Process Algebra: An Algebraic Theory of Concurrency

Transcription

1 Process Alger: An Algeric Theory of Concurrency Wn Fokkink Vrije Universiteit Amsterdm, Deprtment of Theoreticl Computer Science, De Boeleln 1081, 1081 HV Amsterdm, The Netherlnds Astrct. This tutoril provides n overview of the process lger ACP. 1 Introduction The term process lger ws coined in 1982 y Jn Bergstr nd Jn Willem Klop, originlly in the sense of universl lger, to refer to structure stisfying prticulr set of xioms. Nowdys it is used in more generl sense for lgeric pproches to descrie nd study concurrent processes. In the lte 70 s, Roin Milner nd Tony Hore lrgely independently developed the process lgers CSS nd CSP, respectively. In the erly 80 s, Bergstr nd Klop developed third process lger clled ACP. System ehviour generlly consists of processes nd dt. Processes re the control mechnisms for the mnipultion of dt. While processes re dynmic nd ctive, dt is sttic nd pssive. System ehviour tends to e composed of severl processes tht re executed concurrently, where these processes exchnge dt in order to influence ech other s ehviour. Fundmentl to process lger is prllel opertor, to rek down systems into their concurrent components. A set of equtions is imposed to derive whether two terms re ehviourlly equivlent. In this frmework, non-trivil properties of systems cn e estlished in rigorous nd elegnt fshion. For exmple, it my e possile to equte n implementtion of system to the specifiction of its required input/output reltion. A vriety of utomted tools hve een developed to fcilitte the derivtion of such properties in process lgeric frmework. Astrct dt types (see, e.g., [5]) offer frmework in which lso the dt cn e specified y mens of equtions. µcrl [10] is specifiction lnguge, supported y verifiction tools, tht comines process lger with equtionl specifiction of dt types. In this tutoril we will however minly focus on processes. Applictions of process lger exist in diverse fields such s sfety-criticl systems, network protocols, nd iology. In the eductionl vein, process lger hs een recognised to tech skills to del with complex concurrent systems, y representing nd resoning out such systems in mthemticlly cler nd precise mnner. Recommended textooks re [15] for CCS, [17] for CSP, nd [8] for ACP. Jos Beten [2] presented detiled ccount on the history of process lger. Here I will focus on the process lger ACP; this tutoril is sed on [8]. This tutoril is structured s follows. Section 2 explins the generl frmework. Section 3 introduces the sic process lger BPA. Section 4 extends the frmework with prllelism, communiction nd encpsultion. Section 5 dds recursion to express

2 2 Wn Fokkink infinite ehviour. Section 6 introduces the silent step τ, nd strction opertors to hide internl ehviour. Finlly, Section 7 presents process lgeric specifiction nd verifiction of the Alternting Bit Protocol. 2 The Generl Frmework Process grphs As strting point, we ssume tht system ehviour is represented s process grph. It siclly consists of set of nodes together with set of lelled edges etween these nodes. A node represents system stte, while lelled edge represents trnsition from one system stte to the next. Tht is, if the process grph contins n edge s s, then the process grph cn evolve from stte s into stte s y the execution of ction. One stte is selected to e the root stte, i.e., the initil stte of the process. Behviourl equivlences The sttes in process grphs re distinguished y some ehviourl equivlence. For exmple, such n equivlence my relte two process grphs if nd only if their root sttes cn execute exctly the sme strings of ctions. This tutoril focuses on isimilrity, which is the finest of ll known process equivlences. Bisimilrity requires not only tht two process grphs cn execute the sme strings of ctions, ut lso tht they hve the sme rnching structure. Bisimilrity is widely recognised s well-suited semntic notion when resoning out concurrent processes. Process lger terms For the purpose of mthemticl resoning it is often convenient to represent process grphs lgericlly in the form of terms. Process lger focuses on the specifiction nd mnipultion of process terms s induced y collection of opertor symols. This symolic nottion fcilittes mnipultion y computer. Most process lgers contin sic opertors to uild finite processes, communiction opertors to express concurrency, nd some notion of recursion to cpture infinite ehviour. Moreover, it is convenient to introduce two specil constnts: the dedlock enles us to force ctions into communiction, while the silent step llows us to strct wy from internl computtions. Structurl opertionl semntics Trnsition rules, which re inductive proof rules, provide ech process term with its intended process grph (see, e.g., [1]). We re going to present the process lger ACP τ with recursion in severl steps, strting from the sic process lger BPA. With every extension we need to check tht it is conservtive, mening tht the trnsition rules for the new opertors do not influence the ehviour of the old process lger terms. This cn e checked y inspecting the syntctic form of the trnsition rules. Moreover, the process lgeric opertors should e congruence with respect to isimilrity, mening tht if two process terms re isimilr, then they re lso isimilr under ny context. Agin this cn e checked y inspecting the syntctic form of the trnsition rules. Equtionl logic The crux of process lger is tht it imposes n equtionl logic on process terms tht is sound nd complete. Soundness mens tht if two process

3 Process Alger: An Algeric Theory of Concurrency 3 terms cn e equted then their process grphs re ehviourlly equivlent. Vice vers, completeness mens tht if two process terms hve ehviourlly equivlent process grphs, then they cn e equted. 3 Bsic Process Alger We strt with descriing sic process lger, denoted y BPA. 3.1 Syntx of BPA The core for process lger consists of the following opertors. First of ll, we ssume non-empty set A of (tomic) ctions, representing indivisile ehviour (such s reding dtum, or sending dtum). Ech tomic ction is constnt tht cn execute itself, fter which it termintes successfully: The predicte represents successful termintion fter the execution of ction. Moreover, we ssume inry opertor + clled lterntive composition. The term t 1 + t 2 represents the process tht executes the ehviour of either t 1 or t 2. In other words, the process grph of t 1 + t 2 is otined y joining the process grphs of t 1 nd t 2 t their root sttes: t 1 t 2 Finlly, we ssume inry opertor clled sequentil composition. The term t 1 t 2 represents the process tht executes first the ehviour of t 1, nd then the ehviour of t 2. In other words, the process grph of t 1 t 2 is otined y replcing ech successful termintion s in in the process grph of t 1 y trnsition s s, where s is the root of the process grph of t 2 : t 1 t 2 Exmple 1. Let,, c nd d e ctions. The sic process term (( + ) c) d represents the following process grph, with the root stte presented t the top:

