Electronic Notes in Theoretical Computer Science 44 No (2003) URL: http://www.elsevier.nl/locate/entcs/volume44.html 27 pages Generating Processes from Specifications using the Relation Manipulation System RelView Michael Winter Department of Computer Science, University of the Federal Armed Forces Munich, 85577 Neubiberg, Germany Abstract In this paper we present an algorithm generating a bundle of processes from a given safety specification The specification is given by a formula in a process logic, i.e a modal logic with a set of possibility operators induced by the possible actions of the underlying transition system This logic is a finite sublanguage, in the sense that only finite conjunctions are allowed, of the language introduced by R Milner in [3] Furthermore, we present an implementation of the algorithm using the functional language HASKELL and the internal language of the RelView system Within the system processes are modelled by relations as shown in [8,9] Introduction One major task in writing parallel programs is to guarantee that the program will perfom sequences of actions in the specification intended Such properties of programs are called safety conditions For example, for a server implementation it may be important that any request of an arbitrary client will be served This paper focuses on this problem on an abstract level using processes instead of programs written in some specific programming language In [3] R Milner introduced a logical language PL (process logic) in terms of which interesting conditions of processes can be expressed Indeed, it was shown that two processes are bisimilar iff there is no formula of PL which distinguishes between them The same fact holds if we restrict the processes to finite branching processes (only finite sums are allowed) and PL to the sublanguage PLf using only finite conjunctions This shows that the logical languages have the right power to express safety conditions of processes In [8,9] a relation-algebraic model of processes was given All standard operations (including parallel composition/interleaving) of the Calculus of Communicating Systems CCS were interpreted by purely relational terms without any inductive methods A notion of relational bisimulation on this interpretation was introduced, and it was shown that a bisimulation class has a canonical c 2003 Published by Elsevier Science B V 194 Winter representative Throughout this paper we use those representatives as denotation of processes We present relational terms and programs written in the internal languages of RelView such that all operations on those graphs may be computed using the system In this paper we present an algorithm producing the set of minimal processes, i.e a set of relational interpretations of a process, from a given safety specification written in PLf Furthermore, we present an implementation of the algorithm using the functional language HASKELL and the RelView system Given a specification written in PLf the HASKELL program generates a RelView program which is able to compute the corresponding set of processes The paper is organized as follows First, we introduce the basic concepts of the algebra of concrete relations between arbitrary sets, the relational interpretation of processes and of the logical language PLf in the second section In the third section we present our algorithm This is done in two ways First, we explain the algorithm using natural language Afterwards we present it again using a PASCAL-like notation extended by operations on graphs and sets of graphs Furthermore, we give some examples of generating sets of processes using our algorithm Finally, we explain our implementation of the algorithm within HASKELL and the RelView system After a short introduction to the RelView system we present the relational terms and programs in the internal language of RelView needed to handle processes and sets of processes Using these terms and programs one may write for every specification written in PLf a RelView program which computes the corresponding set of processes using the algorithm The last part of this section is dedicated to the HASKELL program which automatically generates such a RelView program from a specification Relations and Processes In this section we briefly introduce the basic concepts of the algebra of concrete relations between