Priorities in tock-CSP
Pedro Ribeiro, James Baxter, Ana Cavalcanti

TL;DR
This paper develops a denotational semantics for prioritisation in tock-CSP, enabling sound reasoning about timed behaviours and refinement, supported by mechanisation in Isabelle/HOL.
Contribution
It introduces a denotational definition for prioritisation in tock-CSP, establishing a Galois connection to ensure sound, compositional reasoning about timed processes.
Findings
A Galois connection between models is established.
A denotational semantics for prioritisation is developed.
Mechanised proofs are provided in Isabelle/HOL.
Abstract
The -CSP encoding embeds a rich and flexible approach to modelling discrete timed behaviours in CSP where the event is interpreted to mark the passage of time. The model checker FDR provides tailored support for -CSP, including a prioritisation operator that has typically been used to ensure maximal progress, where time only advances after internal activity has stabilised. Prioritisation may also be used on its own right as a modelling construct. Its operational semantics, however, is only congruent over the most discriminating semantic model of CSP: the finite-linear model. To enable sound and compositional reasoning in a -CSP setting, we calculate a denotational definition for prioritisation. For that we establish a Galois connection between a specialisation of the finite-linear model, with and , that signals termination, as special events,…
| Name | Definition |
|---|---|
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFormal Methods in Verification · Logic, programming, and type systems · Distributed systems and fault tolerance
Priorities in -CSP
Pedro Ribeiro
James Baxter
Ana Cavalcanti
Department of Computer Science, Univesity of York, UK
Abstract
The -CSP encoding embeds a rich and flexible approach to modelling discrete timed behaviours in CSP where the event is interpreted to mark the passage of time. The model checker FDR provides tailored support for -CSP, including a prioritisation operator that has typically been used to ensure maximal progress, where time only advances after internal activity has stabilised. Prioritisation may also be used on its own right as a modelling construct. Its operational semantics, however, is only congruent over the most discriminating semantic model of CSP: the finite-linear model. To enable sound and compositional reasoning in a -CSP setting, we calculate a denotational definition for prioritisation. For that we establish a Galois connection between a specialisation of the finite-linear model, with and , that signals termination, as special events, and --CSP, a model for -CSP that captures termination, deadlines, and is adequate for reasoning about timed refinement. Our results are mechanised using Isabelle/HOL.
keywords:
Semantics, Galois connections, process algebras, time, priorities
††journal: Information Processing Letters
1 Introduction
Process algebras like CSP [1] enable modelling of reactive systems via named events that correspond to atomic and instantaneous interactions of interest. To specify budgets and deadlines, and to reason about liveness and safety over time, an explicit notion of time is required. Roscoe introduced the -CSP encoding, where an event is used to mark the passage of discrete time. Extensive use of -CSP has been reported [2, 3, 4, 5, 6].
The CSP model-checker FDR [7] has operators tailored for -CSP. In addition, it implements a operator that can be used to prioritise events according to a partial order . The behaviour is that of , but changed so that whenever events and are available, then if is of strictly higher priority than , that is, , then , and the behaviour following , is pruned.
Example 1**.**
. Process offers an external choice () between behaving as a prefixing () on or , followed by immediate termination (). Prioritising , with yields the process .∎
Prioritisation can be used in FDR to enforce maximal progress, that is, that time can only advance after internal activity has stabilised, by prioritising , the internal action, and , which signals termination, over . also endows CSP with extra expressivity [8], and has been applied also in abstraction techniques [9], reducing refinement in different CSP semantics to traces refinement [10], or as a modelling construct on its own [5, 6].
The operator has an intuitive operational semantics. However, for to be congruent over denotational models of CSP, namely the finite-linear ( [1]) and refusal testing ( [11, 12]) models, the partial order needs to be constrained [8]. Thus, FDR actually implements a constrained form of , where, for example, and are maximal in the order. However, this is insufficient for to be congruent over weaker models such as - [13] and the stable-failures ( [1]).
Example 2**.**
[TABLE]
Process makes an internal choice () between offering events , or , and terminating, or waiting a time unit () and then behaving as again, specified using sequential composition (). Process also makes an internal choice, but the choice between and is external. Although it may seem that is more deterministic than , deadlocking for a time unit, before making an internal choice again that may lead to the refusal of and , is a possibility for . The - model does not distinguish and , just like the model does not distinguish and .
However, prioritising and , with , assuming and are maximal in the order and that is not prioritised over , yields different results. becomes equal to a process , whereas the prioritisation of bears no effect. The incongruence arises as a result of being defined over , where it distributes over internal choice. To reason about priorities in other models we need different definitions for .∎
In this paper we calculate a definition of for -CSP via a stepwise Galois connection between the model and the - model [13], the only sound model for -CSP that can be used to reason about timed refinement, and that captures deadlines, termination and erroneous Zeno behaviour. It is a faithful account of the -CSP dialect and is mechanised in Isabelle/HOL [14]. Included in this work is a mechanisation of the model, that handles termination, via the special event , and a specialisation that includes .
This paper is structured as follows. In Section 2.1 we describe - and . In Section 3 we formally define . In Section 4 we define a Galois connection between a specialisation of , which includes as event, and calculate the induced definition of . We conclude in Section 5.
2 Models
Here we describe the - and models by summarizing material from [13] and [1].
2.1 -
The - model is defined in terms of a set of events, not including and . The complete set is defined as . The semantics of processes is a set of sequences of observations of type , defined below. An observation is either an event in , or the refusal of some subset of , so has two constructor functions and .
