Abstract interpretation of trace semantics for concurrent calculi

Information Processing Letters 70 (1999) 69–78

Abstract interpretation of trace semantics for concurrent calculi Roberto Barbuti a , Nicoletta De Francesco b , Antonella Santone b,∗ , Gigliola Vaglini b a Dipartimento di Informatica, Università di Pisa, I-56126 Pisa, Italy b Dipartimento di Ingegneria dell’Informazione, Università di Pisa, I-56126 Pisa, Italy

Received 20 July 1998; received in revised form 26 January 1999 Communicated by A. Tarlecki

Abstract In this paper we show how the Cousots’ approach to abstract interpretation can be easily and profitably applied to the analysis of concurrent calculi. Actually, when dealing with concurrent processes, a number of interesting properties are independent from the computed values, while they strongly depend on the behavior of processes in terms of performed sequences of actions. In this paper abstract interpretation is applied to the analysis of such a behavior. For this reason, we refer to a quite basic concurrent language: Calculus of Communicating Systems (CCS) without values. The analysis we want to perform can be called interesting actions analysis: the behavior of a process P is observed in an “abstract” way, disregarding all the non-interesting actions. This abstraction can be used as a method for efficiently verifying properties of CCS processes. The abstract semantics we present for such language is able to build a reduced transition system which maintains, with respect to the set of interesting actions, the behavior of the original CCS process. We show how the use of our abstract semantics leads to a reduced transition system on which the properties can be equivalently checked. We consider, as the meaning of CCS processes, the well-known trace semantics, which describes the sequences of actions which can be performed by a process. The interesting actions analysis is seen as an abstraction of such a concrete semantics.  1999 Elsevier Science B.V. All rights reserved. Keywords: Abstract interpretation; Concurrency; Formal semantics

1. Introduction Concurrent calculi are used to specify systems composed by agents acting concurrently and communicating to perform a given task. Due to the rapid development of technology in the last years, we are faced with an increasing number of systems implemented by concurrent agents, and often the complexity of the systems grew accordingly. As a consequence, the use of methods both for the design and the verification of concurrent systems becomes more and more important. ∗ Corresponding author. Email: [email protected].

Abstract interpretation [11,17] is a method for analyzing programs in order to collect approximate information about their run-time behavior; this information can be used as a guide to the construction of reliable and efficient systems. More formally, the abstract interpretation is based on a non-standard semantics, that is a semantic definition in which the standard (concrete) domain is replaced by a simpler (abstract) one, and the operations are interpreted on the new domain. One of the most popular approaches to abstract interpretation is defined in [8,9] by Cousot and Cousot. Using this approach a variety of different analyses can be systematically defined. Moreover, the proof of the correctness of the analysis can be done in a standard way.

0020-0190/99/$ – see front matter  1999 Elsevier Science B.V. All rights reserved. PII: S 0 0 2 0 - 0 1 9 0 ( 9 9 ) 0 0 0 4 2 - 3

70

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

In this paper we show how the Cousots’ approach can be easily and profitably applied to the analysis of concurrent calculi. The idea of applying abstract interpretation techniques to concurrent calculi is not new, see, for example, [2,6,7,12–14]. However, in these works, the abstraction is applied only to computed values, and not to the “behavior” of the processes. Actually, when dealing with concurrent processes, a number of interesting properties are independent from the computed values, while they strongly depend on the behavior of processes in terms of performed sequences of actions. In this paper abstract interpretation is applied to the analysis of such a behavior. For this reason, we refer to a quite basic concurrent language: Calculus of Communicating Systems (CCS) without values. However, we claim that the approach can be applied to other concurrent calculi. The analysis we want to perform can be called interesting actions analysis: the behavior of a process P is observed in an “abstract” way, disregarding all the non-interesting actions. This abstraction can be used as a method for efficiently verifying properties of CCS processes. These properties are usually checked on the transition system describing the behaviour of a process. Many properties of systems depend only on the behaviour of the system with respect to a small subset of actions: thus, they can be more efficiently checked on a transition system which contains only the actions in this subset and which behaves, with respect to them, as the original one. The interesting actions analysis can be also useful in the composition of programs to obtain more complex systems. For composing subsystems in a correct way it is important to know if they can communicate by means of particular actions: thus only communicating actions are taken as interesting in the analysis of subsystems. The abstract semantics we present is able to build a reduced transition system which maintains, with respect to the set of interesting actions, the behaviour of the original CCS process. An example of application of such an analysis is shown in Section 5 where a CCS process is presented together with some classical properties. We show how the use of our abstract semantics leads to a reduced transition system on which these properties can be equivalently checked. We consider, as the meaning of CCS processes, the well-known trace semantics [16,19,15], which describes the sequences of actions which can be per-

