Using Hoare logic in a process algebra setting
J. A. Bergstra, C. A. Middelburg

TL;DR
This paper explores integrating Hoare logic with process algebra, specifically extending ACP to reason about data changes within processes and complement equational reasoning.
Contribution
It introduces an extension of ACP with data features and develops a Hoare logic tailored for reasoning about data modifications in process algebra.
Findings
Extended ACP with data features
Developed a Hoare logic for data reasoning
Complemented equational reasoning with Hoare logic
Abstract
This paper concerns the relation between process algebra and Hoare logic. We investigate the question whether and how a Hoare logic can be used for reasoning about how data change in the course of a process when reasoning equationally about that process. We introduce an extension of ACP (Algebra of Communicating Processes) with features that are relevant to processes in which data are involved, present a Hoare logic for the processes considered in this process algebra, and discuss the use of this Hoare logic as a complement to pure equational reasoning with the equational axioms of the process algebra.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: Informatics Institute, Faculty of Science, University of Amsterdam
Science Park 904, 1098 XH Amsterdam, the Netherlands
11email: [email protected],[email protected]
Using Hoare Logic in a Process Algebra Setting
J.A. Bergstra
C.A. Middelburg
Abstract
This paper concerns the relation between process algebra and Hoare logic. We investigate the question whether and how a Hoare logic can be used for reasoning about how data change in the course of a process when reasoning equationally about that process. We introduce an extension of ACP (Algebra of Communicating Processes) with features that are relevant to processes in which data are involved, present a Hoare logic for the processes considered in this process algebra, and discuss the use of this Hoare logic as a complement to pure equational reasoning with the equational axioms of the process algebra. rocess algebra, data parameterized action, assignment action, guarded command, asserted process, Hoare logic.
1998 ACM Computing Classification: D.1.3, D.1.4, D.2.4, F.1.2, F.3.1.
Keywords:
p
1 Introduction
ACP (Algebra of Communicating Processes) and its extensions provide a setting for equational reasoning about processes of some kind. The processes about which reasoning is in demand are often processes in which data are involved. It is quite common for such a process that the data that are involved change in the course of the process and that the process proceeds at certain stages in a way that depends on the changing data. This means that reasoning about a process often involves reasoning about how data change in the course of that process. The question arises whether and how a Hoare logic can be used for the second kind of reasoning when reasoning equationally about a process. After all, processes of the kind described above are reminiscent of the processes that arise from the execution of imperative programs.
This paper is concerned with the above-mentioned question. We investigate it using an extension of ACP [10] with features that are relevant to processes in which data are involved and a Hoare logic of asserted processes based on this extension of ACP. The extension concerned is called -D. Its additional features include assignment actions to deal with data that change in the course of a process and guarded commands to deal with processes that proceed at certain stages in a way that depends on certain data. In the Hoare logic concerned, an asserted process is a formula of the form , where is a term of -D that denotes a process and and are terms of -D that denote conditions.
We define what it means that an asserted process is true in such a way that is true iff a set of equations that represents this judgment is derivable from the axioms of -D. Such a definition is a prerequisite for an affirmative answer to the question whether and how a Hoare logic can be used for reasoning about how data change in the course of a process when reasoning equationally about that process. The set of equations that represents the judgment expresses that a certain equivalence relation holds between processes determined by the asserted process. The equivalence relation concerned may be a useful equivalence relation when reasoning about processes in which data are involved. However, it is not a congruence relation, i.e. it is not preserved by all contexts. This complicates pure equational reasoning considerably. The presented Hoare logic can be considered to be a means to get partially round the complications concerned.
This paper is organized as follows. We begin with presenting , an extension of ACP with the empty process constant and the binary iteration operator , and -D, an extension of with features that are relevant to processes in which data are involved (Sections 2 and 3). We also present a structural operational semantics of -D, define a notion of bisimulation equivalence based on this semantics, and show that the axioms of -D are sound with respect to this bisimulation equivalence (Section 4). After that, we present a Hoare logic of asserted processes based on -D, define what it means that an asserted process is true, and show that the axioms and rules of this Hoare logic are sound with respect to this meaning (Section 5). Following this, we go further into the connection of the presented Hoare logic with -D by way of the equivalence relation referred to in the previous paragraph (Section 6). We also go into the use of the presented Hoare logic as a complement to pure equational reasoning with the axioms of -D by means of examples (Section 7). Finally, we discuss related work and make some concluding remarks (Sections 8 and 9).
2 ACP with the Empty Process and Iteration
In this section, we present , ACP [10] extended with the empty process constant as in [7, Section 4.4] and the binary iteration operator as in [8]. In , it is assumed that a fixed but arbitrary finite set of basic actions, with , and a fixed but arbitrary commutative and associative communication function , such that for all , have been given. Basic actions are taken as atomic processes. The function is regarded to give the result of synchronously performing any two basic actions for which this is possible, and to be otherwise. Henceforth, we write for .
