Communicating B Machines. by Schneider, S & Treharne, H
Communicating B Machines
Steve Schneider and Helen Treharne
Department of Computer Science  Royal Holloway 
University of London  Egham  Surrey  TW EX  UK
Email fsteve helengcsrhulacuk
Abstract  This paper describes a way of using the process algebra CSP
to enable controlled interaction between concurrent B machines This
approach supports compositional verication each of the controlled ma
chines  and the combination of controller processes  can be analysed and
veried separately in such a way as to guarantee correctness of the com
bined communicating system Reasoning about controlled machines sep
arately is possible due to the introduction of guards and assertions into
description of the controller processes in order to capture assumptions
about other controlled machines and provide guarantees to the rest of
the system The verication process can be completely supported by
dierent tools The use of separate controller processes facilitates the
iterative development and analysis of complex control 	ows within the
system The approach is motivated and illustrated with a nontrivial
running example
Keywords  B Method CSP Combining Formalisms Concurrency
  Introduction
This paper introduces a new approach to combining concurrent B machines in
a veriable way One of the main motivations for the approach is the desire
to make use of existing tool support for all aspects of the verication and for
the generation of executable code within the B Method This builds on previ 
ous work 	 using the process algebra CSP 
	 to describe controllers for
B machines in order to express and reason about complex ows of control in a
natural way Previous work has been concerned with a single controller process
P encapsulating a single ow of control for a B machine M  M can be a single
machine or be comprised of a hierarchy of machines We also focussed on meth 
ods for proving that a controller is consistent with its underlying machine In
this paper we consider how a collection of such combinations of B machines M
i
and their controllers P
i
 can interact The controllers play a key role in enabling
communication between the machines We propose an architecture pictured in
Figure  which forces all interaction between machines to be through the con 
trollers The architecture is therefore appropriate both when controlled machines
are distributed across a network and when they are executed on the same proces 
sor This enables deadlock and divergence freedom of a combined communicating
system to be veried in a compositional way simply by analysing smaller parts of
the system the individual controlled machines P
i
kM
i
 and the parallel combi 
nation of only the P
i
without theM
i
 Overall correctness follows automatically
from Lemma  and Theorem  presented in Section  This means that existing
tools for the B Method and for process algebra can be used to verify our system
descriptions Other properties of the combined communicating system can also
be specied within the process algebra and established using existing tools
In practice we nd that the correctness of particular controlled machines
within the system rests on the behaviour of other controlled machines and as 
pects of the rest of the systems behaviour must be incorporated into the ver 
ication We achieve this by extending the language of controllers to include
guards which block unwanted inputs and assertions which diverge on unex 
pected communications Guards on an input channel of a controller P are used
to describe the inputs expected from the rest of the system and thus capture
the assumptions about the process environment This enables P to be analysed
in the absence of the rest of the system Assertions on outputs to the rest of
the system describe what the process itself should guarantee Assertions are also
used to encapsulate the expectations on inputs to a controller P from its asso 
ciated machine M  This enables the combination of controllers to be analysed
together independently of the machines they control and hence entirely at the
level of process algebra
The development of a combined communicating system proposed in this pa 
per will involve the following steps
 Dene the individual B machines
 Give CSP controllers for them that describe the ow of control for their use
 Prove consistency between the B machines and their controllers
 Prove deadlock freedom of the combination of the controllers
 Rene and implement the machines and controllers independently
This process will be illustrated by the running example
This paper is organised as follows Section  introduces the CSP controller
language and semantics Section  describes the running example used to mo 
tivate and illustrate the approach Section  is concerned with the consistency
results which underpin the approach and the use of assertions and guards and
Section  ends with a discussion The paper assumes familiarity with AMN
further details can be found in 	
 CSP Controllers and B Machines
 Notation
Communicating Sequential Processes CSP is a language for describing pro 
cesses of concurrent systems and their patterns of interactions The unit of in 
teraction is the atomic event which processes perform and on which they syn 
chronise Events can be unstructured such as start or they can have some
M 
 M 
P

P






   
 
 
communication channel
machine channel
synchronisation channel
Key
Fig    An architecture for concurrent B machines
structure generally of the form of a channel name c and some values v that are
passed along a channel Thus the occurrence of c   may be understood as the
passing of the values  and  along the channel c The occurrence of events is
atomic The set of all events is denoted 
We will use a subset of CSP to describe the controllers for B machines The
language we use is based on the language in 	 and is given by the following
pseudo BNF rule
P  a   P j cx hE x i   P j d vfE vg   P j ev xfE x g   P j
P
 