formed by a process. The interesting actions analysis is seen as an abstraction of such a concrete semantics. First we show how the trace semantics for a CCS process P can be obtained as the minimal fixpoint of a function, TP , defined over a suitable semantic domain. This is a quite new approach, and it has some advantages with respect to the previous ones. The first one is that the Cousots’ approach is trivially applicable; this advantage is in common with the approach in [10]. The second one is that the traces are built from the beginning, unlike in [10], where the traces are constructed backwards. This allows us to stop the semantic based analysis at any point to have an approximation of the initial part of the traces. The TP function is defined in terms of the set of rules giving the concrete operational semantics of CCS processes. Then, we characterize an abstract semantic domain and the corresponding ab] stract transformations, TP , defined in terms of a set of “abstract rules”. The abstract rules define in a simple and clear way the abstract operational semantics of a process.

2. Preliminaries Given a finite set S, S ∗ is the set of all finite sequences of elements in S. The empty sequence is denoted by λ. The concatenation of an element a with the sequence δ is denoted by juxtaposition (aδ), while the concatenation of a sequence δ with a sequence ψ is denoted by δ :: ψ. Given a set S, we denote by ℘ (S) the powerset of S, that is the set of all subsets of S. A complete partial order (cpo) Shv, ⊥, ti is a set partially ordered by v such that every increasing chain Y has a least upper bound, tY , and there exists a bottom element ⊥ ∈ S. A complete lattice Shv, ⊥, >, t, ui is a cpo where every subset Y has a least upper bound, tY , the bottom element is ⊥ = uS and the top element is > = tS. Let X ⊆ S, X is directed iff every finite subset of X has an upper bound in X. Given a cpo S, a function f : S → S is monotonic if and only if ∀x, y ∈ S.x v y ⇒ f (x) v f (y). f is continuous if and only if for each directed set Y ⊆ S,  t f (y): y ∈ Y = f (tY ).

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

71

An element x ∈ S is a fixpoint of f if and only if x = f (x). If f is monotonic there exists its least fixpoint denoted by lfp(f ). We define the iterations of f : S → S (S is a cpo) as follows: f↑0 = ∅, f↑i+1 = f (f↑i ) for every ordinal < ω, G f↑ω = f↑β for the first limit ordinal ω. β<ω

Given a continuous function f on a cpo S, f : S → S, we have: f↑ω = lfp(f ). The Cousots’ approach to abstract interpretation is based on the concept of Galois connection. Given two cpo’s Dhv, ⊥, ti and D] hv] , ⊥] , t] i, a Galois connection is a pair of functions α : D → D] and γ : D] → D such that: (i) α and γ are monotonic, (ii) ∀y ] ∈ D] .α(γ (y ] )) v] y ] , and (iii) ∀y ∈ D.y v γ (α(y)). α and γ are called abstraction and concretization, respectively. If there exists a Galois connection hα, γ i between D and D] we say that D] is an abstract domain with respect to D, the concrete one. Let us consider the usual case in which the semantics of a program P is given as the least fixpoint of a function associated to it, FP : D → D, over a semantic ] domain Dhv, ⊥, ti. We say that FP : D] → D] is an abstract interpretation of FP if there is a Galois ] connection hα, γ i between D and D] , and FP satisfies the correctness condition

] ∀y ∈ D.α FP (y) v FP α(y) . All the above results hold when replacing cpo’s with complete lattices. Let us now quickly recall the main concepts about the Calculus of Communicating Systems (CCS) [18]. The syntax of process expressions (processes for short) is P ::= nil |X|µ.P |P + P | P |P |P \L|P [f ], where µ ranges over a denumerable set of actions A = {τ, a, a, b, b, . . .}, τ is called the internal action. The set of visible actions, V, is defined as A − {τ }. Each action µ ∈ V has a complementary action µ. Given a set S ⊆ V, S = {µ: µ ∈ S} and in the following we use µ ∈ S as shorthand for µ ∈ (S ∪ S). X ranges over a set of constant names: each constant X is defined

