Reducing Complex CSP Models to Traces via Priority

Hoare’s Communicating Sequential Processes (CSP) [6] admits a rich universe of semantic models. In this paper we study ﬁnite observational models, of which at least six have been identiﬁed for CSP, namely traces, failures, revivals, acceptances, refusal testing and ﬁnite linear observations [11]. We show how to use the recently-introduced priority operator ([12], ch.20) to transform reﬁnement questions in these models into trace reﬁnement (language inclusion) tests. Furthermore, we are able to generalise this to any (rational) ﬁnite observational model. As well as being of theoretical interest, this is of practical signiﬁcance since the state-of-the-art reﬁnement checking tool FDR3 [4] currently only supports two such models.


Introduction
A number of different forms of process calculus have been developed for the modeling of concurrent programs, including Hoare's Communicating Sequential Processes (CSP) [6], Milner's Calculus of Communicating Systems (CCS) [7], and the π-calculus [8]. Unlike the latter two, CSP's semantics are traditionally given in behavioural semantic models coarser than bisimulation.
In this paper, we study finite linear-time observational models for CSP; that is, models where all observations considered can be determined in a finite time by an experimenter who can see the visible events a process communicates and the sets of events it can offer in any stable state. While the experimenter can run the process arbitrarily often, he or she can only record the results of individual finite executions. Thus each behaviour recorded can be deduced from a single finite sequence of events together with the sets of events accepted in stable states during and immediately after this trace.
At least six such models have been considered for CSP, but the state-of-the art refinement checking tool, FDR3 [4], currently only supports two, namely traces and failures (it also supports the failures-divergences model, which is not finite observational).
We present a construction which produces a context C such that refinement questions in the failures model correspond to trace refinement questions under the application of C. We are able to generalise this to show (Theorem 5.4) that a similar construction is possible not only for the six models which have been studied, but also for any sensible finite observational model (where 'sensible' means that the model can be recognised by a finite-memory computer, in a sense which we shall make precise).
We first briefly describe the language of CSP. We next give an informal description of our construction for the failures model. To prove the result in full generality, we first give a formal definition of a finite observational model, and of the notion of rationality. We then describe our general construction. Finally we discuss performance and optimisation issues.

The CSP language
We provide a brief outline of the language, largely taken from [11]; the reader is encouraged to consult [12] for a more comprehensive treatment.
Throughout, Σ is taken to be a finite nonempty set of communications that are visible and can only happen when the observing environment permits via handshaken communication. The actions of every process are taken from Σ ∪ {τ }, where τ is the invisible internal action that cannot be prevented by the environment. Note that the usual treatment of CSP permits sequential composition by including another un-preventable event to represent termination; this adds slight complications to each model and we omit it for simplicity. It could be added back without any significant alteration to the results of this paper.
The constant processes of CSP are • STOP which does nothing-a representation of deadlock.
• div which performs (only) an infinite sequence of internal τ actions-a representation of divergence or livelock.
• CHAOS which can do anything except diverge.
The prefixing operator introduces communication: • a → P communicates the event a before behaving like P .
There are two forms of binary choice between a pair of processes: • P Q lets the process decide to behave like P or like Q: this is nondeterministic or internal choice.
• P 2 Q offers the environment the choice between the initial Σ-events of P and Q. If the one selected is unambiguous then it continues to behave like the one chosen; if it is an initial event of both then the subsequent behaviour is nondeterministic.
The occurence of τ in one of P and Q does not resolve the choice (unlike CCS +). This is external choice.
We only have a single parallel operator in our core language since all the usual ones of CSP can be defined in terms of it as discussed in Chapter 2 etc. of [12].
• P X Q runs P and Q in parallel, allowing each of them to perform any action in Σ \ X independently, whereas actions in X must be synchronised between the two.
There are two operators that change the nature of a process's communications.
• P \ X, for X ⊆ Σ, hides X by turning all P 's X-actions into τ s.
There is another operator that allows one process to follow another: • P Θ A Q behaves like P until an event in the set A occurs, at which point P is shut down and Q is started. This is the throw operator.
The final CSP construct is recursion: this can be single or mutual (including mutual recursions over infinite parameter spaces), can be defined by systems of equations or (in the case of single recursion) in line via the notation μ p.P , for a term P that may include the free process identifier p. Recursion can be interpreted operationally as having a τ -action corresponding to a single unwinding. Denationally, we regard P as a function on the space of denotations, and interpret μ p.P as the least fixed point of this function.
We also make use of the interleaving operator |||, which allows processes to perform actions independently and is equivalent to ∅ , and the process RUN X , which always offers every element of the set X and is defined by RUN X = 2 x∈X x → RUN X .

