![Page 1: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/1.jpg)
Japan Advanced Institute of Science and Technology
JAIST Repositoryhttps://dspace.jaist.ac.jp/
TitleA Complete Axiomatic Semantics for the CSP
Stable-Failures Model
Author(s) Isobe, Yoshinao
Citation
Issue Date 2006-11-30
Type Presentation
Text version publisher
URL http://hdl.handle.net/10119/8308
Rights
Description
Theorem Proving and Provers Meeting(2nd TPP)での
発表資料, 開催:2006年11月29日~30日, 開催場所
:JAIST 情報科学研究科棟II・Collaboration Room 7
(5F)
![Page 2: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/2.jpg)
1
A Complete Axiomatic Semanticsfor the CSP Stable-Failures Model
Yoshinao Isobe, AIST, Japan
in cooperation with Markus Roggenbach, University of Wales Swansea, UK
TPP 2006 (30/11/2006) (also see CONCUR 2006)
![Page 3: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/3.jpg)
2
Overview
1
Process algebra
Introduction
Syntax of unbounded ND
Non-determinism (ND)2
Differences from finite version
Axiom system AF3
4
A deep-encoding of CSP in Isabelle
CSP-Prover
5 Conclusion
Summary and future work
Motivation
Sequentialisation and Normalisation
![Page 4: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/4.jpg)
3
Introduction
![Page 5: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/5.jpg)
4Process algebra
comin out
P
P1 P2
a formal framework to describe and analyze concurrent processes.
P1 = in → com → STOPP2 = com → out → STOP
P = (P1 |[com]| P2)\com
3 styles of semantics
• Operational semantics• Denotational semantics• Axiomatic semantics
in Q out
Q = in → out → STOP
?
P Q?
![Page 6: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/6.jpg)
5Operational semantics
|[com]|in
com
com
out
\com
in
out
in
τ
out
P1 = in → com → STOPP2 = com → out → STOP
P = (P1 |[com]| P2)\comQ = in → out → STOP
Graph
![Page 7: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/7.jpg)
6Denotational semantics
P1 = in → com → STOPP2 = com → out → STOP
P = (P1 |[com]| P2)\comQ = in → out → STOP
traces(P1) = { 〈〉, 〈in〉, 〈in.com〉}
traces(P2) = { 〈〉, 〈com〉, 〈com.out〉}
traces(P) = { (t1 |[com]| t2)\com | t1∈traces(P1), t2 ∈traces(P2)}= { 〈〉, 〈in〉, 〈in.out〉}
traces(Q) = { 〈〉, 〈in〉, 〈in.out〉}
Domain(traces model)
![Page 8: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/8.jpg)
7Denotational semantics
P1 = in → com → STOPP2 = com → out → STOP
P = (P1 |[com]| P2)\comQ = in → out → STOP
traces(Q) = { 〈〉, 〈in〉, 〈in.out〉}failures(Q) = {(〈〉,{out}), (〈in〉,{in}), (〈in.out〉,{in,out})}
Domain(stable-failuresmodel)
traces(P) = { 〈〉, 〈in〉, 〈in.out〉}
failures(P) = { (〈〉, {out}), (〈in〉, {in}), (〈in.out〉, {in,out})}
refusals (refused events)
![Page 9: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/9.jpg)
8Axiomatic semantics
= (P1 |[com]| P2)\com= ((in → com → STOP) |[com]| (com → out → STOP))\com= (in → ((com → STOP) |[com]| (com → out → STOP)))\com= in → ((com → STOP) |[com]| (com → out → STOP))\com= in → ( com → (STOP |[com]| (out → STOP)))\com= in → (STOP |[com]| (out → STOP))\com= in → (out → (STOP |[com]| STOP))\com= in → out → (STOP |[com]| STOP)\com= in → out → STOP\com= in → out → STOP = Q
P
(a → P)\a = P\a (b → P)\a = b → (P\a)
(a → P) |[b]| (b → Q) = a → (P |[b]| (b → Q))[para2](a → P) |[a]| (a → Q) = a → (P |[a]| Q)[para1]
[hide1][hide2]…
axiom system:
P1 = in → com → STOPP2 = com → out → STOP
P = (P1 |[com]| P2)\com
Q = in → out → STOP
by [para2]by [hide2]by [para1]by [hide1]…
![Page 10: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/10.jpg)
9Process algebra (CSP)
DenotationalSemantics
OperationalSemantics
AxiomaticSemantics
CSP
Definition
Model checking (e.g. FDR)
Theorem proving (e.g. CSP-Prover)
The best known results apply forfinitely nondeterministic CSP overa finite alphabet. [Brooks(1983) , Roscoe (1998)]
c.f.
open question of CSP
Completeness ?for unbounded nondeterministic CSP over an arbitrary alphabet
![Page 11: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/11.jpg)
10Process algebra (CSP)
DenotationalSemantics
OperationalSemantics
AxiomaticSemantics
CSP
Definition
Model checking (e.g. FDR)
Theorem proving (e.g. CSP-Prover)
open question of CSP
The best known results apply forfinitely nondeterministic CSP overa finite alphabet. [Brooks(1983) , Roscoe (1998)]
c.f.