Fig. 1. The concrete rules.

def

by a constant definition X = P . We denote the set of processes by E. An operational semantics for CCS is a set of inference rules defining a relation → ⊆ E × A × E. Each rule has a conclusion and zero or more hypotheses. The relation is the least relation satisfying the µ rules. If (P , µ, Q) ∈ →, we write P → Q. The rules defining the concrete semantics of CCS [18] are in Fig. 1. By rule Act the process µ.P performs the action µ and then becomes the process P . The Sum rule (the symmetric one is not shown) states that P and Q are alternative choices for the behavior of P + Q. The Par rule (with its symmetric) shows how processes in a parallel composition can behave autonomously, while the Com one shows how they can interact: if the two processes can simultaneously execute two complementary actions (µ and µ), ¯ a handshake occurs and the produced action is τ . Restriction (rule Res) prevents the actions in L ⊆ V to be done. Relabeling (rule Rel) renames actions by means of a total relabeling function f : A → A, such that f (µ) = f (µ) and f (τ ) = τ . The Con rule says that the meaning of the

72

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

constant X is defined by P , if the defining equation def

of X is X = P . Given a relation →, if δ ∈ A∗ and δ = µ1 . . . µn , µ1

δ

µn

n > 1, we write P → Q to mean P −→ · · · −→ Q. λ For the empty sequence of actions we have P → P . δ

With D→ (P ) = {Q : P → Q} we denote the set of the derivatives of P by →. A (labeled) transition system is a quadruple (S, T , R, s0 ), where S is a set of states, T is a set of transition labels, s0 ∈ S is the initial state, and R ⊆ S × T × S is a set of transitions. Given a process P , (D→ (P ), A, →, P ) is the transition system of P built by means of the relation → defined by a set of rules corresponding to an operational semantics. The traces of a process [16,19] are defined as the set of all the finite sequences of actions (including the partial ones) the process can perform. Definition 2.1 (traces of a process). Given a process P ,  δ Traces(P ) = δ ∈ A∗ : ∃Q.P → Q . Two processes P and Q are trace equivalent if and only if Traces(P ) = Traces(Q). 3. Trace semantics

Given a set T of expandable traces, the concrete semantic function TP adds to T , for each expandable µ trace hβ, P 00 i ∈ T and for each transition P 00 → P 0 , the expandable trace hβ :: µ, P 0 i. This corresponds intuitively to perform a move from each process occurring in an expandable trace of T and to append this move to the corresponding trace. Definition 3.2 (TP ). Given a process P , we define the concrete semantic function TP : ℘ (EtA) → ℘ (EtA ) as follows:   δ = λ and P 0 = P , or       0 µ TP (T ) = T ∪ hδ, P i hβ, P 00 i ∈ T , P 00 → P 0 , .       and δ = β :: µ Proposition 3.2. TP is continuous. Proof. First note that TP is monotonic. Let Y be any directed subset of ℘ (EtA ). Then S ∈ TP (tY ) iff {definition of TP }   δ = λ and P 0 = P , or       0 µ S ∈ tY ∪ hδ, P i hβ, P 00 i ∈ tY, P 00 → P 0 ,       and δ = β :: µ iff {definition of ∪}

In order to define the trace semantics as the minimal fixpoint of a semantic function, we need a suitable semantic domain. The domain is composed of sets of pairs (expandable traces): the first item of a each pair is a sequence of actions and the second a process.

