Formal verification of OIL component specifications using mCRL2

To aid in making software bug-free, several high-tech companies are moving from coding to modelling. In some cases model checking techniques are explored or have already been adopted to get more value from these models. This also holds for Canon Production Printing, where the language OIL was developed for modelling control-software components. In this paper, we present OIL and give its semantics. We deﬁne a translation from OIL to mCRL2 to enable the use of model checking techniques. Moreover, we discuss validity requirements on OIL component speciﬁcations and show how these can be formalised and veriﬁed using model checking. To test the feasibility of these techniques, we apply them to two models of systems used in production.


Introduction
To better understand a software system, developers can create abstract models during the design phase. One such model is a behavioural model, which describes the executions of the system. To prove that this model meets the requirements the software should satisfy, one can use model checking, which enables checking of requirements for all executions of the model. While model checking holds great promise, industry so far seems reluctant to adopt the technique. One reason is that most model checking tools build on academic languages, not tailored to the needs of the average engineer.
One company that has shown an interest in using formal methods in the development of their software is Canon Production Printing. Within Canon Production Printing, modelling is a key part of system development for many This work was carried out as part of the VOICE-B project, which is funded by Canon Production Printing. Tim A.C. Willemse t.a.c.willemse@tue.nl 1 Eindhoven University of Technology, Eindhoven, Netherlands 2 Canon Production Printing, Venlo, Netherlands years already, including the development of domain specific modelling languages [38]. The Open Interaction Language (OIL) is an example of such a language. Its original purpose was to model software interface communication protocols and enable automatic analysis of event log files (trace simulation). Later it has been extended to enable the modelling of control-software components, including the generation of executable code. This has been used to (re)implement several behaviourally complex software components that run on Canon's high-end print systems.
OIL's trace simulation can be used to automatically test a specification by means of a set of pass and fail traces. This is a useful tool to for example reduce risk of regression when the specification evolves. Testing does not always suffice however as several requirements are not feasible to check using testing methods alone. This typically concerns requirements that state the complete absence of some type of undesired behaviour. In this paper, we use OIL as a use case to show how the use of formal methods can help to meet such requirements.
While OIL was designed to have unambiguous semantics, these semantics were previously not formally defined. As a first contribution of this paper, we define a formal operational semantics that corresponds to the behaviour of OIL component specifications. Next we introduce a number of validity requirements over these semantics, ones for which testing is not a feasible approach.
Having a formal semantics opens the door to the use of formal methods such as model checking. As our second contribution, we define a translation from OIL component specifications to mCRL2 [22], using the operational semantics as reference. We chose to define both an operational semantics and a translational semantics to separate the concerns of the formalisation of OIL and the translation of OIL to mCRL2. The flexibility of mathematical notation allows the definition of the operational semantics to stay close to the concepts of OIL, while the translational semantics only needs to focus on the translation from mathematical concepts to mCRL2. The target language mCRL2 is supported by a powerful toolset [13] offering model checking and equivalence checking facilities. We have implemented the translation in the Spoofax language workbench [44].
To formally verify the validity requirements on a translated OIL specification, we define the validity requirements in terms of the mu-calculus. For two validity requirements we also define algorithms to check them, as the mu-calculus does not fit these requirements very well. To test the feasibility of our methods, we apply these techniques to some OIL specifications of software components that are used in production at Canon Production Printing. This paper extends [12] as follows. We previously only described the semantics of OIL, the validity requirements and the translation to mCRL2 informally. In this extended version we define these formally as well. Also, we provide an alternative way for checking two of the validity requirements.
Related work There is a large body of work reporting on the successful application of model checking to industrial cases. These works typically focus on specific business domains, such as for example railway management [3,4,6,9,31,33], automotive [28,29,39,42] and biomedical [26,36]. The modelling languages Statemate, UML and SysML can be used to model systems of any business domain. A lot of research has gone into verification of models written in these languages, see for example [8,17,41], [16,24,30,35,37,47] and [10,29,45] respectively and the references therein.
Works on modelling control software that are close to ours are those on the FSM language used at CERN [25] and on the Dezyne language developed by the company Verum [7]. The FSM language used at CERN enforces a strict architecture that is tailored to the specific application domain; for general use, this architecture is often too rigid. Using the Dezyne language, a software engineer can model a software system and automatically verify that such a model adheres to the interfaces it uses or implements. Compared to Dezyne, OIL is primarily a modelling language, focussing on ease of use, flexibility and an unambiguous visualisation, whereas Dezyne was designed with verification as the primary focus.
Outline In Sect. 2 we first introduce OIL informally. Then in Sect. 3 we fix some definitions which we then use to define the formal semantics of an OIL specification in Sect. 4. In Sect. 5 we define what it means for an OIL specification to be valid. We give a translation from OIL to mCRL2 specifications in Sect. 6 and show how validity of an OIL specification can be verified in Sect. 7. In Sect. 8 we show the results of some experiments on OIL models of systems used in production. Lastly, we discuss our techniques and results in Sect. 9 and conclude in Sect. 10.

An introduction to OIL
OIL (Open Interaction Language) was created by Van Gool as a language to specify, analyse and visualise the (communication) behaviour of control-software systems, partly based on [21]. Using dedicated tooling, one can visualise and analyse OIL specifications. OIL is a textual language, originally based on XML. However, as XML is not very user friendly due its verbosity, a DSL has been designed by Denkers and syntactic sugar was added to OIL [18]. Both the syntax definitions of the XML (OILXML) and the DSL (OILDSL) variants of OIL and the desugaring steps have been implemented in the Spoofax language workbench [44].
While printing is the primary business domain of Canon Production Printing, OIL contains no logic or language constructs specifically tailored to this domain and can therefore also be used in other business domains. Moreover, OIL follows a philosophy of separation of concerns, which helps the engineer to cope with complex behaviour by enabling one to model separate aspects of the system separately in a concise way. This philosophy also allows for a readable and unambiguous visual representation, which is often deemed an indispensable tool in discussions among engineers.
With OIL one can create both component and protocol specifications. A component specification models the behaviour of a software component, whereas a protocol specification models the desired communication behaviour between components. Although the semantics of both types of specifications is similar, we only focus on component specifications in this paper.
See Fig. 1 for the visualisation of an example OIL specification that models a printer with overheating issues. See A.1 for the corresponding desugared textual OILDSL specification. In the rest of this section we give an informal view of OIL and intuitively explain its main concepts using this specification as running example.
Each OIL component specification consists of a number of instance variables, areas and transitions.

Instance variables
Instance variables store the state information of an OIL component specification. We call an instance of such state information an instance state, which associates every instance variable with a value. Each instance variable has an initial value, resulting in an initial instance state. In OIL component specifications, instance variables are prepended with the keyword 'this' to indicate that these belong to the scope of the modelled component instance.

Example 1
The running example defines four instance variables, namely power, job, tmp and sheets. They can be found in the visualisation prepended with the keyword this, which indicates that this variable is part of the instance state. Instance variable power stores whether the component is on using enum values o f f and on . Instance variable job stores whether the component is busy with a print job using enum values idle and busy . Instance variable tmp stores the temperature of the component as an integer value. Instance variable sheets stores how many sheets are left to print as an integer value. The initial instance state maps power to o f f , job to idle , tmp to 20 and sheets to 0. For brevity of notation, we denote such an instance state by o f f , idle , 20, 0 .

Areas
OIL has three types of areas: regions, states and scopes. A region corresponds to an instance variable and is used to model behaviour for this variable. Each region contains a number of states which represent values that this variable can have. In the context of the state we refer to this variable as the variable for this state. A scope contains a boolean expression that serves as an invariant and is typically used to restrict possible behaviour. Areas are organised as multiple (directed) trees, so an area is either a root area or has a parent. An area may also have so-called super areas, which introduce more parent-child like relations. Super areas relax the strict tree structure to a directed acyclic graph and are typically used for the creation of areas that represent a collection of other areas.

Example 2
The running example has eight areas: two regions, each containing two states, and two scopes. Regions are drawn as dotted boxes, states as ovals and scopes as solid boxes. Areas are directly contained in their parent area. No area in this example has super areas. The two regions refer to the instance variables power and job and contain states for each value in the domain of these variables. The scope in the middle models that the component may only handle jobs when it is switched on. An alternative way of modelling this restriction would be to make the region that refers to job a child of state on in the tree structure. The scope on the bottom models that the temperature should stay below 45. In the visualisation, a state is filled with a colour if the current instance state maps the variable for this state to the value of this state. The visualisation shows the initial instance state and therefore the states with values o f f and idle are filled.
Every area is associated with a condition (the area condition) and an update (the area update). The area condition of an area is a boolean formula. It is true for a given instance state iff it is a root area or the area condition of its parent area is true, in conjunction with the area conditions of its super areas and -In case the area is a state: the variable for this state equals the value of this state. -In case the area is a scope: its invariant.
We say that an area is active given an instance state iff its area condition is true for this instance state. The area update of an area is a set of assignments to instance variables. It is empty if it is a root area or equal to the area update of its parent, in union with the area updates of its super areas and in case the area is a state, the value of this state is assigned to the variable for this state.

Example 3
In the running example there are three active areas in the initial instance state, coloured green. The region referring to power is active since it is a root area. The state with value o f f is active since its parent area is active and the initial instance state maps power to o f f . The bottom scope is active since it is a root area and its invariant is true for the initial instance state. An example of an area update is the one for state o f f , which consists of only one assignment, namely this.power := o f f .

