Mobile CSP||B. by Vajar, Beeta.
8799902 
llllllllllllllllllllllllllllllllllllllllllllll 
UNIVERSITY OF SURREY LIBRARY 
ＭｾＭＭＭＭ --------- -



ProQuest Number:




All rights reserved

INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that  the author did not send a complete manuscript
and  there  are missing pages, these will be noted. Also, if material had  to be removed,
a note will indicate the deletion.




ProQuest

Published  by ProQuest LLC ( ). Copyright of the Dissertation is held  by the Author.

All rights reserved.
This work is protected against unauthorized copying under  Title 17, United  States Code
Microform Edition © ProQuest LLC.


ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor,  MI 48106 - 1346
10131252
10131252
2017
-.· . 
, , · 
ｾｾ Ｎ＠ : _- ! 
Mobile CSPjjB 
by 
Beeta Vajar 
Ph.D. Thesis 
Department of Computing 
Faculty of Engineering & Physical Sciences 
University of Surrey 
December 2009 
Declaration 
This thesis and the work to which it refers are the results of my own efforts. 
Any ｩ､･｡ｾ＠ data/ images or text resulting from the work of others (whether 
published or unpublished) are fully identified as such within the work and 
attributed to their originator in the ｴ･ｸｾ＠ bibliography or in footnotes. This 
thesis has not been submitted in whole or in part for any other academic 
degree or professional qualification. I agree that the University has the right 
to submit my work to the plagiarism detection service TurnitinUK for 
originality checks. Whether or not drafts have been ｳｯＭ｡ｳｳ･ｳｳ･ｾ＠ the 
University reserves the right to require an electronic version of the final 
document (as submitted) for assessment as above. 
Contents 
Contents 
1 Introduction 
1.1 Motivation 
1.2 Technical Background 
1.2.1 The B-Method 
1.2.2 CSP (Communicating Sequential Processes) 
1.2.3 Cmnbining CSP and the B-Nlethod . 
1.2.4 CSP II B 
1.3 Objectives ... 
1.4 Thesis Outline . 
2 New results for CSP II B 
2.1 Deadlock freedom and hiding communication channels 
2.2 Deadlock freedmn of two combined cmnponents .. 
2.3 Deadlock freedom of the whole system ...... . 
2.4 Consistency of a mixed machine and its controller 
2.5 
2.4.1 Divergence freedom 
2.4.2 Deadlock freedmn 
Discussion . . 
3 Mobile CSP II B 
3.1 CSP se1nantics of B 1nachines 
3.2 Mobile CSP II B . . . . . . . 
3.3 Developing B n1achines . . . . 
3.4 Developing a CSP Controller 
3.5 Parallel combination ..... 
3.6 Divergence freedom of a controller and its machines 
3.6.1 Conditions for divergence freedom 
3.6.2 Verification of divergence freedom 
5 
5 
7 
7 
10 
15 
15 
21 
23 
25 
25 
27 
33 
35 
36 
41 
42 
45 
46 
50 
52 
52 
55 
59 
61 
63 
ii 
3.7 Divergence freedom of the whole system 
3.8 Deadlock freedmn ........... . 
3.9 Refinement· ............... . 
3.9.1 Refinements of CSP controllers 
3.9.2 Refinements of B machines 
3.10 Discussion ............ . 
4 Case Study 
4.1 Flight tickets sale systmn 
4. 2 Design and specification of B 1nachines . . . . . 
4.3 System design and specification in 111obile CSP 
4.3.1 Data types 
4.3.2 Sets ... 
4.3.3 
4.3.4 
4.3.5 
4.3.6 
4.3.7 
Function .. 
Channels 
Sell agencies 
The Return office . 
Controller . . . . . 
4.4 Coding mobility into standard CSP . 
4.5 Verification of the syste1n divergence freedom 
4.5.1 Assertions on control points ..... . 
4.5.2 Control Loop Invariants in Sell agencies 
4.5.3 Establishing Sell agencies are CLI preserver 
4.5.4 Control Loop Invariants in the Return office . 
4.5.5 Establishing the Return office is CLI preserver 
4.5.6 Divergence freedon1 establishment 
4.6 Verification of the systen1 deadlock freedom 
4. 7 Discussion . . . . . . . . . . . . . . . . . . . 
5 Related works and co1nparison 
5.1 SPIN(Simple Promela Interpreter) 
5.2 Sl\IIV ..... . 
5.3 VeriSoft . . . 
5.4 l\!Iobile UNITY 
5.5 Occam-7f . 
5.6 PiOZ ... 
5.7 zccs .. 
5.8 CSP-OZ . 
5.9 Object-Z/CSP 
5.10 Circus 
5.11 7f I B .. 
5.12 CSP2B. 
CONTENTS 
. 101 
. 107 
. 109 
. 110 
. 112 
. 118 
121 
. 121 
. 123 
. 127 
. 127 
. 128 
. 128 
. 128 
. 130 
. 135 
. 138 
. 138 
. 139 
. 140 
. 141 
. 142 
. 147 
. 148 
. 153 
. 153 
. 153 
159 
. 159 
. 161 
. 161 
. 162 
. . 163 
. 164 
. 164 
. 165 
. 166 
. 167 
. 168 
. 169 
5.13 ProB ............ . 
6 Conclusion and Future Work 
6.1 Conclusion ............. . 
6.2 Future Work . . . . . . . . . . . . . 
6.2.1 Mobile control point cham1els 
6.2.2 Extension for Deadlock freedom verification 
6.2.3 New machine creation . . . . . . . . . . . . 
Bibliography 
A AMN specification of a flight 1nachine 
B CSP specification of Flight tickets sale syste1n 
C wp proofs of Flight tickets sale system 
iii 
. 170 
173 
. 173 
. 175 
. 176 
. 177 
. 177 
179 
187 
189 
197 
Acknowledgements 
First and foremost, I would like to express my sincerest gratitude to my principal 
supervisor, Professor Steve Schneider, for his invaluable guidance and comments 
and his great support at every step of n1y research. 
l\!Iy warmest thanks also go to my co-supervisor, Dr Helen 'I\·eharne, who kindly 
supported me in tllis work. 
I am also very grateful to my friend Dr Zhe Xia for all his help and assistance. 
My love and appreciation go to my parents for their continuous encouragement 
and endless support. 
I am forever indebted to my brother without whom I would never be at this stage 
of my life. It is to him that I dedicate this thesis. 
1 
Abstract 
Formal methods are mathematically based languages for producing verifiabie, 
consistent and 1nore reliable formal specifications which leads to the construction 
of trustworthy and maintainable computer programs. 
1\IIost formaln1ethods can be classified as state-based or event-based formal meth-
ods. State-based formal1nethods, such as the B-1\IIethod, are capable of describing 
data aspects of the system but they are not able to describe behavioural aspects 
or concurrency. On the other hand, by using event-based fonnal1nethods, such 
as CSP, we are not able to describe data aspects of the system which results in 
difficulty to describe systems which contain state transitions. Over the years, the 
idea of combining state and event based formal n1ethods has been proposed in 
order to design systems in which both data and behavioural aspects are described. 
The idea of creating a combination of state and event based fonnal methods which 
is able to describe mobility and dynamic patterns has also been raised in formal 
1nethod integration. This additional functionality is suitable for modelling agent 
systems or peer-to-peer networks where consideration of mobility is important. 
CSP II B is a combination of CSP and B in which CSP processes are used as 
control executives forB machines. This architecture enables a B machine and its 
controller to interact and com1ntmicate with each other while working in parallel. 
The architecture has focused on sequential CSP processes as dedicated controllers 
for B machines. 
This thesis introduces Mobile CSP II B, a forn1al fran1ework based on CSP II B 
which enables us to specify and verify concurrent systems with mobile architec-
ture as well as the previous static architecture. In Mobile CSP II B, a parallel 
combination of CSP processes act as the controller for the B machines and these B 
machines can be transferred between CSP processes during the system execution. 
3 
Chapter 1 
Introduction 
In this chapter, we present the motivations for the development of our work. 
In addition, the technical background of this· thesis is reviewed in section 1.2. 
Furthermore, we discuss the objectives of our work in section 1.3. Finally, an 
overview of this document is presented in section 1.4. 
1.1 Motivation 
As our lives get more dependent on con1puters, the need for better quality soft-
ware increases. Computers with high quality software are better able in satisfying 
the user requirements. There have ｡ｬｷ｡ｹｾ＠ been problems in software development 
such as: long development thnes, higher cost than originally calculated and in-
ability to meet all the user needs. The more complex a progran1 is, the more 
errors may occur in progranuning. Programmers claim that most of the pro-
gramming time is taken up by debugging and 1nore often, removing an error will 
cause other new errors. 
One significant reason that software does not work properly is that the user re-
quirements may not have been clearly explained or understood before producing 
the software. This is why we need specification as the first step before writing a 
program. Specifying a system1neans that we provide a concise as well as correct 
description for the required system. A specification defines the system in a precise 
way. It describes what the progrmn should do and how it is expected to behave. 
The success in developing a correct program begins with an unambiguous, consis-
tent and con1plete specification. Specifications which use mathematical notations 
are called formal specifications. Formal methods are mathematically based lan-
guages for producing formal specifications. Their available software tools can be 
5 
6 CHAPTER 1. INTRODUCTION 
then used to check the specified systems. As a result, formal methods are able 
to produce verifiable, consistent and more reliable specifications which leads to 
construct trustworthy and 1naintainable computer programs. 
There are a variety of formal 1nethods used for fonnal specification and verifica-
tion of systems. Most of these forn1al methods can be classified as state-based or 
event-based formal methods. State-based fonnal n1ethods, such as VDM (Vienna 
Development Method) [38, 10, 53, 48), Z [65, 52] and the B-Method (57, 73, 41), 
focus on data aspects of systems. They are concerned with describing the state 
of the systems and a number of operations describe state transitions in the sys-
tem. Event-based formal methods are concerned with behavioural aspects of 
the systems. They describe the events happened in the syste1n, without being 
concerned with the state transitions. A1nong the event-based fonnal methods 
are CCS (Calculus of Communicating Systems) (49, 28], 1r-calculus [55] and CSP 
(Com1nunicating Sequential Processes) [56, 36] which are all process algebras (or 
process calculus). Process algebras are mathematical formalisms used to model 
concurrent systems. 
Despite the advantages 1nentioned above, using a single kind of formal method is 
not capable to cover all program1ners' desires. Each formal1nethod is designed 
to describe some specific aspects of systems. State-based formal methods are 
capable to describe data aspects of the system but they are not able to describe 
behavioural aspects or concurrency. On the other hand, by using event-based 
formal methods, we are not able to describe data aspects of the system which 
results difficulty to describe syste1ns which contain state transitions. 
Over the years, the idea of combining fonnal methods has been raised in order 
to describe systems with 1nore aspects. Following frmn this idea, combining 
state and event based formaltnethods has been created in software development. 
The main result of this idea is to create a reliable ai1d consistent 1nodel for 
concurrent, complex and critical systmns. System designers are interested to 
design 1nore accurate systems and this combination enables the creation of a 
fonnal system description concerning both data and behavioural aspects. There 
have been some attempts in combining state and event based formal methods in 
a system description which go some way to realising the potential of integrating 
fonnal methods in system development. Some combined languages have already 
been proposed in formaltnethods integration. However, most of forn1al methods 
integration efforts are concentrated on combining Z or Object-Z [62] with process 
algebras. Some of these are ZCCS, CSP-OZ, Object-Z/CSP and Circus. There 
have been some attempts in combining the B-lVIethod with process algebras such 
as: CSP2B, ProB and CSP II B. 
The idea of creating a combination of state and event based formal methods which 
is able to describe mobility and dynamic patterns has also been raised in formal 
1.2. TECHNICAL BACKGROUND 7 
1nethods integration. This additional functionality is suitable for 1nodelling agent 
systems or peer-to-peer networks where consideration of 1nobility is hnportant. 
This idea appears in two fonnal r:n:ethods integration approaches: PiOZ and 1f I B. 
As 1r-calculus is natural for expressing mobile structures, both approaches use 1f-
calculus in their architecture. All approaches above except for CSP II B are 
described further in Chapter 5. CSP II B will be described in detail later in this 
chapter. 
In addition to formal methods integrations, some other approaches have also 
been created for describing and n1odeling concurrency or both concurrency and 
state transitions. Some of these approaches are Input/Output Automata [45], 
1/Iazurkiewicz traces [46), event structures [51] and vector languages [60, 59, 61]. 
Also, RAISE [35] is a formal method created for describing both data and be-
havioural aspects of the systems especially concurrent systems. 
This thesis introduces lvfobile CSP II B, a· new combination between the B-
Nlethod and CSP which is used for specification and verification of mobile com-
bined communicating syste1ns. 
1.2 Technical Background 
This section is the technical background to our work. We first present a brief 
description of the B-Method and CSP. We then explain in detail the CSP II B 
framework and we review all the previous achievements in this work. 
1.2.1 The B-Method 
The B-Method was invented by Jean-Raymond Abrial who also invented the 
Z notation. It is based on the smne principles as the Z notation plus guarded 
com1nands and refine1nent. B is capable to be applied for modelling safety critical 
systems. By using the existing B tools, it is possible to prove and ensure the 
required safety properties in the syste1n. The usage of B has been raised in 
industry and academic envirmunents. It is believed as a suitable formal1nethod 
for specifying and verifying rail transport systems and has been used in the Paris 
Ivletro Line 14, Meteor project [15], the first driverless metro in the city of Paris. 
In this project, the B-:Nlethod has been used to develop the safety critical software 
of the automatic pilots. 
The B-Method has also been used in s1nart cards applications. BSmart [23) is a 
tool based on the B-:Nlethod to develop Java Card [21] applications (applications 
run on smart cards are written in the Java programming language). In BSmart, 
the user is able to produce the abstract B specification and the refinement of the 
8 CHAPTER 1. INTRODUCTION 
card services. BSmart is then able to automatically generate the Java Card code 
frmn the B refine1nent. 
The B-Method is a state-based fonnal method which produces reliable and consis-
tent progra1n code in 3 stages: abstract specification, refine1nent and implemen-
tation. In the B-Method, specifications are presented as a mathematical1nodel 
called abstTact machines . The method uses a state-based formal specification 
language called Abstract Machine Notation (AMN) as a common language in all 
three steps. An abstract machine describes the state of the systmn in terms of 
mathematical notations such as: sets, relations, functions and sequences. The 
local state information of the machine is presented by its variables. All of the 
machine's variables are introduced in the VARIABLES clause. All the informa-
tion about the variables such as their types, their relationships with each other 
and any restrictions on their possible values is presented in the INVARIANT 
clause. It describes the properties of the variables which the machine must always 
maintain during the execution. 
An abstract 1nachine also consists of operations which change the state of the 
system. The operations of a B 1nachine are introduced in the OPERATIONS 
clause. Each operation has a precondition or guard. Pre-conditioned operations 
have the form PRE P THEN S END, where P is the precondition and S is 
the body of the operation. A precondition represents a predicate on the state of 
the 1nachine which should hold when the operation is executed in order t·o ensure 
that the operation behaves as what it is expected to behave. A pre-conditioned 
operation is able to be executed when its precondition is not satisfied, but there 
will not be any guarantees about the resulting execution. Guarded operations 
have the form SELECT G THEN REND, where G is a guard and R is the 
body of the operation. A guard is a predicate on the state of the 1nachine which 
must hold in order to enable the operation to be executed. A guarded operation 
is not able to be executed when its guard is not satisfied. 
An abstract machine consists of the INITIALISATION clause which represents 
the initial state of the machine before its operations are executed. It contains 
some assignments in which all variables are assigned some value initially. 
If E is an A:NIN state1nent and Q is a predicate, the notation [ E] Q denotes all 
conditions which must be true when executing E to guarantee to achieve a post 
condition in which Q is true. As (E] Q contains all preconditions which guarantee 
to achieve Q when executing E, it is called the weakest precondition for E 
to achieve Q. The weakest precondition for E to achieve Q is also written as: 
wp(E, Q). 
If S and T are two AMN statements, then sequential composition S; T is a 
statement in which S is executed first and if S terminates, then T is executed 
from the resulting state. In this case, the final state of S; T is the state that T 
1.2. TECHNICAL BACKGROUND 9 
reaches after execution. If S does not terminate, then S; T does not tenninate 
and T will not be executed. The weakest precondition for S; T to achieve the 
post condition Q is calculated as: wp(S; T, Q) = wp(S, wp(T, Q)). 
The machine we aTe working with should be internally consistent. It must be con-
sistent in its initial state and also in all possible states it achieves after executing 
its operations. To ensure the initial consistency of the machine,, the INITIALI-
SATION clause T must establish the invariant J. In other words, [T]I must be 
true. In addition, for any pre-conditioned or guarded operations which are called 
inside their precondition or guard ｲ･ｳｰ･｣ｴｩｶ･ｾｹＬ＠ the state reached after their exe-
cution must always establish the invariant J. In other words, I 1\ P * [S)I and 
I 1\ G =} [ R] I must always be true for any pre-conditioned or guarded operations 
respectively. 
Refinements are the intermediate stage of a program development process from 
abstract specification machine to implementation. A refinement is a n1achine 
which is more concrete than the original abstract specification. Refinement is a 
technique that is repeated several times to refine the previous machine. In each 
step of refinement, we make the previous machine less abstract and more close 
to hnplementation 1nachine. However, all properties of the abstract machine are 
preserved by a refinen1ent. 
The B software developn1ent process is terminated at implementation. An im-
plementation is a 1nachine, derived frmn the refinement stage, from which the 
program code can be generated. 
The B-1\IIethod is a formal method supported by many comprehensive tools de-
scribed below: 
• B-Toolkit 
B-Toolkit [2] provides the facilities smne of which are described below: 
- Editor: to enter the 1nachine definition 
- Syntax checking 
- Type checking 
- Animation: A way to check if the machine behaves in accordance with 
what the user wants and expects frmn the syste1n 
- Ability to generate proof of internal consistency obligations in a ma-
chine - part of these proof obligations are automatically proven and 
the remaining can be proved by the user 
- Creation of refinement and proof of the correctness of the refinement 
- Creation of implementation 
- Automatic code generation inC 
10 CHAPTER 1. INTRODUCTION 
• ProB 
Some of the facilities provided by ProB [7, 42, 43] are listed below: 
- Interactive or fully automatic graphical animation 
- Analysing 
- Deadlock checking 
• Atelier B 
Atelier B [1] provides the facilities some of which are listed below: 
- Syntax analysing 
- Type checking 
- Generating proof obligations- automatically proving part of proof obli-
gations - interactive prover allows user to prove the remaining proof 
obligations 
- Automatic code generation in C or Ada 
Exa1nple: Student Debtors 
In this chapter, we use a simple example to demonstrate the difference in speci-
fying a system in B, CSP and CSP II B. The Student Debtors example is about 
a nmnber of students in a university who have borrowed student loan from the 
university during their study and they have now finished their study and are 
going to graduate. Each student can only graduate after the loan has been fully 
paid up. The system clears the students' debt and certifies the1n as graduates. 
The B specification of the Student Debtors syste1n is shown in Figure 1.1. The 
student number of all debtors is given to the system by the set StudentNumber. 
The set graduate contains the student nmnber of those who have paid up their 
loan and have now been certified as graduates. The set loan contains the student 
number of those who have not paid up their loan yet. Operation settle is used to 
clear a student's debt. It receives the student number of a student and removes 
the number frmn the debtor's list. Operation graduation is used to certify a 
student as a graduate. It receives the student number of a student and adds the 
number to the graduates list. Initially no debtor has paid up his or her loan. As 
a result, all students are in debt at the beginning of the system execution and 
none has yet been certified as a graduate. 
1.2.2 CSP (Communicating Sequential Processes) 
CSP was originally developed by C. A. R. Hoare as a concurrent pro.gramming 
language. However, the original version has been widely developed since then 
1.2. TECHNICAL BACKGROUND 
MACHINE StudentDebtors 
SETS StudentNumber 
11 ARIABLES loan, graduate 
INVARIANT ｬｯ｡ｮｾ＠ StudentNumber & 
gTaduate ｾ＠ StudentNumbeT & 
loan n gTaduate = {} 
INITIALISATION loan := StudentNumber II 
gTaduate : = {} 
OPERATIONS 
settle (number) ｾ＠
PRE 
number E loan 
THEN 
loan := loan - {number} 
END; 
gTaduation (number) ｾ＠
PRE 
numbeT E StudentNumber - loan 
THEN 
graduate := graduate U {number} 
END 
END 
Figure 1.1: B specification of Student Debtors system 
11 
and it is still a research interest subject for increasing its capability of describing 
concurrent systems. 
CSP is a theoretical notation or language for specifying and verifying concurrent 
systems. Concurrent systems are known as complex systems whose program1ning 
and analysing has been always an ilnportant issue in software development. CSP 
provides a framework for describing and analysing interacting aspects of concur-
rent systems. Concurrent systems consist of interacting components known as 
processes. Each process works independently and may interact with its environ-
ment and other processes in the syste1n. A process performs various events which 
describe its behaviour. CSP is an event-based formal language for designing and 
analysing a system behaviour by events happened in the system. 
The simplest process in CSP is STOP, a process which does nothing. Process 
12 CHAPTER 1. INTRODUCTION 
SKIP is a process which does nothing but it indicates successful termination. 
If P is a process and a is an event, then the prefixing expression a ｾ＠ P is a 
process which can perform the event a and then behave like the process P. 
Recm·sion can be defined in CSP specifications. To describe a process which runs 
forever, we can use a recursive definition. For instance, in a recursive definition 
P = a ---+ P, the process P can perform the event a repeatedly. It is also possible 
to define a collection of processes by mutual recursion. For instance, we can 
define a mutual recursive definition as described below: 
In this definition, the process P can perform the event a and then behave like 
the process Q. Also, the process Q can perfon11 the event b and then behave like 
the process P. 
In CSP, two operators, external choice and internal choice can be used to pro-
vide a choice between a number of processes in the system. An external choice 
expression P D Q is a process which is ready to behave either like P or Q. In 
external choice, the process whose first event is offered first by the environment 
will be chosen to be executed. An internal choice expression P n Q is also a 
process which is ready to behave either like P or Q, but the environment has 
no control over the choice. It is a non-deterministic choice made by the process 
p n Q internally. 
The hiding operator \ can be used to make some events internal to a process. If 
P is a process and A is a set of events, then P \ A is process P in which the 
events in A become internal. 
In CSP, processes are able to pass messages to each other by using channels. A 
channel can carry values of a special type. If cis a channel which can carry values 
of type T, then c?x ｾ＠ P(x) is a process which can input any value x of type 
T along channel c and then behave like the process P ( x). c! v ｾ＠ P is a process 
which can output v along channel c and then behave like the process P. If a 
process inputs or outputs a value t along channel c, it corresponds to performing 
the event c. t. The set of all events associated with channel c is denoted by {I c I}. 
In other words: {I c I}= { c.t I t E T}. 
A trace tr of a process P is a finite sequence of events which P is able to perform. 
The set of all possible traces of process P is denoted by traces ( P). The set I; is 
denoted as the universal set of all possible events. 
If S ( tr) is a predicate on tr and P is a process, then P satisfies S ( tr) if S ( tr) 
holds for all traces tr of P. This is denoted by P sat S ( tr). In other words: 
P sat S(tr) = V tr E traces(P) • S(tr). 
1.2. TECHNICAL BACKGROUND 13 
A divergence of a process P is a sequence of events tr after which P can do 
an infinite sequence of internal events. The set of all possible divergences of a 
process P is denoted by V[PD . 
A pair ( tr, X) is a stable failure of a process P if P can perform trace tr and 
then reaches a stable state in which it refuses all events in X. In this case, the 
set X is called a refusal of process P. The set of all possible stable failures of a 
process P is denoted by SF[PD. 
A failure of a process P is a pair ( t1·, X) in which either tr is a divergence of P 
or ( tr, X) is a stable failure of P. As a result, if a process P is divergence free 
then all failures of P are the stable failures of P . The set of all possible failures 
of a process P is denoted by F[PD or failuTes(P). 
For any two processes P and Q, ifV[P] = V[QD and F[P] = F[QD, then P and 
Q are said to be equivalent in the failures/divergences model which is denoted 
byP=FvQ. 
For any two processes P and Q, if failuTes( Q) ｾ＠ failures(P) and traces( Q) ｾ＠
tTaces(P), then Q is said to be a failure refine1nent of P which is denoted by 
P ｾｆ＠ Q. It 1neans that all behaviour Q can do, P is able to do. 
Processes can interact with each other by working in parallel. The parallel combi-
nation of processes means that they execute concurrently and should synchronise 
on the common events. Processes may work in parallel with each other in two 
different ways: Alphabetized paTallel and Interface parallel. 
A set of all possible events that a process is able to perform is called the interface 
of that process. If the interfaces of processes P and Q are A and B respectively, 
then an Alphabetized parallel combination of the two processes is denoted by 
P A II B Q. In this cmnbination, P and Q must synchronise on the events in the 
intersection of A and B. 
An Interface parallel combination of two processes P and Q is denoted by P II Q. 
A 
In this combination, the two processes synchronise only on the events in the 
interface A. 
Processes may execute concurrently in the systen1 without synchronisation on 
cmn1non events. In this concurrent execution, processes do not interact with 
each other and each process execute independently. This combination is called 
Interleaving. The interleaving of two processes P and Q is denoted by P Ill Q. 
Parallel combinations can result in deadlock in concurrent systems. Deadlock 
state is a situation in which no 1nore event is able to be executed next in the 
system. As processes l11l1St synchronise on the common events, a situation may 
occur in which each process is only able to do one or n1ore conunon events but 
some of other processes in the syste1n are not able to execute any of those common 
14 CHAPTER 1. INTRODUCTION 
events at that point. Therefore the deadlock state is the state in which the 
execution of the system is blocked. 
CSP is supported by software tools described below: 
• ProBE(Process Behaviour Explorer) 
ｐｾﾷｯｂｅ＠ [5] is an anin1ator for CSP 1nodels. It is used to explore the be-
haviour of the CSP processes and their interaction with other processes in 
the systmn. While a process is executing, in each stage, ProBE displays 
the trace of events which have happened until that stage. It also displays 
the possible events which can happen next and the user can select one to 
perfonn next. 
• FDR(Failures-Divergence Refine1nent) 
FDR [5] is known as a 1nodel and refinement checker. It offers automatic 
analysis of the CSP processes and also it permits autmnatic refinement 
checking between the processes. FDR provides the opportunity to prove 
safety and liveness properties in the system by checking divergence, dead-
lock, trace refinen1ent, and failures refine1nent. 
• ProB 
In ｡ｾ､ｩｴｩｯｮ＠ to being a B software tool, ProB also accepts CSP specifications 
and can be used as a CSP tool. It can be used for animation and for checking 
the deadlock freedom of a CSP specification. However, deadlock freedmn 
can be checked for a limited nun1ber of executions which can be chosen by 
the user. In addition, ProB is ·not able to check the divergence freedom of 
the CSP specifications. 
CSP has been applied to various industrial applications such as an industrial ver-
ification project for the International Space Station (ISS) [16, 17]. In this project 
deadlock freedom and divergence freedom of a fault-tolerant data management 
systern used by the ISS has been verified by using CSP specifications and the 
CSP tool FDR. 
CSP has also been used to design and verify the sectuity protocols such as the 
Needham-Schroeder public-key protocol [44]. The protocol contains an initiator 
A and a responder B which communicate with each other over an insecure network 
in which an attacker can intercept all messages going between A and B and even 
inject false messages between them. In [44], the protocol is first specified in 
CSP. Then, FDR is used to check the sectu·ity of the protocol and to correct the 
protocol in order to ensure that no intruder can attack the protocol. 
Exa1nple: Student Debtors 
The CSP specification of the Student Debtors system is shown in Figure 1.2. The 
student number of all debtors is given to the system by the set StudentNumber. 
1.2. TECHNICAL BACKGROUND 
StudentNumber = {1, ... , 100} 
channel in : StudentNumber 
channel settle, graduation 
P = in?no ｾ＠ settle ｾ＠ graduation ｾ＠ P 
Figure 1.2: CSP specification of Student Debtors system 
15 
After receiving a student number, the system first clears the student's debt and 
then certifies the student as a graduate. 
1.2.3 Combining CSP and the B-Method 
Using CSP and the B-Method together gives us the ability to describe and analyse 
a computer system in a better way because they are each good for different views 
of the system. As a result, it is worthwhile using a combination of CSP and B 
in formal development of cmnputer systmns to achieve different aspects of the 
system description. 
Combining CSP and B specifications is an approach which has been achieved in 
order to use both advantages of these two formal methods in system development. 
By using CSP, we will be able to control the behaviour and the execution order 
of B machines' operations. Up to now, there have been several approaches in 
combining CSP and the B-Tvlethod such as: CSP2B, ProBand CSP II B. Both 
CSP2B and ProB are described in detail in Chapter 5. 
1.2.4 CSP II B 
In [70], TI·eharne and Sclmeider introduce CSP II B, a parallel combination be-
tween CSP and B in which a CSP process is used as a control executive for a 
B 1nachine. Each operation in B machine corresponds to a channel with the 
same name in the body of CSP controller. For each B machine's operation 
bb ｾ＠ op( aa) there is a channel op in the body of the CSP controller which 
carries data types the smne as the types of aa and bb. This provides the means 
for CSP controller and its controlled B machine to synchronise with each other 
and also to com1ntmicate with each other while working in parallel. The architec-
ture of the parallel combination of a B machine and its controller is illustrated in 
Figure (3. For each B operation, there is one channel between the CSP controller 
and the B 1nachine. This architecture enables the CSP controller to interact and 
communicate with its controlled B machine through these channels. A B 1nachine 
and its controller can send or receive values frmn each other through these chan-
nels. For instance, the CSP controller sends the value of aa to the B machine 
16 CHAPTER 1. INTRODUCTION 
and receives the B machine's output, bb, through channel op. This means that in 
addition to control the execution order of the B operations, CSP controller and 
B machine can communicate with each other and they can exchange data and 
infonnation through these channels while working in parallel in the syste1n. 
In general the CSP controller, LOOP, is defined by a family of processes S(p) as 
below: 
ｌｏｏｐｾ＠ S(O) 
S(O) ｾ＠ Ro 
S(n) ｾ＠ Rn 
where each Rp is a CSP process expression in which S(p)s may subsequently be 
reached. 
________ _t ___ j ________  
CSP 
B 
ｾ＠
Figure 1.3: Architecture of a B 1nachine in parallel with a CSP controller 
After developing a CSP control executive for a particular B 1nachine, the next 
step is to ensure that this control executive is suitable for the B n1achine. It is 
a suitable control executive if we can prove that the controller is consistent with 
its controlled B machine. 
Operations in a B machine can be pre-conditioned or guarded. If an operation 
is called when its precondition or guard is true, it will behave as described by 
the operation body. On the other hand, if an operation is called outside its 
precondition, it 1nay execute but there are no guarantees about the resulting 
execution. This is 1nodelled as a divergence. If an operation is called when its 
guard is false, it will not execute. If all the next possible operations are the 
1.2. TECHNICAL BACKGROUND 17 
operations whose guard is false, it is m.odelled as a deadlock. l\IIore information 
and details about divergence and deadlock of a B machine is discussed in Chapter 
3. 
A CSP process is a suitable execution controller for a B machine if it does not 
call any B operation outside its precondition, and at each stage, the guard of at 
least one of the operations enabled by the controller 1nust be true. Thus, in order 
to prove the consistency of a CSP control executive and its controlled B machine, 
we need to prove that the combined system is divergence free and deadlock free. 
[70) introduces a technique to prove the divergence freedom in a combined system 
containing a recursive (non-terminating) CSP process as the controller and a B 
machine which contains only pre-conditioned operations. In this technique, a 
control loop invariant, CLI, is used in order to ensure consistency in the system. 
A theorem is presented in [70) which states that if a CLI can be found with the 
following two conditions, then the system is divergence free. Firstly, CLI should 
be true at the beginning of the system execution after initialisation of the B 
machine. Secondly, CLI must be established at every recursive call. 
Continuing on from this achieve1nent, Treharne and Schneider [58) provide a 
theorem to prove deadlock freedom in the above system. Their theorem is based 
on the fact that the system should have .already been proved to be divergence 
free. This theorem states that if the CSP controller is non-discriminating on all 
operations of its controlled B machine, which n1eans that whenever it calls an 
operation of the B machine it is able to accept any output from the B machine, 
and the B machine is open on its all operations, in other words it is non-blocking, 
then if CSP controller is deadlock free then the whole system is deadlock free. 
The definitions of non-discriminating and open are as follows in [58): 
Definition 1. A CSP process P is non-discriminating on a set of partial events 
PE if for any failure (t?·, X) E SF[P] and subset CV ｾ＠ PE, we have that 
(V c.v E cv. 3 w. c.v.w EX)=} (t7·, Xu {I cv I}) E SF[P] 
Definition 2. A process Q is open on a set of partial events PE if given any 
(tr,X) E SF[Q] and e E PE, there is some w such that e.w ¢:.X. 
In large and complex systems, we usually need abstraction in order to make the 
system considerably simplified and 1nore understanding. Abstraction can happen 
in the system by hiding the control channels, which are the channels correspond-
ing to B operations. In (58], a theore1n is provided to establish divergence freedom 
in these kind of abstract systems. This theorem states that if the original com-
bined system is divergence free, then the divergence freedom of the combined 
system with hidden control channels will be resulted following by the divergence 
freedom of the CSP controller whose control channels are hidden. 
18 CHAPTER 1. INTRODUCTION 
All the previous methods for establishing consistency have been focused on a 
parallel combination of a single CSP controller and a single B machine which 
contains only pre-conditioned operations. However, the systems we are generally 
concerned with are a collection of parallel cmnbinations which interact with each 
other. These kind of systems have the forn1 of IIi (Pi II Mi), in which each Pi 
is a CSP controller for B machine Mi. (69) proposes an architecture for sys-
tems containing cmnbined cmnponents. This architecture is illustrated in Figure 
1.4. In this architecture, each B machine interacts only with its CSP controller. 
CSP controllers interact with each other and with environment on separate chan-
nels excluding the control channels. In (58, 69), Treharne and Schneider provide 
theorems to prove the divergence freedom and deadlock freedmn of parallel com-
binations of controlled cmnponents in which the B machines contain only pre-
conditioned operations. They prove that if each Pi II Mi is ､ｩｶ･ｲｾ･ｮ｣･＠ free, then 
the whole combined syste1n, IIi (Pi II Mi), is divergence free. Also, if the whole 
cmnbined syste1n is divergence free, to establish the overall deadlock freedom, it is 
sufficient to check that the parallel combination of controllers, IIi Pi, is deadlock 
free. 
CSP 
B 
Figure 1.4: Architecture of parallel con1bination of controlled cmnponents 
In (68), Treharne and Schneider introduce a condition which is sufficient to estab-
lish deadlock freedmn for a non-terminating CSP process controlling a B n1achine 
which contains only guarded operations. This condition states that for each pro-
cess expression Rp of the controller LOOP if the B machine invariant and CLI 
hold before the body of Rp is executed, then for all traces of Rp which are before 
a rectu·sive call the state reached after that trace establishes the guard of at least 
one of the next possible operations. A theore1n is proved in [68) which states that 
if this condition holds for the body of LOOP, then the parallel combination is 
deadlock free. 
1.2. TECHNICAL BACKGROUND 19 
The condition above was for a recursive (non-terminating) CSP controller. [68] 
also discusses about checking deadlock freedom of the combination of a CSP con-
troller containing STOP with a B machine containing only guarded operations. 
It provides a way to show that whenever the trace reached at the stage in which 
STOP is the next event, this blocking is acceptable and it does not mean the 
deadlock we consider. In other words, reaching the event STOP means that the 
CSP process has been successfully tenninated. [68] uses a new event called block 
which is situated before STOP in the body of the CSP controller. This new event 
corresponds to a new guarded operation block in the B machine which does noth-
ing but skip. Whenever the CSP process reaches the event block, termination 
is acceptable at this stage. By using this technique, deadlock is unacceptable at 
any point of the execution but only at the point in which event block is the next 
event. A condition is introduced in [68) which is sufficient to establish deadlock 
freedom. This condition states that for each process expression Rp of the con-
troller LOOP if the B machine invariant and CLI hold before the body of Rp is 
executed, then for all traces of Rp which are before a recursive call and do not 
contain block and cannot be followed by block, the state reached after that trace 
establishes a guard of at least one of the next possible operations. A theorem is 
proved in [68] which states that if this condition holds for the body of LOOP, · 
then the parallel cmnbination is deadlock free. 
In [27], Evans, Schneider and Treharne present the usage of CSP II B approach in 
developing distributed systems. They use CSP II B combination for developing 
a file transmission protocol. The protocol controls the transfer of data files from 
a sender to a receiver over a mediu1n. The medium is unreliable and it has the 
potential to lose the files. The sender accepts different files from the external 
environment and then sends the files to the receiver over the 1nedium. The 
protocol has been modelled in CSP II B in such a way that the sender and the 
receiver are each a pair of a CSP controller and its controlled B machine. The 
medium is modelled as a CSP process. Therefore, the whole system is the parallel 
combination of the two combined components and the medium. After designing 
the protocol in CSP II B architecture, the system has been checked for divergence 
freedom and deadlock fi·eedmn. Divergence freedom verification in this system 
n1eans to establish that whenever the sender is to send a file, there must always 
be smne unsent files to send to the receiver. Deadlo"ck freedmn verification 1neans 
to establish that while three parts of the system (the sender, the n1edium and 
the receiver) are working in parallel, the execution of the systmn will never be 
blocked. 
CSP II B framework has recently been used successfully in specifying and verify-
ing a large complex system with a mixtm·e of distributed and embedded systems. 
In [22), a platoon of Cristal vehicles has been specified based on CSP II B archi-
tecture and then the consistency of the systen1 has been ensured and established 
20 CHAPTER 1. INTRODUCTION 
by using the theorems provided in CSP II B approach for consistency verification. 
A platoon is a set of Oris tal vehicles which n1ove following the path of the leader 
in a row. Each Cristal vehicle is designed as two combined cmnponents: engine 
1nachine in parallel with engine controller, and driving system machine in parallel 
with driving system controller. The divergence freedmn and deadlock freedom of 
the parallel cmnbination of these two cmnbined components has been successfully 
established by using the theorems. This results the consistency of each Cristal in 
the system. With each Cristal, a CSP process Net is associated which receives 
information frmn the CSP part of that Cristal and then sends it to the CSP part 
of the following Cristal. In other words, each process Net in the system is a CSP 
process which does not have any machine and it communicates and synchronises 
with other CSP processes in the system. Therefore, the whole platoon is the 
parallel combination of all the Cristals and all the processes Nets. By using the 
theorems, the divergence freedom and deadlock freedom of the whole platoon has 
been successfully verified and established. 
Recently, a translater tool has been introduced in (71] which automatically trans-
lates an xUML model into CSP II B. The intention is that the generated CSP II B 
specification can then be checked and verified for divergence freedom and dead-
lock freedom. The tool is able to take an xUML model as an input and then to 
generate and output a CSP II B specification. It generates machine readable B 
machines and CSP controllers. So, the generated B and CSP specifications can 
then be separately checked by the B and CSP software tools for internal consis-
tency and then we can use the theorems for establishing the divergence freedmn 
and deadlock freedom of the whole system. At the time of writing this thesis, 
the specification of smne B machines generated by the translator may not be 
completed and the user needs to complete their specification. 
Example: Student Debtors 
To specify the Student Debtors syste1n in CSP II B, the B machine should be 
specified as described before in Section 1.2.1. The CSP controller DEBTORS 
should be specified as shown in Figure 1.5. The student number of all debtors 
is given to the systen1 by the set StudentNumber. \iVhenever the system receives 
a student nmnber, if the received student number belongs to one of the debtors, 
then the system first clears the student's debt and then certifies the student as 
a graduate. Otherwise, the system does not do anything and it will be ready to 
receive another student number. 
To verify the syste1n divergence freedom, we assign the control loop invariant for 
P(S) as below: 
CLI: S =loan 
This CLI holds at the beginning for S = StudentNumber and at every recursive 
1.3. OBJECTIVES 
StudentNumber = {1, ... , 100} 
channel in : StudentNumber 
channel settle : StudentNumbe'l· 
channel graduation : StudentNumbe7· 
P(S) = in?no --7 if no E S 
then settle!no --7 graduation I no --7 P(S- {no}) 
else P(S) 
DEBTORS = P(StudentNumber) 
Figure 1.5: CSP controller of Student Debtors system 
21 
call. In other words, all the student numbers in S are always all the debtors of 
the system. So, the parallel combination is divergence free. 
The CSP controller DEBTORS is non-discrhninating as there is no output from 
the B machine. Also, it is established to be deadlock free by using FDR. In 
addition, the B machine is open as it contains only pre-conditioned operations 
with no blocking statement in. their body. Therefore, the parallel combination is 
deadlock free. 
The parallel combination is divergence free and deadlock free, thus the system is 
consistent. 
1.3 Objectives 
Previous CSP II B research has not covered the consistency verification of all 
possible kinds of systems which we can design in accordance with the CSP II B 
architecture. For instance, deadlock freed01n verification of the whole combined 
systen1 has been focused on the syste1ns whose B machines contain only pre-
conditioned operations. Having B machines containing guarded operations, we 
are only able to check the deadlock freedmn of the parallel c01nbination between 
each B machine and its controller. In addition, there has been no consideration of 
a system whose B 1nachines contain both pre-conditioned and guarded operations. 
This thesis aims to c01nplete the consistency verification in CSP II B. We provide 
theorems and techniques to establish the consistency of parallel combinations 
of controlled components containing any kinds of B machine operations. This 
includes the systems in which each B 1nachine can contain both pre-conditioned 
and guarded operations. 
22 CHAPTER 1. INTRODUCTION 
In CSP II B, each CSP process can be the control executive of only one B machine 
and each B machine has only one CSP process as its controller. The architecture 
has focused on sequential CSP processes as dedicated controllers forB 1nachines. 
The main objective of this thesis is to generalise CSP II B architecttu·e in design-
ing a new fran1ework which enables us to describe and verify syste1ns in which 
a parallel combination of CSP processes are the controller of B machines and 
each single B 1nachine can be controlled by different CSP processes during the 
execution. 
Our work begins with providing a new architecture in which a single CSP process 
can be the control executive of one or n1ore B machines. We then extend our 
approach to design a system which contains parallel combination of several CSP 
controllers each controlling several B 1nachines. 
In order to let CSP processes work with different B 1nachines during the execu-
tion, we have introduced 1nobility in our new architecture which means that a 
parallel combination of CSP processes is the control executive of the B machines 
and these B 1nachines can be transferred between CSP processes during the sys-
tem execution. In other words, each CSP process can receive a 1nachine or give a 
1nachine to another CSP process during the execution. This new mobile architec-
ture is shown in Figure 1.6. An example of these kinds of systems is peer-to-peer 
networks in which data (B 1nachines) can be transferred between the connected 
nodes ( CSP controllers). 
P1 cp12 P2 cp23 P3 
M1 M2 M3 M4 
Figure 1.6: :Mobile CSP II B architecture 
The following step is the consistency verification. We first prove a theorem for es-
tablishing divergence freedom of the parallel combination between each controller 
and its controlled B machines. This includes the machines it owns initially and 
the machines it receives frmn other controllers during the execution. We then 
provide theorems in order to establish divergence freedom and deadlock freedom 
1.4. THESIS OUTLINE 23 
of the whole mobile systen1 containing several CSP controllers each controlling 
several B machines. 
The final contribution of thif3 thesis is a case study which de1nonstrates all our 
achievements in developing an example of a peer-to-peer network. 
In sum1nary, by the end of this document, we intend to have provided a formal 
framework based on GSP II B which enables us to specify and verify concurrent 
systems with 1nobile architecture as well as the previous static architecture. 
1.4 Thesis Outline 
In Chapter 2, we present new techniques and theorems proved during this research 
for consistency verification of the systems that have not been covered before in 
static GSP II B. 
Iviobile GSP II B is introduced in Chapter 3. We start this chapter by describing 
how we are able to define CSP semantics for a B machine which then results 
in the fact that a B machine can be seen as a CSP process. The rmnainder of 
tllis chapter presents our Mobile GSP II B framework. We describe how CSP 
controllers can be combined and communicate with each other in the system and 
how they can exchange B machines during the system execution. In addition, 
we provide theorems which are sufficient to establish the divergence freedom and 
deadlock freedmn of the 1nobile combined comn1unicating syste1ns. 
Chapter 4, presents a flight tickets sale system: a case study on Iviobile CSP II B 
architecture. First, we describe the system and present its B and CSP speci-
fications. Then, we describe the consistency verification strategy by using the 
theorems and wp technique, introduced in Chapter 3. 
A comparison with other related works is given in Chapter 5. 
Finally, conclusions and ideas for future research are presented in Chapter 6. 
Chapter 2 
New results for CSP II B 
This chapter presents new results in consistency verification of CSP II B specifi-
cations. All techniques and theorems for establishing consistency in the CSP II B 
approach have been focused on systems in which B machines contain only pre-
conditioned operations, or a parallel combination of a single CSP process con-
trolling a single B 1nachine which contains only guarded operations. However, 
we would like to be able to check consistency in all possible kinds of combined 
systems involving both guards and preconditions. 
In this chapter, we present new techniques and theorems proved during this re-
search in order to check the consistency of syste1n configurations that have not 
been covered before. First, we present two theormns to establish that in an indi-
vidual CSP II B controlled component containing any kind of B machine opera- . 
tions, hiding the CSP events which are not B machine operations does not affect 
the deadlock properties of the parallel combination. Next, we present theorems 
for establishing deadlock freedmn of systmns which contain parallel combinations 
of controlled cmnponents containing any kind of B machine operations. Finally, 
we introduce theorems and techniques in order to establish consistency of a single 
CSP process controlling a single B 1nachine containing both pre-conditioned and 
guarded operations. 
2.1 Deadlock freedom and hiding communication 
channels 
In this section, we consider a parallel con1bination of a CSP controller and its 
controlled B machine. We also consider the same parallel combination where 
25 
26 CHAPTER 2. NEHT RESULTS FOR CSP II B 
the communication channels of the CSP controller are hidden. By providing two 
theorems, we prove that deadlock freedmn of either of these parallel combinations 
implies the deadlock freedom of the other parallel combination. 
Theore1n 1. Supposing P is a CSP controller for B machine M, and A ｾ＠
(a(P)- a(l\II)) . If (P \A) II !vi is deadlock j1·ee, then P II !vi is deadlock free. 
Proof. The two parallel combinations are shown in Figures 2.1 and 2.2. We prove 
this theorem by contradiction: 
\¥e assume that P II lv! has a deadlock. 
Then 3 tr E traces(P II 111) • (tr, a(P)) is a failure of P II !vi 
So, according to CSP semantics of hiding: (tr \A, a(P \A)) is a failure of 
(P lllvi) \A 
But An a(111) = 0 =} (P II !vi)\ A= (P \A) II !vi 
So, (tr \A, a(P \A)) is a failure of (P \A) II !vi 
So, (P \A) 11 M has a deadlock. 
We obtain a contradiction, thus establishing the theore1n. 
P\A 
p 
M 
p 
M 
Figure 2.1: P II :rvr · Figure 2.2: (P\ A) II :rvr 
0 
Theormn 2. Supposing P is a CSP controller fo1· B machine M, and A ｾ＠
(a( P) - a( M)). If P II M is deadlock free, then ( P \ A) II lv! is deadlock free. 
Proof. The two parallel cmnbinations are shown in Figures 2.1 and 2.2 (these are 
the same Figures as used in Theorem 1). ·y...re prove this theorem by contradiction: 
We assume that ( P \ A) 11 111 has a deadlock. 
2.2. DEADLOCK FREEDOlvf OF Tv\10 COlviBINED CO!viPONENTS 
Then 3 tr' E traces((P \A)' 11111) • (tr', a(P \A)) is a failure of (P \A) II M 
V tr' E traces((P \A) 11111) 3 tr E traces(P II M) • tr' = tr \A 
So, (tr \A, a(P \A)) is a failure of (P \A) II M 
But An a(M) = 0 ==> (P II M) \A = (P \A) II !vi 
So, (tr \A, a(P \A)) is a failure of (P II M) \A 
So, according to CSP semantics of hiding: ( tr, a( P)) is a failure of P II M 
So, P II M has a deadlock. 
We obtain a contradiction, thus establishing the theorem. 
2.2 Deadlock freedom of two combined components 
27 
D 
In this section, we present three different conditions each in the context of a 
theore1n for deadlock freedom verification of a system containing two combined 
components. If any of these three conditions is satisfied in a system containing 
two combined components, then the system is ensured to be deadlock free. 
Theore1n 3. Supposing P 1 is a CSP controller forB machine ｍｾＬ＠ and P2 is a 
CSP controller forB machine lv/2. If (Pt lllvft) and (P2 II M2) are deadlock free, 
and #(a(Pt) n a(P2)) = 1, then (Pt II Mt) II (P2 II M2) is deadlock free. 
P1 c P2 
M1 M2 
Figure 2.3: Parallel combinations with one common event between two controllers 
Proof. The systen1 is shown in Figure 2.3. We prove this theorem by contradic-
tion: 
28 CHAPTER 2. NEVI RESULTS FOR CSP II B 
VIe assmne that (P1 IIIVI1) II (P2 II M2) is not deadlock free. So: 
3 tr E traces((P1 lllllh) II (P2 II M2)) • (tr, E) E failures((Pl II M1) 1l (P2 II M2)) 
We asstnne cis the common event between P1 and P2. So: a(P1) n a(P2) = { c} 
tr1 = tr t a(P1) 
tr2 = tr t a(P2) 
tr3 = tr I a(lkli) 
tT'4 = tr I a(..ik£2) 
( tr1, X1) E failures ( P1) 
(tr2, X2) E failures(P2) 
(tr3, X3) E failures(MI) 
(tr4, X4) E jailures(M2) 
X1 u x2 u X3 u X4 = E (1) 
xl u x3 is what pl II Ml refuses. pl II Ml is deadlock free. So: 
3 a E (a(P1) U a(M1)) • a tj_ (X1 U X3) 
We consider each of these possibilities in turn: 
1. If a is not event c : 
a E a(P1) } 
a(PI) n a(P2) = { c} ======> a (j. a(P2) ======> a (j. X2 
(a (j. a(P2)) 1\ (a(lVh) ｾ＠ a(P2)) ======>a rf. a(M2) ======>a (j. X4 
(a (j. X2) 1\ (a (j. X4) => a (j. (X2 U X4) 
(a tj_ (X2 U X4)) 1\ (a tj_ (X1 U X3)) ======>a rf_ (.X1 U X2 U X3 U X4) 
(art (X1 u X2 u X3 u X4)) 1\ (a E E)=> (X1 u X2 u X3 u X4) =1= :E 
This contradicts (1). So it contradicts the fact that (P1 II M1) II (P2 II M2) has 
deadlock. 
2. If a is event c : 
(c E a(P1)) 1\ (a(P1) n a(M2) = 0) => c tJ_ a(IVI2) ==::::> c tJ_ X4 
(c rf_ (X1 U X3)) 1\ (c (j. XlJ) ======> c (j. (X1 U X3 U X4) 
(crt (X1 u X3 u X4)) A (X1 u X2 u X3 u X4 =E)======> c E X2 
2.2. DEADLOCK FREEDOl\II OF TWO COlviBINED 001\IIPONENTS 29 
On the other hand, x2 u x4 is what p2 II lv12 refuses. p2 II M2 is deadlock free. 
So: 3 b E (a:(P2) U a:(l\lh)) • b (j (X2 U X4) 
c E x2 } · b 
b (j ( x2 u X4) => i= c 
(bE a:(P2)) 1\ (b-/= c)=> bE (a:(P2)- {c}) 
Similar to what have been proved for a in section 1, we can achieve the same 
result for b: 
b fl. (XI U X2 U X3 U X4) => (XI U X2 U X3 U X4) -/= E 
This result also contradicts (1). So, it contradicts the fact that (PI II MI) II (P2 II 
M2) has deadlock. 
