A calculus of communicating systems

Lecture Notes in Computer Science Edited by G. Goos and J. Hartmanis

92 IIII

Robin Milner

A Calculus of Communicating Systems

Springer-Verlag Berlin Heidelberg New York 1980

Editorial Board

W. Brauer P. Brinch Hansen D. Gries C. Moler G. SeegmiJIler J..q;toer N. Wirth Author

Robin Milner University of Edinburgh Dept. of Computer Science James Clerk Maxwell Building The King's Buildings Mayfield Road Edinburgh EH9 3JZ Great Britain

AMS Subject Classifications (1979): 68-02 CR Subject Classifications (1974): 4.30, 5.20, 5.22, 5.24 ISBN 3-540-10235-3 Springer-Verlag Berlin Heidelberg New York ISBN 0-38?-10235-3 Springer-Verlag NewYork Heidelberg Berlin Library of Congress Cataloging in Publication Data. Milner, Robin. A calculus of communicating systems. (Lecture notes in computer science; 92) Bibliography: p. Includes index, t. Machine theory. 2. Formal languages. I. Title. 11.Series. CIA26?.M53. 511.3 80-21068 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically those of translation, reprinting, re-use of illustrations, broadcasting, reproduction by photocopying machine or similar means, and storage in data banks. Under § 54 of the German Copyright Law where copies are made for other than private use, a fee is payable to the publisher, the amount of the fee to be determined by agreement with the publisher. © by Springer-Verlag Berlin Heidelberg 1980 Printed in Germany Printing and binding: Beltz Offsetdruck, Hemsbach/Bergstr. 9145/3140-543210

work was mainly done during my six-month appo_i n - - t , ~ t

frcm

1979 to January 1980, at the Ommouter Science deoalb~ent in

Aarhus University, ~ k .

Although much of the ground work had been

done previously it was mainly in response to their encouragement (to make the theory more accessible and related to practice), and to their informed criticism, that the material reached a scmewhat coherent form. I an deeply grateful to them and their students for allowing me to lecture once a week on what was, at first, a loosely connected set of ideas, and for the welccming enviromnent in which I was able to put the ideas in order.

I also thank Edinburgh University for awarding me

five months sabbatical leave subsequently, which helped me to cc~plete the task in a reasonable time. The calculus presented here 9~ew out of work which was inspired by Dana Scott's theory of computation, though it has since diverged in some respects. Plotkin;

At every stage I have been influenced by Gordon

even where I cannot trace particular ideas to him I have

been greatly illtmlinated by our discussions and by his chance remarks, and without them the outccme would certainly be less than it is. would also like to thank others with whom I have worked: with whom I worked out the Laws of Flow Algebra;

I

George Milne,

Matthew Hennessy, with

whcm the notion of observation equivalence developed;

and Tony Hoare,

whose parallel work cn different but strongly related ideas, expressed in his "Ccamtmicating Sequential Processes", has been a strong stimulus. Many people have given detailed and helpful criticisms of the manuscript, and thus improved its final form.

In particular I thank Michael

Gordon and David MacQueem, who went through it all in detail in a Seminar at the Information Sciences Institute, University of California;

this

not only exposed same mistakes and obscurities but gave me more csnfidence in the parts they didn't criticise. Finally, I am very thank~=ul to Dorothy McKie and Gina Temple for their patience and skill in the long and involved task of typing.

O.

Introduction Purpose - Character - Related ~ r k

!.

- Evolution - Outline.

Emperimentin 9 on Nondeterministic Machines Traditional equivalence of finite state acceptors - E x p e r ~ t i n g upon acceptors - Behaviour as a tree - Algebra of RSTs Unobservable acticns.

2.

S[nchronizaticn

19

Mutual experimentation - Composition,

restriction and relabelling -

Extending the Algebra of STs - A sinple ~ l e :

binary semaphores -

The ST Expansion Theorem.

3.

A case study in synchronizaticn and proof t e ~ i q u e s

33

A scheduling problem - Building the scheduler as a Petri Net Observation equivalence - Proving the scheduler.

4.

Case studies in value-cc~6~1~dnication Review - Passing values - An exanple: An example:

5.

47 Data Flow - Derivations -

Zero searching.

65

Syntax and Semantics of CCS Introduction - Syntax - Semantics by derivations - Defining behaviour identifiers - Sorts and programs - Direct equivalence of behaviour programs - Congruence of behaviour programs - Congruence of behaviour expressions and the Expansion ~neorem.

6.

Cu,,~!~cation Trees (CTs) as a model of CCS CTs and the dynamic o p e r a t i c n s CTs defined by recursion - A ~ c

84

C'fs and the static operations actions and derivations of CTs -

Strong equivalence of CTs - Equality in the CT model - S ~ .

7.

Cb~ticn

~_iivalence and its properties

Review - Observation equi%ralence in CCS - Observation oongruence Laws of observation congruence - Proof ted%niques - Proof of Theor~n 7.7 - Further exercises.

98

VJ

8.

111

Some proofs about Data Structures Introduction - Registers and mamories - Chaining operations Pushdc~s

9.

and queues.

126

Translaticn into CCS Discussion - The language P - Sorts and auxiliary definiticns Translation of P - Adding pzocedures to P - Protection of resources.

i0.

~tezminacy

138

and Confluence

Discussion - Strong confluence - ~ i t e ccnfluence - Strcng determinacy: Proof in DCCS:

guards and the use of

Confluent detezminate CCS -

the scheduler again - abservaticn confluence and

detezminacy.

II.

158

Conclusion What has been achieved? - Is OCS a programming language? The question of fairness - The notion of behaviour - Directions for further work.

~

:

References

Properties of cc~gruence and equivalence.

166

16 9

CHAPTER

0

Introduction

O.i

Pu~se These notes present a calculus of concurrent systems.

is partly infozrflal, and aimed

at practice;

The presentation

we unfold the calculus through

the medium of examples each of which illustrates first its expressive power, and second the techniques which it offers for verifying properties of a system. A useful calculus, of cGmputing systems as of anything else, must have a high level of articulacy in a full sense of the word implying not only rid%ness in expression but also flexibility in manipulation.

It should be

possible to describe existing systems, to specify and progr~n new systems, and to argue mathematically about them, all without leaving the notational frame%~rk of the calculus. These are demanding criteria, and it may be impossible to meet them even for the full range of concurrent syst~ns which are the proper concern of a ccmputer scientist, let alone for syste~ns in general. n~st be made.

But the attempt

We believe that our calculus succeeds at least to this extent:

the sane notations are used both in defining and in reasoning about systems, a n d - as our examples will show - it appears to be applicable not only to prograns (e.g. operating systems or parts of them) but also to data structures and, at a certain level of abstraction,

to hardware systems.

For

the latter however, we do not claim to reach the detailed level at which the correct functicr/ng of a s y s t ~ depends on timing considerations. Apart from artioulacy, we aim at an underlying, theory whose basis is a small well-knit collection of ideas and which justifies the manipulations of the calculus.

~nis is as important as generality - perhaps even mere

in~portant. Any theory will be superseded sooner or latem;

during its life,

understanding it and assessing it are only possible and worthwhile if it is seen as a logical 9~owth frcm rather fewbasic assumptions and concepts. We take this further in the next section, where we introduce our chosen conoeptual basis. One purpose of these notes is to provide material for a graduate course. With this in mind (indeed, the notes grew as a graduate course at Aarhus University in A u t ~

1979) we have tried to find a good expository sequence,

and have cmitted scme parts of the theory - which will appear in technical publications - in favour of case studies.

There are plenty of exercises,

and anyone who bases a course on the notes should be able to think of others; one pleasant feature of concurrent systems is the wealth and variety of small but non-trivial e~maples'

We could have included many more examples

in the text, and thereby given greater evidence for the fairly wide applicability of the calculus;

but, since

our main

aim is to present

it as a calculus, it seemed a good rule that every example program or syste~ should be subjected to scrne proof or to same manipulation.

O.2

Character Our calculus if founded on two central ideas.

The first is Observation;

we aim to describe a ooncurrent system fully enough to determine e~mctly what behaviour will be seen or experienced by an external observer. the approach is tho~oughly extensional;

Thus

two systems are indistinguishable

if we cannot tell the~ apart without pulling thegn apart.

We therefore

give a fomaal definition of observation equivalence (in Chapter 7) and investigate its properties. This by no meaD~ prevents us frcm studying the structure of systems. Every interesting concurrent system is built frcrn independent agents which ccmmunicate, and s~nchronized communication is our second central idea. We regard a cut~t~nication between two component agents as an indivisible action of the ccr~0osite system, and the heart of our algebra of systems is concurrent c c ~ s i t i o n ,

a binary operation which c c ~ e s

pendent agents, allowing thegn to coma~anicate.

two inde-

It is as eentral for us

as sequential ccmioosition is for sequential programming, and indeed subsumes the latter as a special case.

Since for us a program or system description

is just a tel~n of the calculus, the structure of the program or system (its intension) is reflected in the structure of the term.

Our ~nanipulations

often consist of transfozndng a tezm, yielding a term with different intension but identical behaviour (extension).

Such transfozmations az~ faniliar

in sequential progranmiing, where the extension may just be a mathematical function (the "input/output be/qaviour"); for concurrent systems however, it seer,s clear that functions are inadequate as extensions. These two central ideas are really one.

For we suppose that the only

way to observe a system is to o.xL'municate with it, which r0akes the observer

and system together a larger system.

The other side of this ooin is

that to place two ccr~ponents in ~ c a t i o n is just to let them observe each other.

(i.e. to cc~pose them) If observing and cut~u~cating

are the s~ne, it follows that one cannot Observe a syste~ without its participation.

The analogy with quantum physics may or may not be super-

ficial, but the approach is unifying and appears natural. We call the calculus CCS (Calculus of C~m.~nicating Systems). temps of CCS stand for behaviours to equational laws.

(extensions)of systems and are subject

This gives us an algebra, and we are in agreement

with van Erode Boas and Janssen [EHJ] who argue that ~rege's

principle

of ocmpositionality of meaning requires an algebraic framework. is s ~ a t

The

more than algebra;

But CCS

for example, derivatives and derivations

of terms play an inportant part in describing the dynamics of behaviours. The variety of systems which can be expressed and discussed in CCS is illustrated by the exanples in the text:

an agent for scheduling

task perfomaance by several other agents (Chapter 3);

'data flow'

cc~putations and a concurrent n%~rerical algorithm (Chapter 4); devices and data structures (Chapter 8); parallel progranlming language (Chapter 9).

n~mnory

semantic description of a In addition, G. Milne [Mln 33

modelled and verified a peripheral hardware device - a cardreader - using an earlier version of the present ideas. After these remarks, the character of the calculus is best discovered by a quick look through Chapters 1-4, ignoring tedanical details.

§O.5

(Outline) may also help, but the next two sections are not essential for a quick appraisal.

O. 3

Related Work At present, the most fully developed theory of concurrency is that

of Petri and his colleagues.

(See for example C.A. Petri, "Introduction

to General Net ~heory" [Pet3, and H.J. Genrich, K. Lautenbach, P.S. Thiagarajan, "An Overview of Net Y~leory" [GLT].)

It is i~portant to

contrast our calculus with Net Theory, in tez~as of underlying concepts. For Net Theory, a (perhaps the) basic notion is the concurrenc~ relation system;

over the places (conditions)

and transitions (events) of a

if two events (say) are in this relation, it indicates that

they a~e causally independent and may occur in either order or simultaneously.

This relation is conspicuously absent in our theory, at

least as a basic notion.

Hen

we o ~ p o s e two agents it is the synchroni-

zation of their mutual cc~amlnications which d e t ~ e s

the cc~oosite;

we

treat their independent actions as occurring in arbitrary order but not simultaneously.

The reason is that we assLlre of our external observer

that he can make only one observation at a time;

this i~plies that he

is blind to the possibility that the syst~n can support two observations simultaneously, so this possibility is irrelevant to the extension of the systea in our sense.

This assumption is certainly open to (extensive')

debate, but gives our calculus a sinplicity which would be absent otherwise.

To answer the natural objection that it is unwieldy to consider all

possible sequences (interleavings) of a set of causally independent events, we refer the reader to our case studies, for exanple in Chapters 3 and 8, to satisfy himself that our methods can avoid this unwieldiness almost

~Zetely. Cn the other hand, Net Theory provides many strong analytic techniques; we must justify the proposal of another theory. is upon synthesis and upon extension;

The emphasis in our calculus

algebra appears to be a natural tool

for expressing how systems are built, and in showing that a system meets its specification we are demanding properties of its extension.

~

activity

of programming - more generally, of system synthesis - falls naturally into CCS, and we believe our approach to be more articulate in this respect than Net Theory, at lea_st on present evidence.

It remains for us to

develop analytic techniques to match these of ~Net Theory, whose achievements will be a valuable guide. As a bridge between Net Theory and programming languages for concurrency, we should mention the early work of Karp and Miller [KM] on parallel program schemata.

This work bears a relation to Net Theory in yielding an

analysis of properties of concurrent systems, such as deadlock and liveness; it also esmes closer to programming (in the ccnventional sense), being a generalisaticn

of the familiar notion of a sequential flow chart.

In recent proposals for concurrent programming languages there is

a

trend towards direct ccrm~nication between cc~i0onents or modules, and away from c~i~unication through shared registers or variables.

Examples are:

N. Wirth "MCDUIA:

A language for modular multiprogramling", [Wir];

P. Brinch Hansen "Distributed Processes; [Bri 2];

a concurrent programming ccnoept",

C.A.R. Hoare "C~ti~nicating Sequential Processes", [Hoa 3].

Hoare's "monitors" [Hoa 2] gave a discipline for the administration of shared resources in concurrent programming.

These papers have helped

towards understanding the art of concurrent programming. differs frcm all of them in two ways:

Our calculus

first, it is not in the accepted

sense an imperative language - there are no commands, only expressions; second, it has evolved as part of a mathematical study.

In the author's

v i ~ it is hard to do mathematics with imperative languages, though one may add mathematics (or logic) to them to get a proof methodology, as in the well-known "assertion" method or Hoare's axicmatic method. One of the main encumbrances to proof in imperative languages is the presence of a more-or-less global m~mory (the assignable variables). was recognized by Hoare in "Communicating Sequential Processes"; CSP is imperative

~his

although

Hoare avoids one aspect of global m~nory which makes

concarrent programs hard to analyse, by forbidding any member of a set of concurrent programs to alter the value of a variable mentioned by another m~.

This significant step brings CSP quite close to our calculus, the

more so because the treatment of eutmunication is similar and expressed in similar notation.

Indeed, algorithms can often be translated easily from

one to the other, and it is reasonable to hope that a semantics and proof theory for CSP can be developed frGm CCS.

Hoare, in his paper and more

recently, gives encouraging evidencs for the expressiveness of CSP. We now turn to two models based on non-synchronized o~t,manication. One, with strong expressive power, is Hewitt's Actor Systems; reference is [HAL].

Here the ~ c a t i o n

a recent

discipline is that each

message sent by an actor will, after finite time, arrive at its destination actor ; no structure over waiting messages (e.g. ordering by send-time) is imposed.

This, together with the dynamic creation of actors, yields

an interesting programming method.

Hc~ever, it see~ns to the author that

the fluidity of structure in the model, and the need to handle the collection of waiting messages, poses difficulties for a tractable extensional theory. Another non-synchronized model, deliberately less expressive, was first studied by Kahn and relx)rted by him and MacQueen [KMQ].

Here the

interc~Li~t.~nicationof agents is via unbounded buffers and queues, the

whole being determinate.

Problems have arisen in extending it to non-

determinate systems, but many non-trivial algorithms find their best expression in this medit~n, and it is an example of applicative (i.e. non-imperative)

prograrmling which yields to extensional treatment by

the semantic techniques of Scott.

Moreover, Wadge [Wad] has recently

shown how simple calculations can demonstrate the livemess of such systems. A lucid oc~parative account of three approaches - Hewitt, Kahn/ MacQueen and Milner - is given in [MQ]. In Chapter 9 of these notes we show how one type of concurrent language - where ccmmmnication is via shared variables - may be derived frc~ or expressed in terms of CCS.

This provides sane evidence that our

calculus is rich in expression, but we certainly do not claim to be able to derive every language for concurrency. A rather different style of presenting a concurrent system is exer~olified by the path expressions of Campbell and Habermann [CaH]. Here the active parts of the system are defined separately from the constraints

(e.g. the path expressions) which dictate how they must

synchronize.

More recent work by Lauer, Shields and others - mainly

at Newcastle - shows that this model indeed yields to mathematical analysis.

A very different example of this separation is the elegant

work of Maggiolo-Schettini et al [ ~ ] ;

here the constraints are

presented negatively, by stating what conjunctions of states (of separate ccnponent agents) may not occur.

This approach has an advantage for

systems whose crmponents are largely independent (the authors call it "loose coupling"), since then only few constraints need to be expressed. This section has shown the surprising variety of possible treatments of concurrent systems.

It is nothing like a cc~prehensive survey, and

the author is aware that important work has not been mentioned, but it will serve to provide sc~e perspective on the work presented here.

O. 4

Evolution %Tuis work evolved frc~n an atter~ot to treat c~L~nication mathemati-

cally. [Mil 11

In Milner : "Processes:

a mathematical model of ~ t i n

9 agents"

a model of interacting agents was constructed, using Scott's

theory of dcrm~ms. and Milner:

~his was refined and grew more algebraic in G. Milne

"Concurrent Prooesses and their syntax"

EMM3.

At this

point we proposed no programming language, but were able to prove properties of defined c o n ~ n t

behaviours.

For example, Milne in his

Ph.D. Thesis "A mathematical model of concurrent computation" [Mln] proved partial correctness of a piece of hardware, a card-reader, built from four separate cc~ponents as detailed in its hardware description. Our model at this stage drew upon Plotkin's and Sa~yth's P ~ e r ~ constructions,

[PIo i, Sa~y]. which extended Scott's theory to admit

non-detenminism.

Part of our algebra is studied in depth in [Mil 2].

At this point there were two crucial develo~aents.

First - as we

had hoped - our behaviour definitions looked considerably like programs, and the rescm%blance was increased by merely improving notation. result, essentially the language of CCS, was partly p ~ t e d

The

is reported in [Mii 3] and

by discussions with Hoare and Scott.

(For completeness,

two other papers [Mil 4,5] by the author are included in the reference list.

Each gives a slightly different perspective from [Mil 3], and

different examples. )

The second develolm~nt was to realise that the

resulting language has many interpretations;

and that the P c ~ r ~

model, and variants of it, may not be the correct ones. needed, to reject the wrong interpretations. to observation equivalence;

A criterion was

For this purpose, we turned

two behaviour expressions should have the

sane interpretation in the model iff in all contexts they are indistinguishable by observation. It now turns out that a definition of observation equivalence (for which admittedly there are a few alternatives)

detemnines a model, up

to isc~orphism, and moreover yields algebraic laws which are of practical use in arguing about be2~iriours. which are in some sense complete;

We have strong hope for a set of laws in fact the laws given in Chapters 5

and 7 have been shown cc~!olete for a sinplified class of finite (ten~inating) behaviours.

In this case, "complete" means that if two behaviour expressions

are observation-equivalent in all contexts then they may be proved equal by the laws; 0.5

this completeness is shown in [HM].

Outline In Chapter 1 we discuss informally the idea of experimenting on, or

observing, a non-dete2xninistic agent;

this leads to the notion of

synd0monisation tree (ST) as the behaviour of an agent.

Chapter 2 dis-

ct~ses m t u a l experiment, or c~mL~nicaticn, between agents, and develops an algebra of STs.

In Chapter 3 we do a small case-study (a scheduling

system) and prove scxnething about it, anticipating the formal definition of observation equivalence and its properties to be dealt with fully in Chapter 7. Chapter 4 enriches our cul,udnications - up to now they have been just syndlronizations - to allow the passing of values frcm one agent to another, and illustrates the greater expressive p ~ e r

in two more exar~les;

cne is

akin to Data Flow, and the other is a concurrent algorithm for finding a zero of a continuous function.

The notion of derivative of a behaviour

is introduced, and used in the seccnd example. In Chapter 5 we define CCS formally, giving its dynamics in terms of derivations

(derivative sequences).

~his yields our strong congruence

relation, under which two programs are ccngruent iff they have essentially the same derivations, and we establish several laws obeyed by the congruence. In Chapter 6 we present c~mlunicaticn trees (CTs, a generalisation of STs) as a model which obeys these laws;

this model is not necessary for the

further development, but meant as an aid to understanding. Chapter 7 is the core of the theory;

observation equivalence is

treated in depth, and from it we gain our main congruence relation, observation congruence, under which two prograns are congruent ~iff they cannot be distinguished by observation in any context.

Having derived

scme properties of the congruence, we use them in Chapter 8 to prove the correct behaviour of two further systems, both to do with data structures. In Chapters 9 and IO we look at sane derived Algebras.

One takes the

form of an imperative concurrent programming language, with a s s i s t statements, "cobegin-coend" statements, and procedures.

In effect, we

show how to translate this language directly into CCS.

The other is a

restriction of CCS in which determinacy is guaranteed, and we indicate how proofs about such programs can be sir~ler than in the general case. Finally, in Chapter ii we try to evaluate what has been achieved, and indicate directions for future research.

CHAPTER

1

Experimenting on nondetenninisticmachines

ioi

Traditional equivalence of finite state acceptors Take a pair

={a,b,c,d}

S,T

of nondetezadnistic

acceptors over the alphabet

:

T

The accepting states of

S

and

T

are

s 2 and

t 2 respectively;

in non-

deterministic acceptors we can always make do, as here, with a single

'dead'

accepting state. A standard ~

t

accept the same language

that

S

and

T

are equivalent, meaning that they

(set of strings), run~ as follows.

t i) to represent the language accepted starting frcm state get a set of equations for

S , and for

Taking

s i (resp

s i (resp t i) , we

T :

s O = as I

t O = at 1 + at~

s I = bs 2 + cs 3

t I = bt 2

S2 = ~

t I = ct 3

S 3 = ds 0

t2 = £

!

t 3 =dt 0 Here as usual

+

stands for union of languages,

e

for the language

containing ~nly the 6~pty string, and we can think of the symbol for a function over languages:

as = a(s) = {a~; ~ E s} .

Now by sinlole substitution we deduce s O = a(bc + cds0) . By applying the distributive law s O = ab~ + acds 0

a(s + s') = as + as'

we deduce

a

standing

10

and we can go further, using a standard rule for solving such equations known as Arden' s rule, to get sO = (acd)*abe . For

T

it is even simpler;

we get directly (without using distributivity)

t O = ab~ + acdt 0 and the unique solvability of such equations tells us that and

T

sO = t O , so

S

are equivalent acceptors.

But are they equivalent, in all useful senses?

1.2

Experimentin 9 upon acceptors Think differently about an acceptor over

{a,b,c,d> .

It is a black

box, whose behaviour you want to investigate by asking it to accept symbols one at a time.

So each box has four buttons, one for each symbol: a

a w

S

b

sO t

i d

There are four atomic e x p e r ~ t s a-experiment on

S

T

I

b

tO

you can do, cne for each symbol. Doing an

(secretly in state

s O , but you don't know that) con-

sists in trying to press the a-button, with two possible outccmes in general: (i)

Failure - the button is locked;

(ii)

Success - the button is unlocked, and goes down (and secretly a state transiticn occurs).

In fact we cannot distinguish between by any single atcndc experiment;

S

and

T , in their initial states,

the a-experiment succeeds in each case, and

the other three fail. After a successful a-experiment on each machine, which may yield a S

bl

a #

s1~d t

.

T

b

i

d

t

t we may try another atc~tic experiment, in our aim to see if the machines are equivalent or not.

Clearly a b-experiment now succeeds for

S

and fails

11

for

T , though the other three e x p e r ~ t s

fail to distinguish the~.

trying the b-experiment, then, can we conclude that

S

and

T

After

are not

equivalent? No, because

S's response to the a-experiment could have been different

(for all we know) and locked the b-button, while

T's response could have

been different (for all we know - and it could indeed') and unlocked the b-button.

Following this argLm~nt further, we may feel forced to admit that

no finite amount of experiment could prove to us that

S

and

T

are, or are

not, equivalent'. But suppose (i)

It is the weather at any mcn~nt which determines the choice of transition (in case of ambiguity, e.g. a-experiment)

(ii)

T

at

t O under an

;

The weather has only finitely many states - at least as far as choice-resolution is concerned ;

(iii) We can control the weather . For sane machines these assunptions are not so outrageous; for example, one of two pulses may always arrive first within a certain temperature range, and outside this range the other may always arrive first.

(At the boundary of

the range we have the well-known glitch problem, which we shall ignore here.) Nc~, by conducting an a-experiment an

S

and

T

under all weather con-

ditions (always in their start states, which we have to assume are recoverable), we can find that

S's b-button is always unlocked, but that

T's

b-button is sc~etimes locked, and we can conclude that the machines are not equivalent. Is this sense of equivalence, in which a meaningful one?

S

and

T

are not equivalent,

We shall find that we can make it precise and shall adopt

it - partly because it yields a nice theory, partly because it is a finer (s~aller) equivalence relation than the standard cne (which we can always recover by introducing the distributive law used in §i.i), but more for the following reason.

Imagine that the b-buttons on

Then in all weathers every successful e x p e r ~ t visible button: S (with

b

hidden) is not deadlockable

S upon

and S

T

are hidden.

unlocks same

12

while in sc~e weathers, and after same experiments, all of

T's visible

buttons will be lo~ked: T (with

b

hidden) is deadlockable.

We wish to think of a nondeterministic choice in such machines as being resolved irreversibly, at a particular manent, by information flowing into the system from an unseen source;

if a deadlock can thus arise in one machine

but not in another, we do not regard them as behaviourally equivalent.

1.3

Behaviour as a tree Because we reject the distributive law

a(x + y) = ax + ay , we can no

longer take languages (sets of strings) as the behaviours of our machines. We proceed to an alternative.

Frcm now on we will use

NIL

instead of

e

to stand for a behaviour which can do nothing (= admits no experiment) ; we shall also use Greek letters for our ~ i s should consider

~,~,y ,5

- i.e. names of buttons - so you

as replace~_nts for

First, take the transition graph for

a,b,c,d

S

in our sinple example.

and unfold it into a tree with

states as node labels and symbols as arc labels:

B

Because state na~es are present we have lost no information; the state transition graph can be recovered frcm such a tree. see the state - he can only see the transitions.

But the experimenter cannot This leads us to drop the

node labels, and take the infinite tree

U as the behaviour of I Definition We are using

S .

a

A label is a n~mber of a given (fixed) label set ~,B,Y,.. to stand for labels.

-A .

(The use of the word 'label' in

place of 'symbol' will be further motivated later.)

13

I Definition

A sort is a subset of A

We shall usually use

g

L,M,N, .. to stand for sorts.

We shall also often use

the word a~ent in place of 'madline' or 'acceptor', so 'S is an acceptor over the alphabet

Z'

becomes 'S is an agent of sort Definition

L'

A Rigid Synchronization Tree (RST) of sort

unordered, finitely b r a n ~ member of

L

is a rooted,

tree each of whose arcs is labelled by a

L .

Thus the tree in the last diagran is an RST of sort

{~, B, ~, 8} .

(It is also

an RST of any larger sort.) Why 'rigid'?

Because it is the behaviour of a rigid agent - one which

can make no transition except that corresponding to an atomic experiment.

We

shall soon meet other transitions. Why 'synchronizaticn'?

Because we shall later see how the oammunication

of two agents can be represented in fozrcing their joint tree frcm their separate trees.

Then the joint tree will not be rigid, in general, since

intercuf,udnication between cc~ponent agents is not observable. Notice that finite RSTs can be represented as expressions:

B//~

is

~ ~

is

(BNIL + ~NIL)

~BNIL + ~ N I L

and usually there is more than one natural expression: ~rIn + (~NIL + 7NIL) , or

is

(c~LL + BNIL) + yNIL . Indeed,

+

is both oactuutative and associative, since we declared RSTs to

be unordered trees - and

NIL

is easily seen to be a zero for summation.

To justify these remarks we nc~ define the algebra of RSTs.

14

i. 4

Algebra of RSTs Ignoring sorts for a mcn~nt, we have an elementary algebra over RSTs,

whose operations are: NIL

(nullary operation) NIL

+

is the tree

•

;

(binary operation) + A

is the t r e e ~

(unary operation, for each

(identify roots) ~

), ~ A)

They obey the follc~ing laws, as you can easily see: Associativity

x + (y + z) = (x + y) + z

Ccurnutativity

x + y = y + x

Nullity

x + NIL = x

In fact, these laws are ccalolete:

any true equaticn between RST expressions

can be deduced frcm them. If we consider sorts, and let then

NIL

is of sort NIL

Further,

and

~

~

L

for any

RST L

be the set of RSTs of sort

L ,

L :

RST L .

+

takes trees of sort

+

E

L,M

RST L × RST M ÷ RSTLu M

takes a tree of sort

L

respectively to a tree of sort

LuM :

,

to a tree of sort

Lu{l} :

We shall usually forget about sorts for the present, but there are times later when they will be essential. Consider now solving recursive equations over RSTs. ations for our agent

S

We wish the equ-

of §l.1

s O = ~s I

s I = ~s 2 + ys 3

s 2 = NIL

s 3 = 6s 0

to define the (infinite) behaviour of

S

as an RST of sort

{~,8,Y,8} -

15

This set of equations has a unique, solution for the variables

s0 ' ""s3

;

you can see this by the fact that the entire tree can be developed top-down to any depth: =

sO

=

=

...

and so on.

Not every set of recursive equations has a unique solution; consider the simple equation s

=

s

which is satisfied by any RST (or anything else, for that matter) . Again, scrne sets of equatioD~ define no RST at all. s

=

s +~NIL

Consider the equation

;

a solution would have to be infinitely branching at the root.

Even if we

allowed infinitely branching RSTs, so that

would be a solution, it would not be unique since be a solution for any Exercise i. 1

sO + t

t . We defer this problem to Chapter 5.

Can you find a condition on a set of equations

sO =

Q

•

•

O

i

O

(with RST expressions involving si =

s O ,.. ,sn

on the right-hand sides)

ooo S n

would also

=

which ensures that it possesses a unique solution in RSTs? (Hint:

1.5

consider cycles of

c-transitions in transition graphs.)

Unobservable actions Under the conventional definition, a nondeterministic acceptor may

have transitions labelled by fication of our

R

S

~ ~ the null string.

Consider

R , a modi-

of §i.I (reverting briefly to Rcn~ml alphabet):

a

~

~

d

~

~

16

(The loop fomaed by the

d-transition is irrelevant to our ccrnparison.)

In the conventional sense,

R

and

S

are equivalent.

But what does the

c-transition mean, in our more mechanistic interpretation? R

in state

r i (i.e. after the

r I' , and that if a

move silently to state

It means that

a-button has been pressed) may at any time b-experiment is never attesloted

it will do so. Thus, if we attespt a

b-experiment on

R , after the successful

experiment, there are sc~e weather conditions in which we find the button peamanently locked; (after the

if on the other hand we a t t ~

a

a-

b-

c-experiment

a-experiment) we shall in all weather conditions find the

c-button eventually unlocked (eventually, because although little t ~

to decide on its

R

may take a

e-transition, it will do so since no

b-

experiment is attespted). Exercise 1.2 and

T

Use this as the basis of an ~

are equivalent.

t

that no pair of

A rigorous basis for the a r ~ t

R, S

will be given

later. Let us return to our Greek alphabet, and ask how we should write the equations specifying e

R's behaviour.

We choose the symbol

T

in place of

(to avoid confusion with the null string), and use it as a new unary

operation uponbehaviours. r0,..,r 3

The equations dete_~mining the behaviours

are: !

r 0 = ~r I

r i = 8r 2 + xr~

r 2 = NIL

r 3 = ~r 0

We are ass~aing that Definition

r I = yr 3

T % A (the fixed label set).

A Synchronization Tree (ST) of sort

L

is a rooted, unordered,

finitely branching tree eac~ of whose arcs is labelled by a ~ r Lu{~}

of

.

Thus a rigid ST (an RST) is just an ST with no arcs labelled

T ;

it is

the behaviour of an agent which can make no silent transitions. Since we are taking the unary operation

we can of course deduce the ST-behaviour of

T

R .

over STs to be given by

It is

17

Y

y

-

STs are a sinlole and useful notion of behaviour.

They are just the

unfoldings of behaviour equations, which in turn follow directly fran transition graphs.

