Science of Computer Programming

Transcription

1 Science of Computer Progrmming 81 (2014) 3 52 Contents lists vilble t ScienceDirect Science of Computer Progrmming journl homepge: CSP-bsed counter bstrction for systems with node identifiers Tomsz Mzur, Gvin Lowe Deprtment of Computer Science, University of Oxford, Wolfson Building, Prks Rod, Oxford OX1 3QD, United Kingdom h i g h l i g h t s We consider the Prmeterised Model Checking Problem for CSP. Systems re built from similr node processes, which my use one nother s identities, embedded in context. We build bstrct models for this sitution, using the technique of counter bstrction. We show these models form bstrctions of the considered systems, in both the trces nd stble filures models. We show how this cn be used to deduce correctness of the considered systems. r t i c l e i n f o b s t r c t Article history: Received 7 September 2011 Received in revised form 13 August 2012 Accepted 28 Mrch 2013 Avilble online 19 April 2013 Keywords: Model checking PMCP Type reduction CSP Counter bstrction The Prmeterised Model Checking Problem sks whether n implementtion Impl(t) stisfies specifiction Spec(t) for ll instntitions of prmeter t. In generl, t cn determine numerous entities: the number of processes used in network, the type of dt, the cpcities of buffers, etc. The min theme of this pper is utomtion of uniform verifiction of subclss of PMCP with the prmeter of the first kind, i.e. where it determines the number of processes used in network. We use CSP s our formlism. Counter bstrction is technique tht replces concrete stte spce by n bstrct one, where ech bstrct stte is tuple of integer counters (c 1,..., c k ) such tht for ech i, c i counts how mny node processes re currently in the i-th stte. Ech counter c i is given finite threshold z i nd we interpret c i = z i s there being z i or more processes in the i-th stte. Stndrd counter bstrction techniques require ll processes to be identicl, which mens tht nodes cnnot use node identifiers. In this pper we present how counter bstrction techniques cn be extended to processes tht mke use of node identifiers in symmetricl wy. Our method cretes process Abstr tht is independent of t nd is refined by φ(impl(t)) for ll sufficiently lrge T, where φ mps ll (sufficiently lrge) instntitions T of the prmeter to some fixed type. By trnsitivity of refinement, testing if Abstr refines Spec(φ(t)) implies tht Spec(φ(t)) is refined by φ(impl(t)). Then, using the type reduction theory from Mzur nd Lowe (2012) [29], we cn deduce tht Spec(T) is refined by Impl(T) for ll sufficiently lrge T, thus obtining positive nswer to the originl verifiction problem Elsevier B.V. All rights reserved. 1. Introduction It is often the cse tht either specifictions or implementtions of systems contin free vribles. These free vribles cn be prmeters tht ffect the topology of the system (e.g. the number of nodes in network or the number of users of Corresponding uthor. E-mil ddresses: tomsz.mzur@gmil.com (T. Mzur), gvin.lowe@cs.ox.c.uk (G. Lowe) /$ see front mtter 2013 Elsevier B.V. All rights reserved.

2 4 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 system), the types of dt vribles (e.g. dt types of dtbse records or memory contents), performnce prmeters (e.g. bndwidths, response times, clock speeds), or cpcities of buffers or queues used. Given prmeterised pir Spec nd Impl, the Prmeterised Verifiction Problem (PVP) sks whether Impl cn be uniformly verified ginst Spec, i.e. does Impl stisfy Spec for ll instntitions of the prmeters. The Prmeterised Model Checking Problem (PMCP) is subclss of PVP, where the verifiction is done vi model checking [6,7,9,10,1]. PMCP is, in generl, undecidble [2], s the Hlting Problem cn be shown to reduce to it. Therefore, we focus on sound, but incomplete, verifiction methods. Our formlism is CSP [17,34,37]; see Section 2. In this pper we concentrte on subclss of PMCP, where specifictions nd implementtions contin single prmeter t, clled the distinguished type, which denotes the type of identities of node processes running concurrently to form network, possibly within some lrger system. More precisely, every fmily of implementtions tht we consider is of the form 1. Impl(t) = C t myid t [A(myId, t)] NmyId (t), where N myid (t) models single, finite-stte node with identity myid nd tht cn receive, store nd send node identities from t; A(myId, t) is the set of ll visible events tht N myid (t) cn communicte (its lphbet); C t [ ] is some CSP context, for exmple tht plces nodes in prllel with controller (possibly prmeterised by t) nd hides some communiction. Our im, then, is to verify tht for ll sufficiently lrge instntitions T of t: Spec(T) Impl(T), where Spec(t) is suitble specifiction process. (Here S I is the norml CSP refinement reltion: every behviour of I is behviour of S; see Section 2.2.) Throughout this pper we ssume tht every instntition T of type t is non-empty nd finite. In ddition, without loss of generlity, we ssume tht every instntition T is n initil segment of the nturl numbers, i.e. of the form {0.. n 1} for some n 1. Our results nd techniques extend to other finite types T of size n vi simple bijections from {0.. n 1} to T. We llow processes to contin other prmeters in their syntx, but their vlues must be known nd fixed t the time of writing the process definition, or n dditionl technique for hndling prmeters (e.g. dt independence [20,34]) must be used for complete correctness nlysis. In this pper we tckle this uniform verifiction problem using the technique of counter bstrction [31]. Briefly, the min ide is to replce the concrete stte spce by n bstrct stte spce, where ech stte is tuple of integer counters (c 1,..., c k ) such tht for ech i, c i counts how mny node processes re currently in the i-th stte. This my be extended by plcing threshold z i on ech counter c i tht determines the mximum ttinble vlue for every counter: if the vlue of the i-th counter reches the corresponding threshold z i, then we interpret this s there being z i or more processes in the i-th stte. We give more detiled introduction in Section 3. In [28] we described how to pply counter bstrction to CSP. In tht pper in common with most other pproches to counter bstrction we ssumed tht ll node processes were identicl, nd so node s behviour could not depend on its identity. This is quite severe restriction s it mens tht node process my not use chnnels prmeterised by its nme: but in most pplictions we would like to llow node i to use chnnel such s c.i to communicte with the outside world, or chnnel d.i.j to communicte with nother node j. The min contribution of this pper is to lift this restriction: we llow node process to send, receive nd store its own identity nd identities of other node processes (treting those identities symmetriclly). This mkes counter bstrction somewht more difficult: if node s behviour depends on its identity, then (t lest initilly) no two nodes cn be in precisely the sme stte; hence nïve pproch to counter bstrction would men tht the number of counters depends upon the number of nodes, mking uniform verifiction impossible. Our pproch is to build t-independent bstrction process Abstr tht cptures the behviours of ll the Impl(T) processes, in sense tht we now explin. The lphbets of Impl(T) re (in generl) unbounded s function of T ; however, the lphbet of Abstr needs to be fixed. Therefore, the construction of Abstr must collpse T to some fixed type ˆT = {0.. B} for some non-negtive integer B, treting ll identities in {0.. B 1} fithfully, but mpping ll other identities onto B. More precisely, for ll sufficiently lrge instntitions T of type t, Abstr is such tht 2 Abstr φ(impl(t)) holds by construction, where φ is B-collpsing function: (1) (2) 1 The process i I [A(i)]P(i) denotes the prllel composition of the processes P(i) for i I, where A(i) is the lphbet of P(i), nd where nodes synchronise on ll events in common between their lphbets; see Section 2. 2 The process f (P) is process tht cts like P, except every event is renmed to f (); see Section 2.