S ∈ tY ∨   δ = λ and P 0 = P , or       0 µ S ∈ hδ, P i hβ, P 00 i ∈ tY, P 00 → P 0 ,       and δ = β :: µ

Definition 3.1 (expandable traces). Given a set S ⊆ A, an expandable trace or ε-trace on S is a pair hδ, P i, where δ ∈ S ∗ and P is a process. We denote as ℘ (EtS ) the set of subsets of the expandable traces on S.

iff {definition of t, Y is directed}

F : ℘ (EtA ) → ℘ (A∗ ) is defined as:  F(T ) = δ | hδ, P i ∈ T . Proposition 3.1. ℘ (EtA )h⊆, ∅, EtA , ∪, ∩i is a complete lattice. Proof. Obvious. 2

∃I ∈ Y.S ∈ I ∨   δ = λ and P 0 = P , or       0 µ S ∈ hδ, P i hβ, P 00 i ∈ I, P 00 → P 0 ,       and δ = β :: µ iff {definition of ∪}  δ = λ and P 0 = P , or    0 µ ∃I ∈ Y.S ∈ I ∪ hδ, P i hβ, P 00 i ∈ I, P 00 → P 0,    and δ = β :: µ

      

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

iff {definition of TP }

We now define a function to remove all noninteresting actions (i.e., those in A − I) from a trace in A∗ .

∃I ∈ Y.S ∈ TP (I ) iff {definition of t, monotonicity of TP } S ∈ tTP (Y ).

73

2

As a consequence of the previous proposition we have that, given a process P and the associated semantic function TP , TP ↑ω = lfp(TP ). TP ↑0 = ∅, while the first iteration of TP includes the ε-trace hλ, P i only. TP ↑i+1 is obtained from TP ↑i by adding the ε-traces obtained by expanding each ε-trace hδ, P 0 i ∈ TP ↑i with the actions that P 0 performs by →.

Definition 4.2. Given a sequence δ ∈ A∗ , and I ⊆ V, we define the function delI : A∗ → I ∗ as follows:  if δ = λ, λ if δ = aψ, and a ∈ / I, delI (δ) = delI (ψ)  adelI (ψ) if δ = aψ, and a ∈ I. The abstraction function, given a set S of ε-traces, deletes the non-interesting actions from the first items of the pairs in S, while leaves unaffected the second items (the processes).

Definition 3.3 (concrete trace semantics). The concrete trace semantics of a process P is defined as F(TP ↑ω ), that is the set of sequences on A obtained by ignoring the second items of the ε-traces in TP ↑ω .

Definition 4.3 (abstraction function αI ). Given I ⊆ V, the abstraction function

The following proposition states the consistency of our semantic definition with the usual trace semantics of CCS.

is defined as  α(T ) = hδ, P i: hψ, P i ∈ T , and δ = delI (ψ) .

Proposition 3.3. Let P be a process.
F TP ↑ω = Traces(P ).

In order to define the concretization function, we use the insI function, which, given a sequence δ with actions in I, inserts, in any position of δ, finite sequences of non-interesting actions in A − I.

Proof. Let us define  δ Tracesn (P ) = δ ∈ A∗ : ∃Q.P → Q ∧ |δ| = n , where |δ| is the length of the sequence δ. It is easy to see that, for each natural number,
[ F TP ↑n = Tracesi (P ). i6n

The proposition follows from the continuity of TP .

2

4. Abstract semantics In order to perform the interesting actions analysis, we define the expandable traces containing only sequences composed of interesting actions. Definition 4.1 (abstract domain). Given a set I ⊆ V of interesting actions, we define the abstract domain for the interesting actions analysis as the complete lattice ℘ (EtI )h⊆, ∅, EtI , ∪, ∩i.

αI : ℘ (EtA ) → ℘ (EtI )

Definition 4.4. Given I ⊆ V and a sequence δ ∈ I ∗ , we define the function insI : I ∗ → ℘ (A∗ ) as  insI (δ) = ψ ∈ A∗ : δ = delI (ψ) . Definition 4.5 (concretization function γI ). Given I ⊆ V, the concretization function γI : ℘ (EtI ) → ℘ (EtA ) is defined as  γI (T ) = hδ, P i: hψ, P i ∈ T , and δ ∈ insI (ψ) . Proposition 4.1. The functions αI and γI , as defined in Definitions 4.3 and 4.5, form a Galois connection between ℘ (EtA ) and ℘ (EtI ). Proof. It is easy to see that αI and γI are monotonic. Let us show that ∀y ∈ ℘ (EtI ).αI (γI (y)) ⊆ y:
αI γI (y)  = αI hδ, P i: hψ, P i ∈ y and δ ∈ insI (ψ)