Of course in this way different transition graphs can

yield the sane ST, frcrn which we can be certain that they are i n d i s ~ s h -

able by experiment. Exercise 1.3

Convince yourse1_f that the transition graphs

have the same unfolding. However, different STs (or transition graphs yielding different STs) may be indistinguishable by experiment.

This is true even for RSTs;

consider the simple pair

each of which adaits a single

~-experiment and then nothing else.

But it is even more true in the case of unobservable actions. we shall study an equivalence relation, c~servation equivalence,

Later

over STs,

which can (for finite STs) be axicmatized by a finite set of equations added to those given in §1.4 above.

To get a foretaste of the equivalence

consider the following exercise. Exercise 1.4

ExamiD~ each of the following pairs of s ~ p l e STs and try to

decide by infozmal ~ t ,

as in Exercise 1.2 above, which are observation

equivalent (i.e. indistinguishable by experiment).

You may reasonably

conclude that four pairs are equivalent, or that six pairs are equivalent, but you should also find that the notion of equivalence is not yet precise. Ehe point of this exercise is that it is not trivial to capture our infozmal arguments by a precise notion.

oH~

oH ~

c~

o~

v

~

f

O

~o

Chapter 2

Synchronization

2.1

Mutual experimentation ~he success of an

s-experiment enables the machine to proceed (to

offer further experiments);

it also allows the observer to proceed (to

attempt further experiments).

This suggests an ~bvious symmetry;

we

would like to represent the observer as a machine, then to represent the ccmposite observer/machine as a machine, then to understand how this m c h i n e behaves for a new observer. How should two machines interact?

S

~

T

0

We must say which experiments offered by which experiments of

T

S

may combine with or (ccraplement)

to yield an interaction.

label correspondence (e.g.

a ++~, ~++ n)

for each machine ccmbination,

we introduce a little structure on our label set We ass~ne a fixed set

A

of names.

Rather than set up a

We use

A. ~, B, y, ... to stand for

names° We assume a set with it;

o~(~A) ~ and we call we have

~

of co-names, disjoint frc~

~

~.

Using ( ) also for the inverse bijection,

~ = ~.

to range over

A.

A =

A u

We call

to be our set of labels. l

and

[

in particular for any sort

L,

~, = {~;

We shall scmetimes need the function name(a) = name (~) = which we extend to sorts by defining

We shall use

X

cc~plementary_ labels.

The function (-) is now a bijection over A;

and in bijection

<~(cA)

the co-name of

N C ~ we assume

of

A

the bijection is (-):

A.

We extend it to subsets X~L}.

20

na~es (L) = {n~ne(l) ; 16L} . NOW consider the pair of machines

Y

Y

S: {~,S,~} The natural candidate, perhaps, for the ccr~bined machine

Slit

maybe

pictured thus:

/ I or:

ST

1_ .... _ /

\

The intuition is that cc~olementary ports, one in each machine, are linked and hidden (labels removed), sinoe these links represent mutual observation, while other ports still support external observation. But under this scheme there are two disadvantages.

r

R: {8,~}

First, consider

21

We can form

RII[SIIT)

and

1

r[[ each of sort

{~,~}

are observed by II

T

(RIiS)!IT:

.... j.

1

but clearly different.

Ii

S's offers of 8-experiments

in the first case, but by

R

in the second case.

So

is not associative. Second, it is useful to allow that

S's

8-experiment-offers

(or 8-capabilities as we shall sometimes call them) may be observed by either R R

or

and

T,

or

T

(that is, each 8-experiment cn

but not both) ;

this makes

S

S

may be done by either

into a resource shared by

R

T. The solution is to factor cc~biD~tion into two separate operations:

one to link ports, the other to hi__~ them.

We shall use the %Drd

.composition for the first of these operations, and the second we shall call restriction.

2.2

Cc~0osition, The ccsposite

restricticn and relabelling RIS

of our two machines

i s i

r.

while for (RIS) IT we get

R

and

S

may be pictured

22

8

~hat is, for each I, in

U

in foi~r/ng UIV

to every port labelled

Exercise 2.1

Frcm

R 1 (SIT)

[

in

we link every port labelled V.

as a picture, and ccnvince yourself by other

~examples that - on pictures - composition is an associative and cc~sautative operation. Before defining cc~positicn of behaviours, let us look at two other operations on pictures. For each

~,

we define a postfixed restriction operation

which on pictures just means "hide the ports labelled it drops the labels

(RJS)\~

and

~

( = RN S )

((RIS) IT)\8\Y\~

\_

or

~",

\5, i.e.

frcm pictures, thus reducing their sort.

I-i s T ........

~

it J

23

Which of the following are identical as pictures?

Exercise 2.2 (i)

((RIS) IT)\B\¥\~

(v)

(RI (SlT)\6)\Bky

(ii)

((RIS)kSIT)ky\:

(vi)

(RI (SlT)\x)\B\~

(iii)

((RIS)\yIT) \B\~

(vii) ((RIT) \6 IS) \B\y

(iv)

((RXyIS) IT)XB\6

(viii) ((RIT)k61S\6)\B\y

Note:

\a binds tighter than

I , so that

Besides its use with c c ~ i t i c ~ ,

U:V~

means

uI (v~).

the restriction operation by itself

corresponds to a sinple, rather concrete, action:'internal\sing' certain ports of a machine.

that of hiding or

Compare the re~arks on hiding

the b-buttons of two machines, at the end of §1.2. Note that we can define Sll T = (SIT)\~I...\~ n

where

S liT, where

S:L

and

T:M,

by

{~l,..O,an} = names (L~).

We shall henceforth abandon the use of upper case letters for machines. There is a fine distinction between the ideas of (i) a machine which may move through states but ~

+_he same machine (a physical notion) and

(ii) a machine-state pair, i.e. a way of specifying a behaviour with a definite start (a more mthematical notion, exemplified by the nonnal definition of Finite-state Acceptor as consisting of a state set, a transition relation, a set of accepting states and a start state)o case letters correspond to the latter i d e a fied behaviours algebra;

(here as STs), and it is these which are the dc~ain of our

we shall soon see what

rls

etc. mean as behaviourso

We also have another use for upper case letters; (where (i) (ii)

L,M

are sorts) is a re!abelling frcm L

to

S:L + M

if

it respects cc~lements S(~) = S(~) for ~,~eL)o

We define the postfixed relabellin~ operation

IS ], over (pictures of)

machines of sort L, as simply replacing each label

~It =

we say that M

it is a bijection;

(i.eo

Thus for

Our lower

indeed, they denote the speci-

r,t

as above we have

I , Y

leL

by

S(1).

24

and

S: {fl,y,8,~} ÷ {Sty,e,[}, given by

s(~) = 6 , is a relabelling;

s(~) = y ,

s(~)=~,

s(~) = s

we then have

(r It) [ s] =

We shall use convenient abbreviations in writing relabellings explicitly. Thus ii/~ I ,...,in/~n (where

el,.O.,an

or

1112""

"in/~lS2"""~n

are distinct nanes, and

distinct nares) stands for the relabelling (i)

S(~i ) = Ii

if ei~L

(ii) S(~i) = I i

if mi~L

Ii,...,I n

are labels with

S:L ÷ M given by

(iii) S(1) = I if name (1)~{el,...,an} provided that the function so defined is a relabelling.

So in place of

(rlt)[~ above, we write (rlt)[~/8, ~/8]

or (r]£)[~e/8~].

When we see the laws of the Flow Algebra (laws for the C ~ i t i o n , Restriction and Relabelling operations) in Theorem 5.5, we shall see that relabelling distributes over oc~i0osition, so that we have (rIt)[~/~, ~/8] = r[~/B, e/6]]t[~/~, c/8] (as you can readily check) - even though in strict fozmality stands for a different melabelling in each case, because

r,t

~/B,

e/8

and

r]t

possess different sorts. 2.3

Extemf~n@ the Algebra of Synchronization Trees We must now add our three new operations to the algebra of STs, using

intuition about the operational meaning of these trees. In future we continue to use I to range over A, and use ~,~ to range over Au{T}.

25

Cc~oosition

I : STL x STM ÷ STLu M

Consider two STs

t=

~

u =

For their ~ i t e , (because

t

four actions are possible,

does), so one branch of

/

tlu

admits an e-experiment

tlu will be

This branch represents independent action by one ccrsponent, and similar branches exist for a 8-experiment on

t

and an m-experiment on u.

of these three branches represents interaction between there is a possible interaction, sinoe e-offer.

t

and

u;

None but

u's m-offer ccmpl~ments t's

Since this action is internal (not observable) we use

T

and

represent it in the composite tree by a branch

Putting all the branches together yields

Now cc~position of of their sons;

t

and

u

has been defined in tezms of cc~position

clearly this amounts to a recursive definition of

More precisely, since every tree may be written in the fozm t =

~ ~iti , l_
~i~Au{~}

(with m=O if t = NIL), we may define ~ i t i o n Definition

If

t = [~iti i

and

as follws:

u = [~ .u., then j 33

tlu = [~i(tilu) + ~j(tlu j) + [_ Y(tilu j) 3 ~i=~ j

1

26

Exercise 2.3 (i)

(Consider only finite STs).

Prove by ~duction on the depth of

(ii) Work out

tlu

for

t = a/~8

t

and

that u=

tlNIL = t.

I~;

choose sane

other examples. (iii)

Prove by induction on the stwn of the depths of trees that tlu = ult

and

t I(ulv) = (tlu) Iv.

We should criticize two aspects (at leas~)of our definition. Considering our first example of ST ~ s i t i o n , that the form we gave for current activity of g-experiment on on

t

t

tlu

and

u

it can well be argued

fails to represent the possible con-

for example, we may think that a

can be performed s ~ t a n e o u s l y

with an W-experiment

u, while (looking at your result for Exercise 2.3(ii) also)

the ST

for tlu merely indicates that the two experiments may be performed in either order.

Indeed, STs in no way represent true concurrency.

Two not completely convincing defences can be given.

First,

are simple, and tractability in a model has great advantages; in so far as we wish a 'behaviour-object'

STs

second,

to tell us how a system may

appear to an observer who is only capable of one experiment at a time, we find it possible to ignore true concurrency.

You are urged to

consider this question in greater depth. The second aspect for criticis~ is the introduction of successful 'mutual observations'.

T to represent

If we had no need for it in defining I,

we could leave it out of our theory altogether. Again, there are two defences, but this time convincing ones. consider replacing the third term in the recursive definition of namely the team

[

T(tilu j) -

by just

[

intuitively, an internal action just vanishes.

First, tlu

-

(tiI%); It turns out that

1

is no longer an associative operation, which conflicts strongly with our assumption that the joint behaviour of t/kree agents should in no way depend upon the order in which we wire them together before they do anything' Exercise 2.4 for t =

With this new definition work out e

, u =

a

,

v = 8

t I (ulv)

and (tlu) Iv

to justify the above assertion.

27

The second defence is that we must sc~ehow express, in the when and

t = aAB, u

u =

I~,

ST (tlu)\~

the possibility that ccmaunication between

t

can prevent any B-experiment.

Exercise 2.5

Under the nonaal definition of

I,

and of

\~

(see below) ,

work out that

(tlu)\~ = T ~ B in this case. This

ST

does indeed represent possible prevention of a

and unless we leave

STs

(and derived models) altogether it is hard to

see how such deadlock p h e ~ Restriction

8-experiment,

can he represented without

z.

\~:ST L ÷ STL_{~,~ } (~cA)

We wish to deny all ~-

and

m-experiments, so that

by pruning away all branches and slAb-branches labelled

t\~ ~

or

is formed e.

Considering

t =

again, we see that

(tlu) \~ =

More formally, for t = ~. iti

Definition

t\~ =

~

we have

- ~i (ti\~)

An obvious alternative to the restriction operation would be to define \l

for each me~ber t\l

i

of

A

by

ui~l~i (ti\l) ;

in other words, we might choose to restrict na~es and oo-names independently, instead of both at once.

~nis would, of course, have a correspondingly

28

different effect on pictures.

The reason for our choice is in fact to

do with the algebra of pictures (Flow Algebra) under it has a particularly simple algebraic theory

I,

\e

and [S];

[~M, Mil 2], which we

have not found for the suggested alternative. Re!abellin ~

IS]:

ST L + STM

This operation is as simple on applies the relabelling for

t = _[uiti

S

(S:L ÷ M STs

to all

a relabelling)

as it is on pictures; it just labels in the tree.

More formally,

we have

1

Definition

t[S] = _~S(~i) (ti[S]) 1 where we now adopt the convention that An imF~rtant (though

S(T) = •

for any relabelling S.

not the only) use of relabelling is in cases

where we have several instances of a single agent

r

in a system, but

each with different labelling, so that under ec~position they are properly linked.

We have only to define several 'copies' r i = r[S i]

of the generic agent

r,

and then cc~pose the

ri.

One might have allowed more general relabellings, using many-one functions over

A (so that differently labelled ports ccme to bear the

sane label) or even relations in place of functions (so that one port could 'split' into two differently labelled ports).

Suffice it to say

that this creates problems in the axicmatization of Flow Algebra.

The

present choice allows plenty of scope. 2 . 4 A simple exar~ole: binary S~naphores A binary semaphore

s, of sort

{~,~},

may be pictured

1[

r-

TO g a i n t h e s~,at:t~ore ( D i j k s t r a ' s

ext:eximent;

we r e l e a s e i t

s =~s

P O p e r a t i o n ) we must p e r f o r m a

(the V operation) by a ~ - e x ~ r ~ m e n t .

1[Clearly

29

expresses the appropriate behaviour

(a long thin ST').

Imagine a

generic agent p, whose critical section we represent by a sequence <~,8>

of atomic actions (experiments upon a resource, say), and whose

non-cri%ical section we ignore: p = ~6~p . We wish to place several instances of p Pi = P[Si] = ~i6i~Pi in ~ c a t i o n

with

two copies of

s,

(where S i = ~i8i/~6)

and derive the ocmposite ST.

Consider just

p (i = 1,2) and form

q = (pllP21S)\~\~ which may be pictured as shown:

~1

p

s

p

61

a,2 62

q We e a s i l y d e r i v e an equation f o r the az~posite Theorem - g i v e n i n

§2.5 - r e p e a t e d l y .

ST q, using the Expansion

You should read t h a t s e c t i o n w i t h

reference t o the expansion whiah f o l l o w s :

q = (~a181~pl I~262¢P2 !~S) \~,\¢

= T ((~Is~pl iP21Ss) \~\¢) + T ( (p~ I~262~P2 i~s) \~\~ = re161( (#Pl IP2 I~s)\~\~) + ~282 ((Pll#P2 lSs)\~\~) = T~161T ((Pl IP2 Is)\~\~) + T~262~ ((Pl IP2 Is)\~\# ) = ~e181Tq + T~262Tq • SO

q

is the

ST given recursively by

~I

~2

30

and exactly expresses the fact that the critical sections of P2

can never overlap in time, i.e. a sequence like

Pl

~I~2BI...

and is not

possible. In fact, an n-bounded s~maphore (n_> i) can be constructed as s

n

=

slsl...Is

n times this is an exanple of cc~Iocsition which effects no linkage, but will yield a multi-way linkage with 'user' agents. The 2-bounded semaphore

s2 , with 3 users, can be pictured

/

/

s2

II I I

c~3

P

B2

B3

P

1

1

i

Diagram for (piIp21P31S2)\~\~

(s2's border, and its two collector nodes, are fictitious;

they are just

used here to avoid drawing 12 links in the picture).

Exercise 2.6 expression

As practice in using the Expansion Theor~n, develop the q = (pl[p21P31SlS)\~\~,

and draw part of the ST to oonvinoe

yourself that at most two critical sections can be simultaneously active. Can you even derive a set of mutually recursive behaviour equations, for which

q

is the solution?

It's a bit lengthy, but possible.

development is shorter if you take with

(plplplsls)\~\~

instead;

critical sections of each copy of

~i=~2=~3=~,

[0,23.

i.e. deal

then the ST will not distinguish the p, but you should be able to show

that at any point in time the excess of lies in the range

B1=~2=B3=8;

The

e's

over

B's

performed

31

2.5

The S T ~ p a n s i o n T h e o r e m We consider trees e x p r e s s e d i n t h e t =

For a set

Then

[ ~iti . l~i~n

{~l,...,ek} = A of names, we abbreviate

Theorem 2.1 Let

form

(The Expansion Theorem_)

t = (tI It21 .... Itm) \A,

where each

t = ~{~((tll'"It"l l"'Itm)\A);

[S],

and can be done by induction on

unrestricted action of sc~e and

t. 3

a stl~mand of

ti ,

1
it uses properties of the Flow operations

The theore~ states that each branch of

t. l

is a s~n as above.

l_
+ ~{T((tlI...It.' l...It.' l...Itm)\A); i 3 It i' a su~Inand of ti, ~tj' Omitted;

ti

(V) ~A}

nar~

Proof

\~1\~2...\~k by \A.

(i < j).

tj } $,

\~ and

m. t

corresponds either to an

t i , or to an internal cc~munication between

For example consider

((at + ~t') I (~u + yu') I(~v + ~v'))\~\~; the theorem gives us

(unrestricted actions)

+ ~(((~t + st')i(~u + ~u')Iv')\~\~) + T ( (tlu ] (~v + yV')) \~\B)

(~-cut~,enication)

+ T ( (t' I (~u + yu') Iv) \~\8)

(8-oalm~ication)

+ T ( ( (at + St') Iu' Iv') \~\8)

(y-cc~munication)

32

A lot can be done using cc~positions of two kinds of element:

Exercise 2.7

C~cler

c = eByc

Dis~oiner

B

y

d = e(Bd + yd) !

e

(i)

~8

Write the behaviour of

I

I

as a restricted ec~Dsition of relabellings of represent the port at which each copy of

c

c.

offers its first experi-

r~_nt; the progress of the system can be simulated try it).

(The little arrows

by "swinging arrows":

Expand the behaviour, to get a recursive definition of an ST

which doesn't involve composition, restriction or relabelling. (ii)

Design a system (using s = ~(tBts + tXts). IS this equivalent to d?

c

only) to behave as the ST

CHAPTER 3

A case s t u ~ in synchronization, and 3.1 A schedulin9

proof

tedlniques

problem

Suppose that a set

{Pi ; I -
a certain task repeatedly, and we wish to design a sdueduler to ensure that they perform it in rotation~ starting with

Pl

(~his exan~ple

was used in [Mil 5 ]. ) More precisely, the task in rotaticn;

Pi

are to start their perfonuance of the

we do not ir~0ose the restriction that their perfozm-

ances should exclude each other in time (this could be done using a s~ma~hore) but we do impose the restriction tb~t each

Pi

should be

prevented frcm initiating the task twioe without ccrapleting his first initiation.

(Pi may try this unintentionally, because of bad programming

for example. ) Suppose that

ccnpletion at where

Pi

requests initiation at label

8i (I -
~hen our scheduler

ai ' and signals Sch

of sort

A uB ,

A=

{~. ; l_
~hen all occurrences of (al~ 2 ....~n )

(ii) Foreach

~i (l-
;

i , when al! occurrences of

aj,Sj(j~i)

are deleted ,

it beccr0es

We could write a behaviour description for Sch directly, but prefer to build it as a ring of elementary identical czmponents, called cyclers. Generic cycler c :

34

Scheduler Sch :

82

~3

using also a 'start button',

Starter

s

:

In building the net we have instantiated

c

by

I ei = e[~i/~' ~i/B' Yi/Y' ~i+1/~3 1 for

1 < i _
What are the behaviours enable

cI

at

Y1

s

and

c ?

I

The starter is there just to

and die, so

AS for the cycler, it appears that he should cycle endlessly as follows:

(i) Be enabled by predecessor at (ii) Receive initiation request at (iii) Receive teITnination signal at in either order.

y ; ~ ; ~

and enable successor at

6 ,

35 So we define

and this determines Sch cc~pletely.

But does it work?

Info~mally

we can convince ourselves that it does, by arrow-swinging.

More

formally, there are two possibilities: Method 1

Show as directly as possible that constraints (i) and (ii)

are met.

For the first ccnstraint, this may be e~pressed as absorbing

(i.e. permitting) all

~i

ccrsaunications, and showing that the result

is observationally equivalent to (~1;2"" "~n ) ~ Let us make this precise by adopting the convention that if non-~mpty label sequence, then s

s~

s

is any

is the behaviour given by

= s (s~).

Then what we want to prove, for the first constraint, is --

(i)

Schll(81

(where

~

1.... 18n~)

--

--

L0

~ (~1~2.--~n)

is observational equivalence, which we define fomaally in §3.3).

Using the notation {qi ; i ~ I }

or

~ qi i~I

for multiple ccn~cxgsition, we can rewrite (i) as 0~

SCh II F[ 8j l_<j~n

--

~ (~l'''an)

'

The required equivalence for the seccnd ccnstraint is (~i~i) 3~x

Method 2

for each

i , l_
3~i

We can specify the behaviour of the conplete scheduler by a

single parameterized behaviour equation, in the following way. that the scheduler has to keep two pieces of infomaation: (a) An integer

i

(l_
indicating whose turn it is

to initiate next. (b) A subset

X

of

[1,n]

indicating which agents are

currently performing the task.

Observe

36

If

Spec(i,X)

represents the required behaviour of the scheduler for

parameter values Spec(i,X) =

i Z

and

X , then we can specify the scheduler by (i e X)

~j Spee(i,X- {j})

j~x m

~j Spec(i,X- {j})

Spec(i,X) = ~i Spec(i+l, Xu{i}) +

(i#X)

jcx These equations say that if any case any

pj (j e X)

Pi

is not perfozming he can initiate, and in

can signal cc~oleticn.

For this method we only

have to prove one observation equivalence: Sch

~

Spec(i,~)

In §3.4 we give part of a proof using Method i, which may be preferred since it directly represents the constraints as specified.

Method 2 is

possible, but a little harder.

~

3.1

Can you 'build' the cycler defined here, using six copies

II

of the cycler

II

which the ccnstruction behaves like the present cycler needs careful

II

U

study.

-Exercise 3.2

c

of Exercise 2.7?

It is not hard, but the sense in

This is dealt with in §3.3. Build a scheduler which ini0oses a third constraint on a

signal sequence

E (A u B) ~ :

(iii) When all occurrences of beoanes

ei (i ~ i < n)

are deleted, it

(~182..- 8n) a

This coD~traint says that the

Pi

must also terminate their tasks

in cyclic order. Note:

These exercises are plaiting to sc~e extent, but they may have

same significance for building asynchronous hardware from cc~ponents. This remains to be seen. We shall now divert to cc~pare our bebaviours with Patti Nets, informally, using the scheduler as an example. Net Theory may skip the next section.

Readers unfamiliar with

37

3.2

Buildin 9 the scheduler as a Petri Net We will use Petri nets in which the events or transitions are

labelled by members of T

A u {T} .

In fact, we shall just cmit the

labels. A net

c , for our cycler, is as follows, where circles stand for

places and bars for transitions:

Y

With the initial marking as shown, the net is clearly live in the usual sense.

But in our interpretation a

l-lah~lled event is merely potential;

it needs cooperation with an event which bears a cc~plementary label, or with an observer performing a

~-expemin~t.

The flow operations

and [S]

over

I ,\ ~

can be satisfactorily defined

a class of nets (as b~gens Nielsen has shown) in such a way as to

yield a Flow Algebra.

Here, however, it %will be enough to use only IS]

- the obvious relabelling operation - and the derived operation nI

and

n2

are nets of sort L and M and if

II ;

if

{ e l " ' ' ' ~ k } = names (LnM),

then n III n 2

=

(nlIn2)\a i .... \ak

may be described as follc~s: Identify the event labelled event labelled

a i (resp ei )

then drop the labels [Note: a

~i (resp ~i ) in

a l'""" '~k

in

n 2 , for each

nI

with the i , and

and their ccr~plements.

This needs more careful phrasing if we allow that

l-event even though

possibility that

~eL .

nI

may not have

Also, in general we must take care of the

n I - for example - may have two or more

l-events.

38

However, if we start with nets labelled

n

of sort L

having exactly one event

l e L , and confine the use of c~position to pairs

n :L, n :M 1 2 for which L and M are disjoint, then all nets built with [S] and II

will have exactly one event for each label in their sort]. To illustrate with cyclers, we have, for

Yi

and for

c I IIc2

~

~

c i = c[~i/~,Si/B,yi/7,?i+i/~]:___

?i+1

:

~3

Y1

2

Finally we give the diagram for a scheduler of size 5 cn which you can play the token game:

39

~4 ~4

~3

~3

a2

The Petri Net for the scheduler

40

~otice the slight cheat:

cI

has been given a different initial marking.

This would not have been needed if we had included a part of the net for our start button, and in building the net we would then find the need for more than one event labelled of

c

71

- w h i c h corresponds to the shared port

in the picture of Sch, §3.1.

There is a growing body of techniques for analysis of Petri Nets. For exanple, the behaviour of ~n/ked GraFhs is well la%derstcod [Coil]; a marked graph is a Petri net in which each place has indegree and outdegree equal to I, and our scheduler is indeed a marked graph.

Further, much

can be discovered of the behaviour of arbitrary nets using techniques frcm Linear Algebra due to Kurt Lautenbach (f~9, Bonn) to discover Invariants (properties which holds for all accessible markings, or token distributions). Kurt Jensen has pointed out that these techniques are strong enough to tell us that our scheduler net indeed satisfies the two constraints specified. Nevertheless we shall tackle the proof of correctness of the scheduler by our own methods, since we shall see later that they apply also to systems which are not so readily represented as Petri Nets (e.g. Systems whose cc~munication structure does not remain fixed).

3.3

Observation equivalence It is now time to be ~ l e t e l y

precise about the form of equivalence

of agents that ~

wish to adopt.

deliberately so;

but now that we have a case study in hand where correctness

The discussion in Chapter 1 was ~precise,

of an agent has been expressed as equivalence between the agent and its specification, we have enough motivation to study equivalence seriously. We may forget our algebra temporarily, and imagine simply that we have a set { ~--~ ; ~ A u

P

of agents (or behaviours) together with a family {z} } of binary relations over

we can also forget temporarily that

P .

A = A U~ .

A

is our label set, but

We shall consistently use X

41

to range over

A , and

P I_~ p,

~,v

means

"p

to range over

admits a k-experiment, and can

transform into p - ~ p'

means S p! p--->

W e shall write for scme

"p

Po .... 'Pn

A u{T} .

p'

as a result"

can transform to s = ~i" • o "~n

, for

p'

unobserved"

•(A u{T})* , to mean that

(n _>O)

~ ~2 ~n = p, P = P0 - - ~ P l ---~ P2 . . . . . >Pn " Now consider the result(s) of performing a sequence experiments on

p

k0 P •

(n ~0).

ki lIT

~l,...,In

The result may be any

p'

of atcmzic

for which

kn 12...I T ...... n > p'

(ki > O)

;

that is, an arbitrary number of silent moves may occur before, among and after the Definition

I.. 1 for

s ~ A* , define the relation

P s___>p, iff for sc~e

Tk01sTk112. •.

" p

if

s = I I " " % n ' then

in~kn >p'

s-experiment

" p

s

(se h*), and then

admits an s-experLme/~t and can transform to

also say more briefly

by:

k 0 ..... kn_>O

p We may talk of an

s

~

can produce

Note that for the empty sequence

p'

p ~ p'

under

p,

means

as a result" ;

we may

s ".

E • A* , an e-experiment ccnsists of

lettJ_ng the agent proceed silently as it wishes, while observing nothing; for ~.~ have p ~

p'

iff for scme

Note also the special case

p ~

k>-O p

when

k p ,,,~,~ p' . k = 0 .

Now we can state in words what we shall mean by equivalent agents. p

and

q

are equivalent iff for every

(i) For every result

p'

of an s-experiment on

is an equivalent result (ii) For every result equivalent result

q' p'

se A*

q'

p , there

of a s-experiment on

of an s-experiment on of a s-experiment on

q .

q , there is an p .

42

qhis appears to be a circular definition (the formal definition will take care of this point) but note first that it implies that, for each

s , p

admits an s-experiment iff

But it implies much more;

q

does.

for example, the two ST's

admit exactly the same s - e x p e r ~ t s ,

but neither of the two possible

results of an s-experiment on the first tree is equivalent to the result of an s-experiment on the seccnd. The motivation for our definition is this: on, perfomT/ng an e x p e r ~ t ,

we imagine switching

and switching it off again.

equivalent, it must be possible to switch

q

For

p

to be

on, do the sane e x p e r ~ t ,

and switch it off in a state equivalent to the state in which switched off (and the same, interchanging

q

p

and

p

was

q ).

Our fomnal definition is in terms of a decreasing sequence ~0' ~i . . . . .

=k ....

of (finer and finer) equivalence relations:

Definition (Observation equivalence)

Exercise 3.3

(i) if

p =>

S

p,

(ii) if

s q ~

q,

iff Vk->O.

then for scme

q', q ~

s

q,

then for same

p', p ~

p'

P ~k q

(a) Prove that each

induction on that

is always true;

iff V S e A*

P ~k+i q

p m q

P ~0 q

p ~k+l q

k .

(i.e. ~ = ~ = k k

~k

q "

and

p,

~k

q,

;

P' ~k q' ;

)

is an equivalence relation, by

(b) Prove by induction that

ini°lies p ~

and

~k+l c_ ~k ' i.e.

43

This equivalence relation has many interesting properties, which we need not exmnine until Chapter 7 - except one or two. First, it is not necessarily true that recurrence relation defining p~q

~k+l

V s e A* s p~ (i) if p = >

~

itself satisfies the

in terms of

~k ' that is, the property

iff

(ii) if

(*) then

~> q,

q

then

3q'.q S > q , 3p'.p

s> p,

& &

p,~q, p,

~q'

(which is a formal version Of our verbal recursive definition of equivalence given earlier in this section). but not in general. one which satisfies

It is true if

case we shall call

~cise ~[

3.4

and

q

are finite STs,

However, our definition has nioer properties than (*).

For STs, our binary relations t _~I t' (resp. t

p

T> t') t'

iff

a

and

T.

has a branch

are obvious; It' (resp. Tt').

l-son (resp. •-son) of

Prove that

inductive proof that

t

)'>

t ~ Tt

for

STs.

In this

t .

(You need a veiny simple

t ~ k ~Zt).

Let us consider one exanple of equivalent STs:

t

To check equivalence, i.e. step:

t ~u

implies

identical trees under and

t ~k u

t ~

t ~k+lU. s ; ~lder

by induction.

u

for all

k , we must prove the inductive

Now for every

s~ c, t and u produce

e , t produces only

t

and

u

cnly

u ,

44

Definition

(Note that

If

P s p,

p

(o e A*)

p'

is an s-derivative of p.

is always an s-derivative of itself).

rephrase the definition of " P ~k+l q

Zk+l

iff, for all p

Exercise 3.5

in t e ~

s(A*

and

q

up to

of

We can thus

~k :

, s-derivatives

have the same

~k

equivalence.

"

Re-examine Exercise 1.4, and verify precisely which pairs are

observation equivalent.

Exercise 3.6

then

(Deadlock)

You should find exactly four pairs.

Prove that if

p~q

is true of both or of neither, for given "It is possible to do a

11 . .. In

reach a state where a

then the following statement 11,. .. ,ln,ln+ 1 :

experiment and

kn+i-experiment is impossible"

One property of agents is not respected by our equivalence. possible for

p

and

q

to be equivalent even though

p

It is

possesses an

infinite silent cc~mputation P J-~ Pl - ~ {diver~enoe)

while

P2 - ~ q

.... Pk ~

Pk+l ~-~

cannot diverge in this way.

be refined to exclude this possibility.

3.4

"'" The equivalence can

See the remarks in §7.3.

Proving the scheduler It is ~ s o m e

to use the direct definition of ~ ; we shall instead

use a few of its key properties, ~hich are derived fomaally in Chapter 7. We begin by listing them, so that Chapter 7 need not be read first. (~ 1 )

t ~ Tt

NoW we can see that t

by

t' (when

(see Exercise 3.4) ~

is not a ccngruence relation;

t ~ t ')

exanlole , N I L ~ TNIL,

in

but

u

to get

~NIL + NIL

u'

that is, replacing

does not ensure

~ ~NIL + TNIL •

u~u'.

For

45

I Exe_r_cise 3.7

Verify this fact.

