A UTP semantics for communicating processes with shared variables and its formal encoding in PVS

CSP# (communicating sequential programs) is a modelling language designed for specifying concurrent systems by integrating CSP-like compositional operators with sequential programs updating shared variables. In this work, we define an observation-oriented denotational semantics in an open environment for the CSP# language based on the UTP framework. To deal with shared variables, we lift traditional event-based traces into mixed traces which consist of state-event pairs for recording process behaviours. To capture all possible concurrency behaviours between action/channel-based communications and global shared variables, we construct a comprehensive set of rules on merging traces from processes which run in parallel/interleaving. We also define refinement to check process equivalence and present a set of algebraic laws which are established based on our denotational semantics. We further encode our proposed denotational semantics into the PVS theorem prover. The encoding not only ensures the semantic consistency, but also builds up a theoretic foundation for machine-assisted verification of CSP# specifications.Full Tex

Object-Z / TCOZ and Timed automata; Projection and integration

Ph.DDOCTOR OF PHILOSOPH

rCOS: A refinement calculus for object systems

This article presents a mathematical characterization of object-oriented concepts by defining an observation-oriented semantics for a relational objectoriented language with a rich variety of features including subtypes, visibility, inheritance, type casting, dynamic binding and polymorphism. The language is expressive enough for the specification of object-oriented designs and programs. We also propose a calculus based on this model to support both structural and behavioral refinement of object-oriented designs. We take the approach of the development of the design calculus based on the standard predicate logic in Hoare and He’s Unifying Theories of Programming (UTP). We also consider object reference in terms of object identity as values and mutually dependent methods

Comparative Studies, Formal Semantics and PVS Encoding of CSP#

Ph.DDOCTOR OF PHILOSOPH

Extending and Relating Semantic Models of Compensating CSP

Business transactions involve multiple partners coordinating and interacting with each other. These transactions have hierarchies of activities which need to be orchestrated. Usual database approaches (e.g.,checkpoint, rollback) are not applicable to handle faults in a long running transaction due to interaction with multiple partners. The compensation mechanism handles faults that can arise in a long running transaction. Based on the framework of Hoare's CSP process algebra, Butler et al introduced Compensating CSP (cCSP), a language to model long-running transactions. The language introduces a method to declare a transaction as a process and it has constructs for orchestration of compensation. Butler et al also defines a trace semantics for cCSP. In this thesis, the semantic models of compensating CSP are extended by defining an operational semantics, describing how the state of a program changes during its execution. The semantics is encoded into Prolog to animate the specification. The semantic models are further extended to define the synchronisation of processes. The notion of partial behaviour is defined to model the behaviour of deadlock that arises during process synchronisation. A correspondence relationship is then defined between the semantic models and proved by using structural induction. Proving the correspondence means that any of the presentation can be accepted as a primary definition of the meaning of the language and each definition can be used correctly at different times, and for different purposes. The semantic models and their relationships are mechanised by using the theorem prover PVS. The semantic models are embedded in PVS by using Shallow embedding. The relationships between semantic models are proved by mutual structural induction. The mechanisation overcomes the problems in hand proofs and improves the scalability of the approach

Unifying Theories of Logics with Undefinedness

A relational approach to the question of how different logics relate formally is described. We consider three three-valued logics, as well as classical and semi-classical logic. A fundamental representation of three-valued predicates is developed in the Unifying Theories of Programming (UTP) framework of Hoare and He. On this foundation, the five logics are encoded semantically as UTP theories. Several fundamental relationships are revealed using theory linking mechanisms, which corroborate results found in the literature, and which have direct applicability to the sound mixing of logics in order to prove facts. The initial development of the fundamental three-valued predicate model, on which the theories are based, is then applied to the novel systems-of-systems specification language CML, in order to reveal proof obligations which bridge a gap that exists between the semantics of CML and the existing semantics of one of its sub-languages, VDM. Finally, a detailed account is given of an envisioned model theory for our proposed structuring, which aims to lift the sentences of the five logics encoded to the second order, allowing them to range over elements of existing UTP theories of computation, such as designs and CSP processes. We explain how this would form a complete treatment of logic interplay that is expressed entirely inside UTP

Inputs and outputs in CSP : a model and a testing theory

This article addresses refinement and testing based on CSP models, when we distinguish input and output events. In a testing experiment, the tester (or the environment) controls the inputs, and the system under test controls the outputs. The standard models and refinement relations of CSP, however, do not differentiate inputs and outputs and are not, therefore, entirely suitable for testing. Here, we consider an alphabet of events partitioned into inputs and outputs, and we present a novel refusal-testing model for CSP with a notion of input-output refusal-traces refinement. We compare that with the ioco relation often used in testing, and we find that it is more widely applicable and stronger. This means that mistakes found using traditional ioco testing do indicate mistakes in the development. Finally, we provide a CSP testing theory that takes into account inputs and outputs. With our theory, it becomes feasible to develop techniques and tools for automatic generation of realistic and sound tests from CSP models. Our work reconciles the normally disparate areas of refinement and (formal) testing by identifying how ioco testing can be used to inform refinement-based results and vice-versa