3 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) Definition 1. A B-collpsing function is function φ : T {0.. B} such tht φ(v) = v for v {0.. B 1}; φ(v) = B for v {B.. #T 1}. Defining this bstrction nd proving Eq. (2) will be the focus of most of this pper. Hence our overll construction employs two distinct bstrction techniques: The bstrction of node identities, collpsing them to some fixed type; The thresholds plced upon the counters. Hving constructed such n Abstr, we cn use CSP model checker, such s FDR [13], to verify tht Spec(ˆT) Abstr. Trnsitivity of refinement then llows us to deduce tht Spec(ˆT) φ(impl(t)) for ll sufficiently lrge T. The type reduction theory from [27,29] llows us to bridge the gp between (1) nd (3). Under suitble ssumptions on the specifiction nd implementtion processes, the theory llows us to clculte suitble vlue for B such tht if Eq. (3) holds (for the vlues of φ nd ˆT corresponding to B), then Eq. (1) holds for ll T such tht #T > B (smller vlues of T cn be tested directly). The rest of this pper is structured s follows. In Section 2 we introduce the syntx of the CSP process lgebr, describe two of its denottionl semntics models (trces nd stble filures) nd briefly tlk bout FDR, model checker for CSP. Section 3 introduces the ide of counter bstrction. In Section 4 we stte our ssumptions nd definitions, nd provide some generl observtions; in pssing, we note tht the verifiction problem is undecidble in generl. Section 5 presents n extension of stndrd counter bstrction techniques to processes tht use node identifiers; we consider only processes tht contin no equlity tests on t in this section. We prove tht the bstrct model forms n ntirefinement of the prllel composition of ll node processes, renmed under φ. Unfortuntely, the obtined models re still dependent upon T. In Section 6 we present n improved bstrction technique, which produces bstrct models independent of T, by using threshold functions tht limit the rnge of vlues tht counters within bstrct models cn ttin. We prove tht threshold-bsed counter bstrction models form nti-refinements of φ-renmed prllel compositions of ll nodes, thus estblishing (2). Section 7 presents results nlogous to those from Sections 5 nd 6, but for processes tht might contin equlity or inequlity tests on t. In Section 8 we extend our results to implementtions in which node processes run in prllel with controller process, possibly with some communiction hidden. We lso link these result with the type reduction theory from [29] to llow us to perform single refinement check in order to deduce refinement of infinitely mny specifiction/implementtion pirs. In Section 9 we describe TomCAT, tool tht helps with utomtion of the bstrct model building process; we lso present smll exmple to illustrte how the theory cn be pplied in prctice, nd briefly review student project [25] tht used these techniques, nd outline the lessons lernt from tht project. We conclude, review relted work nd give n overview of future work in Section 10. For ese of reding, we relegte most of the proofs nd severl stepping-stone lemms in ppendices. We present results for both the trces nd stble filures models of CSP. However, it turns out tht the results for stble filures often require dditionl conditions or ssumptions. 2. Introduction to CSP CSP [17,34,37] is process lgebr used for modelling nd verifiction of concurrent rective systems with communiction bsed on synchronous messge pssing. CSP processes interct with ech other, nd the environment within which they operte, by communicting events. We let Σ be the set of ll visible events. We let τ denote specil, internl event (not in Σ), nd write Σ τ to men Σ {τ}. We lso write Σ to men the set of ll finite sequences of events from Σ. Events occur on chnnels; for exmple, c..3 is n event over chnnel c, pssing dt nd 3. We ssume tht ech chnnel hs fixed type (i.e. cn pss fixed number of pieces of dt, nd the type of the dt pssed in ech position is fixed). The nottion { c } represents the set of events pssed over chnnel c Syntx In this pper we use the frgment of CSP with the following syntx. P ::= STOP α P P P P P P P if b then P else P N P \ X P R P X Y P i I [A(i)] P(i) P P X STOP is dedlocked process, i.e. it cnnot perform ny events. (3)

4 6 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 The process α P cn perform ny event tht the construct α describes, nd then subsequently behves like P. The construct α is n expression of the form cğ 1 x 1 :X 1... ğ k x k :X k, where c is chnnel nme; ğ i {$,?,!} is n input/output symbol 3 ; if ğ i {$,?}, then x i is n input vrible, otherwise it is n output vlue; if ğ i {$,?}, then X i is type prmeter or type of input, otherwise it is null. The! symbol denotes n output;? denotes n input; $ denotes nondeterministic choice (which we sometimes cll nondeterministic input). The? nd $ opertors both bind vribles to concrete vlues. For exmple, the process c$x:{0, 1}?y:{2, 3}!4 d!(x+y) STOP nondeterministiclly chooses vlue v {0, 1} nd binds the vrible x to tht vlue; it is then willing to perform ny event of the form c.v.w.4 for w {2, 3}, nd binds the vrible y to the vlue w; it then performs the event d.(v+w), nd dedlocks. For constructs where ğ i =! for every i, we use the more trditionl. output symbol insted, e.g. we write c.v 1.v 2.v 3 to men c!v 1!v 2!v 3. Whenever X i is null, we omit it in prctice, e.g. we write c!v insted of c!v:null. The only wy process cn communicte visible event is vi prefix construct. For two processes P nd Q, the externl (or deterministic) choice P Q is process tht offers the environment the choice of performing ny initil event of P or Q ; if n initil event of P is performed, then the choice is resolved to P, nd if n initil event of Q is performed, then the choice is resolved to Q. P Q represents n internl (or nondeterministic) choice, where the process behves either like P or like Q, where the choice is mde by some mechnism tht we do not model nd which cnnot be influenced by the environment. The sliding choice (or timeout) P Q is process tht behves like P for nondeterministiclly long period of time, but if the environment does not engge in ny ctivity with P within this time, it switches to behving