The theory and practice of refinement-after-hiding by Burton, Jonathan
University of Newcastle upon Tyne 
School of Computing Science 
The 
Theory and Practice of 
Refinement-After-Hiding 
by 
Jonathan Burton 
PhD Thesis 
June 2004 
Contents

Acknowledgements  ix
Abstract  x
1 Introduction  1
1.1 Need for formal verification  1
1.1.1 Constituent elements of a verification method  1
1.2 Types of "reification"  2
1.3 Further motivation  4
1.4 Correctness in context  6
1.4.1 External behaviour decomposition from fault tolerance  7
1.5 A new notion of correctness-in-context  8
1.6 Organisation of the thesis  11
1.7 Contributions of the thesis  12
2 Modelling concurrent systems  13
2.1 Brief introduction to CSP  13
2.2 Processes and syntax  15
2.2.1 Operators  16
2.2.2 Syntactic sugar  17
2.2.3 Finite non-determinism  17
2.3 Notation  18
2.4 Process semantics  20
2.4.1 The traces model  20
2.4.2 The stable failures model  22
2.4.3 The failures divergences model  23
2.4.4 Process denotations and refinement  26
2.4.5 Semantics of recursion  26
2.4.6 Indexing operators  28
2.4.7 Parallel composition, hiding and network composition  28
2.4.8 Relationships between denotations  29
2.4.9 Alternative denotations in the failures divergences model  30
2.5 Process alphabets  30
2.6 Useful algebraic laws  31
2.7 Contexts and environments  32
2.8 Maximality and monotonicity  34
2.8.1 Maximality of failures  34
2.8.2 Monotonicity  34
2.9 Determinism  35
2.10 Constructing processes  36
2.10.1 Finite set of traces  37
2.10.2 Single failure and finite set of traces  37
2.10.3 Refusal-maximal failure and traces of specified process  38
2.10.4 Refusal-maximal failure, finite set of traces and process  39
2.11 Further consideration of parallel composition  39
2.11.1 Traces  40
2.11.2 Stable failures  40
2.12 Model-checking CSP  42
2.12.1 Additional operators  42
2.12.2 Channels and data types  43
2.12.3 Immediately diverging process  44
2.13 Running example  44
3 Towards a theory of refinement-after-hiding  46
3.1 The basic framework  47
3.1.1 Applying λ in the traces model  51
3.2 Sets used in the theory  51
3.2.1 Σ_impl, Σ_spec and BTrace  53
3.2.2 Considering AllBet  53
3.2.3 Implementation processes and process alphabets  55
3.2.4 Basic results regarding MinBet, AllBet and λ  56
3.2.5 Using [[X]] for X ⊆ Σ_impl  58
3.2.6 Restrictions  58
3.2.7 Finally visible events  60
3.2.8 Summary  60
3.3 RAH1-3 in the traces model and applying λ to operators  61
3.3.1 Applying λ to operators  62
3.4 Sufficient conditions in the traces model  63
3.4.1 Additional comments  65
3.5 The stable failures model  66
3.5.1 Applying λ to process denotations in the stable failures model  66
3.5.2 Working in the stable failures model  67
3.5.3 Parallel composition  68
3.5.4 From processes to individual behaviours  68
3.5.5 Sufficient conditions for refinement-after-hiding  70
3.5.6 Further comment regarding SFS4  72
3.5.7 A comment on process alphabets  72
3.6 The failures divergences model  73
3.7 Further consideration of BTrace and related issues  76
3.7.1 The role of restriction R1 and proposition 3.11  76
3.7.2 The role of BTrace  77
3.7.3 Deriving the statement in definition 3.5(2)  78
3.8 Conclusion  78
4 A concrete notion of refinement-after-hiding  80
4.1 Extraction patterns in the traces model  81
4.1.1 Universe of extraction patterns  83
4.1.2 Implementation and specification contexts  84
4.1.3 Implementation processes and their interpretation  84
4.1.4 Process alphabets  85
4.1.5 Communication capabilities  86
4.1.6 Restrictions on implementation networks  87
4.1.7 Extraction pattern for running example  87
4.2 Refinement-after-hiding in the traces model  88
4.2.1 Introducing a rely-guarantee condition  88
4.2.2 Defining refinement-after-hiding  91
4.3 Extraction patterns in the stable failures model  92
4.3.1 Mapping refusals when A ∩ Fvis = ∅  93
4.3.2 Mapping refusals when A ⊆ Fvis  96
4.3.3 From "local" to "global" definitions  96
4.3.4 Running example  96
4.4 Refinement-after-hiding in the stable failures model  97
4.4.1 Role of Dom-SF-check  98
4.4.2 Soundness of refinement-after-hiding  100
4.5 The failures divergences model  100
4.6 Equivalence  101
4.7 The absence of BTrace and defining implementation alphabets  102
4.8 Discussion  104
4.8.1 General role of the theory  109
5 Related work  110
5.1 Action refinement and related approaches  110
5.2 Choosing a semantic over a syntactic mapping  113
5.3 External behaviour decomposition (interface refinement)  114
5.4 Abstraction through hiding  115
5.5 Relaxation of atomicity  116
5.6 Data reification in Z  119
6 Automatic verification  121
6.0.1 Algorithms for automatic verification  121
6.0.2 Verification using FDR2  122
6.1 Preliminary detail  123
6.1.1 Useful notation  123
6.1.2 Process alphabets  124
6.1.3 Recursive definitions  124
6.2 Verifying Dom-T-check  125
6.2.1 Alternative means of constructing QProj  126
6.3 Preprocessing the implementation process  127
6.4 The traces model  128
6.4.1 Constructing the TE_i  129
6.4.2 Extracting the traces of Q  132
6.4.3 Example  133
6.4.4 Further comments on defining D_i and TE_i  134
6.5 Verifying Dom-SF-check  135
6.5.1 Defining the "tester" process  136
6.5.2 Transforming the implementation process  137
6.5.3 The verification  138
6.5.4 Example  138
6.6 The stable failures model  140
6.6.1 Interpreting the behaviours of Q  143
6.6.2 Preprocessing the specification process P  146
6.6.3 Final result  147
6.6.4 Example  148
6.7 The failures divergences model  150
6.8 Conclusion  151
7 Case study  153
7.1 Asynchronous communication  153
7.1.1 Simpson's 4-slot mechanism  154
7.2 Verifying the 4-slot mechanism  156
7.2.1 Standard approaches  157
7.2.2 Checking these conditions  158
7.3 Modelling the 4-slot in CSP  160
7.3.1 The process used  160
7.3.2 A simple environment  164
7.3.3 The register and a corresponding environment  164
7.3.4 Issues related to modelling the 4-slot in CSP  166
7.4 Restricting the (traces) extraction mapping  168
7.5 The traces model  170
7.5.1 The extraction mapping  171
7.5.2 Defining extr_ar  173
7.6 Automatic verification in the traces model using FDR2  176
7.6.1 Deriving extraction mappings  176
7.6.2 The CSP version of extr_ar and applying it to TFSlot  178
7.6.3 Verifying the environment  181
7.6.4 A comment on compositionality  182
7.7 The stable failures and failures divergences models  183
7.7.1 Refusal bounds and environments  186
7.8 Data independence  186
7.9 Discussion  187
7.9.1 What the verification means  188
7.9.2 Lessons learned and further work  188
8 Conclusion  193
8.1 Further work  195
8.1.1 Refinement-after-hiding and "completeness"  195
8.1.2 Barbed congruence and refinement-after-hiding  195
8.1.3 Mapping refusals  195
8.1.4 Improving the means of automatic verification  196
8.1.5 Further case studies  196
A Proofs from chapter 3  197
A.1 Proofs from section 3.2  197
A.2 Proofs from section 3.3  200
A.3 Proofs from section 3.4  203
A.4 Proofs from section 3.5  208
A.5 Proofs from section 3.6  230
B Proofs from chapter 4  237
B.1 Proofs from section 4.1  237
B.2 Example processes used in proofs  238
B.3 Proofs from section 4.2  239
B.4 Proofs from section 4.4  246
B.5 Proofs from section 4.5  253
C Proofs from chapter 6  258
C.1 Proofs from sections 6.2 and 6.3  258
C.2 Proofs from section 6.4  262
C.3 Proofs from section 6.5  267
C.4 Proofs from section 6.6  268
C.5 Proofs from section 6.7  281
D Processes used in verification from chapter 7  282
D.1 Explaining TE_ar further  292
E Lists of conditions, notations and processes  294
E.1 General notation  294
E.2 List of labelled conditions and definitions  296
E.3 List of processes  298
E.4 Notation from chapter 3  300
E.5 Notation from concrete notion of refinement-after-hiding  300
E.6 Notation from chapter 6  301
E.7 Semantic notations  302
E.8 Operators  303
Bibliography  304
Index  311
List of Figures

1.1 Fault-tolerant communication  7
2.1 Composing traces in parallel, where s, u ∈ Σ*, y, y' ∈ Y ⊆ Σ and z, z' ∈ Σ - Y  21
2.2 Semantics of processes in the traces model, where G ⊆ Σ × Σ and A, Y ⊆ Σ  22
2.3 Semantics of processes in the stable failures model, where G ⊆ Σ × Σ and A, Y ⊆ Σ  24
2.4 Semantics of operators in the failures divergences model, where A, Y ⊆ Σ  25
2.5 Deriving alphabets  31
3.1 Defining λ over contexts, where V, V1, V2 are process variables and A, Y ⊆ Σ  49
3.2 Conditions from which the theory will be derived, where P, Q are implementation processes, X ∈ {T, SF, FD} and A, Y ⊆ Σ  50
3.3 Rendering RAH1-3 in the traces model, where P and Q are implementation processes  62
3.4 Sufficient conditions  64
3.5 Rendering RAH1-3 in the stable failures model, where P and Q are implementation processes  68
3.6 Sufficient conditions in the stable failures model, where t is a trace, R, S ⊆ Σ and A ∈ MinSet  71
3.7 Rendering RAH2 in the failures divergences model  74
3.8 Sufficient conditions in the failures divergences model  75
4.1 Conditions on extraction patterns  81
4.2 Considering the universe of extraction patterns  83
4.3 Global definitions in the traces model, where Q is an implementation process  85
4.4 A rely-guarantee condition in the traces model, where Q is an implementation process  90
4.5 Defining refinement-after-hiding in the traces model, where Q is an implementation process and P is a process  92
4.6 Conditions on extraction patterns in the stable failures model  93
4.7 Mapping refusals when A ⊆ Fvis  96
4.8 Global definitions in the stable failures model, where Q is an implementation process  97
4.9 Extra condition on failures, where Q is an implementation process  98
4.10 Defining refinement-after-hiding in the stable failures model, where Q is an implementation process and P is a process  99
4.11 A final condition on extraction patterns  101
4.12 Defining refinement-after-hiding in the failures divergences model, where Q is an implementation process and P is a process  102
7.1 Simpson's 4-slot mechanism  155
7.2 A register  157
7.3 Data type and channel definitions  161
7.4 Representing the bit variables latest and reading  161
7.5 Representing slot  162
7.6 Representing the data array  163
7.7 Ordering behaviour of global variables  164
7.8 An environment for FSlot  165
7.9 A CSP version of the register  165
7.10 A corresponding environment for the register  166
7.11 Simpson's 4-slot mechanism annotated  172
7.12 Defining extr_ar  177
B.1 Processes in proofs from chapter 4  238
D.1 A copy of the data array  284
D.2 A copy of Slots  284
D.3 Process used to extract write events - part 1  285
D.4 Process used to extract write events - part 2  286
D.5 Process used to extract read events - part 1  288
D.6 Process used to extract read events - part 2  289
D.7 Defining prePar  290
D.8 Defining extract_ar  291
D.9 Defining domain_ar  292
Acknowledgements 
The work which appears in chapter 7 grew out of initial discussions with 
Steve Paynter and Neil Henderson and benefited from further conversations 
with Ian Clark and Fei Xia. Thanks are due to the ASL group at Newcastle 
who listened to talks on earlier versions of some of the work which appears in 
this thesis. I would also like to thank my supervisor, Maciej Koutny, for the 
time and effort he put into collaborating on early work, providing valuable 
advice and guidance and then reading drafts of this thesis. Finally, I would 
like to thank Cathy for her support and understanding during the long hours 
it took to complete this thesis. 
Abstract 
In software or hardware development, we take an abstract view of a process 
or system - i.e. a specification - and proceed to render it in a more 
implementable form. The relationship between an implementation and its 
specification is characterised in the context of formal verification using a 
notion called refinement: this notion provides a correctness condition which 
must be met before we can say that a particular implementation is correct 
with respect to a particular specification. For a notion of refinement to be 
useful, it should reflect the ways in which we might want to make concrete our 
abstract specification. In process algebras, such as those used in [28,50,63], 
the notion that a process Q implements or refines a process P is based on the 
idea that Q is more deterministic than P: this means that every behaviour 
of the implementation must be possible for the specification. 
Consider the case that we build a (specification) network from a set of 
(specification) component processes, where communications or interactions 
between these processes are hidden. The abstract behaviour which con-
stitutes these communications or interactions may be implemented using a 
particular protocol, replication of communication channels to mask possible 
faults or perhaps even parallel access to data structures to increase perfor-
mance. These concrete behaviours will be hidden in the construction of the 
final implementation network and so the correctness of the final network 
may be considered using standard notions of refinement. However, we can-
not directly verify the correctness of component processes in the general case, 
precisely because we may have done more than simply increase determinism 
in the move from specification to implementation component. Standard (pro-
cess algebraic) refinement does not, therefore, fully reflect the ways in which 
we may wish to move from the abstract to the concrete at the level of such 
components. This has implications both in terms of the state explosion prob-
lem and also in terms of verifying in isolation the correctness of a component 
which may be used in a number of different contexts. 
We therefore introduce a more powerful notion of refinement, which we 
shall call refinement-after-hiding: this gives us the power to approach ver-
ification compositionally even though the behaviours of an implementation 
component may not be contained in those of the corresponding specification, 
provided that the (parts of the) behaviours which are different will be hidden 
in the construction of the final network. We explore both the theory and 
practice of this new notion and also present a means for its automatic verifi-
cation. Finally, we use the notion of refinement-after-hiding, along with the 
means of verification, to verify the correctness of an important algorithm for 
asynchronous communication. The nature of the verification and the results 
achieved are completely new and quite significant. 
Chapter 1 
Introduction 
1.1 Need for formal verification 
In software or hardware development, we take an abstract view of a process 
or system - i.e. a specification - and render it in a more implementable 
form. An integral part of the development process is then gaining confidence 
that the implementation derived is valid with respect to its specification. 
The most common way of doing this is using testing, whereby inputs to the 
implementation are generated and the resulting behaviour is compared with 
what the specification requires on those inputs. It may often be difficult to 
test processes exhaustively, however, because of the large state spaces which 
they may have. An alternative approach is to employ formal verification: 
this is the process of showing, using mathematical methods, that an imple-
mentation meets its specification. 
Formal verification is of particular interest when we come to develop 
concurrent systems, which are systems composed of components operating in 
parallel with each other. This is for a number of reasons. To begin with, the 
behaviours of such systems are extremely complex due to the many different 
possible interactions in which their components can engage. This means that 
concurrent systems can be very difficult to design, while the importance of 
guaranteeing their correctness is increased by the fact that they are being 
used more and more in safety critical applications. Yet testing is of limited 
value here: the non-determinism inherent in the executions of such systems, 
along with the state explosion from which they may suffer, means that it is 
impossible to test more than a small proportion of their possible behaviours. 
1.1.1 Constituent elements of a verification method 
Four elements are necessary in order to carry out formal verification. 
These are: 
• A means of representing the specification. 
• A means of representing the implementation. 
• A notion of what it means for the implementation to be correct with 
respect to the specification. 
• A method for checking whether or not the implementation is, in fact. 
correct. 
Process algebras, such as those in [28,50,63], are intended for the descrip-
tion and verification of concurrent systems, coming equipped with a language 
for process description - the same language is used to describe both 
specification and implementation processes - and a semantics which ascribes 
meaning to processes expressed in that language. In general, although dif-
ferent process algebras take different approaches, that an implementation 
process is correct with respect to a particular specification process means 
that the implementation is more deterministic than the specification. (We 
say that the implementation refines the specification according to a par-
ticular notion of refinement.) Moreover, since the primary focus is on the 
interactions which occur between concurrent processes, the semantics ab-
stracts away from the internal behaviour of processes, focusing only on their 
externally observable behaviour. 
1.2 Types of "reification" 
We shall refer to the process of transforming an abstract specification into 
a (more concrete) implementation as reification.¹ In order to classify the 
limitations of existing methods of refinement in process algebras and to 
enable comparison of the work presented in this thesis with related work, it is 
necessary to present a taxonomy of types of reification. The purpose of this 
taxonomy is simply to provide a useful framework for discussion and other 
taxonomies may legitimately be proposed. Note that each type of reification 
may also be classified as either internal or external: this distinction is useful 
due to the distinguished role played by external behaviours in process 
algebraic semantics. The effects of external reification are directly visible to any 
observer since they alter the (externally visible) behaviours of the process; 
those of internal reification may be observed only indirectly. 

¹ This will avoid a confusing multiple use of the term refinement. 

• Data reification. Data abstraction is a useful tool in system specification: 
for example, at the specification level we may store some data 
as a set because we are not interested in duplicates or in any ordering 
information relating to the individual data items. In any final 
implementation, we shall need to represent this set in a structured way, 
perhaps as a tree, and so it will be necessary to show that the concrete 
data representation is a correct implementation of the abstract data 
representation. The standard approach taken is to regard two different 
data representations as equivalent if they induce the same external 
behaviours. For example, data reification in [30] is characterised using 
a homomorphism and a similar approach is taken in VDM ([33]) 
and Z ([70]). In process algebras, data structures are represented as 
processes or parameters to processes and the behavioural view of data 
types is forced on us by the interest only in external behaviours. Data 
reification, by its definition, is classified as internal reification. 
• Behaviour decomposition. Behaviour abstraction is fundamental to the 
process of producing a specification. In the move from a specification to 
an implementation we will often wish to implement abstract, high-level 
actions and behaviours at a lower level of detail and in a more con-
crete manner. For example, an abstract communication event may be 
implemented using a series of events which implement a particular com-
munication protocol (see example in section 1.4.1 below). Behaviour 
decomposition can occur both internally and externally. 
• Relaxation of atomicity. The complexity introduced by concurrency 
may be managed at the specification stage by assuming the atomic ex-
ecution of certain sequences of events: for example, we may assume 
that database read and write transactions are executed atomically -
i.e. the executions of distinct transactions do not overlap - whereas 
this will not be guaranteed at the implementation level. We may then 
reason about the (less complex) sequential specification and only later 
introduce concurrency. Relaxation of atomicity may also arise through 
the use of behaviour decomposition, since the respective implementa-
tions of discrete abstract events may interleave at the implementation 
level. Relaxation of atomicity may occur both internally and externally. 
If these different types of reification are to be employed in system de-
velopment, we need corresponding notions of refinement in order that we 
may verify the correctness of any particular implementation against the rel-
evant specification. Standard notions of process algebraic refinement can be 
used to show correctness in all cases that reification is internal, since the 
semantics is concerned only with externally visible behaviours. However, it 
is not possible in the general case to use such notions to verify correctness 
when an implementation has been derived from a specification using exter-
nal behaviour decomposition and/or external relaxation of atomicity, even 
though such types of reification are an integral part of the process of stepwise 
development. 
This has the following consequences. Consider a (specification) network 
which we may build from a set of (specification) component processes, where 
communications or interactions between these processes are hidden. The 
abstract behaviour which constitutes these communications or interactions 
may be reified using (external) behaviour decomposition and/or (external) 
relaxation of atomicity.² These reified behaviours will be hidden in the 
construction of the final implementation network and so the correctness of the 
final network may be considered using standard notions of refinement. However, 
since standard (process algebraic) refinement does not fully reflect the 
ways in which we may wish to move from the abstract to the concrete at 
the level of component processes, we cannot verify directly the correctness 
of individual component processes in the general case. This has implications 
in terms of the state explosion problem and also in terms of verifying in 
isolation the correctness of a component which may be used in a number of 
different contexts. 

² These reifications are external to the particular component under consideration. 

In the remainder of this thesis, we are specifically interested in the process 
algebra CSP [8,9,31,63] (see chapter 2 for a presentation of the language 
and semantics of CSP). The semantics of CSP focuses only on external 
behaviours and CSP refinement generally equates to an increase in determinism. 
More specifically, refinement in CSP is defined in terms of containment of 
behaviours: that is, Q implements P if and only if the behaviours of Q are 
contained within those of P (it follows immediately that CSP refinement 
cannot generally show correctness when external behaviour decomposition 
and/or external relaxation of atomicity have occurred). 
1.3 Further motivation 
We have discussed different types of reification and shown that a number 
of these are not compatible with standard process algebraic refinement, 
including CSP refinement. Before proceeding, we comment further on the 
desirability of developing a notion of correctness which can deal with these 
types of reification; otherwise, it is simply an academic curiosity that CSP 
cannot deal with them. The most obvious justification is that they are a 
standard part of the software or hardware development process: the more 
concrete a process representation becomes, the more concrete data representation 
becomes, the more specifically external behaviours are defined and the 
greater the likelihood that behaviours which were originally specified to be 
atomic can now overlap and potentially interfere with each other. 
Although many examples abound to illustrate this point, we take one from 
the paper [24], which was concerned with a problem similar to that 
which we address here (see discussion in chapter 5). Note that the interface 
events referred to in the following example are simply external events in our 
approach. 
Consider a network of server tills that interfaces with customers. 
At an abstract level, it might be convenient to describe a bank-
ing transaction at some till as a single atomic interface event that 
checks the banking card and PIN code, dispenses the requested 
amount and charges the account. During subsequent reification 
steps, such events will be broken up. Inserting the card, checking 
the PIN code, obtaining the amount to be dispensed need to ap-
pear as separate and new interface events. More interesting, the 
need for a centralized database of client accounts will have to be 
recognized, which has an asynchronous interface with the tills (at 
least if one aims for a standard implementation). Consequently, 
although from the point of view of a client his transaction ends 
with the money being dispensed, the system will view the trans-
action's end only when the account has been charged. However, 
because these updates occur asynchronously it is now possible 
that a client, possibly the same, initiates a second transaction 
before the first one is completed. Clearly, there is a big difference 
between the computations that are described by the top-level 
specification and the corresponding low-level ones. If one looks 
at what happens at a single server till, then the high-level be-
haviour will be a sequence of atomic transaction events and the 
state in between events will always describe properly balanced 
accounts. The low-level behaviour looks different: first of all, 
the low-level events that "implement" some high-level transac-
tion appear distributed along the sequence of events; moreover, 
the states in between events may now show unbalanced accounts 
because money may have been dispensed without the account yet 
showing it. 
If it is agreed that an example such as this makes sense, then we need 
a notion of refinement which may be used to formalize the above reification 
steps, something which cannot be done with standard CSP refinement. Al-
though we do not consider this example any further, the types of reification 
used here reappear in the example from chapter 7: high-level, atomic read 
and write transactions are implemented at a lower-level as a series of events; 
moreover, the read and write implementations may overlap since communi-
cation is now asynchronous at the lower level. 
1.4 Correctness in context 
Standard CSP refinement has an extremely useful property, in that it is 
"context-insensitive". This means that, if Q refines P, there is no restriction 
on the context into which we might place Q to give a correct implementation 
network: whatever the context, the resulting implementation network 
will always refine the specification network which results from placing P 
in the same context. This follows from the fact that CSP refinement is a 
pre-congruence with respect to the operators of the language (the operators 
are monotonic with respect to the ordering induced by behaviour containment). 
More formally, if $\mathcal{S}[\![P]\!]$ returns the semantic meaning of a syntactic 
process term $P$, $F$ denotes a CSP context taking $n$ process arguments, 
$W_1, \ldots, W_n$ are syntactic CSP terms and $V_i$ is a process term for 
some $1 \le i \le n$ with $\mathcal{S}[\![V_i]\!] \subseteq \mathcal{S}[\![W_i]\!]$, then 
$\mathcal{S}[\![F(W_1, \ldots, V_i, \ldots, W_n)]\!] \subseteq \mathcal{S}[\![F(W_1, \ldots, W_i, \ldots, W_n)]\!]$. 
However, it is precisely this property of context-insensitivity which is 
incompatible with the types of reification which we would like to apply at 
a component process level. 
In general, we do not use particular components independently of a par-
ticular context. It is therefore possible to consider a notion of correctness 
which may be called correctness-in-context, whereby we prove the correctness 
of a particular implementation component in relation to a restricted set of 
contexts. Correctness will be preserved if the context is "valid" but may not 
be if this is not the case. Such a notion has been considered previously in [45] 
with respect to bisimulation equivalence (see [50] for more details on bisimu-
lation equivalence). The approach to verification of concurrent systems used 
by the rely-guarantee method (see [18] or [23] for example) also uses a notion 
of correctness-in-context to an extent: we rely on the fact that the context 
in which our component is placed meets certain properties and, in the event 
that it does, we can guarantee correct behaviour of our component. If the 
context does not have the properties it is meant to then we cannot guarantee 
the correctness of our component. Dingel's thesis ([21]) also uses a similar 
notion of correctness-in-context as he develops a refinement calculus to be 
used in the derivation of parallel programs. 
We now give a smaller but more fully realised example than that discussed in the previous section (it will later be used to illustrate new concepts and techniques as they are introduced). It constitutes an instance where standard CSP refinement fails to show correctness but we do have correctness when placed in context. From this example we shall move to give a general statement of the problem which we attempt to solve in this thesis and shall distinguish from those described above the notion of correctness-in-context which is required here. (Note that the example used here is deliberately simple in order to convey the basic premise behind the work in this thesis. See chapter 7 for a more significant example, where we have to deal simultaneously with data reification, external behaviour decomposition and also external relaxation of atomicity.)
1.4.1 External behaviour decomposition from fault tolerance
[Figure 1.1: Fault-tolerant communication. Diagram of the implementation network: LeftImpl takes input on channel in, is joined to RightImpl by the channels data and ack, and RightImpl produces output on channel out.]
Figure 1.1 shows a specification network and a corresponding implementation network, each consisting of two component processes where the communication between those two processes is hidden. The abstract communication between the two processes in the specification network has been rendered in the implementation network in a more concrete fashion using a particular communication protocol. The specification network consists of two single slot buffers, LeftSpec and RightSpec, connected by a channel send. The specification network, where communication on send is hidden, thus gives us a 2-slot buffer.3 In the implementation network, we assume that data transmission between the buffers is actually unreliable: therefore, we have the (unreliable) channel data and also a channel which transmits acknowledgements. We assume that transmission of a single data item can fail at most once - failure is signified by the transmission of no on the channel ack - and so retransmission is guaranteed to succeed. When a value is received on the channel in by LeftImpl, it attempts to send that value on the channel data. If the transmission is successful - i.e. the value yes is transmitted on ack - then LeftImpl is ready to receive input again. If transmission fails, then the value is resent on data and LeftImpl is once again ready for input. Once RightImpl has successfully received a value on channel data, it outputs that value on channel out. The implementation network, where behaviour on the channels data and ack is hidden, has the same behaviour as the specification network, where behaviour on channel send is hidden, and this can be shown using standard CSP refinement. However, we could not use standard CSP refinement to show that LeftImpl implements LeftSpec, nor that RightImpl implements RightSpec, since we have used external behaviour decomposition in the move from specification component to corresponding implementation component.
3 We shall give a proper CSP definition of these processes in chapter 2 once we have defined and explained the syntax of the language.
This can be illustrated using the following example. Let us assume that the data values being transmitted are bit values. Then $\langle in.0, data.0, ack.yes \rangle$ would be a possible trace4 of LeftImpl. The corresponding trace of LeftSpec would be $\langle in.0, send.0 \rangle$. Refinement would obviously fail because the two traces are different. Yet, intuitively, they are doing the same thing and would both cause the value 0 to be transmitted on channel out in their respective networks.
To verify correctness in such a case we need some way, for example, of interpreting $\langle in.0, data.0, ack.yes \rangle$ as $\langle in.0, send.0 \rangle$. To do this requires an interpretive mapping from traces to traces and so the existing operators in CSP of hiding and renaming are not powerful enough to perform the necessary interpretation in the general case. For example, as well as interpreting $\langle in.0, data.0, ack.yes \rangle$ as $\langle in.0, send.0 \rangle$, $\langle in.0, data.0, ack.no \rangle$ would have to be interpreted as $\langle in.0 \rangle$.
1.5 A new notion of correctness-in-context 
The notions of correctness-in-context from other authors which are described above are based on a simple premise. This is the fact that, when we compose processes in parallel, the resulting behaviours are compatible with each other according to the synchronization scheme used. In other words, the nature of the context forces the removal of certain behaviours from the implementation: the remaining behaviours will meet certain properties according to the restrictions placed upon the behaviours of the context and so "incorrect" implementation behaviours will be discarded. Crucial, therefore, is the use
4 A trace is a sequence of visible actions which may be performed by a process. Traces are denoted using a sequence of actions contained within a pair of angled brackets $\langle \ldots \rangle$.
of parallel composition to join the implementation with any suitable con-
text. In the example given in figure 1.1, the components are also joined 
using parallel composition. Of most importance, however, is the fact that, in 
the construction of the final implementation network, we hide those parts of 
the implementation components where external behaviour decomposition has 
taken place. We therefore aim to develop a notion of correctness-in-context 
based primarily on hiding rather than on parallel composition (although par-
allel composition will still play an important role), which notion we shall call refinement-after-hiding.
Central to the development of such a notion is the ability to partition the 
events of both implementation and specification components into potentially 
finally visible - referred to hereafter as finally visible - and finally invisible 
events.5 The set of finally visible events are those which may be left visible 
when we construct our final networks; in general, they are the same for both 
specification and implementation components. (They need not all be left 
visible, however, and some may still be hidden.) Finally invisible events must 
be hidden when we construct our final networks, whether implementation or 
specification. The events on channels data and ack would be the finally 
invisible events in the implementation network from figure 1.1; the events 
on channel send would be the finally invisible events from the corresponding 
specification network. The events on channels in and out would be the finally 
visible events. 
We now give a more formal, though rather abstract, characterisation of what it means to constitute a notion of refinement-after-hiding. Let $F_{spec}$ and $F_{impl}$ be two process contexts, each taking $n$ process arguments, where $F_{spec}$ is a specification context and $F_{impl}$ is the corresponding implementation context.6 $F_{impl}(Q_1, \ldots, Q_n)$ is then an implementation network and $F_{spec}(P_1, \ldots, P_n)$ the corresponding specification network, where $P_i$ is intended to specify $Q_i$ in some sense for $1 \le i \le n$. $F_{impl}$ must hide all finally invisible events from the processes $Q_1, \ldots, Q_n$ and $F_{spec}$ must hide all finally invisible events from $P_1, \ldots, P_n$. For the example in figure 1.1, $F_{impl}$ would hide the events on the channels data and ack; $F_{spec}$ would hide the events on the channel send. It should then be the case that, if $Q_i$ refines-after-hiding $P_i$ for $1 \le i \le n$, $F_{impl}(Q_1, \ldots, Q_n)$ refines $F_{spec}(P_1, \ldots, P_n)$ according to standard CSP refinement.7
5 It is possible that a particular component may engage only in finally visible events or only in finally invisible events.
6 The relation between these two contexts will be made more formal in the next chapter; intuitively, however, they contain the "same" operators, although those operators may be parameterised with different sets of events according to the external reification which has taken place.
7 This is a kind of soundness requirement. The issue of completeness - i.e. that $Q_i$ should refine-after-hiding $P_i$ for $1 \le i \le n$ whenever $F_{impl}(Q_1, \ldots, Q_n)$ refines
Using this simple definition, we are able to present some basic conditions which should be met by any notion of refinement-after-hiding. Rendering these in each of the models used to give a semantics to CSP allows us to derive in each model a theory of this notion of refinement. Using these results, it was possible to modify and extend a previously published ([12]) concrete notion of refinement-after-hiding.8 In view of the theory, it is much easier to identify those aspects of the concrete notion which are the result of choice and those which are crucial to the fact of presenting a notion of refinement-after-hiding. One of those crucial properties is that of compositionality: that is, the operator allowed for process composition9 is monotonic with respect to the ordering induced by the new refinement relation.
Intuitively, our concrete notion of refinement-after-hiding requires the interpretation of the behaviours of the implementation, leaving finally visible events as they are and manipulating finally invisible events. We then check for containment of these interpreted behaviours in the behaviours of the specification. For example, we would interpret $\langle in.0, data.0, ack.yes \rangle$ from LeftImpl in figure 1.1 by leaving events on channel in unchanged - events on this channel are finally visible - and interpreting events on data and ack as occurring on send. This would allow us to interpret $\langle in.0, data.0, ack.yes \rangle$ as $\langle in.0, send.0 \rangle$, that is, as a trace of the corresponding specification. We are therefore able to verify the correctness of the implementation components LeftImpl and RightImpl and thereby infer the correctness of the implementation network without actually having to build it or the specification network (this, of course, relies on the compositionality of the scheme presented). And, more generally, we can verify correctness when external behaviour decomposition and/or external relaxation of atomicity occur in tandem with any internal reification such as data reification.
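As an added illustration (not code from the thesis), the following Python models LeftSpec and LeftImpl from figure 1.1 as small labelled transition systems built from the description in section 1.4.1, enumerates their traces to a bounded length, and shows that plain trace containment fails while containment of the interpreted traces holds. It assumes bit-valued channels, models the retransmission after ack.no without a further acknowledgement, and interprets a data event whose outcome is not yet known as contributing nothing.

```python
# Added example, not from the thesis: the interpretive mapping sketched in
# sections 1.4.1 and 1.5, applied to LeftImpl and LeftSpec of figure 1.1.
# Both processes are modelled as small labelled transition systems whose
# states and phase names are assumptions of this example.
from collections import deque

BITS = (0, 1)   # assumed data type carried by the channels in, send and data

def left_spec(state):
    """LeftSpec: a one-slot buffer. State None = empty, otherwise the held bit."""
    if state is None:
        return {f"in.{b}": b for b in BITS}
    return {f"send.{state}": None}

def left_impl(state):
    """LeftImpl: after in.x it offers data.x; ack.no forces one resend of x,
    which (by the assumption in section 1.4.1) cannot fail, so LeftImpl is
    then ready for input again without a second acknowledgement."""
    phase, x = state
    if phase == "idle":
        return {f"in.{b}": ("sending", b) for b in BITS}
    if phase == "sending":
        return {f"data.{x}": ("waiting", x)}
    if phase == "waiting":
        return {"ack.yes": ("idle", None), "ack.no": ("resending", x)}
    return {f"data.{x}": ("idle", None)}          # phase == "resending"

def traces(step, start, max_len):
    """All traces of length <= max_len, by breadth-first exploration of the LTS."""
    found, queue = set(), deque([((), start)])
    while queue:
        tr, st = queue.popleft()
        found.add(tr)
        if len(tr) < max_len:
            for ev, nxt in step(st).items():
                queue.append((tr + (ev,), nxt))
    return found

def interpret(trace):
    """Map a LeftImpl trace to the LeftSpec trace it stands for: events on in
    are finally visible and kept; data.x acknowledged by ack.yes becomes
    send.x; data.x answered by ack.no contributes nothing and the following
    resend of x becomes send.x; a data.x with no answer yet contributes nothing."""
    result, pending, failed = [], None, False
    for ev in trace:
        chan, _, val = ev.partition(".")
        if chan == "in":
            result.append(ev)
        elif chan == "data" and failed:          # the guaranteed retransmission
            result.append(f"send.{val}")
            pending, failed = None, False
        elif chan == "data":                     # first attempt, outcome unknown
            pending = val
        elif ev == "ack.yes":
            result.append(f"send.{pending}")
            pending = None
        elif ev == "ack.no":
            failed = True
    return tuple(result)

def trace_refines(impl_traces, spec_traces):
    """Standard trace refinement: containment of behaviours."""
    return impl_traces <= spec_traces

def standard_refinement_holds(max_len=6):
    """False: <in.0, data.0, ack.yes> is a LeftImpl trace but not a LeftSpec trace."""
    return trace_refines(traces(left_impl, ("idle", None), max_len),
                         traces(left_spec, None, max_len))

def refinement_after_interpretation_holds(max_len=8):
    """True: every interpreted LeftImpl trace is a LeftSpec trace (interpreted
    traces are never longer than the originals, so the bound is sufficient)."""
    interpreted = {interpret(t) for t in traces(left_impl, ("idle", None), max_len)}
    return trace_refines(interpreted, traces(left_spec, None, max_len))
```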
Tool support is crucial to the successful application of any means of verification, although tool development may be a very lengthy process. Encoding as a CSP context the interpretive mapping used in our notion of refinement-after-hiding allows us to use the existing tool FDR2^10 as a means of automatic verification. This confers a number of the benefits of a mature tool without requiring the effort usually needed to reach this level of maturity,
$F_{spec}(P_1, \ldots, P_n)$ according to standard CSP refinement - is not considered in this thesis, although it is identified in chapter 8 as an area for further work. Nonetheless, the work presented in chapter 3 is important with respect to this in that it attempts to establish a framework which allows the refinement-after-hiding relation to be as large as possible.
8 By "concrete" notion of refinement-after-hiding we simply mean one that may be used in practice, in contrast to the more abstract notion given by the theory.
9 A single operator, combining both parallel composition and hiding, is used for composition in the concrete notion. The reason for following this approach in practice is discussed in chapter 4.
10 The tool is produced by Formal Systems; see [63] or [64] for more details.
which effort would have been beyond the scope of this thesis. Finally, we use this means of automatic verification to verify that a particular mechanism for asynchronous communication is a correct implementation of a register or variable. Since moving from the register to the asynchronous communication mechanism uses data reification, external behaviour decomposition and external relaxation of atomicity, we are able to employ the notion of refinement-after-hiding to show correctness where we could not have done so using standard CSP refinement.
1.6 Organisation of the thesis 
The thesis is organised as follows: 
• Chapter 2 gives detail on the syntax and semantics of CSP, along with a more formal description of the processes given in figure 1.1, which processes are used as a running example. Useful notation and concepts are also introduced.
• Chapter 3 presents a theory of refinement-after-hiding in each of the three semantic models of CSP.
• Chapter 4 gives a concrete notion of refinement-after-hiding for each 
semantic model. 
• Chapter 5 considers related work. 
• Chapter 6 details the manner in which the existing tool FDR2 may be 
used to verify automatically the concrete notions of refinement-after-
hiding presented in chapter 4. 
• Chapter 7 uses this means of automatic verification to verify the cor-
rectness of an asynchronous communication mechanism as described 
above. 
Note also the following: 
• For the purposes of presentation, proofs generally appear in the ap-
pendix. Where they do not appear in the appendix, they will appear 
in the main body of the text alongside the relevant result or an informal 
justification of the result will be given instead. 
• A list of notation and page numbers of the various definitions used in 
the thesis can be found in appendix E. 
1.7 Contributions of the thesis 
An earlier version of chapter 4 was published as [12] and formed part of the book chapter [15]. An updated version of the work in [12] appeared as a technical report ([13]), a version of which report has been published in Fundamenta Informaticae ([16]). The algorithms for automatic verification which are discussed in chapter 6 were published as [11] and appear in an updated form in [16]. Other than these algorithms, the work in chapters 3, 6 and 7 is solely that of the author. Chapter 4 gives more detail on the aspects of the work there which are new.
Chapter 2 
Modelling concurrent systems 
As indicated in chapter 1, we shall use the process algebra CSP to describe and give meaning to concurrent systems. We first give a brief and informal introduction to CSP and its semantics before proceeding to consider these areas in more detail.
2.1 Brief introduction to CSP
CSP is a process algebra, which comes equipped with a language for process description and a denotational semantics which ascribes meaning to processes expressed in that language. It is intended for the description and verification of concurrent systems and is consequently equipped with operators for defining processes which are suited to that task. In particular, both specification and implementation processes are described using the same language. Since the primary focus of the formalism is on the interactions which occur between concurrent processes, the semantics abstracts away from the internal behaviour of processes, focusing only on externally observable behaviour. As a result, the behaviour of a process is characterised by the events which it may offer to any environment. A tool, FDR2 ([62-64]), is available for the purposes of automatically verifying the correctness of processes expressed using CSP.
The denotational semantics of CSP is designed to enable us to reason about both safety and liveness properties of processes.1 Traces - execution sequences which abstract from the occurrence of internal actions - are used to reason about safety properties. Divergences - traces after which a process may engage in an infinite sequence of internal actions - are used to
1 Informally, a safety property stipulates that "bad" things do not happen during a process execution and a liveness property stipulates that "good" things do eventually happen ([41]).
model the possibility of livelock. Trace/refusal pairs (failures) are used to 
model the possibility of deadlock: if a process P may refuse a set of events R 
after a particular trace t, and the environment after the execution of t only 
offers events from within R (where that environment must synchronize with 
P on every event in R), then deadlock may arise when P is composed in par-
allel with the environment. Divergences and failures may be used together 
to reason about liveness properties. Intuitively, the CSP semantics was de-
signed in order to allow us to detect (and thereby avoid) the possibility of 
deadlock and also of livelock. In this sense, the liveness issue with which we 
are primarily concerned is that of ensuring that a process will always make 
progress, rather than of the exact nature of that progress. 
There are three semantic models in which the behaviours of CSP processes 
may be denoted: these are the traces, stable failures and failures divergences 
models.2 The traces model is sufficient for reasoning about safety properties. 
The stable failures model allows us to reason about both safety properties and 
the possibility of deadlock. The failures divergences model allows us to reason 
about safety properties, the possibility of deadlock and also the possibility of 
livelock. In each of these models, a (semantic) specification consists of a set of 
behaviours in the relevant semantic model. An implementation also consists 
of a set of behaviours. Refinement in CSP is defined in terms of containment 
of behaviours: that is, Q implements P if and only if the behaviours of Q are 
contained within those of P. If Q implements P in the failures divergences 
model, then Q is at least as deterministic as P. 
If Q implements P in the traces model, we know that Q will never execute 
any traces which P cannot execute; if Q implements P in the stable failures 
model, after any trace t Q cannot refuse any more than P refuses after t; 
and Q may not livelock after t if that is not also possible for P when Q 
implements P in the failures divergences model. Intuitively, if we may place 
P in a context and the resulting network will suffer from neither deadlock 
nor livelock, then the same will be true of the network resulting from the 
placing of Q in the same context. (This latter only holds, of course, if Q 
implements P in the failures divergences model.) 
We now consider in more detail the syntax and semantics of the language. 
Note that our treatment of CSP is based firmly on that flavour of it presented 
in [63]. However, the treatment in [63] models the fact of termination by 
including a distinguished termination event in the semantics; it also includes 
a sequential composition operator, ; , the semantics of which is defined in 
terms of this termination event. We do not model the fact of termination 
here - its consideration is orthogonal to the issues in which we are primarily 
2 Each of these models denotes processes using a different combination of traces, failures and divergences. The failures divergences model - as the name suggests - uses failures and divergences, giving the fullest and most accurate picture of processes.
interested - and so do not use the sequential composition operator.
2.2 Processes and syntax 
A CSP process may be regarded as a black box which can communicate with its external environment. Atomic instances of this communication are called events or actions and must be elements of the universal alphabet, $\Sigma$. $\Sigma$ is a finite set containing all events or actions which may be communicated by any process in the universe of processes under consideration. In semantic models incorporating failures, a process will refuse all those events from $\Sigma$ which it does not offer. The most important assumptions about (communication) events in CSP are the following:
• An event occurs only when all of its participants are ready to execute it. As soon as all of the participants are ready to execute an event then it (or some other event) must occur.
• Event occurrences are instantaneous, as we abstract their duration into single moments. They are non-overlapping as we use an interleaving semantics.
We shall say that a process may engage in a particular event when it is possible for it to communicate that event at some point during its lifetime.
Events in CSP occur on communication channels. The type of a channel $c$ is given by a (possibly empty) sequence of data types $T_1, \ldots, T_k$ (note that the product $T_1.T_2 \ldots T_{k-1}.T_k$ may itself be regarded as a data type and so the type of $c$ is also $T_1.T_2 \ldots T_{k-1}.T_k$). Events which may be communicated on channel $c$ are then of the form
where $v_i \in T_i$ for $1 \le i \le k$. In the event that $k = 0$, $c$ denotes a simple event with no explicit data content. It will also be useful to be able to refer to $\alpha c$, the alphabet of channel $c$, which gives all events which may occur on that channel:
It is required that $\alpha c \subseteq \Sigma$ for any channel which is defined. By the finiteness of $\Sigma$, this means that channels may be defined using only finite types. We may also use $\alpha$ to "complete" partially defined events on channel $c$, where $1 \le j \le k$ and $v_i \in T_i$ for $1 \le i \le j$:
2.2.1 Operators
The nullary operator STOP is used to denote the deadlocked process, while DIV is used to denote the immediately diverging process. $a \to P$ (referred to as the prefix operator) gives the process which first engages in the event $a$ (where $a \in \Sigma$) and then proceeds to behave like $P$. $\Box$ denotes deterministic choice; $P \Box Q$ is a process where the initial events of $P$ and $Q$ are offered simultaneously. $\sqcap$ denotes non-deterministic choice; in $P \sqcap Q$ we may be offered the initial events of $P$ or the initial events of $Q$ but not both. Moreover, we have no control over which is offered. The operators $\Box$ and $\sqcap$ are both commutative and associative in each of the three semantic models used here and thus may be indexed over finite sets. (This issue of indexing is considered further in section 2.4.6 below.)
Let $P$ be a process and $A \subseteq \Sigma$; then $P \setminus A$ is a process that behaves like $P$ with the actions from $A$ made invisible ($\setminus$ is the hiding operator and $\setminus A$ hides the events in $A$). $\setminus A$ is left associative: i.e. $P \setminus A \setminus A'$ is defined as $(P \setminus A) \setminus A'$. Parallel composition $P \parallel_Y Q$ (where $Y \subseteq \Sigma$) models synchronous communication between $P$ and $Q$ in such a way that each of them is free to engage independently in any action which is not in $Y$ but they have to engage simultaneously in all actions that are in $Y$. (We say that the parallel composition synchronizes on the set of events $Y$ or that $P$ and $Q$ synchronize on $Y$.) The interleaving operator $|||$ is used to denote $\parallel_\emptyset$. $|||$ is commutative and associative in all three semantic models and so may be indexed by finite sets.
Let $G \subseteq \Sigma \times \Sigma$ be a relation (called a renaming relation) and $P$ a process. Then $P[G]$ is a process that behaves like $P$ except that every action $a$ has been replaced by
$G(a) \triangleq \{b \mid a\ G\ b\}$.
Wherever the action $a$ might have been enabled in $P$, each of the events in $G(a)$ will be enabled in its place in $P[G]$. Note that the relation $G$ need not be (explicitly) total over the events of $P$: for $a$ not in the domain of $G$, we assume that $G(a) = \{a\}$. (This mirrors the way in which renaming relations are used in FDR2.)
Recursion is introduced using a special equational style of definition. In the simplest case, we may define the process $N$ in terms of the arbitrary CSP term $P$ using $N = P$, where this simply means that $N$ is taken to be the process defined by $P$. This gives rise to a single recursion if the name $N$ occurs somewhere in $P$. More generally, mutual recursion may be introduced using a collection of equational definitions $N_i = P_i$ for $1 \le i \le l$, where each $P_i$ may contain zero, one or more of the process names $N_j$ for $1 \le j \le l$. We assume that all process names which appear in any syntactic definition to which a semantics is to be given are defined exactly once. In other words, we deal only with closed terms. (Note that such equational definitions need not only be used to introduce recursion and they are often used simply to make clearer the presentation of syntactic definitions.)
The notation N x = P or N(x) = P is used to represent the family of 
processes N v or N(v) such that N v = P[v/x] (respectively N(v) = P[v/x]) 
where v is a concrete data value and P[v/x] denotes the process P with all 
occurrences of the parameter x replaced by v. This notation generalizes in 
the obvious way to parameterization with multiple data values. 
2.2.2 Syntactic sugar 
From chapter 4 onwards, we use an operator which is not part of the standard 
CSP syntax and which is, in fact, shorthand for a particular combination of 
two operators already seen. The network composition operator, 0y, is such 
that 
In view of this, we need not define specifically the semantics of this oper-
ator and will derive it where necessary from the semantics of the parallel 
composition and hiding operators. 
2.2.3 Finite non-determinism 
In the failures divergences model, divergence is introduced in P \ X when 
P can perform an infinite consecutive sequence of events in X. However, 
the failures divergences model only includes information on finite traces, not 
infinite ones. If a process possesses an infinite trace t, then u will be a (finite) 
trace of that process for all u < t. However, in the general case, the converse 
may fail: it may be possible that t is not an infinite trace of the process even 
though u is a trace of the process for all u < t. If this latter case is allowed 
to arise, then it is not possible to give an exact definition of the semantics of 
hiding in the failures divergences model. 
It is possible to represent a CSP process operationally as a labelled tran-
sition system or LTS (see [63] for details). If, for any node P in an LTS C, 
there are only finitely many nodes we can reach from P under a single ac-
tion, then C is said to be finitely non-deterministic. In other words, for any 
particular action that we engage in, there are only a finite number of possible 
states we can end up in. By Koenig's Lemma, if the LTS representation of 
a CSP process is finitely non-deterministic, then t is an infinite trace of that 
process if and only if u is a (finite) trace of the process for all u < t. (For 
proof see [63].) 
Since ~ is finite, none of the operators which we use are capable of intro-
ducing infinite non-determinism. As a result, all processes under consider-
ation may be represented operationally by a finitely non-deterministic LTS 
and so it is possible to define exactly the semantics of the hiding operator. 
2.3 Notation 
The following notations will prove to be useful, where $t, u, t_1, t_2, \ldots$ are traces; $A$ is a set of actions; $\mathcal{T}, \mathcal{T}'$ are non-empty sets of traces; $G \subseteq \Sigma \times \Sigma$ is a relation; and $\mathcal{X}$ is a set of sets. Note that traces are assumed to be finite unless otherwise stated.
• $t = \langle a_1, \ldots, a_n \rangle$ is the trace whose $i$-th element is action $a_i$, and whose length, $|t|$, is $n$. Moreover, $events(t) \triangleq \{a_1, \ldots, a_n\}$ and, provided that $n \ge 1$, $tail(t) \triangleq a_n$. If $n = 0$ then $t$ is the empty trace, denoted $\langle\rangle$.
• $|A|$ denotes the cardinality of $A$.
• $t \circ u$ is the trace obtained by appending $u$ to $t$.
• $A^*$ is the set of all traces - i.e. sequences - of actions from $A$, including the empty trace, $\langle\rangle$.
• $A^\omega$ is the set of all infinite traces of actions from $A$.
• $\mathcal{T}^*$ is the set of all traces $t = t_1 \circ \cdots \circ t_n$ ($n \ge 0$) such that $t_1, \ldots, t_n \in \mathcal{T}$ (note that $t = \langle\rangle$ when $n = 0$).
• $\le$ denotes the prefix relation on traces, and $t < u$ if $t \le u$ and $t \ne u$.
• $Pref(\mathcal{T}) \triangleq \{u \mid (\exists t \in \mathcal{T})\ u \le t\}$ is the prefix-closure of $\mathcal{T}$. (In the event that $\mathcal{T}$ is the singleton set $\{t\}$, we may use $Pref(t)$ in lieu of $Pref(\mathcal{T})$.)
• $\mathcal{T}$ is prefix-closed if $\mathcal{T} = Pref(\mathcal{T})$.
• $t \upharpoonright A$ is the trace obtained by deleting from $t$ all the actions that do not occur in $A$.
• $t \setminus A$ is the trace obtained by deleting from $t$ all the actions that do occur in $A$.
• The definitions of $\upharpoonright$ and $\setminus$ may be lifted to sets of traces in the obvious way: $\mathcal{T} \upharpoonright A \triangleq \{t \upharpoonright A \mid t \in \mathcal{T}\}$ and $\mathcal{T} \setminus A \triangleq \{t \setminus A \mid t \in \mathcal{T}\}$.
• $t_1, t_2, \ldots$ is an $\omega$-sequence of traces if $t_1 \le t_2 \le \cdots$ and $\lim_{i \to \infty} |t_i| = \infty$.
• A mapping $f : T \to T'$ is monotonic if $t, u \in T$ and $t \le u$ implies $f(t) \le f(u)$, and strict if $\langle\rangle \in T$ and $f(\langle\rangle) = \langle\rangle$.
• The definition of $G$ may be lifted to sets of events, traces and sets of traces:
  - $G(A) \triangleq \bigcup\{G(a) \mid a \in A\}$.
  - $\langle a_1, \ldots, a_n \rangle\ G\ \langle b_1, \ldots, b_m \rangle \Leftrightarrow n = m \wedge \forall i \le n,\ a_i\ G\ b_i$.
  - $G(\mathcal{T}) \triangleq \{u \mid (\exists t \in \mathcal{T})\ t\ G\ u\}$.
  In the event that $\mathcal{T}$ is the singleton set $\{t\}$, we may use $G(t)$ in lieu of $G(\mathcal{T})$. Moreover, if $G(t) = \{u\}$ for some trace $u$ then we shall denote this $G(t) = u$. Similarly, if $G(a) = \{b\}$ for some action $a$ then we write $G(a) = b$.
• $G^{-1} \triangleq \{(b, a) \mid a\ G\ b\}$ is the inverse of $G$.
• $Sub(\mathcal{X}) \triangleq \{W \subseteq X \mid X \in \mathcal{X}\}$ is the subset-closure of $\mathcal{X}$.
• $\mathcal{X}$ is subset-closed if $\mathcal{X} = Sub(\mathcal{X})$.
• $2^S \triangleq \{X \mid X \subseteq S\}$ gives the power set of $S$. For purposes of presentation, we will sometimes use $\mathbb{P}(S)$ in lieu of $2^S$.
• We introduce containment and equality between pairs of sets in the obvious way. Let $B, B', C, C'$ be sets.
  - $(B, C) \subseteq (B', C')$ if and only if $B \subseteq B'$ and $C \subseteq C'$.
  - $(B, C) = (B', C')$ if and only if $B = B'$ and $C = C'$.
• For an arbitrary set of objects $O$ and a partial ordering3 $\preceq$ over the elements of $O$,
  $max_{\preceq}(O) \triangleq \{e \in O \mid (\nexists d \in O)\ e \preceq d \wedge e \ne d\}$.
  In the event that $max_{\preceq}(O) = \{e\}$ for some element $e$, we shall write $max_{\preceq}(O) = e$.
3 A partial ordering is reflexive, transitive and antisymmetric.
2.4 Process semantics 
In this section we consider each of the three semantic models in more detail , 
including the semantic definitions in each model of the operators introduced 
so far and how the semantics of (syntactic) processes may be derived using 
these definitions. Before doing this, however, we make the following impor-
tant observations. 
At various points in this thesis, we will work with (syntactic) processes, semantic denotations of such processes in any one of three semantic models and sets of behaviours which may not be derivable as the semantics of any
process. It is only necessary to explicitly calculate the semantics of processes 
in chapter 6, as we show how to use FDR2 for automatic verification of 
our notion of refinement-after-hiding; moreover, we only derive semantics 
in the failures divergences model in that chapter with respect to the hiding 
operator. For this reason, semantic definitions for the full range of operators 
are given only for the traces and stable failures models. Chapters 3 and 4 
use only the hiding and parallel composition operators and this is why only 
the semantics for these two operators are given for the failures divergences 
model. 4 Chapter 3 deals primarily with sets of behaviours and pairs of sets of 
behaviours and so requires the definition of hiding and parallel composition 
over such sets and over such pairs. As a result, we define three different 
versions of the parallel composition and hiding operators. The first version 
gives a semantic operator which may be applied to a set or sets of behaviours 
as appropriate; the second gives a semantic operator which may be applied to 
pairs of sets of behaviours; the third version gives a syntactic operator which 
is used in process definitions.5 Note that we have already defined in the 
previous section the effect of applying the hiding operator to sets of traces. 
Note also that the semantic and syntactic versions of a particular operator 
will be indistinguishable textually and the particular version being used will 
be clear from the nature of the object or objects to which it is being applied. 
In what follows, the semantics of recursion is left until all other operators 
have been considered, since it is treated in a rather different manner. 
2.4.1 The traces model 
In the traces model, a process is denoted by a (possibly infinite) set of finite execution sequences of visible actions (i.e. actions from $\Sigma$). For any process $P$, we denote the traces of $P$ as $\tau P$. The following condition always holds of $\tau P$:⁶
⁴The interested reader may find the omitted definitions in [63].
⁵In the traces model, we actually define hiding and parallel composition over individual traces, sets of traces and processes. In the failures divergences model, we define the operators only over pairs of sets of behaviours and over processes.
2.4. Process semantics 21 
$s \parallel_Y u = u \parallel_Y s.$
$\langle\rangle \parallel_Y \langle\rangle \triangleq \{\langle\rangle\}.$
$\langle\rangle \parallel_Y \langle y\rangle \triangleq \emptyset.$
$\langle\rangle \parallel_Y \langle z\rangle \triangleq \{\langle z\rangle\}.$
$\langle y\rangle^\frown s \parallel_Y \langle z\rangle^\frown u \triangleq \{\langle z\rangle^\frown v \mid v \in (\langle y\rangle^\frown s \parallel_Y u)\}.$
$\langle y\rangle^\frown s \parallel_Y \langle y\rangle^\frown u \triangleq \{\langle y\rangle^\frown v \mid v \in (s \parallel_Y u)\}.$
$\langle y\rangle^\frown s \parallel_Y \langle y'\rangle^\frown u \triangleq \emptyset$ if $y \neq y'$.
$\langle z\rangle^\frown s \parallel_Y \langle z'\rangle^\frown u \triangleq \{\langle z\rangle^\frown v \mid v \in (s \parallel_Y \langle z'\rangle^\frown u)\} \cup \{\langle z'\rangle^\frown v \mid v \in (\langle z\rangle^\frown s \parallel_Y u)\}.$
Figure 2.1: Composing traces in parallel, where $s, u \in \Sigma^*$, $y, y' \in Y \subseteq \Sigma$ and $z, z' \in \Sigma - Y$.
T1 $\tau P$ is non-empty and prefix-closed.
Figure 2.1 shows how the effect of parallel composition is defined in terms of its effect on individual traces. This operator has the following important property:
TRP For traces $s$ and $u$ and $Y \subseteq \Sigma$, if $t \in (s \parallel_Y u)$ then $t \restriction Y = s \restriction Y = u \restriction Y$.
Where $T$ and $T'$ are sets of traces,⁷ we may define (semantic) parallel composition over such sets in the following manner (we assume $Y \subseteq \Sigma$):
$T \parallel_Y T' \triangleq \bigcup\{ s \parallel_Y u \mid s \in T \wedge u \in T' \}.$
The semantics of any process (minus recursion) in the traces model may then 
be derived according to the detail in figure 2.2. 
⁶This condition and others like it which are introduced in the remainder of this chapter are theorems which may be derived in the algebra of CSP processes and their denotations.
⁷Neither need be the denotation of a particular process in the traces model and so they need not meet condition T1. In general, none of the sets of behaviours or pairs of such sets to which semantic operators may be applied need be (a component of) the denotation of a process.
$\tau \mathit{STOP} \triangleq \{\langle\rangle\}.$
$\tau \mathit{DIV} \triangleq \{\langle\rangle\}.$
$\tau(a \to P) \triangleq \{\langle\rangle\} \cup \{\langle a\rangle^\frown s \mid s \in \tau P\}.$
$\tau(P \mathbin{\Box} Q) \triangleq \tau P \cup \tau Q.$
$\tau(P \sqcap Q) \triangleq \tau P \cup \tau Q.$
$\tau(P \setminus A) \triangleq (\tau P) \setminus A.$
$\tau(P \parallel_Y Q) \triangleq \tau P \parallel_Y \tau Q.$
$\tau(P[G]) \triangleq G(\tau P).$
Figure 2.2: Semantics of processes in the traces model, where $G \subseteq \Sigma \times \Sigma$ and $A, Y \subseteq \Sigma$.
2.4.2 The stable failures model
In the stable failures model, a process $P$ is denoted by a pair $(\tau P, \phi P)$, where $\phi P$, the stable failures⁸ of $P$, is a subset of $\Sigma^* \times 2^\Sigma$. If $(t, R) \in \phi P$ then $P$ is able to refuse $R$ after $t$. Intuitively, this means that if the environment only offers $R$ as a set of possible events to be executed after $t$ (and the environment must synchronize with $P$ on every event in $R$) then $P$ can deadlock when placed in parallel with the environment. A process $P$ is deadlock-free if and only if, for every $(t, R) \in \phi P$, $R$ is a proper subset of $\Sigma$.
The following conditions always hold of $\tau P$ and $\phi P$:
SF1 $\tau P$ is non-empty and prefix-closed.
SF2 $(t, R) \in \phi P \Rightarrow t \in \tau P$.
SF3 $(t, R) \in \phi P \wedge S \subseteq R \Rightarrow (t, S) \in \phi P$.
SF4 $(t, R) \in \phi P \wedge t^\frown\langle a\rangle \notin \tau P \Rightarrow (t, R \cup \{a\}) \in \phi P$.
We will consider a set of stable failures $F$ to be subset-closed if:
$(t, R) \in F \wedge S \subseteq R \Rightarrow (t, S) \in F.$
⁸Intuitively, a failure is stable if no invisible events are enabled at the state which generates the failure. Invisible events are classed as urgent in CSP and do not require synchronization with the environment before they occur. This means that we can never deadlock at a state at which an invisible event is enabled. Since the stable failures model is primarily interested in the possibility of deadlock, we need not record information on states at which it can never occur.
Where $F$ and $F'$ are sets of stable failures and $A, Y \subseteq \Sigma$, we may define semantic operations of hiding and parallel composition as follows:⁹
$F \setminus A \triangleq \{(t \setminus A, X) \mid (t, X \cup A) \in F\}.$
$F \parallel_Y F' \triangleq \{(t, X \cup Z) \mid X - Y = Z - Y \wedge (\exists s, u)\; (s, X) \in F \wedge (u, Z) \in F' \wedge t \in s \parallel_Y u\}.$
These definitions then lift to pairs of sets of behaviours in a straightforward manner, where $T, T'$ are sets of traces, $F, F'$ are sets of stable failures and $A, Y \subseteq \Sigma$:
$(T, F) \setminus A \triangleq (T \setminus A, F \setminus A).$
$(T, F) \parallel_Y (T', F') \triangleq (T \parallel_Y T', F \parallel_Y F').$
The stable failures of any process (minus recursion) may be derived according to the detail in figure 2.3 (the traces of the process may still be derived according to the detail in figure 2.2¹⁰). The following equalities then hold, where $P, Q$ are processes and $A, Y \subseteq \Sigma$:
• $(\tau(P \setminus A), \phi(P \setminus A)) = (\tau P, \phi P) \setminus A$.
• $(\tau(P \parallel_Y Q), \phi(P \parallel_Y Q)) = (\tau P, \phi P) \parallel_Y (\tau Q, \phi Q)$.
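As an added illustration (this code is not part of the thesis), the following Python evaluator computes $\tau P$ and $\phi P$ for finite, recursion-free terms directly from Figures 2.1, 2.2 and 2.3 and the set-level operators above, and then checks the results against conditions SF1 to SF4, property TRP, the deadlock reading of $(t, \Sigma) \in \phi P$, and the alphabet-projection characterisation of parallel composition given later in Theorem 2.17 (section 2.11). The alphabet SIGMA, the tuple encoding of terms and the processes P, Q and R are assumptions chosen for this example.

```python
# Added example (not the thesis's own code): a small evaluator for the traces
# and stable failures models of finite, recursion-free CS  terms, following
# Figures 2.1-2.3 and the set-level operators of section 2.4.2.  SIGMA and the
# example processes are assumptions chosen for illustration.
from itertools import product

SIGMA = frozenset({"a", "b", "c"})
SUBSETS = [frozenset(e for e, keep in zip(sorted(SIGMA), bits) if keep)
           for bits in product((False, True), repeat=len(SIGMA))]

def restrict(t, Y):            # t restricted to the events in Y
    return tuple(e for e in t if e in Y)

def hide_t(t, A):              # t \ A
    return tuple(e for e in t if e not in A)

def par_traces(s, u, Y):
    """s ||_Y u of Figure 2.1: interleave s and u, synchronising on Y."""
    if not s or not u:         # one side is exhausted; the rest may not touch Y
        rest = s or u
        return set() if restrict(rest, Y) else {rest}
    x, y = s[0], u[0]
    if x in Y and y in Y:      # both heads are shared events: they must agree
        return {(x,) + v for v in par_traces(s[1:], u[1:], Y)} if x == y else set()
    out = set()
    if x not in Y:
        out |= {(x,) + v for v in par_traces(s[1:], u, Y)}
    if y not in Y:
        out |= {(y,) + v for v in par_traces(s, u[1:], Y)}
    return out

# Semantic operators over sets of traces (T) and sets of stable failures (F).
def par_T(T1, T2, Y):
    return {t for s in T1 for u in T2 for t in par_traces(s, u, Y)}

def hide_T(T, A):
    return {hide_t(t, A) for t in T}

def hide_F(F, A):              # {(t\A, X) | (t, X u A) in F}
    return {(hide_t(t, A), X) for (t, R) in F for X in SUBSETS if X | A == R}

def par_F(F1, F2, Y):          # refuse what either side refuses in Y, what both refuse outside Y
    return {(t, X | Z) for (s, X) in F1 for (u, Z) in F2
            if X - Y == Z - Y for t in par_traces(s, u, Y)}

# Terms: ("STOP",), ("DIV",), ("->", a, P), ("[]", P, Q), ("|~|", P, Q),
# ("\\", P, A), ("||", P, Q, Y).  sem() returns (tau P, phi P) per Figures 2.2/2.3.
def sem(p):
    op = p[0]
    if op == "STOP":
        return {()}, {((), X) for X in SUBSETS}
    if op == "DIV":
        return {()}, set()
    if op == "->":
        a, (T, F) = p[1], sem(p[2])
        return ({()} | {(a,) + s for s in T},
                {((), X) for X in SUBSETS if a not in X} | {((a,) + s, X) for (s, X) in F})
    if op == "\\":
        T, F = sem(p[1])
        return hide_T(T, p[2]), hide_F(F, p[2])
    (T1, F1), (T2, F2) = sem(p[1]), sem(p[2])
    if op == "[]":             # initial refusals need both sides; later ones either side
        return T1 | T2, ({f for f in F1 & F2 if f[0] == ()} | {f for f in F1 | F2 if f[0] != ()})
    if op == "|~|":
        return T1 | T2, F1 | F2
    return par_T(T1, T2, p[3]), par_F(F1, F2, p[3])

def check_sf(T, F):
    """Conditions SF1-SF4 of section 2.4.2; True when they all hold."""
    sf1 = () in T and all(t[:i] in T for t in T for i in range(len(t)))
    sf2 = all(t in T for (t, _) in F)
    sf3 = all((t, X) in F for (t, R) in F for X in SUBSETS if X <= R)
    sf4 = all((t, R | {a}) in F for (t, R) in F for a in SIGMA if t + (a,) not in T)
    return sf1 and sf2 and sf3 and sf4

def deadlock_traces(F):        # traces after which the whole of SIGMA can be refused
    return sorted({t for (t, R) in F if R == SIGMA})

def check_trp(s, u, Y):        # property TRP: every merge agrees with both inputs on Y
    return all(restrict(t, Y) == restrict(s, Y) == restrict(u, Y) for t in par_traces(s, u, Y))

def par_alpha(TP, TQ, aP, aQ):
    """Theorem 2.17: traces of P ||_{aP n aQ} Q found by projection onto the alphabets."""
    n = max(map(len, TP)) + max(map(len, TQ))
    return {t for k in range(n + 1) for t in product(sorted(aP | aQ), repeat=k)
            if restrict(t, aP) in TP and restrict(t, aQ) in TQ}

# Constructed example processes.
P = ("->", "a", ("->", "b", ("STOP",)))        # a -> b -> STOP
Q = ("->", "a", ("->", "c", ("STOP",)))        # a -> c -> STOP
R = ("->", "b", ("STOP",))                     # b -> STOP
SYNC = ("||", P, Q, frozenset({"a"}))          # share a, then interleave b and c
CLASH = ("||", P, R, frozenset({"a", "b"}))    # P insists on a, R on b: deadlock at <>

if __name__ == "__main__":
    T, F = sem(SYNC)
    print(sorted(T), check_sf(T, F), deadlock_traces(F))
    print(sorted(sem(CLASH)[0]), deadlock_traces(sem(CLASH)[1]))
```

Refusal sets are enumerated explicitly, so failure sets grow as $2^{|\Sigma|}$ per trace; the checks are cheap only because SIGMA has three events. SYNC deadlocks only at its two maximal traces (both sides have reached STOP), whereas CLASH deadlocks after the empty trace because the two sides demand different shared events.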
2.4.3 The failures divergences model
In the failures divergences model, a process $P$ is denoted as a pair $(\phi_\bot P, \delta P)$, where $\delta P$, the divergences of $P$, is a subset of $\Sigma^*$ and $\phi_\bot P$, the failures of $P$, is a subset of $\Sigma^* \times 2^\Sigma$. If $t \in \delta P$ then $P$ is said to diverge after $t$. In the CSP model this means that the process behaves in a totally uncontrollable and unpredictable way: $\phi_\bot \mathit{DIV} = \Sigma^* \times 2^\Sigma$ and $\delta \mathit{DIV} = \Sigma^*$. Semantically, divergence obscures all other behaviours after it arises and we can make no guarantees post-divergence regarding what a process will offer or refuse at any point in time: this is reflected in conditions FD4 and FD5 below.
We introduce the notation $\tau_\bot P$ and define it as $\tau_\bot P \triangleq \{t \mid (t, \emptyset) \in \phi_\bot P\}$. As we shall see in section 2.4.8 below, $\tau_\bot P = \tau P \cup \delta P$. The following conditions then always hold of $\tau_\bot P$, $\phi_\bot P$ and $\delta P$:
⁹The particular definition of parallel composition used here reflects the following intuition. If two processes are composed in parallel, synchronizing on the set of events $Y$, then the composition can refuse after a particular trace all events from $Y$ which at least one process refuses, along with all events which both refuse.
¹⁰In other words, for any process $P$, $\tau P$ has the same meaning whether we are working in the traces model or in the stable failures model.
$\phi \mathit{STOP} \triangleq \{(\langle\rangle, X) \mid X \subseteq \Sigma\}.$
$\phi \mathit{DIV} \triangleq \emptyset.$
$\phi(a \to P) \triangleq \{(\langle\rangle, X) \mid a \notin X \subseteq \Sigma\} \cup \{(\langle a\rangle^\frown s, X) \mid (s, X) \in \phi P\}.$
$\phi(P \mathbin{\Box} Q) \triangleq \{(\langle\rangle, X) \mid (\langle\rangle, X) \in \phi P \cap \phi Q\} \cup \{(s, X) \mid (s, X) \in \phi P \cup \phi Q \wedge s \neq \langle\rangle\}.$
$\phi(P \sqcap Q) \triangleq \phi P \cup \phi Q.$
$\phi(P \setminus A) \triangleq (\phi P) \setminus A.$
$\phi(P \parallel_Y Q) \triangleq \phi P \parallel_Y \phi Q.$
$\phi(P[G]) \triangleq \{(s', X) \mid (\exists s)\; s\,G\,s' \wedge (s, G^{-1}(X)) \in \phi P\}.$
Figure 2.3: Semantics of processes in the stable failures model, where $G \subseteq \Sigma \times \Sigma$ and $A, Y \subseteq \Sigma$.
FD1 $\tau_\bot P$ is non-empty and prefix-closed.
FD2 $(t, R) \in \phi_\bot P \wedge S \subseteq R \Rightarrow (t, S) \in \phi_\bot P$.
FD3 $(t, R) \in \phi_\bot P \wedge t^\frown\langle a\rangle \notin \tau_\bot P \Rightarrow (t, R \cup \{a\}) \in \phi_\bot P$.
FD4 $s \in \delta P \wedge t \in \Sigma^* \Rightarrow s^\frown t \in \delta P$.
FD5 $t \in \delta P \Rightarrow (t, R) \in \phi_\bot P$ for $R \subseteq \Sigma$.
We now define semantic operators of parallel composition and hiding in this model. By their nature, they can only be defined over pairs of sets of behaviours rather than over single sets of behaviours. Where $\mathcal{F}$ is a set of failures, we use $\tau_\bot \mathcal{F} \triangleq \{t \mid (t, \emptyset) \in \mathcal{F}\}$. In the following definitions, $\mathcal{F}$, $\mathcal{F}_1$, $\mathcal{F}_2$ and $\mathcal{F}'$ are sets of failures, $\mathcal{D}$, $\mathcal{D}_1$, $\mathcal{D}_2$ and $\mathcal{D}'$ are sets of divergences and $A, Y \subseteq \Sigma$.
• $(\mathcal{F}_1, \mathcal{D}_1) \parallel_Y (\mathcal{F}_2, \mathcal{D}_2) \triangleq (\mathcal{F}, \mathcal{D})$ where:
– $\mathcal{D} = \{t^\frown v \mid (\exists s \in \tau_\bot\mathcal{F}_1, u \in \tau_\bot\mathcal{F}_2)\; t \in s \parallel_Y u \wedge (s \in \mathcal{D}_1 \vee u \in \mathcal{D}_2)\}.$
– $\mathcal{F} = \{(t, X \cup Z) \mid X - Y = Z - Y \wedge (\exists s, u)\; (s, X) \in \mathcal{F}_1 \wedge (u, Z) \in \mathcal{F}_2 \wedge t \in s \parallel_Y u\} \cup \{(t, X) \mid t \in \mathcal{D} \wedge X \subseteq \Sigma\}.$
• $(\mathcal{F}, \mathcal{D}) \setminus A \triangleq (\mathcal{F}', \mathcal{D}')$ where:
– $\mathcal{D}' = \{(s \setminus A)^\frown t \mid s \in \mathcal{D}\} \cup \{(u \setminus A)^\frown t \mid u \in \Sigma^\omega \wedge (u \setminus A) \text{ is finite} \wedge (\forall s < u)\; s \in \tau_\bot\mathcal{F}\}.$
– $\mathcal{F}' = \{(t \setminus A, X) \mid (t, X \cup A) \in \mathcal{F}\} \cup \{(t, X) \mid t \in \mathcal{D}' \wedge X \subseteq \Sigma\}.$

$\delta(P \parallel_Y Q) \triangleq \{t^\frown v \mid (\exists s \in \tau_\bot P, u \in \tau_\bot Q)\; t \in s \parallel_Y u \wedge (s \in \delta P \vee u \in \delta Q)\}.$
$\phi_\bot(P \parallel_Y Q) \triangleq \{(t, X \cup Z) \mid X - Y = Z - Y \wedge (\exists s, u)\; (s, X) \in \phi_\bot P \wedge (u, Z) \in \phi_\bot Q \wedge t \in s \parallel_Y u\} \cup \{(t, X) \mid t \in \delta(P \parallel_Y Q) \wedge X \subseteq \Sigma\}.$
$\delta(P \setminus A) \triangleq \{(s \setminus A)^\frown t \mid s \in \delta P\} \cup \{(u \setminus A)^\frown t \mid u \in \Sigma^\omega \wedge (u \setminus A) \text{ is finite} \wedge (\forall s < u)\; s \in \tau_\bot P\}.$
$\phi_\bot(P \setminus A) \triangleq \{(t \setminus A, X) \mid (t, X \cup A) \in \phi_\bot P\} \cup \{(t, X) \mid t \in \delta(P \setminus A) \wedge X \subseteq \Sigma\}.$
Figure 2.4: Semantics of operators in the failures divergences model, where $A, Y \subseteq \Sigma$.
Figure 2.4 gives the semantic definitions of the syntactic operators of hiding and parallel composition. They are not defined in terms of the semantic operators, so that it is easier to see how the individual components of a particular denotation pair may be derived. However, since $\tau_\bot(\phi_\bot P) = \tau_\bot P$, the following equalities hold, where $P, Q$ are processes and $A, Y \subseteq \Sigma$:
• $(\phi_\bot(P \parallel_Y Q), \delta(P \parallel_Y Q)) = (\phi_\bot P, \delta P) \parallel_Y (\phi_\bot Q, \delta Q)$.
• $(\phi_\bot(P \setminus A), \delta(P \setminus A)) = (\phi_\bot P, \delta P) \setminus A$.
2.4.4 Process denotations and refinement
$[\![P]\!]_X$ denotes the semantic meaning of the process $P$ in the model $X \in \{T, SF, FD\}$ ($T$ gives the traces model, $SF$ the stable failures model and $FD$ the failures divergences model). In other words:
• $[\![P]\!]_T = \tau P$.
• $[\![P]\!]_{SF} = (\tau P, \phi P)$.
• $[\![P]\!]_{FD} = (\phi_\bot P, \delta P)$.
We shall also use the shorthand $P =_X Q$ to indicate that $[\![P]\!]_X = [\![Q]\!]_X$. That $Q$ is an implementation of (or refines) $P$ in a particular semantic model $X \in \{T, SF, FD\}$ is denoted $Q \sqsubseteq_X P$. This means that the behaviours of $Q$ in the relevant model are contained in those of $P$. In other words:
• $Q \sqsubseteq_T P$ if and only if $[\![Q]\!]_T \subseteq [\![P]\!]_T$ (i.e. $\tau Q \subseteq \tau P$).
• $Q \sqsubseteq_{SF} P$ if and only if $[\![Q]\!]_{SF} \subseteq [\![P]\!]_{SF}$ (i.e. $\tau Q \subseteq \tau P$ and $\phi Q \subseteq \phi P$).
• $Q \sqsubseteq_{FD} P$ if and only if $[\![Q]\!]_{FD} \subseteq [\![P]\!]_{FD}$ (i.e. $\phi_\bot Q \subseteq \phi_\bot P$ and $\delta Q \subseteq \delta P$).
2.4.5 Semantics of recursion
We now show how to define the semantics of recursive terms. Since we never have to calculate the semantics of recursive processes in the failures divergences model, we deal explicitly here only with the traces and stable failures models. We will consider a single recursion $N = P$ and also a mutual recursion $N_i = P_i$ for $1 \le i \le k$. The fundamental law of recursion is given by the following condition, which effectively states that a recursively defined process satisfies the equation defining it.
REC If $N = P$ is a recursive definition, then $N =_X P$ for $X \in \{T, SF, FD\}$.
Before proceeding, we introduce some notation which will be useful.
• $\mathbb{N}$ denotes the set of natural numbers.
• For any function $S$ and $n \ge 2$, $S^n(x) \triangleq S(S^{n-1}(x))$, where $S^1 \triangleq S$.
• $P[Y/N]$ denotes the process $P$ with the process $Y$ substituted for the name $N$.
• $\bot_T$ is used to give the denotation of $\mathit{STOP}$ in the traces model: i.e. $\bot_T \triangleq [\![\mathit{STOP}]\!]_T = \{\langle\rangle\}$.
• $\bot_{SF}$ is used to give the denotation of $\mathit{DIV}$ in the stable failures model: i.e. $\bot_{SF} \triangleq [\![\mathit{DIV}]\!]_{SF} = (\{\langle\rangle\}, \emptyset)$.
• $(X_1, \ldots, X_k)$ will be used to denote the vector with elements $X_1, \ldots, X_k$. We then assume:
– $\mathbf{Y}$ is a vector of processes $(Y_1, \ldots, Y_k)$.
– $\mathbf{N}$ is the vector of names $(N_1, \ldots, N_k)$.
– $\mathbf{P}$ is the vector of processes $(P_1, \ldots, P_k)$.
– $P_i[\mathbf{Y}/\mathbf{N}]$ denotes the process $P_i$ with the process $Y_j$ substituted for the name $N_j$ for all $1 \le j \le k$ such that $N_j$ occurs somewhere in $P_i$.
Single recursion
The single recursion $N = P$ induces a (syntactic) function, $F$, which maps syntactic terms to syntactic terms such that, for any process $Y$, $F(Y) \triangleq P[Y/N]$. In the model $X \in \{T, SF\}$, $S$ is the (semantic) function from process denotations to process denotations such that, for any process $Q$, $S([\![Q]\!]_X) \triangleq [\![F(Q)]\!]_X$. For example, $S(\tau Q) \triangleq \tau F(Q)$. $[\![N]\!]_X$ is then given by $\bigcup_{n \in \mathbb{N}} S^n(\bot_X)$.
If $N$ does not occur anywhere in $P$ then $S$ is a constant function and its value gives directly the semantic interpretation of $N$: i.e. $[\![N]\!]_X = S(\bot_X)$.
Mutual recursion
The mutual recursion $N_i = P_i$ for $1 \le i \le k$ induces a set of syntactic functions $F_i$ such that, for any vector of processes $\mathbf{Y}$, $F_i(\mathbf{Y}) \triangleq P_i[\mathbf{Y}/\mathbf{N}]$. In the model $X \in \{T, SF\}$, $S$ may then be taken to be the (semantic) function from vectors of process denotations to vectors of process denotations such that, for any vector of processes $\mathbf{Q} = (Q_1, \ldots, Q_k)$,
$[\![N_i]\!]_X$ is then given by the $i$th element of $\bigcup_{n \in \mathbb{N}} S^n((\bot_X, \ldots, \bot_X))$.
Guardedness
A process name $N$ is guarded in process expression $P$ if either:
• $N$ does not appear in $P$; or
• $P$ does not contain the hiding operator and every occurrence of $N$ is within the scope of an occurrence of the prefix operator.
If all names occurring in $P$ are guarded then we say that $P$ itself is guarded. If $P$ is guarded, then all recursive equations used to define the semantics of $P$ have a unique solution. All recursive processes for which we have to derive semantics in chapter 6 are guarded and this justifies the inductive derivation of semantics which is used there.¹¹
Guardedness and divergence
Guarded processes have the following important property:
DF If $N_i = P_i$ for $1 \le i \le k$ and all processes $P_i$ are guarded, then $\delta N_i = \emptyset$ for $1 \le i \le k$.
2.4.6 Indexing operators
Further comment is required with respect to the indexing of the operators $\Box$, $\sqcap$ and $|||$. We consider the generic process
$\bigoplus_{z \in Z} P(z),$
where $\oplus \in \{\Box, \sqcap, |||\}$ and $Z$ is a finite set. In the event that $|Z| \ge 2$, then $\bigoplus_{z \in Z} P(z)$ may be represented in an obvious and straightforward manner using the binary version of $\oplus$. However, it is less clear what should be the semantics of $\bigoplus_{z \in Z} P(z)$ if $|Z| = 1$ or $Z = \emptyset$. We first observe that the non-deterministic choice operator, $\sqcap$, may not be indexed by the empty set (this is disallowed by FDR2). For our purposes, we also assume that $|||$ may not be indexed by the empty set. The remainder of the relevant cases are covered by the following definition.
Definition 2.1. Let $\oplus \in \{\Box, \sqcap, |||\}$ and $X \in \{T, SF, FD\}$. Then the following hold:
1. If $Z = \{v\}$, then $\bigoplus_{z \in Z} P(z) =_X P(v)$.
2. If $Z = \emptyset$, then $\Box_{z \in Z} P(z) =_X \mathit{STOP}$.
2.4.7 Parallel composition, hiding and network composition
We shall also need a semantic version of the network composition operator, $\otimes_Y$, which is defined as follows for processes $P$ and $Q$, $Y \subseteq \Sigma$ and $X \in \{T, SF, FD\}$:
¹¹Note that the definition of guardedness given here is stronger than the usual definition, namely that every occurrence of $N$ in $P$ is prefixed by an action that cannot be hidden. However, the definition given suffices for our purposes and is simpler to present.
The following important results then show the consistency in all models of the syntactic and semantic versions of hiding, parallel composition and network composition. They may be proved easily using the definitions given so far in section 2.4.
Proposition 2.1. The following hold, where $P$ and $Q$ are processes, $A, Y \subseteq \Sigma$ and $X \in \{T, SF, FD\}$:
1. $[\![Q \setminus A]\!]_X = [\![Q]\!]_X \setminus A$.
2. $[\![P \parallel_Y Q]\!]_X = [\![P]\!]_X \parallel_Y [\![Q]\!]_X$.
Corollary 2.2. Let $P$ and $Q$ be processes, $Y \subseteq \Sigma$ and $X \in \{T, SF, FD\}$. Then $[\![P \otimes_Y Q]\!]_X = [\![P]\!]_X \otimes_Y [\![Q]\!]_X$.
2.4.8 Relationships between denotations
The following conditions always hold and concern relationships which exist between denotations in the various semantic models.
DR1 $\tau_\bot P = \tau P \cup \delta P$.
DR2 $\phi_\bot P = \phi P \cup \{(t, R) \mid t \in \delta P \wedge R \subseteq \Sigma\}$.
DR3 $\tau P = \{t \mid (t, \emptyset) \in \phi P\} \cup (\tau P \cap \delta P)$.
Note that $\tau P \cap \delta P$ gives those divergent traces which are actually generated operationally by $P$. In view of these conditions, the following result holds:
Proposition 2.3. If $\delta P = \emptyset$ then:
1. $\phi P = \phi_\bot P$.
2. $\tau_\bot P = \tau P = \{t \mid (t, \emptyset) \in \phi P\}$.
2.4.9 Alternative denotations in the failures divergences model
For a number of different reasons, we would prefer to work only with stable failures and traces even when working in the failures divergences model.¹² To facilitate this, we consider the notion of minimally-divergent traces, defined as follows for any process $P$:
Definition 2.2. $\min\delta P \triangleq \{t \mid t \in \delta P \wedge (\nexists u \in \delta P)\; u < t\}$.
The minimally-divergent traces are a subset of those divergent traces which are generated operationally by the process under consideration rather than being present only by virtue of FD4. The following property always holds of them:
MD For any process $P$, $\min\delta P \subseteq \tau P$.
Using $\min\delta P$ allows us to deal with divergent traces in the same way as ordinary traces from $\tau P$. It is easy to see, by definition 2.2 and FD4, that the following result holds.
Proposition 2.4. $\delta P = \{t^\frown v \mid t \in \min\delta P \wedge v \in \Sigma^*\}$.
Using this result and DR2, $\phi_\bot P$ and $\delta P$ may be reclaimed from $\phi P$ and $\min\delta P$.
2.5 Process alphabets
Process alphabets do not play any semantic role in the treatment of CSP used here. Instead, they are simply used to define an upper bound on the set of events in which any process may engage and so a lower bound on the set of events which any process will always refuse. The alphabet of a process $P$, denoted $\alpha P$, must always be such that $\beta(P) \subseteq \alpha P$, where $\beta(P)$ is calculated according to the rules in figure 2.5.¹³ We are free to assign to $\alpha P$ any value we wish, provided that $\beta(P) \subseteq \alpha P$, although we will always explicitly state what we take the alphabet of a particular process to be before that alphabet is used for any purpose. Since $\beta(P) \subseteq \alpha P$, the following two conditions hold:
PA1 $\tau P \subseteq (\alpha P)^*$.
¹²The reasons for this choice are discussed at the relevant points in chapters 3 and 4.
¹³Process alphabets are used only (with respect to denotations) in the traces and stable failures models, which is why $\beta(\mathit{DIV}) = \emptyset$. The particular treatment given to recursive processes is necessary so that the procedure for deriving the alphabet of such a process will terminate.
$\beta(\mathit{STOP}) \triangleq \emptyset.$
$\beta(\mathit{DIV}) \triangleq \emptyset.$
$\beta(a \to P) \triangleq \{a\} \cup \beta(P).$
$\beta(P \mathbin{\Box} Q) \triangleq \beta(P) \cup \beta(Q).$
$\beta(P \sqcap Q) \triangleq \beta(P) \cup \beta(Q).$
$\beta(P \parallel_Y Q) \triangleq \beta(P) \cup \beta(Q).$
$\beta(P \setminus A) \triangleq \beta(P) - A.$
$\beta(P[G]) \triangleq G(\beta(P)).$
Let $N_i = P_i$ for $1 \le i \le k$ be a recursive definition and let $\mathbf{STOP}$ denote the vector $(\mathit{STOP}, \ldots, \mathit{STOP})$ of length $k$. Then:
Figure 2.5: Deriving alphabets
PA2 $(t, R) \in \phi P \Rightarrow (t, R \cup (\Sigma - \alpha P)) \in \phi P$.
PA2 is a consequence of PA1 and SF4 (impossible events can always be refused).
2.6 Useful algebraic laws
We include here some useful equivalences which exist between syntactic terms in all three semantic models, some of which have already been mentioned. Although they are not used formally, they are important in allowing us to provide as input to FDR2 process definitions which are less likely to suffer from state explosion when their operational semantics is calculated. ($=$ is used in the following equations to denote semantic equality in all three models.)
• $\Box$, $\sqcap$ and $|||$ are commutative and associative in all three models, meaning that they may be indexed by finite sets.
• Hiding is associative in that $(P \setminus A) \setminus A' = P \setminus (A \cup A')$.
• $P \setminus A = P$ if $\alpha P \cap A = \emptyset$.
• $(P \parallel_Y Q) \setminus A = (P \setminus A) \parallel_Y (Q \setminus A)$ if $Y \cap A = \emptyset$.
Parallel composition is symmetric but not associative in the general case. As a result, expressions involving parallel composition should always be bracketed appropriately.¹⁴ It is, however, possible to define a weak associativity property, if we can guarantee that the two participants in a parallel composition will synchronize on at least those events that they have in common:
$P \parallel_A (Q \parallel_B R) = (P \parallel_C Q) \parallel_D R$
where
• $A = \alpha P \cap \alpha(Q \parallel_B R)$ and $\alpha(Q \parallel_B R) = \alpha Q \cup \alpha R$.
• $B = \alpha Q \cap \alpha R$.
• $C = \alpha P \cap \alpha Q$.
• $D = \alpha(P \parallel_C Q) \cap \alpha R$ and $\alpha(P \parallel_C Q) = \alpha P \cup \alpha Q$.
A similar result holds with the network composition operator, $\otimes$, substituted for $\parallel$.
2.7 Contexts and environments
The term "environment" will be used to denote a CSP process with which another CSP process might be composed. The term "environment" is to be distinguished from the term "context", where a context is a process term containing free process variables for which particular processes might be substituted. A component process is therefore composed with an environment (using an additional operator to combine the two processes) while a component is placed in a context (using substitution).
For our purposes, a process context $F$ represents a syntactic term containing exactly one instance of each of the free process variables $V_1$ to $V_n$ and only the parallel composition and hiding operators (or the network composition operator, $\otimes_Y$, which may be represented using only hiding and parallel composition). $F(P_1, \ldots, P_n)$ is used to denote the process where, for $1 \le i \le n$, process $P_i$ has been substituted for variable $V_i$. This means that
¹⁴In chapter 3 we are usually able to dispense with such brackets and do so for the purposes of presentation; however, they are always used in chapter 7 and appendix D in the definition of processes to be used with FDR2.
$F(P_1, \ldots, P_n)$ is a closed term and so contains no further free (process) variables (although the $P_i$ may contain process names which have been defined). Strictly speaking, $[\![F]\!]_X$ for $X \in \{T, SF, FD\}$ should be used to denote the semantic meaning of $F$ (which is a mapping from a set of $n$ process denotations to a process denotation). However, we shall simply denote it using $F$. This is because the defining expression $V_1 \parallel_Y V_2$ makes sense whether $V_1$ and $V_2$ represent syntactic terms or semantic objects; the same applies to $V_1 \setminus A$ and $V_1 \otimes_Y V_2$. In moving from the defining expression of (syntactic) $F$ to the defining expression of $[\![F]\!]_X$, all that has changed is the type of the free variables. It will always be clear when it is used what sort of object is represented by $F$.
We also introduce a useful notation to be used with respect to processes built around a context $F$. During evaluation of the semantics of $F(P_1, \ldots, P_n)$, we evaluate the subterms of $F(P_1, \ldots, P_n)$ in a unique order and this ordering may be used to define a set of intermediate processes which are used to construct $F(P_1, \ldots, P_n)$. For example, in constructing $(P \parallel_Y Q) \parallel_Z P'$, the intermediate processes would be $P$, $Q$, $P \parallel_Y Q$ and $(P \parallel_Y Q) \parallel_Z P'$ itself. We therefore define $\mathit{Imp}(F(P_1, \ldots, P_n))$ in order to return this set of processes for $F(P_1, \ldots, P_n)$. (Note that $\uplus$ denotes the disjoint union operator.)
Definition 2.3. For processes $P_1, \ldots, P_n$, and $A, Y \subseteq \Sigma$, $\mathit{Imp}(F(P_1, \ldots, P_n))$ is defined inductively as follows:
• $\mathit{Imp}(P_1 \setminus A) \triangleq \{P_1, (P_1 \setminus A)\}$.
• $\mathit{Imp}(P_1 \parallel_Y P_2) \triangleq \{P_1, P_2, (P_1 \parallel_Y P_2)\}$.
• $\mathit{Imp}(P_1 \otimes_Y P_2) \triangleq \{P_1, P_2, (P_1 \otimes_Y P_2)\}$.
• $\mathit{Imp}(F(P_1, \ldots, P_n) \setminus A) \triangleq \{F(P_1, \ldots, P_n) \setminus A\} \cup \mathit{Imp}(F(P_1, \ldots, P_n))$.
• Where $F', F''$ are contexts, $F(P_1, \ldots, P_n) = F'(P_{i_1}, \ldots, P_{i_m}) \parallel_Y F''(P_{j_1}, \ldots, P_{j_k})$ and $\{1, \ldots, n\} = \{i_1, \ldots, i_m\} \uplus \{j_1, \ldots, j_k\}$:
$\mathit{Imp}(F(P_1, \ldots, P_n)) \triangleq \{F(P_1, \ldots, P_n)\} \cup \mathit{Imp}(F'(P_{i_1}, \ldots, P_{i_m})) \cup \mathit{Imp}(F''(P_{j_1}, \ldots, P_{j_k})).$
• Where $F', F''$ are contexts, $F(P_1, \ldots, P_n) = F'(P_{i_1}, \ldots, P_{i_m}) \otimes_Y F''(P_{j_1}, \ldots, P_{j_k})$ and $\{1, \ldots, n\} = \{i_1, \ldots, i_m\} \uplus \{j_1, \ldots, j_k\}$:
$\mathit{Imp}(F(P_1, \ldots, P_n)) \triangleq \{F(P_1, \ldots, P_n)\} \cup \mathit{Imp}(F'(P_{i_1}, \ldots, P_{i_m})) \cup \mathit{Imp}(F''(P_{j_1}, \ldots, P_{j_k})).$
This notation will be used to reclaim the operators and processes which are used to define any process $F(P_1, \ldots, P_n)$.
2.8 Maximality and monotonicity
2.8.1 Maximality of failures
Let $F$ be a set of failures. We define two notions of maximality with regard to the elements of that set.
• $(t, R) \in F$ is refusal-maximal if and only if there does not exist $(t, X) \in F$ such that $R \subset X$.
• $(t, R) \in F$ is maximal if and only if there does not exist $(s, X) \in F$ such that $t < s$ or such that $t = s$ and $R \subset X$.
We shall denote $\max(F) = \{(t, R) \in F \mid (t, R) \text{ is maximal}\}$. In the event that $\max(F) = \{(t, R)\}$ for some failure $(t, R)$, we write $\max(F) = (t, R)$.
Refusal-maximality is mainly used in the statement and proofs of results from chapter 3. Its important property is captured by the following result, which follows directly from SF2 and SF4:
Proposition 2.5. If $(t, R) \in \phi Q$ is refusal-maximal, then $t^\frown\langle a\rangle \in \tau Q$ for every $a \in (\Sigma - R)$.
The notion of maximality is also used in the proofs of results from chapter 3.
2.8.2 Monotonicity
The following are standard results which may be proved straightforwardly.
Proposition 2.6. For traces $s$ and $u$ and $A \subseteq \Sigma$, if $s \le u$ then $s \setminus A \le u \setminus A$.
We define the ordering $\preceq$ over sets of traces $T, T'$ such that $T \preceq T'$ if and only if, for every $t \in T$, there exists $u \in T'$ such that $t \le u$.
Proposition 2.7. Let $Y \subseteq \Sigma$ and $s, u, v, w$ be traces such that $v \le s$, $w \le u$ and $s \parallel_Y u \neq \emptyset$. Then $(v \parallel_Y w) \preceq (s \parallel_Y u)$.
Proposition 2.8. Let $A, Y \subseteq \Sigma$ and $P, P', Q, Q'$ be either sets of traces; pairs of sets of traces and sets of stable failures; or pairs of sets of failures and sets of divergences.
1. If $P \subseteq P'$, then $P \setminus A \subseteq P' \setminus A$.
2. If $P \subseteq P'$ and $Q \subseteq Q'$, then $P \parallel_Y Q \subseteq P' \parallel_Y Q'$.
3. If $P \subseteq P'$ and $Q \subseteq Q'$, then $P \otimes_Y Q \subseteq P' \otimes_Y Q'$.
Corollary 2.9. Let $P, P', Q, Q'$ be processes, $X \in \{T, SF, FD\}$ and $A, Y \subseteq \Sigma$.
1. If $[\![P]\!]_X \subseteq [\![P']\!]_X$, then $[\![P \setminus A]\!]_X \subseteq [\![P' \setminus A]\!]_X$.
2. If $[\![P]\!]_X \subseteq [\![P']\!]_X$ and $[\![Q]\!]_X \subseteq [\![Q']\!]_X$, then $[\![P \parallel_Y Q]\!]_X \subseteq [\![P' \parallel_Y Q']\!]_X$.
3. If $[\![P]\!]_X \subseteq [\![P']\!]_X$ and $[\![Q]\!]_X \subseteq [\![Q']\!]_X$, then $[\![P \otimes_Y Q]\!]_X \subseteq [\![P' \otimes_Y Q']\!]_X$.
2.9 Determinism
Definition 2.4 (Determinism). A process $P$ is deterministic if:
1. $\delta P = \emptyset$.
2. $\phi P = \{(t, R) \mid t \in \tau P \wedge R \subseteq (\Sigma - \{a \mid t^\frown\langle a\rangle \in \tau P\})\}$.
If $P$ is deterministic, it is completely characterised by $\tau P$; in particular, it always responds in the same manner to the same external stimulus. We are interested in the property of determinism with respect to processes which might be used during verification using FDR2 and so which can be represented operationally using a finite-state LTS. (Note that FDR2 may be used to check for the determinism of any such process.) Any such "finite-state" process which is deterministic may be represented syntactically using only indexed deterministic choice, the prefix operator, recursion and $\mathit{STOP}$. Before showing how to construct such a representation, we introduce some additional notation, where $T$ is a prefix-closed set of traces:
• $\mathit{init}(T) \triangleq \{a \mid \langle a\rangle^\frown s \in (T - \{\langle\rangle\})\}$ gives the initial events of all traces from $T$.
• $\mathit{aft}(T, a) \triangleq \{s \mid \langle a\rangle^\frown s \in T\}$ gives the set of traces from $T$ which are possible after the "execution" of $a$.
For a prefix-closed set of traces $T$, $N_T$ is defined as:
$N_T = \Box_{a \in \mathit{init}(T)} (a \to N_{\mathit{aft}(T, a)})$, where $N_{\{\langle\rangle\}} = \mathit{STOP}$.
The following condition always holds for "finite-state" $P$:
DE If $P$ is deterministic, then $P =_X N_{\tau P}$ for $X \in \{T, SF, FD\}$.
2.10 Constructing processes
In the proofs of results from chapter 3, it is sometimes necessary to construct syntactic processes with exactly specified semantics (in the traces or stable failures models). In this section, we show how to do this. Before proceeding to define the specific processes which we shall need, we define some useful sub-processes. In the following definitions, $a \in \Sigma$ is an event, $s$ is a trace and $R \subseteq \Sigma$ is a set of events.
• $TP_{\langle\rangle} = \mathit{DIV}$.
• $TP_{\langle a\rangle^\frown s} = (a \to TP_s) \mathbin{\Box} \mathit{DIV}$.
• $FP(\langle\rangle, R) = \Box_{a \in (\Sigma - R)} (a \to \mathit{DIV})$.
• $FP(\langle a\rangle^\frown s, R) = (a \to FP(s, R)) \mathbin{\Box} \mathit{DIV}$.
$TP$ and $FP$ are standard constructions taken from [63] (this is why the statements of their semantics in propositions 2.10 and 2.11 below are given without proof). Before proceeding to give the semantics of these processes we observe an important property of $\mathit{DIV}$ in the stable failures model, which is important to us here and also in the construction of processes which are used in chapter 6 for the purposes of automatic verification. Recall that $\phi \mathit{DIV} = \emptyset$ and, according to figure 2.3, the stable failures semantics of $\Box$ is defined as follows:
$\phi(P \mathbin{\Box} Q) \triangleq \{(\langle\rangle, X) \mid (\langle\rangle, X) \in \phi P \cap \phi Q\} \cup \{(s, X) \mid (s, X) \in \phi P \cup \phi Q \wedge s \neq \langle\rangle\}.$
Hence, for any process $P$,
$\phi(P \mathbin{\Box} \mathit{DIV}) = \{(t, R) \mid (t, R) \in \phi P \wedge t \neq \langle\rangle\}.$
We can therefore use $\mathit{DIV}$, along with the deterministic choice operator, to effectively remove (stable) failures when necessary. The traces, stable failures and alphabets¹⁵ of $TP_t$ and $FP(t, R)$ are then as follows.
Proposition 2.10. Let $t$ be a trace. Then the following hold:
1. $\tau TP_t = \mathit{Pref}(t)$.
2. $\phi TP_t = \emptyset$.
3. $\beta(TP_t) = \mathit{events}(t)$.
¹⁵Alphabets are calculated here using $\beta$ and so using the detail in figure 2.5.
Proposition 2.11. Let $(t, R)$ be a failure. Then the following hold:
1. $\tau FP(t, R) = \mathit{Pref}(t) \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\}$.
2. $\phi FP(t, R) = \{(t, X) \mid X \subseteq R\}$.
3. $\beta(FP(t, R)) = \mathit{events}(t) \cup (\Sigma - R)$.
Note that, in deriving results on the remainder of the constructions given here, we shall always appeal implicitly to the detail from section 2.4 and that from figure 2.5.
2.10.1 Finite set of traces
Where $T$ is a finite, non-empty set of traces (not necessarily prefix-closed),
$FST(T) \triangleq \Box_{t \in T} TP_t.$
The identifier $FST$ is used to indicate finite set of traces. In the event that $T$ is the singleton set $\{t\}$, we may use $FST(t)$ in lieu of $FST(T)$. The necessary properties of $FST(T)$ are then given by the following result, which follows easily from proposition 2.10.
Proposition 2.12. Let $T$ be a finite, non-empty set of traces. Then the following hold:
1. $\tau FST(T) = \mathit{Pref}(T)$.
2. $\beta(FST(T)) = \bigcup_{t \in T} \mathit{events}(t)$.
2.10.2 Single failure and finite set of traces
We now show how to construct a process around a single failure and a finite, non-empty set of traces. We use the identifier $SFT$ here to indicate single failure and traces and, where $T$ is a finite, non-empty set of traces and $(t, R)$ is a failure, define:
$SFT((t, R), T) \triangleq FP(t, R) \sqcap (\Box_{u \in T} TP_u).$
The necessary properties of $SFT((t, R), T)$ are given by the following result, which follows from propositions 2.10 and 2.11.
Proposition 2.13. Let $T$ be a finite, non-empty set of traces and $(t, R)$ be a failure. Then the following hold:
1. $\tau SFT((t, R), T) = \mathit{Pref}(T) \cup \mathit{Pref}(t) \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\}$.
2. $\phi SFT((t, R), T) = \{(t, X) \mid X \subseteq R\}$.
3. $\beta(SFT((t, R), T)) = \mathit{events}(t) \cup (\Sigma - R) \cup \bigcup\{\mathit{events}(u) \mid u \in T\}$.
2.10.3 Refusal-maximal failure and traces of specified process
Before proceeding to give the definition of the process which is used here, we observe the following standard result (recalling that $|||$ denotes $\parallel_\emptyset$).
Proposition 2.14. The following hold:
1. $\tau(P \,|||\, \mathit{DIV}) = \tau P$.
2. $\phi(P \,|||\, \mathit{DIV}) = \emptyset$.
3. $\beta(P \,|||\, \mathit{DIV}) = \beta(P)$.
We now show how to construct a process around a single failure (which will be refusal-maximal in practice) and the traces of a specified process. We use the identifier $MFP$ here to indicate maximal failure and process and, where $P$ is a process and $(t, R)$ is a failure, define:
$MFP((t, R), P) \triangleq FP(t, R) \sqcap (P \,|||\, \mathit{DIV}).$
The necessary properties of $MFP((t, R), P)$ are given by the following result.
Proposition 2.15. Let $P$ be a process and $(t, R) \in \phi P$ be refusal-maximal. Then the following hold:
1. $\tau MFP((t, R), P) = \tau P$.
2. $\phi MFP((t, R), P) = \{(t, X) \mid X \subseteq R\}$.
3. $\beta(MFP((t, R), P)) = \beta(P)$.
Proof. 1. By proposition 2.11(1) and proposition 2.14(1), we observe that
$\tau MFP((t, R), P) = \tau P \cup \mathit{Pref}(t) \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\}.$
Since $(t, R) \in \phi P$, we have that $t \in \tau P$ by condition SF2 and so $\mathit{Pref}(t) \subseteq \tau P$ by SF1. Moreover, we have that $\{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\} \subseteq \tau P$ by proposition 2.5. The proof of this part follows.
2. The proof of this part follows by proposition 2.11(2) and proposition 2.14(2).
3. By proposition 2.11(3) and proposition 2.14(3), we observe that
$\beta(MFP((t, R), P)) = \beta(P) \cup \mathit{events}(t) \cup (\Sigma - R).$
By the proof of part 1 of the proposition,
$\{t\} \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\} \subseteq \tau P.$
If we take $\alpha P = \beta(P)$, it follows by PA1 that $\tau P \subseteq \beta(P)^*$ and hence $\mathit{events}(t) \cup (\Sigma - R) \subseteq \beta(P)$. □
2.10.4 Refusal-maximal failure, finite set of traces and process
Finally, we show how to construct a process around a single failure (which will be refusal-maximal in practice), a finite, non-empty set of traces, and the traces and failures of a specified process. We use the identifier $MFTP$ here to indicate maximal failure, traces and process and, where $P$ is a process, $T$ is a finite, non-empty set of traces and $(t, R)$ is a failure, define:
$MFTP((t, R), T, P) \triangleq SFT((t, R), T) \sqcap P.$
The necessary properties of $MFTP((t, R), T, P)$ are given by the following result.
Proposition 2.16. Let $P$ be a process and $T$ a finite, non-empty set of traces. Let the failure $(t, R)$ be such that $(t, X) \in \phi P$ is refusal-maximal and $X \subseteq R$. Then the following hold:
1. $\tau MFTP((t, R), T, P) = \mathit{Pref}(T) \cup \tau P$.
2. $\phi MFTP((t, R), T, P) = \{(t, Z) \mid Z \subseteq R\} \cup \phi P$.
3. $\beta(MFTP((t, R), T, P)) = \beta(P) \cup \bigcup\{\mathit{events}(u) \mid u \in T\}$.
Proof. 1. By proposition 2.13(1),
$\tau MFTP((t, R), T, P) = \mathit{Pref}(T) \cup \mathit{Pref}(t) \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\} \cup \tau P.$
By a proof similar to that of part 1 of proposition 2.15 and since $X \subseteq R$, we have that $\mathit{Pref}(t) \cup \{t^\frown\langle a\rangle \mid a \in (\Sigma - R)\} \subseteq \tau P$.
2. The proof of this part follows by proposition 2.13(2).
3. By proposition 2.13(3), $\beta(MFTP((t, R), T, P))$ is given by:
$\beta(P) \cup \mathit{events}(t) \cup (\Sigma - R) \cup \bigcup\{\mathit{events}(u) \mid u \in T\}.$
By a proof similar to that of part 3 of proposition 2.15 and since $X \subseteq R$, we have that $\mathit{events}(t) \cup (\Sigma - R) \subseteq \beta(P)$. □
2.11 Further consideration of parallel composition
In the traces and stable failures models, we almost always use a restricted form of parallel composition, where processes (and sets of behaviours) have to synchronize on at least those events in which they can both engage. The following results concern the semantics of this restricted form of parallel composition. In general, they will be appealed to implicitly when needed.
2.11.1 Traces
Theorem 2.17. Let $P, Q$ be processes and $Y = \alpha P \cap \alpha Q$. Then:
$\tau(P \parallel_Y Q) = \{t \in (\alpha P \cup \alpha Q)^* \mid (\exists s \in \tau P, u \in \tau Q)\ t \restriction \alpha P = s \wedge t \restriction \alpha Q = u\}$.
Proof. The proof in both directions proceeds by a straightforward induction on the length of traces using PA1, the definition of $\parallel_Y$ given in figure 2.2 and the fact that:
• If $a \in Y$ then $a \in \alpha P$ and $a \in \alpha Q$.
• If $a \notin Y$ then $a$ cannot be in both $\alpha P$ and $\alpha Q$.
2.11.2 Stable failures
A similar result is given here with respect to the stable failures of (syntactic) parallel compositions. However, we first give a more generic result in terms of parallel composition of sets of failures. This allows us to prove what we need here and is also reused in chapter 3. Since alphabets are calculated syntactically and so cannot be generated as such for an arbitrary set of failures, $\mathcal{R}$ is used to capture the property of process alphabets which is crucial here.
Definition 2.5. Let $F$ be a set of stable failures. Then $\mathcal{R}(F)$ is the set of all $A \subseteq \Sigma$ such that
$(t, R) \in F \Rightarrow (t, R \cup (\Sigma - A)) \in F$.
The following result shows that any parallel composition of subset-closed sets of failures also enjoys the property of subset-closure.
Proposition 2.18. If $F_1, F_2$ are subset-closed sets of stable failures and $Y \subseteq \Sigma$, then $F_1 \parallel_Y F_2$ is also subset-closed.
Proof. Let $(t, R) \in F_1 \parallel_Y F_2$ and $Z \subseteq R$. We show that $(t, Z) \in F_1 \parallel_Y F_2$. By definition of $\parallel_Y$ in section 2.4.2, there are $(s, S) \in F_1$, $(u, U) \in F_2$ such that:
$t \in (s \parallel_Y u)$, $R = S \cup U$ and $S - Y = U - Y$.
Let $S' = S \cap Z$ and $U' = U \cap Z$. Then $S' - Y = U' - Y$. Moreover, since $Z \subseteq S \cup U$, $S' \cup U' = (S \cap Z) \cup (U \cap Z) = (S \cup U) \cap Z = Z$. Hence, the only thing left to prove is that $(s, S') \in F_1$ and $(u, U') \in F_2$, which follows by the subset-closure of $F_1$ and $F_2$. □
We now give the generic result, before using it to prove the final result we want.
Proposition 2.19. Let $F_1, F_2$ be subset-closed sets of stable failures, $A_1 \in \mathcal{R}(F_1)$, $A_2 \in \mathcal{R}(F_2)$ and $A_1 \cap A_2 = Y$. Then:
$F_1 \parallel_Y F_2 = \{(t, S \cup U \cup Z) \mid Z \subseteq (\Sigma - (A_1 \cup A_2)) \wedge ((\exists (s, S) \in F_1, (u, U) \in F_2)\ t \in (s \parallel_Y u) \wedge S \subseteq A_1 \wedge U \subseteq A_2)\}$
Proof. ($\subseteq$) Let $(t, R) \in (F_1 \parallel_Y F_2)$. Moreover, let $C = R \cap (A_1 \cup A_2)$, $D = R - (A_1 \cup A_2)$ and so $C \cup D = R$. By proposition 2.18, $(t, C) \in (F_1 \parallel_Y F_2)$. By definition of $\parallel_Y$ in section 2.4.2, there are $(s, S') \in F_1$ and $(u, U') \in F_2$ such that:
$t \in (s \parallel_Y u)$, $C = S' \cup U'$ and $S' - Y = U' - Y$.
The latter and $A_1 \cap A_2 = Y$ means that $S' - A_1 = U' - A_1$ and $S' - A_2 = U' - A_2$.
Let $S = S' - (A_2 - A_1)$ and $U = U' - (A_1 - A_2)$. We have $S \subseteq A_1$ and $U \subseteq A_2$ and, by the subset-closure of $F_1$ and $F_2$, $(s, S) \in F_1$ and $(u, U) \in F_2$. Hence, since $D \subseteq (\Sigma - (A_1 \cup A_2))$, the only thing to prove is that $S' \cup U' = S \cup U$. We have:
$S \cup U = (S' - (A_2 - A_1)) \cup (U' - (A_1 - A_2))$
$= (S' - A_2) \cup (S' \cap A_1 \cap A_2) \cup (U' - A_1) \cup (U' \cap A_1 \cap A_2)$
$= (S' - A_2) \cup (U' - A_2) \cup (S' \cap A_1 \cap A_2) \cup (U' - A_1) \cup (S' - A_1) \cup (U' \cap A_1 \cap A_2)$
$= S' \cup U'$.
($\supseteq$) Let $t$, $(s, S)$, $(u, U)$, $Z$ be as in the definition of $X$. We have to show that $(t, S \cup U \cup Z) \in (F_1 \parallel_Y F_2)$, where $\parallel_Y$ is as defined in section 2.4.2. Let $S' = Z \cup S \cup (U - Y)$ and $U' = Z \cup U \cup (S - Y)$. Since $U \subseteq A_2$ and $Y = A_1 \cap A_2$, $(U - Y) \cap A_1 = \emptyset$. Hence, $(Z \cup (U - Y)) \subseteq (\Sigma - A_1)$ and so $(s, S') \in F_1$ by definition 2.5 and by the subset-closure of $F_1$. Similarly, $(u, U') \in F_2$. Moreover,
$S' \cup U' = Z \cup S \cup (U - Y) \cup Z \cup U \cup (S - Y) = Z \cup S \cup U$.
Hence, the only thing we need to show is that $S' - Y = U' - Y$. In other words, that
$(Z \cup S \cup (U - Y)) - Y = (Z \cup U \cup (S - Y)) - Y$
which is equivalent to
$Z \cup (S - Y) \cup (U - Y) = Z \cup (U - Y) \cup (S - Y)$
which clearly holds. □
Theorem 2.20. Let $P$ and $Q$ be processes and $Y = \alpha P \cap \alpha Q$. Then:
$\phi(P \parallel_Y Q) = \{(t, S \cup U \cup Z) \mid Z \subseteq (\Sigma - (\alpha P \cup \alpha Q)) \wedge ((\exists (s, S) \in \phi P, (u, U) \in \phi Q)\ t \in (s \parallel_Y u) \wedge S \subseteq \alpha P \wedge U \subseteq \alpha Q)\}$
Proof. By the definition in figure 2.3, $\phi(P \parallel_Y Q) = \phi P \parallel_Y \phi Q$. By SF3, $\phi P$ and $\phi Q$ are both subset-closed. By PA2, $\alpha P \in \mathcal{R}(\phi P)$ and $\alpha Q \in \mathcal{R}(\phi Q)$. The proof follows by proposition 2.19. □
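As an added worked example (not part of the thesis), the following Python code computes the parallel composition $F_1 \parallel_Y F_2$ of two sets of stable failures by brute force, directly from the definition recalled in the proof of proposition 2.18 (there are $(s, S) \in F_1$, $(u, U) \in F_2$ with $t \in (s \parallel_Y u)$, $R = S \cup U$ and $S - Y = U - Y$), and then checks proposition 2.18 (subset-closure) and the characterisation of $\phi(P \parallel_Y Q)$ in theorem 2.20. The event universe $\Sigma = \{a, b, c, d\}$ and the two components $P = a \to b \to STOP$ (with $\alpha P = \{a, b\}$) and $Q = b \to c \to STOP$ (with $\alpha Q = \{b, c\}$) are constructed here for illustration; their failures are built from their initials in each state, which is the stable failures semantics of a deterministic, divergence-free process.

```python
# Added example (not from the thesis): parallel composition of failure sets
# per section 2.4.2, checked against proposition 2.18 and theorem 2.20 on a
# constructed pair of processes. Traces are tuples of event names, refusal sets
# are frozensets.
from itertools import combinations

SIGMA = frozenset("abcd")        # constructed universe of events


def subsets(s):
    s = tuple(sorted(s))
    return [frozenset(c) for k in range(len(s) + 1) for c in combinations(s, k)]


def failures_from_initials(initials):
    """Failures of a deterministic, divergence-free process given as a map
    trace -> set of initial events: after t it can refuse any X disjoint
    from its initials (subset-closed, as SF3 requires)."""
    return {(t, X) for t, ini in initials.items() for X in subsets(SIGMA - ini)}


def sync_interleave(s, u, Y):
    """The set of traces s ||_Y u: events in Y are taken jointly, others interleave."""
    if not s and not u:
        return {()}
    out = set()
    if s and s[0] not in Y:
        out |= {(s[0],) + t for t in sync_interleave(s[1:], u, Y)}
    if u and u[0] not in Y:
        out |= {(u[0],) + t for t in sync_interleave(s, u[1:], Y)}
    if s and u and s[0] in Y and s[0] == u[0]:
        out |= {(s[0],) + t for t in sync_interleave(s[1:], u[1:], Y)}
    return out


def failures_parallel(F1, F2, Y):
    """(t, R) in F1 ||_Y F2 iff there are (s, S) in F1 and (u, U) in F2 with
    t in (s ||_Y u), R = S u U and S - Y = U - Y (definition in section 2.4.2)."""
    result = set()
    for (s, S) in F1:
        for (u, U) in F2:
            if S - Y == U - Y:
                result |= {(t, S | U) for t in sync_interleave(s, u, Y)}
    return result


def is_subset_closed(F):
    """Proposition 2.18: every (t, X) with X a subset of a refusal R is present."""
    return all((t, X) in F for (t, R) in F for X in subsets(R))


def theorem_2_20_rhs(F1, F2, A1, A2):
    """{(t, S u U u Z) | Z <= Sigma - (A1 u A2), (s, S) in F1, (u, U) in F2,
    t in (s ||_Y u), S <= A1, U <= A2} with Y = A1 n A2."""
    Y = A1 & A2
    rhs = set()
    for (s, S) in F1:
        if not S <= A1:
            continue
        for (u, U) in F2:
            if not U <= A2:
                continue
            for t in sync_interleave(s, u, Y):
                rhs |= {(t, S | U | Z) for Z in subsets(SIGMA - (A1 | A2))}
    return rhs


# Constructed components: P = a -> b -> STOP with alpha P = {a, b},
# Q = b -> c -> STOP with alpha Q = {b, c}; d lies outside both alphabets.
ALPHA_P, ALPHA_Q = frozenset("ab"), frozenset("bc")
PHI_P = failures_from_initials({(): {"a"}, ("a",): {"b"}, ("a", "b"): set()})
PHI_Q = failures_from_initials({(): {"b"}, ("b",): {"c"}, ("b", "c"): set()})


def composed_failures():
    """phi(P ||_Y Q) with Y = alpha P n alpha Q = {b}, via the definition."""
    return failures_parallel(PHI_P, PHI_Q, ALPHA_P & ALPHA_Q)


def check_theorem_2_20():
    F = composed_failures()
    return is_subset_closed(F) and F == theorem_2_20_rhs(PHI_P, PHI_Q, ALPHA_P, ALPHA_Q)
```

The `S - Y == U - Y` test is what enforces that the two components agree on refusals outside the synchronisation set, and `theorem_2_20_rhs` shows how the theorem moves that agreement into the side condition $S \subseteq \alpha P$, $U \subseteq \alpha Q$ plus the free set $Z$ of events outside both alphabets (here only $d$). Both computations yield the same set of failures for $P \parallel_{\{b\}} Q$, for instance $((), \{b, c, d\})$ initially and $(\langle a, b \rangle, \{a, b, d\})$ once $Q$ alone can still perform $c$.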
2.12 Model-checking CSP
The tool FDR2 may be used to perform model-checking of CSP processes. Specifically, we may check whether or not one process refines another in each of the three semantic models, as well as performing checks for determinism, deadlock-freedom and divergence-freedom. The tool takes as input a text file containing process descriptions written in the machine-readable dialect of CSP. (See [63] or the FDR2 manual ([64]) for details.) Any operators used in this thesis to define processes to be supplied as input to FDR2 have a direct counterpart in the machine-readable syntax.
2.12.1 Additional operators
There are two operators and one construct which are used in defining processes in chapter 7 and appendix D which have not yet been introduced. (Note that they are not used in any processes for which we have to derive a formal semantics.)
if B then P else Q is the process which behaves like $P$ if the boolean expression $B$ evaluates to true and otherwise behaves like $Q$. (In defining boolean expressions, we use tests for equality, ==, tests for inequality, !=, and the connectives "and" and "or".)
Where $c$ is a channel and $x$ is a variable, $c?x \to P(x)$ denotes the process which waits for input on channel $c$; when it receives a value $v$ on $c$, it then proceeds to behave as $P$ with $v$ substituted for $x$ in $P$. Due to the finiteness of channel data types, $c?x \to P(x)$ may be represented as $\Box_{c.x \in \alpha c}\, c.x \to P(x)$. A more general version of this construct is also used, where data transfer can be in several directions at once. For example, where the type of channel $c$ is given by the types $T_1, \ldots, T_5$, and $x_i$ is a variable and $v_j \in T_j$ a concrete value for $1 \le i, j \le 5$,
$c?x_1!v_2!v_3?x_4!v_5 \to P(x_1, x_4)$
may be used to input values into the variables $x_1$ and $x_4$ and to communicate the concrete data values $v_2$, $v_3$ and $v_5$: in such a data transfer, ? is used to denote the input of a value into the variable immediately to its right; ! is used to denote the communication or output of the concrete value immediately to its right. $c?x_1!v_2!v_3?x_4!v_5 \to P(x_1, x_4)$ may be represented as:
Note also that ! should only be used to the right of the first occurrence of ?. Thus,
$c.v_1.v_2.v_3?x_4!v_5 \to P(x_4)$
is the correct way to write the process which, on its first event, communicates the concrete values $v_1$, $v_2$, $v_3$ and $v_5$ and reads data into the variable $x_4$, while
is incorrect.
The other new construct used is the let ... within notation, used to make definitions local to an expression. It is generally used in the following manner:
$P(x, y, V) \triangleq$ let $P(v) = \ldots$ within $P(V)$.
In such a case, we are effectively defining the process $P(v)$, which will have $v$ initialised to $V$ and within which $x$ and $y$ are constants, for example channel names. It allows us to easily define a family of processes which differ only in the values stored by the constants $x$ and $y$. (See chapter 7 for examples of this.)
Further details on all of these language features can be found in [63].
2.12.2 Channels and data types
The following are the constructs which we shall need to declare channels and data types in FDR2. A channel $c$ with data type $d$ is declared as follows:
channel c : d
A set may be assigned an identifier as in the construct:
data = {0, 1}
data is then regarded as a data type. The data type $d$ which consists of the product of the data types $d_1, d_2, \ldots, d_n$ may be declared:
Note also that $d_1.d_2 \ldots d_{n-1}.d_n$ may be regarded itself as a data type. Finally, the data type $d$ which consists of the constants $C_1, C_2, \ldots, C_n$ may be declared:
datatype d = C1 | C2 | ... | Cn
Note that none of the constants $C_i$ need exist prior to such a declaration.
2.12.3 Immediately diverging process
The immediately diverging process does not have a distinguished syntactic representation in FDR2 and so we define $DIV$ thus:
$DIV \triangleq X \setminus \{a\}$ where $X = a \to X$.
Processes which include $DIV$ in their definition may still be treated as guarded (even though the definition given here for it introduces hiding), since we have a direct statement of its semantics and so may still regard it as a syntactic constant.
2.13 Running example
We are now in a position to give a CSP rendering of the example processes given in figure 1.1. They are used in the remainder of the thesis as an aid to explanation. We assume that channels $in$, $out$, $send$ and $data$ all communicate values from $\{0, 1\}$; we also assume that all events which may be communicated on channels $in$ and $out$ are finally visible. The specification network from the figure, which we denote $SpecNet$, is defined as follows
$SpecNet \triangleq LeftSpec \parallel_{\alpha send} RightSpec$
where
• $LeftSpec = \Box_{v \in \{0,1\}} (in.v \to send.v \to LeftSpec)$.
• $RightSpec = \Box_{v \in \{0,1\}} (send.v \to out.v \to RightSpec)$.
The specification network effectively functions therefore as a two-slot buffer. The implementation network, $ImplNet$, is defined as:
$ImplNet \triangleq LeftImpl \parallel_{\alpha data \cup \alpha ack} RightImpl$
where
$LeftImpl = \Box_{v \in \{0,1\}} (in.v \to data.v \to LI(v))$
$LI(x) = (ack.yes \to LeftImpl) \Box (ack.no \to data.x \to LeftImpl)$
and
$RightImpl = \Box_{v \in \{0,1\}} (data.v \to (RI(v) \sqcap RI'))$
$RI(x) = ack.yes \to out.x \to RightImpl$
$RI' = ack.no \to \Box_{w \in \{0,1\}} (data.w \to out.w \to RightImpl)$.
Here, $LeftImpl$ sends on the channel $data$ the value it has just received; in the event that a negative acknowledgement is subsequently received (i.e. $ack.no$ occurs) then the value is resent on $data$. The non-deterministic choice operator in $RightImpl$ is used to model the possibility that the message transmission on $data$ may be lost or corrupted: if it is lost or corrupted, then $RightImpl$ communicates the event $ack.no$ and waits for the value to be resent; otherwise it communicates $ack.yes$ and outputs on the channel $out$ the value it has just received.
Chapter 3 Towards a theory of refinement-after-hiding
In the papers [39], [40] and [12] one can observe the evolution of a notion of refinement-after-hiding which has its roots in [49] and an attempt to present a formal notion of what it means for one process to be a valid implementation of another when replication¹ is used as a reification technique. Two main issues were raised on completion of the work in [12]. Firstly, the notion of refinement-after-hiding presented there could not be used to verify compositionally that an implementation network refined a specification network in terms of standard CSP refinement in anything other than the traces model. Once failures were introduced, the refinement relation whose existence could be proved was non-standard. Secondly, the conceptualisation of the existing notion was based quite closely on the fault-tolerance mechanisms, such as replication, which had inspired it originally. This had the effect that there was no characterisation in the most general sense of what it meant to be a notion of refinement-after-hiding. One of the major consequences of this was that it was not clear which parts of the existing framework were absolutely necessary and which could be dispensed with or altered.
The work in this chapter aims, therefore, to address each of these issues. We take from [12] the most fundamental features of the treatment given there. These are essentially the use of an interpretive mapping, along with certain restrictions on the sets which may be hidden and on which parallel composition may occur as we build our implementation networks (these restrictions are stated in section 3.2.6). We then present a statement of what it means to constitute a notion of refinement-after-hiding in a general sense, along with a basic set of conditions on our interpretive mapping which are sufficient to guarantee that it may be used as a basis for such a notion. From these rather abstract conditions we derive in each of the three semantic models a set of more detailed conditions which themselves define a notion of refinement-after-hiding. At a stroke this generates a solution to the problems encountered when working in models incorporating failures. It also gave, among other things, a framework within which extensions and improvements to the work in [12] could be considered; this issue is discussed at greater length in chapter 4, where such extensions and improvements are presented.
¹ See [49] for a description of replication.
3.1 The basic framework
We assume the existence of a semantic mapping,² $\lambda$, from process denotations to sets of behaviours or pairs of sets of behaviours as appropriate.³ Intuitively, $\lambda$ transforms an implementation process so that the resulting behaviours may be compared directly with those of the specification.⁴ It is best regarded as a meta-mapping, representing all possible concrete mappings which we might use in practice. We use $Q \sqsupseteq^{\lambda}_{X} P$ to indicate that the process $Q$ refines-after-hiding the process $P$, under the mapping $\lambda$, in the semantic model $X \in \{T, SF, FD\}$ and define it as follows.
Definition 3.1. $Q \sqsupseteq^{\lambda}_{X} P$ if and only if $\lambda([\![Q]\!]_X)$ is defined and $\lambda([\![Q]\!]_X) \subseteq [\![P]\!]_X$.
Component processes will be placed in context to form a network and we shall restrict the form of the contexts which may be used so that networks may be built only from component processes and the hiding and parallel composition operators. A (syntactic) context, $Con$, may be defined using the following grammar, where $V, V_1, V_2$ represent process variables and $A, Y$ represent sets of events.⁵
$Con = V \setminus A \mid V_1 \parallel_Y V_2 \mid Con \setminus A \mid Con \parallel_Y Con \mid Con \parallel_Y V \mid V \parallel_Y Con$.
² We choose to work with a semantic rather than a syntactic mapping for a number of reasons. These are considered in chapter 5, in the context of a discussion of related work.
³ The sets of behaviours returned will be traces, failures or divergences as appropriate.
⁴ This implies that $\lambda$ is an interpretive mapping which makes behaviours more abstract, since "specification behaviours" are usually abstract and "implementation behaviours" more concrete. However, there is nothing in the theory developed here which requires this and so $\lambda$ may also be used to interpret abstract behaviours at a more concrete level: this might be necessary if we wanted to show that a particular specification network refined the corresponding implementation network in order to show that the two were equivalent. As a result, it is perhaps best to view "implementations" as simply those processes which are interpreted using $\lambda$ and "specifications" as those processes in whose behaviours we check for containment of those interpreted "implementation" behaviours.
⁵ Strictly speaking, brackets should also be placed around any parallel composition. However, their absence will not cause us any problems in this chapter and so we omit them for purposes of presentation. (Recall that the hiding operator is left-associative and so it need not be bracketed.)
In order to relate an implementation context to the corresponding specification context, we overload the mapping, $\lambda$, and apply it to that implementation context. This means that $\lambda$ must be defined over contexts, which, in turn, necessitates its definition over the parallel composition and hiding operators. The effect of applying $\lambda$ to a context is defined recursively in figure 3.1; for $A, Y \subseteq \Sigma$, $\lambda(\setminus A)$ returns $\setminus B$ for some set of events $B$ and $\lambda(\parallel_Y)$ returns $\parallel_Z$ for some set of events $Z$ (we shall see in section 3.3 how to characterize $B$ and $Z$ exactly).
Definition 3.2. Let $A, Y \subseteq \Sigma$. Then $\lambda(\setminus A) = \setminus B$ and $\lambda(\parallel_Y) = \parallel_Z$, for some $B, Z \subseteq \Sigma$.
Effectively, $\lambda$ transforms a context by transforming in turn each operator contained therein: more specifically, it transforms the set of events with which the relevant operator is parameterized to reflect the fact that implementation processes may be expressed at a different level of abstraction to specification processes. Note that definition 3.2 defines $\lambda$ over both the syntactic and semantic operators⁶ of hiding and parallel composition, since the textual representation of the syntactic version of either hiding or parallel composition is the same as that of its semantic counterpart. Of course, we assume that $\lambda$ applied to a syntactic operator returns a syntactic operator and $\lambda$ applied to a semantic operator returns a semantic operator.
We introduce the notation $Fvis$ to denote the set of finally visible events, in which both implementation and specification processes may engage. In order for $\sqsupseteq^{\lambda}_{X}$ for $X \in \{T, SF, FD\}$ to constitute an acceptable notion of refinement-after-hiding, the following condition must then be met, where $F_{impl}$ and $F_{spec}$, each containing $n$ process variables, are implementation and specification contexts respectively and $F_{spec} \triangleq \lambda(F_{impl})$; also, $Q_1, \ldots, Q_n$ and $P_1, \ldots, P_n$ are processes.
Condition 1. If $Q_i \sqsupseteq^{\lambda}_{X} P_i$ for $1 \le i \le n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsupseteq_X F_{spec}(P_1, P_2, \ldots, P_n)$.
For $1 \le i \le n$, $Q_i$ is a component implementation process and $P_i$ is the corresponding component specification process. $F_{impl}(Q_1, Q_2, \ldots, Q_n)$ then gives an implementation network and $F_{spec}(P_1, P_2, \ldots, P_n)$ the corresponding specification network.⁷ Intuitively, if the implementation network may engage only in finally visible events then any external behaviour decomposition and/or relaxation of atomicity which was used in deriving $Q_i$ from $P_i$, where $1 \le i \le n$, has been hidden. This means that the implementation and specification networks may be related using standard CSP refinement.
$\lambda(V \setminus A) \triangleq V\ \lambda(\setminus A)$.
$\lambda(V_1 \parallel_Y V_2) \triangleq V_1\ \lambda(\parallel_Y)\ V_2$.
$\lambda(Con \setminus A) \triangleq \lambda(Con)\ \lambda(\setminus A)$.
$\lambda(Con \parallel_Y Con) \triangleq \lambda(Con)\ \lambda(\parallel_Y)\ \lambda(Con)$.
$\lambda(Con \parallel_Y V) \triangleq \lambda(Con)\ \lambda(\parallel_Y)\ V$.
$\lambda(V \parallel_Y Con) \triangleq V\ \lambda(\parallel_Y)\ \lambda(Con)$.
Figure 3.1: Defining $\lambda$ over contexts, where $V, V_1, V_2$ are process variables and $A, Y \subseteq \Sigma$
⁶ Recall that syntactic operators take processes as arguments and semantic operators take sets of behaviours or pairs of sets of behaviours as arguments.
⁷ Note that we will use the generic term implementation process to refer to any $Q \in Imp(F_{impl}(Q_1, Q_2, \ldots, Q_n))$. ($Imp$ is defined in definition 2.3 in section 2.7.) What it means to constitute an implementation process will be made more formal in section 3.2.
In view of condition 1, the main problem in defining a notion of refinement-after-hiding in practice lies not in giving a general definition of $\lambda$ which has the required properties.⁸ Rather, it is to define equations on $\lambda$ such that the property of condition 1 is met and our refinement-after-hiding relation is as large as possible. This is another significant factor leading us to derive a notion of refinement-after-hiding rather than building from the bottom up a set of conditions which happen to imply condition 1.
We therefore need an appropriate high-level approximation of condition 1 which is as weak as possible and from which such a set of equations may be derived. The conditions RAH1-3 given in figure 3.2 fulfil this role: by theorem 3.1 below they are sufficient to imply condition 1, while imposing few restrictions on $\lambda$ and so on any notion of refinement-after-hiding based thereon.
RAH1 If $\alpha Q \subseteq Fvis$ then $\lambda([\![Q]\!]_X)$ is defined and $\lambda([\![Q]\!]_X) = [\![Q]\!]_X$.
RAH2 If $\lambda([\![Q]\!]_X)$ is defined and $\lambda(\setminus A) = \setminus B$, then $\lambda([\![Q \setminus A]\!]_X)$ is defined and $\lambda([\![Q \setminus A]\!]_X) = \lambda([\![Q]\!]_X) \setminus B$.
RAH3 If $\lambda([\![P]\!]_X)$, $\lambda([\![Q]\!]_X)$ are defined and $\lambda(\parallel_Y) = \parallel_Z$ then:
- $\lambda([\![P \parallel_Y Q]\!]_X)$ is defined.
- $\lambda([\![P \parallel_Y Q]\!]_X) = \lambda([\![P]\!]_X) \parallel_Z \lambda([\![Q]\!]_X)$.
Figure 3.2: Conditions from which the theory will be derived, where $P, Q$ are implementation processes, $X \in \{T, SF, FD\}$ and $A, Y \subseteq \Sigma$
Theorem 3.1. If conditions RAH1-3 hold of $\lambda$, then condition 1 also holds.
Proof. Let $Q_1, \ldots, Q_n$ and $P_1, \ldots, P_n$ be processes; let $F_{impl}$ and $F_{spec}$ be contexts each containing $n$ process variables such that $\lambda(F_{impl}) = F_{spec}$. We assume $Q_i \sqsupseteq^{\lambda}_{X} P_i$ for $1 \le i \le n$, i.e. $\lambda([\![Q_i]\!]_X)$ is defined and $\lambda([\![Q_i]\!]_X) \subseteq [\![P_i]\!]_X$, and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$. By induction on the number of operators in $F_{impl}$ using conditions RAH2 and RAH3 and also the information in figure 3.1, we have
$\lambda([\![F_{impl}(Q_1, Q_2, \ldots, Q_n)]\!]_X) = F_{spec}(\lambda([\![Q_1]\!]_X), \lambda([\![Q_2]\!]_X), \ldots, \lambda([\![Q_n]\!]_X))$.
By inductive application of proposition 2.8,
$F_{spec}(\lambda([\![Q_1]\!]_X), \lambda([\![Q_2]\!]_X), \ldots, \lambda([\![Q_n]\!]_X)) \subseteq F_{spec}([\![P_1]\!]_X, [\![P_2]\!]_X, \ldots, [\![P_n]\!]_X)$.
By inductive application of proposition 2.1,
$F_{spec}([\![P_1]\!]_X, [\![P_2]\!]_X, \ldots, [\![P_n]\!]_X) = [\![F_{spec}(P_1, P_2, \ldots, P_n)]\!]_X$.
Hence, by RAH1,
$[\![F_{impl}(Q_1, Q_2, \ldots, Q_n)]\!]_X \subseteq [\![F_{spec}(P_1, P_2, \ldots, P_n)]\!]_X$. □
⁸ For example, the identity mapping would suffice here but would not give us any extra power: in fact, in this case, our notion of refinement-after-hiding would be equivalent to standard CSP refinement.
Comments on RAH1-3
The roles of the conditions RAH1-3 are made clear by their use in the proof of theorem 3.1 and this proof also makes clear the role of the finally visible events from $Fvis$. That RAH1-3 are stated in terms of equalities (for example, we have $\lambda([\![Q \setminus A]\!]_X) = \lambda([\![Q]\!]_X) \setminus B$ rather than $\lambda([\![Q \setminus A]\!]_X) \subseteq \lambda([\![Q]\!]_X) \setminus B$) is crucial as we derive the theory which is presented in this chapter. However, the detailed conditions which form this theory are only sufficient in general to imply versions of RAH2 and RAH3 with $\subseteq$ substituted for $=$. Were they to imply the original versions of these conditions, they would place restrictions on $\lambda$ which would make it difficult to use in practice. This is why condition 1 uses containment and refinement rather than equality and equivalence. These issues are discussed at greater length at the appropriate points below.
3.1.1 Applying $\lambda$ in the traces model
In general, we define the effect of applying $\lambda$ to a particular process denotation in terms of applying it to the individual behaviours which constitute that denotation. Since it is needed in the next section, we give here the necessary definition for the traces model.
Definition 3.3. Let $T$ be a set of traces and $u$ a trace. If $\lambda(u)$ is defined, then $\lambda(u)$ returns a trace. Moreover:
1. $\lambda(T)$ is defined if and only if $\lambda(t)$ is defined for every $t \in T$.
2. If $\lambda(T)$ is defined, $\lambda(T) \triangleq \{\lambda(t) \mid t \in T\}$.
We shall also require the monotonicity of $\lambda$ defined over traces and the fact that the domain of $\lambda$ over traces is prefix-closed:
TR-MONO If $\lambda(t)$ and $\lambda(u)$ are defined and $t \le u$, then $\lambda(t) \le \lambda(u)$.
PREF-CLOS If $\lambda(u)$ is defined and $t \le u$, then $\lambda(t)$ is defined.
The fact of monotonicity means that receiving more information regarding a particular implementation trace cannot reduce our knowledge about the corresponding specification trace. Moreover, condition PREF-CLOS is a natural requirement once we have assumed monotonicity. In the proofs of results from this chapter, we sometimes have traces $t, u$ such that $\lambda(u)$ is defined, $t \le u$ and we wish to show that $\lambda(t) \le \lambda(u)$. In order to do this, it is necessary to appeal to both TR-MONO and PREF-CLOS. However, in practice, we usually appeal explicitly only to TR-MONO and assume it is understood that PREF-CLOS is also appealed to.
3.2 Sets used in the theory
This section introduces a number of different sets which will be used in the derivation of the theory in this chapter, along with certain restrictions to be placed on implementation networks if they are to be verified using refinement-after-hiding. One of the most important of these sets is $AllSet$, a set of sets of events: we shall require that all alphabets of implementation processes used in this chapter are taken from $AllSet$ and that any hiding operator used to define an implementation context, $F_{impl}$, must be parameterized by a set from $AllSet$; we shall also impose a restriction on the parallel composition to be used in building an implementation network from a set of component processes, so that the composition always synchronizes on a set from $AllSet$. Further details on $AllSet$ and on these restrictions are given in the remainder of this section.
Before proceeding to the derivation of the theory proper, therefore, we fix some notions regarding the nature of the sets we shall use. There are six main sets which we shall need to deal with, two of which have already been introduced. The sixth of these sets is introduced after the other five. (In general, these should be viewed as meta sets, representing all possible such sets with which we might work in practice.)
• $\Sigma_{impl}$, denoting the set of events in which implementation processes may engage.
• $\Sigma_{spec}$, denoting the set of (specification) events which may be "engaged" in by sets of behaviours produced by applying $\lambda$ to (the denotation of) an implementation process.
• $Fvis$, denoting the set of finally visible events.
• $AllSet$, containing all possible sets with which we may parameterize the hiding and parallel composition operators used to construct implementation networks. That we will restrict the sets with which these operators may be parameterized reflects the approach of [12].
• $BTrace$, a non-empty finite⁹ set of implementation traces such that $\lambda(t)$ is defined for every $t \in BTrace$.
Intuitively, $BTrace$ contains only implementation traces which may be regarded as "atoms" or as indivisible in some sense: that is, implementation traces which it does not make sense to decompose further into sub-traces.¹⁰ More specifically, we assume that each specification action in $\Sigma_{spec}$ may be implemented by a (finite) number of implementation traces and that $BTrace$ consists of exactly those traces. For example, $send.0$ from the running example may be implemented by both $\langle data.0, ack.yes \rangle$ and $\langle data.0, ack.no, data.0 \rangle$ and both traces would be members of $BTrace$. It does not make sense to decompose further into sub-traces these particular implementation traces since it is not possible to decompose the high-level action which they are being used to implement.
⁹ Although the proofs of certain results in this chapter as they are presented at the moment require the property of finiteness, it has been realised that they may be presented in such a way that this property is not needed. In any case, the property of finiteness is not needed at all as we prove the sufficiency as a notion of refinement-after-hiding of the conditions which are derived in this chapter.
¹⁰ Note, however, that we do not assume these traces to be "atomic" in the sense that they will execute as indivisible entities: i.e. it is not the case that, when one "atom" is executing, no others may be executing. In practice, they may be interleaved with each other and with other traces not contained in $BTrace$.
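As an added illustration (not the thesis's own definition of $\lambda$, which comes later in section 3.3), the following Python code gives one concrete interpretive mapping on implementation traces of the running example and checks it against definition 3.3 (lifting $\lambda$ to sets of traces) and the conditions TR-MONO and PREF-CLOS of section 3.1.1, using the "atoms" of $BTrace$ just described. The $BTrace$ used is constructed here: the two implementations of $send.v$ from the text, together with the assumption that the finally visible events $in.v$ and $out.v$ form one-event atoms mapped to themselves. The mapping parses a trace as a sequence of atoms followed by at most one incomplete atom, which contributes nothing; that choice is what makes the domain prefix-closed and the mapping monotone.

```python
# Added example (not from the thesis): an illustrative lambda over traces,
# built from a constructed BTrace of atoms for the running example.
# Events are (channel, value) pairs, e.g. ("ack", "no") for ack.no.

# Constructed BTrace: each atom (an implementation trace) is paired with the
# specification action it implements. in.v and out.v are assumed to be atoms.
BTRACE = {}
for v in (0, 1):
    BTRACE[(("in", v),)] = ("in", v)
    BTRACE[(("out", v),)] = ("out", v)
    BTRACE[(("data", v), ("ack", "yes"))] = ("send", v)
    BTRACE[(("data", v), ("ack", "no"), ("data", v))] = ("send", v)


def is_proper_prefix_of_atom(t):
    return any(len(t) < len(atom) and atom[:len(t)] == t for atom in BTRACE)


def lam(t):
    """lambda(t): parse t as a sequence of atoms, possibly followed by a strict
    prefix of an atom still in progress (which contributes no action yet).
    Returns the specification trace, or None when lambda(t) is undefined."""
    if t == () or is_proper_prefix_of_atom(t):
        return ()
    for atom, action in BTRACE.items():
        if t[:len(atom)] == atom:
            rest = lam(t[len(atom):])
            if rest is not None:
                return (action,) + rest
    return None


def lam_set(T):
    """Definition 3.3: lambda(T) is defined iff lambda(t) is defined for every
    t in T, in which case lambda(T) = {lambda(t) | t in T}."""
    images = [lam(t) for t in T]
    return None if any(img is None for img in images) else set(images)


def prefixes(t):
    return [t[:i] for i in range(len(t) + 1)]


def satisfies_tr_mono_and_pref_clos(T):
    """For every u in T with lambda(u) defined and every prefix t of u:
    PREF-CLOS requires lambda(t) to be defined, and TR-MONO requires
    lambda(t) to be a prefix of lambda(u)."""
    for u in T:
        lu = lam(u)
        if lu is None:
            continue
        for t in prefixes(u):
            lt = lam(t)
            if lt is None or lu[:len(lt)] != lt:
                return False
    return True


# Constructed sample traces of ImplNet from section 2.13 (hand-written).
SAMPLE = [
    (("in", 0), ("data", 0), ("ack", "yes"), ("out", 0)),
    (("in", 1), ("data", 1), ("ack", "no"), ("data", 1), ("out", 1)),
    (("in", 0), ("data", 0), ("ack", "yes"), ("in", 1), ("out", 0)),
]
```

For example, `lam` maps $\langle in.0, data.0, ack.no, data.0, out.0 \rangle$ to $\langle in.0, send.0, out.0 \rangle$, while the prefix $\langle in.0, data.0, ack.no \rangle$ maps to $\langle in.0 \rangle$ because the resend atom is not yet complete; a trace that cannot be parsed from atoms at all, such as $\langle ack.yes \rangle$ on its own, is outside the domain, and so by definition 3.3 any set containing it has no image under $\lambda$.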
3.2.1 $\Sigma_{impl}$, $\Sigma_{spec}$ and $BTrace$
For any implementation process $Q$, the possibility should exist that $\lambda(\tau Q)$ is defined. In view of this and definition 3.3, $\Sigma_{impl}$ and $\Sigma_{spec}$ may be characterised more formally as follows. (That $Fvis \subseteq \Sigma_{impl}$ in the following definition reflects the intuition that implementation processes should be free to engage in any of the finally visible events.)
Definition 3.4. We assume that $Fvis \subseteq \Sigma_{impl} \subseteq \Sigma$, $Fvis \neq \emptyset$ and $\Sigma_{spec} \subseteq \Sigma$. Moreover:
1. $\Sigma_{impl} \triangleq \bigcup\{events(t) \mid \lambda(t) \text{ is defined}\} \triangleq \bigcup\{events(t) \mid t \in BTrace\}$.
2. $\Sigma_{spec} \triangleq \bigcup\{events(\lambda(t)) \mid \lambda(t) \text{ is defined}\} \triangleq \bigcup\{events(\lambda(t)) \mid t \in BTrace\}$.
Conditions are also imposed on $BTrace$ as part of this definition: namely that the traces it contains cover exactly the events from $\Sigma_{impl}$ and, after the application of $\lambda$, exactly the events from $\Sigma_{spec}$. We note that this definition is consistent with the intuition given above with respect to the members of $BTrace$. With respect to part 2 of the definition, we assume that, for every $a \in \Sigma_{spec}$, there exists at least one trace, $t$, such that $\lambda(t) = \langle a \rangle$: i.e. such that $t$ implements $a$. By the intuition given above, $BTrace$ would consist of all such $t$.¹¹ With respect to part 1 of the definition, we assume that all traces which an implementation process may execute can be built in some way from the "atoms" in $BTrace$ and so the events of these "atoms" will give exactly the events in $\Sigma_{impl}$. However, it must also be noted that definition 3.4 gives the only formal statement we have of the properties of $BTrace$ (other than the statement in the previous subsection that it is finite and that $\lambda(t)$ is defined for every $t \in BTrace$) and so the intuition that it contains only "atoms" is not recorded formally. In other words, this intuition plays no role in this chapter in the derivation of conditions sufficient to define a notion of refinement-after-hiding, nor does it appear in those conditions themselves. In fact, it is used solely to justify (informally) the restrictions on hiding and parallel composition which have been mentioned above and which are imposed in section 3.2.6. Further consideration of the nature of $BTrace$ is given in section 3.7, once the theory has been presented in its entirety.
¹¹ Since we assumed above that each $a \in \Sigma_{spec}$ is implemented by a finite number of traces and since $\Sigma_{spec}$ is finite, then $BTrace$ constructed in this way would also be finite.
3.2.2 Considering $AllSet$
We now consider $AllSet$ and its definition. In doing so, $MinSet$ is introduced, the sixth of the sets with which we will have to deal: $\Sigma_{impl}$ may be partitioned using the traces of $BTrace$ as a basis and $MinSet$ is defined as the set of sets comprising this partition.
Definition 3.5. $MinSet$ is a partition of $\Sigma_{impl}$ such that, if $t, u \in BTrace$ and $A, B \in MinSet$ where $A \neq B$:
1. If $events(t) \cap A \neq \emptyset$, then $events(t) \subseteq A$.
2. If $events(t) \subseteq A$ and $events(u) \subseteq B$, $events(\lambda(t)) \cap events(\lambda(u)) = \emptyset$.
The sets from $MinSet$ essentially group together (the events from) the traces from $BTrace$ into disjoint sets, where the events from any particular trace in $BTrace$ are contained in only one of the sets. Moreover, the sets in $MinSet$ also enjoy a property of disjointness after applying $\lambda$ to the traces from $BTrace$ whose events they contain. Each set in $AllSet$ is then defined as the union of a number of sets from $MinSet$ (although $AllSet$ also contains the empty set).
Definition 3.6. $AllSet \triangleq \{\bigcup X \mid X \in \mathcal{P}(MinSet)\}$.
By virtue of definitions 3.4 and 3.5, the events of each "atom" in $BTrace$ are totally contained in exactly one set from $MinSet$.¹² Definition 3.6 then means that, for each $t \in BTrace$ and $A \in AllSet$, either $events(t) \subseteq A$ or $events(t) \cap A = \emptyset$. Due to the restrictions which are imposed on implementation processes and networks in section 3.2.6, the hiding and parallel composition operators used to build implementation networks from component implementation processes may be parameterized only with sets from $AllSet$, which means that those operators will regard the traces from $BTrace$ as indivisible entities. That is, either all events from such a trace will be hidden or none will; either we require synchronization in parallel on all the events of such a trace or on none of them. In general, $MinSet$ defines the smallest sets which may be hidden or on which we may synchronize in parallel while still regarding the traces from $BTrace$ as indivisible.¹³
In view of definition 3.6, $A = \bigcup_{i \in I} A_i$ for any set $A \in AllSet$, where $I$ is an indexing set into $MinSet$ and so $A_i \in MinSet$ for every $i \in I$. In the event that $A = \emptyset$, then $I = \emptyset$. Moreover, $MinSet \subseteq AllSet$ and so $A \in AllSet$ for any $A \in MinSet$. The following notation, used to define the smallest set from $AllSet$ in which another specified set is contained, will also prove useful. (In respect of this, note that $\Sigma_{impl} \in AllSet$ by definitions 3.5 and 3.6.)
¹² In terms of the running example, $\{data.0, data.1, ack.yes, ack.no\}$ could constitute a set from $MinSet$: this set contains all events from the atoms $\langle data.0, ack.yes \rangle$, $\langle data.1, ack.yes \rangle$, $\langle data.0, ack.no, data.0 \rangle$ and $\langle data.1, ack.no, data.1 \rangle$.
¹³ We have considered here only the consequences of the restriction imposed by definition 3.5(1). That we ignore definition 3.5(2) is simply because it may actually be derived as part of the theory (see section 3.7). It appears as a definition rather than as a derived theorem since the fact that it could be derived was realised only on a final revision of this thesis.
Definition 3.7. For X ~ E impl , [[X]] denotes the smallest set A E AIlSet 
such that X ~ A. 
When the notation [[X]] is used in what follows, we will only show explic-
itly that X ~ E impl if it is not clear from the context that this is the case. 
In respect of this, we observe that the following hold by definition 3.4. 
• events(s) ~ E impl for s E BTrace. 
• events(t) ~ E impl for any trace t such that events(t) ~ Fvis. 
• events (u) ~ E impl for any trace u such that >.( u) is defined. 
We also define the application of >. to sets from AllSet. This will prove 
to be useful when considering the effect of applying>. to operators. 
Definition 3.8. >'(A) 6 U{ events (>.(t)) I t E BTrace A events(t) ~ A)} 
for A E AllSet. 
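The construction of MinSet, AllSet, $[[X]]$ and $\lambda(A)$ from a set of atoms (definitions 3.5 to 3.8) can be carried out mechanically. The following Python is an added example and is not code from the thesis; it builds the finest partition satisfying definition 3.5(1) by union-find over the events of each atom, enumerates AllSet as all unions of blocks, and checks 3.5(2). The atoms for channel data/ack follow footnote 12; the atoms $\langle in.0 \rangle$, $\langle in.1 \rangle$ and the images of all atoms under $\lambda$ are assumptions made here for the running example.

```python
"""Added example, not from the thesis: computing MinSet, AllSet, [[X]] and
lambda(A) (definitions 3.5 to 3.8) from a constructed BTrace for the running
example.  The atoms and their images under lambda are assumptions made here;
the thesis only gives the data/ack atoms in footnote 12."""
from itertools import combinations

# Constructed BTrace: each atom (a trace of implementation events) implements
# one specification event.  lambda on atoms is a lookup table here.
BTRACE = {
    ("data.0", "ack.yes"): ("send.0",),
    ("data.1", "ack.yes"): ("send.1",),
    ("data.0", "ack.no", "data.0"): ("send.0",),
    ("data.1", "ack.no", "data.1"): ("send.1",),
    ("in.0",): ("in.0",),   # finally visible events map to themselves (RAH1-T)
    ("in.1",): ("in.1",),
}


def events(trace):
    return frozenset(trace)


def sigma_impl(btrace):
    """Definition 3.4 (as used here): the events occurring in any atom."""
    return frozenset(e for t in btrace for e in t)


def min_set(btrace):
    """The finest partition of Sigma_impl satisfying definition 3.5(1): every
    atom's events lie in a single block.  Union-find over events, merging all
    events of each atom, gives exactly the connected components."""
    parent = {e: e for e in sigma_impl(btrace)}

    def find(e):
        while parent[e] != e:
            parent[e] = parent[parent[e]]   # path compression
            e = parent[e]
        return e

    for atom in btrace:
        for e in atom[1:]:
            parent[find(e)] = find(atom[0])
    blocks = {}
    for e in parent:
        blocks.setdefault(find(e), set()).add(e)
    return frozenset(frozenset(b) for b in blocks.values())


def all_set(minset):
    """Definition 3.6: all unions of blocks of MinSet, including the empty set."""
    blocks = list(minset)
    result = {frozenset()}
    for k in range(1, len(blocks) + 1):
        for combo in combinations(blocks, k):
            result.add(frozenset().union(*combo))
    return frozenset(result)


def smallest_containing(x, minset):
    """Definition 3.7: [[X]] is the union of the blocks that X meets; by
    proposition 3.4 a block meeting X is wholly contained in [[X]]."""
    return frozenset(e for b in minset if b & x for e in b)


def lam_set(a, btrace):
    """Definition 3.8: lambda(A) = union of events(lambda(t)) over atoms t
    whose events lie inside A (A in AllSet)."""
    return frozenset(e for t, img in btrace.items() if events(t) <= a for e in img)


def indivisible(a, btrace):
    """For A in AllSet each atom is either wholly inside A or disjoint from
    it, so hiding A or synchronizing on A treats atoms as indivisible."""
    return all(events(t) <= a or not (events(t) & a) for t in btrace)


def satisfies_3_5_2(minset, btrace):
    """Definition 3.5(2): atoms from distinct blocks have disjoint images."""
    return all(not (lam_set(a, btrace) & lam_set(b, btrace))
               for a, b in combinations(minset, 2))


if __name__ == "__main__":
    ms = min_set(BTRACE)
    for block in sorted(ms, key=sorted):
        print(sorted(block), "->", sorted(lam_set(block, BTRACE)))
    print("AllSet has", len(all_set(ms)), "members")
```

With these atoms MinSet has three blocks, AllSet has eight members, and $[[\{data.0\}]]$ is the whole data/ack block, which is the sense in which hiding or synchronizing on a set from AllSet cannot split an atom.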
3.2.3 Implementation processes and process alphabets

The following definition is used to characterise implementation processes in terms of $\Sigma_{impl}$.

Definition 3.9. Let $Q$ be a process. $Q$ is an implementation process if and only if $\beta(Q) \subseteq \Sigma_{impl}$.

In view of this, the following result is immediate.

Proposition 3.2. Let $P, Q$ be implementation processes and $A, Y \subseteq \Sigma$. Then:
1. $P \setminus A$ is an implementation process.
2. $P \parallel_Y Q$ is an implementation process.

Proposition 3.2 shows that, for an implementation context $F_{impl}$ and component implementation processes $Q_1, \ldots, Q_n$, $Q \in Imp(F_{impl}(Q_1, Q_2, \ldots, Q_n))$ is also an implementation process. (Recall that the notation $Imp$ is defined in definition 2.3 in section 2.7.) The alphabet of any implementation process is then defined as follows.

Definition 3.10. Let $Q$ be an implementation process. Then $\alpha Q \triangleq [[\beta(Q)]]$ and so $\alpha Q \in AllSet$.14

14 That $\alpha Q$ for any implementation process $Q$ is taken from AllSet reflects the approach of [12]. Taken with restriction R2 from section 3.2.6 below, it means that any parallel composition operator used to build an implementation network from component processes must be parameterized by a set from AllSet (see proposition 3.11, also in section 3.2.6).

Since $\beta(Q) \subseteq \Sigma_{impl}$ for any implementation process $Q$, $\alpha Q$ is defined for any such process. In the proofs of some of the results in this chapter, it is necessary to construct, using the definitions in section 2.10, processes $Q'$ which have a certain pre-defined semantics. All of these processes are such that $\beta(Q') \subseteq \Sigma_{impl}$ and it will be clear from the relevant definitions that this is the case. We will therefore regard them as implementation processes without further comment and consider that $\alpha Q'$ is defined for any such $Q'$. Indeed, as a general rule, definition 3.9 and proposition 3.2 regarding implementation processes will only be appealed to implicitly in proofs of results from the remainder of this chapter.

The following result shows that the alphabets of implementation processes relate to those of their components in the way that we would expect in view of the detail in figure 2.5, provided that the hiding and parallel composition operators used are parameterized with sets from AllSet. This latter restriction will be imposed in general in section 3.2.6.

Proposition 3.3. Let $P, Q$ be implementation processes and $A, Y \in AllSet$.
1. $\alpha(P \setminus A) = (\alpha P) - A$.
2. $\alpha(P \parallel_Y Q) = \alpha P \cup \alpha Q$.

It is possible that we may have a process $Q$, intended as an implementation process, where $\beta(Q) \not\subseteq \Sigma_{impl}$, even though $\lambda([Q]_X)$ is defined. This can arise due to the use of parallel composition: for example, $\beta(P \parallel_Y P') = \beta(P) \cup \beta(P')$, while it is possible that $(P \parallel_Y P')$ never engages in any events from $\beta(P')$ due to the nature of $P$ and the choice of $Y$. In such a case, in lieu of $Q$, we would assume the implementation process to be $Q \setminus Z$, where $Z = \Sigma - (\Sigma_{impl} \cap \beta(Q))$. All events in which $Q$ may engage are contained in $\Sigma_{impl}$ since $\lambda([Q]_X)$ is defined (this will turn out to hold in general); moreover, all events in which it may engage are also contained in $\beta(Q)$. As a result, $[Q]_X = [Q \setminus Z]_X$, while $\beta(Q \setminus Z) \subseteq \Sigma_{impl}$.

3.2.4 Basic results regarding MinSet, AllSet and $\lambda$

We are now able to give some basic results characterising the sets from MinSet and AllSet and the application to them of $\lambda$. The first reflects the fact that each set in AllSet is constructed from a number of sets in MinSet and distinct sets in MinSet are disjoint.

Proposition 3.4. Let $A \in MinSet$ and $B \in AllSet$ be such that $A \cap B \neq \emptyset$. Then $A \subseteq B$.

The following result shows a useful way of characterising any set from AllSet.

Proposition 3.5. $A = \bigcup \{ events(t) \mid t \in BTrace \wedge events(t) \subseteq A \}$ for $A \in AllSet$.

The next result shows that $\lambda$ distributes across the set union operator when the latter is used to compose sets from MinSet.

Proposition 3.6. $\lambda(\bigcup_{i \in I} A_i) = \bigcup_{i \in I} \lambda(A_i)$, where $I$ is an indexing set into MinSet.

The following result shows that if we apply $\lambda$ to disjoint sets then the results of that application are also disjoint.

Proposition 3.7. If $A \cap A' = \emptyset$ for $A, A' \in AllSet$ then $\lambda(A) \cap \lambda(A') = \emptyset$.

The next result shows that AllSet is closed under the application of the set operators of subtraction, union and intersection; moreover, $\lambda$ distributes across the same operators when they are applied to sets from AllSet.

Proposition 3.8. Let $A, B \in AllSet$ and $\oplus \in \{-, \cup, \cap\}$. Then:
1. $A \oplus B \in AllSet$.
2. $\lambda(A \oplus B) = \lambda(A) \oplus \lambda(B)$.

This final result further characterises the relationship between $\Sigma_{impl}$, $\Sigma_{spec}$ and AllSet.

Proposition 3.9. The following hold:
1. $\Sigma_{impl} \in AllSet$.
2. $\Sigma_{spec} = \bigcup_{A \in MinSet} \lambda(A)$.
3. For every $A \in AllSet$, $A \subseteq \Sigma_{impl}$ and $\lambda(A) \subseteq \Sigma_{spec}$.
3.2.5 Using $[[X]]$ for $X \subseteq \Sigma_{impl}$

The following result concerns the $[[X]]$ notation, used to return the smallest set $A \in AllSet$ such that $X \subseteq A$. It will usually be appealed to implicitly whenever it is needed.

Proposition 3.10. Let $A \in AllSet$ and $R, S, X \subseteq \Sigma_{impl}$.
1. If $X \subseteq A$ then $[[X]] \subseteq A$.
2. $[[R \cup S]] = [[R]] \cup [[S]]$.
3.2.6 Restrictions

In the remainder of this chapter, we impose the following restrictions on all implementation networks $F_{impl}(Q_1, \ldots, Q_n)$, where $Q_1, \ldots, Q_n$ are component implementation processes. (Recall that the notation $Imp$ is defined in definition 2.3 in section 2.7.)

R1 Let $\setminus A$ be used in the definition of $F_{impl}$. Then $A \in AllSet$.
R2 Let $(P \parallel_Y Q) \in Imp(F_{impl}(Q_1, \ldots, Q_n))$. Then $Y = \alpha P \cap \alpha Q$.

These are essentially the restrictions imposed in [12], although they are not stated explicitly as such in that paper; similar restrictions are also imposed in [59], which presents an implementation relation that is effectively a notion of refinement-after-hiding.15 Condition R2 enforces the requirement that the parallel composition operator used to build any implementation network is that given by Tony Hoare in [31] and used in [12]. The following important result follows from condition R2.

15 Note that R1 and R2 are restrictions only on the operators which are used to build implementation networks from component implementation processes. They do not restrict the nature of the operators which may be used to construct the component implementation processes themselves.

Proposition 3.11. Let $Q_1, \ldots, Q_n$ be component implementation processes and $F_{impl}(Q_1, \ldots, Q_n)$ an implementation network. Let $\parallel_Y$ be such that it is used in the definition of $F_{impl}$. Then $Y \in AllSet$.

Condition R1 and the result from proposition 3.11 are essential for the derivation of the theory presented in this chapter: their most immediate practical effect is that we are able to characterise exactly the result of applying $\lambda$ to the hiding and parallel composition operators respectively (see theorems 3.16 and 3.17 in section 3.3). This characterisation then has far-reaching implications in the remainder of the chapter (this issue is discussed further in section 3.7). Moreover, the restrictions imposed by R1 and proposition 3.11 make sense in practice, as has been discussed above: since the traces in BTrace are to be regarded as atoms, then they should be treated as such by hiding and parallel composition. (Recall that by definitions 3.5 and 3.6, for any $t \in BTrace$ and $A \in AllSet$, either $events(t) \subseteq A$ or $events(t) \cap A = \emptyset$.) For example, consider the case that $t \in BTrace$ is used to implement the specification event $a \in \Sigma_{spec}$. When hiding behaviours in any specification process in which $a$ appears, it is only possible to hide all of $a$ or to leave it visible. Thus, it does not make sense to be able to hide a non-empty subset of the events of $t$, as this could leave a partial implementation for a still-visible $a$ or a "dangling" partial implementation which no longer has a corresponding specification event. Similarly, when composing specification processes in parallel, it is only possible either to synchronize on all of $a$ or not to synchronize on it at all. If we are able to synchronize on a non-empty subset of the events of $t$, then we may end up with an implementation trace which is neither a single execution of $t$ nor two interleaved executions of $t$: it is not clear how this relates to what is possible for $a$ in the specification (i.e. a single occurrence of $a$ if we have to synchronize on it or two occurrences of $a$ if we do not have to synchronize on it). For example, the trace $\langle data.0, ack.yes \rangle$ is used to implement $send.0$ in the running example. If we were able to compose two instances of $\langle data.0, ack.yes \rangle$ in parallel, synchronizing only on $\{data.0\}$, then the resulting trace would be $\langle data.0, ack.yes, ack.yes \rangle$. It would not make much sense to view this as an implementation of $\langle send.0, send.0 \rangle$, i.e. the composition in parallel of two instances of $\langle send.0 \rangle$ when we do not synchronize on $\{send.0\}$; but nor does it make sense to regard it as an implementation of $\langle send.0 \rangle$, which would arise if we did have to synchronize on $\{send.0\}$.

We choose to impose condition R2 and then derive proposition 3.11 rather than simply imposing directly the statement from the proposition because R2 is useful in its own right. In particular, the semantic definition of parallel composition in the stable failures model without the assumption of R2 is difficult to work with; by virtue of R2 the definition becomes much more tractable (see theorem 2.20 in chapter 2). In any case, R2 simply means we work with the parallel composition operator which is defined in Hoare's book on CSP ([31]).

In the statement of the conditions RAH1-3 in figure 3.2, the only restriction placed on the sets $A$ and $Y$ used there is that they should be subsets of $\Sigma$. In view of R1, we impose the further restriction that $A \in AllSet$ for the set $A$ used in the statement of RAH2; in view of R2, we impose the restriction that $Y = \alpha P \cap \alpha Q$ in the statement of RAH3. We do this because we wish RAH1-3 to be as weak as possible. These additional restrictions will be reflected in the rendering of RAH1-3 as necessary in each of the three semantic models.
3.2.7 Finally visible events

We impose one extra condition on AllSet, in relation to finally visible events. This reflects the intuition that, given an implementation process, it should be possible to hide exactly the finally invisible events, leaving visible exactly those events from Fvis in which the process may engage.

HIDE-INVIS Let $Q$ be an implementation process. If $\lambda([Q]_T)$ is defined, there exists $A \in AllSet$ such that $\alpha Q - A = \alpha Q \cap Fvis$.

In view of this condition, we are able to derive the following result, namely that Fvis is a set in AllSet.

Proposition 3.12. $Fvis \in AllSet$.

3.2.8 Summary

In the following sections, we present the derivation of the theory proper in all three semantic models. In particular, the conditions RAH1-3 are rendered in each of the semantic models and conditions are then derived which refer to the effect of $\lambda$ defined over individual behaviours rather than over process denotations as a whole. Before proceeding, we recall the sets which have been introduced in this section.
• $\Sigma_{impl}$ denotes the set of events in which implementation processes may engage.
• $\Sigma_{spec}$ denotes the set of (specification) events which may be "engaged" in by sets of behaviours produced by applying $\lambda$ to (the denotation of) an implementation process.
• Fvis denotes the set of finally visible events.
• BTrace is a set of traces, each of which may be regarded as an "atom" and so as an indivisible entity which may not be decomposed further into sub-traces.
• MinSet is a set of sets of events. It partitions the events of $\Sigma_{impl}$ in such a way that, for each trace in BTrace, the events of that trace are fully contained in one of the sets of the partition.
• Each set in AllSet is the union of a number of sets from MinSet and, in building implementation networks, we may only hide or compose in parallel on members of this set. (Recall, though, that AllSet also contains the empty set.) This essentially means that any set to be hidden or synchronized on during parallel composition as we build implementation networks regards traces from BTrace as indivisible.
3.3 RAH1-3 in the traces model and applying $\lambda$ to operators

As indicated above, we shall define our notion of refinement-after-hiding in terms of the effect of applying $\lambda$ to individual behaviours. In order to move towards that goal in the traces model, in this section we derive counterparts to RAH1 and RAH2 which refer to individual traces in place of process denotations. (It turns out that a counterpart to RAH3 is not needed.) These are used in the next section to derive the final conditions defining refinement-after-hiding in the traces model. In addition, we prove results which show how to define exactly the result of applying $\lambda$ to the hiding and parallel composition operators respectively.

As a first step, we render the conditions RAH1-3 in the traces model (recall that the original statement of the conditions in figure 3.2 was parameterized by the variable $X$ to denote one of the three semantic models; here we substitute $T$ for $X$). We also impose here the restrictions on hiding and parallel composition that were introduced in section 3.2.6. This means that any set to be hidden (from RAH2) will be taken from AllSet and any two processes composed in parallel (in RAH3) must synchronize on the events in the intersection of their respective alphabets. The new conditions, denoted TI1, TI2 and TI3, are given in figure 3.3. Using TI1 and TI2, we are able to derive conditions RAH1-T and RAH2-T below which refer to the application of $\lambda$ to individual traces rather than to process denotations as a whole. There is no equivalent condition given in relation to parallel composition and derived from TI3, since we do not need such a condition in any of the proofs which follow. This is not to say, however, that TI3 is redundant, since it is used in the proof of theorem 3.17 below and in the proof of a result from the next section.

Theorem 3.13 (RAH1-T). Let $t$ be a trace such that $events(t) \subseteq Fvis$. Then $\lambda(t)$ is defined and $\lambda(t) = t$.

Theorem 3.14. $\lambda(\langle \rangle)$ is defined and $\lambda(\langle \rangle) = \langle \rangle$.

Proof. Since $events(\langle \rangle) = \emptyset$, $events(\langle \rangle) \subseteq Fvis$. The proof follows by RAH1-T. □

TI1 If $\alpha Q \subseteq Fvis$, then $\lambda([Q]_T)$ is defined and $\lambda([Q]_T) = [Q]_T$.
TI2 If $\lambda([Q]_T)$ is defined, $A \in AllSet$ and $\lambda(\setminus A) = \setminus B$, then $\lambda([Q \setminus A]_T)$ is defined and $\lambda([Q \setminus A]_T) = \lambda([Q]_T) \setminus B$.
TI3 If $\lambda([P]_T)$, $\lambda([Q]_T)$ are defined, $Y = \alpha P \cap \alpha Q$ and $\lambda(\parallel_Y) = \parallel_Z$, then:
- $\lambda([P \parallel_Y Q]_T)$ is defined.
- $\lambda([P \parallel_Y Q]_T) = \lambda([P]_T) \parallel_Z \lambda([Q]_T)$.

Figure 3.3: Rendering RAH1-3 in the traces model, where $P$ and $Q$ are implementation processes

Theorem 3.15 (RAH2-T). Let $t$ be a trace and $A \in AllSet$, where $\lambda(\setminus A) = \setminus B$. If $\lambda(t)$ is defined, then:
• $\lambda(t \setminus A)$ is defined.
• $\lambda(t \setminus A) = \lambda(t) \setminus B$.

3.3.1 Applying $\lambda$ to operators

We now show how the application of $\lambda$ to operators is defined. Before proceeding, we first require a condition to reflect the intuition that mapped-to sets of behaviours may only engage in events from $\Sigma_{spec}$ and so mapped-to operators should only be parameterised by subsets of $\Sigma_{spec}$.

Definition 3.11. By definition:
1. Let $\lambda(\setminus A) = \setminus B$. Then $B \subseteq \Sigma_{spec}$.
2. Let $\lambda(\parallel_Y) = \parallel_Z$. Then $Z \subseteq \Sigma_{spec}$.

The following results play a crucial role in the remainder of this chapter and also in general, for they tell us that, provided we use in practice only sets which have the properties of those from AllSet, we have no discretion in defining the effect of $\lambda$ applied to the operators we use.

Theorem 3.16. Let $A \in AllSet$. Then $\lambda(\setminus A) = \setminus \lambda(A)$.

Theorem 3.17. Let $Y \in AllSet$. Then $\lambda(\parallel_Y) = \parallel_{\lambda(Y)}$.

When we appeal to RAH2-T in what follows, we shall implicitly use theorem 3.16 as well: that is, we shall use $\lambda(A)$ in place of $B$ from RAH2-T.
3.4 Sufficient conditions in the traces model

In this section, we present the sufficient conditions which must be met by our mapping if it is to function as a basis for a notion of refinement-after-hiding in the traces model. We will need the following additional results, which concern the application of $\lambda$ to traces.

Theorem 3.18. Let $A \in MinSet$ be such that $A \subseteq Fvis$. Let $t$ be a trace such that $events(t) \subseteq A$. Then $\lambda(t)$ is defined and $\lambda(t) = t$.

Proof. The proof is immediate by RAH1-T. □

Theorem 3.19. Let $t \circ \langle a \rangle$ be a trace such that $a \in A \in MinSet$.
1. $\lambda(t)$ and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ are defined if and only if $\lambda(t \circ \langle a \rangle)$ is defined.
2. If $\lambda(t \circ \langle a \rangle)$ is defined then $\lambda(t \circ \langle a \rangle) = \lambda(t) \circ r$, where the trace $r$ is such that:
(a) $\lambda((t \circ \langle a \rangle) \upharpoonright A) = \lambda(t \upharpoonright A) \circ r$.
(b) $events(r) \subseteq \lambda(A)$.

Figure 3.4 then presents those conditions which are sufficient to define a notion of refinement-after-hiding in the traces model. Note the compositional nature of the definition of $\lambda$, encapsulated in conditions S5 and Ts4, which means that it need only be defined directly over sets from MinSet and over traces $t$ such that $events(t) \subseteq A \in MinSet$.16 One of the main roles played by the sets in MinSet is illustrated by condition Ts4. By Ts4, we define $\lambda(t \circ \langle a \rangle)$, where $a \in A \in MinSet$, in terms of $\lambda(t)$ and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$. In a sense, $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ is a function from a trace, $t \upharpoonright A$, and an event, $a$, to the trace extension $r$ which is used in the statement of Ts4. This means that $\lambda$ tells us what we need to know of $t$ in order to determine the additional information which is given to us by the occurrence of $a$ after $t$.
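To make the compositional definition concrete, the following Python is an added example (not code from the thesis) of a mapping $\lambda$ on traces built exactly as Ts2 to Ts4 prescribe: $\lambda$ is given directly only on traces whose events lie in one MinSet block, and $\lambda(t \circ \langle a \rangle)$ is obtained from $\lambda(t)$ and the restriction of $t \circ \langle a \rangle$ to the block containing $a$. The result is then checked against RAH2-T (theorem 3.15, with theorem 3.16 substituted for $B$). The two MinSet blocks, the atoms and their images are constructed for the running example and are assumptions made here, as is the treatment of an unfinished atom (a proper prefix of an atom maps to the empty trace, and a restricted trace that cannot be parsed into atoms makes $\lambda$ undefined).

```python
"""Added example, not from the thesis: a mapping lambda on traces defined
compositionally in the manner of conditions Ts2-Ts4 (figure 3.4), then checked
against RAH2-T (theorem 3.15).  The MinSet blocks, the atoms and their images
are constructed for the running example and are assumptions made here."""

# Constructed MinSet: one block per channel pair.  The block containing the
# finally visible events in.0/in.1 maps each event to itself (Ts2).
CHAN = frozenset({"data.0", "data.1", "ack.yes", "ack.no"})
FVIS = frozenset({"in.0", "in.1"})
MINSET = {CHAN: {("data.0", "ack.yes"): ("send.0",),
                 ("data.1", "ack.yes"): ("send.1",),
                 ("data.0", "ack.no", "data.0"): ("send.0",),
                 ("data.1", "ack.no", "data.1"): ("send.1",)},
          FVIS: {("in.0",): ("in.0",), ("in.1",): ("in.1",)}}


def block_of(event):
    """The MinSet block containing event, or None if event is not in Sigma_impl."""
    return next((b for b in MINSET if event in b), None)


def restrict(t, a):
    """t restricted to the events in a (written t|A in the thesis)."""
    return tuple(e for e in t if e in a)


def hide(t, a):
    """t \\ A: remove the events of A from t."""
    return tuple(e for e in t if e not in a)


def lam_block(u, atoms):
    """lambda over a trace whose events lie in one MinSet block: u must parse
    as complete atoms followed by a (possibly empty) proper prefix of an atom.
    Returns None when no such parse exists, i.e. lambda(u) is undefined."""
    if not u:
        return ()
    for atom, image in atoms.items():
        n = len(atom)
        if len(u) >= n and u[:n] == atom:
            rest = lam_block(u[n:], atoms)
            if rest is not None:
                return image + rest
        elif atom[:len(u)] == u:      # u is an unfinished atom: nothing emitted yet
            return ()
    return None


def lam_trace(t):
    """Ts3/Ts4 applied event by event: lambda(t o <a>) = lambda(t) o r where
    lambda((t o <a>)|A) = lambda(t|A) o r for the block A containing a.
    Returns None if lambda(t) is undefined."""
    result = ()
    for i, a in enumerate(t):
        a_block = block_of(a)
        if a_block is None:
            return None                      # event outside Sigma_impl
        before = lam_block(restrict(t[:i], a_block), MINSET[a_block])
        after = lam_block(restrict(t[:i + 1], a_block), MINSET[a_block])
        if before is None or after is None:
            return None
        r = after[len(before):]              # the extension r contributed by a
        result += r
    return result


def lam_set(a):
    """Definition 3.8 / S4-S5 for a union of MinSet blocks."""
    return frozenset(e for b, atoms in MINSET.items() if b <= a
                     for img in atoms.values() for e in img)


def rah2_t_holds(t, a):
    """RAH2-T with theorem 3.16: lambda(t \\ A) = lambda(t) \\ lambda(A)
    for A a union of MinSet blocks and lambda(t) defined."""
    lt = lam_trace(t)
    return lt is not None and lam_trace(hide(t, a)) == hide(lt, lam_set(a))
```

Note that only the restriction $t \upharpoonright A$ is consulted when an event of block $A$ is appended, which is what lets a single definition over each block determine $\lambda$ on arbitrary interleavings of blocks; hiding a whole block then commutes with $\lambda$, as RAH2-T states, whereas hiding a proper subset of a block is not covered by the theorem.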
A comment is also required with regard to condition S1(d) and what it means to constitute an implementation process. In order to simplify the proofs of results in the remainder of this chapter, S1(d) is only appealed to implicitly whenever it is needed. In particular, for any implementation process $Q$ we will assume without further comment that $\beta(Q) \subseteq \Sigma_{impl}$, meaning that $[[\beta(Q)]]$ and so $\alpha Q$ are defined. Moreover, on the basis of proposition 3.2, it is implicit that any new process constructed from an implementation process or processes using hiding and parallel composition will also be an implementation process.

16 Examples given in chapter 4 show how we may then define in practice the result of applying the mapping to such a trace $t$.
S1 (a) BTrace is a non-empty set of traces such that $\lambda(t)$ is defined for every $t \in BTrace$.
(b) $\Sigma_{impl}$ and $\Sigma_{spec}$ are as defined in definition 3.4.
(c) MinSet and AllSet are as defined in definitions 3.5 and 3.6.
(d) $Q$ is an implementation process if and only if $\beta(Q) \subseteq \Sigma_{impl}$.
S2 If $Q$ is an implementation process, then $\alpha Q \triangleq [[\beta(Q)]]$ and so $\alpha Q \in AllSet$.
S3 $Fvis \in AllSet$ and $Fvis \neq \emptyset$.
S4 For $A \in MinSet$, $\lambda(A) \triangleq \bigcup \{ events(\lambda(t)) \mid t \in BTrace \wedge events(t) \subseteq A \}$.
S5 Let $A \in AllSet$ be such that $A = \bigcup_{i \in I} A_i$, where $I$ is an indexing set into MinSet. Then $\lambda(A) = \bigcup_{i \in I} \lambda(A_i)$.
S6 If $A \in AllSet$, then $\lambda(\setminus A) = \setminus \lambda(A)$.
S7 If $Y \in AllSet$, then $\lambda(\parallel_Y) = \parallel_{\lambda(Y)}$.
(a) Conditions on sets.

Ts1 Let $T$ be a set of traces and $u$ a trace. If $\lambda(u)$ is defined, then $\lambda(u)$ returns a trace. Moreover:
- $\lambda(T)$ is defined if and only if $\lambda(t)$ is defined for every $t \in T$.
- If $\lambda(T)$ is defined, $\lambda(T) \triangleq \{ \lambda(t) \mid t \in T \}$.
Ts2 Let $t$ be a trace and $A \in MinSet$ such that $events(t) \subseteq A \subseteq Fvis$. Then $\lambda(t)$ is defined and $\lambda(t) = t$.
Ts3 Let $t \circ \langle a \rangle$ be a trace such that $a \in A \in MinSet$. Then $\lambda(t)$ and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ are defined if and only if $\lambda(t \circ \langle a \rangle)$ is defined.
Ts4 Let $t \circ \langle a \rangle$ be a trace such that $a \in A \in MinSet$. If $\lambda(t \circ \langle a \rangle)$ is defined then $\lambda(t \circ \langle a \rangle) = \lambda(t) \circ r$, where:
- $\lambda((t \circ \langle a \rangle) \upharpoonright A) = \lambda(t \upharpoonright A) \circ r$.
- $events(r) \subseteq \lambda(A)$.
(b) Conditions on traces.

Figure 3.4: Sufficient conditions
That the conditions in figure 3.4 are sufficient to define a notion of refinement-after-hiding follows from theorem 3.20. In order to prove this result, we use only the conditions S1-7 and Ts1-4 and no other results or conditions which have already appeared in this chapter.17 To emphasise this fact, some necessary supporting results which have already appeared are restated and reproved (in the appendix) using only S1-7 and Ts1-4. Recall also before we proceed that conditions R1 and R2 are imposed on any implementation network $F_{impl}(Q_1, Q_2, \ldots, Q_n)$.

17 We do, however, assume that definitions 3.1, 3.2 and 3.7 still hold.

Theorem 3.20. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, containing $n$ process variables, such that $\lambda(F_{impl}) = F_{spec}$. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. Assume that conditions S1-7 and Ts1-4 from figure 3.4 all hold. If $Q_i \sqsubseteq^{\lambda}_{T} P_i$ for $1 \leq i \leq n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsubseteq_T F_{spec}(P_1, P_2, \ldots, P_n)$.

3.4.1 Additional comments

Proposition A.15 in the appendix is weaker than its counterpart TI3, since the former uses set containment, $\subseteq$, in its statement while the latter uses equality, $=$. The reason for this is the form taken by proposition A.12, which effectively states that, where $\lambda(s)$ and $\lambda(u)$ are defined:
$t \in s \parallel_Y u \implies \lambda(t) \in \lambda(s) \parallel_Z \lambda(u)$.
In other words, we are only able to prove that $\lambda(s \parallel_Y u) \subseteq \lambda(s) \parallel_Z \lambda(u)$ rather than $\lambda(s \parallel_Y u) = \lambda(s) \parallel_Z \lambda(u)$. However, this limitation is a positive benefit since the latter result would place requirements on $\lambda$ which are too restrictive to be of use in practice. Consider the case that $\lambda$ is a mapping which makes behaviours more abstract. For traces $s, u$, it may be that $s \parallel_Y u = \emptyset$, while $\lambda(s) \parallel_Z \lambda(u) \neq \emptyset$ (i.e. $\lambda(s \parallel_Y u) \neq \lambda(s) \parallel_Z \lambda(u)$), for an otherwise sensible mapping $\lambda$. For example, consider the traces $s = \langle data.0, ack.no, data.0 \rangle$ and $u = \langle data.0, ack.yes \rangle$ from the running example. If we attempt to compose in parallel on $Y = \alpha data \cup \alpha ack$, then $s \parallel_Y u = \emptyset$ and so $\lambda(s \parallel_Y u) = \emptyset$. However, we would expect that $\lambda(s) = \lambda(u) = \langle send.0 \rangle$ (data retransmission always succeeds) and so $\lambda(s) \parallel_Z \lambda(u)$ will be non-empty whatever the value of $Z$. It is also difficult to avoid the fact in general that $\lambda(v \parallel_Y w) \subset \lambda(v) \parallel_Z \lambda(w)$ for traces $v, w$ when $\lambda$ is being used to make behaviours more concrete.
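Both the anomaly discussed under section 3.2.6 (synchronizing two copies of $\langle data.0, ack.yes \rangle$ only on $\{data.0\}$) and the observation just made in section 3.4.1 ($s \parallel_Y u = \emptyset$ while $\lambda(s) \parallel_Z \lambda(u) \neq \emptyset$) can be reproduced with the traces semantics of alphabetised parallel composition applied to individual traces. The following Python is an added example, not code from the thesis: `par` enumerates $s \parallel_Y u$ by synchronizing on events in $Y$ and interleaving the rest, and the two functions after it evaluate the two cases from the text. The images of the two atoms under $\lambda$ are assumptions taken from the running example as described in the text.

```python
"""Added example, not from the thesis: the traces semantics of alphabetised
parallel composition on individual traces, s ||_Y u, used to reproduce the two
observations made in sections 3.2.6 and 3.4.1.  The images of the atoms under
lambda are assumptions made here for the running example."""
from functools import lru_cache

# Constructed atoms of the running example and their (assumed) images.
ATOM_IMAGE = {
    ("data.0", "ack.yes"): ("send.0",),
    ("data.0", "ack.no", "data.0"): ("send.0",),
}
ALPHA_DATA = frozenset({"data.0", "data.1"})
ALPHA_ACK = frozenset({"ack.yes", "ack.no"})


def par(s, u, y):
    """All traces of s ||_Y u: an event in Y must be performed by s and u
    together; events outside Y are interleaved.  Returns a frozenset of
    tuples; the empty set means the two traces cannot be composed."""
    y = frozenset(y)

    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(s) and j == len(u):
            return frozenset({()})
        out = set()
        if i < len(s) and s[i] not in y:           # s moves alone
            out |= {(s[i],) + r for r in go(i + 1, j)}
        if j < len(u) and u[j] not in y:           # u moves alone
            out |= {(u[j],) + r for r in go(i, j + 1)}
        if i < len(s) and j < len(u) and s[i] in y and s[i] == u[j]:
            out |= {(s[i],) + r for r in go(i + 1, j + 1)}   # synchronised step
        return frozenset(out)

    return go(0, 0)


def subset_sync_anomaly():
    """Section 3.2.6: two copies of <data.0, ack.yes> synchronized only on
    {data.0} yield <data.0, ack.yes, ack.yes>, which is neither the atom
    itself nor an interleaving of two copies of it.  Synchronizing on the
    whole atom (a set from AllSet) yields exactly one execution of it."""
    t = ("data.0", "ack.yes")
    anomalous = ("data.0", "ack.yes", "ack.yes")
    partial = par(t, t, {"data.0"})
    whole = par(t, t, set(t))           # synchronize on the whole atom
    interleaved = par(t, t, set())      # no synchronization at all
    return (anomalous in partial, whole == frozenset({t}),
            anomalous not in interleaved and anomalous != t)


def lambda_does_not_distribute():
    """Section 3.4.1: s ||_Y u is empty for Y = alpha data U alpha ack (the
    second events ack.no and ack.yes cannot synchronize), yet
    lambda(s) ||_Z lambda(u) is non-empty whether or not Z contains send.0."""
    s, u = ("data.0", "ack.no", "data.0"), ("data.0", "ack.yes")
    impl = par(s, u, ALPHA_DATA | ALPHA_ACK)
    ls, lu = ATOM_IMAGE[s], ATOM_IMAGE[u]
    spec_sync = par(ls, lu, {"send.0"})   # Z = {send.0}
    spec_free = par(ls, lu, set())        # Z = {}
    return impl, spec_sync, spec_free
```

Running `subset_sync_anomaly()` returns three `True` values, and `lambda_does_not_distribute()` returns an empty implementation composition beside the non-empty $\{\langle send.0 \rangle\}$ and $\{\langle send.0, send.0 \rangle\}$, which is the inclusion $\lambda(s \parallel_Y u) \subseteq \lambda(s) \parallel_Z \lambda(u)$ holding strictly.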
3.5 The stable failures model

In our consideration of refinement-after-hiding in the stable failures model, we assume that we work within the same framework of definitions and restrictions employed in the traces model. The only changes are the fact that we now have to define $\lambda$ over process denotations in this new model and also have to render RAH1-3 in this model. This means that all definitions, conditions and restrictions which were stated in sections 3.1 and 3.2 are still in force here. As a result, we may appeal here to any and all results proved in those sections.

3.5.1 Applying $\lambda$ to process denotations in the stable failures model

Consider an implementation process $Q$. In order to apply $\lambda$ to $[Q]_{SF}$ we effectively apply it separately to $\tau Q$ and $\phi Q$. The necessary detail is given in the following definition.

Definition 3.12. Let $Q$ be an implementation process.
1. $\lambda([Q]_{SF})$ is defined if and only if $\lambda(\tau Q)$ is defined and $\lambda(\phi Q)$ is defined.
2. If $\lambda([Q]_{SF})$ is defined then $\lambda([Q]_{SF}) \triangleq (\lambda(\tau Q), \lambda(\phi Q))$.
3. Let $(t, R)$ be a failure. $\lambda(R, t)$ is defined if and only if $R \subseteq \Sigma_{impl}$ and $\lambda(t)$ is defined. If $\lambda(R, t)$ is defined, then $\lambda(R, t) \subseteq \Sigma$. Moreover:
(a) $\lambda(\phi Q)$ is defined if and only if $\lambda(R \cap \alpha Q, t)$ is defined for every $(t, R) \in \phi Q$.
(b) If $\lambda(\phi Q)$ is defined then:
$\lambda(\phi Q) \triangleq \{ (\lambda(t), X) \mid (\exists (t, R) \in \phi Q)\; R \subseteq \alpha Q \wedge X \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q)) \}$.

We present the definition of $\lambda$ here in terms of process denotations, rather than in terms of arbitrary sets of behaviours as is done in definition 3.3, simply because we need to use the syntactic notion of an alphabet. In order to compute $\lambda(\phi Q)$, we apply $\lambda$ separately to the trace component and the refusal component respectively of each of the failures $(t, R) \in \phi Q$ such that $R \subseteq \alpha Q$. In actual fact, we apply $\lambda$ to each refusal/trace pair $(R, t)$, since what it means for a process to refuse a particular set of events may differ according to the trace after which they are refused. In terms of the running example, it would make no sense for $LeftImpl$ to offer either $ack.yes$ or $ack.no$ after the trace $\langle in.0 \rangle$, i.e. before it had attempted any communication along channel $data$, and so it should be perfectly acceptable for it to exhibit the failure $(\langle in.0 \rangle, \{ack.yes, ack.no\})$. However, were $LeftImpl$ to refuse $\{ack.yes, ack.no\}$ after $\langle in.0, data.0 \rangle$ then that would be more significant: it would signify that the implementation process was refusing to progress its implementation of $send.0$ and so we might need to refuse $\{send.0\}$ at the corresponding point in the specification. As a result, it may be necessary to allow $t$ from any failure $(t, R)$ to influence what $R$ is mapped to.

Only refusals contained in the alphabet of the process under consideration have the mapping applied to them and we then close up the refusal sets returned using $\Sigma - \lambda(\alpha Q)$. This reflects the fact that our mapped-to set of behaviours will only engage in events from $\lambda(\alpha Q)$ (if $events(t) \subseteq A$ for $A \in AllSet$ then $events(\lambda(t)) \subseteq \lambda(A)$) and so may refuse all other events. Note also that the failures of $\lambda(\phi Q)$ are subset-closed. This plays an important role in allowing RAH1 to be met in this model: if $\alpha Q \subseteq Fvis$ then $\lambda(\phi Q) = \phi Q$ and so $\lambda(\phi Q)$ must meet the consistency condition SF3, requiring the subset-closure of failures.

We also impose some additional conditions on the mapping applied to refusal/trace pairs. REF-MONO makes the mapping over refusal/trace pairs monotonic in the refusal argument. REF-BOUND simply guarantees that, for a failure $(t, R)$, $\lambda(R, t)$ is bounded according to the nature of $t$ and $R$; this will prove to be useful in what follows. Note that $\lambda(R, t)$ is not required to be defined in the statement of REF-MONO. This is simply because, if $\lambda(S, t)$ is defined and $R \subseteq S$, then $\lambda(R, t)$ will be defined by definition 3.12(3).

REF-MONO Let $t$ be a trace, $R, S \subseteq \Sigma$ and $\lambda(S, t)$ be defined. If $R \subseteq S$ then $\lambda(R, t) \subseteq \lambda(S, t)$.
REF-BOUND Let $t$ be a trace, $R \subseteq \Sigma$ and $A \in AllSet$ be such that $\lambda(A) = B$ and $\lambda(R, t)$ is defined. If $events(t) \cup R \subseteq A$, then $\lambda(R, t) \subseteq B$.
3.5.2 Working in the stable failures model

We now render in the stable failures model the conditions RAH1-3, under the restrictions on hiding and parallel composition that were introduced in section 3.2.6. The new conditions, denoted SFI1-3, are given in figure 3.5. They may be used to show that the conditions TI1-3 hold in this model.

Theorem 3.21. If conditions SFI1-3 hold then conditions TI1-3 also hold.

Theorem 3.21 allows us to derive in the stable failures model all results given in sections 3.3 and 3.4 and so means that we can appeal to them here. Among other things, this means that we are able to reuse the conditions from figure 3.4 when stating conditions sufficient for refinement-after-hiding in this model.

SFI1 If $\alpha Q \subseteq Fvis$, then:
- $\lambda([Q]_{SF})$ is defined.
- $\lambda([Q]_{SF}) = [Q]_{SF}$.
SFI2 If $\lambda([Q]_{SF})$ is defined, $A \in AllSet$ and $\lambda(\setminus A) = \setminus B$, then:
- $\lambda([Q \setminus A]_{SF})$ is defined.
- $\lambda([Q \setminus A]_{SF}) = \lambda([Q]_{SF}) \setminus B$.
SFI3 If $\lambda([P]_{SF})$, $\lambda([Q]_{SF})$ are defined, $Y = \alpha P \cap \alpha Q$ and $\lambda(\parallel_Y) = \parallel_Z$, then:
- $\lambda([P \parallel_Y Q]_{SF})$ is defined.
- $\lambda([P \parallel_Y Q]_{SF}) = \lambda([P]_{SF}) \parallel_Z \lambda([Q]_{SF})$.

Figure 3.5: Rendering RAH1-3 in the stable failures model, where $P$ and $Q$ are implementation processes
3.5.3 Parallel composition 
In certain circumstances, for implementation processes P and Q we shall 
need to evaluate the result of composing "\(¢P) in parallel with ..\(¢Q). The 
following result lets us do that in terms of the alternative semantics of parallel 
composition given in section 2.11. It will generally be appealed to implicitly 
whenever it is needed. 
Theorem 3.22. Let P and Q be implementation processes such that ..\( ¢P) 
and ..\(¢Q) are defined. Let Y = aP n aQ and Z = "\(Y). Then: 
"\(¢P) liz ..\(¢Q) = {(t, S U U U R) I R ~ (~- (..\(aP) U ..\(aQ))) A 
((3(s, S) E "\(¢P), (u, U) E ..\(¢Q)) t E (s liz u) A 
S ~ ..\(aP) A U ~ ..\(aQ))}. 
3.5.4 From processes to individual behaviours 
We now move on to to derive conditions governing the application of ..\ to 
individual refusal/trace pairs. In order to do this, we require equations gov-
erning the application of ..\ to sets of failures rather than to complete process 
3.5. The stable failures model 69 
denotations. We therefore derive the following results, which effectively re-
cast conditions SFI1-3 in terms offailures alone (these restatements also take 
advantage of theorems 3.16 and 3.17). 
Proposition 3.23. Let Q be an implementation process. If aQ ~ Fuis, then 
)..(¢JQ) is defined and )..(¢JQ) = ¢JQ. 
Proposition 3.24. Let Q be an implementation process. If )..([Q]SF) is 
defined, A E AllSet and )"(A) = B, then: 
1. )..(¢J(Q \ A)) is defined. 
2. )..(¢J(Q \ A)) = )..(¢JQ) \ B. 
Proposition 3.25. Let P, Q be implementation processes. If )..([P]SF)' 
)..([Q]SF) are defined, Y = aP n aQ and )"(Y) = Z, then: 
1. )..(¢J(P Ily Q)) is defined. 
2. )..(¢J(P Ily Q)) = )..(¢JP) liz )..(¢JQ). 
These results are used to derive conditions RAH1-SF, RAH2-SF and RAH3-SF below, which are the counterparts at the level of refusal/trace pairs of RAH1-3. RAH1-SF gives with regard to refusal/trace pairs the standard result that $\lambda$ is the identity (in the refusal argument) where behaviours contained in Fvis are concerned. RAH3-SF shows that $\lambda$ applied to refusal/trace pairs enjoys a distributivity property with respect to set union (by theorem 2.20, the effect of parallel composition on sets of refusals is given by set union). RAH2-SF(1) ensures that an implementation failure will be destroyed by hiding $A$ only if the corresponding specification failure is destroyed by hiding $\lambda(A)$. RAH2-SF(2) will allow us to define $\lambda(R, t)$ compositionally (for certain $R$, $t$) in terms of $\lambda(R \cap A', t \upharpoonright A')$ for $A' \in \mathit{MinSet}$.
Theorem 3.26 (RAH1-SF). Let $t$ be a trace and $R \subseteq \Sigma$ be such that $\mathit{events}(t) \cup R \subseteq F_{vis}$. Then $\lambda(R, t)$ is defined and $\lambda(R, t) = R$.
Before giving the other two results, we make the following observation. Let $P$ be a process and $(t, X) \in \phi P$ be refusal-maximal. Then, by PA2, $\Sigma - \alpha P \subseteq X$. As a result, we may partition any such $X$ into $X \cap \alpha P$ and $\Sigma - \alpha P$. We take advantage of this fact in the statement and proofs of the following two results.
Theorem 3.27 (RAH3-SF). Let $P$ and $Q$ be implementation processes such that $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined. Let $(s, S \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $S \subseteq \alpha P$. Let $(u, U \cup (\Sigma - \alpha Q)) \in \phi Q$ be a refusal-maximal failure such that $U \subseteq \alpha Q$. Moreover, let $s$, $u$ be such that $s \parallel_Y u = \{t\}$, where $Y = \alpha P \cap \alpha Q$. Then $\lambda(S \cup U, t) = \lambda(S, s) \cup \lambda(U, u)$.
Theorem 3.28 (RAH2-SF). Let $P$ be an implementation process such that $\lambda([P]_{SF})$ is defined. Let $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $R \subseteq \alpha P$. Let $A \in \mathit{AllSet}$ and $\lambda(A) = B$. Then:
1. If $A \subseteq R$ then $B \subseteq \lambda(R, t)$.
2. $\lambda(R - A, t \setminus A)$ is defined and $\lambda(R - A, t \setminus A) = \lambda(R, t) - B$.
In the proofs of RAH2-SF and RAH3-SF, we construct processes such that the (refusal-maximal) failures given in the respective theorem statements are maximal in those constructed processes; moreover, it is also necessary that $\lambda$ is defined over the denotation in the stable failures model of any such constructed process. It is for this to be possible that the failures given in the respective statements of RAH2-SF and RAH3-SF are required to be refusal-maximal. Note also that RAH2-SF(2) contains a result on definedness; this is simply to ease the proof of theorem 3.32(1) below. This is why RAH3-SF lacks a similar result. In general, it is not necessary to deal explicitly in such results with the definedness of $\lambda$ over refusal/trace pairs, since this can usually be established using definition 3.12(3) and results derived in previous sections with respect to the traces model.
3.5.5 Sufficient conditions for refinement-after-hiding 
Using conditions RAH1-SF, RAH2-SF and RAH3-SF, we are able to derive conditions sufficient to define a notion of refinement-after-hiding. Theorems 3.29 and 3.30 give conditions which must hold of $\lambda$ applied to refusal/trace pairs at the level of MinSet. They are the counterparts at this level of RAH1-SF and RAH2-SF(1) respectively.
Theorem 3.29. Let $t$ be a trace, $R \subseteq \Sigma$ and $A \in \mathit{MinSet}$ be such that $\mathit{events}(t) \cup R \subseteq A \subseteq F_{vis}$. Then $\lambda(R, t)$ is defined and $\lambda(R, t) = R$.
Proof. The proof is immediate by RAH1-SF. $\square$
Theorem 3.30. Let $t$ be a trace such that $\mathit{events}(t) \subseteq A \in \mathit{MinSet}$. If $\lambda(A, t)$ is defined then $\lambda(A, t) = \lambda(A)$.
Theorems 3.31 and 3.32 then give two different compositional rules with respect to defining $\lambda$ over refusal/trace pairs. The requirement in each of them that $\lambda(t \frown \langle a \rangle)$ is defined for every $a$ in a certain set of events is essentially the counterpart here to the requirement in RAH2-SF and RAH3-SF that the failures under consideration are refusal-maximal. If $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ is refusal-maximal, where $R \subseteq \alpha P$, then $t \frown \langle a \rangle \in \tau P$ for every $a \in \alpha P - R$. Moreover, if $\lambda([P]_{SF})$ is defined then $\lambda(\tau P)$ is defined and so $\lambda(t \frown \langle a \rangle)$ is defined for every $a \in \alpha P - R$. In theorem 3.31, $A$ plays the role of $\alpha P$ while, in theorem 3.32, it is played by $[\![\mathit{events}(t) \cup R]\!]$.
SFS1 The conditions in definition 3.12 are assumed to hold.
SFS2 If $\mathit{events}(t) \cup R \subseteq A \subseteq F_{vis}$, then $\lambda(R, t)$ is defined and $\lambda(R, t) = R$.
SFS3 If $\mathit{events}(t) \cup R \subseteq A$ and $\lambda(R, t)$ is defined then $\lambda(R, t) \subseteq \lambda(A)$.
SFS4 If $\mathit{events}(t) \subseteq A$ and $\lambda(A, t)$ is defined then $\lambda(A, t) = \lambda(A)$.
SFS5 If $\lambda(S, t)$ is defined and $R \subseteq S$, then $\lambda(R, t) \subseteq \lambda(S, t)$.
SFS6 If $\lambda(R, t)$, $\lambda(S, t)$ are defined, $\mathit{events}(t) \cup R \cup S \subseteq A$ and $\lambda(t \frown \langle a \rangle)$ is defined for every $a \in (A - R) \cup (A - S)$ then $\lambda(R \cup S, t) = \lambda(R, t) \cup \lambda(S, t)$.
SFS7 If $\lambda(R, t)$ is defined and $\lambda(t \frown \langle a \rangle)$ is defined for every $a \in [\![\mathit{events}(t) \cup R]\!] - R$ then:
- $\lambda(R \cap A', t \upharpoonright A')$ is defined for every $A' \in \mathit{MinSet}$.
- $\lambda(R, t) = \bigcup_{A' \in \mathit{MinSet}} \lambda(R \cap A', t \upharpoonright A')$.
Figure 3.6: Sufficient conditions in the stable failures model, where $t$ is a trace, $R, S \subseteq \Sigma$ and $A \in \mathit{MinSet}$
Theorem 3.31. Let $t$ be a trace and $R, S \subseteq \Sigma$ be such that $\lambda(R, t)$, $\lambda(S, t)$ are defined and $\mathit{events}(t) \cup R \cup S \subseteq A \in \mathit{MinSet}$. Moreover, assume that $\lambda(t \frown \langle a \rangle)$ is defined for every $a \in (A - R) \cup (A - S)$. Then $\lambda(R \cup S, t) = \lambda(R, t) \cup \lambda(S, t)$.
Theorem 3.32. Let $t$ be a trace and $R \subseteq \Sigma$ such that $\lambda(R, t)$ is defined and $\lambda(t \frown \langle a \rangle)$ is defined for every $a \in [\![\mathit{events}(t) \cup R]\!] - R$. Then:
1. $\lambda(R \cap A, t \upharpoonright A)$ is defined for every $A \in \mathit{MinSet}$.
2. $\lambda(R, t) = \bigcup_{A \in \mathit{MinSet}} \lambda(R \cap A, t \upharpoonright A)$.
Figure 3.6 gives those conditions which, along with the conditions from figure 3.4, are sufficient to define a notion of refinement-after-hiding in the stable failures model. That this is the case is shown by theorem 3.33. Note also that SFS3 from figure 3.6 is a restatement of REF-BOUND at the level of sets from MinSet; moreover, SFS5 is simply REF-MONO. The part of condition SFS7 - taken from theorem 3.32(1) - which refers to definedness is not strictly necessary since it can be derived from other conditions in figures 3.4 and 3.6. However, it is included because it makes certain of the proofs more straightforward.
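As an added worked instance of SFS7 (theorem 3.32), not taken from the thesis: a constructed two-block MinSet, a mapping defined only block by block in the style the text attributes to chapter 4 (on the block disjoint from Fvis it returns either the empty set or $\lambda(A)$), and $\lambda(R, t)$ assembled as the union over blocks; it also checks SFS3-SFS6 on each block by enumeration. The alphabet, the protocol req, ack for "send" and all function names are assumptions.

```python
"""Constructed instance of SFS7 (theorem 3.32): lambda on a refusal/trace pair
is assembled from its values on the blocks of MinSet.  Toy mapping, not one
from the thesis; on the block disjoint from Fvis it returns either the empty
set or lambda(A), as the text says the chapter 4 approach does."""
from itertools import chain, combinations

# Constructed implementation alphabet.  Block A1 = {req, ack} implements the
# single specification event "send"; block A2 = {x} is finally visible, so
# lambda is the identity on it (SFS2).
A1 = frozenset({"req", "ack"})
A2 = frozenset({"x"})
MINSET = (A1, A2)
LAMBDA_SET = {A1: frozenset({"send"}), A2: frozenset({"x"})}   # lambda(A)


def project(t, blk):
    """t restricted to the events of one block (t |` A)."""
    return tuple(e for e in t if e in blk)


def lam_trace_block(t, blk):
    """lambda(t) for events(t) within one block, or None when undefined.
    In A1 a "send" is extracted each time the protocol req, ack completes;
    any other ordering lies outside the domain of the mapping."""
    if blk == A2:
        return t                        # identity on finally visible events
    out, expect = [], "req"
    for e in t:
        if e != expect:
            return None
        if e == "ack":
            out.append("send")
        expect = "ack" if e == "req" else "req"
    return tuple(out)


def lam_refusal_block(R, t, blk):
    """lambda(R, t) for events(t) and R within one block, or None when undefined.
    On A1 the whole of lambda(A1) is refused exactly when the implementation
    refuses the next event the protocol needs; otherwise nothing is refused."""
    if lam_trace_block(t, blk) is None:
        return None
    if blk == A2:
        return frozenset(R)             # SFS2 again
    expected_next = "ack" if len(t) % 2 == 1 else "req"
    return LAMBDA_SET[blk] if expected_next in R else frozenset()


def lam_refusal(R, t):
    """SFS7: lambda(R, t) = union over A' in MinSet of lambda(R ∩ A', t |` A')."""
    parts = [lam_refusal_block(frozenset(R) & blk, project(t, blk), blk)
             for blk in MINSET]
    if any(p is None for p in parts):
        return None                     # undefined if any block part is
    return frozenset(chain.from_iterable(parts))


def subsets(s):
    s = tuple(s)
    return [frozenset(c) for n in range(len(s) + 1) for c in combinations(s, n)]


def check_block_conditions(blk):
    """Enumerate refusal/trace pairs on one block over a few constructed traces
    and check SFS3 (bound), SFS4 (full refusal), SFS5 (monotonic), SFS6 (union).
    Returns True when every check passes."""
    for t in [(), ("req",), ("req", "ack"), ("x",), ("x", "x")]:
        if not set(t) <= blk or lam_trace_block(t, blk) is None:
            continue
        if lam_refusal_block(blk, t, blk) != LAMBDA_SET[blk]:        # SFS4
            return False
        for R in subsets(blk):
            lr = lam_refusal_block(R, t, blk)
            if not lr <= LAMBDA_SET[blk]:                            # SFS3
                return False
            for S in subsets(blk):
                ls = lam_refusal_block(S, t, blk)
                if R <= S and not lr <= ls:                          # SFS5
                    return False
                if lam_refusal_block(R | S, t, blk) != lr | ls:      # SFS6
                    return False
    return True
```

For the pair $R = \{ack, x\}$, $t = \langle req, x \rangle$ the block parts are $\{send\}$ and $\{x\}$, so $\lambda(R, t) = \{send, x\}$; for $t = \langle ack \rangle$ the A1 part is undefined and so is the whole.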
Theorem 3.33. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, containing $n$ process variables, such that $\lambda(F_{impl}) = F_{spec}$. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. Assume that the conditions in figures 3.4 and 3.6 all hold. If $Q_i \sqsubseteq^{\lambda}_{SF} P_i$ for $1 \le i \le n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq F_{vis}$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsubseteq_{SF} F_{spec}(P_1, P_2, \ldots, P_n)$.
3.5.6 Further comment regarding SFS4 
Proposition A.28 in the appendix is weaker than its counterpart SFI2, since the former uses set containment, $\subseteq$, in its statement while the latter uses equality. This is for the following reason. It is possible to derive a version of RAH2-SF(1) as follows:
$A \subseteq R$ if and only if $\lambda(A) \subseteq \lambda(R, t)$.
Had we proved this stronger version, then we could have derived a stronger version of SFS4 as follows, where we assume that $\mathit{events}(t) \cup R \subseteq A \in \mathit{MinSet}$ and $\lambda(R, t)$ is defined:
$\lambda(R, t) = \lambda(A)$ if and only if $R = A$.
And had such a condition been given in figure 3.6, then it would have been possible to prove a version of proposition A.28 which uses $=$ in place of $\subseteq$ and so which is equivalent to SFI2. However, had we used the stronger version of SFS4, it would have placed restrictions on $\lambda$ which would have been too restrictive to be of use in practice. In particular, the means given in chapter 4 to define $\lambda$ over refusal/trace pairs does not meet this condition. This is because, in the approach from chapter 4, $\lambda(R, t)$ for $\mathit{events}(t) \cup R \subseteq A \in \mathit{MinSet}$ such that $A \cap F_{vis} = \emptyset$ can only return $\emptyset$ or $\lambda(A)$. Thus, it is often the case that, in order to guarantee (an equivalent condition to) SFS6 is always met, $\lambda(R, t) = \lambda(A)$ even though $R \subset A$.
3.5.7 A comment on process alphabets 
By SFS1 (definition 3.12(3b)), it can be seen that the value of $\lambda(\phi Q)$ is dependent on the value of $\alpha Q$. It may be the case that processes with the same stable failures have different alphabets. However, the result of applying $\lambda$ to the respective sets of stable failures will yield the same result whatever the alphabet. This is illustrated by the following result.
Theorem 3.34. Let $P$ and $Q$ be implementation processes such that $\lambda(\tau P)$, $\lambda(\tau Q)$ are defined and $\phi P = \phi Q$. Then $\lambda(\phi P) = \lambda(\phi Q)$.
We require here, for example, that $\lambda(\tau P)$ is defined rather than that $\lambda([P]_{SF})$ or $\lambda(\phi P)$ are defined, because the latter two can be reclaimed from the former. Moreover, as is shown by proposition A.34, if $\lambda([P]_{FD})$ is defined then $\lambda(\tau P)$ is also defined. This therefore makes clear the fact that theorem 3.34 is still valid in the failures divergences model: i.e. if $\lambda([P]_{FD})$ and $\lambda([Q]_{FD})$ are defined and $\phi P = \phi Q$, then theorem 3.34 may be used to show that $\lambda(\phi P) = \lambda(\phi Q)$.
3.6 The failures divergences model 
We now move to consider the failures divergences model. The approach we 
take here is different to that followed with regard to the other two semantic 
models. In particular, our goal here is not to derive a theory as such. Rather, 
it is simply to derive a condition or conditions which may be used to augment 
those in figures 3.4 and 3.6 in order to define a notion of refinement-after-
hiding in the failures divergences model. As a result, we assume that all of 
the conditions and restrictions imposed in section 3.5 still hold here. This 
means we can assume that all of the results derived earlier with respect to 
the stable failures and traces models still hold. The reason for this change of 
approach is that, were we to render RAH1-3 in this model, it is not clear how we would proceed. In sections 3.4 and 3.5, we relied on the fact that processes could be constructed in which there was a unique maximal behaviour, as a result of which an equality expressed in terms of process denotations - such as that given by TI2 - could be translated into an equality expressed in terms of individual behaviours, such as RAH2-T. This is no longer possible in the failures divergences model, partly because of the additional behaviours which are automatically generated by the closure conditions FD4 and FD5 and partly because the immediately divergent process can no longer be used to obscure failures as in the stable failures model. In relation to this latter point, recall that the process constructions used in the derivations of RAH2-SF and RAH3-SF in the previous section use extensively the fact that DIV can be used to obscure failures in the stable failures model.
The definition of applying $\lambda$ to processes in the failures divergences model is therefore given in terms of its application to stable failures and minimally divergent traces (since $\mathit{min}\,\delta P \subseteq \tau P$ for any process $P$ by MD, this means that minimally divergent traces may effectively be treated in the same way as non-divergent traces). In any case, this allows for a cleaner treatment since, by FD4 and FD5, it is unlikely that $\lambda$ would be defined over all divergent traces and with respect to all (non-stable) failures of any particular implementation process.
Definition 3.13. Let $Q$ be an implementation process.
1. $\lambda([Q]_{FD})$ is defined if and only if $\lambda(\phi_\bot Q)$ and $\lambda(\delta Q)$ are defined.
2. If $\lambda([Q]_{FD})$ is defined then $\lambda([Q]_{FD}) \triangleq (\lambda(\phi_\bot Q), \lambda(\delta Q))$.
3. $\lambda(\delta Q)$ is defined if and only if $\lambda(\tau Q \cap \delta Q)$ is defined. If $\lambda(\delta Q)$ is defined, then $\lambda(\delta Q) \triangleq \{\lambda(t) \frown u \mid t \in \mathit{min}\,\delta Q \wedge u \in \Sigma^*\}$.^18
4. $\lambda(\phi_\bot Q)$ is defined if and only if $\lambda(\phi Q)$ and $\lambda(\delta Q)$ are defined. If $\lambda(\phi_\bot Q)$ is defined, $\lambda(\phi_\bot Q) \triangleq \lambda(\phi Q) \cup \{(t, R) \mid t \in \lambda(\delta Q) \wedge R \subseteq \Sigma\}$.
FD1 Let $Q$ be an implementation process such that $\lambda([Q]_{FD})$ is defined. Moreover, let $A \in \mathit{AllSet}$ where $\lambda(\setminus A) = \setminus B$. Then $\lambda([Q \setminus A]_{FD})$ is defined and $\lambda([Q \setminus A]_{FD}) = \lambda([Q]_{FD}) \setminus B$.
Figure 3.7: Rendering RAH2 in the failures divergences model
It turns out that we need only render RAH2 in this model and the relevant condition, FD1, is given in figure 3.7. However, it is necessary to impose the following additional condition.^19
SEQ Let $\ldots, t_i, \ldots$ be an $\omega$-sequence such that each $\lambda(t_i)$ is defined. Then there exists a deterministic implementation process $Q$ such that $\tau Q = \mathit{Pref}(\{\ldots, t_i, \ldots\})$.
This reflects the intuition that any $\omega$-sequence with which we might have to deal in practice may be generated by a syntactic term. That this condition is rather strong and is simply imposed is not so significant now that we are no longer aiming to derive a theory as such.
^18 Note that $\mathit{min}\,\delta Q \subseteq (\tau Q \cap \delta Q)$ by MD and since $\mathit{min}\,\delta Q \subseteq \delta Q$; thus, $\lambda(\mathit{min}\,\delta Q)$ is defined if $\lambda(\tau Q \cap \delta Q)$ is defined. We require that $\lambda(\tau Q \cap \delta Q)$ is defined rather than simply that $\lambda(\mathit{min}\,\delta Q)$ is defined because it allows us to infer the definedness of $\lambda(\tau Q)$ from the definedness of $\lambda([Q]_{FD})$ (see proposition A.34 in appendix A.5). This is necessary if we are to define refinement-after-hiding in the failures divergences model using the conditions and results presented with respect to the stable failures model. In any case, minimally divergent traces are used here because the minimality property eases the proofs significantly; in practice - i.e. if defining algorithms for verification over (variants of) transition systems - we would work with $\tau Q \cap \delta Q$ because of the difficulty of establishing the minimality of any particular divergent trace and so would require $\lambda$ to be defined over $\tau Q \cap \delta Q$. The notion of definedness used in the failures divergences model in chapter 4 is similar in that it, too, requires definedness over divergent traces to which the mapping is not actually applied. Note that, by TR-MONO and the definition of $\lambda(\delta Q)$, working with $\tau Q \cap \delta Q$ in place of $\mathit{min}\,\delta Q$ would not alter the result of any verification.
^19 $\{\ldots, t_i, \ldots\}$ is used to denote the set of traces which constitute the $\omega$-sequence $\ldots, t_i, \ldots$.
FDS1 The conditions in definition 3.13 hold.
FDS2 Let $A \in \mathit{MinSet}$. Let $\ldots, t_i, \ldots$ be an $\omega$-sequence such that $\lambda(t_i)$ is defined and $\mathit{events}(t_i) \subseteq A$ for each $t_i$. Then $\ldots, \lambda(t_i), \ldots$ is also an $\omega$-sequence.
Figure 3.8: Sufficient conditions in the failures divergences model
Using FD1 and SEQ, we are able to derive the following result, which is the only extra condition we need - other than those relating to the definition of $\lambda$ applied to process denotations in this model - in order to define refinement-after-hiding in the failures divergences model.
Theorem 3.35. Let $A \in \mathit{MinSet}$. Let $\ldots, t_i, \ldots$ be an $\omega$-sequence such that $\lambda(t_i)$ is defined and $\mathit{events}(t_i) \subseteq A$ for each $i$. Then $\ldots, \lambda(t_i), \ldots$ is also an $\omega$-sequence.
This result is essentially used to guarantee that if a sequence of traces 
in an implementation process may lead to the presence of divergence after 
hiding then the corresponding sequence of traces in the specification process 
will also give rise to divergence after hiding. Note again the fact that we 
need only enforce the condition at the level of sets from MinSet. 
The extra conditions from the failures divergences model are given in 
figure 3.8. We are then able to prove that these conditions, along with those 
used in the traces and stable failures models, are sufficient to define a notion 
of refinement-after-hiding in this model. Note that, in the results used in the 
proof of theorem 3.36, we sometimes introduce explicit specification processes 
rather than dealing only with mapped-to sets of behaviours. This is intended 
to simplify the presentation and to avoid the need to introduce additional 
notation in order to extract the failures and divergences respectively of any 
arbitrary failures/divergences pair. (Previously we avoided this problem by 
proving separately results relating to traces and to stable failures; however, 
it is not possible to separate the treatment of failures and divergences, due 
to the way in which they are calculated.) 
Theorem 3.36. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, containing $n$ process variables, such that $\lambda(F_{impl}) = F_{spec}$. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. Assume that the conditions in figures 3.4, 3.6 and 3.8 all hold. If $Q_i \sqsubseteq^{\lambda}_{FD} P_i$ for $1 \le i \le n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq F_{vis}$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsubseteq_{FD} F_{spec}(P_1, P_2, \ldots, P_n)$.
3.7 Further consideration of BTrace and related issues
In this section, we revisit some of the issues which have been highlighted 
through the course of this chapter, mainly in relation to BTrace and the 
restrictions that are imposed on sets by R1 and R2. 
3.7.1 The role of restriction R1 and proposition 3.11 
In section 3.2.6, we impose restrictions R1 and R2 on the hiding and parallel 
composition operators which may be used to build implementation networks 
from component implementation processes. R2 is then used to derive propo-
sition 3.11 and both R1 and proposition 3.11 are of crucial importance in 
the derivation of the theory which has been presented in this chapter. 20 We 
here give further consideration to the roles which they play. 
In the first instance, they allow us to characterise exactly the effect of applying $\lambda$ to the hiding and parallel composition operators which may be used to build implementation networks (see theorems 3.16 and 3.17). More specifically, we are able to take advantage of the property that, for $t \in \mathit{BTrace}$ and $A \in \mathit{AllSet}$, either $\mathit{events}(t) \subseteq A$ or $\mathit{events}(t) \cap A = \emptyset$ by definitions 3.5 and 3.6. This allows the resolution of unknowns in certain equations, which then allows the use of those equations in the respective proofs of theorems 3.16 and 3.17. For example, RAH2-T states that $\lambda(t \setminus A) = \lambda(t) \setminus B$ for any trace $t$ such that $\lambda(t)$ is defined and $A \in \mathit{AllSet}$, where $\lambda(\setminus A) = \setminus B$. In this equation, there are two unknowns, namely $\lambda(t \setminus A)$ and $B$. If we take $t$ to be a member of BTrace, we can resolve $\lambda(t \setminus A)$ into either $\lambda(\langle\rangle) = \langle\rangle$ or $\lambda(t)$ and so can derive useful results on the nature of $B$. This approach is used in the proof of theorem 3.16, where we show that $\lambda(\setminus A) = \setminus \lambda(A)$ for $A \in \mathit{AllSet}$. If it were possible for $A$ to be an arbitrary set, then this resolution of unknowns would not be possible. Similar comments apply with respect to the use of TI3 in the proof of theorem 3.17, which result shows that $\lambda(\parallel_Y) = \parallel_{\lambda(Y)}$ for $Y \in \mathit{AllSet}$.
The derivation of theorems 3.16 and 3.17 then has two main effects. Firstly, theorem 3.16 allows us to translate condition RAH2-T which refers to hiding into an equivalent condition which refers to projection: in other words, we are able to derive that $\lambda(t \upharpoonright A) = \lambda(t) \upharpoonright \lambda(A)$ for trace $t$ and $A \in \mathit{AllSet}$ (see proposition A.3 in appendix A.3). This then lets us derive condition TS4 from figure 3.4, which gives a straightforward, compositional way to define the effect of $\lambda$ applied to traces. Secondly, theorems 3.16 and 3.17 allow us to apply $\lambda$ to the operators of hiding and parallel composition in what is effectively the same manner: we simply apply $\lambda$ to the set with which the relevant operator is parameterized. This has the consequence that, in proving the sufficiency of the conditions from figure 3.4, condition TS4 can be used to define the effect of $\lambda$ when applied to traces generated using either hiding or parallel composition. This is significant because TS4 is derived only from conditions - such as TI2, RAH2-T and theorem 3.16 - which refer to the interaction between $\lambda$ and the hiding operator: one would expect that a similar condition would have to be derived from conditions like TI3 which refer specifically to the parallel composition operator.
^20 Recall that R1 and proposition 3.11 require that the hiding and parallel composition operators which may be used to build implementation networks can be parameterized only by sets from AllSet.
3.7.2 The role of BTrace 
In section 3.2, a very specific intuition behind BTrace was presented, namely 
that each specification action in ~spec may be implemented by a (finite) 
number of implementation traces and that BTrace consists of exactly those 
traces. Thereafter, BTrace is used in the definition of MinSet and so AllSet, 
and so plays a role in restricting those sets which are candidates for AllSet. 
Since implementation networks may be built using only hiding and parallel 
composition operators which are parameterized with sets from AllSet, the 
nature of BTrace plays a very significant role in determining the range of 
systems to which the theory presented in this chapter might be applied. 
There are, however, a number of comments to be made with regard to this. 
Firstly, the intuition recalled above regarding the nature of BTrace is not 
recorded formally anywhere and plays no role in this chapter in the derivation 
of conditions sufficient to define a notion of refinement-after-hiding, nor does 
it appear in those conditions themselves. Although we would expect the 
intuition given to make sense in most cases where refinement-after-hiding 
might be used, it does not limit the systems to which the theory might be 
applied. Of course, we would still expect the traces contained in BTrace 
to be "atoms" or indivisible to the extent that it would not make sense to 
decompose them further into sub-traces, so that the restrictions imposed 
by R1 and proposition 3.11 may still be justified. Furthermore, there is 
no explicit counterpart to BTrace in the concrete notion of refinement-after-
hiding which is presented in chapter 4, although such a notion may sometimes 
be used implicitly. The reasons for and consequences of this fact are discussed 
more fully in that chapter, once the concrete notion has been presented. It 
should be noted, however, that the absence of BTrace as an explicit notion 
in practice does not indicate a mismatch with the theory, nor does it mean 
that the sets in MinSet and AllSet could be made smaller in practice than is 
possible in the theory: i.e. it does not mean that the restrictions on hiding 
and parallel composition may be made lighter in practice. 
3.7.3 Deriving the statement in definition 3.5(2) 
Definition 3.5 states that MinSet is a partition of $\Sigma_{impl}$ such that, if $t, u \in \mathit{BTrace}$ and $A, B \in \mathit{MinSet}$ where $A \neq B$ then:
1. If $\mathit{events}(t) \cap A \neq \emptyset$, then $\mathit{events}(t) \subseteq A$.
2. If $\mathit{events}(t) \subseteq A$ and $\mathit{events}(u) \subseteq B$, $\mathit{events}(\lambda(t)) \cap \mathit{events}(\lambda(u)) = \emptyset$.
In section 3.2, we stated that definition 3.5(2) may actually be derived as 
part of the theory, although this was realised only on a final revision of the 
thesis. Here, we show how to do that using only results which do not use 
definition 3.5(2) in their respective proofs. 
Proposition 3.37. Let $t, u \in \mathit{BTrace}$ and $A, B \in \mathit{MinSet}$, where $A \neq B$. If $\mathit{events}(t) \subseteq A$ and $\mathit{events}(u) \subseteq B$ then $\mathit{events}(\lambda(t)) \cap \mathit{events}(\lambda(u)) = \emptyset$.
Proof. By RAH2-T and theorem 3.16, $\lambda(t \setminus A) = \lambda(t) \setminus \lambda(A)$ and $\lambda(u \setminus B) = \lambda(u) \setminus \lambda(B)$. Hence, $\mathit{events}(\lambda(t)) \subseteq \lambda(A)$ and $\mathit{events}(\lambda(u)) \subseteq \lambda(B)$ by theorem 3.14. We prove that $\mathit{events}(\lambda(t)) \cap \mathit{events}(\lambda(u)) = \emptyset$ by assuming there exists $a \in \mathit{events}(\lambda(t)) \cap \mathit{events}(\lambda(u))$. Hence, $a \in \lambda(A)$. Again by RAH2-T and theorem 3.16, $\lambda(u \setminus A) = \lambda(u) \setminus \lambda(A)$. Thus, $\lambda(u) \setminus \lambda(A) \neq \lambda(u)$ since $a \in \lambda(u) \cap \lambda(A)$ and so $\lambda(u \setminus A) \neq \lambda(u)$. Hence, $\mathit{events}(u) \cap A \neq \emptyset$ and so $A \cap B \neq \emptyset$, which contradicts the fact that MinSet is a partition by definition 3.5(1). $\square$
We observe that three results are appealed to in the proof of proposition 
3.37: RAH2-T and theorems 3.14 and 3.16, none of the proofs of which refer 
to definition 3.5(2). The only derived results referred to in the proof of 
RAH2-T are from chapter 2. The only derived results referred to in the proof 
of theorem 3.16 are RAH2-T and theorem 3.14. Theorem 3.14 is a special 
case of RAH1-T and that part of the proof of RAH1-T which deals with this 
special case uses only a single derived result, from chapter 2. Hence, there 
is no circularity involved in the use of these results to derive the condition 
from definition 3.5(2). 
3.8 Conclusion 
Starting from a high-level statement of what it means to constitute a notion 
of refinement-after-hiding, we have presented in each of the three semantic 
models a set of conditions sufficient to define such a notion. Of particular 
significance is the fact that we need define directly the result of applying the 
mapping only at the level of sets from MinSet and any conditions imposed 
on it are enforced at this level. This allows any mapping used in practice 
to be defined compositionally and so allows for reuse of predefined mapping 
components. In the next chapter, we present a concrete notion of refinement-
after-hiding which may be used in practice and in the development of which 
the conditions given here played a role. Since this was the intended purpose 
of the work in this chapter, we postpone until then a detailed discussion of 
its significance. 
Chapter 4 
A concrete notion of refinement-after-hiding 
We now move on to present a concrete notion of refinement-after-hiding which 
may be used in practice. If we are to follow the template laid out in the 
previous chapter, we need three main things in order to proceed: 
• counterparts to the sets from MinSet and counterparts, at the level of 
those sets, to the mapping defined over sets, traces and refusal/trace 
pairs. 
• a set of compositional rules to allow general definitions to be built up 
from these component definitions. 
• a structure within which these components can actually be defined. 
The compositional rules used here are direct counterparts of S5 and TS4 from figure 3.4 and SFS7 from figure 3.6. For the rest, we introduce the notion of extraction pattern.^1 An extraction pattern consists of a tuple and a set of conditions imposed on the constituent elements of that tuple; the exact nature of the tuple and these conditions depends on the semantic model in which we are working.
We first introduce extraction patterns in the traces model. All of the 
detail presented with respect to that model will continue to be relevant when 
we consider the other two semantic models. In particular, this is true of 
the detail on constructing a universe of extraction patterns, defining process 
alphabets and considering implementation networks and contexts. 
1 Extraction patterns appear in [16,39,40] among other papers; the name refers to the 
fact that they are used to "extract" specification behaviours from an implementation. 
Modifications made here to the notation are explained and highlighted in section 4.8. 
EP1 $A$ is a non-empty set of events, called the implementation alphabet and $B$ is a non-empty set of events called the specification alphabet. Moreover, if $A \cap F_{vis} \neq \emptyset$ then $A \subseteq F_{vis}$.
EP2 $\Theta$ is a possibly empty set of events such that $\Theta \subseteq A$.
EP3-T $\mathit{Dom}$ is a non-empty, prefix-closed set of traces over the implementation alphabet.
EP4 $\mathit{extr}$ is a strict, monotonic mapping defined for traces in $\mathit{Dom}$; for every $t \in \mathit{Dom}$, $\mathit{extr}(t)$ is a trace over the specification alphabet.
(a) General conditions.
If $A \subseteq F_{vis}$ then:
EP1-FVI $A = B$.
EP3-FVI $\mathit{Dom} = A^*$.
EP4-FVI If $\mathit{events}(t) \subseteq A$ then $\mathit{extr}(t) = t$.
(b) Over finally visible events.
Figure 4.1: Conditions on extraction patterns.
4.1 Extraction patterns in the traces model 
An extraction pattern in the traces model is a tuple
$ep \triangleq (A, B, \Theta, \mathit{Dom}, \mathit{extr})$
satisfying the conditions given in figure 4.1. (We assume that Fvis still denotes the set of finally visible events, as in the previous chapter.) The conditions from figure 4.1(a) relate to extraction patterns in the general case. EP3-T is used to denote the third condition there, rather than EP3, because it will be superseded by a different condition when working in the stable failures and failures divergences models. The conditions from figure 4.1(b) relate to the specific case that the extraction pattern is being used to interpret behaviours over finally visible events. They are labelled so as to relate each one to the corresponding condition from figure 4.1(a). We now relate these components and conditions to the sufficient conditions from the previous chapter where that is possible.^2
The general case
The extraction pattern component $A$ gives a set from MinSet, while $B$ effectively gives $\lambda(A)$. Moreover, $\mathit{extr}$ gives the mapping over traces from $A^*$; it is defined for all $t \in \mathit{Dom}$. The domain, $\mathit{Dom}$, of the mapping $\mathit{extr}$ is given explicitly because it is used as part of the condition of refinement-after-hiding in all three semantic models. $\Theta$ is used as part of a condition relating to traces which makes our refinement-after-hiding relation larger than it would otherwise be: without it, it would be significantly more difficult to use the relation successfully in practice. Both of these features are discussed further where they are used.
Condition S4 from figure 3.4 implies that $B$ should be fully characterised by $\mathit{extr}$ and $\mathit{Dom}$ in the following way:
$B = \bigcup\{\mathit{events}(\mathit{extr}(t)) \mid t \in \mathit{Dom}\}$.
By EP4, however, we may only infer that
$\bigcup\{\mathit{events}(\mathit{extr}(t)) \mid t \in \mathit{Dom}\} \subseteq B$.
Similarly, we only have by EP3-T that $\bigcup\{\mathit{events}(t) \mid t \in \mathit{Dom}\} \subseteq A$ rather than $\bigcup\{\mathit{events}(t) \mid t \in \mathit{Dom}\} = A$. Proceeding in this way simply gives greater flexibility and makes it easier to define these sets in practice: for example, if every event from any trace $t$ over which $\mathit{extr}$ is defined occurs on a channel $b$, it is easier to set $A$ as $\alpha b$ even if not all of the events from $\alpha b$ are used. Finally, the part of EP4 which states that $\mathit{extr}(t)$ is a trace over the specification alphabet $B$ is a counterpart to the second part of TS4 in figure 3.4.
The reader may observe that no explicit counterpart to BTrace is used 
in the definition of the extraction pattern components A and B; moreover, 
no such counterpart plays any role in the formal definition of the notion of 
refinement-after-hiding which is presented in this chapter. The reasons for 
this and other related issues are considered in section 4.7 at the end of the 
chapter. 
Finally visible events
Turning to figure 4.1(b), EP1-FVI is a direct result of conditions S1(c) (definition 3.5), S4 and TS2 from figure 3.4. It is necessary because we state $B$ directly and do not give a means of deriving it from $A$. EP3-FVI recognises the fact that, by TS2, if $\mathit{events}(t) \subseteq A$ and $A \subseteq F_{vis}$ then $\mathit{extr}(t)$ is defined. EP4-FVI also comes from condition TS2. Note that, for any extraction pattern $ep$ such that $ep.A \subseteq F_{vis}$, we may dispense with the component $\Theta$. The reason for this will become clear when its role is discussed in section 4.2.
^2 Where this is not possible, it is generally the case that a feature which does not appear in the theory has been introduced in order to make things work better in practice.
EP-UNI1 Let $ep, ep' \in EP$ be such that $ep \neq ep'$. Then $ep.A \cap ep'.A = \emptyset$ and $ep.B \cap ep'.B = \emptyset$.
EP-UNI2 Let $a \in F_{vis}$. Then there exists $ep \in EP$ such that $a \in ep.A$.
Figure 4.2: Considering the universe of extraction patterns
4.1.1 Universe of extraction patterns 
During any verification procedure, we assume the existence of a universe of extraction patterns, $EP$, containing all extraction patterns which may be used in the current verification. We impose on this universe the conditions EP-UNI1 and EP-UNI2 given in figure 4.2.^3 That $ep.A \cap ep'.A = \emptyset$ in EP-UNI1 comes from S1(c) (definition 3.5) in figure 3.4; that $ep.B \cap ep'.B = \emptyset$ comes from S1(c) (definition 3.5(2)) and S4. In the absence of an (explicitly stated) equivalent notion to $\Sigma_{impl}$, EP-UNI2 essentially gives the fact that $F_{vis} \subseteq \Sigma_{impl}$, as stated in S1(b) (definition 3.4).
$EP$ may be used to define a counterpart to AllSet, as in the manner of S1(c) (definition 3.6), which we shall call here ImplSet.
Definition 4.1. $\mathit{ImplSet} \triangleq \{\bigcup C \mid C \in \mathcal{P}(\{ep.A \mid ep \in EP\})\}$.
We shall also need the equivalent of $\lambda(A)$ for any $A \in \mathit{ImplSet}$. We denote this $\mathit{extrset}(A)$ and define it as follows.
Definition 4.2. Let $A \in \mathit{ImplSet}$ be such that $A = \bigcup_{i \in I} ep_i.A$, where $I$ is an indexing set into $EP$. Then $\mathit{extrset}(A) \triangleq \bigcup_{i \in I} ep_i.B$.
This effectively gives us the mapping applied to sets which is given in condition S5. Finally, EP-UNI2, definition 4.1 and EP1 effectively give a counterpart to S3: i.e. $F_{vis} \in \mathit{ImplSet}$.
^3 Note that we use $ep.A$ to denote the implementation alphabet, $A$, of the extraction pattern $ep$. Similarly, we may refer to $ep.B$, $ep.\Theta$ and so on.
4.1.2 Implementation and specification contexts

We again use $F_{impl}$ and $F_{spec}$ to denote corresponding implementation and specification contexts, each containing $n$ free process variables, although they are slightly different to those used in chapter 3. In particular, $F_{impl}$ may be defined using only the network composition operator, $\otimes_Y$, where $Y \in ImplSet$.[4] Where $V_1, \ldots, V_n$ and $W_1, \ldots, W_n$ are free process variables:[5]

• $F_{impl} \triangleq (V_1 \otimes_{Y_1} V_2 \otimes_{Y_2} \cdots \otimes_{Y_{n-1}} V_n)$

• $F_{spec} \triangleq (W_1 \otimes_{Z_1} W_2 \otimes_{Z_2} \cdots \otimes_{Z_{n-1}} W_n)$, where $Z_i = extrset(Y_i)$ for $1 \leq i \leq (n-1)$.

Implicit in the definition of $F_{spec}$ are the conditions S6 and S7 from figure 3.4: we have mapped the operator we use by simply applying the necessary mapping to the sets with which it is parameterised. Since $F_{impl}$ may only be defined using network composition, as soon as two implementation processes are composed in parallel during the construction of an implementation network, the set of events on which synchronization has occurred must be hidden. This has two effects, both of which are necessary. The first is that events may only be hidden after they have been synchronized on during parallel composition. This is relevant due to an issue raised when working with traces. The second is that only two processes in a particular network may synchronize on any particular set of events. The reason for this is bound up with the way in which the mapping is applied to refusals in practice. These issues are discussed further in sections 4.2 and 4.3 respectively.

4.1.3 Implementation processes and their interpretation

We define implementation processes as follows.

Definition 4.3. $Q$ is an implementation process if and only if, for every $a \in \beta(Q)$, there exists $ep \in EP$ such that $a \in ep.A$.

This definition is a counterpart to S1(d) from figure 3.4 in the absence of an equivalent notion to $\Sigma_{impl}$; as in the case of S1(d), it will generally be appealed to implicitly. The following result states that the composition of any two implementation processes is also an implementation process and may be proved easily using definition 4.3 and the detail in figure 2.5.

[4] That $Y \in ImplSet$ does not pose a restriction in practice due to corollary 4.4 below and the restriction REP1 which is imposed on implementation networks in section 4.1.6.

[5] For the purposes of presentation, we have not bracketed here the expressions denoting the two contexts. In general, however, this would be necessary because of the fact that network composition, like parallel composition, is not associative.
Proposition 4.1. Let $P, Q$ be implementation processes and $Y \subseteq \Sigma$. Then $P \otimes_Y Q$ is also an implementation process.

For any implementation process, $Q$, we shall need a set of extraction patterns with which to interpret its behaviour. For such a process $Q$ we shall denote this set $EP(Q)$, defined as follows.[6]

Definition 4.4. $EP(Q) \triangleq \{ep \in EP \mid ep.A \cap \beta(Q) \neq \emptyset\}$.

For every event $a$ in which $Q$ may engage, there will therefore be $ep \in EP(Q)$ such that $a \in ep.A$. We assume throughout this chapter and chapter 6 that $m$ gives the cardinality of $EP(Q)$ and $EP(Q) = \{ep_i \mid 1 \leq i \leq m\}$ ($m$ gives this cardinality only for implementation processes with the label $Q$). Moreover, the various components of the extraction patterns in $EP(Q)$ can be subscripted to avoid ambiguity, giving $ep_i = (A_i, B_i, \Theta_i, Dom_i, extr_i)$ for $ep_i \in EP(Q)$. We then lift some of the notions introduced with respect to individual extraction patterns to the set $EP(Q)$. These are given in figure 4.3. TR-GLOBAL1 is similar in character to Ts3 from figure 3.4 and describes a domain of traces $Dom_{EP(Q)}$. TR-GLOBAL2 is a counterpart to Ts4 and describes a mapping $extr_{EP(Q)}$ which is defined for all traces in $Dom_{EP(Q)}$.

TR-GLOBAL1  $Dom_{EP(Q)}$ is the set of $t \in (A_1 \cup \cdots \cup A_m)^*$ such that $t \upharpoonright A_i \in Dom_i$ for $1 \leq i \leq m$.

TR-GLOBAL2  $extr_{EP(Q)}(\langle\rangle) \triangleq \langle\rangle$. Let $t \frown \langle a \rangle \in Dom_{EP(Q)}$ be such that $a \in A_i$ for $ep_i \in EP(Q)$. Then $extr_{EP(Q)}(t \frown \langle a \rangle) \triangleq extr_{EP(Q)}(t) \frown u$, where $u$ is such that $extr_i((t \upharpoonright A_i) \frown \langle a \rangle) = extr_i(t \upharpoonright A_i) \frown u$.

Figure 4.3: Global definitions in the traces model, where $Q$ is an implementation process
4.1.4 Process alphabets

For any implementation process, $Q$, the alphabet of $Q$ is defined as follows.

Definition 4.5. $\alpha Q \triangleq \bigcup\{A_i \mid ep_i \in EP(Q)\}$.

In view of definitions 4.4 and 4.1, this definition effectively gives S2 from figure 3.4. The following important result is easy to prove using definitions 4.3, 4.4 and 4.5.

Proposition 4.2. If $Q$ is an implementation process then $\beta(Q) \subseteq \alpha Q$.

Since the network composition operator is used only in a restricted way in the building of implementation networks (the restriction is imposed in section 4.1.6 as REP1), we are able to show, among other things, that $EP(Q)$ is effectively defined compositionally (proposition 4.5) and that $\alpha Q$ behaves in the way one would expect according to the detail in figure 2.5 (proposition 4.6).

Proposition 4.3. Let $P, Q$ be implementation processes and $Y = \alpha P \cap \alpha Q$. Then $Y = \bigcup\{A_i \mid ep_i \in EP(P) \cap EP(Q)\}$.

Corollary 4.4. Let $P, Q$ be implementation processes. Then $\alpha P \cap \alpha Q \in ImplSet$.

Proposition 4.5. Let $P, Q$ be implementation processes and $Y = \alpha P \cap \alpha Q$. Then $EP(P \otimes_Y Q) = (EP(P) \cup EP(Q)) - (EP(P) \cap EP(Q))$.

Proposition 4.6. Let $P, Q$ be implementation processes and $Y = \alpha P \cap \alpha Q$. Then $\alpha(P \otimes_Y Q) = (\alpha P \cup \alpha Q) - (\alpha P \cap \alpha Q)$.

[6] It can be seen that $EP(Q)$ depends on the syntactic form of $Q$; as in the previous chapter, however, the outcome of any verification will be the same for two processes with the same denotation.
4.1.5 Communication capabilities

We shall also need an additional notion relating to the sets of events in which any implementation process $Q$ may engage, which will be used to restrict the nature of compositions which can occur. For any $ep_i \in EP(Q)$, we identify the communication capability of $Q$ with respect to $A_i$, given by $Comm(A_i, Q)$, as either $Left$ or $Right$. We will then require that two processes may synchronize on $A_i$ only if it is labelled as $Left$ in one and $Right$ in the other. Further discussion of what this labelling actually means and is used for appears in sections 4.2 and 4.3.[7]

It is also necessary to define $Comm$ compositionally with respect to the network composition operator (that we refer in this definition only to extraction patterns in $EP(P) - EP(Q)$ and $EP(Q) - EP(P)$ follows from proposition 4.5).

Definition 4.6. Let $P, Q$ be implementation processes and $Y = \alpha P \cap \alpha Q$.

1. Let $ep_i \in EP(P) - EP(Q)$. Then $Comm(A_i, P \otimes_Y Q) \triangleq Comm(A_i, P)$.

2. Let $ep_j \in EP(Q) - EP(P)$. Then $Comm(A_j, P \otimes_Y Q) \triangleq Comm(A_j, Q)$.

[7] The designation of a set of events as either $Left$ or $Right$ with respect to a particular process is arbitrary to an extent. However, extraction pattern components whose use in defining refinement-after-hiding is dependent on this designation must be defined with it in mind. This applies to $\Theta$ and $ref$, the latter being introduced in section 4.3.

4.1.6 Restrictions on implementation networks

Where $Q_1, \ldots, Q_n$ are component implementation processes, the following restrictions are imposed on any implementation network $F_{impl}(Q_1, \ldots, Q_n)$. (Recall that the notation $Imp$ is defined in definition 2.3 in section 2.7.)

REP1  Let $(P \otimes_Y Q) \in Imp(F_{impl}(Q_1, \ldots, Q_n))$. Then $Y = \alpha P \cap \alpha Q$.

REP2  Let $(P \otimes_Y Q) \in Imp(F_{impl}(Q_1, \ldots, Q_n))$ and $ep_i \in EP(P) \cap EP(Q)$. Then $Comm(A_i, P) \neq Comm(A_i, Q)$.

Condition REP1 is similar to R2 from chapter 3. REP2 is imposed for reasons bound up with the way in which the mapping is applied in practice to sets of refusals (see section 4.3 for further details), although it is also used in part of the condition for defining refinement-after-hiding in the traces model.
4.1.7 Extraction pattern for running example

We show here how we may construct an extraction pattern, $ep_{ack}$, to interpret in the traces model the behaviours of the processes $LeftImpl$ and $RightImpl$ from figure 1.1.[8] We first assume $Comm(\alpha data \cup \alpha ack, LeftImpl) = Left$ and $Comm(\alpha data \cup \alpha ack, RightImpl) = Right$. We also define:

$Complete \triangleq \{\langle data.0, ack.yes\rangle,\ \langle data.0, ack.no, data.0\rangle,\ \langle data.1, ack.yes\rangle,\ \langle data.1, ack.no, data.1\rangle\}^*$.

The components of $ep_{ack} = (A_{ack}, B_{ack}, \Theta_{ack}, Dom_{ack}, extr_{ack})$ are then defined as follows:

• $A_{ack} = \alpha data \cup \alpha ack$.

• $B_{ack} = \alpha send$.

• $\Theta_{ack} = \emptyset$ (the reason for this choice is explained in section 4.2).

• $Dom_{ack} = Pref(Complete)$.

$extr_{ack}$ is defined as follows, where $t \in Complete$ and $t \frown u \in Dom_{ack}$:

$$extr_{ack}(t \frown u) \triangleq \begin{cases} \langle\rangle & \text{if } t \frown u = \langle\rangle \\ extr_{ack}(t) \frown \langle send.v\rangle & \text{if } u = \langle data.v, ack.yes\rangle \text{ or } u = \langle data.v, ack.no, data.v\rangle \\ extr_{ack}(t) & \text{otherwise} \end{cases}$$

Here, intuitively, $\langle send.0\rangle$ may be implemented by two sequences of communications: $\langle data.0, ack.yes\rangle$ and $\langle data.0, ack.no, data.0\rangle$ (and similarly for $\langle send.1\rangle$).

[8] We do not explicitly give an extraction pattern to interpret the behaviours over channels $in$ and $out$, since $\alpha in \cup \alpha out \subseteq Fvis$ and so the relevant structures may be constructed from the conditions in figure 4.1(b) and the fact that the $\Theta$ component is null in such cases. In any case, when we come to consider automatic verification in chapter 6, we need never explicitly construct such extraction patterns.
4.2 Refinement-after-hiding in the traces model

We now move on to consider refinement-after-hiding proper in the traces model. The way in which processes are interpreted in this model is virtually the same as in the previous chapter. However, there is one significant difference. In chapter 3, $\lambda([\![Q]\!]_T)$ was defined if and only if $\lambda(t)$ was defined for every $t \in \tau Q$, and verification could only proceed in the event that $\lambda([\![Q]\!]_T)$ was actually defined. Here, a less restrictive approach is taken.

4.2.1 Introducing a rely-guarantee condition

In order to explain this change of approach, consider $RightImpl$ from the running example. In particular, we observe that $RightImpl$ may engage in the trace $\langle data.0, ack.no, data.1\rangle$: this trace may arise when a communication on channel $data$ has been lost (hence the receipt of the negative acknowledgement) and $RightImpl$ is ready to receive a retransmission of the data.[9] Since $RightImpl$ should not know anything of the content of the failed transmission, it must be ready to receive any possible retransmission: i.e. either $data.0$ or $data.1$. However, $\langle data.0, ack.no, data.1\rangle$ is not a member of $Dom_{ack}$ (see the definition in section 4.1.7), since it is not clear what such a trace should be intended to implement. This means that $extr_{ack}$ is not defined for $\langle data.0, ack.no, data.1\rangle$ and so, by TR-GLOBAL2, $extr_{EP(RightImpl)}$ is not defined for that trace either. Yet $LeftImpl$ can never perform a trace of which $\langle data.0, ack.no, data.1\rangle$ is a sub-trace, and so all such "problem" traces from $RightImpl$ will disappear after composition with $LeftImpl$ (recall that $LeftImpl$ and $RightImpl$ synchronize on $A_{ack} = \alpha data \cup \alpha ack$). Moreover, $LeftImpl \otimes_{A_{ack}} RightImpl$ is a correct implementation of $LeftSpec \otimes_{B_{ack}} RightSpec$, even though $extr_{EP(RightImpl)}$ is not defined over every trace of $RightImpl$. Thus, we shall allow an implementation process $Q$ to engage in behaviours which are outside of the domain $Dom_{EP(Q)}$, provided that composition with suitable implementation processes would remove these problem behaviours.[10] The extraction pattern components $\Theta_i$ and $Dom_i$ and the notation $Comm(A_i, Q)$ for $ep_i \in EP(Q)$ are used for this purpose.

If $Comm(A_i, Q) = Left$, then $\Theta_i$ denotes those actions from $A_i$ on which $Q$ may go outside of the domain $Dom_i$. If $Comm(A_i, Q) = Right$, then $A_i - \Theta_i$ denotes the actions from $A_i$ on which $Q$ may go outside of the domain $Dom_i$. If implementation processes $P$ and $Q$ are composed during the building of an implementation network then $Comm(A_i, P) \neq Comm(A_i, Q)$ for $ep_i \in EP(P) \cap EP(Q)$, because of condition REP2. This means that the traces of $P$ and $Q$ respectively may move outside of $Dom_i$ only on different events. As a result, composition will remove all behaviours which move outside of the domain on any of the events from $A_i$ for $ep_i \in EP(P) \cap EP(Q)$: i.e. it will remove all behaviours which move outside of the domain on events on which we have to synchronize during the composition. $Proj_{EP(Q)}$, from the following definition, is used to give the set of actions from the entire process $Q$ on which we may legitimately move outside of the domain $Dom_{EP(Q)}$.

[9] See process definitions in section 2.13.
Definition 4.7. The following hold by definition, where $Q$ is an implementation process and $ep_i \in EP(Q)$:

1. If $A_i \subseteq Fvis$ then $Proj_i \triangleq \emptyset$.

2. If $A_i \cap Fvis = \emptyset$, then $Proj_i \triangleq \Theta_i$ if $Comm(A_i, Q) = Left$, and $Proj_i \triangleq A_i - \Theta_i$ if $Comm(A_i, Q) = Right$.

3. $Proj_{EP(Q)} \triangleq \bigcup\{Proj_i \mid ep_i \in EP(Q)\}$.

[10] Note that a single composition need not remove all non-domain behaviours; however, all such behaviours will have been removed by the time that the implementation network under consideration engages only in finally visible events. Note also that the use of the network composition operator, instead of allowing the separate application of hiding and parallel composition, means a particular set of events can only be hidden after we have composed in parallel on them: this is necessary in order to make the proofs work in this section now that behaviours need not be contained in $Dom_{EP(Q)}$.
Dom-T-check  If $t \upharpoonright Proj_{EP(Q)} \in (Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)})$ for $t \in \tau Q$, then $t \in Dom_{EP(Q)}$.

Figure 4.4: A rely-guarantee condition in the traces model, where $Q$ is an implementation process

Condition Dom-T-check from figure 4.4 is then imposed on implementation processes; it is essentially a rely-guarantee condition in the sense of [18]. Provided that it holds of an implementation process $Q$, if we can rely on the fact that a particular trace $t \in \tau Q$ does not stray outside of $Dom_{EP(Q)}$ on the set of events on which it is allowed to, then we can guarantee that $t$ is a member of the domain $Dom_{EP(Q)}$. By definition 4.7(1), we are able to ignore events from $Fvis$ when considering Dom-T-check: this is acceptable because, by Ep3-FvI, $ep.Dom = (ep.A)^*$ if $ep.A \subseteq Fvis$.
If we return to the running example, we have that $\Theta_{ack} = \emptyset$. Since $Comm(A_{ack}, LeftImpl) = Left$, $Proj_{EP(LeftImpl)}$ is given by $\emptyset$ (recall that $\alpha in \subseteq Fvis$). Thus, Dom-T-check for $LeftImpl$ becomes:

• If $\langle\rangle \in \{\langle\rangle\}$ for $t \in \tau LeftImpl$, then $t \in Dom_{EP(LeftImpl)}$.

In other words, every trace of $LeftImpl$ has to be in $Dom_{EP(LeftImpl)}$, and this does, in fact, hold. Since $Comm(A_{ack}, RightImpl) = Right$, $Proj_{EP(RightImpl)}$ is given by $A_{ack} - \Theta_{ack} = A_{ack}$ (recall that $\alpha out \subseteq Fvis$) and so Dom-T-check for $RightImpl$ becomes:

• If $t \upharpoonright A_{ack} \in (Dom_{EP(RightImpl)} \upharpoonright A_{ack}) = Dom_{ack}$ for $t \in \tau RightImpl$, then $t \in Dom_{EP(RightImpl)}$.

This holds trivially by Ep3-FvI and TR-GLOBAL1, and so Dom-T-check places no restriction at all on $RightImpl$. Because Dom-T-check requires that $t \in Dom_{EP(LeftImpl)}$ for every $t \in \tau LeftImpl$, $t \upharpoonright A_{ack} \in Dom_{ack}$ for all such $t$ by TR-GLOBAL1. Thus, for $u \in \tau RightImpl$, we need not require that $u \in Dom_{EP(RightImpl)}$ (i.e. that $u \upharpoonright A_{ack} \in Dom_{ack}$), because no $u$ for which this does not hold will be able to synchronize in parallel with any trace from $LeftImpl$, and so any such $u$ will be destroyed by composition with $LeftImpl$.
In general, Dom-T-check makes our notion of refinement-after-hiding larger than it would otherwise be: without it, we might dismiss component processes such as $RightImpl$ as being incorrect, even though they may be used to build networks which are themselves correct. It is of most importance with respect to the input channels of any implementation process $Q$, which may be ready to receive all possible values that they can communicate, while $Dom_{EP(Q)}$ may not permit this.[11] This is acceptable in practice provided that the corresponding output channel, to which the input channel will be connected, may only engage in the allowed behaviours. In such a situation, if $Comm(A_i, Q) = Left$ for $ep_i \in EP(Q)$ such that $A_i \cap Fvis = \emptyset$, we may define $\Theta_i$ to be the set of all input events from $Q$ which are contained within $A_i$. Thus, Dom-T-check will allow $Q$ to move outside the domain $Dom_{EP(Q)}$ on the events in $\Theta_i$, while any process, $P$, with which $Q$ might be composed would be allowed to move outside its domain on events in $A_i - \Theta_i$.[12] If $Comm(A_i, Q) = Right$, then we could define $\Theta_i$ to be such that $A_i - \Theta_i$ was the set of all input events from $Q$ which are contained within $A_i$: i.e. $\Theta_i$ would be the set of all output events contained within $A_i$. Note, however, that we do not define $\Theta_{ack}$ to be $\alpha ack$, even though $ack$ is an input channel in $LeftImpl$ and $Comm(A_{ack}, LeftImpl) = Left$: this is because $RightImpl$ fails to meet Dom-T-check when $\Theta_{ack} = \alpha ack$.
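As an added, executable illustration of sections 4.1.7 and 4.2.1 (it is not part of the thesis, and the function names are the example's own), the following Python code encodes $ep_{ack}$, computes $Dom_{ack}$ membership and $extr_{ack}$, and runs Dom-T-check over small constructed trace sets standing in for $LeftImpl$ and $RightImpl$; these trace sets are assumptions of the example, not the thesis's process definitions. The check is run with $\Theta_{ack} = \emptyset$ and again with $\Theta_{ack} = \alpha ack$, which reproduces the observation that the receiver's trace $\langle data.0, ack.no, data.1\rangle$ is tolerated by the former choice and rejected by the latter.

```python
"""Added example (not from the thesis): the extraction pattern ep_ack of
section 4.1.7 and the rely-guarantee condition Dom-T-check of figure 4.4.

Events are strings "channel.value"; traces are tuples of events.  Only the
alphabet A_ack = alpha data U alpha ack is modelled: by definition 4.7(1) and
Ep3-FvI the finally visible channels in and out contribute nothing to
Dom-T-check, so restricting traces to A_ack loses nothing.
"""

ALPHA_DATA = frozenset({"data.0", "data.1"})
ALPHA_ACK = frozenset({"ack.yes", "ack.no"})
A_ACK = ALPHA_DATA | ALPHA_ACK            # implementation alphabet of ep_ack

# The four complete exchanges; Complete = BLOCKS* and Dom_ack = Pref(Complete).
# No block is a prefix of another, so a trace parses into blocks in one way only.
BLOCKS = [
    ("data.0", "ack.yes"), ("data.0", "ack.no", "data.0"),
    ("data.1", "ack.yes"), ("data.1", "ack.no", "data.1"),
]


def parse(t):
    """Split t into (complete blocks, incomplete tail); None if t is not in Dom_ack."""
    blocks, i = [], 0
    while i < len(t):
        for b in BLOCKS:
            if t[i:i + len(b)] == b:
                blocks.append(b)
                i += len(b)
                break
        else:                              # no full block starts at position i
            tail = t[i:]
            if any(len(tail) < len(b) and b[:len(tail)] == tail for b in BLOCKS):
                return blocks, tail        # a proper prefix of one exchange
            return None
    return blocks, ()


def in_dom_ack(t):
    """t in Dom_ack = Pref(Complete)."""
    return parse(t) is not None


def extr_ack(t):
    """extr_ack: one send.v per complete exchange and nothing for the
    incomplete tail; undefined (None) outside Dom_ack, as TR-GLOBAL2 requires."""
    parsed = parse(t)
    if parsed is None:
        return None
    return tuple("send." + b[0].split(".")[1] for b in parsed[0])


def restrict(t, X):
    """t restricted to the events in X (t upharpoonright X in the thesis)."""
    return tuple(e for e in t if e in X)


def proj(comm, theta):
    """Definition 4.7(2) for ep_ack: events on which a process may leave Dom_ack."""
    return frozenset(theta) if comm == "Left" else A_ACK - frozenset(theta)


def dom_ack_up_to(bound):
    """All members of Dom_ack of length <= bound.  Dom_ack is prefix-closed,
    so extending only members of Dom_ack enumerates it exhaustively."""
    level, found = [()], {()}
    for _ in range(bound):
        level = [t + (e,) for t in level for e in sorted(A_ACK) if in_dom_ack(t + (e,))]
        found.update(level)
    return found


def dom_t_check(traces, proj_set):
    """Dom-T-check (figure 4.4): a trace whose Proj-restriction equals the
    Proj-restriction of some member of Dom_ack must itself lie in Dom_ack.
    Returns the offending traces; an empty list means the check holds.
    The witness search is bounded: blocks contributing nothing to the
    restriction can be dropped, so a restricted trace of length n has a
    witness of length <= 3n (each block has at most three events)."""
    bound = 3 * max((len(t) for t in traces), default=0)
    dom_proj = {restrict(u, proj_set) for u in dom_ack_up_to(bound)}
    return [t for t in traces
            if restrict(t, proj_set) in dom_proj and not in_dom_ack(t)]


# Constructed trace sets (assumed for the example, not the thesis's process
# definitions): a sender that stays inside Dom_ack, and a receiver that, after
# a lost transmission, is ready for either retransmitted value.
SENDER_TRACES = [
    (), ("data.0",), ("data.0", "ack.no"), ("data.0", "ack.no", "data.0"),
    ("data.0", "ack.no", "data.0", "data.1", "ack.yes"),
]
RECEIVER_TRACES = SENDER_TRACES + [("data.0", "ack.no", "data.1")]


def sender_violations():
    """LeftImpl-like, Comm = Left, Theta_ack = {}: Proj = {}, so every trace must be in Dom_ack."""
    return dom_t_check(SENDER_TRACES, proj("Left", set()))


def receiver_violations(theta_ack=frozenset()):
    """RightImpl-like, Comm = Right: Proj = A_ack - Theta_ack."""
    return dom_t_check(RECEIVER_TRACES, proj("Right", theta_ack))


if __name__ == "__main__":
    print(extr_ack(("data.0", "ack.no", "data.0", "data.1", "ack.yes")))
    print(sender_violations(), receiver_violations(), receiver_violations(ALPHA_ACK))
```

With $\Theta_{ack} = \emptyset$ the receiver's projection set is the whole of $A_{ack}$, so its out-of-domain trace has no witness in $Dom_{ack} \upharpoonright A_{ack}$ and the check is vacuous for it; with $\Theta_{ack} = \alpha ack$ the projection set shrinks to $\alpha data$, every data sequence has a witness, and the same trace is reported as a violation.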
4.2.2 Defining refinement-after-hiding

The use of Dom-T-check means that, when we interpret the traces of an implementation process $Q$, we refer only to those which are also contained in $Dom_{EP(Q)}$, and these are given using the notation $\tau_{Dom_{EP(Q)}} Q$. (The following definition will generally be appealed to implicitly in proofs of results from this chapter.)

Definition 4.8. $\tau_{Dom_{EP(Q)}} Q \triangleq \tau Q \cap Dom_{EP(Q)}$.

The mapping $extr_{EP(Q)}$ is then overloaded to apply it to process denotations in the traces model, and the fact that $Q$ refines-after-hiding $P$ in the traces model according to the set of extraction patterns $EP(Q)$ is denoted $Q \sqsupseteq^{EP(Q)}_{T} P$. Condition TR-DEF1 from figure 4.5 shows how we interpret process denotations in the traces model and TR-DEF2 shows how refinement-after-hiding is defined here. Note that neither of these conditions contains any reference to the issue of definedness. Where $Q$ is an implementation process, $extr_{EP(Q)}(t)$ is always defined for $t \in \tau_{Dom_{EP(Q)}} Q$ by definition 4.8, and so $extr_{EP(Q)}(\tau Q)$ is always defined by TR-DEF1.

Using these conditions, we are able to show that $\sqsupseteq^{EP(Q)}_{T}$ does indeed constitute a valid notion of refinement-after-hiding (see theorem 4.8). (Theorem 4.7 shows that we have generalised standard CSP refinement in the traces model, under the assumption that $\alpha Q$ contains only finally visible events.)

TR-DEF1  $extr_{EP(Q)}(\tau Q) \triangleq \{extr_{EP(Q)}(t) \mid t \in \tau_{Dom_{EP(Q)}} Q\}$.

TR-DEF2  $Q \sqsupseteq^{EP(Q)}_{T} P$ if and only if $extr_{EP(Q)}(\tau Q) \subseteq \tau P$ and $Q$ meets Dom-T-check.

Figure 4.5: Defining refinement-after-hiding in the traces model, where $Q$ is an implementation process and $P$ is a process

[11] This is the problem faced by $RightImpl$ with respect to the channel $data$ and the trace $\langle data.0, ack.no, data.1\rangle$.

[12] The events from $\Theta_i$ would occur on output channels in $P$; the events from $A_i - \Theta_i$ would occur on output channels in $Q$ and so on input channels in $P$.
Recall also, before we proceed, that conditions REP1 and REP2 are imposed on any implementation network $F_{impl}(Q_1, Q_2, \ldots, Q_n)$.

Theorem 4.7. Let $Q$ be an implementation process such that $\alpha Q \subseteq Fvis$ and let $P$ be a process. Then $Q \sqsupseteq^{EP(Q)}_{T} P$ if and only if $Q \sqsupseteq_T P$.

Theorem 4.8. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, as defined in section 4.1.2. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. If $Q_i \sqsupseteq^{EP(Q_i)}_{T} P_i$ for $1 \leq i \leq n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsupseteq_T F_{spec}(P_1, P_2, \ldots, P_n)$.
4.3 Extraction patterns in the stable failures model

We now move on to consider the stable failures model and the notion of extraction pattern which must be used there. An extraction pattern in the stable failures model is a tuple

$ep \triangleq (A, B, \Theta, dom, extr, ref)$,

where the component $dom$ replaces $Dom$ and we add the component $ref$. All conditions from figure 4.1 are assumed to hold as before, except that Ep3-SF from figure 4.6 is used instead of Ep3-T from figure 4.1; note, however, that Ep3-SF implies Ep3-T. Moreover, we assume that $Pref(dom)$ returns the original $Dom$ used in the traces model; in other words, we start with $Dom$ and construct $dom$ such that $dom \subseteq Dom$ and, for every $t \in Dom$, there exists $u \in dom$ with $t \leq u$. In addition, conditions Ep3a-FvI and Ep5 from figure 4.6 are also imposed.

Neither $dom$ nor $ref$ are features of the theory from the previous chapter and both are introduced for the purposes of mapping refusal/trace pairs in practice. $dom$ denotes those traces from $Dom$ which are "complete" in some sense, while $ref$ effectively defines a set of upper bounds on the refusals which a process may exhibit after a particular trace (the roles of both of these components are discussed in more detail below). Ep3a-FvI from figure 4.6 states that behaviour over finally visible events is always complete, the significance of which will become clearer below. The second part of Ep5 is a counterpart in terms of refusal bounds to SF4, which guarantees that impossible events can always be refused. We now define $extr^{ref}$, the mapping applied to refusal/trace pairs whose events are contained in $A$ (this is effectively $\lambda(R, t)$ for $events(t) \cup R \subseteq A' \in MinSet$).

EP3-SF  $dom$ is a non-empty set of traces over the implementation alphabet; $Dom$ is given by its prefix-closure.

EP3a-FvI  If $A \subseteq Fvis$, then $Dom = dom$.

EP5  $ref$ is a mapping defined for traces in $Dom$ such that, for every $t \in Dom$:
- $ref(t)$ is a non-empty, subset-closed family of proper subsets of $A$;
- if $a \in A$ and $t \frown \langle a \rangle \notin Dom$ then $R \cup \{a\} \in ref(t)$, for all $R \in ref(t)$.

Figure 4.6: Conditions on extraction patterns in the stable failures model
4.3.1 Mapping refusals when $A \cap Fvis = \emptyset$

In order to define the mapping of refusal/trace pairs when $A \cap Fvis = \emptyset$, we use the notion of refusal bound, given by the extraction pattern component $ref$. Intuitively, refusal bounds are used to enforce progress after composition: if both participants in a parallel composition respect a particular set of bounds at some point in their joint evolution, then there will be at least one event which they both offer at that point, and so on which they may synchronize in parallel (of course, due to the use of the network composition operator, this event would immediately be hidden after synchronization had occurred).[13] If a bound should be breached by a process $Q$ (i.e. if $Q$ should refuse too much at a particular point in time) then this places an obligation on the corresponding specification process to refuse a certain set of events. These issues are illustrated below using the running example. For reasons also explained below, the bounds used with respect to the two participants in a composition are asymmetric: that is, $ref$ will be used to define the bounds for one of the participants, while another set of bounds is generated for the other process. Thus, for $t \in Dom$, we also introduce the notation $\overline{ref}(t)$ and define it as follows.

Definition 4.9. $\overline{ref}(t) \triangleq \{X \subseteq A \mid (\forall Y \in ref(t))\; X \cup Y \neq A\}$.

As a result, $X \in \overline{ref}(t)$ if and only if $X \subseteq A$ and, for every $Y \in ref(t)$, there exists $a \in A - Y$ such that $a \in A - X$. In section 4.3.4 below, we define $ref_{ack}$, the set of refusal bounds used in the verification of the running example. $ref_{ack}(\langle\rangle)$ is given by:

$\{R \in 2^{\alpha data \cup \alpha ack} \mid \alpha data \not\subseteq R\}$.

In other words, in order for this set of bounds to be respected, the relevant process must offer at least one event on channel $data$ if it has not yet engaged in any communication on channels $data$ and $ack$:[14] intuitively, the process must be ready to output a value on $data$. By definition 4.9, $\overline{ref}_{ack}(\langle\rangle)$ is given by $\{R \mid R \subseteq \alpha ack\}$, and so an implementation process must offer both events on channel $data$ if these bounds are to be respected: intuitively, it must be ready to input a value on $data$. As a result of this, if one participant in a communication on channels $data$ and $ack$ respects the refusal bounds defined by $ref_{ack}(\langle\rangle)$ and the other respects the bounds defined by $\overline{ref}_{ack}(\langle\rangle)$, then the processes will be able to synchronize in parallel on at least one event on channel $data$. Likewise, if one of the processes breaches its refusal bounds, then it may be the case that parallel composition leads to (a local) deadlock on channels $data$ and $ack$.

The refusal bounds defined by $ref$ and $\overline{ref}$ are then used in the definition of $extr^{ref}$, the mapping applied to refusal/trace pairs whose events are contained in $A$. For $t \in Dom$, $R \subseteq A$ and implementation process $Q$ such that $ep \in EP(Q)$, $extr^{ref}(R, t, Q)$ is defined as follows.

Definition 4.10. If $A \cap Fvis = \emptyset$:

$$extr^{ref}(R, t, Q) \triangleq \begin{cases} \emptyset & \text{if } (Comm(A, Q) = Left \wedge R \in ref(t)) \vee (Comm(A, Q) = Right \wedge R \in \overline{ref}(t)) \\ B & \text{if } (Comm(A, Q) = Left \wedge R \notin ref(t)) \vee (Comm(A, Q) = Right \wedge R \notin \overline{ref}(t)) \end{cases}$$

[13] See section 4.4.1 for a discussion of the significance of enforcing progress in this way.
This definition is asymmetric in the sense that the outcome of applying the mapping to $R, t$ is affected by whether $Q$ is the "left" or "right" participant in any communication using the events $A$. In particular, the refusals of $Q$ will be considered with respect to $ref$ if it is the left-hand participant and with respect to $\overline{ref}$ if it is the right-hand participant. Moreover, if a particular process breaches the bounds imposed on it, then $extr^{ref}$ will force the corresponding specification process to refuse $B$ at the appropriate point: we have seen above in reference to the running example that a breach of refusal bounds may lead, after composition, to deadlock on the set of events $A_{ack}$, and so $extr^{ref}$ would force the specification to deadlock on $B_{ack}$ if this should occur.[15]

That the definition of $extr^{ref}(R, t, Q)$ is asymmetric in the sense described above is necessary since communication is generally asymmetric in nature. If $b$ is regarded as an input channel in a particular process, then that process will usually offer all of the events on $b$; if it is an output channel, then the process may only offer a single event on $b$. As a result, the two parties to a communication may refuse very different sets of events from $\alpha b$, and so may respect very different refusal bounds, while still guaranteeing the progress after composition which we want.

This asymmetry is one of the reasons why we compose processes using only the network composition operator. Consider two implementation processes $P$ and $Q$, where $ep_i \in EP(P) \cap EP(Q)$, $Y = \alpha P \cap \alpha Q$ and $Comm(A_i, P) \neq Comm(A_i, Q)$. Then it is not clear whether we should take $Comm(A_i, (P \parallel_Y Q)) = Left$ or $Comm(A_i, (P \parallel_Y Q)) = Right$. In fact, neither makes much sense, and so $\parallel_Y$ may not be used in the definition of implementation contexts. In $P \otimes_Y Q$, by contrast, all events from $A_i$ are hidden[16] and, by proposition 4.5, $ep_i \notin EP(P \otimes_Y Q)$.

We now consider how the definition of $extr^{ref}$ relates to the conditions given in figure 3.6. We first note that it meets implicitly condition SFs3. Condition SFs4 may be translated here to mean that $extr^{ref}(A, t, Q) = B$, and it is easy to show that it is met. By Ep5 from figure 4.6, any set in $ref(t)$ must be a proper subset of $A$ and so $A \notin ref(t)$. By definition 4.9, it cannot be the case that $A \in \overline{ref}(t)$. Hence, $extr^{ref}(A, t, Q) = B$ whether $Comm(A, Q) = Left$ or $Comm(A, Q) = Right$. Condition SFs5 on the monotonicity of the mapping in the refusal argument is met since both $ref(t)$ and $\overline{ref}(t)$ are subset-closed (the former follows by Ep5 and the latter by definition 4.9).

That processes may be combined using only the network composition operator means condition SFs6 is not meaningful in the approach we take.[17]

[14] That the process has not yet engaged in any communication on channels $data$ and $ack$ is indicated by the use of $\langle\rangle$ as an argument to $ref_{ack}$.

[15] In some circumstances, we will actually disallow any breaching of refusal bounds: see condition Dom-SF-check in figure 4.9 and the related discussion in section 4.4.1.

[16] This is similar to the approach taken in CCS (see [50]): communication there is asymmetric since we can only synchronize an action $a$ with its complement $\bar{a}$, and the result of the synchronization is hidden from view.

[17] Let $P, Q$ be implementation processes. $\lambda(R \cup S, t)$ from SFs6 refers to $R$ and $S$ where $R$ is part of a refusal from $P$, $S$ is part of a refusal from $Q$ and $R \cup S$ is part of a refusal from $P \parallel_Y Q$ for $Y = \alpha P \cap \alpha Q$.
EP5-FvI  Let $Q$ be an implementation process. If $A \subseteq Fvis$ and $events(t) \cup R \subseteq A$, then $extr^{ref}(R, t, Q) \triangleq R$.

Figure 4.7: Mapping refusals when $A \subseteq Fvis$

However, $extr^{ref}$ meets a similar condition which is sufficient in view of the restrictions placed on process composition. The condition is the following, where $P, Q$ are implementation processes, $ep \in EP(P) \cap EP(Q)$, $Comm(A, P) \neq Comm(A, Q)$, $R \cup S \subseteq A$ and $t \in Dom$:

if $R \cup S = A$, then $extr^{ref}(R, t, P) \cup extr^{ref}(S, t, Q) = B$.

If $R \cup S = A$ then, by the definitions of $ref$ and $\overline{ref}$, either $extr^{ref}(R, t, P) = B$ or $extr^{ref}(S, t, Q) = B$: taking $P$ to be the left-hand participant, if $R \in ref(t)$ then $S \cup R = A$ excludes $S$ from $\overline{ref}(t)$ by definition 4.9, and if $R \notin ref(t)$ the mapping already yields $B$ for $P$ (the case with $Q$ on the left is symmetric). A possible alternative means of defining the mapping applied to refusals is given in section 4.8 below. It was suggested by the nature of condition SFs6 and so does meet it.

4.3.2 Mapping refusals when $A \subseteq Fvis$

In this case, the necessary definition is given by condition Ep5-FvI in figure 4.7. It is a direct counterpart of condition SFs2 from figure 3.6.

4.3.3 From "local" to "global" definitions

As with $Dom$ in TR-GLOBAL1, the notion of $dom$ is lifted to the set of extraction patterns $EP(Q)$. It is also necessary to do the same with $extr^{ref}$. The relevant definitions are given in figure 4.8. Condition SF-GLOBAL2 is a counterpart of SFs7 from figure 3.6. When dealing with sets of extraction patterns, note that the components $dom$, $ref$, $\overline{ref}$ and $extr^{ref}$ may all be subscripted as in the traces model in order to avoid ambiguity.
4.3.4 Running example 
We extend here the extraction pattern ep ack so that it may be used to inter-
pret in the stable failures model the processes Leftlmpl and RightImpl from 
figure 1.1. domack is defined as follows: 
domack l!. {(data.D, ack.yes), (data.D, ack.no, data.D) , 
(data.I, ack.yes), (data.I, ack.no, data.I))·. 
R is part of a refusal from P, S is part of a refusal from Q and R U S is part of a refusal 
from P Ily Q for Y = aP n aQ. 
SF-GLOBAL1 $dom_{EP(Q)}$ is the set of $t \in (A_1 \cup \ldots \cup A_m)^*$ such that $t \upharpoonright A_i \in dom_i$ for $1 \le i \le m$.

SF-GLOBAL2 Let $R \subseteq \alpha Q$ and $t \in Dom_{EP(Q)}$. Then $extr^{ref}_{EP(Q)}(R, t, Q) \triangleq \bigcup_{1 \le i \le m} extr^{ref}_i(R \cap A_i,\ t \upharpoonright A_i,\ Q)$.

Figure 4.8: Global definitions in the stable failures model, where Q is an implementation process

"Completeness" here, i.e. membership of dom_ack, means that a particular communication over the channels data and ack has been completed. Since Dom_ack is given as the prefix-closure of dom_ack, its definition has not changed (see section 4.1.7). The component ref_ack, where $t \in dom_{ack}$ and $t \frown u \in Dom_{ack}$, is defined as:

$ref_{ack}(t \frown u) \triangleq \begin{cases} 2^{\alpha data} & \text{if } u = \langle data.v\rangle \\ \{R \in 2^{\alpha data \cup \alpha ack} \mid \alpha data \not\subseteq R\} & \text{if } u = \langle\rangle \\ \{R \in 2^{\alpha data \cup \alpha ack} \mid data.v \notin R\} & \text{if } u = \langle data.v, ack.no\rangle \end{cases}$

Recall that $Comm(\alpha data \cup \alpha ack, LeftImpl) = Left$ and $Comm(\alpha data \cup \alpha ack, RightImpl) = Right$. This means that LeftImpl is considered with respect to ref_ack and RightImpl is considered with respect to $\overline{ref}_{ack}$. Assuming that both processes always respect the refusal bounds, then the following will hold. When behaviour is complete, LeftImpl will offer at least one event on the channel data; RightImpl will be ready to receive any event on that channel (see the statement of ref_ack(⟨⟩) in section 4.3.1 above). After a single data transmission, LeftImpl will accept any event on channel ack and so, by definition 4.9, RightImpl need only offer one of those events. Finally, after a negative acknowledgement has been communicated, LeftImpl will offer the necessary data retransmission and RightImpl will be ready to receive it. Thus, if both implementation components respect the refusal bounds, they will always synchronize on at least one event from the channels data and ack when they are composed in parallel.
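The refusal bounds of ep_ack, worked through as an added example (this is not code from the thesis): the Python below models dom_ack, Dom_ack as its prefix-closure, the three cases of ref_ack, and the SF-GLOBAL1 membership test for dom_EP(Q) over several patterns. The event names, the closure of dom_ack under concatenation of completed communications, the extra pattern over channel in and the sample failures are constructed assumptions; the complementary bound used for RightImpl is not stated on this page and is not modelled.

```python
"""ep_ack from section 4.3.4: dom_ack, its prefix-closure Dom_ack, the refusal
bounds ref_ack, and the SF-GLOBAL1 membership test for dom_EP(Q).
Added example; event names, the closure of dom_ack under concatenation and the
sample failures are constructed assumptions, not the thesis's definitions."""
from itertools import combinations, product

ALPHA_DATA = frozenset({"data.0", "data.1"})     # alpha data
ALPHA_ACK = frozenset({"ack.yes", "ack.no"})     # alpha ack
A_ACK = ALPHA_DATA | ALPHA_ACK                   # implementation alphabet of ep_ack

# The four completed communications over data and ack.
COMPLETE = (("data.0", "ack.yes"), ("data.0", "ack.no", "data.0"),
            ("data.1", "ack.yes"), ("data.1", "ack.no", "data.1"))


def dom_ack(max_comms=2):
    """dom_ack, taken here (assumption) as sequences of up to max_comms completed
    communications, so that t ^ u with t in dom_ack is well-formed."""
    dom = {()}
    for n in range(1, max_comms + 1):
        for parts in product(COMPLETE, repeat=n):
            dom.add(sum(parts, ()))
    return frozenset(dom)


def prefix_closure(traces):
    """Dom_ack is the prefix-closure of dom_ack (section 4.1.7)."""
    return frozenset(t[:i] for t in traces for i in range(len(t) + 1))


def split_complete(trace, dom):
    """Write a trace of Dom_ack as t ^ u with t the longest prefix in dom_ack;
    u is then one of <>, <data.v> or <data.v, ack.no>."""
    if trace not in prefix_closure(dom):
        raise ValueError("trace is not in Dom_ack: %r" % (trace,))
    for i in range(len(trace), -1, -1):
        if trace[:i] in dom:
            return trace[:i], trace[i:]


def powerset(events):
    events = sorted(events)
    return [frozenset(c) for n in range(len(events) + 1)
            for c in combinations(events, n)]


def ref_ack(trace, dom):
    """ref_ack(t ^ u) of section 4.3.4: the refusals R that LeftImpl may exhibit
    after the trace (RightImpl is judged against the complementary bound)."""
    _, u = split_complete(trace, dom)
    if u == ():                       # behaviour complete: some data event must be offered
        return {R for R in powerset(A_ACK) if not ALPHA_DATA <= R}
    if len(u) == 1:                   # after <data.v>: every ack event must be accepted
        return {R for R in powerset(A_ACK) if R <= ALPHA_DATA}
    v = u[0]                          # after <data.v, ack.no>: data.v must be retransmitted
    return {R for R in powerset(A_ACK) if v not in R}


def bound_violations(failures, dom):
    """Failures (t, R), R a subset of A_ACK, whose refusal lies outside ref_ack(t)."""
    return [(t, R) for t, R in failures if frozenset(R) not in ref_ack(t, dom)]


def in_dom_ep(trace, patterns):
    """SF-GLOBAL1: trace is in dom_EP(Q) iff its events lie in A_1 u ... u A_m and
    each projection trace|A_i is in dom_i; patterns is a list of (A_i, dom_i)
    with dom_i given as a membership predicate."""
    union = frozenset().union(*(A for A, _ in patterns))
    if not set(trace) <= union:
        return False
    return all(in_dom(tuple(e for e in trace if e in A)) for A, in_dom in patterns)


# Constructed stable failures of a LeftImpl-like process (not from the thesis).
SAMPLE_FAILURES = [
    ((), {"ack.yes", "ack.no", "data.1"}),          # within bound: data.0 still offered
    (("data.0",), {"data.0", "data.1"}),            # within bound: any ack accepted
    (("data.0",), {"ack.yes"}),                     # breach: an ack event is refused
    (("data.0", "ack.no"), {"data.0"}),             # breach: retransmission refused
    (("data.0", "ack.yes"), {"data.0", "data.1"}),  # breach: complete, no data offered
]

if __name__ == "__main__":
    for t, R in bound_violations(SAMPLE_FAILURES, dom_ack()):
        print("refusal bound breached after", t, "by", sorted(R))
```

Running the module lists the three constructed failures that breach ref_ack; the in_dom_ep check shows why a trace that stops after a bare data.v is in Dom_EP(Q) but not in dom_EP(Q), which is exactly the distinction Dom-SF-check relies on later in the chapter.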
4.4 Refinement-after-hiding in the stable failures model
We now move on to consider how the above detail may be used to define a notion of refinement-after-hiding in the stable failures model. Before proceeding, note that all definitions, conditions and restrictions from sections 4.1 and 4.2 are assumed to still apply in this model. Where Q is an implementation process, we shall not wish to consider those failures of Q whose trace component is not in Dom_EP(Q). In addition, it will also be necessary to isolate those failures whose trace component is from dom_EP(Q). We therefore introduce the following notation. (As for definition 4.8, this definition will generally be appealed to implicitly in proofs of results from this chapter.)

Dom-SF-check Let $(t, R) \in \phi_{Dom_{EP(Q)}}Q$ be such that $R \subseteq \alpha Q$. Let $ep_i \in EP(Q)$ be such that $A_i \cap Fvis = \emptyset$. If $extr^{ref}_i(R \cap A_i,\ t \upharpoonright A_i,\ Q) = B_i$ then $t \upharpoonright A_i \in dom_i$.

Figure 4.9: Extra condition on failures, where Q is an implementation process
Definition 4.11. Let Q be an implementation process. Then the following hold by definition.
1. $\phi_{Dom_{EP(Q)}}Q$ is the set of those stable failures of Q in which the trace component belongs to Dom_EP(Q).
2. $\phi_{dom_{EP(Q)}}Q$ is the set of those stable failures of Q in which the trace component belongs to dom_EP(Q).
In chapter 3, λ(φQ) was defined by applying λ to R, t for all (t, R) ∈ φQ (provided that R ⊆ αQ). Here, however, we shall apply extr^ref_EP(Q) only to refusal/trace pairs from failures in $\phi_{dom_{EP(Q)}}Q$: that is, those failures whose trace components are complete in some sense. It is for this reason that the dom component is introduced (see section 4.4.1 for more details). In tandem with taking this approach, we also require that condition Dom-SF-check from figure 4.9 is met. As a result of this, the notion of refinement-after-hiding used in the stable failures model, $\sqsupseteq^{SF}_{EP(Q)}$, is as defined in figure 4.10. (extr_EP(Q) is again overloaded and may be applied to denotations in the stable failures model or to sets of stable failures.) As in the traces model, and for similar reasons, we do not consider explicitly issues of definedness in the conditions in figure 4.10. Note also that, by proposition B.14 in appendix B, dom_EP(Q) ⊆ Dom_EP(Q) for any implementation process Q and so extr^ref_EP(Q)(R, t, Q) is defined in the statement of SF-DEF2.
4.4.1 Role of Dom-SF-check
We first discuss briefly how the condition Dom-SF-check actually works before considering why it is necessary to use it. This will highlight the need for the dom component.
SF-DEF1 $extr_{EP(Q)}([\![Q]\!]_{SF}) \triangleq (extr_{EP(Q)}(\tau Q),\ extr_{EP(Q)}(\phi Q))$.

SF-DEF2 $extr_{EP(Q)}(\phi Q) \triangleq \{(extr_{EP(Q)}(t), X) \mid (t, R) \in \phi_{dom_{EP(Q)}}Q \wedge R \subseteq \alpha Q \wedge X \subseteq extr^{ref}_{EP(Q)}(R, t, Q) \cup (\Sigma - extrset(\alpha Q))\}$.

SF-DEF3 $Q \sqsupseteq^{SF}_{EP(Q)} P$ if and only if $extr_{EP(Q)}([\![Q]\!]_{SF}) \subseteq [\![P]\!]_{SF}$ and Q meets Dom-T-check and Dom-SF-check.

Figure 4.10: Defining refinement-after-hiding in the stable failures model, where Q is an implementation process and P is a process
Dom-SF-check amounts to the requirement that refusal bounds may only be breached when behaviour is complete (recall that, by EP3A-FVI, behaviour over finally visible events is always complete).[18] This forces progress - that is, the enabling of at least one event - after parallel composition on the set of events ep.A, where ep.A ∩ Fvis = ∅, when behaviour is not complete with respect to ep.dom.[19] Since all events on which synchronization occurs are immediately hidden, this enabled event will be hidden and so the corresponding state will not contribute to a stable failure of the composition. This is why, by SF-DEF2, it is only necessary to find a matching failure in the specification component when behaviour in the implementation is complete according to dom_EP(Q).

It would be possible to define a sound notion of refinement-after-hiding in this model where dom_EP(Q) in condition SF-DEF2 in figure 4.10 was replaced by Dom_EP(Q) and condition Dom-SF-check was dispensed with. Were we to do such a thing, however, then the practical applicability of the method would be much reduced.[20] This can be illustrated using the following small example. We assume a (deterministic) specification process which executes the trace ⟨in.0, send.0, out.0⟩ and which refuses all other events. All events on the channels in and out are assumed to be contained in Fvis. Consider a (deterministic) implementation process, Q, which executes the trace $\langle in.0, a_1, \ldots, a_k, out.0\rangle \in Dom_{EP(Q)}$ and refuses all other events, where $\langle a_1, \ldots, a_k\rangle$ implements ⟨send.0⟩ in some way. In the general case, where $t = \langle in.0, a_1, \ldots, a_l\rangle$ for $l < k$, it is possible that $extr_{EP(Q)}(t) = \langle in.0, send.0\rangle$. In other words, it may be the case that we interpret send.0 as having occurred before its implementation has actually completed; although this seems counter-intuitive, it can be necessary in practice and examples of the need for this can be seen in chapter 7. After executing $a_l$, the implementation process refuses all events but $a_{l+1}$. If we consider R to be the largest set refused after t in Q such that R ⊆ αQ, then out.0 ∈ R. It follows by SF-GLOBAL2 and EP5-FVI that $out.0 \in extr^{ref}_{EP(Q)}(R, t, Q)$. But the specification does not refuse out.0 after $extr_{EP(Q)}(t) = \langle in.0, send.0\rangle$ and so this verification would fail. However, if we use condition Dom-SF-check and a set of refusal bounds which allow us to refuse after t everything but $a_{l+1}$ then the verification could succeed.[21]

[18] If $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = B_i$ as in the statement of the condition, then this signifies, by definition 4.10, that the relevant refusal bounds have been breached.
[19] See the discussion in section 4.3.4 of the refusal bounds used in relation to the running example.
[20] A similar issue is considered in [56] in a bisimulation-type setting; see chapter 5 for further details.
The problem therefore stems from the interaction between the possibility of interpreting that a high-level event has occurred before its low-level implementation has completed and the fact that finally visible events must be preserved when refusal sets have the mapping applied to them. Thus, we only relate implementation to specification failures when behaviour is complete according to dom_EP(Q). Behaviours over finally visible events are regarded as always complete by EP3A-FVI since this problem cannot arise with regard to them.
4.4.2 Soundness of refinement-after-hiding
We now proceed to show that $\sqsupseteq^{SF}_{EP(Q)}$, defined in figure 4.10, does indeed constitute a valid notion of refinement-after-hiding in the stable failures model, after first showing that it generalises standard CSP refinement when αQ ⊆ Fvis.

Theorem 4.9. Let Q be an implementation process such that αQ ⊆ Fvis and let P be a process. Then $Q \sqsupseteq^{SF}_{EP(Q)} P$ if and only if $Q \sqsupseteq_{SF} P$.

Theorem 4.10. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, as defined in section 4.1.2. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. If $Q_i \sqsupseteq^{SF}_{EP(Q_i)} P_i$ for $1 \le i \le n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsupseteq_{SF} F_{spec}(P_1, P_2, \ldots, P_n)$.
4.5 The failures divergences model
We finally consider the case of the failures divergences model. We assume that an extraction pattern is defined here as in the stable failures model and that all conditions and restrictions imposed in that model still hold here. We then impose an extra condition on the mapping over traces, as a counterpart to condition FDS2 in figure 3.8. This condition is given in figure 4.11.

EP6 Let ep ∈ EP. If $\ldots, t_j, \ldots$ is an ω-sequence in Dom, then $\ldots, extr(t_j), \ldots$ is also an ω-sequence.

Figure 4.11: A final condition on extraction patterns

[21] We would assume that behaviour in the implementation was incomplete according to dom_EP(Q) after the execution of $a_1$ and prior to the execution of $a_k$.
Behaviours in this model are interpreted in a manner directly analogous to that given in definition 3.13 in the previous chapter: see figure 4.12 for details.[22] We denote the fact that Q refines-after-hiding P in the failures divergences model as $Q \sqsupseteq^{FD}_{EP(Q)} P$; its definition is given as condition FD-DEF4 in figure 4.12. We show that $\sqsupseteq^{FD}_{EP(Q)}$ generalises standard CSP refinement when αQ ⊆ Fvis before showing that it constitutes a valid notion of refinement-after-hiding in the failures divergences model.

Theorem 4.11. Let Q be an implementation process such that αQ ⊆ Fvis and let P be a process. Then $Q \sqsupseteq^{FD}_{EP(Q)} P$ if and only if $Q \sqsupseteq_{FD} P$.

Theorem 4.12. Let $F_{impl}$ and $F_{spec}$ be implementation and specification contexts respectively, as defined in section 4.1.2. Let $Q_1, \ldots, Q_n$ be component implementation processes and $P_1, \ldots, P_n$ be processes. If $Q_i \sqsupseteq^{FD}_{EP(Q_i)} P_i$ for $1 \le i \le n$ and $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq Fvis$, then $F_{impl}(Q_1, Q_2, \ldots, Q_n) \sqsupseteq_{FD} F_{spec}(P_1, P_2, \ldots, P_n)$.
4.6 Equivalence
Thus far, we have defined conditions in each of the three semantic models which allow us to show that an implementation network refines the corresponding specification network. If we wish to show that the two networks are equivalent, it is simply necessary to show that each specification component refines-after-hiding the corresponding implementation component, as well as the fact that each implementation component refines-after-hiding the corresponding specification component.[23] (Different - though not necessarily disjoint - sets of extraction patterns would be used in each case of course.) When verifying a specification process against an implementation process in either the stable failures or failures divergences models, it should generally be possible to regard all behaviours as complete (i.e. to assume that Dom_EP(Q) = dom_EP(Q)). As a result, and by SF-GLOBAL1, Dom-SF-check would be met trivially and so could be dispensed with. This is possible since the problem which Dom-SF-check is intended to address should not arise.

FD-DEF1 $extr_{EP(Q)}([\![Q]\!]_{FD}) \triangleq (extr_{EP(Q)}(\phi_\perp Q),\ extr_{EP(Q)}(\delta Q))$.

FD-DEF2 $extr_{EP(Q)}(\delta Q) \triangleq \{extr_{EP(Q)}(t) \frown u \mid t \in Dom_{EP(Q)} \wedge t \in min\,\delta Q \wedge u \in \Sigma^*\}$.

FD-DEF3 $extr_{EP(Q)}(\phi_\perp Q) \triangleq extr_{EP(Q)}(\phi Q) \cup \{(t, R) \mid t \in extr_{EP(Q)}(\delta Q) \wedge R \subseteq \Sigma\}$.

FD-DEF4 $Q \sqsupseteq^{FD}_{EP(Q)} P$ if and only if $extr_{EP(Q)}([\![Q]\!]_{FD}) \subseteq [\![P]\!]_{FD}$ and Q meets Dom-T-check and Dom-SF-check.

Figure 4.12: Defining refinement-after-hiding in the failures divergences model, where Q is an implementation process and P is a process

[22] As in chapter 3, the use of stable failures and minimally divergent traces allows us to build refinement-after-hiding in the failures divergences model on top of the treatment presented for the traces and stable failures models. Also as in chapter 3, it allows for a cleaner treatment due to the difficulty of making sure that any mapping used is defined over arbitrary divergent traces and with respect to arbitrary (non-stable) failures of any particular implementation process.
[23] With regard to the notion of refinement-after-hiding presented here, and as in the previous chapter, the terms "implementation component" and "specification component" indicate respectively the process whose behaviours are to be interpreted and the process in whose behaviours we will check for containment of those interpreted behaviours. They have no further significance than this and an extraction mapping may function either to make behaviours more abstract or to make them more concrete (or it may leave the level of abstraction the same if we are dealing only with relaxation of atomicity).

4.7 The absence of BTrace and defining implementation alphabets
In chapter 3, BTrace is used to provide an exact characterisation of the sets which constitute MinSet and of the effect of applying λ to members of that set. These precise characterisations are necessary in order to derive certain results which are part of the theory presented in that chapter. However, when working in practice, we simply impose as a condition or definition any results which were previously derived and so these exact characterisations are no longer needed; thus, BTrace need not be an explicit part of the treatment in practice. For example, for ep, ep' ∈ EP such that ep ≠ ep', ep.A and ep'.A are effectively sets from MinSet, while ep.B and ep'.B give λ(ep.A) and λ(ep'.A) respectively. In chapter 3, the use of BTrace plays an important role in the derivation of the requirement that ep.B ∩ ep'.B = ∅. Here, however, we simply impose that condition directly using EP-UNI1 from figure 4.2.
BTrace also plays a role in chapter 3 in defining those sets which are possible candidates for MinSet (and so thereby restricts the sets which can be used to parameterize the operators used to build implementation networks).[24] Nonetheless, the absence of BTrace as an explicit notion in practice does not indicate a mismatch with the theory. In order to explore this issue further, we consider how extraction pattern implementation alphabets - which are the counterpart here to sets from MinSet - might be constructed in practice.

Assume that we are engaged on the verification of an implementation process, Q, and so it is necessary to define a set of extraction patterns, EP(Q), to interpret Q's behaviours. In particular, we wish to make the implementation alphabets of these extraction patterns as small as possible, so that the restriction on building implementation networks which is imposed by REP1 becomes as light as possible.[25] TR-GLOBAL2 from figure 4.3 constitutes one of the main conditions from this chapter which is in opposition to this desire, as it effectively places a lower bound on the size of any particular implementation alphabet. Let $t \frown \langle a\rangle \in Dom_{EP(Q)}$ be such that $a \in A_i$ for $ep_i \in EP(Q)$ and $extr_{EP(Q)}(t \frown \langle a\rangle) = extr_{EP(Q)}(t) \frown u$. Then, by TR-GLOBAL2, u is evaluated according to the following equation: $extr_i(t \upharpoonright A_i \frown \langle a\rangle) = extr_i(t \upharpoonright A_i) \frown u$. Thus, $A_i$ must be large enough so that it is possible to evaluate $extr_i(t \upharpoonright A_i \frown \langle a\rangle)$ in practice. In other words, $A_i$ must be large enough so that $t \upharpoonright A_i$[26] gives sufficient information to allow us to interpret what additional information - i.e. u - is given to us by the occurrence of a after t (this issue was discussed briefly in section 3.4). This means that the implementation alphabets to be used in any particular verification in practice must be built around (the events of) traces in terms of which we are able to evaluate directly the result of applying the extraction mapping. Moreover, in order to make those alphabets as small as possible, the traces around which they are built must be "atoms" or "indivisible" in the sense that they cannot be decomposed further for the purposes of interpretation: this reflects the use of BTrace - containing traces which may be regarded as atoms or as indivisible in some sense[27] - in defining MinSet in section 3.2. Thus, there is no inconsistency between the use of BTrace as a device to aid the derivation of the theory presented in chapter 3 and the fact that it does not appear as part of the notion of refinement-after-hiding which is given in this chapter.

[24] Recall that AllSet is defined in terms of MinSet.
[25] By definition 4.5, the bigger the implementation alphabets of the extraction patterns used then the bigger the alphabets of the implementation processes to be composed and so, by REP1, the bigger the sets on which they have to synchronize in parallel.
[26] Recall that $a \in A_i$ by definition.
[27] The particular intuition given in section 3.2 with respect to BTrace - namely that each specification action in $\Sigma_{spec}$ may be implemented by a (finite) number of implementation traces and that BTrace consists of exactly those traces - may best be regarded as an aid to explanation. The significant property of BTrace is the fact that it consists only of traces which may be regarded as indivisible in some sense. As mentioned in section 3.7, it is this property which is necessary if the restrictions imposed in section 3.2.6 by R1 and proposition 3.11 are to make sense. Nonetheless, even if we do make the assumption that each specification action in $\Sigma_{spec}$ may be implemented by a (finite) number of implementation traces, we would generally expect each such trace to be regarded as indivisible for the purposes of interpretation.

The previous paragraph gives some indication of how the implementation alphabets used in any particular verification may be arrived at. In practice, we would probably have a different implementation alphabet for each "portion" of communication in which our process engaged. For example, we might have (at least) a different implementation alphabet - and so a different extraction pattern - for each process with which our implementation process communicated: if that part of the behaviour of our implementation process which is visible at the relevant interface makes sense to the process on the other side of that interface, then it should usually be possible to define an extraction mapping to interpret those behaviours. However, the process of deriving implementation alphabets to be used in practice is still very much an area for further work and development of a methodology with respect to this will rely on the application of refinement-after-hiding to a far wider range of case studies than has so far been considered.

As a final comment, note that BTrace may appear implicitly in the definition of extraction mapping domains and in the definition of the mappings themselves. For example, the traces used in the definition of Complete in section 4.1.7 could constitute traces from BTrace were such a notion to be used explicitly here and both Dom_ack and extr_ack are defined in terms of them. Indeed, the definition of extr_ack shows one way of giving a compositional definition of an extraction mapping over traces whose events fall completely within a particular implementation alphabet (the formal definition of refinement-after-hiding is silent on this issue).

4.8 Discussion
We now proceed to discuss the way in which the concrete notion of refinement-after-hiding presented in this chapter relates to its predecessors and the way in which its development has been impacted on by the theory developed in the previous chapter. Predecessors of the work in this chapter include [10, 12, 16, 39, 40]. [39] and [40] treat differently the case of cyclic and acyclic implementation networks and impose on specification components a number of restrictions, such as the fact of never refusing any input. These treatments were combined into a single notion of implementation relation in [10] (on which [12] is based) and the presentation in these latter two papers formed the beginning of the work in this thesis.
In addition to the extensions and modifications discussed below - which were contributed solely by the author - there is a major difference of presentation between the work given here and its predecessors. Previously, the treatment was confined to the failures divergences model, whereas here we deal individually with each of the three semantic models. In addition, the motivation behind this earlier work was to develop an implementation relation which could be used to relate an implementation component to its corresponding specification component in the event that the communications of the latter had been implemented in the former using some form of fault tolerance, possibly replication. In fact, considering the correctness of replicated processes was the main motivation behind [39]. The conception of the work was therefore far less general than it is here.
Mapping refusals and finally visible events The implementation relation given in [12] was lacking in one important property: it effectively failed to meet the condition that λ(φQ) = φQ when αQ ⊆ Fvis. This problem was solved immediately due to condition SFs2 from figure 3.6 and this constitutes one of the most important contributions made by the theory from the previous chapter. Previously, the mapping of refusal/trace pairs at the level of individual extraction patterns was carried out in the same manner whatever the implementation alphabet of the extraction pattern under consideration. More specifically, there was no equivalent of condition EP5-FVI from figure 4.7. Although given in a different form to EP5-FVI, this modification to the presentation in [12] first appeared in [13] and [16].
An alternative means of mapping refusals We consider here the issue of mapping refusal/trace pairs at the level of individual extraction patterns and consider an arbitrary extraction pattern $ep_i$. (Note that the following detail is simply sketching out a possible approach and is not intended to be a fully realised and formal presentation.) Although condition SFs6 from figure 3.6 deals only with refusals which are maximal in a certain sense, the means of mapping refusals given in definition 4.10 does not impose this restriction. If we remove from SFs6 the condition relating to maximality and translate to the notation used in this chapter, then we are given the following:
This immediately suggests the following way of mapping refusal/trace pairs in practice, where $t \in Dom_i$ and $R \subseteq A_i$:

$extr^{ref}_i(R, t) \triangleq \bigcup_{a \in R} extr^{ref}_i(\{a\}, t)$.

Once we have adopted this compositional definition, SFs6 will be met however we proceed. Condition SFs2, requiring that $extr^{ref}_i(R, t) = R$ if $A_i \subseteq Fvis$, can be met easily by simply requiring that $extr^{ref}_i(\{a\}, t) \triangleq \{a\}$ for $a \in A_i \subseteq Fvis$.
The question remains, therefore, of what $extr^{ref}_i(\{a\}, t)$ should return in the general case. Before presenting a possibility, we define the set $Rf_i(t)$, which gives all those events from $B_i$ which cannot extend $extr_i(t)$ when we apply $extr_i$ to any $t \frown x \in Dom_i$. For $t \in Dom_i$,

$Rf_i(t) \triangleq \{b \in B_i \mid \neg\exists x \in A_i^* \cdot t \frown x \in Dom_i \wedge extr_i(t) \frown \langle b\rangle \le extr_i(t \frown x)\}$.

As a counterpart to SF4, we first require that $Rf_i(t) \subseteq extr^{ref}_i(R, t)$ for any $R \subseteq A_i$: in other words, events which are impossible after the extraction of t must be contained in the extracted refusals. Then, for $t \frown \langle a\rangle \in Dom_i$, it is possible to relate a to the high-level event or events which it is being used to implement when it occurs after t. $extr^{ref}_i(\{a\}, t)$ would return this set of high-level events along with $Rf_i(t)$. For $a \in A_i$ such that $t \frown \langle a\rangle \notin Dom_i$, $extr^{ref}_i(\{a\}, t)$ would simply return $Rf_i(t)$. In terms of the running example from figure 1.1, we would take $extr^{ref}_{ack}(\{data.j\}, \langle\rangle)$ to be $\{send.j\}$ for $j \in \{0, 1\}$. This is because data.j is being used to implement send.j when it occurs after ⟨⟩ (of course, it is used to implement send.j whenever it occurs). Moreover, $Rf_{ack}(\langle\rangle)$ would be empty.
It is immediate that such an approach would meet SFs3, which requires that $extr^{ref}_i(R, t) \subseteq B_i$, and it is also immediate that SFs5, requiring the monotonicity of the mapping, would be met. It is also easy to show that SFs4 is met; that is, that $extr^{ref}_i(A_i, t) = B_i$. In order to show this, by SFs3 it is only necessary to show that $B_i \subseteq extr^{ref}_i(A_i, t)$. For $b \in B_i \cap Rf_i(t)$, the proof is immediate. For $b \in B_i - Rf_i(t)$, there must be an event $a \in A_i$ such that $t \frown \langle a\rangle \in Dom_i$ and a is used to implement b. Thus, $b \in extr^{ref}_i(A_i, t)$ in this case as well.

The intuition behind this possible approach is as follows: if we can refuse a after t at the implementation level, then we may be unable to offer, after $extr_i(t)$ at the specification level, any b which this occurrence of a is being used to implement. Whether this intuition makes sense in terms of practical verification is something that would need to be assessed on concrete examples. Note that refusal bounds would still need to be retained in order to deal with condition Dom-SF-check.
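The compositional refusal mapping sketched above, as an added example that is not the thesis's own code: the Python below computes $Rf_i(t)$, $extr^{ref}_i(\{a\}, t)$ and $extr^{ref}_i(R, t)$ for ep_ack of the running example and checks SFs3, SFs4 and SFs5 by enumeration over a bounded Dom_ack. The trace mapping extr_ack, the bound on the number of communications in dom_ack, and the concrete reading of "a is used to implement b after t" (b is a next high-level event on some continuation through a) are assumptions made here; with that reading SFs4 holds by construction, which the enumeration confirms.

```python
"""Compositional refusal mapping for one extraction pattern (section 4.8 sketch),
worked on ep_ack of the running example. Added example; extr_ack, the bound on
Dom_ack and the reading of "a implements b after t" are assumptions."""
from functools import lru_cache
from itertools import combinations, product

A_ACK = frozenset({"data.0", "data.1", "ack.yes", "ack.no"})   # implementation alphabet A_i
B_ACK = frozenset({"send.0", "send.1"})                        # specification alphabet B_i
COMPLETE = (("data.0", "ack.yes"), ("data.0", "ack.no", "data.0"),
            ("data.1", "ack.yes"), ("data.1", "ack.no", "data.1"))


def dom_ack(max_comms=2):
    """Completed traces: up to max_comms completed communications (assumed bound)."""
    dom = {()}
    for n in range(1, max_comms + 1):
        for parts in product(COMPLETE, repeat=n):
            dom.add(sum(parts, ()))
    return frozenset(dom)


def prefix_closure(traces):
    return frozenset(t[:i] for t in traces for i in range(len(t) + 1))


DOM = prefix_closure(dom_ack())     # Dom_i for ep_ack


def extr_ack(t):
    """Assumed trace mapping extr_i: send.v is extracted when data.v is first
    transmitted; a retransmission after ack.no extracts nothing further."""
    out, prev = [], None
    for e in t:
        if e.startswith("data.") and prev != "ack.no":
            out.append("send." + e.split(".", 1)[1])
        prev = e
    return tuple(out)


def is_prefix(s, t):
    return t[:len(s)] == s


@lru_cache(maxsize=None)
def rf(t):
    """Rf_i(t): the b in B_i for which no x with t ^ x in Dom_i has
    extr_i(t) ^ <b> as a prefix of extr_i(t ^ x)."""
    base = extr_ack(t)
    return frozenset(b for b in B_ACK
                     if not any(is_prefix(base + (b,), extr_ack(tx))
                                for tx in DOM if is_prefix(t, tx)))


@lru_cache(maxsize=None)
def implements(a, t):
    """Assumed reading of "a is used to implement b after t": t ^ <a> is in Dom_i
    and b is a next high-level event on some continuation through a."""
    ta = t + (a,)
    if ta not in DOM:
        return frozenset()
    base = extr_ack(t)
    return frozenset(b for b in B_ACK
                     if any(is_prefix(base + (b,), extr_ack(tx))
                            for tx in DOM if is_prefix(ta, tx)))


def extr_ref_single(a, t):
    """extr_i^ref({a}, t) = Rf_i(t) plus the events a implements after t."""
    return rf(t) | implements(a, t)


def extr_ref(R, t):
    """extr_i^ref(R, t) = union over a in R of extr_i^ref({a}, t); Rf_i(t) is
    included even when R is empty, as the counterpart to SF4 requires."""
    result = set(rf(t))
    for a in R:
        result |= extr_ref_single(a, t)
    return result


def check_sfs_properties():
    """SFs3 (extr_ref(R, t) within B_i), SFs4 (extr_ref(A_i, t) = B_i) and
    SFs5 (monotonicity in R), checked for every t in Dom_i and R, S subsets of A_i."""
    events = sorted(A_ACK)
    subsets = [frozenset(c) for n in range(len(events) + 1)
               for c in combinations(events, n)]
    for t in DOM:
        if extr_ref(A_ACK, t) != B_ACK:
            return False
        images = {R: extr_ref(R, t) for R in subsets}
        if any(not images[R] <= B_ACK for R in subsets):
            return False
        if any(R <= S and not images[R] <= images[S] for R in subsets for S in subsets):
            return False
    return True


if __name__ == "__main__":
    print("extr_ref({data.0}, <>) =", sorted(extr_ref_single("data.0", ())))
    print("all SFs properties hold:", check_sfs_properties())
```

On this example $Rf_{ack}(\langle\rangle)$ is empty and $extr^{ref}_{ack}(\{data.j\}, \langle\rangle) = \{send.j\}$, as the text states; $Rf_{ack}(t)$ becomes non-empty only for traces with no continuation in the bounded Dom_ack, which is an artefact of the bound rather than of the mapping.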
4.8. Discussion 107 
Dealing with divergence In [12] and [16], it is assumed that specification components are divergence-free and that they will be composed in such a way that the resulting specification network will also be divergence-free. Moreover, one of the conditions imposed on any implementation component Q is that no trace from $\tau_{Dom_{EP(Q)}}Q$ should also be a member of δQ. Finally, the condition is imposed that applying the extraction mapping over traces to an ω-sequence from $\tau_{Dom_{EP(Q)}}Q$ should return another ω-sequence. This guarantees that divergence will not be introduced on composition of the implementation components since it is not introduced when the corresponding specification components are composed.
The move from this treatment to that used here, which allows us to deal smoothly with divergences, was again indicated by the theory in the previous chapter, specifically condition FDS2 from figure 3.8 and the detail from section 3.6. Once we have removed the restriction that implementation and specification networks/component processes must be divergence-free and have applied the extraction mapping to (minimally) divergent traces, the original condition on ω-sequences is actually sufficient to give us what we need, since it is effectively equivalent to FDS2. Nonetheless, the move to imposing the condition on individual extraction patterns rather than on component implementation processes is important: it saves on verification effort by making the check part of the construction of the extraction pattern rather than part of the verification of the process. Moreover, the role played by minimally divergent traces - which do not appear in earlier work - in the proofs of results from this chapter is crucial to extending refinement-after-hiding to the failures divergences model.
Role of implementation alphabet That events occur on channels was an explicit part of the presentation in [12] and [16] and was integral to the notion of refinement-after-hiding presented there. Channels in specification components were partitioned into input and output channels and the specification alphabet of any particular extraction pattern could only contain events from input channels or events from output channels but not both. This led to two main differences to the treatment given here. Firstly, it was not necessary to introduce communication capabilities or the fact that composition over a particular implementation alphabet could only occur if one participant was denoted as Left and the other as Right; composition was controlled implicitly, at the specification level, by the fact that input channels may only be connected to output channels and vice versa. In addition, the extraction pattern component e was not used: an extraction pattern dealing with input events allowed deviation from the domain on any of the events in its implementation alphabet, while an extraction pattern dealing with output events did not allow any deviation at all.
The decision was made to abandon this treatment for two connected reasons, one more theoretical and the other practical. Condition Ts4 from figure 3.4 was present in the predecessors of the work in this chapter (it is given here as TR-GLOBAL2 in figure 4.3). However, its appearance in the theory as a necessary condition served to highlight with a certain amount of clarity the role played by the implementation alphabets of the extraction patterns used in any particular verification (represented in the previous chapter by the sets contained in MinSet). Assume that Q is an implementation process, $t \frown \langle a\rangle \in Dom_{EP(Q)}$ and $a \in A_i$ for $ep_i \in EP(Q)$. By TR-GLOBAL2, we define $extr_{EP(Q)}(t \frown \langle a\rangle)$ in terms of $extr_{EP(Q)}(t)$ and $extr_i((t \frown \langle a\rangle) \upharpoonright A_i)$. In a sense, as discussed in section 3.4, $extr_i((t \frown \langle a\rangle) \upharpoonright A_i)$ is a function from a trace, $t \upharpoonright A_i$, and an event, a, to the trace extension u which is used in the statement of TR-GLOBAL2. This means that $A_i$ tells us what we need to know of t in order to determine the additional information which is given to us by the occurrence of a after t.
As a result, the aforementioned partitioning of extraction patterns only 
makes sense if we can always interpret a when it is used to implement input 
events by only knowing about the other events contained in t which are also 
used to implement input events, and similarly for output events. In the 
general case, however, this is not true and a specific example arose during 
the verification of the asynchronous communication mechanism described 
in chapter 7. At the specification level, the mechanism engages in read 
(output) and write (input) events: however, in order to interpret events used 
to implement a write it is necessary to know about the read behaviour of the 
mechanism so far and similarly for events used to implement a read. Using 
the approach from [12] and [16], it was therefore not possible to successfully 
verify the mechanism. 
Equivalence Although the detail does not appear in the conference paper [12], [10] defines additional extraction pattern components and extra conditions which can be used to prove "equivalence" of an implementation and specification network.[28] An additional trace mapping, inv - a partial inverse of the extraction mapping - is provided to relate abstract traces to concrete traces. It is required that it is a trace homomorphism: in other words, $inv(\langle a_1, \ldots, a_n\rangle) = inv(\langle a_1\rangle) \frown \ldots \frown inv(\langle a_n\rangle)$. The restriction is placed on specification components that after any trace, on any input channel, either all events must be refused or all events must be offered. Finally, an additional condition relating to the mapping of refusals from the specification is also imposed. Together, these last two conditions amount to using the standard notion of refusal bounds but with a fixed set of bounds to be applied regardless of the particular specification process under consideration. It became clear in deriving the conditions in chapter 3 that there were no theoretical reasons for treating the verification of specification against implementation differently from that of implementation against specification. Moreover, the requirement on inv that it be a homomorphism would be too restrictive if we were to deal with equivalence during the verification presented in chapter 7: there, communication events in the specification are implemented in different ways depending on the (specification) events which have preceded them. In other words, the full generality of a mapping from traces to traces is needed.

[28] The equivalence which may be proved is not standard CSP equivalence because of issues relating to mapping refusals, as detailed above.
4.8.1 General role of the theory
We have highlighted above a number of areas in which the notion of refinement-after-hiding presented here differs from earlier versions, which changes were all introduced under the influence of the work in the previous chapter. In general, where changes were not suggested, the conditions derived in chapter 3 were useful in that they confirmed the soundness of earlier work and clarified our understanding of that work. For example, the results on mapping operators by simply mapping the sets with which they are parameterised, and on the way in which the mapping is to be applied to such sets, were very important. They confirmed that the approach taken in practice in earlier work was correct and not subject to alteration. Where the change required was not so great, such as in the case of divergences, the impact of the theoretical treatment should not be underestimated since it pinpointed exactly the approach to be taken and saved time and effort in the search for possible alternative ways of proceeding.

The issue of mapping refusals perhaps illustrates most fully the role which the theory can play. It highlighted immediately a solution to an earlier problem. It gave a framework for analysis within which the current use of refusal bounds in the mapping of refusal/trace pairs could be easily assessed and understood. Finally, the theoretical treatment suggested a new approach to the mapping of refusals and gave, in conditions SFs2-6, a straightforward way of assessing the soundness of any new method chosen.
Chapter 5 
Related work 
When behaviour decomposition and relaxation of atomicity are referred to 
in what follows, it is assumed we mean the external forms of these types of 
reification, since the internal versions can always be dealt with quite straight-
forwardly (at least in CSP). 
5.1 Action refinement and related approaches 
Action refinement (see [25] for a survey of this approach) is one of the main 
approaches which allows us to perform behaviour decomposition in a process 
algebraic setting and a great deal of work has been done in this area. In gen-
eral, each action in the specification process under consideration is replaced 
by a precise, low-level behaviour which is defined by a refinement function. 
In this respect, it is related to the idea of top-down design in sequential sys-
tems, where high-level instructions are expanded into a lower-level module 
until the result is an implementation that may be executed. Action refinement
is primarily concerned, therefore, with the derivation of a (correct)
implementation and not with verification after the fact, in contrast to our 
notion of refinement-after-hiding. It suffers from two problems, however. 
Only a single implementation is possible for any particular specification and 
refinement function pair. Moreover, causal relations between events in the 
specification must be preserved in the implementation. For example, if a 
precedes b in the specification, then all of the events which form the im-
plementation of a must precede in the implementation all of those events 
which form the implementation of b. Some forms of action refinement are 
able to perform relaxation of atomicity to the extent that, if a and b occur 
concurrently in the specification, then their respective implementations may 
interleave. However, this is the limit of the relaxation of atomicity which is 
possible. 
[32] and [60,71] use a dependency relation and a weak form of sequential 
composition in order to allow additional relaxation of atomicity in an action 
refinement framework. Any action of the first argument to the new com-
position operator must precede all actions from the second argument with 
which it is dependent. However, an action from the second argument may 
precede one from the first provided that the two actions are independent. 
Nonetheless, there is still only one possible implementation for a particular 
specification (for any given refinement function and dependency relation). 
In order to deal with these twin problems of action refinement - only 
a single implementation possible and only restricted relaxation of atomicity 
allowed - Rensink and Gorrieri presented the work in [59] (earlier versions 
appeared as [57] and [58]; an alternative presentation of some of the material 
appeared in [25]). The paper [59] works in the process algebraic context and 
details a notion of refinement termed vertical implementation, which may be 
used to verify correctness when behaviour decomposition has occurred in the 
move from specification to implementation, along with a degree of relaxation 
of atomicity. We first list some of the aims behind this work, taken from [59], 
to illustrate the fact that it is similar in concept to ours. 
• the vertical implementation relation is parametric with respect to a 
mapping. 
• flexibility: multiple implementations are allowed for a given specifi-
cation and a strict ordering is not dictated for the low level actions 
implementing a high level one; 
• simplicity: the introduction of a concurrency model more complex than 
any of the standard interleaving ones is not required; 
• the vertical implementation relation "collapses" to a standard notion 
of refinement when the mapping is the identity; 
• deadlock properties carry over from the abstract to the concrete level;
• compositional verification is allowed in the same sense as our approach. 
The fact that the vertical implementation relation "collapses" to a stan-
dard notion of refinement when the mapping is the identity, along with the 
way in which the operators used interact with the refinement mapping, means 
that the notion of vertical implementation is essentially a form of refinement-
after-hiding, although it is not presented in such terms. However, there are 
important differences in terms of concept and also in terms of technical exe-
cution which exist between the work in this thesis and that in [59]. 
The motivation behind our work was to explore a means of generalising 
refinement in CSP in order that both behaviour decomposition and relax-
ation of atomicity could be accommodated in the general case. Rensink and 
Gorrieri start from the premise that action refinement has the shortcom-
ings described above and seek to remedy them. Inherent in their treatment, 
therefore, is the restriction that the vertical implementation relation is to be 
parameterized with an action refinement mapping. This means that the do-
main of the mapping contains only individual (specification) events, although 
each event may be mapped to a process. Although we map to individual be-
haviours rather than processes, there do seem benefits to be gained from 
using our more general type of mapping. In particular, we can (attempt to) 
verify correctness in the event that relaxation of atomicity has occurred with-
out behaviour decomposition: it is not obvious how the same thing could be 
done using an action refinement mapping. Moreover, in the general case, it 
need not be true that the same high-level action is always implemented in the 
same way wherever it occurs: this certainly applies to the asynchronous com-
munication mechanism whose verification is considered in chapter 7. This 
suggests the need for an abstraction mapping and one which takes account 
of the history of any particular event to which it is applied. As a general 
point, if the aim is to allow multiple implementations for a single specifi-
cation then using an abstraction mapping from possible implementations to 
specifications seems a more sensible way to proceed than using a mapping to 
make behaviours more concrete. 
Where our treatment is based around a semantic mapping, Rensink and 
Gorrieri provide as a foundation of their notion of vertical implementation 
a set of (syntactic) proof rules. If a concrete relation is to be viewed as a 
valid vertical implementation relation, then these rules must be sound with 
respect to that relation. As a result, the rules define both what it means to 
be a vertical implementation relation and also give a proof system for any 
such concrete relation: this latter is something we are lacking with respect 
to refinement-after-hiding. Many of these rules playa similar role to the 
conditions RAHl-3 from chapter 3, although they are given with respect to 
the full range of operators. In addition, a rule is given on relaxing causality 
when refining actions (in addition to the interleaving which is allowed when 
the events being implemented are independent at the specification level). 
In [59], communication is treated symmetrically: both parties to a com-
munication are required to offer all of the relevant events used to implement 
a particular high-level event. However, [25] does introduce a version of ver-
tical implementation whereby one party to a communication must offer all 
relevant events, while the other party need only offer some of those events. 
Such a treatment is similar to the use of refusal bounds in our concrete no-
tion of refinement-after-hiding, although it is not quite as general as using 
(the equivalent of) refusal bounds: it seems similar to disallowing the refusal 
of any events on one side of the communication and simply requiring the 
offering of one of the possible events on the other. 
Similar conditions on readiness to communicate are also a feature of the 
paper [56]. Using a notion of abstraction, it sets out to answer the question 
of when a set of fine-grain execution steps may be contracted into an abstract 
atomic action and so aims to explore notions of correctness which are useful 
when considering relaxation of atomicity. It does this in a restricted setting, 
considering the interactions between a client or agent and a server: the 
client may invoke a method of the server, to which invocation the server will 
(eventually) respond. The aim is for the relevant notion of "implements"
to hold whenever the client cannot see the difference between the "atomic" 
and the "non-atomic" servers: that is, whenever the result of composing the 
respective servers with the same client is two "equivalent" systems. This is 
similar to our initial characterisation of refinement-after-hiding. 
Of most interest, however, is the operational characterisation of the de-
sired notion of implementation, which is based on coupled simulation ([52, 
53]). The choice of such a basis on which to build the notion of abstraction 
is justified in the following terms. Intuitively, if the concrete state s "imple-
ments" the abstract state s', standard bisimulation relations such as weak
bisimulation might also require that s' "implements" s. The use of coupled
simulation allows that the abstract s' need only implement the concrete s
when behaviour at s is complete in a sense similar to that used in our notion
of refinement-after-hiding.
soundness, rather it makes it weaker and allows more systems to be verified 
as correct. It seems that it may fulfil a similar requirement to the use of con-
dition Dom-SF-Check in our work; in any case, it is an issue which invites 
further exploration. In particular, it may have implications for any future 
attempt to transfer the work presented here to a bisimulation setting. 
5.2 Choosing a semantic over a syntactic mapping
In this thesis, we have chosen to use a semantic rather than a syntactic 
mapping. Here, we consider reasons behind this choice, with some reference 
to the discussion above on action refinement and vertical implementation. 
Were we to use a syntactic mapping, it would effectively have to be de-
fined over individual events due to the difficulty of defining it directly over 
arbitrary processes. As a result, using a syntactic mapping would mean 
using a refinement mapping to make behaviours more concrete. However, 
as discussed above in relation to the notion of vertical implementation, it 
seems more sensible to (be able to) use an abstraction mapping if we wish 
to allow multiple implementations for a single specification. Moreover, also
as mentioned above, defining a mapping over individual events means that 
each specification event must be implemented in the same way whenever it 
occurs. This need not be true in general and is certainly not the case with
regard to the asynchronous communication mechanism whose verification is 
considered in chapter 7. Of course, we could deal with this problem by annotating
different instances of the same event and having events with different
annotations implemented in different ways: however, determining how a par-
ticular event should be annotated - at least in the case of the asynchronous 
communication mechanism from chapter 7 - would rely on knowledge of the 
history of the process up to its occurrence. This would effectively require a 
mapping over sequences of events rather than over individual events and so 
would require a semantic mapping. Moreover, the same syntactic occurrence
of an event may have different histories on different executions and so may 
be implemented in different ways in different executions: thus, it may not be 
possible to give a particular syntactic event a unique annotation. 
5.3 External behaviour decomposition (interface refinement)
Two papers which explicitly set out to deal with the issue of interface refine-
ment are [7] and [24]. 
The approach followed in [7] is termed there "interface displacement". In 
this approach, the aim is to take the abstract interface of two specification 
components, P and Q, and transform it into a more concrete one. The 
interface change is then encoded in a process I: I is composed in parallel with 
P on the set of abstract interface actions and these actions are then hidden 
to give the implementation process P', with the more concrete interface. In
order to give to Q the concrete interface, the process I is "subtracted" from 
Q in a sense, giving the implementation process Q'. Q' is such that, if I were 
composed in parallel with it on the concrete actions of the (new) interface 
and those concrete actions hidden, then the result would be the original 
process Q. It is in this sense that the interface is "displaced". [7] therefore 
gives a means of carrying out the process of interface refinement rather than 
verifying its correctness after the fact. There is an interesting similarity with 
predecessors of the work in this thesis: namely, the interface transducers play 
a role comparable to that of the disturbers and extractors of [39], although 
there is no notion of "displacement" in [39] and all interfaces are treated in 
a uniform manner. 
There are, however, a number of differences between the approach pre-
sented here and that in [7]. The latter is focused on the refinement of a 
(specification) compound system, where the components interact through a 
well-defined interface, into a compound implementation system, where that 
interface has been refined. This interface refinement is then justified on the 
grounds that the compound implementation system is guaranteed to be a 
correct implementation of the specification system in terms of a standard 
implementation relation such as traces or failures inclusion. There is no 
notion of being able to relate individual implementation and specification 
components - refinement of a particular process interface must be done 
in tandem with that of its environment - and so no notion of any sort of 
vertical implementation relation in the terminology of [59]. 
The paper [24] gives an initial formulation of a notion of interface re-
finement which is similar in outline to our notion of refinement-after-hiding. 
Working in a temporal logic framework, low-level (infinite) behaviours are 
related to high-level (infinite) behaviours using a device which is similar to 
our extraction mapping. Moreover, according to the examples discussed, it 
seems that the method has the power to deal simultaneously with both be-
haviour decomposition and relaxation of atomicity. However, it lacks the 
power of compositionality: that is, it is not shown that any operators on 
processes are monotonic with respect to this relation. This means that, if 
the interface between two components composed in parallel is to be refined, 
it is necessary to verify the composed implementation against the composed 
specification (the interface actions are not hidden in this composition). 
It is the avowed intention of the authors in [24] to define a notion of inter-
face refinement which is as unrestricted as possible. The result of this appears 
to be, however, that it is not clear what it actually means that one system 
implements another nor what properties are preserved from specification to 
implementation. Lack of compositionality may be crucial in this respect: for 
example, in our treatment, compositionality (conditions RAH2 and RAH3) 
and the condition RAH1 (expressing a kind of "collapse" property) are the 
criteria against which the validity of any notion of refinement-after-hiding is 
judged and they essentially invest such notions with meaning. 
5.4 Abstraction through hiding 
Looking at the general issue of behaviour abstraction, some approaches (for 
example, that described in [1]) describe system behaviour by sequences of 
state tuples with an internal component; they then require that, for every 
possible state sequence of a correct implementation, there should exist one 
of the specification such that the two sequences coincide after deleting the 
internal state component. A similar treatment is presented in [38], using 
infinite action sequences (i.e. infinite traces) instead of state sequences: the 
interface of the specification must be a subset of the interface of the imple-
mentation and it is required that every trace of the implementation can be 
turned into one of the specification by deleting actions not in the specifica-
tion's interface. These two approaches and other comparable ones, such as 
[47], are based on abstraction by hiding. In contrast, our notion of abstrac-
tion is essentially based on the interpretation of behaviours over a particular 
alphabet as behaviours over another alphabet. As illustrated by the example 
given in section 1.4.1 in chapter 1, abstraction by interpretation may not be 
reduced to abstraction by hiding in the general case. Nonetheless, abstraction
through hiding is certainly useful and is comparable to our work to the
extent that we expect to eventually hide any interpreted behaviour, leaving 
implementation and specification systems which may engage in the same set 
of visible events. However, refinement-after-hiding gives a means of verifying 
that abstraction through hiding will give correct behaviour before we actually 
compose the components of a system and hide the necessary behaviour: in 
this sense, it gives a compositional means of verifying a notion of abstraction 
through hiding. 
5.5 Relaxation of atomicity 
Some of the action refinement-related papers already discussed - such as 
[56], [59], [60] and [71] - have some capacity to deal with the issue of relaxation
of atomicity, as did the work presented in [24]. Here we consider other
work where managing relaxation of atomicity is/was the principal aim. 
One of the major areas of work where this issue has been addressed is that 
of databases and transaction-processing systems. In this area, a specification 
is given in terms of a set of sequential behaviours: this generally means that 
the transactions occurring in a particular specification behaviour are totally 
ordered and their executions do not overlap.¹ An implementation is then
allowed to execute (parts of) some transactions in parallel, provided that 
the resulting parallel behaviour is equivalent in some sense to an acceptable 
sequential behaviour. In general, this notion of "equivalence" consists of two 
factors: the first is that, using some suitable dependency relation, the events 
of the implementation behaviour under consideration may be transformed 
into a (sequential) specification behaviour by commuting events regarded as 
independent; secondly, the result of executing the implementation behaviour 
is the "same" as the result of executing the corresponding specification be-
haviour. This latter point is generally framed as the requirement that an 
observer would be unable to distinguish the implementation behaviour from 
the specification behaviour. (This notion of observer may not always be
treated explicitly, however.) Relevant notions from the literature include
serializability (see, for example, [2]) and the notion of "atomicity" defined
in [48]. Related notions in the more general context of managing parallel
access to shared memory in a multi-processor architecture are sequential
consistency ([42]) and linearizability ([29]). Sequential consistency requires
that the dependency relation used to commute implementation events to
give sequential behaviours preserves the ordering of events which occur in
the same process; linearizability requires in addition that we preserve the
global (external) ordering of non-overlapping operations.

¹Note, however, that a specification will not usually be given explicitly in the database
domain and "specification" behaviours are usually those sequential behaviours which are
possible for the implementation.
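To make the distinction between the two conditions concrete, the following Python code is an added example and is not part of the thesis or of the cited papers. For a small history of reads and writes on a single register it searches for a total order of the operations that is legal for the sequential register specification while respecting only per-process program order (sequential consistency), or, in addition, the real-time order of non-overlapping operations (linearizability). The histories H_SC_ONLY, H_LIN, H_NEITHER and H_DIVERGENT are constructed for the example; the brute-force search over permutations is adequate only for histories of a handful of operations.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Op:
    """One operation on a single shared register, with its real-time interval."""
    proc: str      # issuing process
    kind: str      # 'w' (write value) or 'r' (read returning value)
    value: int
    start: float
    end: float


def legal(seq, init=0):
    """Sequential register specification: each read returns the most recent write."""
    current = init
    for op in seq:
        if op.kind == 'w':
            current = op.value
        elif op.value != current:
            return False
    return True


def respects_program_order(seq):
    """Operations of one process must appear in the order that process issued them."""
    last_start = {}
    for op in seq:
        if op.proc in last_start and op.start < last_start[op.proc]:
            return False
        last_start[op.proc] = op.start
    return True


def respects_real_time(seq):
    """An operation that finished before another started must precede it."""
    for i, earlier in enumerate(seq):
        for later in seq[i + 1:]:
            if later.end < earlier.start:
                return False
    return True


def find_witness(history, real_time):
    """Return a legal total order of the history, or None if none exists.
    Brute force over permutations: fine for a handful of operations only."""
    for seq in permutations(history):
        if not respects_program_order(seq):
            continue
        if real_time and not respects_real_time(seq):
            continue
        if legal(seq):
            return list(seq)
    return None


def sequentially_consistent(history):
    return find_witness(history, real_time=False) is not None


def linearizable(history):
    return find_witness(history, real_time=True) is not None


# Constructed histories (not from the thesis). The register initially holds 0.
# A write completes before a read by another process starts, yet the read
# returns the old value: allowed by sequential consistency, not by linearizability.
H_SC_ONLY = [Op('p', 'w', 1, 0, 1), Op('q', 'r', 0, 2, 3)]
# The first read overlaps the write and sees it; the later read sees it too.
H_LIN = [Op('p', 'w', 1, 0, 2), Op('q', 'r', 1, 1, 3), Op('q', 'r', 1, 4, 5)]
# A process reads back a stale value after its own write: breaks program order.
H_NEITHER = [Op('p', 'w', 1, 0, 1), Op('p', 'r', 0, 2, 3)]
# Two readers observe two concurrent writes in opposite orders: no total order exists.
H_DIVERGENT = [Op('p', 'w', 1, 0, 1), Op('q', 'w', 2, 0, 1),
               Op('r', 'r', 1, 2, 3), Op('r', 'r', 2, 4, 5),
               Op('s', 'r', 2, 2, 3), Op('s', 'r', 1, 4, 5)]

if __name__ == '__main__':
    for name, h in [('H_SC_ONLY', H_SC_ONLY), ('H_LIN', H_LIN),
                    ('H_NEITHER', H_NEITHER), ('H_DIVERGENT', H_DIVERGENT)]:
        print(name, 'SC:', sequentially_consistent(h), 'lin:', linearizable(h))
```

Because operations of one process never overlap in time, the real-time constraint subsumes program order, which is why every linearizable history above is also sequentially consistent but not conversely.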
Similar to an extent is the work by Lamport in [43], where executions of 
a low-level (non-atomic) system and those of a high-level (atomic) system 
are related on the basis of orderings which exist between events at a partic-
ular level of abstraction. Although Lamport's work effectively allows for the 
possibility of moving across levels of abstraction - we may contract a set of 
low-level actions into a single high-level action - that of the others does not: 
in general, sequential processes engage in the same events as non-atomic processes.
It is difficult to compare directly our notion of refinement-after-hiding
and the work discussed in this section, not least because dependencies be-
tween events do not form part of our treatment. Nonetheless, an interesting 
avenue for future work might be to explore possible relationships between 
refinement-after-hiding and such dependency-based notions of correctness: 
for example, since dependencies between events play such a fundamental 
role in the move from sequential to parallel behaviours, how do they affect 
our ability to derive an extraction mapping which relates those behaviours? 
As indicated in chapter 1, Dingel's thesis ([21]) uses a notion of correctness-
in-context based on the rely-guarantee approach as he develops a refinement 
calculus to be used in the derivation of parallel programs. This work ob-
viously allows for the possibility of relaxation of atomicity. However, this 
relaxation is not permitted to manifest itself at the semantic level once those 
behaviours have been ignored which fail to meet the relevant rely condition. 
In other words, the behaviours of the implementation which will be pre-
served after it is placed in context can be compared directly with those of 
the specification and no alternative notion of refinement is needed. 
The papers [34,35,37] introduce transformations on objects that increase 
concurrency: these increases in concurrency are possible due to restrictions 
imposed on the visibility of references to object instances, which restrictions 
limit the extent of any interference which may occur. The papers also es-
sentially raise the challenge of proving the validity of these transformations, 
where a particular transformation may be regarded as "valid" if no context
can tell the difference between the original sequential object and the "con-
current", transformed object.² [36] presents informal reasoning in support of
the validity of some of these transformations, using arguments in terms of
the π-calculus (see [67] for further details on the π-calculus).

²The contexts under consideration are limited by the properties of the language in
which objects are described.

In [66], Sangiorgi proves the correctness of one of these transformations
using a typed version of the π-calculus and a typed notion of behavioural
equivalence. The type discipline is that of uniform receptiveness (see [66] for
a brief description), where the receptiveness part of the condition is similar
to the input-enabledness property of the I/O automata in [47]. It is likely
that the property of receptiveness plays a similar role in preserving liveness
as do our conditions involving the consideration of refusal bounds, such as
Dom-SF-Check.
However, the most interesting part of Sangiorgi's treatment is the use of
barbed congruence ([51]) as the notion of behavioural equivalence. The idea
behind this is to equip an observer with a minimal ability to observe actions
and/or process states, which ability induces an equivalence relation between
processes. This equivalence relation induces in turn a congruence, namely
equivalence in all contexts. In the notion of barbed bisimulation, an observer
can observe invisible transitions and the state they lead to; he/she can also
detect when a process offers a visible event but cannot see its identity or the
state to which it takes us. Barbed bisimulation is then used to induce barbed
congruence and it is shown in [51] that this congruence is equivalent to strong
bisimulation. What is most interesting, however, is that barbed congruence
is strictly weaker than strong bisimulation if the set of contexts into which
a process may be placed is restricted; the same applies with respect to weak
bisimulation and a weak notion of barbed congruence, the latter being used
in [66].³ For example, the sequential object and the transformed, concurrent
object from [66] are not even trace-equivalent; however, they can be related
using the typed notion of barbed congruence.

³In [66], Sangiorgi restricts contexts in a once-and-for-all way using a notion of typing;
our contexts are restricted in the sense that Dom-T-check and Dom-SF-check must be
met and an implementation context must be correct with respect to the corresponding
specification context.

Our goal in this thesis was to develop a notion of behaviour refinement
which related behaviours much more loosely than standard CSP refinement,
by effectively reducing the set of events which could be directly observed
of our processes (the "directly observable" events are those that are finally
visible). This has the effect of giving a notion of refinement strictly weaker
than standard CSP refinement but which implies refinement according to the
standard semantics after processes are composed to form a suitable network.
Moreover, the contexts into which processes can be placed when using the
notion of refinement-after-hiding are also restricted, which is crucial to the
success of the scheme. In the restriction of what is visible and the restriction
of acceptable contexts, typed notions of barbed congruence may be related
conceptually to our notion of refinement-after-hiding, although they do not 
allow us to cross levels of abstraction and their development was motivated 
by totally separate concerns. Further work is needed to explore in more detail 
the relationship between the two approaches - which itself may necessitate 
a transference of ours to a bisimulation setting - but it may be that aspects 
of the barbed congruence approach can be put to good use in developing an 
"improved" notion of refinement-after-hiding. Some areas for future work 
are: 
• Exploring ways in which barbed bisimulation could be adapted so that 
it may relate implementation and specification processes where the for-
mer has been derived from the latter using behaviour decomposition. 
• Verification for typed notions of barbed congruence is carried out using 
laws stating equivalences between syntactic terms. Might it be possible
to characterise typed barbed congruence in the manner of standard 
bisimulation, which would allow for automatic verification? Might some 
notion of explicit mapping be needed then to relate implementation 
and specification behaviours, as in the presentation of our notion of 
refinement-after-hiding? 
• How weak can we make the restrictions on contexts and still use barbed 
congruence when relaxation of atomicity has occurred? How well will 
barbed congruence transfer to the general case of dealing with relax-
ation of atomicity, instead of just dealing with the specific example in 
[66]? 
• In our approach, what it means for one process to implement another 
is based firmly on the standard notion of refinement in CSP, due to
condition RAH1. Once contexts have been restricted and the relation
given by barbed congruence is weaker than standard equivalences, what 
does it actually mean that one process implements another according 
to that relation? Might it be the case that, if all "finally invisible" 
events are hidden due to implementation and specification processes 
being placed in context, then we reclaim standard (weak) bisimulation 
or similar? 
5.6 Data reification in Z 
Z ([70]) is a specification language which considers each specification to de-
fine an abstract data type (ADT). That an abstract ADT A is refined by 
a more concrete ADT C is defined in terms of an input/output relation: C 
refines A if, for every sequence of inputs, the outputs produced by C after 
executing a particular sequence of operations are a subset of those possible 
for A after executing the sequence of corresponding operations. Refinement 
is therefore quantified over all possible programs (sequences of operations); 
its verification is made tractable using the method of simulation (see [22]) 
and it is in this sense that it may be related to process algebraic refinement. 
Standard data refinement in Z requires that input and output must be the 
same in both specification and implementation; moreover, there should be a 
one-to-one correspondence between abstract and concrete operations. The 
papers [3,4,19,20] detail how these restrictions may be relaxed. It is shown 
how inputs and outputs may be refined so that a concrete ADT may input 
and output data using a different representation of it to the corresponding 
abstract ADT⁴; moreover, it is shown how an abstract operation may be
implemented using a sequence of concrete operations, in a manner similar 
to action refinement. The setting in which this is carried out is sequen-
tial: because we are interested only in the input/output relation induced by 
programs, it is easy to justify splitting at the concrete level the operations 
which constitute those programs, as it is to justify the transformation of data
in some way on the first and final steps of those (concrete) programs. In [5], 
results are given on representing CSP failures divergences refinement in a Z 
relational setting, one of the aims being to allow the use of Z refinement in 
a concurrent framework. It would be interesting to see the extent to which 
the results from [3,4,19,20] might also be transferred to such a setting. 
⁴The I/O transformers used for this purpose play a similar role to the extractors and
disturbers from [39].
Chapter 6 
Automatic verification 
This chapter considers two different means of automatic verification of the 
notion of refinement-after-hiding presented in chapter 4. Firstly, we consider 
(briefly) algorithms for this purpose. Secondly, and at greater length, we 
consider the use of the tool FDR2 (see, for example, [63] or [64]). 
6.0.1 Algorithms for automatic verification 
Initial effort to verify automatically our notion of refinement-after-hiding was focused on the development of algorithms for this verification. Such algorithms were published in [11], referring to the implementation relation which appears in [12]. The paper [16] contains an updated set of algorithms to verify the notion of refinement-after-hiding which it describes. In these papers, both processes and extraction patterns are represented as (variants of) labelled transition systems.¹ The various components of the implementation relation are then given what is effectively a graph-theoretic restatement. For example, during the verification that $extr_{EP(Q)}(\tau Q) \subseteq \tau P$, we extract the traces of $Q$ by taking the product of the transition system representing $Q$ itself and those representing the necessary extraction mappings. That the extracted traces of $Q$ are contained in those of $P$ can then be verified using a standard algorithm to check for trace containment. (Further details can be found in [16].)
However, rather than provide an implementation of these algorithms (at least in the short term), the decision was taken to develop an alternative means of verification using FDR2. This was for a number of reasons. Developing a usable and efficient tool is a costly undertaking in terms of time and would likely have been beyond the scope of this thesis. Having been in development for ten years or more, FDR2 is mature, bug-free (in the author's experience) and has a number of built-in means of improving the space-efficiency of the tool. These have been of use when carrying out the verification detailed in chapter 7. Perhaps more importantly, FDR2 takes as input text files containing CSP process expressions; an implementation of the algorithms from [16] would have required the implementation of a CSP parser and compiler. Finally, the means of verification detailed below has allowed a rapid move to employing our notion of refinement-after-hiding in the verification of a real-world example: as mentioned in section 4.8 with respect to the role of implementation alphabets, this provided feedback for the development of that notion.²
¹ The representations of processes are similar to those employed in FDR2, these being described in [62] for example.
6.0.2 Verification using FDR2 
Since $Dom_i$ for $ep_i \in EP$ is simply a set of traces, one of the most obvious ways to define that set of traces is using the CSP language itself: that is, we define a process to represent $Dom_i$. It turns out that it is also possible to encode the extraction mapping over traces as a CSP context. The application of the mapping to refusals cannot be handled so cleanly and some modifications need to be made to the specification under consideration. However, once these modifications have been made, we are able to encode the mapping of refusals as a CSP context. This enables us to present the checking of our notion of refinement-after-hiding in the various semantic models as a series of standard CSP refinement checks, which in turn allows us to use FDR2 for the purposes of automatic verification.³
Note, however, that the means of verification presented in this chapter may only be used under a certain restriction. For any implementation process, $Q$, where $t \circ \langle a \rangle \in Dom_{EP(Q)}$, it must be the case that:
$$|extr_{EP(Q)}(t \circ \langle a \rangle)| \le |extr_{EP(Q)}(t)| + 1.$$
In other words, the occurrence of a further implementation event can cause the occurrence of at most one extra specification event after extraction. The extraction mapping used in chapter 7 violates this restriction in a single case and it is explained there how the problem may be addressed for that case. Note also that this restriction precludes the use of the approach described in this chapter to verify a specification against its implementation, since the occurrence of any individual specification event will usually lead to the extraction of more than one implementation event.
2The report [14] contains a preliminary version of the work in this chapter and this was 
used to verify the notion of refinement-after-hiding from [16]. 
3In the failures divergences model, we check only the restricted case that the relevant 
specification component process is divergence-free. See section 6.7 for more details. 
6.1 Preliminary detail 
In the remainder of this chapter, we assume the existence of a fixed implementation process, $Q$, and a fixed specification process $P$, against which $Q$ is to be verified.
6.1.1 Useful notation
The following notation will prove to be useful.
Definition 6.1. $inv \triangleq \{ i \mid ep_i \in EP(Q) \wedge A_i \cap Fvis = \emptyset \}$.
$inv$ therefore gives the set of subscripts of those extraction patterns used to interpret behaviours over finally invisible events.⁴ By Ep1, $i \notin inv$ will be used as shorthand for the fact that $ep_i \in EP(Q)$ and $A_i \subseteq Fvis$. The extraction pattern components $A$, $B$, $Dom$ and $dom$ may then be lifted to the set $inv$.
Definition 6.2. The following hold by definition:
The following definition is a counterpart in terms of $inv$ to conditions TR-GLOBAL1 and SF-GLOBAL1 in chapter 4.
Definition 6.3. The following hold by definition:
1. $Dom_{inv}$ is the set of $t \in (A_{inv})^*$ such that $t \upharpoonright A_i \in Dom_i$ for $i \in inv$.
2. $dom_{inv}$ is the set of $t \in (A_{inv})^*$ such that $t \upharpoonright A_i \in dom_i$ for $i \in inv$.
The mapping $Next_i : Dom_i \to 2^{A_i}$ is defined for every $i \in inv$ and gives the possible extensions to any trace $t \in Dom_i$ such that the resulting trace is still a member of $Dom_i$. It is defined as follows.
Definition 6.4. $Next_i(t) \triangleq \{ a \mid t \circ \langle a \rangle \in Dom_i \}$.
Finally, $Next_i$ can be lifted to $Dom_{inv}$ in the following way, where $Next_{inv} : Dom_{inv} \to 2^{A_{inv}}$.
4It will not be necessary to construct a CSP representation for those extraction patterns 
which are used to "interpret" finally visible events. 
6.1.2 Process alphabets 
During the course of this chapter, we will present a number of different CSP processes to be used in the means of verification which is detailed here. In general, it will be necessary to define an alphabet, $\alpha$, for each of these processes. We first note that $\alpha Q$ is as defined in definition 4.5 in section 4.1.4. For any other process, $W$, and by the detail in section 2.5, we are free to assign whatever alphabet we wish provided that $\beta(W) \subseteq \alpha W$. Before the alphabet of any process is used for any purpose, we will always state what we take it to be.
6.1.3 Recursive definitions 
In this chapter, we define a number of different CSP processes which are parameterized by the traces in $Dom_i$. As an example we introduce the simplest of these processes, $D_i$ for $i \in inv$, which is used in the next section:⁵
By definition 6.4 and since $\langle\rangle \in Dom_i$ by Ep3-T, $t \in Dom_i$ for any $t$ such that $D_i(t)$ is a term used in the definition of $D_i$. Thus, $Next_i$ is defined whenever it is used in the definition of $D_i$. Moreover, it is easy to see that $\tau D_i = Dom_i$. However, since $Dom_i$ may be an infinite set of traces in the general case, $D_i$ is a process with a potentially infinite description. This is not a problem for the following reason. For such a definition, we assume the existence of a finite equivalence relation over the traces in $Dom_i$ such that processes parameterized by equivalent traces have the same semantics.⁶ In fact, in practice, a single distinct process name would usually be used to represent each set of processes parameterized by equivalent traces, with the result that two processes parameterized by equivalent traces will actually have the same syntactic definition. As a result, the definition of $D_i$ used in practice in any verification would be finite: the representation given here is effectively the syntactic unfolding or unwinding of the definition used in practice. That the semantics of the finitely-represented process and its unwinding $D_i$ are the same stems from the detail given in section 2.4.5 (note that $D_i$ is guarded). Similar comments apply to the other processes which are defined in this chapter.
⁵ Note that we use $\triangleq$ when we wish to assign a label to a particular syntactic term for ease of reference; as such, $\triangleq$ should not be regarded as an operator of the language under consideration and is not to be confused with the recursion operator, $=$.
⁶ In the case of $D_i$, the equivalence relation could be induced by the nature of the (necessarily finite) description of $Dom_i$: see, for example, the definition of $Dom_{ack}$ in section 4.1.7.
For example, where $ep_1 = ep_{ack}$, the process $D_1$ would be used in practice to represent $Dom_{ack}$ defined in section 4.1.7:
where
$$D_1(x) = (ack.yes \to D_1) \;\Box\; (ack.no \to data.x \to D_1).$$
Sections 6.4.3, 6.5.4 and 6.6.4 define the other processes used to verify the running example: further insight into the points made here can be gained by relating those processes to the relevant generic process definitions given in sections 6.4, 6.5 and 6.6 respectively.
6.2 Verifying Dom-T-check 
We first recall the definition of condition Dom-T-check from figure 4.4 before proceeding to show how it may be verified:
Dom-T-check If $t \upharpoonright Proj_{EP(Q)} \in (Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)})$ for $t \in \tau Q$ then $t \in Dom_{EP(Q)}$.
Before proceeding, recall that $Proj_{EP(Q)}$ gives those events on which $Q$ may move outside of the domain $Dom_{EP(Q)}$; it is defined in definition 4.7 in section 4.2. In order to verify Dom-T-check, it is necessary to define a process to encode $Dom_i$ for each $i \in inv$, along with another process which gives the set of traces $t \in \tau Q$ such that $t \upharpoonright Proj_{EP(Q)} \in (Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)})$. The first process is $D_i$, used in the previous section as an example, and defined as follows for $i \in inv$:
As mentioned above, it is easy to see that $\tau D_i = Dom_i$ for $i \in inv$. The second process we must define here is $QProj$, in the definition of which the following auxiliary processes are used:
$$DC_i \triangleq D_i \setminus (A_i - Proj_i) \text{ for } i \in inv \quad\text{and}\quad DC \triangleq |||_{i \in inv} DC_i.$$
$\tau DC_i$ for $i \in inv$ gives $Dom_i \upharpoonright Proj_i$⁷ and $\tau DC$ gives $Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)}$. $QProj$ is then defined as follows:
$$QProj \triangleq Q \;\|_{Proj_{EP(Q)}}\; DC.$$
⁷ Recall that $Proj_i$ gives the set of events on which a process may move outside the domain $Dom_i$. It is defined in definition 4.7 in section 4.2.
The following results give two different ways of verifying Dom-T-check using these processes.
Theorem 6.1. $QProj \setminus Fvis \sqsupseteq_T (|||_{i \in inv} D_i)$ if and only if $Q$ meets Dom-T-check.
Theorem 6.2. $QProj \setminus (\alpha Q - A_i) \sqsupseteq_T D_i$ for every $i \in inv$ if and only if $Q$ meets Dom-T-check.
The second of these results would most likely be used as the basis of any verification in practice because it avoids the need to construct the interleaving of the processes $D_i$, the state space of which could be quite large. However, the choice is left to the user and, for smaller $(|||_{i \in inv} D_i)$, the verification of Dom-T-check may be carried out using a single refinement check by virtue of theorem 6.1. (Note that, by proposition C.1 in appendix C and PA1, $Fvis$ in the statement of theorem 6.1 could be replaced with $\alpha Q \cap Fvis = \bigcup_{i \notin inv} A_i$.) By virtue of theorem 6.2 and using the definitions given above, process $D_1$ defined in section 6.1.3 to encode $Dom_{ack}$ was used to successfully verify that both LeftImpl and RightImpl from the running example meet condition Dom-T-check.
6.2.1 Alternative means of constructing QProj
Since $\beta(DC_i) \subseteq Proj_i$ for $i \in inv$ and $\beta(DC) \subseteq Proj_{EP(Q)}$ (see the proof of proposition C.1 in appendix C), we may take $\alpha DC_i = Proj_i$ for $i \in inv$ and $\alpha DC = Proj_{EP(Q)}$. Hence, by Ep2 and definitions 4.5 and 4.7, $\alpha DC_i \subseteq \alpha Q$ for $i \in inv$ and $\alpha DC \subseteq \alpha Q$. Moreover, for $i, j \in inv$ such that $i \ne j$, $\alpha DC_i \cap \alpha DC_j = \emptyset$ by Ep-UNI1. As a result of this and the detail in section 2.6 on the associativity of parallel composition,
where $inv = \{ j_1, j_2, \ldots, j_l \}$. This latter syntactic construction would be used in practice because it avoids the need to create an intermediate process $DC$ during verification in FDR2 which may be much larger than the final process $QProj$. The original construction is used in the text because it eases the necessary proofs. Similar comments apply in the remainder of this chapter wherever processes representing a particular extraction pattern component (such as $extr$ or $ref$) are interleaved before being composed in parallel with another process.
6.3 Preprocessing the implementation process 
In this and subsequent sections in this chapter, we assume that $Q$ has already been shown to meet condition Dom-T-check. During verification, we are interested only in behaviours (whose trace component is) from $Dom_{EP(Q)}$. $Q$ is therefore preprocessed in order to remove all non-domain behaviours, thereby creating a new process $\widehat{Q}$. Although this preprocessing actually adds some new failures, rather than simply taking a subset of the failures of $Q$, it does so in such a way that the answers to the verification questions in which we are interested are the same for $\widehat{Q}$ as they are for $Q$ (see theorem 6.5). In order to preprocess $Q$, it is composed in parallel with $|||_{i \in inv} D_i$, where $D_i$ for $i \in inv$ is as defined in the previous section:
We observe that, for $i \in inv$, $\beta(D_i) \subseteq A_i$ by Ep3-T and definition 6.4. By definitions 4.3 and 4.4, $\beta(Q) \subseteq \bigcup_{1 \le i \le m} A_i$ and so $\beta(\widehat{Q}) \subseteq \beta(Q) \subseteq \bigcup_{1 \le i \le m} A_i$. Thus, the following result holds by definitions 4.3, 4.4 and 4.5.
Proposition 6.3. The following hold:
1. $\widehat{Q}$ is an implementation process.
2. $EP(\widehat{Q}) = EP(Q)$.
3. $\alpha \widehat{Q} = \alpha Q$.
We also assume that $Comm(A_i, \widehat{Q}) = Comm(A_i, Q)$ for $ep_i \in EP(Q)$. The following result then characterises the behaviours of $\widehat{Q}$.
Proposition 6.4. The following hold of $\widehat{Q}$:
2. $\phi \widehat{Q} = \{ (t, S \cup U) \mid (t, S) \in \phi_{Dom_{EP(Q)}} Q \wedge U \subseteq (A_{inv} - Next_{inv}(t \upharpoonright A_{inv})) \}$.
3. $min\delta \widehat{Q} = \{ t \mid t \in min\delta Q \wedge t \in Dom_{EP(Q)} \}$.
Under the assumption that $Q$ meets Dom-T-check, the following result allows us to verify that $Q \sqsupseteq^{EP(Q)}_X P$ for $X \in \{T, SF, FD\}$ by instead verifying that the necessary conditions from figures 4.5, 4.10 and 4.12 hold of $\widehat{Q}$. In view of this and proposition 6.4, we shall always refer in what follows to $\tau \widehat{Q}$, $\phi \widehat{Q}$ and $min\delta \widehat{Q}$ in lieu of $\tau_{Dom_{EP(Q)}} Q$, $\phi_{Dom_{EP(Q)}} Q$ and $min\delta Q \cap Dom_{EP(Q)}$ respectively. (It will still be necessary to consider directly $\phi_{dom_{EP(Q)}} Q$ however.)
Theorem 6.5. The following hold:
1. $extr_{EP(Q)}(\tau \widehat{Q}) = extr_{EP(Q)}(\tau Q)$.
2. $\widehat{Q}$ meets Dom-SF-check if and only if $Q$ meets Dom-SF-check.
3. $extr_{EP(Q)}(\phi \widehat{Q}) = extr_{EP(Q)}(\phi Q)$.
4. $extr_{EP(Q)}(\delta \widehat{Q}) = extr_{EP(Q)}(\delta Q)$.
5. $extr_{EP(Q)}(\phi_\bot \widehat{Q}) = extr_{EP(Q)}(\phi_\bot Q)$.
Since $EP(\widehat{Q}) = EP(Q)$ by proposition 6.3(2), we shall always refer to $EP(Q)$ rather than $EP(\widehat{Q})$ in the remainder of this chapter; this serves to emphasise the fact that we do not alter any of our interpretive constructs simply because we work with $\widehat{Q}$ rather than $Q$.
6.4 The traces model
We now show how to verify that $extr_{EP(Q)}(\tau \widehat{Q}) \subseteq \tau P$. To do this, it is necessary to define a process context which encodes the extraction mapping over traces. $\widehat{Q}$ is then placed into that context, thus defining a process which has exactly the traces of $extr_{EP(Q)}(\tau \widehat{Q})$. It is therefore necessary to encode a function from traces to traces as a CSP context, since $extr_{EP(Q)}$ over traces is such a function.
The basic approach followed is similar to that employed to extract traces in the algorithms given in [11] and [16]. Intuitively, for each extraction pattern $ep_i$ where $i \in inv$, we wish to define a process $TE_i$ (Trace Extraction), the traces of which are essentially pairs of traces. The left-hand trace of each pair would be $x \in Dom_i$ and the right-hand trace would be $extr_i(x)$. In practice, of course, it is not possible to define a process which has pairs of traces. However, a similar effect can be achieved by effectively defining events as pairs. Using this approach, if $t \in \tau TE_i$ such that $|t| = k$,
We may then consider $t$ to be given by $(x, y)$, where $x = \langle x_1, x_2, \ldots, x_k \rangle$ and $y = \langle y_1, y_2, \ldots, y_k \rangle$; moreover, $x \in Dom_i$ and $extr_i(x) = y$.⁸
⁸ Note that, for $1 \le j \le k$, it may be the case that $y_j$ is effectively a "null" event. This will happen if $extr_i(\langle x_1, \ldots, x_{j-1} \rangle) = extr_i(\langle x_1, \ldots, x_j \rangle)$. In such a case, the event pair $(x_j, y_j)$ would be represented by $x_j$ alone and $y_j$ would not appear in $y$.
Events from $\widehat{Q}$ are renamed in order that they may be synchronized during parallel composition with those from the set of $TE_i$ for $i \in inv$. The result of this parallel composition is a process, $S$, where if
$$u = \langle (x_1, y_1), (x_2, y_2), \ldots, (x_l, y_l) \rangle \in \tau S$$
then $\langle x_1, x_2, \ldots, x_l \rangle \in \tau \widehat{Q}$ and $\langle y_1, y_2, \ldots, y_l \rangle = extr_{EP(Q)}(\langle x_1, x_2, \ldots, x_l \rangle)$. Finally, events in $S$ are hidden and renamed as necessary so that, for such a $u \in \tau S$, $\langle y_1, y_2, \ldots, y_l \rangle$ is substituted for $u$. This means that the resulting process has exactly the traces of $extr_{EP(Q)}(\tau \widehat{Q})$.
6.4.1 Constructing the TEi 
We now show how to construct the processes $TE_i$ for $i \in inv$. The first problem to address is the nature of the events that will be used to represent the pairs of events described above. Let $(a, b)$ be an event pair. In the case that $b$ is a null event (i.e. the occurrence of $a$ does not cause the extraction of a specification event) the pair is simply encoded as $a$, as described above. If this is not the case, however, a pair of events has to be encoded by a single event occurring on a single channel. As a result, we are required to define a number of new channels, with corresponding new data types. The name of the new channel will encode the name of the channel on which the event $a$ was transmitted; the data type of the new channel will need to represent the data type of the channel on which $a$ was transmitted, along with both the name and data type of the channel on which $b$ was transmitted. In general, the approach to be taken will be as follows.
Let $a = cn_a.dv_a$ and $b = cn_b.dv_b$. Thus, $a$ is an event occurring on channel $cn_a$ which transmits the data value $dv_a$. Similarly, $b$ is an event occurring on channel $cn_b$ which transmits $dv_b$. Moreover, assume that $dt_a$ is the type of channel $cn_a$ and $dt_b$ is the type of $cn_b$. We define a new channel, called $extract_{cn_a}$, where the name of the original channel on which $a$ occurred (i.e. $cn_a$) may be derived from the subscript of the new name.⁹ The data type of this new channel is $dt_a.name.dt_b$, where $name$ is a data type containing a single value, namely the label of the channel $cn_b$.¹⁰ As a result, the event pair $(a, b)$ would be encoded as:
⁹ Note that, in machine-readable CSP, we cannot define channel names containing subscripts. We use the device here for the purposes of presentation and, in practice, would define the new channel name to be the concatenation of the string "extract" and the string denoting the name of the original channel.
¹⁰ Note that, in machine-readable CSP, we may not actually define a data type containing a channel name as a data value: we take that approach here for ease of presentation in stating generic definitions and, in practice, $name$ would store a capitalized or abbreviated version of the channel name (see the verification of the running example in section 6.4.3 below).
If we consider the running example from figure 1.1 and $ep_{ack}$ introduced in section 4.1.7, the trace $\langle data.0, ack.yes \rangle$ extracts to $\langle send.0 \rangle$. If it were possible to use the notion of event pairs directly, we could encode this extraction using the trace $\langle data.0, (ack.yes, send.0) \rangle$. (Note that $data.0$ remains in its original form since its occurrence does not cause the extraction of an additional event.) Since we cannot use such pairs directly, in the CSP representation of the extraction mapping this trace would become $\langle data.0, extract_{ack}.yes.Send.0 \rangle$ (note that we use the label $Send$ to represent the channel name $send$ as a data value). As another example, consider $\langle data.0, ack.no, data.0 \rangle$, also extracting to $\langle send.0 \rangle$. In this case, using event pairs we would have $\langle data.0, ack.no, (data.0, send.0) \rangle$. In the extraction mapping representation the trace would become $\langle data.0, ack.no, extract_{data}.0.Send.0 \rangle$. Note that we have both an occurrence of the unchanged $data.0$ and also an occurrence of $data.0$ modified to allow the extraction function to be encoded.
Defining $TE_i$ for $i \in inv$
Let $i \in inv$. Then we define the process $TE_i$ to encode the extraction mapping $extr_i$, where $TE_i \triangleq TE_i(\langle\rangle)$ and
$$TE_i(t) = \Box_{a \in Next_i(t)} \; \pi_i(a, t) \to TE_i(t \circ \langle a \rangle).$$
For ease of expression, the function $\pi_i$ is used here to encode the modifications that must be made to the events in $A_i$, although its effects must be implemented directly in any input supplied to FDR2, since it cannot be encoded as such in CSP (see the example below in section 6.4.3). It is defined as follows.¹²
Definition 6.6. Let $t \circ \langle a \rangle \in Dom_i$ such that $a = cn_a.dv_a$ and let $b = cn_b.dv_b$. Then:
¹¹ Note, of course, that alternative encodings are also possible and a slightly different one is used in the verification which is presented in chapter 7. In that chapter, the channel name $cn_b$ is actually represented by appending it to the new channel name $extract_{cn_a}$.
¹² Recall that, by TR-GLOBAL2 and the restriction imposed in section 6.0.2, if $t \circ \langle a \rangle \in Dom_i$ is such that $extr_i(t \circ \langle a \rangle) = extr_i(t) \circ r$ for some trace $r$, then either $r = \langle\rangle$ or $r = \langle b \rangle$ for some event $b$.
By definition 6.4 and since $\langle\rangle \in Dom_i$ by Ep3-T, $t \in Dom_i$ for any $t$ such that $TE_i(t)$ is a term used in the definition of $TE_i$. Moreover, $t \circ \langle a \rangle \in Dom_i$ for any $a \in Next_i(t)$. Thus, $\pi_i(a, t)$ is defined whenever it is used in the definition of $TE_i$. Observe that $\pi_i(a, t)$ simply returns $a$ if the extraction of $t$ is identical to the extraction of $t \circ \langle a \rangle$. In the other case, namely that the extraction of $t$ is a strict prefix of the extraction of $t \circ \langle a \rangle$, we are effectively encoding the fact that $a$ is the left-hand component of an event pair and $b$ is the right-hand component. We assume that any event of the form $extract_{cn_a}.dv_a.cn_b.dv_b$ which is returned by $\pi_i$ is distinct from all other events in $\bigcup_{ep_i \in EP} A_i$ (recall that $EP$ gives the universe of all extraction patterns). This assumption is encapsulated in the following condition.
DIS Let $t \circ \langle a \rangle \in Dom_i$ for $i \in inv$ be such that $extr_i(t \circ \langle a \rangle) = extr_i(t) \circ \langle b \rangle$ for some event $b$. Then $\pi_i(a, t) \notin \bigcup_{ep_i \in EP} A_i$.
The following result on the events in which $TE_i$ may engage is due to the detail in figure 2.5, definition 6.4 and the fact that $\langle\rangle \in Dom_i$ by Ep3-T.
Proposition 6.6. $\beta(TE_i) = \{ \pi_i(a, t) \mid t \circ \langle a \rangle \in Dom_i \}$.
Renaming functions
We now give the renaming functions¹³ which, for $i \in inv$, can be used to reclaim $Dom_i$ and $\{ extr_i(t) \mid t \in Dom_i \}$ respectively from $\tau TE_i$. The renaming $domain : \bigcup_{i \in inv} \beta(TE_i) \to A_{inv}$ will return the former and $extract : \bigcup_{i \in inv} \beta(TE_i) \to B_{inv}$ will return the latter.
Definition 6.7. The following hold by definition, for $i \in inv$:
1. Let $t \circ \langle a \rangle \in Dom_i$. Then $domain(\pi_i(a, t)) \triangleq a$.
2. Let $t \circ \langle a \rangle \in Dom_i$ be such that $extr_i(t \circ \langle a \rangle) = extr_i(t) \circ \langle b \rangle$. Then $extract(\pi_i(a, t)) \triangleq b$.
We first note that, as stated in chapter 2 (page 16), partial renamings behave as the identity mapping when applied to any event over which they are not explicitly defined. By proposition C.4(1,2) in appendix C.2, $\tau(TE_i[domain]) = Dom_i$ for $i \in inv$. $extract$ is defined explicitly only for those events in $\bigcup_{i \in inv} \beta(TE_i)$ which encode an event pair with a non-null right-hand component: i.e. those event pairs $(a, b)$ where the occurrence of $a$ leads to the extraction of $b$. By proposition C.4 in appendix C.2, $\tau((TE_i \setminus A_i)[extract]) = \{ extr_i(t) \mid t \in Dom_i \}$ for $i \in inv$. (The hiding of events in $A_i$ removes all those "event pairs" encoded by a single event: i.e. those which represent an implementation event occurrence which does not lead to the extraction of a specification event.)
¹³ Although, in the general case, we use renaming relations, it happens that these are functions: this follows from definition 6.7 itself and also definition 6.6.
6.4.2 Extracting the traces of $\widehat{Q}$
It is unnecessary to define processes $TE_i$ for $ep_i$ such that $i \notin inv$, since $extr_i$ is the identity mapping in such cases by Ep4-FvI (recall that $A_i \subseteq Fvis$ if $i \notin inv$). We thus define as follows the process $TE_{inv}$, which will be used to extract the traces of $\widehat{Q}$:
$$TE_{inv} \triangleq |||_{i \in inv} TE_i.$$
Once $TE_{inv}$ has been defined, it must be composed in parallel with $\widehat{Q}$ before applying the hiding and renaming which will mimic the application of the extraction mapping. In order for $\widehat{Q}$ to synchronize in parallel with $TE_{inv}$, its events must be renamed: each event from $A_{inv}$ in which $\widehat{Q}$ may engage is renamed to all those "event pairs" in $\beta(TE_{inv}) = \bigcup_{i \in inv} \beta(TE_i)$ of which it forms the left-hand component. The renaming used for this purpose is $prep : A_{inv} \times \beta(TE_{inv})$, which is defined as follows.
Definition 6.8. Let $i \in inv$ and $a \in A_i$ be such that there exists a trace $u$ such that $u \circ \langle a \rangle \in Dom_i$. Then:
Note that, for $t \circ \langle a \rangle \in \tau \widehat{Q}$ such that $a \in A_i$ for $i \in inv$, $(t \upharpoonright A_i) \circ \langle a \rangle \in Dom_i$ by proposition 6.4(1) and TR-GLOBAL1. The following process, $TraceExtract$, then has exactly the traces of $\widehat{Q}$ after extraction, which fact is shown by theorem 6.7.
$$TraceExtract \triangleq ((\widehat{Q}[prep] \;\|_{prep(A_{inv})}\; TE_{inv}) \setminus A_{inv})[extract]$$
Theorem 6.7. $extr_{EP(Q)}(\tau \widehat{Q}) = \tau TraceExtract$.
Corollary 6.8. $extr_{EP(Q)}(\tau \widehat{Q}) \subseteq \tau P$ if and only if $TraceExtract \sqsupseteq_T P$.
Corollary 6.8 therefore allows us to verify automatically using FDR2 that $extr_{EP(Q)}(\tau \widehat{Q}) \subseteq \tau P$.
6.4.3 Example 
Here we show how to apply the results in this section to verify that the extracted traces of LeftImpl are contained in those of LeftSpec. (Note that the components defined here can be used without modification to verify that the extracted traces of RightImpl are contained in those of RightSpec.) Let $\widehat{Q}$ be LeftImpl after the application of the necessary preprocessing. Let $ep_1$ be $ep_{ack}$ defined in section 4.1.7. Recall that $A_1 = \alpha data \cup \alpha ack$ and $B_1 = \alpha send$. We then define $TE_1$ to encode $extr_1$:
$$TE_1 = \Box_{x \in \{0,1\}} \; data.x \to T_1(x)$$
where $T_1(x)$ is defined as:
$$(extract_{ack}.yes.Send.x \to TE_1) \;\Box\; (ack.no \to extract_{data}.x.Send.x \to TE_1).$$
The concrete renamings $prep$ and $extract$ used in this example are as follows:
$$prep \triangleq \{ (ack.yes, extract_{ack}.yes.Send.0),\ (ack.yes, extract_{ack}.yes.Send.1),\ (data.0, data.0),\ (data.1, data.1),\ (ack.no, ack.no),\ (data.0, extract_{data}.0.Send.0),\ (data.1, extract_{data}.1.Send.1) \}.$$
$$extract \triangleq \{ (extract_{ack}.yes.Send.0, send.0),\ (extract_{ack}.yes.Send.1, send.1),\ (extract_{data}.0.Send.0, send.0),\ (extract_{data}.1.Send.1, send.1) \}.$$
Note that here $TE_{inv} = TE_1$ and $A_{inv} = A_1$. Using the process expressions defined here, we were able to define $TraceExtract$ as above and, by virtue of corollary 6.8, verify automatically using FDR2 that the extracted traces of LeftImpl are contained in those of LeftSpec. In a similar manner, we were able to verify that the extracted traces of RightImpl are contained in those of RightSpec. Thus, since both LeftImpl and RightImpl meet Dom-T-check, since $\alpha ImplNet \subseteq Fvis$¹⁴ and by theorem 4.8, we may infer that
$$ImplNet \sqsupseteq_T SpecNet.$$
¹⁴ Recall that $\alpha in \cup \alpha out \subseteq Fvis$. Recall also that
- $ImplNet \triangleq LeftImpl \;\otimes_{(\alpha data \cup \alpha ack)}\; RightImpl$.
- $SpecNet \triangleq LeftSpec \;\otimes_{\alpha send}\; RightSpec$.
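The construction of section 6.4 carried out concretely, as an added example that is not the thesis's own code or one of its FDR2 scripts: it builds $TE_1$, $prep$ and $extract$ from the example above, composes them with a constructed stand-in for the preprocessed Le­ftImpl (which, like LeftSpec, is not given on this page), and checks the extracted traces against two constructed stand-in specifications, one that passes and one that yields a counterexample.

```python
"""Added example (not the thesis's own code or an FDR2 script): the traces-model
check of section 6.4 for the running example's extraction pattern ep_ack.  TE_1,
prep and extract follow section 6.4.3; LeftImpl and LeftSpec are not on this page,
so the implementation and specification processes are constructed stand-ins.
A process is a finite LTS: (initial state, set of (state, event, next state))."""

TAU = None  # internal step produced by hiding; invisible in the traces model

def lts(init, edges):
    """Build a process from {state: {event: next_state}}."""
    return init, {(s, e, t) for s, moves in edges.items() for e, t in moves.items()}

# TE_1 (section 6.4.3): data.x, then either the pair (ack.yes, send.x) or ack.no
# followed by the pair (data.x, send.x); each pair is one extract_* event.
TE1 = lts("t", {
    "t": {"data.0": "t0", "data.1": "t1"},
    "t0": {"extract_ack.yes.Send.0": "t", "ack.no": "n0"},
    "n0": {"extract_data.0.Send.0": "t"},
    "t1": {"extract_ack.yes.Send.1": "t", "ack.no": "n1"},
    "n1": {"extract_data.1.Send.1": "t"},
})
# Constructed stand-in for the preprocessed implementation Q^: send data.x, then
# accept ack.yes, or ack.no followed by exactly one retransmission of data.x.
Q_HAT = lts("q", {
    "q": {"data.0": "w0", "data.1": "w1"},
    "w0": {"ack.yes": "q", "ack.no": "r0"}, "r0": {"data.0": "q"},
    "w1": {"ack.yes": "q", "ack.no": "r1"}, "r1": {"data.1": "q"},
})
# Constructed stand-in specifications: SPEC allows any sequence of send.x events;
# SPEC_ALT insists on strict alternation send.0, send.1, send.0, ...
SPEC = lts("p", {"p": {"send.0": "p", "send.1": "p"}})
SPEC_ALT = lts("a0", {"a0": {"send.0": "a1"}, "a1": {"send.1": "a0"}})

A_INV = {"data.0", "data.1", "ack.yes", "ack.no"}  # A_inv = A_1
PREP = {  # relational renaming prep (section 6.4.3)
    "ack.yes": {"extract_ack.yes.Send.0", "extract_ack.yes.Send.1"},
    "data.0": {"data.0", "extract_data.0.Send.0"},
    "data.1": {"data.1", "extract_data.1.Send.1"},
    "ack.no": {"ack.no"},
}
EXTRACT = {  # renaming extract (section 6.4.3); other events are unchanged
    "extract_ack.yes.Send.0": {"send.0"}, "extract_ack.yes.Send.1": {"send.1"},
    "extract_data.0.Send.0": {"send.0"}, "extract_data.1.Send.1": {"send.1"},
}

def rename(proc, rel):
    """P[rel]: a transition on e becomes one on every e' with (e, e') in rel."""
    init, edges = proc
    return init, {(s, e2, t) for s, e, t in edges for e2 in rel.get(e, {e})}

def hide(proc, events):
    """P \\ events: transitions on hidden events become internal TAU steps."""
    init, edges = proc
    return init, {(s, TAU if e in events else e, t) for s, e, t in edges}

def parallel(p, q, sync):
    """P ||_sync Q: events in sync need both sides; all others interleave."""
    (pi, pe), (qi, qe) = p, q
    ps = {pi} | {x for s, _, t in pe for x in (s, t)}
    qs = {qi} | {x for s, _, t in qe for x in (s, t)}
    edges = {((s1, s2), e, (t1, s2)) for s1, e, t1 in pe if e not in sync for s2 in qs}
    edges |= {((s1, s2), e, (s1, t2)) for s2, e, t2 in qe if e not in sync for s1 in ps}
    edges |= {((s1, s2), e, (t1, t2)) for s1, e, t1 in pe for s2, e2, t2 in qe
              if e in sync and e == e2}
    return (pi, qi), edges

def traces(proc, depth):
    """Visible traces of length <= depth; tau closure skips hidden events."""
    init, edges = proc
    def closure(ss):
        seen, todo = set(ss), list(ss)
        while todo:
            s = todo.pop()
            for s1, e, t in edges:
                if s1 == s and e is TAU and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return frozenset(seen)
    result, frontier = {()}, {((), closure({init}))}
    for _ in range(depth):
        step = set()
        for tr, ss in frontier:
            for ev in {e for s, e, _ in edges if s in ss and e is not TAU}:
                nxt = closure({t for s, e, t in edges if s in ss and e == ev})
                step.add((tr + (ev,), nxt))
        result |= {tr for tr, _ in step}
        frontier = step
    return result

def trace_extract(q_hat, te_inv, a_inv, prep, extract):
    """TraceExtract = ((Q^[prep] ||_{prep(A_inv)} TE_inv) \\ A_inv)[extract] (6.4.2)."""
    sync = set().union(*(prep.get(a, {a}) for a in a_inv))
    return rename(hide(parallel(rename(q_hat, prep), te_inv, sync), a_inv), extract)

def trace_counterexample(spec, impl, depth):
    """Corollary 6.8 up to depth: None if impl refines spec in traces, else a shortest bad trace."""
    bad = traces(impl, depth) - traces(spec, depth)
    return min(bad, key=len) if bad else None
```

Because the composition with $TE_1$ only ever follows traces in $Dom_1$, a stand-in implementation that, say, retransmitted the wrong data value would simply stop rather than produce a bad extracted trace; that is why Dom-T-check (section 6.2) is verified separately before this check.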
6.4.4 Further comments on defining Di and TEi 
Determinism Due to the need to calculate here the semantics of processes $D_i$ and $TE_i$ from their syntactic representation, they are effectively presented in a particular normal form, namely using only (indexed) deterministic choice, the prefix operator and recursion. Provided that a CSP process $P$ to be used with FDR2 is deterministic then there is a process $P'$ constructed using only indexed deterministic choice,¹⁵ prefix and recursion which is semantically indistinguishable from $P$ (see condition DE in section 2.9). As a result, candidates for $D_i$ and $TE_i$ respectively which are to be used in practice need only be deterministic, rather than defined using this restrictive syntax. (FDR2 can be used to check the determinism of CSP processes.) Of course, candidates for $TE_i$ should still be defined so that they engage only in event pairs which may be generated by $\pi_i$.
Defining extraction mappings In practice, it need not be the case that the extraction pattern used in the verification of any particular implementation process will exist prior to that verification. In other words, extraction patterns may simply be created according to our needs during any particular verification. This is what happens in the verification of the asynchronous communication mechanism described in chapter 7. As a result, the only direct definition of $Dom_i$ for $i \in inv$ which we have may be given by the traces of the implementation process under consideration: this is one reason why it may not actually be possible to define $D_i$ and $TE_i$ using only choice, prefix and recursion. In the verification in chapter 7, a single extraction pattern, which we shall denote $ep_i$, is used in the verification of the implementation process described there, which process we shall call $Q'$. Since we have no direct statement of $Dom_i$ we take it to be $\tau Q'$, which guarantees that any mapping used will be defined for all traces of $Q'$. Assuming the existence of a suitable renaming $domain$, it is difficult to define $TE_i$ such that $\tau(TE_i[domain]) = \tau Q'$, since to do so would require direct syntactic modification of the implementation process itself. The approach taken, therefore, is to define $TE_i$ such that $\tau Q' \subseteq \tau(TE_i[domain])$. Using such an approach, it is as if we take some larger mapping and assume that $extr_i$ is defined as its restriction to the domain $Dom_i$. The restriction to $Dom_i$ will then occur automatically when the process $TE_i$ is composed in parallel with the renamed $Q'$.
¹⁵ If we index the deterministic choice operator with the empty set then this is semantically equivalent to STOP.
6.5 Verifying Dom-SF-check 
We now move on to consider the verification of condition Dom-SF-check for $\widehat{Q}$:
Dom-SF-check Let $(t, R) \in \phi \widehat{Q}$ be such that $R \subseteq \alpha \widehat{Q}$. Let $ep_i \in EP(Q)$ be such that $A_i \cap Fvis = \emptyset$. If $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, \widehat{Q}) = B_i$ then $t \upharpoonright A_i \in dom_i$.
We show in this section how the verification of this condition can be transformed into a check for deadlock freedom¹⁶ on a (number of) process(es) derived from $\widehat{Q}$.¹⁷ This transformation is based on a simple consideration of the respective definitions of $extr^{ref}$, $ref$ and $\overline{ref}$. (Recall that, for $i \in inv$ and $t \in Dom_i$, $\overline{ref}_i(t)$ gives the set of all $X \subseteq A_i$ such that, for every $Y \in ref_i(t)$, $X \cup Y \ne A_i$.) Before proceeding we define $RefSet_i$ for $i \in inv$, which is used extensively in what follows:
Definition 6.9. Let $i \in inv$. Then:
if $Comm(A_i, \widehat{Q}) = Right$
if $Comm(A_i, \widehat{Q}) = Left$
Note that $RefSet_i$ associates the communication capability Left with $ref_i$ and Right with $\overline{ref}_i$ for $i \in inv$; in contrast, the definition of $extr^{ref}_i$ in definition 4.10 associates Left with $\overline{ref}_i$ and Right with $ref_i$. This will prove to be crucial in what follows: in particular, it allows us to characterise in terms of $RefSet_i$ whether or not Dom-SF-check is met.
Let $i \in inv$ and $(t, R) \in \phi \widehat{Q}$ such that $R \subseteq \alpha \widehat{Q}$ and $t \upharpoonright A_i \notin dom_i$. If $\widehat{Q}$ meets Dom-SF-check, then $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, \widehat{Q}) = \emptyset$. In the case that $Comm(A_i, \widehat{Q}) = Right$, this means that $R \cap A_i \in ref_i(t \upharpoonright A_i)$ by definition 4.10. Hence, by definitions 4.9 and 6.9, there does not exist $X \in \overline{ref}_i(t \upharpoonright A_i) = RefSet_i(t \upharpoonright A_i)$ such that $X \cup (R \cap A_i) = A_i$. In the case that $Comm(A_i, \widehat{Q}) = Left$ then $R \cap A_i \in \overline{ref}_i(t \upharpoonright A_i)$ and so, again by definitions 4.9 and 6.9, there does not exist $Y \in ref_i(t \upharpoonright A_i) = RefSet_i(t \upharpoonright A_i)$ such that $Y \cup (R \cap A_i) = A_i$. Consider, then, the case that $\widehat{Q}$ does not meet Dom-SF-check. Then there exists $(t, R) \in \phi \widehat{Q}$ such that $R \subseteq \alpha \widehat{Q}$ and $i \in inv$ such that $t \upharpoonright A_i \notin dom_i$, where $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, \widehat{Q}) = B_i$. Hence, by definitions 4.9, 4.10 and 6.9, there exists $X \in RefSet_i(t \upharpoonright A_i)$ such that $X \cup (R \cap A_i) = A_i$. In a suitable process, deadlock will occur due to the refusal of all events in $A_i$, thus indicating that $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, \widehat{Q}) = B_i$ and so Dom-SF-check has been breached. We therefore define a process (to be interpreted in the stable failures model) for each $i \in inv$ such that its refusals after $t \in (Dom_i - dom_i)$ are given by $RefSet_i(t)$ and where $t \in dom_i$ does not form the trace component of any failure. Each such process for $i \in inv$ is composed in parallel with a modified $\widehat{Q}$ so that the resulting process deadlocks, due to refusing all events in $A_i$, if and only if condition Dom-SF-check is not met with respect to $ep_i$ (i.e. $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, \widehat{Q}) = B_i$ while $t \upharpoonright A_i \notin dom_i$).
¹⁶ Recall that a process $W$ is deadlock-free if and only if $R \subset \Sigma$ for every $(t, R) \in \phi W$.
¹⁷ This is similar in some respects to the use of tester processes in [6], where the question of whether one process implements another is transformed into a question of deadlock-freedom of the implementation composed in parallel with the tester process.
6.5.1 Defining the "tester" process 
We first show how to define the "tester" process $DSF_i$ for $i \in inv$ (we need not define such a process for $i \notin inv$ by the definition of Dom-SF-check). This definition makes use of the semantic definition of $DIV$ - the immediately diverging process - in the stable failures model: recall that the meaning of $DIV$ in this model is $(\{\langle\rangle\}, \emptyset)$. Where $P$ is a process and by the semantic definition of $\Box$ in figure 2.3, we have that:
$$\phi(P \mathbin{\Box} DIV) = \{(t, R) \in \phi P \mid t \neq \langle\rangle\}.$$
For example, $\phi((a \to STOP) \mathbin{\Box} DIV) = \{(\langle a\rangle, R) \mid R \subseteq \Sigma\}$ (see the use of $DIV$ in the definition of processes $TP$ and $FP$ in section 2.10). We may therefore use $DIV$ to obscure failures in which we are not interested, specifically those where the trace component is $t \in dom_i$, since these can be ignored by the definition of Dom-SF-check. We therefore define the process $DSF_i$ for $i \in inv$, the failures of which are defined by $Dom_i - dom_i$ and $RefSet_i$ (see lemma 6.9 below).
Let $i \in inv$. For $t \in Dom_i$, we define $ref^{max}_i(t)$ as the set of sets from $ref_i(t)$ which are maximal in the subset-ordering.
Definition 6.10. $ref^{max}_i(t) \triangleq \{R \in ref_i(t) \mid \neg(\exists S \in ref_i(t))\ R \subset S\}$.
We first give the definition of $DSF_i$ when $Comm(A_i, Q) = Right$. (Note that $t \notin dom_i$ is used as shorthand for the fact that $t \in Dom_i - dom_i$.) In this case, $DSF_i \triangleq DSF^R_i(\langle\rangle)$ and:
$$DSF^R_i(t) = \begin{cases} (\Box_{a \in Next_i(t)}\ a \to DSF^R_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV & \text{if } t \in dom_i \\ ((\Box_{a \in Next_i(t)}\ a \to DSF^R_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV) \sqcap (\sqcap_{R \in ref^{max}_i(t)} (\Box_{a \in (A_i - R)}\ a \to DIV)) & \text{if } t \notin dom_i \end{cases}$$
We now give the definition of $DSF_i$ when $Comm(A_i, Q) = Left$. In this case, $DSF_i \triangleq DSF^L_i(\langle\rangle)$ and:
$$DSF^L_i(t) = \begin{cases} (\Box_{a \in Next_i(t)}\ a \to DSF^L_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV & \text{if } t \in dom_i \\ ((\Box_{a \in Next_i(t)}\ a \to DSF^L_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV) \sqcap (\Box_{R \in ref^{max}_i(t)} (\sqcap_{a \in (A_i - R)}\ a \to DIV)) & \text{if } t \notin dom_i \end{cases}$$
Note that, by Ep5 and definition 6.10, $\sqcap$ is never indexed by the empty set in either of these definitions; similarly, $\Box$ is never indexed by the empty set in the last line of the definition of $DSF^L_i(t)$ (this latter is important in the proof of lemma 6.9). By definition 6.4 and since $\langle\rangle \in Dom_i$ by Ep3-T, $t \in Dom_i$ for any $t$ used to parameterise a term in the definition of $DSF_i$. Hence, $ref^{max}_i$ is defined wherever it is used. The two versions of $DSF_i$ are almost identical: in fact, the only difference is the ordering of the operators $\Box$ and $\sqcap$ in the last line of the respective definitions. This line is used to encode (the refusals from) $RefSet_i$ and the difference reflects the fact that it is given by $ref_i$ in one case and by $\overline{ref}_i$ in the other. The stable failures of $DSF_i$ are characterised by the following lemma.
Lemma 6.9. The following holds, for $i \in inv$:
$$\phi DSF_i = \{(t, X \cup Y) \mid t \in Dom_i - dom_i \wedge X \in RefSet_i(t) \wedge Y \subseteq (\Sigma - A_i)\}.$$
Examples of such processes $DSF_i$ can be seen below in section 6.5.4.
6.5.2 Transforming the implementation process 
Let $i \in inv$. We now show how to transform the implementation process $Q$, such that its failures are projected onto $A_i$: that is, if $(t, R) \in \phi Q$ then $(t \upharpoonright A_i, (R \cap A_i) \cup (\Sigma - A_i))$ is a failure of the transformed process. This transformation is effected using the process $Proc_i$.
$$Proc_i = ((\Box_{a \in \alpha Q}\ a \to Proc_i) \mathbin{\Box} DIV) \sqcap (\Box_{a \in A_i}\ a \to DIV).$$
$Q$ is composed in parallel with $Proc_i$ with the result that, for every failure $(t, R) \in \phi Q$, the refusal $R$ has $\alpha Q - A_i$ added to it. This means that the refusal $R \cap A_i$ will survive the hiding of the events in $\alpha Q - A_i$: i.e. $(t \upharpoonright A_i, R \cap A_i)$ will be a failure of the process resulting from the hiding of $\alpha Q - A_i$. We therefore define the following process:
$$Q_i \triangleq (Q \parallel_{\alpha Q} Proc_i) \setminus (\alpha Q - A_i).$$
The stable failures of $Q_i$ are given by the following result.
Lemma 6.10. The following holds, for $i \in inv$:
$$\phi Q_i = \{(t \upharpoonright A_i, R) \mid (\exists (t, X) \in \phi Q)\ R \subseteq (X \cap A_i) \cup (\Sigma - A_i)\}.$$
6.5.3 The verification 
We are now in a position to define the process $FinalImple_i$, for $i \in inv$, upon which the check for deadlock-freedom¹⁸ will be carried out:
...... 
Theorem 6.11. $Q$ meets condition Dom-SF-check if and only if, for every $i \in inv$, $FinalImple_i$ is deadlock-free.
The above result allows us to proceed to automatic verification of condition Dom-SF-check.
6.5.4 Example 
We now show how to define the relevant process expressions used to verify that $LeftImpl$ and $RightImpl$ respectively meet condition Dom-SF-check. Note that, in both cases, the condition need be checked only with respect to the extraction pattern $ep_{ack}$, the relevant components of which are restated here.
$dom_{ack}$ is defined as follows:
$$dom_{ack} \triangleq \{\langle data.0, ack.yes\rangle, \langle data.0, ack.no, data.0\rangle, \langle data.1, ack.yes\rangle, \langle data.1, ack.no, data.1\rangle\}^*.$$
Recall that $Dom_{ack}$ is given by the prefix-closure of $dom_{ack}$. The $ref_{ack}$ component, where $t \in dom_{ack}$ and $t \frown u \in Dom_{ack}$, is given as:
$$ref_{ack}(t \frown u) \triangleq \begin{cases} 2^{\alpha data} & \text{if } u = \langle data.v\rangle \\ \{R \in 2^{\alpha data \cup \alpha ack} \mid \alpha data \not\subseteq R\} & \text{if } u = \langle\rangle \\ \{R \in 2^{\alpha data \cup \alpha ack} \mid data.v \notin R\} & \text{if } u = \langle data.v, ack.no\rangle \end{cases}$$
We assume $ep_1$ is $ep_{ack}$, where $A_1 = \alpha data \cup \alpha ack$.
Verifying RightImpl:
In this case, $Comm(A_1, RightImpl) = Right$. Assume that $Q$ is $RightImpl$ after the application of preprocessing as described in section 6.3. We also assume the existence of an extraction pattern $ep_2$ to "interpret" the events occurring on channel $out$ (recall that $\alpha out \subseteq Fvis$), where $A_2 = \alpha out$. Thus, by proposition 6.3(2) and definition 4.5, $\alpha Q = \alpha data \cup \alpha ack \cup \alpha out$. Assume that $Proc_1$ is defined according to the template given above in section 6.5.2, by substituting $\alpha data \cup \alpha ack \cup \alpha out$ for $\alpha Q$ and $\alpha data \cup \alpha ack$ for $A_i$. We then define $Q_1 \triangleq (Q \parallel_{\alpha Q} Proc_1) \setminus \alpha out$. The tester process $DSF_1$ used here is defined in terms of two auxiliary processes $DSF^a_1(x)$ and $DSF^b_1(x)$.
$$\begin{aligned} DSF_1 &= (\Box_{x \in \{0,1\}} (data.x \to DSF^a_1(x))) \mathbin{\Box} DIV \\ DSF^a_1(x) &= ((ack.yes \to DSF_1 \mathbin{\Box} ack.no \to DSF^b_1(x)) \mathbin{\Box} DIV) \sqcap (\sqcap_{R \in \{\alpha data\}} (\Box_{y \in (A_1 - R)}\ y \to DIV)) \\ DSF^b_1(x) &= ((data.x \to DSF_1) \mathbin{\Box} DIV) \sqcap (\sqcap_{R \in \{A_1 - \{data.x\}\}} (\Box_{y \in (A_1 - R)}\ y \to DIV)). \end{aligned}$$
From these process expressions, we were able to define $FinalImple_1$ for $ep_1 = ep_{ack}$ and $RightImpl$, and check it for deadlock freedom using FDR2, as a result of which we successfully verified condition Dom-SF-check for $RightImpl$.
¹⁸Recall that a process $W$ is deadlock-free if and only if $R \subset \Sigma$ for every $(t, R) \in \phi W$.
Verifying LeftImpl:
In this case, $Comm(A_1, LeftImpl) = Left$. Assume that $Q$ is $LeftImpl$ after preprocessing. We also assume the existence of an extraction pattern $ep_2$ to "interpret" the events occurring on channel $in$ (recall that $\alpha in \subseteq Fvis$), where $A_2 = \alpha in$. Thus, by proposition 6.3(2) and definition 4.5, $\alpha Q = \alpha data \cup \alpha ack \cup \alpha in$. Assume that $Proc_1$ is defined according to the template given above, by substituting $\alpha data \cup \alpha ack \cup \alpha in$ for $\alpha Q$ and $\alpha data \cup \alpha ack$ for $A_i$. We then define $Q_1 \triangleq (Q \parallel_{\alpha Q} Proc_1) \setminus \alpha in$. The tester process $DSF_1$ used here is defined in terms of two auxiliary processes $DSF^a_1(x)$ and $DSF^b_1(x)$.
$$\begin{aligned} DSF_1 &= (\Box_{x \in \{0,1\}} (data.x \to DSF^a_1(x))) \mathbin{\Box} DIV \\ DSF^a_1(x) &= ((ack.yes \to DSF_1 \mathbin{\Box} ack.no \to DSF^b_1(x)) \mathbin{\Box} DIV) \sqcap (\Box_{R \in \{\alpha data\}} (\sqcap_{y \in (A_1 - R)}\ y \to DIV)) \\ DSF^b_1(x) &= ((data.x \to DSF_1) \mathbin{\Box} DIV) \sqcap (\Box_{R \in \{A_1 - \{data.x\}\}} (\sqcap_{y \in (A_1 - R)}\ y \to DIV)). \end{aligned}$$
From these process expressions, we were able to define $FinalImple_1$ for $ep_1 = ep_{ack}$ and $LeftImpl$, and check it for deadlock freedom using FDR2, as a result of which we successfully verified condition Dom-SF-check for $LeftImpl$.
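The reasoning of section 6.5 can be exercised on a finite model. The following Python is an added example, not code from the thesis: it encodes $ep_{ack}$ as restated in section 6.5.4 and evaluates Dom-SF-check for a constructed implementation both directly and through the $RefSet_1$ characterisation (the condition under which the tester composition deadlocks), for both communication capabilities. The transition systems GOOD and BAD, the alphabet $A_1 \cup \alpha out$, and the assumption that Dom-T-check already holds are all assumptions of the example.

```python
from itertools import combinations

# Added example, not code from the thesis: a finite model of the extraction
# pattern ep_ack (6.5.4) used to evaluate Dom-SF-check two ways (see 6.5).
DATA = frozenset({"data.0", "data.1"})
ACK = frozenset({"ack.yes", "ack.no"})
A1 = DATA | ACK                        # A_1 = alpha data U alpha ack
B1 = frozenset({"send.0", "send.1"})   # B_1 = alpha send (a marker value only)
ROUNDS = [("data.0", "ack.yes"), ("data.0", "ack.no", "data.0"),
          ("data.1", "ack.yes"), ("data.1", "ack.no", "data.1")]

def powerset(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def split_dom(t):
    """(longest prefix of t in dom_ack, residual u), or None if t is not in Dom_ack."""
    i = 0
    while True:
        nxt = [r for r in ROUNDS if t[i:i + len(r)] == r]
        if not nxt:
            break
        i += len(nxt[0])
    u = t[i:]
    return (t[:i], u) if any(r[:len(u)] == u for r in ROUNDS) else None

def in_dom(t):
    s = split_dom(t)
    return s is not None and s[1] == ()

def ref_ack(t):
    """ref_ack(t) for t in Dom_ack, following the three cases restated in 6.5.4."""
    s = split_dom(t)
    if s is None:
        raise ValueError("trace outside Dom_ack: Dom-T-check is assumed to hold")
    u = s[1]
    if u == ():                          # behaviour complete: must offer some data
        return {R for R in powerset(A1) if not DATA <= R}
    if len(u) == 1:                      # u = <data.v>: may refuse data only
        return set(powerset(DATA))
    return {R for R in powerset(A1) if u[0] not in R}   # u = <data.v, ack.no>

def ref_bar(refs):
    """Complement refusals: every X with X | Y != A_1 for all Y in refs."""
    return {X for X in powerset(A1) if all(X | Y != A1 for Y in refs)}

def refset(t, comm):
    """RefSet_1 as section 6.5 uses definition 6.9: Right -> ref_1, Left -> ref-bar_1."""
    return ref_ack(t) if comm == "Right" else ref_bar(ref_ack(t))

def extr_ref(R, t, comm):
    """extr^ref_1 as section 6.5 reads definition 4.10; returns {} or B_1."""
    allowed = ref_bar(ref_ack(t)) if comm == "Right" else ref_ack(t)
    return frozenset() if R in allowed else B1

def project(t, A):
    return tuple(e for e in t if e in A)

def dom_sf_check(failures, alpha_q, comm):
    """Dom-SF-check evaluated directly from its definition."""
    for t, R in failures:
        tA = project(t, A1)
        if R <= alpha_q and extr_ref(R & A1, tA, comm) == B1 and not in_dom(tA):
            return False
    return True

def deadlock_witness(failures, alpha_q, comm):
    """A failure outside dom_1 whose refusal plus some X in RefSet_1 covers A_1:
    the situation in which the tester composition of 6.5 would deadlock."""
    for t, R in failures:
        tA = project(t, A1)
        if R <= alpha_q and not in_dom(tA) and \
                any(X | (R & A1) == A1 for X in refset(tA, comm)):
            return (t, R)
    return None

def failures_of(lts, start, alphabet, max_len=5):
    """Stable failures (t, R), R a subset of alphabet, of a deterministic,
    divergence-free transition system, for traces up to max_len (constructed)."""
    out, todo = set(), [((), start)]
    while todo:
        t, s = todo.pop()
        out.update((t, R) for R in powerset(alphabet - frozenset(lts[s])))
        if len(t) < max_len:
            todo.extend((t + (e,), s2) for e, s2 in lts[s].items())
    return out

# Constructed implementations over alpha Q = A_1 U alpha out (hypothetical, not
# LeftImpl or RightImpl). GOOD retransmits data.x after ack.no; BAD stops there,
# so after <data.x, ack.no>, which is not in dom_ack, it refuses all of A_1.
OUT = frozenset({"out.0", "out.1"})
ALPHA_Q = A1 | OUT
GOOD = {"s0": {"data.0": "w0", "data.1": "w1"}, "o0": {"out.0": "s0"}, "o1": {"out.1": "s0"},
        "w0": {"ack.yes": "o0", "ack.no": "r0"}, "w1": {"ack.yes": "o1", "ack.no": "r1"},
        "r0": {"data.0": "s0"}, "r1": {"data.1": "s0"}}
BAD = dict(GOOD, r0={}, r1={})
GOOD_FAILURES = failures_of(GOOD, "s0", ALPHA_Q)
BAD_FAILURES = failures_of(BAD, "s0", ALPHA_Q)

if __name__ == "__main__":
    for comm in ("Right", "Left"):
        print(comm, dom_sf_check(GOOD_FAILURES, ALPHA_Q, comm), deadlock_witness(BAD_FAILURES, ALPHA_Q, comm))
```

For both GOOD and BAD, and for both capabilities, the direct check and the witness search agree, as the argument preceding definition 6.9 predicts; the witness for BAD is a failure after $\langle data.x, ack.no\rangle$ in which $data.x$ is refused.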
6.6 The stable failures model 
We now consider how to verify that $extr_{EP(Q)}([Q]_{SF}) \subseteq [P]_{SF}$, which requires the interpretation of both the traces and stable failures of $Q$. Section 6.4 showed how to do the former. The challenge faced here, therefore, is to encode as a CSP context the mapping applied to refusal/trace pairs. Before we show how to do this, an important issue must be raised.
Condition SF4 given in section 2.4.2 defines the following relationship which exists between the traces and failures of any process $W$ in the stable failures model:
$$(t, R) \in \phi W \wedge t \frown \langle a\rangle \notin \tau W \Rightarrow (t, R \cup \{a\}) \in \phi W.$$
But $extr_{EP(Q)}(\tau Q)$ and $extr_{EP(Q)}(\phi Q)$ may not respect this relationship. Consider a refusal-maximal failure $(w, X) \in extr_{EP(Q)}(\phi Q)$. Then, by SF-DEF2, there exists $(t, R) \in \phi_{dom_{EP(Q)}} Q$ such that
$$extr_{EP(Q)}(t) = w \text{ and } X = extr^{ref}_{EP(Q)}(R, t, Q) \cup (\Sigma - extr_{set}(\alpha Q)).$$
It may be the case that, for $ep_i \in EP(Q)$ where $i \in inv$, $X \cap B_i = \emptyset$ since $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = \emptyset$. However, it need not hold that $extr_{EP(Q)}(t) \frown \langle b\rangle \in extr_{EP(Q)}(\tau Q)$ for every $b \in B_i$ and usually it will not. This means that, in the general case, there need not be a (syntactic) process the semantics of which is given by $extr_{EP(Q)}([Q]_{SF})$. One consequence of this is that, although the extracted traces of $Q$ are represented directly in the syntactic term we define, its extracted failures are represented in an encoded form (see section 6.6.1 for further details). Another consequence is that the specification process $P$ has to be modified before the verification question under consideration here can be framed as a refinement check in FDR2 (see section 6.6.2).
The interdependency between traces and failures also gives rise to another problem. In particular, if we apply to $Q$ the machinery necessary to extract traces then this will modify the failures of the resulting process: we no longer have a (syntactic) record of the original failures of $Q$ and so would be unable to apply further syntactic manipulations in order to encode the extracted failures of $Q$. Similarly, syntactic manipulations which are necessary to encode the extraction of the failures of $Q$ will have possibly undesirable effects on the traces of the resulting process. For example, consider the simple implementation process $W = a \to STOP$, where:
• $\tau W = \{\langle\rangle, \langle a\rangle\}$ and
• $\phi W = \{(\langle\rangle, R) \mid R \subseteq \Sigma \wedge a \notin R\} \cup \{(\langle a\rangle, R) \mid R \subseteq \Sigma\}$.
In the event that $extr_{EP(W)}(\langle a\rangle) = \langle\rangle$, we would have to hide $\{a\}$ in order to extract the traces of $W$. However, the only failures of the resulting process would be $\{(\langle\rangle, R) \mid R \subseteq \Sigma\}$. In the event that $extr_{EP(W)}(\langle a\rangle) = \langle b\rangle$, then $a$ would eventually be renamed to $b$ and this would alter the refusals of the process. Similarly, any attempt to extract the refusals of $W$ would involve some manipulation of the event $a$ and so the traces of the process would also be affected.
In order to solve this problem, we introduce the notion of primed events: this allows us to separate the events used to generate the traces of any process under consideration from those used to generate the refusals. For example, we could represent $W$ as
$$W' = ((a \to STOP) \mathbin{\Box} DIV) \sqcap (a' \to DIV),$$
where
• $\tau W' = \{\langle\rangle, \langle a\rangle, \langle a'\rangle\}$ and
• $\phi W' = \{(\langle\rangle, R) \mid R \subseteq \Sigma \wedge a' \notin R\} \cup \{(\langle a\rangle, R) \mid R \subseteq \Sigma\}$.
Thus, the event $a$ could be manipulated as necessary in order to extract the traces of $W'$ but this would not affect the refusals of the process (it would, of course, affect the trace component of one of the failures but that trace component would need to be extracted as well anyway). Similarly, $a'$ could be manipulated during the extraction of refusals but this would not affect the trace $\langle a\rangle$ (the additional trace $\langle a'\rangle$ can effectively be ignored). This approach of using primed events to generate refusals and unprimed events to generate traces is employed below in the definition of the processes $RE_i$ for $i \in inv$ described in section 6.6.1 (these processes are used to extract the refusals of $Q$).
Priming events and related issues 
Before proceeding, we introduce three renaming relations which will allow us to prime events.
Definition 6.11. The following hold by definition:
1. If $a \in A_{inv} \cup B_{inv}$ then $prime(a) \triangleq a'$.
2. If $a \in A_{inv}$ then $pQ(a) \triangleq \{a, a'\}$.
3. If $a \in B_{inv}$ then $pP(a) \triangleq \{a, a'\}$.
$prime$ converts an event from $A_{inv} \cup B_{inv}$ into its primed counterpart. $pQ$ returns both the original event and its primed version for finally invisible implementation events; $pP$ does the same for finally invisible specification events. It is assumed that the set of primed events contains only "fresh" events: i.e. it does not contain any events already used in defining $Q$, $P$ or $EP(Q)$, or which are used in any other capacity as part of the verification of $Q$.
The act of priming an event cannot be done directly in (machine-readable) 
CSP and so the approach taken is as follows. We take the event to be primed 
and define a new channel with the same type as the original channel on which 
the event occurred and whose name is a concatenation of the original name 
and some other "reserved" word, such as prime. The new event will then 
occur on the new channel, whilst communicating the same data value as the 
original event. For example, if we were to "prime" the event $data.0$, the
result could be $dataprime.0$ (see section 6.6.4 for further examples). Note, of
course, that we cannot use channel names containing subscripts in machine-
readable CSP: they are used here simply for the purposes of presentation 
and, in practice, we would use something like dataprime. 
In the course of extracting the refusals of $Q$, it will also be necessary to rename each event in $prime(A_i)$ for $i \in inv$ to a distinguished event $d_i$.¹⁹ The set of such events is labelled $d_{inv}$.
Definition 6.12. $d_{inv} \triangleq \{d_i \mid i \in inv\}$.
The renaming of events in $prime(A_i)$ to $d_i$ for $i \in inv$ is carried out using the renaming $\sigma Q$. ($\sigma P$ is also defined, to rename events in $prime(B_i)$ to $d_i$: it is used in preprocessing the specification.)
Definition 6.13. Let $i \in inv$.
1. If $a \in prime(A_i)$ then $\sigma Q(a) \triangleq d_i$.
2. If $a \in prime(B_i)$ then $\sigma P(a) \triangleq d_i$.
The events $d_i$ for $i \in inv$ are used to encode the extraction of refusals. In order to relate this encoding to $extr^{ref}_{EP(Q)}$, we introduce the mapping $extrFDR^{ref}_{EP(Q)}$.
Definition 6.14. Let $t \in Dom_{EP(Q)}$ and $R \subseteq \alpha Q$. Then
$$extrFDR^{ref}_{EP(Q)}(R, t, Q) \triangleq \bigcup_{1 \le i \le m} extrFDR^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q),$$
where:
1. Let $i \notin inv$. Then $extrFDR^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) \triangleq R \cap A_i$.
2. Let $i \in inv$. Then:
(a) if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = B_i$ then $extrFDR^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) \triangleq \{d_i\}$.
(b) if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = \emptyset$, $extrFDR^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) \triangleq \emptyset$.
In relation to definition 6.14(1), recall that $A_i \subseteq Fvis$ if $i \notin inv$ and so $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = R \cap A_i$ by Ep5-FvI.
¹⁹Each such $d_i$ is assumed to be a "fresh" event not used or introduced elsewhere.
6.6.1 Interpreting the behaviours of Q
In this section, we show how to simultaneously extract the traces and failures of $Q$.
Extracting refusals 
The extraction of refusals uses a set of processes $RE_i$ for $i \in inv$ which are similar to the $DSF_i$ defined in the previous section for verifying Dom-SF-check. The only differences are that refusals are generated here using primed events and only traces in $dom_i$ form the trace components of the stable failures of the process. This latter is because, by SF-DEF2 in figure 4.10, we are ultimately only interested in failures the trace component of which is in $dom_{EP(Q)}$.
Let $i \in inv$ and note that $t \notin dom_i$ is again used as a shorthand for the fact that $t \in (Dom_i - dom_i)$. We first give the definition of the process $RE_i$ when $Comm(A_i, Q) = Right$. In this case, $RE_i \triangleq RE^R_i(\langle\rangle)$ and
$$RE^R_i(t) = \begin{cases} (\Box_{a \in Next_i(t)}\ a \to RE^R_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV & \text{if } t \notin dom_i \\ ((\Box_{a \in Next_i(t)}\ a \to RE^R_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV) \sqcap (\sqcap_{R \in ref^{max}_i(t)} (\Box_{a \in prime(A_i - R)}\ a \to DIV)) & \text{if } t \in dom_i \end{cases}$$
We now give the definition of $RE_i$ when $Comm(A_i, Q) = Left$. In this case, $RE_i \triangleq RE^L_i(\langle\rangle)$ and
$$RE^L_i(t) = \begin{cases} (\Box_{a \in Next_i(t)}\ a \to RE^L_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV & \text{if } t \notin dom_i \\ ((\Box_{a \in Next_i(t)}\ a \to RE^L_i(t \frown \langle a\rangle)) \mathbin{\Box} DIV) \sqcap (\Box_{R \in ref^{max}_i(t)} (\sqcap_{a \in prime(A_i - R)}\ a \to DIV)) & \text{if } t \in dom_i \end{cases}$$
Similar comments apply to these definitions as were made with respect to the definitions of $DSF_i$ in the previous section. In particular, by Ep5 and definition 6.10, $\sqcap$ is never indexed by the empty set in either of these definitions; also, $\Box$ is never indexed by the empty set in the last line of the definition of $RE^L_i(t)$. By definition 6.4 and since $\langle\rangle \in Dom_i$ by Ep3-T, then $t \in Dom_i$ for any $t$ used to parameterise a term in the definition of $RE_i$ and so $ref^{max}_i$ is defined wherever it is used. Also as before, the two definitions of $RE_i$ are similar: again, the only difference is the ordering of the operators $\Box$ and $\sqcap$ in the last line of the respective definitions, due to the fact that this line encodes (the priming of) $RefSet_i$.
We also define the process $Trim$.
$Trim$ is composed in parallel with $|||_{i \in inv} RE_i$ in order to ensure that primed events only appear at the end of traces in the resulting process, $RE_{inv}$, which process will be used to extract the refusals of $Q$:²⁰
The following result characterises the behaviours of $RE_{inv}$ (recall that, by definition 6.3, $Dom_{inv} \triangleq (|||_{i \in inv} Dom_i)$ and $dom_{inv} \triangleq (|||_{i \in inv} dom_i)$).²¹
Lemma 6.12. The following hold of $RE_{inv}$:
1. $\tau RE_{inv} = Dom_{inv} \cup T$, where $T \subseteq \{t \frown \langle prime(a)\rangle \mid t \in Dom_{inv} \wedge ((\exists i \in inv)\ a \in A_i)\}$.
2. $\phi RE_{inv} = \{(t, prime(X) \cup Y) \mid t \in dom_{inv} \wedge X \subseteq A_{inv} \wedge Y \subseteq (\Sigma - prime(A_{inv})) \wedge ((\forall i \in inv)\ X \cap A_i \in RefSet_i(t \upharpoonright A_i))\}$.
Before composing $RE_{inv}$ in parallel with $Q$, it is necessary to prime the events of $Q$ using $pQ$. This essentially gives two copies of every event from $Q$ which is in $A_{inv}$: after composition with $RE_{inv}$, the unprimed events effectively define the traces of the resulting process and the primed events define the refusals, as they do in $RE_{inv}$. Prior to composition with $RE_{inv}$ it is also necessary to compose the renamed $Q$ with the following process, $TrimTwo$, to create the process $Interim$. $TrimTwo$ plays a role similar to $Trim$ defined above: it ensures that events from $prime(A_{inv})$ only occur at the end of traces in $Interim$. We therefore define:
$$TrimTwo = (\Box_{a \in \alpha Q}\ a \to TrimTwo) \mathbin{\Box} (\Box_{a \in prime(A_{inv})}\ a \to DIV)$$
and
$$Interim \triangleq Q[pQ] \parallel_{\alpha Q \cup prime(A_{inv})} TrimTwo.$$
²⁰If primed events could appear elsewhere in the traces of $RE_{inv}$, it would interfere with the extraction of the traces of $Q$.
²¹Note that, in the definition of $T$ in lemma 6.12(1), $dom_{inv}$ could have been used in place of $Dom_{inv}$ without invalidating the result. We use $Dom_{inv}$ because it is sufficient for our purposes in the remainder of this section and because it eases the proof of both this result and a later result.
Consider a failure $(t, R) \in \phi_{dom_{EP(Q)}} Q$ and let $i \in inv$. Once $RE_{inv}$ has been composed in parallel with $Interim$, the resulting process will refuse $prime(A_i)$ after $t$ if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = B_i$. (This behaviour is similar to that induced when $DSF_i$ is composed in parallel with $Q_i$, as described in section 6.5.) Similarly, only a strict subset of $prime(A_i)$ will be refused after $t$ if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = \emptyset$. The events from $prime(A_i)$ are then renamed to $d_i$ using $\sigma Q$. This has the result that $\{d_i\}$ is refused after $t$ if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = B_i$; moreover, $\{d_i\}$ is not refused after $t$ if $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = \emptyset$.²²
We therefore define $PreImple$, a process which has the extracted refusals of $Q$ but whose traces have not yet been extracted:
$$PreImple \triangleq (Interim \parallel_{A_{inv} \cup prime(A_{inv})} RE_{inv})[\sigma Q].$$
We introduce the notation $A_{Fvis}$ as follows.
Definition 6.15. $A_{Fvis} \triangleq \bigcup_{i \notin inv} A_i = \alpha Q \cap Fvis$.
The behaviours of $PreImple$ are then given by the following result.
Lemma 6.13. The following hold:
1. $\tau PreImple = \tau Q \cup T$, where $T \subseteq \{t \frown \langle d_i\rangle \mid t \in \tau Q \wedge d_i \in d_{inv}\}$.
2. $\phi PreImple = \{(t, X \cup Y) \mid (\exists (t, R) \in \phi_{dom_{EP(Q)}} Q)\ R \subseteq \alpha Q \wedge X \subseteq extrFDR^{ref}_{EP(Q)}(R, t, Q) \wedge Y \subseteq (\Sigma - (A_{Fvis} \cup d_{inv}))\}$.
²²According to the detail in section 2.4.2, for some process $W$ and renaming $G$,
$$\phi(W[G]) = \{(s_1, X) \mid (\exists s)\ s\,G\,s_1 \wedge (s, G^{-1}(X)) \in \phi W\}.$$
Since $(\sigma Q)^{-1}(\{d_i\}) = prime(A_i) \cup \{d_i\}$ for $i \in inv$, then $prime(A_i)$ must be refused before renaming with $\sigma Q$ if $\{d_i\}$ is to be refused after renaming has been applied (note that $\{d_i\}$ itself is always refused before application of the renaming).
Extracting traces 
We now define the process $FinalImple$. This will constitute the implementation process supplied to the refinement check in FDR2 which is used to verify whether or not $extr_{EP(Q)}([Q]_{SF}) \subseteq [P]_{SF}$. This final syntactic transformation is used to "extract" the traces of $PreImple$. (Note that $extract$, $prep$ and $TE_{inv}$ are as defined in section 6.4.)
$$FinalImple \triangleq (((PreImple[prep]) \parallel_{prep(A_{inv})} TE_{inv}) \setminus A_{inv})[extract]$$
The behaviours of $FinalImple$ are given by the following result.
Lemma 6.14. The following hold:
1. $\tau FinalImple = extr_{EP(Q)}(\tau Q) \cup T$, where $T \subseteq \{extr_{EP(Q)}(t) \frown \langle d_i\rangle \mid t \in \tau Q \wedge d_i \in d_{inv}\}$.
2. $\phi FinalImple = \{(extr_{EP(Q)}(w), X \cup Y) \mid (\exists (w, R) \in \phi_{dom_{EP(Q)}} Q)\ R \subseteq \alpha Q \wedge X \subseteq extrFDR^{ref}_{EP(Q)}(R, w, Q) \wedge Y \subseteq (\Sigma - (A_{Fvis} \cup d_{inv}))\}$.
6.6.2 Preprocessing the specification process P 
Before proceeding, we introduce an additional notation which will prove useful in characterising the behaviours of the preprocessed specification.
Definition 6.16. Let $(t, R) \in \phi P$. Then $DB(R) \triangleq \{d_i \in d_{inv} \mid B_i \subseteq R\}$.
In addition, we assume the alphabet of $P$ to be as follows:
As indicated above, it is necessary to modify the specification process $P$ before it is used in any refinement check in FDR2. There are two related reasons for this. Firstly, as indicated by lemma 6.14(1), certain traces from $\tau FinalImple$ may be ended by an event $d_i \in d_{inv}$. It is therefore necessary to add $d_i$ for $i \in inv$ to the end of every trace in the specification. Secondly, refusals in $FinalImple$ are effectively defined only in terms of finally visible events and the events from $d_{inv}$; all other events are always refused. The refusals from the specification therefore have to be modified in order to reflect this fact. These changes are effected using the auxiliary process $Proc$. (Recall that $B_{inv} \triangleq \bigcup_{i \in inv} B_i$ by definition 6.2(2).)
$$Proc = ((\Box_{a \in \alpha P}\ a \to Proc) \mathbin{\Box} DIV) \sqcap (\Box_{a \in ((\alpha P - B_{inv}) \cup prime(B_{inv}))}\ a \to DIV) \sqcap ((\Box_{y \in d_{inv}}\ y \to DIV) \mathbin{\Box} DIV).$$
The events from $P$ are primed using $pP$ in order to give two copies of each event in $B_{inv}$ - the primed events will be used to define refusals and the unprimed events to define traces - and $Proc$ is then composed in parallel with the renamed $P$, synchronizing on $\alpha P \cup prime(B_{inv})$. We refer to the resulting process as $W$. For every $(t, R) \in \phi Proc$, $t \in (\alpha P)^*$ and
Thus, $W$ will always refuse all events in $B_{inv}$ since $B_{inv} \subseteq extr_{set}(\alpha Q) \subseteq \alpha P$; however, refusals from $P$ which are contained in $B_{inv}$ will appear in a primed form in $W$. In other words, if $(t, R) \in \phi P$ is such that $R \subseteq B_{inv}$, then $(t, prime(R)) \in \phi W$. Finally, the renaming $\sigma P$ is applied to $W$ with the effect that all events from $prime(B_i)$ for $i \in inv$ are renamed to $d_i$. This means that the new specification process, $NewSpec$, will refuse $\{d_i\}$ for $i \in inv$ after a trace $t$ if and only if $P$ could previously refuse $B_i$ after $t$ (see lemma 6.15(2) and recall the definition of $DB$ in definition 6.16). $NewSpec$ is therefore defined as follows.
$NewSpec$ will constitute the specification process supplied to the refinement check in FDR2 which is used to verify whether or not $extr_{EP(Q)}([Q]_{SF}) \subseteq [P]_{SF}$. Its behaviours are characterised by the following result.
Lemma 6.15. The following hold:
1. $\tau NewSpec = \tau P \cup \{t \frown \langle d_i\rangle \mid t \in \tau P \wedge d_i \in d_{inv}\}$.
2. $\phi NewSpec = \{(t, R) \mid (\exists (t, X) \in \phi P)\ R \subseteq (X \cap (\alpha P - B_{inv})) \cup DB(X) \cup (\Sigma - ((\alpha P - B_{inv}) \cup d_{inv}))\}$.
In this result, $\alpha P - B_{inv}$ denotes a combination of finally visible events and "other" events. This reflects the fact that $P$ may engage in events other than those in the specification alphabets of the extraction patterns used to interpret $Q$ (i.e. other than those in $\bigcup_{1 \le i \le m} B_i$).
6.6.3 Final result 
We now give the final result which lets us verify using FDR2 whether or not $extr_{EP(Q)}([Q]_{SF}) \subseteq [P]_{SF}$.
Theorem 6.16. $extr_{EP(Q)}([Q]_{SF}) \subseteq [P]_{SF}$ if and only if $FinalImple \sqsupseteq_{SF} NewSpec$.
6.6.4 Example 
We now show how the results given above can be used to define inputs 
to FDR2 to verify automatically that the extracted behaviours of Leftlmpl 
(respectively RightImpl) in the stable failures model are contained in the 
behaviours of LeftSpec (respectively RightSpec) in the same model. 
In both cases - i.e. in the verification of both $LeftImpl$ and $RightImpl$ - let $ep_1$ be $ep_{ack}$. We therefore have that $inv = \{1\}$. Also, $d_{inv} = \{d_1\}$, $A_1 = A_{inv} = \alpha data \cup \alpha ack$ and $B_1 = B_{inv} = \alpha send$. Assuming the existence of suitable extraction patterns to "interpret" events occurring on channel $in$ in $LeftImpl$ and on channel $out$ in $RightImpl$,²³ we have:
• $\alpha RightSpec = \alpha out \cup \alpha send$.
• $\alpha LeftSpec = \alpha in \cup \alpha send$.
We define new channels $dataprime$, $ackprime$ and $sendprime$ with the same types as $data$, $ack$ and $send$ respectively on which will occur the necessary primed events. The renaming $prime$ which is used here is defined as:²⁴
$$prime = \{(send.0, sendprime.0), (send.1, sendprime.1), (data.0, dataprime.0), (data.1, dataprime.1), (ack.yes, ackprime.yes), (ack.no, ackprime.no)\}.$$
The renaming $pQ$ used here is defined as:
$$\{(data.0, data.0), (data.0, dataprime.0), (data.1, data.1), (data.1, dataprime.1), (ack.yes, ack.yes), (ack.yes, ackprime.yes), (ack.no, ack.no), (ack.no, ackprime.no)\}.$$
The renaming $pP$ used here is defined as:
$$\{(send.0, send.0), (send.0, sendprime.0), (send.1, send.1), (send.1, sendprime.1)\}.$$
The renaming $\sigma Q$ used here is defined as:
$$\{(dataprime.0, d_1), (dataprime.1, d_1), (ackprime.yes, d_1), (ackprime.no, d_1)\}.$$
²³These are the extraction patterns whose existence was assumed in section 6.5.4.
²⁴Note that all renamings used here are the same whether we are verifying $LeftImpl$ or $RightImpl$.
The renaming $\sigma P$ used here is defined as:
Using the detail above, $NewSpec$ could be constructed for both $LeftSpec$ and $RightSpec$ after taking account of the following important point. In the generic syntactic definitions given in this section, the renaming $prime$ is applied to different sets of events. However, renamings may not be applied to sets in FDR2 (that approach is used in definitions for ease of expression). In practice, we supply directly the events from the primed set under consideration. For example, where a deterministic choice operator in $Proc$ is indexed by $a \in (\ldots \cup prime(B_{inv}))$, we would instead give directly the set of primed events: in the example here, we would use $a \in (\ldots \cup \alpha sendprime)$ rather than $a \in (\ldots \cup prime(\alpha send))$. In the definition of $RE_i$ in section 6.6.1, a choice operator is indexed by $R \in ref^{max}_i(t)$ and then a subsequent choice operator is indexed by $a \in prime(A_i - R)$. In practice, we take advantage of the fact that $prime(A_i - R) = prime(A_i) - prime(R)$. The first of the two choice operators is therefore indexed over the set of $prime(R)$ such that $R \in ref^{max}_i(t)$, where the $prime(R)$ are supplied directly. The second choice operator is then indexed by $a \in prime(A_i) - X$, where $prime(A_i)$ is supplied directly and $X$ represents a member of the set of $prime(R)$ such that $R \in ref^{max}_i(t)$. This approach is illustrated by the definition of the processes $RE_1$ below.
Below, $X \triangleq \alpha ackprime \cup \{dataprime.0\}$ and $Y \triangleq \alpha ackprime \cup \{dataprime.1\}$. These sets are the primed versions of the maximal refusals when behaviour is complete (recall that $ref_{ack}(t) = \{R \in 2^{\alpha data \cup \alpha ack} \mid \alpha data \not\subseteq R\}$ for $t \in dom_{ack}$).
Verifying RightImpl:
In this case, $Comm(A_1, RightImpl) = Right$. Assume that $Q$ is $RightImpl$ after the application of preprocessing as described in section 6.3. Then, as shown in section 6.5.4, $\alpha Q = \alpha data \cup \alpha ack \cup \alpha out$. The process $RE_1$ for the extraction pattern $ep_1 = ep_{ack}$ is defined in terms of two auxiliary processes $RE^a_1(x)$ and $RE^b_1(x)$:
$$\begin{aligned} RE_1 &= ((\Box_{x \in \{0,1\}}\ data.x \to RE^a_1(x)) \mathbin{\Box} DIV) \sqcap (\sqcap_{R \in \{X, Y\}} (\Box_{y \in ((\alpha dataprime \cup \alpha ackprime) - R)}\ y \to DIV)). \\ RE^a_1(x) &= (ack.yes \to RE_1 \mathbin{\Box} ack.no \to RE^b_1(x)) \mathbin{\Box} DIV. \\ RE^b_1(x) &= (data.x \to RE_1) \mathbin{\Box} DIV. \end{aligned}$$
Verifying LeftImpl:
In this case, $Comm(A_1, LeftImpl) = Left$. Assume that $Q$ is $LeftImpl$ after preprocessing. Then, as shown in section 6.5.4, $\alpha Q = \alpha data \cup \alpha ack \cup \alpha in$. The process $RE_1$ for the extraction pattern $ep_1 = ep_{ack}$ is defined in terms of the following two auxiliary processes $RE^a_1(x)$ and $RE^b_1(x)$:
$$\begin{aligned} RE_1 &= ((\Box_{x \in \{0,1\}}\ data.x \to RE^a_1(x)) \mathbin{\Box} DIV) \sqcap (\Box_{R \in \{X, Y\}} (\sqcap_{y \in ((\alpha dataprime \cup \alpha ackprime) - R)}\ y \to DIV)). \\ RE^a_1(x) &= (ack.yes \to RE_1 \mathbin{\Box} ack.no \to RE^b_1(x)) \mathbin{\Box} DIV. \\ RE^b_1(x) &= (data.x \to RE_1) \mathbin{\Box} DIV. \end{aligned}$$
Using the components defined above, along with $TE_1$, $prep$ and $extract$ described in section 6.4.3, we were able to define all necessary process expressions needed for the current verification. By supplying them as inputs to FDR2, we were then able to verify automatically that the extracted behaviours of $LeftImpl$ (respectively $RightImpl$) in the stable failures model are contained in the behaviours of $LeftSpec$ (respectively $RightSpec$) in the same model.
Thus, since both $LeftImpl$ and $RightImpl$ meet Dom-T-check and Dom-SF-check, since $\alpha ImplNet \subseteq Fvis$ and by theorem 4.10, we may infer that $ImplNet \sqsupseteq_{SF} SpecNet$.
6.7 The failures divergences model 
Finally, we show how to verify automatically that $extr_{EP(Q)}([Q]_{FD}) \subseteq [P]_{FD}$ when $\delta P = \emptyset$.²⁵ By working under this restriction, the condition that is verified here is similar to the notion of refinement-after-hiding presented in [16]. Before proceeding to the verification of the condition proper, it is necessary to show how to verify condition Ep6.
25This restriction is imposed because it lets us verify the condition while still working in 
the stable failures model: the use of DIV in extracting refusals would distort the outcome 
of any verification check in the failures divergences model. It is a minor restriction in any 
case, since one would usually expect a (component) specification process to be divergence-
free. Moreover, it should be stressed that the specification network may still contain 
divergent traces. 
Verifying EP6 
We recall condition Ep6 from section 4.5 and observe that it must be verified for every extraction pattern $ep_i \in EP(Q)$ such that $A_i \cap Fvis = \emptyset$, that is, such that $i \in inv$ (it is met trivially when $i \notin inv$ by Ep4-FvI).
EP6 Let $ep \in EP$. If $\ldots, t_j, \ldots$ is an $\omega$-sequence in $Dom$, then $\ldots, extr(t_j), \ldots$ is also an $\omega$-sequence.
In practice, Ep6 would be verified of the extraction patterns independently of the actual system verification: in other words, it would be verified of any particular extraction pattern when that extraction pattern was first created. The following result shows how this verification may be carried out, where $TE_i$ is as defined in section 6.4.
Theorem 6.17. Let $ep_i \in EP(Q)$ be such that $i \in inv$. Then $ep_i$ meets Ep6 if and only if $\delta(TE_i \setminus A_i) = \emptyset$.
The verification proper
We assume that $Q$ has already been shown to meet conditions Dom-T-check and Dom-SF-check. As is shown by the following result, two checks are then required in FDR2 to verify that $extr_{EP(Q)}([Q]_{FD}) \subseteq [P]_{FD}$ when $\delta P = \emptyset$ ($NewSpec$ and $FinalImple$ are as defined in section 6.6).
Theorem 6.18. Let $\delta P = \emptyset$ and assume that $Q$ meets conditions Dom-T-check and Dom-SF-check. Then $extr_{EP(Q)}([Q]_{FD}) \subseteq [P]_{FD}$ if and only if $\delta Q = \emptyset$ and $FinalImple \sqsupseteq_{SF} NewSpec$.
Using the above detail, we were able to verify automatically that $LeftImpl$ refines-after-hiding $LeftSpec$ and $RightImpl$ refines-after-hiding $RightSpec$ in the failures divergences model. Thus, by theorem 4.12, we may infer that $ImplNet \sqsupseteq_{FD} SpecNet$.
6.8 Conclusion
We have presented here a means of automatic verification of our notion of refinement-after-hiding, albeit under certain restrictions.²⁶ Moreover, it has been built on top of an existing industrial-strength tool, with all of the benefits which that confers. This means of verification is used in the next chapter to verify the correctness of an algorithm for asynchronous communication and we postpone until then a more detailed discussion of it.
²⁶ The extraction mappings which may be used must be restricted as described in section 6.0.2 and component specification processes must be divergence-free when working in the failures divergences model.
Chapter 7
Case study
Thus far, we have considered the theory behind notions of refinement-after-hiding in CSP, presented a concrete such notion and described a means of automatically verifying it using a pre-existing tool. The next step is to apply these latter two things in practice. To do this, we attempt to verify the correctness of a particular asynchronous communication mechanism or ACM.¹
7.1 Asynchronous communication 
In an ideal world, where we could guarantee instantaneous, atomic² data transfer - whatever the type of the data being transferred - shared memory communication between two concurrent processes could be implemented directly using single variables or registers, without any attendant access control policies or mechanisms. However, such atomic data transfers are not possible and if, for example, a reader and writer process were allowed unconstrained access to such a variable or register, interference would occur due to the overlapping of read and write events.
Usually, if communication is to take place between two concurrent processes via a shared memory area, some form of synchronization³ will be required in order to avoid interference. Such synchronization may take the form of a critical section or handshake communication. However, this may force one or both of the communicating processes to wait or block while the other completes a data transfer; this may be undesirable, particularly in a real-time environment. Even a buffer, unless of infinite capacity, is not fully asynchronous: if it becomes full, a writer process may have to wait and, if it becomes empty, a reader process may have to wait.
¹ Although the purpose of this case study is to apply in practice the machinery developed in previous chapters, it is also intended as an illustration of the general power of refinement-after-hiding: the results given in this chapter are therefore important in their own right.
² In this chapter, we shall describe (sequences of) events as "atomic" (with respect to each other) if their occurrences do not overlap in time and so their respective executions cannot interfere with each other.
³ Synchronization here means that the two communicating processes have to co-ordinate their activities in some way, possibly via a third-party mechanism such as a critical section. It does not refer to communication which is regulated by some sort of global clock.
It is to solve this problem that asynchronous communication mechanisms 
or ACMs have been introduced. Such mechanisms are characterised by the 
fact that, if used by a single reader and writer, neither the reader nor the 
writer will ever have to wait before it is allowed to interact with the mecha-
nism. As a result, a writer may always write to an ACM and the reader may 
always read from it: that is, writes are destructive and may overwrite data 
already written, while reads are non-destructive and so re-reading is allowed. 
In order to allow such unconstrained access, despite the reality of non-atomic 
data transfer, ACMs combine some sort of access logic with multiple data 
slots. The multiple data slots allow a read and a write to proceed concur-
rently without interfering with each other, while the access logic ensures the 
reader and writer processes never access the same slot at the same time. The 
specific ACM we consider here is Simpson's 4-slot mechanism ([68]). 
7.1.1 Simpson's 4-slot mechanism 
The software version of the mechanism from [68] is given in figure 7.1; we assume that it will be used to manage data transfer between a single reader and a single writer, which communicate with the mechanism using the read and write procedures respectively. It contains - as the name suggests - four data slots, arranged into two pairs of two slots. Each of these slots stores a value of type datatype⁴ and together they constitute a 2-dimensional array, data, which is a global variable. The first dimension of the array represents the pair, the second the two slots within that pair. Intuitively, the writer tries to avoid the reader as it seeks to write into the mechanism, while the reader chases after the writer in order to read the last piece of data written.
Three global variables are used in order to manage the behaviour of the reader and writer respectively. These are latest, reading and slot. latest is a bit variable indicating the pair to which the writer last wrote, while slot[i] tells the reader which slot was last written to in pair i. The bit variable reading tells the writer the pair from which the reader is about to read or from which it has just read. Note also that pair and index are local variables.
The behaviour of the reader is relatively straightforward to understand. It ascertains the pair to which the writer last wrote and places this value in the local variable pair. It then indicates to the writer that it is going to read from this pair by storing the value in reading, before discovering the slot last written to in the pair by interrogating the variable slot. Finally, it reads the data item stored in data at the relevant pair and slot. Note that the data transfer from data which represents this read will not occur atomically in the general case.
⁴ In the general case, datatype will be a complex type whose reading and writing are not guaranteed to be atomic by the underlying system on which the 4-slot mechanism is implemented.

Global variables: reading, latest : bit
                  slot : array of bit
                  data : array of (array of datatype)

procedure write (item : datatype);
var pair, index : bit;
begin
    pair := not(reading);
    index := not(slot[pair]);
    data[pair, index] := item;
    slot[pair] := index;
    latest := pair;
end;

procedure read : datatype;
var pair, index : bit;
begin
    pair := latest;
    reading := pair;
    index := slot[pair];
    read := data[pair, index];
end

Figure 7.1: Simpson's 4-slot mechanism
As indicated above, the writer aims to avoid the slot and pair combination 
in which the reader finds itself. It first decides to write to the pair in which the 
reader has not indicated an interest via reading (we assume that not(0) = 1 
and not(1) = 0). It then decides to write to the slot in that pair which 
contains the oldest value. This means that it is impossible to immediately 
overwrite the last data value written into the mechanism. It also means 
that the writer avoids the reader in the event that the latter is reading from 
this pair. (This may happen despite the efforts of the writer to choose the 
alternative pair due to the arbitrary interleaving of the commands contained 
in the respective read and write procedures.) The relevant data value is then 
written - non-atomically - into the correct pair and slot combination. slot 
is updated to indicate which slot was written to in the relevant pair before, 
finally, latest is updated to indicate to the reader the pair in which the last 
write occurred. 
As indicated above, a call to the read procedure and a call to the write 
procedure may proceed concurrently and so the commands they contain can 
be arbitrarily interleaved. This is obviously necessary if we are to have non-
blocking - and so asynchronous - communication. And it is this fact of 
arbitrary interleaving, along with the fact that data transfers are non-atomic, 
which leads to the need for verification to ensure that the mechanism does, 
indeed, behave as desired. 
7.2 Verifying the 4-slot mechanism
As hinted above, the 4-slot is intended to mimic the functionality of a register despite the fact that we cannot guarantee atomicity of read and write operations (see figure 7.2 for a procedure-based representation of a register, where it is assumed that the read and write procedures do execute atomically). In moving from the register to the 4-slot, a variety of types of reification have occurred:⁵
• Data reification: The single memory slot of the register has been replaced by four data slots, along with a number of variables to control access to those slots.
• (External) behaviour decomposition: The register transfers data in terms of individual read and write events, while the 4-slot uses a number of different events to implement a read or a write.⁶
• (External) relaxation of atomicity: In the register, reads and writes are atomic; in the 4-slot, the read and write procedures may proceed concurrently.
⁵ It is exactly this combination of different types of reification, exhibited by a mechanism whose definition is relatively concise, which led us to choose the 4-slot as a case study.

Global variable: data : datatype

procedure write (item : datatype);
begin
    data := item;
end;

procedure read : datatype;
begin
    read := data;
end

Figure 7.2: A register
Due to the nature of this reification, standard CSP refinement could not 
be used to verify that (our CSP representation of) the 4-slot is a correct im-
plementation of (our CSP representation of) the register. Using the concrete 
notion of refinement-after-hiding from chapter 4, however, we are able to 
show that the 4-slot implements the register and the remainder of this chap-
ter is concerned with doing so. Before proceeding, we look briefly at some 
other approaches which have been used to verify the correctness of the 4-slot; 
some of the concepts introduced thereby will be useful in what follows. We 
will also take advantage of one of the results that has been shown, in order 
to simplify our verification. 
7.2.1 Standard approaches 
The standard approach taken in the literature is not to consider correctness with respect to a register. Rather, certain intuitive properties are identified which it is felt must hold of the 4-slot⁷ if it is to work in an acceptable manner, which properties are expressed at the level of abstraction of the 4-slot itself. Arguably the three most important such properties are data coherence, data freshness and data sequencing (see, for example, [17]).
⁶ The 4-slot mechanism given in figure 7.1 and the register from figure 7.2 present the same procedural interface to the outside world and so it does not seem that external behaviour decomposition has occurred. However, as can be seen below in section 7.3, we actually represent the 4-slot as a CSP process in which the events used to implement the read and write procedures are all externally visible. The reasons for this are discussed in section 7.3.4.
Data coherence Data coherence is preserved if and only if a reader process and a writer process may not simultaneously access the same slot in the 4-slot. It is essentially a mutual exclusion property - only one of the processes may be in a particular slot at any one time - and is used to guarantee that the 4-slot behaves as if data items were actually transferred atomically. This means that reads and writes at the 4-slot level will behave as if they had been ordered atomically in some sequence. In this respect, the requirement for data coherence is similar to that of serializability in databases (see, for example, [2]).
Data freshness When a read is executed, it is not enough to guarantee 
that the value read is a genuine value written into the mechanism; we also 
need to guarantee that it was written into the mechanism as recently as pos-
sible. The property of data freshness is therefore as follows: the oldest value 
which may be read by a read procedure is that written into the mechanism 
by the most recent write procedure whose execution had completed by the 
time at which the execution of this read procedure began.⁸ 
Data sequencing This condition is concerned with the order in which 
values are read from the 4-slot. It stipulates that, once we have read a 
particular value, x, we cannot subsequently read a value, y, which was written 
into the mechanism earlier than x. Note that data freshness does not imply 
data sequencing, due to the fact that we can read an "old" value and still 
meet the data freshness condition. 
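The interleaving of the read and write procedures of figure 7.1, and the three properties just defined, can be explored mechanically. The following Python explorer is an added example (it is not from the thesis): it enumerates every interleaving of the two procedures under the assumption that control-variable accesses are atomic, models the data-slot transfer as a separate begin and end step, numbers the written values 1, 2, 3, ... so that "older" and "newer" are comparable, and includes a constructed faulty variant (latest updated before slot) to show that the checks are not vacuous.

```python
"""Exhaustive interleaving check for Simpson's 4-slot mechanism (figure 7.1).
Every interleaving of the read and write procedures is explored and the
properties of section 7.2.1 (coherence, freshness, sequencing) are checked.
Control-variable accesses are atomic; a data-slot transfer has two steps.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

NOT = {0: 1, 1: 0}                          # not(0) = 1 and not(1) = 0


@dataclass(frozen=True)
class State:
    reading: int = 0
    latest: int = 0
    slot: Tuple[int, int] = (0, 0)
    data: Tuple[int, ...] = (0, 0, 0, 0)    # data[pair*2 + index]; write k stores k
    wpc: int = 0                            # writer program counter, 0..5
    wpair: int = 0
    windex: int = 0
    rpc: int = 0                            # reader program counter, 0..4
    rpair: int = 0
    rindex: int = 0
    written: int = 0                        # writes completed so far
    read_base: int = 0                      # writes completed when this read began
    last_read: int = 0                      # value returned by the last read


Step = Optional[Tuple[State, Tuple[str, ...]]]      # (next state, violated properties)


def writer_busy(s: State) -> Optional[Tuple[int, int]]:
    return (s.wpair, s.windex) if s.wpc == 3 else None   # slot mid-write, if any


def reader_busy(s: State) -> Optional[Tuple[int, int]]:
    return (s.rpair, s.rindex) if s.rpc == 4 else None   # slot mid-read, if any


def writer_step(s: State, n_writes: int, latest_first: bool) -> Step:
    """One atomic step of 'procedure write'; None once all writes are done."""
    if s.wpc == 0:
        if s.written == n_writes:
            return None
        return replace(s, wpair=NOT[s.reading], wpc=1), ()
    if s.wpc == 1:
        return replace(s, windex=NOT[s.slot[s.wpair]], wpc=2), ()
    if s.wpc == 2:                          # begin data[pair, index] := item
        clash = reader_busy(s) == (s.wpair, s.windex)
        return replace(s, wpc=3), (("coherence",) if clash else ())
    if s.wpc == 3:                          # end of the non-atomic data transfer
        data = list(s.data)
        data[s.wpair * 2 + s.windex] = s.written + 1
        return replace(s, data=tuple(data), wpc=4), ()
    # Steps 4 and 5: slot[pair] := index, then latest := pair.  The constructed
    # faulty variant latest_first=True performs them in the opposite order.
    if (s.wpc == 4) != latest_first:
        slot = list(s.slot)
        slot[s.wpair] = s.windex
        s = replace(s, slot=tuple(slot))
    else:
        s = replace(s, latest=s.wpair)
    if s.wpc == 4:
        return replace(s, wpc=5), ()
    return replace(s, wpc=0, written=s.written + 1), ()     # the write is complete


def reader_step(s: State) -> Step:
    """One atomic step of 'procedure read'."""
    if s.rpc == 0:                          # pair := latest; the read begins here
        return replace(s, rpair=s.latest, read_base=s.written, rpc=1), ()
    if s.rpc == 1:
        return replace(s, reading=s.rpair, rpc=2), ()
    if s.rpc == 2:
        return replace(s, rindex=s.slot[s.rpair], rpc=3), ()
    if s.rpc == 3:                          # begin read := data[pair, index]
        clash = writer_busy(s) == (s.rpair, s.rindex)
        return replace(s, rpc=4), (("coherence",) if clash else ())
    value = s.data[s.rpair * 2 + s.rindex]  # end of the data transfer
    bad: List[str] = []
    if value < s.read_base:                 # older than the last write completed
        bad.append("freshness")             # before this read began
    if value < s.last_read:                 # older than a value already read
        bad.append("sequencing")
    return replace(s, last_read=value, rpc=0), tuple(bad)


def check_four_slot(n_writes: int = 3, latest_first: bool = False) -> Dict[str, object]:
    """Breadth-first search over every interleaving of n_writes writes with an
    endlessly re-reading reader; reports the properties violated somewhere."""
    start = State()
    seen, queue, violations = {start}, deque([start]), set()
    while queue:
        s = queue.popleft()
        for move in (reader_step(s), writer_step(s, n_writes, latest_first)):
            if move is None:
                continue
            nxt, bad = move
            violations.update(bad)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {"states": len(seen), "violations": sorted(violations)}
```

With the procedures as in figure 7.1, `check_four_slot()` reports no violations; the faulty variant reports both freshness and sequencing violations, since a reader that sees the new latest before the matching slot update reads the stale slot of that pair.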
7.2.2 Checking these conditions 
A number of authors have considered the problem of checking these conditions for the 4-slot and have approached it in various ways; moreover, the conditions have all been shown to be met, under the assumption that the control variables used in the 4-slot will never suffer from metastability (see below).
⁷ These properties have been used in the verification of a number of different ACMs but we shall concentrate here on the 4-slot.
⁸ We cannot simply give the definition as the read procedure must read the last value written into the mechanism: the last-but-one value written may be read if the read procedure begins interrogation of the necessary control variables before the current write has finished updating them after writing a particular data item into the mechanism.
Simpson himself developed and presented the role-model approach in [69], 
which involves dynamically allocating (possibly multiple) 'roles' to the pairs 
and slots in the array which stores the data written into and read from the 
4-slot. On the occurrence of an event used in the implementation of a read or 
write procedure, the role of any pair or slot may change. A transition system 
is then constructed, the states of which are given by the roles allocated to the 
slots and pairs. Model-checking is carried out on this state space in order to 
determine that the relevant properties hold: for example, if the property of 
data coherence is met, no reachable state can exist where both reading and 
writing roles are assigned to the same slot. In his PhD thesis ([17]), Clark set 
out to present a unified means of checking the correctness of various ACMs 
(see [17] also for a survey of other approaches to this problem). This was 
accomplished using an approach involving Petri Nets ([55]) and the resulting 
method was used to successfully verify all three of the above properties for 
the 4-slot. In [65], Rushby uses model-checking to verify the same properties. 
All three of these approaches have in common the fact that they abstract 
from the data values transmitted by the 4-slot mechanism and specify the 
properties to be checked independently of these values. Since we verify the 4-
slot against a specification process, we are unable to employ data abstraction 
in such a way and have to address squarely the issue of the data values which 
we shall communicate in our model of the 4-slot (see section 7.3.4). 
These three authors also all highlight the issue of whether accesses to the 
control variables used in the 4-slot algorithm are atomic. The phenomenon 
of metastability (see [17] for an explanation and a list of references) ensures 
that they are not atomic in the general case. However, Simpson takes an 
engineering view and states that, in practice, it is possible to design and 
implement underlying hardware so that metastability is a negligible prob-
lem, from which the 4-slot can recover immediately in any case. As a result, 
he works from the assumption that accesses to control variables are atomic. 
Both Clark and Rushby carry out verification without this assumption and 
show that the 4-slot mechanism is not correct. (They relax it in different 
ways: Clark allows for the possibility of metastability while Rushby assumes 
that control variables are built using registers which may return any valid 
value if reads and writes overlap.)⁹ The choice which we make in our mod-
elling of the 4-slot is discussed in section 7.3.4. 
The recent papers [26, 27] also concern themselves with the fact of verifying that the 4-slot respects the property of data coherence. The first of these uses data refinement in VDM ([33]) to carry out this verification, although it restricts the degree to which the events of the read and write procedures in the 4-slot may be interleaved. The second paper uses a rely-guarantee proof method in conjunction with data refinement and this allows the restrictions from the previous paper to be lifted.
⁹ Their results are challenged, however, by the paper [54]: the authors of this paper claim that a more accurate modelling of metastability allows them to show that the 4-slot is, in fact, correct under metastable operation.
7.3 Modelling the 4-slot in CSP 
In order to verify the 4-slot using our notion of refinement-after-hiding, we 
need to render both it and the register in CSP.¹⁰ In our modelling of the 4-
slot, we assume that the problem of metastable operation will not arise (see 
section 7.3.4 below). Under such an assumption, all of the authors discussed 
in the previous section have shown that the 4-slot enjoys the property of 
data coherence. As a result, the mechanism behaves as if it transfers data 
items atomically and we use this fact to simplify our CSP model: i.e. our 
model will transmit data items atomically. This simplifies considerably the 
extraction mapping which is needed to interpret the behaviours of the 4-slot. 
7.3.1 The process used 
Six basic processes are used in the CSP representation of the 4-slot. There 
is a process to represent each of the global variables latest, reading and slot, 
while another process represents the data array. Finally, two processes are 
used to impose the necessary ordering of event executions. 
Figure 7.3 details most of the data types and channels which are required in the construction of the processes which we shall use. Channel data is used for (atomic) data transmission: it has fields to indicate whether a read or write operation is occurring, to indicate the pair/slot combination where the data will be written to or read from and, finally, a field to store an integer value from dataint.¹¹ The channels latest, reading and slot are used to communicate with the control variables.¹² Channel slot has an additional field to indicate which of the processes is carrying out the relevant action, since both the reader and writer need to read from the global variable slot. The operation not is defined as not(first) = second and not(second) = first.
¹⁰ The CSP model of the 4-slot is based partly on a model produced by Rod White of Matra BAe Dynamics.
¹¹ first and second are used in place of 0 and 1 to indicate a particular pair or slot in order to make process definitions easier to follow.
¹² They are each given the name of the control variable that they are used to communicate with as this makes clearer the connection between the events of the CSP representation of the 4-slot and the events used in the description of the 4-slot in figure 7.1.
• dataint = {0..5}
• datatype slots = first | second
• datatype ops = rd | wr
• datatype user = reader | writer
• datatype dataslot = ops.slots.slots.dataint
• channel data : dataslot
• channel reading, latest : ops.slots
• channel slot : user.slots.ops.slots
Figure 7.3: Data type and channel definitions
The process to represent the variable reading is as follows:
• BitReading = Reading(first)
• Reading(x) = reading.rd.x → Reading(x) □ reading.wr?y → Reading(y)
The process to represent the variable latest is as follows:
• BitLatest = Last(first)
• Last(x) = latest.rd.x → Last(x) □ latest.wr?y → Last(y)
Figure 7.4: Representing the bit variables latest and reading

• SLOT(x, Y) =
    let S(y) = slot.writer.x.rd.y → S(y)
               □ slot.writer.x.wr?val → S(val)
               □ slot.reader.x.rd.y → S(y)
               □ slot.reader.x.wr?val → S(val)
    within S(Y)
• Slots = |||_{x ∈ {first, second}} SLOT(x, first)
Figure 7.5: Representing slot
Figure 7.4 details the processes used to represent the control variables latest and reading respectively.¹³ The representation of the array slot can be seen in figure 7.5. It is given by interleaving the two processes SLOT(first, first) and SLOT(second, first), each of which represents an element of the array (a similar technique is used to represent the array data). Its definition relies on the fact that we may define generic processes which are parameterized by a data value or values indicating a particular position in an array. The channel on which this generic process communicates with the environment is also parameterized with these same values (see section 2.12). Therefore, we may communicate with the process of our choice - i.e. access the desired position in the array - by making sure that we communicate the "identifier/s" for our desired process when we communicate over the relevant channel. For example, the writer is connected to the first position in the array (for the purposes of reading) by "channel" slot.writer.first.rd. It is connected to the second position in the array (for the purposes of reading) by slot.writer.second.rd and so on. In other words, the parameter x in the definition of SLOT denotes the position in the array which is represented by SLOT.
The representation of the array data also consists of a number of processes, each representing a particular position in the array. The definition of the relevant processes is given in figure 7.6. The process DataSlot is parameterized by three values. The first two of these, labelled by x and y, denote the slot in the array which this particular process will represent: we create a DataSlot process for every pair and slot combination. For example, DataSlot(first, second, 0) will be the second slot in the first pair; similarly, DataSlot(second, second, 0) is the second slot in the second pair. Each slot in the array - and so each DataSlot process - then contains a single integer value, denoted by the variable V (or v in the local definition D).
¹³ See section 2.12 for an explanation of the syntax used to represent multi-directional communication.

• DataSlot(x, y, V) =
    let D(v) = data.wr.x.y?val → D(val)
               □ data.rd.x.y.v → D(v)
    within D(V)
• Data = |||_{x ∈ A} DataSlot(fst(x), sec(x), 0), where
  A = {(first, first), (first, second), (second, first), (second, second)},
  fst((x, y)) = x and sec((x, y)) = y.
Figure 7.6: Representing the data array
The processes described so far - namely, BitReading, BitLatest, Slots 
and Data - represent the global variables of the 4-slot mechanism. The fi-
nal requirement is to provide a communication interface with these processes 
which reflects the nature of the read and write procedures given in figure 7.1. 
The processes used for this are given in figure 7.7: their purpose is to im-
pose an ordering on the events offered by the global variables. All of these 
processes are then composed in parallel, synchronizing on common actions, 
to give the process FSlot, the CSP representation of the 4-slot: 
((BitReading ||| BitLatest ||| Slots ||| Data) ||_A Writer) ||_B Reader
where
• A = αreading.rd ∪ αslot.writer ∪ αdata.wr ∪ αlatest.wr.
• B = αlatest.rd ∪ αreading.wr ∪ αslot.reader ∪ αdata.rd.
In practice, we use the following equivalent construct to give FSlot, in order to avoid the state explosion which would arise from the interleaving of four different processes:
((((BitReading ||_A Writer) ||_B Reader) ||_C BitLatest) ||_D Slots) ||_E Data
where A = αreading.rd, B = αreading.wr, C = αlatest, D = αslot and E = αdata.
Ordering writer-side behaviour:
    Writer = reading.rd?p →
             slot.writer.not(p).rd?i →
             data.wr.not(p).not(i)?val →
             slot.writer.not(p).wr.not(i) →
             latest.wr.not(p) → Writer
Ordering reader-side behaviour:
    Reader = latest.rd?p →
             reading.wr.p →
             slot.reader.p.rd?i →
             data.rd.p.i?val → Reader
Figure 7.7: Ordering behaviour of global variables
7.3.2 A simple environment
We also present a simple environment with which FSlot might be composed. The purposes of this are twofold. Firstly, it allows us to carry out a basic compositional verification. Secondly, consideration of an environment such as the one we propose is very useful (at least in this case) in determining that the traces extraction mapping we have developed is acceptable: see section 7.4 for a discussion of this issue. Figure 7.8 describes this environment: it may take a value from dataint on the channel in and write it into FSlot; it may also read a value from FSlot, before outputting the result on channel out. (Note that the channels in and out used here are assumed to be different to those used in the definition of the processes from the running example in figure 1.1.)

• channel in, out : dataint
• WriteEnviron = in?val →
                 reading.rd?p →
                 slot.writer.not(p).rd?i →
                 data.wr.not(p).not(i).val →
                 slot.writer.not(p).wr.not(i) →
                 latest.wr.not(p) → WriteEnviron
• ReadEnviron = latest.rd?p →
                reading.wr.p →
                slot.reader.p.rd?i →
                data.rd.p.i?val →
                out.val → ReadEnviron
• FourSlotEnviron = WriteEnviron ||| ReadEnviron
Figure 7.8: An environment for FSlot

7.3.3 The register and a corresponding environment
The CSP version of the register is presented in figure 7.9. The variable data from figure 7.2 is represented as a parameter to the process. Since individual CSP events occur instantaneously and cannot occur concurrently, we are guaranteed to have atomic transfers of data. Figure 7.10 defines the specification environment for which the 4-slot environment is an implementation: it is essentially a pair of single-slot buffers to be placed on the read and write channels of the register. Note that the events on channels in and out are regarded as finally visible; all other events - i.e. all those in both the register and FSlot - are finally invisible.

• channel read, write : dataint
• Register = Reg(0)
• Reg(x) = read.x → Reg(x) □ write?y → Reg(y)
Figure 7.9: A CSP version of the register

• RegWriteEnviron = in?val → write.val → RegWriteEnviron.
• RegReadEnviron = read?val → out.val → RegReadEnviron.
• RegisterEnviron = RegWriteEnviron ||| RegReadEnviron.
Figure 7.10: A corresponding environment for the register
7.3.4 Issues related to modelling the 4-slot in CSP 
We now consider issues relating to some of the choices we have made in 
modelling the 4-slot mechanism in CSP. 
The 4-s1ot, its environment and inter-process communication 
Although the 4-slot algorithm as presented in figure 7.1 implies that reader 
and writer processes would communicate with the mechanism using (pos-
sibly remote) procedure calls, we have taken a different approach with our 
CSP model. Essentially, we have assumed that all events of the 4-slot are 
visible to the environment - i.e. both events effecting data transfer and 
those concerned with manipulating control variables - and that the envi-
ronment engages in both types of event whenever it wishes to transfer data. 
It is possible to model the 4-slot and the register in CSP using a procedural 
interface which gives them both the same set of visible events.¹⁴ However, 
relaxation of atomicity in the 4-slot means that its procedure invocations 
and returns may interleave in ways not possible for the register. This means 
that standard CSP refinement could not be used for verification here and so 
we need to use refinement-after-hiding. As can be seen in section 7.5, we 
always extract on the occurrence of events which either write to or read from 
a control variable, meaning that these events must be visible in our CSP 
representation of the 4-slot. As a result, it seems we need to see more than 
would be visible with a procedural interface if verification is to succeed. And 
since the CSP version of the 4-slot no longer has a procedural interface, there 
is no reason to retain such an interface in the CSP version of the register. 
This of course raises the question of the validity of the results generated here with respect to any real system which might use the 4-slot to transfer data. Although we have not explored this issue formally, we make the following points with respect to any environment with which the 4-slot might be composed. A procedural interface would be represented in CSP using an event to denote the procedure call and a corresponding event to denote the procedure return. Having made a procedure call, one would assume that the environment would always be ready to receive the return until it actually occurred (this is similar to the property of receptiveness which is described in [67]). Moreover, due to the assumption of a single reader and a single writer, the call event of a particular procedure would not be allowed if a return event for that procedure was pending. With our model, it is as if we have substituted for the call and return events all of the events in the relevant procedure: we would do this in general by assuming that the environment would always be ready to accept the next event from a procedure once it had begun to execute; moreover, only one event from a particular procedure would be enabled at any one time. (This is the approach followed in defining the environment FourSlotEnviron.)
¹⁴ A procedure is modelled externally as an invocation event and a corresponding return event, each of which may communicate data as necessary.
The extra events added by eschewing a procedural interface would not 
actually interact at all with any other events in the environment: they would 
neither enable such events nor cause them to be disabled. Since all such 
interface events would be hidden anyway in the final network, the change in 
modelling approach should not have any impact in the traces model and it 
would certainly fail to introduce any new divergences. In the stable failures 
model, whichever modelling approach we used, no state between the start 
and termination of a particular procedure would contribute a stable failure 
due to offering at least one event which would be hidden in the final network. 
As a result, whichever modelling approach we used the (CSP) behaviour of 
any network built using the 4-slot should not change to any significant degree. 
(See also comments on this issue in section 7.9 at the end of this chapter.) 
Instantaneous events but no simultaneous events 
In [17], Clark raises the possibility that certain ACMs may execute two events 
a, b simultaneously with a different result to that which arises by executing 
either a then b or b then a. This is of significance because we have no means 
of modelling in CSP the actual concurrent execution of two different events. 
However, Clark showed that such a problem does not arise with respect to 
the 4-slot. 
Metastability 
In section 7.2, we mentioned the problem of metastability in relation to the
question of whether or not control variables are modelled as being capable
of atomic data transfers. Our CSP model of the 4-slot assumes that such
data transfers will be atomic. This is for two main reasons: the first is that
we accept Simpson's view that the problem of metastability is negligible in
practice (or can be made so). Secondly, we are concerned here with exploring
how our notion of refinement-after-hiding may be applied in practice, and
modelling the possibility of metastability would complicate our model to a
large degree.
A concrete data type 
For the purposes of verification, specifically the need to use FDR2, it was
necessary to choose a concrete data type to be written to and read from
both the register and the 4-slot. We have chosen (a subset of) the integers,
i.e. {0..5}, because they are a basic type. Since we are carrying out
model-checking, it is also necessary to choose a finite type, and the limits of
the hardware on which FDR2 was run dictated the size of the type used.
This issue is discussed at greater length in section 7.8, after the presentation
of the processes used in the verification.
7.4 Restricting the (traces) extraction mapping
Before proceeding to the verification proper and the derivation of a suitable 
extraction pattern, it is necessary to consider an important methodological 
point regarding the use of refinement-after-hiding in practice. Namely, the 
verification of a particular implementation component may be regarded as 
ultimately successful only if we are able to verify the correctness of the envi-
ronment with which the component is to be composed. And the extraction 
pattern(s) used to verify a particular component may have a significant im-
pact on the possibility of successful verification of the environment. This 
issue is considered in section 7.7.1 with regard to the refusal bounds which 
are used in the verification of the 4-slot. However, there are properties of 
sufficient importance that we need to guarantee they hold of our extraction 
pattern (specifically, of the mapping over traces). 
In verifying that FSlot refines-after-hiding the (CSP) register in the traces
model, every trace of FSlot has to be mapped to a trace of the register. Since
FSlot does not engage in any finally visible events, the only restrictions on
the mapping used are that it must be strict, monotonic and return a trace
over the alphabet of the register when applied to any trace from FSlot. As
a result, it would be possible to define a mapping which simply returned
the empty trace ⟨⟩ for any trace to which it was applied. We could then
very easily show that the extracted traces of FSlot were contained in those
of the register. However, such a mapping would cause problems when it
came to verifying any meaningful environment with which FSlot might be
composed. By definition, the mapping used to interpret the traces of FSlot
will also be used in the interpretation of the traces of the environment, and
that environment will contain finally visible events in the general case. The
presence of these events, along with the fact that finally visible events must be
left unaltered by any extraction mapping (see conditions Ep4-FvI and TR-
GLOBAL2 in chapter 4), will impose further restrictions on the mapping
used in the verification of FSlot, which restrictions should be anticipated
when that mapping is being developed.
It is possible to define an environment which simply carries out a direct 
translation to and from the behaviours of FSlot: this is the environment pre-
sented in figure 7.8.[15] (The corresponding specification environment is given
in figure 7.10.) In order for any extraction mapping to allow the successful 
verification of this environment, the way in which the mapping interprets the 
traces of FSlot must be consistent with the way in which the environment 
translates to and from those behaviours: this is illustrated by the following 
discussion. 
In the 4-slot environment, every (low-level) write[16] to FSlot will be pre-
ceded by an event in.x; moreover, the low-level write will also transmit the
value x. Similarly, every (low-level) read from FSlot which transmits the
value x will be followed by the event out.x. In the specification environment, 
every event write.x will be preceded by the event in.x; similarly, every event 
read.x will be followed by the event out.x. Since the events on channels in 
and out are finally visible, they must be unaltered by the application of any 
extraction mapping. This means that, if verification of the environment is 
to succeed, each low-level write must extract to write.x. Likewise, each low-
level read must extract to read.x. In other words, each low-level read or write 
must be extracted to exactly one high-level data transmission; moreover, that 
high-level data transmission must communicate the same data value as was 
transmitted by the low-level read or write. 
These conditions are therefore required to hold of any mapping we de-
velop here, since we should always expect to be able to verify successfully an
environment of the simplicity of that in figure 7.8; moreover, if they do hold it
is unlikely that verification of a more complex environment would fail simply
because the extraction mapping developed to verify FSlot was unsuitable.
That they do hold can be checked by attempting to verify the implementa-
tion environment from figure 7.8 against the specification environment from
figure 7.10, using the mapping under consideration. It may seem that this
can also be checked simply by inspecting the mapping itself. However, as
can be seen in the next section, high-level read events are always extracted
to before the relevant data value has been transmitted at the lower level. In
such a case, it is no longer straightforward to see that the event extracted
will transmit the correct data.[17]

[15] It plays a role similar to that of the extractors and disturbers in [39].
[16] We shall use low-level write to mean the execution of the events in FSlot which implement a call to the write procedure of the 4-slot; similarly, low-level read will be used to mean the execution of the events in FSlot which implement a call to the read procedure of the 4-slot. A high-level write will then simply be an event occurring on channel write; a high-level read will be an event occurring on channel read.
7.5 The traces model
We now move on to consider the extraction pattern needed for verification
of refinement-after-hiding in the traces model. A single extraction pattern,
denoted ep_ar, is used to relate the behaviours of FSlot to those of the reg-
ister, where ar denotes the fact that we interpret behaviours of an ACM as
behaviours of a Register.[18] As a result, EP(FSlot) = {ep_ar}. A_ar, B_ar, e_ar
and Dom_ar for ep_ar are defined as follows:
• A_ar = αlatest ∪ αreading ∪ αslot ∪ αdata.
• B_ar = αread ∪ αwrite.
• e_ar = ∅.
• Dom_ar = T FSlot.
First note that all events in A_ar are assumed to be finally invisible,
i.e. A_ar ∩ Fvis = ∅; we also assume that Comm(A_ar, FSlot) = Left. Since
EP(FSlot) = {ep_ar}, we shall use Dom_ar in lieu of Dom_EP(FSlot) by TR-
GLOBAL1. Note also that, by TR-GLOBAL2, extr_EP(FSlot) is equivalent to
extr_ar in the case that the former is being used to denote the mapping over
individual traces. That Dom_ar = T FSlot means Dom-T-check is met trivially
by FSlot.[19] It also means that FSlot does not need to be preprocessed as
described in section 6.3 when we consider automatic verification (recall that
this preprocessing would simply remove all traces of FSlot which are not
contained in Dom_ar).

[17] An early version of the extraction mapping derived here was used in a successful verification of FSlot but verification of the environment failed for this reason.
[18] A single extraction pattern (and so a single traces mapping) is used to interpret both read and write events because the point at which write events are extracted depends partly on the behaviour of the reader and the point at which read events are extracted depends partly on the behaviour of the writer.
[19] Since e_ar = ∅ and Comm(A_ar, FSlot) = Left, Dom-T-check requires that t ∈ Dom_ar for every t ∈ T FSlot: i.e. there are no events on which FSlot is allowed to go outside the domain. This then means that Dom-T-check does not place any restrictions at all on FourSlotEnviron. (See related discussion in section 4.2 with respect to verification of the running example and see also section 7.6.3, where the verification of FourSlotEnviron is considered.)
7.5.1 The extraction mapping 
According to the conditions discussed in section 7.4, our choice in defining
extr_ar is restricted to finding the particular event in each low-level read and
write on the occurrence of which we will extract to the relevant high-level
event (which extracted event must transmit the same data value as the corre-
sponding low-level event). In addition, that we are mapping traces of FSlot
to those of the register means any high-level read event to which we extract
must transmit the same data value as the last high-level write to which we
extracted.
Mimicking the behaviour of the register after application of the mapping 
is complicated by two main factors (detail on how the relevant situations 
may arise can be found in section 7.5.2): 
• A low-level read may actually read data written into FSlot by a low-
level write that has not yet completed (that is, it has not yet updated 
both control variables to fully indicate where it wrote the data) . 
• The slot and pair from which data is to be read on a particular low-
level read may be fully determined before the identity of the relevant 
slot and pair has been discovered from the control variables. 
The first point has the consequence that we cannot always extract to a
high-level write event at exactly the point at which the low-level write has
completed (i.e. we cannot always extract on the occurrence of the event
which updates the variable latest). If we were to do this, the reader side may
have already read and extracted the value written and, at the specification
level, we will get a trace which apparently manages to read a value before it
has been written. However, we must also be careful not to extract the current
write yet if the reader could still read the value written by the previous write.
As soon as it is fully determined which slot and pair the reader will read
from, the value to be read is also fully determined. This is because the writer
will not be able to access the relevant slot of the data array until this read
has finished, since the 4-slot maintains the property of data coherence. As
a result, by the second point above, we may know exactly which value the
reader is to read before it has completed interrogating the necessary control
variables. And we must extract to a high-level read as soon as the value to
be read is determined: if we did not do this, the reader could wait until an
arbitrary number of further writes had been completed and extracted and
only then complete and extract this read. This would give the appearance
of reading an old value and so of having more memory than the single slot
of the register.

The Writer:
begin
  1  pair := not reading;
  2  index := not slot[pair];
  3  data[pair, index] := item;
  4  slot[pair] := index;
  5  latest := pair;
end;

The Reader:
begin
  1  pair := latest;
  2  reading := pair;
  3  index := slot[pair];
  4  read := data[pair, index];
end

Figure 7.11: Simpson's 4-slot mechanism annotated
Before proceeding, it is also necessary to observe that the event on the 
occurrence of which we actually extract to a high-level write is not always the 
same and depends on the way in which low-level reads and writes have been 
interleaved; a similar comment applies with regard to extraction to high-level 
read events. 
7.5.2 Defining extr_ar
Figure 7.11 presents an annotated version of the 4-slot mechanism, using 
numbers to indicate positions within the read and write procedures.[20] These
annotations are used both in the presentation of the extraction mapping and 
in its explanation. Before presenting the mapping, we consider in greater 
detail the points at which a particular low-level read or write should be 
extracted. 
Considering the writer side in more detail 
We cannot extract a write by positions 2 and 3 in the writer, since we do not 
yet know the value to be written. If the writer is at position 4, it is impossible 
for the reader to read what has just been written since data coherence is 
preserved. Finally, we must have extracted once we return to position 1. 
This means that, if we have not already extracted on the current call to 
write, we must do so on the occurrence of latest.wr.not(p). 
We therefore consider position 5 in the write procedure and the condi-
tions under which we need to have extracted a high-level write event by the 
time that we reach it: in other words, when do we extract a write event on 
the occurrence of slot.writer.not(p).wr.not(i). In general, we need to have 
extracted by this point if the reader already knows, or can discover without 
any further writer action, the pair into which the writer has just written. If 
this is the case, the reader can proceed to find out which slot in the pair was 
written to and so read and extract the value just written. This can happen 
in the following circumstances: 
• If we have already extracted in the reader and the global variable latest 
stores the same value as the variable pair in the writer. (The value of 
pair in the writer tells us the pair which the writer has just written to.) 
• If we are at position 1 in the reader and the global variable latest stores 
the same value as the variable pair in the writer. 
• If we are at position 2 or 3 in the reader but have not extracted yet,
and the value of pair in the reader is the same as the value of pair in
the writer. (In the corresponding conditional branches in the extrac-
tion mapping definition given in figure 7.12, we do not actually state
explicitly the requirement that the reader has not yet extracted. This
is simply because, if the value of pair in the reader is the same as
the value of pair in the writer, then the reader cannot have extracted
yet. This can be seen from an inspection of the conditions below which
let the reader be at either position 2 or 3 and have extracted by that
point.[21])

[20] It is easier to annotate the original definition of the mechanism than the CSP version of it; in any case, the connection between this annotated version and the CSP version should be clear enough.
Note that the reader must always have extracted by the time that it 
reaches position 4. 
Considering the reader side in more detail 
Recall that we will extract to a high-level read event as soon as we are certain 
of the pair and slot combination from which we will read on the current call 
to read. 
By position 2 in the reader, we know the pair we must read from. In 
order for it to be fully determined by this point the slot from which we will 
read, it has to be the case that the writer is unable to write again to this 
pair before we have completed the current read. (If the writer could write 
to this pair again, it would first write to the other slot of the pair, to which 
element the reader could then be directed.) If the writer is to be unable to 
write to this pair, it is necessary that the value of pair in the reader is the 
same as the value of reading. We therefore have to have extracted a read by 
position 2 in the reader - that is, extracted on the occurrence of latest.rd.p 
- in the following circumstances: 
• If the writer is at position 1 or position 5, and pair in the reader has 
the same value as reading . 
• If the writer is at positions 2, 3 or 4, the value of pair in the writer is 
not the same as the value of pair in the reader and pair in the reader 
has the same value as reading. 
In order to check these conditions in practice, we would use the value
stored in latest in place of that stored in pair in the reader: the conditions
must be checked at position 1, when pair has not yet been updated with the
value of latest.

[21] First note that the decision on whether or not we will extract on the occurrence of slot.writer.not(p).wr.not(i) is taken when the writer is at position 4. By the detail on extracting read events, we consider each of two cases in which the reader may have already extracted and be at either position 2 or position 3. In the first case, the writer is at either position 1 or position 5 and the value of pair in the reader is the same as the value of reading when the extraction occurs. As a result, by the time that the writer reaches position 4 on this or any subsequent call to write (while the reader is still at position 2 or position 3), it will have set the value of pair in the writer to the "negation" of reading and so to the "negation" of pair in the reader. A similar argument applies in the second case, when the writer is at position 2, 3 or 4 when the extraction of the read event occurs, except that here we start out with the fact that pair in the reader does not have the same value as pair in the writer.
By position 3, we know the pair we will read from and have also indicated 
this to the writer. We have to have extracted by position 3 if the writer is at 
position 1 or position 5 or if the value of pair in the reader is not the same 
as the value of pair in the writer. These conditions are essentially the same 
as those given for position 2, when we bear in mind the fact that we have 
just assigned the value of pair in the reader to reading. 
Finally, we must always have extracted by position 4 since, at this point, 
we know both the slot and pair of the data item which we shall read. 
It can be seen from the above discussion that the position of the writer 
plays a role in whether or not we extract a read event. And, in fact, the 
writer moving to position 5 may necessitate the extraction of a read event. 
This means that the event slot.writer.not(p).wr.not(i) will, in some cases, be 
extracted to both a read and a write event. This can be seen in the definition 
of the extraction mapping in figure 7.12. 
The mapping 
We now proceed to define extr_ar. Before giving the definition of this mapping,
it is necessary to introduce some auxiliary notation.
• For any trace t ∈ T FSlot:
  - we take exR(t) = yes if and only if we have already extracted a
    read event during the current call to read, and take exR(t) = no
    otherwise.
  - we take exW(t) = yes if and only if we have already extracted a
    write event during the current call to write, and take exW(t) = no
    otherwise.
• late gives the current value stored by the control variable latest.
• rp gives the current value of the variable pair in the reader and wrp
  gives the value of the variable pair in the writer.
• rPos gives the current position of the reader and wPos gives the current
  position of the writer.
• rdng gives the value currently stored in the variable reading.
• slotVal[i] gives the value currently stored at position i in the array slot.
• wVal gives the last value written into the mechanism.
• rVal[i][j] gives the data value stored by the mechanism in pair i, slot j.
We then have that extr_ar(⟨⟩) ≙ ⟨⟩ and, for t ^ ⟨a⟩ ∈ T FSlot,
  extr_ar(t ^ ⟨a⟩) ≙ extr_ar(t) ^ u,
where u is as defined in figure 7.12.
A brief comment is required on the clauses used for the extraction of 
write events, since at first sight some of them may not appear to be mutually 
exclusive. That they are mutually exclusive follows from the fact that, if the 
reader is at position 1, then it cannot yet have extracted, and, as observed 
above, the reader cannot yet have extracted if the value of pair in the reader 
is the same as the value of pair in the writer. 
7.6 Automatic verification in the traces model using FDR2
We now move on to consider how we may verify automatically, using FDR2
and the approach of chapter 6, that extr_EP(FSlot)(T FSlot) ⊆ T Register. The
first step is to represent the traces mapping extr_ar as a CSP process and to
define the renamings which are also needed for the verification. This detail
is given in appendix D. Before looking at that appendix, the reader is advised
to first read the following comments on deriving extraction mappings.
7.6.1 Deriving extraction mappings 
We comment on the methodology used to develop the extraction mapping
extr_ar. Due to the complexity of the mapping required, itself a consequence
of the complexity of the behaviours of FSlot, it is virtually impossible to look
at any candidate mapping and make a decision on its suitability solely by
inspection. As a result, verification in FDR2 played an integral role in deter-
mining the mapping to be used: essentially, when a mapping was developed
which allowed us to successfully verify both FSlot and its environment then
that was the mapping to be used. In other words, the (CSP version of the)
mapping was partly the outcome of a process of trial and error: verification
was attempted using a particular mapping, verification failed, debugging in-
formation was inspected to find the cause of the failure, the mapping was
modified, verification was attempted again. When verification succeeded, we
had our mapping.
Although we were in possession of some of the intuition given above to
explain extr_ar before embarking on the verification, a large part of that insight
was provided by working with FDR2. The definition of extr_ar given in figure
7.12 was then derived from the process used in the verification and this
has a most important consequence. It may not be immediately clear to
the reader that the process TE_ar from appendix D accurately encodes the
mapping extr_ar,[22] which may in turn have cast doubt on the validity of
the verification presented here. However, such a thing does not matter: by
definition, TE_ar (after restriction to the appropriate domain) encodes
the mapping used in the (successful) verification, and the definition of extr_ar
in figure 7.12 may best be viewed as an attempt to present that mapping in
a more easily understandable form.[23] On a related point, the intuition given
to explain extr_ar is not intended to be complete in the sense that it fully
defines the mapping; as indicated above, it is partly an attempt to explain
after the fact the mapping which verification indicated was suitable.

u ≙
  ⟨write.wVal⟩                  if a = slot.writer.x.wr.y ∧ rPos = 1 ∧ late = wrp
  ⟨write.wVal⟩                  if a = slot.writer.x.wr.y ∧ exR(t) = yes ∧ late = wrp
  ⟨write.wVal⟩                  if a = slot.writer.x.wr.y ∧ (rPos = 2 ∨ rPos = 3) ∧ rp = wrp ∧ rp ≠ rdng
  ⟨write.wVal⟩                  if a = latest.wr.x ∧ exW(t) = no
  ⟨write.wVal, read.wVal⟩       if a = slot.writer.x.wr.y ∧ (rPos = 2 ∨ rPos = 3) ∧ rp = wrp ∧ rp = rdng
  ⟨read.(rVal[x][slotVal[x]])⟩  if a = latest.rd.x ∧ (wPos = 1 ∨ wPos = 5) ∧ late = rdng
  ⟨read.(rVal[x][slotVal[x]])⟩  if a = latest.rd.x ∧ (wPos = 2 ∨ wPos = 3 ∨ wPos = 4) ∧ wrp ≠ late ∧ late = rdng
  ⟨read.(rVal[x][slotVal[x]])⟩  if a = reading.wr.x ∧ exR(t) = no ∧ (wPos = 1 ∨ wPos = 5 ∨ wrp ≠ rp)
  ⟨read.(rVal[x][y])⟩           if a = slot.reader.x.rd.y ∧ exR(t) = no
  ⟨⟩                            otherwise

Figure 7.12: Defining extr_ar
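The two complications set out in section 7.5.1 and the case analysis of figure 7.12 are exactly what the thesis hands to FDR2 rather than arguing by hand. What follows is an added example, written for this edition and not part of the thesis or of its CSP/FDR2 scripts: a small Python state-space explorer that models the annotated 4-slot of figure 7.11 as two sequential processes whose numbered statements are atomic accesses to one shared variable each, enumerates every interleaving for a bounded number of calls, applies the clauses of figure 7.12 to each low-level event, and checks on the way that data coherence holds, that each value read is at least as fresh as the last write completed when the read began, and that the extracted high-level trace is a trace of the one-place register. Assumptions that are not taken from the page: all variables start at 0, the k-th write carries the item k, the register initially holds 0, and the bounds of four writes and four reads; the class, function and field names are mine.

```python
# Added example, not the thesis's CSP/FDR2 model: a bounded exhaustive check of
# Simpson's 4-slot (figure 7.11) under the extraction mapping extr_ar (figure 7.12).
# Every numbered statement is one atomic access to a shared variable; all
# interleavings of a bounded number of calls are explored breadth-first.
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    latest: int = 0; reading: int = 0          # shared control variables (assumed to start at 0)
    slot: tuple = (0, 0)                       # slot[pair]
    data: tuple = ((0, 0), (0, 0))             # data[pair][index]; item 0 is the initial contents
    wpos: int = 1; wrp: int = 0; wi: int = 0   # writer: next statement, local pair (wrp), local index
    item: int = 0; nw: int = 0; done: int = 0  # wVal, writes started (k-th carries item k), last completed
    rpos: int = 1; rp: int = 0; ri: int = 0    # reader: next statement, local pair (rp), local index
    nr: int = 0; seen: int = 0                 # reads started, value of 'done' when the current read began
    exw: bool = False; exr: bool = False       # exW(t) and exR(t) of section 7.5.2
    reg: int = 0                               # what the abstract register holds after extraction


def _set(t, i, v):
    return t[:i] + (v,) + t[i + 1:]            # tuple t with element i replaced by v


def writer_step(s):
    """Run the writer's next statement; return (state, extracted trace u, violations)."""
    u, err = [], []
    if s.wpos == 1:                                                 # pair := not reading
        n = replace(s, wrp=1 - s.reading, wpos=2, nw=s.nw + 1, item=s.nw + 1)
    elif s.wpos == 2:                                               # index := not slot[pair]
        n = replace(s, wi=1 - s.slot[s.wrp], wpos=3)
    elif s.wpos == 3:                                               # data[pair, index] := item
        if s.rpos == 4 and (s.wrp, s.wi) == (s.rp, s.ri):           # reader has fixed its (pair, index)
            err.append("coherence: writer overwrites the element the reader is about to read")
        n = replace(s, data=_set(s.data, s.wrp, _set(s.data[s.wrp], s.wi, s.item)), wpos=4)
    elif s.wpos == 4:                                               # slot[pair] := index (slot.writer.x.wr.y)
        exw, exr = s.exw, s.exr
        if ((s.rpos == 1 and s.latest == s.wrp) or (s.exr and s.latest == s.wrp)
                or (s.rpos in (2, 3) and s.rp == s.wrp and s.rp != s.reading)):
            u, exw = [("write", s.item)], True                      # single-event write clauses
        elif s.rpos in (2, 3) and s.rp == s.wrp and s.rp == s.reading:
            u, exw, exr = [("write", s.item), ("read", s.item)], True, True  # non-singleton clause
        n = replace(s, slot=_set(s.slot, s.wrp, s.wi), wpos=5, exw=exw, exr=exr)
    else:                                                           # latest := pair (latest.wr.x)
        u = [] if s.exw else [("write", s.item)]                    # last possible point to extract
        n = replace(s, latest=s.wrp, wpos=1, done=s.item, exw=False)
    return n, u, err


def reader_step(s):
    """Run the reader's next statement; return (state, extracted trace u, violations)."""
    u, err, exr = [], [], s.exr
    if s.rpos == 1:                                                 # pair := latest (latest.rd.x)
        x = s.latest
        if x == s.reading and (s.wpos in (1, 5) or s.wrp != x):     # pair and slot already determined
            u, exr = [("read", s.data[x][s.slot[x]])], True
        n = replace(s, rp=x, rpos=2, nr=s.nr + 1, seen=s.done, exr=exr)
    elif s.rpos == 2:                                               # reading := pair (reading.wr.x)
        if not s.exr and (s.wpos in (1, 5) or s.wrp != s.rp):
            u, exr = [("read", s.data[s.rp][s.slot[s.rp]])], True
        n = replace(s, reading=s.rp, rpos=3, exr=exr)
    elif s.rpos == 3:                                               # index := slot[pair] (slot.reader.x.rd.y)
        y = s.slot[s.rp]
        if not s.exr:
            u, exr = [("read", s.data[s.rp][y])], True
        n = replace(s, ri=y, rpos=4, exr=exr)
    else:                                                           # read := data[pair, index]
        v = s.data[s.rp][s.ri]
        if v < s.seen:
            err.append(f"freshness: read item {v} although write {s.seen} had completed")
        if not s.exr:
            err.append("extraction: reader reached position 4 without a read being extracted")
        n = replace(s, rpos=1, exr=False)
    return n, u, err


def _register(s, u):
    """Replay u through the one-place register: a read must return the last write."""
    reg, err = s.reg, []
    for kind, v in u:
        if kind == "write":
            reg = v
        elif v != reg:
            err.append(f"register: extracted read.{v} but the last extracted write was {reg}")
    return replace(s, reg=reg), err


def explore(max_writes=4, max_reads=4):
    """BFS over every interleaving; returns (states visited, sorted distinct violations)."""
    start = State()
    visited, queue, errors = {start}, deque([start]), set()
    while queue:
        s = queue.popleft()
        moves = []
        if s.wpos != 1 or s.nw < max_writes:                        # mid-call, or may start a new call
            moves.append(writer_step(s))
        if s.rpos != 1 or s.nr < max_reads:
            moves.append(reader_step(s))
        for n, u, err in moves:
            n, err2 = _register(n, u)
            errors.update(err + err2)
            if n not in visited:
                visited.add(n)
                queue.append(n)
    return len(visited), sorted(errors)


if __name__ == "__main__":
    count, found = explore()
    print(f"explored {count} states; violations: {found or 'none'}")
```

Bounded exploration is a weaker guarantee than FDR2's exhaustive check of the CSP model, and the bounds can be raised at the cost of run time. The value of the script is the same as that of the trial-and-error loop described in section 7.6.1: a candidate change to one of the clauses in writer_step or reader_step either survives every interleaving or produces a concrete register, coherence or freshness violation that names the offending read and write.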
7.6.2 The CSP version of extr_ar and applying it to T FSlot
The reader should now read appendix D. The process TE_ar is used, along
with the renamings prep_ar and extract_ar, to encode the mapping extr_ar and so,
by TR-GLOBAL2 and TR-DEF1, to encode the application of extr_EP(FSlot) to
T FSlot. ExtFS is used to denote FSlot after the application of the extraction
mapping and we have
(Recall that A_ar = αdata ∪ αreading ∪ αslot ∪ αlatest and also that
it is not necessary to preprocess FSlot prior to renaming with prep_ar since
Dom_ar = T FSlot.)
Extraction to non-singleton traces
The means of automatic verification presented in chapter 6 assumes that we
can extract to at most one high-level event on the occurrence of any individual
low-level event. Here, however, we do extract to more than a single event in
a particular case.[24] We first discuss in more detail the problem which leads
to the need for this restriction, before showing that it does not arise in the
verification under consideration here.[25]

[22] Note that the mapping represented by TE_ar has a domain larger than Dom_ar; it is assumed that it represents extr_ar once it has been restricted to the domain Dom_ar, which restriction will be effected by composition in parallel with FSlot[prep_ar] during verification.
[23] The author is convinced, however, that it does accurately reflect the mapping encoded by TE_ar!
[24] We say that an extraction mapping, extr, extracts to non-singleton traces if there is at least one trace t ^ ⟨a⟩ such that extr(t ^ ⟨a⟩) = extr(t) ^ u and |u| ≥ 2. If there is not at least one such trace then we say that the mapping extracts only to singleton traces.
During verification in the general case of an implementation process Q,
we define a number of different processes TE_j such that j ∈ inv. Consider
the case, for i ∈ inv, that t ^ ⟨a⟩ ∈ Dom_i and extr_i(t ^ ⟨a⟩) = extr_i(t) ^ u,
where u is a non-singleton trace. In TE_i, we would therefore have a trace
v ^ ⟨b_1⟩ ^ ... ^ ⟨b_k⟩, where domain(v) = t, domain(v ^ ⟨b_1⟩ ^ ... ^ ⟨b_k⟩) = t ^ ⟨a⟩
and extract(⟨b_1⟩ ^ ... ^ ⟨b_k⟩) = u (b_h for 1 < h ≤ k would represent an event
pair with a null left-hand component and b_1 would represent an event pair
with a as the left-hand component). Using TE_i and the other TE_j such that
j ∈ inv, we build TE_inv. Since the sets of events in which TE_i and TE_j
may engage are disjoint for i ≠ j, we cannot guarantee that ⟨b_1⟩ ^ ... ^ ⟨b_k⟩
will always execute atomically in TE_inv and it is extremely unlikely that
it will: the events from the TE_j for j ≠ i will interleave with it in an
arbitrary fashion. (In fact, ⟨b_1⟩ ^ ... ^ ⟨b_k⟩ may not even execute atomically
in TE_i, depending on how TE_i is defined syntactically.) This may have
the result that there exists w ∈ T TE_inv such that domain(w) ∈ Dom_inv
but extract(w \ A_inv) ≠ extr_EP(Q)(domain(w)): a will occur somewhere in
domain(w) where its occurrence should be extracted to u, while b_1, ..., b_k
may not occur consecutively in w and so the events of u may be distributed
across a number of other events in extract(w \ A_inv). Even if ⟨b_1⟩ ^ ... ^ ⟨b_k⟩
executes atomically in TE_inv, it may not do so in Q[prep] ||_{prep(A_inv)} TE_inv:
if Q contains finally visible events, these may interleave arbitrarily with
⟨b_1⟩ ^ ... ^ ⟨b_k⟩ and a similar problem will arise. This is why only extraction
to singleton traces is allowed in the general case when we verify refinement-
after-hiding using the approach from chapter 6. However, if we can guarantee
that all such sequences ⟨b_1⟩ ^ ... ^ ⟨b_k⟩ will execute atomically in TE_inv and
also in Q[prep] ||_{prep(A_inv)} TE_inv then it is acceptable to allow extraction to
non-singleton traces.
The extraction to a non-singleton trace which is used in the verification
here is effected by the use of extractWriteSlotRead?x?y?val followed by
extra.val in the definition of WrExt in figure D.4 in the appendix. And we
can always guarantee in this restricted case that, for arbitrary values c, d,
e, ⟨extractWriteSlotRead.c.d.e, extra.e⟩ will execute atomically whenever it
occurs. This is for the following reasons.[26] In the composition in parallel
of RdExt and WrExt, it is immediate that no other event but extra.e will
be enabled after the execution of extractWriteSlotRead.c.d.e: see the way in
which the two events appear in RdExt (see figure D.5 in the appendix) and
note also that these processes have to synchronize on αextractWriteSlotRead.
After all further parallel compositions necessary to give TE_ar and then
(FSlot[prep_ar] ||_{prep_ar(A_ar)} TE_ar), it still holds that only extra.e will be en-
abled once we have executed extractWriteSlotRead.c.d.e. This is because, in
each of these further compositions, synchronization occurs on all events in
which the new process to be added can engage: for example, FSlot[prep_ar]
cannot engage in any events outside of prep_ar(A_ar). As a result, we have that
⟨extractWriteSlotRead.c.d.e, extra.e⟩ always executes atomically whenever it
occurs and so it is acceptable to allow extraction to a non-singleton trace in
this case.[27]

[25] We refer now to the detail in section 6.4.
[26] Recall that TE_ar is built by composing WrExt with RdExt, the result with EDATA and the result of that composition with SlotCopy, synchronizing on shared events in each composition.
The final verification
In view of the points made in section 6.4.4, we observe that TE_ar is determin-
istic[28] and also that it is acceptable that TE_ar defines a mapping which has a
domain strictly larger than T FSlot:[29] the domain of the mapping will be re-
stricted as necessary by composition with FSlot[prep_ar]. By the above and the
detail in section 6.4, we therefore have that T ExtFS = extr_EP(FSlot)(T FSlot).
As a result, we are able to show that extr_EP(FSlot)(T FSlot) ⊆ T Register by
verifying in FDR2 that ExtFS ⊑_T Register (i.e. that every trace of ExtFS is
a trace of Register). Due to the successful outcome
of this verification and the fact that Dom-T-check is met by FSlot, we have
that FSlot refines-after-hiding the register in the traces model.

[27] Even if this trace were not to execute atomically as described above, it would simply mean that extr_EP(FSlot)(T FSlot) was a strict subset of T ExtFS. Provided that verification is successful, as it is here, we would still get the result that we desire on containment of extr_EP(FSlot)(T FSlot) in T Register. In other words, once the requirement on extracting to singleton traces is relaxed, successful verification using this approach is only a sufficient indicator that the extracted traces of a particular implementation are contained in those of the corresponding specification rather than a necessary condition of it. A similar point also applies with respect to the verification of the environment which is described in section 7.6.3.
[28] FDR2 has been used to verify the determinism of RdExt, WrExt, EDATA and SlotCopy; moreover, parallel composition which synchronizes on common events cannot introduce non-determinism.
[29] That TE_ar does define a mapping which has a domain larger than T FSlot has been verified in FDR2, using the renaming domain_ar defined in figure D.9 in the appendix. In actual fact, we showed that the following holds:
  T FSlot ⊆ T(((FSlot[prep_ar] ||_{prep_ar(A_ar)} TE_ar) \ αextra)[domain_ar]).
In other words, T FSlot is contained in the domain of the mapping defined by TE_ar once that domain has been restricted as necessary by composition with FSlot[prep_ar].
7.6.3 Verifying the environment 
As indicated in section 7.4, it is necessary to use extr ar in the verification 
of the 4-slot environment in order to be sure that it (extr ar) is acceptable. 
In actual fact, we will show that FourSlotEnviron refines-after-hiding in the 
traces model RegisterEnviron. 
Since Comm(Aar, FSlot) = Left, Comm(Aar, FourSlotEnviron) = Right.
Since FourSlotEnviron may engage in finally visible events - these are the
events on channels in and out - it is necessary to assume the existence of
an extraction pattern ep', where A' = αin ∪ αout. We shall use EP as a
shorthand for EP(FourSlotEnviron) = {epar, ep'}.
Verifying Dom-T-check Since Car = ∅ and αin ∪ αout ⊆ Fvis, we have
by definition 4.7 in chapter 4 that ProjEP = Aar. As a result, Dom-T-check
is equivalent to the following:
For every t ∈ τFourSlotEnviron, if t↾Aar ∈ DomEP↾Aar then t ∈ DomEP.
That this holds is immediate by TR-GLOBAL1, the fact that DomEP↾Aar =
Domar and the fact that Dom' = A'*.
Extracting traces In order to extract the traces of FourSlotEnviron, it 
is first necessary to preprocess it as described in section 6.3. This is done 
by composing FourSlotEnviron in parallel with FSlot, synchronizing on A ar . 
(Recall that Domar = TFSlot; moreover, FSlot has been shown to be deter-
ministic using FDR2.) The resulting process is denoted ModEnv. Since ep' 
is used to "interpret" finally visible events, it is not necessary to construct 
a process TE to represent the extraction mapping which it contains. We 
therefore construct the following process: 
According to the discussion in section 7.6.2, we have to show that, for arbitrary
c, d, e, ⟨extractWriteSlotRead.c.d.e, extra.e⟩ executes atomically whenever
it occurs in ModEnv[prePar] ∥_{prepar(Aar)} TEar. We already know that
it executes so in TEar: this means that extra.e is the only event enabled
in TEar after we have executed extractWriteSlotRead.c.d.e. And since we
synchronize on prepar(Aar), no events from prepar(Aar) will be enabled in
ModEnv[prePar] ∥_{prepar(Aar)} TEar immediately after the execution of
extractWriteSlotRead.c.d.e. Moreover, no finally visible events will be
enabled then either: when extra.e is enabled, the environment described by
ModEnv must be in the middle of a call to read and in the middle of a call
to write, while finally visible events are only enabled (in the environment)
when there are no outstanding calls to either read or write. It follows that 
⟨extractWriteSlotRead.c.d.e, extra.e⟩ does always execute atomically in this
case. However, as discussed in section 7.6.2, even if we could not guaran-
tee this it would not matter provided that the necessary verification was 
successful, as it is here. 
On the basis of the detail in section 7.6.2 and that given in section
6.4, we conclude that τExtEnv = extrEP(τModEnv) and so τExtEnv =
extrEP(τFourSlotEnviron) by TR-DEF1.
Refinement-after-hiding Using FDR2, we were able to successfully verify
that ExtEnv ⊒_T RegisterEnviron. This means that
extrEP(τFourSlotEnviron) ⊆ τRegisterEnviron
and so FourSlotEnviron refines-after-hiding RegisterEnviron in the traces
model.
Compositional verification
We observe that α(FSlot ⊗Aar FourSlotEnviron) ⊆ Fvis. Thus, it follows by
theorem 4.8 from section 4.2 that:
(FSlot ⊗Aar FourSlotEnviron) ⊒_T (Register ⊗Bar RegisterEnviron).
Despite the fact that they have very different (trace) behaviours, this 
result illustrates that FSlot is a valid (trace) implementation of a register 
when placed in a simple environment. This is a non-trivial result in the 
sense that the composition of FSlot with the environment does not simply 
deadlock or refuse to do anything: recall that calls to read and write are 
non-blocking (in FSlot). (This latter issue is treated more formally in the 
next section.) 
7.6.4 A comment on compositionality 
So far in this chapter, we have shown how FSlot and FourSlotEnviron may be 
verified using refinement-after-hiding and have then inferred that FSlot ⊗Aar
FourSlotEnviron refines Register ⊗Bar RegisterEnviron in the traces model
according to standard CSP refinement. That we show this composition-
ally - i.e. by treating separately the verification of FSlot and that of 
FourSlotEnviron - is not something that would have been possible with 
standard CSP refinement. Indeed, it is the additional degree of composition-
ality which refinement-after-hiding allows in comparison to standard CSP 
refinement which is the main benefit provided by the former over the latter. 
In this case, however, it does not seem that this additional compositionality
gives much of a benefit and, indeed, it is simple enough to verify directly using
FDR2 that FSlot ⊗Aar FourSlotEnviron refines Register ⊗Bar RegisterEnviron
according to standard CSP refinement. However, there are three points to
be made with respect to this.
Firstly, we verify the composition FSlot ⊗Aar FourSlotEnviron simply in
order to show how a compositional verification using refinement-after-hiding
might proceed. In practice, FSlot could be composed with a much bigger
process, where direct verification using FDR2 and standard CSP refinement
might be impossible due to the problem of state explosion. Moreover, it need
not be the case that the composition of FSlot with the component process 
into which it is to be embedded will result in a process which engages only 
in finally visible events: it may be that the interface between this process 
and the rest of the implementation network under consideration also needs to 
be interpreted using refinement-after-hiding. Finally, the use of refinement-
after-hiding allows FSlot to be verified in isolation: the direct use of standard 
CSP refinement would mean the duplication of effort, as FSlot would effec-
tively be re-verified during the verification of each implementation network 
of which it was a component process. 
7.7 The stable failures and failures divergences models
We now move on to the verification of refinement-after-hiding in the sta-
ble failures and failures divergences models. In order to proceed, it is first 
necessary to define the extraction pattern components domar and refar (we
assume that the extraction pattern used is still denoted epar and that Aar,
Bar, Car and extrar remain as before). The first of these is defined as follows:
domar = {t ∈ τFSlot | (∃x, y ∈ {first, second})
t∘⟨reading.rd.x⟩ ∈ τFSlot ∧ t∘⟨latest.rd.y⟩ ∈ τFSlot}.
In other words, behaviours are "complete" only if there is no call to either
read or write currently outstanding. It is easy to see that Domar is still given
by τFSlot even now that we have to define it as the prefix-closure of domar.
Defining refusal bounds Two factors inform the choice of refusal bounds 
to be used here, one a condition to be met by any set of refusal bounds, the 
other based on more practical concerns. Since FSlot is deterministic, we have
that
φFSlot = {(t, R) | t ∈ τFSlot ∧ R ⊆ {a ∈ Aar | t∘⟨a⟩ ∉ τFSlot} ∪ (Σ − Aar)}.
By this, EP5 and since Domar = τFSlot, then, where (t, R) ∈ φFSlot,
X ∪ (R ∩ Aar) ∈ refar(t) for every X ∈ refar(t). This effectively gives us a
lower bound on the size of the refusal bounds to be used. It is then sensible to
make our refusal bounds as small as possible while still allowing FSlot to be
successfully verified. This is simply because the smaller the bounds contained
in refar, the less restrictive those which appear in ref̄ar (see definition 4.9).
This means that the conditions imposed on any environment if it is to be
verified successfully will also be less restrictive (see section 7.7.1 below). As
a result, for t ∈ Domar = τFSlot, we take
refar(t) ≜ {R ∩ Aar | (t, R) ∈ φFSlot},
meaning that FSlot will never breach any bound from refar.[30]
Verifying Dom-SF-check Since EP(FSlot) = {epar}, αFSlot = Aar and
Domar = DomEP(FSlot) = τFSlot, Dom-SF-check reduces to the following:
• Let (t, R) ∈ φFSlot, where R ⊆ Aar. If extr′ar(R, t, FSlot) = Bar then
t ∈ domar.
By definition 4.10, extr′ar(R, t, FSlot) = ∅ for every (t, R) ∈ φFSlot where
R ⊆ Aar (recall that Comm(Aar, FSlot) = Left). As a result, Dom-SF-check
is met trivially.
Extracting failures We then have that the following result holds.
Proposition 7.1. extrEP(FSlot)(φFSlot) ⊆ φRegister.
Proof. Let (t, R) ∈ φ_{domEP(FSlot)}FSlot be such that R ⊆ αFSlot = Aar.
Then extr′EP(FSlot)(R, t, FSlot) = extr′ar(R, t, FSlot) = ∅ by SF-GLOBAL2,
definition 4.10 and since EP(FSlot) = {epar}. Moreover, since domar =
domEP(FSlot) by SF-GLOBAL1 and domar ⊆ τFSlot = {t | (t, R) ∈ φFSlot},
we have that:
domar = {t | (t, R) ∈ φ_{domEP(FSlot)}FSlot}.
[30] By EP5, it must be the case that each set in refar(t) is a proper subset of Aar; that
this is the case here follows from the fact that FSlot is deadlock-free (verified in FDR2 and
follows automatically from the definition of FSlot anyway) and always refuses all events
from Σ − Aar.
Hence, by SF-DEF2,
extrEP(FSlot)(φFSlot) = {(extrEP(FSlot)(t), Y) | t ∈ domar ∧ Y ⊆ (Σ − Bar)}.
We observe that τRegister = {t | (t, ∅) ∈ φRegister} by proposition 2.3(2)
and since δRegister = ∅. Since domar ⊆ τFSlot and extrEP(FSlot)(τFSlot) ⊆
τRegister (see section 7.6.2), then, by TR-DEF1:
{(extrEP(FSlot)(t), ∅) | t ∈ domar} ⊆ φRegister.
That extrEP(FSlot)(φFSlot) ⊆ φRegister follows by SF4 and since Bar =
αread ∪ αwrite. □
Refinement-after-hiding We observe that
extrEP(FSlot)(⟦FSlot⟧SF) ⊆ ⟦Register⟧SF
since extrEP(FSlot)(τFSlot) ⊆ τRegister and by SF-DEF1 and proposition 7.1.
Moreover, FSlot meets conditions Dom-T-check and Dom-SF-check. Hence,
by SF-DEF3, FSlot refines-after-hiding the register in the stable failures
model. That it does so in the failures divergences model follows by FD-DEF1,
FD-DEF4 and the following five points:
• extrEP(FSlot)(φFSlot) ⊆ φRegister and FSlot meets Dom-T-check and
Dom-SF-check.
• By DR2, φRegister ⊆ φ⊥Register.
• By FD-DEF2 and since δFSlot = ∅,[31] extrEP(FSlot)(δFSlot) = ∅.
• extrEP(FSlot)(φ⊥FSlot) = extrEP(FSlot)(φFSlot) by FD-DEF3 and since
extrEP(FSlot)(δFSlot) = ∅.
• extrar meets EP6. (This has been verified using FDR2.[32])
Automatic verification using FDR2 is not needed in general here because 
of the nature of FSlot and of the refusal bounds used. In addition, the 
fact that FSlot gives the only definition of Domar which we have would 
have complicated the definitions of the processes DSF and RE needed for 
verification here. 
[31] All component processes used to build FSlot are guarded and so divergence-free by
DF; moreover, parallel composition cannot introduce divergence. That δFSlot = ∅ has
also been verified using FDR2.
[32] Note that we verify it by checking for the divergence-freeness of
(FSlot[prePar] ∥_{prepar(Aar)} TEar) \ Aar rather than the divergence-freeness of TEar \ Aar.
7.7.1 Refusal bounds and environments 
The refusal bounds defined here will place constraints on the form of any 
environment which may be successfully verified and with which FSlot may be 
composed. If we consider Q to be such an arbitrary environment and P to be 
the corresponding specification environment (with which the register would 
be composed), then Q must meet Dom-SF-check and its extracted failures 
must be contained in those of P (we are considering only those conditions 
which involve the use of refusal bounds). We show that the refusal bounds 
presented here place only the lightest of restrictions on the behaviours of Q. 
We first observe that Comm(Aar, Q) = Right, since Comm(Aar, FSlot) =
Left. For t ∈ Domar, we have that
refar(t) = {R ∩ Aar | (t, R) ∈ φFSlot} = Sub({{a ∈ Aar | t∘⟨a⟩ ∉ τFSlot}}).
By definition 4.9, ref̄ar(t) = {X ⊆ Aar | (∀Y ∈ refar(t)) X ∪ Y ≠ Aar}. This
means that for X ∈ ref̄ar(t), for every Y ∈ refar(t) there exists a ∈ Aar − Y
such that a ∈ Aar − X. As a result, for t ∈ Domar,
ref̄ar(t) = Sub({Aar − {a} | t∘⟨a⟩ ∈ τFSlot}).
This means that the bounds given by ref̄ar will be breached after trace w
by any environment with which FSlot might be composed only if that en-
vironment fails to offer after w at least one event which is valid according
to τFSlot = Domar. As a result of this, Q will meet Dom-SF-check with
respect to epar provided that, whenever it is in the middle of either a call
to read or a call to write (and so behaviour over Aar is incomplete), it is
always ready to communicate at least one event in which FSlot may engage
at that point. And, according to the discussion in section 7.3.4, we would
expect Q to be always ready to progress in some way a procedure call which
it had already begun. Moreover, for t ∈ domEP(Q), SF-DEF2 will require
P to refuse after extrEP(Q)(t) all events on channels read and write - i.e.
to refuse all communication with the register - only if Q refuses after t all
communication (valid with respect to Domar) with FSlot.
It can be seen by this discussion, therefore, that verification of a particular 
environment is unlikely to fail simply because the choice of ref ar described 
here is inappropriate. 
7.8 Data independence 
In this chapter, we have shown that FSlot refines-after-hiding Register in all 
three CSP semantic models. From this, we would like to infer that the 4-slot is 
a valid implementation of the register in general. However, such an inference 
is subject to the caveat that FSlot and the (CSP) register communicate data
from a restricted set - i.e. dataint - while the 4-slot (and the register) may
transmit data from much larger sets in practice.[33]
The problem of data-independence with regard to refinement in CSP may
be stated as follows: if processes Q and P are each parameterised by a data
type T, when can we say that Q refines P whatever concrete data type is
substituted for T? This problem has been considered in [46] and is also
discussed in [63]: provided that values from T are used only in restricted
ways in Q and P, a concrete data type containing only a small number of
values - for example, one or two values - may be substituted for T in both
Q and P. If Q refines P when this concrete data type is used in place of T,
then we may conclude that Q refines P whatever data type is substituted
for T. However, we are unable to apply the results from [46] here, nor could
they be used in respect of any CSP process used to encode the extraction of
a set of traces: renaming is used as part of that encoding and the renaming
operator is not part of the language allowed by [46].
Nonetheless, it may be seen by inspection that extrar, FSlot, Register and
the processes and renamings used to encode extrar neither refer explicitly to
values from dataint[34] nor do they ever take action on the basis of the values
held by variables or constants of that type. In view of this and the fact
that τExtFS ⊆ τRegister when dataint is a 6-valued set, it is likely that
τExtFS ⊆ τRegister whatever the range of integer values represented by
dataint. By this and similar reasoning with regard to the stable failures
and failures divergences models, we may draw the tentative conclusion that
FSlot refines-after-hiding Register in all three semantic models whatever the
range of integer values represented by dataint. We therefore conclude that,
according to our scheme, the 4-slot is a valid implementation of the register,
while also acknowledging the need for further work to treat in a proper and
formal manner the issue of data independence.
7.9 Discussion 
The work in this chapter had two main purposes. The first was to verify the 
correctness of the 4-slot mechanism in a novel manner and to derive thereby a 
result which had not been shown before. The second was to explore how our 
notion of refinement-after-hiding and our approach to its verification using 
[33] It is generally the issue of the size of the data set which is important, rather than the
actual values which it contains. See, for example, [46].
[34] 0 is a constant when it is used as the initial value stored in each slot in the data array
or in the copy of the data array used in TEar. It could be dispensed with in any case by
stipulating that the 4-slot should first complete a call to write before it is allowed to begin
a call to read.
FDR2 might fare when used in practice on a real-world example. We consider 
each of these areas in turn. 
7.9.1 What the verification means 
In this chapter we have shown that (our CSP representation of) the 4-slot is 
a valid implementation of a register. Due to the nature of refinement-after-
hiding, this means that we may build an implementation of a network which 
communicates data internally using a register by modifying in a suitable fash-
ion the necessary communication interface and then substituting the 4-slot 
for the register. This is a significant result for a number of reasons. Firstly, 
that the 4-slot has more than a single memory slot may be made apparent 
to a user: a read may begin, interrogate the necessary control variables and 
then wait for an arbitrary number of writes before completing, thereby ap-
pearing to read an old value. It is not immediately clear that such behaviour 
should be permissible in any valid implementation of a register, which has 
only a single memory slot. Nonetheless, the success of the verification de-
scribed here indicates that, once the 4-slot and register have been placed in 
suitable contexts and all communication hidden, it is effectively impossible 
for an observer to distinguish between them. 
That the 4-slot has been shown to implement a register is also important 
when it comes to reasoning about systems which might be built using it (the 
4-slot). If we may reason initially about a system built using a register, 
this is likely to be much simpler than considering directly the corresponding 
system built using the 4-slot. And any results proven about this simpler 
specification system will be valid for the corresponding system built using 
the 4-slot. Moreover, knowing that the 4-slot implements a register gives a 
much better intuition behind the behaviour which it will induce when used 
in a particular system than is gained by knowing that it meets the conditions 
of data coherence, data freshness and data sequencing. 
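The three properties just named can be checked directly on an executable model of the mechanism. The following Python program is an added example and is not the thesis's CSP model or any FDR2 script: it encodes the usual single-writer, single-reader presentation of Simpson's 4-slot (writer: pair := not reading; index := not slot[pair]; data[pair][index] := v; slot[pair] := index; latest := pair. Reader: pair := latest; reading := pair; index := slot[pair]; read data[pair][index]), treats each of those statements as one atomic step, and explores every interleaving of the two processes for a bounded number of calls. It checks data coherence (the two processes never access the same slot at the same time), data freshness (a read never returns a value older than the last write completed before the read began) and data sequencing (consecutive reads return non-decreasing values). Written values are write sequence numbers, a constructed choice made so that a returned value identifies the write that produced it; the `respect_reader` switch is a hypothetical variant introduced here for contrast, under which the writer ignores the `reading` control variable, and the `old_value_read` witness exhibits the behaviour described above, a read that returns a value older than writes completed while the read was in progress.

```python
"""Exhaustive interleaving check of a single-writer, single-reader 4-slot.

Constructed example: every statement of the writer and reader is one atomic
step, and all interleavings of the two processes are explored for a bounded
number of calls to write and read.  Written values are write sequence
numbers 1, 2, 3, ... so that a value returned by read identifies the write
that produced it (the initial content of every slot is INIT = 0).
"""
from typing import NamedTuple, Tuple


INIT = 0


class State(NamedTuple):
    data: Tuple[Tuple[int, int], Tuple[int, int]]  # data[pair][index]
    slot: Tuple[int, int]   # slot[pair]: index most recently published in that pair
    latest: int             # pair most recently published by the writer
    reading: int            # pair most recently announced by the reader
    wpc: int                # writer program counter; 0 = no call to write outstanding
    wpair: int
    windex: int
    writes: int             # completed calls to write
    rpc: int                # reader program counter; 0 = no call to read outstanding
    rpair: int
    rindex: int
    rstart: int             # value of `writes` when the current call to read began
    reads: Tuple[int, ...]  # values returned by completed calls to read


def initial() -> State:
    return State(data=((INIT, INIT), (INIT, INIT)), slot=(0, 0), latest=0, reading=0,
                 wpc=0, wpair=0, windex=0, writes=0,
                 rpc=0, rpair=0, rindex=0, rstart=0, reads=())


def _store(data, pair, index, value):
    rows = [list(r) for r in data]
    rows[pair][index] = value
    return tuple(tuple(r) for r in rows)


def writer_step(s: State, respect_reader: bool) -> State:
    """One atomic step of the writer's current call to write(writes + 1)."""
    if s.wpc == 0:   # pair := not reading  (hypothetical broken variant: pair := latest)
        return s._replace(wpc=1, wpair=1 - s.reading if respect_reader else s.latest)
    if s.wpc == 1:   # index := not slot[pair]
        return s._replace(wpc=2, windex=1 - s.slot[s.wpair])
    if s.wpc == 2:   # begin the non-atomic store into data[pair][index]
        return s._replace(wpc=3)
    if s.wpc == 3:   # end the store
        return s._replace(wpc=4, data=_store(s.data, s.wpair, s.windex, s.writes + 1))
    if s.wpc == 4:   # slot[pair] := index
        slot = list(s.slot)
        slot[s.wpair] = s.windex
        return s._replace(wpc=5, slot=tuple(slot))
    return s._replace(wpc=0, latest=s.wpair, writes=s.writes + 1)   # latest := pair


def reader_step(s: State) -> State:
    """One atomic step of the reader's current call to read()."""
    if s.rpc == 0:   # pair := latest
        return s._replace(rpc=1, rpair=s.latest, rstart=s.writes)
    if s.rpc == 1:   # reading := pair
        return s._replace(rpc=2, reading=s.rpair)
    if s.rpc == 2:   # index := slot[pair]
        return s._replace(rpc=3, rindex=s.slot[s.rpair])
    if s.rpc == 3:   # begin the non-atomic load from data[pair][index]
        return s._replace(rpc=4)
    return s._replace(rpc=0, reads=s.reads + (s.data[s.rpair][s.rindex],))  # end load, return


def explore(max_writes: int, max_reads: int, respect_reader: bool = True) -> dict:
    """Visit every reachable state; report the three ACM properties and a witness
    (value returned, writes completed) of a read that returns an older value."""
    result = {"coherent": True, "fresh": True, "sequenced": True,
              "old_value_read": None, "states": 0}
    seen, stack = set(), [initial()]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        # data coherence: writer and reader never access the same slot at once
        if s.wpc == 3 and s.rpc == 4 and (s.wpair, s.windex) == (s.rpair, s.rindex):
            result["coherent"] = False
        if s.wpc != 0 or s.writes < max_writes:
            stack.append(writer_step(s, respect_reader))
        if s.rpc != 0 or len(s.reads) < max_reads:
            n = reader_step(s)
            if n.rpc == 0:                  # a call to read has just returned
                v = n.reads[-1]
                if v < s.rstart:            # data freshness
                    result["fresh"] = False
                if len(n.reads) > 1 and v < n.reads[-2]:   # data sequencing
                    result["sequenced"] = False
                if v < s.writes and result["old_value_read"] is None:
                    result["old_value_read"] = (v, s.writes)
            stack.append(n)
    result["states"] = len(seen)
    return result


if __name__ == "__main__":
    print("4-slot:", explore(3, 3))
    print("writer ignoring `reading`:", explore(2, 1, respect_reader=False))
```

Run as a script, the first line reports all three properties holding together with a witness such as a read returning value 1 after two writes have completed, which is the "appearing to read an old value" behaviour discussed above and is permitted by freshness because the value is not older than the last write completed before the read began. The second line shows that a writer which chooses its pair from `latest` instead of `reading` breaks coherence within two writes and one read. States with both program counters at 0, where no call is outstanding, correspond to the "complete" behaviours that domar picks out in section 7.7.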
7.9.2 Lessons learned and further work 
We now consider issues which have been raised during the course of this 
verification. 
The 4-slot was chosen as a case study primarily for the types of reification 
it exhibits and because it is a real-world example. It was not chosen because 
it was felt in advance that it would be especially amenable to verification (in 
FDR2) using refinement-after-hiding. As a result, its study has highlighted 
a number of areas where further work is needed with respect to our means of 
verification, both in terms of extending the power of the approach and also 
in terms of developing a methodology for its use. 
Describing and deriving extraction mappings 
The extraction mapping which is used to interpret traces of FSlot as traces 
of the register is relatively complex, both in its incarnation as an abstract 
description and in its representation as a CSP process. Although the point 
has been made above that any process TEj used in a particular verification 
should be taken as the authoritative description of the extraction mapping 
extri, it would still be useful to have a more mechanical way of proceeding 
from an extraction mapping description to a CSP process: after all, we have 
to arrive somehow at an initial version of that CSP process. In order to 
facilitate a generic translation from mapping to CSP process, it would be 
useful to have a more structured notation within which extraction mappings 
could be expressed. In general, an extraction mapping is defined composi-
tionally over an event a and its history t: t is then effectively mapped into a 
particular information domain, its representation in that domain being used 
to determine the event to which a must be extracted. Although different 
information domains would be used for different verifications, a standard 
translation from information domain and mapping notation to CSP process 
would be very useful. (Such issues are also of relevance in terms of describing 
the mapping ref and representing it as necessary as a CSP process.) 
Deriving a mapping for successful verification 
The extraction mapping used here was developed as the verification proceeded
and was not known in advance. In such circumstances, verification
may fail either because the mapping used is unsuitable or because the process
being verified cannot be related to the specification under consideration.
An interesting area to explore, therefore, is how it might be possible to tell 
that a particular verification will never succeed or, conversely, that a suitable 
mapping does, in fact, exist. (This is related to the issue of completeness: 
see brief discussion in chapter 8.) In the first instance, such work would be 
concerned with the notion of refinement-after-hiding itself, rather than with 
the actual means of verification. 
In addition, the process of developing the mapping used here was not 
straightforward and this raises a number of important issues. In particular, 
it casts doubt on the ease with which refinement-after-hiding might be used in 
practice and suggests the need for further work to explore how the process of 
developing mappings might be made easier. For example, one could explore 
the development and use of semi-automated tools for this purpose. However, 
we should perhaps reserve judgement on the ease of use of refinement-after-
hiding until it has been applied to a more extensive range of case studies. 
Considering the environment 
In section 7.4, it could be seen that the environment with which the 4-slot is 
to be composed plays a significant role in determining the form of the traces 
mapping to be used for verification. This role of the environment needs to 
be explored further, especially with respect to determining refusal bounds, 
and its consideration needs to be built firmly into any methodology for use 
of refinement-after-hiding in practice. 
Working with procedural interfaces 
Although the 4-slot is defined initially using a procedural interface, we have 
assumed in the verification presented in this chapter that all of its events are 
visible to the environment - i.e. both events effecting data transfer and those 
concerned with manipulating control variables - and that the environment 
engages in both types of event whenever it wishes to transfer data. This is 
because we always extract on the occurrence of events which either write to 
or read from a control variable, meaning that these events must be visible 
in our CSP representation of the 4-slot. This also means that such events 
should be visible in (our representation of) the environment. (This issue was
discussed in section 7.3.4.)
This is an instance of a general problem faced by refinement-after-hiding 
if it is to be used in the verification of processes which communicate using 
procedural interfaces. In particular, any process Q which calls a procedure 
in another process will engage in an event to represent the procedure call and 
one to represent the procedure return, but will not engage in any events from 
the body of the procedure. If, during the verification of Q, we need to extract 
on the occurrence of an event which is part of the body of the procedure then
this will not be possible without modification of Q. Further work is needed 
both to show how this modification may be carried out automatically and 
also to show formally that such modification does not affect the validity of 
any verification which may be carried out. 
Complex statement of domain of mapping 
In the development of our notion of refinement-after-hiding, including the 
development of its predecessors, it was implicitly assumed that the method 
would be applied when the extraction mapping to be used was known in 
advance, meaning that the domain of the mapping would also be known in 
advance. Moreover, it was assumed that the latter would be expressed in a 
relatively straightforward, syntactically simple form. These assumptions did 
not hold in the verification in this chapter, however, and FSlot itself was the 
only syntactic representation available of the domain of the mapping which 
we used. 
Due to the syntactic complexity of FSlot, it was difficult to modify directly 
the syntactic definition of Domar given by it. As a result, the process TEar is
constructed independently of FSlot and so defines a mapping with a domain
strictly larger than τFSlot. And had we defined processes DSFar and REar
to deal with verification in the stable failures model, it would not have been 
possible to build them directly around FSlot, even though such a manner of 
construction is implicit in the definitions given in chapter 6. 
Further work is needed in the first instance to explore the sort of im-
plementation processes which might give rise to this problem of complex 
definitions of mapping domains. Specifically, we intend to consider fully the
issue of constructing DSFi and REi in such cases: this is complicated by
the fact that certain failures are obscured in these processes, depending on
whether or not their trace component is in domi. In addition, the formal
framework for verification using FDR2 may need to be extended to deal with 
this issue. 
Deriving refusal bounds and verifying Dom-SF-check
Again due to the fact that the extraction pattern used here did not exist prior 
to this verification, its ref ar component was defined directly in terms of the 
failures of FSlot. A similar approach is likely to be necessary whenever we are 
not provided with refusal bounds in advance of a particular verification and 
it should guarantee that the implementation component under consideration 
meets condition Dom-SF-check. However, Dom-SF-check will also need to 
be verified of any environment with which that component may be composed 
and this could cause problems. If the refusal bounds to be used come directly 
from an implementation component, then it will be impossible in the general 
case to derive a statement of them without first calculating the semantics 
of that component. This means that it would be difficult to define directly 
any necessary process DSFi as described in section 6.5. Further work is 
therefore needed to consider the automatic verification of Dom-SF-check in
such a situation. 
In addition, it is not clear in general how refusal bounds when behaviour is 
complete might be derived from the failures of the implementation component 
under consideration. This is due to the fact that, if verification is to be 
successful, the failures of the specification will also play a role in determining
the nature of those bounds. 
Extracting to non-singleton traces 
An obvious area for further work is to explore how we might represent ex-
traction mappings as CSP processes in the general case that extraction to 
non-singleton traces is allowed. This is especially important if we are to be 
able to use FDR2 when verifying equivalence: this necessitates interpreting 
abstract behaviours in a more concrete form and so is generally going to 
require extraction to non-singleton traces. It is for this reason that we have 
not attempted to verify the "equivalence" of the 4-slot and the register. 
"Straightforward" case studies 
A case study or studies will be explored in future where the problems and 
issues identified above might not be expected to arise, for example where 
an implementation process communicates data using certain fault tolerant 
mechanisms or a particular communication protocol. In such cases, the ex-
traction mapping to be used should be determined in advance (by the nature 
of the fault tolerant mechanism or communication protocol) and the domain 
of that mapping should (hopefully) be stated explicitly. This will give a bet-
ter idea of how the method of automatic verification presented in chapter 
6 might perform when it is not being pushed to its limits. In addition, it 
should give us a better opportunity to explore the way in which automatic 
verification might work in the stable failures and failures divergences models, 
something that is missing from the work in this chapter.
Chapter 8 
Conclusion 
In the process algebraic framework, the meaning of processes is based firmly 
on the notion of an observer and what he/she may observe of the behaviour 
of a particular process. As a result, we abstract from internal actions since 
they cannot be observed: two processes are regarded as equivalent (within 
a suitable semantic framework) if they have the same external behaviours, 
regardless of the manner in which they perform computations internally. It 
is arguable, however, that this notion of observability is too stringent and 
should be relaxed, on the basis that processes are rarely used in isolation. In
other words, if we assume that an observer only observes complete systems or 
networks - rather than individual component processes - the set of visible 
events is immediately much reduced and the way is open for defining a more 
relaxed notion of equivalence or refinement. This suggests the development 
of a notion of correctness-in-context, where visible events are partitioned into 
those that an observer will be able to see in the final network built and those 
which will be invisible to him/her. 
Using these notions of correctness-in-context and the partitioning of visi-
ble events, along with the device of an interpretive mapping, chapter 3 gives 
an abstract formal statement of what it means for a particular implementa-
tion relation to constitute a notion of refinement-after-hiding: this is cap-
tured in the conditions RAH1-3. From these and a number of other basic
conditions, we are able to derive a set of conditions which are sufficient to 
define refinement-after-hiding in practice. These are put to use in chapter 
4 as we modify and extend an existing such notion. Not only is the work 
from chapter 3 of fundamental importance in carrying out this modification, 
it also gives a clear and definite framework within which we are able to un-
derstand the form of our concrete notion of refinement-after-hiding and why 
exactly it works. The implementation relation defined in chapter 4 gives 
a generalisation of standard CSP refinement in all three semantic models 
and provides the ability to deal with a variety of types of reification in the 
move from specification to implementation: more specifically, it can deal with 
data reification, external behaviour decomposition and external relaxation of 
atomicity, as evidenced by the successful verification in chapter 7. 
Chapter 6 defines a means of automatic verification for our concrete no-
tion of refinement-after-hiding, using the existing industrial-strength tool 
FDR2. This is significant for a number of reasons: it allowed us to pro-
ceed more quickly to verification in practice of a real-world example; FDR2's 
state-space compression techniques are vital to our ability to perform verifi-
cation, as even the representation of the 4-slot from chapter 7 initially has a
large number of states; its (FDR2's) debugging facilities proved crucial in the 
development of the extraction mapping used in the same chapter. Finally, 
chapter 7 shows that Simpson's 4-slot asynchronous communication mecha-
nism is a valid implementation of a register, using the notion of refinement-
after-hiding from chapter 4 and the means of verification from chapter 6. 
This is an important result both in this specific case and in terms of what 
it shows may be possible in general: in the move from register to (CSP rep-
resentation of the) 4-slot, data reification, external behaviour decomposition 
and external relaxation of atomicity have all occurred, yet verification may 
still be effected successfully. 
As a final comment, we note that the work presented in chapters 3, 4 
and 6 may be regarded as a whole which is greater than the sum of its parts. 
Using our means of automatic verification, we were able to proceed quickly to 
verification of a real-world example. The consideration of this example then 
fed back into the development of the implementation relation in chapter 4. 
For example, the requirement that any particular extraction pattern should 
deal only with input or only with output events proved to be too restrictive in 
practice, while the theory from chapter 3 indicated that such an approach was 
not necessary in order for refinement-after-hiding to work. It is also envisaged 
that these three components will play a similar, mutually supportive role in 
future work. In particular, we will consider alternative means of mapping 
refusals, such as that described in section 4.8 and suggested by the theory 
in chapter 3. Encoding any such alternative approaches as CSP processes in 
FDR2 (where that is possible) will allow for their rapid use in the verification 
of real-world examples, the success or failure of which verifications will reflect 
on their usefulness in practice. And if practice tells us that a particular means 
of mapping refusals should be modified, then the theory gives a framework 
within which those modifications may be assessed and carried out. 
8.1 Further work 
At various points throughout this thesis, we have indicated areas in which 
further work is needed or in which such work might yield interesting and 
useful results. We identify here five main areas on which we shall concentrate. 
8.1.1 Refinement-after-hiding and "completeness" 
Assume that $F_{impl}(Q_1, \ldots, Q_n)$ is an implementation network and the corresponding specification network is given by $F_{spec}(P_1, \ldots, P_n)$. Future work will address the question of whether it is always possible to come up with suitable extraction patterns such that $Q_i$ refines-after-hiding $P_i$ for $1 \le i \le n$ in the event that $F_{impl}(Q_1, \ldots, Q_n)$ refines $F_{spec}(P_1, \ldots, P_n)$ according to standard CSP refinement. In the event that refinement-after-hiding is not complete in this sense, we will aim to establish restrictions on implementation and specification networks such that the property of completeness is enjoyed in the restricted domain.
8.1.2 Barbed congruence and refinement-after-hiding 
Chapter 5 (page 119) describes in some detail areas which might be ex-
plored concerning the relation between barbed congruence and refinement-
after-hiding. In particular, the ability to verify correctness when at least 
relaxation of atomicity has occurred without the need to construct an inter-
pretive mapping would be extremely desirable. 
8.1.3 Mapping refusals 
The approach to mapping refusals used in this thesis is based on the notion 
of refusal bounds and the treatment of communication as asymmetric in 
character. A possible alternative approach to mapping refusals is proposed 
in section 4.8. It is currently not clear what advantages one might possess 
over the other nor how one might decide the appropriateness of a particular 
approach in a particular set of circumstances. Further work, both in terms 
of theory and of practical examples, will look at the types of process where 
one approach might allow verification to succeed while the other might cause 
it to fail: this will help us to identify situations where it would be advisable 
to choose one approach over the other. 
Moreover, if an alternative means of mapping refusals could be developed, 
its use might avoid some of the problems which may arise when the necessary 
extraction patterns are not known in advance of a particular verification (see 
discussion in section 1.9). 
8.1.4 Improving the means of automatic verification 
Section 7.9 contains a number of ways in which the means of automatic 
verification given in this thesis could be extended and improved. As a first 
step, a notation to represent extraction mappings will be explored, along 
with ways of mechanically translating from such a notation to a CSP process 
which represents the relevant mapping. 
8.1.5 Further case studies 
Finally, it is necessary to consider the verification of further example pro-
cesses and systems, both in order to fully evaluate the usefulness of our 
notion of refinement-after-hiding and also to develop a proper methodology 
regarding its use. 
Appendix A 
Proofs from chapter 3 
A.1 Proofs from section 3.2 
Proof of proposition 3.3 
Proof. 1. a(P \ A) 
2. a(P Ily Q) 
[[,8(P \ A)ll (by definition 3.10) 
[[,8(P) - All (by figure 2.5) 
[[,8(P)]]- A (by def. 3.7 and since A E AUSet) 
(aP) - A (by definition 3.10) 
[[,8(P lIy Q)]] 
[[,8(P) U ,8(Q)ll 
[[,8(P)ll U [[,8(Q)ll 
aPUaQ 
(by definition 3.10) 
(by figure 2.5) 
(by definition 3.7) 
(by definition 3.10) 
Proof of proposition 3.4 
o 
Proof. Since An B =1= 0, it follows that B =1= 0. Hence, B = UiEI ~ where f 
is a non-empty indexing set into MinSet and so A n Ai =1= 0 for some i E f. 
By definition 3.5, A = Ai and so A ~ B. 0 
Proof of proposition 3.5

Proof. The proof is immediate in the event that $A = \emptyset$ and so we assume that $A \neq \emptyset$. We use RHS to denote $\bigcup\{\mathit{events}(t) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq A\}$ in this proof. It is immediate that $\mathrm{RHS} \subseteq A$. We therefore show $A \subseteq \mathrm{RHS}$, by assuming there exists $a \in A - \mathrm{RHS}$. By definitions 3.6, 3.5 and 3.4(1), there exists $t \in \mathit{BTrace}$ such that $a \in \mathit{events}(t)$; moreover, $\mathit{events}(t) \not\subseteq A$. Since $A = \bigcup_{i \in I} A_i$ where $I$ is a non-empty indexing set into $\mathit{MinSet}$, there exists $i \in I$ such that $a \in A_i$ but $\mathit{events}(t) \not\subseteq A_i$ since $\mathit{events}(t) \not\subseteq A$. Hence, we have a contradiction by definition 3.5(1). □
Proposition A.1. $\lambda(\emptyset) = \emptyset$.

Proof. We consider each of two cases in turn.

Case 1: $\langle\rangle \in \mathit{BTrace}$ and so $\lambda(\langle\rangle)$ is defined. By definition 3.8, it suffices to show that $\lambda(\langle\rangle) = \langle\rangle$. Let $STOP$ be an implementation process (recall that we may assume $STOP$ is an implementation process by definition 3.9 and since $\beta(STOP) = \emptyset \subseteq \Sigma_{impl}$). Since $\beta(STOP) = \emptyset$, then $\alpha STOP = \emptyset$ and so $\alpha STOP \subseteq F_{vis}$. Thus, by RAH1, $\lambda([STOP]_X) = [STOP]_X$ for $X \in \{T, SF, FD\}$. Hence, $\lambda(\tau STOP) = \tau STOP$ and so, by definition 3.3, $\lambda(\langle\rangle) = \langle\rangle$.

Case 2: $\langle\rangle \notin \mathit{BTrace}$. In this case, the proof is immediate by definition 3.8. □
Proof of proposition 3.6

Proof. In the event that $I = \emptyset$, the proof is immediate by proposition A.1 and so we consider the case that $I \neq \emptyset$. By definition 3.8, $\lambda(\bigcup_{i \in I} A_i)$ is given by:
$$\begin{array}{cll}
& \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq \bigcup_{i \in I} A_i\} & \\
= & \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge (\exists i \in I)\, \mathit{events}(t) \subseteq A_i\} & \text{(by def. 3.5(1))} \\
= & \bigcup_{i \in I} \left(\bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq A_i\}\right) & \\
= & \bigcup_{i \in I} \lambda(A_i) & \text{(by definition 3.8)}
\end{array}$$
□

Proof of proposition 3.7

Proof. Let $A = \bigcup_{i \in I} A_i$ and $A' = \bigcup_{j \in J} A_j$, where $I, J$ are indexing sets into $\mathit{MinSet}$ and $I \cap J = \emptyset$ since $A \cap A' = \emptyset$ (note that $\emptyset \notin \mathit{MinSet}$). We consider each of two cases in turn.

Case 1: Either $A = \emptyset \neq A'$, $A \neq \emptyset = A'$ or $A = \emptyset = A'$. The proof in this case follows by proposition A.1.

Case 2: $A \neq \emptyset \neq A'$. By proposition 3.6, $\lambda(A) = \bigcup_{i \in I} \lambda(A_i)$ and $\lambda(A') = \bigcup_{j \in J} \lambda(A_j)$. Since $I \cap J = \emptyset$, $A_i \neq A_j$ for all $i \in I$, $j \in J$. Thus, by definitions 3.5(2) and 3.8, $\lambda(A_i) \cap \lambda(A_j) = \emptyset$ for all $i \in I$, $j \in J$ and so the proof in this case follows. □
Proof of proposition 3.8

Proof. Let $I, J$ be indexing sets into $\mathit{MinSet}$ such that $A = \bigcup_{i \in I} A_i$ and $B = \bigcup_{j \in J} A_j$.

1. It is immediate by definition 3.5 that $A \oplus B = \bigcup_{k \in I \oplus J} A_k$ and so $A \oplus B \in \mathit{AllSet}$ by definition 3.6.

2. We observe that:
$$\begin{array}{rcll}
\lambda(A \oplus B) & = & \lambda(\bigcup_{i \in I} A_i \oplus \bigcup_{j \in J} A_j) & \\
& = & \lambda(\bigcup_{k \in I \oplus J} A_k) & \\
& = & \bigcup_{k \in I \oplus J} \lambda(A_k) & \text{(by proposition 3.6)} \\
& = & \bigcup_{i \in I} \lambda(A_i) \oplus \bigcup_{j \in J} \lambda(A_j) & \text{(by definitions 3.5 and 3.8)} \\
& = & \lambda(A) \oplus \lambda(B) & \text{(by proposition 3.6)}
\end{array}$$
□

Proof of proposition 3.9

Proof. 1. The proof is immediate from definitions 3.5 and 3.6.

2. We observe that:
$$\begin{array}{cll}
& \bigcup_{A \in \mathit{MinSet}} \lambda(A) & \\
= & \lambda(\bigcup_{A \in \mathit{MinSet}} A) & \text{(by proposition 3.6)} \\
= & \lambda(\Sigma_{impl}) & \text{(by definition 3.5)} \\
= & \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq \Sigma_{impl}\} & \text{(by def. 3.8)} \\
= & \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace}\} & \text{(by definition 3.4(1))} \\
= & \Sigma_{spec} & \text{(by definition 3.4(2))}
\end{array}$$

3. Let $A \in \mathit{AllSet}$. By definition 3.5, $\Sigma_{impl} = \bigcup_{A' \in \mathit{MinSet}} A'$ and so $A \subseteq \Sigma_{impl}$ by definition 3.6. By the proof of part 2 of the proposition, $\Sigma_{spec} = \lambda(\Sigma_{impl})$ and so $\lambda(A) \subseteq \Sigma_{spec}$ by definition 3.8 and since $A \subseteq \Sigma_{impl}$. □
Proof of proposition 3.10

Proof. 1. We assume that $X \subseteq A$. By definition 3.6, $[\![X]\!] = \bigcup_{i \in I} A_i$, where $I$ is an indexing set into $\mathit{MinSet}$. In the event that $[\![X]\!] = \emptyset$, the proof is immediate and so we consider the case that $[\![X]\!] \neq \emptyset$. Let $i \in I$. By definition 3.7, $X \cap A_i \neq \emptyset$ and so $A \cap A_i \neq \emptyset$. Thus, $A_i \subseteq A$ by proposition 3.4.

2. We show that $[\![R]\!] \cup [\![S]\!] \subseteq [\![R \cup S]\!]$; the proof that $[\![R \cup S]\!] \subseteq [\![R]\!] \cup [\![S]\!]$ is similar. By definition 3.6, $[\![R]\!] = \bigcup_{i \in I} A_i$, where $I$ is an indexing set into $\mathit{MinSet}$. We show that $[\![R]\!] \subseteq [\![R \cup S]\!]$; that $[\![S]\!] \subseteq [\![R \cup S]\!]$ may be shown in a similar manner. In the event that $[\![R]\!] = \emptyset$, the proof is immediate and so we consider the case that $[\![R]\!] \neq \emptyset$. Let $i \in I$. By definition 3.7, $A_i \cap R \neq \emptyset$ and so $A_i \cap [\![R \cup S]\!] \neq \emptyset$. Hence, by proposition 3.4, $A_i \subseteq [\![R \cup S]\!]$. □
Proof of proposition 3.11

Proof. By definition of $\mathit{Imp}$ in definition 2.3, there exists $(P \|_Y Q) \in \mathit{Imp}(F_{impl}(Q_1, \ldots, Q_n))$ such that, by R2, $Y = \alpha P \cap \alpha Q$. By definition 3.10, $\alpha P, \alpha Q \in \mathit{AllSet}$ and so $Y \in \mathit{AllSet}$ by proposition 3.8(1). □

Proposition A.2. Let $A \in \mathit{AllSet}$.
1. $\Sigma_{impl} - A \in \mathit{AllSet}$.
2. $\lambda(\Sigma_{impl} - A) = \Sigma_{spec} - \lambda(A)$.

Proof. 1. The proof follows by proposition 3.9(1) and proposition 3.8(1).

2. We have:
$$\begin{array}{rcll}
\lambda(\Sigma_{impl} - A) & = & \lambda(\Sigma_{impl}) - \lambda(A) & \text{(by prop.s 3.9(1) and 3.8(2))} \\
& = & \lambda(\bigcup_{A' \in \mathit{MinSet}} A') - \lambda(A) & \text{(by definition 3.5)} \\
& = & \bigcup_{A' \in \mathit{MinSet}} \lambda(A') - \lambda(A) & \text{(by proposition 3.6)} \\
& = & \Sigma_{spec} - \lambda(A) & \text{(by prop. 3.9(2))}
\end{array}$$
□

Proof of proposition 3.12

Proof. Let $Q \triangleq \mathit{FST}(\mathit{BTrace})$ be a (component) implementation process. By proposition 2.12(1), $\tau Q = \mathit{Pref}(\mathit{BTrace})$ and so, by PREF-CLOS and definition 3.3, $\lambda([Q]_T)$ is defined. $\beta(Q) = \bigcup_{t \in \mathit{BTrace}} \mathit{events}(t)$ by proposition 2.12(2) and so $\beta(Q) = \Sigma_{impl}$ by definition 3.4(1). By definition 3.10 and proposition 3.9(1), $\alpha Q = \Sigma_{impl}$. Thus, by HIDE-INVIS, there exists $A \in \mathit{AllSet}$ such that $\Sigma_{impl} - A = \Sigma_{impl} \cap F_{vis} = F_{vis}$. Hence, $F_{vis} \in \mathit{AllSet}$ by proposition A.2(1). □
A.2 Proofs from section 3.3 
Proof of theorem 3.13

Proof. Let $Q \triangleq \mathit{FST}(t)$ be a (component) implementation process. By proposition 2.12, $\tau Q = \mathit{Pref}(t)$ and $\beta(Q) = \mathit{events}(t)$. Hence, $\alpha Q = [\![\mathit{events}(t)]\!]$. We show that $\alpha Q \subseteq F_{vis}$ by considering each of two cases in turn.

Case 1: $t = \langle\rangle$. The proof is immediate in this case, since $\alpha Q = \emptyset$.

Case 2: $t \neq \langle\rangle$. In this case, $\alpha Q = [\![\mathit{events}(t)]\!] = \bigcup_{i \in I} A_i$ where $I$ is a non-empty indexing set into $\mathit{MinSet}$. Moreover, $\mathit{events}(t) \cap A_i \neq \emptyset$ and so $A_i \cap F_{vis} \neq \emptyset$ for every $i \in I$. It follows by propositions 3.12 and 3.4 that $A_i \subseteq F_{vis}$ for every $i \in I$ and so $\alpha Q \subseteq F_{vis}$.

Hence, by TI1, $\lambda(\tau Q)$ is defined and so, by definition 3.3, $\lambda(t)$ is defined. Also by TI1, $\lambda(\tau Q) = \tau Q$ and so $\max_{\le}(\lambda(\tau Q)) = \max_{\le}(\tau Q)$. Hence, by definition 3.3 and TR-MONO, $\lambda(t) = t$. □
Proof of theorem 3.15

Proof. We assume that $\lambda(t)$ is defined. Let $Q \triangleq \mathit{FST}(t)$ be a (component) implementation process. By proposition 2.12(1), $\tau Q = \mathit{Pref}(t)$. By PREF-CLOS and definition 3.3, $\lambda(\tau Q)$ is defined. By TI2, $\lambda(\tau(Q \setminus A))$ is defined and so $\lambda(t \setminus A)$ is defined by definition 3.3. Also by TI2, $\lambda(\tau(Q \setminus A)) = \lambda(\tau Q) \setminus B$. Hence, by definition 3.3, TR-MONO and the monotonicity of the hiding operator over traces (proposition 2.6):
$$\lambda(t \setminus A) = \max_{\le}(\lambda(\tau(Q \setminus A))) = \max_{\le}(\lambda(\tau Q) \setminus B) = \lambda(t) \setminus B.$$
□
Proof of theorem 3.16

Proof. Let $B$ be such that $\lambda(\setminus A) = \setminus B$.

($\subseteq$) We first show that $B \subseteq \lambda(A)$ by assuming there exists $a \in B - \lambda(A)$. By definition 3.11(1), $B \subseteq \Sigma_{spec}$ and so, by definition 3.4(2), there exists $s \in \mathit{BTrace}$ such that $a \in \mathit{events}(\lambda(s))$. By definition 3.8, $\lambda(A) = \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq A\}$ and so $\mathit{events}(s) \not\subseteq A$. Hence, by definitions 3.5(1) and 3.6, $\mathit{events}(s) \cap A = \emptyset$. Since $s \in \mathit{BTrace}$, then $\lambda(s)$ is defined. It follows by RAH2-T that $\lambda(s \setminus A) = \lambda(s) \setminus B$ and so, since $\mathit{events}(s) \cap A = \emptyset$, $\lambda(s) = \lambda(s) \setminus B$. Hence, $\mathit{events}(\lambda(s)) \cap B = \emptyset$. This, however, gives a contradiction, since $a \in \mathit{events}(\lambda(s)) \cap B$.

($\supseteq$) We now show that $\lambda(A) \subseteq B$. In the event that there does not exist $t \in \mathit{BTrace}$ such that $\mathit{events}(t) \subseteq A$, the proof is immediate by definition 3.8. We therefore assume that there exists $t \in \mathit{BTrace}$ such that $\mathit{events}(t) \subseteq A$. By definition 3.8, it suffices to show that $\mathit{events}(\lambda(t)) \subseteq B$. Since $t \in \mathit{BTrace}$, then $\lambda(t)$ is defined. Hence, by RAH2-T, $\lambda(\langle\rangle) = \lambda(t \setminus A) = \lambda(t) \setminus B$. By theorem 3.14, $\lambda(t) \setminus B = \langle\rangle$ and so $\mathit{events}(\lambda(t)) \subseteq B$. □
Proof of theorem 3.17

Proof. We assume the following:
• $T_Y = \{v \in \mathit{BTrace} \mid \mathit{events}(v) \subseteq Y\} \cup \{\langle\rangle\}$.
• $Q = \mathit{FST}(T_Y) \|_Y STOP$ is a (component) implementation process.
• $P_w = \mathit{FST}(w) \|_\emptyset Q$ is a (component) implementation process for $w \in \mathit{BTrace}$.

Before proceeding with the proof proper we prove (A.1) and (A.2), which relate to $Q$ and $P_w$ respectively.
$$\tau Q = \{\langle\rangle\},\ \lambda(\tau Q) \text{ is defined and } \alpha Q = Y \qquad \text{(A.1)}$$
By proposition 2.12(1), $\tau \mathit{FST}(T_Y) = \mathit{Pref}(T_Y)$. Since $\mathit{events}(t) \subseteq Y$ for every $t \in \tau \mathit{FST}(T_Y)$ and $\tau STOP = \{\langle\rangle\}$, $\tau Q = \{\langle\rangle\}$. Thus, by definition 3.3 and theorem 3.14, $\lambda(\tau Q)$ is defined. By proposition 2.12(2), $\beta(\mathit{FST}(T_Y)) = \bigcup_{t \in T_Y} \mathit{events}(t)$. Hence, by proposition 3.5, $\beta(\mathit{FST}(T_Y)) = Y$. Since $\beta(STOP) = \emptyset$, $\beta(Q) = Y$ and, since $Y \in \mathit{AllSet}$, $\alpha Q = [\![Y]\!] = Y$. Hence, we have shown (A.1).
$$\tau P_w = \mathit{Pref}(w),\ \lambda(\tau P_w) \text{ is defined and } \alpha P_w = [\![\mathit{events}(w)]\!] \cup Y \qquad \text{(A.2)}$$
By proposition 2.12(1), $\tau \mathit{FST}(w) = \mathit{Pref}(w)$ and, by (A.1), $\tau P_w = \mathit{Pref}(w)$. Since $w \in \mathit{BTrace}$, $\lambda(\tau P_w)$ is defined by definition 3.3 and PREF-CLOS. By proposition 2.12(2), $\beta(\mathit{FST}(w)) = \mathit{events}(w)$. By the proof of (A.1), $\beta(Q) = Y$ and so $\beta(P_w) = \mathit{events}(w) \cup Y$. Hence, since $Y \in \mathit{AllSet}$, $\alpha P_w = [\![\mathit{events}(w)]\!] \cup Y$. Thus, we have shown (A.2).

We now proceed with the proof proper, where $Z$ is such that $\lambda(\|_Y) = \|_Z$.

($\subseteq$) We show that $Z \subseteq \lambda(Y)$ by assuming there exists $a \in Z - \lambda(Y)$. By definition 3.11(2), we know that $Z \subseteq \Sigma_{spec}$ and so, by definition 3.4(2), there exists $s \in \mathit{BTrace}$ such that $a \in \mathit{events}(\lambda(s))$. By definition 3.8, $\lambda(Y) = \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq Y\}$ and so $\mathit{events}(s) \not\subseteq Y$. Hence, by definitions 3.5(1) and 3.6 we have that $\mathit{events}(s) \cap Y = \emptyset$. Let $P_s$ be a (component) implementation process. By (A.2), $\tau P_s = \mathit{Pref}(s)$ and $\lambda(\tau P_s)$ is defined. By (A.1), $\tau Q = \{\langle\rangle\}$ and $\lambda(\tau Q)$ is defined. By (A.1) and (A.2), $\alpha P_s \cap \alpha Q = Y$. Hence, $\lambda(\tau(P_s \|_Y Q)) = \lambda(\tau P_s) \|_Z \lambda(\tau Q)$ by TI3. Since $\mathit{events}(s) \cap Y = \emptyset$ and by theorem 3.14 and definition 3.3, $\lambda(\mathit{Pref}(s)) = \lambda(\mathit{Pref}(s)) \|_Z \{\langle\rangle\}$. Hence, by definition 3.3, there exists $v \le s$ such that $\lambda(s) \in \lambda(v) \|_Z \langle\rangle$. It follows by TRP (i.e. $\lambda(s) \upharpoonright Z = \langle\rangle \upharpoonright Z$) that $\mathit{events}(\lambda(s)) \cap Z = \emptyset$ and so we have a contradiction since $a \in \mathit{events}(\lambda(s)) \cap Z$.

($\supseteq$) We now show $\lambda(Y) \subseteq Z$. In the event that there does not exist $t \in \mathit{BTrace}$ such that $\mathit{events}(t) \subseteq Y$, the proof is immediate by definition 3.8. Thus, we assume there exists $t \in \mathit{BTrace}$ such that $\mathit{events}(t) \subseteq Y$. By definition 3.8, it suffices to show that $\mathit{events}(\lambda(t)) \subseteq Z$. Since $\mathit{events}(t) \subseteq Y$ and $Y \in \mathit{AllSet}$, $[\![\mathit{events}(t)]\!] \subseteq Y$ by definition 3.7. Let $P_t$ be a (component) implementation process. By (A.2), $\tau P_t = \mathit{Pref}(t)$, $\lambda(\tau P_t)$ is defined and $\alpha P_t = [\![\mathit{events}(t)]\!] \cup Y = Y$. Hence, $\lambda(\tau(P_t \|_Y P_t)) = \lambda(\tau P_t) \|_Z \lambda(\tau P_t)$ by TI3. Thus, since $\mathit{events}(t) \subseteq Y$, $\lambda(\mathit{Pref}(t)) = \lambda(\mathit{Pref}(t)) \|_Z \lambda(\mathit{Pref}(t))$. Then, by definition 3.3 and TR-MONO,
$$\{\lambda(t)\} = \max_{\le}(\lambda(\mathit{Pref}(t))) = \max_{\le}(\lambda(\mathit{Pref}(t)) \|_Z \lambda(\mathit{Pref}(t))).$$
It holds trivially that $\lambda(t) \upharpoonright Z = \lambda(t) \upharpoonright Z$ and so $\lambda(t) \|_Z \lambda(t) \neq \emptyset$. Hence, by proposition 2.7, $\{\lambda(t)\} = \lambda(t) \|_Z \lambda(t)$ and so $\mathit{events}(\lambda(t)) \subseteq Z$. □
A.3 Proofs from section 3.4 
Proposition A.3. Let $A \in \mathit{AllSet}$, $B = \lambda(A)$ and let $t$ be a trace such that $\lambda(t)$ is defined. Then $\lambda(t \upharpoonright A)$ is defined and $\lambda(t \upharpoonright A) = \lambda(t) \upharpoonright B$.

Proof. Let $\bar{A} = \Sigma_{impl} - A$ and $\bar{B} = \Sigma_{spec} - B$. By proposition A.2, $\bar{A} \in \mathit{AllSet}$ and $\bar{B} = \lambda(\bar{A})$. By RAH2-T, $\lambda(t \setminus \bar{A})$ is defined and $\lambda(t \setminus \bar{A}) = \lambda(t) \setminus \bar{B}$. By proposition 3.9(3), $A \subseteq \Sigma_{impl}$ and $B \subseteq \Sigma_{spec}$. Hence, $\Sigma_{impl} = A \cup \bar{A}$ and $\Sigma_{spec} = B \cup \bar{B}$. Since $\mathit{events}(t) \subseteq \Sigma_{impl}$ by definition 3.4(1), then $t \setminus \bar{A} = t \upharpoonright A$; hence, $\lambda(t \upharpoonright A)$ is defined. Since $\mathit{events}(\lambda(t)) \subseteq \Sigma_{spec}$ by definition 3.4(2), $\lambda(t) \setminus \bar{B} = \lambda(t) \upharpoonright B$. Hence, $\lambda(t \upharpoonright A) = \lambda(t) \upharpoonright B$. □
Proof of theorem 3.19

Proof. 1. ($\Rightarrow$) We assume that $\lambda(t)$ and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ are defined. Let $\bar{A} = \Sigma_{impl} - A$ and so $\bar{A} \in \mathit{AllSet}$ by proposition A.2(1). By proposition 3.9(3), $A \subseteq \Sigma_{impl}$ and so $\Sigma_{impl} = A \cup \bar{A}$. We define the (component) implementation processes $P$ and $Q$ as follows: $P = \mathit{FST}(t \upharpoonright \bar{A})$ and $Q = \mathit{FST}((t \circ \langle a \rangle) \upharpoonright A)$. By proposition 2.12, $\tau P = \mathit{Pref}(t \upharpoonright \bar{A})$ and $\beta(P) = \mathit{events}(t \upharpoonright \bar{A})$. Hence, $\alpha P \subseteq \bar{A}$ since $\bar{A} \in \mathit{AllSet}$. Moreover, $\lambda(\tau P)$ is defined by proposition A.3, PREF-CLOS and definition 3.3. Similarly, $\tau Q = \mathit{Pref}((t \circ \langle a \rangle) \upharpoonright A)$, $\alpha Q \subseteq A$ and $\lambda(\tau Q)$ is defined. As a result, $\alpha P \cap \alpha Q = \emptyset$. Hence, by TI3, $\lambda(\tau(P \|_\emptyset Q))$ is defined. By definition 3.4(1) and since $\lambda(t)$ and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ are defined,
$$\mathit{events}(t \circ \langle a \rangle) = \mathit{events}(t) \cup \mathit{events}((t \circ \langle a \rangle) \upharpoonright A) \subseteq \Sigma_{impl}$$
and so, since $\Sigma_{impl} = A \cup \bar{A}$,
$$t \circ \langle a \rangle \in (\mathit{Pref}(t \upharpoonright \bar{A}) \|_\emptyset \mathit{Pref}((t \circ \langle a \rangle) \upharpoonright A)) = \tau(P \|_\emptyset Q).$$
Thus, $\lambda(t \circ \langle a \rangle)$ is defined by definition 3.3.

($\Leftarrow$) We assume that $\lambda(t \circ \langle a \rangle)$ is defined. Hence, $\lambda(t)$ is defined by PREF-CLOS and $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ is defined by proposition A.3.

2. Let $B = \lambda(A)$. We assume that $\lambda(t \circ \langle a \rangle)$ is defined. By PREF-CLOS, $\lambda(t)$ is defined and, by TR-MONO,
$$\lambda(t \circ \langle a \rangle) = \lambda(t) \circ x$$
for some trace $x$. Also by TR-MONO,
$$\lambda((t \circ \langle a \rangle) \upharpoonright A) = \lambda(t \upharpoonright A) \circ r$$
for some trace $r$. By proposition A.3, $\lambda((t \circ \langle a \rangle) \upharpoonright A) = \lambda(t \circ \langle a \rangle) \upharpoonright B$. Thus,
$$\lambda(t \upharpoonright A) \circ r = (\lambda(t) \circ x) \upharpoonright B = (\lambda(t) \upharpoonright B) \circ (x \upharpoonright B).$$
Hence, by proposition A.3, $r = x \upharpoonright B$. By RAH2-T,
$$\lambda(t) \setminus B = \lambda(t \setminus A) = \lambda((t \circ \langle a \rangle) \setminus A) = \lambda(t \circ \langle a \rangle) \setminus B = (\lambda(t) \circ x) \setminus B.$$
Thus, $\mathit{events}(x) \subseteq B$ and so $x \upharpoonright B = x = r$. □
Results used in the proof of theorem 3.20

In all of the proofs in the remainder of this section, we assume that conditions S1-7 and Ts1-4 from figure 3.4 all hold. (Recall also that some necessary supporting results which have already appeared are restated and reproved here using only S1-7 and Ts1-4.)
Proposition A.4. Let $A \in \mathit{MinSet}$ and $B \in \mathit{AllSet}$ be such that $A \cap B \neq \emptyset$. Then $A \subseteq B$.

Proof. Since $A \cap B \neq \emptyset$, it follows that $B \neq \emptyset$. Hence, $B = \bigcup_{i \in I} A_i$ where $I$ is a non-empty indexing set into $\mathit{MinSet}$ and so $A \cap A_i \neq \emptyset$ for some $i \in I$. By S1(c) (definition 3.5), $A = A_i$ and so $A \subseteq B$. □
Proposition A.5. Let $A, B \in \mathit{AllSet}$ and $\oplus \in \{-, \cup, \cap\}$. Then:
1. $A \oplus B \in \mathit{AllSet}$.
2. $\lambda(A \oplus B) = \lambda(A) \oplus \lambda(B)$.

Proof. Let $I, J$ be indexing sets into $\mathit{MinSet}$ such that $A = \bigcup_{i \in I} A_i$ and $B = \bigcup_{j \in J} A_j$.

1. It is immediate by S1(c) (definition 3.5) that $A \oplus B = \bigcup_{k \in I \oplus J} A_k$ and so $A \oplus B \in \mathit{AllSet}$ by S1(c) (definition 3.6).

2. We observe that:
$$\begin{array}{rcll}
\lambda(A \oplus B) & = & \lambda(\bigcup_{i \in I} A_i \oplus \bigcup_{j \in J} A_j) & \\
& = & \lambda(\bigcup_{k \in I \oplus J} A_k) & \\
& = & \bigcup_{k \in I \oplus J} \lambda(A_k) & \text{(by S5)} \\
& = & \bigcup_{i \in I} \lambda(A_i) \oplus \bigcup_{j \in J} \lambda(A_j) & \text{(by S1(c) (def. 3.5) and S4)} \\
& = & \lambda(A) \oplus \lambda(B) & \text{(by S5)}
\end{array}$$
□
Proposition A.6. Let $A, A' \in \mathit{AllSet}$ be such that $A \cap A' = \emptyset$. Then $\lambda(A) \cap \lambda(A') = \emptyset$.

Proof. Let $A = \bigcup_{i \in I} A_i$ and $A' = \bigcup_{j \in J} A_j$, where $I, J$ are indexing sets into $\mathit{MinSet}$ and $I \cap J = \emptyset$ since $A \cap A' = \emptyset$ (note that $\emptyset \notin \mathit{MinSet}$). We consider each of two cases in turn.

Case 1: Either $A = \emptyset \neq A'$, $A' = \emptyset \neq A$ or $A = A' = \emptyset$. Wlog, we assume that $A = \emptyset$ and so $I = \emptyset$. The proof follows in this case by S5.

Case 2: $A \neq \emptyset \neq A'$ and so $I \neq \emptyset \neq J$. By S5, $\lambda(A) = \bigcup_{i \in I} \lambda(A_i)$ and $\lambda(A') = \bigcup_{j \in J} \lambda(A_j)$. Since $I \cap J = \emptyset$, $A_i \neq A_j$ for all $i \in I$, $j \in J$. By S1(c) (definition 3.5(2)) and S4, $\lambda(A_i) \cap \lambda(A_j) = \emptyset$ for all $i \in I$, $j \in J$ and so the proof in this case follows. □
Proposition A.7. Let $t \circ \langle a \rangle$ be a trace such that $\lambda(t \circ \langle a \rangle)$ is defined. Then there exists $A \in \mathit{MinSet}$ such that $a \in A$.

Proof. Since $\lambda(t \circ \langle a \rangle)$ is defined, then $\mathit{events}(t \circ \langle a \rangle) \subseteq \Sigma_{impl}$ by S1(b) (definition 3.4(1)). Hence, by S1(c) (definition 3.5), there exists $A \in \mathit{MinSet}$ such that $a \in A$. □
Proposition A.8. Let $t \circ \langle a \rangle$ be a trace such that $\lambda(t \circ \langle a \rangle)$ is defined and $\lambda(t \circ \langle a \rangle) = \lambda(t) \circ r$.
1. If $a \in A \in \mathit{AllSet}$, then $\mathit{events}(r) \subseteq \lambda(A)$.
2. If $a \notin A \in \mathit{AllSet}$, then $\mathit{events}(r) \cap \lambda(A) = \emptyset$.

Proof. By proposition A.7, there exists $A' \in \mathit{MinSet}$ such that $a \in A'$ and so $\mathit{events}(r) \subseteq \lambda(A')$ by Ts4.

1. We assume $a \in A \in \mathit{AllSet}$. By proposition A.4, $A' \subseteq A$ and so $\lambda(A') \subseteq \lambda(A)$ by S1(c) (definition 3.5) and S5.

2. We assume $a \notin A \in \mathit{AllSet}$. By proposition A.4, $A' \cap A = \emptyset$. Hence, by proposition A.6, $\lambda(A') \cap \lambda(A) = \emptyset$. □
Proposition A.9. $\lambda(\langle\rangle)$ is defined and $\lambda(\langle\rangle) = \langle\rangle$.

Proof. By S3 and S1(c) (definition 3.6), there exists $A \in \mathit{MinSet}$ such that $A \subseteq F_{vis}$. Since $\mathit{events}(\langle\rangle) = \emptyset$, we have that $\mathit{events}(\langle\rangle) \subseteq A$. The proof follows by Ts2. □

Proposition A.10. Let $t$ be a trace such that $\mathit{events}(t) \subseteq F_{vis}$. Then $\lambda(t)$ is defined and $\lambda(t) = t$.

Proof. We proceed by induction on the length of $t$. In the base case, when $t = \langle\rangle$, the proof is immediate by proposition A.9. Let $t = u \circ \langle a \rangle$. By S3 and S1(c) (definition 3.6), there exists $A \in \mathit{MinSet}$ such that $a \in A$ and $A \subseteq F_{vis}$. Hence, $\lambda(t \upharpoonright A)$ is defined by Ts2. By the inductive hypothesis, $\lambda(u)$ is defined and so $\lambda(t)$ is defined by Ts3. By Ts4, $\lambda(t) = \lambda(u) \circ r$, where $\lambda(t \upharpoonright A) = \lambda(u \upharpoonright A) \circ r$, and so $r = \langle a \rangle$ by Ts2. By the inductive hypothesis, $\lambda(u) = u$ and so $\lambda(t) = u \circ \langle a \rangle = t$. □
Proposition A.11. Let $t$ be a trace such that $\lambda(t)$ is defined and let $A \in \mathit{AllSet}$, where $B = \lambda(A)$. Then $\lambda(t \setminus A)$ is defined and $\lambda(t \setminus A) = \lambda(t) \setminus B$.

Proof. We pro

ceed by induction on the length of $t$. In the base case, when $t = \langle\rangle$, the proof is immediate by proposition A.9. Let $t = u \circ \langle a \rangle$. Hence, by proposition A.7, there exists $A' \in \mathit{MinSet}$ such that $a \in A'$. We consider each of two cases in turn.

Case 1: $a \in A$. In this case, $\lambda(t \setminus A) = \lambda(u \setminus A)$ and so $\lambda(t \setminus A)$ is defined by the inductive hypothesis. By Ts4, $\lambda(t) = \lambda(u) \circ r$ such that, by proposition A.8, $\mathit{events}(r) \subseteq B$. Hence, by the inductive hypothesis,
$$\lambda(t \setminus A) = \lambda(u \setminus A) = \lambda(u) \setminus B = (\lambda(u) \circ r) \setminus B = \lambda(t) \setminus B.$$

Case 2: $a \notin A$. Since $A' \not\subseteq A$, $A' \cap A = \emptyset$ by proposition A.4. Hence, $(t \setminus A) \upharpoonright A' = t \upharpoonright A'$ and so $\lambda((t \setminus A) \upharpoonright A')$ is defined by Ts3. Since $\lambda(u \setminus A)$ is defined by the inductive hypothesis, then $\lambda(t \setminus A)$ is defined also by Ts3. By Ts4, $\lambda(t) = \lambda(u) \circ r$ such that $\lambda(t \upharpoonright A') = \lambda(u \upharpoonright A') \circ r$. Also by Ts4, $\lambda(t \setminus A) = \lambda(u \setminus A) \circ x$, such that $\lambda((t \setminus A) \upharpoonright A') = \lambda((u \setminus A) \upharpoonright A') \circ x$. Thus, since $A' \cap A = \emptyset$, $\lambda(t \setminus A) = \lambda(u \setminus A) \circ r$. By proposition A.8, $\mathit{events}(r) \cap B = \emptyset$. Hence, by the inductive hypothesis,
$$\lambda(t \setminus A) = \lambda(u \setminus A) \circ r = (\lambda(u) \setminus B) \circ r = (\lambda(u) \circ r) \setminus B = \lambda(t) \setminus B.$$
□
Proposition A.12. Let $s, u$ be traces such that $\lambda(s)$ and $\lambda(u)$ are defined. Let $Y \in \mathit{AllSet}$ be such that $[\![\mathit{events}(s)]\!] \cap [\![\mathit{events}(u)]\!] \subseteq Y$, where $\lambda(Y) = Z$. If $t \in s \|_Y u$, then $\lambda(t)$ is defined and $\lambda(t) \in \lambda(s) \|_Z \lambda(u)$.

Proof. Let $t \in (s \|_Y u)$. Note by TRP that $t \upharpoonright Y = s \upharpoonright Y = u \upharpoonright Y$. We proceed by induction on the length of $t$. In the base case, when $t = s = u = \langle\rangle$, the proof is immediate by proposition A.9. Let $t = p \circ \langle a \rangle$. We consider each of two cases in turn.

Case 1: $a \in Y$. In this case, $s = v \circ \langle a \rangle$ and $u = w \circ \langle a \rangle$ for some $v, w$. Hence, by proposition A.7, there exists $A \in \mathit{MinSet}$ such that $a \in A$. Since $A \cap Y \neq \emptyset$, $A \subseteq Y$ by proposition A.4. Thus, $t \upharpoonright A = s \upharpoonright A = u \upharpoonright A$. Hence, since $\lambda(s)$ is defined, $\lambda(t \upharpoonright A)$ is defined by Ts3. By the inductive hypothesis, $\lambda(p)$ is defined and so $\lambda(t)$ is defined by Ts3. By Ts4 and since $t \upharpoonright A = s \upharpoonright A = u \upharpoonright A$, $\lambda(t) = \lambda(p) \circ r$, $\lambda(s) = \lambda(v) \circ r$ and $\lambda(u) = \lambda(w) \circ r$ such that, by proposition A.8, $\mathit{events}(r) \subseteq Z$. By the inductive hypothesis, $\lambda(p) \in \lambda(v) \|_Z \lambda(w)$ and so $\lambda(p) \circ r \in (\lambda(v) \circ r \|_Z \lambda(w) \circ r)$.

Case 2: $a \notin Y$. Wlog, we assume that $s = v \circ \langle a \rangle$. Hence, by proposition A.7, there exists $A \in \mathit{MinSet}$ such that $a \in A$. Since $A \not\subseteq Y$, then $A \cap Y = \emptyset$ by proposition A.4. Since $A \cap \mathit{events}(s) \neq \emptyset$, $A \subseteq [\![\mathit{events}(s)]\!]$ by proposition A.4. Since $[\![\mathit{events}(s)]\!] \cap [\![\mathit{events}(u)]\!] \subseteq Y$, then $A \not\subseteq [\![\mathit{events}(u)]\!]$. Hence, by proposition A.4, $A \cap [\![\mathit{events}(u)]\!] = \emptyset$ and so $t \upharpoonright A = s \upharpoonright A$. Since $\lambda(s)$ is defined, $\lambda(t \upharpoonright A)$ is defined by Ts3. Thus, by Ts3 and the inductive hypothesis, $\lambda(t)$ is defined. By Ts4 and since $t \upharpoonright A = s \upharpoonright A$, $\lambda(t) = \lambda(p) \circ r$ and $\lambda(s) = \lambda(v) \circ r$ such that, by proposition A.8, $\mathit{events}(r) \cap Z = \emptyset$. By the inductive hypothesis, $\lambda(p) \in \lambda(v) \|_Z \lambda(u)$. It therefore follows that $\lambda(p) \circ r \in (\lambda(v) \circ r \|_Z \lambda(u))$. □
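The trace operators that the proofs of propositions A.3, A.12 and theorem 3.17 manipulate (events(t), restriction t ↾ A, hiding t \ A and synchronised parallel s ||_Y u) can be checked mechanically on small inputs. The following Python module is an added example and is not code from the thesis: it implements Roscoe's recursive trace clauses for generalised parallel and uses them to check the facts the proofs lean on, namely TRP (every t in s ||_Y u agrees with s and u on Y, and the composition is empty exactly when s ↾ Y ≠ u ↾ Y), the identity t \ A = t ↾ (Σ − A) behind proposition A.3, and the proposition 2.7 case used at the end of theorem 3.17 (both traces inside the interface). The extraction mapping λ is abstract and is deliberately not modelled; the sample traces and the alphabet Σ are constructed for the example.

```python
"""Trace-level CSP operators used by the proofs in this appendix.

Added worked example (not part of the thesis): events(t), restriction t|`A,
hiding t minus A, and synchronised parallel s ||_Y u on traces, following
Roscoe's trace clauses for generalised parallel. The extraction mapping
lambda is abstract and is not modelled.
"""
from functools import lru_cache
from typing import FrozenSet, Tuple

Trace = Tuple[str, ...]


def events(t: Trace) -> FrozenSet[str]:
    """events(t): the set of events occurring in trace t."""
    return frozenset(t)


def restrict(t: Trace, a: FrozenSet[str]) -> Trace:
    """t |` A: the subsequence of t consisting of the events in A."""
    return tuple(e for e in t if e in a)


def hide(t: Trace, a: FrozenSet[str]) -> Trace:
    """t minus A (hiding): the subsequence of t consisting of events not in A."""
    return tuple(e for e in t if e not in a)


@lru_cache(maxsize=None)
def sync_parallel(s: Trace, u: Trace, y: FrozenSet[str]) -> FrozenSet[Trace]:
    """s ||_Y u on traces: events of Y are performed jointly by both sides, in
    lockstep; all other events are interleaved. An empty result means the two
    traces disagree on their Y-projections."""
    if not s and not u:
        return frozenset({()})
    if not s or not u:
        # One side has finished; the other may only continue with events
        # outside Y, because a Y event would need a partner that is not there.
        rest = s or u
        return frozenset() if events(rest) & y else frozenset({rest})
    x, s_tail = s[0], s[1:]
    z, u_tail = u[0], u[1:]
    out: set = set()
    if x in y and z in y:
        if x == z:                          # joint step on a shared event
            out |= {(x,) + v for v in sync_parallel(s_tail, u_tail, y)}
        # x != z with both in Y: no trace extends here (deadlock)
    elif x in y:                            # only z is free to move
        out |= {(z,) + v for v in sync_parallel(s, u_tail, y)}
    elif z in y:                            # only x is free to move
        out |= {(x,) + v for v in sync_parallel(s_tail, u, y)}
    else:                                   # both free: interleave
        out |= {(x,) + v for v in sync_parallel(s_tail, u, y)}
        out |= {(z,) + v for v in sync_parallel(s, u_tail, y)}
    return frozenset(out)


def trp_holds(s: Trace, u: Trace, y: FrozenSet[str]) -> bool:
    """TRP as used in propositions A.12 and 3.17: every t in s ||_Y u satisfies
    t|`Y = s|`Y = u|`Y, and the composition is empty exactly when s|`Y != u|`Y."""
    ts = sync_parallel(s, u, y)
    if restrict(s, y) != restrict(u, y):
        return ts == frozenset()
    return bool(ts) and all(restrict(t, y) == restrict(s, y) for t in ts)


def hide_is_restrict_to_complement(t: Trace, a: FrozenSet[str],
                                   sigma: FrozenSet[str]) -> bool:
    """The identity behind proposition A.3: when events(t) lies within Sigma,
    hiding A from t equals restricting t to Sigma - A."""
    if not events(t) <= sigma:
        raise ValueError("t must range over the alphabet Sigma")
    return hide(t, a) == restrict(t, sigma - a)


def prop_2_7_holds(s: Trace, u: Trace, y: FrozenSet[str]) -> bool:
    """The proposition 2.7 case used at the end of theorem 3.17: when all events
    of s and u lie in Y, s ||_Y u is {s} if s == u and empty otherwise."""
    if not (events(s) <= y and events(u) <= y):
        raise ValueError("both traces must lie inside the interface Y")
    expected = frozenset({s}) if s == u else frozenset()
    return sync_parallel(s, u, y) == expected


if __name__ == "__main__":
    # Constructed sample traces (not from the thesis); 'c' is the shared event.
    Y = frozenset({"c"})
    s, u = ("a", "c", "b"), ("d", "c", "e")
    for t in sorted(sync_parallel(s, u, Y)):
        print(t)
```

Running the module lists the four interleavings of the two constructed traces that agree on the shared event c; swapping u for one whose c-projection differs (for example ("c", "c")) yields the empty set, which is the TRP direction that the contradiction argument in theorem 3.17 relies on.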
Proposition A.13. Let $Q$ be an implementation process. If $\alpha Q \subseteq F_{vis}$, then $\lambda(\tau Q)$ is defined and $\lambda(\tau Q) = \tau Q$.

Proof. We assume that $\alpha Q \subseteq F_{vis}$ and so, by PA1, $\mathit{events}(t) \subseteq F_{vis}$ for every $t \in \tau Q$. The proof follows by Ts1 and proposition A.10. □
Proposition A.14. Let $Q$ be an implementation process. If $\lambda(\tau Q)$ is defined, $A \in \mathit{AllSet}$ and $\lambda(\setminus A) = \setminus B$, then:
1. $\lambda(\tau(Q \setminus A))$ is defined.
2. $\lambda(\tau(Q \setminus A)) = \lambda(\tau Q) \setminus B$.

Proof. We assume that $\lambda(\tau Q)$ is defined, $A \in \mathit{AllSet}$ and $\lambda(\setminus A) = \setminus B$. By S6, $B = \lambda(A)$. Let $t \in \tau Q$. Then $\lambda(t)$ is defined by Ts1. Also by Ts1, it suffices to show that $\lambda(t \setminus A)$ is defined and $\lambda(t \setminus A) = \lambda(t) \setminus B$, which follows by proposition A.11. □
Proposition A.15. Let $P, Q$ be implementation processes. If $\lambda(\tau P)$, $\lambda(\tau Q)$ are defined and $Y = \alpha P \cap \alpha Q$, where $\lambda(\|_Y) = \|_Z$, then:
1. $\lambda(\tau(P \|_Y Q))$ is defined.
2. $\lambda(\tau(P \|_Y Q)) \subseteq \lambda(\tau P) \|_Z \lambda(\tau Q)$.

Proof. We assume that $\lambda(\tau P)$, $\lambda(\tau Q)$ are defined and $Y = \alpha P \cap \alpha Q$, where $\lambda(\|_Y) = \|_Z$. That $Y \in \mathit{AllSet}$ follows by S2 and proposition A.5(1). By S7, $Z = \lambda(Y)$. Let $t \in \tau(P \|_Y Q)$ be such that $t \in (s \|_Y u)$ for $s \in \tau P$ and $u \in \tau Q$. By Ts1, $\lambda(s)$ and $\lambda(u)$ are defined. Also by Ts1, it suffices to show that $\lambda(t)$ is defined and $\lambda(t) \in \lambda(s) \|_Z \lambda(u)$. By PA1, $\mathit{events}(s) \subseteq \alpha P$ and so $[\![\mathit{events}(s)]\!] \subseteq \alpha P$ since $\alpha P \in \mathit{AllSet}$. Similarly, $[\![\mathit{events}(u)]\!] \subseteq \alpha Q$. Hence, $[\![\mathit{events}(s)]\!] \cap [\![\mathit{events}(u)]\!] \subseteq \alpha P \cap \alpha Q = Y$. The proof follows by proposition A.12. □

Proof of theorem 3.20

Proof. The proof is similar to that of theorem 3.1, using propositions A.13, A.14 and A.15 in place of conditions RAH1-3. □
A.4 Proofs from section 3.5 
Proposition A.16. Let $Q$ be an implementation process. $\lambda([Q]_T)$ is defined if and only if $\lambda([Q]_{SF})$ is defined.

Proof. ($\Rightarrow$) We assume that $\lambda([Q]_T)$ is defined. Let $(t, R) \in \phi Q$. By definition 3.12 (parts 1 and 3a), it suffices to show that $\lambda(R \cap \alpha Q, t)$ is defined. By SF2, $t \in \tau Q$ and so $\lambda(t)$ is defined by definition 3.3. Since $\alpha Q \in \mathit{AllSet}$, $R \cap \alpha Q \subseteq \Sigma_{impl}$ by proposition 3.9(3). Hence, by definition 3.12(3), $\lambda(R \cap \alpha Q, t)$ is defined.

($\Leftarrow$) We assume that $\lambda([Q]_{SF})$ is defined. The proof follows immediately by definition 3.12(1). □
Proof of theorem 3.21

Proof. We consider TI1, TI2 and TI3 in turn.

1. Let $Q$ be an implementation process such that $\alpha Q \subseteq F_{vis}$. By TI1, we have to show that $\lambda(\tau Q)$ is defined and $\lambda(\tau Q) = \tau Q$. By SFI1, $\lambda((\tau Q, \phi Q))$ is defined and $\lambda((\tau Q, \phi Q)) = (\tau Q, \phi Q)$. Hence, by definition 3.12(1), $\lambda(\tau Q)$ is defined. Moreover, by definition 3.12(2), $(\lambda(\tau Q), \lambda(\phi Q)) = (\tau Q, \phi Q)$.

2. Let $Q$ be an implementation process such that $\lambda(\tau Q)$ is defined. Moreover, let $A \in \mathit{AllSet}$ and $\lambda(\setminus A) = \setminus B$. By TI2, we have to show that $\lambda(\tau(Q \setminus A))$ is defined and $\lambda(\tau(Q \setminus A)) = \lambda(\tau Q) \setminus B$. By proposition A.16, $\lambda([Q]_{SF})$ is defined. Hence, by SFI2, $\lambda([Q \setminus A]_{SF})$ is defined and so, by definition 3.12(1), $\lambda(\tau(Q \setminus A))$ is defined. Also by SFI2, $\lambda([Q \setminus A]_{SF}) = \lambda([Q]_{SF}) \setminus B$. Thus, by definition 3.12(2),
$$(\lambda(\tau(Q \setminus A)), \lambda(\phi(Q \setminus A))) = (\lambda(\tau Q) \setminus B, \lambda(\phi Q) \setminus B).$$

3. Let $P, Q$ be implementation processes such that $\lambda(\tau P)$ and $\lambda(\tau Q)$ are defined. Moreover, let $Y = \alpha P \cap \alpha Q$ and $\lambda(\|_Y) = \|_Z$. By TI3, we have to show that $\lambda(\tau(P \|_Y Q))$ is defined and $\lambda(\tau(P \|_Y Q)) = \lambda(\tau P) \|_Z \lambda(\tau Q)$. By proposition A.16, $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined. Hence, by SFI3, $\lambda([P \|_Y Q]_{SF})$ is defined and so, by definition 3.12(1), $\lambda(\tau(P \|_Y Q))$ is defined. Also by SFI3, $\lambda([P \|_Y Q]_{SF}) = \lambda([P]_{SF}) \|_Z \lambda([Q]_{SF})$. Thus, by definition 3.12(2),
$$(\lambda(\tau(P \|_Y Q)), \lambda(\phi(P \|_Y Q))) = (\lambda(\tau P) \|_Z \lambda(\tau Q), \lambda(\phi P) \|_Z \lambda(\phi Q)).$$
□
Proof of theorem 3.22

Proof. By definition 3.12(3b), both $\lambda(\phi P)$ and $\lambda(\phi Q)$ are subset-closed. Also by definition 3.12(3b),
$$(t, R) \in \lambda(\phi P) \implies (t, R \cup (\Sigma - \lambda(\alpha P))) \in \lambda(\phi P).$$
Hence, $\lambda(\alpha P) \in R(\lambda(\phi P))$ by definition 2.5 and, similarly, $\lambda(\alpha Q) \in R(\lambda(\phi Q))$. Since $Y = \alpha P \cap \alpha Q$ and $\alpha P, \alpha Q \in \mathit{AllSet}$, then $Z = \lambda(\alpha P) \cap \lambda(\alpha Q)$ by proposition 3.8(2). The proof follows by proposition 2.19. □
Proof of proposition 3.23

Proof. Let $Q$ be an implementation process such that $\alpha Q \subseteq F_{vis}$. By SFI1, $\lambda((\tau Q, \phi Q))$ is defined and $\lambda((\tau Q, \phi Q)) = (\tau Q, \phi Q)$. Hence, by definition 3.12(1), $\lambda(\phi Q)$ is defined. Moreover, by definition 3.12(2), $(\lambda(\tau Q), \lambda(\phi Q)) = (\tau Q, \phi Q)$. □
Proof of proposition 3.24

Proof. Let $Q$ be an implementation process such that $\lambda([Q]_{SF})$ is defined. Moreover, let $A \in \mathit{AllSet}$ and $\lambda(A) = B$. By theorem 3.16, $\lambda(\setminus A) = \setminus B$. By SFI2, $\lambda([Q \setminus A]_{SF})$ is defined and so, by definition 3.12(1), $\lambda(\phi(Q \setminus A))$ is defined. Also by SFI2, $\lambda([Q \setminus A]_{SF}) = \lambda([Q]_{SF}) \setminus B$. Thus, by definition 3.12(2),
$$(\lambda(\tau(Q \setminus A)), \lambda(\phi(Q \setminus A))) = (\lambda(\tau Q) \setminus B, \lambda(\phi Q) \setminus B).$$
□
Proof of proposition 3.25

Proof. Let $P, Q$ be implementation processes such that $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined. Moreover, let $Y = \alpha P \cap \alpha Q$ and $\lambda(Y) = Z$. Since $\alpha P, \alpha Q \in \mathit{AllSet}$, then $Y \in \mathit{AllSet}$ by proposition 3.8(1). By theorem 3.17, $\lambda(\|_Y) = \|_Z$. By SFI3, $\lambda([P \|_Y Q]_{SF})$ is defined and so, by definition 3.12(1), $\lambda(\phi(P \|_Y Q))$ is defined. Also by SFI3, $\lambda([P \|_Y Q]_{SF}) = \lambda([P]_{SF}) \|_Z \lambda([Q]_{SF})$. Thus, by definition 3.12(2),
$$(\lambda(\tau(P \|_Y Q)), \lambda(\phi(P \|_Y Q))) = (\lambda(\tau P) \|_Z \lambda(\tau Q), \lambda(\phi P) \|_Z \lambda(\phi Q)).$$
□
Proof of theorem 3.26

Proof. Before proceeding with the proof proper, we show the following result.
$$\lambda(F_{vis}) = F_{vis}. \qquad \text{(A.3)}$$
By proposition 3.12, $F_{vis} \in \mathit{AllSet}$ and so, by definition 3.8,
$$\lambda(F_{vis}) = \bigcup\{\mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq F_{vis}\}.$$
Hence, by RAH1-T and proposition 3.5, $\lambda(F_{vis}) = F_{vis}$.

We now proceed with the proof proper. Let $T_{F_{vis}} = \{\langle a \rangle \mid a \in F_{vis}\}$ (recall that $F_{vis} \neq \emptyset$ and so $T_{F_{vis}} \neq \emptyset$). Let $Q = \mathit{SFT}((t, R \cup (\Sigma - F_{vis})), T_{F_{vis}})$ be a (component) implementation process. By proposition 2.13(3),
$$\beta(Q) = \mathit{events}(t) \cup (\Sigma - (R \cup (\Sigma - F_{vis}))) \cup \bigcup\{\mathit{events}(u) \mid u \in T_{F_{vis}}\}.$$
We then observe that:
• $\mathit{events}(t) \subseteq F_{vis}$.
• $\Sigma - (R \cup (\Sigma - F_{vis})) \subseteq F_{vis}$.
• $\bigcup\{\mathit{events}(u) \mid u \in T_{F_{vis}}\} = F_{vis}$.
Hence, $\beta(Q) = F_{vis}$ and so $\alpha Q = F_{vis}$ by proposition 3.12. Thus, by proposition 3.23, $\lambda(\phi Q)$ is defined and $\lambda(\phi Q) = \phi Q$. By proposition 2.13(2), $\phi Q = \{(t, X) \mid X \subseteq R \cup (\Sigma - F_{vis})\}$. Thus, by definition 3.12(3a) and since $R \subseteq F_{vis} = \alpha Q$, $\lambda(R, t)$ is defined. By definition 3.12(3b) and REF-MONO, $\max(\lambda(\phi Q)) = (\lambda(t), \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q)))$. We also observe that $\max(\phi Q) = (t, R \cup (\Sigma - F_{vis}))$. Hence, since $\lambda(\phi Q) = \phi Q$ and since $\lambda(\alpha Q) = \lambda(F_{vis}) = F_{vis}$ by (A.3),
$$R \cup (\Sigma - F_{vis}) = \lambda(R, t) \cup (\Sigma - F_{vis}).$$
It is immediate that $R \cap (\Sigma - F_{vis}) = \emptyset$. By REF-BOUND, we observe that $\lambda(R, t) \subseteq \lambda(F_{vis}) = F_{vis}$ and so $\lambda(R, t) \cap (\Sigma - F_{vis}) = \emptyset$. Hence, $R = \lambda(R, t)$. □
Proof of theorem 3.27
Proof. Let
• $M = \mathit{MFP}((s, S \cup (\Sigma - \alpha P)), P)$ and
• $N = \mathit{MFP}((u, U \cup (\Sigma - \alpha Q)), Q)$
be (component) implementation processes. By proposition 2.15,
• $\beta(M) = \beta(P)$ and so $\alpha M = \alpha P$.
• $\tau M = \tau P$.
• $\phi M = \{(s, X) \mid X \subseteq S \cup (\Sigma - \alpha P)\} = \{(s, X) \mid X \subseteq S \cup (\Sigma - \alpha M)\}$.
Since $\lambda([P]_{SF})$ is defined, then $\lambda(\tau P)$ and $\lambda(\phi P)$ are defined by definition 3.12(1). Hence, $\lambda(\tau M)$ is defined and so $\lambda([M]_{SF})$ is defined by proposition A.16 ($\lambda(\phi M)$ is also defined by definition 3.12(1)). Similarly,
• $\alpha N = \alpha Q$.
• $\phi N = \{(u, X) \mid X \subseteq U \cup (\Sigma - \alpha Q)\} = \{(u, X) \mid X \subseteq U \cup (\Sigma - \alpha N)\}$.
• $\lambda([N]_{SF})$ is defined (and so $\lambda(\phi N)$ is defined).
We observe that $Y = \alpha P \cap \alpha Q = \alpha M \cap \alpha N$ and so $Y \in \mathit{AllSet}$ by proposition 3.8(1). Hence, $\lambda(\phi(M \parallel_Y N))$ is defined by proposition 3.25(1). Since $\{t\} = (s \parallel_Y u)$, $S \subseteq \alpha P = \alpha M$ and $U \subseteq \alpha Q = \alpha N$, $(t, S \cup U) \in \phi(M \parallel_Y N)$ by theorem 2.20. Moreover, $\alpha(M \parallel_Y N) = \alpha M \cup \alpha N$ by proposition 3.3(2). Thus, $S \cup U \subseteq \alpha(M \parallel_Y N)$. Hence, since $\lambda(\phi(M \parallel_Y N))$ is defined and by definition 3.12(3a), $\lambda(S \cup U, t)$ is defined.
We now show that $\lambda(S \cup U, t) = \lambda(S, s) \cup \lambda(U, u)$. For $(w, X) \in \phi M$, $X \cap \alpha M \subseteq S$. Similarly, for $(w, X) \in \phi N$, $X \cap \alpha N \subseteq U$. Moreover, $S \subseteq \alpha M$, $U \subseteq \alpha N$ and $Y = \alpha M \cap \alpha N$. Hence, by theorem 2.20 and since $\{t\} = (s \parallel_Y u)$,
$$\phi(M \parallel_Y N) = \{(t, X) \mid X \subseteq S \cup U \cup (\Sigma - (\alpha M \cup \alpha N))\}.$$
Recall that $\alpha(M \parallel_Y N) = \alpha M \cup \alpha N$ and $S \cup U \subseteq \alpha M \cup \alpha N$. Thus, by definition 3.12(3b) and REF-MONO,
$$\max(\lambda(\phi(M \parallel_Y N))) = \{(\lambda(t), \lambda(S \cup U, t) \cup (\Sigma - \lambda(\alpha M \cup \alpha N)))\} \quad \text{(A.4)}$$
We then observe that, by definition 3.12(3a,3b), REF-MONO and since $S \subseteq \alpha M$ and $U \subseteq \alpha N$:
• $\lambda(\phi M) = \{(\lambda(s), X) \mid X \subseteq \lambda(S, s) \cup (\Sigma - \lambda(\alpha M))\}$.
• $\lambda(\phi N) = \{(\lambda(u), X) \mid X \subseteq \lambda(U, u) \cup (\Sigma - \lambda(\alpha N))\}$.
Since $\lambda(\phi M)$ is defined, $\lambda(S, s)$ is defined by definition 3.12(3a). Similarly, $\lambda(U, u)$ is defined. By SF2 and PA1, $\mathit{events}(s) \subseteq \alpha M$ and $\mathit{events}(u) \subseteq \alpha N$. Hence, by REF-BOUND, $\lambda(S, s) \subseteq \lambda(\alpha M)$ and $\lambda(U, u) \subseteq \lambda(\alpha N)$. Let $Z = \lambda(Y)$. Thus, by theorem 3.22,
$$\lambda(\phi M) \parallel_Z \lambda(\phi N) = \{(w, X) \mid w \in \lambda(s) \parallel_Z \lambda(u) \wedge X \subseteq \lambda(S, s) \cup \lambda(U, u) \cup (\Sigma - (\lambda(\alpha M) \cup \lambda(\alpha N)))\}.$$
It is then immediate that the following holds:
$$\max(\lambda(\phi M) \parallel_Z \lambda(\phi N)) = \{(w, \lambda(S, s) \cup \lambda(U, u) \cup (\Sigma - (\lambda(\alpha M) \cup \lambda(\alpha N)))) \mid w \in \lambda(s) \parallel_Z \lambda(u)\} \quad \text{(A.5)}$$
By proposition 3.25(2), $\lambda(\phi(M \parallel_Y N)) = \lambda(\phi M) \parallel_Z \lambda(\phi N)$. Moreover, by proposition 3.8(2), $\lambda(\alpha M \cup \alpha N) = \lambda(\alpha M) \cup \lambda(\alpha N)$. Hence, by (A.4) and (A.5),
$$\lambda(S, s) \cup \lambda(U, u) \cup (\Sigma - \lambda(\alpha M \cup \alpha N)) = \lambda(S \cup U, t) \cup (\Sigma - \lambda(\alpha M \cup \alpha N)).$$
By SF2 and PA1, $\mathit{events}(t) \subseteq \alpha(M \parallel_Y N)$. Since $\alpha(M \parallel_Y N) = \alpha M \cup \alpha N$, $\mathit{events}(t) \cup S \cup U \subseteq \alpha M \cup \alpha N$. Hence, since $\lambda(S \cup U, t)$ is defined, $\lambda(S \cup U, t) \subseteq \lambda(\alpha M \cup \alpha N)$ by REF-BOUND. Since $\lambda(S, s) \subseteq \lambda(\alpha M)$ and $\lambda(U, u) \subseteq \lambda(\alpha N)$,
$$\lambda(S, s) \cup \lambda(U, u) \subseteq \lambda(\alpha M) \cup \lambda(\alpha N) = \lambda(\alpha M \cup \alpha N).$$
Hence, $\lambda(S, s) \cup \lambda(U, u) = \lambda(S \cup U, t)$. □
Lemma A.17. Let $P$ be an implementation process such that $\lambda([P]_{SF})$ is defined. Let $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $R \subseteq \alpha P$. Let $A \in \mathit{AllSet}$ and $\lambda(A) = B$. If $A \subseteq R$ then:
1. $B \subseteq \lambda(R, t)$.
2. $\lambda(R - A, t \setminus A)$ is defined and $\lambda(R - A, t \setminus A) = \lambda(R, t) - B$.
Proof. We assume that $A \subseteq R$. Let $Q = \mathit{MFP}((t, R \cup (\Sigma - \alpha P)), P)$ be a (component) implementation process. By proposition 2.15,
• $\beta(Q) = \beta(P)$ and so $\alpha Q = \alpha P$.
• $\tau Q = \tau P$.
• $\phi Q = \{(t, X) \mid X \subseteq R \cup (\Sigma - \alpha P)\} = \{(t, X) \mid X \subseteq R \cup (\Sigma - \alpha Q)\}$.
Since $\lambda([P]_{SF})$ is defined, then $\lambda(\tau P)$ and $\lambda(\phi P)$ are defined by definition 3.12(1). Hence, $\lambda(\tau Q)$ is defined and so $\lambda([Q]_{SF})$ is defined by proposition A.16. By definition 3.12(1), this also means that $\lambda(\phi Q)$ is defined. We now proceed with the proof proper.
1. By proposition 3.24(1), $\lambda(\phi(Q \setminus A))$ is defined. Since $A \subseteq R$, $\phi(Q \setminus A) \neq \emptyset$ and so, by definition 3.12(3b), $\lambda(\phi(Q \setminus A)) \neq \emptyset$. Hence, by proposition 3.24(2), $\lambda(\phi Q) \setminus B \neq \emptyset$. By definition 3.12(3a,3b), REF-MONO and since $R \subseteq \alpha Q$,
$$\lambda(\phi Q) = \{(\lambda(t), X) \mid X \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))\}.$$
Thus, $B \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))$. Let $I, J$ be indexing sets into $\mathit{MinSet}$ such that $A = \bigcup_{i \in I} A_i$ and $\alpha Q = \bigcup_{j \in J} A_j$. Since $A \subseteq R \subseteq \alpha Q$ and by definition 3.5, $I \subseteq J$. Hence, by proposition 3.6, $B \subseteq \lambda(\alpha Q)$ and so $B \subseteq \lambda(R, t)$.
2. Since $A \subseteq R \subseteq \alpha Q$ and $\alpha(Q \setminus A) = \alpha Q - A$ by proposition 3.3(1),
$$\phi(Q \setminus A) = \{(t \setminus A, X) \mid X \subseteq R \cup (\Sigma - \alpha Q)\} = \{(t \setminus A, X) \mid X \subseteq (R - A) \cup (\Sigma - \alpha(Q \setminus A))\}.$$
Since $R \subseteq \alpha Q$ and $\alpha(Q \setminus A) = \alpha Q - A$, then $R - A \subseteq \alpha(Q \setminus A)$. By proposition 3.24(1), $\lambda(\phi(Q \setminus A))$ is defined. Hence, by definition 3.12(3a), $\lambda(R - A, t \setminus A)$ is defined. Also, by definition 3.12(3b) and REF-MONO,
$$\lambda(\phi(Q \setminus A)) = \{(\lambda(t \setminus A), X) \mid X \subseteq \lambda(R - A, t \setminus A) \cup (\Sigma - \lambda(\alpha(Q \setminus A)))\}.$$
By proposition 3.8(2), $\lambda(\alpha(Q \setminus A)) = \lambda(\alpha Q - A) = \lambda(\alpha Q) - B$. Moreover, by the proof of part 1 of the lemma, $B \subseteq \lambda(\alpha Q)$. Hence,
$$\Sigma - \lambda(\alpha(Q \setminus A)) = (\Sigma - \lambda(\alpha Q)) \cup (B \cap \lambda(\alpha Q)) = (\Sigma - \lambda(\alpha Q)) \cup B.$$
Thus, we have that
$$\lambda(\phi(Q \setminus A)) = \{(\lambda(t \setminus A), X) \mid X \subseteq \lambda(R - A, t \setminus A) \cup B \cup (\Sigma - \lambda(\alpha Q))\}$$
and so it is immediate that
$$\max(\lambda(\phi(Q \setminus A))) = (\lambda(t \setminus A), \lambda(R - A, t \setminus A) \cup B \cup (\Sigma - \lambda(\alpha Q))). \quad \text{(A.6)}$$
Since $\lambda(\phi Q) = \{(\lambda(t), X) \mid X \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))\}$ and $B \subseteq \lambda(R, t)$ by (the proof of) part 1 of the lemma,
$$\lambda(\phi Q) \setminus B = \{(\lambda(t) \setminus B, X) \mid X \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))\}$$
and so
$$\max(\lambda(\phi Q) \setminus B) = (\lambda(t) \setminus B, \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))). \quad \text{(A.7)}$$
By proposition 3.24(2), $\lambda(\phi(Q \setminus A)) = \lambda(\phi Q) \setminus B$ and so, by (A.6) and (A.7),
$$\lambda(R - A, t \setminus A) \cup B \cup (\Sigma - \lambda(\alpha Q)) = \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q)).$$
Since $\lambda(\phi Q)$ is defined and $R \subseteq \alpha Q$, then $\lambda(R, t)$ is defined by definition 3.12(3a); moreover, $\mathit{events}(t) \subseteq \alpha Q$ by SF2 and PA1. Hence, by REF-BOUND, $\lambda(R, t) \subseteq \lambda(\alpha Q)$. Recall that we have already shown that $B \subseteq \lambda(\alpha Q)$. Since $\mathit{events}(t \setminus A) \cup (R - A) \subseteq \alpha(Q \setminus A)$ and $\lambda(R - A, t \setminus A)$ is defined, then $\lambda(R - A, t \setminus A) \subseteq \lambda(\alpha(Q \setminus A)) = \lambda(\alpha Q) - B$ also by REF-BOUND. Hence,
$$\lambda(R - A, t \setminus A) = \lambda(R, t) - B.$$
□
Proposition A.18. We assume the following, where $A \in \mathit{AllSet}$.
• $T_A = \{u \in \mathit{BTrace} \mid \mathit{events}(u) \subseteq A\} \cup \{\langle\rangle\}$.
• $(t, R \cup (\Sigma - A))$ is a failure such that $\mathit{events}(t) \cup R \subseteq A$, $\lambda(t)$ is defined and $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in A - R$.
• $Q = \mathit{SFT}((t, R \cup (\Sigma - A)), T_A)$ is a (component) implementation process.
Then:
1. $\lambda([Q]_{SF})$ is defined.
2. $(t, R \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal.
3. $\alpha Q = A$ and so $R \subseteq \alpha Q$.
Proof. By proposition 2.13(3),
$$\beta(Q) = \mathit{events}(t) \cup (\Sigma - (R \cup (\Sigma - A))) \cup \bigcup\{ \mathit{events}(u) \mid u \in T_A \}.$$
We then observe the following:
• $\mathit{events}(t) \subseteq A$.
• $\Sigma - (R \cup (\Sigma - A)) \subseteq A$.
• $\bigcup\{ \mathit{events}(u) \mid u \in T_A \} = A$ by proposition 3.5.
Hence, $\beta(Q) = A$ and so $\alpha Q = A$, which means that $R \subseteq \alpha Q$. By proposition 2.13(1,2),
• $\phi Q = \{(t, X) \mid X \subseteq R \cup (\Sigma - A)\} = \{(t, X) \mid X \subseteq R \cup (\Sigma - \alpha Q)\}$.
• $\tau Q = \mathit{Pref}(T_A) \cup \mathit{Pref}(t) \cup \{t \circ \langle a \rangle \mid a \in \Sigma - (R \cup (\Sigma - A))\}$.
Hence, it is immediate that $(t, R \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal. By PREF-CLOS and theorem 3.14, $\lambda(u)$ is defined for every $u \in \mathit{Pref}(T_A) \cup \mathit{Pref}(t)$. We know that $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in A - R$. Hence, by definition 3.3 and since $\Sigma - (R \cup (\Sigma - A)) = A - R$, $\lambda(\tau Q)$ is defined. Thus, by proposition A.16, $\lambda([Q]_{SF})$ is defined. □
Proof of theorem 3.28
Proof. The proof of part 1 of the theorem is immediate by lemma A.17(1) and we therefore consider part 2. We assume the following:
• $T_A = \{u \in \mathit{BTrace} \mid \mathit{events}(u) \subseteq A\} \cup \{\langle\rangle\}$.
• $Q = \mathit{MFTP}((t, R \cup A \cup (\Sigma - (\alpha P \cup A))), T_A, P)$ is a (component) implementation process.
By proposition 2.16,
• $\tau Q = \tau P \cup \mathit{Pref}(T_A)$.
• $\phi Q = \phi P \cup \{(t, X) \mid X \subseteq R \cup A \cup (\Sigma - (\alpha P \cup A))\}$.
• $\beta(Q) = \beta(P) \cup \bigcup\{ \mathit{events}(u) \mid u \in T_A \}$.
By proposition 3.5, $\beta(Q) = \beta(P) \cup A$ and so $\alpha Q = \alpha P \cup A$. Hence,
$$\phi Q = \phi P \cup \{(t, X) \mid X \subseteq R \cup A \cup (\Sigma - \alpha Q)\}.$$
Since $\lambda([P]_{SF})$ is defined, $\lambda(\tau P)$ is defined by definition 3.12(1). By theorem 3.14 and PREF-CLOS, $\lambda(u)$ is defined for every $u \in \mathit{Pref}(T_A)$ and so, by definition 3.3, $\lambda(\tau Q)$ is defined. Hence, $\lambda([Q]_{SF})$ is defined by proposition A.16.
Since $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ is refusal-maximal, it is also the case that $(t, (R \cup A) \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal. Moreover, since $R \subseteq \alpha P$, then $R \cup A \subseteq \alpha Q$. Hence, by lemma A.17(2), $\lambda((R \cup A) - A, t \setminus A) = \lambda(R - A, t \setminus A)$ is defined and
$$\lambda(R - A, t \setminus A) = \lambda((R \cup A) - A, t \setminus A) = \lambda(R \cup A, t) - B. \quad \text{(A.8)}$$
We also assume that $K = \mathit{SFT}((t \upharpoonright A, A \cup (\Sigma - A)), T_A)$ is a (component) implementation process. Since $(t, \emptyset) \in \phi P$, then $t \in \tau P$ by SF2. Thus, $\lambda(t)$ is defined by definition 3.3 and so, by proposition A.3, $\lambda(t \upharpoonright A)$ is defined. Thus, by proposition A.18,
• $\lambda([K]_{SF})$ is defined.
• $(t \upharpoonright A, A \cup (\Sigma - \alpha K)) \in \phi K$ is refusal-maximal.
• $\alpha K = A$.
Let $Y = \alpha P \cap \alpha K$. By SF2 and PA1, $\mathit{events}(t) \subseteq \alpha P$ and $\mathit{events}(t \upharpoonright A) \subseteq \alpha K$ and so $\mathit{events}(t \upharpoonright A) \subseteq Y$. Moreover, since $\alpha K = A$, we observe that $Y \subseteq A$ and so $\mathit{events}(t \setminus A) \cap Y = \emptyset$. Hence, $\{t\} = t \parallel_Y t \upharpoonright A$. Recall that $\lambda([P]_{SF})$ is defined, $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ is refusal-maximal and $R \subseteq \alpha P$. As a result, by RAH3-SF:
$$\lambda(R \cup A, t) = \lambda(R, t) \cup \lambda(A, t \upharpoonright A).$$
Thus, by (A.8),
$$\lambda(R - A, t \setminus A) = (\lambda(R, t) - B) \cup (\lambda(A, t \upharpoonright A) - B).$$
Since $\lambda(t \upharpoonright A)$ is defined, $\lambda(A, t \upharpoonright A)$ is defined by proposition 3.9(3) and definition 3.12(3). Hence, by REF-BOUND, $\lambda(A, t \upharpoonright A) \subseteq B$ and so
$$\lambda(R - A, t \setminus A) = \lambda(R, t) - B.$$
□
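The trace-level facts that lemma A.17 and the proof of theorem 3.28 rely on can be checked concretely. The following Python example is added here and is not code from the thesis: it implements the standard CSP definitions of restriction $t \upharpoonright A$, hiding $t \setminus A$ and synchronised parallel $s \parallel_Y u$ on finite traces (assumed to match the thesis's operators), and it does not model the refinement mapping $\lambda$. The alphabets, refusals and traces are constructed sample values. It checks (a) that the refusal set $(R - A) \cup (\Sigma - \alpha(Q \setminus A))$ used in lemma A.17(2) is the same set as $R \cup (\Sigma - \alpha Q)$ exactly when $A \subseteq R$, and (b) that $t \parallel_Y (t \upharpoonright A) = \{t\}$ under the side conditions established in the proof of theorem 3.28, while a smaller synchronisation set breaks this.

```python
"""Trace-level CSP operations behind lemma A.17 and the proof of theorem 3.28.

Added example, not code from the thesis. Traces are tuples of event names; the
standard CSP definitions of restriction (t |` A), hiding (t \ A) and
synchronised parallel (s ||_Y u) on traces are assumed. The refinement mapping
lambda is not modelled. All alphabets and traces below are constructed samples.
"""
from typing import FrozenSet, Set, Tuple

Trace = Tuple[str, ...]


def events(t: Trace) -> FrozenSet[str]:
    """events(t): the set of events occurring in t."""
    return frozenset(t)


def restrict(t: Trace, a: Set[str]) -> Trace:
    """t |` A: keep only the events of t that lie in A (order preserved)."""
    return tuple(x for x in t if x in a)


def hide(t: Trace, a: Set[str]) -> Trace:
    """t \\ A: remove every event of A from t."""
    return tuple(x for x in t if x not in a)


def parallel(s: Trace, u: Trace, y: Set[str]) -> Set[Trace]:
    """s ||_Y u: every interleaving of s and u in which events of Y are
    performed jointly (standard recursive definition on traces)."""
    if not s and not u:
        return {()}
    if not s:
        return set() if u[0] in y else {(u[0],) + w for w in parallel((), u[1:], y)}
    if not u:
        return set() if s[0] in y else {(s[0],) + w for w in parallel(s[1:], (), y)}
    x, z = s[0], u[0]
    if x in y and z in y:
        # both sides must synchronise: only possible on the same event
        return {(x,) + w for w in parallel(s[1:], u[1:], y)} if x == z else set()
    out: Set[Trace] = set()
    if x not in y:
        out |= {(x,) + w for w in parallel(s[1:], u, y)}
    if z not in y:
        out |= {(z,) + w for w in parallel(s, u[1:], y)}
    return out


def hidden_refusal_identity(sigma: Set[str], alpha_q: Set[str],
                            r: Set[str], a: Set[str]) -> bool:
    """Lemma A.17(2) rewrites the refusal set R u (Sigma - alpha Q) of Q as
    (R - A) u (Sigma - alpha(Q \\ A)) with alpha(Q \\ A) = alpha Q - A
    (proposition 3.3(1)). Returns whether the two sets coincide; they do
    exactly when the hidden events are already refused, i.e. A is a subset of R."""
    alpha_hidden = alpha_q - a
    via_hiding = (r - a) | (sigma - alpha_hidden)
    original = r | (sigma - alpha_q)
    return via_hiding == original


def synchronised_copy(t: Trace, a: Set[str], alpha_p: Set[str]) -> Set[Trace]:
    """The composition t ||_Y (t |` A) with Y = alpha P ∩ A from the proof of
    theorem 3.28. When events(t |` A) lies inside Y and events(t \\ A) misses Y,
    the result is exactly {t}."""
    y = set(alpha_p) & set(a)
    return parallel(t, restrict(t, a), y)


if __name__ == "__main__":
    # constructed sample: alpha P = {a,b,c}, A = {b,c,d}, t = <a,b,c>, so Y = {b,c}
    print(synchronised_copy(("a", "b", "c"), {"b", "c", "d"}, {"a", "b", "c"}))
    # synchronising only on b: the two copies of c interleave instead of matching
    print(parallel(("a", "b", "c"), ("b", "c"), {"b"}))
    print(hidden_refusal_identity({"a", "b", "c", "d", "e"}, {"a", "b", "c", "d"},
                                  {"b", "c"}, {"c"}))
```

Running the block prints `{('a', 'b', 'c')}`, then `{('a', 'b', 'c', 'c')}` (the trace $t$ is no longer recovered once $Y$ omits $c$), then `True`; calling `hidden_refusal_identity` with $R = \{b\}$ and $A = \{c\}$, so that $A \not\subseteq R$, returns `False`, which is why the lemma carries that hypothesis.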
Proof of theorem 3.30
Proof. We assume that $\lambda(A, t)$ is defined and so $\lambda(t)$ is defined by definition 3.12(3). By REF-BOUND, $\lambda(A, t) \subseteq \lambda(A)$. Hence, it suffices to show that $\lambda(A) \subseteq \lambda(A, t)$. We assume the following:
• $T_A = \{u \in \mathit{BTrace} \mid \mathit{events}(u) \subseteq A\} \cup \{\langle\rangle\}$.
• $Q = \mathit{SFT}((t, A \cup (\Sigma - A)), T_A)$ is a (component) implementation process.
Thus, by proposition A.18,
• $\lambda([Q]_{SF})$ is defined.
• $(t, A \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal.
• $\alpha Q = A$ and so $A \subseteq \alpha Q$.
Hence, by RAH2-SF(1), $\lambda(A) \subseteq \lambda(A, t)$. □
Proof of theorem 3.31
Proof. We first observe that, by definition 3.12(3) and since $\lambda(R, t)$ is defined, $\lambda(t)$ is defined. We assume the following:
• $T_A = \{u \in \mathit{BTrace} \mid \mathit{events}(u) \subseteq A\} \cup \{\langle\rangle\}$.
• $P = \mathit{SFT}((t, R \cup (\Sigma - A)), T_A)$ is a (component) implementation process.
• $Q = \mathit{SFT}((t, S \cup (\Sigma - A)), T_A)$ is a (component) implementation process.
Thus, by proposition A.18,
• $\lambda([P]_{SF})$ is defined.
• $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ is refusal-maximal.
• $\alpha P = A$ and so $R \subseteq \alpha P$.
Similarly,
• $\lambda([Q]_{SF})$ is defined.
• $(t, S \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal.
• $\alpha Q = A$ and so $S \subseteq \alpha Q$.
We observe that $\alpha P \cap \alpha Q = A$ and $\{t\} = t \parallel_A t$. The proof then follows by RAH3-SF. □
Lemma A.19. Let $t$ be a trace and $R \subseteq \Sigma$ such that $\lambda(R, t)$ is defined and $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$. Let $A \in \mathit{AllSet}$, where $\lambda(A) = B$. Then:
1. $\lambda(R \cap A, t \upharpoonright A)$ is defined.
2. $\lambda(R \cap A, t \upharpoonright A) = \lambda(R, t) \cap B$.
Proof. We first observe that, by definition 3.12(3) and since $\lambda(R, t)$ is defined, $\lambda(t)$ is defined. We assume the following:
• $T = \{u \in \mathit{BTrace} \mid \mathit{events}(u) \subseteq [\![ \mathit{events}(t) \cup R ]\!]\} \cup \{\langle\rangle\}$.
• $Q = \mathit{SFT}((t, R \cup (\Sigma - [\![ \mathit{events}(t) \cup R ]\!])), T)$ is a (component) implementation process.
Thus, by proposition A.18,
• $\lambda([Q]_{SF})$ is defined.
• $(t, R \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal.
• $\alpha Q = [\![ \mathit{events}(t) \cup R ]\!]$ and so $R \subseteq \alpha Q$.
Let $\bar{A} = \Sigma_{impl} - A$ and $\bar{B} = \Sigma_{spec} - B$. By proposition A.2, $\bar{A} \in \mathit{AllSet}$ and $\bar{B} = \lambda(\bar{A})$. Thus, by RAH2-SF(2), $\lambda(R - \bar{A}, t \setminus \bar{A})$ is defined and
$$\lambda(R - \bar{A}, t \setminus \bar{A}) = \lambda(R, t) - \bar{B}.$$
By proposition 3.9(3), $A \subseteq \Sigma_{impl}$ and $B \subseteq \Sigma_{spec}$. Hence, $\Sigma_{impl} = A \cup \bar{A}$ and $\Sigma_{spec} = B \cup \bar{B}$. By definition 3.12(3), $R \subseteq \Sigma_{impl}$ and so $R - \bar{A} = R \cap A$. Since $\mathit{events}(t) \subseteq \Sigma_{impl}$ by definition 3.4(1), then $t \setminus \bar{A} = t \upharpoonright A$. Thus, $\lambda(R \cap A, t \upharpoonright A)$ is defined. By proposition 3.9(1,3), $\Sigma_{impl} \in \mathit{AllSet}$ and $\lambda(\Sigma_{impl}) \subseteq \Sigma_{spec}$. Thus, by REF-BOUND, $\lambda(R, t) \subseteq \Sigma_{spec}$ and so $\lambda(R, t) - \bar{B} = \lambda(R, t) \cap B$. Hence, $\lambda(R \cap A, t \upharpoonright A) = \lambda(R, t) \cap B$. □
Proof of theorem 3.32
Proof. 1. The proof is immediate by lemma A.19(1).
2. We observe that, by definition 3.12(3) and since $\lambda(R, t)$ is defined, $R \subseteq \Sigma_{impl}$ and $\lambda(t)$ is defined. Thus, $\mathit{events}(t) \subseteq \Sigma_{impl}$ by definition 3.4(1). By proposition 3.9(1,3), $\Sigma_{impl} \in \mathit{AllSet}$ and $\lambda(\Sigma_{impl}) \subseteq \Sigma_{spec}$. Thus, by REF-BOUND, $\lambda(R, t) \subseteq \Sigma_{spec}$. Moreover, by proposition 3.9(2), $\Sigma_{spec} = \bigcup_{A \in \mathit{MinSet}} \lambda(A)$. We therefore observe that:
$$\lambda(R, t) = \lambda(R, t) \cap \bigcup_{A \in \mathit{MinSet}} \lambda(A) = \bigcup_{A \in \mathit{MinSet}} (\lambda(R, t) \cap \lambda(A)) = \bigcup_{A \in \mathit{MinSet}} \lambda(R \cap A, t \upharpoonright A) \quad \text{(by lemma A.19(2))}.$$
□
Results used in the proof of theorem 3.33
In all of the proofs in the remainder of this section, we assume that the conditions from figures 3.4 and 3.6 all hold.
Proposition A.20. $\lambda(\emptyset, \langle\rangle)$ is defined and $\lambda(\emptyset, \langle\rangle) = \emptyset$.
Proof. By S3, $F_{vis} \in \mathit{AllSet}$ and $F_{vis} \neq \emptyset$. Hence, by S1(c) (definition 3.6), there exists $A \in \mathit{MinSet}$ such that $A \subseteq F_{vis}$. It is immediate that $\mathit{events}(\langle\rangle) \cup \emptyset \subseteq A$ and so the proof follows by SFs2. □
Lemma A.21. Let $t$ be a trace and $R \subseteq \Sigma$. If $\mathit{events}(t) \cup R \subseteq F_{vis}$, then $\lambda(R, t)$ is defined and $\lambda(R, t) = R$.
Proof. We assume that $\mathit{events}(t) \cup R \subseteq F_{vis}$. By S3, $F_{vis} \in \mathit{AllSet}$ and so $F_{vis} \subseteq \Sigma_{impl}$ by S1(c) (definitions 3.5 and 3.6). Thus, $R \subseteq \Sigma_{impl}$. By proposition A.10, $\lambda(t)$ is defined and so $\lambda(R, t)$ is defined by SFs1 (definition 3.12(3)). Since $F_{vis} \in \mathit{AllSet}$, we observe that $[\![ \mathit{events}(t) \cup R ]\!] \subseteq F_{vis}$ and so, by proposition A.10, $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$. Hence, by SFs7, $\lambda(R, t) = \bigcup_{A \in \mathit{MinSet}} \lambda(R \cap A, t \upharpoonright A)$. Let $A \in \mathit{MinSet}$. By proposition A.4, either $A \cap F_{vis} = \emptyset$ or $A \subseteq F_{vis}$. We therefore show that $\lambda(R \cap A, t \upharpoonright A) = R \cap A$ by considering the following two cases in turn.
Case 1: $A \cap F_{vis} = \emptyset$. In this case, by proposition A.20,
$$\lambda(R \cap A, t \upharpoonright A) = \lambda(\emptyset, \langle\rangle) = \emptyset = R \cap A.$$
Case 2: $A \subseteq F_{vis}$. In this case, $\lambda(R \cap A, t \upharpoonright A) = R \cap A$ by SFs2.
Hence,
$$\lambda(R, t) = \bigcup_{A \in \mathit{MinSet}} (R \cap A) = R \cap \bigcup_{A \in \mathit{MinSet}} A = R \cap \Sigma_{impl} \quad \text{(by S1(c) (definition 3.5))} = R.$$
□
Proposition A.22. Let $P$ be an implementation process such that $\lambda([P]_{SF})$ is defined. Let $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $R \subseteq \alpha P$. Then:
1. $\lambda(t)$ is defined.
2. $\lambda(R, t)$ is defined.
3. $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$.
Proof. By SF2, $t \in \tau P$. By SFs1 (definition 3.12(1)), $\lambda(\tau P)$ is defined and so, by Ts1, $\lambda(t)$ is defined. Since $R \subseteq \alpha P$ and $\alpha P \in \mathit{AllSet}$, then $R \subseteq \Sigma_{impl}$ by S1(c) (definitions 3.5 and 3.6). Thus, by SFs1 (definition 3.12(3)), $\lambda(R, t)$ is defined. By proposition 2.5, $t \circ \langle a \rangle \in \tau P$ for every $a \in \Sigma - (R \cup (\Sigma - \alpha P)) = \alpha P - R$. Hence, since $\lambda(\tau P)$ is defined and by Ts1, $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in \alpha P - R$. By PA1, $\mathit{events}(t) \subseteq \alpha P$ and so, since $R \subseteq \alpha P$, $[\![ \mathit{events}(t) \cup R ]\!] \subseteq \alpha P$. Hence, $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$. □
Lemma A.23. Let $P$ be an implementation process such that $\lambda([P]_{SF})$ is defined. Let $(t, R \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $R \subseteq \alpha P$. Let $A \in \mathit{AllSet}$ and $\lambda(A) = B$. Then:
1. If $A \subseteq R$ then $B \subseteq \lambda(R, t)$.
2. $\lambda(R - A, t \setminus A) = \lambda(R, t) - B$.
Proof. By proposition A.22(2,3), $\lambda(R, t)$ is defined and $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$. By S1(c) (definition 3.6), $A = \bigcup_{i \in I} A_i$, where $I$ is an indexing set into $\mathit{MinSet}$. In the event that $A = \emptyset$ and so $I = \emptyset$, $B = \emptyset$ by S5 and so the proof is immediate for both parts of the lemma. We therefore consider the case that $A \neq \emptyset$.
1. We assume that $A \subseteq R$. By SFs7, $\lambda(R \cap A', t \upharpoonright A')$ is defined for every $A' \in \mathit{MinSet}$ and $\lambda(R, t) = \bigcup_{A' \in \mathit{MinSet}} \lambda(R \cap A', t \upharpoonright A')$. Let $i \in I$. Since $A \subseteq R$ and by SFs4,
$$\lambda(R \cap A_i, t \upharpoonright A_i) = \lambda(A_i, t \upharpoonright A_i) = \lambda(A_i).$$
Hence, and by S5, $B = \bigcup_{i \in I} \lambda(A_i) \subseteq \lambda(R, t)$.
2. By proposition A.22(1), $\lambda(t)$ is defined and so $\lambda(t \setminus A)$ is also defined by proposition A.11. Since $\lambda(R, t)$ is defined then $R \subseteq \Sigma_{impl}$ by SFs1 (definition 3.12(3)) and so $(R - A) \subseteq \Sigma_{impl}$. Thus, $\lambda(R - A, t \setminus A)$ is defined by SFs1 (definition 3.12(3)).
Let $J$ be an indexing set into $\mathit{MinSet}$ such that $A' \in \mathit{MinSet}$ only if there exists $j \in J$ such that $A' = A_j$. Then, by SFs7 and S5,
$$\lambda(R, t) - B = \bigcup_{j \in J} \lambda(R \cap A_j, t \upharpoonright A_j) - \bigcup_{i \in I} \lambda(A_i).$$
By SFs7, $\lambda(R \cap A_j, t \upharpoonright A_j)$ is defined and so, by SFs3, $\lambda(R \cap A_j, t \upharpoonright A_j) \subseteq \lambda(A_j)$ for any $j \in J$. Hence, for $i \in I$, $\lambda(R \cap A_i, t \upharpoonright A_i) - \lambda(A_i) = \emptyset$. Moreover, for $j \notin I$ and $i \in I$, $A_j \cap A_i = \emptyset$ by S1(c) (definition 3.5). Thus, by proposition A.6, $\lambda(A_j) \cap \lambda(A_i) = \emptyset$ and so $\lambda(R \cap A_j, t \upharpoonright A_j) \cap \lambda(A_i) = \emptyset$ for $j \notin I$ and $i \in I$. Hence,
$$\lambda(R, t) - B = \bigcup_{j \in J - I} \lambda(R \cap A_j, t \upharpoonright A_j). \quad \text{(A.9)}$$
It is immediate that $[\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] \subseteq [\![ \mathit{events}(t) \cup R ]\!]$; moreover, $[\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] \cap A = \emptyset$. Hence,
$$[\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] - (R - A) \subseteq [\![ \mathit{events}(t) \cup R ]\!] - R$$
and so $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] - (R - A)$. Since $[\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] \cap A = \emptyset$ and by proposition A.11, $\lambda((t \setminus A) \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t \setminus A) \cup (R - A) ]\!] - (R - A)$. We have already shown that $\lambda(R - A, t \setminus A)$ is defined. Hence, by SFs7,
$$\lambda(R - A, t \setminus A) = \bigcup_{j \in J} \lambda((R - A) \cap A_j, (t \setminus A) \upharpoonright A_j).$$
Let $j \in J$. We consider each of two cases in turn.
Case 1: $j \notin I$. In this case, and by S1(c) (definition 3.5), $A_j \cap A = \emptyset$. Thus,
$$\lambda((R - A) \cap A_j, (t \setminus A) \upharpoonright A_j) = \lambda(R \cap A_j, t \upharpoonright A_j).$$
Case 2: $j \in I$. In this case, $A_j \subseteq A$ and so, by proposition A.20,
$$\lambda((R - A) \cap A_j, (t \setminus A) \upharpoonright A_j) = \lambda(\emptyset, \langle\rangle) = \emptyset.$$
Hence, $\lambda(R - A, t \setminus A) = \bigcup_{j \in J - I} \lambda(R \cap A_j, t \upharpoonright A_j)$ and so the proof follows by (A.9). □
Lemma A.24. Let $P$ and $Q$ be implementation processes such that $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined. Let $(s, S \cup (\Sigma - \alpha P)) \in \phi P$ be a refusal-maximal failure such that $S \subseteq \alpha P$. Let $(u, U \cup (\Sigma - \alpha Q)) \in \phi Q$ be a refusal-maximal failure such that $U \subseteq \alpha Q$. Moreover, let $t \in s \parallel_Y u$, where $Y = \alpha P \cap \alpha Q$. Then $\lambda(S \cup U, t) = \lambda(S, s) \cup \lambda(U, u)$.
Proof. We first show the following:
$$\lambda(t) \text{ is defined.} \quad \text{(A.10)}$$
By proposition A.22(1), $\lambda(s)$ and $\lambda(u)$ are defined. By SF2 and PA1, $\mathit{events}(s) \subseteq \alpha P$ and so $[\![ \mathit{events}(s) ]\!] \subseteq \alpha P$. Similarly, $[\![ \mathit{events}(u) ]\!] \subseteq \alpha Q$ and so
$$[\![ \mathit{events}(s) ]\!] \cap [\![ \mathit{events}(u) ]\!] \subseteq \alpha P \cap \alpha Q = Y.$$
Since $\alpha P, \alpha Q \in \mathit{AllSet}$ by S2, then $Y \in \mathit{AllSet}$ by proposition A.5(1). It follows by proposition A.12 that $\lambda(t)$ is defined and so we have shown (A.10).
We now show the following:
$$\lambda(t \circ \langle a \rangle) \text{ is defined for every } a \in [\![ \mathit{events}(t) \cup S \cup U ]\!] - (S \cup U). \quad \text{(A.11)}$$
Let $a \in [\![ \mathit{events}(t) \cup S \cup U ]\!] - (S \cup U)$. Since $[\![ \mathit{events}(t) \cup S \cup U ]\!] \in \mathit{AllSet}$, then, by S1(c) (definition 3.6), there exists $A \in \mathit{MinSet}$ such that $a \in A$. Since $t \in s \parallel_Y u$, then $\mathit{events}(t) = \mathit{events}(s) \cup \mathit{events}(u)$. Thus,
$$[\![ \mathit{events}(s) \cup S ]\!] \cup [\![ \mathit{events}(u) \cup U ]\!] = [\![ \mathit{events}(t) \cup S \cup U ]\!]$$
and so we consider each of two cases in turn.
Case 1: $a \in [\![ \mathit{events}(s) \cup S ]\!]$. We consider each of two sub-cases in turn in order to show that $(t \circ \langle a \rangle) \upharpoonright A = (s \circ \langle a \rangle) \upharpoonright A$.
Case 1a: $a \in Y$. By TRP, $t \upharpoonright Y = s \upharpoonright Y$. Since $A \cap Y \neq \emptyset$, then $A \subseteq Y$ by proposition A.4. Thus, $t \upharpoonright A = s \upharpoonright A$ and so $(t \circ \langle a \rangle) \upharpoonright A = (s \circ \langle a \rangle) \upharpoonright A$.
Case 1b: $a \notin Y$. In this case, $A \not\subseteq Y$ and so $A \cap Y = \emptyset$ by proposition A.4. Since $a \in [\![ \mathit{events}(s) \cup S ]\!]$, then $A \subseteq [\![ \mathit{events}(s) \cup S ]\!]$ by proposition A.4. By SF2 and PA1, $\mathit{events}(s) \subseteq \alpha P$ and we already know that $S \subseteq \alpha P$. Hence, $A \subseteq [\![ \mathit{events}(s) \cup S ]\!] \subseteq \alpha P$. Also by SF2 and PA1, $\mathit{events}(u) \subseteq \alpha Q$. Recall that $\alpha P \cap \alpha Q = Y$. Thus, since $A \cap Y = \emptyset$, $A \cap \alpha Q = \emptyset$ and so $A \cap \mathit{events}(u) = \emptyset$. This means that $t \upharpoonright A = s \upharpoonright A$ and so $(t \circ \langle a \rangle) \upharpoonright A = (s \circ \langle a \rangle) \upharpoonright A$.
Since $a \in [\![ \mathit{events}(s) \cup S ]\!]$ and $a \notin (S \cup U)$, then $a \in [\![ \mathit{events}(s) \cup S ]\!] - S$ and so $\lambda(s \circ \langle a \rangle)$ is defined by proposition A.22(3). Hence, $\lambda((s \circ \langle a \rangle) \upharpoonright A)$ is defined by Ts3. Thus, $\lambda((t \circ \langle a \rangle) \upharpoonright A)$ is defined and, since $\lambda(t)$ is defined by (A.10), $\lambda(t \circ \langle a \rangle)$ is defined by Ts3.
Case 2: $a \in [\![ \mathit{events}(u) \cup U ]\!]$. The proof in this case is similar to that of Case 1.
Hence, we have shown (A.11) and so now proceed with the proof proper. By (A.10), $\lambda(t)$ is defined. By proposition A.22(2), $\lambda(S, s)$ and $\lambda(U, u)$ are defined; thus, by SFs1 (definition 3.12(3)), $S, U \subseteq \Sigma_{impl}$. Hence, $S \cup U \subseteq \Sigma_{impl}$ and so $\lambda(S \cup U, t)$ is defined by SFs1 (definition 3.12(3)).
Let $J$ be an indexing set into $\mathit{MinSet}$ such that $A' \in \mathit{MinSet}$ only if there exists $j \in J$ such that $A' = A_j$. By proposition A.22(2,3), $\lambda(S, s)$ and $\lambda(U, u)$ are defined, $\lambda(s \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(s) \cup S ]\!] - S$ and $\lambda(u \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(u) \cup U ]\!] - U$. Thus, by SFs7,
• $\lambda(S, s) = \bigcup_{j \in J} \lambda(S \cap A_j, s \upharpoonright A_j)$ and $\lambda(S \cap A_j, s \upharpoonright A_j)$ is defined for every $j \in J$.
• $\lambda(U, u) = \bigcup_{j \in J} \lambda(U \cap A_j, u \upharpoonright A_j)$ and $\lambda(U \cap A_j, u \upharpoonright A_j)$ is defined for every $j \in J$.
Moreover, since $\lambda(S \cup U, t)$ is defined and by (A.11) and SFs7,
$$\lambda(S \cup U, t) = \bigcup_{j \in J} \lambda((S \cup U) \cap A_j, t \upharpoonright A_j).$$
Thus, for $j \in J$, it suffices to show that
$$\lambda((S \cup U) \cap A_j, t \upharpoonright A_j) = \lambda(S \cap A_j, s \upharpoonright A_j) \cup \lambda(U \cap A_j, u \upharpoonright A_j).$$
In order to do this, and by proposition A.4, we consider the following two cases in turn.
Case 1: $A_j \subseteq Y$. In this case, by TRP, $t \upharpoonright A_j = s \upharpoonright A_j = u \upharpoonright A_j$. We consider each of two sub-cases in turn.
Case 1a: $S \cap A_j \neq \emptyset$ and $U \cap A_j \neq \emptyset$. By SFs6 and due to the fact that $t \upharpoonright A_j = s \upharpoonright A_j = u \upharpoonright A_j$, it suffices to show that $\lambda(t \upharpoonright A_j \circ \langle a \rangle)$ is defined for every $a \in (A_j - (S \cap A_j)) \cup (A_j - (U \cap A_j))$. Wlog, let $a \in A_j - (S \cap A_j)$. Since $S \cap A_j \neq \emptyset$ and by proposition A.4, $A_j \subseteq [\![ \mathit{events}(s) \cup S ]\!]$. Hence, $A_j - (S \cap A_j) \subseteq [\![ \mathit{events}(s) \cup S ]\!] - S$ and so $\lambda(s \circ \langle a \rangle)$ is defined. Since $a \in A_j$ and $t \upharpoonright A_j = s \upharpoonright A_j$, $\lambda((s \circ \langle a \rangle) \upharpoonright A_j) = \lambda(t \upharpoonright A_j \circ \langle a \rangle)$ is defined by Ts3.
Case 1b: Either $S \cap A_j = \emptyset$ or $U \cap A_j = \emptyset$. Wlog, we assume that $S \cap A_j = \emptyset$. Hence, and since $t \upharpoonright A_j = u \upharpoonright A_j$,
Moreover, by SFs5 and since $t \upharpoonright A_j = s \upharpoonright A_j = u \upharpoonright A_j$,
and so the proof follows in this case.
Case 2: $A_j \cap Y = \emptyset$. Since $\alpha P \cap \alpha Q = Y$, either $A_j \cap \alpha P = \emptyset$ or $A_j \cap \alpha Q = \emptyset$. Wlog, we assume that $A_j \cap \alpha P = \emptyset$ and so $A_j \cap (\mathit{events}(s) \cup S) = \emptyset$. Thus, by proposition A.20, $\lambda(S \cap A_j, s \upharpoonright A_j) = \lambda(\emptyset, \langle\rangle) = \emptyset$. Since $\mathit{events}(s) \cap A_j = \emptyset$, then $t \upharpoonright A_j = u \upharpoonright A_j$. As a result, $\lambda((S \cup U) \cap A_j, t \upharpoonright A_j) = \lambda(U \cap A_j, u \upharpoonright A_j)$ and so the proof follows in this case. □
Proposition A.25. Let $Q$ be an implementation process. If $\lambda(\tau Q)$ is defined then $\lambda([Q]_{SF})$ is defined.
Proof. We assume that $\lambda(\tau Q)$ is defined. Let $(t, R) \in \phi Q$. By SFs1 (definition 3.12 (parts 1 and 3a)), it suffices to show that $\lambda(R \cap \alpha Q, t)$ is defined. By SF2, $t \in \tau Q$ and so $\lambda(t)$ is defined by Ts1. Since $\alpha Q \in \mathit{AllSet}$, $R \cap \alpha Q \subseteq \Sigma_{impl}$ by S1(c) (definitions 3.5 and 3.6). Hence, by SFs1 (definition 3.12(3)), $\lambda(R \cap \alpha Q, t)$ is defined. □
Proposition A.26. Let $Q$ be an implementation process. If $\alpha Q \subseteq F_{vis}$, then $\lambda([Q]_{SF})$ is defined and $\lambda([Q]_{SF}) = [Q]_{SF}$.
Proof. We assume that $\alpha Q \subseteq F_{vis}$. Before proceeding with the proof proper, we first show the following result.
$$\lambda(\alpha Q) = \alpha Q. \quad \text{(A.12)}$$
By S2, $\alpha Q \in \mathit{AllSet}$ and so, by S1(c) (definition 3.6), $\alpha Q = \bigcup_{i \in I} A_i$ where $I$ is an indexing set into $\mathit{MinSet}$. By S5, $\lambda(\alpha Q) = \bigcup_{i \in I} \lambda(A_i)$. In the event that $\alpha Q = \emptyset$ and so $I = \emptyset$ the proof is immediate and so we assume that $\alpha Q \neq \emptyset$. Let $i \in I$ and so $A_i \subseteq \alpha Q \subseteq F_{vis}$. By S1(c) (definition 3.5), $A_i \subseteq \Sigma_{impl}$ and so, by proposition A.9 and definition 3.12(3), $\lambda(A_i, \langle\rangle)$ is defined. Moreover, by SFs2 and SFs4, $A_i = \lambda(A_i, \langle\rangle) = \lambda(A_i)$. Hence, $\lambda(\alpha Q) = \bigcup_{i \in I} A_i = \alpha Q$.
We now proceed with the proof proper. By proposition A.13, $\lambda(\tau Q)$ is defined and so, by proposition A.25, $\lambda([Q]_{SF})$ is defined. Thus, by SFs1 (definition 3.12(1)), $\lambda(\phi Q)$ is defined. Also by proposition A.13, $\lambda(\tau Q) = \tau Q$ and so, by SFs1 (definition 3.12(2)), we have to show that $\lambda(\phi Q) = \phi Q$. By SFs1 (definition 3.12(3b)),
$$\lambda(\phi Q) = \{(\lambda(t), X) \mid (\exists (t, R) \in \phi Q)\; R \subseteq \alpha Q \wedge X \subseteq \lambda(R, t) \cup (\Sigma - \lambda(\alpha Q))\}.$$
Let $(t, R) \in \phi Q$ be such that $R \subseteq \alpha Q \subseteq F_{vis}$. By SF2 and PA1, $\mathit{events}(t) \subseteq \alpha Q \subseteq F_{vis}$. Thus, by proposition A.10, $\lambda(t) = t$. Moreover, by lemma A.21, $\lambda(R, t) = R$. Hence, since $\lambda(\alpha Q) = \alpha Q$ by (A.12),
$$\lambda(\phi Q) = \{(t, X) \mid (\exists (t, R) \in \phi Q)\; R \subseteq \alpha Q \wedge X \subseteq R \cup (\Sigma - \alpha Q)\}.$$
Thus, $\lambda(\phi Q) = \phi Q$ by PA2 and SF3. □
Proposition A.27. Let $P, Q$ be implementation processes and $A, Y \in \mathit{AllSet}$.
1. $\alpha(P \setminus A) = (\alpha P) - A$.
2. $\alpha(P \parallel_Y Q) = \alpha P \cup \alpha Q$.
Proof. 1.
$$\alpha(P \setminus A) = [\![ \beta(P \setminus A) ]\!] \quad \text{(by S2)}$$
$$= [\![ \beta(P) - A ]\!] \quad \text{(by figure 2.5)}$$
$$= [\![ \beta(P) ]\!] - A \quad \text{(since } A \in \mathit{AllSet})$$
$$= (\alpha P) - A \quad \text{(by S2)}$$
2.
$$\alpha(P \parallel_Y Q) = [\![ \beta(P \parallel_Y Q) ]\!] \quad \text{(by S2)}$$
$$= [\![ \beta(P) \cup \beta(Q) ]\!] \quad \text{(by figure 2.5)}$$
$$= [\![ \beta(P) ]\!] \cup [\![ \beta(Q) ]\!]$$
$$= \alpha P \cup \alpha Q \quad \text{(by S2)}$$
□
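The step $[\![ \beta(P) - A ]\!] = [\![ \beta(P) ]\!] - A$ in proposition A.27 holds because $A$ is a union of $\mathit{MinSet}$ blocks, and fails otherwise. The following Python example is added here and is not code from the thesis; it assumes, as the surrounding proofs use definitions 3.5 and 3.6, that $\mathit{MinSet}$ partitions $\Sigma_{impl}$ into pairwise disjoint blocks, that $\mathit{AllSet}$ consists of the unions of blocks, and that $[\![ X ]\!]$ is the smallest member of $\mathit{AllSet}$ containing $X$. The partition used is a constructed sample.

```python
"""Closure under the MinSet partition, as used in proposition A.27.

Added example, not code from the thesis. Assumed (per definitions 3.5 and 3.6
as the proofs use them): MinSet partitions Sigma_impl into pairwise disjoint
blocks, AllSet is the set of unions of blocks, and [[X]] is the smallest member
of AllSet containing X. The blocks below are a constructed sample.
"""
from typing import FrozenSet, Iterable, Tuple

# constructed sample partition of Sigma_impl = {a, b, c, d, e}
MINSET: Tuple[FrozenSet[str], ...] = (
    frozenset({"a", "b"}),
    frozenset({"c"}),
    frozenset({"d", "e"}),
)
SIGMA_IMPL: FrozenSet[str] = frozenset().union(*MINSET)


def closure(x: Iterable[str]) -> FrozenSet[str]:
    """[[X]]: the union of every block of MinSet that meets X."""
    xs = frozenset(x)
    return frozenset().union(*(blk for blk in MINSET if blk & xs))


def in_allset(a: Iterable[str]) -> bool:
    """A in AllSet iff A is a union of blocks: every block lies inside A or misses it."""
    a_ = frozenset(a)
    return a_ <= SIGMA_IMPL and all(blk <= a_ or not (blk & a_) for blk in MINSET)


def alpha_after_hiding(beta_p: Iterable[str],
                       a: Iterable[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Both sides of [[beta(P) - A]] = [[beta(P)]] - A from proposition A.27(1);
    they agree whenever A is in AllSet."""
    b, a_ = frozenset(beta_p), frozenset(a)
    return closure(b - a_), closure(b) - a_


def alpha_parallel(beta_p: Iterable[str],
                   beta_q: Iterable[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Both sides of [[beta(P) u beta(Q)]] = [[beta(P)]] u [[beta(Q)]] from proposition A.27(2)."""
    b, q = frozenset(beta_p), frozenset(beta_q)
    return closure(b | q), closure(b) | closure(q)


def meets_or_inside(blk: FrozenSet[str], f_vis: Iterable[str]) -> bool:
    """The dichotomy of proposition A.4 for a block and an AllSet member F_vis:
    either the block misses F_vis or it lies inside F_vis."""
    f = frozenset(f_vis)
    return (not (blk & f)) or blk <= f


if __name__ == "__main__":
    lhs, rhs = alpha_after_hiding({"a", "c"}, {"c"})   # A = {c} is in AllSet
    print(lhs == rhs, sorted(lhs))
    lhs, rhs = alpha_after_hiding({"a", "c"}, {"a"})   # A = {a} splits the block {a, b}
    print(lhs == rhs, sorted(lhs), sorted(rhs))
```

With $A = \{c\}$ both sides are $\{a, b\}$; with $A = \{a\}$, which is not in $\mathit{AllSet}$, the left side is $\{c\}$ while the right side is $\{b, c\}$, showing why the proof needs $A \in \mathit{AllSet}$ at that step.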
Proposition A.28. Let $Q$ be an implementation process. If $\lambda([Q]_{SF})$ is defined, $A \in \mathit{AllSet}$ and $\lambda(\setminus A) = \setminus B$, then:
1. $\lambda([Q \setminus A]_{SF})$ is defined.
2. $\lambda([Q \setminus A]_{SF}) \subseteq \lambda([Q]_{SF}) \setminus B$.
Proof. We assume that $\lambda([Q]_{SF})$ is defined, $A \in \mathit{AllSet}$ and $\lambda(\setminus A) = \setminus B$. By S6, $B = \lambda(A)$. By SFs1 (definition 3.12(1)), $\lambda(\tau Q)$ is defined and so, by proposition A.14(1), $\lambda(\tau(Q \setminus A))$ is defined. Hence, $\lambda([Q \setminus A]_{SF})$ is defined by proposition A.25. By proposition A.14(2), $\lambda(\tau(Q \setminus A)) = \lambda(\tau Q) \setminus B$ and so, by SFs1 (definition 3.12(2)), it suffices to show that $\lambda(\phi(Q \setminus A)) \subseteq \lambda(\phi Q) \setminus B$.
Let $(t, X) \in \phi(Q \setminus A)$ be refusal-maximal. By SF3, $(t, X \cap \alpha(Q \setminus A)) \in \phi(Q \setminus A)$. Since $\lambda([Q \setminus A]_{SF})$ is defined, then $\lambda(\phi(Q \setminus A))$ is defined by SFs1 (definition 3.12(1)) and so, by SFs1 (definition 3.12(3a)), $\lambda(X \cap \alpha(Q \setminus A), t)$ is defined. By SFs1 (definition 3.12(1)), $\lambda(\phi Q)$ is defined and so, by SFs1 (definition 3.12(3b)), $\lambda(\phi Q)$ and $\lambda(\phi Q) \setminus B$ are subset-closed sets of failures. Hence, by SFs1 (definition 3.12(3b)) and SFs5, it suffices to show that
$$(\lambda(t), \lambda(X \cap \alpha(Q \setminus A), t) \cup (\Sigma - \lambda(\alpha(Q \setminus A)))) \in \lambda(\phi Q) \setminus B.$$
By proposition A.27(1), $\alpha(Q \setminus A) = \alpha Q - A$ and so $\alpha(Q \setminus A) \subseteq \alpha Q$. Hence, $(\Sigma - \alpha Q) \subseteq (\Sigma - \alpha(Q \setminus A))$ and so, by PA2, $(\Sigma - \alpha Q) \subseteq X$. Thus, let $R$ be such that $R \subseteq \alpha Q$ and $X = R \cup (\Sigma - \alpha Q)$. Then,
$$X \cap \alpha(Q \setminus A) = (X \cap \alpha Q) \cap \alpha(Q \setminus A) = R \cap \alpha(Q \setminus A) = R - A.$$
By proposition A.5(2), $\lambda(\alpha(Q \setminus A)) = \lambda(\alpha Q - A) = \lambda(\alpha Q) - B$. Hence, and since $B - \lambda(\alpha Q) \subseteq (\Sigma - \lambda(\alpha Q))$,
$$\Sigma - \lambda(\alpha(Q \setminus A)) = (\Sigma - \lambda(\alpha Q)) \cup (B \cap \lambda(\alpha Q)) = (\Sigma - \lambda(\alpha Q)) \cup B.$$
As a result, we have to show that
$$(\lambda(t), \lambda(R - A, t) \cup B \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q) \setminus B. \quad \text{(**)}$$
Since $(t, R \cup (\Sigma - \alpha Q)) \in \phi(Q \setminus A)$ is refusal-maximal,
• $A \subseteq R \cup (\Sigma - \alpha Q)$.
• $(w, R \cup (\Sigma - \alpha Q)) \in \phi Q$ is refusal-maximal, where $t = w \setminus A$. Moreover, by SF3, $(w, R) \in \phi Q$.
Since $\lambda([Q]_{SF})$ is defined, $\lambda(\tau Q)$ and $\lambda(\phi Q)$ are defined by SFs1 (definition 3.12(1)). By SF2, $w \in \tau Q$ and so, by Ts1, $\lambda(w)$ is defined. Moreover, since $\lambda(\phi Q)$ is defined and $R \subseteq \alpha Q$, and by SFs1 (definition 3.12(3b)),
$$(\lambda(w), \lambda(R, w) \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q).$$
Since $A \subseteq R \cup (\Sigma - \alpha Q)$, then $A \cap \alpha Q \subseteq R$. By proposition A.5, $A \cap \alpha Q \in \mathit{AllSet}$ and $\lambda(A \cap \alpha Q) = B \cap \lambda(\alpha Q)$. Thus, by lemma A.23(1), $B \cap \lambda(\alpha Q) \subseteq \lambda(R, w)$. Thus, since $B - \lambda(\alpha Q) \subseteq (\Sigma - \lambda(\alpha Q))$, $B \subseteq \lambda(R, w) \cup (\Sigma - \lambda(\alpha Q))$. From this and proposition A.11,
$$(\lambda(t), \lambda(R, w) \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q) \setminus B$$
and so
$$(\lambda(t), (\lambda(R, w) - B) \cup B \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q) \setminus B.$$
Thus, by lemma A.23(2),
$$(\lambda(t), \lambda(R - A, t) \cup B \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q) \setminus B$$
and the proof follows by (**). □
Lemma A.29. Let $t$ be a trace and $R \subseteq \Sigma$ such that $\lambda(R, t)$ is defined and $\mathit{events}(t) \cup R \subseteq A \in \mathit{AllSet}$. If, for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$, $\lambda(t \circ \langle a \rangle)$ is defined then $\lambda(R, t) \subseteq \lambda(A)$.
Proof. By S1(c) (definition 3.6), $A = \bigcup_{i \in I} A_i$, where $I$ is an indexing set into $\mathit{MinSet}$. In the event that $A = \emptyset$, $\lambda(R, t) = \lambda(\emptyset, \langle\rangle) = \emptyset$ by proposition A.20 and so we consider the case that $A \neq \emptyset$. We assume that $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R ]\!] - R$. Let $J$ be an indexing set into $\mathit{MinSet}$ such that $A' \in \mathit{MinSet}$ only if there exists $j \in J$ such that $A' = A_j$. By SFs7, $\lambda(R \cap A_j, t \upharpoonright A_j)$ is defined for every $j \in J$ and
$$\lambda(R, t) = \bigcup_{j \in J} \lambda(R \cap A_j, t \upharpoonright A_j).$$
Let $j \in J$. It suffices to show that $\lambda(R \cap A_j, t \upharpoonright A_j) \subseteq \lambda(A)$ and we consider each of two cases in turn.
Case 1: $j \notin I$. By S1(c) (definition 3.5), $A_j \cap A = \emptyset$. As a result, $\lambda(R \cap A_j, t \upharpoonright A_j) = \lambda(\emptyset, \langle\rangle) = \emptyset$ by proposition A.20.
Case 2: $j \in I$. By SFs3 and S5,
□
Proposition A.30. Let $P, Q$ be implementation processes. If $\lambda([P]_{SF})$, $\lambda([Q]_{SF})$ are defined and $Y = \alpha P \cap \alpha Q$, where $\lambda(\parallel_Y) = \parallel_Z$, then:
1. $\lambda([P \parallel_Y Q]_{SF})$ is defined.
2. $\lambda([P \parallel_Y Q]_{SF}) \subseteq \lambda([P]_{SF}) \parallel_Z \lambda([Q]_{SF})$.
Proof. We assume that $\lambda([P]_{SF})$, $\lambda([Q]_{SF})$ are defined and $Y = \alpha P \cap \alpha Q$, where $\lambda(\parallel_Y) = \parallel_Z$. That $Y \in \mathit{AllSet}$ follows by S2 and proposition A.5(1). Thus, by S7, $Z = \lambda(Y)$. By SFs1 (definition 3.12(1)), $\lambda(\tau P)$ and $\lambda(\tau Q)$ are defined and so, by proposition A.15(1), $\lambda(\tau(P \parallel_Y Q))$ is defined. Hence, $\lambda([P \parallel_Y Q]_{SF})$ is defined by proposition A.25.
By proposition A.15(2), $\lambda(\tau(P \parallel_Y Q)) \subseteq \lambda(\tau P) \parallel_Z \lambda(\tau Q)$. Thus, by SFs1 (definition 3.12(2)), we show $\lambda(\phi(P \parallel_Y Q)) \subseteq \lambda(\phi P) \parallel_Z \lambda(\phi Q)$. Let $(t, X) \in \phi(P \parallel_Y Q)$ be refusal-maximal. By proposition A.27(2), we have $\alpha(P \parallel_Y Q) = \alpha P \cup \alpha Q$ and so $(\Sigma - (\alpha P \cup \alpha Q)) \subseteq X$ by PA2. Thus, let $R$ be such that $R \subseteq \alpha P \cup \alpha Q$ and $X = R \cup (\Sigma - (\alpha P \cup \alpha Q))$. By SF3, $(t, R) \in \phi(P \parallel_Y Q)$. Since $\lambda([P \parallel_Y Q]_{SF})$ is defined, then $\lambda(\phi(P \parallel_Y Q))$ is defined by SFs1 (definition 3.12(1)) and so, by SFs1 (definition 3.12(3a)), $\lambda(R, t)$ is defined. By SFs1 (definition 3.12(1)), $\lambda(\phi P)$ and $\lambda(\phi Q)$ are defined. Thus, by SFs1 (definition 3.12(3b)), $\lambda(\phi P)$ and $\lambda(\phi Q)$ are subset-closed sets of failures and so $\lambda(\phi P) \parallel_Z \lambda(\phi Q)$ is subset-closed by proposition 2.18. Hence, by SFs1 (definition 3.12(3b)) and SFs5, it suffices to show that
$$(\lambda(t), \lambda(R, t) \cup (\Sigma - \lambda(\alpha P \cup \alpha Q))) \in \lambda(\phi P) \parallel_Z \lambda(\phi Q). \quad \text{(**)}$$
By theorem 2.20, there exist $(s, S) \in \phi P$ and $(u, U) \in \phi Q$ such that:
• $S \subseteq \alpha P$.
• $U \subseteq \alpha Q$.
• $R \cup (\Sigma - (\alpha P \cup \alpha Q)) = S \cup U \cup (\Sigma - (\alpha P \cup \alpha Q))$ and so $R = S \cup U$, since $R, (S \cup U) \subseteq \alpha P \cup \alpha Q$.
• $t \in s \parallel_Y u$.
We assume that $S$ and $U$ are as large as possible such that the above conditions hold. By PA2, $(s, S \cup (\Sigma - \alpha P)) \in \phi P$ and $(u, U \cup (\Sigma - \alpha Q)) \in \phi Q$. Moreover, $(s, S \cup (\Sigma - \alpha P)) \in \phi P$ and $(u, U \cup (\Sigma - \alpha Q)) \in \phi Q$ are refusal-maximal, since otherwise $(t, R \cup (\Sigma - (\alpha P \cup \alpha Q))) \in \phi(P \parallel_Y Q)$ would not be refusal-maximal. Since $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined, $\lambda(\phi P)$ and $\lambda(\phi Q)$ are defined by SFs1 (definition 3.12(1)). Thus, by SFs1 (definition 3.12(3b)),
• $(\lambda(s), \lambda(S, s) \cup (\Sigma - \lambda(\alpha P))) \in \lambda(\phi P)$.
• $(\lambda(u), \lambda(U, u) \cup (\Sigma - \lambda(\alpha Q))) \in \lambda(\phi Q)$.
By proposition A.22(2,3), $\lambda(S, s)$ is defined and $\lambda(s \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(s) \cup S ]\!] - S$. We know that $S \subseteq \alpha P$ and, by SF2 and PA1, $\mathit{events}(s) \subseteq \alpha P$. Thus, by lemma A.29, $\lambda(S, s) \subseteq \lambda(\alpha P)$. Similarly, $\lambda(U, u) \subseteq \lambda(\alpha Q)$. By proposition A.22(1), $\lambda(s)$ and $\lambda(u)$ are defined. Since $\mathit{events}(s) \subseteq \alpha P$ and, by SF2 and PA1, $\mathit{events}(u) \subseteq \alpha Q$, we observe that $[\![ \mathit{events}(s) ]\!] \cap [\![ \mathit{events}(u) ]\!] \subseteq \alpha P \cap \alpha Q = Y$. Thus, by proposition A.12, $\lambda(t) \in \lambda(s) \parallel_Z \lambda(u)$. Hence, by theorem 3.22,
$$(\lambda(t), \lambda(S, s) \cup \lambda(U, u) \cup (\Sigma - (\lambda(\alpha P) \cup \lambda(\alpha Q)))) \in \lambda(\phi P) \parallel_Z \lambda(\phi Q).$$
We observe that, by proposition A.5(2), $\lambda(\alpha P \cup \alpha Q) = \lambda(\alpha P) \cup \lambda(\alpha Q)$. The proof then follows by (**), the fact that $R = S \cup U$ and lemma A.24. □
Proof of theorem 3.33
Proof. The proof is similar to that of theorem 3.1, using proposition A.26 in place of RAH1, proposition A.28 in place of RAH2 and proposition A.30 in place of RAH3. □
Proposition A.31. The following hold:
1. $\Sigma_{impl} \in \mathit{AllSet}$.
2. $\Sigma_{spec} = \bigcup_{A \in \mathit{MinSet}} \lambda(A)$.
3. For every $A \in \mathit{AllSet}$, $A \subseteq \Sigma_{impl}$ and $\lambda(A) \subseteq \Sigma_{spec}$.
Proof. 1. The proof is immediate by S1(c) (definitions 3.5 and 3.6).
2.
$$\bigcup_{A \in \mathit{MinSet}} \lambda(A)$$
$$= \bigcup_{A \in \mathit{MinSet}} \bigcup\{ \mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq A \} \quad \text{(by S4)}$$
$$= \bigcup\{ \mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge ((\exists A \in \mathit{MinSet})\; \mathit{events}(t) \subseteq A) \}$$
$$= \bigcup\{ \mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq \bigcup_{A \in \mathit{MinSet}} A \} \quad \text{(by S1(c) (definition 3.5(1)))}$$
$$= \bigcup\{ \mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \wedge \mathit{events}(t) \subseteq \Sigma_{impl} \} \quad \text{(by S1(c) (definition 3.5))}$$
$$= \bigcup\{ \mathit{events}(\lambda(t)) \mid t \in \mathit{BTrace} \} \quad \text{(by S1(b) (definition 3.4(1)))}$$
$$= \Sigma_{spec} \quad \text{(by S1(b) (definition 3.4(2)))}$$
3. Let $A \in \mathit{AllSet}$. By S1(c) (definition 3.5), $\Sigma_{impl} = \bigcup_{A' \in \mathit{MinSet}} A'$ and so $A \subseteq \Sigma_{impl}$ by S1(c) (definition 3.6). Moreover, $\lambda(A) \subseteq \lambda(\Sigma_{impl})$ by S5. By part 2 of the proposition and S5,
$$\Sigma_{spec} = \bigcup_{A' \in \mathit{MinSet}} \lambda(A') = \lambda\Big(\bigcup_{A' \in \mathit{MinSet}} A'\Big) = \lambda(\Sigma_{impl})$$
and so $\lambda(A) \subseteq \Sigma_{spec}$. □
Proof of theorem 3.34
Proof. By proposition A.25, $\lambda([P]_{SF})$ and $\lambda([Q]_{SF})$ are defined. Moreover, by SFs1 (definition 3.12(1)), $\lambda(\phi P)$ and $\lambda(\phi Q)$ are defined. Let $(t, R) \in \phi P = \phi Q$ be refusal-maximal and let $R_P = R \cap \alpha P$ and $R_Q = R \cap \alpha Q$. By SF3, $(t, R_P) \in \phi P$ and $(t, R_Q) \in \phi Q$. By PA2, $\Sigma - \alpha P \subseteq R$ and $\Sigma - \alpha Q \subseteq R$. Thus,
$$R = R_P \cup (\Sigma - \alpha P) = R_Q \cup (\Sigma - \alpha Q).$$
Note also that, by SFs1 (definition 3.12(3a)), $\lambda(R_P, t)$ and $\lambda(R_Q, t)$ are defined. Thus, according to SFs1 (definition 3.12(3b)) and SFs5, it suffices to show that
$$\lambda(R_P, t) \cup (\Sigma - \lambda(\alpha P)) = \lambda(R_Q, t) \cup (\Sigma - \lambda(\alpha Q)).$$
By S1(b) (definition 3.4), $\Sigma_{spec} \subseteq \Sigma$. Moreover, by proposition A.31(3), $\lambda(\alpha P), \lambda(\alpha Q) \subseteq \Sigma_{spec}$. Thus, $\Sigma - \lambda(\alpha Q) = (\Sigma - \Sigma_{spec}) \cup (\Sigma_{spec} - \lambda(\alpha Q))$ and $\Sigma - \lambda(\alpha P) = (\Sigma - \Sigma_{spec}) \cup (\Sigma_{spec} - \lambda(\alpha P))$. Thus, it suffices to show that
$$\lambda(R_P, t) \cup (\Sigma_{spec} - \lambda(\alpha P)) = \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q)).$$
In fact, we show that $\lambda(R_P, t) \cup (\Sigma_{spec} - \lambda(\alpha P)) \subseteq \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q))$ and the proof in the other direction is similar.
Let $I, K$ be indexing sets into $\mathit{MinSet}$ such that $\alpha P = \bigcup_{i \in I} A_i$ and $\alpha Q = \bigcup_{k \in K} A_k$. Let $J$ be an indexing set into $\mathit{MinSet}$ such that $A \in \mathit{MinSet}$ only if there exists $j \in J$ such that $A = A_j$. By proposition A.22(3), $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R_Q ]\!] - R_Q$. Thus, by SFs7,
$$\lambda(R_Q, t) = \bigcup_{j \in J} \lambda(R_Q \cap A_j, t \upharpoonright A_j) \quad \text{(A.13)}$$
and $\lambda(R_Q \cap A_j, t \upharpoonright A_j)$ is defined for every $j \in J$.
We first show that $\lambda(R_P, t) \subseteq \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q))$. By proposition A.22(3), $\lambda(t \circ \langle a \rangle)$ is defined for every $a \in [\![ \mathit{events}(t) \cup R_P ]\!] - R_P$. Thus, by SFs7,
$$\lambda(R_P, t) = \bigcup_{j \in J} \lambda(R_P \cap A_j, t \upharpoonright A_j)$$
and $\lambda(R_P \cap A_j, t \upharpoonright A_j)$ is defined for every $j \in J$. It therefore suffices to show that
$$\lambda(R_P \cap A_j, t \upharpoonright A_j) \subseteq \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q))$$
for $j \in J$. Let $j \in J$. We consider each of three cases in turn.
Case 1: $j \in I \cap K$. In this case, $A_j \subseteq \alpha P$ and $A_j \subseteq \alpha Q$. Thus, $R_P \cap A_j = R_Q \cap A_j$ and so $\lambda(R_P \cap A_j, t \upharpoonright A_j) \subseteq \lambda(R_Q, t)$ by (A.13).
Case 2: $j \notin K$. In this case, by S1(c) (definition 3.5), $A_j \cap \alpha Q = \emptyset$. Thus, $\lambda(A_j) \cap \lambda(\alpha Q) = \emptyset$ by proposition A.6. By proposition A.31(3), $\lambda(A_j) \subseteq \Sigma_{spec}$ and so $\lambda(A_j) \subseteq (\Sigma_{spec} - \lambda(\alpha Q))$. Since $\lambda(R_P \cap A_j, t \upharpoonright A_j)$ is defined and by SFs1 (definition 3.12(3)), $\lambda(t \upharpoonright A_j)$ is defined. By S1(c) (definition 3.5), $A_j \subseteq \Sigma_{impl}$ and so $\lambda(A_j, t \upharpoonright A_j)$ is defined also by SFs1 (definition 3.12(3)). Thus, by SFs4 and SFs5,
$$\lambda(R_P \cap A_j, t \upharpoonright A_j) \subseteq \lambda(A_j, t \upharpoonright A_j) = \lambda(A_j)$$
and so $\lambda(R_P \cap A_j, t \upharpoonright A_j) \subseteq (\Sigma_{spec} - \lambda(\alpha Q))$.
Case 3: $j \notin I$. In this case, by S1(c) (definition 3.5), $A_j \cap \alpha P = \emptyset$. By SF2 and PA1, $\mathit{events}(t) \subseteq \alpha P$. Thus, $\lambda(R_P \cap A_j, t \upharpoonright A_j) = \lambda(\emptyset, \langle\rangle) = \emptyset$ by proposition A.20.
We now show that $(\Sigma_{spec} - \lambda(\alpha P)) \subseteq \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q))$. By proposition A.31(2), $\Sigma_{spec} = \bigcup_{A \in \mathit{MinSet}} \lambda(A)$ and so, by S1(c) (definition 3.5) and S5, $\Sigma_{spec} = \lambda(\Sigma_{impl})$. Thus, by proposition A.5(2) and S5,
$$\Sigma_{spec} - \lambda(\alpha P) = \lambda(\Sigma_{impl} - \alpha P) = \lambda\Big(\bigcup_{j \in J - I} A_j\Big) = \bigcup_{j \in J - I} \lambda(A_j).$$
It therefore suffices to show that $\lambda(A_j) \subseteq \lambda(R_Q, t) \cup (\Sigma_{spec} - \lambda(\alpha Q))$ for $j \in J - I$. Let $j \in J - I$. We consider each of two cases in turn.
Case 1: $j \notin K$. In this case, by S1(c) (definition 3.5), $A_j \cap \alpha Q = \emptyset$ and so $\lambda(A_j) \cap \lambda(\alpha Q) = \emptyset$ by proposition A.6. Thus, since $\lambda(A_j) \subseteq \Sigma_{spec}$ by proposition A.31(3), $\lambda(A_j) \subseteq (\Sigma_{spec} - \lambda(\alpha Q))$.
Case 2: $j \in K$. In this case, $A_j \subseteq \alpha Q$. Moreover, since $j \notin I$, $A_j \cap \alpha P = \emptyset$. Since $\Sigma - \alpha P \subseteq R$, then $A_j \subseteq R$ and so $A_j \subseteq R_Q$. Thus, $\lambda(R_Q \cap A_j, t \upharpoonright A_j) = \lambda(A_j, t \upharpoonright A_j)$ and the proof in this case follows by SFs4 and (A.13). □
A.5 Proofs from section 3.6 
Proof of theorem 3.35 
Proof. By SEQ, there exists a deterministic implementation process $Q$ such that $\tau Q = \mathit{Pref}(\{\ldots, t_i, \ldots\})$. Since $Q$ is deterministic, then $\delta Q = \emptyset$. Thus, by definitions 3.3 and 3.13(3), $\lambda(\delta Q)$ is defined. By PREF-CLOS and definition 3.3, $\lambda(\tau Q)$ is defined and so $\lambda([Q]_{SF})$ is defined by proposition A.16. Hence, by definition 3.12(1), $\lambda(\phi Q)$ is defined and so $\lambda(\phi_\bot Q)$ is defined by definition 3.13(4). Thus, $\lambda([Q]_{FD})$ is defined by definition 3.13(1).

We now show the following:
$$\{\lambda(w) \mid w \in \mathit{Pref}(\{\ldots, t_i, \ldots\})\} = \{t \mid (t, \emptyset) \in \lambda(\phi_\bot Q)\}. \tag{A.14}$$
Since $\lambda(\phi Q)$ is defined and by definition 3.12(3b),
$$\{t \mid (t, \emptyset) \in \lambda(\phi Q)\} = \{\lambda(w) \mid (w, \emptyset) \in \phi Q\}.$$
Since $Q$ is deterministic and by definition 2.4(2), $\tau Q = \{w \mid (w, \emptyset) \in \phi Q\}$. Thus, by definition 3.3, $\lambda(\tau Q) = \{t \mid (t, \emptyset) \in \lambda(\phi Q)\}$. Moreover, also by definition 3.3, we have that $\lambda(\tau Q) = \{\lambda(w) \mid w \in \mathit{Pref}(\{\ldots, t_i, \ldots\})\}$. The proof of (A.14) follows by definition 3.13(4) and the fact that $\lambda(\delta Q) = \emptyset$ by definition 3.13(3) and since $\delta Q = \min \delta Q = \emptyset$.

By FDI, $\lambda([Q \setminus A]_{FD})$ is defined and so $\lambda(\delta(Q \setminus A))$ is defined by definition 3.13(1). We recall that $\delta Q = \emptyset$ and so $\lambda(\delta Q) = \emptyset$ by definition 3.13(3). Moreover, $\delta(Q \setminus A) \neq \emptyset$ and so $\lambda(\delta(Q \setminus A)) \neq \emptyset$ also by definition 3.13(3). Let $\mathcal{F}$ be a set of failures and $\mathcal{D}$ a set of divergences such that $\lambda([Q]_{FD}) \setminus B = (\mathcal{F}, \mathcal{D})$, where $\lambda(\setminus A) = \setminus B$. Thus, by definition 3.13(2) and FDI,
$$(\lambda(\phi_\bot(Q \setminus A)), \lambda(\delta(Q \setminus A))) = (\lambda(\phi_\bot Q), \lambda(\delta Q)) \setminus B = (\mathcal{F}, \mathcal{D}).$$
Hence, $\lambda(\delta(Q \setminus A)) = \mathcal{D}$ and so $\mathcal{D} \neq \emptyset$. Since $\lambda(\delta Q) = \emptyset$, then, by (A.14), TR-MONO and the detail in chapter 2.4.3, $\ldots, \lambda(t_i), \ldots$ must be an $\omega$-sequence. □
Results used in the proof of theorem 3.36 
In all of the proofs in the remainder of this section, we assume that the 
conditions from figures 3.4, 3.6 and 3.8 all hold. 
Lemma A.32. Let $t, u$ be traces. If $\lambda(t)$ is defined, then $\lambda(u)$ is defined for all $u \leq t$.

Proof. The proof proceeds by induction on the length of $t$ using proposition A.7 and TS3. □

Proposition A.33. Let $v, u$ be traces. If $u \leq v$ and $\lambda(u)$ and $\lambda(v)$ are defined, then $\lambda(u) \leq \lambda(v)$.

Proof. The proof proceeds by induction on $n = |v| - |u|$. In the base case, the proof is immediate. Let $v = u \circ w \circ \langle a \rangle$. Since $\lambda(v)$ is defined, by lemma A.32 we have that $\lambda(u \circ w)$ is defined. Thus, by the inductive hypothesis, $\lambda(u) \leq \lambda(u \circ w)$. Moreover, by proposition A.7, there exists $A \in \mathit{MinSet}$ such that $a \in A$. Thus, by TS4, $\lambda(u \circ w \circ \langle a \rangle) = \lambda(u \circ w) \circ r$ (for some trace $r$) and so the proof follows. □
Proposition A.34. Let $Q$ be an implementation process. $\lambda(\tau Q)$ is defined if and only if $\lambda([Q]_{FD})$ is defined.

Proof. ($\Rightarrow$) We assume that $\lambda(\tau Q)$ is defined. By proposition A.25, $\lambda([Q]_{SF})$ is defined and so $\lambda(\phi Q)$ is defined by SFS1 (definition 3.12(1)). Moreover, $\lambda(\tau Q \cap \delta Q)$ is defined by TS1. Thus, by FDS1 (definition 3.13(3)), $\lambda(\delta Q)$ is defined. Hence, by FDS1 (definition 3.13(1,4)), $\lambda(\phi_\bot Q)$ and then $\lambda([Q]_{FD})$ are defined.

($\Leftarrow$) We assume that $\lambda([Q]_{FD})$ is defined. By FDS1 (definition 3.13), $\lambda(\phi_\bot Q)$ is defined and so $\lambda(\phi Q)$ is defined; moreover, $\lambda(\delta Q)$ is defined. By DR3, we have that $\tau Q = \{t \mid (t, \emptyset) \in \phi Q\} \cup (\tau Q \cap \delta Q)$. By SFS1 (definition 3.12(3)), $\lambda(w)$ is defined for every $w \in \{t \mid (t, \emptyset) \in \phi Q\}$ and, by FDS1 (definition 3.13(3)), $\lambda(\tau Q \cap \delta Q)$ is defined. Thus, by TS1, $\lambda(\tau Q)$ is defined. □
Lemma A.35. Let $Q$ be an implementation process. If $\alpha Q \subseteq F_{vis}$, then $\lambda([Q]_{FD})$ is defined and $\lambda([Q]_{FD}) = [Q]_{FD}$.

Proof. By proposition A.13, $\lambda(\tau Q)$ is defined and so $\lambda([Q]_{FD})$ is defined by proposition A.34. By FDS1 (definition 3.13(1,2)), $\lambda(\phi_\bot Q)$ and $\lambda(\delta Q)$ are defined and it suffices to show that $\lambda(\phi_\bot Q) = \phi_\bot Q$ and $\lambda(\delta Q) = \delta Q$. Since $\min \delta Q \subseteq \tau Q$ by MD, $\mathit{events}(t) \subseteq \alpha Q \subseteq F_{vis}$ for every $t \in \min \delta Q$ by PA1. Thus, by FDS1 (definition 3.13(3)), proposition A.10 and the extension closure of sets of divergent traces by FD4, $\lambda(\delta Q) = \delta Q$. By proposition A.26 and SFS1 (definition 3.12(2)), $\lambda(\phi Q) = \phi Q$. Hence, by FDS1 (definition 3.13(4)) and since $\lambda(\delta Q) = \delta Q$, $\lambda(\phi_\bot Q) = \phi Q \cup \{(t, R) \mid t \in \delta Q \wedge R \subseteq \Sigma\}$. Thus, by DR2, $\lambda(\phi_\bot Q) = \phi_\bot Q$. □

Lemma A.36. Let $\ldots, t_i, \ldots$ be an $\omega$-sequence such that $\lambda(t_i)$ is defined for each $t_i$. Then $\ldots, \lambda(t_i), \ldots$ is also an $\omega$-sequence.

Proof. Let $w \in \Sigma^\omega$ be the least upper bound of the sequence $\ldots, t_i, \ldots$. Since $\lambda(t_i)$ is defined for each $t_i$ and by S1(b) (definition 3.4(1)), $\mathit{events}(t_i) \subseteq \Sigma_{impl}$ for each $t_i$. Thus, $\mathit{events}(w) \subseteq \Sigma_{impl}$. Hence, by S1(c) (definition 3.5), there exists $A \in \mathit{MinSet}$ such that $w \restriction A \in \Sigma^\omega$. It follows that $\ldots, t_i \restriction A, \ldots$ is an $\omega$-sequence and so $\ldots, \lambda(t_i \restriction A), \ldots$ is also an $\omega$-sequence by FDS2. By induction on the length of traces using proposition A.9 and TS4, $\lambda(t_i) \in \mathop{|||}_{A' \in \mathit{MinSet}} \lambda(t_i \restriction A')$ for each $t_i$. Thus, the length of the $\lambda(t_i)$ increases unboundedly. It follows by proposition A.33 that $\ldots, \lambda(t_i), \ldots$ is an $\omega$-sequence. □
Lemma A.37. Let $Q$ be an implementation process and $P$ a process. Let $A \in \mathit{AllSet}$, where $\lambda(\setminus A) = \setminus B$. If $\lambda([Q]_{FD})$ is defined and $\lambda([Q]_{FD}) \sqsupseteq [P]_{FD}$, then:

1. $\lambda([Q \setminus A]_{FD})$ is defined.
2. $\lambda([Q \setminus A]_{FD}) \sqsupseteq [P \setminus B]_{FD}$.

Proof. We assume that $\lambda([Q]_{FD})$ is defined and $P$ is a process such that $\lambda([Q]_{FD}) \sqsupseteq [P]_{FD}$. By proposition A.34, $\lambda(\tau Q)$ is defined and so, by proposition A.14, $\lambda(\tau(Q \setminus A))$ is defined. Hence, $\lambda([Q \setminus A]_{FD})$ is defined also by proposition A.34. By FDS1 (definition 3.13(2)), $\lambda(\phi_\bot Q) \subseteq \phi_\bot P$ and $\lambda(\delta Q) \subseteq \delta P$. Also by FDS1 (definition 3.13), $\lambda(\phi_\bot Q)$ is defined and so $\lambda(\phi Q)$ is defined; moreover, $\lambda(\delta Q)$ is defined.

By FDS1 (definition 3.13(2)), we show that $\lambda(\delta(Q \setminus A)) \subseteq \delta(P \setminus B)$ and $\lambda(\phi_\bot(Q \setminus A)) \subseteq \phi_\bot(P \setminus B)$. We first show that $\lambda(\delta(Q \setminus A)) \subseteq \delta(P \setminus B)$. Let $t \in \min \delta(Q \setminus A)$. By FDS1 (definition 3.13(3)) and FD4, it suffices to show that $\lambda(t) \in \delta(P \setminus B)$. We note that $B = \lambda(A)$ by S6 and then consider each of two cases in turn according to the semantics of the hiding operator in the failures divergences model.

Case 1: There exists $s \in \delta Q$ such that $s \in \min \delta Q$, where $t = s \setminus A$. (If $s \notin \min \delta Q$ then we have $u < s$ such that $u \in \min \delta Q$ and either $u \setminus A = s \setminus A$ and we take $t = u \setminus A$, or $u \setminus A < s \setminus A$ and so $t \notin \min \delta(Q \setminus A)$.) By FDS1 (definition 3.13(3)) and since $\lambda(\delta Q) \subseteq \delta P$, $\lambda(s) \in \delta P$. Hence, $\lambda(s) \setminus B \in \delta(P \setminus B)$. Since $\lambda(\delta Q)$ is defined, then $\lambda(s)$ is defined by FDS1 (definition 3.13(3)), MD and TS1. Thus, by proposition A.11, $\lambda(s \setminus A) = \lambda(s) \setminus B$ and so $\lambda(t) \in \delta(P \setminus B)$.

Case 2: There exists $w \in \Sigma^\omega$ such that $t = w \setminus A$ and, for every $u < w$, $u \in \tau_\bot Q = \{z \mid (z, \emptyset) \in \phi_\bot Q\}$. In the event that there exists $u < w$ such that $u \in \delta Q$, then there exists $u' \leq u$ such that $u' \in \min \delta Q$, where $t = u' \setminus A$, and the proof proceeds as for Case 1 (we know that $t = u' \setminus A$ since, otherwise, $t \notin \min \delta(Q \setminus A)$). We therefore assume that, for every $u < w$, $u \notin \delta Q$ and so, by DR2, that $(u, \emptyset) \in \phi Q$. Recall that $\lambda(\phi_\bot Q) \subseteq \phi_\bot P$. Thus, by FDS1 (definition 3.13(4)) and SFS1 (definition 3.12(3b)), $(\lambda(u), \emptyset) \in \phi_\bot P$ and so $\lambda(u) \in \tau_\bot P$ for every $u < w$. Moreover, since $\lambda(\phi Q)$ is defined and by SFS1 (definition 3.12(3)), $\lambda(u)$ is defined for every $u < w$. By lemma A.36, there exists $x \in \Sigma^\omega$ such that $x$ is the least upper bound of the sequence of $\lambda(u)$ where $u < w$. By the prefix-closure of $\tau_\bot P$ (FD1), we have that $v \in \tau_\bot P$ for every $v < x$. Since $w \in \Sigma^\omega$ and $w \setminus A$ is finite, we have that $w = r \circ s$, where $r \in \Sigma^*$, $s \in A^\omega$ and $r \setminus A = w \setminus A$. By proposition A.11, we know that for any trace $k$ such that $r \leq k < w$,
$$\lambda(t) = \lambda(w \setminus A) = \lambda(k \setminus A) = \lambda(k) \setminus B.$$
Hence, $x \setminus B = \lambda(t)$ and so $\lambda(t) \in \delta(P \setminus B)$.

We now show that $\lambda(\phi_\bot(Q \setminus A)) \subseteq \phi_\bot(P \setminus B)$. By FDS1 (definition 3.13(1)), $\lambda(\phi_\bot(Q \setminus A))$ is defined and so, by FDS1 (definition 3.13(4)),
$$\lambda(\phi_\bot(Q \setminus A)) = \lambda(\phi(Q \setminus A)) \cup \{(t, R) \mid t \in \lambda(\delta(Q \setminus A)) \wedge R \subseteq \Sigma\}.$$
Thus, since $\lambda(\delta(Q \setminus A)) \subseteq \delta(P \setminus B)$ and by FD5, it is sufficient to show that $\lambda(\phi(Q \setminus A)) \subseteq \phi_\bot(P \setminus B)$. Since $\lambda(\phi_\bot Q)$ is defined and $\lambda(\phi_\bot Q) \subseteq \phi_\bot P$, we know that $\lambda(\phi Q) \subseteq \phi_\bot P$ by FDS1 (definition 3.13(4)). By definition,
$$\{(t \setminus B, R) \mid (t, R \cup B) \in \phi_\bot P\} \subseteq \phi_\bot(P \setminus B).$$
Since $\lambda(\phi Q) \setminus B$ is given by $\{(t \setminus B, R) \mid (t, R \cup B) \in \lambda(\phi Q)\}$, it follows that $\lambda(\phi Q) \setminus B \subseteq \phi_\bot(P \setminus B)$. Since $\lambda(\tau Q)$ is defined, then $\lambda([Q]_{SF})$ is defined by proposition A.25. Hence, by proposition A.28 and SFS1 (definition 3.12(2)), $\lambda(\phi(Q \setminus A)) \subseteq \phi_\bot(P \setminus B)$. □
Lemma A.38. Let $Q_1, Q_2$ be implementation processes and $Y = \alpha Q_1 \cap \alpha Q_2$, where $\lambda(\|_Y) = \|_Z$. Let $P_1, P_2$ be processes. If $\lambda([Q_i]_{FD})$ is defined and $\lambda([Q_i]_{FD}) \sqsupseteq [P_i]_{FD}$ for $i = 1, 2$ then:

1. $\lambda([Q_1 \|_Y Q_2]_{FD})$ is defined.
2. $\lambda([Q_1 \|_Y Q_2]_{FD}) \sqsupseteq [P_1 \|_Z P_2]_{FD}$.

Proof. We assume that $\lambda([Q_i]_{FD})$ is defined and $\lambda([Q_i]_{FD}) \sqsupseteq [P_i]_{FD}$ for $i = 1, 2$. By proposition A.34, $\lambda(\tau Q_i)$ is defined for $i = 1, 2$ and so, by proposition A.15, $\lambda(\tau(Q_1 \|_Y Q_2))$ is defined. Hence, $\lambda([Q_1 \|_Y Q_2]_{FD})$ is defined also by proposition A.34. By FDS1 (definition 3.13(2)), $\lambda(\phi_\bot Q_i) \subseteq \phi_\bot P_i$ and $\lambda(\delta Q_i) \subseteq \delta P_i$ for $i = 1, 2$. Also by FDS1 (definition 3.13) and for $i = 1, 2$, $\lambda(\phi_\bot Q_i)$ is defined and so $\lambda(\phi Q_i)$ is defined; moreover, $\lambda(\delta Q_i)$ is defined.

By FDS1 (definition 3.13(2)), it suffices to show that:

• $\lambda(\delta(Q_1 \|_Y Q_2)) \subseteq \delta(P_1 \|_Z P_2)$.
• $\lambda(\phi_\bot(Q_1 \|_Y Q_2)) \subseteq \phi_\bot(P_1 \|_Z P_2)$.

We first show that $\lambda(\delta(Q_1 \|_Y Q_2)) \subseteq \delta(P_1 \|_Z P_2)$. Let $t \in \min \delta(Q_1 \|_Y Q_2)$. By FDS1 (definition 3.13(3)) and FD4, it is sufficient to show that $\lambda(t) \in \delta(P_1 \|_Z P_2)$. Since $t \in \min \delta(Q_1 \|_Y Q_2)$ and so $t \in \delta(Q_1 \|_Y Q_2)$, there exist $s \in \tau_\bot Q_1$, $u \in \tau_\bot Q_2$ such that $t \in (s \|_Y u)$ and $s \in \delta Q_1$ or $u \in \delta Q_2$. If $s \in \delta Q_1$ then $s \in \min \delta Q_1$, since otherwise there exists $w < t$ such that $w \in \delta(Q_1 \|_Y Q_2)$ and so $t \notin \min \delta(Q_1 \|_Y Q_2)$. Similarly, if $u \in \delta Q_2$ then $u \in \min \delta Q_2$. For $i = 1, 2$, we observe that $\min \delta Q_i \subseteq \tau Q_i$ by MD and $\tau_\bot Q_i = \tau Q_i \cup \delta Q_i$ by DR1. Thus, $s \in \tau Q_1$, $u \in \tau Q_2$ and either $s \in \min \delta Q_1$ or $u \in \min \delta Q_2$.

Wlog, we assume that $s \in \min \delta Q_1$. By FDS1 (definition 3.13(3)) and since $\lambda(\delta Q_1) \subseteq \delta P_1$, $\lambda(s) \in \delta P_1$ and so $\lambda(s) \in \tau_\bot P_1$ by DR1. We show that $\lambda(u) \in \tau_\bot P_2$ by considering each of two cases in turn.

Case 1: $u \notin \delta Q_2$ and so $(u, \emptyset) \in \phi Q_2$ by DR3. Recall that $\lambda(\phi_\bot Q_2) \subseteq \phi_\bot P_2$. Thus, by FDS1 (definition 3.13(4)) and SFS1 (definition 3.12(3b)), $(\lambda(u), \emptyset) \in \phi_\bot P_2$ and so $\lambda(u) \in \tau_\bot P_2$.

Case 2: $u \in \delta Q_2$. We have seen above that, in this case, $u \in \min \delta Q_2$. Thus, $\lambda(u) \in \delta P_2$ by FDS1 (definition 3.13(3)) and since $\lambda(\delta Q_2) \subseteq \delta P_2$. The proof of this case then follows by DR1.

Thus, $\lambda(s) \|_Z \lambda(u) \subseteq \delta(P_1 \|_Z P_2)$. Since $s \in \tau Q_1$, $u \in \tau Q_2$ and $\lambda(\tau Q_i)$ is defined for $i = 1, 2$, $\lambda(s)$ and $\lambda(u)$ are defined by TS1. Also since $s \in \tau Q_1$ and $u \in \tau Q_2$, $\mathit{events}(s) \subseteq \alpha Q_1$ and $\mathit{events}(u) \subseteq \alpha Q_2$ by PA1. Hence, $[[\mathit{events}(s)]] \subseteq \alpha Q_1$, $[[\mathit{events}(u)]] \subseteq \alpha Q_2$ and so
$$[[\mathit{events}(s)]] \cap [[\mathit{events}(u)]] \subseteq \alpha Q_1 \cap \alpha Q_2 = Y.$$
Since $\alpha P, \alpha Q \in \mathit{AllSet}$ by S2, then $Y \in \mathit{AllSet}$ by proposition A.5(1). Hence, $Z = \lambda(Y)$ by S7. Thus, since $t \in s \|_Y u$, $\lambda(t) \in \lambda(s) \|_Z \lambda(u)$ by proposition A.12 and so $\lambda(t) \in \delta(P_1 \|_Z P_2)$.

We now show that $\lambda(\phi_\bot(Q_1 \|_Y Q_2)) \subseteq \phi_\bot(P_1 \|_Z P_2)$. By FDS1 (definition 3.13(1)), $\lambda(\phi_\bot(Q_1 \|_Y Q_2))$ is defined and so, by FDS1 (definition 3.13(4)),
$$\lambda(\phi_\bot(Q_1 \|_Y Q_2)) = \lambda(\phi(Q_1 \|_Y Q_2)) \cup \{(t, R) \mid t \in \lambda(\delta(Q_1 \|_Y Q_2)) \wedge R \subseteq \Sigma\}.$$
Thus, since $\lambda(\delta(Q_1 \|_Y Q_2)) \subseteq \delta(P_1 \|_Z P_2)$ and by FD5, it is sufficient to show that $\lambda(\phi(Q_1 \|_Y Q_2)) \subseteq \phi_\bot(P_1 \|_Z P_2)$. Since $\lambda(\phi_\bot Q_i)$ is defined and $\lambda(\phi_\bot Q_i) \subseteq \phi_\bot P_i$, we know that $\lambda(\phi Q_i) \subseteq \phi_\bot P_i$ for $i = 1, 2$ by FDS1 (definition 3.13(4)). By definition, $\phi_\bot(P_1 \|_Z P_2)$ contains the following:
$$\{(w, S \cup U) \mid (\exists (s, S) \in \phi_\bot P_1,\ (u, U) \in \phi_\bot P_2)\ w \in (s \|_Z u) \wedge S - Z = U - Z\}.$$
Also by definition, $\lambda(\phi Q_1) \|_Z \lambda(\phi Q_2)$ is given by:
$$\{(w, S \cup U) \mid (\exists (s, S) \in \lambda(\phi Q_1),\ (u, U) \in \lambda(\phi Q_2))\ w \in (s \|_Z u) \wedge S - Z = U - Z\}.$$
Thus,
$$\lambda(\phi Q_1) \|_Z \lambda(\phi Q_2) \subseteq \phi_\bot(P_1 \|_Z P_2).$$
Since $\lambda(\tau Q_1), \lambda(\tau Q_2)$ are defined, then $\lambda([Q_1]_{SF}), \lambda([Q_2]_{SF})$ are defined by proposition A.25. Thus, by proposition A.30 and SFS1 (definition 3.12(2)),
$$\lambda(\phi(Q_1 \|_Y Q_2)) \subseteq \lambda(\phi Q_1) \|_Z \lambda(\phi Q_2)$$
and so $\lambda(\phi(Q_1 \|_Y Q_2)) \subseteq \phi_\bot(P_1 \|_Z P_2)$. □
Proof of theorem 3.36 
Proof. The proof is similar to that of theorem 3.1, using lemmas A.35, A.37 and A.38 in place of conditions RAH1-3. □
Appendix B 
Proofs from chapter 4 
B.1 Proofs from section 4.1 
Proof of proposition 4.3 
Proof. We observe the following:
$$\begin{aligned}
Y &= \bigcup\{A_i \mid ep_i \in EP(P)\} \cap \bigcup\{A_j \mid ep_j \in EP(Q)\} && \text{(by def. 4.5)} \\
  &= \bigcup\{A_i \mid ep_i \in EP(P) \cap EP(Q)\} && \text{(by EP-UNI1)}
\end{aligned}$$
□

Proof of proposition 4.5

Proof. $EP(P \otimes_Y Q)$ is given by the following:
$$\begin{aligned}
& \{ep_i \in EP \mid A_i \cap \beta(P \otimes_Y Q) \neq \emptyset\} && \text{(by def. 4.4)} \\
=\; & \{ep_i \in EP \mid A_i \cap ((\beta(P) \cup \beta(Q)) - Y) \neq \emptyset\} && \text{(by figure 2.5)} \\
=\; & \{ep_i \in EP - (EP(P) \cap EP(Q)) \mid A_i \cap (\beta(P) \cup \beta(Q)) \neq \emptyset\} && \text{(by prop. 4.3 and EP-UNI1)} \\
=\; & \{ep_i \in EP \mid A_i \cap (\beta(P) \cup \beta(Q)) \neq \emptyset\} - (EP(P) \cap EP(Q)) \\
=\; & (EP(P) \cup EP(Q)) - (EP(P) \cap EP(Q)) && \text{(by def. 4.4)}
\end{aligned}$$
□
Proof of proposition 4.6 
Proof. $\alpha(P \otimes_Y Q)$ is given by the following:
$$\begin{aligned}
& \bigcup\{A_i \mid ep_i \in EP(P \otimes_Y Q)\} && \text{(by def. 4.5)} \\
=\; & \bigcup\{A_i \mid ep_i \in (EP(P) \cup EP(Q)) - (EP(P) \cap EP(Q))\} && \text{(by prop. 4.5)} \\
=\; & \bigcup\{A_i \mid ep_i \in (EP(P) \cup EP(Q))\} - \bigcup\{A_j \mid ep_j \in (EP(P) \cap EP(Q))\} && \text{(by EP-UNI1)} \\
=\; & (\alpha P \cup \alpha Q) - (\alpha P \cap \alpha Q) && \text{(by def. 4.5 and prop. 4.3)}
\end{aligned}$$
□
B.2 Example processes used in proofs 
Figure B.l: Processes in proofs from chapter 4 
The processes from figure B.1 are used in the statement and proof of most of the results which follow in this chapter. Processes $M$ and $N$ are implementation processes; $K$ and $L$ are the corresponding specification processes. We also denote:

• $I = M \|_{A_{Int}} N$.
• $H = K \|_{B_{Int}} L$.
• $O = M \otimes_{A_{Int}} N$.
• $J = K \otimes_{B_{Int}} L$.

The following are assumed to hold:

• $\mathit{Comm}(A_i, M) \neq \mathit{Comm}(A_i, N)$ for $ep_i \in EP(M) \cap EP(N)$.
• $A_{Int} = \alpha M \cap \alpha N$.
• $B_{Int} = \mathit{extrset}(A_{Int})$.

As a result, the composition used to define $O$ meets the restrictions REP1 and REP2. In the proofs in the remainder of this chapter, $M, N, K, L, H, I, J, O$ are as described here.
B.3 Proofs from section 4.2 
Results used in the proof of theorem 4.8 
Proposition B.1. The following hold:

1. $A_{Int} = \bigcup\{A_i \mid ep_i \in EP(M) \cap EP(N)\}$.
2. $B_{Int} = \bigcup\{B_i \mid ep_i \in EP(M) \cap EP(N)\}$.

Proof. 1. The proof is immediate by proposition 4.3.

2. The proof is immediate by part 1 of the proposition and definition 4.2. □

Proposition B.2. Let $ep_i \in EP$. If $A_i \cap A_{Int} \neq \emptyset$, then $A_i \subseteq A_{Int}$.

Proof. We assume that $A_i \cap A_{Int} \neq \emptyset$. Hence, by proposition B.1(1), there exists $ep_j \in EP(M) \cap EP(N)$ such that $A_i \cap A_j \neq \emptyset$. Thus, by EP-UNI1, $ep_i = ep_j$ and so $A_i \subseteq A_{Int}$ by proposition B.1(1). □
Proposition B.3. Let $Q$ be an implementation process. Then the following hold:

1. $\mathit{Dom}_{EP(Q)}$ is non-empty and prefix-closed.
2. $\mathit{extr}_{EP(Q)}$ over traces is monotonic and strict.

Proof. 1. The proof is immediate by EP3-T and TR-GLOBAL1.

2. That both properties hold follows from TR-GLOBAL2. □
Proposition B.4. Let $Q$ be an implementation process such that $\alpha Q \subseteq F_{vis}$. Moreover, let $t \in \tau Q$. Then:

1. $t \in \mathit{Dom}_{EP(Q)}$.
2. $\mathit{extr}_{EP(Q)}(t) = t$.
3. $\mathit{extr}_{EP(Q)}(\tau Q) = \tau Q$.

Proof. We first show the following.
$$\mathit{Dom}_{EP(Q)} = (\alpha Q)^* \tag{B.1}$$
By definition 4.5, $\alpha Q = \bigcup\{A_i \mid ep_i \in EP(Q)\}$. Hence, since $\alpha Q \subseteq F_{vis}$, $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$. Thus, by EP3-FvI, $\mathit{Dom}_i = A_i^*$ for $ep_i \in EP(Q)$ and so $\mathit{Dom}_{EP(Q)} = (\alpha Q)^*$ by TR-GLOBAL1. Hence, we have shown (B.1) and now proceed with the proof proper.

1. By PA1 and (B.1), $t \in (\alpha Q)^* = \mathit{Dom}_{EP(Q)}$.

2. By definition 4.5 and since $\alpha Q \subseteq F_{vis}$, $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$. By part 1 of the proposition, $t \in \mathit{Dom}_{EP(Q)}$. The proof then follows by a straightforward induction on the length of $t$ using proposition B.3(1), TR-GLOBAL2 and EP4-FvI.

3. By PA1 and (B.1), $\tau Q \subseteq (\alpha Q)^* = \mathit{Dom}_{EP(Q)}$. Thus, $\tau_{\mathit{Dom}_{EP(Q)}} Q = \tau Q$ by definition 4.8. Hence, by TR-DEF1 and part 2 of the proposition, $\mathit{extr}_{EP(Q)}(\tau Q) = \tau Q$. □
Proof of theorem 4.7 
Proof. ($\Rightarrow$) We assume that $Q \sqsupseteq^{EP(Q)}_T P$. Hence, by TR-DEF2 and proposition B.4(3), $\tau Q \subseteq \tau P$.

($\Leftarrow$) We assume that $Q \sqsupseteq_T P$. Thus, $\mathit{extr}_{EP(Q)}(\tau Q) \subseteq \tau P$ by proposition B.4(3). By proposition B.4(1), $t \in \mathit{Dom}_{EP(Q)}$ for all $t \in \tau Q$ and so $Q$ meets Dom-T-check. Thus, by TR-DEF2, $Q \sqsupseteq^{EP(Q)}_T P$. □
Proposition B.5. Let $t \circ \langle a \rangle \in \mathit{Dom}_{EP(I)}$ be such that, for some trace $r$, $\mathit{extr}_{EP(I)}(t \circ \langle a \rangle) = \mathit{extr}_{EP(I)}(t) \circ r$.

1. If $a \in A_{Int}$ then $\mathit{events}(r) \subseteq B_{Int}$.
2. If $a \notin A_{Int}$ then $\mathit{events}(r) \cap B_{Int} = \emptyset$.

Proof. By TR-GLOBAL1, there exists $ep_i \in EP(I)$ such that $a \in A_i$. Thus, by TR-GLOBAL2 and EP4, $\mathit{events}(r) \subseteq B_i$.

1. We assume $a \in A_{Int}$ and so $A_i \cap A_{Int} \neq \emptyset$. Thus, by proposition B.1(1), there exists $ep_j \in EP(M) \cap EP(N)$ such that $A_i \cap A_j \neq \emptyset$. Hence, by EP-UNI1, $ep_i = ep_j$ and so $\mathit{events}(r) \subseteq B_i \subseteq B_{Int}$ by proposition B.1(2).

2. We assume $a \notin A_{Int}$ and so $A_i \not\subseteq A_{Int}$. Hence, by proposition B.1(1), there does not exist $ep_j \in EP(M) \cap EP(N)$ such that $A_i = A_j$ and so $ep_i \notin EP(M) \cap EP(N)$. Thus, by EP-UNI1 and proposition B.1(2), $B_i \cap B_{Int} = \emptyset$ and so $\mathit{events}(r) \cap B_{Int} = \emptyset$. □

Proposition B.6. Let $s \in \tau M$, $u \in \tau N$ and $t \in (s \|_{A_{Int}} u)$.

1. If $a \in A_{Int}$, then there exists $ep_i \in EP(M) \cap EP(N)$ such that $a \in A_i$ and $t \restriction A_i = s \restriction A_i = u \restriction A_i$.
2. If $a \notin A_{Int}$ and $a \in \mathit{events}(s)$, then there exists $ep_i \in EP(M) - EP(N)$ such that $a \in A_i$ and $t \restriction A_i = s \restriction A_i$; moreover, $A_i \cap A_{Int} = \emptyset$.

Proof. 1. We assume $a \in A_{Int}$. By proposition B.1(1), there exists $ep_i \in EP(M) \cap EP(N)$ such that $a \in A_i$ and $A_i \subseteq A_{Int}$. By TRP, $t \restriction A_{Int} = s \restriction A_{Int} = u \restriction A_{Int}$ and so $t \restriction A_i = s \restriction A_i = u \restriction A_i$.

2. We assume $a \notin A_{Int}$ and $a \in \mathit{events}(s)$. By PA1 and definition 4.5, there exists $ep_i \in EP(M)$ such that $a \in A_i$ and so $A_i \not\subseteq A_{Int}$. Thus, $ep_i \notin EP(N)$ by proposition B.1(1). Hence, by PA1, definition 4.5 and EP-UNI1, $A_i \cap \mathit{events}(u) = \emptyset$. Thus, $t \restriction A_i = s \restriction A_i$. Moreover, since $A_i \not\subseteq A_{Int}$, $A_i \cap A_{Int} = \emptyset$ by proposition B.2. □
Proposition B.7. Let $s \in \tau_{\mathit{Dom}_{EP(M)}} M$, $u \in \tau_{\mathit{Dom}_{EP(N)}} N$ and $t \in (s \|_{A_{Int}} u)$. Then $t \in \mathit{Dom}_{EP(I)}$ and $\mathit{extr}_{EP(I)}(t) \in (\mathit{extr}_{EP(M)}(s) \|_{B_{Int}} \mathit{extr}_{EP(N)}(u))$.

Proof. Note by definition 4.4 that $EP(I) = EP(M) \cup EP(N)$. We proceed by induction on the length of $t$. In the base case, when $t = s = u = \langle\rangle$, the proof is immediate by proposition B.3(1,2). Let $t = p \circ \langle a \rangle$. We consider each of two cases in turn.

Case 1: $a \in A_{Int}$. In this case, $s = v \circ \langle a \rangle$, $u = w \circ \langle a \rangle$ for some $v, w$. By proposition B.3(1), $v \in \tau_{\mathit{Dom}_{EP(M)}} M$ and $w \in \tau_{\mathit{Dom}_{EP(N)}} N$. Moreover, by proposition B.6(1), there exists $ep_i \in EP(M) \cap EP(N)$ such that $a \in A_i$ and $t \restriction A_i = s \restriction A_i = u \restriction A_i$. We first show that $t \in \mathit{Dom}_{EP(I)}$. By the inductive hypothesis, $p \in \mathit{Dom}_{EP(I)}$ and so, by TR-GLOBAL1 and EP-UNI1, $t \restriction A_j = p \restriction A_j \in \mathit{Dom}_j$ for $ep_j \in EP(I) - \{ep_i\}$. Thus, by TR-GLOBAL1, it suffices to show that $t \restriction A_i \in \mathit{Dom}_i$. This follows since $s \in \mathit{Dom}_{EP(M)}$ and $t \restriction A_i = s \restriction A_i$. We now proceed with the remainder of the proof in this case. By TR-GLOBAL2 and since $t \restriction A_i = s \restriction A_i = u \restriction A_i$,

• $\mathit{extr}_{EP(I)}(t) = \mathit{extr}_{EP(I)}(p) \circ r$
• $\mathit{extr}_{EP(M)}(s) = \mathit{extr}_{EP(M)}(v) \circ r$
• $\mathit{extr}_{EP(N)}(u) = \mathit{extr}_{EP(N)}(w) \circ r$

such that, by proposition B.5(1), $\mathit{events}(r) \subseteq B_{Int}$. By the inductive hypothesis, $\mathit{extr}_{EP(I)}(p) \in (\mathit{extr}_{EP(M)}(v) \|_{B_{Int}} \mathit{extr}_{EP(N)}(w))$ and so
$$\mathit{extr}_{EP(I)}(p) \circ r \in (\mathit{extr}_{EP(M)}(v) \circ r \|_{B_{Int}} \mathit{extr}_{EP(N)}(w) \circ r).$$

Case 2: $a \notin A_{Int}$. In this case, wlog, we assume $s = v \circ \langle a \rangle$. Thus, by proposition B.6(2), there exists $ep_i \in EP(M) - EP(N)$ such that $a \in A_i$ and $t \restriction A_i = s \restriction A_i$. Hence, by TR-GLOBAL1 and since $s \in \mathit{Dom}_{EP(M)}$, $t \restriction A_i \in \mathit{Dom}_i$. Thus, $t \in \mathit{Dom}_{EP(I)}$ by TR-GLOBAL1 and EP-UNI1 and since $p \in \mathit{Dom}_{EP(I)}$ by the inductive hypothesis. By TR-GLOBAL2 and since $t \restriction A_i = s \restriction A_i$,

• $\mathit{extr}_{EP(I)}(t) = \mathit{extr}_{EP(I)}(p) \circ r$
• $\mathit{extr}_{EP(M)}(s) = \mathit{extr}_{EP(M)}(v) \circ r$

such that, by proposition B.5(2), $\mathit{events}(r) \cap B_{Int} = \emptyset$. By the inductive hypothesis, $\mathit{extr}_{EP(I)}(p) \in (\mathit{extr}_{EP(M)}(v) \|_{B_{Int}} \mathit{extr}_{EP(N)}(u))$ and so
$$\mathit{extr}_{EP(I)}(p) \circ r \in (\mathit{extr}_{EP(M)}(v) \circ r \|_{B_{Int}} \mathit{extr}_{EP(N)}(u)).$$
□
Proposition B.8. Let $t \in \mathit{Dom}_{EP(I)}$. Then $t \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$ and $\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(I)}(t) \setminus B_{Int}$.

Proof. We proceed by induction on the length of $t$. In the base case, when $t = \langle\rangle$, the proof is immediate by proposition B.3(1,2). Let $t = u \circ \langle a \rangle$. Hence, by proposition B.3(1), $u \in \mathit{Dom}_{EP(I)}$ and, by TR-GLOBAL1, there exists $ep_i \in EP(I)$ such that $a \in A_i$. We consider each of two cases in turn.

Case 1: $a \in A_{Int}$. In this case, $t \setminus A_{Int} = u \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$ by the inductive hypothesis. By TR-GLOBAL2, $\mathit{extr}_{EP(I)}(t) = \mathit{extr}_{EP(I)}(u) \circ r$ such that, by proposition B.5(1), $\mathit{events}(r) \subseteq B_{Int}$. Hence, by the inductive hypothesis,
$$\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(O)}(u \setminus A_{Int}) = \mathit{extr}_{EP(I)}(u) \setminus B_{Int}$$
and so
$$\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(I)}(u) \circ r \setminus B_{Int} = \mathit{extr}_{EP(I)}(t) \setminus B_{Int}.$$

Case 2: $a \notin A_{Int}$. Since $a \notin A_{Int}$, $A_i \not\subseteq A_{Int}$ and so $A_i \cap A_{Int} = \emptyset$ by proposition B.2. We first show that $t \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$. By TR-GLOBAL1, it suffices to show that $(t \setminus A_{Int}) \restriction A_j \in \mathit{Dom}_j$ for every $ep_j \in EP(O)$. Let $ep_j \in EP(O)$. We consider each of two sub-cases in turn.

Case 2a: $j = i$. Since $t \in \mathit{Dom}_{EP(I)}$, $(t \setminus A_{Int}) \restriction A_i = t \restriction A_i \in \mathit{Dom}_i$ by TR-GLOBAL1 and since $A_i \cap A_{Int} = \emptyset$.

Case 2b: $j \neq i$. By the inductive hypothesis, $u \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$. Thus, by TR-GLOBAL1 and EP-UNI1, $(t \setminus A_{Int}) \restriction A_j = (u \setminus A_{Int}) \restriction A_j \in \mathit{Dom}_j$.

Hence, we have shown that $t \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$. Thus, by TR-GLOBAL1 and EP-UNI1 and since $a \in \mathit{events}(t \setminus A_{Int})$, $ep_i \in EP(O)$. We now show that $\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(I)}(t) \setminus B_{Int}$. By TR-GLOBAL2,

• $\mathit{extr}_{EP(I)}(t) = \mathit{extr}_{EP(I)}(u) \circ r$, such that $\mathit{extr}_i(t \restriction A_i) = \mathit{extr}_i(u \restriction A_i) \circ r$.
• $\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(O)}(u \setminus A_{Int}) \circ x$, such that $\mathit{extr}_i((t \setminus A_{Int}) \restriction A_i) = \mathit{extr}_i((u \setminus A_{Int}) \restriction A_i) \circ x$.

Thus, since $A_i \cap A_{Int} = \emptyset$, $\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(O)}(u \setminus A_{Int}) \circ r$. Moreover, by proposition B.5(2), $\mathit{events}(r) \cap B_{Int} = \emptyset$. Hence, by the inductive hypothesis,
$$\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(O)}(u \setminus A_{Int}) \circ r = \mathit{extr}_{EP(I)}(u) \setminus B_{Int} \circ r$$
and so
$$\mathit{extr}_{EP(O)}(t \setminus A_{Int}) = \mathit{extr}_{EP(I)}(t) \setminus B_{Int}.$$
□
Proposition B.9. Assume that both $M$ and $N$ meet condition Dom-T-check. Let $t \in \tau O$ be such that $t \in (s \|_{A_{Int}} u) \setminus A_{Int}$, where $s \in \tau M$ and $u \in \tau N$. If $t \in \mathit{Dom}_{EP(O)}$, then $s \in \mathit{Dom}_{EP(M)}$ and $u \in \mathit{Dom}_{EP(N)}$.

Proof. We assume $t \in \mathit{Dom}_{EP(O)}$. Let $y$ be such that $y \in (s \|_{A_{Int}} u)$ and $y \setminus A_{Int} = t$. We proceed by induction on the length of $y$. In the base case, when $y = s = u = \langle\rangle$, the proof is immediate by proposition B.3(1). Let $y = x \circ \langle a \rangle$. By proposition B.3(1), $x \setminus A_{Int} \in \mathit{Dom}_{EP(O)}$. We consider each of two cases in turn.

Case 1: $a \in A_{Int}$. In this case, $s = v \circ \langle a \rangle$ and $u = w \circ \langle a \rangle$ for some $v, w$. Hence, by proposition B.6(1), there exists $ep_i \in EP(M) \cap EP(N)$ such that $a \in A_i$ and $s \restriction A_i = u \restriction A_i$. By definition 4.7 and since $\mathit{Comm}(A_i, M) \neq \mathit{Comm}(A_i, N)$, either $a \notin \mathit{Proj}_{EP(M)}$ or $a \notin \mathit{Proj}_{EP(N)}$ (this disjunction need not be exclusive by definition 4.7(1)). Wlog, we assume that $a \notin \mathit{Proj}_{EP(M)}$. Thus, $v \restriction \mathit{Proj}_{EP(M)} = s \restriction \mathit{Proj}_{EP(M)}$. Moreover, by the inductive hypothesis, $v \in \mathit{Dom}_{EP(M)}$ and so
$$s \restriction \mathit{Proj}_{EP(M)} = v \restriction \mathit{Proj}_{EP(M)} \in \mathit{Dom}_{EP(M)} \restriction \mathit{Proj}_{EP(M)}.$$
Hence, since $M$ meets Dom-T-check, $s \in \mathit{Dom}_{EP(M)}$. Thus, by TR-GLOBAL1, $u \restriction A_i = s \restriction A_i \in \mathit{Dom}_i$. As a result, $u \in \mathit{Dom}_{EP(N)}$ by TR-GLOBAL1 and EP-UNI1 and since $w \in \mathit{Dom}_{EP(N)}$ by the inductive hypothesis.

Case 2: $a \notin A_{Int}$. In this case, wlog, we assume $s = v \circ \langle a \rangle$ and $\mathit{tail}(u) \neq a$. Thus, by the inductive hypothesis, $u \in \mathit{Dom}_{EP(N)}$. By proposition B.6(2), there exists $ep_i \in EP(M) - EP(N)$ such that $a \in A_i$, $y \restriction A_i = s \restriction A_i$ and $A_i \cap A_{Int} = \emptyset$. Thus, $t \restriction A_i = s \restriction A_i$ and, by proposition 4.5, $ep_i \in EP(O)$. Hence, since $t \in \mathit{Dom}_{EP(O)}$ and by TR-GLOBAL1, $s \restriction A_i \in \mathit{Dom}_i$. By the inductive hypothesis, $v \in \mathit{Dom}_{EP(M)}$ and so, by TR-GLOBAL1 and EP-UNI1, $s \in \mathit{Dom}_{EP(M)}$. □
Lemma B.10. Let $Q$ be an implementation process and $t \in \tau Q$. Then $t \restriction \mathit{Proj}_{EP(Q)} \in \mathit{Dom}_{EP(Q)} \restriction \mathit{Proj}_{EP(Q)}$ if and only if $t \restriction \mathit{Proj}_i \in \mathit{Dom}_i \restriction \mathit{Proj}_i$ for every $ep_i \in EP(Q)$.

Proof. ($\Rightarrow$) We assume $t \restriction \mathit{Proj}_{EP(Q)} \in \mathit{Dom}_{EP(Q)} \restriction \mathit{Proj}_{EP(Q)}$. Let $ep_i \in EP(Q)$. By definition 4.7(3), $t \restriction \mathit{Proj}_i \in \mathit{Dom}_i \restriction \mathit{Proj}_i$.

($\Leftarrow$) We assume $t \restriction \mathit{Proj}_i \in \mathit{Dom}_i \restriction \mathit{Proj}_i$ for every $ep_i \in EP(Q)$. We first observe the following.

• $\mathit{Dom}_{EP(Q)} = \mathop{|||}_{1 \leq i \leq m} \mathit{Dom}_i$ by TR-GLOBAL1.
• $\mathit{Proj}_{EP(Q)} = \bigcup_{1 \leq i \leq m} \mathit{Proj}_i$ by definition 4.7(3).
• Let $ep_i \in EP(Q)$. Then the following hold.
  - $\mathit{events}(t) \subseteq A_i$ for every $t \in \mathit{Dom}_i$ by EP3-T.
  - $\mathit{Proj}_i \subseteq A_i$ by definition 4.7 and EP2.
  - $A_i \cap A_j = \emptyset$ for $ep_j \in EP(Q)$ such that $i \neq j$ by EP-UNI1.

Hence,
$$\mathit{Dom}_{EP(Q)} \restriction \mathit{Proj}_{EP(Q)} = \mathop{|||}_{1 \leq i \leq m} (\mathit{Dom}_i \restriction \mathit{Proj}_i)$$
and $t \restriction \mathit{Proj}_{EP(Q)} \in \mathop{|||}_{1 \leq i \leq m} t \restriction \mathit{Proj}_i$. Thus, since $t \restriction \mathit{Proj}_i \in \mathit{Dom}_i \restriction \mathit{Proj}_i$ for every $ep_i \in EP(Q)$, $t \restriction \mathit{Proj}_{EP(Q)} \in \mathit{Dom}_{EP(Q)} \restriction \mathit{Proj}_{EP(Q)}$. □
Proposition B.11. Assume that both $M$ and $N$ meet condition Dom-T-check. Then $O$ meets Dom-T-check.

Proof. Let $t \in \tau O$ be such that $t \in (s \|_{A_{Int}} u) \setminus A_{Int}$, where $s \in \tau M$, $u \in \tau N$ and $s, u$ are the shortest such traces. By Dom-T-check, it suffices to show that
$$t \restriction \mathit{Proj}_{EP(O)} \in (\mathit{Dom}_{EP(O)} \restriction \mathit{Proj}_{EP(O)}) \Rightarrow t \in \mathit{Dom}_{EP(O)}.$$
We assume that $t \restriction \mathit{Proj}_{EP(O)} \in (\mathit{Dom}_{EP(O)} \restriction \mathit{Proj}_{EP(O)})$ and proceed by induction on the length of $t$. In the base case, when $t = \langle\rangle$, the proof is immediate by proposition B.3(1). Let $t = x \circ \langle a \rangle$. Since $a \in \alpha O$ by PA1, by definition 4.5 there exists $ep_i \in EP(O)$ such that $a \in A_i$. Wlog, and by proposition 4.5, we assume $ep_i \in EP(M)$ and $ep_i \notin EP(N)$. Thus, by definition 4.5, EP-UNI1 and PA1, $a \notin \mathit{events}(u)$. Hence, since $s$ and $u$ are as short as possible, $s = v \circ \langle a \rangle$ for some trace $v$ and so $x \in (v \|_{A_{Int}} u) \setminus A_{Int}$. Before proceeding, we show the following.
$$t \restriction A_i = s \restriction A_i \tag{B.2}$$
Let $y$ be such that $y \in (s \|_{A_{Int}} u)$ and $t = y \setminus A_{Int}$. Since $ep_i \notin EP(N)$ and by definition 4.5, EP-UNI1 and PA1, $A_i \cap \mathit{events}(u) = \emptyset$. Thus, $y \restriction A_i = s \restriction A_i$. Since $ep_i \in EP(M) - EP(N)$, and by proposition B.1(1) and EP-UNI1, $A_i \cap A_{Int} = \emptyset$. Thus, $t \restriction A_i = (y \setminus A_{Int}) \restriction A_i = y \restriction A_i = s \restriction A_i$. Hence, we have shown (B.2).

Since $t \restriction \mathit{Proj}_{EP(O)} \in \mathit{Dom}_{EP(O)} \restriction \mathit{Proj}_{EP(O)}$ and by proposition B.3(1), $x \restriction \mathit{Proj}_{EP(O)} \in \mathit{Dom}_{EP(O)} \restriction \mathit{Proj}_{EP(O)}$. Hence, by the inductive hypothesis, $x \in \mathit{Dom}_{EP(O)}$. Thus, by TR-GLOBAL1 and EP-UNI1, it suffices to show that $t \restriction A_i \in \mathit{Dom}_i$. Moreover, by proposition B.9, $v \in \mathit{Dom}_{EP(M)}$. We now consider each of two cases in turn.

Case 1: $a \in \mathit{Proj}_{EP(O)}$. Since $t \restriction \mathit{Proj}_{EP(O)} \in \mathit{Dom}_{EP(O)} \restriction \mathit{Proj}_{EP(O)}$, then $s \restriction \mathit{Proj}_i = t \restriction \mathit{Proj}_i \in \mathit{Dom}_i \restriction \mathit{Proj}_i$ by lemma B.10, (B.2) and since $\mathit{Proj}_i \subseteq A_i$. Since $v \in \mathit{Dom}_{EP(M)}$, then $v \restriction \mathit{Proj}_{EP(M)} \in \mathit{Dom}_{EP(M)} \restriction \mathit{Proj}_{EP(M)}$ and so, by lemma B.10, EP-UNI1 and since $\mathit{Proj}_j \subseteq A_j$,
$$s \restriction \mathit{Proj}_j = v \restriction \mathit{Proj}_j \in \mathit{Dom}_j \restriction \mathit{Proj}_j$$
for every $ep_j \in EP(M) - \{ep_i\}$. Thus, $s \restriction \mathit{Proj}_{EP(M)} \in \mathit{Dom}_{EP(M)} \restriction \mathit{Proj}_{EP(M)}$ by lemma B.10. Hence, since $M$ meets Dom-T-check, $s \in \mathit{Dom}_{EP(M)}$ and so, by TR-GLOBAL1 and (B.2), $t \restriction A_i \in \mathit{Dom}_i$.

Case 2: $a \notin \mathit{Proj}_{EP(O)}$. By definition 4.7(3) and since $a \in A_i$, $a \notin \mathit{Proj}_i$ and so $a \notin \mathit{Proj}_{EP(M)}$ by EP-UNI1. Hence, and since $v \in \mathit{Dom}_{EP(M)}$,
$$s \restriction \mathit{Proj}_{EP(M)} = v \restriction \mathit{Proj}_{EP(M)} \in \mathit{Dom}_{EP(M)} \restriction \mathit{Proj}_{EP(M)}.$$
Since $M$ meets Dom-T-check, $s \in \mathit{Dom}_{EP(M)}$ and so, by TR-GLOBAL1 and (B.2), $t \restriction A_i \in \mathit{Dom}_i$. □
Proposition B.12. If $M \sqsupseteq^{EP(M)}_T K$ and $N \sqsupseteq^{EP(N)}_T L$, then $\mathit{extr}_{EP(O)}(\tau O) \subseteq \tau J$.

Proof. We assume $M \sqsupseteq^{EP(M)}_T K$ and $N \sqsupseteq^{EP(N)}_T L$. Let $t \in \tau_{\mathit{Dom}_{EP(O)}} O$ be such that $s \in \tau M$, $u \in \tau N$ and $t \in (s \|_{A_{Int}} u) \setminus A_{Int}$. By TR-DEF1, it suffices to show that $\mathit{extr}_{EP(O)}(t) \in \tau J$. By TR-DEF2, $M$ and $N$ meet Dom-T-check and so, by proposition B.9, $s \in \tau_{\mathit{Dom}_{EP(M)}} M$ and $u \in \tau_{\mathit{Dom}_{EP(N)}} N$. Thus, by TR-DEF1 and TR-DEF2, $\mathit{extr}_{EP(M)}(s) \in \tau K$ and $\mathit{extr}_{EP(N)}(u) \in \tau L$. Hence,
$$(\mathit{extr}_{EP(M)}(s) \|_{B_{Int}} \mathit{extr}_{EP(N)}(u)) \setminus B_{Int} \subseteq \tau J.$$
Thus, by propositions B.7 and B.8,
$$\mathit{extr}_{EP(O)}(t) \in (\mathit{extr}_{EP(M)}(s) \|_{B_{Int}} \mathit{extr}_{EP(N)}(u)) \setminus B_{Int} \subseteq \tau J.$$
□

Lemma B.13. If $M \sqsupseteq^{EP(M)}_T K$ and $N \sqsupseteq^{EP(N)}_T L$ then $O \sqsupseteq^{EP(O)}_T J$.

Proof. We assume that $M \sqsupseteq^{EP(M)}_T K$ and $N \sqsupseteq^{EP(N)}_T L$. By TR-DEF2 and proposition B.11, $O$ meets Dom-T-check. Hence, by TR-DEF2, it suffices to show that $\mathit{extr}_{EP(O)}(\tau O) \subseteq \tau J$ and so the proof follows by proposition B.12. □

Proof of theorem 4.8

Proof. We assume that $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq F_{vis}$ and $Q_i \sqsupseteq^{EP(Q_i)}_T P_i$ for $1 \leq i \leq n$. Let $Q = F_{impl}(Q_1, Q_2, \ldots, Q_n)$ and $P = F_{spec}(P_1, P_2, \ldots, P_n)$. By induction on $n$ using lemma B.13, $Q \sqsupseteq^{EP(Q)}_T P$. Hence, by theorem 4.7 and since $\alpha Q \subseteq F_{vis}$, $Q \sqsupseteq_T P$. □
B.4 Proofs from section 4.4 
Results used in the proof of theorem 4.10 
Proposition B.14. Let $Q$ be an implementation process. Then $\mathit{Dom}_{EP(Q)}$ is the prefix-closure of $\mathit{dom}_{EP(Q)}$.

Proof. By EP3-SF, $\mathit{Dom}_i = \mathit{Pref}(\mathit{dom}_i)$ for $ep_i \in EP(Q)$. Thus, by SF-GLOBAL1 and TR-GLOBAL1, $\mathit{dom}_{EP(Q)} \subseteq \mathit{Dom}_{EP(Q)}$ and, for $t \in \mathit{Dom}_{EP(Q)}$, there exists $u \in \mathit{dom}_{EP(Q)}$ such that $t \leq u$. Finally, $\mathit{Dom}_{EP(Q)}$ is prefix-closed by proposition B.3(1). □

Proposition B.15. Let $Q$ be an implementation process such that $\alpha Q \subseteq F_{vis}$. Then $\mathit{extr}_{EP(Q)}(\phi Q) = \phi Q$.

Proof. By definition 4.5, $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$. Thus, by definitions 4.2 and 4.5 and EP1-FvI,
$$\mathit{extrset}(\alpha Q) = \alpha Q. \tag{B.3}$$
We now show the following.
$$\text{Let } (t, R) \in \phi_{\mathit{dom}_{EP(Q)}} Q \text{ such that } R \subseteq \alpha Q. \text{ Then } \mathit{extr}^{ref}_{EP(Q)}(R, t, Q) = R. \tag{B.4}$$
By definition 4.11(2) and proposition B.14, $t \in \mathit{dom}_{EP(Q)} \subseteq \mathit{Dom}_{EP(Q)}$ and so:
$$\begin{aligned}
\mathit{extr}^{ref}_{EP(Q)}(R, t, Q) &= \bigcup_{1 \leq i \leq m} \mathit{extr}^{ref}_i(R \cap A_i, t \restriction A_i, Q) && \text{(SF-GLOBAL2)} \\
&= \bigcup_{1 \leq i \leq m} R \cap A_i && \text{(by EP5-FvI)} \\
&= R \cap \bigcup_{1 \leq i \leq m} A_i \\
&= R \cap \alpha Q && \text{(by definition 4.5)} \\
&= R.
\end{aligned}$$
Hence, we have shown (B.4). Recall that $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$ by definition 4.5. Thus, by EP3A-FvI, TR-GLOBAL1 and SF-GLOBAL1, $\mathit{Dom}_{EP(Q)} = \mathit{dom}_{EP(Q)}$. Moreover, for every $(t, R) \in \phi Q$, $t \in \tau Q$ by SF2 and so $t \in \mathit{Dom}_{EP(Q)} = \mathit{dom}_{EP(Q)}$ by proposition B.4(1). Thus, by definition 4.11(2),
$$\phi_{\mathit{dom}_{EP(Q)}} Q = \phi Q. \tag{B.5}$$
Let $(t, R) \in \phi_{\mathit{dom}_{EP(Q)}} Q$. Then $t \in \tau Q$ by SF2 and so $\mathit{extr}_{EP(Q)}(t) = t$ by proposition B.4(2). Hence, and by (B.3), (B.4), (B.5) and SF-DEF2,
$$\mathit{extr}_{EP(Q)}(\phi Q) = \{(t, X) \mid (t, R) \in \phi Q \wedge R \subseteq \alpha Q \wedge X \subseteq R \cup (\Sigma - \alpha Q)\}.$$
Thus, $\mathit{extr}_{EP(Q)}(\phi Q) = \phi Q$ by PA2 and SF3. □
Bo4. Proofs from section 404 247 
Proof of theorem 4.9 
Proof. ($\Rightarrow$) We assume that $Q \sqsupseteq^{EP(Q)}_{SF} P$. Hence, by SF-DEF3 and SF-DEF1, $\mathit{extr}_{EP(Q)}(\tau Q) \subseteq \tau P$ and $\mathit{extr}_{EP(Q)}(\phi Q) \subseteq \phi P$. Thus, by propositions B.4(3) and B.15, $\tau Q \subseteq \tau P$ and $\phi Q \subseteq \phi P$.

($\Leftarrow$) We assume that $Q \sqsupseteq_{SF} P$. Thus, by propositions B.4(3) and B.15, $\mathit{extr}_{EP(Q)}(\tau Q) \subseteq \tau P$ and $\mathit{extr}_{EP(Q)}(\phi Q) \subseteq \phi P$. By proposition B.4(1), $t \in \mathit{Dom}_{EP(Q)}$ for all $t \in \tau Q$ and so $Q$ meets Dom-T-check. $Q$ meets Dom-SF-check since, by definition 4.5, $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$. Thus, by SF-DEF1 and SF-DEF3, $Q \sqsupseteq^{EP(Q)}_{SF} P$. □
Lemma B.16. Let $(s, S) \in \phi_{\mathit{Dom}_{EP(M)}} M$ and $(u, U) \in \phi_{\mathit{Dom}_{EP(N)}} N$ be such that $S \subseteq \alpha M$, $U \subseteq \alpha N$ and $(s \|_{A_{Int}} u) \neq \emptyset$. If $A_{Int} \subseteq S \cup U$, then
$$B_{Int} \subseteq \mathit{extr}^{ref}_{EP(M)}(S, s, M) \cup \mathit{extr}^{ref}_{EP(N)}(U, u, N).$$

Proof. We assume that $A_{Int} \subseteq S \cup U$. By SF-GLOBAL2, $\mathit{extr}^{ref}_{EP(M)}(S, s, M) \cup \mathit{extr}^{ref}_{EP(N)}(U, u, N)$ is given by
$$\bigcup_{ep_i \in EP(M)} \mathit{extr}^{ref}_i(S \cap A_i, s \restriction A_i, M) \cup \bigcup_{ep_j \in EP(N)} \mathit{extr}^{ref}_j(U \cap A_j, u \restriction A_j, N).$$
Thus, and by proposition B.1(2), it suffices to show that
$$B_i = \mathit{extr}^{ref}_i(S \cap A_i, s \restriction A_i, M) \cup \mathit{extr}^{ref}_i(U \cap A_i, u \restriction A_i, N)$$
for every $ep_i \in EP(M) \cap EP(N)$. Let $ep_i \in EP(M) \cap EP(N)$. By proposition B.1(1), $A_i \subseteq A_{Int}$ and so, since $A_{Int} \subseteq S \cup U$,
$$(S \cap A_i) \cup (U \cap A_i) = A_i.$$
By EP1, we consider each of two cases in turn.

Case 1: $A_i \subseteq F_{vis}$. In this case, by EP5-FvI,
$$\mathit{extr}^{ref}_i(S \cap A_i, s \restriction A_i, M) = S \cap A_i \text{ and } \mathit{extr}^{ref}_i(U \cap A_i, u \restriction A_i, N) = U \cap A_i.$$
Moreover, by EP1-FvI, $(S \cap A_i) \cup (U \cap A_i) = A_i = B_i$.

Case 2: $A_i \cap F_{vis} = \emptyset$. Since $(s \|_{A_{Int}} u) \neq \emptyset$, then $s \restriction A_{Int} = u \restriction A_{Int}$ by TRP and so $s \restriction A_i = u \restriction A_i$ since $A_i \subseteq A_{Int}$. Wlog, we assume that $\mathit{Comm}(A_i, M) = \mathit{Left}$ and $\mathit{Comm}(A_i, N) = \mathit{Right}$. Since $(S \cap A_i) \cup (U \cap A_i) = A_i$ and $s \restriction A_i = u \restriction A_i$, and by definition 4.9, either
$$S \cap A_i \notin \mathit{ref}_i(s \restriction A_i) \text{ or } U \cap A_i \notin \mathit{ref}_i(u \restriction A_i).$$
Hence, either $\mathit{extr}^{ref}_i(S \cap A_i, s \restriction A_i, M) = B_i$ or $\mathit{extr}^{ref}_i(U \cap A_i, u \restriction A_i, N) = B_i$ by definition 4.10. □
Proposition B.17. Let $(t, R) \in \phi O$. Then there exist $(s, S) \in \phi M$ and $(u, U) \in \phi N$ such that:
• $t \in (s \parallel_{A_{Int}} u) \setminus A_{Int}$.
• $S \subseteq \alpha M$ and $U \subseteq \alpha N$.
• $R \cup A_{Int} = (S \cup U) \cup Z$, where $Z \subseteq (\Sigma - (\alpha M \cup \alpha N))$.
Proof. By definition of the hiding operator in the stable failures model, there exists $(w, R \cup A_{Int}) \in \phi I$ where $w \setminus A_{Int} = t$. Recall also that $I = M \parallel_{A_{Int}} N$ and $A_{Int} = \alpha M \cap \alpha N$. Hence, the proof follows by theorem 2.20. $\square$
Proposition B.18. Assume that $M$ and $N$ meet Dom-T-check and Dom-SF-check. Then $O$ meets Dom-SF-check.
Proof. Let $(t, R) \in \phi_{Dom_{EP(O)}}O$ be such that $R \subseteq \alpha O$ and let $ep_i \in EP(O)$ be such that $A_i \cap F_{vis} = \emptyset$. Moreover, assume that $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, O) = B_i$. By definition of Dom-SF-check, it suffices to show that $t \upharpoonright A_i \in dom_i$. By proposition B.17, there exist $(s, S) \in \phi M$ and $(u, U) \in \phi N$ such that:
• $t \in (s \parallel_{A_{Int}} u) \setminus A_{Int}$.
• $S \subseteq \alpha M$ and $U \subseteq \alpha N$.
• $R \cup A_{Int} = (S \cup U) \cup Z$, where $Z \subseteq (\Sigma - (\alpha M \cup \alpha N))$.
By SF2, $t \in \tau O$, $s \in \tau M$ and $u \in \tau N$. Thus, by proposition B.9 and definition 4.11(1), $(s, S) \in \phi_{Dom_{EP(M)}}M$ and $(u, U) \in \phi_{Dom_{EP(N)}}N$. Wlog, and by proposition 4.5, we assume that $ep_i \in EP(M) - EP(N)$. We then observe the following:
• $A_i \cap A_{Int} = \emptyset$ by proposition B.1(1) and Ep-UNI1.
• By definition 4.5, $A_i \subseteq \alpha M$ and, also by Ep-UNI1, $A_i \cap \alpha N = \emptyset$.
• $A_i \cap events(u) = \emptyset$ by SF2, PA1 and since $A_i \cap \alpha N = \emptyset$.
Since $A_i \cap events(u) = \emptyset$ and $A_i \cap A_{Int} = \emptyset$, $t \upharpoonright A_i = s \upharpoonright A_i$. Since $A_i \cap A_{Int} = \emptyset$, $A_i \subseteq \alpha M$ and $A_i \cap \alpha N = \emptyset$,
$$R \cap A_i = (R \cup A_{Int}) \cap A_i = (S \cup U \cup Z) \cap A_i = S \cap A_i.$$
By definition 4.6, $Comm(A_i, O) = Comm(A_i, M)$. Thus, by definition 4.10,
$$extr^{ref}_i(S \cap A_i, s \upharpoonright A_i, M) = extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, O) = B_i.$$
Hence, $t \upharpoonright A_i = s \upharpoonright A_i \in dom_i$ since $M$ meets Dom-SF-check. $\square$
Lemma B.19. Assume that $M$ and $N$ meet Dom-T-check and Dom-SF-check. Let $(t, R) \in \phi_{dom_{EP(O)}}O$ be such that $R \subseteq \alpha O$. Let $(s, S) \in \phi M$ and $(u, U) \in \phi N$ be such that:
• $t \in (s \parallel_{A_{Int}} u) \setminus A_{Int}$.
• $S \subseteq \alpha M$ and $U \subseteq \alpha N$.
• $R \cup A_{Int} = (S \cup U) \cup Z$, where $Z \subseteq (\Sigma - (\alpha M \cup \alpha N))$.
Then $(s, S) \in \phi_{dom_{EP(M)}}M$ and $(u, U) \in \phi_{dom_{EP(N)}}N$.
Proof. We show that $(s, S) \in \phi_{dom_{EP(M)}}M$; that $(u, U) \in \phi_{dom_{EP(N)}}N$ may be proved in a similar way. By definition 4.11(2), it suffices to show that $s \in dom_{EP(M)}$. Let $ep_i \in EP(M)$. Then, by SF-GLOBAL1, it suffices to show that $s \upharpoonright A_i \in dom_i$. By SF2, $t \in \tau O$, $s \in \tau M$ and $u \in \tau N$. By proposition B.14, $t \in dom_{EP(O)} \subseteq Dom_{EP(O)}$. Thus, since $M$ and $N$ both meet Dom-T-check and by proposition B.9, $s \in Dom_{EP(M)}$ and $u \in Dom_{EP(N)}$. We now consider each of three cases in turn.
Case 1: $A_i \subseteq F_{vis}$. In this case, $s \upharpoonright A_i \in dom_i$ by Ep3-FvI and Ep3A-FvI.
Case 2: $A_i \cap F_{vis} = \emptyset$ and $ep_i \in EP(N)$. By proposition B.1(1), $A_i \subseteq A_{Int}$ and so, by TRP, $s \upharpoonright A_i = u \upharpoonright A_i$. Recall that $A_{Int} = \alpha M \cap \alpha N$. Thus, since $R \cup A_{Int} = (S \cup U) \cup Z$, then $A_i \subseteq A_{Int} \subseteq S \cup U$ and so
Wlog, we assume that $Comm(A_i, M) = Left$ and so $Comm(A_i, N) = Right$. By definition 4.9, either $S \cap A_i \notin ref_i(s \upharpoonright A_i)$ or $U \cap A_i \notin ref_i(u \upharpoonright A_i)$ and so, by definition 4.10, either
$$extr^{ref}_i(S \cap A_i, s \upharpoonright A_i, M) = B_i \quad \text{or} \quad extr^{ref}_i(U \cap A_i, u \upharpoonright A_i, N) = B_i.$$
Hence, since $M$ and $N$ both meet Dom-SF-check, $s \upharpoonright A_i = u \upharpoonright A_i \in dom_i$.
Case 3: $A_i \cap F_{vis} = \emptyset$ and $ep_i \notin EP(N)$. In this case, by proposition 4.5, $ep_i \in EP(O)$. By definition 4.5 and Ep-UNI1, $A_i \cap \alpha N = \emptyset$. Thus, $A_i \cap events(u) = \emptyset$ by SF2 and PA1. By proposition B.1(1) and Ep-UNI1, $A_i \cap A_{Int} = \emptyset$. Hence, $s \upharpoonright A_i = t \upharpoonright A_i$ and so, since $t \in dom_{EP(O)}$, $s \upharpoonright A_i = t \upharpoonright A_i \in dom_i$ by SF-GLOBAL1. $\square$
Lemma B.20. Assume that $extr_{EP(M)}(\phi M) \subseteq \phi K$ and $extr_{EP(N)}(\phi N) \subseteq \phi L$. Let $(s, S) \in \phi_{dom_{EP(M)}}M$ and $(u, U) \in \phi_{dom_{EP(N)}}N$ be such that $S \subseteq \alpha M$ and $U \subseteq \alpha N$. Then $(w, Y) \in \phi H$ such that
• $w \in (extr_{EP(M)}(s) \parallel_{B_{Int}} extr_{EP(N)}(u))$.
• $Y = extr^{ref}_{EP(M)}(S, s, M) \cup extr^{ref}_{EP(N)}(U, u, N) \cup (\Sigma - extr_{set}(\alpha M \cup \alpha N))$.
Proof. We shall use the following abbreviations in order to ease the presentation:
• $\bar S \triangleq extr^{ref}_{EP(M)}(S, s, M)$.
• $\bar U \triangleq extr^{ref}_{EP(N)}(U, u, N)$.
• $Z \triangleq \Sigma - extr_{set}(\alpha M \cup \alpha N)$.
By SF-DEF2,
• $(extr_{EP(M)}(s), \bar S \cup (\Sigma - extr_{set}(\alpha M))) \in \phi K$.
• $(extr_{EP(N)}(u), \bar U \cup (\Sigma - extr_{set}(\alpha N))) \in \phi L$.
We then observe that, by definitions 4.2 and 4.5,
$$Z = \Sigma - (extr_{set}(\alpha M) \cup extr_{set}(\alpha N)).$$
Let $S' = \bar S \cup Z \cup (\bar U - B_{Int})$ and $U' = \bar U \cup Z \cup (\bar S - B_{Int})$. By definition 4.11(2) and proposition B.14, $u \in Dom_{EP(N)}$. Hence, by SF-GLOBAL2, definition 4.10, Ep1-FvI and Ep5-FvI, $\bar U \subseteq \bigcup\{B_i \mid ep_i \in EP(N)\}$. Thus, by definitions 4.2 and 4.5, $\bar U \subseteq extr_{set}(\alpha N)$. By proposition B.1(2), Ep-UNI1 and definitions 4.2 and 4.5, $B_{Int} = extr_{set}(\alpha M) \cap extr_{set}(\alpha N)$. Thus, $(\bar U - B_{Int}) \cap extr_{set}(\alpha M) = \emptyset$. Hence, $Z \cup (\bar U - B_{Int}) \subseteq \Sigma - extr_{set}(\alpha M)$ and so $(extr_{EP(M)}(s), S') \in \phi K$ by SF3. Similarly, $(extr_{EP(N)}(u), U') \in \phi L$. Moreover,
$$S' \cup U' = \bar S \cup Z \cup (\bar U - B_{Int}) \cup \bar U \cup Z \cup (\bar S - B_{Int}) = \bar S \cup \bar U \cup Z.$$
Hence, by the definition of parallel composition in chapter 2.4.2, the only thing we need to show is that $S' - B_{Int} = U' - B_{Int}$. In other words, that
$$(\bar S \cup Z \cup (\bar U - B_{Int})) - B_{Int} = (\bar U \cup Z \cup (\bar S - B_{Int})) - B_{Int}$$
which is equivalent to
which clearly holds. $\square$
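A worked check of the final equality, added here as an illustration and not part of the thesis text: writing $\bar S$ for $extr^{ref}_{EP(M)}(S, s, M)$ and $\bar U$ for $extr^{ref}_{EP(N)}(U, u, N)$ as in the lemma, both sides reduce to the same set using only $(X \cup Y) - B = (X - B) \cup (Y - B)$ and $(X - B) - B = X - B$.

$$\begin{aligned}
(\bar S \cup Z \cup (\bar U - B_{Int})) - B_{Int} &= (\bar S - B_{Int}) \cup (Z - B_{Int}) \cup ((\bar U - B_{Int}) - B_{Int}) \\
&= (\bar S - B_{Int}) \cup (Z - B_{Int}) \cup (\bar U - B_{Int}) \\
&= (\bar S \cup \bar U \cup Z) - B_{Int},
\end{aligned}$$

and the same two steps with $\bar S$ and $\bar U$ exchanged give

$$(\bar U \cup Z \cup (\bar S - B_{Int})) - B_{Int} = (\bar S \cup \bar U \cup Z) - B_{Int}.$$

Since $B_{Int} = extr_{set}(\alpha M) \cap extr_{set}(\alpha N)$ and $Z = \Sigma - (extr_{set}(\alpha M) \cup extr_{set}(\alpha N))$, we also have $Z \cap B_{Int} = \emptyset$, so the common value is $((\bar S \cup \bar U) - B_{Int}) \cup Z$.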
Lemma B.21. Assume that $M$ and $N$ both meet Dom-SF-check and Dom-T-check. Assume that $extr_{EP(M)}(\phi M) \subseteq \phi K$ and $extr_{EP(N)}(\phi N) \subseteq \phi L$. Then $extr_{EP(O)}(\phi O) \subseteq \phi J$.
Proof. Let $(t, R) \in \phi_{dom_{EP(O)}}O$ be such that $R \subseteq \alpha O$. By SF-DEF2 and SF3, it suffices to show that
(**)
By proposition B.17, there exist $(s, S) \in \phi M$ and $(u, U) \in \phi N$ such that:
• $t \in (s \parallel_{A_{Int}} u) \setminus A_{Int}$.
• $S \subseteq \alpha M$ and $U \subseteq \alpha N$.
• $R \cup A_{Int} = (S \cup U) \cup Z$, where $Z \subseteq (\Sigma - (\alpha M \cup \alpha N))$.
Moreover, by lemma B.19, $(s, S) \in \phi_{dom_{EP(M)}}M$ and $(u, U) \in \phi_{dom_{EP(N)}}N$, and so, by proposition B.14, $(s, S) \in \phi_{Dom_{EP(M)}}M$ and $(u, U) \in \phi_{Dom_{EP(N)}}N$. We first show that
$$extr^{ref}_{EP(O)}(R, t, O) \subseteq extr^{ref}_{EP(M)}(S, s, M) \cup extr^{ref}_{EP(N)}(U, u, N). \qquad \text{(B.6)}$$
Let $ep_i \in EP(O)$. Wlog and by proposition 4.5, we assume that $ep_i \in EP(M) - EP(N)$. Thus, by SF-GLOBAL2 and since $t \in dom_{EP(O)} \subseteq Dom_{EP(O)}$ by proposition B.14, it suffices to show that
$$extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, O) = extr^{ref}_i(S \cap A_i, s \upharpoonright A_i, M).$$
We first show that $R \cap A_i = S \cap A_i$ and $t \upharpoonright A_i = s \upharpoonright A_i$ before considering each of two cases in turn. We observe the following:
• $A_i \cap A_{Int} = \emptyset$ by proposition B.1(1) and Ep-UNI1.
• By definition 4.5, $A_i \subseteq \alpha M$ and, also by Ep-UNI1, $A_i \cap \alpha N = \emptyset$.
• $A_i \cap events(u) = \emptyset$ by SF2, PA1 and since $A_i \cap \alpha N = \emptyset$.
Since $A_i \cap events(u) = \emptyset$ and $A_i \cap A_{Int} = \emptyset$, $t \upharpoonright A_i = s \upharpoonright A_i$. Moreover, since $A_i \cap A_{Int} = \emptyset$, $A_i \subseteq \alpha M$ and $A_i \cap \alpha N = \emptyset$, then
$$R \cap A_i = (R \cup A_{Int}) \cap A_i = (S \cup U \cup Z) \cap A_i = S \cap A_i.$$
Case 1: $A_i \subseteq F_{vis}$. In this case, by Ep5-FvI,
$$extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, O) = R \cap A_i = S \cap A_i = extr^{ref}_i(S \cap A_i, s \upharpoonright A_i, M).$$
Case 2: $A_i \cap F_{vis} = \emptyset$. By definition 4.6, $Comm(A_i, O) = Comm(A_i, M)$. Thus, by definition 4.10,
$$extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, O) = extr^{ref}_i(S \cap A_i, s \upharpoonright A_i, M).$$
Hence, we have shown (B.6).
We now proceed with the remainder of the proof. By lemma B.20 and since $(s, S) \in \phi_{dom_{EP(M)}}M$ and $(u, U) \in \phi_{dom_{EP(N)}}N$, then $(w, Y) \in \phi H$ such that:
• $w \in (extr_{EP(M)}(s) \parallel_{B_{Int}} extr_{EP(N)}(u))$.
• $Y = extr^{ref}_{EP(M)}(S, s, M) \cup extr^{ref}_{EP(N)}(U, u, N) \cup (\Sigma - extr_{set}(\alpha M \cup \alpha N))$.
Since $A_{Int} = \alpha M \cap \alpha N$ and $R \cup A_{Int} = (S \cup U) \cup Z$, where $Z \subseteq (\Sigma - (\alpha M \cup \alpha N))$, then $A_{Int} \subseteq S \cup U$. Thus, by lemma B.16,
$$B_{Int} \subseteq extr^{ref}_{EP(M)}(S, s, M) \cup extr^{ref}_{EP(N)}(U, u, N)$$
and so $(w \setminus B_{Int}, Y) \in \phi J$ for $w \in (extr_{EP(M)}(s) \parallel_{B_{Int}} extr_{EP(N)}(u))$. Thus, by SF2, propositions B.7 and B.8, and since $s \in Dom_{EP(M)}$ and $u \in Dom_{EP(N)}$,
and so
$$(extr_{EP(O)}(t), Y) \in \phi J.$$
Hence, by (B.6), (**) and SF3, it remains to show that $(\Sigma - extr_{set}(\alpha O)) \subseteq Y$. We know that $B_{Int} \subseteq Y$ and so we show that $(\Sigma - extr_{set}(\alpha O)) - B_{Int} \subseteq Y$. This follows by the fact that, due to definitions 4.2 and 4.5 and propositions 4.5 and B.1(2),
$\square$
Lemma B.22. If $M \sqsupseteq^{EP(M)}_{SF} K$ and $N \sqsupseteq^{EP(N)}_{SF} L$, then $O \sqsupseteq^{EP(O)}_{SF} J$.
Proof. We assume that $M \sqsupseteq^{EP(M)}_{SF} K$ and $N \sqsupseteq^{EP(N)}_{SF} L$. Hence, by SF-DEF3, both $M$ and $N$ meet Dom-T-check and Dom-SF-check. Thus, by propositions B.11 and B.18, $O$ meets conditions Dom-T-check and Dom-SF-check. By SF-DEF3 and SF-DEF1, $extr_{EP(M)}(\tau M) \subseteq \tau K$ and $extr_{EP(N)}(\tau N) \subseteq \tau L$ and so, by TR-DEF2, $M \sqsupseteq^{EP(M)}_{T} K$ and $N \sqsupseteq^{EP(N)}_{T} L$. Thus, by proposition B.12, $extr_{EP(O)}(\tau O) \subseteq \tau J$. Also by SF-DEF3 and SF-DEF1, we observe that $extr_{EP(M)}(\phi M) \subseteq \phi K$ and $extr_{EP(N)}(\phi N) \subseteq \phi L$. Thus, by lemma B.21, $extr_{EP(O)}(\phi O) \subseteq \phi J$ and this concludes the proof by SF-DEF3 and SF-DEF1. $\square$
Proof of theorem 4.10
Proof. We assume that $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq F_{vis}$ and $Q_i \sqsupseteq^{EP(Q_i)}_{SF} P_i$ for $1 \le i \le n$. Let $Q = F_{impl}(Q_1, Q_2, \ldots, Q_n)$ and $P = F_{spec}(P_1, P_2, \ldots, P_n)$. By induction on $n$ using lemma B.22, $Q \sqsupseteq^{EP(Q)}_{SF} P$. Hence, by theorem 4.9 and since $\alpha Q \subseteq F_{vis}$, $Q \sqsupseteq_{SF} P$. $\square$
B.5. Proofs from section 4.5 253
B.5 Proofs from section 4.5 
Results used in the proof of theorem 4.12 
Lemma B.23. Let $Q$ be an implementation process such that $\alpha Q \subseteq F_{vis}$. Then:
1. $extr_{EP(Q)}(\delta Q) = \delta Q$.
2. $extr_{EP(Q)}(\phi_\bot Q) = \phi_\bot Q$.
Proof. 1. Let $t \in min\,\delta Q$. By MD, $t \in \tau Q$ and so, by proposition B.4(1,2), $t \in Dom_{EP(Q)}$ and $extr_{EP(Q)}(t) = t$. Thus, by FD-DEF2, FD4 and definition 2.2,
$$extr_{EP(Q)}(\delta Q) = \{t \circ u \mid t \in min\,\delta Q \wedge u \in \Sigma^*\} = \delta Q.$$
2. By proposition B.15, $extr_{EP(Q)}(\phi Q) = \phi Q$ and, by part 1 of the lemma, $extr_{EP(Q)}(\delta Q) = \delta Q$. Thus, by FD-DEF3 and DR2,
$$extr_{EP(Q)}(\phi_\bot Q) = \phi Q \cup \{(t, R) \mid t \in \delta Q \wedge R \subseteq \Sigma\} = \phi_\bot Q.$$
$\square$
Proof of theorem 4.11
Proof. ($\Rightarrow$) We assume that $Q \sqsupseteq^{EP(Q)}_{FD} P$. Hence, by FD-DEF4 and FD-DEF1, $extr_{EP(Q)}(\phi_\bot Q) \subseteq \phi_\bot P$ and $extr_{EP(Q)}(\delta Q) \subseteq \delta P$. Thus, $\phi_\bot Q \subseteq \phi_\bot P$ and $\delta Q \subseteq \delta P$ by lemma B.23.
($\Leftarrow$) We assume that $Q \sqsupseteq_{FD} P$. Thus, by lemma B.23, $extr_{EP(Q)}(\phi_\bot Q) \subseteq \phi_\bot P$ and $extr_{EP(Q)}(\delta Q) \subseteq \delta P$. By proposition B.4(1), $t \in Dom_{EP(Q)}$ for all $t \in \tau Q$ and so $Q$ meets Dom-T-check. $Q$ meets Dom-SF-check since, by definition 4.5, $A_i \subseteq F_{vis}$ for every $ep_i \in EP(Q)$. Thus, by FD-DEF1 and FD-DEF4, $Q \sqsupseteq^{EP(Q)}_{FD} P$. $\square$
Lemma B.24. Let $Q$ be an implementation process and $\ldots, t_j, \ldots$ an $\omega$-sequence in $Dom_{EP(Q)}$. Then $\ldots, extr_{EP(Q)}(t_j), \ldots$ is also an $\omega$-sequence.
Proof. Let $w \in \Sigma^\omega$ be the least upper bound of the sequence $\ldots, t_j, \ldots$. Thus, by TR-GLOBAL1, there exists $ep_i \in EP(Q)$ such that $w \upharpoonright A_i \in \Sigma^\omega$. Hence, and also by TR-GLOBAL1, $\ldots, t_j \upharpoonright A_i, \ldots$ is an $\omega$-sequence in $Dom_i$ and so $\ldots, extr_i(t_j \upharpoonright A_i), \ldots$ is an $\omega$-sequence by Ep6. By induction on the length of traces using TR-GLOBAL2, $extr_{EP(Q)}(t_j) \in |||_{1 \le k \le m}\, extr_k(t_j \upharpoonright A_k)$ for each $t_j$. Thus, the length of the $extr_{EP(Q)}(t_j)$ increases unboundedly and so, by proposition B.3(2), $\ldots, extr_{EP(Q)}(t_j), \ldots$ is an $\omega$-sequence. $\square$
Proposition B.25. Let $Q$ be an implementation process and $P$ a process such that $Q \sqsupseteq^{EP(Q)}_{FD} P$. If $t \in \tau_{Dom_{EP(Q)}}Q$, then $extr_{EP(Q)}(t) \in \tau_\bot P$.
Proof. By FD-DEF4 and FD-DEF1, we observe that $extr_{EP(Q)}(\delta Q) \subseteq \delta P$ and $extr_{EP(Q)}(\phi_\bot Q) \subseteq \phi_\bot P$. Moreover, by FD-DEF3, $extr_{EP(Q)}(\phi Q) \subseteq \phi_\bot P$. Let $t \in \tau_{Dom_{EP(Q)}}Q$ and so $t \in \tau Q$. We now prove two auxiliary results.
If $t \in dom_{EP(Q)}$ then $extr_{EP(Q)}(t) \in \tau_\bot P$. (B.7)
We assume that $t \in dom_{EP(Q)}$ and consider each of two cases in turn.
Case 1: $t \in \delta Q$. In this case, there exists $v \in min\,\delta Q$ such that $v \le t$ and so, by proposition B.3(1), such that $v \in \tau_{Dom_{EP(Q)}}Q$. Thus, $extr_{EP(Q)}(v) \in \delta P$ by FD-DEF2 and since $extr_{EP(Q)}(\delta Q) \subseteq \delta P$. Hence, by proposition B.3(2) and FD4, $extr_{EP(Q)}(t) \in \delta P$ and so $extr_{EP(Q)}(t) \in \tau_\bot P$ by DR1.
Case 2: $t \notin \delta Q$ and so $(t, \emptyset) \in \phi Q$ by DR3. Since $extr_{EP(Q)}(\phi Q) \subseteq \phi_\bot P$ and by SF-DEF2, $(extr_{EP(Q)}(t), \emptyset) \in \phi_\bot P$. Thus, $extr_{EP(Q)}(t) \in \tau_\bot P$ by definition.
Hence, we have shown (B.7). We now show the following.
Either $extr_{EP(Q)}(t) \in \tau_\bot P$ or there exists $a$ such that $t \circ \langle a \rangle \in \tau_{Dom_{EP(Q)}}Q$. (B.8)
We consider each of two cases in turn.
Case 1: $t \in \delta Q$. In this case, there exists $v \in min\,\delta Q$ such that $v \le t$ and so, by proposition B.3(1), such that $v \in \tau_{Dom_{EP(Q)}}Q$. Thus, $extr_{EP(Q)}(v) \in \delta P$ by FD-DEF2 and since $extr_{EP(Q)}(\delta Q) \subseteq \delta P$. Hence, by proposition B.3(2) and FD4, $extr_{EP(Q)}(t) \in \delta P$ and so $extr_{EP(Q)}(t) \in \tau_\bot P$ by DR1.
Case 2: $t \notin \delta Q$ and so $(t, \emptyset) \in \phi Q$ by DR3. In the event that $t \in dom_{EP(Q)}$ then the proof is immediate by (B.7) and so we assume that $t \notin dom_{EP(Q)}$. Hence, by SF-GLOBAL1, let $ep_i \in EP(Q)$ be such that $t \upharpoonright A_i \notin dom_i$. By Ep1 we observe that $A_i \cap F_{vis} = \emptyset$ since otherwise $t \upharpoonright A_i \in dom_i$ by Ep3-FvI and Ep3A-FvI. Let $(t, R) \in \phi Q$ be refusal-maximal; by SF3 and since $t \in Dom_{EP(Q)}$, $(t, R \cap \alpha Q) \in \phi_{Dom_{EP(Q)}}Q$. By definition 4.5, $A_i \subseteq \alpha Q$. Thus, since $t \upharpoonright A_i \notin dom_i$ and since, by FD-DEF4, $Q$ meets Dom-SF-check,
The proof of (B.8) concludes by considering each of two sub-cases in turn.
Case 2a: $Comm(A_i, Q) = Left$. In this case, $R \cap A_i \in ref_i(t \upharpoonright A_i)$ by definition 4.10. Let $X \in ref_i(t \upharpoonright A_i)$ be maximal in the subset-ordering and such that $R \cap A_i \subseteq X$ (if there is more than one such set we choose one arbitrarily). Thus, by Ep5, there exists $a \in A_i$ such that $a \notin X$ and so, also by Ep5, $t \upharpoonright A_i \circ \langle a \rangle \in Dom_i$. Hence, $t \circ \langle a \rangle \in Dom_{EP(Q)}$ by TR-GLOBAL1, Ep-UNI1 and since $t \in Dom_{EP(Q)}$. Moreover, $a \notin R \cap A_i$ and so, since $(t, R)$ is refusal-maximal, $t \circ \langle a \rangle \in \tau Q$ by SF4.
Case 2b: $Comm(A_i, Q) = Right$. In this case, by definition 4.10, $R \cap A_i \in ref_i(t \upharpoonright A_i)$. Thus, by definition 4.9, there does not exist $X \in ref_i(t \upharpoonright A_i)$ such that $(R \cap A_i) \cup X = A_i$. Let $W \in ref_i(t \upharpoonright A_i)$ be maximal in the subset-ordering. Thus, there exists $a \in A_i$ such that $a \notin W$ and $a \notin R \cap A_i$. Hence, by Ep5, $t \upharpoonright A_i \circ \langle a \rangle \in Dom_i$ and so $t \circ \langle a \rangle \in Dom_{EP(Q)}$ by TR-GLOBAL1, Ep-UNI1 and since $t \in Dom_{EP(Q)}$. Moreover, since $a \notin R \cap A_i$ and $(t, R)$ is refusal-maximal, $t \circ \langle a \rangle \in \tau Q$ by SF4.
Hence, we have proved (B.8). By (B.7), (B.8) and proposition B.14, there exists a trace $x$ such that $extr_{EP(Q)}(t \circ x) \in \tau_\bot P$. The proof then follows by the monotonicity of $extr_{EP(Q)}$ over traces due to proposition B.3(2) and the prefix-closure of $\tau_\bot P$ by FD1. $\square$
Lemma B.26. Assume that $extr_{EP(M)}(\phi M) \subseteq \phi_\bot K$ and $extr_{EP(N)}(\phi N) \subseteq \phi_\bot L$. Let $(s, S) \in \phi_{dom_{EP(M)}}M$ and $(u, U) \in \phi_{dom_{EP(N)}}N$ be such that $S \subseteq \alpha M$ and $U \subseteq \alpha N$. Then $(w, Y) \in \phi_\bot H$ such that
• $w \in (extr_{EP(M)}(s) \parallel_{B_{Int}} extr_{EP(N)}(u))$.
• $Y = extr^{ref}_{EP(M)}(S, s, M) \cup extr^{ref}_{EP(N)}(U, u, N) \cup (\Sigma - extr_{set}(\alpha M \cup \alpha N))$.
Proof. The proof is the same as that of lemma B.20 except that:
• $\phi_\bot K$ and $\phi_\bot L$ are substituted for $\phi K$ and $\phi L$.
• FD2 is used in place of SF3.
• The relevant definition of parallel composition is taken from chapter 2.4.3 rather than chapter 2.4.2.
$\square$
Lemma B.27. Assume that $M$ and $N$ both meet Dom-SF-check and Dom-T-check. Assume that $extr_{EP(M)}(\phi M) \subseteq \phi_\bot K$ and $extr_{EP(N)}(\phi N) \subseteq \phi_\bot L$. Then $extr_{EP(O)}(\phi O) \subseteq \phi_\bot J$.
Proof. The proof is the same as that of lemma B.21 except that:
• $\phi_\bot H$ and $\phi_\bot J$ are substituted for $\phi H$ and $\phi J$ respectively.
• FD2 is used in place of SF3.
• Lemma B.26 is used in place of lemma B.20.
$\square$
Lemma B.28. Let $s \in \tau_\bot K$ and $u \in \tau_\bot L$. Then $(s \parallel_{B_{Int}} u) \subseteq \tau_\bot H$.
Proof. By definition of $\tau_\bot$, $(s, \emptyset) \in \phi_\bot K$ and $(u, \emptyset) \in \phi_\bot L$. Thus,
$$\{(w, \emptyset) \mid w \in (s \parallel_{B_{Int}} u)\} \subseteq \phi_\bot H$$
and so $(s \parallel_{B_{Int}} u) \subseteq \tau_\bot H$. $\square$
Lemma B.29. If $M \sqsupseteq^{EP(M)}_{FD} K$ and $N \sqsupseteq^{EP(N)}_{FD} L$, then $O \sqsupseteq^{EP(O)}_{FD} J$.
Proof. We assume that $M \sqsupseteq^{EP(M)}_{FD} K$ and $N \sqsupseteq^{EP(N)}_{FD} L$. Hence, by FD-DEF4, both $M$ and $N$ meet Dom-T-check and Dom-SF-check. Thus, by propositions B.11 and B.18, $O$ meets conditions Dom-T-check and Dom-SF-check. By FD-DEF4 and FD-DEF1, we therefore have to show that $extr_{EP(O)}(\delta O) \subseteq \delta J$ and $extr_{EP(O)}(\phi_\bot O) \subseteq \phi_\bot J$.
We first show that $extr_{EP(O)}(\delta O) \subseteq \delta J$. Let $t \in Dom_{EP(O)}$ and $t \in min\,\delta O$. By FD-DEF2 and FD4, it suffices to show that $extr_{EP(O)}(t) \in \delta J$. According to the semantics of the hiding operator in the failures divergences model, we consider each of two cases in turn. Before we proceed, recall that $O = I \setminus A_{Int}$ and note that, by FD-DEF4 and FD-DEF1, $extr_{EP(M)}(\delta M) \subseteq \delta K$ and $extr_{EP(N)}(\delta N) \subseteq \delta L$.
Case 1: There exists $w \in \delta I$ such that $t = w \setminus A_{Int} \circ y$, for some trace $y$. In fact, $t = w \setminus A_{Int}$ since $t \in min\,\delta O$. Moreover, there exists $v \in min\,\delta I$ such that $v \le w$ and $v \setminus A_{Int} = w \setminus A_{Int}$ since otherwise $t \notin min\,\delta O$. We therefore take $t = v \setminus A_{Int}$. Since $v \in min\,\delta I \subseteq \delta I$, there exist $s \in \tau_\bot M$, $u \in \tau_\bot N$ such that $v \in (s \parallel_{A_{Int}} u)$ and $s \in \delta M$ or $u \in \delta N$. If $s \in \delta M$, then $s \in min\,\delta M$ since otherwise there exists $x < v$ such that $x \in \delta I$ and so $v \notin min\,\delta I$. Similarly, if $u \in \delta N$ then $u \in min\,\delta N$. By MD, $min\,\delta M \subseteq \tau M$ and $min\,\delta N \subseteq \tau N$; moreover, $\tau_\bot M = \tau M \cup \delta M$ and $\tau_\bot N = \tau N \cup \delta N$ by DR1. Thus $s \in \tau M$, $u \in \tau N$ and either $s \in min\,\delta M$ or $u \in min\,\delta N$. Also by MD, $t \in min\,\delta O \subseteq \tau O$ and so, by proposition B.9 and since $t \in Dom_{EP(O)}$, $s \in Dom_{EP(M)}$ and $u \in Dom_{EP(N)}$. Wlog, we assume that $s \in min\,\delta M$. Thus, by FD-DEF2 and since $extr_{EP(M)}(\delta M) \subseteq \delta K$, $extr_{EP(M)}(s) \in \delta K$ and so $extr_{EP(M)}(s) \in \tau_\bot K$ by DR1. Since $u \in \tau N$ and $u \in Dom_{EP(N)}$, $extr_{EP(N)}(u) \in \tau_\bot L$ by proposition B.25. Hence, $(extr_{EP(M)}(s) \parallel_{B_{Int}} extr_{EP(N)}(u)) \subseteq \delta H$ and so, by propositions B.7 and B.8,
Case 2: There exists $w \in \Sigma^\omega$ such that $t = w \setminus A_{Int} \circ x$ for some trace $x$ and, for every $y < w$,
$$y \in \tau_\bot I = \tau I \cup \delta I$$
by DR1. Since $t \in min\,\delta O$, $x = \langle\rangle$ and so $t = w \setminus A_{Int}$. In the event that there exists $y' < w$ such that $y' \in \delta I$, then $t = y' \setminus A_{Int}$ and the proof proceeds as for Case 1. (We know $t = y' \setminus A_{Int}$ in such a case since otherwise $t \notin min\,\delta O$.) We therefore assume that $y \notin \delta I$ and so $y \in \tau I$ for every $y < w$. Thus, for every $y < w$, $y \in (p_y \parallel_{A_{Int}} q_y)$ such that $p_y \in \tau M$ and $q_y \in \tau N$. Let $t_y = y \setminus A_{Int}$ for $y < w$. Then $t_y \le t$ and so $t_y \in \tau O$ for $y < w$; moreover, $t_y \in Dom_{EP(O)}$ by proposition B.14. Thus, for $y < w$, $p_y \in Dom_{EP(M)}$ and $q_y \in Dom_{EP(N)}$ by proposition B.9 and so, by proposition B.25, $extr_{EP(M)}(p_y) \in \tau_\bot K$ and $extr_{EP(N)}(q_y) \in \tau_\bot L$. Hence, by proposition B.7 and lemma B.28, $y \in Dom_{EP(I)}$ and $extr_{EP(I)}(y) \in \tau_\bot H$ for every $y < w$. Hence, by lemma B.24, there exists $k \in \Sigma^\omega$ such that $k$ is the least upper bound of the sequence of $extr_{EP(I)}(y)$ for $y < w$. Moreover, by FD1, $l \in \tau_\bot H$ for every $l < k$. Since $w \in \Sigma^\omega$ and $w \setminus A_{Int}$ is finite, then $w = r \circ s$ where $r \in \Sigma^*$, $s \in (A_{Int})^\omega$ and so $r \setminus A_{Int} = w \setminus A_{Int} = t$. Thus, by proposition B.8, for any trace $h$ such that $r \le h < w$,
$$extr_{EP(O)}(t) = extr_{EP(O)}(w \setminus A_{Int}) = extr_{EP(O)}(h \setminus A_{Int}) = extr_{EP(I)}(h) \setminus B_{Int}.$$
Hence, $k \setminus B_{Int} = extr_{EP(O)}(t)$ and so $extr_{EP(O)}(t) \in \delta J$.
We now show that $extr_{EP(O)}(\phi_\bot O) \subseteq \phi_\bot J$. By FD-DEF3,
$$extr_{EP(O)}(\phi_\bot O) = extr_{EP(O)}(\phi O) \cup \{(t, R) \mid t \in extr_{EP(O)}(\delta O) \wedge R \subseteq \Sigma\}.$$
Thus, since $extr_{EP(O)}(\delta O) \subseteq \delta J$ and by FD5, it is sufficient to show that $extr_{EP(O)}(\phi O) \subseteq \phi_\bot J$. By FD-DEF1, FD-DEF3 and FD-DEF4, we observe that $extr_{EP(M)}(\phi M) \subseteq \phi_\bot K$ and $extr_{EP(N)}(\phi N) \subseteq \phi_\bot L$. Hence, by lemma B.27, $extr_{EP(O)}(\phi O) \subseteq \phi_\bot J$. $\square$
Proof of theorem 4.12
Proof. We assume that $\alpha F_{impl}(Q_1, Q_2, \ldots, Q_n) \subseteq F_{vis}$ and $Q_i \sqsupseteq^{EP(Q_i)}_{FD} P_i$ for $1 \le i \le n$. Let $Q = F_{impl}(Q_1, Q_2, \ldots, Q_n)$ and $P = F_{spec}(P_1, P_2, \ldots, P_n)$. By induction on $n$ using lemma B.29, $Q \sqsupseteq^{EP(Q)}_{FD} P$. Hence, by theorem 4.11 and since $\alpha Q \subseteq F_{vis}$, $Q \sqsupseteq_{FD} P$. $\square$
Appendix C 
Proofs from chapter 6 
C.1 Proofs from sections 6.2 and 6.3
Proposition C.1. The following holds:
$$\tau Q_{Proj} = \{t \in \tau Q \mid t \upharpoonright Proj_{EP(Q)} \in Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)}\}.$$
Proof. Let $i \in inv$. By definition 6.4 and since $\langle\rangle \in Dom_i$ by Ep3-T, $\tau D_i = Dom_i$. Also by Ep3-T, $Dom_i \subseteq (A_i)^*$ and so:
By definition 4.7(1), $Proj_j = \emptyset$ and so $Dom_j \upharpoonright Proj_j = \{\langle\rangle\}$ for $j \notin inv$. Thus, $\tau DC = |||_{1 \le i \le m}\, Dom_i \upharpoonright Proj_i$. We then observe the following.
• $Dom_{EP(Q)} = |||_{1 \le i \le m}\, Dom_i$ by TR-GLOBAL1.
• $Proj_{EP(Q)} = \bigcup_{1 \le i \le m} Proj_i$ by definition 4.7(3).
• Let $ep_i \in EP(Q)$. Then the following hold.
  – $events(t) \subseteq A_i$ for every $t \in Dom_i$ by Ep3-T.
  – $Proj_i \subseteq A_i$ by definition 4.7 and Ep2.
  – $A_i \cap A_j = \emptyset$ for $ep_j \in EP(Q)$ such that $i \neq j$ by Ep-UNI1.
Hence, $\tau DC = Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)}$. We then observe that $\beta(D_i) \subseteq A_i$ for $i \in inv$ by Ep3-T and definition 6.4, and so $\beta(DC_i) \subseteq Proj_i$ since $Proj_i \subseteq A_i$. Thus, and by definition 4.7, $\beta(DC) \subseteq Proj_{EP(Q)}$ and so we take $\alpha DC = Proj_{EP(Q)}$. By Ep2 and definitions 4.5 and 4.7, $Proj_{EP(Q)} \subseteq \alpha Q$ and so $Proj_{EP(Q)} = \alpha Q \cap \alpha DC$. Hence, the proof follows by theorem 2.17. $\square$
C.1. Proofs from sections 6.2 and 6.3 259
Proof of theorem 6.1
Proof. ($\Rightarrow$) We assume that $Q_{Proj} \setminus F_{vis} \sqsupseteq_T (|||_{i \in inv} D_i)$. Let $t \in \tau Q$ be such that $t \upharpoonright Proj_{EP(Q)} \in Dom_{EP(Q)} \upharpoonright Proj_{EP(Q)}$. By Dom-T-check, it suffices to show that $t \in Dom_{EP(Q)}$. By proposition C.1, $t \in \tau Q_{Proj}$ and so
$$t \setminus F_{vis} \in \tau(|||_{i \in inv} D_i) = |||_{i \in inv}\, Dom_i.$$
Let $i \in inv$. By definition 6.1, $A_i \cap F_{vis} = \emptyset$. Thus, and by Ep3-T and Ep-UNI1,
$$t \upharpoonright A_i = (t \setminus F_{vis}) \upharpoonright A_i \in Dom_i.$$
Moreover, $t \upharpoonright A_j \in Dom_j$ for $j \notin inv$ by Ep3-FvI and so $t \in Dom_{EP(Q)}$ by TR-GLOBAL1.
($\Leftarrow$) We assume that $Q$ meets Dom-T-check. Let $w \in \tau(Q_{Proj} \setminus F_{vis})$ be such that $w = t \setminus F_{vis}$ where $t \in \tau Q_{Proj}$. By proposition C.1 and since $Q$ meets Dom-T-check, $t \in Dom_{EP(Q)}$. Let $j \in inv$. By definition 6.1, $A_j \cap F_{vis} = \emptyset$. Hence, and by TR-GLOBAL1,
so
Since $t \in Dom_{EP(Q)}$, then $events(t) \subseteq \bigcup_{1 \le i \le m} A_i$ by TR-GLOBAL1 and
$$events(w) \subseteq \Big(\bigcup_{1 \le i \le m} A_i\Big) - F_{vis}.$$
Thus, by definition 6.1 and Ep1, $events(w) \subseteq \bigcup_{i \in inv} A_i$ and so, by Ep-UNI1, $w \in \tau(|||_{i \in inv} D_i)$. $\square$
Proof of theorem 6.2
Proof. By theorem 6.1, it suffices to show that $Q_{Proj} \setminus F_{vis} \sqsupseteq_T (|||_{i \in inv} D_i)$ if and only if $Q_{Proj} \setminus (\alpha Q - A_i) \sqsupseteq_T D_i$ for every $i \in inv$.
($\Rightarrow$) We assume that $Q_{Proj} \setminus F_{vis} \sqsupseteq_T (|||_{i \in inv} D_i)$. Let $i \in inv$ and $t \in \tau(Q_{Proj} \setminus (\alpha Q - A_i))$, where $w \in \tau Q_{Proj}$ is such that $t = w \setminus (\alpha Q - A_i)$. By proposition C.1 and PA1, $events(w) \subseteq \alpha Q$ and so $t = w \upharpoonright A_i$. We also observe that $w \setminus F_{vis} \in \tau(|||_{j \in inv} D_j)$ and, by definition 6.1, $A_i \cap F_{vis} = \emptyset$. Thus, and by Ep3-T and Ep-UNI1, $t = w \upharpoonright A_i = (w \setminus F_{vis}) \upharpoonright A_i \in \tau D_i$.
($\Leftarrow$) We assume that $Q_{Proj} \setminus (\alpha Q - A_i) \sqsupseteq_T D_i$ for every $i \in inv$. Let $t \in \tau(Q_{Proj} \setminus F_{vis})$ be such that $w \in \tau Q_{Proj}$ and $t = w \setminus F_{vis}$. Let $j \in inv$. By proposition C.1 and PA1, $events(w) \subseteq \alpha Q$. Thus, $w \setminus (\alpha Q - A_j) = w \upharpoonright A_j$ and so $w \upharpoonright A_j \in \tau D_j$. By definition 6.1, $A_j \cap F_{vis} = \emptyset$. Hence,
Since $events(w) \subseteq \alpha Q$, and by definition 4.5, $events(w) \subseteq \bigcup_{1 \le i \le m} A_i$. Thus,
$$events(t) \subseteq \Big(\bigcup_{1 \le i \le m} A_i\Big) - F_{vis}$$
and so, by definition 6.1 and Ep1, $events(t) \subseteq \bigcup_{i \in inv} A_i$. Hence, by Ep-UNI1, $t \in \tau(|||_{i \in inv} D_i)$. $\square$
Lemma C.2. Let $s \in \tau Q$, $u \in \tau(|||_{i \in inv} D_i)$ and $t \in (s \parallel_{A_{inv}} u)$. Then $t = s$, $t \in Dom_{EP(Q)}$ and $t \upharpoonright A_{inv} = u$.
Proof. We first observe that, for $i \in inv$, $\beta(D_i) \subseteq A_i$ by Ep3-T and definition 6.4, and so $\beta(|||_{i \in inv} D_i) \subseteq A_{inv}$ by definition 6.2(1). Thus, we assume $\alpha(|||_{i \in inv} D_i) = A_{inv}$ and so $events(u) \subseteq A_{inv}$ by PA1. Hence, $t = s$ and, by TRP, $t \upharpoonright A_{inv} = u \in \tau(|||_{i \in inv} D_i)$. Thus, by Ep-UNI1 and Ep3-T, $t \upharpoonright A_i \in \tau D_i = Dom_i$ for $i \in inv$. Moreover, $t \upharpoonright A_j \in Dom_j$ for $j \notin inv$ by Ep3-FvI. Thus, $t \in Dom_{EP(Q)}$ by TR-GLOBAL1. $\square$
Lemma C.3. Let $t \in Dom_{EP(Q)}$. Then $t \upharpoonright A_{inv} \in \tau(|||_{i \in inv} D_i)$.
Proof. By TR-GLOBAL1, $t \upharpoonright A_i \in Dom_i = \tau D_i$ for $i \in inv$. Thus, $t \upharpoonright A_{inv} \in \tau(|||_{i \in inv} D_i)$ by definition 6.2(1) and Ep-UNI1. $\square$
Proof of proposition 6.4
Proof. We first observe that, for $i \in inv$, $\beta(D_i) \subseteq A_i$ by Ep3-T and definition 6.4, and so $\beta(|||_{i \in inv} D_i) \subseteq A_{inv}$ by definition 6.2(1). Thus, we assume $\alpha D_i = A_i$ for $i \in inv$ and $\alpha(|||_{i \in inv} D_i) = A_{inv}$. Hence, by definitions 4.5 and 6.2(1), $\alpha(|||_{i \in inv} D_i) = A_{inv} \subseteq \alpha Q$ and so $A_{inv} = \alpha Q \cap \alpha(|||_{i \in inv} D_i)$. We now proceed with the proof proper.
1. We observe that
Thus, by lemmas C.2 and C.3,
$$\tau(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i)) = \{t \in \tau Q \mid t \in Dom_{EP(Q)}\} = \tau_{Dom_{EP(Q)}}Q.$$
2. Let $i \in inv$. We observe that
Let $t_i \in Dom_i$ for $i \in inv$. By Ep-UNI1, since $Next_i(t_i) \subseteq A_i$ for $i \in inv$ and by definition 6.2(1), then:
Hence, by definitions 6.2(1), 6.3(1) and 6.5,
$$\phi(|||_{i \in inv} D_i) = \{(t, R) \mid t \in Dom_{inv} = \tau(|||_{i \in inv} D_i) \wedge R \subseteq (A_{inv} - Next_{inv}(t)) \cup (\Sigma - A_{inv})\}. \qquad \text{(C.1)}$$
Recall that $A_{inv} = \alpha(|||_{i \in inv} D_i) \subseteq \alpha Q$ and $A_{inv} = \alpha Q \cap \alpha(|||_{i \in inv} D_i)$. Thus, by theorem 2.20,
$$\phi(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i)) = \{(t, S \cup U \cup Z) \mid Z \subseteq (\Sigma - \alpha Q) \wedge (\exists (s, S) \in \phi Q, (u, U) \in \phi(|||_{i \in inv} D_i))\; t \in (s \parallel_{A_{inv}} u) \wedge S \subseteq \alpha Q \wedge U \subseteq A_{inv}\}$$
and so, by PA2 and SF3,
$$\phi(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i)) = \{(t, S \cup U) \mid (\exists (s, S) \in \phi Q, (u, U) \in \phi(|||_{i \in inv} D_i))\; t \in (s \parallel_{A_{inv}} u) \wedge U \subseteq A_{inv}\}.$$
The proof follows by this, (C.1), lemmas C.2 and C.3 and SF2.
3. We observe that $D_i$ is guarded for $i \in inv$ and so, by DF, $\delta D_i = \emptyset$. Hence, $\delta(|||_{i \in inv} D_i) = \emptyset$ and so $\tau_\bot(|||_{i \in inv} D_i) = \tau(|||_{i \in inv} D_i)$ by DR1. Moreover, $\delta Q \subseteq \tau_\bot Q$ also by DR1. As a result,
and so, by definition 2.2,
$$min\,\delta(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i)) = \{t \mid (\exists s \in min\,\delta Q, u \in \tau(|||_{i \in inv} D_i))\; t \in (s \parallel_{A_{inv}} u)\}.$$
Hence, by lemmas C.2 and C.3, and since $min\,\delta Q \subseteq \tau Q$ by MD,
$$min\,\delta(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i)) = \{t \mid t \in min\,\delta Q \wedge t \in Dom_{EP(Q)}\}.$$
$\square$
Proof of theorem 6.5
Proof. We first show the following. Let $(t, R) \in \phi_{Dom_{EP(Q)}}Q$ and, by proposition 6.4(2), let $(t, S) \in \phi(Q \parallel_{A_{inv}} (|||_{i \in inv} D_i))$ be such that $S = R \cup U$, where $U \subseteq (A_{inv} - Next_{inv}(t \upharpoonright A_{inv}))$.
Let $ep_i \in EP(Q)$. Then $extr^{ref}_i(R \cap A_i, t \upharpoonright A_i, Q) = extr^{ref}_i(S \cap A_i, t \upharpoonright A_i, Q \parallel_{A_{inv}} (|||_{i \in inv} D_i))$. (C.2)
We consider each of two cases in turn.
C.2. Proofs from section 6.4 262
Case 1: $A_i \subseteq F_{vis}$ and so $i \notin inv$. By definition 6.2(1) and Ep-UNI1, $R \cap A_i = S \cap A_i$ and so the proof follows by Ep5-FvI.
Case 2: $A_i \cap F_{vis} = \emptyset$ and so $i \in inv$. By Ep3-T and definition 6.4, $Next_j(t \upharpoonright A_j) \subseteq A_j$ for $j \in inv$. Thus, by definitions 6.2(1) and 6.5 and Ep-UNI1,
Hence, by Ep5 and definition 6.4, $S \cap A_i \in ref_i(t \upharpoonright A_i)$ if and only if $R \cap A_i \in ref_i(t \upharpoonright A_i)$. Moreover, by Ep5 and definitions 4.9 and 6.4, $S \cap A_i \in ref_i(t \upharpoonright A_i)$ if and only if $R \cap A_i \in ref_i(t \upharpoonright A_i)$. Thus, the proof follows by definition 4.10 and the fact that $Comm(A_i, Q) = Comm(A_i, Q \parallel_{A_{inv}} (|||_{i \in inv} D_i))$.
Hence, we have shown (C.2) and now proceed with the proof proper.
1. The proof follows by TR-DEF1 and proposition 6.4(1).
2. The proof follows by definition of Dom-SF-check, (C.2) and propositions 6.3(2,3) and 6.4(2).
3. We first observe that, by proposition B.14, if $(t, R) \in \phi_{dom_{EP(Q)}}Q$ then $(t, R) \in \phi_{Dom_{EP(Q)}}Q$. The proof then follows by SF-DEF2, SF-GLOBAL2, (C.2) and propositions 6.3(2,3) and 6.4(2).
4. The proof follows by FD-DEF2 and proposition 6.4(3).
5. The proof follows by FD-DEF3 and parts 3 and 4 of the theorem.
$\square$
C.2 Proofs from section 6.4
Note: Recall that $m$ gives the cardinality of $EP(Q)$ and so $EP(Q) = \{ep_i \mid 1 \le i \le m\}$.
Proposition C.4. The following results hold, where $i \in inv$:
1. If $w \in \tau TE_i$, then $domain(w) \in Dom_i$.
2. If $t \in Dom_i$, there exists $w \in \tau TE_i$ such that $domain(w) = t$.
3. If $w \in \tau TE_i$, then $extract(w \setminus A_i) = extr_i(domain(w))$.
Proof. We first observe that $\langle\rangle \in Dom_i$ by Ep3-T and $extr_i(\langle\rangle) = \langle\rangle$ by Ep4. Moreover, recall that $TE_i \triangleq TE_i(\langle\rangle)$.
(1,2) The proof in both of these cases is by induction on the length of traces using definitions 6.4 and 6.7(1).
(3) The proof is once more by induction on the length of traces, this time using DIS and definitions 6.4, 6.6 and 6.7 (note that $extr_i(domain(w))$ is defined by part (1) of the proposition). $\square$
Proposition C.5. The following hold:
1. $\beta(TE_i) \subseteq prep(A_i)$ for $i \in inv$.
2. $\beta(TE_{inv}) \subseteq prep(A_{inv})$.
3. $\beta(Q[prep]) \subseteq prep(\alpha Q)$.
Proof. By proposition 6.6, $\beta(TE_i) = \{\pi_i(a, t) \mid t \circ \langle a \rangle \in Dom_i\}$ for $i \in inv$. Thus, $\beta(TE_i) \subseteq prep(A_i)$ by Ep3-T and definition 6.8 and so $\beta(TE_{inv}) \subseteq prep(A_{inv})$ by definition 6.2(1). Since $\beta(Q) \subseteq \alpha Q$, $\beta(Q[prep]) \subseteq prep(\alpha Q)$. $\square$
Lemma C.6. Let $w \in \tau TE_{inv}$. Then $w \in prep(domain(w))$.
Proof. We proceed by induction on the length of $w$. In the base case, when $w = \langle\rangle$, the proof is immediate. Let $w = u \circ \langle a \rangle$. By the inductive hypothesis, it suffices to show that $a \in prep(domain(a))$. We assume $\alpha TE_{inv} = \beta(TE_{inv}) = \bigcup_{i \in inv} \beta(TE_i)$. Thus, by proposition 6.6 and PA1, $a = \pi_i(b, x)$ for some $i \in inv$ and $x \circ \langle b \rangle \in Dom_i$. Moreover, note that $b \in A_i$ by Ep3-T. Hence, by definition 6.7(1), $domain(a) = b$ and so $a \in prep(domain(a))$ by definition 6.8. $\square$
Proposition C.7. Let $u \circ \langle a \rangle \in \tau Q$. If $b \in prep(a)$ then $domain(b) = a$.
Proof. By proposition 6.3(2), definition 4.5 and PA1, $a \in A_i$ for $i$ such that $1 \le i \le m$. We consider each of two cases in turn.
Case 1: $i \in inv$. By proposition 6.4(1) and TR-GLOBAL1, $u \upharpoonright A_i \circ \langle a \rangle \in Dom_i$. Thus, by Ep-UNI1 and definition 6.8, $b = \pi_i(a, x)$ for some trace $x$ such that $x \circ \langle a \rangle \in Dom_i$. Hence, by definition 6.7(1), $domain(b) = a$.
Case 2: $i \notin inv$. By Ep-UNI1 and definition 6.8, $prep(a) = \{a\}$ (i.e. $prep(a)$ is not defined explicitly). Thus, it suffices to show that $domain(a) = a$ and we consider two sub-cases in turn.
Case 2a: $domain(a)$ is defined explicitly. We show that this case can never hold by proving a contradiction. In this case, by definition 6.7(1), $a = \pi_j(c, x)$ for some trace $x$ and $j \in inv$ such that $x \circ \langle c \rangle \in Dom_j$. Then, by DIS and definition 6.6, $c = a$. Also, by Ep3-T, $c \in A_j$ and so $A_i \cap A_j \neq \emptyset$. However, $i \neq j$ since $i \notin inv$ and $j \in inv$ and so we have a contradiction by Ep-UNI1.
Case 2b: $domain(a)$ is not defined explicitly. Then $domain(a) = a$. $\square$
Proposition C.8. Let $t \in \tau Q$ and $w \in prep(t)$. Then $domain(w) = t$.
Proof. We proceed by induction on the length of $t$. In the base case, when $t = w = \langle\rangle$, the proof is immediate. Let $t = u \circ \langle a \rangle$ and $w = v \circ \langle b \rangle$. By the inductive hypothesis, it suffices to show that $domain(b) = a$, which follows by proposition C.7. $\square$
Proposition C.9. $(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})[domain] =_T Q$.
Proof. We assume $\alpha TE_i = \beta(TE_i)$ for $i \in inv$ and, by proposition C.5(2), that $\alpha TE_{inv} = prep(A_{inv})$.
($\subseteq$) Let $t \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})[domain]$. Then there exists
$$w \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$$
such that $domain(w) = t$. Thus, there exists $s \in \tau(Q[prep])$, $u \in \tau TE_{inv}$ such that $w \in (s \parallel_{prep(A_{inv})} u)$. By PA1, $events(u) \subseteq prep(A_{inv})$ and so $w = s \in \tau(Q[prep])$. Hence, by proposition C.8, $t = domain(w) \in \tau Q$.
($\supseteq$) Let $t \in \tau Q$. Thus, $u \in \tau(Q[prep])$ for every $u \in prep(t)$. Moreover, by proposition C.8, $domain(u) = t$ for all such $u$. Thus, it suffices to show that there exists $u \in prep(t)$ such that $u \upharpoonright prep(A_{inv}) \in \tau TE_{inv}$. By proposition 6.4(1) and TR-GLOBAL1, $t \upharpoonright A_i \in Dom_i$ for $i \in inv$. Hence, by proposition C.4(2) and for $i \in inv$, there exists $w_i \in \tau TE_i$ such that $domain(w_i) = t \upharpoonright A_i$. Thus, by Ep-UNI1 and definition 6.2(1), $t \upharpoonright A_{inv} \in |||_{i \in inv}\, domain(w_i)$. Hence,
$$t \upharpoonright A_{inv} \in |||_{i \in inv}\, domain(w_i) = domain(|||_{i \in inv}\, w_i)$$
and so there exists $w \in \tau TE_{inv}$ such that $domain(w) = t \upharpoonright A_{inv}$. Thus, by lemma C.6, $w \in prep(t \upharpoonright A_{inv})$. Let $a \in events(t)$ be such that $a \notin A_{inv}$. Then $prep(a) = a$ by definitions 6.2(1) and 6.8; moreover, $a \in A_j$ for some $j \notin inv$ by proposition 6.3(2), definition 4.5 and PA1. Hence, $prep(a) = a \notin prep(A_{inv})$ by DIS and definitions 6.6 and 6.8. Thus, since $events(w) \subseteq prep(A_{inv})$ by PA1, there exists $w' \in prep(t)$ such that $w' \upharpoonright prep(A_{inv}) = w \in \tau TE_{inv}$. $\square$
Proposition C.10. Let $1 \le i, j \le m$ be such that $i \neq j$. Then $prep(A_i) \cap prep(A_j) = \emptyset$.
Proof. The proof follows by DIS, Ep-UNI1 and definitions 6.6 and 6.8. $\square$
Proposition C.11. Let $u \circ \langle a \rangle \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$ and $i \in inv$. Then $domain(a) \in A_i$ if and only if $a \in prep(A_i)$.
Proof. By proposition C.5(2), we assume $\alpha TE_{inv} = prep(A_{inv})$. We observe there exists $s \in \tau(Q[prep])$, $v \in \tau TE_{inv}$ such that $u \circ \langle a \rangle \in (s \parallel_{prep(A_{inv})} v)$. By PA1, $events(v) \subseteq prep(A_{inv})$ and so
$$u \circ \langle a \rangle = s \in \tau(Q[prep]).$$
Thus, there exists $w \circ \langle b \rangle \in \tau Q$ such that $u \circ \langle a \rangle \in prep(w \circ \langle b \rangle)$ and, by proposition C.7, $domain(a) = b$. Moreover, by proposition 6.3(2), definition 4.5 and PA1, there exists $ep_j \in EP(Q)$ such that $b \in A_j$ and so, since $a \in prep(b)$, $a \in prep(A_j)$. We finally consider each of two cases in turn.
Case 1: $domain(a) = b \in A_i$. Since $a \in prep(b)$, then $a \in prep(A_i)$.
Case 2: $domain(a) = b \notin A_i$. In this case, $i \neq j$. Thus, since $a \in prep(A_j)$, $a \notin prep(A_i)$ by proposition C.10. $\square$
Lemma C.12. Let $w \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Then $domain(w) \upharpoonright A_i = domain(w \upharpoonright prep(A_i))$ for $i \in inv$.

Proof. We proceed by induction on the length of $w$. In the base case, when $w = \langle\rangle$, the proof is immediate. Let $w = v \circ \langle a \rangle$. By proposition C.11, we observe that
$$domain(\langle a \rangle) \upharpoonright A_i = domain(\langle a \rangle \upharpoonright prep(A_i))$$
and so the proof follows by the inductive hypothesis. $\square$
Proposition C.13. Let $w \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$ and $domain(w) = t$. Then $extract(w \setminus A_{inv}) = extr_{EP(Q)}(t)$.

Proof. The proof proceeds by induction on the length of $w$. In the base case, when $w = t = \langle\rangle$, the proof is immediate by TR-GLOBAL2. Let $w = u \circ \langle a \rangle$. By proposition C.9, $domain(w) = domain(u) \circ \langle domain(a) \rangle \in \tau Q$. Hence, by proposition 6.4(1), $domain(w) \in Dom_{EP(Q)}$. Thus, by TR-GLOBAL2, where $domain(a) \in A_i$ for $ep_i \in EP(Q)$,
$$extr_{EP(Q)}(domain(w)) = extr_{EP(Q)}(domain(u)) \circ r$$
such that $extr_i(domain(w) \upharpoonright A_i) = extr_i(domain(u) \upharpoonright A_i) \circ r$. We also observe that
$$extract(w \setminus A_{inv}) = extract(u \setminus A_{inv}) \circ extract(\langle a \rangle \setminus A_{inv})$$
and so, by the inductive hypothesis, it suffices to show that $extract(\langle a \rangle \setminus A_{inv}) = r$. We consider each of two cases in turn.

Case 1: $i \notin inv$. In this case, $domain(a) \notin A_{inv}$ by definition 6.2(1) and EP-UNI1. Thus, $domain(a) = a \notin A_{inv}$ since, by EP3-T and definitions 6.2(1) and 6.7(1), $domain(b) \in A_{inv}$ for all $b$ such that $domain(b)$ is defined explicitly. Hence, $a \in A_i$ and so $extract(a) = a$ by DIS and definition 6.7(2).
Thus, $extract(\langle a \rangle \setminus A_{inv}) = \langle a \rangle$ and so it suffices to show that $r = \langle a \rangle$. Since $i \notin inv$, then $a \in A_i \subseteq Fvis$. Thus, since $domain(a) = a$, we observe that
$$extr_i(domain(u) \upharpoonright A_i \circ \langle a \rangle) = extr_i(domain(u) \upharpoonright A_i) \circ r$$
and so, by EP4-FVI, $r = \langle a \rangle$.

Case 2: $i \in inv$. By proposition C.5(1,2), we assume that $\alpha TE_j = prep(A_j)$ for $j \in inv$ and $\alpha TE_{inv} = prep(A_{inv})$. By definition, there exists $s \in \tau(Q[prep])$, $v \in \tau TE_{inv}$ such that $w \in (s \parallel_{prep(A_{inv})} v)$ and so, by TRP, $w \upharpoonright prep(A_{inv}) = v \upharpoonright prep(A_{inv})$. Thus, by PA1, $w \upharpoonright prep(A_{inv}) = v \in \tau TE_{inv}$. By proposition C.10, $prep(A_j) \cap prep(A_k) = \emptyset$ for $j, k \in inv$ such that $j \ne k$. Hence, by PA1,

Moreover, since $w = u \circ \langle a \rangle$, $u \upharpoonright prep(A_i) \in \tau TE_i$. We know that

Thus, by lemma C.12,
$$extr_i(domain(w \upharpoonright prep(A_i))) = extr_i(domain(u \upharpoonright prep(A_i))) \circ r$$
and so, by proposition C.4(3),
$$extract((w \upharpoonright prep(A_i)) \setminus A_i) = extract((u \upharpoonright prep(A_i)) \setminus A_i) \circ r.$$
Thus, $r = extract((\langle a \rangle \upharpoonright prep(A_i)) \setminus A_i)$. By proposition C.11 and since $domain(a) \in A_i$, then $a \in prep(A_i)$ and so $r = extract(\langle a \rangle \setminus A_i)$.  Hence, we have to show that
$$extract(\langle a \rangle \setminus A_{inv}) = extract(\langle a \rangle \setminus A_i).$$
Thus, it suffices to show that $a \in A_i$ if and only if $a \in A_{inv}$. If $a \in A_i$, then $a \in A_{inv}$ by definition 6.2(1). We therefore assume that $a \in A_{inv}$ and so $a \in A_j$ for some $j \in inv$. Since $w \upharpoonright prep(A_i) \in \tau TE_i$ and $a \in prep(A_i)$, then $a \in \beta(TE_i)$ by PA1. Hence, by proposition 6.6, there exists $x \circ \langle b \rangle \in Dom_i$ such that $a = \pi_i(b, x)$. Moreover, $b \in A_i$ by EP3-T. Thus, by DIS, definition 6.6 and since $a \in A_j$ for some $j \in inv$, $a = b \in A_i$. $\square$
Proof of theorem 6.7

Proof. The proof follows by proposition 6.4(1), TR-DEF1, proposition C.9 and proposition C.13. $\square$
C.3 Proofs from section 6.5 
Lemma C.14. $\bigcap_{R \in ref^{r}_i(t)} \bigl(\bigcup_{a \in (A_i - R)} \{X \subseteq A_i \mid a \notin X\}\bigr) = ref_i(t)$ for $i \in inv$ and $t \in Dom_i$.

Proof. We first observe that $ref^{r}_i(t)$ is non-empty by definition 6.10 and EP5.

($\subseteq$) Let $S \in \bigcap_{R \in ref^{r}_i(t)} (\bigcup_{a \in (A_i - R)} \{X \subseteq A_i \mid a \notin X\})$. Thus, for every $R \in ref^{r}_i(t)$, there exists $a \in (A_i - R)$ such that $a \notin S$. Hence, for every $R \in ref^{r}_i(t)$, $S \cup R \ne A_i$. By definition 6.10, for every $X \in ref_i(t)$ there exists $R \in ref^{r}_i(t)$ such that $X \subseteq R$ and so $S \in ref_i(t)$ by definition 4.9 (note that $S \subseteq A_i$).

($\supseteq$) Let $S \in ref_i(t)$. Then, by definition 4.9, $S \subseteq A_i$ and, for every $R \in ref_i(t)$, $R \cup S \ne A_i$. Thus, for every $R \in ref^{r}_i(t)$, $R \cup S \ne A_i$. Hence, for every $R \in ref^{r}_i(t)$, there exists $a \in A_i - R$ such that $a \notin S$ and so the proof follows. $\square$
Proof of lemma 6.9

Proof. We consider each of two cases in turn.

Case 1: $Comm(A_i, Q) = Right$.

Case 1a: $t \in dom_i$. In this case,
$$\phi DSF^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{R}_i(t \circ \langle a \rangle)\}.$$

Case 1b: $t \in Dom_i - dom_i$. In this case,
$$\phi DSF^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{R}_i(t \circ \langle a \rangle)\} \cup \bigcup_{R \in ref^{r}_i(t)} \{(\langle\rangle, Y \cup Z) \mid Y \subseteq R \wedge Z \subseteq (\Sigma - A_i)\}.$$
By definition 6.10 and EP5, $ref_i(t)$ is the subset-closure of $ref^{r}_i(t)$ and so, by definition 6.9,
$$\phi DSF^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{R}_i(t \circ \langle a \rangle)\} \cup \{(\langle\rangle, Y \cup Z) \mid Y \in RefSet_i(t) \wedge Z \subseteq (\Sigma - A_i)\}.$$

Case 2: $Comm(A_i, Q) = Left$.

Case 2a: $t \in dom_i$. In this case,
$$\phi DSF^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{L}_i(t \circ \langle a \rangle)\}.$$

Case 2b: $t \in Dom_i - dom_i$. In this case,
$$\phi DSF^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{L}_i(t \circ \langle a \rangle)\} \cup \bigcap_{R \in ref^{r}_i(t)} \bigl(\bigcup_{a \in (A_i - R)} \{(\langle\rangle, X) \mid a \notin X\}\bigr).$$
Thus, by lemma C.14 and definition 6.9,
$$\phi DSF^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi DSF^{L}_i(t \circ \langle a \rangle)\} \cup \{(\langle\rangle, Y \cup Z) \mid Y \in RefSet_i(t) \wedge Z \subseteq (\Sigma - A_i)\}.$$
We observe that $\langle\rangle \in Dom_i$ by EP3-T and recall that $DSF_i \triangleq DSF^{R}_i(\langle\rangle)$ or $DSF_i \triangleq DSF^{L}_i(\langle\rangle)$ as appropriate. The proof then follows from the above by induction on the length of traces using definition 6.4. $\square$
Proof of lemma 6.10

Proof. By proposition 6.3(2) and definition 4.5, $A_i \subseteq \alpha Q$. Thus, $\beta(Proc_i) = \alpha Q$ and so we assume $\alpha Proc_i = \alpha Q$. We then observe that
$$\phi Proc_i = \{(t, R) \mid t \in (\alpha Q)^* \wedge R \subseteq (\Sigma - A_i)\}$$
and so, by SF2 and PA1,

Again by SF2 and PA1, $events(t) \subseteq \alpha Q$ and so $t \setminus (\alpha Q - A_i) = t \upharpoonright A_i$ for $(t, X) \in \phi Q$ and so the proof follows. $\square$
Proof of theorem 6.11

Proof. Let $i \in inv$. By definition 6.4 and EP3-T, $\beta(DSF_i) \subseteq A_i$ and so we assume $\alpha DSF_i = A_i$. By proposition 6.3(2) and definition 4.5, $A_i \subseteq \alpha Q$ and so $\beta(Proc_i) = \alpha Q$. Since $\beta(Q) \subseteq \alpha Q$, then $\beta(Q_i) = A_i$ and so we assume $\alpha Q_i = A_i$. Thus, by lemmas 6.9 and 6.10 and since $A_i \subseteq \alpha Q$, $\phi FinalImple_i$ is given by:
$$\{(t \upharpoonright A_i, R) \mid (\exists (t, X) \in \phi Q,\ Y \in RefSet_i(t \upharpoonright A_i))\ t \upharpoonright A_i \in Dom_i - dom_i \wedge X \subseteq \alpha Q \wedge R \subseteq (X \cap A_i) \cup Y \cup (\Sigma - A_i)\}.$$
We then observe that, for $(t, X) \in \phi Q$, $t \upharpoonright A_i \in Dom_i$ by proposition 6.4(2) and TR-GLOBAL1. Thus, the proof follows by the definition of Dom-SF-check and definitions 4.9, 4.10 and 6.9. $\square$
C.4 Proofs from section 6.6 
Note: Recall that the set of primed events contains only "fresh" events: i.e. it does not contain any events already used in defining $Q$, $P$ or $EP(Q)$, or which are used in any other capacity as part of the verification of $Q$. Recall also that the events in $d_{inv}$ are assumed to be "fresh" in the same sense. A similar condition also holds by DIS from section 6.4. These facts will generally be appealed to implicitly where they are needed in the proofs in this section.
Proof of lemma 6.12

Proof. By definition 6.4 and EP3-T, $\beta(RE_i) \subseteq A_i \cup prime(A_i)$ for $i \in inv$ and so we assume $\alpha RE_i = A_i \cup prime(A_i)$. Thus, by EP-UNI1, $\alpha RE_j \cap \alpha RE_k = \emptyset$ for $j \ne k$, where $j, k \in inv$. Moreover, $\beta(\|_{i \in inv} RE_i) \subseteq A_{inv} \cup prime(A_{inv})$ by definition 6.2(1) and so we assume $\alpha(\|_{i \in inv} RE_i) = A_{inv} \cup prime(A_{inv})$. We also assume $\alpha Trim = A_{inv} \cup prime(A_{inv})$ since $\beta(Trim) = A_{inv} \cup prime(A_{inv})$.

(1) Let $i \in inv$. Wlog, we consider the case that $Comm(A_i, Q) = Right$. In this case, for $t \in Dom_i$, we observe that
$$\tau RE^{R}_i(t) = \{\langle\rangle\} \cup \{\langle a \rangle \circ s \mid a \in Next_i(t) \wedge s \in \tau RE^{R}_i(t \circ \langle a \rangle)\} \cup X,$$
where $X \subseteq \{\langle prime(a) \rangle \mid a \in A_i\}$. We observe that $\langle\rangle \in Dom_i$ by EP3-T and recall that $RE_i \triangleq RE^{R}_i(\langle\rangle)$. Then, by induction on the length of traces using the above and definition 6.4, we observe that
$$\tau RE_i = Dom_i \cup Y, \quad \text{where } Y \subseteq \{t \circ \langle prime(a) \rangle \mid t \in Dom_i \wedge a \in A_i\}.$$
We then observe that $Dom_i \subseteq (A_i)^* \subseteq (A_{inv})^*$ by EP3-T and definition 6.2(1). Thus, by definitions 6.2(1) and 6.3(1), $\tau(\|_{j \in inv} RE_j) = Dom_{inv} \cup T$, where
$$T \subseteq \{t \in (A_{inv} \cup prime(A_{inv}))^* \mid t \upharpoonright A_{inv} \in Dom_{inv}\}.$$
We also observe that
$$\tau Trim = (A_{inv})^* \cup \{t \circ \langle prime(a) \rangle \mid t \in (A_{inv})^* \wedge a \in A_{inv}\}$$
and so the proof of this part follows by definition 6.2(1) (recall also that $Dom_{inv} \subseteq (A_{inv})^*$ by definition 6.3(1)).
(2) Let $i \in inv$. We begin by considering each of two cases in turn.

Case 1: $Comm(A_i, Q) = Right$.

Case 1a: $t \in Dom_i - dom_i$. In this case,
$$\phi RE^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{R}_i(t \circ \langle a \rangle)\}.$$

Case 1b: $t \in dom_i$. In this case,
$$\phi RE^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{R}_i(t \circ \langle a \rangle)\} \cup \bigcup_{R \in ref^{r}_i(t)} \{(\langle\rangle, prime(S) \cup U) \mid S \subseteq R \wedge U \subseteq (\Sigma - prime(A_i))\}.$$
By definition 6.10 and EP5, $ref_i(t)$ is the subset-closure of $ref^{r}_i(t)$ and so, by definition 6.9,
$$\phi RE^{R}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{R}_i(t \circ \langle a \rangle)\} \cup \{(\langle\rangle, prime(S) \cup U) \mid S \in RefSet_i(t) \wedge U \subseteq (\Sigma - prime(A_i))\}.$$

Case 2: $Comm(A_i, Q) = Left$.

Case 2a: $t \in Dom_i - dom_i$. In this case,
$$\phi RE^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{L}_i(t \circ \langle a \rangle)\}.$$

Case 2b: $t \in dom_i$. In this case,
$$\phi RE^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{L}_i(t \circ \langle a \rangle)\} \cup \bigcap_{R \in ref^{r}_i(t)} \bigl(\bigcup_{b \in prime(A_i - R)} \{(\langle\rangle, X) \mid b \notin X\}\bigr).$$
Thus, by a proof similar to that of lemma C.14 and also by definition 6.9,
$$\phi RE^{L}_i(t) = \{(\langle a \rangle \circ s, X) \mid a \in Next_i(t) \wedge (s, X) \in \phi RE^{L}_i(t \circ \langle a \rangle)\} \cup \{(\langle\rangle, prime(X) \cup Y) \mid X \in RefSet_i(t) \wedge Y \subseteq (\Sigma - prime(A_i))\}.$$
We observe that $\langle\rangle \in Dom_i$ by EP3-T and recall that $RE_i \triangleq RE^{R}_i(\langle\rangle)$ or $RE_i \triangleq RE^{L}_i(\langle\rangle)$ as appropriate. Then, by induction on the length of traces using definition 6.4 and the above two cases, $\phi RE_i$ is given by:
$$\{(t, prime(X) \cup Y) \mid t \in dom_i \wedge X \in RefSet_i(t) \wedge Y \subseteq (\Sigma - prime(A_i))\}.$$
Hence, by definitions 6.2(1) and 6.3(2),
$$\phi(\|_{j \in inv} RE_j) = \{(t, prime(X) \cup Y) \mid t \in dom_{inv} \wedge X \subseteq A_{inv} \wedge Y \subseteq (\Sigma - prime(A_{inv})) \wedge (\forall i \in inv)\ X \cap A_i \in RefSet_i(t \upharpoonright A_i)\}.$$
We then observe that
$$\phi Trim = \{(t, R) \mid t \in (A_{inv})^* \wedge R \subseteq \Sigma - (A_{inv} \cup prime(A_{inv}))\}$$
and so the proof of this part follows by theorem 2.20 and SF3 (recall that $dom_{inv} \subseteq (A_{inv})^*$ by definition 6.3(2)). $\square$
Lemma C.15. The following hold:

1. $\tau Interim = \tau Q \cup \{t \circ \langle prime(a) \rangle \mid t \circ \langle a \rangle \in \tau Q \wedge (\exists i \in inv)\ a \in A_i\}$.

2. $\phi Interim = \{(t, R) \mid (\exists (t, X) \in \phi Q)\ X \cap prime(A_{inv}) = \emptyset \wedge R \subseteq X \cup prime(X \cap A_{inv})\}$.

Proof. Since $\beta(Q) \subseteq \alpha Q$, then $\beta(Q[p_Q]) \subseteq p_Q(\alpha Q)$. By proposition 6.3(2), definition 4.5 and definition 6.2(1), $A_{inv} \subseteq \alpha Q$. Hence, by definition 6.11, we assume
$$\alpha(Q[p_Q]) = p_Q(\alpha Q) = \alpha Q \cup prime(A_{inv}).$$
Moreover, we assume $\alpha TrimTwo = \beta(TrimTwo) = \alpha Q \cup prime(A_{inv})$.

(1) We observe that:

• $\tau TrimTwo = (\alpha Q)^* \cup \{t \circ \langle prime(a) \rangle \mid t \in (\alpha Q)^* \wedge (\exists i \in inv)\ a \in A_i\}$.
• $\tau Q \subseteq \tau(Q[p_Q])$ by definition 6.11(2).

Hence, the proof follows by PA1 and definition 6.11.

(2) We first observe that
$$\phi(Q[p_Q]) = \{(t, R) \mid (\exists s)\ t \in p_Q(s) \wedge (s, (p_Q)^{-1}(R)) \in \phi Q\}.$$
Let $(t, R) \in \phi Q$. Then, by PA2 and SF3, $(t, R \cup S) \in \phi Q$ where $S \subseteq prime(A_{inv})$. Hence, by definition 6.11,
$$\phi(Q[p_Q]) = \{(t, R) \mid (\exists (s, X) \in \phi Q)\ t \in p_Q(s) \wedge X \cap prime(A_{inv}) = \emptyset \wedge R \subseteq X \cup prime(X \cap A_{inv})\}.$$
We also observe that:
$$\phi TrimTwo = \{(t, R) \mid t \in (\alpha Q)^* \wedge R \subseteq \Sigma - (\alpha Q \cup prime(A_{inv}))\}.$$
Thus, the proof follows by definition 6.11(2), SF2, PA1, theorem 2.20 and SF3. $\square$
Proof of lemma 6.13

Proof. Since $\beta(Q) \subseteq \alpha Q$, then $\beta(Q[p_Q]) \subseteq p_Q(\alpha Q)$. We also observe that, by proposition 6.3(2) and definition 4.5, $\alpha Q = A_{Fvis} \cup A_{inv}$. Thus, by definition 6.11, $\beta(Q[p_Q]) \subseteq \alpha Q \cup prime(A_{inv})$. Moreover, $\beta(TrimTwo) = \alpha Q \cup prime(A_{inv})$. Hence, we assume
$$\alpha Interim = \alpha Q \cup prime(A_{inv}) = A_{Fvis} \cup A_{inv} \cup prime(A_{inv}).$$
Moreover,

• $\beta(\|_{i \in inv} RE_i) \subseteq A_{inv} \cup prime(A_{inv})$.
• $\beta(Trim) = A_{inv} \cup prime(A_{inv})$.

Hence, we assume
$$\alpha RE_{inv} = A_{inv} \cup prime(A_{inv}).$$

(1) By proposition 6.4(1), TR-GLOBAL1, EP-UNI1, definition 6.2(1) and definition 6.3(1), $t \upharpoonright A_{inv} \in Dom_{inv}$ for every $t \in \tau Q$. Moreover, for such $t$, $t \upharpoonright (A_{inv} \cup prime(A_{inv})) = t \upharpoonright A_{inv}$. Note also that, for $s \in \tau RE_{inv}$, $events(s) \subseteq A_{inv} \cup prime(A_{inv})$ by PA1. Thus, by lemmas 6.12(1) and C.15(1),
$$\tau(Interim \parallel_{A_{inv} \cup prime(A_{inv})} RE_{inv}) = \tau Q \cup T,$$
where $T \subseteq \{t \circ \langle prime(a) \rangle \mid t \in \tau Q \wedge (\exists i \in inv)\ a \in A_i\}$. Hence, the proof follows by definition 6.13(1).

(2) We observe that, if $(t, R) \in \phi Q$, then $t \upharpoonright (A_{inv} \cup prime(A_{inv})) = t \upharpoonright A_{inv}$ by SF2 and PA1. Moreover, if $t \upharpoonright A_{inv} \in dom_{inv}$, then $t \in dom_{EP(Q)}$ by SF-GLOBAL1, definitions 6.2(1) and 6.3(1), and the fact that $dom_i = A_i$ for $i \notin inv$ by EP3-FVI and EP3A-FVI. And if $t \in dom_{EP(Q)}$ then $t \upharpoonright A_{inv} = t \upharpoonright (A_{inv} \cup prime(A_{inv})) \in dom_{inv}$. Also, if $(w, X) \in \phi RE_{inv}$ then, by SF2 and PA1, $events(w) \subseteq A_{inv} \cup prime(A_{inv})$. Thus, by lemmas 6.12(2) and C.15(2) and theorem 2.20, $\phi(Interim \parallel_{A_{inv} \cup prime(A_{inv})} RE_{inv})$ is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi_{dom_{EP(Q)}} Q,\ Z \subseteq A_{inv})\ X \cap prime(A_{inv}) = \emptyset \wedge (\forall i \in inv)\ Z \cap A_i \in RefSet_i(t \upharpoonright A_i) \wedge R \subseteq ((X \cup prime(X \cap A_{inv})) \cap \alpha Interim) \cup A_{inv} \cup prime(Z) \cup (\Sigma - (A_{Fvis} \cup A_{inv} \cup prime(A_{inv})))\}.$$
Thus, $\phi(Interim \parallel_{A_{inv} \cup prime(A_{inv})} RE_{inv})$ is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi_{dom_{EP(Q)}} Q,\ Z \subseteq A_{inv})\ X \cap prime(A_{inv}) = \emptyset \wedge (\forall i \in inv)\ Z \cap A_i \in RefSet_i(t \upharpoonright A_i) \wedge R \subseteq (X \cap (A_{Fvis} \cup A_{inv})) \cup prime(X \cap A_{inv}) \cup prime(Z) \cup (\Sigma - (A_{Fvis} \cup prime(A_{inv})))\}$$
and so it is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi_{dom_{EP(Q)}} Q,\ Z \subseteq A_{inv})\ X \subseteq \alpha Q \wedge (\forall i \in inv)\ Z \cap A_i \in RefSet_i(t \upharpoonright A_i) \wedge R \subseteq (X \cap A_{Fvis}) \cup prime(X \cap A_{inv}) \cup prime(Z) \cup (\Sigma - (A_{Fvis} \cup prime(A_{inv})))\}.$$
Thus, by definition 6.13(1),
$$\phi PreImple = \{(t, R) \mid (\exists (t, X) \in \phi_{dom_{EP(Q)}} Q)\ X \subseteq \alpha Q \wedge R \subseteq (X \cap A_{Fvis}) \cup \{d_i \in d_{inv} \mid (\exists Y \in RefSet_i(t \upharpoonright A_i))\ (X \cap A_i) \cup Y = A_i\} \cup (\Sigma - (A_{Fvis} \cup d_{inv}))\}.$$
Let $(t, R) \in \phi_{dom_{EP(Q)}} Q$ be such that $R \subseteq \alpha Q$. Then, by definition 6.14 and definitions 4.9, 4.10 and 6.9, $extrFDR^{rel}_{EP(Q)}(R, t, Q)$ is given by:

$\square$
Lemma C.16. The following hold:

1. $(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})[domain] =_{\tau} PreImple$.

2. Let $w \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ be such that either:
   • $w = \langle\rangle$ or;
   • $w \ne \langle\rangle$ and $tail(w) \notin d_{inv}$.
   Then $extract(w \setminus A_{inv}) = extr_{EP(Q)}(domain(w))$.

3. Let $w \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ be such that $w = u \circ \langle d_i \rangle$, where $d_i \in d_{inv}$. Then $extract(w \setminus A_{inv}) = extr_{EP(Q)}(domain(u)) \circ \langle d_i \rangle$.

Proof. By proposition C.5(2), we assume that $\alpha TE_{inv} = prep(A_{inv})$.

(1) The proof is similar to that of proposition C.9, using lemma 6.13(1).

(2) By PA1, $events(t) \subseteq prep(A_{inv})$ for $t \in \tau TE_{inv}$. Thus, and by lemma 6.13(1) and TRP, $w \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Hence, the proof follows by proposition C.13.

(3) By lemma 6.13(1), PA1 and TRP, $u \in \tau(Q[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Hence, $extract(u \setminus A_{inv}) = extr_{EP(Q)}(domain(u))$ by proposition C.13 and so $extract(w \setminus A_{inv}) = extr_{EP(Q)}(domain(u)) \circ \langle d_i \rangle$. $\square$
Proposition C.17. If $(t, R) \in \phi PreImple$ and $S \subseteq A_{inv} \cup B_{inv} \cup prep(A_{inv})$, then $(t, R \cup S) \in \phi PreImple$.

Proof. We observe the following:

• $A_{inv} \cap A_{Fvis} = \emptyset$ by EP-UNI1 and definitions 6.2(1) and 6.15.
• By EP1-FVI and definition 6.15, $A_{Fvis} = \bigcup_{i \notin inv} A_i = \bigcup_{i \notin inv} B_i$ and so $B_{inv} \cap A_{Fvis} = \emptyset$ by EP-UNI1 and definition 6.2(2).
• $prep(A_{inv}) \cap A_{Fvis} = \emptyset$ by EP-UNI1, DIS and definitions 6.2(1), 6.6, 6.8 and 6.15.
• By definition, $(A_{inv} \cup B_{inv} \cup prep(A_{inv})) \cap d_{inv} = \emptyset$.

Hence, $(A_{inv} \cup B_{inv} \cup prep(A_{inv})) \cap (A_{Fvis} \cup d_{inv}) = \emptyset$ and so the proof follows by lemma 6.13(2). $\square$
Proposition C.18. The following holds:
$$\phi(PreImple[prep]) = \{(t, R) \mid (\exists s)\ t \in prep(s) \wedge (s, R) \in \phi PreImple\}.$$

Proof. We first observe that
$$\phi(PreImple[prep]) = \{(t, R) \mid (\exists s)\ t \in prep(s) \wedge (s, prep^{-1}(R)) \in \phi PreImple\}.$$
Thus, the proof follows by proposition C.17 and definitions 6.2(1) and 6.8. $\square$
Lemma C.19. $\phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ is given by:
$$\{(t, R) \mid (t, R) \in \phi(PreImple[prep]) \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$

Proof. By proposition C.5(2), we assume that $\alpha TE_{inv} = prep(A_{inv})$. We also assume that $\alpha(PreImple[prep]) = \beta(PreImple[prep]) \cup prep(A_{inv})$.

($\subseteq$) Let $(t, R) \in \phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Then, by theorem 2.20, there exists $(s, S) \in \phi(PreImple[prep])$, $(u, U) \in \phi TE_{inv}$ such that:

• $t \in (s \parallel_{prep(A_{inv})} u)$.
• $S \subseteq \alpha(PreImple[prep])$ and $U \subseteq \alpha TE_{inv}$.
• $R = S \cup U \cup Z$, where, since $\alpha TE_{inv} \subseteq \alpha(PreImple[prep])$, $Z \subseteq (\Sigma - \alpha(PreImple[prep]))$.

By SF2, $t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Moreover, by SF2 and PA1, $events(u) \subseteq prep(A_{inv})$. Hence, $t = s$ and so $(t, S) \in \phi(PreImple[prep])$. Thus, by PA2 and SF3, $(t, S \cup Z) \in \phi(PreImple[prep])$. Moreover, by propositions C.17 and C.18, and since $U \subseteq prep(A_{inv})$, $(t, S \cup U \cup Z) \in \phi(PreImple[prep])$.

($\supseteq$) Let $(t, R) \in \phi(PreImple[prep])$ be such that $t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Thus, by TRP and PA1, $t \upharpoonright prep(A_{inv}) \in \tau TE_{inv}$. We then observe that, for $i \in inv$, $TE_i$ is guarded and so $\delta TE_i = \emptyset$ by DF. Hence, $\delta TE_{inv} = \emptyset$ and so $\tau TE_{inv} = \{t \mid (t, \emptyset) \in \phi TE_{inv}\}$ by proposition 2.3(2). Thus, $(t \upharpoonright prep(A_{inv}), \emptyset) \in \phi TE_{inv}$. We also observe $R = (R \cap \alpha(PreImple[prep])) \cup Z$, where $Z \subseteq \Sigma - \alpha(PreImple[prep])$. Moreover, $(t, R \cap \alpha(PreImple[prep])) \in \phi(PreImple[prep])$ by SF3. Hence, by theorem 2.20 and since $\alpha TE_{inv} \subseteq \alpha(PreImple[prep])$,
$$(t, R) \in \phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv}).$$
$\square$
Lemma C.20. $\phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ is given by:
$$\{(t, R) \mid (domain(t), R) \in \phi PreImple \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$

Proof. By proposition C.5(2), we assume that $\alpha TE_{inv} = prep(A_{inv})$.

($\subseteq$) Let $(t, R) \in \phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Then, by lemma C.19, $(t, R) \in \phi(PreImple[prep])$ and $t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$. Thus, by proposition C.18, there exists $s$ such that $t \in prep(s)$ and $(s, R) \in \phi PreImple$. Hence, by lemma 6.13(2) and SF2, $s \in \tau Q$ and so, by proposition C.8, $domain(t) = s$.

($\supseteq$) Let $(t, R)$ be such that $t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ and $(domain(t), R) \in \phi PreImple$. Thus, by PA1, $t \in \tau(PreImple[prep])$ and so there exists $s \in \tau PreImple$ such that $t \in prep(s)$. Moreover, by lemma 6.13(2) and SF2, $domain(t) \in \tau Q$. Hence, if $t \ne \langle\rangle$, then by definition 6.7(1) $tail(t) \notin d_{inv}$ and so, by definition 6.8, $tail(s) \notin d_{inv}$. Moreover, if $t = \langle\rangle$ then $s = \langle\rangle$. As a result, by lemma 6.13(1), $s \in \tau Q$. Thus, by proposition C.8, $domain(t) = s$ and so the proof follows by proposition C.18 and lemma C.19. $\square$
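Lemmas C.19 and C.20 both rest on one semantic fact: when every event of the right-hand process lies in the interface set (as PA1 gives for $TE_{inv}$), the parallel composition adds nothing of its own, and its traces are exactly the traces of the left-hand process whose projection onto the interface the right-hand process accepts. The following Python script is an added example, not part of the thesis: it computes bounded trace sets for small deterministic transition systems, implements interface parallel, hiding, restriction and traces refinement, and checks the trace form of that law, $\tau(Q \parallel_A TE) = \{t \in \tau Q \mid t \upharpoonright A \in \tau TE\}$, for arbitrary finite systems rather than for the single instance in the lemmas. The processes Q, TE and SPEC, their events a, b, c and the depth bound are all constructed for the illustration.

```python
"""Bounded trace semantics for interface parallel, hiding and restriction.

Constructed example: processes are deterministic labelled transition systems
given as {state: {event: next_state}}; trace sets are computed up to a depth
bound, so every set below is finite and prefix-closed.
"""

def states_of(lts):
    """All states mentioned in an LTS, including pure target states."""
    return set(lts) | {s for moves in lts.values() for s in moves.values()}

def traces(lts, start, depth):
    """Prefix-closed set of traces of length <= depth from `start`."""
    out, frontier = {()}, [((), start)]
    while frontier:
        t, s = frontier.pop()
        if len(t) == depth:
            continue
        for event, nxt in lts.get(s, {}).items():
            out.add(t + (event,))
            frontier.append((t + (event,), nxt))
    return out

def restrict(t, A):
    """t |` A: keep only the events of A."""
    return tuple(e for e in t if e in A)

def hide(t, A):
    """t \\ A: drop the events of A."""
    return tuple(e for e in t if e not in A)

def compose(P, Q, A):
    """Interface parallel P ||_A Q as an LTS on pairs of states.

    Events in A happen only when both sides offer them; any other event is
    assumed to belong to one side only (the PA1 alphabet discipline), so it
    simply interleaves."""
    out = {}
    for p in states_of(P):
        for q in states_of(Q):
            moves = {}
            for e, p2 in P.get(p, {}).items():
                if e not in A:
                    moves[e] = (p2, q)
                elif e in Q.get(q, {}):
                    moves[e] = (p2, Q[q][e])
            for e, q2 in Q.get(q, {}).items():
                if e not in A:
                    moves[e] = (p, q2)
            out[(p, q)] = moves
    return out

def refines(spec_traces, impl_traces):
    """Traces refinement SPEC [T= IMPL: every implementation trace is allowed."""
    return impl_traces <= spec_traces

# Constructed systems: Q cycles a, b, c; the 'extraction' process TE allows
# only two a/c rounds and then stops; SPEC is an abstract view with just a, c.
Q = {"q0": {"a": "q1"}, "q1": {"b": "q2"}, "q2": {"c": "q0"}}
TE = {"t0": {"a": "t1"}, "t1": {"c": "t2"}, "t2": {"a": "t3"}, "t3": {"c": "t4"}}
SPEC = {"s0": {"a": "s1"}, "s1": {"c": "s0"}}
A = {"a", "c"}      # interface set; every event of TE lies in A
DEPTH = 8

def composition_traces():
    return traces(compose(Q, TE, A), ("q0", "t0"), DEPTH)

def filtered_traces():
    """Right-hand side of the law: traces of Q whose A-projection TE accepts."""
    te = traces(TE, "t0", DEPTH)
    return {t for t in traces(Q, "q0", DEPTH) if restrict(t, A) in te}

def law_holds():
    """tau(Q ||_A TE) == {t in tau Q | t |` A in tau TE} when events(TE) is inside A."""
    return composition_traces() == filtered_traces()

def hidden_traces():
    """Traces of (Q ||_A TE) \\ {b}: the composition as seen from outside."""
    return {hide(t, {"b"}) for t in composition_traces()}

def spec_refined_by_hidden():
    return refines(traces(SPEC, "s0", DEPTH), hidden_traces())

def spec_refined_by_raw():
    return refines(traces(SPEC, "s0", DEPTH), traces(Q, "q0", DEPTH))
```

Because TE stops after its second c, the composition can perform a b c a b c and then nothing, so the hidden traces are exactly the prefixes of a c a c; SPEC is refined by the hidden composition but not by Q on its own, whose trace a b is outside SPEC's alphabet.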
Proof of lemma 6.14

Proof. By proposition C.5(2), we assume that $\alpha TE_{inv} = prep(A_{inv})$.

(1) The proof of this part follows by proposition 6.4(1), TR-DEF1 and lemmas C.16 and 6.13(1). (Note also that, by definition 6.7(1), $domain(d_i) = d_i$ for $d_i \in d_{inv}$ and $domain(a) \notin d_{inv}$ for $a \notin d_{inv}$.)

(2) By lemma C.20, $\phi(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})$ is given by:
$$\{(t, R) \mid (domain(t), R) \in \phi PreImple \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$
Thus, by proposition C.17, $\phi((PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv}) \setminus A_{inv})$ is given by:
$$\{(t \setminus A_{inv}, R) \mid (domain(t), R) \in \phi PreImple \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$
Hence, by proposition C.17, EP3-T, EP4 and definitions 6.2, 6.7(2) and 6.8,
$$\phi FinalImple = \{(extract(t \setminus A_{inv}), R) \mid (domain(t), R) \in \phi PreImple \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$
Let $(domain(t), R) \in \phi PreImple$. Thus, by lemma 6.13(2) and definition 6.7(1), if $t \ne \langle\rangle$ then $tail(t) \notin d_{inv}$. Hence, by lemma C.16(2),
$$\phi FinalImple = \{(extr_{EP(Q)}(domain(t)), R) \mid (domain(t), R) \in \phi PreImple \wedge t \in \tau(PreImple[prep] \parallel_{prep(A_{inv})} TE_{inv})\}.$$
Thus, $\phi FinalImple = \{(extr_{EP(Q)}(w), R) \mid (w, R) \in \phi PreImple\}$ by SF2 and lemma C.16(1) and so the proof follows by lemma 6.13(2). $\square$
Proposition C.21. $extrset(\alpha Q) = A_{Fvis} \cup B_{inv}$.

Proof. By proposition 6.3(2) and definitions 4.2 and 4.5, $extrset(\alpha Q) = \bigcup_{1 \le i \le m} B_i$. Thus, the proof follows by EP1-FVI and definitions 6.2(2) and 6.15. $\square$
Proof of lemma 6.15

Proof. Since $\beta(P) \subseteq \alpha P$, then $\beta(P[p_P]) \subseteq p_P(\alpha P)$. Moreover, by proposition C.21, $B_{inv} \subseteq \alpha P$. Hence, by definition 6.11, we assume

We also assume $\alpha Proc = \beta(Proc) = \alpha P \cup prime(B_{inv}) \cup d_{inv}$.

(1) We first observe that
$$\tau Proc = (\alpha P)^* \cup \{t \circ \langle a \rangle \mid t \in (\alpha P)^* \wedge a \in (\alpha P - B_{inv})\} \cup \{t \circ \langle prime(a) \rangle \mid t \in (\alpha P)^* \wedge a \in B_{inv}\} \cup \{t \circ \langle d_i \rangle \mid t \in (\alpha P)^* \wedge d_i \in d_{inv}\}.$$
We also observe that $\tau(P[p_P]) = \{t \mid (\exists s \in \tau P)\ t \in p_P(s)\}$ and so, by definition 6.11(3), $\tau P \subseteq \tau(P[p_P])$. Hence, by PA1 and definition 6.11, $\tau(P[p_P] \parallel_{\alpha P \cup prime(B_{inv})} Proc)$ is given by:
$$\tau P \cup \{t \circ \langle prime(a) \rangle \mid t \circ \langle a \rangle \in \tau P \wedge a \in B_{inv}\} \cup \{t \circ \langle d_i \rangle \mid t \in \tau P \wedge d_i \in d_{inv}\}.$$
Thus, the proof of this part follows by definitions 6.2(2) and 6.13(2).

(2) We first observe that
$$\phi Proc = \{(t, R) \mid t \in (\alpha P)^* \wedge R \subseteq \Sigma - ((\alpha P - B_{inv}) \cup prime(B_{inv}))\}.$$
By definition,

Let $(t, R) \in \phi P$. Then, by PA2 and SF3, $(t, R \cup S) \in \phi P$ where $S \subseteq prime(B_{inv})$. Hence, by definition 6.11,
$$\phi(P[p_P]) = \{(t, R) \mid (\exists (s, X) \in \phi P)\ t \in p_P(s) \wedge X \cap prime(B_{inv}) = \emptyset \wedge R \subseteq X \cup prime(X \cap B_{inv})\}.$$
Thus, by theorem 2.20, SF2, PA1 and SF3, $\phi(P[p_P] \parallel_{\alpha P \cup prime(B_{inv})} Proc)$ is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi P)\ X \cap prime(B_{inv}) = \emptyset \wedge R \subseteq ((X \cup prime(X \cap B_{inv})) \cap (\alpha P \cup prime(B_{inv}))) \cup ((\Sigma - ((\alpha P - B_{inv}) \cup prime(B_{inv}))) \cap (\alpha P \cup prime(B_{inv}) \cup d_{inv})) \cup (\Sigma - (\alpha P \cup prime(B_{inv}) \cup d_{inv}))\}$$
and so, since $B_{inv} \subseteq \alpha P$ by proposition C.21, it is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi P)\ X \cap prime(B_{inv}) = \emptyset \wedge R \subseteq (X \cap \alpha P) \cup prime(X \cap B_{inv}) \cup B_{inv} \cup d_{inv} \cup (\Sigma - (\alpha P \cup prime(B_{inv}) \cup d_{inv}))\}.$$
Hence, $\phi(P[p_P] \parallel_{\alpha P \cup prime(B_{inv})} Proc)$ is given by:
$$\{(t, R) \mid (\exists (t, X) \in \phi P)\ R \subseteq (X \cap (\alpha P - B_{inv})) \cup prime(X \cap B_{inv}) \cup (\Sigma - ((\alpha P - B_{inv}) \cup prime(B_{inv})))\}$$
and so the proof of this part follows by definition 6.13(2). $\square$
Proof of theorem 6.16

Proof. We recall that $\alpha P = \beta(P) \cup extrset(\alpha Q)$.

($\Rightarrow$) We assume that $extr_{EP(Q)}([Q]_{SF}) \sqsubseteq [P]_{SF}$. Thus, by SF-DEF1, $extr_{EP(Q)}(\tau Q) \subseteq \tau P$ and $extr_{EP(Q)}(\phi Q) \subseteq \phi P$. Hence, by TR-DEF1 and lemmas 6.14(1) and 6.15(1), $\tau FinalImple \subseteq \tau NewSpec$. We now show, therefore, that $\phi FinalImple \subseteq \phi NewSpec$.

Let $(t, X \cup Y) \in \phi FinalImple$, where, by lemma 6.14(2), there exists $(w, R) \in \phi_{dom_{EP(Q)}} Q$ such that:

• $extr_{EP(Q)}(w) = t$ and $R \subseteq \alpha Q$.
• $X \subseteq extrFDR^{rel}_{EP(Q)}(R, w, Q)$.
• $Y \subseteq (\Sigma - (A_{Fvis} \cup d_{inv}))$.

Since $extr_{EP(Q)}(\phi Q) \subseteq \phi P$ then, by SF-DEF2, $(t, Z) \in \phi P$ such that:
$$Z = extr^{rel}_{EP(Q)}(R, w, Q) \cup (\Sigma - extrset(\alpha Q)).$$
Thus, by lemma 6.15(2), $(t, S) \in \phi NewSpec$, where:
$$S = (Z \cap (\alpha P - B_{inv})) \cup DB(Z) \cup (\Sigma - ((\alpha P - B_{inv}) \cup d_{inv})).$$
By proposition C.21 and definition 6.2(2), $B_i \subseteq extrset(\alpha Q)$ for $i \in inv$. Moreover, for $i \in inv$ and by definition 4.10, EP5-FVI, EP1-FVI, SF-GLOBAL2 and EP-UNI1, $B_i \subseteq extr^{rel}_{EP(Q)}(R, w, Q)$ if and only if $extr^{rel}_i(R \cap A_i, w \upharpoonright A_i, Q) = B_i$. Thus, by definitions 6.14 and 6.16,
$$DB\bigl(extr^{rel}_{EP(Q)}(R, w, Q) \cup (\Sigma - extrset(\alpha Q))\bigr) = \bigcup_{i \in inv} extrFDR^{rel}_i(R \cap A_i, w \upharpoonright A_i, Q).$$
By SF-GLOBAL2, EP-UNI1, EP1-FVI, EP5-FVI and definitions 4.10 and 6.2(2),

Moreover, $extr^{rel}_{EP(Q)}(R, w, Q) \subseteq extrset(\alpha Q) \subseteq \alpha P$. Thus,
$$extr^{rel}_{EP(Q)}(R, w, Q) \cap (\alpha P - B_{inv}) = \bigcup_{i \notin inv} extr^{rel}_i(R \cap A_i, w \upharpoonright A_i, Q)$$
and so, by EP5-FVI and definition 6.14(1),
$$extr^{rel}_{EP(Q)}(R, w, Q) \cap (\alpha P - B_{inv}) = \bigcup_{i \notin inv} extrFDR^{rel}_i(R \cap A_i, w \upharpoonright A_i, Q).$$
In addition, $(\alpha P - B_{inv}) \cap (\Sigma - extrset(\alpha Q)) = \alpha P - extrset(\alpha Q)$, since $B_{inv} \subseteq extrset(\alpha Q)$ by proposition C.21. Thus, and by definition 6.14,
$$S = extrFDR^{rel}_{EP(Q)}(R, w, Q) \cup (\alpha P - extrset(\alpha Q)) \cup (\Sigma - ((\alpha P - B_{inv}) \cup d_{inv})).$$
Moreover, since $extrset(\alpha Q) = A_{Fvis} \cup B_{inv}$ by proposition C.21, since $A_{Fvis} \cap B_{inv} = \emptyset$ and since $extrset(\alpha Q) \subseteq \alpha P$,
$$(\alpha P - extrset(\alpha Q)) \cup (\Sigma - ((\alpha P - B_{inv}) \cup d_{inv})) = \Sigma - (A_{Fvis} \cup d_{inv}).$$
Hence, $S = extrFDR^{rel}_{EP(Q)}(R, w, Q) \cup (\Sigma - (A_{Fvis} \cup d_{inv}))$ and so the proof in this direction follows by SF3.

($\Leftarrow$) We assume that $FinalImple \sqsubseteq_{SF} NewSpec$. Thus, by lemmas 6.14(1) and 6.15(1), $extr_{EP(Q)}(\tau Q) \subseteq \tau P$. Hence, by SF-DEF1, it suffices to show that $extr_{EP(Q)}(\phi Q) \subseteq \phi P$.

Let $(t, R) \in \phi_{dom_{EP(Q)}} Q$, where $R \subseteq \alpha Q$. By SF-DEF2 and SF3, we show that $(extr_{EP(Q)}(t), X \cup Y) \in \phi P$, where $X = extr^{rel}_{EP(Q)}(R, t, Q)$ and $Y = \Sigma - extrset(\alpha Q)$. By lemma 6.14(2) and since $\phi FinalImple \subseteq \phi NewSpec$, then $(extr_{EP(Q)}(t), V \cup W) \in \phi NewSpec$, where:

• $V = extrFDR^{rel}_{EP(Q)}(R, t, Q)$.
• $W = \Sigma - (A_{Fvis} \cup d_{inv})$.

Thus, by lemma 6.15(2), there exists $U$ such that $(extr_{EP(Q)}(t), U) \in \phi P$ and:

We observe that $d_i \notin \alpha P$ for $i \in inv$ since all such $d_i$ are "fresh" events. Hence, $\bigcup_{i \in inv} extrFDR^{rel}_i(R \cap A_i, t \upharpoonright A_i, Q) \subseteq DB(U)$ by definitions 6.12, 6.14 and 6.16 and so, again by definitions 6.14 and 6.16,
$$\bigcup_{i \in inv} extr^{rel}_i(R \cap A_i, t \upharpoonright A_i, Q) \subseteq U.$$
By proposition C.21, since $extrset(\alpha Q) \subseteq \alpha P$ and since $A_{Fvis} \cap B_{inv} = \emptyset$, then $A_{Fvis} \subseteq (\alpha P - B_{inv})$. Hence, by definitions 6.14(1) and 6.15,
$$\bigcup_{i \notin inv} extrFDR^{rel}_i(R \cap A_i, t \upharpoonright A_i, Q) \subseteq (\alpha P - B_{inv})$$
and so, by definitions 6.14 and 6.16, and (**),
$$\bigcup_{i \notin inv} extrFDR^{rel}_i(R \cap A_i, t \upharpoonright A_i, Q) \subseteq (U \cap (\alpha P - B_{inv})).$$
Thus, by definition 6.14(1) and EP5-FVI,

Hence, by SF-GLOBAL2, $extr^{rel}_{EP(Q)}(R, t, Q) \subseteq U$.

By definition 6.16, we observe that $DB(U) \subseteq d_{inv}$. Thus, by (**) and since $(\Sigma - (A_{Fvis} \cup d_{inv})) \cap d_{inv} = \emptyset$,

If we subtract $B_{inv}$ from both sides, we have, by proposition C.21 and since $extrset(\alpha Q) \subseteq \alpha P$:

If we then add $d_{inv}$ to both sides, we have that:
$$(\Sigma - extrset(\alpha Q)) \subseteq (U \cap (\alpha P - B_{inv})) \cup (\Sigma - \alpha P).$$
Hence, $(\Sigma - extrset(\alpha Q)) \subseteq U \cup (\Sigma - \alpha P)$. By PA2,
$$(extr_{EP(Q)}(t), U \cup (\Sigma - \alpha P)) \in \phi P$$
and so, by SF3,

$\square$
C.5 Proofs from section 6.7 
Proof of theorem 6.17

Proof. We first observe that $TE_i$ is guarded and so $\delta TE_i = \emptyset$ by DF.

($\Rightarrow$) We assume that $ep_i$ meets EP6 and proceed by assuming that $\delta(TE_i \setminus A_i) \ne \emptyset$. Thus, since $\delta TE_i = \emptyset$, there exists $w \in \Sigma^{\omega}$ such that $w \setminus A_i$ is finite and, for every $v < w$, $v \in \tau_{\bot} TE_i$. Hence, $v \in \tau TE_i$ for every $v < w$ by DR1. Thus, the sequence of $domain(v)$ for $v < w$ is an $\omega$-sequence in $Dom_i$ by proposition C.4(1). But, by proposition C.4(3) and the fact that $w \setminus A_i$ is finite, the sequence of $extr_i(domain(v))$ for $v < w$ is not an $\omega$-sequence and so we have a contradiction.

($\Leftarrow$) We assume that $\delta(TE_i \setminus A_i) = \emptyset$. Let $\ldots, t_j, \ldots$ be an $\omega$-sequence in $Dom_i$. Let $v, w \in Dom_i$ and, by proposition C.4(2), let $x, y \in \tau TE_i$ be such that $domain(x) = v$ and $domain(y) = w$. If $v \le w$ then $x \le y$ by the definition of $TE_i$ and definitions 6.4 and 6.7(1). Thus, there exists an $\omega$-sequence $\ldots, u_j, \ldots$ in $\tau TE_i$, where $domain(u_j) = t_j$ for each $u_j$. We proceed by assuming that $\ldots, extr_i(domain(u_j)), \ldots$ is not an $\omega$-sequence. Hence, by proposition C.4(3), $\ldots, extract(u_j \setminus A_i), \ldots$ is not an $\omega$-sequence and so $\ldots, u_j \setminus A_i, \ldots$ is not an $\omega$-sequence. Thus, since $\ldots, u_j, \ldots$ is an $\omega$-sequence in $\tau TE_i = \tau_{\bot} TE_i$ by DR1, then $\delta(TE_i \setminus A_i) \ne \emptyset$ and so we have a contradiction. $\square$
Proof of theorem 6.18

Proof. We first observe that $\phi_{\bot} P = \phi P$ by DR2 and since $\delta P = \emptyset$; moreover, $\tau P = \tau_{\bot} P$ by DR1.

($\Rightarrow$) We assume that $extr_{EP(Q)}([Q]_{FD}) \sqsubseteq [P]_{FD}$. Thus, by FD-DEF1, $extr_{EP(Q)}(\phi_{\bot} Q) \subseteq \phi_{\bot} P = \phi P$ and $extr_{EP(Q)}(\delta Q) \subseteq \delta P = \emptyset$. Hence, by FD-DEF3, $extr_{EP(Q)}(\phi Q) \subseteq \phi P$. Moreover, by FD-DEF2 and proposition 6.4(3), $min\,\delta Q = \emptyset$. Thus, $\delta Q = \emptyset$ by definition 2.2. Since $Q$ meets conditions Dom-T-check and Dom-SF-check, then $Q \sqsubseteq^{EP(Q)} P$ by FD-DEF4. Hence, by propositions 6.4(1) and B.25, $extr_{EP(Q)}(t) \in \tau_{\bot} P = \tau P$ for every $t \in \tau Q$ and so $extr_{EP(Q)}(\tau Q) \subseteq \tau P$ by TR-DEF1. Thus, $extr_{EP(Q)}([Q]_{SF}) \sqsubseteq [P]_{SF}$ by SF-DEF1 and the proof in this direction follows by theorem 6.16.

($\Leftarrow$) We assume that $FinalImple \sqsubseteq_{SF} NewSpec$ and $\delta Q = \emptyset$. Thus, by definition 2.2 and FD-DEF2, $extr_{EP(Q)}(\delta Q) = \emptyset \subseteq \delta P$. Hence, by FD-DEF3, $extr_{EP(Q)}(\phi_{\bot} Q) = extr_{EP(Q)}(\phi Q)$. Since $FinalImple \sqsubseteq_{SF} NewSpec$ then, by theorem 6.16 and SF-DEF1,
$$extr_{EP(Q)}(\phi_{\bot} Q) = extr_{EP(Q)}(\phi Q) \subseteq \phi P = \phi_{\bot} P.$$
Thus, the proof in this direction follows by FD-DEF1. $\square$
Appendix D 
Processes used in verification 
from chapter 7 
The following channels are needed here.¹

• channel extractWriteSlot : slots.slots.dataint
• channel extractWriteSlotRead : slots.slots.dataint
• channel extractWriteLatest : slots.slots.dataint
• channel extractReadLatest : slots.slots.dataint
• channel extractReadReading : slots.slots.dataint
• channel extractReadSlot : slots.slots.dataint
• channel extra : dataint

Those channels containing Write as a substring of their identifier are used in the extraction of write events. extractWriteSlot is used when we extract to a single write event on the occurrence of slot.writer.x.wr.y. We then observe that extractWriteSlotRead is used when we extract to both a read and a write event on the occurrence of slot.writer.x.wr.y. extractWriteLatest is used when we extract on the occurrence of latest.wr.x. Those channels containing Read as a substring of their identifier are used in the extraction of read events. The implementation events which they are used to extract are immediate from their respective identifiers. The channel extra is used when we must extract to a write event and a read event together.

¹ Disregarding extra for the moment, these channels are used to represent "pairs of events" which will be used in the extraction of the events of FSlot. However, the respective types of these channels do not give sufficient information to allow us, as described in section 6.4, to reclaim the name of the channel of the right-hand event of the pair: i.e. the channel on which the (specification) event being extracted to will occur. This is acceptable since the new channel names themselves give us all the information we need: see the definition of extr_ar below.
Four processes are composed in parallel- with each individual composi-
tion synchronizing on common events - to define the process TEar used in 
the extraction of the traces of FSlot. These are WrExt, RdExt, EDATA and 
SlotCopy (they are composed in that order). EDATA is given in figure D.1 
and is a copy of Data from figure 7.6. SlotCopy is given in figure D.2 and is a 
copy of the process Slots from figure 7.5. These two processes are needed for 
the following reason. According to the definition of extr ar from figure 7.12, 
we never extract on the occurrence of an actual data transfer event: when 
we do extract, we therefore need some means of discovering the data value 
which was transferred (in the case of write events) or will be transferred (in 
the case of read events). This is the purpose of the process EDATA. In order 
to use EDATA to find the relevant data value, it is necessary to know the 
pair and slot - i.e. the position in the 2-dimensional data array - at which 
it is to be found. On the reader side, although we always know the value of 
the necessary pair by the time that we must extract, we do not always know 
the value of the slot within that pair: SlotCopy is used to help us find it. 
More detail on how exactly these two processes are used may be found in 
section D.1 below, after all necessary processes have been presented. 
The processes which are directly responsible for extracting events are 
WrExt and RdExt. They are each presented over two figures because of 
the length of their respective descriptions and also because this split helps 
partition the clauses of each process in a useful way. WrExt, given in figures 
D.3 and D.4, is used to extract write events. RdExt, given in figures D.5 and 
D.6, is used to extract read events. 
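The extraction processes above are needed because one abstract write or read of FSlot is spread over several implementation events (on the slot, latest, reading and data channels), and which abstract event a trace corresponds to depends on how the writer's and reader's events interleave. The following Python script is an added example, not the thesis's own code: it models a writer and a reader of this kind, assuming that the chapter 7 processes implement Simpson's four-slot mechanism with its standard step order (that assumption, the numbering of written values and the bounds on the number of writes and reads are the script's own), explores every interleaving of the atomic steps, and checks the two properties that such an extraction relies on: the writer and reader never touch the same cell of the 2x2 data array at the same time, and every value the reader obtains was published before it was read and is no older than the write that was latest when the read began.

```python
"""Exhaustive interleaving check of a one-writer, one-reader four-slot model.

Constructed example.  Assumes the standard four-slot step order (an assumption
about the chapter 7 processes, which are not reproduced here).  Value k is
written by the k-th write, so a cell's content doubles as the sequence number
of the write that filled it; `latest_seq` and `lseq` are ghost variables used
only by the checks.
"""
from collections import namedtuple

N_WRITES = 3  # the writer performs writes 1..N_WRITES, then stops
N_READS = 3   # the reader performs N_READS reads, then stops

State = namedtuple("State",
    "slot latest latest_seq reading data "   # shared: slot[2], latest, ghost seq, reading, 4 cells
    "wpc wp wi wn "                          # writer: next step, pair, index, writes done
    "rpc rp ri rn lseq rv")                  # reader: next step, pair, index, reads done,
                                             #         ghost seq seen in latest, last value read

def initial():
    return State(slot=(0, 0), latest=0, latest_seq=0, reading=0, data=(0, 0, 0, 0),
                 wpc=0, wp=0, wi=0, wn=0, rpc=0, rp=0, ri=0, rn=0, lseq=0, rv=0)

def cell(pair, index):
    return 2 * pair + index

def writer_step(s):
    """One atomic writer step; None once all writes are done."""
    if s.wn == N_WRITES:
        return None
    if s.wpc == 0:                                   # pair := not reading
        return s._replace(wp=1 - s.reading, wpc=1)
    if s.wpc == 1:                                   # index := not slot[pair]
        return s._replace(wi=1 - s.slot[s.wp], wpc=2)
    if s.wpc == 2:                                   # data[pair][index] := value
        data = list(s.data)
        data[cell(s.wp, s.wi)] = s.wn + 1
        return s._replace(data=tuple(data), wpc=3)
    if s.wpc == 3:                                   # slot[pair] := index
        slot = list(s.slot)
        slot[s.wp] = s.wi
        return s._replace(slot=tuple(slot), wpc=4)
    return s._replace(latest=s.wp, latest_seq=s.wn + 1, wn=s.wn + 1, wpc=0)  # latest := pair

def reader_step(s):
    """One atomic reader step; None once all reads are done."""
    if s.rn == N_READS:
        return None
    if s.rpc == 0:                                   # pair := latest
        return s._replace(rp=s.latest, lseq=s.latest_seq, rpc=1)
    if s.rpc == 1:                                   # reading := pair
        return s._replace(reading=s.rp, rpc=2)
    if s.rpc == 2:                                   # index := slot[pair]
        return s._replace(ri=s.slot[s.rp], rpc=3)
    return s._replace(rv=s.data[cell(s.rp, s.ri)], rn=s.rn + 1, rpc=0)  # value := data[pair][index]

def published(s):
    """Writes whose slot update has happened, i.e. whose value a reader may legitimately see."""
    return s.wn + (1 if s.wpc == 4 else 0)

def violations(s):
    """Properties checked on every reachable state."""
    out = []
    # coherence: once both sides have fixed their cell, the cells must differ
    if s.wpc == 2 and s.rpc == 3 and (s.wp, s.wi) == (s.rp, s.ri):
        out.append(f"coherence: both access cell {(s.wp, s.wi)}")
    # between reads: the last value read was published, and is no older than
    # the write that was 'latest' when that read started
    if s.rpc == 0 and not (s.lseq <= s.rv <= published(s)):
        out.append(f"freshness: read {s.rv}, latest seen {s.lseq}, published {published(s)}")
    return out

def explore():
    """DFS over all interleavings; returns (number of states, list of violations)."""
    start = initial()
    seen, stack, bad = {start}, [start], []
    while stack:
        s = stack.pop()
        bad.extend(violations(s))
        for nxt in (writer_step(s), reader_step(s)):
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen), bad

if __name__ == "__main__":
    n, bad = explore()
    print(f"{n} states explored, {len(bad)} violations")
```

The coherence check is the reason the extraction in WrExt and RdExt can attribute each data transfer to one abstract event: with every step atomic and both sides having fixed a cell, the pair chosen by the writer (not reading) or the index it chose (not slot[pair]) always differs from the reader's. The freshness check mirrors what the extraction has to decide when a write's slot update has happened but its latest update has not: the reader may already see that value, which is why the thesis sometimes extracts to a write and a read event together.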
WrExt has a number of parameters, corresponding to the variables used in the definition of extr_ar in figure 7.12. They are explained as follows:

• wrp - The value of pair in the writer.
• wrs - The value of index in the writer (i.e. the value of the slot into which we shall write or into which we have just written).
• late - The value stored by the variable latest.
• wrExtract - A variable to indicate whether or not we have extracted yet on the current call to write.
• rp - The value of pair in the reader.
• readingVal - The value stored by the variable reading.
• ExtractData(x, y, V) =
    let ED(v) =
        data.wr.x.y?val -> ED(val)
        [] extractWriteSlot.x.y.v -> ED(v)
        [] extractWriteSlotRead.x.y.v -> ED(v)
        [] extractWriteLatest.x.y.v -> ED(v)
        [] extractReadLatest.x.y.v -> ED(v)
        [] extractReadSlot.x.y.v -> ED(v)
        [] extractReadReading.x.y.v -> ED(v)
    within ED(V).

• EDATA = $|||_{x \in A}$ ExtractData(fst(x), sec(x), 0), where
    A = {(first, first), (first, second), (second, first), (second, second)}.

Figure D.1: A copy of the data array

• SC(x, Y) =
    let SY(y) =
        slot.writer.x.wr?new -> SY(new)
        [] extractWriteSlot.x?new?val -> SY(new)
        [] extractWriteSlotRead.x?new?val -> SY(new)
        [] extractWriteLatest.x.y?val -> SY(y)
        [] extractReadLatest.x.y?val -> SY(y)
        [] extractReadReading.x.y?val -> SY(y)
    within SY(Y).

• SlotCopy = $|||_{x \in \{first, second\}}$ SC(x, first).

Figure D.2: A copy of Slots
• WrExt = WE(jirst,jirst,jirst,no,jirst,jirst, no, 1). 
• WE (wrp, wrs, late, wr Extract, rp, reading Val, rdExtract,posn) = 
latest. rd?val -t 
WE (wrp, wrs, late, wr Extract, val, reading Val, rdExtract, 2) 
o 
extractReadLatest?x?y?val -t 
WE(wrp, wrs,late, wrExtract,x, reading Val,yes,2) 
o 
reading. wr?val -t WE(wrp, wrs,late, wrExtract, rp, val,rdExtract, 3) 
o 
extractReadReading ?x?y ?val -t 
WE(wrp, wrs,late, wrExtract, rp,x, yes, 3) 
o 
slot. reader ?x!rd ?y -t 
WE(wrp, wrs,late, wrExtract,rp, reading Val, rdExtract,4) 
o 
extractReadSlot ?x?y ?val -t 
WE(wrp, wrs,late, wrExtract,rp, reading Val,yes,4) 
o 
data. rd?x?y?val -t WE(wrp, wrs,late, wrExtract, rp,reading Val, no, 1) 
o 
reading. rd?p -t 
WE (not (p ), wrs, late, wr Extract, rp, reading Val, rdExtract,posn) 
o 
slot. writer?x!rd?s -t 
WE (wrp, not (s), late, wr Extract, rp, reading Val, rdExtract,posn) 
o 
data.wr?x?y?val -t 
WE(wrp, wrs,late, wrExtract, rp, reading Val, rdExtract,posn) 
o 
Figure D.3: Process used to extract write events - part 1 
285 
(if (rdExtract == yes and wrp == late) then 
(extract WriteSlot?x?y?val-t 
WE(wrp, wrs,late,yes, rp, reading Val, rdExtract,posn)) 
else 
o 
(if (posn == 1 and wrp == late) then 
(extract WriteSlot?x?y?val-t 
WE(wrp, wrs,late,yes, rp, reading Val, rdExtract,posn)) 
else 
(if ((posn == 2 or posn == 3) and rp == wrp) then 
(if (rp == reading Val) then 
(extract WriteSlotRead?x?y?val -textra. val-t 
WE(wrp, wrs,late,yes, rp, reading Val,yes,posn)) 
else 
(extract WriteSlot?x?y?val-t 
WE( wrp, wrs, late, yes, rp, reading Val, rdExtract,posn))) 
else 
(slot. writer ?x!wr ?y-t 
WE (wrp, wrs, late, wr Extract, rp, reading Val, rdExtract,posn) ) ) ) ) 
(if wrExtract == no then 
(extract WriteLatest?x?y?val-t 
WE( wrp, wrs,x, wrExtract, rp, reading Val, rdExtract,posn)) 
else 
(latest. wr?x-t WE(wrp, wrs,x, no, rp, reading Val, rdExtract,posn))) 
Figure D.4: Process used to extract write events - part 2 
286 
287 
• rdExtract - A variable indicating whether or not we have extracted 
yet on the current call to read. 
• posn - The current position of the reader. 
The part of WrExt which is given in figure D.3 is simply used to update 
these parameters (data.wr?x?y?val is included for ease of defining synchro-
nization with RdExt). The part of WrExt given in figure D.4 actually deals 
with the extraction proper and is related directly to the detail given in fig-
ure 7.12.² In general, we offer the "extracted" version of an implementation 
event a - i.e. an "event pair" where a is the left-hand component and the 
right-hand component is non-null - if the necessary conditions are met; oth-
erwise, we offer a itself. If the original event a is offered, it indicates that its 
occurrence at this point does not cause extraction to a high-level write event 
(recall that a will be hidden in the construction of the final implementation 
process to be supplied as input to FDR2). Note also that extractWriteSlotRead?x?y?val 
followed by extra.val (from figure D.4) is used when we 
must extract to both a read event and a write event on the occurrence of 
slot.writer.not(p).wr.not(i). The event occurring on extractWriteSlotRead 
is renamed to the write event and that occurring on extra is renamed to 
the read event; this uses the renaming extract^ar defined below. (When an 
event occurs on channel extra, it effectively represents an "event pair" with 
a null left-hand - i.e. implementation - component but with a non-null 
right-hand component.) 

² Note that, in figure 7.12, wVal is used to give directly the value of the last data 
item written into the mechanism. Using that approach here would have required an extra 
parameter for WrExt and so we instead use the process EDATA - needed anyway for the 
extraction of read events - to provide the necessary information. 

Process RdExt is similar in concept to WrExt; its parameters are ex-
plained as follows: 
• rp - The value of pair in the reader. 
• rdng - The value of the variable reading. 
• wrp - The value of pair in the writer. 
• late - The value of the variable latest. 
• posn - The position of the writer. 
• extract - This indicates whether or not we have extracted yet on the 
current call to read. 
• RdExt = RE(first, first, first, first, 1, no). 
• RE(rp, rdng, wrp, late, posn, extract) = 
    reading.rd?p → RE(rp, rdng, not(p), late, 2, extract) 
    □ slot.writer?x!rd?s → RE(rp, rdng, wrp, late, 3, extract) 
    □ data.wr?x?y?val → RE(rp, rdng, wrp, late, 4, extract) 
    □ extractWriteSlot?x?y?val → RE(rp, rdng, wrp, late, 5, extract) 
    □ extractWriteSlotRead?x?y?val → extra.val → RE(rp, rdng, wrp, late, 5, yes) 
    □ slot.writer?x!wr?y → RE(rp, rdng, wrp, late, 5, extract) 
    □ extractWriteLatest?x?y?val → RE(rp, rdng, wrp, x, 1, extract) 
    □ latest.wr?val → RE(rp, rdng, wrp, val, 1, extract) 
    □ data.rd?x?y?val → RE(rp, rdng, wrp, late, posn, no) 
    □ (continued in figure D.6) 
Figure D.5: Process used to extract read events - part 1 

    (if ((posn == 1 or posn == 5) and (late == rdng)) then 
        (extractReadLatest?x?y?val → RE(x, rdng, wrp, late, posn, yes)) 
     else 
        (if ((posn == 2 or posn == 3 or posn == 4) and (wrp != late) and (late == rdng)) then 
            (extractReadLatest?x?y?val → RE(x, rdng, wrp, late, posn, yes)) 
         else 
            (latest.rd?p → RE(p, rdng, wrp, late, posn, extract)))) 
    □ 
    (if ((extract == no) and (posn == 1 or posn == 5 or rp != wrp)) then 
        (extractReadReading?x?y?val → RE(rp, x, wrp, late, posn, yes)) 
     else 
        (reading.wr?val → RE(rp, val, wrp, late, posn, extract))) 
    □ 
    (if extract == no then 
        (extractReadSlot?x?y?val → RE(rp, rdng, wrp, late, posn, yes)) 
     else 
        (slot.reader?x!rd?y → RE(rp, rdng, wrp, late, posn, extract))) 
Figure D.6: Process used to extract read events - part 2 
We define prep^ar ≜ ∪_{1 ≤ i ≤ 10} prep^ar_i, where: 
• prep^ar_1 ≜ {(slot.writer.x.wr.y, slot.writer.x.wr.y) | 
  slot.writer.x.wr.y ∈ αslot.writer}. 
• prep^ar_2 ≜ {(slot.writer.x.wr.y, extractWriteSlot.x.y.z) | 
  slot.writer.x.wr.y ∈ αslot.writer ∧ z ∈ dataint}. 
• prep^ar_3 ≜ {(slot.writer.x.wr.y, extractWriteSlotRead.x.y.z) | 
  slot.writer.x.wr.y ∈ αslot.writer ∧ z ∈ dataint}. 
• prep^ar_4 ≜ {(latest.x.y, latest.x.y) | latest.x.y ∈ αlatest}. 
• prep^ar_5 ≜ {(latest.wr.x, extractWriteLatest.x.y.z) | 
  latest.wr.x ∈ αlatest.wr ∧ y ∈ {first, second} ∧ z ∈ dataint}. 
• prep^ar_6 ≜ {(latest.rd.x, extractReadLatest.x.y.z) | 
  latest.rd.x ∈ αlatest.rd ∧ y ∈ {first, second} ∧ z ∈ dataint}. 
• prep^ar_7 ≜ {(reading.wr.x, reading.wr.x) | 
  reading.wr.x ∈ αreading.wr}. 
• prep^ar_8 ≜ {(reading.wr.x, extractReadReading.x.y.z) | 
  reading.wr.x ∈ αreading.wr ∧ y ∈ {first, second} ∧ z ∈ dataint}. 
• prep^ar_9 ≜ {(slot.reader.x.rd.y, slot.reader.x.rd.y) | 
  slot.reader.x.rd.y ∈ αslot}. 
• prep^ar_10 ≜ {(slot.reader.x.rd.y, extractReadSlot.x.y.z) | 
  slot.reader.x.rd.y ∈ αslot ∧ z ∈ dataint}. 
Figure D.7: Defining prep^ar 
We define extract^ar ≜ ∪_{1 ≤ i ≤ 7} extract^ar_i, where: 
• extract^ar_1 ≜ {(extractWriteSlot.x.y.z, write.z) | 
  extractWriteSlot.x.y.z ∈ αextractWriteSlot}. 
• extract^ar_2 ≜ {(extractWriteSlotRead.x.y.z, write.z) | 
  extractWriteSlotRead.x.y.z ∈ αextractWriteSlotRead}. 
• extract^ar_3 ≜ {(extractWriteLatest.x.y.z, write.z) | 
  extractWriteLatest.x.y.z ∈ αextractWriteLatest}. 
• extract^ar_4 ≜ {(extractReadLatest.x.y.z, read.z) | 
  extractReadLatest.x.y.z ∈ αextractReadLatest}. 
• extract^ar_5 ≜ {(extractReadReading.x.y.z, read.z) | 
  extractReadReading.x.y.z ∈ αextractReadReading}. 
• extract^ar_6 ≜ {(extractReadSlot.x.y.z, read.z) | 
  extractReadSlot.x.y.z ∈ αextractReadSlot}. 
• extract^ar_7 ≜ {(extra.z, read.z) | extra.z ∈ αextra}. 
Figure D.8: Defining extract^ar 

We define domain^ar ≜ ∪_{1 ≤ i ≤ 6} domain^ar_i, where: 
• domain^ar_1 ≜ {(extractWriteSlot.x.y.z, slot.writer.x.wr.y) | 
  extractWriteSlot.x.y.z ∈ αextractWriteSlot}. 
• domain^ar_2 ≜ {(extractWriteSlotRead.x.y.z, slot.writer.x.wr.y) | 
  extractWriteSlotRead.x.y.z ∈ αextractWriteSlotRead}. 
• domain^ar_3 ≜ {(extractWriteLatest.x.y.z, latest.wr.x) | 
  extractWriteLatest.x.y.z ∈ αextractWriteLatest}. 
• domain^ar_4 ≜ {(extractReadLatest.x.y.z, latest.rd.x) | 
  extractReadLatest.x.y.z ∈ αextractReadLatest}. 
• domain^ar_5 ≜ {(extractReadReading.x.y.z, reading.wr.x) | 
  extractReadReading.x.y.z ∈ αextractReadReading}. 
• domain^ar_6 ≜ {(extractReadSlot.x.y.z, slot.reader.x.rd.y) | 
  extractReadSlot.x.y.z ∈ αextractReadSlot}. 
Figure D.9: Defining domain^ar 
The renaming prep^ar used here is given in figure D.7; the renaming 
extract^ar is defined in figure D.8.³ Each of the channels used for the ex-
traction of events (apart from extra) has three data fields, denoted x, y and 
z. Fields x and y are used to indicate the pair and slot combination in the 
data array at which the data value to be extracted is stored: these fields are 
used in the synchronization with EDATA. z denotes the data value itself and 
so extract^ar simply renames to read.z or write.z as appropriate. Finally, the 
renaming domain^ar is defined in figure D.9: it may be used to reclaim the 
domain of the mapping which is represented by TE^ar. 

³ Those events on the occurrence of which we never extract to a high-level read or write 
event, such as those on channel data, need only be renamed to themselves by prep^ar and 
so are omitted from its definition. 

D.1 Explaining TE^ar further 

Further comment is necessary on the role played by EDATA and SlotCopy 
and the way they interact with the various channels used for extraction: i.e. 
those whose identifier begins with the string "extract". We use the extraction 
to a read event on the occurrence of latest.rd.p as an example. According to 
the renaming prep^ar, this event (in the implementation) will be renamed to 
the set of extractReadLatest.p.y.z where y ∈ {first, second} and z ∈ dataint. 
If a synchronization occurs between such an event extractReadLatest.p.y.z 
in the modified implementation and the same event in the process TE^ar, we 
know that we are to extract on the occurrence of latest.rd.p. More than that, 
however, we know that y gives us the value of slot[p], because synchroniza-
tion with TE^ar means that we have effectively synchronized with SlotCopy 
as well. This means that the reader, on this call to read, will read the data 
value stored at position (p, y) in the data array. In fact, z gives us the data 
value currently stored in that location because we have effectively synchro-
nized with EDATA as well. Extraction on the occurrence of other events 
works in a similar way. As a result, once we have renamed the implementa-
tion process and composed it with TE^ar, the events of the resulting process 
contain sufficient information that we may carry out extraction using only 
hiding and renaming. 
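The mechanism just described (the relational renaming prep^ar turning one implementation event into a set of candidate extract-channel events, synchronization with EDATA and SlotCopy leaving exactly one of them, and extract^ar then reading off the high-level event) can be checked at the level of traces without FDR2. The following is an added example, written for this page; it is not part of the thesis and not its FDR2 script. It generalises the latest.rd.p case above to every extract channel of figures D.7 and D.8. Assumptions: dataint is taken as {0, ..., 9}; event names follow figures D.1 to D.8; and the decision whether an event extracts, and on which channel, which in the thesis is made by WrExt and RdExt (figures D.3 to D.6), is supplied by hand for each event of a constructed trace rather than modelled. Only prep^ar, the two copy processes and extract^ar are modelled.

```python
# Added example (not from the thesis, nor its FDR2 script): a trace-level model
# of the extraction mechanism of appendix D.  Assumptions: dataint = {0..9};
# event names follow figures D.1-D.8; whether an event extracts, and on which
# channel, is decided by WrExt/RdExt (figures D.3-D.6) and is supplied here by
# hand per event.  Modelled: prep^ar, EDATA/SlotCopy synchronisation, extract^ar.

PAIRS = ("first", "second")
DATAINT = range(10)                                   # assumed data type
WRITE_CHANS = ("extractWriteSlot", "extractWriteSlotRead", "extractWriteLatest")
READ_CHANS = ("extractReadLatest", "extractReadReading", "extractReadSlot")
NEEDS_SLOT = ("extractWriteLatest", "extractReadLatest", "extractReadReading")


def prep(ev):
    """Relational renaming prep^ar (figure D.7): an event may stay itself or
    become an extract-channel event; fields it does not carry (slot y for
    latest/reading events, value z always) range over all values."""
    out = {ev}
    if ev[:2] == ("slot", "writer") and ev[3] == "wr":          # slot.writer.x.wr.y
        out |= {(c, ev[2], ev[4], z) for c in WRITE_CHANS[:2] for z in DATAINT}
    elif ev[0] == "latest":                                     # latest.wr.x / latest.rd.x
        c = "extractWriteLatest" if ev[1] == "wr" else "extractReadLatest"
        out |= {(c, ev[2], y, z) for y in PAIRS for z in DATAINT}
    elif ev[:2] == ("reading", "wr"):                           # reading.wr.x
        out |= {("extractReadReading", ev[2], y, z) for y in PAIRS for z in DATAINT}
    elif ev[:2] == ("slot", "reader"):                          # slot.reader.x.rd.y
        out |= {("extractReadSlot", ev[2], ev[4], z) for z in DATAINT}
    return out


class Copies:
    """Joint state of EDATA (figure D.1) and SlotCopy (figure D.2)."""

    def __init__(self):
        self.data = {(p, s): 0 for p in PAIRS for s in PAIRS}  # ExtractData(x, y, 0)
        self.slot = {p: "first" for p in PAIRS}                 # SC(x, first)

    def accepts(self, ev):
        """Would both copies synchronise on this extract-channel event?"""
        chan, x, y, z = ev
        if self.data[(x, y)] != z:             # ED(v) offers only ...x.y.v
            return False
        if chan in NEEDS_SLOT:                 # SY(y) offers only ...x.y?val
            return self.slot[x] == y
        return True                            # y was carried by the event itself

    def step(self, ev):
        """Advance the copies on the event that actually occurred."""
        if ev[:2] == ("data", "wr"):
            self.data[(ev[2], ev[3])] = ev[4]
        elif ev[:2] == ("slot", "writer") and ev[3] == "wr":
            self.slot[ev[2]] = ev[4]
        elif ev[0] in WRITE_CHANS[:2]:         # SY(y) -> SY(new)
            self.slot[ev[1]] = ev[2]


def extract_rename(ev):
    """Renaming extract^ar (figure D.8); extractWriteSlotRead is followed by
    extra.z, renamed to read.z.  Unextracted events end up hidden: []."""
    chan, z = ev[0], ev[-1]
    if chan == "extractWriteSlotRead":
        return [("write", z), ("read", z)]
    if chan in WRITE_CHANS:
        return [("write", z)]
    if chan in READ_CHANS:
        return [("read", z)]
    return []


def run(trace):
    """trace: list of (implementation event, extract channel or None).
    Returns the extracted high-level trace; raises if synchronising with the
    copies does not pin the extracted event down to exactly one."""
    copies, high = Copies(), []
    for ev, chan in trace:
        chosen = ({ev} if chan is None else
                  {e for e in prep(ev) if e[0] == chan and copies.accepts(e)})
        if len(chosen) != 1:
            raise ValueError(f"{ev}: {len(chosen)} candidates on {chan}")
        (occurred,) = chosen
        copies.step(occurred)
        high += extract_rename(occurred)
    return high


# Constructed trace of the 4-slot mechanism (writes of 7, 8 and 9; two reads),
# extract decisions taken by hand following figures D.3-D.6.  The last write
# lands in the slot the reader is about to read, so write.9 and read.9 are
# both extracted from one slot.writer event.
W, R = ("slot", "writer"), ("slot", "reader")
DEMO_TRACE = [
    (("reading", "rd", "first"), None), (W + ("second", "rd", "first"), None),
    (("data", "wr", "second", "second", 7), None), (W + ("second", "wr", "second"), None),
    (("latest", "wr", "second"), "extractWriteLatest"),          # -> write.7
    (("latest", "rd", "second"), None),
    (("reading", "wr", "second"), "extractReadReading"),         # -> read.7
    (R + ("second", "rd", "second"), None), (("data", "rd", "second", "second", 7), None),
    (("reading", "rd", "second"), None), (W + ("first", "rd", "first"), None),
    (("data", "wr", "first", "second", 8), None), (W + ("first", "wr", "second"), None),
    (("latest", "wr", "first"), "extractWriteLatest"),           # -> write.8
    (("reading", "rd", "second"), None), (W + ("first", "rd", "second"), None),
    (("latest", "rd", "first"), None), (("reading", "wr", "first"), None),
    (("data", "wr", "first", "first", 9), None),
    (W + ("first", "wr", "first"), "extractWriteSlotRead"),      # -> write.9, read.9
    (("latest", "wr", "first"), None),
    (R + ("first", "rd", "first"), None), (("data", "rd", "first", "first", 9), None),
]

if __name__ == "__main__":
    print(run(DEMO_TRACE))
```

The point the run makes is the one in the paragraph above: prep(latest.rd.p) alone is a set of 1 + 2·|dataint| events, but once EDATA and SlotCopy must agree on the slot y and the value z, exactly one extract event survives, so the high-level trace can be read off by renaming and hiding alone. Passing an extract channel that the event cannot be renamed to (say extractReadLatest on a latest.wr event) leaves no candidate, and run reports it instead of silently extracting nothing.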
Appendix E  Lists of conditions, notations and processes 

E.1 General notation 

In the following, $t, u, t_1, t_2, \ldots$ are traces; $A$ is a set of actions; $T, T'$ are non-empty sets of traces; $G \subseteq \Sigma \times \Sigma$ is a relation; and $\mathcal{X}$ is a set of sets. Note that traces are assumed to be finite unless otherwise stated. 
• $t = \langle a_1, \ldots, a_n \rangle$ is the trace whose $i$-th element is action $a_i$, and whose length, $|t|$, is $n$. Moreover, $events(t) \triangleq \{a_1, \ldots, a_n\}$ and, provided that $n \geq 1$, $tail(t) \triangleq a_n$. If $n = 0$ then $t$ is the empty trace, denoted $\langle \rangle$. 
• $|A|$ denotes the cardinality of $A$. 
• $t \circ u$ is the trace obtained by appending $u$ to $t$. 
• $A^*$ is the set of all traces - i.e. sequences - of actions from $A$, including the empty trace, $\langle \rangle$. 
• $A^\omega$ is the set of all infinite traces of actions from $A$. 
• $T^*$ is the set of all traces $t = t_1 \circ \cdots \circ t_n$ ($n \geq 0$) such that $t_1, \ldots, t_n \in T$ (note that $t = \langle \rangle$ when $n = 0$). 
• $\leq$ denotes the prefix relation on traces, and $t < u$ if $t \leq u$ and $t \neq u$. 
• $Pref(T) \triangleq \{u \mid (\exists t \in T)\ u \leq t\}$ is the prefix-closure of $T$. (In the event that $T$ is the singleton set $\{t\}$, we may use $Pref(t)$ in lieu of $Pref(T)$.) 
• $T$ is prefix-closed if $T = Pref(T)$. 
• $t \restriction A$ is the trace obtained by deleting from $t$ all the actions that do not occur in $A$. 
• $t \setminus A$ is the trace obtained by deleting from $t$ all the actions that do occur in $A$. 
• The definitions of $\restriction$ and $\setminus$ may be lifted to sets of traces in the obvious way: $T \restriction A \triangleq \{t \restriction A \mid t \in T\}$ and $T \setminus A \triangleq \{t \setminus A \mid t \in T\}$. 
• $t_1, t_2, \ldots$ is an $\omega$-sequence of traces if $t_1 \leq t_2 \leq \cdots$ and $\lim_{i \to \infty} |t_i| = \infty$. 
• A mapping $f : T \to T'$ is monotonic if $t, u \in T$ and $t \leq u$ implies $f(t) \leq f(u)$, and strict if $\langle \rangle \in T$ and $f(\langle \rangle) = \langle \rangle$. 
• The definition of $G$ may be lifted to sets of events, traces and sets of traces: 
  - $G(A) \triangleq \bigcup \{G(a) \mid a \in A\}$. 
  - $\langle a_1, \ldots, a_n \rangle \; G \; \langle b_1, \ldots, b_m \rangle \iff n = m \wedge \forall i \leq n.\ a_i \; G \; b_i$. 
  - $G(T) \triangleq \{u \mid (\exists t \in T)\ t \; G \; u\}$. 
  In the event that $T$ is the singleton set $\{t\}$, we may use $G(t)$ in lieu of $G(T)$. Moreover, if $G(t) = \{u\}$ for some trace $u$ then we shall denote this $G(t) = u$. Similarly, if $G(a) = \{b\}$ for some action $a$ then we write $G(a) = b$. 
• $G^{-1} \triangleq \{(b, a) \mid a \; G \; b\}$ is the inverse of $G$. 
• $Sub(\mathcal{X}) \triangleq \{W \subseteq X \mid X \in \mathcal{X}\}$ is the subset-closure of $\mathcal{X}$. 
• $\mathcal{X}$ is subset-closed if $\mathcal{X} = Sub(\mathcal{X})$. 
• $2^S \triangleq \{X \mid X \subseteq S\}$ gives the power set of $S$. For purposes of presentation, we will sometimes use $\mathbb{P}(S)$ in lieu of $2^S$. 
• We introduce containment and equality between pairs of sets in the obvious way. Let $B, B', C, C'$ be sets. 
  - $(B, C) \subseteq (B', C')$ if and only if $B \subseteq B'$ and $C \subseteq C'$. 
  - $(B, C) = (B', C')$ if and only if $B = B'$ and $C = C'$. 
• For an arbitrary set of objects $O$ and a partial ordering¹ $\preceq$ over the elements of $O$, $max_{\preceq}(O) \triangleq \{e \in O \mid (\nexists d \in O)\ e \preceq d \wedge e \neq d\}$. In the event that $max_{\preceq}(O) = \{e\}$ for some element $e$, we shall write $max_{\preceq}(O) = e$. 
• $max(F) = \{(t, R) \in F \mid (t, R) \text{ is maximal}\}$ for a set of failures $F$. 
• For $X \subseteq \Sigma_{impl}$, $[[X]]$ denotes the smallest set $A \in AllSet$ such that $X \subseteq A$. 

¹ A partial ordering is reflexive, transitive and antisymmetric. 
E.2 List of labelled conditions and definitions 

DE ... page 35 
DF ... page 28 
DIS ... page 131 
DOM-SF-CHECK ... page 98 
DOM-T-CHECK ... page 90 
DR1-3 ... page 29 
EP1 ... page 81 
EP1-FVI ... page 81 
EP2 ... page 81 
EP3A-FVI ... page 93 
EP3-FVI ... page 81 
EP3-SF ... page 93 
EP3-T ... page 81 
EP4 ... page 81 
EP4-FVI ... page 81 
EP5 ... page 93 
EP5-FVI ... page 96 
EP6 ... page 101 
EP-UNI1-2 ... page 83 
FD1-5 ... page 24 
FD-DEF1-4 ... page 102 
FM ... page 74 
FDS1-2 ... page 75 
HIDE-INVIS ... page 60 
MD ... page 30 
PA1-2 ... page 30 
PREF-CLOS ... page 51 
R1-2 ... page 58 
RAH1-3 ... page 50 
RAH1-SF ... page 69 
RAH1-T ... page 61 
RAH2-SF ... page 70 
RAH2-T ... page 62 
RAH3-SF ... page 69 
REC ... page 26 
REF-BOUND ... page 67 
REF-MONO ... page 67 
REP1-2 ... page 87 
S1-7 ... page 64 
SEQ ... page 74 
SF1-4 ... page 22 
SF-DEF1-3 ... page 99 
SF-GLOBAL1-2 ... page 97 
SFI1-3 ... page 68 
SFS1-7 ... page 71 
T1 ... page 21 
TI1-3 ... page 62 
TR-DEF1-2 ... page 92 
TR-GLOBAL1-2 ... page 85 
TR-MONO ... page 51 
TRP ... page 21 
TS1-4 ... page 6~ 
E.3 List of processes 

BitLatest ... page 161 
BitReading ... page 161 
D_i ... page 125 
Data ... page 163 
DataSlot ... page 163 
DC ... page 125 
[entry illegible] ... page 125 
[entry illegible] ... page 136 
EDATA ... page 284 
ExtEnv ... page 181 
ExtFS ... page 178 
ExtractData ... page 284 
FinalImple ... page 146 
FinalImple_i ... page 138 
FourSlotEnviron ... page 165 
FP ... page 36 
FSlot ... page 163 
FST ... page 37 
ImplNet ... page 45 
Interim ... page 145 
LeftImpl ... page 45 
LeftSpec ... page 44 
MFP ... page 38 
MFTP ... page 39 
ModEnv ... page 181 
NewSpec ... page 147 
PreImple ... page 145 
Proc ... page 146 
Proc_j ... page 137 
QProj ... page 125 
Q ... page 127 
[entry illegible] ... page 137 
RdExt ... page 288 
RE_i ... page 143 
REinv ... page 144 
ReadEnviron ... page 165 
Reader ... page 164 
Register ... page 165 
RegisterEnviron ... page 166 
RegReadEnviron ... page 166 
RegWriteEnviron ... page 166 
RightImpl ... page 45 
RightSpec ... page 44 
SC ... page 284 
SFT ... page 37 
SLOT ... page 162 
SlotCopy ... page 284 
Slots ... page 162 
SpecNet ... page 44 
[entry illegible] ... page 283 
[entry illegible] ... page 130 
[entry illegible] ... page 132 
TP ... page 36 
TraceExtract ... page 132 
Trim ... page 144 
TrimTwo ... page 145 
WrExt ... page 285 
WriteEnviron ... page 165 
Writer ... page 164 

E.4 Notation from chapter 3 

[[X]] ... page 55 
Σ_impl ... page 47 
Σ_spec ... page 52 
AllSet ... page 52 
BTrace ... page 52 
F_vis ... page 52 
MinSet ... page 52 
[entry illegible] ... page 53 

E.5 Notation from concrete notion of refinement-after-hiding 

⊒^EP(Q)_FD ... page 102 
⊒^EP(Q)_SF ... page 99 
⊒^EP(Q)_T ... page 92 
e ... page 81 
TDom^EP(Q)_Q ... page 91 
φdom^EP(Q)_Q ... page 98 
φDom^EP(Q)_Q ... page 98 
A ... page 81 
B ... page 81 
Comm(A, Q) ... page 86 
dom ... page 93 
Dom ... page 81 
dom^EP(Q) ... page 97 
Dom^EP(Q) ... page 85 
EP ... page 83 
EP(Q) ... page 85 
extr ... page 81 
extr^ref ... page 93 
extr^EP(Q) ... page 97 
extr_set ... page 83 
F_impl ... page 84 
F_spec ... page 84 
ImplSet ... page 83 
Proj^EP(Q) ... page 89 
ref ... page 93 
ref ... page 94 

E.6 Notation from chapter 6 

DB 
domain 
extract 
extr^FDR_EP(Q) 
inv 
prep 
prime 
rejtt 
RefSet_i 
uP 
uQ 

E.7 Semantic notations 

min6P 
⊑_FD 
⊑_SF 
⊑_T 

E.8 Operators 

STOP  the immediately deadlocking process 
DIV  the immediately diverging process 
a → P  the prefix operator 
P □ Q  deterministic choice 
P ⊓ Q  non-deterministic choice 
P \ A  hiding 
P ||_Y Q  parallel composition 
P ⊗_Y Q  network composition 
P[G]  renaming 
Bibliography 

[1] M. Abadi and L. Lamport: The Existence of Refinement Mappings. Theoretical Computer Science 82 (1991) 253-284. 
[2] P. Bernstein, V. Hadzilacos and N. Goodman: Concurrency Control and Recovery in Database Systems. Addison-Wesley (1987). 
[3] E. A. Boiten and J. Derrick: IO-refinement in Z. Proc. of 3rd BCS-FACS Northern Formal Methods Workshop, A. Evans, D. Duke and T. Clark (Eds.). Electronic Workshops in Computing, Springer-Verlag (1998). 
[4] E. A. Boiten and J. Derrick: Liberating data refinement. Proc. of Mathematics of Program Construction, 5th International Conference, R. C. Backhouse and J. N. Oliveira (Eds.). LNCS 1837 (2000) 144-166. 
[5] E. A. Boiten and J. Derrick: Unifying concurrent and relational refinement. Proc. of REFINE 02: The BCS FACS Refinement Workshop, J. Derrick, E. Boiten, J. Woodcock and J. von Wright (Eds.). Electronic Notes in Theoretical Computer Science 70(3) (2002) 38-75. 
[6] E. Brinksma: A Theory for the Derivation of Tests. In: Protocol Specification, Verification and Testing, VIII, S. Aggarwal and K. Sabnani (Eds.). North-Holland (1988) 63-74. 
[7] E. Brinksma, B. Jonsson and F. Orava: Refining Interfaces of Communicating Systems. Proc. of TAPSOFT '91: Proceedings of the International Joint Conference on Theory and Practice of Software Development, Volume 2: Advances in Distributed Computing (ADC) and Colloquium on Combining Paradigms for Software Development (CCPSD), S. Abramsky and T. S. E. Maibaum (Eds.). LNCS 494 (1991) 297-312. 
[8] S. D. Brookes, C. A. R. Hoare and A. W. Roscoe: A Theory of Communicating Sequential Processes. Journal of the ACM 31 (1984) 560-599. 
[9] S. D. Brookes and A. W. Roscoe: An Improved Failures Model for Communicating Sequential Processes. Proc. of Seminar on Concurrency, S. D. Brookes, A. W. Roscoe and G. Winskel (Eds.). Springer-Verlag, Lecture Notes in Computer Science 197 (1985) 281-305. 
[10] J. Burton, M. Koutny and G. Pappalardo: Modelling and Verification of Communicating Processes in the Event of Interface Difference. Technical Report 696, Dept. of Computing Science, University of Newcastle upon Tyne (2000). 
[11] J. Burton, M. Koutny and G. Pappalardo: Verifying Implementation Relations in the Event of Interface Difference. Proc. of FME 2001: Formal Methods for Increasing Software Productivity, J. N. Oliveira and P. Zave (Eds.). LNCS 2021 (2001) 364-383. 
[12] J. Burton, M. Koutny and G. Pappalardo: Implementing Communicating Processes in the Event of Interface Difference. Proc. of ACSD 2001: Second International Conference on Application of Concurrency to System Design, A. Valmari and A. Yakovlev (Eds.). IEEE Computer Society (2001) 87-96. 
[13] J. Burton, M. Koutny and G. Pappalardo: Compositional Verification of a Network of CSP Processes. Technical Report 757, Dept. of Computing Science, University of Newcastle upon Tyne (2002). 
[14] J. Burton: Compositional Verification of a Network of CSP Processes: Using FDR2 to Verify Refinement in the Event of Interface Difference. Technical Report 758, Dept. of Computing Science, University of Newcastle upon Tyne (2002). 
[15] J. Burton, M. Koutny, G. Pappalardo and M. Pietkiewicz-Koutny: Compositional Development in the Event of Interface Difference. In: Concurrency in Dependable Computing, P. Ezhilchelvan and A. Romanovsky (Eds.). Kluwer Academic Publishers (2002) 1-20. 
[16] J. Burton, M. Koutny and G. Pappalardo: Relating Communicating Processes with Different Interfaces. Fundamenta Informaticae 59(1) (2004) 1-37. 
[17] I. Clark: A Unified Approach to the Study of Asynchronous Communication Mechanisms in Real Time Systems. King's College, London University (PhD Thesis) (2000). 
[18] P. Collette and C. B. Jones: Enhancing the Tractability of Rely/Guarantee Specifications in the Development of Interfering Operations. Technical Report CUMCS-95-10-3, Department of Computing Science, Manchester University (1995). 
[19] J. Derrick and E. A. Boiten: Non-atomic refinement in Z. Proc. of FM'99 World Congress on Formal Methods in the Development of Computing Systems, J. M. Wing, J. C. P. Woodcock and J. Davies (Eds.). LNCS 1708 (1999) 1477-1496. 
[20] J. Derrick and E. A. Boiten: Refinement of objects and operations in Object-Z. Proc. of Formal Methods for Open Object-based Distributed Systems IV, S. F. Smith and C. L. Talcott (Eds.). Kluwer Academic Publishers (2000) 257-277. 
[21] J. Dingel: Systematic parallel programming (PhD thesis). Technical Report CMU-CS-99-172, School of Computer Science, Carnegie Mellon University (2000). 
[22] W. de Roever and K. Engelhardt: Data Refinement: Model-Oriented Proof Methods and their Comparison. CUP (1998). 
[23] W. de Roever et al.: Concurrency Verification: Introduction to Compositional and Noncompositional Methods. Cambridge University Press (2001). 
[24] R. Gerth, R. Kuiper and J. Segers: Interface Refinement in Reactive Systems (Extended Abstract). Proc. of CONCUR '92, W. R. Cleaveland (Ed.). LNCS 630 (1992) 77-93. 
[25] R. Gorrieri and A. Rensink: Action Refinement. In: Handbook of Process Algebra, J. A. Bergstra, A. Ponse and S. A. Smolka (Eds.). Elsevier (2001) 1047-1147. 
[26] N. Henderson and S. Paynter: The Formal Classification and Verification of Simpson's 4-Slot Asynchronous Communication Mechanism. Proc. of FME 2002: Formal Methods - Getting IT Right, L-H. Eriksson and P. Lindsay (Eds.). LNCS 2391 (2002) 350-369. 
[27] N. Henderson: Proving the Correctness of Simpson's 4-slot ACM Using an Assertional Rely-Guarantee Proof Method. Technical Report 800, School of Computing Science, University of Newcastle upon Tyne (2003). 
[28] M. C. B. Hennessy: Algebraic Theory of Processes. MIT Press (1988). 
[29] M. Herlihy and J. Wing: Linearizability: a Correctness Condition for Concurrent Objects. ACM Transactions on Programming Languages and Systems 12(3) (1990) 463-492. 
[30] C. A. R. Hoare: Proof of Correctness of Data Representations. Acta Informatica 1 (1972) 271-281. 
[31] C. A. R. Hoare: Communicating Sequential Processes. Prentice Hall (1985). 
[32] W. Janssen, M. Poel and J. Zwiers: Action Systems and Action Refinement in the Development of Parallel Systems - An Algebraic Approach. Proc. of CONCUR '91, J. C. M. Baeten and J. F. Groote (Eds.). LNCS 527 (1991) 298-316. 
[33] C. B. Jones: Systematic Software Development Using VDM. Prentice Hall (1990). 
[34] C. B. Jones: An Object-Based Design Method for Concurrent Programs. Technical Report UMCS-92-12-1, Department of Computer Science, University of Manchester (1992). 
[35] C. B. Jones: Constraining Interference in an Object-Based Design Method. Proc. of TAPSOFT '93: Theory and Practice of Software Development, M-C. Gaudel and J-P. Jouannaud (Eds.). LNCS 668 (1993) 136-150. 
[36] C. B. Jones: Process-Algebraic Foundations for an Object-Based Design Notation. Technical Report UMCS-93-10-1, Department of Computer Science, University of Manchester (1993). 
[37] C. B. Jones: Reasoning about Interference in an Object-Based Design Method. Proc. of FME '93: Industrial Strength Formal Methods, J. Woodcock and P. Larsen (Eds.). LNCS 670 (1993) 1-18. 
[38] B. Jonsson: Compositional Specification and Verification of Distributed Systems. ACM TOPLAS 16 (1994) 259-303. 
[39] M. Koutny, L. Mancini and G. Pappalardo: Two Implementation Relations and the Correctness of Communicating Replicated Processes. Formal Aspects of Computing 9 (1997) 119-148. 
[40] M. Koutny and G. Pappalardo: Behaviour Abstraction for Communicating Sequential Processes. Fundamenta Informaticae 48 (2001) 21-54. 
[41] L. Lamport: Proving the Correctness of Multiprocess Programs. IEEE Transactions on Software Engineering SE-3(2) (1977) 125-143. 
[42] L. Lamport: How to Make a Multiprocessor Computer that Correctly Executes Multiprocess Programs. IEEE Transactions on Computers 28(9) (1979) 690-691. 
[43] L. Lamport: On interprocess communication: Part I - Basic formalism. Distributed Computing 1 (1986) 77-85. 
[44] L. Lamport: On interprocess communication: Part II - Algorithms. Distributed Computing 1 (1986) 86-101. 
[45] K. G. Larsen: A context dependent equivalence between processes. Theoretical Computer Science 49(2) (1987) 185-215. 
[46] R. Lazic: A Semantic Study of Data Independence with Applications to Model Checking. Oxford University Computing Laboratory (PhD Thesis) (1999). 
[47] N. A. Lynch and M. R. Tuttle: Hierarchical Correctness Proofs for Distributed Algorithms. Proc. of 6th ACM Symposium on Principles of Distributed Computing, ACM (1987) 137-151. 
[48] N. Lynch, M. Merritt, W. Weihl and A. Fekete: Atomic Transactions. Morgan Kaufmann (1994). 
[49] L. V. Mancini and G. Pappalardo: Towards a Theory of Replicated Processing. Proc. of Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, M. Joseph (Ed.). LNCS 331 (1988) 175-192. 
[50] R. Milner: Communication and Concurrency. Prentice Hall (1989). 
[51] R. Milner and D. Sangiorgi: Barbed Bisimulation. Proc. of 19th International Colloquium on Automata, Languages and Programming (ICALP '92), W. Kuich (Ed.). LNCS 623 (1992) 685-695. 
[52] J. Parrow and P. Sjoedin: Multiway Synchronization Verified with Coupled Simulation. Proc. of CONCUR '92, W. R. Cleaveland (Ed.). LNCS 630 (1992) 518-533. 
[53] J. Parrow and P. Sjoedin: The Complete Axiomatization of Cs-Congruence. Proc. of 11th Annual Symposium on Theoretical Aspects of Computer Science, STACS '94, R. Enjalbert, E. Mayr and K. Wagner (Eds.). LNCS 775 (1994) 557-568. 
[54] S. E. Paynter, N. Henderson and J. M. Armstrong: Ramifications of Metastability in Bit Variables Explored Via Simpson's 4-Slot Mechanism. Technical Report 789, School of Computing Science, University of Newcastle upon Tyne (2003). 
[55] W. Reisig: Petri Nets: an Introduction. EATCS Monographs on Theoretical Computer Science (1985). 
BIBLIOGRAPHY 309 
[56] A. Rensink: Action Contraction. Proc. of CONCUR 2000 - Concur-
rency Theory, C. Palamidessi(Ed.). LNCS 1877 (2000) 290-304. 
[57] A. Rensink and R. Gorrieri: Action refinement as an implementation re-
lation. Proc. of TAPSOFT '97: Theory and Practice of Software Devel-
opment, M. Bidoit and M. Dauchet(Eds.). LNCS 1214 (1997) 772-786. 
[58] A. Rensink and R. Gorrieri: Vertical Bisimulation. Technical Report 
Hildesheimer Informatik-Bericht 9/98, University of Hildesheim (1998). 
[59] A. Rensink and R. Gorrieri: Vertical Implementation. Information and 
Computation 170 (2001) 95-133. 
[60] A. Rensink and H. Wehrheim: Dependency-based Action Refinement. 
Proc. of Mathematical Foundations of Computer Science 1997, I. Privara 
and P. Ruzicka (Eds.). LNCS 1295 (1997) 468-477. 
[61] A. W. Roscoe: Model-Checking CSP. In: A Classical Mind, Essays in 
Honour of C.A.R. Hoare. Prentice-Hall (1994) 353-378. 
[62] A. W. Roscoe, P. H. B. Gardiner, M. H. Goldsmith, J. R. Hulance, D. M. 
Jackson and J. B. Scattergood: Hierarchical Compression for ~odel­
checking CSP, or How to Check 1020 Dining Philosophers for Deadlock. 
Proc. of Workshop on Tools and Algorithms for The Construction and 
Analysis of Systems, TACAS, U. H. Engberg, K. G. Larsen and A. Skou 
(Eds.). BRICS Notes Series NS-95-2 (1995) 187-200. 
[63] A. W. Roscoe: The Theory and Practice of Concurrency. Prentice-Hall 
(1998). 
[64] FDR2 User Manual: Available at: 
http:// www .formal. demon. co. uk / fdr2manual 
[65] J. Rushby: Model Checking Simpson's Four-Slot Fully Asynchronous 
Communication Mechanism. Technical Report, Computer Science Lab-
oratory, SRI International (2002). 
[66] 
[67] 
[68] 
D. Sangiorgi: Typed 7r-calculus at work: a correctness proof of Jones's 
parallelisation transformation on concurrent objects. Theory and Prac-
tice of Object-Oriented Systems 5(1) (1999) 25-33. 
D. Sangiorgi and D. Walker: The 7r-calculus: a Theory of Mobile Pro-
cesses. Cambridge University Press (2001). 
H. R. Simpson: Four-slot Fully Asynchronous Communication ~echa­
nism. lEE Proceedings 137, Pt E(l) (January 1990) 17-30. 
BIBLIOGRAPHY 310 
[69] H. R. Simpson: Correctness Analysis for Class of Asynchronous Com-
munication Mechanisms. lEE Proceedings 139, Pt E(l) (January 1992) 
35-49. 
[70] J. M. Spivey: The Z Notation: A Reference Manual. Prentice-Hall 
(1992). 
[71] H. Wehrheim: Parametric Action Refinement. Proc. of Programming 
Concepts, Methods and Calculi - PROCOMET 'g4, E. -R. Olderog(Ed.). 
IFIP Transactions A-56, North Holland (1994) 247-266. 
Index 
alphabet 
  channel, 15 
  process, 30, 55, 85, 124 
atomic, 153 
channels, 15, 43 
choice 
  deterministic, 16 
  non-deterministic, 16 
communication capability, 86 
component implementation process, 48 
component specification process, 48 
context, 32 
  practice, 84 
  theory, 47 
correctness-in-context, 6, 8 
data type, 15, 43 
deadlock, 14 
deadlock-free, 22 
denotational semantics, 13 
determinism, 35 
DIY, 16, 44 
divergence, 17 
divergences, 13 
environment, 32 
extraction pattern, 80 
  failures divergences model, 101 
  stable failures model, 92 
  traces model, 81 
failures, 14 
failures divergences model, 23 
FDR2, 10, 13, 42 
finally invisible, 9 
finally visible, 9 
finite non-determinism, 17 
formal verification, 1 
guarded, 27 
hiding, 16 
implementation network, 48 
implementation process, 48 
  practice, 84 
  theory, 55 
interleaving, 16 
labelled transition system, 17 
liveness, 13 
machine-readable CSP, 42 
maximal (failures), 34 
minimally-divergent traces, 30 
network composition, 17 
parallel composition, 16 
pre-congruence, 6 
prefix operator, 16 
process algebra, 2, 13 
recursion 
  semantics, 26 
  syntax, 16 
refinement, 26 
refinement-after-hiding, 9 
refines-after-hiding, 47 
refusal-maximal, 34 
reification, 2 
  behaviour decomposition, 3 
  data reification, 2 
  relaxation of atomicity, 3 
rely-guarantee, 6 
renaming, 16 
safety, 13 
specification network, 48 
stable failures model, 22 
STOP, 16 
subset-closed (failures), 22 
traces, 13 
traces model, 20 