So ingeneral

t ~ t'

other operations do preserve (~ 2)

t ~ t'

t + u ~ t' + u .

does not imply

implies

But all our

= pt ~ ut'

(.see below for

tlu~t'lu

and

~ )

ult~u'It

t\~ ~ t'\~ t[S] = t'[S] Fortunately, too, when we apply a guard p to equivalent STs get not cnly

pt~t',

but

ut ~ pt' , where

t,t'

we

~ is a strQnger relation than

which is preserved by all our operaticns. (~ 3)

~

is a oongrue.nce relaticn, and t c t'

inplies

t ~ t'

Beyond these, we need one more property ~ i c h may look a little surprising; we leave its discussion to Chapter 7 . (~ 4)

t + Tt c Tt

Apart fran this, the proof below will use only rather natural properties of our operations, including the Expansion ~heorem, all justified by Qhapter 5. ~

treat only the first constraint, namely S~h

Define the left

[I (~i

I " ' " IBn '~ ) ~

hand s i d e t o be

(%" - ..~n )~

Sch'

satisfies the defining equation of

.

(I)

We s h a l l

actually

show t h a t Sch'

(~i o . .~n )~ , namely

Sch' ~ ~ l " " ~ n Sch' .

(2)

frc~ which (i) follows, by general principles which we shall not treat here (but see Exercise 7.7). We may write SCh' =

Sch'

as

(s fell ... I C'n)\71"''\Yn

(using general properties of

I and \e ), where

C'l = (ci I B~m)\~il represents the ith cycler with

(3)

(4) ~i

pe~nitted.

Now we shall discover

46

below that w

--Yi~iYi+l c ,l'

C

Ci so ~

(5)

can use these expressicns interchangably, by (~ 3), to assist our

expansion of Sch', which runs as follows:

schl

c

(?:[NILIYI~I?2c; I . . . . t ~ n % ? l C n , ) \ ¥ 1 . . . \ ¥ n

C

--

--

(the start buttcn has worked)

c ~h~2"

.~n
IT cl)\h "\~n

(leaving .

.

.

.

!

C

~:~1Tc~2. . . . T~nT (NIL islY2CliC2 [.

=

~1~2 . . . % Sch'

Let us now show (5) , for

Q .

to be reenabled)

ic~)\yl,.XYn

as required, by (~ 1) and (~ 2). i = 1

say.

= (Y1c~1(61Y2c I + Y281Cl) I B1~)\61

c~

= hh(~2c~ But

!

.

c' 1

Y2 T c II

~c

~72c,

+

+ i 2 • c~)

, by Y2Cl

(= I)

i2 • ci' c ~72c~ C

by ~ s i o n .

~72C ~

and +

(~ 2), so

-y2ci, ~ (_-3) by (= 4),

and by substituting in the expansion of I

cI

C

--

--

Yl°~lY2Cl'

c~

we get by

(~ i), (~ 2)

as required.

We leave the verification of the second constraint on the scheduler as an exercise in Chapter 8. property than

(-- 4).

It is not hard, but uses a slightly more general

CHAPTER 4

Case studies in value-ccmmm/cation 4.1

Review So far, we have seen how bebaviours (STs) may be built using six

kinds of operation, together with the all-inportant use of recursion. The operations fall into two classes: (i) Dynamic operations

(Chapter i)

Inaction

NIL

Su~nation

+

Axztion

~ c Au {T}

The dynamic qperations build nondeterministic sequential behaviours. (2) Static operations

(Chapter 2)

Cc~mposition

I

Restriction

\~

Relabelling

IS]

(~ ~ A)

The static operations establish a fixed linkage structure among concurrently active behaviours. The examples gi~_n were static combinations of sequential behaviours, yielding systems with fixed linkage structure.

But dynamically-evolving

structures can be gained by defining recursive behaviours involving composition.

The possibilities are quite rich;

we give an example, not

for its usefulness (whid~ is doubtful) but to illustrate the power of OCS. First, let us define an operation ~ahich has wide application. x : L, y : M and L n M = ~, with

~eL

and

If

~ E M , the cJlainimz7 operation

*-~ is given by x " ~ y = (x[~/B] I y[6/~])\6 where

~ { ~(LuM).

In pictures:

(See §8.3 for a proof that f-~ is associative;

this even holds if

LnM~.)

48

Now consider in particular

p:{~,8,y}

p = a~y(P~P)

, q = ~q

and

q:{~}

given by

and consider the following derivation:

2 ~_~_>pf-~ p,", p , ~ p-~, q 4 c~y > p..-., p,--, pr~ p , ~ p,"~ p,"~ p r , p~-, q •

After

.etc .....

n

Exercise 4.1

u's, 2n - I 7's (and no more) can have occurred. (For fun).

Describe the behaviour of

precisely - e.g. how many Exercise 4.2 which

y's

p~q

a bit more

must have occurred after

Build a counter of sort

n

~'s?

{i ,6 ,~}

(i) Can always be incremented by an 1-experJ/nent; (ii) Can be decremented by a f-experiment if non-zero; (iii) Can admit a ~-experiment only when it is zero. Hint:

in state

about

n

by one;

n, it will be sGmething like a chain of

cells.

Incrementing must increase the cell-count

d~ting

must decrease the cell-count by one by

causing one cell to die - i.e. became NIL.

You m y

need a

doubly linked dnain, built by a suitably generalised chaining operator, and looking like

"0:

0:

But our calculus so far has an irmportant restriction which makes it inadequate for programming;

all ccm,I~mication is pure syndqronization,

and no data-values are passed fram one agent to another.

True, we could

in principle 'read' the contents of the counter of Exercise 4.2 by. seeing how many decrements (6) are needed before a ~ Tnis would be ~ c m e ,

(test for zero) is offerred.

to say the least, and for the counter as specified

it would destroy the count stored in it:

49

So we now proceed to a generalisation of the algebra. so we are forced to abandon our ST interpretation. place must wait till Chapters 5 and 6;

In doing

What takes its

meanwhile the reader must

realise that - for example - the equality symbol between our more general behaviour expressions is not explained in this chapter.

4.2

Pass in~ values Consider the simple behaviour

%_

P = ~ 8 ~ p

S~p~8

It's no more than the cycler of Exercise 2.7, but if we think of positive labels (e,8) and negative labels

(~)

?

as accepting input pulses,

as giving output pulses, then

p

beccmes

a behaviour which "gi~_s an output whenever it has received two inputs" (the inputs being demanded in a particular order). Suppose that an input at a value (an integer, say).

~

consists of more than a pulse;

it is

qhat is, attempting an a-experiment on

consists of offerrin9 a value to

p

at s .

p

We may then wish to represent

p 's behaviour as p = ex.--where

x

is a variable (supposed to become bound to the value received

in an s-experiment), and - - - is sc~e behaviour expression _dependent upon x

x , i.e. containing

is bound by

x

as a free variable.

We say that the variable

a, and its sco~e is - - - .

(This is very f~niliar to anyone who knows the l-calculus;

the difference

here is that any positive label e may bind a variable, while in the l-calculus there is only one binder - the symbol "I".) We can go further, in our aim to transfo~n

p

into a behaviour whose

output values depend on its input values, and write p = ~x.Sy. - - Here

8

binds the variable

while the scope of

y

since then any occurence of to

x ;

y .

Note that the scope of

is just - - - . x

the value bound by

x

is

By.---,

(It would be stupid to write

ax.Sx.---

in - - - would refer to the value bound by a

to

x

is inaccessible.)

50

Suppose we want the s~n of

x

and

y

to be output at

~ .

That is, in general for negative labels, attespting a ~-experi1nemt on

p

cc~sists of ~ d i n ~

a value fram

p

at

~ .

Thus negative

labels do not bind variables - instead they qualify value expressions (which may contain variables).

SO we write

p = ~x. 8y.~ (x+y) .p it is now proper to talk of an " ~ v-experiment" rather than an "~-exp~_r~t",

where

v

is the value submitted by the c~server, and

similarly of a "~ v-experiment" where observer.

v is the value received by the l So, generalising the relation --~ of §3.3, we say p X_~Vp,

means ,,p admits a I v - e x p e r ~ t ,

and can

transfozm to p' as result". (Note the different sense, according to the sign of I .) As a general rule then, we can state ~x.B where

v

eV~

is any value,

B{v/x} B

B{v/x}

is a behaviour expression, and

the result of replacing all unbound occurrences of

x

in

B

by

means v.

And similarly (more sin!sly) ~v.B

~V;B

for the 2articular value on

v o

So the following derivation is possible

p: p = ~x.By.~ (x+y) .p ~3 ~ By.~(3+y) .p 84 ~ (3+4) .p

~7~

p

(See §4.4 for more about derivations.) Now we have hardly anything more to add to our language before finding that it can be used conveniently for progranming.

As for its inter-

pretation, we can introduce a generalised fona of ST which we call Cxa~,t~nication Trees (C~), but for the present we wish to rely on intuitive understanding.

51

We shall usually be handing expressions of the fo~m [ ~ixi.B i i ! Bi,Bj, ~ It

where

and the

E

+

[ ~jEj.B i j

+

[ T.B~ k

are behaviour expressions, the

are value expressions.

xi

are variables,

As for expressions involving

3 cc~position (I) and the other operations, it will be enough to look at a simple example and then give a generalised Expansion Theorem (§2.5). Consider B = (~x.B I + BY.B2) i ~v.B 3

We expect a s~n of 4 temas, one involving

~ :

B = ~x.(BII~v.B 3) + 8y.(H21~v.B 3) + ~v.((ex.B 1+Sy.B 2) I B 3) + Y-(HI{v/x}IH 3) Note that the "label" • does not bind a variable or qualify a value expression.

We shall also reselcve the right to use other labels in

this simple way when they only represent synchronization. shall allow a positive label to bind a tuple

x = Xl,...,x n

variables, and a negative label, to qualify a tuple value expressions;

g

of (distinct)

E = El,... ,En

of

then for pure synchronization we just use O-tuples.

We shall use the term guard to ccr~prise the prefixes and use

In fact we

to stand for a guard.

Dijkstra [Dij]

~,6~

and T,

invented the notion

of guard, to stand for same condition to be met before the execution of a program part. is

It is natural to adapt it to the case where the condition

the acceptance of an offerred c~Lunication, as Hoare [Hoa 3] has

also done in his CSP.

We then find that the analogue of Dijkstra's

guarded ccn~ands is provided by st~mation; Egk. ~

we refer to an expression

as a sum of 9~ards, and call each

expression.

Expansion Theorem Let

gk'~

a s ~ n a n d of the

We denote the nan~ of g's label by name(g). (stated and proved as Theorem 5.8).

B = (Bll...IBm) kA , where each

Bi

B = [{g.((BIO...IBII...IBm)\A) ; g.B l

is a s~n of guards. a summand of

+ ~{T.((BII...IB~{~/~}I...IB~I...IBm) A); Hi, eE.B 3

a summand of

B 3• ,

~.B'.l

g.

Bi, name(g)% A} a simTnand of

i~j}

provided that, in the first tena, no free variable in by

Then

Bk(k ~ i)

is bound

52

The meaning

of the Theorem is that all unrestricted actions and all

internal c~,~Lunications in

B

may occur.

Note that our language contains two distinct kinds of expression value expressions and behaviour expressions. the first kind, B the second.

Consider

~ E.B ;

E

is

We allow the following simple but

important constructs in our language: (i) Conditional behaviour expressions. if where

E

E

then

B 1 else

B2

is boolean-valued.

ex.(if x->O

then

Consider for example

~x.B

else

{x.B)

(ii) Paraneterised behaviour definitions. a(y) = ax.(if

x->y

then

(iii) Local variable declarations. let

x=6

and

y=lO

in

For example:

~x.a(y)else

{x a(y))

We shall allow constructs like B

and B

where

x = 6

and

y = i0

.

They mean exactly the same - namely, the same as substituting 6

for

x

and

i0

for

y

throughout

B.

We hope that the language is simple enough to be understoc~ intuitively, without fonmal syntax.

4.3

An example

-

Exact f o ~ a t i o n

comes later'

Data Flow

We will now show how to build and verify a simple system which bears a strong relation to the Data Flow Schemata of Dennis et al [DFL] o The task is to build a net which will ccmpute integer

2x

for arbitrary non-negative

x , given components for cc~puting more primitive functions and

predicates, and same standard gating and switching ~xml0o~ts.

That is,

we want a net whose behaviour is observation equivalent to a = ix.o2 x. a (We shall often use standard ccm~nents.

~

(i) for input, o for output).

First, we define same

53

(i) Unary functic~ agent For arbitrary unary function DO f

=

f , we define the agent

ix.o(f(x)).(DO f)

(2)

~DOf/

0 we shall only use sinple f's ; we are actually trying to build the b e h a ~ o ~

~b~p where

bexp (x) = 2x , as you can see by oanloaring (I) and (2).

(ii) Unary predicate agent For arbitrary unary predicate

p , we define

A S K p = ~x. i_~fp(x) then

olx. (ASKp)

else

~2x. (ASK p)

Note that the value

x

4 ol

o2

is passed unchanged out of one of the

output ports. (iii) A ~ate

4~I C~TE

=

~x.ox.y.GATE

~ G ~ /

%~e gate transmits a value unchanged, but n~st be r e - ~ e d

at

y to repeat.

=

ix.y.ox.TRIG

TRIG

y~T~G/

Like a gate, but must be triggered (or trigger sc~neone

O

else') after receipt and before transmission. (v) A source For arbitrary constant value

v , a ~ent

source of

is given by DOv

=

~.ov.(DOv) O

We use

D O , because the unary function agent is easily

generalised to just

n-ary function agents, and constants are

o-azy functions.

v's

54

(vi) A sink SINK

=

Ix.SINK

~S'INKy

For discarding ur~anted values. 1

(vii) A switch

t

SWITCH

=

Ix. (YI.OlX.SWITCH + Y2.o2x.SWITCH)

Y1 ~-~TI~y2 o/

02

A generalisation of a trigger; triggering

Yi

selects output port

This is all we need for our example;

oi "

it is not a cc~plete (or necessarily

best) set, and it would be interesting to design a good set of cc~ponents which could be shown adequate for a wide class of data-flow computations. We would like to factor our design into a control part and a controlled part.

For the control part, it will be convenient to build

an agent observation-equivalent to x times CONTROL = ix:y. • • • .y.'~.CONTROL i.e. for input

x

it will admit

x

and return to its original 'state'.

(3)

y-experiments followed by a 6-experinent, We show the net for realising CONTROL;

it can be shown by Expansion to satisfy an equation like (3) with many intervening w's, and this is observation equivalent to CCNTROL, as we shall see in Chapter 7.

55

I

i I !

CONTROL

I

t I

\ \ ! ! ! b i

\

i i : I

t

Y \ I

\ ##

\ % %

6

# ! I I I

| | I I I !

One can check for the right b~haviour infozmally, by "arrow-swinging". Note that the initial state is restored, and that if either trigger is replaced by a gate then 'overtaking' can occur, yielding the wrong behaviour.

56

The oontrolled part, or body, is to admit a value then after

n

v

at

~' ,

y-experiments follow~d by a ~-experiment it will emit

× v at o and restore itself. BODY = 1'y. b(y)

That is, we want to realise

where

(4)

b(y) = ~.b(2y) + ~.oy.BODY

I' BODY

~

i ¢ s j r

s (k

I

"Irr~

I

!

i Exercise 4.3

Put this net together, as a restricted ~ i t i o n

of

relabelled standard components, and show that it satisfies an equation like (4) (but with intervening T's), using the Expansion Theorem.

57

Having established the behaviour of BODY and C ~ L ,

it is a simple

matter to put them together in sud% a way that an input

x

to the

whole system first gates a i into BODY, then enters C O N S U L itself. ~e

outer pair of gates (present also in BODY and CONTROL) is to

prevent overlappin 9

of successive ccmputations. I

II t

DO bexp

! | 1 I

t I 1

I !

t 1

BODY

-7

k~ %

L

T! -! I

O

58

Exercise 4.4

Treating BODY and CONTROL as given by (3) and (4)~put

the net together as in the last exercise, and show that it behaves like DO be~xp, but with intervening

T's.

See (i) and (2).

The exa~ole shows how nets may be built in modules which are verified separately.

There are two remarks:

(i) The use of the Expansion Theorem is tedious, but as we mentioned earlier it can be mechanised. (ii) We have implicitly assigned that if two behaviours are observation equivalent, then replacing one by another in any system context will yield an observation equivalent system.

(This is what justified our treatment of BODY

and CONTROL - replacing them by their s ~ c i f i e d behaviours). This asstmption is justified for the contexts we have considered, but it is not trivial to prove that this is so.

Exercise 4.5

Construct data flow nets to cc~pute the value of

input values

x

and

y

frcm

y , for each of the following prograns:

(i) while

p(x)

do

(y:= f(x,y) ; x: = g(x))

(ii) while

p(y)

do

(y:= if q(x,y) then

f(x,y) else

f(y,x) ;

x:= g(x) ) You will almost oertainly need same other 'standard' agents, and a different way of handling predicates - since the construct 'ASK q' doesn't generalise very well for non-unary predicates.

4.4

Derivations In

§4.2

Similarly,

we gave an exarmple of a derivation of

B = ((~x.B1 + 8y.B 2) I ~voyz-B3)\S

p = ~x.Sy.y(x+y).p :

has derivations

B ~ (B1{5/x} t ~v-~z.B3)\S ; B ~-->(B2{v/y} I Yz-B3)\8

~

(B2{v/Y} I B3{7/z})\8

-

59

A general derivation takes the form B

PlVl) BI____ ~2v2 ~B2

__.>...

p v n n B n

(which has length

n) or may be infinite.

derivation of length n as UlVl ~2v2

We shall often ~a~ite a ~1vl.~2v2..

Pnv ,

or

....

B

~

v

n n, B

n n we can abbreviate

B -J--~B' m

and abbreviate

by B ~ B'

(n ->O)

n

B ~ . ~ V . T B'

k57 B ~ > B '

(m,n >_O).

(see also §3.3). A cc~01ete derivation is either an infinite derivation, or a finite derivation which cannot be extended (this means Exercis____~e4.__66 Using equations (3) and (4) in

I

derivations of BODY, ~ L

B

n

= NIL).

4.3, write sc~e of the

and (BODY I CONTROL)\y\6 .

derivations are there?

A ccrmplete finite derivation of

B

represents a possibility that

can reach a point where no further action is Ix)ssible;

4.5

What ccr~piete

B

it may deadlock.

An example - Zero s ~ c h i n ~ We want to set two agents

a root for the equation function

p

f(X) = 0

and

q

in the range

[A,B] , for a continuous

f , knowing that such a root exists - i.e.

It is natural to make

p

and

q

calculate

and concurrently, for two internal F~ints

If

to work together in finding

p

finishes first, and finds that

he can leave a message for

q

A'

f(A) ×f(B) -<0.

f(A')

and

and

B'.

f(A')

f(B')

respectively,

differs in sign frcm

to cane and help him in the new interval

[A,A'], and begin to work within this interval himself.

f (A) ,

60

If he finds

f(A')

should go to help

q

to have the sane sign as

+

+

A

A'

He could choose a point Section 3]

f(A),

then he

in the interval [A',B3.

:-A"

B'

A"

in

B

[A',B']

or in

[B',B].

Kung [Kun,

made the elegant suggestion that the points

A',B'

not trisect [A,B], but rather divide it so that the ratios B'B:AB

and

A'B':A'B

the new point A"

are equal;

then in the case above

should

AA':AB, A

may pick

so that the new interval [A' ,B] is subdivided by the

~ r k i n g points in the same ratio This determines

A' ,B'

as [A,B] was subdivided.

as the g o l ~

A

A' ..... ' e2£

. ~£

sections of

BI

A,B; O2 + 8 - - 1 ;

" B

~ 03~

0=

~~--1

-~" .618

e~ A t any n~ment t h e n , t h e r e a r e two p o s s i b i l i t i e s :

(i) p

and

q

are both ~ r k i n g on golden sections of [A,B];

(ii) One of them is working on a golden section point, and the other on a point outside the interval (because the other agent has shrunk the interval). The oc~putation stops when the interval has been reduced to less than same predetexmined value 'eps '. As Kung observed, the algorithm can be implemented by giving a local variable

X

(his working point), q

a local variable

Y

p similarly,

and representing the interval by a few global variables which either q

p

or

may inspect and update, using a critical secticn for the purpose.

Thus an outline program for p = while

P , using conventional and obvious notation, is:

interval >_ eps

~u~ similarly for

cP TIe

do f (X) ;

update globals

q , and the whole progran is

p

II q

SECT

o0end

.

end

;

61

T. M~idner has given the ac~plete algorithm [Mtil].

I am grateful to

A. Salwicki for drawing rmy attention to this ~ l e ,

which is a good

one to illustrate different concurrent programfing disciplines. Now in a sense p

and

q

are sharing a resource,

interval, represented by global variables.

i.e. the

Hoare and others have

made the point that code and data associated with shared resources are better located at ¢xle site, rather than distributed over the sharing agents;

Hoare proposed Monitors as a device to achieve this modularity

[Hoa 23. Here we propose to represent the interval as a separate agent, without the need for any extra progranmdng construct for the purpose. The idea is that

p

or

q

submits the result of his evaluation

to the interval agent, which then hands him a new evaluation point. p, working on

X , is represented by

p(X) = ~i (X,f (X)) .e2x' . p (X')

~p(X)~ ~i ~2

and

q , working on

Y, by

~I

q(Y) = ~l(Y'f(X) )'82Y''q(Y')

B2~

Notice that each suk~ts a pair, a r ~ t

and function-value, to the

interval. The interval Int is parameterised on A,B,a,b (and always later)

a = f(A), b = f(B) and

where initially

a×b-
By carefully reversing the direction of the interval when necessary, Int ensures that at any time p

is working either at

£[A~B] (left section) or outside the interval;

q

"

r[A,B] (right section) "

'. . . . .

The interval agent has sort finally at

"

"

{~i '~2'81 '82 '~} ' and delivers the root

~ . It is defined as follows:

"

62

Int (A,B,a,b) = if

:

IA-BI < eps then

(~1 (X,x).

i_~fX = A' if

~A.NIL else

-

.

g

A'

B'

,

(p)

(q)

then

>

)

B

x×a_
the/~~ [2%[A,A '] .Int (A,A' ,a,x) else else

e2£[B,A '].Int(B,A',b,x)

t

+

~2A' .Int (A,B,a,b)

_

"

{

+ 81(Y'Y)" if Y = B' then if y × b _ < O then

j

t

{

i

+

~

I

i

_

~

~2r[B ',B].Int(B' ,B,y,b)

e!s e ~2r[B ',A].Int(B',A,y,a) else ~2B' .Int (A,B,a,b) ) where A',B' = £[A,B],r[A,B]

The ccrnplete system is

(q) (p) + (.P)

([q)

Sys(A,B,a,b,X,Y) =

(p(X) IInt(A,B,a,b) {q(Y))\~l\~2\~l\~ 2

(The arrows are marked assuming the case ~ a t do we want to prove about Sys? derivation computes a near-root of

f

we mean a Z such that [Z-eps,Z +eps] we require

IA-BI -> eps.) SJ-~ply that every possible

in [A,B].

(By a near-root Z of f,

contains a root.)

More precisely,

63

if

(i) a = f(A), b = f(B), a × b < O ,

and

(ii) X = ~[A,B]

then

or

Y = r[A,B],

every ccmplete derivation of

Sys(A,B,a,b,X,Y)

takes the form

Sys (A,B,a,b,X,Y) where

Z ¢ [A,B]

~

NIL

is a near-root of

f.

It's convenient to prove this by induction on the size of [A,B], defined as the least

n

such that

Sys (A,B,a,b,X,Y)

On × I A - B I < eps.

For size = 0

we have

.[A> NIL

as the only complete deri~ation~ and we are done.

For size > O, we can

use the Expansion ~qeore~ to show the following, which is enouc~ to cfm_~_lete the proof: conditions (i) and (ii) , every complete derivation of Sys(A,B,a,b,X,Y)

extends a derivation

T,T

' ~ Sys(A',B',a',b',X',Y')

where the parameters again satisfy (i) and (ii), and (a) if

X = £[A,B]

and

(b) otherwise either X' = £[A,B]

~

Exercise 4.7

t I

and

Y = r[A,B]

[A',B']

then

[A',B']

has ~naller size;

has smaller size or

[A',B'] = [A,B],

Y' = r[A,B] .

Verify the above statement by expanding

Note that the interval decreases in size after ~

Sys(A,B,a,b,X,Y). cc~outations, though

not always after one.

_Exercise 4.8

It isn't necessary for

distinct ports. and similarly E~ercise 4.9

P and q Redesign Int so that ports e I , 81

e2' 82;

Int through are identified,

it's easy but not cc~pletely trivial.

Kung remarks that a rcot-seardli~ algorithm for three

cooperating agents can be designed so that the interval subdivision adoptS one of the two patterns

~/4

~./4

~/4

. Program this algorithm.

~/4

~/3

~/6 ~/6

9./3

64

I Exercis____~e 4.1___OO Suffuse that p (q similarly) can pause during its evaluation of f (X) at certain times, to ask the interval "should I continue or start on a new point?" Adjust the in~ agent to respond to these interrupts.

CHAPTER 5

Syntax and Semantics of CCS

5.1

Introduction We have seen some examples of expressions of OCS, representing both

programs and their specifications.

We sm~ that, with the introduction

of value-passing, we had to abandon the simple interpretation of behaviour expressions as syndqronizaticn trees, but in §4.2 we talked of atamic e~periments on behaviour expressions

(or on the behaviours for which they

stand), and this was developed further in §4.4 on derivations. We are now reaahy to present CCS precisely, and to define precisely the atnmic actions (and hence the derivaticns) of every OCS program.

On

this basis, we proceed in this chapter and in Chapter 7 to develop our central notion, observation equivalence of programs. short step to a congruence relation; iff they are observation equivalent in every context.

Frcm this it is a

two prograns are observaticn congTuent (i.e. indistinguishable by observation)

Our proposal is that an observation congruence class is

a behaviour, so that 0CS is indeed an algebra of behaviours, in which each progran stands for its congruence class. This main development is independent of the notion of ST. now be regarded as a first approximation

STs may

(not sufficiently abstract) to a

model of CCS without value-passing, and in Chapter 6 we show how they may be generalised to CTs (cca~m~ication trees) to give a first approximation to a model of OCS with value-passing;

again, the main development is in-

dependent of CTs, which are only discussed to aid understanding.

~hen we

eventually define observation equivalence over prograns in Chapter 7, it will look just like the corresponding definition in §3.3 over STs, which generalises to CTs in an obvious way.

Indeed, we expect to find that two programs

are equivalent iff the correslxlnding CTs are so;

in that case CTs, though

not technically essential, fit naturally into our picture. ~his chapter is devoted to a ocmgruence over programs which we call stron~ congruence, since it is stronger than the observation o0ngruence studied in Chapter 7.

By approaching our proposal in two stages we intro-

duce the properties of behaviour gradually, and with greater insight than if we tackled observation ccngruence immediately.

In fact we even subdivide

the first stage in this chapter, approaching strong congruence via an even

66

stronger relation called d i ~ c t equivalence. The CCS

language

was introduced in the author's "Synthesis of

C~,~nicating Behaviour" [Mil 3].

However, the semantic sToecificaticn

by derivations was not given there in detail.

Value e~0~ssicns E Value expressions are built frGm (i) Variables

x,y,...

(ii) Constant s y ~ I s ,

and functicn symbols standing

for knc~n total functicns over values using conventional notation. value expressions.

We also allow tuples

(El .... ,En)

of

ThUS each value expressicn without variables stands

for a uniquely defined value;

we shall not worry about the distinction

between such expressions and their values. We shall also avoid details about the types of values and value expressions, though we shall have to mention sane syntactic constraints depending cn such details (which are standard). Labels, sorts and relabellin@ As in Chapter 2, our labels are We use

e,8,.,

A u{% } .

to range over

A = A u A , together with

~, I over A, and

A sort L is a subset of A ;

u,v,..,

~.

to range over

to each behaviour expression

B will be assigned a sort L(B). % A relabelling

S : L÷M

However, scme positive labels and the~ that

S

~

between sorts ~

L

and

M

is as in §2.2.

will be used to bind (tuples of) variables,

will qualify (tuples of) value expressic~s;

preserves the sign of such labels

we must ensure

(i.e. S (e) e A ).

Moreover, in

a ccr~plete treatment we should have to assign types to value variables and value e~pressions, hence also to labels, and to ensure that relabellings respect the types of labels.

We will avoid these details;

they need care,

but would only obscure the more important aspects of semantics which we want to discuss here. % We shall only meet finite sorts in examples. However, all we need to ass~ne - for technical reasons - is that A is never exhausted. Infinite sorts may be of use; see the end of Chapter 6.

67

Behaviour identifiers ~

b

presuppose a collection of such identifiers, each having

preassigned (i) an arit~ (ii) a sort

n(b) - the n~m%ber of value parameters. L(b).

We assume that the meaning of such identifiers is given, often r ~ s i v e l y , by a behaviour expression. behaviour identifier p

For example, in §4.5 we gave meaning to the

by

p(x) = ~i(x,f(x)).~gx'. p(x') where

n(p) = i, L(p) = {~i,~2}

o

Again, a cGmplete treatment would specify not just an ~ type (i.e. list of parameter types) for each

Behaviour expressions

but a

b .

B

Behaviour expressions are formed by our six kinds of behaviour operator (§4.1), by parameterising behaviour identifiers, and by conditionals. It's convenient to present the forma~tion rules as a table (see below), giving for each expression

B

its sort

L(B)

and its free variable set

FV(B). We should regard the language given by the table as a core language, which we are free to extend by defining derived behaviour operators chaining ccmbinator

~

(the

of §4.1 for example) and by alternative syntax

for cc~monly occurring patterns. In what follows, we shall use ....

}

to denote the result of substituting expression x i (i s i-
at all its free oc~]rrences within

Ei

for variable

B .

Sc~etimes we shall

abbreviate vectors (tuples) of variables and expressions as

~

and

E ,

and write a substitution as

(As usual, suc/h substituticns may require dlange of bound variables, to avoid clashes. )

68

SYNTAX TABLE FOR B~]~AVIOL~ EXPRESSIONS

Form

B"

L (B")

FV (B")

¢

~acti~

NIL

Summation

B+B'

L(B)

Action

ax I~ .... ,xn . B

L(B) u {e}

u

L(B')

FV(B) U FV(B')

FV(B) - {xi ..... Xn}

L(B) u {~}

FV(B) u U. FV(E i)

T.B

L(B)

FV(B)

Composition

BIB'

L(B) U L(B')

FV(B) u FV(B')

Restriction

B\c~

L(B) - {a,~}

FVCB)

Relabelling

B[S]

S (L (B))

FV(B)

Identifier

b(E 1 ..... En(b) )

L(b)

~FV(Ei)

~E I .... ,En

B

1

Conditional

if E then B else B'

The table shows how of sorts

L(B) ,L(B').

B"

FV(E) u FV(B) u FV(B')

L(B) u L(B')

of sort

L(B")

may be built from

B,B'

Parentheses are to be used to make parsing

unambiguous, or to e~phasize

structure;

to avoid excessive use of

parentheses we asst~ne the operator precedences {Restricti°n} Relabelling

> Action

>

ODm~osition

>

St~mation .

~qus for example B I~.B'\~ + B"[S]

means

(BI (T. ( B ' \ ~ ) ) )

+ (m"[s])

.

6g

5.3

Semantics by derivaticns We proceed to define a binary relaticn

for each u cAu{T}

and value

v

~

over behaviour expressions,

(of type appropriate to ~ ).

may be read "B produces (or can produce) B' under are in the relation in

B'

-

B ~--~VB'

~v " ; thus if

~v , a particular atcrnic action of

B

B,B'

- resulting

is indicated.

Referring back to §3.3, we are taking behaviou[ expressions to be our agents;

towards the end of §3.3 we chose STs as agents, and we shall

see in the next chapter how to regard CTs as agents. T is a particular case of our relations, since the only Note that -~ value of type appropriate to T is the O-tuple. ~he relations ~ behaviour expressions.

are defined by induction on the structure of This means that all the atanic acticns of a

pound expression can be inferred frQm the atamic actions of its ec~qx)nent (s). Such a relation, though not indexed as here by appeared in connection with the

l-calculus.

~v , probably first

It was called a reduction

relation, and the clauses of its definition ~

called reduction rules.

Gordon Plotkin first made me aware of the power and flexibility of such relations in giving meaning-by-evaluation to progranluing languages.