In both cases we obtain a contradiction, thus establishing the theormn. D 
Theore1n 4. Supposing PI is a CSP controller for B machine M11 P2 is a CSP 
controller for B machine l\if2, (PI II Nh) and (P2 II M2) are deadlock free, and 
theTe is only one common channel between PI and P2. If at least one of the CSP 
controlleTs is non-discriminating on the channel common to PI and P2, then 
(PI IIJvii) II (P2 IIJvi2) is deadlock free. 
PI c.T P2 
M1 M2 
Figure 2.4: Parallel combinations with one common channel between two con-
trollers 
Pmof. The system is shown in Figure 2.4. We assume cis the common channel 
between PI and P2, and P2 is non-discriminating on channel c. According to 
[58], if P2 is non-discriminating on channel c, it 1neans that at any stage of the 
execution, P2 can either refuse all events in {I c I} or none of them (Definition 1, 
page 17). We prove this theorem by contradiction: 
30 CHAPTER 2. NEW RESULTS FOR CSP II B 
We asstnne that (P1 II M1) II (P2 II M2) is not deadlock free. So: 
:3t'l· E traces((P1 II M1) II (P2 II lVh)) • ＨｴｲＬｾＩ＠ Ejailures((PliiiVIr) II (P2II M2)) 
tr1 = tr ｾ＠ a(P1) 
tr2 = t'l· ｾ＠ a(P2) 
tr3 = t1· t a(M1) 
t'14 = tr t a(M2) 
( tr1, X1) E jailuTeS ( P1) 
(tT2, X2) E jailures(P2) 
(tT3, X3) E failu?·es(Ml) 
(tr4, X4) E failuTes(lVh) 
Without loss of generality X1, X2, Xg, X4 are maximal refusals 1\ 
xl u Xg is what pl II Ml refuses. pl II lVfr is deadlock free. So: 
:3 a E (a(P1) U a(M1)) • a (j. (X1 U X3) 
We consider each of these possibilities in turn: 
1. u a (j. {I c I} : 
a E a(PI) ====? a (j. a(P2) ====? a (j. X2 
(a (j. a(P2)) 1\ (a(IVI2) ｾ＠ a(P2)) ====?a (j. a(M2) ====?a (j. X4 
(a (j. X2) 1\ (a (j. Xtl) ====? a (j. (X2 U X4) 
(a (j. (X2 U X4)) 1\ (a (j. (X1 U X3)) =}a (j. (X1 U X2 U X3 U Xl1) 
(a (j. (XI U X2 U X3 U X4)) 1\ (a E ｾＩ］ＪＨｘｉ＠ U X2 U X3 U X4)-:/= ｾ＠
This contradicts (1). So it contradicts the fact that (P1 II MI) II (P2 II lltf2) has 
deadlock. 
2. If a E {I c I} : 
We assume T is the type of channel c. So: 3 v E T • a = c. v 
(c.v E a(P1)) .1\ (a(PI) n a(M2) = 0) =:::} c.v rj a(M2) ====} c.v rj X4 
(c.v (j. (X1 U X3)) 1\ (c.v (j. X4) =* c.v (j. (XI U X3 U X4) 
(c.v (j. (X1 u X3 u X4)) 1\ (XI u X2 u Xg u X4 = ｾＩ＠ =* c.v E X2 
2.2. DEADLOCK FREEDOIYI OF TliVO COlviBINED COlviPONENTS 31 
On the other hand, x2 u x4 is what p2 II M2 refuses. p2 II M2 is deadlock free. 
So: 3 bE (a(P2) U a(N/2)) • b rf. (X2 U X4) 
c.v E x2 
P2 is non - discriminating on c 
b rf. x2 
x2 is the maximal refusal of p2 
(b rf. a(P1)) 1\ (a(NI1) ｾ＠ a(PI)) ===? b rf. a(M1) ===? b rf. X3 
(b rf. x1 A b rf. X3) ===? b rJ x1 u x3 
(b rf. (X2 U X4)) 1\ (b rf. (X1 U X3)) ===? b rf. (XI U X2 U X3 U X4) 
(b rf. (XI U X2 U X3 U X4)) 1\ (bE I;) ===? (XI U X2 U X3 U X4) =/=I; 
This result also contradicts (1). So, it contradicts the fact that (PI II NI1) II (P2 II 
Nh) has deadlock. 
In both cases we obtain a contradiction, thus establishing the theore1n. D 
Theore1n 5. Supposing P1 is a CSP controller forB machine Nh, P2 is a CSP 
controller for B machine JVI2, and (P1 II M1) and (P2 II 111!2) are deadlock free. 
If one of the CSP controllers is open on the channels common to P1 and P2, 
and the other controller is non-discriminating on the common channels, then 
(P1 II Nit) II (P2 II M2) is deadlock free. 
P1 P2 
M1 M2 
Figure 2.5: Parallel combinations with 1nore than one common channels between 
two controllers 
32 CHAPTER 2. NEW RESULTS FOR CSP II B 
Proof. The system is shown in Figure 2.5. We assume P2 is open on the channels 
com1non to PI and P2, and PI is non-discriminating on the common channels. 
According to [58], if P2 is open on a channel, it means that at any stage of the 
execution, at least one of the events associated with that channel is not refused 
by P2 (Definition 2, page 17). We prove this theorem by contradiction: 
We assume that (PI II MI) II (P2 II N/2) is not deadlock free. So: 
3 tr E traces((PI II lvh) II (P2 llll//2)) • (t?·, ｾＩ＠ E failures((PI II MI) II (P2 II M2)) 
t?·I = tr I a(PI) 
tr2 = tr I a(P2) 
tr3 = tr t a( 1\di) 
tr4 = tr t a(M2) 
( tri, XI) E failures (PI) 
(tr2, X2) E failures(P2) 
( tr3, X3) E failures ( MI) 
( tr4, X4) E failures(M2) 
Without loss of generality XI, x2, x3, x4 are maximal refusals 1\ 
XI u x3 is what PI II NII refuses. PI II MI is deadlock free. So: 
3 a E (a(PI) U a(MI)) • a fj (XI U X3) 
We consider each of these possibilities in ttu·n: 
1. If a rj. (a(PI) n a(P2)) : 
a E a(PI) ==> a fj a(P2) ==> a fj X2 
(a rj. a(P2)) 1\ (a(M2) ｾ＠ a(P2)) ===>a rj. a(M2) ===>a rj. X4 
(a rj. X2) 1\ (a rj. X4) ==>a fj (X2 U X4) 
(a fj (X2 U X4)) 1\ (a fj (XI U X3)) ==>a rj. (XI U X2 U X3 U X4) 
(a rj. (XI U X2 U X3 U X4)) 1\ (a E ｾＩ］］］＾Ｈｘｉ＠ U X2 U X3 U X4) =f- L: 
This contradicts (1). So, it contradicts the fact that (PI [I Nh) II (P2 II M2) has 
deadlock. 
2.3. DEADLOCK FREEDONI OF THE HTHOLE SYSTENI 33 
2. If a E (a(Pl) n a(P2)) : 
It follows that a = c. v such that c is one of the com1non channels between PI 
and P2 , and Tis the type of channel c. 
( c.v E a( PI)) 1\ (a( PI) n a(M2) = 0) ===} c.v (j a(l\lh) ===} c.v (j X4 
(c.v (j (XI U X3)) 1\ (c.v rf_ X4) ===} c.v (j (XI U X3 U X4) 
( c.v r;. (XI u X3 u X4)) 1\ (X1 u X2 u X3 u X4 = ｾＩ＠ ===} c.v E x2 
On the other hand, P2 is open on channel c. So: 3 w E T • c.w (j X2 (2) 
c.w rf. a(l\1!2) ===} c.w (j x4 (3) 
c.w (j a(M1) ===} c.w (j X3 (4) 
c.v rt. x1 } 
P1 is non- discriminating on channel c ===}{I c I} rf. x1 ===* c.w (j x1 (5) 
X1 is the maximal refusal of P1 
(2), (3), (4), (5) ===* c.w rf. (X1 u x2 u x3 u X4) 
(c.w rf. (X1 U X2 U X3 U X4)) 1\ (c.w E ｾＩ＠ ===} (X1 U X2 U X3 U X4) f= ｾ＠
This result also contradicts (1). So, it contradicts the fact that (P1 II M1) II (P2 II 
Jv/2) has deadlock. 
In both cases we obtain a contradiction, thus establishing the theorem. 0 
2.3 Deadlock freedom of the whole system 
In this section, we present some conditions in the context of a theorem which 
guarantee the deadlock freedmn of the whole cmnbined communicating system. 
If these conditions are satisfied in a systmn containing parallel combinations of 
controlled components, then the system is ensured to be deadlock free. 
In the following theoren1, synchronisation is restricted under particular condi-
tions. Condition 3 states that it should not be more than one synchronisation 
event that a pair of controlled components shares with the rest of the system. 
34 CHAPTER 2. NEW RESULTS FOR CSP II B 
Theoretn 6. If a system can be divided into n different parts (n ｾ＠ 2), each called 
si (1 ｾ＠ i ｾ＠ n), such that: 
1. Each Si contains at most two CSP controllers and their controlled B ma-
chines. 
then the system is deadlock free. 
Proof. An example of a systmn divided into n different parts is shown in Figure 
2.6. Y..,Te prove this theorem by contradiction: 
V\Te assume that the syste1n, SYS, is not deadlock free. 
So: :3 tr E traces(SYS) • (tr, ｾＩ＠ E failures(SYS) 
We introduce tn, tr2, ... , trn, X1, X2, ... , Xn as described below: 
t1·1 = tr I a(S1) 
t1·2 = tr f a(S2) 
trn = tr f a(Sn) 
( tr1, X1) E failures(Sl) 
(tr2, X2) E failures(S2) 
Without loss of generality V 1 ｾ＠ i ｾ＠ n • Xi is the maximal refusal of Si 1\ 
Xi is what Si refuses. Si is deadlock free. So: 3 a E a(Si) • a rJ_ Xi 
We consider each of these possibilities in turn: 
｡ｾ＠ uxk 
k¥=i 
a¢ xi 
2.4. CONSISTENCY OF A lviiXED M1tCHINE AND ITS CONTROLLER 35 
This contradicts (1). So it contradicts the fact that the syste1n has deadlock. 
2. If a E (aSi n (a81 U aS2 U ... U aSi-1 U aSi+l U aSi+2 U ... U aSn)): 
So, 3j f= i • (a E (aSi n aSj) 1\ a E Xj) 
Sj is deadlock free. So: 3 b E aSj • b tj. Xj 
(a E Xj) 1\ (b (j Xj) ==> b f= a 
#(aSi n ( U aSk)) ｾ＠ 1 ) 
k;fj 
(aS· n aS.) ={a} ==> b (j U aSk ==> b (j U Xk J t k.J.. k.J.. b =I= a -rJ -rJ 
b tj. u xk } n n 
k=Ai ==> b tJ. U xk ==> U xk t= ｾ＠
b tj. Xj k=l k=l 
This result also contradicts (1). So, it contradicts the fact that the system has 
deadlock. 
In both cases we obtain a contradiction, thus establishing the theorem. 0 
S1 
ｾ＠ｾｾ＠
82 53 
ｾｾ＠
ｾｾｲｨｬｊｾ＠
Figure 2.6: Parallel combinations of controlled components divided into pairs 
2.4 Consistency of a mixed machine and its controller 
As we described before in Chapter 1, an operation in a B machine is either 
pre-conditioned or guarded. Pre-conditioned operations have the form PRE S 
THEN TEND, where Sis the precondition and Tis the body of the operation. 
A pre-conditioned operation is able to be executed when its precondition is not 
satisfied, but there will not be any guarantees about the resulting execution. 
Guarded operations have the form SELECT G THEN REND, where G is a 
36 CHAPTER 2. NEW RESULTS FOR CSP II B 
guard and R is the body of the operation. A guarded operation is not able to be 
executed when its guard is not satisfied. 
In this section, we present our proof strategy in order to establish divergence 
freedom and deadlock freedom of a parallel cmnbination between a CSP controller 
P and a 1nixed B n1achine NI. A mixed B machine is a B machine which contains 
both pre-conditioned and guarded operations. For instance, a 1nixed machine NI 
containing two pre-conditioned operations and two guarded operations can be 
specified as below: 
l\IIACHINE M 
OPERATIONS 
a= PRE p(a) THEN body( a) END; 
b =PRE p(b) THEN body(b) END; 
c =SELECT g(c) THEN body(c) END; 
d =SELECT g(d) THEN body(d) END 
END 
where: 
p (a): precondition of operation a 
body( a): body of operation a 
p( b): precondition of operation b 
body( b): body of operation b 
g( c): guard of operation c 
body( c): body of operation c 
g(d): guard of operation d 
body( d): body of operation d 
Assuming a system containing NI (described above) as the B machine and a CSP 
process P as the CSP controller, P II Jr.![ is shown in Figure 2.7. 
In our proof strategy, we change guarded operations of the mixed B 1nachine 
to pre-conditioned operations and we introduce a new machine which then the 
divergence freedom of the original system results frmn the divergence freedom of 
the new system. For deadlock freedom verification, we drop the precondition of 
the pre-conditioned operations in the 1nixed B machine and we introduce a new 
1nachine which then the deadlock freedom of the original system results from the 
deadlock freedom of the new system. 
2.4.1 Divergence freedom 
If we change any guarded operation SELECT G THEN R END in a mixed B ma-
chine M to pre-conditioned operation PRE TRUE THEN IF G THEN REND END, 
2.4. CONSISTENCY OF A !\!fiXED lviACI-IINE AND ITS CONTROLLER 37 
.. 
p 
a b c d 
M 
Figlu·e 2.7: P II M 
we will have a new·machine M1 which has only pre-conditioned operations. For 
instance, if we assume the 1nixed B machine M as described above, 1nachine lvft 
will be specified as below: 
MACHINE M1 
OPERATIONS 
a= PRE p(a) THEN body( a) END; 
b =PRE p(b) THEN body(b) END; 
c = PRE TRUE THEN 
IF g(c) THEN body(c) 
END 
END; 
d = PRE TRUE THEN 
IF g(d) THEN body(d) 
END 
END 
END 
In fact, we add a precondition TRUE to the guarded operations and we also 
change the guarded statement SELECT to the statement IF. The reason of 
changing the statement SELECT to IF is because SELECT is not allowed to be 
used in the body of B machine operations in CSP II B. This is explained more in 
Chapter 3. Precondition TRUE is always correct, so new operations will always 
be called inside their precondition and they cannot make any divergence in B 
n1achine M1 . The re1nainder of this section presents the steps towards proving 
38 CHAPTER 2. NEW RESULTS FOR CSP II B 
that the divergences of M is a subset of the divergences of M1 which then enables 
us to establish the divergence freedmn of P II !vi by establishing the divergence 
freedom of P II 1111. 
Lmn1na 1. lftr is a finite sequence of opm·ations, then wp(tr, Q)M1 :=;. wp(tr, Q)M, 
where wp(tr, Q)Ath and wp(tr, Q)M represent the weakest precondition for tr to 
achieve post condition Q according to the specifications of the operations in 1111 
and M respectively. 
Proof. We prove this le1nma by using the Principle of Induction on tr. 
Base case : tr = () 
This case is easily proved as wp( (), Q)M1 = wp( (), Q)M = Q 
Inductive case : ( op) '""' tr' 
Assume Inductive Hypothesis for tr'. tr' is a finite sequence of operations and 
op is an operation. There are two possibilities for op: 
Situation 1 : op is a pre-conditioned operation in M 
1 wp( ( op) r-. tr', Q)Jvh = 
wp((op), wp(tr', Q)M1 )M1 
2 wp(tr', Q)lvh ==? wp(tr', Q)M 
3 wp ( ( op) , wp ( tr', Q) lvh ) lvh ==? 
wp((op), wp(tr', Q)M)M1 
4 wp ( ( op) '""' tr', Q) Jvh ==? 
wp ( ( op), wp ( tr', Q) M) lvh 
5 wp((op), wp(tr', Q)M)M1 = 
wp((op), wp(tr', Q)M )M 
6 wp ( ( op) '""' tr', Q) Jvh ==? 
wp((op), wp(tr', Q)M)M 
7 wp((op) r-. tr', Q)M1 ==> 
wp( ( op) r-. tr', Q)M 
wp in 1111 
Induction assumption 
2 
1, 3 
op in M is the same as op in M1 
4, 5 
6 
2.4. CONSISTENCY OF A 1\IIIXED !viACHINE AND ITS CONTROLLER 39 
Situation 2 : op is a guarded operation in M 
We assume op = SELECT G THEN R END in !vi. Therefore, 
op =PRE TRUE THEN IF G THEN R END END in M1. 
1 wp((op) r'\ tr', Q).A,h = wp((op), wp(tr', Q)lvh)M1 wp in M1 
2 wp(tr', Q)M1 =? ｷｰＨｴ＿ｾＧＬ＠ Q)M Induction assumption 
3 wp((op), wp(tr', Q)MJM1 =? 2 
wp( (op), wp(tr', Q)M )M1 
4 wp((op) r'\ tr', Q)M1 =? wp((op), wp(tr', Q)M)M1 1, 3 
5 wp((op), wp(tr', Q)M)M1 = op in lvh 
wp(IF G THEN R END,wp(tT1 , Q)M) 
6 wp((op), wp(tr', Q)M)M1 = 5 
G =? wp ( R, wp ( tr', Q) M) 1\ -. G =? wp ( tr', Q) M 
7 Wp ( ( Op), Wp ( tT1, Q) M) M1 =} 6 
G =? wp(R, wp(tT', Q)M) 
8 wp((op) """'tr', Q)M1 =? 4, 7 
G =? wp(R, wp(tr', Q)M) 
9 wp((op) """'tr', Q)M = wp((op), wp(tr', Q)M)M wp in M 
10 wp((op) r'\ t'l'', Q)M = 9, op in M 
G =? wp(R, wp(tr', Q)M) 
11 wp((op)"""' tr', Q)M1 =? wp((op) """'tr', Q)M 8, 10 
Since we have proved the Base case and the Inductive case, it establishes the 
lemma. 
The corollary below follows immediately from Lemma 1 using true for Q. 
Corollary 1. If tr is a finite sequence of opeTations, then: 
wp(t'l', true)lvh =? wp(tr, true)M 
D 
40 CHAPTER 2. NEW RESULTS FOR CSP II B 
Now, we are able to present the next lmnma stating that the divergences of M is 
a subset of the divergences of lvh. 
Proof. We introduce tr as an arbitrary sequence of operations. 
wp(init; tr, true)lvh = wp(init, wp(tr, true)MJ (1) 
Corollary 1 ==::} (wp(init,wp(tr,true)MJ => wp(init; wp(tr,true)M)) (2) 
wp(init; wp(tr, true)M) = wp(init; k, true)M (3) 
(2), (3) ==::} (wp(init,wp(tr,true)MJ => wp(init; tr,true)M) (4) 
(1), (4) ==::} (wp(init; tr, true)M1 => wp(init; tr, true)M) 
Up to now, we have proved that if tr is not a divergence of M1 , then it is not a 
divergence of M. This result implies the fact that if tr is a divergence of M, then 
it is also a divergence of M1. In other words: 
-, wp(init; tr, true)M => • wp(init; tr, true)Mi 
But, we introduced tr as an arbitrary sequence of operations. Therefore: 
V tr • (tr E V[MD => tr E 1J[Md) 
Thus: V[.l\IID ｾ＠ V[.l\IItD 
The next corollary follows from Lemma 2. 
Corollary 2. 1J[P II M] ｾ＠ V[P II MtD 
The next theorem follows ilnmediately from Corollary 2. 
0 
Theore1n 7. Supposing Pis a CSP controller fm· a mixed B machine M. (P II M) 
is divergence free if (P II Mt) is divergence free, where Mt is the same B machine 
as M except any guarded operation SELECT G THEN R END in M is changed 
to PRE TRUE THEN IF G THEN REND END in Mt. 
[70] has already proved a theorem to establish the divergence freedom of a par-
allel con1bination between a CSP controller and its controlled B machine which 
contains only pre-conditioned operations. By using this theorem, if (P II Mt) is 
established to be divergence free, then (P II 1\II) is also divergence free. 
2.4. CONSISTENCY OF A 1\lfiXED 1\lfACHINE AND ITS CONTROLLER 41 
2.4.2 Deadlock freedom 
Om· proof of deadlock freedom is based on that ( P II M) is divergence free. 
This condition ensures that the system is always in the stable state during the 
execution. If (P II M) is not divergence free, there is no point to check dead-
lock freedmn because there is no guarantee about its behaviour after reaching 
divergent state and it always may have deadlock after the divergent state. 
If an operation contains precondition, whatever the precondition is, it will execute 
whenever it is called even if its precondition is not satisfied. If we change any 
pre-conditioned operation PRE S THEN T END in a mixed B machine M to 
guarded operation SELECT TRUE THEN TEND, we will have a new machine, 
Jv12, which has only guarded operations. For instance, if we assume the mixed 
B machine M as described at the beginning of Section 2.4, 1nachine M2 will be 
specified as below: 
IVIACHINE M2 
OPERATIONS 
a= SELECT TRUE THEN body( a) END; 
b =SELECT TRUE THEN body(b) END; 
c =SELECT g(c) THEN body(c) END; 
d =SELECT g(d) THEN body(d) END 
END 
The new guarded operations in ｾＯＱＱＱＲ＠ contain the guard TRUE and we know there 
is no guar'ded statement in the body of operations in B machines (see Chapter 
3 for more information). Therefore, these new guarded operations are always 
accepted by 1\12 and they can never be refused for execution. The rest of the 
operations are not changed, so their acceptance or refusal is the same in lv1 and 
M2. Thus, we obtain the following corollary: 
Corollary 3. If (P II M) is diveTgence fTee, then (P II M) =pn (P II M2) 
The next theorem follows im1nediately from Corollary 3. 
ｾｨ･ｯｲ･Ｑｮ＠ 8. Supposing P is a CSP controller for a mixed B machine M and 
(P II M) is divergence free. (P II !vi) is deadlock free if (P II M2) is deadlock free, 
where M2 is the same B machine as M except any pre-conditioned operation PRE 
S THEN TEND in M is changed to SELECT TRUE THEN TEND in 1\112 • 
[68] has already proved a theorem to establish deadlock freedom of a parallel 
con1bination between a CSP controller and its controlled B machine which con-
42 CHAPTER 2. NEW RESULTS FOR CSP II B 
tains only guarded operations. By using this theorem, we can check the deadlock 
freedmn of (P 11 M2) and the result is the same for (P II M). 
2.5 Discussion 
CSP 11 B is among the method integrations in which the consistency verification 
of the combined specification is considered and some verification strategies had 
already been proved expressing the conditions required for divergence freedmn 
and deadlock freedom of the systems specified in CSP II B architecture. However, 
the consistency verification efforts did not cover all possible kinds of systems 
which can be specified in CSP II B. The previous theorems and techniques had 
provided the conditions which ensure the consistency of a single CSP process 
controlling a single B 1nachine which contains only pre-conditioned operations, 
or the whole combined com1nunicating syste1n in which the B 1nachines contain 
only pre-conditioned operations, or systems containing a parallel cmnbination of 
a single CSP process controlling a single B machine which contains only guarded 
operations. 
In this chapter, we extended the consistency verification in CSP 11 B and suc-
cessfully provided new theorems which express the conditions which must hold 
to ensure the consistency of the systems which had not been covered before. Sec-
tion 2.4 presents theorems and techniques to establish the consistency of a parallel 
con1bination between a CSP controller and its controlled B machine which con-
tains both pre-conditioned and guarded operations. This section in addition to 
the other two theorems which had already been proved for consistency verifica-
tion of single controlled components now enable us to check the consistency of 
all possible kinds of single controlled components in a combined communicating 
syste1n. F\nthermore, in this chapter we provided conditions which must hold 
to establish the deadlock freedmn of the whole cmnbined communicating system. 
The previous deadlock freedom verification of the whole system had only provided 
the conditions required for establishing deadlock freedom for the whole systmn 
in which B machines contain only pre-conditioned operations which is extremely 
straightforward. 
We believe the significant advantage of our work in this chapter is that the theo-
rmns we provided for consistency verification of systems containing two or more 
combined cmnponents do not depend on the kind of operations in B machines. 
The previous work for proving the consistency of the whole syste1n. was based 
on the fact that the operations in all B 1nachines are only pre-conditioned. The 
theorems we proved in this chapter can be used for the systems containing all 
possible kinds of B machines: B machines with pre-conditioned operations, or B 
machines with guarded operations, or even B machines with both pre-conditioned 
2.5. DISCUSSION 43 
and guarded operations. In our verification strategy provided in this chapter, the 
kind of B machine operations are only in1portant in proving the consistency of 
each combined component separately, which with our work in section 2.4 we 
are now able to prove it for all kinds of B machine operations in a combined 
component. To establish the dea:dlock freedom of the whole system, there is no 
restriction in the kind of B machine operations in the system. 
In consistency proof of the whole systen1, we need to prove the consistency of each 
individual combined component separately. If a parallel combination of a con-
troller and its controlled B 1nachine in a large system has already been proved to 
be deadlock free, then if we abstract this large system by hiding some of the com-
munication channels of that combined cmnponent, then according to Theorem 2 
it is guaranteed that the new fonn of the combined component is also deadlock 
free. Therefore, we do not need to check the deadlock freedmn of the new form 
of combined cmnponent again. On the other hand, Theorem 1 is helpful in the 
opposite way: when a system has been abstracted and then we need to have some 
or all of con1munication channels of a controller visible in the syste1n. In this case, 
if the abstract version of the cmnbined cmnponent has already been established 
to be deadlock free, then we do not need to check the deadlock freedom of the 
same combined component when its com1nunication channels are now visible. In 
addition, in a large system with several nun1bers of channels between controllers, 
if a controller contains lots of communication channels, then it is much easier to 
check the deadlock freedom of the parallel combination between that controller 
and its controlled B machine in an abstracted version when the cmnmunication 
channels are hidden. Then according to Theoren1 1, the result is true for the 
original version. 
To conclude this chapter, we presented theorems and techniques to provide the 
conditions which can establish the consistency of the systems containing all pos-
sible kinds of B n1achine operations in GSP II B architecture. Our achievmnents 
besides previous works enable us to check and verify the consistency of any sys-
tem specified in GSP II B. The theorems we provided in this chapter can also be 
applied in consistency verification of any futtu·e approaches which are based on 
the parallel combination of CSP and Event-B [4). 
Chapter 3 
Mobile CSP II B 
This chapter presents the Mobile CSP II B framework. We start this chapter by 
giving a detailed discussion about Morgan's CSP semantics for action systems 
which allows a B machine to be considered as a CSP process which then enables B 
machines and CSP processes to work in parallel with each other in a system. We 
then prove some lemmas detecting when divergence can happen in a B 1nachine 
during the execution. 
Section 3.2 provides an introduction to the structure of Mobile CSP II B. In 
sections 3.3 and 3.4, we define how a B machine and a CSP controller is developed 
in our mobile architecture respectively. Section 3.5 describes the whole mobile 
cmnbined communicating system. In this section, we explain how CSP controllers 
can work in parallel, com1nunicate with each other and exchange their owned B 
1nachines dm·ing the system execution. Section 3.6 presents a proof strategy 
containing lemmas and corollaries which lead to prove a theore1n for establishing 
the divergence freedom of the parallel combination between a controller and the 
machines it works with during the execution. The next two sections provide 
the theorems to establish the divergence freedmn and deadlock freedom in the 
whole mobile combined communicating systmn. In Section 3.9, we provide some 
proofs to establish that a refinement of a component can be used instead of the 
component in the systen1 and the substitution does not have any effect on the 
system consistency properties. Finally, Section 3.10 presents a summary and 
some final considerations. 
45 
46 CHAPTER 3. lviOBILE CSP II B 
3.1 CSP semantics of 8 machines 
In (50], Morgan presents a semantic link between CSP and action systems. He 
introduces traces, failures and divergences semantics of CSP for action systems 
by using weakest precondition formulae. 
An action system consists of variables, an initialisation and a set of actions. An 
action G ｾ＠ com consists of a guard, G, and a command, com. The guard 
is a predicate and the cmnmand is a statement on the system's variables. An 
action is executed by executing its com1nand which can only happen if its guard 
holds. An action is called enabled if it is able to be executed. An action syste1n 
is represented by a pair (A, ini), where A is the set of actions and ini is the 
initialisation. 
The weakest precondition semantics for an action G ｾ＠ com to achieve the post-
condition a is given in (50] as follows: 
Definition 1. wp( G ｾ｣ｯｭＬ＠ ｡Ｉｾ＠ G =?- wp(com, a) 
Actions do not satisfy Dijkstra's Law of the Excluded Miracle (25]. In other 
words, they do not satisfy wp( G ｾ＠ com, false) =false. However, the cmnmand 
part com and the initialisation satisfy this law. 
(50] also introduces wp( com, a) which denotes the states in which it is possible 
that com establishes a. In other words, wp( com, a) denotes the states in which 
it is not certain that com will establish 1 a. The definition is as follows in (50]: 
Definition 2. For any command com and postcondition a: 
wp( com, a) ｾ＠ 1 wp( com, 1 a) 
If tr ｩｾ＠ a sequence of actions, then tr is the sequential composition of its elements, 
with() =skip. The weakest precondition for a sequence of actions tr to achieve a 
postcondition Q means the weakest precondition for the sequential composition 
of its elmnents to achieve the postcondition Q. In other words: 
wp(tr, Q) = wp(tr, Q). 
A trace of the action system (A, ini) is a finite sequence of actions. Supposing 
the set A* to be the set of all finite sequences of members of A, then the traces 
of the action system. is given in [50] as follows: 
Definition 3. The traces tr E A* of the action system (A, ini) are those for 
which wp ( ini; tr, true) is tr11,e. 
A pair ( t1·, R) is a failure of an action system if after execution of the sequence of 
actions t1·, the action system reaches a state in which none of the guards of the 
3.1. CSP SElviANTICS OF B lviACHINES 47 
actions in R holds. In this case, the set R is called a refusal of the action system. 
The failures of an action system are defined in (50] as follows: 
Definition 4. Supposing R ｾ＠ A and tr E A*. The fail'ures (tr, R) of the action 
system (A, ini} are those for which wp(ini; tr,---, gd(R)) is true, where gd{R} is 
the disjunction of the guards of the actions in R. 
Divergence happens in an action syste1n when an enabled action G ｾ＠ com is 
executed but the execution of its cmnmand does not terminate. As stated in [50), 
wp( com, true) implies termination of com. Therefore, divergence happens in an 
action system when an enabled action G ｾ＠ com is executed in a state where 
wp( com, true) is not true. The divergences of an action systmn are defined in [50) 
as follows: 
Definition 5. The divergences tr E A* of the action system (A, ini} are those 
for which wp(ini; tr,false) is true. 
Finally, [50] presents a theorem which states that an action system with traces, 
failures and divergences based on definitions 3, 4, 5 can be seen as a CSP process. 
Operations in a B machine can be understood as actions. A guarded oper-
ation SELECT G THEN R END can be understood as an action in which 
G is the guard and R is the com1nand. In other words, a guarded operation 
SELECT G THEN R END can be understood as the action G ｾ＠ R. A pre-
conditioned operation PRE P THEN S END can be understood as an action 
whose guard is the predicate true and command is PRE P THEN S END. In 
other words, a pre-conditioned operation PRE P THEN S END can be un-
derstood as the action true ｾ＠ PRE P THEN S END. As a pre-conditioned 
operation is understood as an action whose guard is always true, it is always an 
enabled action and can always be executed. As the command part com of actions 
and the initialisation must satisfy Dijkstra's Law of the Excluded Miracle, the 
body of B operations and the initialisation are not allowed to contain SELECT 
or ANY (or Let which is a special kind of ANY) statements. 
The explanations above yield that a B machine is an action system in which 
operations take the role of actions. Therefore, we are able to define CSP semantics 
of traces, failures and divergences for B machines. Thus, a B machine can be 
seen as a CSP process. This result makes it possible for B machines to work 
in parallel with CSP processes in a system. CSP II B is an approach based on 
this achievmnent. Morgan's work in (50) enables us to have a system which is a 
parallel combination of CSP processes and B machines. 
48 CHAPTER 3. lviOBILE CSP II B 
Now, we present the following corollary: 
Corollary 1. For a pre-conditioned opeTation PREP THEN SEND and post-
condition Q, 
wp(tTue ｾｐｒｅ＠ P THEN S END, Q) = wp(PRE P THEN SEND, Q) 
PToof. The equivalence above is made precise since according to Definition 1: 
wp(true ｾｐｒｅｐ＠ THEN SEND, Q) = tTue ==? wp(PRE P THEN SEND, Q) 
D 
In fact, we have established that in the weakest precondition formulas of 1\!Ior-
gan's CSP semantics for a B machine, we can use the pre-conditioned operation 
PREP THEN SEND instead of the action ｴｲｵ･ｾ＠ PREP THEN SEND. 
This is what we do from now on for all wp fonnulas we use. 
Lmnma 1. If init is the Initialisation clause of B machine M, then: 
Vtr E tTaces(IYI) • (wp(init; tr, true){:} tT tj. V[M]) 
Proof. This lemma is a result of Definition 5. 
1 wp(init; tT,false) {::} tr E 'D[M] Definition 5 
2 --, wp(init; tT, true){:} tT E 'D[M] 1, Definition 2 
3 wp(init; ｴｔＬｴｲｵ･ＩｻＺＺ＿ｴｲｾｖ｛ｬ｜Ｑ｝＠ 2 
D 
Le1n1na 2. The execution of guaTded opeTations can neveT cause any divergence 
in a B machine if theTe is no pTe statement in their body. 
Proof. We assume tT is a trace of B machine M and it is not a divergence. We 
also assume that op = SELECT G THEN R END is a guarded operation in IYI. 
Now we prove that tT" (op) also is not a divergence of M. 
3.1. CSP SElviANTICS OF B lviACHINES 49 
1 wp (in it; tr, true) Initial assumption, 
Lemma 1 
2 wp(SELECT G THEN REND, true)= ( G ==;.true) wp(R, true)= true 
3 wp(init; tr; SELECT G THEN REND, true)= 2 
wp( in it; tr, G ==;. true) 
4 wp(init; tr; SELECT G THEN REND, true)= 3 
wp( in it; tr, true) 
5 wp( in it; tr; SELECT G THEN R END, true) 4, 1 
6 wp( init; tr r"\ ( op), true) 5 
6, Lem1na 1 
D 
Len1.ma 3. If there is no p1·e statement in the body of pre-conditioned opera-
tions in a B machine, then divergence happens in this B machine when a pre-
conditioned operation is called outside its precondition. 
Proof. We assume tr is a trace of B 1nachine !vi and it is not a divergence. We 
also assume that op = PRE P THEN S END is a pre-conditioned operation in 
M. Now we prove that tr r"\ (op) is a divergence of M if P does not hold when 
the operation op is called. 
1 wp(PRE P THEN SEND, true)= P 1\ true wp(S, true) =true 
2 wp(PRE P THEN SEND, true)= P 1 
3 wp(init; tr; PREP THEN SEND, tTue) = 2 
wp(init; tr, P) 
4 wp(init; tr; PREP THEN SEND, true) <==> Lem1na 1 
trr"\(op) ｾｖ｛ｍ｝＠
5 wp(init; tr, P) <==> tr r"\ (op) Et V[lVl] 4, 3 
6 •wp(init; tr,P) <==> trr"\(op) E'D[M] 5 
50 CHAPTER 3. IviOBILE CSP II B 
This result shows that if P is not guaranteed when the operation op is called, 
then divergence happens in the B machine. Thus, divergence happens in M when 
an operation is called outside its pre-condition. 
D 
3.2 Mobile CSP II B 
In standard CSP II B, a controlled con1ponent consists of a CSP controller P in 
parallel with a B machine 111. Operations op with inputs s and outputs t are 
declared in ｭ｡｣ｨｨｾ･ｳ＠ M as t +--- op ( s) . In the cmnbination they are treated as 
CSP channels op.s.t. Standard CSP II B has a static architecture in which one B 
machine works in parallel with only one CSP controller and each CSP controller 
can be the controller of only one B machine. So, the behaviour of the parallel 
cmnbination is predictable as we have fixed controlled components during the 
system execution. 
In Mobile CSP II B, we intend to create a mobile architecture in which B ma-
chines are able to be transferred from one controller to another controller and 
each controller can work with more than one B machine at the san1e thne. As 
controllers can exchange B 1nachines between each other, B machines can have 
different controllers dm·ing their execution. 
For each B machine in the systmn, we introduce a unique 1nachine channel called 
machine Tejerence. CSP controllers use machine references as the link to interact 
with B machines. A machine reference is the only channel through which a CSP 
controller and a B machine can communicate with each other. As a result, a 
controller is only able to work with a machine if it owns that machine's reference. 
In other words, possession of a machine means having that machine's reference. 
This makes it clear that in order for 1nachines to be exchanged between con-
trollers, machine references 1nust be passed around between controllers in the 
syste1n. Therefore, when a machine is going to be passed from one controller 
to another, the sender controller passes that B machine's reference to the other 
controller, as illustrated on the right in Figm·e 3.1. It shows that B machine 
M1 is passed frmn CSP controller P1 to P2. The figure also shows the difference 
between Static CSP II B architecture and l\!Iobile CSP II B architecture. 
B machine lvf with machine reference z is presented in the systmn as z : M. Each 
variable n in M is replaced with z. n. All operations op in M are replaced with 
z.op. So, operation calls of the machine z : 111 correspond to the communication 
z.op.s.t, and the machine reference z can itself be passed between controllers. · 
3.2. 1\IIOBILE CSP II B 51 
Figure 3.1: Static CSPIIB architecture and Mobile CSPIIB architecture 
In order to pass machine references between controllers, we introduce special 
channels called control points on which machine references are passed around. 
When a n1achine is passed from one controller to another, the sender controller 
passes that B machine's reference to the other controller through the control 
point channel which exists between those two controllers. 
We require that only one CSP controller is in possession of z at any one thne, so 
that when z is passed frmn P1 to P2 then P 1 is no longer able to use z to call the 
operations of the 1nachine. This will be the cornerstone for reasoning about the 
action of controllers on a 1nobile machine: that a controller has exclusive control 
over a machine it is using, and other controllers cannot interfere with its use of 
the machine. 
We introduce MR as the set of machine references, CP as the set of control points, 
and C as the set of regular CSP channels. Each channel c in the set of regular 
channels C has a type denoted type (c). The type of channels in CP (control 
points, which pass 1nachine references) is MR: in other words, they pass values 
from the set MR. Each machine reference in lviR is associated with a particular B 
machine. The type of a machine reference z is the set of operations (with inputs 
and outputs) of the unique machine NI that is associated with z. 
Each control point can carry one specific type of B machines. If a syste1n con-
tains only one type of B machines, then we introduce one set l\IIR as the set of 
n1achine references. If a system contains different types of B machines, then we 
introduce different sets MRs, each for one particular type of B 1nachines. In this 
situation, the type of control point channels in CP may be different frmn each 
other according to the type of the machines they can carry. For instance, if a 
syste1n contains two different types of B 1nachines, then we introduce MR1 as 
the set of machine references for one type of machines and MR2 as the set of 
1nachine references for the other type of machines. Therefore, the type of each 
control point in this system can be either MR1 or MR2. As a result, if two types 
of machines should be passed frmn one controller P1 to another controller P2 in 
the system, two control points should be introduced, one for passing machine 
52 CHAPTER 3. At!OBILE CSP II B 
references of lv!R1 and the other one for passing 1nachine references of MR2 from 
P1 to P2 . In this chapter, we use the general fonn NIR as the type of control 
points in our system. This can be then changed to the type of each control point 
if there are different sets of 1nachine references in the system. 
3.3 Developing B machines 
In Mobile CSP II B, B 1nachines can be specified as the normal B machine 
specification. However, as explained before in Section 3.1, a B machine is used 
as an action system. So, the initialisation and the body of its operations must 
satisfy Dijkstra's Law of the Excluded Niiracle. 
In addition, we are going to provide consistency verification of our fra1nework 
later in this chapter. In our divergence freedmn verification, we are going to 
use Lmnma 2 and Lemma 3. Therefore, the B machines in our systmn must 
be specified in such a way to use these two lemmas for verification. Also, in 
our divergence freedom proof strategy, we will use wp formulae for operations in 
the body of CSP controllers. As it is not possible to predict all the 1nachines a 
controller is going to work with during the execution, operations with the same 
name in different machines must have an identical specification. 
According to all explanations above, the rules for B machines are as follows : 
1. The body of operations and the initialisation are not allowed to contain 
SELECT or ANY (or Let which is a special kind of ANY) state1nents. 
2. The pre state1nent is not allowed to appear in the body of operations, either 
in pre-conditioned or in guarded operations. A pre statement can only be 
used as the precondition statement of a pre-conditioned operation. 
3. If different machines in the system have an operation with the same name, 
the specification of those operations must be identical in all those B ma-
chines. 
3.4 Developing a CSP Controller 
Consider LOOP as a mutual recursive CSP process. A family of processes Ni is 
used to define LOOP. 
3.4. DEVELOPING A CSP CONTROLLER 
ｌｏｏｐｾ＠ N1 
N1 ｾ＠ P1 
53 
where each Pi is a CSP process expression in which the possible Nis can subse-
quently be reached. 
The static channels x(LOOP) of CSP process LOOP are given by its commu-
nication channels and control points. Any particular control point in the alpha-
bet of LOOP will be either incoming or outgoing with respect to LOOP, and 
ｩｾ＠ not permitted to be both. We identify the incoming control points within 
x(LOOP) as Xi(LOOP). The outgoing control points within x(L90P) are de-
noted Xo(LOOP). The communication channels within x.(LOOP) are denoted 
Xc(LOOP). These three sets ru:e pairwise disjoint, and their union is x(LOOP): 
Xi(LOOP) n Xo(LOOP) = 0 
Xi(LOOP) n Xc(LOOP) = 0 
Xo(LOOP) n X.c(LOOP) = 0 
X.i(LOOP) U Xo(LOOP) U Xc(LOOP) = x.(LOOP) 
The syntax of the processes Pis is defined by the following BNF: 
P "= SJ(JP I c?x---+ P(x) I c!v---+ PI cp1?w---+ P(w) 
I z.op!s?t---+ P(t) I cp2!z---+ P (z (j. s(P)) 
I P' D P" I P' n P" I if b then P' else P" I e---+ P I N(E1, ... , Ek) 
where b .is a boolean expression, e is an atomic CSP event which is not a B 
operation, c E Xc(LOOP), cpr E Xi(LOOP), cp2 E Xo(LOOP), .v and x are 
variables of type type (c), z and w are variables of type MR, t ｾ＠ op ( s) is an 
operation of the B machine associated with z, s ( P) is the set of 1nachine references 
owned by P (Definition 8, page 55). 
Control points are introduced as the only channels which can carry other channels, 
1nachine references. The type of con1munication channels are not allowed to refer 
to machine references. In other words, type( c) n MR = 0 1\ type( c) n JP> l11IR = 0. 
In N(E1 , ... , Ek), the type of each expression Ei is either of these below: 
1. type(Ei) = NIR 
2. type(Ei) = JlD MR 
3. type(Ei) =A • (An MR = 0 A An JP> !viR= 0) 
54 CHAPTER 3. lviOBILE CSP II B 
Each expression Ei referring to machine references should not be repeated among 
E1 , ... , Ek. In addition, each variable referring to machine references should not 
be repeated in expressions E1, ... , Ek. In other words: 
1. \1'1 ｾ＠ i,j ｾ＠ k • ((type(Ei) = type(Ej) = MR) => ({Ei} n {Ej} = 0)) 
2. \1'1 ｾ＠ i,j ｾ＠ k • ((type(Ei) = type(Ej) = IP MR) => (Ei n Ej = 0)) 
3. \1'1 ｾ＠ i,j ｾ＠ k • ((type(Ei) =!viR 1\ type(Ej) = IP 1\IIR) => ({Ei} n Ej = 0)) 
Definition 6. The set of free variables in a CSP pmcess is defined as below: 
fv (SKIP) = 0 
fv(c?x--> P(x)) = fv(P(x))- {x} 
fv(c!v--> P) = {v} Ujv(P) 
fv ( cp1? w --> P ( w)) = fv ( P ( w)) - { w} 
fv(cp2!z--> P) = {z} Ujv(P) 
fv(z.op!s?t--> P(t)) = {z} U {s} U (fv(P(t))- {t}) 
fv(P' D P") = fv(P') U fv(P") 
jv(P' n P") = fv(P') U fv(P") 
fv(if b then P' else P") = var(b) Ujv(P') Ufv(P") 
fv( e --t P) = fv(P) 
k k 
fv(N(El, ... ,Ek)) = ( U {Ei} • Ei is not a set) U ( U Ei • Ei is· a set) 
i=l i=l 
where var( b) is a set which contains all the variables of predicate b. 
Sequential processes are then defined recursively as follows: 
In valuation, para1neters Yil, ... , Yik are given a value of their type. The type of 
each parameter Yij is either of these below: 
1. type(Yij) = MR 
2. type(yij) = JP> 1\IIR 
3. type(Yij) = A • (An 1\1R = 0 1\ An IP MR = 0) 
In Ni(Yil, ... , Yik), each parameter Yij referring to machine references should not 
be repeated among Yil, ... , Yik. In addition, each variable referring to machine 
references should not be repeated in para1neters Yil, ... , Yik. In other words: 
3.5. PARALLEL CO!vfBINATION 55 
1. 'v'l ｾ＠ j, q ｾ＠ k • ((type(Yij) = type(Yiq) =!viR)==* ({Yij} n {Yiq} = 0)) 
2. 'v'l ｾ＠ j, q ｾ＠ k • ((type(Yij) = type(Yiq) = JP> MR) ==* (Yij n Yiq = 0)) 
3. 'v'l ｾ＠ j, q ｾ＠ k • ((type(Yii) = 1\IJR 1\ type(yiq) = JP> !viR)==* ({Yij}nyiq = 0)) 
Controller LOOP is then defined as LOOP(mb ... , mk) for values m1, ... , mk. 
Now, we introduce the following function mr which maps values to either them-. 
selves or a set. This function is then used to define the set of 1nachine references 
owned by a CSP process. 
Definition 7. If LOOP is a CSP process defined as LOOP(m1, ... , mk), then 
{ 
{mi} if mi E lv.IR 
'v' 1 ｾ＠ i ｾ＠ k • mr(mi) = mi if mi E JP> MR 
{} othe1·wise 
No machine reference should be repeated among values m1, ... , mk. In other 
words: 
\/1 ｾ＠ i,j ｾ＠ k • mr(mi) n mr(mj) = 0 
Definition 8. Fo1· a CSP process LOOP defined as ｌｏｏｐＨｭｾＬ＠ ... , mk), the set 
of machine references, s, owned by LOOP can be defined as follows: 
k 
s(LOOP) = U mr(mi) 
i=l 
Exa1nple 1. Assume 5 is the value of a variable which is not a machine reference 
and mel, mc2 and mc3 are machine Teferences. For each of cases below, machine 
references that CSP process LOOP owns can be defined as below: 
s(LOOP(5, mel, mc2)) = m7·(5) U mr(mcl) U mr(mc2) = {} U {mel} U {mc2} = 
{mel, mc2} 
s(LOOP(5, {mel, mc2})) = mr(5) U mr({mcl, mc2}) 
{mel, mc2} 
{} U {mcl,mc2} 
s(LOOP(5,mcl,{mc2,mc3})) = mr(5) U mr(mcl) U mr({mc2,mc3}) = {} U 
{mel} U {mc2, mc3} ={mel, mc2, mc3} 
3.5 Parallel combination 
A mobile combined communicating system including n controllers and m B ma-
chines is represented as: 
LOOP1 II LOOP2 II··· II LOOPn II Zl : M1 II Z2: lvf2 II··· II Zm: Mm 
56 CHAPTER 3. lviOBILE CSP II B 
where z1, z2, ... Zm are the machine references for B machines M1, lv/2, ... 111m 
respectively, and \11 ｾ＠ i, j ｾ＠ m • ( i =I= j => Zi =I= Zj). 
lVIutual recursive CSP processes can be composed in parallel, provided they have 
no machine references in common. They must also differ on their incoming control 
points and their outgoing control points. In addition, each control point in the 
system must have both a sender and a receiver. In other words, any outgoing 
(or incoming) control point in one controller must be an incoming (or outgoing) 
control point of one of the other controllers in the system. 
According to all explanations above, the rules for parallel combination of con-
trollers are as follows: 
1. Vl ｾ＠ i,j ｾ＠ n • s(LOOPi) n s(LOOPj) = 0 
2. Vl ｾ＠ j, k ｾ＠ n • Xi(LOOPj) n Xi(LOOPk) = 0 
3. 'v'l ｾ＠ i,j ｾ＠ n • Xo(LOOPi) n Xo(LOOPj) = 0 
n n 
4. U Xi(LOOPi) = U Xo(LOOPi) j=l i=l 
The free variables of the parallel combination of controllers is given as follows: 
n 
jv(LOOP1 II LOOP2 II ... II LOOPn) = Ufv(LOOPi) 
i=l 
When a systen1 is constructed, each variable referring to machine references must 
be given a different concrete value. 
The incoming control points, outgoing control points and communication chan-
nels for the parallel cmnbination of controllers are given as follows: 
n 
Xi(LOOPl II LOOP2 II .. · II LOOPn) = U Xi(LOOPj) 
j=l 
n 
Xo(LOOPl II LOOP2 II · · · II LOOPn) = U Xo(LOOPi) 
i=l 
n 
Xc(LOOPl II LOOP2 II ···II LOOPn) = U Xc(LOOPi) 
i=l 
Note that incoming and outgoing control points need not be disjoint in paral-
lel combinations: a control point that is both incoming and outgoing has both 
ends within the parallel combination and hence connects two of the controllers. 
The rules 2 and 3 for parallel combination of controllers ensm·es that no further 
controllers will use that control point. 
The language of process terms and the rules for parallel combination of controllers 
have been designed to ensure that at any point in the system execution, only one 
3.5. PARALLEL CO!v'IBINATION 57 
controller has possession of any machine reference. Controllers do not share any 
ｭｾ｣ｨｩｮ･＠ references to begin with, and when a machine reference is passed along 
a control point to another controller, it is not retained by the sending controller. 
In order to define the traces of parallel composition, it is necessary to keep track 
of the n1achine references as they are used and passed between controllers. We 
can define the projection of a trace onto a particular controller LOOP given the 
channels Xi(LOOP), Xo(LOOP), Xc(LOOP), provided we also know the set of 
machine references s owned by the controller. 
