An Extended cCSP with Stable Failures Semantics

UNU-IISTInternational Institute forSoftware Technology

UNU-IIST Report No. 431 R

An Extended cCSP

with Stable Failures Semantics

Zhenbang Chen and Zhiming Liu

June 2010

UNU-IIST and UNU-IIST Reports

UNU-IIST (United Nations University International Institute for Software Technology) is a Research andTraining Centre of the United Nations University (UNU). It is based in Macao, and was founded in1991. It started operations in July 1992. UNU-IIST is jointly funded by the government of Macao andthe governments of the People’s Republic of China and Portugal through a contribution to the UNUEndowment Fund. As well as providing two-thirds of the endowment fund, the Macao authorities alsosupply UNU-IIST with its office premises and furniture and subsidise fellow accommodation.

The mission of UNU-IIST is to assist developing countries in the application and development of softwaretechnology.

UNU-IIST contributes through its programmatic activities:

1. Advanced development projects, in which software techniques supported by tools are applied,

2. Research projects, in which new techniques for software development are investigated,

3. Curriculum development projects, in which courses of software technology for universities in devel-oping countries are developed,

4. University development projects, which complement the curriculum development projects by aimingto strengthen all aspects of computer science teaching in universities in developing countries,

5. Schools and Courses, which typically teach advanced software development techniques,

6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and

7. Dissemination, in which UNU-IIST regularly distributes to developing countries information oninternational progress of software technology.

Fellows, who are young scientists and engineers from developing countries, are invited to actively partic-ipate in all these projects. By doing the projects they are trained.

At present, the technical focus of UNU-IIST is on formal methods for software development. UNU-IISTis an internationally recognised center in the area of formal methods. However, no software technique isuniversally applicable. We are prepared to choose complementary techniques for our projects, if necessary.

UNU-IIST produces a report series. Reports are either Research R , Technical T , Compendia C or

Administrative A . They are records of UNU-IIST activities and research and development achievements.Many of the reports are also published in conference proceedings and journals.

Please write to UNU-IIST at P.O. Box 3058, Macao or visit UNU-IIST’s home page: http://www.iist.unu.edu,if you would like to know more about UNU-IIST and its report series.

Peter Haddawy, Director

UNU-IISTInternational Institute forSoftware Technology

P.O. Box 3058

Macao

An Extended cCSP

with Stable Failures Semantics

Zhenbang Chen and Zhiming Liu

Abstract

Compensating CSP (cCSP) is an extension to CSP for modeling long-running transactions. Itcan be used to specify programs of service orchestration written in a programming language likeWS-BPEL. So far, only an operational semantics and a trace semantics are given to cCSP. Inthis paper, we extend cCSP with more operators and define for it a stable failures semanticsin order to reason about non-determinism and deadlock. We give some important algebraiclaws for the new operators. These laws can be justified and understood from the stable failuressemantics. A case study is given to demonstrate the extended cCSP.

Zhenbang Chen was a former fellow of UNU-IIST. He is currently a lecturer at the NationalLaboratory for Parallel and Distributed Processing in China. His research interests includeformal methods for component-based systems and Service-Oriented Computing, new networkcomputing techniques, and software verification. Email: [email protected]

Zhiming Liu is a Senior Research Fellow at UNU-IIST. His research interests include the-ory of computing systems, emphasizing sound methods and tools for specification, verificationand refinement of fault-tolerant, realtime and concurrent systems, and formal techniques forobject-oriented development. Email: [email protected]

The authors acknowledge support from the project HTTS funded by Macau Science and Tech-nology Development Fund.

Copyright c© 2010 by UNU-IIST

Contents 5

Contents

1 Introduction 7

2 Compensating CSP 82.1 Basic notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2 Trace semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2.1 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Extended cCSP and its stable failures semantics 113.1 Semantics of standard process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.1.1 Atomic and basic processes . . . . . . . . . . . . . . . . . . . . . . . . . . 123.1.2 Internal choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.1.3 External choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.1.4 Sequential composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.1.5 Parallel composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.1.6 Exception handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.1.7 Hiding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.1.8 Renaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.2 Semantics of compensable process . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.2.1 Compensation pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.2.2 Transaction block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313.2.3 Sequential composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333.2.4 Internal choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363.2.5 External choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383.2.6 Parallel composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403.2.7 Hiding and renaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4 Case study 49

5 Conclusions and future work 55

Report No. 431, June 2010 UNU-IIST, P.O. Box 3058, Macao

Introduction 7

1 Introduction

Long-Running Transactions (LRT) are attracting increasing research attention recently becauseof their importance in Service-Oriented Computing (SOC) [9]. A transaction in SOC usuallylasts for a long period of time, and involves interactions with different organizations. The notionof atomic transaction is too strict for this scenario due to some requirements such as isolation[9]. LRT are therefore introduced to cope with this problem by using compensation to recoverfrom a failure to ensure the required atomicity and consistency.

Industrial service composition languages, such as WS-BPEL [1] and XLANG [13] are now de-signed and implemented for programming LRT in service orchestration. For specification andverification of LRT, formalisms have been being proposed and they include StAC [4], Sagas [3],cCSP [6], etc. Formalisms can provide formal semantics to an industrial language and serve asthe foundation for the understanding of LRT and the development of tool support to verificationand analysis.

Compensating CSP (cCSP) extends the process calculus of Communicating Sequential Process(CSP) [12] with mechanisms of interruption and recovery from exceptions for describing LRT.The recovery mechanism in cCSP is the same as the backward recovery proposed in Sagas [8].There are two types of processes in cCSP, and they are called respectively standard processes andcompensable processes. A standard process is a subset of a CSP process extended with exceptionhandling and transaction block. A compensable process specifies the behavior of the recoverywhen an exception occurs. A trace semantics is presented in [4] and an operational semantics isin [7], and the consistency between them is studied in [11]. However, without non-deterministic(internal) choice and hiding, cCSP is not expressive enough for relating specifications at differentlevels of abstraction. It is important to note that abstraction (via hiding) is the main source ofnon-determinism and non-determinism can causes deadlocks when composing processes.

Internal choice and hiding are motivated in the definition of StAC [4, 5], a formal notationfor LRT that supports synchronized parallel composition, internal and external choices, hiding,and programmable compensation. A serious drawback of StAC compared to cCSP is that StACdoes not support compositional reasoning. A thorough comparative study between Sagas [3] andcCSP is presented in [2] and shows two equivalent subsets of them. The paper also comparesthe policies of the interruption and compensation in Sagas and cCSP, and finds that the revisedSagas [3] is more expressive than cCSP [6]. There is an attempt to extend cCSP [10], but onlywith synchronized parallel composition.

In this paper, we extend cCSP by bringing back the CSP operators of hiding, internal choice fornon-determinism, and synchronized parallel composition for general composition. Accordinglyto characterize non-determinism and deadlock, we define a stable failures semantics for theextended language. We show most algebraic laws in the trace semantics of the original cCSPstill hold in the stable failures semantics. Also, we show that a few laws that were claimed tohold for the original trace semantics do not hold there, but they hold for the semantics we definein this paper. We study the laws for the newly introduced operators.


Compensating CSP 8

The rest of this paper is organized as follows. Section 2 gives a brief introduction to the syntaxand semantics of the original cCSP. Section 3 presents the extended cCSP including the syntax,semantics and laws. Section 4 gives a case study to demonstrate the extended cCSP. Section 5concludes the paper and reviews the related work.

2 Compensating CSP

The syntax of cCSP [6] is as follows, where P and PP represent a standard process and acompensable process, respectively.

P ::= A | P ; P | PP | P ‖ P | SKIP | THROW | YIELD | P B P | [PP ]

PP ::= P ÷ P | PP ; PP | PPPP | PP ‖ PP | SKIPP | THROWW | YIELDD

Process A denotes the process that terminates successfully after performing event A. Thereare three operators on both the standard processes and the compensable processes: sequentialcomposition (;), deterministic choice () and parallel composition (‖). SKIP is the process thatimmediately terminates successfully. THROW indicates the occurrence of an exception, and theprocess will be interrupted. YIELD can terminate successfully or yield to an interrupt fromenvironment to result in an interruption. P B Q executes process Q after an exception is thrownfrom P , otherwise it behaves like P . [PP ] is a transaction block specifying a long-runningtransaction, in which a compensable process is defined to specify the transaction.

A compensable process is constructed from compensation pairs of the form P ÷Q, where theexecution of process Q can compensate the effects after executing P . SKIPP immediately ter-minates successfully without the need to be compensated. THROWW throws an exception andYIELDD either terminates successfully or yields to an interrupt. We use P and PP to denotethe set of standard processes and the set of compensable processes, respectively.

2.1 Basic notations

Let Σ be the set of all the normal events that all processes can perform, called alphabet ofprocesses, and Σ∗ be the set of the finite traces over Σ. In cCSP, three more events X, ! and ? notin Σ are used. Event X, called the success terminal event, represents that the process terminatessuccessfully. Event !, called the exception terminal event, represents that the trace terminateswith an occurrence of an exception. Event ?, called the yield terminal event, represents thatthe execution terminates by yielding to an interrupt from environment. We use Ω = X, !, ? todenote the set of the terminal events, and define ΣΩ = Σ ∪ Ω. In addition, we use s t to representthe concatenation of traces s and t, and define

• Σ∗O = s 〈ω〉 | s ∈ Σ∗ ∧ ω ∈ O: for an O ⊆ Ω.


Compensating CSP 9

Let Σ∗O = Σ∗ ∪ Σ∗O, and we call traces in Σ∗Ω terminating traces and traces in Σ∗X successfullyterminating traces.

2.2 Trace semantics

In contract to the CSP convention [12], the trace set of a standard process in cCSP is notprefix closed. The trace semantic function T : P → P(Σ∗Ω) assigns each process P a set T (P ) ofterminating traces. Fig. 1 shows the definition of T , where p and q are terminating traces, andp1 9 q1 represents the set of interleavings of traces p1 and q1, whose formal definition can berefereed to Section 2.3 in [12]. The processes in a parallel composition only synchronize on theterminal events, performing other events in an interleaving manner. An exception occurs in thecomposition if any sub-process throws an exception, and the composition terminates successfullyonly if both sub-processes do.

Atomic process For all A ∈ Σ, T (A) = 〈A,X〉

Sequential composition

p ; q =

p1 q p = p1 〈X〉p p = p1 〈ω〉 ∧ ω 6= X

T (P ; Q) = p ; q | p ∈ T (P ) ∧ q ∈ T (Q)

Choice T (PQ) = T (P ) ∪ T (Q)

Parallel compositionp1 〈ω1〉 ‖ q1 〈ω2〉 = r 〈ω1&ω2〉 | r ∈ (p1 9 q1) where ω1 X X X ! ! ?T (P ‖ Q) = r | r ∈ (p ‖ q) ∧ p ∈ T (P ) ∧ q ∈ T (Q) ω1 X ? ! ! ? ?

ω1&ω2 X ? ! ! ! ?Exception handling

p B q =

p1 q p = p1 〈!〉p p = p1 〈ω〉 ∧ ω 6=!

T (P B Q) = p B q | p ∈ T (P ) ∧ q ∈ T (Q)

Basic processes T (SKIP) = 〈X〉, T (THROW) = 〈!〉, T (YIELD) = 〈?〉, 〈X〉

Figure 1: The semantics of standard process

A compensable process is defined by a set of pairs of traces, called the forward trace andcompensation trace, respectively. It is necessary to note that the semantics of the sequentialcomposition conforms to the semantics of the classical Sagas [8], and compensation actions areexecuted in the reverse order of their corresponding forward actions. For example, the forwardbehavior of A1 ÷B1 ; A2 ÷B2 will perform A1 followed by A2, but the compensation behaviorwill perform B1 after B2 in case of an exception occurred later. Fig. 2 defines the trace semanticfunction Tc : PP → P(Σ∗Ω × Σ∗Ω) of the compensable processes.

To allow a compensable process PP to implicitly yield to an interrupt from the environment atthe beginning, in the definition of a compensation pair P ÷Q in Fig. 2, the trace pair (〈?〉, 〈X〉)is included. On the other hand, YIELD can be used in any place in a process if one would like


Compensating CSP 10

Compensation pair

p÷ q =

(p, q) p = p1 〈X〉(p,X) p = p1 〈ω〉 ∧ ω 6= X

Tc(P ÷Q) = p÷ q | p ∈ T (P ) ∧ q ∈ T (Q) ∪ (〈?〉, 〈X〉)

Compensable sequential composition

(p, p′) ; (q, q′) =

(p1 q, q′ ; p′) p = p1 〈X〉(p, p′) p = p1 〈ω〉 ∧ ω 6= X

Tc(PP ; QQ) = (p, p′) ; (q, q′) | (p, p′) ∈ Tc(PP ) ∧ (q, q′) ∈ Tc(QQ)

Compensable choice Tc(PPQQ) = Tc(PP ) ∪ Tc(QQ)

Compensable parallel composition(p, p′) ‖ (q, q′) = (r, r′) | r ∈ (p ‖ q) ∧ r′ ∈ (q ‖ q′)Tc(PP ‖ QQ) = rr | rr ∈ (pp ‖ qq) ∧ pp ∈ Tc(PP ) ∧ qq ∈ Tc(QQ)

Compensable basic processesSKIP = SKIP÷ SKIP, THROWW = THROW÷ SKIP, YIELDD = YIELD÷ SKIP

Figure 2: The semantics of compensable process

to explicitly specify a yield to an interrupt at that place. The semantics of a transaction block[PP ] is defined below.

T ([PP ]) = p p′ | (p 〈!〉, p′) ∈ Tc(PP ) ∪ p 〈X〉 | (p 〈X〉, p′) ∈ Tc(PP )

It says that after an exception occurs, the compensation trace will be executed to recover fromthe failure. Otherwise, the compensation trace is not executed.

2.2.1 Discussion

In paper [6] some laws are given for the trace semantics. However, our careful investigationfinds that some of them do not actually hold there. The first is PP ;SKIPP = PP . For ex-ample, according to the semantic definition in Fig. 2, the semantics of the process A÷B is(〈A,X〉, 〈B,X〉), (〈?〉, 〈X〉), but the semantics of A÷B ; SKIPP is (〈A,X〉, 〈B,X〉), (〈?〉, 〈X〉),(〈A, ?〉, 〈B,X〉). The law is not valid because of the extra trace pair (〈?〉, 〈X〉) added to a com-pensation pair in the semantic definition.The laws [P ÷Q]=P and [P ÷Q;THROWW]=P ;Q donot hold either when P does not terminate with the yield terminal event ?. It is because thetransaction block will remove the exception terminal event ! of the forward trace. Intuitively,we expect these laws to hold. Indeed, we will see later they become valid in the stable failuressemantics in this paper.