Events and transitions
An event represents the visible behaviour of the system and typically corresponds to a method call. In the context of an OIL component, there are two types of events: reactive events, which are received from the environment, and proactive events, which are produced by the component itself, either sent to the environment or kept internally (the latter are called silent events). Proactive events are also known as locally controlled events in the world of IO automata [32]. Like typical methods, events can have parameters which can be used to exchange data between components.

Example 4
The running example has six distinct events: turn_off, turn_on, add_job, \sheet_printed, \job_printed and cool_down. Only events \sheet_printed and \job_printed are proactive, indicated by the backslash that precedes the event name. Event \job_printed is also silent, indicated by [silent] in the visualisation. Events add_job and \sheet_printed have integer parameters nrsheets and sheetnr, respectively.
Transitions have a source and target area and an event.
Although it is possible, regions are typically not used as source or target since it does not have any added value to do so. Optionally, a transition can have a guard, a collection of assignments and an assert. If the event of the transition has parameters, the transition may also have arguments, which specify fixed values for these parameters.

Example 5
The running example has seven transitions, each drawn as an arrow from its source area to its target area. The event of a transition is the first element in the transition label. This event is followed by a number preceded by a hash symbol, which is used to be able to identify transitions by their event and this number alone. This number is not part of the OIL specification, but generated. The arc of the arrow is dotted if the event of the transition is silent, otherwise it is solid. Below the event, guards are shown between square brackets and assignments are shown following a backslash. The assignments in this example are used to update the instance variables tmp and sheets. There are no transitions with asserts in this example. Only the transition with event \sheet_printed has an argument, which specifies that sheetnr must be equal to this.sheets.
With every transition we associate a transition precondition, a transition update and a transition postcondition. The transition precondition determines whether the transition can fire and is true iff its source area is active, its guard is true and the values for the event parameters are consistent with the transition's arguments. The transition update defines how the instance state changes whenever this transition fires and consists of the area update of its target area and its assignments. The transition postcondition determines whether the firing of the transition was successful and is true iff its target area is active and its assert is true. If the transition postcondition is false after the transition has fired, we say that the transition has failed.

Example 6
For the transition in the running example with event \sheet_printed, the transition precondition is this.power = on ∧ this.job = busy ∧ this.sheets > 0 ∧ sheetnr = this.sheets, the transition update is {this.job := busy , this.sheets := this.sheets − 1} and the transition postcondition is this.power = on ∧ this.job = busy .

Updating the instance state
An update of an instance state is triggered by the occurrence of an event. Whenever an event occurs, all transitions with this event that can fire, do fire. All updates of transitions that fire are applied simultaneously, resulting in a new instance state. Afterwards, the postconditions of the transitions that fired are checked in this new instance state. If any postcondition is not met (a transition failed), we say that the event fails, resulting in an inconsistent instance state (typically a crash of the component). An event also fails if the transition updates of firing transitions are incompatible, that is if two assignments in these updates assign different values to the same variable.
Note that having two OIL transitions with the same source state and event does not indicate a non-deterministic choice: if both can fire and the event occurs, they fire simultaneously.

Example 7
Suppose that in the initial instance state of the running example the event turn_on occurs. This event corresponds to two transitions, identified as turn_on #1 and turn_on #2. Both transitions fire since both transitions' preconditions are true. This causes turn_on #1 to update power to on and turn_on #2 to update tmp to tmp+5, resulting in instance state on , idle , 25, 0 . In this instance state both transitions' postconditions are true and therefore the event succeeds.
It is possible for an event to fail in the running example. When turn_on occurs in instance state o f f , idle ,40, 0 , both transitions fire which results in instance state on , idle , 45, 0 . Since in this resulting instance state it does not hold that tmp < 45, transition turn_on #2 (and therefore the event turn_on) fails. This failure models a crash of the component due to overheating. To make this restriction more explicit to the user of the component, a guard [this.temp < 40] can be added to turn_on #2.
There are no events with incompatible transition updates in the running example.

Concerns
As mentioned in the introduction, OIL follows the separation of concerns philosophy. This philosophy enables one to model different aspects of a system separately, which helps keeping OIL specifications of complex systems compact. The running example shows this philosophy. There are three different parts visible in the visualisation of the specification that each model a different aspect of the component: the top part models the power aspect, the middle part models the job aspect and the bottom part models the temperature aspect. The separation of concerns philosophy also allows one to easily change the specification if an aspect of the system changes. For instance, if more detailed job handling is required for the running example, the middle part that models the handling of jobs can be easily replaced with a more refined one.
Such separate parts of an OIL specification can interact with each other by means of references to instance variables. For instance, instance variable power is referred to by both the region in the top part and the scope in the middle part. Parts can also interact with each other by synchronising on the same event. Synchronisation can occur whenever separate parts of an OIL specification contain transitions with the same event. When these transitions can fire and the corresponding event occurs, the transitions fire simultaneously, causing these separate parts to proceed simultaneously.
We can force such synchronisation, that is make sure that separate parts only proceed with an event if all involved parts can proceed, by restricting the possible combinations of transitions for an event that can fire simultaneously. In OIL this is done by giving transitions one or more concerns. Typically, every separate part of an OIL model is associated with a unique concern. We say that an event is part of a concern if one of its transitions has that concern. Then an event may only occur if for each concern this event is part of, at least one of its transitions with that concern can fire. We refer to this as the concern condition. Example 8 In the running example there are three concerns defined, namely POWER, JOB and HEAT, shown after the event in the transition label. The two transitions of event turn_on have different concerns, namely POWER and HEAT, which makes event turn_on only allowed if both transitions can fire. This synchronisation enforces that the temperature increases every time the component is turned

Scheduling and communication of events
The execution of an OIL specification is done by a scheduler, which prioritises proactive events over reactive events. Only when there are no proactive events to execute, the scheduler considers reactive events received from the environment. We call this run-to-completion semantics. To check which proactive events can be produced by the component, the scheduler checks the concern conditions of all proactive events. If this results in more than one possible proactive event, the scheduler chooses arbitrarily.

Example 9
Since only events \sheet_printed and \job_printed are proactive, no other event is considered while any of these two are possible when the running example is executed with a run-to-completion scheduler. This causes the printer to not listen to the environment whenever it is busy printing a job. If we would not have a run-to-completion scheduler, it would for instance be possible to turn the printer off while it is busy printing. Note that if we would put scopes around the top region and bottom scope with the invariant job = idle , the behaviour with or without run-to-completion scheduler would be the same.
Communication between components is done asynchronously. To realise this, each component has an input FIFO queue in which reactive events are stored that the component receives from the environment. Whenever the scheduler is ready to receive a reactive event, it picks the next one from this queue.
We can view a component as having three layers; see Fig. 2 for a visualisation. The first layer L 1 defines the behaviour that the component is capable of as described by the OIL specification. The second layer L 2 defines the behaviour of the run-to-completion scheduler that receives and executes events consistent with the behaviour defined in layer L 1 . Note that L 2 actually has less behaviour than L 1 as runto-completion only puts restrictions on the behaviour of L 1 . The third layer L 3 defines the behaviour of the component as seen from the outside, which includes an input queue to store reactive events and supply them to layer L 2 . As we primarily focus on OIL components in isolation, we will only consider layers L 1 and L 2 for the remainder of this paper.

Formal preliminaries
Before we introduce the semantics of OIL formally, we need to introduce some definitions concerning updates and transition systems, which we only mentioned informally in the preceding section.

Valuations and updates
We define V as the set of all values. Given a set X of variables, a valuation over X is a function X → V that associates each variable in X with a value. We denote V X as the set of all valuations over X .

Definition 1
Let v ∈ V X and w ∈ V Y be valuations over some disjoint sets of variables X and Y . Then the union of v and w is a valuation v ∪ w ∈ V X ∪Y , defined as: Definition 2 Let X and X be sets of variables such that X ⊆ X and let v ∈ V X be a valuation. Then, we define the restriction v| X ∈ V X as: In an OIL specification one can create expressions from constants, variables and operators to define for instance invariants or guards.

Definition 3
Let X be a set of variables. Then, we define an expression f with the following grammar: where c is a constant, x ∈ X a variable and op an n-ary operator for n > 0. We define E XP X as the set of all expressions over variables X .
Given a valuation over the variables in an expression and the interpretation of constants and operators (in boldface), the expression can be evaluated to a single value. Definition 4 Let X be a set of variables. Then, the evaluation of an expression f ∈ E XP X given valuation v ∈ V X , denoted by f v, is defined as follows: where c is some constant, c ∈ V is the interpretation of c, x ∈ X is some variable, op is some n-ary operator for n > 0 and op : V n → V is the interpretation of op.
An expression is ground if it does not contain variables. When we evaluate a ground expression, we can leave the valuation out of the notation. For instance, the evaluation of a constant c can be written as c .
A valuation can be changed with an update, which is a set of assignments to variables. We assume type correctness of all expressions and assignments in this paper.

Definition 5
Let X be a set of variables. Then, an update U over variables X is a set of assignments of the form x := f for x ∈ X and f ∈ E XP X .
There is no restriction on how many assignments an update can have for the same variable. However, the application of an update on a valuation can only result in a single value for each variable in the domain of the valuation. If two assignments to the same variable would result in different values, we say that the update is incompatible with the valuation.

Definition 6
Let X be a set of variables, v ∈ V X a valuation and U an update. Update U is compatible with v, denoted by CP(v, U ), iff for every two assignments x := f , x := g ∈ U for x ∈ X , it holds that f v = g v.
When an update is compatible with a valuation we can apply it to obtain a new valuation.

