from the context, we omit it from the notation and just write Φ . ⊢ φ Definition 2.4 (Three-Valued Stable Models) A pair (C, U) of sets of posi- tive closed formulae (where C stands for Certain and U for Unknown; the third value is determined by the formulae not in U) is called a three-valued stable model for a TSS when C U and ⊆ N • for all φ C, for a set N of negative closed transition formulae such that ∈ ⊢ φ U  N; N • for all φ U, for a set N of negative closed transition formulae such that ∈ ⊢ φ C  N. In [16,5], it has been shown that every TSS admits a least three-valued stable model with respect to the information theoretic ordering (i.e., (C, U) (C′, U ′) ≤ when C C′ and U ′ U). A TSS is called complete [5] (or positive after reduction ⊆ ⊆ [4]) if for its least three-valued stable model (C, U), C = U. To define the semantics of traditional TSS’s in general, one has to instantiate the deduction rules with all closing substitutions and then use the above definition on the resulting closed TSS. A similar approach, as suggested in [15], can be used to define a meaning for TSS’s with universal quantifiers. First, each rule is replaced with a number of traditional rules, of which the premises contain all possible instan- tiations for the universally quantified variables and some instance of the existentially quantified ones (for each instance of the universally quantified variables, similar to the idea of Skolemization). Second, the remaining variables, i.e., the variables in the 104 Mousavi, Reniers source of the conclusion, are instantiated with all possible substitutions resulting in a closed traditional TSS. The following definitions formalize this idea. Φ Definition 2.5 For a traditional deduction rule r = φ , its closure, cl(r) is the set of deduction rules σ(Φ) σ : X C . Closure of a traditional TSS R, denoted by { σφ | → } cl(R) is defined by Sr∈R cl(r). The semantics of R is defined by the semantics of cl(R). For each deduction rule r of the following form,

Wi∈I Vj∈J φij (r) z0 z1 z2 l ∃ e ∀ e ∃ e t t′ → sk(r) is the set of all deduction rules sk(r, σ ,σ ,...,σ ,...,i ,... ij) for each 0 10 20 0 | substitution σ0 : z0 C, series of substitutions σ10,σ11,... : z1 C such that for e → e → each variable z z1, σ10(z),σ11(z),... = C, series of substitutions σ20,σ21,... : ∈ e { } z2 C, series of indices i0, i1,... I and each ij i0, i1,... which is defined as e → ∈ ∈ { } follows.

(V σ σ σ φi0j) (V σ σ σ φi1j) . . . j∈J 0 · 10 · 20 ∧ j∈J 0 · 11 · 21 ∧ l ′ σ σ i σ i (t t ) 0 · 1 j · 2 j →

In the above deduction rule denotes function composition. If any of the sets zi (for · e each i 0, 1, 2 ) is empty then one should drop all σij (σi, for i = 0) from the ∈ { } definition of sk(r). Also in the case of I = , all ij components should be dropped ∅ from the definition of sk(r). Note that the above deduction rule is traditional and hence, sets of such deduction rules can be given a semantics using traditional ways of assigning meaning to TSS’s. The meaning of a TSS R with universal quantification is defined as the meaning of

Sr∈R sk(r). The following simple example illustrates the semantics of extended TSS’s. Example 2.6 Consider the following TSS.

(aaa) a (aab) a (bab) a (bbb) b a a a b b b b b → → → →

a b x 9 y y z (f) y z ∨ c → ∀ ∃ f(x) c →

Assume A = (aaa), (aab), (bab), (bbb) ; it holds that A = S sk(r), i.e., since { } r∈A deduction rules in A do not contain quantified variables, their Skolemization yields the same deduction rules. However, (f) contains a universally quantified variable y and an existentially quantified variable z. (In terms of the notation used in Defini- a b tion 2.5, z0 = , z1 = y and z2 = z .) Let φ0 = x 9 y and φ1 = y z; sk(f) is e ∅ e { } e { } → 105 Mousavi, Reniers defined as follows.

Vj∈IN σ1j σ2jφij (sk(f,σ10 = [y p10],σ20 = [z p20],...,i0, i1,...,i)) ·c { 7→ 7→ f(x) c | → pkl C p ,p ,... = C il 0, 1 i 0, 1 ∀k∈{0,1},l∈IN ∈ ∧ { 10 11 } ∧ ∈ { }∧ ∈ { }}

For example, sk(f,σ ,σ ,...,i ,...,i) where ij = 0, for each j IN (for 10 20 0 ∈ arbitrary i, σ1j and σ2j) is the following deduction rule.

9a Vp∈C x p c f(x) c → The least three-valued stable model of the TSS is the pair (C, U) where C = U = a a a b c a a, a b, b b, b b, f(p) c p C a . Hence, the TSS is complete. { → → → → → | ∈ \ { }}

3 Universal NTyft

3.1 Bisimilarity and Congruence Strong bisimulation, as defined below, is a key notion of behavioral equivalence in concurrency theory. Definition 3.1 (Bisimulation and Bisimilarity) A symmetric relation R C ⊆ × C is a bisimulation relation when for all p,q C such that pRq, l C, and p′ C, l l ∈ ∈ ∈ if p p′ then there exists a q′, q q′ and p′ R q′. → → Two closed terms p and q are bisimilar, denoted by p q, when there exists a ↔ strong bisimulation relation R such that pRq. To treat bisimilarity compositionally and algebraically, it is essential to make sure that it is a congruence relation, i.e., one can replace equals by equals. Definition 3.2 (Congruence) An equivalence relation R is a congruence w.r.t. a function symbol f (with an arbitrary arity n), when for all −→p , −→q , if −→p R −→q then f(−→p ) R f(−→q ). R is a congruence w.r.t. a signature Σ when it is a congruence for all function symbols f Σ. ∈ 3.2 Rule Format and Its Proof In this section, the rule format is defined that should guarantee congruence of bisimilarity and this is proven. Definition 3.3 (Variable Dependency Ordering) For a deduction rule r of the following form,

l′ li ′ 9j ′ Wk∈K(Vi∈I ti yi Vj∈J tj yj) (r) k → ∧ k , z0 z1 z2 l ∃ e ∀ e ∃ e t t′ → 106 Mousavi, Reniers the variable dependency ordering

l′ li ′ 9j ′ Wk∈K(Vi∈I ti yi Vj∈J tj yj) (r) k → ∧ k , z0 z1 z2 l ∃ e ∀ e ∃ e t t′ → is in the UNTyft format when it satisfies the following conditions:

(i) t is of the form f(−→x ); ′ ′ ′ ′ ′ ′ (ii) ′ ′ (i = i j = j ) (yi = yi′ y = y ′ yi = y yi,y / ∀i,i ∈Sk∈K Ik ∀j,j ∈Sk∈K Jk 6 ∧ 6 ⇒ 6 ∧ j 6 j ∧ 6 j ∧ j ∈ (t)) (targets of all transitions are distinct variables and are all distinct from V variables in the source of the conclusion);

(iii) z1 yi i Ik, k K = (universally quantified variables cannot appear as e ∩ { | ∈ ∈ } ∅ targets of positive premises) ′ (iv) y j Jk, k K z1 (all targets of negative premises should be universally { j | ∈ ∈ }⊆ e quantified);