Priority
The prioritisation operator is discussed in detail in Chapter 20 of [12]. It allows us to specify an ordering on the set of visible events Σ, and prevents lower-priority events from occuring whenever a higher-priority event or τ is available.
The operator described in [12] as implemented in FDR3 [4] is parametrised by three arguments: a process P , a partial order ≤ on the event set Σ, and a subset X ⊆ Σ of events that can occur when a τ is available. We require that all elements of X are maximal with respect to ≤. Writing initials(P ) ⊆ Σ ∪ {τ } for the set of events that P can immediately perform, and extending ≤ to a partial order on Σ∪{τ } by adding y ≤ τ ∀ y ∈ Σ\X, we define the operational semantics of prioritise as follows: Note that prioritise is not compositional over denotational models other than the most precise model FL, so we think of it as an optional addition to CSP rather than an integral part of it; when we refer below to particular types of observation as giving rise to valid models for CSP, we will mean CSP without priority.

Example: the failures model
We first demonstrate our construction using the failures model: we will produce a context C such that for any processes P, Q, we have that Q refines P in the failures model if and only C[Q] refines C[P ] in the traces model.

The traces and failures models
The traces model T is familiar from automata theory, and represents a process by the set of (finite) strings of events it is able to accept. Thus each process is associated (for fixed alphabet Σ) to a subset of Σ * the set of finite words over Σ.
The failures model F also records sets X of events that the process is able to stably refuse after a trace s (that is, the process is able after trace s to be in a state where no τ events are possible, and where the set of initial events does not meet X). Thus a process is associated to a subset of Σ * × (P(Σ) ∪ {•}), where • represents the absence of a recorded refusal set. 3 Note that recording • does not imply that there is no refusal to observe, simply that we have not observed stability. The observation of the refusal ∅ implies that the process can be stable after the present trace, whereas • does not.
In any model M, we say that Q M-refines P , and write P M Q, if the set associated to Q is a subset of that corresponding to P .

Model shifting for the failures model
The construction is as follows:

Proof.
Step 1: We use priority to produce a process (over an expanded alphabet) that can communicate an event x if and only if the original process P is able to stably refuse x. This is done by expanding the alphabet Σ to Σ ∪ Σ (where Σ contains a corresponding primed event for every event in Σ), and prioritising with respect to a partial order which prioritises each x over the corresponding x . Recall that the definition of the priority operator means that this also causes τ to be promoted over the primed events.
We must also introduce an event stab to signify stability without requiring any refusals to be possible. This is necessary in order to be able to record an empty refusal set. Let the partial order ≤ 1 be defined by x < 1 x ∀ x ∈ Σ, and let the context C 1 be defined by This process has a state ξ for each state ξ of P , where ξ has the same unprimed events (and corresponding transitions) as ξ. Furthermore ξ can communicate x just when ξ is stable and can refuse X, and stab just when ξ is stable.
Step 2: We now recall that the definition of the failures model only allows a refusal set to be recorded at the end of a trace, and is not interested in (so does not record) what happens after the refusal set.
We gain this effect by using a regulator process to prevent a primed event (or stab) from being followed by an unprimed event. Let and define C by A trace of C[P ] consists of: firstly, a trace s of P ; followed by, if P can after s be in a stable state, then for some such state σ 0 any string formed from the events that can be refused in σ 0 , together with stab. The lemma clearly follows. 2 It is clear that any such context must involve an operator that is not compositional over traces, for otherwise we would have which is equivalent to P F Q, and this is not true for general P and Q (consider for instance P = a → STOP , Q = (a → STOP ) STOP ). It follows that only contexts which like ours involve priority can achieve this.