like Q. The process if b then P else Q is conditionl choice between processes P nd Q. If b evlutes to True, then this process behves like P; otherwise it behves like Q. In exmples, we use b & P s syntctic sugr for if b then P else STOP, i.e. P is enbled if nd only if gurd b is true. We sy conditionl choice on t to men conditionl choice whose boolen condition involves only vribles nd/or vlues of type t. Processes re often defined using recursive equtions, e.g. P = Q, Q = b P. The term N represents nme, bound to some CSP syntx by such definition. For ny set X Σ, P \ X is process which behves like P except tht whenever P would normlly communicte n event from set X, P \ X performs the internl ction, τ, insted. The process P R, where R is reltion over Σ, is process tht behves like P except tht whenever P would perform n event, the renmed process performs n event b such tht R b insted. We sometimes define the renming reltion using substitution nottion: P b / is process tht behves like P except tht whenever P would normlly perform, the renmed process performs b insted. If R is function, we sometimes write the renming using functionl nottion, R(P). The notion of prllel composition of processes is key to CSP, llowing one to model concurrency. The process P X Y Q is prllel composition of P nd Q, where P is llowed to communicte only members of the set of visible events X, Q is llowed to communicte only members of the set of visible events Y, nd synchronistion occurs on ll common events (i.e. those in X Y ). We cn define its replicted version: i I [A(i)] P(i) is the prllel composition of processes P(i) indexed over finite, non-empty set I, where ech P(i) is llowed to perform only events from A(i), nd synchronises on event e A(i) with ech process P(j) such tht e A(j). The process P Q is the prllel composition of P nd Q with X hndshken synchronistion on ll the members of the set of visible events X. Finlly, P Q is the interleving of P nd Q : the processes run in prllel, but do not synchronise on ny event; we consider this s syntctic sugr for P Q. {} In exmples, we my use replicted versions of the externl choice, internl choice nd interleving opertors: i I P(i), i I P(i), nd i I P(i), respectively. In ech cse I in some finite indexing set (non-empty in the cse of internl choice); we consider these s syntctic sugr for repeted use of the binry opertor. So fr we hve used the term process loosely. We now mke n importnt distinction between process syntxes (lso clled process definitions) nd concrete processes. A process syntx is n open CSP term (i.e. one with free vribles). On the other hnd, every closed CSP term represents process. For exmple, if Proc(t) is term where t is free, then it is process syntx; it represents fmily of processes Proc(T), one for ech concrete instntition T Semntics CSP cn be given n opertionl semntics. We write P Q to men tht process P cn perform event Σ τ nd then behve like process Q. We give few opertionl semntics rules in Appendix A for lter reference. Also, given sequence of events s (Σ τ ) s, we write P Q to men tht P cn perform the sequence s to become Q. Finlly, given sequence tr Σ tr of visible events, we write P = Q to men tht there is some s (Σ τ ) such tht s s \ {τ} = tr nd P Q. We sy tht tr is trce of P. We write trces(p) for the trces of P. 3 Stndrd CSP commonly lso uses the. symbol, but this is only syntctic sugr nd cn lwys be replced by one of $,?,!.

5 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) Given trce tr nd set of events X, we sy tht (tr, X) is stble filure of P if P cn perform tr to rech stble stte Q tr (i.e. where no τ -trnsition is vilble), nd refuse X (i.e. no event from X is vilble); formlly P = Q nd Q ref X, where: Q ref X x X {τ} Q. x We write filures(p) for the stble filures of P. The trces nd stble filures of CSP processes cn lso be obtined using congruent denottionl semntics rules, which cn be found, for exmple, in [34, Chpter 8]. CSP specifictions re expressed in the sme formlism s implementtions, i.e. s processes. An implementtion Impl is sid to stisfy specifiction Spec if it refines it, which we denote by writing Spec Impl. Intuitively, process Q refines process P (or P is refined by Q ) if Q does not exhibit ny behviour tht is not behviour of P. In the trces nd stble filures models refinement is defined by: P T Q P F Q trces(q ) trces(p), trces(q ) trces(p) filures(q ) filures(p). If P M Q nd Q M P, where M is either T or F, then we sy tht P nd Q re equivlent in model M, denoted P M Q. Exmple 2. Let Then P = P b P, Q 1 = STOP, Q 2 = STOP, Q 3 = Q 3, Q 4 = b STOP. trces(p) = {,, b,,,,, b,,,,...}, trces(q 1 ) = { }, trces(q 2 ) = {, }, trces(q 3 ) = {,,,,...} trces(q 4 ) = {,,, b }. Hence, P T Q 1, P T Q 2 nd P T Q 3, but P T Q 4. Further, (, {, b}) filures(q 1 ) filures(p), (, {}) filures(q 2 ) filures(p), so P F Q 1 nd P F Q 2. However (ssuming Σ = {, b}) so P F Q 3. filures(q 3 ) = {( n, X) n N, X {b}} filures(p), The FDR (Filures/Divergences Refinement) model checker [13] llows one to utomticlly perform refinement checks. When CSP script with process definitions, sy P nd Q, is loded, FDR cn utomticlly test for refinements P T Q nd P F Q. 3. Introduction to counter bstrction Counter bstrction is simple nd well-known bstrction method. In its generl form, it is specil cse of predicte bstrction [12,15,19], which, in turn, is specil cse of finitry bstrction [18], frmework for trnsforming infinite-stte systems into finite-stte bstrctions. Counter bstrction pplies to uniform verifiction problems where the prmeter specifies how mny similr node processes re present in the system. The min ide is to replce the concrete stte spce by n bstrct stte spce, where ech stte is tuple of integer counters (c 1,..., c k ) such tht for ech i, c i counts how mny node processes re currently in the i-th stte. This is clled counter bstrction with unbounded counters (or counter bstrction without thresholds). Such bstrct models still depend on the number of nodes present in the system, so they re not suitble for use in uniform verifiction. However, they help reduce the effects of the globl stte explosion problem, becuse symmetriclly equivlent globl sttes re identified. In this pper we use counter