(v) z∈z0 k∈K i∈Ik z = yi u∈z1∪z2 (u

Proof. We prove the theorem for a TSS in the UNTyft format. For deduction rules in the UNTyxt format essentially the same proof technique can be adopted. We use the following auxiliary definition for our inductive proof. Definition 3.6 (Reduction Technique for SOS with Negative Premises) For 107 Mousavi, Reniers an ordinal α, define: . N Cα = φ β<αUβ  N { |⊢ φ ∧∃ } . N Uα = φ β<αCβ  N { |⊢ φ ∧∀ } N It follows from the above two items that C0 = , U0 = φ . ∅ { |⊢ φ } It follows from Tarski’s fixpoint theorem (observing that Cα Cβ and Uβ Uα ⊆ ⊆ for α β) that the above reduction procedure will reach a fixpoint at an ordinal, ≤ say λ and it follows from the above definition that (Cλ, Uλ) is indeed the least three-valued stable model. Define R to be the smallest congruence containing the bisimilarity associated ↔ with the TSS in the UNTyft format. If we show that R is a bisimulation relation, then the theorem follows. Instead, by an induction on α, we simultaneously prove that the following two statements hold for each (p,q) R, for each l,p′ C, and ∈ ∈ for each α. l ′ l ′ ′ ′ (i) p p Cα ′ q q Cλ (p ,q ) R; → ∈ ⇒∃q → ∈ ∧ ∈ l ′ l ′ ′ ′ (ii) p p Uλ q′ q q Uα (p ,q ) R; → ∈ ⇒∃ → ∈ ∧ ∈ Once we prove the above two statements, the transfer conditions for bisimulation (w.r.t. Cλ = Uλ) follow by taking α to be λ and from the fact that Cλ = Uλ (due to completeness of the TSS under consideration). Note that bisimilarity is an equivalence and so is R; thus, we assume the sym- metric statements for q without having to prove them. The above statements hold trivially for all p and q such that p q. Hence, we focus on terms of the form ↔ p = f(−→p ) and q = f(−→q ) where −→p R −→q . N (i) It follows from Definition 3.6 that l for some N and some β < α such ⊢ p p′ → that Uβ  N, and from Definition 3.4 that there exists a deduction rule r of the following form

l′ li ′ 9j ′ Wk∈K(Vi∈I ti yi Vj∈J tj yj) (r) k → ∧ k , z0 z1 z2 l ∃ e ∀ e ∃ e t t′ → C and (according to Definition 2.5) there exist substitutions σp : (−→x ) and C V →C σ0 : z0 such that σp(−→x )= −→p and for all substitutions σ1 : z1 , there e → C e → exists a substitution σσ1 : z2 and an index k K, such that all positive e → ∈ formulae with indices i and j with i Ik and j Jk under σ = σp σ σ σσ1 ∈ ∈ · 0 · 1 · Ni hold, i.e., with a smaller proof structure and Ni N for each li ⊢ σ(ti yi) ⊆ l → ′ j ′ i Ik, and σ(tj yj) N for each negative premise j Jk. We proceed with ∈ → ∈ N ∈ an induction on the proof structure for l . ⊢ p p′ In a traditional proof method for congruence→ rule formats (e.g., that of ′ ′ [7]), one aims at defining a new substitution σ such that σ (−→x ) = −→q and 108 Mousavi, Reniers

σ(u) R σ′(u) for each variable u X; furthermore, while completing the def- ∈ inition of σ′, one shows, using the induction hypothesis, that all the premises l also hold under σ′, thus, obtaining a proof for q q′, for some q′ such that → σ(t′) R q′ and q′ = σ′(t′). Our proof method is slightly more involved. Since we have a universal quantification over variables in z1, we are allowed to use the e fact that under all substitutions σ1 : z1 C at least one disjunct among the e → premises holds by choosing an appropriate σσ1 . Thus, during the construction ′ ′′ of σ , as explained below, we also change substitution σ into some σ = σp ′′ ′′ · σ σ σ ′′ (by choosing a σ which is appropriate for our proof obligation), 0 · 1 · σ1 1 while preserving σ′′(u) R σ′(u). Note that σ and σ′′ agree on the variables in ′ z0. Furthermore, σ and σ agree on the variables in z1. e C e Let σq : (−→x ) be such that σq(−→x ) = −→q . Given σ0 and for each σ1 V → ′ ′′ ′ as given above, we aim at constructing new substitutions σ0, σ1 and σσ1 such that σ′′(z ) R σ (z ) and σ′′(u) R σ′(u) for each z z and for each u X 1 1 1 1 1 ∈ 1 ∈ ′′ ′′ ′′ ′ ′ ′ e ′′ where σ = σp σ0 σ1 σσ1 and σ = σq σ0 σ1 σσ1 . Note that σσ1 need not · · ′′ · · · · be re-defined; given σ1 , it is determined by the deduction rule chosen to derive l ′ ′′ ′′ p p according to Definition 2.5, i.e., if σ1 = σ1j, for some j IN, σσ1 is σ2j. → ′ ′′ ′ ′ ∈ To define σ and σ , we start with σ11 where σ11(u)= σ(u) for each variable ′ in u (z0 z2) yi,yj i Ik′ , j Jk′ , k K and undefined otherwise, and ∈ e ∪ e \′′ { | ∈ ′′ ∈ ∈ } a substitution σ11 such that σ1u = σ(u) for each variable in u z1 yj j ′ ∈ e \ { | ∈ Jk′ , k K . ∈ } ′ ′′ Consider substitutions σ1i and σ1i and a variable u such that for each variable ′ ′′ x preceding u in the variable dependency graph either σ1i(x) or σ1i(x) is de- ′′ ′ fined. Furthermore, we assume that for all such variables x, σi (x) R σi(x) ′ ′ ′′ ′′ where σ = σq σ σ , σ = σp σ ρi σρ and ρi = σ σ where i · 1 · 1i i · 0 · · i 1 ↑ 1i (σ σ′′ )(x)= σ′′ (x) if σ′′ (x) is defined and σ (x) otherwise. 1 ↑ 1i 1i 1i 1 We define a procedure which takes any such variable u and substitutions ′ ′′ ′ ′ σ1i and σ1i and defines the substitution σ1i+1 which agrees with σ1i on the ′ ′ domain of σ1i and extends the domain of σ1i with u, if u z0 z2 in such ′′ ′ ∈ e ∪ e a way that σi (u) R σi+1(u). Furthermore, if u z1, we define a value for ′′ ′′ ∈ e (σ1i+1)(u), in such a way that σ1i(u) R ρ(σ1)(u), thus in both cases maintaining ′′ ′ ′ ′ ′′ σi+1 R σi+1(u). If u z1, then σ1i+1 is the same as σ1i; if u / z1, then σ1i+1 ′′ ∈ e ′ ′′ ∈ e is the same as σ1i. Then, substitutions σ and σ are defined as the greatest ′ ′′ fixed point of the chain σi’s and σi ’s (taking the above-mentioned procedure as a monotone function, with the subset relation on the union of the domains ′ ′′ of the substitutions σi and σ1i as the ordering). We make a case distinction based on the status of variable u with respect to set z0, z1 and z2. (We shall still use an induction on α and inside that an e e e induction on the structure of the proof in the following items.) ′ (a) Assume that u z0 z2; then, u can only be a variable yi′ for some i Ik ∈ e ∪ e ∈ and k K (i.e., the target of a positive premise). We distinguish the ∈ ′′ li′ following two cases based on the status of σ (ti′ yi′ ) with respect to Cα. i → ′′ li′ l ′ Assume that σ (t ′ y ′ ) is among the premises of the rule proving σ(t t ), i i → i → ′′ li′ i.e., σ (ti′ yi′ ) Cα with a proof structure which is smaller than the i → ∈ l ′ ′′ ′ ′ proof of σ(t t ). Considering that σ (t ′ ) Rσ (t ), the induction hypoth- → i i i i 109 Mousavi, Reniers

