PERMISSION-BASED SEPARATION LOGIC FOR MESSAGE-PASSING
CONCURRENCY

ADRIAN FRANCALANZA, JULIAN RATHKE, AND VLADIMIRO SASSONE

ICT, University of Malta
e-mail address: adrian.francalanza@um.edu.mt

ECS, University of Southampton, UK
e-mail address: jr2@ecs.soton.ac.uk

ECS, University of Southampton, UK
e-mail address: vs@ecs.soton.ac.uk

ABSTRACT. We develop local reasoning techniques for message passing concurrent programs based on ideas from separation logics and resource usage analysis. We extend processes with permission-resources and define a reduction semantics for this extended language. This provides a foundation for interpreting separation formulas for message-passing concurrency. We also define a sound proof system permitting us to infer satisfaction compositionally using local, separation-based reasoning.

1. Introduction

Reasoning about concurrent programs is widely acknowledged to be a difficult business, due to the intricate interferences between threads scheduled non-deterministically and to the intrinsic difficulty of scaling reasoning techniques to account for these. The use of local reasoning techniques in the guise of separation logic [31] represents a promising advance for this area. Here, the state of the resources acted upon by threads is reasoned about independently, where possible. This approach has spawned numerous papers [8, 6, 41, 12, 17, 32, 11] targeting the shared-variable concurrency model.

An alternative, albeit slightly higher-level, model of concurrency is that of message-passing, whereby the only shared resources allowed are the message-passing channels themselves. Access to these shared resources is controlled by the message-passing programming interface, and so interfering behaviour is more explicit and can therefore be tracked more readily. This paradigm has been extensively studied using process calculi [23, 29, 30, 37] but has also been efficiently implemented and deployed in more programming-oriented settings [18, 35, 3].

In this paper we develop a local reasoning proof system for message-passing concurrent programs, based on ideas from both concurrent separation logics [31] and permission-based resource analyses [7, 6]. Our initial step towards the broader and ambitious goal of local reasoning for message-passing systems focuses on the study of confluent value-passing programs, a class large enough to present a significant theoretical challenge while still being of considerable practical interest.

Our approach to using processes as a model for separation-based Hoare-style reasoning centers around the conceptual partitioning of message-passing programs into ‘program state’, i.e., the values emitted on asynchronous outputs, and ‘program code’, i.e., the remaining parallel processes acting on this state. For instance, one way to view the program

\[ c_1!4 \ \parallel \ c_2!2 \ \parallel \ c_1?x.c_2?y.\, \text{if } x = y \text{ then } (c_1!(x, x+x) \parallel d!) \text{ else } (c_2!(x, y, x+y) \parallel d!) \] (1.1)

would be to consider the asynchronous outputs

\[ c_1!4 \ || \ c_2!2 \] (1.2)

as the ‘state’, holding values 4 and 2 at ‘addresses’ \(c_1\) and \(c_2\) and the process

\[ c_1?x.c_2?y. \text{if } x = y \text{ then } (c_1!(x, x+x)||d!) \text{ else } (c_2!(x, y, x+y)||d!) \] (1.3)

as the ‘code’, or state transformer, consuming the values on channels \(c_1\) and \(c_2\) and producing a new state holding the previous values consumed from \(c_1\) and \(c_2\) together with their summation on either of the previously used channels \(c_1\) and \(c_2\), depending on whether these values were equal or not, and signals on channel \(d\). Using such an analogy, we can decompose our analysis and reason about sub-programs independently. We can interpret assertions over processes such as

\[ c_1(4) \ast c_2(2) \] (1.4)

This assertion, a conjunction, describes a process reducing to a ‘soup’ of two asynchronous outputs on channels \(c_1\) and \(c_2\), holding values 4 and 2, respectively; the process in (1.2) would satisfy this assertion. This state-based process view also permits an intuitive formulation of Hoare-style sequents of the form

\[ \{c_1(4) \ast c_2(2)\} \implies \{c_2(4, 2, 6) \ast d()\} \] (1.5)

Such a sequent describes a process that, once composed with the state described by the precondition \(c_1(4) \ast c_2(2)\), reduces to some other stable state described by the postcondition \(c_2(4, 2, 6) \ast d()\), with values 4, 2, 6 on channel \(c_2\) and an empty tuple on channel \(d\) acting as a signal, indicating that the data on channel \(c_2\) can now be accessed; the process in (1.3) would satisfy this sequent. In compositional fashion, we can then determine that the entire program of (1.1) reduces to a stable state satisfying \(c_2(4, 2, 6) \ast d()\) from separate analyses relating to the two sub-programs.

This state-based logical view of processes lends itself well to the specification of deterministic computation whose operation can be decomposed into asynchronous parallel subcomponents. Application examples range from parallel processing of data, [25], to distributed agreement problems, [28]. State-based specifications would allow a more natural expression of the expected behaviour of these algorithms because they are agnostic wrt the specific temporal order of the generation and consumption of this state. For instance, as opposed to temporal logics such as [38], the formula (1.4) does not specify whether the sub-state \(c_1(4)\) is to be produced before \(c_2(2)\) or vice-versa. Dually, sequents such as (1.5) do not necessarily specify if and how this data on channels is to be consumed. The temporal agnosticism in ‘spatial’ specifications is also more amenable to intuitive decompositions and composition of analysis; we can verify that a process \(P\) satisfies the formula (1.4) from sub-processes making up \(P\) that satisfy \(c_1(4)\) and \(c_2(2)\).

The state-based logical process view is also appealing because the specifications of the algorithms we are considering are also, in some sense, more data-centric rather than control-centric and focus more on the relationships between data at the beginning and the end of computation. One
can in fact view the sequent in (1.5) as a description on how the data on channels $c_1$ and $c_2$ in the precondition changes to the data on $c_2$ in the postcondition; the dependencies between such data will be made more explicit later on once we introduce value variables. Finally, data-centric applications such as in-place sorting also tend to reuse data-placeholders during computation, possibly at different types and formats e.g., the code in (1.3), in order to minimise resource usage. Correctness specifications such as the sequent in (1.5) handle this aspect rather naturally as opposed to traditional correctness analysis for message passing programs, such as type systems in [5, 39], which often limit channel usage to one form of data.

A central assumption underlying our process interpretations is the absence of program interference and the deterministic reduction of processes. In a message-passing paradigm, program interference is caused by races for values, through multiple outputs or inputs competing for shared channels. In cases such as (1.1) above, where channels are reused, rudimentary analyses based on the free names of processes, e.g., $\{c_1\}$, are too coarse for adequate race detection. Moreover, type-based safety analyses such as [5, 39] tend to avoid reasoning about data, and as a result only approximate control over branching.

To reason about such interferences in the presence of channel reuse, we define a resource-semantics for processes, based on linear input and output permissions. Every process is embellished with a set of permissions, $[P]_\rho$, denoting that process $P$ ‘owns’ the permissions in set $\rho$ (cf. ownership hypothesis, [31]). The resource-semantics limits communication to the permissions owned by a process. Thus, for example, for the following reduction to occur

$$[c_1!4]_\rho \parallel [c_1?x.P]_\mu \rightarrow [P[4/x]]_{\rho \cup \mu} \tag{1.6}$$

the output process, $c_1!4$, (resp. the input process, $c_1?x.P$), must have the permission to output (resp. to input) on channel $c_1$ in its permission-set $\rho$ (resp. $\mu$). Since permissions are not part of the original process semantics (they are only added in the resource-semantics to aid reasoning) the above enriched reduction also describes the implicit transfer of permissions $\rho$ from the output process, $c_1!4$, to the input process, $c_1?x.P$, i.e., adding $\rho$ to the already owned permissions $\mu$, as a result of their synchronisation (cf. ownership transfer [31]).

The earlier sequent (1.5) can now be stated in terms of the process of (1.3) confined by the permissions $\downarrow c_1$, $\downarrow c_2$ and $\uparrow d$, as shown in (1.7).

$$\{c_1(4) \ast c_2(2)\}\ \bigl[\,c_1?x.c_2?y.\, \text{if } x = y \text{ then } (c_1!(x, x+x) \parallel d!) \text{ else } (c_2!(x, y, x+y) \parallel d!)\,\bigr]_{\{\downarrow c_1,\ \downarrow c_2,\ \uparrow d\}}\ \{c_2(4, 2, 6) \ast d()\} \tag{1.7}$$

Note how channel reuse manifests itself through the fact that our permission-confined process in (1.7) does not own the output permissions $\uparrow c_1$ and $\uparrow c_2$, even though they are clearly used in this code. These will instead be obtained from the precondition; from a permission perspective, the inputs on channels $c_1$ and $c_2$ act as guards, masking the use of the permissions $\uparrow c_1$ and $\uparrow c_2$.

Making ownership explicit also simplifies the detection of races in the model and provides an immediate notion of process separation in terms of owned permissions. For instance, in (1.6) we determine that there are no races across the two processes $[c_1!4]_\rho$ and $[c_1?x.P]_\mu$ without having to analyse the actual structure of the respective confined processes $c_1!4$ and $c_1?x.P$: instead we simply check that their permission sets are disjoint, i.e., $\rho \cap \mu = \emptyset$ (cf. separation property [31]). This assumed disjointness of permissions will also play a major role in the semantic definition of (1.7), as it allows us to give a separation interpretation to our sequents.
Another pleasing property of this embellishment is that, in the absence of races, this resource-semantics corresponds to the standard (permission-less) reduction semantics. Thus the permission semantics can be used as a narrative to support reasoning about confluent reductions of processes. This therefore means that we can abstract over the existence of such a narrative in our sequents and express (1.7) simply as the permission-less sequent in (1.8), thereby returning to our original aim and obtaining Hoare-triple specifications in terms of processes.

We define a sound proof system for the aforementioned logic and resource-confined processes with judgements of the form:

$$\Gamma; b \vdash \{\varphi\} S \{\psi\}$$

The environment, $\Gamma$, associates channels with ownership transfer invariants of permissions, and $S$ denotes a system of processes confined by permissions. These sequents depart slightly from previous work on concurrent separation logic [31], as value-domain assertions - assertions interpreted exclusively in terms of the domain of values communicated and thus independent of the process structure, $S$ - are extracted from the pre and post-conditions, $\varphi$ and $\psi$, and consolidated as a boolean expression, $b$. Correctness proofs in this proof system weave together two inter-dependent mechanisms. On the one hand, they verify, in sequential fashion, the satisfaction of the post-condition $\psi$ for system $S$, assuming the precondition $\varphi$; the soundness of this sequential analysis stems from the non-interference properties guaranteed by the resource semantics of $S$. On the other hand, sequents construct race-free systems $S$, using assumptions from the environment, $\Gamma$, and the pre-condition, $\varphi$.

We have already argued for the naturalness of our specifications wrt. deterministic message-passing programs and for how our analysis can handle more refined branching control analysis, even when this is data dependent as in (1.1). Another, perhaps even more crucial, advantage of our approach over existing analysis techniques for message-passing concurrency (e.g., [22, 2, 14]) is locality of reasoning. By concentrating on deterministic code, our reasoning need not take into account the different interleavings of concurrent code executing in context; this substantially facilitates proof compositionality and induces a lightweight sequential form of analysis. Explicit permission ownership simplifies interference delineation, even in the presence of channel reuse; such delineation is a major obstacle when defining manageable compositional proof rules (e.g., [14]).

The paper is structured as follows. We introduce our language in Section 2. In Section 3 we define a resource-semantics for permission-confined processes and state its key properties. We define our assertion logic and interpret it using a separation model over confined processes in Section 4. In Section 5 we present our proof system and declare its soundness whereas in Section 6 we apply this system to prove properties about message-passing programs. Finally, in Section 7 we make concluding remarks regarding related and future work.

2. Language

Our language, an asynchronous value-passing CCS, is described in Figure 1 and consists of three syntactic categories. Values, $v, u \in \text{Values}$, are numerals denoting integers. Side-effect free expressions, $e$, denote integer operations that may contain variables $x, y \in \text{Vars}$. We assume an evaluation function from closed expressions to values, $e \Downarrow v$. We also assume a denumerable set of channel names $c, d \in \text{Names}$ and process names $K \in \text{PNames}$, and denote lists of values, variables and channels as $\vec{v}$, $\vec{x}$ and $\vec{c}$ respectively.

Values, Expressions, Boolean Expressions and Processes

\[
\begin{aligned}
v, u & ::= 0 \mid 1 \mid \ldots \\
e & ::= v \mid x \mid e + e \mid e - e \\
b & ::= e \leq e \mid \neg b \mid b \land b \\
P, Q & ::= c!\vec{e} \mid c?\vec{x}.P \mid \text{if } b \text{ then } P \text{ else } Q \mid K(\vec{e})[\vec{c}/\vec{d}] \mid \text{nil} \mid P \parallel Q \mid (\text{new } c)P
\end{aligned}
\]

Structural Equivalence Rules

\[
\begin{aligned}
\text{sCom} & \quad P \parallel Q \equiv Q \parallel P \\
\text{sAss} & \quad P \parallel (Q \parallel R) \equiv (P \parallel Q) \parallel R \\
\text{sNew} & \quad (\text{new } c)\text{nil} \equiv \text{nil} \\
\text{sExt} & \quad P \parallel (\text{new } c)Q \equiv (\text{new } c)(P \parallel Q) \quad \text{if } c \notin \text{fn}(P)
\end{aligned}
\]

Reduction Rules

\[
\begin{aligned}
\text{rThn} & \quad \frac{b \Downarrow \text{tt}}{\text{if } b \text{ then } P \text{ else } Q \rightarrow P}
& \text{rEls} & \quad \frac{b \Downarrow \text{ff}}{\text{if } b \text{ then } P \text{ else } Q \rightarrow Q} \\[1ex]
\text{rCom} & \quad \frac{\vec{e} \Downarrow \vec{v}}{c!\vec{e} \parallel c?\vec{x}.P \rightarrow P[\vec{v}/\vec{x}]}
& \text{rPrc} & \quad \frac{K(\vec{x}) \triangleq P \qquad \vec{e} \Downarrow \vec{v}}{K(\vec{e})[\vec{c}/\vec{d}] \rightarrow P[\vec{v}/\vec{x}][\vec{c}/\vec{d}]} \\[1ex]
\text{rRes} & \quad \frac{P \rightarrow P'}{(\text{new } c)P \rightarrow (\text{new } c)P'}
& \text{rPar} & \quad \frac{P \rightarrow P'}{P \parallel Q \rightarrow P' \parallel Q} \\[1ex]
\text{rStr} & \quad \frac{P \equiv P' \rightarrow Q' \equiv Q}{P \rightarrow Q}
\end{aligned}
\]

Figure 1: Processes, Structural Equivalence and Reduction

2.1. Syntax. The main syntactic category is that of processes, which can asynchronously send the evaluation of expressions on a channel, \(c!\vec{e}\), receive values on a channel, \(c?\vec{x}.P\), and branch on the evaluation of boolean expressions, \(\text{if } b \text{ then } P \text{ else } Q\). Processes may assume a number of parameterised (possibly recursive) process definitions, \(K(\vec{x}) \triangleq P\); these can be invoked by the call \(K(\vec{e})[\vec{c}/\vec{d}]\), instantiating the variables \(\vec{x}\) of the definition with the evaluation of \(\vec{e}\) and renaming the names \(\vec{d}\) used in its body to \(\vec{c}\). Finally, processes may also be inactive, \(\text{nil}\), execute in parallel, \(P \parallel Q\), and can restrict the scope of channels to subsets of processes, \((\text{new } c)P\).

2.2. Reduction Semantics. The rules for the judgement \(P \rightarrow Q\) in Figure 1 describe the dynamics of closed processes, i.e., processes whose message variables \(\vec{x}\) are all bound by input constructs \(c?\vec{x}\) and whose process names are all defined. Closed boolean expressions, i.e., boolean formulas without free variables, have a classical interpretation over the boolean domain \(\{\text{tt}, \text{ff}\}\), characterised by the two judgements \(b \Downarrow \text{tt}\) and \(b \Downarrow \text{ff}\). Although this is entirely standard, we state it explicitly in Definition 2.1 because of its central role in the subsequent development (cf. Section 5).

Footnote: Our language does not allow channel names to be communicated, as in the π-calculus [30, 37].
Definition 2.1 (Boolean Condition Interpretation).
\[
\begin{aligned}
e_1 \leq e_2 \Downarrow \text{tt} &\quad \text{if } e_1 \Downarrow v_1,\ e_2 \Downarrow v_2 \text{ and } v_1 \leq v_2 \\
e_1 \leq e_2 \Downarrow \text{ff} &\quad \text{if } e_1 \Downarrow v_1,\ e_2 \Downarrow v_2 \text{ and } v_2 < v_1 \\
\neg b \Downarrow \text{tt} &\quad \text{if } b \Downarrow \text{ff} \\
\neg b \Downarrow \text{ff} &\quad \text{if } b \Downarrow \text{tt} \\
b_1 \land b_2 \Downarrow \text{tt} &\quad \text{if } b_1 \Downarrow \text{tt} \text{ and } b_2 \Downarrow \text{tt} \\
b_1 \land b_2 \Downarrow \text{ff} &\quad \text{if } b_1 \Downarrow \text{ff} \text{ or } b_2 \Downarrow \text{ff}
\end{aligned}
\]

A number of shorthand conventions are used. We write \(c!\) for \(c!\vec{e}\) and \(c?.P\) for \(c?\vec{x}.P\) when \(|\vec{e}| = 0\) (resp. \(|\vec{x}| = 0\)). We elide arguments and renaming from process calls, writing \(K[\vec{c}/\vec{d}]\) and \(K(\vec{e})\) respectively, whenever these are empty lists. We also write \(e_1 = e_2\) for \((e_1 \leq e_2) \land (e_2 \leq e_1)\), \(e_1 < e_2\) for \(\neg(e_2 \leq e_1)\), \(\text{true}\) for \(0 \leq 1\), \(\text{false}\) for \(1 \leq 0\), \(b_1 \lor b_2\) for \(\neg(\neg b_1 \land \neg b_2)\) and \(b_1 \Rightarrow b_2\) for \(\neg b_1 \lor b_2\). Finally, we use the shorthand \(\vec{e} \Downarrow \vec{v}\) for the evaluation of lists of expressions \(e_1 \Downarrow v_1, \ldots, e_n \Downarrow v_n\) whenever \(\vec{e} = e_1 \ldots e_n\) and \(\vec{v} = v_1 \ldots v_n\).

Substitutions, \(\sigma \in \text{Sub}\), are total maps from variables to values, \(\text{Vars} \rightarrow \text{Values}\), and are used to define the semantics of rules \(\text{rCom}\) and \(\text{rPrc}\). They are finitely denoted as \([\vec{v}/\vec{x}]\), meaning that every \(x_i \in \vec{x}\) is mapped to its respective \(v_i \in \vec{v}\), while abstracting over all the other variable mappings in the substitution. In the case of \(\text{rPrc}\) only, we abuse this notation to express the renaming of \(\vec{d}\) to \(\vec{c}\), \([\vec{c}/\vec{d}]\). In Section 5 we abuse this notation again to describe substitutions from variables to expressions, \([\vec{e}/\vec{x}]\). Our semantics assumes the following property of expression evaluation, which will be useful later in Section 5.

Assumption 2.2. \(e_1[\vec{e}/\vec{x}] \Downarrow v_1\) and \(\vec{e} \Downarrow \vec{v}\) implies \(e_1[\vec{v}/\vec{x}] \Downarrow v_1\)

A brief note on some conventions used. To improve readability we have attempted to minimise the use of universal and existential quantifiers in our statements. Thus, unless explicitly stated, free variables introduced to the left of an implication are to be understood as universally quantified, whereas free variables introduced to the right of an implications are understood as existentially quantified.

As is standard in process calculi presentations [30, 37], the definition of the reduction semantics is kept compact through the rule \(\text{rStr}\) and the use of process structural equivalence rules, \(P \equiv Q\), also defined in Figure 1. Later on, this structural equivalence will play a role in abstracting away from the precise structure of processes when describing the satisfaction of our logic (cf. Section 4).

2.3. Process Determinism. The reduction semantics of Figure 1 induces the following definitions relating to stability, evaluation and determinism, where \(\rightarrow^*\) denotes the reflexive transitive closure of \(\rightarrow\).

Definition 2.3 (Stability). \(P \not\rightarrow \ \triangleq\ \neg\exists Q.\ P \rightarrow Q\)

Definition 2.4 (Evaluation). \(P \Downarrow Q \ \triangleq\ P \rightarrow^* Q \text{ and } Q \not\rightarrow\)

Our definition of process determinism, Definition 2.6 differs from that given in \([29]\) in that it requires convergence, \(P \downarrow\), cf. Definition 2.5. We also define divergence, as the dual of convergence in standard fashion, in order to describe the existence of an infinite reduction path. Defining determinism in terms of convergence carries other advantages apart from the obvious relevance of termination in resource-aware settings of computation; it arguably allows for a more intuitive definition of determinism in terms of the comparison of the stable processes evaluated to (the second clause in Definition 2.6). Moreover, it fits well with our running theme of a state-based view of processes.
Definition 2.5 (Convergence and Divergence). \( P \Downarrow \) is the least predicate over processes satisfying the condition:

\[
P \Downarrow \quad \text{iff} \quad P \not\rightarrow \ \text{ or } \ (\forall Q.\ P \rightarrow Q \text{ implies } Q \Downarrow)
\]

Divergence, \( P \Uparrow \), denotes its negation, \( P \not\Downarrow \).

Definition 2.6 (Determinism). \( P \) is deterministic iff:

1. \( P \Downarrow \)
2. \( P \Downarrow Q_1 \) and \( P \Downarrow Q_2 \) implies \( Q_1 \equiv Q_2 \)

Concurrent code is notoriously hard to analyse. One major source of complication is the potential non-deterministic behaviour of this code, which impacts the ability to tractably define manageable compositional proof rules (e.g., [14]). More precisely, generic non-deterministic code requires one to take into account the various interleaving of concurrent code executing in its context potentially affecting its execution.

Although message passing concurrency minimises this interference to well defined interfaces, problems persist due to races on shared channels. Channel reuse together with the lack of an explicit account of resource usage makes interference hard to delineate.

Example 2.7. The (composite) process \( \text{Prg} \) takes two inputs \( x_1, x_2 \) on channels \( c_1, c_2 \) respectively. It discards \( x_2 \) and, if \( x_1 \) is less than 10, outputs the value \( x_1 \) itself together with its double on \( c_1 \) while using \( c_4 \) as a signal. Otherwise, it uses \( c_4 \) to output \( x_1 \) by itself.

\[
\begin{aligned}
\text{Prg} &\triangleq (\text{new } c_3)(\text{Fltr} \parallel \text{Dbl}) \\
\text{Dbl} &\triangleq c_3?x_4.\, c_1!(x_4 + x_4) \\
\text{Fltr} &\triangleq c_1?x_1.\, c_2?x_2.\, \text{if } x_1 \leq 9 \text{ then } \bigl(c_3!x_1 \parallel c_1?x_3.(c_1!(x_1, x_3) \parallel c_4!)\bigr) \text{ else } c_4!x_1
\end{aligned}
\]

Internally, \( \text{Prg} \) is composed of two sub-processes, \( \text{Fltr} \) and \( \text{Dbl} \), sharing a scoped channel, \( c_3 \). Process \( \text{Fltr} \) filters whether \( x_1 \) is less than 10 and forwards the value to process \( \text{Dbl} \) on channel \( c_3 \), which, in turn, reuses channel \( c_1 \) to return the doubled value.

The process \( \text{Prg} \) trivially converges as it is stable. When placed in the context of race-free outputs such as \( c_1!v_1 \parallel c_2!v_2 \), \( \text{Prg} \) still converges and evaluates deterministically to

\[
\text{Prg} \parallel c_1!v_1 \parallel c_2!v_2 \Downarrow c_4! \parallel c_1!(v_1, 2 \times v_1)
\]

when \( v_1 \leq 9 \), and

\[
\text{Prg} \parallel c_1!v_1 \parallel c_2!v_2 \Downarrow c_4!v_1 \parallel (\text{new } c_3)(c_3?x_4.\, c_1!(x_4 + x_4))
\]

when \( v_1 > 9 \).

On the other hand, races on, for example, channel \( c_1 \) make \( \text{Prg} \) behave non-deterministically. For instance, when placed in the context of two outputs on \( c_1 \), such as \( c_1!1 \parallel c_2!v_2 \parallel c_1!3 \), we have a race for the processing of \( \text{Prg} \) yielding two possible outcomes:

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!3 \Downarrow c_4! \parallel c_1!(1, 2) \parallel c_1!3
\]

or

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!3 \Downarrow c_4! \parallel c_1!(3, 6) \parallel c_1!1
\]

More subtly, \( \text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!3 \) may also behave in unexpected ways, since we have a second race condition when channel \( c_1 \) is reused internally in \( \text{Prg} \), i.e., when \( \text{Dbl} \) sends back its answer to \( \text{Fltr} \) on \( c_1 \): the external output still pending on \( c_1 \) can be consumed in place of that answer, thereby obtaining

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!3 \Downarrow c_4! \parallel c_1!(1, 3) \parallel c_1!2
\]

or

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!3 \Downarrow c_4! \parallel c_1!(3, 1) \parallel c_1!6
\]

When placed in the context of two outputs on \( c_1 \) with one value less than 10 and one greater than or equal to 10, such as \( c_1!1 \parallel c_2!v_2 \parallel c_1!10 \), the non-deterministic behaviour varies even more widely in structure. In fact we can have:

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!10 \Downarrow c_4! \parallel c_1!(1, 2) \parallel c_1!10
\]

or

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1!10 \Downarrow c_4!10 \parallel (\text{new } c_3)(c_3?x_4.\, c_1!(x_4 + x_4)) \parallel c_1!1
\]

Dually, when \( \text{Prg} \) is placed in the context of \( c_1!1 \parallel c_2!v_2 \parallel c_1?x.\text{nil} \), which introduces another input competing for the outputs on \( c_1 \), we have even more non-deterministic behaviour. We can have:

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1?x.\text{nil} \Downarrow c_4! \parallel c_1!(1, 2) \parallel c_1?x.\text{nil}
\]

or

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1?x.\text{nil} \Downarrow (\text{new } c_3)(\text{Fltr} \parallel c_3?x_4.\, c_1!(x_4 + x_4)) \parallel c_2!v_2
\]

or even

\[
\text{Prg} \parallel c_1!1 \parallel c_2!v_2 \parallel c_1?x.\text{nil} \Downarrow c_1?x_3.(c_1!(1, x_3) \parallel c_4!)
\]

In practice, a substantial body of concurrent code is expected to behave deterministically under some form of non-interference assumptions. One example is the in-place quicksort algorithm, which can be encoded in our language as shown in Example 2.8. In this example, determinism is even harder to ascertain because, apart from channel reuse, the code is also recursively defined. This gives us scope for developing refined analysis techniques for deterministic code which lend themselves better to compositionality.

**Example 2.8 (In-Place Quicksort).** The process definition $\text{Qck}(i, j)$ defines a quicksort algorithm, sorting arrays of values *in-place* and signalling on channel $r$ once sorting completes. Arrays of integers $a = [v_1, v_2, \ldots, v_n]$ are represented as a set of messages $a_1!v_1 \parallel \ldots \parallel a_n!v_n$ on an indexed set of channels $a_1 \ldots a_n$. When the range to be sorted is empty or of length 1, i.e., $j \leq i$, $\text{Qck}(i, j)$ signals immediately on channel $r$ (the empty case arises when a partition places the pivot at one end of the range). Otherwise, it chooses the value at the lowest index, $a_i!v_i$, as the pivot, partitions the array, and then calls quicksort recursively on the two partitions, renaming the returning signal to a fresh channel name in each case. Once the two sub-sortings signal back, the process can signal back on $r$.

$$
\begin{aligned}
\text{Qck}(i, j) \triangleq\ & \text{if } j \leq i \text{ then } r! \\
& \text{else } (\text{new } r_3)\Bigl(\text{Prt}(i, j)[r_3/r] \parallel r_3?x.\,(\text{new } r_1, r_2)\bigl(\text{Qck}(i, x-1)[r_1/r] \parallel \text{Qck}(x+1, j)[r_2/r] \parallel r_1?.r_2?.r!\bigr)\Bigr)
\end{aligned}
$$

At the heart of quicksort is $\text{Prt}(i, j)$, which partitions an array into two sub-arrays separated by a pivot cell, $a_p!v_p$, and signals completion by outputting the partition index as a value, $r!p$. After partitioning completes, the values in the first sub-array (i.e., indexes less than $p$) are less than $v_p$ and the values of the second sub-array (i.e., indexes greater than $p$) are greater than or equal to $v_p$. Partitioning calls the array traversal process $\text{Trv}(l, h, x, p, c)$, initialising the pivot value $x$ to $v_i$, the pivot index $p$ to $i$, the counter index $c$ to $i+1$ and the low and high array boundaries $l, h$ to $i$ and $j$ respectively.

$$\text{Prt}(i, j) \triangleq a_i?x.\, \text{Trv}(i, j, x, i, i+1)$$

Traversal loops through the indexes $i + 1$ up to $h$, (6) then (1), comparing their values with the pivot value, (2). If the current value is greater than or equal to $x$, in-place partitioning restores the cell and increments the counter, (3). Otherwise, it increments the pivot index to $p + 1$, swaps the current value with the value at the new pivot index, and proceeds to the next index, (4). Since reads are destructive in value-passing concurrency, swapping occurs only when the two indexes are distinct, (5). Once traversal exceeds the highest index of the array, (6), the pivot value at the lowest index $l$ is swapped with the value at the current pivot index $p$ and the pivot index is returned as the return value $r!p$, (7); again swapping is avoided if these two indexes are the same.

\[
\begin{aligned}
\text{Trv}(l, h, x, p, c) \triangleq\ & \text{if } c > h \text{ then } \bigl(\text{if } l = p \text{ then } (a_l!x \parallel r!p) \text{ else } a_p?y.(a_l!y \parallel a_p!x \parallel r!p)\bigr) & (6),(7) \\
& \text{else } a_c?y. & (1) \\
& \qquad \text{if } x \leq y \text{ then } \bigl(a_c!y \parallel \text{Trv}(l, h, x, p, c+1)\bigr) & (2),(3) \\
& \qquad \text{else if } c = p+1 \text{ then } \bigl(a_c!y \parallel \text{Trv}(l, h, x, p+1, c+1)\bigr) & (5) \\
& \qquad \text{else } a_{p+1}?z.\bigl(a_c!z \parallel a_{p+1}!y \parallel \text{Trv}(l, h, x, p+1, c+1)\bigr) & (4)
\end{aligned}
\]
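As a worked trace (added here; it is not part of the original example) of the partitioning just defined, consider $\text{Prt}(1, 3)$ run on the three-cell array $a_1!3 \parallel a_2!1 \parallel a_3!2$, i.e., $[3, 1, 2]$ with pivot value $3$; the right-hand column records the clauses of $\text{Trv}$ that fire on each line:

\[
\begin{array}{ll}
a_1!3 \parallel a_2!1 \parallel a_3!2 \parallel \text{Prt}(1,3) & \\
\quad \rightarrow\ a_2!1 \parallel a_3!2 \parallel \text{Trv}(1,3,3,1,2) & \text{pivot } x = 3 \text{ read from } a_1 \\
\quad \rightarrow^*\ a_2!1 \parallel a_3!2 \parallel \text{Trv}(1,3,3,2,3) & (1),(2),(5):\ y = 1,\ 3 \leq 1 \text{ false},\ c = p+1 \\
\quad \rightarrow^*\ a_2!1 \parallel a_3!2 \parallel \text{Trv}(1,3,3,3,4) & (1),(2),(5):\ y = 2,\ 3 \leq 2 \text{ false},\ c = p+1 \\
\quad \rightarrow^*\ a_1!2 \parallel a_2!1 \parallel a_3!3 \parallel r!3 & (6),(7):\ c = 4 > h,\ l = 1 \neq p = 3
\end{array}
\]

The partition index returned is $3$: the cells below it hold $2$ and $1$, both less than the pivot value $3$ now stored at $a_3$. Note that the second recursive call made by $\text{Qck}(1,3)$ is then $\text{Qck}(4, 3)$, on an empty range: the base case of $\text{Qck}$ has to signal immediately on such ranges rather than attempt to read a pivot cell from them.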

We note that the splitting of the array during recursive calls in \( Qck(i, j) \) in Example 2.8 is data dependent, based on the pivot value returned after a call to \( Prt(i, j) \). This fact complicates confluence analysis through static techniques such as type systems for resource usage (e.g., \([5, 39]\)). To be able to deal with the refined analysis required for this example, we define a resource-semantics for our processes in Section 3, which does not approximate over data dependent branching. This extended semantics then serves as a model for a resource-aware separation logic for processes, given in Section 4. In Section 5 we then define a compositional proof system for verifying properties in this logic.

3. Resourcing for Processes

We define a reduction semantics for our programs by confining their behaviour through linear permissions for channel input and output. This confined-process semantics helps us to reason about deterministic behaviour of processes and lays the foundation for the semantics of the logic to be presented in Section 4. In particular, it (1) gives us a basis for process separation, in terms of the permissions owned by processes, (2) assists race detection, and (3) acts as a narrative as to why a process is deterministic.

3.1. Systems. We start by defining permission sets. These are used as logical embellishments to readily track channel usage and detect race conditions through conflicting permission usage.

**Definition 3.1 (Permissions).** The set of permissions is \( \text{Perm} \overset{\text{def}}{=} \{\downarrow, \uparrow\} \times \text{Names} \), where \( \downarrow c \) (resp. \( \uparrow c \)) represents the permission to input (resp. output) on channel \( c \). A permission-set, ranged over by the variables \( \rho, \mu \), is a subset of permissions, \( \rho \subseteq \text{Perm} \).

Permissions are linear in the sense that there is at most one output permission and one input permission per channel. This is not to be confused with linear (resp. affine) assumptions [19] or types [26], which restrict channel usage to exactly (resp. at most) once. In our case, permissions are not consumed once used, but are instead transferred around and reused. Thus, instead of restricting the number of uses of a particular channel, they ensure that, at any stage during computation, there is at most one process that can output (resp. input) on a particular channel.

Figure 2 defines the syntax and semantics of systems of confined processes, \( S, T, R \in \text{Sys} \), whereby processes, \( P \), are confined by permission sets, \( \rho \), and denoted as \([P]_{\rho} \). Systems can also be composed in parallel and their channels can also be scoped.
Confined Processes (Systems)

\[ S, T, R ::= [P]_\rho \mid S \parallel T \mid (\text{new } c) S \]

Permission Violation Detection Rules

\[
\begin{align*}
\text{eOut} &\quad \dfrac{\uparrow c \notin \rho}{[c!\bar{e}]_\rho \rightarrow_{\text{err}}} \\[1ex]
\text{eIn} &\quad \dfrac{\downarrow c \notin \rho}{[c?\bar{x}.P]_\rho \rightarrow_{\text{err}}} \\[1ex]
\text{ePar} &\quad \dfrac{S \rightarrow_{\text{err}}}{S \parallel T \rightarrow_{\text{err}}} \\[1ex]
\text{eRes} &\quad \dfrac{S \rightarrow_{\text{err}}}{(\text{new } c)S \rightarrow_{\text{err}}} \\[1ex]
\text{eStr} &\quad \dfrac{T \equiv S \quad S \rightarrow_{\text{err}}}{T \rightarrow_{\text{err}}}
\end{align*}
\]

Structural Equivalence Rules

\[
\begin{align*}
\text{scCom} & \quad S \parallel T \equiv T \parallel S \\
\text{scAss} & \quad S \parallel (T \parallel R) \equiv (S \parallel T) \parallel R \\
\text{scNew} & \quad (\text{new } c)[\text{nil}]_\emptyset \equiv [\text{nil}]_\emptyset \\
\text{scSwp} & \quad (\text{new } c)(\text{new } d)S \equiv (\text{new } d)(\text{new } c)S \\
\text{scNil} & \quad S \parallel [\text{nil}]_\emptyset \equiv S \\
\text{scExt} & \quad S \parallel (\text{new } c)T \equiv (\text{new } c)(S \parallel T) \quad \text{if } c \notin \text{fn}(S)
\end{align*}
\]

Reduction Rules

\[
\begin{align*}
\text{cThn} &\quad \dfrac{b \Downarrow \text{tt}}{[\text{if } b \text{ then } P \text{ else } Q]_\rho \rightarrow [P]_\rho} \\[1ex]
\text{cEls} &\quad \dfrac{b \Downarrow \text{ff}}{[\text{if } b \text{ then } P \text{ else } Q]_\rho \rightarrow [Q]_\rho} \\[1ex]
\text{cCom} &\quad \dfrac{\bar{e} \Downarrow \bar{v} \quad \uparrow c \in \rho \quad \downarrow c \in \mu}{[c!\bar{e}]_\rho \parallel [c?\bar{x}.P]_\mu \rightarrow [P\{\bar{v}/\bar{x}\}]_{\rho \cup \mu}} \\[1ex]
\text{cPrc} &\quad \dfrac{K(\bar{x}) \triangleq P \quad \bar{e} \Downarrow \bar{v}}{[K(\bar{e})]_\rho \rightarrow [P\{\bar{v}/\bar{x}\}]_\rho} \\[1ex]
\text{cRes} &\quad \dfrac{S \rightarrow S'}{(\text{new } c)S \rightarrow (\text{new } c)S'} \\[1ex]
\text{cPar} &\quad \dfrac{S \rightarrow S'}{S \parallel T \rightarrow S' \parallel T} \\[1ex]
\text{cStr} &\quad \dfrac{S \equiv S' \quad S' \rightarrow T' \quad T' \equiv T}{S \rightarrow T} \\[1ex]
\text{cSpl} &\quad [P \parallel Q]_{\rho \uplus \mu} \rightarrow [P]_\rho \parallel [Q]_\mu \\[1ex]
\text{cLcl} &\quad [(\text{new } c)P]_\rho \rightarrow (\text{new } c)[P]_{\rho \cup \{\downarrow c, \uparrow c\}} \\[1ex]
\text{cTgh} &\quad \dfrac{\{\downarrow c, \uparrow c\} \cap \rho \neq \emptyset \quad c \notin \text{fn}(P)}{(\text{new } c)([P]_\rho \parallel S) \rightarrow [P]_{\rho \setminus \{\downarrow c, \uparrow c\}} \parallel (\text{new } c)S} \\[1ex]
\text{cDsc} &\quad \dfrac{\rho \neq \emptyset}{[\text{nil}]_\rho \rightarrow [\text{nil}]_\emptyset}
\end{align*}
\]

Figure 2: A Permission-Confined CCS

Confinement allows us to define separation across systems, \( S \perp T \), on the basis of the (visible) permissions owned by a system, Definition 3.2. In what follows, we assume systems of confined processes to always be well-resourced, meaning that all confined parallel processes are separate, i.e., there is no overlap across owned permission sets, and that permissions are linear. System well-resourcing, denoted \( \vdash S \), is formalised in Definition 3.4. It can be easily checked statically by induction on the structure of systems.
Definition 3.2 (Visibly Owned Permissions).

\[
\text{perm}(S) = \begin{cases} 
\rho & \text{if } S = [P]_\rho \\
\text{perm}(T) \cup \text{perm}(R) & \text{if } S = T || R \\
\text{perm}(T) \setminus \{\downarrow c, \uparrow c\} & \text{if } S = (\text{new } c)T 
\end{cases}
\]

Definition 3.3 (Separation). \( S \perp T \triangleq \text{perm}(S) \cap \text{perm}(T) = \emptyset \)

Definition 3.4 (Well-Resourced System). A system \( S \) is well-resourced, denoted \( \vdash S \), if it is included in the least set defined by the following three rules.

\[
\begin{align*}
\text{wPrc} &\quad \vdash [P]_\rho \\[1ex]
\text{wPar} &\quad \dfrac{\vdash S \quad \vdash T \quad S \perp T}{\vdash S \parallel T} \\[1ex]
\text{wRes} &\quad \dfrac{\vdash S}{\vdash (\text{new } c)S}
\end{align*}
\]

Process confinement also facilitates the detection of races, which lead to non-deterministic behaviour in the process semantics of Section 2. The judgement \( S \rightarrow_{\text{err}} \), defined by the rules in Figure 2, describes the detection of permission violations. As we shall see later on in Section 3.3 and Section 3.4, the absence of permission violations also implies the absence of channel communication races.

The reduction rules in Figure 2 enforce proper permission usage. Rule cCom imposes additional restrictions on rCom of Figure 1: the output process (resp. the input process) is required to own the permission to output, \( \uparrow c \) (resp. input, \( \downarrow c \)), on channel \( c \). Confined processes cannot arbitrarily create permissions but need to transfer them to other processes at specific interaction points (i.e., communication through cCom). The new rules cSpl and cLcl enforce this resourcing of permissions: cSpl requires that newly spawned processes partition the parent permissions amongst them, whereas cLcl ensures that scoped names generate a single pair of input-output permissions for every channel. Note that cSpl is inherently non-deterministic as it does not specify how the permissions are partitioned amongst the parallel processes; cf. Section 3.6 for a discussion of this. Rules cThn, cEls, cPrc, cRes, cPar and cStr in Figure 2 are analogous to those in Figure 1. Structural equivalence extends to systems directly with \([\text{nil}]_\rho \) as the parallel composition identity.

The rule cDsc allows systems to discard permissions whenever it is clear that they will not be used anymore, whereas cTgh is a convenient rule that allows us to tighten name scoping irrespective of permissions; together with cStr, scNil and scNew it allows us to discard redundant scoping of channels as computation progresses (cf. Example 3.32 for an example of how this rule is used). These last two rules are not essential for determining whether a process is deterministic but help de-clutter extraneous permissions. This enables us to express eventual stable systems more succinctly which, in turn, permits simpler definitions for assertion satisfaction later on in Section 4.
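To make Definitions 3.2 to 3.4 and the violation rules of Figure 2 concrete, the following Python model is an added example and not part of the paper: it implements perm, separation, well-resourcing and the eOut/eIn detection over a small system syntax, together with the permission transfer performed by cCom. All type and function names, and the sample systems, are this example's own.

```python
# Added example (not from the paper): a small model of permission-confined systems,
# covering Definitions 3.1-3.4, the eOut/eIn/ePar/eRes violation rules and cCom.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple, Union

IN, OUT = "in", "out"
Perm = Tuple[str, str]        # (direction, channel): (OUT, "c") is ↑c, (IN, "c") is ↓c
PermSet = FrozenSet[Perm]     # a permission-set ρ ⊆ Perm (Definition 3.1)

def inp(c: str) -> Perm: return (IN, c)
def out(c: str) -> Perm: return (OUT, c)
def perms(*ps: Perm) -> PermSet: return frozenset(ps)

@dataclass(frozen=True)
class Output:                 # c!v (asynchronous output, v already evaluated)
    chan: str
    value: object

@dataclass(frozen=True)
class Input:                  # c?x.P, with P{v/x} modelled as a Python function of v
    chan: str
    cont: Callable[[object], "Process"]

@dataclass(frozen=True)
class Nil:                    # nil
    pass

Process = Union[Output, Input, Nil]

@dataclass(frozen=True)
class Confined:               # [P]_ρ
    proc: Process
    perms: PermSet

@dataclass(frozen=True)
class Par:                    # S ∥ T
    left: "System"
    right: "System"

@dataclass(frozen=True)
class New:                    # (new c) S
    chan: str
    body: "System"

System = Union[Confined, Par, New]

def perm(s: System) -> PermSet:
    """Definition 3.2: permissions visibly owned by a system."""
    if isinstance(s, Confined):
        return s.perms
    if isinstance(s, Par):
        return perm(s.left) | perm(s.right)
    return perm(s.body) - perms(inp(s.chan), out(s.chan))   # scoping hides ↓c, ↑c

def separate(s: System, t: System) -> bool:
    """Definition 3.3: S ⊥ T iff the visible permission sets do not overlap."""
    return not (perm(s) & perm(t))

def well_resourced(s: System) -> bool:
    """Definition 3.4: ⊢ S, checked statically by induction on the structure."""
    if isinstance(s, Confined):
        return True                                             # wPrc
    if isinstance(s, Par):                                      # wPar
        return well_resourced(s.left) and well_resourced(s.right) and separate(s.left, s.right)
    return well_resourced(s.body)                               # wRes

def violates(s: System) -> bool:
    """S →err: eOut and eIn, lifted through ePar and eRes (eStr is not needed here)."""
    if isinstance(s, Confined):
        if isinstance(s.proc, Output):
            return out(s.proc.chan) not in s.perms              # eOut
        if isinstance(s.proc, Input):
            return inp(s.proc.chan) not in s.perms              # eIn
        return False
    if isinstance(s, Par):
        return violates(s.left) or violates(s.right)           # ePar
    return violates(s.body)                                     # eRes

def communicate(sender: Confined, receiver: Confined) -> Optional[Confined]:
    """cCom: [c!v]_ρ ∥ [c?x.P]_μ → [P{v/x}]_{ρ∪μ}, only if ↑c ∈ ρ and ↓c ∈ μ."""
    o, i = sender.proc, receiver.proc
    if not (isinstance(o, Output) and isinstance(i, Input) and o.chan == i.chan):
        return None
    if out(o.chan) not in sender.perms or inp(i.chan) not in receiver.perms:
        return None                                             # would be a permission violation
    return Confined(i.cont(o.value), sender.perms | receiver.perms)  # permissions transferred

# Constructed sample systems. FORWARD receives on c and re-emits on d; the linear
# allocation gives each process exactly the permissions its top-level action needs.
FORWARD = Input("c", lambda v: Output("d", v))
LINEAR = Par(Confined(Output("c", 2), perms(out("c"))),
             Confined(FORWARD, perms(inp("c"), out("d"))))
# A second output racing on c: the allocation is still well-resourced, but the
# second sender owns no ↑c, so the race surfaces as a permission violation (eOut).
RACE_AS_VIOLATION = Par(LINEAR, Confined(Output("c", 3), perms()))
# Giving both senders ↑c instead breaks linearity: ⊢ fails at wPar (not separate).
RACE_AS_NON_LINEAR = Par(LINEAR, Confined(Output("c", 3), perms(out("c"))))

def run_linear() -> Optional[Confined]:
    """One cCom step on LINEAR: the receiver ends up owning ↑c as well as ↓c and ↑d."""
    return communicate(LINEAR.left, LINEAR.right)
```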

3.2. Dynamic Properties of Systems. Reductions preserve locality. This means that the permissions owned by a process provide a footprint for its reductions and that any process it reduces to will be confined to these permissions. This property is key for compositional reasoning when ensuring that global properties, such as that of being well-resourced, are preserved. For instance, if the system \( S \parallel T \) is well-resourced, then by Definition 3.4 it must be the case that the two subsystems are separate, i.e., \( S \perp T \). If \( S \rightarrow S' \), locality, i.e., \( \text{perm}(S') \subseteq \text{perm}(S) \), immediately implies that \( S' \perp T \) and therefore that the global system \( S' \parallel T \) is still well-resourced. Thus reduction also preserves well-resourcing.

Lemma 3.5 (Locality). \( S \rightarrow T \) implies \( \text{perm}(T) \subseteq \text{perm}(S) \)

Lemma 3.6 (Resourcing). \( \vdash S \) and \( S \rightarrow T \) implies \( \vdash T \)
Proof (of Lemma 3.5 and Lemma 3.6). The proof is by rule induction on $S \rightarrow T$. The main cases are:

- **cCom**: $S = [c!\bar{e}]_\rho \parallel [c?\bar{x}.P]_\mu$, $T = [P\{\bar{v}/\bar{x}\}]_{\rho \cup \mu}$, where $\bar{e} \Downarrow \bar{v}$. It is immediate that $\text{perm}(S) = \text{perm}(T)$. Moreover, $\vdash T$ by wPrc.

- **cPar**: We have $S = R_1 \parallel R_2$, $T = R'_1 \parallel R_2$ and $R_1 \rightarrow R'_1$. Moreover, $\vdash S$ implies $\text{perm}(R_1) \cap \text{perm}(R_2) = \emptyset$, $\vdash R_1$ and $\vdash R_2$. Also recall that $\text{perm}(S) = \text{perm}(R_1) \cup \text{perm}(R_2)$ and that $\text{perm}(T) = \text{perm}(R'_1) \cup \text{perm}(R_2)$.

  By $\vdash R_1$, $R_1 \rightarrow R'_1$ and I.H. we obtain $\vdash R'_1$ and $\text{perm}(R'_1) \subseteq \text{perm}(R_1)$. By $\text{perm}(R'_1) \subseteq \text{perm}(R_1)$ and $\text{perm}(R_1) \cap \text{perm}(R_2) = \emptyset$, we deduce $\text{perm}(R'_1) \cap \text{perm}(R_2) = \emptyset$ and by $\vdash R'_1$ and $\vdash R_2$ we deduce $\vdash T$. Moreover, by $\text{perm}(R'_1) \subseteq \text{perm}(R_1)$ we obtain $\text{perm}(T) \subseteq \text{perm}(S)$.

- **cSpl**: $S = [P \parallel Q]_{\rho \uplus \mu}$ and $T = [P]_\rho \parallel [Q]_\mu$. $\rho \uplus \mu$ implies $\text{perm}([P]_\rho) \cap \text{perm}([Q]_\mu) = \emptyset$ and since $\vdash [P]_\rho$ and $\vdash [Q]_\mu$ (by wPrc), we get $\vdash T$. Moreover $\text{perm}(T) = \text{perm}(S)$.

- **cDsc**: $S = [\text{nil}]_\rho$ and $T = [\text{nil}]_\emptyset$. Trivially, $\vdash T$ (by wPrc) and $\text{perm}(T) = \emptyset \subseteq \text{perm}(S)$.

Another important property of our resource semantics is that reductions do not hide prior permission violations i.e., permission violations are preserved by reductions. This allows us to ignore intermediary steps during the evaluation of a confined process (cf. Definition 3.8) and simply inspect the resulting stable system to determine whether that evaluation resulted in any permission violations. In what follows, we shall refer to evaluations without permission violations as **safe**.

**Lemma 3.7** (Violation Preservation). $S \rightarrow^* T$ and $S \rightarrow_{\text{err}}$ implies $T \rightarrow_{\text{err}}$

**Proof.** First we show $S \rightarrow T$ and $S \rightarrow_{\text{err}}$ implies $T \rightarrow_{\text{err}}$ by rule induction on $S \rightarrow T$. The main cases are:

- **cCom**: $S = [c!\bar{e}]_\rho \parallel [c?\bar{x}.P]_\mu$, $\uparrow c \in \rho$ and $\downarrow c \in \mu$. By case analysis, if $S \rightarrow_{\text{err}}$ then either $[c!\bar{e}]_\rho \rightarrow_{\text{err}}$ because $\uparrow c \notin \rho$ (by eOut) or $[c?\bar{x}.P]_\mu \rightarrow_{\text{err}}$ because $\downarrow c \notin \mu$ (by eIn); both cases lead to a contradiction.

- **cPar**: $S = R_1 || R_2$, $T = R'_1 || R_2$ and $R_1 \rightarrow R'_1$. By $S = R_1 || R_2$, ePar, eStr and scCom we know $S \rightarrow_{\text{err}}$ because either:

  - $R_1 \rightarrow_{\text{err}}$: By $R_1 \rightarrow R'_1$ and I.H. $R'_1 \rightarrow_{\text{err}}$ and by $T = R'_1 || R_2$ and ePar we get $T \rightarrow_{\text{err}}$.

  - $R_2 \rightarrow_{\text{err}}$: By $T = R'_1 || R_2$, ePar, eStr and scCom we obtain $T \rightarrow_{\text{err}}$.

The second part of the proof is by induction on the number $n$ of reductions used i.e., $S \rightarrow^n T$.

3.3. System Determinism.

The first two main results of our resource semantics establish that system evaluation is deterministic up-to the terminal permissions owned (cf. Theorem 3.11 and Theorem 3.12).

We first lay the ground for these results by giving the following definitions. System evaluation in Definition 3.8, $S \Downarrow T$, is limited to safe-stability, $T\checkmark$, and excludes reductions to racy systems. The operation $|{-}|$ denotes a permission-erasure function whereby $|S|$ returns the process in $S$ stripped of all its confining permissions; it allows us to express equivalence up-to owned permissions in Theorem 3.11. System Convergence, Definition 3.10, is the least set of systems that converge to a stable state (but not necessarily a safe one) and is used for Theorem 3.12.

**Definition 3.8** (Safe-Stability and Evaluation).

$$S\checkmark \overset{\text{def}}{=} S \nrightarrow \text{ and } S \nrightarrow_{\text{err}}$$

$$S \Downarrow T \overset{\text{def}}{=} \exists T'.\ S \rightarrow^* T' \text{ and } T'\checkmark \text{ and } T \equiv T'$$
**Definition 3.9** (Permission Confinement Erasure).

\[ |S| \overset{\text{def}}{=} \begin{cases} P & \text{if } S = [P]_\rho \\ |T| \parallel |R| & \text{if } S = T \parallel R \\ (\text{new } c) |T| & \text{if } S = (\text{new } c)T \end{cases} \]

**Definition 3.10** (System Convergence). \( S \downarrow \overset{\text{def}}{=} S \nrightarrow \) or (\( \forall T.\ S \rightarrow T \implies T \downarrow \))

In conformance with Definition 2.6, by system determinism we understand that (1) no system can evaluate to two distinct safely-stable systems, up-to owned permissions i.e., Theorem 3.11 and that (2) no system can evaluate to a safely-stable system and, at the same time, diverge along a different execution path i.e., Theorem 3.12.

**Theorem 3.11** (Evaluation Determinism). \( S \Downarrow T_1 \) and \( S \Downarrow T_2 \) implies \( |T_1| \equiv |T_2| \)

**Theorem 3.12** (System Evaluation implies System Convergence). \( S \Downarrow \) implies \( S \downarrow \)

These properties follow, at an intuitive level, from the partial-confluence property, as stated in Lemma 3.13.

**Lemma 3.13** (Partial Confluence). \( S \rightarrow T_1 \) and \( S \rightarrow T_2 \) implies either of the following:

1. \( |T_1| \equiv |T_2| \) or;
2. \( \exists T_3. T_1 \rightarrow T_3 \) and \( T_2 \rightarrow T_3 \)

However, the full technical details of the proofs for Theorem 3.11 and Theorem 3.12 are more delicate; on first reading, the reader may skip them and progress to Section 3.4. Before though, we highlight Proposition 3.14 which establishes sufficient and necessary conditions on the structure of safely-stable systems; these conditions will then act as a guiding principle when formulating our logic formulas. In essence, safely stable systems consist of mismatching asynchronous outputs and input-blocked processes composed in parallel, each owning the respective output and input permissions so as not to generate an error.

**Proposition 3.14** (Safe-Stability and System Structure).

\[ S\checkmark \iff S \equiv (\text{new } \bar{d}) \left( \big\|_{i=1}^n [c_i!\bar{v}_i]_{\rho_i} \parallel \big\|_{j=1}^m [c'_j?\bar{x}_j.P_j]_{\mu_j} \right) \]

where

- \( \{c_1, \ldots, c_n\} \cap \{c'_1, \ldots, c'_m\} = \emptyset \)
- \( \bigwedge_{i=1}^n \uparrow c_i \in \rho_i \)
- \( \bigwedge_{j=1}^m \downarrow c'_j \in \mu_j \)

and where the empty compositions \( \big\|_{i=1}^{0} [c_i!\bar{v}_i]_{\rho_i} \) and \( \big\|_{j=1}^{0} [c'_j?\bar{x}_j.P_j]_{\mu_j} \) denote \( [\text{nil}]_\emptyset \).

The proofs for Theorem 3.11 and Theorem 3.12 require us to work at a tighter relation than process structural equivalence for the intermediary steps of an evaluation, namely \( \cong \) defined in Definition 3.15, because process structural equivalence, \( \equiv \), loses information with respect to the currently owned permissions of a system. The relation \( \cong \) lies between system structural equivalence and the respective process structural equivalence after confinement erasure (cf. Proposition 3.16).

Definition 3.15 (Equivalence up-to owned permissions). $S \cong T$ is defined as the least relation satisfying the following rules:

- $[P]_\rho \cong [P]_\mu$
- $S_1 \cong S_2$ and $T_1 \cong T_2$ implies $S_1 \parallel T_1 \cong S_2 \parallel T_2$
- $S_1 \cong S_2$ implies $(\text{new } c)S_1 \cong (\text{new } c)S_2$
- $S_1 \equiv S_2$, $S_2 \cong T_2$ and $T_2 \equiv T_1$ implies $S_1 \cong T_1$

Proposition 3.16. $S \equiv T$ implies $S \cong T$ implies $|S| \equiv |T|$

Note that $|S| \equiv |T|$ does not imply $S \cong T$. For instance, $|[P \parallel Q]_\rho| \equiv |[P]_\mu \parallel [Q]_{\mu'}|$ but $[P \parallel Q]_\rho \not\cong [P]_\mu \parallel [Q]_{\mu'}$.

Lemma 3.17 (Properties of $\cong$ with respect to reductions).

1. $S \cong T$ and $T \rightarrow T'$ and $S \nrightarrow_{\text{err}}$ implies $S \rightarrow S'$ and $S' \cong T'$
2. $S \cong T$ and $S \nrightarrow$ and $S \nrightarrow_{\text{err}}$ implies $T \nrightarrow$

Proof. See Appendix A.2

Lemma 3.18 (Partial Confluence). $S \rightarrow T_1$ and $S \rightarrow T_2$ implies either of the following:

1. $T_1 \cong T_2$ or;
2. $\exists T_3.\ T_1 \rightarrow T_3$ and $T_2 \rightarrow T_3$

Proof. See Appendix A.2

Definition 3.19 (System Evaluation Predicate). $S \Downarrow \overset{\text{def}}{=} \exists T.\ S \Downarrow T$

Lemma 3.20 (Evaluation Preservation for $\cong$).

$S \cong T$ and $S \Downarrow$ and $T \rightarrow T'$ implies $S \rightarrow S'$ where $S' \cong T'$ and $S' \Downarrow$

Proof. See Appendix A.2

Lemma 3.21 (Evaluation and $\cong$).

$S \cong T$ and $S \rightarrow^n S'\checkmark$ and $T \rightarrow^m T'\checkmark$ implies $S' \cong T'$ and $n = m$

Proof. By (strong) induction on the number $n$ of reductions leading to a safely-stable system from any system, $S \rightarrow^n S'\checkmark$.

$n = 0$: By $S \nrightarrow$ (and $S \nrightarrow_{\text{err}}$, since $S = S'\checkmark$) and Lemma 3.17(2) we know $T \nrightarrow$, which implies $m = 0$ and $T' = T \cong S$.

$n = k + 1$: We have

\[ \exists S'' \text{ such that } S \rightarrow S'' \rightarrow^k S'\checkmark \tag{3.1} \]

Lemma 3.7 and $S'\checkmark$, $T'\checkmark$ imply $S \nrightarrow_{\text{err}}$ and $T \nrightarrow_{\text{err}}$; together with $S \rightarrow S''$ and Lemma 3.17(1) this implies that $m > 0$, i.e.,

\[ \exists T'' \text{ such that } T \rightarrow T'' \rightarrow^{m-1} T'\checkmark \tag{3.2} \]

Moreover, $S \rightarrow^n S'\checkmark$ and $T \rightarrow^m T'\checkmark$ imply $S \Downarrow$ and $T \Downarrow$ respectively, and by $S \cong T$, $S \rightarrow S''$ and Lemma 3.20 we obtain

\[ \exists T_1, T_1', l \text{ such that } T \rightarrow T_1 \tag{3.3} \]

\[ T_1 \cong S'' \tag{3.4} \]

\[ T_1 \rightarrow^l T_1'\checkmark \tag{3.5} \]

By $S'' \rightarrow^k S'$ from (3.1), (3.4), (3.5) and I.H. we obtain

\[ S' \cong T_1' \text{ and } l = k \tag{3.6} \]

i.e., $T_1 \rightarrow^k T_1'\checkmark$. Now by Lemma 3.18, $T \rightarrow T_1$ from (3.3) and $T \rightarrow T''$ from (3.2) we have two sub-cases:

- $T_1 \cong T''$: By (3.5) and (3.6) we know $T_1 \rightarrow^k T_1'\checkmark$ and, by $T'' \rightarrow^{m-1} T'\checkmark$ from (3.2) and I.H., we deduce $T' \cong T_1'$ and $(m - 1) = k$. By transitivity and (3.6) we conclude $T' \cong S'$ and $m = (k + 1) = n$ as required.

- $\exists T_3.\ T_1 \rightarrow T_3$ and $T'' \rightarrow T_3$: We here have two further sub-cases:

  - $T_3 \Downarrow$, i.e., $\exists T_3', h$ such that $T_3 \rightarrow^h T_3'\checkmark$: This implies $T_1 \rightarrow^{h+1} T_3'\checkmark$ and by (3.1), (3.4) and I.H. we obtain

    \[ T_3' \cong S' \text{ and } (h + 1) = k \tag{3.7} \]

    We also know that $T'' \rightarrow^{h+1} T_3'\checkmark$ and by (3.7) we obtain $T'' \rightarrow^k T_3'\checkmark$ and, since $T'' \cong T''$ (reflexivity of $\cong$), using (3.2) and I.H. we obtain

    \[ T_3' \cong T' \text{ and } (m - 1) = k \]

    which first implies $m = (k + 1) = n$ and then, by (3.7), implies $T' \cong S'$ as required.

  - $T_3 \not\Downarrow$: By $T_1 \rightarrow T_3$, $T_1 \cong T_1$ (reflexivity of $\cong$), (3.5) and Lemma 3.20 we know

    \[ \exists T_4, T_4', i \text{ such that } T_1 \rightarrow T_4 \tag{3.8} \]

    \[ T_4 \cong T_3 \tag{3.9} \]

    \[ T_4 \rightarrow^i T_4'\checkmark \tag{3.10} \]

    Similarly, by $T'' \rightarrow T_3$, $T'' \cong T''$, (3.2), $T'\checkmark$ and Lemma 3.20

    \[ \exists T_5, T_5', j \text{ such that } T'' \rightarrow T_5 \tag{3.11} \]

    \[ T_5 \cong T_3 \tag{3.12} \]

    \[ T_5 \rightarrow^j T_5'\checkmark \tag{3.13} \]

    Now (3.8) and (3.10) imply $T_1 \rightarrow^{i+1} T_4'\checkmark$ and by (3.6), $T_1 \cong T_1$ and I.H. we obtain

    \[ T_4' \cong T_1' \cong S' \text{ and } (i + 1) = k, \text{ i.e., } T_4 \rightarrow^{k-1} T_4'\checkmark \tag{3.14} \]

    Moreover, (3.9), (3.12) and transitivity imply $T_4 \cong T_5$, and by (3.14), (3.13) and I.H. we obtain

    \[ T_5' \cong T_4' \cong S' \text{ and } j = (k - 1) \tag{3.15} \]

    By (3.11) and (3.15) we obtain $T'' \rightarrow^k T_5'\checkmark$ and by $T'' \cong T''$, (3.2) and I.H. we obtain

    $$T' \cong T_5' \cong S' \text{ and } (m - 1) = k$$

    which also implies $m = (k + 1) = n$ as required.

**Theorem 3.11** (Evaluation Determinism). $S \Downarrow T_1$ and $S \Downarrow T_2$ implies $|T_1| \equiv |T_2|$

**Proof.** By reflexivity we know $S \cong S$ and by Lemma 3.21 we know $T_1 \cong T_2$ which, by Proposition 3.16, implies $|T_1| \equiv |T_2|$.

Convergence for systems, Theorem 3.12, largely follows from Lemma 3.20 and Lemma 3.21. We prove Theorem 3.12 by generalising the hypothesis to systems related by $\equiv$ in Lemma 3.22, so as to make the induction go through.

**Lemma 3.22.** $S \Downarrow$ and $S \cong T$ implies $T \downarrow$.

**Proof.** By induction on $n$ where $S \rightarrow^n R\checkmark$ for some witness safely-stable $R$ justifying $S \Downarrow$.

$n = 0$: This means that $S \nrightarrow$ (and $S \nrightarrow_{\text{err}}$) and thus by Lemma 3.17(2) we have $T \nrightarrow$, which implies $T \downarrow$.

$n = k + 1$: We have

\[ S \rightarrow S' \rightarrow^k R\checkmark \tag{3.16} \]

We have two sub-cases. If $T \nrightarrow$ then this trivially implies convergence. Otherwise, for any $T'$ such that $T \rightarrow T'$, by Lemma 3.20 we obtain

\[ S \rightarrow S'' \text{ such that } S'' \cong T' \text{ and } S'' \Downarrow \tag{3.17} \]

$S'' \Downarrow$ implies that for some $m$ and $R'$, $S \rightarrow^m R'\checkmark$ through $S''$, and since $S \cong S$, by (3.16) and Lemma 3.21 this implies that $m = k + 1$, which means that $S'' \rightarrow^k R'\checkmark$. Thus by $S'' \cong T'$ from (3.17) and I.H. we obtain $T' \downarrow$; as this holds for every such $T'$, it implies $T \downarrow$.

**Theorem 3.12** (System Evaluation implies System Convergence). $S \Downarrow$ implies $S \downarrow$.

**Proof.** Immediate by Lemma 3.22 and $S \cong S$.

3.4. Process Determinism. The second main batch of results relates system evaluations in our resource semantics with process determinism in the unconstrained semantics of Section 2 (cf. Corollary 3.25). In particular, Theorem 3.23 states that any well-resourced permission allocation $S$ that allows the process $|S|$ to evaluate down to a safely-stable system, $T$, implies that any evaluation for process $|S|$ in the unconstrained semantics corresponds, up to structural equivalence, to this system $T$ stripped of its constraining permissions, i.e., $|T| \equiv Q$ whenever $|S|\Downarrow Q$. On the other hand, Theorem 3.24 states that if $S$ evaluates successfully to a safely-stable system, then the corresponding process $|S|$ must be convergent. Together, these two theorems effectively state that finding a single allocation (narrative) $S$ of linear permissions for a process $|S|$ that allows it to evaluate to some $T$ suffices to show that $|S|$ is deterministic in the unconstrained semantics (Corollary 3.25).

**Theorem 3.23** (Process Evaluation Determinism). $|S|\Downarrow Q$ and $S \Downarrow T$ implies $Q \equiv |T|$

**Theorem 3.24** (Process Convergence). $S \Downarrow$ implies $|S| \downarrow$

**Corollary 3.25.** $S \Downarrow$ implies $|S|$ is deterministic.

**Proof.** By Definition 2.6, Theorem 3.23, transitivity of $\equiv$, and Theorem 3.24.
We next discuss in detail the proofs for Theorem 3.23 and Theorem 3.24; the reader may safely skip them on first reading and proceed to Section 3.5.

Theorem 3.23 relies heavily on Lemma 3.28. In essence, this lemma states that a system that evaluates to a safely stable system can match any sequence of reductions (in the unconstrained semantics) of the system stripped of its constraining permissions. This lemma is based on Lemma 3.27, which proves the property for the case of a single unconstrained reduction, and also depends on the property of corrective reductions, Lemma 3.26. This lemma states that any system that can evaluate safely, $S \Downarrow$, is guaranteed to be able to "correct" a wrong partitioning of permissions (cf. cSpl in Figure 2) along a particular reduction path that results in systems that cannot evaluate safely. Stated otherwise, this means that there must exist a permission partition that leads to a full evaluation along that particular execution path.

**Lemma 3.26 (Corrective Reductions).**

\[ S \Downarrow \text{ and } S \rightarrow^n T \text{ and } T \not\Downarrow \implies \exists R \text{ such that } S \rightarrow^n R \text{ and } R \cong T \text{ and } R \Downarrow \]

**Proof.** Immediate from Lemma A.9 from Appendix A.2 and the fact that $S \equiv S$. 

**Lemma 3.27 (Reduction Correspondence).**

\[ S \Downarrow \text{ and } |S| \rightarrow Q \implies \exists R \text{ such that } S \rightarrow^+ R \text{ and } |R| \equiv Q \]

**Proof.** By rule induction on $|S| \rightarrow Q$; see Appendix A.2.

**Lemma 3.28 (Multi-step Reduction Correspondence).**

\[ |S| \rightarrow^n Q \text{ and } S \Downarrow \implies S \rightarrow^{n+m} R \text{ such that } R \Downarrow \text{ and } |R| \equiv Q. \]

**Proof.** By induction on the number $n$ of reduction steps in $|S| \rightarrow^n Q$:

$n = 0$: Immediate, since $Q = |S|$ and $S \rightarrow^0 S$ where $S \Downarrow$.

$n = k + 1$: This means that $\exists P$ such that $|S| \rightarrow P \rightarrow^k Q$. By $S \Downarrow$ and Lemma 3.27 we know:

\[ \exists T \text{ such that } S \rightarrow^l T,\ l > 0 \text{ and } |T| \equiv P \tag{3.18} \]

Thus by $P \rightarrow^k Q$, $|T| \equiv P$ from (3.18) and rStr we have

\[ |T| \rightarrow^k Q \tag{3.19} \]

At this point we have two cases:

- $T \Downarrow$: By I.H. we deduce that $T \rightarrow^{k+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$, and by $S \rightarrow^l T$ from (3.18) we obtain $S \rightarrow^{k+m+l} R$ such that $R \Downarrow$ and $|R| \equiv Q$.

- $T \not\Downarrow$: By $S \rightarrow^l T$ from (3.18) and Lemma 3.26 we know

  \[ \exists T' \text{ such that } S \rightarrow^l T' \text{ and } T' \cong T \text{ and } T' \Downarrow \tag{3.20} \]

  Now, by Proposition 3.16, $T' \cong T$ implies $|T'| \equiv |T|$. Thus by (3.19) and rStr we deduce $|T'| \rightarrow^k Q$. Thus by $T' \Downarrow$ and I.H. we obtain $T' \rightarrow^{k+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$, and by $S \rightarrow^l T'$ from (3.20) we obtain $S \rightarrow^{k+m+l} R$ such that $R \Downarrow$ and $|R| \equiv Q$.

Theorem 3.23 also uses Lemma 3.30, which maps stable processes to safely stable systems.

**Lemma 3.29 (Correspondence).** $S \rightarrow T \implies |S| \rightarrow |T| \text{ or } |S| \equiv |T|$.

**Proof.** The proof is by rule induction on $S \rightarrow T$ and we relegate this to Appendix A.2.
Lemma 3.30 (Correspondence and Termination). $|S| \nrightarrow$ and $S \Downarrow T$ implies $|T| \equiv |S|$

Proof. By induction on $n$ where $S \rightarrow^n T$. The inductive case uses the contrapositive of Lemma 3.29. See Appendix A.2.

Theorem 3.23 (Process Evaluation Determinism). $|S| \Downarrow Q$ and $S \Downarrow T$ implies $Q \equiv |T|$.

Proof. $|S| \Downarrow Q$ implies that

\[ |S| \rightarrow^n Q \nrightarrow \text{ for some } n \tag{3.21} \]

By $|S| \rightarrow^n Q$, $S \Downarrow T$ (hence $S \Downarrow$) and Lemma 3.28 we know that $S \rightarrow^{n+m} R$ such that $R \Downarrow$ and $|R| \equiv Q$. Since $Q \nrightarrow$, (3.21), then by Corollary A.2 we obtain $|R| \nrightarrow$ and thus, by $R \Downarrow$ and Lemma 3.30, we know that

\[ R \Downarrow T' \text{ for some } T' \text{ where } |T'| \equiv |R| \tag{3.22} \]

By $S \rightarrow^{n+m} R$ and $R \Downarrow T'$ of (3.22) we deduce that $S \Downarrow T'$ and by $S \Downarrow T$ and Theorem 3.11 from Section 3.3 we know $|T| \equiv |T'|$. Thus by transitivity we obtain $|T| \equiv |T'| \equiv |R| \equiv Q$ as required.

Theorem 3.24 (Process Convergence). $S \Downarrow$ implies $|S| \downarrow$

Proof. By contradiction. Assume that $|S| \not\downarrow$. Since, by $S \Downarrow$ and Theorem 3.12, any reduction sequence starting from $S$ is finite, by $|S| \not\downarrow$ there must exist a long enough reduction sequence

$$|S| \rightarrow^n Q \rightarrow \ldots$$

where, by Lemma 3.28, $S \rightarrow^{n+m} T$ with $T \Downarrow$ and $|T| \equiv Q$. Now since $T \Downarrow$, by Corollary 3.31 we must have $Q \nrightarrow$, which contradicts our assumption. Thus $|S| \downarrow$.

3.5. Confined Semantics Application. The following examples expound on the use of linear permission allocations for reasoning about deterministic code.

Example 3.32. $Prg \parallel c_1!v_1 \parallel c_2!v_2$ can be shown to be deterministic by finding a permission assignment for every process below that permits a safe evaluation.

$$[Prg]_{\rho_1} \parallel [c_1!2]_{\rho_2} \parallel [c_2!5]_{\rho_3} \Downarrow [c_1!(2,4)]_{\mu_1} \parallel [c_4!]_{\mu_2}$$

Two possible assignments for $\rho_1$, $\rho_2$ and $\rho_3$ that permit the above evaluation are:

$$\rho_1 = \{\downarrow c_1, \downarrow c_2, \uparrow c_4\}, \quad \rho_2 = \{\uparrow c_1\}, \quad \rho_3 = \{\uparrow c_2\} \quad \text{or} \tag{3.23}$$

$$\rho_1 = \{\downarrow c_1, \downarrow c_2\}, \quad \rho_2 = \{\uparrow c_1, \uparrow c_4\}, \quad \rho_3 = \{\uparrow c_2\} \tag{3.24}$$

Stated otherwise, we have at least two possible linear-permission based narratives explaining why $Prg \parallel c_1!v_1 \parallel c_2!v_2$ is deterministic. For both assignments $\uparrow c_1 \in \mu_1$ and $\uparrow c_4 \in \mu_2$ must hold for the resulting safely-stable system $[c_1!(2,4)]_{\mu_1} \parallel [c_4!]_{\mu_2}$, but the remaining permissions $\downarrow c_1$, $\downarrow c_2$ and $\uparrow c_2$, which are redundant at that point, can arbitrarily be split amongst $\mu_1$ and $\mu_2$. More specifically, recall from Example 2.7 that

\[
\text{Prg} \triangleq (\text{new } c_3) (\text{Fltr}||\text{Dbl})
\]

\[
\text{Fltr} \triangleq c_1?x_1.\ \text{if } x_1 \leq 9 \text{ then } \left( c_3!x_1 \parallel c_1?x_3.\ (c_1!(x_1, x_3) \parallel c_4!) \right) \text{ else } c_4!x_1
\]

Using the permission assignment in (3.23) we can have the reduction sequence below. Reduction (3.25) can be derived using the rules cLcl, cStr and cPar (cf. Figure 2), whereas reduction (3.26) is derived using cStr, cPar and cRes; other reductions can be derived in similar fashion. For the most part, we have abstracted away from structural manipulation of terms, with the exception of reduction (3.33), which employs cTgh and cStr to discard the redundant scoped channel name \( c_3 \) and the permissions associated with it.

\[
\begin{align*}
& [\text{Prg}]_{\{c_1,c_2,c_3\}} \parallel [c_1!2]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \rightarrow && (3.25) \\
& (\text{new } c_3) \left( [\text{Fltr} \parallel \text{Dbl}]_{\{c_1,c_2,c_3\}} \parallel [c_1!2]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \right) \rightarrow && (3.26) \\
& (\text{new } c_3) \left( [\text{Fltr}]_{\{c_1,c_2,c_3\}} \parallel [\text{Dbl}]_{\{c_2,c_3\}} \parallel [c_1!2]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \right) \rightarrow && (3.27) \\
& (\text{new } c_3) \left( [\text{if } 2 \leq 9 \text{ then } c_3?x_3.\ (c_1!(2, x_3) \parallel c_4!)]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{Dbl}]_{\{c_2,c_3\}} \parallel [c_2!5]_{\{c_2\}} \right) \rightarrow && (3.28) \\
& (\text{new } c_3) \left( [c_3?x_3.\ (c_1!(2, x_3) \parallel c_4!)]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{Dbl}]_{\{c_2,c_3\}} \parallel [c_2!5]_{\{c_2\}} \right) \rightarrow && (3.29) \\
& (\text{new } c_3) \left( [c_3?x_3.\ (c_1!(2, x_3) \parallel c_4!)]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{Dbl}]_{\{c_2,c_3\}} \parallel [c_2!5]_{\{c_2\}} \right) \rightarrow && (3.30) \\
& (\text{new } c_3) \left( [c_3?x_3.\ (c_1!(2, x_3) \parallel c_4!)]_{\{c_1,c_2,c_3,c_4\}} \parallel [c_1!(2+2)]_{\{c_2,c_3,c_4\}} \right) \rightarrow && (3.31) \\
& (\text{new } c_3) \left( [c_1!(2, 4) \parallel c_4!]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{nil}]_\emptyset \right) \rightarrow && (3.32) \\
& (\text{new } c_3) \left( [c_1!(2, 4) \parallel c_4!]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{nil}]_\emptyset \right) \rightarrow (\text{new } c_3) \left( [\text{nil}]_\emptyset \right) \rightarrow && (3.33) \\
& (\text{new } c_3) \left( [c_1!(2, 4) \parallel c_4!]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{nil}]_\emptyset \right) \rightarrow (\text{new } c_3) \left( [\text{nil}]_\emptyset \right) \rightarrow && (3.34) \\
& (\text{new } c_3) \left( [c_1!(2, 4) \parallel c_4!]_{\{c_1,c_2,c_3,c_4\}} \parallel [\text{nil}]_\emptyset \right) \rightarrow (\text{new } c_3) \left( [\text{nil}]_\emptyset \right) \rightarrow && (3.35)
\end{align*}
\]

We highlight two important aspects of this reduction sequence. First, reduction (3.30) could have been interleaved with any of the reductions (3.27), (3.28) and (3.29) while still yielding the same safely-stable system; this holds because these reductions are confluent, as the separate permissions held by each subsystem attest. Second, we could have opted for a different permission partitioning in the reductions (3.26), (3.29) and (3.34), and still attained a safely-stable system. For instance, in (3.26) we could have allocated permission \( \uparrow c_4 \) to the process \( \text{Dbl} \) and, similarly, in the case of (3.29) permission \( \uparrow c_4 \) could have been allocated to the process \( \uparrow c_3 \), without altering the eventual safely-stable system reached.

From the fact that (3.35) is safely-stable and the contrapositive of Lemma 3.7 we know that permissions were never violated throughout the reduction sequence. Theorem 3.11 guarantees that the process part of any system evaluation will be structurally equivalent to \( c_1!(2, 4) \parallel c_4! \) and, by Theorem 3.23 and Theorem 3.24, this implies that \( \text{Prg} \parallel c_1!v_1 \parallel c_2!v_2 \) deterministically evaluates to \( c_1!(2, 4) \parallel c_4! \); i.e., it always converges.
From a compositional perspective, permission sets also delineate the footprint of every process and, indirectly, the well-resourcing requirement of Definition 3.4 defines an interface for detecting race conditions. Consider, for example, the system:

\[
\left[ \text{Prg} \right]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}}
\]

In order for this system to be safe, it needs the permission \( \downarrow c_1 \) (otherwise it would yield a permission violation through rule \( \text{ElN} \)). Recall the context \( c_1! \parallel c_2!v_2 \parallel c_1?x.\text{nil} \) from Example 2.7, which introduced a race condition on inputs on channel \( c_1 \). In order for this system not to violate permissions itself, it must own a permission set \( \mu \), i.e., \( \left[ c_1! \parallel c_2!v_2 \parallel c_1?x.\text{nil} \right]_{\mu} \), where \( \downarrow c_1 \in \mu \) as well. However, the separation condition for well-resourcing prohibits us from composing these two systems together because their respective permission sets are not disjoint, i.e., \( \{ \downarrow c_1, \downarrow c_2, \uparrow c_4 \} \cap \mu \neq \emptyset \).

**Example 3.33.** If, in the array \( a_1!v_1 \parallel \ldots \parallel a_n!v_n \) to be sorted, we assign the permission set \( \mu_i = \{ \uparrow a_i \} \) to every element \( a_i!v_i \) and assign the permission set \( \rho = \{ \downarrow a_1, \ldots, \downarrow a_n, \uparrow r \} \) to \( \text{Qck}(1, n) \), then we can show that

\[
\left[ \text{Qck}(1, n) \right]_{\rho} \parallel \left[ a_1!v_1 \right]_{\mu_1} \parallel \ldots \parallel \left[ a_n!v_n \right]_{\mu_n} \downarrow T
\]

for some safely stable system \( T \) where

\[
T = \left[ a_1!u_1 \right]_{\mu_1} \parallel \ldots \parallel \left[ a_n!u_n \right]_{\mu_n} \parallel \left[ r! \right]_{\rho}
\]

Note how, as in Example 3.32, \( \rho \) in \( \left[ \text{Qck}(1, n) \right]_{\rho} \) defines an interface that parallel processes composed with it must respect, in order for it to evaluate deterministically.

### 3.6. Discussion.

Process spawning, \( \text{cSpl}_c \), is intentionally non-deterministic: apart from alleviating permission annotation\(^3\), its non-deterministic nature is in line with the unspecified way in which permissions can be allocated in a confined system. Correspondingly, through Theorem 3.11 and Corollary 3.25, we have seen that there may be more than one valid way to distribute permissions across processes so as to prove determinacy.

Since we eventually plan to use confined processes as part of the model for our logic (cf. Section 4), we here opt for the most flexible solution i.e., non-deterministic splits for parallel composition, which permits more narratives explaining process determinism while still restricting the permission allocations that can be used. This setup gives better separation of concerns between confined process reduction and the model used for our logic. In particular, this model incorporates environments describing permission-transfer invariants, apart from confined processes. These environments are however orthogonal to the properties of confined processes derived in this section. In fact, their purpose is that of allowing for better compositional analysis when determining assertion satisfactions, as we shall see in Section 4 and Section 5.

---

\(^3\) The current formulation leads to a more lightweight form of annotation for confined processes. The other alternative would have been to extend the definition of parallel composition at the process level and have systems of the form \( [ P \parallel_{\mu_1, \mu_2} Q ]_{\rho} \), whereby \( \mu_1 \) and \( \mu_2 \) specify deterministically how \( \rho \) is to be apportioned amongst \( P \) and \( Q \).
4. Logic

We define a separation-based logic that enables us to reason about programs that deterministically evaluate to stable systems satisfying assertions describing their state. Our logic concentrates more on describing data held at asynchronous outputs in stable systems, and abstracts away from issues dealing with control for deterministic evaluation. For this reason, the logic semantics is not defined directly on bare processes. Instead, the confined processes of Section 3 together with the definitions for safe-stability and evaluations, Definition 3.8, provide the basis for a model to our separation logic whereby the permissions owned constitute our units of separation (cf. Definition 3.3).

Together with the associated proof system of Section 5, this amounts to our proposal for a logical framework for reasoning over non-interfering concurrent programs.

4.1. Permission Environments. In our logic, channels have a dual role. Apart from acting as a mechanism for communicating data, they also act as delimiters of mutual-exclusion groups of resources, modelling conditional critical regions [31]. Each input process \( c?\vec{x}.P \) abides to use certain permissions in \( P \) only after it synchronises on channel \( c \), whereas each output process \( c!\vec{e} \) is obliged to own the permissions guarded by \( c \); these guarded permissions are transferred dynamically upon communication on \( c \) using rule \( \text{cCom} \) of Figure 2 and enable us to reason about channel reuse in deterministic systems.

The invariants relating to permission mutual-exclusion are characterised as permission environments, \( \Gamma \in \text{Chans} \rightarrow \mathcal{P}(\text{Perm}) \), partial maps associating channels \( c \) to permission-sets \( \rho \). They require abiding processes to own all the permissions in \( \rho \) when outputting on \( c \) and, dually, allow processes to assume the acquisition of all permissions in \( \rho \) when inputting on \( c \). The constraints in Definition 4.1 ensure that (1) permission transfer always includes the permission \( \uparrow c \) to output over the communicating channel, but never the capability \( \downarrow c \) to input over it, as this must already belong to the receiving process; (2) environments are suitably closed.

**Definition 4.1 (Permission Environment).** \( \Gamma \) is a finite map from names to permission sets such that:

1. \( \forall c \in \text{dom}(\Gamma).\ \downarrow c \notin \Gamma(c) \text{ and } \uparrow c \in \Gamma(c) \),
2. \( \rho \in \text{cod}(\Gamma) \) implies \( \text{nm}(\rho) \subseteq \text{dom}(\Gamma) \),

where \( \text{nm}(\rho) \triangleq \{ c | \downarrow c \in \rho \text{ or } \uparrow c \in \rho \} \).

4.2. Logical Formulas. Our logic formulas, ranged over by the meta-variables \( \phi, \psi \), characterise a ‘spatial’ notion of state for deterministic processes in terms of the data held on asynchronous channels at stable processes. In order to simplify our conceptual process interpretations, we limit ourselves to describing only the states of stable processes, abstracting away from the intermediary reductions that lead to stability. For this we require asynchronous output data assertions, \( c(\vec{e}) \), the ‘separated conjunction’, \( \phi \ast \psi \), and its unit, \( \text{emp} \); formulas constructed using just these constructs are denoted by the metavariable \( \chi \) and are called state formulas. Guided by Proposition 3.14, stability requires our formulas to describe (input) blocked processes, \( \text{blk}(c) \). Finally, we also describe unrestricted terminating processes by \( \text{any} \) whenever we want to abstract away completely from the structure of a terminating process.

**Definition 4.2 (Formulas).**

\[
\begin{align*}
\chi, \eta & \in \text{SFrm} ::= \text{emp} \mid c\langle\vec{e}\rangle \mid \chi \ast \eta \\
\phi, \psi & \in \text{Frm} ::= \text{emp} \mid \text{any} \mid c\langle\vec{e}\rangle \mid \text{blk}(c) \mid \phi \ast \psi
\end{align*}
\]
\[
\begin{align*}
\Gamma, S \models \text{emp} & \quad \text{iff } S \Downarrow [\text{nil}]_\emptyset; \\
\Gamma, S \models \text{any} & \quad \text{iff } S \Downarrow T; \\
\Gamma, S \models c\langle \vec{e} \rangle & \quad \text{iff } S \Downarrow [c!\vec{e}']_\rho \text{ with } \vec{e}' \Downarrow \vec{v},\ \vec{e} \Downarrow \vec{v} \text{ and } \Gamma(c) \subseteq \rho; \\
\Gamma, S \models \text{blk}(c) & \quad \text{iff } S \Downarrow (\text{new } \vec{d})[c?\vec{x}.P]_\rho \text{ with } c \notin \vec{d},\ \downarrow c \in \rho \text{ and } c \in \text{dom}(\Gamma); \\
\Gamma, S \models \varphi_1 \ast \varphi_2 & \quad \text{iff } S \Downarrow (\text{new } \vec{d})(S_1 \parallel S_2) \text{ with } \vec{d} \notin \text{dom}(\Gamma),\ \Gamma, S_1 \models \varphi_1 \text{ and } \Gamma, S_2 \models \varphi_2;
\end{align*}
\]

Figure 3: Formula Satisfaction

Our formulas are interpreted over permission environments and well-formed systems, i.e., \( \Gamma, S \models \varphi \). They are defined in Figure 3 inductively on the structure of *closed* formulas, i.e., formulas with no free variables in the expressions \( \vec{e} \) of \( c \langle \vec{e} \rangle \). Our definition of formula satisfaction relies heavily on the evaluation judgement, \( S \Downarrow T \), which is only defined for closed systems (Definition 3.8); recall that system evaluation existentialises over a reduction path leading to a stable system.

The satisfaction relation in Figure 3 describes the state of a system once it stabilises. Perhaps the main part of this definition is that for data assertions, \( c \langle \bar{e} \rangle \), as it relates the data held on asynchronous outputs of a stable system with the data stated in the assertion. To do this, the definition relies on the assumption that \( S \) is closed to establish the equality between the two expressions \( \bar{e} \) and \( \bar{e}' \). Moreover, it uses the environment, \( \Gamma \), to ensure that the (stable) asynchronous output owns the permissions imposed by the permission guarding invariants. Its use has already been discussed in Section 4.1 and will be elaborated further when we consider compositional analysis of satisfaction in Section 5.

Data assertions are typically composed together using the separating conjunction, \( \varphi_1 \ast \varphi_2 \), and the empty assertion, \( \text{emp} \). For the satisfaction of \( \text{emp} \), the system \( [\text{nil}]_\emptyset \) is chosen to be the identity interpretation for our model w.r.t. separation, thereby making the interpretation for just these constructs a commutative monoid (cf. Lemma 4.9).

The satisfaction definition of the separating conjunction, \( \varphi_1 \ast \varphi_2 \), is however more complicated than one would expect, as it needs to handle conjunctions with \( \text{blk}(c) \) and \( \text{any} \) formulas as well; the interpretation for the latter two formulas is rather straightforward. Thus, apart from relying on the system well-resourcing assumption to guarantee that the partitioned sub-systems are separate, \( S_1 \perp S_2 \) (cf. Definition 3.3), satisfaction for the separating conjunction also enforces that a system is stable before it is split, i.e., \( S \Downarrow S_1 \parallel S_2 \). This condition rules out systems whose subcomponents satisfy the sub-formulas of a conjunction \( \varphi_1 \ast \varphi_2 \) but then violate stability once composed together; we return to this later in Example 4.4. The fact that the separating conjunction ranges over input-blocked processes also requires a satisfaction definition that ignores the scoping of channel names across separation, i.e., \( S \Downarrow (\text{new } \vec{d})(S_1 \parallel S_2) \); these scoped names \( \vec{d} \) refer to channels used in the continuations of blocked processes, as explained later in Example 4.3, and cannot be abstracted away using structural equivalence rules such as \( \text{scExt} \) and \( \text{scNew} \) from Figure 2.

**Example 4.3 (Satisfiability).** Recall the process definitions

\[ \text{Prg} \triangleq (\text{new } c_3) (\text{Fltr} \parallel \text{Dbl}) \]
\[ \text{Dbl} \triangleq c_2?x_2.c_3?x_4.c_1!(x_4 + x_4) \]
\[ \text{Fltr} \triangleq c_1?x_1.\ \text{if } x_1 \leq 9 \text{ then } (c_3!x_1 \parallel c_1?x_3.(c_1!(x_1, x_3))) \text{ else } c_4!x_1 \]

from Example 2.7. Assuming the environment

\[ \Gamma = c_1 : \{\uparrow c_1\}, c_2 : \{\uparrow c_2\}, c_4 : \{\uparrow c_4, \downarrow c_1\} \]

we have the following satisfactions:

\[ \Gamma, [\text{Prg}]_{\{c_1,c_2,c_4\}} \parallel [c_1!2]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.1) \]
\[ \Gamma, [\text{Prg} \parallel c_1!2 \parallel c_2!5]_{\{c_1,c_2,c_4\}} \models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.2) \]
\[ \Gamma, [c_1!(5-3, 3+1)]_{\{c_1\}} \parallel [c_4!1]_{\{c_4\}} \models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.3) \]

whereby, according to the definition in Figure 3, satisfaction is only concerned with the existence of a reduction path to a stable system, where the outputs corresponding to data assertions are required to own the permissions expected by the permission environment \( \Gamma \); the reduction paths for (4.1) and (4.2) have already been discussed in Example 3.32. Satisfaction for (4.3) is more straightforward to determine, as the system is already stable. On the other hand, for \( \Gamma \) defined above, the following do not satisfy their respective assertions:

\[ \Gamma, [\text{Prg}]_{\{c_1,c_2,c_4\}} \parallel [c_1!2]_\emptyset \parallel [c_2!5]_{\{c_2\}} \not\models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.4) \]
\[ \Gamma, [\text{Prg}]_{\{c_2,c_4\}} \parallel [c_1!2]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \not\models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.5) \]
\[ \Gamma, [c_1!]_{\{c_1\}} \parallel [c_4!]_{\{c_4\}} \not\models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.6) \]
\[ \Gamma, [c_1!(2, 3)]_{\{c_1\}} \parallel [c_4!1]_{\{c_4,c_1\}} \not\models c_1\langle 2, 4\rangle \ast c_4\langle\rangle \quad (4.7) \]

The first two systems fail to satisfy the assertion because they cannot evaluate to safely-stable systems due to lack of permission. In particular, in (4.4) process \( c_1!2 \) does not own permission \( \uparrow c_1 \) required for communication (cf. cCom in Figure 2) whereas in (4.5) \( Prg \) is missing permission \( \downarrow c_1 \). The third system, (4.6), fails to satisfy the assertion although it is already a safely-stable system, as it violates the permission obligations for outputs imposed by \( \Gamma \) i.e., output \( c_4!1 \) does not own permission \( \downarrow c_1 \). Finally, the fourth system (4.7) fails to satisfy the assertion due to a mismatch between the data expected by the assertions and the data communicated by the outputs. We also have the following satisfactions involving the other assertion forms of the logic:

\[ (\Gamma, c_3 : \{\uparrow c_3\}),\ [\text{Fltr} \parallel \text{Dbl}]_{\{c_1,c_2,c_4\}} \parallel [c_1!10]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \models c_4\langle 10\rangle \ast \text{blk}(c_3) \quad (4.8) \]
\[ (\Gamma, c_3 : \{\uparrow c_3\}),\ [\text{Prg}]_{\{c_1,c_2,c_4\}} \parallel [c_1!10]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \models c_4\langle 10\rangle \ast \text{any} \quad (4.9) \]
\[ (\Gamma, c_3 : \{\uparrow c_3\}),\ [\text{Prg}]_{\{c_1,c_2,c_4\}} \parallel [c_1!10]_{\{c_1\}} \parallel [c_2!5]_{\{c_2\}} \models \text{any} \quad (4.10) \]
\[ \Gamma,\ (\text{new } c_3)\left( [c_1?c_3!]_{\{c_1\}} \parallel [c_2?c_3?.\text{nil}]_{\{c_2\}} \right) \models \text{blk}(c_1) \ast \text{blk}(c_2) \quad (4.11) \]

Satisfaction (4.8) requires us to extend \( \Gamma \) to account for the permission invariants of channel \( c_3 \), which is not scoped. We also need the input permission \( \downarrow c_3 \), as dictated by the satisfaction of the sub-assertion \( \text{blk}(c_3) \) in Figure 3. In the subsequent satisfaction, (4.9), \( \text{any} \) is used to describe the input-blocked process on channel \( c_3 \), which is scoped in \( \text{Prg} \) (recall that \( \text{Prg} \triangleq (\text{new } c_3) (\text{Fltr} \parallel \text{Dbl}) \)). Note also how, in (4.11), since \( c_3 \notin \text{dom}(\Gamma) \) (cf. satisfaction for \( \varphi_1 \ast \varphi_2 \) in Figure 3), the scoping of \( c_3 \) does not prohibit us from splitting the system to determine the satisfaction of the subcomponents of the formula, i.e., \( \text{blk}(c_1) \) and \( \text{blk}(c_2) \).
The requirement in Figure 3 that satisfaction is limited to safe evaluations intentionally makes certain formulas unsatisfiable. Alternative definitions would have been possible whereby we allow systems to temporarily satisfy a formula but then fail to satisfy it as computation progresses, meaning that the eventual stable system would not necessarily satisfy the formula. However, as discussed briefly in the Introduction, in our eventual framework of Section 5 systems will have the dual role of acting both as state and as state-transformers. We therefore opted for the simpler interpretation, which is conceptually easier to work with, and chose a satisfaction interpretation that can be reasoned about easily in terms of the eventual stable systems reached.

**Example 4.4 (Unsatisfiability).** Formulas such as the ones below are unsatisfiable under the interpretation given in Figure 3:

\[
c\langle 5\rangle \ast c\langle 6\rangle \qquad\qquad c\langle 1\rangle \ast \text{blk}(c)
\]

In the first case, i.e., \( c\langle 5\rangle \ast c\langle 6\rangle \), sub-systems respectively satisfying \( c\langle 5\rangle \) and \( c\langle 6\rangle \) can never be merged into a well-resourced system, as they must conflict on the permission \( \uparrow c \) irrespective of the narrative chosen, due to the environment constraints set out in Definition 4.1. This is desirable because any system satisfying the first formula would create a race condition for any inputs on the channel \( c \).

In the latter case, i.e., \( c\langle 1\rangle \ast \text{blk}(c) \), sub-systems satisfying the sub-formulas of the separating conjunction become unstable once they are composed in parallel, violating their respective sub-formula satisfaction. Hence any such satisfying system would violate the evaluation condition imposed on the satisfaction of the conjunct formula \( \varphi_1 \ast \varphi_2 \) in Figure 3. In fact, any sub-system \( S_1 \) satisfying \( c\langle 1\rangle \) must evaluate to a stable system of the form \( [c!e]_\rho \) where \( e \Downarrow 1 \). Similarly, any sub-system \( S_2 \) satisfying \( \text{blk}(c) \) must evaluate to a stable system that is structurally equivalent to \( (\text{new } \vec{d})[c?x.P]_\mu \) (where \( c \notin \vec{d} \)). This means that, by the semantics of Section 3, \( [c!e]_\rho \parallel (\text{new } \vec{d})[c?x.P]_\mu \) is not stable, even if it is well-resourced (i.e., \( \rho \cap \mu = \emptyset \)). Our satisfaction definition for \( \varphi_1 \ast \varphi_2 \) rules out this possibility by first requiring that the composite system evaluates to a stable system before splitting. There are two reasons for this stricter interpretation. First, once the reduction happens, leading to an evaluation to some other stable state \( S_3 \),

\[
[c!e]_\rho \parallel (\text{new } \vec{d})[c?x.P]_\mu \rightarrow (\text{new } \vec{d})[P\{1/x\}]_{\rho \cup \mu} \Downarrow S_3
\]

it may be the case that \( S_3 \) does not satisfy \( c\langle 1\rangle \ast \text{blk}(c) \) anymore. Second, and perhaps more importantly, the above reduction can potentially trigger permission-violating or non-terminating behaviour in \( (\text{new } \vec{d})[P\{1/x\}]_{\rho \cup \mu} \). For instance, process \( P \) may be of the form \( d!1 \parallel d!2 \parallel d?x.c!(x+y) \), i.e., it has two competing outputs on channel \( d \). This implies that, whereas \( (\text{new } \vec{d})[c?x.P]_\mu \) is safely-stable, its continuation is permission-violating, irrespective of the permissions held at that point, because it can hold at most one permission to output on channel \( d \).

Since structural equivalence is central to system evaluation (Definition 3.3 incorporates it), satisfaction abstracts over structurally equivalent systems, which allows us to work up to structural equivalence when reasoning about systems. Moreover, we can also reason about formula satisfaction from existing system-formula satisfactions and from systems that reduce (converge) to them in zero or more steps.

**Proposition 4.5 (Satisfaction and Evaluation).** \( \Gamma, S \models \varphi \) implies \( \exists T.\ S \Downarrow T \) and \( \Gamma, T \models \varphi \)

**Proposition 4.6 (Structural Eq. and Satisfaction).** \( \Gamma, S \models \varphi \) and \( S \equiv T \) implies \( \Gamma, T \models \varphi \)

**Proposition 4.7 (Satisfaction and Convergence).** \( \Gamma, S \models \varphi \) and \( T \rightarrow^{*} S \) implies \( \Gamma, T \models \varphi \)
We overload \( \models \) to denote semantic implication amongst formulas in standard fashion. We then are able to prove certain properties about our logic, stated in Lemma 4.9.

**Definition 4.8 (Semantic Implication).** \( \varphi \models \psi \overset{\text{def}}{=} \Gamma, S \models \varphi \text{ implies } \Gamma, S \models \psi \)

**Lemma 4.9 (Formula equivalence).** The following bidirectional implications hold:

1. \( \text{emp} \ast \varphi \models\!\models \varphi \)
2. \( \varphi_1 \ast (\varphi_2 \ast \varphi_3) \models\!\models (\varphi_1 \ast \varphi_2) \ast \varphi_3 \)
3. \( \varphi \ast \psi \models\!\models \psi \ast \varphi \)

4.3. Composing satisfactions. Recall, from Example 4.4, that the satisfaction of the sub-assertions \( \varphi_1 \) and \( \varphi_2 \) does not necessarily imply the satisfaction of the composite assertion, \( \varphi_1 \ast \varphi_2 \). Nevertheless, it is possible to determine when it is safe to infer this by analysing the structure of the sub-formulas. This analysis is formalised as the formula separation judgement, denoted as \( \varphi \bot \psi \) and defined in Definition 4.10. This judgement relies on the functions \( \text{edg()} \) and \( \text{trg()} \) to conservatively approximate matching outputs and inputs across sub-systems satisfying the formulas \( \varphi \) and \( \psi \) and, by prohibiting such matching channel operations, it ensures that no new reductions are introduced when the sub-systems are composed in parallel. As a result, sub-systems that satisfy the sub-formulas of a separating conjunction must still satisfy the conjunction once composed, as stated in Lemma 4.11. This formula separation judgement is used later on by the proof system in Section 5 to circumvent the construction of problematic formulas such as those discussed in Example 4.4.

**Definition 4.10 (Formula Edges, Triggers and Separation).**

\[
\text{edg}(\varphi) \overset{\text{def}}{=}
\begin{cases}
\emptyset & \text{if } \varphi = \text{emp} \text{ or } \varphi = \text{blk}(c) \\
\{\uparrow c\} & \text{if } \varphi = c\langle\vec{e}\rangle \\
\text{edg}(\varphi_1) \cup \text{edg}(\varphi_2) & \text{if } \varphi = \varphi_1 \ast \varphi_2 \\
\text{undefined} & \text{otherwise}
\end{cases}
\]

\[
\text{trg}(\varphi) \overset{\text{def}}{=}
\begin{cases}
\emptyset & \text{if } \varphi = \text{emp} \text{ or } \varphi = c\langle\vec{e}\rangle \\
\{\uparrow c\} & \text{if } \varphi = \text{blk}(c) \\
\text{trg}(\varphi_1) \cup \text{trg}(\varphi_2) & \text{if } \varphi = \varphi_1 \ast \varphi_2 \\
\text{undefined} & \text{otherwise}
\end{cases}
\]

\[ \varphi \bot \psi \overset{\text{def}}{=} \text{edg}(\varphi) \cap \text{trg}(\psi) = \emptyset \ \land\ \text{edg}(\psi) \cap \text{trg}(\varphi) = \emptyset \]

**Lemma 4.11 (Merging Assertions).**

\( \Gamma, S \models \varphi \) and \( \Gamma, T \models \psi \) and \( S \bot T \) and \( \varphi \bot \psi \) implies \( \Gamma, S \parallel T \models \varphi \ast \psi \)

**Proof.** See Appendix A.3.

Note that, for a number of conjunctions, the sub-formulas are trivially separate, making formula separation checks superfluous. For instance, \( \text{emp} \) is separate from any formula; also, state formulas \( \chi_1 \) and \( \chi_2 \) are trivially separate, \( \chi_1 \bot \chi_2 \), as stated in Proposition 4.12.

**Proposition 4.12.** For any environment, \( \Gamma \), state formulas, \( \chi, \eta \) and formula \( \psi \) we have:

1. \( \chi \bot \eta \)
2. \( \psi \bot \text{emp} \)

**Proof.** Immediate from Definition 4.10.
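Definitions 4.1 and 4.10 implemented over the formulas of Definition 4.2, as an added example that is not part of the paper; the tuple encoding of formulas and permissions is an assumption. It checks the environment of Example 4.3 and shows why, of the two formulas in Example 4.4, only \( c\langle 1\rangle \ast \text{blk}(c) \) fails the separation judgement (the first, \( c\langle 5\rangle \ast c\langle 6\rangle \), is separate by Proposition 4.12 and is ruled out by the permission constraints of Definition 4.1 instead):

```python
# Definitions 4.1 and 4.10 over the formulas of Definition 4.2 (added example).
# Permissions: ('up', c) stands for the output permission ↑c, ('down', c) for ↓c.
from typing import Dict, FrozenSet, Optional, Tuple

Perm = Tuple[str, str]
PermSet = FrozenSet[Perm]
Env = Dict[str, PermSet]


def up(c: str) -> Perm:
    return ("up", c)


def down(c: str) -> Perm:
    return ("down", c)


def nm(rho: PermSet) -> FrozenSet[str]:
    """nm(rho): the channel names mentioned by a permission set."""
    return frozenset(c for (_, c) in rho)


def is_permission_env(gamma: Env) -> bool:
    """Definition 4.1: every entry c : rho satisfies
    (1) ↑c ∈ rho and ↓c ∉ rho, so transfer never hands over the input capability;
    (2) nm(rho) ⊆ dom(Γ), so the environment is closed."""
    dom = frozenset(gamma)
    return all(up(c) in rho and down(c) not in rho and nm(rho) <= dom
               for c, rho in gamma.items())


# Formula constructors (Definition 4.2), as tagged tuples.
EMP = ("emp",)
ANY = ("any",)


def data(c: str, *es) -> tuple:
    """Data assertion c<e1, ..., en>."""
    return ("data", c, tuple(es))


def blk(c: str) -> tuple:
    """Input-blocked assertion blk(c)."""
    return ("blk", c)


def star(phi: tuple, psi: tuple) -> tuple:
    """Separating conjunction phi * psi."""
    return ("star", phi, psi)


def _union(a: Optional[PermSet], b: Optional[PermSet]) -> Optional[PermSet]:
    return None if a is None or b is None else a | b


def edg(phi: tuple) -> Optional[PermSet]:
    """edg(phi), Definition 4.10: outputs a satisfying system may offer.
    None stands for 'undefined' (the formula mentions any)."""
    tag = phi[0]
    if tag in ("emp", "blk"):
        return frozenset()
    if tag == "data":
        return frozenset({up(phi[1])})
    if tag == "star":
        return _union(edg(phi[1]), edg(phi[2]))
    return None


def trg(phi: tuple) -> Optional[PermSet]:
    """trg(phi), Definition 4.10: outputs that would wake a blocked input."""
    tag = phi[0]
    if tag in ("emp", "data"):
        return frozenset()
    if tag == "blk":
        return frozenset({up(phi[1])})
    if tag == "star":
        return _union(trg(phi[1]), trg(phi[2]))
    return None


def separate(phi: tuple, psi: tuple) -> Optional[bool]:
    """phi ⊥ psi: no output offered by one side matches a blocked input on the
    other, so composing satisfying sub-systems adds no reduction (Lemma 4.11).
    Returns None where edg/trg is undefined."""
    parts = (edg(phi), trg(phi), edg(psi), trg(psi))
    if any(p is None for p in parts):
        return None
    e1, t1, e2, t2 = parts
    return not (e1 & t2) and not (e2 & t1)


# The environment of Example 4.3: Γ = c1:{↑c1}, c2:{↑c2}, c4:{↑c4, ↓c1}.
GAMMA: Env = {
    "c1": frozenset({up("c1")}),
    "c2": frozenset({up("c2")}),
    "c4": frozenset({up("c4"), down("c1")}),
}
```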
5. Proof System

We complete our framework by developing a compositional proof system for the logic of Section 4, interpreted according to the satisfaction of Figure 3. Our sequents, inspired by Hoare triples, have the format

$$\Gamma; b \vdash \{\varphi\} \ S \ \{\psi\},$$

where $S$ is a well-resourced system, $\varphi$ and $\psi$ are respectively the pre-condition and post-condition, $\Gamma$ is a permission environment, and $b$ is a boolean expression defined in Figure 1, now serving as a boolean formula over our value domain. The system, formulas and boolean condition in a sequent are potentially open, i.e., may have free variables. Thus, the meaning of our sequents quantifies over all substitutions $\sigma \in \text{Sub}$ that make the boolean condition evaluate to true, and over all systems $T \in \text{Sys}$ which are separate from $S$ and satisfy the precondition, in the following way.

**Definition 5.1 (Sequent satisfaction).**

$$\Gamma; b \models \{\varphi\} \ S \ \{\psi\} \overset{\text{def}}{=} \forall \sigma, T. \ \big( b\sigma \Downarrow \text{tt},\ \Gamma, T\sigma \models \varphi\sigma \text{ and } T\sigma \bot S\sigma \big) \text{ implies } \Gamma, (T \parallel S)\sigma \models \psi\sigma$$

As in [21], our sequents tease apart auxiliary reasoning about our value domain, since determining the truth (or otherwise) of these boolean formulas is process-independent. Such disentangling also allows us to make refined claims about derivations in our system. For instance, if we limit value expressions to Presburger arithmetic, we know that our boolean formula derivations exist and are decidable [33].

We note that our sequents deal with total correctness. Formula satisfaction, defined in Figure 3, centres around system evaluation, $S \Downarrow T$, which existentially quantifies over one sequence of system reductions. The strength of what may, at first, seem a rather weak behaviour assertion comes from the determinism properties afforded by our model of confined processes. In fact, Theorem 3.11 (Evaluation Determinism) allows us to extend such behaviour assertions to universal system behaviour, up to redundant permissions. What we are ultimately interested in, however, is universal process behaviour. This can then be retrieved immediately through Definition 5.6 (Process Satisfaction), defined later in Section 5.3, Theorem 3.24 (Process Convergence) and, ultimately, Theorem 3.22 (Process Evaluation Determinism).

The proof system, defined by the rules in Figure 4, assumes the derivation judgement $b_1 \models b_2$ between two (possibly open) boolean formulas, with the expected property that

$$\forall \sigma \in \text{Sub}. \ b_1 \models b_2 \text{ and } b_1\sigma \Downarrow \text{tt} \text{ implies } b_2\sigma \Downarrow \text{tt}$$

Most of the logical rules are rather intuitive and their ‘naturality’ is, in part, due to the strong substratum provided by process confinement, in terms of absence of races. We have four logical axioms, where $\text{lNil}$, $\text{lBlk}$ and $\text{lOut}$ deal with stable systems. More precisely, $\text{lNil}$ acts as a wire between the precondition and the postcondition, $\text{lFls}$ trivialises proofs with an unsatisfiable boolean condition, $\text{lBlk}$ generates input-blocked process assertions, and $\text{lOut}$ generates data assertions.

The rule $\text{lIn}$ is central to the proof system as it is the only rule that consumes part of the precondition. Together with $\text{lOut}$ and $\text{lPar}$ it captures process communication in our proof system. In particular, these rules observe the permission mutual-exclusion invariants dictated by the environment: the side-condition in $\text{lOut}$, i.e., $\Gamma(c) \subseteq \rho$, forces outputs to own the permissions guarded by the mutual exclusion, whereas the premise in $\text{lIn}$ permits inputs to assume ownership of these guarded permissions after communication, through the masking of these permissions in the conclusion, i.e., $\rho \ \setminus \ \Gamma(c)$. The permission checking side-conditions in the axioms $\text{lOut}$ and $\text{lBlk}$ ensure that stable systems are safe; similarly, the permission checking
Logical Rules

\[
\begin{align*}
\text{LNil} & \quad \Gamma; b \vdash \{\varphi\}\ [\text{nil}]_\rho\ \{\varphi\} \\
\text{LFls} & \quad \Gamma; \text{false} \vdash \{\varphi\}\ S\ \{\psi\} \\
\text{LBlk} & \quad \downarrow c \in \rho \qquad \Gamma; b \vdash \{\text{emp}\}\ [c?\vec{x}.P]_\rho\ \{\text{blk}(c)\} \\
\text{LOut} & \quad \Gamma(c) \subseteq \rho \qquad \Gamma; b \vdash \{\text{emp}\}\ [c!\vec{e}]_\rho\ \{c\langle\vec{e}\rangle\} \\
\text{LIf} & \quad \Gamma; \{q\} S \{\psi\} \quad \Gamma; b \vdash \{q\} [P]_\rho \{S \{\psi\}\} \\
\text{LPar} & \quad \Gamma; \{q\} S \{\psi_1 \& \psi_2\} \quad \Gamma; \{q\} S \{\psi_1 \& \psi_2\} \\
\text{LRes} & \quad \Gamma; \{q\} S \{\psi\} \\
\end{align*}
\]

Structural Rules

\[
\begin{align*}
\text{LInst} & \quad \Gamma; b \vdash \{q\} S \{\psi\} \\
\text{LImp} & \quad \Gamma; b \vdash b' \quad q \vdash q_1 \quad S \equiv T \quad \psi_1 \vdash \psi \\
\text{LSub} & \quad b \models x = e \\
\text{LRen} & \quad d \not\in \text{fn}(\Gamma, q, \psi, S) \\
\end{align*}
\]

Figure 4: Sequent Rules

side-condition in $\text{lIn}$ ensures that evaluations are also safe; recall that any permission violation is propagated down to the eventual stable system by Lemma 3.7.

The system parallel composition rule (LPar) is central to our proof system. It is the only rule that allows us to introduce a cut-middle formula in the hypotheses, \(q_3\). The asymmetry in the hypotheses of this rule guarantees the existence of a reduction sequence across two independently verified sub-systems since the unidirectional cut disallows mutual dependencies across the premise sequents; this prevents deadlocks and ensures total correctness. LPar also carries two side-conditions, \(\psi_1 \perp \psi_2\) and \(q_2 \perp q_3\), denoting formula separation, defined in Definition 4.10.

The proof system also has a rule for process parallel composition, ($\text{lSpl}$), which forces a partitioning of permission-resources, analogously to $\text{cSpl}$ from Figure 2; similarly, the process scoping rule ($\text{lLcl}$) follows rule $\text{cLcl}$ from Figure 2. The system scoping rule ($\text{lRes}$) restricts the permission-guarding invariants relating to the scoped channels and filters assertions blocked by the scoping
using the function $\psi \setminus \vec{c}$, as defined in Definition 5.2; in particular, this function over-approximates to $\text{any}$ every data assertion and input-blocked assertion affected by the name scoping of the restriction. $\text{lRes}$ also uses an environment restriction operation $\Gamma \setminus c$, defined in Definition 5.3.

**Definition 5.2** (Formula Restriction).

$$q \setminus \vec{c} \overset{\text{def}}{=} \begin{cases} 
  d(\vec{e}) & \text{if } q = d(\vec{e}) \text{ and } d \notin \vec{c} \\
  \text{blk}(d) & \text{if } q = \text{blk}(d) \text{ and } d \notin \vec{c} \\
  \text{emp} & \text{if } q = \text{emp} \\
  (q_1 \setminus \vec{c}) \ast (q_2 \setminus \vec{c}) & \text{if } q = q_1 \ast q_2 \\
  \text{any} & \text{otherwise}
\end{cases}$$

**Definition 5.3** (Environment Restriction).

$$\Gamma \setminus c \overset{\text{def}}{=} \begin{cases} 
  \emptyset & \text{if } \Gamma = \emptyset \\
  \Gamma' \setminus c & \text{if } \Gamma = \Gamma', c : \rho \\
  (\Gamma' \setminus c), d : (\rho \setminus \downarrow c, \uparrow c) & \text{if } \Gamma = \Gamma', d : \rho \text{ and } c \neq d
\end{cases}$$

**Proposition 5.4.** If $\Gamma$ is a permission environment then $\Gamma \setminus c$ is as well.

**Proof.** It is immediate to check that Definition 4.1 is still observed by $\Gamma \setminus c$, in particular that it is suitably closed (Definition 4.1.2).
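As an added worked instance of Definitions 5.2 and 5.3 (not taken from the paper), we unfold both restrictions on the values that arise in Example 6.1 when lRes opens the scope of $c_3$; the entry $c_3 : \{\uparrow c_3, \uparrow c_1\}$ and the message assertion $c_3(x)$ in the last line are assumptions made for this illustration.

\[
\begin{align*}
\Gamma'' &= c_1 : \{\uparrow c_1\},\ c_2 : \{\uparrow c_2\},\ c_4 : \{\uparrow c_4, \downarrow c_1\},\ c_3 : \{\uparrow c_3, \uparrow c_1\} \\
\Gamma'' \setminus c_3 &= c_1 : (\{\uparrow c_1\} \setminus \downarrow c_3, \uparrow c_3),\ c_2 : (\{\uparrow c_2\} \setminus \downarrow c_3, \uparrow c_3),\ c_4 : (\{\uparrow c_4, \downarrow c_1\} \setminus \downarrow c_3, \uparrow c_3) && \text{(entry for } c_3 \text{ dropped)} \\
&= c_1 : \{\uparrow c_1\},\ c_2 : \{\uparrow c_2\},\ c_4 : \{\uparrow c_4, \downarrow c_1\} \;=\; \Gamma \\[1ex]
(c_1(x, 2x) \ast c_4()) \setminus c_3 &= (c_1(x, 2x) \setminus c_3) \ast (c_4() \setminus c_3) = c_1(x, 2x) \ast c_4() && (c_1, c_4 \notin \{c_3\}) \\
(c_4(x) \ast \text{blk}(c_3)) \setminus c_3 &= (c_4(x) \setminus c_3) \ast (\text{blk}(c_3) \setminus c_3) = c_4(x) \ast \text{any} && (\text{blk}(c_3) \text{ falls into the otherwise case}) \\
(c_3(x) \ast \text{blk}(c_4)) \setminus c_3 &= \text{any} \ast \text{blk}(c_4) && (\text{a message on the scoped } c_3 \text{ is hidden})
\end{align*}
\]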

The remaining logical rules are fairly straightforward. In the conditional proof rule $\mathsf{I}$, the hypotheses on each branch are augmented with the corresponding assertion, as usual in Hoare logics; this mechanism works in pairs with the structural rule $\mathsf{L}$ which trivialises the proof obligations on unreachable branches. $\mathsf{S}$ completes the treatment of the logical rules in the obvious way. Note that rules $\mathsf{N}$ and $\mathsf{S}$ abuse the substitution notation, extending it from values to (possibly open) expressions.

The proof system also has a number of structural rules. The rule $\mathsf{I}$ permits instantiations of generic sequents, whereas $\mathsf{Sub}$ permits substitutions of expressions for variables that can be inferred to be equivalent from the sequent boolean expression. The rule $\mathsf{Ren}$ renames channel names in sequents; the rule side-condition guarantees that the name $d$ is fresh, which makes renaming injective. Finally, $\mathsf{Imp}$ endows proofs with a basic understanding of structural equivalence, $\equiv$, and of logical implication, $\models$.

5.1. Derived Rules.

Although $\mathsf{Par}$ is used extensively when proving properties of parallel communicating processes, it turns out that we often do not require its full power which makes it somewhat cumbersome to use. We therefore derive lightweight versions of $\mathsf{Par}$, enabling parallel code to be either logically sequenced thereby focussing on cutting intermediary formulas ($\mathsf{Cut}$), or else considered totally separate, where composite pre-conditions are assumed to produce composite post-conditions ($\mathsf{Sep}$). These derived rules require fewer side-conditions relating to formula separation. For instance, $\mathsf{Cut}$ disposes of the side-conditions entirely, and $\mathsf{Sep}$ limits them to one check.

\[
\begin{align*}
\mathsf{Cut} & \quad \frac{\Gamma; b \vdash \{q_1\} \ S \ \{q_2\} \quad \Gamma; b \vdash \{q_2\} \ T \ \{\psi\}}{\Gamma; b \vdash \{q_1\} \ S \parallel T \ \{\psi\}} \\
\mathsf{Sep} & \quad \frac{\Gamma; b \vdash \{q_1\} \ S \ \{\psi_1\} \quad \Gamma; b \vdash \{q_2\} \ T \ \{\psi_2\} \quad \psi_1 \perp \psi_2}{\Gamma; b \vdash \{q_1 \ast q_2\} \ S \parallel T \ \{\psi_1 \ast \psi_2\}}
\end{align*}
\]
For state-formula pre- and post-conditions, an even simpler version of lSep, namely lSepSt, is obtained by Corollary 4.12; it requires no side-conditions at all.

\[
\text{lSepSt} \quad \frac{\Gamma; b \vdash \{\eta_1\}\ S\ \{\chi_1\} \quad \Gamma; b \vdash \{\eta_2\}\ T\ \{\chi_2\}}{\Gamma; b \vdash \{\eta_1 \ast \eta_2\}\ S \parallel T\ \{\chi_1 \ast \chi_2\}}
\]

The derivations of these lightweight parallel rules are straightforward and use formula semantic implications from Lemma 4.9 together with properties for formula separation from Proposition 4.12. See Appendix A.4.

The output axiom rule lOut appears frequently in most derivations using our proof system. We find it convenient to formulate another derived rule that facilitates comparisons between the expression output by the process and that specified by the state formula, even when these expressions do not syntactically match.

\[
\text{lOutD} \quad \frac{b \models e_1 = e_2 \quad \Gamma(c) \subseteq \rho}{\Gamma; b \vdash \{\text{emp}\}\ [c!e_1]_{\rho}\ \{c(e_2)\}}
\]

Dually, the rule lIn is used frequently to dispose of cut-formulas. However, the direct use of this rule can become unwieldy because of the structural manipulations required to get the system into the form required by the rule. A more convenient version can be derived that abstracts away from structural equivalence manipulations.

\[
\text{lInD} \quad \Gamma; b \vdash \{\eta \ast c(\vec{e})\}\ T\ \{\psi\}
\]

The proofs for these derived rules are straightforward and relegated to Appendix A.4.

Derived rules similar to lIn can be obtained for lDef, lIf, lSpl and lLcl using an analogous derivation. In Section 6 we shall often abuse this fact and use the derived rule named as the respective proof rule while at the same time abstracting away from structural manipulations.

5.2. Frame Rule. The frame rule embodies local reasoning in separation-based logics [36]. For satisfiable post-conditions, a variant of the frame rule can be derived in our proof system.

\[
\text{lFrm} \quad \frac{\Gamma; b \vdash \{\eta\}\ S\ \{\chi\} \quad \chi \perp \psi}{\Gamma; b \vdash \{\eta \ast \psi\}\ S\ \{\chi \ast \psi\}}
\]

Moreover, for the special case when the pre and post conditions are state formulas, the frame rule eliminates the need for the side condition as stated below.

\[
\text{lFrmSt} \quad \frac{\Gamma; b \vdash \{\chi_1\}\ S\ \{\chi_2\}}{\Gamma; b \vdash \{\chi_1 \ast \eta\}\ S\ \{\chi_2 \ast \eta\}}
\]

We here show the derivation of the more general version of the frame rule, lFrm, using the proof rules (lNil), (lSep) (itself derived from (lPar)) and (lImp), together with the structural equivalence \(S \parallel [\text{nil}]_\emptyset \equiv S\).

\[
\frac{\dfrac{\Gamma; b \vdash \{\eta\}\ S\ \{\chi\} \qquad \dfrac{}{\Gamma; b \vdash \{\psi\}\ [\text{nil}]_\emptyset\ \{\psi\}}\ \text{lNil} \qquad \chi \perp \psi}{\Gamma; b \vdash \{\eta \ast \psi\}\ S \parallel [\text{nil}]_\emptyset\ \{\chi \ast \psi\}}\ \text{lSep} \qquad S \equiv S \parallel [\text{nil}]_\emptyset}{\Gamma; b \vdash \{\eta \ast \psi\}\ S\ \{\chi \ast \psi\}}\ \text{lImp}
\]

Our proof system is sound with respect to Definition 5.1.

**Theorem 5.5 (Soundness).** \(\Gamma; b \vdash \{q\} S \{\psi\}\) implies \(\Gamma; b \models \{q\} S \{\psi\}\).

**Proof.** By rule induction on $\Gamma; b \vdash \{q\} \ S \ \{\psi\}$. We here show the main rules:

**lOut**: For arbitrary $\sigma$, $T$ we have:

$$b\sigma \Downarrow \text{tt} \quad (5.1)$$

$$\Gamma, T\sigma \models \text{emp}\,\sigma \quad (5.2)$$

$$T\sigma \perp [c!\vec{e}]_\rho\sigma \quad (5.3)$$

and the side-condition

$$\Gamma(c) \subseteq \rho \quad (5.4)$$

By Figure 3 and (5.2) we know

$$T\sigma \Downarrow [\text{nil}]_\emptyset \quad (5.5)$$

By (5.3) we know that $T\sigma \parallel [c!\vec{e}]_\rho\sigma$ is well-resourced. Moreover, by (5.5) and cPar and scNt of Figure 2 we deduce

$$T\sigma \parallel [c!\vec{e}]_\rho\sigma \rightarrow^* [\text{nil}]_\emptyset \parallel [c!\vec{e}]_\rho\sigma \equiv [c!\vec{e}]_\rho\sigma \quad (5.6)$$

Clearly, $[c!\vec{e}]_\rho\sigma \not\rightarrow$. Moreover, by the conditions imposed on environment mappings in Definition 4.1 we know $\uparrow c \in \Gamma(c)$, and thus by (5.4) we deduce that $\uparrow c \in \rho$ and hence that $[c!\vec{e}]_\rho\sigma$ does not commit a permission violation. As a result, from (5.6) we obtain $T\sigma \parallel [c!\vec{e}]_\rho\sigma \Downarrow [c!\vec{e}]_\rho\sigma$; for some $\vec{v}$ with $\vec{e}\sigma \Downarrow \vec{v}$, by (5.4) and Figure 3 we then obtain $\Gamma, (T \parallel [c!\vec{e}]_\rho)\sigma \models (c(\vec{e}))\sigma$.

**lIn**: For arbitrary $\sigma$, $T$ we have:

$$b\sigma \Downarrow \text{tt} \quad (5.7)$$

$$\Gamma, T\sigma \models (q \ast c(\vec{e}))\sigma \quad (5.8)$$

$$T\sigma \perp ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma \quad (5.9)$$

and the side-condition

$$\downarrow c \in \rho \quad (5.10)$$

By (5.8) and Figure 3 we know

$$T\sigma \Downarrow (\text{new } \vec{d})(T_1 \parallel T_2) \quad (5.11)$$

$$\Gamma, T_1 \models q\sigma \quad (5.12)$$

$$\vec{d} \notin \text{dom}(\Gamma) \quad (5.13)$$

$$\Gamma, T_2 \models c(\vec{e})\sigma \quad (5.14)$$

By (5.14) and Figure 3 we know

$$T_2 \Downarrow [c!\vec{e}]_{\mu} \quad \text{where } \vec{e}\sigma \Downarrow \vec{v} \text{ and } \Gamma(c) \subseteq \mu \quad (5.15)$$

By (5.9) we know that $T\sigma \parallel ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma$ is well-resourced, and by (5.13) and $\Gamma(c) \subseteq \mu$ of (5.15) we know that $c \notin \vec{d}$ and that $\vec{d} \notin \text{nm}(\mu)$. Thus by (5.11), (5.15), cPar and cCom of Figure 2 and scExt we obtain

$$T\sigma \parallel ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma \rightarrow^* \equiv (\text{new } \vec{d})(T_1 \parallel [c!\vec{e}]_{\mu} \parallel ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma) \quad (5.16)$$

$$(\text{new } \vec{d})(T_1 \parallel [c!\vec{e}]_{\mu} \parallel ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma) \rightarrow (\text{new } \vec{d})T_1 \parallel ([\{\vec{v}/\vec{x}\}P]_{\rho} \parallel S)\sigma \quad (5.17)$$

By (5.16), (5.17) and Lemma 3.6 we know that $(\text{new } \vec{d})T_1 \parallel ([\{\vec{v}/\vec{x}\}P]_\rho \parallel S)\sigma$ is well-resourced, and by $\Gamma(c) \subseteq \mu$ of (5.15) we deduce that

$$(\text{new } \vec{d})T_1 \perp ([\{\vec{e}/\vec{x}\}P]_\rho \parallel S)\sigma \quad (5.18)$$

By (5.13), (5.12) and Lemma A.17 we obtain

$$\Gamma, (\text{new } \vec{d})T_1 \models q\sigma$$

and thus by (5.7), (5.18), the premise $\Gamma; b \vdash \{q\}\ [\{\vec{e}/\vec{x}\}P]_\rho \parallel S\ \{\psi\}$ and the I.H. we obtain

$$\Gamma, (\text{new } \vec{d})T_1 \parallel ([\{\vec{e}/\vec{x}\}P]_\rho \parallel S)\sigma \models \psi\sigma \quad (5.19)$$

By $\vec{e}\sigma \Downarrow \vec{v}$ of (5.15) and Lemma A.16 we get

$$\Gamma, (\text{new } \vec{d})T_1 \parallel ([\{\vec{v}/\vec{x}\}P]_\rho \parallel S)\sigma \models \psi\sigma$$

Moreover, by Lemma A.23 we also obtain

$$\Gamma, (\text{new } \vec{d})(T_1 \parallel ([\{\vec{v}/\vec{x}\}P]_\rho \parallel S)\sigma) \models \psi\sigma$$

Thus by (5.16), (5.17) and Proposition 4.7 we obtain

$$\Gamma, T\sigma \parallel ([c?\vec{x}.P]_{\rho \setminus \Gamma(c)} \parallel S)\sigma \models \psi\sigma \quad (5.20)$$
**lPar**: For arbitrary \(\sigma, R\) we have:
\[
\begin{align*}
\text{by } & (5.20) \\
\text{by } & (5.21) \\
\text{by } & (5.22) \\
\text{by } & (5.21)
\end{align*}
\]
and side-conditions
\[
\begin{align*}
\psi_2 & \perp \psi_3 \\
\psi_1 & \perp \psi_2
\end{align*}
\]
By (5.21) we know
\[
R \sigma \Downarrow (\text{new } \vec{c}) (R_1 \parallel R_2) \quad (5.25)
\]
where \(\vec{c} \notin \text{dom}(\Gamma)\)
\[
\begin{align*}
\text{by } & (5.26) \\
\text{by } & (5.27) \\
\text{by } & (5.28)
\end{align*}
\]
By (5.25), (5.22) and Lemma 3.6 we know
\[
\begin{align*}
R_1 & \perp R_2 \\
\text{and } & R_1 \perp S \sigma \parallel T \sigma \\
\text{and } & R_2 \perp S \sigma \parallel T \sigma
\end{align*}
\]
By (5.20), (5.27), \(R_1 \perp S \sigma\) from (5.30) and I.H. we have \(R_1 \parallel S \sigma \models (\psi_1 \ast \psi_3) \sigma\) and from the satisfaction definition of Figure 3 we obtain
\[
R_1 \parallel S \sigma \Downarrow (\text{new } \vec{d}) (S_1 \parallel S_2) \quad (5.32)
\]
where \(\vec{d} \notin \text{dom}(\Gamma)\)
\[
\begin{align*}
\text{by } & (5.33) \\
\text{by } & (5.34) \\
\text{by } & (5.35)
\end{align*}
\]
By (5.29) and (5.31) we know $R_1 \parallel S\sigma \perp R_2$. Thus, by (5.32) and Lemma 3.5 we derive $S_1 \perp R_2$, and by (5.28), (5.33), the rule side-condition (5.23) and Lemma 4.11 we obtain

$$\Gamma, R_2 \parallel S_2 \models (\psi_2 \ast \psi_3)\sigma \quad (5.36)$$

Using (5.29) and (5.32) we can also derive $R_2 \parallel S_2 \perp T\sigma$, and by (5.20), (5.36) and the I.H. we derive

$$\Gamma, R_2 \parallel S_2 \parallel T\sigma \models \psi_2\sigma \quad (5.37)$$

By (5.29) and (5.32) we also derive $S_1 \perp (R_2 \parallel S_2 \parallel T\sigma)$, and by the rule side-condition (5.24) and Lemma 4.11 we obtain

$$\Gamma, S_1 \parallel R_2 \parallel S_2 \parallel T\sigma \models (\psi_1 \ast \psi_2)\sigma \quad (5.38)$$

Thus by (5.26), (5.33) and Lemma A.17 we deduce

$$\Gamma, (\text{new } \vec{c}, \vec{d})(S_1 \parallel R_2 \parallel S_2 \parallel T\sigma) \models (\psi_1 \ast \psi_2)\sigma$$

as required.

5.3. Process Sequent Satisfaction. We conclude this section with Definition 5.6, which extends sequent satisfaction to processes by assuming the existence of a permission environment and the respective permission-set, required by the satisfaction definition of Figure 3. This allows for the possibility of having multiple narratives explaining determinism, and is in line with the “ownership is in the eye of the asserter” principle [31].

Definition 5.6 (Process Sequent Satisfaction).

$$b \models \{q\}\ P\ \{\psi\} \overset{\text{def}}{=} \exists \Gamma, \rho \text{ such that } \Gamma; b \models \{q\}\ [P]_\rho\ \{\psi\}$$

Example 5.7. According to Definition 5.6, we can now state that $\text{Prg}$ from Example 2.7 satisfies the property

$$x \leq 9 \models \{c_1(x) \ast c_2(y)\}\ \text{Prg}\ \{c_1(x, 2x) \ast c_4()\} \quad (5.39)$$

while abstracting over the narrative as to why $\text{Prg}$ is deterministic. It can be read as saying that, given two values $x$ and $y$ on channels $c_1$ and $c_2$ respectively, $\text{Prg}$ returns the value of $x$ together with its double on $c_1$ and a signal on $c_4$, provided that the value of $x$ is less than 10. Mirroring the previous discussion in Example 2.7, $\text{Prg}$ also satisfies the property

$$x > 9 \models \{c_1(x) \ast c_2(y)\}\ \text{Prg}\ \{c_4(x) \ast \text{any}\} \quad (5.40)$$

where $\text{any}$ abstracts over the blocked code $(\text{new } c_3)(c_3?x_4.c_1!(x_4 + x_4))$, as described earlier in Example 4.3.

We are also in a position to specify the correctness of our quicksort algorithm through some macro definitions for compactness.
Example 5.8 (Specifying Correctness for Parallel Quicksort). The expected behaviour of $\text{Qck}(i, j)$ from Example 2.8 can be expressed through the sequent satisfaction

\[
\big(\text{ord}(\vec{y}_i^j) \land \vec{x}_i^j \equiv \vec{y}_i^j\big) \models \{A_i^j(\vec{x}_i^j)\}\ \text{Qck}(i, j)\ \{A_i^j(\vec{y}_i^j) \ast r()\} \quad (5.41)
\]

using the following macro definitions, whereby \(\vec{x}_i^j\) denotes the list of variables \(x_i \ldots x_j\) when \(i \leq j\) and the empty list \(\varepsilon\) otherwise

\[
A_i^j(\vec{x}_i^j) \equiv \begin{cases} \text{emp} & \text{if } i > j \\ a_i(x_i) \ast A_{i+1}^j(\vec{x}_{i+1}^j) & \text{if } i \leq j \end{cases}
\]

\[
\text{ord}(\vec{x}_i^j) \equiv \begin{cases} \text{true} & \text{if } i = j \\ x_i \leq x_{i+1} \land \text{ord}(\vec{x}_{i+1}^j) & \text{if } i < j \end{cases}
\]

\[
\vec{x}_i^j \equiv \vec{y}_i^j \;\overset{\text{def}}{=}\; \begin{cases} \text{true} & \text{if } i = j \\ \bigvee_{i \leq k \leq j} \big( \vec{y}_i^j = \vec{y}_i^{k-1}\, x_j\, \vec{y}_{k+1}^{j} \big) \land \big( \vec{x}_i^{j-1} \equiv \vec{y}_i^{k-1}\, \vec{y}_{k+1}^{j} \big) & \text{if } i < j \end{cases}
\]

The specification (5.41) above states that when $\text{Qck}(i, j)$ is composed with an array of arbitrary values on channels \(a_i \ldots a_j\), denoted by the assertion macro \(A_i^j(\vec{x}_i^j)\), it returns another array of values on the same channel list, \(A_i^j(\vec{y}_i^j)\), together with a signal on channel \(r\) denoting completion. Moreover, the values returned are

1. ordered, expressed as the predicate \(\text{ord}(\vec{y}_i^j)\);
2. equal, up to reordering, to the original values, expressed as the predicate \(\vec{x}_i^j \equiv \vec{y}_i^j\).

6. Application

We conclude by revisiting the properties stated in Section 5.3 and showing how our proof system can be used to prove them. In Example 6.1 we see how proofs about concurrent code are performed by running through only one possible reduction trace, even when other interleavings are possible. The main appeal of these proofs is, however, their amenability to compositionality, as shown in Example 6.2. In this example proof, the behaviour of sub-programs is verified in terms of their pre- and post-conditions only, without any concern for external interference from other concurrent code. Independently verified sub-programs are then merged together using lPar (and its variants lCut, lSep and lSepSt), as long as the sub-programs are separate wrt. the permissions that they own.

Example 6.1 (Proving Satisfiability). We prove the specifications (5.39) and (5.40) stated earlier in Example 5.7 by first augmenting the satisfaction specification with an appropriate narrative for determinism, as stated in Definition 5.6. One possible narrative is the permission-set \(\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}\) together with the permission-transfer invariants

\[
\Gamma = c_1 : \{\uparrow c_1\},\ c_2 : \{\uparrow c_2\},\ c_4 : \{\uparrow c_4, \downarrow c_1\}
\]

yielding the system specification

\[
\Gamma; x \leq 9 \models \{c_1(x) \ast c_2(y)\}\ [\text{Prg}]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}}\ \{c_1(x, 2x) \ast c_4()\} \quad (6.1)
\]

Another possible narrative is the permission-set \(\{\downarrow c_1, \downarrow c_2\}\) and the environment

\[
\Gamma' = c_1 : \{\uparrow c_1, \uparrow c_4\},\ c_2 : \{\uparrow c_2\},\ c_4 : \{\uparrow c_4, \downarrow c_1\}
\]

yielding a different intensional specification explaining the process determinism:

\[
\Gamma'; x \leq 9 \models \{c_1(x) \ast c_2(y)\}\ [\text{Prg}]_{\{\downarrow c_1, \downarrow c_2\}}\ \{c_1(x, 2x) \ast c_4()\}
\]

We here focus on the specification with the first narrative, (6.1), which by Theorem 5.5 follows from the proof of the sequent

\[
\Gamma; x \leq 9 \vdash \{c_1(x) \ast c_2(y)\}\ [\text{Prg}]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}}\ \{c_1(x, 2x) \ast c_4()\} \quad (6.2)
\]

Since \(\text{Prg} \triangleq (\text{new } c_3)(\text{Fltr} \parallel \text{Dbl})\), we prove (6.2) by applying the proof rule lDef followed by lLcl and lRes, which leaves us with the following sequent to prove

\[
\Gamma''; x \leq 9 \vdash \{c_1(x) \ast c_2(y)\}\ [\text{Fltr} \parallel \text{Dbl}]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4, \downarrow c_3, \uparrow c_3\}}\ \{c_1(x, 2x) \ast c_4()\} \quad (6.3)
\]

where \(\Gamma''\) is the extended environment \(\Gamma'' = \Gamma, c_3 : \{\uparrow c_3, \uparrow c_1\}\). Note that, through lRes, in (6.3) we have also increased the permissions owned by the system with \(\downarrow c_3\) and \(\uparrow c_3\), the permissions relevant to the scope of \(c_3\) opened by lRes. Moreover, for lRes the post-condition is unaffected in this case, i.e., according to Definition 5.2, \((c_1(x, 2x) \ast c_4()) \setminus c_3 = c_1(x, 2x) \ast c_4()\). After applying the logical rule lSpl, followed by two applications of lDef for Fltr and Dbl, we are left with

\[
\Gamma''; x \leq 9 \vdash \{c_1(x) \ast c_2(y)\}\ \cdots\ \{c_1(x, 2x) \ast c_4()\}
\]

We proceed by applying lIn twice, for \(c_1\) and \(c_2\) (in either order), and then lIf, which gives us one unreachable branch since \(x \leq 9 \land \neg(x \leq 9) \Rightarrow \text{false}\); this branch can be discharged by lImp and the axiom lFls. The reachable premise can be proved as follows; we elide the environment and boolean condition from the sequents below as they remain unchanged throughout:

\[
\text{lOutD} \quad x + x = 2x \qquad \Gamma''(c_1) \subseteq \{c_2, \downarrow c_3, \uparrow c_2, \uparrow c_3, \uparrow c_1\}
\]

Similarly, the second specification (5.40) of Example 5.7 can be proved through the sequent

\[
\Gamma; x > 9 \vdash \{c_1(x) \ast c_2(y)\}\ [\text{Prg}]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4\}}\ \{c_4(x) \ast \text{any}\} \quad (6.4)
\]

The proof is similar to that of (6.2): we first apply lDef, lLcl and lRes, which leaves us with the following sequent

$$\Gamma''; x > 9 \vdash \{c_1(x) \ast c_2(y)\}\ [\text{Fltr} \parallel \text{Dbl}]_{\{\downarrow c_1, \downarrow c_2, \uparrow c_4, \downarrow c_3, \uparrow c_3\}}\ \{c_4(x) \ast \text{blk}(c_3)\} \quad (6.5)$$

where, this time, the premise post-condition is obtained from \((c_4(x) \ast \text{blk}(c_3)) \setminus c_3 = c_4(x) \ast \text{any}\) according to Definition 5.2. Again, as in the proof of (6.2), we apply lSep to (6.5), followed by two applications of lDef for Fltr and Dbl. We then apply lIn twice, for \(c_1\) and \(c_2\), to consume the state formula in the pre-condition, and then lIf. This time, the rule for the conditional gives us a different unreachable branch, since \(x > 9 \land x \leq 9 \Rightarrow \text{false}\). The reachable premise can be proved as follows:

\[
\begin{align*}
\Gamma''(c_4) \subseteq \rho_1 \qquad \{\text{emp}\}\ [c_4!x]_{\rho_1}\ \{c_4(x)\} && \text{lOut} \\
\downarrow c_3 \in \rho_2 \qquad \{\text{emp}\}\ [c_3?x_4.c_1!(x_4 + x_4)]_{\rho_2}\ \{\text{blk}(c_3)\} && \text{lBlk} \\
\{\text{emp} \ast \text{emp}\}\ [c_4!x]_{\rho_1} \parallel [c_3?x_4.c_1!(x_4 + x_4)]_{\rho_2}\ \{c_4(x) \ast \text{blk}(c_3)\} && \text{lSep}
\end{align*}
\]

where \(\rho_1\) and \(\rho_2\) are the permission sets held by the two residual processes at this point.

Example 6.2 (Proving Correctness for Parallel Quicksort). To prove the correctness property (5.41) for $\text{Qck}(i, j)$, as stated in Example 5.8, we choose a narrative where the environment is

$$\Gamma = a_i: \{ \uparrow a_i \}, \ldots, a_j: \{ \uparrow a_j \}, \ r: \rho(r, i, j)$$

and $\text{Qck}(i, j)$ owns the permission set $\rho(r, i, j)$ defined as

$$\rho(x, i, j) \overset{\text{def}}{=} \{ \uparrow x, \downarrow a_i, \ldots, \downarrow a_j \}.$$ 

The permissions associated with $r$ express the fact that the array can only be read after the signal denoting completion is consumed.

We argue, by induction on $n = j - i$ (where $i \leq j$), that if we show that the following sequent holds for arbitrary $i$ and $j$,

$$\Gamma; \big(\text{ord}(\vec{y}_i^j) \land \vec{x}_i^j \equiv \vec{y}_i^j\big) \vdash \{A_i^j(\vec{x}_i^j)\}\ [\text{Qck}(i, j)]_{\rho(r, i, j)}\ \{A_i^j(\vec{y}_i^j) \ast r()\} \quad (6.6)$$

this would imply correctness for $\text{Qck}(i, j)$ with the above narrative, i.e.,

$$\Gamma; \big(\text{ord}(\vec{y}_i^j) \land \vec{x}_i^j \equiv \vec{y}_i^j\big) \models \{A_i^j(\vec{x}_i^j)\}\ [\text{Qck}(i, j)]_{\rho(r, i, j)}\ \{A_i^j(\vec{y}_i^j) \ast r()\}$$

which, by Definition 5.6, would prove the satisfaction (5.41).

For the base case of (6.6), i.e., $n = 0$, assuming $i = j$ as part of the sequent boolean expression, we trivially prove the sequent using lIf, the state frame rule lFrmSt, and lOut, as shown below. In what follows we often elide the sequent environment and boolean condition from our proofs.

\[
\begin{align*}
\{\text{emp}\}\ [r!]_{\rho(r, i, j)}\ \{r()\} && \text{lOut} \\
\{A_i^j(\vec{x}_i^j)\}\ [r!]_{\rho(r, i, j)}\ \{A_i^j(\vec{x}_i^j) \ast r()\} && \text{lFrmSt} \\
\{A_i^j(\vec{x}_i^j)\}\ [r!]_{\rho(r, i, j)}\ \{A_i^j(\vec{y}_i^j) \ast r()\} && \text{lSub} \\
\{A_i^j(\vec{x}_i^j)\}\ [\text{Qck}(i, j)]_{\rho(r, i, j)}\ \{A_i^j(\vec{y}_i^j) \ast r()\} && \text{lIf, lDef}
\end{align*}
\]
The inductive case, \( n+1 = j-i \), i.e., adding \( i < j \) to the sequent boolean expression, assumes that the property holds for all \( m \leq n \), i.e., all \( m < j-i \) (the inductive hypothesis), and follows from proving the following two sequents

\[
\Gamma_1; b \vdash \{A_i^j(\vec{x}_i^j)\}\ [\text{Prtr}(i, j)]_{\rho(r_3, i, j)}\ \{A_i^{p-1}(\vec{z}_i^{p-1}) \ast a_p(y_p) \ast A_{p+1}^{j}(\vec{z}_{p+1}^{j}) \ast r_3(p)\} \quad (6.7)
\]

\[
\Gamma_1; b \vdash \{A_i^{p-1}(\vec{z}_i^{p-1}) \ast a_p(y_p) \ast A_{p+1}^{j}(\vec{z}_{p+1}^{j}) \ast r_3(p)\}\ \left[ \begin{array}{l}
\ldots \\
\text{Qck}(i, x - 1)[r_1/r] \parallel \\
\text{Qck}(x + 1, j)[r_2/r] \parallel \ldots
\end{array} \right]_{\ldots}\ \{A_i^j(\vec{y}_i^j) \ast r()\} \quad (6.8)
\]

where \( \Gamma_1 \) extends \( \Gamma \) with the mapping for \( r_3 \) i.e., \( \Gamma_1 = \Gamma, r_3: \rho(r_3, i, j) \) and \( b \) is a stronger boolean condition defined as:

\[
b = \text{ord}(\vec{y}_i^j) \land \big(\vec{x}_i^j \equiv \vec{z}_i^{p-1}\, y_p\, \vec{z}_{p+1}^{j}\big) \land \Big( \bigwedge_{k=i}^{p-1} z_k < y_p \Big) \land \Big( \bigwedge_{k=p+1}^{j} y_p \leq z_k \Big)
\]

It requires the intermediary lists of values \(\vec{z}_i^{p-1}\) and \(\vec{z}_{p+1}^{j}\), returned by the partitioning \(\text{Prtr}(i, j)\), to be reorderings of the final values \(\vec{y}_i^{p-1}\) and \(\vec{y}_{p+1}^{j}\) (i), the values in \(\vec{z}_i^{p-1}\) to be less than the pivot (ii), and the values in \(\vec{z}_{p+1}^{j}\) to be greater than or equal to the pivot (iii).

The proof for sequent \((6.6)\) is derived from \((6.7)\) and \((6.8)\) by applying the derived rule lCut, which logically sequentialises the two systems; then we apply lInst to substitute \(\vec{y}_i^{p-1}, \vec{y}_{p+1}^{j}\) for \(\vec{z}_i^{p-1}, \vec{z}_{p+1}^{j}\) in \(b\) (notice that the substitution leaves the pre/post-conditions and the system unchanged, as \(\vec{z}_i^{p-1}, \vec{z}_{p+1}^{j}\) are not free in them), then lImp to recover the boolean condition \(\big(\text{ord}(\vec{y}_i^j) \land \vec{x}_i^j \equiv \vec{y}_i^{p-1}\, y_p\, \vec{y}_{p+1}^{j}\big)\), i.e., \(\big(\text{ord}(\vec{y}_i^j) \land \vec{x}_i^j \equiv \vec{y}_i^j\big)\), then lRes to recover \(\Gamma\) from \(\Gamma_1\), and finally lLcl and lDef to recover \([\text{Qck}(i, j)]_{\rho(r, i, j)}\).

The proof of sequent \((6.8)\) follows from the three sequents \((6.9)\), \((6.10)\) and \((6.11)\) below, where lRes is used to extend \(\Gamma_1\) as

\[
\Gamma_2 = \Gamma_1, r_1: \rho(r_1, i, p - 1), r_2: \rho(r_2, p + 1, j)
\]

to account for the mappings associated with the channels \( r_1 \) and \( r_2 \). Notice how this rule allows us to choose the permission association relating to \( r_1 \) and \( r_2 \) dynamically, depending on the index \( p \) returned by the partitioning phase of sequent \((6.7)\).

\[
\begin{align*}
\Gamma_2; b \vdash \{A_i^{p-1}(\vec{z}_i^{p-1})\}\ [\text{Qck}(i, p - 1)]_{\rho(r_1, i, p - 1)}\ \{A_i^{p-1}(\vec{y}_i^{p-1}) \ast r_1()\} \quad & (6.9) \\
\Gamma_2; b \vdash \{A_{p+1}^{j}(\vec{z}_{p+1}^{j})\}\ [\text{Qck}(p + 1, j)]_{\rho(r_2, p + 1, j)}\ \{A_{p+1}^{j}(\vec{y}_{p+1}^{j}) \ast r_2()\} \quad & (6.10) \\
\Gamma_2; b \vdash \{A_i^j(\vec{y}_i^j) \ast r_1() \ast r_2()\}\ [\ \ldots\ ]_{\ldots}\ \{A_i^j(\vec{y}_i^j) \ast r()\} \quad & (6.11)
\end{align*}
\]

Sequents \((6.9)\) and \((6.10)\) follow from the inductive hypothesis. Sequent \((6.11)\) can be derived using lFrmSt, which eliminates \(A_i^j(\vec{y}_i^j)\) from the pre- and post-conditions, then applying lIn twice, for \(r_1\) and \(r_2\) respectively, followed by lOut once for \(r\); the two inputs on \(r_1\) and \(r_2\) hand over the permissions \(\downarrow a_i, \ldots, \downarrow a_{p-1}\) and \(\downarrow a_{p+1}, \ldots, \downarrow a_j\) respectively, which are necessary for the output on \(r\) to be derived.

We recover the proof of sequent \((6.8)\) as follows. Sequents \((6.9)\) and \((6.10)\) can be composed together as separate parallel code using lSep, and then extended to include \(a_p(y_p)\) in the pre- and post-conditions using lFrmSt. This allows us to logically sequence these two systems before the

We prove (6.12) by proving the more general sequent

\[
\Gamma_1; b' \vdash \left\{ \begin{array}{l}
A_{i+1}^{q}(\vec{w}_{i+1}^{q}) \ast \\
A_{q+1}^{c-1}(\vec{w}_{q+1}^{c-1}) \ast \\
A_{c}^{j}(\vec{x}_{c}^{j}) \end{array} \right\}\ \big[\text{Trv}(i, j, x, q, c)\big]_{\rho(r_3, i, j)}\ \left\{ \begin{array}{l}
A_i^{p-1}(\vec{w}_i^{p-1}) \ast a_p(y_p) \ast \\
A_{p+1}^{j}(\vec{w}_{p+1}^{j}) \ast r_3(p) \end{array} \right\} \quad (6.13)
\]

where \(b' = b \land (i \leq q < c \leq j + 1) \land (\vec{x}_{i+1}^{c-1} \equiv \vec{w}_{i+1}^{c-1}) \land \big(\bigwedge_{k=i+1}^{q} w_k < x_i\big) \land \big(\bigwedge_{k=q+1}^{c-1} x_i \leq w_k\big)\).

Sequent (6.13) allows us to stratify every iteration of the traversal, thereby proving the sequent by induction on \(n = (j + 1) - c\). At each iteration \(c\), with pivot index \(i\) and pivot value \(x_i\), (6.13) expects a pre-condition split into three parts: \(A_{i+1}^{q}(\vec{w}_{i+1}^{q})\) holds the processed values that are less than the pivot \(x_i\) (i), \(A_{q+1}^{c-1}(\vec{w}_{q+1}^{c-1})\) holds the processed values that are greater than or equal to the pivot \(x_i\) (ii), and \(A_{c}^{j}(\vec{x}_{c}^{j})\) is the part of the array that still needs to be traversed. Note also that the values preceding the current counter, \(\vec{w}_{i+1}^{c-1}\), must be equal, up to reordering, to the values already processed, \(\vec{x}_{i+1}^{c-1}\) (iii).

The base case, i.e., when \(c = j + 1\) (and thus \(A_{j+1}^{j}(\vec{x}_{j+1}^{j}) = \text{emp}\)), establishes the post-condition in (6.13), whereas the inductive case works up towards the base case, whereby the value comparison at every iteration adds to the ordering information expressed by \(b'\). Both proof cases use a mixture of the rules lIn, lOut, lIf, lSep and lCut in a manner similar to that discussed above; the details are left to the interested reader.

To obtain (6.12) from (6.13), we take \(q\) and \(c\) to be \(i\) and \(i + 1\) respectively. This makes the array assertions \(A_{i+1}^{q}(\vec{w}_{i+1}^{q})\) and \(A_{q+1}^{c-1}(\vec{w}_{q+1}^{c-1})\) in the pre-condition of (6.13) empty, i.e., \(A_{i+1}^{i}(\vec{w}_{i+1}^{i}) = A_{i+1}^{i}(\vec{w}_{i+1}^{i}) = \text{emp}\), which by Lemma 4.9 and lImp leaves us with \(A_{i+1}^{j}(\vec{x}_{i+1}^{j})\), i.e., the pre-condition of (6.12). Moreover, for this case the boolean expression \(b'\) is of the form \(b \land (i \leq i < i + 1 \leq j + 1)\), which is implied by \(b\), i.e., \(b \models b'\). This means that we can recover \(b\) for our sequent simply by applying lImp as well.

7. Conclusion

We have developed a logic for deterministic processes, interpreted over systems whose behaviour is confined by sets of linear permissions. We also developed a sound proof system through which we can determine, in compositional fashion, the satisfaction of formulas in this logic. We applied this logic and proof system to specify and prove the correctness of an in-place parallel quicksort.

7.1. Related Work. Modal logics have traditionally been used in process calculi for the specification of behavioural properties. Proof systems for these logics have been developed in a variety of settings (e.g., [22, 21, 13, 14, 5]) and some of these have focused on compositional reasoning as a means of dealing with the scalability problem (e.g., [2, 14, 5]). However, there has been little focus on locality of reasoning in these efforts. Approaching compositionality without necessarily modelling locality does seem to have been at the expense of general, but long-winded proof rules for parallel composition (e.g. [14]). In addition, termination is often not a major focus in these logics; in fact, the bisimulation proof technique, often associated with these logics, is insensitive to divergence. Termination is central to the logical characterisations that we give in this work.

Despite the apparent resemblance, spatial logics for process calculi such as [9, 10] differ from our interpretation of the separating conjunction: we separate on permissions, logical embellishments on processes, whereas their logical separation is more intensional and operates on the structure of processes, describing parallel composition directly. Moreover, their aims appear to differ from ours since they model mobility and channel privacy; we focus on data, non-interference and locality, and deal with implicit transfer of permissions.

Following [31], the use of separation logic to support local reasoning for concurrent programs has been studied intensively over the past few years for the shared-variable model of concurrency. The initial main idea of ownership transfer of resources between threads impacting upon local reasoning already appears in [31]. This was then extended to co-exist with Rely/Guarantee reasoning [41, 17] and recently refined through fractional permissions as Deny/Guarantee reasoning [15]. The latter is interesting to us as a means of widening our class of programs under analysis. For instance, [20] uses this approach for dealing with dynamically allocated resource locks.

Separation Logic has been applied to process calculi on at least three occasions. In [24], they give a separation semantics for a variant of the π-calculus, based on traces. Their work differs from ours in a number of respects in that they only deal with explicit ownership transfer of resources and are not concerned with developing a proof system. This work is then extended in [40], which uses resource analysis to reason about channel visibility in a π-calculus variant that does away with explicit channel scoping. Of particular interest here is the two-tiered trace semantics where the second tier takes into account channel resources; this is analogous, at least in spirit, to the confined semantics we describe in this work. In [34], they also use a process calculus as a model for a separation logic. They are quite general with respect to the form of resources and how these are transferred across processes and, as a result, our model of confined processes seems related to theirs. However, aspects such as the use of SCCS on their part, where processes evolve in synchrony, and the focus on value passing and stability on ours, lead to a substantially different satisfaction relation of the logics. The aim of their work is also different from ours; they establish a correspondence between strong bisimulation and logic satisfaction whereas we focus on developing a compositional proof system.

Separation logic has also been applied to imperative concurrent languages with message passing. The work in [42] focuses mainly on the implementability of message-passing communication as copy-less communication over a shared memory model. Although their technical development is considerably different from the one presented here, this work can be seen as complementary to ours if implementation aspects of our language are considered. The work in [4] applies an extension of concurrent separation logic to reason about histories of communications over channels for the parallelisation of sequential code. Unlike our setting, they are able to handle multiple senders and receivers on a particular channel at any one point in time. In [27] they apply local reasoning, permission levels and reference counting to reason about deadlock freedom in a language with locks and channels. Finally, in [16] they apply an extension of concurrent abstract predicates based on separation logic to reason about deterministic parallelism. However, their definition of deterministic parallelism appears to be different from ours and their analysis does not rely on confluence. In each of these cases, the technical development is limited to partial correctness.

7.2. Future Work. There is much further work to be done in the area of local reasoning for message-passing concurrency.

With respect to the work presented here, there are a number of design decisions that are worth exploring. For instance, at the level of the proof system, a partial correctness interpretation of our sequents (as opposed to total correctness) would probably allow us to design a version of the parallel proof rule, $\text{P}_{\text{PAR}}$, that is more symmetric. Another avenue worth exploring is that of relaxing the interpretation of our logical assertions so as to not limit them to safely-stabilising systems. This would simplify the verification of certain formulas, such as any, and would also allow us to have models where formulas such as $c(\nu) * \text{blk}(c)$ are satisfiable. At the same time, this satisfaction weakening would also entail that our existing assertion interpretation changes to one where systems satisfy a formula at some point during their evaluation but may then fail to satisfy it as computation progresses. Although it is not yet clear whether this is a desirable property to have from the point of view of the application of the logic, it has appealing benefits in terms of the assertion satisfaction definition, as it streamlines the satisfaction of core formulas like the separating conjunction with existing interpretations. Moreover, we also conjecture that this altered interpretation would eliminate the need for the side conditions present in the existing parallel rule, $\text{P}_{\text{PAR}}$.

At a more general level, we also seek to widen the class of programs we can treat by introducing non-confluent behaviour in a controlled way. We intend to extend our setting to allow for more interesting forms of data to be communicated, including, say, channel names. We also need to develop algorithms for inferring the permission-set maps, and tools to support the proof-system reasoning. Finally, and perhaps most importantly, we need to expand our suite of case studies and consider larger example proofs.

Acknowledgment

The authors wish to acknowledge numerous referees for their incisive comments on a preliminary version of this paper.

A.1. Processes.

Lemma A.1 (Structural Equivalence and Reductions).
\[ P \equiv Q \land P \rightarrow P' \implies \exists Q'.\ Q \rightarrow Q' \land P' \equiv Q' \]

Proof. By rule induction on \( P \equiv Q \).

Corollary A.2 (Structural Equivalence and Reductions). \( P \equiv Q \land P \rightarrow \implies Q \rightarrow \)

A.2. Confined Processes.

Lemma A.3. \( S \equiv T \implies |S| \equiv |T| \)

Proof. By rule induction on \( S \equiv T \).

Lemma A.17 (Properties of \( \equiv \) with respect to reductions).
1. \( S \equiv T \land T \rightarrow T' \land S \rightarrow \implies \exists S'.\ S \rightarrow S' \land S' \equiv T' \)
2. \( S \equiv T \land S \not\rightarrow \implies T \not\rightarrow \)

Proof. The first clause is proved by case analysis of \( T \rightarrow T' \), using Lemma A.5 to infer the structure of \( T \) and then the definition of \( S \equiv T \) to determine the structure of \( S \). The second clause is proved by assuming that there exists some \( T' \) such that \( T \rightarrow T' \), and then using the first clause to show that this leads to a contradiction.

Lemma A.5 (Reduction and System Structure). \( S \rightarrow T \implies \)

Proof. By rule induction on \( S \rightarrow T \).

Proposition 3.14 (Safe-Stability and System Structure).

\[ S \not\rightarrow \iff S \equiv (\text{new } \vec{d}) \left( \parallel_{i=0}^{n} [c_i!e_i]_{\rho_i} \parallel \parallel_{j=0}^{m} [c'_j?x_j.P_j]_{\mu_j} \right) \]

where

- \( \{c_1, \ldots, c_n\} \cap \{c'_1, \ldots, c'_m\} = \emptyset \)
- \( \bigwedge_{i=0}^{n} c_i \in \rho_i \) and \( \bigwedge_{j=0}^{m} c'_j \in \mu_j \)

and where \( [c_i!e_i]_{\rho_i} \) and \( [c'_j?x_j.P_j]_{\mu_j} \) denote the confined output and input processes of \( S \), respectively.

Proof. Immediate by case analysis of Lemma A.5, and then the conditions for \( S \rightarrow_{err} \) from Figure 2.

Lemma 3.18 (Partial Confluence). \( S \rightarrow T_1 \) and \( S \rightarrow T_2 \) implies either of the following:

1. \( T_1 \equiv T_2 \) or:
2. \( \exists T_3, T_1 \rightarrow T_3 \) and \( T_2 \rightarrow T_3 \)

Proof. By case analysis of the possible forms of \( S \) using Lemma A.5, then restricting the possibilities using properties of well-formed systems. We here overview the two main cases.

- For \( S \rightarrow T_1 \) we have \( S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_1} \parallel \|Q\|_{\mu_1}\right) \), \( T_1 \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_1} \parallel \|R\| \right) \), \( \uparrow c_1 \in \rho_1 \), \( \downarrow c_1 \in \mu_1 \). Also, for \( S \rightarrow T_2 \) we have \( S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_2} \parallel \|Q\|_{\mu_2}\right) \), \( T_2 \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_2} \parallel \|R\| \right) \), \( \uparrow c_2 \in \rho_2 \), \( \downarrow c_2 \in \mu_2 \). We have two sub-cases:
  - \( c_1 \neq c_2 \): The two redexes in \( S \) are distinct and, for some systems \( R_1 \) and \( R_2 \), we have \( R_1 \equiv (\text{new } \overline{d}) \left( \|P\|_{\rho_1} \parallel \|Q\|_{\mu_1}\right) \) and \( R_2 \equiv (\text{new } \overline{d}) \left( \|P\|_{\rho_2} \parallel \|Q\|_{\mu_2}\right) \), from which we can then find a common \( T_3 \) that both \( T_1 \) and \( T_2 \) reduce to.
  - \( c_1 = c_2 \): The conditions \( \uparrow c_1 \in \rho_1 \), \( \downarrow c_1 \in \mu_1 \), \( \uparrow c_2 \in \rho_2 \), \( \downarrow c_2 \in \mu_2 \), together with the fact that \( S \) is well-formed, ensure that \( S \rightarrow T_1 \) and \( S \rightarrow T_2 \) refer to the same reduction (modulo structural equivalence), i.e., \( \rho_1 \equiv \rho_2 \), \( \mu_1 \equiv \mu_2 \), \( c_1 = c_2 \), \( P_1 = P_2 \) and \( R_1 = R_2 \), which implies \( T_1 \equiv T_2 \) by Proposition 3.16.

- For \( S \rightarrow T_1 \) we have \( S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_1} \parallel \|Q\|_{\mu_1}\right) \), \( T_1 \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_1} \parallel \|R\| \right) \), and for \( S \rightarrow T_2 \) we have \( S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_2} \parallel \|Q\|_{\mu_2}\right) \), \( T_2 \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho_2} \parallel \|R\| \right) \). By the assumption that \( S \) is well-formed, we have the following sub-cases:
  - \( (\rho_1 \parallel \mu_1) \neq (\rho_2 \parallel \mu_2) \): Then we have different redexes, meaning that for some systems \( R_1 \) and \( R_2 \) we have \( R_1 \equiv (\text{new } \overline{d}) \left( \|P\|_{\rho_1} \parallel \|Q\|_{\mu_1}\right) \) and \( R_2 \equiv (\text{new } \overline{d}) \left( \|P\|_{\rho_2} \parallel \|Q\|_{\mu_2}\right) \), which guarantees the existence of a common system \( T_3 \) that both \( T_1 \) and \( T_2 \) can reduce to.
  - \( (\rho_1 \parallel \mu_1) = (\rho_2 \parallel \mu_2) \): Then we must have the same redexes, i.e., \( P_1 = P_2 \), \( Q_1 = Q_2 \) and \( R_1 = R_2 \). This implies \( T_1 \equiv T_2 \).

The following technical Lemmas deal with the restricted non-determinism of confined processes and how it can be characterised using the relation \( \equiv \). In particular, Lemma A.8 is useful because it allows us to correct reductions that lead to systems that do not evaluate by instead reducing to systems that are related to them by \( \equiv \), which in turn means, by Proposition 3.16, that they contain the same process structure.

Lemma A.6. \( S \parallel S \) and \( S \rightarrow T \) and \( T \parallel S \) implies \( \exists P, Q, R. \ S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho}\parallel \|Q\|_{\mu}\parallel R \right) \) and \( T \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho}\parallel \|Q\|_{\mu}\parallel S' \right) \)

Proof. By induction on the number of reductions in \( S \parallel S \) leading to a safely-stable system i.e., \( S \rightarrow^n S' \) for some \( S' \).

\( n = 1 \): By Lemma 3.18 and \( S' \rightarrow (i.e., S' \rightarrow_{err}) \) it must be the case that \( T \equiv S' \). By Lemma 3.17, 2 this also implies \( T \rightarrow_{err} \) and since \( T \parallel S \) it must be the case that \( T \rightarrow_{err} \). Now by case analysis of Lemma A.5, the only system structure that allows this is when \( S \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho}\parallel \|Q\|_{\mu}\parallel S'' \right) \) and \( T \equiv (\text{new } \overline{c}) \left( \|P\|_{\rho}\parallel \|Q\|_{\mu}\parallel S'' \right) \).

Lemma A.7. \( S \Downarrow \) and \( S \equiv (\text{new } \overline{c})\left[ [P]_p || [Q]_{p2} || R \right] \) implies \( \exists \mu_1, \mu_2 \text{ such that } \mu_1 \parallel \mu_2 = \rho \) and \( (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right] \Downarrow \).

**Proof.** By induction on the number of reductions in \( S \parallel S \) leading to a safely-stable system i.e., \( S \rightarrow^* S' \parallel \) for some \( S' \).

\( n = 1 \): By cStr, \( S \equiv (\text{new } \overline{c})\left[ [P]_p || [Q]_{p2} || R \right] \) can reduce to (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right], for some \( \rho_1, \rho_2 \), and by Lemma \ref{lemma:initialization} and \( S' \rightarrow \) we must have \( S' \equiv (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right] \), and since \( S' \rightarrow_{err} \), this implies \( \exists \mu_1, \mu_2 \text{ such that } \mu_1 \parallel \mu_2 = \rho \) and (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right].

\( n = k + 1 \): We have \( S \rightarrow S' \rightarrow^* S'' \parallel \) for some \( S', S'' \). Lemma \ref{lemma:initialization} gives us two sub-cases:

\( S' \equiv (\text{new } \overline{c})\left[ [P]_p || [Q]_{p2} || R \right] \) where \( R \rightarrow R' \) : By \( S' \rightarrow^* S'' \parallel \) and I.H. we obtain \( \exists \mu_1, \mu_2 \text{ such that } \mu_1 \parallel \mu_2 = \rho \) and (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R' \right] which implies that \( \exists \mu_1, \mu_2 \text{ such that } \mu_1 \parallel \mu_2 = \rho \) and (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right].

(\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || R \right]: Immediate.

**Lemma A.8** (Corrective Reductions). \( S \parallel S \rightarrow T \) and \( T \parallel S \rightarrow^* T \) implies \( \exists R \text{ such that } S \rightarrow R \) and \( R \equiv T \) and \( T \parallel \).

**Proof.** By Lemma \ref{lemma:initialization}, we know \( S \equiv (\text{new } \overline{c})\left[ [P]_p || [Q]_{p2} || S' \right] \) and \( T \equiv (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || S' \right] \). By Lemma \ref{lemma:split}, we know \( \exists \mu_1, \mu_2 \text{ such that } \mu_1 \parallel \mu_2 = \rho \) and (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || S' \right]. Since \( T \equiv (\text{new } \overline{c})\left[ [P]_{p1} || [Q]_{p2} || S' \right] \), this implies that we can correct the permission split and be able to reduce to a safely-stable state.

In order to apply corrective actions to multiple reduction steps, we need to extend Lemma \ref{lemma:initialization} to systems that are related by \( \equiv \), due to reductions of type (1) of Lemma \ref{lemma:initialization}. The next Lemmas deal with this. Lemma \ref{lemma:evaluation} states that there exist matching reductions for systems related by \( \equiv \) preserving the evaluation property and Lemma \ref{lemma:evaluation2} extends this to multiple reductions. This allows us to prove the existence of corrective reductions over multiple reductions.

**Lemma A.20** (Evaluation Preservation for \( \equiv \)). \( S \equiv T \) and \( S \Downarrow \) and \( T \rightarrow T' \) implies \( \exists S' \text{ such that } S \rightarrow S' \) where \( S' \equiv T' \) and \( S' \Downarrow \).

**Proof.** By \( S \Downarrow \) and Lemma \ref{lemma:split}, we have \( S \not\rightarrow_{err} \), and by Lemma \ref{lemma:split} we know \( \exists S_1 \text{ such that } S \rightarrow S_1 \) and \( S_1 \equiv T' \). At this point we have two sub-cases: if \( S_1 \Downarrow \) then the result follows immediately. Otherwise, if \( S_1 \not\Downarrow \), then Lemma \ref{lemma:initialization} states that \( \exists S_2 \text{ such that } S \rightarrow S_2 \) and \( S_2 \equiv S_1 \) and \( S_2 \Downarrow \). By transitivity we have \( S_2 \equiv S_1 \equiv T' \).

Lemma A.9 (Evaluation Preservation for $\equiv$). $S \equiv T$ and $S \Downarrow$ and $T \rightarrow^n T'$ implies $\exists S'$ such that $S \rightarrow^n S'$ where $S' \equiv T'$ and $S' \Downarrow$.

Proof. By induction on $n$, the number of reductions in $T \rightarrow^n T'$.

$n = 0$: Immediate.

$n = k + 1$: We have $T \rightarrow T'' \rightarrow^k T'$. From $T \rightarrow T''$ and the single-reduction case of this lemma (Lemma A.20 above), we obtain $S''$ such that $S \rightarrow S''$ where $S'' \equiv T''$ and $S'' \Downarrow$. By I.H. we then obtain $S'$ such that $S'' \rightarrow^k S'$ where $S' \equiv T'$ and $S' \Downarrow$, which gives us the required reduction sequence.

Lemma A.10. $|S| \equiv Q$ and $S \parallel T$ implies $\exists T'$ such that $S \leadsto Q \equiv T'$ and $T \parallel |T| = Q$.

Proof. By rule induction on $|S| \equiv Q$.

Lemma A.11. $|S| \equiv Q$ implies $\exists T$ such that $T \leadsto T$ or $S \equiv T S$ where $|T| = Q$.

Proof. By rule induction on $|S| \equiv Q$ and then a tedious consideration of all the possible permutations of $S$ that may lead to $|S|$. $|S| = P || (P \parallel P_1)$ then $Q = (P || (P \parallel P_1))$ and $S$ can be either of the following:

$S = [P_1]_p || (P \parallel P_2)$: By 2 applications of cStr and then an application of cStr using scAss we obtain $S \leadsto [(P_1 \parallel P_2)]_p \parallel [P_3]$ where $P_1 \parallel P_2 \parallel P_3 = \rho$ and $|(P_1 \parallel P_2) || P_3 | = Q$.

Lemma 3.27 (Reduction Correspondence).

$S \Downarrow$ and $|S| \rightarrow Q$ implies $\exists R$ such that $S \rightarrow^* R$ and $|R| \equiv Q$.

Proof. By rule induction on $|S| \rightarrow Q$. We here consider the main cases:

**rCom:** We have $|S| = c[\lbrack\epsilon\rceil c \lceil ? X . P \rceil_\downarrow P \parallel Q = P[\lceil \lbrack \epsilon\rceil X \rceil \parallel Q]$. We have two sub-cases for $S$:

$S = [c[\lbrack\epsilon\rceil c \lceil ? X . P \rceil_\downarrow P \parallel Q]_p \parallel Q$ and $Q = \lceil \lbrack \epsilon\rceil X \rceil_\downarrow P$ such that $\mu_1 \parallel \mu_2 = \rho$ and $S \rightarrow [c[\lbrack\epsilon\rceil ? X . P \rceil_\downarrow P \parallel Q]_p \parallel Q$.

$S = [c[\lbrack\epsilon\rceil ? X . P \rceil_\downarrow P]_p \parallel Q$. Similar

**rPar:** We have $|S| = P_1 || P_2$ and $Q = P_1 || (P_2 \parallel P_1)$ because $P_1 \rightarrow P'$ and $P_2 \rightarrow P_2$. We have two sub-cases for $S$:

$S = [P_1]_p || P_2$: By $S \parallel P_1 \parallel P_2$ such that $\mu_1 \parallel \mu_2 = \rho$ and $[P_1]_p || P_2 \rightarrow [P_1]_p || P_2$. Now $[P_1]_p || P_2 \parallel Q$ implies $[P_1]_p || P_2$ and by I.H. we know $\exists R$ such that $[P_1]_p \rightarrow R$ and $|R| \equiv Q$. Thus, by cPar, $[P_1]_p || (P_2 \parallel P_1) \rightarrow R || (P_2 \parallel P_1)$ and $|R| || (P_2 \parallel P_1) = Q$.

$S = S_1 || S_2$ where $|S_1| = P_1$ and $|S_2| = P_2$: Similar.

aStr: We have $|S| = P_1$ and $Q = P_2$ because $P_1 \equiv P_1', P_1' \rightarrow P_2', P_2' \equiv P_2$. By $|S| = P_1$ and Lemma A.10 we know $\exists R_1$ such that $S \rightarrow^\ast R_1$ and $|R_1| = |P_1|$. By $P_1' \rightarrow P_2'$ and I.H. we know $\exists R_2$ such that $R_1 \rightarrow^\ast R_2$ and $|R_2| = |P_2|$. Since $\Gamma$ and I.H. and Lemma A.11 we know $\exists R_3$ such that $R_2 \rightarrow^\ast R_3$ and $|R_3| = P_2$. This implies $S \rightarrow^\ast R_1 \rightarrow^\ast R_2 \rightarrow^\ast R_3$, i.e., $S \rightarrow^\ast R_3$ where $|R_3| = Q$.

Lemma 3.30 (Correspondence and Termination). $|S| \not\rightarrow$ and $S \Downarrow T \implies |T| \equiv |S|$

Proof. By induction on $n$, the number of reductions leading to the safely-stable system $T$, i.e., $S \rightarrow^n T$.

$n = 0$: We have $S = T$, which implies $|S| = |T|$.

$n = k + 1$: We have $S \rightarrow R$ and $R \rightarrow^k T$, i.e., $R \Downarrow T$. By $|S| \not\rightarrow$, $S \rightarrow R$ and Cor. A.4 we get $|S| \equiv |R|$, and thus (by Corollary A.2) $|R| \not\rightarrow$. Hence by I.H. and $R \Downarrow T$ we get $|T| \equiv |R|$, and by transitivity we obtain $|T| \equiv |S|$.

A.3. The Logic.

Lemma A.12. When $S \not\rightarrow$ and $\Gamma, S \models \psi$:

- $S \equiv [c!e]_\rho \parallel R$ implies $\uparrow c \in \text{edg}(\psi)$ or $\text{edg}(\psi)$ is undefined;
- $S \equiv (\text{new } \vec{d})([c?x.P]_\mu \parallel R)$ and $c \notin \vec{d}$ implies $\uparrow c \in \text{trg}(\psi)$ or $\text{trg}(\psi)$ is undefined.

Proof. By induction on the structure of $\psi$.

Lemma A.13. $\Gamma, S \models \psi_1$, $S \not\rightarrow$ and $\Gamma, T \models \psi_2$, $T \not\rightarrow$ and $\psi_1 \perp \psi_2$ implies $S \parallel T \not\rightarrow$

Proof. Since $S \not\rightarrow$ and $T \not\rightarrow$, by Lemma A.5 we know that $S \parallel T \rightarrow R$ for some $R$ can only happen if

$$S \equiv (\text{new } \vec{d})([c?x.P]_\mu \parallel S') \quad \text{where } c \notin \vec{d} \text{ and } \uparrow c \in \mu \qquad \text{(A.1)}$$

$$T \equiv [c!e]_\rho \parallel T' \qquad \text{(A.2)}$$

or vice versa. We here focus on the case where (A.1) and (A.2) hold; the dual case is identical. By $\psi_1 \perp \psi_2$ we know that $\text{trg}(\psi_1)$, $\text{edg}(\psi_1)$, $\text{trg}(\psi_2)$ and $\text{edg}(\psi_2)$ must all be defined. Thus by (A.1), $\Gamma, S \models \psi_1$ and Lemma A.12 we must have $\uparrow c \in \text{trg}(\psi_1)$. Similarly, by (A.2), $\Gamma, T \models \psi_2$ and Lemma A.12 we must have $\uparrow c \in \text{edg}(\psi_2)$. However, this would contradict $\psi_1 \perp \psi_2$, which requires that $\text{trg}(\psi_1) \cap \text{edg}(\psi_2) = \emptyset$. Thus $S \parallel T \not\rightarrow$.

Lemma 4.11 (Merging Assertions). $\Gamma, S \models \psi_1$ and $\Gamma, T \models \psi_2$ and $S \perp T$ and $\psi_1 \perp \psi_2$ implies $\Gamma, S \parallel T \models \psi_1 * \psi_2$

Proof. $S \perp T$ implies that $S \parallel T$ is well-resourced. From $\Gamma, S \models \psi_1$, $\Gamma, T \models \psi_2$ and Proposition 4.5 we know that $S \Downarrow S'$ and $T \Downarrow T'$ where $\Gamma, S' \models \psi_1$ and $\Gamma, T' \models \psi_2$. By Lemma A.13 we also know that $S \parallel T \Downarrow S' \parallel T'$, and the result follows from the definition of satisfaction in Figure 3.

A.4. The Proof System. Proofs for the derived rules from Section 5.1

The proof for $t\text{Cut}$:

$$\begin{array}{c}
\Gamma; b \vdash [q_1] S \downarrow \psi \\
\Gamma; b \vdash [q_1] S \downarrow \psi \uparrow \psi
\end{array}$$

The proof for $t\text{Str}$:

$$\begin{array}{c}
\Gamma; b \vdash [q_1] S \downarrow \psi_1 \\
\Gamma; b \vdash [q_1] S \downarrow \psi_1 \uparrow \psi_1
\end{array}$$
The proof for **LOutD:**

\[ \Delta b + \{ e \} \Gamma \Gamma(c) \subseteq \rho \]

\[ \Delta b \wedge \Gamma = e_i \wedge e_i' = e_i'' \]

\[ \Gamma \Gamma(b \wedge e_i = e_i' \wedge e_i' = e_i'' + \{ \text{emp} \} c!e_i'_{i'} \}

\[ \Gamma \Gamma(b \wedge e_i = e_i' \wedge e_i' = e_i'' + \{ \text{emp} \} c!e_i'_{i'} \}

\[ \Gamma \Gamma\text{LSubLInst} \]

\[ \Gamma \Gamma\text{LMP} \]

**Lemma A.14.** Assume that \( \llbracket e \rrbracket[x] \) is a substitution that non-deterministically substitutes either \( e \) or \( v \) for \( x \). Then \( S \llbracket x \rrbracket \rightarrow T \llbracket x \rrbracket \) and \( e \Downarrow v \) implies \( S \llbracket e \rrbracket \rightarrow R \) where \( R = T \llbracket e \rrbracket \) for some non-deterministic substitution \( T \llbracket e \rrbracket \).

**Proof.** By rule induction on \( S \llbracket x \rrbracket \rightarrow T \llbracket x \rrbracket \). \( \square \)

**Lemma A.15.** \( \Gamma, T \llbracket x \rrbracket \models q \) and \( e \Downarrow v \) and \( T \not\rightarrow \) implies \( \Gamma, T \llbracket e \rrbracket \models q \)

**Proof.** By induction on the structure of \( q \). \( \square \)

**Lemma A.16.** \( \Gamma, T \llbracket x \rrbracket \models q \) and \( e \Downarrow v \) implies \( \Gamma, T \llbracket e \rrbracket \models q \)

**Proof.** Follows from Lemma A.14 and Lemma A.15. \( \square \)

**Lemma A.17.** \( \Gamma, S \models q \) and \( d \notin \text{dom}(\Gamma) \) implies \( \Gamma, (\text{new } d)S \models q \)

**Proof.** By induction on the structure of \( q \). For instance:

\( c(e) \): We know \( S \llbracket e \rrbracket \), where \( e \Downarrow v \) and \( \Gamma(c) \subseteq \rho \). By cRes, and then by cTerm and \( d \notin \text{nm}(c(e)) \cup \text{nm}(\Gamma) \), we deduce

\[ (\text{new } d)S \rightarrow^* (\text{new } d)(c!e_i'_{i'}) \equiv (\text{new } d)(c!e_i'_{i'} || \text{nil}(a)) \]

\[ (\text{new } d)(c!e_i'_{i'} || \text{nil}(a)) \rightarrow (c!e_i'_{i'} || \text{nil}(a)) \equiv (\text{new } d)(c!e_i'_{i'} || \text{nil}(a)) \]

Since \( d \notin \text{dom}(\Gamma) \), by Definition A.12, i.e., the environment is suitably closed, it follows that \( \Gamma(c) \subseteq (\rho \setminus \{\downarrow d, \uparrow d\}) \), and hence, by Proposition 4.7, that \( \Gamma, (\text{new } d)S \models c(e) \). \( \square \)

**Definition A.18 (Permission Restriction).**

\[ S \setminus \mu \equiv \begin{cases} [P]_{\rho \setminus \mu} & \text{if } S = [P]_{\rho} \\ (S_1 \setminus \mu) \parallel (S_2 \setminus \mu) & \text{if } S = S_1 \parallel S_2 \\ (\text{new } c)\big(T \setminus (\mu \setminus \{\downarrow c, \uparrow c\})\big) & \text{if } S = (\text{new } c)T \end{cases} \]
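As an added worked instance of this definition (constructed here for illustration; it is not an example from the paper), take the system \( S = (\text{new } c)\big([c!v]_{\{\uparrow c,\, \uparrow d\}} \parallel [c?x.P]_{\{\downarrow c,\, \downarrow d\}}\big) \) and the permission set \( \mu = \{\uparrow c, \downarrow d\} \). The value \( v \), the continuation \( P \) and the channels \( c, d \) are placeholders, and the convention that the sender holds \( \uparrow c \) while the receiver holds \( \downarrow c \) is assumed here, following the side conditions used in the proof of Lemma 3.18 above. Unfolding the three clauses from the outside in:

\[
\begin{aligned}
S \setminus \mu
&\equiv (\text{new } c)\Big(\big([c!v]_{\{\uparrow c, \uparrow d\}} \parallel [c?x.P]_{\{\downarrow c, \downarrow d\}}\big) \setminus (\mu \setminus \{\downarrow c, \uparrow c\})\Big)
&&\text{(third clause)} \\
&= (\text{new } c)\Big(\big([c!v]_{\{\uparrow c, \uparrow d\}} \parallel [c?x.P]_{\{\downarrow c, \downarrow d\}}\big) \setminus \{\downarrow d\}\Big)
&&\text{(since } \mu \setminus \{\downarrow c, \uparrow c\} = \{\downarrow d\}\text{)} \\
&\equiv (\text{new } c)\Big([c!v]_{\{\uparrow c, \uparrow d\} \setminus \{\downarrow d\}} \parallel [c?x.P]_{\{\downarrow c, \downarrow d\} \setminus \{\downarrow d\}}\Big)
&&\text{(second, then first clause)} \\
&= (\text{new } c)\Big([c!v]_{\{\uparrow c, \uparrow d\}} \parallel [c?x.P]_{\{\downarrow c\}}\Big)
\end{aligned}
\]

The step worth noticing is the third clause: because \( c \) is bound by \( (\text{new } c) \), the permission \( \uparrow c \) listed in \( \mu \) is dropped before the restriction is pushed under the binder, so the permissions of both processes on \( c \) are left intact and only the free permission \( \downarrow d \) is actually removed. Restricting by \( \mu \) therefore only ever affects permissions on channels that are free in the system.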

**Proposition A.19.** \( S \setminus \mu \rightarrow^* \text{err} \) implies \( S \rightarrow^* \text{err} \)

**Lemma A.20.** \( S \setminus \mu \rightarrow^* \text{err} \) implies \( \exists T. S \rightarrow^* T \rightarrow^* \text{ where } (T \setminus \mu) \equiv (S \setminus \mu) \)

**Proof.** By Proposition 3.14 we know

\[ S \setminus \mu \equiv (\text{new } \vec{d}) \left( \parallel_{i=0}^{n} [c_i!e_i]_{\rho_i} \parallel \parallel_{j=0}^{m} [c'_j?x_j.P_j]_{\mu_j} \right) \]

where \( \{c_1, \ldots, c_n\} \cap \{c'_1, \ldots, c'_m\} = \emptyset \) (A.3)

By system structural equivalence, \(\equiv\), the only sub-systems in \(S\) that are abstracted away from \(S \setminus \mu\) in (A.3) are those of the form \([\text{nil}]_{\rho}\) where \(\rho \subseteq \mu\): the restriction operation made these systems equivalent to \([\text{nil}]_{\emptyset}\), which could then be eliminated through scNu. In \(S\), sub-systems of the form \([\text{nil}]_{\rho}\) can still be eliminated through cDsc and then scNu (as before), leaving us with the same array of mismatching confined output and input processes found in \(S \setminus \mu\), less the restricted permissions.

**Lemma A.21.** \(S \setminus \mu \rightarrow T \setminus \mu\) implies \(S \rightarrow T\)

**Proof.** By rule induction on \(S \setminus \mu \rightarrow T \setminus \mu\).

**Lemma A.22.** \((S \setminus \mu) \Downarrow T\) implies \(S \Downarrow R\) where \(R \setminus \mu \equiv T\)

**Proof.** Follows from Lemma A.21, Lemma A.20 and Proposition A.19.

**Lemma A.23.** \(\Gamma, (S \setminus \mu) \models \varphi\) implies \(\Gamma, S \models \varphi\)

**Proof.** By induction on the structure of \(\varphi\) using Lemma A.22.