revTPL : THE REVERSIBLE TEMPORAL PROCESS LANGUAGE

. Reversible debuggers help programmers to find the causes of misbehaviours in concurrent programs more quickly, by executing a program backwards from the point where a misbehaviour was observed, and looking for the bug(s) that caused it. Reversible debuggers can be founded on the well-studied theory of causal-consistent reversibility, which only allows one to undo an action provided that its consequences, if any, are undone beforehand. Causal-consistent reversibility yields more efficient debugging by reducing the number of states to be explored when looking backwards. Till now, causal-consistent reversibility has never considered time, which is a key aspect in real-world applications. Here, we study the interplay between reversibility and time in concurrent systems via a process algebra. The Temporal Process Language (TPL) by Hennessy and Regan is a well-understood extension of CCS with discrete-time and a timeout operator. We define revTPL , a reversible extension of TPL, and we show that it satisfies the properties expected from a causal-consistent reversible calculus. We show that, alternatively, revTPL can be interpreted as an extension of reversible CCS with time.


Introduction
Recent studies [Viz20,BJCC13] show that reversible debuggers ease the debugging phase, and help programmers to quickly find the causes of a misbehaviour.Reversible debuggers can be built on top of a causal-consistent reversible semantics [GLM14, LNPV18, FLS21, LLS + 22], and this approach is particularly suited to deal with concurrency bugs, which are hard to find using traditional debuggers [Gra86].By exploiting causality information, causalconsistent reversible debuggers allow one to undo just the steps which led (that is, are causally related) to a visible misbehaviour, reducing the number of steps/spurious causes and helping to understand the root cause of the misbehaviour.More precisely, one can explore backwards the tree of causes of a visible misbehaviour, possibly spread among different processes, looking for the bug(s) causing it.In the last years several reversible semantics for concurrency have been developped, see, e.g., [DK04, PU07, CKV13, LMS16, MMU19, GLMT17, LM20, BM20, MMPY20, MMP21a].However, none of them takes into account time 1 .Time-dependent behaviour is an intrinsic and important feature of real-world concurrent systems and has many applications: from the engineering of highways [MP20], to the manufacturing schedule [GZT20] and to the scheduling problem for real-time operating systems [Ber05].
Time is instrumental for the functioning of embedded systems where some events are triggered by the system clock.Embedded systems are used for both real-time and soft real-time applications, frequently in safety-critical scenarios.Hence, before being deployed or massively produced, they have to be heavily tested, and hence possibly debugged.Actually, debugging occurs not only upon testing, but in almost all the stages of the life-cycle of a software system: from the early stages of prototyping to the post-release maintenance (e.g., updates or security patches).Concurrency is important in embedded systems [FGP12], and concurrency bugs frequently happen in these systems as well [Koo10].To debug such systems, and deal with time-dependent bugs in particular, it is crucial that debuggers can handle both concurrency and time.
In this paper, we study the interplay between time and reversibility in a process algebra for concurrency.In the literature, there exists a variety of timed process algebras for the analysis and specification of concurrent timed systems [NS91].We build on the Temporal Process Language (TPL) [HR95], a CCS-like process algebra featuring an idling prefix (modelling a delay) and a timeout operator.The choice of TPL is due to its simplicity and its well-understood theory.We define revTPL, a reversible extension of TPL, and we show that it satisfies the properties expected from a causal-consistent reversible calculus.Alternatively, revTPL can be interpreted as an extension of reversible CCS (in particular CCSK [PU07]) with time.
A reversible semantics in a concurrent setting is frequently defined following the causalconsistent approach [DK04,LMT14] (other approaches are also used, e.g., to model biological systems [PUY12,PP18]).Causal-consistent reversibility states that any action can be undone, provided that its consequences, if any, are undone beforehand.Hence, it strongly relies on a notion of causality.To prove the reversible semantics of revTPL causal-consistent, we exploit the theory in [LPU20], whereby causal-consistency follows from three key properties: Loop Lemma: any action can be undone by a corresponding backward action; Process A (lines 1 − 7) waits for a message; if a message is received within 200 ms, then process A calls function handleMsg(), otherwise it calls function handleTimeout().Process B (lines 8 − 11) sleeps for 500ms and then sends a message to Pid, where Pid is a parameter of the function executed by process B (line 8).The code in line 13 spawns an instance of process A and uses its process identifier PidA as a parameter to spawn an instance of process B (line 14).The two process instances are supposed to communicate, but the timeout in process A (line 4) triggers after 200 ms, while process B will only send the message after 500 ms (lines 9 − 10).In this example, the timeout rules out the execution where process A communicates with process B, which would be possible in the untimed scenario.Namely, an execution can become unviable because of a time dependency, without any actual interaction between the two involved processes.⋄ From a technical point of view, the semantics of TPL does not fit the formats for which a causal-consistent reversible semantics can be derived automatically [PU07,LM20], and also the generalisation of the approaches developed in the literature for untimed models [DK04, CKV13,LMS16] is not straightforward and is the objective of this work.
The rest of the paper is structured as follows.Section 1 gives an informal overview of TPL and reversibility.Section 2 introduces the syntax and semantics of the reversible Temporal Process Language (revTPL).In Section 3, we relate revTPL to TPL and CCSK, while Section 4 studies the reversibility properties of revTPL.Section 5 concludes the paper and discusses related and future work.A formal background on CCS, TPL and CCSK (for the readers that wish a more rigorous overview than the informal one in Section 1), as well as longer proofs and additional technical details are collected in Appendix.
This paper is an extended and revised version of [BLMY22].The semantics has been revised since the one in [BLMY22] failed to capture some time dependencies when going back and forward (cf.Example 4.19).We now also provide a better characterisation of the causality model of revTPL (cf.Proposition 4.10 and Theorem 4.18).Further technical improvements include the formulation of the correspondences between revTPL, TPL, CCSK and CCS in terms of (bi)simulations (Theorems 3.4 and 3.8).We now also provide full proofs of all results as well as additional explanations and examples.Finally, the whole presentation has been carefully refined.