The projection of a trace tr onto x(LOOP) and a set of machine references s can 
be defined inductively as follows where tr t x(LOOP), s means the projection of 
tr onto alphabet of controller LOOP who owns the set of machine references s : 
() t x(LOOP), s = () 
( (cp.z) "tr) t x(LOOP), s 
( (c) " t7·) t x(LOOP), s 
(cp.z) "(tr t x(LOOP),s U {z}) 
if cp E Xi(LOOP) 1\ z rj. s 
(cp.z)" (tr f x(LOOP), s- {z}) 
if cp E Xo(LOOP) 1\ z E s 
tr t x(LOOP), s 
if cp t/ Xi(LOOP) U Xo(LOOP) 1\ z t/ s 
undefined otherwise 
{ 
(c)" (tr t x(LOOP), s) if c E Xc(LOOP) 
tr t x(LOOP), s if c rj. Xc(LOOP) 
((z.op) "tr) t x(LOOP), s = { (z.op) "(tr t x(LOOP), s) ｾｦ＠ z E s 
tr t x(LOOP), s 1f z rj. s 
This enables a definition of the traces of the parallel combination of controllers 
to be given: 
traces(LOOP1 II ... II LOOPn) = {tr I \;11 ｾ＠ i ｾ＠ n • 
tr I x(LOOPi), s(LOOPi) E traces(LOOPi)} 
Exa1nple 2. Assume a mobile combined communicating system, SYS, containing 
two controllers LOOP1 and LOOP2 and one B machine M with machine reference 
me as shown in Figure 3.2. cp is a control point such that cp E Xo(LOOP1 ) and 
58 
.MACHINE M 
VARIABLES n 
INVARIANT n E 0 .. 1 
INITIALIS4TION n := 0 
OPERATIONS 
up= 
PRE n =0 
THEN n := 1 
END; 
down= 
PRE n = 1 
THEN n := 0 
END 
END 
CHAPTER 3. IviOBILE CSP II B 
LOOPr(z) = Pr(z) 
Pr(z) = z.up ---t cp!z ---t P2 
P2 = dp? w ---t Pr ( w) 
LOOP2 = Qr 
Qr = cp?x ---t x.down ---t Q2(x) 
Q2(x) = dp!x ---t Qr 
SYS = LOOPr (me) II LOOP2 II me : M 
Figure 3.2: An example of a system containing two controllers and one machine 
cp.mc ) 
Before cp.mc After cp.mc 
Figure 3.3: Transfer of machine M through control point cp 
cp E Xi(LOOP2)· Wheneve1· these two ·controllers synchronise on cp, LOOP1 
gives the machine reference to LOOP2 through cp which means that the machine 
is transfe?Ted from LOOPr to LOOP2. This is shown in Figure 3.3. The fig-
ure illustrates that the machine whose reference is me is passed from LOOPr to 
LOOP2 when the event cp.mc happens in the system during the execution. In 
this system, t1· = (me. up, cp.mc, mc.down) is a trace of the parallel combination 
of controllers, LOOPr(mc) II LOOP2, and the trace of each controller is as below: 
t?· [ x(LOOPr(mc)), {me}= (mc.up, cp.mc) 
tr I x(LOOP2), 0 = (cp.mc, me. down) 
Definition of the failures of the parallel cmnbination of CSP processes in Ivlobile 
CSP II B is given as below: 
3.6. DIVERGENCE FREEDOivi OF A CONTROLLER AND ITS IviACHINES 59 
Definition 9. If P1, ... , P n are CSP processes, then 
failures(Pl II ... II Pn) = 
n 
{(tr, X) I Vl ｾ＠ i ｾ＠ n. ((tr I x(Pi), s(Pi)), Xi) E failures(Pi) 1\ u xi= X} 
i=l 
3.6 Divergence freedom of a controller and its machines 
In this section we present theorems and techniques for establishing divergence 
freedom of the parallel combination between a CSP controller, LOOP, and the 
1nachines it works with during the execution. The machines that LOOP works 
with are the machines it owns initially and the 1nachines it receives from other 
controllers during the execution. 
If LOOP is not divergence free, then the parallel combination between LOOP 
and any machine might have divergence. Therefore, the first step is to establish 
that LOOP is divergence free. 
If LOOP is divergence free, then any divergence in the parallel cmnbination 
between LOOP and a machine can only arise from that machine. Thus, the 
divergence freedom verification strategy should then focus on the behaviour of 
the machines while working in parallel with LOOP. According to Lemma 2, 
Lemma 3 and the second rule presented in Section 3.3 forB machines, a machine 
will have divergence when it contains at least one pre-conditioned operation and 
its pre-conditioned operations are called outside their preconditioaby LOOP. As 
a result, we should establish that LOOP always calls the operations of all the 
1nachines it works with during the execution within their precondition. 
The key point is that we are allowing B machines to be passed from one controller 
to another. The divergence freedmn verification technique developed for the 
earlier static case uses the fact that a B machine is completely controlled by a 
single controller and so the state of the machine at any particular point is only 
dependent on what that controller has done. This made proof easier because the 
1nachine was bound to a particular controller. However, with mobile 1nachines 
this is no longer the case. A controller typically receives a n1achine from another 
controller without knowing its state in advance, and so the divergence freedom 
between a machine and a controller needs to take the combined behaviour of the 
controllers into account. 
In order to keep proofs manageable we want to develop ways of considering the 
contribution of each controller separately. We need to check the state of the 
machines while passing frmn one controller to another as when a B machine is 
passed from one controller to another, the target controller does not have any 
control over the current state of the 1nachine. Therefore, we need to ensure that 
a machine is always transferred to another controller in a correct state where its 
60 CHAPTER 3. lviOBILE CSP II B 
operations are called appropriately. In order to achieve this, for each control point 
we assign an assertion on the state of the machine whose reference is passed along 
that control point. The intention is that whenever a machine reference is passed 
to a CSP controller along a control point, it is guaranteed that the assertion is 
satisfied. 
The notation assert ( cpz) denotes the assertion of the control point cp for a ma-
chine whose reference is z. For instance, assert( cpz) : z.n = 0 means that the 
variable n of the machine with machine reference z must be zero when passing 
through cp. For each control point, one assertion is assigned which is used for all 
1nachines being passed through it. This means that for a machine with machine 
reference w, the assertion of cp is assert( cpz) with w substituted for z which is 
w.n=O. 
In order to establish that the parallel combination between LOOP and any ma-
chine it works with during the execution is divergence free, we translate the body 
of CSP processes Ni into a sequence of AMN (page 8) statements. Each process 
Ni is defined in terms of a process expression Pi as stated before. We translate 
each process expression Pi into a sequence of AMN statements. So, we define an 
AMN construct, trans( Pi), to be the translation of the body of each process Ni. 
Definition 10. The translation of each CSP expression into an AMN statement 
is defined as below: 
trans(SKIP) =SELECT false THEN skip END 
trans(c?x ｾ＠ P(x)) =ANY x TtVHERE x: type(c) THEN trans(P(x)) END 
trans(c!v ｾ＠ P) =PRE v: type(c) THEN skip END; trans(P) 
trans(cp?z ｾ＠ P(z)) = ANY z WHERE z: MR THEN 
SELECT assert( cpz) THEN trans(P(z)) END 
END 
trans(cp!z ｾ＠ P) =PRE assert(cpz) THEN skip END; trans(P) 
trans(z.op!s?t ｾ＠ P(t)) = t ｾ＠ z.op(s); trans(P(t)) 
trans(P' o P") = CHOICE trans(P') OR trans(P") END 
trans(P' n P") = CHOICE trans(P') OR trans(P") END 
trans (if b then P' else P") = IF b THEN trans ( P') ELSE trans ( P") END 
trans( e ｾ＠ P) = skip; trans(P) 
trans(N(E1, . . . , Ek)) = rec := N(E1, ... , Ek) 
The last clause introduces a program counter rec to handle recursive calls. Ob-
serve that inputs c?x and cp?z are translated to the ANY statement, which 
1nodels an asstnnption that the value being received is of the correct type. In 
the case of a machine reference, cp?z also contains a SELECT statement, which 
1nodels an extra assumption that the machine is in a state satisfying assert(cpz). 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 61 
Outputs c!v and cp!z are translated to PRE statement rather than ANY and 
SELECT statements. v in c!v and z in cp!z are the parameters of the process 
so there are already some predicates on their value before this stage. Therefore, 
there is no need to have ANY in the translation. Instead, we use the PRE 
state1nent, which models a guarantee that the condition is met on output values. 
In the case of a machine reference, there is also no SELECT statement in the 
translation of cp!z. This is because we are going to use weakest precondition 
fonnulae in our consistency verification strategy and the PRE state1nent is the 
suitable statement in order to detect when the assertion is not ensured by the 
sender process, which corresponds to divergence in the syste1n. 
Note that the translation of external and internal choices are the sa1ne. The 
reason is that we want to check that if each of the branches P' or P" happens, 
the syste1n is divergence free. So we do not care if the branches happened with 
our choice or without om· control. We are just concerned that there are two 
possible branches which either can happen. 
Exatnple 3. Assuming the system of Figure 3.2. If assert(cpz) : z.n = 1 and 
assert(dpw): w.n = 0, then the translation of Pt(z) and P2 are as follows: 
trans(Pt(z)) =PRE z.n = 0 THEN z.n := 1 END; PRE z.n = 1 THEN skip END; 
rec := P2 
tTans(P2) =ANY w WHERE w: MR THEN 
SELECT w.n = 0 THEN rec := P1 (w) END 
END 
3.6.1 Conditions for divergence freedom 
·Supposing for a process Ni in LOOP we can find an invariant referring to all free 
variables in Ni such that if this invariant is true then whenever Ni is called to 
be executed, it calls the operations of all the machines it owns at the beginning 
of that recursive call through their precondition. If we can establish that this 
invariant holds at every recursive call of Ni, and if the state of the machines Ni 
receives always satisfy the related assertions, then Ni always calls the operations 
of all the machines it works with through their precondition at all the time during 
the execution. 
If we can establish the conditions above for each process Ni (1 ｾ＠ i ｾ＠ n) in 
LOOP, then the parallel combination between LOOP and any 1nachine it works 
with during the execution is ensured to be divergence free. As this invariant 
should be true at each recursive call, we call it Control Loop Invariant, CLI. 
We now present the definition below for LOOP which contains the conditions we 
explained above: 
62 CHAPTER 3. lviOBILE CSP II B 
Definition 11. LOOP is called CLI preserver if for each Ni (1 ｾ＠ i ｾ＠ n) in 
LOOP, a Control Loop Invariant, CLii, can be found such that: 
1. [init1; init2; ... ; initm; rec := N1]( CLh) 
2. V 1 ｾ＠ i ｾ＠ n • ( ( rec = Ni 1\ CLii) => 
[trans(Pi)](V1 ｾ＠ j ｾ＠ n • (rec = Nj => CLij))) 
where Nh, ... , lVIm are the machines that LOOP owns at the beginning of the ex-
ecution and init1, ... , initm a're the Initialisation clause of machines M1, ... , Mm 
respectively. 
Exa1nple 4. In continuation of Example 3, LOOP1 in Figure 3.2 is CLI pre-
server as we can introduce CLip1 (z) : z.n = 0 and CLlp2 : true such that the two 
conditions in Definition 11 hold: 
Condition 1: 
[mc.n := 0; rec := P1(mc)](CLip1 (mc)) = 
[mc.n := 0; rec := P1(mc)](mc.n = 0) =true ./ 
Condition 2: 
[trans(P1(z))](rec = P2 => CLip2 ) = z.n = 0 
(rec = P1(z) 1\ CLip1 (z)) = (rec = P1(z) 1\ z.n = 0) 
(rec = P1 (z) 1\ z.n = 0) => z.n = 0 ./ 
[trans(P2)](rec = P1( w) ==?- CLip1 (w)) = 
V w • (wE lVIR ==?-[SELECT w.n = 0 THEN rec := P1(w) END] 
(rec = P1(w) => CLlp1 (w))) 
[SELECT w.n = 0 THEN rec := P1(w) END](rec = P1(w) => CLip1 (w)) 
= ( w.n = 0 => CLip1 (w)) 
= (w.n = 0 => w.n = 0) 
= t?·ue 
[trans(P2)}(rec = P1(w) ==?- CLip1 (w)) = Vw • (wE MR =>true)= true 
( rec = P2 1\ true) ==?- true .f 
According to all explanations above, we now provide the following theorem which 
demonstrates all the conditions needed for establishing divergence freedom of the 
parallel con1bination between LOOP and the machines it works with during the 
execution. 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS IviACHINES 63 
Theore1n 1. If LOOP is a divergence free CSP controller and it is CLI preserver, 
then: 
1. The parallel combination between LOOP and any machine it owns initially 
is divergence free. 
2. The parallel combination between LOOP and any machine it receives during 
the execution with the correct state (according to the assertion of that control 
point) is divergence free provided the machine does not have diveryence until 
the point it is being passed to LOOP. 
3.6.2 Verification of divergence freedom 
In this section we present the following definitions, lemmas and corollaries as 
the steps towards proving Theormn 1. The results achieved in this section can 
be then used for the verification of the whole 1nobile combined communicating 
syste1n. 
For each CSP process Pi in LOOP, we define a special process TPi. The body of 
TPi is the san1e as Pi but the call to the indexed processes in Pi is replaced by 
update -t SKIP. For instance, if in the body of Pi there is a call to the indexed 
process Nj, Nj is replaced by updateNi -t SKIP in TPi. In other words, process 
TPi is the terminating version of the process Pi. SI(JP in the body of Pi remains 
the same and will not be changed in T Pi. 
We introduce a function, called term, which produces the tern1inating version of 
a process. It defines termination for recursive calls and distributes over all other 
operators. In other words, term is a function which produces the process TPi for 
each process Pi. Thus, TPi = term(Pi)· 
Definition 12. The teTminating version of a CSP contToller is defined as below: 
term(SKIP) = SJ(IP 
teTm(c?x -t P(x)) = c?x -t term(P(x)) 
term(c!v ｾ＠ P) = c!v--+ term(P) 
te1·m(cp1?w -t P(w)) = cp1?w -t teTm(P(w)) 
term(cp2!z -t P) = cp2!z -t term(P) 
term(z.op!s?t -t P(t)) = z.op!s?t -t term(P(t)) 
term(P' 0 P") = term(P') 0 teTm(P") 
term(P' n P") = term(P') n teTm(P") 
te·rm(if b then P' else P") =if b then term(P') else term(P") 
term( e -t P) = e -t teTm( P) 
term(N(E1, ... , Ek)) = updateN(E1 , •.. ,Ek) -t SKIP 
... -"" 
64 CHAPTER 3. !viOBILE CSP II B 
Whenever a CSP controller is working with a B machine, the sequence of that 
machine's operations which are executed is always a subsequence of the events 
perfonned by that controller during this parallel combination. This is the con-
troller who controls the execution order of the operations of the machine while 
they are working with each other in parallel. As we described before, the diver-
gences of a B 1nachine are defined in (50] in terms of the weakest precondition 
fonnulae for machine's traces. In this section, we introduce the weakest precon-
dition semantics for traces of a CSP process. We then use these semantics in our 
proof strategy for divergence freedom verification of machines while working with 
a CSP controller in parallel. 
Definition 13. The weakest precondition semantics for traces of a CSP process 
Pare as follows: 
wp((), Q) = Q 
wp ( (c. x) ""' tr, Q) = wp ( tr, Q) 
wp((z.op.s.t) ""'tr, Q) = wp(t (- z.op(s), wp(tr, Q)) 
wp ( (e) ""' tr, Q) = wp ( tr, Q) 
wp( (updateN(E1 , ••• ,E1J) ""'tr, Q) = wp(rec := ｎＨｅｾＬ＠ ... , Ek), wp(tr, Q)) 
wp((.f), Q) = Q 
(( ) ---. t Q) _ { assert(cpz) 1\ wp(tr, Q) if cp E Xo(P) wp cp.z r, -
assert(cpz) => wp(tr, Q) if cp E Xi(P) 
Lemtna 4. If tr""' (.f) E traces(TPi) and 31 ｾ＠ j ｾ＠ n • foot(tr) = updateNi 
then wp(trans(Pi), Q) => wp(tr, Q) where 1 ｾ＠ i ｾ＠ n. 
P1·ooj. We prove this lmnma by using the Principle of Induction on Pi. 
Base case 1 : Pi = SJ(JP 
1 Pi= SJ(JP Initial assumption 
2 TPi = SJ(JP 1, Definition 12 
3 t?' = 0 2, t?·""' (.f) E traces ( TPi) 
4 ｾＱ＠ ｾ＠ j ｾ＠ n • foot(()) = updateNi 3 
5 The condition part does not hold 3,4 
6 Lemma is true 5 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 65 
Base case 2: Pi = N(Et, ... , Ek) 
1 Pi= N(Et, . .. , Ek) Initial assumption 
2 TPi = updateN(E1, ... ,Ek) ｾ＠ SKIP 1, Definition 12 
3 tr = ( updateN(E1 , .. . ,Ek)) 2, tr"" ( ./) E traces( TPi) 1\ 
foot(tr) = updateN(E1 , .. . ,Ek) 
4 wp(tr, Q) = 3, Definition 13 
wp(1·ec := N(Et, . .. , Ek), Q) 
5 trans( Pi)= rec := N(Et, . . . , Ek) 1, Definition 10 
6 wp(trans(Pi), Q) = 5 
wp(1·ec := N(Et, ... , Ek), Q) 
7 wp(trans(Pi), Q) = wp(t1·, Q) 6,4 
8 wp(trans(Pi), Q) => wp(tr, Q) 7 
Inductive case 1 : e ｾ＠ P' 
Assume Inductive Hypothesis for P'. 
1 term(e ｾ＠ P') = e ｾ＠ TP' Definition 12 
2 tr"" (./) E traces(e ｾ＠ TP') 1\ Initial assumption 
31 ｾ＠ j ｾ＠ n • foot(tr) = updateN3 
3 tr = (e) "" t1·' • tr' E traces ( TP') tr E traces( e ｾ＠ TP') 
4 tr'"" ( ./) E traces( TP') 1\ 2, 3 
31 ｾ＠ j ｾ＠ n • foot(tr') = updateN3 
5 wp(trans(P'), Q) => wp(tr1, Q) 4, Induction assumption 
6 wp ( t?·, Q) = wp ( (e) "" tr', Q) 3 
7 wp ( (e) "" tr', Q) = wp ( tr', Q) Definition 13 
.----------·----------- - -------- -
66 
8 wp(tT, Q) = wp(tT', Q) 
9 tTans( e ｾ＠ P') = skip; tTans(P') 
10 wp(tTans(e ｾ＠ P'), Q) = 
wp(skip; tTans(P'), Q) 
11 wp(tTans(e ｾ＠ P'), Q) = 
wp(skip, wp(tTans(P'), Q)) 
12 wp(trans(e ｾ＠ P'), Q) = wp(tTans(P'), Q) 
13 wp(trans(e ｾ＠ P'), Q) => wp(tT1, Q) 
14 wp( tTans( e ｾ＠ P'), Q) => wp( tT, Q) 
Inductive case 2 : c!v ｾ＠ P' 
Assume Inductive Hypothesis for P'. 
1 term( c!v ｾ＠ P') = c!v ｾ＠ TP' 
2 tT"' (-/) E iTaces(c!v ｾ＠ TP') 1\ 
31 ｾ＠ j ｾ＠ n • foot(tT) = updateNJ 
3 tr = (c. v) "'tr' • tr' E traces( TP') 
4 t?·'"' ( ./) E iTaces( TP') 1\ 
3 1 ｾ＠ j ｾ＠ n • foot( i't 1) = updateNJ 
5 wp(trans(P'), Q) => wp(tT1, Q) 
6 wp ( tr, Q) = wp ( (c. v) "' iT1 , Q) 
7 wp((c.v) "'tr', Q) = wp(tr', Q) 
8 wp(tr, Q) = wp(tr', Q) 
CHAPTER 3. NIOBILE GSP II B 
6, 7 
Definition 10 
9 
10 
11 
12, 5 
13, 8 
Definition 12 
Initial assumption 
iT E tTaces( c!v ｾ＠ TP') 
2, 3 
4, Induction assumption 
3 
Definition 13 
6, 7 
9 iTans( c!v ｾ＠ P') = Definition 10 
PRE v : type( c) THEN skip END; trans(P') 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 67 
10 wp(trans(c!v -7 P'), Q) = 
v: type(c) 1\ wp(trans(P'), Q) 
11 wp(trans(c!v -7 P'), Q):::;. wp(t1·ans(P'), Q) 
12 wp(trans(c!v -7 P'), Q):::;. wp(tr', Q) 
13 wp(trans(c!v -7 P'), Q):::;. wp(tr, Q) 
Inductive case 3 : cp!z -7 P' 
Assume Inductive Hypothesis for P'. 
9 
10 
11, 5 
12, 8 
1 term( cp!z -7 P') = cp!z -7 TP' Definition 12 
2 tr,...... ( ./) E traces( cp!z -7 TP') 1\ Initial asstnnption 
:31 ｾ＠ j ｾ＠ n • foot(tr) = updateNi 
3 tr = (cp.z),...... tr' • tr' E traces(TP') tr E traces(cp!z -7 TP') 
4 tr',...... ( ./) E traces( TP') 1\ 2, 3 
:31 ｾ＠ j ｾ＠ n • foot(tr') = updateNi 
5 wp(trans(P'), Q) => wp(tr', Q) 4, Induction assumption 
6 wp( t1·, Q) = wp( ( cp.z) ,...... t1·', Q) 3 
7 wp((cp .z),...... tr', Q) = Definition 13 
assert(cpz) 1\ wp(tr', Q) 
8 wp(tr, Q) = assert(cpz) 1\ wp(tr', Q) 6, 7 
9 trans(cp!z -7 P') = Definition 10 
PRE assert(cpz) THEN skip END; trans(P') 
10 wp(trans(cp!z -7 P'), Q) = 9 
assert ( cpz) 1\ wp (trans ( P'), Q) 
68 CHAPTER 3. lviOBILE CSP II B 
11 wp(trans(cp!z -t P'), Q) => 10, 5 
assert( cpz) 1\ wp( tr', Q) 
12 wp(trans(cp!z ---4 P'), Q) => wp(tr, Q) 11, 8 
Inductive case 4: z.op!s?t ---4 P'(t) 
Assume Inductive Hypothesis for P'(t). 
1 term(z .op!s?t -t P'(t)) = 
z.op!s?t -t TP'(t) 
2 t1·" (.f) E traces(z.op!s?t -t TP'(t)) 1\ 
3 1 ｾ＠ j ｾ＠ n • foot( tr) = updateNi 
3 3 t1·', x • ( tr = (z.op.s.x) " tr' 1\ 
: t1·' E traces(TP'(x))) 
4 tr'" (.f) E traces( TP' (x)) 1\ 
31 ｾ＠ j ｾ＠ n • foot(tr') = updateNi 
5 wp(trans(P'(x)), Q) => wp(tr', Q) 
6 wp(tr, Q) = wp((z.op.s.x) "tr', Q) 
7 wp( (z.op.s.x) "tr', Q) = 
wp(x t-- z.op(s), wp(t1·', Q)) 
8 wp(tr, Q) = wp(x t-- z.op(s), wp(t1·', Q)) 
9 trans(z .op!s?t -t P'(t)) = 
t t-- z.op(s); trans(P'(t)) 
10 wp(trans(z.op!s?t -t P'(t)), Q) = 
wp(t t-- z.op(s); trans(P'(t)), Q) 
11 wp(trans(z.op!s?t ---4 P'(t)), Q) = 
wp(t t-- z.op(s), wp(trans(P'(t)), Q)) 
Definition 12 
Initial asstnnption 
tr E traces(z.op!s?t -t TP'(t)) 
2, 3 
Induction assu1nption 
3 
Definition 13 
6, 7 
Definition 10 
9 
10 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 69 
12 wp(t <-- z.op(s), wp(trans(P'(t)), Q)) = Same inputs 
wp(x <-- z.op(s ), wp(trans(P'(x)), Q)) 
13 wp(trans(z.op!s?t ｾ＠ P'(t)), Q) = 11, 12 
wp(x <-- z.op(s), wp(trans(P'(x)), Q)) 
14 wp(x <-- z.op(s), wp(trans(P'(x)), Q)) => 5 
wp(x <-- z.op(s), wp(tr', Q)) 
15 wp(trans(z.op!s?t ｾ＠ P'(t)), Q) => 13, 14 
wp(x <-- z.op(s), wp(tr', Q)) 
16 wp(trans(z.op!s?t ｾ＠ P'(t)), Q) => wp(tr, Q) 15, 8 
Inductive case 5: c?v ｾ＠ P'(v) 
Assume Inductive Hypothesis for P' ( v). 
1 term(c?v ｾ＠ P'(v)) = c?v ｾ＠ TP'(v) Definition 12 
2 tr r-. (.f) E traces(c?v ｾ＠ TP'(v)) 1\ Initial assmnption 
31 :S; j :S; n • foot( tT) = updateNJ 
3 3tT1,x • (x E type(c) 1\ tT = (c.x) r-. tT' tr E traces(c?v ｾ＠ TP'(v)) 
1\ tT1 E traces( TP' (x)) 
4 tr' r-- ( .() E traces ( T P' ( x)) 1\ 2, 3 
31 :S; j :S; n • foot( t1·') = updateNi 
5 wp (trans ( P' ( x)), Q) => wp ( tr', 9) Induction assmnption 
6 wp ( tr, Q) = wp ( (c. x) r-. tr', Q) 3 
7 wp((c.x) r-. tT', Q) = wp(tr', Q) Definition 13 
8 wp(tr, Q) = wp(tr', Q) 6, 7 
70 CHAPTER 3. 1\IIOBILE CSP II B 
9 trans(c?v ｾ＠ P'(v)) = Definition 10 
ANY v WHERE v: type(c) 
THEN trans(P'(v)) END 
10 wp(trans(c?v ｾ＠ P'(v)), Q) = 9 
V v • ( v E type (c) => wp (trans ( P' ( v)), Q)) 
11 wp (trans ( c? v ｾ＠ P' ( v)), Q) => 
wp(trans(P'(x)), Q) 
12 wp(trans(c?v ｾ＠ P'(v)), Q) =} wp(tr', Q) 
13 wp (trans ( c? v ｾ＠ P' ( v)), Q) => wp ( tr, Q) 
Inductive case 6 : cp?z ｾ＠ P'(z) 
Assume Inductive Hypothesis for P' ( z). 
1 term(cp?z ｾ＠ P'(z)) = cp?z ｾ＠ TP'(z) 
10, X E type (c) 
11, 5 
12, 8 
Definition 12 
2 tr r"\ (./) E traces(cp?z ｾ＠ TP'(z)) 1\ Initial assumption 
31:::;; j:::;; n • foot(tr) = updateN; 
3 3 tr', x • (x E MR 1\ tr = (cp.x) r"\ tr' 1\ tr E traces(cp?z ｾ＠ TP'(z)) 
tr' E traces ( T P' ( x)) 
4 tr' r"\ ( ./) E traces( TP' ( x)) 1\ 2, 3 
31 :::;; j :::;; n • foot( t1·') = updateNi 
5 wp(t7·ans(P'(x)), Q) => wp(tr', Q) 
6 wp ( tr, Q) = wp ( ( cp . x) r"\ tr', Q) 
7 wp( ( cp.x) r"\ tr', Q) = 
(assert( CPx) => wp( t?·', Q)) 
Induction assumption 
3 
Definition 13 
3.6. DIVERGENCE FREEDOl\tJ OF A CONTROLLER AND ITS 1\IIACHINES 71 
8 wp(tr, Q) = (assert(cpx) ｾ＠ wp(tr', Q)) 
9 trans(cp?z --t P'(z)) = 
10 
11 
12 
13 
ANY z WHERE z : lv!R THEN 
SELECT assert( cpz) THEN 
trans(P'(z)) END 
END 
wp(t7·ans(cp?z --t P'(z)), Q)" = 
Vz • (z E MR ｾ＠
(assert( cpz) ｾ＠ wp( trans(P' (z) ), Q))) 
wp(trans(cp?z --t P'(z)), Q) ｾ＠
(asse1·t(cpx) => wp(trans(P'(x)), Q)) 
wp( trans( cp? z --t P' (z) ), Q) =} 
(assert( CPx) => wp( tr', Q)) 
wp(trans(cp?z --t P'(z)), Q) => wp(tr, Q) 
Inductive case 7 : P' 0 P" 
Assume Inductive Hypothesis for P' and P". 
1 term(P' D P") = TP' o TP" Definition 12 
6, 7 
Definition 10 
9 
10, X E MR 
11, 5 
12, 8 
2 tr""' (.f) E traces( TP' 0 TP") Initial assumption 
3 31 ｾ＠ j ｾ＠ n • foot(tr) = updateNi Initial assu1nption 
4 tr ""' (.f) E traces ( TP') v 2 
tr"' (.f) E tTaces ( TP") 
5 tr"' (.f) E tTaces( TP') => 3, Induction assumption 
(wp(trans(P'), Q) => wp(tr, Q)) 
72 CHAPTER 3. 1\([0BILE CSP II B 
6 tr r- ( /) E traces( TP") ｾ＠ 3, Induction assumption 
(wp(trans(P"), Q) ｾ＠ wp(tr, Q)) 
7 t?uns ( P' o P") = Definition 10 
CHOICE trans(P') OR t?·ans(P") END 
8 wp(trans(P' o P"), Q) = 7 
wp(trans(P'), Q) 1\ wp(trans(P"), Q) 
9 wp(trans(P' 0 P"), Q) ｾ＠ wp(trans(P'), Q) 8 
10 wp(t1·ans(P1 D P"), Q) ｾ＠ wp(trans(P"), Q) 8 
11 trr- (/) E traces(TP') ｾ＠ 5, 9 
(wp(trans(P' 0 P"), Q) => wp(tr, Q)) 
12 tr r- ( ./) E traces ( TP") => 6, 10 
(wp(trans(P' D P"), Q) ｾ＠ wp(tr, Q)) 
13 wp(trans(P' 0 P"), Q) ｾ＠ wp(t1·, Q) 11, 12, 4 
Inductive case 8 : P' n P" 
Assume Inductive Hypothesis for P' and P". 
The proof has the same structure as the proof of Inductive case 7. 
Inductive case 9 : if b then P' else P" 
Assume Inductive Hypothesis for P' and P". 
1 term( if b then P' else P") = if b then TP' else TP" Definition 12 
2 tr r- ( /) E traces( if b then TP' else TP") Initial asstnnption 
3 :31 ::;;;; j ::;;;; n • foot(tr) = updateNi Initial assumption 
4 b ｾ＠ tr r- ( ./) E traces( TP') 2 
3.6. DIVERGENCE FREEDOl\!J OF A CONTROLLER AND ITS 1\tiACI-IINES 73 
5 • b ==? tr" ( ./) E traces ( TP") 2 
6 b ==? ( wp (trans ( P'), Q) =* wp ( tr, Q)) 4, 3, 
Induction assumption 
7 --, b ==? ( wp (trans ( P"), Q) ==? wp ( tr, Q)) 5, 3, 
Induction assumption 
8 trans(if b then P' else P") = Definition 10 
IF b THEN trans(P') ELSE trans(P") END 
9 wp(trans(if b then P' else P"), Q) = 8 
b ==? wp(trans(P'), Q) 1\ • b ==> wp(trans(P"), Q) 
10 wp(trans(if b then P' else P"), Q) ==> 9 
b ==? wp(trans(P'), Q) 1\ • b ==> wp(trans(P"), Q) 
11 wp(trans(if b then P' else P"), Q) ==> 10, 6, 7 
b ==> wp ( t1·, Q) 1\ --, b ==? wp ( tr, Q) 
12 wp(trans(if b then P' else P"), Q) ==? wp(tr, Q) 11 
Since we have proved the Base case and the Inductive case, it establishes Lemma 
4. 
D 
Le1n1na 5. If R ==? wp(trans(Pi), Q) then 
Vtr • ((t1·" (./) E traces(TPi) 1\ foot(tr) = updateNi) =* (R ==? wp(tr, Q))) 
where 1 ｾ＠ i,j ｾ＠ n. 
Proof. This follows frmn Lemma 4. 
1 R ==? wp(trans(Pi), Q) Initial asstunption 
2 t1·" (./) E traces(TPi) 1\ foot(tr) = updateN; Initial assmnption 
3 wp(trans(Pi), Q) ==? wp(t?·, Q) 2, Le1nma 4 
4 R ==? wp(tr, Q) 1, 3 
D 
74 CHAPTER 3. lviOBILE CSP II B 
Corollary 2. If (rec = Ni 1\ CLii) ::::? wp(trans(Pi), rec = Nj ::::? CLij) then 
\:1 tr • (( tr"' ( ./) E traces( TPi) 1\ foot( tr) = updateNi) ::::? 
((rec = Ni 1\ CLii)::::? wp(tr, rec = Nj::::? CLij))) 
where 1 ｾ＠ i,j ｾ＠ n. 
Proof. This follows frmn Lemma 5 using ( rec = Ni 1\ CLii) for R and 
(rec = Nj::::? CLij) for Q 
0 
Recall that this section is concerned with proving Theorem 1, we are therefore 
restricting our attention to LOOP that is CLI preserver. For such LOOP the 
next corollary follows im1nediately. 
Corollary 3. Vtr • ((tr"' (./) E traces(TPi) 1\ foot(tr) = updateNi)::::? 
((rec = Ni 1\ CLii)::::? wp(tr,'rec = Nj::::? CLij))) 
where 1 ｾ＠ i,j ｾ＠ n. 
Now, we present the next lemma for the traces of TPi which are followed by ( ./) 
but their last element is not updateN(E1 , ... ＬｅｾＺＩﾷ＠
Lmn1na 6. If t?'"' (./) E traces(TPi) and \:11 ｾ＠ j ｾ＠ n • foot(tr) i= updateNi 
then wp(trans(Pi), true)::::? wp(tr, true) where 1 ｾ＠ i ｾ＠ n. 
Proof. We prove this lemma by using the Principle of Induction on Pi. 
Base case 1 : Pi = SJ(JP 
1 Pi = SI(JP Initial assumption 
2 trans(Pi) = 1, Definition 10 
SELECT false THEN skip END 
3 wp(trans(Pi), true)= true 2 
4 TPi = SKIP 1, Definition 12 
5 tr = () 4, tr"' ( ./) E traces( TPi) 1\ 
Vl ｾ＠ j ｾ＠ n • foot(tr) f. updateNi 
6 wp ( tr, true) = true 5, Definition 13 
7 wp(trans(Pi), true)::::? wp(tr, true) 3, 6 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 75 
Base case 2 : Pi = ｎＨｅｾＬ＠ ... , Ek) 
1 Pi = N ( E1, ... , Ek) Initial assumption 
2 TPi = updateN(E1 , •.. ＬｅｾＮＺＩ＠ ｾ＠ SJ(JP 1, Definition 12 
4 foot(tr) = updateN(E1 , . .• ＬｅｾＮ［Ｉ＠ . 3 
5 The condition part does not hold 3, 4 
6 Lemma is true 5 
The proof of Inductive cases 1, 2, 3, 4, 5, 6, 7, 8, 9 has the same structure 
as the proof of Lemma 4 but we consider true instead of Q. 
0 
Le1n1na 7. \:1 tr • ( tr" (.f) E traces ( TPi) ::::} ( ( rec = Ni 1\ CLii) ::::} wp( tr, true))) 
where 1 ｾ＠ i ｾ＠ n. 
Proof. As LOOP is CLI preserver, the lem1na is proved as below: 
1 tr" (.f) E traces( TPi) Initial assumption 
2 ( rec = Ni 1\ CLii) ::::} Definition 11 
wp(trans(Pi), \:/1 ｾ＠ j ｾ＠ n • (rec = Nj::::} CLij)) 
3 (rec = Ni 1\ CLii)::::} wp(trans(Pi) , true) 2 
There are two possibilities for tr: 
Case 1: 31 ｾ＠ j ｾ＠ n • foot(tr) = updateNJ 
4 wp(t?·ans(Pi), Q)::::} wp(tr, Q) 1, Le1nma 4 
5 wp (trans (Pi), true) =? wp ( tr, true) 4, using tr'ue for Q 
6 (rec = Ni 1\ CLii) =? wp(tT, true) 3, 5 
76 CHAPTER 3. JviOBILE CSP II B 
Case 2: \f 1 ｾ＠ j ｾ＠ n • foot( tr) f. updateNJ 
7 wp(trans(Pi), true) ==> wp(tr, true) 1, Lemma 6 
8 (rec = Ni 1\ CLii) ==> wp(tr, true) 3, 7 
D 
Lmn1na 8. \f tr • (( tr E traces( TPi) 1\ foot( tr) f. ( ./)) ==> 
3 tT1 • tT,...... tT1 ,...... (./) E traces(TPi)) 
where 1 ｾ＠ i ｾ＠ n. 
PToof. We prove this lemma by using the Principle of Induction on Pi. 
Base case 1 : Pi = SKIP 
1 Pi= SI<IP Initial assumption 
2 TPi = SI<IP 1, Definition 12 
3 tr = 0 2, tr E traces( TPi) 1\ foot(tr) f.(./) 
4 tr,...... () ,...... ( ./) E traces( TPi) 2, 3 
5 3 tr' = 0 • tr"' tr'" ( ./) E tTaces( TPi) 4 
Base case 2: Pi= N(E1, ... , Ek) 
1 Pi = ｎＨｅｾＬ＠ ... , Ek) Initial assu1nption 
2 TPi = updateN(E1 , ••• ,Ek) -t SI<IP 1, Definition 12 
Situation 1 : t?' = () 
4 tr = () 3, Situation 1 
2,4 
3.6. DIVERGENCE FREEDOivi OF A CONTROLLER AND ITS lviACHINES 77 
Situation 2 : tr = ( updateN(E1, ... ＬｅｾＮＺＩＩ＠
3, Situation 2 
8 tr r.. () r.. ＨｾＩ＠ E traces(TPi) 2, 7 
9 3 tr' = () • tr r.. tr' r.. ＨｾＩ＠ E tTaces(TPi) 8 
Inductive case 1 : e ｾ＠ P' 
Asslnne Inductive Hypothesis for P'. 
1 term(e ｾ＠ P') = e ｾ＠ TP' 
2 V tr1 • ( ( tr1 E traces( TP') 1\ foot( tTI) =/= ( ｾＩＩ＠ ==> 
3 tr" • tr1 r.. tr" r.. ＨｾＩ＠ E traces(TP')) 
3 tr = () V 
iT = (e) r.. tTl • 
(tr1 E tTaces(TP') 1\ joot(tr1) =/= ＨｾＩＩ＠
Situation 1: If tr = () 
4 tr = () 
5 3 tr" • tr" r.. ( ｾＩ＠ E traces( TP') 
6 3 tr" • (e) r.. tr" r.. ( ｾＩ＠ E traces( e ｾ＠ TP') 
7 3 tr" • () r.. (e) r.. tT11 r.. ( ｾＩ＠ E traces( e ｾ＠ TP') 
8 3 tr" • tr r.. (e) r.. t?·" r.. ＨｾＩ＠ E tTaces(e ｾ＠ TP') 
Definition 12 
Induction assumption 
t1· E tTaces( e ｾ＠ TP') 1\ 
foot(tr) =/= ＨｾＩ＠
3, Situation 1 
2, ass luning tr1 = () 
5 
6 
7, 4 
9 3 tr' = (e) r.. tT11 • tr r.. tr' r.. ( ｾＩ＠ E traces ( e ｾ＠ T P') 8 
78 CHAPTER 3. IVIOBILE CSP II B 
Situation 2: If tr =(e)""" t71 • (tr1 E traces(TP') 1\ joot(tr1) =/= (/)) 
10 tr =(e)""" tr1 • (t1·1 E traces(TP') 1\ joot(tr1) f=. (/)) 3, Situation 2 
11 3 tr" • tr1 """ tr" """ ( /) E traces ( TP') 10, 2 
12 3 tr" • (e) " tr1 " tr" """ ( /) E traces ( e -> TP') 11 
13 3 tr" • t1·" tr"""" (/) E traces(e --t TP') 12, 10 
14 3 tr' = tr" • tr""" tr'""" ( /) E traces( e --t TP') 13 
Inductive case 2 : c!v --t pi 
Assume Inductive Hypothesis for P'. 
1 term( c! v --t P') = c! v -t TP' Definition 12 
2 Vtr1 • ((tr1 E traces(TP') 1\ joot(tr1) f=. (/)) => Induction assun1ption 
3 tr" • tr1 """ tr" " (.,!) E traces ( T P')) 
3 tr=() V 
tr = (c.v) """tr1 • 
(tr1 E traces(TP') 1\ foot(trl) '# (/)) 
Situation 1: If tr = () 
4 tr = () 
5 3 tr" • tr" """ ( /) E traces ( T P') 
6 3 tr" • 
(c. v) "tr"""" ( /) E traces( c! v -t TP') 
7 3 t?·" • 
() """ (c. v) """tr"""" ( /) E traces( c! v -t TP') 
8 3 tr" • 
t1·""" (c. v) """ tr" """ ( /) E traces( c!v -t TP') 
tr E traces(c!v --t TP') 1\ 
foot( tr) '# ( /) 
3, Situation 1 
2, assuming tr1 = () 
5 
6 
7, 4 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 79 
9 3 tr' = (c. v) """' tr" • 8 
tr"""' tr'" (./) E traces(c!v -t TP') 
Situation 2: If tr = (c.v)" t?·1 • (t1·1 E traces(TP') 1\ foot(trt) # (./)) 
10 tr = (c. v) """'tr1 • ( tr1 E tTaces( TP') A foot( tT1) # ( ./)) 3, Situation 2 
11 :3 tr" • tTl """' tr" """' ( ./) E traces ( T P') 
12 3 tr" • (c. v) """' tr1 """' tT11 """' ( ./) E tTaces ( c! v -t TP') 
13 3 tr" • tr"""' tr""""' (./) E traces(c!v -t TP') 
14 3 tr' = tr" • tr"""' t1·'" ( ./) E traces( c!v -t TP') 
Inductive case 3 : cp!z -t P' 
Assume Inductive Hypothesis for P'. 
1 term( cp!z -t P') = cp!z -t TP' 
2 V tr1 • ( ( tT1 E traces ( TP') A foot( tr1) # ( ./)) =?-
3 tr" • tn_ """' tr" """' ( ./) E traces( TP')) 
3 t'l' = () v 
tr = ( cp .z) " tn • 
( tT1 E traces( TP') 1\ foot( tn) # ( ./)) 
Situation 1: If tr = () 
10, 2 
11 
12, 10 
13 
Definition 12 
Induction assumption 
t1· E traces( cp!z -t TP') 1\ 
foot( tr) # ( ./) 
4 tr = () 3, Situation 1 
5 3 t1·" • t1·"" ( ./) E traces( TP') 2, assuming t1·1 = () 
6 3 t?'11 • 5 
(cp.z)"""' tT11 """' (./) E traces(cp!z -t TP') 
80 CHAPTER 3. IviOBILE CSP II B 
7 3 tr" • 6 
0 ""'(cp.z) ""'tT11 ,...... (./) E tTaces(cp!z---+ TP') 
8 3 tr" • 7, 4 
tr""' (cp.z),...... tr",...... (./) E traces(cp!z---+ TP') 
9 3 tT1 = ( cp.z) ,...... tr" • 8 
tr""'tr'..-...(-1) E traces(cp!z-+ TP') 
Situation 2: If tr = ( cp.z) ,...... tn • ( tr1 E traces( TP') 1\ foot( tT1) =/=- ( ./)) 
10 tr = (cp.z),...... tTl • (tT1 E tTaces(TP') 1\ foot(t?'I) =/=- (./)) 3, Situation 2 
11 3 tT" • tTl ,...... tr"""' ( ./) E traces( TP') 10, 2 
12 3 t1·" • (cp.z),...... tr1 ,...... tr",...... (./) E t?·aces(cp!z---+ TP') 11 
13 3 t?·" • tr r-. tr" r-. (./) E traces(cp!z---+ TP') 12, 10 
14 3 tr' = t1·" • tr r-. tr' r-. ( ../) E traces( cp!z ---+ TP') 13 
Inductive case 4 : c?v ---+ P' ( v) 
Assun1e Inductive Hypothesis for P' ( v). 
1 term(c?v---+ P'(v)) = c?v---+ TP'(v) 
2 V x, tr1 • 
((x E type(c) 1\ tr1 E traces(TP'(x)) 1\ 
foot( tn) =/=- ( ./)) => 
3 t1·" • tr1 r-. tr" r-. ( ./) E traces ( TP' ( x))) 
3 tr = () V 
tr = (c.x) r-. t1·1 • 
( tr1 E traces( TP' (x)) 1\ foot( tr1) =/=- ( ./)) 
Definition 12 
Induction assumption 
tr E traces( c?v ---+ TP' ( v)) 
1\ 
foot( tr) =/=- ( ./) 
3.6. DIVERGENCE FREEDO!vi OF A CONTROLLER AND ITS NfACHINES 81 
Situation 1: If tr = () 
4 t?· = () 3, Situation 1 
5 Vx E type(c) 3tr11 • tr" r-.. (/) E traces(TP'(x)) 2, assuming tr1 = () 
6 V x E type (c) 3 tr" • 5 
( c.x) r-.. tr""""' ( /) E traces( c?v -t TP' ( v)) 
7 't/ X E type (C) 3 tT11 • 6 
() r-.. (c. x) r-.. tT" r-.. ( /) E tTaces ( c? v -t T P' ( v)) 
8 \j X E type (C) 3 tT11 • 7, 4 
t?· r-.. (c.x) """'tr""""' (/) E t1·aces(c?v -t TP'(v)) 
9 Vx E type(c) 3t?'1 = (c.x) r-.. tr"• 8 
tr """' tr' r-.. ( /) E traces ( c? v -t T P' ( v)) 
Situation 2: If t?' = (c.x) """'tr1 • (tr1 E traces(TP'(x)) 1\ foot(trl) f= (/)) 
10 tr = (c.x) r-.. tr1 • (t7'I E traces(TP'(x)) 1\ joot(tr1) f= (/)) 3, Situation 2 
11 3 t?'11 • tr1 r-.. tr" r-.. ( /) E traces( TP' ( x)) 10, 2 
12 3 tr" • (c.x) r-.. tr1 r-.. tr" r-.. (/) E traces(c?v -t TP'(v)) 11 
13 3 t1·" • tr r-.. tr" r-.. ( /) E traces ( c? v -t T P' ( v)) 12, 10 
14 3 tr' = tr" • tr r-.. tT1 r-.. ( /) E t?·aces ( c? v -t T P' ( v)) 13 
82 CHAPTER 3. 1\IIOBILE CSP II B 
Inductive case 5 : cp? z ｾ＠ P' (z) 
Assume Inductive Hypothesis for P' ( z). 
1 term(cp?z ｾ＠ P'(z)) = cp?z ｾ＠ TP'(z) 
2 V x, tr1 • 
((x E MR 1\ tr1 E traces(TP'(x)) 1\ 
joot(tr1) =/= (v"')) => 
3 tr" • tr1 """tr"""" ( v"') E traces( TP' (x) )) 
3 tr = () V 
t?' = ( cp.x) """ t?'l • 
(tn E traces(TP'(x)) 1\ joot(tr1) =/= (v"')) 
Situation 1: If tr = () 
4 tr = () 
5 V x E MR 3 tr" • tr"""" (v"') E traces(TP'(x)) 
Definition 12 
Induction assumption 
tr E traces 
( cp?z ｾ＠ TP' (z)) 1\ 
foot ( tr) =/= ( v"') 
3, Situation 1 
2, assuming tr1 = () 
6 V x E MR 3 tr" • 5 
( cp.x) """ tr" """ ( /) E traces( cp? z ｾ＠ TP' (z)) 
7 V x E MR 3 tr11 • 6 
() " ( cp.x) " tr11 """ ( /) E traces( cp? z ｾ＠ TP' (z)) 
8 V x E MR 3 tr" • 7, 4 
tr " ( cp. x) """ tr" """ ( /) E traces ( cp? z ｾ＠ T P' ( z)) 
9 V x E ll!fR 3 tr' = (cp.x) """tr" • 8 
tr""" tr'""" (/) E tTaces(cp?z ｾ＠ TP'(z)) 
3.6. DIVERGENCE FREEDOivi OF A CONTROLLER AND ITS lvfACHINES 83 
Situation 2: If tr = (cp.x) "tr1 • (tr1 E traces(TP'(x)) 1\ foot(tn) =/=- (./)) 
10 tr = ( cp. x) " tn • ( tr1 E traces ( T P' ( x)) 1\ foot( tr1) -:/- ( ./)) 3, Situation 2 
11 3 tr" • tn " tr" ..-.. ( ../) E traces ( T P' ( x)) 
12 3 tr" • (cp.x) "tr1 ..-.. tr" ..-..(.f) E traces(cp?z-+ TP'(z)) 
13 3 tr" • tr" tr"" (.f) E traces(cp?z-+ TP'(z)) 
14 3 tr' = tr" • tr " tr' ..-.. (.f) E traces ( cp? z -+ T P' ( z)) 
Inductive case 6 : z.op!s?t-+ P'(t) 
Assume Inductive Hypothesis for P' ( t). 
1 term(z .op!s?t-+ P'(t)) = z.op!s?t -4 TP'(t) 
2 Vx, tr1 • (((z.op.s .x) E traces(z.op!s?t -4 TP'(t)) 
3 tr = () V 
1\ tr1 E traces( TP' (x)) 1\ foot( tr1) -:/- (.f)) 
=> 3 tr" • tr1 ..-.. tr" ..-.. (.f) E traces ( TP' ( x))) 
tr = (z.op .s.x) ..-.. tr1 • 
(tr1 E traces(TP'(x)) 1\ foot(tr1) =/=- (./)) 
Situation 1: If tr = () 
10, 2 
11 
12, 10 
13 
Definition 12 
Induction assumption 
tr E traces 
(z.op!s?t-+ TP'(t)) 1\ 
foot( tr) =/=- ( ./) 
4 tr = () 3, Situation 1 
5 V x • ( (z. op.s.x) E traces(z. opis?t -+ TP' ( t)) => 2, asstuning tr1 = () 
:3 tr" • tr" ..-.. (.f) E traces( TP' ( x))) 
6 Vx • ((z.op.s .x) E traces(z.op!s?t-+ TP'(t)) => 5 
3 t?·" • (z.op.s .x) ..-.. tr"" (.f) E 
traces(z.op!s?t-+ TP'(t))) 
84 CHAPTER 3. !viOBILE CSP II B 
7 Vx • ((z.op.s.x) E traces(z.op!s?t---+ TP'(t)) ==> 6 
3 tr" • () "(z.op.s.x) "t?'11 " (.() E 
traces(z.op!s?t---+ TP'(t))) 
8 Vx • ((z.op.s.x) E traces(z.op!s?t---+ TP'(t)) ==> 7, 4 
3 tr" • t?' " ( z. op. s. x) " tr11 " (.f) E 
traces(z. op!s?t ---+ TP' ( t))) 
9 Vx • ((z.op.s.x) E traces(z.op!s?t---+ TP'(t)) ==> 8 
3 tr' = (z.op.s.x) "tr" • 
t?'" tr'" (./) E traces(z.op!s?t---+ TP'(t))) 
Situation 2: If tr = (z.op.s.x) "tr1 • (tn E traces(TP'(x)) 1\ joot(tr1) i= (./)) 
10 tr = (z.op.s .. x)" tr1 • 
(tr1 E traces(TP'(x)) 1\ foot(trt) =f.(./)) 
11 3 tr" • tr1 "tr"" (./) E traces(TP'(x)) 
12 3 tr" • (z.op.s.x)" tr1 "tr" r- (.f) E 
traces(z.op!s?t---+ TP'(t)) 
3, Situation 2 
10, 2 
11 
13 3 tr" • tr r- tr" r- (./) E traces(z.op!s?t---+ TP'(t)) 12, 10 
14 3 t1'1 = tT" • tr r- tr' r- (./) E tTaces(z.op!s?t---+ TP'(t)) 13 
Inductive case 7 : P' D P" 
Asstnne Inductive Hypothesis for P' and P". 
1 term(P' D P") = TP' D TP" Definition 12 
2 tr E traces(TP' D TP") 1, Initial assumption 
3 foot( tT) =f. ( ./) Initial assumption 
3.6. DIVERGENCE FREEDOl\II OF A CONTROLLER AND ITS 1\IIACHINES 
4 tr E traces(TP') V t1· E traces(TP") 2 
5 tr E traces( TP') ==> 3, Induction asstunption 
:3 tr' • tr" tr'" (../) E t1·aces(TP') 
6 tr E traces ( TP') ==> 5 
:3 tr' • tr" tr'" ( ../) E traces( TP' D TP") 
7 tr E traces( TP") ==> 3, Induction assumption 
:3 tr' • tr" tr'"" ( ../) E traces( TP") 
8 t1· E traces( TP") ==> 7 
3 tr' • tr" tr'" ( ../) E traces( TP' 0 TP") 
9 3 tr' • tr" tr'"" ( ../) E traces( TP' 0 TP") 4, 6, 8 
Inductive case 8 : P' n P" 
Assmne Inductive Hypothesis for P' and P". 