74

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

 = hγ , P i: hφ, P i ∈  hδ, P i: hψ, P i ∈ y and δ ∈ insI (ψ) and γ = delI (φ)  = hγ , P i: hψ, P i ∈ y and φ ∈ insI (ψ) and γ = delI (φ)   = hγ , P i: hγ , P i ∈ y = y. To prove that ∀y ∈ ℘ (EtA ).y ⊆ γI (αI (y)) it is sufficient to recall that y ∈ insI (delI (y)). 2 In order to define the abstract semantic function ] TP , we introduce the relation →I between processes, indexed by a set I ⊆ V, defined by the rules in Fig. 2. The abstract semantics defined by these rules gives the meaning of a process by means of a transition system the transitions of which are labeled only by actions in I. The basic idea underlying the abstract rules is the skipping of all actions not belonging to I; for this purpose, some “look ahead” is performed until an action belonging to I is found. While the rules Sum, Con and Par of the abstract semantics look like the corresponding ones in the concrete semantics, the

other rules are modified to deal with the actions in I. Given a process µ.P , Act2 behaves as rule Act of the concrete semantics only if µ ∈ I; otherwise, Act1 looks ahead for an action ν performed by P and belonging to I, if any. Rule Res imposes to inspect the moves of P with →I ∪L in order to generate a transition of P \L with →I . In fact, we cannot ignore the actions belonging to L performed by P , even if they do not belong to I. Let us clarify this point by an example: consider the process P = (a.b. nil)\{a} and I = {b}. If we ignore a, we obtain that b is an action performed by P . Actually, b cannot appear in the abstraction of an ε-trace of P , since Traces(P ) = {λ}. Rule Com allows a communication to occur when two complementary actions are performed by the partners of the parallel composition, but the τ action generated by the communication is skipped (recall that τ ∈ / ρ), and look-ahead is performed as in rule Act1 . Finally, in order to observe the interesting actions I of P [f ], rule Rel imposes to observe the actions of P the image of which is in I. Given I ⊆ V and f : A → A, we define  f −1 (I) = µ: ∃ν ∈ I, and f (µ) = ν . Definition 4.6. Given a process P ,  δ TracesI (P ) = δ ∈ A∗ : ∃Q.P →I Q . It is easy to prove that TracesI (P ) ⊆ I ∗ . To prove some properties of the abstract semantics, first we extend to sequences the operators on processes. Definition 4.7. Let δ, γ ∈ A∗ and µ, ν ∈ A. • µ.δ = {µδ}, •    {γ } if δ = λ,       {δ} if γ = λ,   δ|γ = {µψ: ψ ∈ (δ 0 |νγ 0 )} ∪ {νψ: ψ ∈ (µδ 0 |γ 0 )}      ∪ {τ ψ: ψ ∈ (δ 0 |γ 0 ) and µ = ν}      if δ = µδ 0 , γ = νγ 0 ,

Fig. 2. The abstract rules.

• δ + γ = {δ, γ },

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

•

•

   {λ} if δ = λ,     {λ} if δ = µδ 0 and µ ∈ L, δ\L = {µψ}       if δ = µδ 0 and µ ∈ / L and ψ ∈ (δ 0 \L),  {λ} if δ = λ, δ[f ] = {f (µ)ψ: δ = µδ 0 and ψ ∈ δ 0 [f ]}.

The following lemma states that the traces of a process P by the abstract rules coincide with the abstraction of the traces in Traces(P ). In the proof we use the definition of the operators on traces extended (in the usual way) to sets of sequences. Lemma 4.2. Let I ⊆ V and P be a CCS process.
delI Traces(P ) = TracesI (P ). Proof. By induction on the structure of the processes. Base step nil: straightforward. Inductive Step. – µ.P
delI Traces(µ.P )  = concrete semantics (Act)
delI µ. Traces(P )  = property of delI  µ. delI (Traces(P )) µ ∈ I, delI (Traces(P )) µ∈ / I,  = inductive hypothesis  µ.(TracesI (P )) µ ∈ I, TracesI (P ) µ∈ / I,  = abstract semantics (Act1, Act2 ) TracesI (µ.P ) – P |Q


delI Traces(P |Q)  = concrete semantics (Par, Com)
delI Traces(P )| Traces(Q)  = property of delI