4 4 Wn Fokkink c d Ech finite process grph cn e represented y process term tht is uilt from the set A of tomic ctions, +, nd. Such terms re clled sic process terms, nd the collection of ll sic process terms is clled sic process lger, revited to BPA. 3.2 Trnsition Rules of BPA We hve provided syntx for sic process terms, together with some intuition for the process grph tht elongs to such term. This reltionship hs to e mde forml in order for it to ecome relly meningful. For this purpose we pply structurl opertionl semntics. This involves giving collection of trnsition rules, which define trnsitions t t to express tht term t cn evolve into term t y the execution of ction, nd predictes t to express tht term t cn terminte successfully y the execution of ction. Tle 1 presents the trnsition rules tht constitute the structurl opertionl semntics of BPA. The vriles x, x, y nd y in the trnsition rules rnge over the collection of sic process terms, while v rnges over the set A of tomic ctions. Tle 1. Trnsition rules of BPA v v x v x + y v x v x x + y v x v y x + y v y v y x + y v y x v x y v y x v x x y v x y The trnsition rules of BPA provide ech sic process term with process grph, ccording to the intuition tht ws presented in the previous section: the first trnsition rule sys tht ech tomic ction v cn terminte successfully y executing itself; the next four trnsition rules express tht t + t ehves s either t or t ;

5 Process Alger: An Algeric Theory of Concurrency 5 the lst two trnsition rules express tht t t executes t until successful termintion, fter which it proceeds to execute t. Exmple 2. The trnsition rules in Tle 1 provide the sic process term (( + ) c) d with the following process grph (cf. Exmple 1): (( + ) c) d c d c d d For instnce, the trnsition (( + ) c) d c d cn e proved from the trnsition rules in Tle 1 s follows: ( v v, v := ) + y v ( x + y v, v :=, x :=, y := ) ( + ) c c ( x v x y v, v :=, x := +, y := c) y (( + ) c) d x v x c d ( x y v x y, v :=, x := ( + ) c, x := c, y := d) At the right-hnd side, the trnsition rules re displyed tht re pplied in the consecutive proof steps, together with the sustitutions tht re pplied to them. From now on, s inding convention we ssume tht inds stronger thn +. For exmple, + c represents ( ) + ( c). Occurrences of re often omitted from process terms; tht is, st denotes s t. 3.3 Bisimultion In the previous section, ech sic process term hs een provided with process grph using structurl opertionl semntics. Processes hve een studied since the erly 60 s,

6 6 Wn Fokkink first to settle questions in nturl lnguges, lter on to study the semntics of progrmming lnguges. These studies originlly focused on so-clled trce equivlence, in which two processes re sid to e equivlent if they cn execute exctly the sme strings of ctions. However, for system ehviour this equivlence is not lwys stisfctory, which is shown y the following exmple. Exmple 3. Consider the two processes elow: red(d) red(d) red(d) write 1 (d) write 2 (d) write 1 (d) write 2 (d) The first process reds dtum d, nd then decides whether it writes d on disc 1 or on disc 2. The second process mkes choice for disc 1 or disc 2 efore it reds dtum d. Both processes disply the sme strings of ctions, red(d)write 1 (d) nd red(d)write 2 (d), so they re trce equivlent. Still, there is crucil distinction etween the two processes, which ecomes pprent if for instnce disc 1 crshes. In this cse the first process lwys sves dtum d on disc 2, while the second process my get into dedlock (i.e., my get stuck). Bisimilrity, defined elow, is more discrimintive thn trce equivlence. Nmely, if two processes re isimilr, then not only they cn execute exctly the sme strings of ctions, ut lso they hve the sme rnching structure. For exmple, the two processes in Exmple 3 re not isimilr. A isimultion reltion B is inry reltion on sttes in process grphs such tht: 1. if s B t nd s s, then t t with s B t ; 2. if s B t nd t t, then s s with s B t ; 3. if s B t nd s, then t ; 4. if s B t nd t, then s. Two sttes s nd t re isimilr, denoted y s t, if there is isimultion reltion B such tht s B t. Exmple 4. ( + ) + ( + ). A isimultion reltion tht reltes these two sic process terms is defined y ( + ) B + ( + ), B, nd B +. This isimultion reltion cn e depicted s follows: ( + ) + ( + ) +

7 Process Alger: An Algeric Theory of Concurrency 7 Bisimilrity is congruence with respect to BPA. Tht is, if s s nd t t, then s + t s + t nd s t s t. This follows from the fct tht the trnsition rules in Tle 1 re in the so-clled pth formt [21]. 3.4 Axioms for BPA Checking whether the process grphs of two sic process terms re isimilr requires hrd lour. First these process grphs hve to e computed, nd next isimultion reltion hs to e estlished etween their root sttes. This section introduces n xiomtistion for BPA, to equte isimilr sic process terms. This voids the computtion of process grphs nd isimultion reltions ltogether. The xioms hve the dditionl dvntge tht they cn e used in utomted resoning, so tht they fcilitte mechnised derivtion tht two sic process terms re isimilr. We re fter n xiomtistion such tht the induced equlity reltion = on sic process terms chrcterises isimilrity over BPA in the following sense: 1. the equlity reltion is sound, mening tht if s = t holds for sic process terms s nd t, then s t; 2. the equlity reltion is complete, mening tht if s t holds for sic process terms s nd t, then s = t. Soundness ensures tht if terms cn e equted, then they re in the sme isimilrity clss, while completeness ensures tht isimilr terms cn lwys e equted. Tle 2. Axioms for BPA A1 x + y = y + x A2 (x + y) + z = x + (y + z) A3 x + x = x A4 (x + y) z = x z + y z A5 (x y) z = x (y z) Tle 2 presents n xiomtistion for BPA modulo isimilrity. The equlity reltion on sic process terms induced y this xiomtistion is otined y tking the set of sustitution instnces of A1-5, nd closing it under equivlence nd contexts. The xiomtistion A1-5 is sound for BPA modulo isimilrity. Since isimilrity is oth n equivlence nd congruence for BPA, it suffices to check the soundness of the individul xioms. Moreover, the xiomtistion is complete for BPA modulo isimilrity, mening tht s t implies s = t. This cn e proved y directing xioms A3-5 from left to right, so tht we otin term rewriting system (see, e.g., [20]). One cn show tht isimilr sic process terms reduce to the sme norml form, modulo the xioms A1,2. From now on, process terms re considered modulo ssocitivity of the +, nd we often write t 1 + t 2 + t 3 insted of (t 1 + t 2 ) + t 3 or t 1 + (t 2 + t 3 ).