Semantic models
In order to generalise this construction to arbitrary finite observational semantic models, we must give formal definitions not only of particular models but of the very notion of a finite observational model.

Finite observations
We consider only models arising from finite linear observations. Intuitively, we postulate that we are able to observe the process performing a finite number of visible actions, and that where the process was stable (unable to perform a τ ) immediately before an action, we are able to observe the acceptance set of actions it was willing to perform.
Note that we are unable to finitely observe instability: the most we are able to record from an action in an unstable state is that we did not observe stability. Thus in any context where we can observe stability we can also fail to observe it by simply not looking.
We take models to be defined over finite alphabets Σ, and take an arbitrary ordering on each finite Σ to be alphabetical.
The most precise finite observational model is that considering all finite linear observations, and is denoted FL:

Definition 4.1 The set of finite linear observations over an alphabet Σ is
where the a i are interpreted as a sequence of communicated events, and the A i denote stable acceptance sets, or in the case of • failure to observe stability. Let the set of such observations corresponding to a process P be denoted FL Σ (P ).
(Sometimes we will drop the Σ and just write FL(P )). More formally, FL(P ) can be defined inductively; for instance (where X ∪ • := • for any set X). See Section 11.1.1 of [12] for further details.
Observe that FL has a natural partial order corresponding to extensions (where αˆ • ˆβ and αˆ A are both extended by αˆ A ˆβ for any set A and any α and β). Note that for any process P we have that FL(P ) is downwards-closed with respect to this partial order.

Finite observational models
We consider precisely the models which are derivable from the observations of FL, which are well-defined in the sense that they are compositional over CSP syntax (other than priority), and which respect extension of the alphabet Σ. For processes P and Q over alphabet Σ, if we have M Σ (Q) ⊆ M Σ (P ) then we say Q M-refines P , and write P M Q.
(As before we will sometimes drop the Σ). Note that this definition is less general than if we had defined a pre-model to be any equivalence relation on P (FL Σ ). For example, the equivalence relating sets of the same cardinality has no corresponding pre-model. Definition 4.2 agrees with that sketched in [12].
Without loss of generality, M Σ does not identify any elements of obs Σ (M); that is, only if x = y (otherwise quotient by this equivalence relation). Subject to this assumption, M Σ induces a partial order on obs Σ (M): Observe that for any process P it follows from this definition that M(P ) is downwards-closed with respect to this partial order (since FL(P ) is downwardsclosed).

Definition 4.4 A pre-model M is
compositional if for all CSP operators , say of arity k, and for all processes P 1 , . . . , P k and Q 1 , This means that the operator defined on processes in obs(M) by taking the pushforward of along M is well-defined: for any sets X 1 , . . . , X k ⊆ obs(M) which correspond to the images of CSP processes, take processes P 1 , . . . , P k such that X i = M(P i ), and let Definition 4.4 says that the result of this does not depend on the choice of the P i . Note that it is not necessary to require the equivalent of Definition 4.4 for recursion in the definition of a model, because of the following lemma which shows that least fixed point recursion is automatically well-defined (and formalises some arguments given in [12]): Proof. Using the fact that CSP contexts induce Scott-continuous functions on P(FL) (see [6], Section 2.8.2), the Kleene fixed point theorem gives that P i = ∞ n=0 C n i (⊥). Now any x ∈ M(P 1 ) is in the union taken up to some finite N , and since finite unions correspond to internal choice, and ⊥ to the process div, we have that the unions up to N of C 1 and C 2 agree under M by compositionality. Hence x ∈ M(P 2 ), so M(P 1 ) ⊆ M(P 2 ). Similarly M(P 2 ) ⊆ M(P 1 ). 2

Definition 4.7 A pre-model is a model if it is compositional and extensional.
In this setting, we now describe the five main finite observational models coarser than FL: traces, failures, revivals, acceptances and refusal testing.

The traces model
The coarsest model measures only the traces of a process; that is, the sequences of events it is able to accept. This corresponds to the language of the process viewed as a nondeterministic finite automaton (NFA).