(In

passing we may note that the original definition of ALC/3L 68, though strongly verbal, is in essence a set of reduction rules.) I~c~on NIL has no atomic acticns. Suranation Fr~

BI--~--~B~

infer

BI+B2~B

B2~B~

infer

BI+ B 2 ~ B ~

1

Tnus the atcmic acticns of a stun are exactly those of its summands. We adopt the following presentaticn of such inference rules:

Sum --)

(i)

B1 ~ B1 + B2 ~

B{

(2) B1 ,

B2 ~-~vB~ B1 + B2 ____>B 2~v ,

70

Action

(1) =x I ..... x . B ~(vl .....Vn~

B { vl/x I .....v / x n}

Act ÷ (2)

~V 1 ..... Vn.B ~ (Vl' .... Vn)- B

(3)

T.B ~-~B

Notes:

(i) These are not inference rules, but axicrns. (ii) Act ÷ (i) holds for all tuples type for ~ ) , while A c t + (2) qualified by

(v1 ..... v n) (of appropriate holds just for the tuple

~ .

(iii) See § 5.5 below for why we consider only values v 1 ..... v n (not expressions

E 1 ..... En) in A c t ÷ (2)

Cc~position

(2) B2 ~vB~

B~JB2~--%vBIIB~

BIIB2~B~IB 2

Cam÷

(3)

~i --~ Sl

B2

B~ IB2~ B~ IB~ t~tes:

(i) Can ÷(i) and (2) express the idea that an action of

B I or of B 2 in the ccr~position

B lIB 2 yields an

action of the ccr~0osite in which the other ccr~onent is unaffected. (ii) Cam ÷ (3)

expresses that cQmmunication of ~ n e n t s

yields a T-action of the ~ s i t e .

71 Restriction B ~--~VB'

~{e,~}

,

Res ÷

B\~ ~--~VB,\~ the side condition ensures that

Note:

B\~

has no

~v

or

ev

actions.

Rel~iLinS, B ~_~vB ,

Rel ÷

B[S] (Su)v B'[S] Note:

recall our convention that

Identifier.

Suppose that identifier

ST = T b is defined by the (.possibly

recursive) clause b(x I .....X n ( b ) ) ~

~

(FV(~) E {xI .....Xn(b)})

We shall discuss such definitions shortly.

Ide

Our rule is

~{vl/x I .... ,Vn(b)/X(b ) } ~-~B' b(v I .....Vn (b))- ~

Note:

B'

the rule says, in effect, that each parameterized identifier has exactly the s~ne actions as the appropriate instance of the right-hand side of its definition.

Conditional Con ->

(i)

BI~-R~VB' i

(2)

if true tb~nB 1 else B2 ~-~VB 1

Note:

B2~-P~VB~ if false then B I else B2 ~--~VB~

As with all value expressions without variables, we assume that boolean-valued expressicns evaluate 'autcmatically' to their boolean values.

See §5.5 bel(x~ for why we need not

consider value-expressions containing variables in these rules.

72 5.4

~finin 9 behaviour identifiers We shall now assume that every behaviour identifier

b

is defined

by a clause b(x I .... ,Xn(b)) ~ where

x I .....Xn(b)

Bb

are distinctvariables, andwhere

F V ( ~ ) c { x I .... ,Xn(b)}"

The symbol ' ~ ' is preferred to ' = ' since we are not yet talking of the behaviours denoted by behaviour expressions (so ' = ', in the sense of equality of meaning, would be out of place), and also because we will later in this chapter use ' =' to mean identity between expressions. We thus have a collection of clauses defining our b's, and they may be mutually recursive.

Although not actually essential, we shall ini0ose a

slight constraint on the collection, which will forbid such definitions as b(x) ~

O~

~x.NIL + b(x+l)

~b I ~

b2 + ~.b3

[ b2

blIB.b 4

in which a behaviour may ' c a l l i t s e l f r e c u r s i v e l y without passing a g u a r d ' . Thus the following are permitted: b(x) ~ and

~x.NIL + T.b(x+l)

~b I ~

b2 + c~.b3

tb 2 ~

~.bllS"b4

More precisely, we say that b without an enclosing guard. the b's

is tm$~arded i n B

if it occurs in

B

The restriction on our defining clauses for

is that there must be no infinite sequence bi(1) ,bi(2) ,... such

that, for each

j , bi(j+l) is unguarded in bi(j)

examples above there are such sequences: respectively.)

(In the forbidden

b,b,b, .... and bl,b2,bl,b2,...

Further, for correctness of sorts, we require

L(~) _c L(b) When the above constraints are met, we shall say that the behaviour identifiers are guardedly well-defined.

73

5.5

so~

and p ~ r ~

Our f o x . o n expression

r u l e s a s c r i b e a u n i q u e s o r t L(B) each ~ h a v i o u r

B ; we write B : L(B)

to mean

'B possesses sort L(B) '

to allow

B

For many reasons, it is convenient

to possess all larger sorts as well; B : L & L _c M

implies

so we declare

B :M

For example, this allows us to make sense of an expression like NIL[ 8/= ] since

8/~ : {~} + {8}

is a relabelling, and

NIL : {~}

since

NIL : @.

An ~ o o r t a n t property of at/mdc actions as defined in §5.3 is the following: Proposition 5.1

If

B ~-~VB ' ~ and

~ L u {T} Proof

and

B:L

, then

B' : L

By induction on the length of the inference which ensures

B~

B' ,

using the ascription of sorts by the fox,nation rules. Although our rules for atcrnic actions apply to arbitrary behaviour expressions, they fail to describe fully the meaning of expressions with free variables.

For example, the rule

Act ÷ gives no action for

~(x+ I) . NIL and Con ÷ says nothing for i_ff x->O

then

~x.NILelse fl(-x).NIL

Clearly they could not determine the actions of these e~oressions, since actions involve values, not variables, and in the second exanple even the label of the possible action depends upon the 'value' of We choose to regard the m ~ i n g free variables value-vectors Definition

~

x .

of a be~aviour expression

as dete/~nined by the meanings of

B{~/~}

B

with

for all

q . We define a program to be a closed behaviour expression,

i.e. one with no free variables.

74

Now the fact that our rules describe the meanings of programs satisfactorily is due to the following: prc~ositi0n 5.2

If

B

is a program and

B ~B'

, then

B'

is also

a progran. Proof

By induction on the length of the inference which ensures

B ~ v B' .

~e

cendition cn the free variables of each

~

, and

the substitution involved in Act + (i) , are critical.

5.6

Direct equivalence of behaviour programs (In §5.6 and §5.7 we are concerned only with programs). We now take ~o the question, posed in 55.1, of which behaviour

programs possess the same derivations;

this will yield an equivalence

relation, which will also be a ccngruence - that is, any program may be replaced by an equivalent one in any context, without affecting the behaviour (derivations) B+B'

of the whole. and

For example,

B' + B

are different prograns, but we clearly expect them to be interchangeable in this sense. A first approximation to what ~ we denote it by Definition ~,v and

(Warning:

want may be called direct e~uivalence ;

- , and define it as follows:

B 1 _--B 2

(B1 and

B2

are directly equivalent) iff for every

B

-- is not a congruenoe relation.

For example, we may have

B I - B 2 , but in general

I

BIB 2

.

I

%

.NILI B 2

For

le, II

a~

not identical:

NIL I B 2

But the congruence relation we want will be ~nplied by following laws for

~ , and so the

- will hold for the congruence also. )

75

In what follo~ it is often convenient to let arbitrary guard

eX , ~E

guard is given by

or

The name of the label in Theorem 5.3

T.

The result

S(ax) = (S~)x g

, S(~)

Sg

g

stand for an

of relabelling a

= (S~)E

and

ST = T .

is denoted by name(g)

(Direct ~uivalenc~_s).

The following direct equivalenoes

hold (classified by the leading operator on the left side): Sum -

(2) B I + (B2+B 3) -- (BI+B2)+ ~

(I) BI+ B 2- B 2 + B I (3) B + NIL - B

Act-

ex.B =- ~y.B{y/x} where

Res -

(4) B + B - = B

(change of bound variables)

y

are distinct variables not in

(i) NIL\8 - NIL

(2) (B1 +B2) \6 - BI\8 + B2\~

(3) (g.B)\8--- INIL

if

! g.B\~

Rel -

B

8 =name(g) otherwise

(i) NIL[S] - NIL

(2) (B1 +B2) [S] - BI[S] +B2[S]

(3) (g.B) [S] -- Sg.B[S]

Now in view of S~-m [ Si l
meaning

[{B i ; i e I} If each and each

Cc[n-

Bi

the following notations are unambiguous:

Let

(NIL, if n=O)

more generally, w~_re

is of fozm

B. l

BI+...+B n

I

is finite.

gi.Bi , we call such a sum a s~n of ~ ,

a sL~mand.

B

and

C

- [{g.(B'IC)

be st~s of guards.

Then

;

g.B'

a simmandof

B}

+ [{g. (BIC') ;

g.C'

a s~anand of

C}

+ [{~.(B'{~/x}IC');

sx.B'

and + ~{T. (B'[C'{~/~})

~°C'

; ~.B'

and

~x.C'

a summandof

B

a summand of a summand of a summand of

C} B C}

76

Ide-

Let identifier

b

be defined by

b(x)~ ~

; then

b(~) _--Bb{-~/'x}

Con_--

(I) if true then

B i else B 2 _--B I

(2) if false then

Proof

B I els___eeB2 = B 2

To prove each law is a routine application of the definition

of the relations

~v> .

We consider three laws:

(i) Stun---(2): BI+(B 2 + B 3) - (B1+B2) + B 3 let

BI+ (B2+B 3 ) ~

B.

This can only be due to

either

rule Su~n + (i), because

B 1 ~V>B

or

rule Sum 4(2) , because

B 2 + B 3 ~V~B ,

and in the latter case, similarly, either

B2~-~ B

or

B3 U~B

In each of the three cases, rules Sum 4(1) and Sum 4(2) yield (B I +B~) + B 3 ~-XvB .

The reverse inplicaticn is similar. (ii) Res- (3) : (~x.B)\~-={NIL

(~=a)

eX.(B\6) (8:*:~) By A c t ÷ (i) , the only actions of

~x.B

are of fomn

N

~X.B Thus

(~x.B)\~

~V~B{~/X}

(for arbitrary v ).

has no actions (since Res + yields none} ;

neither has NIL, which settles the case For

(8~),

byRes ÷

thecnly actions of

(ex.B)\8 a~,B{~/x}\B

=

c~iii~ c ~

-

:
(We use let

X

Tben

~x. (B\B).

~-5 and T is similar.

=- I'"+ l--- + I--- + I ' " .

, and B

are

to abbreviate the right-hand side.)

BIC ~--~VD .

(a) B ~ B "

(~x.B)\8

(B\8){~/x}

and these are exactly the actions of The proof for guards

8 = a.

There are several cases. D = B"IC

(by Corn+(1) ).

has a slmlnand g.B'

(by Sum +).

for which

g.B' ~V~B"

This action must be an instance of Act +

.

77

frc~ which we can also find that

g. (B' IC) ~v> B,,IC

(considering the three types of guard). Hence also

X~B"IC

= D .

(b) C ~-~vC " , and D = BIC" The ~

t

that

X ~--~D

(c) B ~-guB '' , C ~-~uC ' ana (by Can ÷ (3) ;

(by Ccrn÷(2)) is similar.

~ v = •, D = B"IC'

there is a similar case with

= ,~

Then by S ~ + and Act ÷ ,

B

has a stm~and

and

C

has a s%mm~nnd ~u.C'

B" = B ' { ~ x } ,

Hence, since

X

while

has a summand

X-~B"IC'

=D

~x.B'

~.(B'{u~}IC'),

we have

, as required .

We have now shown by (a),(b) & (c) that for all

BlC ~--%VD ~

exchanged)

u,v

and

D

X ~V~D

and the reverse implication can be argued similarly.

Exercise 5.1

Prove sane more of the equivalences claimed;

e.g. Sum-(1), easy as

5.7

S~

Re s-(2),

Rel ~(2)

and

C o n - (I) .

They are all as

-(2) .

Congruence of behaviour programs We now propose to extend or widen our direct equivalence relation to a

congruence relation.

Apart frc[flthe wish to get a congruence relaticn

(so that equivalence is preserved by substitution of equivalent programs) there is another motivation;

' -' requires that the results of actions of

equivalent programs should be identical, and it is reasonable to ask only that the results should be equivalent again. We therefore define the relation '~' over programs, which we call strong equivalence

(we define it analogously to the observation _equiv-

alence of §3.3, but it is stronger because we do not allow arbitrary T-actions to interleave the observable actions). a decreasing sequence

~0' ~1 ..... ~k ....

We define it in terms of

of equivalence relations:

78

Definition

BN o C

is always true;

B ~k+l C iff for all ~, v (i) if B ~V-~B' then for same

C'

C u--~Vc' and

B'

'

(ii) if C ~--~Vc' then for some B; , B ~--~VB' and B ~ C

iff k/k>-O. B ~k C

(i.e.

implies

'

B' ~k C' ;

~ = ~ ~k ) . k

We leave out the sir~ple proofs that each relation, and that B ~k+l C

C' ~k

~k

B ~k C

is an equivalence

(i.e. the sequence of

equivalences is decreasing). ~Ex~se

5.2

B E C

Show that

~lies

B

~k C for each k

f

and

ce in,plies B ~ C . Theore~ 5.4

~

is a oongruence relation.

More precisely,

BI~ B 2

implies

BI+C~B2+C,

C+BI~ C+B 2

~.B I~~v.B 2 , T.BI~ ~-B 2

and

BIIC~B21C

,

BI\~~B2\~

, BI[S] ~B2[S]

BI{~/~}~B2{~/x}

CIBI~CIB 2

(for all ~)

implies

~.B 1 ~ ~.B 2 Proof on

We give the proof only for ccr~position. k

We prove by induction

that B1 ~k B2

For

k = O

let

B IlC~-~DI "

implies

it is trivial.

B 11C ~k B2 IC

Now ass~ne

We want

D2

B1 ~k+l B2 "

such that

B21C ~-~Y~vD2 ~k D1 There are three cases: (a) B1 ~--~VB~ , and D 1 = B~IC (by Cam+_(1)) Then B ~ B ~ ~k B' . for scme B~ , 2 v 1 whence B21C ~-~vB~IC by C c ~ ( 1 ) ~k (b) C U I C "

and

D

= BIlC'

qPnen B21C~--~VB2~C' But

D1 (= B1 IC)

by inductive hypothesis •

(by Ccm÷(2))

by Ccxn÷(2)

B 1 ~k B2 (since B I ~k+l B2) " hence BIIC' ~k B21C' by inductive hypothesis.

79

(c) Bi l--~UB'llu' C !~C', Then

B2~B2'

and

~'k' Bi

.~v = T, Di' = B i'IC' (byCcm÷(3))

for sc~ne B 2

~k D1 By symmetry, of course, if BIIC~D1

~k D

Exercise 5.3

by inductive hypothesis . B2 1 C ~

D2

then we find

D1

such that

e

(i) Prove that

this shows that

B I~B 2

B1 ~k B 2 implies

guarding increases the index of

implies

~v.B 1 ~k+i~v.B2 ;

~v.B 1 ~ a~.B 2, and also that Nk

by one.

(ii) Prove the last part of the Theorem, involving the positive label guard.

We end this section by giving same useful properties of the form of equational laws. of its properties, since

-

~ , in

Note that Theorem 5.3 already gives many is contained in

~

Since we run the

risk of bewildering the reader with a confused mass of properties, let us e~phasize some structure. In Theorem 5.3,

S~n _=

semigroup with absorption, and

states that + and NIL f o ~ a cc~rm/tative Res _=, Rel -_-,Cam _= each describe how

one of the static behaviour operations dynamic operations that

+,

~v and NIL.

\~, [S] , I interacts with the In the following theorem Ccrn~ states

J and NIL folm a cc~mutative semigroup, while Res ~ and Rel ~ state

how the static operations interact with each other. 5.5 are only concerned with the static operaticns-

The laws of Theorem they are essentially

the Laws of Flow in [M~, Mil 2] . Theorem 5.5

Res

N

(Stron9 congruences)

(i)

BllB2~B21B1

(3)

B1NIL~B

(i) B \ ~ ~ B

The following strong congruences hold:

(2) Blt(B2IB3)~ (BlJB2) IB3

(B:L, a ~ n ~ s ( L ) )

(2) B\a\8 ~ B\B\a (3) (BIIB2)\a~BI\aIB2\~

(BI:LI,B2:L2,~ ~ ns~r~s (Lln L2) )

80

ReIN

(i) B[I] ~B

(I:L÷L

(2) B[S]~B[S']

(B:L, and S[L = S'~L)

is the identity relabelling)

(3) B[S3[S'] ~B[S'oS] (4) B[S]\B ~ B\~[S]

(8 = nane(S(~)))

(5) (B1]B2)[s] ~ BI[S] [B2[S]

Proof

~

give the proof of

Ccm~(2).

It is the hardest - but all the

proofs are routine inductions. We prove ~BIB2B 3 . BI[(B21 B3) ~k (BI[B2) IB3 by induction on For k = O it's trivial. Now for

k+l

, let BII(B21B3) ~--~VD ; we require

D'

k.

such that

( ~ 1 ~ ) [ ~ ~-Z,v~ ' -k ~ " There are several cases: (a) ~ pv B~

, and

D = B~[ (B2[B 3) by C~n+(1).

Then (BI]B2)[B3 ~_.v, (B~IB 2) IB3 by C~+(1) twice ~k D by induc+_ion. (b) B21B3 ~--~Vc , and D = B1]C

by

Ccra+(2).

Subcases

(i) B2~-Z v B 2' , and C = B ' 2[B3 by C.(m~(1) ; i.e. D = B I(B21B ) . I 3 ~ B II B 2 ~ B~l B~ by Can+(2) ,

~k

D by induction.

(~1% --*~B[, anac = B2[B'3 by Ca~(2); s=~J_ar. (iii) B 2 ~

B~ , so

by Ccm+(3). D = BI[.(B'2 ' IB') 3'"

~en B1 I% ~ B~[B~ by Ca~+(2),

so (BI[B 2) [B3Z-~(BIlB ~) IBZ by C . ~ ( 3 ) , ~k D by induction.

(~)~XUBI

,%[B 3~c,D=%'I

c

by Ccgn÷(3) .

and ~ v =

Subcases

(i) B2 ~ ~ so (ii) B 3 ~

B~ , ana c = B~[B 3 by C~+(i)

; i.e.

D :

BI IB2 ~+ B~ IB~ bY c ~ ( 3 ) , (BI [B2) (B[ IBm)JB 3 by Corn+(1), ~k D by induction.

[B3-~

B~

, and C = B 2 IB~ bY ~ ( 2 )

: s~ar.

B~_[(B~]B3)

81

D' ~ D

Thus we have found the required Similarly given

in each case; D'

(BIlB2) IB3P-~VD , we find

BII(B21B3)

such that

~kD

0'

%T~s ompletes the inductive step, showing BII(B21B3) ~k+l (BIlB2) IB3 ~ Exercise 5.4 H

Prove

CGm~(3)and

Res~(3)

.

For the second, you

need to appeal to Proposition 5 .i. We now state and prove a t~heorem which we need later.

It depends

critically on the assunption that all behaviour identifiers are guardedly well defined (§5.4). Strong ccngruence 'satisfies its definition' in the

Theorem 5.6

following sense: B ~ C

iff for all

(i) if

B-~

(ii) if Proof

(~)

p,v

B'

then for sane

C'

C ~--~Vc'

then for same

B', B-~

B'~ C'

in, lies

and (ii) we deduce (3) B~B'

Since

B' ~k C'

B ~k+l C B ~k+l C

then, for each

C~C'

for any

for all for all

k,

F

B' k ;

and

B '~ C'

and

B '~ C' .

hence frcm (i)

k , by definition, whence

B~C

.

k , we have by definition that if

3 ~ . C ~

& B'~kC k .

But frcm our

assumption that all b~aviour identifiers are guardedly well-defined it follows that argument).

{C' ;C ~

C' }

Hence for scme C ~

C'

and this implies decreasing in

and

B' ~k C'

k , hence

is finite (we cmit the details of this

C' ,

B' ~k C'

for infinitely many

for all

k

k , since the relations

~k

are

B'~C ' .

Thus (i) is proved, and (ii) is similar.

5.8

Con@ruence of Behaviour expressions and the Expansion Theorem Having established definitions and properties of direct equivalence

and congruence of programs - behaviour expressions without free variables we are now in a positicn to lift the results to arbitrary behaviour expressicns. All that is needed is to define

-

and

~

over expressions as follows:

82

Definition Let

~

be the free variables occurring in

BI

or

B2

or both.

Then BI - B2

iff, for all

v , Bi{~/x}---B2{~/~}

Bi ~ B2

iff, for all

~ , B1{v/x}~S2{v/~}

Now we clearly want to extend the results of Tneore~ 5.3, 5.5 to arbitrary expressions;

for example, we would like to apply

Cc~(3)

of Theorem 5.5 to replace ~(x+l). NILINIL

by

~(x+I).NIL

anywhere in any expression, but the law only applies at present to programs, and the expressicns shown have a free variable

x.

We state without proof the desired generalisation. Theorem 5.7

The relation

~

is a congruence over behaviour expressions.

~Dreover, the results of Theorems 5.3, 5.5 hold over arbitral~y expressions, with the foll~ing adjustments: (i) In

Ccm-

and

everywhere by

Ide~

of Theorem 5.3, replace

v (a value tuple)

(a tuple of value expressions).

(ii) Add in Coin= the condition that, in the first (resp.seoond) s ~ on the right-hand side, no free variable of C(resp. B) is bound by g. We now have enough to prove the Expansion Theorem, which we used in Chapter 4. Theorem 5.8 Let

(The Expansion Theorem).

B = (Bll... IBm)\A,

ccBiI

IBi

where each

Bi

is a s ~ of ~/ards.

Then

IBm \A ; g.Bi

a s~mmand of B i, name(g) { A} + [{~" ((BII " " I B I { ~ } I--- IB~I "-" IBm)\A) ; ~.B i

a summand of

Bi,

%E.B 3

a sLmlmand of

B. , i ~ j } ] provided that in the first team no free variable in bound by

g.

~ (k # i)

is

83

Proof.

We first show, by induction on

m, that

BII...IB m ~ ~{g.(BII...IB~I...IB m) ; g.B 1 sunl~

+

of

a

B. , l-
(BII-..

IB I.-.fBm) ;

e~.B: a sunmand of B. , ~E.B'. a l i 3 s ~ a a n d of B. , i,j~{l, ....m}, i ; j } ] under the proviso of the Theorem.

Note first that for

m = 1

the

second temn is vacuous and the result follows simply by reflexivity of

~.

Now ass~ne the property for

m - 1 , with right-hand side

C.

Then we have (by congruence)

Bil---IBm_liB m ~ ClBm and we may a p p l y C

and

B

m

Cam =

is a s~

Can ~ ( s t a t e d as ( i i )

present theorem.

, g e n e r a l i s e d as i n Theorem 5 . 7 , s i n c e each o f

o f g u a r d s - and m o r e o v e r t h e s i d e - c o n d i t i o n i n Theorem 5 . 7 ) f o l l o w s

The property for

slightly tedious, manipulations;

m

for

frcm the proviso of the

then follows by routine, though

of course we rely strongly on

Finally, the theorem follc~s easily by repeated use of

Ccm~ (2).

Res -(3)

and

Sun -(3).

Exercise 5.5

Ccmplete the details of the inductive step in the proof,

and see exactly where the proviso of the theorem is necessary.

In sim~nazy : we nc~ have a powerful set of laws for transfoz~ting programs and behaviour expressions while preserving their derivation pattern. (These laws are enough to prove the Expansion Theorem, Theorem 5.8, for example. ) We have prepared the way for introducing CTs, an algebra which satisfies these laws and so may be regarded as a model of OCS which is faithful to its derivation patterns. But we should mention that o~ervation equivalence (~) (generalised from §3°3 to admit value-passing)

is a wider relation that our ~ , and

satisfies still more equational laws.

CHAPTER 6

C~,~lunication Trees (CTs) as a model of CCS %

6.1

CTS and the D~namic Operations Let us review the definition of STs.

An

ST

of sort

LeA

is

a rooted, finitely branching, unordered tree whose arcs are labelled by members of

Lu{T} .

Another way of saying this is that an ST of sort collection (multiset) of pairs of form t

is again an

ST

of sort

<~,t>

L

(~eLu{~})

is a finite where each

L.

(We allow this definition to include the possiblity of infinite paths in an ST, though to state this fozmally requires same mathematical so!~qistication which we do not want to be bothered with - the idea of infinite paths is clear enough.) Here is a typical ST:

Now in the language of Chapter 5, positive labels are allowed to bind variables, and negative ones are allowed to qualify values (or value expressions).

Thus, what 'happens next' after passing a positive

label (= input guard) depends upon the value input;

less crit~cally, a

value is output while passing a negative label (= output guard). that

{v0,vl,...}

are the values of type appropriate to

value of type appropriate to

~,

then a typical

CT

~,

and

Supposing v

is a

will look like this:

v

2, This chapter is not essential to the technical development, and can be cmitted. Its p ~ e is to assist understanding by giving the natural generalisatian of STs to admit value-passing.

85

indicating (i)

that on passing guard

~,

the input

vi

selects

ti

to 'happen next'° (ii) that We expect this

CT

v

is output on passing

8.

to be the interpretation of a behaviour progr~n

ax.B + ~V.B' + T.B" where

(i)

the programs

B{vi/x ) stand for

(ii) the programs Notice that the variable

B'

x

and

B"

CTs

stand for

appears nowhere in the

in the program is to show how

B

ti ; t' CT;

and

t".

its purpose

depends upon the value input, and this

dependenoe is explicit in the CT;

each

ti

depends, literally, from

the value v.. (Of course, v~ can never draw a whole CT, 1 even to finite depth - because of infinite value dcmains).

in general -

More fozmally, then: Definition

ACT

L

of sort

is a finite collection (multiset) of pairs,

each of fo~xn <~,f> (~£L), where

f

is a family of

CTs

of sort

L

indexed

by the value set appropriate to or

<~,> (SeL), where

or



is a where

Let us denote by values appropriate for

CT

t

is a

C~ L

the

s.

NIL (nullary operation) is the

is a value ap[mopriate to

of sort CT

of

CT

NIL E CT~ .

+ (binar~ operation)

is the CT

~

and

L sort

CTs of sort

We have, as with

follows:

NIL

v

L. L,

and by

~

the set of

STs, an algebra of

CTs as

t

86

(a

'~f-ary" operation)

v0

vI

v2

takes a set o f ~ f:_ V~ + CTL,

of

v0

CT L

indexed by

and gives a member of

~ (v~ ÷ cTL) ~%is is why we called

÷

~

vI

V , which is just a function

CTLu{e } ;

so

CTLu{~}. a

V -ary operation.

(a family of unary operaticns) ~v

For each

,

v,

for each

veV ,

~v e CTL + CTLu{~};

is the Cf

~ e Ve ÷ (CTL ÷ CTLu{~}).

2

T (unary operation)

T ~ C T L ÷ C T L. Clearly there is a very close relaticn between CCS programs (involving only the dynamic operations) and expressions for CTs in this algebra. ~his is no accident' Corresponding to programs NIL, NIL, ~vt, CT

~f;

express

~t,

t + t'.

~(v

T.B,

B + B'

Corresponding to the program

if we wrote the C~ family ~f

~v.B,

f

as

v ~+ t(v)

we have

~x.B

CTs

we have a

then we would

as ~ t(v))

Of oourse there are many CTs whiQh we cannot write down as expressions, because arbitrary finitely.

V - i n d e x e d families of CTs cannot be written down

87

But we can, using these notations, begin to define the interpretation of CCS in the algebra of CTs. for as

~B ].

We shall write the CT which B stands

Then we have

Definition = NIL

~N~L~

~X.B

~

= ~ (V ~{I~V/X}~)

~jv.B ~ = j~B~ [~ .B~

= T~B~

[B + B'~ = [B] + [B']

6.2

CTs and the static operations We now show that the static operations

] , \~, [ S] can be defined

recursively over CTs.

Recall that a CT is, fom~ally, a multiset of

elements like

<6,>

<~,f>,

elements branches of the CT. infoxm~%l definition of

or <x,t> ; we shall call such

We shall oontent ourselves with a rather

I , \~, [S]

using pictures of branches, rather

than defining them formally in temas of multisets.

,I.......

(binary operation) I~CTL x C~fM÷ CTLu M

Let

tcCTL, ueCT M.

Then

tlu

has the following brandles:

vI

v0 (i)

For each branch

vo

vI

Tc~

"

of t, a branch

T~

(ii) For each branch ~ /

(iii) For eachbranch ~ T

of t, a branch -

X

of t, a branch

i

88 and similarly for the branches of u. (iv) For each pair of branches

[

of t, and

of u,

a branch

and similarly for brandles (~nus an output branch of input branch.

<~,> u

of

t

and

selects a nm~ber of

You should c c ~ r e

<~,vi~+ ui> t's

u.

of

cempla~ntary

this definition with crmpcsition of

STs in §2.3.) \a

(unar~operation) \~CT L

÷ c~{~,~}

We could give the recursive definition, but it's enough to say that is gained by pruning away all

e-

and

t\a

~-branches occurring anywhere

int.

[S ]

(unary operatic) [S]ECTL + % ,

where

Again it's enough to say that

S:L ÷ M

is a relabelling.

t[S] is gained by replacing

k

by

Sl

everywhere in t (IEL). If_Exercise 6.1 Give the recursive defintions of ii H style as we defined I°

\s,

IS]

in the same

Now of course, we can continue our definition of the interpretation of behaviour programs, as follows: Definition

EBIB'~ = EB]I~B'~ ~BES]] = EB][S] Ei_~ftrue then

B

else

B'] = [B~

[i_~ffalse then B

else

B'~ = [B'~

89

Since our definitions of

~

for programs look very trivial, as they

should, we must remind ourselves of the purpose.

We are aiming to show

that when we are working with strong equivalence of programs (the congruence relation

~

defined in §5.7), and using its properties as

listed in theorems 5.3, 5.5 (but cmitting S%~n =(4), the absorption law), then we are justified in thinkin~ of the pro~rars as the CTs that they denote;

CTs are meant principally to be a helpful mental picture, or

visual aid. The rest of this chapter gives the appropriate justification.

But

first we must deal with recursively defined CTs. 6°3

CTs defined by recursion Ass~ne as in §5.4 that our behaviour identifies

b

are defined by

clauses b (xi,... ,xn (b)) ~ one for each

b.

~'

Here it will be convenient to suppose that

b0, bl,...

are the set of identifiers, witha~ities no, nl,... , and write

B i for

, so that the clauses are i bi(xi,--.,Xni) ~

Bi .

New we intend to shc~ that these clauses define, for each = v I, ... ,Vn of values appropriate for 1 interpretation of

b i,

i and vector

a unique CT as the

bi

~hat are these CTs to be?

We will call them

them, we also knew the meaning of

Bi{v/~}

is so because, by our definitions

[]

An ~ l e

will make this clear.

b(x) ~ =

i_ff x = 0

and call the right-hand side ~B{0/x}~ = ~0oNIL~ = while for any

then

for each

so far, eadl

rewritten as a CT expression in terms of u.

~b i(9) ]. i

~hen we know and

~Bi{v/x}~

~bj (u)~ for various

v;

this can be j

and

Consider the defining clause ~x.NIL

else

~y.b(y)

B o Then T0 (NIL)

(a CT expression)

v ~ 0

~B{v/x}] = ~y.b(y)~ = ~(u ~b(y){u/y}~)

= e(u ~ b ( u ) ~ )

,

90

Now we wish our

CTs

b. (v), for each

i

and

V,

to be solutions

l

of the equations over CTs ~bi(v) ~ = [Bi{~/x}~ (there are very many such equations, one for each pair Luckily,

i, 5. )

we can prove the following:

Pro~x)sition 6.1 (see §5.4)

If the hehaviour identifiers b i are guardedly well-defined

then the equations

~bi(v) ~ = ~Bi{~/~}] define a unique CT ~b. (~) ~ for eadl pair (i,v). 1

~f

Omitted.

We can see why this is so, for our exar~ple above, as follows. Clearly ~b(0)~ = 80(NIL) =

[ ~

is uniquely defined.

0 For any

v ~ 0 we have [b(v)] = ~(u ~ [ b ( u ) ] )

=

[~

|

A

2

........

SO that by using the two equations repeatedly the CT v

~b(v) ]

for any

can be developed unambiguously to any desired depth. On the other hand, consider again the forbidden example in §5.4 b(x) ~

For any

~x.NIL + b(x+l).

v (a non-negative integer) we would have ~b(v) I = ~v(NIL) • ~b(v+l)

91

and if we develop this, we obtain the infinitely branching (forbidden') CT for b(0) :

~b(0)~

Moreover, even if we allowed infinite branching in Cgs this would not be a unique soluticn.

Exercise 6.2

Find another solution.