8 8 Wn Fokkink 4 Alger of Communicting Processes Atomic ctions nd the opertors lterntive nd sequentil composition from the previous section provide reltively primitive tools to construct process grph. In generl, the size of sic process term is comprle to the size of the relted process grph. This section introduces opertors to express prllelism nd concurrency, which enle us to cpture lrge process grph y mens of comprtively smll process term. 4.1 Prllelism nd Communiction In prctice, process ehviour is often composed of severl processors tht re executed in prllel, where these seprte entities my influence ech other s execution. One could sy tht the processors re the uilding locks tht mke up the complete system, cemented together y mutul communiction ctions. In order to model such concurrent systems, we introduce the merge, which is inry opertor tht executes the two process terms in its rguments in prllel. Tht is, s t cn choose to execute n initil trnsition of s (i.e., trnsition s s or s ) or n initil trnsition of t. This is formlised y four trnsition rules for the merge: x v x v x y v y v y x y v y x y v x y x y v x x y v x y Moreover, s t cn choose to execute communiction etween initil trnsitions of s nd t. For this purpose we ssume communiction function γ : A A A, which produces for ech pir of tomic ctions nd their communiction γ(, ). This communiction function is required to e commuttive nd ssocitive; tht is, for,, c A, γ(, ) γ(, ) γ(γ(, ), c) γ(, γ(, c)). The next four trnsition rules for the merge express tht s t cn choose to execute communiction of initil trnsitions of s nd t: x v y w x v y w y x v x y w x v x y w y x y γ(v,w) x y γ(v,w) y x y γ(v,w) x x y γ(v,w) x y Exmple 5. Let the communiction of two tomic ctions from {,, c} lwys result in c. The process grph of the process term () () is depicted elow. This exmple shows tht the merge of two simple process terms produces reltively lrge process grph. This prtly explins the strength of theory of communicting processes, s this theory mkes it possile to drw conclusions out the full system y studying its seprte concurrent components.

9 Process Alger: An Algeric Theory of Concurrency 9 () () c () () c c c c c 4.2 Left Merge nd Communiction Merge Moller [16] proved tht there does not exist sound nd complete finite xiomtistion for BPA extended with the merge, modulo isimilrity. This prolem is overcome y defining two extr opertors, clled left merge nd communiction merge, which oth cpture prt of the ehviour of the merge. The left merge s t tkes its initil trnsition from the process term s, nd then ehves s the merge. This is expressed y two trnsition rules for the left merge, which correspond with the first two trnsition rules for the merge: x x v y v y x x v x y v x y The communiction merge s t executes s initil trnsition communiction etween initil trnsitions of the process terms s nd t, nd then ehves s the merge. This is expressed y four trnsition rules for the communiction merge, which correspond with the lst four trnsition rules for the merge: x v x y γ(v,w) y w x v y w y x y γ(v,w) y x v x y w x y γ(v,w) x x v x y w y x y γ(v,w) x y As inding convention we ssume tht,, nd ind stronger thn +. For exmple, + c represents ( ) + ( c). We refer to BPA extended with the three prllel opertors,, nd s PAP (for process lger with prllelism). The left nd communiction merge together cover the ehviour of the merge, in the sense tht s t (s t + t s) + s t. Nmely, s t cn execute either n initil trnsition of s or t, which is covered y s t or t s, respectively, or communiction of initil trnsitions of s nd t, which is covered y s t. The trnsition rules of PAP constitute conservtive extension of the ones of BPA, mening tht they do not influence the process grphs of sic process terms. Tht is, n

10 10 Wn Fokkink initil trnsition of sic process term is derivle from the trnsition rules of PAP if nd only if this trnsition cn e derived from the trnsition rules of BPA. This follows from the fct tht this extension dheres to the syntctic restrictions of the conservtive extension formt from [11]. Bisimilrity is congruence with respect to PAP. Agin this follows from the fct tht the trnsition rules of PAP re in the pth formt. 4.3 Axioms for PAP Tle 3 presents the xioms for the three prllel opertors modulo isimilrity. We lredy noted tht the merge cn e split into the left merge nd the communiction merge; this is exploited in xiom M1. Axioms LM2-4 nd CM5-10 enle us to eliminte occurrences of the left merge nd the communiction merge from process terms. The xioms for PAP re dded to the ones for BPA. Tle 3. Axioms for merge, left merge, nd communiction merge M1 x y = (x y + y x) + x y LM2 v y = v y LM3 (v x) y = v (x y) LM4 (x + y) z = x z + y z CM5 v w = γ(v, w) CM6 v (w y) = γ(v, w) y CM7 (v x) w = γ(v, w) x CM8 (v x) (w y) = γ(v, w) (x y) CM9 (x + y) z = x z + y z CM10 x (y + z) = x y + x z It cn e proved tht the resulting xiomtistion is sound nd complete for PAP modulo isimilrity. Agin, the completeness proof is sed on term rewriting nlysis, in which the xioms re directed from left to right. 4.4 Dedlock nd Encpsultion If two tomic ctions re le to communicte, then often we only wnt these ctions to occur in communiction with ech other, nd not on their own. For exmple, let the ction send(d) represent sending dtum d into one end of chnnel, while red(d) represents receiving this dtum t the other end of the chnnel. Furthermore, let the communiction of these two ctions result in trnsferring the dtum d through the chnnel y the ction comm(d). For the outside world, the ctions send(d) nd red(d) never pper on their own, ut only in communiction in the form comm(d).

