Abstract

Compositional abstraction of CSP_Z processes

Adalberto Farias; Alexandre Mota; Augusto Sampaio

Centre of Informatics Federal University of Pernambuco P.O. Box 7851, Cidade Universitária, Zip 50732-970 - Recife - PE - BRAZIL {acf|acm|acas}@cin.ufpe.br

ABSTRACT

Data abstraction is a powerful technique to overcome state explosion in model checking. For CSP_Z (a formal integration of the well-known specification languages CSP and Z), current approaches can mechanically abstract infinite domains (types) as long as they are not used in communications. This work presents a compositional and systematic approach to data abstract CSP_Z specifications even when communications are based on infinite domains. Therefore, we deal with a larger class of specifications than the previous techniques. Our approach requires that the domains (used in communications) being abstracted do not affect the behaviour of the system (data independence). This criteria is used to achieve an internal partitioning of the specification in such a way that complementary techniques for abstracting data types can be applied to the components of the partition. Afterwards, the partial results can be compositionally combined to abstract the entire specification. We propose an algorithm that implements the partitioning and show the application of the entire approach to a real case study.

Keywords: Formal Methods, Model Checking, Data Abstraction, CSP, Z, Compositionality.

1. INTRODUCTION

Integrated notations are powerful to provide separation of concerns when describing systems. The language CSP_Z [9], for example, integrates the process algebra CSP [18] and the model-based language Z [22] in such a way that behavioural and data aspects are modelled simultaneously but orthogonally; while control flow is described in CSP (the behavioural part), data aspects are modelled in Z (the data part). The syntax and semantics of the constituent languages are almost fully reused in CSP_Z, which also provides flexibility for applying techniques to perform compositional refinement and analysis. For example, process and data refinement techniques can be used relatively independently to achieve more concrete specifications. Concerning analysis, theorem proving [13] (Z proofs) or model checking [5] (CSP proofs) can be used for verifying properties in CSP_Z. The former method requires user intervention in general, whereas the latter is fully automatic, but unable to analyse systems with infinite state-spaces (the state explosion problem). To overcome such a limitation, several state-space compression techniques [5], like data abstraction, for instance, have been applied.

Abstracting a system means finding an approximation that preserves desirable properties. This simpler representation can be safe or optimal with respect to the original system [6]. Safe abstraction does not preserve all properties, whereas optimal abstraction represents the original system more faithfully. This work considers only optimal abstractions of CSP_Z specifications. The language yields infinite state-space systems very naturally because infinite domains are allowed as types of state and communication variables. In the first situation, the infiniteness is already handled by the data abstraction approach reported in [8, 16]. However, the infiniteness occurring in communications is still an open problem.

The approach presented in this work is based on a syntactic splitting to isolate the infiniteness problem. This originates two internal parts that can be data abstracted by specific techniques. Afterwards, the resulting abstract parts are combined to originate the abstraction for the entire system. Thus, our technique increases the class of problems handled by data abstraction through the application of a decomposition and reusing existing techniques to analyse the originated parts separately. After that, we integrate the results and obtain a more complex abstraction. We have observed that this is simpler than analysing the entire specification.

We emphasize that our approach is applied to a CSP_Z process in isolation; we split the data (Z) part into a data dependent and a data independent part. We can also apply the approach to all CSP_Z processes (components) of a network of processes, provided the communication of the analysed component does not affect the behaviour of the other processes. In this sense, the state explosion of the entire network can be handled by applying our strategy to its components.

We also point out that our approach is related to refinement checking [18] rather than to classical model checking [5]. Thus, instead of proving a specific property in a given model, we aim at finding an optimal abstraction (S^A) that preserves almost all properties of the original specification (S). The unique distinction between S and S^A occurs when communicated values are abstracted; however, if these values do not affect the behaviour of other processes, we can consider S^A instead of S (in isolation or in a network of processes) . Furthermore, as the equivalence between S and S^A is given in terms of the failures-divergences model of CSP [18], our approach allows the verification of safety and liveness properties as well as application specific properties.

The main contributions of this work are:

• a systematic strategy for partitioning Z specifications into a data independent and a data dependent components;

• the algorithmic implementation for the partitioning strategy;

• the reuse of existing techniques to overcome the state explosion problem;

• a compositional approach for abstracting infinite domains of state and communication variables in CSP_Z;

• application of the strategy to a realistic case study.

Although our strategy is developed for CSP_Z, it can be extended to other notations that associate events with state change, such as CSP_OZ [9] or CSP-B [19].

This work is organised as follows. Section 2 provides an overview of CSP_Z and presents part of the specification of a real system that is used as our case study; this system cannot be mechanically analysed by existing data abstraction approaches because it presents infinite communications. We propose an approach to deal with such a problem in Section 3. The approach is based on a syntactic splitting, which is described algorithmically in Section 4. Afterwards, we discuss related work in Section 5 and present our final remarks and future directions for this work in Section 6. The proofs of all lemmas and theorems presented in this work can be found in Appendix A.

2. BACKGROUND ON CSP_Z

The notation CSP_Z provides a convenient way for modelling concurrent systems with state information. Its semantics is defined in such a way that developers can reason about behavioural (CSP) and data (Z) aspects orthogonally. This section introduces several aspects of CSP_Z: syntax, semantics, model checking and data abstraction. We introduce CSP and Z separately.

2.1 THE CSP NOTATION

The process algebra CSP [18] can be viewed as a notation for describing concurrent systems whose component processes interact with each other by communication, or as a collection of mathematical models that help one to reason about processes formally.

The most fundamental element in CSP is a communication event, which can be viewed as an atomic transaction (or a possible synchronisation point) between two or more processes; an event is also an abstract way of representing a real computation such as a method/function call, statement, input/output, internal action, an so on. An event occurs in a communicating channel, which can support data types. For example, if a channel a does not support types, it defines the event a; otherwise, it defines a family of events. The communication a?x involves an input on channel a, whereas a!y represents an output on the same channel. Inputs and output are generically denoted by ch.v, where ch is a channel and v is a value. Thus, if v Є , the communication a.v corresponds to the infinite set of events {a.1,a.2,...}.

On the other hand, processes are used to describe some behaviour; each process has an associated alphabet, which is the set of all events occurring in process's body. Thus, a process P has the alphabet αP.

The most basic processes in CSP are STOP and SKIP. The former represents a deadlock and do not communicate any observable event; the latter denotes successful termination after performing the special event √, which is also used to synchronise processes upon successful termination.

The construction of more complex processes is also possible by using operators. Table 1 provides a brief explanation of the main operators.