The proof has the same structure as the proof of Inductive case 7. 
Inductive case 9 : if b then P' else P" 
Asstune Inductive Hypothesis for P' and P". 
1 term( if b then P' else P") = 
if b then TP' else TP" 
Definition 12 
85 
2 tr E traces(if b then TP' else TP") 1, Initial assumption 
3 foot( tr) f= ( ../) Initial asstunption 
4 b ==> tr E t1·aces(TP') A • b => tr E traces(TP") 2 
5 tr E traces( TP') ==> 3, Induction assumption 
3 tr1 • tr"" tr'"" ( ../) E traces( TP') 
6 b ==> :3 tr' • tT" tr'"' ( ../) E traces( TP') 4, 5 
86 CHAPTER 3. lviOBILE CSP II B 
7 b ==?- 3 t?·' • tT ,-,. tT1 ,-,. (..f) E 6 
tTaces(if b then TP' else TP") 
8 tT E traces( TP") ==> 3, Induction assumption 
3 tr' • tr ,-,. tr''"' ( ../) E traces( TP") 
9 ---, b ==> 3 tr' • tT ,-,. tr''"' (../) E traces(TP") 4, 8 
10 -, b ==?- 3 tT1 • t?· '"' tr1 '"' (..f) E 9 
traces( if b then TP' else TP") 
11 3 tT' • tr ,-,. tr' ,-,. ( ..() E 7, 10 
traces(if b then TP' else TP") 
Since we have proved the Base case and the Inductive case, it establishes the 
lemma. 0 
Letntna 9. V 1 :::;;; i:::;;; n • TPi sat ((Tee= Ni 1\ CL!i) ==> wp(tT, true)) 
Proof. There are two possibilities for tT: 
Case 1 : foot(tr) = (../) 
1 (Tee= Ni 1\ GLii) ==> wp(!Tont(tT), true) Lemma 7 
2 wp(fmnt(tr)'"' (../),true) = wp(front(tr), true) Definition 13 
3 wp(tr, true) = wp(front(tr), true) 2 
4 (Tee = Ni 1\ GL!i) ==> wp( tr, tTue) 1, 3 
Case 2 : foot( tr) #- ( ../) 
1 3 t1·' • tr'"' tr' ,-,. ( ../) E traces( TPi) Lemma 8 
2 (Tee = Ni 1\ GL!i) ==> wp( tr ,-,. tr', true) Lemma 7 
3 (1·ec = Ni 1\ GL!i) ==> wp(tT, wp(tT', true)) 2 
4 (rec = Ni 1\ GL!i) ==> wp(tr, tnte) 3, wp( tr', true) ==> true 
D 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS 1\IIACHINES 87 
Le1n1na 10. \:1 i'l' E traces(LOOP) • tr = tr1 r-. t'l'2 r-. •.• r-. trk 1\ 
tr1 r-. (update Ni2 ) r-. ( ..() E traces ( T Pj1 ) 1\ 
=> 
tr2 r-. (updateNi
3
) r-. (../) E traces(TPj2 ) 1\ 
trk r-. ( updateNik+1) r-. ( ../) E traces( TPj1J 1\ 
Jl = 1 1\ 1 ｾ＠ j2, ... ,jk,Jk+l ｾ＠ n 
wp ( init1; ... ; initm; tr r-. ( updateNiHt), rec := Nik+ 1 1\ CLijk+ 1 ) 
Proof. We prove this lmnma by using the Principle of Induction on k. 
Base case : k = 1 
1 wp(init1; ... , initm; rec := N1, CLh) Definition 11 
2 wp(init1; 
... ' initm; rec := N1, rec = N11\ CLI!) 1 
3 ( rec = N1 1\ CLI1) => Corollary 3 
wp( tr1 r-. ( updateNh), rec = Nh => CLij2 ) 
4 wp(init1; ... ; initm; rec := Nb 2, 3 
wp(tr1 r-. (updateNh), ?'ec = Ni2 => CLij2 )) 
5 wp( init1; ... ; initm; rec := N1; tr1, 4 
wp((updateN;
2
), rec = Nh => CLij2 )) 
6 wp ( init1; ... ; initm; rec : = N1; tn, 5, Definition 13 
wp(rec := Ni2, rec = Ni2 => CLih)) 
8 wp( init1; ... ; initm; tr1; rec := N1, 6, 7 
wp(rec := ｾ Ｍ Ｒ Ｌ＠ rec = Nh => CLih)) 
9 wp( init1; ... ; initm; tr1, 8 
wp(rec := N1; rec := Nj2 , rec = Nj2 => CLij2 )) 
10 wp( init1; ... ; initm; tr1, 9 
wp(rec := Nh, rec = Nj2 => CLij2 )) 
88 
11 
12 
13 
wp(init1; ... ; initm; tr1, 
wp(rec := NJ·2 , rec = Nh 1\ CLih)) 
wp ( init1; ... ; initm; tr1, 
wp((updateN12 ), rec = Nj2 1\ CLih)) 
wp ( init1; ... ; initm; tr1 r-. (update Nh ) , 
rec = Nh 1\ CLij2 ) 
Inductive case : 
CHAPTER 3. lviOBILE CSP II B 
10 
11, Definition 13 
12 
Assume Inductive Hypothesis for k = q. We prove that the len11na is true for 
k=q+l. 
1 Induction assumption 
2 (Tee := Njq+l 1\ CLijq+l) =? Corollary 3 
wp(trq+l r-. (updateNiq+ 2 ), rec := Niq+ 2 => CLij11+2 ) 
3 ( rec := Niq+l 1\ CLijq+l) => 2 
wp(trq+b wp((updateNiq+2 ), rec := Niq+ 2 => CLijq+ 2 )) 
4 ( rec := Njq+1 1\ CLijq+I) => 3, Definition 13 
wp(trq+I, wp(rec := Niq+2 , rec := Niq+ 2 => CLij11+2 )) 
5 ( rec := Niq+l 1\ CLiiq+l) => 4 
wp(trq+I, wp(rec := Niq+2 , rec := Niq+2 1\ CLijq+2)) 
6 ( rec := Niq+l 1\ CLiiq+1) => 5 
wp(trq+Ii rec := Niq+ 2 , rec := NJq+ 2 1\ CLijq+2) 
7 1, 6 
8 7 
9 7.tpdateN ｾ＠ x(LOOP) 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 89 
10 
11 
12 
13 
14 
15 
wp( init1; ... ; initm; tn "' ... "'trq "'trq+l, 
wp((updateNiq+); rec := Njq+2 , 
rec := Niq+2 1\ CLijq+2 )) 
wp(inih; ... ; initm; tr1 "' ... "'trq "'tTq+l, 
wp(rec := Njq+ 1 ; rec := Njq+2 , 
rec := Njq+2 1\ CLijq+2 )) 
wp(init1; ... ; initm; tr1 "' .. _."' trq"' trq+l, 
wp(rec := Niq+ 2 , rec := Njq+ 2 1\ CLijq+2 )) 
wp( init1; ... ; initm.; tr1 ""' ... ""' trq""' trq+l, 
wp((updateNiq+2 ), rec := Njq+ 2 1\ CLijr1+2 )) 
The following lemma follows from Lem1na 10. 
Le1n1na 11. LOOP sat wp(inii}; ... ; initm; tr, true) 
8, 9 
10 
11, Definition 13 
12 
13, Definition 13 
14 
0 
Proof. V tr E traces( LOOP) 3 x ｾ＠ 1, j1 = 1, 1 :::;;; j2, ... ,jx :::;;; n • 
tr1 "' ( updateN12 ) "' ( ./) E traces ( TPj1 ) 1\ 
t12"' (updateNJ
3
)"' (.f) E traces(TPj2 ) 1\ 
trx-l""' (updateNJJ"' (./) E traces(TPjx_ 1 ) 1\ 
t?'x E traces( TPiaJ 
90 CHAPTER 3. lviOBILE CSP II B 
There are two possibilities for x: 
Case 1: x = 1 
1 tr E traces ( TPl) Case 1 
2 wp(init1; 
... ' Definition 11 
3 wp(init1; ... ' initm; rec := N1, rec = N1 A CLI1) 2 
4 (rec = N11\ CLI1)::::::} wp(tr, true) 1, Lemma 9 
5 wp(init1; ... , initm; Tee:= N1, wp(tT, tTue)) 3,4 
6 wp(inih; ... ) initm; rec := N1; tr, tTue) 5 
7 updateN1 ¢ a(tT) updateN1 ¢ x(LOOP) 
8 wp(init1; ... ) initmi tr; Tee := N1, true) 6, 7 
9 wp(init1; ... ) initmi tr, wp(Tec := N1, true)) 8 
10 wp(init1; ... , initm; tr, tTue) 9 
Case 2: x ｾ＠ 2 
1 wp(init1; ... ; initm; tr1 r-. ••• r-. trx-1 r-. (updateN;J, 
Tee = Njx A ｃｌｩｪｾｊ＠
Lemma 10 
2 (Tee= Njx 1\ CLijx) ::::::} wp(trx, true) Lem1na 9 
3 wp(init1; ... ; initm; tr1 r-. ... r-. tTx-1 r-. (updateNh), 1, 2 
wp( tTx, true)) 
4 wp(init1; ... ; initm; tr1 r-. ••• r-. tTx-1, 
wp( ( updateNiJ r-. tTx, tTue)) 
5 wp( init1; ... ; initm; tTl r-.. ••• r-.. trx-b 
wp ( rec : = Nj:r. , wp ( tr x, true))) 
3 
4, Definition 13 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS lviACHINES 91 
6 wp( init1; ... ; initm; tn " ... r-. trx-b 5 
wp(rec := Nixi tr.--c, true)) 
7 wp(init1; ... ; initm; tn r-. ••• " trx-Ii 6 
rec : = Nix ; trx , true) 
9 wp(init1; ... ; initm; tn r-. ••• r-. trx-l r-. trx; 7, 8 
rec := Nix, true) 
10 wp ( init1; ... ; initm; tn r-. ••• r-. trx-l r-. trx, 9 
wp(rec :=Nix' true)) 
11 wp(init1; ... ; initm; tr1 r-. ..• r-. trx-l r-. trx, true) 10 
D 
Le1n1na 12. If t?· is a sequence of events in LOOP such that ｾ｣ｰＮｺ＠ E CJ(t?·) • 
cp E CP, and lVI is a B machine with machine reference z, then wp(t1·, Q) ::::? 
wp(tr t z.alvf, Q) where Q is a predicate on the state of M. 
Proof. Vve prove this lemma by using the Principle of Induction on tr. 
Base case : tr = () 
1 tr = 0 Initial assumption 
2 wp(tr, Q) = Q 1, Definition 13 
3 t?· I z.alvf = 0 1 
4 wp(tr I z.alvf, Q) = Q 3, Definition 13 
5 wp(t1·, Q) = wp(t?· I z.alvf, Q) 2, 4 
6 wp(tr, Q)::::? wp(tr t z.aM, Q) 5 
92 CHAPTER 3. lviOBILE CSP II B 
Inductive case 1: (e) ,.-.., tr' 
Assume Inductive Hypothesis for tr' . 
1 wp( (e) ,.-.., tr', Q) Initial asstunption 
2 wp(tr', Q) 1, Definition 13 
3 wp(tr', Q) =} wp(tr' f z.alv!, Q) Induction assumption 
4 wp( tr' I z.a.Atf, Q) 2, 3 
5 t1·' I z.cv.AI/ =((e),.-.., t1·') I z.a.AI/ e f/:. z.cv.M 
6 wp(((e) ,.-.., tr') f z.a.Jv!, Q) 4, 5 
Inductive case 2: (c.x) ,.-.., tr' 
Assume Inductive Hypothesis for tr'. The proof has the same structure as the 
proof of Inductive case 1 but we consider c.x instead of e. 
Inductive case 3: (cp.w) ,.-.., tr' 
Asstune Inductive Hypothesis for tr'. There are two possibilities for cp: 
1. cp E Xo(LOOP) 
2. cp E Xi(LOOP) 
Situation 1: cp E Xo(LOOP) 
1 cp E Xo(LOOP) Situation 1 
2 wp ( ( cp. w) ,.-.., tr', Q) Initial assumption 
3 assert( cpw) 1\ wp( tr', Q) 2, 1, Definition 13 
4 wp ( tr', Q) 3 
5 wp(tr', Q) =} wp(tr' f z .a.Jv!, Q) Induction assumption 
6 wp(tr' f z.cv.M, Q) 4, 5 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS IviACHINES 93 
7 tr' ｾ＠ z.aNI = ((cp.w) r'. tr') ｾ＠ z.aAif cp.w ¢:. z.aM 
8 wp(((cp.w) r'. tr') f z.aM, Q) 6, 7 
Situation 2: cp E Xi(LOOP) 
We assume w is the reference oflnachine 1111 . In addition, we assume VAR(z : lv!) 
and VAR( w : Aifl) are the set of all variables in z : Aif and w : M1 respectively. 
1 cp E Xi(LOOP) 
2 wp ( ( cp. w) r'. tr', Q) 
3 asser·t(cpw) ==> wp(tr', Q) 
4 wp(tr', Q) ==> wp(tr' f z.aM, Q) 
5 assert( cpw) ==? wp( tT1 ｾ＠ z .aNI, Q) 
6 wp(tT' ｾ＠ z.aNI, Q) 
7 tT1 f z .aNI = ( ( cp. w) r'. tr') f z .aNI 
8 wp(((cp.w) r'. tr') ｾ＠ z.aM, Q) 
Inductive case 4: (z.op.s.t) r'. tr' 
Assume Inductive Hypothesis for tr'. 
1 wp ( ( z. op. s. t) r'. tr', Q) 
2 wp(t f-- z.op(s), wp(tT1 , Q)) 
3 wp(tT1, Q) ==? wp(tr' ｾ＠ z.aNI, Q) 
Situation 2 
Initial assumption 
2,1, Definition 13 
Induction assumption 
3, 4 
5, var(Q) n vaT(asseTt(cpw)) = 0 
VAR(z: M) n VAR(w: M1) = 0 
asser·t(cpw) = True V asseTt(cpw) =False 
cp.w tJ. z.aM 
6, 7 
Initial assumption 
1, Definition 13 
Induction assumption 
4 wp(t f-- z.op(s), wp(tr·' f z.aM, Q)) 2, 3 
5 wp((z.op.s.t) r'. (tr' f z.alltf), Q) 4, Definition 13 
94 CHAPTER 3. lvfOBILE CSP II B 
6 (z.op.s.t) "'(tr' f z.cdvi) = ((z.op.s.t) "'tr') I z.aM z.op.s.t E z.aM 
7 wp( ( (z. op.s. t) "' tr') f z.alv!, Q) 5, 6 
Inductive case 5: (w.op.s.t)"' tr' • w f= z 
Assume Inductive Hypothesis for tr'. We assume w is the reference of machine 
M1. In addition, we assume VAR(z : l\1!) and VAR( w : Ml) are the set of all 
variables in z : !vi and w : M1 respectively. 
1 wp((w.op.s.t) "'tr', Q) Initial assumption 
2 wp(t ｾ＠ w.op(s), wp(tr', Q)) 1, Definition 13 
3 wp ( t1·', Q) => wp ( tr' I z. al\11, Q) Induction assumption 
4 wp(t ｾ＠ w.op(s), wp(tr' I z.al\11, Q)) 2, 3 
5 wp ( tr' r z .al\11) Q) 4, VAR(z : M) n VAR( w : l\1!1) = 0 
6 t?'1 t z .al\11 = ( ( w. op .s. t) "' tr') t z .aM w.op.s.t f/. z.alvf 
7 wp(((w.op.s.t) "'tr') I z.al\II, Q) 5, 6 
D 
Corollary 4. If tr is a sequence of events in LOOP such that ｾ｣ｰＮｺ＠ E (J"(tr) • 
cp E CP, and M is a B machine with machine reference z, then wp ( tr, true) =? 
wp(tr I z.al\11, true). 
Proof. This corollary follows from Lemma 12 using true for Q. 
D 
Lmnn1a 13. LOOP sat 
(foot(t1·) = cp.z 1\ cp E Xo(LOOP)) =? wp(init1; ... ; initm; tr, assert(cpz)) 
Proof. This le1nma follows from Lenuna 11. 
3.6. DIVERGENCE FREEDOlvl OF A CONTROLLER AND ITS 1\tJACHINES 95 
1 wp( init1; ... ; initm; t1·, true) Lemma 11 
2 wp(init1; ... ; initm; front(tr) ""(cp.z), true) 1 
3 wp(init1; ... ; initm; front(tr), wp((cp.z), true)) 2 
4 wp( ( cp.z), true) = assert( cpz) Definition 13, 
cp E Xo(LOOP) 
5 wp((cp.z), assert(cpz)) = assert(cpz) Definition 13, 
cp E Xo(LOOP) 
6 wp((cp.z), t?'Ue) = wp((cp.z), assert(cpz)) 4, 5 
7 wp(init1; ... ; initm; front(tr), wp((cp.z), assert(cpz))) 3, 6 
8 wp(init1; ... ; initm; front(tr)"" (cp.z), assert(cpz)) 7 
9 wp(init1; ... ; initm; tr, assert(cpz)) 8 
D 
Lmn1na 14. If z1 , z2, ... Zm are the machine references forB machines M1, M2, ... !VIm. 
respectively, then: V 1 ｾ＠ i ｾ＠ m • LOOP sat 
foot(tr) = cp.Zi } 
cp E Xo(LOOP) ==} wp(init1; ... ; initm; tr I Zi.alvfi, assert(cpzJ) 
ｾ､ｰ＠ E CP • dp.zi E (J(jront(tr)) 
Proof. This lemma follows from Lem1na 12 and Lemma 13. 
1 wp(initt; ... ; initm.; t1·, assert(cpzi)) Lemma 13 
2 wp(init1; ... ; initm; fTont(tr)"" (cp.zi), asse?·t(cpzi)) 1 
3 wp(init1; ... ; initm.; front(tr), wp((cp.zi), assert(cpzJ)) 2 
4 wp( ( cp.zi), assert( cpzi)) = assert( cpZi) Definition 13, 
cp E Xo(LOOP) 
96 CHAPTER 3. JviOBILE CSP II B 
5 wp(init1; ... ; initm; front(tr), assert(cpzJ) 3, 4 
6 wp(init1; ... ; initm, wp(front(tr), assert(cpzi))) 5 
7 wp(front(tr), assert(cpzJ) => Lemma 12 
wp(jront(tr) f Zi.a]llfi, assert(cpzJ) 
8 wp(init1; ... ; initm, wp(front(tr) f Zi.aNii, assert(cpZi))) 6, 7 
9 wp(init1; ... ; initm; front(t?·) I Zi.aMi, assert(cpzJ) 8 
11 wp(init1; ... ; initm; (front(tr) ,-,. (cp.zi)) f Zi.aMi, 9, 10 
assert(cpZi)) 
0 
The lemma above establishes that whenever LOOP is giving one of the 1nachines 
it owns initially to another controller through a control point, the state of the 
machine satisfies the assertion of that control point. 
Le1uma 15. If z1, z2, ... Zm are the machine- references for B machines l!vh, ｾｦｴＯｨＬ＠ ... JI/Im 
respectively, then: V 1 ｾ＠ i ｾ＠ m • LOOP sat 
Proof. This lemma is a result of Lemma 11, Corollary .4 and Lemma 1. 
1 wp(init1; ... ; initm; tr, true) Lemma 11 
2 wp(init1; ... ; initm , wp ( tr, true)) 1 
3 wp(init1; ... ; initm, wp(tr I Zi.O!Mi, true)) 2, Corollary 4 
4 wp( init1; ... ; initm; tr f Zi.aMi,true) 3 
5 wp(initi; tr I Zi.al!v.li, true) 4 
6 tr f Zi.odv.li ¢ V[zi : Mi] 5, Lemma 1 
0 
3.6. DIVERGENCE FREEDOlvi OF A CONTROLLER AND ITS l11IACHINES 97 
Lmn1na 16. If z1, z2, ... Zm are the machine references for B machines Ivh, lvf2, ... !Ylm 
respectively, then: V 1 ｾ＠ i ｾ＠ m • LOOP sat 
foot(tr) = cp.zi } 
cp E Xo(LOOP) ==> tr t Zi.O'.Mi rJ. V[zi : .1\fi] 
ｾ､ｰ＠ E CP • dp.Zi E a(front(tr)) 
Proof. This lemma follows frmn Lem1na 14. 
1 wp(init1; ... ; initm; tr t Zi.CV.Mi, assert(cpzJ) Lemma 14 
2 wp ( initi; tT t Zi .al\1i, assert ( cpzi)) 1 
0 
The next corollary follows ilnmediately frmn ｌ･ｭｮｾ｡＠ 15 and Lemma 16. 
Corollary 5. The pa1·allel combination between LOOP and any machine it owns 
initially is divergence free from the beginning of the execution and as long as they 
are working with each otheT. If LOOP gives one of these machines to another 
controller, the parallel combination between LOOP and that machine is divergence 
free from the beginning of the execution until it gives it to another controller. 
Le1n1na 17. If M is a B machine with machine reference z, then: LOOP sat 
tr = tn "' ( cp. z) "' tr2 } 
cp E Xi(LOOP) ==> (assert(cpz) => wp(tr2 t z.al\1, true)) 
ｾ､ｰＮｺ＠ E a(tr2) • dp E CP 
Proof. This lemma follows from Corollary 4 and Lemma 11. 
98 CHAPTER 3. l\IIOBILE CSP II B 
1 wp(tT2 1 true)=> wp(tr2 f z.aJvf, true) Corollary 4 
2 wp(init1; ... , initm; tr, t?·ue) Lem1na 11 
3 wp(init1; 
... ' initm; tr1 r-. ( cp. z) r-. tr2, true) 2 
4 wp(init1; ... , initm; tr1 r-. (cp.z), wp(tr2, true)) 3 
5 wp(init1; • • • l initm; trl r'\ (cp.z), wp(tr2 r z.alllf, true)) 4, 1 
6 wp(init1; ... , initm; tr1 r-. (cp.z) r-. (tr2 f z.aA1), true) 5 
7 wp(init1; ... , initm; ｴｲｾＬ＠ wp((cp.z) r-. (tr2 ｾ＠ z.alvi), true)) 6 
8 wp(init1; ... , initm; tr1, assert(cpz) => wp(tr2 f z.aM, true)) 7, Definition 13, 
cp E Xi(LOOP) 
9 assert( Cpz) ｾ＠ Wp( tr2 f Z .aJvf, i?'Ue) 8 
D 
Le1n1na 18. If lvf is a B machine with machine ?'eference z and trz is the trace 
of M when it is given to LOOP and trz is not a divergence, then: LOOP sat 
tr = tr1 r-. ( cp.z) r-. t?·2 } _...._ 
cp E Xi(LOOP) -7 (assert(cpz) => trz r-.(tr2 f z.a.M) ¢ V[z: 111]) 
ｾ､ｰＮｺ＠ E o-(tr2) • .dP E CP 
Proof. This lemma follows from Lenuna 17. We asstnne in it is the Initialisation 
clause of 1nachine lvf. 
1 asse1·t( cpz) =? wp( init; t?·z, assert( cpz)) Definition of trz 
2 assert(cpz) => wp(t12 f z.alvf, true) Lemn1a 17 
3 assert(cpz) => wp(init; trz, wp(t72 r z.alvf, true)) 1, 2 
4 asse?·t(cpz) => wp(init; trz r'\ (tr2 r z.a.lvi), tnte) 3 
5 assert ( cpz) => trz r-. ( t12 f z .a !vi) ¢ V[ z : lv!] 4, Le1nma 1 
D 
3.6. DIVERGENCE FREEDOl\1 OF A CONTROLLER AND ITS JMACHINES 99 
Le1nma 19. If M is a B machine with machine 1·ejerence z, then: LOOP sat 
tr = tn r-- ( cp. z) r-. trz 
cp E Xi(LOOP) 
foot(tr2) = dp.z ===? (assert(cpz) ==? wp(tr2 f z.aM, asseTt(dpz))) 
dp E Xo(LOOP) 
ｾ･ｰＮｺ＠ E a(front(tr2)) • ep E CP 
PToof. This lemma follows fr01n Lemma 12 and Lemma 13. 
1 wp(init1; ... ; initm; t·r, assert(dpz)) Lemma 13 
2 wp(init1; ... ; initm; tr1 r-. (cp.z) r-. tr2, assert(dpz)) 1 
3 wp(init1; . .. ; initm; t1·1 r-. (cp.z) r-. front(tr2), 2 
wp( ( dp.z), assert( dpz))) 
4 wp((dp.z), assert(dpz)) = assert(dpz) Definition 13, 
dp E Xo(LOOP) 
5 wp(init1; ... ; initm; tn r-. (cp.z) r-. jTont(t72), asseTt(dpz)) 3,4 
6 wp(init1; ... ; ini4ni tr1 r-. (cp.z), wp(fmnt(tr2), assert(dpz))) 5 
7 wp(jTont(tT2), assert(dpz)) ==? Lemma 12 
wp(jTont(tT2) f z.cv.M, asseTt(dpz)) 
8 wp( init1; ... ; initm; tTl r-. ( cp.z), 6, 7 
wp(front(t72) f z.cv.M, asseTt(dpz))) 
9 wp ( init1; ... ; initm; tTl, 8 
wp((cp.z) r-. (front(tr2) f z.cv.M), asseTt(dpz))) 
10 wp( init1; ... ; initm; tr1, 9, Definition 13, 
assert(cpz) ==? wp(front(tr2) f z.cv.lvf, assert(dpz))) cp E Xi(LOOP) 
11 assert(cpz) ==? wp(front(trz) f z .alvf,assert(dpz)) 10 
12 jmnt(tr2) f z.cv.lvf = (front(tr2) r-. (dp.z)) f z .aM dp.z ｾ＠ z.cv.M 
-- - - ----------------- -----------
100 CHAPTER 3. !viOBILE CSP II B 
13 assert(cpz) =* wp((front(t12),....... (dp.z)) t z.aM, assert(dpz)) 11, 12 
14 assert( Cpz) =* wp( t12 r z.aM, asse?·t( dpz)) 13 
D 
The le1nma above establishes that if LOOP receives a machine with the correct 
state according to the assertion of that control point, then whenever it passes that 
machine to another controller through a control point, the state of the machine 
satisfies the assertion of that control point. 
Le1nn1.a 20. If M is a B machine with machine reference z, then: LOOP sat 
tr = tr1 ,....... ( cp.z) ,....... tr2 
cp E Xi(LOOP) 
foot(tr2) = dp.z ==> (assert(cpz) =* wp(tr2 t z.aM, true)) 
dp E Xo(LOOP) 
ｾ･ｰＮｺ＠ E O"(front(tr2)) • ep E CP 
Proof. This len1.n1.a follows frmn Lemn1.a 19. 
1 assert(cpz) =* wp(tr2 t z.al\1, assert(dpz)) Lemma 19 
2 assert(cpz) =* wp(tr2 I z.aM, true) 1, assert(dpz) =*true 
D 
Le1n1na 21. If Ill[ is a B machine with machine 1·ejerence z and trz is the trace 
of Ill[ when it is given to LOOP and trz is not a divergence, then: LOOP sat 
tr = tr1 ,....... ( cp.z) ,....... tr2 
cp E Xi(LOOP) 
foot(tr2) = dp.z ==> (assert(cpz) =* trz "(t12 t z.aM) t/:. V[z: M]) 
dp E Xo(LOOP) 
ｾ･ｰＮｺ＠ E (J'(front(tr2)) • ep E CP 
Proof. This le1nma follows frmn Lemma 20. We assume init is the Initialisation 
clause of machine /1!1. 
3. 7. DIVERGENCE FREEDOlVf OF THE VII-IOLE SYSTElvi 101 
1 asseTt( cpz) => wp( init; trz, assert( cpz)) Definition of trz 
2 assert(cpz) => wp(tr2 f z.alvl, t?·ue) Lemma 20 
The rest of the proof has ·the same structure as Lemma 18. 
0 
The next corollary follows frmn Le1nma 18 and Len1ma 21. 
Corollary 6. If LOOP receives a machine with the correct state according to the 
assertion of that control point and if the machine does not have divergence until 
the point it is being passed to LOOP, then the parallel combination between LOOP 
and that machine is divergence free as long as they are working with each other. If 
LOOP gives that machine to another controller, the parallel combination between 
LOOP and that machine is divergence free 'until LOOP gives that machine to 
another contmller. 
Corollary 5 and Corollary 6 establish Theorem 1. Hence according to Theorem 
1, if LOOP is a divergence free CSP controller and if for each Ni (1 ｾ＠ i ｾ＠ n) in 
LOOP, a Control Loop Invariant, CLii, can be found such that the two conditions 
in Definition 11 are satisfied, then the parallel combination between LOOP and 
any machine it works with during the execution is divergence free as long as the 
state of the machines LOOP receives always satisfy the related assertions and 
they do not have divergence until the point they are passed to LOOP. 
Exatnple 5. Consider LOOP1 and lvl in Figu?·e 3.2 in which LOOP1 owns M 
initially. LOOP1 is established to be divergence free (e.g. by using FDR, see 
Chapter 4). In addition, in Example 4, we have established that LOOP1 is CLI 
p?·ese'rver. Therefore according to Theorem 1, the parallel combination between 
LOOP1 and !vi is divergence free from the beginning of the execution until LOOP1 
passes lvl to another contmller through control point cp. Also, if the variable n of 
the machines it receives during the execution through contml point dp are always 
0, then the parallel combination between LOOP1 and any machine it receives 
through dp is diveryence free. In Figure 3.2, we assumed that the system contains 
only one B machine, lvf. Therefore, if the variable n of M is 0 whenever it is 
passed to LOOP1 through dp, then the parallel combination between LOOP1 and 
lvf is divergence free until LOOP1 gives lvl to LOOP2 through cp. 
3. 7 Divergence freedom of the whole system 
In this section we discuss how divergence freedom of a mobile combined commu-
nicating system can be established. If the parallel cmnbination of CSP controllers 
102 CHAPTER 3. lviOBILE CSP II B 
is not divergence free, then the whole system will have divergence. Therefore, 
the first step is to establish that the CSP part of the system is divergence free. If 
the CSP part is divergence free, then ｡ｲｾＮｹ＠ divergence in the systen1 can only arise 
from the B machines. Thus, the second step in divergence freedmn verification is 
to establish that the operations of all machines in the system are always called 
inside their precondition by the controllers during the execution. 
If the CSP controllers in a syste1n have the following four conditions, then the 
operations of all B machines in the syste1n will always be called inside their 
precondition at all the thne during the execution: 
1. If a controller has a 1nachine initially, it always calls the machine's opera-
tions inside their precondition. 
2. If a controller receives a machine with the correct state according to the 
related assertion, then it always calls the n1achine's operations inside their 
precondition. 
3. Whenever a controller gives a machine it owns initially to another controller, 
it always passes that n1achine to the receiver ·controller with the correct state 
according to the related assertion. 
4. If a controller receives a machine with the correct state according to the 
assertion of that control point, then whenever it gives that machine to 
another controller, it always passes that machine to the receiver controller 
with the correct state according to the related assertion. 
We have already proved in previous section that all four conditions above exist 
in a CSP controller if it is CLI preserver. Therefore, if all CSP controllers in the-
system are CLI preserver, then the operations of all B machines are always called 
inside their precondition during the execution which then results the divergence 
freedom of the whole systen1. 
The remainder of this section presents the steps towards proving that in order 
to establish the divergence freedon1 of the overall combination, it is sufficient to 
establish that the parallel combination of the CSP controllers is divergence free 
and all controllers in the system are CLI preserver. 
The lemma below establishes that in a system containing only one B machine, if 
the parallel combination of controllers is divergence free and all controllers are CLI 
preserver, then whenever this machine is exchanged between two controllers, it 
will always be exchanged with the correct state according to the related assertion. 
3. 7. DIVERGENCE FREEDOlvi OF THE H'I-IOLE SYSTElvi 103 
Lem1na 22. Supposing LOOP1 , LOOP2, ... , LOOP11 are the CSP controllers and 
M is the only B machine in a mobile combined communicating system. If the 
parallel combination of controllers is diveTgence fTee and all controlleTs aTe CLI 
preserve?", then: LOOP1 II LOOP2 II .... II LOOPn II z : M sat 
V cp E CP • (cp.z E u(tT) => wp(init; tT1 t z.aM, assert(cpz))) 
wheTe z is the reference of machine NI, init is the Initialisation clause of machine 
IV! and t?·' :::;; t1· 1\ foot( tr') = cp.z. 
PToof. We prove this lemma by using the Principle of Induction on the nmnber 
of control points CPk in tr. cpk is the k th control point in tT. 
Base case: k = 1 
we want to prove that the le1nma is true for the first control point cp1. In other 
words, we want to prove that: 
wp(init; tTl t z.aNI, asseTt(cplz)) where tn:::;; tr 1\ foot(tTl) = cp1.z 
Vve assume cp1 E Xo(LOOPj)· LOOPj is the first controller which works with 111 
frmn the beginning of the execution until it gives NI to another controller along 
CPl· 
1 tTl :::;; tT 1\ foot(trl) = Cpl.Z Initial assumption 
2 cp1 E Xa(LOOPj) Initial assumption 
3 ｾ｣ｰ＠ E CP • cp.z E u(!Tont(tTl)) Initial assumption 
4 tr{ = tT1 f x(LOOPj), s(LOOPj) Introducing tT{ 
5 wp( init; tT{ r z.aNI' assert( CPlz)) 1, 2, 3, 4, Le1nma 14 
6 tT{ f z.a111 = tTl f z.aNI 1, 2, 3, 4 
7 wp(init; tr1 t z.aM, assert(CPlz)) 5, 6 
Inductive case: 
we want to prove that if the len1ma is true for the first k number of control points 
cpkl then it is true for the first k + 1 number of control points CPk+l· In other 
words, we want to prove that: 
wp( in it; tTk f z .aNI, assert( CPkz)) => wp( init; trk+l f z .all([, assert( CPk+lz)) 
where trk:::;; tT 1\ foot(trk) = cpk.z 1\ trk+l:::;; tT 1\ foot(trk+l) = CPk+l·z· 
We assume cpk E Xi(LOOPx)· '\Vhen LOOPx receives M along cpk, it is the only 
controller which works with M until it gives M to another controller along CPk+l· 
-----------------------'----------'-- ------- _j 
104 CHAPTER 3. 1\IIOBILE CSP II B 
4 wp(init; trk t z.aJ!.1, assert(cpkz)) 
6 ｾ｣ｰＮｺ＠ E cr(front(a)) • cp E CP 
7 assert(cpkz) ==> 
wp((a t x(LOOPx), s(LOOPx)) t z.alVI, 
assert ( CPk+ 1 z)) 
8 (a t x(LOOPx), s(LOOPx)) t z.alVI = a t z.aM 
9 assert(cPkz) ==> wp(a t z.alv!, assert(CPk+Iz)) 
10 wp( init; trk t z.aM, wp(a t z.aM, assert(CPk+lz))) 
11 wp(init; (trk t z.all1) r-.. (a t z.aM), assert(cPk+Iz)) 
12 wp( init; (trk r-.. a) t z.aM, assert(CPk+Iz)) 
13 wp( init; trk+l t z.alVI, assert(CPk+Iz)) 
Initial assumption 
Initial assumption 
Initial assumption 
Induction assumption 
Introducing a 
Initial assmnption 
1, 2, 3, 5, 6, Lemma 19 
1, 2, 3, 5, 6 
7, 8 
4, 9 
.10 
11 
12 
D 
Now, we are able to provide a theorem that demonstrates the conditions for 
divergence freedmn of mobile combined com1nunicating syste1ns containing only 
one B machine. 
Theore1n 2. Supposing LOOP1, LOOP2, ... , LOOPn a·re the CSP controllers and 
!VI is the only B machine in a mobile combined communicating system. If the 
parallel combination of controllers is divergence free and all controllers are CLI 
pTeserver, the.n the whole system, SYS = LOOP1 II LOOP2 II .... II LOOPn II z : 
M, is divergence free where z is the Teference of machine M. 
Proof. This theorem follows fron1. Lemn1.as 1, 15, 17 and 22. 
3. 7. DIVERGENCE FREED ON£ OF THE WIIOLE SYSTElvi 105 
1 D[LOOP1 II LOOP2 II .... II LOOPn] = 0 Initial assun1ption 
2 tr E traces ( SYS) Introducing arbitrary tr 
3 ｾ｣ｰＮｺ＠ E a(tr) • cp E CP V 3 cp.z E a(tr) • cp E CP 2 
Situation 1: ｾ｣ｰＮｺ＠ E a(tr) • cp E CP 
4 ｾ｣ｰＮｺ＠ E a(tr) • cp E CP Situation 1 
5 31 ｾ＠ j ｾ＠ n • z E s(LOOPj) Initial owner of M 
6 (tr I x(LOOPj), s(LOOPj)) I z.aM tf: V[z: M] 4, 5, Lem1na 15 
7 (tr I x(LOOPj), s(LOOPj)) I z.alvf = tr I z.afl;J 4, 5 
8 tr I z.aM rJ. D[z: M] 6, 7 
9 \f tr E traces(SYS) • 2, 4, 8 
ＨＨｾ｣ｰＮｺ＠ E a(t?·) • cp E CP) =? tr I z.aM tf: V[z : M]) 
Situation 2: 3 cp.z E a(tr) • cp E CP 
10 3 cp.z E a(tr) • cp E CP Situation 2 
11 3 cp E CP • 10 
(tr =a,...... b 1\ foot( a)= cp.z 1\ ｾ､ｰＮｺ＠ E a( b) • dp E CP) 
12 wp(init; a I z.alv!, assert(cpz)) 11, Lemma 22 
13 31 ｾ＠ x ｾ＠ n • cp E Xi(LOOPx) cp E CP 
14 assert(cpz) =? wp((b I x(LOOPx), s(LOOPx)) I z.aM, true) 11, 13, Lemma 17 
15 (b I x(LOOPx), s(LOOPx)) f z.alt;f = b f z.aM 11, 13 
16 assert(cpz) =? wp(b I z.alv!, true) 14, 15 
17 wp( init; a I z .aM, wp( b I z .aM, true)) 12, 16 
18 wp(init; (a I z.aM),...... (b I z.aM), true) 17 
106 CHAPTER 3. lviOBILE CSP II B 
19 wp(init; (a,...... b) I z.cxl\11, true) 18 
20 wp(init; tr I z.aM, true) 19 
21 tr I z.aM tj.V[z: M] 20, Lemn1a 1 
22 V tr E traces(SYS) • 2, 10, 21 
((3 cp.z E CJ(tr) • cp E CP) * tr I z.aM tj. V[z : N£]) 
Now, we can achieve the following result from Situations 1 and 2: 
23 V tr E traces(SYS) • tr I z .aM tj. V[z : M] 9, 22 
24 V[SYS] = 0 1, 23 
0 
The next theoren1 follows immediately from Theore1n 2. It states the conditions 
which are sufficient to establish the divergence freedom of a mobile combined 
comn1unicating system containing more than one B machines. 
Theore1n 3. Supposing LOOP1, LOOP2 , ... , LOOPn are the CSP controllers 
and 1\lh, M2, ... , Mm are the B machines in a mobile combined communicating 
system. If the parallel combination of controlle1·s is divergence free and all con-
trollers are CLI prese1·ver, then the whole system, SYS = LOOP1 II LOOP2 II 
.... II LOOPn II z1 : l\111 II Z2 : Aif2 II ... II Zm : Mm, is diveryence free where 
z1 , Z2, ... Zm a1·e the machine references for B machines l\if1, J\112, ... Mm respec-
tively. 
Proof. We prove this theorem by contradiction. \Tile assume that the system is 
not divergence free. 
1 V[SYS] # 0 Contradictory assumption 
2 tr E V[SYS] 1, Introducing arbitrary tr 
3 V[LOOP1 II LOOP2 II .... II LOOPn] = 0 Initial assun1ption 
4 V 1 ｾ＠ j ｾ＠ m • Theorem 2 
V[LOOP1 II LOOP2 II .... II LOOPn II Zj : Mj] = 0 
4 
6 tr tj. V[ SYS] 3, 5 
3.8. DEADLOCK FREEDOlvi 107 
This result is a contradiction, thus establishing the theorem. D 
3.8 Deadlock freedom 
This section establishes conditions-on controllers and B 1nachines which are suf-
ficient to ensure the deadlock freedom of our mobile syste1n. 
Deadlock can occur because of two different reasons during the execution of the 
syste1n. One of these reasons is in CSP part and the other one is in B part as 
described below: 
1. The parallel cmnbination of CSP controllers is not deadlock free. Therefore, 
deadlock occurs during the system execution while controllers are working 
in parallel. 
2. During the execution, we achieve a situation in which one or more opera-
tions are the only possible events which can happen next but the execution 
of all of them is blocked. These operations can either belong to one sin-
gle B machine or can belong to different B machines in the ｳｹｳｴ･ｾｮＮ＠ In 
other words, deadlock can occur when all the machines whose one or more 
operations are the only next possible events are not able to execute those 
operations. The execution of an operation can be blocked because of one 
of the reasons below: 
• The guard is false so the execution is blocked. 
• The guard is true, but there is blocking statement in the body of the 
operation which is blocked and so the execution is blocked. 
• The operation is pre-conditioned, so there is no guard to be false, 
but there is blocking stateinent in the body of the operation which is 
blocked while the precondition is true and so the execution is blocked .. 
According to the first rule presented in Section 3.3 for B machines, the body of 
operations in B 1nachines are not allowed to contain blocking staten1ents. There-
fore, if all B 1nachines in the systen1 contain only pre-conditioned operations, 
then the B machines do not contribute to any deadlocking behaviour. This is 
because preconditions do not block, and we are not allowing blocking statements 
within the bodies of operations. 
According to all explanations above, the theore1n below is presented for estab-
lishing the deadlock freedom of a systen1 in which the CSP part is deadlock free 
and the operations in all B 1nachines are pre-conditioned. In addition, the theo-
renl is based on the fact that the systen1 should have already been proved to be 
108 CHAPTER 3. NIOBILE CSP II B 
divergence free. The reason for adding this condition is that if a divergent state 
is reached, there is no guarantee about the behaviour of the system afterwards. 
A divergent systen1 may refuse all events and stay in the divergent state. In other 
words, the set of all possible events might be the refusal of the system. If the 
syste1n has divergence, the deadlock 1nay always occur after the syste1n reaches 
divergent state. So, a non divergence free system may always have deadlock. 
Therefore, there is no point to check deadlock freedom of a non divergence free · 
system because it always 1nay have-deadlock after the divergent state. As a result, 
we concentrate here to prove the deadlock freedom of a mobile system which is 
divergence free. The failures of a system consists of both stable failures and the 
faihu·es resulted by divergences. Thus, if the system is divergence free, then the 
failures are the same as the stable failures. We have already proved Theorem 3 
for establishing the divergence freedmn in mobile combined cmnmunicating sys-
tems. By using Theormn 3, we are able to establish the divergence freedom of 
the system. 
Theore1n 4. Supposing LOOP1, LOOP2 , ••• , LOOPn are the CSP controllers 
and lvf1, l\1!2, ... , Mm are the B machines in a mobile combined communicating 
system such that all B machines contain only pre-conditioned operations and the 
system is divergence free. If the parallel combination of controllers is deadlock 
free, then the whole system, SYS = LOOP1 II LOOP2 II .... II LOOPn II Zt : 
Mt II z2 : lvf2 II ... II Zm : Mm, is deadlock free where z1, z2, ... Zm are the machine 
references forB machines Mt, M2, ... Mm respectively. 
Proof. We prove this theorem by contradiction. We assume that the systmn is 
not deadlock free. 
So: 3 tr E traces(SYS) • (tr, E) E failures(SYS) 
We. introduce tr1, ... , trn, trM1 , ••• , trMm, Xt, ... , Xn, XM1 , •.. , XMm. as described 
below: 
trn = tr f x(LOOPn), s(LOOPn) 
ｴｮＬｾｨ＠ = tr f z1. a!Vft 
3.9. REFINElviENT 
(t?'n, Xn) E failures(LOOPn) 
(trMll XMJ E failures(l\1!1) 
(tr.Mm, XM11J E failures(Mm) 
xl u ... u Xn u XMl u ... u XMm = L: 
109 
1 X1 U ... U Xn U Xtvh U ... U XMm = L: Contradictory assumption 
2 V 1 ｾ＠ i ｾ＠ m • XMi = 0 Initial assun1ption 
4 3 a E L: • a lf. X1 U ... U Xn Initial assumption 
6 X1 U ... U Xn U XM1 U ... U XMm -f=. 2:.: 5 
This result is a contradiction, thus establishing the theorem. 
0 
3. 9 Refinement 
One important issue which is considered in our work is to allow the refine1nents 
of the components into our fran1ework. The intention is to be able to substitute a 
component by its refinement in such a way that the substitution does not violate 
the system consistency properties. In this section we prove that if we have a 
mobile combined communicating syste1n and this system is divergence free and 
deadlock free, then if we use a refinement of B machines or CSP controllers instead 
of the1n in the system, the system remains divergence free and deadlock free. This 
enables us to use a refinement of a cmnponent instead of the component in the 
system. 
110 CHAPTER 3. lviOBILE CSP II B 
3.9.1 Refinements of CSP controllers 
In this section, we prove that LOOP' a refine1nent of a CSP controller LOOP can 
be used instead of LOOP in the system. To achieve this, we should prove that 
all behaviour LOOP' can do in the system, LOOP is also able to do. Therefore, 
the substitution does not introduce any new behaviour in the system. Each CSP 
controller is working in parallel with other CSP controllers and with B machines 
in the system during the execution. Thus, we should prove that LOOP' does not 
introduce any new behaviour while working in parallel with other CSP controllers 
and with B machines in the systen1. 
Le1n1na 23. If P and Q are two CSP processes, then: 
ｸＨｐｾ＠ = x(P) ==> traces(P' II Q) ｾ＠ traces(P II Q) p c::: P' } 
s(P') = s(P) 
Proof. We introduce tr as an arbitrary trace of P' II Q. 
1 tr E traces(P' II Q) 
2 tr f x(P'), s(P') E traces(P') 1\ 
tr f X ( Q) , s ( Q) E traces ( Q) 
3 traces(P') ｾ＠ traces(P) 
Introducing arbitrary tr 
1 
p ｾｆ＠ P' 
4 tr f x(P'), s(P') E traces(P) 2, 3 
5 tT f x(P'), s(P') = tT f x(P), s(P) x(P') = x(P) 1\ s(P') = s(P) 
6 tT f x(P), s(P) E t1·aces(P) 4, 5 
7 tr f x(P), s(P) E traces(P) 1\ 2, 6 
tr f X( Q), s( Q) E traces( Q) 
8 tT E traces(P II Q) 7 
9 traces(P' II Q) ｾ＠ traces(P II Q) 1,8 
D 
3.9. REFINElviENT 111 
Le1n1na 24. If P and Q are two CSP processes, then: 
p .!;p P' } 
x(P') = x(P) ====> failures(P' II Q) ｾｦ｡ｩｬｵｲ･ｳＨ＿＠ II Q) 
s(P') = s(P) 
Proof. We introduce (tr, X) as an arbitrary failure of P' II Q. 
1 (tr, X) E failures(P' II Q) Introducing arbitrary ( tr, X) 
2 ((tr I x(P'), s(P')), Xpt) E failures(?') 1\ 1, Definition 9 
((tr ｾ＠ x( Q), s( Q)), Xq) E failures( Q) 1\ 
Xp,UXq=X 
3 failu'res(P') ｾｦ｡ｩｬｵｲ･ｳＨ＿Ｉ＠ p !;p P' 
4 ((tr f x(P'), s(P')), Xp,) E failures(P) 2, 3 
5 tr ｾ＠ x(P'), s(P') = tr I x(P), s(P) x(P') = x(P) 1\ s(P') = s(P) 
6 ((tr ｾ＠ x(P), s(P)), Xp') E failures(?) 4, 5 
7 ((t1· ｾ＠ x(P),s(P)),Xpt) Efailures(P) 1\ 2, 6 
((tr f X( Q), s( Q)), Xq) E failures( Q) 1\ 
XptUXq =X 
8 (tr, X) E failures(P II Q) ·7, Definition 9 
9 failures(?' II Q) ｾｦ｡ｩｬｵｲ･ｳＨ＿＠ II Q) 1, 8 
The next corollary follows hn1nediately from Lem1na 23 and Len1ma 24. 
Corollary 7. If P and Q are two CSP processes, then: 
P c P' } ｸＨｐｾ＠ = x(P) ====> P II Q !;p P' II Q 
s(P') = s(P) 
Now, we are able to present the following corollary. 
0 
112 CHAPTER 3. lviOBILE CSP II B 
Corollary 8. If LOOP1 , LOOP2, ... , LOOPn aTe the CSP controlleTs and M1, 
M 2 , ..• , li/Im are the B machines in a mobile combined communicating system, 
then: V 1 ｾ＠ i ｾ＠ n • 
LOOPi ｾｆ＠ ｌｏｏｐｾ＠ } 
x(LOOPD = x(LOOPi) ===> 
s(LOOPD = s(LOOPi) 
LOOPi II ( lljE({l, ... ,n}-{i}) LOOPj) II ( lljE{l, ... ,m} Zj : Mj) bF 
LOOP: II ( lliE({l, ... ,n}-{i}) LOOPj) II ( lljE{l, ... ,m} Zj : Mj) 
wheTe zr, z2, ... Zm aTe the machine TefeTences for B machines M1, M2, ... Mm 
respectively. 
Proof. This corollary follows from Corollary 7 and the fact that B n1achines are 
understood in our system as CSP processes. 
0 
Theorem 5. If a mobile combined communicating system is divergence free and 
deadlock free, then any refinement LOOP' of a CSP controller LOOP which 
has the same static channels as LOOP and owns the same machines initially 
as LOOP can be a substitute of LOOP in the system and the new system is 
guaranteed to be divergence j?·ee and deadlock free. 
Proof. This theorem follows from Corollary 8. 
0 
3.9.2 Refinements of B 1nachines 
As the refinement of a B machine is created in B environment, in this section 
we prove that a refinement machine created in B enviromnent is also a failure 
refinement of its abstract 1nachine in CSP environment. In order for a refinement 
machine !vi' to be a failure refinement of an abstract machine !vi, the traces and 
the failures of !vi' must be the subset of traces and failures of M respectively. 
At the beginning of this chapter, we described that a B machine can be seen as 
a CSP process if the body of its operations do not contain SELECT or ANY (or 
Let which is a special kind of ANY ) statements. This has been introduced in 
Section 3.3 as the first rule forB machines. Therefore, in order for a refinement 
machine to be used in our architecture, the body of its operations 1nust not 
contain SELECT or ANY (or Let which is a special kind of ANY) statements. 
As we mentioned at the beginning of Section3.9, we are considering a mobile com-
bined communicating system which has already been established to be divergence 
3.9. REFINENIENT 113 
free and deadlock free. According to our deadlock freedom verification strategy 
presented in Section 3.8, deadlock freedom is established in a system whose B 
1nachines contain only pre-conditioned operations. This results in the fact that 
all abstract B machines in the established deadlock free system contain only pre-
conditioned operations which also means that their refinement 1nachines contain 
only pre-conditioned operations. Continuing fron1 now, we will concentrate our 
proof on this. In addition, according to the second rule presented in Section 3.3 
forB n1achines, there must be no pre statement in the body of operations in any 
refinement machine which is used in our system. 
When an abstract 1nachine M is refined, the specification of its operations may 
change in its refinement 1nachine !vi'. As a result, the weakest precondition for a 
sequence of operations to achieve a post condition Q may be different in M and 
M'. Therefore, while using wp fonnulas, we should indicate that a wp is calculated 
according to the specification of operations in which one of the machines: !vi or 
!vi'. Thus, we introduce the definition below which is used to differ between the 
wp fonnulas in M and M' while using them in our proofs in this section. 
