A Polynomial Translation of pi-calculus FCPs to Safe Petri Nets

We develop a polynomial translation from finite control pi-calculus processes to safe low-level Petri nets. To our knowledge, this is the first such translation. It is natural in that there is a close correspondence between the control flows, enjoys a bisimulation result, and is suitable for practical model checking.


Introduction
Many contemporary systems -be it software, hardware, or network applications -support functionality that significantly increases their power, usability, and flexibility: Interaction Mobile systems permeate our lives and are becoming ever more important.Indeed, the vision of pervasive computing, where devices like mobile phones and laptops are opportunistically engaged in interaction with a user and with each other, is quickly becoming a reality.Reconfiguration Systems implement a flexible interconnection structure, e.g.cores in Networks-on-Chip temporarily shut down to save power, resilient systems continue to deliver (reduced) functionality even if some of their modules develop faults, and ad-hoc networks build-up and destroy connections between devices at runtime.Resource allocation Many systems maintain multiple instances of the same resource (e.g.network servers, or processor cores in a microchip) that are dynamically allocated to tasks depending on the workload, power mode, and priorities of the clients.
The common feature of such systems is the possibility to form dynamic connections between individual modules.It is implemented using reference passing: a module can become aware of another module by receiving a reference (e.g. in form of a network address) to it.This reference enables subsequent communication between the modules, and can be understood as a dynamically created connection.We will refer to this class of systems as Reference Passing Systems (RPS).
As people are increasingly dependent on the correct functionality of Reference Passing Systems, the costs incurred by design errors can be extremely high.However, even the conventional concurrent systems are notoriously difficult to design correctly because of the complexity of their synchronisation behaviour.Reference passing adds another layer of complexity by making the interconnect structure dynamic.Hence, formal verification has to be employed to ensure the correct behaviour of RPSs.
While the complexity of systems increases, the time-to-market is reducing.To address this, system design has changed from a holistic to a compositional process: the system is usually composed from pre-existing modules.This change in the design process has to be mirrored in the verification process.Verification has to focus on the inter-modular level rather than on individual modules.Indeed, it is reasonable nowadays to assume that individual modules are well-tested or formally verified by their vendors.Moreover, the inter-module communication fabric (e.g. a computer network) is usually built of standard components and uses standard protocols, and so can be assumed to be correct.This means bugs primarily arise in the interaction between modules, and here verification is required to ensure correctness of the system as a whole.
When we verify the interaction between modules, we take advantage of this separation of verification concerns.We only have to model the modules' interfaces but can abstract away from their internal behaviour as well as low-level communication concerns (e.g.network behaviour), which we assume to be checked by the vendor.Traditionally, the interface behaviour is verified using rely/guarantee techniques, potentially supported by theorem provers.Due to undecidability reasons, however, theorem proving generally requires substantial manual intervention to discharge some of the proof obligations.In the interest of a short time to market, our ambition is to lift fully automatic model checking to the inter-modular level.
There are several formalisms suitable for modelling the interface behaviour of RPSs.The main considerations in choosing such a formalism are its expressiveness and the tractability of the associated verification problems.Expressive formalisms like π-calculus [20] and Ambient Calculus [5] are Turing powerful and so undecidable in general.Fortunately, the ability to pass references per se does not lead to undecidability.One can impose restrictions on the communication capabilities [1,16], control flow [6,24], or interconnection shape [14,16] to recover decidability while retaining a reasonable modelling power.
Finite Control Processes (FCP) [6] are a fragment of π-calculus where the system is modelled as a parallel composition of a fixed number of sequential entities (threads).The control of each thread is represented by a finite automaton, and the number of threads is bounded in advance.The threads communicate synchronously via channels that they create, exchange and destroy at runtime.These capabilities are often sufficient to faithfully model the interface behaviour of RPSs.The appeal of FCPs is in combining this modelling power with decidability of verification [6,17].
In this paper, we contribute to FCP verification, following an established approach.We translate the FCP under study into a safe low-level Petri net (PN).This translation bridges the gap between expressiveness and verifiability: While π-calculus is suitable for modelling RPSs but difficult to verify due to the complicated semantics, PNs are a low-level formalism equipped with efficient analysis algorithms.With the translation, all verification techniques and tools that are available for PNs can be applied to analyse the (translated) process.

A polynomial translation.
There is a large body of literature on π-calculus to Petri net translations (cf.Sect.1.2 for a detailed discussion).Complexity-theoretic considerations, however, suggest that they are all suboptimal for FCPs -either in terms of size [3,11,16,17] or because of a too powerful target formalism [1,7,12].The following shows that a polynomial translation of FCPs into low-level safe PNs must exist.
Since the state of an FCP can always be described by a string of length linear in the process size, an FCP can be simulated by a Turing machine (TM) with a tape of linear length.Moreover, a TM with bounded tape can be modelled by a safe PN of polynomial size (in the size of the control and the tape length), see e.g.[9].Finally, a linear translation from safe PNs to FCPs is described in Sect.10.That is, the three formalisms can simulate each other with only polynomial overhead.This argument is in fact constructive, and shows PSPACE-completeness of FCP model checking.Even more, it shows that we can use safe PNs to verify FCPs.The problem with this translation via TMs is that the safe PN resulting from an FCP would be large and contrived, and thus of limited use for practical verification.
These considerations motivated us to look for a direct polynomial translation of FCPs to safe PNs, which is the main contribution of this paper.We stress that our translation is not just a theoretical result, but is also quite practical: • it is natural in the sense that there is a strong correspondence between the control flow of the FCP and the resulting PN; • the transition system of the FCP and that of its PN representation are bisimilar, which makes the latter suitable for checking temporal properties of the former; • the resulting PN is compact (polynomial even in the worst case); • we propose several optimisations that significantly reduce the PN's size in practice; • we propose several extensions of the translation, in particular to polyadic communication, polyadic synchronisation, and match/mismatch operators; • experiments demonstrate that the translation is suitable for practical verification.Technically, our translation relies on three insights: (i) the behaviour of an FCP νr.(S 1 | S 2 ) coincides with the behaviour of (S 1 {n/r} | S 2 {n/r}) where the restricted name r has been replaced by a fresh public name n (a set of fresh names that is linear in the size of the FCP will be sufficient); (ii) we have to recycle fresh names, and so implement reference counters for them; and (iii) we hold substitutions explicit and give them a compact representation using decomposition, e.g., {a, b/x, y} into {a/x} and {b/y}.