arbitrary sets, the relational interpretation of processes and of the logical language PLf in the second section For further details we refer to [1,3,4,5,7,8,9] 2.1 Relation Algebraic Preliminaries Given two sets A and B, any subset R of the cartesian product A × B is called a relation with domain A and codomain B We denote this fact by R : A ↔ B, and instead of (a, b) ∈ R we write aRb Given relations Q : A ↔ B, R : A ↔ B and S : B ↔ C we define 195 Winter Join: Q R: A↔B a(Q R)b :⇔ aQb or aRb Meet: Q R: A↔B a(Q R)b :⇔ aQb and aRb Composition: R; S : A ↔ C Complement: Q: A↔B Transposition: Q : B↔A a(R; S)c :⇔ ∃b ∈ B : aRb and bSc aQb :⇔ not aQb bQ a :⇔ aQb The empty, the universal and the identity relation are denoted by ⊥ ⊥AB , AB and IA , respectively Furthermore, we will denote the inclusion of relations by The structure above is the standard example of a heterogeneous relation algebra Besides the well-known algebraic rules for operations on sets, the so-called Schrăoder equivalences are valid Q; R R ⇐⇒ S; R S ⇐⇒ Q ; S Q One might ask for the greatest solution of Q; X R Using the Schrăoder equivalences one gets X = Q ; R This relation is called the right residual Q\R of Q and R By duality one defines the left residual S/T := S; T of S and T It is easy to verify that we have the following b(Q\R)c ⇔ ∀a ∈ A : aQb → aRc a(S/T )b ⇔ ∀c ∈ C : bT c → aSc A symmetric version of the residuals is the symmetric quotient syQ(Q, R) := Q\R Q /R By definition this relation is the greatest relation X solving the inclusions Q Q; X R and X; R A relation R : A ↔ B is called (i) univalent (or a partial function) iff R ; R (ii) total iff IA IB , R; R , (iii) injective iff R is univalent, (iv) surjective iff R is total, (v) a mapping iff it is univalent and total We also use the notation f : A → B to indicate that f is a mapping from A to B A relation R : A ↔ A is called (i) reflexive iff IA A, (ii) symmetric iff R (iii) transitive iff R; R R, R, (iv) idempotent iff R; R = R, (v) an equivalence relation iff it is reflexive, transitive and symmetric 196 Winter As usual we denote the reflexive, transitive closure of a relation R : A ↔ A by R∗ This relation may be computed by R∗ = Ri where Ri := R; R; · · · ; R i≥0 i times Let I denote the one element set {∗} Then we call a relation V : I ↔ A a vector (or a subset) and a mapping x : I → A a point (or an element) V and x are a relational representation of the corresponding subset and element of A Another representation of subsets is given by subobjects, i.e by a set B and an injective mapping i from C to A For example the subset {2, 4} of A = {1, 2, 3, 4, 5} may be given by the injective mapping i from {1, 2} to A defined by i(1) := and i(2) := Using the operation IC ; i we may switch from a subobject to the corresponding vector Consider the cartesian product of two sets A and B The projections π : A × B → A and ρ : A × B → B fulfil π ; π = IA , π ; ρ = AB , ρ ; ρ = IB , π; π ρ; ρ = IA×B We use the following notations < P, Q > := P ; π Q; ρ , R × S := < π; R, ρ; S > A relation may be seen as a binary relation R : A ↔ B or equivalently as a subset of the cartesian product A × B The following operations R→ IA ; (π R; ρ ), V →( AI ; V π ); ρ may be used to switch between these representations The two injections ι : A → A + B and κ : B → A + B of the disjoint union A + B of A and B fulfil ι; ι = IA , ⊥AB , ι; κ = ⊥ κ; κ = IB , ι ; ι κ ; κ = IA+B We use the following notations R + S := [R; ι, S; κ], [P, Q] := ι ; P κ ; Q, distr := [ι × IC , κ × IC ] : (A × C) + (B × C) → (A + B) × C, where distr is a bijective mapping Given a symmetric idempotent S (also known as a partial equivalence relation) one might consider the set of (existing) equivalence classes B and the corresponding R which relates an equivalence class with all its elements R fulfils the following R; R = IB R ; R = S, In the situation above we say R splits S Using the construction above, we may also switch from the represenation of a subset by a vector V : I ↔ A to the corresponding subobject This is done by splitting the partial identity V ; V IA 197 Winter 2.2 Processes Throughout this paper we use the subset Pf of finite branching processes of CCS Consider a finite set L of labels resp actions and a set X of variables for processes Then the set Ef of process expressions is defined as the smallest set satisfying the following (i) ∈ Ef (Inactive Process), (ii) P ∈ Ef for all P ∈ X (Process Variable), (iii) l.E ∈ Ef for all l ∈ L and P ∈ Ef (Prefixing), (iv) E1 + E2 ∈ Ef for all E1 , E2 ∈ Ef (Summation), (v) E1 | E2 ∈ Ef for all E1 , E2 ∈ Ef (Parallel Composition) Now a definition of a set of processes P1 , , Pn is given by a system of mutually recursive equations of the form P1 def = E1 , def Pn = En , such that E1 , , En ∈ Ef and {P1 , , Pn } is the set of process variables def occuring in E1 , , En For example, we may define a process P by P = c.b.a.P + a.