# **Formal Semantics of CCS**

Moonzoo Kim School of Computing, KAIST





### **Review of the Previous Class**

- Sequential system vs. reactive system
  - Ex1. Mathematical functions: given inputs, they generate outputs
    - Usually no consideration of the environment or of timing.
  - Ex2. Ad-hoc On-Demand Vector routing protocol
    - Should model multiple concurrent nodes (environment)
    - Should model communication among the nodes
    - Should model timing behavior (e.g. time-outs)
- Modeling of a complex system
  - Concurrency => interleaving semantics
  - Communication => synchronization
  - Hierarchy => refinement





## **Process Algebra**

- A process algebra consists of
  - a set of operators and syntactic rules for constructing processes
  - a semantic mapping which assigns a meaning or interpretation to every process
  - a notion of equivalence or partial order between processes
- Advantages: a large system can be broken into simpler subsystems and then proved correct in a modular fashion. Also, correctness can be checked in the same modular way:
  - A hiding or restriction operator allows one to abstract away unnecessary details.
  - Equality for the process algebra is also a congruence relation, and thus allows the substitution of one component with another equal component in large systems.



## Notations (1/2)

- A system is described as a set of communicating processes
  - Each process executes a sequence of actions
  - Actions represent either inputs/outputs or internal computation steps
- A set of actions/events $Act = L \cup L' \cup \{\tau\}$
  - $L = \{a, b, ...\}$ is a set of names and $L' = \{a', b', ...\}$ is a set of co-names
    - $a \in L$ can be considered as the act of receiving a signal
    - $a' \in L'$ can be considered as the act of emitting a signal
    - $\tau$ is a special action representing an internal, hidden action
  - $Act \setminus \{\tau\}$ represents the set of externally visible actions



## Notations (2/2)

- Operational (transitional) semantics of a CCS process
  - Define the "execution steps" that processes may engage in
  - $P \xrightarrow{a} P'$ holds if a process P is capable of engaging in action a and then behaving like P'
  - Define $\xrightarrow{a}$ inductively, using one inference rule (or axiom) per operator:
    - $\dfrac{\text{premises}}{\text{conclusion}}$ (side condition)

Example 1 (Choice<sub>R</sub>):

$$\frac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$$

Example 2 (Prefix, an axiom without premises):

$$\alpha.P \xrightarrow{\alpha} P$$



# **Operators for Sequential Process**

The idea: 7 elementary ways of producing or putting together labelled transition systems

1. Nil: $0$, the process with no transitions (deadlock)

2. Prefix: $\alpha.P$

$$\text{Prefix}\quad \alpha.P \xrightarrow{\alpha} P$$

3. Defn: $A = P$, a process definition (A behaves as P does)

Example:

$$Buffer = in.out.Buffer$$

$$Buffer \xrightarrow{in} out.Buffer \xrightarrow{out} Buffer$$







# Operators for Sequential Process (cont.)

**4. Choice** $P + Q$

$$\text{Choice}_L\quad \frac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'} \qquad \text{Choice}_R\quad \frac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$$

Example: BadBuf = in.($\tau$.0 + out.BadBuf)

$$BadBuf \xrightarrow{in} \tau.0 + out.BadBuf \xrightarrow{\tau} 0 \qquad\qquad \tau.0 + out.BadBuf \xrightarrow{out} BadBuf$$

Obs: no priorities between $\tau$'s, a's or a''s! After the first *in*, BadBuf may either deliver its output or silently deadlock via the $\tau$ branch.

May use $\Sigma$ notation to compactly represent a sequential process as a choice over a family of prefixes:

$$P = \sum_{i \in I} \alpha_i . P_i$$





# **Example: Boolean Buffer of Size 2**

#### Action and Process Def.

- in<sub>0</sub>: 0 is coming in as input; in<sub>1</sub>: 1 is coming in as input
- out<sub>0</sub>: 0 is going out as output; out<sub>1</sub>: 1 is going out as output
- Buf<sup>2</sup>: empty 2-place buffer
- Buf<sup>2</sup><sub>0</sub>: 2-place buffer holding 0
- Buf<sup>2</sup><sub>01</sub>: 2-place buffer holding 0 at the head and 1 at the tail

$$Buf^{2} = in_{0}.Buf^{2}_{0} + in_{1}.Buf^{2}_{1}$$

$$Buf^{2}_{0} = out_{0}.Buf^{2} + in_{0}.Buf^{2}_{00} + in_{1}.Buf^{2}_{01}$$

$$Buf^{2}_{1} = out_{1}.Buf^{2} + in_{0}.Buf^{2}_{10} + in_{1}.Buf^{2}_{11}$$

$$Buf^{2}_{00} = out_{0}.Buf^{2}_{0}$$

$$Buf^{2}_{01} = out_{0}.Buf^{2}_{1}$$

$$Buf^{2}_{10} = out_{1}.Buf^{2}_{0}$$

$$Buf^{2}_{11} = out_{1}.Buf^{2}_{1}$$





# **Operators for Concurrent Process**

### 5. Composition $P \mid Q$

$$\text{Par}_L\quad \frac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q} \qquad \text{Par}_R\quad \frac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'}$$

$$\text{Par}_\tau\quad \frac{P \xrightarrow{a} P' \qquad Q \xrightarrow{a'} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$$

Example: Buf<sub>1</sub> = in.comm'.Buf<sub>1</sub>, Buf<sub>2</sub> = comm.out.Buf<sub>2</sub>, Buf = Buf<sub>1</sub> | Buf<sub>2</sub>

$$Buf \xrightarrow{in} comm'.Buf_1 \mid Buf_2 \xrightarrow{\tau} Buf_1 \mid out.Buf_2 \xrightarrow{out} Buf_1 \mid Buf_2$$

(the $\tau$ step is Par<sub>$\tau$</sub>, synchronizing comm' of Buf<sub>1</sub> with comm of Buf<sub>2</sub>)

# **Operators for Concurrent Process (cont.)**

### 6. Restriction $P \setminus L$

$$\text{Res}\quad \frac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L} \quad (\alpha \notin L \cup L')$$

$$Buf_1 = in.comm.Buf_1 \qquad Buf_2 = comm'.out.Buf_2 \qquad Buf = (Buf_1 \mid Buf_2) \setminus \{comm\}$$

$$Buf \xrightarrow{in} (comm.Buf_1 \mid Buf_2) \setminus \{comm\} \xrightarrow{\tau} (Buf_1 \mid out.Buf_2) \setminus \{comm\} \xrightarrow{out} (Buf_1 \mid Buf_2) \setminus \{comm\}$$

Without the restriction, $Buf_1 \mid Buf_2 \xrightarrow{comm'} Buf_1 \mid out.Buf_2$ would also be possible; the restriction forbids *comm* and *comm'* on their own, so the two components can only synchronize on them (the $\tau$ step).

- (Buf<sub>1</sub> | Buf<sub>2</sub>)\{comm}: a design for a buffer with separated input/output ports
- ReqBuf = in.out.ReqBuf: a requirement for the buffer design
- (Buf<sub>1</sub> | Buf<sub>2</sub>)\{comm} == ReqBuf means that the buffer design satisfies the requirement



# **Operators for Concurrent Process (cont.)**

## 7. Relabelling $P[f]$

$$\text{Rel}\quad \frac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]}$$

$$Buf_1 = Buf[comm/out]$$

A relabelling function f must preserve complements:

$$f(a') = f(a)'$$

A relabelling function is often given by name substitution as above, written $[new/old]$: $Buf[comm/out]$ renames every *out* of Buf to *comm*.





# **Example: 2-way Buffers**

#### 1-place 2-way buffer:

$$Buf_{ab} = a_{+}.b_{-}'.Buf_{ab} + b_{+}.a_{-}'.Buf_{ab}$$

$$Buf_{bc} = b_{-}.c_{-}'.Buf_{bc} + c_{+}.b_{+}'.Buf_{bc}$$

#### LTS:

Buf<sub>bc</sub> is Buf<sub>ab</sub> relabelled:

$$Buf_{bc} = Buf_{ab}[c_{+}/b_{+},c_{-}/b_{-},b_{-}/a_{+},b_{+}/a_{-}]$$

(Obs: simultaneous substitution!)

$$Sys = (Buf_{ab} \mid Buf_{bc}) \setminus \{b_+, b_-\}$$

But what's wrong? A deadlock occurs. In other words, does Sys == Buf<sub>ac</sub> hold?





## **Summary of CCS Semantics**

$$\text{Act}\quad \alpha.P \xrightarrow{\alpha} P$$

$$\text{Choice}_L\quad \frac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'} \qquad \text{Choice}_R\quad \frac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$$

Example: $in.P + out.Q \xrightarrow{in} P$ or $\xrightarrow{out} Q$

$$\text{Par}_L\quad \frac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q} \qquad \text{Par}_R\quad \frac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'} \qquad \text{Par}_\tau\quad \frac{P \xrightarrow{a} P' \quad Q \xrightarrow{a'} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$$

Example: $in.P \mid in'.Q \xrightarrow{\tau} P \mid Q$ (besides the Par<sub>L</sub>/Par<sub>R</sub> moves $\xrightarrow{in} P \mid in'.Q$ and $\xrightarrow{in'} in.P \mid Q$)

$$\text{Res}\quad \frac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L} \quad (\alpha \notin L \cup L')$$

Example: $(in.P \mid in'.Q) \setminus \{in\} \xrightarrow{\tau} (P \mid Q) \setminus \{in\}$ only

$$\text{Rel}\quad \frac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]}$$



### Inference of Process Execution

Proof of

$$((a.E + b.0) \mid a'.F) \setminus \{a\} \xrightarrow{\tau} (E \mid F) \setminus \{a\}$$

Derive the following process executions from the inference rules:

1. $(a.E + b.0) \mid a'.F \xrightarrow{a} E \mid a'.F$
2. $(a.E + b.0) \mid a'.F \xrightarrow{a'} (a.E + b.0) \mid F$
3. $(a.E + b.0) \mid a'.F \xrightarrow{b} 0 \mid a'.F$
4. $((a.E + b.0) \mid a'.F) \setminus \{a\} \xrightarrow{b} (0 \mid a'.F) \setminus \{a\}$

Draw the corresponding labelled transition diagrams:

- $(a.E + b.0) \mid a'.F$
- $A = a.c'.A,\ B = c.b'.B$: $A \mid B$ and $(A \mid B) \setminus \{c\}$





### **Proofs**

#### **Proof 1**

$$\dfrac{\dfrac{a.E \xrightarrow{a} E}{a.E + b.0 \xrightarrow{a} E}\ \text{Choice}_L}{(a.E + b.0) \mid a'.F \xrightarrow{a} E \mid a'.F}\ \text{Par}_L \qquad \text{(top line by Prefix)}$$

#### **Proof 2**

$$\dfrac{a'.F \xrightarrow{a'} F}{(a.E + b.0) \mid a'.F \xrightarrow{a'} (a.E + b.0) \mid F}\ \text{Par}_R \qquad \text{(top line by Prefix)}$$

#### **Proof 3**

$$\dfrac{\dfrac{b.0 \xrightarrow{b} 0}{a.E + b.0 \xrightarrow{b} 0}\ \text{Choice}_R}{(a.E + b.0) \mid a'.F \xrightarrow{b} 0 \mid a'.F}\ \text{Par}_L \qquad \text{(top line by Prefix)}$$
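The following is an added worked example, written in Python for this page; it is not code from the slides or from CWB-NC. It turns the inference rules above into an executable transition function (`step`, one rule per constructor) and runs it on the slides' own agents: the restricted buffer (Buf<sub>1</sub> | Buf<sub>2</sub>)\{comm}, the 2-way bu<br>ffer system Sys, and the process ((a.E + b.0) | a'.F)\{a} of the inference slide. Its assumptions: co-names carry a trailing quote, process definitions are guarded (so unfolding a name terminates), and, since the slide leaves E and F unspecified, both are taken to be Nil. The term builders `dot`, `plus`, `par`, `res`, `rel` and `name` are this example's own names.

```python
"""Small CCS interpreter: the inference rules of the slides as a Python transition function."""
from collections import deque

TAU = "tau"
# Terms are tuples: ("nil",) | ("pre", a, P) | ("sum", P, Q) | ("par", P, Q) | ("name", "A")
#   | ("res", P, frozenset_of_names) | ("rel", P, ((old, new), ...)); "comm" receives, "comm'" emits.

def co(a):
    return a[:-1] if a.endswith("'") else a + "'"
def base(a):
    return a[:-1] if a.endswith("'") else a

def apply_f(f, a):
    """Relabel one action: f(a') = f(a)' and tau is left alone."""
    if a == TAU:
        return a
    new = dict(f).get(base(a), base(a))
    return new + "'" if a.endswith("'") else new

def step(p, defs):
    """All (action, successor) pairs of p: one SOS rule per constructor."""
    kind = p[0]
    if kind == "nil":                                   # Nil: no transitions
        return set()
    if kind == "pre":                                   # Prefix: a.P -a-> P
        return {(p[1], p[2])}
    if kind == "name":                                  # Defn A = P: A moves as P does
        return step(defs[p[1]], defs)
    if kind == "sum":                                   # Choice_L and Choice_R together
        return step(p[1], defs) | step(p[2], defs)
    if kind == "par":
        lm, rm = step(p[1], defs), step(p[2], defs)
        moves = {(a, ("par", l2, p[2])) for a, l2 in lm}          # Par_L
        moves |= {(a, ("par", p[1], r2)) for a, r2 in rm}         # Par_R
        moves |= {(TAU, ("par", l2, r2)) for a, l2 in lm          # Par_tau: a meets a'
                  for b, r2 in rm if a != TAU and co(a) == b}
        return moves
    if kind == "res":                                   # Res: alpha not in L u L'
        return {(a, ("res", q, p[2])) for a, q in step(p[1], defs)
                if a == TAU or base(a) not in p[2]}
    if kind == "rel":                                   # Rel: P[f] -f(alpha)-> P'[f]
        return {(apply_f(p[2], a), ("rel", q, p[2])) for a, q in step(p[1], defs)}
    raise ValueError(kind)

def lts(p, defs):
    """Reachable LTS {state: {(action, state), ...}}; a top-level name is unfolded first."""
    while p[0] == "name":
        p = defs[p[1]]
    graph, todo = {}, deque([p])
    while todo:
        s = todo.popleft()
        if s not in graph:
            graph[s] = step(s, defs)
            todo.extend(t for _, t in graph[s])
    return graph
def deadlocks(p, defs):
    return [s for s, moves in lts(p, defs).items() if not moves]
def labels(p, defs):
    return sorted({a for moves in lts(p, defs).values() for a, _ in moves})

def show(p):
    k = p[0]
    if k == "nil": return "0"
    if k == "name": return p[1]
    if k == "pre": return f"{p[1]}.{show(p[2])}"
    if k == "sum": return f"{show(p[1])} + {show(p[2])}"
    if k == "par": return f"({show(p[1])} | {show(p[2])})"
    if k == "res": return show(p[1]) + "\\{" + ",".join(sorted(p[2])) + "}"
    return show(p[1]) + "[" + ",".join(f"{n}/{o}" for o, n in p[2]) + "]"

# term builders (this example's own names)
NIL = ("nil",)
def dot(*parts):                        # dot("in", "out", P) is in.out.P
    *acts, p = parts
    for a in reversed(acts):
        p = ("pre", a, p)
    return p
def name(a): return ("name", a)
def plus(p, q): return ("sum", p, q)
def par(p, q): return ("par", p, q)
def res(p, *names): return ("res", p, frozenset(names))
def rel(p, f): return ("rel", p, tuple(sorted(f.items())))

DEFS = {   # agent definitions from the slides; E and F are assumed to be Nil
    "Buf1": dot("in", "comm", name("Buf1")),
    "Buf2": dot("comm'", "out", name("Buf2")),
    "Buf_ab": plus(dot("a+", "b-'", name("Buf_ab")), dot("b+", "a-'", name("Buf_ab"))),
    "E": NIL, "F": NIL,
}
BUF = res(par(name("Buf1"), name("Buf2")), "comm")                  # (Buf1 | Buf2)\{comm}
BUF_BC = rel(name("Buf_ab"), {"b+": "c+", "b-": "c-", "a+": "b-", "a-": "b+"})
SYS = res(par(name("Buf_ab"), BUF_BC), "b+", "b-")                   # (Buf_ab | Buf_bc)\{b+,b-}
INFER = res(par(plus(dot("a", name("E")), dot("b", NIL)), dot("a'", name("F"))), "a")

if __name__ == "__main__":
    print("Buf:", labels(BUF, DEFS), "deadlocks:", [show(s) for s in deadlocks(BUF, DEFS)])
    print("Sys deadlocks:", [show(s) for s in deadlocks(SYS, DEFS)])
    print("inference slide:", sorted((a, show(q)) for a, q in step(INFER, DEFS)))
```

Running it shows that the reachable LTS of Buf has four states labelled only with *in*, $\tau$ and *out* and no deadlocked state; that Sys has eight reachable states, exactly one of which has no outgoing transition (Buf<sub>ab</sub> wants to emit b<sub>-</sub>' while Buf<sub>bc</sub> wants to emit b<sub>+</sub>', and the restriction blocks both); and that the process of the inference slide can only move by $\tau$ or *b*, which is what Proofs 1 to 3 plus the Res side condition establish by hand.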





## **Labeled Transition Systems**











### **Example: Faulty Mutual Exclusion Protocol**

```
byte cnt;
byte x, y, z;

active [2] proctype user()
{
    byte me = _pid + 1;     /* me is 1 or 2 */
again:
    x = me;
    if
    :: (y == 0 || y == me) -> skip
    :: else -> goto again
    fi;
    z = me;
    if
    :: (x == me) -> skip
    :: else -> goto again
    fi;
    y = me;
    if
    :: (z == me) -> skip
    :: else -> goto again
    fi;
    /* enter critical section */
    cnt++;
    assert(cnt == 1);
    cnt--;
    goto again
}
```

```
* x_[0-2] abbreviates the three actions x_0, x_1, x_2 (likewise for y, z and the tests)
proc Sys = (P1 | P2 | X0 | Y0 | Z0 | CNT0) \ {x_[0-2], y_[0-2], z_[0-2],
            test_x_[0-2], test_y_[0-2], test_z_[0-2], inc_cnt, dec_cnt}
* Process P1 (me = 1) and process P2 (me = 2)
proc P1    = x_1.(test_y_0.P1' + test_y_1.P1' + test_y_2.P1)
proc P1'   = z_1.(test_x_0.P1 + test_x_1.P1'' + test_x_2.P1)
proc P1''  = y_1.(test_z_0.P1 + test_z_1.P1''' + test_z_2.P1)
proc P1''' = inc_cnt.dec_cnt.P1
proc P2    = x_2.(test_y_0.P2' + test_y_1.P2 + test_y_2.P2')
proc P2'   = z_2.(test_x_0.P2 + test_x_1.P2 + test_x_2.P2'')
proc P2''  = y_2.(test_z_0.P2 + test_z_1.P2 + test_z_2.P2''')
proc P2''' = inc_cnt.dec_cnt.P2
* Variables x, y, z, and cnt
proc UpdateX = 'x_0.X0 + 'x_1.X1 + 'x_2.X2
proc X0 = 'test_x_0.X0 + UpdateX
proc X1 = 'test_x_1.X1 + UpdateX
proc X2 = 'test_x_2.X2 + UpdateX
proc UpdateY = 'y_0.Y0 + 'y_1.Y1 + 'y_2.Y2
proc Y0 = 'test_y_0.Y0 + UpdateY
proc Y1 = 'test_y_1.Y1 + UpdateY
proc Y2 = 'test_y_2.Y2 + UpdateY
proc UpdateZ = 'z_0.Z0 + 'z_1.Z1 + 'z_2.Z2
proc Z0 = 'test_z_0.Z0 + UpdateZ
proc Z1 = 'test_z_1.Z1 + UpdateZ
proc Z2 = 'test_z_2.Z2 + UpdateZ
proc CNT0 = 'inc_cnt.cnt_1.CNT1
proc CNT1 = 'inc_cnt.cnt_2.CNT2 + 'dec_cnt.cnt_0.CNT0
proc CNT2 = 'dec_cnt.cnt_1.CNT1
```
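As an added example (my own Python, not part of the slides or of the CWB-NC model above), here is the interleaving semantics of the Promela program applied directly: a state is the pair of program counters plus x, y, z and cnt, each statement of user() is one atomic step, and a breadth-first search over all interleavings looks for a state in which a process has just entered its critical section while cnt != 1, which is exactly when `assert(cnt == 1)` would fail. The step labels and state layout are this example's own; the protocol logic is the one on the slide.

```python
"""Interleaving semantics of the faulty mutual-exclusion protocol, explored exhaustively."""
from collections import deque

# Constructed model of the Promela program above: two copies of user() sharing x, y, z, cnt.
# A state is (pc1, pc2, x, y, z, cnt); each program counter selects one atomic step.

def execute(state, me):
    """One step of process `me` (1 or 2) from `state`; returns (label, next_state)."""
    pc1, pc2, x, y, z, cnt = state
    pc = [pc1, pc2]
    at = pc[me - 1]
    if at == 0:
        x, nxt, label = me, 1, "x = me"
    elif at == 1:                      # if :: (y == 0 || y == me) -> skip :: else -> goto again fi
        nxt, label = (2 if y in (0, me) else 0), f"test y (y == {y})"
    elif at == 2:
        z, nxt, label = me, 3, "z = me"
    elif at == 3:                      # if :: (x == me) -> skip :: else -> goto again fi
        nxt, label = (4 if x == me else 0), f"test x (x == {x})"
    elif at == 4:
        y, nxt, label = me, 5, "y = me"
    elif at == 5:                      # if :: (z == me) -> skip :: else -> goto again fi
        nxt, label = (6 if z == me else 0), f"test z (z == {z})"
    elif at == 6:
        cnt, nxt, label = cnt + 1, 7, "cnt++ (enter critical section)"
    else:                              # at == 7: leave the critical section, goto again
        cnt, nxt, label = cnt - 1, 0, "cnt-- (leave critical section)"
    pc[me - 1] = nxt
    return label, (pc[0], pc[1], x, y, z, cnt)

def violates(state):
    """assert(cnt == 1) fails for a process that has just incremented cnt (pc == 7)."""
    pc1, pc2, _, _, _, cnt = state
    return cnt != 1 and (pc1 == 7 or pc2 == 7)

def explore():
    """BFS over all interleavings from the initial state; returns (trace, bad_state) or None."""
    init = (0, 0, 0, 0, 0, 0)
    parent = {init: None}
    todo = deque([init])
    while todo:
        s = todo.popleft()
        if violates(s):
            bad, trace = s, []
            while parent[s] is not None:         # walk back to the initial state
                prev, me, label = parent[s]
                trace.append(f"P{me}: {label}")
                s = prev
            return trace[::-1], bad
        for me in (1, 2):                        # interleaving: either process moves next
            label, t = execute(s, me)
            if t not in parent:
                parent[t] = (s, me, label)
                todo.append(t)
    return None

if __name__ == "__main__":
    result = explore()
    if result is None:
        print("no assertion violation reachable")
    else:
        trace, bad = result
        print("\n".join(trace))
        print("violating state (pc1, pc2, x, y, z, cnt):", bad)
```

The search returns a 14-step interleaving (seven steps of each process, with no `goto again` retries) that ends with both processes past `cnt++` and cnt == 2. One such interleaving: P1 sets x and passes its y- and x-tests, P2 sets x = 2 and passes its y-test while y is still 0, P1 then sets y, passes its z-test and enters, and P2 sets z and y, passes its x- and z-tests (each variable it tests now holds its own value) and enters as well. This is the violation a model checker such as SPIN would report for the Promela version, and the reason the CCS model above is labelled faulty.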





### Homework #1: Due Sep 21

- Draw LTS diagrams
  - Buf<sup>2</sup> in slide 6
  - Sys in slide 10 (specify which two actions make $\tau$, if any)
- Minimize Sys of slide 14 by using relabelling functions
- Specify Peterson's mutual exclusion protocol for 2 processes

```
/* Peterson's solution to the mutual exclusion problem - 1981 */
bool turn, flag[2];
byte ncrit;
active [2] proctype user()
{
again:
        flag[_pid] = 1;
        turn = _pid;
        (flag[1 - _pid] == 0 || turn == 1 - _pid);  /* blocks until true; the busy-wait loop of the slide */
        ncrit++;
        assert(ncrit == 1); /* critical section */
        ncrit--;
        flag[_pid] = 0;
        goto again
}
```





### **CWB-NC Commands**

- help <command>
- load <ccs filename>
- cat <process>
- compile <process>
- es <script file> <output file>
- eq -S <trace|bisim|obseq> <proc1> <proc2>
- le -S may <proc1> <proc2> /* trace subset relation */
- quit
- sim <process>
  - semantics <bisim|obseq>
  - random <n>
  - back <n>
  - break <act list>
  - history
  - quit





## **Observational Trace Equivalence**

- Sys is a design for a buffer with separated input/output ports
  - Sys = (Buf<sub>1</sub> | Buf<sub>2</sub>)\{comm<sub>1</sub>, comm<sub>2</sub>}
    - Buf<sub>1</sub> = in.comm<sub>1</sub>.Buf<sub>1</sub>', Buf<sub>1</sub>' = comm<sub>2</sub>.Buf<sub>1</sub>
    - Buf<sub>2</sub> = comm<sub>1</sub>'.Buf<sub>2</sub>', Buf<sub>2</sub>' = out.comm<sub>2</sub>'.Buf<sub>2</sub>
- Spec is a requirement for the buffer design
- Sys =<sub>TR</sub> Spec?
  - No. Sys has τ, which Spec does not
    - Exec(Sys) = $\{in, in.\tau, in.\tau.out, in.\tau.out.\tau, ...\}$
    - Exec(Spec) = {in, in.out, ...}
  - Yes. τ is an internal hidden action, not visible outside (not observable). Thus, τ is not included in an observable execution
    - If $s \in Act^*$, then $\hat{s} \in (Act \setminus \{\tau\})^*$ is the action sequence obtained by deleting all occurrences of $\tau$ from s.
      - Ex> s = $a.\tau.b.\tau.c$, then $\hat{s} = a.b.c$
    - The set of observable executions: Exec'(P) = { $\hat{s}$ | s ∈ Exec(P) }
      - Exec'(Sys) = {in, in.out, ...}
      - Exec'(Spec) = {in, in.out, ...}





# **Observational Bisimulation Equivalence**

- P =α=> Q iff P (-τ->)* P' -α-> Q' (-τ->)* Q, where α ∈ Act - {τ}
  - Let s ∈ (Act - {τ})*. Then q =s=> q' if there exists s' s.t. q -s'-> q' and s = ŝ'
- τ is an internal hidden action which affects internal behavior, although it is not itself visible outside.
  - P = a.P + b.P, Q1 = a.Q1 + τ.b.Q1 (write Q2 for b.Q1, so Q1 -τ-> Q2)
    - Suppose that 'a' means pushing button 'a'. Similarly for 'b'.
      - P always allows a user to push either button.
      - Q1 allows a user to push button 'a' sometimes and button 'b' sometimes.
    - Thus, we need to distinguish P from Q1 (P and Q1 are not observationally bisimilar), which can be done using =α=> instead of -α->
      - Q1 -a-> Q1 implies Q1 =a=> Q1. Similarly, Q2 -b-> Q1 implies Q2 =b=> Q1
      - Q1 -a-> Q1 -τ-> Q2 implies Q1 =a=> Q2. Q2 -b-> Q1 -τ-> Q2 implies Q2 =b=> Q2



# **Observational Bisimulation Equivalence**

- Sys =<sub>BS</sub> Spec? (see slide 8)
  - No. Sys has τ, which Spec does not (i.e. they are not strongly bisimilar)
  - Yes. Sys is observationally bisimilar to Spec
    - BS = { (s0, Spec), (s1, Spec'), (s3, Spec), (s2, Spec') }
      - s0 -in-> s1 implies s0 =in=> s1. Similarly, s2 -out-> s3 implies s2 =out=> s3
      - s0 -in-> s1 -τ-> s2 implies s0 =in=> s2
      - s2 -out-> s3 -τ-> s0 implies s2 =out=> s0
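The following added example (my own Python, not material from the slides) encodes the LTSs discussed in the two preceding sections as explicit transition tables and implements the definitions literally: ŝ deletes the τ's, =α=> is (-τ->)* -α-> (-τ->)*, and the observational bisimulation is computed as the greatest fixpoint of the usual refinement of the all-pairs relation. Sys is the four-state LTS s0 -in-> s1 -τ-> s2 -out-> s3 -τ-> s0 used in the BS table above; Spec is assumed to be in.Spec' with Spec' = out.Spec (the slides give only its traces); Q2 stands for b.Q1. The state names and the table layout are the example's own.

```python
"""Trace and observational (weak) bisimulation checks over explicit LTSs from the slides."""
TAU = "tau"

# Constructed sample LTSs, written as {state: {(action, next_state), ...}}.
SYS = {"s0": {("in", "s1")}, "s1": {(TAU, "s2")}, "s2": {("out", "s3")}, "s3": {(TAU, "s0")}}
SPEC = {"Spec": {("in", "Spec'")}, "Spec'": {("out", "Spec")}}   # assumed: Spec = in.out.Spec
PQ = {"P": {("a", "P"), ("b", "P")},            # P  = a.P + b.P
      "Q1": {("a", "Q1"), (TAU, "Q2")},           # Q1 = a.Q1 + tau.Q2
      "Q2": {("b", "Q1")}}                        # Q2 = b.Q1

def tau_closure(lts, s):
    """(-tau->)*: every state reachable from s by zero or more tau moves."""
    seen, todo = {s}, [s]
    while todo:
        for a, t in lts.get(todo.pop(), ()):
            if a == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def weak_moves(lts, s, action):
    """Targets of s =action=> t, i.e. (-tau->)* -action-> (-tau->)*."""
    targets = set()
    for u in tau_closure(lts, s):
        for a, v in lts.get(u, ()):
            if a == action:
                targets |= tau_closure(lts, v)
    return targets

def observable_traces(lts, s, depth):
    """Exec'(s): action sequences with all taus deleted, up to `depth` visible actions."""
    traces, frontier = {()}, {((), s)}
    for _ in range(depth):
        nxt = set()
        for tr, u in frontier:
            for v in tau_closure(lts, u):
                for a, w in lts.get(v, ()):
                    if a != TAU:
                        nxt.add((tr + (a,), w))
        traces |= {tr for tr, _ in nxt}
        frontier = nxt
    return traces

def trace_equivalent(lts1, s1, lts2, s2, depth=6):
    """Bounded check of Exec'(s1) == Exec'(s2) (=_TR on the slide)."""
    return observable_traces(lts1, s1, depth) == observable_traces(lts2, s2, depth)

def weak_bisimilar(lts1, s1, lts2, s2):
    """Largest observational bisimulation, by refining the all-pairs relation to a fixpoint."""
    lts = {(1, s): {(a, (1, t)) for a, t in m} for s, m in lts1.items()}   # disjoint union
    lts.update({(2, s): {(a, (2, t)) for a, t in m} for s, m in lts2.items()})
    states = set(lts) | {t for m in lts.values() for _, t in m}
    rel = {(p, q) for p in states for q in states}

    def answered(p, q):
        # every move of p must be matched by a weak move of q into a still-related pair;
        # a tau move of p may be matched by q staying put (zero or more taus)
        for a, p2 in lts.get(p, ()):
            replies = tau_closure(lts, q) if a == TAU else weak_moves(lts, q, a)
            if not any((p2, q2) in rel for q2 in replies):
                return False
        return True

    while True:
        kept = {(p, q) for p, q in rel if answered(p, q) and answered(q, p)}
        if kept == rel:
            return ((1, s1), (2, s2)) in rel
        rel = kept

if __name__ == "__main__":
    print("Sys =TR Spec:", trace_equivalent(SYS, "s0", SPEC, "Spec"))
    print("Sys =BS Spec:", weak_bisimilar(SYS, "s0", SPEC, "Spec"))
    print("P =TR Q1:", trace_equivalent(PQ, "P", PQ, "Q1"))
    print("P =BS Q1:", weak_bisimilar(PQ, "P", PQ, "Q1"))
```

Sys and Spec come out both trace-equivalent and observationally bisimilar, while P and Q1 have the same observable traces (every string over {a, b}) yet are not observationally bisimilar: the pair (P, Q2) is dropped in the first refinement round because Q2 cannot answer P's *a* move, and that removes (Q1, P) in the next round because Q1's τ move to Q2 can then no longer be answered. This is the distinction the two-button argument above makes informally.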



# **Example: Scheduler**

### Action and Process Def.

- a<sub>i</sub>: start task<sub>i</sub>
- b<sub>i</sub>: stop task<sub>i</sub>

### Requirements:

- $a_1, ..., a_n$ to occur cyclically
- a<sub>i</sub>/b<sub>i</sub> to occur alternately, beginning with a<sub>i</sub>

## Sched<sub>i,X</sub> for $X \subseteq \{1,...,n\}$

- i: the task to be scheduled next
- X: the tasks pending completion

Scheduler = Sched<sub>i,∅</sub>

### Sched<sub>i,X</sub>

$$Sched_{i,X} = \sum_{j \in X} b_j . Sched_{i,X-\{j\}}, \quad \text{if } i \in X$$

$$Sched_{i,X} = \sum_{j \in X} b_j . Sched_{i,X-\{j\}} + a_i . Sched_{i+1,X \cup \{i\}}, \quad \text{if } i \notin X$$
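An added example (my own Python, not the slides' or Milner's code) that expands the two defining equations of Sched<sub>i,X</sub> into a finite LTS for a given n and checks both requirements on every trace up to a bounded length. It assumes that the index i+1 wraps around from n to 1 and that Scheduler starts at Sched<sub>1,∅</sub>; the action names a1, b1, ... and the function names are the example's own.

```python
"""Sched_{i,X} from the slide, expanded into a finite LTS and checked against the requirements."""

def sched_moves(i, X, n):
    """Transitions of Sched_{i,X}, read straight off the two defining equations."""
    moves = [(f"b{j}", (i, X - {j})) for j in sorted(X)]   # sum over j in X of b_j.Sched_{i,X-{j}}
    if i not in X:                                          # the a_i summand exists only if i is not in X
        moves.append((f"a{i}", (i % n + 1, X | {i})))       # assumption: i+1 wraps from n back to 1
    return moves

def definition(i, X, n):
    """The equation for Sched_{i,X} as text, e.g. 'Sched_1,{} = a1.Sched_2,{1}'."""
    def term(s, Y):
        return f"Sched_{s},{{{','.join(map(str, sorted(Y)))}}}"
    rhs = " + ".join(f"{a}.{term(*t)}" for a, t in sched_moves(i, X, n))
    return f"{term(i, X)} = {rhs}"

def reachable(n):
    """All states reachable from Scheduler = Sched_{1,{}} (assumed start), with their moves."""
    init = (1, frozenset())
    graph, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = sched_moves(s[0], s[1], n)
            todo.extend(t for _, t in graph[s])
    return graph

def traces(n, depth):
    """Every action sequence of length <= depth starting from Sched_{1,{}}."""
    out, frontier = [()], [((), (1, frozenset()))]
    for _ in range(depth):
        frontier = [(tr + (a,), t) for tr, s in frontier for a, t in sched_moves(s[0], s[1], n)]
        out.extend(tr for tr, _ in frontier)
    return out

def cyclic(trace, n):
    """Requirement 1: the starts occur as a1, a2, ..., an, a1, ..."""
    starts = [int(act[1:]) for act in trace if act[0] == "a"]
    return all(i == k % n + 1 for k, i in enumerate(starts))

def alternating(trace):
    """Requirement 2: for each i, a_i and b_i alternate, beginning with a_i."""
    running = set()
    for act in trace:
        i = int(act[1:])
        if act[0] == "a" and i not in running:
            running.add(i)
        elif act[0] == "b" and i in running:
            running.remove(i)
        else:
            return False
    return True

def check(n, depth=7):
    """True if both requirements hold on every trace of Scheduler up to the given depth."""
    return all(cyclic(t, n) and alternating(t) for t in traces(n, depth))

if __name__ == "__main__":
    for (i, X) in sorted(reachable(2), key=lambda s: (s[0], sorted(s[1]))):
        print(definition(i, X, 2))
    print("n=3 states:", len(reachable(3)), "requirements hold:", check(3))
```

For n = 3 the scheduler has 24 reachable states (every combination of the next task i and the pending set X), and both requirements hold on all traces up to depth 7; the same program prints the eight unfolded equations for n = 2, which is a convenient way to see why the a<sub>i</sub> summand must be absent while i is still in X.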

