Unfold/Fold Transformations ofConcurrent Processes 1Nicoletta De Francesco and Antonella SantoneDipartimento di Ingegneria dell'InformazioneUniversit�a di Pisa, ItalyAbstract. Program transformation is a technique for obtaining, start-ing from a program P, a semantically equivalent one, which is "better"than P with respect to a particular goal. Traditionally, the main goalof program transformation was obtaining more e�cient programs, but,in general, this technique can be used to produce programs written in asyntactic form satisfying some properties. Program transformation tech-niques have been extensively studied in the framework of functional andlogic languages, where they were applied mainly to obtain more e�cientand readable programs. All these works are based on the Unfold/Foldprogram transformation method developed by Burstall and Darlingtonin the context of their recursive equational language. The use of Un-fold/Fold based transformations for concurrent languages is a relevantissue that has not yet received an adequate attention. In fact the existingproposals of transformations of concurrent programs are not based on ageneral Unfold/Fold transformation theory. The aim of this paper is tode�ne such a theory for the concurrent calculus CCS and to prove itcorrect.1 Introduction and OverviewProgram transformation is a technique for obtaining, starting from a programP , a semantically equivalent one, which is \better" than P with respect to aparticular goal. Traditionally, the main goal of program transformation was ob-taining more e�cient programs, but, in general, this technique can be used toproduce programs written in a syntactic form satisfying some properties.Program transformation techniques have been extensively studied in theframework of functional and logic languages [5, 9, 19, 24, 25, 26], where theywere applied mainly to obtain more e�cient and readable programs. All theseworks are based on the Unfold/Fold program transformation method developedby Burstall and Darlington [5] in the context of their recursive equational lan-guage. The method is based on a set of rules manipulating a set of mutuallyrecursive de�nitions. It consists in building a sequence of equivalent programs,each obtained by the preceding ones by means of the application of a rule. Therules are based on Unfolding and Folding, i.e., expansion and contraction ofsub-expressions of a program, using the de�nitions of the preceding programs.1 This work has been partially funded by Progetto Coordinato CNR ANATRA.

The use of Unfold/Fold based transformations for concurrent languages isa relevant issue that has not yet received an adequate attention. In fact theexisting proposals of transformations of concurrent programs (see, for example,[20, 29]) are not based on a general Unfold/Fold transformation theory. The aimof this paper is to de�ne such a theory for the concurrent calculus CCS [22] andto prove it correct. A CCS program is a set of mutually recursive de�nitionsthat can be manipulated by syntactic transformations to obtain a semanticallyequivalent program in which a particular property is syntactically evident.In this paper we de�ne a set of transformation rules for CCS. These area specialization of classical program transformation rules, such as Folding andUnfolding. It is well known [27] that, while Unfolding preserves program equiv-alence, its inverse, i.e. Folding, when used without restriction, can cause loss ofinformation. The study of conditions to ensure folding safeness is a major topicin program transformation. In the functional and logic programming areas manyproposals have been made of safe folding rules: the �rst one was that of Tamakiand Sato [27], in which the set of de�nitions is partitioned into \old" and \new"ones, and unrestricted folding is allowed only for old de�nitions, while it is con-strained when applied to the new ones. Subsequent proposals (see, for example,[15, 23]), were devoted to �nd weaker conditions for the application of folding,still maintaining its safeness. In this paper we introduce an elegant safe foldingrule for CCS, based on a well-known process algebra notion, i.e. Guardedness.Besides being very simple, this rule is very general and powerful and, di�erentlyfrom most proposals for logic programs, the condition it imposes do not dependon the transformation history, but