Completeness ?for unbounded nondeterministic CSP over an arbitrary alphabet
Our question is:
Is it possible to prove the equality of two CSP-processes by algebraic laws without using denotational semantics?
![Page 12: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/12.jpg)
11
Non-determinism
![Page 13: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/13.jpg)
12External choices
a → b → STOP □ a → c → STOP a → (b → STOP □ c → STOP)
a a
b c b c
a
external choice □
F
We focus on the stable-failures model suitable for describing infinite systems and deadlock analysis.
{a,c} {a,b}{a}
![Page 14: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/14.jpg)
13Internal choices
a → (b → STOP П c → STOP)
note
a → b → STOP □ a → c → STOP
a a
b c τ τ
a
internal choice П
b c
note
F
{a,c} {a,b}{a,b},{a,c}
![Page 15: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/15.jpg)
14Unbounded non-determinism
binary internal choice
Random Number Generatorn ∈ {0, 1}
rand(n)
RNG = (rand(0) → STOP) П (rand(1) → STOP)
general internal choice
Random Number Generatorn ∈ Nat = {0,1,2,...}
rand(n)
RNG = П {rand(n) → STOP | n ∈ Nat }
a set of processes
![Page 16: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/16.jpg)
15
Standard CSP
Syntax
Proc ::= STOP | a → Proc | Proc □ Proc | П (Proc Set) | …
a set of processes
⇒ cardinality mismatch
datatype ‘a proc = STOP| Act_prefix “ ’a” “ ‘a proc” ( _ → _ )| Ext_choice “ ’a proc” “ ‘a proc” ( _ □ _ )| G_Int_choice “ ‘a proc set” (П _ )| …
Isabelle type ‘a : type of alphabet (events) Σ
![Page 17: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/17.jpg)
16
CSPTP
Syntax
Proc ::= STOP | a → Proc | Proc □ Proc | П (Proc Fun) | …
process function
Isabelle type
datatype ‘a proc = STOP| Act_prefix “ ’a” “ ‘a proc” ( _ → _ )| Ext_choice “ ’a proc” “ ‘a proc” ( _ □ _ )| Set_Int_choice “ ‘a set ⇒ ‘a proc” (Пset _ )| Nat_Int_choice “ nat ⇒ ‘a proc” (Пnat _ )| …
note these types
![Page 18: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/18.jpg)
17Relation to ‘Standard CSP’
Stable failuresdomain F
surjective surjective
Expressive power
CSPTP
‘a set ⇒ ‘a procnat ⇒ ‘a proc
syntax
semantics
П (Proc Fun)
Standard CSP
‘a proc set
П (Proc Set)
![Page 19: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/19.jpg)
18Div: The bottom element(in semantic domain)
Recursive processes
П {Loop(n) | n∈Nat }
a
Diva Diva a Diva a a Div
τ
Loop(0) = DivLoop(n+1) = a → Loop(n)
Loop = a → Loop
Loop F
F
![Page 20: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/20.jpg)
19
Axiom system
![Page 21: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/21.jpg)
20Axiom system AF
Important differences from the standard axioms for finite processes appearin the laws for
AF├ P = Q P Q
(1) parallel composition in combination with timeout (corrected)
(2) internal choice in combination with Skip (extended with infinity)
(3) depth restriction operator (new)
∀P,Q∈Proc. ⇔
axiom system AF
AF is sound and complete for the stable failures equivalence over unbounded nondeterministic processes with an arbitrary alphabet.
F
![Page 22: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/22.jpg)
21Depth restriction
P↓n : depth restriction by the nth step
examples
(a1→a2→a3→ a4→Stop)↓2 a1→a2→DivF
(a1→a2→Stop)↓2 a1→a2→DivF
(a1→Stop)↓2 a1→STOPF
(a1→a2→a3→Stop)↓2 a1→a2→DivF
(Stop)↓2 STOPF
all the executions are cut off at the 2nd step
Пnat (λn ● (P↓n))P F
![Page 23: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/23.jpg)
22How to normalise
note
any process
(extended) full normal form
key point : remove Hiding operators by a function recursivelydefined on the process structure.
key point : normalise ((Пset P(X))↓n) by a function recursivelydefined on the depth n.
Induction on the process structure cannot be applied to a family of processes P(X) (X ⊆Σ)
full sequential form
![Page 24: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/24.jpg)
23How to normalise
note
any process
(extended) full normal form
key point : remove Hiding operators by a function recursivelydefined on the process structure.
key point : normalise ((Пset P(X))↓n) by a function recursivelydefined on the depth n.
Induction on the process structure cannot be applied to a family of processes P(X) (X ⊆Σ)
full sequential form
However, Σ can be infinite!
Пset P(X)
∀X⊆Σ. P(X)∈FNF
can be normalized if Σ is finite.