Extended cCSP and its stable failures semantics 11

3 Extended cCSP and its stable failures semantics

We extend cCSP with operators of internal and external choices, hiding, renaming and general-ized parallel composition for both the standard and compensable processes. The syntax of theextended cCSP is defined as follows, where A ∈ Σ, X ⊆ Σ, and R ⊆ Σ× Σ.

P ::= A | P ; P | P u P | PP | P ‖X

P | SKIP | THROW | YIELD |

STOP | P \X | P JRK | P B P | [PP ]

PP ::= P ÷ P | PP ; PP | PP u PP | PPPP | PP ‖X

PP | SKIPP |

THROWW | YIELDD | PP \X | PP JRK

P uQ and PQ represent internal and external choices, respectively. In the generalized parallelcomposition P ‖

X

Q, processes P and Q synchronize on the events in X, as well as on the terminal

events in Ω. P \X is the process with the events in X being restricted from happening duringthe execution of P , and P JRK the process obtained from P by renaming its events according tothe renaming relation R.

We extend the compensable processes similarly by introducing the same operators. The internaland external choices in the compensable processes are made during the execution of the forwardbehaviors of the sub-processes. PP and QQ in PP ‖

X

QQ synchronize on the events in X between

both the forward behaviors and the compensation behaviors of the two sub-processes.

3.1 Semantics of standard process

The semantics of a standard process is slightly different from the stable failures semantics ofa CSP process in [12], due to the two new terminal events ! and ?. The stable failures modelof a standard process P is a pair (T, F ), where T ⊆ Σ∗Ω is the trace set and F ⊆ Σ∗Ω × P(ΣΩ) isthe stable failure set. The domain of the pairs of traces and failures should satisfy the followingaxioms.

T is non-empty and prefix closed (1)

(s,X) ∈ F ⇒ s ∈ T (2)

(s,X) ∈ F ∧ Y ⊆ X ⇒ (s, Y ) ∈ F (3)

(s,X) ∈ F ∧ ∀a ∈ Y • s 〈a〉 /∈ T ⇒ (s,X ∪ Y ) ∈ F (4)

s 〈ω〉 ∈ T ⇒ (s,ΣΩ \ ω) ∈ F, where ω ∈ Ω (5)

s 〈ω〉 ∈ T ⇒ (s 〈ω〉, X) ∈ F, where ω ∈ Ω ∧X ⊆ ΣΩ (6)

In what follows we define the trace set function TS : P → P(Σ∗Ω) and the stable failure set functionFS : P → P(Σ∗Ω × P(ΣΩ)) for the standard processes in the extended cCSP.



3.1.1 Atomic and basic processes

Process A can perform event A and terminate successfully. The semantic functions are as follows.

TS(A) = 〈〉, 〈A〉, 〈A,X〉FS(A) = (〈〉, X) | X ⊆ ΣΩ ∧A /∈ X ∪ (〈A〉, X) | X ⊆ ΣΩ ∧X /∈ X∪

(〈A,X〉, X) | X ⊆ ΣΩ

The trace and failure sets of processes SKIP, THROW, YIELD and STOP are defined below.

TS(SKIP) = 〈〉, 〈X〉 TS(THROW) = 〈〉, 〈!〉TS(YIELD) = 〈〉, 〈X〉, 〈?〉 TS(STOP) = 〈〉FS(SKIP) = (〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩ

FS(THROW) = (〈〉, X) | X ⊆ ΣΩ∧ ! /∈ X ∪ (〈!〉, X) | X ⊆ ΣΩ

FS(YIELD) = (〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩ

FS(STOP) = (〈〉, X) | X ⊆ ΣΩ

In what follows, we use INTERRUPT to represent the process whose semantics is(〈〉, 〈?〉, (〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ).

3.1.2 Internal choice

P uQ can refuse an event set after performing a trace s if P or Q can refuse the event set after s.The semantic of internal choice is same as that in [12], i.e. the traces and failures of an internalchoice are the unions of the traces and failures of its sub-processes, respectively.

TS(P uQ) = TS(P ) ∪ TS(Q) FS(P uQ) = FS(P ) ∪ FS(Q)

Theorem 1(1) SKIP u INTERRUPT = YIELD

(2) YIELD u SKIP = YIELD

(3) P uQ = Q u P(4) P u P = P

(4) P u (Q uR) = (P uQ) uR

Proof.(1) The law can be proved directly by the semantic definitions.

(2) From the preceding semantic definitions of YIELD and SKIP, we can get the following results:TS(SKIP) ⊆ TS(YIELD) and FS(SKIP) ⊆ FS(YIELD). By the definition of internal choice, we canget TS(YIELD u SKIP) = TS(YIELD) and FS(YIELD u SKIP) = FS(YIELD), i.e. YIELD u SKIP = YIELD.



(3) The law can be proved by using the commutativity of set union.

(4) The law can be proved by using the idempotency of set union.

(5) The law can proved by using the associativity of set union.

3.1.3 External choice

External choice is different from internal choice on the empty trace (〈〉), at which PQ canrefuse an event set only if both P and Q refuse it. The failure set of external choice needs totake the terminal events ? and ! into account to make axiom (1) on page 5 hold.

TS(PQ) = TS(P ) ∪ TS(Q)

FS(PQ) = (〈〉, X) | (〈〉, X) ∈ FS(P ) ∩ FS(Q)∪(s,X) | (s,X) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω

The internal and external choices are indistinguishable on the basic processes.

Theorem 2(1) SKIPYIELD = YIELD

(2) SKIPTHROW = SKIP u THROW

(3) YIELDTHROW = YIELD u THROW

Proof.(1) From the semantic definitions of the basic processes and the internal and external operators,we can get TS(SKIPYIELD) = 〈〉, 〈X〉, 〈?〉, which is equal to TS(YIELD). Besides that, the fail-ure set of TS(SKIPYIELD) is calculated as follows:

FS(SKIPYIELD) = (〈〉, X) | X ⊆ ΣΩ ∧X /∈ X∪(〈X〉, X) | X ⊆ ΣΩ ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ \ X ∪ (〈〉, X) | X ⊆ ΣΩ \ ?

= (〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩ

= FS(SKIP uYIELD) = FS(YIELD)

So, we can get SKIPYIELD = YIELD.

(2) The proof is similar to that of (1).




Theorem 3(1) PP = P

(2) PQ = QP(3) STOPP = P

(4) P(Q uR) = (PQ) u (PR)

(5) P(QR) = (PQ)R

Proof.(1) The law can be proved by using the definition of external choice and the idempotency of setunion and set intersection.

(2) The law can be proved by using the commutativity of set union and set intersection.

(3) TS(STOPP ) = TS(STOP) ∪ TS(P ) = 〈〉 ∪ TS(P ) = TS(P ). Next, we prove the equivalencebetween the failure sets.

FS(STOPP )

=(〈〉, X) | (〈〉, X) ∈ FS(STOP) ∩ FS(P )∪(s,X) | (s,X) ∈ FS(STOP) ∪ FS(P ) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(STOP) ∪ TS(P ) ∧ ω ∈ Ω

=(〈〉, X) | (〈〉, X) ∈ FS(P )∪(s,X) | (s,X) ∈ FS(P ) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∧ ω ∈ Ω

=FS(P )

(4) TS(P(Q uR)) = TS(P ) ∪ (TS(Q) ∪ TS(R)) = (TS(P ) ∪ TS(Q)) ∪ (TS(P ) ∪ TS(R)) = TS(PQ)∪TS(PR) = TS((PQ) u (PR)). Next, we prove the equivalence between the failure sets.

FS(P(Q uR))

=(〈〉, X) | (〈〉, X) ∈ FS(P ) ∩ FS(Q uR)∪(s,X) | (s,X) ∈ FS(P ) ∪ FS(Q uR) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q uR) ∧ ω ∈ Ω

=(〈〉, X) | (〈〉, X) ∈ FS(P ) ∩ FS(Q)∪(s,X) | (s,X) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω∪(〈〉, X) | (〈〉, X) ∈ FS(P ) ∩ FS(R)∪(s,X) | (s,X) ∈ FS(P ) ∪ FS(R) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(R) ∧ ω ∈ Ω

=FS(PQ) ∪ FS(PR) = FS((PQ) u (PR))

(5) The law can be proved by using the associativity of set union and set intersection.



3.1.4 Sequential composition

The definition of sequential composition is different from the classic CSP [12] due to the terminalevents ! and ?.

TS(P ; Q) = s | s ∈ TS(P ) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ TS(Q)FS(P ; Q) = (s,X) | s ∈ Σ∗!,? ∧ (s,X ∪ X) ∈ FS(P )∪

(s t,X) | s 〈X〉 ∈ TS(P ) ∧ (t,X) ∈ FS(Q)

However, the following two laws in [6] still hold here. The first law ensures the exception-stopsemantics that is adopted in many modern languages.

Theorem 4(1) SKIP ; P = P

(2) P ; SKIP = P

(3) THROW ; P = THROW

(4) YIELD ; YIELD = YIELD

(5) INTERRUPT ; P = INTERRUPT

Proof.(1)

TS(SKIP ; P )

=〈〉 ∪ 〈〉 t | t ∈ TS(P )=〈〉 ∪ TS(P )

=TS(P )

FS(SKIP ; P )

=(〈〉 t, X) | (t,X) ∈ FS(Q)=FS(P )

In the result, the law is proved.

(2)

TS(P ; SKIP)

=(TS(P ) ∩ Σ∗!,?) ∪ (s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ 〈〉, 〈X〉)=TS(P )

FS(P ; SKIP)

=(s,X) | s ∈ Σ∗!,? ∧ (s,X ∪ X) ∈ FS(P )∪(s t,X) | s 〈X〉 ∈ TS(P ) ∧ (t,X) ∈ FS(SKIP)

=FS(P )



In the result, the law is proved.

(3) Because TS(THROW) = 〈〉, 〈!〉, from the definition of sequential definition, we can getTS(THROW ; P ) = 〈〉, 〈!〉 = TS(THROW). On the other hand, because the failure set of THROW

is (〈〉, X) | X ⊆ ΣΩ∧ ! /∈ X ∪ (〈!〉, X) | X ⊆ ΣΩ, we can directly get that the failure setFS(THROW ; P ) is equal to FS(THROW). So, we can get the theorem THROW ; P = THROW.

(4) By the definition of sequential composition, we can calculate the semantics of YIELD ; YIELD

as follows:

TS(YIELD ; YIELD) = 〈〉, 〈?〉 ∪ 〈X〉, 〈?〉 = 〈〉, 〈X〉, 〈?〉 = TS(YIELD)

FS(YIELD ; YIELD) = (〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩ

= (〈〉, X) | X ⊆ ΣΩ∧ ? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ∪(〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩ

= FS(YIELD)

In the result, we can get YIELD ; YIELD = YIELD.


Theorem 5(1) P ; (Q1 uQ2) = (P ; Q1) u (P ; Q2)

(2) (Q1 uQ2) ; P = (Q1 ; P ) u (Q2 ; P )

(3) P ; (Q ; R) = (P ; Q) ; R

Proof.(1)

TS(P ; (Q1 uQ2))

=s | s ∈ TS(P ) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ TS(Q1 uQ2)=s | s ∈ TS(P ) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ TS(Q1) ∪ TS(Q2)=s | s ∈ TS(P ) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ TS(Q1)∪s | s ∈ TS(P ) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(P ) ∧ t ∈ TS(Q2)

=TS(P ; Q1) ∪ TS(P ; Q2)

=TS((P ; Q1) u (P ; Q2))

The equivalence between the failure sets can be proved similarly.



(2)

TS((Q1 uQ2) ; P )

=s | s ∈ TS(Q1 uQ2) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(Q1 uQ2) ∧ t ∈ TS(P )=s | s ∈ TS(Q1) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(Q1) ∧ t ∈ TS(P )∪s | s ∈ TS(Q2) ∩ Σ∗!,? ∪ s t | s 〈X〉 ∈ TS(Q2) ∧ t ∈ TS(P )

=TS(Q1 ; P ) ∪ TS(Q2 ; P )

=TS((Q1 ; P ) u (Q2 ; P ))


(3) The law can proved by using the associativity of set union and (s t) r = s (t r).

3.1.5 Parallel composition

The parallel composition has to take care of the synchronization of the terminal events. We firstgive the definition of the synchronization between two traces, where x, x′ ∈ X, y, y′ ∈ Σ \X, ω,ω1 and ω2 are terminal events, and s, t ∈ Σ∗.

s ‖X

t = t ‖X

s , 〈〉 ‖X

〈〉 = 〈〉 , 〈〉 ‖X

〈x〉 = , 〈〉 ‖X

〈y〉 = 〈y〉

〈x〉 s ‖X

〈y〉 t = 〈y〉û | u ∈ 〈x〉 s ‖X

t

〈x〉 s ‖X

〈x〉 t = 〈x〉û | u ∈ s ‖X

t

〈x〉 s ‖X

〈x′〉 t = if x 6= x′

〈y〉 s ‖X

〈y′〉 t = 〈y〉û | u ∈ s ‖X

〈y′〉 t ∪ 〈y′〉û | u ∈ 〈y〉 s ‖X

t

s 〈ω〉 ‖X

t = , t ‖X

s 〈ω〉 =

s 〈ω1〉 ‖X

t 〈ω2〉 = u 〈ω1&ω2〉 | u ∈ s ‖X

t

This definition says that as well as on the terminal events, the traces need to synchronize on theevents in X. Following are some examples for terminating traces.

〈?〉 ‖X

〈X〉 = 〈?〉〈!〉 ‖X

〈X〉 = 〈!〉〈!〉 ‖X

〈?〉 = 〈!〉

To define the semantics of P ‖X

Q, we first define its trace set, and then its failure set. The trace

set of P ‖X

Q is as follows based on the cases defined above.

TS(P ‖X

Q) = u | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t (7)



P ‖X

Q can refuse an event in X ∪ Ω if either P or Q can. However, because both P and Q

can perform the events outside X ∪ Ω independently, P ‖X

Q refuses an event outside X ∪ Ω only

if both P and Q refuse it. For a failure (s, Y ) in P and (t, Z) in Q, the following set is theirsynchronized failure set under the classical CSP definition.