is checkable only by inspecting the programto be folded.In the paper the transformation rules are proved correct with respect to theCCS semantics. The detailed proof we show is built di�erently from the proof ofanalogous theorems for logic programs (see [25, 27]), since it uses bisimulationtechniques.Finally, we show two examples of application of Unfold/Fold transformationsof CCS. First we use our rules to transform, if possible, a full CCS programinto an equivalent program whose semantics is a �nite transition system. Thisis achieved by trying to obtain a program in which the \growing" operators,such as parallel composition and restriction, do not occur. If the transformationsucceeds, it becomes feasible to use the existing veri�cation environments [1, 4,7, 8, 13, 14], which are based on an internal �nite state representation of theprogram. Moreover, the transformation process can be seen as a way to prove�niteness of CCS programs. As a second example, we show how it is possible toprove the equivalence between two BPP programs by transforming one into theother, where BPP [6] is a subset of CCS for which equivalence is decidable. Thus,our transformational approach can be seen as unifying in a common frameworka set of di�erent techniques of program analysis.This paper is the �rst attempt, to our knowledge, of formally de�ning andproving correct a general Unfold/Fold program transformation methodology fora concurrent calculus. The results we have achieved suggest that this area of

research is very promising.Section 2 recalls some notions related to CCS and program transformationmethodology. Section 3 de�nes our methodology, while Section 4 shows someapplications. Section 5 compares the work with existing ones, concludes andillustrates future work.2 Preliminaries2.1 CCSWe assume that the reader is familiar with the basic concepts of process algebrasand CCS. We summarize the most relevant de�nitions below, and we refer to[22] for more details. The CCS syntax we consider is the following:p ::= �:p j nil j p+ p j pjp j pnA j x j p[f ]Terms generated by p (Terms) are called process terms (called also processes orterms); x ranges over a set fx; y; : : :g of constants (Const). A constant is de�nedby a constant de�nition x def= px, (px is called the body of x).As usual, there is a set of visible actions V is = fa; a; b; b; :::g over which �ranges, while �; � range over Act = V is [ f�g, where � denotes the so-calledinternal action. We denote by � the action complement: if � = a, then � = a,while if � = a, then � = a. By nil we denote the empty process.The operators to build process terms are pre�xing (�:p), summation (p+ p),parallel composition (pjp), restriction (pnA) and relabelling (p[f ]), where A �V is and f : V is ! V is such that f(�) = f(�). We also extend f to Act bydecreeing that f(� ) = � and we assume that V is is �nite. The precedence of theoperators is given by the following list, in increasing order: + ; j ; : ; nA ; [f ](parentheses will be avoided wherever possible).A CCS program is a pair hD; pi , where p 2 Terms and D is a �nite setof constant de�nitions. Given a term p, a sub-term of p is weakly guarded (orsimply guarded) in p if it occurs in a term q such that �:q is a sub-term of p.We say that a CCS program hD; pi is standard if: i) there is only one de�nitionfor each constant; ii) p and each constant body are closed, i.e. contain onlyconstants de�ned in D; and iii) each constant occurrence is weakly guarded ineach constant body.The operational semantics of a CCS term p with a set D of constant de�ni-tions is given by a set of inference rules de�ning a relation!D � Terms�Act�Terms. The relation is the least relation satisfying the rules. If (p; �; q) 2 !D,we write p �!D q. The SOS rules [22] are recalled in �gure 1.A labelled transition system (or simply transition system) TS is a quadruple(S; T;!; s0), where S is a set of states, T is a set of transition labels, s0 2 S isthe initial state, and ! � S � T � S. If (s; �; s0) 2 !, we write s �! s0. Givena program P = hD; pi, the operational semantics of P is the transition systemSOS(P ) = (Terms;Act;!D; p), where !D is the relation de�ned by SOS.