The algebraic theory has one sort: the sort of processes. We make this sort explicit to anticipate the need for many-sortedness later on. The algebraic theory has the following constants and operators to build terms of sort :
- •
the inaction constant ;
- •
the empty process constant ;
- •
for each , the basic action constant ;
- •
the binary alternative composition operator ;
- •
the binary sequential composition operator ;
- •
the binary iteration operator ;
- •
the binary parallel composition operator ;
- •
the binary left merge operator ;
- •
the binary communication merge operator ;
- •
for each , the unary encapsulation operator .
We assume that there is a countably infinite set of variables of sort , which contains , and . Terms are built as usual. We use infix notation for the binary operators. The following precedence conventions are used to reduce the need for parentheses: the operator binds stronger than all other binary operators and the operator binds weaker than all other binary operators.
The constants and operators of are the constants and operators of [7, Section 4.4] and additionally the iteration operator . Let and be closed terms, , and .111As usual, a term in which no variables occur is called a closed term. Then the constants and operators of can be explained as follows:
- •
the constant denotes the process that is not capable of doing anything, not even terminating successfully;
- •
the constant denotes the process that is only capable of terminating successfully;
- •
the constant denotes the process that is only capable of first performing action and next terminating successfully;
- •
a closed term of the form denotes the process that behaves either as the process denoted by or as the process denoted by , but not both;
- •
a closed term of the form denotes the process that first behaves as the process denoted by and on successful termination of that process next behaves as the process denoted by ;
- •
a closed term of the form denotes the process that behaves either as the process denoted by or as the process that first behaves as the process denoted by and on successful termination of that process next behaves as again;
- •
a closed term of the form denotes the process that behaves as the processes denoted by and taking place in parallel, by which we understand that, each time an action is performed, either a next action of one of the two processes is performed or a next action of the former process and a next action of the latter process are performed synchronously;
- •
a closed term of the form denotes the process that behaves the same as the process denoted by , except that it starts with performing an action of the process denoted by ;
- •
a closed term of the form denotes the process that behaves the same as the process denoted by , except that it starts with performing an action of the process denoted by and an action of the process denoted by synchronously;
- •
a closed term of the form denotes the process that behaves the same as the process denoted by , except that actions from are blocked.
The axioms of are the equations given in Table 1.
In these equations, and stand for arbitrary constants of that differ from and stands for an arbitrary subset of . So, CM3, CM7, and D0–D4 are actually axiom schemas. Axioms A1–A9, CM1T, CM2T, CM3, CM4, CM5T, CM6T, CM7–CM9, and D0–D4 are the axioms of (cf. [7, Section 4.4]). Axioms BKS1 and RSP* have been taken from [9].
The iteration operator originates from [8], where it is called the binary Kleene star operator. The unary counterpart of this operator can be defined by the equation . From this defining equation, it follows, using RSP*, that and also that .
Among the equations derivable from the axioms of are the equations concerning the iteration operator given in Table 2.
In the axiom system of given in [8], the axioms for the iteration operator are BKS1–BKS4 instead of BKS1 and RSP*. There exist equations derivable from the axioms of that are not derivable from the axioms of with BKS1 and RSP* replaced by BKS1–BKS5. For example, the equation is derivable with BKS1 and RSP*, but not with BKS1–BKS5 (cf. [28]). Moreover, we do not see how Theorem 5.3 of this paper can be proved if RSP* is replaced by BKS2–BKS5 (see the remark following the proof of the theorem).
3 Data Enriched
In this section, we present -D, data enriched . This extension of has been inspired by [12]. It extends with features that are relevant to processes in which data are involved, such as guarded commands (to deal with processes that only take place if some data-dependent condition holds), data parameterized actions (to deal with process interactions with data transfer), and assignment actions (to deal with data that change in the course of a process).
In -D, it is assumed that the following has been given with respect to data:
- •
a (single- or many-sorted) signature that includes a sort of data and constants and/or operators with result sort ;
- •
a minimal algebra of the signature .
Moreover, it is assumed that a countably infinite set of flexible variables has been given. A flexible variable is a variable whose value may change in the course of a process.222The term flexible variable is used for this kind of variables in e.g. [27, 20]. Flexible variables are found under the name program variables in imperative programming. We write for the set of all closed terms over the signature that are of sort . An evaluation map is a function from to where, for all , if . Let be an evaluation map and let be a finite subset of . Then is a -evaluation map if, for all , iff .
Evaluation maps are intended to provide the data values assigned to flexible variables of sort when a term of sort is evaluated. However, in order to fit better in an algebraic setting, they provide closed terms over the signature that denote those data values instead. The requirement that is a minimal algebra guarantees that each data value can be represented by a closed term. The possibility to map flexible variables to themselves may be used for partial evaluation, i.e. evaluation where some flexible variables are not evaluated.