′ li′ esis on the structure of the proof applies and we have that σi(ti′ ) qi′ ′′ → ∈ Cλ for some qi such that σ(u) R qi′ (and thus, σi (u) R qi). Define ′ σ1i+1(u)= qi. ′′ li′ l ′ Otherwise, assume that σi (ti′ yi′ ) is not in the proof tree for σ(t t ). ′ → → Take σ1i+1(u)= σ(u). ′′ ′′ Note that since u / z1, in both cases σ = σ . ∈ e i+1 i (b) Assume that u z1; then, u = yj, for some j Jk and k K. We ∈ e ∈ ∈ distinguish the following two cases. ′′ lj Either β<α p σ(yj) R pj σ (tj) pj / Uβ; it follows from the ∃ ∀ j ⇒ i → ∈ ′ lj induction hypothesis (on α; contraposition of item (ii)) that σi(tj) pj / ′′ → ∈ Uλ. Define σ1i+1(u)= σ(u). l ′′ j Or β<α p σ(yj) R pj σ (tj) pj Uβ. It follows from the fact that ∀ ∃ j ∧ i → ∈ ′ ′ ′′ lj for all γ γ , Uγ Uγ that pj β<α σ(yj) R pj σi (tj) pj Uβ. ′′≤ ⊆ ∃ ∀ ∧ → ∈ Define σ1i+1(u)= pj. This way, we have completed the definition of σ′ and σ′′. There is a k K ∈ ′ ′′ li′ such that for all i Ik, σ (t ′ y ′ ) Cα and it follows from the construc- ∈ i → i ∈ ′ ′ li tion of σ that σ (ti yi) Cλ. Furthermore, it holds for all j Jk that l → ∈ ∈ ′′ j σ (tj yj) / Uβ, for some β α. It again follows from the above construc- → ∈ ≤ ′′ ′′ lj ′ tion of σ that σ (tj pj) / Uβ for all pj such that σ(uj) = σ (uj) R pj and l → ∈ ′ j l ′ ′ hence, σ (tj pj) / Uλ. This completes the proof for q σ (t ) Cλ and we → ∈ → ∈ have that σ′′(t) R σ′(t).

(ii) The case is dual to the above case. One just has to replace the sets Cα with Uλ and Cλ with Uα, simultaneously. 2

3.3 (Counter-)Examples In this section, we give a few (counter-)examples witnessing the generality of our rule format. First, we show that our format is general enough to cover our motivating examples. Example 3.7 The deduction rules for weak termination and divergence as specified, respectively, in Examples 2.1 and 2.2 are in the UNTyft/UNTyxt format. Next, we show that the syntactic constraints concerning the UNTyft format can- not be simply dropped or the congruence meta-result will be ruined. The first condi- tion in the UNTyft format concerns the source of the conclusion and it is among the conditions of the ordinary Tyft and NTyft formats. Thus, counter-examples given in [7,6] work in this case, as well. Constraint (ii) is about distinctness of variables appearing as targets of premises. Our addition to the traditional constraints of the NTyft format is that we prohibited the repetition of target variables among differ- ent disjuncts. The following counter-example shows that this additional constraint cannot be dropped. Example 3.8 The following specification conforms to all constraints of the UNTyft 110 Mousavi, Reniers format but constraint (ii) in that variable y is repeated in the target of the premises of the left-most deduction rule. Moreover, it is complete and is well-founded.

a b x 9 y x 9 y y ∨ c a b a b ∀ f(x) c a a a a b a b b → → → → → For the above specification, it holds that a b but it does not hold that f(a) f(b) a b ↔ a b a↔ since y b 9 y b 9 y but it does not hold that y a 9 y a 9 y, namely a a and b ∀ ∨ ∀ ∨ → a a. → Constraint (iii) states that universally quantified variables cannot appear as targets of positive premises. The following counter-example shows the role of this constraint in establishing congruence. Example 3.9 The following TSS is complete and well-founded and satisfies all constraints of the UNTyft format but constraint (iii).

a x y x y → a a a a c ∃ a x b a b c b f(a) ∀ f(x) a → → → → → c c It holds for the above TSS that a b but f(a) a while f(b) 9 a (since, for exam- a ↔ → ple, b 9 b). The fourth syntactic constraint states that targets of negative premises should be universally quantified. The following counter-example witnesses that this constraint cannot be dropped. Example 3.10 The following deduction rules satisfy the constraints of the UNTyft a format apart from constraint (iv) in that the negative premise x 9 y has an existen- tially quantified variable y as its target.

a a a b b a c a c′ b c c c c′ c → → → → → a b a x 9 y y y′ x y′′ y,y′,y′′ → → a ∃ f(x) c → The above TSS is complete and its associated transition relation is

a a a b b a a c, a c′, b c, c c, c′ c, f(b) c . { → → → → → → } Hence, we observe that a b but it does not hold that f(a) f(b). Thus, bisimi- ↔ ↔ larity is not a congruence.

The last constraint on the UNTyft format concerns the variables in z0 when e they appear as a target of a premise. Namely, such variables should not depend on variables in z1 or z2 (in the sense of Definition 3.3). The first counter-example e e given below shows that a direct dependency on variables in z1 can be damaging. e The second counter-example shows the same for a direct dependency on variables in z2. Both counter-examples can be easily adapted for indirect dependencies. e 111 Mousavi, Reniers

Example 3.11 The following deduction rules satisfy the constraints of the UNTyft format apart from constraint (v) in that variable z0 depends on a universally bound variable z1.

b f(z1,x) z0 (a) a (b) a (g) z0 z1 c→ a b b a ∃ ∀ g(x) c → → →

a a a a x0 9 y0 x1 y1 x0 y0 x1 y1 (f0) y0 y1 b→ (f1) y0,y1 → b→ ∀ ∃ f(x ,x ) y ∃ f(x ,x ) a 0 1 → 1 0 1 → First of all note that a b because they only afford a-transitions to each other. ↔ b Furthermore, from (f0), it follows that for all p / a, b , we have f(p, a) b and b ∈ { } b → b f(p, b) a. Thirdly, from (f1), we can deduce that f(a, b) a and f(b, b) a. → b → c → Thus, we conclude that for all p C, f(p, b) a. Hence, we have that g(b) c. ∈ →b → It does not hold that for all p C, f(p, a) p′ for any p′ C; the only possible ∈ → ∈ candidates for such p′ are a and b both of which fail (above-mentioned transitions to a cannot be derived from (f0) and transitions to b cannot be derived from (f1)). c Hence, we have that g(a) 9 which shows that the congruence result is ruined. Example 3.12 The following TSS is a modified version of the one specified in Example 3.11. The deduction rules satisfy the constraints of the UNTyft/UNTyxt format apart from constraint (v) in that variable z0 depends on an existentially bound variable z2.