Definition 14. If M is a B machine with initialisation clause init and tr is a 
finite sequence of operations, then wp(tr, Q)M and wp(init; tr, Q)M represent 
the weakest precondition which is calculated according to the specification of op-
erations in 111. 
One requirement for a machine to be a refinement of an abstract machine is that 
whenever the abstract and refinement 1nachines are in linked states (the states 
that meet both the invariant of abstract machine and the invariant of refinement 
machine), then if the precondition of an operation is true in the abstract ma-
chine, it is guaranteed that the precondition of that operation is also true in the 
refinement machine. In other words, in any states ｴｬｾ｡ｴ＠ the abstract machine and 
its refinement can jointly be in, the precondition of an operation in a refinement 
machine should be true if the operation is within its abstract precondition. This 
is expressed formally as I 1\ J 1\ P:::} P' in [57] where I and J are the invariant of 
the abstract machine and the refinement machine respectively, and P and P' are 
the precondition of an operation in the abstract machine and in the refinement 
machine respectively. More details can be found in [57) Chapter 14. Based on 
this fact, we are able to present the following lemma. 
Le1n1na 25. Supposing M' is a refinement machine of abstract machine M and 
initM' and initM are the initialisation clauses of M' and M respectively. If tr is 
a finite sequence of operations in 1111 , then: 
wp(initM; tr, true)M:::} wp(initM'; tr, true)M' 
114 CHAPTER 3. l\IIOBILE CSP II B 
Proof. We prove this le1nma by using the Principle of Induction on tr. 
Base case : tr = () 
This case is easily proved as wp(initM, true)M = wp(initM'' true)M' =true 
Inductive case : tr' ,--,. ( op) 
Assume Inductive Hypothesis for tr'. tr' is a finite sequence of operations and 
op is an operation. We assume that the operation op is specified as op = 
PRE P THEN S END in M and as op = PRE P' THEN S' END in M'. 
We also assume that I is the invariant of the abstract machine M and J is the 
invariant of the refine1nent machine !vi'. 
1 wp(initM; tr', true)M::::} wp(initM'i tr', true)M' Induction asstunption 
2 wp(initM; tr', true)M::::} wp(initM; tr', I)M Internal consistency 
3 wp(initM'i tr', true)M'::::} wp(initM'i tr', J)M' Internal consistency 
4 wp(initM; tr', true)M::::} wp(initM'i tr', J)M' 1, 3 
5 wp(initM; tr', P)M::::} wp(initM; t1·', true)M P =*true 
6 wp(initM; t?·', P)M::::} wp(initM'i tr', P')M' 5, 2, 4, 
I 1\ J 1\ P * P' 
7 wp(initM; tr'; op, true)M = wp in M 
wp(initM; tr', wp(op, true)M)M 
8 wp( op, true)M = P wp(S, true)= true 
9 wp(initM; tr'; op, true)M = wp(initM; t1·', P)M 7, 8 
10 wp( init1v1; tr'; op, true)M::::} wp(initM'; tr', P')M' 9, 6 
11 wp(op, true)M' = P' wp(S', true)= t?'ue 
12 wp(initM; tr'; op, true)M::::} 10, 11 
wp(initM'i tr', wp(op, true)M')M' 
3.9. REFINElviENT 
13 
14 
15 
wp(initM'i tr', wp(op, true)M')M' = 
wp(initM'i tr'; op, true)M' 
wp(initM; tT'; op, true)M =? 
wp(initM'i tr'; op, true)M' 
wp(initM; tr'" (op), true)M =? 
wp(initM'i tT'" (op), true)M' 
115 
wp in M' 
12, 13 
14 
D 
Le1n1na 26. Supposing ll!f' is a refinement machine of abstract machine M and 
initM' and initM are the initialisation clauses of M' and lvl respectively. If tr is 
a finite sequence of operations in M', then: 
wp(initM; tr,false)M * wp(initM'i tr,false)M' 
Proof. We prove this lemma by using the Principle of Induction on tr. 
Base case : tr = () 
This case is easily proved as wp(initM,false)M = wp(initM',false)M' =false 
Inductive case : tr' " ( op) 
Assume Inductive Hypothesis for tr'. tr' is a finite sequence of operations and 
op is an operation. We assume that the operation op is specified as op 
PRE ｾ＠ THEN S END in M and as op = PRE P' THEN S' END in M'. 
1 wp(initM; tr'; op,false)M = wp in M 
wp(initM; tr', wp( op,false)M )M 
2 wp(op,false)M =false wp(S,jalse) =false 
3 wp(initM; tr'; op,false)M = 1, 2 
wp(initM; tr', false) M 
4 wp (in it M; tr' ,false) M =? Induction assumption 
wp( initM'; tr' ,false) M' 
5 wp(initM; tr'; op,false)M =? 3,4 
wp(initM'i tT',false)M' 
116 CHAPTER 3. 1\IIOBILE CSP II B 
6 wp( op, false )M' =false 
7 wp(initM'i tr'; op,false)M' = 
wp( ini(rvi'; tr', wp( op, false) M') M' 
8 wp(initM'i tr'; op,jalse)M' = 
wp( initM'; tr', false) M' 
9 wp(initM; tr'; op,false)M => 
wp(initM'i tT'; op,false)M' 
10 wp(init.M; t?·' ｾ＠ (op),false)M => 
wp( init.M'; tr' ｾ＠ ( op) ,false) M' 
wp(S',false) =false 
wp in lvf' 
6, 7 
5, 8 
9 
D 
The next three lemmas state that the traces, divergences and failures of a refine-
ment machine are always the subset of the traces, divergences and failures of its 
abstract machine respectively. 
Lem1na 27. If M' is a refinement machine of abstTact machine M, then: 
traces(M') ｾ＠ traces(lvf) 
Proof. This lemma follows from Lemma 26. We introduce tr as an arbitrary 
finite sequence of operations in lv/1• 
1 wp(initM; tr,false)M => Lenuna 26 
wp ( init.M'; tT, false) M' 
2 1 wp ( initM'; · tT, false) M' => 1 
1 wp(initM; t?',jalse)M 
3 wp( initM'; tr, tTue) M' => 2, Definition 2 
wp(initM; tr, tTue)M 
4 tr E traces(lvi') => tr E traces(M) 3, Definition 3 
5 traces(lv!') ｾ＠ traces(Jv!) 4, tr introduced arbitrarily 
0 
3.9. REFINElviENT 117 
Le1n1na 28. If M' is a refinement machine of abstract machine M, then: 
1J[Nl'] ｾ＠ V[l\1] 
Proof. This lemn1a follows from Lemma 25. We introduce tr as an arbitrary 
finite sequence of operations in Jvi'. 
1 wp(initM; tr, true)M ==> wp(initM'i tr, true)M' Lemma 25 
2 • wp(initM'i tr, true)M' ==> 1 
-, wp(initM; tr, true)M 
3 wp(initM'i tr,false)M' ==> wp(initM; tr,false)M 2, Definition 2 
4 tr E 1J[lvf'] ::::> tr E 1J[lvi] 3, Definition 5 
5 1J[ 1\11] ｾ＠ 1J[ Jvf] 4, tr introduced arbitrarily 
The next len1ma follows from Lem1na 27 and Lemma 28. 
Le1nma 29. If 1\11 is a refinement machine of abstract machine lvf, then: 
failures(M') ｾ＠ failures(M) 
0 
Proof. As lvf and M' contain only pre-conditioned operations with no guarded 
statements in their body, whenever one of their operations is called inside its pre-
condition in an stable state, they do not refuse the execution of that operation. 
In other words, all operations will always be executed in M and 1\111 if they are 
in a stable state. 
1 failures ( M) = { ( tr, {}) I tr E traces ( lvf)} U Initial assumption 
{(tr, X) I tr E 1J[M] 1\ ｘｾ＠ aM} 
2 failures(l\1') = {(tr, {})I tr E traces(l\11)} U Initial assmnption 
{(tr, X) I tr E 1J[M'] 1\ ｘｾ＠ alvi'} 
3 traces(M') ｾ＠ traces(M) Lemma 27 
4 {(tr, {})I tr E traces(M')} ｾ＠ 3 
{(tr, {})I tr E traces(M)} 
5 V[Jvi'] ｾ＠ 1J[M] Lemma 28 
118 CHAPTER 3. lviOBILE CSP II B 
6 alvf' 5; aM 
7 {(tr, X) I tr E V[JvJ'] 1\ ｘｾ＠ alvi'} ｾ＠
{(tr, X) I tr E V[M] 1\ ｘｾ＠ aM} 
8 failures(M') ｾｦ｡ｩｬｵｲ･ｳＨ＠ !vi) 
Refinement 1nachine 
5,6 
1, 2,4, 7 
The next corollary follows from Lemma 27 and Lemma 29. 
Corollary 9. If M' is a refinement machine of abstract machine Jvl, then: 
Jvf ｾｆ＠ Jvf' 
D 
Corollary 10. If LOOP1, LOOP2, .. . , LOOPn are the CSP controllers and M1, 
lvf2, . .. , kim are the B machines in a mobile combined communicating system, 
then: 
V 1 ::::; i ::::; m • Mi ｾｆ＠ Mf => 
LOOP1 II LOOP2 II ... II LOOPn II Zi : Mi II ( lljE({l, ... ,m}-{i}) Zj : Mj) ｾｆ＠
LOOP1 II LOOP2 II ... II LOOPn II Zi: M{ II ( lljE({l, ... ,m}-{i}) Zj : Mj) 
where z1, z2, ... Zm are the machine references for B machines M1, Nh, ... Mm. 
respectively. 
Proof. This corollary follows from Corollary 7 and the fact that B machines are 
understood in our system as CSP processes. 
D 
Theore1n 6. If a mobile combined communicating system is divergence fTee and 
deadlock free, then any refinement machine lvi' of an abstract machine M which 
satisfies the first and second rules pTesented in Section 3.3 forB machines can be 
a substitute of M in the system and the new system is guaranteed to be divergence 
free and deadlock free. 
Proof. This theorem follows from Corollary 9 and Corollary 10. D 
3.10 Discussion 
In this chapter we introduced otu· Mobile CSP II B framework. In the previ-
ous static version of CSP II B, for each operation in a B machine, there is one 
channel between that machine and its controller. However in our work, a ma-
chine's reference is the only channel through which a CSP controller and that B 
3.10. DISCUSSION 119 
machine can interact with each other. Despite static CSP II Bin which each con-
troller is dedicated for one B machine, we designed otu· framework in such a way 
that controllers are able to work with different machines during the execution. 
Controllers exchange 1nachines between each other by exchanging the 1nachine 
references. This results in two facts about our system architecture: 
1. In Tviobile CSP II B, we have introduced mobile channels: machine refer-
ences are n1obile channels and they can 1nove around the syste1n dm·ing the 
execution. 
2. In Jviobile CSP II B, 1nobile channels (1nachine references) are allowed to 
be passed between processes through static channels (control points) in the 
system. In other words, machine references are channels but they are also 
treated as value and they can be passed between processes through control 
point channels in the system. 
In addition, in this chapter we defined and verified the conditions which guar-
antee the divergence freedon1 and deadlock freedmn consistency of the systems 
specified and designed in Mobile CSP II B. However, the deadlock freedmn ver-
ification presented in this chapter has been focused on the systems in which the 
operations of B machines are all pre-conditioned. The CLI preserver definition 
which we introduced in this chapter as Definition 11 has a key role in consistency 
verification of the systems. In om· consistency verification strategy, all CSP con-
trollers must be CLI preserver which 1neans that the conditions in Definition 11 
1nust hold for all CSP controllers in the system. 
Refinements of the components are allowed into our Mobile CSP II B framework. 
In Section 3.9, we proved that a refinement of a cmnponent (either a CSP con-
troller or a B 1nachine) can be used instead of the component in the system and 
the substitution does not have any effect on the system consistency properties. 
In Jviobile CSP II B, we can also design systems in which control points carry 
more than one machine reference. In other words, controllers can exchange 1nore 
than one machine between each other at once and through one single control point 
channel. However, it should be ren1embered that all machines are passed in one 
direction from one sender to one receiver. In consistency verification, for this 
kind of control point we n1ust assign an assertion on the state of all the machines 
whose reference is passed along that control point. For instance, assume a system 
in which cp!z!w is in the body of controller LOOP1 and cp?x?y is in the body 
of controller LOOP2. In this system, whenever these two controllers synchronise 
on cp, two machines are passed frmn LOOP1 to LOOP2 at the san1e time and 
through one single control point channel cp. To verify the consistency of this 
system, for the control point cp we should assign an assertion on the state of 
both machines. 
120 CHAPTER 3. lviOBILE CSP II B 
B machines in l\!Iobile CSP. II B can be dropped from the system during the 
execution. This can be used to design systems in which some B machines might 
not be used anymore or should not be used any1nore during the execution and so 
they can be dropped from the system .. We are able to specify it in the body of 
CSP controllers. Whenever a n1achine should be dropped frmn the system, the 
variable referring to its reference should be dropped from the set of free variables 
in its controller. For instance, a CSP controller LOOP can be specified as below: 
LOOP= P1(z, w) 
P1(z, w) = z.op---+ P2(w) 
P2( w) = w. op---+ cp?x---+ P1 ( w, x) 
In the CSP controller LOOP above, process P 1 calls the operation op of a B 
machine with machine reference z and then z does not appear in the free variables 
in P2. Frmn now on, LOOP does not have access to z. Also, no other controller 
in the system has received z, so no other controller can access to that machine 
in the syste1n. This means that the B machine with machine reference z is no 
longer accessible in the system. 
Our 1nobile architecture enables us to design systems in which CSP controllers 
can terminate during the system execution. This can happen when SJ(JP appears 
in the body of a process. SJ(JP can be used in our framework to design systems 
in which controllers can finish their work dm·ing the system execution or even 
leave the system after finishing their work. It can be assumed that whenever 
a controller tenninates, the communication channels and control point channels 
between that controller and other controllers are automatically deleted from the 
system. This is because other controllers cannot synchronise with that controller 
any1nore on their com1non events so those cmnmon events can never happen again. 
This results in the fact that other controllers cannot communicate with that 
controller anymore on their cmnn1on com1nunication channels and they cannot 
also exchange machines with that controller any1nore on their common control 
point channels. 
Furthermore, it can be assumed that whenever a controller terminates, its ma-
chines will be dropped from the systen1 with their machine reference channel. 
The reason is that no other controller can ever access those 1nachines. In other 
words, other controllers can never receive any of those machines from that con-
troller as they cannot work with that controller anymore. This results in the fact 
that whenever a controller terminates, if it owns some machines, its 111achines 
will be no longer accessible in the system. If it is required to design a system in 
which all n1achines should ren1ain in the systmn at all times during the system 
execution, we can specify OlU' CSP controllers in such a way that they give all 
their 1nachines to other controllers before tennination. 
Chapter 4 
Case Study 
In this chapter, we pre.sent a case study within the Mobile CSP II B frmnework. 
The case study is a flight tickets sale system which is described in Section 4.1. It 
presents the usage of Mobile CSP II B architecture in designing and developing 
peer-to-peer networks. We first provide a Mobile CSP II B model of a flight 
tickets sale ｳｹｾｴ･ｭ＠ and then we verify the consistency of our model by using 
the theorems proved in Chapter 3. The specifications of B machines and CSP 
part of the systen1 are described in sections 4.2 and 4.3 respectively. Section 4.4 
demonstrates how the mobile CSP specification in Section 4.3 can be coded into 
a standard CSP specification. Section 4.5 presents the processes of divergence 
freedom verification of our system. Deadlock freedom is verified in section 4.6. 
Finally, we present some conclusions on the case study in Section 4. 7. 
A simplified version of this case study was presented in [72). 
4.1 Flight ｴｩ｣ｫ･ｴｾ＠ sale system 
This case study is designed as a flight tickets sale system in which tickets of 
different flights are sold or cm1celled by agencies. 
The system contains a nun1ber of sell agencies which sell tickets of different flights 
to customers, and it contains one Return office which cancels customers' tickets. 
Sell agencies can only sell flight tickets and they are not able to cancel any tickets 
of the flights. The Return office is only responsible for cancelling tickets and it 
is not able to sell any flight tickets. 
If sell agencies or the Return office want to sell or ca11cel a ticket of a flight, they 
should have access to the information of that flight. Otherwise, they are not 
121 
122 CHAPTER 4. CASE STUDY 
able to sell or cancel any tickets. This description of the system makes it clear 
what should be n1odelled as the B machines and what should be modelled as the 
CSP controllers in the system. The B machines in our system are the individual 
flights. They manage all the booking information of the flights. So, each 1nachine 
represents one of the flights in the system. Sell agencies and the Rettu·n office 
play the role of the CSP controllers in our system. The Return office is one CSP 
controller and each Sell agency is also one CSP controller in the systmn. 
Each flight machine is given a unique 1nachine reference which is the channel 
used by sell agencies and the Return office to contact and comn1tmicate with 
that flight machine. A Sell agency or the Return office can sell or cancel a ticket 
of a flight only if they own that machine's reference. If they want to sell or 
cancel a ticket of a flight but they do not have that machine's reference, they ask 
others in the system to give them that machine's reference. Receiving a machine's 
reference 1neans receiving the channel of com1nunication with that machine. In 
other words, the receiver becmnes the owner of that machine. So, after receiving 
the machine's reference, the Sell agency or the Return office can wqrk with the 
machine to sell or cancel tickets. 
When a customer wants to buy a ticket of a flight from a Sell agency, if the Sell 
agency already owns that flight 1nachine, it sells a ticket of that flight to that 
customer. If the Sell agency does not own that machine, it asks other Sell agencies 
and the Return office to pass the machine to it. If it receives the machine, it can 
then sell a ticket of the machine to that custmner. 
When a customer wants to cancel a ticket of a flight and asks the Return office 
for cancellation, if the Return office owns that flight machine, it cancels that 
customer's ticket. But if it does not have that machine, it asks sell agencies to 
pass the machine to it. If it receives the machine, it then cancels the customer's 
ticket. 
Sell agencies and the Return office behave in such a way so that they do not keep 
the machines when they cannot use them anyn1ore. A full machine cannot be 
used anymore by sell agencies as all the tickets have already been sold and there 
is no more ticket available to be sold next. So, if a flight owned by a Sell agency 
is full after selling a ticket, the Sell agency passes that full machine to the Return 
office. On the other hand, an empty 1nachine cannot be used anymore by the 
Return office as there is no sold ticket in the machine to be cancelled next. So, if 
a flight owned by the Return office is empty after cancelling a ticket, the Return 
office passes that empty machine to one of the sell agencies. In other words, a 
Sell agency does not. keep full1nachines with itself and the Return office does not 
keep e1npty machines with ·itself. 
A Sell agency asks for a machine in order to sell a ticket of that flight. So, the 
n1achine it receives must not be already full. On the other hand, the Return office 
4.2. DESIGN AND SPECIFICATION OF B lviACI-IINES 123 
asks for a n1achine in order to cancel a ticket of that flight. So, the 1nachine it 
receives 1nust not be empty. The receiver does not have any control on the state 
of the 1nachine it receives. So, our system should be designed such that these 
conditions are always ensured by the sender. If a Sell agency receives a request 
from the Return office for passing one of its machines, it should first check the 
current state of the machine to ensure it is not empty. It then passes that machine 
to the Return office only if the 1nachine is not empty. If a Sell agency receives a 
request from another Sell agency for passing one of its machines, it passes that 
machine to the requester only if the 1nachine is not full. On the other hand, if 
the Return office receives a request for passing one of its machines, it should first 
check the current state of the machine to ensure it is not full. It then passes that 
1nachine to the requester Sell agency only if the machine is not full. 
We introduce a parameter i which is used to identify each Sell agency. Also, a 
set S is introduced for each Sell agency and for the Return office which contains 
all the 1nachine references owned by the process. As a result, SellAgency( i, S) 
represents the Sell agency i which currently owns the 1nachine references in S, and 
ReturnOffice(S) represents the Return office which currently owns the 1nachine 
references in S. 
For the purposes of our case study, we will use two flight machines: flightl and 
fiight2, two sell agencies: SellAgencyl and SellAgency2, and a Return office. We 
also asstune that at the beginning of the syste1n execution, each Sell agency owns 
one of the flight machines. Therefore, the whole system is as below: 
ReturnOffice( {}) II SellAgency(l, { m7'1}) II SellAgency(2, { mr2}) II m7'1 : fiightl II mr2 : fiight2 
where mrl and mr2 are the machine references of machines flightl and fiight2 
respectively. The initial configuration of the system is shown in Figure 4.1. 
4.2 Design and specification of 8 machines 
Each B machine manages the infon11ation of one flight in the system. The struc-
ture of all flights in our system are the sa1ne so the B machines have the same 
specification but with different names. 
Each B machine contains the information about that particular flight such as: the 
nu1nber of seats of the flight, and the number of tickets which have already been 
sold. It also contains some operations for state transitions in the flight such as 
selling or cancelling tickets and some other operations for finding out the current 
state of the flight such as whether it is e1npty or full. 
124 CHAPTER 4. CASE STUDY 
Figure 4.1: Initial configuration of flight tickets sale system 
SETS 
A set RESPONSE is introduced whose elements are used by the 1nachine as the 
messages which are sent to the controllers. 
SETS RESPONSE= {Full, Empty, Available, YES, NO, Incorrectlnput} 
CONSTANTS and PROPERTIES 
Each B machine contains 2 constants: Passport and seats. Passport is a set defin-
ing all valid passport nun1bers which can be accepted as the customers' passport 
number. seats is a number representing the total number of seats in the flight to 
be sold to customers. 
CONSTANTS 
PROPERTIES 
Passport, seats 
Passport ｾ＠ ｬｾｨ＠ & 
seats E ｬｾＺｨ＠
VARIABLES and INVARIANT 
There are 2 variables in each B machine: customer and sold . customer is a 
set which records the passport number of people who have bought a ticket of 
the flight. sold is a number which represents the number of tickets which have 
already been sold. 
4.2. DESIGN AND SPECIFICATION OF B !viACHINES 
V"ARIABLES 
INVARIANT 
customer, sold 
｣ｵｳｴｯｭ･ｲｾ＠ Passport & 
sold EN 
INITIALISATION 
125 
Initially, the flight is e1npty. In other words, no ticket has been sold to anybody 
at the beginning of the execution. As a result, the INITIALISATION clause sets 
custome1· to e1npty set and it sets sold to 0. 
INITIALISATION 
OPERATIONS 
customer:={} II 
sold:= 0 
Each B machine has 4 operations which are described below: 
• sell: The operation receives a customer's passport number as an input to 
sell a ticket of the flight. As the precondition, the input 1nust be a valid 
passport 1_1umber and the flight must not be full. If the input passport 
number has not already been used to purchase a ticket, the operation sells 
a ticket and it also outputs a n1essage informing its controller whether the 
machine becomes full after selling that ticket or there are still some unsold 
tickets available. If the input passport number has ah·eady been used to 
purchase a ticket, the operation outputs a 1nessage informing its controller 
that the passport number is an incorrect input. 
response +--- sell (pp) ｾ＠
PRE 
pp E Passport & 
sold f=- seats 
THEN 
IF pp E Passport - customer 
THEN 
customer := customer U {pp} II 
sold :=sold+ 1 II 
IF sold + 1 = seats 
THEN response:= Pull 
ELSE response := Available 
END 
ELSE response := Incorrectlnput 
END 
END; 
126 CHAPTER 4. CASE STUDY 
• cancel: The operation receives a customer's passport nmnber as an input to 
cancel the custon1er's ticket. As the precondition, the input must be a valid 
passport number and the flight 1nust not be empty. If the input passport 
number has already been used to purchase a ticket, the operation cancels 
the customer's ticket and it also outputs a message informing its controller 
whether the machine becomes empty after cancelling that ticket or there are 
still some sold tickets in the flight machine. If the input passport number 
has not already been used to purchase a ticket, the operation outputs a 
message informing its controller that the passport number is an incorrect 
input. 
response ｾ＠ cancel (pp) ｾ＠
PRE 
pp E Passport & 
sold =/= 0 
THEN 
IF pp E customeT 
THEN 
customeT := customer - {pp} II 
sold :=sold- 1 II 
IF sold -1 = 0 
THEN response := Empty 
ELSE response := Available 
END 
ELSE response:= IncoTrectlnput 
END 
END; 
• empty: It is the query operation which checks to find out whether the 
flight is currently empty. It then informs the contr?ller about the result of 
its search by outputting the 1nessage YES or NO. 
response ｾ＠ empty ｾ＠
BEGIN 
IF sold= 0 
THEN response := YES 
ELSE response := NO 
END 
END; 
• full: It is the query operation which checks to find out whether the flight is 
currently full. It then informs the controller about the result of its ｾ･｡ｲ｣ｨ＠
by outputting the message YES or NO. 
4.3. SYSTEl\11 DESIGN AND SPECIFICATION IN 1\!IOBILE CSP 
response t- full ｾ＠
BEGIN 
IF sold = seats 
THEN response := YES 
ELSE response := NO 
END 
END 
The full AMN specification of a flight machine is attached in Appendix A. 
127 
After specifying the flight machines in AMN, we used ProB to verify the internal 
consistency of our B machines and to explore the behaviour of their operations. 
As all B machines have the same structure in our system, a single B machine 
specification was checked, analysed and animated in ProB. The B machine was 
proved to be internally consistent and its behaviour was in accordance to what 
we expected it to be. 
4.3 System design and specification in mobile CSP 
In this section, we describe the CSP specification of our system according to our 
mobile architecture. The Return office and sell agencies are each specified as a 
CSP process which describes their behaviour in the system. All control points 
are introduced as channels in the CSP part of the systmn. The CSP specification 
also defines which control point is used to pass the flight machines between which 
controllers. 
The connection between flight 1nachines and controllers is described in this sec-
tion. A unique machine reference is introduced for each flight machine. In ad-
dition, it is defined which controller is the controller of each machine at the 
beginning of the execution. 
4.3.1 Data types 
Four data types should be introduced in the system: 
• Flights: introduces the flights which exist in the system. 
• RESPONSE: contains the messages that sell agencies and the Return 
office may receive frmn the flight 1nachines. 
• Operations: represents the B operations with their possible inputs and 
outputs which may happen during the execution. 
128 CHAPTER 4. CASE STUDY 
• MR: introduces the machine references in the system. 
data type Flights = flight 1 I flight2 
datatype RESPONSE= Full I Empty I Available I YES I NO I Incorreetlnput 
datatype Operations = sell.Passport.RESPONSE I cancel.Passport.RESPONSE I 
empty.RESPONSE I full.RESPONSE 
data type !viR = mr 1 I m?'2 
4.3.2 Sets 
There are two sets to be introduced: 
• Agencies: introduces the number of the sell agencies which exist in the 
system. 
• Passport: defines all valid passport numbers which can be accepted in the 
system as the customers' passport number. 
Agencies = {1, 2} 
Passport= {1, 2, 3} 
As we are going to use ProBE to execute the CSP part of the system and to 
check the behaviour of the CSP controllers, we use small sets of Agencies and 
Passport in our system. The system can be easily extended after the behaviour 
of the systmn is checked in its small version. 
4.3.3 Function 
A function ref is used to assign a unique machine reference for each 1nachine in 
the system. By mapping each machine to a machine reference, the flight 1nachines 
are given a unique 1nachine reference which then can be used to cmnmunicate 
with the CSP processes. 
ref (flight 1) = m?' 1 
ref (flight2) = mr2 
4.3.4 Channels 
• 1nrl: the machine reference of flight1 through which the machine's opera-
tions are called. 
• mr2: the machine reference of fiight2 through which the machine's opera-
tions are called. 
4.3. SYSTENI DESIGN AND SPECIFICATION IN NIOBILE CSP 129 
• cp.i.j I i,j E Agencies: a control point channel used to pass the flight 
1nachines between sell agencies. 
• dp.i I i E Agencies: a control point channel used to pass the flight machines 
from the Return office to sell agencies. 
• ep.i I i E Agencies: a control point channel used to pass the flight machines 
from sell agencies to the Return office. 
• custo1nerToBuy: a channel through which a customer asks a Sell agency 
to buy a ticket. 
• custo1nerToCancel: a channel through which a customer asks the Return 
office to cancel a ticket. 
• request: a channel through which sell agencies ask each other for a Ina-
chine. 
• ask: a channel through which the Return office asks the sell agencies for a 
1nachine. 
• require: a channel through which sell agencies ask the Return office for a 
machine. 
• sorry: a channel througl::t which a Sell agency informs another Sell agency 
that it does not own the 'requested machine. 
• notHaveit: a channel through which a Sell agency informs the Return 
office that it does not own the requested machine. Also, the Return of-
fice informs a Sell agency through this channel that it does not own the 
requested 1nachine. 
• e1nptyMachine: a channel through which a Sell agency informs the Re-
turn office that the requested machine is currently empty. 
• fullMachine: a channel through which the Return office inf9rms a Sell 
agecy that the requested 1nachine is currently full. 
• MachinelsFull: a channel through which a Sell agency informs another 
Sell agency that the requested machine is currently full. 
mr 1 : Ope1·ations 
mr2 : Operations 
cp.i.j I i,j E Agencies : MR 
dp.i I i E Agencies: MR 
ep. i I i E Agencies : lviR 
130 
customerToBuy: Agencies.Flights.Passport 
customerToCancel : Flights .Passport 
Tequest : Agencies. Agencies. Flights 
ask : Agencies. Flights 
1·equiTe : Agencies. Flights 
sorry : Agencies .Agencies 
notHaveit: Agencies 
emptyMachine: Agencies 
fullM achine : Agencies 
MachineisPull : Agencies .Agencies 
The whole systmn is shown in Figure 4.2. 
customerToBuy 
I 
cp.1.2 
cp.2.1 
Sel1Agency1 request 
sorry 
MachinelsFull 
mr1 Q) c ! Ｍｾ＠ ｾ＠ .g ｾ＠..c::: ｾ＠u I ci.. ci.. 
"' 
c- "' Q) 
;?; ｾ＠ g ｾ＠ "' "C Hight1 ｾ＠;a 
ReturnOffice 
I 
customerToCancel 
CHAPTER 4. CASE STUDY 
customerToBuy 
I 
Sel1Agency2 
Q) 
mr2 c 
Q) ! :.c e! u c C'l N ｾ＠ ﾷｾ＠ ｾ＠ :.c _g. g. I u 
"' "' f:! c 
;:.... 
:::2Ec c. flight2 E ｾ＠Q) 
Figure 4.2: Flight tickets sale system 
4.3.5 Sell agencies 
A Sell agency can perform the following behaviours repeatedly during the execu-
tion: 
1. A customer wants to buy a flight ticket. The Sell agency is informed of 
which flight the custon1er wants to buy a ticket and it also receives the 
customer's passport number. If the Sell agency owns that flight machine, 
4.3. SYSTElvi DESIGN AND SPECIFICATION IN MOBILE CSP 131 
it sells one ticket of that flight to the customer. In the case that the flight 
is full after that sale, the Sell agency does not keep the machine anymore 
and it passes the full machine to the Return office. If the Sell agency does 
not have that flight machine, it performs one of the behaviours below: 
• It asks the other Sell agency for that machine. There could be three 
responses. It either receives the machine from that Sell agency, or it 
receives a message from that Sell agency saying that the machine is 
full, or it receives a message frmn that Sell agency saying that it does 
not have that 1nachine. In the latter case, it asks the Rettu·n office for 
that 1nachine. 
• It asks the Return office for that n1achine. There could be three re-
sponses. It either receives the machine from the Retm·n office, or it 
receives a message from the Return office saying that the machine is 
full, or it receives a message from the Return office saying that it does 
not have that machine. In the latter case, the Sell agency asks the 
other Sell agency for that machine. 
2. The Sell agency receives a request from the other Sell agency for a flight 
machine. Depending on the requested machine, the Sell agency perfonns 
one of the behaviours below: 
• If the 1nachine is the Sell agency's full1nachine, in other words the Sell 
agency is waiting to pass it to the Retm·n office, the Sell agency sends 
a 1nessage to the requester Sell agency saying that the machine is full 
and it does not send the machine to the requester Sell agency. 
• If the Sell agency owns that machine and the 1nachine is not its full 
machine, it gives the machine to the requester Sell agency. 
• If it does not own that machine, it sends a message to the requester 
Sell agency saying that it does not have that machine. 
3. The Sell agency receives a request from the Retm·n office for a flight ma-
chine. Depending on the requested 1nachine, the Sell agency performs one 
of the behaviotu·s below: 
• If the machine is the Sell agency's full machine, in other words the Sell 
agency has already been waiting to pass it to the Return office, the 
Sell agency gives that full machine to the Return office immediately 
and without checking the current state of the machine. 
• If the Sell agency owns that machine and the machine is not its full 
machine, it first checks whether the machine is currently empty or not. 
If the 1nachine is e1npty, it sends a message to the Return office saying 
that the 1nachine is e1npty, and it does not send that n1achine to the 
132 CHAPTER 4. CASE STUDY 
Return office. If the machine is not empty, then it gives that machine 
to the Return office. 
• If it does not own that 1nachine, it sends a message to the Return office 
saying that it does not have that machine. 
4. The Sell agency receives an empty 1nachine frmn the Return office. 
A Sell agency gives a machine to another Sell agency only if the receiver has 
already asked the sender for that particular 1nachine. If a Sell agency does not 
receive a request from the other Sell agency for a machine, it never passes any 
machine to the other Sell agency. In addition, a Sell agency gives a non full 
machine to the Return office, only if the Rettun office has already asked the Sell 
agency for that particular n1achine. If a Sell agency does not receive a request 
frmn the Return office for a non full n1achine, it does not pass any non full 
1nachine to the Return office. However, if a Sell agency sells a ticket of a flight 
and the flight becmnes full after that sale, it passes that full machine to the 
Return office without having already received any request from the Return office 
for that machine. 
On the other hand, a Sell agency receives a machine from another Sell agency only 
if it has already asked the sender for that particular machine. It never receives a 
1nachine from the other Sell agency without asking for that machine in advance. 
In addition, a Sell agency never receives a non empty machine from the Return 
office if it does not ask the Return office for that 1nachine in advance. However, a 
Sell agency n1ay receive an mnpty 1nachine from the Return office without having 
already asked the Return office for that empty machine. 
The structure of the sell agencies in our system are the same. So, they have the 
san1e specification but with different parmneter i and different set S. The speci-
fication of the Sell agency i which owns the machine references in S is described 
as below: 
SellAgency( i, S) = P1 ( i, S) 
P1(i, S) = customerToBuy.i?ftight?pn ｾｩｦ＠ ref(ftight) E S 
0 
then P2 ( i, S, flight, pn) 
else P3( i, S, flight, pn) 
request?j!i?fiight ｾ＠ if ref(fiight) E S 
then P 4 ( i, S, j, flight) 
else (sorry.i.j ｾ＠ P1(i, S)) 
0 
4.3. SYSTEl\tf DESIGN AND SPECIFICATION IN :MOBILE CSP 
ask.i?fiight ----7 if ref(fiight) E S 
then P5(i, S,fiight) 
else (notHaveit.i ----7 P1(i, S)) 
0 
dp. i? z --> pl ( i' s u { z}) 
P2(i, S,fiight, pn) = ref(fiight).sell!pn?resp ----7 if 1·esp =Full 
then PB(i, S,flight) 
else P1 ( i, S) 
P3(i, S,fiight,pn) = (request.i?j!fiight ----7 
0 
((cp.j.i?w--> P2 (i, S U { w}, ref-1(w),pn)) 
0 
(sorry.j. i ----7 P3( i, S, flight, pn)) 
0 
(MachinelsFull.j.i ----7 P1(i, S)))) 
133 
(require.i.flight ----7 ((dp.i?w ----7 P2(i,SU{w},ref-1(w),pn)) 
0 
0 
(notHavelt.i ----7 P3(i,S,jlight,pn)) 
0 
(fullMachine. i ----7 P1 ( i, S)))) 
(request?j!i?f--> 
(if ref(!) E S 
0 
then cp.i.j!ref(f) ----7 P3(i, S- {ref(f)},flight, pn) 
else (sorry.i.j ----7 P3(i, S,flight,pn)))) 
(ask.i?f ----7 (if ref(!) E S 
then Pw(i, S,fiight,pn,j) 
else (notHavelt.i--> P3(i, S,fiight, pn)))) 
0 
(dp.i?w ----7 if w = ref(flight) 
then P2 ( i, S U { w}, flight, pn) 
else P3(i, S U { w },flight, pn)) · 
-- - -- -- --- - ---- ----------------- ---------------------- ＭＭ ｾ＠
134 CHAPTER 4. CASE STUDY 
P4(i, S ,j ,flight) = cp.i.j!ref(fiight) ｾ＠ P1 ( i, S- { ref(fiight)}) 
Ps ( i, S, flight) = ref (flight). empty? resp ｾ＠
if resp = YES 
then (emptyMachine.i ｾ＠ P1(i, S)) 
else (ep.i!ref(flight) ｾ＠ P1(i,S- {ref(fiight)})) 
P6( i, S, flight) = ( ep. i!ref(flight) ｾ＠ P1 ( i, S- { ref(fiight)})) 
0 
(request?j!i?f ｾ＠ if ref(!) = ref(fiight) 
D 
then ( lvl achineisPull. i .j -t P6 ( i, S, flight)) 
else P7(i, S,fiight,j,f)) 
(ask.i?f -t if 'ref(!) = ref(flight) 
D 
then ( ep. i!ref(flight) -t P1 ( i, S- { ref(flight)})) 
else Ps(i, S,flight,f)) 
(dp.i?w -t PG(i,SU {w},flight)) 
P7(i, S,fiight,j,f) =if ref(!) E S 
then (cp.i.j!ref(f) ｾ＠ P5(i,S- {ref(f)},fiight)) 
else (sorry.i.j -t P5(i, S,fiight)) 
Ps(i, S,flight,f) =if ref(!) E S 
then Pg(i, S,flight,f) 
else (notHavelt.i -t P5(i, S,flight)) 
Pg(i, S,flight,f) = ref(f).empty?resp -t 
if resp = YES 
then (emptylvfachine.i -t P5(i, S,fiight)) 
else (ep.i!ref(f) -t P5(i, S- {ref(f)},fiight)) 
I 
I 
t1.3. SYSTENI DESIGN AND SPECIFICATION IN lviOBILE CSP 
P10( i, S, flight, pn,j) = Tej(f).empty?resp --? 
if resp =YES 
then (emptylVIachine.i -t P3(i,S,[light,pn)) 
else (ep.i!ref(f)--? P3(i, S- {ref(f)},fiight,pn)) 
4.3.6 The Return office 
135 
The Rettu·n office can perfonn the following behaviours repeatedly during the 
execution: 
1. A cust01ner wants to cancel a ticket of a flight. The Return office is informed 
of which flight the customer wants to cancel the ticket and it also receives 
the customer's passport number. If the Return office owns that flight ma-
chine, it cancels the cust01ner's ticket. In the case that the machine is · 
empty after that cancellation, the Return office does not keep the machine 
anymore and it passes the empty machine to one of the sell agencies. If the 
Return office does not have that flight 1nachine, it asks a Sell agency for 
that particular machine. There could be three responses. It either receives 
the 1nachine from that Sell agency, or it receives a message from that Sell 
agency saying that the machine is en1pty, or it receives a message from that 
Sell agency saying that it does not have that machine. In the latter case, 
the Retm·n office asks another Sell agency for that machine. 
2. It receives a request from a Sell agency for a flight machine. Depending on 
the requested 1nachine, the Return office performs one of the behaviours 
below: 
• If the machine is the Return office's empty machine, in other words the 
Return office has ah·eady been waiting to pass it to a Sell agency, the 
Return office gives that empty machine to the requester Sell agency 
im1nediately and without checking the ctuTent state of the 1nachine. 
• If the Return office owns that machine and the machine is not its 
empty machine, it first checks whether the machine is currently full 
or not. If the machine is full, it sends a message to the requester 
Sell agency saying that the machine is full, and it does not send the 
n1achine to that Sell agency. If the machine is not full, it gives that 
1nachine to the Sell agency. 
• If it does not own that machine, it sends a message to the Sell agency 
saying that it does not have that 1nachine. 
3. It receives a full1nachine from a Sell agency. 
136 CHAPTER 4. CASE STUDY 
The Return office gives a non empty machine to a Sell agency only if the receiver 
Sell agency has already asked the Return office for that particular machine. If 
the Return office does not receive a request from a Sell agency for a non empty 
1nachine, it does not pass any non en1pty machine to the sell agencies. However, 
if the Return office cancels a ticket of a flight and the flight becomes empty after 
that cancellation, it passes that empty 1nachine to a Sell agency without having 
already received any request from that Sell agency for that particular machine. 
On the other hand, the Return office receives a non full machine from a Sell agency 
only if it has ah·eady asked the sender Sell agency for that particular machine. 
It never receives a non full machine frmn a Sell agency without asking for that 
1nachine in advance. However, the Return office may receive a full machine frmn 
the sell agencies without having already asked the sender for that full n1achine. 
The specification of the Retm·n office which owns the machine references in S is 
described as below: 
ReturnOffice(S) = R1 (S) 
R1 (S) = customerToCancel?fiight?pn -7 if ref(fiight) E S 
then R2 ( S, flight, pn) 
else R3(S,flight,pn) 
0 
require?y'?flight -7 if ref(flight) E S 
then Rs(S,jlight,y') 
else (notHavelt.j ｾ＠ R1 (S)) 
D 
0 'EA . ep.j?z -7 R1(S U {z}) J genczes 
R2(S,flight,pn) = ref(flight).cancel!pn?resp -7 if resp =Empty 
then R4 ( S, flight) 
else R1(S) 
4.3. SYSTEivi DESIGN AND SPECIFICATION IN lv'IOBILE CSP 
R3(S,flight,pn) = ask?j!flight--+ (ep.j?w--+ R2(SU {w},ref- 1 (w),pn) 
0 
D 
notH avelt .j --t R3 ( S, flight, pn) 
0 
emptyl\1! a chine .j --t R1 ( S)) 
require?j?f --t if ref(!) E S 
then RlO(S,flight,pn,j,f) 
else (notHavelt.j --t R3(S,flight,pn)) 
0 
D. A . ep.j?w --+ if w = ref(flight) JE ｧ･ｮ｣ｾ･ｳ＠
then R2(S U {w}, ref-1(w),pn) 
else R3 ( S U { w}, flight, pn) 
R4(S,flight) = 0 'EA . dp.j!ref(flight)--+ R1(8- {ref(flight)}) J genczes 
0 
reqttire?j?f --t if ref(!) = ref(flight) 
D 
then dp.jlref(flight) --t R1 (S- { ref(flight)}) 
else Rs(S, flight,j, f) 
D .EA . ep.j?w --t R4(S U {w},flight) J genctes 
R5(S,flight,j) = ref(flight).full?resp --t if resp = YES 
then R6(S,j) 
else R7(S,flight,j) 
R5(S,j) = fullll1achine.j --t R1(S) 
R1(S, flight,j) = dp.j!ref(flight) --+ R1 (S- { 1'ef(flight)}) 
137 
138 CHAPTER tJ. CASE STUDY 
Rs(S,fiight,j,f) =if ref(!) E S 
then Rg(S,fiight,j,f) . 
else (notHaveft .j ｾ＠ R4(S,ft,ight)) 
Rg(S,fiight,j,f) = ref(f).full?resp ｾｩｦ＠ resp = YES 
then fulllvfachine.j ｾ＠ R4(S,ft,ight) 
else dp.j!ref(f) ｾ＠ R4(S- {ref(!)}, flight) 
RlO(S,fiight,pn,j,f) = ref(f).full?resp ｾ＠
if resp =YES 
then fullM achine .j ｾ＠ R3 ( S, flight, pn) 
else dp.j!ref(f) ｾ＠ R3(S- {ref (f)}, flight, pn) 
4.3.7 Controller 
A CSP process, Controller, is introduced which is the parallel combination of sell 
agencies and the Return office. As we said before, we assume that at the beginning 
of the system execution, each Sell agency owns one of the flight machines. As a 
result, Controller is specified as shown below: 
Controller= Return Office({}) II SellAgency(l, { mrl}) II SellAgency(2, { mr2}) 
4.4 Coding mobility into standard CSP 
In this section we describe how n1obile CSP specification of our syste1n can be 
coded as a standard CSP specification which can be then accepted by the CSP 
software tools: ProBE and FDR. 
In our system's CSP specification, we first introduce mrl and mr2 as the elements 
of the data type MR. In standard CSP, we are not allowed to introduce them 
again in the CSP specification as the channels since they are data elements. 
To solve this proble1n, we use a new channel, MC, to represent the call of the 
n1achine operations through the machine references. As a result, channel MC is 
a channel which carries the values of MR and Operations and it is introduced in 
the standard CSP specification as shown below: 
channel lv!C : l\1/R. Operations 
4.5. VERIFICATION OF THE SYSTElvi DIVERGENCE FREEDOlvi 139 
By using channel MC, any call of a machine operation ref(fiight).op!s?t in the 
body of the CSP controllers is modelled as MC.ref(fiight).op!s?t in the standard 
CSP description of our system. Channel !viC does not change the architecture 
of our system. It is only used to create a CSP specification which can be then 
accepted by ProBE and FDR. 
In order to model ref-1 in standard CSP specification, we introduce a new func-
tion refinv which is the inverse of function ref. Function refinv is introduced in 
standard CSP specification as below: 
refinv ( mr 1) = flight 1 
refinv(mr2) = fiight2 
By using function refinv, any ref-1(w) in the body of the CSP controllers is 
modelled as Tefinv ( w) in the standard CSP description of our system. 
In mobile CSP specification of our system, control point channels were introduced 
in the form of cp.i.j, dp.i and ep.i where i,j E Agencies. However, in standard 
CSP specification, there are three control point channels: cp, dp and ep. Any 
0. A . ep.j?w and 0. A . dp.j!ref(fiight) in the body of the Return of-J E genczes J E genczes 
fice are modelled as ep?j?w and dp?j!Tej(fiight) respectively in the standard CSP 
description of our system. 
The full standard CSP specification of our flight tickets sale system is attached 
in Appendix B. 
After coding the syste1n in standard CSP, the behaviour of each Sell agency and 
the Return office was checked individually by using ProBE. We then used ProBE 
to explore the execution of ControlleT in order to check their behaviour while 
working in parallel in the system. In addition, Controller was established to be 
divergence free and deadlock free by using FD R. 
4.5 Verification of the system divergence freedom 
In this section we verify the divergence freedom of our syste1n by using Theorem 
3 presented in Chapter 3. Verification of divergence freedmn contains two steps: 
1. The parallel cmnbination of sell agencies and the Return office must be 
established to be divergence free. 
2. Sell agencies and the Return office must be CLI preserver. 
Controlle?' has already been established to be divergence free by using FDR. As a 
result, the first step in our system divergence freedom verification is established. 
140 CHAPTER 4. CASE STUDY 
The next step is to establish that the sell agencies and the Return office are 
CLI preserver . .In other words, conditions 1 and 2 of Definition 11 in Chapter 3 
must be established for sell agencies and the Return office. In order to achieve 
this, we should first assign assertions for control points in our syste1n. Then, 
we should define control loop invariants for the processes in sell agencies and in 
the Return office. The rest of this section presents the steps towards proving 
that sell agencies and the Retm·n office are CLI preserver which then results the 
divergence freedom of the system at the end of this section. 
4.5.1 Assertions on control points 
If a machine is passed from a Sell agency to another Sell agency, it should not be 
already full as there is no more ticket available to be sold next. In addition, if a 
machine is passed from a Sell agency to the Return office, it should not be empty 
as there is no sold ticket in the machine to be canceled. Moreover, if a 1nachine 
is passed from the Return office to a Sell agency, it should not be already full 
as there in no more ticket available to be sold next. Thus, the important issues 
which should be considered as the safety properties of our system are as below: 
ｾＦ＠ A Sell agency should never pass a full 1nachine to another Sell agency. 
J& The Return office should never pass a full machine to a Sell agency. 
J& A Sell agency should never pass an empty machine to the Return office. 
There are three fan1ilies of control points in our system: cp, dp and ep. cp is the 
fmnily of control points where the machines are passed between sell agencies, dp 
is the family of control points where the machines m·e passed frmn the Return 
office to a Sell agency, and ep is the fmnily of control points where the machines 
are passed from a Sell agency to the Return office. Note that there is one family of 
control points cp for passing 1nachines between sell agencies. However, there are 
two separate fa1nilies of control points, dp and ep, for passing machines between 
sell agencies and the Return office. The reason is that when a 1nachine is passed 
frmn a Sell agency to the Return office, the machine should not be empty. On the 
other hand, when a machine is passed from the Return office to a Sell agency, the 
1nachine should not be full. As a result, there should be two different assertions 
each for one direction between a Sell agency and the Return office. Therefore, 
we introduce two separate families of control points each for one direction. 
The assertions we assign for each control point depends on which controller is 
the receiver at that point. If the receiver is a Sell agency, the assertion should 
be something to ensure that the machine is not full. If the receiver is the Return 
4.5. VERIFICATION OF THE SYSTElvi DIVERGENCE FREEDOM 141 
office, the assertion should be son1ething to ensure that the 1nachine is not empty. 
To summarise, the assertions of control points should be categorised as below: 
1. Assertion of the control point which passes the machines from a Sell agency 
to another Sell agency: 
+ Machine is not full 
2. Assertion of the control point which passes the machines from the Return 
office to a Sell agency: 
+ Machine is not full 
3. Assertion of the control point which passes the machines from a Sell agency 
to the Return office: 
+ 1vlachine is not en1pty 
According to what was discussed above, the assertions of control points should 
be assigned as below: 
1. assert(cp.i.jz) : z.sold =/= z.seats 
2. assert(dp.iz): z.sold =/= z.seats 
3. assert(ep.iz) : z.sold =/= 0 
4.5.2 Control Loop Invariants in Sell agencies 
We introduce the Control Loop Invariant, CLI, for each process Px (1 ｾ＠ x ｾ＠ 10) 
in a Sell agency. We introduce the CLI for each process according to the be-
haviour of the process. Each CLI includes predicates on the type of parameters 
and on the current state of the para1neters at the beginning of each recursive 
call. For instance, process P2 ( i, S, flight, pn) sells a ticket of machine flight. As a 
result, P2(i, S,flight 1 pn) should own flight at the beginning of the recursive call. 
So, ref(flight) E S is one of the predicates we introduce in CLlp2 (i,S,flight,pn)· In 
addition, all the n1achines owned by P2 ( i, S, flight, pn) as well as flight should 
not be full. This is expressed by V k E S • k.sold I= k.seats. 
CLlp1 (i,S) : i E Agencies 1\ S ｾ＠ MR 1\ V k E S • k.sold =/= k.seats 
CLlp2 (i,S,flight,pn) : CL1p1 (i,S) 1\ flight E Flights 1\ ref(flight) E S 1\ 
pn E Passport 
142 CHAPTER 4. CASE STUDY 
CLlp3 (i,S,flight,pn) : CLlp1(i,S) 1\ flight E Flights 1\ Tef(flight) E (MR-S) 1\ 
pn E Passport 
CL!p,1(i,S,j,ftight) : CLip1 (i,s) 1\ j E Agencies 1\ flight E Flights 1\ ref(flight) E S 
CLlp5 (i,S,ftight) : CLlp1(i,s) 1\ flight E Flights 1\ Tef(flight) E 8 
CLlp6 (i,S,ftight) : i E Agencies 1\ S ｾ＠ 111R 1\ flight E Flights 1\ 
V k E (S- { ref(fiight)}) • k.sold "# k.seats 1\ 
ref(flight) E S 1\ ?·ef(flight).sold # 0 
CLip7(i,S,ftight,j,f) : CL!p6 (i,S,ftight) 1\ j E Agencies 1\ ref(!) E MR 1\ 
ref(flight) # ref(!) 