The algebraic theory -D has three sorts: the sort of processes, the sort of conditions, and the sort of data. -D has the constants and operators from and in addition the following constants to build terms of sort :
- •
for each , the flexible variable constant .
-D has the following constants and operators to build terms of sort :
- •
the binary equality operator ;
- •
the truth constant ;
- •
the falsity constant ;
- •
the unary negation operator ;
- •
the binary conjunction operator ;
- •
the binary disjunction operator ;
- •
the binary implication operator ;
- •
the unary variable-binding universal quantification operator that binds a variable of sort ;
- •
the unary variable-binding existential quantification operator that binds a variable of sort .
-D has the constants and operators of and in addition the following operators to build terms of sort :
- •
the binary guarded command operator ;
- •
for each , for each , the -ary data parameterized action operator ;
- •
for each , a unary assignment action operator ;
- •
for each evaluation map , a unary evaluation operator .
We assume that there are countably infinite sets of variables of sort and and that the sets of variables of sort , , and are mutually disjoint and disjoint from . The formation rules for terms are the usual ones for the many-sorted case (see e.g. [26, 29]) and in addition the following rule:
- •
if is a variable-binding operator that binds a variable of sort , are terms of sorts , respectively, and is a variable of sort , then is a term of sort (cf. [25]).
We use the same notational conventions as before. We also use infix notation for the additional binary operators. Moreover, we use the notation , where and is a term of sort , for the term .
We use the notation , where and are terms of sort , for the term . Moreover, we use the notation , where and are terms of sort , for the term .
We write for the set of all closed terms of sort , for the set of all closed terms of sort , and for the set of all closed terms of sort .
Each term from can be taken as a formula of a first-order language with equality of by taking the flexible variable constants as additional variables of sort . We implicitly take the flexible variable constants as additional variables of sort wherever the context asks for a formula. In this way, each term from can be interpreted as a formula in . The axioms of -D (given below) include an equation for each two terms and from for which the formula holds in .
Let be a term from , be a term from , and and be terms from . Then the additional operators can be explained as follows:
- •
the term denotes the process that behaves as the process denoted by under condition ;
- •
the term denotes the process that is only capable of first performing action and next terminating successfully;
- •
the term denotes the process that is only capable of first performing action , whose intended effect is the assignment of the result of evaluating to flexible variable , and next terminating successfully;
- •
the term denotes the process that behaves the same as the process denoted by except that each subterm of that belongs to is evaluated using the evaluation map updated according to the assignment actions that have taken place at the point where the subterm is encountered.
Evaluation operators are a variant of state operators (see e.g. [3]).
The guarded command operator is often used to construct -D terms that are reminiscent of control flow statements of imperative programming languages. For example, terms of the form are reminiscent of if-then-else statements and terms of the form are reminiscent of while-do statements. The following -D term contains a subterm of the latter form ():
[TABLE]
This term is reminiscent of a program that computes the quotient and remainder of dividing two integers by repeated subtraction. That is, the final values of and are the quotient and remainder of dividing the initial value of by the initial value of . An evaluation operator can be used to show that this is the case for given initial values of and . For example, consider the case where the initial values of and are and , respectively. Let be an evaluation map such that and . Then the following equation can be derived from the axioms of -D given below:
[TABLE]
This equation shows that in the case where the initial values of and are and the final values of and are and (which are the quotient and remainder of dividing by ).
An evaluation map can be extended homomorphically from flexible variables to terms of sort and terms of sort . These extensions are denoted by as well. We write for the evaluation map defined by if and .
The axioms of -D are the axioms of and in addition the equations given in Table 3.
In these equations, and stand for arbitrary terms from , , , and , stand for arbitrary terms from , stands for an arbitrary flexible variable from , stands for an arbitrary evaluation map, and stand for arbitrary constants of -D that differ from , stands for an arbitrary constant of -D that differ from and , and stands for an arbitrary subset of . Axioms GC1–GC11 have been taken from [4] (using a different numbering), but with the axioms with occurrences of conditional expressions of the form replaced by simpler axioms. Axioms CM3D, CM7Da, CM7Db, D1D, and D2D have been inspired by [12].
The set of actions of -D is inductively defined by the following rules:
- •
if , then ;
- •
if and , then ;
- •
if and , then .
The elements of are the processes that are considered to be atomic.
The set of head normal forms of -D is inductively defined by the following rules:
- •
;
- •
if , then ;
- •
if , , and , then ;
- •
if , then .
The following lemma about head normal forms is used in later sections.
