## A CSP Approach To Action Systems (1992)

Citations: | 24 - 7 self |

### BibTeX

@TECHREPORT{Butler92acsp,

author = {Michael J. Butler},

title = {A CSP Approach To Action Systems},

institution = {},

year = {1992}

}

### Years of Citing Articles

### OpenURL

### Abstract

The communicating sequential processes (CSP) formalism, introduced by Hoare [Hoa85], is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan [Mor90a] has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [Mor90a], Woodcock & Morgan [WM90] have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model [Ros88] in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence is then extended to include a notion of internal action. This allows the ...

### Citations

3643 | Communicating Sequential Processes
- Hoare
- 1985
(Show Context)
Citation Context ...College Thesis submitted for the degree of Doctor of Philosophy at the University of Oxford, Michaelmas Term, 1992 Abstract The communicating sequential processes (CSP) formalism, introduced by Hoare =-=[Hoa85]-=-, is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precond... |

3430 |
Communication and Concurrency
- Milner
- 1989
(Show Context)
Citation Context ...pters. 1.1 Communicating Processes Well-known event-based approaches to concurrency include Hoare's communicating sequential processes (CSP) [Hoa85], Milner's calculus for communicating systemss(CCS) =-=[Mil89]-=-, and Bergstra & Klop's algebra for communicating processes (ACP) [BK85]. In each of these approaches, a process communicates with its environment by engaging in atomic events, and the behaviour of a ... |

1535 |
A Discipline of Programming
- DIJKSTRA
- 1976
(Show Context)
Citation Context ...operties enjoyed by f , e.g. if f is -continuous then f is -continuous. 2.3 Specification Language The specification language used in this thesis is an extension of Dijkstra's guardedcommand language =-=[Dij76]-=-. The meaning of a statement S in this language is given by the weakest-precondition predicate-transformer: S transforms postcondition OE into the precondition wp(S ; OE). We write the predicate trans... |

1165 |
The Z Notation: A Reference Manual
- Spivey
- 1989
(Show Context)
Citation Context ...he statement S with the variable x localised. Then we say that "S is datarefined by S 0 under Rep" if Rep can be used to show that (var a ffl S ) is refined by (var c ffl S 0 ). The VDM [Jon=-=86] and Z [Spi89]-=- methods are closely related to the refinementcalculus approach. Both provide rich specification notations, based on predicate calculus and set theory, that allow abstract programs to be specified in ... |

774 |
Parallel program design : a foundation
- Chandy, Misra
- 1988
(Show Context)
Citation Context ...and the initialisation and transitions are represented by statements in Dijkstra's guarded commandlanguage. Typical examples include Back's action system formalism [BKS83], and Chandy & Misra's UNITY =-=[CM88]-=-. In Back's action systems, an action (transition) is a statement of the form g ! com; where g is a guard (condition on the state variables) and com is a command (program statement). An action is enab... |

674 |
Systematic Software Development Using VDM
- Jones
- 1990
(Show Context)
Citation Context ...x ffl S ) be the statement S with the variable x localised. Then we say that "S is datarefined by S 0 under Rep" if Rep can be used to show that (var a ffl S ) is refined by (var c ffl S 0 )=-=. The VDM [Jon86]-=- and Z [Spi89] methods are closely related to the refinementcalculus approach. Both provide rich specification notations, based on predicate calculus and set theory, that allow abstract programs to be... |

591 |
A lattice-theoretical fixed point theorem and its applications
- Tarski
- 1955
(Show Context)
Citation Context ...cases. Firstly, we look at some fixed-point theory. 3.2 Fixed-Point Theory A set A with partial order V is a complete lattice if every subset B of A has a least upper bound and a greatest lower bound =-=[Tar55]-=-. We have that the set of all predicates, with the entailment ordering V, forms a complete lattice. 35 A fixed-point of a predicate transformer f is any predicate X satisfying f (X ) j X : We write th... |

561 | Conjoining specifications - Abadi, Lamport - 1993 |

509 | Programming from Specifications - Morgan |

489 |
Computation: Finite and Infinite Machines
- Minsky
- 1967
(Show Context)
Citation Context ...t (it PB ti ; PC ) ti ; it PB ti: 2 45 Each of these lemmas is proven in Appendix B. Observation: Lemmas 4.4 and 4.5 illustrate a similarity between our specification language and regular expressions =-=[Min67]. If " ; ", "[]-=-", and "it S ti" correspond to the regular-expression operators for sequencing, choice, and iteration respectively, then these lemmas are also satisfied by regular expressions. Backhous... |