In CSP, process definitions are similar to equations, where the left-hand-side is the process name (possibly parameterised) and the right-hand-side is the process body. For example, the specification

channel tick, tack

Clock = tick → Clock □ tack → Clock

describes the behaviour of a clock that infinitely offers tick or tack (defined by non-typed channels) using recursion. Its graphic representation is given in terms of a Labelled Transition System (Figure 1).

The set initials(P) denotes the set of acceptances (events) that can be performed by the process P in a specific context. For example, initials(Clock) = {tick,tack} and initials(a → b → SKIP) = {a}.

The meaning of a CSP process is defined according to three models [18]: traces, failures or failures-divergences. The traces model () is based on the observable behaviour, where a process is represented by a set of traces (sequences of events). For example, the processes STOP and SKIP are represented by {‹›} and {‹›, ‹√›}, respectively. The process a → b → STOP is represented by {‹› ‹a ›,‹a,b ›}; ‹› means no event has been performed yet, ‹a › denotes only a was performed, and ‹a,b › means the process performed a followed by b.

It is worth noting that the traces model captures what a process "can" do. Actually, processes can reject events, originating the notion of refusals (the events a process can reject in a context). The failures model () captures this and represents a process as a set of failures; each one is defined as a pair (s,X) where s is a trace and X is a set of refusals after performing s. For example, the processes a → STOP □ b → STOP and a → STOP ∏ b → STOP are represented by the same set of traces ({‹›, ‹ a ›, ‹b›}). However, the second process can nondeterministically reject a before performing any event. The failures of these processes are respectively given by {(‹›,Ø),(‹a ›,{a,b}),(‹b›,{a,b})} and {(‹›,Ø),(‹›,{a}),(‹›,{b}),(‹a ›,{a,b}),(‹b›,{a,b})}. Note that the first process is more predictable (deterministic) than the second in because it has less failures. Intuitively, a process that offers the external choice (□) of certain events is better than (a refinement of) a process that "decides" internally (∏) on which events to engage.

Besides traces and refusals, processes can perform internal actions that are not captured by or . The failures-divergences model () gives meaning to processes based on their failures and divergences. A divergence is a trace (and all its extensions) for which a process is not deadlocked and does not show any observable behaviour (it infinitely performs internal actions). A divergent behaviour is similar to an infinite loop doing nothing.

According to [18], process refinement () is defined in terms of set inclusion and the equivalence (≡) is defined in terms of refinement. That is,

Concerning tool support, CSP specifications can be analysed by the refinement checker FDR [10]. The tool is able to prove properties of specifications by applying the above refinement definitions. To achieve that, the left-hand specification P must satisfy the desired property. Then an arbitrary specification Q also satisfies the same property if P Q. Because FDR calculates all traces, failures and divergences of processes, it is not able to deal with systems with an infinite state-space.

2.2 THE Z NOTATION

The Z language [22] presents powerful structuring and abstraction mechanisms for describing data and sequential aspects. It is based on set theory and first-order logic, and provides two internal languages: the mathematical and the schema languages. The former is used to describe various aspects of a design: objects (abstract data types, functions, predicates, etc.), and the relationships between them; the latter is intended to structure and compose descriptions: collating pieces of information, encapsulating them, and naming them for reuse.

There are many ways of defining new types in Z. Table 2 shows the main type constructors.

A Z schema is a construction where declarations and predicates are combined for defining new objects, with the general form,

Schemas have a name and are suitable for modelling state, initialisation and operations. When modelling the state, the declarative part defines all state elements and the predicate establishes an invariant that must be preserved. When representing operations, the declarative part contains all manipulated variables (state, inputs and outputs) and the predicate establishes "what" a schema does (post-condition) as long as "certain" conditions (preconditions) are satisfied. When a precondition is not valid, the post-condition of a schema might generate an arbitrary state.

In this sense, schemas are relations from a before state and an input to an after state and an output. This allows one to manipulate them using operators over relations. Table 3 shows some operators and their semantics. R₁, R₂ and R are relations, whereas s is a set. The relevant operators are relational composition , domain restriction () and subtraction (), and range restriction () and subtraction ().

A Z specification is represented as a triple containing a state, an initialisation and a set of operations; that is, (State,Init,Ops). The following specification describes a simple clock, whose state contains a natural number as internal counter (x : ). The initialisation assigns 0 to the next value of the state variable (x' = 0).

Regarding operations, the simple clock presents two schemas: tick and tack. Both of them can change the state (ΔState) by incrementing the state variable (x' = x + 1). However, they are enabled for different range of values: while tick is enabled for even numbers (x mod 2 = 0), tack is enabled for odd ones (x mod 2 = 1).

Note that, while the above Z specification describes state change, the CSP description (represented by Figure 1) establishes a random execution of tick's and tacks's without considering any state information. In the next section we show how to integrate these complementary features and associate behaviour with state manipulation.

2.3 INTEGRATING CSP AND Z

The orthogonal and complementary characteristics of CSP and Z were the motivation for integrating them in a framework for describing behavioural and data aspects simultaneously. In this sense, CSP_Z reuses as much as possible the existing syntaxes and semantics to provide a more expressive language. We first present the syntactic integration of CSP and Z before giving an informal view of its operational semantics.

Figure 2 illustrates the general form of a CSP_Z specification. It may contain global data types and the process description that is composed by two parts: CSP and Z. The global types are defined before the keywords spec/end_spec, which are used to limit the scope of the process; ProcessName is the name of the process.

In the CSP part, the Interface contains channel declarations; they define all events the process can perform. The behavioural description contains process definitions; they are used to define the control flow of the entire process starting in a main process equation.

The data part is a Z specification that works conjointly with the CSP part. A CSP_Z specification is basically the union of a behavioural description with a data one. For example, the specification of Figure 3 describes the simple clock with control flow and state information together.

Note that the names of the Z operations were changed by adding the prefix com_. This associates a Z schema with a CSP channel in order to synchronise events with schema executions. Thus, the CSP part performs an event if, and only if, the Z part executes the associated operation. This allows the Z part to affect the behaviour of the CSP one (and vice-versa): invalid preconditions cause event refusal (the blocking view of CSP_Z [9]). Note that this is different of the pure Z semantics and originates an LTS affected by control flow and state information together (Figure 4). The Init schema yields the initial state while the CSP part performs an internal action (). Transitions are labelled with an event and the execution of the corresponding schema is implicit. The state (possibly) changes after each transition according to the associated operation schema.