Definition 7
Let X be a set of variables, v ∈ V X a valuation and U an update compatible with v. Then applying update U on v by means of simultaneous assignment, denoted by v[U ], results in a new valuation w ∈ V X such that for all x ∈ X : -for all assignments x := f ∈ U : w(x) = f v, -in case there exists no assignment x := f ∈ U for variable x: To be able to define asserts on transitions in OIL specifications that can reason over both the state before and after the occurrence of an event, we extend expressions with 'old' variables. In such expressions, variables x refer to the state after the event occurred and variables x old refer to the state before the event occurred. Definition 8 Let X be a set of variables, f ∈ E XP X be some expression and v, w ∈ V X two valuations. Then f v w is the evaluation of f using valuation w and the 'old' valuation v, defined as: where c is some constant, c ∈ V is the interpretation of c, x ∈ X is some variable, op is some n-ary operator for n > 0 and op : V n → V is the interpretation of op.
For example, to check whether an integer variable x has increased after applying an update U on a valuation v one can check whether We define E XP old X ⊇ E XP X as the set of all expressions over variables X that may include 'old' variables.

Transition systems
A transition system is a model with states and transitions that models the behaviour of a system. We define L * as the set of sequences of actions in L. We write for the empty sequence and concatenate two sequences with +.

Definition 10
Let S, s 0 , L, − → be an LTS. We define − → * ⊆ S × L * × S as the transition relation over sequences such that for states s, s ∈ S, action a ∈ L and sequence w ∈ L * : Often the only states of an LTS that are of interest are states that can be reached via transitions starting from the initial state.

Definition 11
Let S, s 0 , L, − → be an LTS, s ∈ S a state and L ⊆ L a set of action labels. Then, a state t ∈ S is reachable from s along L iff ∃ w∈L * : s w − → * t. We define S s,L R ⊆ S as the set of all reachable states from s along L . In case s = s 0 and L = L we abbreviate to S R .
When one considers a system to be communicating with an environment, it is useful to distinguish between actions that are sent to the system and actions that the system sends itself. To model this distinction, we introduce the notion of an IOLTS. Any definitions on LTSs so far also hold for IOLTSs. To indicate whether a system is stable and thus waiting for an input, there is the notion of quiescence. A single threaded system can only do one thing at a time: either wait for input or create outputs. Such a system is known as an internal choice system [46].

Definition 14
An internal choice input-output labelled transition system (IOLTS ) is an IOLTS where ∀ s∈S : s I − → ⇒ s ∈ S δ , that is input actions are only enabled in quiescent states.
We say that two (IO)LTSs with initial states s 0 and s 0 are behaviourally equivalent iff their initial states are bisimilar, denoted as s 0 s 0 .

Definition 15
Let S, s 0 , L, − → be an LTS and R ⊆ S × S a relation. We say that R is a strong bisimulation relation iff it is symmetric and for every s, t ∈ S such that s Rt and for every a ∈ L, if s a − → s for some s ∈ S, then there must exist a t ∈ S such that t a − → t and s Rt . We use to denote the largest strong bisimulation relation.

Formal OIL semantics
In this section, we formally define the semantics of an OIL (component) specification. In Sect. 4.1 we first lay out the formal definition of an OIL specification after which we define its acceptor semantics in the form of an IOLTS that corresponds with layer L 1 in Fig. 2. Lastly in Sect. 4.2 we define the execution semantics of an OIL specification that corresponds with layer L 2 in Fig. 2, in which a run-to-completion scheduler handles the events. We again use the example OIL specification of Fig. 1 as running example.

Semantics of an OIL component specification
We first formally define the OIL specification itself. This definition is independent of the syntactical representation used for OIL specifications. We typically use italic capital letters to denote sets and calligraphic capital letters to denote functions.

Definition 16
An OIL specification is defined as a tuple X, A, T where -X = X , I concerns the variables of the OIL specification, where -X is a set of variables. We partition X into a set of instance variables X I and a set of parameters X P . -I ∈ V X I associates each instance variable with its initial value.
-A = A, , RE, EX P concerns the areas of the OIL specification, where -A is a set of areas. We partition A into a set of regions A Re , a set of states A St and a set of scopes A Sc . -is a partial order over A such that a a iff a is the parent area of a or a is a super area of a.
-RE : A St → A Re associates each state with the region it belongs to. -EX P : A → E XP X I associates each area a with an expression, which is a variable in X I in case a ∈ A Re , a constant in E XP in case a ∈ A St and a boolean expression in E XP X I in case a ∈ A Sc .
-T = E, PAR, T , CO, CO concerns the transitions of the OIL specification, where -E is a set of events. We partition E into a set of reactive events E R and a set of proactive events E P . Additionally, we define E H ⊆ E P as the set of silent events. -PAR : E → P(X P ) associates each event with a set of parameters.
where indicates a partial function. For a transition so, gu, e, ARG, AG, ta, ar ∈ T , so is its source area, gu is its boolean guard, e is its event, ARG defines its arguments for parameters in PAR(e), AG is its collection of assignments (an update), ta is its target area and ar is its boolean assert.
-CO is a set of concerns.
-CO : T → P(CO) \ {∅} associates each transition with a non-empty set of concerns. We define CO also on sets of transitions: let T ⊆ T , then CO(T ) = t∈T CO(t).
We define * as the reflexive transitive closure of . The function RE follows from the tree structure of the areas in the OIL specification. A state belongs to a region if this region is the closest ancestor region of the state. We assume that the tree structure of areas in the OIL specification is such that for each state such a region exists. Let X, A, T be an OIL specification. For every area a ∈ A we define its area condition AC(a) and area update AU (a). The area condition determines whether an area is active.

Definition 17 The area condition AC(a) of an area a ∈ A is a boolean expression defined as AC(a) = {EX
The area update defines changes to the instance state that are necessary for the area to become active. Note that these changes may not be enough as they do not consider invariants of scopes.

Definition 18
The area update AU(a) of an area a ∈ A is an update defined as AU(a) = {EX P(RE(a )) : For every transition t ∈ T we define its transition precondition PRC(t), transition update U(t) and transition postcondition POC(t). The transition precondition determines whether a transition can fire, which depends on the source area condition AC(so), guard gu and arguments ARG of the transition.

Definition 19
Let t = so, gu, e, ARG, AG, ta, ar ∈ T be a transition. Then its transition precondition PRC(t) is a boolean expression defined as The transition update indicates how the instance state changes when this transition fires, which depends on the target area update AU(ta) and assignments AG of the transition.

Definition 20
Let t = so, gu, e, ARG, AG, ta, ar ∈ T be a transition. Then its transition update U(t) is an update defined as The transition postcondition must be true after a transition has fired, otherwise the transition has failed and we have arrived in an inconsistent state. It depends on the target area condition AC(ta) and assert ar of the transition.

Definition 21
Let t = so, gu, e, ARG, AG, ta, ar ∈ T be a transition. Then its transition postcondition POC(t) is a boolean expression defined as POC(t) = AC(ta) ∧ ar. For T ⊆ T a set of transitions, we define

Example 12
The transition preconditions for transitions turn_on #1 and turn_on #2 are defined as this.power = o f f and this.tmp < 45 respectively. A more interesting transition precondition is that of the transition with event \job_printed, which equals this.power = on ∧ this.job = busy ∧ this.sheets = 0. The transition updates for transitions turn_on #1 and turn_on #2 are defined as {this.power := on } and {this.tmp := this.tmp+ 5} respectively. The transition postconditions for transitions turn_on #1 and turn_on #2 are defined as this.power = on and this.tmp < 45, respectively.
The states of the transition system are the instance states of the OIL specification, which are valuations over X I . A transition in the transition system corresponds to the occurrence of an event. Each event e corresponds to a set of OIL transitions T e , defined as T e = { so, gu, e , ARG, AG, ta, ar, CO ∈ T | e = e}. For e to be allowed, a transition must be able to fire for each concern that the event is part of. This restriction is enforced by the concern condition. Definition 22 Let e ∈ E be an event. Let T e,c ⊆ T e be the set of transitions of event e that have concern c, defined as T e,c = {t ∈ T e | c ∈ CO(t)}. Then, the concern condition CC(e) is a boolean expression defined as: Then T e is the set with the two transitions identified as turn_on #1 and turn_on #2. As mentioned previously in Example 8 and Example 10, these two transitions have different concerns. For this event the concern condition is then defined as CC(e) = this.power = o f f ∧ this.tmp < 45. As the concern condition must be true for an event to be allowed to occur, turn_on may only occur if both transitions can fire.
To associate parameters of an event with values we use a valuation over these parameters. Given an event e ∈ E and a valuation p ∈ V PAR(e) , we write e( p) as the event e with values for its parameters according to valuation p. In case PAR(e) = ∅ there is only one such p (the empty valuation).
It depends on the current instance state and on values for parameters which transitions of an event e can actually fire. Given a valuation v ∈ V X , T v e is the set of transitions of event e that can fire, defined as T v e = {t ∈ T e | PRC(t) v}. Whenever event e occurs, all OIL transitions in T v e fire and apply their transition updates simultaneously. After the updates have been applied, we need to check whether the event succeeded. If not, we arrive in a failure state denoted as F . This is described in the acceptor semantics of an OIL specification defined below.

Definition 23
Let X, A, T be an OIL specification. Then the acceptor semantics of the OIL specification is given by the IOLTS S, s 0 , The failure of an event is explicitly modelled using failure state F with a self loop with action fail to indicate that a failure occurred. An event fails if the update is incompatible ). Note that this IOLTS is deterministic. This is because all transitions in OIL with the same event that can fire are combined into one transition in the IOLTS. Also note that in case an instance variable has an infinite domain (such as an integer variable), the state space may be infinite. Similarly, in case a parameter without an argument has an infinite domain (such as an integer parameter), the transition system may be infinitely branching.