(b.0 | c.0) The operational behaviour of processes is given by a transition relation l →⊆ Ef × Ef for each l ∈ L These relations are defined by the following set of rules l E −→ E l P −→ E l l.E −→ E l def if P = E l E1 −→ E1 l E1 + E2 −→ E1 E2 −→ E2 l E1 + E2 −→ E2 l l E1 −→ E1 l E1 | E2 −→ E1 | E2 E2 −→ E2 l E1 | E2 −→ E1 | E2 def For example, we may derive that for the process P = c.b.a.P + a.(b.0 | c.0) a b there are processes P1 and P2 such that we have P −→ P1 , P1 −→ P2 and c P2 −→ | The processes P1 and P2 are given by the expressions b.0 | c.0 and | c.0 We have not introduced a notion of internal communication As usual this can be done by splitting L into a set of input and output labels and a distinguished symbol τ for an internal transition 198 Winter 2.3 Relational Interpretation of Processes In contrast to the synchronization tree approach [6], we model processes by labelled graphs, also called transition graphs For example, the recursively def defined process P = c.b.a.P + a.(b.0 | c.0) may be modelled by the following graph ✉ ✯ ✟ ✟✟ ❅ ✟ ❅ a ✟✟    c a❅ ✟ ✟ ✠ ❘ ❅✉ ✉ ✉  ✟ ✛ b b c ❄ ✉❄ We consider a labelled graph on a set of nodes Z as a pair (G, w) consisting of a relation G : Z ↔ L × Z and a point w : I → Z which is called the root of G Within a graph there may be an edge targeting at the root For several purposes we need to separate the root from the rest of the graph in the sense that there are no edges of this kind This may be done by duplicating the root using a relational sum with I In our example above ext(G) is given by ✉ ✁❆ ✁ ❆ ✁ ❆ c✁ ✉ ❆a ✯ ✟ ✁ ✟  ❅ ❆ ✟✁✟  ❅ ❆ a ✟✟ ✁ c a ❅❆ ✁✠ ☛ ❆ ✟✟ ❘ ❅ ✉ ✉  ✉ ✟ ✛ b b c ❄ ✉❄ Precisely, the extension ext(G) of a graph (G, w) is defined by (i) ext(G) := [w; G, G]; (IL × κ) : I + Z ↔ L × (I + Z), (ii) ext(w) := ι : I ↔ I + Z In [8,9] it was shown that G and ext(G) are bisimilar in respect to a suitable notion of bisimulation of labelled graphs Furthermore, it was shown that in every bisimulation-class there is a canonical representative which may be obtained by splitting the greatest fixpoint of the operation R → (G \(IL × R); G ) (G; (IL × R)/G) on the set of relations over Z Suppose A is that greatest fixpoint Then A is an equivalence relation, and two states z1 , z2 are equivalent iff for every (not neccessarily finite) sequence s of actions the following holds: s may be 199 Winter performed by the process starting in z1 iff s may be performed by the process starting in z2 Now, suppose S splits A Then the canonical representative term(G) is defined by term(G) := S; G; (IL × S ) and term(w) := w; S Now we want to define operations on labelled graphs corresponding to some standard operations for processes Let V : I → L be a vector The prefixing operation PV is defined by (i) PV (G) := [< V, w >, G]; (IL × κ) : I + Z ↔ L × (I + Z), (ii) PV (w) := ι : I → I + Z By the prefix operation a new root and a set of arcs labelled by the elements of V from the new to the original root is added to G Given two graphs (G1 , w1 ) and (G2 , w2 ) the sum operation S is defined by (i) S(G1 , G2 ) := R; (G1 + G2 ); distr; (IL × R ), (ii) S(w1 , w2 ) := (R; [ext(w1 ) , ext(w2 ) ]) , where R : C ↔ (I + Z1 ) + (I + Z2 ) splits the equivalence relation S := ι ; ext(w1 ) ; ext(w2 ); κ κ ; ext(w2 ) ; ext(w1 ); ι I(I+Z1 )+(I+Z2 ) The sum of two graphs is roughly given by the disjoint union of the graphs and identifying the separated roots Notice that using just Gi instead of ext(Gi ) does not give an adequate definition of the sum operation Consider the processes P1 = a.P1 and P2 = b.0 They are modelled by the graphs: G1 G2 ✉ ✲✉ ✛✘ a b ✚✙ ❄ ✉ Not using the extension of G1 and G2 we would get the following graph ✛✘ ❘✉ ❅ a ❅ ✚✙ ❅b ❘ ❅✉ This graph seen as a process may produce the stream ab, which is not in