An interpretation of Erlang into value-passing Calculus

Huang, H.; Yang, F.

Published in:Journal of Networks

DOI:10.4304/jnw.8.7.1504-151

Published: 01/01/2013

Document VersionPublisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the author's version of the article upon submission and before peer-review. There can be important differencesbetween the submitted version and the official published version of record. People interested in the research are advised to contact theauthor for the final version of the publication, or visit the DOI to the publisher's website.• The final author version and the galley proof are versions of the publication after peer review.• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

Citation for published version (APA):Huang, H., & Yang, F. (2013). An interpretation of Erlang into value-passing Calculus. Journal of Networks, 8(7),1504-1513. DOI: 10.4304/jnw.8.7.1504-151

General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ?

Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.

Download date: 01. Jul. 2018

An Interpretation of Erlang into Value-passingCalculus

Hao Huang1 and Fei Yang11 Department of Computer Science

Shanghai Jiaotong UniversityMOE-MS Key Laboratory for Intelligent Computing and Intelligent Systems

Email: mengxi@sjtu.edu.cn

Abstract— In this paper we present a new process calculusVPCΣ and an interpretation for core Erlang. VPCΣ isat least as expressive as VPC and it is more effectivefor verification with some built-in functions. The well-established symbolic bisimulation in value-passing calculusis now helpful for solving the infinite-state space problemof data values in equivalence checking and verfication.Compared to the previous formalization work of modelingcore Erlang in π-calculus, the new interpretation has thefollowing main merits: some essential features for Erlangare implemented faithfully; and above all the soundness ofthe interpretation is proved with respect to late symbolicbisimulation.

Index Terms— verification, value-passing calculus, symbolicbisimulation

I. INTRODUCTION

The relation between process calculi and programminglanguages has been discussed extensively. Some impor-tant conceptions in programming language have beenexplained in π-calculus, such as: function [1], object [2],typed λ-calculus [3] etc. They all depend on the name ex-change ability of π-calculus [4] to characterize concurrentprogramming languages. However, it is difficult to usethe semantics and equivalence relations [5] in π-calculusto guide the implementation of call-by-value languages.One of the main reasons is that they pay little attention tothe infinite values, which are the actual data exchangedbetween processes [6].

The practical applications of process calculi are mainlyin the design (e.g. [7]) and verification (e.g. [8], [9])of concurrent programming languages. Semantics of pro-gramming languages into process calculi [8], [2] aremostly focused in π-calculus (not in CCS [10]). In ouropinion, the infinite values should be considered firstlyno matter for the design of a programming language orfor the formalization of a model-checking method. In π-calculus, the main approaches to handle infinite valuescontain the following:• Make use of a fixed name [8] or infinite names to

characterize natural numbers [3]. This is not practicaland cannot ensure the correctness.

This work is supported by National Natural Science Foundationof China (Grant Nos. 61202023,61033002), Science and Technol-ogy Commission of Shanghai Municipality (STCSM) (Grant No.11XD1402800) and the Doctoral Fund of Ministry of Education ofChina (20120073120031).

• All constant values are encoded as processes [11].e.g. the integer “10000” would be encoded asx. ... .x︸ ︷︷ ︸

10000 times

.z. Clearly this is inefficient and impractical.

• The language Pict adds some built-in types, such asboolean, character, string,integer, to the syntax ofπ-calculus [7]. It does not allow the communicationof channel constants except channel variables. Thesyntax of Pict is more like a combination of π-calculus and VPCΣ.

If we want to improve the state-of-the-art of programsverification by using extensions of the π-calculus withintegers, tuples and others, the existing equivalence re-lations in π-calculus cannot be used, like strong, weakbisimulation [10] and so on. An equivalence relation thatis a criteria to judge the correctness of formalization needsto be redefined. This equivalence relation may involvetype restrictions and infinite-state spaces problem [5] forverification. Comparatively, many proof tools are for basiccalculus with primitive actions and do not consider dataand types, for example the Concurrency Workbench [12]and the Mobility Workbench for π-calculus [13]. Howeverthe symbolic bisimulation [5] in value-passing calculuscan be utilized to handle the infinite-state spaces prob-lem in equivalence checking. And we need not considertypes because the exchange of channel names betweenprocesses is not allowed in values-passing calculus. Averification tool VPAM for value-passing processes basedon symbolic bisimulation has been presented in [14].

Erlang is a concurrent functional programming lan-guage with high performance and always used to imple-ment some complicated real-time concurrent systems, forexample communication switches or routers and mobilebase stations. The popular usage of Erlang in telecommu-nication systems requires the development of the verifi-cation and analysis for concurrent communication [15].To improve the Erlang formalization work in [8], [9]and handle the infinite-state spaces problem by symbolicbisimulation, we propose a VPCΣ as a variant of value-passing calculus in Section III. Some built-in functionsthat make VPCΣ more effective for practical verificationare added. In our paper the value-space of VPC presentedby Milner in [10] is N, the set of natural numbers. Therelation between Turing complete process calculi [16] is:

1504 JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013

© 2013 ACADEMY PUBLISHERdoi:10.4304/jnw.8.7.1504-1513

VPCΣ

⇓Interpretation of Core Erlang

⇓Operational semantics

⇓Soundness

Figure 1. Roadmap of this paper

• π-calculus: more abstract level calculus. But it isalways inefficient.

• VPC: less abstract and not readable calculus forprogrammers. But it may be efficient for verification.

• VPCΣ: trade-off between abstraction and readability,for example, a message in VPC may be coded by anatural number and this natural number is encodedas a lengthy term in π-calculus as above, however inVPCΣ, an explicit message can be transfered. Thedetail of VPCΣ is in Section 3.

Fig. 1 describes the outline of our work. Comparedwith the previous work [8], [9], our interpretation has thefollowing advantages:• Call-by-value is simulated effectively, which is im-

portant for efficiency;• The high-order and single assignment feature [17]

are supported;• The deterministic executions of case expressions are

specified in [18];• Some functions based on the built-in functions in

VPCΣ, such as SPF() for pattern matching expres-sions, make the formalization more effective thanthat in [8], [9];

• We prove the soundness of our interpretation bygiving the operational correspondence result betweenformalized operational semantics and our interpreta-tion under the late symbolic bisimulation.

The rest of the paper is organized as follows: SectionII states the syntax of Core Erlang. Section III presentsVPCΣ, including its semantics and expressiveness. Sec-tion IV gives the VPCΣ interpretation for Core Erlang.Section V formalizes the operational semantics of CoreErlang. Section VI proves the soundness of our interpre-tation. Section VII concludes our work.

II. SYNTAX OF CORE ERLANG

Core Erlang is an intermediate representation of Erlang.It has more regular structures and simpler semantics thanErlang. Core Erlang is designed to make program analysis[18] easier. The syntax of Core Erlang is given in Fig 2.The entities of of Core Erlang mainly include:

1. Modules: all functions must be in a module withsome attributes. A complex algorithm can be easily im-plemented for its modularity.

2. Expressions: variables, functions (name or ab-straction), literals, tuple and list are some basic ex-pressions in Core Erlang. In addition, let expressionsbinds variables to values; do expressions are for se-quencing executions; apply, call, primop expressions

are for functions calls, for example a call of function:call m : f1(const1,..., constn) can be evaluated onlywhen there is an export function f1 with arity n defined inmodule m; pattern matching are used for case branching;asynchronous communication between processes are byreceive expressions in concurrent environment; try ex-pressions are for error handling.

