Conference Paper

Invariants in Process Algebra with Data


Abstract

We provide rules for calculating with invariants in process algebra with data, and illustrate these with examples. The new rules turn out to be equivalent to the well known Recursive Specification Principle which states that guarded recursive equations have at most one solution. In the setting with data this is reformulated as ‘every convergent linear process operator has at most one fixed point’ (CL-RSP). As a consequence, one can carry out verifications in well-known process algebras satisfying CL-RSP using invariants.


... The language prCRL contains a carefully chosen minimal set of basic operators, on top of which syntactic sugar can be defined easily, and allows data-dependent probabilistic branching. To enable symbolic reductions, we provide a two-phase algorithm to transform prCRL terms into LPPEs: a probabilistic variant of linear process equations (LPEs) [13], which is a restricted form of process equations akin to the Greibach normal form for string grammars. We prove that our transformation is correct, in the sense that it preserves strong probabilistic bisimulation [14]. ...
... As a consequence of this simplicity, the LPE format was essential for theory development and tool construction. It lead to elegant proof methods, like the use of invariants for process algebra [13], and the cones and foci method for proof checking process equivalence ( [17], [18]). It also enabled the application of model checking techniques to process algebra, such as optimisations from static analysis [19] (including dead variable reduction [20]), data abstraction [21], distributed model checking [22], symbolic model checking (either with BDDs [23] or by constructing the product of an LPE and a parameterised µ-calculus formula ( [24], [25])), and confluence reduction [26] (a form of partial-order reduction). ...
Article
Full-text available
This paper presents a novel linear process-algebraic format for probabilistic automata. The key ingredient is a symbolic transformation of probabilistic process algebra terms that incorporate data into this linear format while preserving strong probabilistic bisimulation. This generalises similar techniques for traditional process algebras with data, and - more importantly - treats data and data-dependent probabilistic choice in a fully symbolic manner, paving the way to the symbolic analysis of parameterised probabilistic systems.
... As such, it has been formally studied from different viewpoints using a wealth of formal techniques. They include process algebra [3,4], temporal Petri nets [27], the Calculus of Constructions [11], and timed rewriting logic [26], among many others. ...
Article
Full-text available
The InvA tool supports the deductive verification of safety properties of infinite-state concurrent systems. Given a concurrent system specified as a rewrite theory and a safety formula to be verified, InvA reduces such a formula to inductive properties of the underlying equational theory by means of the application of a few inference rules. Through the combination of various techniques such as unification, narrowing, equationally-defined equality predicates, and SMT solving, InvA achieves a significant degree of automation, verifying automatically many proof obligations. Maude Inductive Theorem Prover (ITP) can be used to discharge the remaining obligations which are not automatically verified by InvA. Verification of the reliable communication ensured by the Alternating Bit Protocol (ABP) is used as a case study to explain the use of the InvA tool, and to illustrate its effectiveness and degree of automation in a concrete way.
... The original motivation behind the LPO format was that several properties of a system can be uniformly expressed by first-order formulae. Effective proof methods for LPOs have been developed, incorporating the use of invariants [3] and state mappings [16]. Also the confluence property of an LPO can be expressed as a large first-order formula [15]. ...
Conference Paper
Full-text available
μCRL is a language for specifying and verifying distributed systems in an algebraic fashion. It targets the specification of system behaviour in a process-algebraic style and of data elements in the form of abstract data types. The μCRL toolset (see http://www.cwi.nl/~mcrl/) supports the analysis and manipulation of μCRL specifications. A μCRL specification can be automatically transformed into a linear process operator (LPO). All other tools in the μCRL toolset use LPOs as their starting point. The simulator allows the interactive simulation of an LPO. There are a number of tools that allow optimisations on the level of LPOs. The instantiator generates a labelled transition system (LTS) from an LPO (under the condition that it is finite-state), and the resulting LTS can be visualised, analysed and minimised.
... Thus, the fixed point formula is false for all v ∈ N and b ∈ Bool. 3. We show that this formula is satisfied by the initial state of the system. ...
