Read Operators and their Expressiveness in Process Algebras

Flavio Corradini and Maria Rita Di Berardini
School of Science and Technology, Computer Science Division, University of Camerino
[email protected], [email protected]

Walter Vogler
Institut für Informatik, Universität Augsburg, Germany
[email protected]

B. Luttik and F. D. Valencia (Eds.): 18th International Workshop on Expressiveness in Concurrency (EXPRESS 2011), EPTCS 64, 2011, pp. 31–43, doi:10.4204/EPTCS.64.3
© F. Corradini, M.R. Di Berardini & W. Vogler. This work is licensed under the Creative Commons Attribution License.
Abstract. We study two different ways to enhance PAFAS, a process algebra for modelling asynchronous timed concurrent systems, with non-blocking reading actions. We first add reading in the form of a read-action prefix operator. This operator is very flexible, but its somewhat complex semantics requires two types of transition relations. We also present a read-set prefix operator with a simpler semantics, but with syntactic restrictions. We discuss the expressiveness of read prefixes; in particular, we compare them to read-arcs in Petri nets and justify the simple semantics of the second variant by showing that its processes can be translated into processes of the first with timed-bisimilar behaviour. It is still an open problem whether the first algebra is more expressive than the second; we give a number of laws that are interesting in their own right, and can help to find a backward translation.
1 Introduction

Non-blocking reading is an important feature, e.g. for proving the liveness of MUTEX solutions under the progress assumption (aka weak fairness). We study the first process algebra with non-blocking read actions, where 'read' refers to accessing a variable, e.g. modelled as a separate process $\mathit{Var}$. Observe that read is an activity of $\mathit{Var}$, and in a setting with explicit modelling of data, it would rather be an output than an input action of $\mathit{Var}$.

Non-blocking reading is known from Petri nets, where it has been added in the form of read arcs; these allow multiple concurrent reading of the same resource, a quite frequent situation in many distributed systems. Read arcs represent positive context conditions, i.e. elements which are needed for an event to occur, but are not affected by it. As argued in [17], the importance of such elements is twofold. Firstly, they allow a faithful representation of systems where the notion of "reading without consuming" is commonly used, like database systems [20] or any computation framework based on shared memory. Secondly, they allow to specify directly and naturally a level of concurrency greater than in classical nets: two transitions reading the same place may also occur simultaneously; in classical nets, the transitions would be connected to the place by loops (i.e. reading is modelled through a "rewrite" operation), which does not allow the simultaneous execution of two tasks that read the same resource. Read arcs have been used to model a variety of applications such as transaction serialisability in databases [20], concurrent constraint programming [18], asynchronous systems [22], and cryptographic protocols [14]. Reading is also related to the notion of persistence, e.g. in several calculi for describing and analysing security protocols; in particular, persistent messages (that can be read but not consumed) are used to model that every message can be remembered by the spy (see [4] and the references therein).

Footnote (∗): This work was supported by the PRIN Project 'Paco: Performability-Aware Computing: Logics, Models, and Languages

... fairness of components, while this fails under fairness of actions. To improve this, one needs suitable assumptions about the hardware, cf. [19], namely that reading a value from a storage cell is non-blocking; to model this we introduce specific reading prefixes for PAFAS.

We first add reading in the form of a read-action prefix $a \triangleright Q$ (the new process language is called PAFAS$_r$), which behaves as Q but, like a variable or a more complex data structure, can also be read with the action a. Since being read should not change the state, a can be repeated until the execution of some ordinary action of Q. Thus, e.g. $a \triangleright b.\mathit{nil}$ can perform any number of a's until it terminates via an ordinary b. The operational semantics for $a \triangleright Q$ needs two types of transition relations to properly deal e.g. with sequences of read actions.

Under some syntactic restrictions, the semantics can be simplified. To be still able to express sequences of read actions directly, we introduced a read-set operator $\{a_1, \dots, a_n\} \triangleright Q$ in the language PAFAS$_s$. In [9], we already used PAFAS$_s$ to show the correctness of Dekker's algorithm: regarding some actions as reading, this algorithm satisfies MUTEX liveness already under the assumption of fairness of actions. It had long been an open problem how to achieve such a result in a process algebra [23]. The simpler semantics of PAFAS$_s$ is helpful for building tools. Indeed, we have already proved some MUTEX algorithms correct or incorrect with the aid of the automated verification tool FASE [3]. We plan to continue this work by also considering the efficiency of MUTEX algorithms and other systems.

In this paper, we study PAFAS$_r$ and PAFAS$_s$ further with special attention to expressiveness. The first issue is that PAFAS$_r$ models non-blocking reading in an intuitive way, while the necessary restrictions in case of PAFAS$_s$ are not so obvious. In fact, the investigations for this paper have disclosed that the restrictions in [9] still allowed processes with a contra-intuitive semantics.
To rectify this subtle mistake, we give an improved definition of proper PAFAS$_s$ processes, and we show how to translate each proper process Q into a PAFAS$_r$ process whose timed behaviour is bisimilar and even isomorphic to that of Q. This shows at the same time that a proper process really has an intuitive behaviour and that PAFAS$_r$ is at least as expressive as the proper fragment of PAFAS$_s$.

Footnote: Luckily, the model of Dekker's algorithm in [9] is also proper as defined here.

In this paper, we additionally show that safe Petri nets with read-arcs as in [22] can be modelled with proper PAFAS$_s$ processes. It is still an open problem whether PAFAS$_r$ is more expressive than PAFAS$_s$; we present a number of laws that are interesting in their own right and give a backward translation for a fragment of PAFAS$_r$. Constructing a general backward translation seems to be related to finding an expansion law for PAFAS$_r$ processes, a law that is not even known for standard PAFAS processes.

We have also extended the correspondence between fair and everlasting runs; thus, also in PAFAS$_r$ and in PAFAS$_s$, we capture fairness with timed behaviour. To demonstrate the extended expressiveness of reading with a concrete example, we prove that no finite-state process in standard PAFAS has the same fair language as $a \triangleright b.\mathit{nil}$ (Theorem 2.5).

The rest of the paper is organised as follows. Sections 2 and 3 introduce PAFAS$_r$ and PAFAS$_s$ with their respective timed operational semantics and prove a result regarding $a \triangleright b$. Section 4 provides a mapping from PAFAS$_s$ to PAFAS$_r$ and presents the result for Petri nets. The backward translation is discussed in Section 5. Finally, Section 6 presents some concluding remarks. Some proofs can be found in the appendices.

2 PAFAS$_r$

In this section, we introduce PAFAS$_r$ and give a first expressiveness result.
PAFAS is a CCS-like process description language [16] (with a TCSP-like parallel composition [1]), where actions are atomic and instantaneous but have an associated upper time bound (either 0 or 1, for simplicity) interpreted as a maximal time delay for their execution. As explained in [11], these upper time bounds can be used for evaluating the performance of asynchronous systems, but do not influence functionality (which actions are performed); so compared to CCS, PAFAS also treats the full functionality of asynchronous systems. W.r.t. the original language, here we introduce the new read prefix ⊲ to represent non-blocking behaviour of processes. Intuitively, the term $a \triangleright P$ models a process like a variable or a more complex data structure that behaves as P but can additionally be read with a: since being read does not change the state, a can be performed repeatedly until the execution of some ordinary action of P, and it does not block a synchronisation partner (a reading process) as described below.

We use the following notation. $\mathbb{A}$ is an infinite set of visible actions. An additional action τ is used to represent internal activity, which is unobservable for other components. We define $\mathbb{A}_\tau = \mathbb{A} \cup \{\tau\}$. Elements of $\mathbb{A}$ are denoted by $a, b, c, \dots$ and those of $\mathbb{A}_\tau$ by $\alpha, \beta, \dots$. Actions in $\mathbb{A}_\tau$ can let time 1 pass before their execution, i.e. 1 is their maximal delay. After that time, they become urgent actions, written $\underline{a}$ or $\underline{\tau}$; these cannot be delayed. The set of urgent actions is denoted by $\underline{\mathbb{A}_\tau} = \{\underline{a} \mid a \in \mathbb{A}\} \cup \{\underline{\tau}\}$ and is ranged over by $\underline{\alpha}, \underline{\beta}, \dots$. Elements of $\mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$ are ranged over by μ. $\mathcal{X}$ (ranged over by $x, y, z, \dots$) is the set of process variables, used for recursive definitions. $F : \mathbb{A}_\tau \to \mathbb{A}_\tau$ is a general relabelling function if the set $\{\alpha \in \mathbb{A}_\tau \mid \emptyset \ne F^{-1}(\alpha) \ne \{\alpha\}\}$ is finite and $F(\tau) = \tau$. Such a function can also be used to define hiding: $P/A$, where the actions in A are made internal, is the same as $P[F_A]$, where the relabelling function $F_A$ is defined by $F_A(\alpha) = \tau$ if $\alpha \in A$ and $F_A(\alpha) = \alpha$ if $\alpha \notin A$.

We assume that time elapses in a discrete way. Thus, an action-prefixed process $a.P$ can either do action a and become process P (as usual in CCS) or can let one time step pass and become $\underline{a}.P$; $\underline{a}$ is called urgent a, and $\underline{a}.P$ cannot delay a, but as a stand-alone process can only do a to become P. In the following, initial processes are just processes of a standard process algebra extended with ⊲. General processes include all processes reachable from the initial ones according to the operational semantics to be defined below.

Footnote: PAFAS is not time domain dependent, meaning that the choice of discrete or continuous time makes no difference for the testing-based semantics of asynchronous systems, see [11] for more details.

The sets $\tilde{\mathbb{P}}_1$ of initial (timed) process terms P and $\tilde{\mathbb{P}}$ of (general) (timed) process terms Q are generated by the following grammar:

$$P ::= \mathit{nil} \mid x \mid \alpha.P \mid \alpha \triangleright P \mid P_1 + P_2 \mid P_1 \parallel_A P_2 \mid P[F] \mid \mathit{rec}\,x.P$$
$$Q ::= P \mid \underline{\alpha}.P \mid \mu \triangleright Q \mid Q_1 + Q_2 \mid Q_1 \parallel_A Q_2 \mid Q[F] \mid \mathit{rec}\,x.Q$$

where nil is a constant, $x \in \mathcal{X}$, $\alpha \in \mathbb{A}_\tau$, $\mu \in \mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$, F is a general relabelling function and $A \subseteq \mathbb{A}$ possibly infinite. We say that a variable $x \in \mathcal{X}$ is guarded in Q if it only appears in the scope of some $\mu \in \mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$. We assume that recursion is guarded, i.e. for $\mathit{rec}\,x.Q$ variable x is guarded in Q. A process term is closed if every variable x is bound by the corresponding $\mathit{rec}\,x$-operator; the sets of closed timed process terms in $\tilde{\mathbb{P}}$ and $\tilde{\mathbb{P}}_1$, simply called processes and initial processes resp., are denoted by $\mathbb{P}$ and $\mathbb{P}_1$ resp.
We briefly describe the operators. The nil-process cannot perform any action, but may let time pass without limit. A trailing nil will often be omitted, so e.g. $a.b + c$ abbreviates $a.b.\mathit{nil} + c.\mathit{nil}$. $\mu.Q$ is (action-)prefixing known from CCS. Read-prefixed terms $a \triangleright Q$ and $\underline{a} \triangleright Q$ behave like Q except for the (lazy and urgent, resp.) non-blocking action a. In both cases a is always enabled until component Q evolves via some ordinary action; moreover, $\underline{a}$ stays urgent even if it is performed. $Q_1 + Q_2$ models the choice between processes $Q_1$ and $Q_2$. $Q_1 \parallel_A Q_2$ is the parallel composition of two processes $Q_1$ and $Q_2$ that run in parallel and have to synchronise on all actions from A; this synchronisation discipline is inspired from TCSP. $Q[F]$ behaves as Q but with the actions changed according to F. $\mathit{rec}\,x.Q$ models a recursive definition. We often use equations to define recursive processes, e.g. $P \Leftarrow a.P + b$; in contrast, ≡ stands for syntactically equal. Below we use the (syntactic) sort of a process that contains all visible actions the process can ever perform.

Definition 2.1 (sort) For a general relabelling function F let $\mathit{ib}(F) = \{\alpha \in \mathbb{A} \mid \emptyset \ne F^{-1}(\alpha) \ne \{\alpha\}\}$ (the image base of F); by definition of a general relabelling function, $\mathit{ib}(F)$ is finite. The sort of $Q \in \tilde{\mathbb{P}}$ is the set $\mathcal{L}(Q) = \{a \in \mathbb{A} \mid a \text{ occurs in } Q\} \cup \bigcup_{F \text{ occurs in } Q} \mathit{ib}(F)$.

The transitional semantics describing the functional behaviour of PAFAS$_r$ terms indicates which actions they can perform. We need two different transition relations, written $\xrightarrow{\alpha}_o$ and $\xrightarrow{\alpha}_r$ below, to describe, resp., the ordinary and the reading behaviour of PAFAS$_r$ processes. The functional behaviour is the union of these two kinds of behaviour.

Definition 2.2 (functional operational semantics) Let $Q \in \tilde{\mathbb{P}}$ and $\alpha \in \mathbb{A}_\tau$. We say that $Q \xrightarrow{\alpha} Q'$ if $Q \xrightarrow{\alpha}_o Q'$ or $Q \xrightarrow{\alpha}_r Q'$, where the SOS-rules defining the transition relations $\xrightarrow{\alpha}_o \subseteq (\tilde{\mathbb{P}} \times \tilde{\mathbb{P}})$ (the ordinary action transitions) and $\xrightarrow{\alpha}_r \subseteq (\tilde{\mathbb{P}} \times \tilde{\mathbb{P}})$ (the read action transitions) for $\alpha \in \mathbb{A}_\tau$ are given in Tables 1 and 2, resp.

Footnote: We do here without functions clean and unmark, used e.g. in [7] to get a closer relationship between states of untimed fair runs and timed non-Zeno runs. They do not change the behaviour (up to an injective bisimulation) and would complicate the setting.

As usual, we write $Q \xrightarrow{\alpha} Q'$ if $(Q, Q') \in \xrightarrow{\alpha}$ and $Q \xrightarrow{\alpha}$ if $Q \xrightarrow{\alpha} Q'$ for some $Q' \in \tilde{\mathbb{P}}$; and analogously for other types of transition relations.

Rule PREF$_o$ in Table 1 describes the behaviour of an action-prefixed process as usual in CCS. Note that timing can be disregarded: when an action is performed, one cannot see whether it was urgent or not, and thus $\underline{a}.P \xrightarrow{a}_o P$; furthermore, $a.P$ has to act within time 1, i.e. it can also act immediately, giving $a.P \xrightarrow{a}_o P$. Rule READ$_o$ says that $\mu \triangleright Q$ performs the same ordinary actions as Q, removing the read-prefix at the same time. Note that in rule PAR$_{o2}$, an ordinary action transition can synchronise with both an ordinary and a read action transition. The other rules are as expected. Symmetric rules have been omitted.

Table 1: Ordinary behaviour of PAFAS$_r$ processes

$$\mathrm{PREF}_o\ \frac{\mu \in \{\alpha, \underline{\alpha}\}}{\mu.P \xrightarrow{\alpha}_o P} \qquad \mathrm{READ}_o\ \frac{Q \xrightarrow{\alpha}_o Q'}{\mu \triangleright Q \xrightarrow{\alpha}_o Q'} \qquad \mathrm{SUM}_o\ \frac{Q_1 \xrightarrow{\alpha}_o Q_1'}{Q_1 + Q_2 \xrightarrow{\alpha}_o Q_1'}$$
$$\mathrm{PAR}_{o1}\ \frac{\alpha \notin A,\ Q_1 \xrightarrow{\alpha}_o Q_1'}{Q_1 \parallel_A Q_2 \xrightarrow{\alpha}_o Q_1' \parallel_A Q_2} \qquad \mathrm{PAR}_{o2}\ \frac{\alpha \in A,\ Q_1 \xrightarrow{\alpha}_o Q_1',\ Q_2 \xrightarrow{\alpha} Q_2'}{Q_1 \parallel_A Q_2 \xrightarrow{\alpha}_o Q_1' \parallel_A Q_2'}$$
$$\mathrm{REL}_o\ \frac{Q \xrightarrow{\alpha}_o Q'}{Q[F] \xrightarrow{F(\alpha)}_o Q'[F]} \qquad \mathrm{REC}_o\ \frac{Q\{\mathit{rec}\,x.Q / x\} \xrightarrow{\alpha}_o Q'}{\mathit{rec}\,x.Q \xrightarrow{\alpha}_o Q'}$$

Table 2: Reading behaviour of PAFAS$_r$ processes

$$\mathrm{READ}_{r1}\ \frac{\mu \in \{\alpha, \underline{\alpha}\}}{\mu \triangleright Q \xrightarrow{\alpha}_r \mu \triangleright Q} \qquad \mathrm{READ}_{r2}\ \frac{Q \xrightarrow{\alpha}_r Q'}{\mu \triangleright Q \xrightarrow{\alpha}_r \mu \triangleright Q'} \qquad \mathrm{SUM}_r\ \frac{Q_1 \xrightarrow{\alpha}_r Q_1'}{Q_1 + Q_2 \xrightarrow{\alpha}_r Q_1' + Q_2}$$
$$\mathrm{PAR}_{r1}\ \frac{\alpha \notin A,\ Q_1 \xrightarrow{\alpha}_r Q_1'}{Q_1 \parallel_A Q_2 \xrightarrow{\alpha}_r Q_1' \parallel_A Q_2} \qquad \mathrm{PAR}_{r2}\ \frac{\alpha \in A,\ Q_1 \xrightarrow{\alpha}_r Q_1',\ Q_2 \xrightarrow{\alpha}_r Q_2'}{Q_1 \parallel_A Q_2 \xrightarrow{\alpha}_r Q_1' \parallel_A Q_2'}$$
$$\mathrm{REL}_r\ \frac{Q \xrightarrow{\alpha}_r Q'}{Q[F] \xrightarrow{F(\alpha)}_r Q'[F]} \qquad \mathrm{REC}_r\ \frac{Q\{\mathit{rec}\,x.Q / x\} \xrightarrow{\alpha}_r Q'}{\mathit{rec}\,x.Q \xrightarrow{\alpha}_r Q'}$$

Most of the rules in Table 2 say that the execution of reading actions does not change the state of a term Q.
Rule READ$_{r2}$ is crucial to manage arbitrarily nested reading actions; contrast it with READ$_o$. Due to technical reasons, rule REC$_r$ allows unfolding of recursive terms; thus e.g. $\mathit{rec}\,x.a \triangleright b.x \xrightarrow{a}_r a \triangleright b.(\mathit{rec}\,x.a \triangleright b.x)$. Notice that this leads to a timed bisimilar process, cf. Section 4.

To give SOS-rules for the time steps of process terms, we consider (partial) time-steps like $Q \xrightarrow{X}_r Q'$ where the set $X \subseteq \mathbb{A}$ (called a refusal set) consists of non-urgent actions. Hence Q is justified in delaying, i.e. refusing them; Q can take part in a real time step only if it has to synchronise on its urgent actions, and these are delayed by the environment. If $X = \mathbb{A}$ then Q is fully justified in performing this full unit-time step; i.e., Q can perform it independently of the environment. If $Q \xrightarrow{\mathbb{A}}_r Q'$, we write $Q \xrightarrow{1} Q'$; we say that Q performs a 1-step.

Definition 2.3 (refusal transitional semantics) The inference rules in Table 3 define $\xrightarrow{X}_r \subseteq \tilde{\mathbb{P}} \times \tilde{\mathbb{P}}$ where $X \subseteq \mathbb{A}$. A refusal trace of a term $Q \in \tilde{\mathbb{P}}$ records from a run of Q which visible actions are performed ($Q \xrightarrow{a} Q'$, $a \in \mathbb{A}$) and which actions Q refuses to perform when time elapses ($Q \xrightarrow{X}_r Q'$, $X \subseteq \mathbb{A}$); i.e. a refusal trace of Q is the sequence of actions from $\mathbb{A}$ and refusal sets $\subseteq \mathbb{A}$ occurring in a finite transition sequence from Q (abstracting from τ-transitions).

Rule PREF$_{t1}$ says that $\alpha.P$ can let time pass and refuse to perform any action, while rule PREF$_{t2}$ says that $\underline{a}.P$ can let time pass in an appropriate context, but cannot refuse the action a. Process $\underline{\tau}.P$ cannot let time pass at all since, in any context, $\underline{\tau}.P$ has to perform τ before time can pass further. Rule PAR$_t$ defines which actions a parallel composition can refuse during a time-step. $Q_1 \parallel_A Q_2$ can refuse the action a if either $a \notin A$ and a can be refused by both $Q_1$ and $Q_2$, or $a \in A$ and at least one of $Q_1$ and $Q_2$ can delay it, forcing the other $Q_i$ to wait. Thus, an action is urgent (cannot be further delayed) only when all synchronising 'local' actions are urgent. The other rules are as expected.

Table 3: Refusal transitional semantics of PAFAS$_r$ processes

$$\mathrm{NIL}_t\ \ \mathit{nil} \xrightarrow{X}_r \mathit{nil} \qquad \mathrm{PREF}_{t1}\ \ \alpha.P \xrightarrow{X}_r \underline{\alpha}.P \qquad \mathrm{PREF}_{t2}\ \frac{\alpha \notin X \cup \{\tau\}}{\underline{\alpha}.P \xrightarrow{X}_r \underline{\alpha}.P}$$
$$\mathrm{READ}_{t1}\ \frac{Q \xrightarrow{X}_r Q'}{\alpha \triangleright Q \xrightarrow{X}_r \underline{\alpha} \triangleright Q'} \qquad \mathrm{READ}_{t2}\ \frac{Q \xrightarrow{X}_r Q',\ \alpha \notin X \cup \{\tau\}}{\underline{\alpha} \triangleright Q \xrightarrow{X}_r \underline{\alpha} \triangleright Q'}$$
$$\mathrm{SUM}_t\ \frac{Q_i \xrightarrow{X}_r Q_i' \ \text{ for } i = 1, 2}{Q_1 + Q_2 \xrightarrow{X}_r Q_1' + Q_2'} \qquad \mathrm{REL}_t\ \frac{Q \xrightarrow{F^{-1}(X \cup \{\tau\}) \setminus \{\tau\}}_r Q'}{Q[F] \xrightarrow{X}_r Q'[F]} \qquad \mathrm{REC}_t\ \frac{Q\{\mathit{rec}\,x.Q / x\} \xrightarrow{X}_r Q'}{\mathit{rec}\,x.Q \xrightarrow{X}_r Q'}$$
$$\mathrm{PAR}_t\ \frac{Q_i \xrightarrow{X_i}_r Q_i' \ \text{ for } i = 1, 2, \qquad X \subseteq (A \cap (X_1 \cup X_2)) \cup ((X_1 \cap X_2) \setminus A)}{Q_1 \parallel_A Q_2 \xrightarrow{X}_r Q_1' \parallel_A Q_2'}$$

Example 2.4
As an example for the definitions given so far, consider an array with two Boolean values t and f and define its behaviour as $B_{tf} \equiv P_t \parallel_A Q_f$ where

$$P_t \Leftarrow r_{tt} \triangleright (r_{1t} \triangleright w_{1f}.P_f) + r_{tf} \triangleright (r_{1t} \triangleright w_{1f}.P_f), \qquad Q_f \Leftarrow r_{tf} \triangleright (r_{2f} \triangleright w_{2t}.Q_t) + r_{ff} \triangleright (r_{2f} \triangleright w_{2t}.Q_t)$$

and $A = \{r_{ij} \mid i, j \in \{t, f\}\}$. Actions $r_{ij}$, where $i, j \in \{t, f\}$, allow reading both entries at the same time, while $r_{kj}$ and $w_{kj}$ represent, resp., the reading and the writing of the value $j \in \{t, f\}$ for the entry $k \in \{1, 2\}$. By rules READ$_{r1}$ and READ$_{r2}$, $B_{tf} \xrightarrow{r_{tf}}_r B_{tf}$ and $B_{tf} \xrightarrow{r_{1t}}_r B_{tf}$, describing non-blocking reading. $P_t$ offers a choice between $r_{tf}$ and $r_{tt}$, where synchronisation disallows the latter. Performing $w_{1f}$ after a 1-step does not change the second component, so $r_{2f}$ is still urgent; this shows that $w_{1f}$ does not block $r_{2f}$. With just one type of action transition, $P_t$ would lose the prefix $r_{tf} \triangleright$ when performing $r_{1t}$. Only the execution of an ordinary action can change the state of the array, e.g. $B_{tf} \xrightarrow{w_{1f}}_o B_{ff} \equiv P_f \parallel_A Q_f$ by rule READ$_o$.

In [11], it is shown that inclusion of refusal traces characterises an efficiency preorder which is intuitively justified by a testing scenario. In this sense, e.g. $P \equiv a \triangleright b$ is faster than the functionally equivalent $Q \equiv \mathit{rec}\,x.(a.x + b)$, since only the latter has the refusal traces $1a(1a)^*$: after $1a$, Q returns to itself, since recursion unfolding creates fresh a and b; intuitively, b is disabled during the occurrence of a, so a and also b can be delayed again. In contrast, after a time step and any number of a's, P turns into $\underline{a} \triangleright \underline{b}$ and no further 1-step is possible. Since read actions do not block or delay other activities, they make processes faster and, hence, have an impact on the timed behaviour of systems. If a models the reading of a value stored by P or Q and two parallel processes want to read it, this should take at most time 1 in a setting with non-blocking reads. And indeed, whereas $Q \parallel_{\{a\}} (a \parallel_\emptyset a)$ has the refusal trace $1a1a$, this behaviour is not possible for $P \parallel_{\{a\}} (a \parallel_\emptyset a)$. Thus, P offers a faster service.

Another application of refusal traces is the modelling of weak fairness of actions. Weak fairness requires that an action must be performed whenever continuously enabled in a run. Thus, a run from P with infinitely many a's is not fair; the read action does not block b or change the state, so the same b is always enabled but never performed. In contrast, if Q performs a, a fresh b is created; in conformance to [12], a run with infinitely many a's is fair. In [10], generalising [7], fair traces for PAFAS$_r$ (and PAFAS$_s$) are first defined in an intuitive, but very complex fashion in the spirit of [12] and then characterised: they are the sequences of visible actions occurring in transition sequences with infinitely many 1-steps. Due to lack of space, we cannot properly formulate this as a theorem, but take it as a (time-based) definition of fair traces instead; $\mathit{FairL}(R)$ is the set of fair traces of R. With this, infinitely many a's are a fair trace of Q since it can repeat $1a$ indefinitely, but the fair traces of finite-state P are those that end with b. This shows an added expressivity of read prefixes:

Theorem 2.5
If $R \in \tilde{\mathbb{P}}$ is a finite-state process without read-prefixes and with sort $\mathcal{L}(R) = \{a, b\}$, then $\mathit{FairL}(R) \ne \{a^i b \mid i \ge 0\} = \mathit{FairL}(a \triangleright b)$.

We can view fairness as imposing a kind of priority for b in P since, in contrast to a, it must be executed in a fair trace. This is of course very different from the usual treatment of priorities [6], since a can be preferred to b for a number of times. The following example shows that read actions can model more than two levels of priority.

Example 2.6 In $P \equiv a \triangleright ((\mathit{rec}\,x.b.x) \parallel_{\{b\}} b \triangleright c)$, there are three levels of priority: in a fair trace we can perform arbitrarily many a's while both b and c remain enabled and have priority; so far, we can have at most one 1-step. If b occurs, the action a disappears but we can perform arbitrarily many b's while c remains enabled and has priority, with, still, at most one 1-step. Formally, with a 1-step P evolves into $P_1 \equiv \underline{a} \triangleright (\underline{b}.(\mathit{rec}\,x.b.x) \parallel_{\{b\}} \underline{b} \triangleright \underline{c})$. $P_1$ can perform an a to itself, a c (and become $\underline{b}.(\mathit{rec}\,x.b.x) \parallel_{\{b\}} \mathit{nil}$), or repeated b's to $(\mathit{rec}\,x.b.x) \parallel_{\{b\}} \underline{b} \triangleright \underline{c}$; no further 1-steps are possible due to the urgent c; so in a fair trace, finally c is performed to $(\mathit{rec}\,x.b.x) \parallel_{\{b\}} \mathit{nil}$, where infinitely many 1-steps are possible.

3 PAFAS$_s$

The special reading transitions of PAFAS$_r$ are needed to properly derive e.g. $P \equiv a \triangleright b \triangleright Q \xrightarrow{b} a \triangleright b \triangleright Q$. To get a simpler semantics, the idea is to collect all enabled reading actions of a 'sequential component' in a set and write e.g. P as $\{a, b\} \triangleright Q$. Thus, we define a new kind of read operator $\{\mu_1, \dots, \mu_n\} \triangleright Q$ with a slightly different syntax. In this way we try to avoid terms with nested reading actions and, as a consequence, we can describe the behaviour of the new PAFAS$_s$ processes by means of a simpler timed operational semantics with just one type of action transition.
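The following Python program is an added example, not code from the paper or from the authors' tool FASE: it implements Tables 1 to 3 for the PAFAS$_r$ fragment without relabelling (terms are nested tuples, and an `urgent` flag stands for the underlined copy of an action) and checks mechanically the claims made above: the nested-read derivation $a \triangleright b \triangleright Q \xrightarrow{b} a \triangleright b \triangleright Q$, the missing second 1-step of $a \triangleright b$ after $1a$, and the refusal trace $1a1a$ of $Q \parallel_{\{a\}} (a \parallel_\emptyset a)$ that $P \parallel_{\{a\}} (a \parallel_\emptyset a)$ lacks. A time step is summarised by the set of visible actions the term cannot refuse, which is adequate here because in Table 3 the successor of a time step does not depend on the refusal set X. All function and constant names are the example's own.

```python
# Added example (not the authors' code): interpreter for PAFAS_r without relabelling.
# Terms: ('nil',) | ('var', x) | ('pref', a, urgent, P) | ('read', a, urgent, Q)
#        | ('sum', Q1, Q2) | ('par', A, Q1, Q2) | ('rec', x, Q);  urgent=True = underlined action
TAU = 'tau'
NIL = ('nil',)

def pref(a, P, urgent=False): return ('pref', a, urgent, P)
def read(a, Q, urgent=False): return ('read', a, urgent, Q)
def par(A, Q1, Q2): return ('par', frozenset(A), Q1, Q2)

def subst(Q, x, R):
    """Q{R/x}; recursion variables in the sample terms are distinct, so no capture arises."""
    t = Q[0]
    if t == 'var': return R if Q[1] == x else Q
    if t in ('pref', 'read'): return (t, Q[1], Q[2], subst(Q[3], x, R))
    if t == 'sum': return ('sum', subst(Q[1], x, R), subst(Q[2], x, R))
    if t == 'par': return ('par', Q[1], subst(Q[2], x, R), subst(Q[3], x, R))
    if t == 'rec': return Q if Q[1] == x else ('rec', Q[1], subst(Q[2], x, R))
    return Q

def unfold(Q):  # rec x.Q  ->  Q{rec x.Q / x}
    return subst(Q[2], Q[1], Q)

def ordinary(Q):
    """Table 1: ordinary action transitions as a set of (action, successor) pairs."""
    t = Q[0]
    if t == 'pref': return {(Q[1], Q[3])}                      # PREF_o (urgency invisible)
    if t == 'read': return ordinary(Q[3])                      # READ_o drops the read prefix
    if t == 'sum': return ordinary(Q[1]) | ordinary(Q[2])      # SUM_o and its symmetric rule
    if t == 'rec': return ordinary(unfold(Q))                  # REC_o
    if t == 'par':
        A, Q1, Q2 = Q[1], Q[2], Q[3]
        res = set()
        for a, Q1n in ordinary(Q1):                            # PAR_o1 / PAR_o2
            if a not in A: res.add((a, ('par', A, Q1n, Q2)))
            else: res |= {(a, ('par', A, Q1n, Q2n)) for b, Q2n in steps(Q2) if b == a}
        for a, Q2n in ordinary(Q2):                            # symmetric rules
            if a not in A: res.add((a, ('par', A, Q1, Q2n)))
            else: res |= {(a, ('par', A, Q1n, Q2n)) for b, Q1n in steps(Q1) if b == a}
        return res
    return set()

def reading(Q):
    """Table 2: read action transitions; a read prefix is kept, never consumed."""
    t = Q[0]
    if t == 'read':                                            # READ_r1 and READ_r2
        return {(Q[1], Q)} | {(b, ('read', Q[1], Q[2], Qn)) for b, Qn in reading(Q[3])}
    if t == 'sum':                                             # SUM_r and its symmetric rule
        return ({(a, ('sum', Q1n, Q[2])) for a, Q1n in reading(Q[1])} |
                {(a, ('sum', Q[1], Q2n)) for a, Q2n in reading(Q[2])})
    if t == 'rec': return reading(unfold(Q))                   # REC_r
    if t == 'par':                                             # PAR_r1 / PAR_r2
        A, Q1, Q2 = Q[1], Q[2], Q[3]
        r1, r2 = reading(Q1), reading(Q2)
        return ({(a, ('par', A, Q1n, Q2)) for a, Q1n in r1 if a not in A} |
                {(a, ('par', A, Q1, Q2n)) for a, Q2n in r2 if a not in A} |
                {(a, ('par', A, Q1n, Q2n)) for a, Q1n in r1 for b, Q2n in r2 if a == b and a in A})
    return set()

def steps(Q):  # Definition 2.2: the functional behaviour is the union of both relations
    return ordinary(Q) | reading(Q)

def timestep(Q):
    """Table 3, summarised: (U, Q') where U = visible actions Q cannot refuse, so that
    Q --X-->_r Q' holds exactly for X disjoint from U; None if Q cannot let time pass."""
    t = Q[0]
    if t == 'nil': return (frozenset(), Q)                                    # NIL_t
    if t == 'pref':
        if not Q[2]: return (frozenset(), ('pref', Q[1], True, Q[3]))         # PREF_t1
        return None if Q[1] == TAU else (frozenset([Q[1]]), Q)                # PREF_t2
    if t == 'read':
        inner = timestep(Q[3])
        if inner is None: return None
        U, Qn = inner
        if not Q[2]: return (U, ('read', Q[1], True, Qn))                     # READ_t1
        return None if Q[1] == TAU else (U | {Q[1]}, ('read', Q[1], True, Qn))  # READ_t2
    if t == 'sum':                                                            # SUM_t
        s1, s2 = timestep(Q[1]), timestep(Q[2])
        if s1 is None or s2 is None: return None
        return (s1[0] | s2[0], ('sum', s1[1], s2[1]))
    if t == 'par':                                                            # PAR_t
        A, s1, s2 = Q[1], timestep(Q[2]), timestep(Q[3])
        if s1 is None or s2 is None: return None
        U1, U2 = s1[0], s2[0]
        # a in A stays refusable if either side can refuse it; a not in A only if both can
        return ((U1 & U2 & A) | ((U1 | U2) - A), ('par', A, s1[1], s2[1]))
    if t == 'rec': return timestep(unfold(Q))                                 # REC_t
    return None

def full_step(Q):  # a 1-step Q --A-->_r Q': possible iff nothing is urgent
    s = timestep(Q)
    return s[1] if s is not None and not s[0] else None

def has_refusal_trace(Q, trace):
    """Is `trace` (1 = 1-step, otherwise a visible action taken by an ordinary or read
    transition) the labelling of some transition sequence from Q? (The samples contain no tau.)"""
    if not trace: return True
    head, rest = trace[0], trace[1:]
    if head == 1:
        Qn = full_step(Q)
        return Qn is not None and has_refusal_trace(Qn, rest)
    return any(has_refusal_trace(Qn, rest) for a, Qn in steps(Q) if a == head)

# Sample terms (constructed): P = a ⊲ b, Q = rec x.(a.x + b), two lazy readers, and a ⊲ b ⊲ c.
P_READ = read('a', pref('b', NIL))
Q_REC = ('rec', 'x', ('sum', pref('a', ('var', 'x')), pref('b', NIL)))
READERS = par(set(), pref('a', NIL), pref('a', NIL))
TWO_READERS_P = par({'a'}, P_READ, READERS)
TWO_READERS_Q = par({'a'}, Q_REC, READERS)
NESTED = read('a', read('b', pref('c', NIL)))

if __name__ == '__main__':
    print(has_refusal_trace(Q_REC, [1, 'a', 1, 'a']), has_refusal_trace(P_READ, [1, 'a', 1]))
    print(has_refusal_trace(TWO_READERS_Q, [1, 'a', 1, 'a']), has_refusal_trace(TWO_READERS_P, [1, 'a', 1, 'a']))
```

The second printed pair is the "faster service" claim: with the read prefix, both readers are served within one time unit (trace $1aa$ exists, $1a1a$ does not), while with $Q$ the second reader may be delayed into a second time unit.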
A price to pay is that not all PAFAS$_s$ processes have a reasonable semantics; but the subset with a reasonable semantics is practically expressive enough (e.g. for expressing MUTEX solutions adequately) due to the set of reading actions, cf. [9].

Footnote: Observe that [9] just contains the application presented in [10]; PAFAS$_r$ is not treated there at all.

The sets $\tilde{\mathbb{S}}_1$ of initial (timed) process terms P and $\tilde{\mathbb{S}}$ of (general) (timed) process terms Q are generated by the following grammar:

$$P ::= \mathit{nil} \mid x \mid \alpha.P \mid \{\alpha_1, \dots, \alpha_n\} \triangleright P \mid P_1 + P_2 \mid P_1 \parallel_A P_2 \mid P[F] \mid \mathit{rec}\,x.P$$
$$Q ::= P \mid \underline{\alpha}.P \mid \{\mu_1, \dots, \mu_n\} \triangleright Q \mid Q_1 + Q_2 \mid Q_1 \parallel_A Q_2 \mid Q[F] \mid \mathit{rec}\,x.Q$$

where nil is a constant, $x \in \mathcal{X}$, $\alpha \in \mathbb{A}_\tau$, $\{\alpha_1, \dots, \alpha_n\} \subseteq \mathbb{A}_\tau$ is finite, $\{\mu_1, \dots, \mu_n\}$ is a finite subset of $\mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$ that cannot contain two copies (one lazy and the other one urgent) of the same action α, i.e. $|\{\alpha, \underline{\alpha}\} \cap \{\mu_1, \dots, \mu_n\}| \le 1$ for all $\alpha \in \mathbb{A}_\tau$. Again, F is a general relabelling function and $A \subseteq \mathbb{A}$ possibly infinite. Also in this section, recursion is guarded. The sets of closed timed process terms in $\tilde{\mathbb{S}}$ and $\tilde{\mathbb{S}}_1$, simply called processes and initial processes resp., are $\mathbb{S}$ and $\mathbb{S}_1$ resp.

Definition 3.1 (functional operational semantics) The SOS-rules defining the transition relations $\xrightarrow{\alpha} \subseteq (\tilde{\mathbb{S}} \times \tilde{\mathbb{S}})$ (the action transitions) are those in Table 1 where we replace the rule READ$_o$ with:

$$\mathrm{READ}_{s1}\ \frac{\mu_i \in \{\alpha, \underline{\alpha}\}}{\{\mu_1, \dots, \mu_n\} \triangleright Q \xrightarrow{\alpha} \{\mu_1, \dots, \mu_n\} \triangleright Q} \qquad \mathrm{READ}_{s2}\ \frac{Q \xrightarrow{\alpha} Q'}{\{\mu_1, \dots, \mu_n\} \triangleright Q \xrightarrow{\alpha} Q'}$$

Definition 3.2 (refusal transitional semantics) The inference rules defining the transition relation $\xrightarrow{X}_r \subseteq \tilde{\mathbb{S}} \times \tilde{\mathbb{S}}$ where $X \subseteq \mathbb{A}$ are those in Table 3 where we replace the rules READ$_{t1}$ and READ$_{t2}$ with:

$$\mathrm{READ}_t\ \frac{Q \xrightarrow{X}_r Q', \quad \mathcal{U}(\{\mu_1, \dots, \mu_n\}) \cap (X \cup \{\tau\}) = \emptyset}{\{\mu_1, \dots, \mu_n\} \triangleright Q \xrightarrow{X}_r \underline{\{\mu_1, \dots, \mu_n\}} \triangleright Q'}$$

where $\mathcal{U}(\{\mu_1, \dots, \mu_n\}) = \{\alpha \mid \mu_i = \underline{\alpha} \text{ for some } i \in [1, n]\}$ and $\underline{\{\mu_1, \dots, \mu_n\}}$ is the set obtained from $\{\mu_1, \dots, \mu_n\}$ by replacing each α by $\underline{\alpha}$.

A term $Q \in \tilde{\mathbb{S}}$ is read-guarded if every subterm of Q of the form $\{\mu_1, \dots, \mu_n\} \triangleright Q'$ is in the scope of some action prefix $\mu.(\,)$. $Q \in \tilde{\mathbb{S}}$ is read-proper if each subterm $Q_1 + Q_2$ is read-guarded and, for each subterm $\{\mu_1, \dots, \mu_n\} \triangleright Q$, Q is read-guarded. We say that Q is x-proper if any free x is guarded in any subterm $Q_1 + Q_2$, $\{\mu_1, \dots, \mu_n\} \triangleright Q$ and $\mathit{rec}\,y.Q$. Q is rec-proper if for any subterm $\mathit{rec}\,x.Q$, Q is either read-guarded or x-proper. A term Q is proper if it is read- and rec-proper. Below, we will prove that proper terms have a reasonable semantics by relating them to PAFAS$_r$ processes with the same behaviour. An important feature of properness is that processes without read-prefixes are proper.

According to the definitions given so far, neither $P \equiv \{a\} \triangleright \{b\} \triangleright Q$ nor $P' \equiv \{a\} \triangleright Q' + \{b\} \triangleright Q$ are read-proper because of $\{b\} \triangleright Q$. An essential idea of reading is that it does not change the state of a process and therefore does not block other actions. With this, we should have $P \xrightarrow{b} P$, but really we have $P \xrightarrow{b} \{b\} \triangleright Q$. Similarly, we have $P' \xrightarrow{b} \{b\} \triangleright Q$ instead of $P' \xrightarrow{b} P'$. Hence, we exclude such processes. There is also a problem with the term $P \equiv \mathit{rec}\,x.\{a\} \triangleright b.(c + x)$. Indeed, P can perform a b and evolve to $c + \mathit{rec}\,x.\{a\} \triangleright b.(c + x)$, which is not read-proper. Since the body of this recursion is not read-guarded, x has to be treated as a read-prefix term, i.e. the body has to be x-proper. A subtle detail is the consideration of recursive subterms in the definition of x-proper. Without this detail, $Q \equiv \mathit{rec}\,x.\{a\} \triangleright b.\mathit{rec}\,y.(c.(c + y) \parallel_\emptyset x)$ would be proper. But $Q \xrightarrow{b} \mathit{rec}\,y.(c.(c + y) \parallel_\emptyset Q) \xrightarrow{c} (c + \mathit{rec}\,y.(c.(c + y) \parallel_\emptyset Q)) \parallel_\emptyset Q$. Notice that $\mathit{rec}\,y.(c.(c + y) \parallel_\emptyset Q)$, and hence $c + \mathit{rec}\,y.(c.(c + y) \parallel_\emptyset Q)$, is not read-proper.

In contrast to the restriction to proper terms, we can freely use read-prefixes in PAFAS$_r$, see e.g. the process in Example 2.4; this would have the wrong semantics in PAFAS$_s$, i.e. if we change $r_{ij} \triangleright$ and $r_{kj} \triangleright$ (for $i, j \in \{t, f\}$ and $k \in \{1, 2\}$) into $\{r_{ij}\} \triangleright$ and $\{r_{kj}\} \triangleright$. The restriction only makes sense because of Prop. 3.3, which requires a careful, detailed proof.

Proposition 3.3
Let $Q \in \tilde{\mathbb{S}}$ be proper. $Q \xrightarrow{\alpha} Q'$ or $Q \xrightarrow{X}_r Q'$ implies $Q'$ proper.

Actually, the result in [10] is not correct since we used an insufficient restriction there. But, luckily, the PAFAS$_s$ process we used to model Dekker's MUTEX algorithm is proper. This can be easily seen since proper processes are closed w.r.t. parallel composition and relabelling.

Footnote (to Definition 3.1): To be formally precise, we have to replace all arrows in Table 1 by $\xrightarrow{\alpha}$.

4 Expressiveness of PAFAS$_s$

In this section we compare the expressivity of PAFAS$_s$ with that of PAFAS$_r$ and Petri nets. A first result shows that for each proper $Q \in \tilde{\mathbb{S}}$ there is a term in $\tilde{\mathbb{P}}$ whose behaviour is (timed) bisimilar and even isomorphic to that of Q.

Definition 4.1 (timed bisimulation) A binary relation $\mathcal{S} \subseteq \mathbb{P} \times \mathbb{P}$ over processes is a timed bisimulation if $(Q, R) \in \mathcal{S}$ implies, for all $\alpha \in \mathbb{A}_\tau$ and all $X \subseteq \mathbb{A}$:
- whenever $Q \xrightarrow{\alpha}_o Q'$ ($Q \xrightarrow{\alpha}_r Q'$, $Q \xrightarrow{X}_r Q'$) then, for some $R'$, $R \xrightarrow{\alpha}_o R'$ ($R \xrightarrow{\alpha}_r R'$, $R \xrightarrow{X}_r R'$, resp.) and $(Q', R') \in \mathcal{S}$;
- whenever $R \xrightarrow{\alpha}_o R'$ ($R \xrightarrow{\alpha}_r R'$, $R \xrightarrow{X}_r R'$) then, for some $Q'$, $Q \xrightarrow{\alpha}_o Q'$ ($Q \xrightarrow{\alpha}_r Q'$, $Q \xrightarrow{X}_r Q'$, resp.) and $(Q', R') \in \mathcal{S}$.

Two processes $Q, R \in \tilde{\mathbb{P}}$ are timed bisimilar (bisimilar for short, written $Q \sim R$) if $(Q, R) \in \mathcal{S}$ for some timed bisimulation $\mathcal{S}$. This definition is extended to open terms as usual; two open terms are bisimilar if they are so for all closed substitutions. It can be proved in a standard fashion that timed bisimilarity is a congruence w.r.t. all PAFAS$_r$ operators. The same definition, but omitting the reading transitions, applies to PAFAS$_s$.

We start by providing a translation function $[\![\,]\!]_r$ that maps terms in $\tilde{\mathbb{S}}$ into corresponding terms in $\tilde{\mathbb{P}}$; to regard $[\![\,]\!]_r$ as a function in the read-case, we have to assume that actions are totally ordered, and that the actions of a read-set are listed according to this order.

Definition 4.2 (a translation function) For $Q \in \tilde{\mathbb{S}}$ proper, $[\![Q]\!]_r$ is defined by induction on Q (subterms of Q are also proper) as follows:

Nil, Var, Pref: $[\![\mathit{nil}]\!]_r \equiv \mathit{nil}$, $[\![x]\!]_r \equiv x$, $[\![\mu.P]\!]_r \equiv \mu.[\![P]\!]_r$
Read: $[\![\{\mu_1, \dots, \mu_n\} \triangleright Q]\!]_r \equiv \mu_1 \triangleright \dots \triangleright \mu_n \triangleright [\![Q]\!]_r$
Sum: $[\![Q_1 + Q_2]\!]_r \equiv [\![Q_1]\!]_r + [\![Q_2]\!]_r$
Par: $[\![Q_1 \parallel_A Q_2]\!]_r \equiv [\![Q_1]\!]_r \parallel_A [\![Q_2]\!]_r$
Rel: $[\![Q[F]]\!]_r \equiv [\![Q]\!]_r[F]$
Rec: $[\![\mathit{rec}\,x.Q]\!]_r \equiv \mathit{rec}\,x.[\![Q]\!]_r$

This translation is pretty obvious, but its correctness is not; observe that Theorem 4.3 does not hold for all PAFAS$_s$ processes; cf. the processes $P \equiv \{a\} \triangleright \{b\} \triangleright Q$ and $P' \equiv \{a\} \triangleright Q' + \{b\} \triangleright Q$ at the end of Section 3. Function $[\![\,]\!]_r$ is injective on proper terms; except for the read-case, this is easy since $[\![\,]\!]_r$ preserves all other operators. In the read-case, Q is read-guarded, i.e. the top-operator of Q and $[\![Q]\!]_r$ is not ⊲; the read-set can be read off from $[\![\{\mu_1, \dots, \mu_n\} \triangleright Q]\!]_r$ as the maximal sequence of ⊲-prefixes the term starts with. With this observation, the following result, together with Prop. 3.3, shows that $[\![\,]\!]_r$ is an isomorphism between labelled transition systems, if we restrict them, on the one hand, to proper terms and their transitions and, on the other, to the images of proper terms and the transitions of these images.

Theorem 4.3
For all proper $Q \in \tilde{\mathbb{S}}$:
1. $Q \xrightarrow{\alpha} Q'$ ($Q \xrightarrow{X}_r Q'$) implies $[\![Q]\!]_r \xrightarrow{\alpha} [\![Q']\!]_r$ ($[\![Q]\!]_r \xrightarrow{X}_r [\![Q']\!]_r$, resp.);
2. if $[\![Q]\!]_r \xrightarrow{\alpha} Q''$ ($[\![Q]\!]_r \xrightarrow{X}_r Q''$) then $Q \xrightarrow{\alpha} Q'$ ($Q \xrightarrow{X}_r Q'$) with $[\![Q']\!]_r \equiv Q''$.

The above theorem shows that the expressivity of proper PAFAS$_s$ processes is at most that of PAFAS$_r$. On the other hand, it is enough to model safe Petri nets with read-arcs. To illustrate the proof idea, which is based on a well-known view of a net as a parallel composition, consider an empty place of a net with preset $\{t_1, t_2\}$ and postset $\{t_3, t_4\}$, and being read by $t_5$ and $t_6$. This is translated into process $P_0$ with $P_0 \Leftarrow t_1.P_1 + t_2.P_1$ and $P_1 \Leftarrow \{t_5, t_6\} \triangleright (t_3.P_0 + t_4.P_0)$; $P_1$ models the marked place. All the analogous translations of places are composed in parallel, synchronising each time over all common actions (e.g. net transitions). Finally, a relabelling corresponding to the labelling of the net is applied.

Theorem 4.4 For each safe Petri net with read-arcs as in [22] there is a bisimilar proper PAFAS$_s$ process.

5 From PAFAS$_r$ to PAFAS$_s$

In this section we study the problem whether PAFAS$_r$ is more expressive than PAFAS$_s$ or whether each PAFAS$_r$ term can be translated into a bisimilar proper PAFAS$_s$ term. We first exhibit a subset of $\tilde{\mathbb{P}}$ that is essentially the image of $[\![\,]\!]_r$ and so has an easy translation; we say these terms are in read normal form (RNF) (see Def. 5.1). We then discuss how PAFAS$_r$ terms can be brought into RNF and illustrate, by means of examples, the problems of such a normalisation.

Definition 5.1 (read normal form) For PAFAS$_r$ terms, we define read-guarded, and x- and rec-proper as above except for considering read-action prefixes instead of read-set prefixes. We call such a term ra-proper if each subterm $Q_1 + Q_2$ is read-guarded, and for each subterm $\mu \triangleright Q'$ either $Q'$ is read-guarded or $Q' \equiv \nu \triangleright Q''$. A term is in RNF if it is rec- and ra-proper. The sets of terms and processes in RNF are denoted by $\tilde{\mathbb{P}}_{rn}$ and $\mathbb{P}_{rn}$, resp.

Below we provide the function that translates each $Q \in \tilde{\mathbb{P}}_{rn}$ into a proper term in $\tilde{\mathbb{S}}$. We will need an additional function to deal with read prefixes. A term such as $\mu \triangleright Q$ is in RNF if either Q is read-guarded or, by iterative applications of Def. 5.1, Q has the form $\mu_1 \triangleright \dots \triangleright \mu_n \triangleright Q_n$ where $Q_n \in \tilde{\mathbb{P}}_{rn}$ is read-guarded. In the latter case, the actions $\mu_1, \dots, \mu_n$ must be collected in a read set. Since read sets cannot contain multiple copies (lazy and urgent) of the same action α, we use the following notation: if $\mu_1, \dots, \mu_n$ are generic actions in $\mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$, $[\![\mu_1, \dots, \mu_n]\!]$ denotes the set of actions $\{\nu_1, \dots, \nu_m\}$ such that: (1) $\exists i \in [1, m]$ with $\nu_i = \underline{\alpha}$ iff $\exists j \in [1, n]$ with $\mu_j = \underline{\alpha}$; (2) $\exists i \in [1, m]$ with $\nu_i = \alpha$ iff $\exists j \in [1, n]$ such that $\mu_j = \alpha$ and, for each $k \in [1, n]$, $\mu_k \ne \underline{\alpha}$.
Definition 5.2 (a translation function from $\tilde{P}_{rn}$ to $\tilde{S}$) For $Q \in \tilde{P}_{rn}$, we define the process term $[\![Q]\!]_s \in \tilde{S}$ by induction on $Q$ as in Definition 4.2 except for:

Read: $[\![m \rhd Q]\!]_s \equiv [\![m, m_1, \cdots, m_n]\!] \rhd [\![Q_n]\!]_s$ if $Q \equiv m_1 \rhd \cdots \rhd m_n \rhd Q_n$ and $Q_n$ is read-guarded.

With the laws L1 and L2 below, we can rearrange successive read-action prefixes in a process in RNF such that the result is in the image of $[\![\,.\,]\!]_r$, which essentially proves the second item of the following result.

Theorem 5.3 For all $Q \in \tilde{P}_{rn}$:
1. $Q \xrightarrow{a} Q'$ or $Q \xrightarrow{X}_r Q'$ imply $Q' \in \tilde{P}_{rn}$;
2. $Q$ and $[\![Q]\!]_s$ are timed bisimilar (in the sense of PAFAS$_s$).

Translating terms into read normal form

For translating a term that is not in read normal form, one idea is to use laws to rewrite the term into a bisimilar one in RNF. E.g. although $(a \rhd b) + c$ does not belong to $\tilde{P}_{rn}$, it has the same timed behaviour as $a \rhd (b + c) \in \tilde{P}_{rn}$, cf. L3.

Besides commutativity and associativity of $+$ and $\parallel$, we have shown the laws in Fig. 1. Here, $F\{a' \to a\}$ denotes the relabelling function that renames $a'$ to $a$, and all other actions as $F$. For the discussion, we also write $[a' \to a]$ as a shorthand for $F_I\{a' \to a\}$ where $F_I$ is the identity relabelling function.

L1 $m \rhd (n \rhd Q) \sim n \rhd (m \rhd Q)$
L2 $a \rhd (m \rhd Q) \sim m \rhd Q$, $\underline{a} \rhd (m \rhd Q) \sim \underline{a} \rhd Q$, provided that $m \in \{a, \underline{a}\}$
L3 $(m \rhd Q) + R \sim m \rhd (Q + R)$
L4 $a \rhd (Q_1 \parallel_A Q_2) \sim ((a \rhd Q_1) \parallel_{A \cup \{a\}} (a \rhd Q_2))$, $\underline{a} \rhd (Q_1 \parallel_A Q_2) \sim ((\underline{a} \rhd Q_1) \parallel_{A \cup \{a\}} (\underline{a} \rhd Q_2))$, provided that $a \notin L(Q_1 \parallel_A Q_2)$
L5 $(a \rhd Q)[F] \sim F(a) \rhd (Q[F])$, $(\underline{a} \rhd Q)[F] \sim \underline{F(a)} \rhd (Q[F])$
L6 $(Q[F])[Y] \sim Q[Y \circ F]$
L7 $rec\,x.Q \sim Q\{rec\,x.Q / x\}$

Figure 1: A set of laws

The idea of the translation into RNF is to perform rewriting by induction on the term size; since action-prefix, parallel composition and relabelling preserve RNF, these operators are no problem. Read-prefixes $m \rhd Q$ can be dealt with by distributing $m$ among $Q$'s components. But choice and recursion still pose unsolved problems.

Regarding read prefixes, we have to show the stronger claim that for each $Q$ in RNF we can normalise $m \rhd Q$ in such a way that, for any variable $y$, $y$ guarded in $Q$ implies $y$ guarded in the RNF, and if additionally $Q$ is $y$-proper this is also preserved. The proof is by induction on $Q$; some cases are easy because $m \rhd Q$ is in RNF itself (by the definition of RNF or by induction). We consider one of the three remaining cases, namely the Par-case. The Rel-case is easier, while the Rec-case is much more complicated. Their proofs can be found in the appendix.
For a fresh action $a'$ we have: $a \rhd (Q_1 \parallel_A Q_2) \sim (a' \rhd (Q_1 \parallel_A Q_2))[a' \to a] \sim ((a' \rhd Q_1) \parallel_{A \cup \{a'\}} (a' \rhd Q_2))[a' \to a]$ by L4, and then we are done by induction. The case of an $\underline{a}$-read-prefix is similar.

The case of choice is particularly tricky whenever one of the two alternatives is a parallel composition. Hence, we now concentrate on the following problem: let $Q$, $R \equiv R_1 \parallel_A R_2$ be terms in RNF; is there an $S$ in RNF such that $S \sim Q + R$?

First, observe that we can rewrite $Q$ into $Q'$ by replacing all actions (also in relabellings) by fresh copies, such that $Q'$ and $R$ have disjoint sorts. Then, we can try to bring $Q' + R$ into RNF and finally apply a relabelling that 'undoes' the rewrite (cf. the last example above). This would give us a bisimilar term in RNF for $Q + R$. From now on we assume that $Q$ and $R$ have disjoint sorts.

If $Q$ is deterministic (i.e. it never performs $\tau$ and never performs an action in two different ways), we have the law $Q + (R_1 \parallel_A R_2) \sim (Q + R_1) \parallel_{A \cup L(Q)} (Q + R_2)$. Thus, to find $S$ we now simply normalise the two components inductively. In general, this law fails: for $Q \equiv a.b + a.c$, $Q + R$ evolves with $a$ into either $b$ or $c$. But $(Q + R_1) \parallel_{A \cup \{a, b, c\}} (Q + R_2)$ can perform $a$ and evolve into the deadlocked $b \parallel_{A \cup \{a, b, c\}} c$.

A new idea that will work in many cases is to replace the second copy of $Q$ by its 'top-part' that can perform the same time steps and the same initial actions as $Q$, but deadlocks after an ordinary action; additionally, not all of $L(Q)$ but only the initial actions are added to the synchronisation set: in our example, $((a.b + a.c) + R_1) \parallel_{A \cup \{a\}} (a + R_2)$ is bisimilar to $Q + R$ and could, in principle, be normalised inductively. This idea must be adapted in case of read prefixes. Consider $Q \equiv a \rhd b.c$; here, the top-part is $a \rhd b$, i.e. $Q + R$ is bisimilar to $(a \rhd b.c + R_1) \parallel_{A \cup \{a, b\}} (a \rhd b + R_2)$ (in particular, both terms remain unchanged when performing $a$). Another problem is that initial actions may also be performed later, e.g. in $Q \equiv a \rhd b.a$; again, rewriting plus later relabelling helps. In the example, $Q + R$ is bisimilar to $((e \rhd b.c + R_1) \parallel_{A \cup \{e, b\}} (e \rhd b + R_2))[e \to a]$, and the terms $e \rhd b.c + R_1$ and $e \rhd b + R_2$ are again smaller than $Q + R$.

But what is the top-part for $Q \equiv a \parallel_\emptyset b$? Action $a$ can be performed initially, but also after $b$. If we could transform $Q$ into $a.b + b.a$, the top-part would be $a + b$, and using rewriting plus later relabelling solves the problem. But unfortunately $Q \sim a.b + b.a$ is wrong: when performing the sequence $1\,a$ (a time step followed by $a$), these terms end up in $nil \parallel_\emptyset \underline{b}$ and $b$ resp., which are not timed bisimilar due to the partial time step $\{b\}$.

Finding the top-part of parallel compositions seems to be related to finding a suitable expansion law. But even for standard PAFAS, such a law is not known. Thus, our general proof idea does not work so far, due to problems with choice terms. Also the treatment of recursion is not clear yet; an expansion law would certainly help. At least, we have identified a fragment of PAFAS$_r$ which does not have additional expressivity.

Theorem 5.4 If all choice and recursive subterms of a PAFAS$_r$ process are in RNF then there is a bisimilar PAFAS$_s$ process.

We have studied two different ways to enhance PAFAS with non-blocking reading actions. We have first added reading in the form of a read-action prefix operator and proved that this adds expressivity w.r.t. fair behaviour. This operator is very flexible, but has a slightly complex semantics. To reduce complexity, we have introduced a read-set prefix operator with a simpler semantics, but with syntactic restrictions. For the second operator, it is not immediately clear whether its operational semantics models reading behaviour adequately. We could prove this by translating proper PAFAS$_s$ terms into PAFAS$_r$ terms with the same timed behaviour. We also show that PAFAS$_s$ is strong enough to model Petri nets with read-arcs.

It is still not clear whether PAFAS$_r$ is more expressive than the restricted PAFAS$_s$. We presented some ideas of how a respective translation could work; these are based on some algebraic laws that are also interesting in their own right. In the future we will try to complete this translation. This is related to finding an expansion law for generic PAFAS$_r$ (and PAFAS) terms. Such an expansion law should also provide us with an axiomatisation for the full PAFAS language. Some results can be found in [21] where a fragment of the language that just consists of prefix and choice has been axiomatised.

We plan to use read prefixes for modelling systems and comparing their efficiency or proving them correct under the progress assumption. A first correctness proof (for Dekker's MUTEX algorithm) with the aid of the automated verification tool FASE has been presented in [9].

References

[1] S. D. Brookes, C. A. R. Hoare, A. W. Roscoe. A Theory of Communicating Sequential Processes. Journal of the ACM, pp. 560–599, 1984.
[2] P. Bouyer, S. Haddad, P.A. Reynier. Timed Petri Nets and Timed Automata: On the Discriminating Power of Zeno Sequences. Information and Computation, 2008.
[3] F. Buti, M. Callisto De Donato, F. Corradini, M.R. Di Berardini and W. Vogler. Automated Analysis of MUTEX Algorithms with FASE. Proc. of GandALF 2011.
[4] D. Cacciagrano, F. Corradini, J. Aranda and F.D. Valencia. Linearity, Persistence and Testing Semantics in the Asynchronous Pi-Calculus. Proc. of EXPRESS'07, ENTCS 194(2), pp. 59–84.
[5] S. Christensen, N. D. Hansen. Coloured Petri nets extended with place capacities, test arcs, and inhibitor arcs. In Applications of Theory of Petri Nets, LNCS 691, pp. 186–205, 1993.
[6] R. Cleaveland, G. Lüttgen, V. Natarajan. Priority in process algebra. In J.A. Bergstra, A. Ponse, and S.A. Smolka, editors, Handbook of Process Algebra, pages 711–765. Elsevier Science Publishers, 2001.
[7] F. Corradini, M.R. Di Berardini and W. Vogler. Fairness of Actions in System Computations. Acta Informatica, pp. 73–130, 2006.
[8] F. Corradini, M.R. Di Berardini, and W. Vogler. Checking a Mutex Algorithm in a Process Algebra with Fairness. Proc. of CONCUR '06, pp. 142–157, LNCS 4137, 2006.
[9] F. Corradini, M.R. Di Berardini and W. Vogler. Time and Fairness in a Process Algebra with Non-blocking Reading. Proc. of SOFSEM'09, LNCS 5404, pp. 193–204.
[10] F. Corradini, M.R. Di Berardini and W. Vogler. Time and Fairness in a Process Algebra with Non-blocking Reading. TR available at
[11] F. Corradini, W. Vogler, and L. Jenner. Comparing the Worst-Case Efficiency of Asynchronous Systems with PAFAS. Acta Informatica, pp. 735–792, 2002.
[12] G. Costa, C. Stirling. Weak and Strong Fairness in CCS. Information and Computation, pp. 207–244, 1987.
[13] G. Costa, C. Stirling. A Fair Calculus of Communicating Systems. Acta Informatica, pp. 417–441, 1984.
[14] F. Crazzolara, G. Winskel. Events in security protocols. Proc. of 8th ACM conference on Computer and Communication Security, CCS'01, pp. 96–105, 2001.
[15] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.
[16] R. Milner. Communication and Concurrency. International series in computer science, Prentice Hall International, 1989.
[17] U. Montanari, F. Rossi. Contextual net. Acta Informatica, pp. 545–596, 1995.
[18] U. Montanari, F. Rossi. Contextual occurrence nets and concurrent constraints programming. Proc. of Graph Transformation in Computer Science, LNCS 776, pp. 280–295, 1994.
[19] M. Raynal. Algorithms for Mutual Exclusion. North Oxford Academic, 1986.
[20] G. Ristori. Modelling Systems with Shared Resources via Petri Nets. PhD thesis, Department of Computer Science, University of Pisa, 1994.
[21] W. Vogler, L. Jenner. Axiomatizing a Fragment of PAFAS. Electronic Notes in Theoretical Computer Science, 39(3), pp. 306–321, 2000.
[22] W. Vogler. Efficiency of Asynchronous Systems, Read Arcs and the MUTEX-problem. Theoretical Computer Science, pp. 589–631, 2002.
[23] D.J. Walker. Automated Analysis of Mutual Exclusion algorithms using CCS. Formal Aspects of Computing, pp. 273–292, 1989, doi:10.1007/BF01887209