More detailed specifications can be found in [19], [18].module ::= module Atom [ fnamei1 , . . . ]

attributes [Atom1 = const1, . . . ]fname1 = fun1 . . . fnamen = funn end

fname ::= Atom / Integerconst ::= lit | [ const1 | const2 ] | { const1, . . . , constn }lit ::= Integer | Float | Atom | Char | String | [ ]fun ::= fun (var1, . . . , varn) −> exprsvar ::= V ariableNamevars ::= var | < var1, . . . , varn>

expr ::= var | fname | lit | fun| [ exprs1 | exprs2 ] | { exprs1, . . . , exprsn }| let vars = exprs1 in exprs2 | do exprs1 exprs2| letrec fname1 = fun1 . . . in exprs| apply exprs0(exprs1, . . . , exprsn)| primop Atom(exprs1,..., exprsn)| call exprsn1 : exprsn2 (exprs1,..., exprsn)| try exprs1 catch (var1, var2)−> exprs2| case exprs of clause1 . . . clausen end| receive clause1 . . . clausen after exprs1−> exprs2

exprs ::= expr | < expr1, . . . , exprn>

clause ::= pats when exprs1−> exprs2pats ::= pat | < pat1, . . . , patn>

pat ::= var | lit | [ pat1 | pat2 ] | { pat1, . . . , patn}| var = pat

Figure 2. Syntax of Core Erlang

III. THE VPCΣ CALCULUS

In π-calculus the content of a communication is onlya channel, while in VPC the content of a communicationcan never be a channel [10]. This feature has differentiatedthese two calculi fundamentally. The main motivation ofproposing VPCΣ as a variant of VPC is for practicalverification but not for a novel one.

A vocabulary Σ=(V,C,F,R,na) contains five disjointdenumerable subsets. V is the set of variables, rangedover by x,y, z . . .. C is the set of alphabet, numeral andsymbol constants, ranged over by a,b, c,1,2,3 . . .. F isthe set of functions, ranged over by F ,G,H . . .. R is theset of relations, ranged over by P,Q,R . . . and na: F ∪R→ N is the set of arity function for the elements of Fand R.

Σ-terms, ranged over by l,m, n, are constructed fromconstants, variables and functions. Some built-in functionsfor Σ-terms are as follows.• SYi(l) return the ith symbol of l;• C(l,m) returns the concatenation of l and m.

A string list is defined by dl1 p l2 . . . plne = C(. . . (C(C(d, l1), p)) . . .e) with the symbol-s “d , p , e”, a string tuple bl1, l2, . . . , lnc and set{l1, . . . , ln} are defined similarly;

• The function PJLi(l) or PJT i(l) returns the ithelement of a list or a tuple;

• CT (l,m) returns the number of m occurring in l;• Σ∗type = {l | IsType(l) = 1 and l ∈ Σ∗} is defined

by IsType(l) : Σ∗ → {0, 1}. RT (m, n) is a typebinding where m ∈ Σ∗ − Σ∗type and n ∈ Σ∗type.

JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013 1505

© 2013 ACADEMY PUBLISHER

N is a set of names ranged over by a, b, c. The set N ofco-names is {a | a ∈ N}. The union N ∪ N is rangedover by ζ, η. The set of all actions A = {a(x), a(l) |a ∈ N} ∪ {τ} is ranged over by λ, ι. A name cannotbe passed around and is not a Σ-term. x is a sequence ofdistinct variables x1 . . .xn and l is a sequence of Σ-termsl1 . . . lm. m,n are their length.VPCΣ-terms, ranged over by S, T . . . , are defined as

follows.

T ::= 0 |∑i∈I

[ϕi]a(x).Ti |∑i∈I

[ϕi]a(li).Ti | T |T ′ |

(c)T | [ϕ]T | D(x1, . . . ,xk)

where ϕ is a conditional expression and I is a finiteindexing set. The input α(x) binds variables x1 . . .xn

in T . Otherwise a variable is free in T . A VPCΣ-term isclosed if it does not contain any free variables. The set offree variables of T is denoted by free(T ). The abbrevi-ation of [ϕ]λ.0 is [ϕ]λ. A parametric definition is givenby the equation D(x1, . . . ,xk) = T . The x1, . . . ,xk areparameter variables. If neither x nor l occurs in T ofa(x).T and a(l).T , we take the abbreviation a.T and a.T .In this paper we require that free(T ) ⊆ {x1, . . . ,xk}.Conditional expressions, ranged over by ϕ,ψ, . . ., aredefined as follows.

ϕ ::= > | ⊥ | ¬ψ | m = n | m 6= n | ϕ ∧ ψ | ϕ ∨ ψwhere m = n and m 6= n stand for match and mismatchrespectively. > and ⊥ are respectively logical true andfalse. The relation < for natural numbers can be definedby a finite set of matches between numerals(m < n ⇔(0 = m) ∨ (1 = m) ∨ . . . ∨ (n− 1 = m)).

The symbolic semantics of VPCΣ is defined in Fig.3. The parallel operator is associative and commutative.The symmetric rules are omitted. The preconditions setBExp includes some conditional expressions ϕ,ψ, . . ..A symbolic action is a tuple (ϕ, λ) ranged over by λs, ιs,and the λ is executed if BExp ` ϕ. We do not takethe asynchronous version [6], for a complete axiomaticsystem with an additional asynchronous theory can beused for asynchronous VPCΣ similarly in [20]. The sub-bisimilarity v [16] is used to compare the expressivenessbetween process calculi.

Lemma 1: VPCΣ v VPC and VPC v VPCΣ ⇒VPCΣ ≡ VPC

Proof: The subbisimilarity v and similar proofcould be found in [16].

IV. A VPCΣ INTERPRETATION FOR CORE ERLANG

A challenge is that we cannot use the capability ofname passing in π-calculus to formalize Core Erlang.The choice operator

∑is excluded [7], [21] because its

implementation is unnecessary and expensive [22].A program called shell with prompt > is used for

evaluating expressions in Erlang. The interpretation de-notes this by [[> pce]] : Σ∗ → T . We will use someinfrastructure services that can actually be obtained bya process. S = {S1, S2, . . .} is the set of infrastructureservices. Each Si in S is a process that maintains some

Action Localization

∑i∈I [ϕi]λi.Ti

ϕi,λi−→ s Ti

i ∈ I Tϕ,λ−→s T

′

(c)Tϕ,λ−→s (c)T ′

c is not in λ

Composition

Sϕ,λ−→s S

′

S | T ϕ,λ−→s S′ | T

Sϕ,a(x)−→ s S

′ Tψ,a(l)−→ s T

′

S | T ϕ∧ψ,τ−→ s S′{l/x} | T ′

x, l have the same length

Condition Parametric definition: Given D(x1, . . . ,xk) = Tthen

Tϕ,λ−→s T

′

[ψ]Tψ∧ϕ,λ−→ s T

′ψ ⇔ >

T{l1/x1, . . . , lk/xk}ϕ,λ−→s T

′

D(l1, . . . , lk)ϕ,λ−→s T

′

Figure 3. symbolic LTS of VPCΣ

string lists `1, `2, . . . as above. The common elementaryoperations of the services in S are: querying, allocationand release. A service Si can have some other specificoperations. For example the computing services can do aset of basic arithmetic and shift operations for evaluation.The encoding uses following basic operations for list`=dl1 p l2 . . . p lne:

SEARCH(`, l) = jINSERT (`,m, i) = dl1 p l2 . . . p li−1 p m p li . . . p lne

ADD(`,m) = dl1 p l2 . . . p ln p meDEL(`, i) = dl1 p l2 . . . p li−1 p li+1 . . . p lne

where j is the first position which l occur in ` and 0 ≤i ≤ size(`) = CT (`, p) + 1.

The computing and storage services are denoted bySc(`c) and Ss(`s) respectively where `c = dlc1 p . . . plcme. Each lci is a triple bindex, addr, corrc. `s is similar.The index is the keyword for searching. We assume thatindexi 6= indexj where 1 ≤ i ≤ m, 1 ≤ j ≤ m, i 6= j inthe list. The addr is the position in the list. The corr arerelevant terms, for example assigned values and functionbodies.Ss(`s) = qus(x).( [¬ϕ1]dequs (x,′unallocated′).Ss(`s)

| [ϕ1]dequs (x, corrsi ).Ss(`s)) |

ins(x,y).( [¬ϕ1]deins (x,′unallocated′).Ss(`s)| [ϕ1]deins (x,′updated′).