  P

j P
 
u P

j
u
x jEx 
P j if b then P
 
else P

end j S p
where a   and is a synchronisation event c is a communication channel
accepting inputs d is a communication channel sending output values e is a
machine channel x represents all data variables on a channel v represents all
data values being passed along a channel E x  is a predicate on x it may be
elided in which case it is considered to be true b is a boolean expression and
p is a process expression
All the terms in the above grammar have established CSP semantics and can
be modelled in a CSP model checker such as FDR 	 without any extensions
We will explain each expression shortly but before doing so we need to clarify
our use of channels
In our language we want to distinguish between communication via indi 
vidual CSP processes and the inter communication of CSP processes with their
underlying B machines as shown in Figure 
Synchronisation events and communication channels serve as communication
mediums between two CSP controllers and they have no correspondence with B
operations Conversely a machine channel corresponds to a B operation with
the same types for inputs and outputs The machine channel comprising of input
and output also admits degenerate cases in which either or both the  and  
may be dropped These cases are all treated as special instances of the machine
channel and do not require separate treatment For example a machine channel
with no input and outputs will simply correspond to a B operation with no
parameters
The expression a   P  means that a process is prepared to engage in the
event a and subsequently behave as P  It is used to provide a way of synchro 
nising on atomic events
Another expression which makes use of the prex operator   is the expres 
sion cx hE x i   P  It denotes a process that is initially prepared to accept any
value x on the communication channel c that meets the guard predicate E x 
after which it behaves as the process P which may depend on the value of x 
but it will not accept any x that fails to meet that predicate Guards can be
modelled in FDR using standard CSP syntax
The expression d vfE vg   P is initially prepared to perform the event d  v
ie pass values v along the communication channel d If the assertion E v is
true then its subsequent behaviour is that of P  if E v is false then it diverges
Divergent behaviour will be discussed below Assertions are simply coded in
FDR as follows
d vfE vg   P  d v   if E v then P else DIV 
where DIV represents a divergent process
The expression ev xfE x g   P is initially prepared to allow a process to
interact on machine channel e This channel will be used to communicate with a
B machine via its corresponding operation x  ev so it provides v as input
to the B machine indicated by the  and accepts x as output indicated by
the   If the value x it receives meets the predicate E x  then it behaves as the
process P which may depend on the value of x  otherwise it diverges Observe
that the CSP semantics of this term will be the same as an event communicating
over an output and input channel in standard CSP for example evxfE x g
The external choice P
 
  P

is initially prepared to behave either as P
 
or
as P

 with the choice being made on occurrence of the rst event The choice of
the rst event is made by the environment of the choice Conversely the choice
P
 
u P

chooses internally whether to behave as P
 
or as P

 and its environment
has no control over the way the choice is resolved Indexed internal choice 
u

chooses a value x such that is meets the predicate E x  and then behaves as
the process P which may depend on the value of x  Another form of choice is
controlled by the value of a boolean expression in an if expression
S p is a process name where p is an expression Each process expression
contains a recursive call S p For example a process which manages a set of
values can be described by a recursive family indexed by sets
SetS   inx hx  S i   SetS  fxg
  
u
v S
out v   SetS  fvg
Observe the use of the guard on the input channel in to block the input of any
value which is already in the set S  and that some arbitrary member of S is
selected for output
Note that the dierence with the above language and the one used in our
previous work is the inclusion of an output communication channel  internal
choice u and indexed internal choice 
u
 Furthermore the use of the input
channel  and the atomic event a have been restricted to describing communi 
cation between CSP controllers and they no longer correspond to underlying B
operations We have also augmented machine and communication channels with
assertions and guards This rationalisation of the notation is necessary because
we need to deal with concurrency cleanly In this paper we have also restricted
the language to non terminating controllers but the inclusion of terminating
loops is discussed in 	
In addition to the language for controllers CSP provides a number of other
operators including parallel composition P
 