2.4 CSP_Z MODEL CHECKING

The simultaneous and synchronised execution of the behavioural and the data parts of a CSP_Z specification has been the key point for the development of a model checking strategy [17]: the CSP and the Z parts are translated into pure CSP processes (P_CSP and P_Z, respectively) that synchronise on all events from the Interface, as formalised by Equation 1.

The component processes have the same alphabet as imgt01; that is, αimgt01 = αimgt01 = αP_Z. Therefore, P_CSP and P_Z are in full synchronisation where P_Z(State) is responsible only for state manipulation and has the normal form given by Definition 2.1.

Definition 1 Let P_Z(State) be the process representing the Z specification (State,Init,Ops). The normal form of P_Z(State) is given by

The process P_Z(State) is defined by a recursion whose body is an external choice of all operations (□_{com_evЄ Ops}). As long as a guard \pre com_ev is valid, P_Z performs ev (in synchronisation with P_CSP) and recurses using an updated state (com_ev(State)).

Once a CSP_Z specification is represented as a process, its analysis can be carried out using any CSP model. The standard model is adopted in this work.

Although Equation 1 is a concise CSP representation of a CSP_Z specification, it cannot always be directly analysed by model checking because State may assume infinite values in P_Z or because αimgt01 can be infinite. For instance, in the process Clock the state variable x is incremented at each transition indefinitely. This originates an infinite LTS representation (Figure 4). An alternative way to avoid such a problem is using data abstraction, which is able to determine a finite range of values for x such that the behaviour of the process is preserved.

2.5 CSP_Z DATA ABSTRACTION

Data abstraction [8, 16, 18, 21] is a powerful state-space compression technique, suitable for systems that manipulate data. It allows one to calculate simpler models that preserve desirable properties and are analysable via model checking.

The underlying theory of data abstraction is abstract interpretation [6]. It is a general framework for establishing correspondence between semantics. In this theory, elements of a concrete domain have an abstract meaning given by abstraction relations, such that values and operations over concrete domains are interpreted as values and operations over abstract ones. The theory allows one to find an approximation (safe or optimal) for a given concrete semantics (value, operation, etc.). They are simpler models that keep information about the actual (concrete) semantics. Safe abstractions preserve some properties, whereas optimal abstractions preserve all properties.

In CSP_Z, abstract interpretation has been used to determine the minimum values of the state variables that preserve the behaviour of the entire process. For example, recall the process Clock from Figure 3. There is an essential information that affects the occurrence of tick or tack: x is even or odd. Intuitively, the values 0 and 1 would be sufficient to preserve this observable behaviour. The approach proposed in [8, 16] assures this by using model checking and theorem proving; it expands the process and checks if a repeated trace is infinitely allowed by the CSP part via model checking, and by the Z part via theorem proving. For example, the trace ‹tick, tack› is allowed by the CSP part because it performs any sequence of tick's and tack's. In the Z part, the execution of the corresponding schema composition comp com_tick com_tack enables the composition again (infinitely), as captured by the stability theorem (Equation 2).

If Equation 2 is valid, the future states can be represented by the previous ones (an equivalence relation). For example, in the process Clock, the natural numbers are partitioned according to

E_tick = {n : | n mod 2 = 0 • n n + 2}*

E_tack = {n : | n mod 2 = 1 • n n + 2}^*

where ^* means the reflexive closure operator of relations.

The equivalence classes E_tick and E_tack are used to define the abstraction function h: → {0,1} as follows.

The function h is used to abstract the types of the variables, the constants and the post-conditions of schemas; concrete preconditions are reused by the abstract schemas. The application of h to the process Clock originates the abstract specification of Figure 5. Note that the abstract domain is given by the range of h; the original preconditions are preserved; and the abstract post-conditions are obtained by simply applying h to the expressions assigned to the state variable. Thus, h(0) and h(x+1) (where x Є {0,1}) do not yield values outside {0,1}. This means that the abstract domain is closed under initialisation and under the operation + 1.

The LTS representation of Clock^A is depicted in Figure 6, where the state explosion caused by the state variable x was overcome. If this same variable were involved in communications, the approach of [8, 16] could not be applied. In the next section we show an example that belongs to this class of problems.

2.6 A REAL EXAMPLE

In this section we present a process that describes a module of the on-board computer of a Brazilian artificial microsatellite [16]. Figure 7 shows the specification.

The process uses some global data types. The free-type Message is defined in terms of the element nullMsg (used for initialisation purposes) and the constructors TC and TM (used for classifying messages as telecommands or telemetries, respectively). Both TC and TM messages have a parameter Fields that is defined as the cartesian product of Data and integers (). Data is another free-type with three values (nullData denoting an empty message, sendTM standing for messages that should be sent to the Earth, and extra to represent other kinds of messages). The integer is used for recording the message ordering. Therefore, Message is an infinite type.

The process Telemetry is responsible for maintaining the most recent telemetry data (temperature, voltage, some process status, etc.) and sending them to the Earth.

In the CSP part, the channel FTR_TM is used for inputting the most recent telemetry message captured by the other processes, whereas the channel sendEarth is used to communicate the stored telemetry data to the Earth. The remaining channels do not support data communication.

The behaviour of Telemetry is established by its main equation: it first accepts an input value on FTR_TM (FTR_TM?msg) and sends data from the satellite to the Earth (SEND) or stores the new message (STORE). Sending data depends on whether an internal buffer is empty or not. If it is empty, the process performs emptyTM and behaves like main; otherwise, the process performs moreTM, sends a stored data to the Earth (sendEarth!msg) and behaves like SEND again.

Storing a new message also depends on the buffer status: if it is full, the process performs storeTMFull; otherwise it performs storeTMNotFull.

Concerning the data part, the state of Telemetry contains a variable (currMsg) that keeps a new message and a finite buffer of messages (represented by the sequence STM: seq Message), whose size is limited by an invariant (# STM < 3). The initialisation assigns nullMsg to currMsg and the empty sequence to the component STM.

The operations com_emptyTM and com_moreTM do not change the state; they use their preconditions to simply check whether STM is empty or not, respectively.

To make our decomposition strategy clear later on, we declare the components explicitly instead of using the Z conventions ΔState and ΞState as state change and preservation, respectively.

The remaining operations possibly yield state change. In com_FTR_TM, the state change is due to the input of a new message (currMsg' = msg?). When the internal buffer is full (# STM = 3), com_storeTMFull discards the oldest message and stores the newest one in the last position (STM' = tail STM ‹currMsg›). Otherwise (# STM < 3), com_storeTMNotFull simply appends the storage with currMsg (STM' = STM ‹currMsg›).