Conference Paper
Full-text available
We define a value-based modal µ-calculus, built from firstorder formulas, modalities, and fixed point operators parameterized by data variables, which allows to express temporal properties involving data. We interpret this logic over µCrl terms defined by linear process equations. The satisfaction of a temporal formula by a µCrl term is translated to the satisfaction of a first-order formula containing parameterized fixed point operators. We provide proof rules for these fixed point operators and show their applicability on various examples.
... Improving the proof theory of CRL, see e.g. [BG94b]. Improving the proof techniques of this paper, in particular linearization and the verification of the premisses of CFAR. ...
Article
Full-text available
This paper reports on the first steps towards the formal verification of correctness proofs of real-life protocols in process algebra. We show that proofs can be verified, and partly constructed, by a general purpose proof checker. The process algebra we use is CRL, ACP augmented with data, which is small enough to make the verification feasible, and at the same time expressive enough for the specification of real-life protocols. The proof checker we use is Coq, which is based on the Calculus of Constructions, an extension of simply typed lambda calculus. The focus is on the translation of the proof theory of CRL and CRL-specifications to Coq. As a case study, we verified the Alternating Bit Protocol. Keywords: formal verification, process algebra, ACP, CRL, Coq, Calculus of Constructions, Alternating Bit Protocol. 1 Introduction This paper reports on the first steps towards the formal verification of correctness proofs of real-life protocols in process algebra. We show that p...
Article
We study three simple hybrid control systems in timed μCRL[6]. A temperature regulation system, a bottle filling system and a railway gate control system are specified component-wise and expanded to linear process equations. Some basic properties of the systems are analysed and a few correctness requirements are proven to be satisfied. Although not designed for this purpose, timed μCRL seems to allow detailed analysis and verification of hybrid systems. The operators for parallelism and encapsulation are handled using some basic results from [10]. It turns out that the expansion and encapsulation of a parallel composition of processes generally leads to a considerable number of potential time deadlocks, which generally turn out to be harmless. Also inherent to parallelism are the multiple time dependencies between the summands of the separate components. As a consequence, expansions tend to lead to large numbers of terms. Various techniques, such as the use of invariants [5], have to be employed to master these complications.
Article
Full-text available
We develop an algebraic theory of synchronous dataflow networks. First, a basic algebraic theory of networks, called BNA (Basic Network Algebra), is introduced. This theory captures the basic algebraic properties of networks. For synchronous dataflow networks, it is subsequently extended with additional constants for the branching connections that occur between the cells of synchronous dataflow networks and axioms for these additional constants. We also give two models of the resulting theory, the one based on stream transformers and the other based on processes as considered in process algebra.
Chapter
We provide several notions of confluence in processes and we show how these relate to the condition that if $s \xrightarrow{\tau} s'$, then $s$ and $s'$ are equivalent. Using deterministic linear processes we show how these notions can conveniently be used to reduce the size of state spaces and simplify the structure of processes while preserving equivalence.
Article
Full-text available
Nowadays, due to increasing system complexity and growing competition and costs, industry makes high demands on powerful techniques used to design and analyze manufacturing systems. One of the most popular techniques to do performance analysis is simulation. However, simulation-based analysis cannot guarantee the correctness of a system, so it is less suitable for functional analysis. Our research focuses on examining other methods to do performance analysis and functional analysis, and trying to combine the two. One of the approaches is to translate a simulation model that is used for performance analysis to a model written in an input language of an existing verification tool. We translate a χ [D.A. van Beek, K.L. Man, M.A. Reniers, J.E. Rooda, R.R.H. Schiffelers, Syntax and Consistent Equation Semantics of Hybrid Chi, CS-Report 04-37, Eindhoven University of Technology, 2004] simulation model of a turntable system into models written in the input languages of the tools CADP [J.-C. Fernandez, H. Garavel, A. Kerbrat, L. Mounier, R. Mateescu, M. Sighireanu, CADP—a protocol validation and verification toolbox, in: Proceedings of the 8th Conference on Computer Aided Verification (CAV’96), Lecture Notes in Computer Science, vol. 1102, 1996, pp. 437–440], Spin [G.J. Holzmann, The SPIN Model Checker, Addison-Wesley, 2003] and Uppaal [K.G. Larsen, P. Pettersson, W.Yi, Uppaal in a nutshell, Int. J. Software Tools for Technology Transfer 1 (1–2) (1997) 134–152] and do a functional analysis with each of them. This allows us to evaluate the usefulness of these tools for the functional analysis of χ models. We compare the input formalisms, the expressiveness of the temporal logics, and the algorithmic techniques for model checking that are used in those tools.