Act �:p �!D p Sum1 p �!D p0p+ q �!D p0 Sum2 q �!D q0p+ q �!D q0Com1 p �!D p0pjq �!D p0jq Com2 q �!D q0pjq �!D pjq0 Com3 p �!D p0 q �!D q0pjq �!D p0jq0Res p �!D p0pnA �!D p0nA �; � 62 A Rel p �!D p0p[f ] f(�)! D p0[f ] Con px �!D p0x �!D p0 (x def= px 2 D)Figure 1: Operational Semantics of CCSA �nite computation of a CCS term p with D is a sequence �1�2 � � ��n oflabels such that p0 �1!D � � � �n!D pn with p = p0. A term q such that there isa computation p �1!D � � � �n!D q is a derivative of p with D. If n = 1, q is animmediate derivative of p.Let TS1 = (S1; T1;!D1 ; s01) and TS2 = (S2; T2;!D2 ; s02) be transitionsystems and let s1 2 S1 and s2 2 S2. s1 and s2 are strongly equivalent (or simplyequivalent) (s1 �= s2) if there exists a strong bisimulation that relates s1 and s2.B � S1 � S2 is a strong bisimulation if 8(r; s) 2 B (where � 2 T1 [ T2){ r �!D1 r0 implies 9s0 : s �!D2 s0 and (r0; s0) 2 B;{ s �!D2 s0 implies 9r0 : r �!D1 r0 and (r0; s0) 2 B.TS1 and TS2 are said to be equivalent (TS1 �= TS2) if a strong bisimulation existsrelating s01 and s02 . Given two CCS programs P = hD; pi and Q = hD0; qi, wesay that P is equivalent to Q (P �= Q) if SOS(P ) �= SOS(Q).In [22] a set of laws is de�ned, which axiomatize strong equivalence, forexample pnAnA �= pnA. An important law is the Expansion Law: for each q =(p1 j � � � j pn)nA, with n � 1, it holdsq �=Pf�:(p1 j � � � j p0i j � � � j pn)nA : pi �! p0i; � 62 (A [A)g+Pf�:(p1 j � � � j p0i j � � � j p0j j � � � j pn)nA : pi �!p0i; pj �! p0j; i < jgIt holds that, if each constant occurrence is guarded in q, then the summationis �nite.2.2 Program TransformationThe Unfold/Fold transformation approach was introduced in [5] to manage func-tional programs and then used for logic programs [25, 26]. This approach isbased on the construction, by means of a strategy, of a sequence fPkg of pro-grams each obtained by the preceding ones using of a transformation rule. Therules are based on unfolding and folding, i.e. expansion and contraction of a sub-expression of Pk using the de�nitions of Pk or of a preceding program. Other

rules are used, as, for example, de�nition elimination and introduction. Eachprogram in the sequence is related with the preceding ones by a particular se-mantic notion. In general, the methodologies may di�er in the rules they adoptand/or in the strategy they follow, and each methodology is proved correct withrespect to a particular semantics of the language.3 The Transformation RulesIn this section we present the transformation rules of our methodology. Theyallow us to build a sequence fPkg, k � 0, of CCS programs each one obtained bythe preceding ones by the application of a rule. All the programs of the sequencefPkg are strongly equivalent.We use the following de�nition. Given the terms q and r, the pair [q=r] de-notes substitution. If r is a sub-term of a term p, the application of a substitutionto p, denoted as p[q=r], results in the term obtained from p by substituting q forr in p.The �rst rule is Unfolding and substitute a constant name x with the bodyof the de�nition of x belonging to a preceding or to the same program.Unfolding. Let Pk = hD; pi be a program and let D 2 D be the constantde�nition x def= px such that the constant y occurs in px. Suppose that thede�nition D0 : y def= q belongs to a program Pj , with 0 � j � k. If we unfoldD using D0 in Pj, we obtain the program Pk+1 = h(D�fDg)[fx def= px[q=y]g; pi.For example, suppose that P0 = hfx def= c:y j a:nil; y def= b:yg; xi. After anunfolding step we obtain the program P1 = hfx def= c:b:y j a:nil; y def= b:yg; xi.It is well known that the Unfolding rule is safe, in the sense that it producessemantically equivalent programs. Its inverse, the Folding rule, is harmful in gen-eral. In the Folding rule we substitute a term p with a constant name x suchthat there is a de�nition x def= p in a preceding or in the same program. But it iswell known [24, 25, 27] that unrestricted folding may cause loss of information,as in the case of the program hfx def= a:nilg; xi which can be folded, obtaininghfx def= xg; xi. However, information can be lost also in non trivial cases: considerthe program P0 = hfx def= a:nil; y def= a:nilg; xi; after a folding step we obtainthe program P1 = hfx def= a:nil; y def= xg; xi. If now we re-apply folding usingthe de�nition of y in P0, we obtain the program P2 = hfx def= y; y def= xg; xi suchthat P2 6�= P0. A safe solution is to allow folding of a program Pk using only thede�nitions of Pk and not those of the preceding programs (provided we do notuse self-folding). But in this way most of the power of the approach is lost. Forthese reasons, in the functional and logic programming areas many proposalswere made of weaker conditions for the application of folding, still maintaining