bstrction with thresholds, which extends bsic counter bstrction with (often constnt) threshold function tht determines the mximum ttinble vlue for every counter. If the vlue of the i-th counter reches the corresponding threshold, z i, then we interpret this s there being z i or more processes in the i-th stte. Abstrct models creted in such wy from systems of sufficiently lrge size (t lest of some size N clculted by the theory) re independent of the number of node processes. This mens tht single refinement check solves the verifiction problem for ll vlues of the prmeter (except for those of size less thn N). In [28] we showed how one cn use counter bstrction in uniform verifiction of prmeterised systems, where: the specifiction is independent of T ; ll node processes re identicl, so, in prticulr, they cnnot use node identifiers; nd the nodes run in n interleving (i.e. they do not synchronise with ech other). The obtined bstrct model Abstr is such tht Abstr Impl(T)

6 8 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 for ll sufficiently lrge T by construction. Then, checking for single refinement, Spec Abstr, using model checker, like FDR, combined with smll number of direct refinement checks for smll T, llows us to conclude tht Spec Impl(T), for ll T. Unfortuntely, in most systems node processes use node identifiers, nd pss those identifiers in events. The biggest problem this cretes is tht the lphbets of processes become unboundedly lrge. The rest of this pper ddresses this issue by extending the stndrd counter bstrction methods to systems tht mke use of node identifiers. We give here simple exmple (lso given in [29]), to illustrte counter bstrction nd the problem we re ddressing in this pper. Consider very simple token-bsed mutul exclusion protocol for collection of nodes. Ech node i obtins the token (event gettoken.i), enters the criticl section (event entercs.i), leves the criticl section (event levecs.i), nd returns the token (event returntoken.i): Node(i) = gettoken.i Entering(i), Entering(i) = entercs.i CS(i), CS(i) = levecs.i Leving(i), Leving(i) = returntoken.i Node(i). The nodes re interleved; recll tht we use the vrible t to denote the type of ll node identities: Nodes(t) = i : t Node(i). The nodes re combined with controller tht controls the token, repetedly giving it to node nd receiving it bck. The communictions corresponding to pssing the token re considered internl so re hidden. Controller(t) = gettoken?i:t returntoken?j:t Controller(t), Impl(t) = (Nodes(t) Controller(t)) \ { gettoken, returntoken }. { gettoken,returntoken } We would like to verify tht t most single node is in the criticl section t time. We cn cpture this using the specifiction process Spec(t) = entercs$i:t levecs!i Spec(t). Our requirement, then, is Spec(T) T Impl(T), for ll instntitions T of t. (4) The pproch tken in this pper is to form n bstrction of Nodes(t) bsed on counter bstrction. In the process NodesAbst(n, e, c, l), below, the four counter prmeters n, e, c nd l represent the number of nodes in the Node, Entering, CS nd Leving sttes, respectively. We cp ech of the prmeters t the vlue z = 2; hence, counter vlue of 2 represents tht there re 2 or more processes in the corresponding stte. The definition of NodesAbst, below, is bsed on the trnsitions within single Node process. For most trnsitions, the counter for the prior Node stte is decremented, nd the counter for the new stte is incremented, but not beyond z; we define the following function to perform this: inc(x) = min(x + 1, z). However, if the counter for the prior stte ws t the cp z, then there might hve been strictly more thn z processes in this stte before the trnsition, so the counter should (nondeterministiclly) be ble to sty t z. NodesAbst(n, e, c, l)(t) = (n > 0 & gettoken$i:t if n < z then NodesAbst(n 1, inc(e), c, l)(t) else NodesAbst(n 1, inc(e), c, l)(t) NodesAbst(n, inc(e), c, l)(t)) (e > 0 & entercs$i:t if e < z then NodesAbst(n, e 1, inc(c), l)(t) else NodesAbst(n, e 1, inc(c), l)(t) NodesAbst(n, e, inc(c), l)(t)) (c > 0 & levecs$i:t if c < z then NodesAbst(n, e, c 1, inc(l))(t) else NodesAbst(n, e, c 1, inc(l))(t) NodesAbst(n, e, c, inc(l))(t))

7 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) (l > 0 & returntoken$i:t if l < z then NodesAbst(inc(n), e, c, l 1)(t) else NodesAbst(inc(n), e, c, l 1)(t) NodesAbst(inc(n), e, c, l)(t)). We cn then build Abst from NodesAbst(z, 0, 0, 0) in the sme wy tht we built Impl from Nodes: Abst(t) = (NodesAbst(z, 0, 0, 0)(t) { gettoken,returntoken } Controller(t)) \ { gettoken, returntoken }. In this pper we show tht the process built in this wy is n bstrction of the Impl process in the following sense: for every non-negtive integer B: Abst( ˆT) T φ(impl(t)), for ll instntitions T of t with #T B + z, where ˆT = {0.. B}, nd φ is B-collpsing function (see Definition 1). We pick B = 1 in this cse. We cn then use FDR to verify tht Spec( ˆT) T Abst( ˆT), nd so deduce Spec( ˆT) T φ(impl(t)), for ll instntitions T of t with #T B + z = 3, by trnsitivity of refinement. The results in [29] will llow us to deduce our requirement (4) from this. We stress, though, tht the technique in this pper is rther more generl thn the bove exmple illustrtes. The technique llows node processes to store the identities of other nodes, nd to pss them on in subsequent events; much of the difficulty of the theory concerns treting these identities correctly. 