CSP as a Coordination Language. A CSP-based Approach to the Coordination of Concurrent Systems

Die Beherrschbarkeit komplexer nebenläufiger Systeme hängt in hohem Maße davon ab, mit welchen Methoden das System modelliert bzw. spezifiziert wird. Formale auf Nebenläufigkeit spezialisierte Methoden erlauben es, solche Systeme elegant auf einem hohen Abstraktionsniveau zu modellieren und zu analysieren. Ein Vertreter derartiger Methoden ist die in dieser Arbeit verwendete Prozess Algebra CSP. CSP ist ein weitverbreiteter, wohluntersuchter Formalismus, der es erlaubt, ein nebenläufiges System mathematisch präzise zu beschreiben und wichtige Eigenschaften, beispielsweise Verklemmungsfreiheit, zu verifizieren. Dennoch ist die Ableitung einer Systemimplementierung aus einem gegebenen CSP Modell immer noch ein aktueller Forschungsgegenstand. So ist zum Beispiel unklar, wie interne Aktionen eines Systems in einer Implementierung integriert werden können, da diese in CSP ununterscheidbar sind. Als Lösung wird in dieser Arbeit vorgeschlagen, CSP mit einer sequentiellen Zielsprache zu integrieren, so dass die Aktionen eines Systems in der sequentiellen Zielsprache implementiert werden und die Aktionen entsprechend eines CSP Prozesses koordiniert werden. Koordinationssprachen zielen ebenfalls darauf ab, Nebenläufigkeit von sequentiellen Aspekten eines Systems zu trennen, sie sind aber weniger auf automatisierte formale Verifikation ausgerichtet. In der Arbeit wird die Verwendung der Prozess Algebra CSP als formale Koordinationssprache für beliebige sequentielle Zielsprachen vorgeschlagen. Hierfür wird das formale Fundament einer Koordinationsumgebung entwickelt, die einen CSP Prozess zur Laufzeit simuliert und die Aktionen des Systems entsprechend ausführt. Besonderer Wert liegt auf der Koordination interner Aktionen und auf der Erkennung von Nebenläufigkeit zwischen extern synchronisierbaren und internen Aktionen. Durch Beweisverpflichtungen wird der Zusammenhang zwischen dem Koordinationsprozess und den Implementierungen der Aktionen hergestellt. Die Koordinationsumgebung wird konkret für die Zielsprache Java implementiert. Desweiteren wird eine Fallstudie vorgestellt, die sich mit der Entwicklung eines Workflow Servers beschäftigt, dessen interne Nebenläufigkeit einerseits selbst mittels CSP koordiniert wird und der andererseits CSP-basierte Workflows ausführen kann, die ebenfalls durch eine CSP Koordinationsumgebung gesteuert werden. Die Arbeit enthält wissenschaftliche Beiträge zur Theorie und der praktischen Verwendbarkeit von CSP, bezüglich der Konstruktion korrekter nebenläufiger Systeme, sowie zum Bereich der Modellierung und Verwaltung von Workflows.Complex concurrent systems are in general hard to understand, and equally hard to specify and to verify. The process algebra Communicating Sequential Processes (CSP) offers a way of taming the complexity of concurrent systems by focusing on the interaction behavior of systems and abstracting from synchronization mechanisms and other implementation details. CSP provides a mature intermediate level formalism that allows us to specify and model such systems in a mathematically precise way and to verify important properties, e. g., deadlock-freedom. However, the derivation of a system’s implementation from its CSP-based model is still a problem and sub ject to ongoing research. It is, for example, not obvious how to integrate CSP with internal actions of a system, because CSP abstracts from internal actions to a great extent. To overcome this problem, we propose to integrate CSP with a sequential host language such that the concurrency aspects of systems are captured on the CSP level and its actions are implemented in the sequential host language. This idea of separating concurrent and sequential aspects of a system is also known from coordination languages, but those are in general less amenable to automated verification. In this thesis, we present the use of CSP as a formal coordination language for arbitrary sequential host languages, allowing us to use CSP for the design, implementation, and verification of concurrent systems. To this end, we develop the model of a coordination environment that simulates a CSP process at runtime and performs the system’s actions accordingly. The coordination environment controls the system’s interaction with its environment as well as its internal actions. We present proof obligations to ensure that the properties proved on the CSP level also hold on the implementation level of the system. We also present an implementation of the coordination environment for the target language Java and a case study of constructing a workflow server as a coordinated concurrent Java program. This thesis contributes to the theory and practice of CSP, to the engineering of correct concurrent systems, and to the modeling and management of workflows. The main contribution of this thesis is a target language independent CSP-based framework for the construction of provably correct concurrent systems