As long as the storage is not empty (STM diferente_symbol ‹›), the operation com_sendEarth sends the oldest message to the Earth (msg! = head STM) and discards it from the storage (STM' = tail STM).

The operations com_FTR_TM and com_sendEarth present an input and output, respectively. In the latter operation, the output assumes the value of a stored message. On the other hand, in com_FTR_TM, the input msg?:Message is not specified and can be any value of type Message. This naturally originates state explosion that cannot be handled by any existing approach for CSP_Z, including [8, 16]. Fortunately, as the behaviour of Telemetry is not affected by the type Message, we can determine a minimum subset of it that is relevant to capture the behaviour of the system. Thus, data abstraction is still possible even when communications are based on infinite domains. In the next section we present an approach for handling such a class of problems.

3 DATA ABSTRACTION BASED ON DATA INDEPENDENCE

The theory of data independence [14] is able to abstract infinite types based on syntactic properties (restrictions); it can be used in any context where these restrictions are related to the type being abstracted. We have observed that, for some systems, variables with infinite types can be isolated, even when they participate in communications. This has been the key point of our approach: using syntactic restrictions to achieve a separation of concerns and applying complementary techniques to abstract infinite types. In this sense, our approach uses decomposition and compositional reasoning in the context of data abstraction.

The decomposition uses the data independence criteria (reproduced in Definition ) to originate an internal partition of the Z part. This allows one to isolate the infiniteness problem occurring in variables (state and communication), in such a way that data independence can be used to abstract their domains. The remaining variables are analysed according to our data abstraction approach.

Definition 3.1 A system P is data independent with respect to a data type X if, and only if:

(1) it must not contain constants, only input/output variables of type X;

(2) it may contain only equality tests and polymorphic operations involving type X;

(3) it may contain more complex operations, as long as they are defined in terms of equality tests and polymorphic operations;

(4) no replicated constructs (such as indexed parallelism) over the data type may appear, other than replicated nondeterministic choices.

◊

The items of Definition 3.1 define degrees of independence of a process P with respect to a data type X. Based on these items, it is possible to calculate the minimum cardinality of X to preserve P's behaviour: the threshold of P with respect to X or tld(P,X), for short. For instance, if P satisfies (1) then tld(P,X) = 1. Thus, the type X must have at east 1 element, or # X > 1 is the unique constraint the type X must satisfy to preserve P's behaviour. This is the key idea we use to abstract the data type manipulated by a CSP_Z specification. For instance, in Figure 1 the Z part is data independent with respect to the state variable, whereas in Figure 7 the data independence property is related to the communication (input/output) variables.

Actually, data independence does not distinguish state from communication variables. Concerning the latter, there is preservation of behaviour, but communications (with concrete values) involving the process and its environment are lost when restricting the cardinality of the domain. Therefore, our approach is only applicable to a CSP_Z system, as long as its communicated values do not affect the other CSP_Z components it interacts with (so-called closed systems). Furthermore, the reduction of the communicated values (of type X) of a process is achieved by applying a renaming of events that reduces the data communicated by P to a set whose cardinality is greater than or equal to tld(P,X). In this case, the renaming preserves P's behaviour (Lemma 3.1). For example, let P be a process that performs ch.x (x Є ) and tld(P, ) = 1. Suppose that, by data independence analysis, we restrict to the set {0}. Thus, ch.x is replaced with ch.0 and P's behaviour is preserved because # {0} > tld(P, ).

Lemma 3.1Let P be a CSP process. Let c be a channel of P with type T_c and R: A → B a renaming function, such that A = {c.v Є αP} and B = {c.v' Є Σ}. If P is data independent with respect to T_c and # \ran({c} R) > tld(P,T_c), then applying R preserves P's behaviour.

Lemma 3.1 follows directly from data independence [14] and extends the idea of preservation of behaviour considering all channels of a process; Σ represents the set of all events a process can perform, and is an extended version of the domain restriction operator of Z [22], used for filtering relations. The type of a channel ch is denoted by T_ch. As events have the form ch or ch.v, we use to filter the events occurring in a channel. Thus, : Σ × (Σ ↔S) (Σ ↔ Σ) such that

A S = {(x,y) | x Є A ((x,y) Є S∧∃v:T_x •(x.v,y) Є S)}

For example, let S = {(a.1,b),(a.2,c),(e,f),(c,f)}. Then, {a} S = {(a.1,b),(a.2,c)} and {c} S = {(c,f)}.

Note that, if no values are communicated by channel c, R becomes the identity map and, hence, P = P. Moreover, when specific (or data dependent) operations of the type being abstracted are used, data independence is not applicable. However, we can still isolate the data independent aspects to apply a complementary technique to deal with the data dependent aspects separately. This is achieved by using Definition 3.1 to factor out the Z part, originating a partition of it.

Figure 8 illustrates the steps of the complete strategy. Step 1 splits the Z part of a CSP_Z process, originating two internal subparts: one data independent (DI) and another data dependent (DD). Then, Step 2 translates all structures (CSP part, DI and DD subparts) into CSP processes according to the strategy proposed in [17]. This originates a compound process that can still have an infinite state-space. To overcome this problem, Step 3 applies data independence to the parallelism of the CSP part and the DI component, and data abstraction to the DD component. The latter task gives an abstract process () that is combined with the data independent part (P_CSP

To split the data part we introduce some definitions.

Definition 3.2 A Z specification is DI if it is data independent with respect to the types of its variables (state and communication).

Note that a DI specification is classified according to Definition 3.1 and, therefore, can be data abstracted by data independence. The other category of specifications (Definition 3.3) is also used when values of the type being abstracted occur in data dependent operations.

Definition 3.3 A Z specification is DD if it is not DI and has no infinite inputs (communicatd to the environment) in data dependent operations.

◊

Note that Definitions 3.2 and 3.3 are almost complementary. Actually, Definition 3.3 is complementary to Definition 3.2 with an extra restriction: infinite inputs are not allowed. This is necessary because our data abstraction strategy is able to deal only with finite data dependent communications. The essential advantage of using Definitions 3.2 and 3.3 is to provide a partition of a Z specification, where infinite communications are data independent. Thus, if a Z specification can be decomposed into two specifications such that Definitions 3.2 and 3.3 are satisfied by each resulting specification separately, a simple bi-partition is originated (Definition 3.4). We assume that a schema sch belongs to the specification (State,Init,Ops) if it is the state, the initialisation or one of the operations (sch Є ({State} ∪ {Init} ∪ Ops)), and that two schemas are disjoint if they do not have variables in common.