4. Preliminries For the rest of this pper we let B be fixed, non-negtive integer. B will be prmeter used in the construction of bstrct models, where it will describe the number of node processes tht re modelled explicitly; we will explin the resons for this in Section 5. As mentioned in the Introduction, we will combine counter bstrction techniques with the type reduction theory from [29]. Recll tht the type reduction theory produces vlue B such tht if Eq. (3) holds (for the vlues of φ nd T corresponding to B), then Eq. (1) holds for ll T such tht #T > B. In our finl theorem (Theorem 43) we will choose B to be the vlue given by the type reduction theory (Theorems 6.4 nd 6.11 from [29], reproduced s Theorems 42 nd 50 of the current pper). Throughout this pper, we will often require sets to be regulr with respect to the distinguished type, in the sense defined s follows. Definition 3. We define the set definition {c.x 1... x n x 1 X 1 (t),..., x n X n (t)}, where c is some chnnel nme, to be simply polymorphic in t if x 1,..., x n re ll distinct, nd for ech i in {1.. n}, either X i (t) = t or X i (t) is independent of t. In ddition, we define the union of ny number of set definitions tht re simply polymorphic in t nd tht use distinct chnnel nmes to be polymorphic in t Conditions on processes In [29] we defined number of conditions for processes to stisfy nd presented number of relted results nd remrks, which we will use throughout this pper. We recll these definitions below for convenience. In Section 9.1 we will describe tool support, which includes utomted tests for the relevnt properties. Intuitively, we sy tht process syntx trets type t dt independently if it inputs nd outputs vlues of type t, possibly storing them for lter use, but does not perform ny opertions on these vlues tht could influence either its control flow or the instntitions of type t tht cn be used. Definition 4. We sy tht CSP process syntx is dt independent with respect to type t if it does not contin: (i) replicted constructs indexed over ny set depending on t, except for replicted nondeterministic choice ( ) indexed over the whole of t; however, we llow the use of deterministic nd nondeterministic input selections,? nd $, over t; (ii) conditionl choices on t, except for equlity nd inequlity tests; (iii) constnts of type t; (iv) functions whose domins or co-domins involve type t; (v) opertions on t, including polymorphic opertions, (e.g. tupling or lists); (vi) selections from sets involving t, unless the selection is over the whole of t; nd (vii) ny opertions tht would extrct informtion bout t, e.g. crd(t). Exmple 5. The Node(i), Controller(t) nd Spec(t) processes from Section 3 re dt independent in t. However, Nodes(t) is not dt independent becuse it uses n indexed interleving over t. (5)

8 10 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 Remrk 6. Cluses (v) nd (vi) of Definition 4 together imply tht, for ll constructs cğ 1 x 1 :X 1... ğ k x k :X k of given dt independent process syntx, ech X i is either type not relted to t or precisely the type prmeter t, unless ğ i =!, in which cse X i = null. We will require tht ech node process stisfies the condition Seq. Definition 7. A process syntx Proc(t) stisfies Seq if (i) it is dt independent; (ii) it is sequentil nd contins no renming or hiding; (iii) it contins no replicted externl or nondeterministic choice (but we do llow deterministic nd nondeterministic selections through the use of the? nd $ symbols); (iv) ll gurds of conditionl choices within Proc(t) contin either only vribles of type t, or only vribles nd vlues of types other tht t; (v) in (binry or replicted) externl nd sliding choices, Proc(t) contins no nme clshes between type t nondeterministic-selection vribles of one rgument nd free vribles of nother rgument, e.g. c$x:t STOP d.x STOP is not llowed; (vi) constructs of Proc(t) do not contin multiple occurrences of the sme input vrible of type t, e.g. c!x!x nd c?x:x!x for X not relted to t re llowed, but c$x:t?x:t nd c?x:t!x re not. Note tht cluses (ii) nd (iii) men tht Seq processes re tken from those with syntx P ::= STOP α P P P P P P P if b then P else P b & P N. As rgued in [29], nerly ll dt independent processes cn be rewritten into form tht stisfies Seq; for exmple, lgebric lws from [34] cn be used to eliminte prllel composition, renming nd hiding, so s to ensure cluse (ii) is stisfied. The only cluse tht does slightly restrict expressiveness is cluse (vi). However, the Seq property plces restrictions on the wy tht processes re presented. When working with specifiction processes, it is desirble to ensure their clrity nd conformnce to certin stndrd (normlity), to mke nlyses of their behviours esier. The SeqNorm condition, defined below, chieves this without mjor expressiveness reduction. We begin with n uxiliry definition. Given sequentil, dt independent process syntx P, we define Chnnels(P) to be the set of chnnel nmes of the initil constructs of P. Formlly, Chnnels(STOP) = {}, Chnnels(cğ 1 x 1 :X 1... ğ k x k :X k P) = {c}, Chnnels(P Q ) = Chnnels(P) Chnnels(Q ), Chnnels(P Q ) = Chnnels(P) Chnnels(Q ), Chnnels(P Q ) = Chnnels(P) Chnnels(Q ). Definition 8. A process syntx Proc(t) stisfies SeqNorm if it stisfies Seq, nd in ddition for ll externl choices P(t) Q (t), internl choices P(t) Q (t) nd sliding choices P(t) Q (t) within Proc(t) we hve tht Chnnels(P(t)) Chnnels(Q (t)) = {}; every conditionl choice on t in P(t) nd Q (t) is fter prefix. Throughout this pper we ssume tht ll specifictions stisfy SeqNorm. The first cluse does restrict expressiveness. It bns processes such s c!x P c!y Q. This is necessry to ensure tht unique construct gives rise to ech event (fter given trce), nd tht process reches unique stte fter prticulr trce; for exmple, without this condition, the bove process could perform the event c.0 resulting from either construct (ssuming x nd y hve vlue 0), nd could rech either stte P or Q fter this event. If prticulr process syntx fils SeqNorm becuse of the second subcluse of cluse (iv), then the following lgebric lws cn be used to convert it to n equivlent process definition, stisfying this subcluse: P (if b then Q else R) if b then (P Q ) else (P R), (if b then Q else R) P if b then (Q P) else (R P), where is one of, or. Thus, most processes cn be rewritten into form tht stisfies SeqNorm. (A similr observtion bout the relted Norm condition is mde in [34, Section 15.2].) Indeed, we re not wre of ny specifiction used in prctice tht cnnot. Conditionl choices ply n importnt role in control flow of processes. We introduce condition tht bns equlity tests on t (i.e. tests of the form x = y where x nd y re vribles of type t), nd so bns conditionls on t ltogether. Definition 9. A sequentil process syntx Proc(t) stisfies condition NoEqT t if it does not possess ny equlity or inequlity tests on t. Throughout this pper we ssume tht ll specifictions stisfy NoEqT t. In Sections 5 nd 6 we ssume tht the node processes stisfy NoEqT t ; we relx this ssumption in Section 7.