75




delI delI Traces(P ) | delI Traces(Q)  = inductive hypothesis
delI TracesI (P )| TracesI (Q)  = abstract semantics (Par, Com) TracesI (P |Q) – P \L


delI Traces(P \L)  = concrete semantics (Res)
delI Traces(P )\L  = property of delI
delI ∪L (Traces(P )) \L  = inductive hypothesis
TracesI ∪L (P ) \L  = abstract semantics (Res) TracesI (P \L)

– P [f ],


delI Traces(P [f ])  = concrete semantics (Rel)
delI Traces(P )[f ]  = property of delI
delf −1 (I )(Traces(P )) [f ]  = inductive hypothesis
Tracesf −1 (I ) (P ) [f ]  = abstract semantics (Rel)
TracesI P [f ]

– P + Q, X proved analogously. 2 Now, we can define the abstract semantic function ] TP . It looks like TP , the only difference being the use of →I instead of →. ]

Definition 4.8 (TP ). Given a process P , the abstract ] semantic function TP : ℘ (EtI ) → ℘ (EtI ) is defined as follows:   δ = λ and P 0 = P , or       ] 0 µ TP (T ) = T ∪ hδ, P i hβ, P 00 i ∈ T , P 00 → P 0 , . I       and δ = β :: µ

76

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78 ]

The continuity of TP can be proved analogously to TP . Definition 4.9 (abstract trace semantics). The abstract trace semantics of a process P is defined as ] F(TP ↑ω ). Proposition 4.3. Let P be a process. ]

F(TP ↑ω ) = TracesI (P ). Proof. Analogous to the proof of Proposition 3.3. 2 As pointed out in Section 2, the correctness condition we should prove is

] ∀y ∈ ℘ (EtA ).αI TP (y) ⊆ TP αI (y) . Actually, due to the abstract rules, this condition does not hold, as the following example shows. Example 4.1. Consider I = {b}, and the set of εtraces  S = hλ, a.b. nili .

For (b), if µ ∈ / I, we have delI (δ :: µ) = delI (δ) and the proof is the same of (a). µ µ If µ ∈ I, Q → Q0 implies {Lemma 4.2} Q →I Q00 ] for some Q00 implies {definition of TP (αI (y))} ] 00 hdelI (δ) :: µ, Q i ∈ TP (αI (y)) implies {definition of ] F} delI (δ) :: µ ∈ F(TP (αI (y))) implies {delI (δ) :: ] µ = delI (δ :: µ) if µ ∈ I} γ ∈ F(TP (αI (y))). 2 The ⊆ in the previous proposition is due to the fact ] that TP can look ahead beyond several actions to find an interesting one, while TP proceeds “step by step”. However, in the least fixpoint they reach the same information over the interesting actions. Thus we can prove a stronger condition on the least fixpoints. Proposition 4.5. For every process P ,

] F αI (TP ↑ω ) = F TP ↑ω . Proof. By Propositions 3.3, 4.3 and Lemma 4.2. 2 Example 4.2. Consider the following CCS process P with the two constant definitions X and Y


 αI TP (S) = αI hλ, a.b. nili, ha, b. nili  = hλ, a.b. nili, hλ, b. nili

P = (X|Y )[b → a]\{d}, def X = b.d.X,

while

Y = c.d.Y.

def



] ] TP αI (S) = TP {hλ, a.b. nili}  = hλ, a.b. nili, hb, nili . However, we note that, by forgetting the processes in the ε-traces, we can still have a correctness condition which can be stated as follows. ]

Proposition 4.4 (correctness of TP ). For every process P

] ∀y ∈ ℘ (EtA ).F αI (TP (y)) ⊆ F TP (αI (y)) . Proof. Let y ∈ ℘ (EtA ). γ ∈ F(αI (TP (y))) implies {definition of TP , αI and F } there exists hδ, Qi ∈ y such that, either (a) γ = delI (δ); or µ (b) γ = delI (δ :: µ) if Q → Q0 . ] ] For (a) γ ∈ F(TP (αI (y))) by definition of TP .