(a) a (b) a (x) d a b b a x x → → →

a a a a x0 9 y0 x1 y1 x0 y0 x1 y1 (f0) y0 y1 b→ (f1) y0,y1 → b→ ∀ ∃ f(x ,x ) y ∃ f(x ,x ) a 0 1 → 1 0 1 →

d b z1 z2 f(z2,x) z0 (g) z0 z1 z2 → c → ∃ ∀ ∃ g(x) c → The transition relation induced by the above TSS is the same as the one in Example 3.11 except for that it also includes a d-self-loop on all closed terms. Thus, a b ↔ and it does not hold that g(a) g(b). ↔ 4 Conclusions

Results. We extended the syntax and the semantics of SOS specifications with one level of universal quantification, explicit notions of existential quantification (before and after the universal quantifier), conjunction and disjunction. We proposed a rule format with the above-mentioned features that guarantees the induced bisimilarity to be a congruence. 112 Mousavi, Reniers

Future Work. From a theoretical viewpoint, a much more challenging goal is to introduce a framework supporting the full first-order logic. We plan to investigate the possibility of relaxing the well-foundedness assumption in our congruence meta- results. Expressiveness of the UNTyft rule format with respect to the NTyft and the Tyft format is another topic for our future research. Our main point of inspiration for the introduction of universal quantification originated from our study of ordered SOS [13,8]. There, we observed that in order to translate general Tyft rules with ordering into the NTyft format, we need some extra expressive power, possibly modeled by universal quantification over variables. Otherwise, the ordered version of the Tyft format is strictly more expressive that the NTyft format and a direct translation (involving no auxiliary operators) is shown to be impossible in [9]. It remains thus to show that UNTyft format indeed gives us sufficient expressive power to remove ordering from ordered Tyft rules. Acknowledgments. Constructive discussions with Iain Phillips and Irek Ulidowski led to research questions which form the subject matter of this paper. Comments of the anonymous reviewers of the SOS workshop helped us improve the paper and are thus acknowledged.

References

[1] Aceto, L., W. J. Fokkink and C. Verhoef, Structural operational semantics, in: J. A. Bergstra, A. Ponse and S. A. Smolka, editors, Handbook of Process Algebra, Chapter 3, pp. 197–292.

[2] Aceto, L. and M. Hennessy, Termination, deadlock, and divergence, Journal of the ACM (JACM) 39 (1992), pp. 147–187.

[3] Baeten, J. C. M. and J. A. Bergstra, Processen en procesexpressies, Informatie 30 (1988), pp. 177–248, (In Dutch).

[4] Bol, R. and J. F. Groote, The meaning of negative premises in transition system specifications, Journal of the ACM (JACM) 43 (1996), pp. 863–914.

[5] van Glabbeek, R. J., The meaning of negative premises in transition system specifications II, Journal of Logic and Algebraic Programming (JLAP) 60-61 (2004), pp. 229–258.

[6] Groote, J. F., Transition system specifications with negative premises, Theoretical Computer Science (TCS) 118 (1993), pp. 263–299.

[7] Groote, J. F. and F. W. Vaandrager, Structured operational semantics and bisimulation as a congruence, Information and Computation (I&C) 100 (1992), pp. 202–260.

[8] Mousavi, M., I. C. C. Phillips, M. A. Reniers and I. Ulidowski, The meaning of ordered SOS, in: Proceedings of the 26th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’06), Lecture Notes in Computer Science 4337 (2006), pp. 334–345.

[9] Mousavi, M., I. C. C. Phillips, M. A. Reniers and I. Ulidowski, Semantics and expressiveness of ordered SOS, Technical Report CSR-07-07, Department of Computer Science, Eindhoven University of Technology, Eindhoven, The Netherlands (2007).

[10] Mousavi, M., M. A. Reniers and J. F. Groote, SOS formats and meta-theory: 20 years after, Theoretical Computer Science (TCS) 373 (2007), pp. 238–272.

[11] Mousavi, M., M. Sirjani and F. Arbab, Formal semantics and analysis of component connectors in Reo, in: Proceedings of the 4th International Workshop on the Foundations of Coordination Languages and Software Architectures (FOCLASA’05), Electronic Notes in Theoretical Computer Science 154, 2006, pp. 83–99.

[12] Park, D. M., Concurrency and automata on infinite sequences, in: Proceedings of the 5th GI Conference, Lecture Notes in Computer Science 104, pp. 167–183.

[13] Phillips, I. C. C. and I. Ulidowski, Ordered SOS rules and process languages for branching and eager bisimulations, Information and Computation (I&C) 178 (2002), pp. 180–213. 113 Mousavi, Reniers

[14] Plotkin, G. D., The origins of structural operational semantics, Journal of Logic and Algebraic Programming (JLAP) 60 (2004), pp. 3–15.

[15] van de Pol, J., Operational semantics of rewriting with priorities, Theoretical Computer Science (TCS) 200 (1998), pp. 289–312.

[16] Przymusinski, T. C., The well-founded semantics coincides with the three-valued stable semantics, Fundamenta Informaticae 13 (1990), pp. 445–463.

[17] Verhoef, C., A congruence theorem for structured operational semantics with predicates and negative premises, Nordic Journal of Computing 2 (1995), pp. 274–302.

114 SOS 2007 Preliminary Version

A completeness proof for bisimulation in the pi-calculus using Isabelle

Jesper Bengtson and Joachim Parrow

Department of Information Technology Uppsala University Uppsala, Sweden

Abstract We use the interactive theorem prover Isabelle to prove that the algebraic axiomatization of bisimulation equivalence in the pi-calculus is sound and complete. This is the first proof of its kind to be wholly machine checked. Although the result has been known for some time the proof had parts which needed careful attention to detail to become completely formal. It is not that the result was ever in doubt; rather, our contribution lies in the methodology to prove completeness and get absolute certainty that the proof is correct, while at the same time following the intuitive lines of reasoning of the original proof. Completeness of axiomatizations is relevant for many variants of the calculus, so our method has applications beyond this single result. We build on our previous effort of implementing a framework for the pi-calculus in Isabelle using the nominal data type package, and strengthen our claim that this framework is well suited to represent the theory of the pi-calculus, especially in the smooth treatment of bound names.