Ss(ADD(DEL(`s, addrsi ), bx,yc))) |

res(x) . ([¬ϕ1]deres (x,′unallocated′).Ss(`s)| [ϕ1]deres (x,′released′).Ss(DEL(`s, addrsi ))) |

als(x).( [¬ϕ1 ∧ (size(`s) < MAX`s )]deals (x, size(`s) + 1).Ss(ADD(`s, bx, εc))

| [¬ϕ1∧¬(size(`s) < MAX`s )]deals (x,′overflow′).Ss(`s)

| [ϕ1]deals (x, addrsi ).Ss(`s))

Sc(`c) = quc(x). . . . |

rec(x). . . . |

alc(x).([x =′new′ ∧ size(`c) < MAX`c ](als(NEWPID·mb).deals (x1,y1).[x1 = NEWPID·mb∧ y1 6=′overflow′]

(dealc (NEWPID, size(`c) + 1).Ss(ADD(`c, bNEWPID,y1c))))

| [x =′new′ ∧ ¬(size(`s) < MAX`c )]dealc (′fail′,′overflow′).Sc(`c)) |

evc(xc).deevc (VALUE(xc)).Sc(`c)

where ϕ1 = ((x = indexs1) ∨ . . . ∨ (x = indexsn)).If ϕ1 ⇔ >, The corrsi is obtained by the first matchindexsi . The definition of Sc(`c) is similar to Ss(`s)in querying and release. The update operation is notpermitted since the fixed identifier of a proces would notchange during the execution. The NEWPID could have

1506 JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013

© 2013 ACADEMY PUBLISHER

some position information in distributed environments.The input xc for the evaluation of computing servicesshould be decidable without any function calls or appli-cations and the VALUE(xc) is the evaluation result ofxc. Based on the set of infrastructure services, additionalservices such as the definitions for modules and functions,the encoding is defined as follows:

SMi(pce) = [[> pce]] | Sc(`c) | Ss(`s) | SMi(pce)

An exported function declaration f = fun(var1, . . . , varn) −> es within module can be anadditional service. We let it range over Smod : f .

[[> mod : f = fun]]def= Smod:f =

als(mod : f).deals (x,y).[x = mod : f∧y 6=′overflow′].ins(x, es)

[[>module mod [fi1 , . . . ] attributes [ a1 = c1, . . . ]

f1 = fun1 . . .

]]def= S

mod=

(m, ef1, . . . , efk)(als(mod).deals (x,y).([x=mod∧y 6=′overflow′](ins(x, dba1, c1c p bf localj1

, esj1c p . . .e).deins (y1, z1).

[y1 = mod ∧ z1 =′updated′]m | m.Smod : fi1 .deins (y2, z2).

[y2 = mod : fi1 ∧ z2 =′updated′]ef1 | . . . | efk.evc(′ok′))))

A module declaration is a set of additional ser-vices defined by exported functions and local functions.We let it range over Smod = {Smod:fi1 , . . . , Smod:fik

, {att1, . . . , attm, fdlocalj1, . . . , fdlocaljl

}}. An element inthe list for a module records some attributes and localfunctions.

[[>lit]]def= evc(lit), [[>const]]

def= evc(const), [[>fun]]

def= evc(fun)

The evaluation would directly output itself through thelink deevc . An abstraction is a value and a normal form[23] in call-by-value lambda calculus.

[[> var]]def= qus(var).dequs (y1, z1).

([y1 = var∧PJT 2(z1) =′bound′]evc(PJT1(z1)) |

[y1 = var∧PJT 2(z1) 6=′bound′]evc(′illegal′) |[y1 = var ∧ z1 =′unallocated′](als(var).deals (y2, z2).

[y2 = var ∧ z2 6=′overflow′]evc(′illegal′)))

A term is bound if all free variables have been assignedto a closed value. Variables in Erlang have the property ofsingle assignment: an assignment to a variable can onlybe made once [17]. Destructive assignment may happenin the translation given by Thomas Noll [8].

[[> a/im]]def= qus(m : a/i).dequs (y1, z1).

([y1 = m : a/i∧z1 6=′unallocated′]evc(fun (var1, . . .)−>z1) |[y1 = m : a/i ∧ z1 =′unallocated′](qus(m).dequs (y2, z2).

([y2 = m∧ j 6= 0]evc(fun (var1, . . .)−>PJT 2(PJLj(z2))) |

[j = 0 ∨ z2 =′unallocated′]evc(′undefined′))))

where SUB(`, k) = dPJT k(PJL1(`)) p . . . p PJT k(PJLn(`))e

that is a sub list for the attributes and local functions and j =

SEARCH(SUB(z2, 1), a/i).

The higher-order property can be achieved throughevaluating a fname or fun to an abstraction. To simplifysome notations, an evaluation macro em(T, S) is asfollows.

em(T,S)=

0 if T is 0[ϕ]evc(l).S if T is [ϕ]evc(l).0[ϕ]λ if T is [ϕ]λ.0 and λ 6= evc(l)[ϕ]λ.em(T1,S) if T is [ϕ]λ.T1 and T1 is not 0em([ϕ1]T1,S) |em([ϕ2]T2,S) if T is [ϕ1]T1 | [ϕ2]T2

(c)em(T1,S) or [ϕ]em(T1,S) if T is (c)T1 or [ϕ]T1

D′(x) = em(T1, S)if T is D(x) = T1 andem(D(l), S) = D′ (l)

We mainly use S to record the evaluation result of T .

[[> [ es1| es2 ] ]]def=

em(em([[> es1 ]], deevc (x1).[[> es2 ]]), deevc (x2).evc([ x1 | x2 ]))[[> {es1, . . . , esn} ]]

def= (v1, . . . , vn)

(em([[>es1]], deevc(x1′).v1(x1

′))|. . .|em([[>esn]], deevc(xn′).vn(xn

′))

| v1(x1). . . . .vn(xn).evc({x1, . . . , xn}))

The evaluation of the list or the tuple can terminateonly if all elements are convergent.

[[> let vars = es1 in es2 ]]def= (v1, . . . , vn)

(als(var1).deals (y1, z1).[y1 = var1 ∧ z1 6=′overflow′ ∧ PJT 2(z1) 6=′bound′]

(em([[> e1]], deevc (x1′).ins(y1, bx1

′,′bound′c).deins (y2, z2).[y2 = var1 ∧ z2 =′updated′]v1(x1

′))) | . . . |

v1(x1)...vn(xn).[[> es2]])

where vars := < var1, . . . , varn> and es1 := < e1, . . . , en>.

[[> do es1 es2 ]]def= (v)(em([[> es1 ]], deevc (x1).v) | v.[[> es2 ]])

The subsequent evaluation can be done only after thefirst evaluation in computing services has an output value.

[[> call esn1: esn2

(es1, . . . ) ]]def= (v1, . . . , vn+2)

(em([[> esn1]], deevc (xn1

′).vn+1(xn1′)) |

em([[> esn2]], deevc (xn2

′).vn+2(xn2′)) |

vn+1(xn1 ).vn+2(xn2 ).qus(xn1 : xn2/n).dequs (y1, z1).([y1 = xn1 : xn2/n ∧ z1 =′unallocated′]evc(

′undefined′) |[y1 = xn1 : xn2/n ∧ z1 6=′unallocated′]

(em([[> es1 ]], deevc (x1′).v1(x1

′)) | . . . |

v1(x1). . . . .vn(xn).[[> z1{x1/var1, . . .}]])))

The replacement of fname for a recursive functioncan be the fname itself. A divergence may be caused byinfinite self replacements.

[[> apply es0(es1, . . . ) ]]def= (v0, v1, . . . , vn)

(em([[> es0 ]], deevc (x0′).v0(x0

′)) | v0(x0).[ISABS(x0) = 1] (em([[> es1 ]], deevc (x1

′).v1(x1′)) | . . . |

v1(x1). . . . .vn(xn).