k P

 There is also an indexed form
k
i
P
i
 A parallel combination executes P
 
and P

concurrently requiring that
they synchronise on events in both their alphabets and allowing independent
performance of events outside their alphabets In this paper the alphabet of a
process will be all the events that it can perform This allows messages to pass
along channels
For example if the processes Copy and Copy are dened as follows
Copy  inx   out x   Copy
Copy  outy   downy   Copy
then Copy k Copy can input values v on in have both components synchronise
on out  v which passes the value to Copy and then have Copy independently
output v on down
 Semantics
CSP processes are identied with the observations that can be made of them
thus the semantics of a CSP process will be a set of observations The precise form
of the observations will describe the CSP model The traces model uses traces
as observations The stable failures model uses traces along with subsequent
refusals The failures divergences model uses traces divergences and failures
We briey describe them here A fuller explanation can be found in 	
A trace tr of a process P is a nite sequence of events that it may be observed
to engage in The traces model identies a process with its set of traces
A divergence of a process P is a sequence of events tr such that P reaches a
divergent state which may be thought of as entering a non terminating loop or
in specication terms as a specication which allows any behaviour during the
performance of the sequence of events tr  A process is divergencefree if it has no
divergences Divergence denotes undesirable behaviour and it is generally useful
to establish that a process is divergence free
A refusal of a process P is a set X of events that P might be initially prepared
to refuse A stable failure of a process P is a tracerefusal pair tr X  such that
P can initially perform the sequence of events tr  and reach a non divergent
state in which every event in X is refused The stable failures of P is denoted
F
SF
P 		
If for some tr tr    F
SF
P 		 then P can reach a state in which no event
at all is possible and we say that P has a deadlock If there is no such stable
failure then P is deadlockfree
The CSP model checker FDR allows checks for deadlock and divergence free 
dom to be made automatically for processes
 Example
We describe and motivate the approach of this paper through an illustrative ex 
ample This section illustrates the use of the above control language in specifying
CSP controllers to drive underlying B machines Each individual controller acts
as an interface for its underlying machines and provides a possible pattern of
execution The aim is to compose a collection of controlled machines in order to
specify a large combined communicating system
For the purposes of presentation we rst describe the machines and then the
associated controllers In practice we develop both alongside each other since
both impact on each others specication as we shall see in Section  when we
discuss the particular controllers The B Toolkit 	 and FDR source les for the
example can be downloaded at
http wwwcsrhulacukhomehelenpaperszbsourcestargz
 Machines
Consider two B machines CustomerData and CheckoutData which are dened
in Figures  and  respectively The purpose of these machines is to capture infor 
mation about customers who are shopping and process them through checkout
queues in a supermarket The separation of customers and checkout processing
illustrates our approach of modelling dierent parts of the specication sepa 
rately
The customer information is captured in the CustomerData machine It in 
troduces the variable customer to track whether an individual customer is either
shopping or paying ie the customers status The set of all possible customers
CUSTOMERS is declared in a separate context machine Types as shown in
Figure  Similarly the set dening the customers status STATUS  is declared
in the same context machine This allows more than one machine to use static
information and is typical of B developments
Four operations are oered by CustomerData beginshopping allows a cus 
tomer to become a shopper whatstate queries the status of a customer proceed
tocheckout updates a customer from being one who is shopping to one who is
MACHINE CustomerData
SEES Types
VARIABLES customer
INVARIANT customer   CUSTOMERS  STATUS
INITIALISATION customer   
OPERATIONS
beginshopping  cust  b
PRE cust   CUSTOMERS  customer  cust   paying THEN
customer  cust   shopping
END 
ss  whatstate  cust  b
PRE cust   CUSTOMERS THEN
IF customer    THEN ss  idle ELSE
ss  customer  cust 
END
END 
proceedtocheckout  cust  b
PRE cust   CUSTOMERS  customer  cust   shopping THEN
customer  cust   paying
END 
 nished  cust  b
PRE cust   CUSTOMERS  customer  cust   paying THEN
customer  f cust g C customer
END
END
Fig    CustomerData Machine
waiting to pay and nished removes a customer from being considered by the
system once goods have been paid for
The queue of customers is tracked in the CheckoutData machine
 
 This ma 
chine has a number of checkout counters some of which will be open with a
queue of customers It introduces two variables opencounters and queues The
variable opencounters keeps track of the counters that are currently open The
set of all possible counters COUNTERS is again dened in the separate context
machine Types Only counters that are open can have a queue of customers as 
sociated with them and this information is captured by the queues variable The
invariant of the machine provides constraints on a queue of customers stating
that customers should only ever appear in at most one queue and in at most
one position
Six operations are oered by the machine The operation do open opens a
new counter provided that not all counters are already open The operation
do close closes a counter and removes any customers who are queueing at that
counter The operation serve processes the customer at the head of the queue
at a given counter The operation join allows a new customer to join the queue
at a particular open counter The operation drop out allows a customer to leave
a queue The operation choose non deterministically selects an open counter
whenever possible
 
originally inspired by an example in 


MACHINE CheckoutData
SEES Types  Bool TYPE
VARIABLES queues  opencounters
INVARIANT
opencounters  COUNTERS 
queues   opencounters  iseq  CUSTOMERS  
  cc  dd    cc   COUNTERS 
dd   COUNTERS  cc  dd 	
ran  queues  cc   
 ran  queues  dd      
INITIALISATION
queues    k opencounters   
OPERATIONS
rep co  do open b
BEGIN
IF opencounters  COUNTERS THEN
ANY co
WHERE co   opencounters
 co   COUNTERS THEN
opencounters  opencounters  f co g k
queues  co    	 k rep co  co
END
ELSE
rep co  def counter
END
END 
rep set  do close b
BEGIN
IF opencounters    THEN
ANY co
WHERE co   opencounters THEN
rep set  ran  queues  co   k
queues  f co g C queues k
opencounters  opencounters  f co g
END
END
END 
cu  rep  serve  co  b
PRE co   COUNTERS THEN
IF co   dom  queues  
queues  co    	 THEN
cu   rst  queues  co   k
queues  co   tail  queues  co   k
rep  TRUE
ELSE
rep  FALSE k
cu   CUSTOMERS
END
END 
join  co  cu  b
PRE cu   CUSTOMERS 
co   COUNTERS 
co   opencounters
cu  
S
cc 
 cc   dom  queues  j
ran  queues  cc   
THEN
queues  co   queues  co   cu
END 
drop out  cu  b
PRE cu   CUSTOMERS THEN
ANY co
WHERE co   COUNTERS 
cu   ran  queues  co   THEN
LET ss
BE ss  queues  co  IN
queues  co  
ss  ss
  