Informal Overview of TPL and Reversibility
In this section we give an informal overview of Hennessy & Regan's TPL (Temporal Process Language) [HR95] and introduce a few basic concepts of causal-consistent reversibility [DK04,LPU20].For a more rigorous introduction, the interested reader can find the syntax and semantics of TPL in Appendix A.3 and the syntax and semantics of the reversible calculus CCSK [PU07] in Appendix A.2.The syntax and semantics of CCS, which is at the basis of both TPL and CCSK, is in Appendix A.1.
1.1.Overview of TPL.Process ⌊pid.P ⌋(Q) models a timeout: it can either immediately do action pid followed by P or, in case of delay, continue as Q.In transition (1.1) the timeout process is in parallel with co-party pid.0 that can immediately synchronise with action pid, and hence the timeout process continues as P .
In transition (1.2), ⌊pid.P ⌋(Q) is in parallel with process σ.pid.0 that can synchronise only after a delay of one time unit σ (σ is called a time action).Because of the delay, the timeout process continues as Q: σ.pid.0 ∥ ⌊pid.P ⌋(Q) 2) The processes on the left-hand side of transition (1.2) describe the interaction structures of the Erlang program in Example 0.1.More precisely, the timeout of 200 time units in process A can be encoded using nested timeouts: while process B can be modelled as the sequential composition of 500 actions σ followed by action pid, as follows: Using the definition above, ⌊pid.P ⌋(A(200)) models a process that executes pid and continues as P if a co-party is able to synchronise within 200 time units, otherwise executes Q.Hence, Example 0.1 is rendered as follows: The design of TPL is based on (and enjoys) three properties [HR95]: time-determinism, patience, and maximal progress.Time-determinism means that time actions from one state can never reach distinct states, formally: if A consequence of time-determinism is that choices can only be decided via communication actions and not by time actions, for example α.P + β.Q can change state by action α or β, but not by time action σ.Process α.P + β.Q can make an action σ, by a property called patience, but this action would not change the state, as shown in transition (1.3).
Patience ensures that communication processes like α.P can indefinitely delay communication α with σ actions (without changing state) until a co-party is available.For example, by patience, process α.P in (1.4) can delay the communication on α until the other process σ.α.Q is ready to communicate: Maximal progress states that (internal/synchronisation) τ actions cannot be delayed, formally: if Namely, a delay can only be attained either via explicit σ prefixes or because synchronisation is not possible.Basically, patience allows for time actions when communication is not possible, and maximal progress disallows time actions when communication is possible: 1.2.Overview of causal-consistent reversibility.Before presenting revTPL, we discuss the reversing technique we adopt.In the literature, two approaches to define a causalconsistent extension of a given calculus or language have been proposed: dynamic and static [LMM21].The dynamic approach (as in [DK04, CKV13, LMS16]) makes explicit use of memories to keep track of past events and causality relations, while the static approach (originally proposed in [PU07]) is based on two ideas: making all the operators of the language static so that no information is lost and using communication keys to keep track of which events have been executed.In the dynamic approach, constructors of processes disappear upon transitions (as in standard calculi).
For example, in the following CCS transition: a.P a − → P the action a disappears as an effect of the transition.The dynamic approach prescribes to use memories to keep track of the discarded items.In static approaches, such as [PU07], actions are syntactically maintained, and process a.P can perform the transition below where P is decorated with the executed action a and a unique key i.The term a[i].P acts like P in forward transitions, while the coloured part decorating P is used to define backward transitions, e.g., − − → a.P Keys are important to correctly revert synchronisations.Consider the process below.It can take two forward synchronisations with keys i and j, respectively: both the choice operator "+" and the discarded branch b.Q disappear as an effect of the transition.In static approaches, the choice operator and the discarded branch are syntactically maintained, and process a.P + b.Q can perform the transition below: where a[i].P +b.Q acts like P in forward transitions, while the coloured part allows one to undo a[i] and then possibly proceed forward with an action b[j].
In this paper, we adopt the static approach since it is simpler, while the dynamic approach is more suitable to complex languages such as the π-calculus, see the discussion in [LMM21,LP21].

The Reversible Temporal Process Language
In this section we define revTPL, an extension of Hennessy & Regan TPL (Temporal Process Language) [HR95] with causal-consistent reversibility following the static approach in the style of [PU07].
2.1.Syntax of revTPL.We denote with X the set of all the configurations generated by the grammar in Figure 1.
Processes (P, Q, . ..) describe timed interactions following [HR95].We let A be the set of action names a, A the set of action conames a.We use α to range over a, a and internal actions τ .We assume a = a.In process π.P , prefix π can be a communication action α or a time action σ, and P is the continuation.Timeout ⌊P ⌋(Q) executes either P (if possible) or Q (in case of timeout).P + Q, P ∥ Q, P \ a, A, and 0 are the usual choice, parallel composition, name restriction, recursive call, and terminated process from CCS.For each recursive call A we assume a recursive definition A def = P .We also assume recursion to be guarded, hence recursive variables can only occur under prefix.
Configurations (X, Y, . ..) describe states via annotation of executed actions with keys following the static approach.We let K be the set of all keys (k, i, j, . ..).Configurations are processes with (possibly) some computational history (i.e., prefixes marked with keys): π[i].X is the configuration that has already executed π, and the execution of such π is identified by key i.Configuration ⌊X⌋[ i ← − ](Y ) is executing the main branch X whereas ⌊X⌋[ i − → ](Y ) is executing Y .Some TPL processes, namely patient processes like α.P illustrated earlier in (1.4), allow time to pass without changing their own structure.This is an issue in revTPL, since it may lead different parallel components to have a different understanding of the passage of time, while we want time to pass at the same pace for each parallel component.For this reason, to record that time has passed for a patient process, we use a special prefix σ ⊥ [i].X.Namely, σ ⊥ [i].X is the configuration which has patiently registered the passage of time along with key i.Prefix σ ⊥ [i] differs from σ[i] since the former is only for the current execution (patient delays may happen but do not always have to), while the latter requires time to pass in each possible execution (see Example 2.4).We will discuss this issue in more detail in Section 4. We use ρ to denote either π or σ ⊥ .