Definition 3.4 Let Z_spec = (State,Init,Ops), = (State^di,Init^di,Ops^di) and = (State^dd,Init^dd,Ops^dd) be Z specifications. If is DI, is DD and for all schema sch Є Z_spec there are two corresponding and disjoint schemas sch^diЄ and sch^ddЄ such that, sch = sch^di∧ sch^dd, then and form a simple bi-partition of Z_spec.

Definition 3 involves the notions of DI specification, DD specification and disjointness of schemas. This allows one to reason about compositional behaviour of Z specifications: executing an operation is similar to simultaneously executing (parallelism) its DI and DD components. We also use this idea when applying data abstraction: each component is analysed separately and the results are combined to yield a solution for the entire specification. Thus, before abstracting types, we convert each component into a process and capture the entire behaviour by the parallelism of such processes, considering all events from the Interface. This follows the same idea as that presented in [18], where parallelism captures conjunction of specifications. The correspondence between the original and the compound CSP representation of a Z specification is formalised by Theorem 3.1.

Theorem 3.1 Let Z_spec = (State,Init,Ops), = (State^di, Init^di, Ops^di) and = (State^dd, Init^dd, Ops^dd) be Z specifications such that and form a simple bi-partition of Z_spec. Let P_Z, and P_Z^dd be CSP processes capturing the behaviours of Z_spec, and , respectively. Then,

Using Theorem 3.1 in Equation 1, and the associativity of the parallel operator [18], we obtain

Note that Equation 3 separates a CSP_Z process into two component processes: one data independent (P_CSP (State^di)) and another data dependent ( (State)). This allows the application of data independence to the first component and data abstraction to the second one [16]. The results of this separated analysis can be compositionally combined to yield the abstraction for the entire process. Of course, because communicated data are abstracted, we must consider a more restricted set of events performed by the abstract process (an abstract interface); it is calculated by applying a special renaming (interface abstraction) to the concrete events. As events are associated to channels, we use a renaming function (r_ev) for each typed channel ev to map events involving values from an infinite domain (the type of the channel) to values from a finite one (the abstract type); if the channel is non-typed, the corresponding renaming is the identity over its name. For example, suppose that is the type of ev and h_ev: {0}, where stands for total surjections, is given by h_ev(x) = 0. Then, r_ev = {x : • ev.x → ev.h_ev(x)}.

The union of all renaming functions of a process originates a renaming for the entire interface, as captured by the following definition.

Definition 3.5 Let P_Z be the process representation of a Z specification. Let chs be the channels of P_Z and r_ev a renaming function for the channel ev (ev Є chs). The interface abstraction of P_Z is given by

The interface abstraction maps concrete events into abstract ones, by only restricting data (channel names are preserved). Its use in Equation 3 allows one to define the abstract version of a CSP_Zprocess, expressed as a parallelism of a data independent and a data dependent processes considering ran R as the abstract interface. This is formalised in [16] and reproduced in Theorem 3.2.

Theorem 3.2Let P_CSP be a CSP_Z process with interface I. Let P_di and P_dd be CSP processes such that P_dd is data dependent, P_di is data independent, and P = P_di P_dd. Let be an optimal abstraction for P with interface abstraction R. If R preserves Pdi's behaviour, then

According to Theorem 3.2 the abstract version of Equation 3 (obtained by Step 3 of Figure 8) is given by

It is worth pointing out that the partitioning strategy focuses on originating components whose schemas are disjoint (they do not have variables in common). Nevertheless, this is not true in general. In the next section we show how to deal with this for a specific (but significant) class of problems.

3.1. EXTENDING THE PARTITIONING STRATEGY

In the ideal scenario, the components originated by the partitioning strategy are disjoint and valid (all expressions in the predicate part of each schema refer to variables occurring in the declaration part). Nevertheless, this is not true in general. If there exist at least one schema whose components are non-disjoint, our data abstraction approach cannot be applied. On the other hand, if an expression of a component refers to a variable of the other (disjoint) component, we can still abstract domains, as long as the expression is data independent with respect to the type of the variable. Furthermore, we have to check, at the end, if the abstract domain respects the minimum cardinality required by the expression.

To validate two disjoint component schemas, we need to adjust them by adding a new declaration and applying a syntactic substitution. For example, consider the following state schemas State^di and State^dd (inv_yis a data dependent invariant over y), and the operation schema op, which contains a data dependent predicate p_ywith respect to the type T_y.

When partitioning op, the predicate py is placed into the data dependent component (op^dd) and the predicate x' = y is placed into op^di.

Note that op^di is not a valid schema because y has not been declared. To fix this problem we introduce a new input variable (in?: State^dd) in the declaration part op^di and replace all occurrences of y in the predicate part with in?.y; this is achieved through the syntactic substitution [in?.y/y]. Dually, the schema op^dd also receives State^di as an input parameter that is not used in the predicate part. This is similar to the idea adopted in [3], where new events between decomposed operations are created to solve dependencies and to maintain the original semantics (action refinement). In this work we just exchange the states between the component operations. Thus, op^di and op^dd become

We also point out that this technique is possible because x'= y is a data independent expression with respect to Ty. Therefore, the values of y can be abstracted and must respect the minimum cardinality required by x'= y. On the other hand, if an expression of a component is data dependent with respect to the type of the variable placed in the other partition, this adjustment cannot be applied. This is pointed as a topic for future work in Section 6.

To make the CSP representation of the Z part uniform, we consider the extended normal form given in Definition 3.6. It is obtained by substituting PZ with in Definition 2.1 and by adding a new event before offering all enabled events.

Definition 3.6Let PZ (State) be the process representing the Z specification (State,Init,Ops). Let (State^di ,Init^di ,Ops^di) and (State^dd ,Init^dd ,Ops^dd) be Z specifications such that Z^di and Z^dd form a simple bi-partition of (State,Init,Ops). The extended normal form of PZ (State) is given by,

The purpose of communicate.State^di .State^dd is only to communicate the components of State. Its occurrence does not affect the compound form of a simple bipartition, as stated by Theorem 3.3.

Theorem 3.3 Let Z_spec = (State,Init,Ops), = (State^di,Init^di,Ops^di) and = (State^dd,Init^dd,Ops^dd) be Z specifications such that and form a simple bi-partition of Z_spec. Let P_Zext, P_Zext^di and P_Zext^dd be CSP processes in the extended normal form capturing the behaviour of Z_spec, and , respectively. Then,

In Theorem 3.3, P^di (State^di)and P^dd (State^dd)are respectively given by

The way communicate.State^di .State^dd is used in allows the process to output its state (!State^di) and input the state of the data dependent component (?s^dd). Dually, it also allows to input the state of the data independent component (?s^di) and output its state (!State^dd). Although an operation com_ev has two disjoint states as parameters, it yields a new state for its corresponding component. Furthermore, as the events occurring on channel communicate are limited to the scope of

Theorem 3.4 Let and PZ be CSP process representations for the Z specification (State,Init,Ops)such that PZ is in the normal form and is in the extended normal form. Then,

In the next section we show the application of the splitting strategy to the process Telemetry.