[[>let VARABS(x0) = < x1, . . .> in BODYABS(x0)]])))

Function ISABS() that judges whether a string is anabstraction, VARABS() that returns parameters of anabstraction and BODYABS() that returns the body ofan abstraction can be implemented by built-in functionsin section 3. We omit the details of implementation.

[[ > primop Atom(es1,...) ]]def= (v1, . . . , vn)

(qus(Atom/n).dequs (y1, z1).([y1 = Atom/n ∧ z1 =′unallocated′]evc(

′undefined′) |[y1 = Atom/n ∧ z1 6=′unallocated′]

(em([[> es1 ]], deevc (x1′).v1(x1

′)) | . . . |

v1(x1). . . . .vn(xn).[[> z1{x1/var1, . . . ,xn/varn}]])))

The function Atom/n has been defined explicitly.

[[> case es of cl1 . . . end ]]def= (c1, . . . , cn, v1, . . . , vn, suc)

(em([[> es]], deevc (x).c1(x)) |

([[> cl1]] | v1.c2(x)) | . . . |([[> cln]] | vn.evc(′fail′)))

The case expressions use pattern matching in Er-lang. The value of es is sequentially matched againstpat1, . . . , patn. Function SPF(yi, patsi) return 1 whenyi and patsi have the same syntactic structure that meansthe elements at each position of their parser trees areboth constants or a value assignment to variable. It canalso be constructed by built-in functions in section 3.

JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013 1507

© 2013 ACADEMY PUBLISHER

{〈yi1 , constpj1〉, . . . , 〈yim , constpim〉} is the set of com-parisons between constants, and {〈yj1 , varpj1〉, . . . , 〈yjl ,varpil〉} is the set of variable bindings.

[[> cli ::= patsi when gdi−> esi]]def= (gi)(ci(yi).

([¬ϕp]vi |[ϕp]em([[>let<varpj1 , . . .>=<yj1 , . . .> in gdi]], deevc (gi

′).gi(gi′))|

gi(gi).([gi = ’false’]vi |[gi = ’true’](suc |

[[> let < varpim+1, . . .> = < yim+1 , . . .> in esi]]))))

where ϕp = ((SPF(yi, patsi)) = 1∧(yi1 = constpi1 )∧. . .∧(yim =

constpim )).

[[> try es1 catch (var1,var2)−> es2]]def= (v1)

(em([[> es1 ]], deevc (x1′).v1(x1

′)) | v1(x1).[PJT 1(x1)=’EXIT’∨PJT 1(x1)=’THROW’∨PJT 1(x1)=’ERROR’]

[[>let <var1,var2> = <PJT 1(x1),PJT 2(x1)> in es2]])

Exceptions are tagged by ’EXIT’, ’THROW’ or ’ER-ROR’.

[[> letrec fname1 = f1 . . . in es]] def= [[> es{fun′1/fname1, . . .} ]]

where fi := fun (var1i , . . . , varni )−> esi and for i ∈ {1, . . . , n},

fun′i := fun (var1i , . . . , varni ) −> letrec fname1 = f1 . . . in esi.

The local function fi is maintained by the modified funabstraction in the evaluation of letrec expressions.

[[> call ’erlang’ : ’spawn’(mod, f , [es1, . . . , esn]) ]]def= (v1, . . . , vn)

(qus(mod : f/n).dequs (y1, z1).([y1 = mod : f/n ∧ z1 =′unallocated′]evc(

′undefined′) |[y1 = mod : f/n ∧ z1 6=′unallocated′](em([[> es1 ]], deevc (x1

′).v1(x1′)) | . . . | v1(x1). . . . .vn(xn).

alc(′new′).dealc (pid, add1).als(pid ·mb).deals (y′1, add2).

[y1′ = pid ·mb ∧ add1 6=′overflow′ ∧ add2 6=′overflow′]

(evc(pid) |(self)(SP |em([[>z1{x1/var1,. . .}]], RE))))))

where SP = SP | self(pid), pid ·mb = C(C(pid, · ),mb) and

RE :=self(pid).rec(pid).derec(y2,z2).res(pid·mb).deres (y3,z3).

A call to spawn returns a new pid rather than theevaluation result of the function call. The process releasesits pid and mailbox after its evaluation. The restrictedname self is for BIF self() that returns the processidentifer of the current calling process.

[[> call ’erlang’ : ’ ! ’(es1, es2) ]]def= (v1, v2)

(em([[> es1 ]], deevc (x1′).v1(x1

′)) |em([[> es2 ]], deevc (x2

′).(v2(x2)′ | evc(x2′)) |

v1(x1).v2(x2).qus(x1 ·mb).dequs (y1, z1).[y1 = x1 ·mb ∧ z1 6=′unallocated′]

ins(y1,ADD(z1,x2)).deins (y2, z2))

Sending a message is an asynchronous operation.

[[>receive cl1 . . . after es1−>es2]]def= (ot,c1,. . . ,cn, v1,. . . ,vn, suc, st)

(em([[> es1 ]], deevc (t′).ot(t′)) | self(pid).ot(t).(ST | [t 6= ’infinity’∧t ≥ 0]RMF | [t = ’infinity’]RMI))

ST = ST | st(Tstart)

RMF = qus(pid ·mb).dequs (y1, z1).[y1 = pid ·mb ∧ z1 6=′unallocated′]c1(M1)|([[>clause1]] |suc.ins(y1,DEL(z1,1)).deins(y

11,z

11) |v1.c2(M1))

| . . .|([[>clausen]] |suc.ins(y1,DEL(z1,1)).deins(y

n1,z

n1) |vn.c1(M2))

| . . . |vn.st(st).([Tnow≥st + t][[ > es2]] | [Tnow<st + t]RMF )

RMI = qus(pid ·mb).dequs (y1, z1).[y1 = pid ·mb ∧ z1 6=′unallocated′]c1(M1)|([[>clause1]] |suc.ins(y1,DEL(z1,1)).deins(y

11,z

11) |v1.c2(M1))

| . . .|([[>clausen]] |suc.ins(y1,DEL(z1,1)).deins(y

n1,z

n1) |vn.c1(M2))

| . . .| vn.RMI

where Mi = PJLi(z1), i ∈ {1, . . . ,m} that is a message in mailbox.

RMI is for the infinite timeout case. Tstart, Tnow can beobtained from a time service St that relies on operatingsystem or hardware. Our deterministic interpretation iscoincident with the specification [18].

V. OPERATIONAL SEMANTICS

To prove the soundness, we give the internal semanticsthat mainly describes the evaluation way and communi-cation semantics that formalizes message passing in CoreErlang. The values ranged over U, V, . . ., are:

V ::= const | vars | funWe only consider closed values ranged over

U0, V 0, . . ..Definition 5.1: An environment EN = 〈MDefs, As, P〉

records the entire computation and communication situa-tion:• A function definition FDeff is a mapping from

a function name f to a tuple 〈var1, . . . , varn,EB,

′Emark′〉 and var1, . . . , varn are parameter-s, EB is the body expression using variables invar1, . . . , varn, ′Emark′ is either ′exported′ or′local′. A set of function definition is denotedby FDefs.

• An attribute At is a finite partial function fromatoms to const. A module definition MDefm isa mapping from an atom m to a tuple 〈At, Fdefs〉.A set of module definition is denoted by MDefs.

• An assignment As is a finite partial function fromvars to closed values: {var1 7→ V 0

1 , ...}. An As1can compose with another As2 only if dom(As1) ∩dom(As2) = ∅ for single assignment. The composi-tion is denoted by As1 · As2.

• A runtime P is a finite set of current processesand P =

⋃i∈Ip psi where Ip is an index set for

processes and psi is a tuple 〈PE, pid,mb〉 and PE isthe expression that needs to be evaluated, pid is theprocess identifier and mb is the mailbox. Each psiin P has an exclusive pid.

A readiness Rd = 〈pce, pid〉 gives the description of theprogram pce ready to be evaluated and the identifier ofthe process pspce that calls pce. The empty pce is denotedby ε and the identifier of a terminate process is null.