Example 14
The IOLTS that describes the acceptor semantics of the running example has 51 states and 126 transitions. Due to its size we will not show this IOLTS, but in the following subsection we will show the IOLTS of the so-called execution semantics of the running example instead.

Execution semantics
The IOLTS in Definition 23 describes the behaviour a component is capable of, that is the behaviour of layer L 1 in Fig. 2. To execute this behaviour (layer L 2 ) a scheduler is needed. As mentioned previously in Section 2, the scheduler used for OIL components has run-to-completion semantics, which prioritises proactive events over reactive events. This puts some restrictions on the possible behaviour of the component.   (3) add (2) add (1) sp (3) sp (2) sp (1)  In case M is the IOLTS that describes the acceptor semantics of some OIL specification according to Definition 23, we say that γ (M) describes the execution semantics of this OIL specification.
The execution semantics is internal choice due to the runto-completion semantics of the scheduler. As the scheduler prioritises proactive over reactive events, reactive events are only enabled whenever no proactive events are enabled, that is when quiescence can be observed, which is according to the definition of an IOLTS (Definition 14).

Lemma 2 Let M be some IOLTS. Then γ (M) is an IOLTS .
Example 15 The IOLTS that describes the execution semantics of the running example has 31 states and 54 transitions. See Fig. 3 for a visualisation of this IOLTS .

Validity of OIL specifications
To avoid undesirable behaviour of the scheduled component, we introduce a number of requirements on an OIL specification. If at least one of these requirements is not met, we say that the OIL specification is invalid. Note that since all validity requirements are about the execution of a model, we only (need to) consider the reachable states. Let S, s 0 , I , O, H , − → be an IOLTS that describes the execution semantics of an OIL specification.
When the scheduler checks what proactive events it can produce, it only checks the concern condition of these proactive events (as mentioned at the end of Section 2). Checking whether an event can fail would require to execute the event, check the postcondition and then roll back to the original state. As this might need to be done for many proactive events, this may be computationally very expensive and is therefore undesirable. Still, we would not want that a scheduler may actively crash the system by producing a failing proactive event. We do allow reactive events to fail, as this indicates misuse of the component by the environment. To prevent the scheduler from producing a failing proactive event, we have the following requirement:

Requirement 1 (Safe lookaheadlessness)
Proactive actions cannot fail. More formally, requirement R1 is defined as: Due to the run-to-completion semantics of the scheduler, proactive events have priority over reactive events. If a component would contain an infinite path of proactive events, such as a loop, the scheduler would never consider a reactive event any more once it enters this path. This would result in a component that never reacts to events from the environment. To ensure that a component can eventually engage in communication, we have the following requirement: Requirement 2 (Finite proactivity) Any sequence of proactive events must be finite. More formally, requirement R2 is defined as: When the scheduler has the choice between multiple proactive events, there are multiple routes of proactive events the scheduler can take until it reaches a quiescent state. Since the scheduler chooses between proactive events arbitrarily, the choice between these routes is non-deterministic. If some of these routes would end up in different quiescent states, this non-determinism may permeate the whole component, which is undesired. To prevent the choice of the scheduler affecting the instance state after having run to completion, we have the following requirement: Requirement 3 (Confluent proactivity) All possible sequences of proactive events from a state that end up in a quiescent state, end up in the behaviourally same state. More formally, requirement R3 is defined as: Lastly, it may be the case that some possible routes that the scheduler can take, consist of different events. This would mean that whether an event is produced or not is determined non-deterministically. This is especially undesired for proactive events, as these may be needed for other components to proceed. The scheduler is free to choose the order in which the event are produced however. To prevent the choice of the scheduler affecting what proactive events will be produced, we have the following requirement: Requirement 4 (Predictable proactivity) All possible sequences of proactive events from a state that end up in a quiescent state, consist of the same multiset of events. More formally, requirement R4 is defined as: where w ≈ w iff w and w have the same multiset of actions.

Translating OIL to mCRL2
To verify the above requirements on an OIL specification, or any requirement for that matter, we can make use of model checking techniques [14]. To avoid reimplementing the wheel, we can largely reuse the model checking capabilities of the mCRL2 tool set [13] in the context of OIL by creating a translation from OIL specifications to mCRL2 specifications. We first elaborate on mCRL2, after which we describe how OIL is translated to mCRL2. Afterwards we describe how we have implemented this translation so that it can be applied in practice. The proofs of lemmas and theorems presented in this section can be found in Appendix B.1.

mCRL2
The language mCRL2 [22] is a behaviour modelling language based on process algebra. Every mCRL2 specification consists of two parts: a data specification and a process specification. The data specification typically contains type definitions and definitions of mappings by means of rewrite rules. The process specification contains definitions of actions and of one or more processes, which use these actions to describe behaviour.
In the context of mCRL2, we typically reason with vectors of variables instead of sets of variables. We denote a vector with a bar on top and use indexing for projection such that x = x 1 , .., x n . When applicable, we may use the notationx to denote the set {x 1 , .., x n } of all variables inx.
Each mCRL2 specification can be (automatically) rewritten to a normal form called a Linear Process Specification (LPS). We use the latter format as the target for our translation. Each LPS contains exactly one process in the form of a linear process equation.

Definition 25
Let L be a set of actions. A Linear Process Equation (LPE) is of the following form: where P is a process name, I is some index set,d andē i are vectors of variables, D and E i are data types, c i is a boolean expression, a i ∈ L is an action,f i is a vector of expressions that gives values for the parameters for a i andḡ i is a vector of expressions that represents the next state. Expression c i and expressions inf i andḡ i can depend on variables ind andē i .
From an LPS an LTS can be easily extracted.

Definition 26
Let there be an LPS with an LPE that defines a process P(d : D) as in Definition 25. Letī d be a vector of ground expressions in E X P that represents the initial value ofd. Then, the process expression The language mCRL2 also comes with a tool set with which one can apply numerous model checking techniques on mCRL2 specifications [13]. See Fig. 4 for the basic work

OIL in mCRL2
In this subsection, we define the translation from an OIL specification to an mCRL2 specification. This translation depends on multiple definitions from Section 4 that were also used to define the acceptor semantics of OIL in terms of an IOLTS (Definition 23). We again use the example OIL specification of Fig. 1 as running example.
To be able to represent instance states, we define a structured sort ISt in the mCRL2 data specification, which defines a constructor IS that accepts a tuple of expressions, representing values for the instance variables. We also add (data) type definitions of (instance) variables where necessary. Along with this structured sort we define projection functions GET x to query the value of an instance variable x. We call an expression of type ISt an instance struct. In mCRL2, an instance state is then represented with a ground instance struct, that is an instance struct without variables.

Example 16
For the running example we define the instance state type as follows: ISt = struct IS( GET_power :power_type, GET_job :job_type, GET_tmp :Int, GET_sheets :Int); where the types power_type and job_type are defined separately. The initial instance state o f f , idle , 20, 0 is represented in mCRL2 as the ground instance struct IS(power_off, job_idle, 20, 0).
To translate an expression f ∈ E XP X to an mCRL2 expression, we define σ s ( f ) for some instance struct s, which translates each constant and operator to its mCRL2 counterpart and each x ∈ X I to GET x (s). In case f ∈ E XP old X we define σ s us ( f ) for instance structs s and us, which translates each constant and operator to its mCRL2 counterpart and for each x ∈ X I , x old to GET x (s) and x to GET x (us). To translate the evaluation of expressions to the context of mCRL2 too, we need to translate an evaluation over instance variables to a valuation over an instance struct variable. Given a valuation s ∈ V X I and an instance struct variable s, we define s s as the valuation over s such that GET x (s) s s = s(x) for all x ∈ X I .
As mentioned before, the global state of an OIL component changes by the application of an update. To formalise this in mCRL2, we first define a setter map SET x : ISt × Bool × T → ISt with corresponding rewrite rules for each instance variable x, where T is the data type of x. The first parameter of type ISt is the instance struct to be updated, the second parameter is a boolean expression that indicates whether the change should be applied and the third parameter of type T is the new value for x. The boolean parameter effectively makes this a conditional assignment. If this boolean parameter evaluates to true, the entry for x in the instance struct is overwritten with the new value, otherwise no changes are made. Why this boolean parameter is useful will be shown later on.

Definition 27
Let the variables in X I be indexed such that X I = {x 1 , .., x n }. Let x i ∈ X I be some instance variable, s some instance struct and f and g 1 , .., g n some mCRL2 expressions. Then, SET x i is defined with the following rewrite rules: (IS(g 1 , .., g i , .., g n ), true, f) = IS(g 1 , .., f, .., g n ) The result of a setter is an instance struct of expressions. Note that f may contain variables and therefore the resulting instance struct too. If it does, it depends on a valuation for these variables which instance state the instance struct actually represents.
Whenever an event occurs, all transitions for this event that can fire are involved in updating the instance state. Instead of applying the assignments of the update simultaneously, in mCRL2 we apply them in a sequential way, which means we need an ordering on these assignments. Which transitions for this event can actually fire, and with that, which assignments need to be considered, can only be determined during runtime. Instead of creating updates in mCRL2 for every possible combination of transitions for an event, we use one update that consists of a conditional assignment for each assignment, whose application depends on the transition precondition PRC(t) of the transition t, for which the assignment is part of the transition update U(t).