(s, Y )⊕ (t, Z) = (u, Y ∪ Z) | Y \ (X ∪ Ω) = Z \ (X ∪ Ω) ∧ u ∈ s ‖X

t (8)

However, this definition has to be modified for the extended cCSP, to take into account thedifferent cases of synchronization on the terminal events in Ω.

• If P or Q cannot perform a terminal event after executing s or t, then P ‖X

Q cannot

terminate because P and Q need to synchronize on the terminal events. We can usethe definition (8) for this case. For example, if Σ is A,B, consider processes A andB ; THROW. We have the failure (〈〉, B,X, !, ?) of A and the failure (〈B〉, B,X, ?) ofB ; THROW, and thus the failure (〈B〉, B,X, !, ?) of A ‖

(B ; THROW).

• If both P and Q can terminate, the synchronized terminal event should be removed from therefusal set of the synchronized failure. For example, if Σ is A, consider processes A andA;THROW. A has the failure (〈A〉, A, !, ?), and A ; THROW has the failure (〈A〉, A,X, ?).We can see that X is the terminal event A can perform, and ! is the terminal eventA ; THROW can perform. The synchronization of these two terminal events is !, whichshould not be contained in the refusal set of the synchronized failure in A ‖

A(A;THROW),

i.e. (〈A〉, A,X, ?). If we use the definition (8), the synchronized failure set will contain(〈A〉, A,X, ?, !), which indicates A ‖

A(A;THROW) will deadlock after executing 〈A〉.

The synchronized failure set of two failures is defined as follows.

(s, Y )⊕ (t, Z) =

(u, Y ∪ Z) | Y \ (X ∪ Ω) = Z \ (X ∪ Ω) ∧ u ∈ s ‖X

t

if (s, Y ∪ Ω) ∈ FS(P ) ∨ (t, Z ∪ Ω) ∈ FS(Q)

(u, (Y ∪ Z) \Θ) | Y \ (X ∪ Ω) = Z \ (X ∪ Ω) ∧ u ∈ s ‖X

t∧

Θ = rf(ω1, ω2)otherwise

(9)

where ω1 is the terminal event that P can engage in after performing s, i.e. ∀(s, Y1) ∈ FS(P )•Y ⊆ Y1 ⇒ (ω1 ∈ Ω ∧ ω1 /∈ Y1), ω2 is the terminal event that Q can engage in after performing t,and the function rf synchronizing the terminal events is defined as follows, in which ω1&ω2 is



defined in Fig. 1.

rf(ω1, ω2) =

ω1&ω2 ω1 ∈ Ω ∧ ω2 ∈ Ωω1 ω1 ∈ Ω ∧ ω2 = εω2 ω2 ∈ Ω ∧ ω1 = ε ω1 = ε ∧ ω2 = ε

(10)

If P or Q can terminate with different terminal events after executing a trace, ω1 or ω2 may notexist for some failures, e.g. (〈〉, ?) in the failure set of the process SKIP u THROW. If ω1 or ω2

does not exist, we use ε to represent it. Now the failure set of P ‖X

Q is defined below.

FS(P ‖X

Q) = (u,E) | (u,E) ∈ (s, Y )⊕ (t, Z) ∧ ∃s, t • (s, Y ) ∈ FS(P ) ∧ (t, Z) ∈ FS(Q) (11)

For example, the trace and failure sets of the process A ‖A

(A;THROW ) in the last exam-

ple are 〈〉, 〈A〉, 〈A, !〉 and (〈〉, X) | X ⊆ Ω ∪ (〈A〉, X) | X ⊆ A,X, ? ∪ (〈A, !〉, X) | X ⊆ ΣΩ, re-spectively.

Theorem 6(1) P ‖

X

Q = Q ‖X

P

(2) P ‖X

(Q ‖X

R) = (P ‖X

Q) ‖X

R

(3) P ‖X

(Q1 uQ2) = (P ‖X

Q1) u (P ‖X

Q2)

Proof.(1) Because the synchronization between two traces is commutative, and the operator ⊕ is alsocommutative, based on the definitions of trace and failure sets of parallel composition, we candirectly get the law.

(2) Because the synchronization between two traces is associative, and the operator ⊕ is alsoassociative, based on the definitions of trace and failure sets of parallel composition, the law canbe proved.

(3) The trace set of P ‖X

(Q1 uQ2) is as follows:

u | ∃s ∈ TS(P ), t ∈ TS(Q1 uQ2) • u ∈ s ‖X

t

=u | ∃s ∈ TS(P ), t ∈ (TS(Q1) ∪ TS(Q2)) • u ∈ s ‖X

t

=u | ∃s ∈ TS(P ), t ∈ TS(Q1) • u ∈ s ‖X

t ∪ u | ∃s ∈ TS(P ), t ∈ TS(Q2) • u ∈ s ‖X

t

=TS(P ‖X

Q1) ∪ TS(P ‖X

Q2)

=TS((P ‖X

Q1) u (P ‖X

Q2))



The equivalency between the failure sets can be proved similarly.

The laws in the following theorem for parallel composition reflect the termination policies in aparallel composition.

Theorem 7(1) SKIP ‖

X

INTERRUPT = INTERRUPT

(2) SKIP ‖X

SKIP = SKIP

(3) YIELD ‖X

SKIP = YIELD

(4) THROW ‖X

SKIP = THROW

(5) THROW ‖X

INTERRUPT = THROW

(6) THROW ‖X

YIELD = THROW

(7) THROW ‖X

THROW = THROW

Proof.(1) From the semantic definitions of the basic processes and the Equation 7, we can get thatTS(SKIP ‖

X

INTERRUPT) = 〈〉, 〈?〉 = TS(INTERRUPT). For the failure set, the failure sets of

SKIP and INTERRUPT are as follows:

FS(SKIP) = (〈〉, X) | X ⊆ ΣΩ ∧X /∈ X ∪ (〈X〉, X) | X ⊆ ΣΩFS(INTERRUPT) = (〈〉, X) | X ⊆ ΣΩ∧? /∈ X ∪ (〈?〉, X) | X ⊆ ΣΩ

Each failure set can be divided into two parts. For the first part, considering each element(s, Y ) from that of SKIP, i.e., (〈〉, X) | X ⊆ ΣΩ ∧X /∈ X, and each element (t, Z) from that ofINTERRUPT, i.e., (〈〉, X) | X ⊆ ΣΩ∧? /∈ X, the ω1 of (s, Y ) is X, and ω2 of (t, Z) is ?. So, the Θ inthe calculation of (s, Y )⊕ (t, Z) (c.f. Equation 9) is ?. In the result of it, we can get that synchro-nization between the first parts of two failure sets is (〈〉, X) | X ⊆ ΣΩ∧? /∈ X. For the secondpart, the synchronization between elements from those parts of two process can be calculatedby using the first case in Equation 9. And the result is (〈?〉, X) | X ⊆ ΣΩ. Besides that, thesynchronization between the first part and the second part is empty because of the emptiness ofthe synchronization set between a terminating trace and a non-terminating trace. In the result,we can get that the synchronization between two failure sets is equal to FS(INTERRUPT). So,the law SKIP ‖

X

INTERRUPT = INTERRUPT is proved.

(2) The prove of the law is simpler but similar to that of (1).



(3)

YIELD ‖X

SKIP

=SKIP ‖X

YIELD

=SKIP ‖X

(SKIP u INTERRUPT)

=(SKIP ‖X

SKIP) u (SKIP ‖X

INTERRUPT)

=SKIP u INTERRUPT

=YIELD

(4) The proof of the law is similar to that of (1).

(5) The proof of the law is similar to that of (1).

(6)

THROW ‖X

YIELD

=THROW ‖X

(SKIP u INTERRUPT)

=(THROW ‖X

SKIP) u (THROW ‖X

INTERRUPT)

=THROW u THROW

=THROW

(7) The prove of the law is simpler but similar to that of (1).

If P does not terminate with an yield terminal event, i.e. ∀s ∈ TS(P ) • s /∈ Σ∗?, the parallelcomposition ‖ without synchronization agrees with the composition ‖

and it enjoys the following

laws.

Theorem 8 If P does not terminate with an yield terminal event, then(1) THROW ‖ P = P ; THROW

(2) THROW ‖ (YIELD ; P ) = THROW u (P ; THROW)

Proof.(1) There is no need for P to synchronize on the non-terminal events. If a trace t in TS(P )

is non-terminating, t is also in TS(THROW ‖ P ) because t ‖ 〈〉 = t. If t is terminating, it canonly synchronize with 〈!〉 in TS(THROW). So, the terminating traces in TS(THROW ‖ P ) will allterminating with the exceptional terminal event.

For each s in TS(THROW ‖ P ), if s is a non-terminating trace, then s is also in TS(P ), so s mustbe in TS(P ; THROW) according to the semantics of sequential composition; if s is a terminating



trace and s = s1 〈!〉, then there must exist a trace s1 〈ω〉 in TS(P ) such that ω is X or !, for bothcases TS(P ; THROW) contains s1 〈!〉 according to the semantics of sequential composition, so s

is also in TS(P ; THROW). So we have TS(THROW ‖ P ) ⊆ TS(P ; THROW).

For each s in TS(P ; THROW), if s is a non-terminating trace, then s ∈ TS(P ) according tothe semantics of sequential composition, so s is also contained in TS(THROW ‖ P ); if s is aterminating trace, then s = s1 〈!〉 because P will not terminate with ?, then there must exista trace s1 〈ω〉 in TS(P ) such that ω is X or !, for both cases TS(THROW ‖ P ) contains s1 〈!〉according to the semantics of parallel composition, so s is also in TS(THROW ‖ P ). In the result,we have TS(P ; THROW) ⊆ TS(THROW ‖ P ).

Finally, we can have TS(THROW ‖ P ) = TS(P ; THROW). Similarly, we can proveFS(THROW ‖ P ) = FS(P ; THROW).

(2)

THROW ‖ (YIELD ; P )

=THROW ‖ ((SKIP u INTERRUPT) ; P )

=THROW ‖ ((SKIP ; P ) u (INTERRUPT ; P ))

=THROW ‖ (P u INTERRUPT)

=(THROW ‖ P ) u (THROW ‖ INTERRUPT)

=(P ; THROW) u THROW

=THROW u (P ; THROW)

The second law says that a process can be interrupted by an interrupt from the environment,but the interruption does not have priority over other events.

Theorem 9 If A ∈ X, then (A ; P ) ‖X

(A ; Q) = A ; (P ‖X

Q).



Proof. We can prove the law by using the trace law 〈A〉 s1 ‖X

〈A〉 s2 = 〈A〉 (s1 ‖X

s2).

TS((A ; P ) ‖X

Q)

=u | ∃s ∈ TS(A ; P ), t ∈ TS(A ; Q) • u ∈ s ‖X

t

=u | ∃s ∈ 〈〉, 〈A〉, t ∈ TS(A ; Q) • u ∈ s ‖X

t∪

u | ∃s ∈ 〈A〉 t | t ∈ TS(P ), t ∈ TS(A ; Q) • u ∈ s ‖X

t

=〈〉 ∪ u | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ (〈A〉 s) ‖X

(〈A〉 t)

=〈〉 ∪ 〈A〉û | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t

=〈〉, 〈A〉 ∪ 〈A〉û | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t

=TS(A ; (P ‖X

Q))


We use α(P ) to denote the set of all the non-terminal events appearing in the standard pro-cess P . We use fe(P ) to denote the set of all the non-terminal events first appearing inthe standard process P , i.e., fe(P ) = e | ∃s • 〈e〉 s ∈ TS(P ) ∧ e /∈ Ω. If a process P will ter-minate, we use le(P ) to denote the set of all the non-terminal events appearing last in P , i.e.,le(P ) = e | ∃s • s 〈e〉〈ω〉 ∈ TS(P ) ∧ ω ∈ Ω.

Theorem 10 If A /∈ X and fe(Q) ⊆ X, then (A ; P ) ‖X

Q = A ; (P ‖X

Q).

Proof. We can use (〈A〉 s1) ‖X

s2 = 〈A〉 s | s ∈ s1 ‖X

s2 in which s2 ∈ TS(Q) to prove the law.

TS((A ; P ) ‖X

Q)

=u | ∃s ∈ TS(A ; P ), t ∈ TS(Q) • u ∈ s ‖X

t

=u | ∃s ∈ 〈〉, 〈A〉, t ∈ TS(Q) • u ∈ s ‖X

t∪

u | ∃s ∈ 〈A〉 t | t ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t

=〈〉 ∪ u | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ (〈A〉 s) ‖X

t

=〈〉 ∪ 〈A〉û | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t

=〈〉, 〈A〉 ∪ 〈A〉û | ∃s ∈ TS(P ), t ∈ TS(Q) • u ∈ s ‖X

t

=TS(A ; (P ‖X

Q))




Theorem 11 If A /∈ X, P and Q will both terminate successfully, le(P ) ⊆ X, le(Q) ⊆ X, andP ‖

X

Q will also terminate successfully, then (P ; A) ‖X

Q = (P ‖X

Q) ; A.

Proof. The law can be proved by using the trace equation (s1 〈A〉) ‖X

s2 = s 〈A〉 | s ∈ s1 ‖X

s2

where s1 〈X〉 ∈ TS(P ) and s2 〈X〉 ∈ TS(Q) .

Theorem 12 If α(P ) ∩X = , then (P ‖ Q) ‖X

R = P ‖ (Q ‖X

R).

Proof. The law can be proved by using the fact that the set s | ∃s4 • s4 ∈ (s1 ‖s2) ∧ s ∈ s4 ‖

X

s3

is equal to s | ∃s4 • s4 ∈ (s2 ‖X

s3) ∧ s ∈ s1 ‖s4 where s1 \X = s1.

3.1.6 Exception handling

P B Q behaves similarly to P ; Q, but Q starts to execute only after an exception is thrown in P .