11 Process Alger: An Algeric Theory of Concurrency 11 In order to enforce communiction in such cses, we introduce specil constnt δ clled dedlock, which does not disply ny ehviour. The communiction function γ is extended y llowing tht the communiction of two tomic ctions results in δ, i.e., γ : A A A {δ}. This extension of γ enles us to express tht two ctions nd do not communicte, y defining γ(, ) δ. Furthermore, we introduce unry encpsultion opertors H for sets H of tomic ctions, which renme ll ctions in H into δ. PAP extended with dedlock nd encpsultion opertors is clled the lger of communicting processes (ACP). Since the dedlock does not disply ny ehviour, there is no trnsition rule for this constnt. Furthermore, since the communiction of ctions cn result in δ, the lst four trnsition rules for the merge nd the four trnsition rules for the communiction merge need to e supplied with the requirement γ(v, w) δ. Finlly, the ehviour of the encpsultion opertors is cptured y the following trnsition rules, which express tht H (t) cn execute those trnsitions of t tht hve lel outside H: x v H (x) v v H x v x H (x) v H (x ) We give n exmple of the use of encpsultion opertors. v H Exmple 6. Suppose dtum 0 or 1 is sent into chnnel, which is expressed y the process term send(0) + send(1). Let this dtum e received t the other side of the chnnel, which is expressed y the process term red(0) + red(1). The communiction of send(d) nd red(d) results in comm(d) for d {0, 1}, while ll other communictions etween ctions result in δ. The ehviour of the chnnel is descried y the process term {send(0), send(1), red(0), red(1)} ((send(0) + send(1)) (red(0) + red(1))) The encpsultion opertor enforces tht the ction send(d) cn only occur in communiction with the ction red(d), for d {0, 1}. Bewre not to confuse trnsition of the form t δ with trnsition of the form t ; intuitively, the first trnsition expresses tht t gets stuck fter the execution of, while the second trnsition expresses tht t termintes successfully fter the execution of. A process term t is sid to contin dedlock if there re trnsitions t 1 t 2 1 n t n such tht the process term t n does not hve ny initil trnsitions (i.e., t n δ). In generl it is undesirle tht process contins dedlock, ecuse it represents tht the process gets stuck without producing ny output. Experience lerns tht nontrivil specifictions of system ehviour often contin dedlock. For exmple, the third sliding window protocol in [19] contined dedlock; see [14, Stelling 7]. It cn, however, e very difficult to detect such dedlock, even if one hs good insight into such protocol. Automted tools hve een developed to help with the detection of dedlocks in process lgeric frmework. ACP is conservtive extension of PAP, mening tht the trnsition rules for the encpsultion opertors do not influence the process grphs elonging to process terms

12 12 Wn Fokkink in PAP. Agin this follows from the fct tht this extension dheres to the syntctic restrictions of the conservtive extension formt. Moreover, isimilrity is congruence with respect to ACP, ecuse the trnsition rules of ACP re in the pth formt. Tle 4. Axioms for dedlock nd encpsultion A6 A7 x + δ = x δ x = δ D1 v H H(v) = v D2 v H H(v) = δ D3 H(δ) = δ D4 H(x + y) = H(x) + H(y) D5 H(x y) = H(x) H(y) LM11 δ x = δ CM12 δ x = δ CM13 x δ = δ Tle 4 presents xioms A6,7 for the dedlock, xioms D1-5 for encpsultion, nd xioms LM11 nd CM12,13 to del with the interply of the dedlock with left nd communiction merge. It cn e proved tht the resulting xiomtistion is sound nd complete for ACP modulo isimilrity. Agin, the completeness proof is sed on term rewriting nlysis, in which the xioms re directed from left to right. 5 Recursion Up to now we hve focused on finite processes. However, systems cn often exhiit infinite trces. In this section it is shown how such infinite ehviour cn e specified using recursive equtions. 5.1 Gurded Recursive Specifictions Consider the process tht lterntely executes ctions nd until infinity, with the root node presented t the top: Since ACP cn only specify finite ehviour, there does not exist process term in ACP with this (or isimilr) process grph. The process ove cn e cptured y mens of two recursive equtions:

13 Process Alger: An Algeric Theory of Concurrency 13 X = Y Y = X. Here, X nd Y re recursion vriles, which intuitively represent the two sttes of the process in which it is going to execute or, respectively. In generl, recursive specifiction consists of finite set of recursive equtions X 1 = t 1 (X 1,..., X n ). X n = t n (X 1,..., X n ) where the left-hnd sides X i re recursion vriles, nd the t i (X 1,..., X n ) t the right-hnd sides re process terms in ACP with possile occurrences of the recursion vriles X 1,..., X n. Process terms s 1,..., s n re sid to e solution for recursive specifiction {X i = t i (X 1,..., X n ) i {1,..., n}} (with respect to isimilrity) if s i t i (s 1,..., s n ) for ll i {1,..., n}. A recursive specifiction should represent unique process grph, so we wnt its solution to e unique, modulo isimilrity. Tht is, if s 1,..., s n nd s 1,..., s n re two solutions for the sme recursive specifiction, then s i s i for i {1,..., n}. However, there exist recursive specifictions tht llow more thn one solution modulo isimilrity. We give some exmples. Exmple 7. Let A. 1. All process terms re solution for the recursive specifiction {X=X}. 2. All process terms s tht cn execute n initil trnsition s re solution for the recursive specifiction {X=+X}. 3. All process terms tht cnnot terminte successfully re solution for the recursive specifiction {X=X}. The following exmple fetures recursive specifictions tht do hve unique solution modulo isimilrity. Exmple 8. Let, A. 1. The only solution for {X=Y, Y =X}, modulo isimilrity, is X nd Y. 2. The only solution for {X=Y, Y =X}, modulo isimilrity, is X nd Y. 3. The only solution for {X=(+) X}, modulo isimilrity, is X ( + )( + )( + ). A recursive specifiction llows unique solution modulo isimilrity if nd only if it is gurded. A recursive specifiction