We have     hδ, ((X|Y )[b → a]\{d})i,           h(δ :: a, (d.X|Y )[b → a]\{d}i,     ω TP ↑ = h(δ :: c, (X|d.Y )[b → a]\{d}i,         h(δ :: ac, (d.X|d.Y )[b → a]\{d}i,       h(δ :: ca, (d.X|d.Y )[b → a]\{d}i where δ ∈ ({acτ } ∪ {caτ })∗ . Thus, the trace semantics of P is given by F(TP ↑ω ) = {δ, δ :: a, δ :: c, δ :: ac, δ :: ca}. By considering I = {a}, we have:   hλ, ((X|Y )[b → a]\{d})i, ] TP ↑ω = , hψ, (d.X|Y )[b → a]\{d}i  where ψ ∈ {a}∗ − {λ}.

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

Finally, we have:
] F αI (TP ↑i ) ⊆ F(TP ↑i ), i < ω
] F αI (TP ↑ω ) = F(TP ↑ω ).

and

5. Conclusions Analysis techniques based on abstractions from sets of actions are widely used in formal verification [3–5, 1,20]: in fact for many properties it is possible to detect the set of actions that are the only ones which may affect the satisfiability of the properties themselves (the interesting ones). Usually this abstraction is obtained by hiding the non-interesting actions, i.e., renaming them as τ , and reducing the system by means of suitable minimizations. However, these methods are not theoretically based on an abstract interpretation framework, and in many cases their correctness must be proved case by case. In this paper we have shown how the Cousots’ approach to abstract interpretation can be applied to the analysis of the behavior of concurrent processes in terms of performed actions, and in particular as a method for abstracting from actions that are considered non-interesting for a particular property. As an application example of the interesting actions analysis, let us consider the well-known task scheduler taken from [18]: the system is composed by n processes {C0 , . . . , Cn−1 }, which wish to perform a task repeatedly, and a scheduler ensuring that they begin the task in cyclic order starting with the first process. The different task performances need not exclude each other in time (for example, the second process can begin before the first one finishes), but the scheduler is required to ensure that each agent finishes one performance before it begins the following one. The action ai , 0 6 i < n, represents the initiation of the ith task, whereas bi signals its completion. The CCS process for a n tasks scheduler is: def

SCHEDn = STARTER | C0 | · · ·
· · · | Cn−1 \{c0 , . . . , cn−1 }, def

STARTER = c0 . nil,
def Ci = ci .ai . bi .ci⊕1 .Ci + ci⊕1 .bi .Ci , where ⊕ denotes the modulo n addition.

77

Two classical properties to prove about the scheduler are the following [18]. (1) the start-task actions a0 , . . . , an−1 are performed cyclically starting with a0 ; (2) for each i, the start-task action ai and the end-task action bi are performed alternately. The first property depends only on the actions a0 , . . . , an−1 and neither by the bi ’s nor by the τ actions occurring as a result of the communications. Then, if we want to check this property, we can consider as interesting actions only these ones. It is easy to prove that, if we take I = {a0 , . . . , an−1 }, the set of ] abstract traces F(TSCHEDn ↑ω ) is composed by all the prefixes of the traces in the language expressed by the regular expression (a0 a1 · · · an−1 )∗ ; thus the property holds. The second property, for each i, concerns only the two actions ai and bi : in this case, we have ] that F(TSCHEDn ↑ω ) includes all the prefixes of the language (ai bi )∗ , and thus the property is satisfied. Note that the concrete traces of SCHEDn have a more complex structure, since they contain all the actions: in fact the number of states of the standard transition system is exponential in n [1]. Instead, the transition system for SCHEDn , obtained by the abstract semantics, contains n states for I = {a0 , . . . , an−1 } and 2 states for I = {ai , bi }. In general, given a CCS process, the transition system corresponding to the abstract semantics may be much smaller, in terms of number of states, than the transition system corresponding to the concrete operational semantics. Thus the abstract operational semantics we have defined helps in reducing state explosion, which is one of the most serious problems in the verification of concurrent systems. Finally, let us remark that, to be usable in practice, our abstract semantics must be efficiently implemented. In particular, note that the “look ahead” process can diverge. This behaviour can be avoided in finite state systems by loop-checking. Because most of the real applications are modeled by finite state systems, this is not a real limitation. References [1] R. Barbuti, N. De Francesco, A. Santone, G. Vaglini, Selective mu-calculus: New modal operators for proving properties on reduced transition systems, in: Proc. of FORTE X/PSTV XVII ’97, Chapman & Hall, 1997, pp. 519–534.