its safeness. In [27] the set of de�nitions is partitioned into \old" and \new"ones, allowing folding only for old de�nitions and imposing restrictions on thenew ones: essentially, a new de�nition can be folded only if it has been unfoldedat least once. Other proposals can be found in [3, 15, 18, 23].For CCS we propose the following safe folding rule, which simply allows foldingonly for weakly guarded sub-terms.Guarded-Folding. Let Pk = hD; pi be a program and letD 2 D be the constantde�nition x def= px such that q is a weakly guarded sub-term of px. Suppose thatD0 : y def= q is a de�nition belonging to a program Pj, with 0 � j � k. If we foldD using D0 in Pj, we obtain the program Pk+1 = h(D�fDg)[fx def= px[y=q]g; pi.Intuitively, using Guarded-Folding we do not lose any information since the\�rst" events of each constant body remain unaltered and this has the same ef-fect achieved when the de�nition to be folded has been already unfolded, whichis the condition described in [27]. Note that the condition on folding does notdepend on the transformation history, as most of the existing conditions do, butis checkable by inspecting only the program to be folded.The De�nition Introduction rule adds a new constant de�nition:De�nition Introduction. Let be Pk = hD; pi. If there is no de�nition for theconstant x in P0; : : : ; Pk and q is a term in which all the occurring constantsare de�ned in D and are weakly guarded, we can introduce the de�nition of x,obtaining the program Pk+1 = hD [ fx def= qg; pi.We now de�ne a set containing the constants possibly reachable from a termp during the computations starting from p.De�nition1 (Reachable constants: RD(p)). Given a term p and a set D ofconstant de�nitions, we de�ne the set RD(p) � Const of constants reachablefrom a term p as RD(p) = �n(p), where n is the number of the constant de�ni-tions in D and, 8i � 0 �i : Terms ! 2Const is de�ned as follows:�i(nil) = ;�i(�:p) = �i(p)�i(p + q) = �i(p) [ �i(q)�i(p j q) = �i(p) [ �i(q)�i(pnA) = �i(p)�i(p[f ]) = �i(p)�i(y) = (; if i = 0�i�1(py) [ fyg if i � 1 and y def= py 2 D

For example, if D = fx def= c:b:y; y def= b:y; z def= a:nilg, then RD(a:xjb:nil) =fx; yg.The following lemma holds:Lemma2. Given a term p and a set D of constant de�nitions, for each constanty occurring in a derivative of p with D, y 2 RD(p).Proof. First note that, by de�nition,1. for each i � j,i � 0, �i(p) � �j(p);2. y 2 �i(x) and x 2 �1(p) implies y 2 �i+1(p).Consider y occurring in a derivative of p. If y occurs in p, then y 2 �1(p) and, by(1), y 2 �n(p) = RD(p). Otherwise, the set of constants C = fx1; : : : ; xkg; k � 1,exists, with xi 6= xj and xi 6= y, for each 1 � i; j � k, such that y 2 �1(pxk),x1 2 �1(p) and, if k > 1, xj 2 �1(pxj�1 ) for j 2 f2; : : : ; kg. By point (2) above,we have that y 2 �k+1(p). Since k < n (y 62 C), then y 2 �n(p) = RD(p). utNote that RD(p) is a super set of the set of constants that actually occur inthe derivatives of p: this means that it may occur that a constant in RD(p) isnot reached in any computation starting from p. However, it is not decidablewhether a constant can be actually reached from p.The De�nition Elimination rule deletes a de�nition, provided that the cor-responding constant is not reachable from p:De�nition Elimination. Let Pk = hD; pi be a program and let D 2 D bethe constant de�nition x def= px. If x 62 RD(p), we eliminate the de�nition of x,obtaining the program Pk+1 = hD � fDg; pi.The following lemma holds:Lemma3. If Pk+1 is obtained from Pk by means of an application of the De�-nition Elimination rule, then, Pk �= Pk+1.Proof. The proof follows from lemma 2.The following rule allows us to perform simple equivalence preserving rewritingsof terms occurring in the constant bodies.Simpli�cation. Let be Pk = hD; pi; D 2 D the constant de�nition x def= pxand q a sub-term of px. If for each D0, hD0; qi �= hD0; q0i, we simplify D in Pk,obtaining the program Pk+1 = h(D � fDg) [ fx def= px[q0=q]g; pi.Lemma4. If Pk+1 is obtained from Pk by means of an application of the Sim-pli�cation rule, then Pk �= Pk+1.Proof. By de�ning a suitable bisimulation.