CL!p8 (i,S,ftight,J) : CLip6 (i,S,fiight) 1\ ref(!) E JI!JR 1\ ref(flight) # ref(!) 
CL!p9 (i,S,ftight,J) : CLip6 (i,S,fiight) 1\ ref(!) E S 1\ ref(fiight) # Tej(f) 
CL!p10 (i,S,ftight,pn,f) : CL!p3 (i,S,flight,pn) 1\ ref(!) E S 
4.5.3 Establishing Sell agencies are CLI preserver 
We assmne initr and init2 are the initialisation of machines flightl and flight2 
respectively. As the sell agencies have the smne structure in our system, we 
check conditions 1 and 2 of Definition 11 in Chapter 3 for a smnple Sell agency: 
S ellAgency ( i, { mri}) • i E Agencies. 
Condition 1: 
[initi; rec := Pr ( i, { m1-i} ))( CLip1 (i,{m1·i} )) = [initi) ( CLlp1 (i,{mri} )) = 
[initi](i E Agencies 1\ {mri} ｾ＠ JI!JR 1\ mri.sold -:1 mTi.seats) = 
i E Agencies 1\ { mTi} ｾ＠ JI!JR 1\ 0 # mri. seats 
.( 
Condition 2: 
+ P1(i, S) 
P1 ( i, S) = 1 D 2 D 3 D 4 
tTans(Pr(i, S)) = CHOICE trans(1) OR tTans(2) OR trans(3) OR t?·ans(4) END 
4.5. VERIFICATION OF THE SYSTEf..if DIVERGENCE FREEDOf..if 143 
[trans(P1(i, S))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!px)) = 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlp3J) 1\ 
[trans(2)](V1 ｾ＠ x ｾ＠ 10 • (ree = Px => CLlpx)) 1\ 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpx)) 1\ 
[trans(4)]('7 1 ｾ＠ x ｾ＠ 10 • (Tee= Px => CLlp:.J) 
1 = customerToBuy.i?flight?pn -t if Tef(flight) E S 
then P2( i, S, flight, pn) 
else P3 ( i, S, flight, pn) 
(Tee= P1(i,S) 1\ CLlp1 (i,S}) => [trans(1)](Vl ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpJ) 
2 = Tequest?j!i?flight -t if ref(flight) E S 
then Ptl(i, S,j,flight) 
else (soTTy.i.j -t P1(i, S)) 
(Tee= P1(i, S) 1\ CLlp1 (i,s)) => [trans(2)](V1 ｾ＠ x ｾ＠ 10 • (Tee= Px => CLlpJ) 
3 = ask.i?flight--+ if Tef(flight) E S 
then Ps(i, S,flight) 
else (notHavelt.i--+ P1(i, S)) 
(Tee= P1(i, S) 1\ CLlp1 (i,S}) => [tTans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => ｃｌｩｰＺｾＺＩＩ＠
4 = dp.i?z -t P1(i, S U {z}) 
(Tee = P1 ( i, S) 1\ CLip1 (i,S)) => [trans( 4)]('7 1 ｾ＠ x ｾ＠ 10 • (Tee = Px => CLip :E)) 
(Tec=P1(i,S) 1\ CLip1(i,s))=> 
[trans(P1(i, S)))(\71 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlp:J;)) 
--%• P2 ( i, S, flight, pn) 
(ree = P2(i, S,fiight,pn) 1\ CLip2 (i,S,flight,pn)) => 
[trans(P2(i,S,fiight,pn))](Vl ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpx)) 
./ 
144 CHAPTER 4. CASE STUDY 
+ Pg(i, S,flight, pn) 
P3 ( i, S, flight, pn) = 1 o 2 o 3 o 4 o 5 
trans(P3(i, S,flight,pn)) =CHOICE trans(1) 
OR trans(2) OR trans(3) 
OR trans(4) OR trans(5) 
END 
[trans(Ps(i,S,flight,pn))]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLipx)) = 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (1·ec = Px => CLipx)) 1\ 
[trans(2)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLJp:r.)) 1\ 
[trans(3)](Vl ｾ＠ x ｾ＠ 10 • (rec = Px => CLipx)) 1\ 
[trans(4)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLJp:c)) 1\ 
[trans(5)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLJpx)) 
1 = request.i?j!flight--} ((cp.j.i?w--} P2 (i,SU {w},ref-1(w),pn)) 
0 
( sorry.j. i --} Ps( i, S, flight, pn)) 
0 
( M achineisFull.j. i --} P1 ( i, S))) 
(rec = Ps(i, S,flight, pn) 1\ CLip3 (i,S,ftight,pn)) => 
[trans(1)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLip:J) 
2 = require.i.flight --} (( dp. i?w --} P2 ( i, S U { w }, ref-1 ( w ), pn)) 
0 
(notHaveit.i --} P3( i, S,flight, pn)) 
0 
(fullMachine.i ---4 P1 (i, S))) 
(rec = P3(i, S,flight,pn) 1\ CLip3 (i,S,ftight,pn)) => 
[trans(2)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLJpx)) 
3 = request?j!i?f ---4 (if ref(!) E S 
then cp.i.j!ref(f) ---4 P3( i, S- {ref(!)}, flight, pn) 
else (sorry.i.j ---4 Ps(i,S,fiight,pn))) 
4.5. VERIFICATION OF THE SYSTElvi DIVERGENCE FREEDOlvi 145 
(rec = P3(i, S,flight,pn) 1\ CLlp3 (i,S,ftight,pn)) => 
[trans(3)](V1::::; x::::; 10 • (rec = Px => CLlp3J) 
4 = ask.i?f ｾＨｩｦ＠ ref(!) E S 
then Pw( i, S, flight, pn, f) 
else (notHavelt.i ｾ＠ P3(i, S,flight,pn))) 
(rec = P3(i,S,flight,pn) 1\ CLlp3 (i,S,ftight,pn)) => 
[trans(4)](V1 ｾ＠ x::::; 10 • (rec = Px => CLlp:rJ) 
5 = dp.i?w ｾｩｦ＠ w = ref(flight) 
then P2 ( i, S U { w}, flight, pn) 
else P3( i, S U { w },flight, pn) 
(rec = P3(i, S,flight,pn) 1\ CLlp3 (i,S,ftight,pn)) =>-
[trans(5)](Vl::::; x::::; 10 • (rec = Px =>- CLipaJ) 
(rec = P3(i, S,flight,pn) 1\ CLip3 (i,S,ftight,pn)) =>-
[trans(P3(i,S,flight,pn))](V1::::; x:::;; 10 • (rec = Px => CLlp:J) 
•%- p4 ( i, s' j' flight) 
(rec = P4(i, S,j,flight) 1\ CLip4 (i,S,j,ftight)) =>-
[trans(P4(i, S,j,flight))](Vl::::; x:::;; 10 • (rec = Px => CLlpx)) 
./ 
--%• p5 ( i, s' flight) 
(rec = Ps(i, S,flight) 1\ CLlp5 (i,S,ftight)) => 
[t?·ans(Ps(i,S,flight))](Vl:::;; x ｾ＠ 10 • (rec = Px => CLipx)) 
146 CHAPTER 4. CASE STUDY 
+ P6( i, S, flight) 
PG(i, S,flight) = 1 0 2 0 3 0 4 
trans(P6 (i, S,flight)) = CHOICE trans(1) OR trans(2) 
OR trans(3) OR trans(4) 
END 
[trans(PG(i, S,flight))](\:11 ｾｘｾ＠ 10 • (rec = Px =} CLlpx)) = 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 1\ 
[trans(2)](\:fl ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 1\ 
(trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 1\ 
[trans(4)](\:f1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
1 = ep. i! ref (flight) ---+ P1 ( i, S - {ref (flight)}) 
(rec = PG(i, S,flight) 1\ CLlp6 (i,S,flight)) =* 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px)) 
2 = request?j!i?f---+ if ref(!) = ref(flight) 
then (MachinelsFull.i.j---+ P6 (i, S,flight)) 
else P7(i, S,flight,j,J) 
(rec = P5(i, S,flight) 1\ CLip6 (i,S,flight)) =* 
[trans(2))(V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px)) 
3 = ask.i?f---+ if ref(!)= ref(flight) 
then ( ep. i!ref (flight) ---+ P1 ( i, S - {ref (flight)})) 
else Ps(i, S,flight,f) 
(rec = PG(i, S,flight) 1\ CLlp6 (i,S,flight)) =* 
[trans(3)]('v' 1 ｾ＠ x ｾ＠ 10 • ( rec = Px =} CL!px)) 
4 = dp.i?w---+ PG(i, 8 U { w },flight) 
(rec = PG(i, S,flight) 1\ GLlp6 (i,S,flight)) ==> 
[trans(4))(V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
4.5. VERIFICATION OF THE SYSTEivi DIVERGENCE FREEDOivi 14 7 
(rec = P6(i, S,flight) 1\ CLlp6 (i,S,fiight)) =} 
[trans(PB(i,S,flight))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlp:J) 
.( 
+ Pr(i,S,flight,j,f) 
( rec = P7( i, S, flight,j ,f) 1\ CLlp1 (i,S,fiight,j,f)) =} 
[trans(P7(i, S,flight,j,f))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
.( 
+ Ps ( i, S, flight, f) 
( rec = Ps( i, S, flight,!) 1\ CLip8 (i,S,fiight,f)) =} 
[trans(PB(i, S,flight,J))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
.( 
+ Pg ( i, S, flight, f) 
( rec = Pg( i, S, flight, f) 1\ CLip9 (i,S,fiight,f)) ==> 
[trans(Pg(i, S,flight,f))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px)) 
.( 
+ P1o(i, S,flight, pn,f) 
(rec = Pto(i, S,flight, pn,f) 1\ CLlp10 (i,S,ftight,pn,f)) =} 
[trans(Pto(i,S,flight,pn,f))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
.( 
The full wp proof for each process Px(1 ｾ＠ x ｾ＠ 10) is attached in Appendix C. 
4.5.4 Control Loop Invariants in the Return office 
We introduce the Control Loop Invariant, CLI, for each process Rx(1 ｾ＠ x ｾ＠ 10) 
in the Return office. We introduce the CLI for each process according to the be-
haviour of the process. Each CLI includes predicates on the type of parameters 
L.-------____;:;;..:;:;;.... _______________________________ - - - --
148 CHAPTER 4. CASE STUDY 
and on the current state of the parameters at the beginning of each recursive 
call. For instance, process R2 ( S, flight, pn) cancels a ticket of machine flight. As 
a result, R2(S,flight, pn) should own flight at the beginning of the recursive call. 
So, ref(flight) E S is one of the predicates we introduce in CLIR2 (SJlight,pn)· In 
addition, all the machines owned by R2(S,flight,pn) as well as flight should not 
be empty. This is expressed by V k E S • k.sold # 0. 
CLIR1 (S) : S ｾ＠ MR 1\ V k E S • k.sold # 0 
CLIR2 (S,fiight,pn) : CLIR1(S) 1\ flight E Flights 1\ ref(flight) E S 1\ pn E Passport 
CLIR3 (S,fiight,pn) : CLIR1 (S) 1\ flight E Flights 1\ ref(flight) E (lv!R- S) 1\ 
pn E Passport 
CLIR4 (S,fiight) : S ｾ＠ MR A flight E Flights 1\ ref(flight).sold = 0 1\ 
V k E (S- { ref(flight)}) • k.sold # 0 1\ ref(flight) E S 
CLIR5 (S,fiight,j) : CL!Rt(S} 1\ flight E Flights 1\ ref(flight) E S 1\ j E Agencies 
CLIR7 (S,fiight,j) : CL!Rs(S,fiight,j) 1\ ref(flight).sold # Tef(flight).seats 
CLIR8 (S,fiight,j,f) : CLIR4 (S,fiight) 1\ j E Agencies 1\ Tef(f) E MR 1\ 
Tef (f) # ref (flight) 
CLIR9 (S,fiight,j,f) : CLIR4 (S,fiight) 1\ j E Agencies 1\ ref(!) E S 1\ 
ref (f) # Tef (flight) 
CLIR10 (S,fiight,pn,j,f) : CLIR3 (S,fiight,pn) 1\ j E Agencies 1\ ref(!) E S 
4.5.5 Establishing the Return office is CLI preserver 
In this section, we establish conditions 1 and 2 of Definition 11 in Chapter 3 for 
the Return office. 
Condition 1: 
As the Return office does not have any machine initially, Condition 1 is established 
as below: 
[rec := R1({})](CLJR1 ({})) = {} ｾ＠ lv!R 
,( 
4.5. VERIFICATION OF THE SYSTElvi DIVERGENCE FREEDOlvi 149 
Condition 2: 
+ R1(S) 
RI(S) = 10 2 0 3 
trans(R1 (S)) = CHOICE trans(1) OR trans(2) OR trans(3) END 
[trans(RI(S))](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) = 
[trans(1)](V1 ｾｘｾ＠ 10 • (rec = Rx => CLIRx)) A 
[trans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) A 
[trans(3)](V1 ｾｘｾ＠ 10 • (rec = Rx => CLIRx)) 
1 = customerToCancel?fiight?pn -4 if ref(fiight) E S 
then R2 ( S, flight, pn) 
else R3(S,fiight, pn) 
2 = require?j?fiight -4 if ref(fiight) E S 
then R5(S,fiight,j) 
else (notHaveit.j -4 R1(S)) 
(rec = R1(S) A CLIR1(s)) => [trans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) 
3=0 . A . ep.j?z-4R1 (SU{z}) JE genctes 
(rec = R1(S) A CLin1(s)) ==? [trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) 
( rec = R1 (S) A CLIR1 (S)) => 
[trans(R1(S))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==? CLIRx)) 
,( 
150 CHAPTER 4. CASE STUDY 
+ R2(S,flight, pn) 
(rec = R2(S,flight, pn) 1\ CLIR2 (S,flight,pn)) =? 
[trans(R2(S,fiight,pn))](\ll ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLIR:,J) 
+ Rs(S, flight, pn) 
R3(S,flight, pn) = 1 o 2 o 3 
trans(R3(S,jiight, pn)) = CHOICE trans(!) OR trans(2) OR trans(3) END 
[trans(R3(S,jiight,pn))](V 1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) = 
[trans(1)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 1\ 
[trans(2)](\ll ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 1\ 
[trans(3)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIRx)) 
1 = ask?j!fiight-+ (ep.j?w ｾ＠ R2(SU {w},ref-1 (w),pn) 
0 
notHavelt.j -+ R3(S,jlight, pn) 
0 
emptyMachine.j-+ R1(S)) 
(rec = R3(S,jiight,pn) 1\ CLIR3 (S,flight,pn)) ==> 
[trans(l)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
2 = require?j?f-+ if ref(!) E S 
then R10(S, flight, pn,j ,f) 
else (notHavelt.j-+ R3(S,jiight,pn)) 
(rec = R3(S ,flight, pn) 1\ CLIR3 (S,fiight,pn)) ==> 
[trans(2)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
3 = D .EA . ep.j?w ｾ＠ if w = ref(fiight) J gencles 
then R2(S U {w}, ref-1(w),pn) 
else R3(S U { w },flight, pn) 
L1.5. VERIFICATION OF THE SYSTEl\tf DIVERGENCE FREEDOl\11 151 
(rec = R3(S,flight, pn) 1\ CLIR3 (S,fiight,pn)) => 
[trans(3)](\11 ｾ＠ x ｾ＠ 10 • (me= Rx => CLIR3J) 
(rec = R3(S,flight,pn) 1\ CLIR3 (S,fiight,pn)) => 
[trans(R3(S,flight,pn))](\11 ｾｘｾ＠ 10 • (rec = Rx => CL!Rx)) 
•%• R4 ( S, flight) 
R4(S,flight) = 1 o 2 o 3 
trans(R<I(S,flight)) = CHOICE trans(1) OR trans(2) OR trans(3) END 
[trans(R4(S,flight))](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRJ) = 
[trans(1)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRJ) 1\ 
[trans(2)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) 1\ 
[t7·ans(3)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRJ) 
1 = 0. A . dp.j!ref(flight) -t R1(S- {ref(flight)}) JE genctes 
(rec = R4(S,flight) 1\ CLIR.1(S,fiight)) => 
[trans(1)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) 
2 = requi1·e? J.? f -t if ref (f) = ref (flight) 
then dp.j!ref(flight) -t R1 (S- { ref(fiight)}) 
else Rs(S, flight, j, f) 
(rec = R4(S,flight) 1\ CLIR4 (S,fiight)) => 
[trans (2) ](\11 ｾ＠ x ｾ＠ 10 • ( rec = Rx => CLIR:,J) 
3 = 0 'EA . ep.j?w -t R4(S U { w},flight) J gencws 
(rec = Rtt(S,flight) 1\ CLIR4 (S,fiight)) =* 
[trans(3)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx =* CL!Rx)) 
152 CHAPTER 4. CASE STUDY 
(rec = R4(S,jlight) 1\ CLIR4(S,flight)) => 
[trans(R4(S,flight))](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
+ R5(S,flight,j) 
(rec = R5(S,flight,j) 1\ CLIR5 (S,flight,j)) => 
｛ｴｲ｡ｮｾＨｒＵＨｓＬｦｬｩｧｨｴＬｪＩＩ｝Ｈ｜ｦＱ＠ ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) 
.( 
+ R6(S,j) 
(rec = R6(S,j) 1\ CLIR6 (S,j)) => 
[trans(R6(S,j))](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) 
.( 
ｾﾷ＠ R1(S, flight, j) 
(rec = R7(S,flight,j) 1\ CLIR7 (S;flight,j)) ==> 
[trans(R7(S,flight,j))](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
.( 
+ Rs(S,fiight,j,f) 
(rec = Ra(S,flight,j,J) 1\ CLIRs(S,flightJ,f)) ==> 
[trans(Rs(S,flight,j,J))]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLlpx)) 
.( 
+ Rg (S, flight, j, f) 
(rec = Rg(S,fiight,j,J) 1\ CLIR9 (S,flight,j,f)) ==> 
[trans(Rg(S,flight,j,J))](\71 ｾ＠ x ｾ＠ 10 • (Tee= Rx ==> CLIR:J) 
.( 
4.6. VERIFICATION OF THE SYSTENI DEADLOCK FREEDONI 
+ Rlo(S,fiight, pn,j,f) 
(rec = Rw(S,fiight,pn,j,J) 1\ CLIR1o(S,fiight,pn,j,f)) => 
[trans(Rw(S,fiight,pn,j,f))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CL1R9J) 
153 
The full wp proof for each process Rx(1 ｾ＠ x ｾ＠ 10) is attached in Appendix C. 
4.5.6 Divergence freedom establishment 
Sell agencies and the Return office have been successfully established to be CLI 
preserver in sections 4.5.3 and 4.5.5. All conditions in Them·en1 3 presented in 
Chapter 3 are true. Thus, according to Theorem 3 our system is divergence 
free. In other words, operations are always called within their precondition, as 
expected. 
4.6 Verification of the system deadlock freedom 
The deadlock freedom of om· syste1n is verified by using Theorein 4 presented in 
Chapter 3. First, all B machines should contain only pre-conditioned operations. 
The structure of the operations in B machines in otu· system has been designed 
such that they all contain only pre-conditioned operations. The second step in 
our verification is that the system should be divergence free. We have already 
proved in previous section that the system is divergence free. The final step is 
to establish that the parallel combination of sell agencies and the Return office 
is deadlock free. Controller has· already been established to be deadlock free by 
using FDR. All conditions in Theorem 4 are true. Thus, according to Theorem 
4 our syste1n is deadlock free. 
4. 7 'Discussion 
In this chapter, we used a case study to illustrate the key aspects of theoretical 
results of Chapter 3. The case study demonstrates the applicability of our Mobile 
CSP II B framework in specifying and verifying peer-to-peer networks. It shows 
that the theorems we proved dm·ing this research activity are sufficient and ca-
pable to verify the consistency of a mobile combined comn1unicating system. In 
this chapter, we illustrated all steps from developing a Mobile CSP II B model 
to verifying its consistency. We detailed how two separate parts of the system, 
Band CSP, should be designed and specified in order to communicate with each 
154 CHAPTER 4. CASE STUDY 
other during the execution. Using Jviobile CSP II B architecture, we were able to 
specify both behavioural and data aspects of the flight tickets sale system. 
As our framework can be coded into the original constructs of CSP and B, we 
are able to use the comprehensive and highly efficient software tools of CSP and 
the B-Method to analyse, animate and check the behaviour and the consistency 
of the two parts of a mobile system separately. This shows the advantage of 
using the B-Jviethod as our chosen state-based formal method ｾｮ､＠ CSP as the 
process algebra in our framework. In our case study, we used ProB to check, 
analyse and animate the specification of the B machines. In addition, we used 
powerful CSP software tools, ProBE and FDR, in the consistency verification. 
ProBE was used to explore the system execution to check the behaviour of the 
CSP controllers in the system during the execution. It was useful to check if the 
CSP part of the syste1n behaves according to what we expect. FDR was used 
to check divergence freedom and deadlock freedmn of the parallel con1bination 
of the controllers. These were the conditions in Theorems 3 and 4 presented in 
Chapter 3 which had to be true to establish the consistency of our systmn. 
At the beginning of our system develop1nent, we assumed a s1nall flight ticket sale 
system which contains two sell agencies and two flight machines. We can easily 
extend our systmn and develop a larger system with 1nore sell agencies and flight 
1nachines. In order to extend our system, we only need to change small parts of 
the CSP specification as listed below: 
• We should add the new flights to datatype Flights. 
• The new machine references should be added to datatype MR. 
• In mobile CSP specification of the syste1n, the new machine references 
should also be added as the new channels. 
• Set Agencies should be changed to the number of the sell agencies in the 
extended system. 
• Function ?'ef should be extended to map the new machines to their ｾｮ｡｣ｨｩｮ･＠
references. 
• The new sell agencies and 1nachine references should be added into the body 
of the process Controller. 
The rest of the system remains the same as before. 
During the consistency verification of our system, we found out that the weakest 
precondition proof 1night be difficult for people who do not have a good 1natli-
e1natics background. The person should be capable to work out and deal with 
4. 7. DISCUSSION 155 
logical proofs in order to do the wp proof correctly. The wp proof will be more 
difficult if operations of the machines are more complex. For instance, if there are 
several predicates as the precondition, or if the body of the operations contain 
several assignments, then it needs more effort to work out the weakest precon-
ditions. In addition, more effort is needed to work out the wp proof correctly if 
the body of CSP processes are n1ore complex. For instance, if the body of the 
CSP processes are long and contain lots of channels with inputs and outputs, or 
several external and internal choices, or several if then else statements, then it 
will be difficult to follow and track the proof of wp correctly. We believe that for 
the weakest precondition proof to be applicable on any large scale, tool support 
would be necessary. 
:rviobile CSP II B does not have dynamic con1ponent creation. It is a suitable 
frmnework for the systems whose components m·e the satne from the beginning 
and during the execution, or for the systems whose con1ponents may tenninate 
or leave the system during the execution. In a real flight tickets sale system, 
new flights are added into the system during the execution. Also, in reality, 
new agencies may be added into the system as the new sell agencies during the 
execution. However, in our flight tickets sale systmn there is no possibility for 
new flights or new sell agencies to be added into the system during the system 
execution. We will discuss this in Chapter 6. 
Assigning the correct assertion for control points is one of the key points in 
consistency verification. For each control point, the assertion should be assigned 
depending on who is the receiver and what the receiver is going to do with the 
1nachine it receives along that control point. In our flight tickets sale system, the 
receiver controllers are either sell agencies or the Return office. So, the assertions 
are easily assigned as either Ｂｮｾ｡｣ｨｩｮ･＠ is not full" or ''machine is not empty". 
However, in a large system which contains several controllers each doing different 
tasks, assigning a correct assertion for each control point will need more effort. 
Another key point in consistency verification is introducing control loop invari-
ants. CLI of each process should be chosen very carefully and according to the 
behaviour of that process. Our flight tickets sale system is a small system which 
contains three controllers two of which are sell agencies having the same structure. 
So, we only needed to define CLis for the processes in a sample of sell agencies 
and CLis for the processes in the Return office. However, defining correct CLis 
for the processes in controllers will need more work in large systems containing 
several controllers each having different structures. 
In our small flight tickets sale syste1n, if one of the controllers needs a machine, 
there are only two other processes to ask for that machine. However, if we extend 
om· system to a large one containing several numbers of sell agencies, it will not 
be as easy as om· small example. If a Sell agency needs a flight machine, it has 
156 CHAPTER 4. CASE STUDY 
to ask other sell agencies and the Return office one by one for that machine. In 
other words, the Sell agency has to continue asking each one until the owner of 
that 1nachine is found. Even in this case, after a long search for that 1nachine, 
the requester Sell agency might be finally told by the owner that the 1nachine is 
aheady full. The same proble1n can also occur for the Return office in the system 
during the execution: it has to ask each Sell agency one by one to find the owner 
of the machine and even then it might be told by the owner that the machine 
is empty. Another proble1n is if a controller needs a machine, the owner of that 
machine 1nay not be working with the machine and may not need that 1nachine 
but it is busy by doing son1ething else and cannot receive the request message to 
send its machine. In other words, the machine is ready to be used and no one is 
using it but the controller who wants that machine cannot access to it until the 
owner has finished its work and is free to receive the request message and then 
sends the machine. 
After doing this case study, a new idea raised that it would be a useful technique 
if we add a special process to our system which does not sell or cancel any 
tickets and it is only responsible for keeping the flight machines in the system. 
Initially, all the 1nachines 1nust be in possession of this machines keeper. Dtu·ing 
the execution, controllers should ask the machines keeper for any machine they 
need to work with. After controllers finish their work with a flight machine, they 
should give the machine back to the 1nachines keeper. This should happen even 
if a machine is full after selling a ticket or if a machine is empty after cancelling 
a ticket. In other words, sell agencies and the Return office do not pass any 
1nachine between each other during the execution. 
By using this method, whenever a Sell agency or the Return office needs to work 
with a flight machine, it only needs to ask one special process for that 1nachine 
instead of asking several controllers. If the machines keeper does not have that 
n1achine, it means that the machine is being used by one of the other controllers 
at the moment. Another advantage of this method is that no 1nachine is kept 
anywhere without being used while someone else needs to work with it. 
As the sell agencies and the Return office give all their machines back to the 
machines keeper after they finish their work with the machines, the machines 
keeper may own any kinds of machines during the execution such as full, empty,. 
or a n1achine with both sold tickets and unsold tickets. This also means that sell 
agencies and the Return office do not need to check the current state of their 
owned 1nachines when giving the1n back to the machines keeper. However, this is 
the machines keeper's responsibility to check the current state of machines before 
passing them to the sell agencies or to the Return office. \iVhenever a Sell agency 
wants a machine, the machines keeper should first check whether the machine is 
full or not and then it should give the machine to the requester Sell agency only 
if the 1nachine is not full. On the other hand, whenever the Return office wants a 
4. 7. DISCUSSION 157 
1nachine, the machines keeper should first check whether the machine is e1npty or 
not and then it should give the machine to the Return office only if the machine 
is not e1npty. 
If we have the machines keeper in om· flight tickets sale system, there will not 
be any control points between any two controllers. Control point channels will 
be only situated between the machines keeper and the controllers. So, we will 
have less channels in our system specification. There should be two control points 
each for one direction between any controller and the 1nachines keeper. This is 
because of different assertions which should be assigned for each direction. For 
all control points which passes the flight machines to the machines keeper, the 
assertion is the predicate True as any kind of machines can be passed to the 
machines keeper. However, when a machine is passed from the machines keeper 
to a Sell agency, it should not be full and when a machine is passed from the 
machines keeper to the Return office, it should not be empty. As the components 
would be essentially the same, wp proofs can be essentially reused. In a large 
system with several numbers of machines, we may need more than one machines 
keeper in the system. 
To conclude this chapter, we developed an example of a peer-to-peer network in 
l\IIobile CSP II B framework. In addition, by having the powerful tool supports 
and effective theorems proved in this thesis, we were able to successfully verify 
the consistency of our example. Furthermore, it was revealed that for a relatively 
small example like om· case study, a lot of proofs is required in consistency verifi-
cation of the system. Therefore, n1ore effort is needed in consistency verification 
of large systems. 1\IIoreover, by doing this case study we realised that in develop-
ing a large system containing several controllers and 1nachines, it would be more 
efficient if we design smne extra processes in our system as the machines keepers 
which do not work with machines and they are only used to keep the machines 
and to exchange the machines in the system during the execution. 
- .. -· -------- -·- ---··--·-] 
Chapter 5 
Related works and comparison 
In this chapter, some relevant frameworks, software tools and specification lan-
guages are reviewed and cmnpared with I\tJ:obile CSP II B. We begin with the 
review of verification software tools, 1nodel checkers and languages created for 
concurrent, distributed and dynamic systems. Then, we discuss how other com-
binations of a state-based formal 1nethod and a process algebra compare with 
our framework. Finally, we discuss how other two combinations of CSP and B 
compare with ours. 
5.1 SPIN(Simple Promela Interpreter) 
SPIN [9] is a software tool for fonnal verification of concurrent and distributed 
systems written in a modelling language called Prmnela (Process Meta Lan-
guage). The syntax notation of Prmnela is based on Dijkstra's guarded cmn-
mand language [24] and the CSP language. This combination is able to describe 
state transitions happening in order. In a Promela model, a number of processes 
execute concurrently in the systmn. They can communicate with each other by 
using shared variables and channels. SPIN is able to check the consistency of a 
model system specified in Promela and to detect different errors in the system 
such as deadlocks and assertion violations. 
Despite the fact that CSP processes can describe solely the behavioral aspects 
of the system without concerning state transitions, data aspects are described 
in Promela model in the body of processes. Promela accepts different types of 
variables such as integers, arrays and records. There are global variables which 
processes can s.hare with each other. Also, each process can have its own local 
159 
160 CHAPTER 5. RELATED 1VORKS AND COIVIPARISON 
variables which are used only by that process. The body of a process consists 
of a sequence of statements. If a state1nent contains a guard, it can be executed 
only if the guard is true. If a statement cannot be executed, the execution of 
that process is blocked until that statement can be executed. 
Processes can communicate with each other via channels such that one process 
can put a 1nessage into a channel and the other process can get a message out of 
that channel. This comn1unication can be either synchronous or asynchronous. 
In asynchronous cmn1nunication, processes execute independently and the state-
Inents of different processes do not occur at the same time. However, in syn-
chronous communication, sending a 1nessage by one process and receiving the 
message by another process should occur at the same thne. 
The communication between processes in SPIN has some differences with the 
original constructs of CSP. In SPIN, each channel has a particular capacity. As 
a result, a process can put a message into a channel if the channel is not already 
full and also a process can get a n1essage out of a channel if the channel is not 
mnpty. In addition, con1munications are limited through channels: each process 
can either send a 1nessage or receive a message through a channel. So, a prqcess 
cannot have both input and output through a single channel at the same time. 
Moreover, in synclu-onous communication, the synchronisation can only happen 
between two processes such that one should have the send statement and the 
other one should have the receive state1nent. As a result, more than two processes 
cannot synchronise with each other through 'a channel. F'luthermore, unlike CSP 
specifications in which the number of processes are fixed at the beginning and 
during the execution, in SPIN new processes can be dynamically created at any 
point during the execution. 
Given a 1nodel system specified in Prmnela, SPIN can be used as a simulator to 
find property violations in the systen1. In simulation, if there is a choice point 
at which there are 1nore than one enabled transitions, SPIN can either simulate 
the system by randomly choosing a transition branch or it can ask the user to 
choose a transition branch. In both cases, SPIN cannot search all possible traces 
to find the errors. The reason is that in random simulation mode, SPIN might 
not always find the errors as it shnulates the system randomly. Also, SPIN in 
guided shnulation mode might not always find the errors as the user, who chooses 
. a transition branch, may choose a transition branch which does not have an error. 
The main success factor of SPIN is its ability to verify Pron1ela 1nodels by auto-
matic exhaustive searching. SPIN can autmnatically search all possible transition 
branches in the system to find the errors. This means that at each choice point, 
SPIN chooses an unexplored. transition branch and after finishing the branch, it 
cmnes back to that choice point and chooses another transition branch which has 
not been explored before. If SPIN detects an error, it outputs the information 
5.2. SlviV 161 
about the error. In SPIN's output, the user can find the execution path and the 
nun1ber of execution steps in which that error occurs. The error that SPIN finds 
is not always the first error which occurs in the system. If it finds a long violating 
trace, it will be difficult for a user to follow the trace to find the reason of that 
error. To solve this problem, users .are able to tell SPIN to search for shorter 
violating traces or even to search for minimal length error traces. They 'can set a 
bound on the depth of SPIN's search. So, SPIN will then search for a particular 
length of traces to find errors. 
5.2 SMV 
SMV [8] is a model checker for concurrent syste1ns written in SMV input language. 
A program in the SMV input language consists of one or more modules and the 
system specification. A module contains a nmnber of assignment statements. 
SMV can be used as a tool for checking the progrmn against the specification. It 
checks whether the specification is satisfied. If SMV detects that the specification 
is violated, it produces a counterexample and shows an execution path to the 
violation. 
In a Sl\IIV progrmn, all of the assignment statements m·e executed in parallel and 
at the smne time. However, it is possible to define processes in a SMV progrmn in 
order to 1nake the111 execute asynchronously. A process is an instance of a module 
and like modules the body of a process contains of smne assignment statements. 
During the execution, the program chooses a process non-deterministically and 
executes all the assignment statements in that process in parallel. After finishing 
this process, the progra1n chooses another process again non-deterministically 
and starts to execute the new process. In other words, at each stage of the 
execution, only one process can be executed and this process is chosen non-
deterministically. Therefore, processes can be used for assignments which are not 
wanted to be executed concurrently in the system. However, the disadvantage 
is that there is no control on the order of the execution of the processes as the 
execution of the processes is chosen non-detenninistically. 
5.3 VeriSoft 
VeriSoft [11, 33, 32, 34] is a model checker which automatically searches for er-
rors such as: deadlocks, divergences and assertion violations in progra1ns written 
in different programming languages such as C, C++ and Tel. It is a tool for 
analysing and testing concurrent systems in which several processes execute con-
. currently in the system. In the case of detecting an error, VeriSoft details the 
cause of the error by performing a scenario leading to the error. 
162 CHAPTER 5. RELATED WORKS AND COl\IIPARISON 
The key difference between VeriSoft and our approach is that VeriSoft is used 
to test and check the correctness of software applications which have been de-
veloped in progTamming languages. However, our framework is an approach to 
verify system specifications and to check the consistency of the specifications be-
fore generating code. The verified specifications then can be written in different 
progra1n1ning languages. 
5.4 Mobile UNITY 
Iviobile UNITY [47), an extension of the parallel program design language UNITY 
[20], is a language and proof logic for specifying and reasoning about concurrent 
mobile systems. In Mobile UNITY, cmnponents can n1ove around and execute 
at different locations and they can interact and communicate with each other 
during the execution. In Iviobile UNITY notation, Inability is 1nodelled· as the 
change of the location of con1ponents. In other words, the change in the location 
of components provides means to model movement in the system. It allows the 
description of location-sensitive behaviour, e.g., interaction at the same place, or 
within a certain distance. Each cmnponent in Mobile UNITY has a distinguished 
location variable. The location of each component is modelled by assign1nent of 
a value to its location variable. The 1novement of a component is modelled by 
the change of value of its location variable. 
A lVIobile UNITY specification consists of a number of programs, a Components 
section and an Interactions section. A program consists of some variables and a 
set of assignment statements. The Components section introduces all the com-
ponents that exist in the system. In Iv!obile UNITY, dynmnic creation of new 
components is not allowed during the execution. Each component of the system 
is an instance of a progrmn. It is possible that some or all components to be 
the instances of the same program. The Interactions section contains statements 
which define how different components interact and communicate with each other 
in the system. 
Iv!obile UNITY proof logic is employed to verify the safety and liveness properties 
of a system expressed in the lVIobile UNITY notation. Iviobile UNITY has no 
notion of refinement. 
We believe using CSP language in our approach makes flow of control more 
expl.icit in contrast to approaches that use control variables. In addition, Mobile 
CSP II B framework supports a refinement approach: it enables the refinements 
of con1ponents to be a substitute of the original components in the systmn while 
the system consistency is guaranteed to remain. Furthermore, as our framework 
can be coded into the original constructs of CSP and B, we are able to use software 
5.5. OCCA!vi-1r 163 
tools of CSP and the B-Iviethod to analyse, animate and check the behaviour and 
the consistency of the two parts of a mobile system separately. 
5.5 Occam-1r 
Occa1n [12] is a programming language based on CSP in which a number of pro-
cesses execute concurrently and com1nunicate with each other through channels. 
An Occam process contains a munber of actions which are either an assigmnent, 
an input or an output. Unlike CSP, processes in an Occam progra1n are able to 
process data. 
Occam-1r [6, 13, 14] is an extension of Occam which uses 1r-calculus semantics as 
well as CSP in order to create 1nore dynamic syste1ns. In Occam-1r programs, 
1nobile data, mobile channels and mobile processes can be decla1·ed. 
In communication between processes in Occam-1r, whenever a process outputs a 
mobile variable, it loses that variable and does not have any access to it after-
wards. This is similar to otu· work in which machine references can be passed 
around the system and whenever a process passes a machine reference to another 
controller, it does not have any access to that machine reference afterwards. 
Iviobile processes in Occam-1r can move around the network through channels. A 
1nobile process is able to suspend itself, then move from its local environ1nent to 
another environment, and be reactivated in the new environment. After reacti-
vation, the process is executed frmn the same state at which it suspended. 
A channel in Occam has two ends which are two processes cmnmunicating with 
each other through that channel. Depending on the direction of the channel, 
one process is client and the other one is server process. In Occa1n-1r, a mobile 
channel is able to n1ove around the network. As a result, different processes can 
cmnmunicate with each other through a n1obile channel at run-time. 
The idea of moving channels in Occam-1r is similar to our Mobile CSP II B 
architecture in which machine references can move around the systen1 during the 
system execution. However, in our framework, B machines always have one end of 
their reference channel and this is only the other end which can belong to different 
processes in the system. Another difference is that in Mobile CSP II B, only 
machine references are mobile channels. Communication channels and control 
points are static channels in lVIobile CSP II B architecture and they are fixed 
in the systen1 frmn the beginning and during the execution. This enabled us 
to present theorems and techniques for establishing consistency in our mobile 
architecture. 
Despite Ivlobile CSP II B which does not have dynamic cmnponent creation, in 
Occam-71", new processes can be dynamically created at run-time. 
164 CHAPTER 5. RELATED WORKS AND CO!viPARISON 
Unlike in_ Occam-1r, we are able to verify the consistency of the systems specified 
in :rviobile CSP II B. In principle, our work can be coded into Occam-1r so a 
system can be first verified in :rviobile CSP II B and then the verified system can 
be coded into Occam-1r. 
5.6 PiOZ 
PiOZ (66] is a specification technique which is an integration of Object-Z and 
1r-calculus. This framework is used to 1nodel dynamic systems by embedding 
1r-calculus into Object-Z. In PiOZ, 1r-style process definitions are included into 
Object-Z classes such that a class has both Object-Z part and 1r process part. 
The 1r process part is an extension of the 1r-calculus process syntax in which 
the body of a process can include operations of that class and also include the 
Object-Z state guards. 
By using 1r-calculus, communication channels between components can be passed 
around the system and also new channels can be dynamically created between 
cmnponents in a system specified in PiOZ. Our :rviobile CSP II B framework also 
supports the movement of channels. However, in our approach, only channels 
for communicating with machines (machine references) are mobile and can be 
passed around the system. In addition, it is not possible to create new channels 
in :rviobile CSP II B. 
[66] states that invariant and liveness properties of systems in PiOZ can be verified 
by adopting an assertional-style proof logic presented in (26]. (66] provides an 
example and explain how the assertional-style proof can be used to prove the no 
message loss property in a syste1n specified in PiOZ. We believe the consistency 
verification strategy provided in our framework is more explicit. In addition, 
software tools in· CSP and B can also be used to reason and check different 
aspects of the system behaviour. 
One limitation of the PiOZ approach is that only monadic channels are used 
in this formal framework. This means that a message sent or received along a 
channel can consist of only one name. In addition, currently there is no tool 
support for PiOZ. 
5.7 zccs 
ZCCS (31) is a specification language which is a combination of Z and CCS. A 
ZCCS specification consists of two parts: Z part and CCS part. First, the data 
are introduced and defined in the Z part by using the Z language. These defined 
data are then used in the CCS part of the specification. 
. --· ﾷﾷＭﾷＭＭＭＭＭＭＭＭＭＭＭＭＭＭ ＭＭＭＭ ＭＭＭｾ＠
5.8. CSP-OZ 165 
One problem with ZCCS is that it is not possible to invoke Z operations directly 
by their name in CCS part of the specification. Instead, a group of agents should 
be used to apply an operation schema. So, using Z operation schemas in Z part 
can produce very complex CCS part of the ZCCS specification. 
Another problem is that in CCS specifications we only can have either input or 
output carried by a channel. So it is not possible to have both input and output 
in a single channel at the same time in a ZCCS specification. 
Ivlobile CSP II B framework enables us to specify and verify concurrent systems 
with 1nobile architecture. However, ZCCS do not support mobility. 
5.8 CSP-OZ 
CSP-OZ [29] is a combination of CSP and Object-Z. It is an extension of Object-Z 
in the way that an Object-Z class is defined by using the cmnmunication chan-
nels and CSP processes as well as the standard Object-Z class definitions. A 
CSP-OZ class contains of three parts: channel definitions (the interface of the 
class), CSP processes, and Z schemas which are defined the same as in Object-Z. 
Each operation schema corresponds to a channel. So the type of a channel is a 
schmna type. The CSP processes describe the behaviour of that class by using 
the channels defined in the interface. Therefore, each event in the body of the 
processes corresponds to an operation with its parameters. 
The 111ain strength of CSP-OZ is that CSP operators such as : parallel compo-
sition, hiding, interleaving, internal choice and external choice can be applied to 
CSP-OZ classes. However, CSP-OZ is not supported by any software tools. 
A failure-divergence semantics of CSP-OZ is defined in [29] in the way that it 
defines a failure-divergence semantics of CSP-OZ classes with e1npty CSP-part 
which contains only the channel definitions and the Z-part. Then, the semantics 
of a CSP-OZ class is given by the parallel composition of two CSP-OZ classes; 
one of them with empty CSP-part and only contains the channel definitions and 
the Z-part, and the other one with mnpty Z-part and only contains the channel 
definitions and the CSP-part. 
In contrast to l\llobile CSP II B, CSP-OZ does not support 1nobility. In CSP-OZ, 
each CSP-OZ class has its own CSP-part which describe the behaviour of the 
class. In other words, each class has a specific behaviour defined in CSP-part of 
its specification. Our approach, however, we believe has more dynamic architec-
ture. In Mobile CSP II B, as B machines can be exchanged between controllers, 
B machine's behaviour is controlled by different CSP controllers during the exe-
cution. As each controller may invoke different operations of a B 1nachine, the B 
166 CHAPTER 5. RELATED WORKS AND COlVIPARISON 
machine may have different behaviuors while working with different controllers 
during the execution. 
5.9 Object-Z/CSP 
Object-Z/CSP [64] is a combination of Object-Z and CSP for specifying, refining 
and verifying concurrent systems. In Object-Z/CSP, Object-Z classes are given 
CSP failures-divergences smnantics. This enables the creation of a combined 
specification in which Object-Z classes in Z part of the specification can be used 
as CSP processes in CSP part of the specification. After specifying the cmnponent 
processes as Object-Z classes, the whole syste1n .is then specified by using CSP 
operators to describe how the components interact with each other in the system. 
Classes can communicate and interact with each other on their common named 
operations. ·For instance, if two classes have an operation with the san1e name 
op, these two classes synchronise with each other on the operation op. This 
can be used to model1nessage passing com1nunication between classes. Message 
passing communication can be 1nodelled by renaming the two operations, each 
in one class, to a common name. For instance, assuming that an operation opl 
consisting of output in a class should synchronise with operation op2 consisting 
of input in another class. In order to model message passing between these two 
classes, operations opl and ap2 can be renamed to a common name so they can 
then synchronise with each other. If two classes have an operation with the same 
name op but we do not want them to synchronise with each other, the operation 
op can be renan1ed to different names in these two classes in order to prevent 
the1n frmn synchronising. 
[64) presents two methods to verify the refinements of Object-Z classes in the 
con1bined specifications. The first method uses the CSP definition of refinement. 
In this 1nethod, the failures of a class and the failures of its refinement are calcu-
lated and con1pared with each other. The result should establish that the failures 
of the refinement class is a subset of the failures of the abstract class. [64] also 
defines a state-based method to verify the refine1nents of the Object-Z classes. 
The method is based on the work presented in [39] where two refinement rela-
tions, called upward and downward simulations, are introduced and are proved 
to be sound and complete with respect to CSP refinement. [64] adapts the idea 
of upward and downward shnulations presented in [39) and introduces two up-
ward and downward simulation rules for classes in the integrated Object-Z/CSP 
notation. In order to establish that a class C is a refinement of a class A, these 
rules must be hold between two classes C and A. 
To verify properties of the CSP system specifications in Object-Z/CSP, both 
state and behavioural propertied are needed to be considered as Object-Z/CSP 
5.10. CIRCUS 167 
is a combination of Object-Z and CSP. [64] uses the laws of the CSP operators 
presented in [36] and the logic for Object-Z presented in [63] to verify the CSP 
syste1n whose components are Object-Z classes instead of CSP processes. 
ｏ｢ｪ･｣ｴＭｚＯｃｾｐ＠ is a close work to CSP-OZ as they are both integrations of Object-
z and CSP. Similar to CSP-OZ, Object-Z/CSP gives CSP failures-divergences 
se1nantics to Object-Z classes. However, in Object-Z/CSP there is no CSP-part 
inside of classes. In fact, Object-Z classes in Object-Z/CSP are specified in 
accordance to Object-Z notations and the specified classes are then used as CSP 
processes in CSP part of the systmn. This is similar to what we have done in our 
work: we define the CSP semantics for B machines which then enables us to use 
B machines as CSP processes in our system. In addition, like Object-Z classes in 
Object-Z/CSP, B machines in CSP II B are specified in accordance to B machine 
specification notations and then the specified B machines are considered as CSP 
processes in CSP part of the system and they can work in parallel with CSP 
processes in the system. 
Otu· Mobile CSP II B framework provides an extra ability in specifying and veri-
fying concurrent systems. It enables us to specify and verify concm-rent systems 
with 1nobile architecture as well as static architecture. 
In addition, we do not need to provide any methods to verify the refinements 
of cmnponents in om· system. Our system contains two kinds of components: B 
machines and CSP processes. A refinement of a B machine can be verified by 
using B tools such as BToolkit, and refinmnents of CSP processes can be verified 
by using FDR. As we have proved in Chapter 3, refinements of components can 
be used instead of cmnponents in the system and the substitution does not have 
any effect on the system consistency properties. 
5.10 Circus 
Circus [3] is a combination of CSP and Z for specifying concurrent systems. It is 
a language which is able to design and specify both state and behavioural aspects 
of a system. As a combination of Z and CSP, Circus describes the data aspects 
of the system by Z and the behavioural aspects of the system by CSP. It also 
includes a refinement technique which is used to refine the abstract Circus spec-
ｩｦｩ｣｡ｴｩｯｾｳＮ＠ Refinement can happen in different levels from abstract specification 
to an hnplementation. 
In [30], a translating tool called JCircus is presented which automatically trans-
lates a Circus program into Java. This translator accepts a Circus progra1n 
written in LATEX and automatically produces a Java program which can be 
then used for animation and simulation. 
168 CHAPTER 5. RELATED VVORKS AND CO!VIPARISON 
In contrast to Circus for which the software tools have to be specially created, 
we can code a Mobile CSP II B model into the original constructs of CSP and B 
and as a result we are able to use the comprehensive and highly efficient software 
tools of CSP and the B-:Niethod to verify the behaviour and the consistency of . 
each part of the systmn separately. 
In addition, :Niobile CSP It B provides the facility to describe the systems in 
which data aspects can be updated and accessible for different controllers in the 
system dtu·ing the execution. This is why we believe otu· 1nobile framework can 
be used to design peer-to-peer networks. However, this architecture cannot be 
designed in Circus specification. In other words, one important advantage of 
otu· work is the ability of modelling mobile systems which is not possible in the 
current version of Circus. Recently, [67] presented semantics of mobile processes 
in Hoare and He's Unifying Theories of Programming (UTP) [37]. The future 
objective of this work is to use the presented UTP semantics of n1obile processes 
to -include 1nobility into Circus in such a way that processes can move around in 
the system. 
5.11 7r I B 
[40] introduces 1r I B, a fra1nework which is based on a combination of 11"-calculus" 
and the B-Method. As 1r-calculus is used to describe mobile systems, this formal 
framewotk provides specifications in which the dynamic patterns of behaviour of a 
system is described by 1r-calculus, and the data aspects of the systen1 is described 
by the B-Method. [40] illustrates this mobile combination using an example of a 
peer-to-peer network in which B machines, like nodes in a peer-to-peer network, 
can join or leave the interaction regularly. 
The syste1n is allowed to dynamically create multiple instances of B machines 
and each instance has its own state. For each instance of a B machine, a unique 
channel is referred to as the machine reference. This channel is used to commu-
nicate with B machines. In order to execute operations of B machine instances, 
the 1r processes which communicate with the B 1nachine instances, referred to as 
mediators in [40], call operations of B 1nachine instances through machine refer-
ences. In other words, a B machine receives the requests to execute its operations 
via its unique n1achine reference. Similar to our work, 1nachine instances in 1r I B 
are 1nobile and they can be transferred between 1nediators along control point 
channels. 
[40] presents a theorem for establishing the divergence freedom of the cmnbined 
syste1n which means that all operations of B machine instances are called within 
their precondition. 
5.12. CSP2B 169 
The framework presented in [40] is similar to our Mobile CSP II B architecture. 
However, there are some major differences between 1r I B and our approach. 
Using 1r-calculus instead of CSP in system specification makes some differences 
in system behaviour. 1r -calculus is a formal n1ethod which is able to describe 
1nobile systems and explain their behaviours whereas, we have created mobility 
in CSP II B approach which had already been a static architecture. 
In 1r I B, different instances of B machines can be created in the system during 
the execution. However, in Mobile CSP II B architecture, all B machines which 
work in the system exist frmn the beginning and new machines cannot be created 
in the system during the execution. 
In order to establish the consistency of the cmnbined system, (40] has only consid-
ered the divergence freedom of the system. It provides a theorem for establishing 
divergence freedom in 1r I B architecture without concerning about deadlock in 
system verification. Whereas, we have been able to provide theorems and tech-
niques for establishing not only the divergence freedom but also deadlock freedom 
in our mobile system. 
In order to allow B machines to be considered in parallel with 1r processes, a 
1r-style operational semantics is provided for B machines in 1r I B. However, 
the semantics is only for B machines whose operations do not have input and 
output parameters. As a result, operations with inputs and outputs cannot be 
used in B machines in 1r I B. We believe the significant advantage of our work 
is that B already has a CSP -style semantics through Morgan's action systems 
[50]. In addition, in our 1\llobile CSP II B framework, B machines are allowed to 
have operations with inputs and outputs. Therefore, a B machille and its CSP 
controller can send or receive values ｦＱｾＰｮＱ＠ each other while working in parallel. 
5.12 CSP2B 
In [18), Butler presents CSP2B, a tool for describing a cmnbination of CSP and B 
in a systen1. CSP2B is a tool which accepts a CSP-like specification and converts 
it to a B machine. We write the CSP-like specification according to the source 
notation of CSP2B. Smne features of CSP such as internal choices and event 
hiding are not supported by CSP2B. After writing the CSP-like specification, 
CSP2B generates a B 1nachine from it. The generated B machine has the same 
information and its operations are nan1ed the same as events in the CSP-like 
specification. 
CSP2B is a tool to control the execution order of the operations in a B machine. 