Related work.
There are two main approaches to FCP verification.The first is to directly generate the state space of the model, as is done (on-the-fly) by the Mobility Workbench (MWB) [26].This approach is relatively straightforward but has a number of disadvantages.In particular, its scalability is poor due to the complexity of the πcalculus semantics, which restricts the use of heuristics for pruning the state space, and due to the need for expensive operations (like equivalence checks [13]) every time a new state is generated.Furthermore, some efficient model checking techniques like symbolic representations of state spaces are difficult to apply.
The alternative approach, and the one followed here, is to translate a π-calculus term into a simpler formalism, e.g. a Petri net, that is then analysed.This method does not depend on a concrete verification technique for π-calculus but can adapt any such technique for PNs.In particular, RPSs often are highly concurrent, and so translating them into a true concurrency formalism like PNs opens the door for partial-order reductions in verification.This alleviates the problem of combinatorial state space explosion, that is, a small specification often has a huge number of reachable states that is beyond the capabilities of existing computers.
Although several translations of π-calculus to Petri nets have been proposed, none of them provides a polynomial translation of FCPs to safe PNs.The verification kit HAL [10] translates a model into a History Dependent Automaton -a finite automaton where states are labelled by sets of names that represent restrictions [21,24].For model checking, these automata are further translated to finite automata [10].Like in our approach, the idea is to replace restrictions with fresh names, but the translation stores full substitutions, which may yield an exponential blow up of the finite automaton.Our translation avoids this blow up by compactly representing substitutions by PN markings.This, however, needs careful substitution manipulation and reference counting.
Amadio and Meyssonnier [1] replace unused restricted names by generic free names.Their translation instantiates substitutions, e.g.(x 1 y 1 .x 2 y 2 ){a, b, a, b/x 1 , y 1 , x 2 , y 2 } is represented by a b .ab .This creates an exponential blow up: since the substitutions change over time, m public names and n variables may yield m n instantiated terms.Moreover, since the number of processes to be modified by replacement is not bounded in [1], Amadio and Meyssonnier use PNs with transfer.(Their translation handles a subset of πcalculus incomparable with FCPs.)As this paper shows, transfer nets are an unnecessarily powerful target formalism for FCPs -e.g.reachability is undecidable in such nets [8].
Busi and Gorrieri study non-interleaving and causal semantics for the π-calculus and provide decidability results for model checking [3].(That work has no bisimilarity proof, which is provided in [11].)The translations may be exponential for FCPs, again due to the instantiation of substitutions.
Devillers, Klaudel and Koutny [7] achieve a bisimilar translation of π-calculus into highlevel Petri nets, thus using a Turing complete target formalism where automatic analyses are necessarily incomplete.In [12], this translation is used for unfolding-based model checking; to avoid undecidability, the processes are restricted to be recursion-free -a class of limited practical applicability.
Peschanski, Klaudel and Devillers [23] translate π-graphs (a graphical variant of πcalculus) into high-level PNs.The technique works on a fragment that is equivalent to FCPs.However, the target formalism is unnecessarily powerful, and the paper provides no experimental evaluation.
Our earlier translation [16] identifies groups of processes that share restricted names.In [17], we modify it to generate safe low-level PNs, and use an unfolding-based model checker.The experiments indicate that this technique is more scalable than the ones above, and it has the advantage of generating low-level rather than high-level PNs.However, the PN may still be exponentially large.We denote the firing relation by M t → M ′ or by M → M ′ if the identity of the transition is irrelevant.The set of reachable markings of N is denoted by Reach(N ).The transition system of N is and every place p ∈ P , and safe if it is 1-bounded.This paper focuses on safe PNs.A set of places in a PN is mutually exclusive if at any reachable marking at most one of them contains tokens.A place p is a complement of a set Q of mutually exclusive places if at any reachable marking p contains a token iff none of the places in Q contains a token.If Q = {q}, the places p and q are complements of each other.
2.2.Finite control processes.In π-calculus [19,25], threads communicate via synchronous message exchange.The key idea in the model is that messages and the channels they are sent on have the same type: they are just names from some set Φ df = {a, b, x, y, i, f, r, . ..}.This means a name that has been received as a message in one communication may serve as a channel in a later interaction.To communicate, processes consume prefixes The output prefix a b sends name b along channel a.The input prefix a(x) receives a name that replaces x on channel a. Prefix τ stands for a silent action.Threads, also called sequential processes, are constructed as follows.A choice process i∈I π i .S i over a finite set of indices I executes a prefix π i and then behaves like S i .The special case of choices over an empty index set I = ∅ is denoted by 0. This process terminates a thread.A restriction νr.S generates a name r that is different from all other names in the system.To implement parameterised recursion, we use calls to process identifiers K⌊ã⌋.We defer their explanation for the moment.To sum up, threads take the form S ::= K⌊ã⌋ i∈I π i .S i νr.S.
We use S to refer to the set of all threads.A finite control process (FCP) F is a parallel composition of a fixed number of threads: Here, ν r with r = r 1 . . .r k denotes a (perhaps empty) sequence of restrictions νr 1 . . .νr k .
We use P to refer to an arbitrary process, be it a thread, an FCP, or a term obtained by structural congruence defined below.We denote iterated parallel compositions by i∈I P i .
Our presentation of parameterised recursion using calls K⌊ã⌋ follows [25].Process identifiers K are taken from some set Ψ df = {H, K, L, . ..} and have a defining equation K( f ) := S. Thread S can be understood as the implementation of K.The process has a list of distinct formal parameters f = f 1 , . . ., f k that are replaced by factual parameters ã = a 1 , . . ., a k when a call K⌊ã⌋ is executed.Note that ã and f have the same length.When talking about an FCP specification F , we mean process F with all its defining equations.
To implement the replacement of formal parameters f by ã in calls to process identifiers, we use substitutions.A substitution is a function σ : Φ → Φ that maps names to names.If we make domain and codomain explicit, σ : A → B with A, B ⊆ Φ, we require σ(a) ∈ B for all a ∈ A and σ(x) = x for all x ∈ Φ \ A. We use {ã/ f } to denote the substitution σ : f → ã with σ(f i ) df = a i for i ∈ {1, . . ., k}.The application of substitution σ to S is denoted by Sσ and defined in the standard way [25].
Input prefix a(i) and restriction νr bind the names i and r, respectively.The set of bound names in a process P is bn (P ).A name which is not bound is free, and the set of free names in P is fn (P ).We permit α-conversion of bound names.Therefore, wlog., we make the following assumptions common in π-calculus theory and collectively referred to as no clash (NC) henceforth.For every FCP specification F , we require that: (i) a name is bound at most once, a name f is used at most once in a formal parameter list, bound and free names are disjoint, bound names and formal parameters are disjoint, formal parameters and free names in F are disjoint; and (ii) if σ = {ã/x} is applied to S then bn (S) ∩ (ã ∪ x) = ∅.
Assuming (NC), the names in an FCP specification F and the corresponding defining equations can be partitioned into the following sets: set R of names bound by restriction operators, set I of names bound by input prefixes, set F of names used as formal parameters in defining equations, and set P of all the other names -they are called public.
We are interested in the relation between the size of an FCP specification and the size of its PN representation.The size of an FCP specification is defined as the size of its initial term plus the sizes of the defining equations: Intuitively, we count the operations, process identifiers, and names in each element of the specification, e.g. the factor 3 in 3|I| refers to a send or receive prefix of size two, followed by a plus.
To define the behaviour of a process, we rely on the structural congruence relation ≡ on process terms.It is the smallest congruence satisfying the axioms in Fig. 1, i  ν can be eliminated when applied to 0, is commutative, and its scope can be extended to include a concurrent process not containing free occurrences of the bound name.
The behaviour of π-calculus processes is determined by reaction relation → between terms [19,25], see Fig 2. It has the axioms for consuming silent prefixes, identifier calls and communications, and is defined to be closed under |, ν, and ≡.By Reach(F ) we denote the set of all processes reachable from F .The transition system of F factorises the reachable processes along structural congruence, where F denotes the congruence class of F wrt. ≡ and That is, structurally congruent processes are collapsed into a single state, and the transition relation is amended appropriately.
Normal form assumptions.To ease the definition of the translation and the corresponding correctness proofs, we make assumptions about the shape of the FCP specification.These assumptions are not restrictive, as any FCP can be translated into the required form.First, we require that the sets of identifiers called by different threads (both directly from F and indirectly from defining equations) are disjoint.This ensures that the threads have disjoint descriptions of their control flows and corresponds to the notion of a safe FCP in [17].
The assumption can be achieved by replicating some defining equations.The resulting specification F ′ is bisimilar with F and has size O(n F ) = O( F 2 ), where n is the number of threads.We illustrate the construction on the FCP specification F = K⌊a, b⌋ | L⌊a, c⌋ (left) together with its replicated version We can also ensure that defining equations do not call themselves, i.e. that the body of K( f ) := S does not contain any calls of the form K⌊ã⌋. Indeed, we can replace any such call with K ′ ⌊ã⌋, using a new defining equation K ′ ( f ′ ) := K⌊ f ′ ⌋.This increases the size of the FCP only linearly, and ensures we do not have to remap parts of f to f when passing the parameters of a call, which simplifies the translation.

Principles of the translation
This section informally explains the polynomial translation of FCPs to safe PNs.The main idea is to replace restricted names by fresh public ones.Indeed, F = ν r.(S 1 | . . .| S n ) behaves like S 1 {ñ/r} | . . .| S n {ñ/r}, provided the names ñ are fresh.These new names are picked from a set N , and since for FCP specifications there is a bound on the number of restricted names in all processes reachable from F , a finite N suffices.But how to support name creation and deletion with a constant number of free names?The trick is to reuse the names: n ∈ N may first represent a restricted name r 1 and later a different restricted name r 2 .To implement this recycling of names, we keep track of whether or not n ∈ N is currently used in the process.This can be understood as reference counting.
The translation takes the set of names N as a parameter.Already a fairly large set N RIF of cardinality |R| + |I| + |F| is sufficient to prove polynomiality of the translation.The rationale is that there should be enough values to map each bound name to a unique value.Indeed, one can provide a domain function dom : P ∪ R ∪ I ∪ F → 2 P∪N that gives, for each name x of F , an overapproximation of the set of possible values of x.The rough overapproximation above employs We explain how to compute better domains by static analysis in Sect.7.
The translation is then defined to be the composition The first net N Subst compactly represents substitutions σ : R ∪ I ∪ F → P ∪ N and implements reference counting.It only consists of places and is detailed in Sect.Initialisation of a restricted name It should be possible to find a value val ∈ N to which no bound name or formal parameter is currently mapped, and map a given restricted name r to val .
Remapping When name v is communicated to a thread, some input name i has to be mapped to σ(v).Similarly, a formal parameter f has to be mapped to σ(v) during a process call that uses v as a factual parameter.Since v can occur several times in the list of factual parameters, one should be able to map several formal parameters to σ(v) in one step, i.e. by one PN transition.
Unmapping When a bound name or formal parameter v is forgotten, its mapping has to be removed.During a process call, it often happens that σ(v) is assigned to one or more formal parameters and simultaneously v is forgotten.Therefore, it is convenient to be able to remap and unmap v in one step.
Ideally, the three kinds of operations described above should not interfere when applied to names in distinct threads, so that they can be performed concurrently; note that due to (NC) the bound names and formal parameters are always different.This prevents the introduction of arbitration, and so has a beneficial effect on the performance of some model checking methods (e.g.those using partial order techniques).
In what follows, we describe a representation of substitutions that satisfies all the formulated requirements.This safe PN, which is depicted in Fig. 3, only consists of places.A place [var = val ], when marked, represents the fact that var ∈ R ∪ I ∪ F is mapped to val ∈ P ∪N .Our translation will maintain the following invariants.(iii) For each var ∈ R ∪ I ∪ F, the places [var = val ] are mutually exclusive (i.e. a name can be mapped to at most one value), where val runs through dom(var).
The choice of the cardinality of N is of crucial importance.As explained above, it should be sufficiently large to guarantee that there will always be a name that can be used to initialise a restriction.But taking an unnecessary big value for this parameter increases the size of the PN as well as the number of reachable states.
The operations on the substitution are implemented as follows: Initialisation of a restricted name To find a value val ∈ N that is not referenced, and to map a given restricted name r to val , the transition has to: • test by read arcs that the places have tokens (i.e.no input name or formal parameter is currently mapped to val); • consume the token from [r * = val ] (checking thus that no restricted name is currently mapped to val ); • produce a token at [r = val] (mapping thus r to val ).
Remapping When a communication binds the value of a name v to an input name i, the corresponding transition consumes the token from In the case of identifier calls, v may occur several times in the list of factual parameters, and so several formal parameters f k 1 , . . ., f k l have to be bound to σ(v).This can be handled by a single transition consuming the tokens from [f k j = σ(v)] and producing tokens in [f k j = σ(v)] for j ∈ {1, . . ., l}.The same transition can unmap v if necessary.
Unmapping When a bound name or formal parameter var that is mapped to val is forgotten, the mapping should be removed.This is modelled by a transition consuming the token from [var = val ] and, if val ∈ N , producing a token in