14 14 Wn Fokkink X 1 = t 1 (X 1,..., X n ). X n = t n (X 1,..., X n ) is gurded if the right-hnd sides of its recursive equtions cn e dpted to the form 1 s 1 (X 1,..., X n ) + + k s k (X 1,..., X n ) l with 1,..., k, 1,..., l A, y pplictions of the xioms of ACP nd replcing recursion vriles y the right-hnd sides of their recursive equtions. The process term ove is llowed to hve zero summnds (i.e., k nd l cn oth e zero), in which cse it represents the dedlock δ. The recursive specifictions in Exmple 7 re ll ungurded; tht is, their right-hnd sides cnnot e rought into the desired form presented ove. The recursive specifictions in Exmple 8 re ll gurded. 5.2 Trnsition Rules for Gurded Recursion If E is gurded recursive specifiction, nd X recursion vrile in E, then intuitively X E denotes the process tht hs to e sustituted for X in the solution for E. For instnce, if E is {X=Y, Y =X}, then X E represents the process, while Y E represents the process ; see the first recursive specifiction in Exmple 8. We extend ACP with the constnts X E, for gurded recursive specifictions E nd recursion vriles X in E. Assume tht the gurded recursive specifiction E is of the form X 1 = t 1 (X 1,..., X n ). X n = t n (X 1,..., X n ). Gurded recursion is cptured y two trnsition rules which express tht the ehviour of the solutions X i E for the recursion vriles X i in E, for ech i {1,..., n}, is exctly the ehviour of its right-hnd side t i (X 1,..., X n ): t i ( X 1 E,..., X n E ) v X i E v t i ( X 1 E,..., X n E ) v y X i E v y Exmple 9. Let E denote {X=Y, Y =X}. The process grph of X E is X E Y E

15 Process Alger: An Algeric Theory of Concurrency 15 The trnsition X E Y E cn e derived from the trnsition rules s follows: ( v v, v := ) Y E Y E X E Y E ( x v xy v y, v :=, x :=, y := Y E ) ( Y E v y X E v, v :=, y := Y E ) y ACP with gurded recursion is conservtive extension of ACP, ecuse this extension dheres to the syntctic restrictions of the conservtive extension formt. Moreover, isimilrity is congruence with respect to ACP with gurded recursion, ecuse the trnsition rules of gurded recursion re in the pth formt. As n exmple of the use of gurded recursion we consider the g process over the set {0, 1}. Exmple 10. We specify process tht cn put elements 0 nd 1 into g, nd susequently collect these elements from the g in ritrry order. The ctions in(0) nd in(1) represent putting 0 or 1 into the g, respectively. Similrly, the ctions out(0) nd out(1) represent collecting 0 or 1 from the g, respectively. All communictions etween ctions result in δ. Initilly the g is empty, so tht one cn only put n element into the g. The process grph elow depicts the ehviour of the g over {0, 1}, with the root stte plced in the leftmost uppermost corner. Note tht this g process consists of infinitely mny non-isimilr sttes. out(1) out(1) out(1) in(0) in(0) in(0) out(0) out(0) out(0) in(1) out(1) in(1) out(1) in(1) in(0) out(0) in(0) out(0) in(0) out(0) in(1) out(1) in(1) out(1) in(1) in(0) in(0) in(0) out(0) out(0) out(0) in(1) out(1) in(1) out(1) in(1)...

16 16 Wn Fokkink The g over {0, 1} cn e specified y single recursive eqution, using the merge. Let E denote the gurded recursive specifiction X = in(0) (X out(0)) + in(1) (X out(1)). The process grph of X E is isimilr with the ehviour of the g over {0, 1} s depicted ove. Nmely, initilly X E cn only execute n ction in(d) for d {0, 1}. The susequent process term X E out(d) cn put elements 0 nd 1 in the g nd tke them out gin (y mens of the prllel component X E ), or it cn t ny time tke the initil element d out of the g (y mens of the prllel component out(d)). 5.3 Recursive Definition nd Specifiction Principles As efore, we wnt to fit gurded recursion into n xiomtic frmework. Tle 5 contins two xioms for gurded recursion, the recursive definition principle (RDP) nd the recursive specifiction principle (RSP). The gurded recursive specifiction E in the xioms is ssumed to e of the form X 1 = t 1 (X 1,..., X n ). X n = t n (X 1,..., X n ). Intuitively, RDP expresses tht X 1 E,..., X n E is solution for E, while RSP expresses tht this is the only solution for E modulo isimilrity. Tle 5. Recursive definition nd specifiction principles RDP X i E = t i( X 1 E,..., X n E ) (i {1,..., n}) RSP If y i = t i(y 1,..., y n) for ll i {1,..., n}, then y i = X i E (i {1,..., n}) The resulting xomtistion is sound for ACP with gurded recursion modulo isimilrity. However, it is not complete. For instnce, the following two symmetric gurded recursive specifictions of the g over {0, 1} (see Exmple 10) re isimilr, ut cnnot e proved equl y mens of the xioms: X = in(0) (X out(0)) + in(1) (X out(1)) Y = in(0) (out(0) Y ) + in(1) (out(1) Y ). (In this prticulr cse, this could e remedied y dding commuttivity xiom for the merge.)

17 Process Alger: An Algeric Theory of Concurrency 17 One cn prove tht the xiomtistion is complete for the suclss of liner recursive specifictions. A recursive specifiction is liner if its recursive equtions re of the form X = 1 X k X k l with 1,..., k, 1,..., l A. (The empty sum represents δ.) Note tht liner recursive specifiction is y defult gurded. A regulr process, which y definition consists of finitely mny sttes nd trnsitions, cn lwys e descried y liner recursive specifiction. Nmely, ech stte s in the regulr process cn e represented y recursion vrile X s. If stte s cn evolve into stte s y the execution of n ction, then this is expressed y summnd X s t the right-hnd side of the recursive eqution for X s. Moreover, if stte s cn terminte successfully y the execution of n ction, then this is expressed y summnd t the right-hnd side of the recursive eqution for X s. The result is liner recursive specifiction E, nd X s E s for ll sttes s in the regulr process. Vice vers, liner recursive specifiction lwys gives rise to regulr process. 6 Astrction If customer sks progrmmer to implement product, idelly this customer is le to provide the externl ehviour of the desired progrm. Tht is, he or she is le to tell wht should e the output of the progrm for ech possile input. The progrmmer then comes up with n implementtion. The question is, does this implementtion relly disply the desired externl ehviour? To nswer this question, we need to strct wy from the internl computtion steps of the progrm. 6.1 Rooted Brnching Bisimultion In order to strct wy from internl ctions, we introduce specil constnt τ, clled the silent step. Intuitively, τ-trnsition represents sequence of internl ctions tht cn e eliminted from process grph. As ny tomic ction, the constnt τ cn execute itself, fter which it termintes successfully. This is expressed y the trnsition rule τ τ From now on, v nd w in the trnsition rules nd the xioms of ACP with gurded recursion rnge over A {τ}. (So the trnsition rule for tomic ctions in Tle 1 yields the trnsition rule for the silent step τ presented ove.) The domin of the communiction function γ is extended with the silent step, γ : A {τ} A {τ} A {δ}, y defining tht ech communiction involving τ results in δ. In the presence of the silent step τ, isimilrity is no longer stisfctory process equivlence. Nmely, if process terms s nd t re equivlent, nd s cn execute n ction τ, then it need not e the cse tht t cn simulte this τ-trnsition of s y the execution of n ction τ. The intuition for the silent step, tht it represents n internl computtion