Keywords: pi-calculus, Theorem Provers, Isabelle, Bisimulation, Axiomatization

1 Introduction

We derive a soundness and completeness proof for the axiomatization of strong late bisimilarity in the pi-calculus [8]. The proof is machine checked in the interactive theorem prover Isabelle [9], using the nominal data type package [1]. It represents a continuation of our work [3] on formalizing the pi-calculus in Isabelle. The com- pleteness proof is the first formally verified proof of its kind. The original manual counterpart is little more than a sketch, and our mechanically verified proof follows it quite closely in structure. Therefore we regard our contribution as threefold: it clarifies exactly what is needed for the full formalization of this particular proof, it opens the possibility to check similar proofs more easily, and it supports our claim that the Isabelle formulation in the nominal data type package is very well suited for deriving this kind of result. The pi-calculus, like most similar calculi, is equipped with a structural operation semantics (SOS) that defines the meaning of agents in terms of the communication actions they can perform. This semantics is used to define bisimulation equivalence as, loosely put, the largest equivalence such that whatever an agent can do, any This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science Bengtson and Parrow equivalent agent can mimic and remain equivalent. There are several variants of this and we study one of the most basic ones, namely late strong bisimilarity. But there is also a completely different way to characterize an equivalence: pos- tulate a set of algebraic laws and say that two agents are equivalent precisely when they can be proved so from the laws and standard equational reasoning. This way does not use the SOS semantics at all. We here use algebraic laws from [8] and formalize the now well known result that they precisely capture late strong bisimilarity. The proof follows the standard structure and is partitioned into a soundness part (saying that each law is sound, i.e. that in all instances the right hand side is bisimilar to the left hand side) and a completeness part (saying that if two agents are bisimilar then there exists a proof of equivalence from the algebraic laws). As is typical in these situations the soundness proof is straightforward but tedious to write out in detail, while the completeness proof requires a bit more ingenuity. A common way, which we shall follow, is to define a subset of the agents to be so called head normal forms. These have their immediate communication abilities as the outmost syntactic operators, so in a sense the initial behaviour is apparent from the syntactic structure. We then conclude the result by first showing that each agent has a provably equivalent head normal form, and that two bisimilar head normal forms are provably equivalent. The original manual proof of this particular result dates back to the very first presentation of the pi-calculus [8] and its sketch occupies about one page (on pages 67 and 68) in the journal. The result was not controversial since it is one of many similar results on complete axiomatizations in process algebras, the first being by Hennessy and Milner on CCS [5]. Variants of the proof have been used in variants of the calculus, but never written down in full detail. It contains several sweeping statements which require quite some attention to detail to verify formally. An exam- ple is the claim that if two head normal forms have provably equivalent summands then the agents are provably equivalent using laws for commutativity, associativ- ity and idempotence of the sum operator (formalized as Lemma 4.10 in Section 4 below). In conclusion we regard this as one of the most extensive results from a mecha- nized theorem prover concerning the meta theory of process algebra. We go beyond other significant efforts on the pi-calculus [11,7,4,6] which do not treat completeness at all. There are today several other mechanized proofs from meta mathematics, for example on G¨odel’s incompleteness result [12] and on typing in system F in the PoplMark Challenge [2].

2 The pi-calculus and its complete axiomatization

2.1 Syntax

We assume the reader to be familiar with the basics of the pi-calculus. In this paper we use a standard variant of the monadic pi-calculus without recursion and replication. The syntax of the calculus is defined in Table 1. We let P,Q etc. range over agents and a, b, . . . , z over names. In the input Prefix a(x) . P is said to bind x in P , and occurrences of x in P 116 Bengtson and Parrow

Agents P ::= 0 Nil ax . P Output Prefix a(x) . P Input Prefix τ . P Silent Prefix P + P Sum P | P Parallel [x = y]P Match [x 6= y]P Mismatch (νx)P Restriction

Table 1 The syntax of the π-calculus. are then called bound. In contrast the output Prefix ax . P does not bind x. These Prefixes are said to have subject a and object x, where the object is called free in the output Prefix and bound in the input Prefix. The silent Prefix τ has neither subject nor object. The Restriction operator (νx)P also binds x in P . The free names fn(P ) are those with a not bound occurrence, and we say that is x is fresh for P to mean that x 6∈ fn(P ), or just that x fresh to mean it is fresh for all agents in the context of the discussion. Similarly the bound names bn(P ) are those with a bound occurrence. A substitution is a function from names to names. We write {x/y} for the substitution that maps y to x and is identity for all other names. The agent P {x/y} is P where all free names x are replaced by y, with alpha-conversion wherever needed to avoid captures. n A sum of several agents P1 + · · · + Pn is written Pi=1 Pi, or just Pj Pj when n is unimportant or obvious, and we here allow the case n = 0 when the sum means 0.

2.2 Structural Operational Semantics

The actions ranged over by α consist of four classes: (i) The internal action τ. (ii) The (free) output actions of kind ax. (iii) The input actions of kind a(x). (iv) The bound output actions aνx. We write x 6∈ α to mean that x does not occur in α. The structural operational semantics is given in Table 2. As can be seen it is a late version, without structural congruence. 117 Bengtson and Parrow

prefix α α . P −→ P

α P −→ P ′ sum α P + Q −→ P ′

α P −→ P ′ match α [x = x]P −→ P ′

α P −→ P ′, x 6= y mismatch α [x 6= y]P −→ P ′

α P −→ P ′, bn(α) ∩ fn(Q)= ∅ par α P |Q −→ P ′|Q

a(x) au P −→ P ′, Q −→ Q′ com τ P |Q −→ P ′{u/x}|Q′

α P −→ P ′, x 6∈ α res α (νx)P −→ (νx)P ′

ax P −→ P ′, a 6= x open aνx (νx)P −→ P ′

a(x) aνu P −→ P ′, Q −→ Q′ close τ P |Q −→ (νu)(P ′{u/x}|Q′)

Table 2 The operational semantics. The symmetric versions of sum, par, com and close are elided. Agents are identified up to alpha equivalence, i.e. choice of bound names.

2.3 Bisimulation

We recapitulate the definition of strong late bisimulation.

Definition 2.1 A bisimulation is a symmetric binary relation R on agents satisfy- α ing the following: P RQ and P −→ P ′ where bn(α) is fresh implies that a(x) (i) If α = a(x) then ∃Q′ : Q −→ Q′ ∧ ∀u : P ′{u/x}RQ′{u/x} α (ii) If α is not an input then ∃Q′ : Q −→ Q′ ∧ P ′RQ′ P and Q are bisimilar, written P ∼ Q, if they are related by a bisimulation.

118 Bengtson and Parrow

2.4 Axiomatization

The axioms for strong late bisimilarity are given in Table 3 and 4. We also implicitly use the laws of equational reasoning, i.e., that equality between agents is reflexive, symmetric and transitive. Note that substitutivity (that an agent can replace an equal agent in any expression) is not implied, since bisimilarity is not a congruence. Instead the congr laws define the substitutive properties. The first laws str1-5 are normally part of a structural congruence which also contains more laws. We here use only the structural laws that are actually needed for the completeness proof. In particular we will not need any structural laws for parallell since all instances of those can be derived from the expansion law. Incidentally, law str5 can be replaced by the two simpler laws (νx)0 = 0 and (νx)(νx)P = (νx)P . We say that two agents P and Q are provably equivalent, written P ≡ Q, if their equality can be established by these axioms and equational reasoning. The main result is the theorem that relates provable equivalence with bisimilarity:

Theorem 2.2 P ∼ Q iff P ≡ Q

This theorem has been known since the late 1980’s when the pi-calculus was first conceived. Its validity has never been in doubt, even though all proofs presented until now have used hand waving at several points. To give the reader an overview of the proof, and also to appreciate the level of detail this kind of proof usually is presented with, we here cite parts of the proof from [10]. Soundness, i.e. the implication from right to left, merits no more than “It is easily seen that all laws are sound, so if P = Q is provable then it must hold that P ∼ Q.” (The original proof in [8] is just a little more detailed; it goes on to postulate bisimulation relations for all algebraic laws without actually proving that these relations are bisimulations). Concerning the completeness part, on page 529 we read, for the subcalculus without the parallel operator: Let the depth of an agent be the maximal nesting of its Prefixes.

Proposition 7. Using the axioms every agent P is provably equal to a head normal form (hnf) of kind Pi αi . Pi of no greater depth.

The proof is by induction over the structure of the agent and all cases are easy. If P is a Match or Mismatch then m1–mm2 applies; if it is a Restriction then r3 is used to distribute it onto the summands and r1–r2 to push it through the Prefixes or form part of a bound output Prefix.

