An Unbounded Nondeterministic Model for CSP-like Languages

The main contribution of this paper is the introduction of unbounded nondeterminism into CSP-like languages with specification, which increases the expressive power of the specification language. This is achieved by extending the finite message set of such mixed languages to an infinite one. A denotational semantics and a refinement order are defined for such a language, and the CSP constructors are proved to be monotone on the specification space and continuous on the process space, which are needed for a simple treatment of iterations on both spaces of the mixed CSP-like language.


Introduction
There already exist a number of models for CSP-like languages, e.g., [6,7,10,11,12]. To exclude unbounded nondeterminism (or discontinuity of language constructors), the communication alphabets, i.e., the set of channels and messages, are restricted to be finite sets. This restriction becomes a nuisance especially when the language is extended to include specification. For example, with an infinite message set, Fermat's Theorem can be specified as follows (we know now that such a specification is infeasible):

$\mathbf{var}\ n, a, b, c : \mathbb{N};\quad [\,n, a, b, c : \mathit{true},\ a^n + b^n = c^n \wedge 2 < n \wedge 0 < a, b, c\,]$

(This can also be specified in CSP using an infinitary parallel composition constructor [5].)

Research has been done in recent years to handle unbounded nondeterminism in the CSP theory, e.g., [5,11]. Unbounded nondeterminism refers to the ability of a process to choose locally one from an infinite set of possible behaviours. The difficulty encountered with unbounded nondeterminism in CSP is the loss of the fixed-point theory for defining recursions. Roscoe first tackled this problem in [11] by introducing a complete but coarser partial order on the failures-divergence model of [3]. The resulting model can successfully model a process which will, on its first step, nondeterministically choose any integer, but cannot tell between a process which can communicate any finite number of $a$'s and one which may also choose to communicate an infinite number. To overcome this problem, the failures-divergence model is extended to include infinite traces, so that any CSP process is represented by $(F, D, I)$, where $F$ is its failures (still with finite traces), $D$ is its set of (finite) divergence traces and $I$ is the set of infinite traces it can communicate. The refined model can model unbounded nondeterminism properly, but with the loss of completeness and monotonicity. To cure this, advanced mathematics was used, resulting in more difficult proofs and clumsy mathematical treatment.
In [5] Kumar and Pandya extended CSP to include an infinitary parallel composition operator to increase the expressive power of CSP. The well-formedness of the operator in the failures-divergence model was established under the syntactic restriction that an event can occur only in the alphabet of finitely many processes. Therefore, unbounded nondeterminism is excluded without sacrificing the elegance of the CSP theory.
2nd Irish Workshop on Formal Methods, 1998

In CSP's failures-divergence model, processes can have infinite alphabets without violating the continuity of CSP constructors if no infinitary nondeterministic choice operator is used and the hiding operator does not hide an infinite set of communication events. In this paper we follow the same route and extend the finite message set of a CSP-like language to an infinite one, to increase the expressive power of the language extended with specifications. We do not, however, want to introduce unbounded nondeterminism into the CSP-like language itself, because it cannot be implemented and also causes discontinuity of the program constructors, and thus may need advanced but, in practice, cumbersome techniques such as the transfinite induction of [2,9]. To avoid unbounded nondeterminism, a syntactic restriction is placed on the hiding operator: it can only be used to hide internal channels of a concurrent process, which is the case for most CSP-like languages. Otherwise, unbounded nondeterminism is unavoidable.
For example, with an infinite message set, the following program is equivalent to choosing any value for $x$, and therefore introduces unbounded nondeterminism into the language, resulting in the discontinuity of some of the language constructors:

$(c?x) \setminus c$

By restricting the hiding operator to internal channels, we prove that unbounded nondeterminism can be avoided in the CSP-like language without specification, and iterations (also recursions) can be treated in the usual way.
In this paper we follow Morgan's example [8] and treat specifications like program statements, so that there is a unified framework for modelling specifications and programs [7]. Doing so, an infinite alphabet increases the expressive power of the specification language. However, the extended model including the specification statement contains unbounded nondeterminism, resulting in discontinuity of some of the CSP constructors. We prove that all the CSP-like language constructors are monotonic with respect to the refinement order on the extended model. Therefore, the semantics of iterations can still be defined as a fixed point over all ordinals instead of only the finite ones.
This paper is organised as follows. Section 2 provides a brief introduction to the mathematics used in the paper. Section 3 defines the model for the CSP-like language. Section 4 introduces a specification statement and extends the above model to include mixed terms. In Section 5 the syntax and semantics of the CSP-like language with specification are defined. Section 6 proves the monotonicity of all the CSP-like constructors. Section 7 concludes the paper.

Mathematical preliminaries
A relation $\sqsubseteq$ on a set $C$ is a "partial ordering" of $C$ if it is reflexive, anti-symmetric, and transitive; it is a "total ordering" if in addition each pair of elements in $C$ is comparable. We denote the structure consisting of the set $C$ and a partial ordering $\sqsubseteq$ on $C$ by $(C, \sqsubseteq)$. However, when the partial ordering is understood, or when the context makes clear whether we are regarding $C$ as a set or as a set with a partial ordering, we do not distinguish between $C$ and $(C, \sqsubseteq)$.
A set $B \subseteq C$, with $C$ and hence $B$ partially ordered by $\sqsubseteq$, has an "upper bound" $u \in C$ if $x \sqsubseteq u$ for all $x \in B$; $u$ is a "least upper bound" ("lub" for short) if in addition $u \sqsubseteq v$ for every upper bound $v$ of $B$. The lub of $B$, when it exists, is denoted by $\bigsqcup B$. An element $\bot \in C$ is a "bottom" or "least element" of $C$ if $\bot \sqsubseteq x$ for all $x \in C$, and $\top \in C$ is a "top" or "greatest element" of $C$ if $x \sqsubseteq \top$ for all $x \in C$. An element $m \in C$ is a "minimal element" of $C$ if $x \sqsubseteq m \Rightarrow x = m$ for all $x \in C$. If sets $C$ and $D$ are partially ordered by $\sqsubseteq_C$ and $\sqsubseteq_D$, respectively, then the Cartesian product $C \times D$ is partially ordered by $\sqsubseteq$, defined by

$(x, y) \sqsubseteq (w, z) \iff x \sqsubseteq_C w \text{ and } y \sqsubseteq_D z \quad$ for all $x, w \in C$ and $y, z \in D$. (1)

Definition (1) can be generalised to $n$-fold Cartesian products in the obvious way. The product sets in this paper will always be partially ordered by (1), and we will not state this explicitly in each case.
Given sets $C$ and $D$ with $D$ partially ordered by $\sqsubseteq_D$, the set $C \to D$ of functions from $C$ to $D$ is partially ordered by $\sqsubseteq$, defined by

$f \sqsubseteq g \iff f\,x \sqsubseteq_D g\,x \quad$ for all $x \in C$. (2)

In this paper, functions will be partially ordered by (2) only, and we will not state this explicitly in each case. If, in addition, $C$ is partially ordered by $\sqsubseteq_C$, then $f : C \to D$ is said to be "monotone" if $x \sqsubseteq_C y \Rightarrow f\,x \sqsubseteq_D f\,y$ for all $x, y \in C$.

We denote by $C \to D$ the set of monotone functions from $C$ to $D$.
A "complete lattice" is a partially ordered set in which each subset has a lub. It can be shown that every complete lattice has a bottom and a top. We now give some well-known properties of complete lattices, omitting proofs; the reader looking for more details should refer to the literature, e.g., [1].

Lemma 1 Any finite totally ordered set is a complete lattice.
Lemma 2 If $C$ and $D$ are complete lattices, then so is $C \times D$. Moreover, for $B \subseteq C \times D$,

$\bigsqcup B = \big(\bigsqcup\{x : \exists y.\ (x, y) \in B\},\ \bigsqcup\{y : \exists x.\ (x, y) \in B\}\big).$

Lemma 2 can be generalised to $n$-fold Cartesian products in the obvious way.
As is conventional, we will use small Greek letters to denote ordinals; $\omega$ will denote the first infinite ordinal, i.e., the set of natural numbers. For any complete lattice $C$ and $f : C \to C$, we define

$f^0 =$ the identity function on $C$;
$f^{\alpha+1} = f \circ f^{\alpha}$ (functional composition) for successor ordinals $\alpha + 1$;
$f^{\lambda} = \bigsqcup\{f^{\alpha} : \alpha < \lambda\}$ for limit ordinals $\lambda$.

1. $f^{\alpha} c \sqsubseteq f^{\beta} c$ for all ordinals $\alpha \le \beta$;
2. There exists a least ordinal $\alpha$ such that
The ordinal $\alpha$ in Lemma 4 (2) is called the "closure ordinal" of $f$ in $C$.
As we can safely replace the closure ordinal $\alpha$ in $f^{\alpha} c$ with any ordinal $\beta \ge \alpha$, we can conveniently work with one "super-closure" ordinal $\infty_f$ for each $f$; for $\infty_f$ take any ordinal containing all closure ordinals of $f$. For brevity, we will write simply $\infty$, letting context supply the implicit subscript.
Any $c$ satisfying $f\,c = c$ is called a "fixed point" of $f$; if in addition $c \sqsubseteq d$ for every fixed point $d$ of $f$, then $c$ is a "least fixed point" of $f$. The least fixed point of $f$, when it exists, is denoted by $\mu x . f\,x$.
Lemma 5 Given $f : C \to C$ for $C$ a complete lattice with bottom $\bot$, $f$ has a least fixed point satisfying $\mu x . f\,x = f^{\infty} \bot$.
Monotonicity also applies to sequences in the obvious way: a (possibly transfinite) sequence $x_0, x_1, \ldots, x_{\alpha}, \ldots$ with elements drawn from a set partially ordered by $\sqsubseteq$ is said to be "monotone" if $x_{\alpha} \sqsubseteq x_{\beta}$ for all $\alpha \le \beta$.
In the rest of this paper we will employ only $\sqsubseteq$ to denote a partial ordering, letting context resolve any ambiguity that might otherwise arise.

The model
There already are some models for CSP-like languages, e.g., [6,7,10,11,12]. In this paper we take the notation of [7] (the reader may also refer to the textbook by Hoare [4]) and model a process as a set of quadruples $(s_0, tr, ref, s)$, where the first and last components $s_0, s \in \mathit{State}$ are machine states, which map a variable in $\mathit{Var}$ (possibly infinite) to a value in $\mathit{Val}$ (possibly infinite), i.e., $s_0, s : \mathit{Var} \to \mathit{Val}$.

Property P4 states that selective input is not allowed. This property is not needed in the CSP theory because CSP deals with individual communication events, but it is essential for CSP-like languages where refusals are sets of channels. Property P5 states that if a process has a proper internal state after the current trace, it can terminate successfully in that state without doing any further communications. Property P6 states that if a process does not diverge after a trace $tr$, it can have only finitely many internal states. This excludes unbounded nondeterminism in processes and also makes sequential composition continuous on the process space $\mathit{Proc}$.

Specification statement
A specification of a communicating process with state describes not only its communication behaviours, but also the relationships between communications, initial states and final states.
In this paper we regard a communicating process with state as a generalised-state $(tr, s)$ transformer as in [12], which takes a process from an initial state $(tr_0, s_0)$ to a final state $(tr_0 \frown tr, s)$ after having performed the communications in $tr$.
where "$\surd$" represents successful termination and $A_{\surd} = A \cup \{\surd\}$.
The intuitive meaning of the specification statement is as follows. $Sp$, when started in one of the initial generalised states satisfying $\mathit{pre}(tr_0, s_0)$, must be able to engage in any communications $tr$ satisfying $I(tr_0, tr_0 \frown tr, ref)$; if $Sp$ terminates, it does so in one of the final states satisfying $\mathit{post}(tr_0, tr_0 \frown tr, s_0, s)$, with the terminating trace $tr$ satisfying $I(tr_0, tr_0 \frown tr, \{\})$; if $Sp$ cannot start in an initial state $s_0$, i.e., $\forall tr_0 : \neg\mathit{pre}(tr_0, s_0)$, it diverges immediately. A special symbol "$\surd$" is added to the domain of the refusals of specification statements, which indicates termination. If $\{\surd\}$ is a possible refusal of a specification statement after $tr$, it may refuse to terminate successfully. The precise meaning of "$\surd$" will be given when the semantics of the specification statement is defined. Specifications can also be defined as a set of computations in $\mathit{Comp}$. The set of all mixed terms, which are a mixture of specifications and programs, is defined as $\mathit{MixT} \mathrel{\hat=} \mathcal{P}(\mathit{Comp})$, which also contains all the processes defined in Def. 1. Of course, not every mixed term possesses all the properties P1 to P7; the empty set is an example.
The refinement ordering $\sqsubseteq$ on $\mathit{MixT}$ is defined the same as that on $\mathit{Proc}$: $M_1 \sqsubseteq M_2$ if and only if $M_2 \subseteq M_1$, so that the least element of $\mathit{MixT}$ is also the same as that of $\mathit{Proc}$, i.e., $\bot$.

Theorem 1 $(\mathit{MixT}, \sqsubseteq, \bot)$ and $(\mathit{Proc}, \sqsubseteq, \bot)$ are complete partial orders.
Proof. See Appendix.

5 The CSP-like language and its semantics
To demonstrate the effect of introducing unbounded non-determinism into a CSP-like language, we choose the following simple language.

Definition 2 The syntax of mixed terms
The CSP-like language with specification statements, $\mathit{MProg}$, is defined as follows:

$M ::= [I, w : \mathit{pre}, \mathit{post}] \mid \mathbf{skip} \mid \mathbf{stop} \mid \mathbf{div} \mid x := e \mid c?x \mid c!e \mid M_1; M_2 \mid \mathbf{if}\ b\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2 \mid M_1 \parallel M_2 \mid \mathbf{while}\ b\ \mathbf{do}\ M\ \mathbf{od}$

where the parallel composition construct $M_1 \parallel M_2$ is the same as the usual CSP construct except that the linked channels between $M_1$ and $M_2$ are hidden.

We use $[\![\,\cdot\,]\!]$ to denote the main semantic function, which maps a mixed term to a set of computations. We first define the semantics of the specification statement.
Equation (5) defines the terminating computations of $Sp$, as well as its divergent computations. The specification statement is a total-correctness formula in the sense that, if $Sp$ has some terminating computation $(s_0, tr, ref, s)$, there must exist some initial trace $tr_0$ such that $\mathit{pre}(tr_0, s_0)$ holds for $s_0$, and its terminating trace $tr$ and final state $s$, together with $tr_0$, satisfy the communication invariant $I(tr_0, tr_0 \frown tr, \{\})$ and the postcondition $\mathit{post}(tr_0, tr_0 \frown tr, s_0, s)$.
The state transition from $s_0$ to $s$ can only be achieved by changing the alterable variables in $w$. Whenever there exists some proper final state, termination can happen; we have, therefore, no constraint on $ref$ in (5). If there is no initial trace satisfying $\mathit{pre}(tr_0, s_0)$ for an initial state $s_0$, $Sp$ diverges. In this case, (5) $= \bot$.
Equation (6) defines the non-terminating computations of $Sp$. To do so, a new element "$\surd$" is introduced into the domain of refusals in the communication invariant $I$. Without it, an unwanted non-terminating computation $(s_0, tr, ref, \star)$ would also be included in $[\![Sp]\!]$ for every terminating computation $(s_0, tr, ref, s)$ in $[\![Sp]\!]$ (here $\star$ stands for the special non-termination state of Section 3). If $Sp$ diverges in some $s_0$, then (5) $=$ (6).
The semantics of the rest of the language constructs are defined as follows. For expressions $e$ (including Boolean expressions), the value of $e$ evaluated in a state $s_0$ is denoted by $e\,s_0$. If anything goes wrong, such as a variable being undefined, the value of $e\,s_0$ is $\mathit{error}$. Whenever this happens, $[\![\,\cdot\,]\!]$ produces a divergent process. The divergent process $\mathbf{div}$ is an unspecified process on whose behaviour there is no constraint whatsoever. It is identified with the least element $\bot$ of $\mathit{MixT}$:

$[\![\mathbf{div}]\!] \mathrel{\hat=} \bot.$

The definitions of $\mathbf{skip}$ and $\mathbf{stop}$ are already given in (3) and (4) in Section 3, respectively. The assignment statement $x := e$ can be defined as follows:

$[\![x := e]\!] \mathrel{\hat=} \{(s_0, \langle\rangle, ref, s_0[e\,s_0 / x]) \mid s_0 \in \mathit{State}\},$

where $e\,s_0 \ne \mathit{error}$ and $s[v/x]$ is the same as $s$ except that the value of $x$ is $v$. The clause of the conditional for the case in which $b$ is false is

$\{(s_0, tr, ref, s) \mid \neg b\,s_0 \wedge (s_0, tr, ref, s) \in [\![M_2]\!]\},$ (11)

provided that $b\,s_0 \ne \mathit{error}$.

The parallel composition constructor $M_1 \parallel M_2$ is the key constructor in any parallel language. It is used to construct concurrent systems from individual ones. We stipulate that $M_1$ and $M_2$ do not share any program variable other than read-only ones. The communication alphabet of $M_1 \parallel M_2$ is the union of the communication alphabets of $M_1$ and $M_2$. The common channels of $M_1$ and $M_2$ are linked channels on which $M_1$ and $M_2$ can communicate. Linked channels are hidden from outside. Therefore, the parallel constructor is a combination of the CSP parallel constructor $\parallel$ and the hiding operator $\setminus$. Its divergence clause is

$\bigcup_{i, j \in \{1,2\},\ i \ne j} \{(s_0, tr, ref, s) \mid \exists tr' \le tr.\ (s_0, tr' \upharpoonright \alpha M_i, \{\}, \bot) \in [\![M_i]\!] \wedge tr' \upharpoonright \alpha M_j \in \mathit{traces}([\![M_j]\!], s_0)\},$

where $tr \upharpoonright A$ is the trace obtained from $tr$ by removing all the events that happened on channels not in $A$, and is defined as follows:

The second clause of the hiding operator is

$\{(s_0, tr \frown tr', ref, s) \mid \{tr'' \mid tr'' \setminus c = tr \wedge tr'' \in \mathit{traces}([\![M]\!], s_0)\} \text{ is infinite}\},$ (16)

where $tr \setminus c = tr \upharpoonright (\alpha M - \{c\})$.
The first clause claims that if $M$ is ready to communicate with its environment along some channels other than $c$, then so can $M \setminus c$; the second clause states that if $M$ engages in an infinite unbroken sequence of communications along channel $c$, then $M \setminus c$ diverges. This also includes the case where $M$ diverges.
The while statement has the usual meaning as in sequential languages, except that it also involves communications and may not terminate. It is defined as a fixed point of the following equation:

$X = \mathbf{if}\ b\ \mathbf{then}\ M; X\ \mathbf{else}\ \mathbf{skip}.$

However, as our extended model contains unbounded non-determinism, some of the language constructors are no longer continuous. In [2], Boom showed how Dijkstra's definition of the weakest precondition for the while loop can be adapted to permit unbounded nondeterminism. We use the same idea to adapt the definition for recursion so that unbounded nondeterminism is permitted. The basic idea is to take the infinite join over the set of all ordinals, rather than just over the set of finite ordinals. The existence of the fixed point then depends on the monotonicity of all the language constructors, which has been proved in Theorem 3.
We define the fixed point over all ordinals by Lemma 5, using the iterates $f^{\alpha}$ of Section 2 and taking the join $\bigsqcup\{f^{\alpha} : \alpha < \lambda\}$ at each limit ordinal $\lambda$. However, the CSP-like language without specification statements is continuous with respect to the refinement order on the process space $\mathit{Proc}$, as indicated in Theorem 2. Therefore, the fixed point of the above recursive definition already exists over the set of finite ordinals, and the traditional loop definition works.
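The following added example (not from the paper) runs the fixed-point iteration of Lemma 5 on the loop equation $X = \mathbf{if}\ b\ \mathbf{then}\ M; X\ \mathbf{else}\ \mathbf{skip}$ for a toy model that keeps only the state components $(s_0, s)$ of the paper's quadruples, using the paper's reverse-inclusion refinement order, its least element $\mathbf{div}$ and the divergence closure P7. The 4-element state space, the `BOT` marker and all function names are constructed for this illustration; with a finite space the closure ordinal is finite, so the transfinite part of the construction does not arise.

```python
# Added example, not from the paper: Lemma 5's iteration f^0 BOT, f^1 BOT, ...
# applied to the loop equation X = if b then M; X else skip, on a toy model that
# keeps only the (s0, s) state components of the paper's (s0, tr, ref, s) quadruples.
# As in the paper, s is a proper state or BOT (divergence), M1 refines M2 iff
# M2 is a subset of M1, and the least element is the set of all computations.

BOT = "BOT"                               # divergent pseudo-state (the paper's bottom)
STATE = range(4)                          # constructed toy state space for x
FINAL = list(STATE) + [BOT]               # State_bottom of the paper, restricted to x

# Least element of the term space: every (s0, s) pair, i.e. the paper's `div`.
DIV = frozenset((s0, s) for s0 in STATE for s in FINAL)


def refines(m1, m2):
    """M1 refines to M2 iff M2 is a subset of M1: the paper's refinement order."""
    return m2 <= m1


def divergence_closed(m):
    """P7 restricted to states: (s0, BOT) in M forces every (s0, s) into M."""
    return all((s0, s) in m for (s0, t) in m if t == BOT for s in FINAL)


def skip():
    """skip: terminate without changing the state."""
    return frozenset((s, s) for s in STATE)


def assign(f):
    """x := e, for a total expression e given as the Python function f."""
    return frozenset((s, f(s)) for s in STATE)


def seq(m1, m2):
    """M1; M2: continue with M2 from each proper final state of M1; a divergent
    run of M1 stays divergent and is closed under P7."""
    out = set()
    for (s0, s1) in m1:
        if s1 == BOT:
            out.update((s0, s) for s in FINAL)
        else:
            out.update((s0, s) for (t0, s) in m2 if t0 == s1)
    return frozenset(out)


def cond(b, m1, m2):
    """if b then M1 else M2, selecting on the initial state."""
    return frozenset(p for p in m1 if b(p[0])) | frozenset(p for p in m2 if not b(p[0]))


def while_loop(b, m):
    """Least fixed point of X = if b then M; X else skip, iterated from DIV.
    Returns the fixed point and the number of applications of the functional,
    which is one more than the closure ordinal (finite because STATE is finite)."""
    x, steps = DIV, 0
    while True:
        nxt = cond(b, seq(m, x), skip())
        steps += 1
        assert refines(x, nxt)            # the chain is monotone: each step refines the last
        if nxt == x:
            return x, steps
        x = nxt


def diverging(m):
    """Initial states from which the term may diverge."""
    return sorted({s0 for (s0, s) in m if s == BOT})


if __name__ == "__main__":
    # x := (x - 2) mod 4 loops forever from x = 1 and x = 3, terminates from 0 and 2.
    lfp, steps = while_loop(lambda x: x != 0, assign(lambda x: (x - 2) % 4))
    print(sorted(lfp, key=str), steps, diverging(lfp))
```

The divergent initial states keep every pair including `BOT`, exactly as `div` would, while the terminating ones shrink to a single final state; a loop whose body never diverges collapses to a plain state transformer.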
Theorem 2 All the processes without specification are well-defined and continuous.
Proof. Since the only differences between our CSP-like language and others, such as those in [6,12], are the infinite message set and the hiding operator which hides only internal channels, the proofs of the well-definedness and continuity of the language constructors are the same as those in [6], except for the hiding operator. We only give details for the proof of the well-definedness of the hiding operator $\setminus$. The proof of continuity of hiding follows a similar argument and is omitted here.
We prove that $P \setminus c$, where $c$ is a linked channel, satisfies conditions P1 to P7. We only give details for P6, which is affected by an infinite message set.
Assume $(s_0, tr, ref, s) \in [\![P \setminus c]\!]$ and $(s_0, tr, \{\}, \bot) \notin [\![P \setminus c]\!]$. By definition, there exist some traces $tr'$ such that $tr = tr' \setminus c$ and $(s_0, tr', ref \cup \{c\}, s) \in [\![P]\!]$. $P$, being a process, has property P6. Hence, $\{s' \mid (s_0, tr', \{\}, s') \in [\![P]\!]\}$ is finite for every $tr'$. As $tr$ is finite, it has the form $tr = \langle a_1, a_2, \ldots, a_n \rangle$, where each $a_i$ is a communication event on a channel other than $c$. Therefore, each trace $tr'$ must have the form

$tr' = tr^c_1 \frown \langle a_1 \rangle \frown tr^c_2 \frown \langle a_2 \rangle \frown \cdots \frown \langle a_n \rangle \frown tr^c_{n+1},$

where each $tr^c_i$ is a finite trace from $\{c.v \mid v \in \mathit{Val}\}^*$. As $tr'$ is not a diverging trace of $P$ by definition and $c$ is not an input channel (see P4), there exist only finitely many $tr^c_i$'s such that $tr = tr' \setminus c$. Hence, $\bigcup_{tr' : tr = tr' \setminus c} \{s' \mid (s_0, tr', \{\}, s') \in [\![P]\!]\}$ is finite; so is $\{s' \mid (s_0, tr, \{\}, s') \in [\![P \setminus c]\!]\}$, as required. $\Box$

Monotonicity
In this section we show that all the statement constructors (sequential composition, conditional composition, iteration, and parallel composition) are monotone with respect to the refinement order.
Sequential composition. Let $P_i$ and $Q_i$ be mixed terms satisfying $P_i \sqsubseteq Q_i$ for $i = 1, 2$. We prove that $P_1; P_2 \sqsubseteq Q_1; Q_2$, that is, $[\![Q_1; Q_2]\!] \subseteq [\![P_1; P_2]\!]$.
$\to \mathit{Val}$; $tr$ is a communication trace in $\mathit{Comm}^*$, i.e., a finite sequence of communication events of the form $c.v \in \mathit{Comm} \mathrel{\hat=} \mathit{Chan} \times \mathit{Val}$, including the empty one $\langle\rangle$; the third component $ref$ is a set of channel names from $\mathit{Chan}$, called refusals. Therefore, the terminating process $\mathbf{skip}$, which changes nothing but terminates successfully, can be defined as follows:

Notice that $ref \subseteq \mathit{Chan}$ in (3) can be omitted because it is always true. To model divergences, we introduce a special state $\bot$. Thus, $(s_0, tr, ref, \bot)$ represents a divergent computation after $tr$. To model non-termination, we introduce another special state, written $\star$ here (the paper's own symbol did not survive extraction). Thus,

Processes. For a given set of communication channels $\mathit{Chan}$, a variable set $\mathit{Var}$, and a value set $\mathit{Val}$, the process space $\mathit{Proc}$ is the set of all subsets $P$ of $\mathit{Comp}$ which satisfy the following conditions. For any $s_0 \in \mathit{State}$:

P1 $\mathit{traces}(P, s_0) = \{tr \mid \exists s.\ (s_0, tr, ref, s) \in P\}$ is nonempty and prefix-closed;
$tr \ne \langle\rangle \wedge (s_0, tr' \frown tr, ref, s) \in P \Rightarrow (s_0, tr', \{\}, \star) \in P$;
P4 $(s_0, tr \frown \langle c_{in}.v \rangle, ref, s) \in P \Rightarrow \forall v'\ \exists s'.\ (s_0, tr \frown \langle c_{in}.v' \rangle, ref, s') \in P$;
P5 $(s_0, tr, ref, s) \in P \wedge s \in \mathit{State} \Rightarrow \forall ref'.\ (s_0, tr, ref', s) \in P$;
P6 $(s_0, tr, ref, s) \in P \wedge (s_0, tr, \{\}, \bot) \notin P \Rightarrow \{s' \mid (s_0, tr, \{\}, s') \in P\}$ is finite;
P7 $(s_0, tr, ref, \bot) \in P \Rightarrow \forall tr', ref', s.\ (s_0, tr \frown tr', ref', s) \in P$,

where $v$ and $v'$ range over $\mathit{Val}$, $tr$ and $tr'$ over $\mathit{Comm}^*$, $ref$ and $ref'$ over $\mathcal{P}(\mathit{Chan})$, $s$ and $s'$ over $\mathit{State}_\bot$, and $c_{in}$ is an input channel (not a linked channel).
$(s_0, tr, ref, \star)$ represents an unfinished computation where the final state is unobservable. The non-terminating and broken process $\mathbf{stop}$ can be defined as follows: (4)

The enlarged state set is denoted by $\mathit{State}_\bot$. The processes are sets of computations ($\mathit{Comp} \mathrel{\hat=} \mathit{State} \times \mathit{Comm}^* \times \mathcal{P}(\mathit{Chan}) \times \mathit{State}_\bot$) which satisfy the following conditions.

Definition 1 The syntax of the specification statement $Sp$ is defined as follows: $Sp ::= [I, w : \mathit{pre}, \mathit{post}]$, where $w$ is a list of alterable program variables, and $I$, $\mathit{pre}$ and $\mathit{post}$ are predicates of the types:

The input process $c?x$ inputs a message on channel $c$ and stores it in $x$. Notice that the second set above is infinite, as $\mathit{Val}$ is infinite. The semantics of the output process $c!e$ is similar to that of $c?x$ and is left to the interested reader. If $M_1$ and $M_2$ are two mixed terms with the same alphabets, then $M_1; M_2$ is a mixed term which behaves like $M_1$, except that if $M_1$ terminates successfully, it continues behaving like $M_2$. $\mathbf{if}\ b\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2$ is the usual if-statement of sequential languages. If states are hidden, it behaves like the nondeterministic choice in CSP. Its definition is

$[\![M_1 \parallel M_2]\!] \mathrel{\hat=} ([\![M_1]\!] \parallel [\![M_2]\!]) \setminus \{\text{linked channels}\},$

where the parallel composition $\parallel$ and the hiding operator $\setminus$ are defined as follows.
If $s_1$ and $s_2$ map $x$ to different non-$\bot$ values, the parallel combination is broken. The disjointness constraint of $\parallel$ guarantees that this cannot happen. The hiding operator $\setminus c$ is defined as follows. Let $M$ be a process with $c \in \alpha M$. The communication alphabet of $M \setminus c$ is that of $M$ minus $c$.