3.2. THE SPLITTING OF TELEMETRY

Considering the schema State of the process Telemetry (Figure 7), we analyse two declarations. As the invariant involves the variable STM in a data dependent operation, we place currMsg into State^di and STM into State^dd .

Regarding the initialisation, we expand State'and observe that the predicate of the invariant involves STM'. Therefore, the initialisation splitting yields

Concerning operations, com_emptyTM is split into two schemas (com_emptyTM^di and com_emptyTM^dd) that do not change their respective states. The variable in?is not used by the com_emptyTM^di because they are disjoint and do not access variables placed in com_emptyTM^dd (and vice-versa).

In com_FTR_TM the declarations currMsg :Message, currMsg': Message and msg?: Message and the predicate currMsg'= msg?are placed into com_FTR_TM^di , whereas the remaining declarations and predicates belong to com FTR TM^dd . This means that only State^di is changed by the input msg?.

The splitting of the operation com_sendEarth yields

Note that com sendEarth^di and com_sendEarth^dd are disjoint but the former is not valid because it uses a variable (STM) declared in the latter. To fix this, we replace all occurrences of STM in the predicate part with in?.STM. This is possible because head STM is a polymorphic (data independent) operation. Thus,

The splitting of com_storeTMFull and com_storeTMNotFull also needs this adjustment.

After partitioning the process Telemetry, we translated the components to CSP, using the extended normal form (Definition 3.6) for the Z part. Then we represented the entire process according to Equation 3.

The analysis of P_CSP

where the abstraction function h :Message → Message^A (also calculated by the approach) is given by

h(m)= nullMsg

Because Message is communicated on channel FTR TM and #({FTR TM}−≥ 1, R preserves the behaviour of PCSP _Z (State^di). The abstract version of Telemetry is then given by

where the types of the channels FTR_TM and sendEarth were changed from Message to Message^A .

The abstract version of the components of com FTR_TM are given by

We have verified safety and liveness properties of Telemetry using FDR [10] (see Figure 9). The Telemetry partitioned and renamed is the process

TelemetryPartRen =

Interface Interface

And the abstract Telemetry partitioned is given by

AbsTelemetryPart =

Both processes were deadlock-free, livelock-free and equivalent in

To provide a mechanisation of the partitioning strategy, we propose an algorithm that originates a simple bipartition of the Z part of a CSP_Zspecification.

4. A PARTITIONING ALGORITHM

The partitioning strategy presented in the previous section is systematic and syntactic-based. In this section we describe it algorithmically.

We use some auxiliary functions. The most important function determines if a given expression is data independent with respect to a given type. The function is_di : Exp × T → Boolean (Figure 10) implements the data independence classification according to Definition 3.1. Note that is_di could also be described in terms of syntactic analysis of expressions, as proposed in the literature of compilers [1]. However, such a representation would require a detailed description of all kinds of expressions that are allowed (a subset of the Z grammar). In this work we use a natural language style for conciseness.

We assume that schemas are normalised [22]; that is, declarations have the form v : Tv where v is a variable of type Tv, and all constraint information (including the invariant) appears in the predicate part, which must be in the conjunctive normal form. This is necessary because the declaration and the predicate parts are split, originating schemas whose conjunction must be equal to the original one (Definition 3.4). This is established by the semantics of the schema conjunction [22], where declarations are merged and predicates are combined by conjunction.

For a given normalised schema sch [D| P], the functions decl(sch) and pred(sch) give the declaration (D) and the predicate (P) parts of sch, respectively, as sets. The elements of decl(sch)have the form v : Tv and each element of pred(sch)is any kind of expression allowed in the predicate part. Thus, pred(sch)contains all conjuncts (propositional components of a conjunction) of the predicate part. For example,

New declarations and predicates are inserted into decl(Op)and pred(Op)by using set inclusion. For example, decl(Op)← decl(Op) ∪ {d} means the declaration d is included into decl(Op).

The function include (Figure 11) includes a schema sch into a Z specification (State,Init,Ops). The state schema (sch = State) is placed into the first component, the initialisation (sch = Init) is placed into the second one, and operations are included into Ops. We use the functions fst, snd and trd to capture the first, the second and the third components of a Z specification, respectively. Thus, fst(Z_spec)= State, snd(Z_spec)= Init and trd(Z_spec)= Ops.

The algorithm is presented in Figure 12 and starts by considering only the Z part of the given specification (line 1). Initially, the partitions Z^di and Z^dd (line 2) are empty (without state, initialisation and operations) and each original schema sch (line 3) is analysed subsequently. For each analysed schema, the corresponding data independent (sch^di) and data dependent (sch^dd) components are initialised as empty schemas (line 4). Then the declarations of the current schema are analysed (line 5). The type of the declared variable (Tv) is taken (line 6) and used to classify all expressions of the predicate part (line 7). We point out that there may be many expressions in the predicate part for a same declared variable. Because we analyse expressions separately, it may originate non-disjoint schemas (the same declaration is placed into different components). Thus, if the analysed expression is data independent with respect to Tv (line 8), both the declaration and the expression are placed into sch^di (lines 9 and 10). If the analysed expression is data dependent with respect to Tv, we check (line 13) if the schemas are disjoint (that is, if the declaration has not already been placed into sch^di). If so, the declaration and the expression are placed into the data dependent schema sch^dd (lines 14 and 15). Otherwise, sch^di and sch^dd are non-disjoint and the algorithm returns an error (line 18). Independently of sch^di and sch^dd being disjoint or not, the algorithm solves the dependence between variables and expressions placed into different schemas (lines 11 and 16) by calling the function link (Figure 13), which is defined in a pattern matching style and uses the function vars : Exp → VarName to obtain the set of all variables occurring in an expression. For example, vars(x'= x +y? * 100) = {x',x,y?}.

The function link receives a schema (sch^di or sch^dd), a declaration (d) and an expression (e). If the declared variable is referred by e and has not been declared in the schema, a new declaration (in?: State^dd or in?: State^di) is inserted and the substitution [in?.v/v]is applied to the predicate part.