A configuration can be thought of as a context with actions that have already been executed, each associated to a key, containing a process P , with actions yet to execute and hence with no keys.Notably, keys are distinct but for actions happening together: an action and a co-action that synchronise, or the same time action traced by different processes, e.g., by two parallel delays.A configuration P can be thought of as the initial state of a computation, where no action has been executed yet.We call such configurations standard.Definition 2.1 formalises this notion via function keys(X) that returns the set of keys of a given configuration.
Definition 2.1 (Standard configuration).The set of keys of a configuration X, written keys(X), is inductively defined as follows: Basically, a standard configuration is a process.To handle the delicate interplay between time-determinism and reversibility of time actions, it is useful to distinguish the class of configurations that have not executed any communication action (but may have executed time actions).We call these configurations not-acted and characterise them formally using the predicate nact(•) below.Definition 2.2 (Not-acted configuration).The not-acted predicate nact(•) is inductively defined as: Basic standard configurations are always not-acted (first line of Definition 2.2).Indeed, it is not possible to reach a configuration π.X where X is acted.In the second line, a configuration that has executed communication actions is acted.In particular, we will see that ⌊X⌋[ i ← − ](Y ) is only reachable via a communication action.The configurations in the third line are not-acted if their continuations are not-acted.For parallel composition and choice, nact(•) is defined as a conjunction.For example nact(α[i].P ∥ β.Q) = ff and nact(α[i].P + β.Q) = ff.Note that in a choice configuration X + Y , at most one between X and Y can be acted.Whereas std(X) implies nact(X), the opposite implication does not hold.For example, std(σ The set of rules also includes symmetric versions of rules [Par] and [Cho]. Figure 2: revTPL forward LTS 2.2.Semantics of revTPL.We denote with A t the set A ∪ A ∪ {τ, σ} of actions and let π to range over the set A t .We define the set of all the labels L = A t × K.The labels associate each π ∈ A t to a key i.The key is used to associate the forward occurrence of an action with its corresponding reversal.Also, instances of actions occurring together (synchronising action and co-action or the effect of time passing in different components of a process) have the same key, otherwise keys are distinct.
Definition 2.3 (Semantics).The operational semantics of revTPL is given by two Labelled Transition Systems (LTSs) defined on the same set of all configurations X , and the set of all labels L: a forward LTS (X , L, − →) and a backward LTS (X , L, − →).We define − →=− → ∪ − →, where − → and − → are the least transition relations induced by the rules in Figure 2 and Figure 3, respectively.
Given a relation R, we indicate with R * its reflexive and transitive closure.We use notation X ̸ τ − → (resp.X ̸ τ − →) when there are no configuration X ′ and key i such that We now discuss the rules of the forward semantics (Figure 2).Rule [PAct] describes patient actions: in TPL process α.P can make a time step to itself.This kind of actions allows a process to wait indefinitely until it can communicate (by patience [HR95]).However, in revTPL we need to track passage of time, hence rule [PAct] adds a σ ⊥ [i] prefix in front of the configuration, with a key i.Rule [RAct] executes actions α[i] or σ[i] on a prefix process.Observe that, unlike patient time actions on α.P , a time action on σ.P corresponds to a deliberate and planned time consuming action and, therefore, it executes the σ prefix, hence no σ ⊥ prefix needs to be added.Rule [Idle] registers passage of time on a 0 configuration by adding a σ ⊥ [i] prefix to it.Rule [Act] lifts actions of the continuation X on configurations where prefix ρ[i] has already been executed.Side condition j ̸ = i ensures freshness of j is preserved.Rules [STout] and [SWait] model timeouts.In rule [STout], if X is not able to make τ actions then Y is executed; this rule models a timeout that triggers only if the main configuration X is stuck.The negative premise on [Stout] can be encoded into a decidable positive one as shown in Appendix B. In rule [Tout] instead the main configuration can execute and the timeout does not trigger.Rule [SWait] (resp.[Wait]) models transitions inside a timeout configuration where the Y (resp.X) branch has been previously taken.The semantics of timeout construct becomes clearer in the larger context of parallel configurations, when looking at rule [SynW].Rule [SynW] models time passing for parallel configurations.The negative premise ensures that, in case X or Y is a timeout configuration, timeout can trigger only if no synchronisation may occur, that is if the configurations are stuck.[SynW] requires time to pass in the same way (an action σ is taken by both components, with the same key i) for the whole system.Rules [Par] (and symmetric) and [Syn] are as usual for communication actions and allow parallel configurations to either proceed independently or to synchronise.In the latter case, the keys need to coincide.Defining the semantics of choice configuration X + Y requires special care to ensure time-determinism (recall, choices are only decided via communication actions).Also, we need to record time actions to be able to reverse them correctly (cfr.Loop Lemma, discussed later on in Lemma 4.1).Rule [ChoW] describes the passage of time along a choice configuration X + Y .Since time does not decide a choice, both branches have to execute the same time action with the same key.Rule [Cho] allows one to take one branch, or continue executing a previously taken branch.The choice construct is syntactically preserved, to allow for reversibility, but the one branch that is not taken remains non-acted (i.e., nact(Y )).This ensures that choices can be decided by a communication action only.Let us note that even in case of a decided choice, that is a choice configuration in which one of the two branches has performed a communication action, time actions are registered by both configurations.For example, the configuration a.0 + σ.0 can execute the following transitions: After the a[i] action, even if the left branch of the choice has been selected, both branches participate to the time action σ[j ].Rules [Hide] and [Const] are standard.