Conference Paper
Full-text available
We define a cones and foci proof method, which rephrases the question whether two system specifications are branching bisimilar in terms of proof obligations on relations between data objects. Compared to the original cones and foci method from Groote and Springintveld [22], our method is more generally applicable, and does not require a preprocessing step to eliminate τ-loops. We prove soundness of our approach and give an application.
Article
Full-text available
We define a cones and foci proof method, which rephrases the question whether two system specifications are branching bisimilar in terms of proof obligations on relations between data objects. Compared to the original cones and foci method from Groote and Springintveld, our method is more generally applicable, and does not require a preprocessing step to eliminate τ-loops. We prove soundness of our approach and present a set of rules to prove the reachability of focus points. Our method has been formalized and proved correct using PVS. Thus we have established a framework for mechanical protocol verification. We apply this framework to the Concurrent Alternating Bit Protocol.
Article
Full-text available
A process is called computable if it can be modelled by a transition system that has a recursive structure, implying finite branching. The equivalence relation between transition systems considered is strong bisimulation equivalence. The transition systems studied in this paper can be associated to processes specified in common specification languages such as CCS, LOTOS, ACP and PSF. As a means for defining transition systems up to bisimulation equivalence, the specification language μCRL is used. Two simple fragments of μCRL are singled out, yielding universal expressivity with respect to recursive and primitive recursive transition systems. For both these domains the following properties are classified in the arithmetical hierarchy: bisimilarity, perpetuity (both $\Pi^0_1$), regularity (having a bisimilar, finite representation, $\Sigma^0_2$), acyclic regularity ($\Sigma^0_1$), and deadlock freedom (distinguishing deadlock from successful termination, $\Pi^0_1$). Finally, it is shown that in the domain of primitive recursive transition systems over a fixed, finite label set, a genuine hierarchy in bisimilarity can be defined by the complexity of the witnessing relations, which extends r.e. bisimilarity. Hence, primitive recursive transition systems already form an interesting class.
Article
Full-text available
A simple specification language based on CRL (Common Representation Language) and therefore called μCRL (micro CRL) is proposed. It has been developed to study processes with data. So the language contains only basic constructs with an easy semantics. To obtain executability, effective μCRL has been defined. In effective μCRL equivalence between closed data-terms is decidable and the operational behaviour is finitely branching and computable. This makes effective μCRL a good platform for tooling activities.
Article
In this paper a "UNITY Format" for process specifications is introduced. The format is based on conditions on process states and process data. Several aspects of this format are discussed: a straightforward normalisation of the parallel composition of processes, the relation between the ACP priority operator and conditions, and the correspondence with a term rewriting system, which opens certain perspectives with respect to the validation and verification of a specification. Throughout the paper the simple and well-known PAR protocol serves as a running example. Keywords & phrases: process algebra, formal specification, data oriented, UNITY. 1987 CR Categories: D.1.3, D.2.10, F.1.2. 1 Introduction Different "specification styles" can be chosen for the specification of processes. In the field of ACP traditionally a process oriented style is used: a set of process names, possibly parameterised with data, is used to represent different process states. For each process name a defining...