To achieve this, we enter the B machine and the CSP-like specification. In the 
CSP-like specification, we should add a clause called CONJOINS with the name 
170 CHAPTER 5. RELATED \iVORKS AND COlviPARISON 
of the B machine. Clause CONJOINS signifies that the CSP-like specification 
controls the execution order of the operations in the B machine. CSP2B then 
generates a B machine from the CSP-like specification. This generated 1nachine 
includes the original B machine by using clause INCLUDES following by the na1ne 
of the original B machine. , Each operation of the generated n1achine includes 
a guarded call to the corresponding operation of the included machine. This 
guarding of the call in each operation of the generated machine ensures that the 
order of execution of operations is according to the CSP-like specification. 
CSP2B is a related work to our approach in the way that a CSP specification 
controls the execution order of the operations in a B machine. Also, similar to 
1\IIobile CSP II B, in CSP2B it is possible to have more than one CSP processes 
working in parallel with each other as a controller for a B machine. 
A major limitation with CSP2B is that a CSP process or a parallel composition of 
CSP processes ｣｡Ｑｾ＠ control the execution order of only one B machine's operations. 
However, in l\IIobile CSP II B, a CSP process or a parallel con1position of CSP 
processes can control the execution order of several B machines' operations. In 
addition, we are able to have mobile systems in which CSP controllers are able 
to exchange their controlled B machines during the execution. 
5.13 ProB 
ProB [7, 42, 19, 43] is a B software tool for anhnation, model checking and con-
sistency checking. ProB is an anhnator which can be used to manually check 
deadlock freedom of a B n1achine. The user can try execution of different se-
quences of operations to find out if there is a deadlock in the machine. There 
is an enabled operations list on the screen in which the name of some opera-
tions are appeared at each stage of the execution. This means that only one of 
the operations written in that list can be executed next. So, the user can only 
choose the next operation from one of these operations in the list. If there is no 
operation in the list, it means that deadlock has happened at that stage of the 
execution and no n1ore operation is able to be executed next. Also, ProB detects 
any divergence while checking deadlock in the B machine. It treats preconditions 
as guards in the system execution which means that whenever the precondition 
or guard of .an operation is not satisfied, this operation will not be appeared in 
the enabled operations list and it cannot be executed as the next operation. In 
other words, ProB is an animator which does not allow divergence to happen 
during the execution. 
ProB can autmnatically check the deadlock freedom of a B machine without 
execution which means that we do not need to try execution of sequences of 
operations to find out if there is a deadlock in the machine. However, deadlock 
5.13. PROB 171 
freedom can be checked for a limited number of executions which can be chosen 
by the user. 
As well as a software tool for B, ProB can be used as an animator and consistency 
checker for the previous static CSP II B approach. It is able to accept both B 
machine and its CSP controller specification together and check the consistency 
of the parallel cmnbination. Among the operations enabled to happen next by 
the controller at each stage, ProB only offers operations to be executed next in 
enabled operations list on the screen whose preconditions and guards are satis-
fied. ProB can also auton1atically check the consistency of the combined system. 
However, it is not possible to check the consistency in a combined system con-
taining non-terminating processes as ProB can only check the consistency for a 
limited number of executions as described above. Similar to CSP2B, ProB can 
solely check the consistency of the parallel combination of one B machine and its 
controller. It is not able to support n1ore dynamic and more interactive cmnbined 
systems in which a CSP process can work concurrently with n1ore than one B 
machine, and each 1nachine can be passed from one process to another process 
during the execution. 
Chapter 6 
Conclusion and Future Work 
In this chapter we present our conclusions, provide a summary of the major points 
and evaluate the contributions of tllis thesis. In addition, we present our ideas 
for future research directions. 
6.1 Conclusion 
CSP II B is an approach which cmnbines state and event based 1nodels. Its 
advantage is that cmnplex systems can be described and their verification ensures 
consistency of the models. 
The consistency verification which had been presented before in CSP II B did 
not cover all possible kinds of con1bined cmnmunicating systems which can be 
modelled in this architecture. For instance, there had been no consideration 
for consistency verification of a systen1 in which B machines contain both pre-
conditioned and guarded operations. Also, having B machines which contain 
only guarded operations, we were only able to check the deadlock freedom of 
each controlled con1ponent separately and it was not possible to check the dead-
lock freedmn of the whole system. In Chapter 2, we successfully cmnpleted the 
consistency verification of CSP II B by providing new theorems for establish-
ing divergence freedom and deadlock freedom of the systems that had not been 
covered before. 
The main contribution of this thesis is introducing Mobile CSP II B, a new 
version of CSP II B which supports the description of mobility. This additional 
functionality is suitable for modelling agent systems or peer-to-peer networks 
where consideration of mobility is important. In Chapter 3, we have extended 
173 
174 CHAPTER 6. CONCLUSION AND FUTURE HTORK 
CSP II B approach to include mobility and we have developed a formal framework 
so that we can verify the consistency of CSP II B specifications that include 
mobile aspects. This allows us to extend the range of specifications that we can 
write in CSP II B and retains our philosophy of not changing the underlying 
CSP and B semantics. In iVIobile CSP !! B architecture, each CSP controller can 
work with more than one B machine at the sa1ne thne during the execution. A 
parallel combination of CSP processes act as the controller for the B machines, 
and each single B 1nachine can be controlled by different CSP processes during 
the execution. By introducing 1nobility, each CSP process can receive a (mobile) 
machine or give it to another CSP process during the execution. Each machine 
has a unique machine channel called machine reference. It is the only channel 
through which a CSP controller and a B machine can communicate with each 
other. Machine references are mobile channels and can move around in the system 
during the execution. They can also be treated as data and can be passed between 
CSP processes through static channels (control points) in the system. Controllers 
exchange machines between each other by exchanging the machine references. 
In addition, in Chapter 3 we defined and verified the conditions which guarantee 
the divergence freedmn and deadlock freedm11 consistency of the systems specified 
and designed in iVIobile CSP II B. We provided a theorem to establish divergence 
freedmn of the whole mobile cmnbined communicating system containing several 
CSP controllers each controlling several B machines, by establishing properties 
for each CSP controller separately. In iVIobile CSP !I B, divergence freedom veri-
fication must include two steps. First, the CSP part (the parallel combination of 
CSP controllers) must be established to be divergence free. This can be done by 
using FDR. Next, it must be established that divergence will never arise from B 
1nachines while working in parallel with different CSP controllers in the system. 
Divergence arises in a B machine when its operations are called outside their 
precondition by the controllers. Thus, the second step in divergence freedom 
verification is to establish that the operations of all machines in the syste1n are 
always called inside their precondition by the controllers during the execution. 
In Chapter 3, we presented a proof strategy in which each controller is separately 
checked for divergence freedom on 1nachines it controls at some point during its 
execution, and then all of these individual checks are combined to an overall di-
vergence freedom result. \¥e also provided a theorem for establishing deadlock 
freedom of mobile cmnbined comn1unicating systems. However, our deadlock free-
dom verification is concerned with divergence free systems in which B machines 
do not contribute to any deadlocking behaviour. In other words, we restricted 
the B 1nachines to pre-conditioned operations. Our theorem states that deadlock 
freedom of the parallel combination of CSP controllers implies deadlock freedom 
of the overall syste1n. 
In Chapter 4, we used om· iVIobile CSP I! B frmnework to specify and verify 
6.2. FUTURE VVORK 175 
an example of a peer-to-peer network. We detailed all steps, from developing a 
Mobile CSP II B model of a flight tickets sale systen1, to verifying its consistency. 
The theorems we proved in Chapter 3 were successfully capable at verifying the 
consistency of our 1nobile combined com1nunicating system. The case study also 
demonstrated the ability of the language to describe CSP controllers interacting 
with nm11erous 111achines at the sa1ne th11e. During the consistency verification 
of our case study, it was revealed that for a relatively small system like our flight 
tickets sale systmn, a lot of logical proofs were required. This n1ight be difficult 
and complicated for people who do not have a good mathematics background. 
Consistency verification of large syste1ns or the systems with 111ore functionalities 
will require many 111ore and con1plex logical proofs. Therefore, we believe that for 
the weakest precondition proof to be applicable on any large scale, tool support 
would be necessary. 
Our 1\tlobile GSP II B fra1nework adopts sh11ilar concepts to the architecture 
proposed in 1f I B. However, 1f I B was limited to systems without inputs 
and outputs and was restricted to a framework to support divergence freed0111 
verification. In 1\tlobile CSP II B, we can deal with specifications that contain 
inputs and outputs and in addition to divergence freedom, we can check for 
deadlock freed0111. These two checks are the verification that should be carried 
out in order to ensure that a Mobile GSP II B specification is consistent. In [54] 
Roscoe introduces a new operator in the CSP+ language (a variant of CSP) which 
brings 1nobility into the systen1 in the way that the right to use particular events 
are transferred from one process to another along special rights channels. As a 
result, the alphabets of the processes change dynamically through the execution. 
Our approach is similar, in that channels can be transferred between processes. 
However, our work is n1otivated by the desire to retain access to the supporting 
CSP and B toolsets, and so we aim to 1ninimise the extension required to enable 
the fonn of mobility we ahn to 111odel. 
The approach taken in 1f I B also allows dyna111ic creation of 1nachines and 
channels, and reconfiguration of the network. In contrast, lV.Iobile GSP II B 
provides a more static network between the controllers. However, developing the 
framework to enable reconfiguration, and dynamic machine and channel creation 
would be an interesting avenue of future research which is discussed in the next 
section. 
6.2 Future Work 
In this section, possible extensions to 1\tiobile GSP II B are discussed. The major-
ity of future work plans listed below are concerned with bringing the description 
of dynamic patterns and more aspects of mobility into the framework. 
176 CHAPTER 6. CONCLUSION AND FUTURE WORK 
6.2.1 Mobile control point channels 
In Iviobile CSP II B, we have introduced mobile channels as the 1nachine refer-
ences which can move around in the system during the execution. One future 
work plan could be to extend the 1nobility in otu· current architecture and to 
include mobile control points instead of the static one in Mobile CSP II B. Our 
cmTent framework is focused on control points as dedicated channels between two 
controllers which pass tnachine references in one direction from one controller to 
another. In other words, a control point is a one way channel fixed between two 
controllers in the system. By letting control points move around in the system, 
they can be used by any two controllers for passing machine references. Therefore, 
fewer control points will be needed in the system which means we can abstract a 
large system to a smaller one with fewer channels. 
Similar to machine references, in this new architecture control points can also be 
passed between controllers in the system. In other words, control point channels 
can be passed as data values through communication channels. The difference is 
that B machines always have one end of their reference channel and the other end 
can be passed between controllers during the syste1n execution. However, both 
ends of a control point must be passed to the two controllers who want to use 
that control point to exchange a machine reference between each other. Also, like 
n1achine references, when a controller passes an end of a control point to another 
controller, it must not be able to use that control point anymore. This ensures 
that at any one tin1e, only two controllers can use a control point to exchange 
machine references between each other. 
As we intend to use CSP tools FDR and ProBE, we should describe the movement 
of control point channels in the systetn in standard CSP. For achieve this, we 
can use the same solution as machine references: introducing a new channel to 
represent the passing 1nachine references through control points. The system can 
be coded for tool analysis into standard CSP by treatiJ:?-g the control points as data 
values rather than as channels, and declaring a new channel CCP (Channel for 
Control Points) which carries control points as the first value, and then machine 
references as further value. This new channel can be introduced in standard CSP 
specification as shown below: 
channel CCP : CP .l11IR 
By using channel CCP, any cp!z and cp?z in the body of the CSP controllers 
will be modelled as CCP.cp!z and CCP.cp?z respectively in the standard CSP 
specification of our system. 
New theorems are needed to be proved and smne new proof strategies will be 
needed for consistency verification of this new architecture. Our consistency ver-
ification strategy presented in Chapter 3 is based on the fact that each control 
6.2. FUTURE Vi'ORK 171 
point has a unique sender and a unique receiver. This enabled us to assign asser-
tions for each control point in the systen1 and to introduce weakest precondition 
definition for traces of a controller. The assertion we assign for a control point 
is based on the receiver and what the receiver is going to do with the machine it 
receives along that control point. As the receiver controller is changed whenever 
. a control point moves around the system, we are not able to assign a unique 
assertion for each control point in the system. Therefore, more thought and jus-
tification are required for establishing the consistency of these kinds of systems. 
6.2.2 Extension for Deadlock freedom verification 
The deadlock freedom verification of our :Niobile GSP II B framework has been fo-
cused on the systems in which the operations of B machines are all pre-conditioned. 
An extension is required for deadlock freedom verification in order to allow B ma-
chines to have guarded operations or to have both pre-conditioned and guarded 
operations. This extension requires new theorems to be proved in order to es-
tablish the deadlock freedom of the whole system. The theorem we proved in 
Chapter 3, is based on the fact that any deadlock in the system can only arise 
from the CSP part of the system. So, if the parallel combination of controllers is 
deadlock free, then the whole systmn is deadlock free. However, this will not be 
the case anymore if B machines contain guarded operations. When the guard of a 
guarded operation is false, the execution of that operation is blocked. A theorem 
must be proved to say that: if at each stage of the system execution, there is at 
least one operation whose guard holds and this operation is one of the operations 
that can happen next in the system, then the whole systen1 is deadlock free. 
6.2.3 New machine creation 
One possible extension for the current architectm·e is that new machines could be 
dynamically created in the system during the execution. Having new machines 
in the syste1n means that new 1nachine references must be dynamically created 
in the system during the execution. 
In 1r I B, a machine generator is introduced which creates machine instances in 
the system. The binding operator v in 1r-calculus is used to create new machine 
references. We might be able to use this idea in our Mobile CSP II B fra1nework 
to create new 1nachine references in the system. 
We can design a special process in Olu· system which generates new machine 
references and gives then1 to the controllers. In other words, this process is a 
1nachine generator which generates new 1nachines during the execution. For each 
controller in the system, we should introduce a control point channel ｢ｾｴｷ･･ｮ＠
178 CHAPTER 6. CONCLUSION AND FUTURE WORK 
this controller and the 1nachine generator. The direction of this control point 
must be from the 1nachine generator to the cont1;oller. In other words, it 1nust be 
an incoming control point for the controller. This control point is then used for 
passing the new 1nachine references from the machine generator to the controller. 
In order to dynamically create new n1achine references in our architecture, we 
can bring the ?T-calculus binding operator v into the syntax of the processes in · 
Niobile CSP II B. This operator enables the machine generator to create a new 
machine reference which can then be used both as a channel and as data which is 
passed through other channels in the system. For instance, a machine generator 
P can be specified as: P = (vz)(cp!z ｾ＠ P). In this case, P creates a machine 
reference z and then it gives z to a controller through control point cp which is 
situated between P and the receiver controller. 
After adding the ?T-calculus binding operator v into our framework, we should 
investigate how to describe machine reference creation in standard CSP. We have 
already achieved a way to describe 1nobile channels in standard CSP specification. 
We 1night be able to find a solution for this new operator as well. Otherwise, 
we will not be able to use CSP tools FDR and ProBE to check the CSP part of 
the systmn which is crucial in establishing the divergence freedmn and deadlock 
freedom of the system as described in Chapter 3. In this situation, a new proof 
strategy must be provided for consistency verification of the syste1n. 
One solution for modelling the creation of new machines in standard CSP could 
be to define a finite set, for instance newMR, in advance whose elements can 
be then used during the execution as new machine references of new created 
lUachines in the system. By introducing this set, we can model the creation of 
new machines. However, we restrict the creation of new machines to a finite 
particular nun1ber of creation which is the number of elements in newMR. The 
machine generator above can be specified in standard CSP as shown below: 
channel create : newMR 
P(S) = create!z ｾ＠ cp!z ｾ＠ P(S- { z}) 
Generator = P ( newlVIR) 
The event create!z represents the creation of a new machine reference in the 
system. As the type of channel create is newMR, new created machine references 
will be always the elements of the set newMR. Also according to the specification 
of P(S), each time when a machine reference is created, it is chosen from one of 
the elements in newMR which has not been already used for any other 1nachines 
created before in the system. 
ｌＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭｾｾＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭ Ｑ＠
Bibliography 
[1] Atelier B. http:/ /www.atelierb.eu/index-en.php, December 2009. [cited at p. 10] 
[2) B-Core. http:/ /www.b-core.com/btoolkit.html, December 2009. (cited at p. 9] 
(3] Circus. http:/ /wvnv.cs.york.ac.uk/circus, December 2009. [cited at p. 167] 
[4) Event-B. http:/ /www.event-b.org, December 2009. (cited at p. 43] 
[5) Formal Systems. http:/ fwww.fsel.com/software.html, December 2009. (cited at p. 14] 
[6] occam-pi. http:/ foccam-pi.org, December 2009. (cited at p. 163] 
[7] ProB. http:/ fwww.stups.uni-duesseldorf.de/ProB/overview.php, December 2009. 
[cited at p. 10, 170] 
[8] The SMV system. http:/ /www-2.cs.cmu.edu/rvmodelcheck/smv.html, December 
2009. [cited at p. 161] 
[9] Spin. http:/ /spinroot.comfspin/whatispin.html, December 2009. (cited at p. 159] 
[10] VDM. http:/ /www.vdmportal.org/twiki/bin/view, December 2009. [cited at p. 6] 
[11] VeriSoft. http:/ fcm.bell-labs.com/who/godfverisoft, December 2009. [cited at p. 161] 
[12) occam 2.1 Reference Manual. Technical report, Inmos Limited, May 1995. 
[cited at p . 163] 
[13) F. R. M. Barnes. Dynamics and Pragmatics for High Performance Concurrency. 
PhD thesis, University of Kent, June 2003. (cited at p. 163] 
[14) F. R. M. Barnes and P. H. Welch. Communicating Mobile Processes. In: Com-
municating Process Architectures 2004, 2004, Oxford Brooks University, Oxford. 
(cited at p. 163] 
[15] P. Behm, P. Benoit, A. Faivre, and J-M. Meynadier. Meteor: A Successful Applica-
tion of Bin a Large Project. Proceedings of the Wold Congress on Formallvfethods 
in the Development of Computing Systems, pages 369-387, 1999. Springer-Verlag. 
(cited at p. 7] 
179 
180 BIBLIOGRAPHY 
[16] B. Buth, M. Kouvaras, J. Peleska, and H. Shi. Deadlock analysis for a fault-tolerant 
system. Proceedings of the 6th International Conference on Algebraic Methodology 
and Software Technology {AMAST}, pages 60-75, 1997. [cited at p. 14] 
(17] B. Buth, J. Peleska, and H. Shi. Combining methods for the livelock analysis of a 
fault-tolerant system. Proceedings of the 7th International Conference on Algebraic 
Methodology and Software Technology {AMAST}, pages 124-139, 1999. [cited at p. 14) 
[18) l\11. Butler. csp2B: A Practical Approach to Combining CSP and B. Formal Aspects 
of Computing, pages 182-196, 2000. (cited at p. 169] 
[19] ·M. Butler and :r-.11. Leuschel. Combining CSP and B for Specification and Property 
Verification. In Proceedings of Formal Methods 2005, 2005. [cited at p. 170] 
(20] K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-
Wesley, 1988. [cited at p. 162] 
[21] Z. Chen. Java Card Technology for Smart Cards: Architecture and Programmer's 
Guide. Addison-Wesley, 2000. (cited at p . 7) 
[22] S. Colin, A. Lanoix, 0. Kouchnarenko, and J. Souquieres. Towards Validating 
a Platoon of Cristal Vehicles Using CSPIIB. Proceedings of the 12th international 
conference on Algebraic Methodology and Software Technology, pages 139-144, 2008. 
Springer-Verlag. (cited at p. 19] 
[23] D. Deharbe, B. E. G. Gomes, and A. M. Moreira. BSmart: A Tool for the De-
velopment of Java Card Applications with the B Method. Proceedings of the 1st 
international conference on Abstract State lvfachines, Band Z, pages 351-352, 2008. 
Springer-Verlag. (cited at p. 7) 
[24] E. W. Dijkstra. Gua1·ded commands, nondete1·minacy and formal derivation of 
programs. Communications of the ACM 18, New York, USA, 1975, 453-457. 
(cited at p. 159] 
[25] E. W. Dijkstra. A Discipline of Programming. Prentice-Hall, Englewood Cliffs, 
1976. [cited at p. 46] 
[26] A. Evans. Specifying & verifying concurrent systems using Z. In Proceedings of 
FME'94: Industrial Benefit of Formal Methods. pages 366-400. Springer-Verlag, 
1994. [cited at p. 164] 
[27] N. Evans, H. TI.-eharne, and S. Schneider. Investigating a file transmission proto-
col using CSP and B. ·workshop on State-oriented vs Event-oriented Thinking for 
Requirements Analysis, 2003. [cited at p. 19) 
[28] C. Fencott. Formal methods for concurrency. International Thomson Computer 
Press, 1996. [cited at p. 6] 
(29] C. Fischer. CSP-OZ: A combination of Object-Z and CSP. In H. Bowmann and 
J. Derrick, editors, Formal Methods for Open Object-Based Distributed Systems 
(FMOODS'97). pages 423-438. Chapman & Hall, 1997. [cited at p. 165) 
. -·· -· ------·-------- --------. 
181 
[30] A. F. Freitas and A. L. C. Cavalcanti. Automatic Translation from Circus to Java. In 
J. Misra, T. Nipkow, and E. Sekerinski, editors, FM2006: Formal Methods, volume 
4085 of Lecture Notes in Computer Science. pages 115-130. Springer-Verlag, 2006. 
(cited at p. 167] 
[31) A. J. Galloway and W. J. Stoddart. An operational semantics for ZCCS. In 
M. Hinchey and Shaoying Liu, editors, Int. Conf. of Formal Engineering Methods 
(ICFEM). IEEE, 1997. [cited at p. 164] 
[32] P. Godefroid. VeriSoft: A Tool for the Automatic Analysis of Concurrent Reac-
tive Software. Proceedings of the 9th Conference on Computer Aided Verification, 
Haifa, June 1997. Lecture Notes in Computer Science, volume 1254, pages 476-479, 
Springer-Verlag. (cited at p. 161] 
[33] P. Godefroid. Model-Checking Software with VeriSoft. PASTE 2004, June 2004. 
(cited at p. 161] 
[34] P. Godefroid. Model Checking for Programming Languages using VeriSoft. Proceed-
ings of the 24th AGM Symposium on Principles of Programming Languages, pages 
174-186, Paris, January 1997. [cited at p. 161] 
[35) The RAISE Language Group. The RAISE Specification Language. BCS Practitioner 
Series. Prentice-Hall, 1992. (cited at p. 7) 
[36) C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985. 
[cited at p. 6, 167] 
(37] C. A. R. Hoare and H. Jifeng. Unifying Theories of Programming. Prentice-Hall, 
1998. [cited at p. 168) 
[38) C. B. Jones. Systematic Software Development Using VDlv.I. Prentice Hall, 2nd 
edition, 1990. (cited at p. 6] 
[39] M. B. Josephs. A state-based approach to communicating processes. Distributed 
Gomp'uting, volume 3, pages 9-18, 1988. (cited at p . 166] 
[40] D. Karkinsky, S. Schneider, and H. Treharne. Combining mobility with state. 
IFM'07: Integrating Formal Methods, LNCS 4591, Springer, 2007. [cited at p. 168, 
169] 
(41] K. Lano and H. Haughton. Specification in B: an introduction using the B toolkit. 
Imperial College Press, 1996. [cited at p. 6] 
[42] lVI. Leuschel and M. Butler. ProB: A Model Checker for B. In Proceedings of Formal 
lv.I ethods Europe 2003, 2003. [cited at p . 10, 170] 
(43] M. Leuschel and M. Butler. ProB: An Automated Analysis Toolset for the 
B Method. Technical Report, Electronics and Computer Science, University of 
Southampton, 2006. [cited at p. 10, 170] 
(44) G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using 
FDR. Proceedings of the Second International Workshop on Tools and Algorithms for 
the Construction and Analysis of Systems (TACAS), pages 147-166, 1996. Springer-
Verlag. (cited at p . 14] 
182 BIBLIOGRAPHY 
[45] N. A. Lynch and M. R. Thttle. An Introduction to Input/Output Automata. lvfas-
sachusetts Instit·ute of Technology, Cambridge, Mass, November 1988. (cited at p . 7] 
[46] A. Mazurkiewicz. Basic Notions of Trace Theory. In de Bakker, de Roever, and 
Rozenberg, editors, Linear Time, Branching Time and Partial Orders in Logics 
and Models for Concurrency, volume 354. pages 285-363. Springer-Verlag, 1988. 
[cited at p. 7) 
[47] P. J. McCann and G. C. Roman. Mobile UNITY: A language and logic for concurrent 
mobile systems. Technical Report WUCS-97-01, Department of Comp·uter Science, 
Washington University in St. Louis, 1996. [cited at p. 162] 
[48] C. A. Middelburg. Logic and Specification: Extending VDlvf-SL for advanced formal 
specification. Chapman & Hall, 1993. [cited at p. 6] 
[49] R. Milner. Communication and Concurrency. Prentice Hall International (UK) Ltd, 
1989. [cited at p. 6) 
[50] C. C. Morgan. Of wp and CSP. In W. H. J. Feijen, A . J. lvf. van Gasteren, D. 
Gries, and J. Misra, editors, Beauty is our business: a birthday salute to Edsger W. 
Dijkstra. Springer- Verlag, 1990. [cited at p. t16, 47, 64, 169) 
[51] M. Nielsen, G. Plotkin, and G. Winskel. Petri Nets, Event Structures and Domains, 
part 1. Theoretical Computer Science, 13:85-108, 1981. [cited at p. 7) 
[52] B. Potter, J. Sinclair, and D. Till. An introduction to formal specification and Z. 
Prentice Hall, 2nd edition, 1996. [cited at p. 6} 
[53] F. D. Rolland. Programming with VDlvi. The Macmillan Press LTD, 1992. 
[cited at p . 6] 
[54] A.VV. Roscoe. On the expressiveness of CSP. 2008. Draft of October 23, 2008. 
[cited at p . 175] 
[55] D. Sangiorgi and D. Walker. The 1r-Calculus: A Theory of Mobile Processes. Cam-
bridge University Press, 2001. [cited at p. 6) 
[56] S. Schneider. Concurrent and Real-time Systems: the CSP approach. John \i\Tiley 
& Sons, Ltd, 2000. [cited at p. 6] 
[57] S. Schneider. The B-lvfethod: An Introduction. Palgrave Macmillan, 2001. 
[cited at p. 6, 113] 
[58] S. Schneider and H. Treharne. VeT'ifying Controlled Components. IFM'04: Inte-
grating Formal Methods, LNCS 2999, Springer-Verlag, 2004. [cited at p . 17, 18, 29, 
32} 
(59] M. W. Shields. Semantics of Parallelism. Springer-Verlag, London, 1997. 
[cited at p. 7) 
(60] lVI. W. Shields. Adequate Path Expressions. In Proceedings of Semantics for Concur-
rent Computation, volume 70 of Lecture Notes in Computer Science, pages 249-265, 
Springer-Verlag, 1979. [cited at p. 7) 
183 
(61] M. W. Shields and D. Pitt. Component-Based Systems I: Theory of a Single Compo-
nent. Technical Report SCOJVIP-TC-01-01, Department of Computing, University 
of Surrey, 2001. [cited at p. 7] 
(62] G. Smith. The Object-Z Specification Language. Advances in Formal Methods. 
Kluwer Academic Publishers, 2000. (cited at p. 6] 
[63] G. Smith. Extending W for Object-Z. In J. Bowen and 1\!I. Hinchey edito1·s, 9th 
International Conference of Z Users (ZUJ\!!'95}, Lecture Notes in Computer Science, 
volume 967, pages 276-295, Springer-Verlag, 1995. [cited at p. 167) 
[64] G. Smith and J. Derrick. Specification, Refinement and Verification of Concurrent 
Systems- An Integration of Object-Z and CSP. Formal :Methods in Systems Design, 
volume 18, pages 249-284, May 2001. (cited at p. 166, 167) 
[65] J. M. Spivey. The Z notation : a reference manual. Prentice Hall, 2nd edition, 1992. 
(cited at p. 6) 
[66) K. Taguchi, J. S. Dong, and G. Ciobanu. Relating 1r-calculus to Object-Z. In IEEE 
International Conference on Engineering Complex Computer Systems {ICECCS'04). 
IEEE Press, 2004. (cited at p. 164] 
(67] X. Tang. Mobile Processes in Unifying Theories. Technical Report. Computing 
Laboratory, University of J( ent, CanterbunJ, J( ent, UK, January 2004. (cited at p . 168) 
[68] H. Treharne and S. Schneider. How to drive a B Machine. ZB2000: 2nd International 
conference of Z and B Users, LNCS 1878, Springer-Verlag, 2000. (cited at p. 18, 19, 41) 
(69] H. Treharne and S. Schneider. Communicating B machines. ZB2002: International 
conference of Z and B Users, LNCS 2272, Springer-Verlag, 2002. (cited at p. 18] 
[70] H. Treharne and S. Schneider. Using a Process Algebra to control B OPERATIONS. 
In K. Araki, A. Galloway and K. Taguchi, editors, IFIVI'99: Integrated Formal 
Methods, Springer-Verlag, 1999. [cited at p . 15, 17, 40) 
[71] E. Turner, H. 'I\·eharne, S. Schneider, and N. Evans. Automatic Generation of CSP II 
B Skeletons from xUML Models. Proceedings of the 5th international colloq'uium on 
Theoretical Aspects of Computing, Istanbul, Turkey, pages 364-379, 2008. Springer-
Verlag. [cited at p. 20] 
[72] B. Vajar, S. Schneider, and H. Treharne. Mobile CSPjjB. In Liam O'Reilly and 
IVIarkus Roggenbach, editors, Ninth International Workshop on Automated Veri-
fication of Critical Systems {AVoCS'09}, Technical Report of Computer Science 
CSR-2-2009. Swansea University, Wales, UK, 2009. [cited at p. 121] 
[73] J. B. Wordsworth. Software Engineering with B. Addison Wesley Longman Limited, 
1996. [cited at p. 6) 
Appendices 
185 
Appendix A 
AM N ｳｰ･ｾｩｦｩ｣｡ｴｩｯｮ＠ of a flight 
machine 
1\!IA CHINE Flight 
SETS RESPONSE= {Full, Empty, Available, YES, NO, Incorrectinput} 
CONSTANTS PasspoTt, seats 
PROPERTIES PasspoTt <: NAT1 & 
seats: NAT1 
VARIABLES custome1·, sold 
INVARIANT customeT <: PasspoTt 
sold: NAT 
INITIALISATION customeT : = {} 
sold:= 0 
OPERATIONS 
Tesponse < - - sell (pp) = 
PRE 
pp : Passport & 
sold / = seats 
THEN 
IF pp : Passport - customer 
THEN 
customer := customer\/ {pp} II 
sold:= sold+ 1 II 
187 
& 
II 
188 APPENDIX A. AlVIN SPECIFICATION OF A FLIGHT lVIACHINE 
IF sold + 1 = seats 
THEN response := Pull 
ELSE response :=Available 
END 
ELSE response := Incorrectlnput 
END 
END; 
response < - - cancel (pp) = 
PRE 
pp: Passport & 
sold/= 0 
THEN 
IF pp : customer 
THEN 
customer := customer - {pp} II 
sold:= sold- 1 II 
IF sold -1 = 0 
THEN response := Empty 
ELSE response := Available 
END 
ELSE response := Incorrectinput 
END 
END; 
response < - - empty = 
BEGIN 
IF sold= 0 
THEN response:= YES 
ELSE response := NO 
END 
END; 
response < - - full = 
BEGIN 
IF sold = seats 
THEN response:= YES 
ELSE response := NO 
END 
END 
END 
Appendix B 
CSP specification of Flight 
tickets sale system 
datatype Flights = fiightl I fiight2 
datatype RESPONSE= Full I Empty I Available I YES I NO I Incorrectlnput 
datatype Operations = sell.Passport.RESPONSE I cancel.Passport.RESPONSE I 
empty. RESPONSE I full.RESPONSE 
data type J\I[R = mr 1 I mr2 
Agencies= {1, 2} 
Passport= {1, 2, 3} 
ref (fiightl) ｾ＠ mr 1 
ref (fiight2) = mr2 
refinv(mrl) = fiightl 
refinv(mr2) = fiight2 
channel MC : MR. Operations 
channel cp: Agencies.Agencies.MR 
channel dp : Agencies .MR 
channel ep : Agencies.l\IIR 
channel customerToBuy: Agencies.Flights.Passport 
channel customerToCancel: Flights.Passport 
channel request : Agencies. Agencies. Flights 
channel sorry : Agencies .Agencies 
189 
190 APPENDIX B. CSP SPECIFICATION OF FLIGHT TICKETS SALE SYSTElvl 
channel ask : Agencies .Flights 
channel require : Agencies.Flights 
channel notH avelt : Agencies 
channel fulllvl a chine : Agencies 
channel emptylvlachine : Agencies 
channel MachinelsFUll : Agencies .Agencies 
SellAgency(i, S) = Pl(i, S) 
Pl(i, S) = customerToBuy.i?fiight?pn- > (if member(ref(flight), S) 
then P2(i,S,flight,pn) 
else P3(i, S,jlight, pn)) 
0 
request?j!i?flight- >(if member(ref(flight), S) 
then P4(i, S,j,jlight) 
else (sorry.i.j- > Pl(i, S))) 
[] 
ask. i? flight - > (if ｭ･ｭ｢･Ｑｾ＠ (ref (flight), S) 
then P5(i, S,fiight) 
else (notHave!t.i- > Pl(i, S))) 
[] 
dp.i?z- > Pl(i, union(S, {z})) 
P2( i, S, flight, pn) = MC.?·ef(flight).sell!pn?resp - > if resp == FUll 
then· P6(i, S,flight) 
else Pl( i, S) 
191 
P3(i,S,fiight,pn) = (request.i?j!fiight- > 
[] 
(( cp.j .i?w - > P2( i, union(S, { w} ), refinv( w), pn)) 
[] 
(sorry.j.i- > P3(i, S,fiight,pn)) 
[] 
(ll!fachinelsFull.j .i - > P1( i, S)))) 
(require. i .flight - > 
[] 
(( dp.i?w - > P2( i, union(S, { w} ), refinv( w), pn)) 
[] 
(notHavelt.i - > P3(i, S,fiight,pn)) 
(] 
(fulll\fachine.i - > Pl(i, S)))) 
(request?j!i?f - > 
[] 
(if member( ref(!), S) 
then cp.i.j!ref(f)- > P3( i, diff(S, {ref(!)} ),flight, pn) 
else (sorry.i.j- > P3(i,S,flight,pn)))) 
(ask .i?f- >(if member(ref(f),S) 
then PlO( i, S, flight, pn, f) 
else (notHaveit.i - > P3(i, S,flight, pn)))) 
[J 
(dp.i?w ->if w == ref(flight) 
then P2( i, union(S, { w} ), flight, pn) 
else P3( i, union(S, { w} ),flight, pn)) 
P4( i, S ,j, flight) = cp.i.j!ref(flight) - > Pl( i, diff(S, { ref(flight)})) 
P5(i, S,flight) = !YIC.ref(fiight).empty?resp- > 
if resp == YES 
then (emptyll!fachine.i - > P1(i, S)) 
else (ep.i!ref(flight)- > Pl(i, diff(S, {ref(flight)}))) 
192 APPENDIX B. CSP SPECIFICATION OF FLIGHT TICKETS SALE SYSTEivi 
P6(i, S,fiight) = (ep.i!ref(fiight)- > Pl(i, diff(S, {?·ef(fiight)}))) 
[] 
(request?j!i?f ->if ref(!)== ref(fiight) 
[] 
then (lvfachinelsFull.i.j- > P6(i, S,fiight)) 
else P7(i, S,fiight,j,f)) 
(ask.i?f - > 
[] 
if ref (f) == ref (flight) 
then (ep.i!ref(fiight)- > Pl(i, diff(S, {ref(fiight)}))) 
else P8( i, S, flight, f)) 
(dp.i?w- > P6(i, union(S, {w}),fiight)) 
P7(i, S,fiight,j,f) =if member( ref(!), S) 
then (cp.i.j!ref(f) - > P6(i, diff(S, {Tef(f)}),fiight)) 
else (soTry.i.j - > P6(i, S,flight)) 
P8(i, S,fiight,J) =if membeT(ref(f), S) 
then P9(i, S,flightJ) 
else (notHavelt.i - > P6(i, S,flight)) 
P9(i, S,flightJ) = MC.?·ef(f).empty?resp - > 
if resp == YES 
then (emptyMachine.i- > P6(i,S,flight)) 
else (ep.i!ref(f) - > P6(i, diff(S, {ref(!)} ),flight)) 
PlO(i, S,fiight,pn,f) = MC.ref(f).empty?Tesp- > 
if resp == YES 
then ( emptyMachine.i - > P3(j, S,fiight, pn)) 
else (ep.i!ref(f)- > P3(i, diff(S, {ref(f)}),flight,pn)) 
ReturnOffice(S) = Rl(S) 
Rl(S) = custome?·ToCancel?fiight?pn- >(if membe?'(ref(ftight), S) 
then R2(S,flight, pn) 
else R3(S,flight,pn)) 
[] 
require? j? flight - > (if member (ref (flight), S) 
then R5(S,flight,j) 
else (notHavelt.j - > Rl(S))) 
0 
ep?j?z- > Rl(union(S, {z})) 
R2 ( S, flight, pn) = lvl C. ref (flight). cancel! pn? resp - > if resp == Empty 
then R4(S,flight) 
else Rl(S) 
193 
R3 ( S, flight, pn) = ask? j !flight - > ( ep .j? w - > R2 (union ( S, { w}), refin v ( w), pn) 
[] 
notHavelt.j - > R3(S,flight, pn) 
0 
emptyNJachine.j - > Rl(S)) 
0 
require?j?f - > (if membe1·(ref(f), S) 
then RlO(S,ftight,pn,j,j) 
else (notHavelt.j - > R3(S,flight, pn))) 
0 
ep?j?w - > if w == ?'ef(ftight) 
then R2( union(S, { w} ), refinv( w), pn) 
else R3(union(S, {w}),ftight,pn) 
194 APPENDIX B. CSP SPECIFICATION OF FLIGHT TICKETS SALE SYSTEl\!I 
R4(S,flight) = dp?j!ref(flight) - > Rl(diff(S, {ref(flight)})) 
[] 
1·equire?j?f ->(if ref(!)== ref(flight) 
[] 
then dp .j! ref (flight) - > Rl ( diff ( S, {ref (flight)})) 
else R8( S, flight, j, f)) 
ep?j?w- > R4(union(S,{w}),flight) 
R5(S,flight,j) = MC.ref(flight).full?resp - > if resp == YES 
then R6(S, j) 
else R7(S,flight,j) 
R6(S,j) = fullMachine.j - > Rl(S) 
R7 ( S, flight, j) = dp .j !?·ef (flight) - > Rl ( diff ( S, {ref (flight)})) 
R8(S,flight,j,f) =if member( ref(!), S) 
then R9(S, flight, j, f) 
else (notHavelt.j - > R4(S,flight)) 
R9(S,flight,j,j) = NIC.ref(f).full?resp- > 
if resp == YES 
then fullMachine.j - > R4(S,flight) 
else dp.j!ref(f) - > R4(diff(S, {ref(!)} ),flight) 
R10(S,flight,pn,j,f) = NIC.ref(f).full?resp- > 
if resp == YES 
then fulllYiachine.j - > R3(S,flight, pn) 
else dp.j!ref(f) - > R3(diff(S, {ref(f)}),flight,pn) 
A(i) ={I custome1·ToBuy.i, request.i, request.j.i, sorry.i, sorry.j.i, 
MachinelsFull.i.j, ask.i, require.i, notHaveit.i, dp.i, MC.z.sell, ep.i, 
cp.i, cp.j.i,fulllviachine.i, MC.z.empty, emptyMachine.i 
I j : {1..2}, z : !viR I} 
B = {I customerToCancel, ask, require, notHavelt, ep, NlC.z.cancel, 
emptyMachine, dp, MC.z.full,fulllviachine I z: !viR I} 
195 
ContToller = ReturnOffice({}) [B II union(A(l),A(2))] (SellAgency(l,{mrl}) 
[I {I request, sorry, MachinelsFull, cp I} I] SellAgency(2, {mr2})) 
Appendix C 
wp proofs of Flight tickets sale 
syste111 
+ P1(i, S) 
PI ( i, S) = 1 0 2 0 3 0 4 
trans(PI(i, S)) = CHOICE trans(1) OR trans(2) OR trans(3) 
OR t?·ans(4) END 
[trans(PI(i, S))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLip.J) = 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpx)) 1\ 
[trans(2)](Vl ｾ＠ x ｾ＠ 10 • (rec = Px => CL!px)) 1\ 
(tTans(3)](Vl ｾ＠ x ｾ＠ 10 • (1·ec = Px => CLlpx)) 1\ 
[trans(4)](Vl ｾ＠ x ｾ＠ 10 • (rec = Px => CLipx)) 
1 = customeTToBuy.i?flight?pn ｾ＠ if Tef(flight) E S 
then P2(i, S,flight,pn) 
else P3 ( i, S, flight, pn) 
197 
198 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTEM 
trans(1) = 
PRE i E Agencies THEN 
END 
ANY flight, pn VI/HERE flight : Flights 1\ pn : Passpo7't THEN 
IF ref(flight) E S 
END 
THEN rec := P2(i, S,flight,pn) 
ELSE rec := P3(i, S,flight, pn) 
END 
[ 
IF ref (flight) E S l 
THEN rec := P2(i,S,flight,pn) (\1 1 ｾ＠ x ｾ＠ 10 • (rec = Px =>CLip))= 
ELSE rec := P3(i,S,flight,pn) x 
END 
( 
ｾ･ｦＨｪｬｴｧｨｴＩ＠ E 8 A CLlp2(i,S,J!ight,pn) ) = 
Ｑ･ｪＨｦｬｾｧｨｴＩ＠ f/. S 1\ CLip3 (i,S,ftight,pn) 
CLip1 (i,S) 1\ flight E Flights 1\ ref(flight) E MR 1\ pn E Passport 
[trans(1)](\fl ｾ＠ x ｾ＠ 10 • (1·ec = Px => CLipx)) = 
i : Agencies 1\ 
\1 flight, pn • (flight : Flights 1\ pn : Passport=> 
CLip1 (i,S) 1\ flight E Flights 1\ ref(flight) E MR 1\ pn E Passport) 
The result above shows that: 
( rec = P1 ( i, S) 1\ CLip1 (i,s)) => 
[trans(l)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLipx)) 
..( 
2 = request?j!i?flight --+ if ref(flight) E S 
then P4(i, S,j,fiight) 
else (sorry.i.j--+ P1(i, S)) 
trans(2) = 
PRE i E Agencies THEN 
END 
ANY j, flight WHERE j E Agencies 1\ flight E Flights THEN 
IF Tej(flight) E S 
END 
THEN Tee:= P4(i, S,j,fiight) 
ELSE trans (sorry. i .j ｾ＠ P1 ( i, S)) 
END 
trans(sor'ry.i.j ｾ＠ P1(i, S)) =PRE i E Agencies 1\ j E Agencies 
THEN skip 
END; rec := P1(i, S) 
[tTans(soTry.i.j --4 P1(i,S))](\il ｾ＠ x ｾ＠ 10 • (rec = Px => CLip:c )) = 
i E Agencies 1\ j E Agencies 1\ CLip1 (i,s) 
[ 
IF ref(fiight) E S l 
THEN rec := P4(i,S,j,jlight) (\7' 1 ｾ＠ x ｾ＠ lO • (rec = Px =>CLip)) 
ELSE trans(sorry.i.j ｾ＠ P1 (i, S)) x 
END 
( 
ref(flight) E S 1\ CLip4 (i,S,j,ftight) ) 
:ef(ftight) ｾ＠ S 1\ i E Agencies 1\ j E Agencies 1\ CLlp1 (i,s) 
= j E Agencies 1\ CLip1 (i,s) 
[trans(2)](\il ｾ＠ x ｾ＠ 10 • (Tee= Px => CLipx)) = 
i E Agencies 1\ V j, flight • (j E Agencies 1\ flight E Flights => 
j E Agencies 1\ CLip1 (i,s)) 
The result above shows that: 
(rec = P1(i, S) 1\ CLip1(i,S)) => 
[trans(2)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLip:c )) 
./ 
.. ---- ＭＭＭＭＭＭＭＭＭＭＭＭＭＭＭｾ＠
199 
200 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
3 = ask. i? flight -t if ref (flight) E S 
then P5(i, S,flight) 
else (notHaveit.i -t P1(i, S)) 
trans(3) = 
PRE i E Agencies THEN 
ANY flight WHERE flight E Flights '!HEN 
IF ref (flight) E S 
END 
END 
THEN rec := P5(i, S,flight) 
ELSE trans(notHaveit.i -t P1 (i, S)) 
END 
trans(notHaveit.i -t P1(i, S)) = 
PRE i E Agencies THENskip Ef'!D; rec := P1(i, S) 
[trans(notHaveit.i -t P1(i, S))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLlp3J) 
= CLlp1 (i,S) 
[ 
IF ref (flight) E S l 
THEN rec := P5(i,S,flight) (V 1 ｾ＠ x ｾ＠ 10 • (rec = Px =>CLip,)) 
ELSE trans( notHaveit. i -t P1 ( i, S)) .v 
END 
( 
V
ref(flight) E S 1\ CLip5 (i,S,ftight) ) 
= CLipi(i,S) 
ref(flight) tfi S 1\ CLlp1(i,S) 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLip3J) = 
i E Agencies 1\ V flight • (flight E Flights =? CLlp1 (i,S)) 
The result above shows that: 
(rec = P1(i, S) 1\ CLlp1 (i,s)) => 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLipx)) 
.( 
4 = dp.i?z ｾ＠ P1(i,S U {z}) 
trans(4) = 
ANY z WHERE z E A;JR THEN 
SELECT z.sold =/= z.seats 
THEN rec := P1 (i, S U {z}) 
END 
END 
[trans(4)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLipx)) = 
V z • (z E MR =? (z.sold =/= z.seats =? CLip1 (i,SU{z}))) 
The result above shows that: 
( rec = P1 ( i, S) 1\ CLip1 (i,s)) =? 
[trans(4)]('V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLipx)) 
./ 
The results above show that: 
( rec = P1 ( i, S) 1\ ｃｾｉ＠ p 1 ( i,S)) =? 
[trans(P1(i, S))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =? ｃｌｩｰｾｊＩ＠
+ P2(i, S,fiight, pn) 
trans(P2(i,S,jlight,pn)) = resp ｾ＠ ref(fiight).sell(pn); 
IF resp = F'ull 
THEN rec := P5(i, S,fiight) 
ELSE rec := P1(i, S) 
END 
[ 
IF resp = Full l 
THEN rec := PG(i,S,fiight) (V 1 ｾ＠ ｾ＠ lO • ( = p CLI )) = ELSE rec := P1 (i, S) ｾ＠ x ｾ＠ rec x =? Px 
END 
201 
202 APPENDIX C. TVP PROOFS OF FLIGHT TICKETS SALE SYSTEl\tJ 
( 
:esp = Pull 1\ CLip6 (i,S,fiight} ) 
resp -=f Full 1\ CLip1 (i,S) 
[trans(P2(i, S,fiight, pn)))(VI ｾ＠ x ｾ＠ IO • (rec = Px => ｃｌｩｰｾ［ＩＩ］＠
( 
resp = Full 1\ CLip6 (i,S,fiight) ) 
[resp f-- ref(fiight).sell(pn)] V = 
resp 1=- Pull 1\ CLip1 (i,S) 
pn E Passport 1\ ref(fiight).sold 1=- ref(fiight).seats 1\ 
IF pn E Passport- customer THEN 
customer := ｣ｵｳｴｯｭ･＿ｾ＠ U {pn} II 
ref(fiight).sold := ref(fiight).sold +Ill 
IF ref(fiight).sold +I= ref(fiight).seats 
THEN resp :=Pull 
ELSE resp :=Available 
END 
ELSE resp := Incorrectlnput 
END 
( 
:esp = Full 1\ CLip6 (i,S,fiight} ) 
resp 1=- Full 1\ CLip1 (i,S) 
A= 
customer := customer U {pn} II 
ref(fiight).sold := ref(fiight).sold +Ill 
IF ref(fiight).sold +I= ref(fiight).seats 
THEN resp := Pull 
ELSE resp :=Available 
END 
( 
:esp =Full 1\ CLip6 (i,S,fiight) ) 
resp -=f Full 1\ CLip1 (i,S) 
= 
ref(fiight).sold + 1 = ref(fiight).seats 1\ i E Agencies 1\ S ｾ＠ MR 1\ 
Vk E (S- {ref(fiight)}) • k.sold f. k.seats 1\ ref(ftight) E S 
v 
Tej(ftight).sold + 1 f. ref(fiight).seats 1\ i : Agencies 1\ S ｾ＠ MR 1\ 
V k E S • k.sold =/=- k.seats 
IF pn E PasspoTt - customer THEN 
customeT := customer U {pn} II 
ref(fiight).sold := ref(fiight).sold + 1 II 
IF ref(fiight).sold + 1 = ref(ftight).seats 
THEN resp := Pull 
ELSE resp := Available 
END 
ELSE resp := Incorrectlnput 
END 
( 
:esp = Pull 1\ CLlp6 (i,S,flight) ) 
resp f. Pull 1\ CLlp1 (i,S) 
= 
( 
pn E Passport- customer 1\ A ) 
ｾｮ＠ ¢'Passport- customer A CLlp1(i,S) 
CLJp2(i,S,flight,pn) => 
( i E Agencies 1\ S ｾ＠ fJliR 1\ V k E (S- { ref(fiight)}) • k.sold =/=- k.seats 
1\ ref (flight) E S) 
CLlp2(i,S,flight,pn) => i : Agencies 1\ S ｾ＠ MR 1\ V k E S • k.sold f. k.seats 
( 
?'ef(fiight).sold + 1 = Tef(fiight).seats ) 
CLlp2(i,S,flight,pn) * V 
Tej(fiight).sold + 1 =/=- ref(fiight).seats) 
CLip2(i,S,fiight,pn) => A -
203 
204 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
CLip2(i,S,flight,pn) => CL!p1(i,S) 
CLip2(i,S,flight,pn) => (pn E Passport- customer V pn rJ. Passport- customer) 
The results above show that: 
( 
pn E PasspoTt - customer 1\ A ) 
CLIP2(i,S,jlight,pn) => V 
pn rJ. Passpo?'t- customer 1\ CLip1(i,S) 
CLip2(i,S,flight,pn) => (pn E Passport 1\ ref(fiight).sold i= Tef(fiight) .seats) 
The results above show that: 
(rec = P2(i, S,fiight, pn) 1\ CLip2(i,S,flight,pn)) => 
[trans(P2(i, S,fiight, pn))](\f 1 ｾｘｾ＠ 10 • (rec = Px => CLipx)) 
+ Ps(i, S,fiight,pn) 
P3(i, S,fiight,pn) = 1 D 2 D 3D 4 D 5 
tTans(P3( i, S, flight, pn)) = 
CHOICE trans(!) OR trans(2) OR trans(3) OR trans(4) OR trans(5) END 
[tTans(P3(i, S,fiight, pn))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CLip:c)) = 
[trans(1)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLipx)) 1\ 
· [trans(2)](\fl ｾ＠ x ｾ＠ 10 • (rec = Px =? CLipJ) 1\ 
[t7'ans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLipx)) 1\ 
[trans(4)](\fl ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLipx)) 1\ 
[trans(5)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px => ｃｌｩｰ Ｌｾ ＩＩ＠
1 = request.i?j!fiight-+ A 
t?·ans(1) = 
PRE i E Agencies 1\ flight E Flights THEN 
ANY j WHERE j E Agencies 
THEN trans(A) 
END 
END 
A= A.1 o A.2 o A.3 
trans(A) = CHOICE trans(A .1) OR trans(A .2) OR trans(A.3) OR END 
[trans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} ｃｌｬｰｾｲｊＩ＠ = 
[trans(A.1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLip:n )) 1\ 
[trans(A.2))('v'l ｾ＠ x ｾ＠ 10 • (rec = Px => ｇｌｩｰ ｾ ｊＩ＠ 1\ 
[trans(A.3)]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLipx)) 
A.1 = cp.j.i?w-+ P2 (i,SU{w},ref- 1 (w),pn) 
trans(A.1) = 
ANY w WHERE w E ltlfR THEN 
SELECT w.sold =/= w.seats 
END 
THEN rec := P2 (i, S U { w }, ref-1 ( w), pn) 
END 
[trans(A.1)]('v' 1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLipx)) = 
'v'w • (wE !viR=> (w.sold =/= w.seats =} CLip2 (i,Su{w} ,reJ-l(w),pn))) 
A.2 = sorry.j.i-+ P3(i,S,fi,ight,pn) 
trans(A.2) = 
205 
PRE j E Agencies 1\ i E Agencies THEN skip END; rec := P3(i,S,fi,ight,pn) 
[t7·ans(A.2))(V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLipx)) = 
j E Agencies 1\ GLip3 (i,S ,fiight,pn) 
206 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElVI 
A.3 = MachinelsPull.j.i ---t P1(i, S) 
trans(A.3) = 
PRE j E Agencies 1\ i E Agencies THEN skip END; Tee := P1 ( i, S) 
[trans(A.3)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!pJ) = j E Agencies 1\ CL1p1 (i,S) 
[tTans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CL!p:.J) = 
j E Agencies 1\ CL1p3 (i,S,fiight,pn) 1\ 
V W • ( w E MR ==> ( w.sold f=. w.seats ==> CL1p2 (i,SU{w},rej-l(w),pn))) 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px ==>CLip:,;)) 
i E Agencies 1\ flight E Flights 1\ 
Vj • (j E Agencies=} [trans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px))) 
i E Agencies 1\ flight E Flights 1\ 
V j • (j E Agencies => 
j E Agencies 1\ CL1p3 (i,S,fiight,pn) 1\ 
Vw • (wE MR ==> (w.sold f=. w.seats ==> CL1p2 (i,SU{w},rej-l(w),pn)))) 
The result above shows that: 
(Tee= P3(i, S,flight,pn) 1\ CL1p3 (i,S,fiight,pn)) => 
[trans(1)](Vl ｾ＠ x ｾ＠ 10 • (Tee= Px =} CL!px)) 
.( 
2 = require. i.flight ---t B 
trans(2) =PRE i E Agencies 1\ flight E Flights THEN skip END; trans(B) 
B=B.1DB.2DB.3 
trans(B) =CHOICE trans(B.1) OR tTans(B.2) OR trans(B.3) END 
[t?·ans(B)](\11:::;;; x:::;;; 10 • (rec = Px => CLlp,r;)) = 
[trans(B.1)](\11:::;;; x:::;;; 10 • (rec = Px => CLlpx)) 1\ 
[trans(B.2)](\11 :::;;; x:::;;; 10 • (rec = Px => CLlpx)) 1\ 
[trans(B.3)](V1:::;;; x:::;;; 10 • (rec = Px => CLlpx)) 
B.l = dp.i?w ｾ＠ P2(i,SU{w},rej-1(w),pn) 
t?·ans(B.l) = 
ANY w liVHERE w : MR THEN 
SELECT w.sold-:/= w.seats 
END 
THEN rec := P2(i, S U {w}, rej-1 (w),pn) 
END 
[trans(B.l)](Vl :::;;; x:::;;; 10 •. (rec = Px => CLlpx)) = 
\lw • (wE MR => (w.sold-:/= w.seats => CLlp2 (i,SU{w},reJ-l(w),pn))) 
B.2 = notHavelt.i ｾ＠ P3(i, S,fiight,pn) 
trans(B.2) = 
PRE i E Agencies THEN skip END; rec := P3(i, S,fiight,pn) 
[trans(B.2)](\11:::;;; x:::;;; 10 • (1·ec = Px => CLlp,J) = CLlp3 (i,S,ftight,pn) 
B.3 = fullMachine.i ｾ＠ P1(i, S) 
trans(B .3) = 
PRE i E Agencies THEN skip END; Tee:= P1(i, S) 
[trans(B.3)](Vl:::;;; x:::;;; 10 • (rec = Px => CLlpx)) = CL1p1 (i,S) 
[trans(B)](\11:::;;; x:::;;; 10 • (rec = Px => CLlpx)) = 
CLlp3 (i,S,fiight,pn) 1\ 
Vw • (wE MR => (w.sold-:/= w.seats => CLlp2 (i,SU{w},reJ-l(w),pn))) 
207 
208 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
[trans(2)](\7'1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CL!p:J) = 
CL1p3 (i,S,ftight,pn) 1\ 
\7' w • ( w E MR =? ( w.sold =/=- w.seats =? CLip2 (i,Su{w},reJ-l(w),pn))) 
The result above shows that: 
(Tee= P3( i, S, flight, pn) 1\ CL1p3 (i,S,ftight,pn)) =? 