(Hint:

consider, if you know

the theory of regular expressions, why the equation for given sets of strings soluticn for

R

S

and

R = SR + T -

T - does not have a unique

as a set of strings unless

c~S,

where

e

is the

null string. ) TO stun up;

we crxsplete our interpretation of behaviour programs

as CTs by defining unambiguously for each

Definition

Remark

~(~) ~

=

b

~{~/X}~

There is a more general interpretation than CTs whidn makes sense

of unguarded recursions, but we decided not to use it here.

6.4

Atcmic acticns and derivaticns of CTs If we wish to think of behaviour programs as the CTs which they

stand for, then - for one ~ g action relations

~v

over CTs

- we must be able to understand the in such a way that they hazmonize

with the correslx)nding relations over programs. We therefore start with an independent defintion of the relations ~v

over CTs.

(We c~tld use a different symbol frc~ --~ for these

relations, but it will in fact always be clear whether we are talking about atcmic actions of CTs or of prograns. )

g2 Definition

Let

t

be a CT, i.e. a multiset of pairs (as defined in

§6.1). Then

t

has the atcmic actions

(i)

t

~v) f(v)

type (ii)

t ~ v t'

(iii) t

for e a c h ~ r

appropriate for

T ~ t'

...pv .. ~

IIF xercise 6.3

I

of

t

for ead~ member

<~,>

of

for each member



t.

~ i s states, for every relation



and each

~

of

of

t;

t, exactly which pairs

for every

v

u;

and

are in the

v.

List the atomic actions of the typical CT diagrammed in

§6.1.

IF~ercise 6.4 or

Prove that

tI + t2

~ v t'

iff either

t 1 ~v> t'

t2 ~ v t'. Exercise 6.4

action relations the rules Sum+

gives a hint of the h ~ y ~v

we expect between the

over CTs and over prograns.

For if we recall

of §5.3, we can rephrase them as follows:

B I + B 2 ~v > B'

iff

either

B1 ~V~B,

or

B2 ~ > B '

(the 'iff' being justified by the fact that S~n+ is the only rule by which actions of

Bi + B2

Similarly, the CT

can be inferred).

~f, which is the multiset whose only member is

<~,f>, has only the actions ef

ev> f(v) , for each

v,

which we can cc~pare with the fact, frcm Act+ (1) in §5.3, that the program

ax.B

has only the actions

~x.B ~v> B{v/x}, for each Exercise 6.5 the CT

v.

Using the definition of

I over CTs in §6.2, show that

tllt 2 has exactly the actions

(i)

t. It^ -~v t' It^ when _fLY_ , (ii) tllt 2 tllt 2 when (iii) tllt 2 T t~it ~ when

Cc~pare Corn+ in §5.3.

t~ ~v t' ; ~ , t 2 ' t2; tl lv t~

~v and

t2

!

t2.

93

Surely then the atomic actions of related.

B

and its CT

[B ~ are closely

We state the relation in a theorem:

Theorem 6.2 (i)

If

B

(2)

If

[B~

Proof

WV>B,

then

Wv>t,,

~

Uv> ~,~;

then for same

B', B

Mainly by induction on the structure of

is needed when

B = b(9),

~v>B,

B;

and

[B'~ = t I.

but particular care

and the asstmlotion that the b's are guardedly

well defined is important. In other words, the atcmic actions of where

B

~v >B'

is an atomic action of

[B~ B;

are exactly

~B~

Wv > [B'

this means that in con-

sidering atrm~c acticns, it makes no difference whether we think of programs or of the CTs that they stand for. The next step is to show that this holds too in considering strong equivalence.

6.5

Strong equivalence of CTs We proceed in the sane style;

that is, we define strong equivalence

(~) over CTs independently, and then show how it hanmonises with strong equivalence of programs. ~

Our definition is entirely analogous to that of

for programs (§5.8) ; we use a decreasing sequence

~0' ~I '"" "'~ k'""

of equivalences:

Definition t~k+lU

t~0u

is always true;

iff for all

u,v

(i)

if

t

~v. t'

then for same

u',

u ~v ~ u' and

t' ~k u';

(ii)

if

u

Bv

then for some

t',

t Bv

t' ~k u'.

t~u

iff V k >0.t~ku.

u'

t' and

Although we don't need it at present, we may as well state the a n a ! ~ of Theorem 5.4.

Theorem 6.3 precisely,

~

is a congruence relaticn in the algebra of C~s.

t l ~ t 2 inlolies

More

94

tI + u ~ t 2 + u , u + t i ~ u + t

2

~v
fl (v) ~ f2 (v)

(for all v)

i~plies

~fl ~ ~f2"

Analogous to Theorem 5.4, and cmitted.

What we do need, to ccmlolete our justification of thinking of programs as CTs, is the following: Theorem 6.4 Proof

BI~B 2

[BI~~ [B2].

We tin/stprove separately, by induction on

(i) BI~kB 2 (2)

iff

implies

[B1] ~ k~B2]

k,

that

~BI~~k[B2];

inlolies B 1 ~ kB2 -

We do only (i), leaving (2) as an ez~ercise. The case k=0 _z_rcise 6.6

9~y?

Now asst~me (i) at k, Suppose

~BI]

is trivial.

and assl~ne BI~k+IB2, and prove

!

~ v tl"

BI--Z~B'I

[BI~ ~k+l[B2~.

Then by Theorem 6.2(2)

for some BI,' with

~B~ = t'l '

So by ass~mlotion

B2 ~ v ~

for ~

B~, with Blip2,

and by Theorem 6.2 (!) ~B2~ ~Y-~ B'2~, with

t I = ~B'~~~.[B'~I ~ z by inductive hypothesis.

This verifies the first clause in ~k+l's

definition;

the second clause

follows by symmetry, so the inductive step for (i) is ec~iolete. Exercise 6.7

Prove (2) by inducticm on

parts of Theorem 6.2;

k.

You will again need both

if you think you need only one part, then your

proof is lJ_kely to be wrong.

95

6.6

Equality in the CT model Can wehave

B I ~ B 2 but [BI~ 9 [B2~?

That is, if two progr~ns are

strcngly equivalent, are their CDs perhaps always the same? No, because for example T.NIL + T.NIL ~ ~.NIL; but the two ~

are

T

and T

respectively.

But then perhaps the only difference between the CTs ~BI~ and when B I ~ B 2, is due to the fact that

t + t = t

[B2~,

is false for CTs, because

we allow the presence of identical branches. In fact, we first thought that if we adjusted our definition of CTs to be in terms of sets rather than multisets, then all our results so far ~Duld hold, and also we would have BI~B 2

iff

~BI~ = [B2~

(?)

However, Brian Mayoh showed this to be false, with the following simple counter-example.

Suppose

x

is a Boolean variable, and consider the two

programs B 1 = e.x.C1 + ~x.C2 B 2 = ~x (i_ff x where

C1

and

C2

four actions for

do not ccntain

[B~

B2

x.

are different

C1)

ve{true,false} and ie{1,2} So

B 1 ~ B 2.

But

[BI~ and

CTs:

true ~

false

true ~

AAAAA ~BI~ ~ ~B2~

else

Clearly we have only the following

has exactly the same four actions.

in which

then C 2

B :

BI~-~Y~Vci , and

then C 1 el__~ C2)+ ax. (if x

ti = [Ci~, it{l,2}.

false

AA So in general

[BI~ # [B2~ , though of course

by Theorem 6.4.

We dnose to define CTs as multisets rather than sets of branches, because it seemed that multisets are a more eoncrete intuitive model;

96

after all, to check whether two branches are identical requires an infinite a~ount of work'

But it is very much a matter of taste.

Even in the present model, many equalities hold. ourselves to drop the semantic brackets

In fact, if we allow

[ ~ , and take a behaviour program

to denote a CT without this extra formality, then we state the following:

Theorem 6.5

All the oongruences of Theorems 5.3, 5.5 are identities in

the CT model, except Sty---(4) (absorption).

Proof

Omitted.

It is a matter of proving that the two CTs in question -

for exauple (BIIB 2) \~ and

(Bl\a) ~(B2\a)

(Res~ (3) in Theorem 5.5) -

are identical to depth

for arbitrary

k

k,

(using induction on

k).

In fact, the identities of Theorem 5.3 can be proved without any induction.

Exercise 6.8

Also prove

Ccm ~ (1) of Theorem 5.5 - B 1 IB2 = B21B 1

- by induction on depth.

That is, asst~me that

are identical to depth

for all in 1-1 depth

6.7

Prove some of the identities of Theorem 5.3.

C 1,C2,

CIlC 2

and

C21C 1

then show that the branches of

correspondence, with o o ~ d i n g

B lIB2, B 21B 1

k are

branches identical to

k+l.

S~r~%ry In this chapter we have

(i)

Constructed CTs as an intuitive model of CCS;

(ii) Shown that, in ccnsidering atc~ic actions and strcng equivalence of programs, we are justified in ccnsidering these notions as they apply to the denoted CTs; (iii) Shown that many useful program equivalence laws are actually identities for CTs. We have not studied the wider relation of observation-equivalence over programs.

But it turns out that, for any equivalence relation whirl% is

defined in terms of

~v

and/or

equivalence relation over CTs.

~, we can think of this also as as

g7

Exercise 6.9

After reading ~7.1 and §7.2 on observation equivalence

(~), define the analogous relation

z over CTs.

Then investigate

whether the analogue of Tneorem 6.4 B I = B 2 iff [BI ~ B 2 is true, as suggested in §5. !. One further point should be mentioned.

The syntax of CCS is such

that only a small subclass of CTs are expressible as prograns. cular, a CT of fozm for which the fanily

B, f

{<~,f>}

ocnsidered as a function of its free variables schematically.

that

f = {~[

{<~,f>}

; ioN},

~,

~.B expresses

Now there are effectively indexed CT-families

f which cannot be represented by CCS expressions; the family

In parti-

can cnly be expressed by a program

and let

s

ccnsider for example

bind an integer variable, so

is the-eCT 0

i

I

2

whose (infinite) sort is {a,~0,yi,y2,...}.

To express it in CCS we may

wish to allow labels to be parametically dependent upon values, and write ~X.~x.NIL.

In more (xmplex cases

~x

could also qualify a value expressicnt

or be replaced by a positive parametric label binding a variable. extensions of CCS may be of real practical value.

Such

If we wish to ccnsider

them, then the theory of CTs increases in importance since it does not co,nit us to any particular expressible subclass of CTs.

CHAPTER

7

•

Observation equiv~ence and its properties

7.1

Review In Chapter 6 we studied CTs as a model of CCS;

this should have

given insight into the laws of strcng ccngruence ( ~ )

stated in Theorems

5.3 and 5.5, since CTs satisfy all these laws except the absorption law B + B - B, interpreted as identities.

In spite of this slight discrepancy,

it is still useful to think of programs 'as' CTs. In §3.3 we defined a notion of Observation Equivalenoe (=) for STS; in our Data Flow example (§4.3) we anticipated using it in full CCS but gave no definition.

We saw that its purpose was to allow unobservable

actions (~) to be absorbed into experiments. Recall also the derivations of §4.4. m B Tm--~B' (m>-0) by B - ~ B ' m n B ~" ~v.T >B' (re,n_>0) by B

We abbreviated

~v >B'

More generally, we now abbreviate

~ . ~iv:Tm~ ....~kVk. ~ B

by

B

(k-> 0, m 0 .....ink> 0)

~B'

~IVl ..... ~ k V k B '

which includes the above cases (they correspond to k = 0, k = i).

It also

includes the possibility

means

B

Tm

>B'

for some

m>0,

~i =

T, so that for example

while

m >-0 ; but usually we shall have For each

s =

e~ >B'

means

B -S->B'

define Observaticn Equivalence

B

m

T ~B'

for sane

u ic A.

XIv I ..... IkVk ~(A × V)*, ~

relation, and each instance

7.2

B

B ~B'

=

is the s-experiment

is called a s-experimemt.

We now

in tezms of s-experiments.

Qbservatic n equivalence in CCS Analogous to §3.3, =

of equivalences:

is defined for programs by a decreasing sequence

99

Definition

B z0C

is always true;

B Dk+l C iff for all

s%(A x V)*

(i) if

B

s .~B' then for same

(ii) if

C

s-~C'

B=C

iff

k/k >0.

C',

C

S ;C' andB' ~k C';

then for scrae B',

B

s ~B' and B' ~k C';

B ~k C.

Remarks (i)

There is a

question

as to whether we need to consider all s-experiments

in this definition, or if it is enough to coD~ider only those of length 1 - i.e. we might replace

se(A x V)* by

sea

× V

in the definition.

The relation ~ thus obtained is different, but it turns out that the congruence (§7.3) which it induces is the same (assuming only that CCS includes an equality predicate over values), t/qough we shall not prove it here~

Our present definition, using

(AxV)* , has sc~aewhat

nicer properties. (2)

Our definition has a

property

which must be pointed out.

It all(x~s

the program (CTs)

T

and

=

to be equivalent'

~iExercise i " ~ ~7.1

Prove

T~

(T~

~.~

NIL = •

can be defined by

to

T~ Tm >Tm

T.b.)

NIL by induction on k.

Notice that the 0nly experiment on I i

b~

for any m)

R

T~

is

~%-~ ;'T~

(corresponding

and NIL's only experiraent is

Thus, whenever we have proved

NIL

e > NIL.

B~C (e.g. B may be a program and C

its specification) we cannot deduce that B has no infinite unsee~ action, even if C has none.

In one sense we can argue for our def-

inition, since infinite unseen action is - by Our rules - unobservable'

But the problem is deeper;

it is related to so-called

fairness, which we discuss briefly in §11.3.

In any case, there is

a more refined notion of ~ which respects the presence of infinite unseen action, with properties close to those we mention for the present one.

I00

(3)

Disregarding the question of which equivalence is correct, if indeed there is a single 'correct' one, the finer equivalence (under a slight further refin~Inent)has interesting properties. Plotkin

[HP 2]

Hennessy and

have recently found that it can be axic~atized, in

a sense which we cannot explain here.

Much more needs to be known

before we can say which equivalence yields better proof methods; at least we can say that, if an equivalence can be proved und~_r the refined definition, then it holds also under ours. We now turn to the properties of

z.

There are many, but three are

enough to give a feeling for it, and to allow you to read the first case study in Chapter 8, if you wish, before proceeding to §7.3. The main thing which distinguishes

Proposition 7.1 Proof (i)

Let

k

B ~kr.B and

by induction on

prove for

B s--~-B'.

~k

from

~

is the following:

B ~T •B

We show

asst~ne for

z

Then also

k.

k=0

is trivial, so we

k+1: s. - B' , a n d w e know

~.B

B'~kB'

(each

is an equivalence relation:)

(ii) Let

T.B ~ C ' .

either (a)

s=e,

Then and

C'

induction or

(b)

~.B ~ B

is

~.B;

but then also

i.e.

B

B

B, and by

B ~kT.B s

C',

S;c,

also, and again

C' ~k c' This completes the inductive step, yielding

B=k+IT.B.

This proposition should make you immediately suspicious of because we can show that it cannot be a ccngruence. B~C

does not imply

B + D ~ C + D;

e.g. take

B

as

thenB~C

byProp. 7.1, but

as

NIL,

C

T.NIL, B +D

D

as

=,

In particular

e.NIL-

~2 C + D .

IExerci______se 7__.2 Show that NIL + ~.NIL ~2T.NIL + ~.NIL, by observing that

I

RHS

E> NIL, but the only e-experiment on IHS yields a result which

is

~I NIL

101

Even so, Theorem 7.3 b e l ~ tells us that gruence for many purposes. Theorem 7.2 Proof

B~C

it is trivial; at k+l. (i)

~ .

B ~ C.

B~C

implies

ass~ne it at

Assume

is near exKx~h a ccn-

First we need to see its relation with

implies

We show that

~

k

B~kC

(for all

by induction on B

and

C),

k.

At k=0

and prove it

B~C:

let

B ~Bn,

say

the

~ivi may be

B T,

~I~I>B ........

÷

BnVn Bn,

..,

where sane of

while the re~rainder ccnstitute

Theor~n 5.6 used repeatedly, there exist

Ci, ..., %

s.

Then by

with

ivl ~nVn C ~ C 1 ÷ ... ~ C n , i.e. n with B. ~C. for all i<-n. i 1 In particular Bn~Cn, so by induction Bn~ kCn , and we have found the desired (ii) Let

%.

C ~Cn;

then similarly we find Bn

with

B ~B

n=kCn .

The importance of this theorem is that all laws of Theorems 5.3, 5.5 hold also for

=.

Theorem 7.3

Observation equivalence is a congruence for all behaviour

operations except (I)

B~kC

+.

ir~plies

~bre precisely: I~v.B~k~.C,

T.B~kT.C ,

i

I BID~kCI D , t B\a = kC\a, and

B{v/x}~kC{V/X}

(2)

Hence the same holds with the indices

Proof

for all

v

B[S] ~ kC[S] implies

~x.B~k~X.C. k

removed.

Let us just take the n~st interesting case:

B~kC

implies

BID~kCID ,

which we prove by induction cn

k.

(This property is not true for the

different observation equivalence suggested in Remark (i) ~ e . ) at

k,

for all

B, C, D,

and ass~ne

B=k+IC:

Assume

102

i)

Let

BID

for scr~ form

S>E;

then

q,r

must be

B'ID' , with

B

(ccntaining ccr~lementary ~ s

B ' ~ k C'

But then

Then for same

C'

by assumption.

C JD S;. C' 1D', and by the induce_ive hypothesis

B'JD'~kC'ID' , i.e. CID

q;-B', D ~ D '

which 'rcerge' to

s .> in a way which we need not detail)

C :q'-c' and

(ii) Let

E

E~kC'ID'.

s~ .....E, then similarly we find

BID ~ B ' I D ' ~ k

B'ID'

such that

E.

The e s s e n o e o f P r q 0 o s i t i c n 7 . 1 and Theorems 7 . 2 , 7 . 3 i s t h a t we can use a l l o u r laws, and c a n c e l

T's

too, in proving observation

e q u i v a l e n c e - p r o v i d e d o n l y t h a t we i n f e r n o t h i n g a b o u t t h e r e s u l t o f

substituting

C

for

B

under

+,

when we only know

B~C.

The next section tells us what such inferences can be made. Exercise 7.2 on k.

Prove that

B~kC

implies

Why is induction neaessary? As we did for

Definition B=C

Let

~, we extend

x

if, for all

av.B~k~V.C

(Consider ~

by induction

~-experiments).

to expressions by:

be the free variables in

B

or

C

or both.

Then

v

Then we have

Theorem 7.4

Proposition 7.1 and Theorems 7.2, 7.3 hold also for expres-

sions. Proof

Routine.

Frgn now on, we deal with expressions.

103

7.3

Observation Congruence We must nc~ face the fact that

7.2).

~

is not a ccngruence (see Exercise

But we would like a congruence relation, because we would like to

know that if replace

B

B

by

and C

C

are equivalent, then in whatever context we

the result of the replacement will be equivalent to

the original - which is cnly trae for an equivalence relation which is a congruence.

We have one congruence - strcng congruence (~) - but it is

too strong;

for exarp!e

~.~.NIL ~ ~.NIL.

Can we find a ccngruence relation which is weaker than

~ (so that

all our laws, Theorems 5.3 and 5.5 will hold for it), and has sane of the properties of

% (so that for example ~.T.NIL and

~.NIL will be congruent)i

Let us draw the order relation (part of the lattice of equivalence relations) among our existing equivalence relations with stronger relations to the leftj and square boxes representing ccngruences: Equivalences over behaviour programs:

Identity _~ ~ .Relation

~

We want to fill in "?".

~

~

Universal 1 Relation

It must be strcnger than

ccngruent prograns to be observation equivalent.

~

because we do want

We get what we want by

the following: I Definition context

B ~

c

C

(Obse#vation congruence) iff

for every expression

C[ ], C[B]~C[C].

Theorem 7.5 (i) (2)

c If

is a congruence relation; @ is a ccngruence and

BSC

implies

B~C,

then

BSC

implies

BC~c. Proof

Omitted;

it is ccmpletely standard, and has no~dling to do with

particular properties of the equivalence

Z-

[~

104

c

Our Theorem says that (smaller than)

~.

Cor011ary 7.6

B~

Proof

C

is the weakest congruence stronger than

implies

B

c

C

implies

B=C

°

Immediate. It is cne thing to define a congruence, another to know its properties. c = to =; in the next

We first find out more about the relation of c secticn we find sc~e laws satisfied by ~ .

We saw earlier that sign ccntexts were critical for B~C

does not imply B + D ~C + D. + = :

~, because

~lis leads us to explore a new equi-

valence relation Definition

B~+C

iff

YD.

B + D~C

+ D

(equivalence in all sun contexts.) Now the critical result is the following: Theorem 7.7 Proof

~+

See

§7.6.

definition of

is a congruence. This proof is not standard, but depends strongly on the

~;

it is not true for the alternative in Remark (i) of §7.2,

and that is why we chose our definition.

Theorem 7.3 is critical.

Frcm this we get, fortunately: Theorem 7.8

~

c

and

~

+

are the sane congruence.

Proof + (i)

B =+ C

implies

stronger than (ii) B

c

B ~ c C by Theorems 7.5(2) and 7.7, since ~

= (take

C

implies

D

is

to be NIL in the definition).

B ~+ C, since

[ ]+ D

is just a special kind of

context. Now we know that we preserve texts.

What do we do if we have

B + D and C + D? C

B

by substitution exoept in '+' conand wish to know s c m e t h i ~ about

Luckily, for an important class of expressions

we can infer from

Definition

~ B~ C

B=C

that B ~c C, and then infer that

is stable iff

B-~B'

B

and

B + D ~c C + D.

is impossible for any B'.

Thus a stable behaviour is one which cannot 'move' unless you observe it. Stability is ir~portant in practice;

one reason why our scheduler in

Chapter 3 works, for exanple, is that it will always reach a stable state if it is deprived of external c~,tlunication for long enough. the notion of "rigid" in Chapter I~

Cc~pare

we may define a rigi d program to be

one whose derivatives, including itself, are all stable.

105

There are two main propositions about stability;

first we prove a

lesma in a slightly more general form than we need for the propositions but the general fozm helps in the proof of Theorem 7.7 (skip the lemma if you are only interested in main results, not proofs). Lenm~ 7.9

If

B z+C and

that

C ~ ;'C' and

Proof

S~ppose

B-~B',

then for each

C'

does not exist;

we find

centrary to assir~ption. Take

D

sort of

B~B',

C+D

B

~E

B'

or

C.

Now sinoe

then either (i)

E

(ii) C ~ E ,

~k B'

; or

impossible since Hence

D

to be

D

there is a

such that

1 ° .NIL, where we have

is C + D,

C'

such

~'

B + D ~ C + D,

Io

is not in the

B+D~B'.

But if

since C +DI~;NIL, but

by supposition;

or

(iii)

D ~TE

-

is stable.

B+D ~ C+D, contradicting

Proposition 7.10 Proof

k

B' ~k C'.

If

B ~Cc

B =+C.

then either both are stable or neither is.

Direct frcm Lemma 7.9 (B ~ ~k C' not needed). More important, for proof methods, is the following:

Proposition 7.11 Proof

If

B

and

C

are stable, and

It is enough to show that

induction on

k.

B + D =k C + D

B=C,

then

B ~Cc.

for arbitrary

D, by

We do the inductive step.

Let B+D ~ E : (i)

If

s=e

then either

by induction, or

E

is

D ~ ET,,

B + D, and then C + D and then

C + D

e;~E

e;-C + D , ~ k B + D also

(B .... ~ ;-E impossible

by stability). (ii) Otherwise either whence

C

D

s

S;-F=kE

s ~E, and then C + D ----~E also, or

(because

B ~ C ) , whence a l s o C + D

Thus we have found in each case an F s.t.C ÷ D ~ argr~ent is similar, Now for any guard that g.B=g.C

so

B ~E, S>F~kE.

F ~ k E.

The converse

B=C

(for any B,C)

B + D ~ k + I C + D.

g ~ T , we can deduce frmm

(Theorem 7.3) ,

and hence g.B z % . C

since both are stable.

implication holds in fact for any guard, by the following Proposition (which is essential in the proofs of Chapter 8): Proposition 7.12 B~C

i~plies

For any guard g.B~%.C.

g,

t06

Proof

By the above re,harks we need only consider

T.B + D ~ k T . C + D Let (i)

If

for arbitra/ny D, by induction an k.

T~.B + D s=e

S;E.

then either

T.C + D

B c

We prove

Inductive step:

Then E

by induction, or D ~ E , and then

g = T.

is

~.B + D, and then T.C + D ~

and then T.C + D ~ E

e>E, whence C ~ F ~ k

E (since

e

T.C + D ~

also, or

T.B T.~E,

B~C), whence also

; F~kE.

(ii) Otherwise either

s D ........~E, ..... and then C + D ~ E :

~ence C S~-F~kE (since B ~ C ) , whence also As in Prop. 7.11, this ca~pletes the proof. By now these inductive proofs of hypothesis only when

=k'

also, or T.C + D

B ~E, S>F=kE.

appealing to the inductive

e-experiments are ccnsidered, are befxmaing familiar;

we shall leave them as exercises in future.

7.4

Laws of Observation C o n ~ We are going to prove three laws, for which we have strong evidence

that they say all that needs to be said about the strange invisible c ~ ; this suggests that the apparently never-ending strean of laws

under

is drawing to a close'

The evidence is that these new laws, together

with those of Theorem 5.3, have been shown to be ccrmplete for CCS without recursion and value-passing. (in this

restricted language)

This means that any true statement can be proved frcm the laws;

B ~Cc

in fact the

laws of Theorem 5.3 are quite a lot simpler without value-passing, and those of Theorem 5.5 are unnecessary without recursion. One would expect to have to add sane induction principle in the presence of recursicn;

what needs to be added for value-passing is

less obvious (but in several more-or-less natural examples, including those in Chapter 8, we have not needed more than we have already). Theorem 7.13

(2)

( T laws) c g.T.B = g.B c B + T.B ~ T.B

(3)

C g.(B + T.C)+ g.C ~ g.(B + z.C)

(i)

Proof

(i)

follows directly frcm Prop. 7.1 (T.B~ B) and Prop 7.12.

For (2), we must prove for arbitrary D,k B + T . B + D = k T.B + D and this follows the pattern of Props. 7.11, 7.12.

107

For (3) similarly, we need g. (B + T.C)+ g.C + D ~ g . (B + T.C)+ D which follows the same pattern, but needs the extra easy fact that for s s ~ , if g.C - > E then also g.(B + T.C) ~ E . ~ercise

7.3

Ccr~plete the proofs of (2) and (3)

e

A more useful form of (2) is the following: Corollary 7.14

E + T.(B + C) c T.(B + C) .

Proof Exercise 7.4

Prove this, by first applying (2) to

need another law of

~. (B+C);

you will

+.

One may justify the laws intuitively by thinking of any behaviour B

as a collection of action capabilitie s (the branches of its C2),

including perhaps sane T-actions (the T-branches) which are capable of rejecting the other capabilities. Law (i) may then be explained by saying that, under the guard the T-action of no effect.

T.B

g,

rejects n_~oother capabilities and therefore has

For Law (2), the capabilities represented by

present after the T-action of

T.B

B

are again

in the context B + T.B, SO

T.B

itself has all the power of B + T .B. For Law (3), an

observation of

the left side may reject

in

B

by passing the guard

g

g.C,

but

this rejection is already represented in g. (B + ~.C). But such wordy justifications badly need support;

observation equivalence is what

gives them support here. Laws (2) and (3) are absorption laws;

they yield many other absorp-

tions. Exercise 7.5 (i) (ii) (iii)

Prove, directly from the laws, that

~.(B I + ~.(B 2 + ~.B3) ) + B3 c ~ . ( B 1 + x.(B 2 + T.B 3)) ~.(B 1 + T.(B 2 + B 3)) + ~ c T . ( B ~

+ T.(B

+ B 3))

To(B 1 + e.(B 2 + T.B 3)) + ~.B3 ~ T . ( B I +2 .(B2 + T.B 3))

and eonsider how they generalise. On the other hand, disprove 6.(B + C ) + ~.C c 6 . ( B + T.C) by finding 7.5

B,C

which make

them not

~.

Proof Techniques In conducting proofs, we may take the liberty of using "=" in place

of "~" or

,,c,,, adopting the familiar traditicn that "=" means equality

108

this helps us to highlight our uses of

in the intemded interpretation; ,

With t~mls

for which care is needed because it is not a congruence.

convention, let us stmlnarise the ir~portant properties. (i)

The laws of ~ (Chapter 5); B ~T.B

(ii)

(Proposition 7.1) ;

B = C

(iii)

implies

B~ C

(Corollary 7.6) ;

is preserved by all operations except +

(iv)

(v)

B~ C

implies

(vi)

B~ C

in,plies g.5:g.C (Proposition 7.12) ;

(vii)

The

x laws

B=C

when both stable

(Theorem 7.13).

Since we mentioned that the bother with

m

(Theozem 7.3);

(Proposition 7.11) ;

in proofs?

often show that a behaviour

T laws have a cx~npleteness property, why The reason is to do with stability. B

We can

of interest, not stable itself, satisfies

B = T.B* for scrse stable

B*;

This expresses that

so of course B

B~B*

stabilises.

(but B ~ C B *, by Proposition 7.10')

Stable hehaviours are often easier to

handle, and the oonstrained substitutivity of

z

often allows us to conduct

our proofs mainly in tezms of stable behaviours.

Chapter 8 should make this

point clear. Many proofs can be done with our laws without using any induction principle, though the laws are established using induction on

~k "

Xhere is, however, a pcwerful induction principle - C ~ u t a t i c n

Induction

- due to Scott, which we cannot use at present since it involves a

partial order over behaviours.

We believe that this principle can be

invoked for the finer notion of observation equivalence alluded to in §7.2, Remmrk(2);

7.6

Proof of Theorem 7.7

Theorem 7.7 Proof

it remains to be seen how important its use will be.

~+

is a congruence.

First, we show that

implies

B ~+ C

+ B + D ~ C + D;

require (B + D) + E ~ (C + D) + E

for arbitrary E.

But

+ (D + E)

(Theorem 5.3)

C + (D + E)

(since B~C)

(B + D) + E ~ B

~(C +D) Next we require that

B ~+C

+E. implies

g.B ~+g.C ,

I

B\~ ~+C\~ , B[S] ~+C[S] ;

that is, we

t09

e.g.

we want

g.B + E~g.C + E

for any E.

In each case the proof follows

the pattern of proof in Propositions 7.11, 7.12 (these Propositions are stated in terms of c ,

but the proofs are entirely in terms of z ). + The critical case is B + C implies BID zCID. A s s ~ B + C and

prove BID + E ~

CID + E, for arbitrary E,

Inductive Step: (i)

Let BID + E ~

If

s ~e,

or

BID s-~--E'

B~C (ii) If

then either E ~ E ' ,

~

by induction on k.

E; and then CID + E ~ E '

and then CID S~>F'~kE'

for scme F'

BID=ClD ~ ~ e o ~ m 7.3), w ~ c e

S=e, then either E'

cLD+E

~;cID+E,

then CID + E

is BID + E

%BtD+E

> E'

also,

also, (since

CID + E ~ F ' ~ k E '

also.

itself, and then

byindu~±~,

or E ~ ET ,

o_rr BID ~-~ B' ID' ~s> E'.

!

~d

These are now

the three cases: (a) B'

is B, and D - ~ D ' ;

by Theorem 7.3 CID + E (b) D'

F' ~kE'

IV>B'

for sane F',

(this is the only use of

is all that is needed),

sane F'.

and BID'~CID' whence

as required.

So finally CID + E and D-!V>D';

B +C

S>E',

k+l B '

- elsewhere

and we also have

frcm Theorem 7.3, so since B'ID (c) B

T>CID'

and B T-~-~B'; then by lemma 7.9 C ~ C ' =

for same C' B=C

so CID' ~

~:-F'~kE'

is D

then CID

B'ID~k+IC'ID

C'ID c-~F'=kE'

for

~:.C'ID ~ F ' = k E ' .

then C

IV;-c"~k+iB'

for scme C',

9~qence CID ..T;,C' ID' ~k+iB' ID' by Theorem 7.3, whence C'ID'

~"" F' ~k E'

Thus we have found F'

for some F',

whence also CID + E

in every case so that CID + E

~.> F' ~~E'.

S~-F'~kE' ; by

symmetry, we have BID + E~k+ICID + E which ccrnpletes the induction.