Definition 28
Let e ∈ E be an event. Then we defineÛ (e) as the list containing all pairs from the set {(PRC(t), u) | u ∈ U(t), t ∈ T e } in some order.
We update an instance struct s in a sequential way by nesting setter applications on the first parameter of the setters. To properly model a simultaneous update, we need to use the original instance struct s to retrieve the values for instance variables in the right-hand sides of assignments. In mCRL2, we generate this nesting as follows: Definition 29 Let s be some instance struct, l be a list of pairs (b, u), where b is a boolean expression and u is an assignment to an instance variable. Then, the updated instance struct US(l, s) that results from applying the conditional assignments in l on s is an mCRL2 expression constructed as follows: Using the above definitions, US(Û (e), s) defines the updated instance struct after the occurrence of event e in s. The boolean parameter of the setters are used to make sure that exactly the assignments of transitions that fire are applied.
With the following two lemmas we can compare the definition and application of updates in mCRL2 with the formal OIL semantics defined in Sect. 4. Lemma 3 shows that for every event e, the set of assignments U(T v e ) of transitions of e that can fire corresponds to the list of assignmentsÛ (e). Lemma 4 shows that the value for every variable x ∈ X I after the applying the update U(T v e ) is the same as after applying the corresponding update expression US(Û (e), s).

Lemma 3 Let X, A, T be an OIL specification. Let e ∈ E,
Note that in case more than one assignment to the same instance variable is considered, only the last of these assignments in the order has effect, as it overwrites the previous one. In case the assignments are compatible it does not matter for the end result in which order the assignments are applied, since assignments to the same variable assign the same value. In case the assignments are incompatible, different orders may lead to different resulting instance states. This is not an issue however, since incompatibility should result in failure of the event. To check whether the assignments are compatible, we add compatibility checks after the update has been done. These compatibility checks check for every assignment x := f whether the value of x in the updated instance struct equals f . Since these checks need the updated instance struct, they can be done together with the postconditions.

Definition 30
Let t ∈ T be some transition and let s and us be two instance structs that represent the state before, respectively, after an update. Then, the transition's compatibility checks CP(t, s, us), the transition's altered postcondition POC(t, s, us) and their combination PCP(t, s, us) under the assumption that the transition's precondition holds are mCRL2 expressions constructed as follows:

Example 19
For the assignments that correspond to event turn_on, we add the compatibility checks GET_power(us) == power_off and GET_tmp(us) == GET_tmp(s) + 5, where s and us are the instance structs before, respectively, after updating.
The main reason we check compatibility after the update is due to the complexity of checking it before the update. Since in general we need to accommodate any instance state, we do not know beforehand which combinations of transitions can fire. If in the worst case each transition of an event has an assignment to the same variable, we would need to check compatibility for this variable for every pair of transitions, which results in a number of checks quadratic to the amount of transitions of an event. If we check after the update as part of the postconditions we do not need to compare between transitions. Note that in either case the transition preconditions are needed to only check the compatibility checks and postconditions of transitions that can fire or have fired.
With the following two lemmas, and the corollary that follows from them, we can compare checking compatibility and checking postconditions as done in the operational semantics (Definition 23) to checking them in mCRL2. Lemma 5 shows that checking compatibility with CP(v, U(T v e )) corresponds to checking compatibility with CP(t, s, US(Û (e), s)). Lemma 5 shows that checking postconditions with POC(T v e ) corresponds to checking postconditions with POC(t, s, US(Û (e), s)).
Corollary 1 combines the two lemmas.
In the process specification, the behaviour of an OIL model is encoded using a single monolithic process P with an instance struct parameter to record the instance state and a boolean parameter which is false iff an event has failed. The body of process P is a non-deterministic choice between a number of summands, one for each event in the OIL specification. Additionally, to model the failure state, we have a summand with a self-loop labelled with action fail. We definep e as the vector of variables in PAR(e) and τ e as the data type of this vector for some event e. Definition 31 Let X, A, T be an OIL specification and let is be a ground instance struct that represents the initial instance state as defined by I. Then the acceptor semantics described in mCRL2 of this OIL specification is defined as the process expression P(is, true) where P is a process defined with the LPE: For the purpose of testing the translation to mCRL2, a version of the translation was created that defined auxiliary variables in each summand, one for every transition precondition and one for the updated state. This was done to make the generated mCRL2 specification more readable. Somewhat to our surprise, experiments showed that this version required considerably more time for model checking because more rewriting effort was needed. The tool lpssumelm from the mCRL2 toolset can eliminate these auxiliary variables.
An adjustment that did improve the efficiency for model checking was not adding unnecessary compatibility checks. From experience, it is often the case that incompatibility is not possible in the context of an event for an instance variable, because there is only one assignment that assigns to it. Adding the compatibility check for this assignment only adds more unnecessary rewriting effort for the mCRL2 toolset. Therefore, we first analyse the OIL specification to check for possible incompatibilities, that is whether there is more than one assignment to the same instance variable in transitions of an event, and then we only add the incompatibility checks for such assignments in the translation.
Example 20 See Fig. 5 for part of the main process P of the running example, showing only the summand for the event turn_on with auxiliary variables. On line 4 we define auxiliary variables f1, f2 and us, which represent the transition preconditions of the transitions turn_on #1 and turn_on #2 and the updated instance state respectively. This is done using the sum-operator to declare the variables, followed by conditions to fix their values (lines 4-5). The variables f1 and f2 are supplied to the setters so that only the updates of transitions that can fire are applied. The boolean b and the concern condition are checked on line 6. On line 7 the action turn_on is done and then the process recurses with the updated instance state and the postconditions. One could expect a compatibility check GET_tmp(us) ==  Fig. 5 Part of process P of the mCRL2 specification generated from the OIL specification visualised in Fig. 1, showing only the summand for the event turn_on with auxiliary variables GET_tmp(s) + 5 here due to the update SET_tmp(.., f2, GET_tmp(s) + 5), but since there is only one assignment to tmp defined for event turn_on, this check is not necessary so it is left out.
Given an OIL specification, its acceptor semantics described as an IOLTS and its acceptor semantics described in mCRL2 have the same behaviour.

Execution semantics
In Definition 24 the execution semantics is acquired from the acceptor semantics by prioritisation of proactive events. Such prioritisation is however at the time of writing not available in the mCRL2 tool set. Therefore we choose to create a direct translation from an OIL component specification to its execution semantics in mCRL2. For this we define the proactive priority condition, which, given an event and an instance state, is true iff the event is proactive or there are no proactive events possible in the given instance state. Whether proactive events are possible is checked by checking the concern conditions of each proactive event.
Definition 32 Let X, A, T be an OIL specification, e ∈ E an event and s some instance struct. Then the mCRL2 expression encoding the proactive priority condition PPC(e, s) is constructed as follows:

Example 21
The two events \sheet_printed and \job_printed are the only proactive events in the running example. Therefore, the proactive priority condition for the running example in some instance struct s is defined in mCRL2 as: !((exists snr : Int.GET_job(s) == job_busy && GET_sheets(s) > 0 && snr == GET_sheets(s)) || (GET_job(s) == job_busy && GET_sheets(s) == 0)) Along with the concern condition, the proactive priority condition must also hold for an event to be allowed, as described below.

Definition 33 Let X, A, T be an OIL specification and let
is be a ground instance struct that represents the initial instance state as defined by I. Then the execution semantics described in mCRL2 of this OIL specification is defined as the process expression P(is, true) where P is a process defined with the LPE: where us = US(Û (e), s).
Given an OIL specification, its execution semantics described as an IOLTS and its execution semantics described in mCRL2 have the same behaviour.  The transformation pipeline implemented in Spoofax from OIL specification to mCRL2 specification. NORM refers to the normalised AST and DES refers to the desugared AST

Implementation of the translation to mCRL2
The translation from OIL to mCRL2 has been implemented in the Spoofax language workbench [44] using the model transformation language Stratego [11]. It makes use of the already available Spoofax implementations of OIL by Denkers [18] and mCRL2 by Van Antwerpen 1 . A total of 20 separate consecutive transformations are used to translate an OIL specification to an mCRL2 specification. See Fig. 6 for a visualisation of this pipeline. An OIL specification is first transformed to the normalised AST, which serves as a middle ground between OILXML and OILDSL. On this normalised AST a number of desugaring and explication transformations have been defined, which are required for the transformation to the desugared AST. This desugared AST is semantically equivalent to the normalised AST, reduced to basic constructs. To annotate variables with types, static analysis is applied on the desugared AST. Inspired by the work of Although the formal definition of the semantics of OIL described in mCRL2 is proven to correctly correspond to the formal semantics of OIL, the same is not guaranteed for the translation to mCRL2 implemented in Spoofax. Nevertheless, we are confident that it is correct. Firstly, the OILSEM representation was designed to contain the same data used in the definition of the operational semantics (Definition 23). For instance, each transition defines its precondition, update and postcondition (Definition 19-21). Because Stratego is a functional language, the definitions in Stratego correspond 1 See https://github.com/MetaBorgCube/metaborg-mcrl2 closely to the formal definitions. Additionally, all transformations up to OILSEM are quite small and straightforward and most desugaring transformations are equipped with postconditions that check whether the desugaring was applied correctly.
During the development of the more complex transformation from OILSEM to mCRL2 we have relied on the mCRL2 toolset to check for regressions and correctness of the translation. Whenever a new concept of OIL was added to the translation, an OIL specification illustrating this concept was translated to mCRL2. Then the corresponding LTS was generated using the mCRL2 toolset to check whether the implementation of the new concept resulted in expected behaviour. Also, we used equivalence checking to test whether a refactoring in the translation to mCRL2, such as the one that adds auxiliary variables to summands, did not change the behaviour of generated mCRL2 specifications. This was done by comparing the LTS before with the LTS after the refactoring, for a test set of OIL specifications. In a few occasions this has revealed subtle errors in refactorings that might have been overlooked otherwise. Equivalence checking was also applied to test whether mCRL2 specifications generated from the current translation and from one written in Python, developed in an exploratory phase of this project, have the same behaviour. This showed that there was a subtle mistake in the original Python translation that resulted in faulty behaviour in some generated mCRL2 specifications. In general, the use of formal methods during the development process has given us more confidence regarding the correctness of the translation implemented in Spoofax.