 cu    
a
ss  ss
  
 cu 
END
END
END 
out co  rep  choose b
BEGIN
IF opencounters    THEN
rep  FALSE k
out co  def counter
ELSE
ANY cc
WHERE cc   opencounters
THEN
rep  TRUE k
out co  cc
END
END
END
END
Fig    Checkout Machine
MACHINE Types
SETS COUNTERS  CUSTOMERS  STATUS  f shopping  paying  idle g
CONSTANTS def counter
PROPERTIES COUNTERS           CUSTOMERS          
def counter   COUNTERS
END
Fig    Types Machine
initiate
process
errorerror
pickcounter
com

com
remove
whatstate
beginshopping
proceedtocheckout
 nished
do open
do close
serve
choose
join
drop out
CustomerProc CheckoutProc
CustomerData CheckoutData
Fig    Example Architecture
 Controllers
In order to compose two B machines into a combined communicating system we
introduce CSP controllers for each of them which communicate with one another
To be consistent with the B machines the controllers must ensure that operations
are always called within their preconditions In this section we present the con 
trollers which drive the CustomerData and CheckoutData machines Specifying
the controllers CustomerProc and CheckoutProc below allows us to build the
system CustomerProc k CustomerData k CheckoutProc k CheckoutData
Figure  illustrates the overall architecture of the whole system and highlights
all the channels involved
CustomerProc is a controller which deals with customer requests and is given
in Figure 
 The process CustomerProc is dened in terms of a parameterised
recursion The parameter custset holds the set of customers currently paying
Initially there will be no such customers and the set is empty Note that the
state carried around in this controller is more abstract than the state in the
underlying B machine In practice our aim is to minimise the amount of state in
the CSP controller However some state may be necessary in order to determine
the ow of control in a process andor for use in specifying assertions and guards
as is the case with custset 
CustomerProc Q
 
Q
custset  initiatecchcc   CUSTOMERS  custseti  beginshoppingcc 
Q
custset
  process cc  whatstatecc ss 
if ss  shopping then
proceedtocheckoutcc  com
ccfcc   custsetg 
Q
fccg  custset
else
error cc  Q
custset
  comcchcc   custseti   nishedcc  Q
custset  fccg
Fig    Customer Process
There are three main paths of execution which are controlled by external
choice The rst path accepts customers provided they are not already pay 
ing This is ensured by the guard of the communication channel initiate cc 
CUSTOMERScustset We proceed after accepting an appropriate customer to
observe a communication of that customer value along the beginshopping chan 
nel which corresponds to the underlying B operation assigning hisher status
to be shopping Allowing only certain customers means that the precondition of
the beginshopping operation will be discharged when invoked It is true that the
above constraint on customers could have been modelled as a select statement in
B but our philosophy is never to block B operations so that we can implement
the operations in ANSI C within the B Toolkit The role of guards and assertions
will be examined in more detail in Section 
The second path processes a customer If the customer is already shopping
then the underlying B state of that customer is updated followed by a message
being passed along com communicating to CheckoutProc that the customer
can now join a queue Note that the assertion denotes the assumption that the
customer is not already paying Note also that the parameter in the recursive call
updates the custset to include the new customer In the case where the customer
is not shopping an error is reported and no underlying B state is aected
Observe that a request to process a customer could occur even before heshe
has begun shopping and thus impacting on the specication of the whatstate
operation Initially we had used a simple assignment and a precondition stating
that cust  domcustomer The operation in Figure  is far more robust and
allows the operation to be called with any customer as its input In order to
achieve this particular style of specication we augment the datatype STATUS
to include an extra enumeration idle as shown in Figure 
The third path records the fact that a customer has nished shopping The
particular customer whose status is to be updated will be communicated along
com The guard on the channel reects our understanding that the customer
will be one who is currently paying Here again the guard is used to dischargee
CheckoutProcQ 
Qcustque  do open out co  Qcustque
  do close out quefout que  custqueg Qcustque out que
  