1508 JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013

© 2013 ACADEMY PUBLISHER

Definition 5.2: A transition system of Core

Erlang TSce = (Rd, EN, A,λc→CE, R) with Rd a

readiness, EN an environment, A a set of actions,λc→CE⊆ (Rd, EN) × (Rd, EN) the transition relation underλc ∈ A and R some rules of the form:

{(Rdi, ENi)λci→CE (Rd′i, EN

′i) | i ∈ It}

(Rd, EN)λc→CE (Rd′, EN′)

(Φ)

where λc, λci ∈ A, i ∈ It and It is an indexset for transition relations. An action λc is either anempty action τ or a visible action. The elements of

{(Rdi, ENi)λci→CE (Rd′i, EN

′i) | i ∈ It} are called premises

and (Rd, EN)λc→CE (Rd′, EN′) is the conclusion. If the

premises set of a rule r ∈ R is ∅, then r is an axiom. Φis a set of preconditions.

A. Internal semantics

An expression substitution is denoted bye{e′1/e1, . . . , e

′n/en}. We denote a substitution according

to an assignment As by e[As]. A transformation ofP(or EN = 〈MDefs, As, P〉) caused only by expressionchanging from e to e′ in a process psj is denoted byPI = (P−psj)∪〈e′, pid,mb〉(or ENI = 〈MDefs, As, PI〉).The internal semantics rules are given in Fig. 4:

Mod:(〈module m. . . end, pidj〉, EN)

τ→CE

(〈ok, null〉, 〈MDefs ∪ MDefm, As, P− {psj}〉)

(m is an fresh atom of module name)

VarEva:(〈var, pidj〉, EN)

τ→CE

(〈V 0, null〉, 〈MDefs, As, P−{psj}〉) (As(var) = V 0 in EN)

FnameEva:(〈a/i, pidj〉, EN)

τ→CE

(〈fun (var1, . . . ) −> EB, null〉, 〈MDefs, As, P− {psj}〉)

(∃FDefa/i, FDefs, Mdefm in Mdefs such that: FDefa/i ∈ FDefs,Mdefm ∈ Mdefs, MDefm = 〈At, Fdefs〉 and FDefa/i =

〈var1, . . . , varn, EB,′Emark′〉)

Sequencing:(〈e1, pidj〉, EN)

λc→CE (〈e′1, pidj〉, EN′)

(〈do e1 e2, pidj〉, EN)λc→CE (〈do e′1 e2, pidj〉, EN

′)

(〈do V 0 e2, pidj〉, EN)τ→CE (〈e2, pidj〉, ENI)

VarAssign:(. . . , 〈e′i, pidj〉, . . . , EN)

λcn→CE (. . . , 〈V 0i , null〉, . . . , EN

′)

(〈let vars=e1 in e2, pidj〉, EN)τ→CE (〈e2, pidj〉, 〈MDefs, As · As′, P′〉)

(e1 := < . . . , e′i, . . . >, vars := < . . . , vari, . . . , >,

As′={. . . ,vari 7→ V 0i , . . .} and dom(As)∩dom(As′) = ∅)

LocRec:(〈letrec . . . fni = funi . . . in e, pidj〉, EN)

τ→CE

(〈e{. . . fun′i/fni . . .}, pidj〉, ENI)(For i, k ∈ {1, . . . , n}, funi := fun (var1i , . . .)−> ei and

fun′i := fun (var1i, . . .)−> letrec . . . fnk=funk . . . in ei)

Call:(〈call an+1 : an+2(V 0

1 . . . ), pidj〉, EN)τ→CE

(〈EB{V 01 /var1 . . .}, pidj〉, ENI)

(∃FDefan+2/n, FDefs, Mdefan+1

such that: Mdefan+1∈Mdefs,

FDefan+2/n∈FDefs, Mdefan+1

= 〈At, Fdefs〉,

FDefan+1/n=〈var1, . . . , varnEB,′exported′〉)

App:(〈apply fun (var1 . . . ) −> EB (V 0

1 . . . ), pidj〉, EN)τ→CE

(〈EB, pidj〉, 〈MDefs, As · As′, PI〉)

(As′ = {var1 7→ V 01 , ...} and dom(As) ∩ dom(As′) = ∅)

PriOp:(〈primop a( . . . V 0

i . . . ), pidj〉, EN)τ→CE

(〈EB{. . . V 0i /vari . . .}, pidj〉, ENI)

(∃FDefa/n, FDefs, MdefErlang such that: FDefa/n ∈ FDefs,MdefErlang ∈ Mdefs, MdefErlang = 〈At, Fdefs〉,FDefa/n = 〈var1, . . . , varn, EB,′exported′〉)

Try:(〈try V 0 catch (var1, var2)−> e2, pidj〉, EN)

τ→CE

(〈e2, pidj〉, 〈MDefs, As · As′, PI〉)

(V 0 = {a, U0}, (a = ’EXIT’) ∨ (a = ’THROW’)∨(a = ’ERROR’), As′ = {var1 7→ a, var2 7→ U0} and

dom(As) ∩ dom(As′) = ∅)Match:

(〈case V 0 of c1 . . . cn end , pidj〉, EN)τ→CE

(〈ei2 , pidj〉, 〈MDefs, As · Asp, PI〉)

(∀j < i,Match(V 0, patj) = 0 and Match(V 0, pati) =Asp, Asp is as below, ci := pati when ei1−> ei2 and

dom(As) ∩ dom(Asp) = ∅.)

MisMatch:(〈case V 0 of c1 . . . cn end , pidj〉, EN)

τ→CE

(〈′fail′, null〉, 〈MDefs, As, P− {psj}〉)

(∀j≤n,Match(V 0, patj)=0,ci :=pati when ei1−> ei2 )

Figure 4. Internal semantics of Core Erlang

The sequential evaluations in list(or tuple) is similarto Sequencing. The method in [24] is not effective sincethe assignment to the pattern p could be infinite. TheMatch() based on a structural comparison SPF() is:

Match(V 0, pat)=

{Asp if SPF(V 0, pat) = 1∧. . .∧V 0

im= constpim

0 otherwise

B. Communication semantics

We give the communication semantics of Core Erlanglanguage in Fig. 5:

Spawn:(〈call ’erlang’ : ’spawn’(mod, f , [V 0

1 , . . . ]) , pidj〉, EN)spawn−−−−−→CE (〈pidn, null〉, 〈MDefs, As,(P− {psj}) ∪ 〈EB{V

01 /vari . . .}, pidn,mbn〉)

(pidn is a fresh process identifier in P and mbn is its mailbox.∃FDeff/n, FDefs, Mdefmod such that: FDeff/n ∈ FDefs,Mdefmod ∈ Mdefs, Mdefmod = 〈At, Fdefs〉,FDeff/n = 〈var1, . . . , varn, EB,′exported′〉))

Send:(〈call ’erlang’ : ’ ! ’(pid, V 0), pidj〉, EN)

!(pid,V 0)−−−−−−−→CE

(〈V 0, null〉, 〈MDefs, As,(P− {psj , pspid}) ∪ 〈PE, pid,ADD(mb, V 0)〉)

(V 0 is a new message in mb and pspid = 〈PE, pid,mb〉 ∈ P)

MatchRec:(〈receive c1 . . . cn after V 0

1 −> e2, pidj〉, EN)rec(ms)−−−−−−→CE

(〈ei2 , pidj〉, 〈MDefs, As · Asp,(P− {psj}) ∪ 〈ei2 , j,DEL(mb, s)〉)

(timeout < V 01 or V 0

1 = ’infinity’, mb is a messagesequence {m1, . . . ,ml}, dom(As)∩ dom(Asp) = ∅, j is thepid of psj and ci := pati when ei1−> ei2 , ∃s 6 l, ∃q 6 nsuch that: ∀t < s, ∀j ∈ {1 . . . n}Match(mt, patj) = 0and ∀k < q Match(ms, patk) = 0,

Match(ms, patq) = Asp, Asp is as above)

MisMatchRec:(〈receive c1 . . . after V 0

1 −> e2, pidj〉, EN)timeout−−−−−−→CE

(〈e2, pidj〉, 〈MDefs, As, PI〉)