Validation of OIL specifications
To verify whether an OIL specification is valid, that is whether all four requirements defined in Sect. 5 are met, we can express these requirements in terms of mu-calculus formulae and check them on the corresponding mCRL2 specification described in Definition 31 using the mCRL2 tool set. The proofs of lemmas presented in this section can be found in Appendix B.2.

Mu-calculus
The mu-calculus is an algebra used to define properties over an LTS. In this document we only consider a subset of the mu-calculus as defined in [22].

Definition 34
Let S, s 0 , L, − → be an LTS. Then a mucalculus formula φ has the following grammar: where b is a boolean expression, Z is a fixpoint variable,ē is a vector of expressions, a ∈ L is an action,d is a vector of data variables and D is data type. In case a fixpoint variable or an action does not have any parameters, the parentheses are omitted. To ensure monotonicity of fixpoint operators, we do not allow fixpoint variables in formulae on the left-hand side of an implication operator ⇒.
To ease notation, we extend the modal operators over a set of actions L ⊆ L or a set of sequences of these actions L * . We define the following short-hand notations: Given an LTS and a mu-calculus formula, one can extract the set of states in the LTS on which this formula is true, which is defined as follows:

Definition 35
Let be the set of all mu-calculus formulae, η a valuation over fixpoint variables, v a valuation over data variables and S, s 0 , L, − → an LTS. Then, the semantics φ ηv ⊆ S of a mu-calculus formula φ is defined as: where D is the set of all values that correspond to data type D, The operators and are the infimum, respectively, supremum operators corresponding to the subset order lifted to functions in a pointwise fashion.
A state s satisfies a mu-calculus formula φ, denoted as s | φ, iff s ∈ φ ηv for all valuations η and v. We say a mu-calculus formula is closed iff every variable reference is within the scope of its declaration. We only consider closed mu-calculus formulae in this paper. Note that for a closed mu-calculus formula it holds that φ ηv = φ η v for all valuations η, η , v and v .
When checking a mu-calculus formula on an LTS, one is usually only interested in whether the initial state satisfies the formula. As mentioned in [1], to check whether a mucalculus formula φ is satisfied by all states reachable from some state s, one can check the formula [L * ]φ on s, where L is the set of all actions in the LTS, see Lemma 7 below. Whenever we say that a mu-calculus formula φ is true on a transition system, we mean that s 0 | φ where s 0 is the initial state of the transition system.

Checking the validity requirements
In this section, we show how each validity requirement can be checked on an OIL specification by formalising them in the mu-calculus. For Requirement 3 and 4 we also define algorithms to check them directly on an IOLTS, since the mu-calculus isn't well suited for these requirements. Let S, s 0 , I , O, H , − → be the IOLTS that describes the execution semantics of an OIL specification. We assume that S and − → are finite.

Confluent proactivity
For Requirement 3 we need to know whether sequences end up in the behaviourally same (quiescent) state, which is something that cannot be expressed with the mu-calculus directly. We can work around this by first reducing the resulting transition system modulo strong bisimulation and then marking every quiescent state with a unique action a from some action set Q by means of a self-loop. Then Requirement 3 can be formalised in the mu-calculus with the formula:

Predictable proactivity
For Requirement 4 we need to know what sequences of proactive events are possible, which can be collected by adding data to fixpoint variables. This requirement can be formalised in the mu-calculus with the formula: The structure of this mu-calculus formula is similar to that of the mu-calculus formula of confluent proactivity. Instead of checking for the existence of a particular quiescent state (action in Q), in this formula we check for the existence of a particular multiset w, also known as a "bag" in mCRL2 (∃ w∈Bag(O∪H ) ). To collect all possible sequences of proactive events, we start with the empty multiset (ν X (w : Bag(O ∪ H ) := ∅)) and then add (unique representations of) events one by one while following the sequences ([a]X (w + {a})). When we reach a quiescent state ([O ∪ H ] false), we require that the constructed multiset w equals w (w = w ).

Lemma 11 Let M
= S, s 0 , I , O, H , − → be the IOLTS that describes the execution semantics of an OIL specification. Then R4 is met on M iff s 0 | φ R4 .
Note that checking this mu-calculus formula does not terminate due to the existential quantification over an infinite domain. This can be solved by adding information (in the form of a self loop) to each non-quiescent state in the IOLTS that provides a multiset of actions corresponding to a possible proactive sequence. This information can then be used in the mu-calculus formula by adding a diamond operator to give the existential quantifier a value to pick. It is also possible to check this requirement without the need to adapt the IOLTS, namely by checking multiset equality for every pair of proactive sequences. First, using a fixpoint operator and a universal quantifier over proactive actions, we can recursively compute all possible proactive sequences. Then, for each proactive sequence w found, we can go through all possible proactive sequences again and compare them to w, similarly to φ R4 . However, this is very inefficient since a quadratic number of comparisons are done. This can be improved by defining an ordering on actions, which induces a topological ordering on sequences. Then, we can compute the "largest" (or "smallest") possible proactive sequence initially to compare to all other sequences. Note that finite proactivity is required to make sure that computing possible proactive sequences terminates.

Alternative methods of checking confluent and predictable proactivity
To be able to effectively check Requirement 3 and 4 using the mu-calculus, the IOLTS needs to be adapted or a complex mu-calculus formula is needed, which indicates that the mu-calculus is not a great fit for these requirements. Therefore we propose an alternate way of checking these requirements, namely by means of an algorithm that works directly on the IOLTS. See Algorithm 1 for the algorithm to check Requirement 3 and Algorithm 2 for the algorithm to check Requirement 4.
Both algorithms are very similar in structure. They both have an initialisation phase followed by a recursive depth first search function that returns false if a violation of the requirement has been found. For confluent proactivity we first reduce the IOLTS modulo strong bisimulation (line 2) to make sure that two states are bisimilar iff they are equal. Then we declare a map to store values for states. In Algorithm 1 we declare a map R to store reachable quiescent states (line Reduce M modulo strong bisimilation 3: Declare R as an empty map from S to S δ 4: R[s] = s for every s ∈ S δ 5: P = S δ 6: for s ∈ S R do 7: if ¬IsConfDFS(s) then 8: return false 9: return true 10: 11: function IsConfDFS(s) 12: if s / ∈ P then 13: for (s, a, s )  3) and in Algorithm 2 we declare a map B to store multisets that represents possible proactive sequences (lines 2-3). Both maps are initialised for quiescent states (line 4). We also initialise a set P, which stores all states that have already been processed. Then for every reachable state (line 6) we call the recursive function (line 7). If some recursive call has found a violation of the requirement we return false (line 8), otherwise we return true (line 9).
In the recursive functions (line 11), we first check if state s was not already processed (line 12). Then for every transition from s to some state s with some action a (line 13), we call the recursive function on s (line 14). If the recursive call returns false because a violation was found, we propagate this back up immediately (line 15). Otherwise, if we do not have a value for s (line 16), namely in the first iteration, we create and store a value based on the value for s , that was just computed by the recursive call (line 17). In Algorithm 1 the new value for s is the quiescent state that s can reach and in Algorithm 2 the new value for s is the multiset computed for s with an increment for action a that was needed to reach s from s. If there was a value stored for s already, we compare this to the new value (line 18) and return false in case they are not equal (line 19), since this is a violation of the requirement. After all outgoing transition have been considered and no violation was found, we add s to the set P of processed states (line 20) and return true to indicate that no violation was found (line 21).
Correctness of Algorithm 1 can be shown by adding postconditions to IsConfDFS(s) depending on what it returns. In case IsConfDFS(s) returns true, we have the following postcondition: At the end of the algorithm, if no violations have been found, we know that IsConfDFS(s) was called and returned true for every s ∈ S R . From the postcondition it then follows that P ⊇ S R and that Requirement 3 is fulfilled. In case a violation is found and IsConfDFS(s) returns false, we have the following postcondition: which says that state s violates the requirement. The correctness for Algorithm 2 can be shown similarly with the postcondition if IsPredDFS(s) returns true, where w ≈| B[t] iff w as a multiset of actions equals B[t], and the postcondition if IsPredDFS(s) returns false, where w ≈ w iff w and w do not have the same multiset of actions.
Finite proactivity (Requirement 2) is required for these algorithms to terminate. We show termination for Algorithm 1; the same arguments can be made for Algorithm 2. The function IsConfDFS(s) terminates if s ∈ S δ since S δ ⊆ P due to line 5. In case s / ∈ S δ , IsConfDFS(s) may call IsConfDFS(s ) for successor states s on line 14. Given that finite proactivity holds, we know that there are no infinite sequences of proactive actions and therefore the recursion always eventually ends in a quiescent state t ∈ S δ , for which IsConfDFS(t) is known to terminate. From this it follows that line 14 always terminates. Since we assume that S and − → are finite, we know that the for loops on lines 6 and 13 always terminate, from which we can conclude that Algorithm 1 always terminates.
Apart from the reduction modulo strong bisimulation, which can be done in O(| − → | log |S|) [43], both algorithms run in O(|S| + | − → |). We will show this for Algorithm 1; the arguments are the same for Algorithm 2. The initialisation on line 4 runs in O(|S|) in the worst case. The function IsConfDFS(s) runs in constant time if s ∈ P, which is always the case for s ∈ S δ due the initialisation on line 4. If s / ∈ P, we call IsConfDFS(s ) for every outgoing transition s a − → s . After such a call returns, in the worst case, a value is assigned to R[s] right after. Since finite proactivity holds, we know that a call of IsConfDFS(s) cannot eventually lead to another call of IsConfDFS(s) and must eventually lead to a call IsConfDFS(t) for some t ∈ S δ . Therefore, for each s ∈ S, IsConfDFS(s) runs linear to the number of its outgoing transitions at most once. Since each transition can only have one source state, it follows that each transition in − → is only considered once, in all calls of IsConfDFS combined. This implies that the loop on lines 5-7 runs in O(| − → |), so the total algorithm (excluding the reduction modulo strong bisimulation) runs in O(|S| + |− →|).