The rules of the backward semantics, in Figure 3, undo communication and time actions executed under the forward semantics.Backward rules are symmetric to the forward ones.Now that we have introduced both the forward and the backward rules we can clarify the difference between σ ⊥ and σ.
Example 2.4.Let us consider the patient process a.P .We can have the following derivation: The set of rules also includes symmetric versions of rules [Par] and [Cho].
Figure 3: revTPL backward LTS where a.P executes forwards in two different ways: first by letting time pass, later on by interacting on a.Notice that for these interactions to be possible in a larger context we need the context to have changed as well.
We can try to have a similar derivation using process σ.a.P instead, but the final outcome is not the same: Indeed, at this stage σ.a.P cannot interact on a.In general, σ requires time to pass in every possible computation, while σ ⊥ does not.⋄ Definition 2.5 (Reachable configurations).A configuration X is reachable if there exist a process P and a derivation P − → * X.
Basically, a configuration is reachable if it can be obtained via forward and backward actions from a standard configuration.

Relations with TPL and reversible CCS
We can consider revTPL as a reversible extension of TPL, but also as an extension of reversible CCS (in particular CCSK [PU07]) with time.First, if we consider the forward semantics only, then we have a tight correspondence with TPL.To show this we define a forgetful map which discards the history information of a configuration.Definition 3.1 (History forgetting map).The history forgetting map ϕ h : X → P is inductively defined as follows: The definition above deletes all the information about history from a configuration X, hence it is the identity on standard configuration P .Even more, each configuration is mapped into a standard one.Notice that in a non-standard timeout, only the chosen branch is taken.In TPL time cannot decide choices.This is reflected into the definition of ϕ h (X + Y ), where a branch disappears only if the other one did at least a communication action.
Notably, the restriction of ϕ h to untimed configurations (namely configurations containing neither timeouts nor σ prefixes nor σ ⊥ prefixes) is a map from CCSK [PU07] to CCS.Following the notation of Appendix A, we will indicate with → t the semantics of TPL [HR95], reported in Appendix A.3, and with → k the semantics of CCSK [PU07], reported in Appendix A.2. Proposition 3.2 (Embedding of TPL).Let X be a reachable revTPL configuration: − − → Y , with a case analysis on the last applied rule.We detail a few sample rules.
If the move is by rule [PAct] then we have , and in TPL we have a corresponding state-preserving move with label σ derived using rule Act 2 in Figure 12.If the last applied rule is [Cho], then we have that ).We consider the case nact(X 1 ), the other one is simpler.By definition, we have 1 , by applying the inductive hypothesis we also have that ϕ h (X 1 ) α − → t ϕ h (X ′ 1 ).Also, since the label is not a σ action, in TPL we can use rule Sum 1 in Figure 12 that from ϕ h (X 1 ) ) with X 1 and X 2 standard, and X 1 that can not perform τ steps.By inductive hypothesis ϕ h (X 1 ) can not perform τ steps in TPL, hence in TPL we can use rule THEN 2 in Figure 12 to derive (2) : by induction on the definition of ϕ h (X) (structural induction on X).Let us first assume X standard, hence ϕ h (X) = X.Let us consider X = α.P .In TPL, α.P can make a state preserving transition σ and the corresponding revTPL configuration can The thesis follows since α.P The other cases are similar, but using the induction hypothesis.
Let us now assume X non standard.The most interesting case is when X = X 1 +X 2 .Let us consider X 1 acted (the case where X 2 is acted is symmetric).In this case ϕ h (X 1 + X 2 ) = ϕ h (X 1 ) hence the thesis follows by inductive hypothesis using rule [ChoW] for σ actions and [Cho] for communication actions.If both X 1 and X 2 are not acted, then ϕ h (X 1 + X 2 ) = ϕ h (X 1 ) + ϕ h (X 2 ).We now have two cases, either π = σ or π = α.If π = σ we have that by rule SUM 3 in Figure 12 ϕ By inductive hypotheses we have that there exist X ′ 1 and X ′ 2 such that X 1 We can then apply rule [ChoW] to derive 1 and X ′ 2 are still not-acted we can conclude by noticing that ϕ The case for π = α is similar.
We can describe the above correspondence between revTPL and TPL in a more abstract way by adapting the notion of (strong) timed bisimulation [LY97] to relate configurations from two calculi.Definition 3.3 (Timed bisimulation).A binary relation R on X × P is a strong timed bisimulation between revTPL and TPL if (X, The largest strong timed bisimulation is called strong timed equivalence, denoted ∼.
We can now relate revTPL and TPL as follows: Theorem 3.4.For each reachable revTPL configuration X we have that X ∼ ϕ h (X).Also, TPL is a conservative extension of CCS.This is stated in [HR95], albeit not formally proved.Hence, we can define a forgetful map which discards all the temporal operators of a TPL term and get a CCS one.We can obtain a stronger result and relate revTPL with CCSK [PU07].That is, if we consider the untimed part of revTPL what we get is a reversible CCS which is exactly CCSK.To this end, we define a time forgetting map ϕ t .We denote with X k the set of untimed reversible configurations of revTPL, which coincides with the set of all CCSK configurations (which is defined in Appendix A.2).The set inclusion X k ⊂ X holds.Definition 3.5 (Time forgetting map).The time forgetting map ϕ t : X → X k is inductively defined as follows: Notably, the restriction of ϕ t to standard configurations is a map from TPL to CCS.The most interesting aspect in the definition above is that the timeout operator ⌊X⌋(Y ) is rendered as a sum.This also happens for the decorated configurations . We will further discuss this design decision after Proposition 3.6.Also, since we are relating a timed semantics with an untimed one (CCSK), the σ actions performed by the timed semantics are not reflected in CCSK.