![Page 25: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/25.jpg)
24
note
any process
(extended) full normal form
key point : remove Hiding operators by a function recursivelydefined on the process structure.
key point : normalise ((Пset P(X))↓n) by a function recursivelydefined on the depth n.
Induction on the process structure cannot be applied to a family of processes P(X) (X ⊆Σ)
full sequential form
How to normalise note
P↓n Q↓n=F (P\X)↓n (Q\X)↓n=F⇒
![Page 26: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/26.jpg)
25Full Sequential form
Full Sequential Form (FSF)
FSF contains only “sequential” operators such as □, !!, and Stop.
The following function Seq: Proc→FSF can be recursively defined over the process structure.
∀P∈Proc. AF├ P = Seq(P)Theorem 3
This theorem can be proven by structural induction on P.
The sequential process Seq(P) cannot be necessarily automaticallycomputed because Seq(P) often needs infinite computations, for example
Seq(Пs ● P(s))
requires to compute Seq(P(s)) for all s∈S, where S may be infinite.
note
![Page 27: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/27.jpg)
26
Full Normal form
Пs ● (Пs’ ● Pseq(s,s’))
Пs’ ● (Пs ● Pseq(s,s’))
∈ FSF
∈ FSF
semantically equal butsyntactically different
Syntactic equality?
Full Normal Form (FNF)
FNF is a more specialized form than FSF, for giving the syntactic equality.
∀P,Q∈FNF. P ≡ QP Q=F ⇔ (syntactic equality)Theorem 4
(similar to the standard FNF)
![Page 28: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/28.jpg)
27Full Normal form
The following function Norm: FSF→FNF can be recursively defined on the depth n and the structure over FSF.
∀P∈FSF. AF├ P↓n = Norm(n)(P)Lemma 2
This theorem can be proven by the induction on n and structural induction on P.
P may be (!! s:S ● P’(s))
∃P∈FSF. ∀P’∈FNF. P =F P’Theorem 5
There is no function Norm’ such that ∀P∈FSF. AF├ P = Norm’(P)
FNF does not capture all processes
![Page 29: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/29.jpg)
28П n ● (P↓n)=FP
reminder
Extended Full Normal Form
P = П n ● P’(n)(1) ∀n. P’(n) ∈ FNF and(2) ∀n. P↓n =F P’(n)
Extended Full Normal Form (XFNF)
if
infinite internal choice over fully normalised processes for finite depths
∀P,Q∈XFNF. P ≡ QP Q=F ⇔ (syntactic equality)
∀P∈Proc. ∃P’∈XFNF. AF├ P = Xnorm(P)
Theorem 6
Theorem 7
Xnorm(P) ≡ П n ● (Norm(n)(Seq(P))
![Page 30: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/30.jpg)
29Completeness
∀P,Q∈XFNF. P ≡ QP Q=F ⇔ (syntactic equality)
∀P∈Proc. ∃P’∈XFNF. AF├ P = Xnorm(P)
Theorem 6
Theorem 7
∀P,Q∈Proc.Corollary
AF├ P = Xnorm(P) ≡ Xnorm(Q) = Q
P Q=F ⇒ AF├ P = Q
Xnorm(P) ≡ П n ● (Norm(n)(Seq(P))
Let P Q, then=F
![Page 31: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/31.jpg)
30
CSP-Prover
![Page 32: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/32.jpg)
31CSP-Prover
CSP-Prover: a deep encoding of CSP in the generic theorem prover Isabelle
Isabelle
CSP
CSP_F
FNF_FVerification of infinite state systems
Establishing new theorems on CSP
e.g. EP2 (an electronic payment system)
e.g. Soundness and completeness of AF
fixed point theorems, definitions of syntax and semantics,CSP-laws, semi-automatic proof tactics, etc.
includes
Y.Isobe and M.Roggenbach, A Generic Theorem Prover of CSP refinment, TACAS 2005, LNCS 3440, pp.108-123, 2005
References:
http://staff.aist.go.jp/y-isobe/CSP-Prover/CSP-Prover.htmlWeb-site:
1.
Y.Isobe and M.Roggenbach, A complete axiomatic semantics for CSP stable failures model, CONCUR 2006, LNCS 4237, pp.158-172, 2006
2.
![Page 33: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/33.jpg)
32
Conclusion
![Page 34: dspace.jaist.ac.jp€¦ · a formal framework to describe and analyze concurrent processes. P1 = in →com →STOP P2 = com →out →STOP P = (P1 |[com]| P2)\com 3 styles of semantics](https://reader035.vdocuments.mx/reader035/viewer/2022070920/5fb968230eb067682566acf4/html5/thumbnails/34.jpg)
33Summary and Future Work
1. Complete axiomatic semantics of the stable failures model
2. Our CSP dialect is expressive with respect to the stable failures model
4. Correction of two well-known step laws
3. Implementation & Verification of all results in CSP-Prover
Summary
The errors as well as our corrections have been approved by Bill Roscoe, Oxford.
1. Improve proof tactics in CSP-Prover based on the normal forms
2. Develop completeness results for other CSP models
Future work