Experiments
To test the feasibility of our techniques, we have applied them on two OIL models representing systems used in production at Canon Production Printing. We refer to these two models as EPC and AGA. In the rest of this section we will give some results and experiences regarding experiments done on these models.
To obtain the size of the instance state space, we generate the LTS from the generated mCRL2 specification. This LTS is then reduced modulo bisimulation to remove any superfluous behaviour. See Fig. 4 for the tools used to generate an LTS and to check a property expressed in the mu-calculus. Since the generated mCRL2 specification is already an LPS, we can skip the use of mcrl22lps (and use txt2lps instead).
The experiments are done on a laptop with Windows 10, an Intel Core i7-56500U 2.50 GHz processor and 16 GB of RAM. Although the mCRL2 toolset tends to run slower on Windows machines, it is the main operating system used within Canon Production Printing. This way we can test whether we can achieve acceptable performance within the default engineering environment. With regard to time needed for translation, we split the transformation pipeline in two: the transformation from OIL specification to analysed desugared AST and from analysed desugared AST to mCRL2. This is done because the analysed desugared AST can easily be reused for translations. For all timings mentioned we have taken the average of at least five runs.

The EPC case
The EPC model is an OIL specification with a total of 10 instance variables, 5 regions, 1 scope, 26 states, 29 transitions and 27 events. It starts with an initialisation phase, then enters a loop and from this loop it can return to the initial state via a termination phase. It models a system used in production, but the code generated from the model itself is not used in production. The analysed desugared AST of the EPC OIL specification is generated in about 7 seconds. From this analysed model the mCRL2 specification is generated in about 2.7 seconds. The LTS can be generated from the mCRL2 specification in about 4.5 seconds. This LTS has 6466 states, 94 actions and 11491 transitions. After reduction modulo strong bisimulation, the LTS has 1178 states and 3207 transitions. All four validity requirements are met on this model. See Table 1 for the time needed to check each validity requirement on the reduced LTS.

The AGA case
The AGA model is an OIL specification with a total of 55 instance variables, 18 regions, 2 scopes, 179 states, 220 transitions and 185 events. It starts with an initialisation phase and then enters a loop. It models a system used in production and, unlike the EPC model, it is used to generate the actual code for this system. The analysed desugared AST of the AGA OIL specification is generated in about 26 seconds. From this analysed model the mCRL2 specification is generated in about 90 seconds. To be able to generate the LTS for this model within a reasonable amount of time, some changes needed to be made to the OIL specification: -We gave event parameters of reactive events with an infinite domain a fixed value. These parameters represent values received from the environment. In case such a parameter has an infinite domain, there would be an infinite number of transitions possible in the LTS, which causes the generation of the LTS to not terminate. Since the values of these parameters were only used to be passed on to other components, this change does not affect the control flow behaviour of the model. -We removed the assignments to instance variables that are at most only used to pass information on to other components. This keeps these variables at their initial values, which avoids creating multiple branches in the LTS for each value. Note that this effectively abstracts away some event parameters in proactive events, used to pass this information back to the environment. This is not an issue, since these branches are behaviourally the same except for the value for the instance variable and such event parameters and since we are (for now) only concerned with the behaviour of a single component. -We added assignments to reset instance variables to their initial value after their value becomes irrelevant. This makes the branches in the LTS that represent different values for this variable converge earlier.
After these changes, the LTS can be generated in about 14.6 minutes 2 . The resulting LTS has 113844 states and 177156 transitions. After reduction modulo strong bisimulation, the LTS has 23372 states and 40820 transitions. Some of this reduction is due to non-optimal placement of the resets. However, investigation shows that this is not the only reason for the observed reduction. For instance, we found that the value of a certain instance variable has no effect on the behaviour if another instance variable was set to false. All validity requirements are met on this model. See Table 1 for the times needed to check each requirement on the reduced LTS.
These validity requirements are of course not the only properties we can check on these models. For instance, we can check deadlock freedom with the μ-calculus formula [L * ] L true, which we can verify to be true on the AGA model. A more interesting property is whether it is always possible to go to the start of the loop in the AGA model. This requirement can be encoded with the μ-calculus formula [L * ] L * .start true, where start represents the event at the beginning of the loop. Checking this formula on the AGA model results in false, which is due to events in the loop that are deliberately put in the model to model a failure in the system. Removing these events from L and checking the 2 As mentioned earlier, the mCRL2 toolset tends to run slower on Windows machines. This is mostly because the compiling rewriter (passing option -rjittyc to lps2lts, the state space generation tool), which is typically much faster than the default rewriter, is not available on Windows machines. To experiment what improvement the compiling rewriter could bring we used a virtual machine running Ubuntu 20.04 and using half the laptop's memory. On this virtual machine the LTS can be generated in about 185 seconds from the mCRL2 specification using the option -rjittyc for lps2lts. formula again results in true. These formulae can be checked on the reduced LTS within a few seconds.

Discussion of results
Our translation from OIL to mCRL2 and the subsequent verification of two OIL specifications show that it is possible to model check OIL specifications. The current implementation of this translation comprises a large number of smaller transformations to bridge the large semantical gap between OIL and mCRL2. While this is beneficial for the maintainability and reusability of (parts of) the translation, a monolithic translation would be more efficient. However, the experiments show that for increasingly large models the current translation time is rather insignificant compared to the time needed for model checking.
At the same time, it is clear that improvements are necessary before model checking can be made available to the average engineer. These improvements concern both automating some of the preprocessing of OIL models needed to scale the analysis and enhancements to the back-end verification methodology we currently use.

Process structure
We have described the semantics of OIL in mCRL2 by using a single monolithic process. A drawback of having a monolithic approach over a compositional approach would be the inability to reuse processes whenever only a part of an OIL specification changes. In the monolithic approach, the whole process specification needs be generated anew. Also, the separate composable processes could be reduced before being combined which could speed up the state space generation of the whole model. Another typical benefit of a compositional approach is maintainability. OIL seems to be quite suitable for a compositional approach due to the separation of concerns. However, we think that a compositional approach for describing the semantics of OIL in mCRL2 would be more complex than the current monolithic approach, mainly for two reasons.
Firstly, processes defined in mCRL2 lack a notion of shared variables and can only exchange information via communication of actions. Since from every part in an OIL specification any instance variable can be read or assigned to, the instance state would need to be synchronised between all processes frequently. A possible alternative would be to model the instance state as a separate process, but such solutions typically scale poorly due to the overhead induced by the extra communications needed by the main process with this additional parallel process.
Secondly, it is complex to model the atomicity of simultaneously firing OIL transitions in mCRL2 in a compositional manner. Communications of actions in mCRL2 seem suitable to describe synchronisation on an event by means of concerns by creating a process for each concern. However, this synchronisation also requires updating the instance state, if these updates are found to be compatible, and checking whether the event fails. To share results and prevent race conditions between processes when checking compatibility, updating the instance state and checking the postconditions, additional communication would be needed.

Automating Preprocessing
As the AGA case clearly shows, the state space of an OIL specification has the potential to explode if it has many instance variables. To help the state space generator, we manually analysed the usage of these variables and adapted the OIL specification. This is both tedious and error-prone, and therefore a candidate for automation. We note that there is a wealth of literature on such static analysis; see for instance research in the fields of program slicing [40] and live variable analysis [19]. A more interesting challenge, however, is to investigate whether it is possible to implement such static analysis techniques at the meta-level in a language workbench such as Spoofax, so that such techniques become available to all languages defined in such a workbench.
We remark that the mCRL2 toolset already contains some tools that help reduce the state space by removing variables that have no effect on behaviour, such as lpsparelm and lpsstategraph [34]. However, experiments have shown that these tools are not very effective on mCRL2 specifications generated from OIL specifications. This is due to our monolithic representation of the instance state. To make these tools more effective, the structure of the generated mCRL2 will have to be redesigned or the tools have to be improved.

Enhanced Back-end
As shown in Sect. 7, the mu-calculus is a good fit for encoding Requirement 1 and 2, but not for Requirement 3 and 4. We do remark that this is the first time that we have come across a functional property that cannot be expressed in the first-order modal mu-calculus without adding non-trivial information to the model. It may be necessary to resort to an even more expressive logic, such as a higher-order fixed point logic [2] or some hybrid logic [27], to encode such properties in a logic without modifying the model. The downside of using such logics is that, as far as we are aware of, no toolset supports such logics. Alternatively, it may be possible to check these requirements more efficiently by encoding them directly in a Parameterised Boolean Equation System [23] (see PBES in Fig. 4), thereby sidestepping the limitations of the mucalculus.
Another aspect that could be exploited is that specifications such as the AGA model have a number of instance variables set during the initialisation phase. These basically create configurations for the behaviour that is defined in the loop after the initialisation phase. This could be exploited by modelling them as features instead and apply techniques in the context of software product lines [15]. Some research has already been done regarding model checking software product lines in the context of mCRL2 [5].