(timeout > V 01 , mb is a message sequence {m1, . . . ,ml},

ci := pati when ei1−> ei2 and

∀t ∈ {1 . . . l}, ∀j ∈ {1 . . . n}Match(mt, patj) = 0)

JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013 1509

© 2013 ACADEMY PUBLISHER

Figure 5. Communication semantics of Core Erlang

VI. CORRECTNESS

We modify the definition of late symbolic bisimulations[5] slighty and prove the correctness of our interpreta-tion. The →∗s,→∗CE are transitive reflexive closures oftransitions in VPCΣ and Core Erlang respectively. If

T∧ϕτi ,τ−→∗s

λs→s

∧ϕτj ,τ−→∗s T ′ then T

λs⇒s T′. T1 ;s T2 means

that T1 cannot reach T2, the same as λc⇒ce,;ce.Definition 6.1: A symmetric relation Rϕ on VPCΣ is a

late symbolic bisimulation and SRϕT if whenever Sϕ1,λ1−→

S′ and there is a collection of branching conditionalexpressions Br = {ϕbri | i ∈ I} such that

ϕ∧ϕ1 ⇒∨i∈I

ϕbri , ϕbri ∧ϕbrj ⇒ ⊥ (∀i, j ∈ I, i 6= j)

and for each ϕbri ∈ Br, ∃T ϕ2,λ2−→ T ′ that holds ϕbri ⇒ ϕ2

and the following properties:• If λ1 = τ then λ2 = τ and S′Rϕ

bri T ′.

• If λ1 = α(l) then λ2 = α(l′), ϕbri ⇒ l = l′ andS′Rϕ

bri T ′.

• If λ1 = α(x) then λ2 = α(y), andS′{z/x}Rϕbri T ′{z/y} where z is a variable not inS′, T ′ and x, y, z have the same length.

The late symbolic bisimilarity 'ϕLS is the largest latesymbolic bismulation for VPCΣ. ⇒ means the logicimplication relation.

Lemma 2 (strict lemma): For all closed programs pcein Core Erlang, one of the following cases holds:

1) if pce is a module definition (〈pce, pidj〉, EN)τ→CE

(〈ok, null〉, EN′) then for some `′c, `′s such that:

[[> pce]] | Sc(`c) | Ss(`s)λs⇒s 0 | Sc(`′c) | Ss(`′s)

where λs = ϕλs , deevc(′ok′).

2) if pce is an expression expce such that(〈expce, pidj〉, EN)

λc⇒ce (〈V 0, null〉, EN′) thenfor some `′c, `

′s such that:

[[> expce]] | Sc(`c) | Ss(`s)λs⇒s 0 | Sc(`′c) | Ss(`′s)

where λs = ϕλs , deevc(V0).

3) if pce is an expression expce with divergent evalu-ation such that(〈expce, pidj〉, EN);CE(〈V 0, null〉, EN′) then forany `′c, `

′s such that:

[[> expce]] | Sc(`c) | Ss(`s) ;s 0 | Sc(`′c) | Ss(`′s).Proof: The proof of case 1 is obtained directly

from the interpretation. The proof of cases 2 and 3 areby induction on programs which reduce to a value. Theinfinite replacements of recursive function body wouldcause divergence.

Definition 6.2: A specific running system is RS ={Rd1, . . . , Rdt, EN} where Rdi = 〈pcei , pidi〉 and pidi 6=null. RS could evolve to RS′ by the two following rules:Parallel:

(〈pcei , pidi〉, EN)λc→CE (〈p′cei , pidi〉, EN

′)

{. . . Rdi . . . , EN}λc→CE {. . . Rd′i . . . , EN

′}Strict:

(〈pcei , pidi〉, EN)λc→CE (〈l, null〉, EN′)

{. . . Rdi, EN}λc;tm(l)−−−−−−→CE {. . . , Rdi−1, Rdi+1 . . . , EN

′}

(Rdi = 〈pcei , pidi〉, Rd′i = 〈p′cei , pidi〉, l is either ε, a pid or a V 0)

The premises are the rules defined in section 5.1,5.2.The action set of running system ARS = A∪{λc; tm(l)}ranges over ω.

[[> pcei ]]RE def= (self)(SPi | em([[> pcei ]], REi)).

[[RS]]def= (sn)([[>pce1 ]]RE |. . . | [[> pcet ]]

RE |Sc(`c) |Ss(`s))

(REi=deevc (x′).self(pid).rec(pid).derec (y

′1, z′1).res(pid ·mb).

deres (y′2, z′2) and SPi = SPi | self(pidi).)

All labels and co-labels in Ss(`s),Sc(`c) are denotedby sn = qus, qus, quc, quc, . . .. The condition ∧ϕτ is fora sequence of τ actions.

The following two theorems establish the correctnessof our interpretation and we give the detailed proofs ofthem in Appendix.

Theorem 6.1 (Correspondence 1): For a runningsystem RS of Core Erlang, if RS

ω−→CE RS′ then[[RS]]

∧ϕτ ,τ===⇒s T 'ϕ

c

LS [[RS′]].

Theorem 6.2 (Correspondence 2): For a runningsystem RS of Core Erlang, if [[RS]] ⇒s T , thenthere exists an RS′ such that RS

ω−→CE RS′ andT ⇒s T ′ 'ϕ

c

LS [[RS′]] where ω is an action sequenceω1, . . . , ωk.

VII. CONCLUSION AND FUTURE WORK

In this paper we proposed an intermediate calculusVPCΣ to improve the state-of-the-art of practical lan-guages verification by process calculi. And we give anew interpretation of Core Erlang. The community of theErlang language can have the following benefits:

• thereafter model checking tools such as µ-calculus[25] can be used to automatically verify some spec-ifications of Erlang system that be described bya logic formulae and guide the implementation ofspecifications [26]. We need to embed the VPCΣ inµ-calculus;

• the proven correspondence result can establish cor-rectness properties of complex systems implement-ed in Erlang for industry’s testing. Some previouswork in π-calculus [8] have not this property partlybecause the equivalence relations of π-calculus paylittle attention to infinite values.

In the future we would like to extend our work further.Practically we should embed the VPCΣ in µ-calculus thatis a model checking tool of value-passing processes [25]. Theoretically, the interpretive ability of π-calculus andVPCΣ for programming languages could be examined.

ACKNOWLEDGMENTS

We appreciate Prof. Yuxi Fu for his advice and sugges-tions. Sandy Harris has helped in improving the paper’squality. This work is supported by NSFC (Grant No.61033002) and STCSM (Grant No. 11XD1402800).

1510 JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013

© 2013 ACADEMY PUBLISHER

REFERENCES

[1] R. Milner, “Functions as processes,” Automata, Languagesand Programming, pp. 167–180, 1990.

[2] D. Walker, “Objects in the pi-Calculus,” Information andComputation, vol. 116, no. 2, pp. 253–271, 1995.

[3] J. Hyland and C. Ong, “Pi-calculus, dialogue games andPCF,” in Proceedings of the seventh international confer-ence on Functional programming languages and computerarchitecture. ACM, 1995, pp. 96–107.

[4] R. Milner, J. Parrow, and D. Walker, “A calculus of mobileprocesses, Parts I and II,” Information and computation,vol. 100, no. 1, pp. 1–77, 1992.

[5] M. Hennessy and H. Lin, “Symbolic bisimulations,” The-oretical Computer Science, vol. 138, no. 2, pp. 353–389,1995.

[6] R. Cleaveland and D. Yankelevich, “An operational frame-work for value-passing processes,” in Proceedings of the21st ACM SIGPLAN-SIGACT symposium on Principles ofprogramming languages. ACM, 1994, pp. 326–338.

[7] B. Pierce and D. Turner, “Pict: A programming languagebased on the pi-calculus,” Proof, language and interaction:Essays in honour of Robin Milner, pp. 455–494, 2000.