78

R. Barbuti et al. / Information Processing Letters 70 (1999) 69–78

[2] S. Bensalem, A. Bouajjani, C. Loiseaux, J. Sifakis, Property preserving simulations, in: Proc. Fourth Workshop on Computer Aided Verification, Lecture Notes in Computer Sci., Vol. 663, Springer, Berlin, 1992, pp. 260–273. [3] A. Bouajjani, J.C. Fernandez, S. Graf, C. Rodriguez, J. Sifakis, Safety for branching time semantics, in: Proc. 18th International Colloquium on Automata, Languages and Programming, Lecture Notes in Computer Sci., Vol. 510, Springer, Berlin, 1991, pp. 76–92. [4] G. Bruns, A case study in safety-critical design, in: Proc. Workshop on Computer Aided Verification (CAV’92), Lecture Notes in Computer Sci., Vol. 663, Springer, Berlin, 1992, pp. 220–233. [5] G. Bruns, Practical technique for process abstraction, in: Proc. International Conference on Concurrency Theory (CONCUR’93), Lecture Notes in Computer Sci., Vol. 714, Springer, Berlin, 1993, pp. 37–49. [6] E.M. Clarke, O. Grumberg, D.E. Long, Model checking and abstraction, ACM Trans. Programming Languages Systems 16 (5) (1994) 1512–1542. [7] R. Cleaveland, J. Riely, Testing-based abstractions for valuepassing systems, in: Proc. CONCUR’94, Lecture Notes in Computer Sci., Vol. 836, Springer, Berlin, 1994, pp. 417–432. [8] P. Cousot, R. Cousot, Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints, in: ACM Symp. on Principles of Programming Languages, 1977, pp. 238–252. [9] P. Cousot, R. Cousot, Systematic design of program analysis frameworks, in: ACM Symp. on Principles of Programming Languages, 1979, pp. 269–282. [10] P. Cousot, R. Cousot, Inductive definitions, semantics and abstract interpretations, in: ACM Symp. on Principles of Programming Languages, 1992, pp. 83–94.

[11] P. Cousot, R. Cousot, Abstract interpretation frameworks, J. Logic Comput. 2 (4) (1992) 511–547. [12] D. Dams, O. Grumberg, R. Gerth, Abstract interpretation of reactive systems: Abstractions preserving ACTL*, ECTL*, and CTL*, in: IFIP Working Conference and Programming Concepts, Methods and Calculi (PROCOMET’94), 1994, pp. 361– 381. [13] D. Dams et al., Model checking using adaptive state and data abstraction, in: Proc. 6th Int. Conf. on Computer Aided Verification (CAV’94), 1994, pp. 455–467. [14] D. Dams, O. Grumberg, R. Gerth, Abstract interpretation of reactive systems, ACM TOPLAS 19 (1997) 253–291. [15] R.J. van Glabbeek, The linear time-branching time spectrum, in: Proc. of CONCUR’90, Lecture Notes in Computer Sci., Vol. 458, Springer, Berlin, 1990, pp. 278–297. [16] C.A.R. Hoare, Communicating Sequential Processes, PrenticeHall, Englewood Cliffs, NJ, 1985. [17] N.D. Jones, F. Nielson, Abstract interpretation: a semanticbased tool for program analysis, in: S. Abramsky, D.M. Gabbay, T.S.E. Maibaum (Eds.), Handbook of Logic in Computer Science, Vol. 4, Oxford Univ. Press, Oxford, 1995, pp. 527– 636. [18] R. Milner, Communication and Concurrency, Prentice-Hall, Englewood Cliffs, NJ, 1989. [19] R. Milner, Operational and algebraic semantics of concurrent processes, in: J. van Leeuwen (Ed.), Handbook of Theoretical Computer Science, Elsevier, 1990, pp. 1201–1242. [20] U. Nitsche, P. Ochsenschlager, Approximately satisfied properties of systems and simple language homomorphisms, Inform. Process. Lett. 60 (1996) 201–206.