TS(P B Q) = s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q)FS(P B Q) = (s,X) | s ∈ Σ∗X,? ∧ (s,X ∪ !) ∈ FS(P )∪

(s t,X) | s 〈!〉 ∈ TS(P ) ∧ (t,X) ∈ FS(Q)

Theorem 13(1) P B THROW = P (6) P B (Q uR) = (P B Q) u (P B R)

(2) THROW B P = P (7) (P uQ) B R = (P B R) u (Q B R)

(3) SKIP B P = SKIP (8) P B (Q B R) = (P B Q) B R(4) YIELD B P = YIELD

(5) STOP B P = STOP

Proof.(1) From the semantic definition of exception handling, we can see that the process P B THROW

will catch all the exceptions in P and directly re-throw them. If a trace s in TS(P ) is not ter-minating, it is also contained in TS(P B THROW) with respect to the semantic definition. Ifs is a terminating trace, because of the catching and re-throwing of exceptions, s is kept inTS(P B THROW). So the trace set of P B THROW is the same as that of P . Similarly, we canget the equivalence between the failure sets of those two processes.

(2) From the semantics of THROW, we can see that TS(THROW B P ) is equal to 〈〉 ∪ 〈〉 t | t ∈ TS(P ),



which is equal to TS(P ) because of 〈〉 ∈ TS(P ) and 〈〉 t = t. The failure set of THROW B P is equalto (〈〉 t, X) | (t,X) ∈ FS(P ), which is equal to FS(P ). In the result, THROW B P = P is proved.

(3) Because SKIP will not throw any exception, the semantics of SKIP B P is equal to thatof SKIP.

(4) Similar to (3)

(5) Because STOP will not terminate, from the semantics of exception handling, we can getthat P will never execute. So the behavior of STOP B P is the same as that of P .

(6) The equivalence between the trace sets can be proved as follows:

TS(P B (Q uR))

=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q uR)=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q) ∪ TS(R)=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q)∪s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(R)

=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q)∪s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(R)

=TS(P B Q) ∪ TS(P B R)

=TS((P B Q) u (P B R))


(7) Similar to (6).



(8)

TS(P B (Q B R))

=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q B R)=s | s ∈ TS(P ) ∩ Σ∗X,?∪s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ s | s ∈ TS(Q) ∩ Σ∗X,?∪s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ s t | s 〈!〉 ∈ TS(Q) ∧ t ∈ TS(R)

=s | s ∈ TS(P ) ∩ Σ∗X,?∪s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q) ∩ Σ∗X,?∪s s1 t | s 〈!〉 ∈ TS(P ) ∧ s1 〈!〉 ∈ TS(Q) ∧ t ∈ TS(R)

=s | s ∈ s | s ∈ TS(P ) ∩ Σ∗X,? ∩ Σ∗X,?∪s | s ∈ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q) ∩ Σ∗X,?s t | s 〈!〉 ∈ s | s ∈ TS(P ) ∩ Σ∗X,? ∧ t ∈ TS(R) (it is )s t | s 〈!〉 ∈ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(Q) ∧ t ∈ TS(R)

=s | s ∈ TS(P B Q) ∩ Σ∗X,?∪s t | s 〈!〉 ∈ TS(P B Q) ∧ t ∈ TS(R)

=TS((P B Q) B R)

Similarly, we can prove the equivalence between the failure sets.

3.1.7 Hiding

P \X behaves like P except hiding the events in X from the behavior of P . The semantics isdefine as follows, in which X ⊆ Σ and s \X denotes the trace after removing all the members inX from s.

TS(P \X) = s \X | s ∈ TS(P )FS(P \X) = (s \X,Y ) | (s, Y ∪X) ∈ FS(P )

Theorem 14(1) (P uQ) \X = (P \X) u (Q \X)

(2) (P \X1) \X2 = P \ (X1 ∪X2)

(3) (P \X1) \X2 = (P \X2) \X1

(4) P \ = P

(5) (A ; P ) \X =

P \X if A ∈ XA ; (P \X) if A /∈ X

(6) (P ; Q) \X = (P \X) ; (Q \X)

(7) (P ‖ Q) \X = (P \X) ‖ (Q \X)



Proof.(1)

TS((P uQ) \X)

=s \X | s ∈ TS(P uQ)=s \X | s ∈ TS(P ) ∪ s \X | s ∈ TS(Q)=TS(P \X) ∪ TS(Q \X)

=TS((P \X) u (Q \X))

The equivalence between the failure sets can also be proved similarly.

(2) The law can be proved by using the fact that (s \X1) \X2 = s \ (X1 ∪X2).

(3) The law can be proved by using the fact that (s \X1) \X2 = (s \X2) \X1.

(4) The law can be proved by using the fact that s \ = s.

(5) We prove the law in the following two cases.

• A ∈ X.

TS((A ; P ) \X) =s \X | s ∈ TS(A ; P )=(〈A〉 s) \X | s ∈ TS(P ) ∪ 〈〉, 〈A〉 \X=s \X | s ∈ TS(P ) ∪ 〈〉 = TS(P \X)

FS((A ; P ) \X) =(s \X,Y ) | (s, Y ∪X) ∈ FS(A ; P )=(s \X,Y ) | (s, Y ∪X) ∈ (〈〉, X) | X ⊆ ΣΩ \ A(s \X,Y ) | (s, Y ∪X) ∈ (〈A〉 t, X) | (t,X) ∈ FS(P )

=(t \X,Y ) | (t, Y ∪X) ∈ FS(P ) = FS(P \X)

• A /∈ X.The prove is similar to that of the first case except using the following trace hiding condition(〈A〉 s) \X = 〈A〉 (s \X).



(6) The equivalence between the trace sets can be proved by using the trace law (s1 s2) \X =

(s1 \X) (s2 \X). Next we prove the equivalence between the failure sets.

FS((P ; Q) \X) =(s \X,Y ) | (s,X ∪ Y ) ∈ FS(P ; Q)=(s \X,Y ) | s ∈ Σ∗!,? ∧ (s,X ∪ Y ∪ X) ∈ FS(P )∪((s \X) (t \X), Y ) | s 〈X〉 ∈ TS(P ) ∧ (t,X ∪ Y ) ∈ FS(Q)

=(s \X,Y ) | (s \X) ∈ Σ∗!,? ∧ (s,X ∪ Y ∪ X) ∈ FS(P )∪((s \X) (t \X), Y ) | s 〈X〉 ∈ TS(P ) ∧ (t,X ∪ Y ) ∈ FS(Q)

=(s,X) | s ∈ Σ∗!,? ∧ (s,X ∪ X) ∈ FS(P \X)∪(s t,X) | s 〈X〉 ∈ TS(P \X) ∧ (t,X) ∈ FS(Q \X)

=FS((P \X) ; (Q \X))

(7) The prove is similar to (6) by using s \X | s ∈ s1 ‖s2 = (s1 \X) ‖

(s2 \X).

3.1.8 Renaming

The behavior of P JRK is the behavior after renaming the events in the behavior of P with re-spect to the renaming relation R. In the following semantic definition, the renaming relation R

is extended by mapping any terminal event to itself, and R−1(X) = a | ∃a′ • (a, a′) ∈ R ∧ a′ ∈ X.

TS(P JRK) = s′ | ∃s • s R s′ ∧ s ∈ TS(P )FS(P JRK) = (s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(P )

Theorem 15(1) (P uQ)JRK = (P JRK) u (QJRK)(2) (PQ)JRK = (P JRK)(QJRK)(3) (P JR1K)JR2K = P JR1 R2K

Proof.(1)

TS((P uQ)JRK)=s′ | ∃s R s′ ∧ s′ ∈ TS(P uQ)=s′ | ∃s R s′ ∧ s′ ∈ TS(P ) ∪ s′ | ∃s R s′ ∧ s′ ∈ TS(Q)=TS(P JRK) ∪ TS(QJRK)=TS((P JRK) u (QJRK))




(2) The prove of the equivalence between the trace sets is similar to that of (1). Next, weprove the equivalence between the failure sets.

FS((PQ)JRK)

=(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(PQ)=(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ (〈〉, X) | (〈〉, X) ∈ FS(P ) ∩ FS(Q)∪(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ (s,X) | (s,X) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ (〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω

=(〈〉, X) | (〈〉, R−1(X)) ∈ FS(P ) ∩ FS(Q)∪(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(〈〉, X) | R−1(X) ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω

FS(P JRKQJRK)=(〈〉, X) | (〈〉, X) ∈ FS(P JRK) ∩ FS(QJRK)∪(s,X) | (s,X) ∈ FS(P JRK) ∪ FS(QJRK) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P JRK) ∪ TS(QJRK) ∧ ω ∈ Ω

=(〈〉, X) | (〈〉, X) ∈ (s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(P ) ∩ FS(Q)∪(s,X) | (s,X) ∈ (s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ s′ | ∃s • s R s′ ∧ s ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω

=(〈〉, X) | (〈〉, R−1(X)) ∈ FS(P ) ∩ FS(Q)∪(s′, X) | ∃s • s R s′ ∧ (s,R−1(X)) ∈ FS(P ) ∪ FS(Q) ∧ s 6= 〈〉∪(〈〉, X) | R−1(X) ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(P ) ∪ TS(Q) ∧ ω ∈ Ω

In the result, we can get FS((PQ)JRK) = FS(P JRKQJRK).

(3)

TS((P JR1K)JR2K)=s′ | ∃s • s R2 s

′ ∧ s ∈ TS(P JR1K)=s′ | ∃s • s R2 s

′ ∧ s ∈ s′ | ∃s • s R2 s′ ∧ s ∈ TS(P )

=s′ | ∃s, s1 • s1 R2 s′ ∧ s R1 s1 ∧ s ∈ TS(P )

=s′ | ∃s • s R1 R2 s′ ∧ s ∈ TS(P )

=TS(P JR1 R2K)




3.2 Semantics of compensable process

The semantics of a compensable process PP is to be defined as a triple (T, F,C), where T andF are the trace and failure sets of the forward behavior, and C ⊆ Σ∗Ω × P(Σ∗Ω)× P(Σ∗Ω × P(ΣΩ))

defines the compensation behavior. The reason for the separation of forward and compensationbehaviors is the compensation behavior needs to be recorded during the execution of the forwardbehavior. An element in C is (s, T c, F c), which shows that the behavior defined by the traceset T c and the failure set F c can compensate the effects caused by executing the terminatingtrace s from the forward behavior. Therefore, both the forward behavior (T, F ), denoted byPP f , and the compensation behavior (T c, F c) of each element in C, denoted by PP c, satisfy theaxioms of the semantics of the standard processes given in Section 3.1. We can thus overloadthe semantic functions TS and FS and the operators on standard processes and apply them toPP f and PP c. For examples, FS(PP f ) = F and FS(PP c) = F c, and later when we define thesemantics of PP ; QQ, we will use the notations TS(PP f ; QQf ) and FS(PP f ; QQf ) as if PP f

and QQf are standard processes. In addition, (T, F,C) is required to satisfy the following axiom.

∀(s, T c, F c) ∈ C • s ∈ Σ∗Ω ∩ s | (s,X) ∈ F (12)

It means the trace s of each element in C is a stable terminating trace in the forward behavior.

We define the triple (T, F,C) for a PP by three semantic functions: the forward trace set functionT c : PP → P(Σ∗Ω), the forward failure set function Fc : PP → P(Σ∗Ω × P(ΣΩ)), and the compen-sation behavior set function C : PP→ P(Σ∗Ω × P(Σ∗Ω)× P(Σ∗Ω × P(ΣΩ))).

3.2.1 Compensation pair

If the forward behavior terminates successfully, the behavior of Q is recorded such that it canbe executed to compensate the effect of P when triggered by an exception later. Otherwise,Q will not be executed. The semantics of a compensation pair P ÷Q attaches the successfullyterminating trace in the forward behavior, i.e. s ∈ T ∩ Σ∗X, with the trace and failure sets ofQ, and the others terminating traces (the traces in Σ∗!,?) with those of SKIP.

T c(P ÷Q) = TS(P ) Fc(P ÷Q) = FS(P )

C(P ÷Q) = (s, T c, F c) | ∃s ∈ T ∩ Σ∗Ω•(s = t 〈X〉 ∧ T c = TS(Q) ∧ F c = FS(Q))∨(s ∈ Σ∗!,? ∧ T

c = TS(SKIP) ∧ F c = FS(SKIP))

The compensation behavior set of the compensable processes STOP÷ P is empty. In the follow-ing, we use STOPP to denote the compensable processes whose forward behaviors are STOP.

Theorem 16 (1) Q1 = Q2 ⇒ P ÷Q1 = P ÷Q2 (2) P1 = P2 ⇒ P1 ÷Q = P2 ÷Q

Proof. Two laws can be gotten directly from the definition of compensation pair.



The definitions of the basic compensable processes are the same as those in Section 2.2. Followingtable shows some examples, where (s, e /∈ X) represents the failure set (s,X) | X ⊆ ΣΩ ∧ e /∈ X,and (s,X) represents (s,X) | X ⊆ ΣΩ.

T F C

s T c F c

SKIPP 〈〉, 〈X〉 (〈〉,X /∈ X) ∪ (〈X〉, X) 〈X〉〈〉, 〈X〉 (〈〉,X /∈ X) ∪ (〈X〉, X)

THROWW 〈〉, 〈!〉 (〈〉, ! /∈ X) ∪ (〈!〉, X) 〈!〉〈〉, 〈X〉 (〈〉,X /∈ X) ∪ (〈X〉, X)

YIELDD 〈〉, 〈X〉, (〈〉,X /∈ X) ∪ (〈〉, ? /∈ X) 〈X〉〈〉, 〈X〉 (〈〉,X /∈ X) ∪ (〈X〉, X)

〈?〉 ∪(〈X〉, X) ∪ (〈?〉, X) 〈?〉〈〉, 〈X〉 (〈〉,X /∈ X) ∪ (〈X〉, X)

A÷B 〈〉, 〈A〉, (〈〉, A /∈ X) ∪ (〈A〉,X /∈ X)∪ 〈A,X〉〈〉, 〈B〉, (〈〉, B /∈ X) ∪ (〈B〉,X /∈ X)

〈A,X〉 (〈A,X〉, X) 〈B,X〉 ∪(〈B,X〉, X)

In what follows, we use INTERRUPTT to represent the compensable process INTERRUPT÷ SKIP.

3.2.2 Transaction block

The semantics of a transaction block [PP ] can be defined in terms of the semantics of the com-pensable process PP in the block.