u
d COUNTERS
pickcounter d 
served cust repfcust   custque rep  falseg 
if rep  true then
comcust  Qcustque fcustg
else
Qcustque
  com
custhcust   CUSTOMER  custquei 
choose out co rep 
if rep  true then
joinout cocust  Qcustque  fcustg
else
do open out co  joinout cocust  Qcustque  fcustg
  removecc
if cc   custque then
drop outcc  comcc  Qcustque  fccg
else
error cc  Qcustque
Fig    Checkout Process
the associated precondition in the nished operation The set substraction in the
recursive call keeps the set of paying customers up to date
CheckoutProc is a controller which controls the opening and closing of su 
permarket counters and the processing of customers in queues associated with
those counters The process CheckoutProc is dened in Figure  in terms of
a parameterised recursion The parameter custque holds the set of customers
currently in a queue Initially there are no such customers
There are ve main possible execution paths in CheckoutProc The rst path
eectively invokes the underlying B operation to open a counter if at all possible
The second path closes a counter The assertion on the output set out que
serves to arm our belief that the customers in the set are queueing customers
The third path illustrates how the choice of which counter will be serviced
next is resolved by the controller The information regarding counters is not cap 
tured in the controller at this stage though it may be included in a renement
at a later stage and so it could be the case that an empty counter is passed as
an input to the B operation serve Therefore the B operation needs to be robust
enough to allow for this possibility It achieves this by outputting a report value
indicating success or failure of the operation The report value is used to control
the ow of execution so that either com communicates that the customer was
served successfully or no such communication occurs Note that there is only one
assertion on the output values of the machine channel serve This is essential
since the cust value may not always be in the queueing set
The fourth path allows a new customer to join a queue A synchronisation
along the communication channel com provides the particular customer wishing
to join a queue The guard on the input channel means that we never want
to follow this path of execution if the customer is already in a queue Once
a customer is received we then proceed to choose a counter whose queue the
customer can join If there are no open counters then we must open one before
the customer is allowed to join its queue Otherwise heshe is simply appended
to the queue of the chosen counter The operation joinco cu corresponding to
joinout cocust has a precondition stating that the customer can only join
provided heshe is not already present in any of the queues of the open counters
The guard on the communication channel com ensures that the cust value meets
that precondition
We originally specied the do open operation with no parameters During
the development of the fourth main execution path we realised that an output
parameter was necessary Consider the following scenario after performing a
choose operation the control process reads the rep variable in order to decide
whether an open counter has been successfully chosen or whether no counters
are open and so a failure is reported by the operation In the latter case we then
proceed to non deterministically choose to open a counter using the do open
operation and then allow the customer to join a queue The problem is that
the counter being passed to the join operation may not be the same as the
one opened by the do open operation This inconsistency problem is solved by
augmenting the do open operation with an output parameter and passing this
output value to the join operation The repercussions of this change on process
Q is that the do open operation in the rst branch of the choice needs to be
consistent in its signature In the rst path the value being passed along the
output channel is never used but this is allowable
The fth path of process Q either removes a customer from the queue or
reports an error If the customer is successfully removed from the queue then
Q forces a synchronisation to occur on channel com so that the information
about the particular customer is also updated as we described above
The above example demonstrates that specifying how the operations are used
in controllers forces us to consider their interface and robustness very carefully
If the operations are not robust that is they contain preconditions then those
preconditions must be discharged by the CSP controller Furthermore the con 
trollers themselves enable us to clearly visualise the ow of information between
controlled machines in a combined communicating system In the example all
interactions between CustomerProc and CheckoutProc have been along machine
channels com and com passing values However in general the language pre 
sented in Section  also allows pure synchronisations such as a start event
 Consistency of Combined Communicating Systems
In this section we discuss how consistency ie divergence and deadlock free 
dom of combined communicating systems can be established in a compositional
way There are two separate steps involved in the verication process steps
 and  in the overall development process outlined in Section  First in
Section  we check that each individual controlled machine is divergence 
free Second we check deadlock freedom of the combination of the individ 
ual controllers without their underlying machines In the case of our exam 
ple these steps involve checking that CustomerProc k CustomerData and
CheckoutProc k CheckoutData are both divergence free and then checking
that CustomerProc k CheckoutProc is deadlock free These two steps can be
supported by the B Toolkit and FDR respectively The results presented in
Section  verify that these two separate steps are enough to ensure dead 
lock and divergence freedom of a combined communicating system in our case
CustomerProc k CustomerData k CheckoutProc k CheckoutData divergence 
and deadlock free
 Consistency of Single Controlled Machine
When we consider a controller P for a machine M  we have previous results
which establish when the CSP controller is appropriate for the B machine it
must not call operations which fail to meet their preconditions This means that
within the failuresdivergences semantics for P andM  the parallel combination
P kM  must be divergence free The following is the essence of the result from
	 giving a sucient condition to guarantee divergence freedom
Theorem  If CLI control loop invariant is a predicate such that
CLI  I  fBBODY
Sp
g	CLI
for each BBODY
Sp
in P then P kM  is divergencefree
The theorem states that the invariant CLI need not necessarily hold after
each individual operation but must hold at each recursive call of a controller As
in 	 we dene a maximum sequence of operations fBBODY
Sp
g to be
the translation of a process expression associated with S p up to and including
reaching a recursive call If such a sequence of operations can establish the CLI
then we know that all the operations are called within their preconditions and
terminate Thus if the CLI holds for all such process expressions within P then
we have a way of checking whether any machine M acting under its controller
P can diverge
The above result also holds for this papers CSP controller language which
allows P to have additional channels which are independent of M  and to have
assertions and guards on the values passed along channels In order to ensure
this we have to provide extra cases in the translation of process expressions to
their corresponding sequences of operations and simplify some existing cases For
example the translation of communication channels which have no underlying
operations from M are outlined as follows
fcx hE x i   Pg  ANY xWHERE E x THEN fPgEND
fd vfE vg   Pg  PREE vTHEN fPgEND
Indexed internal choice
u
x jEx 
P is also translated using an ANY clause and
is akin to a guard on a communication channel The fully formal treatment can
be found in 	
Note that the translation rules above reveal why the annotations of CSP
channels were termed assertions and guards We wanted to model predicates on
inputs as guards which when violated would be identied in the CSP analysis
in the second step of verication when checking deadlock freedom On the other
hand we wanted to model predicates on outputs as assertions which would be
discharged in step one when checking the individual controlled machines P
i
k
M
i
 using the above result
In our example an appropriate CLI for CustomerProc k CustomerData is
custset  customer
 