Note that the property expressed in the rule ensures that the rule itself canbe applied independently from the constant de�nitions of a program. The ruleallows us to use the properties of the CCS operators to simplify the terms. Forexample, we can rewrite pnAnB as pnA [ B or (p + q)nA as pnA + qnA. Aparticular case is the application of the Expansion law when the partners of theparallel composition are weakly guarded.Note that all our transformation rules are applied to the constant de�nitionsof a program hD; pi and not to the term p. We do not lose generality, since we canconsider, instead of a program hD; pi, the equivalent program hD [ fx def= pg; xi,where x is di�erent from all constants occurring in D.3.1 Correctness of the transformation systemIn this section we prove that, by using the rules de�ned in the preceding section,we obtain a sequence of equivalent programs. The proof is built di�erently fromthe proof of analogous theorems for logic programs [18, 25, 27], since it usesbisimulation techniques.The following lemma states that all programs of a transformation sequence,starting from a standard program, are standard.Lemma5. Let be given a transformation sequence fPkg such that P0 is stan-dard; then each pi in fPkg is standard.Proof. By de�nition of the transformation rules.From now we assume transformation sequences such that P0 is standard.Let be given a transformation sequence fPkg. We denote as Di the constantde�nitions of program Pi belonging to the sequence and with pix the body ofconstant x in Di. Moreover, we use �!i instead of �!Di .We will use the following de�nitions. A �-substitution is a substitution [x=pix]or [pix=x], for each x and each i such that x is de�ned in Pi and Pi 2 fPkg. A�-substitution sequence � is a, possibly empty, �nite sequence of �-substitutions.With j�j we denote the length of �. The inverse of a �-substitution [pix=x] is[x=pix] and the inverse of [x=pix] is [pix=x]. Moreover, concatenation between se-quences is represented by juxtaposition and � denotes the empty sequence.The following lemma states that i) the bodies of a same constant in di�erentprograms of a transformation sequence can be transformed into each other by a�-substitution sequence; and ii) the same holds for the immediate derivatives ofthe constants.Lemma6. Let be given Pj and Pk belonging to a transformation sequence fPkgobtained with Unfolding, Guarded Folding and De�nition Introduction. For eachx 2 Dj \Dk, the following holds:

1. a �-substitution sequence �j;kx exists such that pjx�j;kx = pkx;2. x �!j p implies x �!k p�j;kx .Proof. (1) Let be j � k. If S is the sequence of transformation steps leading fromPj to Pk, let S0 be the sub-sequence of S containing Foldings and Unfoldingsmodifying the body of x, i.e. transforming pjx into pkx. We have that �j;kx is thesequence of the �-substitutions made by S0 and �k;jx is the inverse of the sequencecontaining the inverse of the �-substitutions made by S0.(2) �j;kx substitutes only weakly guarded sub-terms of pjx, since Folding is guardedand, by lemma 5, constant occurrences are guarded in each constant body. utFor example, given the following transformation sequence:P0 : hfx def= a:b:x; y def= b:xg; yiP1 : hfx def= a:b:a:b:x; y def= b:xg; yiP2 : hfx def= a:b:a:y; y def= b:xg; yiWe have: �0;2x = [a:b:x=x][y=b:x], and �2;0x = [b:x=y][x=a:b:x]The following lemma is the nucleus of our proof. It shows that a bisimulationexists between any two programs of a transformation sequence. The bisimulationcontains pairs composed of a process p and the process obtained by applying anysubstitution sequence to p.Lemma7. Let be given Pj and Pk belonging to a transformation sequence fPkgobtained with Unfolding, Guarded Folding and De�nition Introduction startingfrom the initial program hD; si. Then, for each j; k, Pj �= Pk.Proof. We de�ne the following set of pairs:S = f(p; p�)j� is a �-substitution sequence gWe are going to show that S is a strong bisimulation relating the states ofSOS(Pj) with those of SOS(Pk). More precisely, if p is a state of SOS(Pj) andp� is a a state of SOS(Pk), then i) p �!j q implies that a �-substitution sequence� exists such that p� �!k q�; and ii) p� �!k q implies that a �-substitution se-quence � exists such that p �!j q0 and q = q0�.The proof is made by induction on the length of �.{ Base. j�j = 0.1. p �!j q. If no constant is derived for executing �, then � = �. Otherwise,let x be the constant executing �. First note that x 2 Dk: in fact p is astate of SOS(Pk) and all programs in the transformation sequence areclosed, by lemma 5. Let �j;kx be the �-substitution sequence as de�ned bylemma 6, point (1). By lemma 6, point (2), if x �!j u, then x �!k u�j;kx .Thus we have � = �j;kx .The case of p �!j q can be proved in a similar way.