TS([PP ]) = (T c(PP ) \ Σ∗!)∪s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2

FS([PP ]) = (s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ Fc(PP )∪(s1, X1) | ∃(s, T c, F c) ∈ C(PP ) • (s ∈ Σ∗X,? ∧ s1 = s ∧X1 ⊆ ΣΩ)∨

(s = t 〈!〉 ∧ (s2, X2) ∈ F c ∧ s1 = t s2 ∧X1 = X2)

The compensation behavior of PP will be executed to recover from a failure occurred in theforward behavior. The trace set of [PP ] contains the traces of the forward behavior of PPand the traces of compensation behavior. The failure set FS([PP ]) contains the failures of theforward behavior that do not terminate with an exception terminal event. It also includes thefailures that extend the exception terminating traces of the forward behavior with the failuresof the compensation behavior. Different from the original cCSP, we keep the yield interruptionbehavior in the semantics of transaction block. The following laws hold.

Theorem 17(1) [SKIP÷ P ] = SKIP (4) [STOPP] = STOP

(2) [THROW÷ P ] = SKIP (5) [P ÷Q] = P B SKIP

(3) [YIELD÷ P ] = YIELD (6) PP1 = PP2 ⇒ [PP1] = [PP2]

Proof.(1) The semantics of SKIP÷ P is as follows.



T c(SKIP÷ P ) = 〈〉, 〈X〉Fc(SKIP÷ P ) = (〈〉, X) | X ⊆ Σ?,! ∪ (〈X〉, X) | X ⊆ ΣΩC(SKIP÷ P ) = (〈X〉, TS(P ),FS(P ))

Because there is only one terminating traces in TS(SKIP) terminated with the success terminalevent, from the semantics of transaction block, we can prove the equivalence between [SKIP÷ P ]

and SKIP as follows.

TS([SKIP÷ P ]) =T c(SKIP÷ P ) \ Σ∗!

=〈〉, 〈X〉 = TS(SKIP)

FS([SKIP÷ P ]) =(〈〉, X) | X ⊆ Σ?,! ∪ (〈X〉, X) | X ⊆ ΣΩ=FS(SKIP)

(2) The semantics of THROW÷ P is as follows.

T c(THROW÷ P ) = 〈〉, 〈!〉Fc(THROW÷ P ) = (〈〉, X) | X ⊆ Σ?,X ∪ (〈!〉, X) | X ⊆ ΣΩ

C(SKIP÷ P ) = (〈!〉, TS(SKIP),FS(SKIP))

There is only one terminating traces in TS(THROW) terminated with the exception termi-nal event, from the semantics of transaction block, we can prove the equivalence between[THROW÷ P ] and SKIP as follows.

TS([THROW÷ P ]) =(T c(THROW÷ P ) \ Σ∗!) ∪ 〈〉, 〈X〉

=〈〉, 〈X〉 = TS(SKIP)

FS([SKIP÷ P ]) =(〈〉 s, X) | (s,X) ∈ FS(SKIP)=FS(SKIP)

(3) The prove of the law is similar to that of (1).

(4) Because there is no terminating trace in STOP, C(STOPP) is empty. From the seman-tics definition of transaction block, we can get that TS([STOPP]) is equal to TS(STOP), andFS([STOPP]) is equal to FS(STOP).

(5)

TS([P ÷Q])

=(TS(P ) \ Σ∗!) ∪ s | s 〈!〉 ∈ TS(P ) ∪ s 〈X〉 | s 〈!〉 ∈ TS(P )

=s | s ∈ TS(P ) ∩ Σ∗X,? ∪ s t | s 〈!〉 ∈ TS(P ) ∧ t ∈ TS(SKIP)=TS(P B SKIP)



FS([P ÷Q])

=(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ FS(P )∪(s,X) | (s,X) ∈ FS(P ) ∧ s ∈ Σ∗X,?∪

(s t,X) | s 〈!〉 ∈ TS(P ) ∧ (t,X) ∈ FS(SKIP)=(s,X) | s ∈ Σ∗X,? ∧ (s,X ∪ !) ∈ FS(P )∪(s t,X) | s 〈!〉 ∈ TS(P ) ∧ (t,X) ∈ FS(SKIP)

=FS(P B SKIP)

(6) The law can be gotten directly by the semantic definition of transaction block.

The law [P ÷Q] = P B SKIP fixes the problem of the original cCSP pointed out in Section 2.2,i.e. [P ÷Q] = P under the assumption that P does not terminate with the yield terminal event.

3.2.3 Sequential composition

In a sequential composition PP ; QQ, the forward behavior PPf and the forward behavior QQf

are composed first, and the compensation behavior PPc and the compensation behavior QQc arecomposed in the reverse direction, just like the model of Sagas [8].

T c(PP ; QQ) = TS(PP f ; QQf ) Fc(PP ; QQ) = FS(PP f ; QQf )

C(PP ; QQ) = (s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, QQc) ∈ C(QQ)•(s1 = t 〈X〉 ∧ s = t s2 ∧ T c = TS(QQc;PP c) ∧ F c = FS(QQc;PP c))∨(s1 6= t 〈X〉 ∧ s = s1 ∧ T c = TS(PP c) ∧ F c = FS(PP c))

For example, the compensation behavior of A1 ÷B1 ; A2 ÷B2 is (〈A1, A2,X〉, TS(B2 ; B1),

FS(B2 ; B1)), and that of A1 ÷B1 ; YIELDD contains two elements: (〈A1,X〉, TS(B1),FS(B1))

and (〈A1, ?〉, TS(B1),FS(B1)).

Theorem 18(1) SKIPP ; PP = PP

(2) PP ; SKIPP = PP

(3) THROWW ; PP = THROWW

(4) YIELDD ; YIELDD = YIELDD

(5) INTERRUPTT ; PP = INTERRUPTT



Proof.(1)

T c(SKIPP ; PP ) =TS(SKIP ; PP f )

=TS(PP f )

FS(SKIPP ; PP ) =FS(SKIP ; PP f )

=FS(PP f )

C(SKIP ; PP ) =(〈〉 s, T c, F c) | ∃(s, PP c) ∈ C(PP )•T c = TS(PP c ; SKIP) ∧ F c = FS(PP c ; SKIP)

=C(PP )

(2) Similar to (1)

(3)

T c(THROWW ; PP ) =TS(THROW ; PP f )

=TS(THROW)

FS(THROWW ; PP ) =FS(THROW ; PP f )

=FS(THROW)

C(THROWW ; PP ) =(〈!〉, T c, F c) | ∃(s, PP c) ∈ C(THROWW)•T c = TS(PP c) ∧ F c = FS(PP c)

=C(THROWW)

(4) The proof is similar to (1).

(5) The proof is similar to (3).

The second law fixes the right unit problem of the original trace model pointed out in Section 2.2.

Theorem 19 PP ; (QQ ; RR) = (PP ; QQ) ; RR

Proof. The proof can be done by using the law P ; (Q ; R) = (P ; Q) ; R.

Theorem 20 If the standard processes P , P1 and P2 will not terminate with an exception ter-minal event, then(1) [P ÷Q ; THROWW] = P ; Q

(2) [P1 ÷Q1 ; P2 ÷Q2 ; THROWW] = P1 ; P2 ; Q2 ; Q1

Proof.(1) We prove the law by dividing the assumption into three cases.



• P will not terminate. From the semantics of compensation pair, C(P ÷Q) is empty. Be-cause P will not terminate, P ; Q = P is valid for any Q from the semantics of sequentialcomposition. So, we can get [P ÷Q ; THROWW] = [P ÷Q], which is equal to P B SKIP

from the law in Theorem 17. Because P will not terminate, P B SKIP = P = P ; Q.

• P terminates with the yield terminal event. From the semantics of sequential composi-tion of standard processes, we can get P ; Q = P and P B Q = P . So, we can also get[P ÷Q ; THROWW] = [P ÷Q]. Based on it, we can prove as follows: [P ÷Q] = P B SKIP =

P = P ; Q.

• P terminates with the success terminal event.

TS([P ÷Q ; THROWW])

=(T c(P ÷Q ; THROWW) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(P ÷Q ; THROWW) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(TS(P ; THROW) \ Σ∗!)∪

s1 | ∃s ∈ TS(P ; THROW), s2 ∈ TS(Q) • s = t 〈!〉 ∧ s1 = t s2=s | s ∈ TS(P ) ∩ Σ∗!,?∪t s2 | t 〈X〉 ∈ TS(P ) ∧ s2 ∈ TS(Q)

=TS(P ; Q)


Because the law are valid for all the cases, we can conclude that the law is valid.

(2) We can prove the law by dividing the assumption into different cases.

• P1 will not terminate. The prove is similar to that of the first case in (1).

• P1 terminate with the yield terminal event. The prove is similar to that of the second casein (1).

• P1 terminate with the success terminal event. If P2 will not terminate, then[P1 ÷Q1 ; P2 ÷Q2 ; THROWW] = [P1 ÷Q1 ; P2 ÷Q2], and there is following equivalence:[P1 ÷Q1 ; P2 ÷Q2] = P1 ; P2 = P1 ; P2 ; Q2 ; P1. If P2 terminate with the yield terminalevent, then the prove is the same to that of the last case. Finally, if P2 terminate withthe success terminal event, from the semantics of sequential composition of compens-able processes, we can get [P1 ÷Q1 ; P2 ÷Q2] = [(P1 ; P2)÷ (Q2 ; Q1)], then we can get[P1 ÷Q1 ; P2 ÷Q2 ; THROWW] = P1 ; P2 ; Q2 ; Q1 by using the law (1).

In the conclusion, the law is proved.

The first law fixes the problem pointed out in Section 2.2, which is for ensuring [P ÷Q ; THROWW]

= P ; Q provided that P does not terminate with ?. The second laws are also valid in the case



that the standard processes terminate with ?, and it relaxes the assumption in the original cCSPthat requires all the standard processes terminate successfully.

3.2.4 Internal choice

The semantics of internal choice PP uQQ is as follows.

T c(PP uQQ) = TS(PP f uQQf ) Fc(PP uQQ) = FS(PP f uQQf )

C(PP uQQ) = C(PP ) ∪ C(QQ)

For example, the compensation behavior set of A÷B1 uA÷B2 is (〈A,X〉,TS(B1),FS(B1)),

(〈A,X〉, TS(B2),FS(B2)). We have the following laws hold for internal choice.

Theorem 21(1) PP u PP = PP (4) PP u (QQ uRR) = (PP uQQ) uRR(2) PP uQQ = QQ u PP (5) PP ; (QQ uRR) = (PP ; QQ) u (PP ; RR)

(3) [PP uQQ] = [PP ] u [QQ] (6) (QQ uRR) ; PP = (QQ ; PP ) u (RR ; PP )

Proof.(1) The law can be proved by using the law P u P = P and the idempotency of set union.

(2) The law can be proved by using the commutativity of set union.

(3)

TS([PP uQQ])

=(T c(PP uQQ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP uQQ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(T c(PP ) \ Σ∗!) ∪ (T c(QQ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2∪s1 | ∃(s, T c, Dc) ∈ C(QQ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2

=TS([PP ]) ∪ TS([QQ]) = TS([PP ] u [QQ])


(4) The law can proved by using the associativity of set union.

(5)

T c(PP ; (QQ uRR))

=TS(PP f ; (QQf uRRf ))

=TS((PP f ; QQf ) u (PP f ; RRf ))

=T c((PP ; QQ) u (PP ; RR))



The equivalence between the forward failure sets can be proved similarly. Next, we prove theequivalence between the compensation behavior sets.

C(PP ; (QQ uRR))

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(QQ uRR)•(s1 = t 〈X〉 ∧ s = t s2 ∧ T c = TS(SSc ; PP c) ∧ F c = FS(SSc ; PP c))∨(s1 6= t 〈X〉 ∧ s = s1 ∧ T c = TS(PP c) ∧ F c = FS(PP c))

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(QQ)•(s1 = t 〈X〉 ∧ s = t s2 ∧ T c = TS(SSc ; PP c) ∧ F c = FS(SSc ; PP c))∨(s1 6= t 〈X〉 ∧ s = s1 ∧ T c = TS(PP c) ∧ F c = FS(PP c))∪(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(RR)•(s1 = t 〈X〉 ∧ s = t s2 ∧ T c = TS(SSc ; PP c) ∧ F c = FS(SSc ; PP c))∨(s1 6= t 〈X〉 ∧ s = s1 ∧ T c = TS(PP c) ∧ F c = FS(PP c))

=C(PP ; QQ) ∪ C(PP ; RR)

=C((PP ; QQ) u (PP ; RR))

(6) The proof the law is similar to that of (5) by using the law (Q1 uQ2) ; P = (Q1 ; P ) u (Q2 ; P ).

Theorem 22 (P uQ)÷R = (P ÷R) u (Q÷R)

Proof. The equivalence between the forward trace sets can be proved as follows.

T c((P uQ)÷R) = TS(P uQ) = TS(P ) ∪ TS(Q)

=T c(P ÷R) ∪ T c(Q÷R) = T c((P ÷R) u (Q÷R))


C((P uQ)÷R)

=(s, T c, F c) | ∃s ∈ TS(P uQ) ∩ Σ∗Ω • (s = t 〈X〉 ∧ T c = TS(R) ∧ F c = FS(R))∨(s ∈ Σ∗!,? ∧ T


=(s, T c, F c) | ∃s ∈ TS(P ) ∩ Σ∗Ω • (s = t 〈X〉 ∧ T c = TS(R) ∧ F c = FS(R))∨(s ∈ Σ∗!,? ∧ T

c = TS(SKIP) ∧ F c = FS(SKIP))∪

(s, T c, F c) | ∃s ∈ TS(Q) ∩ Σ∗Ω • (s = t 〈X〉 ∧ T c = TS(R) ∧ F c = FS(R))∨(s ∈ Σ∗!,? ∧ T


=C(P ÷R) ∪ C(Q÷R) = C((P ÷R) u (Q÷R))

Based on the the law, we can directly get YIELDD = SKIP u INTERRUPTT.



3.2.5 External choice

As in the case of the internal choice, the external choice is made during the forward behavior,but it is the environment to make the choice.

T c(PPQQ) = TS(PP fQQf ) Fc(PPQQ) = FS(PP fQQf )

C(PPQQ) = C(PP ) ∪ C(QQ)

For example, C(STOPPA÷B) equals to C(STOPP uA÷B), and they are equal to (〈A,X〉,TS(B),FS(B)). But their forward failures sets are different: Fc(STOPPA÷B) is FS(A), andFc(STOPP uA÷B) is FS(A) ∪ FS(STOP). The following laws hold for external choice.

Theorem 23(1) PPPP = PP (4) [PPQQ] = [PP ][QQ]

(2) PPQQ = QQPP (5) PP(QQRR) = (PPQQ)RR(3) STOPPPP = PP (6) PP(QQ uRR) = (PPQQ) u (PPRR)

Proof.(1) The law can be proved by using PP = P and the idempotency of set union.