fpayingg	 It states that the set carried in the parameter
of the process will match the set of customers who are paying and this will be
true at the start of the loop and hold at each recursive call A suitable CLI
for CheckoutProc k CheckoutData is custque 
S
cc cc  domqueues j
ranqueuescc It states that the set carried in the parameter will match the
set of all customers in all of the queues Again this will be true at the start of
the loop and hold at each recursive call
 Consistency of Multiple Controlled Machines
Here we consider two B machinesM
 
andM

under the control of their respective
CSP controllers P
 
and P

 whose overall architecture has been previously de 
picted in Figure  Formally we have the following constraints on the alphabets
of the controllers and machines
 M
 
  P
 

 M

  P


 M
 
 	 P

   
 M

 	 P
 
   
Thus each M
i
communicates only with its associated P
i
 and the various P
i
communicate with each other and with the environment of the combination on
separate channels not involving the M
i

The results below verify that in order to check deadlock and divergence free 
dom of the overall combination only two steps are needed ie it is sucient to
rstly check divergence freedom of each controlled machine separately and then
to check deadlock freedom only of the combination of the CSP controllers
Lemma  If P
 
k M
 
is divergencefree and P

k M

is divergencefree then
P
 
kM
 
 k P

kM

 is divergencefree
Proof This follows immediately from the semantics of parallel composition
in the failuresdivergences model parallel composition preserves divergence 
freedom
As noted above previous work provides techniques for establishing divergence
freedom of a P
i
kM
i

Theorem  If P
 
k M
 
 is divergencefree and P

k M

 is divergencefree
and P
 
k P

 is deadlockfree in the stable failures model then P
 
k M
 
 k
P

kM

 is deadlockfree in the stable failures and failures divergences model
Theorem  extends to any number of B machines to be combined in parallel
Thus Theorem  is proved for the general case in the appendix A The over 
riding principle is that each B machine should have its own CSP controller and
any interaction it has with its controller is private between them and no other
process participates in it Communication between controlled machines takes
place between the CSP controllers using channels which are independent of the
B machines Using this scheme all that needs to be checked to establish overall
divergence freedom is that each P
i
k M
i
is divergence free and all that then
needs to be checked to establish overall deadlock freedom is that the parallel
combination k
i
P
i
is deadlock free The above results also extend to divergence 
free controllers which do not have underlying B machines as we shall see in
Section 
 Role of Assertions and Guards
Assertions and guards allow the overall system to be split into pieces that can
each be independently veried They are used to carry the assumptions and
guarantees to decompose the proof obligations on the overall system to proof
obligations on small combinations of controlled machines within the system
Moreover they make explicit the designers understanding of why the controlled
machines should behave correctly when combined
The assertions on outputs along machine and communication channels give
conditions that any output value must have Since failure to meet such an asser 
tion results in a divergence a successful divergence freedom check of a P
i
k M
i
ensures that any output from P
i
meets the assertion Making such assertions
too strong however will result in P
i
k M
i
failing to be divergence free For ex 
ample if we had included in Figure  the simpler assertion cust  custque on
the serve communication channel then CheckoutProc k CheckoutData would
not be divergence free since we could not always guarantee that the output
provided by the serve operation in CheckoutData met the assertion required by
CheckoutProc
Using assertions on machine and communication channels means that values
failing such assertions will be ignored when k
i
P
i
is analysed for deadlocks in
the stable failures model since a divergence never reaches a stable state in order
to contribute to a deadlock
Guards on inputs on communication channels are also used when checking a
particular P
i
k M
i
for possible divergences Without the guards on inputs to the
P
i
s some inputs which are not possible within the system as a whole might give
rise to a divergence within some particular P
i
kM
i
when considered separately
Observe that without the guards and assertions in the example the machines
CustomerProc k CustomerData and CheckoutProc k CheckoutData would
not have been divergence free For example if we had omitted the guard on the
cust input value along com in the fourth branch of the choice in Q Figure 
then the precondition of the join operation can be violated on some inputs
Guards must also be taken into account in the deadlock freedom checks of
the combined controllers Making a guard too strong may result in a deadlock
when checking k
i
P
i