Proof. (1) : by induction on the derivation X α[i]
− − → Y , with a case analysis on the last applied rule.The proof goes along the lines of the proof of Proposition 3.2, using the rules reported in Figures 8 and 9 in Appendix A.2.
(2) : similar to the case above, using X (3) : by induction on the derivation of X − − → Y (the case of backward transitions is analogous), with a case analysis on the last applied rule.Basic cases are (i) rules [Pact] and [Idle], creating a σ ⊥ , (ii) σ prefixes, and (iii) timeouts.In case (i) we )) as desired.Inductive cases follow by inductive hypothesis.Notably, it is not always the case that transitions of the underlying untimed configuration can be matched in a timed setting.Think, e.g., of the Erlang program in Example 0.1 (and its formalisation in Section 1.1), for a counterexample.Indeed, in the example, the communication between the two processes A and B is allowed in the underlying untimed model, but ruled out by incompatible timing constraints.Also, let us consider the simple process X = ⌊a⌋(b) and its untimed version ϕ t (X) = a + b.The untimed process can execute the right branch as follows To match this action, X has first to perform a time action and only afterwards it can take the b action, as follows: Moreover, there are also cases where actions cannot be matched, not even after time actions.Indeed, the timeout operator ⌊P ⌋(Q) acts as a choice with left priority.For example, let us consider the process X = ⌊(a ∥ a)⌋(b).We have that ϕ t (X) can perform the b action as follows but this action can never be matched by X, as revTPL maximal progress forces the internal synchronisation over time passage.Hence we can only apply rule STout in Figure 2: and the resulting configuration cannot execute b.
Due to the examples above, we cannot characterise the relation between X and ϕ t (X) as a bisimulation, as for ϕ h , but we can only prove that ϕ t (X) simulates X.As before, we need to modify notions of simulation for reversible configurations from the literature (e.g., [NMV90,LP21]) to relate configurations from two calculi, and to keep time into account.
Definition 3.7 (Back and forward simulation).A binary relation R on X × X k is a back and forward simulation if (X, R) ∈ R implies that The largest back and forward simulation is denoted by ≾.
Theorem 3.8.For each reachable revTPL configuration X we have that X ≾ ϕ t (X).
Proof.It is sufficient to show that the relation R = {(X, R) | ϕ t (X) = R} is a back and forward simulation.It is easy to check the conditions of Definition 3.7 using Proposition 3.6.Figure 4 summarises our results: if we remove the timed behaviour from a revTPL configuration we get a CCSK term, with the same behaviour apart for timed aspects, thanks to Proposition 3.6.On the other side, if from revTPL we remove history information we get a TPL term (matching its forward behaviour thanks to Proposition 3.2).Note that the same forgetful maps (and properties) justify the arrows in the bottom part of the diagram, as discussed above.This is in line with Theorem 5.21 of [PU07], showing that by removing reversibility and history information from CCSK we get CCS.Notably the two forgetting maps commute.Proposition 3.9.For each reachable revTPL configuration X we have ϕ h (ϕ t (X)) = ϕ t (ϕ h (X)).
Proof.By structural induction on X.

Reversibility in revTPL
In a fully reversible calculus any computation can be undone.This is a fundamental property of reversibility [DK04, LPU20], called the Loop Lemma, and revTPL enjoys it.Formally: We have two directions.The forward one trivially holds, since for each forward rule of Figure 2 there exists a symmetric one backwards in Figure 3.The backward case requires more attention, and we proceed by induction on X − − → Y , with a case analysis on the last applied rule.We can further distinguish the cases according to whether π = σ, π = τ or π = α.We will just consider one instance of each case, the others are similar.
Since by reachability of X we have the reachability of X 1 and X 2 , by inductive hypothesis we have that − − → X 2 , so we can apply the forward version of rule [ChoW], as desired.π = τ : using rule [Syn] by hypothesis we have that X By applying the inductive hypothesis we get and we can derive − − → X ′ 1 and nact(X 2 ).By applying the inductive hypothesis we have that Another fundamental property of causal-consistent reversibility is the so-called causalconsitency [DK04, LPU20], which essentially states that we store the correct amount of causal information.In order to discuss it, we now borrow some definitions from [DK04].We use t, t ′ , s, s ′ to range over transitions.In a transition t : X the transition, and Y the target of the transition.Two transitions are said to be coinitial if they have the same source, and cofinal if they have the same target.Given a transition t, we indicate with t its reverse, that is if t : − − → X).The notions of source, target, coinitiality, and cofinality naturally extend to paths.We let χ, ω to range over sequences of transitions, which we call paths, and with ϵ X we indicate the empty sequence starting and ending at X.We denote as |χ| the number of transitions in path χ.Moreover, we indicate with χ 1 χ 2 the composition of the two paths χ 1 and χ 2 when they are composable, that is when the target of χ 1 coincides with the source of χ 2 .Definition 4.2 (Causal Equivalence).Let ≍ be the smallest equivalence on paths closed under composition and satisfying: (1) if t : (2) tt ≍ ϵ and tt ≍ ϵ Intuitively, paths are causal equivalent if they differ only for swapping independent transitions (we will discuss independence below) and for adding do-undo or undo-redo pairs of transitions.
Intuitively, if coinitial paths are cofinal then they have the same causal information and can reverse in the same ways: we want only causal equivalent paths to reverse in the same ways.
4.1.Independence.We now define a notion of independence between revTPL coinitial transitions, based on a causality preorder (inspired by [LP21]) on keys.Intuitively, independent transitions can be executed in any order (we will formalise this as Property 4.11), while transitions which are not independent represent a choice: either one is executed, or the other.Definition 4.4 (Partial order on keys).The function po(•) : X → 2 (K×K) is inductively defined below.It takes a configuration X ∈ X and computes a set of ordered pairs of keys which is the set of causal relations among the keys in X.