9 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) The syntctic condition PosConjEqT formulted by Lzić in [20, Chpter 3] specifies tht for conditionl choice with n equlity test on t, the positive brnch is prefix nd the negtive brnch is simply STOP. The following is slight generlistion. Definition 10. We sy tht process syntx Proc(t) stisfies PosConjEqT T if for every conditionl choice on t of the form if cond then P(x 1,..., x k ) else Q (x 1,..., x k ) within Proc(t), we hve tht cond is positive conjunction of equlity tests on t (which gives rise to the nme of the condition); nd P(v 1,..., v k ) T Q (v 1,..., v k ) for ll vlues v 1,..., v k. In Section 8 we will consider the composition of the nodes with controller tht stisfies PosConjEqT T. Informlly, process syntx stisfies the TypeSym condition if the behviours of ech of its concretistions re invrint under permuttions of vlues of prmeter instntitions. The following expresses this formlly. Definition 11. A process syntx Proc(t) stisfies TypeSym if for every T nd every bijection π : T T, Proc(T) nd Proc(T) π(e) / e e Σ re bisimilr. Semntic definitions, like the one bove, tend to be hrd to check efficiently. The following result, from [29], provides sufficient syntctic conditions for TypeSym. Proposition 12. A process syntx Proc(t) stisfies TypeSym if it uses no (i) constnts of type t; (ii) opertions on type t, including polymorphic opertions (e.g. tupling or lists); (iii) functions whose domins or co-domins involve type t; (iv) selections or indexing from sets involving t, unless the selection or indexing is over the whole of t, except this restriction does not pply to the lphbets of nodes in prllel composition indexed over t; nd (v) conditionl choices on t, except for equlity nd inequlity tests. Remrk 13. Item (iv), bove, llows tht in prllel composition of the form i t [A(i, t)] P(i, t), the lphbets A(i, t) cn depend upon i in firly generl wy, for exmple A(i, t) = {send.i.j.k, send.j.i.k j t {i}, k t {i, j}}. Exmple 14. The Nodes(t) nd Impl(t) processes from Section 3 stisfy TypeSym. Definition 15. The implementtions we consider in this pper re of the form where Impl(t) = (Nodes(t) \ X(t)) Ctrl(t) \ Z(t), (6) Y(t) Nodes(t) is of the form myid t [A(myId, t)] NmyId (t); N myid (t) models single, finite-stte node with identity myid nd with wreness of ll node identities in t; we ssume tht N myid (t) stisfies Seq, nd never chnges the vlue of myid (i.e. it cnnot use constructs of the form?myid or N otherid (t), where myid otherid); we ssume tht ll node processes re generted from single templte; A(myId, t) is the lphbet of N myid (t), nd stisfies the conditions of Proposition 12; Ctrl(t) is dt independent controller process tht stisfies PosConjEqT; X(t), Y(t) nd Z(t) re definitions of sets of events tht re polymorphic in t; no constnts of type t re used nywhere within Impl(t). Most prmeterised systems one encounters in prctice cn be written in the bove form. Remrk 16. Proposition 12 implies tht Impl(t), s in Definition 15, stisfies TypeSym Decidbility As n side, we prove tht our uniform verifiction problem is undecidble. This lso cts s n illustrtion of the expressiveness of the systems we consider. Proposition 17. The problem of uniform verifiction of implementtions defined s in (6) with specifictions stisfying SeqNorm nd NoEqT t is undecidble.

10 12 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 Proof. We prove the result by reduction to the Hlting Problem [39]. We cn simulte given Turing mchine M tht uses t most #t cells of its tpe using process s in (6). We ssume stndrd definition of Turing mchine. We let Q be the set of control sttes, with q 0 Q the initil stte nd q h Q the hlting stte. We let A be the tpe lphbet, with A being the blnk symbol. We let δ : Q A Q A {L, R} be the trnsition reltion: if δ(q, ) = (q, b, d) then, from control stte q with symbol under the tpe hed, the Turing mchine cn write symbol b to the tpe, move the tpe hed left if d = L or right if d = R, nd chnge to control stte q. Ech node process simultes one cell of the tpe nd remembers the contents of the cell; these nodes re orgnised into list, corresponding to the order of cells on the tpe. This list is formed on the fly, with n extr node being dded to the list when the Turing mchine s tpe hed would move to new squre for the first time. More precisely, once node hs performed n event, it remembers the identity j of its left-hnd neighbour (i.e. the node tht is simulting the squre to the left of its own squre); n exception is tht the node tht simultes the left-most squre insted stores (rbitrrily) its own identity; the flg hsleft is true if node hs left-hnd neighbour, (i.e. it is simulting squre other thn the left-most squre). Further, ech node hs boolen flg hsright to indicte whether its right-hnd neighbour hs yet been selected. Once node hs performed n event, it remembers the symbol written on its squre, initilly the blnk symbol. The node tht simultes the squre where the tpe hed currently is lso records the stte q of the finite control. The event strt.i represents node i being selected to simulte the left-most squre. In the initil stte, 4 Node(i) is willing to ccept this event, nd will then simulte the first squre on the tpe, with the control in the initil control stte q 0. The event movenew.j.i.q represents the tpe hed moving right from the squre simulted by node j to previously unvisited squre, which will be simulted by node i; q Q is the new control stte. In the initil stte, Node(i) is willing to ccept ny such event, nd will then simulte the previously unvisited squre, with the control in stte q. Node(i) = strt.i Active(i, i,, flse, flse, q 0 ) movenew?j:t!i?q:q Active(i, j,, true, flse, q). The stte Active(i, j,, hsleft, hsright, q) simultes the squre tht is the current position of the tpe hed. If q is the hlting stte q h, the node signls on chnnel hlt nd the simultion hlts. Otherwise, it clcultes the pproprite trnsition (q, b, d) = δ(q, ) giving the new stte q, the new symbol b, nd the direction d for the tpe hed to move. If the tpe hed should move to the left (d = L), it performs the event moveleft.i.j.q, signlling to its left-hnd neighbour j (unless i simultes the left-most squre, in which cse n error is signlled). If the tpe hed should move to the right, nd this node hs righthnd neighbour, it performs ny event of the form moveright.i.k.q ; only this node s right-hnd neighbour will ccept such n event (see below). If this node hs no right-hnd neighbour, it performs ny event of the form movenew.i.k.q ; node still in its initil stte (if there is such node) will ccept this event. Active(i, j,, hsleft, hsright, q) = if q = q h then hlt.i STOP else let(q, b, d) = δ(q, ) within if d = L then if hsleft then moveleft.i.j.q Pssive(i, j, b, hsleft, hsright) else error.i STOP else if hsright then moveright.i?k:t!q Pssive(i, j, b, hsleft, hsright) else movenew.i?k:t!q Pssive(i, j, b, hsleft, true). The stte Pssive(i, j,, hsleft, hsright) simultes previously visited squre, other thn the current position of the tpe hed. It ccepts ny event of the form moveleft.k.i.q nd becomes ctive; only the currently ctive node will send such n event (see bove). The node will lso ccept ny event of the form moveright.j.i.q from its left-hnd neighbour j. Pssive(i, j,, hsleft, hsright) = moveleft?k:t!i?q:q Active(i, j,, hsleft, hsright, q) moveright.j.i?q:q Active(i, j,, hsleft, hsright, q). We cn combine the nodes together in prllel. However, the bove definition llows node i to perform events movenew.i.i.q, moveleft.i.i.q nd moveright.i.i.q, i.e., where the node is pprently (nd erroneously) synchronising with itself; we prevent such events by omitting them from the node s lphbet. Nodes(t) = i t [A(i, t)] Node(i), A(i, t) = { movenew.i.j, movenew.j.i, moveleft.i.j, moveleft.j.i, moveright.i.j, moveright.j.i j t {i} } {strt.i, hlt.i, error.i}. 4 Formlly, the type prmeter t is prmeter of ll the processes below; we omit it in the interests of brevity.