(2) The law can be proved by using PQ = QP and the commutativity of set union.

(3) The law can be proved by using STOPP = P and C(STOPP) = .

(4) The equivalence between trace sets can be proved as follows.

TS([PPQQ])

=(T c(PPQQ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PPQQ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(TS(PP fQQf ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP ) ∪ C(QQ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(TS(PP f ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2∪(TS(QQf ) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(QQ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=TS([PP ]) ∪ TS([QQ])

=TS([PP ][QQ])



Next, we prove the equivalence between the failure sets.

FS([PPQQ])

=(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ Fc(PPQQ)∪(s1, X1) | ∃(s, T c, F c) ∈ C(PPQQ) • (s ∈ Σ∗X,? ∧ s1 = s ∧X1 ⊆ ΣΩ)∨

(s = t 〈!〉 ∧ (s2, X2) ∈ F c ∧ s1 = t s2 ∧X1 = X2)=(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ FS(PP fQQf )∪(s1, X1) | ∃(s, T c, F c) ∈ C(PP ) ∪ C(QQ) • (s ∈ Σ∗X,? ∧ s1 = s ∧X1 ⊆ ΣΩ)∨

(s = t 〈!〉 ∧ (s2, X2) ∈ F c ∧ s1 = t s2 ∧X1 = X2)=(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ (〈〉, X) | (〈〉, X) ∈ FS(PP f ) ∩ FS(QQf )∪(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ (s,X) | (s,X) ∈ FS(PP f ) ∪ FS(QQf ) ∧ s 6= 〈〉∪(s,X) | s ∈ Σ∗ ∧ (s,X ∪ !) ∈ (〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(PP f ) ∪ TS(QQf ) ∧ ω ∈ Ω∪(s1, X1) | ∃(s, T c, F c) ∈ C(PP ) ∪ C(QQ) • (s ∈ Σ∗X,? ∧ s1 = s ∧X1 ⊆ ΣΩ)∨

(s = t 〈!〉 ∧ (s2, X2) ∈ F c ∧ s1 = t s2 ∧X1 = X2)=(〈〉, X) | (〈〉, X ∪ !) ∈ FS(PP f ) ∩ FS(QQf ) ∪ (a1)

(s,X) | (s,X ∪ !) ∈ FS(PP f ) ∪ FS(QQf ) ∧ s 6= 〈〉 ∪ (a2)

(〈〉, X) | (X ∪ !) ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS(PP f ) ∪ TS(QQf ) ∧ ω ∈ Ω ∪ (a3)

(s1, X1) | ∃(s, T c, F c) ∈ C(PP ) ∪ C(QQ) • (s ∈ Σ∗X,? ∧ s1 = s ∧X1 ⊆ ΣΩ)∨

(s = t 〈!〉 ∧ (s2, X2) ∈ F c ∧ s1 = t s2 ∧X1 = X2) (a4)

FS([PP ][QQ])

=(〈〉, X) | (〈〉, X) ∈ FS([PP ]) ∩ FS([QQ]) ∪ (b1)

(s,X) | (s,X) ∈ FS([PP ]) ∪ FS([QQ]) ∧ s 6= 〈〉 ∪ (b2)

(〈〉, X) | X ⊆ ΣΩ \ ω ∧ 〈ω〉 ∈ TS([PP ]) ∪ TS([QQ]) ∧ ω ∈ Ω (b3)

For any element (〈〉, X) in the set a1, from the semantics of transaction block, we can get that(〈〉, X) also belongs to the set b1. For any element (s,X) in the set a2, we can also get that (s,X)

belongs to the set b2 from the semantic definition of transaction block. For any element (〈〉, X)

in the set a3, we can get that (〈〉, X) belongs to b3. For any element (s1, X1) in the set a4, if s1

is not equal to 〈〉, then (s1, X1) belongs to the set b2; if s1 is equal to 〈〉, then (s1, X1) belongs tothe set b1 ∪ b3. In the result, we can get a1 ∪ a2 ∪ a3 ∪ a4 ⊆ b1 ∪ b2 ∪ b3.

On the other hand, we need to prove b1 ∪ b2 ∪ b3 ⊆ a1 ∪ a2 ∪ a3 ∪ a4. For any element (〈〉, X) inthe set b1, from the semantics of transaction block, we can get that (〈〉, X) belongs to a1 ∪ a4.For any element (s,X) in the set b2, we can get (s,X) ∈ a2 ∪ a4 from the semantics of transactionblock. Finally, for any element (〈〉, X) in the set b3, we can also get (〈〉, X) ∈ a3 ∪ a4.

In the result, we get a1 ∪ a2 ∪ a3 ∪ a4 = b1 ∪ b2 ∪ b3, based on which the equivalence FS([PPQQ])

= FS([PP ][QQ]) is proved.



(5) The law can be proved by using the associativity of the external choice of standard pro-cesses (c.f. Theorem 3) and the associativity of set union.

(6) The law can be proved by using the distributivity of the external choice over internal choiceof standard processes (c.f. Theorem 3) and the face that S ∪ (S1 ∪ S2) = (S ∪ S1) ∪ (S ∪ S2) whereS, S1 and S2 are sets.

Notice that external choice distributes over internal choice. From the laws for internal andexternal choices, we can see that a transaction block process of a choice between compens-able processes equals to a choice between the transaction block processes of the compensableprocesses.

3.2.6 Parallel composition

In a generalized parallel composition PP ‖X

QQ, the forward behaviors of PP and QQ synchronize

on X, so do their compensation behaviors:

T c(PP ‖X

QQ) = TS(PP f ‖X

QQf ) Fc(PP ‖X

QQ) = FS(PP f ‖X

QQf )

C(PP ‖X

QQ) = (s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, QQc) ∈ C(QQ)•

s ∈ (s1 ‖X

s2) ∧ T c = TS(PP c ‖X

QQc) ∧ F c = FS(PP c ‖X

QQc)

Here are two examples. First, [(A÷B1 ‖ A÷B2A

) ; THROWW] = A ; (B1 ‖ B2) shows the syn-

chronization between the forward behaviors, and then A1 ÷B1 ‖ A2 ÷B2A1,A2

= STOPP demonstrates

the case of a deadlock in the forward behavior. The following laws for parallel composition hold.

Theorem 24(1) PP ‖

X

QQ = QQ ‖X

PP

(2) PP ‖X

(QQ ‖X

RR) = (PP ‖X

QQ) ‖X

RR

(3) PP ‖X

(QQ uRR) = (PP ‖X

QQ) u (PP ‖X

RR)

Proof.(1) The law can be proved by using the law P ‖

X

Q = Q ‖X

P .

(2) The law can be proved by using the law P ‖X

(Q ‖X

R) = (P ‖X

Q) ‖X

R.



(3)

T c(PP ‖X

(QQ uRR))

=TS(PP f ‖X

(QQf uRRf ))

=TS((PP f ‖X

QQf ) u (PP f ‖X

RRf ))

=T c((PP ‖X

QQ) u (PP ‖X

RR))


C(PP ‖X

(QQ uRR))

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(QQ uRR)•s ∈ (s1 ‖

X


SSc) ∧ F c = FS(PP c ‖X

SSc)

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(QQ)•s ∈ (s1 ‖

X



SSc)∪

(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ), (s2, SSc) ∈ C(RR)•s ∈ (s1 ‖

X



SSc)

=C(PP ‖X

QQ) ∪ C(PP ‖X

RR)

=C((PP ‖X

QQ) u (PP ‖X

RR))

Theorem 25(1) INTERRUPTT ‖

X

THROWW = THROWW

(2) SKIPP ‖X

THROWW = THROWW

(3) SKIPP ‖X

INTERRUPTT = INTERRUPTT

(4) YIELDD ‖X

THROWW = THROWW

(5) YIELDD ‖X

SKIPP = YIELDD

Proof.(1) The law can be proved by using INTERRUPT ‖

X

THROW = THROW and SKIP ‖X

SKIP = SKIP.

(2) The law can be proved by using SKIP ‖X

THROW = THROW and SKIP ‖X

SKIP = SKIP.

(3) The law can be proved by using SKIP ‖X

INTERRUPT = INTERRUPT and SKIP ‖X

SKIP = SKIP.



(4) YIELDD ‖X

THROWW = (SKIPP ‖X

THROWW) u (INTERRUPTT ‖X

THROWW) = THROWW

(4) YIELDD ‖X

SKIPP = (SKIPP ‖X

SKIPP) u (INTERRUPTT ‖X

SKIPP) = SKIPP u INTERRUPTT

= YIELDD

Theorem 26 (P ÷ SKIP) ‖X

(Q÷ SKIP) = (P ‖X

Q)÷ SKIP

Proof. This law can be proved by directly using the definition of parallel composition and thelaw SKIP ‖

X

SKIP = SKIP.

Theorem 27 If all the standard processes will terminate successfully, then(1) (P1 ÷Q1) ‖

X

(P2 ÷Q2) = (P1 ‖X

P2)÷ (Q1 ‖X

Q2)

(2) [(P ÷Q) ‖ THROWW] = P ; Q

(3) [(P ÷Q ; INTERRUPTT) ‖ THROWW] = P ; Q

Proof.(1)

T c((P1 ÷Q1) ‖X

(P2 ÷Q2)) = TS(P1 ‖X

P2) = T c((P1 ‖X

P2)÷ (Q1 ‖X

Q2))

Fc((P1 ÷Q1) ‖X

(P2 ÷Q2)) = FS(P1 ‖X

P2) = Fc((P1 ‖X

P2)÷ (Q1 ‖X

Q2))

C((P1 ÷Q1) ‖X

(P2 ÷Q2))

=(s, T c, F c) | ∃(s1, PP c) ∈ C(P1 ÷Q1), (s2, QQc) ∈ C(P2 ÷Q2)•s ∈ (s1 ‖

X


QQc) ∧ F c = FS(PP c ‖X

QQc)

=(s, T c, F c) | ∃s1 ∈ TS(P1) ∩ Σ∗Ω, (s2, QQc) ∈ TS(P2) ∩ Σ∗Ω•s ∈ (s1 ‖

X

s2) ∧ T c = TS(Q1 ‖X

Q2) ∧ F c = FS(Q1 ‖X

Q2)

=(s, T c, F c) | ∃s ∈ TS(P1 ‖X

P2) ∩ Σ∗Ω • T c = TS(Q1 ‖X

Q2) ∧ F c = FS(Q1 ‖X

Q2)

=C((P1 ‖X

P2)÷ (Q1 ‖X

Q2))

(2) Because we assume that all the standard processes will terminate successfully, we can getP ‖ THROW = P ; THROW and Q ‖ SKIP = Q. So we can prove the equivalence between the



trace sets as follows.

TS([(P ÷Q) ‖ THROWW])

=(T c((P ÷Q) ‖ THROWW) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C((P ÷Q) ‖ THROWW) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(TS(P ‖ THROW) \ Σ∗!)∪

s1 | ∃s ∈ TS(P ‖ THROW), s2 ∈ TS(Q ‖ SKIP) • s = t 〈!〉 ∧ s1 = t s2=(TS(P ; THROW) \ Σ∗!)∪

s1 | ∃s ∈ TS(P ; THROW), s2 ∈ TS(Q) • s = t 〈!〉 ∧ s1 = t s2=s | s ∈ TS(P ) ∩ Σ∗!,?∪t s2 | t 〈X〉 ∈ TS(P ) ∧ s2 ∈ TS(Q)

=TS(P ; Q)


(3) Because we assume that all the standard processes will terminate successfully, we can get(P ; INTERRUPT) ‖ THROW = P ; THROW and Q ‖ SKIP = Q. The prove of the equivalencesbetween the semantics models is similar to that of (2).

Furthermore, parallel composition and sequential composition are related by the following laws,where all the standard processes are assumed to terminate successfully.

Theorem 28 If all the standard processes will terminate successfully, then the following lawshold.

(1) [(P1 ÷Q1 ‖X

P2 ÷Q2) ; THROWW] = (P1 ‖X

P2) ; (Q1 ‖X

Q2)

(2) [(P1 ÷Q1 ; P2 ÷Q2) ‖ THROWW] = P1 ; P2 ; Q2 ; Q1

(3) [(P1 ÷Q1 ; YIELDD ; P2 ÷Q2) ‖ THROWW] = (P1 ; Q1) u (P1 ; P2 ; Q2 ; Q1)

(4) [(YIELDD ; P1 ÷Q1 ; YIELDD ; P2 ÷Q2) ‖ THROWW] =

SKIP u (P1 ; Q1) u (P1 ; P2 ; Q2 ; Q1)

(5) [P1 ÷Q1 ‖ P2 ÷Q2 ‖ THROWW] = (P1 ‖ P2) ; (Q1 ‖ Q2)

(6) [(YIELDD ; P1 ÷Q1) ‖ (YIELDD ; P2 ÷Q2) ‖ THROWW] =

SKIP u (P1 ; Q1) u (P2 ; Q2) u ((P1 ‖ P2) ; (Q1 ‖ Q2))

Proof.(1)

[(P1 ÷Q1 ‖X

P2 ÷Q2) ; THROWW]

=[((P1 ‖X

P2)÷ (Q1 ‖X

Q2)) ; THROWW]

=(P1 ‖X

P2) ; (Q1 ‖X

Q2)



(2) Because all the standard processes are assumed to terminate successfully, we have[P1 ÷Q1 ; P2 ÷Q2] = [(P1 ; P2)÷ (Q2 ; Q1)]. So we can prove the law as follows.