7.7 Further exercises We end this Chapter with some in the theoretical development.

harder exercises, for readers interested

Exercise 7.6 (Hennessy). Prove the following result, which further clarifies the relation between ~ and c : B~C

iff ( B c C

or

B CT.c

or

T.B Cc)

I10

Exercise 7.7

We would like to know that if

then

b ~CB;

b <

s.b

this states that, up to

has a unique solution.

b~

c,

~.b

and

B C~.B

the recursive definition

The argument in §3.4, proving t/le

scheduler correct, used a mild generalisation of this result.

The

following exercises lead to a more general theorem (for simplicity, work without value passing). (i)

Prove:

if

(ii)

Deduce:

B=e.B

if

B ~C~.B

More generally, let

for

and

C E ]

C~e.C

and

then

C ~C~.c

B~C.

then

B ~Cc.

be of form

D I + UI.(D2 + ~2.( ..... (Dm + pm.[3)...)) where at least one P i is not T.

m ->I,

(iii)

Prove:

(iv)

Deduce:

if

B ~CCEB]

and

C c C[C]

then

B ~Cc.

(v)

Deduce:

if

b~C[b]

and

B c C[B]

then

b ~CB.

~cise

7.8

if

B~C[B] and

C~C[C]

then

B~C.

Ccnsider a different definition of observaticn equivalence.

First, define a decreasing sequenoe of pre-orders B ~0 C

~0,~
is always true ;

B
iff, for all if B-~>B '

s ,

then for some C', C ~ > C ' and

B' ~k C' .

Thus we take only the first clause of the definition of ~k+i" B < C We may take

m

iff Vk. B

B ~ C

(ii) Prove that

and

~

are preorders, that

implies m

~D. B+D Z C+D -

iff

B ~< C

and

%~%en;

C ~ B .

as a candidate for observation equivalence.

(i) Prove that that

:

z

is an equivalence, and

B ~ C .

is a congruence;

in particular, that

(first show that each

~

B z C

has this property).

imDlies Thus

differ, since the latter is not a congruence.

(iii) Find a simple exanple in which a similar exanple) that

-

B = C

but

B ~ C . Also show (by

does not respect deadlock prqperties in

the sense of Exercise 3.6. This is why we rejected

=

as our notion of observation equivalence, in

spite of its sc~s~what simpler theory°

CHAPTER

8

Same proofs about data structures

8.1

Introduction We have already shown sc~e not quite trivial algorithms and systems

expressed in CCS.

The point of this chapter is twofold.

First we want

to show that familiar data structures, as well as algorithms, find natural expression in CCS;

second, we want to illustrate how the properties of

observation equivalence and congruence allow us to prove that systems work properly.

The data structures here give good proof examples.

To what

extent they correspond to hardware realisations must be left open, but it does not appear unreasonable that at least some hardware structures can be faithfully represented in OCS.

8.2

Registers and memories The simplest shared resource, which may be the r~ans of interaction

between otherwise independent agents, is probably a single memory register. Many concurrent algorithms have been represented in languages which permit agents to interact only through 'shared variables' well as 'readable').

(usually 'writeable'

as

We argued ~] §4.5 that algorithms are not always best

expressed this way - many people have recently made this point. But if we do want a register, readable and writeable by one or more agents, its behaviour may be well represented by

REG(v)

~

REG(v) :{e,{)

defined by:

~x.RES(x) + ~v.REG(v) _

(write)

Two kinds of atGmic experiment are possible: REG(v) REG(v)

~ Yv>

BEG(u)

(write u)

REG(v)

(read

(read)

v)

We may also find it useful to define LOC

~

~x.REG(x)

- a register without initial eontentg which at first admits only writing. If we define relabellings

S i = eiYi/ay

(l
are all distinct names, then we can define a memory of sort {al,yi,

...,~n,Tn } by MH~ORY n

=

LOC[SI]

I

.--

I

LOC[S n]

ei,Ti

112

or, using

~

to represent multiple cc~position:

M~4ORYn

LOC[S ] l_
=

O

~I

~2

O

...

~n -@-

YI Y2 Yn Note that this use of cc~position just plaoes the registers side by side; they don't cum~nicate with each other: Let us now suppose, more realistically, that we want to build a memory of size (i)

2k

At

with just three ports:

~ , it receives in sequence the

me,or/ address (ii)

m ,

k

bits

~-1'

"'"a0

of a

0<_m<2k ;

At

~

it receives a value to be written at address

(iii) At

{

it delivers the value stored at address

Let us call the memory, storing values

m ;

m .

v = (v0 .... ,V2k_ 1) , ~ ( v ) :{~,8,y}.

We shall adopt a oonvention which is in fact a reality for magnetic core memories; in

destructive reading.

To write a new value

u

into address

m

~ (v) , the envirorm~nt will perfon~ .

.

.

.

.

.

and ignore the value received at will actually be

vm.

.

.

.

y (which is bound to

Thus to read the raemory at

writes an arbitrary value (say 0) to writes

where

vm

back at

m ;

x );

m , the e n v i r ~ t

m , receives and holds

first

v m , and

it perfozms

B (the continuing enviror~nent behaviour) will use

ignore

this value

x

samehow, but

y .

In s ~ m a r y then, we can express how we want that for any e n v i r o ~ t ~-1

expression

B

Mk

to beha~ by saying

of fozm (i)

. . . . . ~ 0 .Su.yx. B'

the following observation equivalence must hold:

(~(~)

where

v(u/m)

I B )\~\8\Y

means

~

(~(~(u/m))

I B'(Vm/X} )\~\8\Y

(2)

(v0, ..,Vm_l,U,Vm+ 1 .... V2k_l)

This requirement is an example of incc~plete specification; not specify what happens if

B

we do

supplies too few or too many address bits,

or acts strangely in sane other way.

It is a natural inocmloleteness ,

I

113 because we might naturally cc~pose

~

with a 'front end' agent whose job

is to receive integer addresses, decode them into bit-sequences of length k (complaining if the integer reeeived is outside the range

[0,2k-1] )

and conduct the correct re~d~ng and writing sequences with the inccmplete specification actually makes the design of

~ ~

. Also, easy, as we

shall see. A specification which would be too incGmplete would be to demand merely that

~mk-1 . . . . . e/n0"~u'~Vm ~> ~ (v(u/m))

Mk (~7)

m~t

have this derivation for every

;

certainly

~(~7)

m=

ink_1..... m 0

and every

u , but this would not exclude unwanted derivations like

- deacllock: Nc~ let us abbreviate L0=

by

L , and define arbitrary sorts

{e0,80,~0 } , L I = {~l, Bl,~l } , asking only that all these nares

~' " " Y 1

are distinct and that

the sort of by

{~,~,~}

~0,60,Y0,el, BI, Y1

B . We will also abbreviate

\L0, etc., and set

\~\8\7

don't appear in by

\L ,

~

,

\a0\80\70

S i = ~i8i~i/~87 , i = 0, i .

First we can see that the specificaticn (2) is equivalent to demanding ( ~ ( v ) [~0 ] I B 0) kL 0 Z ( M~(v(u/m))SS 0] for any B e of fozm (3) we note that

[ B~{Vm/X} )LL 0

(3)

~ k - i . . . . . ~ 0 . 8 0 u . Y~. B 0 ; to deduce (2) frQm

(Mk(J) I B ) ~

= (~(J)[B)[S0AL 0

¢Rei~(i),(2),(4) )

=

(~(v)

(Rel~(5))

=

(Mk(~) [s0] I B 0 )~0

[S O ] ! B[S 0] )\L 0 with

B 0'

(~!;-=(3))

= B ' [S O ] ;

the other side of (2) transforr~s similarly, and (3) can be used to get (2). Conversely to deduce (3) frcm (2) we work with inverse relabelling to

S O , and use Pel~(1), (3) knowing that

the identity relabelling.

I

R0oS 0 = I ,

Such manipulations should became routine'

We now come to the design of taining

R 0 = ~Sy/~0BOY0 , the

~

. M0(v) , the rmm~ry of size 1 con-

v , is given by S0(v)

=

CEr;.(v) , where CELL(x)

~== ~ . ~ .

Ck~.L(y)

(4)

114

(The a

port is not used.)

We build M]~+I(v:w) (~,w each of length 2k; ation) out of

~(v)

and ~(w)

v:w

is their concaten-

by composing themwith

whose job is to inspect the first address bit

NODE: Lo[.0uL1 ,

z which it receives and -

roughly- transmit the rest of the communication to ~ (v) according as

or

~ (w)

z = 0 or 1 . Precisely:

kDDE < =

Noo

az.

i<=

NfI)E z

(i=0,i)

z. iz. NooEi +

(5)

i.................. and

,,, ~+I(~:W)

=

( ~(v)[S 0] I ~(w)[S 1] I NODE )\L0\L1

.

Notice that

NODEi

,,,.....

.

does not know how many bits to receive;

it must be

ready for an address bit or a value, and act accordingly. The diagram cn the next page shows

M 3 (v) , with arrc~s indicating

the initial capabilities of the cu~onents.

By swinging arrows about on

it, you can convince yourself that it works - and that 'wrong' sequences deadlock;

e.g.

M 3(v)

~0.~l.~u > NIL .

(The idea to use as an example a memory built of nodes which 'use the first bit to direct traffic' came frcm a talk with Nigel Derrett, who told me that this method is used in practice.) Having now defined ~

rather succinctly by (4) - (6), and specified

its intended behaviour by (i) and (2), we proceed to prove that it meets its specification.

J

115

J

/

J

~.

/ .

/

k

i/ ///

\

k

/

I 1

~ \\\\

\

[/I l/

\\\\~k

DDE I

Diagram of M3(v) , showin~ initial action ~ i l i t i e

s .

116

Theorem 8.1

For any

(~(v) Proof

For

B

of fozm ~ _ 1

. . . . . ~m0.su.yx. B' ,

I B )v, ~ (~(~(u~))

k = O w e have, since

I B'{Vm/X} )\L.

v = (v O) ,

(M0(~) I B )\L = ( 8y.yv 0. CELL(y) I [u.yx. B' )\L = T.T-(CELL(u) I B'{V0/X} )\L (Expansion) = as required.

(M0(~(u/0))

I B'{v0/x} )\L

Now asstlne the theor~n for

~'~-1 and consider

(Proposition 7.1)

k . Take

B

. . . . . ~0.~u.yx. B'

~(~:w)

, where

v,w

are of length

2k . We want

¢ ~ + 1 (~:~) I B )\L = ¢ ~ + l ¢ ( ~ : w ) ( u ~ m ) ) where

of fo~n

I B'{¢~:w)nkJx} )\L

m = ink_1, . ..,m0 • By symmetry it will be enough to prove this

for the case ~ = 0

, which is to say we want

( ~ + i (~:~) I B )\L = (~+l¢v(u/m) :w) I B'{vJx} )\L The left-hand side is, by (6), ( ( ~(~)[S O ] [ ~ ( w ) [ S I] I NODE )\L0\L 1 ] B )\L L0

LI

L~LoOL I (writing sorts below)

= ( ~(w ) [ S I] I ( ~(v)[S O ] I (NODE IB) \L ) \L 0 )\L 1 where we have regrouped by repeated use of ~ i n g

that

L0~

Now recalling ~ = 0

-- L I ~

Res~ and by

(7)

Ccm~(1),

= ~ •

, by the Expansion ~ e o r e m

( ~ , I m v, = ~. ( ~ 0

I ~_~- .... _ ~0.~u.~x. B, ) v,, ~0mk_l ..... ~0m0.60u.70 x. (NODEIB') \L

by Proposition 7.1 and Theore~ 7.3 . But this is a

B 0 of the form

needed for (3), which we showed equivalent to the theorem at

k (whirl%

we're ass~ning) ; so recalling Theor~n 7.3 - that ~ can be substituted except under

+

- we can rewrite (7) as

-~ ( Mk(W)[S 1] I (Mk(C#(u/m) )IS0] ] B~{VJX} )\L 0 )\L 1 where B 0 (NOOEIB')\L , so B~{Vm/X} = (NODEIB'{Vm/X})\L since x is not a free variable in NODE . Now we can regroup, just reversing the operations by which we got the fona (7), to get = ( ( ~(v(u/m))[S 0] I ~ ( W ) [ S 1] ] NODE )\LokL 1 I B'{VJX} )\L = ( ~+l(~(u/m):~ ) ] B'{Vm/X } )\L as required.

117

Exercise 8.1

Suppose you have available a decoder, which accepts an

integer (assLm~d to be in the range decodes it into its bit sequence. DECODE < = ~e

~m.~_

E0,~-13

for some fixed

k) and

~qat is:

I . . . . . ~m0. ~. DECODE

integer comes in at ~ , the bits go out at

:{~,~,~}

e, and

~

o

signals

~letion. Design another agent, called DECCDE , ~

and

M~(v)

FRONTEND , so that when you oc~pose

with appropriate relabellings and

restrictions you get a system

~(v)

: {~,8,~}

satisfying

+

(TO write value

u

read the memory at ~m.yy . . . . . Hint:

)

m

m , the user perfozms

~m.6u ....

and bind the received value to

y

and

D~CODE

to

he performs

must cooperate to produce expressions

B , so that you can use ~heorem 8.1 about

Exercise 8.2

;

Prove the desired equivalence.

FRONTEND

of the form

at address

Can you think of a way to redesign

~(v)

~(~)

.

so that the

outgoing value doesn't have to travel up the binary tree?

8.3

Chaining operations Suppose we have agents

B I and

B2

and wish to join thegn like this:

@

@

........

It is natural to define a binary operaticn Definition

Let B~B

BI:L I ,

2 =

B2:L 2 and

( BI[~/~]

B1 ~'~ B 2 .

;

I B2[~/~] )\6

Note that the definition is specific to write

~

"~

for this purpose.

then where

and

6 ~ names(Ll~2)

~ ; perhaps we should

118

We need to justify our definition by showing that the choice of doesn't affect it.

To see this, suppose that

d' / names(LluL 2) , ~'~6 o

Then (BI[ ~'/6] IB2[~'/e]) ~ ' = (BI[~'/8]IB2[$'/~])\~'[6/6'] by Rel~(1),(2) = (BI[6'/6][6/~']IB216'/~][6/~'])\6 by Rel~(4),(5) = (BliP/S] IB216/~]) \~

by Rel~(3) .

Note that B "~B may fo~n other links, depending on L 1 and L 2 ; 1 2 this doesn't affect our ~ t , but we are mainly interested in the case L I ~ 2 = @ . The inportance of "~ is that it is associative;

this property is

helpful when we need to chain several agents together. associativity.

Let us prove

Suppose BI:L 1 , B2:L 2 , B3:L 3 .

Then (B F B2) " B 3 = ( (BI[~/8]IB2[~/~])\~[~/8] choosing

6, ~ ~ names(LlUL2uL 3) and

~

;

= ( (BI[~/8]IB2[~/~])[~/B]\~ by Rel~(4) and Res~(1)

IB3[~/~] )\~

IS3[~/~]\~ )\~

(we are pushing relabellings inwards, pulling

restrictions outwards) ; =

(B116/6][~B ] ~216/e][~B]IB3[~]) \6\~

by Rel~(5) and Res~(3) =

(check its side condition') ;

(BI[6/83 IB216V~S3 IB3[V~]) \~\~

by ~i~(3) and Res~(2) ;

= BI

(B

B

by

Exactly the sane can be done for double chaining; -

we Want to join them together to give

given two agents

119

Definition

Let

BI:L 1 , B2:L 2

and let

e,B,y,~

be distinct.

Then

B l a B 2 = (B1[~/8,0/~] IB2[~/~,0/Y])\0\~ where

n,0 i na~eS(LlUL 2)

and

~8

.

It is easy but tedious to check the associativity of

~

. We shall

use this operation in the next section. Both

"

and ~. give us special cases of theorem 5.8, the Expan-

sion ~heorem;

we just state it for ~

, in the siaple case where

B 1, ....B n : {e,~} , ioe. no labels are present except the chaining labels o

Expansion ~heorem for "~

If

BI,O..,B n : {~,~} , and each is a sL~n

of guards, then

X{ x. (B I

B2

+[{Bv.(B I

B2

; ~oB~

-..

a stm~nand of B1}

B n) ; 8-~.Bn a s~mmand of Bn}

+ [{ T. (Bi'~. • .~" B i' ~ Bi+l{V/X} ' ~ ~ "~..."~Bn)

13-~.B1 a s ~

o f Bi , c~x.B~_+l a ~ d

o f Bi+l}

All that this says is that the only external actions occur at the ends of the chain, and the only internal acticns occur b e ~ will use the correspcnding theorem for ~,'~ ;

neighbours.

We

it's obvious enough, so we

do not write it down.

8o4

Pushdc~ns Let

V

and queues

be a value set;

What should be the behaviour

we use

s

to range over

PD(s) : {s,y}

which values are pushed in at

V* o

of a pushdown store in

and popped out at

y ?

A reasonable

suggestion is PD(s) < =

ex. PD(x:s) if

Here

':'

es~otiness;

s=e

then

+

(i)

y$o PD(e)

is the prefixing operation over

else

y(first s)oPD(rest s)

V* , and '$'

indicates

we test the pushdcwn for e~ptiness by popping and testing

the value popped°

120

Tnus we want tO build

PD(s)

PD(e)

=

~x. PD(x:E) + ~$. PD(e)

PD(v:s)

=

ex. PD(x:v:s) + ~v. PD(S)

What we shall actually build is

NIL .

PUSH(s)

PUSH(e)

=

~x. PUSH(x:e) + ~$. NIL

=

~x. PUSH(x:v:s) + ~ . PUSH(e)

to satisfy

PUSH(s)

(3)

, when popped, degenerates

~]%is is easier to build, and it's also easy to build a

special front end, PD(s) We build

=

FRONT , so that (2) is satisfied by FRONT ~PUSH(s)

PUSH

.

as a chain of cells, each of which can hold

O, 1

$ . A cell holding

or 2 values, tezminated by an end cell holding y

(2)

: {~,~}

PUSH(v:s)

the only difference being that to

to satisfy

is

_

CELT,I(y) <~--- ~4. CEI,T,2(x,y) + ~ . Then the rest of the

Y

~,L

(4)

0

definition is

~T__z2(x,y) : {%~,~, ~ }

C~,T,2(x,y) < = ~ .

~0

: {~,S,~,6} C ~ T ° <---~ax. (i !

~;,$

We

(5)

C~,LI(X)

x=$

then

CELL S

else

~,T,

(x))

~--- ~ . (C~T, I (x)--~ , $) + ~$. ~ L

show the successive configurations of a typical derivation,

starting from

CELT,S , in the diagram below.

(6)

1

(7)

121

I~6

(push 6)

~5

(push 5)

IT (pop 5)

(8) (push 2)

~he derivation

Now for any

s = (vl,...~vn)

PUSH(S) = Clearly

PUSH(s)

shows you that no

CELL S

m6.~5.~5.~2 > CELL 2 (2,6)~CRT,T.$

let us define

CRLLi(Vl)~ ..o ~ C E L L I ( vn) ~ C E L L . .

is stable;

(9)

the fourth eonfiguration in the diagram

r-actions are possible.

It is also reasonably

clear that every configuration will stabilise, given time, but that external o~t,~mication can occur before stability is reached.

122 Let us see what we need to prove (3), which is our aim.

From

(9), by the Expansion Theorem, we get

C~!,T,$=

PUSH(~) =

~X. (CELL 1 (X)~,T,$)

= so the

first part of (3) is done. (Recall that we allow ourselves

to write that

+ ~$.NIL

~x. PUSH(X:e) + y$. NIL

'='

'='

whenever we use a congruenoe,

always inplies PUSH(v:s) =

'~' o)

'~'

or

,~c,~ , and

We also get

~.T, 1 (V) ~APUSH(s)

=

~Xo (CE~2(x,v)~PU~(s))

+ ~v.(C~0~Pu~(s))

•

We therefore propose to prove CELL 2 (u,v)~PUSH(s) CELL0~PUSH(s)

m

~

PUSH(u:v:s)

(iO)

PUSH(s) .

(ii)

These cannot be congruences (=c) since the left-hand side is unstable in each case.

But

'='

is strengthened to

'='

by a guard

(Proposi~on 7.12), so for example frcm (ii) we deduce

~v. ( C ~ L 0 ~ P ~ H ( s ) )

= ~v.PUSH(s)

;

applying the same technique to (iO) we finally reach (3). achieved equality (=) before substituting under

We have

'+' .

To prove (iO) and (ii) we only need four little lemmas, grouped together:

Lem~

8.2

(i) CELL2(u,v)~C~TI(w) Z CELLI(u)CC~Th(v,w) (2) CELL2(u,v)OCELL $ ~ c~r%(u)D~T'I(V)CC~T' $

Proof

(3)

CELLo"~--CkTI,T,I(W) ~ CE'T'ILI(w)~CET'T' 0

(4)

CELL0~CRT.T. $ ~ CELL S •

All by the Expansion Theorem;

first in detail.

--

I

we need only consider the

123

We have C ~ T 2 (u,v) C c ~ r I (w) = ~. (C~.Tu (u)C ~ r

2 (v,w))

= CELLI(u)~CELL2(v,w) For the last, we need the fact that

I]mxe~cise 8 •3

by Theorem 7.1 .

CETI.$~NIL = C~,I$ .

Pl~(~ this si~l~ f~ct +

Now (iO) and (ii) follow: Lemma 8.3

Proof

T,2(U,v)~PUSH(s)

(i)

~,

(2)

~.T.0~PUSH(s)

Let

~ PUSH(U:V:S)

~ PUSH(S) .

s = wl,...,w n ;

to get (i), use the definiticn of

and apply Lemma 8.2(1) repeatedly, then I~t~+~ 8.2(2). 8.2(3), (4) similarly.

Note that

the latter is defined without using

~

PUSH,

To get (2), use

is preserved by ~ since

+ .

SO by what we did before, we have settled Theonan 8.4 PUSH (e) = ax. IXJSH(x: e) + ~$. NIL PUSH(v:s) = ax. P ~ ( x : v : s )

Exercise 8.4

+ ~.

PUSH(s)

.

Analogous to (3), we may specify a q~eue by

QUEOE(~) = ~ . g~JE(x:~-) + ~$. NIL QUEUE(v:s) = ~x. QL~TJE(v:s:x) + ~ .

QU]K/E(s)

.

(Note that ':' is being used to postfix elEs~nts to sequences, as well as for prefixing.) CELL2(x,y)

Make a very small change to the behaviour of

(5), and adjust the iesrmas to show that

g.~E(s)

=

cmr,r,l(v ~) C ° . . ~ C ~ r , r . ~ ( v ±

(for

n

)~CELL s = vl,...,v n)

satisfies the above equations. Exercise 8.5

Design

FRONT : {~,~,~,~}

FRONT~PUSH (s) satisfies the equations

(2) for

PD(s)

.

so that

124

We were rather careful in our definition (5) of it must push

y

down before it can pop

C"A~I,2 (x,y) ;

x . Was this necessary?.

By

considering diagram (8) and similar derivations you can probably satisfy yourself that

2 (x,y)

~I,

happens to our proof though?

c ~ t 2 (x,y) ~

can be allowed to pop

x . ~hat

Let us redefine

?x. ~c~t.t. i(y) + I-y. Ck~T'T,I (X) • 6

We need only make sure that Lemma 8.2(i),(2)

still hold.

For the first, we have by expansion

CELL 2 (u,v) 3 ~ . t . i (w) = ~u. (C~.T i (V)C~'T, i (w)) + ~. ( ~ t i (u) D ~ t .

which does not look right. the second?

2 (v,w))

But can the first term be absorbed into

By Corollary 7.14 - a derived absorption law - we must show

C~T.T.I(U)~rm~.L2(V,W) = ~U. (C~T.T.I(V)~CET.T.I,(W) ) + for same

(12)

B

(13)

B . Expanding the left-hand side gives

C~TJ, (U) ~C~T.T.2(V,W) = ~U. (CET,T.0~2(V,W)) 1

+

B

(14)

i

while expanding part of this gives

C~T/.0C(IX[L2(V,W)

= T. (C~T'T.I(V)~CET'T'I(W)) +

B2

(15)

NOW put (14) and (15) together: ~'T'I (u) ~_ CELL_z (v,w) = yu.(T. (~.T.I(V)~CRT.T,I(W)) + B2) + B I , = B = y-u.(CELL 1 (v) ~C~T.T.I (W)) + B which is what we wanted'

We now have (13), and this justifies the step

fram (12) to c ~ . u 2 (u,v) ~ , T ,

say,

by Theorem 7.13 (3)

I (w) = t. (CELL i ( u ) ~ C ~ t 2 (v,w)) ,

125

SO ~e still have Lemma 8.2(1). ii

ll rcise 85

show

IiExercise 8.6

Give

all of ~

f~

82(2) still holds, some extra freedom as well, and show that

8.2 still holds.

Why does extra freedom for

CELLO

have

effect on the deduction (12)-(15) above?

~rcise

8.7

ll

Complete the proof of the scheduler, half of which was

in §3.4; it remains to show that the second constraint in Method Idone i, §3. i, is satisfied. You will almost certainly need the derived

Iabsorption law, Corollary 7.14. Exercise 8.8

Re-examine Exercises 4.3 and 4.4, in the light of our

proof techniques. As a deeper exercise, investigate what happens if the two in the

OONTROL

part of the net are removed.

CONTROL

GATEs

will not

satisfy the same equation, but the whole system may still function as specified.

If so, can you prove it?

Exercise 8.9 of

PUSH

We can get rid of

CELL 2

completely from the definition

by defining ~ . L 1 (y) ~

ex. (~.L 1 (X)~Cg~.L1 (y)) + ~ . CET.T.0

(Notice that we could not then adapt our syste~ to form a queue, as in Exercise 8.4') Carry out the proof for this changed syst~n.

9

TraD~slation into CCS

9.1

Discussion Many concurrent algorithas can be expressed in CCS with sane lucidity.

On the other hand, the aim in designing a high level concurrent language is (in part) to provide and enforce a discipline in the way in which ~ e n t s ~cate

and share their resources, partly to protect the prograrmer

frcrn unwanted deadlocks.

This often restricts (usefully) the behaviours

which may be expressed. If such a language can be translated into CCS, its meaning is thereby determined; ~le,

we also obtain a way of reasoning about the language.

For

observation equivalences among its prograTs can be established,

and these may yield useful laws for program transfozmation. In this chapter we give a translation for a rather simple language. It is a subset of various languages in use;

also Hennessy and Plotkin

[HP 13 have specified its semantics in detail, in a very different way. Our translation is quite straightforward;

the main reason for this

is that the scoping of program variables, which often requires the use of a notion of environment in semantic specifications, directly by the restriction operation of OCS.

is for us represented

However, when we examine

how to translate an enrichment of the language in which procedures may be defined, and each procedure is supposed to admit several concurrent activations, we discover a limitation of CCS in its present form (we can handle a prooedure which cannot be concurrently activated, however). The translation will be seen to be phrase-by-phrase;

each phrase of

the language beccmes a behaviour program which is totally independent of the context of the phrase.

(Such translations are scmetimes called macro-

expansions. ) We shall write ~C~ to mean the translation of phrase

C.

For exanlole ~IF

E

THEN

C

~.qE

C'~

will be oonstructed uniquely from ~E~ , ~C~ and ~C'~ . This means that the ccnstruct

"IF-THI~-EISE-"

in the source language can be thought of

just as a derived ternary behaviour operation.

We can then think of the

entire source language as a derived behaviour algebra.

127

9.2

The language Programs of

P P

are built frcm expressions

assignable program variables F,

standing for functions

symbol.

x. f.

E

and ccrm~nds

C, using

We suppose a fixed set of function symbols A coD~tant symbol is just a nullary function

We do not specify the value types of expressions.

The syntax of expressions is just E::= X I F(E, ....,E) (This includes e.g. "+(X,I())" which is written "X+l"). The syntax of cc~mands is C: :=

(Assignment)

X:=E

(Sequential ccmposition)

C;C IF E

%~EN

WHILE

E

BEGIN

X;

C

PAR

INPUT

C

DO

C

(Conditional)

ELSE C

(Iteration)

~D

(Declaration)

C

(Parallel cc~position) (Input )

X

OUTPUT

(~tput)

E

SKIP

(NO action)

(Parentheses are used to avoid parsing ambiguities). The main doubt about the meaning of ~le,

can the 'concurrent' a s s i s t s

P

is to do with

PAR.

For

in the program

X:=0 ; X:=X+I

PAR

overlap in time?

X:=X+I

If so, the resulting value of

it not, it must be

X

oould be

I

or

2;

Our first translation will yield the fozm~_r; we

2.

see how to get the latter afterwards.

9.3

Sorts and auxiliary definitions Each variable

X

will be represented by a register (§8.2) of sort

{eX,~X } . Recalling §8.2, we define . . . .

,

LOC

:{~,~} ~

REG(y) :{a,~} ~ ~US

for

X

we will have

we will abbreviate

......

~x.REG(x) ~X.REG(x)+ ~y.REG(y) LOC x = LOC[~xYx\~T];

REG(y)[~XYX\~73

by

REGx(Y).

,

128

We use

L x = {~X, YX } -

the oc~olement of the sort of

LOC x - in

defining the sorts of commands and expressions; we call it the access sort of

X. Each n-ary function symbol

F

(denoting function

f) will be repre-

~nted by ]

bf ~

whose sort is have

PlXl. .... PnXn o ~(f(xl, ....Xn)). NIL {Pl ..... Pn '~}"

1'

So for a ccnstant symbol -

e.g.

2 - we

b 2 ~ ~2.NIL. Each expression

E with variables

a behaviour progran of sort their result at tion of

E

5,

X 1,. .. , ~

{YXl,...,y~,~}.

and then die;

will be represented by

Thus expressions deliver

this means that if ~E~ is the transla-

it has the property .... ov ~E] ~ B implies B = NIL.

In translating commands we often write, for same

B,

(~E] Ipx.B)\p which we abbreviate to

[E~ result (px.B), defining the behaviour operation

result by

1

B~ result ~.B2 ~. (B~'B~)\P" . . . Eadl ccmmand C

with ~lobal variables

by a behaviour program of sort

I X I ,... , ~

L~u...UL~U{I,o,~}.

will be represented We call this program ~C~;

it uses l ,o for input and output and signaTs its completion at ~. It then dies, so

[C~ .....~ B

implies

B = NIL

Scme auxiliary behaviour operations are useful in defining ~C]; done = ~.NIL B 1 before B 1 par

B2 =

(B new)

(Bl[~1/6]IB2[~2/6]](61.62.done+

62.61.done)\61\62 (61,62 new) ~ Exercise 9.1 Use the laws of Theorems 5.3, 5.5 and 7.13 to show that ~

~d ~

B2 =

(BI[~/~]ISoB2)\ B

are associative, and ~

is cu,,,~tative.

We now have all we need to define the translations inductively on the structure of ~%rases.

~E]

and

[C~

129

m

Prove, by induction on the structure of expressions and

Exercise 9.2

c(mmands, that (i) If

E

Xl,...,X~,. then ~E] has the sort

conea~ns variables

n x u...uLx u{~}I K (ii) If the non-local (free) variables of

~c] m s the sort (bound) in

C

are

(_Note that

Lx u...uLx u{~,o,~}. i k

BEGIN X;

X i,...,~ X

then

is local

C ~qD.)

Many simple equivalences over

P

can be shown from the translation.

Here are a few as exercises.

Exercise 9.3 (i) Prove ~SKIP;C] = ~C~ (ii) Prove ~ 4 I I ~ (iii) If

X

E

DO

C~ ~ ~ I F E ~

is not a free variable of

(C; C,

~

E DO C) ELSE SKIP~

prove

~BEGIN X; C m m ] ~ ~C] ~BEGIN X; C; C' ~ ]

~ ~C; BEGIN X; C' E~D]

~BEGIN X; C PAR C' END]~ ~C PAR (BEGIN X; C' EhD)] (iv) If

X

is not in

E, prove

~BEGIN X; IF

E ~

~IF

(BEGrN X; C ~ 9 )

E

~

C

ELSE

C'

~D]

ELSE (BEGIN X; C' EhD)]

and investigate ?

~B~ZNX;~mm

E

DO

C

mD~

~

~ ;

E

D O B E G I N X; C E~3] ?

(v) ~hat can you conclude from Exercise 9.1?

