# HHLPar: Automated Theorem Prover for Parallel Hybrid Communicating Sequential Processes

Xiangyu Jin<sup>1,2</sup>, Bohua Zhan<sup>3</sup>, Shuling Wang<sup>4,2</sup>, and Naijun Zhan<sup>5</sup>

<sup>1</sup> Key Laboratory of System Software and State Key Lab. of Computer Science, ISCAS
<sup>2</sup> University of Chinese Academy of Sciences
<sup>3</sup> Huawei Technologies Co., Ltd.
<sup>4</sup> National Key Laboratory of Space Integrated Information System, ISCAS
<sup>5</sup> School of Computer Science, Peking University

Abstract. We introduce HHLPar, a tool for verifying hybrid systems modeled in Hybrid Communicating Sequential Processes (HCSP). HHLPar is based on a Hybrid Hoare Logic for HCSP, which enables reasoning about both the continuous-time properties of differential equations and the communication and parallel composition of HCSP processes. This is achieved through the use of specialized trace assertions and their synchronization. The logic has been formalized and proven sound in Isabelle/HOL, providing a reliable foundation for the verification. HHLPar implements the logic in Python and supports automated verification: on one hand, it provides functions for symbolically decomposing HCSP processes, generating assertions for individual sequential processes, and then composing them via synchronization to obtain the final specification for the entire parallel HCSP process; on the other hand, it is integrated with external solvers for handling differential equations and real arithmetic properties. The resulting assertions are sufficiently expressive to deduce both the state properties at termination and the continuous-time invariants maintained throughout the execution of processes, which are critical for ensuring system safety. Finally, we present the main issues related to the implementation of HHLPar and demonstrate its applicability through a case study involving a simplified cruise control system.

**Keywords:** Hybrid System, Hybrid Hoare Logic, Interactive and Automated Theorem Proving.

## 1 Introduction

Hybrid systems involve complex interactions between continuously evolving physical processes and discrete control systems. In networked applications such as cyber-physical systems, communication and parallel composition play a critical role in enabling interactions among distributed components, facilitating the coordination of concurrent behaviors and the exchange of data across subsystems. However, ensuring the safety of such systems is highly challenging due to their inherent complexity, which stems from the interplay of continuous dynamics, discrete transitions, and the need for synchronization between parallel components. Formal verification has been widely recognized in both academia and industry as an important approach to ensuring the correctness of hybrid systems. In particular, a verification tool that is sound and capable of producing trustworthy results while also supporting automation of the verification process is essential for the practical design of safety-critical systems.

There are two mainstream verification techniques of hybrid systems: model checking and deductive verification. Model checking verifies a system model, typically represented as hybrid automata [1], by exhaustively computing and checking all reachable system states. However, this approach faces intrinsic challenges due to the infinite state domains and the increasing complexity of hybrid systems. On the other hand, deductive verification conducts proof via logical reasoning by induction on system models and reasons about continuous evolution represented as ordinary differential equations (ODEs) with the help of differential invariants [16, 10, 11]. A prerequisite for deductive verification of hybrid systems is to have a compositional modelling language for hybrid systems and meanwhile a specification logic for reasoning about the formal models such that the verification of a complex system can be reduced to the verification of decomposed components of the system. Differential dynamic logic  $(d\mathcal{L})$  [12, 13, 2, 15] is a first-order dynamic logic proposed for specifying and verifying hybrid systems modelled as hybrid programs. Its soundness has been proved in Isabelle/HOL and Coq in [3]. Its prover KeYmaera [17] supports automatic proof search of rules of  $d\mathcal{L}$  and integrates with computer algebra tools for solving differential equations and real arithmetic formulas. Its successor KeYmaera X [7] enhances automation and provides stronger soundness guarantees through a small, trusted prover kernel. However,  $d\mathcal{L}$  lacks direct support for communication and parallel composition, which are ubiquitous in practical cyber-physical systems. The verification of hybrid systems with communication and parallel composition poses additional challenges due to the need to account for concurrent interactions, synchronization and the resulting complex, non-deterministic behaviors arising from distributed components.

Hybrid CSP (HCSP) [8, 27] extends Hoare's CSP [9] by including ODEs to model continuous dynamics. It leverages the communication and parallel composition features of CSP to enable flexible interactions between continuous physical processes and discrete control systems. The specification logic and verification of HCSP have been studied by extending classical Hoare logic to handle both continuous evolution and communication-based parallel composition. One line of work [10, 21] utilizes Duration Calculus (DC), an interval-based temporal logic with the binary modality chop, which was extended to specify continuous-time properties; but the DC-based reasoning system is quite complicated, and consequently the tool support for verifying HCSP under this approach is limited to interactive theorem proving in Isabelle/HOL [22], which imposes a significant proof burden on users. To overcome these limitations, an alternative Hybrid Hoare Logic (HHL) was developed by introducing trace-based assertions into first-order logic [26]. This logic proposes traces composed of both communication and continuous-time events, and handles the parallel composition of processes through trace synchronization. Building on this logic, the HHL prover was implemented, as illustrated in Fig. 1, providing a more automated and user-friendly verification tool for HCSP.

Fig. 1. Architecture of HHLProver.

As shown by Fig. 1, the HHL prover comprises four parts: an Invariant Generator for synthesizing differential invariants of ODEs and supplying them to other modules; HHLPy [20], an automatic verifier for sequential HCSP, particularly ODEs, based on differential invariants; HHLPar, an automatic verifier for HCSP with communication and concurrency; and Isabelle/HHL, an interactive theorem prover for HHL. Both HHLPy and HHLPar are designed to automate verification, while unproven conditions are passed to the interactive mode of the HHL prover, i.e. Isabelle/HHL.

In this paper, we present HHLPar, an automated theorem prover for HCSP in the concurrent setting, including its assertions, inference rules and implementation. HHLPar builds upon the HHL in [26] but differs in several key aspects. The HHL in [26] defines a generalized trace-based logic and a weakest-precondition-style proof system, which is proved to be relatively complete and very expressive, but faces difficulty in automating the verification of parallel composition. Instead, HHLPar proposes an explicit assertion language for specifying traces, and provides a set of inference rules for constructing assertions of sequential processes and a set of synchronization rules for constructing assertions of parallel processes, which together constitute their specification. This constructive-style logic enables the automation of HCSP reasoning. HHLPar achieves soundness, as its underlying logic has been formally proven sound in Isabelle/HOL. Meanwhile, it supports automated theorem proving by symbolically decomposing and reasoning about HCSP based on the logic's inference rules. It also inherits HHLPy's integration with the Wolfram Engine for solving ODEs and reasoning about logical formulas.

The assertions in the specification generated by HHLPar are sufficiently expressive to describe the behavior of processes. They are also strong enough to enable the derivation of logical properties over process variables. In this paper we have developed a set of inference rules specifically for automatically deriving two different forms of properties from the generated assertions. The first class is properties of final states at termination, which is also the concern of classical Hoare logic and HHLPy [20]. The second class is continuous-time invariants that hold throughout the execution, which ensure that the system meets its requirements over all continuous time intervals. These properties are crucial for assessing system safety. To demonstrate the usability of HHLPar, we applied it to verify a simplified cruise control system, successfully automating the verification of its safety requirement.

After reviewing the related work, the remainder of the paper is structured as follows. Sect. 2 provides a brief overview of HCSP. Sect. 3 introduces the assertions we propose and the corresponding specification, modified from HHL. Sect. 4 and Sect. 5 introduce the inference rules for constructing the assertions in specifications of sequential and parallel HCSP, respectively. Sect. 6 gives the rules for proving properties of specific forms from the assertions. Sect. 7 discusses the key implementation aspects in both Isabelle/HOL and HHLPar, and demonstrates the application of HHLPar through a case study. The accompanying code, including the formalization and soundness proof of the logic in Isabelle/HOL, the Python implementation and the case study, is available at https://github.com/AgHHL/gHHL2024.git.

### 1.1 Related Work

Model checking tools for hybrid systems endeavor to compute the reachable states of continuous dynamics efficiently in an algorithmic way, achieving high scalability while maintaining high accuracy, e.g. the representative PHAVer [5] for linear hybrid automata, and HSolver [19] and SpaceEx [6] for both linear and non-linear dynamics. Deductive verification tools are built upon program logics and conduct proofs via theorem proving. KeYmaera [17] and its successor KeYmaera X [7] are automated and interactive theorem provers built upon differential dynamic logic ($d\mathcal{L}$) [12, 13, 15], which proposes a complete set of rules [14, 18] for reasoning about continuous dynamics, such as differential invariants, differential weakening, differential cut, and differential ghosts. Both tools combine deductive reasoning in $d\mathcal{L}$ with real algebraic and computer algebraic provers for automated verification. Foster et al. [4] proposed a semantic verification framework for hybrid systems using the Isabelle/HOL proof assistant and then extended it to IsaVODEs [25]. The related work on the specification and verification of HCSP has been discussed in the introduction. In contrast, HHLPar extends HHLPy [20] to support the parallel fragment of HCSP, encompassing communication, parallel composition and continuous evolution. HHLPar inherits HHLPy's integration with external solvers for real arithmetic and ODEs, and further enables automated deductive verification of communication and parallel composition through specialized assertions and synchronization. Both HHLPy and HHLPar are integrated into the HHL prover in order to improve its automation, as indicated in Fig. 1.

## 2 An Overview of HCSP

As an extension of Communicating Sequential Processes (CSP [9]), Hybrid CSP (HCSP) is a formal modeling language for hybrid systems. It introduces Ordinary Differential Equations (ODEs) to model continuous evolution and interrupts. In HCSP, communication is the sole mechanism for data exchange between processes, and shared variables among parallel processes are explicitly prohibited. This section is extracted from [26], which provides the foundation of the logic in this paper. For self-containedness, we provide a brief overview.

Syntax. Below, we present the syntax for HCSP. Here c and  $c_i$  denote sequential processes, while pc and  $pc_i$  denote parallel processes.  $\dot{x}$  represents the first-order derivative of x w.r.t. time,  $\overrightarrow{x}$  (resp.  $\overrightarrow{e}$ ) denotes a vector of variables (expressions). ch refers to a channel name, and  $ch_i*$  denotes either an input event  $ch_i?x$  or output event  $ch_i!e$ . L is a non-empty set of indices, cs is a set of channel names. B and e represent Boolean and arithmetic expressions, respectively.

$$\begin{array}{lcl}
c & ::= & \mathsf{skip} \mid x := e \mid ch?x \mid ch!e \mid c_1 \sqcup c_2 \mid c_1; c_2 \mid c^* \mid \mathsf{if}\ B\ \mathsf{then}\ c_1\ \mathsf{else}\ c_2 \\
& \mid & \langle \dot{\overrightarrow{x}} = \overrightarrow{e} \& B \rangle \mid \mathsf{wait}\ e \mid \langle \dot{\overrightarrow{x}} = \overrightarrow{e} \& B \propto c \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i) \\
pc & ::= & c \mid pc_1 \|_{cs} pc_2
\end{array}$$

The input ch?x receives a value through channel ch and assigns it to variable x, while the output ch!e sends the value of e through ch. Both statements may block, waiting for the corresponding dual party to be ready. The continuous evolution $\langle \dot{\overrightarrow{x}} = \overrightarrow{e} \& B \rangle$ evolves continuously according to the given ODE $\dot{\overrightarrow{x}} = \overrightarrow{e}$ as long as the open domain B holds, and terminates whenever B becomes false. The wait statement wait e keeps the variables unchanged while a period of time determined by e elapses. The communication interruption $\langle \dot{\overrightarrow{x}} = \overrightarrow{e} \& B \propto c \rangle \trianglerighteq []_{i \in L} (ch_i * \to c_i)$ evolves according to the ODE $\dot{\overrightarrow{x}} = \overrightarrow{e}$ until it is preempted by one of the communication events $ch_i *$, followed by the corresponding $c_i$; or until it violates the domain condition B, followed by the execution of c. The parallel composition $pc_1 \|_{cs} pc_2$ runs $pc_1$ and $pc_2$ independently, except that all communication events over the common channels in cs must synchronize. The meaning of other statements, such as assignment, internal choice, sequential composition, and so on, follows their standard definitions.

The following example models a moving vehicle operating in parallel with its discrete controller. The vehicle's motion is governed by an ODE, where s represents the trajectory, v the velocity and a the acceleration. Every d time units, the continuous evolution is interrupted by the controller. During each interruption, the controller senses the trajectory and the velocity of the vehicle through input p2c?x, computes the new acceleration and sends it to the vehicle via c2p!contl(x). The vehicle then follows this updated acceleration in the next time period.

$$(\langle \dot{s} = v, \dot{v} = a \& \mathsf{true} \rangle \trianglerighteq [](p2c!(s, v) \to c2p?a))^* \|_{\{p2c,\, c2p\}} (\mathsf{wait}\ d; p2c?x; c2p!contl(x))^*$$

Semantics. Fig. 2 presents part of the big-step semantics of HCSP, defined as a set of transition rules. Each transition takes the form $(c,s)\Rightarrow (s',tr)$, indicating that c carries the initial state s to the final state s', producing a trace tr. Here states $s,s'\in Vars\to Values$ are mappings from variables to values. A trace tr is an ordered sequence of events generated during the execution of an HCSP process. It can be the empty trace $\epsilon$, a single event, or the concatenation $tr_1^\smallfrown tr_2$ of two traces $tr_1$ and $tr_2$, defined recursively. An event describes an observable step in the behavior of a process. There are two types of events: a communication event $\langle ch \triangleright, v \rangle$, where $\triangleright$ is ? or !, indicating input and output respectively, and v is the value transmitted during the communication; and a continuous event $\langle d, \overrightarrow{p}, rdy \rangle$, where d is a positive value specifying the duration of this event, $\overrightarrow{p}$ is a continuous function from [0,d] to states, describing the evolution of the state over time, and rdy is the set of channels that are waiting for communication during this duration.

Fig. 2. Part of big-step semantics of HCSP

Rules (Out-1) and (Out-2) define two cases for communication: one where the communication occurs immediately, and another where it occurs after a delay of d time units. During the waiting period, $I_s$ represents the identity function that maps every time to the initial state. Rule (Cont) defines the behavior of the continuous evolution, which terminates after time d due to the violation of the domain B. This results in a continuous event with duration d and function $\overrightarrow{p}$, where $\overrightarrow{p}$ is a solution of the ODE $\dot{\overrightarrow{x}}=\overrightarrow{e}$ satisfying the initial condition $\overrightarrow{p}(0)=s(\overrightarrow{x})$. Rule (Int-1) defines that the ODE is interrupted after a duration d>0 by the occurrence of a communication over channel $ch_i$, after which the subsequent process $c_i$ is executed; Rule (Int-2) defines that the ODE terminates due to the violation of B, without any communication among $\{ch_i\}$ being able to occur, after which the subsequent process c is executed. Other similar cases, e.g. interruption by an input event, are not listed here. Rule (Par) defines the semantics of the parallel composition, which results in the disjoint union of the states (denoted by $s_1 \uplus s_2$) and the synchronization of the traces (denoted by $tr_1 \Vert_{cs} tr_2 \Downarrow tr$) of the two respective processes.

In particular, the trace synchronization relation $tr_1\|_{cs}tr_2 \Downarrow tr$ is derived according to the structure of the traces $tr_1$ and $tr_2$. Part of the derivation rules is given below; the symmetric rules with the roles of $tr_1$ and $tr_2$ exchanged are analogous. An output event synchronizes with the corresponding input event (SyncIO). When an external communication event occurs on one side, it does not need to synchronize with the other side (NoSyncIO). When both sides are continuous events, the continuous events of the same length synchronize if they have compatible ready sets (SWait), denoted by compat, meaning that no input and output along the same channel occur simultaneously in the two ready sets (otherwise the corresponding communication must occur immediately).

$$\frac{ch \in cs \quad tr_1 \parallel_{cs} tr_2 \Downarrow tr}{\langle ch!, v \rangle^{\smallfrown} tr_1 \parallel_{cs} \langle ch?, v \rangle^{\smallfrown} tr_2 \Downarrow tr}\ \text{SyncIO}
\qquad
\frac{ch \notin cs \quad tr_1 \parallel_{cs} tr_2 \Downarrow tr}{\langle ch \triangleright, v \rangle^{\smallfrown} tr_1 \parallel_{cs} tr_2 \Downarrow \langle ch \triangleright, v \rangle^{\smallfrown} tr}\ \text{NoSyncIO}$$

$$\frac{compat(rdy_1, rdy_2) \quad tr_1 \parallel_{cs} tr_2 \Downarrow tr}{\langle d, \overrightarrow{p}_1, rdy_1 \rangle^{\smallfrown} tr_1 \parallel_{cs} \langle d, \overrightarrow{p}_2, rdy_2 \rangle^{\smallfrown} tr_2 \Downarrow \langle d, \overrightarrow{p}_1 \uplus \overrightarrow{p}_2, (rdy_1 \cup rdy_2) - cs \rangle^{\smallfrown} tr}\ \text{SWait}$$
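The synchronization relation above, as an added Python example (not code from the paper or from HHLPar): it implements SyncIO, NoSyncIO and SWait over a constructed event representation, checks compat as described, and additionally splits a longer continuous event so that waits of unequal length line up, a rule the text does not quote. The sample traces are one round of the vehicle/controller example of Sect. 2 with constructed values; an empty result means the relation has no derivation.

```python
"""Trace synchronization  tr1 ||_cs tr2 ⇓ tr  (rules SyncIO, NoSyncIO, SWait).

Representation (an assumption of this example, not the paper's notation):
  Comm(ch, dir, v)  communication event <ch dir, v>, dir is '?' or '!'
  Cont(d, p, rdy)   continuous event <d, p, rdy>; p maps [0, d] to a state
                    (a dict), rdy is a set of (channel, direction) pairs.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List, Set, Tuple, Union

State = Dict[str, Any]
Rdy = FrozenSet[Tuple[str, str]]


@dataclass(frozen=True)
class Comm:
    ch: str
    dir: str
    v: Any


@dataclass(frozen=True)
class Cont:
    d: float
    p: Callable[[float], State]
    rdy: Rdy


Trace = Tuple[Union[Comm, Cont], ...]


def compat(rdy1: Rdy, rdy2: Rdy) -> bool:
    """compat: no channel has an input waiting on one side and an output on
    the other; such a pair would have to communicate immediately."""
    return not any((ch, '?') in rdy1 and (ch, '!') in rdy2 or
                   (ch, '!') in rdy1 and (ch, '?') in rdy2
                   for ch, _ in rdy1 | rdy2)


def split(ev: Cont, d: float) -> Tuple[Cont, Cont]:
    """Cut a continuous event at 0 < d < ev.d into two consecutive events; the
    second one follows the same path shifted by d.  This aligns waits of
    unequal length and goes beyond the three rules quoted in the text."""
    return (Cont(d, ev.p, ev.rdy),
            Cont(ev.d - d, lambda t, p=ev.p, d=d: p(t + d), ev.rdy))


def sync(tr1: Trace, tr2: Trace, cs: Set[str]) -> List[Trace]:
    """All traces tr with tr1 ||_cs tr2 ⇓ tr; [] means no derivation exists."""
    if not tr1 and not tr2:
        return [()]
    h1 = tr1[0] if tr1 else None
    h2 = tr2[0] if tr2 else None
    out: List[Trace] = []
    # NoSyncIO: a communication on a channel outside cs passes through as-is.
    if isinstance(h1, Comm) and h1.ch not in cs:
        out += [(h1,) + tr for tr in sync(tr1[1:], tr2, cs)]
    if isinstance(h2, Comm) and h2.ch not in cs:
        out += [(h2,) + tr for tr in sync(tr1, tr2[1:], cs)]
    # SyncIO: output and input on the same channel in cs with the same value
    # synchronize; the now-internal communication leaves no event in tr.
    if (isinstance(h1, Comm) and isinstance(h2, Comm) and h1.ch in cs
            and h1.ch == h2.ch and h1.v == h2.v
            and {h1.dir, h2.dir} == {'?', '!'}):
        out += sync(tr1[1:], tr2[1:], cs)
    # SWait: continuous events with compatible ready sets run together; the
    # states are joined disjointly and channels in cs leave the ready set.
    if isinstance(h1, Cont) and isinstance(h2, Cont) and compat(h1.rdy, h2.rdy):
        if h1.d == h2.d:
            joined = Cont(h1.d,
                          lambda t, p1=h1.p, p2=h2.p: {**p1(t), **p2(t)},
                          frozenset(e for e in h1.rdy | h2.rdy
                                    if e[0] not in cs))
            out += [(joined,) + tr for tr in sync(tr1[1:], tr2[1:], cs)]
        elif h1.d < h2.d:
            out += sync(tr1, split(h2, h1.d) + tr2[1:], cs)
        else:
            out += sync(split(h1, h2.d) + tr1[1:], tr2, cs)
    return out


# Constructed sample traces for one round of the vehicle/controller example.
CS = {'p2c', 'c2p'}
D = 2.0


def vehicle_trace() -> Trace:
    """Vehicle from s=0, v=1, a=0: evolve for D with p2c! ready, send (s, v),
    then receive the new acceleration (constructed values)."""
    return (Cont(D, lambda t: {'s': t, 'v': 1.0, 'a': 0.0},
                 frozenset({('p2c', '!')})),
            Comm('p2c', '!', (2.0, 1.0)),
            Comm('c2p', '?', -0.5))


def controller_trace(waits: Tuple[float, ...] = (D,),
                     rdy: Rdy = frozenset()) -> Trace:
    """wait d; p2c?x; c2p!contl(x), the wait given as one or more continuous
    events with ready set rdy (empty for a plain wait); x stays unchanged."""
    return tuple(Cont(w, lambda t: {'x': None}, rdy) for w in waits) + (
        Comm('p2c', '?', (2.0, 1.0)), Comm('c2p', '!', -0.5))


def demo() -> Tuple[List[Trace], List[Trace], List[Trace]]:
    """Equal waits; controller waiting 1+1 (vehicle event gets split); and a
    controller already waiting on p2c? while p2c! is ready (no derivation)."""
    return (sync(vehicle_trace(), controller_trace(), CS),
            sync(vehicle_trace(), controller_trace((1.0, 1.0)), CS),
            sync(vehicle_trace(),
                 controller_trace(rdy=frozenset({('p2c', '?')})), CS))
```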

## 3 Assertions and Specifications

We will introduce an assertion language for explicitly specifying traces, which serves as the foundation for the inference rules of constructing specifications of HCSP in the following sections. The assertion language, with its explicit syntactic forms, enables automated processing of inference rules for verifying HCSP processes. Building on these assertions, we further propose a novel specification form tailored for HCSP.

### 3.1 Syntax and Semantics

The syntax of the assertion language is defined below: P,Q represent assertions, cm is a list of tuples recording the assertion information for channels, I is a path condition.

$$\begin{array}{lcl}
P,Q & ::= & \mathsf{true} \mid \mathsf{false} \mid P \bar{\wedge} Q \mid P \bar{\vee} Q \mid \uparrow b \mid P[\overrightarrow{x} := \overrightarrow{e}] \mid \mathsf{init} \\
& \mid & \mathsf{wait\_in}(I,ch,\{\mathsf{d},\mathsf{v} \Rightarrow P\}) \mid \mathsf{wait\_outv}(I,ch,e,\{\mathsf{d} \Rightarrow P\}) \mid \mathsf{wait}(I,e,\{\mathsf{d} \Rightarrow P\}) \\
& \mid & \mathsf{interrupt}(I,e,\{\mathsf{d} \Rightarrow P\},cm) \mid \mathsf{interrupt}_{\infty}(I,cm) \mid \mathsf{Rec}\ R.\ P \bar{\vee} F(R) \\
cm & ::= & \epsilon \mid (ch?,\{\mathsf{d},\mathsf{v} \Rightarrow P\}) \cdot cm \mid (ch!,h,\{\mathsf{d} \Rightarrow P\}) \cdot cm \\
I & ::= & \mathsf{id} \mid \overrightarrow{x} \rightarrowtail f(\overrightarrow{x},t) \mid \mathsf{inv} \mid I[\overrightarrow{x} := \overrightarrow{e}] \mid I_1 \uplus I_2
\end{array}$$

where b and inv are boolean expressions, e is a real expression, and $\{\mathsf{d}, \mathsf{v} \Rightarrow P\}$ represents a function mapping from the real-valued variables d and v to assertions ($\{\mathsf{d} \Rightarrow P\}$ is similar), for example $\{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{init}[x := x + \mathsf{d}][y := \mathsf{v}]\}$. Here, d and v are two special bound variables introduced to synchronize communication between parallel processes. They denote the time of occurrence and the transmitted value respectively, which are resolved when the dual events in parallel processes synchronize. cm is a list of tuples or triples recording the communication branches used in interrupt. Rec defines a recursive assertion where P acts as the guard ensuring that the recursion terminates. Here F is a generator function defined inductively according to the syntax of the assertion language; it can be an atomic or non-atomic assertion containing a hole indicating the position where the recursion happens. For example, F(R) can be R[x := 0] or $\mathsf{wait}(I, e, \{\mathsf{d} \Rightarrow R[x := x + 1]\})$.

We first define the semantics of path conditions. A path condition I is a predicate interpreted over a starting state, a time and a state, denoted by $(s_0,t,s)\models I$. It describes the relationship between the starting state $s_0$ and the state s at time t during the evolution. As defined by the semantics, id states that s stays the same as the initial state $s_0$; $\overrightarrow{x} \rightarrowtail f(\overrightarrow{x},t)$ updates $\overrightarrow{x}$ to the value defined by f at time t; inv means that the state s at time t satisfies the invariant inv; the substitution $I[\overrightarrow{x}:=\overrightarrow{e}]$ updates the value of $\overrightarrow{x}$ in the initial state to that of $\overrightarrow{e}$; and $I_1 \uplus I_2$ splits the initial state and the current state into two disjoint parts that satisfy $I_1$ and $I_2$ respectively. Intuitively, we use id to describe a duration in which the state stays constant, and use $\overrightarrow{x} \rightarrowtail f(\overrightarrow{x},t)$ and inv to handle ODEs with explicit solutions or with differential invariants, respectively.

$$\begin{aligned}
(s_0,t,s) \models \mathsf{id} &\triangleq s = s_0 \\
(s_0,t,s) \models \overrightarrow{x} \rightarrowtail f(\overrightarrow{x},t) &\triangleq s = s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}),t)] \\
(s_0,t,s) \models \mathsf{inv} &\triangleq \mathsf{inv}(s) \\
(s_0,t,s) \models I[\overrightarrow{x} := \overrightarrow{e}] &\triangleq (s_0[\overrightarrow{x} \mapsto s_0(\overrightarrow{e})],t,s) \models I \\
(s_0,t,s) \models I_1 \uplus I_2 &\triangleq \exists\, s_{01}\, s_{02}\, s_1\, s_2.\ s_0 = s_{01} \uplus s_{02} \land s = s_1 \uplus s_2 \land (s_{01},t,s_1) \models I_1 \land (s_{02},t,s_2) \models I_2
\end{aligned}$$

Next, we introduce the semantics of the assertions. An assertion P is interpreted over an initial state, a current state and a trace, denoted by $(s_0, s, tr) \models P$. The assertions true, false, $P \bar{\wedge} Q$ and $P \bar{\vee} Q$ are defined as usual. $\uparrow b$ lifts a boolean expression on the starting state to a boolean assertion, i.e. b holds at the starting state. $P[\overrightarrow{x} := \overrightarrow{e}]$ means that P holds under the starting state updated by assigning $\overrightarrow{x}$ to $\overrightarrow{e}$, and init means that the state equals the starting state and the trace is empty.

$$\begin{aligned} (s_0,s,tr) &\models \uparrow b \triangleq b(s_0) \\ (s_0,s,tr) &\models P \bar{\land} Q \triangleq (s_0,s,tr) \models P \land (s_0,s,tr) \models Q \\ (s_0,s,tr) &\models P \bar{\lor} Q \triangleq (s_0,s,tr) \models P \lor (s_0,s,tr) \models Q \\ (s_0,s,tr) &\models P[\overrightarrow{x} := \overrightarrow{e}] \triangleq (s_0[\overrightarrow{x} \mapsto s_0(\overrightarrow{e})],s,tr) \models P \\ (s_0,s,tr) &\models \mathsf{init} \triangleq s_0 = s \land tr = \epsilon \end{aligned}$$

We then introduce the semantics of assertions specifying the behavior of input, output, continuous evolution and interrupt respectively:

- $(s_0,s,tr) \models \mathsf{wait\_in}(I,ch,\{\mathsf{d},\mathsf{v}\Rightarrow P\})$ iff one of the following is satisfied:
  1. $(s_0,s,tr') \models P|_{\mathsf{d}=0,\mathsf{v}=v} \land tr = \langle ch?,v\rangle^\smallfrown tr'$
  2. $(s_0,s,tr') \models P|_{\mathsf{d}=d,\mathsf{v}=v} \land d > 0 \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0,d].\ (s_0,t,\overrightarrow{p}(t)) \models I \land tr = \langle d,\overrightarrow{p},\{ch?\}\rangle^\smallfrown \langle ch?,v\rangle^\smallfrown tr'$

- $(s_0, s, tr) \models \mathsf{wait\_outv}(I, ch, e, \{\mathsf{d} \Rightarrow P\})$ iff one of the following is satisfied:
  1. $(s_0, s, tr') \models P|_{\mathsf{d}=0} \land tr = \langle ch!, s_0(e) \rangle^\smallfrown tr'$
  2. $(s_0, s, tr') \models P|_{\mathsf{d}=d} \land d > 0 \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, d].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle d, \overrightarrow{p}, \{ch!\} \rangle^\smallfrown \langle ch!, s_0(e) \rangle^\smallfrown tr'$

- $(s_0, s, tr) \models \mathsf{wait}(I, e, \{\mathsf{d} \Rightarrow P\})$ iff one of the following is satisfied:
  1. $(s_0, s, tr) \models P|_{\mathsf{d}=0} \land s_0(e) \leq 0$
  2. $(s_0, s, tr') \models P|_{\mathsf{d}=s_0(e)} \land s_0(e) > 0 \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, s_0(e)].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle s_0(e), \overrightarrow{p}, \{\} \rangle^\smallfrown tr'$

- $(s_0, s, tr) \models \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm)$ iff one of the following is satisfied:
  1. $(s_0, s, tr) \models P|_{\mathsf{d}=0} \land s_0(e) \leq 0$
  2. $(s_0, s, tr') \models P|_{\mathsf{d}=s_0(e)} \land s_0(e) > 0 \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, s_0(e)].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle s_0(e), \overrightarrow{p}, rdy(cm) \rangle^\smallfrown tr'$
  3. $(s_0, s, tr') \models P_i|_{\mathsf{d}=0, \mathsf{v}=v} \land cm[i] = (ch_i?, \{\mathsf{d}, \mathsf{v} \Rightarrow P_i\}) \land tr = \langle ch_i?, v \rangle^\smallfrown tr'$
  4. $(s_0, s, tr') \models P_i|_{\mathsf{d}=d, \mathsf{v}=v} \land cm[i] = (ch_i?, \{\mathsf{d}, \mathsf{v} \Rightarrow P_i\}) \land 0 < d \leq s_0(e) \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, d].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle d, \overrightarrow{p}, rdy(cm) \rangle^\smallfrown \langle ch_i?, v \rangle^\smallfrown tr'$
  5. $(s_0, s, tr') \models P_i|_{\mathsf{d}=0} \land cm[i] = (ch_i!, h, \{\mathsf{d} \Rightarrow P_i\}) \land tr = \langle ch_i!, h(0) \rangle^\smallfrown tr'$
  6. $(s_0, s, tr') \models P_i|_{\mathsf{d}=d} \land cm[i] = (ch_i!, h, \{\mathsf{d} \Rightarrow P_i\}) \land 0 < d \leq s_0(e) \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, d].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle d, \overrightarrow{p}, rdy(cm) \rangle^\smallfrown \langle ch_i!, h(d) \rangle^\smallfrown tr'$

- $(s_0, s, tr) \models \mathsf{interrupt}_\infty(I, cm)$ iff one of the following is satisfied:
  1. $(s_0, s, tr') \models P_i|_{\mathsf{d}=0, \mathsf{v}=v} \land cm[i] = (ch_i?, \{\mathsf{d}, \mathsf{v} \Rightarrow P_i\}) \land tr = \langle ch_i?, v \rangle^\smallfrown tr'$
  2. $(s_0, s, tr') \models P_i|_{\mathsf{d}=d, \mathsf{v}=v} \land cm[i] = (ch_i?, \{\mathsf{d}, \mathsf{v} \Rightarrow P_i\}) \land 0 < d \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, d].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle d, \overrightarrow{p}, rdy(cm) \rangle^\smallfrown \langle ch_i?, v \rangle^\smallfrown tr'$
  3. $(s_0, s, tr') \models P_i|_{\mathsf{d}=0} \land cm[i] = (ch_i!, h, \{\mathsf{d} \Rightarrow P_i\}) \land tr = \langle ch_i!, h(0) \rangle^\smallfrown tr'$
  4. $(s_0, s, tr') \models P_i|_{\mathsf{d}=d} \land cm[i] = (ch_i!, h, \{\mathsf{d} \Rightarrow P_i\}) \land 0 < d \land \overrightarrow{p}(0) = s_0 \land \forall t \in [0, d].\ (s_0, t, \overrightarrow{p}(t)) \models I \land tr = \langle d, \overrightarrow{p}, rdy(cm) \rangle^\smallfrown \langle ch_i!, h(d) \rangle^\smallfrown tr'$

As defined by wait\_in, the first case corresponds to communicating immediately, so the delay d is 0 and the input value v can be any real number, which cannot be determined by the process itself. We use the notation $P|_{\mathsf{d}=0,\mathsf{v}=v}$ to represent the assertion obtained by replacing the occurrences of d and v in P with the value 0 and v. The second case corresponds to communicating after waiting for time d>0. The path taken by the state during waiting is given by $\overrightarrow{p}$, which satisfies the path condition I. wait\_outv is defined similarly, but unlike the input case, the output value is determined by e and the map $\{\mathsf{d}\Rightarrow P\}$ is only over the delay d. For the wait assertion, e is a real expression specifying the wait time and the map in this assertion only has one argument, the delay d.

The interrupt assertion covers several cases: the ODE evolves for zero or a positive amount of time and then terminates by violating the domain, or it is interrupted by an input or output event. The cases listed correspond to (Int-1) and (Int-2) as defined previously in the semantics of HCSP. In the definition of the interrupt assertion, e specifies the maximum waiting time of the interrupt, P specifies the remaining behavior if the waiting stops upon reaching the time bound e, and cm specifies the list of communications that can happen at any time not exceeding $s_0(e)$. cm is given by a list of elements of the form $(ch_i?, \{\mathsf{d}, \mathsf{v} \Rightarrow P_i\})$ or $(ch_i!, h, \{\mathsf{d} \Rightarrow P_i\})$, which specify what happens after the corresponding interrupt is triggered, where h is a function mapping the delay to the output value, and rdy(cm) denotes the ready set of the communications in cm. There is an important special case: often the maximum waiting time is infinite, for example when the domain of the ODE is true, so the system can only execute the next command when a communication occurs. We denote this case by the assertion $\mathsf{interrupt}_\infty(I, cm)$.

At the end, we give the definition of recursion assertion:

$$(s_0, s, tr) \models \mathsf{Rec}\ R.\ P \bar{\vee} F(R) \text{ iff } (s_0, s, tr) \models P \text{ or } (s_0, s, tr) \models F(\mathsf{Rec}\ R.\ P \bar{\vee} F(R))$$

We can deduce that $(s_0, s, tr) \models \mathsf{Rec}\ R.\ P \bar{\vee} F(R)$ iff $\exists n.\ (s_0, s, tr) \models F^n(P)$, where $F^0(P) \triangleq P$, $F^n(P) \triangleq F(F^{n-1}(P))$ and n is a natural number.

### 3.2 Specification

In the previous HHL [26], the specification of an HCSP process pc takes the form of a Hoare triple $\{Pre\}$ pc $\{Post\}$, where Pre and Post are predicates on a state and a trace. We use $(s,tr) \models Pre$ to denote that the state s and the trace tr satisfy the predicate Pre (Post is similar). Note that an assertion Q is a predicate over three elements, the initial state $s_0$, the current state s and a trace tr, so $Q(s_0)$ can be seen as a predicate on state and trace, i.e. $(s,tr) \models Q(s_0) \equiv (s_0,s,tr) \models Q$. The validity of a Hoare triple is defined in terms of the big-step semantics as follows:

$$\{Pre\}\ pc\ \{Post\} \triangleq \forall s_1\ s_2\ tr\ tr'.\ (s_1,tr) \models Pre \longrightarrow (pc,s_1) \Rightarrow (s_2,tr') \longrightarrow (s_2,tr^\smallfrown tr') \models Post$$

In this paper, we utilize a new method of specification definition named spec\_of based on Hoare triples:

$$\operatorname{spec\_of}(pc, Q) \triangleq \forall s_0. \{s = s_0 \land tr = \epsilon\} pc \{(s, tr) \models Q(s_0)\}$$

where the assertion Q describes the relationship between the initial state  $s_0$ , the final state s and the produced trace tr. This specification means that if this process starts with a state  $s_0$ , then when the process terminates, the end state and the trace produced should meet the predicate  $Q(s_0)$ .

Next, we give some useful characteristics and lemmas on predicates and assertions. Given two predicates  $G_1$  and  $G_2$ , we define the entailment between  $G_1$  and  $G_2$  as:

$$G_1 \Longrightarrow_a G_2 \triangleq \forall s \ tr. (s, tr) \models G_1 \longrightarrow (s, tr) \models G_2$$

Obviously, this entailment relation is transitive and reflexive. There are some common entailment rules, for example introduction and elimination rules for conjunction and disjunction. Some entailment properties specific to monotonicity and substitution of assertions are stated in the following.

The assertions wait\_in, wait\_outv, wait, etc. all satisfy monotonicity rules on the initial state  $s_0$ , which reduce entailment relations among assertions to entailments on their components. For example, monotonicity of wait\_in takes the following form:

$$\frac{\forall d\ v.\ P_1|_{\mathsf{d}=d,\mathsf{v}=v}(s_0) \Longrightarrow_a P_2|_{\mathsf{d}=d,\mathsf{v}=v}(s_0)}{\mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P_1\})(s_0) \Longrightarrow_a \mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P_2\})(s_0)}$$

This rule permits deducing entailment between two wait\_in assertions that differ only in the ensuing parameters. There are similar rules for wait\_outv, wait, interrupt and interrupt $_{\infty}$ . By these rules, all functions from assertions to assertions constructed from the forms introduced above satisfy monotonicity.

The commutativity with existential quantifier for assertions is like the following:

$$\mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow \exists x. P\})(s_0) \Longrightarrow_a \exists x. \mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P\})(s_0)$$

Other forms of assertions in our logic have similar results. So far, both the monotonicity and commutativity conditions are proved to hold for the assertions defined at the beginning of this section. We proved in Isabelle that the Rec assertion is the least fixed point under the assumption that F is monotonic with respect to logical implication and commutative with existential quantifier.

In addition, performing the substitution [x:=e] on assertions such as wait\_in can be reduced to performing the same substitution on their components. For example, the entailment rule for wait\_in is:

$$\mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P\})[x := e](s_0) \Longrightarrow_a \mathsf{wait\_in}(I[x := e], ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P[x := e]\})(s_0)$$

## 4 Inference Rules for Sequential HCSP

In this section, we introduce the inference rules for generating assertions of sequential HCSP processes. For each sequential HCSP construct, we define the rule for it where it is followed by a subsequent process c. This is because different processes can have varying effects on the traces of the sequentially composed c. Notably, the rules for the constructs alone can be derived by substituting c with skip and applying the skip rule.

For the skip, assignment, input, output, wait and if commands, we have the following rules:

$$\frac{}{\operatorname{spec\_of}(\operatorname{skip},\operatorname{init})} \qquad \frac{\operatorname{spec\_of}(c,Q)}{\operatorname{spec\_of}(\operatorname{skip};c,Q)} \qquad \frac{\operatorname{spec\_of}(c,Q)}{\operatorname{spec\_of}(x:=e;c,Q[x:=e])}$$

$$\frac{\operatorname{spec\_of}(c_1;c,P) \quad \operatorname{spec\_of}(c_2;c,Q)}{\operatorname{spec\_of}(\operatorname{if} B \operatorname{then} c_1 \operatorname{else} c_2;c,(\uparrow(B)\bar{\land} P)\bar{\lor}(\uparrow(\neg B)\bar{\land} Q))}$$

$$\frac{\operatorname{spec\_of}(c,Q)}{\operatorname{spec\_of}(ch?x;c,\operatorname{wait\_in}(\operatorname{id},ch,\{\mathsf{d},\mathsf{v}\Rightarrow Q[x:=\mathsf{v}]\}))} \qquad \frac{\operatorname{spec\_of}(c,Q)}{\operatorname{spec\_of}(ch!e;c,\operatorname{wait\_outv}(\operatorname{id},ch,e,\{\mathsf{d}\Rightarrow Q\}))}$$

$$\frac{\operatorname{spec\_of}(c,Q)}{\operatorname{spec\_of}(\operatorname{wait} e;c,\operatorname{wait}(\operatorname{id},e,\{\mathsf{d}\Rightarrow Q\}))}$$

For the nondeterministic repetition command, we have the following rule:

$$\frac{\mathsf{spec\_of}(c',P) \quad \forall \ cc \ Q. \ \mathsf{spec\_of}(cc,Q) \longrightarrow \mathsf{spec\_of}(c;cc,F(Q))}{\mathsf{spec\_of}(c^*;c',\mathsf{Rec} \ R. \ P \bar{\vee} F(R))}$$

In this rule, P represents the assertion for proceeding directly to the subsequent process without executing the loop body, and F represents the change in assertion resulting from executing the loop body once. This recursion assertion can be seen as the loop invariant of the repetition.

We now state the rules for continuous evolution. If the (unique) solution of the ODE is known, the predicate paramODEsol( $\overrightarrow{\dot{x}} = \overrightarrow{e}, B, f, e$ ) is introduced:  $\overrightarrow{\dot{x}} = \overrightarrow{e}$  is an equation between the derivatives of the variables and their expressions; B is a predicate on the state, specifying the open boundary condition;  $f(\overrightarrow{x}, t)$  is the solution of  $\overrightarrow{\dot{x}} = \overrightarrow{e}$  at time t; e maps the starting state to the length of time for the unique solution of the ODE to reach the boundary. We can then state the inference rule for continuous evolution as follows:

$$\frac{\mathsf{paramODEsol}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, f, e) \quad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \quad \mathsf{spec\_of}(c, Q)}{\mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \& B \rangle; c, \mathsf{wait}(\overrightarrow{x} \rightarrowtail f(\overrightarrow{x}, t), e, \{\mathsf{d} \Rightarrow Q[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\}))}$$

The meaning of this rule is as follows. Suppose  $\overrightarrow{\dot{x}} = \overrightarrow{e}$  with boundary condition B has solution f and duration e (both functions of  $s_0$ ), and the lipschitz predicate ensures that the solution of this ODE is unique. Then the specification of  $\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \& B \rangle$ ; c first evolves along the path  $\overrightarrow{p}(t) = s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}),t)]$  for time  $s_0(e)$ , followed by the behavior of c as specified by Q starting from the updated state  $s_0[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]$ .

Next, we show how to use differential invariants to reason about continuous evolution. We define the predicate paramODEInv( $\overrightarrow{\dot{x}} = \overrightarrow{e}, B, inv, pp$ ), meaning that if the starting state of the ODE satisfies the condition pp, then all states along the ODE  $\overrightarrow{\dot{x}} = \overrightarrow{e}$  satisfy the invariant inv. Before applying this rule, inv and the corresponding differential method must be provided. The predicate is verified using the techniques introduced in [15, 20].

$$\frac{\mathsf{paramODEInv}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, inv, pp) \quad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \quad \mathsf{spec\_of}(c, Q)}{\begin{aligned} \mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \& B \rangle; c,\ & (\uparrow (\neg B) \bar{\land} Q) \bar{\lor} \uparrow (\neg pp \land B) \bar{\lor} \\ & \exists\, T\, \overrightarrow{nx}.\ (\uparrow (pp \land B) \bar{\land} \mathsf{wait}(inv, T, \{\mathsf{d} \Rightarrow (\uparrow (inv \land bound(B)) \bar{\land} Q)[\overrightarrow{x} := \overrightarrow{nx}]\}))) \end{aligned}}$$

This rule includes three cases via disjunction: (1) If the boundary is violated at the beginning, then the ODE terminates at once and the specification of c applies. (2) The second case is when the condition pp does not hold. Although we do not desire this situation to arise, it must be included to ensure the correctness of the specification. We expect  $\neg pp$  to conflict with other conditions in the subsequent verification and thus to rule this case out, showing that it cannot happen. (3) The last case states that the evolution stops at some state satisfying both the invariant and the boundary of B. (In the implementation, we introduce new variables T and  $\overrightarrow{nx}$  to avoid the existential quantifier.)

The inference rules for the interrupt command can be seen as the combination of the rules for ODE, input, and output. Due to page limitations, we put them in Appendix B. Below we give an example to illustrate how to generate the specifications of sequential HCSP processes by applying these rules.

Example 1. This example illustrates the handling of delay and communication events.

$$c \triangleq ch_2?x;\ \text{wait } 1;\ ch_1!x$$

The specification of c is generated by the following steps:

$$\begin{aligned} 1:\ & \mathsf{spec\_of}(ch_1!x,\ \mathsf{wait\_outv}(\mathsf{id}, ch_1, x, \{\mathsf{d1} \Rightarrow \mathsf{init}\})) \\ 2:\ & \mathsf{spec\_of}(\mathsf{wait}\ 1; ch_1!x,\ \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d2} \Rightarrow \mathsf{wait\_outv}(\mathsf{id}, ch_1, x, \{\mathsf{d1} \Rightarrow \mathsf{init}\})\})) \\ 3:\ & \mathsf{spec\_of}(ch_2?x; \mathsf{wait}\ 1; ch_1!x,\ \mathsf{wait\_in}(\mathsf{id}, ch_2, \{\mathsf{d3}, \mathsf{v3} \Rightarrow \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d2} \Rightarrow \mathsf{wait\_outv}(\mathsf{id}, ch_1, x, \{\mathsf{d1} \Rightarrow \mathsf{init}\})\})[x := \mathsf{v3}]\})) \\ 4:\ & \mathsf{spec\_of}(ch_2?x; \mathsf{wait}\ 1; ch_1!x,\ \mathsf{wait\_in}(\mathsf{id}, ch_2, \{\mathsf{d3}, \mathsf{v3} \Rightarrow \mathsf{wait}(\mathsf{id}[x := \mathsf{v3}], 1, \{\mathsf{d2} \Rightarrow \mathsf{wait\_outv}(\mathsf{id}[x := \mathsf{v3}], ch_1, \mathsf{v3}, \{\mathsf{d1} \Rightarrow \mathsf{init}[x := \mathsf{v3}]\})\})\})) \end{aligned}$$

At Step 4, we obtain the final specification of c, which can be understood as follows. Starting from state  $s_0$ , the process first waits for input along channel  $ch_2$ ; after receiving the input value v3 at time d3, it waits for time 1 in state  $s_0[x := v3]$ , then waits for output along channel  $ch_1$  in state  $s_0[x := v3]$ , which occurs at time d1. The output value is v3, and the final state after the output is  $s_0[x := v3]$ .

## 5 Inference Rules for Parallel HCSP

In this section, we introduce the inference rules for constructing assertions of parallel processes by synchronization. To handle parallel processes, we define the operator  $\operatorname{sync}(chs, P_1, P_2)$ , denoting the synchronization of two assertions  $P_1$  and  $P_2$  for two processes over the set of common channels chs through which they communicate:

$$(s_0, s, tr) \models \mathsf{sync}(chs, P_1, P_2) \text{ iff } \exists\, s_{01}\, s_{02}\, s_1\, s_2\, tr_1\, tr_2.\ s_0 = s_{01} \uplus s_{02} \land s = s_1 \uplus s_2 \land (s_{01}, s_1, tr_1) \models P_1 \land (s_{02}, s_2, tr_2) \models P_2 \land tr_1 \|_{chs} tr_2 \Downarrow tr$$

By the above definition of sync, we can easily obtain the following conclusion:

$$\frac{\mathsf{spec\_of}(c_1, P_1) \ \ \mathsf{spec\_of}(c_2, P_2)}{\mathsf{spec\_of}(c_1 \|_{chs} c_2, \mathsf{sync}(chs, P_1, P_2))}$$

However, the definition of this operator does not by itself yield usable information. Our objective is to find an assertion Q within our assertion language that can replace  $\operatorname{sync}(chs, P_1, P_2)$ , such that Q is logically implied by  $\operatorname{sync}(chs, P_1, P_2)$  and thus satisfies the above specification. This motivation leads to the following inference rule for parallel composition:

$$\frac{\operatorname{spec\_of}(c_1,P_1) \quad \operatorname{spec\_of}(c_2,P_2) \quad \forall \ s_0. \operatorname{sync}(chs,P_1,P_2)(s_0) \Longrightarrow_a Q(s_0)}{\operatorname{spec\_of}(c_1\|_{chs}c_2,Q)}$$

We hope that Q preserves the whole behaviour of the parallel process, to facilitate verification of the system in subsequent steps. For example, the trivial assertion true always satisfies the entailment, but no useful information can be obtained from it. Thus, our proof system contains a set of inference rules for reasoning about the parallel synchronization of assertions, in the form  $\operatorname{sync}(chs, P_1, P_2)(s_0) \Longrightarrow_a Q(s_0)$ .

By repeatedly using synchronization rules (as well as monotonicity rules and other entailments among assertions), we can gradually reduce an assertion headed by sync into one without sync operators. Due to page limits, we select a representative case to illustrate the synchronization rules. The following rule states that, when the channels of the two sides match, the communication occurs immediately, instantiating the time variable d to 0 and the value variable v to  $s_0(e)$ , and the synchronization then continues with the tail assertions  $P_1$  and  $P_2$ .

$$\frac{ch_1 \in chs \quad ch_2 \in chs \quad ch_1 = ch_2}{\operatorname{sync}(chs, \operatorname{wait\_in}(I_1, ch_1, \{\mathsf{d}, \mathsf{v} \Rightarrow P_1\}), \operatorname{wait\_outv}(I_2, ch_2, e, \{\mathsf{d} \Rightarrow P_2\}))(s_0) \Longrightarrow_a \operatorname{sync}(chs, P_1|_{\mathsf{d}=0, \mathsf{v}=s_0(e)}, P_2|_{\mathsf{d}=0})(s_0)}\ (\text{InOut1})$$

We present the other rules in Appendix C and explain their intuitive meanings. The soundness of these rules has been formally proven by combining the definition of the operator sync and the trace synchronization relation introduced in Sect. 2.

Example 2. This example demonstrates the handling of communication synchronization and loops. The left process repeatedly sends the value of x to the right, where it is received as z, and the right process then sends z+1 back to the left.

$$c_1 \triangleq (ch_1!x; ch_2?y)^* \qquad c_2 \triangleq (ch_1?z; ch_2!(z+1))^*$$

By applying the rules for input, output, sequential composition and repetition, we can derive  $\mathsf{spec\_of}(c_1, P_1)$  and  $\mathsf{spec\_of}(c_2, P_2)$  with

$$\begin{aligned} P_1 &\triangleq \mathsf{Rec}\ R_1.\ \mathsf{init} \bar{\vee} \mathsf{wait\_outv}(\mathsf{id}, ch_1, x, \{\mathsf{d}_1 \Rightarrow \mathsf{wait\_in}(\mathsf{id}, ch_2, \{\mathsf{d}_2, \mathsf{v}_2 \Rightarrow R_1[y := \mathsf{v}_2]\})\}) \\ P_2 &\triangleq \mathsf{Rec}\ R_2.\ \mathsf{init} \bar{\vee} \mathsf{wait\_in}(\mathsf{id}, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow \mathsf{wait\_outv}(\mathsf{id}[z := \mathsf{v}_1], ch_2, \mathsf{v}_1 + 1, \{\mathsf{d}_2 \Rightarrow R_2[z := \mathsf{v}_1]\})\}) \end{aligned}$$

According to the rule for synchronization of two recursion assertions, we can derive

$$\mathsf{sync}(\{ch_1, ch_2\}, P_1, P_2)(s_0) \Longrightarrow_a (\mathsf{Rec}\ R.\ \mathsf{init} \bar{\vee} R[z := s_0(x)][y := s_0(x) + 1])(s_0)$$

As indicated by the final specification, the internal communications over the common channel set  $\{ch_1, ch_2\}$  are hidden and unobservable. The effect of the parallel composition of  $c_1$  and  $c_2$  is to repeatedly assign z the value of x and assign y the value of x+1 to their joint state  $s_0$ , iterated any number of times.
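To make the two derivations above concrete, here is a small Python model of the assertion language, written for this page and not taken from HHLPar or its Isabelle formalization. It encodes init, wait_in, wait_outv and wait as tuples, applies the sequential rules of Sect. 4 from the last command backwards, pushes substitutions into components as the entailments of Sect. 3 allow, and reduces sync with rule InOut1. The tuple encoding, the string-based expressions, the mirror image of InOut1 for an output on the left (which the paper keeps in Appendix C) and the reduction of sync(chs, init, init) to init (read off the definition of sync, the two states being disjoint) are assumptions of this example. Run on Example 1 it reproduces the assertion of Step 4, carrying [x := v3] into init as the description of the final state requires; run on one round of the bodies of c_1 and c_2 from Example 2, with the process prefixes A. and B. of Sect. 7.1, it reduces to init[A.y:=(A.x+1)][B.z:=A.x], the one-iteration instance of the recursion above.

```python
import re

# Assertions of Sect. 3 as nested tuples (an assumed encoding for this example, not HHLPar's):
#   ("init", subs)                 init with the substitutions [x := e] applied so far, in order
#   ("wait_in", I, ch, d, v, P)    wait_in(I, ch, {d, v => P})
#   ("wait_outv", I, ch, e, d, P)  wait_outv(I, ch, e, {d => P})
#   ("wait", I, e, d, P)           wait(I, e, {d => P})
# Paths I and expressions e are strings; a substitution on a path is recorded as I[x := e].

def subst_expr(e, x, r):
    """e[x := r] on a string expression: whole-word replacement, parenthesised if r is compound."""
    r = r if re.fullmatch(r"[\w.]+", r) else f"({r})"
    return re.sub(rf"\b{re.escape(x)}\b", lambda _: r, e)

def qualify(e, prefix):
    """Prefix every variable of e with its process name (Sect. 7.1: parallel variables are distinct)."""
    return re.sub(r"\b[A-Za-z_]\w*\b", lambda m: prefix + m.group(0), e)

def subst(P, x, r):
    """P[x := r], pushed into the components as the substitution entailments of Sect. 3 allow."""
    k = P[0]
    if k == "init":
        return ("init", P[1] + ((x, r),))
    if k == "wait_in":
        _, I, ch, d, v, Q = P
        return ("wait_in", f"{I}[{x}:={r}]", ch, d, v, subst(Q, x, r))
    if k == "wait_outv":
        _, I, ch, e, d, Q = P
        return ("wait_outv", f"{I}[{x}:={r}]", ch, subst_expr(e, x, r), d, subst(Q, x, r))
    _, I, e, d, Q = P                                        # "wait"
    return ("wait", f"{I}[{x}:={r}]", subst_expr(e, x, r), d, subst(Q, x, r))

def instantiate(P, env):
    """P|_{d = .., v = ..}: replace bound time/value variables by their values in every expression."""
    def inst(s):
        for name, val in env.items():
            s = subst_expr(s, name, val)
        return s
    k = P[0]
    if k == "init":
        return ("init", tuple((x, inst(r)) for x, r in P[1]))
    if k == "wait_in":
        _, I, ch, d, v, Q = P
        return ("wait_in", inst(I), ch, d, v, instantiate(Q, env))
    if k == "wait_outv":
        _, I, ch, e, d, Q = P
        return ("wait_outv", inst(I), ch, inst(e), d, instantiate(Q, env))
    _, I, e, d, Q = P
    return ("wait", inst(I), inst(e), d, instantiate(Q, env))

def seq_spec(cmds, prefix=""):
    """Assertion Q with spec_of(c, Q) for a sequential c, by the rules of Sect. 4 applied from the
    last command backwards.  Commands: ("skip",), ("assign", x, e), ("in", ch, x), ("out", ch, e),
    ("wait", e).  Bound variables d_n, v_n are numbered from the end, as in Example 1."""
    Q = ("init", ())
    for n, cmd in enumerate(reversed(cmds), 1):
        k = cmd[0]
        if k == "assign":                                    # Q[x := e]
            Q = subst(Q, prefix + cmd[1], qualify(cmd[2], prefix))
        elif k == "in":                                      # wait_in(id, ch, {d, v => Q[x := v]})
            Q = ("wait_in", "id", cmd[1], f"d{n}", f"v{n}", subst(Q, prefix + cmd[2], f"v{n}"))
        elif k == "out":                                     # wait_outv(id, ch, e, {d => Q})
            Q = ("wait_outv", "id", cmd[1], qualify(cmd[2], prefix), f"d{n}", Q)
        elif k == "wait":                                    # wait(id, e, {d => Q})
            Q = ("wait", "id", qualify(cmd[1], prefix), f"d{n}", Q)
        # "skip": spec_of(skip; c, Q) leaves Q unchanged
    return Q

def show(P):
    """Render an assertion in the paper's notation."""
    k = P[0]
    if k == "init":
        return "init" + "".join(f"[{x}:={r}]" for x, r in P[1])
    if k == "wait_in":
        _, I, ch, d, v, Q = P
        return f"wait_in({I}, {ch}, {{{d}, {v} => {show(Q)}}})"
    if k == "wait_outv":
        _, I, ch, e, d, Q = P
        return f"wait_outv({I}, {ch}, {e}, {{{d} => {show(Q)}}})"
    _, I, e, d, Q = P
    return f"wait({I}, {e}, {{{d} => {show(Q)}}})"

def inout(chs, Pin, Pout):
    """Rule InOut1: a matching channel in chs communicates at once, so d = 0 and v = s0(e).
    Returns the instantiated tails of the input side and of the output side."""
    _, _, ch1, d1, v1, Q1 = Pin
    _, _, ch2, e, d2, Q2 = Pout
    if not (ch1 in chs and ch2 in chs and ch1 == ch2):
        raise NotImplementedError(f"channels {ch1} and {ch2} do not pair")
    return instantiate(Q1, {d1: "0", v1: e}), instantiate(Q2, {d2: "0"})

def sync(chs, P1, P2):
    """Reduce sync(chs, P1, P2) to a sync-free assertion with InOut1, its mirror image for an
    output on the left (assumed here) and sync(chs, init, init) => init on the disjoint states."""
    if P1[0] == "init" and P2[0] == "init":
        return ("init", P1[1] + P2[1])
    if P1[0] == "wait_in" and P2[0] == "wait_outv":
        return sync(chs, *inout(chs, P1, P2))
    if P1[0] == "wait_outv" and P2[0] == "wait_in":
        Q2, Q1 = inout(chs, P2, P1)
        return sync(chs, Q1, Q2)
    raise NotImplementedError(f"no rule for {P1[0]} || {P2[0]}")

if __name__ == "__main__":
    print(show(seq_spec([("in", "ch2", "x"), ("wait", "1"), ("out", "ch1", "x")])))  # Example 1
    left = seq_spec([("out", "ch1", "x"), ("in", "ch2", "y")], "A.")      # one round of c1 (Example 2)
    right = seq_spec([("in", "ch1", "z"), ("out", "ch2", "z+1")], "B.")   # one round of c2
    print(show(sync({"ch1", "ch2"}, left, right)))
```

The fresh names d_n and v_n are what make the textual instantiation in `instantiate` safe: they never collide with program variables, so InOut1 can fix d to 0 and v to the sender's expression by plain replacement, exactly as the rule's P_1|_{d=0, v=s_0(e)} does.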

## 6 Property Verification

So far, we have introduced the inference rules for generating an assertion Q satisfying spec\_of(pc, Q), for either sequential or parallel processes pc. As defined by the semantics of assertions in Sect. 3, Q captures the trace execution history of pc over time up to its termination. However, it is not straightforward to discern from Q what properties of variables the process pc has during execution. In this section, we present how to verify properties of a process in the fixed form  $(s,tr) \models Post \triangleq q_1(s) \land \mathsf{trl}(tr,q_2)$ , where s and tr represent the final state and trace at termination,  $q_1$  and  $q_2$  are boolean expressions on states, and

$$\mathsf{trl}(tr,q) \triangleq \forall i.\, tr[i] = \langle d, \overrightarrow{p}, rdy \rangle \longrightarrow (\forall t \in [0,d].\, q(\overrightarrow{p}(t)))$$

Intuitively speaking, Post holds for the final state s and trace tr iff  $q_1$  holds for the final state s and  $q_2$  holds for each continuous state in tr, i.e. it holds almost everywhere during the whole execution of pc (except at some discrete events). In the following, we call  $q_1$  and  $q_2$  the postcondition and the trace invariant respectively. Together with the definition of specification, we conclude the following inference rule:

$$\frac{\forall \, s_0 \, s \, tr. \, p(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow (s, tr) \models Post \quad \mathsf{spec\_of}(pc, Q)}{\{Pre\} \, pc \, \{Post\}}$$

where  $(s, tr) \models Pre \triangleq p(s) \land tr = \epsilon$  represents that the process pc starts from an initial state satisfying the precondition p and an empty trace. Next, we present how to derive the first antecedent of the above rule for the different forms of assertions. We only consider closed processes pc, for which all communications are internal; no communications remain in Q, since all internal communications are eliminated during synchronization, as shown in rule InOut1.

For init assertion, we have:

$$\frac{\forall s. \, p(s) \longrightarrow q_1(s)}{p(s_0) \longrightarrow (s_0, s, tr) \models \mathsf{init} \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2)}$$

since  $(s_0, s, tr) \models \mathsf{init}$  implies  $s = s_0$  and  $tr = \epsilon$ .

For wait assertion, we have

$$\begin{array}{l} p(s_0) \wedge s_0(e) > 0 \wedge t \geq 0 \wedge t \leq s_0(e) \longrightarrow (s_0,t,s) \models I \longrightarrow q_2(s) \\ p(s_0) \wedge s_0(e) > 0 \longrightarrow (s_0,s,tr) \models P|_{\mathsf{d}=s_0(e)} \longrightarrow q_1(s) \wedge \mathsf{trl}(tr,q_2) \\ p(s_0) \wedge s_0(e) \leq 0 \longrightarrow (s_0,s,tr) \models P|_{\mathsf{d}=0} \longrightarrow q_1(s) \wedge \mathsf{trl}(tr,q_2) \\ \hline p(s_0) \longrightarrow (s_0,s,tr) \models \mathsf{wait}(I,e,\{\mathsf{d}\Rightarrow P\}) \longrightarrow q_1(s) \wedge \mathsf{trl}(tr,q_2) \end{array}$$

where the wait time  $s_0(e)$  is evaluated (positive or not) to determine the remaining part, and the trace invariant is checked against the states on the path I.

We introduce other rules in Appendix D and demonstrate the usage of these rules by the following example involving delay and loop.

Example 3.

$$c \triangleq (\text{wait } 1; x := x + 1)^*$$

For process c, it is easy to see that if the initial state  $s_0$  satisfies x = 1, then x > 0 holds for the final state at termination and also for each continuous state during the execution. This property can be described by the Hoare triple:

$$\{p(s) \wedge tr = \epsilon\} c \{q_1(s) \wedge \mathsf{trl}(tr, q_2)\}$$

where we define  $p \triangleq x = 1$ ,  $q_1 \triangleq x > 0$  and  $q_2 \triangleq x > 0$ . To prove this triple, we apply the main inference rule, resulting in two premises:

$$\mathsf{spec\_of}(c,\ \mathsf{Rec}\ R.\ \mathsf{init} \bar{\vee} \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d} \Rightarrow R[x := x + 1]\}))$$

which can be derived by the sequential inference rules in Sect. 4, and

$$p(s_0) \longrightarrow (s_0, s, tr) \models (\mathsf{Rec}\ R.\ \mathsf{init} \bar{\vee} \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d} \Rightarrow R[x := x+1]\})) \longrightarrow q_1(s) \wedge \mathsf{trl}(tr, q_2)$$

which can be derived by rules in this section according to the structures of assertions by providing the loop invariant  $loop \triangleq x > 0$ . The detailed proof is shown in Appendix D.
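The verification step of this section, as an added Python example (not HHLPar's code): it generates the premises of the rules for init and wait and of the recursion case with a supplied loop invariant, threading the precondition on s_0 through as Sect. 7.1 describes, and runs them on Example 3. The tuple encoding of assertions, the treatment of R[x := e] as a state update, and the discharge of the premises on a constructed finite set of sample states are assumptions of this example; HHLPar hands the premises to Wolfram Engine, whereas sampling can only refute a premise, never prove it.

```python
# Assertions of Sect. 6 as nested tuples (an assumed encoding for this example, not HHLPar's):
#   ("init",)              init
#   ("or", A, B)           A v B
#   ("wait", I, e, cont)   wait(I, e, {d => cont(d)}): I(s0, t) is the state on the path at
#                          time t, e(s0) the waiting time, cont maps d (a function of s0)
#                          to the tail assertion
#   ("rec", body)          Rec R. body, where R occurs inside body as ("R", update)
#   ("R", update)          R[x := e], with update the state transformer s0 -> s0[x := e]
# States are dicts; p, q1, q2 and the loop invariant are predicates on states.

def sample_times(duration, n=4):
    """Evenly spaced sample points of [0, duration], endpoints included."""
    return [duration * i / n for i in range(n + 1)]

def gen_vcs(P, p, q1, q2, inv):
    """Premises for  p(s0) -> (s0, s, tr) |= P -> q1(s) and trl(tr, q2)  by the init and wait
    rules of Sect. 6 and the recursion case with loop invariant inv.  The precondition p on s0
    is strengthened as the rules descend.  Returns (label, predicate on s0) pairs."""
    kind = P[0]
    if kind == "init":                                   # s = s0 and tr is empty: need p -> q1
        return [("init: p -> q1", lambda s0: not p(s0) or q1(s0))]
    if kind == "or":                                     # both disjuncts must meet the goal
        return gen_vcs(P[1], p, q1, q2, inv) + gen_vcs(P[2], p, q1, q2, inv)
    if kind == "wait":
        _, I, e, cont = P
        positive = lambda s0: p(s0) and e(s0) > 0        # s0(e) > 0: wait, then P|_{d = s0(e)}
        nonpositive = lambda s0: p(s0) and e(s0) <= 0    # s0(e) <= 0: no waiting, P|_{d = 0}
        on_path = lambda s0: (not positive(s0)
                              or all(q2(I(s0, t)) for t in sample_times(e(s0))))
        return ([("wait: q2 holds along the path", on_path)]
                + gen_vcs(cont(e), positive, q1, q2, inv)
                + gen_vcs(cont(lambda s0: 0), nonpositive, q1, q2, inv))
    if kind == "rec":                                    # entering the loop establishes inv
        return ([("rec: p -> inv", lambda s0: not p(s0) or inv(s0))]
                + gen_vcs(P[1], inv, q1, q2, inv))
    if kind == "R":                                      # back edge: inv holds in the new state
        return [("R: inv maintained", lambda s0: not p(s0) or inv(P[1](s0)))]
    raise ValueError(f"unknown assertion {kind}")

def verify(P, p, q1, q2, inv, states):
    """Check every premise on the given sample states; returns the (label, state) failures.
    This stands in for the Wolfram Engine call of Sect. 7.1 and can refute, not prove."""
    return [(label, s0) for label, vc in gen_vcs(P, p, q1, q2, inv)
            for s0 in states if not vc(s0)]

# Example 3:  Rec R. init v wait(id, 1, {d => R[x := x + 1]})
EXAMPLE3 = ("rec", ("or", ("init",),
                    ("wait", lambda s0, t: s0,           # path id: the state is constant while waiting
                             lambda s0: 1.0,             # wait 1
                             lambda d: ("R", lambda s0: {**s0, "x": s0["x"] + 1}))))

SAMPLE_STATES = [{"x": v} for v in range(-2, 4)]        # constructed finite domain for the check

if __name__ == "__main__":
    p = lambda s: s["x"] == 1
    gt0 = lambda s: s["x"] > 0
    print(verify(EXAMPLE3, p, gt0, gt0, gt0, SAMPLE_STATES))                   # all premises hold
    print(verify(EXAMPLE3, p, lambda s: s["x"] > 1, gt0, gt0, SAMPLE_STATES))  # init case fails at x = 1
```

The second call shows the failure mode a user of such a tool should expect: with the postcondition strengthened to x > 1, the init case taken under the loop invariant x > 0 fails at x = 1 (zero iterations leave x unchanged), and the offending premise is reported rather than silently passed.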

## 7 Implementation and Case Study

In this section, we present the implementation of HHLPar and demonstrate its application through a case study. We formalize the underlying logic and establish its soundness using Isabelle/HOL, thereby ensuring the correctness of the proof system. In addition to providing a correctness guarantee for the HHL logic, the Isabelle implementation also enables the interactive verification of HCSP by applying the appropriate inference rules. HHLPar is built on this logic and aims to enhance the automation of proof procedures.

### 7.1 HHLPar in Python

We introduce HHLPar from two aspects: the overall structure, and the main implementation issues in Python.

**HHLPar in a Nutshell** The architecture of the HHLPar tool is illustrated in Fig. 1. The tool takes as input Pre, containing a precondition, an HCSP process pc to be verified, and Post, containing a postcondition and a trace invariant, as well as additional invariants for ODEs and loops if present. The verification process is carried out through three main steps: Sequential Generation, Parallel Synchronization, and Property Verification. The first step processes the sequential components of pc and generates their assertions, and the second step generates the assertion of pc through synchronization of the sequential ones. After these two steps, an assertion Q satisfying spec\_of(pc, Q) is obtained. The last step verifies whether the postcondition and trace invariant hold for the given precondition, and returns the result.

**Implementation in Python** HHLPar implements the following three functionalities, corresponding to the three steps of the architecture.

**Sequential Generation** We implemented the function for generating assertions of sequential HCSP satisfying the specification. When dealing with ODEs, this function invokes Wolfram Engine to compute the solution in symbolic form and the maximum waiting time based on the boundary constraint. For expressiveness and convenience, we create a fresh time variable representing the length of this duration and record the constraints on this time variable in a boolean expression. For example,  $\langle \dot{x} = 1\&x < 5 \rangle$  corresponds to  $\uparrow (t_1 = 5 - x) \bar{\land}$  wait $(x \mapsto x + t, t_1, \{d \Rightarrow \text{init}[x := x + d]\})$ .

**Parallel Synchronization** We implemented the synchronization function, which accepts two assertions and the communication channel set and produces the parallel assertion. Note that variables in different processes are independent and cannot be shared in HCSP. Consequently, when the same variable names occur in parallel processes, and subsequently in their specifications, we treat them as different variables. Therefore, before synchronizing assertions, the implementation assigns process names to the parallel processes and their corresponding assertions.

**Property Verification** We implemented the verification function, which takes as inputs three boolean expressions, representing the precondition on the initial state  $s_0$ , the postcondition on the final state s and the trace invariant on the trace tr, together with an assertion (the result of the previous step). When applying the rules, the expression on the initial state  $s_0$  is continually updated. When the assertion is a recursion, we need to prove that the loop invariant is maintained over each loop iteration. This function invokes Wolfram Engine to check all the logical formulas in the premises. If all of them are valid, the algorithm stops successfully, indicating that the property is indeed satisfied with respect to the assertion and precondition, and consequently that it holds for the process being verified with the given Hoare triple.

### 7.2 Case Study

We experimented with a series of examples to test HHLPar in various situations. In this section, we illustrate its ability to handle many simple branches through one case study, demonstrating how HHLPar can effectively verify processes involving ODEs, interrupts, communications, repetition and parallel composition.

The simplified case study on a cruise control system (CCS) is taken from [23], for which the verification was performed via interactive theorem proving. Compared to [24], we have implemented the algorithm that proves the final properties of the process from the assertions, and the whole verification procedure is automated. The model of the CCS comprises two parts: a controller (Control) and a physical plant (Plant). The Plant process models the vehicle's movement, continuously evolving along a given ODE. The evolution is periodically interrupted by the transmission of the velocity v and position p to the Control, followed by the reception of the updated acceleration a.

$$\mathit{Plant} \triangleq ch1!v;\ ch2!p;\ (ch3?a;\ \langle \dot{p} = v, \dot{v} = a \,\&\, true \rangle \unrhd \llbracket ch1!v \rightarrow ch2!p \rrbracket)^*$$

The Control process computes and sends the appropriate vehicle acceleration, determined by the received velocity and position, with respect to a period T.

$$\begin{aligned} \mathit{Control} \triangleq\ & ch1?v;\ ch2?p;\ (pp := p + v \cdot T + \tfrac{1}{2} \cdot da \cdot T^2;\ vv := v + da \cdot T; \\ & (\text{if } 2 \cdot am \cdot (op - pp) \geq vm^2 \text{ then } vlm := vm^2 \text{ else} \\ & \ \text{if } op - pp > 0 \text{ then } vlm := 2 \cdot am \cdot (op - pp) \text{ else } vlm := 0); \\ & (\text{if } vv \leq 0 \,||\, vv^2 \leq vlm \text{ then } a := da \text{ else } (pp := p + v \cdot T; \\ & \ (\text{if } 2 \cdot am \cdot (op - pp) \geq vm^2 \text{ then } vlm := vm^2 \text{ else} \\ & \ \ \text{if } op - pp > 0 \text{ then } vlm := 2 \cdot am \cdot (op - pp) \text{ else } vlm := 0); \\ & \ \text{if } v \leq 0 \,||\, v^2 \leq vlm \text{ then } a := 0 \text{ else } a := -am)); \\ & ch3!a;\ \text{wait } T;\ ch1?v;\ ch2?p)^* \end{aligned}$$

where the constants T, op, da, am represent the time period, the position of the obstacle, and the fixed accelerations during speeding up and deceleration respectively, and the variable vlm is the upper limit of the velocity based on the concept of the Maximum Protection Curve (MPC).

In this case, the parallel process  $\mathit{Plant} \|_{ch1,ch2,ch3} \mathit{Control}$  is provided to HHLPar. The tool automatically gives Plant (and Control) and all the variables appearing in it the prefix A (and B). The loop invariant inv is provided as:

$$\begin{aligned} & BT>0 \land Bam>0 \land Bda>0 \land Bvm>0 \land Ap\leq Bop \land Av=Bv \land Ap=Bp \\ & \land ((2 \cdot Bam \cdot (Bop-Ap)\geq Bvm^2 \land Av\leq Bvm) \lor \\ & \quad (2 \cdot Bam \cdot (Bop-Ap) < Bvm^2 \land (Av\leq 0 \lor Av^2 \leq 2 \cdot Bam \cdot (Bop-Ap)))) \end{aligned}$$

Under the following provided precondition, denoted by Init:

$$\begin{aligned} & BT > 0 \wedge Bam > 0 \wedge Bda > 0 \wedge Bvm > 0 \wedge Ap \leq Bop \\ & \wedge ((2 \cdot Bam \cdot (Bop - Ap) \geq Bvm^2 \wedge Av \leq Bvm) \vee \\ & \quad (2 \cdot Bam \cdot (Bop - Ap) < Bvm^2 \wedge (Av \leq 0 \vee Av^2 \leq 2 \cdot Bam \cdot (Bop - Ap)))) \end{aligned}$$

which states the requirements on the constants, that the initial position does not exceed the obstacle, and that the initial velocity is within the MPC, and with  $Ap \leq Bop$  provided as both the postcondition and the trace invariant, denoted by Safe, HHLPar finally returns "pass". This indicates that the following specification is proved:

$$\{\mathit{Init}(s) \land tr = \epsilon\}\ \mathit{Plant} \|_{ch1,ch2,ch3} \mathit{Control}\ \{\mathit{Safe}(s) \land \mathsf{trl}(tr, \mathit{Safe})\}$$

## 8 Conclusion

We presented HHLPar, an automated theorem prover for verifying parallel HCSP processes, which cover the basic ingredients of hybrid and cyber-physical systems, including discrete control, continuous dynamics, communication, interrupts and parallel composition. HHLPar implements a Hybrid Hoare Logic composed of a set of inference rules for reasoning about sequential HCSP processes and a set of inference rules for reasoning about parallel HCSP processes, with the help of specialized assertions and their synchronization. HHLPar provides both a soundness guarantee, from the formalization of the logic in Isabelle/HOL, and automation, via symbolically decomposing and executing HCSP processes according to the logic and integrating external solvers to handle differential equations and real arithmetic properties. In future work, we plan to develop more efficient rules for reasoning about ODEs and loops in HHLPar and to apply HHLPar to a wider range of practical case studies.

## References

1. R. Alur, C. Courcoubetis, T. A. Henzinger, and P.-H. Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In *Hybrid Systems'92*, LNCS 736, pages 209–229. Springer, 1993.
2. R. Bohrer, V. Rahli, I. Vukotic, M. Völp, and A. Platzer. Formally verified differential dynamic logic. In *CPP 2017*, pages 208–221. ACM, 2017.
3. R. Bohrer, V. Rahli, I. Vukotic, M. Völp, and A. Platzer. Formally verified differential dynamic logic. In *CPP 2017, Paris, France, January 16-17, 2017*, pages 208–221. ACM, 2017.
4. S. Foster, J. J. Huerta y Munive, M. Gleirscher, and G. Struth. Hybrid systems verification with Isabelle/HOL: Simpler syntax, better models, faster proofs. In *FM 2021*, volume 13047 of *LNCS*, pages 367–386. Springer, 2021.
5. G. Frehse. PHAVer: Algorithmic verification of hybrid systems past HyTech. *Int. J. Softw. Tools Technol. Transf.*, 10(3):263–279, 2008.
6. G. Frehse, C. Le Guernic, A. Donzé, S. Cotton, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang, and O. Maler. SpaceEx: Scalable verification of hybrid systems. In *CAV 2011*, pages 379–395. Springer, 2011.
7. N. Fulton, S. Mitsch, J.-D. Quesel, M. Völp, and A. Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In *CADE-25*, volume 9195 of *LNCS*, pages 527–538. Springer, 2015.
8. J. He. From CSP to hybrid systems. In *A Classical Mind*, pages 171–189. Prentice Hall International (UK) Ltd., 1994.
9. C. A. R. Hoare. *Communicating Sequential Processes*. Prentice-Hall, 1985.
10. J. Liu, J. Lv, Z. Quan, N. Zhan, H. Zhao, C. Zhou, and L. Zou. A calculus for hybrid CSP. In *APLAS 2010*, LNCS 6461, pages 1–15. Springer, 2010.
11. J. Liu, N. Zhan, and H. Zhao. Computing semi-algebraic invariants for polynomial dynamical systems. In *EMSOFT'11*, pages 97–106. ACM, 2011.
12. A. Platzer. Differential dynamic logic for hybrid systems. *J. Autom. Reason.*, 41(2):143–189, 2008.
13. A. Platzer. *Logical Analysis of Hybrid Systems*. Springer, 2010.
14. A. Platzer. A complete uniform substitution calculus for differential dynamic logic. *J. Autom. Reason.*, 59(2):219–265, 2017.
15. A. Platzer. *Logical Foundations of Cyber-Physical Systems*. Springer, 2018.
16. A. Platzer and E. M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In *CAV'08*, LNCS 5123, pages 176–189, 2008.
17. A. Platzer and J.-D. Quesel. KeYmaera: A hybrid theorem prover for hybrid systems (system description). In *IJCAR 2008*, volume 5195 of *LNCS*, pages 171–178. Springer, 2008.
18. A. Platzer and Y. K. Tan. Differential equation invariance axiomatization. *J. ACM*, 67(1):6:1–6:66, 2020.
19. S. Ratschan and Z. She. Safety verification of hybrid systems by constraint propagation-based abstraction refinement. *ACM Trans. Embed. Comput. Syst.*, 6(1):8, 2007.
20. H. Sheng, A. Bentkamp, and B. Zhan. HHLPy: Practical verification of hybrid systems using Hoare logic. In *FM 2023*, volume 14000 of *LNCS*, pages 160–178. Springer, 2023.
21. S. Wang, N. Zhan, and D. Guelev. An assume/guarantee based compositional calculus for hybrid CSP. In *TAMC'12*, LNCS 7287, pages 72–83. Springer, 2012.
22. S. Wang, N. Zhan, and L. Zou. An improved HHL prover: An interactive theorem prover for hybrid systems. In *ICFEM'15*, LNCS 9407, pages 382–399, 2015.
23. X. Xu, S. Wang, B. Zhan, X. Jin, J.-P. Talpin, and N. Zhan. Unified graphical co-modeling, analysis and verification of cyber-physical systems by combining AADL and Simulink/Stateflow. *Theor. Comput. Sci.*, 903:1–25, 2022.
24. X. Xu, S. Wang, Z. Ji, Q. Gao, X. Jin, B. Zhan, and N. Zhan. Case study: Modeling, simulation, verification, and code generation of an automatic cruise control system. Pages 226–246. Springer Nature Switzerland, Cham, 2024.
25. J. J. Huerta y Munive, S. Foster, M. Gleirscher, G. Struth, C. Pardillo Laursen, and T. Hickman. IsaVODEs: Interactive verification of cyber-physical systems at scale. *J. Autom. Reason.*, 68(4):21, 2024.
26. N. Zhan, X. Jin, B. Zhan, S. Wang, and D. P. Guelev. A generalized hybrid Hoare logic. *CoRR*, abs/2303.15020, 2023.
27. C. Zhou, J. Wang, and A. P. Ravn. A formal description of hybrid systems. In *Hybrid Systems*, LNCS 1066, pages 511–530. Springer, 1996.

## A Trace-based HHL

### A.1 Trace Synchronization

The trace synchronization relation $tr_1 \|_{cs} tr_2 \Downarrow tr$ (the traces $tr_1$ and $tr_2$ of two parallel components, synchronized over the shared channel set $cs$, yield the combined trace $tr$) is defined by the following rules. Here $\langle ch\triangleright, v \rangle$ stands for either an input event $\langle ch?, v \rangle$ or an output event $\langle ch!, v \rangle$, $\delta$ denotes that the synchronization is blocked (deadlock), $\overrightarrow{p}(\cdot + h)$ is the path $\overrightarrow{p}$ shifted by $h$, $\overrightarrow{p}_1 \uplus \overrightarrow{p}_2$ is the pointwise union of the two paths, and $\mathsf{compat}(rdy_1, rdy_2)$ holds when no channel in $cs$ has its output end ready on one side and its input end ready on the other (the same predicate as in Appendix C). Each rule with an asymmetric shape also has a symmetric counterpart with the two sides exchanged.

$$\frac{ch \in cs \quad tr_1 \|_{cs} tr_2 \Downarrow tr}{\langle ch!, v \rangle^\smallfrown tr_1 \|_{cs} \langle ch?, v \rangle^\smallfrown tr_2 \Downarrow \langle ch, v \rangle^\smallfrown tr} \ \text{SyncIO}$$

$$\frac{ch \notin cs \quad tr_1 \|_{cs} tr_2 \Downarrow tr}{\langle ch\triangleright, v \rangle^\smallfrown tr_1 \|_{cs} tr_2 \Downarrow \langle ch\triangleright, v \rangle^\smallfrown tr} \ \text{NoSyncIO} \qquad \frac{ch \in cs}{\langle ch\triangleright, v \rangle^\smallfrown tr_1 \|_{cs} \epsilon \Downarrow \delta} \ \text{SyncEmpty1}$$

$$\frac{}{\langle d, \overrightarrow{p}_1, rdy_1 \rangle^\smallfrown tr_1 \|_{cs} \epsilon \Downarrow \delta} \ \text{SyncEmpty2} \qquad \frac{}{\epsilon \|_{cs} \epsilon \Downarrow \epsilon} \ \text{SyncEmpty3}$$

$$\frac{\mathsf{compat}(rdy_1, rdy_2) \quad d > 0 \quad tr_1 \|_{cs} tr_2 \Downarrow tr}{\langle d, \overrightarrow{p}_1, rdy_1 \rangle^\smallfrown tr_1 \|_{cs} \langle d, \overrightarrow{p}_2, rdy_2 \rangle^\smallfrown tr_2 \Downarrow \langle d, \overrightarrow{p}_1 \uplus \overrightarrow{p}_2, (rdy_1 \cup rdy_2) - cs \rangle^\smallfrown tr} \ \text{SyncWait1}$$

$$\frac{\mathsf{compat}(rdy_1, rdy_2) \quad d_1 > d_2 > 0 \quad \langle d_1 - d_2, \overrightarrow{p}_1(\cdot + d_2), rdy_1 \rangle^\smallfrown tr_1 \|_{cs} tr_2 \Downarrow tr}{\langle d_1, \overrightarrow{p}_1, rdy_1 \rangle^\smallfrown tr_1 \|_{cs} \langle d_2, \overrightarrow{p}_2, rdy_2 \rangle^\smallfrown tr_2 \Downarrow \langle d_2, \overrightarrow{p}_1 \uplus \overrightarrow{p}_2, (rdy_1 \cup rdy_2) - cs \rangle^\smallfrown tr} \ \text{SyncWait2}$$
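To make the rules concrete, here is an executable version of $\|_{cs}$ written for this appendix (an added example, not HHLPar's own code). It assumes a simple encoding: an event $\langle ch\triangleright, v \rangle$ is a tuple `("io", dir, ch, v)` with `dir` equal to `"!"`, `"?"`, or `""` once synchronized, and a wait block $\langle d, \overrightarrow{p}, rdy \rangle$ is `("wait", d, p, rdy)` with `p` a Python callable from time to a state dictionary and `rdy` a set of tokens such as `"ch!"`. Because $\Downarrow$ is a relation (two external events may interleave either way), `sync` returns the list of all derivable combined traces, and the empty list plays the role of $\delta$. The three scenarios in `example()` are constructed inputs: a handshake after equal waits, a pair of traces that cannot be synchronized because one side is still waiting when the other wants to communicate, and two external events that interleave.

```python
"""Executable trace synchronization tr1 ||_cs tr2 ⇓ tr (Appendix A.1).

Added example, not code from HHLPar.  Encoding (an assumption of this example):
  ("io", dir, ch, v)    event <ch▷, v>; dir is "!" (output), "?" (input), or "" after sync
  ("wait", d, p, rdy)   block <d, p, rdy>; p maps time t -> state dict, rdy is a set of
                        tokens "ch!" / "ch?" that the process is ready to perform
sync() returns every trace derivable by the rules; [] stands for deadlock (δ).
"""
from typing import Callable, Dict, List

State = Dict[str, float]
Path = Callable[[float], State]


def io(direction: str, ch: str, v) -> tuple:
    return ("io", direction, ch, v)


def wait(d: float, p: Path, rdy) -> tuple:
    return ("wait", d, p, frozenset(rdy))


def compat(rdy1, rdy2, cs) -> bool:
    """No shared channel has its output end ready on one side and its input end on the other."""
    return not any((ch + "!" in rdy1 and ch + "?" in rdy2) or
                   (ch + "?" in rdy1 and ch + "!" in rdy2) for ch in cs)


def merge(p1: Path, p2: Path) -> Path:   # p1 ⊎ p2: the parallel state is the union of both
    return lambda t: {**p1(t), **p2(t)}


def shift(p: Path, h: float) -> Path:    # p(· + h): the remainder of a partly consumed wait
    return lambda t: p(t + h)


def sync(cs, tr1: list, tr2: list) -> List[list]:
    cs = set(cs)
    if not tr1 and not tr2:                                    # SyncEmpty3
        return [[]]
    results: List[list] = []
    # NoSyncIO on either side: an event on a non-shared channel passes through
    # unchanged (both orders are derivable when both heads are external).  An event
    # on a shared channel facing an empty trace (SyncEmpty1) or a wait block facing
    # an empty trace (SyncEmpty2) matches no rule below and therefore yields nothing.
    if tr1 and tr1[0][0] == "io" and tr1[0][2] not in cs:
        results += [[tr1[0]] + r for r in sync(cs, tr1[1:], tr2)]
    if tr2 and tr2[0][0] == "io" and tr2[0][2] not in cs:
        results += [[tr2[0]] + r for r in sync(cs, tr1, tr2[1:])]
    if tr1 and tr2:
        h1, h2 = tr1[0], tr2[0]
        # SyncIO: matching output/input on a shared channel with the same value
        if (h1[0] == h2[0] == "io" and h1[2] == h2[2] and h1[2] in cs
                and {h1[1], h2[1]} == {"!", "?"} and h1[3] == h2[3]):
            results += [[io("", h1[2], h1[3])] + r for r in sync(cs, tr1[1:], tr2[1:])]
        # SyncWait1 / SyncWait2: both sides wait; they may do so only if no shared
        # handshake is already possible (compat); the longer wait keeps its remainder
        if h1[0] == h2[0] == "wait":
            _, d1, p1, r1 = h1
            _, d2, p2, r2 = h2
            if compat(r1, r2, cs) and d1 > 0 and d2 > 0:
                rdy = frozenset(tok for tok in r1 | r2 if tok[:-1] not in cs)
                joined = wait(min(d1, d2), merge(p1, p2), rdy)
                if d1 == d2:
                    rest = sync(cs, tr1[1:], tr2[1:])
                elif d1 > d2:
                    rest = sync(cs, [wait(d1 - d2, shift(p1, d2), r1)] + tr1[1:], tr2[1:])
                else:
                    rest = sync(cs, tr1[1:], [wait(d2 - d1, shift(p2, d1), r2)] + tr2[1:])
                results += [[joined] + r for r in rest]
    return results


def example() -> dict:
    """Three constructed scenarios over the shared channel set {ch}."""
    px: Path = lambda t: {"x": t}        # left side: x evolves as x(t) = t
    py: Path = lambda t: {"y": 1.0}      # right side: y stays constant
    handshake = sync({"ch"},
                     [wait(1, px, {"ch!"}), io("!", "ch", 5)],      # ready to send for 1 time unit
                     [wait(1, py, set()), io("?", "ch", 5)])         # busy for 1 unit, then receives
    # The left trace waits 2 units before sending, but the right trace wants ch? at
    # t = 1 without waiting further: this pair has no synchronization (the parallel
    # process would instead take the left trace in which the sender waits exactly 1).
    deadlock = sync({"ch"},
                    [wait(2, px, {"ch!"}), io("!", "ch", 5)],
                    [wait(1, py, set()), io("?", "ch", 5)])
    interleave = sync({"ch"}, [io("!", "a", 1)], [io("?", "b", 2)])  # two external events
    return {"handshake": handshake, "deadlock": deadlock, "interleave": interleave}


if __name__ == "__main__":
    for name, traces in example().items():
        print(name, [[b[:2] if b[0] == "wait" else b for b in tr] for tr in traces])
```

The merged wait block in the handshake scenario carries the union path (`x` from the left side, `y` from the right) and an empty ready set, because the only ready token `ch!` is on a shared channel and is removed by $(rdy_1 \cup rdy_2) - cs$; the subsequent SyncIO step turns the two events into the single synchronized event $\langle ch, 5 \rangle$.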

### A.2 Big-step Semantics

The big-step semantics of HCSP processes is defined by rules of the form $(c, s) \Rightarrow (s', tr)$: executing $c$ from state $s$ terminates in state $s'$ and produces the trace $tr$. The rules for the basic commands are as follows, where $I_s$ denotes the constant path $\lambda t.\ s$ and the rules that record a waiting period require $d > 0$:

$$\frac{}{(\mathbf{skip}, s) \Rightarrow (s, \epsilon)} \ \text{SkipB} \qquad \frac{}{(x := e, s) \Rightarrow (s[x \mapsto s(e)], \epsilon)} \ \text{AssignB}$$

$$\frac{}{(ch!e, s) \Rightarrow (s, \langle ch!, s(e) \rangle)} \ \text{OutB1} \qquad \frac{d > 0}{(ch!e, s) \Rightarrow (s, \langle d, I_s, \{ch!\} \rangle^\smallfrown \langle ch!, s(e) \rangle)} \ \text{OutB2}$$

$$\frac{}{(ch?x, s) \Rightarrow (s[x \mapsto v], \langle ch?, v \rangle)} \ \text{InB1} \qquad \frac{d > 0}{(ch?x, s) \Rightarrow (s[x \mapsto v], \langle d, I_s, \{ch?\} \rangle^\smallfrown \langle ch?, v \rangle)} \ \text{InB2}$$

$$\frac{s_1(B) \quad (c_1, s_1) \Rightarrow (s_2, tr)}{(\mathbf{if}\ B\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2, s_1) \Rightarrow (s_2, tr)} \ \text{IfB1} \qquad \frac{\neg s_1(B) \quad (c_2, s_1) \Rightarrow (s_2, tr)}{(\mathbf{if}\ B\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2, s_1) \Rightarrow (s_2, tr)} \ \text{IfB2}$$

$$\frac{\neg s(B)}{(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \rangle, s) \Rightarrow (s, \epsilon)} \ \text{ContB1}$$

$$\frac{d > 0 \quad \overrightarrow{p} \text{ solves } \overrightarrow{\dot{x}} = \overrightarrow{e} \text{ on } [0, d] \text{ with } \overrightarrow{p}(0) = s(\overrightarrow{x}) \quad \forall t \in [0, d).\ s[\overrightarrow{x} \mapsto \overrightarrow{p}(t)](B) \quad \neg s[\overrightarrow{x} \mapsto \overrightarrow{p}(d)](B)}{(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \rangle, s) \Rightarrow (s[\overrightarrow{x} \mapsto \overrightarrow{p}(d)], \langle d, \lambda t.\ s[\overrightarrow{x} \mapsto \overrightarrow{p}(t)], \emptyset \rangle)} \ \text{ContB2}$$

An output or input that happens immediately (OutB1, InB1) leaves only the event in the trace; if the partner is not ready yet, the process first records a wait block whose ready set names the pending communication end (OutB2, InB2). A continuous evolution records a single wait block with an empty ready set, since it offers no communication.

## B Complement Sequential Rules

### B.1

In this section, we first explain in detail the rules for the interrupt command with an explicit solution.

Consider an interrupt command $\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \propto c' \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i)$, where $es$ denotes the list of communications, each of the form $(ch?x \to c_i)$ or $(ch!e \to c_i)$, and $f$ is the solution of $\overrightarrow{\dot{x}} = \overrightarrow{e}$, so that $f(s_0(\overrightarrow{x}), t)$ is the value of $\overrightarrow{x}$ at time $t$ when starting from state $s_0$. The branches of assertions corresponding to the communication list are computed by $\mathsf{rel\_cm}(es, c, f)$: if $es[i] = (ch?y \to c_i)$ and $\mathsf{spec\_of}(c_i; c, Q_i)$, then

$$\mathsf{rel\_cm}(es, c, f)[i] = \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow Q_i[y := \mathsf{v}][\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\} \rangle$$

and if $es[i] = (ch!e \to c_i)$ and $\mathsf{spec\_of}(c_i; c, Q_i)$, then

$$\mathsf{rel\_cm}(es, c, f)[i] = \langle ch!, \{\mathsf{d} \Rightarrow e(p(s_0, \mathsf{d}))\}, \{\mathsf{d} \Rightarrow Q_i[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\} \rangle$$

where $p(s_0, \mathsf{d}) = s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), \mathsf{d})]$ is the state reached at time $\mathsf{d}$, so the value sent is $e$ evaluated in that state.

Then the inference rule for the interrupt command is:

$$\frac{\begin{array}{c} \mathsf{paramODEsol}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, f, e) \qquad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \\ \mathsf{spec\_of}(c'; c, P) \qquad \forall i \in L.\ \mathsf{spec\_of}(c_i; c, Q_i) \end{array}}{\begin{array}{c} \mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \propto c' \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i); c, \\ \mathsf{interrupt}(\overrightarrow{x} \rightarrowtail f(\overrightarrow{x}, t), e, \{\mathsf{d} \Rightarrow P[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\}, \mathsf{rel\_cm}(es, c, f))) \end{array}}$$

The meaning of this rule is as follows: the specification of the interrupt first evolves along the path $p(t) = s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), t)]$, and one of the following three situations occurs:

- If the evolution is interrupted by an input communication $(ch?x \to c_i)$ at time $\mathsf{d}$ with value $\mathsf{v}$, the state is updated to $s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), \mathsf{d})][x \mapsto \mathsf{v}]$, followed by the behavior of $c_i; c$ as specified by $Q_i$.
- If the evolution is interrupted by an output communication $(ch!e \to c_i)$ at time $\mathsf{d}$, the value sent is $\mathsf{v} = e(s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), \mathsf{d})])$ and the state is updated to $s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), \mathsf{d})]$, followed by the behavior of $c_i; c$ as specified by $Q_i$.
- If no interrupt occurs before time $\mathsf{d} = s_0(e)$, the state is updated to $s_0[\overrightarrow{x} \mapsto f(s_0(\overrightarrow{x}), \mathsf{d})]$, followed by the behavior of $c'; c$ as specified by $P$.
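As an added worked instance of this rule (not from the original paper), take the one-variable command $\langle \dot{x} = 1 \,\&\, x < 10 \propto \mathbf{skip} \rangle \trianglerighteq (ch?y \to \mathbf{skip})$ with the empty continuation $c = \mathbf{skip}$, so that $P = Q_1 = \mathsf{init}$. The solution is $f(x_0, t) = x_0 + t$, and the boundary $x < 10$ fails for the first time at $t = 10 - x_0$, so $\mathsf{paramODEsol}(\dot{x} = 1, x < 10, f, 10 - x)$ and $\mathsf{lipschitz}(\dot{x} = 1)$ hold. With $es = [(ch?y \to \mathbf{skip})]$ the single branch is

$$\mathsf{rel\_cm}(es, \mathbf{skip}, f)[1] = \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{init}[y := \mathsf{v}][x := s_0(x) + \mathsf{d}]\} \rangle$$

and the rule yields

$$\mathsf{spec\_of}\big(\langle \dot{x} = 1 \,\&\, x < 10 \propto \mathbf{skip} \rangle \trianglerighteq (ch?y \to \mathbf{skip}),\ \mathsf{interrupt}(x \rightarrowtail x + t,\ 10 - x,\ \{\mathsf{d} \Rightarrow \mathsf{init}[x := s_0(x) + \mathsf{d}]\},\ [\langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{init}[y := \mathsf{v}][x := s_0(x) + \mathsf{d}]\} \rangle])\big).$$

Reading the assertion back through the three cases above: if the environment sends $\mathsf{v}$ on $ch$ at some time $\mathsf{d} < 10 - s_0(x)$, the process terminates in $s_0[x \mapsto s_0(x) + \mathsf{d}][y \mapsto \mathsf{v}]$ with $x < 10$; if no message arrives, it terminates at $\mathsf{d} = 10 - s_0(x)$ in $s_0[x \mapsto 10]$; and if $s_0(x) \geq 10$ already, the waiting time $10 - s_0(x)$ is at most $0$ and the process terminates at once. In every case the assertion records the wait along $x \rightarrowtail x + t$ before the terminating event, which is exactly the information a safety property such as $x \leq 10$ throughout the execution is checked against.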

The above assumes that the ODE with boundary condition has a solution of finite length from any starting state. Another important case is when the ODE has a solution of infinite length, in particular when the boundary condition is $\mathsf{true}$. In this case the appropriate assertion is $\mathsf{interrupt}_\infty$. We first define the predicate $\mathsf{paramODEsolInf}(\overrightarrow{\dot{x}} = \overrightarrow{e}, f)$, meaning that $f$ is the (infinite length) solution of $\overrightarrow{\dot{x}} = \overrightarrow{e}$; the corresponding rule is:

$$\frac{\mathsf{paramODEsolInf}(\overrightarrow{\dot{x}} = \overrightarrow{e}, f) \quad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \quad \forall i \in L.\ \mathsf{spec\_of}(c_i; c, Q_i)}{\mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, \mathsf{true} \propto c' \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i); c,\ \mathsf{interrupt}_\infty(\overrightarrow{x} \rightarrowtail f(\overrightarrow{x}, t), \mathsf{rel\_cm}(es, c, f)))}$$

Since the evolution never terminates on its own, $c'$ is never executed and no specification of $c'; c$ is required.

Next, we introduce the rules for the interrupt command with differential invariants.

Similarly, we define the branches of assertions corresponding to the communication list, denoted by $\mathsf{relinv\_cm}(es, c, inv)$, where $inv$ is the differential invariant and $\overrightarrow{nx_i}$ are fresh variables standing for the (unknown) values of $\overrightarrow{x}$ at the moment branch $i$ is taken: if $es[i] = (ch?y \to c_i)$ and $\mathsf{spec\_of}(c_i; c, Q_i)$, then

$$\mathsf{relinv\_cm}(es, c, inv)[i] = \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow (\uparrow inv \,\bar{\land}\, Q_i[y := \mathsf{v}])[\overrightarrow{x} := \overrightarrow{nx_i}]\} \rangle$$

and if $es[i] = (ch!e \to c_i)$ and $\mathsf{spec\_of}(c_i; c, Q_i)$, then

$$\mathsf{relinv\_cm}(es, c, inv)[i] = \langle ch!, \{\mathsf{d} \Rightarrow e(s_0[\overrightarrow{x} := \overrightarrow{nx_i}])\}, \{\mathsf{d} \Rightarrow (\uparrow inv \,\bar{\land}\, Q_i)[\overrightarrow{x} := \overrightarrow{nx_i}]\} \rangle$$

And then we have the following rule:

$$\frac{\begin{array}{c} \mathsf{paramODEInv}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, inv, pp) \qquad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \\ \mathsf{spec\_of}(c'; c, P) \qquad \forall i \in L.\ \mathsf{spec\_of}(c_i; c, Q_i) \end{array}}{\begin{array}{c} \mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \propto c' \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i); c, \\ (\uparrow(\neg B) \,\bar{\land}\, P) \,\bar{\lor}\, \uparrow(\neg pp \land B) \,\bar{\lor}\, \exists T\, \overrightarrow{nx}\, (\overrightarrow{nx_i})_{i \in L}.\ (\uparrow(pp \land B) \,\bar{\land}\, \mathsf{interrupt}(inv, T, \\ \{\mathsf{d} \Rightarrow (\uparrow(inv \land \mathsf{bound}(B)) \,\bar{\land}\, P)[\overrightarrow{x} := \overrightarrow{nx}]\},\ \mathsf{relinv\_cm}(es, c, inv)))) \end{array}}$$

If the ODE in the interrupt command has a solution of infinite length, we have:

### B.2

In this section we give all the sequential rules without a subsequent process.

$$\frac{}{\mathsf{spec\_of}(x := e, \mathsf{init}[x := e])} \qquad \frac{\mathsf{spec\_of}(c_1, P) \quad \mathsf{spec\_of}(c_2, Q)}{\mathsf{spec\_of}(\mathbf{if}\ B\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2, (\uparrow(B) \,\bar{\land}\, P) \,\bar{\lor}\, (\uparrow(\neg B) \,\bar{\land}\, Q))}$$

$$\frac{}{\mathsf{spec\_of}(ch?x, \mathsf{wait\_in}(\mathsf{id\_inv}, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{init}[x := \mathsf{v}]\}))} \qquad \frac{}{\mathsf{spec\_of}(ch!e, \mathsf{wait\_outv}(\mathsf{id\_inv}, ch, e, \{\mathsf{d} \Rightarrow \mathsf{init}\}))}$$

$$\frac{}{\mathsf{spec\_of}(\mathbf{wait}\ e, \mathsf{wait}(\mathsf{id\_inv}, e, \{\mathsf{d} \Rightarrow \mathsf{init}\}))}$$

$$\frac{\mathsf{paramODEsol}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, f, e) \quad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e})}{\mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \rangle, \mathsf{wait}(\overrightarrow{x} \rightarrowtail f(\overrightarrow{x}, t), e, \{\mathsf{d} \Rightarrow \mathsf{init}[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\}))}$$

A specification without a subsequent process is obtained from the general form by taking the terminated process, whose specification is $\mathsf{init}$, as the continuation:

$$\frac{\forall d\, Q.\ \mathsf{spec\_of}(d, Q) \to \mathsf{spec\_of}(c; d, F(Q))}{\mathsf{spec\_of}(c, F(\mathsf{init}))}$$

Finally, the rule for the interrupt command without a subsequent process is the rule of Appendix B.1 with the continuation dropped, where $\mathsf{rel\_cm}(es, f)$ is built like $\mathsf{rel\_cm}(es, c, f)$ but from $\mathsf{spec\_of}(c_i, Q_i)$ instead of $\mathsf{spec\_of}(c_i; c, Q_i)$:

$$\frac{\begin{array}{c} \mathsf{paramODEsol}(\overrightarrow{\dot{x}} = \overrightarrow{e}, B, f, e) \qquad \mathsf{lipschitz}(\overrightarrow{\dot{x}} = \overrightarrow{e}) \\ \mathsf{spec\_of}(c', P) \qquad \forall i \in L.\ \mathsf{spec\_of}(c_i, Q_i) \end{array}}{\mathsf{spec\_of}(\langle \overrightarrow{\dot{x}} = \overrightarrow{e} \,\&\, B \propto c' \rangle \trianglerighteq []_{i \in L}(ch_i * \to c_i),\ \mathsf{interrupt}(\overrightarrow{x} \rightarrowtail f(\overrightarrow{x}, t), e, \{\mathsf{d} \Rightarrow P[\overrightarrow{x} := f(s_0(\overrightarrow{x}), \mathsf{d})]\}, \mathsf{rel\_cm}(es, f)))}$$

## C Complement Synchronization Rules

In this section we show the other synchronization rules.

First, we introduce the rules involving the common operators of assertions.

$$\frac{}{\mathsf{sync}(chs, \mathsf{false}, P)(s_0) \Longrightarrow_a \mathsf{false}(s_0)} \ \mathsf{False}$$

If one side is a false assertion, the result is false.

$$\frac{\operatorname{sync}(\operatorname{chs}, P_1, Q)(s_0) \Longrightarrow_a R_1(s_0) \quad \operatorname{sync}(\operatorname{chs}, P_2, Q)(s_0) \Longrightarrow_a R_2(s_0)}{\operatorname{sync}(\operatorname{chs}, P_1 \bar{\vee} P_2, Q)(s_0) \Longrightarrow_a (R_1 \bar{\vee} R_2)(s_0)} \operatorname{Disj}$$

If one side is a disjunction, we split it into its components and synchronize each of them separately.

$$\frac{b(s_1) \longrightarrow \mathsf{sync}(chs, P, Q)(s_0) \Longrightarrow_a R(s_0)}{\mathsf{sync}(chs, \uparrow b \,\bar{\land}\, P, Q)(s_0) \Longrightarrow_a (\uparrow b \,\bar{\land}\, R)(s_0)} \ \mathsf{Bool}$$

If one side is a conjunction with a boolean expression $b$ (evaluated on that side's own state $s_1$, the corresponding component of the parallel state $s_0$), we synchronize the remaining part under the assumption $b$ and pull $b$ out, lifted to the parallel state, as a new condition.

$$\frac{}{\mathsf{sync}(chs,P[x:=e],Q)(s_0) \Longrightarrow_a \mathsf{sync}(chs,P,Q)[x:=e](s_0)} \mathsf{Subst}$$

If one side is a substitution assertion, the substitution can be pulled out after lifting it to the parallel state.

In principle, $\mathsf{wait\_out}$, $\mathsf{wait\_in}$ and $\mathsf{wait}$ are all special cases of $\mathsf{interrupt}$ (including $\mathsf{interrupt}_\infty$, by viewing $\mathsf{interrupt}_\infty(I, cm)$ as $\mathsf{interrupt}(I, \infty, \{\mathsf{d} \Rightarrow \mathsf{false}\}, cm)$). The synchronization rule for interrupt assertions is therefore complex and covers all the potential situations. We first give some simple cases, and then introduce the rule for $\mathsf{interrupt}$ in its complete form.

While synchronizing two init assertions, the state of each part remains the same and the traces on both sides are empty lists. Naturally, we have

$$\frac{}{\mathsf{sync}(chs, \mathsf{init}, \mathsf{init})(s_0) \Longrightarrow_a \mathsf{init}(s_0)} \ \mathsf{InitInit}$$

While synchronizing an init assertion with a wait assertion, if the wait time is greater than 0 we directly obtain a false assertion, since the terminated side cannot wait. Otherwise, if the wait time is less than or equal to 0, the wait assertion turns into its tail by definition:

$$\frac{}{\mathsf{sync}(chs, \mathsf{wait}(I, e, \{\mathsf{d} \Rightarrow P\}), \mathsf{init})(s_0) \Longrightarrow_a (\uparrow(e \leq 0) \,\bar{\land}\, \mathsf{sync}(chs, P|_{\mathsf{d} = 0}, \mathsf{init}))(s_0)} \ \mathsf{WaitInit}$$

While synchronizing an init assertion with an input assertion, if the communication channel belongs to the common channel set we directly obtain a false assertion, since the partner has already terminated and will never offer the matching output. Otherwise, this external communication must occur at once, because the init assertion does not allow any waiting time. Thus, we have:

$$\frac{ch \in chs}{\mathsf{sync}(chs, \mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P\}), \mathsf{init})(s_0) \Longrightarrow_a \mathsf{false}(s_0)} \ \mathsf{InInit1}$$

$$\frac{ch \notin chs}{\mathsf{sync}(chs, \mathsf{wait\_in}(I, ch, \{\mathsf{d}, \mathsf{v} \Rightarrow P\}), \mathsf{init})(s_0) \Longrightarrow_a \mathsf{interrupt}(I \uplus \mathsf{id\_inv}, 0, \{\mathsf{d} \Rightarrow \mathsf{false}\}, [\langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{sync}(chs, P, \mathsf{init})\} \rangle])(s_0)} \ \mathsf{InInit2}$$

The rules for synchronizing an init assertion and an output assertion are similar.

While synchronizing an input assertion with an output assertion, we need to consider whether their channels belong to the common channel set. If both are in the set and have the same name, the handshake occurs at once. If both are in the set but have different names, each side is waiting for a handshake that the other never offers; this is a deadlock, represented by a false assertion. So we have the following rules:

$$\frac{ch_1 \in chs \quad ch_2 \in chs \quad ch_1 = ch_2}{\mathsf{sync}(chs, \mathsf{wait\_in}(I_1, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1\}), \mathsf{wait\_outv}(I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2\}))(s_0) \Longrightarrow_a \mathsf{sync}(chs, P_1|_{\mathsf{d}_1 = 0, \mathsf{v}_1 = s_0(e)}, P_2|_{\mathsf{d}_2 = 0})(s_0)} \ \mathsf{InOut1}$$

$$\frac{ch_1 \in chs \quad ch_2 \in chs \quad ch_1 \neq ch_2}{\mathsf{sync}(chs, \mathsf{wait\_in}(I_1, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1\}), \mathsf{wait\_outv}(I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2\}))(s_0) \Longrightarrow_a \mathsf{false}(s_0)} \ \mathsf{InOut2}$$

If at least one of them is an external communication, it must happen before any internal communication, because the condition for the internal handshake is not met. When only one side is external, that side's communication becomes the outer assertion and the other side is delayed by the time it took; when both are external, either may happen first, which gives an $\mathsf{interrupt}_\infty$ assertion with both branches. Thus, we have:

$$\frac{ch_1 \in chs \quad ch_2 \notin chs}{\begin{array}{l} \mathsf{sync}(chs, \mathsf{wait\_in}(I_1, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1\}), \mathsf{wait\_outv}(I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2\}))(s_0) \\ \quad \Longrightarrow_a \mathsf{wait\_outv}(I_1 \uplus I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow \mathsf{sync}(chs, \mathsf{wait\_in}(I_1|_{t = t + \mathsf{d}_2}, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1|_{\mathsf{d}_1 = \mathsf{d}_1 + \mathsf{d}_2}\}), P_2)\})(s_0) \end{array}} \ \mathsf{InOut3}$$

$$\frac{ch_1 \notin chs \quad ch_2 \in chs}{\begin{array}{l} \mathsf{sync}(chs, \mathsf{wait\_in}(I_1, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1\}), \mathsf{wait\_outv}(I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2\}))(s_0) \\ \quad \Longrightarrow_a \mathsf{wait\_in}(I_1 \uplus I_2, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow \mathsf{sync}(chs, P_1, \mathsf{wait\_outv}(I_2|_{t = t + \mathsf{d}_1}, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2|_{\mathsf{d}_2 = \mathsf{d}_2 + \mathsf{d}_1}\}))\})(s_0) \end{array}} \ \mathsf{InOut4}$$

$$\frac{ch_1 \notin chs \quad ch_2 \notin chs}{\begin{array}{l} \mathsf{sync}(chs, \mathsf{wait\_in}(I_1, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1\}), \mathsf{wait\_outv}(I_2, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2\}))(s_0) \\ \quad \Longrightarrow_a \mathsf{interrupt}_\infty(I_1 \uplus I_2, [\langle ch_1?, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow \mathsf{sync}(chs, P_1, \mathsf{wait\_outv}(I_2|_{t = t + \mathsf{d}_1}, ch_2, e, \{\mathsf{d}_2 \Rightarrow P_2|_{\mathsf{d}_2 = \mathsf{d}_2 + \mathsf{d}_1}\}))\} \rangle, \\ \qquad\qquad\qquad \langle ch_2!, \{\mathsf{d}_2 \Rightarrow e\}, \{\mathsf{d}_2 \Rightarrow \mathsf{sync}(chs, \mathsf{wait\_in}(I_1|_{t = t + \mathsf{d}_2}, ch_1, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow P_1|_{\mathsf{d}_1 = \mathsf{d}_1 + \mathsf{d}_2}\}), P_2)\} \rangle])(s_0) \end{array}} \ \mathsf{InOut5}$$

Next, we consider synchronizing two interrupt assertions $\mathsf{interrupt}(I_1, e_1, \{\mathsf{d}_1 \Rightarrow P_1\}, cm_1)$ and $\mathsf{interrupt}(I_2, e_2, \{\mathsf{d}_2 \Rightarrow P_2\}, cm_2)$. First, we need to determine whether a communication between the two sides is possible. The criterion is whether there exists a channel name in the set $chs$ whose input end is in the ready set of one side and whose output end is in the ready set of the other. Define the predicate $\mathsf{compat}$ to be the negation of this condition, where $rdy(cm)$ is the set of communication ends $ch?$, $ch!$ occurring in $cm$:

$$\mathsf{compat}(rdy(cm_1), rdy(cm_2)) \triangleq \neg\big(\exists ch \in chs.\ (ch! \in rdy(cm_1) \land ch? \in rdy(cm_2)) \lor (ch? \in rdy(cm_1) \land ch! \in rdy(cm_2))\big)$$

In the case where this predicate holds, both sides are waiting to be interrupted by external communication, so the synchronization result is still an interrupt assertion, and its maximal waiting time is the smaller of $e_1$ and $e_2$. When the maximal waiting time is reached, the shorter side behaves as its tail, while the longer side stays in a partly consumed interrupt assertion, denoted $\mathsf{delay}(h, \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm))$:

$$\begin{aligned} \mathsf{delay}(h, \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm)) &\triangleq \mathsf{interrupt}(I|_{t = t + h}, e - h, \\ &\qquad \{\mathsf{d} \Rightarrow P|_{\mathsf{d} = \mathsf{d} + h}\}, \mathsf{delay\_cm}(cm, h)) \end{aligned}$$

where for an input branch $cm[i] = \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow Q_1\} \rangle$ or an output branch $cm[i] = \langle ch!, g, \{\mathsf{d} \Rightarrow Q_2\} \rangle$ we have, respectively,

$$\begin{aligned} \mathsf{delay\_cm}(cm, h)[i] &= \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow Q_1|_{\mathsf{d} = \mathsf{d} + h}\} \rangle \\ \mathsf{delay\_cm}(cm, h)[i] &= \langle ch!, \{\mathsf{d} \Rightarrow g(\mathsf{d} + h)\}, \{\mathsf{d} \Rightarrow Q_2|_{\mathsf{d} = \mathsf{d} + h}\} \rangle \end{aligned}$$

It is easy to see that $\mathsf{delay}(0, \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm)) = \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm)$. Synchronizing the tail of the shorter side with the delayed interrupt assertion of the longer side gives the new tail assertion. During the waiting, an external interruption from $cm_1$ or $cm_2$ on a channel not in the shared set $chs$ may also occur. Then one side continues as the corresponding assertion recorded in $cm_1$ or $cm_2$, while the other side remains in its (delayed) incomplete interrupt assertion. For this case, the synchronization produces a new communication list composed of two parts, $\mathsf{rel1}(cm_1|_{chs^c}, \mathsf{interrupt}(I_2, e_2, \{\mathsf{d}_2 \Rightarrow P_2\}, cm_2))$ and $\mathsf{rel2}(cm_2|_{chs^c}, \mathsf{interrupt}(I_1, e_1, \{\mathsf{d}_1 \Rightarrow P_1\}, cm_1))$, where $cm_1|_{chs^c}$ and $cm_2|_{chs^c}$ are the lists of communications not in $chs$ extracted from $cm_1$ and $cm_2$. The list functions $\mathsf{rel1}$ and $\mathsf{rel2}$ are defined as follows: if $cm[i] = \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow Q_1\} \rangle$,

$$\begin{aligned} \mathsf{rel1}(cm, R)[i] &= \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{sync}(chs, Q_1, \mathsf{delay}(\mathsf{d}, R))\} \rangle \\ \mathsf{rel2}(cm, R)[i] &= \langle ch?, \{\mathsf{d}, \mathsf{v} \Rightarrow \mathsf{sync}(chs, \mathsf{delay}(\mathsf{d}, R), Q_1)\} \rangle \end{aligned}$$

and if $cm[i] = \langle ch!, g, \{\mathsf{d} \Rightarrow Q_2\} \rangle$,

$$\begin{aligned} \mathsf{rel1}(cm, R)[i] &= \langle ch!, \{\mathsf{d} \Rightarrow g(\mathsf{d})\}, \{\mathsf{d} \Rightarrow \mathsf{sync}(chs, Q_2, \mathsf{delay}(\mathsf{d}, R))\} \rangle \\ \mathsf{rel2}(cm, R)[i] &= \langle ch!, \{\mathsf{d} \Rightarrow g(\mathsf{d})\}, \{\mathsf{d} \Rightarrow \mathsf{sync}(chs, \mathsf{delay}(\mathsf{d}, R), Q_2)\} \rangle \end{aligned}$$

So far we can obtain the following rules:

Note that in the definition of the interrupt assertion, a waiting-time expression that evaluates to a negative value has the same meaning as 0. That is why the rules compare the expression with 0.

In the case where $\mathsf{compat}$ is false, there are three possible scenarios. The first is nondeterministically executing one of the handshakes that could occur, which we represent as $\mathsf{comm}(cm_1, cm_2)$. It is the disjunction of $\mathsf{sync}(chs, Q_1|_{\mathsf{d}_1 = 0, \mathsf{v}_1 = g(0)}, Q_2|_{\mathsf{d}_2 = 0})$ and $\mathsf{sync}(chs, Q_1|_{\mathsf{d}_1 = 0}, Q_2|_{\mathsf{d}_2 = 0, \mathsf{v}_2 = g(0)})$ over all pairs $(i, j)$ satisfying the first or the second of the following conditions, respectively:

$$\begin{aligned} & ch \in chs \land cm_1[i] = \langle ch?, \{\mathsf{d}_1, \mathsf{v}_1 \Rightarrow Q_1\} \rangle \land cm_2[j] = \langle ch!, g, \{\mathsf{d}_2 \Rightarrow Q_2\} \rangle \\ & ch \in chs \land cm_1[i] = \langle ch!, g, \{\mathsf{d}_1 \Rightarrow Q_1\} \rangle \land cm_2[j] = \langle ch?, \{\mathsf{d}_2, \mathsf{v}_2 \Rightarrow Q_2\} \rangle \end{aligned}$$

The second is that if the maximal waiting time $e_1$ or $e_2$ is less than or equal to 0, the corresponding side may immediately pass to its tail assertion. The third is an external interrupt occurring at time 0. Since a handshake over a shared channel is ready on both sides, no further waiting is possible, so the maximal waiting time of the result is 0. We obtain the following rule:

$$\frac{\neg\mathsf{compat}(rdy(cm_1), rdy(cm_2))}{\begin{array}{l} \mathsf{sync}(chs, \mathsf{interrupt}(I_1, e_1, \{\mathsf{d}_1 \Rightarrow P_1\}, cm_1), \mathsf{interrupt}(I_2, e_2, \{\mathsf{d}_2 \Rightarrow P_2\}, cm_2))(s_1 \uplus s_2) \Longrightarrow_a \\ \quad \mathsf{interrupt}(I_1 \uplus I_2, 0, \{\mathsf{d} \Rightarrow \mathsf{comm}(cm_1, cm_2)\ \bar{\lor} \\ \qquad (\uparrow(e_1 \leq 0) \,\bar{\land}\, \mathsf{sync}(chs, P_1|_{\mathsf{d}_1 = 0}, \mathsf{interrupt}(I_2, e_2, \{\mathsf{d}_2 \Rightarrow P_2\}, cm_2)))\ \bar{\lor} \\ \qquad (\uparrow(e_2 \leq 0) \,\bar{\land}\, \mathsf{sync}(chs, \mathsf{interrupt}(I_1, e_1, \{\mathsf{d}_1 \Rightarrow P_1\}, cm_1), P_2|_{\mathsf{d}_2 = 0}))\}, \\ \quad \mathsf{rel1}(cm_1|_{chs^c}, \mathsf{interrupt}(I_2, e_2, \{\mathsf{d}_2 \Rightarrow P_2\}, cm_2))\ @\ \mathsf{rel2}(cm_2|_{chs^c}, \mathsf{interrupt}(I_1, e_1, \{\mathsf{d}_1 \Rightarrow P_1\}, cm_1)))(s_1 \uplus s_2) \end{array}}$$
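The following added example (not HHLPar's own code) executes the bookkeeping behind the two interrupt-interrupt cases on a concrete pair of communication lists: it computes $rdy(cm)$, $\mathsf{compat}$, the index pairs whose handshakes make up $\mathsf{comm}(cm_1, cm_2)$, the external parts $cm|_{chs^c}$ that feed $\mathsf{rel1}$ and $\mathsf{rel2}$, and $\mathsf{delay}(h, \cdot)$ with $\mathsf{delay\_cm}$ on a small closure-based model of interrupt assertions. The representation (a path $I$, a number $e$, and tails and continuations as Python callables returning labelled tuples), the channel names and the numbers in `example()` are assumptions of the example.

```python
"""compat, comm, cm|_{chs^c} and delay from Appendix C on a small assertion model.

Added example, not code from HHLPar.  Assumed representation:
  Interrupt(I, e, tail, cm)   ~ interrupt(I, e, {d ⇒ P}, cm)
    I    : callable t -> state dict (a concrete path standing in for the invariant)
    e    : maximal waiting time
    tail : callable d -> the tail assertion P at time d (any Python value)
    cm   : branches ("?", ch, cont) with cont(d, v), or ("!", ch, g, cont) with
           g(d) the value sent at time d and cont(d) the continuation
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Interrupt:
    I: Callable[[float], dict]
    e: float
    tail: Callable[[float], object]
    cm: list


def delay_cm(cm: list, h: float) -> list:
    """delay_cm(cm, h): every branch now measures its time d from h units later."""
    out = []
    for br in cm:
        if br[0] == "?":
            _, ch, cont = br
            out.append(("?", ch, lambda d, v, cont=cont: cont(d + h, v)))
        else:
            _, ch, g, cont = br
            out.append(("!", ch, lambda d, g=g: g(d + h), lambda d, cont=cont: cont(d + h)))
    return out


def delay(h: float, a: Interrupt) -> Interrupt:
    """delay(h, interrupt(I, e, {d ⇒ P}, cm)) = interrupt(I|t=t+h, e-h, {d ⇒ P|d=d+h}, delay_cm(cm, h))."""
    return Interrupt(lambda t: a.I(t + h), a.e - h, lambda d: a.tail(d + h), delay_cm(a.cm, h))


def rdy(cm: list) -> set:
    """rdy(cm): the communication ends the assertion is ready for, as tokens "ch?" / "ch!"."""
    return {br[1] + br[0] for br in cm}


def compat(rdy1: set, rdy2: set, chs) -> bool:
    return not any((ch + "!" in rdy1 and ch + "?" in rdy2) or
                   (ch + "?" in rdy1 and ch + "!" in rdy2) for ch in chs)


def comm_pairs(chs, cm1: list, cm2: list) -> List[Tuple[int, int]]:
    """Index pairs (i, j) of the handshakes that make up comm(cm1, cm2)."""
    return [(i, j) for i, b1 in enumerate(cm1) for j, b2 in enumerate(cm2)
            if b1[1] == b2[1] and b1[1] in chs and {b1[0], b2[0]} == {"?", "!"}]


def external(chs, cm: list) -> list:
    """cm|_{chs^c}: the branches on channels outside the shared set (input of rel1 / rel2)."""
    return [br for br in cm if br[1] not in chs]


def example() -> dict:
    chs = {"ch"}
    # Left side: may receive on the shared channel ch or send on an external channel ext.
    cm1 = [("?", "ch", lambda d, v: ("Q1", d, v)),
           ("!", "ext", lambda d: 10 * d, lambda d: ("Q2", d))]
    # Right side: may send on ch; the value sent at time d is 2 * d.
    cm2 = [("!", "ch", lambda d: 2 * d, lambda d: ("Q3", d))]
    left = Interrupt(lambda t: {"x": t}, 5.0, lambda d: ("P", d), cm1)
    # Both ends of ch are ready, so the ¬compat rule applies: a handshake at time 0
    # on the pair (cm1[0], cm2[0]), or an external event taken from cm1|_{chs^c}.
    pairs = comm_pairs(chs, cm1, cm2)
    # If instead the right side only waited (compat would hold), the left side is
    # delayed by the right side's waiting time; delay() realises that shift.
    shifted = delay(1.5, left)
    return {
        "compat": compat(rdy(cm1), rdy(cm2), chs),
        "handshakes": pairs,
        "external1": [br[1] for br in external(chs, cm1)],
        "external2": [br[1] for br in external(chs, cm2)],
        "delayed_e": shifted.e,                       # e - h
        "delayed_path": shifted.I(0.0),               # I|t=t+h at t = 0
        "delayed_tail": shifted.tail(0.5),            # P|d=d+h at d = 0.5
        "delayed_in": shifted.cm[0][2](0.5, 7),       # input continuation shifted by h
        "delayed_out_value": shifted.cm[1][2](0.5),   # g(d + h) for the external output
        "delay0_is_identity": delay(0.0, left).tail(3.0) == left.tail(3.0)
                              and delay(0.0, left).cm[1][2](2.0) == cm1[1][2](2.0),
    }
```

`delayed_out_value` is `g(0.5 + 1.5)`, which is what $\mathsf{delay\_cm}$ prescribes for an output branch: the value sent after the shifted assertion has waited $\mathsf{d}$ is the value the original would have sent at $\mathsf{d} + h$.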

While synchronizing an interrupt assertion with an init assertion (representing the termination of one side), we have to consider whether an external interrupt occurs at time 0 and whether the interrupt assertion passes to its tail assertion at once. Thus, we have the rule:

$$\frac{}{\begin{array}{l} \mathsf{sync}(chs, \mathsf{interrupt}(I, e, \{\mathsf{d} \Rightarrow P\}, cm), \mathsf{init})(s_1 \uplus s_2) \Longrightarrow_a \\ \quad \mathsf{interrupt}(I \uplus \mathsf{id\_inv}, 0, \{\mathsf{d} \Rightarrow \uparrow(e \leq 0) \,\bar{\land}\, \mathsf{sync}(chs, P|_{\mathsf{d} = 0}, \mathsf{init})\}, \mathsf{rel\_init1}(cm|_{chs^c}, \mathsf{init}))(s_1 \uplus s_2) \end{array}}$$

The list function $\mathsf{rel\_init1}$ is obtained from $\mathsf{rel1}$ by replacing $\mathsf{delay}(\mathsf{d}, R)$ with $\mathsf{init}$.

Synchronization involving recursive assertions is typically very complex, often requiring inductive analysis tailored to the specific case. Here we only provide the rule for one specific scenario, which suffices for the automated implementation:

$$\frac{\begin{array}{c} \forall s_0\, Q.\ \mathsf{sync}(chs, P_1, F_2(Q))(s_0) \Longrightarrow_a \mathsf{false}(s_0) \qquad \forall s_0\, Q.\ \mathsf{sync}(chs, F_1(Q), P_2)(s_0) \Longrightarrow_a \mathsf{false}(s_0) \\ \forall s_0.\ \mathsf{sync}(chs, P_1, P_2)(s_0) \Longrightarrow_a P(s_0) \qquad \forall s_0\, Q_1\, Q_2.\ \mathsf{sync}(chs, F_1(Q_1), F_2(Q_2))(s_0) \Longrightarrow_a F(\mathsf{sync}(chs, Q_1, Q_2))(s_0) \end{array}}{\mathsf{sync}(chs, \mathsf{Rec}\, R_1.\ P_1 \,\bar{\lor}\, F_1(R_1), \mathsf{Rec}\, R_2.\ P_2 \,\bar{\lor}\, F_2(R_2))(s_0) \Longrightarrow_a (\mathsf{Rec}\, R.\ P \,\bar{\lor}\, F(R))(s_0)} \ \mathsf{Rec}$$

The first two conditions state that if one side loops while the other does not, synchronization results in false. The third condition specifies the result when neither side loops. The last condition states that if both sides loop, the synchronization of one iteration on each side is one iteration $F$ of the result. Meeting all four conditions yields a new recursive assertion. This requires the same number of iterations on both sides, with each iteration starting and ending simultaneously on the two sides.

## **Complement Property Verification Rules**

### **D.1**

In this section we give property verification rules for other assertions. For pure assertion, we have:

$$\frac{p(s_0) \land b(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow (s, tr) \models Post}{p(s_0) \longrightarrow (s_0, s, tr) \models (\uparrow b \bar{\land} Q) \longrightarrow (s, tr) \models Post}$$

For substitution, we have:

$$\frac{\forall s_0 \, s \, tr. \, (\exists v. \, p[v/x] \land x = e[v/x])(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow (s, tr) \models Post}{p(s_0) \longrightarrow (s_0, s, tr) \models Q[x := e] \longrightarrow (s, tr) \models Post}$$

As shown in this rule, we change the initial state from  $s_0$  to  $s_0[x \mapsto e]$ , thus the precondition p needs to be rewritten on the new state while maintaining the equivalence. For disjunction, we have:

$$\begin{array}{c} p(s_0) \longrightarrow (s_0, s, tr) \models Q_1 \longrightarrow (s, tr) \models Post \\ p(s_0) \longrightarrow (s_0, s, tr) \models Q_2 \longrightarrow (s, tr) \models Post \\ \hline p(s_0) \longrightarrow (s_0, s, tr) \models Q_1 \bar{\vee} Q_2 \longrightarrow (s, tr) \models Post \end{array}$$

For recursion assertion, we have:

$$\begin{array}{c} \forall s.\ p(s) \longrightarrow loop(s) \\ \forall s_0\, s\, tr.\ loop(s_0) \longrightarrow (s_0, s, tr) \models P \longrightarrow (s, tr) \models Post \\ \forall Q\, s_0\, s\, tr.\ (\forall s_0\, s\, tr.\ loop(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow (s, tr) \models Post) \longrightarrow loop(s_0) \longrightarrow (s_0, s, tr) \models F(Q) \longrightarrow (s, tr) \models Post \\ \hline p(s_0) \longrightarrow (s_0, s, tr) \models (\text{Rec } R.\ P \overline{\lor} F(R)) \longrightarrow (s, tr) \models Post \end{array}$$

where we need to provide a loop invariant $loop$ and prove three conditions for $loop$ to be an invariant. The first two conditions state that the precondition implies the loop invariant and that the base assertion $P$ implies the postcondition under the invariant. The intuitive meaning of the last one is that, for any assertion $Q$, if $Q$ satisfies property $Post$ under the loop invariant $loop$, then so does $F(Q)$. From this condition, we can extend the property to the general recursion $\text{Rec } R.\ P \overline{\lor} F(R)$: since one loop round corresponds to one application of $F$ to the assertion $P$, if we can prove that $F(Q)$ satisfies $Post$ whenever $Q$ already does, then by induction $F^n(P)$ satisfies $Post$ for any natural number $n$ of loop rounds.

### **D.2**

In this section we give the details of the proof procedure for the example in Sect. 6.

According to the rule for recursion assertion, there are three premises to be checked:

$$\forall s.\ p(s) \longrightarrow loop(s) \tag{1}$$

$$\forall s_0\ s\ tr.\ loop(s_0) \longrightarrow (s_0, s, tr) \models \mathsf{init} \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2) \tag{2}$$

$$\forall Q\, s_0\, s\, tr.\ (\forall s_0\, s\, tr.\ loop(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow q_1(s) \wedge \mathsf{trl}(tr, q_2)) \longrightarrow loop(s_0) \longrightarrow (s_0, s, tr) \models \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d} \Rightarrow Q[x := x + 1]\}) \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2) \tag{3}$$

(1) is obvious, and (2) is proved by the rule for init together with the trivial fact $\forall s.\ loop(s) \longrightarrow q_1(s)$. To prove (3), we take (3a) as the assumption and need to deduce (3b):

$$\forall s_0\ s\ tr.\ loop(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2) \tag{3a}$$

$$loop(s_0) \longrightarrow (s_0, s, tr) \models \mathsf{wait}(\mathsf{id}, 1, \{\mathsf{d} \Rightarrow Q[x := x + 1]\}) \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2) \tag{3b}$$

By applying the rule for wait to (3b), we obtain the following two conditions. The first one:

$$loop(s_0) \land 1 > 0 \land t \ge 0 \land t \le 1 \longrightarrow s = s_0 \longrightarrow q_2(s)$$

is also obvious. The second one is:

$$loop(s_0) \land 1 > 0 \longrightarrow (s_0, s, tr) \models Q[x := x + 1] \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2)$$

By the rule for substitution, we have to prove for all  $s_0, s, tr$ :

$$(\exists v. loop[v/x] \land 1 > 0 \land x = v+1)(s_0) \longrightarrow (s_0, s, tr) \models Q \longrightarrow q_1(s) \land \mathsf{trl}(tr, q_2)$$

To make use of the assumption (3a), we need to prove:

$$\forall s. \ (\exists v. \ loop[v/x] \land 1 > 0 \land x = v+1)(s) \longrightarrow loop(s)$$

which states that the loop invariant is preserved by one round of the loop (here, by the assignment $x := x + 1$). This formula also clearly holds. Hence, the property of this process is proved.
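The inductive argument of D.1 (from $F(Q)$ preserving $Post$ to $F^n(P)$) and the concrete obligations of D.2 (init meets $Post$, $q_2$ holds while waiting, and $loop$ is preserved by $x := x + 1$) can be exercised on a finite state range. The following is an added example, not HHLPar code: it assumes a simplified semantics in which a state is a dict holding only `x`, a trace is a list of unit wait segments, and the concrete choices `p`, `q1`, `q2` are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Trace = List[Tuple[int, State]]                     # wait segments (duration, state)
Assertion = Callable[[State, State, Trace], bool]   # (s0, s, tr) |= Q

def init(s0: State, s: State, tr: Trace) -> bool:
    """Base assertion: terminate at once in s0 with an empty trace."""
    return s == s0 and tr == []

def F(Q: Assertion) -> Assertion:
    """One round wait(id, 1, {d => Q[x := x+1]}): a unit wait in s0, then Q from s0[x := x+1]."""
    return lambda s0, s, tr: (bool(tr) and tr[0] == (1, s0)
                              and Q({**s0, "x": s0["x"] + 1}, s, tr[1:]))

def unfold(n: int) -> Assertion:
    """F^n(init): the n-th unfolding of Rec R. init v F(R)."""
    Q = init
    for _ in range(n):
        Q = F(Q)
    return Q

def outcome(n: int, s0: State) -> Tuple[State, Trace]:
    """The unique (s, tr) reached from s0 after n rounds (the process is deterministic)."""
    s, tr = dict(s0), []
    for _ in range(n):
        tr.append((1, dict(s)))
        s = {**s, "x": s["x"] + 1}
    return s, tr

# Constructed instance (assumption): precondition x = 0, q1 and q2 both x >= 0.
def p(s: State) -> bool:  return s["x"] == 0
def q1(s: State) -> bool: return s["x"] >= 0
def q2(s: State) -> bool: return s["x"] >= 0
def post(s: State, tr: Trace) -> bool:              # q1(s) and trl(tr, q2)
    return q1(s) and all(q2(st) for _, st in tr)

def check_recursion_rule(loop: Callable[[State], bool], bound: int = 6) -> bool:
    """Bounded check of premises (1)-(3) for a candidate invariant, then of the conclusion."""
    states = [{"x": x} for x in range(-bound, bound + 1)]
    for s0 in states:
        if p(s0) and not loop(s0):                          # (1) p -> loop
            return False
        if loop(s0) and not post(*outcome(0, s0)):          # (2) init meets Post under loop
            return False
        if loop(s0) and not q2(s0):                         # (3) wait rule: q2 holds while waiting
            return False
        if loop(s0) and not loop({**s0, "x": s0["x"] + 1}): # (3) substitution: loop preserved
            return False
    # conclusion: every unfolding F^n(init) from a state satisfying p meets Post
    return all(unfold(n)(s0, *outcome(n, s0)) and post(*outcome(n, s0))
               for s0 in states if p(s0) for n in range(bound))
```

With `loop` chosen as `x >= 0` all obligations pass, whereas `0 <= x <= 3` satisfies (1) and (2) but fails preservation at `x = 3`, which is exactly the step the substitution rule exposes.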