465 | The existence of refinement mappings
- ABADI, LAMPORT
- 1988
(Show Context)
Citation Context ...ms [CM88], and a distributed Electronic Funds-Transfer system [Sta88]. 1.3.3 Internal State When developing systems it is convenient to be able to make part of the state unobservable. Abadi & Lamport =-=[AL88]-=- use the notion of external and internal state to achieve this in transition systems. Elements of the state-space consist of pairs of the form (e; h), where e is the external component and h is the in... |

395 | Hierarchical correctness proofs for distributed algorithms
- Lynch, Tuttle
- 1987
(Show Context)
Citation Context ...tems in the manner of [He89, Jos88]. Morgan's CSP semantics for action systems, along with simulation, will be described in Chapter 2. 17 1.4.3 I/O-Automata I/O-automata, introduced by Lynch & Tuttle =-=[LT87]-=-, are labelled transitionsystems with some fairness requirements. The labels of an I/O-automaton are partitioned into input events, output events, and internal events. Fairness requirements are usuall... |

333 |
An axiomatic proof technique for parallel programs
- OWICKI, GRIES
- 1976
(Show Context)
Citation Context ...re to be composed, then P1 should satisfy E2 and P2 should satisfy E1 . Abadi & Lamport also describe some compositional proof-rules for proving the correctness of decomposition steps. Owicki & Gries =-=[OG76]-=- have developed proof rules for reasoning about parallel programs in a Dijkstra-like language that share variables. These rules involve reasoning about preconditions and postconditions of statements i... |

322 |
Speci and development of reactive systems
- Pnueli
- 1986
(Show Context)
Citation Context ...t originally motivated the work described in this thesis are forms of reactive systems. Reactive systems maintain an on-going interaction with their environment and may consist of parallel subsystems =-=[Pnu86]-=-. In this chapter, we look at some existing formalisms for modelling and reasoning about reactive systems. We shall be interested in how these formalisms deal with specification, refinement, and compo... |

239 |
Predicate Calculus and Program Semantics
- Dijkstra, Scholten
- 1990
(Show Context)
Citation Context ...foundedness theorem for IT-loops is introduced to ensure non-divergence of the internal actions of the 54 concrete action system Q which is similar to Dijkstra's well-foundedness theorem for DO-loops =-=[DS90]-=-. A set WF , with irreflexive partial order !, is well-founded if each non-empty subset of WF contains a minimal element under !. For example, the natural numbers with the usual ordering, or the carte... |

238 |
Algebra of communicating processes with abstraction
- Bergstra, Klop
- 1985
(Show Context)
Citation Context ...oncurrency include Hoare's communicating sequential processes (CSP) [Hoa85], Milner's calculus for communicating systemss(CCS) [Mil89], and Bergstra & Klop's algebra for communicating processes (ACP) =-=[BK85]-=-. In each of these approaches, a process communicates with its environment by engaging in atomic events, and the behaviour of a process is defined in terms of the temporal ordering of events. The use ... |

187 | Recognizing Safety and Liveness
- Alpern, Schneider
- 1987
(Show Context)
Citation Context ... into safety and liveness, then satisfaction of a safety property can be proven using an invariance argument, while satisfaction of a liveness property can be proven using a well-foundedness argument =-=[AS87]-=-. Chandy & Misra [CM88] have also developed proof rules for verifying that a UNITY logic specification is refined (satisfied) by another, and that a specification is satisfied by a program. A transiti... |

185 | What good is temporal logic - Lamport - 1983 |

174 |
Specification and design of (parallel) programs
- Jones
- 1983
(Show Context)
Citation Context ...re atomic. However, the Owicki-Gries method is not truly compositional in that component programs must be constructed before the parallel proof-rule can be applied. The rely/guarantee method of Jones =-=[Jon83]-=- is a compositional extension of the Owicki-Gries method that is used to reason 14 about programs in the style of VDM. A specification has the form (P ; R; G;Q ), where P is a condition describing a s... |

162 |
A theoretical basis for stepwise refinement and the programming calculus
- Morris
- 1987
(Show Context)
Citation Context ...epresent those initial states from which statement S is guaranteed to terminate: Definition 2.7 For statement S , halt(S ) b = wp(S ; true). Sources: Miracles are introduced by Nelson [Nel89], Morris =-=[Mrr87], and Morg-=-an [Mor88b], and "naked" guarded-commands and choice are defined by each 25 author. Back [Bac80] introduced the weakest-precondition semantics of specification statements, though his specifi... |

