(*<*) theory "paper" imports "Isabelle_DOF.scholarly_paper" begin open_monitor*[this::article] declare[[ strict_monitor_checking = false]] declare[[ Definition_default_class = "definition"]] declare[[ Lemma_default_class = "lemma"]] declare[[ Theorem_default_class = "theorem"]] define_shortcut* csp \ \CSP\ holcsp \ \HOL-CSP\ isabelle \ \Isabelle/HOL\ (*>*) title*[tit::title]\Philosophers may Dine - Definitively!\ author*[safouan,email="\safouan.taha@lri.fr\",affiliation="\LRI, CentraleSupelec\"]\Safouan Taha\ author*[bu,email= "\wolff@lri.fr\",affiliation = "\LRI, Université Paris-Saclay\"]\Burkhart Wolff\ author*[lina,email="\lina.ye@lri.fr\",affiliation="\LRI, Inria, LSV, CentraleSupelec\"]\Lina Ye\ abstract*[abs, keywordlist="[\Shallow Embedding\,\Process-Algebra\, \Concurrency\,\Computational Models\]"] \ The theory of Communicating Sequential Processes, going back to Hoare and Roscoe, is still today one of the reference theories for concurrent specification and computing. In 1997, a first formalization in \<^isabelle> of the denotational semantics of the Failure/Divergence Model of \<^csp> was undertaken; in particular, this model can cope with infinite alphabets, in contrast to model-checking approaches, which are limited to finite ones. In this paper, we extend this theory to a significant degree by taking advantage of the more powerful automation of modern Isabelle versions, bringing it even closer to recent developments in the semantic foundation of \<^csp>. More importantly, we use this formal development to analyse a family of refinement notions, comprising classic and new ones. This analysis enabled us to derive a number of properties that deepen the understanding of these notions, in particular with respect to specification decomposition principles in the infinite case. Better definitions clarify a number of obscure points in the classical literature, for example concerning the relationship between deadlock- and livelock-freeness. 
As a result, we have a modern environment for formal proofs of concurrent systems that allows us to combine general infinite processes with locally finite ones in a logically safe way. We demonstrate a number of resulting verification techniques on classical, generalized examples: the CopyBuffer and Dijkstra's Dining Philosophers Problem of arbitrary size. If you consider citing this paper, please refer to @{cite "HOL-CSP-iFM2020"}. \ text\\ section*[introheader::introduction,main_author="Some(@{docitem ''bu''}::author)"]\ Introduction \ text*[introtext::introduction]\ Communicating Sequential Processes (\<^csp>) is a language for specifying and verifying patterns of interaction in concurrent systems. Together with CCS and LOTOS, it belongs to the family of \<^emph>\process algebras\. \<^csp>'s rich theory comprises denotational, operational and algebraic semantic facets and has influenced programming languages such as Limbo, Crystal, Clojure and most notably Golang @{cite "donovan2015go"}. \<^csp> has been applied in industry as a tool for specifying and verifying the concurrent aspects of hardware systems, such as the T9000 transputer @{cite "Barret95"}. The theory of \<^csp> was first described by Tony Hoare in 1978 and presented in book form in 1985 @{cite "Hoare:1985:CSP:3921"}, but has since evolved substantially @{cite "BrookesHR84" and "brookes-roscoe85" and "roscoe:csp:1998"}. \<^csp> describes the most common communication and synchronization mechanisms with one single language primitive: synchronous communication, written \_\_\_\. The \<^csp> semantics is a fully abstract model of behaviour designed to be \<^emph>\compositional\: the denotational semantics of a process \P\ encompasses all possible behaviours of this process in the context of all possible environments \P \S\ Env\ (where \S\ is the set of \atomic events\ on which both \P\ and \Env\ must synchronize). 
This design objective has the consequence that two kinds of choice have to be distinguished: \<^enum> the \<^emph>\external choice\, written \_\_\, which forces a process "to follow" whatever the environment offers, and \<^enum> the \<^emph>\internal choice\, written \_\_\, which forces the environment of a process "to follow" the non-deterministic choices the process makes. \ text\ Generalizations of these two operators, \\x\A. P(x)\ and \\x\A. P(x)\, allow the concepts of \<^emph>\input\ and \<^emph>\output\ to be modeled: based on the prefix operator \a\P\ (event \a\ happens, then the process proceeds with \P\), receiving input is modeled by \\x\A. x\P(x)\ while sending output is represented by \\x\A. x\P(x)\. Placing choice at the center of the language semantics implies that deadlock-freeness becomes a vital property for the well-formedness of a process, nearly as vital as type-checking: consider two events \a\ and \b\ not involved in a process \P\; then \(a\P \ b\P) \{a,b}\ (a\P \ b\P)\ is deadlock free provided \P\ is, while \(a\P \ b\P) \{a,b}\ (a\P \ b\P)\ deadlocks (both processes may "ruthlessly" make opposite choices, yet they are required to synchronize). Verification of \<^csp> properties has been centered around the notion of \<^emph>\process refinement orderings\, most notably \_\\<^sub>F\<^sub>D_\ and \_\_\. The latter turns the denotational domain of \<^csp> into a Scott cpo @{cite "scott:cpo:1972"}, which yields a semantics for the fixed point operator \\x. f(x)\ provided that \f\ is continuous with respect to \_\_\. Since it is possible to express deadlock-freeness and livelock-freeness as refinement problems, the verification of properties has traditionally been reduced to a model-checking problem for a finite set of events \A\. We are interested in verification techniques for arbitrary event sets \A\ or arbitrarily parameterized processes. 
Such processes can be used to model dense-timed processes, processes with dynamic thread creation, and processes with unbounded thread-local variables and buffers. However, this adds substantial complexity to the process theory: when it comes to studying the interplay of different denotational models, refinement orderings, and side-conditions for continuity, paper-and-pencil proofs easily reach their limits of precision. Several attempts have been undertaken to develop a formal theory in an interactive proof system, mostly in Isabelle/HOL @{cite "Camilleri91" and "tej.ea:corrected:1997" and "IsobeRoggenbach2010" and "DBLP:journals/afp/Noce16"}. This paper is based on @{cite "tej.ea:corrected:1997"}, which has been the most comprehensive attempt to formalize the denotational \<^csp> semantics, covering a part of Bill Roscoe's book @{cite "roscoe:csp:1998"}. Our contributions are as follows: \<^item> we ported @{cite "tej.ea:corrected:1997"} from Isabelle93-7 and ancient ML-written proof scripts to a modern Isabelle/HOL version and structured Isar proofs, and extended it substantially, \<^item> we introduced new refinement notions allowing a deeper understanding of the \<^csp> Failure/Divergence model, providing some meta-theoretic clarifications, \<^item> we used our framework to derive new types of decomposition rules and stronger induction principles based on the new refinement notions, and \<^item> we integrated this machinery into a number of advanced verification techniques, which we apply to two generalized paradigmatic examples from the \<^csp> literature, the CopyBuffer and the Dining Philosophers@{footnote \All proofs concerning the HOL-CSP 2 core have been published in the Archive of Formal Proofs @{cite "HOL-CSP-AFP"}; all other proofs are available at \<^url>\https://gitlri.lri.fr/burkhart.wolff/hol-csp2.0\. In this paper, all Isabelle proofs are omitted.\}. 
\ (* % Moreover, decomposition rules of the form: % \begin{center} % \begin{minipage}[c]{10cm} % @{cartouche [display] \C \ A \\<^sub>F\<^sub>D A' \ B \\<^sub>F\<^sub>D B' \ A \S\ B \\<^sub>F\<^sub>D A' \S\ B'\} % \end{minipage} % \end{center} % are of particular interest since they allow to avoid the costly automata-product construction % of model-checkers and to separate infinite sub-systems from finite (model-checkable) ones; however, % their side-conditions \C\ are particularly tricky to work out. Decomposition rules may pave the % way for future tool combinations for model-checkers such as FDR4~@{cite "fdr4"} or % PAT~@{cite "SunLDP09"} based on proof certifications.*) section*["pre"::tc,main_author="Some(@{docitem \bu\}::author)"] \Preliminaries\ text\\ subsection*[cspsemantics::tc, main_author="Some(@{docitem ''bu''})"]\Denotational \<^csp> Semantics\ text\ The denotational semantics (following @{cite "roscoe:csp:1998"}) comes in three layers: the \<^emph>\trace model\, the \<^emph>\(stable) failures model\ and the \<^emph>\failure/divergence model\. In the trace semantics model, a process \P\ is denoted by a set of communication traces, built from atomic events. A trace here represents a partial history of the communication sequence occurring when a process interacts with its environment. For the two basic \<^csp> processes \Skip\ (successful termination) and \Stop\ (just deadlock), the semantic function \\\ of the trace model just gives the same denotation, \<^ie> the empty trace: \\(Skip) = \(Stop) = {[]}\. 
Note that trace sets, representing all \<^emph>\partial\ histories, are prefix closed.\ text*[ex1::math_example, status=semiformal] \ Let two processes be defined as follows: \<^enum> \P\<^sub>d\<^sub>e\<^sub>t = (a \ Stop) \ (b \ Stop)\ \<^enum> \P\<^sub>n\<^sub>d\<^sub>e\<^sub>t = (a \ Stop) \ (b \ Stop)\ \ text\These two processes \P\<^sub>d\<^sub>e\<^sub>t\ and \P\<^sub>n\<^sub>d\<^sub>e\<^sub>t\ cannot be distinguished by the trace semantics: \\(P\<^sub>d\<^sub>e\<^sub>t) = \(P\<^sub>n\<^sub>d\<^sub>e\<^sub>t) = {[],[a],[b]}\. To resolve this problem, Brookes, Hoare and Roscoe @{cite "BrookesHR84"} proposed the failures model, in which communication traces are augmented with information about the further communication that is possible, represented negatively as refusal sets. A failure \(t, X)\ is a pair of a trace \t\ and a set of events \X\ that the process can refuse if any of the events in \X\ are offered to it by the environment after it has performed the trace \t\. The semantic function \\\ of the failures model maps a process to a set of failures. Let \\\ be the set of events. Then \{([],\)} \ \ Stop\, as the process \Stop\ refuses all events. For Example 1, we have \{([],\\{a,b}),([a],\),([b],\)} \ \ P\<^sub>d\<^sub>e\<^sub>t\, while \{([],\\{a}),([],\\{b}),([a],\),([b],\)} \ \ P\<^sub>n\<^sub>d\<^sub>e\<^sub>t\ (the \_\_\ refers to the fact that refusals must be downward closed; we show only the maximal refusal sets here). Thus internal and external choice, also called \<^emph>\nondeterministic\ and \<^emph>\deterministic\ choice, can be distinguished in the failures semantics. However, it turns out that the failures model suffers from another deficiency with respect to the phenomenon called infinite internal chatter or \<^emph>\divergence\.\ text*[ex2::example, status=semiformal] \ The following process \P\<^sub>i\<^sub>n\<^sub>f\ is an infinite process that performs \a\ infinitely many times. 
However, using the \<^csp> hiding operator \_\_\, this activity is concealed: \<^enum> \P\<^sub>i\<^sub>n\<^sub>f = (\ X. a \ X) \ {a}\ \ text\where \P\<^sub>i\<^sub>n\<^sub>f\ will be equivalent to \\\ in the process cpo ordering. To distinguish divergences from the deadlock process, Brookes and Roscoe proposed the failure/divergence model, which incorporates divergence traces @{cite "brookes-roscoe85"}. A divergence trace is a trace leading to a possible divergent behavior. A well-behaved process should be able to respond to its environment in a finite amount of time; hence, divergences are considered a kind of catastrophe in this model. Thus, a process is represented by a failure set \\\ together with a set of divergence traces \\\; in our example, the empty trace \[]\ belongs to \\ P\<^sub>i\<^sub>n\<^sub>f\. The failure/divergence model has become the standard semantics for an enormous range of \<^csp> research and for the implementations of @{cite "fdr4" and "SunLDP09"}. Note that the work of @{cite "IsobeRoggenbach2010"} is restricted to a variant of the failures model only. \ subsection*["isabelleHol"::tc, main_author="Some(@{docitem ''bu''})"]\Isabelle/HOL\ text\ Nowadays, Isabelle/HOL is one of the major interactive theory development environments @{cite "nipkow.ea:isabelle:2002"}. HOL stands for Higher-Order Logic, a logic based on the simply-typed \\\-calculus extended by parametric polymorphism and Haskell-like type classes. Besides interactive and integrated automated proof procedures, it offers code and documentation generators. Its structured proof language Isar is used intensively in the large body of existing work and has been a key factor for the success of the Archive of Formal Proofs (\<^url>\https://www.isa-afp.org\). For the work presented here, one relevant construction is: \<^item> \<^theory_text>\typedef (\\<^sub>1,...,\\<^sub>n)t = E\ It creates a fresh type that is isomorphic to a (non-empty) set \E\ over the types \\\<^sub>1,...,\\<^sub>n\. 
Isabelle/HOL performs a number of syntactic checks for these constructions that guarantee the logical consistency of the defined constants or types relative to the axiomatic basis of HOL. The system distribution comes with rich libraries comprising Sets, Numbers, Lists, etc. which are built in this "conservative" way. For this work, a particular library called \<^theory_text>\HOLCF\ is intensively used. It provides classical domain theory for a particular type-class \\::pcpo\, \<^ie> the class of types \\\ for which \<^enum> a least element \\\ is defined, and \<^enum> a complete partial order \_\_\ is defined. For these types, \<^theory_text>\HOLCF\ provides a fixed-point operator \\X. f X\ as well as the fixed-point induction and other (automated) proof infrastructure. Isabelle's type-inference can automatically infer, for example, that if \\::pcpo\, then \(\ \ \)::pcpo\. \ section*["csphol"::tc,main_author="Some(@{docitem ''bu''}::author)", level="Some 2"] \Formalising Denotational \<^csp> Semantics in HOL \ text\\ subsection*["processinv"::tc, main_author="Some(@{docitem ''bu''})"] \Process Invariant and Process Type\ text\ First, we need a slight revision of the concept of \<^emph>\trace\: if \\\ is the type of the atomic events (represented by a type variable), then we need to extend this type by a special event \\\ (called "tick") signaling termination. Thus, traces have the type \(\+\)\<^sup>*\, written \\\<^sup>\\<^sup>*\; since \\\ may only occur at the end of a trace, we need to define a predicate \front\<^sub>-tickFree t\ that requires from traces that \\\ can only occur at the end. Second, in the traditional literature, the semantic domain is implicitly described by 9 "axioms" over the three semantic functions \\\, \\\ and \\\. 
Informally, these are: \<^item> the initial trace of a process must be empty; \<^item> any allowed trace must be \front\<^sub>-tickFree\; \<^item> traces of a process are \<^emph>\prefix-closed\; \<^item> a process can refuse all subsets of a refusal set; \<^item> any event that cannot occur after a trace \s\ can be added to any refusal set associated with \s\; \<^item> if the tick is possible after a trace \s\, then all other events may be refused after \s\; \<^item> any extension of a divergence trace is itself a divergence trace; \<^item> once a process has diverged, it can engage in or refuse any sequence of events; \<^item> if a trace ending with \\\ belongs to the divergence set, then its maximal prefix without \\\ is also a divergence trace. More formally, a process \P\ of the type \\ process\ should have the following properties: @{cartouche [display] \([],{}) \ \ P \ (\ s X. (s,X) \ \ P \ front_tickFree s) \ (\ s t . (s@t,{}) \ \ P \ (s,{}) \ \ P) \ (\ s X Y. (s,Y) \ \ P \ X\Y \ (s,X) \ \ P) \ (\ s X Y. (s,X) \ \ P \ (\c \ Y. ((s@[c],{}) \ \ P)) \ (s,X \ Y) \ \ P) \ (\ s X. (s@[\],{}) \ \ P \ (s,X-{\}) \ \ P) \ (\ s t. s \ \ P \ tickFree s \ front_tickFree t \ s@t \ \ P) \ (\ s X. s \ \ P \ (s,X) \ \ P) \ (\ s. s@[\] \ \ P \ s \ \ P)\} Our objective is to encapsulate this wishlist into a type constructed as a conservative theory extension in our theory \<^holcsp>. Therefore, third, we define a pre-type for processes \\ process\<^sub>0\ by \ \ (\\<^sup>\\<^sup>* \ \ (\\<^sup>\)) \ \ (\\<^sup>\)\. Fourth, we turn our wishlist of "axioms" above into the definition of a predicate \is_process P\ of type \\ process\<^sub>0 \ bool\ deciding whether its conditions are fulfilled. Since \P\ is a pre-process, we replace \\\ by \fst\ and \\\ by \snd\ (the HOL projections of a pair). And last but not least, fifth, we use the following type definition: \<^item> \<^theory_text>\typedef '\ process = "{P :: '\ process\<^sub>0 . is_process P}"\ Isabelle requires a proof that this set has a witness, but one can be constructed in a straightforward manner. Suitable definitions for \\\, \\\ and \\\ lifting \fst\ and \snd\ to the new \'\ process\-type allow the above properties to be derived for any \P::'\ process\. \ subsection*["operator"::tc, main_author="Some(@{docitem ''lina''})"] \\<^csp> Operators over the Process Type\ text\ Now, the operators of \<^csp> \Skip\, \Stop\, \_\_\, \_\_\, \_\_\,\_\_\_\ etc. for internal choice, external choice, prefix and parallel composition, can be defined indirectly on the process type. For example, for the simple case of the internal choice, we construct it such that \_\_\ has type \'\ process \ '\ process \ '\ process\ and such that its projection laws satisfy the properties \\ (P \ Q) = \ P \ \ Q\ and \\ (P \ Q) = \ P \ \ Q\ required by @{cite "roscoe:csp:1998"}. This boils down to a proof that an equivalent definition on the pre-process type \\ process\<^sub>0\ maintains \is_process\, \<^ie> this predicate remains invariant on the elements of the semantic domain. For example, we define \_\_\ on the pre-process type as follows: \<^item> \<^theory_text>\definition "P \ Q \ Abs_process(\ P \ \ Q , \ P \ \ Q)"\ where \\ = fst \ Rep_process\ and \\ = snd \ Rep_process\ and where \Rep_process\ and \Abs_process\ are the representation and abstraction morphisms resulting from the type definition, which links \'\ process\ isomorphically to the subset of \'\ process\<^sub>0\ satisfying \is_process\. 
Proving the above properties for \\ (P \ Q)\ and \\ (P \ Q)\ requires a proof that \(\ P \ \ Q , \ P \ \ Q)\ satisfies the 9 "axioms", which is fairly simple in this case. The definitional presentation of the \<^csp> process operators according to @{cite "roscoe:csp:1998"} always follows this scheme. This part of the theory comprises around 2000 loc. \ subsection*["orderings"::tc, main_author="Some(@{docitem ''bu''})"] \Refinement Orderings\ text\ \<^csp> is centered around the idea of process refinement; many critical properties, even ones typically considered "liveness properties", can be expressed in terms of it, and a representation of processes as (finite) labelled transition systems leads to effective model-checking techniques based on graph exploration. Essentially, a process \P\ \<^emph>\refines\ another process \Q\ if and only if it is more deterministic and more defined (has fewer divergences). Consequently, each of the three semantic models (trace, failure and failure/divergence) has its corresponding refinement orderings. In this paper we are interested in the following refinement orderings for the failure/divergence model. \<^enum> \P \\<^sub>\\<^sub>\ Q \ \ P \ \ Q \ \ P \ \ Q\ \<^enum> \P \\<^sub>\\<^sub>\ Q \ \ P \ \ Q \ \ P \ \ Q\ \<^enum> \P \\<^sub>\ Q \ \ P \ \ Q, \\{\,\,\}\ Notice that in the \<^csp> literature, only \\\<^sub>\\<^sub>\\ is well studied for the failure/divergence model. Our formal analysis of different granularities of the refinement orderings allows a deeper understanding of the same semantic model. For example, \\\<^sub>\\<^sub>\\ turns out to have better monotonicity properties in some cases and therefore allows for stronger proof principles in \<^csp>. 
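To make the definitions of this and the two preceding subsections concrete, the following Python model is an added example; it is neither part of the paper nor of the HOL-CSP development. It computes the failure projections of Example 1 over the finite alphabet {a, b}, checks the divergence-free part of the process invariant of the previous subsection, decides the trace and failure refinements defined above as set inclusions, and reproduces the deadlock argument from the introduction for synchronised parallel composition. All names (\Stop\, \Prefix\, \Ext\, \Int\, \Par\, \is_process\, \refines_f\, ...) and the sample processes \P_DET\ and \P_NDET\ are the example's own choices; because the model supports neither recursion nor hiding nor tick, every divergence set is empty, so the failure/divergence refinement coincides with failure refinement here.

```python
"""Executable model of the CSP failures semantics over a finite alphabet.
Added illustration, not HOL-CSP code: no recursion, hiding or tick, so every
process built here is divergence-free and refinement is plain set inclusion."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Set, Tuple, Union

Trace = Tuple[str, ...]
Failure = Tuple[Trace, FrozenSet[str]]

@dataclass(frozen=True)
class Stop:                 # STOP: refuses every event
    pass

@dataclass(frozen=True)
class Prefix:               # a -> P
    event: str
    then: "Proc"

@dataclass(frozen=True)
class Ext:                  # P [] Q, external (deterministic) choice
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Int:                  # P |~| Q, internal (nondeterministic) choice
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Par:                  # P [|A|] Q, synchronising on the events in A
    left: "Proc"
    right: "Proc"
    sync: FrozenSet[str]

Proc = Union[Stop, Prefix, Ext, Int, Par]

def subsets(events: FrozenSet[str]) -> Set[FrozenSet[str]]:
    items = sorted(events)
    return {frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)}

def merge(s: Trace, t: Trace, sync: FrozenSet[str]) -> Set[Trace]:
    """Interleavings of s and t in which the events of `sync` happen jointly."""
    out: Set[Trace] = {()} if not s and not t else set()
    if s and s[0] not in sync:
        out |= {(s[0],) + u for u in merge(s[1:], t, sync)}
    if t and t[0] not in sync:
        out |= {(t[0],) + u for u in merge(s, t[1:], sync)}
    if s and t and s[0] == t[0] and s[0] in sync:
        out |= {(s[0],) + u for u in merge(s[1:], t[1:], sync)}
    return out

def failures(p: Proc, sigma: FrozenSet[str]) -> Set[Failure]:
    """Failure projections after Roscoe, kept fully downward closed over sigma."""
    if isinstance(p, Stop):
        return {((), x) for x in subsets(sigma)}
    if isinstance(p, Prefix):
        init = {((), x) for x in subsets(sigma) if p.event not in x}
        return init | {((p.event,) + s, x) for s, x in failures(p.then, sigma)}
    fl, fr = failures(p.left, sigma), failures(p.right, sigma)
    if isinstance(p, Int):      # the environment cannot influence the choice
        return fl | fr
    if isinstance(p, Ext):      # both sides must agree on the initial refusals
        return {(s, x) for s, x in fl & fr if not s} | {(s, x) for s, x in fl | fr if s}
    return {(u, y | z) for s, y in fl for t, z in fr    # Par: refusals outside the
            if y - p.sync == z - p.sync                 # synchronisation set agree
            for u in merge(s, t, p.sync)}

def traces(p: Proc, sigma: FrozenSet[str]) -> Set[Trace]:
    return {s for s, _ in failures(p, sigma)}

def is_process(f: Set[Failure], sigma: FrozenSet[str]) -> bool:
    """Divergence-free part of the process invariant: empty trace present, traces
    prefix closed, refusals downward closed, impossible next events refusable."""
    tr = {s for s, _ in f}
    if ((), frozenset()) not in f or any(s[:-1] not in tr for s in tr if s):
        return False
    if any((s, y) not in f for s, x in f for y in subsets(x)):
        return False
    return all((s, x | frozenset(c for c in sigma if s + (c,) not in tr)) in f
               for s, x in f)

def refines_t(p: Proc, q: Proc, sigma: FrozenSet[str]) -> bool:
    return traces(q, sigma) <= traces(p, sigma)          # trace refinement of p by q

def refines_f(p: Proc, q: Proc, sigma: FrozenSet[str]) -> bool:
    return failures(q, sigma) <= failures(p, sigma)      # failure refinement of p by q

def deadlock_traces(p: Proc, sigma: FrozenSet[str]) -> Set[Trace]:
    """Traces after which p may refuse the whole alphabet."""
    return {s for s, x in failures(p, sigma) if x == sigma}

# Constructed inputs: Example 1 of the paper over the alphabet {a, b}.
SIGMA = frozenset({"a", "b"})
P_DET = Ext(Prefix("a", Stop()), Prefix("b", Stop()))
P_NDET = Int(Prefix("a", Stop()), Prefix("b", Stop()))
```

With these definitions \traces(P_DET, SIGMA) == traces(P_NDET, SIGMA)\, but the failure \((), frozenset({"b"}))\ belongs to \P_NDET\ only, so \refines_f(P_NDET, P_DET, SIGMA)\ holds while the converse fails; \deadlock_traces(Par(P_NDET, P_NDET, SIGMA), SIGMA)\ contains the empty trace, whereas the external-choice variant deadlocks only after its first event (because its continuation is \Stop\). Both failure sets, and that of the parallel composition, pass \is_process\.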
Furthermore, the refinement ordering \\\<^sub>\\ analyzed here is different from the classical failure refinement in the literature, which is studied for the stable failures model @{cite "roscoe:csp:1998"}, where failures are only defined for stable states, from which no internal progress is possible. \ subsection*["fixpoint"::tc, main_author="Some(@{docitem ''lina''})"] \Process Ordering and HOLCF\ text\ For any denotational semantics, the fixed point theory giving semantics to systems of recursive equations is considered the keystone. Its prerequisite is a complete partial ordering \_\_\. The natural candidate \_\\<^sub>\\<^sub>\_\ is unfortunately not complete for infinite \\\ for the generalized deterministic choice, and thus for the building block of the read operations. Roscoe and Brookes @{cite "Roscoe1992AnAO"} finally proposed another ordering, called the \<^emph>\process ordering\, and restricted the generalized deterministic choice in a particular way such that completeness could at least be assured for read operations. This more complex ordering is based on the concept of \<^emph>\refusals after\ a trace \s\ and is defined by \\ P s \ {X | (s, X) \ \ P}\.\ Definition*[process_ordering, short_name="''process ordering''"]\ We define \P \ Q \ \\<^sub>\ \ \\<^sub>\ \ \\<^sub>\ \, where \<^enum> \\\<^sub>\ = \ P \ \ Q \ \<^enum> \\\<^sub>\ = s \ \ P \ \ P s = \ Q s\ \<^enum> \\\<^sub>\ = Mins(\ P) \ \ Q \ \ text\The third condition \\\<^sub>\\ states that the set of minimal divergent traces (those with no proper prefix that is also a divergence) of \P\, denoted by \Mins(\ P)\, must be a subset of the trace set of \Q\. %One may note that each element in \Mins(\ P)\ do actually not contain the \\\, %which can be deduced from the process invariants described %in the precedent @{technical "processinv"}. This can be explained by the fact that we are not %really concerned with what a process does after it terminates. 
It is straightforward to define the least element \\\ in this ordering by \\(\)= {(s,X). front_tickFree s}\ and \\(\) = {s. front_tickFree s}\ \ text\While the original work @{cite "tej.ea:corrected:1997"} was based on its own, different fixed-point theory, we decided to base HOL-\<^csp> 2 on HOLCF (initiated by @{cite "muller.ea:holcf:1999"} and substantially extended in @{cite "huffman.ea:axiomatic:2005"}). HOLCF is based on parametric polymorphism with type classes. A type class is a constraint on a type variable, requiring it to satisfy certain syntactic and semantic conditions. For example, the type class of partial orderings, denoted by \\::po\, is restricted to all types \\\ possessing a relation \\:\\\\bool\ that is reflexive, anti-symmetric, and transitive. Isabelle possesses a construct for establishing that the type \nat\ belongs to this class, with the consequence that all lemmas derived abstractly on \\::po\ are in particular applicable to \nat\. The type class \po\ can be extended to the class of complete partial orderings \cpo\. A \po\ is said to be complete if all non-empty directed sets have a least upper bound (\lub\). Finally, the class \pcpo\ (pointed cpo) is a \cpo\ ordering that has a least element, denoted by \\\. For \pcpo\ orderings, the two crucial notions of continuity (\cont\) and the fixed-point operator (\\X. f(X)\) are defined in the usual way. A function from one \cpo\ to another is said to be continuous if it distributes over the \lub\ of all directed sets (or chains). One key result of the fixed-point theory is the proof of the fixed-point theorem: @{cartouche [display, indent=25] \cont f \ \X. f(X) = f(\X. f(X))\} For most \<^csp> operators \\\ we derived rules of the form: @{cartouche [display, indent=20] \cont P \ cont Q \ cont(\x. (P x) \ (Q x))\} These rules allow the continuity of any process term to be inferred automatically. 
The port of HOL-CSP 2 to HOLCF meant that all continuity rules had to be re-derived from scratch (3000 loc). HOL-CSP provides an important proof principle, fixed-point induction: @{cartouche [display, indent=5] \cont f \ adm P \ P \ \ (\X. P X \ P(f X)) \ P(\X. f X)\} Fixed-point induction requires a small side-calculus for establishing the admissibility of a predicate; basically, a predicate is admissible if it holds for the least upper bound of any chain \x\<^sub>1 \ x\<^sub>2 \ x\<^sub>3 ... \ provided that \\i. P(x\<^sub>i)\. It turns out that \_\_\ and \_\\<^sub>F\<^sub>D_\, as well as all other refinement orderings that we introduce in this paper, are admissible. Fixed-point inductions are the main proof weapon in verifications, together with monotonicity results and the \<^csp> laws. Denotational arguments can be hidden, as they are not needed in practical verifications. \ subsection*["law"::tc, main_author="Some(@{docitem ''lina''})"] \\<^csp> Rules: Improved Proofs and New Results\ text\ The \<^csp> operators enjoy a number of algebraic properties: commutativity, associativity, and idempotence in some cases. Moreover, there is a rich body of distribution laws between these operators. Our new version HOL-CSP 2 not only shortens and restructures the proofs of @{cite "tej.ea:corrected:1997"}; the code shrinks from 25000 loc to 8000 loc. Some illustrative examples of newly established rules are: \<^item> \\x\A\B\P(x) = (\x\A\P x) \ (\x\B\P x)\ \<^item> \A\B\C \ (\x\A\P x \C\ \x\B\Q x) = \x\A\B\(P x \C\ Q x)\ \<^item> @{cartouche [display]\A\C \ B\C={} \ (\x\A\P x \C\ \x\B\Q x) = \x\B\(\x\A\P x \C\ Q x)\} \<^item> \finite A \ A\C = {} \ ((P \C\ Q) \ A) = ((P \ A) \C\ (Q \ A)) ...\ The continuity proof of the hiding operator is notorious. The proof is known to involve the classical König's lemma, stating that every infinite tree with finite branching has an infinite path. 
We adapt this lemma to our context as follows: @{cartouche [display, indent=5] \infinite tr \ \i. finite{t. \t'\tr. t = take i t'} \ \ f. strict_mono f \ range f \ {t. \t'\tr. t \ t'}\} in order to come up with the continuity rule \finite S \ cont P \ cont(\X. P X \ S)\. The original proof was shortened by a factor of 10 and important intermediate steps were generalized: monotonicity, for example, could be generalized to the infinite case. As for new laws, consider the case of \(P \ A) \ B = P \ (A \ B)\, which is stated in @{cite "Roscoe:UCS:2010"} without proof. In the new version, we managed to establish this law, which still needs 450 lines of complex Isar code. However, it turned out that the original claim does not hold in full generality: it can only be established by again using König's lemma to construct a divergent trace of \P \ (A \ B)\ from a divergent trace of \(P \ A) \ B\, which requires \A\ to be finite (\B\ may be arbitrary) @{footnote \In @{cite "Roscoe:UCS:2010"}, the authors point out that the laws involving the hiding operator may fail when \A\ is infinite; however, they do not give the precise conditions for this case.\}. Again, we want to argue that the sheer number of cases to be considered, as well as their complexity, makes pen-and-paper proofs practically infeasible. \ section*["newResults"::tc,main_author="Some(@{docitem ''safouan''}::author)", main_author="Some(@{docitem ''lina''}::author)", level= "Some 3"] \Theoretical Results on Refinement\ text\\ subsection*["adm"::tc,main_author="Some(@{docitem ''safouan''}::author)", main_author="Some(@{docitem ''lina''}::author)"] \Decomposition Rules\ text\ In our framework, we implemented the pcpo process refinement together with the five refinement orderings introduced in @{technical "orderings"}. To enable fixed-point induction, we first establish the admissibility of the refinements: @{cartouche [display, indent=7] \cont u \ mono v \ adm(\x. u x \\<^sub>\ v x) where \\{\,\,\,\\,\\}\} Next we analyzed the monotonicity of these refinement orderings; the results are then used as decomposition rules in our framework. Some \<^csp> operators, such as multi-prefix and non-deterministic choice, are monotonic under all refinement orderings, while others are not. \<^item> External choice fails to be monotonic only under \\\<^sub>\\; the following monotonicities were proved: @{cartouche [display,indent=5] \P \\<^sub>\ P' \ Q \\<^sub>\ Q' \ (P \ Q) \\<^sub>\ (P' \ Q') where \\{\,\,\\,\\}\} \<^item> The sequence operator is not monotonic under \\\<^sub>\\, \\\<^sub>\\ or \\\<^sub>\\: @{cartouche [display,indent=5] \P \\<^sub>\ P'\ Q \\<^sub>\ Q' \ (P ; Q) \\<^sub>\ (P' ; Q') where \\{\\,\\}\} %All refinements are right-side monotonic but \\\<^sub>\\, \\\<^sub>\\ and \\\<^sub>\\ are not left-side monotonic, %which can be explained by %the interdependence relationship of failure and divergence projections for the first component. %We thus proved: \<^item> The hiding operator is not monotonic under \\\<^sub>\\: @{cartouche [display,indent=5] \P \\<^sub>\ Q \ P \ A \\<^sub>\ Q \ A where \\{\,\,\\,\\}\} %Intuitively, for the divergence refinement of the hiding operator, there may be %some trace \s\\ Q\ and \s\\ P\ such that it becomes divergent in \Q \ A\ but %not in \P \ A\. %when the condition in the corresponding projection laws is satisfied, which makes it is not monotonic. \<^item> Parallel composition is not monotonic under \\\<^sub>\\, \\\<^sub>\\ or \\\<^sub>\\: @{cartouche [display,indent=5] \P \\<^sub>\ P' \ Q \\<^sub>\ Q' \ (P \A\ Q) \\<^sub>\ (P' \A\ Q') where \\{\\,\\}\} %The failure and divergence projections of this operator are also interdependent, similar to the %sequence operator. %Hence, this operator is not monotonic with \\\<^sub>\\, \\\<^sub>\\ and \\\<^sub>\\, but monotonic when their %combinations are considered. 
\ (* Besides the monotonicity results on the above \<^csp> operators, we have also proved that for other \<^csp> operators, such as multi-prefix and non-deterministic choice, they are all monotonic with these five refinement orderings. Such theoretical results provide significant indicators for semantics choices when considering specification decomposition. We want to emphasize that this is the first work on such substantial analysis in a formal way, as far as we know. %In the literature, these processes are defined in a way that does not distinguish the special event \tick\. To be consistent with the idea that ticks should be distinguished on the semantic level, besides the above three processes, one can directly prove 3 since for both \CHAOS\ and \DF\, the version with \SKIP\ is constructed exactly in the same way from that without \SKIP\. And 4 is obtained based on the projection laws of internal choice \\\. Finally, for 5, the difference between \DF\ and \RUN\ is that the former applies internal choice while the latter with external choice. From the projection laws of both operators, the failure set of \RUN\ has more constraints, thus being a subset of that of \DF\, when the divergence set is empty, which is true for both processes. *) subsection*["processes"::tc,main_author="Some(@{docitem ''safouan''}::author)", main_author="Some(@{docitem ''lina''}::author)"] \Reference Processes and their Properties\ text\ We now present reference processes that exhibit basic behaviors, introduced in fundamental \<^csp> works @{cite "Roscoe:UCS:2010"}. The process \RUN A\ always accepts events from \A\ offered by the environment. The process \CHAOS A\ can always choose to accept or reject any event of \A\. The process \DF A\ is the most non-deterministic deadlock-free process on \A\, \<^ie>, it can never refuse all events of \A\. To handle termination better, we added two new processes \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P\ and \DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P\. 
%Note that we do not redefine \RUN\ with \SKIP\ because this process is supposed to never terminate, %thus must be without it. \ (*<*) (* a test ...*) text*[X22 ::math_content ]\\RUN A \ \ X. \ x \ A \ X\ \ text*[X32::"definition", mcc=defn]\\CHAOS A \ \ X. (STOP \ (\ x \ A \ X))\ \ Definition*[X42]\\CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \ \ X. (SKIP \ STOP \ (\ x \ A \ X))\ \ Definition*[X52::"definition"]\\CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \ \ X. (SKIP \ STOP \ (\ x \ A \ X))\ \ text\ The \RUN\-process defined @{math_content X22} represents the process that accepts all events, but never stops nor deadlocks. The \CHAOS\-process comes in two variants shown in @{definition X32} and @{definition X42} @{definition X52}: the process that non-deterministically stops or accepts any offered event, whereas \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P\ can additionally terminate.\ (*>*) Definition*[X2]\\RUN A \ \ X. \ x \ A \ X\ \ Definition*[X3]\\CHAOS A \ \ X. (STOP \ (\ x \ A \ X))\ \ Definition*[X4]\\CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \ \ X. (SKIP \ STOP \ (\ x \ A \ X))\\ Definition*[X5]\\DF A \ \ X. (\ x \ A \ X)\ \ Definition*[X6]\\DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \ \ X. ((\ x \ A \ X) \ SKIP)\ \ text\In the following, we denote \ \\ = {DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P, DF, RUN, CHAOS, CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P}\. All five reference processes are divergence-free. %which was done by using a particular lemma \\ (\ x. f x) = \\<^sub>i\<^sub>\\<^sub>\ \ (f\<^sup>i \)\. @{cartouche [display,indent=8] \ D (\ UNIV) = {} where \ \ \\ and UNIV is the set of all events\ } Regarding the failure refinement ordering, the set of failures \\ P\ of any process \P\ is a subset of \\ (CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV)\.% and the following lemma was proved: % This proof is performed by induction, based on the failure projection of \STOP\ and that of % internal choice. @{cartouche [display, indent=25] \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\ P\} \<^noindent> Furthermore, the following five relationships were established from the monotonicity results and a denotational proof, %among which 1 and 2 are immediate corollaries, %4 and 5 are directly obtained from our monotonicity results while 3 requires a denotational proof. and thanks to transitivity, further relationships can be derived from them. \<^enum> \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \\<^sub>\ CHAOS A\ \<^enum> \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \\<^sub>\ DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P A\ \<^enum> \CHAOS A \\<^sub>\ DF A\ \<^enum> \DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P A \\<^sub>\ DF A\ \<^enum> \DF A \\<^sub>\ RUN A\ Last, regarding trace refinement, for any process \P\, its set of traces \\ P\ is a subset of \\ (CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV)\ and of \\ (DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV)\ as well. %As we already proved that \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P\ covers all failures, %we can immediately infer that it also covers all traces. %The \DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P\ case requires a longer denotational proof. \<^enum> \CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\ P\ \<^enum> \DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\ P\ \ text\ Recall that a concurrent system is considered deadlocked if no component can make any progress, caused for example by competition for resources. 
In opposition to deadlock, processes can enter infinite loops inside a sub-component without ever interacting with their environment again ("infinite internal chatter"); this situation is called divergence or livelock. Neither property is just a sanity condition; in \<^csp>, both play a central role in verification. For example, if one wants to establish that a protocol implementation \IMPL\ satisfies a non-deterministic specification \SPEC\ it suffices to ask if \IMPL || SPEC\ is deadlock-free. In this setting, \SPEC\ becomes a kind of observer that signals non-conformance of \IMPL\ by deadlock. % A livelocked system looks similar to a deadlocked one from an external point of view. % However, livelock is sometimes considered as worse since the user may be able to observe the internal % activities and so hope that some output will happen eventually. In the literature, deadlock and livelock are phenomena that are often handled separately. One contribution of our work is to establish their precise relationship inside the Failure/Divergence Semantics of \<^csp>.\ (* bizarre: Definition* does not work for this single case *) text*[X10::"definition"]\ \deadlock\<^sub>-free P \ DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\ P\ \ text\\<^noindent> A process \P\ is deadlock-free if and only if after any trace \s\ without \\\, the union of \\\ and all events of \P\ can never be a refusal set associated to \s\, which means that \P\ cannot be deadlocked after any non-terminating trace. \ Theorem*[T1, short_name="\DF definition captures deadlock-freeness\"] \ \hfill \break \deadlock_free P \ (\s\\ P. tickFree s \ (s, {\}\events_of P) \ \ P)\ \ Definition*[X11]\ \livelock\<^sub>-free P \ \ P = {} \ \ text\ Recall that all five reference processes are livelock-free. We also have the following lemmas about the livelock-freeness of processes: \<^enum> \livelock\<^sub>-free P \ \ UNIV \\<^sub>\ P where \ \ \\

\ \<^enum> @{cartouche [display]\livelock\<^sub>-free P \ DF\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\\<^sub>\ P \ CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\\<^sub>\ P\} \<^enum> \livelock\<^sub>-free P \ CHAOS\<^sub>S\<^sub>K\<^sub>I\<^sub>P UNIV \\<^sub>\\<^sub>\ P\ \ text\ Finally, we proved the following theorem that confirms the relationship between the two vital properties: \ Theorem*[T2, short_name="''DF implies LF''"] \ \deadlock_free P \ livelock_free P\ \ text\ This is totally natural at first glance, but surprising since the proof of deadlock-freeness only requires failure refinement \\\<^sub>\\ (see @{definition \X10\}) where divergence traces are mixed within the failures set. Note that the existing tools in the literature normally detect these two phenomena separately, such as FDR, for which checking livelock-freeness is very costly. In our framework, deadlock-freeness of a given system implies its livelock-freeness. However, if a system is not deadlock-free, then it may still be livelock-free. % This makes sense since livelocks are worse than deadlocks. \ section*["advanced"::tc,main_author="Some(@{docitem ''safouan''}::author)",level="Some 3"] \Advanced Verification Techniques\ text\ Based on the refinement framework discussed in @{docitem "newResults"}, we will now turn to some more advanced proof principles, tactics and verification techniques. We will demonstrate them on two paradigmatic examples well-known in the \<^csp> literature: The CopyBuffer and Dijkstra's Dining Philosophers. In both cases, we will exploit the fact that HOL-CSP 2 allows for reasoning over infinite \<^csp>; in the first case, we reason over infinite alphabets approaching an old research objective: exploiting data-independence @{cite "Lazic1998ASS" and "AnZhangYou14"} in process verification. In the latter case, we present an approach to the verification of a parameterized architecture, in this case a ring-structure of arbitrary size. 
\ subsection*["illustration"::tc,main_author="Some(@{docitem ''safouan''}::author)", level="Some 3"] \The General CopyBuffer Example\ text\ We consider the paradigmatic copy buffer example @{cite "Hoare:1985:CSP:3921" and "Roscoe:UCS:2010"} that is characteristic for a specification of a prototypical process and its implementation. It is used extensively in the \<^csp> literature to illustrate the interplay of communication, component concealment and fixed-point operators. The process \COPY\ is a specification of a buffer of size one that receives elements from the channel \left\ of arbitrary type \\\ and outputs them on the channel \right\: @{theory_text [display,indent=5] \ datatype \ events = left \ | right \ | mid \ | ack definition COPY \ (\ X. left?x \ (right!x \ X))\} \<^noindent> From our HOL-CSP 2 theory that establishes the continuity of all \<^csp> operators, we deduce that such a fixed-point process \COPY\ exists and follows the unrolling rule below: @{theory_text [display,indent=5] \lemma COPY = (left?x \ (right!x \ COPY))\} \<^noindent> We put \SEND\ and \REC\ in parallel, chained via a middle channel \mid\ and synchronizing on an \ack\ event. Then, we hide all exchanged events between these two processes and we call the resulting process \SYSTEM\: @{theory_text [display,indent=5] \ definition SEND \ (\ X. left?x \ (mid!x \ (ack \ X))) definition REC \ (\ X. mid?x \ (right!x \ (ack \ X))) definition SYN \ (range mid) \ {ack} definition "SYSTEM \ (SEND \SYN\ REC) \\ SYN"\} \<^noindent> We want to verify that \SYSTEM\ implements \COPY\. As shown below, we apply fixed-point induction to prove that \SYSTEM\ refines \COPY\ using the \pcpo\ process ordering \\\ that implies all other refinement orderings. We state: @{theory_text [display,indent=5] \lemma: COPY \ SYSTEM\} and apply fixed-point induction over \COPY\; this leaves us with three subgoals: \<^enum> \adm (\a. 
a \ (SEND \SYN\ REC) \ SYN)\ \<^enum> \\ \ (SEND \SYN\ REC) \ SYN\ \<^enum> @{cartouche [display]\P \ (SEND \SYN\ REC) \ SYN \ left?x \ right!x \ P \ (SEND \SYN\ REC) \ SYN\} The first two sub-proofs are automatic simplification proofs; the third requires unfolding \SEND\ and \REC\ one step and applying the algebraic laws. No denotational semantics reasoning is necessary here; it is just an induct-simplify proof consisting of a 2-line proof script involving the derived algebraic laws of \<^csp>. After proving that \SYSTEM\ implements \COPY\ for arbitrary alphabets, we aim to profit from this first established result to check which relations \SYSTEM\ has w.r.t. the reference processes of @{docitem "processes"}. Thus, we prove that \COPY\ is deadlock-free, which implies livelock-free (proof by fixed-point induction similar to \lemma: COPY \ SYSTEM\), from which we immediately infer by transitivity that \SYSTEM\ is as well. Using refinement relations, we killed four birds with one stone as we proved the deadlock-freeness and the livelock-freeness for both \COPY\ and \SYSTEM\ processes. These properties hold for arbitrary alphabets and for infinite ones in particular. @{theory_text [display, indent=5] \ lemma DF UNIV \ COPY corollary deadlock_free COPY and livelock_free COPY and deadlock_free SYSTEM and livelock_free SYSTEM\} \ subsection*["inductions"::tc,main_author="Some(@{docitem ''safouan''}::author)"] \New Fixed-Point Inductions\ text\ The copy buffer refinement proof \DF UNIV \ COPY\ is a typical one-step induction proof with two goals: \base: \ \ Q\ and \1-ind: X \ Q \ (_ \ X) \ Q\. Now, if unfolding the fixed-point process \Q\ reveals two steps, the second goal becomes \X \ Q \ _ \ X \ _ \ _ \ Q\. Unfortunately, this way it becomes unprovable using monotonicity rules. We need here a two-step induction of the form \base0: \ \ Q\, \base1: _ \ \ \ Q\ and \2-ind: X \ Q \ _ \ _ \ X \ _ \ _ \ Q\ to have a sufficiently powerful induction scheme. 
For this reason, we derived a number of alternative induction schemes (which are not available in the HOLCF library), which are also relevant for our final Dining Philosophers example. These are essentially adaptations of k-induction schemes applied to a domain-theoretic setting (so: requiring \f\ continuous and \P\ admissible; these preconditions are skipped here): \<^item> @{cartouche [display]\... \ \ii \) \ (\X. (\ii X)) \ P (f\<^sup>k X)) \ P (\X. f X)\} \<^item> \... \ \ii \) \ (\X. P X \ P (f\<^sup>k X)) \ P (\X. f X)\ \<^noindent> In the latter variant, the induction hypothesis is weakened to skip \k\ steps. When possible, it reduces the goal size. Another problem that occasionally occurs in refinement proofs arises when the right side term involves more than one fixed-point process (\<^eg> \P \{A}\ Q \ S\). In this situation, we need parallel fixed-point inductions. The HOLCF library offers only a basic one: \<^item> @{cartouche [display]\... \ P \ \ \ (\X Y. P X Y \ P (f X) (g Y)) \ P (\X. f X) (\X. g X)\} \<^noindent> This form does not help in cases like in \P \\\ Q \ S\ with the interleaving operator on the right-hand side. The simplifying law is: @{cartouche [display, indent=3]\ (\x\A\P x \\\ \x\B\Q x) = (\x\A \ ( P x \\\ \x\B \ Q x) \ (\x\B \ (\x\A \ P x \\\ Q x))\} Here, \(f X \\\ g Y)\ does not reduce to the \(X \\\ Y)\ term but to two terms \(f X \\\ Y)\ and \(X \\\ g Y)\. To handle these cases, we developed an advanced parallel induction scheme and we proved its correctness: \<^item> @{cartouche [display] \... \ (\Y. P \ Y) \ (\X. P X \) \ \X Y. (P X Y \ P (f X) Y \ P X (g Y)) \ P (f X) (g Y) \ P (\X. f X) (\X. g X)\} \<^noindent> which allows for an "independent unrolling" of the fixed-points in these proofs. The astute reader may notice here that if the induction step is weakened (having more hypotheses), the base steps need to be strengthened. 
\ subsection*["norm"::tc,main_author="Some(@{docitem ''safouan''}::author)"] \Normalization\ text\ Our framework can reason not only over infinite alphabets, but also over processes parameterized over states with an arbitrarily rich structure. This paves the way for the following technique, which trades potentially complex process structure against equivalent simple processes with potentially rich state. Roughly similar to labelled transition systems, we provide for deterministic \<^csp> processes a normal form that is based on an explicit state. The general schema of normalized processes is defined as follows: @{cartouche [display,indent=20] \P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\\<^sub>,\\ \ \ X. (\\. \e\(\ \) \ X(\ \ e))\} where \\\ is a transition function which returns the set of events that can be triggered from the current state \\\ given as parameter. The update function \\\ takes two parameters, a state \\\ and an event \e\, and returns the new state. This normal form is closed under deterministic and communication operators. The advantage of this format is that we can mimic the well-known product automata construction for an arbitrary number of synchronized processes under normal form. We only show the case of the synchronous product of two processes: \ text*[T3::"theorem", short_name="\Product Construction\"]\ Parallel composition translates to normal form: @{cartouche [display,indent=5]\(P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\\<^sub>1,\\<^sub>1\ \\<^sub>1) || (P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\\<^sub>2,\\<^sub>2\ \\<^sub>2) = P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\(\\<^sub>1,\\<^sub>2). \\<^sub>1 \\<^sub>1 \ \\<^sub>2 \\<^sub>2 , \(\\<^sub>1,\\<^sub>2).\e.(\\<^sub>1 \\<^sub>1 e, \\<^sub>2 \\<^sub>2 e)\ (\\<^sub>1,\\<^sub>2)\} \ text\ The generalization of this rule for a list of \(\,\)\-pairs is straightforward, albeit the formal proof is not. 
The application of the generalized form is a cornerstone of the proof of the general dining philosophers problem illustrated in the subsequent section. Another advantage of normalized processes is the possibility to argue over the reachability of states via the closure \\\, which is defined inductively over: \<^item> \\ \ \ \ \ \\ \<^item> \\ \ \ \ \ \\<^sub>0 \ e \ \ \ \ \ \ e \ \ \ \ \\<^sub>0\ Thus, normalization leads to a new characterization of deadlock-freeness inspired by automata theory. We formally proved the following theorem:\ text*[T4::"theorem", short_name="\DF vs. Reachability\"] \ If each reachable state \s \ (\ \ \)\ has outgoing transitions, the \<^csp> process is deadlock-free: @{cartouche [display,indent=10] \\\ \ (\ \ \ \\<^sub>0). \ \ \ {} \ deadlock_free (P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\,\\ \\<^sub>0)\} \ text\ This theorem allows for establishing properties such as deadlock-freeness by completely abstracting from \<^csp> theory; these are arguments that only involve inductive reasoning over the transition function. Summing up, our method consists of four stages: \<^enum> we construct normalized versions of component processes and prove them equivalent to their counterparts, \<^enum> we state an invariant over the states/variables, \<^enum> we prove by induction over \\\ that it holds on all reachable states, and finally \<^enum> we prove that this invariant guarantees the existence of outgoing transitions. \ subsection*["dining_philosophers"::tc,main_author="Some(@{docitem ''safouan''}::author)",level="Some 3"] \Generalized Dining Philosophers\ text\ The dining philosophers problem is another paradigmatic example in the \<^csp> literature often used to illustrate synchronization problems between an arbitrary number of concurrent systems. It is an example of a process scheme for which general properties are desirable in order to inherit them for specific instances. 
The general dining philosopher problem for an arbitrary \N\ is presented in HOL-CSP 2 as follows %@{footnote \The dining philosopher problem is also distributed with FDR4, where \N = 6\.\}: @{theory_text [display,indent=5] \datatype dining_event = picks (phil::nat) (fork::nat) | putsdown (phil::nat) (fork::nat) | eat (phil::nat) definition LPHIL0 \ (\ X. (picks 0 (N-1) \ (picks 0 0 \ eat 0 \ (putsdown 0 0 \ (putsdown 0 (N-1) \ X))))) definition RPHIL i \ (\ X. (picks i i \ (picks i (i-1) \ eat i \ (putsdown i (i-1) \ (putsdown i i \ X))))) definition FORK i \ (\ X. (picks i i \ (putsdown i i \ X)) \(picks (i+1)%N i \(putsdown (i+1)%N i \ X))) definition "PHILs \ LPHIL0 ||| (|||\<^sub>i\<^sub>\\<^sub>1\<^sub>.\<^sub>.\<^sub>N RPHIL i)" definition "FORKs \ |||\<^sub>i\<^sub>\\<^sub>0\<^sub>.\<^sub>.\<^sub>N FORK i" definition DINING \ FORKs \picks, putsdown\ PHILs\} % this should be theory_text, but is rejected for lexical reasons Note that both philosophers and forks are pairwise independent but both synchronize on \picks\ and \putsdown\ events. The philosopher of index 0 is left-handed whereas the other \N-1\ philosophers are right-handed. We want to prove that any configuration is deadlock-free for an arbitrary number N. First, we put the fork process under normal form. 
It has three states: (1) on the table, (2) picked by the right philosopher or (3) picked by the left one: @{theory_text [display,indent=5] \definition trans\<^sub>f i \ \ if \ = 0 then {picks i i, picks (i+1)%N i} else if \ = 1 then {putsdown i i} else if \ = 2 then {putsdown (i+1)%N i} else {} definition upd\<^sub>f i \ e \ if e = (picks i i) then 1 else if e = (picks (i+1)%N) i then 2 else 0 definition FORK\<^sub>n\<^sub>o\<^sub>r\<^sub>m i \ P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\trans\<^sub>f i, upd\<^sub>f i\ \} To validate our choice for the states, transition function \trans\<^sub>f\ and update function \upd\<^sub>f\, we prove that they are equivalent to the original process components: \FORK\<^sub>n\<^sub>o\<^sub>r\<^sub>m i = FORK i\. The anti-symmetry of refinement breaks this down to the two refinement proofs \FORK\<^sub>n\<^sub>o\<^sub>r\<^sub>m i \ FORK i\ and \FORK i \ FORK\<^sub>n\<^sub>o\<^sub>r\<^sub>m i\, which are similar to the CopyBuffer example shown in @{technical "illustration"}. Note, again, that this fairly automatic induct-simplify-proof just involves reasoning on the derived algebraic rules, not any reasoning on the level of the denotational semantics. %Second we prove that the normal form process is equivalent to the original fork process %by proving refinements in both directions. We note here that the first refinement \FORK\<^sub>n\<^sub>o\<^sub>r\<^sub>m i \ FORK i\ %requires a two steps induction as unfolding the original fixed-point process brings two steps %\FORK i = picks \ putsdown \ FORK i\. After that we apply the same method %to get the philosopher process under a normal form. Thanks to @{theorem \T3\}, we obtain normalized processes for \FORKs\, \PHILs\ and \DINING\: @{theory_text [display,indent=5] \definition "trans\<^sub>F \ \fs. (\\<^sub>i\<^sub><\<^sub>N. trans\<^sub>f i (fs!i))" definition upd\<^sub>F \ \fs e. 
let i=(fork e) in fs[i:=(upd\<^sub>f i (fs!i) e)] lemma FORKs = P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\trans\<^sub>F, upd\<^sub>F\ ... lemma PHILS = P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\trans\<^sub>P, upd\<^sub>P\ ... definition trans\<^sub>D \ \(ps,fs). (trans\<^sub>P ps) \ (trans\<^sub>F fs) definition upd\<^sub>D \ \(ps,fs) e. (upd\<^sub>P ps e, upd\<^sub>F fs e) lemma DINING = P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\trans\<^sub>D, upd\<^sub>D\ \} The variable \ps\ stands for the list of philosophers states and \fs\ for the list of forks states, both of size \N\. The pair \(ps, fs)\ encodes the whole dining table state over which we need to define an invariant to ensure that no blocking state is reachable and thus the dining philosophers problem is deadlock-free. As explained before, the proof is based on abstract reasoning over relations independent from the \<^csp> context. The last steps towards our goal are the following definitions and lemmas: @{theory_text [display,indent=5] \definition INV\<^sub>D\<^sub>I\<^sub>N\<^sub>I\<^sub>N\<^sub>G ps fs \ (\i. ((fs!i=1) \ ps!i \ 0) \ ... ) lemma (ps,fs) \ \ trans\<^sub>D upd\<^sub>D \ INV\<^sub>D\<^sub>I\<^sub>N\<^sub>I\<^sub>N\<^sub>G ps fs ... lemma INV\<^sub>D\<^sub>I\<^sub>N\<^sub>I\<^sub>N\<^sub>G ps fs \ trans\<^sub>D (ps, fs) \ {} ... corollary deadlock_free DINING \} To sum up, we proved once and for all that the dining philosophers problem is deadlock-free for an arbitrary number \N \ 2\. Common model-checkers like PAT and FDR fail to answer for a dozen philosophers (on a usual machine) due to the exponential combinatorial explosion. Furthermore, our proof is fairly stable against modifications like adding non-synchronized events like thinking or sitting down, in contrast to model-checking techniques. 
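As an added illustration (Python written for this page, not part of the paper's Isabelle/HOL development), the normal-form scheme P_norm⟨trans, upd⟩ of the previous sections is made executable for one fixed N: the fork's trans_f/upd_f follow the page, while the event encoding, the philosophers' normal form (the page elides trans_P/upd_P), and the ||| and ⟦picks, putsdown⟧ product functions are constructed here. The deadlock check is exactly the premise of the DF vs. reachability theorem, computed by brute-force closure instead of the paper's induction; it also goes beyond the page by showing that dropping the left-handed philosopher makes the classical circular wait reachable.

```python
from collections import deque
from typing import Callable, FrozenSet, Hashable, List, NamedTuple, Tuple

# Constructed event encoding: ("picks", phil, fork), ("putsdown", phil, fork), ("eat", phil, -1).
Event = Tuple[str, int, int]


class Norm(NamedTuple):
    """P_norm<trans, upd>: trans(s) = events enabled in state s, upd(s, e) = successor state."""
    trans: Callable[[Hashable], FrozenSet[Event]]
    upd: Callable[[Hashable, Event], Hashable]


def fork_norm(i: int, n: int) -> Norm:
    """FORK_norm i with the page's trans_f / upd_f: state 0 = on the table,
    1 = held by philosopher i (picks i i), 2 = held by philosopher (i+1) % N."""
    right, left = i, (i + 1) % n
    enabled = {0: frozenset({("picks", right, i), ("picks", left, i)}),
               1: frozenset({("putsdown", right, i)}),
               2: frozenset({("putsdown", left, i)})}
    after = {("picks", right, i): 1, ("picks", left, i): 2}  # any other event -> 0
    return Norm(lambda s: enabled.get(s, frozenset()), lambda s, e: after.get(e, 0))


def phil_norm(i: int, n: int, left_handed: bool) -> Norm:
    """Constructed normal form of LPHIL0 / RPHIL i: state k in 0..4 is the position in
    the cycle pick first, pick second, eat, put down second, put down first.
    Left-handed philosopher 0 starts with fork N-1, right-handed i with fork i."""
    first, second = (n - 1, 0) if left_handed else (i, (i - 1) % n)
    cycle = [("picks", i, first), ("picks", i, second), ("eat", i, -1),
             ("putsdown", i, second), ("putsdown", i, first)]
    return Norm(lambda s: frozenset({cycle[s]}),
                lambda s, e: (s + 1) % 5 if e == cycle[s] else s)


def interleave(parts: List[Norm]) -> Norm:
    """|||-composition (the page's trans_F / upd_F): component alphabets are disjoint,
    so enabled sets are unioned and only the component offering e moves."""
    def trans(ss):
        return frozenset().union(*(p.trans(s) for p, s in zip(parts, ss)))

    def upd(ss, e):
        return tuple(p.upd(s, e) if e in p.trans(s) else s for p, s in zip(parts, ss))
    return Norm(trans, upd)


def parallel(p: Norm, q: Norm, sync: Callable[[Event], bool]) -> Norm:
    """P [|S|] Q: events in S need both sides (the intersection of the product
    construction theorem); events outside S (here only eat) move one side alone."""
    def trans(st):
        ep, eq = p.trans(st[0]), q.trans(st[1])
        return frozenset({e for e in ep & eq if sync(e)} | {e for e in ep | eq if not sync(e)})

    def upd(st, e):
        sp, sq = st
        return (p.upd(sp, e) if e in p.trans(sp) else sp, q.upd(sq, e) if e in q.trans(sq) else sq)
    return Norm(trans, upd)


def reachable(norm: Norm, s0) -> set:
    """The closure R(trans, upd, s0) of the page, computed by breadth-first search."""
    seen, todo = {s0}, deque([s0])
    while todo:
        s = todo.popleft()
        for t in (norm.upd(s, e) for e in norm.trans(s)):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def blocked_states(norm: Norm, s0) -> list:
    """Reachable states without outgoing transition; empty iff the DF vs. reachability
    premise holds, and hence deadlock_free (P_norm<trans, upd> s0)."""
    return [s for s in reachable(norm, s0) if not norm.trans(s)]


def dining(n: int, left_handed_zero: bool = True):
    """DINING = FORKs [|picks, putsdown|] PHILs in normal form, plus the initial state
    (ps, fs): all philosophers idle, all forks on the table."""
    phils = interleave([phil_norm(i, n, left_handed_zero and i == 0) for i in range(n)])
    forks = interleave([fork_norm(i, n) for i in range(n)])
    return parallel(phils, forks, lambda e: e[0] != "eat"), ((0,) * n, (0,) * n)


def inv_dining(ps, fs) -> bool:
    """The conjunct of INV_DINING shown on the page: fs!i = 1 implies ps!i != 0."""
    return all(ps[i] != 0 for i in range(len(fs)) if fs[i] == 1)


def invariant_holds(n: int) -> bool:
    """Stage 3 of the method for one fixed N: the invariant on every reachable state."""
    d, s0 = dining(n)
    return all(inv_dining(ps, fs) for ps, fs in reachable(d, s0))


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        d, s0 = dining(n)
        print(f"N={n}: {len(reachable(d, s0))} reachable states, blocked={blocked_states(d, s0)}")
    # Without the left-handed philosopher the classical circular wait is reachable.
    print("all right-handed, N=3:", blocked_states(*dining(3, left_handed_zero=False)))
```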
\ section*["relatedwork"::tc,main_author="Some(@{docitem ''lina''}::author)",level="Some 3"] \Related work\ text\ The theory of \<^csp> has attracted a lot of interest from the eighties on, and is still a fairly active research area, both as a theoretical device as well as a modelling language to analyze complex concurrent systems. It is therefore not surprising that attempts at its formalisation were undertaken early with the advent of interactive theorem proving systems supporting higher-order logic @{cite "Camilleri91" and "tej.ea:corrected:1997" and "10.1007/978-3-642-16690-7_9" and "10.1007/978-3-642-27705-4_20" and "DBLP:conf/concur/IsobeR06" }, where especially the latter allows for some automated support for refinement proofs based on induction. However, HOL-CSP2 is based on a failure/divergence model, while @{cite "DBLP:conf/concur/IsobeR06"} is based on stable failures, which can infer deadlock-freeness only under the assumption that no livelock occurred; in our view, this is too strong an assumption for both the theory as well as the tool. In the 1990s, research focused on automated verification tools for \<^csp>, most notably on FDR~@{cite "fdr4"}. It relies on an operational \<^csp> semantics, allowing for a conversion of processes into labelled transition systems, where the states are normalized by the "laws" derived from the denotational semantics. For finite event sets, refinement proofs can be reduced to graph inclusion problems. With efficient compression techniques, such as bisimulation, elimination and factorization by semantic equivalence @{cite "Roscoe95"}, FDR was used to analyze some industrial applications. However, such a model checker cannot handle infinite cases and does not scale to large systems. %%Another similar model checking tool @{cite "SunLDP09"} implemented some more optimization techniques, %%such as partial order reduction, symmetric reduction, and parallel model checking, but is also %%restricted to the finite case. 
The fundamental limits of automated decision procedures for data and processes have been known very early on: Undecidability of parameterized model checking was proven by reduction to non-halting of Turing machines @{cite "Suzuki88"}. However, some forms of well-structured transition systems could be shown to be decidable @{cite "FinkelS01" and "BloemJKKRVW16"}. HOL-CSP2 is a fully abstract model for the failure/divergence model; as a HOL theory, it is therefore a "relative complete proof theory" both for infinite data as well as number of components (see @{cite "andrews2002introduction"} for relative completeness). Encouraged by the progress of SMT solvers which support some infinite types, notably (fixed arrays of) integers or reals, and limited forms of formulas over these types, SMT-based model-checkers represent the current mainstream in parametric model-checking. This extends both to LTL-style model-checkers for Promela-like languages @{cite "Cubicle" and "ByMC"} as well as process-algebra-like languages @{cite "AntoninoGR19" and "AntoninoGR16" and "BensalemGLNSY11"}. However, the usual limitations persist: the translation to SMT is hardly certifiable and the solvers are still not able to handle non-linear computations; moreover, they fail to elaborate inductive proofs on data if necessary in refinement proofs. Some systems involve approximation techniques in order to make the formal verification of concurrent systems scalable; results are therefore inherently imprecise and require meta-level arguments assuring their truth in a specific application context. For example, in @{cite "AntoninoGR19"}, the synchronization analysis techniques try to prove the unreachability of a system state by showing that components cannot agree on the order or on the number of times they participate in system rules. Even with such over-approximation, the finiteness restriction on the number of components persists. 
Last but not least, SMT-based tools only focusing on bounded model-checking like @{cite "Kind2" and "JKind"} use k-induction and quite powerful invariant generation techniques but are still far from scalable techniques. While it is difficult to make any precise argument on the scalability for HOL-CSP 2, we argue that we have no data-type restrictions (events may have real-vector-, function- or even process type) as well as no restrictions on the structure of components. None of our paradigmatic examples can be automatically proven with any of the discussed SMT techniques without restrictions. \ section*["conclusion"::conclusion,main_author="Some(@{docitem ''bu''}::author)"]\Conclusion\ text\We presented a formalisation of the most comprehensive semantic model for \<^csp>, a 'classical' language for the specification and analysis of concurrent systems studied in a rich body of literature. For this purpose, we ported @{cite "tej.ea:corrected:1997"} to a modern version of Isabelle, restructured the proofs, and extended the resulting theory of the language substantially. The result, HOL-CSP 2, has been submitted to the Isabelle AFP @{cite "HOL-CSP-AFP"}, a fairly sustainable format accessible to other researchers and tools. We developed a novel set of deadlock- and livelock-inference proof principles based on classical and denotational characterizations. In particular, we formally investigated the relations between different refinement notions in the presence of deadlock and livelock; an area where traditional \<^csp> literature skates over the nitty-gritty details. Finally, we demonstrated how to exploit these results for deadlock/livelock analysis of protocols. We put a large body of abstract \<^csp> laws and induction principles together to form concrete verification technologies for generalized classical problems, which have been considered so far from the perspective of data-independence or structural parametricity. 
The underlying novel principle of "trading rich structure against rich state" allows converting processes into classical transition systems for which established invariant techniques become applicable. Future applications of HOL-CSP 2 could comprise a combination with model checkers, where our theory with its derived rules is used to certify the output of a model-checker over \<^csp>. In our experience, generated labelled transition systems may be used to steer inductions or to construct the normalized processes \P\<^sub>n\<^sub>o\<^sub>r\<^sub>m\\\<^sub>,\\\ automatically, thus combining efficient finite reasoning over finite sub-systems with globally infinite systems in a logically safe way. \ (*<*) subsection*[bib::bibliography]\References\ close_monitor*[this] end (*>*)