[(P1 ÷Q1 ; P2 ÷Q2) ‖ THROWW]

=[(P1 ; P2)÷ (Q2 ; Q1) ‖ THROWW]

=P1 ; P2 ; Q2 ; Q1

(3)

[(P1 ÷Q1 ; YIELDD ; P2 ÷Q2) ‖ THROWW]

=[(P1 ÷Q1 ; (SKIPP u INTERRUPTT) ; P2 ÷Q2) ‖ THROWW]

=[((P1 ÷Q1 ; P2 ÷Q2) ‖ THROWW)u((P1 ÷Q1 ; INTERRUPTT ; P2 ÷Q2) ‖ THROWW)]

=[(P1 ÷Q1 ; P2 ÷Q2) ‖ THROWW]u[(P1 ÷Q1 ; INTERRUPTT) ‖ THROWW]

=(P1 ; Q1) u (P1 ; P2 ; Q2 ; Q1)

(4)

[(YIELDD ; P1 ÷Q1 ; YIELDD ; P2 ÷Q2) ‖ THROWW]

=[(SKIPP ; P1 ÷Q1 ; SKIP ; P2 ÷Q2) ‖ THROWW]u[(SKIPP ; P1 ÷Q1 ; INTERRUPTT ; P2 ÷Q2) ‖ THROWW]u[(INTERRUPTT ; P1 ÷Q1 ; YIELDD ; P2 ÷Q2) ‖ THROWW]u

=[(P1 ÷Q1 ; P2 ÷Q2) ‖ THROWW]u[(P1 ÷Q1 ; INTERRUPTT) ‖ THROWW]u[INTERRUPTT ‖ THROWW]

=SKIP u (P1 ; Q1) u (P1 ; P2 ; Q2 ; Q1)

(5)

[P1 ÷Q1 ‖ P2 ÷Q2 ‖ THROWW]

=[((P1 ‖ P2)÷ (Q1 ‖ Q2)) ‖ THROWW]

=(P1 ‖ P2) ; (Q1 ‖ Q2)

(6)

[(YIELDD ; P1 ÷Q1) ‖ (YIELDD ; P2 ÷Q2) ‖ THROWW]

=[P1 ÷Q1 ‖ P2 ÷Q2 ‖ THROWW]u[INTERRUPTT ‖ P2 ÷Q2 ‖ THROWW]u[P1 ÷Q1 ‖ INTERRUPTT ‖ THROWW]u[SKIPP ‖ SKIPP ‖ THROWW]

=SKIP u (P1 ; Q1) u (P2 ; Q2) u ((P1 ‖ P2) ; (Q1 ‖ Q2))



The 3rd and 4th laws say that a compensable process in a parallel composition can be inter-rupted by YIELDD, meaning that the process yields to an interrupt from the environment. Acompensable process will not be interrupted if no YIELDD is used (the 2nd and 5th laws). Thisis one of the differences from the original cCSP, where a compensable process can implicitly yieldto an interrupt from the environment (cf. Section 2.2). We believe that it is more reasonable tolet the designer to specify where a compensable process can yield to an interruption from theenvironment.

Theorem 29 Given two compensable processes PP and QQ, if A,B /∈ X, fe(QQf ) ⊆ X, and forany PP c and QQc in PP and QQ, PP c and QQc will both terminate successfully, le(PP c) ⊆ X,le(QQc) ⊆ X, and PP c ‖

X

QQc will also terminate successfully, then the following law holds:

(A÷B ; PP ) ‖X

QQ = A÷B ; (PP ‖X

QQ).

Proof. We can use (A ; P ) ‖X

Q = A ; (P ‖X

Q) to prove the law.

T c((A÷B ; PP ) ‖X

QQ) =TS((A ; PP f ) ‖X

QQf )

=TS(A ; (PP f ‖X

QQf ))

=T c(A÷B ; (PP ‖X

QQ))

The equivalence between the forward failure sets can be proved similarly. The equivalencebetween the compensation behavior sets can be proved by using (A ; P ) ‖

X

Q = A ; (P ‖X

Q) and

(P ; B) ‖X

Q = (P ‖X

Q) ; B.

3.2.7 Hiding and renaming

Hiding and renaming are defined by the standard hiding and renaming on the forward behaviorand the compensation behavior.

T c(PP \X) = TS(PP f \X) Fc(PP \X) = FS(PP f \X)

C(PP \X) = (s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s = s1 \X ∧ T c = TS(PP c \X)∧F c = FS(PP c \X)

The renaming semantics is as follows.

T c(PP JRK) = TS(PP f JRK) Fc(PP JRK) = FS(PP f JRK)C(PP JRK) = (s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s1 R s ∧ T c = TS(PP cJRK)∧

F c = FS(PP cJRK)



Theorem 30(1) [PP \X] = [PP ] \X(2) [PP JRK] = [PP ]JRK(3) (P ÷Q) \X = (P \X)÷ (Q \X)

(4) (P ÷Q)JRK = (P JRK)÷ (QJRK)(5) (PP ; QQ) \X = (PP \X) ; (QQ \X)

(6) (PP ‖ QQ) \X = (PP \X) ‖ (QQ \X)

Proof.(1)

TS([PP \X])

=(T c(PP \X) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP \X) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(s \X | s ∈ T c(PP ) \ Σ∗!)∪

s1 \X | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=s \X | s ∈ (T c(PP ) \ Σ∗!)∪

s \X | s ∈ s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=s \X | s ∈ (T c(PP ) \ Σ∗!)∪

s1 \X | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=TS([PP ] \X)


(2)

TS([PP JRK])=(T c(PP JRK) \ Σ∗!)∪

s1 | ∃(s, T c, Dc) ∈ C(PP JRK) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=(s′ | ∃s • s R s′ ∧ s ∈ T c(PP ) \ Σ∗!)∪

s′ | ∃s • s R s′ ∧ s ∈ s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=s′ | ∃s • s R s′ ∧ s ∈ (T c(PP ) \ Σ∗!)∪

s′ | ∃s • s R s′ ∧ s ∈ s1 | ∃(s, T c, Dc) ∈ C(PP ) • s = t 〈!〉 ∧ s2 ∈ T c ∧ s1 = t s2=TS([PP ]JRK)


(3)

T c((P ÷Q) \X) = TS(P \X) = T c((P \X)÷ (Q \X))

Fc((P ÷Q) \X) = FS(P \X) = Fc((P \X)÷ (Q \X))



Next, we prove the equivalence between the compensation sets.

C((P ÷Q) \X)

=(s, T c, F c) | ∃(s1, PP c) ∈ C(P ÷Q) • s = s1 \X ∧ T c = TS(PP c \X) ∧ F c = FS(PP c \X)=(s \X,T c, F c) | ∃s ∈ TS(P ) ∩ Σ∗Ω • (s = t 〈X〉 ∧ T c = TS(Q \X) ∧ F c = FS(Q \X))∨

(s ∈ Σ∗!,? ∧ Tc = TS(SKIP) ∧ F c = FS(SKIP))

=(s, T c, F c) | ∃s ∈ TS(P \X) ∩ Σ∗Ω • (s = t 〈X〉 ∧ T c = TS(Q \X) ∧ F c = FS(Q \X))∨(s ∈ Σ∗!,? ∧ T


=C((P \X)÷ (Q \X))

(4) The prove is similar to that of (3).

(5) The law can be proved by using the law (P ; Q) \X = (P \X) ; (Q \X).

(6) The law can be proved by using the law (P ‖ Q) \X = (P \X) ‖ (Q \X).

In addition, hiding and renaming satisfy the following laws. In particular, both are distributiveamong internal choice, but the hiding operator is not distributive among external choice, e.g.((A ; A1)÷B(A ; A2)÷B) \ A is equal to the process A1 ÷B uA2 ÷B.

Theorem 31(1) (PP \X) \ Y = (PP \ Y ) \X (5) (PP uQQ)JRK = PP JRK uQQJRK(2) (PP \X) \ Y = PP \ (X ∪ Y ) (6) (PPQQ)JRK = PP JRKQQJRK(3) (PP uQQ) \X = (PP \X) u (QQ \X) (7) (PP JRK)JR′K = PP JR R′K(4) PP \ = PP

Proof.(1) The equivalence between forward trace sets can be proved by using the law (P \X) \ Y= (P \ Y ) \X, so does the equivalence between the forward failure sets. Next, we prove the



equivalence between the compensation behavior sets.

C((PP \X) \ Y )

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP \X) • s = s1 \ Y ∧ T c = TS(PP c \ Y ) ∧ F c = FS(PP c \ Y )=(s, T c, F c) | ∃(s1, PP c) ∈ (s, T c, F c) | ∃(s1, PP c) ∈ C(PP )•

s = s1 \X ∧ T c = TS(PP c \X) ∧ F c = FS(PP c \X)•s = s1 \ Y ∧ T c = TS(PP c \ Y ) ∧ F c = FS(PP c \ Y )

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s = (s1 \X) \ Y ∧T c = TS((PP c \X) \ Y ) ∧ F c = FS((PP c \X) \ Y )

=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s = (s1 \ Y ) \X∧T c = TS((PP c \ Y ) \X) ∧ F c = FS((PP c \ Y ) \X)

=(s, T c, F c) | ∃(s1, PP c) ∈ (s, T c, F c) | ∃(s1, PP c) ∈ C(PP )•s = s1 \ Y ∧ T c = TS(PP c \ Y ) ∧ F c = FS(PP c \ Y )•

s = s1 \X ∧ T c = TS(PP c \X) ∧ F c = FS(PP c \X) = C((PP \ Y ) \X)

(2) The prove is similar to that of (1) except using the laws (s \X) \ Y = s \ (X ∪ Y ) and(P \X) \ Y = P \ (X ∪ Y ).

(3) The prove of the equivalence between the forward trace sets can be done by using thelaw (P uQ) \X = (P \X) u (Q \X), so does the equivalence between the forward failure sets.We prove the equivalence between the compensation behavior sets as follows.

C((PP uQQ) \X)

=(s, T c, F c) | ∃(s1, SSc) ∈ C(PP uQQ) • s = s1 \X ∧ T c = TS(SSc \X) ∧ F c = FS(SSc \X)=(s, T c, F c) | ∃(s1, SSc) ∈ C(PP ) • s = s1 \X ∧ T c = TS(SSc \X) ∧ F c = FS(SSc \X)∪(s, T c, F c) | ∃(s1, SSc) ∈ C(QQ) • s = s1 \X ∧ T c = TS(SSc \X) ∧ F c = FS(SSc \X)

=C(PP \X) ∪ C(QQ \X)

=C((PP \X) u (QQ \X))

(4) The prove is similar to that of (1) except using the laws s \ = s and P \ = P .

(5) The prove of the equivalence between the forward trace sets can be done by using thelaw (P uQ)JRK = (P JRK) u (QJRK), so does the equivalence between the forward failure sets. Weprove the equivalence between the compensation behavior sets as follows.

C((PP uQQ)JRK)=(s, T c, F c) | ∃(s1, SSc) ∈ C(PP uQQ) • s1 R s ∧ T c = TS(SScJRK) ∧ F c = FS(SScJRK)=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s1 R s ∧ T c = TS(PP cJRK) ∧ F c = FS(PP cJRK)∪(s, T c, F c) | ∃(s1, QQc) ∈ C(QQ) • s1 R s ∧ T c = TS(QQcJRK) ∧ F c = FS(QQcJRK)

=C(PP JRK) ∪ C(QQJRK)=C((PP JRK) u (QQJRK))


Case study 49

(6) The prove of the equivalence between the forward trace sets can be done by using the law(PQ)JRK = (P JRK)(QJRK), so does the equivalence between the forward failure sets. We provethe equivalence between the compensation behavior sets as follows.

C((PPQQ)JRK)=(s, T c, F c) | ∃(s1, SSc) ∈ C(PPQQ) • s1 R s ∧ T c = TS(SScJRK) ∧ F c = FS(SScJRK)=(s, T c, F c) | ∃(s1, PP c) ∈ C(PP ) • s1 R s ∧ T c = TS(PP cJRK) ∧ F c = FS(PP cJRK)∪(s, T c, F c) | ∃(s1, QQc) ∈ C(QQ) • s1 R s ∧ T c = TS(QQcJRK) ∧ F c = FS(QQcJRK)

=C(PP JRK) ∪ C(QQJRK)=C((PP JRK)(QQJRK))

(7) The prove of the equivalence between the forward trace sets can be done by using the law(P JRK)JR′K = P JR R′K, so does the equivalence between the forward failure sets. We prove theequivalence between the compensation behavior sets as follows.

C((PP JRK)JR′K)=(s, T c, F c) | ∃(s1, SSc) ∈ C(PP JRK) • s1 R

′ s ∧ T c = TS(SScJR′K) ∧ F c = FS(SScJR′K)=(s, T c, F c) | ∃(s1, SSc) ∈ (s, T c, F c) | ∃(s1, SSc) ∈ C(PP ) • s1 R s∧

T c = TS(SScJRK) ∧ F c = FS(SScJRK)•s1 R

′ s ∧ T c = TS(SScJR′K) ∧ F c = FS(SScJR′K)=(s, T c, F c) | ∃(s1, SSc) ∈ C(PP ) • s1 R R′ s ∧ T c = TS(SScJR R′K) ∧ F c = FS(SScJR R′K)=C(PP JR R′K)

4 Case study

This section will give a case study to demonstrate the extended cCSP. It is a business processof an online shop. The system is composed by four parties: a shop, a supplier, a shipperand a bank. The business behavior of each party is compensable, and will be specified by acompensable process.

After receiving a client request (ReceiveRequest), the shop contacts its supplier to ask(SupplierRequest) whether there exist enough goods. If the storage is not enough (NotEnough),the whole process will result in an exception. Otherwise, the shop will make an order (Order) ofthe goods. The shop then contacts the bank for authorizing the credit card of client (CreditCheck).If the credit card is valid, the shop processes payment for the client (Payment) and informs thesupplier (NotifySupplier) that the payment is made. For the sake of efficiency, after receivingthe notification, the supplier contacts the bank for checking the payment (PaymentCheck) andrequests the shipper to ship the goods (ShipRequest) to client concurrently. If the credit cardauthorization or payment checking fails (NotValid, NotPValid), the whole process will result


Case study 50

in an exception. After receiving the shipping request, the shipper schedules a shipping plan(Schedule), delivers the goods (Deliver) to the client of the shop, and notifies the supplier(ShipResult) about the shipping result. The alphabet Σ of the system is given as follows.

Σ = ReceiveRequest, ApologyMail, SupplierRequest, Enough, NotEnough,

Order, UndoOrder, CreditCheck, Valid, NotValid, Payment, Refund,

NotifySupplier, PaymentCheck, PValid, NotPValid, ShipRequest,

NotifyShopShip, ShipResult, Schedule, Deliver, ShipBack

The processes Shop, Supplier, Shipper and Bank are specified as follows.