160 | A model for communicating sequential processes
- Brookes
- 1983
(Show Context)
Citation Context ...al proof-rules are provided for transforming SL 0 specifications into occam programs. Back & Sere [BS90] have also investigated the transformation of action systems into occam programs. Reed & Roscoe =-=[RR86]-=- have developed a timed model for CSP, and Seidel [Sei92] has developed a probabilistic model for CSP. It may be possible to treat timing and probability in action systems using these models. The time... |

138 |
The specification statement
- Morgan
- 1988
(Show Context)
Citation Context ...ially composed with some other statement and write S [post ] for S ; [post ]. The effect is to reduce the nondeterminism of S by forcing it to take a path that satisfies post . 1 This is different to =-=[Mor88b]-=- where it is short for v : [ (9 v ffl post)[v 0 nv ]; post ]. 24 For example, (x : 2 fl)[x ! 10] assigns some natural number less than 10 to x : wp( (x : 2 fl)[x ! 10]; OE) j wp(x : 2 fl; x ! 10 ) OE)... |

136 |
A generalization of Dijkstraâ€™s calculus
- Nelson
- 1989
(Show Context)
Citation Context ...et of states. We interpret a predicate OE to be a subset of \Sigma and not, for instance a formula in a fixed langauge like first-order logic [Ham78]. Our view of predicates is found, for example, in =-=[Nel89], and avoids the nec-=-essity of higher-order logic when quantifying over predicates: with our approach, the statement "for all predicates OE" is interpreted as "for all subsets OE of \Sigma". Two predic... |

129 |
Fundamentals of Algebraic Specification I
- Ehrig, Mahr
- 1985
(Show Context)
Citation Context ...en used to specify several OSI layers, including the transport layer and the session layer. LOTOS consists of a process algebra based on CCS [Mil89], and an abstract-data-type algebra based on ACTONE =-=[EM85]-=-. The process algebra is used to describe ordering of communication events, while the abstract-data-type algebra is used to specify data structures and operations on them. Usually the event parts and ... |

124 | A simple approach to specifying concurrent systems
- Lamport
- 1989
(Show Context)
Citation Context ...transitions (r 0 and r 1 ), while T2 has a single nondeterministic transition (r 2 ), yet we can show that tr(T1 ) = tr(T2 ). A transition system may be specified using properties as shown by Lamport =-=[Lam89] and -=-Pnueli [Pnu86]. A property is a set of state-traces, and a transition system T is said to satisfy a property P if tr(T ) ` P . Usually a property is specified as the intersection M "L of a safety... |

110 |
Correctness Preserving Program Refinements: Proof Theory and Applications, volume 131
- Back
- 1980
(Show Context)
Citation Context ...ent S , halt(S ) b = wp(S ; true). Sources: Miracles are introduced by Nelson [Nel89], Morris [Mrr87], and Morgan [Mor88b], and "naked" guarded-commands and choice are defined by each 25 aut=-=hor. Back [Bac80]-=- introduced the weakest-precondition semantics of specification statements, though his specification statements were restricted to be nonmiraculous. Morris [Mrr87] and Morgan [Mor88b] also define spec... |

88 | On the Refinement Calculus - Morgan, Vickers - 1994 |

86 |
Specification-oriented semantics for communicating processes
- Olderog, Hoare
- 1986
(Show Context)
Citation Context ... Sanders [HHS86] as a complete method for data refinement of sequential programs in the relational framework. 4 Also called forwards simulation. 5 Also called backwards simulation. 16 Olderog & Hoare =-=[OH86]-=- have shown how safety and liveness are represented in the CSP semantic model. The traces of a process represent safety, since they describe those event-traces that a process may safely engage in. Ref... |

74 |
J.W.: Data refinement refined
- He, Hoare, et al.
- 1986
(Show Context)
Citation Context ...lation from T # to T 0 . So using a combination of downwards and upwards simulation, it can be shown that T is refined by T 0 . Downwards and upwards simulation were introduced by He, Hoare & Sanders =-=[HHS86]-=- as a complete method for data refinement of sequential programs in the relational framework. 4 Also called forwards simulation. 5 Also called backwards simulation. 16 Olderog & Hoare [OH86] have show... |