Article
Full-text available
We provide a treatise about checking proofs of distributed systems by computer using general purpose proof checkers. In particular, we present two approaches to verifying and checking the verification of the Sequential Line Interface Protocol (SLIP), one using rewriting techniques and one using the so-called cones and foci theorem. Both verifications are carried out in the setting of process algebra. Finally, we present an overview of literature containing checked proofs. Note: The research of the second author is supported by Human Capital Mobility (HCM). 1 Proof checkers Anyone trying to use a proof checker, e.g. Isabelle [67, 68], HOL [29], Coq [20], PVS [78], Boyer-Moore [14] or many others that exist today has experienced the same frustration. It is very difficult to prove even the simplest theorem. In the first place it is difficult to get acquainted with the logical language of the system. Most systems employ higher order logics that are extremely versatile and expressive. ...
Article
Full-text available
The problem of leader election in distributed systems is considered. Components communicate by means of buffered broadcasting as opposed to usual point-to-point communication. In this paper three leader election protocols of increasing maturity are specified. We start with a simple leader election protocol, where an initial leader is present. In the second protocol this assumption is dropped. Eventually a fault-tolerant protocol is constructed, where components may crash and revive spontaneously. Both the protocols and the required behaviour are formally specified in ACP. Some remarks are made about a formal verification of the protocols.
Article
Full-text available
The most substantial step in the correctness proof of the one-bit sliding window protocol is provided by the following lemma. It states, roughly, that the partial abstraction $\tau_{\{c, c_2, c_4, i\}}(F)$ equals the buffer B from Section 5, provided that the invariant and the focus condition are taken into account. This lemma is a direct application of the Concrete Invariant Corollary which has been defined in [2]. The proof of the lemma is lengthy. This has two reasons. The first one is that all calculations are spelled out in detail. Actually, the proof of this lemma becomes an easy exercise, once the recursion equation for X is provided and is shown guarded, provided the reader has some skill in process algebraic calculations. As we think that most readers are not skilled in this respect, we provide the full proof. Another reason for the length of the proof is a more serious one, and seems to be inherent to protocols. The description of the expanded protocol requires 14 lines...
Chapter
My goal is to propose a set of questions that I think are important. J. Misra and I are working on these questions.
Conference Paper
We extend process algebra with guards, comparable to the guards in guarded commands or conditions in common programming constructs. The extended language is provided with an operational semantics based on transitions between pairs of a process and a data-state. The data-states are given by a data environment that also defines in which data-states guards hold and how actions (non-deterministically) transform these states. The operational semantics is studied modulo strong bisimulation equivalence. For basic process algebra (without operators for parallelism) we present a small axiom system that is complete with respect to a general class of data environments. In case a data environment S is known, we add three axioms to this system, which is then again complete, provided weakest preconditions are expressible and S is sufficiently deterministic. Then we study process algebra with parallelism and guards. A two-phase calculus is provided that makes it possible to prove identities between parallel processes. This calculus is also complete. In the last section we show that partial correctness formulas can easily be expressed in this setting and we use process algebra with guards to prove the soundness of Hoare logic for linear processes by translating proofs in Hoare logic into proofs in process algebra.
Article
In this paper processes specifiable over a non-uniform language are considered. The language contains constants for a set of atomic actions and constructs for alternative and sequential composition. Furthermore it provides a mechanism for specifying processes recursively (including nested recursion). We consider processes as having a state: atomic actions are to be specified in terms of observable behaviour (relative to initial states) and state transformations. Any process having some initial state can be associated with a transition system representing all possible courses of execution. This leads to an operational semantics in the style of Plotkin. The partial correctness assertion {α} p{β} expresses that for any transition system associated with the process p and having some initial state satisfying α, its final states representing successful execution satisfy β. A logic in the style of Hoare, containing a proof system for deriving partial correctness assertions, is presented. This proof system is sound and relatively complete, so any partial correctness assertion can be evaluated by investigating its derivability. Included is a short discussion about the extension of the process language with “guarded recursion”. It appears that such an extension violates the completeness of the Hoare logic. This reveals a remarkable property of Scott's induction rule in the context of non-determinism: only regular recursion allows a completeness result.
Article
The utility of repetitive constructs is challenged. Recursive refinement is claimed to be semantically as simple, and superior for programming ease and clarity. Some programming examples are offered to support this claim. The relation between the semantics of predicate transformers and “least fixed point” semantics is presented.