18 18 Wn Fokkink in which we re not relly interested, sks for new process equivlence. The question tht we must pose ourselves is: which τ-trnsitions re truly silent? The ovious nswer to this question, ll τ-trnsitions re truly silent, turns out to e incorrect. Nmely, this nswer would produce n equivlence reltion tht does not preserve dedlock ehviour. As n exmple of n ction τ tht is not truly silent, consider the process terms + τδ nd. If the τ in the first term were truly silent, then these two terms would e equivlent. However, the process grph of the first term contins dedlock, +τδ τ δ, while the process grph of the second term does not. Hence, the τ in the first term is not truly silent. In order to descrie this cse more vividly, we give n exmple. Exmple 11. Consider protocol tht first receives dtum d vi chnnel 1, nd then communictes this dtum vi chnnel 2 or vi chnnel 3. If the dtum is communicted through chnnel 2, then it is sent into chnnel 4. If the dtum is communicted through chnnel 3, then it gets stuck, s the susequent chnnel 5 is roken. So the system gets into dedlock if the dtum d is trnsferred vi chnnel 3. This dedlock should not dispper if we strct wy from the internl communiction ctions vi chnnels 2 nd 3, ecuse this would cover up n importnt prolem of the protocol The system, which is depicted ove, is descried y the process term {s5(d)}(r 1 (d) (c 2 (d) s 4 (d) + c 3 (d) s 5 (d))) D1,2,4,5 = r 1 (d) (c 2 (d) s 4 (d) + c 3 (d) δ) where s i (d), r i (d), nd c i (d) represent send, red, nd communiction ction of the dtum d vi chnnel i, respectively. Astrcting wy from the internl ctions c 2 (d) nd c 3 (d) in this process term yields r 1 (d) (τ s 4 (d)+τ δ). The second τ in this process term cnnot e deleted, ecuse then the process would no longer e le to get into dedlock. Hence, this τ is not truly silent. As further exmple of τ-trnsition tht is not truly silent, consider the process terms +τ nd +. We rgued previously tht the process terms {} (+τ) = +τδ nd {} (+) = re not equivlent, ecuse the first term contins dedlock while the second term does not. Hence, + τ nd + cnnot e equivlent, for else the envisioned equivlence reltion would not e congruence. Prolems with dedlock preservtion nd congruence cn e voided y tking more restrictive view on strcting wy from silent steps. A correct nswer to the question

19 Process Alger: An Algeric Theory of Concurrency 19 which τ-trnsitions re truly silent? turns out to e those τ-trnsitions tht do not lose possile ehviours! For exmple, the process terms + τ( + ) nd + re equivlent, ecuse the τ in the first process term is truly silent: fter execution of this τ it is still possile to execute. In generl, process terms s + τ(s + t) nd s + t re equivlent for ll process terms s nd t. By contrst, in process term such s + τ the τ is not truly silent, since execution of this τ mens losing the option to execute. The intuition ove is formlised in the notion of rnching isimilrity. Let the process terms s nd t e rnching isimilr. If s τ s, then t does not hve to simulte this τ-trnsition if it is truly silent, mening tht s nd t re rnching isimilr. Moreover, non-silent trnsition s s need not e simulted y t immeditely, ut only fter numer of truly silent τ-trnsitions: t τ τ t 0 t, where s nd t 0 re rnching isimilr (to ensure tht the τ-trnsitions re truly silent) nd s nd t re rnching isimilr (so tht s s is simulted y t 0 t ). A specil termintion predicte is needed in order to relte rnching isimilr process terms such s τ nd. Assume specil termintion predicte, nd let represent stte with. A rnching isimultion reltion B is inry reltion on sttes in process grphs such tht: 1. if s B t nd s s, then - either τ nd s B t; - or there is sequence of (zero or more) τ-trnsitions t τ s B t 0 nd t 0 t with s B t ; 2. if s B t nd t t, then - either τ nd s B t ; - or there is sequence of (zero or more) τ-trnsitions s τ τ t 0 such tht τ s 0 such tht s 0 B t nd s 0 s with s B t. 3. if s B t nd s, then there is sequence of (zero or more) τ-trnsitions t τ t 0 such tht s B t 0 nd t 0 ; 4. if s B t nd t, then there is sequence of (zero or more) τ-trnsitions s τ s 0 such tht s 0 B t nd s 0. Two sttes s nd t re rnching isimilr, denoted y s t, if there is rnching isimultion reltion B such tht s B t. Exmple τ( + ) τ( + ) +. A rnching isimultion reltion tht reltes these two process terms is defined y + τ( + ) B τ( + ) +, + B τ( + ) +, + τ( + ) B +, + B +, nd B. This reltion cn e depicted s follows: τ τ