3.2.
Petri net representation of the control flow.We elaborate on the translation of a thread S i into the net N (S i ) that reflects the control flow.Each subterm st of S i corresponds to a subnet of N (S i ) with a unique entry place p st .This place is initially marked if st corresponds to the thread's initial expression.The communication prefixes are modelled by transitions.These transitions are labelled with synchronisation actions as well as commands to explicitly introduce and remove name bindings in the substitution net.At this point, however, the transitions are just stubs.The synchronisation between threads is introduced by parallel composition , the synchronisation between threads and substitution net is performed by the implementation operator ⊳.
The subnets corresponding to terms st are defined as follows (note that each thread is a sequential process, so | does not occur in the term): Initialisation of restricted names The subnet corresponding to νr.S maps r to some currently unused n ∈ N , cf.Fig. 5.More precisely, for each n ∈ N we create a transition t r n consuming a token from the entry place of νr.S, producing a token in the entry place of the subnet implementing S, and performing the initialisation of the restricted name r with the value n as explained in Sect.3.1.Note that the transitions t r n arbitrate between the names in N , allowing any of the currently unused names to be selected for the initialisation of r.
If such an arbitration is undesirable,1 separate pools of values can be used for each thread, as described in Sect.7.
Handling 0 The subnet for 0 is comprised of the entry place only, which means an execution of 0 terminates a thread.An alternative for implementing termination is to also unmap all the bound names and formal parameters in whose scope this 0 resides.We note that this unmapping is not necessary, as the used resources (in particular, the values from N to which these variables are mapped) will not be needed.
Handling calls Consider K⌊ã⌋ with K( f ) := S. The entry place of K⌊ã⌋ is followed by a subnet that maps f to the values of ã.All the other bound names and formal parameters in whose scope this call resides become unmapped.Finally, the control is transferred to the entry place of the translation of S.
To make this idea precise, let B denote the set of bound names and formal parameters that are forgotten in the call.Let A be the set of names occurring in ã (perhaps multiple times).The required change in the substitution can be modelled by the assignments Here, X i is the set of formal parameters to which the value of the factual parameter a is assigned.So the X i are disjoint non-empty sets whose union is f .An assignment X ← a (where X can be empty) simultaneously maps all the variables in X to σ(a) and, if a ∈ B, unmaps a.Since no two assignments reference the same name, they cannot interfere and thus can be executed in any order or concurrently.The subnet implementing an assignment X ← a has one entry and one exit place and is constructed as follows.For each val ∈ dom(a) we create a transition t val which: • consumes a token from the entry place and produces a token on the exit place; • for each f ∈ X, consumes a token from [f = val ] (provided this place exists, i.e. val ∈ N ) and produces a token on [f = val ]; • if a ∈ B, consumes a token from [a = val ], and, in case val ∈ N , produces a token on [a = val ] (or on [r * = val ] if a is a restricted name).Such subnets can be combined in either sequential or parallel manner (in the latter case additional fork and join transitions are needed).
Handling sums We assume that sums are guarded, i.e. have the form i∈I π i .S i .The entry place of the subnet is connected to the entry places of the translations of each S i by transitions.In case of communication actions π i = τ , these transitions are stubs that carry appropriate synchronisation actions and name binding commands.
Parallel composition and hiding Given two stub transitions t ′ and t ′′ in different threads representing prefixes a b and x(y), parallel composition adds a set of transitions implementing the communication, cf.Fig. 6.If static analysis (see Sect. 7) shows that the prefixes are potentially synchronisable, we create for each i ∈ dom(a) ∩ dom(x) and j ∈ dom(b) ∩ dom(y) a transition t ij which: • consumes tokens from the input places of the stubs t ′ and t ′′ and produces tokens on their output places; • checks by read arcs that [a = i] and [x = i] are marked, i.e. the substitution maps a and x to the same value i and thus the synchronisation is possible (if a and/or x are in P then the corresponding arc is not needed); • checks by a read arc that [b = j] is marked, consumes a token from [y = j] (if this place exists) and produces a token on [y = j] (mapping thus y to the value of b).If the synchronisation is possible, exactly one of these transitions is enabled (depending on the values of a, b, and x); else none of these transitions is enabled.After all such synchronisations are performed, the stub transitions are removed from the net by hiding H.The meanings of the places in N Subst are as in Fig. 3, and the places in the control flow are labelled by the corresponding subterms.
As the FCP has two bound names, r and x, we take N = {n 1 , n 2 }.The initialisation of r is represented by two transitions, corresponding to the values n 1 and n 2 .The only possible communication in this example is between the prefixes p r and p(x).Note that the communication is over the public channel p, and the communicated values are from dom(r) ∩ dom(x) = {n 1 , n 2 } ∩ {p, n 1 , n 2 } = {n 1 , n 2 }.Hence there are two transitions modelling this communication.

Size of the resulting FCP
We now evaluate the contributions of various parts of the translation to the size of the final safe PN. (Note that the asymptotic size of a safe PN is fully determined by its total number of places, transitions and arcs, as the size of the initial marking is bounded by the number of places.)Recall that we use N RIF as the set of names from which the values for restricted names are picked.Stop processes A single place is created for each occurrence of 0, i.e. the total contribution is O( F ) in the worst case.

Calls
In the worst case all the calls have O( F ) parameters in total, which have to be mapped and unmapped.Hence the contribution is O( F 2 ).
Restrictions In the worst case the number of restrictions is O( F ), and the corresponding names have to be initialised and then unmapped.For initialisation of a restricted name, a separate transition is created for each value in N RIF , and this transition has O(|I| + |F|) incident arcs, see Fig. 5. Hence the contribution is Choices and communication Implementing the branching resulting from sums contributes O( F ) to the final total.Furthermore, τ -prefixes also contribute at most O( F ).In the worst case the numbers of sending and receiving prefixes are O( F ), and almost all pairs of send/receive actions can synchronise; thus the total number of such synchronisations is O( F 2 ).Recall that for a pair of actions x 1 y 1 and x 2 (y 2 ), a separate transition with O(1) incident arcs is generated for each pair of values in P ∪ N RIF , see Fig. 6.Hence, the contribution is ), dominating thus the other parts of the translation.However, the communication splitting optimisation described in Sect.7 reduces this contribution down to O( F 3 ).
Totaling the above contributions shows that the size of the resulting PN is O( F 3 ).Furthermore, converting a general FCP into a safe one can increase the size by a factor bounded by the number of threads, i.e. quadratically in the worst case, see Sect. 2. Therefore, the translation is polynomial for general FCPs too.
It should also be noted that the worst case size computed above is rather pessimistic: the translation admits several practical optimisations, see Sect. 7. The experimental results in Sect.9 demonstrate that for realistic FCPs the sizes of the resulting PNs are moderate.