Proposition 8 If P ∼ Q then P = Q is provable from the axioms.

The proof is by induction on the depths of P and Q. By Proposition 7 we can assume P and Q are head normal forms. The base case P = Q = 0 is trivial. For the inductive step we prove that for each summand in P there is a provably equal summand in Q and vice versa. For example, take a summand a(x) . P ′ in P . Assume by alpha-conversion that all top-level input actions have the same 119 Bengtson and Parrow

str1 P + 0 = P str2 P + Q = Q + P str3 P + (Q + R) = (P + Q)+ R str4 (νx)(νy)P = (νy)(νx)P str5 x 6∈ fn(P ) → (νx)P = P

congr1 If P = Q then au . P = au.Q τ . P = τ.Q P + R = Q + R P |R = Q|R R|P = R|Q (νx)P = (νx)Q congr2 If P {y/x} = Q{y/x} for all y ∈ fn(P,Q,x) then a(x) . P = a(x) .Q

idem P + P = P m1 [x = x]P = P m2 [x = y]P = 0 if x 6= y mm1 [x 6= x]P = 0 mm2 [x 6= y]P = P if x 6= y r1 (νx)α . P = α . (νx)P if x 6∈ α r2 (νx)α . P = 0 if x is the subject of α r3 (νx)(P + Q) = (νx)P + (νx)Q

Table 3 Axioms for strong late bisimilarity, except for Parallel.

a(x) a(x) bound object x. Then from P ∼ Q and P −→ P ′ we get Q −→ Q′ such that P ′{u/x} ∼ Q′{u/x} for all u. By induction they are also provably equal for all u. So a(x) .Q′ is a summand of Q and from congr2 we get that it is provably equal to a(x) . P ′. The other cases are similar and simpler. So, each summand of P is provably equivalent to a summand of Q and therefore, by the laws idem (and str), P is provably equivalent to Q. The original proof in [8] uses the same idea and is just a little bit more detailed (writing out “the other cases” rather then saying they are “similar and simpler”). 120 Bengtson and Parrow

exp Let P = Pi αi . Pi and Q = Pj βj .Qj where bn(αi) ∩ fn(Q) = ∅ and bn(βj) ∩ fn(P )= ∅ for all i, j. Then

P |Q = X αi . (Pi|Q) + X βj . (P |Qj ) + X τ . Rij i j αi comp βj

where the relation αicompβj and Rij are defined through the follwing four cases:

(i) αi = a(x) and βj = au in which case Rij = Pi{u/x}|Qj ,

(ii) αi = a(x) and βj = (νu)au in which case Rij = (νu)(Pi{u/x}|Qj ), (iii) The converse of 1, (iv) The converse of 2.

Table 4 The traditional expansion law for strong bisimilarity. Here αi and βj range over the prefix forms (Input, Output and Silent) and also over the combination of bound output prefix (νu)au.

Both get the definition of depth wrong. In the quote above, “maximal nesting” is not correct if the agent is a parallel composition, and in [8] the definition only applies to head normal forms and is later used for all agents.

3 The implementation in Isabelle: Soundness

In our earlier work [3] we have implemented the semantics and various bisimulation definitions in Isabelle, and we refer the reader to that paper for details on the rep- resentation of the SOS semantics, associated induction rules, and the co-inductive definition of bisimulation. Our results include formal proofs of substitutivity prop- erties such as P ∼ R → P |Q ∼ R|Q, and many algebraic laws. Our implementation uses the nominal datatype package and treats bound names efficiently, so that we almost never have to worry about alpha variants of agents or actions. The only exceptions are when bound names are explicitly mentioned and argu- ments about their identities are part of the proofs. An example is in the algebraic law (νx)(νy)P = (νy)(νx)P , where the proof will split in one case for x = y and another case for x 6= y. In all other situations the implementation will guarantee that bound names are always suitably fresh, thus automatically formalizing the assumption that manual proofs often make. We will begin by showing soundness and completeness for the sub-calculus that only contains Nil, Prefix, Sum, Match and Mismatch. We will then expand our proof to encompass also Restriction and Parallel. To prove soundness of the axiomatization, we must prove that all provably equiv- alent pairs of processes are also bisimilar. In [3] we proved that strong bisimulation is preserved by all operators except input-prefix and that all structurally congruent terms are also bisimilar. This meant that the proofs for str and congr1 from Table 3 are already complete. The soundness proofs for the rest of the axioms are trivial, with the exception of congr2.

121 Bengtson and Parrow

Lemma 3.1 If P {y/x}∼ Q{y/x} for all y ∈ fn(P,Q,x) then a(x).P ∼ a(x).Q

Proof By definition of bisimulation and case analysis for the cases where x and y clash with the introduced name u. 2

We can then prove our theorem:

Theorem 3.2 If P ≡ Q then P ∼ Q

4 Completeness

At the core of the completeness proofs are head normal forms, or hnf for short. A term is in head normal form if it is a sum of prefixed processes. In Isabelle, we use the following function to determine whether or not a term is in hnf.

Definition 4.1 Definition of hnf. hnf(0) = True hnf(α.P ) = True hnf(P + Q) = hnf(P ) ∧ hnf(Q) ∧ P 6= 0 ∧ Q 6= 0 hnf = False

We will reason about hnfs in terms of their summands. The summand of a term is the set of its prefixed subterms that are composed by the +-operator.

Definition 4.2 Definition of summands summands(α.P ) = {α.P } summands(P + Q) = summands(P ) ∪ summands(Q) summands = {}

In the intuitive version of the completeness proof (Proposition 8 cited above), there is an appeal to the law idem to remove duplicate instances of provably equivalent summands. In order to reason formally about this we would like to let the summands be sets of equivalence classes (corresponding to ≡) of terms. In Isabelle it turns out to be more efficient to implement this by the notion of a unique hnf, or uhnf where only one representative of each equivalence class is kept in the set.

Definition 4.3 Definition of uhnf uhnf(P )= hnf(P ) ∧∀P ′ P ′′ ∈ summands(P ). P ′ 6= P ′′ −→ ¬(P ′ ≡ P ′′)

Our main proof will work by induction over the depth of the terms that are being proved equal. Intuitively, the depth of a term is an upper bound of the number of transitions it can make. We define the following function:

Definition 4.4 Depth of a term 122 Bengtson and Parrow depth(0) = 0 depth(α.P ) =1+ depth(P ) depth([a = b]P ) = depth([a 6= b]P )= depth((νx)P )= depth(P ) depth(P + Q) = max(depth(P ), depth(Q)) depth(P | Q) = depth(P )+ depth(Q)

For the rest of the completeness proof, we will mostly work with uhnf s. We therefore need to be able to show that every term can be rewritten as a provably equal uhnf. We must also make sure that the generated uhnfs have no larger depth than the original terms as this would otherwise break our induction on the depth in the main proof. In the following we present the sequence of lemmas needed for Isabelle to complete the proof, together with indications of the involved proof strategies. First, we will need the following auxiliary lemmas:

Lemma 4.5 If Q ∈ summands(P ) and Q ≡ Q′ then P + Q′ ≡ P . Proof By induction on the structure of P . 2 Lemma 4.6 If uhnf(P ) and uhnf(Q) then there exists an R such that uhnf(R), P + Q ≡ R and depth(R) ≤ depth(P + Q).