11 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) We combine the nodes with controller tht simply ensures tht single strt event occurs. Ctrl = strt?i:t STOP, System(t) = Nodes(t) Ctrl \ (Σ { hlt }). { strt } By construction, System(T) performs hlt event if nd only if the Turing mchine M hlts fter using t most #T squres on the tpe; otherwise it performs no event. Let Spec be the specifiction tht no such event occurs: Spec(T) = STOP. So Spec(T) T System(T) iff M does not hlt fter using t most N squres on the tpe. So ( T Spec(T) T System(T)) iff M does not hlt. The right-hnd side is well-known to be undecidble; hence the left-hnd side is undecidble Types of events Throughout this pper we ssume tht ll synchronistions between node processes involve either exctly two processes or ll #T processes; the vst mjority of processes used in prctice do not require synchronistion with ny other rity. We llow events to contin node identities s pylods, i.e. tht nodes cn use in wys not relted to synchronistion. Thnks to such pylods contining node identities, events cn be used, for exmple, to trnsmit n identity from n externl controller to single node, pss n identity from one node to nother, or input the sme identity to ll nodes. The bove ssumptions men tht every event performed by node cn be clssified s of one of the following types. α-type: privte events of single nodes. Ech such event is of the form c.f α (me, pylodids) for some identity me, where c is some chnnel nme, nd f α (me, pylodids) is construct of the form v 1... v k such tht t lest one of the v i is equl to me, nd pylodids records the remining v i of type T. This represents privte event of node me: it is only in the lphbet of the node with identity me. β-type: events synchronised between two nodes. Ech such event is of the form c.f β (me, other, pylodids) for some distinct identities me nd other, where c is some chnnel nme, nd f β (me, other, pylodids) is construct of the form v 1... v k such tht t lest one of the v i is equl to me, t lest one of the v i is equl to other, nd pylodids records the remining v i of type T. This represents synchronistion of the nodes with identities me nd other: it is only in the lphbet of these two nodes. γ -type: events synchronised between ll nodes. Ech such event is of the form c.f γ (pylodids), where c is some chnnel nme, nd f γ (pylodids) is construct of the form v 1... v k, such tht pylodids records the v i of type T. This represents synchronistion of ll nodes: it is in the lphbet of ll nodes. We ssume tht the nodes lphbets re generted from such events in uniform wy. More formlly, we ssume tht there exist disjoint indexing sets A, B nd C such tht for ech me nd T : A(me, T) = {c α.f α (me, pylodids) α A, pylodids T n α } {c β.f β (me, other, pylodids), c β.f β (other, me, pylodids) β B, other T {me}, pids T n β } {c γ.f γ (pylodids) γ C, pylodids T n γ }, where ech c α, c β, c γ is chnnel, ech f α, f β, f γ is function, ech n α, n β, n γ is nturl number, nd the events in the three sets re, respectively, α-, β- nd γ -events, nd re ssumed disjoint. Remrk 18. We note tht: (i) our construction llows vlues of types different from t to be present in α-, β- nd γ -events; (ii) given type T nd some identity me in T, the lphbet A(me, T) is prtitioned by its α-, β- nd γ - events; nd (iii) the type of n event e cn be decided by choosing T of size t lest 3 nd counting the number of identities i for which e is in A(i, T) (this will be of prcticl importnce for the implementtion of tool presented in Section 9.1). We further ssume tht the functions re disjoint in the following sense: (iv) if two events gree on ll non-t prts, then they re generted using the sme function. Exmple 19. Let N me (t) =!me?i:t N me (t) c?x:x?i:t b!me!i N me (t) b?i:t!me N me (t) (7)

12 14 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) 3 52 for some type X not relted to t. Let f (me, i ) = me.i f b (me, other, ) = me.other f (c,x) ( i ) = x.i, for x X. Then A(me, T) = {.f (me, i ) i T} {b.f b (me, other, ), b.f b (other, me, ) other T {me}} {c.f (c,x) ( i ) x X, i T} is the lphbet of N me (T), where the three sets give the α-, β- nd γ -events, respectively. Note tht we block the events b.me.me by omitting them from the lphbet Concrete opertionl semntics with environments We will wnt to tlk bout the stte mchines representing nodes, nd will define our counter bstrction models s stte mchines. We consider stte mchine to be 4-tuple (S, s 0, A, ) where: S is the set of sttes; s 0 S is the initil stte; A Σ τ is set of lbels; nd S A S is the trnsition reltion. It is convenient to use slightly non-stndrd opertionl semntics for node processes, known s Concrete Opertionl Semntics with Environments (COSE), from [27,29]. The difference between COSE nd stndrd opertionl semntics concerns the wy tht vribles become bound to vlues. In stndrd opertionl semntics, the sttes re pieces of syntx with no free vribles. When trnsition cuses vrible to become bound, tht is represented by substitution of the vlue for the vrible in the subsequent syntx. For exmple, if N myid (t) = in?x:t out!myid!x STOP, then, ssuming 1, 3 T, N 1 (T) in.3 (out!1!3 STOP) out.1.3 STOP. By contrst, ech stte of the COSE semntics includes piece of syntx tht my contin free vribles of