We point out that the disjointness check performed by the algorithm can also be achieved by pre-processing the specification. However, this requires the same loops used in the partitioning. We perform the splitting and the disjointness check in the same processing.

After processing all schemas, the sch^di and the sch^dd instances are placed into the suitable partitions (lines 24 and 25), and the algorithm considers another schema. The final result is a pair of Z specifications that form a simple bi-partition of the Z part of a CSP_Zspecification (line 29).

It is worth pointing out that our algorithm always terminates when analysing a CSP_Zspecification. This is a direct consequence of the finiteness of Z specifications; they have a finite number of schemas, where each one also contains a finite number of declarations and predicates. Hence, the loops of lines 3, 5 and 7 have finite iterations. The other statements involve declarations, initialisations, set inclusion, set intersection, comparisons and the functions is_di, include, link, vars, fst, snd and trd; they do not introduce non-termination.

5. RELATED WORK

When abstracting systems, property preservation can be total or partial. In property-guided approaches, the abstract model depends on the properties to be verified. An example is predicate abstraction [11], which has been used in automatic verification [2, 4, 12]. In our approach, by using a refinement theory, the abstract model does not depend on the properties to be verified. Thus, more properties (safety and liveness) can be verified. Nevertheless, this makes automation much more difficult to achieve.

Compositional analysis is the focus of several works. In [20], safety and liveness properties can be compositionally verified in a network of CSP-B processes, whose components contain a control and a data part. The approach is based on the analysis of the control part of each process and on the analysis of each CSP-B component separately; it does not address any abstraction on data domains. Thus, if a CSP-B component presents state explosion, the entire network (and the component itself) cannot be directly verified. In this sense, we use compositionality differently from [20]; while that work focuses on all processes of a network, we focus on a single component. However, our approach can also be used in a network of CSP_Zprocesses, as long as the abstracted values are irrelevant in communications between components.

The strategy proposed in [15] combines splitting, symmetry and data type reductions (a specific kind of abstract interpretation) to deal with verification of structures of infinite size. It has been used in hardware verification and requires that the user specify refinement relations between the implementation and the abstract model. In our approach, the abstract model is equivalent (modulo renaming) to the original one by construction [16] and user interaction to define refinement relations is unnecessary.

The approach presented in [7] handles infinite communications by using the notion of IO transformers: special operations defined over inputs/outputs that map infinite domains to finite ones. Their constructions are based on an abstraction function that must be given by the user. The approach does not allow relations between state and output variables (outputs must depend only on the inputs). Moreover, abstractions can be calculated in terms of forward or backward simulations [22]. In our work, we consider only abstractions based on forward simulation and allow relations between state and communication variables. We also do not require user assistance to give the abstraction function explicitly; it is mechanically determined.

6. CONCLUSIONS

This work further extends a previous data abstraction approach [8, 16] to deal with CSP_Zprocesses that present infinite and data independent communications. Using the data independence criteria, we apply an internal partitioning to the Z part of a CSP_Z specification (Definition 3.4). This originates two components—a data independent (DI) and a data dependent (DD). Then we convert the entire specification (the CSP part and the components of the bipartition) to CSP and use data independence and data abstraction to analyse data independent and the data dependent parts of the resulting process. This yields abstraction functions that are used to calculate the abstract domains and the abstract versions of all operations (of the DI and the DD components). As long as the abstract domains satisfy the minimum cardinality of the parallel composition of the CSP and the DI component, the abstract process is valid and can be analysed in FDR. In this sense, data independence is used to factor out the Z part and to determine the minimal bounds on the relevant data types of its data independent components. The data dependent one is data abstracted systematically.

We showed that, even when partitioned, the Z part can be represented as a process (Theorem 3.1). Moreover, after all sub-processes (P_CSPconjointly with and ) have been analysed, the results can be combined in a compositional way to build the abstraction for the entire process (Theorem 3.2). The resulting abstraction is equivalent (modulo renaming) to the original specification [16].

We have also identified a particular kind of dependence between the components of the partition originated by our partitioning strategy. To solve this dependence we extended the normal form of the process representation of a Z specification (Definition 3.6) in such a way that the partitioning is still valid (Theorem 3.3). To assure this, we have proved that both process representations (according to Definitions 2.1 and 3.6) are equivalent when making their interfaces equal (Theorem 3.4).

We have proposed an algorithm to implement the partitioning strategy. The algorithm receives an original CSP_Zspecification and gives a simple bi-partition of its Z part; it decomposes schemas according to the data independence property of their internal expressions.

We point out that the splitting strategy is orthogonal to the technique used to analyse the data dependent partition. Thus, our approach allows the use of different techniques to abstract domains of the resulting partition. For example, in this work we used an existing mechanical data abstraction approach [8, 16] to analyse the data dependent partition because user intervention is required only to prove internal theorems automatically generated by that strategy. However, the technique presented in [7] could be used alternatively to increase the class of problems (data dependent and infinite communications), but it would require user intervention to be applied (calculation of the abstraction functions, calculation of the IO transformers, construction of the abstract schemas, etc.).

There might also be other kinds of dependencies between the components of a bi-partition that require a more elaborate analysis. For example, data dependence of expressions in one component with respect to variables placed into the other component has not been addressed by this work. We intend to investigate techniques that allow to deal with such a class of problems in the future. This improvement will certainly lead to a more general and elegant approach to abstract data types.

Concerning mechanisation, we intend to implement our syntactic-based splitting in the tool presented in [8]. Actually, this will require a module to apply the partitioning and a module to apply data independence. The data abstraction module is already implemented in [8].

A. AUXILIARY LEMMAS

This appendix provides auxiliary laws and lemmas that are necessary to prove Theorems 3.1, 3.3 and 3.4.

Laws A.1 to A.8 are reproduced from [18]. We have proposed and proved laws A.9 to A.11.

Law A.1 states how the generalised parallel operator works. In summary, there are three options of behaviour: both processes progress together, only one of them is non-deterministically chosen to progress, or only one of them is deterministically chosen to progress.

Law A.2 states the commutativity of parallelism and Law A.3 establishes deadlock as the result of synchronising any process with STOP.

Law A.4 establishes the behaviour of an external choice. It offers the initial events of both left-and right-hand-side processes. If the processes have any initial acceptance in common and the environment is ready to engage on it, the external choice behaves nondeterministically (∏). Otherwise, the external choice engages on some initial event and behaves accordingly.

Law A.5 defines the process STOP as the unit element of the external choice operator.

Laws A.6 and A.7 establish the semantics of the conditional choice based on the trivial values of its condition.

Law A.8 establishes the way the hide operator works for processes defined by prefixing.