The partial order ≤ X on keys(X) is the reflexive and transitive closure of po(X).
Let us note that function po computes a partial order relation, namely a set of pairs (i, j), denoted i < j to stress that they form a partial order.In particular, i < j means that key i causes key j.This takes into account both structural causality given by the structure of a configuration (e.g., a prefix causes its continuation) and causality raising from synchronisation and time, since synchronising actions and time actions corresponding to the same point in time have the same key.
Example 4.5.Let us compute the partial order on keys in and hence, looking at the parallel composition: We also need to understand whether two forward communication transitions are in conflict since either they involve a same prefix or they involve different branches of a choice.

Definition 4.6 (Forward communication conflict). Two forward communication transitions
For simplicity, the fcc predicate above is defined only for pairs of configurations which may arise from the same configuration.Notice that in the clause for choice, the only way for the two branches to be pairwise different, is that Y has chosen one of them, and Z the other.In this case the two actions are in conflict.However, in this case fcc may not be defined on the components.To avoid this issue, we consider the ∨ operator to be a short circuit operator.
Example 4.7.Let us consider the configuration X 1 = a[i].b.P and the two transitions Transitions σ[i] and b[j ] are in conflict: they cannot be swapped since action b is no longer possible after action σ, and vice versa.The second case of Definition 4.9 forbids either a same prefix or prefixes in different branches of a same choice operator to be consumed by the two transitions.For example let us consider the configuration a.0 ∥ a.0.The left configuration could execute an action a[i] while the entire configuration could synchronise by doing a τ [j ], as depicted below: It is clear, from the example above, that the two actions cannot commute.Another example of conflicting transitions captured by case 2 of Definition 4.9 is when transitions consume prefixes in different branches of a same choice operator.For example, let us consider the configuration a.0 + b.0.The left branch can do an action a[i] while the right one an action b[j ], as follows: and again it is clear that these two transitions cannot commute.The third clause of Definition 4.9 dictates that two transitions are in conflict when a reverse step eliminates some causes of a forward step.For example, the configuration a disables the action on b.
The last case of Definition 4.9 forbids two transitions to pick up the same key.Notably, backward transitions are never in conflict, yet it is never the case that a backward time action and a backward communication action are enabled together, as shown by the following proposition.
Proposition 4.10.Let X be a reachable revTPL configuration.Then it is never the case that X Proof.The proof is by structural induction on X.If X is standard there is nothing to prove.If X is a prefix ρ[k].Y and Y is standard then only communication actions are possible if ρ is a communication action, only time actions otherwise.If Y is not standard then the thesis follows by inductive hypothesis, since only rule [Act] is applicable.In the case of timeout, the thesis follows by noticing that at most on rule is applicable.In particular, for all the rules the thesis follows by inductive hypothesis but for rule [STout], for which it follows directly.The other cases follow by inductive hypothesis.
The Square Property tells that two coinitial independent transitions commute, thus closing a diamond.Formally: Property 4.11 (Square Property -SP).Given a reachable revTPL configuration X and two coinititial transitions t : Since both CCSK and TPL are sub-calculi of revTPL as discussed in Section 3, then the notions of conflict and independence above induce analogous notions on CCSK and TPL.To the best of our knowledge, no such notion exists for TPL.Notions of conflict and independence (dubbed concurrency) for CCSK have been recently proposed in [Aub22], but they rely on extended labels while we define them on standard ones.4.2.Causal consistency.We can now prove causal consistency, using the theory in [LPU20].The theory in [LPU20] ensures that causal consistency follows from SP, already discussed, and two other properties: BTI (Backward Transitions are Independent) and WF (Well-Foundedness).BTI generalises the concept of backward determinism used for reversible sequential languages [YG07].It specifies that two backward transitions from a same configuration are always independent.Property 4.12 (Backward Transitions are Independent -BTI).Given a reachable revTPL configuration X, any two distinct coinitial backward transitions t : BTI property trivially holds since (as mentioned above) by looking at the definition of conflicting and independent transitions (Definition 4.9) there are no cases in which two backward transitions are deemed as conflicting, hence two backward transitions are always independent.
We now show that reachable configurations have a finite past.
Then there is no infinite sequence such that Proof.WF follows since each backward transition removes a key.Given that the number |keys(X)| of keys in X is finite, only a finite amount of backward steps can be taken.
The Parabolic Lemma [DK04, Lemma 11], stated below, tells us that any path is causally equivalent to a path made by only backward steps, followed by only forward steps.In other words, up to causal equivalence, paths can be rearranged so as to first reach the maximum freedom of choice, going only backwards, and then continuing only forwards.We can now prove our main results thanks to the proof schema of [LPU20].).Suppose BTI and SP hold, then PL holds.
As a corollary of PL, reachable states are reachable via forward-only paths (cf.[LPU20]).
Corollary 4.17.A configuration X is reachable iff there exists a process P and a forwardonly path P − → * X.
Proof.From PL, by noticing that the backward path is empty since P cannot take backward actions.
The general theory above can help us in proving specific properties of revTPL, as we show below.
We have considered in this paper a global notion of time, as shown by the following theorem.
Theorem 4.18.For each reachable revTPL configuration X, the restriction of ≤ X to keys attached to time actions is a total order.Proof.From Corollary 4.17 we have that there exist a process P and a forward-only path P − → * X.Take two arbitrary keys i and j attached to time actions.Let i be the first one to occur in P − → * X, and X 1 − − → X 2 the transition introducing it (note that each step introduces a key).Since the path is forward, key j will be attached to some configuration which is standard in X 2 (or to a σ ⊥ just before a standard configuration).We show by induction on the derivation of X 1 − − → X 2 that this implies i < j.The thesis will follow.We have a case analysis on the last applied rule.