2. p �!k q. The proof is similar to that of case 1): either � = � or � = �k;jx .{ Induction step. j�j = n > 0.1. p �!j q. Suppose that � = �0� with j�0j = n � 1 and � = [r=t] is thelast �-substitution of �. By inductive step, we have that �0 exists suchthat p�0 �!k q�0. If t is not used by p�0 for executing � (the minimumsub-term of p�0 producing � is not a sub-term of t), then p�0� �!k q�0�.Otherwise, consider the two possible kinds of �.a. � = [x=pix], i.e. � is executed by the sub-term pix of p�0, i.e.p�0 �!k p�0[u=pix] and pix �!k u. We have pix �!i u, since the constant oc-currences are guarded in each constant body (lemma 5). Thus x �!i uand, by lemma6, point (2), we have x �!k u�i;kx . Thus we have � = �0�i;kx .b. � = [pix=x]. Similar to the previous point with � = �0�k;ix .The case of p �!j q can be proved in a similar way.2. p� �!k q. Similar to the previous case.The initial state, i.e. s, is always the same for all programs of the transfor-mation sequence, since the rules modify only the de�nitions. Thus (s; s) belongsto S (� = �) and thus SOS(Pj ) �= SOS(Pk). utWe are now ready to state the main theorem:Theorem8. Let be given a sequence fPkg, k � 0, of CCS programs each oneobtained from the preceding ones by means of the application of one of all thetransformation rules. Suppose that no rule di�erent from De�nition Eliminationis applied after a De�nition Elimination. Then, for each j; k, Pj �= Pk.Proof. The proof for the pre�x of fPkg starting at P0 and ending at the appli-cation of the �rst Elimination can be done using lemma 7 and lemma 4, whilefor the rest of the sequence it follows from lemma 3. ut4 Examples of applicationWe �rst apply the transformation rules for simplifying the syntactic structure ofCCS programs. In particular, given a program P , the aim of the transformationprocess is to obtain a program, say Q, semantically equivalent to P , in whichthe operators of restriction, relabelling and parallel composition are removed.If we succeed, we have that SOS(Q) is �nite [22], while SOS(P ) may be not�nite. This transformation is meaningful, since most of the existing veri�cationenvironments [1, 7, 13, 14] for CCS-like languages are based on an internal �nitestate representation of the processes, allowing the veri�cation of logical proper-ties and the application of e�cient algorithms to decide whether two processesare bisimilar [2, 16, 17]. Consider the program:P0 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(x j y)nfbg; zi

Note that SOS(P0) is in�nite.We unfold the de�nition of the constant z using the de�nitions of x and y in P0:P2 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:b:xnfcg+ c:x j b:y)nfbg; ziWe apply the Simpli�cation rule (Expansion law) to the constant de�nition z:P3 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:�:(xnfcg j y)nfbg + c:(x j b:y)nfbg); ziWe introduce two constant de�nitions, u and w, and we fold the de�nition ofz using the newly introduced de�nitions:P7 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:u+w);u def= �:(xnfcg j y)nfbg;w def= c:(x j b:y)nfbg; ziWe unfold the de�nitions of the constants u and w using the de�nitions of xand y in P0:P10 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:u+ w);u def= �:((a:b:xnfcg+ c:x)nfcg j b:y)nfbg;w def= c:(a:b:xnfcg+ c:x j b:y)nfbg; ziWe apply, to the constant de�nitions u and w, the Simpli�cation rule: Expansionlaw and the following strong equivalence laws [22]:(p+q)nA �= pnA+qnA, p+nil �= p, pnAnA �= pnA, (�:p)nA �= 8<:�:pnA if �; � 62 Anil otherwiseP11 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:u+ w);u def= �:a:�:(xnfcg j y)nfbg;w def= c:(a:�:(xnfcg j y)nfbg+ c:(x j b:y)nfbg); zi

We fold the de�nitions of the constants u and w using their de�nitions in P7:P14 : h x def= a:b:xnfcg+ c:x;y def= b:y;z def= d:(a:u+ w);u def= �:a:u;w def= c:(a:u+ w); ziWe eliminate the de�nition of the constants x and y, since they are not reachablefrom z, obtaining the �nal program, in which parallel composition, restrictionand relabelling do not occur:P16 : h z def= d:(a:u+ w);u def= �:a:u;w def= c:(a:u+ w); ziIn [11] we have de�ned a strategy, i.e an algorithm specifying the order of ap-plication of the rules, which is proved to be more powerful than many existingmethods for building �nite representations of CCS programs [10, 21, 28] (notbased on program transformation). The strategy cannot be used as a decisionprocedure for the �niteness of CCS programs, since this problem is undecidable.4.1 Proving bisimulation equivalenceAs second example of application of our transformation methodology, we showhow it is possible to prove the equivalence between two CCS programs by trans-forming one into the other. Let us consider the subset of CCS, denoted as BPP[6], not including restriction and relabelling and not allowing communication.It is well-known that for BPP bisimulation equivalence is decidable: in [6] amethod to prove equivalence is shown, using tableaux, which are a kind of prooftree. Consider the following two BPP programs P0 and Q (the example is in [6]):P0 : h x1 def= a:(x1jx4);x4 def= b:nil; x1iQ : h x2 def= a:x3;x3 def= a:(x3jx4) + b:x2;x4 def= b:nil; x2iWe introduce a constant de�nition y1 and we fold the de�nition of x1 of P0using the newly introduced de�nition:P2 : h x1 def= a:y1;y1 def= x1jx4;x4 def= b:nil; x1i