[8] T. Noll and C. Roy, “Modeling Erlang in the Pi-Calculus,”in ERLANG ’05 Proceedings of the 2005 ACM SIGPLANworkshop on Erlang, vol. ISBN:1-59593-066-3, 2005.

[9] F. Dagnat and M. Pantel, “Static analysis of communi-cations for Erlang,” in Proceedings of 8th InternationalErlang/OTP User Conference, 2002.

[10] R. Milner, Communication and concurrency. Prentice-Hall, Inc., 1989.

[11] ——, “The polyadic π-calculus: a tutorial,” Logic andalgebra of specification, vol. 94, 1991.

[12] R. Cleaveland, J. Parrow, and B. Steffen, “The Concurren-cy Workbench: A semantics-based tool for the verificationof concurrent systems,” ACM Transactions on Program-ming Languages and Systems, vol. 15, no. 1, pp. 36–72,1993.

[13] B. Victor and F. Moller, “The Mobility Workbenchatool for the π-calculus,” in Computer Aided Verification.Springer, 1994, pp. 428–440.

[14] H. Lin, “A verification tool for value-passing processes,” inProceedings of 13th International Symposium on ProtocolSpecification, Testing and Verification, IFIP Transactions.North-Holland, 1993.

[15] B. Meng, W. Huang, and D. Wang, “Automatic verificationof remote internet voting protocol in symbolic model,”JOURNAL OF NETWORKS, vol. 6 (9), pp. 1262–1271,2011.

[16] Y. Fu and H. Lu, “On the expressiveness of interaction,”Theoretical Computer Science, vol. 411, no. 11-13, pp.1387–1451, 2010.

[17] J. Armstrong, R. Virding, C. Wikstrom, and M. Williams,Concurrent Programming in ERLANG Second Edition.Prentice Hall, 1996.

[18] R. Carlsson, B. Gustavsson, E. Johansson, T. Lindgren,M. Nystrom, S.O. Pettersson, and R. Virding, “Core Er-lang 1.0.3 language specification,” Information TechnologyDepartment, Uppsala University, Tech. Rep., 2000.

[19] R. Carlsson, “An introduction to Core Erlang,” in Proceed-ings of the PLI01 Erlang Workshop. Citeseer, 2001.

[20] Y. Fu, “Theory by Process,” in CONCUR’10, vol. 6269,LNCS. Springer, 2010, pp. 403–416.

[21] U. Nestmann and B. Pierce, “Decoding choice encodings,”in CONCUR1996. Springer, 1996, pp. 179–194.

[22] P. Sewell, “Applied π: A Brief Tutorial,” Computer Labo-ratory, University of Cambridge, Tech. Rep., 2000.

[23] G. D. Plotkin, “Call-by-Name, Call-by-Value and the λ-Calculus,” Theor. Comput. Sci., vol. 1, pp. 125–159, 1975.

[24] M. Neuhaußer and T. Noll, “Abstraction and model check-ing of Core Erlang programs in Maude,” ENTCS, vol. 176,no. 4, pp. 147–163, 2007.

[25] H. Lin, “Model checking value-passing processes,” in Soft-ware Engineering Conference, 2001. Eighth Asia-Pacific.IEEE, 2001, pp. 3–10.

[26] J. Kriche, M. Hamdi, and N. Boudriga, “Heterogeneoussecurity policy validation: From formal to executable spec-ifications,” JOURNAL OF NETWORKS, vol. 3(8), pp. 55–69, 2008.

VIII. APPENDIX

A. An Example

We give a simple program of Core Erlang to describethe interpretation. The call of function format in themodule io provides standard input/output is very simpli-fied.

[[> call ′io′ : ′format′(l, [ ]) ]]def= evc(l)

where l is an input/output string that begins and ends with”.

module ’pingpong’ [’start’/0,’ping’/2,’pong’/0]attributes [ ]’ping’/2=

fun (N,Pong PID)−>case N of

0 when ’true’−>do

call ’Erlang’ : ’!’(Pong PID,’finished’)call ’io’ : ’format’(”ping finished∼n”,[ ])

X when ’true’−>do

docall ’Erlang’ : ’!’(Pong PID,{’ping’,

call ’Erlang’:’self’()})receive

’pong’ when ’true’−>call ’io’ : ’format’(”Ping

received pong∼n”,[ ])after ’infinity’−>’true’

apply ’ping’/2(X-1,Pong PID)

’pong’/0=fun()−>

receive’finished’ when ’true’−>

call ’io’ : ’format’(”Pong finished∼n”,[ ]){’ping’, Ping PID} when ’true’−>

dodo

call ’io’:’format’(”Pong receivedping∼n”,[ ])

call ’Erlang’ : ’!’(Ping Pid, ’pong’)apply ’pong’/0 ( )

after ’infinity’−>’true’

’start’/0=fun()−>

let Pong PID=call ’Erlang’ : ’spawn’(pingpong,pong,[ ])in call ’Erlang’ : ’spawn’(pingpong,ping,[2,Pong PID])

end

JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013 1511

© 2013 ACADEMY PUBLISHER

Execution Transition

> c(pingpong).def= [[>module ’pingpong’ . . . end]] |Sc(`c) |Ss(`s)

{ok,pingpong}∧ϕτ ,τ−→∗s

ϕ1,deevc (′ok′)−−−−−−−−−−→s(m, ef1, . . .)(0 |Sc(`c)

| Ss(`′s))> call ’pingpong’

: ’start’().def= [[>call ’pingpong’ : ’start’()]] |Sc(`c) |Ss(`′s)

< 0.36.0 >∧ϕτ ,τ−→∗s

ϕ2,deevc (pidping)−−−−−−−−−−−−−→s [[> E2]]RE |Sc(`′c)|Ss(`′s)|[[>E1{2/N,pidpong/Pong PID}]]RE

Pong received ping∧ϕτ ,τ−→∗s

ϕ3,deevc (”Pong received ping∼n”)−−−−−−−−−−−−−−−−−−−−→s

Ping received pong∧ϕτ ,τ−→∗s

ϕ4,deevc (”Ping received pong∼n”)−−−−−−−−−−−−−−−−−−−−→s

Pong received ping∧ϕτ ,τ−→∗s

ϕ5,deevc (”Pong received ping∼n”)−−−−−−−−−−−−−−−−−−−−→s

Ping received pong∧ϕτ ,τ−→∗s

ϕ5,deevc (”Ping received pong∼n”)−−−−−−−−−−−−−−−−−−−−→s

ping finished∧ϕτ ,τ−→∗s

ϕ6,deevc (”ping finished∼n”)−−−−−−−−−−−−−−−−−→s

Pong finished∧ϕτ ,τ−→∗s

ϕ7,deevc (”Pong finished∼n”)−−−−−−−−−−−−−−−−−−→s

∧ϕτ ,τ−→∗s 0 | Sc(`c) | Ss(`′s)

where E1 is the body expression of the function ’ping’/2and E2 is the body expression of the function ’pong’/0.

B. Proofs of Theorem 1 and Theorem 2Theorem 1 (Correspondence 1) For a running

system RS of Core Erlang, if RSω−→CE RS′ then

[[RS]]∧ϕτ ,τ===⇒s T 'ϕ

c

LS [[RS′]].Proof:

1) If ω = τ ; tm(l) and l = ok then we proof it by 1of Lemma 2.

2) If ω = λc; tm(l) and l = V 0 we proof it by 2 ofLemma 2.

3) If ω = λc; tm(l) and l = pid, then we needto consider the case that is derived by the rules[Spawn ], [Parallel ], [Strict ] in sequence and w =spawn; tm(pidn). We assume that the transition ωof RS = {. . . , Rdi . . . , EN} is caused by Rdi.[Spawn ]:RS

spawn;tm(pidn)−−−−−−−−−−−→CE

RS′={. . . ,Rdi−1,Rdi+1 . . . ,〈EB{V 01 /vari . . .},pidnew〉, EN′}

(sn)([[> call ’erlang’ : ’spawn’(mod, f , [V 01 , . . . ]) ]]RE |

Sc(`c) | Ss(`s) | ...)∧ϕτ ,τ====⇒s (sn)((self)(SPnew |em([[> z1{V 0

1 /var1, . . . , V0n /varn}]], REnew)) | Sc(`′c) |

Ss(`′s) | . . . | [[> pcei−1 ]] | [[> pcei+1 ]] | . . .) 'ϕc

LS [[RS′]]

where z1 is instantiated to the body of functionf/n in module mod and pidnew represents the newprocess identifiers.

