Synchrony vs. Causality in Asynchronous Petri Nets
B. Luttik and F. D. Valencia (Eds.): 18th International Workshop on Expressiveness in Concurrency (EXPRESS 2011), EPTCS 64, 2011, pp. 119–131, doi:10.4204/EPTCS.64.9
© J.-W. Schicke, K. Peters & U. Goltz. This work is licensed under the Creative Commons Attribution License.
Jens-Wolfhard Schicke
Institute for Programming and Reactive Systems, TU Braunschweig, Germany
Kirstin Peters
School of EECS, TU Berlin, Germany
Ursula Goltz
Institute for Programming and Reactive Systems, TU Braunschweig, Germany
Given a synchronous system, we study the question whether the behaviour of that system can be exhibited by a (non-trivially) distributed and hence asynchronous implementation. In this paper we show, by counterexample, that synchronous systems cannot in general be implemented in an asynchronous fashion without either introducing an infinite implementation or changing the causal structure of the system behaviour.
keywords: asynchrony, distributed systems, causal semantics, Petri nets
It would be desirable – from a programming standpoint – to design systems in a synchronous fashion, yet reap the benefits of parallelism by means of an (ideally automatically generated) asynchronous implementation executed on multiple processing units in parallel. We consider the question under which circumstances such an approach is applicable, or equivalently, what restrictions must be placed on the synchronous design in order that it may be simulated asynchronously.

We formalise this problem by means of Petri nets (Section 2), a semi-structural requirement (Section 3) on Petri nets to enforce asynchrony in the implementation, and an equivalence relation (Section 4) on possible Petri net behaviours to decide whether a candidate implementation is indeed faithful to the synchronous specification.

Countless equivalence relations for system behaviour have already been proposed. When comparing the strictness of these equivalences, as done in [2] or [3], and exploring the resulting lattice, one finds multiple “dimensions” of features along which such an equivalence may be more or less discriminating. The most prominent one is the linear-time branching-time axis, denoting how well the decision structure of a system is captured by the equivalence. Another dimension relevant to this paper is that along which the detail of the causal structure increases. On the first of these two dimensions, we would at the very least like to detect deadlocks introduced by the implementation, on the second one, at least a reduction in concurrency due to the implementation. As every (non-trivial) implementation will introduce internal τ-transitions, a suitable equivalence must abstract from them, as long as they do not allow a divergence.

∗ This work was supported by the DFG (German Research Foundation), grants GO-671/6-1 and NE-1505/2-1.
Figure 1: A fully reached, pure M, the problematic structure from [4]
Figure 2: A repeated pure M. A finite, 1-safe, undistributable net used as a running counterexample.

[4] answers part of the question of distributed implementability for a certain equivalence of this spectrum, namely step readiness equivalence. Step readiness equivalence is one of the weakest equivalences that respects branching time, concurrency and divergence to some degree but abstracts from internal actions. For this equivalence we derived an exact characterisation of asynchronously implementable (“distributable”) Petri nets. The main difficulty in implementing arbitrary Petri nets up to step readiness equivalence is a structure called pure M, depicted in Figure 1, where two parallel transitions are in pairwise conflict with a common third. By [4] a synchronous net is distributable only if it contains no fully reachable pure M. The other direction needed for exactness has not been published yet, as the only proofs existing as of yet utilise an infinite implementation.

Using the strictly weaker completed step trace equivalence, [10] proved any synchronous net to be distributable. Comparing these two results and the given implementation in the latter we made a very interesting observation: We were unable to find an implementation of a synchronous net with a fully reachable pure M which did not introduce additional causal dependencies.

In this paper we show that this drawback holds for any sensible encoding of synchronous interactions, i.e., it is a general phenomenon of encoding synchrony. We reach that result by extending the pure M of Figure 1 into a repeated pure M, depicted in Figure 2. We thereby get a separation result similar to [4] along a different, namely the causal, dimension of the spectrum of behavioural equivalences.

We introduce basic Petri net concepts in Section 2, then turn to recounting the definition of distributability in Section 3.
Afterwards we introduce completed pomset trace equivalence in Section 4, justify it by means of illustrative examples, and use it in Section 5 to prove the impossibility of implementing general Petri nets while respecting causality. Finally Section 6 concludes.

Most material in this section has been taken verbatim or with minimal adaptation from [4] or [10].

Where dealing with tuples, we use $pr_1, pr_2, \ldots$ as the projection functions returning the first, second, … element respectively. We extend these functions to sets element-wise.

Definition 1.
Let Act be a set of visible actions and $\tau \notin \text{Act}$ be an invisible action.
A labelled net (over Act) is a tuple $N = (S, T, F, M_0, \ell)$ where
• $S$ is a set (of places),
• $T$ is a set (of transitions),
• $F \subseteq S \times T \cup T \times S$ (the flow relation),
• $M_0 \subseteq S$ (the initial marking) and
• $\ell : T \to \text{Act} \cup \{\tau\}$ (the labelling function).
A net is called finite iff $S$ and $T$ are finite.

Petri nets are depicted by drawing the places as circles, the transitions as boxes containing the respective label, and the flow relation as arrows (arcs) between them. When a Petri net represents a concurrent system, a global state of such a system is given as a marking, a set of places, the initial state being $M_0$. A marking is depicted by placing a dot (token) in each of its places. The dynamic behaviour of the represented system is defined by describing the possible moves between markings. A marking $M$ may evolve into a marking $M'$ when a nonempty set of transitions $G$ fires. In that case, for each arc $(s, t) \in F$ leading to a transition $t$ in $G$, a token moves along that arc from $s$ to $t$. Naturally, this can happen only if all these tokens are available in $M$ in the first place. These tokens are consumed by the firing, but also new tokens are created, namely one for every outgoing arc of a transition in $G$. These end up in the places at the end of those arcs. A problem occurs when as a result of firing $G$ multiple tokens end up in the same place. In that case $M'$ would not be a marking as defined above. In this paper we restrict attention to nets in which this never happens. Such nets are called 1-safe. Unfortunately, in order to formally define this class of nets, we first need to correctly define the firing rule without assuming 1-safety. Below we do this by forbidding the firing of sets of transitions when this might put multiple tokens in the same place.

To help track causality throughout the evolution of a net, we extend the usual notion of marking to dependency marking.
Within these dependency markings, every token is augmented with the labels of all transitions having causally contributed to its existence. The other basic Petri net notions presented here have been extended in the same manner. While it might seem more natural to annotate the causal history of the tokens by a partial order, we only use a set here in order to keep the number of reachable markings finite for finite nets (a property a later proof will utilise).

We denote the preset and postset of a net element $x \in S \cup T$ by ${}^\bullet x := \{y \mid (y, x) \in F\}$ and $x^\bullet := \{y \mid (x, y) \in F\}$ respectively. These functions are extended to sets in the usual manner, i.e. ${}^\bullet X := \{y \mid y \in {}^\bullet x,\ x \in X\}$.

Definition 2.
Let $N = (S, T, F, M_0, \ell)$ be a net. Let $M_1, M_2 \subseteq S \times \mathcal{P}(\text{Act})$.
$G \subseteq T$, $G \neq \emptyset$, is called a dependency step from $M_1$ to $M_2$, $M_1 [G\rangle_N M_2$, iff
• all transitions contained in $G$ are enabled, i.e. $\forall t \in G.\ {}^\bullet t \subseteq pr_1(M_1) \wedge (pr_1(M_1) \setminus {}^\bullet t) \cap t^\bullet = \emptyset$,
• all transitions of $G$ are independent, that is not conflicting: $\forall t, u \in G,\ t \neq u.\ {}^\bullet t \cap {}^\bullet u = \emptyset \wedge t^\bullet \cap u^\bullet = \emptyset$,
• causalities are extended by the labels of the firing transitions:
$$M_2 = \{p \in M_1 \mid pr_1(p) \notin {}^\bullet G\} \cup \Big\{ \Big(s,\ (\{\ell(t)\} \setminus \{\tau\}) \cup \bigcup_{p \in M_1 \wedge pr_1(p) \in {}^\bullet t} pr_2(p) \Big) \ \Big|\ t \in G,\ s \in t^\bullet \Big\}.$$

Applying $pr_1$ to a dependency marking results in the classical Petri net notion of marking and similar for the other notions introduced in this section. We will however mainly employ the versions defined here and drop the qualifier “dependency” most of the time. A token $(s, P) \in M$ is $Q$-dependent iff $Q \subseteq P$ and $Q$-independent iff $P \cap Q = \emptyset$.

To simplify the following argumentation we use some abbreviations. $\xrightarrow{m}_N$ denotes a labelled step on a single transition labelled $m$. $\stackrel{a}{\Longrightarrow}_N$ denotes a step on $a$ surrounded by arbitrary τ-steps, i.e., $\Longrightarrow_N$ abstracts from τ-steps.

Definition 3.
Let $N = (S, T, F, M_0, \ell)$ be a labelled net.
We extend the labelling function $\ell$ to (multi)sets element-wise.
$\longrightarrow_N \ \subseteq \mathcal{P}(S \times \mathcal{P}(\text{Act})) \times \mathbb{N}^{\text{Act}} \times \mathcal{P}(S \times \mathcal{P}(\text{Act}))$ is given by
$$M_1 \xrightarrow{A}_N M_2 \Leftrightarrow \exists G \subseteq T.\ M_1 [G\rangle_N M_2 \wedge A = \ell(G)$$
$\xrightarrow{\tau}_N \ \subseteq \mathcal{P}(S \times \mathcal{P}(\text{Act})) \times \mathcal{P}(S \times \mathcal{P}(\text{Act}))$ is defined by
$$M_1 \xrightarrow{\tau}_N M_2 \Leftrightarrow \exists t \in T.\ \ell(t) = \tau \wedge M_1 [\{t\}\rangle_N M_2$$
$\Longrightarrow_N \ \subseteq \mathcal{P}(S \times \mathcal{P}(\text{Act})) \times \text{Act}^* \times \mathcal{P}(S \times \mathcal{P}(\text{Act}))$ is defined by
$$M_1 \stackrel{a_1 a_2 \cdots a_n}{\Longrightarrow}_N M_2 \Leftrightarrow M_1 \xrightarrow{\tau}{}^*_N \xrightarrow{\{a_1\}}_N \xrightarrow{\tau}{}^*_N \xrightarrow{\{a_2\}}_N \xrightarrow{\tau}{}^*_N \cdots \xrightarrow{\tau}{}^*_N \xrightarrow{\{a_n\}}_N \xrightarrow{\tau}{}^*_N M_2$$
where $\xrightarrow{\tau}{}^*_N$ denotes the reflexive and transitive closure of $\xrightarrow{\tau}_N$.
We omit the subscript $N$ if clear from context.

We write $M_1 \xrightarrow{A}_N$ for $\exists M_2.\ M_1 \xrightarrow{A}_N M_2$, $M_1 \stackrel{A}{\nrightarrow}_N$ for $\nexists M_2.\ M_1 \xrightarrow{A}_N M_2$ and similar for the other two relations. Likewise $M_1 [G\rangle_N$ abbreviates $\exists M_2.\ M_1 [G\rangle_N M_2$. A marking $M_1$ is said to be reachable iff there is a sequence of labels $s \in \text{Act}^*$ such that $M_0 \times \{\emptyset\} \stackrel{s}{\Longrightarrow}_N M_1$. The set of all reachable markings is denoted by $[M_0\rangle_N$.

As said before, here we only want to consider 1-safe nets. Formally, we restrict ourselves to contact-free nets, where in every reachable marking $M_1 \in [M_0\rangle$, for all $t \in T$ with ${}^\bullet t \subseteq pr_1(M_1)$,
$$(pr_1(M_1) \setminus {}^\bullet t) \cap t^\bullet = \emptyset.$$
For such nets, in Definition 2 we can just as well consider a transition $t$ to be enabled in $M$ iff ${}^\bullet t \subseteq pr_1(M)$, and two transitions to be independent when ${}^\bullet t \cap {}^\bullet u = \emptyset$.

After having introduced Petri nets in general, we still need to find a notion of such a net being distributed before being able to answer the question of distributed implementability. A straightforward approach is to assign to each net element a location, place sensible restrictions on arrows crossing location borders, and restrict the sets of net elements being allowed to reside on the same location.

We will regard locations as sequential execution units of the underlying system, each one able to execute at most one action during each step.
This necessitates that no pair of transitions firing in the same step can reside on the same location. Additionally, if locations are indeed physically apart as their name suggests, communication between them can only proceed asynchronously.

Figure 3: A centralised implementation of Figure 2, location borders dotted.

We discussed a very similar notion of distribution in [4], whence the following description and definition of the present version have been derived. The central insight from that paper is that the synchronous removal of tokens from preplaces of a transition is essential to the conflict resolution taking place between multiple enabled transitions and that hence transitions must reside on the same location as their preplaces.

We model the association of locations to the places and transitions in a net $N = (S, T, F, M_0, \ell)$ as a function $D : S \cup T \to \text{Loc}$, with Loc a set of possible locations. We refer to such a function as a distribution of $N$. Since the identity of the locations is irrelevant for our purposes, we can just as well abstract from Loc and represent $D$ by the equivalence relation $\equiv_D$ on $S \cup T$ given by $x \equiv_D y$ iff $D(x) = D(y)$.

Definition 4.
Let $N = (S, T, F, M_0, \ell)$ be a net.
The concurrency relation $\smile \ \subseteq T^2$ is given by $t \smile u \Leftrightarrow t \neq u \wedge \exists M \in [M_0\rangle.\ M [\{t, u\}\rangle$.
$N$ is distributed iff it has a distribution $D$ such that
• $\forall s \in S, t \in T.\ s \in {}^\bullet t \Rightarrow t \equiv_D s$,
• $t \smile u \Rightarrow t \not\equiv_D u$.

It is straightforward to give a semi-structural characterisation of this class of nets:

Observation 1.
A net is distributed iff there is no sequence $t_0, \ldots, t_n$ of transitions with $t_0 \smile t_n$ and ${}^\bullet t_{i-1} \cap {}^\bullet t_i \neq \emptyset$ for $i = 1, \ldots, n$.

(Footnote to “semi-structural”: mainly structural, but with a reachability side-condition.)

We now motivate the equivalence relation used for the rest of the paper by means of highlighting some possible shortcomings of implementations one would intuitively like to avoid.

When trying to implement a synchronous Petri net by a distributed one, one of the easiest approaches is central serialisation of the entire original net by introduction of a single new place connected with loops to every transition, thereby vacuously fulfilling the requirement that no parallel transitions may reside on the same location. This clearly loses parallelism. We illustrate in Figure 3 the result of applying a slightly more intricate variant of this scheme, where every visible step of the original still exists in the implementation, to the repeated pure M. Nonetheless, this approach is intuitively not scalable, as all decisions made concurrently in the original net are now made in sequence. In particular, the parts of the net firing a were completely independent of those parts firing c in the specification, while being connected through the central place in the implementation. Such new dependencies can be detected if the causal dependencies between events are included in the behavioural description of a net. Apart from the obvious implications for scalability, if a Petri net is used as an abstract description of a more concrete system, a new dependency might enable interactions between different parts of the system the designer did not take into account. Hence we would like to disallow such a strategy by means of the equivalence between specification and implementation.

Figure 4: A locally deadlocking implementation of Figure 2, location borders dotted.

No such causalities are introduced by the implementation in Figure 4. There however, one of the cycles of a’s or c’s may spontaneously decide to commit to the b action and wait until the other does likewise, resulting in what is essentially a local deadlock. Compared to the original net, where a stayed enabled until b was fired, such behaviour is new. Trying to resolve this deadlock by adding a τ-transition in the reverse direction would introduce a diverging computation not present in the original net.

All these deviations from the original behaviour can elegantly be captured by the causal equivalence from [10], called completed pomset trace equivalence. It extends the pomset trace equivalence of [8] so as to detect local deadlocks, which can be regarded as unjust executions in the sense of [9].

Pomset trace equivalence is obtained by unrolling a Petri net into a process as defined by [7].
Such a process can be understood to be an account of one particular way to decide all conflicts which occurred while proceeding from one marking to the next. The behaviour of the net is hence a set of these processes, covering all possible ways to decide conflicts.

Unrolling a net $N$ intuitively proceeds as follows: The initially marked places of $N$ are copied into a new net $\mathcal{N}$ and their correspondence to the original places recorded in a mapping $p$. Then, whenever in $N$ a transition $t$ is fired, this is replayed in $\mathcal{N}$ by a new transition connected to places corresponding by $p$ to the original preplaces of $t$ and which are not yet connected to any other post-transition. A new place of $\mathcal{N}$ is created for every token produced by $t$. Again all correspondences are recorded in $p$. Every place of $\mathcal{N}$ has thus at most one post-transition. If it has none, this place represents a token currently being placed on the corresponding original place.

As a shorthand notation to gather these places, we introduce the end of a net.

Definition 5.
Let $N = (S, T, F, M_0, \ell)$ be a labelled net.
The end of the net is defined as $N^\circ := \{s \in S \mid s^\bullet = \emptyset\}$.

Definition 6.
A pair $P = (\mathcal{N}, p)$ is a process of a net $N = (S, T, F, M_0, \ell)$ iff
• $\mathcal{N} = (\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, l)$ is a net, satisfying
  – $\forall s \in \mathcal{S}.\ |{}^\bullet s| \le 1 \ge |s^\bullet| \wedge s \in \mathcal{M}_0 \Leftrightarrow {}^\bullet s = \emptyset$,
  – $\mathcal{F}$ is acyclic, i.e. $\forall x \in \mathcal{S} \cup \mathcal{T}.\ (x, x) \notin \mathcal{F}^+$, where $\mathcal{F}^+$ is the transitive closure of $\{(t, u) \mid \mathcal{F}(t, u) > 0\}$,
  – and $\{t \mid (t, u) \in \mathcal{F}^+\}$ is finite for all $u \in \mathcal{T}$.
• $p : \mathcal{S} \cup \mathcal{T} \to S \cup T$ is a function with $p(\mathcal{S}) \subseteq S$ and $p(\mathcal{T}) \subseteq T$, satisfying
  – $s \in M_0 \Leftrightarrow |p^{-1}(s) \cap \mathcal{M}_0| = 1$ for all $s \in S$,
  – $p$ is injective on $\mathcal{M}_0$,
  – $\forall t \in \mathcal{T}, s \in S.\ F(s, p(t)) = |p^{-1}(s) \cap {}^\bullet t| \wedge F(p(t), s) = |p^{-1}(s) \cap t^\bullet|$, and
  – $\forall t \in \mathcal{T}.\ l(t) = \ell(p(t))$.
$P$ is called finite if $\mathcal{N}$ is finite. $P$ is maximal iff $p(\mathcal{N}^\circ) \nrightarrow_N$. The set of all maximal processes of a net $N$ is denoted by $MP(N)$.

To disambiguate between a not-yet-occurred firing of a transition a and the impossibility of firing an a, we restrict the set of processes relevant for the behavioural description to maximal processes. We thereby obtain a just semantics in the sense of [9], i.e. a transition which remained enabled infinitely long must ultimately fire.

To abstract from the τ-actions introduced in an implementation, we extract from the maximal processes the causal structure between the fired visible events in the form of a partially ordered multiset (pomset). Formally, a pomset is an isomorphism class of a partially ordered multiset of action labels.

Definition 7.
A labelled partial order is a structure $(V, T, \le, l)$ where
• $V$ is a set (of vertices),
• $T$ is a set (of labels),
• $\le \ \subseteq V \times V$ is a partial order relation and
• $l : V \to T$ (the labelling function).
Two labelled partial orders $o = (V, T, \le, l)$ and $o' = (V', T, \le', l')$ are isomorphic, $o \cong o'$, iff there exists a bijection $j : V \to V'$ such that
• $\forall v \in V.\ l(v) = l'(j(v))$ and
• $\forall u, v \in V.\ u \le v \Leftrightarrow j(u) \le' j(v)$.

Definition 8.
Let $o = (V, T, \le, l)$ be a partial order.
The pomset of $o$ is its isomorphism class $[o] := \{o' \mid o \cong o'\}$.

By hiding the unobservable transitions of a process, we gain a pomset which describes causality relations of all participating visible transitions.

Definition 9.
Let $P = ((\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, l), p)$ be a process.
Let $O := \{t \in \mathcal{T} \mid l(t) \neq \tau\}$, i.e. the visible transitions of the process. The visible pomset of $P$ is the pomset $VP(P) := [(O, \text{Act}, \mathcal{F}^* \cap O \times O, l \cap (O \times \text{Act}))]$ where $\mathcal{F}^*$ is the transitive and reflexive closure of the flow relation $\mathcal{F}$.
$MVP(N) := \{VP(P) \mid P \in MP(N)\}$ is the set of pomsets of all maximal processes of $N$.

Using this notion we can now define completed pomset trace equivalence.

Definition 10.
Two nets $N$ and $N'$ are completed pomset trace equivalent, $N \simeq_{CPT} N'$, iff $MVP(N) = MVP(N')$.

Figure 5: An infinite implementation of Figure 2, constructed by taking every maximal process and initially choosing one, location borders dotted.
As completed pomset trace equivalence is a very linear-time equivalence, it disregards the decision structure of a system and an implementation like the one of Figure 5, which simply provides a separate branch for each possible maximal process of the original net, would be fully satisfactory. In practice though, such an infinite implementation is unwieldy to say the least. If however infinite implementations are ruled out, our main result shows that no valid implementation of the repeated pure M of Figure 2 exists.

Before we consider this main theorem of the paper, let us concentrate on two auxiliary lemmata. The first states that the careful introduction of a τ-transition before an arbitrary transition of a net, as described below, does not significantly influence the properties of that net.

Lemma 1.
Let $N = (S, T, F, M_0, \ell)$ be a finite, 1-safe, distributed net with the distribution function $D$. Let $t \in T$.
The net $N' = (S', T', F', M_0, \ell')$ with
• $S' = S \cup \{s_\tau\}$,
• $T' = T \cup \{t_\tau\}$,
• $F' = (F \setminus (S \times {}^\bullet t)) \cup \{(s, t_\tau) \mid s \in {}^\bullet t\} \cup \{(t_\tau, s_\tau), (s_\tau, t)\}$, and
• $\ell'(x) = \begin{cases} \tau & \text{if } x = t_\tau \\ \ell(x) & \text{otherwise} \end{cases}$
is finite, 1-safe, distributed and completed pomset trace equivalent to $N$.

Proof. (Sketch) $N'$ is finite as only two new elements were introduced.

$N'$ is completed pomset trace equivalent to $N$. Given a process $(\mathcal{N}, p)$ of $N$, a process of $N'$ can be constructed by refining in $\mathcal{N}$ every transition $u$ in the same manner as $p(u)$ was in $N$. For the reverse direction, note that in every maximal process of $N'$, $p(u) = t \Rightarrow p({}^\bullet u) = \{s_\tau\} \wedge p({}^\bullet s_\tau) = \{t_\tau\}$. By fusing $u$, ${}^\bullet u$, and ${}^{\bullet\bullet} u$ into a single transition $v$ whenever $p(u) = t$ and setting the process mapping of $v$ to $t$, a maximal process of $N'$ can be transformed into a maximal process of $N$.

For the same reason, $N'$ is also 1-safe.

$N'$ is distributed with the distribution function
$$D'(x) := \begin{cases} D(t) & \text{if } x = s_\tau \vee x = t_\tau \\ D(x) & \text{otherwise.} \end{cases}$$
The places in ${}^\bullet t_\tau$ are on $D(t) = D'(t_\tau)$. $D'(s_\tau) = D(t) = D'(t)$. Hence all transitions are on the same location as their preplaces. No new parallelism is introduced, as a parallel firing of either $t_\tau$ or $t$ with some other transition $u$ can only occur if $t$ and $u$ could already fire in parallel in $N$.

(Footnote: While $\ell$ and $l$ look nearly identical, the authors see no problem in that, given the close correspondence.)

Next we show that, if a marking is reached twice during an execution, the dependencies of all tokens consumed and produced by a transition firing in such a cycle are equal.

Lemma 2.
Let $N = (S, T, F, M_0, \ell)$ be a finite, 1-safe net. Let $t_s, t_{s+1}, \ldots, t_{e-1}, t_e \in T$ be a sequence of transitions leading from a reachable marking $M_{base}$ to the same, i.e. $M_{base} \xrightarrow{\{t_s\}} \cdots \xrightarrow{\{t_e\}} M_{base}$.
Then every $t_i$ produced tokens that were dependent on the same labels as the tokens on its preplaces.

Proof. Assume the opposite, i.e. there is a $t_i$ for $s \le i \le e$ such that $t_i$ consumed an $L$-independent token from one of its preplaces (for some $L \subseteq \text{Act}$), but produced no $L$-independent tokens. This $L$-independent token needs to be replaced to again reach $M_{base}$. However the replacement token needs to be $L$-independent as otherwise a dependency marking different from $M_{base}$ would be reached. This token can thus not depend on any of the tokens produced by $t_i$, as it would then not be $L$-independent. In other words, had $t_i$ not fired, a new $L$-independent token could also have been produced on its preplaces, i.e. $N$ would not be 1-safe, violating the assumptions. Hence no such $t_i$ can be fired, or equivalently, every $t_i$ produced tokens that were dependent on the same labels as the tokens on its preplaces (which hence all have the same dependencies).

We will now show that, given an arbitrary finite, 1-safe net, it is not possible in general to find a finite, 1-safe, and distributed net which is completed pomset trace equivalent to the original. As a counterexample, consider the repeated pure M of Figure 2. It is a simple net allowing to perform several transitions of a and c in parallel, and terminating with a single transition b. The main argument of the following proof proceeds as follows: To perform an arbitrary number of a- and c-transitions within a finite net there has to be a loop. To terminate with b the process has to escape from that loop by disabling all transitions leading to a or c.
Therefore either a single token is consumed that is dependent on a as well as on c, or two different tokens – one a-dependent and one c-dependent – are consumed. In the first case an additional iteration of the loop results in an additional causal dependency, i.e., in a causal dependency between a and c. In the second case the net is not distributed in the sense of Definition 4.

Theorem 5.1.
It is in general impossible to find for a finite, 1-safe net a distributed, completed pomset trace equivalent, finite, 1-safe net.

Proof.
Via the counterexample given in Figure 2. Suppose a finite, 1-safe, distributed net $N_{impl}$, which is completed pomset trace equivalent to the net of Figure 2, would exist. By refining every b-labelled transition in $N_{impl}$ into two transitions in the manner of Lemma 1, a new net $N = (S, T, F, M_0, \ell)$ is derived. By Lemma 1 this new net is finite, 1-safe, distributed and completed pomset trace equivalent to the net in Figure 2 since $N_{impl}$ is.

$N$ has $|S|$ places and 3 different labels, every place can hold either no token, or a token dependent on any possible combination of the three labels. Since $N$ is finite so is $|S|$. Hence $N$ has at most $9^{|S|}$ reachable dependency markings. Let $m := |S|$. $N$ is able to fire $(ac)^m b$ without any step containing more than a single transition since the net of Figure 2 is and the two are assumed to be completed pomset trace equivalent. Let $G_1, G_2, \ldots, G_n$ be the steps fired while doing so. $|G_i| = 1$ for all $i$. In the course of firing that sequence, at least one dependency marking is bound to be reached twice. Of all those dependency markings which occur twice, we take the one occurring last while firing $(ac)^m b$ and call it $M_{base}$. Let $G_s, G_{s+1}, \ldots, G_{e-1}, G_e$ be a sequence of steps between two occurrences of $M_{base}$, i.e.
$$M_0 \times \{\emptyset\} \xrightarrow{G_1} \xrightarrow{G_2} \cdots\ M_{base} \xrightarrow{G_s} \cdots \xrightarrow{G_e} M_{base} \cdots \xrightarrow{G_n}.$$

Using Lemma 2 the transitions of the steps $G_s$ to $G_e$ can be partitioned into subsets $T_X$ based on the dependencies of the tokens they produced and consumed. A set $T_X$ includes all transitions producing $X$-dependent, $\text{Act} \setminus X$-independent tokens. By firing $G_s \cap T_{\{a\}}, G_{s+1} \cap T_{\{a\}}, \ldots, G_e \cap T_{\{a\}}$ (skipping empty steps) repeatedly, $M_{base} \stackrel{a^m}{\Longrightarrow}$. By firing $G_s \cap T_{\{c\}}, G_{s+1} \cap T_{\{c\}}, \ldots, G_e \cap T_{\{c\}}$ (skipping empty steps) repeatedly, $M_{base} \stackrel{c^m}{\Longrightarrow}$.

We now search for the marking where the decision to fire b is made.

Assume a reachable marking $M''$ of $N$ with $M'' \stackrel{a^m}{\Longrightarrow}$. If $M'' \stackrel{c^m}{\not\Longrightarrow}$, this holds for all $M'''$ reachable from $M''$ since c cannot be enabled using tokens produced by a transition labelled a or b. Otherwise there would exist a pomset of $N$ in which a c is causally dependent on an a or b. Such a pomset however does not exist for the net of Figure 2, thereby violating the assumption of completed pomset trace equivalence. If however c is not re-enabled after $M''$, a maximal process including finitely many c but infinitely many a’s can be produced, also leading to a pomset not present in the net of Figure 2.
The same argument can be applied with the rôles of a and c reversed, hence $M'' \stackrel{a^m}{\Longrightarrow}$ iff $M'' \stackrel{c^m}{\Longrightarrow}$.

We start from $M_{base}$ and start to fire the steps $G_s, G_{s+1}, \ldots, G_n$ until $a^m$ cannot be fired any more for the first time. This step always exists as after b no further a’s or c’s may be fired. Call the single transition in that step $t_b$. The marking right before that transition fired, we call $M$, the one right after it $M'$. Not only $M \stackrel{a^m}{\Longrightarrow}$ but also $M \stackrel{c^m}{\Longrightarrow}$ and not only $M' \stackrel{a^m}{\not\Longrightarrow}$ but also $M' \stackrel{c^m}{\not\Longrightarrow}$, as both $M$ and $M'$ are reachable markings.

$t_b$ is not itself labelled b, as the refined net has a τ-transition before the b, and once a token resides on the intermediate place, no a-transitions can be fired any more, as otherwise a pomset where an a which is not a causal predecessor to a b would be produced, again not existing for the net of Figure 2.

To disable the trace $a^m$, the transition $t_b$ needed to consume a token. If $t_b$ had not fired, some $G_i \cap T_{\{a\}}$, $s \le i \le e$ could have consumed that token, hence that token must be a-dependent, c-independent. Similarly, $t_b$ must have consumed a token which could have led to $c^m$. This token needs to be c-dependent, a-independent. Hence $t_b$ has at least two preplaces, which in turn are also preplaces to two different transitions, call them $t_a$ and $t_c$, which then lead to $a^m$ and $c^m$ respectively. As they have common preplaces $t_a$, $t_b$ and $t_c$ are on the same location.

From $M$ the net can fire $a^m$ consuming only a-dependent, c-independent tokens. It can also fire $c^m$ consuming only c-dependent, a-independent tokens.

Hence there is a sequence of steps leading from $M$ to a marking where $t_a$ is enabled, yet only a-dependent, c-independent tokens have been removed or added. Similarly there is a firing sequence leading from $M$ to a marking where $t_c$ is enabled, yet only c-dependent, a-independent tokens have been removed or added.
As they change disjoint sets of tokens, these two firing sequences can be concatenated, thereby leading to a marking where $t_a$ and $t_c$ are concurrently enabled, yet they are on the same location, thereby violating the implementation requirements.

Note that the self-loops of the counterexample are not critical to the success of the proof.

(Footnote: The removal of the token leading to $a^m$ and the one leading to $c^m$ must indeed be done by a single transition $t_b$ as only a single transition was fired between $M$ and $M'$ and both traces were possible in $M$ but impossible in $M'$.)

This paper only considered 1-safe nets as possible implementations. We conjecture however, that the proof of Theorem 5.1 can be extended to non-safe nets as well, as from a place where tokens of different dependency mix, a transition can always choose the most-dependent token. In particular a transition intended to produce independent tokens cannot have such a place as a preplace. Hence every part of the net providing independent tokens can do so without depending on firings of labelled transitions. The number of independent tokens produced on a place where a labelled transition consumes them is thus either finite over every run of the system, or unbounded even without any labelled transition ever firing. In both cases that place is unsuitable for disabling a potentially infinitely often occurring loop. If only finitely many tokens are produced, the loop can no longer happen infinitely often; if an unbounded number of tokens can be produced, no disabling can be guaranteed.
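The dependency step of Definition 2 and the distribution requirement of Definition 4, run on the counterexample, as an added example that is not code from the paper. It assumes a reconstruction of the repeated pure M from the textual description (self-looping a and c, both in conflict with b), and `LOCKED` is the plain "single new place connected with loops to every transition" scheme rather than the variant of Figure 3; the place names `p`, `q`, `lock` and all function names are made up for illustration.

```python
from itertools import combinations

TAU = "tau"  # stands for the invisible action

class Net:
    """1-safe labelled net: pre/post map each transition to its pre-/postplaces."""
    def __init__(self, pre, post, label, m0):
        self.pre = {t: frozenset(p) for t, p in pre.items()}
        self.post = {t: frozenset(p) for t, p in post.items()}
        self.label, self.m0 = label, frozenset(m0)

def enabled(net, places, t):
    # Definition 2, first condition: preplaces marked, no contact on postplaces.
    return net.pre[t] <= places and not ((places - net.pre[t]) & net.post[t])

def independent(net, t, u):
    # Definition 2, second condition: disjoint presets and disjoint postsets.
    return not (net.pre[t] & net.pre[u]) and not (net.post[t] & net.post[u])

def initial(net):
    # Initial dependency marking: no token depends on any label yet.
    return frozenset((s, frozenset()) for s in net.m0)

def fire(net, marking, step):
    """Dependency step of Definition 2; returns the new marking or None."""
    places = frozenset(s for s, _ in marking)
    if not step or not all(enabled(net, places, t) for t in step):
        return None
    if not all(independent(net, t, u) for t, u in combinations(sorted(step), 2)):
        return None
    consumed = frozenset().union(*(net.pre[t] for t in step))
    result = {tok for tok in marking if tok[0] not in consumed}
    for t in step:
        deps = {net.label[t]} - {TAU}
        for s, d in marking:
            if s in net.pre[t]:
                deps |= d  # inherit the history of every consumed token
        result |= {(s, frozenset(deps)) for s in net.post[t]}
    return frozenset(result)

def run(net, sequence):
    """Fire single transitions in order; return the final dependency marking."""
    marking = initial(net)
    for t in sequence:
        marking = fire(net, marking, {t})
        if marking is None:
            raise ValueError(f"{t} is not enabled")
    return marking

def deps_on(marking, place):
    """Labels the token on `place` depends on."""
    return next(set(d) for s, d in marking if s == place)

def concurrent_pairs(net):
    """Concurrency relation of Definition 4, by exploring reachable markings."""
    seen, todo, pairs = {net.m0}, [net.m0], set()
    while todo:
        m = todo.pop()
        live = [t for t in sorted(net.pre) if enabled(net, m, t)]
        pairs |= {(t, u) for t, u in combinations(live, 2) if independent(net, t, u)}
        for t in live:
            nxt = (m - net.pre[t]) | net.post[t]
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return pairs

def colocated(net):
    """Finest location assignment: transitions sharing a preplace share a location."""
    loc = {t: t for t in net.pre}
    def find(x):
        while loc[x] != x:
            x = loc[x]
        return x
    for t, u in combinations(sorted(net.pre), 2):
        if net.pre[t] & net.pre[u]:
            loc[find(t)] = find(u)
    return {t: find(t) for t in net.pre}

def violations(net):
    """Concurrent pairs forced onto one location; empty iff the net is distributed."""
    loc = colocated(net)
    return sorted(p for p in concurrent_pairs(net) if loc[p[0]] == loc[p[1]])

LABEL = {"a": "a", "b": "b", "c": "c"}
# Assumed reconstruction of the repeated pure M (the figure itself is not reproduced).
PURE_M = Net(pre={"a": {"p"}, "b": {"p", "q"}, "c": {"q"}},
             post={"a": {"p"}, "b": set(), "c": {"q"}}, label=LABEL, m0={"p", "q"})
# Central serialisation: one extra place looped through every transition.
LOCKED = Net(pre={t: PURE_M.pre[t] | {"lock"} for t in LABEL},
             post={t: PURE_M.post[t] | {"lock"} for t in LABEL},
             label=LABEL, m0={"p", "q", "lock"})

if __name__ == "__main__":
    for name, net in (("repeated pure M", PURE_M), ("central lock", LOCKED)):
        print(name, "violations:", violations(net),
              "deps of q after a, c:", deps_on(run(net, ["a", "c"]), "q"))
```

The specification net fails the distribution check because a and c are concurrent yet tied to b's location, while the locked net passes it only at the price of making the token consumed by c depend on a.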
A review of existing literature in the related area can be found in [4], nonetheless we wish to refer the reader also to [5], where instead of requiring the equivalence between specification and implementation to preserve parallelism, more structural resemblance of the implementation to the specification is required.

A paper not covered earlier is [1], where an algorithm for the automated synthesis of distributed implementations of protocols is presented. The notion of distributed Petri nets employed therein differs from ours by not requiring formally that no parallelism may occur on the same location. The authors however finally generate a finite automaton for each location, again serialising all actions on a single location. In contrast to the present paper and similar to [5], the authors start with a user-supplied map from events to locations, and answer the concrete problem of whether that specific distribution is realisable or not instead of requiring the maximal possible parallelism to be realised.

Comparing the proof of Theorem 5.1 with the proof in [4] we observe that the counterexample in both proofs is based on two conflicts overlapping by a transition, i.e., on what is therein called a fully reachable pure M. In the synchronous setting such an overlapping conflict is solved by the simultaneous removal of tokens on different places in the preset. In an asynchronous setting these two conflicts have to be distributed over at least two locations. Intuitively, the problem with such a distribution is that it prevents the simultaneous solution of the original overlapping conflicts. Instead these two conflicts have to be solved in some order.
This order must, as done within the encoding presented in [10], be enforced by the encoding, leading to additional causal dependencies.

The present paper adds another patch to the emerging map of the separation plane between those equivalences from the spectrum of behavioural equivalences which allow asynchronous implementation in general and those which do not. In [4] we showed that Petri nets cannot in general be implemented up to step readiness equivalence, thereby giving an upper bound for distributability along the branching-time dimension. The present paper provided an upper bound on the dimension of causality. We did not formally prove that this bound is tight, and one might imagine that a behavioural equivalence closer to the notion of dependency markings exists. However, we were unable to find an equivalence which is sensitive to the local deadlock problem outlined in Figure 4 and is not based on processes. The implementation of [10] can serve as a lower bound on both dimensions. It would be interesting to answer the implementability question for systems which feature real-valued time, thereby enabling timeout detection and simultaneous action without co-locality.

That the observed effects are not peculiarities of the Petri net model of systems but a reality of asynchronous systems in general is underlined by the existence of a companion paper [6], giving a result similar to the one achieved here in the setting of the asynchronous π-calculus.

A closer look at the proof in [6] reveals that this proof depends on counterexamples that are so-called symmetric networks including mixed choices in a similar way as our result depends on counterexamples including a pure M. A symmetric network – for instance R = a + b + b . X | b + a + a . X in the second part of the proof – consists of some parallel processes that differ only due to some permutation of names. In combination with mixed choice, i.e., a choice between input as well as output capabilities, symmetric networks result in conflicting steps on different links. Hence in both cases the counterexamples refer to some situation in the synchronous setting in which there are two distinct but conflicting steps. To solve this conflict two simultaneous activities are necessary – in case of Petri nets two tokens are removed simultaneously and in case of the π-calculus two sums are reduced simultaneously in one step. In the asynchronous setting this simultaneous solution has to be serialised by some kind of lock. It blocks the enabling of the asynchronous implementations of source steps, such that no two implementations of conflicting source steps are enabled concurrently. In both formalisms, Petri nets and the π-calculus, it is this temporary blocking of the implementation of source steps, necessary to avoid deadlock or divergence in case of conflicting source steps, that leads to additional causal dependencies.

Apart from this apparent similarity, however, much of the relation between the two results remains mysterious to us. To begin with, the requirements imposed on Petri net implementations and π-calculus implementations take wildly different forms. Additionally, in contrast to the π-calculus result, the present paper connected implementation and original by means of behaviour only without any reference to the system structure. The π-calculus result on the other hand had no need to give special attention to infinite implementations. Finally, we also have no explanation for why the difference in expressive power (the π-calculus is Turing-complete) should not make a difference for results such as this.
We hope to answer some of these questions in future work.

The question up to which behavioural equivalence general Petri nets are implementable can also be reversed into the question what properties or substructures of a Petri net make it unimplementable. One problematic structure for causal equivalences, identified in this paper, is the net of Figure 2, possibly with a more elaborate route from a and c back to the marking enabling all three transitions. We did not prove that no fundamentally different problematic structures exist, but we conjecture that this is indeed the case.

References

[1] Éric Badouel, Benoît Caillaud & Philippe Darondeau (2002): Distributing Finite Automata Through Petri Net Synthesis. Formal Aspects of Computing 13, pp. 447–470, doi:10.1007/s001650200022.
[2] Rob J. van Glabbeek (1993): The Linear Time - Branching Time Spectrum II. In: Proceedings of the 4th International Conference on Concurrency Theory (CONCUR'93), Springer, London, UK, pp. 66–81, doi:10.1007/3-540-57208-2_6.
[3] Rob J. van Glabbeek & Ursula Goltz (2001): Refinement of actions and equivalence notions for concurrent systems. Acta Informatica 37(4/5), pp. 229–327, doi:10.1007/s002360000041.
[4] Rob J. van Glabbeek, Ursula Goltz & Jens-Wolfhard Schicke (2008): On Synchronous and Asynchronous Interaction in Distributed Systems. Technical Report 2008-04, TU Braunschweig. Available at http://arxiv.org/abs/0901.0048v1 . Extended abstract in Proceedings 33rd International Symposium on Mathematical Foundations of Computer Science (MFCS 2008), Toruń, Poland, August 2008 (E. Ochmański & J. Tyszkiewicz, eds.), LNCS 5162, Springer, 2008, pp. 16–35.
[5] Richard P. Hopkins (1991): Distributable nets. In: Advances in Petri Nets 1991, LNCS 524, Springer, pp. 161–187, doi:10.1007/BFb0019974.
[6] Kirstin Peters, Jens-Wolfhard Schicke & Uwe Nestmann (2011): Synchrony vs Causality in the Asynchronous Pi-Calculus. To appear in the Proceedings of EXPRESS'11.
[7] Carl Adam Petri (1977): Non-sequential Processes. GMD-ISF Report 77.05, GMD.
[8] Vaughan R. Pratt (1985): The Pomset Model of Parallel Processes: Unifying the Temporal and the Spatial. In: Seminar on Concurrency, Carnegie-Mellon University, Springer, London, UK, pp. 180–196, doi:10.1007/3-540-15670-4_9.
[9] Wolfgang Reisig (1984): Partial Order Semantics versus Interleaving Semantics for CSP-like Languages and its Impact on Fairness. In: Proc. of the 11th Colloquium on Automata, Languages and Programming, Springer, London, UK, pp. 403–413, doi:10.1007/3-540-13345-3_37.
[10] Jens-Wolfhard Schicke (2009):