Definition 4.8
The traces model, T , is given by where trace is the equivalence relation which relates the observation A 0 , a 1 , A 1 , . . . , a n , A n to the string a 1 . . . a n .

Failures
The traces model gives us information about what a process is allowed to do, but it in some sense tells us nothing about what it is required to do. In particular, the process STOP trace-refines any other process.
In order to specify liveness properties, we can incorporate some information about the events the process is allowed to refuse, begining with the failures model. Intuitively, this captures traces s, together with the sets of events the process is allowed to stably refuse after s.

Definition 4.9
The failures model, F, is given by where fail Σ relates the observation A 0 , . . . , a n , A n to all pairs (a 1 . . . a n , X), for all X ⊆ Σ \ A n if A n = •, and for X = • otherwise.

Revivals
The next coarsest model, first introduced in [11], is the revivals model. Intuitively this captures traces s, together with sets X that can be stably refused after s, and events a (if any) that can then be accepted.

Definition 4.10
The revivals model, R, is given by where rev Σ relates the observation A 0 , a 1 , . . . , a n−1 , A n−1 , a n , A n to (i) the triples (a 1 . . . a n−1 , X, a n ), for all X ⊆ Σ \ A n−1 if A n−1 = • and for X = • otherwise, and (ii) the triples (a 1 . . . a n , X, •), for all X ⊆ Σ\A n if A n = • and for X = • otherwise.
A finite linear observation is related to all triples consisting of: its initial trace; a stable refusal that could have been observed, or • if the original observation did not observe stability; and optionally (part (i) above) a single further event that can be accepted.

Acceptances
All the models considered up to now refer only to sets of refusals, which in particular are closed under subsets. The next model, acceptances (also known as 'ready sets'), refines the previous three and also considers the precise sets of events that can be stably accepted at the ends of traces.

Definition 4.11
The acceptances model, A, is given by where acc Σ relates the observation A 0 , a 1 , . . . , a n , A n to the pair (a 1 . . . a n , A n ).

Refusal testing
The final model we consider is that of refusal testing, first introduced in [9]. This refines F and R by considering an entire history of events and stable refusal sets. It is incomparable to A, because it does not capture precise acceptance sets.

Definition 4.12
The refusal testing model, RT , is given by where rt Σ relates the observation A 0 , . . . , a n , A n to X 0 , . . . , a n , X n , for all

Rational models
We will later on wish to consider only models M for which the correspondence between FL-observations and M observations is decidable by a finite memory computer. We will interpret this notion as saying the the relation M Σ corresponds to the language accepted by some finite state automaton. In order to do this, we must first decide how to convert elements of FL Σ to words in a language. We do this in the obvious way (the reasons for using fresh variables to represent the A i will become apparent in Section 5). We now define a model to be rational (borrowing a term from automata theory) if its defining relation can be recognised (when suitably encoded) by some nondeterministic finite automaton. Definition 4.14 A model M is rational if for every alphabet Σ, there is some finite alphabet Θ and a map ψ Σ : obs Σ (M) → Θ * , such that there is a (nondeterministic) finite automaton A recognising {(φ Σ (x), ψ Σ (y)) : (x, y) ∈ M Σ }, and such that ψ Σ is order-reflecting (that is, ψ Σ (x) ≤ ψ Σ (y) only if x ≤ y), with respect to the prefix partial order on Θ * , and the partial order induced by M Σ on obs Σ (M).
What does it mean for an automaton to 'recognise' a relation? Note that recognisability in the sense of Definition 4.15 is easily shown to be equivalent to the common notion of recognisability by a finte state transducer given for instance in [16], but the above definition is more convenient for our purposes. Note also that FL itself (viewing FL Σ as the diagonal relation) is trivially rational. Note that not all relations are rational. For instance, the 'counting relation' mapping each finite linear observation to its length is clearly not rational. We do not know whether the additional constraint of being a finite observational model necessarily implies rationality; however, no irrational models are known. We therefore venture the following conjecture:

Model shifting
We now come to the main substance of this paper: we prove results on 'model shifting', showing that there exist contexts allowing us to pass between different semantic models and the basic traces model. The main result is Theorem 5.4, which shows that this is possible for any rational model.