Definition of the translation
We now formalise the proposed translation.To do that, we add further assumptions on the form of the FCP.Again, these assumptions are not restrictive: any FCP can be transformed into the required form.However, the assumptions significantly simplify the correctness proofs by reducing the number of cases that have to be considered.5.1.Additional normal form assumptions.We augment the (NC) assumptions as follows: in a defining equation K( f ) := S, fn (S) = f , i.e. public names are not allowed in S.This assumption can be enforced by passing the required public names as parameters.
To avoid case distinctions for the initial process, we assume there are artificial defining equations K Init ,i ( fInit,i ) := S Init,i with fn (S Init,i ) = fInit,i ⊆ F, that are called by a virtual initialisation step.Their purpose is to guarantee that the S Init,i have the free names fInit,i .We then apply substitutions to assign the expected values to these parameters.This means we can write the given FCP as where σ i : fInit,i → r ∪ P. We additionally assume that the S Init,i are choices or calls and that the FCP does not contain the 0 process.Moreover, if we have an input x(y).S then we assume y ∈ fn (S), which can be achieved by adding an artificial parameter to the call at the end of the process.Similarly, for a restriction νr.S we assume r ∈ fn (S).Restrictions not satisfying this requirement can be dropped due to structural congruence.5.2.Construction of N Subst .To represent a substitution like {a, b/x, y}, we decompose it into elementary substitutions {a/x} ∪ {b/y} of single names.The substitution net has corresponding places [x=a] and [y=b] for each elementary substitution that may occur in such a decomposition.Moreover, there is a second set of places, [x =n] and [r * =n], keeping track of whether an input, a formal parameter, or a restriction is bound to n ∈ N .These places complement the corresponding substitution places, in particular [r * =n] indicates that no restricted name is bound to n. (Since at most one restriction can be bound to n, this one complement place is sufficient.)N Subst has no transitions.We defer the explanation of its initial marking for the moment.Formally, N Subst df = (P Subst ∪ P Ref , ∅, ∅, M 0 ) with Substitution markings and correspondence A marking M of N Subst is called a substitution marking if it satisfies the following constraints: (SM1) holds for every n ∈ N and states that at most one restricted name is bound to n.Moreover, there is a token on [r * =n] iff there is no such binding.(SM2) states that every name x ∈ I ∪ F ∪ R is bound to at most one a ∈ P ∪ N .The reference counter has to keep track of whether a name x ∈ I ∪ F maps to a fresh name n ∈ N , which motivates (SM3).
Consider now a substitution σ : (I ′ ∪ F ′ → P ∪ r) ∪ (R ′ → r) where I ′ ⊆ I, F ′ ⊆ F, R ′ ⊆ R, and the second component R ′ → r is injective.A substitution marking M of N Subst is said to correspond to σ if the following hold: The choice of n preserves the equality of names as required by σ: for all x, y ∈ dom(σ) with σ(x), σ(y) ∈ r, we have Recall that we translate the specification As the initial marking of N Subst , we fix some substitution marking that corresponds to σ 1 ∪ . . .∪ σ n .As we shall see, every choice of fresh names ñ for r indeed yields bisimilar behaviour.Note that (NC) ensures that the union of substitutions is again a function.Fig. 3 illustrates N Subst and the concepts of substitution markings and correspondence.

Construction of N (S Init
). Petri net N (S Init ) reflects the control flow of thread S Init .
To synchronise send and receive prefixes in different threads, we annotate its transitions with labels from To capture the effect that reactions have on substitutions, transitions also carry a set of commands from Using these sets, a control flow net is defined to be a tuple (P, T, F, M 0 , l, c), where (P, T, F, M 0 ) is a PN and l : T → L and c : T → P(C) are the transition labelling functions.
As S Init is a sequential process, transitions in N (S Init ) will always have a single input and a single output place.This allows us to understand N (S Init ) as a finite automaton, and hence define it implicitly via a new labelled transition system for S Init .Recall that S is the set of sequential processes.We augment them by lists of names, S × (I ∪ F ∪ R) * , carrying the names that have been forgotten and should be eventually unmapped in N Subst .Among such augmented processes, we define the labelled transition relation Each transition carries a label and a set of commands, and will yield a PN transition.
For restrictions νr.S, we allocate a fresh name.Since we can select any name that is not in use, such a transition exists for every n ∈ N : (TRANS ν ) Fig. 5 depicts the transition, together with the implementation of mapping defined below.Silent actions yield τ -labelled transitions with empty sets of commands as expected: where λ ′ = fn (τ.S + . ..) \ fn (S) contains the names that were free in the choice process but have been forgotten in S. With an ordering on P ∪ N , we can understand this set as a sequence.
Communications are more subtle.Consider x y .S + . . .that sends y on channel x.With appropriate tests, we find the names a and b to which x and y are mapped.These names then determine the transition label.So for all a, b ∈ P ∪ N , we have (TRANS snd ) There are similar transitions for the remaining prefixes π i with i ∈ I. Fig. 6(left) illustrates the transitions for send and receive actions.For a call K⌊x 1 , . . ., x n ⌋ with K(f 1 , . . ., f n ) := S, the idea is to iteratively update the substitution by binding the formal parameters to the factual ones.(Note that we assumed fn (S) = {f 1 , . . ., f n }.) Afterwards, we unmap the names in λ, which will then include the factual parameters.Since no equation calls itself, we do not accidentally unmap the just mapped formal parameters.The following transitions are created for each a ∈ P ∪ N : where (This case distinction ensures that we will unmap a factual parameter precisely once, even if it occurs multiple times in the list of factual parameters.)When all parameters have been passed, we unmap the names in λ = ε, by creating the following transitions for each a ∈ P ∪ N : (TRANS call 2 ) When λ = ε has been reached, we transfer the control to the body S of the defining equation: Petri net N (S Init ) is the restriction of (S × (I ∪ F ∪ R) * , − ։) to the augmented processes that are reachable from (S Init , ε) via − ։.The initial marking puts one token on place (S Init , ε) and leaves the remaining places unmarked.
5.4.Operations on nets.We now describe the operations composing the nets.

Parallel composition
Parallel composition of labelled nets is classical in Petri net theory.The variant we use is inspired by [2]: N 1 N 2 forms the disjoint union of N 1 and N 2 , and then synchronises the transitions t 1 in N 1 that are labelled by l 1 (t 1 ) = send (a, b) (resp.rec(a, b)) with the transitions t 2 in N 2 that are labelled by l 2 (t 2 ) = rec(a, b) (resp.send (a, b)).The result is a new transition (t 1 , t 2 ) labelled by τ , which carries the (disjoint) union of the commands for t 1 and t 2 .Note that the transitions of N 1 and N 2 are still available for further synchronisations with some N 3 .This in particular implies that is associative and commutative.
Hiding H The hiding operator removes from a PN N all transitions t with l(t) = τ .Since H(N ) contains only τ -labelled transitions, we can omit the labelling function from the result.The combination of parallel composition and hiding is illustrated in Fig. 6

(center).
Implementation operation ⊳ Consider the two Petri nets N 1 = N Subst = (P 1 , ∅, ∅, M 0,1 ) and N 2 = H(N (S Init ,1 ) . . .N (S Init,n )) = (P 2 , T, F 2 , M 0,2 , c) defined so far.The implementation operation yields a standard Petri net without labelling.Its purpose is to implement the commands labelling the transitions of N 2 by adding arcs between the two nets.We fix a transition t ∈ T and a command c ∈ c(t), and define the arcs that have to be added between t and some places of N 1 to implement c.We do the case analysis for the possible types of c: map(x, p), map(x, n), map(r, n) A map command differentiates according to whether the first component is an input name or a formal parameter x ∈ I ∪ F, or whether it is a restricted name r ∈ R. If x is assigned a public name, map(x, p) ∈ c(t) with p ∈ P, we add an arc producing a token in the corresponding place of the substitution net: (t, [x=p]) ∈ F .If x is assigned some n ∈ N , map(x, n) ∈ c(t), we additionally remove the token from the reference counter: (t, [x=n]), ([x =n], t) ∈ F .To represent the restricted name r ∈ R by a name n ∈ N , we first check that no other name is currently mapped to n using the reference counter for n.In case n is currently not in use, we introduce the binding

