An Input/Output Semantics for Distributed Program Equivalence Reasoning
Miquel Bertran (1), Francesc-Xavier Babot (2), August Climent (3)
Informatica La Salle, Universitat Ramon Llull, Barcelona
Abstract
A new notion of input/output equivalence of distributed imperative programs, with synchronous communications, is introduced. It preserves the input/output relation, encompassing both initial/final state and communication channel values. For its mathematical justification, the semantic framework of Manna and Pnueli, based on finite transition systems and reduced behaviors, is extended with the notion of input/output behavior. A set of laws for the equivalence is overviewed. A deduction rule for the substitution of references to input/output equivalent procedures is defined and justified in the new semantics. The rule is applied to decompose distributed program simplification proofs, introduced in a prior work, which use the laws to establish the equivalence between a sequential and a parallel communicating program. They include communication elimination as one of their steps. An outline of one such proof, for a pipelined processor model, is included.
Keywords: Distributed programs, parallel programs, input/output equivalence, equivalence preserving transformations, verification, program simplification, synchronous communications, laws of distributed programs.
1 Introduction
Imperative languages with explicit parallelism and communication statements provide an intuitive, explicit, and complete framework to express distributed and concurrent programs and system models, with the clarity required for verification. OCCAM [11,12,13], the simple programming language, SPL, of Manna and Pnueli [15,16], PROMELA of the SPIN model checker [10], and
(1) Email: miqbe@salleURL.edu
(2) Email: fbabot@salleURL.edu
(3) Email: augc@salleURL.edu
Electronic Notes in Theoretical Computer Science 137 (2005) 25–46
1571-0661 © 2005 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.01.038
Open access under CC BY-NC-ND license. 
the shared-variable language++, SVL++, in [7] are representatives of these imperative notations.
Equivalence reasoning is heavily used for numbers, matrices, and other fields. However, for imperative programs, although it has the potential to be a very intuitive verification activity, it has not been explored in concurrency and distribution. Simplification via internal communication elimination [2] is an equivalence proof that, since it decreases the size of the state vector, could complement other proof methods, such as model checking [10,17,5] and interactive verification [3,14]. It is based on the application of a set of laws, suitable for that purpose, as reductions to a program. The laws depend on the notion of equivalence and on the fairness assumptions [15].
A set of laws for OCCAM was given in [18]. Rather than simplification via communication elimination, the focus there was to obtain normal forms and to define the semantics of the notation. Some laws for SPL are given in [15], with an SPL semantics based on fair transition systems (FTS), but communication elimination laws are not given there. In the framework of SVL++, some laws are given in [7] but they do not suffice for communication elimination.
The first set of relations suitable for communication elimination was given and proved sound in [2], showing the necessity of avoiding strong fairness. A communication elimination proof of a distributed fast Fourier transform was outlined there as well. In this earlier work, the notion of equivalence was assimilated to congruence, a very strong equivalence. This had the drawback of limiting the formulation of most communication elimination laws to unidirectional refinements. Clearly, the need for a weaker equivalence, in which all laws could be formulated, avoiding the asymmetry of refinement relations, was outstanding.
This paper introduces a notion of equivalence, input/output equivalence, weaker than congruence, but strong enough to preserve the input/output relation of the programs and to lead to laws for communication elimination. It is justified in a semantics which extends the Manna-Pnueli framework, the main contribution of the paper, where each statement denotes a set of input/output behaviors. These extend the notion of reduced behavior given in [15]. In order to capture the complete input/output relation, the former adds to the latter a recording of the values traversing synchronous channels, in addition to the usual data state variables. This reflects the fact that values may be input or output via channels, as well as via proper variables. In this context, the grounding work with streams introduced in [4] is related, but in our concrete imperative program context we needed a new model where both channel and variable values are taken into account. The work on compatibility of components [6] is also related.
An important ingredient of equivalence reasoning is the substitution of procedure reference statements of two equivalent procedures. It would allow proof decomposition. Conditions for the validity of such substitutions are also given and their justification outlined. This establishes the necessary base theory for formal input/output equivalence reasoning with distributed programs.
The paper is organized as follows. After a section on the notation, including modular procedures, and some notions needed later in the paper, the concept of input/output behavior is introduced. Composition rules to obtain io-behaviors of sequential, parallel and selection compositions are detailed, in preparation for the justification of the substitution rule. Input/output equivalence of procedures is covered next, with the substitution rule and its justification. These sections contain the main contributions of the paper. A summary of the laws and of distributed program simplification proofs follows, together with their application to a pipelined processor model. This is an overview without proofs, for illustrative purposes only. A brief section on conclusions and further work ends the paper.
2 Programming Notation
2.1 Syntax of the Basic Notation
Programs will be written in a reduced version of SPL, which is general enough to express any practical program. Its syntax is presented now. The basic statements are Skip, Nil, Stop, the assignment u := e, send α ⇐ e, and receive α ⇒ u. We limit our work to synchronous channels α, which will be referred to as channels. In them both the sender and the receiver wait for each other before exchanging a value and continuing execution. Communication statements will be referred to more simply as communications. The skip statement involves a transition in the underlying fair transition system, but without any effect on the data variables. The nil statement makes its pre and post control locations equivalent, involving no transition. The stop statement has neither the transition nor the label equivalence relation. Both channels and variables are declared globally before their usage. The rest of the notation is defined recursively.
Concatenation is n-ary: [S1; · · · ; Sn]. The iterations are [while c do S], where c is a boolean expression, and [loop forever do S], which is defined as [while true do S]. The cooperation statement is also n-ary: [S1 || · · · || Sn]. Its substatements Sj are the top parallel statements of the cooperation statement, which is the minimal common ancestor of them. It will be assumed throughout the paper that the Sj's are disjoint, in the sense that they only share read variables, and that they communicate values through synchronous channels only. The regular selection and the communication selection statements are non-deterministic and have, respectively, the forms [b1, S1 or · · · or bn, Sn] and [b1, c1, S1 or · · · or bn, cn, Sn], where the bi's are boolean expressions referred to as boolean guards, and the ci's are synchronous communication statements referred to as communication guards.
2.2 Modular Procedures
This notion was introduced in [2], combining the notions of SPL module [15,8] and procedure. As modules, modular procedures can be composed in parallel, but they may also be invoked by procedure reference statements, which make explicit the names of all the interface channels and variables. Common variables are prohibited. The notation r ::= P(p) will be used for a procedure reference, where r and p stand for the result and parameter lists of the interface, and P is the procedure name. Modular procedures will be referred to more simply as procedures. An example procedure is given below. Its procedure reference stands at the left, and the procedure body at the right.
(r, cr) ::= Pc(p, cp) ::
  [ out r : integer
    out cr : channel of integer
    external in p : integer
    external in cp : channel of integer
    local a1, a2 : integer
    local c : channel of integer
    [ cp ⇒ a1; a1 := a1 + p; c ⇐ a1; skip ] || [ cp ⇒ a2; c ⇒ r; a2 := r + a2; cr ⇐ a2 ]
  ]
Notice that r and p are variables whereas cr and cp are channels. r and cr are the results, and p and cp are the parameters of the procedure. The exact meaning of modes out and external in is not important here, since processes are disjoint and communication is point to point and half-duplex. The declaration at the head of a procedure body will often be omitted in this work. No common variables or channels are allowed.
Semantics of the reference statement. It is unchanged by the replacement of the reference with the procedure body, with a renaming of variables and channels when necessary. It has to be consistent with the reverse operation of encapsulation of a part of a program within a procedure.
The set O of observed variables of a procedure. It contains all proper variables in the interface, and an auxiliary channel variable for each channel in the interface. The set O is also referred to as the interface set.
A channel variable records, as a triplet, the value passed at a communication event, a count reflecting the order of the channel event, and an input/output mark (i, o). When the event is internal, a dot replaces the input/output mark. For the above procedure, this set is O : {r, p, cr, cp}, where cr and cp are the auxiliary variables associated to the channels.
2.3 Basic Notions for the Semantics
The semantics of the specific SPL variant which we use follows the style of Manna and Pnueli, based on fair transition systems (FTS) [15,16]. In the following, some of its elements are summarized. A full account is in [2].
A computation is a sequence of states starting at an initial state, with a transition taking any state to its successor. A reduced behavior, with respect to a set O of observed variables, is a computation from which both the components of variables outside the observed set and the stuttering steps (i.e. idling transitions) are deleted. The set O contains only proper variables. Transitions correspond to atomic actions, which are associated to statements. A program context P[ ] is a program P one of whose statements is a hole to be filled in with an arbitrary statement S. With some abuse of notation, P[S] will denote a program context where S is the arbitrary statement placed in the hole. Some laws are congruence relations between statements. Statement S1 refines S2, written S1 ⊑O S2, when for any program context P[·], any reduced behavior of P[S1] is also a reduced behavior of P[S2]. S1 is congruent to S2, written S1 ≈O S2, when S1 ⊑O S2 and S2 ⊑O S1. These relations are defined with respect to a set O of observed variables.
Some extended notions, needed in the paper, are introduced next. An input/output computation (io-computation) records the value histories of both the variables and the channels of the procedure body during an execution. It has a row for each value change and a column for each variable or channel. An io-computation adds to a computation a column for each channel. Whereas a computation is a sequence of states only, an io-computation is a sequence of states where the values crossing channels are also recorded. Groups of computations will be represented as schemas, which have value variables. Computations have just values (integers, booleans, etc.). A triplet (value, count, i/o indication) is associated to each new value of a channel variable. The following is an io-computation schema of the procedure above.
     statement          | r        | p  | cr                    | cp         | a1       | a2             | c
0    initial            | x        | p1 | xT                    | xT         | x        | x              | xT
1    cp ⇒ a1            | x        | p1 | xT                    | cp1, 1, i  | cp1      | x              | xT
2    cp ⇒ a2            | x        | p1 | xT                    | cp2, 2, i  | cp1      | cp2            | xT
3    a1 := a1 + p       | x        | p1 | xT                    | cp2, 2, i  | cp1 + p1 | cp2            | xT
4    c ⇐ a1 || c ⇒ r    | cp1 + p1 | p1 | xT                    | cp2, 2, i  | cp1 + p1 | cp2            | cp1 + p1, 1, ·
5    a2 := r + a2       | cp1 + p1 | p1 | xT                    | cp2, 2, i  | cp1 + p1 | cp1 + p1 + cp2 | cp1 + p1, 1, ·
6    cr ⇐ a2            | cp1 + p1 | p1 | cp1 + p1 + cp2, 1, o  | cp2, 2, i  | cp1 + p1 | cp1 + p1 + cp2 | cp1 + p1, 1, ·
x denotes any value and xT any triplet. p1, cp1, cp2, etc. are value variables, whereas a1, a2, r, and p are program variables. cp, cr, and c are auxiliary channel variables. Giving integer values to p1, cp1, and cp2, specific io-computations would be obtained. Leaving aside the initial row, each row corresponds to the state resulting from the transition of the statement in the second column. The transition of row 4 is the joint transition of the synchronous communication over channel c. All computations are of infinite length. Thus the last row corresponds to a terminal state, repeating itself implicitly by idle transition firings. A computation schema could be obtained by deleting the cr, cp, c, and the two left columns, and then deleting, as in [15], any row which equals its predecessor but not all of its successors.
3 Input/Output Behaviors
3.1 Basic Notions
An input/output behavior is a procedure execution trace seen from its outside.
Definition 3.1 (Input/Output behavior of a procedure) An input/output behavior of a procedure, also referred to as io-behavior, is the result of deleting from an io-computation all columns of variables not belonging to O, and then deleting any row which equals its predecessor but not all of its successors.
The condition in the last deletion is necessary since the infinite implicit repetitions of the last row should not be deleted. Due to the event counters, consecutive events are not deleted when their values are equal. This should be so since they may correspond to two inputs of the procedure function. Thus all channel events are represented in an io-behavior by at least one row.
An io-behavior has one row for each value change of a result variable v ∈ O. A parameter variable never changes its value, unless it is also a result. Input and output channel variables exhibit value changes. The following io-behavior schema results from the io-computation schema above.
     r        | p  | cr                    | cp
0    x        | p1 | xT                    | xT
1    x        | p1 | xT                    | cp1, 1, i
2    x        | p1 | xT                    | cp2, 2, i
4    cp1 + p1 | p1 | xT                    | cp2, 2, i
6    cp1 + p1 | p1 | cp1 + p1 + cp2, 1, o  | cp2, 2, i
Rows 3 and 5 have been deleted since they are equal to their predecessors 2 and 4 respectively. Suppose now that cp1 = cp2; then row 2 would not be deleted, due to the new value, 2, of the counter field of the cp column.
Definition 3.2 (Component of an io-behavior) An io-behavior component is the list of values, a column, corresponding to a variable of O, but with any value in the list which equals its predecessor but not all of its successors deleted. There are both proper and channel variable components.
Definition 3.3 (Equivalence of io-behaviors) Two io-behaviors are equivalent when they share the same interface set, and the two components of the same variable in both are equal.
The order of value changes among different components is lost in io-behaviors, but not the order of changes within the same component. Equivalence only requires equality of homologous component lists.
3.2 Composition of io-behaviors
This subsection introduces operations between io-behaviors, needed later for the justification of the substitution rules.
3.2.1 Sequential composition
The io-behaviors of a sequential composition are formed by post-coupling an io-behavior of its second statement to an io-behavior of the first. In the binary composition [r1 := P1(p1)]; [r2 := P2(p2)], in general O1 ≠ O2, and O1 ∩ O2 may or may not be empty. Given schema b1 of P1, the schema b2 of P2 depends on the values of the last row of b1. The schema b1;2 of P1; P2 corresponding to b1 and b2 has as many components as variables in O1 ∪ O2. It is formed by post-coupling b2 after b1. Informally, the components of b2 go after the ones of b1, but certain values of the first row of b2 have to equal their homologous ones in the last row of b1. More specifically, the post-coupling is done as follows:
(i) Proper variable components. Cases:
(a) v ∈ O1 ∩ O2: b2 has to be such that the values of the first positions (initial row) of the components of such v's equal the last value of their homologous components of b1. Such a b2 can always be found, since corresponding values share the same type, when v is a parameter of P2, and undefined values (x) can be changed to any value, when v is a result of P2.
(b) v ∉ O1 ∩ O2 and v ∈ O1: The last values of such v components of b1 are propagated into the future, over the b2 selected as in (a).
(c) v ∉ O1 ∩ O2 and v ∈ O2: The first values of such v components of the b2 above are propagated into the past, over b1.
(ii) Channel variable components. Cases:
(a) c ∈ O1 ∩ O2: Any undefined initial triplets of such c components of b2 are set equal to the last triplets of their homologous components of b1. The counts of the rest of the triplets are increased accordingly.
(b) c ∉ O1 ∩ O2 and c ∈ O1: The last triplets of such c components of b1 are repeated into the b2 portion, in other words into the future.
(c) c ∉ O1 ∩ O2 and c ∈ O2: The b1 portions of such c components are filled in with undefined triplets.
Example 3.4 In the composition [cr1, r := P1(cp1, p)]; [cr2, p := P2(cp2, r)], a result variable r of the first is a parameter of the second, and a parameter p of the first is a result of the second. The respective interface sets are O1 : {cr1, r, cp1, p} and O2 : {cr2, p, cp2, r}. No channel is shared. In addition, O1 ∩ O2 = {r, p} and we assume that O : O1 ∪ O2 : {cr1, r, cp1, p, cr2, cp2}. The following schemas, where the vij's are program variables, are meant to be the io-behaviors b1 of P1, b2 of P2, and their post-coupling b1; b2.
b1
     statement   | cr1       | r   | cp1       | p
0    initial     | xT        | x   | xT        | x2
1    cp1 ⇒ v11   | xT        | x   | x3, 1, i  | x2
2    cr1 ⇐ v21   | x4, 1, o  | x   | x3, 1, i  | x2
3    r := v31    | x4, 1, o  | x5  | x3, 1, i  | x2
b2
     statement   | cr2       | p   | cp2       | r
0    initial     | xT        | x   | xT        | y2
1    p := v12    | xT        | y3  | xT        | y2
2    cp2 ⇒ v22   | xT        | y3  | y4, 1, i  | y2
3    cr2 ⇐ v32   | y5, 1, o  | y3  | y4, 1, i  | y2
b1;b2
     statement           | cr1       | r           | cp1       | p           | cr2       | cp2
0    initial             | xT        | x           | xT        | x2          | xT        | xT
1    cp1 ⇒ v11           | xT        | x           | x3, 1, i  | x2          | xT        | xT
2    cr1 ⇐ v21           | x4, 1, o  | x           | x3, 1, i  | x2          | xT        | xT
3    r := v31; initial   | x4, 1, o  | (y2 :=) x5  | x3, 1, i  | (x :=) x2   | xT        | xT
4    p := v12            | x4, 1, o  | x5          | x3, 1, i  | y3          | xT        | xT
5    cp2 ⇒ v22           | x4, 1, o  | x5          | x3, 1, i  | y3          | xT        | y4, 1, i
6    cr2 ⇐ v32           | x4, 1, o  | x5          | x3, 1, i  | y3          | y5, 1, o  | y4, 1, i
Within b1; b2, the y2 of b2 becomes x5, and the x of b2 is coerced to x2.
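The post-coupling rules (i)(a)-(c) and (ii)(a)-(c) above, carried out mechanically on Example 3.4, as an added Python example that is not part of the paper. It assumes a finite list of rows whose last row stands for the terminal state, encodes the schema's value variables as strings and the undefined values x and xT as the constants X and XT, and takes the set of channel variables as an explicit argument; all function names are this example's own.

```python
# Added example, not the paper's own code: the post-coupling construction of
# Section 3.2.1, rules (i)(a-c) and (ii)(a-c), checked against Example 3.4.
from typing import Any, Dict, List, Sequence, Set

X, XT = "x", "xT"      # undefined proper-variable value / undefined channel triplet
Row = Dict[str, Any]   # a row: variable -> value, or (value, count, mark) for channels


def prune_rows(rows: Sequence[Row]) -> List[Row]:
    """Delete rows equal to their predecessor (the last row stands for the terminal state)."""
    return [row for i, row in enumerate(rows) if i == 0 or row != rows[i - 1]]


def post_couple(b1: Sequence[Row], o1: Sequence[str], b2: Sequence[Row],
                o2: Sequence[str], channels: Set[str]) -> List[Row]:
    """Schema b1;2 of P1; P2 from an io-behavior b1 over O1 and b2 over O2."""
    shared = set(o1) & set(o2)
    last1, first2 = b1[-1], b2[0]
    cols2 = {v: [row[v] for row in b2] for v in o2}   # components of b2, to be adjusted
    for v in shared:
        if v in channels:
            # (ii-a): undefined initial triplets of b2 take b1's last triplet, and the
            # counts of the remaining triplets are shifted by that triplet's count.
            last = last1[v]
            offset = 0 if last == XT else last[1]
            cols2[v] = [last if t == XT else (t[0], t[1] + offset, t[2]) for t in cols2[v]]
        elif first2[v] == X:
            # (i-a), v a result of P2: its leading undefined values become b1's last value.
            col = cols2[v]
            k = next((i for i, val in enumerate(col) if val != X), len(col))
            cols2[v] = [last1[v]] * k + col[k:]
        elif isinstance(first2[v], str):
            # (i-a), v a parameter of P2 in a schema: rename its value variable (y2 := x5).
            cols2[v] = [last1[v] if val == first2[v] else val for val in cols2[v]]
        elif first2[v] != last1[v]:
            raise ValueError(f"no b2 with initial {v} = {last1[v]!r}")
    rows: List[Row] = []
    for row in b1:                                   # the b1 portion
        new = dict(row)
        for v in set(o2) - shared:                   # (i-c)/(ii-c): propagate into the past
            new[v] = XT if v in channels else cols2[v][0]
        rows.append(new)
    for i in range(len(b2)):                         # the b2 portion
        new = {v: cols2[v][i] for v in o2}
        for v in set(o1) - shared:                   # (i-b)/(ii-b): propagate into the future
            new[v] = last1[v]
        rows.append(new)
    return prune_rows(rows)                          # merges b1's last and b2's first row


def example_3_4() -> List[Row]:
    """b1 of P1 and b2 of P2 as in Example 3.4, and their post-coupling b1; b2."""
    o1, o2 = ["cr1", "r", "cp1", "p"], ["cr2", "p", "cp2", "r"]
    b1 = [
        {"cr1": XT, "r": X, "cp1": XT, "p": "x2"},                             # 0 initial
        {"cr1": XT, "r": X, "cp1": ("x3", 1, "i"), "p": "x2"},                 # 1 cp1 ⇒ v11
        {"cr1": ("x4", 1, "o"), "r": X, "cp1": ("x3", 1, "i"), "p": "x2"},     # 2 cr1 ⇐ v21
        {"cr1": ("x4", 1, "o"), "r": "x5", "cp1": ("x3", 1, "i"), "p": "x2"},  # 3 r := v31
    ]
    b2 = [
        {"cr2": XT, "p": X, "cp2": XT, "r": "y2"},                             # 0 initial
        {"cr2": XT, "p": "y3", "cp2": XT, "r": "y2"},                          # 1 p := v12
        {"cr2": XT, "p": "y3", "cp2": ("y4", 1, "i"), "r": "y2"},              # 2 cp2 ⇒ v22
        {"cr2": ("y5", 1, "o"), "p": "y3", "cp2": ("y4", 1, "i"), "r": "y2"},  # 3 cr2 ⇐ v32
    ]
    return post_couple(b1, o1, b2, o2, channels={"cr1", "cp1", "cr2", "cp2"})


if __name__ == "__main__":
    for row in example_3_4():   # the seven rows of the b1;b2 table of Example 3.4
        print(row)
```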
3.2.2 Parallel Composition
The io-behaviors of parallel compositions are formed by side-coupling io-behaviors of their component statements. In the following parallel composition [r1 := P1(p1)] || [r2 := P2(p2)], in general O1 ≠ O2 and O1 ∩ O2 may or may not be empty. Given schemas b1 of P1 and b2 of P2, the io-behavior schema b1||2 of P1 || P2 corresponding to b1 and b2 has as many components as variables in P : (O1 ∪ O2) − OI, where OI ⊆ (O1 ∪ O2) is the set of proper and channel variables declared as internal, non-observable, in the composition. Channels in OI give rise to internal communication events. We assume disjointness of P1 and P2 and deadlock-freeness of their parallel composition. In this work, deadlock-freeness of P means internal deadlock-freeness, disregarding interaction with any environment where P may be embedded.
The io-behavior b1||2, resulting from side-coupling, is constructed as follows:
(i) Selection of matching behaviors. Since P1 and P2 are disjoint, the selection of b1 and b2, the io-behaviors of P1 and P2 respectively, is determined by the internal channels. They are chosen so that the value components of the two triplets, one in each io-behavior, giving rise to each internal communication event are equal. This will always be possible since we assume deadlock-freeness, which in our context means that any internal communication in P1 has a matching communication in P2, and vice versa. Furthermore, under this assumption, the counts of corresponding triplets can also be made equal, and one of them will have an i mark and the other one an o mark, but not necessarily always on the same side (io-behavior). We say that such corresponding triplets are matching.
(ii) Construction of the intermediate form b̄1||2.
(a) Its number of components equals the number of variables in O1 ∪ O2.
(b) Its rows are separated into sublists by its internal communication event rows, constructed first as follows: their variable components are filled in with the values of the corresponding variables of the matching rows of the two io-behaviors, with the exception of the internal communication event triplet, constructed with the value and the count of the two matching triplets. A dot will be placed in its third component, replacing the i and the o. This assumes deadlock freeness.
(c) The rows of the sublists of b1 and b2, separated by communication event rows, are interleaved in b̄1||2. Any interleaving is possible.
(iii) b1||2 is constructed by deleting the components of b̄1||2 not in P, and any row of the result which equals its predecessor but not all of its successors.
Example 3.5 Consider the composition [r1, cr1 := S(p1, cp1)] || [r2, cp1 := A(p2, cr1)] of two disjoint processes, with set of internal channels OI : {cr1, cp1}. The interface sets of S and A are OS : {r1, cr1, p1, cp1} and OA : {r2, cp1, p2, cr1}. Assume that the interface set of the composition is P : (OS ∪ OA) − OI : {r1, p1, r2, p2}. The following schemas correspond to the io-behaviors bs of S, ba of A, and to their side-coupling intermediate form b̄s||a.
bs
     statement   | r1  | p1  | cr1       | cp1
0    initial     | x   | x2  | xT        | xT
1    cr1 ⇐ v21   | x   | x2  | x3, 1, o  | xT
2    cp1 ⇒ v11   | x   | x2  | x3, 1, o  | x4, 1, i
3    r1 := v31   | x5  | x2  | x3, 1, o  | x4, 1, i
ba
     statement   | cr1       | cp1       | r2  | p2
0    initial     | xT        | xT        | x   | y2
1    r2 := v12   | xT        | xT        | y3  | y2
2    cr1 ⇒ v22   | y4, 1, i  | xT        | y3  | y2
3    cp1 ⇐ v32   | y4, 1, i  | y5, 1, o  | y3  | y2
b̄s||a
     statement                | r1  | p1  | cr1               | cp1               | r2  | p2
0    initial                  | x   | x2  | xT                | xT                | x   | y2
1    r2 := v12                | x   | x2  | xT                | xT                | y3  | y2
2    cr1 ⇐ v21 || cr1 ⇒ v22   | x   | x2  | (y4 :=) x3, 1, ·  | xT                | y3  | y2
3    cp1 ⇒ v11 || cp1 ⇐ v32   | x   | x2  | x3, 1, ·          | (y5 :=) x4, 1, ·  | y3  | y2
4    r1 := v31                | x5  | x2  | x3, 1, ·          | x4, 1, ·          | y3  | y2
The rows of matching internal communications, over channels cr1 and cp1, and of internal communication events have been isolated.
3.3 Selection Composition
For the selection composition [b1, c1; [r1 := P1(p1)] or · · · or bn, cn; [rn := Pn(pn)]], the set of io-behaviors is the union of the io-behaviors contributed by each of its alternatives Ak. Each of them contributes the subset of the io-behaviors of [ck; [rk := Pk(pk)]] whose first row satisfies boolean condition bk.
Let Ok be the interface set of procedure Pk. Then the interface set OAk of alternative Ak is given by Ok ∪ var(ck) ∪ chan(ck) ∪ var(bk), where var(e) is the set of variables of expression e, and chan(c) is the singleton set containing the channel variable of c. The interface set of the above selection may be any set P such that P ⊆ ⋃_{k=1}^{n} OAk. All this is consistent with non-determinism.
4 Input/Output Equivalence
4.1 The Notion
Definition 4.1 (Io-equivalent procedures) Two procedures P1 and P2 are io-equivalent with respect to their interface set O, written P1 =O P2, when any io-behavior of either of them is equivalent to an io-behavior of the other.
Io-equivalence is weaker than congruence. Congruent procedures are always equivalent but not vice versa. The relative order of value changes in distinct components is neglected in io-equivalence. Therefore, substitution of a reference to a procedure by a reference to another procedure, io-equivalent to the first, may introduce deadlock. Consider the two procedures
(r1, r2) ::= P1(cp1, cp2) :: [ cp1 ⇒ r1; cp2 ⇒ r2 ]
(r1, r2) ::= P2(cp1, cp2) :: [ cp2 ⇒ r2; cp1 ⇒ r1 ]
with the same interface set O. Now P1 ≉O P2, since if P1 is parallel to a process which always offers an output via channel cp1 before offering another output via cp2 within a program, and we replace P1 by P2 in that program, deadlock is introduced. However, P1 =O P2.
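Definitions 3.1 to 3.3 (projection onto O, row deletion, components and equivalence of io-behaviors) applied to the io-computation schema of Pc from Section 2.3 and to the pair P1, P2 just above, as an added Python example that is not part of the paper. It assumes a finite list of rows whose last row stands for the terminal state, encodes schema value variables as strings (so that cp1 + p1 is the string "cp1+p1") and the undefined values x and xT as the constants X and XT, and uses function names of its own.

```python
# Added example, not the paper's own code: io-behaviors (Defs. 3.1-3.3) and the
# io-equivalence test of Sec. 4.1 over io-computation schemas encoded as Python data.
from typing import Any, Dict, List, Sequence

X = "x"    # undefined proper-variable value (the paper's x)
XT = "xT"  # undefined channel triplet (the paper's xT)

Row = Dict[str, Any]  # one state: variable -> value, or (value, count, mark) for a channel


def step(prev: Row, **changes: Any) -> Row:
    """Successor state: copy the previous row and apply the statement's effect."""
    row = dict(prev)
    row.update(changes)
    return row


def plus(*terms: Any) -> Any:
    """Sum of schema terms: numeric when all are numbers, symbolic ("cp1+p1") otherwise."""
    if all(isinstance(t, int) for t in terms):
        return sum(terms)
    return "+".join(str(t) for t in terms)


def prune_rows(rows: Sequence[Row]) -> List[Row]:
    """Delete every row equal to its predecessor.

    The finite list ends in the terminal state, whose infinite implicit repetition is
    represented by its first occurrence, so on this representation the rule coincides
    with the paper's "delete any row which equals its predecessor but not all of its
    successors". Channel triplets carry an event count, so two equal values received
    one after the other still differ and both rows are kept."""
    return [row for i, row in enumerate(rows) if i == 0 or row != rows[i - 1]]


def io_behavior(io_computation: Sequence[Row], observed: Sequence[str]) -> List[Row]:
    """Definition 3.1: project the io-computation onto the interface set O, then prune."""
    return prune_rows([{v: row[v] for v in observed} for row in io_computation])


def components(behavior: Sequence[Row]) -> Dict[str, List[Any]]:
    """Definition 3.2: one pruned value list (column) per variable of O."""
    return {v: [r[v] for r in prune_rows([{v: row[v]} for row in behavior])]
            for v in behavior[0]}


def io_equivalent(b1: Sequence[Row], b2: Sequence[Row]) -> bool:
    """Definition 3.3: same interface set and equal homologous components."""
    return set(b1[0]) == set(b2[0]) and components(b1) == components(b2)


# --- Procedure Pc of Sections 2.2 and 2.3 ---------------------------------------
PC_INTERFACE = ["r", "p", "cr", "cp"]  # O of Pc; a1, a2 and c are local


def pc_io_computation(p1: Any, cp1: Any, cp2: Any) -> List[Row]:
    """The io-computation schema of Pc; pass symbols ("p1", ...) or integers."""
    r0 = {"r": X, "p": p1, "cr": XT, "cp": XT, "a1": X, "a2": X, "c": XT}  # 0 initial
    r1 = step(r0, cp=(cp1, 1, "i"), a1=cp1)                                  # 1 cp ⇒ a1
    r2 = step(r1, cp=(cp2, 2, "i"), a2=cp2)                                  # 2 cp ⇒ a2
    r3 = step(r2, a1=plus(cp1, p1))                                          # 3 a1 := a1 + p
    r4 = step(r3, c=(plus(cp1, p1), 1, "."), r=plus(cp1, p1))                # 4 c ⇐ a1 || c ⇒ r
    r5 = step(r4, a2=plus(plus(cp1, p1), cp2))                               # 5 a2 := r + a2
    r6 = step(r5, cr=(plus(plus(cp1, p1), cp2), 1, "o"))                     # 6 cr ⇐ a2
    return [r0, r1, r2, r3, r4, r5, r6]


# --- Procedures P1 and P2 of Section 4.1 ----------------------------------------
P12_INTERFACE = ["r1", "r2", "cp1", "cp2"]


def p1_io_computation(v1: Any, v2: Any) -> List[Row]:
    """P1 :: [cp1 ⇒ r1; cp2 ⇒ r2], receiving v1 over cp1 and then v2 over cp2."""
    r0 = {"r1": X, "r2": X, "cp1": XT, "cp2": XT}
    r1 = step(r0, cp1=(v1, 1, "i"), r1=v1)
    r2 = step(r1, cp2=(v2, 1, "i"), r2=v2)
    return [r0, r1, r2]


def p2_io_computation(v1: Any, v2: Any) -> List[Row]:
    """P2 :: [cp2 ⇒ r2; cp1 ⇒ r1]: the same inputs, received in the opposite order."""
    r0 = {"r1": X, "r2": X, "cp1": XT, "cp2": XT}
    r1 = step(r0, cp2=(v2, 1, "i"), r2=v2)
    r2 = step(r1, cp1=(v1, 1, "i"), r1=v1)
    return [r0, r1, r2]


if __name__ == "__main__":
    # The schema io-behavior keeps rows 0, 1, 2, 4 and 6 of the io-computation.
    for row in io_behavior(pc_io_computation("p1", "cp1", "cp2"), PC_INTERFACE):
        print(row)
    # With cp1 = cp2 the second input row survives: its count field differs.
    print(io_behavior(pc_io_computation(3, 5, 5), PC_INTERFACE)[2]["cp"])  # (5, 2, 'i')
    b1 = io_behavior(p1_io_computation(7, 9), P12_INTERFACE)
    b2 = io_behavior(p2_io_computation(7, 9), P12_INTERFACE)
    print(b1 != b2, io_equivalent(b1, b2))  # True True: order across components is lost
```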
4.2 Substitution rules
Substitution of reference statements to io-equivalent procedures is an essential step of equivalence reasoning. The first three lemmas, concerning concatenation, cooperation and selection, are given in preparation for the general rule. Only the post-concatenation case is treated; the other case would be carried out similarly.
Lemma 4.2 (Substitution in concatenation) Let S; [r := A(p)] be deadlock-free. Then, if [r := A(p)] =O [r := B(p)], the equivalence S; [r := A(p)] =P S; [r := B(p)] holds, where P ⊆ O ∪ OS, and O = OA = OB.
Justification The io-behaviors of S; A and S; B have the same interface set P by definition, and since A and B have the same interface set O. Concerning equality of component lists, io-behaviors of the concatenation are formed by post-coupling an io-behavior of A, or of B, to an io-behavior of S. We show equality of component lists recalling the post-coupling construction rules given in subsection 3.2.
(i) Proper variable components. Cases:
(a) v ∈ OS ∩ O: The initial values of this group of components of bA (or of bB) are equal to their corresponding last values of bS. Since A =O B, a bB (or a bA) io-equivalent to bA (or to bB) with the same initial values can always be found. Hence, the post-couplings of both sides will give the same lists of values for each one of these v components.
(b) v ∉ OS ∩ O and v ∈ OS: For these components, the propagation into the future only depends on bS, the io-behavior of S, which is equal on both sides.
(c) v ∉ OS ∩ O and v ∈ O: The propagation into the past depends on bA or on bB, which has been selected equivalent to bA in (a).
(ii) Channel variable components. Cases:
(a) c ∈ OS ∩ O: Since S is the same on both sides, the last triplets of these components of bS will be the same on both sides. Since bB has been selected equivalent to bA in (i-a), it will have the same pattern of initial undefined triplets, to be changed to the last values of the c components of bS. Hence the io-behaviors of both sides will be equivalent.
(b) c ∉ OS ∩ O and c ∈ OS: The last triplets of bS which have to be repeated into the future, the bA or bB region, are the same on both sides since S stands on both sides. Hence, they will give equal propagations into bA or bB.
(c) c ∉ OS ∩ O and c ∈ O: For these components, the lists of the two sides are formed by concatenating an undefined value with the lists of bA and bB, which are equal since they are io-equivalent. □
We study now the preservation of equivalence in a substitution within a cooperation (parallelism) statement. Let S || [r := A(p)] have internal channel set I. If O is the interface set of [r := A(p)], and OI is the set of internal channel variables corresponding to I, then OI ⊆ O. Channel variables in O − OI correspond to external channels of S || [r := A(p)]. Similarly, OI ⊆ OS, where OS is the interface set of S. Also, channel variables in OS − OI correspond to external channels of S || [r := A(p)]. Actually, the interface set P of the parallel composition is such that P ⊆ (OS ∪ O) − OI, since there may be proper variables which are not declared as external.
Lemma 4.3 (Substitution in parallelism) Let S || [r := A(p)] be deadlock-free, and r := A(p) be disjoint with S. Let also [r := A(p)] =O [r := B(p)], and S || [r := B(p)] be deadlock-free. Then [S || [r := A(p)]] =P [S || [r := B(p)]], where P ⊆ (OS ∪ O) − OI.
Justification We will show that, in the construction of io-behaviors of S || A and S || B, the steps of side-coupling, given in subsection 3.2, can be followed so that equivalent io-behaviors result from the two statements. Deadlock-freeness is required since it has been assumed in the construction.
(i) Selection of matching behaviors. Since bS is identical for both statements and A =O B, any io-behavior bA matching bS can be replaced by an equivalent bB, which will also match bS.
(ii) As a consequence, the intermediate forms b̄S||A and b̄S||B will be equivalent with respect to the set OS ∪ O.
(iii) Hence, the operations of 3.2.2(iii), with the P defined above, starting from either b̄S||A or from b̄S||B will give io-equivalent results.
Therefore, any io-behavior of S || A can be interpreted as an equivalent io-behavior of S || B and vice versa.
Lemma 4.4 (Substitution in selection) Let [ g, [r := A(p)] or R ] be deadlock-free, where R stands for the rest of the selection statement, and g is a boolean guard, for a selection, or both a boolean and a communication guard, for a communication selection. Let also [r := A(p)] =O [r := B(p)], and OR be the interface set of R. Then, with P ⊆ (OR ∪ O),
[ g, [r := A(p)] or R ] =P [ g, [r := B(p)] or R ].
Justification Let IR, IAg, and IBg denote the sets of io-behaviors of R, the alternative of A and the alternative of B, respectively, and IA and IB be the sets of io-behaviors of A and B, respectively. If the statement is a regular selection, then IAg and IBg are formed with the io-behaviors of IA and IB, respectively, whose first rows satisfy the boolean guard of g. However, if the statement is a communication selection, each io-behavior of IAg is obtained by post-coupling an io-behavior of the IAg of the previous case to the io-behavior of the send or receive statement in the guard g. The same is true for IBg. The set of io-behaviors of a selection statement is the union of the sets of io-behaviors of each of its alternatives. Hence IR ∪ IAg and IR ∪ IBg are the sets of io-behaviors of the l.h.s. and the r.h.s., respectively.
Therefore, for any io-behavior bl of the l.h.s. there is an equivalent io-behavior br in the r.h.s. and vice versa. This is so in the case that the io-behavior belongs to IR, since this set is included in both sides and equal io-behaviors are io-equivalent as well. In the remaining case, where the io-behavior is in IAg or in IBg, the claim follows from the fact that [r := A(p)] =O [r := B(p)] and the guard g is the same on both sides. □
The following result is needed for the organization of proofs around the
procedures of a distributed program, making proof decomposition possible.
Lemma 4.5 (Equivalence deduction by procedure substitution) Let
P [ ] be a loop free program context, P [r := A(p)] be deadlock-free, and r :=
A(p) be disjoint with all its parallel substatements in P [r := A(p)]. Then, if
[r := A(p)] =O [r := B(p)] , and P [r := B(p)] is deadlock-free, the equivalence
P [r := B(p)] =P P [r := A(p)] holds for any P.
Justification. The result follows from lemmas 4.2, 4.3, and 4.4. The minimal ancestor of A in P [r := A(p)], or in P [r := B(p)], is either a concatenation, a cooperation, or a selection. Then, equivalence between these ancestor statements follows from one of the three lemmas and the associativity laws of both cooperation and concatenation compositions, as in the next section. The same reasoning can now be applied recursively to the ancestors of these ancestors until P [r := A(p)] and P [r := B(p)] are reached. □
5 Laws for Input/Output Equivalence
5.1 Introduction
A set of laws needed for communication elimination equivalence proofs of
some distributed programs is overviewed in this section. This is necessary in
order to present an example of io-equivalence reasoning. Both communication
elimination and the example are overviewed later in the paper.
There are both proper elimination and auxiliary laws. The latter, although
not eliminating any communication directly, are needed to transform a pro-
gram to a form where a proper communication elimination law can be applied.
Some intuitive auxiliary laws are available in [2], where it is shown that many of them do not hold when strong fairness is assumed. Some of them are Nil; S ≈ S, S; Skip ≈ S, and S || Skip ≈ S. In addition, both sequential and parallel composition are associative, and the latter is also commutative.
5.2 Laws for communication elimination
Attention will be restricted to statements whose communications are under the scope of neither selections nor iterations. We will refer to these statements as bounded communication (BC) statements. The number of communication events generated by their execution is finite and constant.
The laws given below allow the elimination of communications from BC statements. Communication elimination for some extended forms, with indefinite iterations, will also be covered in the next section. For each BC statement S we define a set I of internal channels, whose communications have to be eliminated. The rest of the channels involved in S are external, in the sense that communication statements over these channels never match other communications in S. The following are two intuitive communication elimination laws.
$$[\,\alpha \Leftarrow e \;\|\; \alpha \Rightarrow u\,] \;\approx\; [\,u := e\,]$$
$$[\,H^l;\ \alpha \Leftarrow e;\ T^l\,] \;\|\; [\,H^r;\ \alpha \Rightarrow u;\ T^r\,] \;\approx\; [\,H^l \,\|\, H^r\,];\ u := e;\ [\,T^l \,\|\, T^r\,]$$
where $H^l$ and $H^r$ do not contain communication substatements over channels in I. As shown in [2], no bounded number of communication elimination laws suffices for the elimination, in a single reduction, of a pair of matching communications from a BC statement. The following schema of equivalences,
$$\big[\,H^l_k;\ [\,G^l_k \,\|\, P^l_k\,];\ T^l_k\,\big] \;\big\|\; \big[\,H^r_k;\ [\,G^r_k \,\|\, P^r_k\,];\ T^r_k\,\big] \;=_O\; \big[\,H^l_k \,\|\, H^r_k\,\big];\ \big[\,G_k \,\|\, P^l_k \,\|\, P^r_k\,\big];\ \big[\,T^l_k \,\|\, T^r_k\,\big]$$
where k = 0, 1, ···, defines an unbounded set of laws when we identify it with
$$[\,G^l_{k+1} \,\|\, G^r_{k+1}\,] \;=_O\; G_{k+1}$$
since then the statements $G^l_k$, $G^r_k$, and $G_k$ are defined recursively for k = 1, 2, ··· The initial condition statements $G^l_0$ and $G^r_0$ are α ⇐ e and α ⇒ u, respectively, and $G_0$ stands for u := e. There is a law for any finite integer k. The former two laws are the special cases k = 0, 1, with some substatements equal to Nil. The laws hold for io-equivalence only. A law is applied as a reduction from left to right, in order to eliminate a matching pair of communication statements in a single reduction. Observe also, in the last laws, that some substatements are parallel on one side but not on the other. This disordering may introduce deadlock. Therefore, a set of suitable applicability conditions has to be checked for each law.
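As an added illustration, not code from the paper or its authors, the following Go program instantiates the second elimination law above with concrete substatements and checks it the way the semantics of the paper asks: by comparing io-behaviors, that is, the final state together with the values that crossed the external channels. Unbuffered Go channels give the synchronous rendezvous of α ⇐ e and α ⇒ u. The choice of H^l, H^r, T^l, T^r (arithmetic on disjoint variables plus one external send each, over the assumed external channels betaL and betaR), the State and IOBehavior types, and the deadline-based deadlock guard in Run are all assumptions of this example; the guard is only a runtime check of the kind that the applicability conditions are meant to make unnecessary.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// State holds the variables of the interface set O; the two parallel processes
// stay disjoint (left owns X, right owns Y, U, Z). Constructed for this example.
type State struct{ X, Y, U, Z int }

// IOBehavior is what =O compares: final state plus the values that crossed the
// external channels (assumed names betaL, betaR). Internal channel alpha is in I
// and is therefore not recorded.
type IOBehavior struct {
	Final        State
	BetaL, BetaR []int
}

// Stmt: a BC statement run from an initial state, returning the final state.
type Stmt func(s State, betaL, betaR chan<- int) State

// par is the cooperation operator ||: run both sides and wait for both.
func par(l, r func()) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); l() }()
	go func() { defer wg.Done(); r() }()
	wg.Wait()
}

// LHS is [H^l; alpha <= e; T^l] || [H^r; alpha => u; T^r], with the constructed
// H^l: x := x+1   T^l: betaL <= x   H^r: y := 2y   T^r: z := u+y; betaR <= z.
func LHS(s State, betaL, betaR chan<- int) State {
	alpha := make(chan int) // unbuffered: send and receive rendezvous
	par(
		func() { s.X = s.X + 1; alpha <- s.X; betaL <- s.X },
		func() { s.Y = 2 * s.Y; s.U = <-alpha; s.Z = s.U + s.Y; betaR <- s.Z },
	)
	return s
}

// RHS is the eliminated form [H^l || H^r]; u := e; [T^l || T^r].
func RHS(s State, betaL, betaR chan<- int) State {
	par(func() { s.X = s.X + 1 }, func() { s.Y = 2 * s.Y })
	s.U = s.X // u := e, e being the value alpha carried on the left-hand side
	par(func() { betaL <- s.X }, func() { s.Z = s.U + s.Y; betaR <- s.Z })
	return s
}

// Stuck sends over an internal channel that nothing matches: a deadlock.
func Stuck(s State, _, _ chan<- int) State {
	alpha := make(chan int)
	alpha <- 1
	return s
}

// Run executes stmt against an environment that accepts every external
// communication, records the io-behavior, and reports false when stmt is still
// blocked at the deadline (deadlock, or divergence).
func Run(stmt Stmt, s0 State, deadline time.Duration) (IOBehavior, bool) {
	var b IOBehavior
	betaL, betaR := make(chan int), make(chan int)
	collect := func(c <-chan int, dst *[]int) { for v := range c { *dst = append(*dst, v) } }
	var env sync.WaitGroup
	env.Add(2)
	go func() { defer env.Done(); collect(betaL, &b.BetaL) }()
	go func() { defer env.Done(); collect(betaR, &b.BetaR) }()
	done := make(chan State, 1)
	go func() { done <- stmt(s0, betaL, betaR) }()
	select {
	case b.Final = <-done:
		close(betaL)
		close(betaR)
		env.Wait()
		return b, true
	case <-time.After(deadline):
		return IOBehavior{}, false
	}
}

// SameBehavior compares final states and external channel value lists.
func SameBehavior(a, b IOBehavior) bool {
	eq := func(x, y []int) bool {
		if len(x) != len(y) { return false }
		for i := range x { if x[i] != y[i] { return false } }
		return true
	}
	return a.Final == b.Final && eq(a.BetaL, b.BetaL) && eq(a.BetaR, b.BetaR)
}

func main() {
	s0 := State{X: 1, Y: 3}
	l, _ := Run(LHS, s0, time.Second)
	r, _ := Run(RHS, s0, time.Second)
	_, ok := Run(Stuck, s0, 100*time.Millisecond)
	fmt.Println(SameBehavior(l, r), l, ok) // true {{2 6 2 8} [2] [8]} false
}
```

The external sends are placed one per process so that the recorded channel sequences are deterministic; if both T^l and T^r sent on the same external channel, the io-behavior of each side would be a set of interleavings and the comparison would have to enumerate it. Run compares a single initial state; io-equivalence proper quantifies over all of them, which is what the laws provide and a test can only sample.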
6 Applications to Verification
6.1 Distributed program simplification (DPS)
This is a proof procedure applying, amongst others, the laws given above. The first step is carried out by a communication elimination reduction algorithm, which automatically applies the laws presented in the last section. When the algorithm terminates successfully, there is a guarantee that the original statement is deadlock-free. The resulting io-equivalent form has parallelism between disjoint substatements but no internal communication statements.
The following is a procedure resulting from Pc, of subsection 2.2, after elimination of the internal channel c. It has the same interface set.
(r, cr) ::= Pnc(p, cp) ::
[ [cp ⇒ a1 || cp ⇒ a2]; r := a1 + p; a2 := r + a2; cr ⇐ a2 ]
Each io-behavior of Pc is an io-behavior of Pnc and vice versa, so Pc =O Pnc.
The next step of DPS, parallelism to concatenation transformation, is car-
ried out by applying permutation laws for transforming the parallel compo-
sitions of disjoint processes to io-equivalent sequential forms. A sequential
program io-equivalent to the initial one is obtained. The third and last step
of DPS is redundant variable elimination. State-vector reduction comes with
this last step.
6.2 DPS for non-BC statements
There is more than one way to extend simplification proofs to non-BC statements, where communications appear within indefinite loops. We will concentrate only on the following very common structure: S = [S1 || ··· || Sm], where the Sk's are of the form Sk = loop forever do Bk. The Bk's are BC statements. Since they have communication statements and appear within indefinite iterations, the whole statement is non-BC.
Assume that we unfold $n_k$ times the loop of each top substatement $S_k$, thus obtaining the statement $S_u = [\,B_1^{n_1}; S_1 \,\|\, \cdots \,\|\, B_m^{n_m}; S_m\,]$, where $B_k^{n_k}$ stands for the concatenation of $n_k$ copies of $B_k$: $B_k; \cdots; B_k$.
We can apply DPS to $S_u$ partially, considering only its internal communications in the $B_k^{n_k}$ statements. Assume that we succeed and obtain B; E, where B has no internal communication but the ending statement E is non-BC: it may have both parallelism and inner communication. Assume also that B; E is again reduced by DPS, partially as before, to B; B; E. Then, as a consequence of finite induction, $S =_O [\,B^n; E\,]$ for any finite integer n, where $B^n$ is free of both inner parallelism and communication. In the frequent case where the first elimination yields B; S, i.e. E = S, we get S =O loop forever do B, and the right hand side statement has no inner communication. In many practical systems this occurs already for $n_k = 1$, k = 1, ..., m.
6.3 Global structure of an equivalence proof
A brief account of a verification of a DLX-like [9] processor model, shown in the diagram below, will illustrate the utility of the reported results.
[Figure: block diagram of the DLX-like pipelined processor model. Stages IF, ID, EX and WB, separated by the pipeline registers IF/ID, ID/EX and EX/WB; blocks Instruction Memory (Read Address, Instruction), PC and its Add, Registers (Read Register 1/2, Write Register, Write Data, Read Data 1/2), Forwarding Unit, Control, the two ALU-input multiplexors (selMuxA, selMuxB) and the ALU; the arcs carry the channel names used in the procedures below (cfd, fdRS1, fdRS2, fdRD, fdFUNC, cdxW, cdxA, cdxB, cdxRS1, cdxRS2, cdxFUNC, cdxRD, dxA, dxB, dxRS1, dxRS2, dxFUNC, dxW, wxRESa, wxRESb, wxRD, caluA, caluB, cxwW, cxwRES, cxwRD, cwx, cwdW, cwdRES, cwdRD).]
The proof establishes io-equivalence between a program, pipeline2, with two hierarchical levels of parallelism and internal communication, modeling the pipeline processor, and the following sequential program,
reg ::= VNCycle(reg, mem) ::
[ for k := 1..n do [ ir := mem(pc); pc := pc + 1; reg(ir.rd) := alures(ir.func, reg(ir.rs1), reg(ir.rs2)) ] ]
which captures the essential behavior of the pipelined processor software
model. As this program makes explicit, the processor interprets programs
with ALU register to register instructions only. The instruction register is
ir. The destination and source register indexes are ir.rd, ir.rs1 and ir.rs2.
Procedure alures gives the result of the ALU operation selected by ir.func.
Integer n is the length of the program in mem.
The parallel program has four processes connected in pipeline, modeling
the four stages above: IF, ID, EX, and WB. Processes ID and EX are modeled
with the following procedures which encapsulate a second level of parallelism.
(cxwW, cxwRES, cxwRD) ::= EXpar(cdxW, cdxA, cdxB, cdxRS1, cdxRS2, cdxFUNC, cdxRD, cwx) ::
[
  loop forever do ( ID/EX (dx) register )
  [ dxA ⇐ dx.a; dxB ⇐ dx.b; dxRS1 ⇐ dx.rs1; dxRS2 ⇐ dx.rs2; dxFUNC ⇐ dx.func;
    xxw.w := dx.w; xxw.rd := dx.rd;
    cdxW ⇒ dx.w; cdxA ⇒ dx.a; cdxB ⇒ dx.b; cdxRS1 ⇒ dx.rs1; cdxRS2 ⇒ dx.rs2;
    cdxFUNC ⇒ dx.func; cdxRD ⇒ dx.rd; cxwW ⇐ xxw.w; cxwRD ⇐ xxw.rd ]
||
  loop forever do ( wx register )
  [ cwx ⇒ wx; wxRESa ⇐ wx.res; wxRESb ⇐ wx.res; wxRD ⇐ wx.rd ]
||
  loop forever do ( Forwarding control )
  [ dxRS1 ⇒ rs1; dxRS2 ⇒ rs2; wxRD ⇒ rd;
    selA := (rs1 = rd); selB := (rs2 = rd);
    selMuxA ⇐ selA; selMuxB ⇐ selB ]
||
  loop forever do ( Multiplexor of ALU input A )
  [ dxA ⇒ a; wxRESa ⇒ resA; selMuxA ⇒ selA; if selA then aluA := resA else aluA := a; caluA ⇐ aluA ]
||
  loop forever do ( Multiplexor of ALU input B )
  [ dxB ⇒ b; wxRESb ⇒ resB; selMuxB ⇒ selB; if selB then aluB := resB else aluB := b; caluB ⇐ aluB ]
||
  loop forever do ( ALU )
  [ caluA ⇒ a; caluB ⇒ b; dxFUNC ⇒ func; xxw.res := alures(func, a, b); cxwRES ⇐ xxw.res ]
]
(reg, cdxW, cdxA, cdxB, cdxRS1, cdxRS2, cdxFUNC, cdxRD) ::= IDpar(reg, cfd, cwdW, cwdRES, cwdRD) ::
[
  loop forever do ( IF/ID (fd) register )
  [ fdRS1 ⇐ fd.rs1; fdRS2 ⇐ fd.rs2; fdRD ⇐ fd.rd; fdFUNC ⇐ fd.func; cfd ⇒ fd ]
||
  loop forever do ( Registers )
  [ cwdW ⇒ wd.w; cwdRES ⇒ wd.res; cwdRD ⇒ wd.rd; control ⇒ w;
    if (wd.w) then [reg(wd.rd) := wd.res] else nil;
    (xdx.w, xdx.a, xdx.b, xdx.rs1, xdx.rs2, xdx.func, xdx.rd) := (w, reg(ir.rs1), reg(ir.rs2), ir.rs1, ir.rs2, ir.func, ir.rd);
    fdRS1 ⇒ ir.rs1; fdRS2 ⇒ ir.rs2; fdRD ⇒ ir.rd; fdFUNC ⇒ ir.func;
    cdxW ⇐ xdx.w; cdxA ⇐ xdx.a; cdxB ⇐ xdx.b; cdxRS1 ⇐ xdx.rs1; cdxRS2 ⇐ xdx.rs2; cdxFUNC ⇐ xdx.func; cdxRD ⇐ xdx.rd ]
||
  loop forever do ( Control )
  [ control ⇐ true ]
]
This detail is given not to be understood by the reader, but to illustrate the non-triviality of the example. The proof establishes the io-equivalence
[reg ::= VNCycle(reg, mem)] =O [reg ::= Pipeline2(reg, mem)]
where O : {reg, mem}. This result is proved with three DPS proofs and the application of the io-equivalence reasoning rules introduced in this paper. Although the pipelined structure has more stages, we illustrate the partitioning of the proof only with the instruction decode (ID) and the execution (EX) stages. The two are modeled as sequential procedures as well, IDseq and EXseq. With two DPS proofs, the following equivalences are established.
[reg, coutID ::= IDseq(reg, cinID)] =O [reg, coutID ::= IDpar(reg, cinID)]
[coutEX ::= EXseq(cinEX)] =O [coutEX ::= EXpar(cinEX)]
The cout and cin names denote the lists of output and input channels, respectively. Procedure Pipeline2 above has references to the procedures with inner parallelism, Pipeline2 : Pipeline[IDpar, EXpar]. Pipeline is a procedure with one level of parallelism and two holes for the references to ID and EX.
An auxiliary procedure, Pipeline1, is defined as Pipeline with the references to the sequential procedures, Pipeline1 : Pipeline[IDseq, EXseq]. It has one level of parallelism. It is the following:
reg ::= Pipeline1(reg, mem) ::
[
  local pc : integer
  local w : boolean
  local instr, ir : Typ IR
  local xdx, dx : Typ DX
  local wd, wx, xxw, xw : Typ XW
  local cfd : channel of Typ IR
  local cdx : channel of Typ DX
  local cwd, cxw, cwx : channel of Typ XW
  pc := 1;
  (ir.rs1, ir.rs2, ir.rd, ir.func) := (0, 0, 0, 0);
  (dx.w, dx.a, dx.b, dx.rs1, dx.rs2, dx.func, dx.rd) := (false, 0, 0, 0, 0, 0, 0);
  (xw.w, xw.res, xw.rd) := (false, 0, 0);
  (wx.w, wx.res, wx.rd) := (false, 0, 0);
  [
    IF :: [ loop forever do [ instr := mem(pc); pc := pc + 1; cfd ⇐ instr ] ]
  ||
    IDseq :: [ loop forever do
      [ cwd ⇒ wd;
        if (wd.w) then [reg(wd.rd) := wd.res] else nil;
        (xdx.w, xdx.a, xdx.b, xdx.rs1, xdx.rs2, xdx.func, xdx.rd) := (w, reg(ir.rs1), reg(ir.rs2), ir.rs1, ir.rs2, ir.func, ir.rd);
        cfd ⇒ ir;
        cdx ⇐ xdx ] ]
  ||
    EXseq :: [ loop forever do
      [ cwx ⇒ wx;
        if (dx.rs1 = wx.rd) then [dx.a := wx.res] else nil;
        if (dx.rs2 = wx.rd) then [dx.b := wx.res] else nil;
        (xxw.w, xxw.res, xxw.rd) := (dx.w, alures(dx.func, dx.a, dx.b), dx.rd);
        cdx ⇒ dx;
        cxw ⇐ xxw ] ]
  ||
    WB :: [ loop forever do [ cwd ⇐ xw; cwx ⇐ xw; cxw ⇒ xw ] ]
  ]
]
The bodies of procedures IDseq and EXseq are given in it. Notice that groups of channels in the parallel versions have been reduced to a single channel in the sequential versions. A channel group hide/unhide equivalence rule, given in [1], has been used in this part of the proof. Then, the equivalence
[reg ::= VNCycle(reg, mem)] =O [reg ::= Pipeline1(reg, mem)]
is established with a DPS proof. Finally, Pipeline1 =O Pipeline2 by the substitution rule of lemma 4.5, and assuming that its deadlock-freeness conditions hold. These hold since the success of the communication elimination algorithm guarantees deadlock-freeness of Pipeline1. Deadlock-freeness of Pipeline2 follows from deadlock-freeness of Pipeline1 and conservation of the order of the external communication offers of the parallel and sequential versions of the EX and ID procedures.
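To make the equivalence of this subsection concrete, here is an added Go model (not the paper's Pipeline1 or Pipeline2, and not the authors' code) of the four-stage IF/ID/EX/WB pipeline over unbuffered channels, together with the sequential VNCycle reference, run on a constructed register-to-register program with data hazards. It simplifies the paper's model in three assumed ways: an explicit bubble instruction (func = -1) fills the pipeline registers initially and drains them at the end, so each stage's loop forever body is unfolded a finite number of times in the spirit of subsection 6.2; forwarding in EX only takes effect when the older result carries w = true; and alures is a two-operation ALU. The hazard handling is the one visible in Pipeline1: a result one instruction behind is forwarded in EX, while results two or more instructions behind are written to reg in ID before the dependent instruction is decoded.

```go
package main

import (
	"fmt"
	"sync"
)

// Added model, not the paper's Pipeline1: the IF/ID/EX/WB stages as goroutines
// over unbuffered Go channels, checked against the sequential VNCycle reference.

const bubble = -1 // assumed func code for an empty pipeline slot (never written back)

type Instr struct{ Func, RS1, RS2, RD int }           // ir.func, ir.rs1, ir.rs2, ir.rd
type DX struct{ W bool; A, B, RS1, RS2, Func, RD int } // ID/EX register contents
type XW struct{ W bool; Res, RD int }                  // EX/WB register contents

// alures is an assumed two-operation ALU: func 0 adds, func 1 subtracts.
func alures(f, a, b int) int {
	if f == 1 {
		return a - b
	}
	return a + b
}

// VNCycle is the sequential reference: one ALU instruction per cycle.
func VNCycle(reg []int, mem []Instr) []int {
	r := append([]int(nil), reg...)
	for pc := 0; pc < len(mem); pc++ {
		ir := mem[pc]
		r[ir.RD] = alures(ir.Func, r[ir.RS1], r[ir.RS2])
	}
	return r
}

// PipelineModel unfolds each stage's "loop forever" body len(mem)+3 times: three
// trailing bubbles drain the last instruction through WB. Every body keeps the
// paper's shape: work on the register currently held, then receive the next one.
func PipelineModel(reg []int, mem []Instr) []int {
	r := append([]int(nil), reg...)
	prog := append(append([]Instr(nil), mem...), Instr{Func: bubble}, Instr{Func: bubble}, Instr{Func: bubble})
	cfd, cdx := make(chan Instr), make(chan DX)
	cxw, cwd, cwx := make(chan XW), make(chan XW), make(chan XW)
	var wg sync.WaitGroup
	wg.Add(4)
	go func() { // IF: instr := mem(pc); pc := pc + 1; cfd <= instr
		defer wg.Done()
		for _, instr := range prog {
			cfd <- instr
		}
	}()
	go func() { // ID: write back, read the register file, then take the next instruction
		defer wg.Done()
		ir := Instr{Func: bubble}
		for range prog {
			wd := <-cwd
			if wd.W {
				r[wd.RD] = wd.Res
			}
			xdx := DX{ir.Func != bubble, r[ir.RS1], r[ir.RS2], ir.RS1, ir.RS2, ir.Func, ir.RD}
			ir = <-cfd
			cdx <- xdx
		}
	}()
	go func() { // EX: forward from the instruction one ahead, compute, then take the next one
		defer wg.Done()
		var dx DX
		for range prog {
			wx := <-cwx
			if wx.W && dx.RS1 == wx.RD {
				dx.A = wx.Res
			}
			if wx.W && dx.RS2 == wx.RD {
				dx.B = wx.Res
			}
			xxw := XW{dx.W, alures(dx.Func, dx.A, dx.B), dx.RD}
			dx = <-cdx
			cxw <- xxw
		}
	}()
	go func() { // WB: offer the result to ID (write back) and EX (forwarding), then take the next one
		defer wg.Done()
		var xw XW
		for range prog {
			cwd <- xw
			cwx <- xw
			xw = <-cxw
		}
	}()
	wg.Wait()
	return r
}

// SameResult is the io-equivalence check on one input (reg, mem): same final register file.
func SameResult(reg []int, mem []Instr) bool {
	a, b := VNCycle(reg, mem), PipelineModel(reg, mem)
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed program: back-to-back RAW hazards at distances 1 and 2.
	prog := []Instr{{0, 1, 2, 3}, {0, 3, 3, 4}, {1, 4, 1, 3}, {0, 3, 4, 5}}
	reg := []int{0, 5, 7, 0, 0, 0}
	fmt.Println(SameResult(reg, prog), PipelineModel(reg, prog)) // true [0 5 7 19 24 43]
}
```

Each stage performs one send or receive per channel per iteration, so the five channels stay balanced and the model terminates without the deadlock that a mismatched offer order would produce; that is the property the lemma 4.5 argument above relies on when it appeals to the conserved order of external communication offers. As with the previous example, a run checks one input; the equivalence proof covers all of them.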
7 Conclusions and Future Work
A new semantics for distributed imperative programs has been presented as an extension of the semantics of Manna and Pnueli. Auxiliary variables, recording the list of values crossing channels, have been added to the state variables of computations and reduced behaviors. A general formulation of input/output equivalence of procedures, integrating values communicated through both variables and synchronous channels, and a procedure reference substitution rule, have been formulated in the new semantics. A new set of laws for distributed imperative programs, and the decomposition of distributed program simplification proofs, via communication elimination, have been made possible with the new results. As an application example, a formal equivalence proof of a pipelined processor model has been summarized.
Although other equivalence proofs for distributed programs have been carried out already, this line of effort should continue for other classes of such programs. Soundness of the laws for io-equivalence was proved in a prior work. Completeness should be studied in the future.
Acknowledgement
We thank the encouragement received during the last years from Zohar Manna,
Bernd Finkbeiner, and Tomas Uribe.
References
[1] Babot, F., M. Bertran, J. Riera, R. Puig and A. Climent, Mechanized Equivalence Proofs of Pipelined Processor Software Models, in: Actas de las III Jornadas de Programación y Lenguajes (2003), pp. 91–104.
[2] Bertran, M., F. Babot, A. Climent and M. Nicolau, Communication and Parallelism Introduction and Elimination in Imperative Concurrent Programs, in: P. Cousot, editor, Static Analysis. 8th International Symposium, SAS 2001, LNCS 2126 (2001), pp. 20–39.
[3] Bjørner, N., A. Browne, B. F. M. Colón, Z. Manna, H. Sipma and T. Uribe, Verifying Temporal Properties of Reactive Systems. A Step Tutorial, in: Formal Methods in System Design, 2000, pp. 227–270.
[4] Broy, M., A logical basis for component-based systems engineering, in: M. Broy and R. Steinbruggen, editors, Calculational System Design (1999).
[5] Clarke, E., O. Grumberg and D. Peled, "Model Checking," The MIT Press, 1999.
[6] de Alfaro, L., Game Models for Open Systems, in: International Symposium on Verification (Theory and Practice), LNCS 2772 (2003).
[7] de Roever, W.-P., F. de Boer, U. Hanneman, Y. Lakhnech, M. Poel and J. Zwiers, "Concurrency Verification: Introduction to Compositional and Noncompositional Methods," Cambridge University Press, 2001.
[8] Finkbeiner, B., Z. Manna and H. Sipma, Deductive Verification of Modular Systems, in: Compositionality: The Significant Difference, COMPOS'97, LNCS 1536 (1998), pp. 239–275.
[9] Hennessy, J. L. and D. A. Patterson, "Computer Architecture: A Quantitative Approach," Morgan Kaufmann Publishers Inc., San Mateo, California, 1990.
[10] Holzmann, G., "Design and Validation of Computer Protocols," Prentice Hall, 1991.
[11] INMOS Limited, "Occam Programming Manual," Prentice Hall, 1985.
[12] INMOS Limited, "Occam 2 Reference Manual," Prentice Hall, 1988.
[13] Jones, G., "Programming in Occam," Prentice Hall, 1987.
[14] Kaufmann, M. and J. S. Moore, An Industrial Strength Theorem Prover for a Logic Based on Common Lisp, IEEE Transactions on Software Engineering 23 (1997), pp. 203–213.
[15] Manna, Z. and A. Pnueli, "The Temporal Logic of Reactive and Concurrent Systems. Specification," Springer, 1991.
[16] Manna, Z. and A. Pnueli, "Temporal Verification of Reactive Systems. Safety," Springer, 1995.
[17] McMillan, K. and D. Dill, "Symbolic Model Checking: An Approach to the State Explosion Problem," Kluwer Academic, 1993.
[18] Roscoe, A. and C. Hoare, The laws of OCCAM programming, Theoretical Computer Science 60 (1988), pp. 177–229.