Exercise 9.4

Show that ~X:--X + 11c

similarly.

yxX.~x(X + I)°done°

Simplify ~X:=0]

Now show, by brute force and expansion, that

~BEGIN X; X:=0; (X:=X + i PAR X:=X + i) ; OUTPUT X ~ 3 ] ~OUTPUT i] + ~OUTPUT 2~

(Recall the properties of

~

and

c,

listed in §7.5)

130

9.3

Translation of

P

For expressions:

~xl = y A j x . ~ ~F(EI,...,E n)}

=

(~EI~[Pl/PJl---I~En~[Pn/PJlbf)XPl--.kP n

For caanands:

~X:=E] = ~E~

result (px.a~.done)

~C;C'] = ~C~

before ~C'~

~IF

C

E

THEN

EI~E

C'] =

~E~ result px.(if x then ~C~ else ~C'~) [WHILE

E

DO

C] =

with w

w, a ne~ behaviour identifier,

~== ~E~ remilt (px. if

x then (~C] before

w) else done)

~ ~C

x; PAR

~INPUT ~

c ~

=

(U~x{ ~c~) \Lx

C'~

=

~C~ par

X ~

=

~X.~xX.done

E]

=

~E~ result ( p x.ox.done)

~SKIP~

=

R ~ s (i) We are using (2)

\~

The identifier such ~

~C']

w

done

to abbreviate \~X\YX ,

as was done in

§8.2.

for the }~HILE command must be different for every

translated.

A minor extension to CCS, adding expressicns

of the fozm fix b.B (in which

b

is a behaviour identifier bound by the prefix "fix")

would avoid this inelegance.

Such an expression may be understood as

b, where b 4 - = B where the identifier chosen is distinct frcm all others used.

(The

notation can be extended to match the definition of parareterised behaviour identifiers.) ~%YI-~E E

With the "fix" notation, we would write DO

C~ =

fix w. ~E~ result (...) .

I31

9.4

Addin~ procedures to The block

the resource

p

BEGIN X; C ~%D

creates a resource

X

for use by

C;

X

is represented by a behaviour, accessed through the sort

Procedures

(of many different kinds) are examples of other resources

Lx. to create.

Let us add a n6~ syntax class of declarations

language, with the understanding that each declaration accessed through an access sort block ~

~.

D

D to our is to be

Then we generalise the syntax of

to BEGIN D; C ~ 3

and begin the syntactic definition of declarations by D ::= VAR X J .... The uniform translation of b l ~

j,

will be

~BEGIND;C END~= (~D~J~C~)\~_

I

and the translation of variable declarations is now ~VAR X~ = LOC x

I

(with access sort

I~XI

-

t

Variables are particular in that they ~,L~nicate only with their accessors; this is reflected in the fact that the sort of ~

is just ~ .

Procedures

may, we suppose, contain free variables and call other procedures, so the corresponding behaviours will h a ~

a sort larger than the cc~pl~nent of the

access sort. Let us define D ::= VAR X J PROC G (VALUE X, RESULT Y) IS

CG

and add to the syntax of ccrm~nds C ::= .... ICALL G(E, Z) The procedure declaration indicates that

G

is a o n e - ~ t

taking its argument (by value) into a local variable (command CG) has

free variables

cedure is the value in as ~ n t , is to be

Y

X

and

on campletion.

Y

the body of

G

and the result of the proThe call passes the value of

and assigns the result to variable L G = {~G,YG } ,

X;

procedure,

Z.

The access sort of

E G

and we can immediately write the translation of a

procedure call:

~E~ result (px.~.~Gz.~zZ.done)

~CALL G (E,Z)~

I

We now have to say that the sort of ~C~ , when X 1 ,... , ~

and free prooedure identifiers

C has free variables

G 1 ,... ,~, is

---InLC~lU'"uLc~u{I'°'~}" ~ i s will follow frcm the definition N

LXIU'"ULXUk

_

of ~D~ for a procedure declaration.

(In fact sort-checking is a good

first guide to correct definition, like type-checking in good programming languages and dimension-analysis in school mechanics.) We can give a first approximation

(wrong for at least two reasons)

to the translation of procedure declarations: ? [PROC G(VALUE X, RESIST Y) IS CG~ = g, where g~== (LOCxILOCyI (~Gx.~xX.~CG ] before Notioe that this has sort of CG;

yyY.~GY.NIL))\Lx\Ly

~ ..__LcuLc-(L~L~{~} ~ ) where

LC

is the sort

this will make the sort of the block right.

Are the free variables of

CG treated properly?

What output do

we expect frcm the following amlnand C ? o BEGIN VAR Z; Z:=3; BEGIN PROC G (VALUE X, RESIST Y) IS Y:=Z; BEGIN VAR Z; CALL G (17, Z); OUTPUT Z ~D ~ND END ~he aD~wer should be "3", since the body of If it used the inner

Z

G

should use the outer

Z.

the answer would be "no output" since locations

cannot be used before they are assigned. Ex~rcise 9.5 for

If you are interested to see how a mechanical evaluator

P (via CCS) might work, simplify

~Co~ ~f first simplifying the

translations of subphrases as far as possible , and obtain c ~Co~ = ~OUTPUT 3 ~ o3.done.

133

The first mistake in

above is that it is not much use as a resource,

g

since it dies after one use.' Our other resources (registers) restore ths~selves (with possibly changed content) after use, so we m y

g

make

do the

same. Second approximation: ? [PROC G(VALUE X, RESULT Y) IS CG~ = g, g4==(LOCxI~I (~.~.[Cg~ So the last thing g

g

before

where

~y.~.g))\Lx\L Y

does is to restore itself.

Notice that the restored

is of foma (...)\Lx\Ly, so its local variables

the old

g.

But you should see how to allow

G

X,Y

are not those of

to have "own" variables

which are initialized at declaration and persist frcm call to call.

Exercise 9.6

Translate the ~

declaration

PROC G(VALUE X, RESULT Y) OWN Z:= E

so that

G's "own" variable

the value of

Z

is

CG

is initialised at declaration to

E.

The second mistake in call itself recursively. d~nand a reply to could meet it?

~Gv

g If

is that there is no provision for it to CG

contains

for sane value

The answer is:

v,

CALL G(-,-)

then it will

and nothing can meet it.

a fresh resource

g

for use by

}~nat

CG.

Taking the clue frcm the translation of blocks (whid~ is the way resources are provided for use), we obtain fLnally

~PROC G(VALUE X, RESULT Y) IS CG~ =

g, where

g 4== (LOCxllf~yI (~GX.~x. (g[[CG~ )\LG before 7yy.~Gy.g)) \Lx\Lz (with access sort LG)

Exercise 9.7

If

[CG~

has sort

g:

LGoL c -

LC, check that

yields the sa~ne sort for the right hand side of g's definition.

It is rather hard work to evaluate even simple recursive by hand via OCS.

What would be She point of evaluating them?

P

programs

Well, the

purpose of our translation is to investigate the power of CCS, and also

t34

to indicate that properties of languages such as properties of particular

P

prograus)

P (as distinct frcm

maX thereby be established.

But a check on the validity of t_he translation would be helpful, and could be provided by a mechanical CCS simplifier/evaluator.

Peter

Mosses has shown how Scott-Strachey semantic specifications expressed in the lambda-calculus can be checked out by a lambda sir~plifier/ evaluator [Mos]. We must now exanine a shortcmming of our translation of procedure declarations.

Since

g

only restores itself after returning

(~)

its result, it follows that although there may be concurrent calls of G

within the block of the declaration, for example CALL G(6,Z) PAR CALL G(7,W),

the resulting executions o f C G will not be overlapped in time; must take priority, while the other waits to use the restored cannot access the inner itself;

g

provided for recursive calls of

that is restricted by \LG.)

allow for concurrent activations of

one

g.

G

(It

by

At first sight, we might hope to G

by making

g

restore itself

directly after receiving its a r ~ t : ? [PROC G(VALUE X, RESULT Y) IS CG] = g, where g ~

= ~ " (gl (LOCxI~yI ( ~ " (g I[CG]) \LG before 7yy.~.NIL) \IX\~ )

(Note that we still have guarded recursion).

Now the restored

g

may be

activated inmediately after the first, and run concurrently with it. we cannot be sure that the two (or more) (~y)

g's

But

will return their results

to the correct calling sequences - each of which is waiting on

yGz '. There seems no natural solution to this probl~n in ~ stands.

True, we may generously allow some fixed number of

be created, as separate resources, by the declaration.

as it now g's

to

This could be

done by ? [PROC G(VALUE X, RESULT Y) IS CG~= gs, where gs~

%

I - ~ N g i'

and for each i

I

(gsI

\LG before

with LG = {eG,i' YG,i' l-
G,iy'gi))

135

Notice that each distinct

gi

gi

restores itself after cc~pletion;

can be concurrently active.

only the

N

The calling sequence must

also be adjusted: [CALL G(E,Z) ~ = ~E~ result (px.1
N

it may be realistic if we ass~ne a

on the m m ~ e r of processors available.

But we are

looking for solutions at a level of abstraction at which implementation is not yet considered. Even so, the 'right' solution is suggested by what implementors often do;

that is, for each call of

with the argument.

G

to supply a return link along

Each activation then knows which return link to use

in returning its result.

But in CC~ this would mean passin9 Labels (or

names) as values, which we have excluded. It is not trivial to give CCS this ability, and yet retain the theory which we have developed, but it may be possible (in exploratory discussions with Mogens Nielsen we have seen sGme chances).

The fact that we

have not met this need until now shows that much can be done without name-passing,

but its usefulness is certainly not limited to language

translations.

We tin/st leave the matter open.

Exercise 9.8

Generalise the (correct'.) translation of procedure declara-

tion to allow several procedures to be declared mutually recursively (as a single resource) by

A N D

-

-

-

c~ (vAu~ xk, RESET Yk) TS Ck

9.5

Protection of resources We finish this chapter with sane tentative remarks about mutual

exclusion between commands in

P

which would otherwise run concurrently.

There is no doubt that we can, in CCS, represent same methods for providing rm/tual exclusion, but to provide m~£hods which are robust, flexible and elegant is a very hard problem of high-level language design which is still not fully solved though

it has been studied for about ten years.

136

See for example [Hoa i,~, [Bri i]. so, towards the prQblem;

CCS is unprejudiced, and intenticnally

what it can do is to provide a means for rigorous-

ly assessing a proposed solution. If all we want is to prevent overlapped execution of assignment cQmklnds assigning to the sane variable, it is easy to adopt the wellsemaphore method. S~4:{~,~} ~

As in §2.4, define ~.~.S~4

=

and redefine

zoc x = (~x.P~x(X)) [sm~x The access sort

Lx

for resouree

X

Lx= {~,~,~,~} and the only change in translation is to redefine ~X:=E~ =

~

Exercise 9.9

~.~E~ result (px.~.$.done).

Re-work Exercise 9.4 with this new translation, getting

An alternative, to allow larger oc~aands to exclude each other, is to adopt the proposal of Hoare in "Towards a theory of parallel programruing" (referenced earlier).

Tne idea is to allow the programmer to

declare arbitrary abstract resources, by adding a new declaration fo~m D::= .... (where

R

I

~

R

is an arbitrary identifier) and a new command fozm C::= ....

I%~fH

R

DO

C

For example, the programmer may associate a particular

R

with the output

device, and adopt the discipline that every OUTPUT c~snand occurs within a "WITH R ... " context; frcm interference.

he can thus protect a sequence of OUTPUT cc~m~n~

In translation,

[RESOU~2E R ~= ~ R

R

is just a semaphore, so we specify

(with access sort ~

= {~R,~R })

and ~WITH

R

DO

C~ = ~R.~C] before (~R.done)

Hoare discusses the virtues and vices of this discipline.

In particular,

he points out the possiblity of deadly e~brace, or deadlock, as in

137

(WITH R DO WITH R' DO C) PAR (WITH R' DO WITH R DO C') But he observes that a ocmpile-time check can prevent this;

the program

must be such that any nesting of '~ITH R .... " e~m~nds, with distinct R's, must agree with the declaration nesting of the R's. lation we must add that, in '~ITH R DO C", for the same

R.

C

For our traD~-

must not contain '%rITH R ... "

Also the check must be more sophisticated in presence

of procedures, but can still be done by flow-analysis techniques. Now we can fozmally state d e a d l o c k - f r ~ If ~C~ ~ ie

B

for

C

as follc~:

is a cc~piete derivation (§4°4),

B ~ N I L , then

s = r~

for sc~e

r.

(C does not 'die' without signalling cfmpletion at

~).

Hen

the c~spile-

time check is satisfied, it should be ixgssible to prove this property of o~s~mxis (or a stronger property which implies it) by induction on their structure, though we have not done it.

But first we would have to remove

a simple source of deadlock - narely the attempt to use an unassigned variable.

This can be done by, for exanlole, respecifying ~VAR X~ = R~Gx(0)

(not LOC X) .

The proof would be a lot easier without procedures.

CHAPTER i0

D e t e r ' nacy~ and ~Confluence

iO. 1

Discussion In CCS, non-determinate behaviours

are the rule rather than the exception.

(in sane sense of detexminacy) The outcome - or even the

capability - of future observations may not be predictable, partly because the order of two interdependent internal cc~munications may affect it, and partly because of the presence of two or more identical guards in a sum of guards (e.g. ~.B I + T.B 2

or

~.B I + ~.B 2) .

Nevertheless, we would probably classify almost all our case-studies as detezndnate in same sense;

the exception is the root-fLndJmg algorithm

of Chapter 4, where the root found depends upon the relative speeds of cc~current function evaluations. In this chapter we make precise a notion of Determinacy, and a related ccncept Confluence, and show that a certain easily d~aracterized subclass of behaviour programs is guaranteed to be determinate. also admits a sir~ple proof technique.

This class

It is not a trivial class;

for

example, the Scheduling system of Chapter 3 falls within it, and in §10.5 we complete its correctness proof using the special technique. In this Chapter we shall for sinplicity revert to pure synchronizaticn; that is, no variables or value expressions in guards.

The results here

probably generalise s~oothly to full 0CS but we have not studied it. As a first approximatien, one may think it enough determinate if, whenever are equivalent (e.g. B2

to be determinate.

B I B1

~ or ~ );

and

B +I B2

k, then

of course we would again require

But this is not enough;

also hold, irsplying that the capability of a though the outoome is:

for same

to say that

for example

B

BI B1

B +T NIL

is and

B2

and may

l-experiment is not detezmined -

This motivates our definition of ccnfluence.

We

shall treat noticns of streng confluence and strong dete/mlinacy (so called because they are allied to strc~g equivalence) in detail first - they will be enough to give us the results we need here - and later we outline a more general notion which is allied to observation equivalence.

139

10.2

Stron~ confluence Our notion of strcng confluence will not imply d e ~ a c y

sense of the last section.

in the

We separate it from d e ~ c y

because, by

itself, it ir~plies a property of programs which supports our proof technique.

But d e ~ a c y

will be needed as well when we show that all

programs written in a certain derived ~alculus of

CCS

are ccnfluent and

therefore admit the technique. The following proposition can be read as a definiticn of strong ccnfluence, except that it 'defines' the property in terms of itself: Proposition i0. ! (i) Whenever

The behaviour program A ~+B

o_~rthere exist D~E

A ~+C

and

E

is strongly confluent iff

then either such that

u =v

and

B v+ D, C ~+E

B~C and

.

(ii) Whenever Proof:

and D

A

A ~+ B , B is strongly confluent.

Immediate frc~n the definition to follow.

We may picture condition (i) as B

implies either

~ = v

&

B~C

or

~ C

C

Such diagrams will be useful in proofs. two possibilities; and

A ~ C

V~D

B

the case

B~C

Note that if

are essentially the "same action".

we have

~ = • ; A ~+ B

A ~+ B

Our definition of

detexmdnacy will demand that this must be the case for do not want to demand this for

u = v

represents intuitively that

and

~ e A , but we

A T+ C

may arise,

for example, fram two different internal ccmmunicaticns. Now for our fozmal definition. sequenoe of properties for

k >- 0 .

As usual, we have to resort to a

140

Definition A

A

is always

strc~ly O-oonfluent

is strongl [ (k + 1 ) -confluent

iff

B~D O_Z . ). C~E

B

(i)

~

iuplies either

~ = ~ and

B~C

C

for some (ii)

A ~+ B

D

and

implies

E ; B

strongly k-confluent.

is strcm~ly ccnfluent

A

iff it is strongly k-confluent for all

k-> O.

Let us abbreviate "strongly confluent", "strongly k-ccnfluent" by SC, SC k

respectively.

We first want to know that SC is a property of strong

equivalence classes, not just of progr~as. Proposition 10.2 Proof A'

If

A

is

SC

We show by induction on is

and at

~

.

k+l

At

k=O

ass~ue

and k

A~A '

that if

A

so is

for sane

A'

is

~k

is SC. and

there is nothing to prove.

A

is

~+I

and

B ;

but

B

is

A~A'

Assurae at

then k ,

A~A'.

For part (ii) of the definition, if A ~ B~B'

then

A' ~ B'

then by Theore~ 5.6

~-k' hence by inductive hypothesis

B' . For part (i) , stppose B ! S !

u S U ..-~ B

A ,/

A' I-,i A /

, yielding for some B,C

C!

~nen (since or

A

for some

D,E

B'

C'

is

~+1 and

) either

~=~

and

B~C,

D' ,E'

~" D' B

~ D

C

P > E P > E'

•

B'

~ > D'

C'

~ > E'

so

so

B'~C'

,

141 c

However, SC is not preserved by c ~

~.~.NIL + 6.~.HIL while the first is

z

or

~ ;

for example

~.6.NIL + B.T.~.NIL

SC, the second is not.

We take up this question

later. For our main property of SC we first need a lemma to do with longer derivaticns. B

Lesma iO.3

If

A

is

and

SC

A

~

then

/.l

either

~ = ~i (some i) and

H

2

C

Proof At

By induction on

n+l

n .

For n = O ,

C

C

is

A

and take

~E

D,E

to be

we have

Af B ~ A

so either or

~=HI

and

~2" "~-

A1 ~ B , whence

B

2 ""u n+

(first case of inductive hypothesis for A I)

B

A

~I

.I>D~ C

by Theorem 5.6,

~=~i

(i>2)

~2" "Wi-l~i+l" ' "~n+l>D

~B i

B f2" "~i-lUi+l ' "~n+l > D' 2"" "~n+l

> C

and

B.

142

finding first then

B ,B'

since

A

is

SC , then

D'

since

SC,

A 1 is

D , or (second case of inductive hypothesis)

PJ[

B

]~2" • "Pn+l

>B I

A

> D

B' ~2"°'~n+l

A

..~n+l ~ C

~ D'

~ ~E

Now we can deduce our main property as an important special case. Theorem iO. 4

(Strcng Confluence).

If

A

is

SC

and

A-~ B

then

A=B.

Proof

We show that if

on

k.

Trivial at

SC

and

(i)

A

is

and

A-~B k,

then

and at

A Zk B, k+l

by induction

ass~ne

A

is

A-~ B.

If

B~B'

clearly

(ii) Let

A~A'.

either

B~B'

A~B'

or

B~

B',

B'

A' T~A"

In the second case, since inductive hypothesis; A' ~k B'

also.

Then frcm L~lua 10.3 we have, for sane

A'

case

SC

k--0; asstnne it at

but

A' ~

is

SC

implies

(Proposition iO.!), Zk

(Theorem 7.2)

A' =kA'' by so in either

as required.

The usefulness of the Strong Confluence Theorem is simply this: program find a

A B

a

may admit many actions, and so may its derivatives, but to such that

A~B

we need only follow an e-derivation (a sequence

of z-actions ) starting frcm A,

provided we know

A

to be

SC.

To follow all other derivaticns (as, in effect, the Expansion Theorem would do when repeatedly applied to

A, ~,...)

would often be heavy

work - and is unnecessary in this case. In the next section we illustrate this saving on a toy example, which we ass~ne to be confluent (later it will be seen to be so on general grounds).

But we first need to define a class of derived behaviour

operations, called ommposite action.

143 iO. 3 C c ~ i t e

9uards, and the use of cc~fluence

For ~ i ~ A u {T}, (~lJ..-J~n) is a c c ~ s i t e guard (n_>l) whose actions are given as follows, in the style of §5.3 (see Exercise 10.2, end of §10.4, for richer czm~posite guards): n>l

(Z1 j...j~n ) . B ~

n=l

(~I).B,I~B

(~1 j...l~i_lj~i~I...j~n ).B for each

i,

1 _
Fram this it is easy to deduce the following strong equivalences: Proposition 10.5 (I)

(~i).B~ ~I.B

(2) For n>l,

(~lj...Jun).B~

(3) For any penmutatic~ Proof

p

~ Ui'(Pl I'''j~i-II~i+Ij'''I~n)'B i_< i_
of

{i .... ,n}, (~lJ...I~n).B~(~p(1)J...l~p(n)).B

Omitted.

For example (~JsJy).B~a. (SIy).B + 8. (~Iy).B + y.(~JS).B~ (~jyJa).B; it just means that ~ ,8,7 can be done in any order. Note that we do not require

when

~I'""" '~n to be distinct.

In same proofs it is o0nvenient to define n=0.

(~lJ...J~n).A to be A,

We now want to examine the toy system built fram the cycler of

"

2

S %

! \

Exercise 2.7; notice that are cycling anticlockwise.

cI

is cycling clockwise, while

c 2 and c 3

Before going further you might try to guess

its behaviour (as the author d~d, for five minutes, and got it wrong).

144

~

We have

c I 4= ~1.~.~.Cl

Y

c2

c a 4= ~ 3 . y . 6 . c 3

and

s is (cIIc21c3)\A. (A={S,~,~}) We asst~ne S

strongly confluent.

Nc~ by expansion

S~al.S23 + e2.S13 + ~3.S12 where S23 is (8.6.clIc21c3)\A,

s13 is (c11LY.c21c3)XA and

s12 is (cllc21~.~.%)\A.

By expansion again,

$23 ~c~2.S 3 + ~3.$2 ~lere

$3 is (S.~.c11L~.c21%)XA

and

S

2 is

(~.~.51c219.~.%)\A,

S13~~I.$3 + ~3.$1 where and

$1

is (cI ILY.c 2 l{.~.c3)\A,

S12 ~ ~1"$2 + a2 "$1"

Now we need to consider S 0 where S O

is (8.~.ClIS.Y.c218.~.c3)\A ,

and we find

so & (~.cI j~.c 2 I~.L%)\ A

(6.clJc2 IL%)\ As

(t)

whence by confluence S0 = S. S 1 ~ al.S0

Also

(by Expansion) ~ al.S,

S2 ~ ~2"S0 ~ a2"S ~hile for S

3

we have s~ething different:

2

145

s 3 A (~.c11y.c21c3)\A ~a3.(6.ClIY.C21~.~.c3)\A ~3"S

by Expansion

by the same derivation as for

whence by confluence

SO

above,

S 3 ~ a3.S.

So finally we get

sl 2 c (%1%).s

,

sl 3 c (%1%).s

,

s2 3 c (%1%).s

and at last s

c

(~l~21~p.s

which specifies our system.

It was only at

(%)

that we were able to

ignore other actions in following a c-derivation, but such opportunities will abound in even slightly bigger systems. Here, we used oampf~ite actions only to abbreviate expressions which we obtained.

Later, we will see that ccmi0osite guarding prese~Jes confluence.

One final r~mark:

in the above calculaticn we were careful only to asstm~

strong confluance of valent to the~.

S,

its derivatives, and expressions strongly equi-

All this is justified by Propositifms IO.i and 10.2, but

we could well have wished to assume confluence of an expressicn which is only observation equivalent to scmething confluent.

As we said earlier,

observation equivalence does not preserve strcr~ oonfluence;

but it does

preserve a weaker form as we shall see, and fortunately Theorem i0.4 applies also to the w~aker fozm - so all is well. Exercise iO.i

Use ccnfluence to find the behaviour of other system%s with

the same shape as

S,

or as Exercise 2.7(i), but with different cycling

directions and/or different starting states (initial capabilities). Is the disjoiner about the behaviour

s

d

of Exercise 2.7 strongly confluent? in Exercise 2.7 (ii)?

What

146

10.4

Stron~ determinacy;

Confluent Detexminate

CCS

The natural definition of detexaiinacy is as follows: Definition

Let

~ ~ A, and let A

l-determinate

be a program.

(I-SD) iff for all

k

A

is

Then A

is strongly

strongly l-k-detemainate

(l-SDk) , where: Every A A

is

is

I-SD0;

I-SDk+I

iff

(i)

implies

B~ C

"~ " C

(ii) A--~B Definition

inplies

A

all IEA.

is A

B

is

strongly

I-SDk. k-detemainate

(S~)

iff it is

is strpn~ly determinate (SD) iff it is

l-detenainacy for partian/lar l consider determinacy for all

SDk

l - S ~ for for all ko

may have some use, but we will only

I.

Proposition io. 6 A

is l

(i)

SD

iff

B

A ~

inplies

B~C ;

C (ii) A-~)B Proof

~lies

B

is

SD.

Immediate.

As usual, we have had to make an inductive definition and then prove a more usable property. equivalence classes: Proposition iO.7 Proof

We also have that

If A ~ A ' and A

SD,

is a property of strong

them so is A'.

Analogous to Proposition 10.2 but simpler.

We use the abbreviation •

l!

and strongly (k-)determinate. preserve

is

SD

SCD,

SCD

(~)

for "strongly (k-)cx~nfluent

We look for behaviour operations which

and first eliminate same which do not.

147 Clearly both

~.NIL

and

~.NILI~.S.NIL~ is not

SD,

since

except when and

=.(~.S.NIL)

are SCD,

are

SCD,

and

but

+ =. (~ I6) .NIL

~.B.NIL + (~IB).NIL.

BI:L i, B2:L 2

e.6.NIL

~.B.NIL

We shall have to forbid

L I nL2=~.

BIIB 2

But this is not enough;

~.NIL

but

~.NILIe.8.NIL ~ T.B.NIL + ~. (s.6.NIL) + ..... is not the

SC,

since

8.NIL~B

is ~possible.

The problem here is that

~-action of ~.NIL may be observed either by

~.8.NIL or externally.

In effect (thinking of pictures) we shall have to prevent the sharing of ports, i.e. cne port supporting two links. In s~mazy, we will forbid

BIIB2,

but allow

BI:L 1 , B2:L 2 , L 1 n L2=~; we may call this operation (rd = "restricted disjoint"). (Note:

BII IB2 when rd-ec~sition

we have mostly avoided the operaticn II, and indeed its definition

needs sQme care.

Precisely, it is given by

BII ]B2 = (BIIB2)\A

where

A = names (L(BI) n L(B2) ) ; we can get a different result if we take A = nanes (Ll n.L 2) for arbitrary sorts LI,L 2 B2:L 2.

for which

BI:L i and

Strictly therefore, in each use of If we should make explicit the

names which are restricted;

but in most cases these will be implied by the

sorts of the argument expressions. ) Also we will forbid

B 1 + B 2 (see remark in §iO.i) but allow

(ull...Ipn).B,

ccmposite guarding, which includes (simple) guarding as a special case. We denote by Inaction(NIL),

~site

Relabelling; §10.5

the derived calculus whose operaticns are: Action,

rd-Cc~sition,

we now show that every

DCCS

Restriction and

program is

SCD.

(Skip to

if you are not interested in the proof.)

Propositicn 10.8 the properties Proof

DCCS

Clearly

Inacticn, Restricticn and Relabelling preserve both

~

and

SDk,

is

SC~.

NIL

for all

k.

Let us just prove that if A

so is A\~; the r~mainder are equally simple. on k, suppose A is S ~ + 1 and ~ A\~/

B\ e ,

C\~

B SO

A "~2

"~C

is

~,

For the inductive step

148 Then either and E,

~=~

and B~C,

whence B\~~C\~

B-~D , so also

[

C\a~--~E\~

(We have of ~o~rse used that ~ Also if A\m-~B\~ is

for same D

B~-~D\~

C~--~E

~

also, or

since ~,~j ~{~,~},

is a cc~gruence, Theorem 5.4).

then A~--~B, so B

is

S ~ , whence also (by induction)

s c k.

For Cc,~9osite A c t i o n we can p r o v e more (which we need i n h a n d l i n g recursion later), namely that an n-ccmpcment guard raises the level of SC and SD by

n:

Propositic~ 10.9

If A

is

~

(respectively S~)

~ k + n (respectively SDk+n). Proof

By induction on n,

for fixed k.

(~I I.-. IPn) .A is just A

prove, sinoe

there is nothing to

in this case.

Now let A'

and let us show that A'

(~11... [~n+l) .A, Assume

For n =0

be

is ~ken+l"

~' A,/

~c' Then ~,~E {u1,...,un+l }. Either ~--~' = ~n+i say, and B' , C' are both (ulI...I~n).A up to a pe~mutaticn of the guard, whence B' ~C' by Proposit/~n 10.5(3),

or ~--~n' ~=~n+l say,

and then

B'

A,Y

N~-.~

(Zlt...[Un

1 )'A

i s (~11 • • • I~n) .A which i s

Also, if A' ~-~B' the_~ P =~n+i say, and B'

~+n by inductivehypothesis, Hence A' SD part to the reader.

is

~-ken+l "

We l e a v e t h e

149

Corollar~, i0.iO

If A

(pll...l~n).A Proof

~ t e ,

is ~

is ~ + 1

(resp. SDk)

and n ->1 , then

(resp. SDk+I).

since ~ + n

implies

SCk+i

Thus far, the operations preserve SC

if n-> I .

and SD

separately.

can only show that

rd-Camposition preserves them tcgether.

~sition

If A 1

iO.ii

L In L2 = ~ ' then A IlIA2

Proof

and A 2 are ~ , is

with AI:L1,A2:L2 and

SCDk .

Take the inductive step; assume A 1 ,A2

f~st that A ill ~2

is

We

SCk+ i .

are S C ~ + I and show

Suppose

AitiA2~ %~nere are essentially four cases: (i) B

is B III ~ , C

is ~II C 2 (an ~

action), and

Blil ;~

A Bi

A2.~ ~ C2

(ii) B is

action and an ~

~ II c =~~

, yielding

BIlIA 2,

C is

Cll I A 2

(two

A1

B1II c2

acticr, s ) ,

and

/

C1 Then either

U=

v

and

B 1 ~ C1

, ,¢nence also

B1 II

~ ~ c~ 11 N

, or

150

(±i±) B is Bll I ~, ~ ='~, c is c111;'2 (a c~,~,onication and

an

action), and

A2---~ B 2

and

(I ~ L 1 n ['2 )

C1

v ~t

But then

II;`2~ c

, since

is impossible.

Hence

Bill B2~o111 B2

Bi--~ D 1 I Z C i--~ E 1

(iv) B

is

, whence also

ci11 ~Ellt

B ljl B 2, C is

C III C 2,

al

~ =v=T

have

(two ccmmunications), and

A2 4 <

(l,l' ~ h ~ L2) C2

C1 If

l=l'

then

B2

l=l'

also, and since

AI,~

are

SDk+ I

we must

BIll B 2 ~ CIN C 2 .

B 1 ~ C 1 , B 2 ~ C 2, whence also

Otherwise

B ~a 1

II

B ~D 2

and

el& ~i

12, whence

we need determinacy of

To camplete the SC part : B. l is

is either ~k

and

A. l S~,

ci II c2~ E~ 11~,2

c ~ ~2

Only in the fourth case ~

or a so

Blt I B2~Dll t D2

~-

if

A IlIA 2~-~B Ill B 2

or

A 1, A2 .

then, for

l-derivative of

SCDk, so by induction

A. , hence l Bll I B 2 is also

SCD k . For the SD part it only remains to show that

implies

hll ;`2. 1 C

B~C

i = 1,2

(l e A).

151

Now either both actions are frcrn ~ Lln L 2 = ¢

or both frGm A2, since

(our first use of disjointness).

In the first case

BI , whence AI~

B I ~ C I , whence

B(i.e. BIII ~ ) ~ C ( i . e .

CI!IA2).

C1

Similarly in the second case.

It remains to show that defLnition by recursion in DCCS guarantees that the behaviour identifiers are SCD.

Prop. 10.12 Proof.

Every behaviour identifier

By induction on

the definition b

k .

b0~= ~ 0

b

in

DCCS is ~ I ~

By guarded well-definedness,

for all

k.

(§5.4),

may be expanded (by substituting

~

for any

where necessary) until every behaviour identifier is guarded.

Fozmally, we apply KSnig's l~mma to find b0 ~ containing no

b

we deduce that

B'bo

unguarded. B' b

Assuming then that every

is SCDk+ I frcm

the latter being c-zO0cial in raising

k

is

SCDk ,

Props 10.8, i0.Ii and Cor IO.iOto

k+ ! .

and similarly each other behaviour identifier Exercise 10.2

b

-

It follows that

b0

is SCDk+ I .

We can also allow guard sequences in cfmposite guards,

e.g. (~.8)Iv or even

(a.(BI7)) !8 .

%Zqese still preserve SCD.