Proof By induction on the structure of P . In the base case, Lemma 4.5 is used to filter out the terms which are provably equal to some term in the summands(Q). Base case: P is of the form α.P ′. If Q = 0 then set R to P , otherwise if there is a Q′ ∈ summands(Q) s.t. Q′ ≡ P then Q + P ≡ Q by Lemma 4.5 so set R to Q, otherwise set R to P + Q. Inductive step: Since uhnf(P ), only the case where P is of the form P ′ + P ′′ applies: We have that uhnf(P ′ + P ′′) hence uhnf(P ′) and uhnf(P ′′). From IH twice we obtain a Q′ where uhnf(Q′), P ′′ + Q ≡ Q′ and depth(Q′) ≤ depth(P ′′ + Q). 2 With these lemmas in place we can prove: Lemma 4.7 For every P , there exists a Q s.t. uhnf(Q), P ≡ Q and depth(Q) ≤ depth(P ).

Proof By induction on the structure of P . In the case where P is of the form P ′ + P ′′, Lemma 4.6 is used. 2 In order to prove the correspondence between bisimilarity and the axioms, we need to form a link to the transition system. We find such a link in the summands. α Lemma 4.8 If hnf(P ) then P −→ P ′ iff α.P ′ ∈ summands(P ). Proof By induction on the structure of P . 2

The intuitive way to express equality using summands is that if there is a bi- jection f between the summands of two agents such that f(P ) ≡ P for all P , then the agents are provably equal. Clearly the way to prove this must be through 123 Bengtson and Parrow an induction over the summands, and there we shall need the following auxiliary lemma:

Lemma 4.9 If uhnf(Q) and P ∈ summands(Q) then there exists a Q′ s.t. P +Q′ ≡ Q and summands(Q′)= summands(Q) − {P }∧ uhnf(Q′). Proof By induction on the structure of P . str2 and str3 are used to pull P to the top level of Q. The intuition is that since the +-operator is commutative and associative, one can always pull any summand to the front of the term. Since the term is on uhnf, we know that no other provably equal sub terms exist and hence the summands of the remainder will be the summands of the original term with the pulled term removed. 2

We can now prove the following lemma: Lemma 4.10 If uhnf(P ) and uhnf(Q) and there exists a bijection f : summands(P ) → summands(Q) s.t. P ≡ f(P ) then P ≡ Q.

Proof By induction on summands(P ). Base case: summands(P )= {} Since f is a bijection, summands(Q) = {} and since uhnf(P ) and uhnf(Q), P = 0 and Q = 0. Hence P ≡ Q by reflexivity of ≡. Inductive step: summands(P )= {P ′}∪ S From Lemma 4.9 we obtain a P ′′ where P ′ + P ′′ ≡ P , summands(P ′′) = summands(P ) − {P ′} and uhnf(P ′′). Since uhnf(P ′′), S = summands(P ). Since f(P ′) ∈ summands(Q) we obtain a Q′′ where f(P ′)+ Q′′ ≡ Q, summands(Q′′) = summands(Q) − {f(P ′)} and uhnf(Q′′). Since f is a bijection and uhnf(P ′′) and uhnf(Q′′) there exists a bijective function f ′ : summands(P ′) → summands(Q′′), then by IH P ′′ = Q′′. Hence P ≡ P ′ + P ′′ ≡ f(P ′′)+ Q′′ ≡ Q. 2 In order to do induction we need to know that processes have greater depth than their derivatives. α Lemma 4.11 If uhnf(P ) and P −→ P ′ then depth(P ′) < depth(P ). α Proof By induction on the proof of P −→ P ′. 2 We can now prove completeness. Theorem 4.12 If P ∼ Q then P ≡ Q

Proof From Lemma 4.7 we can first convert P and Q to provably equal uhnfs. The proof is then done by induction over depth(P )+ depth(Q). The idea is to exhibit a bijection f satisfying the premises of Lemma 4.10. Base case: depth(P )+ depth(Q) = 0 The only case where this can hold is when P = 0 and Q = 0. Hence P ≡ Q by reflexivity of ≡. Inductive step: depth(P )+ depth(Q) ≤ n (where n is a natural number). Pick an arbitrary α.P ′ from summands(P ). We need to find f(α.P ′), i.e. a Q′ s.t. α.P ′ ≡ α.Q′. α If α is a free action, by Lemma 4.8 we have P −→ P ′. Since P ∼ Q, we know 124 Bengtson and Parrow

α that there is a Q′ s.t. Q −→ Q′ and P ′ ∼ Q′. From Lemma 4.7 we get a P ′′ where uhnf(P ′′), P ′ ≡ P ′′ and depth(P ′′) ≤ depth(P ′) and a Q′′ where uhnf(Q′′), Q′ ≡ Q′′ and depth(Q′′) ≤ depth(Q′). By transitivity and symmetry of ∼ and Theorem 3.2 we get that P ′′ ∼ Q′′ and thus by the fact that depth(P ′′)+depth(Q′′)

5 Restriction

We add restriction to the calculus and the three laws r1–r3. These laws are first proved sound in the expected way; the most tedious is r1 which requires a case analysis on α. For our completeness proof we need to expand our definitions of summands and hnf. When restriction is added to the calculus, we have the possibility of bound outputs. A process which generates a bound output is of form (νx)¯ax.P where x 6= a. We extend our definition of hnf with the following case: hnf((νx)P )= ∃a P ′. a 6= x ∧ P =ax.P ¯ ′ and our definition of summands with: summands((νx)P )= if (∃a P ′. a 6= x ∧ P =ax.P ¯ ′) then {(νx)P } else {}

We also have to expand our proofs that state that for every term there exists a provably equal uhnf. As with the +-operator we need an auxiliary lemma. Lemma 5.1 If uhnf(P ) then there exists a Q such that uhnf(Q), (νx)P ≡ Q and depth(Q) ≤ depth((νx)Q).

Proof By induction on the structure of P . In the base case a case analysis is done to check if the restricted name collides with any names in the prefix. 2

The extension to Lemma 4.7 now becomes quite simple, but in the restriction case, a second induction over P is required in order to prove how restriction behaves when paired with each of the other operators.

We will also need an expanded version of Lemma 4.8 to create our link between summands and transitions. aνx Lemma 5.2 If uhnf(P ) and a 6= x then P −→ P ′ iff (νx)¯ax.P ′ ∈ summands(P ). 125 Bengtson and Parrow

Proof By induction on the structure of P . 2

Theorem 4.12 has to be extended to take care of bound outputs. The summands will have the form (νx)¯ax.P and we find derivatives P ′ and Q′ s.t. P ′ ∼ Q′, hence ax.P¯ ′ ≡ ax.Q¯ ′ and (νx)¯ab.P ′ ≡ (νx)¯ab.Q′ by congr1.

6 Parallel

We complete our proof by adding the parallel operator. To do this we must en- code the expansion law in Isabelle. Unfortunately, the law as presented here and elsewhere is not completely formally correct. The reason is that it makes use of a function Σ which takes a set of agents as a parameter and returns the sum of them. However, such a function cannot be defined in the usual inductive way (as Σ({P }∪ S) = P +ΣS) since this does not define Σ uniquely (elements can be pulled from a set in different order, resulting in different order of the summands). The reason the expansion law nevertheless is considered valid is that it implicitly operates on equivalence classes of agents up to ≡ and here the sum operator is idempotent, associative and commutative. As there is no easy way to incorporate such functions in Isabelle we need to be a little more creative. We define a relation S on agent × agent set with the intuition that if F is a set of agents then S(P, F ) if P can be obtained as a sum of the agents in F .