[trans(2)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px)) 
./ 
3 = request?j!i?f ---+ C 
trans(3) = 
PRE i E Agencies THEN 
END 
ANY j, f VVHERE j E Agencies 1\ f E Flights 
THEN trans( C) 
END 
[trans(cp.i.j!mf(f)---+ P3(i, S- {ref(f)},flight,pn))] 
(\11 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px)) 
= ref(f).sold =/=- ref(f).seats 1\ CL1p3 (i,S-{ref(f)},ftight,pn) 
[trans(sorry.i.j---+ P3(i, S,flight,pn))] 
(\:11 ｾ＠ x ｾ＠ 10 • (rec = Px =? CL!px)) 
= j E Agencies 1\ CL1p3 (i,S,ftight,pn) 
[trans(C)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px =? CL!p:J) = 
( 
:ef(f) E S 1\ ref(f).sold =/=- ref(f).seats 1\ CL1p3 (i,S-{ref(f)},ftight,pn) ) 
ref(!) tJ_ S 1\ j E Agencies 1\ CL1p3 (i,S,ftight,pn) · 
[trans(3)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!p:J) = 
i E Agencies 1\ \1 j, f • (j E Agencies 1\ f E Flights => 
[trans( C)](\1 1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CL!px))) 
CLlp3(i,S,jlight,pn) =} 
V j ,f • (j E Agencies 1\ f E Flights =9- CLip3(i,S-{ref(f)},fiight,pn)) 
CLlp3 (i,S,fiight,pn) :::? 
Vj',f • (j E Agencies 1\ f E Flights:::?} E Agencies 1\ CLip3(i,S,fiight,pn)) 
CLJp3(i,S,flight,pn) :::} 
V j', f • (j E Agencies 1\ f E Flights =9-
(Tej(f) E S 1\ Tej(f).sold =/= Tej(f).seats) V Tej(f) ｾ＠ S 
CLlp3 (i,S,fiight,pn) =9-
V j', f • (1' E Agencies 1\ f E Flights :::? 
[tTans(C)](Vl ｾ＠ x ｾ＠ 10 • (Tee= Px:::? CLlp3J)) 
The result above shows that: 
(rec = P3(i, S,fiight,pn) 1\ CLip3 (i,S,fiight,pn)):::? 
[tTans(3)](Vl ｾ＠ x ｾ＠ 10 • (Tee= Px:::? CLlpJ) 
.( 
4 = ask.i?f ｾ＠ D 
trans(4) = 
PRE i E Agencies THEN 
END 
ANY f WHERE f E Flights 
THEN tTans(D) 
END 
[trans(D)](Vl ｾ＠ x ｾ＠ 10 • (rec = Px =? CL!pJ) = 
( 
CLlp10(i,S,fiight,pn,f) ) 
V = . CLlp3(i,S,flight,pn) 
ref(!) ｾ＠ S 1\ CLlp3 (i,S,flight,pn) 
209 
210 APPENDIX C. vVP PROOFS OF FLIGHT TICKETS SALE SYSTEM 
[trans(4)](V 1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CL!p:r;)) = 
i E Agencies 1\ V f • (f E Flights ==> CLlp3(i,S,flight,pn)) 
The result above shows that: 
(rec = P3(i,S,jlight,pn) 1\ CL1p3 (i,S,flight,pn)) => 
[trans(4)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px ==? CL!p:r;)) 
.( 
5 = dp.i?w-+ E 
trans(5) = 
ANY w WHERE w E MR THEN 
SELECT w.sold -=/= w.seats 
THEN trans(E) 
END 
END 
[trans(E)](\11 ｾｘｾ＠ 10 • (rec = Px ==? CLlp,c)) = 
( 
w = ref(fiight) 1\ CLlp2 (i,SU{tu},flight,pn) ) 
ｾ＠ i ref(fiight) A CLip3 (i,Su(w},Jlight,pn) 
[trans(5)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px ==? CL!px)) = 
V w • (wE MR => (w.sold f= w.seats => 
[t?·ans(E)](\11 ｾ＠ x ｾ＠ 10 • (1·ec = Px => CLipx)))) 
CLlp3(i,S,flight,pn) => 
Vw • (wE MR => (w.sold-=/= w.seats => CLip2 (i,Su{w},flight,pn))) 
CL1p3(i,S,flight,pn) => 
V w • ( w E lviR ==? ( w.sold f= w.seats ==? 
w = 7'ef(fiight) V (w-=/= ref(fiight) 1\ CLip3(i,Su{w},flight,pn)))) 
The result above shows that: 
(rec = P3(i, S,fiight,pn) 1\ CLip3 (i,S,flight,pn)) =* 
[trans(5)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px::::;. CLip:J) 
.( 
The results above show that: 
(rec = P3(i, S,flight,pn) 1\ CLip3 (i,S,flight,pn)) =* 
[trans(P3(i, S,flight, pn))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px::::;. CLlp3J) 
+ P4( i, S, j, flight) 
trans ( P 4 ( i, S, j, flight)) = 
PRE ref(fiight).sold =f. ref(flight).seats 
THEN skip END; rec := Pr(i, S- {ref(flight)}) 
[tTans(P4(i, S,j,flight))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px::::;. CLip:,;))= 
ref(flight).sold f. ref(flight).seats 1\ CLlp1 (i,S-{ref(flight)}) 
The result above shows that: 
(rec = P4(i,S,j,jlight) 1\ CLip4 (i,S,j,flight)) =* 
[trans(P4(i, S,j,flight))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px =* CLipx)) 
•%• Ps ( i, S, flight) 
trans(Ps(i, S,flight)) = 
resp ｾ＠ ref (flight). empty; 
IF 1·esp = YES 
THEN trans(emptyMachine.i --4 P1(i, S)) 
ELSE trans ( ep. i! ref (flight) --4 P1 ( i, S - {ref (flight)})) 
END 
trans(emptyMachine.i --4 Pt(i, S)) = 
PRE i E Agencies THEN skip END; rec := P1 (i, S) 
[tTans(emptyJ..ifachine.i --4 P1(i,S)))(V1 ｾ＠ x ｾ＠ 10 • (rec = Px::::;. CLipx)) 
= CLIPI(i,S) 
211 
212 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
tTans( ep.i!Tej(flight) ｾ＠ P1 (i, S- { Tej(flight)} )) = 
PRE Tej (flight). sold -:/= 0 THEN skip END; Tee : = P 1 ( i, S - { Tej (flight)}) 
[ t1·ans ( ep. i b·ef (flight) ｾ＠ P1 ( i, S - { Tej (flight)}))] · 
(Vl ｾ＠ x ｾ＠ 10 • (Tee= Px::::} CL!p:J) 
= ref(flight).sold i= 0 1\ CLlp1 (i,S-{ref(fiight}}) 
[tTans(P5(i, S,flight))](\11 ｾ＠ x ｾ＠ 10 • (ree = Px::::} CL!px)) 
[ 
IF Tej(flight).sold = 0 l 
THEN Tesp := YES 
ELSE Tesp := NO 
END 
( 
resp = YES 1\ CLI p1 ( i,S) ) 
:esp oF YES 1\ ref(flight).sold oF 0 1\ CLip1(i,S-{ref(ftight))) 
( 
ref(flight).sold = 0 1\ CLlp1 (i,S) ) 
ｾ＠ f (flight). sold fo 0 1\ CLI p 1 ( i, s-{ref (flight)}) 
CLlp5 (i,S,flight) ::::} CLip1 (i,S) 
CLI p5 ( i,S ,flight) * CLI P 1 ( i,S -{ ref(ftight}}) 
CLip5 (i,S,flight)::::} (ref(flight).sold = 0 V ?'ef(flight) .sold-:/= 0) 
( 
ref(flight).sold = 0 1\ CLlp1 (i,S) ) 
0Llp5 (i,S,ftight) ::::} V 
ref(flight).sold-:/= 0 1\ CLip1 (i,S-{ref(fiight)}) 
l· 
The result above shows that: 
(rec = Ps(i, S,flight) 1\ CLlp5 (i,S,fiight)) ==> 
[trans(Ps(i, S,fiight))](\11 ｾ＠ x ｾ＠ 10 • (ree = Px ==> CLlp:J) 
+ PB(i, S,flight) 
P6(i, S,fiight) = 1 o 2 o 3 o 4 
trans(P6( i, S, flight)) = 
CHOICE trans(!) OR trans(2) OR trans(3) OR trans(4) END 
[trans(P6(i, ｓＬｦｩｩｧｬｾｴＩＩ｝Ｈ｜ＱＱ＠ ｾ＠ x ｾ＠ 10 • (ree = Px =::> CLlpJ) = 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (ree = Px =? CLlpx)) 1\ 
[trans(2)](Vl ｾ＠ x ｾ＠ 10 • (ree = Px ==> CLlpx)) 1\ 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (ree = Px =::> CLlpx)) 1\ 
[trans(4)](V1 ｾ＠ x ｾ＠ 10 • (Tee= Px ==> CLlpx)) 
1 = ep.i!ref(fiight) ---+ P1 ( i, S- { ref(fiight)}) 
trans(1) = 
PRE ref(fiight).sold # 0 THEN skip END; ree := P1(i,S- {Tej(fiight)}) 
[trans(l)](Vl ｾ＠ x ｾ＠ 10 • (Tee= Px =::> CLlpx)) = 
ref(fiight).sold =I= 0 1\ CLlp1 (i,S-{ref(fiight)}) 
The result above shows that: 
(ree = P6(i, S,fiight) 1\ GLlp6 (i ,S,ftight)) ==> 
[trans(l)](\11 ｾ＠ x ｾ＠ 10 • (ree = Px =? CLlpaJ) 
./ 
213 
214 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
2 = request?j!i?f ｾａ＠
[trans(A)](V 1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLip$ ))= 
( 
:ef(f) = ref(f!zght) II j E Agencies II CLip6 (i,SJlight) ) = 
ref(!) =f. ref(fl'tght) 1\ CLip7 (i,S,flight,j,f) 
( 
ref(!) = ref(flight) 1\ j E Agencies 1\ CLip6 (i,S,flight) ) 
;ef(f) f ref(fiight) II CLlp6 (i,S,f!ight) II j E Agencies II ref(!) E MR 
[trans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CL!p:J) = 
i E Agencies 1\ V j, f • (j E Agencies 1\ f E Flights ==> 
[trans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px ==> CLJp:r;))) 
CLIPo(i,S,flight) ==> 
V j ,j • ( (j E Agencies 1\ f E Flights) ==> (j E Agencies 1\ CLip6 (i,S,flight))) 
CLIPo(i,S,flight) ==> 
V j, f • (j E Agencies 1\ f E Flights ==> 
CLip6 (i,S,flight) 1\ j E Agencies 1\ f E Flights) 
CLIPo(i,S,flights) ==> 
V j, f • (j E Agencies 1\ f E Flights ==> 
(ref(!) = 7'ef (flight) V ref(!) =f. ref (flight))) 
The results above show that: 
(rec = P5(i, S,flight) 1\ CLip6 (i,S,flight)) ==> 
[trans(2)](Vl ｾｘｾ＠ 10 • (rec = Px ==> CL!px)) 
../ 
3 = ask.i?f ｾ＠ B 
[b·ans(B)](V 1 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLlpx)) = 
( 
ｾ･ｦＨｦＩ＠ = ref(flight) 1\ ref(.flight).sold =/= 0 1\ CL1p1(i,S-{ref(ftight}}) ) = 
ref(!) =I= ref(.flight) 1\ CL1p8 (i,S,ftight ,f) 
( 
:ef(f) = ref(ftight) 1\ ref(ftight).sold f 0 1\ CLlp1(i ,S-{ref(fiight)}) ) 
ref(!) =I= ref(flight) 1\ CLlp6(i,S,ftight) 1\ ref(!) E MR 
[trans(3))(V1 ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) = 
i E Agencies 1\ V f • (! E Flights =? 
[trans(B))(\11 ｾ＠ x ｾ＠ 10 • (rec = Px =? CLlpx ))) 
CLIP6 (i,S,ftight) =? 
V f • (! E Flights=? (ref(flight).sold =/= 0 1\ CLlp1 (i,S-{ref(ftight}}))) 
CL1p6(i,S,ftight) ｾ＠
V f • (! E ｆｬｩｧｨｴｳｾ＠ ( CL1p6(i,S ,ftight) 1\ ref(!) E !viR)) 
CL1p6(i,S,ftight) ｾ＠
\if • (f E ｆｬｩｧｨｴｳｾ＠ (ref(!)= ref(.flight) V ref(!) =I= ref(.flight))) 
The results above show that: 
(rec = PG(i, S,flight) 1\ CLlp6 (i,S,ftight)) ｾ＠
[trans(3)](Vl ｾｘｾ＠ 10 • (rec = Px =} CLlpx)) 
..( 
4 = dp.i?w ｾ＠ P5(i, S U {w},.flight) 
[trans(4)](V1 ｾｘｾ＠ 10 • (rec = Px ｾ＠ CLlpx)) = 
Vw • (wE !viR==? (w.sold =/= w.seats =? CLlp6(i,Su{w},ftight))) 
215 
216 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTgfi!I 
The result above shows that: 
( rec = P6( i, S, flight) 1\ CL1p6 (i,S,fiight)) => 
[trans(4)](\11 ｾ＠ x ｾ＠ 10 • (rec = Px ==? CL!p:c;)) 
,( 
The results above show that: 
(1·ec = P5(i, S,fiight) 1\ CL1p6 (i,S,fiight)) ==? 
[trans(P5(i, S,fiight))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!px)) 
+ P1(i, S,flight,j,f) 
trans(P7(i, S,flight,j,J)) = 
IF ref(!) E S 
THEN trans(cp.i.j!ref(f) ｾ＠ P5(i, S- {ref(!)}, flight)) 
ELSE trans(sorry.i.j ｾ＠ P5(i, S,fiight)) 
END 
[trans(cp.i.j!ref(f) ｾ＠ P5(i, S- {ref(f)},fiight))] 
(\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!p:J) 
= 
1'ef(f).sold f= ref(f).seats 1\ CL1p6 (i,S-{ref(f)},flight) 
[trans(sorry.i.j ｾ＠ PG(i,S,fiight))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlp:J) 
= j E Agencies 1\ CLlp6 (i,S,fiight) 
[trans(P7(i, S,fiight,j,f))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CL!px)) = 
( 
:ef(f) E S II ref(f) .sold # •·ef(f).seats II GLlp6 (i,S-(ref(f)},fl;ght) ) 
7'ef(f) ｾ＠ S 1\ J E Agenc2es 1\ CL1p6 (i,S,fiight) 
CL1p7 (i,S,fiight,j,f) => CL1p6 (i,S-{ref(f)},jlight) 
CL1p7 (i,S,fiightd,f) => j E Agencies 1\ CL1p6 (i,S,flight) 
( 
Tej(f) E S 1\ Tej(f).sold i= Tej(f).seats ) 
CLlp1 (i,S,fiight,j,f) =? V 
Tej(f) rJ. S 
The results above show that: 
(Tee= P7(i, S,fiight,j,J) 1\ CLip1 (i,S,fiight,j,f)) =? 
[trans(P7(i, S,fiight,j,J))](\11:::;; x:::;; 10 • (Tee= Px =? ｃｌｬｰｾｊＩ＠
+ Ps ( i, S, flight, f) 
trans(Ps(i, S,fiight,J)) = 
IF Tej(f) E S 
THEN ree := Pg(i, S,fiight,j) 
ELSE t1·ans(notHaveit.i ｾ＠ P5(i, S,fiight)) 
END 
[trans(notHavelt.i ｾ＠ P5(i, S,fiight))] 
(V1:::;; x:::;; 10 • (ree = Px =? CL!px)) 
= CL!p6 (i,S,fiight) 
[tTans(Ps(i, S,fiight,f))](V 1 :::;; x:::;; 10 • (Tee= Px =? CLlpJ) = 
( 
:ef(f) E S 1\ CLlp9 (i,S,fiight,J) ) = 
1·ej(f) rj. S 1\ CL1p6 (i,S,fiight) 
( 
ｾｊＨｦＩ＠ E S 1\ CLlp6 (i,S,fiight) 1\ ref(fiight) i= Tej(f) ) 
ref(!) rJ. S 1\ CLlp6 (i,S,fiight) 
CLIP8 (i,S,fiight,J) =? CL!Po(i,S,fiight) 
CLlp8 (i,S,fiight,f) =? Tef(fiight) i= Tej(f) 
217 
218 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTEJvi 
CLip8 (i,S,ftight,f) =>(ref(!) E S V ref(!) tt. S) 
The results above show that: 
(rec = Ps(i, S,ftight,f) 1\ CLip8 (i,S,ftight,f)) => 
[trans(Ps(i, S,fiight,f))](Vl ｾ＠ x ｾ＠ 10 • (rec = Px =} CLlpx)) 
+ Pg(i,S,fiight,f) 
trans(Pg(i, S,fiight,f)) = 
resp ｾ＠ ref(f).empty; 
IF resp =YES 
THEN trans(emptyMachine.i ---t P5(i, S,fiight)) 
ELSE trans(ep.i!ref(f) ---t P5(i, S- {ref(!)}, flight)) 
END 
[trans(emptyMachine.i ---t P6(i,S,fiight))] 
(V1 ｾｘｾ＠ 10 • (rec = Px =} CL!px)) 
= CLlp6 (i,S,ftight) 
[trans( ep. i!ref(f) ---t P5( i, S- {ref(!)}, flight))) 
(V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpx)) 
= ref(f).sold f:= 0 1\ CLlp6 (i,S-{ref(f)},ftight) 
[ 
ＺＺｈｾＢ［＠ ｴ［｡ｾｾＺｭｰｴｹｍ＠ achine. i --> Po ( i, S, flight)) ] 
ELSE trans(ep.i!ref(f) ---t P5(i, S- {ref(!)}, flight)) 
END 
(V1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlpx)) 
( 
resp = YES 1\ CLip6 (i,S,ftight) ) 
ｾ･ｳｰ＠ # YES II ref(f).sold # 0 II CLIP,(i,S-{ref(f)}.ftight) 
[trans(Pg(i, S,fiight,f))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => CLipx)) 
= 
[ 
IF ref(f).sold = 0 l 
THEN resp := YES 
ELSE resp :=NO 
END 
( 
:esp = YES 1\ CLip6 (i,S,fiight) ) 
resp i= YES 1\ ref(f).sold i= 0 1\ CLip6 (i,S-{ref(J)},ftight) 
= 
( 
ref(f).sold = 0 1\ CLip6 (i,S,ftight) ) 
ｾＡＨＡＩＮｳｯｬ､Ｃ＠ 0 1\ CL1p6 (i,S-{ref(f)}Jlight) 
CLip9 (i,S,ftight,f) => CLip6 (i,S,ftight) 
CLip9 (i,S,flight,f) => CLIPa(i,S-{ref(J)},ftight) 
CLlp9 (i,S,ftight,f) => (ref(f).sold = 0 V ref(f).sold i= 0) 
The results above show that: 
(rec = Pg( i, S, flight, f) 1\ CLip9 (i,S,ftight,f)) => 
[trans(Pg(i, S,flight,J))](\11 ｾ＠ x ｾ＠ 10 • (rec = Px => ｃｌｩｰｾｊＩ＠
-1• P1o ( i, S, flight, pn, f) 
trans(Pw(i,S,fiight,pn,J)) = 
resp f-- ref(f).empty; 
IF resp =YES 
THEN trans(emptyMachine.i -t P3(i,S,jlight,pn)) 
ELSE trans(ep.i!ref(f) -t P3(i, S- {ref(f)},flight,pn)) 
END 
219 
220 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTEM 
[trans ( emptyM achine. i ---t P3 ( i, S, flight, pn)] 
(\11 ｾ＠ x ｾ＠ 10 • (rec = Px::::} CLlpx)) 
= ｃｌｬｰ Ｓ ＨｩＬｓｾｦｬｩｧｨｴＬｰｮＩ＠
[trans(ep.i!ref(f) ---t P3(i,S- {ref(f)},flight,pn))] 
(\1'1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlp3J) 
= ref(f).sold f=. 0 1\ CL1p3 (i,S-{ref(f)},flight,pn) 
[ ;:H;:: ｴ［｡ｾｾｾｭｰｴｹｍ＠ achine. i --> Pa ( i, S, flight, pn)) ] ELSE trans(ep.i!ref(f) ---t P3(i, S- {ref(f)},jlight,pn)) 
END 
(\11 ｾ＠ x ｾ＠ 10 • (rec = Px::::} CLlpx)) 
( 
:esp = YES 1\ CL1p3 (i,S,flight,pn) ) 
resp f=. YES 1\ ref(f).sold f=. 0 1\ CLlp3 (i,S-{ref(f)},flight,pn) 
[trans(Pw(i, S,flight,pn,f))](\f1 ｾ＠ x ｾ＠ 10 • (rec = Px => CLlp:J) 
[ 
IF ref(f).sold = 0 l 
THEN resp := YES 
ELSE resp := NO 
END 
( 
:esp = YES 1\ CLlp3 (i,S,flight,pn) ) 
resp f=. YES 1\ ref(f).sold f=. 0 1\ CL1p3 (i,S-{ref(f)},flight,pn) 
( 
ref(f).sold = 0 1\ CLlp3 (i,S,flight,pn) ) 
:ef (f) .sold # 0 A CLI ? 3(;,8-{ ref {f)) ,ftiglot,pn) 
CLlp10 (i,S,jlight,pn,f) => CLJpJ(i,S,flight,pn) 
CLJ P10 ( i,S,flight,pn,J) => CLJp3( i,S-{ ref(f)},flight,pn) 
CLlp10 (i,S,ftight,pn,f) => (Tej(f).sold = 0 V Tej(f).sold # 0) 
The results above show that: 
(Tee= P10(i, S,fiight, pn,j) 1\ GL1p10 (i,S,ftight,pn,f)) => 
[tTans(PIO(i,S,fiight,pn,j))](V1 ｾ＠ x ｾ＠ 10 • (Tee= Px => CL!p:J) 
221 
222 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
+ R1(S) 
R1 (S) = 1 o 2 o 3 
trans(R1 (S)) = CHOICE trans(1) OR trans(2) OR trans(3) END 
[trans(Rl(S))](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRJ) = 
[trans(1)](\f1 ｾ＠ x ｾ＠ 10 • (1·ec = Rx ｾ＠ CLIRJ) 1\ 
[trans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ｾ＠ CLIRx)) 1\ 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ｾ＠ CLIRx)) 
1 = customerToCancel?flight?pn ｾｩｦ＠ ref(flight) E S 
then R2 ( S, flight, pn) 
else R3 ( S, flight, pn) 
[ 
IF ref (flight) E S ] 
THEN R2(S,flight,pn) (\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) = 
ELSE R3(S,flight, pn)END 
( 
ｾｦＨｦｬｴｧｨｴＩ＠ E S II GLIR,(S,J!ight,pn) ) = 
ref(flzght) tt S 1\ CLIR3 (S,fiight,pn) 
CLIR1 (s) 1\ flight E Flights 1\ ref(flight) E MR 1\ pn E Passport 
[trans(1)](\f 1 ｾｘｾ＠ 10 • (rec = Rx => CLIRx)) = 
\f flight, pn • ((flight E Flights 1\ pn E Pas sport) ｾ＠
( CLIR1(s) 1\ flight E Flights 1\ ref(flight) E !VIR 1\ pn E Passport)) 
The result above shows that: 
(rec = R1(S) 1\ CLIR1(s)) => [trans(l)](\fl ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRJ) 
.( 
2 = require? j? flight ｾ＠ if ref (flight) E S 
then R5(S,flight,j) 
else (notHaveit.j ｾ＠ R1(S)) 
223 
THEN rec := R5(S,flight,j) (V1:::;;; x:::;;; 10 • (rec = Rx =? OLin )) = 
[ 
IF ref(flight) E S l 
ELSE trans(notHaveit.j --4 R1(S)) x . 
END 
(v ref(flight) E S 1\ GLin5 (S,fiight,j) ) = GLin1 (S) 1\ j E Agencies 
ref(flight) ｾ＠ S 1\ j E Agencies 1\ GLin1 (s) 
[trans(2)](\fl:::;;; x:::;;; 10 • (rec = Rx =? GLinx)) = 
\f j, flight • ( (j E Agencies 1\ flight E Flights) =? ( GLin1 (S) 1\ j E Agencies)) 
The result above shows that: 
(rec = R1(S) 1\ GLin1 (s)) =? [trans(2)](\fl :::;;; x ｾ＠ 10 • (rec = Rx =? GLinJ) 
./ 
3 =D. A . ep.j?z --4 R1(S U {z}) JE ｧ･ｮ｣ｾ･ｳ＠
trans(3) =CHOICE trans(ep.1?z -4 R1 (SU {z})) 
OR trans(ep.2?z --4 R1(S U {z})) 
END 
[trans(ep.l?z --4 R1(S U {z}))](\fl:::;;; x:::;;; 10 • (rec = Rx =? CLinx)) = 
\f z • (z E J..1R =? (z.sold =/= 0 =? GLin1 (su{z}))) 
[trans(ep.2?z --4 R1(S U {z})))(\7'1:::;;; x:::;;; 10 • (rec = Rx =? CLinaJ) = 
\f z • (z E !viR=? (z.sold-=/= 0 * CLin1 (su{z}))) 
[trans(3)](\f1:::;;; x:::;;; 10 • (rec = Rx =? CLinx)) = 
\f z • (z E MR =? (z.sold-=/= 0 =? CLin1 (su{z}))) 
The result above shows that: 
(rec = R1(S) 1\ CLin 1(s)) =? [trans(3)](\fl :::;;; x :::;;; 10 • (rec = Rx =? CLinx)) 
./ 
The results above show that: 
(rec = R1(S) 1\ CLin1(s)) =? [trans(Rl(S))](\11:::;;; x:::;;; 10 • (rec = Rx =? CLin:r.)) 
./ 
224 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTEli!J 
+ R2(S,flight,pn) 
trans ( R2 ( S, flight, pn)) = resp ｾ＠ ref (flight). cancel (pn); 
IF 1·esp = Empty 
THEN rec := R4(S,flight) 
ELSE rec := R1(S) END 
[ 
IF resp =Empty ] 
THEN rec := Rtl(S,flight) (V 1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? GLIR:J) = 
ELSE rec := R1 (S) END 
( 
ｾ･ｳｰ＠ =Empty 1\ CLIR4 (S,fiight) ) 
resp f:. Empty 1\ GLIR1 (S) 
[t·rans(R2(S,flight,pn))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? GLIR:J) = 
(v resp = Empty 1\ GLIR,1(S,fiight) ) __ [ resp ｾ＠ ref (flight). cancel (pn)] 
resp f:. Empty 1\ GLIR1 (S) 
pn E Passport 1\ ref (flight) .sold f:. 0 1\ 
IF pn E ref(flight).customer THEN 
ref(flight).customer := ref(flight) .customer- {pn} II 
ref(flight).sold := ref(flight).sold- 1 II 
IF ref(flight).sold - 1 = 0 
THEN resp :=Empty 
ELSE resp :=Available 
END 
ELSE resp := Incorrectlnput 
END 
( 
ｾ･ｳｰ＠ = Empty 1\ GLIR4 (S,fiight) ) 
resp -=J Empty 1\ GLIR1 (S) 
A= 
ref (flight). customer : = ref (flight). customer - {pn} II 
ref(flight).sold := ref(flight).sold- 1 II 
IF Tef(flight).sold- 1 = 0 
THEN Tesponse :=Empty 
ELSE response :=Available 
END 
( 
ｾ･ｳｰ＠ = Empty 1\ CLIR4 (S,ftight) ) 
Tesp f= Empty 1\ CLIR!(S) 
= 
ref(flight).sold- 1 = 0 1\ S ｾ＠ MR 1\ flight E Flights 1\ 
V k E (S- { ref(fiight)}) • k.sold f= 0 1\ ref(fiight) E S 
v 
Tef(flight).sold- 1 f= 0 1\ S ｾ＠ Jv!R 1\ V k E S • k.sold f= 0 
IF pn E ref (flight). customeT THEN 
Tef (flight). customeT : = ref (flight). customeT - {pn} II 
Tef(fiight).sold := ref(flight).sold- 1 II 
IF ref(fiight).sold- 1 = 0 
THEN 1·esp := Empty 
ELSE Tesp :=Available 
END 
ELSE Tesp := IncoTrectlnput 
END 
( 
ｾ･ｳｰ＠ = Empty 1\ CLIR4 (S,ftight) ) 
resp f= Empty 1\ CLin1 (S) 
( 
ｾｮ＠ E ref (flight). customeT 1\ A ) 
pn c:J. ref(fiight).customer 1\ CLIR1 (s) 
225 
226 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
CLJR2(S,Jlight,pn) * 
(S ｾ＠ MR 1\ flight E Flights 1\ V k E (S- {ref(flight)}) • k.sold =f. 0 1\ 
ref (flight) E S) 
CLIR2(S,fiight,pn) =} (S ｾ＠ MR 1\ V k E S • k.sold f= 0) 
CLIR2(S,fiight,pn) =} (ref(flight).sold -1 = 0 V ref(flight).sold- 1 =f. 0) 
CLIR2(S,fiight,pn) =} A 
CLIR2 (S,fiight,pn) =} (pn E ref(fiight).customer V pn ｾ＠ ref(fiight).customer) 
The results above show that: 
( 
pn E ref (flight). customer 1\ A ) 
CLJR2 (S,fiight,pn) =} V 
pn ｾ＠ ref(fiight).customer 1\ CLIR1 (s) 
CLIR2(S,fiight,pn) =} (pn E Passport 1\ ref(fiight).sold f= 0) 
The results above show that: 
(rec = R2(S,jlight, pn) 1\ CLIR2(S,fiight,pn)) * 
[trans(R2(S,flight,pn))](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLIR:J) 
+ Ra(S,flight, pn) 
R3'(S,flight,pn) = 1 D 2 D 3 
trans(R3(S,flight,pn)) =CHOICE trans(!) OR trans(2) OR trans(3) END 
[trans(R3(S,flight,pn))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLIRJ) = 
[t?·ans(l)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =} CL!Rx)) 1\ 
[tTans(2)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLIRJ) 1\ 
[trans(3)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx =} CL!Rx)) 
1 = ask?j!fiight--? A 
A = A.1 o A.2 o A.3 
[trans(A)] = CHOICE t1·ans(A.1) OR trans(A.2) OR trans(A.3) END 
[trans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx =?- CLIR:J) = 
[trans(A.1)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx =?- CLIR:r:)) 1\ 
[trans(A.2)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx =?- CLIR:J) 1\ 
[trans(A.3)](\I 1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR3J) 
A.1 = ep.j?w -t R2(S U { w }, ref-1 ( w), pn) 
[trans(A.1)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx =?- CLIRx)) = 
Vw • (wE MR =?- (w.sold =f. 0 =?- CLIR2 (Su{w},ref-l(w),pn))) 
A.2 = notHavelt.j -t R3(S,jlight,pn) 
[trans(A.2)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) = 
j E Agencies 1\ CLIR3 (S,fiight,pn) 
A.3 = emptylVIachine.j --? R1 (S) 
[trans(A.3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =?- CLIR:J) = 
j E Agencies 1\ CLin1 (S) 
[trans(A)](V 1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) = 
j E Agencies 1\ CLIR3 (S,ftight,pn) 1\ 
Vw • (wE MR => (w.sold =/= 0 =?- CLIR2 (SU{w},reJ-l(w),pn))) 
trans (1) = PRE flight E Flights 
THEN ANY j WHERE j E Agencies 
THEN trans(A) 
END 
END 
227 
228 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIRaJ) = 
flight E Flights 1\ 
Vj • (j E Agencies==> [trans(A)](\11 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:c))) 
The result above shows that: 
(rec = R3(S,flight, pn) 1\ CLIR3 (S,flight,pn)) ==> 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
2 = require?f?f-} if ref(!) E S 
then Rw(S,flight,pn,j,f) 
else ( notH avelt .j -} R3 ( S, flight, pn)) 
[ 
IF ref(!) E S THEN l 
1
·ec := Rw(S,flight,pn,j,f) ELSE (Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR )) 
trans ( notH avelt .j -} R3 ( S, flight, pn)) x 
END 
( 
ref(!) E S 1\ CLIR1o(S,flight,pn,j,f) ) 
= ;ef(f) rfc S II j E Agencies II CLIR:i(S,flight,pn) 
= j E Agencies 1\ CLIR3 (S,flight,pn) 
[trans(2)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CL!Rx)) = 
Vj,f • ((j E Agencies 1\ f E Flights)==> (j E Agencies 1\ CLIR3 (S,flight,pn))) 
The result above shows that: 
(rec = R3(S,flight,pn) 1\ CLIR3 (S,flight,pn)) ==> 
[trans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==> CLIR:J) 
./ 
229 
3 = D. A . ep.j?w ---t if w = ref(fiight) JE genczes 
then R2(S U { w}, ref-1(w),pn) 
else R3(S U { w },flight, pn) 
rec := R2(S U {w}, rej-l(w).,pn) (V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) 
[ 
IF w = ref(fiight) THEN l 
ELSE rec := R3(S U { w ｽＬｦｩｾｧｨｴＬ＠ pn) ·· 
END . 
( 
W = ref(fiight) 1\ CLIR2 (SU{w},ref-l(w),pn) ) 
= v =D 
w i= ref(fiight) 1\ ｃｌｉｒ Ｓ ＨｓｵｻｾｵｽＬｦｩｩｧｨｴＬｰｮＩ＠
[trans(3)](Vl ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIRx)) = 
Vw • (wE MR => (w.sold i= 0 =>D)) 
The result above shows that: 
(rec = R3(S,jlight,pn) 1\ CLIR3 (S,fiight,pn)) => 
[trans(3)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR3J) 
./ 
The results above show that: 
(rec = R3(S,jlight, pn) 1\ CLIR3 (S,fiight,pn)) => 
[trans(R3(S,jlight,pn))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:,J) 
+ R4(S,jlight) 
R4(S,jlight) = 1 o 2 o 3 
trans(R4(S,jlight)) = CHOICE t?·ans(1) OR trans(2) OR trans(3) END 
[trans(R4(S,fiight))](V 1 ｾ＠ x:::;;; 10 • (rec = Rx => CLIRJ) = 
[trans(1)](V1:::;;; x:::;;; 10 • (rec = Rx => CLIR3J) 1\ 
[tTans(2)](V1:::;;; X:::;;; 10 • (rec = Rx::::} CLIRJ) 1\ 
[trans(3)](V 1 :::;;; x:::;;; 10 • (rec = Rx ::::} CLIRx)) 
230 APPENDIX C. vVP PROOFS OF FLIGHT TICKETS SALE SYSTElvi 
1 = 0 .EA . dp.j!ref(fiight) ｾ＠ R1(S- {ref(fiight)}) J genctes 
trans(1) =CHOICE trans(dp.1!ref(fiight) ｾ＠ R1(S- {ref(fiight)})) 
OR trans(dp.2!ref(flight) ｾ＠ R1(S- {ref(flight)})) 
END 
[trans(1)](V 1 ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLin,J) = 
ref(flight).sold =F ref(fiight).seats 1\ CLin1(S-{ref(fiight)}) 
The result above shows that: 
(rec = Rtl(S,flight) 1\ CLin4 (S,fiight)) * 
[trans(1)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =} ｃｌｩｮＺｾｊＩ＠
,( 
2 = requi?·e?j?f ｾ＠ if ref(!) = ref(fiight) 
then dp .j !?·ef (flight) ｾ＠ R 1 ( S - {ref (flight)}) 
else Rs(S, flight,j, f) 
[ 
IF ref(!) = ref(flight) THEN J 
dp.j!ref(flight) ｾ＠ R1 (S- { ref(flight)}) 
ELSE R8(S,fiight,j,f) 
(Vl ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLIRJ) 
ref (f) = ref (flight) 1\ ref (flight). sold =F ref (flight). seats 1\ 
CLIR1 (S-{ref(fiight)}) 
v 
ref(!) =I= ref(fiight) 1\ CLIR4 (S,fiight) 1\ j E Agencies 1\ ref(!) E JvJR 
=E 
[trans(2))(V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =} CLin:r;)) = 
V j,f • (U E Agencies 1\ f E Flights)=} E) 
CLin4(S,fiight) => 
'\/ j, f • ( (j E Agencies 1\ f E Flights) => 
(ref(flight).sold i= ref(flight).seats 1\ CLin1 (S-{ref(fiight)}))) 
CLin4 (S,fiight) => 
'\/ j, f • ( (j E Agencies 1\ f E Flights) => 
( CLin4 (S ,fiight) 1\ j E Agencies 1\ ref(!) E MR)) 
The results above show that: 
(rec = R4(S,flight) 1\ CLin4 (S,fiight)) => 
[t?·ans(2)](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => ｃｌｩｮＺｾｊＩ＠
..( 
3 = 0 'EA . ep.j?w ｾ＠ R4(S U { w },flight) J genctes 
trans(3) =CHOICE trans(ep.1?w ｾ＠ R4(S U {w},flight)) 
OR trans(ep.2?w ｾ＠ R4(S U {w},flight)) 
END 
[trans(3)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx => ｃｌｩｮｴｾｊＩ＠ = 
\f w • ( w E MR => ( w.sold i= 0 => CLin4 (Su{w},fiight})) 
The result above shows that: 
( rec = R4(S, flight) 1\ CLin4 (S,fiight)) => 
[trans(3)](\f1 ｾ＠ x ｾ＠ 10 • (rec = Rx =* CLinx)) 
..( 
The results above show that: 
(rec = R4(S,jlight) 1\ CLin4(S,fiight)) =* 
[trans(R4(S,flight))](\fl ｾ＠ x ｾ＠ 10 • (rec = Rx =* CLIR:J) 
231 
232 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTE!vi 
+ R5(S,flight,j) 
trans(R5(S,flight,j)) = resp f-- ref(fiight).full; 
IF resp =YES 
THEN Tee:= R6(S,j) 
ELSE rec := R1(S,flight,j) 
END 
[trans(R5(S,flight,j))]('t/1 ｾｘｾ＠ 10 • (rec = Rx => CLinx)) = 
[ 
IF .Tef(fiight).sold = ref(fiight).seats l 
THEN resp := YES 
ELSE resp := NO 
END . 
( 
resp = YES 1\ CL1n6 (S,j) ) 
ｾｳｰ＠ # YES A CLin7 (S,Jlight,j) 
( 
ref(flight).sold = ref(fiight).seats 1\ CLina(S,j) ) 
= :ef (flight) . sold # ref (flight) . seats A CLI Rs ( s ,flight,;) 
CL1n5 (S,fiight,j) => CLin6 (S,j) 
( 
ref(flight).sold = ref(flight).seats ) 
CLln5 (S,fiight,j) => V 
ref (flight). sold =/= ref (flight). seats 
The results above show that: 
(rec = R5(S,flight,j) 1\ CL1n5 (S,fiight,j)) => 
[trans(R5(S,flight,j))]('v'1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLin:,J) 
+ R6(S,j) 
[trans(R6(S,j))]('v'l ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLin:J) = 
j E Agencies 1\ CL1n1 (S) 
The result above shows. that: 
(rec = R5(S,j) 1\ CL1n6 (s,j)) => 
[trans(RG(S,j))]('t/1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLinx)) 
.( 
+ R1(S, flight, j) 
[trans(R7(S,fiight,j))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx ==? CLIRx)) = 
ref(fiight).sold f=. ref(fiight).seats 1\ CLIR1(S-{ref(flight)}) 
The result above shows that: 
(rec = R7(S,[tight,j) 1\ CLIR7 (S,flight,j)) =? 
[trans(R7(S,fiight,j))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLIRx)) 
+ Rs(S,fiight,j,f) 
trans(Rs(S,flight,j,f)) =IF ref(!) E S 
THEN rec := Rg(S,flight,j,j) 
ELSE trans(notHavelt.j ｾ＠ R4(S,[tight)) 
END 
[tTans(notHavelt.j ｾ＠ R4(S,fiight))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLIRx)) = 
j E Agencies 1\ CLIR4 (S ,flight) 
[trans(Rs(S,fiight,j,j))](V1 ｾ＠ x ｾ＠ 10 • (rec = Rx =? CLIR:,J) = 
( 
ｾｦＨｦＩ＠ E S 1\ CLIR.1(S,flight) 1\ j E Agencies 1\ ref(!) f=. ref(fiight) ) 
ref(!) rJ. S 1\ j E Agencies 1\ CLIR4 (S,flight) 
CL!Rs(S,fiight,j,J) =? (j E Agencies 1\ CLIR4 (S,flight)) 
CLIRs(S,flight,j,J) =? (ref(!)=/= ref(fiight)) 
CLIRs(S,flight,j,f) ==? (ref(!) E S V ref(!) rJ. S) 
The results above show that: 
( rec = Rs(S ,fiight,j, f) 1\ CL!Rs(S,flight,j,f)) ==? 
[trans(Rs(S,fiight,j,f))](V1 ｾ＠ x ｾ＠ 10 • (rec = Px ==? CLlpx)) 
233 
234 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTRM 
+ Rg(S,flight,j,J) 
trans(Rg(S,flight,j,J)) = resp ｾ＠ ref(f) .full; 
IF resp =YES 
THEN trans (fullM achine .j ----t R4 ( S, flight)) 
ELSE trans ( dp .j! ref (f) ----t R4 ( S - {ref (f)}, flight)) 
END 
[trans(fulllllfachine.j ----t R4(S,flight))](\fl:::;; x:::;; 10 • (rec = Rx => CLIR:J) = 
j E Agencies 1\ CLIR4 (S,fiight) 
[trans(dp.j!ref(f) ----t R4(S- {ref(f)},flight))] 
(\11:::;; x:::;; 10 • (rec = Rx => CLin:J) 
= ref(f).sold-=/= ref(f).seats 1\ CLIR4 (S-{ref(f)},fiight) 
[ 
IF resp = YES l 
THEN trans(fullMachine.j ----t R4(S,flight)) 
ELSE trans(dp.j!ref(f) ----t R4(S- {ref(f)},flight)) 
END 
(V 1 :::;; x:::;; 10 • (rec = Rx =? CLin:J) 
( 
resp = YES 1\ j E Agencies 1\ CLIR4 (S,fiight) ) 
;esp ol YES II ref(f).sold # ref(f).seats II GLII4(S-{ref(f))Jlight) 
[trans(Rg(S,flight,j,J))](Vl:::;; x:::;; 10 • (rec = Rx =? CL!n:J) = 
[ 
IF ref(f).sold = ref(f).seats l 
THEN resp := YES 
ELSE 'resp :=NO 
END 
( 
resp = YES 1\ j E Agencies 1\ CLIR4 (S,fiight) ) 
ｾｳｰ＠ ol YES II ref(f).sold # ref(f).seats II GLII4(S-{ref(f)),J!ight) 
( 
ref(f).sold = ref(f).seats 1\ j E Agencies 1\ CLIR.t(S,fiight) ) 
ｾ･ｦ＠ (f). sold # ref(!). seats A CLI n. ( s _ {ref (f)} ,flight) 
CLin9 (S,fiight,J",f) ==? (j E Agencies 1\ CLin4 (S,ftight)) 
CLIR9 (S,jUght,j,f) =} CLIR.t(S-{ref(f)},fiight) 
CL1n9 (S,fiight,j,f) ==? (ref(f).sold = ref(f).seats V ref(f).sold =I= ref(f).seats) 
The results above show that: 
(rec = Rg(S,flight,y',f) 1\ CL1n9 (S,fiight,j,f)) =* 
[trans(Rg(S,fiight,y',j))](\11 ｾｘｾ＠ 10 • (rec = Rx => CLIRx)) 
•%• Rlo(S,flight,pn,j,f) 
trans(R10(S, flight, pn,j,f)) = 
resp f-- ref(!) .full; 
IF resp =YES 
THEN trans(fulllVIachine.j ---4 R3(S,flight, pn)) 
ELSE t?·ans(dp.j!ref(f) ---4 R3(S- {ref(f)},flight,pn)) 
END 
[trans (fulllVI achine .j ---4 R3 ( S, flight, pn))] 
(V 1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLin:,J) 
= j E Agencies 1\ CLIR3 (S,ftight,pn) 
[trans(dp.j!ref(f) ---4 R3(S- {ref(f)},flight,pn))] 
(V1 ｾ＠ x ｾ＠ 10 • (rec = Rx => CLIR:J) 
= ?'ef(f).sold f= ref(f).seats 1\ CLIR3 (S-{ref(f)},fiight,pn) 
[ 
ｾｈ［ＺＺ＠ ＺｾｾｾｬＡｍ｡｣ｨｩｮ･ＮｪＭＭ＾＠ R3(S,fl.ight,pn)) ] 
ELSE trans(dp.j!ref(f) ---4 R3(S- {ref(f)},flight,pn)) 
END 
(\7' 1 ｾｘｾ＠ 10 • (rec = Rx => CLIRx)) 
235 
·:' 
236 APPENDIX C. WP PROOFS OF FLIGHT TICKETS SALE SYSTEJvi 
( 
ｾ･ｳｰ＠ = YES !\ j E Agencies !\ CLIR3 (S,fiight,pn) ) 
Tesp -:f YES !\ Tej(f).sold # Tef(f).seats !\ CLIR3 (S-{ref(f)},fiight,pn) 
[tTans(Rw(S,fiight,pn,j,J))]('\11 ｾ＠ x ｾ＠ 10 • (Tee= Rx:::::} GLin:J) = 
[ 
IF Tej(f).sold = Tef(f).seats l 
THEN Tesp := YES 
ELSE Tesp := NO 
END 
( 
ｾ･ｳｰ＠ = YES !\ j E Agencies !\ GLIR3 (S,fiight,pn) ) 
Tesp # YES !\ Tef(f).sold # Tef(f).seats !\ ｃｌｉｒ Ｓ ＨｓＭｻｮｾｦＨｦＩｽＬｦｩｩｧｨｴＬｰｮＩ＠
( 
Tef(f).sold = Tef(f).seats !\ j E Agencies !\ GLIR3 (S,fiight,pn) ) 
ｾ･ｦ＠ (!).sold # r"ef (!).seats II CLI R, ( s _ {ref (f)) ,flight,pn) 
GLIR10(s,fiight,1m,j,f) ==> (j E Agencies !\ GLIR3(S,fiight,pn)) 
GLJ RIO(S,fiight,pn,j,f) ::::} GLIR3(S-{ ref(f)},fiight,pn) 
CLIRto(S,fiight,pn,j,f) ==> 
(Tef(f).sold = Tef(f).seats V ref(f).sold # Tef(f).seats) 
The results above show that: 
(Tee = R10(S, flight, pn,j ,J) !\ CLIR10 (S,fiight,pn,j,f)) ::::} 
[trans(Rw(S,flight,pn,j,f))]('\11 ｾ＠ x ｾ＠ 10 • (Tee= Rx:::::} CLin:,J) 