The cases of rules [PAct], [RAct] and [Idle] follow from the definition of po on prefix.The cases of rules [Act], [Hide] and [Const] follow by induction.The cases for timeout are similar, noticing that j could only be attached to the selected configuration.For parallel composition, only rule [SynW] needs to be considered, and the thesis follows by inductive hypothesis.Similarly, for choice only rule [ChoW] needs to be considered, and the thesis follows by induction as well.
As shown above, time actions are never independent, and only communication actions can be.Also, since time actions do not commute with communication actions (cf.clause 1 in Definition 4.9) then each communication action is bound to be executed between two fixed time actions.
One may wonder whether the global notion of time described above is too strict.This is a very good question, and indeed we plan in future work to investigate different notions of causality for TPL, which will induce a different causal-consistent reversible extension.
We show here just that dropping the σ ⊥ [i] prefix, which ensures time actions are recorded also by untimed configurations, would not solve the issue.We have pursued this approach in [BLMY22], but it leads to violations of the Loop Lemma and the Parabolic Lemma, two main properties in the causal-consistency theory, as shown by the following example.−−→ Z 1 , but this is impossible as Also, the Parabolic Lemma fails.Indeed if we consider the path which leads to Z 1 , according to the Parabolic Lemma, we can rewrite this path as a sequence of backward transitions followed by forward ones.If from Z 1 we undo all the actions and try to reach it by using just forward actions we fail since: By using σ ⊥ [i] prefixes we impose a total order among time actions, as shown in Theorem 4.18, as follows: Now from Y we cannot undo the time action σ[i], since now we need to undo action σ[k] first.With this machinery in place, we enforce a strict notion of causality in TPL, but we have been able to successfully build a causal-consistent reversible extension.⋄

Conclusion, Related and Future Work
The main contribution of this paper is the study of the interplay between causal-consistent reversibility and time.A reversible semantics for TPL cannot be automatically derived using well-established frameworks [PU07,LM20], since some operator acts differently depending on whether the label is a communication or a time action.For example, in TPL a choice cannot be decided by the passage of time, making the + operator both static and dynamic, and the approach in [PU07] not applicable.To faithfully capture patient actions in a reversible semantics we introduced σ ⊥ prefixes.Another peculiarity of TPL is the timeout operator ⌊P ⌋(Q), which can be seen as a choice operator whose left branch has priority over the right one.Indeed, if P can do a τ action then Q can not execute and it is discarded.Although we have been able to use the static approach to reversibility [PU07], adapting it to our setting has been challenging for the aforementioned reasons.Notably, our results have a double interpretation: as an extension of CCSK [PU07] with time, and as a reversible extension of TPL [HR95].As a side result, by focusing on the two fragments, we derive notions of independence and conflict for CCSK and TPL.To simplify the discussion, we build on the categorisation in [BM23] and focus our comparison on the following time-related design choices: Separated vs integrated semantics: In the first case, actions are instantaneous and time only passes in between actions; hence, functional behaviour and time are orthogonal.
In the second case, every action takes a certain amount of time to be performed and time passes only due to action execution; hence, functional behaviour and time are integrated.Relative time vs absolute delays: In the first case, each delay refers to the time instant of the previous observation.In the second case, all delays refer to the starting time of the system's execution.Global clock vs local clocks: In the first case, a single clock governs the pace of time passing in the system.In the second case, several clocks associated with the various system parts may have different views of the pace of time.If a model allows processes to have local clocks but time flows at the same pace for all of them (even if they hold different values due to resets, as in the case e.g. of Timed Automata [AD94]) we still classify the model as a global clock model.Eager vs lazy vs maximal progress: There are several interpretations of when a communication action can be executed or delayed.Eager semantics enforce actions to be performed as soon as they become enabled, i.e., without any delay, thereby implying that their execution is urgent.On the other hand, laziness allows the execution of an action to be delayed even if the action is enabled.Maximal progress is eager for internal actions and lazy otherwise: actions can be delayed only if they are waiting to synchronise with some external partner which is not yet available.Some calculi have primitives for both eager and lazy actions, so each action can be either lazy or eager.(integrated semantics).2In all the three calculi, time is specified from the beginning of the computation (absolute time).While mCRL relies on a global clock, CIPA and TIC allow parallel processes to go 'out of sync' (local clocks).In CIPA, global time synchronisation is only required for causally dependent actions (it has to be re-established before two processes can communicate with each other).TIC uses an 'age' function to record discrepancies between the time of parallel processes.mCRL has no silent actions, and time idling and communication actions can happen at any time, after they become ready (lazy).In CIPA, the timing of an action needs to exactly match its prescription so the action happens as soon as it is ready (eager).TIC allows delays of exact amounts of time (urgent/eager) as well as delays of times within an interval (lazy).The application of our approach using integrated semantics and/or absolute time should not present any particular challenge.In fact, separated and integrated semantics have been shown to be equivalent [BCT16] (i.e., they can be encoded into each other preserving weak barbed bisimilarity).Similarly for absolute instead of relative time thanks to the equivalence given in [Cor00].
Extending our framework to local clocks (e.g., as in CIPA) would be interesting but non-trivial in our integrated semantics.It may require us to record some live information on the different time perspective of parallel processes to rule out unwanted interleavings.An alternative could be to exploit the encoding of [BCT16] from TCCS to CIPA, and see whether the semantics is still preserved while considering reversible behaviours.
Building from the conference version of this article [BLMY22], the work in [BM23] has shown that our approach would apply also to a semantics with only eager actions and to a semantics with only lazy actions.However, the applicability of our approach to a scenario where each action can be statically set to be either lazy or eager (the 'either' option in the 'action' column of Table 1) needs to be further investigated.