Correctness of the translation
To prove the translation correct, we relate F and N (F ) by a suitable form of bisimulation.The problem is that N (F ) may perform several steps to mimic one transition of F .The reason is that changes to substitutions (as induced e.g. by νr.S) are handled by transitions in N (F ) whereas F uses structural congruence, i.e. a substitution change does not necessarily lead to a step in the reaction relation of F .To obtain a clean relationship between the models, we restrict the transition system of N (F ) to so-called stable markings and race free transition sequences between them.Intuitively, stable markings correspond to the choices and process calls in F , and race free transition sequences mimic the reaction steps between them.We show below that this restriction is insignificant, as any transition sequence is equivalent to some race free one.
Place (S, λ) of N (F ) = N Subst ⊳ H(N (S Init,1 ) . . .N (S Init,n )) is called stable if S is a choice or a call to a process identifier with full parameter list.Marking M of N (F ) is called stable if, in every control flow net N (S Init ,i ), it marks a stable place.We denote by Reach Stbl (N (F )) the set of stable markings that are reachable in N (F ).
A transition sequence t 1 , . . ., t n between stable markings M, M ′ ∈ Reach Stbl (N (F )) is race free if exactly one t i is either of the form (TRANS τ ) for a silent action, of the form (t, t ′ ) for communication actions (TRANS snd ), (TRANS rec ), or of the form (TRANS call 3 ) for an identifier call, cf.Sect.5.3.Thus, a race free transition sequence corresponds to precisely one step in the reaction relation of F , characterised by t i , while the other transitions implement the substitution changes between M and M ′ .In particular, no intermediary marking is stable.We denote the fact that there is such a race free transition sequence by M ⇒ M ′ .
We now show that every transition sequence reaching a stable marking M can be replaced by a series of race free transition sequences.This means the restriction to race free sequences is inconsequential.Lemma 6.1.For every transition sequence ) and • the control flow parts of M 2 and M ′ 2 coincide, and • the substitution parts of M 2 and M ′ 2 correspond to a same substitution.Moreover, the latter sequence is a rearrangement of the former one, modulo transitions implementing map and unmap operations for restricted names using different values.Proof.To obtain M 1 ⇒ + M ′ 2 , we proceed as follows.We project the sequence M 1 → + M 2 to the transitions that reflect π-calculus reactions.After each such transition, we insert the required initialisations of restricted names by unused values (not necessarily the same as in the original sequence).Before each call to a process identifier, we insert the necessary unmapping operations (the ones for restricted names are amended to use the values given during the corresponding initialisations).The result is race free.To see that the sequence is enabled, note that initialisations of restricted names cannot be blocked because the pool of fresh names is large enough.Moreover, unmap operations can never be blocked.6.1.Bisimulation.Since the initial marking M 0 of N (F ) is stable by the assumption on S Init,i from Sect.5.1, we can define the stable transition system of N (F ) as Theorem 6.2.The transition system of F and the stable transition system of N (F ) are bisimilar, T (F ) ∼ T Stbl (N (F )), via the bisimulation B defined below.
We defer the proof for the moment.To define the bisimulation relation, we use the fact that every process reachable from F is structurally congruent to some ν r.
Here, S i is a choice or an identifier call that has been derived from some process S with K( f ) := S. Derived means (S, ε) − ։ + (S i , λ i ) so that no intermediary process is a call to a process identifier.As second requirement, we have This means the domain of σ i are the free names in S i together with the names λ i that have already been forgotten.The two sets are disjoint, fn(S i ) ∩ λ i = ∅.The above process actually is in Milner's standard form [19], but makes additional assumptions about the shape of threads and the domain of substitutions.
To relate T (F ) and the full transition system T (N (F )), consider a transition sequence M 1 → + M 2 between stable markings M 1 , M 2 ∈ Reach Stbl (N (F )) that need not be race free.Due to Lemma 6.1 it can be rearranged to a race free sequence With the above bisimilarity, this race free transition sequence is mimicked by a sequence of π-calculus transitions F → + G with (G, M ′ 2 ) ∈ B. With Lemma 6.1 and the definition of B, we also have (G, M 2 ) ∈ B. In the reverse direction, a single process transition is still mimicked by a sequence of PN transitions (that happens to be race free).Hence, the following holds: Theorem 6.3.The transition systems of F and N (F ) are weakly bisimilar, T (F )≈T (N (F )), taking B defined above as a weak bisimulation.
This result allows one to check temporal properties of FCPs using their PN representations.6.2.Bisimulation Proof.We now turn to the proof of Theorem 6.2.We have to show that for each pair (G, M ) ∈ B, every transition G ֒→ G ′ can be mimicked by a race free transition sequence in N (F ), i.e. there is a stable marking M ′ with M ⇒ M ′ such that (G ′ , M ′ ) ∈ B. Moreover and in turn, the race free transition sequences in N (F ) should be imitated in process F .The proof is split into two parts, formulated as Lemmas 6.4 and 6.5, for both directions respectively.Lemma 6.4.Consider (G, M ) ∈ B. For all G ′ with G ֒→ G ′ there is a stable marking Proof.Process G is structurally congruent to ν r.(S 1 σ 1 | . . .| S n σ n ).By the base cases of the reaction rules, transition G ֒→ G ′ exists iff (1) either two processes S i σ i and S j σ j with i = j ∈ {1, . . ., n} communicate, (2) we resolve a call to a process identifier in some S i σ i , i ∈ {1, . . ., n}, or (3) we have a τ action.Silent steps are easier than the former two and hence omitted in the proof.
Case 1: Communication For simplicity, we assume that: the first two threads communicate using the first prefixes; after the communication, the first thread yields choice or call S ′ 1 ; the second process creates precisely one restricted name before becoming a choice or a call S ′ 2 ; the communication is over restricted names and a restricted name is sent.The remaining cases are along similar lines.We thus have G ≡ ν r.(S 1 σ 1 | . . .| S n σ n ) with The process resulting from the communication is We argue that G ′ has the desired normal form.The processes S ′ 1 and S ′ 2 are choices or calls.Moreover, (S, ε) . This means S ′ 1 and S ′ 2 have been derived, as required.It remains to show (DOM).We do the proof for σ ′ 2 , the reasoning for σ 1 is simpler: We now argue that (1.a) there is so that M 1 is the substitution marking and M 2 is the control flow marking.Since (G, M 1 ∪M 2 ) ∈ B, we have M 2 ((S 1 , λ 1 )) = 1 = M 2 ((S 2 , λ 2 )).Moreover, M 1 corresponds to σ 1 ∪ . . .∪ σ n .In the following, we also use σ to refer to this union.Since σ 1 (x 1 ), σ 2 (x 2 ), σ 1 (y 1 ) ∈ r, by (COR3) we have fresh names It remains to show that there is a fresh name available in N which we can use to represent r.As r / ∈ dom(σ), we have With (COR1), for x / ∈ dom(σ) we have M 1 ([x=n]) = 0 for all n ∈ N .For x ∈ dom(σ), we have at most one place [x=a] marked by (SM2).Together, these mean there is a name Before parallel composition, the original net N (S Init,1 ) had the following transition sequence leaving place (S 1 , λ 1 ): Similarly, from (S 2 , λ 2 ) in N (S Init ,2 ) we get Parallel composition joins the communicating transitions of the two nets, and we denote the result by (t 1 , t 2 ).Then hiding removes the original transitions t 1 labelled by send (n 1 , n 3 ) We assume S already is a choice or a call.The process resulting from the call K⌊x⌋σ 1 is We argue that G ′ has the desired normal form.The process S is a choice or a call.It has been derived trivially as it is the defining process.For (DOM), we have as desired Moreover, by (DOM), we have x ∪ λ = dom(σ 1 ).Hence, for every name x i ∈ x ∪ λ we have a name a i ∈ P ∪ N so that M 1 ([x i =a i ]) = 1 by (COR2) and (COR3).Since an equation does not call itself and since all formal parameters are unique by (NC), we have f ∩ dom(σ) = ∅ by (DOM).This means M 1 ([f =a]) = 0 for all f ∈ f and all a ∈ N ∪ P.
By definition, Petri net N (S Init,1 ) has the following transition sequence: The first transition sequence introduces the bindings for f and moves the names in x to λ.The result is (K⌊−⌋, λ ′ ) with λ ′ = λ • x′ , where x′ is obtained from x by removing the duplicates.The next transition sequence unmaps all names in λ ′ .Finally, the token is moved to (S, ε).
We now show that the composed sequence is enabled.For the first sequence, the tests are enabled with M 1 ([x i =a i ]) = 1.For formal parameters, mapping map(f, p) with p ∈ P is always enabled, and map(f, n) with n ∈ N requires M 1 ([f =n]) = 1.This holds by the above argumentation.The second transition sequence removes the tokens from [x i =a i ].Since we do not repeat names in x′ and since x ∩ λ = ∅, all transitions are enabled.For The resulting marking M ′ puts a token on the stable place (S, ε), i.e.M ′ is stable.M ′ is reachable as M was reachable.Moreover, the transition sequence above is race free.
2 is the control flow marking.For the control flow, we moved the single token from (K⌊x⌋, λ) to (S, ε) as required.
For N Subst , we show that we obtain a substitution marking.We already argued that M 1 ([f =a]) = 0 for all a ∈ P ∪ N and hence M 1 ([f =n]) = 1 for all n ∈ N .We introduce a token M ′ 1 ([f i =a i ]) = 1, potentially consuming the complement marking if a i = n ∈ N .(SM2) holds: names are bound at most once.The second transition sequence manipulates the places for x′ ∪ λ.These names are disjoint from f due to f ∩ dom(σ 1 ) = ∅ explained above.We remove all tokens M 1 ([x i =a i ]) = 1 with x i ∈ x′ ∪ λ.The implementation of unmap ensures we reinstall complement markings.More precisely, if Since by (SM1), name r was the only restriction bound to n, So we assume the communication is on a fresh channel n 1 and sends a fresh name n 2 .The cases where x 1 or y 1 are mapped to public names are similar.
For marking M , the test commands that label transition (t 1 , t 2 ) allow us to conclude the marking in Line (6.8).
In the following Line (6.9), the implementation of mapping requires a token on [y 2 =n 2 ].By (SM3), this only gives M ([y 2 =n 2 ]) = 0. We derive that actually all [y 2 =a] are unmarked as follows.We have (G, M ) ∈ B, which means M is known to correspond to a process.This process has a substitution that does not contain y 2 in its domain.This is due to (DOM) in combination with the fact that y 2 is bound.Constraint (COR1) yields M ([y 2 =a]) = 0 for all a ∈ P ∪ N .
That t r is enabled gives the first marking in Line (6.10).With (SM1) and (SM3), we conclude that no name maps to n r .Like for y 2 , we get that r does not map to any fresh name, Line (6.11).
In the control flow, marking ) instead of (S 1 , λ 1 ) and (S 2 , λ 2 ) are marked in N (S Init ,1 ) and N (S Init ,2 ).For the substitution net, we only give the places on which the marking has changed.The following is immediate from the definition of implementation: Claim 1.a:There is G ′ ∈ Reach(F )/ ≡ so that G ֒→ G ′ We assume that G and M 1 ∪M 2 are related by B. Hence, there is a process in normal form that satisfies From marking M 1 ∪ M 2 , we now derive the following information: The equalities on S 1 and S 2 are due to the markings of the nets N (S Init,1 ) and N (S Init,2 ).For the substitution, we make use of the fact that M 1 corresponds to σ 1 ∪ . . .∪ σ n .We have ) with n 1 ∈ N .Since x 1 and x 2 are bound to at most one name by (SM2), this allows us to conclude that the markings of [x 1 =n] and [x 2 =n] coincide for all names n ∈ N .Hence, we get σ 1 (x 1 ) = σ 2 (x 2 ) by (COR4).By (DOM), we have that σ 1 (x 1 ) ∈ r ∪ P. If σ 1 (x 1 ) was in P, we had M 1 ([x 1 =σ 1 (x 1 )]) = 1 by (COR2).This is not the case, hence σ 1 (x 1 ) ∈ r.For y 1 , the reasoning is similar.We already mentioned above that {y 2 , r} / ∈ dom(σ 1 ∪ . . .∪ σ n ).The normal form process has a reaction to Hence, G ֒→ G ′ .Since G was reachable from F , we have G ′ reachable from F .Moreover, we already argued in the proof of Lemma 6.4 that G ′ has the required normal form.
For the threads, the reasoning is as in Lemma 6.4.We check that to (COR3) are as before.For (COR4), we consider r = x ∈ dom(σ ′ ).We have σ ′ (r) = σ ′ (x), which coincides with the fact that Proof of Theorem 6.2.We show that B relates F and M 0 .The transitions can be mimicked due to Lemmas 6.4 and 6.5.By our assumptions, we have Here, S Init,i are choices or calls that have been derived from artificial defining equations.Moreover, σ i : fInit,i → r ∪ P with dom(σ i ) = fInit,i = fn (S Init,i ) ∪ ∅.This shows (DOM), and concludes the proof that F is in normal form.For the initial marking M 0 = M 0,1 ∪ M 0,2 of N (F ), we have that M 0,1 corresponds to σ 1 ∪ . . .∪ σ n as needed.In the control flow nets N (S Init,i ), we have the necessary tokens on (S Init ,i , ε).