Model shifting for FL
We begin by proving the result for the finest model, FL. We show that there exists a context C FL such that for any process P , the finite linear observations of P correspond to the traces of C FL (P ). Lemma 5.1 (Model shifting for FL) For every alphabet Σ, there exists a context C FL over alphabet T := Σ ∪ Σ ∪ Σ ∪ {done}, and an order-reflecting map π : FL Σ → T * (with respect to the extension partial order on FL Σ and the prefix partial order on T * ) such that for any process P over Σ we have T (C FL [P ]) = pref(π(FL(P ))) (where pref(X) is the prefix-closure of the set X).
Proof. We will use the unprimed alphabet Σ to denote communicated events from the original trace, and the double-primed alphabet Σ to denote stable acceptances. Σ will be used in an intermediate step to denote refusals, and done will be used to distinguish ∅ (representing an empty acceptance set) from • (representing a failure to observe anything).
Step 1: We first produce a process which is able to communicate events x i , just when the original process can stably refuse the corresponding x i . Define the partial order ≤ 1 = x < 1 x : x ∈ Σ , which prevents refusal events when the corresponding event can occur.
Let the context C 1 be given by Note that the third argument prevents primed events from occurring in unstable states.
Step 2: We now similarly introduce acceptance events, which can happen in stable states when the corresponding refusal can't.
Similarly define the partial order ≤ 2 = x < 2 x : x ∈ Σ , which prevents acceptance events when the corresponding refusal is possible. Let the context C 2 be defined by Step 3: We now ensure that an acceptance set inferred from a trace is a complete set accepted by the process under examination. This is most straightforwardly done by employing a regulator process, which can either accept an unprimed event or accept the alphabetically first refusal or acceptance event, followed by a refusal or acceptance for each event in turn. In the latter case it then communicates a done event, and returns to its original state.
The done event is necessary in order to distinguish between a terminal ∅, which can have a done after the last event, and a terminal •, which cannot (observe that a ∅ cannot occur other than at the end). Finally, we hide the refusal events.
Let a and z denote the alphabetically first and last events respectively, and let succ x denote the alphabetical successor of x. Define the processes and let Step 4: We now complete the proof by defining the function π inductively as follows: where without loss of generality the x i are listed in alphabetical order. It is clear that this is order-reflecting, and by the construction above satisfies T (C FL [P ]) = pref(π(FL(P ))). 2 This result allows us to translate questions of FL-refinement into questions of trace refinement under C FL , as follows:

Model shifting for rational observational models
We now have essentially all we need to prove the main theorem. We record a folk result, that any NFA can be implemented as a CSP process (up to prefix-closure, since trace-sets are prefix-closed but regular languages are not): Proof. Let A be the automaton recognising (φ × ψ)(M) (as from Definition 4.14), and let P A be the corresponding process from Lemma 5.3. We first apply Lemma 5.1 to produce a process whose traces correspond to the finite linear observations of the original process, prefixed with left: let C FL be the context from Lemma 5.1, and let the context C 1 be defined by We now compose in parallel with P A , to produde a process whose traces correspond to the M-observations of the original process. Let C 2 be defined by Then the traces of C 2 [X] are precisely the prefixes of the images under ψ of the observations corresponding to X, as required. 2 By the same argument as for Corollary 5.2, we have

Implementation
We demonstrate the technique by implementing contexts with the property of Corollary 5.5; source code may be found at [1].
For the sake of efficiency we work directly rather than using the general construction of Theorem 5.4. The context C1 introduces refusal events and a stab event, which can occur only when the corresponding normal events can be refused. This implements the refusal testing model, and the context CF which allows only normal events optionally followed by some refusals (and stab) implements the failures model. This is however suboptimal over large alphabets, in the typical situation where most events are refused most of the time. FDR3's inbuilt failures refinement checking is able to compare acceptance sets (checking that the acceptances of the specification are a subset of those of the implementation), which are typically smaller than the refusal sets.
The context C' introduces acceptance events which can occur only in stable states where the corresponding refusal cannot, and then blocks all refusals. The problem then is: how to check that the acceptances of the specification are a subset of those of the implementation, despite the fact that trace refinement checks for inclusion the other way?
The answer is to use priority to prevent the stab event from happening while acceptances are still available, so that CFImpl' is able to communicate only its precise acceptance sets. We then form CFSpec' by parallel composition with RUN for all the acceptance events, so that CFSpec' can communicate any supersets of its acceptance set.
Similar constructions with slightly different restrictions on the permissible sequences of events produce efficient processes for the revivals and refusal testing models. For the acceptances model, we just want to check for inclusion of the implementation's acceptance sets in those of the specification, so the context CFImpl' works for both the specification and the implementation; finite linear observations works similarly with failures replaced by refusal testing.