61 |
Stepwise refinement of parallel algorithms
- Back, Sere
- 1990
(Show Context)
Citation Context ...a set of guarded commands, rather than being specified by a set 9 of properties. Examples specified using the formalism include a mutual-exclusion algorithm [Bac92b], a Gaussian-elimination algorithm =-=[BS89]-=-, and a telephone exchange [KSK88]. A UNITY program [CM88] is an action system in which each action is deterministic, non-aborting, and always enabled 2 . In addition, there is a fairness requirement ... |

61 |
Elements of Set Theory
- Enderton
- 1977
(Show Context)
Citation Context ...ollows: R b = fv 0 ; v j posts/g R 0 b = fv 0 ; v j postg: Let f and f 0 be functions such that f ` R dom(f ) = dom(R) f 0 ` R 0 dom(f 0 ) = dom(R 0 ) Note that f and f 0 exist by the Axiom of Choice =-=[End77]: (8 -=-relation R ffl (9 function f ffl f ` Rsdom(f ) = dom(R))): Finally, construct statement SP 0 : SP 0 b = v : " pre; OE[v nv o ] ) v = f (v 0 ) : OE[v nv o ] ) v = f 0 (v 0 ) # SP 0 is pre-determin... |

49 |
Superimposition for interacting processes
- Forman
(Show Context)
Citation Context ...nment, and we make no fairness assumptions about internal actions. Our decision to treat superposition as an operator between two action systems is similar to the approach taken by Francez and Forman =-=[FF90]-=-. They define a superposition operator for programs of the IP (interacting processes) language. The semantics of IP programs and of the superposition operator are given in terms of state transitions. ... |

48 |
Data refinement of predicate transformers
- Gardiner, Morgan
- 1991
(Show Context)
Citation Context ... . 2.6 Refinement of Statements Several authors have investigated refinement of statements in terms of weakest preconditions, [Bac90a, Nel89, Mrr87, GM88]. We use the definitions of Gardiner & Morgan =-=[GM88]-=- and write SsT for statement S is (algorithmically) refined by statement T : Definition 2.10 SsT if for each predicate OE, wp(S ; OE) V wp(T ; OE): 2 Clearly,sis a transitive ordering. Data refinement... |

40 |
Data refinement by calculation
- Morgan, Gardiner
- 1990
(Show Context)
Citation Context ...les specific to specification statements. Data-Refinement Conditions To check data-refinement conditions, we use the refinement calculator for specification statements introduced by Morgan & Gardiner =-=[MG88]-=-. The refinement calculator is given by the following rule: Rule 7.2 For post independent of c, a; z : [ pre; post ]srep c; z : [ (9 a ffl AIspre); (9 a ffl AIspost) ]: 2 However, Rule 7.2 does not tr... |

38 |
Probabilistic communicating processes
- Seidel
- 1992
(Show Context)
Citation Context ...ications into occam programs. Back & Sere [BS90] have also investigated the transformation of action systems into occam programs. Reed & Roscoe [RR86] have developed a timed model for CSP, and Seidel =-=[Sei92]-=- has developed a probabilistic model for CSP. It may be possible to treat timing and probability in action systems using these models. The timed model may allow us to specify that an action must termi... |

37 |
Decentralisation of process nets with centralised control
- Back, Kurki-Suonio
- 1983
(Show Context)
Citation Context ...he communicating sequential processes (CSP) formalism, introduced by Hoare [Hoa85], is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio =-=[BKS83]-=-, is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan [Mor90a] has defined a correspondence between action systems and the failures-divergences model for CS... |

36 | Laws of data refinement - Morris - 1989 |

35 |
Refinement of state-based concurrent systems
- Woodcock, Morgan
- 1990
(Show Context)
Citation Context ...ce between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [Mor90a], Woodcock & Morgan =-=[WM90]-=- have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model [Ros88] in order to deal m... |

34 |
A single complete rule for data refinement
- Gardiner, Morgan
- 1992
(Show Context)
Citation Context ...l cases of Definition 2.17, their completeness result means that Definition 2.17 is complete. Combining downwards and upwards simulation into a single definition follows the work of Gardiner & Morgan =-=[GM89]-=- which shows that Definition 2.11 is complete for data refinement of programs. 2.9 Internal and External Choice The definition of simulation used by us is similar to Back's rule for data refinement of... |

34 |
Of wp and CSP
- Morgan
- 1990
(Show Context)
Citation Context ...roach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan =-=[Mor90a]-=- has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [... |

