On automating process algebra proofs


Henri Korver
CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands
henri@cwi.nl

M.P.A. Sellink
University of Amsterdam, Programming Research Group, P.O. Box 41882, 1009 DB Amsterdam, The Netherlands
alex@fwi.uva.nl

Abstract

Recently, Groote and Springintveld incorporated several model-oriented techniques, such as invariants, matching criteria and state mappings, in the process-algebraic framework of μCRL for structuring and simplifying protocol verifications. In this paper, we formalise these extensions in Coq, which is a proof development tool based on type theory. In the updated framework, the length of proof constructions is reduced significantly. Moreover, the new approach allows for more automation (proof generation) than was possible in the past. The results are illustrated by an example in which we prove two queue representations equal.

1 Introduction

In [9] the proof theory of μCRL [8] is extended with several model-oriented techniques such as invariants, matching criteria and state mappings. With the new theory many correctness proofs, such as those given in [3, 7], can be simplified and structured. The new approach can be considered as a refinement of classical process algebra verifications such as the ones given in the two papers just mentioned. One of the refinements is that process expressions are considered in a linear form. Such expressions are called linear process operators or LPOs. An LPO combines the advantages of a compact and easy to manipulate algebraic notation with the advantages of the precondition/effect style found in [12]. The linear format is not a restriction, as every μCRL process can be transformed into an LPO. In the new approach, processes are in linear format, and the task of proving two LPOs equal is reduced to finding a state mapping satisfying certain constraints, the matching criteria. Here, "matching" means that the external actions of both processes correspond modulo internal actions. The matching criteria can be compared to the defining clauses of weak refinements [13]. The criteria are simple formulas over the data parameters and conditions occurring in the two LPOs. In this way, instead of manipulating large process expressions, a large part of the equivalence proof is reduced to a number of mostly trivial data facts.

Besides simplifying proofs, the new approach is very well suited to mechanical assistance and automation. There are two main reasons. First, given two LPOs and a state mapping, the matching criteria can be generated fully automatically. Second, it often occurs that a considerable part of the generated data facts can be solved directly by the proof tool.

In this paper, we formalise the theory discussed above in Coq. This is a proof checker, or more precisely a theorem prover, based on the Calculus of Constructions (higher-order type theory) [5], extended with inductive types [14]. The new theory has been placed on top of the basic proof system of μCRL that has already been implemented in Coq (see [15]). Moreover, we have extended the theory of [9] with a symbolic representation format for LPOs. In this format, LPOs can be mechanised more efficiently.

We have chosen Coq (version V5.10.14.a) as our proof development tool for the following reasons. First, we have some experience with the tool: we already implemented the proof system of μCRL in it and carried out several computer-checked verifications (see [11, 10]). Second, the system is highly expressive, i.e. it supports higher-order reasoning. This is important because we need higher-order constructs for defining the notion of LPO.

Our work contributes in the following respects. First, we have built a uniform software framework in which one can reason with model-oriented techniques (LPOs, invariants, matching criteria, state mappings) and process-algebraic techniques (process equations, compact algebraic notation and manipulation) at the same time. Second, in the new approach, larger parts of the proof development can be automated.

The paper is organised as follows. In Section 2, we briefly review notions such as LPOs, matching criteria and state mappings, as introduced in [9]. Section 2 also contains the verification example that is used throughout the paper. In Section 3, we formalise the new theory, including the running example, in Coq. We draw the conclusions of our work in Section 4.

2 Preliminaries

2.1 Linear process operators

We recapitulate some terminology that has been introduced in [3]. In particular, the notion of a linear process operator forms the cornerstone for the developments in this paper.

Definition 2.1. A linear process operator (LPO) over data type $D$ is an expression of the form

$$\Phi(p, d) = \sum_{i \in I} \sum_{e_i \in E_i} c_i(f_i(d, e_i)) \cdot p(g_i(d, e_i)) \;\triangleleft\; b_i(d, e_i) \;\triangleright\; \delta$$

for some finite index set $I$, actions $c_i \in Act \cup \{\tau\}$, data types $E_i$, $D_{c_i}$, and functions $f_i : D \to E_i \to D_{c_i}$, $g_i : D \to E_i \to D$, $b_i : D \to E_i \to Bool$. (We assume that $\tau$ has no parameter.) We will give an example below.

The operation $\cdot$ (sequential composition) is standard in process algebra (see [2]). The symbol $\delta$ denotes deadlock. The operation $\triangleleft \; \triangleright$ corresponds with the then-if-else construct. The operation $\sum$ allows for summation over a data type; it is a generalisation of the well-known $+$ operator (alternative composition). We have the convention that $\cdot$ binds stronger than $\triangleleft \; \triangleright$, followed by $\sum$, and $+$ binds weakest. Note that, writing $I = \{1, \ldots, n\}$, we use a meta-sum notation $\sum_{i \in I} p_i$ for $p_1 + p_2 + \cdots + p_n$; the $p_i$'s are called summands of $\sum_{i \in I} p_i$.
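The definition of an LPO and the use of a state mapping to relate two LPOs, as an executable illustration. The Python below is an added example; it is not code from the paper and not its Coq development. It represents an LPO as a tuple of summands (one $c_i$, $E_i$, $f_i$, $g_i$, $b_i$ each), unfolds one step of $\Phi(p, d)$ by enumerating the enabled summands, and runs a bounded, exhaustive check that a hand-written state mapping h relates two queue representations: the specification keeps one tuple, the implementation is the two-stack queue whose stack shift is an internal $\tau$-step. The element type ELEMS, the two encodings, the mapping h and the three conditions checked (internal steps leave h(d) unchanged, every external step of the implementation is a step of the specification at h(d), and every specification step is mirrored after finitely many internal steps) are this example's own simplification of "matching modulo internal actions"; they are not the matching criteria of [9], which this section does not reproduce, and the finite search stands in for the symbolic proof obligations that the Coq development discharges.

```python
# Added example (not from the paper, not its Coq development): LPOs as data,
# one-step unfolding, and a bounded matching check between two queues.
from dataclasses import dataclass
from typing import Any, Callable, Tuple

TAU = "tau"        # the internal action; taken to be parameterless (Definition 2.1)
UNIT = (None,)     # one-element data type for summands that sum over nothing
ELEMS = (0, 1)     # constructed element type of the queues


@dataclass(frozen=True)
class Summand:
    """One summand  sum_{e in E} c(f(d, e)) . p(g(d, e)) <| b(d, e) |> delta."""
    action: str                           # c_i, an element of Act or TAU
    E: Tuple[Any, ...]                    # E_i, kept finite so it can be enumerated
    f: Callable[[Any, Any], Any]          # f_i : D -> E_i -> D_{c_i}, the action parameter
    g: Callable[[Any, Any], Any]          # g_i : D -> E_i -> D, the next state
    b: Callable[[Any, Any], bool]         # b_i : D -> E_i -> Bool, the guard


@dataclass(frozen=True)
class LPO:
    summands: Tuple[Summand, ...]

    def steps(self, d):
        """Unfold Phi(p, d) one level: the enabled (action, parameter, next state) triples."""
        return [(s.action, s.f(d, e), s.g(d, e))
                for s in self.summands for e in s.E if s.b(d, e)]


# Specification: a queue as a single tuple, oldest element first.
queue_spec = LPO((
    Summand("in", ELEMS, f=lambda d, e: e, g=lambda d, e: d + (e,), b=lambda d, e: True),
    Summand("out", UNIT, f=lambda d, e: d[0], g=lambda d, e: d[1:], b=lambda d, e: len(d) > 0),
))

# Implementation: the two-stack queue.  State is (front, back); `in` pushes on
# back, `out` pops the top (last entry) of front, and an internal tau-step moves
# the reversed back onto an empty front.
queue_impl = LPO((
    Summand("in", ELEMS, f=lambda d, e: e,
            g=lambda d, e: (d[0], d[1] + (e,)), b=lambda d, e: True),
    Summand(TAU, UNIT, f=lambda d, e: None,
            g=lambda d, e: (tuple(reversed(d[1])), ()),
            b=lambda d, e: d[0] == () and d[1] != ()),
    Summand("out", UNIT, f=lambda d, e: d[0][-1],
            g=lambda d, e: (d[0][:-1], d[1]), b=lambda d, e: d[0] != ()),
))


def h(d):
    """State mapping from implementation states to specification states (example's own)."""
    front, back = d
    return tuple(reversed(front)) + back


def tau_closure(lpo, d):
    """All states reachable from d by internal steps only (d itself included)."""
    seen, todo = {d}, [d]
    while todo:
        x = todo.pop()
        for c, _, y in lpo.steps(x):
            if c == TAU and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def check_matching(spec, impl, h, d0, depth):
    """Bounded check that impl matches spec under h, exploring impl states up to
    `depth` steps from d0.  Returns (True, None) or (False, (state, reason)).
    The three conditions are this example's simplification, not the criteria of [9]."""
    seen, frontier = {d0}, [d0]
    for _ in range(depth):
        nxt = []
        for d in frontier:
            spec_steps = spec.steps(h(d))
            for c, a, d1 in impl.steps(d):
                if c == TAU:
                    if h(d1) != h(d):          # internal steps must not move the image
                        return False, (d, "internal step changes h(d)")
                elif (c, a, h(d1)) not in spec_steps:   # external steps must exist in spec
                    return False, (d, f"{c}({a}) has no counterpart in the specification")
                if d1 not in seen:
                    seen.add(d1)
                    nxt.append(d1)
            for c, a, s1 in spec_steps:         # spec steps must be mirrored modulo tau
                mirrored = any((c2, a2, h(d2)) == (c, a, s1)
                               for x in tau_closure(impl, d)
                               for c2, a2, d2 in impl.steps(x) if c2 != TAU)
                if not mirrored:
                    return False, (d, f"specification step {c}({a}) cannot be mirrored")
        frontier = nxt
    return True, None


if __name__ == "__main__":
    print(queue_spec.steps((0, 1)))
    print(check_matching(queue_spec, queue_impl, h, ((), ()), 4))
    # A mapping that forgets the stack reversal is caught on the tau-step.
    print(check_matching(queue_spec, queue_impl, lambda d: d[0] + d[1], ((), ()), 4))
```

The search is bounded because the queues are unbounded, so a passing run is evidence for the explored states only; over an unbounded data type the corresponding facts have to be proved symbolically, which is exactly what the Coq formalisation in this paper is for. The failing run with the mapping that forgets the reversal shows what a violated data fact looks like: the report names the implementation state and the condition that broke.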