Using model checking for OIL in practice
OIL still is in an early stage of development, so the number of cases where it has been applied for systems used in production within Canon Production Printing is limited. Currently, only two of these cases have been used for model checking experiments, namely the EPC and AGA case described in Sect. 8. We do feel that these two cases are sufficiently representative: the EPC case uses separation of concerns to its fullest extent, while the AGA case models one of the behaviourally most complex components available.
We envision that when OIL is used on a larger scale, we need to hide the complexities of the use of mCRL2 from the engineer. Checking the validity requirements would be done by the click of a button or automatically, and preferably return a counter example when violated. An engineer should also be able to specify custom requirements in a language that is simpler than the mu-calculus, and check these on an OIL specification in a similar fashion. Other uses of the generated mCRL2 would be conformance checking or regression checking, but this is future work.

Conclusion
We have presented the Open Interaction Language (OIL), a language for modelling the behaviour of software systems. By means of an example OIL component specification we have explained the semantics of OIL informally. We have also defined the operational semantics of OIL component specifications formally. This considers two layers: the first layer that defines the behaviour that a component is capable of and the second layer that defines the behaviour of a run-to-completion scheduler that executes the component. Both are defined in the form of an input-output labelled transition system. On the execution semantics we have introduced four validity requirements, which aim to prevent undesirable behaviour.
We have defined a translation from OIL to mCRL2, based on the formal operational semantics, to enable the use of model checking techniques on OIL specifications. The mCRL2 specifications generated with this translation have been shown to correspond to the operational semantics of OIL. Thanks to the definition of the operational semantics, the definition of the translation is rather straightforward; the main difficulties are how to apply the updates and how to represent the instance variables. Another benefit of having this separation is that we can easily experiment with alternate definitions for the translation to mCRL2. The translation has been implemented using the model transformation language Stratego in the language workbench Spoofax.
We have defined the four validity requirements in terms of the mu-calculus so that they can be verified using the mCRL2-toolset. For the last two validity requirements we have also proposed an algorithmic approach, which we find more suitable. We have checked these validity requirements on two OIL specifications of systems used in production at Canon Production Printing and with this showed that the application of model checking techniques on OIL specifications is feasible.
Acknowledgements We thank the reviewers for their helpful feedback.

Availability of data, material and code
The implementation of the translation from OIL to mCRL2 cannot be made available currently due to confidentiality, but progress is being made to make it publicly available. The code for Algorithm 1 and 2 used for the experiments can be made available upon request. The industrial models used in the experiments cannot be made available due to confidentiality.

Conflict of interest
The authors declare that they have no conflict of interest.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.

A.1 OILDSL
See below for the OILDSL specification of the OIL specification visualised in Fig. 1 in off on turn_on() go on concern POWER end in on on turn_off() go off concern POWER end in idle if nrsheets > 0 and nrsheets <= 3 on add_job() assign this.sheets := nrsheets go busy concern JOB end in busy if this.sheets == 0 do[silent] job_printed() go idle concern JOB end in busy if this.sheets > 0 do sheet_printed(sheetnr = this.sheets) assign this.sheets := this.sheets -1 go busy concern JOB end in heat on turn_on() assign this.tmp := this.tmp + 5 go heat concern HEAT end in heat if this.tmp > 20 on cool_down() assign this.tmp := 20 go heat concern HEAT end A.2 Formal semantics

A.2.1 Formal definition of the OIL specification
The OIL specification given in appendix A.1, visualised in

A.3 mCRL2
See below for the mCRL2 specification generated from the OIL specification visualised in Fig. 1

B.1 Proofs for Section 6
Lemma 3 Let X, A, T be an OIL specification. Let e ∈ E, Proof We prove the two implications separately: be some assignment. By Definition 20, there is a t ∈ T v e such that u ∈ U(t). By the definition of T v e , we know that t ∈ T e . Using this and Definition 28, it follows that (PRC(t), u) ∈Û (e). By the definition of T v e we also know that PRC(t) v, from which we can conclude that (b, u) ∈Û (e) ∧ b v. ⇐ : Let (b, u) ∈Û (e) be some pair. By Definition 28, there is a t ∈ T e such that u ∈ U(t) and b = PRC(t). Since b v, we know that PRC(t) v and therefore that t ∈ T v e using the definition of T v e . Using Definition 20 we can conclude that u ∈ U(T v e ). (US(Û (e), s)) v s for all x ∈ X I .

Proof
Pick some x ∈ X I and assume CP(v, U(T v e )) holds. The definitions of US (Definition 29) and SET x (Definition 27) show that setters for different instance variables do not influence each other, so only setters for x can influence the value of x after the update has been applied. Therefore, we only need to consider assignments to x. We distinguish two cases.
, we only need to consider one assignment x := f , as all assignments to x in U(T v e ) result in the same value. By Definition 5, this means that v[U(T v e )](x) = f v. Using Lemma 3, we know that there is a (b, x := f ) ∈ U (e) such that b v = true for each x := f ∈ U(T v e ). In the construction of US(Û (e), s) (Definition 29), each right-hand side of an assignment x := f is translated to an mCRL2 expression σ s ( f ) and then used to overwrite the entry in the instance struct for x. Since CP(v, U(T v e )) and f v = σ s ( f ) v s , we know that in the mCRL2 context we too only need to consider one assignment x := f , as all assignments will result in the same value. With only this assignment in mind, it fol- We prove the two implications separately: we know for every two assign- Proof Using Definition 21 and using the definition of T v e (in that order), we can derive: We can rewrite the right-hand side of the lemma to a similar form: Proof For the sake of notation, we denote states in S , which are valuations over the process parameters s and b, as (s s , b) for any s ∈ V X I and b ∈ B, where s s is the evaluation for s such that s(x) = GET x (s) s s and b is the value for b. Let R = {(s, (s s , true)) | s ∈ V X I } ∪ {((s s , true), s) | s ∈ V X I }∪{( F , (s s , false)) | s ∈ V X I }∪{((s s , false), F ) | s ∈ V X I }. Note that R is symmetric and that s 0 Rs 0 . We show that R is a strong bisimulation relation (see Definition 15). We distinguish three cases.
-Case s R(s s , true) for some s ∈ V X I . If there is some a ∈ L and s ∈ S F such that s a − → s , then according to Definition 23 there must be some e ∈ E and p ∈ V PAR(e) such that a = e( p) and CC(e) v where v = s ∪ p. Since CC(e) v = σ s (CC(e)) v s for v s = s s ∪ p, using Definition 26 and 31, there must also be a (u s , b) ∈ S such that (s s , true) e( pe v s ) −−−−−→ (u s , b) for some u ∈ V X I and b ∈ B. Sincep e is a vector of all parameters in PAR(e), it follows that p e v s corresponds to p and therefore e( p e v s ) = a. To show that this case satisfies the strong bisimulation condition, all is left to show is that s R(u s , b). We distinguish between two cases. -Case (s s , true)Rs for some s ∈ V X I . If there is some a ∈ L and (s s , b) ∈ S such that (s s , true) a − → (s s , b), according to Definition 26 and 31 there must be some e ∈ E and p ∈ V PAR(e) such that a = e( p e v s ) and σ s (CC(e)) v s where v s = s s ∪ p. Since σ s (CC(e)) v s = CC(e) v for v = s∪ p, using Definition 23, there must also be a u ∈ S such that s e( p ) −−→ u for some u ∈ V X I and p ∈ V PAR(e) . Sincep e is a vector of all parameters in PAR(e), it follows that p corresponds to p e v s (and p = p ) and therefore e( p ) = a. To show that this case satisfies the strong bisimulation condition, all is left to show is that (s s , b)Ru. We distinguish between two cases. . Since both transitions have the same action and since the target states of these transitions are related again (because they are the same as the source), we can conclude that R is a strong bisimulation relation in this case.
Since we have shown that every element satisfies the strong bisimulation condition, we know that R is a strong bisimulation relation. Since s 0 Rs 0 , we can conclude that s 0 s 0 .
Theorem 2 Let X, A, T be an OIL specification. Let S, s 0 , I , O, H , − → be the IOLTS that describes the execution semantics of this OIL specification (Definition 24). Let S , s 0 , L , − → be the LTS that corresponds to the LPE of P (Definition 26) where P(is, true) describes the execution semantics of this OIL specification in mCRL2 (Definition 33). Then s 0 s 0 .
Proof The only difference from Theorem 1, is that transitions in the IOLTS are additionally restricted by γ (Definition 24) and that transitions from the mCRL2 process are additionally restricted by PPC(e). Therefore, it suffices to prove that γ and PPC(e) put the same restrictions on the underlying LTSs. The rest of the proof can be reused from Theorem 1.
Let s ∈ V X , let e ∈ E and let a = e( p) for some p ∈ V PAR(e) . Then we need to prove that (a ∈ I ⇒ s O∪H − −− → ) ⇔ PPC(e) s s . In the case that e ∈ E P , it can trivially be shown that this is true, since both sides are then equal to true. In case that e ∈ E R , we know that a ∈ I and we can rewrite the left-hand side: The update of v with w := u is due to the repeated application of w + {a} by the fixpoint variable X , starting with the empty multiset ∅, while traversing a path consistent with u . Using this all left to prove is for any s ∈ S R for some u ∈ Bag(O ∪ H ) for all u ∈ Bag(O ∪ H ) and t ∈ S such that s u − → * t that: The right-hand side can be rewritten to t | [O ∪ H ] false ⇒ t ∈ w = w ηv[w := u, w := u ]. Using the definition of quiescence we know that t ∈ S δ ⇔ t | [O ∪ H ] false. Then it is only left to prove that u = u ⇔ t ∈ w = w ηv[w := u, w := u ], which is true since we can rewrite the righthand side to u = u , and we can therefore conclude that R4 ⇔ s 0 | φ R4 .