Shop = ReceiveRequest÷ ApologyMail ;

(SupplierRequest ; (Enough (NotEnough ; THROW)))÷ SKIP ;

Order÷ UndoOrder ; (CreditCheck ; (Valid (NotValid ; THROW)))÷ SKIP ;

Payment÷ Refund ; NotifySupplier÷ SKIP ; NotifyShopShip÷ SKIP

Supplier = (SupplierRequest ; (Enough u (NotEnough ; THROW)))÷ SKIP ;

Order÷ UndoOrder ; NotifySupplier÷ SKIP ;

((PaymentCheck ; (PValid (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP)) ; ShipResult÷ SKIP

Shipper = ShipRequest÷ SKIP ; YIELDD ; Schedule÷ SKIP ;

YIELDD ; Deliver÷ ShipBack ; ShipResult÷ SKIP

Bank = ((CreditCheck ; (Valid u (NotValid; THROW)))÷ SKIP ; Payment÷ Refund) ‖(PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP

DetailGlobalProcess = [ Shop ‖X

Supplier ‖X

Shipper ‖X

Bank ]

X = SupplierRequest, Enough, NotEnough, Order, UndoOrder, CreditCheck, Valid,

NotValid, Payment, Refund, NotifySupplier, PaymentCheck, PValid,

NotPValid, ShipRequest, NotifyShopShip, ShipResult

The global process (DetailGlobalProcess) is a transaction block of the synchronized parallelcomposition of the four compensable processes. For convenience, we directly use a total set X todenote all the events that the four compensable processes should synchronize. Actually, for anevent e in X, we do not require all the four process should synchronize on e. If one process needsto synchronize on e, there must be another process in the four process that can execute e. If thecompensable parallel process in the global process results in an exception, a recovery should betaken, e.g. the credit card will be refunded and the shipper will ship back the delivered goods.


Case study 51

By using the law in Theorem 9, we can get the following result.

(SupplierRequest ; (Enough (NotEnough ; THROW))) ‖X

(SupplierRequest ; (Enough u (NotEnough ; THROW)))

=(SupplierRequest ; (Enough (NotEnough ; THROW)) ‖X

(Enough u (NotEnough ; THROW)))

=(SupplierRequest ; (Enough u (NotEnough ; THROW)))

Similarly, we can get the following result from the semantics of parallel composition.

(PaymentCheck ; (PValid (NotPValid ; THROW))) ‖PaymentCheck,PValid,NotPValid

(PaymentCheck ; (PValid u (NotPValid ; THROW)))

=(PaymentCheck ; (PValid u (NotPValid ; THROW)))

Based on it, we can get the following result by using the Theorem 12 and the Theorem 26.

((PaymentCheck ; (PValid (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP)) ‖

PaymentCheck,PValid,NotPValid

(PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP

=((PaymentCheck ; (PValid (NotPValid ; THROW))) ‖(ShipRequest ; NotifyShopShip))÷ SKIP ‖

PaymentCheck,PValid,NotPValid

(PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP

=((PaymentCheck ; (PValid u (NotPValid ; THROW))) ‖(ShipRequest ; NotifyShopShip))÷ SKIP

=((PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP))

Similarly, we can have the following result.

( Order÷ UndoOrder ;

NotifySupplier÷ SKIP ; ((PaymentCheck ; (PValid (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP)) ; ShipResult÷ SKIP )

‖PaymentCheck,PValid,NotPValid

( ((CreditCheck ; (Valid u (NotValid; THROW)))÷ SKIP ; Payment÷ Refund) ‖(PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP )

=( Order÷ UndoOrder ;

NotifySupplier÷ SKIP ; ( (PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP)) ; ShipResult÷ SKIP ) ‖

((CreditCheck ; (Valid u (NotValid; THROW)))÷ SKIP ; Payment÷ Refund)


Case study 52

This process synchronize with the process Shipper on the set ShipRequest, ShipResult. Wecan get the following process.

( Order÷ UndoOrder ;

NotifySupplier÷ SKIP ; ( (PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; (NotifyShopShip÷ SKIP) ‖

(YIELDD ; Schedule÷ SKIP ; YIELDD ; Deliver÷ ShipBack))) ;

ShipResult÷ SKIP) ‖((CreditCheck ; (Valid u (NotValid; THROW)))÷ SKIP ; Payment÷ Refund)

This process synchronize with the following process on the event setCreditCheck, Valid, NotValid, Payment, Refund, NotifyShopShip, NotifySupplier.


Payment÷ Refund ; NotifySupplier÷ SKIP ; NotifyShopShip÷ SKIP

We can get the following process.

(Order÷ UndoOrder ;

(CreditCheck ; (Valid u (NotValid ; THROW)))÷ SKIP ; Payment÷ Refund ;

( NotifySupplier÷ SKIP ; ( (PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; (NotifyShopShip÷ SKIP) ‖

(YIELDD ; Schedule÷ SKIP ; YIELDD ; Deliver÷ ShipBack)) ) ;

ShipResult÷ SKIP)

Based on it, we can reduce the process Shop ‖X

Supplier ‖X

Shipper ‖X

Bank as follows, in which

the Theorem 29 is used.


Case study 53

( ReceiveRequest÷ ApologyMail ;

(SupplierRequest ; (Enough (NotEnough ; THROW)))÷ SKIP ;


Payment÷ Refund ; NotifySupplier÷ SKIP ; NotifyShopShip÷ SKIP )

‖X

( (SupplierRequest ; (Enough u (NotEnough ; THROW)))÷ SKIP ;

Order÷ UndoOrder ; NotifySupplier÷ SKIP ;

((PaymentCheck ; (PValid (NotPValid ; THROW)))÷ SKIP ‖(ShipRequest÷ SKIP ; NotifyShopShip÷ SKIP)) ; ShipResult÷ SKIP )

‖X

ShipRequest÷ SKIP ; YIELDD ; Schedule÷ SKIP ;

YIELDD ; Deliver÷ ShipBack ; ShipResult÷ SKIP

‖X

((CreditCheck ; (Valid u (NotValid; THROW)))÷ SKIP ; Payment÷ Refund) ‖(PaymentCheck ; (PValid u (NotPValid ; THROW)))÷ SKIP

=ReceiveRequest÷ ApologyMail ;

(SupplierRequest ; (Enough u (NotEnough ; THROW)))÷ SKIP ;

Order÷ UndoOrder ;

((CreditCheck ; (Valid u (NotValid ; THROW)))÷ SKIP ;

Payment÷ Refund) ;



ShipResult÷ SKIP)

Because there is no synchronization in the resulted process, it will not deadlock, so the globalprocess will not deadlock. If we add the event ReceiveRequest to the synchronization set X,a deadlock will happen at the beginning. The reason is: besides Shop, no other process canexecute the event ReceiveRequest at the beginning.

We can get a more abstract process (AbstractGlobalProcess) by hiding some synchronizedevents.

AbstractGlobalProcess = DetailGlobalProcess \X1

X1 = (X ∪ Schedule) \ Payment, Refund, Order, UndoOrder


Case study 54

Based on the preceding resulted process and the laws, the abstract process can be reducedas follows, in which the laws in the Theorem 30 are used.

[Shop ‖X

Supplier ‖X

Shipper ‖X

Bank] \X1

=[(Shop ‖X

Supplier ‖X

Shipper ‖X

Bank) \X1]

=[( ReceiveRequest÷ ApologyMail ;

(SupplierRequest ; (Enough u (NotEnough ; THROW)))÷ SKIP ;

Order÷ UndoOrder ;

((CreditCheck ; (Valid u (NotValid ; THROW)))÷ SKIP ;

Payment÷ Refund) ;



ShipResult÷ SKIP) ) \X1]

=[ReceiveRequest÷ ApologyMail ;

(SKIP ; (SKIP u (SKIP ; THROW)))÷ SKIP ;

Order÷ UndoOrder ;

((SKIP ; (SKIP u (SKIP ; THROW)))÷ SKIP ;

Payment÷ Refund) ;

( SKIP÷ SKIP ; ( (SKIP ; (SKIP u (SKIP ; THROW)))÷ SKIP ‖(SKIP÷ SKIP ; (SKIP÷ SKIP) ‖

(YIELDD ; SKIP÷ SKIP ; YIELDD ; Deliver÷ ShipBack)) ) ;

SKIP÷ SKIP)]

=[ ReceiveRequest÷ ApologyMail ; SKIPP u THROWW ; Order÷ UndoOrder ;

SKIPP u THROWW ; Payment÷ Refund ;

(SKIPP u THROWW) ‖ (YIELDD ; Deliver÷ ShipBack) ]

The resulted process provides an abstract choreography view of the system. We can furthertransform the process as follows.


Conclusions and future work 55

[ ReceiveRequest÷ ApologyMail ; SKIPP u THROWW ; Order÷ UndoOrder ;

SKIPP u THROWW ; Payment÷ Refund ;

(SKIPP u THROWW) ‖ (YIELDD ; Deliver÷ ShipBack) ]

=[ (ReceiveRequest÷ ApologyMail ; THROWW)u(ReceiveRequest÷ ApologyMail ; Order÷ UndoOrder ; THROWW)u(ReceiveRequest÷ ApologyMail ; Order÷ UndoOrder ;

Payment÷ Refund ; THROWW)u(ReceiveRequest÷ ApologyMail ; Order÷ UndoOrder ;

Payment÷ Refund ; Deliver÷ ShipBack ; THROWW)u(ReceiveRequest÷ ApologyMail ; Order÷ UndoOrder ;

Payment÷ Refund ; YIELDD ; Deliver÷ ShipBack) ]

=(ReceiveRequest ; ApologyMail)u(ReceiveRequest ; Order ; UndoOrder ; ApologyMail)u(ReceiveRequest ; Order ; Payment ; Refund ; UndoOrder ; ApologyMail)u(ReceiveRequest ; Order ; Payment ; Deliver ;

ShipBack ; Refund ; UndoOrder ; ApologyMail)u(ReceiveRequest ; Order ; Payment ; YIELD ; Deliver)

According to the above resulted process, we can get the following results. If an exceptionoccurs, ApologyMail is the last event performed in the recovery. From the abstract process,we can see that there are four different cases of recovery: 1) if the storage is not enough, thenonly ApologyMail will be preformed; 2) if the credit card authorization fails, then the trace〈UndoOrder, ApologyMail〉 will be performed; 3) if the shipper yields to the exception fromthe supplier, and the goods delivery will be canceled, then 〈Refund, UndoOrder, ApologyMail〉will be performed; 4) if the payment checking fails after the goods delivery, then the executionsequence of the recovery is 〈ShipBack, Refund, UndoOrder, ApologyMail〉.

5 Conclusions and future work

LRT are important in SOC. It is important that LRT can be formally specified and verifiedwith tool support. The extension of CSP into cCSP is one of the useful attempts in thisdirection. However, cCSP does not provide the facilities for defining internal choice, hiding andsynchronization. This together with the only available trace semantics (and the operationalsemantics) severely limits the expressive power of the language that it does not specify andreason about non-determinism and dead-lock. In this paper, we have extended cCSP withinternal choice, hiding and synchronization in order to be able to specify behavior of LRT at


References 56

different levels of abstractions. Accordingly, we have provided a stable failures semantics for theextended notation for reasoning about non-determinism and deadlock.

Along with the semantic definitions of the operators, we present the important algebraic lawsof the operators. As a by-product of the investigation of the algebraic laws, we have discoveredsome laws which were claimed to hold but actually do not hold for the trace semantics of cCSP(cf. Section 2.2). In addition, we have proved those laws do hold for our stable failures semantics.

The separation of the forward behavior and compensation behavior in the semantic definition ofthe compensable processes allows us to understand and analysis the two kinds of computationsindividually. We can refine and reason about the two parts separately, but the price we arepaying is it makes the fixed point theory not clear when recursion is introduced.

From the perspective of theory, future work includes the study of recursion and divergence ofLRT, and thus to develop of a full theory of failure-divergence of LRT and their refinements.

References

[1] A. Alves, A. Arkin, S. Askary, B. Bloch, F. Curbera, Y. Goland, N. Kartha, Sterling,D. Konig, V. Mehta, S. Thatte, D. van der Rijn, P. Yendluri, and A. Yiu. Web servicesbusiness process execution language version 2.0. OASIS Committee Draft, May 2006.

[2] R. Bruni, M. J. Butler, C. Ferreira, C. A. R. Hoare, H. C. Melgratti, and U. Montanari.Comparing two approaches to compensable flow composition. In M. Abadi and L. de Alfaro,editors, CONCUR, volume 3653 of Lecture Notes in Computer Science, pages 383–397.Springer, 2005.

[3] R. Bruni, H. C. Melgratti, and U. Montanari. Theoretical foundations for compensations inflow composition languages. In J. Palsberg and M. Abadi, editors, POPL, pages 209–220.ACM, 2005.

[4] M. J. Butler and C. Ferreira. An operational semantics for StAC, a language for modellinglong-running business transactions. In R. D. Nicola, G. L. Ferrari, and G. Meredith, edi-tors, COORDINATION, volume 2949 of Lecture Notes in Computer Science, pages 87–104.Springer, 2004.

[5] M. J. Butler, C. Ferreira, and M. Y. Ng. Precise modelling of compensating businesstransactions and its application to BPEL. J. UCS, 11(5):712–743, 2005.

[6] M. J. Butler, C. A. R. Hoare, and C. Ferreira. A trace semantics for long-running transac-tions. In A. E. Abdallah, C. B. Jones, and J. W. Sanders, editors, 25 Years CommunicatingSequential Processes, volume 3525 of Lecture Notes in Computer Science, pages 133–150.Springer, 2004.


References 57

[7] M. J. Butler and S. Ripon. Executable semantics for compensating CSP. In M. Bravetti,L. Kloul, and G. Zavattaro, editors, EPEW/WS-FM, volume 3670 of Lecture Notes inComputer Science, pages 243–256. Springer, 2005.

[8] H. Garcia-Molina and K. Salem. SAGAS. In U. Dayal and I. L. Traiger, editors, SIGMODConference, pages 249–259. ACM Press, 1987.

[9] M. C. Little. Transactions and web services. Commun. ACM, 46(10):49–54, 2003.

[10] S. Ripon. Extending and Relating Semantic Models of Compensating CSP. PhD thesis,University of Southampton, 2008.

[11] S. Ripon and M. J. Butler. PVS embedding of cCSP semantic models and their relationship.Electr. Notes Theor. Comput. Sci., 250(2):103–118, 2009.

[12] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice Hall PTR, Upper SaddleRiver, NJ, USA, 1997.

[13] S. Thatte. XLANG web services for business process design, 2001.


An Extended cCSP with Stable Failures Semantics

Documents

Transcript of An Extended cCSP with Stable Failures Semantics