Optimisation of the translation
In this section, we propose optimisations of the translation, which can significantly reduce the size of the resulting safe PN and increase the efficiency of subsequent model checking.
7.1.Communication splitting.Recall the size of the PN resulting from our translation is dominated by the number of transitions modelling communication.We now propose a method to significantly decrease this number.It actually reduces the asymptotic worst case size from O( F 4 ) down to O( F 3 ).Furthermore, its straightforward generalisation yields a polynomial translation from polyadic π-calculus to safe PNs, see Sect. 8.
The idea is to model the communication between potentially synchronisable actions a b and x(y) not by a single step but by a pair of steps.The first checks that a and x are mapped to the same value by the substitution, and the second maps y to the value of b.
Assume a b and x(y) correspond to stub transitions t ′ and t ′′ .To implement the decomposition, we create a control place p middle 'in the middle' of the communication and two sets of transitions, t 1 i and t 2 j .The transitions t 1 i , created for each i ∈ dom(a) ∩ dom(x), work as follows.Each t 1 i • consumes tokens from the input places of t ′ and t ′′ and produces a token on p middle ; • checks by read arcs that [a = i] and [x = i] are marked (i.e. the substitution maps a and x to the same value i and thus the synchronisation is possible).The transitions t 2 j , created for each j ∈ dom(b) ∩ dom(y), work as follows.Each t 2 j • consumes a token from p middle and produces tokens on the output places of t ′ and t ′′ ; • checks by a read arc that [b = j] is marked, consumes a token from [y = j] (if this place exists) and produces a token on [y = j] (mapping thus in the substitution y to j, i.e. to the value of b).If the synchronisation is possible in the current state of the system (i.e. a and x have the same value), exactly one of the transitions t 1 i is enabled; else none of these transitions is enabled.Once some t 1 i fires, exactly one of the transitions t 2 j becomes enabled.
7.2.Abstractions of names.In the substitution net described in Sect.3.1, each bound name and formal parameter is represented by a separate row of places.In practice, it is often the case that some bound names and formal parameters can never be simultaneously active, and so can share the same row of places.
We have implemented a simple sharing scheme by introducing an equivalence ∼ on the set of bound names and formal parameters, such that if two names are equivalent then they cannot be simultaneously active.Then the rows of the substitution table will correspond to the equivalence classes of ∼, and for each bound name and formal parameter we will introduce the abstraction operator abs, mapping the name to the corresponding equivalence class of ∼.Now the operations on the substitution (initialisation of a restricted name, remapping and unmapping) can be performed on the abstractions of names rather than the names themselves.
A possible choice of equivalence ∼ and the related abstraction is as follows.For each name b ∈ R ∪ I ∪ F, we denote by thread (b) the thread where b is defined (note that due to (NC) and the assumption that threads do not share defining equations, thread (b) is unique).Furthermore, we define and two names are considered equivalent wrt.∼ iff their abstractions coincide.This equivalence ensures that two distinct names related by it belong to the same thread, and that their scopes lie within either different defining equations or different branches of some choice operator, and so the names cannot be simultaneously active.Other choices of ∼ and abs are also possible, and we plan to explore them in our future work.

7.3.
Better overapproximations for name domains.Recall that the domain of a bound name or formal parameter is an overapproximation of the set of values from P ∪ N that it can take.While the rough overapproximation proposed in Sect. 3 is sufficient to make the translation polynomial, its quality can be improved by static analysis, resulting in a much smaller PN.In particular, the number of synchronisations between communication actions as well as the number of transitions implementing each communication may be reduced significantly.Furthermore, the number of transitions implementing parameter passing in calls and the number of places in N Subst can also decrease substantially.We outline a simple iterative procedure to compute better overapproximations.We start by setting dom(p) df = {p} for each public name p.For each restricted name r we set dom(r) df = {r}, interpreting this as that the values of r are taken from the set N r of unique values (the procedure never looks inside N r , and only exploits the fact that the names from N r are different from all the other names).The domains of these names are fixed and will not be changed by the procedure.The domains of all other names occurring in the FCP are initialised to ∅; they will grow monotonically during the run of the procedure, converging to some overapproximations.
Each iteration of the procedure identifies two actions, a b and x(y), that satisfy the following conditions: (i) the actions belong to different threads of the FCP; (ii) dom(a) and dom(x) overlap; and (iii) dom(b) dom(y).If no two such actions can be found, the procedure stops, returning the current values of the domains.Otherwise, dom(y) is replaced by its union with dom(b).Intuitively, the above conditions check that the two actions can potentially synchronise, and so y can be mapped to the value of b, and so its domain has to include that of b.

7.4.
Better overapproximation for |N |.The cardinality of the set N is an important parameter of the translation, affecting the efficiency of almost all its aspects.While the rough overapproximation proposed in Sect. 3 (taking |N | to be the total number of bound names and formal parameters) is sufficient to make the translation polynomial, a better one can make the translation much more practical and amenable to model checking.
In the worst case, all names from R ∪ I ∪ F can be assigned different values from N .To improve the overapproximation of Sect.3, we observe that in many cases not all such names can be simultaneously active, i.e. it is enough to overapproximate the number of such names that can be simultaneously active.The number of names from R ∪ I ∪ F that can be simultaneously active in a thread can be computed by separately determining this parameter for each of the defining equations belonging to this thread, as well as the subterm of the main process corresponding to this thread, and taking the maximum of these values.Since these π-calculus expressions are sequential, their parse trees can only have the + operator in every node where a branching occurs, and so the sought value is simply the maximum of the numbers of active names from R ∪ I ∪ F in the leafs of this parse tree.Furthermore, the names whose domains contain no restricted names can be ignored by this analysis.7.5.Sharing subnets for unmapping names.When we call K⌊ã⌋, some names have to be unmapped in the substitution.The subnet for unmapping a particular name can be shared by all points where such unmapping is necessary.This reduces the size of the resulting PN.This optimisation is especially effective when name abstractions (see above) are used, as the sharing increases significantly in such a case.7.6.Re-ordering parameters of calls.Consider the FCP K⌊a, b⌋ with: With the definition on the left, when name abstractions are computed, the equivalence relation has two classes, {f 1 , f 3 } and {f 2 , f 4 }.Hence, the substitution has to be modified every time the calls are performed, as the call parameters keep getting flipped.If the order of the formal parameters in one of the defining equations is changed (together with the order of the factual parameters in the corresponding calls), as shown on the right, the substitution would not require any changes.This significantly reduces the size of the resulting net.This example illustrates that the order of formal parameters in the defining equations matters, and the translation can gain savings by changing this order.Searching for the best order of formal parameters can be formulated as an optimisation problem, with the cost function being the total number of changes required in the substitution for all the calls.7.7.Dropping the restrictions in the main term of the FCP.All restrictions in the main term of the FCP can be dropped, making the formerly restricted names public.Note that due to (NC), this does not introduce name clashes.The transformation yields a bisimilar π-calculus process, but the corresponding PN becomes smaller.7.8.Separate pools of values for restricted Creation of names introduces arbitration between the values in N (see Sect. 3.2): a name that is currently unused has to be chosen to initialise the given restricted name.Such arbitration can adversely affect the efficiency of some model checking methods.
It is possible to eliminate such arbitration by splitting N into several pools, one for each thread, and initialise restricted names only from the corresponding pool, by sequentially looking for the first unused value.This however increases the size of the resulting PN.Moreover, if symmetry reduction is used in model checking, the problem vanishes.7.9.Using symmetries.The translation introduces a number of symmetries in the PN: (i) the values in N , and thus the corresponding columns of the substitution (see Fig. 3), are interchangeable; and (ii) when enforcing the assumption that threads do not share defining equations as explained in Sect.2, some equations are replicated.
It is desirable to exploit these symmetries during model checking.In particular, this would efficiently handle the arbitration that arises when a value from N has to be chosen to initialise a restriction.If symmetries are used, all the immediate successor states of the arbitration are equivalent, and only one of them has to be explored further.Translation to coloured PNs In this case, the symmetries present in the PN can be used to fold it.In particular: • The values in N are interchangeable, and so the corresponding columns of the substitution can be folded into one column, by giving the tokens corresponding to the elements of N unique colours.• Instead of enforcing the assumption that the threads do not share defining equations (see Sect. 2), one can use coloured control tokens that are unique for each thread.