4) If ω = λc, we give a proof by induction on thepcei that do the transition w and do not reduceto a value. The subcases include: [Sequencing],[VarAssign], [LocRec], [Call], [App], [PriOp], [Try],[Match], [MisMatch], [MatchRec ], [MisMatchRec].We discuss three subcases as below.

[VarAssign ]:RS = {. . . , 〈 let vars = < V 0

1 , . . . > in e2 , pidi〉, . . . , EN}τ−→CE RS′ = {. . . , 〈e2, pidi〉 . . . , EN′}(sn)([[> let vars = e1 in e2 ]]RE | Sc(`c) | Ss(`s) |. . .)

∧ϕτ ,τ====⇒s (sn)((self)(SPi | em([[> e2]], REi)) |

Sc(`c) | Ss(`′s) | . . .) 'ϕc

LS [[RS′]]

[Call ]:RS = {. . . , 〈call an+1 : an+2( . . . V 0

i . . . ), pidi〉, . . . , EN}τ−→CE RS′ = {. . . , 〈EB{. . . V 0

i /vari . . .}, pidi〉 . . . , ENI}(sn)([[> call an+1 : an+2( . . . V 0

i . . . ), pidi ]]RE | Sc(`c) |

Ss(`s) | . . .)∧ϕτ ,τ====⇒s

(sn)((self)(SPi | em([[> z1{V01/var1, . . .}]], REi)) |

Sc(`c) | Ss(`s) | . . .) 'ϕc

LS [[RS′]]

where z1 is instantiated to the body of functionan+2/n in module an+1.

[Match ]:RS = {. . . , 〈case V 0 of c1 . . . end , pidi〉, . . . , EN}τ−→CE RS′ = {. . . , 〈ei2 , pidi〉, . . . , 〈MDefs, As · Asp, PI〉}

( where dom(As) ∩ dom(Asp) = ∅, Asp = {varpim+1 7→V 0im+1

, ...} and ci := pati when ei1−>ei2 .)(sn)([[> case V 0 of c1 . . . end , pidi ]]

RE | Sc(`c) |Ss(`s) | ...)

∧ϕτ ,τ====⇒s (sn)((self, suc)

([[>let <varpim+1 , . . . >=<yim+1 , . . .> in ei2 ]], REi))

| em(SPi | suc | Sc(`c) | Ss(`s) | . . .)∧ϕ′τ ,τ====⇒s

(sn)((self, suc)(SP ′i | suc | em([[> e2]], REi)) | Sc(`c) |Ss(`′s) | . . .) '

ϕc

LS [[RS′]]

where `′s is modified by the assignment Asp andthe case [MatchRec ] is similar.

The remaining subcases are similar.

Theorem 2 (Correspondence 2) For a runningsystem RS of Core Erlang, if [[RS]]⇒s T , then there existsan RS′ such that RS ω−→CE RS′ and T ⇒s T

′ 'ϕc

LS [[RS′]]where ω is an action sequence ω1, . . . , ωk.

Proof: The proof is by induction on the count ofϕτ ,τ−−−→s actions denoted by nτ in [[RS]] ⇒s T . The nτ

could be 0 whereas it is no less than 1 in Theorem 1.1) If nτ = 0 then T ≡ [[RS]] and T ≡ T ′. In this case

the result is obvious.2) If nτ > 0 then we assume that [[RS]]⇒s T1

ϕτ ,τ−−−→s

T and Theorem 2 holds for T1. By the inductionhypothesis, we get that for some RS1 such that

RSω1

−−→CE RS1 and T1 ⇒s T′1 '

ϕc

LS [[RS1]] whereω1 is an action sequence ω′1, . . . , ω

′l. There are two

subcases for the count of τ actions denoted by mτ

in T1 ⇒s T′1:

a) If mτ = 0 then T1 ≡ T ′1 'ϕc

LS [[RS1]]. Weget RS1 = {Rd1′, . . . , Rds′, EN′} according tothe definition of running system RS and[[RS1]]

def= (sn)([[> p′ce1 ]]

RE | . . . | [[> p′ces ]]RE |

Ss(`′s) | Sc(`′c)).The descendant T of T1

ϕτ ,τ−−−→s T is latesymbolic bisimilar to the descendant T ′ of[[RS1]]

ϕτ ,τ−−−→s T′. Given a specific RS1, a direct

τ action for [[RS1]] could be an interaction be-tween [[> p′cei ]]

RE and Ss(`′s) (or Sc(`′c)). Theτ action between two [[> p′cei ]]

RE , [[> p′cej ]]RE

is indirect. The τ action between Ss(`′s) andSc(`′c) could happen only in the call spawnand are not the first one. The proof is byinduction on the structure of p′cei . One caseis as below:p′cei := module . . . end: The first direc-t τ is an interaction between [[> p′cei ]]

RE

and Ss(`′s). [[RS1]]ϕτ ,τ−−−→s T

∧ϕτ ,τ===⇒s

1512 JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013

© 2013 ACADEMY PUBLISHER

(sn)(. . . | [[> p′cei−1]]RE | [[> p′cei+1

]]RE |. . . | Ss(`′′s ) | Sc(`′′c )) 'ϕ

c

LS [[RS′]] andRS′ = {. . . , Rdi−1′, Rdi+1

′, . . . , EN′′}, ω =ω′1, . . . , ω

′l, τ .

The remaining cases are similar.b) If mτ > 1 and [[RS]] ⇒s T1

ϕτ ,τ−−−→s T ,then there is a fixed finite path [[RS]]

ϕτ ,τ−−−→s

T2 . . . Tmτϕτ ,τ−−−→s T1. By the induction hy-

pothesis, we also have RSω′1,...,ω

′l−−−−−→CE RS1.

The intermediate states of running systemare RS′1, . . . , RS

′l. There should exist a max-

imum pair i, j such that Ti ≡ [[RS′j]] for

i ∈ {0, . . . ,mτ}, j ∈ {0, . . . , l}, T0def=

[[RS]]def= [[RS′0]]. The latest intermediate state

RS′j = {Rd1j , . . . , Rdpj , ENj}. We discuss thepossibility of τ actions as follows:i) It is an internal τ action of a certain

[[> pjcei ]]RE in Rd

ji of RS′j to record a tem-

porary result of evaluation. By inductionon the structure of pjcei , the RS′j shouldchange to a certain RS′ after the execu-tion of pjcei in the process with pidi andT ⇒s'ϕ

c

LS [[RS′]].ii) It is an interaction between Ss(`js) andSc(`jc) caused by a call of spawn in Rd

ji

of RS. The last result for the call of spawnwould change the RS to RS′ that includesa new process with pidnew and T ⇒s'ϕ

c

LS

[[RS′]].iii) It is an interaction between [[> pjcei ]]

RE andSs(`js) (or Sc(`jc)). By induction on thestructure of pjcei similarly, the RS′j shouldchange to a RS′ after the execution of pjceiand T ⇒s'ϕ

c

LS [[RS′]].

Hao Huang is currently a Ph.D. candidate in department ofComputer Science, shanghai jiaotong university.

His research interests mostly lie in functional languages andprocess calculi, including the theory of functional programming,the verification of functional languages in process calculi, formalanalysis of program analysis.

Fei Yang is currently a M.S. student in department of computerscience, shanghai jiaotong university.

His research interests lie in concurrency theory, equivalencechecking problems in process calculi.

JOURNAL OF NETWORKS, VOL. 8, NO. 7, JULY 2013 1513

© 2013 ACADEMY PUBLISHER