20 20 Wn Fokkink + τ( + ) τ( + ) + τ τ + + It is left to the reder to verify tht this reltion stisfies the requirements of rnching isimultion reltion. Brnching isimilrity stisfies notion of firness. Tht is, if n exit from τ- loop exists, then no infinite execution sequence will remin in this τ-loop forever. The intuition is tht there is zero chnce tht no exit from the τ-loop will ever e chosen. For exmple, it is not hrd to see tht X X = τx + nd re rnching isimilr. Brnching isimilrity preserves lrge clss of interesting properties (including dedlock ehviour) [7]. See [13] for n exposition on why rnching isimilrity constitutes sensile equivlence reltion to strct wy from internl computtions. Brnching isimilrity is n equivlence reltion; see [4]. However, it is still not congruence with respect to BPA. For exmple, nd τ re rnching isimilr, ut we lredy rgued tht + nd + τ re not rnching isimilr. This prolem cn e overcome y dding rootedness condition: initil τ-trnsitions re never truly silent. In other words, two sttes re considered equivlent if they cn simulte ech other s initil trnsitions, such tht the resulting sttes re rnching isimilr. This leds to the notion of rooted rnching isimilrity. A rooted rnching isimultion reltion B is inry reltion on sttes in process grphs such tht: 1. if s B t nd s s, then t t with s t ; 2. if s B t nd t t, then s s with s t ; 3. if s B t nd s, then t ; 4. if s B t nd t, then s. Two sttes s nd t re rooted rnching isimilr, denoted y s r t, if there is rooted rnching isimultion reltion B such tht s B t. Since rnching isimilrity is n equivlence reltion, it is not hrd to see tht rooted rnching isimilrity is lso n equivlence reltion. Brnching isimilrity includes rooted rnching isimilrity, which in turn includes isimilrity: r. In the sence of τ (for exmple, in ACP), isimilrity nd rnching isimilrity induce exctly the sme equivlence clsses. In other words, two process terms in ACP re isimilr if nd only if they re rnching isimilr. 6.2 Gurded Liner Recursion Revisited Assume recursive specifiction E tht consists of liner recursive equtions X i = t i (X 1,..., X n ) for i {1,..., n}. Since from now on we consider process terms in

21 Process Alger: An Algeric Theory of Concurrency 21 the setting of rooted rnching isimilrity, process terms s 1,..., s n re sid to e solution for E (with respect to rooted rnching isimilrity) if s i r t i (s 1,..., s n ) for i {1,..., n}. In the setting with the silent step, the notion of gurdedness, which ims to clssify those recursive specifictions tht hve unique solution modulo the process equivlence under considertion, needs to e dpted. For exmple, ll process terms τ s re solutions for the recursive specifiction X = τx, ecuse τs r ττs holds for ll process terms s. Hence, we consider such recursive specifiction to e ungurded. The notion of gurdedness is extended to liner recursive specifictions tht involve silent steps y requiring the sence of τ-loops. A recursive specifiction is liner if its recursive equtions re of the form X = 1 X k X k l with 1,..., k, 1,..., l A {τ}. A liner recursive specifiction E is gurded τ if there does not exist n infinite sequence of τ-trnsitions X E X τ E X E τ. The gurded liner recursive specifictions re exctly the liner recursive specifictions tht hve unique solution, modulo rooted rnching isimilrity. ACP with silent step gurded liner recursion constitutes conservtive extension of ACP with liner recursion, ecuse this extension dheres to the syntctic restrictions of the conservtive extension formt. Moreover, rooted rnching isimilrity is congruence with respect to ACP silent step nd gurded liner recursion. This follows from the fct tht the trnsition rules re in the RBB cool formt from [9]. Tle 6 presents the xioms B1,2 for the silent step, modulo rooted rnching isimilrity. Tle 6. Axioms for the silent step B1 v τ = v B2 v (τ (x + y) + x) = v (x + y) The resulting xiomtistion is sound for ACP with silent step nd gurded liner recursion, modulo rooted rnching isimilrity. Moreover, it cn e shown tht the xiomtistion is complete, see [12]. 6.3 Astrction Opertors We introduce unry strction opertors τ I, for susets I of A, which renme ll tomic ctions in I into τ. The strction opertors enle us to strct wy from the internl computtion steps of n implementtion. The ehviour of the strction opertors is cptured y the following trnsition rules, which express tht in τ I (t) ll lels of trnsitions of t tht re in I re renmed into τ:

22 22 Wn Fokkink x v v τ I (x) v v I x x τ I (x) v τ I (x ) x v v τ I (x) τ v I x x τ I (x) τ τ I (x ) v I v I ACP extended with silent step nd strction opertors is denoted y ACP τ. ACP τ once gin constitutes conservtive extension of ACP, ecuse this extension dheres to the syntctic restrictions of the conservtive extension formt. Moreover, rooted rnching isimilrity is congruence with respect to ACP τ with gurded liner recursion, ecuse the trnsition rules re in the RBB cool formt. Tle 7 presents xioms for the strction opertors, modulo rooted rnching isimilrity. Tle 7. Axioms for strction opertors TI1 v I τ I(v) = v TI2 v I τ I(v) = τ TI3 τ I(δ) = δ TI4 τ I(x + y) = τ I(x) + τ I(y) TI5 τ I(x y) = τ I(x) τ I(y) The resulting xiomtistion is sound for ACP τ with gurded liner recursion modulo rooted rnching isimilrity. However, to otin complete xiomtistion, we need one more proof principle. 6.4 Cluster Fir Astrction Rule Although τ-loops re prohiited in gurded liner recursive specifictions, they cn e constructed using n strction opertor. For exmple, τ {} ( X X=X ) cn only execute τ s until infinity. This oservtion motivtes the following distinction etween specifile nd constructile regulr processes: specifile regulr processes re the process grphs elonging to process terms in ACP with silent step nd gurded liner recursion; constructile regulr processes re the process grphs elonging to process terms in ACP τ with gurded liner recursion. τττ is the simplest exmple of regulr process tht is constructile, eing the process grph of τ {} ( X X=X ), ut not specifile. In generl, constructile regulr process is specifile if nd only if it is free of τ-loops. One extr xiom is