Testing
We test this implementation by constructing processes which are first distinguished by the failures, revivals, refusal testing and acceptance models respectively (the latter two being also distinguished by the finite linear observations model). The processes, and the models which do and do not distinguish them, are shown in Table 1 (recall the precision hierarchy of models: T ≤ F ≤ R ≤ {A, RT } ≤ FL). The correct results are obtained when these checks are run in FDR3 with the implementation described above. is the interrupt operator; see [12] for details.

Performance
We assess the performance of our simulation by running those examples from Table  1 of [5] which involve refinement checks (as opposed to deadlock-or divergencefreedom assertions), and comparing the timings for our construction against the time taken by FDR3's inbuilt failures refinement check (since F is the only model for which we have a point of comparison between a direct implementation and the methods developed in this paper). Results are shown in Table 2, for both the original and revised contexts described above; the perfomance of the FL check is also shown. As may be seen, performance is somewhat worse but not catastrophically so. Note however that these processes involve rather small alphabets; performance is expected to be worse for larger alphabets.

Example: Conflict detection
We illustrate the usefulness of richer semantic models than just traces and failures by giving a sample application of the revivals model. Suppose that we have a process P consisting of the parallel composition of two sub-processes Q and R. The failures model is able to detect when P can refuse all the events of their shared alphabet, or deadlock in the case when they are synchronised on the whole alphabet. However, it is unable to distinguish between the two possible causes of this: it may be that one of the composands is able to refuse the entire shared alphabet, or it may be that each accepts some events from the shared alphabet, but the acceptances of Q and R are disjoint. We refer to the latter situation as a 'conflict'. The absence of conflict (and similar situations) is at the core of a number of useful ways of proving deadlock-freedom for networks of processes running in parallel [14]. The revivals model can be used to detect conflicts. For a process P = Q X Y R, we introduce a fresh event a to represent a generic event from the shared alphabet, and form the process P = Q X Y R , where Q = Q [[{(x, x), (x, a) : x ∈ X}]], X = X ∪{a}, and similarly for R and Y . Conflicts of P now correspond to revivals (s, X ∩ Y, a), where s is a trace not containing a.

Conclusions
The result of Theorem 5.4 shows that the expressibility of all finite observational (rational) models can in some sense be simulated by the traces model using the priority operator. This provides a practical method of testing refinement over models that FDR does not directly support. While any such model could be implemented directly in the program itself, we have shown this is not necessary. This also serves to further demonstrate the power and usefulness of the priority operator (see also the previous work of the second-named author on the expressiveness of CSP with priority [13] and on 'slow abstraction' [15]).
Note that this type of construction can be used more generally. Firstly, it seems likely that the construction can be extended to non-finite models; for instance to reduce failures-divergences tests to traces-divergences, or infinite-traces-failuresdivergences to infinite-traces-divergences.
Secondly, the construction does not use the requirement that a model be compositional. This means that it will work for any rational set of observable behaviours, such as the singleton failures semantics presented in [3]. The techniques described here can also be used to support the Timed Failures model of Timed CSP in FDR3 [2].
The limitation to rational models is from a theoretical point of view rather unsatisfactory, although it may be of little practical significance since all known models (and probably all models one would be likely to come up with) are clearly rational. However, Conjecture 4.17 remains of interest since a resolution in either direction would undoubtedly yield insight into the structure of the 'clouds' of models lying above R set out in [11]. under agreement number FA8750-12-2-0247.