Definition 1.
**
The type of valid traces is defined as , which is the set of all sequences with elements of type that satisfy three conjuncts, defined below.
Definition 2.
**
The first conjunct ensures that can only appear as the last event of . The second conjunct requires that every refusal before the last () is followed by a . Finally, the third conjunct ensures that every is preceded by a refusal.
The healthiness conditions of - [13], whose composition is named , ensure properties of the standard models of CSP in the context of traces. Namely, the empty trace is an observation of every process; prefix closure and subset closure of refusals; and an event that cannot be performed is refused. Finally, whenever there is a stable refusal in a trace, then there is always at least one (other) trace where the refusal includes .
2.2 Finite-linear
The model is characterised in [1] by finite sequences of alternating acceptances and events . An acceptance is either a set, recording the events being offered, or null () indicating the impossibility to observe such a set because of instability. An event necessarily belongs to if is not . Valid sequences end in an acceptance, or followed by . The healthiness conditions of ensure prefix closure, and require that, whenever an acceptance is observed, then any events in can also be performed.
The prefix relation for sequences in this model allows to precede a stable acceptance set, so that and are prefixes of , for example. Crucially, and unlike other CSP models, there is no upward-closure of acceptance sets.
3 Formalising the model
In Section 3.1 we define a recursive data type to capture traces. In Section 3.2 we formalise the healthiness conditions. Finally, in Section 3.3 we formally define . While Roscoe [1] characterises the model and studies in depth its relationship to other CSP models, here we define its data model and healthiness conditions with the level of formality required to mechanise it (as an Isabelle theory as presented in [15], for example).
3.1 Model
An acceptance is either a null acceptance or a set of events. It is defined by the type , which has two constructor functions and , respectively, where is the Z [16] syntax for constructors.
Definition 3.
**
We also define: to be exactly when is the result of applying for some set and ; and a prefix order on , where is the least element, and , which can be lifted to define the prefix order on traces.
An acceptance followed by an event is a pair of type associating elements of to .
Definition 4 (Acceptance-event).
[TABLE]
An acceptance-event pair is valid exactly when is a member of set . A pair imposes no condition on . Next we define the type of non-empty traces for as , a recursive data type with two constructors, and .
Definition 5.
**
The function takes a single acceptance while takes an acceptance-event pair and an trace. Processes in are defined by a set of traces, effectively finite non-empty sequences ending in an acceptance. Unlike the original presentation of , we consider as a regular event. This simplifies the type definition of and allows us to give a general account of where can be prioritised.
To facilitate presentation we abbreviate as , and as . Furthermore a recursive application of a number of times, such as is abbreviated as . This is a typical approach to encoding finite lists via recursive data types.
3.2 Healthiness conditions
The healthiness conditions are listed in Section 3.2. The first, , although not listed in [1, p.257], is required to ensure that every process has some behaviour. Together with (adopted from [1]), which ensures prefix closure, ensures that every process has at least the trace .
The next condition from [1] is restated using and a concatenation operator \mathbin{\smash{\raise 3.44444pt\hbox{\smallfrown}}}_{\mathcal{FL}} that is closed under , unlike the general sequence concatenation operator. states that whenever a trace concatenated with an acceptance is in , then for every event in there must be a trace in that performs . It is the result of concatenating with the trace consisting of the acceptance-event pair followed by .
To ensure is only possible after as the very last event of a trace, requires valid traces to be in a set . It consists of traces where is not offered in any acceptance and, if appears, it is as the last event followed by .
The model forms a complete lattice under the refinement order defined by subset inclusion. The top is the process whose only observation is the trace , while the bottom is , the set of all possible observations: the process .
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Roscoe [2010] A. W. Roscoe, Understanding concurrent systems, Springer, 2010.
- 2Evans and Schneider [2000] N. Evans, S. Schneider, Analysing time dependent security properties in CSP using PVS, in: European Symposium on Research in Computer Security, Springer, 2000, pp. 222–237.
- 3Kharmeh et al. [2011] S. A. Kharmeh, K. Eder, D. May, A design-for-verification framework for a configurable performance-critical communication interface, in: International Conference on Formal Modeling and Analysis of Timed Systems, Springer, 2011, pp. 335–351.
- 4Isobe et al. [2012] Y. Isobe, F. Moller, H. N. Nguyen, M. Roggenbach, Safety and line capacity in railways–an approach in Timed CSP, in: International Conference on Integrated Formal Methods, Springer, 2012, pp. 54–68.
- 5Göthel and Bartels [2015] T. Göthel, B. Bartels, Modular design and verification of distributed adaptive real-time systems, in: P. C. Vinh, E. Vassev, M. Hinchey (Eds.), Nature of Computation and Communication, Springer International Publishing, Cham, 2015, pp. 3–12.
- 6Cavalcanti et al. [2019] A. Cavalcanti, A. Sampaio, A. Miyazawa, P. Ribeiro, M. Conserva Filho, A. Didier, W. Li, J. Timmis, Verified simulation for robotics, Science of Computer Programming (2019).
- 7Gibson-Robinson et al. [2014] T. Gibson-Robinson, P. Armstrong, A. Boulgakov, A. Roscoe, FDR 3 — A Modern Refinement Checker for CSP, in: E. brah m, K. Havelund (Eds.), TACAS, volume 8413 of Lecture Notes in Computer Science , 2014, pp. 187–201.
- 8Roscoe [2015] A. Roscoe, The expressiveness of CSP with priority, Electronic Notes in Theoretical Computer Science 319 (2015) 387–401.