If the output assertion on a communication channel between two controllers
is the same as or stronger than the input guard then both assertion and guard
may be dropped from the controllers once the verication process is complete In
other words having proven that all messages passed around the system meet the
appropriate conditions they do not require checking at run time and so they can
be dropped from the controller implementations In the case of CustomerProc
this also means that we no longer need to keep track of the set of paying cus 
tomers in the recursion and as a result we obtain a simpler controller
Note that we have not included guards on input values along machine chan 
nels in our languageM is not analysed independently of P  so guards capturing
properties of inputs from P do not need to be given explicitly
 Developing Controllers
In Section  we developed two controllers In fact an analysis using FDR shows
that CustomerProc k CheckoutProc is not deadlock free In retrospect this is
not surprising given the complex interactions that occurs between the controllers
and some further development of the controllers was necessary
This parallel combination of processes can deadlock because CustomerProc
can follow a path starting with a process event which leads to a point where it
must synchronise withCheckoutProc on com to proceed HoweverCheckoutProc
can follow a path starting with remove or serve which lead to a point where it
must synchronise with CustomerProc on com to proceed If CustomerProc and
CheckoutProc both follow these paths at the same time then they can reach a
state in which they cannot synchronise on either com or com
Therefore if we are to guarantee deadlock freedom of the controllers one
solution is to introduce a regulator process REG in parallel which ensures that
only one of these paths is entered at any time Once one process has entered
such a critical path the other process will be blocked from entering a critical
path of its own until the relevant com has occurred An appropriate REG for
our example is given in Figure  and we can establish that CustomerProc k
CheckoutProc k REG is deadlock free now step two of the verication process is
REG  processx  com
y  REG
  removex  comy  REG
  pickcounterx  comy  REG
Fig  	  Regulator Process REG
nished The REG process has no assertions no guards and hence is divergence 
free It also has no underlying B machines or equivalently to apply Theorem 
it can be considered as having a vacuous B machine M


with no operations
Thus REG  REG jj M


 which is therefore divergence free Therefore all the
controlled machines in our example pass step one of the verication process In
turn the overall example is divergence  and deadlock free
In general if the REG process includes assertions and guards they would be
treated in exactly the same way as for controllers with underlying B machines
We would need to prove that REG was divergence free using our previous result
any assertions and guards would have to hold simply by virtue of the CSP
description
Observe that the regulator process forces a synchronisation on the pickcounter
communication channel In the original version of CheckoutProc in Figure  we
started the branch which serves a customer with a communication along the
serve machine channel The introduction of the regulator process meant that
we had to force the synchronisation on a communication channel and not on
a machine channel and so we introduced the pickcounter channel This is im 
portant since we do not allow two controllers to control the same underlying B
operation Our approach is to couple a single controller and a machine together
 Discussion
The B Method provides supports for the specication and development of soft 
ware system requirements in terms of a collection of operations which the system
must implement It is ultimately necessary to have some way of describing the
ow of control which directs operation calls We have outlined one way in this pa 
per Alternative approaches include the direct introduction of actions operations
with blocking guards within the B description 	 or the use of a process algebra
to describe a ow of control explicitly as a prelude to translation into B 	 Both
these approaches support the specication of such systems using tools However
the main dierence between their approaches and ours is the lack of a complete
development path to executable code using existing tool support due to select
not being implementable Our B machines can use the B Toolkit to generate
executable code Preliminary investigations also show that CSP controllers can
be naturally expressed in Java 	
In this paper we have shown how the complex interactions between B ma 
chines and ow of control of their operations can be naturally expressed using
CSP Through the observations made when presenting the papers example it is
clear that our approach to describing combined communicating systems is iter 
ative and compositional The benet of compositionality is that the verication
of controllers and their machines can be done separately This compositional 
ity is achieved by the addition of assertions and guards to the CSP controller
language and the distinct architecture used to build combined communicating
systems
A further benet of our approach is the ability to rene each controller and
machine separately whilst maintaining divergence and deadlock freedom For
example we could rene the CheckoutProc controller to keep track of the open
counters explicitly and thus rening the internal choice to be a choice over the
set of open counters
In this paper we have focused on verifying deadlock freedom of controllers
Using tool support in the verication process was useful and highlighted the
fact that it is not straightforward to specify deadlock free controllers Other
requirements on the communication patterns of combined communicating system
can also be checked using FDR These are generally specied either in terms of
the process algebra itself or as a predicate on the traces of the system This is
the subject of current research
AcknowledgementsThanks to Anna Fukshansky and Craig Saunders for com 
ments on an earlier draft of this paper
References

 Abrial J R The B Book Assigning Programs to Meaning  CUP 

 Abrial J R Extending B without Changing it for Developing Distributed Sys
tems In H Habrias  editor  Proc of the 
st B Conference  Nantes  France 

 Butler M J A CSP Approach to Action Systems  DPhil Thesis  Programming
Research Group  Oxford University 

 Butler M J An Approach to the Design of Distributed Systems with B AMN In
J Bowen  M Hinchey D Till  editors  ZUM  Springer 
  pp 

 Butler M J cspB A Practical Approach to Combining CSP and B  In JMWing 
J Woodcock  J Davies  editors  FM World Congress  Springer 

 Hoare C A R Communicating Sequential Processes  Prentice Hall 

 Morgan C C Of wp and CSP In WHJ Feijen  AJM van Gasteren  D Gries
and J Misra  editors  Beauty is our business a birthday salute to Edsger W Di
jkstra Springer 