We unfold the de�nition of the constant y1 using the de�nitions of x1 and x4 inP2:P4 : h x1 def= a:y1;y1 def= a:y1jb:nil;x4 def= b:nil; x1iWe apply the Simpli�cation rule, using the Expansion law and the law pjnil �= p[22], to the constant de�nition y1, obtaining:P5 : h x1 def= a:y1;y1 def= a:(y1jb:nil) + b:a:y1;x4 def= b:nil; x1iWe fold the de�nition of the constant y1 using the de�nitions of x1 and x4in P5:P7 : h x1 def= a:y1;y1 def= a:(y1jx4) + b:x1;x4 def= b:nil; x1iwhich is equal (isomorphic) to Q.We are going to investigate the possibility of de�ning a strategy able to decidewhether a BPP program is transformable into another one.5 ConclusionsWe have presented a transformation methodology for CCS, that can be used totransform CCS programs into equivalent ones with a particular structure. Aninteresting aspect of the approach is that it uni�es in a common framework a setof di�erent techniques of program analysis: di�erent applications are based onthe same rules, applied according to di�erent strategies. For example, we haveshown two applications of the methodology: obtaining �nite state representationsof processes and deciding bisimulation equivalence.We remark the novelty of the Guarded Folding rule, which uses the well-known notion of guardedness and is a very general and simple safe folding rulefor CCS. Moreover, the applicability of the rule depends only on a property ofthe program to be folded and not of the entire transformation sequence, as occursfor almost all known folding rules for functional and logic programming. We areactually de�ning strategies, i.e. algorithms de�ning an order of application of therules, with di�erent transformation goals [12].In [20] program transformation rules are de�ned for the LOTOS concur-rent speci�cation language, with the aim of supporting program design. Thisapproach di�ers from our methodology, since we are mainly based on Unfold-

ing and Folding, while this is not the case of [20], where the transformationsessentially consist in manipulations of terms by means of rewriting rules.In [29] transformation rules are de�ned, belonging to an environment for thespeci�cation of PSF programs, using, among others, some kind of unfolding andfolding. However, the notion of transformation sequence is not formalized and noattention is paid to the correctness of folding. In fact, a very restrictive versionof folding seems to be used, allowing using only the de�nitions occurring in theprogram to be folded.As future work, it is interesting to study the feasibility of de�ning transfor-mation rules and strategies which are correct with respect to other semantics forconcurrency, for example, weak bisimulation equivalence instead of strong one.Moreover, transformation rules and strategies can be de�ned to check prop-erties of programs, for example deadlock freeness. In these cases, the programsof the transformation sequence may be not equivalent to each other, since it onlyneeds to keep the property veri�ed.Acknowledgment. We are grateful to Roberto Barbuti for useful commentsand suggestions.References1. T. Bolognesi, M. Caneve. A tool for the analysis of Lotos speci�cations. InK. Turner (ed.) Formal description techniques, pp. 201-216. Amsterdam: North-Holland 1989.2. T. Bolognesi, S. Smolka. Fundamental results for the veri�cation of observationalequivalence: a survey. In Proc. IFIP WG 6.1 7th Conference on Protocol Speci�-cation, Testing and Veri�cation. Amsterdam: North-Holland 1987.3. A. Bossi and N. Cosso. Basic Transformation operations which preserve ComputerAnswer Substitutions of Logic Programs. Bulletin of the EATCS, n.54, October1994, pp.207-223.4. A. Bouali, S. Gnesi, S. Larosa. The integration Project for the JACK Environment.Bulletin of the EATCS, n.54, October 1994, pp.207-223.5. R.M. Burstall, J. Darlington. A Transformation System for Developing RecursivePrograms. J. ACM 24(1): pp. 44-67 (1977).6. S. Christensen, Y. Hirshfeld and F. Moller. Bisimulation is Decidable for all BasicParallel Processes. In Proceedings of CONCUR'93, number 715 in Lecture Notesin Computer Science, pp. 143-157. Springer-Verlag, 1993.7. R. Cleaveland, J. Parrow, B. Ste�en. The concurrency workbench: operating in-structions. Tech. Notes Sussex University, 1988.8. R. Cleaveland, J. Parrow, B. Ste�en. Model Checking and Abstraction. The Con-currency Workbench. Proceedings of Automatic Veri�cation Methods for FiniteState Systems. Lecture Notes in Computer Science 407, Springer-Verlag, 1990, pp.24-37.9. S.K. Debray. Unfold/Fold Transformations and Loop Optimization of Logic Pro-grams. In Proceedings of SIGPLAN '88, Conference on Programming LanguageDesign and Implementation. Atlanta, Georgia, SIGPLAN Not. 23(7): pp. 297-307(1988).