23 Process Alger: An Algeric Theory of Concurrency 23 needed to equte process terms of which the regulr process grphs re constructile ut not specifile. For exmple, τ {} ( X X=X ) r τ {,} ( Y Y =Z, Z=Y ) ecuse oth process terms execute τ s until infinity. However, these process terms cnnot e equted y mens of the xioms, due to the gurdedness restriction on RSP, which is essentil for the soundness of this xiom. In order to get rid of τ-loops, we introduce the notion of fir strction. For exmple, let E denote the following gurded liner recursive specifiction: X 1 = X 2 + s 1. X n 1 = X n + s n 1 X n = X 1 + s n for some A. The process term τ {} ( X 1 E ) executes τ-trnsitions tht re the result of strcting wy from the occurrences of in front of the recursion vriles X i, until it exits this τ-loop y executing one of the process terms τ {} (s i ) for i {1,..., n}. Note tht the trnsitions in the τ-loop re ll truly silent, ecuse they do not lose possile ehviours; fter the execution of such τ, it is still possile to execute ny of the process terms τ {} (s i ) for i {1,..., n}. Fir strction sys tht τ {} ( X 1 E ) does not sty in the τ-loop forever, so tht t some time it will strt executing τ {} (s i ). Hence, τ {} ( X 1 E ) r τ {} (s 1 + τ(s s n )). Nmely, initilly τ {} ( X 1 E ) cn execute either τ {} (s 1 ) or τ. In the ltter cse, this initil (so non-silent) τ-trnsition is followed y the execution of series of truly silent τ s in the τ-loop, until one of the process terms τ {} (s i ) for i {1,..., n} is executed. We now present n xiom to eliminte cluster of τ-trnsitions, so tht only the exits of such cluster remin. First, precise definition is needed of cluster nd its exits. Let E e gurded liner recursive specifiction, nd I A. Two recursion vriles X nd Y in E re in the sme cluster for I if nd only if there exist sequences of trnsitions X E 1 m Y E nd Y E c1 c n X E with 1,..., m, c 1,..., c n I {τ}. or X is n exit for the cluster C if nd only if: 1. or X is summnd t the right-hnd side of the recursive eqution for recursion vrile in C; nd 2. in the cse of X, either I {τ} or X C. Tle 8 presents n xiom clled cluster fir strction rule (CFAR) for gurded liner recursive specifictions. CFAR llows us to strct wy from cluster of ctions tht re renmed into τ, fter which only the exits of this cluster remin. In Tle

24 24 Wn Fokkink 8, E is gurded liner recursive specifiction. Owing to the presence of the initil ction τ t the left- nd right-hnd side of CFAR, the initil τ-trnsitions of τ I ( X E ) cn e truly silent. If the set of exits is empty, then the empty sum t the right-hnd side of CFAR represents δ. Tle 8. Cluster fir strction rule CFAR If in E, X is in cluster for I with exits {v 1Y 1,..., v my m, w 1,..., w n}, then τ τ I( X E ) = τ τ I(v 1 Y 1 E + + v m Y m E + w w n) The resulting xiomtistion (the xioms for ACP τ together with RDP, RSP nd CFAR) is sound nd complete for ACP τ with gurded liner recursion modulo rooted rnching isimilrity, see [8]. 7 Alternting Bit Protocol So fr we hve presented stndrd frmework ACP τ with gurded liner recursion for the specifiction nd mnipultion of concurrent processes. Summrising, it consists of sic opertors (A, +, ) to define finite processes, communiction opertors (,, ) to express prllelism, dedlock nd encpsultion (δ, H ) to force tomic ctions into communiction, silent step nd strction (τ, τ I ) to mke internl computtions invisile, nd gurded liner recursion ( X E ) to cpture regulr processes. These constructs form solid sis for the nlysis of wide rnge of systems. In prticulr, the frmework is suitle for the specifiction nd verifiction of network protocols. For such verifiction, the desired externl ehviour of the protocol is represented in the form of process term tht is in generl uilt from the sic opertors of BPA together with liner recursion. Moreover, the implementtion of the protocol is represented in the form of process term tht involves the sic opertors, the three prllel opertors, nd liner recursion. Next, the internl send nd red ctions of the implementtion re forced into communiction using n encpsultion opertor, nd the internl communiction ctions re mde invisile using n strction opertor, so tht only the input/output reltion of the implementtion remins. If the two process terms cn e equted y the xioms, then this proves tht the process grphs elonging to the desired externl ehviour nd to the input/output reltion of the implementtion re rooted rnching isimilr. An lterntive to n equtionl correctness proof is to verify tht the sttes in the process grph ove stisfy desirle properties, expressed in some temporl logic (see, e.g., [18]). Such utomted techniques to nlyse process grphs re clled model checking. µcrl [6, 10] is toolset for nlysing process lgeric specifictions in ACP comined with strct dt types; it supports equtionl proofs with theorem prover, s well s genertion of process grphs nd model checking.

25 Process Alger: An Algeric Theory of Concurrency Specifiction of the ABP As n exmple, we show how the Alternting Bit Protocol (ABP) [3] cn e specified in this frmework. Suppose two rmies hve greed to ttck city t the sme time. The two rmies reside on different hills, while the city lies in etween these two hills. The only wy for the rmies to communicte with ech other is y sending messengers through the hostile city. This communiction is inherently unsfe; if messenger is cught inside the city, then the messge does not rech its destintion. The prdox is tht in such sitution, the two rmies re never le to e 100% sure tht they hve greed on time to ttck the city. Nmely, if one rmy sends the messge tht it will ttck t sy 11m, then the other rmy hs to cknowledge reception of this messge, rmy one hs to cknowledge the reception of this cknowledgement, et ceter. The ABP is method to ensure successful trnsmission of dt through corrupted chnnel (such s messengers through hostile city). This success is sed on the ssumption tht dt cn e resent n unlimited numer of times, nd tht eventully ech dtum will e communicted through the chnnel successfully. The protocol lyout is depicted elow. A Sender B Receiver C D Dt elements d 1, d 2, d 3,... from finite set re communicted etween Sender nd Receiver. If the Sender reds dtum from chnnel A, then this dtum is communicted through chnnel B to the Receiver, which sends the dtum into chnnel C. However, chnnel B is corrupted, so tht messge tht is communicted through this chnnel cn e turned into n error messge. Therefore, every time the Receiver receives messge vi chnnel B, it sends n cknowledgement to the Sender vi chnnel D, which is lso corrupted. In the ABP, the Sender ttches it 0 to dt elements d 2k 1 nd it 1 to dt elements d 2k, when they re sent into chnnel B. As soon s the Receiver reds dtum, it sends ck the ttched it vi chnnel D, to cknowledge reception. If the Receiver receives corrupted messge, then it sends the previous cknowledgement to the Sender once more. The Sender keeps on sending pir (d i, ) s long s it receives the cknowledgement 1 or. When the Sender receives the cknowledgement, it strts sending out the next dtum d i+1 with ttched it 1, until it receives the cknowledgement 1, et ceter. Alterntion of the ttched it enles the Receiver to determine whether received dtum is relly new, nd lterntion of the cknowledgement enles the Sender to determine whether it cknowledges reception of dtum or of n error messge. We give liner recursive specifiction of the ABP in process lger. First, we specify the Sender in the stte tht it is going to send out dtum with the it ttched to it, represented y the recursion vrile S for {0, 1}: