Process algebra with strategic interleaving
J.A. Bergstra and C.A. Middelburg
Informatics Institute, Faculty of Science, University of Amsterdam, Science Park 904, 1098 XH Amsterdam, the Netherlands
Abstract. In process algebras such as ACP (Algebra of Communicating Processes), parallel processes are considered to be interleaved in an arbitrary way. In the case of multi-threading as found in contemporary programming languages, parallel processes are actually interleaved according to some interleaving strategy. An interleaving strategy is what is called a process-scheduling policy in the field of operating systems. In many systems, for instance hardware/software systems, we have to do with both parallel processes that may best be considered to be interleaved in an arbitrary way and parallel processes that may best be considered to be interleaved according to some interleaving strategy. Therefore, we extend ACP in this paper with the latter form of interleaving. The established properties of the extension concerned include an elimination property, a conservative extension property, and a unique expansion property.
Keywords: process algebra, arbitrary interleaving, strategic interleaving.
D.1.3, D.4.1, F.1.2
In algebraic theories of processes, such as ACP [5,7], CCS [18,21] and CSP [12,19], processes are discrete behaviours that proceed by doing steps in a sequential fashion. The parallel composition of two processes is usually considered to incorporate all conceivable interleavings of their steps. In each interleaving, the steps of both processes occur in some order where each time one step is taken from either of the processes. According to many, this interpretation of parallel composition, called arbitrary interleaving, is a plausible, general, if not idealized interpretation. Underlying the usual justification of this claim is the assumption that at most one step is done at each point in time. However, others contend that interpretations in which this simplifying assumption is fulfilled are not faithful. Be that as it may, arbitrary interleaving turns out to be appropriate for many applications and to facilitate formal algebraic reasoning.

Multi-threading as found in programming languages such as Java [16] and C
In this section, we give a survey of ACP (Algebra of Communicating Processes), guarded recursion in the setting of ACP, and some relevant results about the extension of ACP with guarded recursion. For a comprehensive overview, the reader is referred to [5,13].

2.1 ACP
In ACP, it is assumed that a fixed but arbitrary set $A$ of actions, with $\delta \notin A$, has been given. We write $A_\delta$ for $A \cup \{\delta\}$. It is further assumed that a fixed but arbitrary commutative and associative communication function $\gamma : A_\delta \times A_\delta \to A_\delta$, with $\gamma(\delta, a) = \delta$ for all $a \in A_\delta$, has been given. The function $\gamma$ is regarded to give the result of synchronously performing any two actions for which this is possible, and to give $\delta$ otherwise.

The signature of ACP consists of the following constants and operators:
– for each $a \in A$, the action constant $a$;
– the inaction constant $\delta$;
– the binary alternative composition operator $+$;
– the binary sequential composition operator $\cdot$;
– the binary parallel composition operator $\parallel$;
– the binary left merge operator $\lfloor\!\lfloor$;
– the binary communication merge operator $\mid$;
– for each $H \subseteq A$, the unary encapsulation operator $\partial_H$.

We assume that there are infinitely many variables, including $x, y, z$. Terms are built as usual. We use infix notation for the binary operators.
The precedence conventions used with respect to the operators of ACP are as follows: $+$ binds weaker than all others, $\cdot$ binds stronger than all others, and the remaining operators bind equally strong.

The constants and operators of ACP can be explained as follows:
– the constant $a$ denotes the process that is only capable of first performing action $a$ and next terminating successfully;
– the constant $\delta$ denotes the process that is not capable of doing anything;
– a closed term of the form $t + t'$ denotes the process that behaves either as the process denoted by $t$ or as the process denoted by $t'$, but not both;
– a closed term of the form $t \cdot t'$ denotes the process that first behaves as the process denoted by $t$ and on successful termination of that process it next behaves as the process denoted by $t'$;
– a closed term of the form $t \parallel t'$ denotes the process that behaves as the process that proceeds with the processes denoted by $t$ and $t'$ in parallel;
– a closed term of the form $t \lfloor\!\lfloor t'$ denotes the process that behaves the same as the process denoted by $t \parallel t'$, except that it starts with performing an action of the process denoted by $t$;
– a closed term of the form $t \mid t'$ denotes the process that behaves the same as the process denoted by $t \parallel t'$, except that it starts with performing an action of the process denoted by $t$ and an action of the process denoted by $t'$ synchronously;
– a closed term of the form $\partial_H(t)$ denotes the process that behaves the same as the process denoted by $t$, except that actions from $H$ are blocked.

The operators $\lfloor\!\lfloor$ and $\mid$ are of an auxiliary nature. They are needed to axiomatize ACP.

Table 1. Axioms of ACP

$x + y = y + x$ (A1)
$(x + y) + z = x + (y + z)$ (A2)
$x + x = x$ (A3)
$(x + y) \cdot z = x \cdot z + y \cdot z$ (A4)
$(x \cdot y) \cdot z = x \cdot (y \cdot z)$ (A5)
$x + \delta = x$ (A6)
$\delta \cdot x = \delta$ (A7)
$\partial_H(a) = a$ if $a \notin H$ (D1)
$\partial_H(a) = \delta$ if $a \in H$ (D2)
$\partial_H(x + y) = \partial_H(x) + \partial_H(y)$ (D3)
$\partial_H(x \cdot y) = \partial_H(x) \cdot \partial_H(y)$ (D4)
$x \parallel y = x \lfloor\!\lfloor y + y \lfloor\!\lfloor x + x \mid y$ (CM1)
$a \lfloor\!\lfloor x = a \cdot x$ (CM2)
$a \cdot x \lfloor\!\lfloor y = a \cdot (x \parallel y)$ (CM3)
$(x + y) \lfloor\!\lfloor z = x \lfloor\!\lfloor z + y \lfloor\!\lfloor z$ (CM4)
$a \cdot x \mid b = \gamma(a, b) \cdot x$ (CM5)
$a \mid b \cdot x = \gamma(a, b) \cdot x$ (CM6)
$a \cdot x \mid b \cdot y = \gamma(a, b) \cdot (x \parallel y)$ (CM7)
$(x + y) \mid z = x \mid z + y \mid z$ (CM8)
$x \mid (y + z) = x \mid y + x \mid z$ (CM9)
$\delta \mid x = \delta$ (CM10)
$x \mid \delta = \delta$ (CM11)
$a \mid b = \gamma(a, b)$ (CM12)

The axioms of ACP are the equations given in Table 1. In these equations, $a$, $b$ and $c$ stand for arbitrary constants of ACP, and $H$ stands for an arbitrary subset of $A$. Moreover, $\gamma(a, b)$ stands for the action constant for the action $\gamma(a, b)$. In D1 and D2, side conditions restrict what $a$ and $H$ stand for.

In other presentations of ACP, $\gamma(a, b)$ is regularly replaced by $a \mid b$ in CM5–CM7. By CM12, which is more often called CF, these replacements give rise to an equivalent axiomatization. In other presentations of ACP, CM10 and CM11 are usually absent. These equations are not derivable from the other axioms, but all their closed substitution instances are derivable from the other axioms. Moreover, CM10 and CM11 hold in virtually all models of ACP that have been devised.

In the sequel, we will use the sum notation P i

Let $T$ be ACP or a concrete extension of ACP.
Then, for all guarded recursive specifications $E$ over $T$, for all $X \in \mathrm{V}(E)$:
(1) if $Y = t_Y \in E$ and $t_Y = t'_Y$ is derivable from the axioms of $T$, then $\langle X | E \rangle = \langle X | (E \setminus \{Y = t_Y\}) \cup \{Y = t'_Y\} \rangle$ is derivable from the axioms of $T$, RDP and RSP;
(2) if $Y = t_Y \in E$, $Z = t_Z \in E$, and $t'_Y$ is $t_Y$ with some occurrence of $Z$ in $t_Y$ replaced by $t_Z$, then $\langle X | E \rangle = \langle X | (E \setminus \{Y = t_Y\}) \cup \{Y = t'_Y\} \rangle$ is derivable from the axioms of $T$, RDP and RSP;
(3) if $Y \notin \mathrm{V}(E)$ and $t_Y$ is a guarded $T$ term in which variables other than the variables from $\mathrm{V}(E)$ do not occur, then $\langle X | E \rangle = \langle X | E \cup \{Y = t_Y\} \rangle$ is derivable from the axioms of $T$, RDP and RSP.

Proof. In case (1), first we apply RDP for each recursion equation in $E$, next we apply $t_Y = t'_Y$ to $\langle Y | E \rangle = \langle t_Y | E \rangle$, and finally we apply RSP to the resulting set of equations. In case (2), first we apply RDP for each recursion equation in $E$, next we apply $\langle Z | E \rangle = \langle t_Z | E \rangle$ to $\langle Y | E \rangle = \langle t_Y | E \rangle$, and finally we apply RSP to the resulting set of equations. In case (3), we first apply RDP for each recursion equation in $E \cup \{Y = t_Y\}$ and then we apply RSP to the resulting set of equations. □

(Footnote: Further details on cases (1) and (2) can be found in the proof of Theorem 4.3.2 from [13].)

Proposition 1 will be used in the proof of Theorem 1 in Section 3.2.

Let $T$ be ACP or a concrete extension of ACP. Then the set HNF of head normal forms of $T$ is inductively defined by the following rules:
– $\delta \in \mathit{HNF}$;
– if $a \in A$, then $a \in \mathit{HNF}$;
– if $a \in A$ and $t$ is a $T$ term, then $a \cdot t \in \mathit{HNF}$;
– if $t, t' \in \mathit{HNF}$, then $t + t' \in \mathit{HNF}$.

Each head normal form of $T$ is derivably equal to a head normal form of the form P i

For each guarded ACP$_{\mathrm{rec}}$ term $t$, there exists a head normal form $t'$ of ACP such that $t = t'$ is derivable from the axioms of ACP$_{\mathrm{rec}}$.

Proof. The proof is analogous to the proof of Proposition 3 in Section 3.2. □

Strategic Interleaving

In this section, we extend ACP with strategic interleaving, i.e.
interleaving according to some interleaving strategy. Interleaving strategies are abstractions of scheduling algorithms. Interleaving according to some interleaving strategy is what really happens in the case of multi-threading as found in contemporary programming languages.

In the extension of ACP with strategic interleaving presented below, it is expected that an interleaving strategy uses the interleaving history in one way or another to make process-scheduling decisions.

The set $H$ of interleaving histories is the subset of $(\mathbb{N} \times \mathbb{N})^*$ that is inductively defined by the following rules:
– $\langle\,\rangle \in H$;
– if $i \le n$, then $(i, n) \in H$;
– if $h \frown (i, n) \in H$, $j \le n$, and $n - 1 \le m \le n + 1$, then $h \frown (i, n) \frown (j, m) \in H$.

(Footnote: We write $\langle\,\rangle$ for the empty sequence, $d$ for the sequence having $d$ as sole element, and $\alpha \frown \alpha'$ for the concatenation of sequences $\alpha$ and $\alpha'$. We assume that the usual identities, such as $\langle\,\rangle \frown \alpha = \alpha$ and $(\alpha \frown \alpha') \frown \alpha'' = \alpha \frown (\alpha' \frown \alpha'')$, hold.)

The intuition concerning interleaving histories is as follows: if the $k$th pair of an interleaving history is $(i, n)$, then the $i$th process got a turn in the $k$th interleaving step and after its turn there were $n$ processes to be interleaved. The number of processes to be interleaved may increase due to process creation (introduced below) and decrease due to successful termination of processes.

The presented extension of ACP is called ACP+SI (ACP with Strategic Interleaving). It covers a generic interleaving strategy that can be instantiated with different specific interleaving strategies that can be represented in the way that is explained below.

In ACP+SI, it is assumed that the following has been given:
– a fixed but arbitrary set $S$;
– for each $n \in \mathbb{N}$, a fixed but arbitrary function $\sigma_n : H \times S \to \{1, \ldots, n\}$;
– for each $n \in \mathbb{N}$, a fixed but arbitrary function $\vartheta_n : H \times S \times \{1, \ldots, n\} \times A \to S$.

The elements of $S$ are called control states, $\sigma_n$ is called an abstract scheduler (for $n$ processes), and $\vartheta_n$ is called a control state transformer (for $n$ processes). The intuition concerning $S$, $\sigma_n$, and $\vartheta_n$ is as follows:
– the control states from $S$ encode data that are relevant to the interleaving strategy, but not derivable from the interleaving history;
– if $\sigma_n(h, s) = i$, then the $i$th process gets the next turn after interleaving history $h$ in control state $s$;
– if $\vartheta_n(h, s, i, a) = s'$, then $s'$ is the control state that arises from the $i$th process doing $a$ after interleaving history $h$ in control state $s$.

Thus, $S$, $\langle \sigma_n \rangle_{n \in \mathbb{N}}$, and $\langle \vartheta_n \rangle_{n \in \mathbb{N}}$ make up a way to represent an interleaving strategy. This way to represent an interleaving strategy is engrafted on [22].

Consider the case where $S$ is a singleton set, for each $n \in \mathbb{N}$, $\sigma_n$ is defined by

$\sigma_n(\langle\,\rangle, s) = 1$,
$\sigma_n(h \frown (j, n), s) = (j + 1) \bmod n$,

and, for each $n \in \mathbb{N}$, $\vartheta_n$ is defined by

$\vartheta_n(h, s, i, a) = s$.

In this case, the interleaving strategy corresponds to the round-robin scheduling algorithm. More advanced strategies can be obtained if the scheduling makes more advanced use of the interleaving history and the control state. The interleaving history may, for example, be used to factor the individual lifetimes of the processes to be interleaved and their creation hierarchy into the process-scheduling decision making. Individual properties of the processes to be interleaved that depend on the actions performed by them can be taken into account by making use of the control state.
The control state may, for example, be used to factor the processes being interleaved that currently wait to acquire a lock from a process that manages a shared resource into the process-scheduling decision making.

(Footnote: In [8], various examples of interleaving strategies are given in the setting of the relatively unknown thread algebra. The representation of the more serious of these examples in the current setting demands nontrivial use of the control state.)

In ACP+SI, it is also assumed that a fixed but arbitrary set $D$ of data and a fixed but arbitrary function $\varphi : D \to P$, where $P$ is the set of all closed terms over the signature of ACP+SI (given below), have been given and that, for each $d \in D$ and $a, b \in A$, $cr(d), cr(d) \in A$, $\gamma(cr(d), a) = \delta$, and $\gamma(a, b) = cr(d)$. The action $cr(d)$ can be considered a process creation request and the action $cr(d)$ can be considered a process creation act. They represent the request to start the process denoted by $\varphi(d)$ in parallel with the requesting process and the act of carrying out that request, respectively.

The signature of ACP+SI consists of the constants and operators from the signature of ACP and in addition the following operators:
– for each $n \in \mathbb{N}$, $h \in H$, and $s \in S$, the $n$-ary strategic interleaving operator $\parallel^{n}_{h,s}$;
– for each $n, i \in \mathbb{N}$ with $i \le n$, $h \in H$, and $s \in S$, the $n$-ary positional strategic interleaving operator $\rfloor\!\lfloor^{n,i}_{h,s}$.

The strategic interleaving operators can be explained as follows:
– a closed term of the form $\parallel^{n}_{h,s}(t_1, \ldots, t_n)$ denotes the process that results from interleaving of the $n$ processes denoted by $t_1, \ldots, t_n$ after interleaving history $h$ in control state $s$, according to the interleaving strategy represented by $S$, $\langle \sigma_n \rangle_{n \in \mathbb{N}}$, and $\langle \vartheta_n \rangle_{n \in \mathbb{N}}$.

The positional strategic interleaving operators are auxiliary operators used to axiomatize the strategic interleaving operators. The role of the positional strategic interleaving operators in the axiomatization is similar to the role of the left merge operator found in ACP.

The axioms of ACP+SI are the axioms of ACP and in addition the equations given in Table 3. In the additional equations, $n$ and $i$ stand for arbitrary numbers from $\mathbb{N}$ with $i \le n$, $h$ stands for an arbitrary interleaving history from $H$, $s$ stands for an arbitrary control state from $S$, $a$ stands for an arbitrary action constant that is not of the form $cr(d)$ or $cr(d)$, and $d$ stands for an arbitrary datum $d$ from $D$.

Table 3. Axioms for strategic interleaving

$\parallel^{n}_{h,s}(x_1, \ldots, x_n) = \rfloor\!\lfloor^{n,\sigma_n(h,s)}_{h,s}(x_1, \ldots, x_n)$ (SI1)
$\rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, \delta, x_{i+1}, \ldots, x_n) = \delta$ (SI2)
$\rfloor\!\lfloor^{1,i}_{h,s}(a) = a$ (SI3)
$\rfloor\!\lfloor^{n+1,i}_{h,s}(x_1, \ldots, x_{i-1}, a, x_{i+1}, \ldots, x_{n+1}) = a \cdot \parallel^{n}_{h \frown (i,n),\, \vartheta_{n+1}(h,s,i,a)}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{n+1})$ (SI4)
$\rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, a \cdot x'_i, x_{i+1}, \ldots, x_n) = a \cdot \parallel^{n}_{h \frown (i,n),\, \vartheta_n(h,s,i,a)}(x_1, \ldots, x_{i-1}, x'_i, x_{i+1}, \ldots, x_n)$ (SI5)
$\rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, cr(d), x_{i+1}, \ldots, x_n) = cr(d) \cdot \parallel^{n}_{h \frown (i,n),\, \vartheta_n(h,s,i,cr(d))}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n, \varphi(d))$ (SI6)
$\rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, cr(d) \cdot x'_i, x_{i+1}, \ldots, x_n) = cr(d) \cdot \parallel^{n+1}_{h \frown (i,n+1),\, \vartheta_n(h,s,i,cr(d))}(x_1, \ldots, x_{i-1}, x'_i, x_{i+1}, \ldots, x_n, \varphi(d))$ (SI7)
$\rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x'_i + x''_i, x_{i+1}, \ldots, x_n) = \rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x'_i, x_{i+1}, \ldots, x_n) + \rfloor\!\lfloor^{n,i}_{h,s}(x_1, \ldots, x_{i-1}, x''_i, x_{i+1}, \ldots, x_n)$ (SI8)

Axiom SI2 expresses that, in the event of inactiveness of the process whose turn it is, the whole becomes inactive immediately. A plausible alternative is that, in the event of inactiveness of the process whose turn it is, the whole becomes inactive only after all other processes have terminated or become inactive. In that case, the functions $\vartheta_n : H \times S \times \{1, \ldots, n\} \times A \to S$ must be extended to functions $\vartheta_n : H \times S \times \{1, \ldots, n\} \times (A \cup \{\delta\}) \to S$ and axiom SI2 must be replaced by the axioms in Table 4.

Table 4. Alternative axioms for SI2

$\rfloor\!\lfloor^{1,i}_{h,s}(\delta) = \delta$ (SI2a)
$\rfloor\!\lfloor^{n+1,i}_{h,s}(x_1, \ldots, x_{i-1}, \delta, x_{i+1}, \ldots, x_{n+1}) = \parallel^{n}_{h \frown (i,n),\, \vartheta_{n+1}(h,s,i,\delta)}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{n+1}) \cdot \delta$ (SI2b)

In (ACP+SI)$_{\mathrm{rec}}$, i.e. ACP+SI extended with guarded recursion in the way described in Section 2, the processes that can be created are restricted to the ones denotable by a closed ACP+SI term. This restriction stems from the requirement that $\varphi$ is a function from $D$ to the set of all closed ACP+SI terms. The restriction can be removed by relaxing this requirement to the requirement that $\varphi$ is a function from $D$ to the set of all closed (ACP+SI)$_{\mathrm{rec}}$ terms. We write (ACP+SI)$^{+}_{\mathrm{rec}}$ for the theory resulting from this relaxation. In other words, (ACP+SI)$^{+}_{\mathrm{rec}}$ differs from (ACP+SI)$_{\mathrm{rec}}$ in that it is assumed that a fixed but arbitrary function $\varphi : D \to P$, where $P$ is the set of all closed terms over the signature of (ACP+SI)$_{\mathrm{rec}}$, has been given.

It is customary to associate transition systems with closed terms of the language of an ACP-like theory of processes by means of structural operational semantics and to use this to construct a model in which closed terms are identified if their associated transition systems are bisimilar. The structural operational semantics of ACP can be found in [5,13]. The additional transition rules for the strategic interleaving operators and the positional strategic interleaving operators are given in Appendix A.

In this section, the subject of concern is the connection between ACP and ACP+SI. The main results are an elimination result and a conservative extension result. We begin with establishing some results that will be used in the proof of those main results.

Each guarded ACP+SI term is derivably equal to a head normal form of ACP+SI.

Proposition 3 (Head normal form).
For each guarded ACP+SI term $t$, there exists a head normal form $t'$ of ACP+SI such that $t = t'$ is derivable from the axioms of ACP+SI.

Proof. The proof is straightforward by induction on the structure of $t$. The case where $t$ is of the form $\delta$ and the case where $t$ is of the form $a$ ($a \in A$) are trivial. The case where $t$ is of the form $t \cdot t$ follows immediately from the induction hypothesis and the claim that, for all head normal forms $t$ and $t$ of ACP+SI, there exists a head normal form $t'$ of ACP+SI such that $t \cdot t = t'$ is derivable from the axioms of ACP+SI. This claim is easily proved by induction on the structure of $t$. The case where $t$ is of the form $t + t$ follows immediately from the induction hypothesis. The cases where $t$ is of one of the forms $t \lfloor\!\lfloor t$, $t \mid t$, $\partial_H(t)$ or $\rfloor\!\lfloor^{n,i}_{h,s}(t_1, \ldots, t_n)$ are proved along the same lines as the case where $t$ is of the form $t \cdot t$. In the case that $t$ is of the form $t \mid t$, each of the cases to be considered in the inductive proof of the claim demands a proof by induction on the structure of $t$. In the case that $t$ is of the form $\rfloor\!\lfloor^{n,i}_{h,s}(t_1, \ldots, t_n)$, the claim is of course proved by induction on the structure of $t_i$ instead of $t$. The case that $t$ is of the form $t \parallel t$ follows immediately from the case that $t$ is of the form $t \lfloor\!\lfloor t$ and the case that $t$ is of the form $t \mid t$. The case that $t$ is of the form $\parallel^{n}_{h,s}(t_1, \ldots, t_n)$ follows immediately from the case that $t$ is of the form $\rfloor\!\lfloor^{n,i}_{h,s}(t_1, \ldots, t_n)$. Because $t$ is a guarded ACP+SI term, the case where $t$ is a variable cannot occur. □

Each of the four theorems to come refers to several process algebras. It is implicit that the same set $A$ of actions and the same communication function $\gamma$ are assumed in the process algebras referred to.

Each guarded recursive specification over ACP+SI can be reduced to a guarded recursive specification over ACP.

Theorem 1 (Reduction).
For each guarded recursive specification $E$ over ACP+SI and each $X \in \mathrm{V}(E)$, there exists a guarded recursive specification $E'$ over ACP such that $\langle X | E \rangle = \langle X | E' \rangle$ is derivable from the axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$.

Proof. Let $E$ be a guarded recursive specification over ACP+SI. Assume that, for each equation $X = t_X$ from $E$, $t_X$ is a guarded ACP+SI term. It follows from Proposition 1 that this assumption does not lead to loss of generality. Let $X = t_X$ be an equation from $E$. Now, by Proposition 3, there exist $n, m \in \mathbb{N}$ such that, for each $i \in \mathbb{N}$ with $i < n$ and $j \in \mathbb{N}$ with $j < m$, there exist an $a_i \in A$, an ACP+SI term $t_i$, and a $b_j \in A$ such that $t_X =$ P i

Theorem 2 (Elimination). For each closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term $t$, there exists a closed ACP$_{\mathrm{rec}}$ term $t'$ such that $t = t'$ is derivable from the axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$.

Proof. We prove this by means of a term rewriting system that takes equational axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$ and equations derivable from the axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$ as rewrite rules. Thus, the proof boils down to showing that (a) the term rewriting system concerned has the property that each (ACP+SI)$^{+}_{\mathrm{rec}}$ term has a unique normal form modulo axioms A1 and A2 and (b) each closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term that is a normal form modulo axioms A1 and A2 is a closed ACP$_{\mathrm{rec}}$ term. Henceforth, we will write AC for the set of equations that consists of axioms A1 and A2.

Let $R$ be a set of equations that contains for each guarded recursive specification $E$ over ACP+SI and $X \in \mathrm{V}(E)$ an equation $\langle X | E \rangle = \langle X | E' \rangle$, where $E'$ is a guarded recursive specification over ACP, that is derivable from the axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$. Such a set $R$ exists by Theorem 1.
Consider the term rewriting system R((ACP+SI)$^{+}_{\mathrm{rec}}$) that consists of the axioms of (ACP+SI)$^{+}_{\mathrm{rec}}$, with the exception of A1, A2, RDP, and RSP, and the equations from $R$ taken as rewrite rules.

We show that R((ACP+SI)$^{+}_{\mathrm{rec}}$) has the property that each (ACP+SI)$^{+}_{\mathrm{rec}}$ term has a unique normal form modulo AC by proving that R((ACP+SI)$^{+}_{\mathrm{rec}}$) is terminating modulo AC and confluent modulo AC.

First, we show that R((ACP+SI)$^{+}_{\mathrm{rec}}$) is terminating modulo AC. This can be proved by the reduction ordering $>$ induced by the extended integer polynomials $\theta(t)$ associated with (ACP+SI)$^{+}_{\mathrm{rec}}$ terms $t$ as follows:

$\theta(X) = X$,
$\theta(a) = 2$,
$\theta(\delta) = 2$,
$\theta(cr(d)) = \theta(\varphi(d)) + 1$,
$\theta(t + t) = \theta(t) + \theta(t)$,
$\theta(t \cdot t) = \theta(t) \cdot \theta(t)$,
$\theta(t \parallel t) = 3 \cdot (\theta(t) \cdot \theta(t)) + 1$,
$\theta(t \lfloor\!\lfloor t) = (\theta(t) \cdot \theta(t))$,
$\theta(t \mid t) = (\theta(t) \cdot \theta(t))$,
$\theta(\partial_H(t)) = 2^{\theta(t)}$,
$\theta(\parallel^{n}_{h,s}(t_1, \ldots, t_n)) = (\theta(t_1) \cdot \ldots \cdot \theta(t_n)) + 1$,
$\theta(\rfloor\!\lfloor^{n,i}_{h,s}(t_1, \ldots, t_n)) = (\theta(t_1) \cdot \ldots \cdot \theta(t_n))$,
$\theta(\langle X | E \rangle) =$ ( $E$ is a guarded recursive specification over ACP; $3$ otherwise,

where it is assumed that, for each variable $X$ over processes, $X$ is a variable over integers. The following is easy to see: (a) $t > t'$ for all rewrite rules $t = t'$ of R((ACP+SI)$^{+}_{\mathrm{rec}}$) and (b) $t > t'$ implies $s > s'$ for all (ACP+SI)$^{+}_{\mathrm{rec}}$ terms $s$ and $s'$ for which $t = s$ and $t' = s'$ are derivable from AC. Hence, R((ACP+SI)$^{+}_{\mathrm{rec}}$) is terminating modulo AC.

(Footnote: Here, extended polynomials differ from polynomials in that both variables and expressions of the form $2^X$, where $X$ is a variable, are allowed where only variables are allowed in polynomials.)

(Footnote: We do not have that $t > t'$ for all rewrite rules $t = s$ if SI2 is replaced by SI2a and SI2b (see Table 4).)

Next, we show that R((ACP+SI)$^{+}_{\mathrm{rec}}$) is confluent modulo AC. It follows from Theorems 5 and 16 in [20] and the fact that R((ACP+SI)$^{+}_{\mathrm{rec}}$) is terminating R((ACP+SI)$^{+}_{\mathrm{rec}}$) is confluent modulo AC if it does not give rise to critical pairs modulo AC that are not convergent. It is easy to see that all critical pairs modulo AC arise from overlappings of (a) A3 on A4, CM4, CM8, CM9, D3, and SI8, (b) A6 on A4, CM4, CM8, CM9, D3, and SI8, (c) A7 on CM3, CM5, CM6, CM7, D4, and SI5, (d) CM10 on CM9, and (e) CM11 on CM8. It is straightforward to check that all critical pairs concerned are convergent. Hence, R((ACP+SI)$^{+}_{\mathrm{rec}}$) is confluent modulo AC.

Above, we have shown that R((ACP+SI)$^{+}_{\mathrm{rec}}$) is terminating modulo AC and confluent modulo AC and by this that it has the property that each (ACP+SI)$^{+}_{\mathrm{rec}}$ term has a unique normal form modulo AC. It remains to be shown that each closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term that is a normal form modulo AC is a closed ACP$_{\mathrm{rec}}$ term. It is not hard to see that, for each closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term in which other operators than $+$ and $\cdot$ occur, a reduction step modulo AC is still possible in R((ACP+SI)$^{+}_{\mathrm{rec}}$). Because a reduction step modulo AC is impossible for a normal form modulo AC, no other operators than $+$ or $\cdot$ can occur in a closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term that is a normal form modulo AC. Hence, each closed (ACP+SI)$^{+}_{\mathrm{rec}}$ term that is a normal form modulo AC is a closed ACP$_{\mathrm{rec}}$ term. □

Each equation between closed ACP terms that is derivable in ACP+SI is also derivable in ACP.

Theorem 3 (Conservative extension). For each two closed ACP terms $t$ and $t'$, $t = t'$ is derivable from the axioms of ACP+SI only if $t = t'$ is derivable from the axioms of ACP.

Proof. We prove this by means of a restriction of the term rewriting system from the proof of Theorem 2. Consider the term rewriting system R(ACP+SI) that consists of the axioms of ACP+SI, with the exception of A1 and A2. R(ACP+SI) is R((ACP+SI)$^{+}_{\mathrm{rec}}$) restricted to ACP+SI terms. Just like R((ACP+SI)$^{+}_{\mathrm{rec}}$), R(ACP+SI) is terminating modulo AC and confluent modulo AC.
The proofs of these properties for R((ACP+SI)$^{+}_{\mathrm{rec}}$) carry over to R(ACP+SI).

Let $t$ and $t'$ be two closed ACP terms such that $t = t'$ is derivable from the axioms of ACP+SI. Reduce $t$ and $t'$ to normal forms $s$ and $s'$, respectively, by means of the term rewriting system R(ACP+SI). By Theorem 5 in [20], being confluent modulo AC is equivalent to being Church-Rosser modulo AC for a term rewriting system that is terminating modulo AC. This means that $t$ and $t'$ have the same normal form modulo AC. In other words, $s = s'$ is derivable from axioms A1 and A2. Because (a) no other operators than $+$ and $\cdot$ occur in $t$ and $t'$ and (b) no rewrite rule introduces one or more of the other operators if one or more of the other operators was not already in its left-hand side, each rewrite rule applied in the reduction from $t$ to $s$ or the reduction from $t'$ to $s'$ is one of the axioms of ACP. Therefore, each rewrite rule involved in the reduction from $t$ to $s$ or the reduction from $t'$ to $s'$ is an axiom of ACP. Hence, the reduction from $t$ to $s$ shows that $t = s$ is derivable from the axioms of ACP and the reduction from $t'$ to $s'$ shows that $t' = s'$ is derivable from the axioms of ACP. From this and the fact that $s = s'$ is derivable from axioms A1 and A2, it follows $t = t'$ is derivable from the axioms of ACP. □

The following theorem concerns the expansion of minimal models of ACP to models of ACP+SI.

Theorem 4 (Unique expansion). Each minimal model of ACP has a unique expansion to a model of ACP+SI.

Proof. We write $f^{A}$, where $A$ is a model of ACP or ACP+SI and $f$ is a constant or operator from the signature of $A$, for the interpretation of $f$ in $A$. We write $t^{A}$, where $A$ is a model of ACP or ACP+SI and $t$ is a closed term over the signature of $A$, for the interpretation of $t$ in $A$.

Let $A$ be a minimal model of ACP. Let $\mathit{CT}$ be a function from the carrier of $A$ to the set of all closed ACP terms such that, for each element $p$ of the carrier of $A$, $\mathit{CT}(p)^{A} = p$.
Because $A$ is a minimal model of ACP, $\mathit{CT}(p)$ is a total function. We write $p$, where $p$ is an element of the carrier of $A$, for $\mathit{CT}(p)$. Let $\mathit{NF}$ be a function from the set of all closed ACP+SI terms to the set of all closed ACP terms such that, for each closed ACP+SI term $t$, $\mathit{NF}(t)$ is one of the normal forms that $t$ can be reduced to by means of the term rewriting system R(ACP+SI) from the proof of Theorem 3.

We start with constructing an expansion of $A$ with interpretations of the additional operators of ACP+SI. Let $B$ be the expansion of $A$ with interpretations of the additional operators of ACP+SI where these interpretations are defined as follows:

${\parallel^{n}_{h,s}}^{B}(p_1, \ldots, p_n) = \mathit{NF}(\parallel^{n}_{h,s}(p_1, \ldots, p_n))^{A}$,
${\rfloor\!\lfloor^{n,i}_{h,s}}^{B}(p_1, \ldots, p_n) = \mathit{NF}(\rfloor\!\lfloor^{n,i}_{h,s}(p_1, \ldots, p_n))^{A}$,

for all $p_1, \ldots, p_n$ from the carrier of $A$.

We proceed with proving that $B$ is a model of ACP+SI. By Theorem 3, it is sufficient to prove that $B$ satisfies axioms SI1–SI8. By its construction, $B$ is a minimal algebra and consequently it is sufficient to prove that $B$ satisfies all closed substitution instances of SI1–SI8. We use the following three claims to prove this:
– for all closed substitution instances $t = t'$ of SI1–SI8, $t^{B} = \mathit{NF}(t)^{A}$;
– for all closed substitution instances $t = t'$ of SI1–SI8, $t'^{B} = \mathit{NF}(t')^{A}$;
– for all closed substitution instances $t = t'$ of SI1–SI8, $\mathit{NF}(t)^{A} = \mathit{NF}(t')^{A}$.

The first claim follows easily from the definitions of the interpretations of the additional operators of ACP+SI given above. The second claim follows easily from these definitions and the proof of the first claim. Because R(ACP+SI) is Church-Rosser modulo AC (see the proof of Theorem 3), we have that $\mathit{NF}(t) = \mathit{NF}(t')$ is derivable from axioms A1 and A2. From this, the third claim follows immediately.
It is an immediate consequence of the three claims that B satisfiesall closed substitution instances of SI1–SI8.We still have to prove that B is the only expansion of A to a model ofACP+SI. We can prove this by contradiction. Assume that C is an expansion of14 to a model of ACP+SI that differs from B . Then at least one of the additionaloperators of ACP+SI has different interpretations in B and C . By the definitionsof the interpretations of the additional operators of ACP+SI in B , this meansthat there exists a closed ACP+SI term t such that t C = NF ( t ) A . Moreover,because because t = NF ( t ) is derivable from the axioms of ACP+SI, t C = NF ( t ) C . Hence, NF ( t ) C = NF ( t ) A . Because NF ( t ) is a closed ACP term, thiscontradicts the fact that C is an expansion of A . ⊓⊔ We have extended the algebraic theory of processes known as ACP with theform of interleaving that underlies multi-threading as found in contemporaryprogramming languages. We have also established some basic properties of theresulting theory. It remains an open question whether strategic interleaving isdefinable in an established extension of ACP. Acknowledgements We thank an anonymous referee for carefully reading a preliminary version ofthis paper, for pointing out an error in one of the proofs, and for suggestingimprovements of the presentation. References 1. America, P., de Bakker, J.W.: Designing equivalent semantic models for processcreation. Theoretical Computer Science (2), 109–176 (1988)2. Baeten, J.C.M., Bergstra, J.A.: Real space process algebra. Formal Aspects ofComputing (6), 481–529 (1993)3. Baeten, J.C.M., Middelburg, C.A.: Process Algebra with Timing. Monographs inTheoretical Computer Science, An EATCS Series. Springer-Verlag, Berlin (2002)4. Baeten, J.C.M., Vaandrager, F.W.: An algebra of process creation. Acta Informat-ica (4), 303–334 (1992)5. Baeten, J.C.M., Weijland, W.P.: Process Algebra, Cambridge Tracts in TheoreticalComputer Science , vol. 18. 
Cambridge University Press, Cambridge (1990)6. Bergstra, J.A.: A process creation mechanism in process algebra. In: J.C.M. Baeten(ed.) Applications of Process Algebra, Cambridge Tracts in Theoretical ComputerScience , vol. 17, pp. 81–88. Cambridge University Press, Cambridge (1990)7. Bergstra, J.A., Klop, J.W.: Process algebra for synchronous communication. In-formation and Control (1–3), 109–137 (1984)8. Bergstra, J.A., Middelburg, C.A.: Thread algebra for strategic interleaving. FormalAspects of Computing (4), 445–474 (2007)9. Bergstra, J.A., Middelburg, C.A.: A thread algebra with multi-level strategic in-terleaving. Theory of Computing Systems (1), 3–32 (2007)10. Bergstra, J.A., Middelburg, C.A.: Distributed strategic interleaving with load bal-ancing. Future Generation Computer Systems (6), 530–548 (2008) 1. Bergstra, J.A., Middelburg, C.A., Usenko, Y.S.: Discrete time process algebra andthe semantics of SDL. In: J.A. Bergstra, A. Ponse, S.A. Smolka (eds.) Handbookof Process Algebra, pp. 1209–1268. Elsevier, Amsterdam (2001)12. Brookes, S.D., Hoare, C.A.R., Roscoe, A.W.: A theory of communicating sequentialprocesses. Journal of the ACM (3), 560–599 (1984)13. Fokkink, W.J.: Introduction to Process Algebra. Texts in Theoretical ComputerScience, An EATCS Series. Springer-Verlag, Berlin (2000)14. Gehrke, T., Rensink, A.: Process creation and full sequential composition in aname-passing calculus. Electronic Notes in Theoretical Computer Science , 141–160 (1997)15. van Glabbeek, R.J., Vaandrager, F.W.: Modular specification of process algebras.Theoretical Computer Science (2), 293–348 (1993)16. Gosling, J., Joy, B., Steele, G., Bracha, G.: The Java Language Specification, secondedn. Addison-Wesley, Reading, MA (2000)17. Hejlsberg, A., Wiltamuth, S., Golde, P.: C (1), 137–161 (1985)19. Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, EnglewoodCliffs (1985)20. Jouannaud, J.P., Kirchner, H.: Completion of a set of rules modulo a set of equa-tions. 
SIAM Journal of Computing (4), 1155–1194 (1986)
21. Milner, R.: Communication and Concurrency. Prentice-Hall, Englewood Cliffs (1989)
22. Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Computer Security Foundations Workshop 2000, pp. 200–214. IEEE Computer Society Press (2000)

A Structural Operational Semantics of ACP+SI

It is customary to associate transition systems with closed terms of the language of an ACP-like theory about processes by means of structural operational semantics and to use this to construct a model in which closed terms are identified if their associated transition systems are bisimilar. The structural operational semantics of ACP can be found in [5,13]. The additional transition rules for the strategic interleaving operators and the positional strategic interleaving operators are given in Table 5. In this table,
– $t \xrightarrow{a} \surd$ indicates that t is capable of performing action a and then terminating successfully;
– $t \xrightarrow{a} t'$ indicates that t is capable of performing action a and then behaving as t′.

The transition rules for the strategic interleaving operator are similar to the transition rules for the positional strategic interleaving operators. However, each transition rule for the strategic interleaving operator has the side-condition $i = \sigma_n(h, s)$.

Table 5. Transition rules for strategic interleaving

$$\frac{x_1 \xrightarrow{a} \surd}{\parallel^{1}_{h,s}(x_1) \xrightarrow{a} \surd}$$

$$\frac{x_i \xrightarrow{a} \surd}{\parallel^{n+1}_{h,s}(x_1,\ldots,x_{n+1}) \xrightarrow{a} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_{n+1}(h,s,i,a)}(x_1,\ldots,x_{i-1},x_{i+1},\ldots,x_{n+1})} \quad i = \sigma_n(h,s)$$

$$\frac{x_i \xrightarrow{a} x_i'}{\parallel^{n}_{h,s}(x_1,\ldots,x_n) \xrightarrow{a} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_n(h,s,i,a)}(x_1,\ldots,x_{i-1},x_i',x_{i+1},\ldots,x_n)} \quad i = \sigma_n(h,s)$$

$$\frac{x_i \xrightarrow{cr(d)} \surd}{\parallel^{n}_{h,s}(x_1,\ldots,x_n) \xrightarrow{cr(d)} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_n(h,s,i,cr(d))}(x_1,\ldots,x_{i-1},x_{i+1},\ldots,x_n,\phi(d))} \quad i = \sigma_n(h,s)$$

$$\frac{x_i \xrightarrow{cr(d)} x_i'}{\parallel^{n}_{h,s}(x_1,\ldots,x_n) \xrightarrow{cr(d)} \parallel^{n+1}_{h \curvearrowright (i,n+1),\,\vartheta_n(h,s,i,cr(d))}(x_1,\ldots,x_{i-1},x_i',x_{i+1},\ldots,x_n,\phi(d))} \quad i = \sigma_n(h,s)$$

$$\frac{x_1 \xrightarrow{a} \surd}{\rfloor\!\lfloor^{1,i}_{h,s}(x_1) \xrightarrow{a} \surd}$$

$$\frac{x_i \xrightarrow{a} \surd}{\rfloor\!\lfloor^{n+1,i}_{h,s}(x_1,\ldots,x_{n+1}) \xrightarrow{a} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_{n+1}(h,s,i,a)}(x_1,\ldots,x_{i-1},x_{i+1},\ldots,x_{n+1})}$$

$$\frac{x_i \xrightarrow{a} x_i'}{\rfloor\!\lfloor^{n,i}_{h,s}(x_1,\ldots,x_n) \xrightarrow{a} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_n(h,s,i,a)}(x_1,\ldots,x_{i-1},x_i',x_{i+1},\ldots,x_n)}$$

$$\frac{x_i \xrightarrow{cr(d)} \surd}{\rfloor\!\lfloor^{n,i}_{h,s}(x_1,\ldots,x_n) \xrightarrow{cr(d)} \parallel^{n}_{h \curvearrowright (i,n),\,\vartheta_n(h,s,i,cr(d))}(x_1,\ldots,x_{i-1},x_{i+1},\ldots,x_n,\phi(d))}$$

$$\frac{x_i \xrightarrow{cr(d)} x_i'}{\rfloor\!\lfloor^{n,i}_{h,s}(x_1,\ldots,x_n) \xrightarrow{cr(d)} \parallel^{n+1}_{h \curvearrowright (i,n+1),\,\vartheta_n(h,s,i,cr(d))}(x_1,\ldots,x_{i-1},x_i',x_{i+1},\ldots,x_n,\phi(d))}$$

B Term Rewriting Systems

In this appendix, basic definitions and results regarding term rewriting systems are collected. This appendix also serves to fix the terminology on term rewriting systems used in the proofs that make use of term rewriting systems.

We assume that a set of constants, a set of operators with fixed arities, and a set of variables have been given; and we consider an arbitrary term rewriting system R for terms that can be built from the constants, operators, and variables in these sets.

A rewrite rule is a pair of terms $t \to s$, where t is not a variable and each variable occurring in s occurs in t as well. A term rewriting system is a set of rewrite rules.

A reduction step of R is a pair $t \to s$ such that for some substitution instance $t' \to s'$ of a rewrite rule of R, t′ is a subterm of t, and s is t with t′ replaced by s′. Here, t′ is called the redex of the reduction step. A reduction of R is a pair $t \twoheadrightarrow s$ such that either $t \equiv s$ or there exists a finite sequence $t_1 \to t_2, \ldots, t_n \to t_{n+1}$ of consecutive reduction steps of R such that $t \equiv t_1$ and $s \equiv t_{n+1}$.

A term t is a normal form of R if there does not exist a term s such that $t \to s$ is a reduction step of R.
A term t has a normal form in R if there exists a reduction $t \twoheadrightarrow s$ of R and s is a normal form of R. R is terminating on term t if there does not exist an infinite sequence $t \to t_1, t_1 \to t_2, t_2 \to t_3, \ldots$ of consecutive reduction steps of R. R is terminating if R is terminating on all terms. R is confluent if for all reductions $t \twoheadrightarrow s_1$ and $t \twoheadrightarrow s_2$ of R there exist reductions $s_1 \twoheadrightarrow s$ and $s_2 \twoheadrightarrow s$ of R. If R is terminating and confluent, then each term has a unique normal form in R.

A reduction ordering for R is a well-founded ordering on terms that is closed under substitutions and contexts. R is terminating if and only if there exists a reduction ordering > for R such that t > s for each rewrite rule $t \to s$ of R.

A unifier of two terms s and t is a substitution σ such that $\sigma(s) \equiv \sigma(t)$. A critical pair of R is a pair $(t_1, t_2)$ of terms for which there exist rewrite rules $s \to s'$ and $t \to t'$ of R and a ‘most general unifier’ σ of s and a non-variable subterm of t such that $t_1 \equiv \sigma(t'')$ and $t_2 \equiv \sigma(t')$, where t″ is t with σ(s) replaced by σ(s′). A critical pair $(t_1, t_2)$ of R is convergent if there exist reductions $t_1 \twoheadrightarrow s$ and $t_2 \twoheadrightarrow s$ of R. If R is terminating, then R is confluent if and only if all critical pairs of R are convergent.

Henceforth, we consider an arbitrary set E of equations between terms.

A reduction step modulo E of R is a pair $t \to_E s$ such that there exists a reduction step $t' \to s'$ of R such that t = t′ and s = s′ are derivable from E. A reduction modulo E of R is a pair $t \twoheadrightarrow_E s$ such that either t = s is derivable from E or there exists a finite sequence $t_1 \to_E t_2, \ldots, t_n \to_E t_{n+1}$ of consecutive reduction steps modulo E of R such that $t \equiv t_1$ and $s \equiv t_{n+1}$.

A term t is a normal form modulo E of R if there does not exist a term s such that $t \to_E s$ is a reduction step modulo E of R. A term t has a normal form modulo E in R if there exists a reduction modulo E $t \twoheadrightarrow_E s$ of R and s is a normal form modulo E of R.
R is terminating modulo E on term t if there does not exist an infinite sequence $t \to_E t_1, t_1 \to_E t_2, t_2 \to_E t_3, \ldots$ of consecutive reduction steps modulo E of R. R is terminating modulo E if R is terminating modulo E on all terms. R is confluent modulo E if for all reductions modulo E $t \twoheadrightarrow_E s_1$ and $t \twoheadrightarrow_E s_2$ of R there exist reductions modulo E $s_1 \twoheadrightarrow_E s$ and $s_2 \twoheadrightarrow_E s$ of R. If R is terminating modulo E and confluent modulo E, then each term has a unique normal form modulo E in R.

See e.g. Definition 10 in [20] for the definitions of most general unifier and complete set of unifiers modulo E.
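
The notions of reduction step, redex, normal form and confluence from Appendix B can be made concrete with a small rewriting engine. The following is an added example, not code from the paper; the term encoding, the rule set R (the BPA axioms A4 and A5 read left to right) and the non-confluent system S are assumptions chosen for illustration.

```python
# Added example. Closed terms are tuples (symbol, arg1, ..., argk); a constant
# is a 1-tuple such as ('a',). In rule sides, a str such as '?x' is a variable.
def match(pat, term, sub):
    """Extend substitution sub so that pat under sub equals term, else None."""
    if isinstance(pat, str):                      # rule variable
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        sub = match(p, t, sub)
        if sub is None:
            return None
    return sub

def inst(side, sub):                              # apply sub to a rule side
    if isinstance(side, str):
        return sub[side]
    return (side[0],) + tuple(inst(arg, sub) for arg in side[1:])

def reducts(term, rules):
    """All s such that term -> s is a reduction step, for any redex position."""
    out = set()
    for lhs, rhs in rules:
        sub = match(lhs, term, {})
        if sub is not None:                       # term itself is the redex
            out.add(inst(rhs, sub))
    for k in range(1, len(term)):                 # redex inside argument k
        out |= {term[:k] + (r,) + term[k + 1:] for r in reducts(term[k], rules)}
    return out

def normal_forms(term, rules):
    """Normal forms reachable from term; requires R to terminate on term."""
    seen, todo, found = {term}, [term], set()
    while todo:
        t = todo.pop()
        nxt = reducts(t, rules)
        if not nxt:
            found.add(t)
        todo.extend(nxt - seen)
        seen |= nxt
    return found

a, b, c, d = ('a',), ('b',), ('c',), ('d',)
# Assumed rules: BPA axioms A4 and A5 read left to right ('alt' is +, 'seq' is ·).
R = [(('seq', ('alt', '?x', '?y'), '?z'), ('alt', ('seq', '?x', '?z'), ('seq', '?y', '?z'))),
     (('seq', ('seq', '?x', '?y'), '?z'), ('seq', '?x', ('seq', '?y', '?z')))]
S = [(a, b), (a, c)]                              # constructed non-confluent system
T = ('seq', ('seq', ('alt', a, b), c), d)         # ((a + b) · c) · d
```

`normal_forms(T, R)` explores every reduction sequence from T and finds a single normal form, whereas `normal_forms(a, S)` returns two, which is exactly the failure of confluence.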
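
The transition rules for the strategic interleaving operator in Table 5 (Appendix A) can be executed directly when each process is restricted to a finite sequence of actions. The following is an added example, not code from the paper; the two strategies, the use of the state s as a turn counter, and the sample processes are assumptions made for illustration.

```python
def interleave(procs, sigma, theta, phi, s=0):
    """Return (trace, history, state) of the strategic interleaving of procs.

    procs: non-empty lists of actions; an action is a str or ('cr', d).
    sigma(n, h, s) -> position i in 1..n;  theta(n, h, s, i, a) -> next state.
    """
    procs, h, trace = [list(p) for p in procs], [], []
    while procs:
        n = len(procs)                       # current number of processes
        i = sigma(n, h, s)                   # side-condition i = sigma_n(h, s)
        a, rest = procs[i - 1][0], procs[i - 1][1:]
        if rest:
            procs[i - 1] = rest              # premise x_i --a--> x_i'
        else:
            del procs[i - 1]                 # premise x_i --a--> √
        if isinstance(a, tuple) and a[0] == 'cr':
            procs.append(list(phi[a[1]]))    # phi(d) is added as the last process
        trace.append(a)
        if procs:                            # otherwise the whole term terminated
            # theta sees h and s from before the step; the history records
            # (i, number of processes after the step), as in h ↷ (i, n)
            s, h = theta(n, h, s, i, a), h + [(i, len(procs))]
    return trace, h, s

# Assumed strategies (not from the paper); the state s counts turns taken.
def turn_sigma(n, h, s):
    return s % n + 1                         # rotate over the positions

def first_sigma(n, h, s):
    return 1                                 # always schedule position 1

def count_theta(n, h, s, i, a):
    return s + 1

# Constructed input: two processes; the first creates a third via cr('w').
PROCS = [['a1', ('cr', 'w'), 'a2'], ['b1', 'b2']]
PHI = {'w': ['c1', 'c2']}
```

Each strategy yields exactly one trace for the same processes, in contrast with arbitrary interleaving, which admits every order of their steps.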