Prove the analogue of Prop 10.9 and Cor iO.iO for ccmposite guards defined as follows: (i) (ii)

is a ccrgposite guard If

gl,...,gn (gl'''''gn)

are composite guards (n>-l), so are and

(g!l...Ign).

152

10.5

Proof in DC~S;

the scheduler a~ain

We are interested in systems definable in DCCS. of ~IO.3 is an exanple; system

S

each

ci

The t~! system

there is defined in DCCS, and the

is also definable in DOCS by

c 1 !1 c 2 II c 3 Of course we were a b l e t o use t h e fozm S ~ (CllC21C3)\A p r e s e r v e s SCD, and a l s o a r e DCCS e x p r e s s i c r s ,

S ~ Sl "$23 + e2"S13 + e3"$12 ;

but the faithfulness

of

~

since

neither of these

t o SCD j u s t i f i e s

use i n t h e p r o o f . Let us return to the scheduler problem of

§3.1 ;

wehad

[ c ~ ~.~.c~l~).c l and defining

I'C'I'~ C[O~.8,'/,~._./c~6"f~] J. ~. ~. J.-~.L

I i

I

we get

I

(*)

c i ~ "~i.~i • ~'iI%.+~).% We also had

s~

~= (slc~l

....

Ic)\-q...Vr

n

and the second part of our specification demanded Sch NOW

-

II ( n ~

j~l 3

I = ~)= j~l 3

sc~ = ~-(~I Now we may define, for

(i)

(~181)~

getting rid of the start button

-

we have

;2)-%11 c211 .--II c 2_<j<_n

i°i whence easily c'

~

-

3 YJ "T'(wlYj+l) We shall show, then, that

.c'

(*)

3

Sch I • ~l.gl.SCh 1 (ccmioare equation

~

(2) in §3~4, and note the remarks there)

where

I s~1~--~1"%J~2)'cltlc~ jj'"lien I

(2)

their

t53

Clearly Sch I = the left side of equation (i) above. our definitions - in boxes above - are in DCCS.

Notice that all

Since SCD is a property

of ~ equivalence classes, we can use the equivalences (*) freely.

SChl ~

;1" ((~1l~2) "cllJ

c~ll

.... 11%)

and

(81t~'2)-allt

c~ll ... li cA 3

~1"el H V3-%110;II .... 11c n --~> ~1-eiII ~11%11 • ~

clJ 1%11' • • - tl

while

.11%_¢11 ~,.%

(*)

~1 • (c I ll c~ Ii .... li C'n_ ~ II "71.% ) c n_1 II

~1-"%'

P u t t i n g t h i s t o g e t h e r , u s i n g Theorem 10.4 and known p r o p e r t i e s o f we g e t Sd~1 = ~l.t~l.SCh

= ,

as r e q u i r e d .

The crucial part was the long --~> derivation (%) in which the action could be persistently ignored;

~I

without SCD we would have had to

deal with this action by absorption, as we did for the first part of the scheduler specification in §3.4. One point is worth noting. easily get

Thus SCD in effect guarantees absorption. From

c'.3 ~ 7j .T. (T 1-79+1) .c'.3 we can

c'. 3 ~ 7j .Yj+l.C~ ' , and this transformation would slightly

clarify our proof.

But we don't know that SCD is preserved by

(in fact we knew it is not, in general).

Our proofs will therefore

be less delicate when we have a weaker property OCD which is preserved by

m , and which also allows a version of %~neorem iO. 4.

We n ~

turn to

this question.

i0.6

Observation Confluence and Determinacy How should we arrive at a property OCT), weaker than SCD but supporting our proof method (based on Theore~ IO. 4) and preserved by de~c~,

we would probably look at

~ ?

For

IS4

imp~es

At c as a possibility.

But the use of

~--~ will prevent preservation of

; you will see this if you try diagrams as in

this property by Prop. 10.2.

B=C

So we might try ~

B

implies

B ~ C

This is closer to what we will adopt, but notice that it already entails a sort of confluence, for if whence

B~B'

B ~-~B' then we would have

(this is because

A~B'

B'= C

also,

also holds) .

Since we want to harmonize with our definition of ~ we do wish to use

~

rather than --> ;

if we cannot separate detemniD~cy from confluence

then a definition which covers both seems necessary. with

~

(s e A*)

rather than just ~

We should also deal

(k E A).

What should confluence say about r

B

A~//~s

,

r,s e A*

?

C It should imply sane oa,,~mtativity of observations, in so far as differ; of

s

B

r

and

s

should admit an abservation which is in scme sense the excess

over

r , written

s/r , and

C

should admit

r/s , in such a w a y

that the two results are suitably related:

r

B~D

B

iolies

r/%E c

we shall need to adjust "~" slightly, but first we define we get it by working through

r

frQm left to right, deleting in r

any symbol which occurs in (what remains of) s . by a pemT~tation of

r/s .

~hus

s , but depends upon the order of

r/s r .

Intuitively andin

is unchanged

s

155

Definition

For

r, s e A* , r/s, the excess of

r

over

s

is given recursivelyby g/S

~-

E

(l.r)/s =

Exar~oles:

r

i. (r/s)

if

r/(s/l)

otherwise .

s

1

r/s

is not in

s/r

We list some of the properties of "/" without proof (we write to mean

is a pe/m~tation of

r

(i) If

r

(ii) If

s

s

then

s'

~

r/s = s/r = e .

then

r/s = r/s', s/r

(iii) If

r

(iv) If

r

s

and r/s = r

pe~n

have no ~ •

perm

r

s) :

s/r:

s

ss' , then

s'/r.

in common then .

r/s

~

s'

and

s/r

~

~

(V) r. (s/r) pezm s. (r/s). (vi) r/sls 2 = (r/s I)/s 2 ,

rlr2/s = (rl/s) . (r2/(s/rl) ) .

There are many others, scme needed in proving the propositions below, but we will not give those proofs here. We now define OCD by a sequence { ~ Definition. A

is

A

is always OCD

0CDk+ I

; k>_O} :

o

iff B

(i)

A y

~iies

I~k for sc~e C r/s> E

implies

B

%c (ii) A

is

C~D

A

r> B

iff it is

Note the use of preserves OCD.

~

rather than

for all ~

;

is

D,E ;

0CD k

k>O. this is essential in showing that

156

Thus if

is

A

OCD

we have for each

k, for example:

C

B ---~.D (determinacy)

A ~r

;

C C

B ~ D A U Ba

implies

~k E

C ~

;

S

s

B ~ D

B

Ilk C =-~ E

implies

r

;

B .,s D

B

/rs

in,plies

C~E

The following results hold: Proposition!O.13 IExercise 10.3. then

A'

If

A

is

Prove this

is

0CD

and

by showing

A ~ A ' then

that if

A

is

A'

is

OCD k

OCD. and

A ~2kA'

OCD k . g

Theorem 10.14 (Confluence) proof

we show it for

asst~ne A (i) If

is

0(3)

B ~B'

If

~k

A

is

0CD

and

by induction Qn

A ~ B

k .

then

A ~ B.

For the inductive step,

S

and

A .........-'- B .

, then clearly

s

A

~B

,

also.

s

(ii)

If

A

>A'

then,

because

A

is

0CD,

s

B~B'

~k

for scme

B', C

E

A' ===~C But

A'

is

OCD, so by induction

Proposition iO.15

If

A

is

SCD

A' ~k C , whence

A' ~k B'

then it is OCD.

Frc~ this we immediately know that DCCS, and anything is

OCDo

as required.

~

to a DCCS program w

Although these facts do not imply it immediately, we also have

Prc~osition 10.16

The operations of DCCS all preserve the propel-ty OCD.

157

Two remarks should be made.

First, we do not know of any derived

calculus of CCS whose programs are all OCD but not all SCD.

It would be

very interesting to find one, particularly if it contained systems which are intuitively dete_~ninate in scme sedge, like earlier case-studies in these notes, but cannot be expressed in DCCS.

First of course we would

want to extend the present notions, and DCCS, to allow value-passingo Second, the reader may wonder why we introduced SCD at all, since CCD has the property which we used in proofs and preserves has the advantage that it is a property of behaviours not only of programs.

~

;

OCD

( ~ congruence classes),

The reason is partly technical;

the crucial property

of SCD (Cot iO.iO), which provided for recursively defined be/laviours in DCCS, cannot be established for OCD.

Also of course the stronger notion

may yield stronger methods. In conclusion:

we have found a derived calculus of CCS which possesses

an interesting property, and it is possible that other derived calculi may be found with useful properties.

For confluence and detensainacy, there is

a strong connection - still to be ~_xplored - with notions in Petri's Net Theory, particularly the notions of (absence of) Conflict and Confusion and the subclass of nets called Marked Graphs ECoH]. explored confluence in various settings.

to be the Church-Rosser theorem for the l-calculus; are discussed by Rosen [Ros] .

~-->and

Church-Rosser properties

Huet [Hue] studied conditions under which

tezm-rewriting systems are confluent; our r~riting relaticns

Other authors have

The origin of the idea appears

s

the principal difference here is that

are indexed by labels and sequences.

Keller [Kel] introduces a confluence notion into parallel oc~putatiOn~ his rewriting relations are inde~xed, but his definition of confluence does not exploit the i n ~ _ n g . The author's impression is that confluence is a deep notion which (as with most deep notions) manifests itself very differently in different fozn~al or mathematical settings° it scrne new clothes°

We have not invented it, but only found

CHAPTER

ii

Conclusion

ii.i

What has been achieved? We hope to have shown that our calculus is based on few and simple

ideas, that it allows us to describe succinctly and to manipulate a wide variety of cc~puting agents, that it offers rich and various proof tec~miques, that it underlies and explains some concurrent progrannair~ concepts, and that it allows the precise formulation of questions which remain to be answered (e.g. which equivalence

relation to e~ploy).

also appears to have some intrinsic mathematical interest.

It

Thus we

claim to have achieved, to scme extent, the aims of articulacy and conceptual unity expressed in Chapter O. In the next few sections we examine CCS critically in one or two respects; arise very clearly.

(though briefly)

in doing so same suggestions for further work

In the final section we propose same other directions

for the future.

11.2 I s CCS a programming language? It is not universally agreed what qualifications justify the title "programming language".

Let us try to examine CCS critically with respect

to sc~e possible qualifications. First, we have not said how to inpler~hnt it on a cc~puter (with one or many processors).

Inlolementation of concurrent progrars raises a host

of difficult questions.

To start with, such a program is often (at least

in our case) non-determinate;

should its '~plen~ntation'

be able to

follow any possible execution, by having the power to toss a coin frcm time to time or by using a machine whose parts run at unpredictable relative speeds?

Or is it more correct to talk of, not a single implen,en-

tation, but a set of inlol~nentations for each program, each implementation being deteaminate? Again, would one allow an ir~plementation which is, if not sequential, conducted under same

centralised control?

~his would be rather unsatisfactory,

since the calculus is designed to express heterarchy among concurrently

159

active omponents.

But since it can express systems which generate

unboundedly many such ecr~ponents, it is natural to expect an impler~mtation

to administer (not necessarily in a hierarchic manner) the

allocation of a fixed nunber of processors in executing the cc~ponents. An implementation problem arises, even with CCS programs with a fixed number of o o n ~ t processors to go round.

~ t s ,

and even if there are enough

In the general case where the components are

arbitrarily linked and where each one may have at ead% rfcment an arbitrary set of (rmmunication capabilities, our primitive notion of synchronised ccmarmication does not admit direct realisation by hardware (at least by current techniques) as far as the author knows.

Jerry Schwarz [Sch] has

exposed the difficulty and proposed a solution, which can indeed became simple in special cases but is not so in g~neral.

So

CCS

does not (yet)

have the property that its primitives have primitive realisatioD~.

We

claim rather to have found a communication primitive which allows other disciplines of o~m~nication

(e.g. by shared variables, or by bounded or

unbounded buffers) to be defined, and which can be handled mathematically. There is no

a priori reason that any such primitive should also be

simple to realise.

But we may cc~oare the primitives of the l-calculus

(functional abstraction and application), ccmbinators and combination) ;

or of cc~binatory logic (the

ten years ago these may have beem thought

to require very indirect realisation,

even via software, but they are

now being realised directly by hardware. Let us look at another qualification usually expected of a practical programling language.

It should not only have a powerful and not too

redundent set of constructs, but should also encourage disciplined and lucid programming.

This can mean that its constructs are conceptually

rather non-primitive;

consider the sophisticated array manipulations of

ALGOL 68, or - closer to concurrency - the mcnitors of Hoare.

On the

other hand a calculus, as distinct from a programming language, should oontain only a small set of conceptually primitive constructs (it will be hard to theorize about it otherwise), and should remain largely i~partial with respect to design decisions which aim at 'good' progranming.

Then the calculus can serve as a basis for defining practical

languages, or for building practical hardware configurations. one cannot distinguish sharply between the aims of

Of course

~nceptual parsimony

and practical utility, but it is fairly certain that a language for

180

writing good large programs will itself be too large to serve as a theoretical tool, and its design may well be motivated by current inpl~tation

techniques;

when these change it can grow obsolete.

Returning to the l-calculus as a prime example, it is now widely accepted as a mediL~n which can be used to define and discuss sequential algorithms, and richer languages for them.

Although CC~ is not as small and

simple, it is intended as a step towards such a mediu~n for concurrent syst~ns.

We also hope to have shown that at least sane concurrent

systems can be expressed lucidly in CCS;

perhaps this is because it

is not yet small enough:

ii. 3

Tne question of fairness In texms of CCS we may state a property, which is arguably a

property of real syst~rs and should therefore be reflected in a model: if an agent persistently offers an experLTent, and if an observer persistently attempts it, then it will eventually succeed.

A model

which reflects this property is scmetimes called fair.

CCS

Is

fair?

Consider the program B = T~II.NIL, The only actions of S So

B

B

where

T~

may be defined by

T.b

are

l~>y~ I NIL

and

B ~-/-~B 0

has no E-derivative which does not offer a

may plausibly be taken to mean that

B

l-experiment;

this

persistently offers the emperiment.

Now if we consider only the derivations of tion

b~

B,

the infinite deriva-

B T > suggests that the ezq~riment is not bound to succeed even if

attested by an observer;

hence we may choose to infer that CCS is not

fair. On the other hand if we consider observation equivalence, we can easily deduce B ~ ~ .NIL

and we argued in Chapter 1 that if an agent offers an e x p e r ~ t

and

has no alternative action - as here I.NIL has no alternative to its offer of an l ~ i m e n t is bound to succeed.

- then an observer's attempt at the experiment It therefore see~s that the insensitivity of

to infinite unobservable action makes CCS fair, at least for this one example.

This is slightly strengthened by noticing that the agents

161

B I = 1.NIL + ~ ,

B 2 = 1.NIL + T(I.NIL + T ~), ...

which do not persistently offer a l-experiment, are not equivalent to

B

(though all equivalent to each other). Indeed, we may tentatively foz~alise for arbitrary Definition

B

"B persistently offers

I"

as follows:

B must I

iff

B

~B'

i~plies ~B".B'

I ;~B" .

%~nen it is easy to prove that B~C

~plies

~I.(B

must I ~. ~.-C

tin/st i)

showing that, under this definition, observation equivalence respects the persistence or ncn-pexsiste~nce of offers. But this is very far from a demonstration that CCS is fair; for example, there are alternatives to the above definition, and a mud% more detailed investigation seems necessary to decide which is correct. Even if we could ccnclude that CCS is fair, with the present notion of observation equi%-alence, the the ~ k s

fact remains that other equivalences

(see

in §7.2) which respect the presence of infinite unobservable

action - and are therefore unfair in view of the above discussicn- may have other factors in their favour.

We must leave the question _open.

Other authors have focussed more directly on the fairness issue. Pnueli [Pnu i, 2], for example, shc~s how "eventually"

(closely allied

to fairness, as seen from the first paragraph of this section) can be represented in a temporal logic.

It would be interesting to combine

such a treatment with our algebraic methods.

ii. 4

The notion of behaviour 'Ibis work has been concerned throughout with e~pressing behaviour.

We have tried not to prejudge what a behaviour is, but rather regard it as a congruence by ccnsidering whid% expressions can be distinguished by observation.

At first we hoped this approad~ would lead us to cne obviously

best congruence relation, and entitle us to say that - within our chosen m~de of expression - we have defined behaviour. the discussion in §7.2

~s

has not transpired;

shows that there is still latitude for choioe in

the definition of observation equivalenoe, and same (though not all) of the choices induce different congruences. Hc~ever, we have provided a setting in which the latitude for choice is not embarrassingly great, and in which the consequences of each choice

162

can be examined. emerge. canonical

It is not improbable that a best choice will thus

Furthexmore, although the calculus itself cannot claim to be sinoe alternatives exist for the basic operations and their

derivational meaning, the sane approach to behaviour can be taken for many alternatives. Our methods should be contrasted

with what has often been

dQne in providing a denotational semantics for progr~ning languages, following the work of Scott and Strachey [SS].

The method - a very

fruitful one - is to define outright one or several ses~ntic dcmains, built frcm sinple dcmains by such standard means as Cartesian product, function space construction and (for nondeterminism)

a powerdcrnain

construction [Plo i, Stay]; then the semantic interpretation of phrases in these dQmains is specified by induction on phrase structure.

The

approach has given LTmemse insight, and yet it was found that the match between denotational and operational meaning was sQmetiu~s imperfect; this mismatch was first exposed by Plotkin for a typed k-calculus [Plo 2]. We found a mismatch again for the model of concurrent processes presented in [MM].

There is no reason to expect, a priors that an explicitly

presented denotational model will match the operational meaning;

the

latter should serve as a criterion for the correct denotational model, not vice versa (see also §0.4).

Of course, it would be satisfying to

find an explicit presentation of a model which does meet the criterion; this may entail extending our repertoire of dGmains and ~ / ~

construc-

tions, as found in [HP i] where so-called nondete~ministic dGmains and a tensor product is used. We can s~marise our approach, then, as an a t t e s ~ to calculate with behaviours without knowing what they are explicitly;

the calculations

are justified by operational meaning, and may help towards a better understanding - even an explicit fom~ulation - of a dc~ain of behaviours.

11.5

(i)

Directicns for further work In Chapter 9 ~e explained a simple high-level language in terms of CCS.

It will be interesting to see how far such languages can be

so explained, and how CCS may help in their design. in that ~hapter we ~ e d

For exanple,

an apparent deficiency of the calculus,

which could be r~r~ved if we allowed labels to be passed as values

163

in ~m~dnication. theory?

What effect would suc~ an extension have on our

And is the extension really necessary, or can we find a

way of simulating label-passing with CCS as it stands?

(An analogy

is that the l-calculus does not take the notions of rmm~ory and assignment as primitive, but can simulate them.) (ii) Although hardware devices can be described abstractly as in §8.2, it is not clear how to extend the calculus to deal with detailed timing ocnsiderations, or to bring it into hazm0ny with existing description methods which deal with timing. for hope here;

We have some grounds

for example, Luca Cardelli [Car] has recently con-

structed an algebra of analog processes (whose c ~ n i c a t i o n

signals

are time functions) and has shown it to be a Flow Algebra [Mil 2] that is, it satisfies the laws presented in Theorem 5.5.

However,

Flow Algebra deals only with our static operaticns (Cc~position, Restriction, Relabelling) and it is the dynamic operations (Action, S~mlmation) which are more c~mlitted to the idea of discreteness and synd~onisation in cuL,~nication.

I ~

not e~petent to judge

whether it is desirable, frcrn the engineering point of view, to build hardware ~ n e n t s

which realize these dynamic operations.

An

alternative may be to try to find a ccntinuous version of CCS, but how to de it is unclear. (iii) In Chapters 9 and i0 we were able to find two interesting derived calculi.

In particular DOCS, dete/mtix~te CCS, has ~

properties which facilitate proof.

simple

(Sinoe Chapter i0 was written,

Michael Sanderson has with little difficulty extended DCCS to allow value-passing.)

It is ~portant to isolate other subclasses of

behaviour, characterised by intuitively sin~le properties, and to find for any such subclass a derived calculus which can express only its mes~0ers. Of particular interest, for ~ l e , calculus of deadlock-free behaviours.

would be a

Again, it would be illuminating

to find that certain known models correslx~d to derived calculi; possible cases are Kahn/MacQueen networks of processes [KMQ], and the Data Flow model of Dennis et al [DFL]. (iv) As far as proof methods for CCS are cQncerned, we appear only to have made a beginning.

On the theoretical side, we should look

for cc~plete axic~atizations for subcalculi, where these are possible;

the results in [HM] and [HP 2] go scme way towards this.

184

On the more practical side, completeness (whidl may not be possible for the full calculus anyway) is less important than a repertoire powerful and manageable techniques. a few useful techniques;

In our examples we have found

in particular we found it useful to work

not just with congruence (c) but with equivalence (=) also, and this immediately suggests that other predicates of behaviour may be used with advantage.

Further, we often wish to show that an agent

meets an inc~splete specification, i.e. one whidl does not determine a unique ~ i o u r ; 3 and 8.

this was illustrated by the examples of Chapters

In these exanples the inczmplete specification could be

expressed within the tezn~ of CCS, and we weuld like

to discover

how far this is possible in general, and whether - when possible it is natural. More particularly, cc~cerning proof techniques, the question of recursive definitions and induction principles needs further study. For our definition of observation equivalence and congruence we are able to identify a class of recursive definiticns which possess unique solutions (up to

~

or

c );

see Exercise 7.7.

this class can be considerably widened.

We believe

It was this uniqueness

which allowed us to do certain proofs, e.g. the scheduler proof in Chapter 3, without appealing to any induction principle.

But

as we r~arked at the end of §7.5, we believe that the Cc~outation Induction principle of Scott will apply in the presence of a finer version of observation equivalence.

The strength of this principle

is that it works without assim~ing unique solutions of recursive definitions;

it allows us to deduce properties of least solutions

with respect to a partial ordering of behaviours.

But it remains

to be seen how inloortant the principle will be in practice;

moreover~

since the finer observation equivalence appears to be unfair (in the sense of §11.3) there is a delicate and difficult problem in relating proof theory to the conceptual correctness of the model. We are not discouraged by the emergence of this problem.

On the

contrary, we believe it to be intrinsic to concurrent computing, not merely a defect of our approach, and are rather pleased to see it emerge in a sharp fozm.

t65

(vi) Finally, and fundamentally, however successful we may ~

in

working within CCS, its primitive constructs deserve re-examination. Are they the smallest possible set?

Are other constructs

to express a richer class of behaviours?

needed

How can we relate Petri

Net Theory to the ideas of observaticn and synchrcr~zed c~mLunication? By repeatedly returning to such basic questions we may hope to get closer to an underlying theory for distributed ccmputation.

APPENDIX

Properties of congruence and equivalence ... §5.6

Direct equivalence Strong congruence

~.. §5.7

~

... §7.2

Cbservaticn equivalence c

Observation congruence

B-

C

implies B ~ C

implies

... §7.3

B C c

~lies

B=C

Observation congruence ,,c,, is also denoted by equality "=", though many laws (as their names indicate) hold for strong congruence "~" or even direct equivalence "_=". Except where indicated, the laws are those of Tneorers 5.3 and 5.5 generalised by Theor~n 5.7 .

Simmation Su~ - (i)

B1 + B2 = B2 + B1

(2) (3)

B 1 + (B2 + B 3) = (B1 + B2)+ B 3 B + NIL = B

(4)

B + B = B

Action Act _= ~ . B

= ~.B{y/x}

where

y

is a vector of distinct variables

not in B .

Ccr~0osition Cam = Let B and C be sL~s of guards.

%~en

BIC = [{g. ~' IC); g.B' a s~m~nd of B} + [{g.(BIC') ;

g.C' a s l m ~ n d of C}

+ [{y.(B'{E~}IC') ;

~x.B'a s~s~and of

B and ~ . C ' a simmand of C} + [{~.(B'IC'{F~}) ;

~ . B ' a sLm~and of

B and ax.C' a simm~nd of C} provided that in the first (second) ~ d no free variable of C (B) is bound by g.

... EX 5.2, Cor 7.6

167

Cam ~ (i)

BIIB 2 = B21B 1

(2)

BI(B21B 3) = (BIIB2) IB 3

(3)

BIN~=

B

Restriction Res - (i) (2) (3)

NIL\8 = NIL (B1 + B2)\6 = BI\ ~ + B2\8 (g.B)\8 = [NIL i f ~=name(g)

I g. (B\ 8 ) otherwise Res ~ (1)

B\~ = B (B:L, a% names (L))

(2)

B\a\6 = BkS\a

(3)

(B1 IB2)\a = BlXa tB2\~ (BI:LI,B2:L2: a~ nanes

(LinL2))

Relabelling Rel _= (1) (2) (3) Rel ~ (i)

NIL[S]

=

(BI + B 2)[S] = BI[S ] + B2[S ] (g.B)[S] = S(g). (B[S]) B[I]=

B

(I:L ÷ L the identity mapping)

(2)

B[S] = B[S']

(3)

B[S][S'] = B [ S % S ]

(4)

B[S]\6 = B\a[S]

(5)

(B1}B 2)[s] = BI[S ]IB2[S ]

(B:L and S~L = S'rL)

(8 = name (S (~)) )

Identifier Ide - Let b(x) 4== ~ ;

b(~.)

then

= Bb{~/~ }

Conditional Con _-- (i) (2)

I_fftrue then B 1 els___eeB 2 = B I if false then B 1 else B 2 = B 2

Unc~servable action T (I)

g.T.B = g.B

(2)

B + T.B = y.B

(3)

g. (B + T.C)+ g.C = g. (B + T.C)

(4)

B + r.(B + C) = T.(B + C)

1

... Theor~n 7.13 ... Cor. 7.14

168

Observation Equivaleno e (i)

B=T.B

... Prop_. 7.1

(2)

~ is preserved by all operations except + ... Theorem 7.3

(3)

B=C

~lies

(4)

B~C

i~plies g.B = g.C

B = C when B,C stable

... Prop. 7.11 ... Prop. 7.12 •.. Theore~ 5.8

Expansion Let B = (BI I.. • IBm) hA, where each B. is a sum of guards.

Then

I

B = [{g. ((BII... IBi' I... IBm)hA) ; g.B i

a summand of B i, name (g) %A}

+ [{~((B I •

1

~.B.~

°'"

IB' {E/x}I...IB~' I...IB~)\A); i

_~

a summand of B i, ~.Bj'

.i,

a stmmand

of Bj, i # j} provided that in the first term no free variable in ~ ( k

# i) is bound by g.

References (In these references, I/~CSn stands for Lecture Notes in Cc~puter Science, Vol n, Springer Verlag.) ~ril ]

P. Brinch Hansen, Operating Systems Principles, Prentice Hall, 1973.

[Bri2 ]

P. Brinch Hansen~ "Distributed processes; a concurrent programming concept", Ccmm. ACM 21, ii, 1978.

[Call]

Ro Campbell and A. Haben?ann, "The specification of process synchronization by Path Expressions", ~

[Car]

16, 1974.

L. Cardelli, "Analog Processes", To appear in Proc 9th MFCS, Poland, 1980.

[COIl]

F. Ccr~noner and A. Holt, "Marked directed graphs", JCSS 5, 1971.

[DFL]

J. Dennis, J. Fosseen and J. Linderman, "Data flew schemas", I/~CS 5, 1974.

[Dij ]

E. Dijkstra, "Guarded ccmnands, nondetexndnacy and formal derivation of programs", O3mm. A~4 18, 8, 1975.

[EBJ]

P. van Erode Boas and T. Janssen, "The impact of Frege's principle of ~ s i t i o n a l i t y

for the s~mantics of programming and natural

languages", Report 79-07, Dept. of Mathematics, University of Amsterdam, 1979. [~T]

H.J. Genrich, K. Lautenbach and P.S. Thiagarajan, "An overview of Net Theoryl; Proc. Advanced Course on General Net Theory of Processes and Systems, to appear in IxNCS, 1980.

[HAL]

C. Hewitt, G. Attardi and H.Liebezmann, "Specifying and proving properties of guardians for distributed systems", ~

[HM]

70, 1979.

M. Hennessy and R. Milner, "On observing nondetermini~ and concurrency", to be presented at 8th ICALP at Amsterdam, and appear in I/NCS, 1980.

[Hoal]

C.A.R. Hoare, "Towards a theory of parallel programming", in Operating Systems Techniques, Acaaemic Press, 1972.

[Hoa2]

C.A.R. Hoare, "Monitors: an operating system structuring concept", Cc~m. ACM 17, iO, 1974.

[Hoa3]

C.A.R. Hoare, "C~L,[mm_icating Sequential Processes", Comm. ACM 21, 8, 1978.

170

[HPI ]

M. Hennessy and G. Plotkin, "Full abstraction for a s ~ l e parallel progranmling language", Proc 8th MFCS, Czechoslovakia, INCS 74, 1979.

[HP2 ]

M. Hennessy and G. Plotkin, "A te~m model for CCS", to appear in Proc 9th MFCS, Poland, 1980.

[Hue ]

G. Huet, ,Confluent reductions: abstract properties and applications to term-rewriting syste~gs", Report No. 250, IRIA Laboria, Paris 1977.

[Kel ]

R. Keller, "A fundamental theorem of asynchronous parallel computation", Parallel Processing, ed. T.Y. Feng, Springer, 1975.

[KM0]

G. Kahn and D. MacQueen, "Coroutines and networks of parallel processes", Proc. IFIP Congress, North Holland, 1977.

Fmm]

H.T. Kung, "Synchronized and asynchronous algorithms" in Algorithms and Conlolexity, ed J.F. Traub, Academic Press, 1976.

[Mill ]

R. Milner, "Processes; a mathematical model of cc~puting agents", Proc Logic Colloquium '73, ed. Rose and Shepherdson, North Holland, 1973.

[Mil2]

R. Milr~__r, "Flowgraphs and flow algebras", J. AflM 26, 4, 1979.

[Mil3]

R. Milner, "Synthesis of ccmT~nicating behaviour", Proc 7th MFCS, Poland, I/NCS 64, 1978.

[Mil4]

R. Milner, "Algebras for communicating syst~ns", Report CSR-25-78, Cc~puter Science Dept., Edinburgh University, 1978.

[Mil5 ]

R. Milner, "An algebraic theory of synchronization", LNCS 67, 1979.

[Mln]

G. Milne, "A mathematical model of concurrent cc~putation", Ph.D. Thesis, Cc~uter Science Dept, University of Edinburgh, 1978.

[~]

G. Milne and R. Milner, "Concurrent processes and their syntax", J. A(IM, 26, 2, 1979.

[Mos]

P. Mosses, "SIS, Semantic Implementation System", DA/_MI Report ~D-33, Aarhus University, 1979.

[~]

D. MacQueen, "Models for distributed computing", Report No. 351, IRIA-lalx)ria, Paris, 1979.

[~.~]

T. M[ildner, "On sync/ironizing tools for parallel prograns", Report 357, Inst. of Ccmputer Science, Polish Acadermy of Science, Warsaw, 1979.

171

[~W]

A Maggiolo-Schettini,

H. Wedde and J. Winkowski, "Modelling a

Solution for a cc~trol problem in distributed systems by restrictions, I/NCS 70, 1979. [Pet]

C.A. Petri, "Introduction to General Net Theory", Proc. Advanced Course on General Net Theory of Processes and Systems, to appear in INCS, 1980.

[Plo~]

G. Plotkin, "A powerdomain construction", SIAM J. Ccm!0 5, 1976.

[Plo23

G. Plotkin, "LCF considered as a prograrmting language", TCS 5, 3, 1977. A. Pnueli, "The temporal logic of programs", 19th Annual Syrup. on Foundations of C(mputer Science, Providence R.I., 1977.

~Pnu2 ]

A. Pnueli I "The temporal semantics of concurrent programs", 70, 1979.

[Ros]

B. Rosen, "Tree manipulation systems and Church-Rosser Theorems", J. ACM 20, i, 1973.

[Sch]

J. Schwarz, "Distributed synchronization of processor communication", Internal Report, Dept. of Artificial Intelligence, University of Edinburgh, 1978. M. Smyth, "Powerdc~ains", JCSS 16, 1978.

[~s]

D. Scott and C. Strachey, "To%~rds a mathematical semantics for computer languages", Proc. Syrup. on Computers and Autcraata, Microwave Res. Inst. Symposia Series, Vol 21, Polytechnic Inst. of Brooklyn, 1972.

[Wad]

W. Wadge, "An extensional treatment of dataflc~ deadlock", I/qCS 70, 1979.

[wir ]

N. Wirth, "MODULA: A language for modular multiprogramming", Report 18, ETH Zurich, 1976.