Lemma 1
For all terms , there exists a term such that is derivable from the axioms of -D*.*
Proof
This is straightforwardly proved by induction on the structure of . The cases where is of the form , or () are trivial. The case where is of the form follows immediately from the induction hypothesis. The case where is of the form follows immediately from the case that is of the form and the case that is of the form . Each of the other cases follow immediately from the induction hypothesis and a claim that is easily proved by structural induction. In the case where is of the form , each of the cases to be considered in the inductive proof demands an additional proof by structural induction. ∎
Some earlier extensions of ACP include Hoare’s ternary counterpart of the binary guarded command operator (see e.g. [4]). This operator can be defined by the equation . From this defining equation, it follows that . In [15], a unary counterpart of the binary guarded command operator is used. This operator can be defined by the equation . From this defining equation, it follows that and also that and . In [15], the processes denoted by closed terms of the form are called guards.
4 Structural Operational Semantics and Bisimulation Equivalence
In this section, we present a structural operational semantics of -D, define a notion of bisimulation equivalence based on this semantics, and show that the axioms of -D are sound with respect to this bisimulation equivalence.
We write for the set of all terms for which . As formulas of a first-order language with equality of , the terms from are the formulas that are satisfiable in .
We start with the presentation of the structural operational semantics of -D. The following transition relations on are used:
- •
for each , a unary relation ;
- •
for each , a binary relation .
We write instead of and instead of . The relations and can be explained as follows:
- •
: is capable of terminating successfully under condition ;
- •
: is capable of performing action under condition and then proceeding as .
The structural operational semantics of -D is described by the transition rules given in Table 4.
In this table, , , and stand for arbitrary basic actions from , stands for an arbitrary flexible variable from , and stand for arbitrary terms from , and stand for arbitrary terms from , stands for an arbitrary term from , stands for arbitrary subset of , and stands for an arbitrary evaluation map.
Two process are considered equal if they can simulate each other. In order to make this precise, we will define the notion of bisimulation equivalence on the set below. In the definition concerned, we need an equivalence relation on the set .
Two actions are data equivalent, written , iff one of the following holds:
- •
there exists an such that and ;
- •
there exist an and such that , , and ;
- •
there exist a and such that , , and .
We write , where , for the equivalence class of with respect to .
A bisimulation is a binary relation on such that, for all terms with , the following conditions hold:
- •
if , then there exists a finite set such that and, for all , there exist an and a such that and ;
- •
if , then there exists a finite set such that and, for all , there exist an and a such that and ;
- •
if , then there exists a finite set such that and, for all , ;
- •
if , then there exists a finite set such that and, for all , .
Two terms are bisimulation equivalent, written p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}q, if there exists a bisimulation such that . Let be a bisimulation such that . Then we say that is a bisimulation witnessing p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}q.
The above definition of a bisimulation deviates from the standard definition because a transition on one side may be simulated by a set of transitions on the other side. For example, the transition is simulated by the set of transitions consisting of and . A bisimulation as defined above is called a splitting bisimulation in [11].
Bisimulation equivalence is a congruence with respect to the operators of -D of which the result sort and at least one argument sort is .
Theorem 4.1 (Congruence)
For all terms and all terms , p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime} and q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}q^{\prime} only if p\mathbin{+}q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\mathbin{+}q^{\prime}, p\cdot q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\cdot q^{\prime}, p\mathbin{{}^{*}}q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\mathbin{{}^{*}}q^{\prime}, \phi\mathbin{:\rightarrow}p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}\phi\mathbin{:\rightarrow}p^{\prime}, p\mathbin{\parallel}q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\mathbin{\parallel}q^{\prime}, p\mathbin{\lfloor\lfloor}q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\mathbin{\lfloor\lfloor}q^{\prime}, p\mathbin{\mid}q\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p^{\prime}\mathbin{\mid}q^{\prime}, {\partial_{H}}(p)\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}{\partial_{H}}(p^{\prime}), and {\mathsf{V}_{\sigma}}(p)\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}{\mathsf{V}_{\sigma}}(p^{\prime}).
Proof
We can reformulate the transition rules such that:
- •
bisimulation equivalence based on the reformulated transition rules according to the standard definition of bisimulation equivalence coincides with bisimulation equivalence based on the original transition rules according to the definition of bisimulation equivalence given above;
- •
the reformulated transition rules make up a transition system specification in path format.
The reformulation is similar to the one for the transition rules for BPAps outlined in [5]. The proposition follows now immediately from the well-known result that bisimulation equivalence according to the standard definition of bisimulation equivalence is a congruence if the transition rules concerned make up a transition system specification in path format (see e.g. [6]). ∎
The underlying idea of the reformulation referred to above is that we replace each transition by a transition for each valuation of variables such that , and likewise . Thus, in a bisimulation, a transition on one side must be simulated by a single transition on the other side. We did not present the reformulated structural operational semantics in this paper because it is, in our opinion, intuitively less appealing.
The axioms of -D are sound with respect to \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}} for equations between terms from .
Theorem 4.2 (Soundness)
For all terms , is derivable from the axioms of -D* only if p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}q.*
Proof
Because {\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}} is a congruence, it is sufficient to prove the theorem for all substitution instances of each axiom of -D. We will loosely say that a relation contains all closed substitution instances of an equation if it contains all pairs such that is a closed substitution instance of the equation.
For each axiom, we can construct a bisimulation witnessing p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}q for all closed substitution instances of the axiom as follows:
- •
in the case of A1–A6, A8, A9, BKS1, CM3, CM4, CM7–CM9, D1, D3, D4, GC1, GC4–GC11, V1–V5, CM3D, CM7Da, D1D, CM3A, and D1A, we take the relation that consists of all closed substitution instances of the axiom concerned and the equation ;
- •
in the case of A7, CM2T, CM5T, CM6T, D0, D2, GC2, GC3, V0, CM7Db–CM7Dd, D2D, CM5A, and CM6A, we take the relation that consists of all closed substitution instances of the axiom concerned;
- •
in the case of CM1T, we take the relation that consists of all closed substitution instances of CM1T, the equation , and the equation ;
- •
in the case of RSP*, we take the relation that consists of all closed substitution instances of the consequent of RSP* for which r\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}p\cdot r\mathbin{+}q and all closed substitution instances of the equation . ∎
We have not been able to prove the completeness of the axioms of -D with respect to \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}} for equations between terms from . Such a proof would give an affirmative answer to an open question about the axiomatization of the iteration operator already posed in 1984 by Milner [23, page 465]. Until now, all attempts to answer this question have failed (see [14]).
5 A Hoare Logic of Asserted Processes
In this section, we present , a Hoare logic of asserted processes based on -D, define what it means that an asserted process is true, and show that the axioms and rules of this logic are sound with respect to this meaning.
We write for the set of all closed terms of sort in which the evaluation operators and the auxiliary operators and do not occur and we write for the set of all terms of sort in which variables of sort do not occur. Clearly, and .
An asserted process is a formula of the form , where and . Here, is called the pre-condition of the asserted process and is called the post-condition of the asserted process.
The intuitive meaning of an asserted process is as follows: if holds at the start of and eventually terminates successfully, then holds at the successful termination of . The conditions and concern the data values assigned to flexible variables at the start and at successful termination, respectively. Therefore, in general, one or more flexible variables occur in and . Unlike in , (logical) variables of sort may also occur in and . This allows of referring in to the data values assigned to flexible variables at the start, like in .
Below, we use the notion of equivalence under -evaluation to make the intuitive meaning of asserted processes more precise.
We write , where , for the set of all that occur in and likewise , where , for the set of all that occur in . We write , where , for the set of all that occur in subterms of that are of the form . Moreover, we write , where is a finite subset of , for the set .
Let be a finite subset of and let . Then and are equivalent under -evaluation, written , if, for all -evaluation maps , is derivable from the axioms of -D.
Notice that , where be a finite subset of , is an equivalence relation indeed. Notice further that, for all , and only if .
Let be an asserted process and let . Then is true if, for all closed substitution instances of , .
To justify the claim that the definition given above reflects the intuitive meaning given earlier, we mention that only if, for all -evaluation maps , there exists a -evaluation map such that {\mathsf{V}_{\sigma}}(\phi^{\prime}\mathbin{:\rightarrow}p)\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}{\mathsf{V}_{\sigma}}(\phi^{\prime}\mathbin{:\rightarrow}p)\cdot{\mathsf{V}_{\sigma^{\prime}}}(\psi^{\prime}\mathbin{:\rightarrow}\epsilon).
Notice that, using the unary guard operator mentioned in Section 3, we can write instead of .
Below, we will present the axioms and rules of . In addition to axioms and rules that concern a particular constant or operator of -D, there is a rule concerning auxiliary flexible variables and a rule for precondition strengthening and/or postcondition weakening.
We use some special terminology and notations with respect to auxiliary variables. Let , and let . Then is a set of auxiliary variables of if each flexible variable in occurs in only in subterms of the form with . We write , where , for the set of all sets of auxiliary variables of . Moreover, we write , where and , for with all occurrences of subterms of the form with replaced by .
The axioms and rules of are given in Table 5.
In this table, and stand for arbitrary terms from , , , , , and stand for arbitrary terms from , stands for an arbitrary basic action from , stands for an arbitrary flexible variable from , and and stand for arbitrary terms from . The parallel composition rule may only be applied if the premises are disjoint. Premises and are disjoint if
- •
, , and ;
- •
, , and .
In the consequence rule, the first premise and the last premise are not asserted processes. They assert that and are derivable from the axioms of -D.
Before we move on to the soundness of the axioms and rules of , we consider two congruence related properties of the equivalences that are relevant to the soundness proof.
Theorem 5.1 (Congruence)
For all finite , for all terms , and only if , , and . Moreover, for all finite , for all terms and all terms with , only if and .
Proof
Assume and . Then follows immediately and and follow easily by induction on the number of proper subprocesses of , where use is made of Lemma 1. Assume . Then follows immediately and follows easily by induction on the number of proper subprocesses of , where use is made of Lemma 1. ∎
Theorem 5.2 (Limited Congruence)
For all finite , for all terms with , , , and , and only if .
Proof
Assume and , and , and . Then follows easily by induction on the number of proper subprocesses of , where use is made of Lemma 1. ∎
Theorem 5.3 (Soundness)
For all terms , for all terms , the asserted process is derivable from the axioms and rules of only if is true.
Proof
We will assume that . We can do so without loss of generality because, by the definition of the truth of asserted processes, it is sufficient to consider arbitrary closed substitution instances of and if . We will prove the theorem by proving that each of the axioms is true and each of the rules is such that only true conclusions can be drawn from true premises. The theorem then follows by induction on the length of the proof.
The proofs for the axioms and the consequence rule are trivial. Theorems 5.1 and 5.2 facilitate the proofs for the other rules. By these theorems, the proofs for the alternative composition rule, the sequential composition rule, and the guarded command rule are also trivial and the proofs for the parallel composition rule, the encapsulation rule, and the auxiliary variables rule are straightforward proofs by induction on the number of proper subprocesses, in which use is made of Lemma 1. The parallel composition rule is proved simultaneously with similar rules for the left merge operator and the communication merge operator. The proof for the iteration rule goes in a less straightforward way.
In case of the iteration rule, we assume that
- (1)
for all -evaluation maps , is derivable;
- (2)
for all -evaluation maps , is derivable;
and we prove that
- (3)
for all -evaluation maps , is derivable;
where . We do so by induction on the number of proper subprocesses of .
The basis step is trivial. The inductive step is proved in the following way. It follows easily from assumption (1), making use of BKS1, that
- (4)
for all -evaluation maps , for some evaluation map , is derivable.
We distinguish two cases: and .
In the case where , (3) follows easily from (4), the induction hypothesis, and assumption (2), making use of BKS1.
In the case where , it follows immediately from (4), making use of RSP*, that
- (5)
for all -evaluation maps , is derivable;
and (3) follows easily from (5) and assumption (2), making use of BKS1. ∎
In the proof of Theorem 5.3, RSP* is used in the part concerning the iteration rule. We do not see how that part of the proof can be done if RSP* is replaced by BKS2–BKS5.
The following is a corollary of the definition of the truth of asserted processes and Theorem 5.3.
Corollary 1
For all terms , for all terms , the asserted process is derivable from the axioms and rules of and is derivable from the axioms of -D* only if is true.*
If it is possible at all, equational reasoning with the axioms of a process algebra about how data change in the course of a process is often rather cumbersome. In many cases, but not all, reasoning with the axioms and rules of a Hoare logic is much more convenient. We have not strived for a Hoare logic that covers the cases where it does not simplify reasoning. Actually, the axioms and rules of are not complete (in the sense of Cook [13]). The side condition of the parallel composition rule precludes completeness. We have, for example, that the asserted process is true, but this cannot be derived by means of the axioms and rules of alone because a premise of the form and a premise of the form are never disjoint.
We could have replaced the disjointness side condition by an interference-freedom side condition to cover cases such as the example given above and perhaps this would lead to completeness. However, unless the disjointness side condition would suffice, fulfillment of the interference-freedom side condition generally needs a sophisticated proof. These interference-freedom proofs partly outweigh the advantage of using a Hoare logic for reasoning about how data change in the course of a process. As will be shown by means of an example in Section 7, equational reasoning with the axioms of -D offers an alternative without interference-freedom proofs. That is why we have chosen for the parallel composition rule with the disjointness side condition.
6 On the Connection between the Hoare Logic and -D
In this section, we go into the connection of with -D by way of the equivalence relations .
Let be an asserted process, and let . Suppose that has been derived from the axioms and rules of . Then, by Theorem 5.3, is true. This means that, for all closed substitution instances of , . In other words, for all closed substitution instances of , for all -evaluation maps , is derivable from the axioms of -D. Thus, the derivation of from the axioms and rules of has made a collection of equations available that can be considered to be derived by equational reasoning from the axioms of -D.
Let us have a closer look at the equivalence relation on . Clearly, this equivalence relation is useful when reasoning about processes in which data are involved. However, it is plain from the proof of Theorem 5.2 that is not a congruence relation on . This complicates the use of equational reasoning to derive, among other things, the collection of equations referred to above considerably. The presented Hoare logic can be considered to be a means to get partially round the complications concerned.
Dissociated from its connection with , remains an interesting equivalence relation on when it comes to reasoning about processes in which data is involved. Therefore, we mention below a result on this equivalence relation which is a corollary of results from Section 5 used to prove the soundness of . The fact that is not a congruence relation on , and consequently that is not preserved by all contexts, makes this corollary to the point. In order to formulate the corollary, we first define a set of contexts, using as a placeholder.
For each finite , the set of sequential evaluation supporting contexts for is the set , where the sets , for finite with , are defined by simultaneous induction as follows:
- •
;
- •
if , , , and , then ;
- •
if and , , then ;
- •
if , , , and , then ;
- •
if and , then .
We write , where and , for with the occurrence of replaced by .
The following is a corollary of Theorems 5.1 and 5.2.
Corollary 2
Let be a finite subset of . Then, for all , for all , only if .
Of course, Corollary 2 can be applied to results from using . Let be an asserted process, let , and let . Suppose that has been derived from the axioms and rules of . Then, for all closed substitution instances of , we have that .
7 On the Role of the Hoare Logic for -D
Process algebras focus on the main role of a reactive system, namely maintaining some ongoing interaction with its environment. Hoare logics focus on the main role of a transformational system, namely producing, without interruption by its environment, outputs from inputs.333The terms reactive system and transformational system were coined in [16]. However, actual systems are often reactive systems composed of reactive components and transformational components. -D provides a setting for equational reasoning about the behaviour of such systems, but it does not offer by itself the possibility to reason in Hoare-logic style about the behaviour of the transformational components.
Below, we will take the behaviour of a very simple transformational component and reason about how it changes data both in Hoare-logic style with the axioms and rules of and equationally with the axioms of -D. We assume that is the group of integers. We also assume that and are flexible variables from and and are variables of sort . Moreover, we use as an abbreviation of . The behaviour of the very simple transformational component concerned is described by the closed -D term .
We begin with showing by means of that this behaviour swaps the values of and . We derive
[TABLE]
using the assignment axiom and the consequence rule. Similarly, we derive
[TABLE]
and
[TABLE]
From these three asserted processes, we derive
[TABLE]
using the sequential composition rule twice.
We continue with showing the same by means of -D. This means that we have to derive from the axioms of -D, for all , for all -evaluation maps :
[TABLE]
We derive
[TABLE]
using axioms V3 and V5; and
[TABLE]
using axioms V0, V3, and V5.
We can derive the following equation for all -evaluation maps :
[TABLE]
In the case and , we derive using IMP2. From this, we derive equation (**) using axioms GC1 and A8.
In the case or , we derive using IMP2. From this, we derive equation (**) using axiom GC2.
Hence, we have for all -evaluation maps :
[TABLE]
Similarly, we find for all -evaluation maps :
[TABLE]
and
[TABLE]
From the last three equations, we derive equation (*) using axioms A5, A9, GC5, V3, and V5. By this we have finally shown by means of -D that the values of and are swapped by the process described by .
In this case, it is clear that Hoare-logic style reasoning with the axioms and rules of is much more convenient than equational reasoning with the axioms of -D. Because a single application of a rule of cannot be justified by a single application of an axiom of -D, we expect that this also holds for virtually all other cases of reasoning about how the behaviour of a transformational system changes data.
Now, we turn our attention to the rather restrictive side condition of the parallel composition rule of . As mentioned before at the end of Section 5, we have that the asserted process
[TABLE]
is true, but this cannot be derived by means of the axioms and rules of alone because a premise of the form and a premise of the form are never disjoint. However, we can derive the following equation from the axioms of -D:
[TABLE]
By Corollary 1, it is sound to replace in the above asserted process the left-hand side of this equation by the right-hand side of this equation. This yields the asserted process
[TABLE]
which can be derived using the assignment axiom, the alternative composition rule, the sequential composition rule, and the consequence rule of several times.
If the disjointness side condition of the parallel composition rule of is replaced by an interference-freedom side condition, like in [24], then the original asserted process becomes derivable using the axioms and rules of the Hoare logic alone (see e.g. [1, page 278]). The interference-freedom proof involved needs proof outlines (see [24]) for and . In this very simple case, the interference-freedom proof already amounts to seven interference-freedom checks. However, for two processes in which and assignment actions occur, the number of interference-freedom checks is at least . Therefore, we expect that interference-freedom proofs partly outweigh the advantage of using a Hoare logic.
8 Related Work
The approach to the formal verification of programs that is now known as Hoare logic was proposed in [17]. The illustration of this approach was at the time confined to the very simple deterministic sequential programs that are mostly referred to as while programs (cf. [1]). The axioms, the sequential composition rule, the iteration rule, the guarded command rule, and the consequence rule from our Hoare logic savour strongly of the common rules for while programs. The alternative composition rule is the or rule due to [21], the parallel composition rule was proposed in [18], and the auxiliary variables rule was first introduced in [24]. The parallel composition rules proposed in [2, 22, 24] are more complicated than our parallel composition rule.
In the case of [2, 22], the intention was to provide a Hoare logic for the first design of CSP [19]. In that design, one program may force another program to assign a data value sent by the former program to a program variable used by the latter program. This feature complicates the parallel composition rule considerably. Moreover, incorporating this feature in an ACP-like process algebra would lead to the situation that, in equational reasoning, certain axioms may not be applied in contexts of parallel processes (like in [15], see below). Because our concern is in the use of a Hoare logic as a complement to pure equational reasoning, we have not considered incorporating this feature.
In the case of [24], the rule is more complicated because, in the parallel programs covered, program variables may be shared variables, i.e. program variables that are assigned to in one program may be used in another program. Our process algebra also covers shared variables. However, covering shared variables in our Hoare logic as well would mean that the simple disjointness proof required by our parallel composition rule has to be replaced a sophisticated interference-freedom proof. We believe that this would diminish the usefulness of our Hoare logic as a complement to equational reasoning considerably. Therefore, we have not considered covering shared variables in the parallel composition rule.
In [15], an extension of ACP with the empty process constant and the unary counterpart of the binary guarded command operator is presented, the truth of an asserted sequential process is defined in terms of the transition relations from the given structural operational semantics of the presented extension of ACP, and it is shown that an asserted sequential process is true according to that definition iff \{\phi\}\cdot p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime}\{\phi\}\cdot p\cdot\{\psi\}, where \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime} is bisimulation equivalence as defined in [15] for sequential processes. Moreover, a Hoare logic of sequential asserted processes is presented and its soundness is shown. However, [15] does not go into the use of that Hoare logic as a complement to pure equational reasoning from the equational axioms.
Regarding the bisimulation equivalence \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime} defined in [15] for sequential processes, we can mention that, if the data-states are evaluation maps, p\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime}q iff {\mathsf{V}_{\sigma}}(p)\mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}{\mathsf{V}_{\sigma}}(q) for all -evaluation maps , where . Due to the possibility of interference between parallel processes, a different bisimulation equivalence \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime\prime}, finer than \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime}, is needed in [15] for parallel processes. As a consequence, in equational reasoning, certain axioms may not be applied in contexts of parallel processes. Moreover, \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}} together with the operators allows of dealing with local data-states, whereas the combination of \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime} and \mathrel{\mathchoice{\raisebox{1.29167pt}{\displaystyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\textstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptstyle\underline{{\leftrightarrow}}}{}}{\raisebox{1.29167pt}{\scriptscriptstyle\underline{{\leftrightarrow}}}{}}}^{\prime\prime} does not allow of dealing with local data-states.
9 Concluding Remarks
We have taken an extension of ACP with features that are relevant to processes in which data are involved, devised a Hoare logic of asserted processes based on this extension of ACP, and gone into the use of this Hoare logic as a complement to pure equational reasoning from the axioms of the extension of ACP.
We have defined what it means that an asserted process is true in terms of an equivalence relation () that had been found to be central to relating the extension of ACP and the Hoare logic. That this equivalence relation is not a congruence relation with respect to parallel composition is related to the fact that in the extension of ACP presented in [15] certain axioms may not be applied in contexts of parallel processes.
In this paper, we build on earlier work on ACP. The axioms of have been taken from [7, Section 4.4], the axioms for the iteration operator have been taken from [9], and the axioms for the guarded command operator have been taken from [4]. The evaluation operators have been inspired by [11] and the data parameterized action operator has been inspired by [12].
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Apt, K.R., de Boer, F.S., Olderog, E.R.: Verification of Sequential and Concurrent Programs. Texts in Computer Science, Springer-Verlag, Berlin, third edn. (2009)
- 2[2] Apt, K.R., Francez, N., de Roever, W.P.: A proof system for communicating sequential processes. ACM Transactions on Programming Languages and Systems 2(3), 359–385 (1980)
- 3[3] Baeten, J.C.M., Bergstra, J.A.: Global renaming operators in concrete process algebra. Information and Control 78(3), 205–245 (1988)
- 4[4] Baeten, J.C.M., Bergstra, J.A.: Process algebra with signals and conditions. In: Broy, M. (ed.) Programming and Mathematical Methods. NATO ASI Series, vol. F 88, pp. 273–323. Springer-Verlag (1992)
- 5[5] Baeten, J.C.M., Bergstra, J.A.: Process algebra with propositional signals. Theoretical Computer Science 177, 381–405 (1997)
- 6[6] Baeten, J.C.M., Verhoef, C.: A congruence theorem for structured operational semantics with predicates. In: Best, E. (ed.) CONCUR’93. Lecture Notes in Computer Science, vol. 715, pp. 477–492. Springer-Verlag (1993)
- 7[7] Baeten, J.C.M., Weijland, W.P.: Process Algebra, Cambridge Tracts in Theoretical Computer Science, vol. 18. Cambridge University Press, Cambridge (1990)
- 8[8] Bergstra, J.A., Bethke, I., Ponse, A.: Process algebra with iteration and nesting. Computer Journal 37, 243–258 (1994)