 Formal Systems Europe Ltd FailuresDivergences Re nement FDR User Man
ual 
  http wwwformaldemoncouk
 Neilson D  Sorensen I H The BTechnologies a system for computer aided pro
gramming  BCore UK Limited  Kings Piece  Harwell  Oxon  OX

 PA 
 
http wwwbcorecom

 Schneider S Concurrent and Realtime Systems The CSP approach Wiley 


 Schneider S The BMethod An Introduction  Palgrave to appear

 Treharne H  Schneider S Using a Process Algebra to control B OPERATIONS
In K Araki  A Galloway and K Taguchi  editors  IFM  York  Springer 


 Treharne H  Schneider S How to drive a B Machine ZB  York  LNCS 
 
Springer  September 

 Treharne HControlling Software Speci cations PhD Thesis  Royal Holloway  Uni
versity of London 

 Treharne H  Schneider S Communicating B Machines full version Technical
Report  RHUL 

A Proof of Theorem 
Theorem  general case If P
i
kM
i
 is divergence free for each i  and
k
i
P
i
is deadlock free in the stable failures model then
k
i
P
i
k M
i
 is deadlock free
in the stable failures and failuresdivergences model
The proof of this theorem requires some preliminary results about the failures
of B machines M  and of controllers P 
We rst establish that for any operation e of M  given any input v


 there is
some output w


that is not refused This result relies on the fact that operations
of M do not block execution
Lemma  Given an operation w  ev of M  if tr is a nondivergent trace
of M and tr X  is a failure of M  then for any input value v


there is some
output value w


such that e v


 w


 X 
Proof We use the failuresdivergences semantics for action systems and thus
B machines given in 	 extended to include inputs and outputs in 	
Given tr X  as a failure of M  then by denition 
tr 	
W
e X
g
e
 where
tr is considered as the sequential composition of the operations listed in it and
g
e
 
e	false expresses that e is enabled
Given e v


 w


 the guard g
e v

 w

is calculated for the operation e with input
v


and output coerced to w



g
e v

 w

 
w  ev


w  w


		false
 
w  ev


	w  w



Now assume for a contradiction that e v


 w


 X for all possible values of w


of output type T  say then we have

tr 	
 
e v

 w

 X
g
e v

 w

  
tr 	


w

 T

g
e v

 w


 
tr 	


w

 T
w  ev


	w  w



 
tr 	
w  ev


	

w

 T
w  w



 
tr 	
w  ev


	 false since w  T 
However operation e does not block which means that 
w  ev


	false
is true and so we obtain 
tr 	true On the other hand however tr is a non 
divergent trace of M  which means that tr 	true yielding a contradiction and
the result follows
The next lemma states that if a controller process can refuse some output w
from a B machine on a machine channel e with input v then it can refuse all
possible outputs It uses the notation fj CV jg  fc v  w j c v  CV  c v  w 
g
Lemma  Given a CSP controller P and one of its failures tr X  if CV is a
set of machine channels e and input values v such that  e v  CV   w   e v  w 
X  then tr X  fj CV jg  F
SF
P 		
Proof This follows by structural induction on the clauses of the controller The
proof requires consideration of the failures semantics of each language construct
and makes use of the fact that none of them enable a controller to partially block
output from a B machine ie no guards on such outputs
Proof of Theorem  We prove the contrapositive that if there is a deadlock
tr   of the entire system
k
i
P
i
k M
i
 then it must also be a deadlock of
k
i
P
i

The entire system is divergence free by Lemma  so there is a deadlock in the
failuresdivergences semantics of the system if and only if there is a deadlock in
its stable failures semantics We consider the stable failures semantics
Consider tr    F
SF

k
i
P
i
k M
i
		 Then there must be refusal sets
X
P
i
 P
i
 X
M
i
 M
i
 for each i  such that
S
i
X
P
i
X
M
i
   and such
that for each i
 tr   P
i
X
P
i
  F
SF
P
i
		
 tr   M
i
X
M
i
  F
SF
M
i
		
Consider M
i
 Dene CV to be the set containing all channels c v made up of an
operation name c and an input value v  By Lemma  for each c v  CV there
is some value w such that c v  w  X
M
i
 Thus for each c v  CV there is some w
such that c v  w  X
P
i
 since c v  w does not appear in the alphabets of any other
machines By Lemma  it follows that tr   P
i
X
P
i
 fj CV jg  F
SF
P
i
		
But M
i
  fj CV jg and so X
M
i
 fj CV jg Thus tr   P
i
X
P
i
X
M
i
 
F
SF
P
i
		
So it follows that
tr 

i
X
P
i
X
M
i
  F
SF

k
i
P
i
		
ie tr    F
SF

k
i
P
i
		 This means that
k
i
P
i
has a deadlock in the stable
failures model
Hence if
k
i
P
i
is deadlock free in the stable failures model then
k
i
P
i
k M
i

is deadlock free in the stable failures model and the failuresdivergences model