Extensions
We now generalise the translation to some often used extensions of π-calculus, viz. to polyadic communication and synchronisation, and to match and mismatch operators.A polynomial translation of this extension generalises the communication splitting idea described in Sect.7. We perform the communication in stages.At the first step, one checks that a and b are mapped to the same value by the substitution.The subsequent steps map, one-by-one, y i to the value of x i in the substitution.
Polyadic synchronisation captures, in a clean formalism, expressive features like locality.To extend our translation to polyadic synchronisation, we check, one-by-one, that the channel bindings of both processes match.
In the presence of polyadic synchronisation, the relationship between the FCP and its PN translation is subtle, since false deadlocks may be introduced.For example, in a 1 • a 2 (y) | b 1 • b 2 x the evaluation may find a 1 and b 1 bound to the same name, σ(a 1 ) = σ(b 1 ), while a 2 and b 2 do not match.In this case the resulting PN will get stuck in the middle of the evaluation.This does not happen in the original π-calculus process.Nevertheless, such false deadlocks can easily be distinguished from real ones, and so the resulting PN is still suitable for model checking.An alternative is to use the idea of the construction in Sect.10, which avoids false deadlocks.

Match and mismatch operators
The match and mismatch operators are a common extension of π-calculus.Intuitively, the process [x = y].S behaves as S if σ(x) = σ(y) and does nothing otherwise, and the process [x = y].S behaves as S if σ(x) = σ(y) and does nothing otherwise.To handle these operators, we extend the construction of N (S Init ) with the following transitions.For each a ∈ P ∪ N , we have where λ ′ contains the names from {x, y} \ fn (S).For the latter rule, new places [x =a] complementing [x=a] may have to be introduced to N Subst .The relationship between FCP and PN is similar to the case of polyadic synchronisation.

Experimental results
To demonstrate the practicality of our translation-based approach to π-calculus verification, we implemented the encoding of FCPs into safe PNs in the tool Fcp2Pn2 , and used the resulting nets for model checking a number of benchmark systems. 2  The NESS (Newcastle E-Learning Support System) series of benchmarks models an electronic coursework submission system [12].The model consists of a teacher process T composed in parallel with k students S (the system can be scaled up by increasing the number of students) and an environment process ENV .Every student has its own local channel for communication, h i , and all students share the channel h: The students are supposed to submit their work for assessment to NESS .The teacher passes the channel nessc of the system to all students, h i nessc , and then waits for the confirmation that they have finished working on the assignment, h i (x i ).After receiving the NESS channel, h i (nsc), students non-deterministically organise themselves in pairs.To do so, they send their local channel h i on h and at the same time listen on h to receive a partner, h h i . . .+ h(x) . . .When they finish, exactly one student of each pair sends two channels (the own channel h i and the channel received from the partner) to the support system, nsc h i .nscx , which give access to their completed joint work.These channels are received by the ENV process.The students finally notify the teacher about the completion of their work, h i fin .Thus, the system is modelled by: T (nessc, h 1 , . . ., h k ) := k i=1 h i nessc .hi (x i ).0 S (h, h i ) :=h i (nsc).(hh i .hi fin .0+ h(x).nsch i .nscx .hi fin .0)ENV (nessc) :=nessc(y 1 ). . . ..nessc(y k ).0 To distinguish proper termination from deadlocks (where some processes are stuck waiting for a communication), a new transition is added to the PN that creates a loop at the state corresponding to successful termination.Obviously, the system successfully terminates iff the number of students is even, i.e. they can be organised into pairs.
The DNESS model is a refined version of NESS , with deterministic pairing of students.Thus, the number of students is always even, and these benchmarks are deadlock-free.
The CS (m,n) series of benchmarks models a client-server system with one server, n clients, and the server spawning m sessions that handle the clients' requests: On a client's request, the server creates a new session using the getses channel, getses(s).A session is modelled by a SESSION process.It sends its private channel νses along the getses channel to the server.The server forwards the session to the client, y s , which establishes the private session, and becomes available for further requests.A communication on the channel ses terminates the private session.All these benchmarks are deadlock-free.
The GSM benchmark is a specification of the handover procedure in the GSM Public Land Mobile Network.We use the well-known π-calculus model from [22], with one mobile station, two base stations, and one mobile switching.We also studied a variant GSM ' where a restriction in the sender process is dropped: the sender keeps sending the same message instead of generating a new one every time.Since the content of the message is not important, this change is inconsequential from the modelling point of view.However, it significantly reduces the size of the PN.Indeed, the modified FCP is restriction-free, and so N = ∅.
The PHONES benchmark is a classical example taken from [19], modelling a handover procedure for mobile phones communicating with fixed transmitters, where the phones have to switch their transmitters on the go.
The experimental results are given in Table 1, with the columns showing from left to right: name of the case study ( † indicates deadlocks); sizes of the original FCP and its normal form (see Sect. 2), together with the cardinality of N determined by static analysis; number of places and transitions in the resulting safe PN; and deadlock checking time.
The experiments were conducted on a PC with an Intel Core 2 Quad Q9400 2.66 GHz processor (a single core was used) and 4G RAM.The deadlock checking was performed with the LoLA tool,3 configured to assume safeness of the PN (CAPACITY 1), use the stubborn sets and symmetry reductions (STUBBORN, SYMMETRY), compress states using P-invariants (PREDUCTION), use a light-weight data structure for states (SMALLSTATE), and check for deadlocks (DEADLOCK).The FCP to PN translation times were negligible (< 0.1 sec in all cases) and so are not reported.
The experiments indicate that the sizes of the PNs grow moderately with the sizes of the FCPs, and that the PNs are suitable for efficient verification: deadlock checking took less than a minute in all examples.

PN to FCP translation
We now study a translation in the reverse direction.We translate safe PNs into FCPs that are weakly bisimilar and thus do not introduce false deadlocks.Moreover, no livelocks are introduced.This improves over the translations in [1,15].
The motivation for proposing this translation is twofold.First, we obtain a PSPACE lower bound for verification problems on FCPs, see Sect.1.1.Second, the idea can be adapted to translate polyadic communication and match/mismatch operators into safe PNs in a faithful way, see Sect. 8.
The main difficulty is faithful modelling of n-ary synchronisations in PNs by a sequence of binary synchronisations in π-calculus.We address it in three steps.First, we give a folklore translation of PNs into FCPs [1,15], whose advantage is its simplicity.The drawback is that it can introduce false deadlocks.To fix this problem, we develop a second translation, which yields a weakly bisimilar FCP.This in particular implies the absence of false deadlocks.The translation may, however, introduce livelocks.We eliminate these livelocks in our third translation using scheduling.
All these translations are linear.Moreover, they use a very restricted set of π-calculus capabilities: communications do not pass information (in particular, no reference passing is used), no restricted names are used, the calls do not have any parameters, no τ actions are used, and the result is a safe FCP (see Sect. 2).As a consequence, the translations can be adopted to process calculi with weaker communication capabilities, such as CCS [18].
We fix N = (P, T, F, M 0 ) as the safe PN to be translated.All communications will pass a fixed public name ε, which is not used for any other purpose.Thus, the simplified syntax a and x is used instead of a ε and x(y), respectively.Similarly, since calls do not pass parameters, we write K for K⌊−⌋.