Definition 6.1 The relation S.

(0, {}) ∈ S (P, {P }) ∈ S Q ∈ F ∧ (P, F − {Q}) ∈ S =⇒ (P + Q, F ) ∈ S

We must now create the set of all terms generated by the expansion law (Table 4).

Definition 6.2 The function expand which generates a set of all terms created by the expansion law. Symmetric versions have been elided. Here α.P ranges also over object restrictions of prefixes of kind (νx)¯ax.P . expand(P,Q)=

{α.(P ′ | Q) : α.P ′ ∈ summands(P ) ∧ bn(α) ∩ fn(Q)= ∅} ∪

{τ.(P ′{y/x} | Q′) : a(x).P ′ ∈ summands(P ) ∧ ab.Q¯ ′ ∈ summands(Q)}∪

{τ.(νy)(P ′{y/x} | Q′) : a(x).P ′ ∈ summands(P ) ∧ y 6∈ fn(P ) ∧ (νy)¯ay.Q′ ∈ summands(Q)}

We can now add the expansion law to our axioms in the following way:

Definition 6.3 The expansion law. hnf(P ) ∧ hnf(Q) ∧ (R, expand(P,Q)) ∈ S =⇒ P | Q ≡ R

126 Bengtson and Parrow

6.1 Soundness To prove soundness of Def. 6.3 we will need the following auxilliary lemmas. α α Lemma 6.4 If (P, F ) ∈ S, Q ∈ F and Q −→ Q′ then P −→ Q′. Proof By rule induction on the construction of S. 2 α α Lemma 6.5 If (R, F ) ∈ S and R −→ R′ then there is a P in F s.t. P −→ R′. Proof By rule induction on the construction of S. In the inductive step a case analysis is made on whether or not the inserted term can do the desired transition. If so, that term is picked, otherwise the term is obtained through the induction hypothesis. 2 α Lemma 6.6 If hnf(P ), hnf(Q) and (R, expand(P,Q)) ∈ S then P | Q −→ P ′ iff α R −→ P ′. Proof In this proof Lemma 4.8 is used to translate summands to transitions and vice versa. α =⇒ By case analysis of P | Q −→ P ′. Each case matches one construction in the expansion law and lemma 6.4 is used to prove that R can make the desired transition. 2 ⇐= Lemma 6.5 is used to find the summand in R in expand(P,Q) which can make the transition. A case analysis of R is made and each case is matched to its corresponding rule in the operational semantics.

We can now prove soundness. Lemma 6.7 hnf(P ) ∧ hnf(Q) ∧ (R, expand(P,Q)) ∈ S =⇒ P | Q ∼ R.

Proof Follows trivially from the definition of ∼ and Lemma 6.6. 2

6.2 Completeness All we need to do to show completeness is to prove that every expanded term has a provably equal uhnf of no lesser depth. We will need the following auxiliary lemmas.

Lemma 6.8 If (P, F ) ∈ S and for all Q in F , uhnf(Q) then there exists a P ′ s.t. uhnf(P ′), P ≡ P ′ and depth(P ′) ≤ depth(P ). Proof By rule induction over the construction of S. 2 Lemma 6.9 If uhnf(P ) and uhnf(Q) then there exists an R s.t. (R, expand(P,Q)) ∈ S and depth(R) ≤ depth(P | Q).

Proof By case analysis of the construction of expand(P,Q). 2

We finally need to modify Lemma 4.7. In the parallel case, we use the parallel congruence laws from congr1 and Lemma 6.9 to find an expanded R of no greater depth than depth(P | Q). Lemma 6.8 can then be used to convert R to a provably equal uhnf. 127 Bengtson and Parrow

In the restriction case one also has to take care of the situation when a restriction is done on a parallel composition. This is done by first applying the expansion law to the term and then Lemma 5.1.

7 Conclusion

We have presented a machine checked proof of the complete axiomatization of strong late bisimilarity in the pi-calculus. It is difficult to estimate the time this has re- quired since it was done in parallel with the development of the infrastructure in Isabelle. As an example, the effort corresponding to Section 6 (adding the paral- lel operator) turned out to be roughly one day, most of which was spent proving soundness. Our experience is that the Isabelle system with its nominal datatype package and our implementation of the pi-calculus [3] works well for this task, in that the treatment of bound names is facilitated. This is not really apparent from the presentation in this paper since the gain is in many low-level details. Ulti- mately such judgements must be subjective, and we refer to our previous paper for a comparison with other approaches. But our present result strengthens our claim: similar completeness proofs have been around for more than 20 years, and no such proof has been formalized inside a theorem prover before now. The Isabelle code can be obtained from our homepage http://www.it.uu.se/research/group/mobility/theorem There are several obvious continuations of this work. Strong late bisimilarity is but one of a large family of equivalences. There is the early variety and the weak varieties where the completeness proofs are more complex and rely on saturation of terms with summands, and there are the corresponding congruences where the hnfs are different since matching and mismatching cannot be reduced. The saturation technique could be adapted also to the proof in the present paper, with the idea to establish first that if P ∼ Q then Q ≡ Q + P by adding each of the summands of P to Q; this would obviate the need for uhnfs but it is unclear if it would give a shorter or more striking proof.

References

[1] http://isabelle.in.tum.de/nominal/

[2] http://fling-l.seas.upenn.edu/~plclub/cgi-bin/poplmark

[3] Jesper Bengtson and Joachim Parrow. Formalising the pi-calculus using nominal logic. In Proceedings of FOSSACS 2007, volume 4423 of Lecture Notes in Computer Science, pages 63–77. Springer Verlag, 2007.

[4] M. J. Gabbay. The π-calculus in FM. In Fairouz Kamareddine, editor, Thirty-five years of Automath. Kluwer, 2003.

[5] Matthew Hennessy and Robin Milner. Algebraic laws for nondeterminism and concurrency. J. ACM, 32(1):137–161, 1985.

[6] Daniel Hirschkoff. A full formalisation of pi-calculus theory in the calculus of constructions. In TPHOLs ’97: Proceedings of the 10th International Conference on Theorem Proving in Higher Order Logics, pages 153–169, London, UK, 1997. Springer-Verlag.

[7] Furio Honsell, Marino Miculan, and Ivan Scagnetto. π-calculus in (co)inductive type theory. Theoretical Computer Science, 253(2):239–285, 2001. 128 Bengtson and Parrow

[8] Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes, I/II. Inf. Comput., 100(1):1–77, 1992.

[9] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: a proof assistant for higher-order logic. Springer-Verlag, 2002.

[10] Joachim Parrow. An introduction to the pi-calculus. In Jan Bergstra et al, editor, Handbook of Process Algebra, pages 479–543. Elsevier, 2001.

[11] Christine R¨ockl and Daniel Hirschkoff. A fully adequate shallow embedding of the π-calculus in Isabelle/HOL with mechanized syntax analysis. J. Funct. Program., 13(2):415–451, 2003.

[12] Natarajan Shankar. Metamathematics, Machines and G¨odel’s Proof. Cambridge University Press, 1994.

129