33 |
Logic for mathematicians
- Hamilton
(Show Context)
Citation Context ...ion systems. 2.1 Predicates Let \Sigma be some non-empty set of states. We interpret a predicate OE to be a subset of \Sigma and not, for instance a formula in a fixed langauge like first-order logic =-=[Ham78]. Our view-=- of predicates is found, for example, in [Nel89], and avoids the necessity of higher-order logic when quantifying over predicates: with our approach, the statement "for all predicates OE" is... |

32 |
Specification of the UNIX Filing System
- Morgan, Sufrin
- 1984
(Show Context)
Citation Context ...pdated as follows: fstore = fstore 0 \Phi f n 7! f g where (f ; r) = p(fstore 0 (n)); and the reply r will be passed back to the user. Formal specifications of several file operations can be found in =-=[MS87]-=-. The terminals of the file system are identified by the set Tid . We assume that Tid is finite. Corresponding to each terminal, there is a request channel and a response channel. Each request channel... |

28 |
Induction rules and termination proofs
- Hitchcock, Park
- 1972
(Show Context)
Citation Context ...n we only need to show that OE is a solution of (ii). If f is -continuous then it can be shown that ( X ffl f (X )) j ( i 2 fl ffl f i (false)) where f i is application of f i times. Hitchcock & Park =-=[HP72]-=- have improved on this in their Generalised Limit-Theorem, by extending the range of i to the ordinals so that -continuity is no longer required. We use the version presented by Nelson [Nel89]: Theore... |

27 | Unbounded nondeterminism in CSP
- Roscoe
- 1993
(Show Context)
Citation Context ..., Woodcock & Morgan [WM90] have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model =-=[Ros88]-=- in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence i... |

26 |
The probe: An addition to communication primitives
- Martin
- 1985
(Show Context)
Citation Context ...lementation is a more general graph-like array of processes, and a process may have to communicate with any number of neighbours, so that external choice is required. This is achieved by using probes =-=[Mar85]-=-. A probe is boolean flag associated with a channel that can be read by a process to check the readiness of its neighbour to communicate on that channel. A probe can be read without having to communic... |

25 |
Towards a Design Calculus for Communicating Programs, LNCS 527 (Springer-Verlag), p
- Olderog
- 1991
(Show Context)
Citation Context ...means that a system offering output to the environment on more than one output channel cannot be specified using his approach. The designers of the specification language SL 0 also treat this problem =-=[Old91]-=-. SL 0 is used for specifying communicating systems which are to be implemented in an occam-like programming language. The semantics of SL 0 are a variant of the readiness semantics for CSP [OH86]: th... |

20 |
Process simulation and refinement
- He
- 1989
(Show Context)
Citation Context ... of the state variables may depend on the initial values and on x ?. The problem of ensuring that the choice of output value is made internally has been considered by He Jifeng for transition systems =-=[He90]-=-. His approach is to explicitly identify which transitions represent output communications. Then the failures semantics are defined in such a way that the choice between all output transitions is alwa... |

20 | Types and invariants in the refinement calculus
- Morgan, Vickers
- 1990
(Show Context)
Citation Context ...the from internal h :-- u : [ post ]: Again, by convention, the action part will represent the action u : [ I 0sIspost ]: Note: Our treatment of types and invariants is similar to that used by Morgan =-=[Mor89]-=- for the guarded command-language. The difference is that in our case, a statement will be miraculous if the invariant is not satisfied initially, while in Morgan's case a statement will abort. Our tr... |

19 |
Programming in occam 2
- Jones, Goldsmith
- 1988
(Show Context)
Citation Context ...actly CSP hiding gives us the benefit of those properties enjoyed by the CSP hiding operator, such as monotonicity. Also, CSP hiding is implemented by some concurrent programminglanguages, e.g. occam =-=[JG88]-=-. One of the difficulties of using CSP hiding, however, is ensuring that divergence is not introduced. A well-foundedness theorem for the iterate construct will be given which allows a variant functio... |

19 |
Preordered Categories and Predicate Transformers
- Martin
- 1991
(Show Context)
Citation Context ...sition. Our characterisation was arrived at by a mixture of informal, operational consideration and experimenting with the proof of Theorem 5.17. 70 Based on category-theoretic considerations, Martin =-=[Mce91]-=- has developed a cross-product operator for predicate transformers written S \Theta T . This represents the parallel composition of statements S and T and doesn't require the variables of S and T to b... |