10. N. De Francesco, P. Inverardi. Proving Finiteness of CCS Processes by Non-standard Semantics. Acta informatica, vol.31, n.1, 1994, pp. 55-80.11. N. De Francesco, A. Santone. A Program Transformations Methodology for CCS.In Proceedings of the Fifth Italian Conference of Theoretical Computer Science,Ravello, Italy, November 1995.12. N. De Francesco, A. Santone. Transforming Concurrent Processes. Internal ReportIR-2/94, Dipartimento di Ingegneria dell'Informazione, Univ. of Pisa.13. R. De Simone, D. Vergamini. Aboard AUTO. INRIA Technical Report 111, 1989.14. J. Fernandez.: Aldebaran. Un system de veri�cation par reduction de processuscommunicantes. Ph.D. Thesis, Universit�e de Grenoble, 1988.15. P.A. Gardner and J.C. Shepherdson. Unfold/Fold Transformations of Logic Pro-grams. in Computational Proofs: Essays in honour of G. Robinson (1991).16. J.F. Groote, F.W. Vaandrager. An e�cient algorithm for branching bisimulationand stuttering equivalence. In M. S. Paterson (ed.) Automata, languages and pro-gramming. Proceedings (Lect. Notes Comput. Sci., vol 443, pp. 626-638) Berlin,Heildelberg, New York: Springer 1990.17. P.C. Kanellakis, S.A. Smolka. CCS Expressions, �nite state processes and threeproblems of equivalence. Inf. Comput. 86 (1990).18. T. Kawamura and T. Kanamori. Preservation of stronger equivalence in unfold/foldlogic program transformation. In Theoretical Computer Science, vol. 75, pp.139-156 (1990).19. L. Kott. About Transformation System. A Theoretical Study, 3�eme Colloque In-ternational sur la Programmation, Dunod, Paris, 1978, pp. 232-247.20. Catalogue of LOTOS Correctness Preserving Transformations. ESPIT Project,Final Deliverable, April 1992.21. E. Madelaine, D. Vergamini. Finiteness conditions and structural construction ofautomata for all process algebras. In Proceedings, 2nd Workshop on Computer-Aided Veri�cation. DIMACS Technical report 90-31, June 1990.22. R. Milner. Communication and Concurrency. Prentice-Hall, 1989.23. A. Pettorossi, M. Proietti. The Loop Absorption and The Generalization Strategiesfor the Development of Logic Programs and Partial Deduction. Journal of LogicProgramming 1993, 16, pp. 123-161.24. A. Pettorossi, M. Proietti. Rules and Strategies for Program Transformation. InState-of-the-Art. Report on Formal Program Development, Rio de Janeiro, Brazil.Lecture Notes in Computer Science 755, Springer, New York, 1993, pp. 263-304.25. A. Pettorossi, M. Proietti. Transformation of Logic Programs: Foundations andTechniques. In J. Logic Programming 1994, 19,20: pp.261-320.26. A. Takeuchi. A�nity between Meta Interpreters and Partial Evaluation. In H.J.Kugler (ed.), Proceedings of Information Processing '86. North-Holland, Amster-dam, 1986, pp. 279-282.27. H. Tamaki, T. Sato. Unfold/Fold Transformation of Logic Programs. In:S.-�A. T�arnlund (ed.), Proceedings of the 2nd International Conference on Logic Pro-gramming, Uppsala, Sweden, 1984, pp.127-138.28. D. Taubner. Finite representations of CCS and TCSP programs by automata andPetri nets. Lecture Notes in Computer Science, vol. 369. Berlin, Heidelberg, NewYork: Springer 1989.29. G. Veltink. The PSF toolkit. Computer Networks and ISDN Systems, North Hol-land, 25, pp. 875-898 (1993).This article was processed using the LATEX macro package with LLNCS style