type t. Ech stte lso includes n environment to store the vlues (i.e. identities of nodes) bound to such vribles. These environments re updted by trnsitions to record vribles becoming bound. (However, the COSE semntics still uses substitution for the binding of vribles of non-t type.) More precisely, ech stte of the COSE semntics is triple (cst, Γ, T), where: cst is control stte, i.e. syntctic term tht my contin free vribles of type t (but no vribles of types other thn t); Γ = {x 0 id 0,..., x n id n } is n environment tht stores the node identities id 0,..., id n in the vribles x 0,..., x n, respectively; nd T is the instntition of the type prmeter (included for technicl resons). When vribles become bound to vlues, the environment gets updted. We ssume tht environments re miniml, i.e. vlues not needed in the future re immeditely forgotten, except tht for node process, we ssume tht the vlue of myid (the node s identity) is never forgotten. For exmple (N myid (t), {myid 1}, T) in.3 (out!myid!x STOP, {myid 1, x 3}, T) out.1.3 (STOP, {myid 1}, T). In [27,29] it ws shown tht ny process tht stisfies Seq cn be given such semntics, nd tht this semntics is equivlent to firly stndrd opertionl semntics; the detils of the definitions re unimportnt for the current pper: it is enough to know tht semntics in this form exists. In prticulr, the semntics represents node process N me (T) using the COSE configurtion (N myid (t), {myid me}, T); note tht: the initil control stte is independent of me becuse ll node processes re generted from the single templte N myid (t); the initil control stte is independent of T becuse the node processes re dt independent; the initil environment stores just the node s identity me in the identity vrible myid. Exmple 20. Let N myid (t) = in?i:t (out 1.myId.i STOP in?j:t out 2.myId.i.j STOP),

13 T. Mzur, G. Lowe / Science of Computer Progrmming 81 (2014) nd let cst = out 1.myId.i STOP in?j:t out 2.myId.i.j STOP Then the COSE sttes of N 0 ({0, 1}) (strting with the initil stte) re (N myid (t), {myid 0}, {0, 1}), (cst, {myid 0, i 0}, {0, 1}), (cst, {myid 0, i 1}, {0, 1}), (STOP, {myid 0}, {0, 1}), (out 2.mydId.i.j STOP, {myid 0, i 0, j 0}, {0, 1}), (out 2.mydId.i.j STOP, {myid 0, i 0, j 1}, {0, 1}), (out 2.mydId.i.j STOP, {myid 0, i 1, j 0}, {0, 1}), (out 2.mydId.i.j STOP, {myid 0, i 1, j 1}, {0, 1}). We mke the nottionl convention tht if (cst, Γ, T) nd (cst, Γ, T) re two sttes such tht (cst, Γ, T) (cst, Γ, T) for some event, nd Γ (myid) = me (i.e. we del with node process with identity me), then we decorte the trnsition reltion symbol with me to indicte the identity of the process, nd write (cst, Γ, T) me (cst, Γ, T). For the rest of this pper let φ be B-collpsing function (see Definition 1). We write φ(γ ) for the imge of environment Γ under φ, i.e. φ(γ ) = {x φ(γ (x)) x dom Γ }. Definition 21. We define φ to be n equivlence reltion on the sttes of node processes by sying tht two sttes (cst, Γ, T) nd (cst, Γ, T ) re equivlent if their control prts re equl, cst = cst ; their environments re equl under φ, φ(γ ) = φ(γ ); nd their underlying types re equl under φ, φ(t) = φ(t ). Whenever φ is cler from the context, we simply write. The equivlence clss of stte (cst, Γ, T) under is [(cst, Γ, T)] = {(cst, Γ, T ) cst = cst φ(γ ) = φ(γ ) φ(t) = φ(t )}. The counter bstrction techniques described in this pper work by counting the number of node processes in φ - equivlent sttes. In this wy, we bstrct from the differences between identities tht re t lest B. One possible pproch would be to counter bstrct ll nodes. However, if the identity of node is less thn B, then this node s environment cn never equl tht of nother node under φ, since their myid vribles will lwys be mpped to vlues tht re different under φ. Thus, if we were to counter bstrct those nodes, we would be modelling their behviour explicitly. This is of no benefit over simpler pproch, where the nodes with identities in {0.. B 1} re modelled explicitly (with reduction of their wreness of node identities to fixed set, independent of t); we counter bstrct ll other nodes. 5. Defining counter bstrction models with unbounded counters In this section, given type T nd non-negtive integer B, we crete n bstrct model ABS T,B such tht for sufficiently lrge T, ABS T,B T φ(nodes(t)). As mentioned before, the bstrct model consists of two prts. The first is the prllel composition of the nodes 0.. B 1, i.e. i {0.. B 1} [A(i, {0.. B})] Ni ({0.. B}). (8) The second prt is counter stte mchine modelling the nodes B.. #T 1; we ssume tht #T B + 1, so there is t lest one such node. In effect, this counter stte mchine collpses the identities B.. #T 1 to the single identity B. However, we perform this collpse in two stges. We first build counter stte mchine ζ T (N B({0.. B + 1})) tht bstrcts the nodes N B ({0.. B + 1}),..., N #T 1 ({0.. B + 1}), i.e. where those nodes hve wreness of the nodes 0.. B + 1. We present this construction in Section 5.1. The counter stte mchine is constructed from the two stte mchines for N B ({0.. B + 1}) nd N B+1 ({0.. B + 1}); however, N B+1 ({0.. B + 1}) = N B ({0.. B + 1}) B,B+1 / B+1,B, so we write the counter stte mchine s function of just N B ({0.. B + 1}). We then pply renming R to replce every instnce of B + 1 by B.