Law A.9 states the use of hiding in a guarded process.

Proof. By case analysis.

• For ¬ c: the hiding has no effect (STOP\X = STOP).

• For c:

Law A.10 states the idempotence of generalised parallelism, as also informally addressed in [18].

Law A.10Let P be a deterministic CSP process. Let X be a set of events such that αP ⊆ X. Then,

Proof. By case analysis where P is deterministic:

Prefixing a conditional choice is similar to prefixing each branch of the conditional choice (Law A.11).

Proof. By case analysis.

• For b:

• For ¬ b:

In the following we present some useful lemmas. Lemma A.1 allows one to represent a guarded process by using parallelism of the same process with weaker guards.

Lemma A.1 Let a and b be conditionals and ev be a CSP event. Let P,P_a and P_b be the processes given by

P =(a ∧ b)& ev → P

P_a= a & ev → P_a

P_b= b & ev → P_b

Then, P = P_a P_b

◊

Proof. By case analysis on the conditionals. We call Pa

• For a ∧ b:

Thus, (a ∧ b)& ev → P_ab= (a ∧ b) & ev → P [P_ab/P].

• For a ∧ ¬b:

Thus, (a ∧ b) & ev → P_ab=(a ∧ b) & ev → P[P_ab/P].

• For ¬a ∧ b: it is similar to a ∧ ¬b.

• For ¬a ∧ ¬ b:

Thus, (a ∧ b)&ev→Pab =(a ∧ b)&ev→P[Pab/P].

■

The external choice of processes without common initial acceptances can be represented as a conditional. If the environment is ready to engage into an event offered by the external choice, only one of the component processes will progress. This is precisely stated by Lemma A.2.

Lemma A.2Let P =?a : initials(P) → P' and Q =?c : initials(Q) → Q' be deterministic CSP processes such that initials(P) ∩ initials(Q)= Ø. Let x be an event from initials(P) ∪ initials(Q). Then,

Proof. Direct consequence of Law A.4, where A = initials(P) and B = initials(Q). We consider I = initials(P) ∪ initials(Q).

Lemma A.3 states the distribution of □ 2 over .

Lemma A.3Let P, Q and R be deterministic CSP processes such that αQ = αR, initials(Q)= initials(R)and initials(P) ∩ initials(Q)= initials(P)∩ initials(R)= Ø. Then,

Proof. From Law A.1 we calculate initials(P) ∪ initials(Q) as the initial acceptances of As initials(P) ∩ initials(Q)= Ø, we have two options to analyse:

• For x Є initials(P): by Law A.1, Q and R become unavailable and behaves like

• For x ∉ initials(P): by Law A.1, P becomes unavailable and behaves like

From the above case analysis we conclude that

When two external choices involving guarded processes are put into parallel, the guards are interchangeable. Lemma A.4 states this.

Lemma A.4Let P, Q, R1 and R2 be deterministic processes such that αP= αQ, αR1 = αR2, αP ∩ αR1 = Ø and initials(P) ∩ initials(R1)= initials(Q) ∩ initials(R2)= Ø. Let c₁,c₂be conditionals. Then,

Proof. By case analysis on the conditionals. Moreover, because αP = αQ, αR1 = αR2 and αP ∩ αR1 = Ø, we have that αQ ∩ αR1 = αP ∩ αR2 = Ø.

• For c1 ∧ c2:

• For ¬ c1 ∧¬ c2:

• For c1 and ¬ c2:

• For ¬ c1 and c2: similar to c1 and ¬ c2.

■

Recall from Lemma A.1 that a guarded process can be written as a parallelism of the same process with weaker guards. Analogously, the external choice of guarded processes can also be expressed as a parallelism of external choices. In this sense, Lemma A.5 extends Lemma A.1.

Lemma A.5 Let P, P_a and P_b be CSP processes given by

where a_i and b_i are conditionals and ev_i is an event. Then,

Proof. By induction on the index of the external choice. Base Case: i =1. Guaranteed by Lemma A.1.

Inductive Case. The lemma is valid for i = n (hypothesis) and we prove for i = n +1 (thesis). We rewrite the process P when i = n +1 to use the hypothesis. Thus,

Lemma A.6 allows one to distribute hide over an indexed external choice, as long as the hidden events are not initially accepted by the options.

Lemma A.6Let P be a CSP process and X a set of events. Let c_i be a conditional and ev_i an event such that ev_i∉ X. Then,

Proof. By induction on the index of the external choice. Base Case: i =1. Guaranteed by Law A.8.

Inductive Case. The lemma is valid for i = n (hypothesis) and we prove for i = n +1 (thesis). By rewriting • (ci &evi → P))\X to use the hypothesis, we have

Now we present the proof of Theorem 3.1. It is related to the process representation of a simple bi-partition. We point out that, because the component specifications of a simple bi-partition are disjoint, the preconditions of each schema and the state are also disjoint. As the theorem is related to behaviour, the state information is irrelevant in the proof and, therefore, can be omitted.

Theorem 3.1Let Z_spec= (State,Init,Ops), = (State^di ,Init^di ,Ops^di) and = (State^dd ,Init^dd ,Ops^dd) be Z specifications such that and form a simple bi-partition of Z_spec. Let P_Z , and be CSP processes Z capturing the behaviour of Z_spec, and , respectively. Then,

Proof. From Definition 3.4 we know that PZ, and have the same set of operations and the same alphabets. Thus,

In the following we show the proof of Theorem 3.3, which is related to the compound form of PZ using the extended normal form (Definition 3.6).

Theorem 3.3.Let Z_spec=(State,Init,Ops), = spec (State^di ,Init^di ,Ops^di) and = (State^dd ,Init^dd ,Ops^dd) be Z specifications such that and form a simple bi-partition of Z_spec. Let , and be CSP processes in the extended normal form capturing the behaviour of Zspec, and , respectively. Then,

Proof. It starts by considering (State).

In the following we present the proof of Theorem 3.4.

Theorem 3.4. Let and PZ be processes representations for the Z specification (State,Init,Ops) such that P_Z in the normal form and is in the extended normal form. Then,

Proof. From Definition 2.1 we know that αP_Z= α = α and from Definition 3.6 we know that α = α = α = α∪ {| communicate |}. We represent {| communicate |} by X and base the proof on syntactical equality, which means process equivalence [18].

Note that • pre com_ev & ev → (s')\X can also be given by • pre com_ev & ev → P_Z(s')[ \X/PZ ]. This simple syntactic substitution establishes the equality (and equivalence) between \X and P_Z.

Publication Dates