Blocking translation
The following translation is inspired by [1,15].For each place p ∈ P , there is a separate public channel, also denoted by p, and a thread with two defining equations corresponding to the presence and absence of a token in p: Marked p := p.Empty p Empty p := p.Marked p A marked place can send a message over channel p, which models token consumption, and become empty.Similarly, an empty place can receive a message over p, which models token production, and become marked.
For each transition t ∈ T with • t = {p 1 , p 2 , . . ., p m } and t • = {q 1 , q 2 , . . ., q n }, we create a thread with the following defining equation: Tran t := p 1 .p 2 . . . ..p m .q 1 .q 2 . . . ..q n .Tran t Intuitively, the transition consumes tokens, one-by-one, from the places in • t by receiving messages over the corresponding channels.Then it produces tokens, one-by-one, in the places in t • , by sending messages over the corresponding channels.Since the PN is safe, it is guaranteed that the places in t • were empty.
The initial term of the FCP is as follows: The simulation is performed in rounds.In each round the scheduler tries to execute a single transition, trying them one-by-one in some non-deterministically chosen order.If none of them can be executed, the scheduler blocks.Otherwise, some transition is executed and a new round starts.
Assuming that T = {t 1 , t 2 , . . ., t k }, the specification of the scheduler is as follows: Scheduler := go.(failure.Scheduler + success.resett 1 .resett 2 . . . ..reset t k .Scheduler) In each round, the scheduler non-deterministically chooses a transition by communicating with a process Tran t over the public channel go.Upon receiving a message from the selected transition about a failed execution attempt, the scheduler chooses another available transition, or blocks if there is none (in which case the simulated PN has reached a deadlock state).Upon receiving a message about successful execution of a transition, the scheduler communicates over channels reset t with every transition process in some fixed order to make them available again.The transition processes that are still available also participate in this communication, but do nothing in response.Then a new round starts.The specification of the place process remains the same, and that of the transition process is amended as follows: Tran t := reset t .Tran t + go.TryCons 1 t Ret 0 t := failure.resett .Tran t Prod t := q 1 .q 2 . . . ..q n .success.Tran t The definitions of TryCons i t and Ret j t for j = 0 remain the same.Initially, Tran t may receive a reset request over the public channel reset t and return to the initial state.Alternatively, it competes with the other transitions to communicate over the go channel, which results in a non-deterministic selection of a transition to be executed.Note that the non-deterministic selection is essential here, as any fixed order of selection may perpetually ignore some enabled transition by always executing preceding transitions.The selected transition process then works as in the non-blocking translation above, but additionally communicates its failure or success to the scheduler.In case of failure, the transition is blocked until it is reset by the scheduler with a communication over reset t .
One can see that the resulting FCP is weakly bisimilar with the original PN, and the problem of livelocks is solved.

Conclusions
We developed a polynomial translation from finite control π-calculus processes to safe lowlevel Petri nets.To our knowledge, this is the first such translation.There is a close correspondence between the control flow of the π-calculus specification and the resulting PN, and the latter is suitable for practical model checking.The translation has been implemented in the Fcp2Pn tool, and the experimental results are encouraging.
We have also proposed a number of optimisations allowing one to reduce the size of the resulting PN.Moreover, we have shown how to generalise the translation to more expressive classes of processes.In particular, we discussed how to handle polyadic communication, polyadic synchronisation, and match/mismatch operators.
In future work, we plan to further improve the translation by a more thorough static analysis, and to incorporate it into different model checking tool-chains, in particular, ones based on PN unfolding prefixes and abstraction-refinement approaches.Moreover, it would be interesting to check if some analog of Theorem 6.2 holds for barbed bisimulation.Furthermore, we would like to consider the labelled semantics of π-calculus.

2. Basic notions 2 . 1 .
Petri nets.A Petri net (PN) is a tuple N df = (P, T, F, M 0 ) such that P and T are disjoint sets of places and transitions, F ⊆ (P × T ) ∪ (T × P ) is a flow relation, and M 0 is the initial marking of N , where a marking M : P → N df = {0, 1, 2, . ..} is a multiset of places in N .We draw PNs in the standard way: places are represented as circles, transitions as boxes, the flow relation by arcs, and a marking by tokens within circles.The size of N is N df = |P | + |T | + |F | + |M 0 |.We denote by • z df = {y | (y, z) ∈ F } and z • df = {y | (z, y) ∈ F } the preset and postset of z ∈ P ∪ T , respectively.A transition t is enabled at marking M , denoted by M t →, if M (p) > 0 for every p ∈ • t.Such a transition can fire, leading to the marking M ′ with M ′ (p) df = M (p) − F (p, t) + F (t, p) for every p ∈ P.

3 . 1 .
3.1.The second net H(N (S 1 ) . . .N (S n )) represents the control flow of the FCP.Each net N (S i ) is a finite automaton that reflects the control flow of thread S i .Importantly, the transitions of N (S i ) are annotated with synchronisation actions and sets of commands that explicitly handle the introduction and removal of name bindings.Parallel composition synchronises the subnets of all threads.The operator places the nets side by side and merges pairs of transitions with complementary synchronisation actions send (a, b) and rec(a, b).Hiding H then removes the original transitions.After hiding, transitions in the control flow net only carry name binding commands.The implementation operator ⊳ implements them by adding arcs between the control flow net and N Subst .We elaborate on the construction of the control flow in Sect.3.2, and Sect.3.3 illustrates the translation on an example.Petri net representation of substitutions.A substitution σ : R ∪ I ∪ F → P ∪ N maps the bound names and formal parameters occurring in the FCP to their values.The compact PN representation of substitutions is a key element of the proposed translation.It should efficiently support the following operations:
(i) For each var ∈ I ∪F and val ∈ N , place [var = val ] is complementary to [var = val ]. (ii) For each val ∈ N , the places [r 1 = val ], [r 2 = val], . . .are mutually exclusive, so that no two restricted names can be mapped to the same value.Moreover, [r * = val ] is complementary to all these places.
The substitution N Subst This net consists of(|I| + |F|) |P| + (2|I| + 2|F| + |R| + 1) |N RIF |places, with no transitions or arcs, see Fig.3, which is O( F 2 ) in the worst case.Mapping a name in I ∪ F A separate transition with O(1) incident arcs is created for each value in P ∪N RIF .Hence, the cost of mapping a single input name or formal parameter is O( F ) in the worst case.(The cost of initialising a restricted name is discussed later.)Unmapping a name in I ∪F ∪R A separate transition with O(1) incident arcs is created for each name in P ∪ N RIF (in case of an input name or formal parameter) or N RIF (in case of a restricted name).Hence the cost of unmapping a single name is O(|P|+|N RIF |) = O( F ) in the worst case.

Figure 5 :
Figure 5: Translation of a restriction with map(r, n) implemented.

Figure 6 :
Figure 6: Translation of communication (left), parallel composition and hiding (center), and implementation of commands (right).

Fig. 5
Fig. 5 illustrates the implementation of mapping for a restriction, map(r, n).Tests and mapping of an input name are shown in Fig. 6(right).
and depth(b) to be the number of names b ′ ∈ R ∪ I ∪ F in whose scope b resides and such that type(b) = type(b ′ ).Then the abstraction of b can be defined as a tuple abs(b) df = thread (b), type (b), depth(b) , Hence we propose the following improved overapproximation of |N |.If there are no occurrences of the restriction operator in the FCP, |N | df = 0. Else, for each thread we compute the maximal number of names from R ∪ I ∪ F that can be simultaneously active in it, max{|fn S ′ ∪ λ| | (S, ε) is a defining process and (S, ε) − ։ * (S ′ , λ)}, and set |N | to the sum of these numbers.

7. 10 .
Translation to different PN classes.Our translation produces a safe PN, as this PN class is particularly suitable for algorithmic verification.However, if the model checking method can cope with more powerful PN classes, the following changes can be made.Translation to bounded PNsFor each val ∈ N , we can fuse the places [var = val], where var ∈ {r * } ∪ I ∪ F, into one place [ * = val ].We thus replace |N | • (|I| + |F| + 1) safe places with |N | places of capacity |I| + |F| + 1.It is still possible to perform all the necessary operations with the substitution.In particular, to find a value val ∈ N to which no bound name or formal parameter is currently mapped, and map a given restricted name r k to val , the PN transition performing the initialisation has to: • consume by a weighted arc |I| + |F| + 1 tokens from [ * = val ] (checking thus that val is not assigned to any name) and return by a weighted arc |I| + |F| tokens; • produce a token at [r k = val ].

p∈M 0
Marked p | p∈P \M 0 Empty p | t∈T Tran tClearly, the size of the FCP is linear in the size of the original PN.However, this basic translation can introduce false deadlocks.Indeed, it is possible for a thread Tran t to Hence, the initial term of the FCP becomes p∈M 0 Marked p | p∈P \M 0 Empty p | t∈T Tran t | Scheduler .e. α-conversion of bound names is allowed, | is commutative and associative with 0 as the neutral element, and for choices associativity and commutativity are enforced by the notation i∈I π i .S i , νr.P ≡ νr ′ .P {r ′ /r} if r ′ / This is due to fn (νr.S ′ 2 ) \ {y 2 } ⊆ fn(S 2 ).Equation (6.5) is due to (fn νr.S ′ 2 \ {y 2 }) ∪ {y 2 , r} = fn S ′ 2 ∪ {y 2 , r}.Equation (6.6) holds by {y 2 , r} ⊆ fn(S ′ 2 ).Finally, Equation (6.7) holds by definition of the augmented transition relation − ։.