Alternative timed formalisms.Timed Petri nets are a relevant tool for analysing realtime systems.A step towards the analysis of real-time systems would be to encode revTPL into timed Petri nets [ZFH01] extended with reversibility, by building on the encoding of reversible CCS into reversible Petri nets [MMP21b].Also, we could think of encoding revTPL in timed automata [ACD93] extended with reversibility.Another possibility would be to study the extension of a monitored timed semantics for multiparty session types, as the one of [NBY17], with reversibility [MP21].
Maximal progress of TPL (as well as revTPL) has connections with Markov chains [BH00].For instance, in a stochastic process algebra, the process τ.P + (λ).Q (where λ is a rate) will not be delayed since τ is instantaneously enabled.This is similar to maximal progress for the timeout operator.A deep comparison between deterministic time, used by TPL, and stochastic time, used by stochastic process algebras, can be found in [BCT16].Further investigation on the relation between our work and [BM20], studying reversibility in Markov chains, is left for future work.The treatment of passage of time shares some similarities with broadcast [Mez18] as well: time actions affect parallel components in the same way.
Future directions.We have just started our research quest towards a reversible timed semantics.Beyond considering local notions of time, as discussed after Theorem 4.18, a first improvement would be to add an explicit rollback operator, as in [LMSS11], that could be triggered, e.g., in reaction to a timeout.Also, asynchronous communications (like in Erlang) could be taken into account.TPL is a conservative timed extension of CCS.Due to its simplicity, it has a very clear behavioural theory [HR95], including an axiomatization.A further step could be to adapt such behavioural theory to account for reversibility, by combining it with the one for CCSK developed in [LP21].However, the fact that reversibility breaks Milner's expansion law may limit the power of the axiomatisation.Also, we could consider studying more complex temporal operators [NS91].In TPL time is discrete, and the language abstracts away from how time is represented.Indeed, the idling prefix σ is meant to await one cycle of clock.A more fine-grained treatment of time in CCS was proposed in Timed CCS (TCCS) [Yi90,Yi91].In TCCS it is possible to express a process, say P, which awaits 3 time units directly by: ϵ(3).P Now the process above, in principle, can be rendered in TPL as the process σ.σ.σ.P by assuming that a cycle of clock lasts one time unit.But this is only possible if we consider TCCS with discrete time.Even if we restrict ourselves to discrete time, encoding the ϵ(•) operator in TPL would be troublesome to treat (from a reversible point of view) as a single step has to be matched by several ones.Also, TCCS obeys to time additivity (two actions taking times t 1 and t 2 can be turned into a single action taking time t 1 + t 2 ), while TPL does not.As shown in [BM23], time additivity poses a problem with our approach: in presence of time additivity, the proof schema proposed in [LPU20] does not hold anymore.In particular, because of time additivity BTI does not hold anymore and Loop Lemma has to be formalised in a weaker form.Hence, one has to redo all the proofs.For all these reasons, it will not be straightforward to adapt the approach in this paper to deal with TCCS.
Prospective applications.As discussed above, this work is a first step towards an analysis of reversible real-time systems and it has the purpose of clarifying the relationship between reversibility and time.Although the contribution of this work is theoretical, we envisage a potential application to debugging of real-time Erlang code.More concretely, we would like to extend CauDEr [LNPV18, GV21, Cau22], the only causal-consistent reversible debugger for a (fragment of a) real programming language we are aware of.The purpose of the extension would be to support timed Erlang programs.To this end we would first need to extend the reversible semantics of Erlang in [LLS + 22, FLS21] with a notion of time, imported from the present work, so to support constructs such as ' after ' and 'sleep', as used, e.g., in our Example 0.1.The ' after ' (i.e., timeout) construct, in particular, is very common in the Erlang programming practice.Even if Erlang timeouts are close to TPL ones, there are a number of challenges to be faced.First, Erlang communication is asynchronous, unlike revTPL.Second, and more importantly, Erlang delays can be explicit in the code, as in our Example 0.1, but they can also be generated by network delays or long computations.Therefore, in order to enable reversible debugging of timed programs, one needs to pair the code with a model, possibly computed in an automated way, that describes the delays that are likely to occur in the system of interest.The development of this prospective application goes beyond the scope of the formal setting given in the current work.
Another possible application is to bring our theory to timed Rebecca [KSS + 15] which is a timed actor based language with model checking support.This would enable us to exploit model checking for reversible behaviours.
revTPL: THE REVERSIBLE TEMPORAL PROCESS LANGUAGE 11:9 ) we are done.The cases for [Const] and [Hide] are similar by induction.The cases for [SynW] and [ChoW] follow by induction as well.

Proof.
It is sufficient to show that the relation R = {(X, P ) | ϕ h (X) = P } is a strong timed bisimulation.Let us check the conditions.If X π[i] − − → Y then thanks to Proposition 3.2 we have that ϕ h (X) π − → t ϕ h (Y ) with ϕ h (Y ) = Q, and we have that (Y, Q) ∈ R. If P π − → t Q, thanks to Proposition 3.2 we have that X π[i] − − → Y with ϕ h (Y ) = Q, and we have that (Y, Q) ∈ R, as desired.

Table 1
illustrates how the aforementioned timed calculi position with respect to the four criteria above.Most of the formalisms we have reviewed combine separated semantics, relative time, and global clock.The main difference is the urgency (or lack thereof) of [QdFA93]eneral approach is the one of urgent LOTOS[BL92], which provides primitives for urgent actions and primitives for non-urgent actions, hence enabling one to decide the semantics of each specific action.The remaining formalisms have integrated semantics combined with absolute time.In mCRL[GM14], CIPA[QdFA93], and TIC[QdFA93], the transition relation models both execution of actions and time elapsing

Table 1 :
Semantics can be separated or integrated; time can be relative or absolute; clocks can be global or local; actions can be eager, lazy, either of them, or maximal progress.