the behaviour of P1 + P2 Last but not least we define the interleaving operation I It is given by (i) I(G1 , G2 ) := (π; G1 ; (I × π ) Z1 × Z2 ↔ L × (Z1 × Z2 ), ρ; ρ ; ρ ) (ii) I(w1 , w2 ) :=< w1 , w2 > 200 (π; π ; ρ ρ; G2 ; (I × ρ )) : Winter By definition the state space of I(G1 , G2 ) is the product Z1 × Z2 The next picture shows an example of the interleaving of two graphs ✉ I(G1 , G2 ) G1 G2 ✉   a     ✠ ✉  c ❅ ❅ b❅ ❘❄ ❅ ✉ ✁❅ ✁ a❅ d ✁ ❅ ❘ ❅✉ ✉ c ✁✁ ❄     ✁ a ✁ ✁   ✁  b d   ✁ ✁  ☛ ✠ ✁ ❄ ✉✠ ✉  ✁c ❅ d❅ b ✁ ✁ ❅ ✁☛ ❘ ❅❄ ✉ ✉ d ❄ ✉ Last but not least, we are interested in the set of a-derivates of a process for a given label a ∈ L, i.e the set of full subgraphs G of G such that there is an edge labelled a between the root of G and the root of G A point p is a root of an a-derivate iff p is included in the vector w; G; (a ; a × IZ ); ρ of all states which are a-successors of the root of G The full subgraph of G starting in p is induced by the vector V := p; (G; ρ)∗ , i.e all states which are reachable within G from p Let i be the subobject corresponding to V Then the a-derivate of G with root p is given by i; G; (IL × i ) 2.4 The specification language The specification of a process is given by a formula in a sublanguage PLf of PL introduced in [3] Let PLf be the smallest set of formulae containing the following (i) true, (ii) a ϕ for all a ∈ L and ϕ ∈ PLf , (iii) ϕ1 ∧ ϕ2 for all ϕ1 , ϕ2 ∈ PLf , (iv) ¬ϕ for all ϕ ∈ PLf The possibility operator a is an example of a modal operator Informally a ϕ, pronounced ’diamond-a ϕ’, asserts for a process P that it is possible for P to a and thereby reach a state which satisfies ϕ More formally, the satisfaction relation |= between labelled graphs and PLf is inductively defined by (i) G |= true for all graphs G, (ii) G |= a ϕ iff there is an a-derivate G of G such that G |= ϕ, (iii) G |= ϕ1 ∧ ϕ2 iff G |= ϕ1 and G |= ϕ2 , (iv) G |= ¬ϕ iff G |= ϕ, i.e not G |= ϕ Our basis language PLf is, of course, extremely basic Suppose B = {l1 , lk } is a subset of the set of actions As usual we define new logical operators as 201 Winter follows: false := ¬true ϕ1 ∨ ϕ2 := ¬(¬ϕ1 ∧ ¬ϕ2 ) ϕ1 → ϕ2 := ¬ϕ1 ∨ ϕ2 [a]ϕ := ¬ a ¬ϕ B ϕ := ϕ ∧ [l1 ]ϕ ∧ · · · ∧ [lk ]ϕ a1 an ϕ := a1 · · · an ϕ [a1 an ]ϕ := [a1 ] · · · [an ]ϕ B n ϕ := B ··· B ϕ n times We call [a]ϕ a necessity, pronounced ’box-a ϕ’ It asserts for a process P that if P performs the action a it must thereby reach a state where ϕ is satisfied The formula B ϕ may be used to model delays within a process It asserts for a process P that P already satisfies ϕ and may perform an arbitrary action within B reaching a state where ϕ remains true As usual the priority of the logical symbols decreases from the left to the right ∗, ∧, ∨, → where ∗ ∈ {¬, a , [a], B }, It is easy to verify that one may write every formula ϕ of PLf without negation, implication and the iterated operators We call this formula the reduced form of ϕ It may be computed using the following transition rules: ¬true ❀ false ¬false ❀ true ¬ a ϕ ❀ [a]¬ϕ ¬[a]ϕ ❀ a ¬ϕ ¬(ϕ1 ∧ ϕ2 ) ❀ ¬ϕ1 ∨ ¬ϕ2 ¬(ϕ1 ∨ ϕ2 ) ❀ ¬ϕ1 ∧ ¬ϕ2 ¬ a1 an ϕ ❀ [a1 an ]¬ϕ ¬[a1 an ]ϕ ❀ a1 an ¬ϕ ¬(ϕ1 → ϕ2 ) ❀ ϕ1 ∧ ¬ϕ2 ¬¬ϕ ❀ ϕ ¬ B ϕ ❀ ¬ϕ ∨ l1 ¬ϕ ∨ · · · ∨ lk ¬ϕ ¬ B n+1 ϕ ❀ ¬ B n ϕ ∨ l1 ¬ B n ϕ ∨ · · · ∨ lk B n ¬ϕ The reduced form of a formula ϕ shows that the sum of processes satisfying ϕ again satisfies ϕ We will use this fact in the last step of our algorithm Finally, we want to specify the safety properties of a server with three clients in our language The set of possible actions within our system is given by {r1 , r2 , r3 , s1 , s2 , s3 } where ri is a request of client i and si denotes the service which is given to client i The specification consists of the following (i) The first request has to be accepted (ii) The first request must be served 202 Winter (iii) The server has to wait until the first request of a client is done In particular, no service should be given before the first request The properties above are expressed in respect to one client by the following formulae (i) ri true, (ii) [ri ] Bi si true where Bi = L \ {ri , si }, (iii) ¬ si true One may wonder why we not write simply [ri ] si true instead of (2) The reason is as follows The simple formula requires that the service has to be done immediately after the request Formula (2) allows the server to make four actions consisting in accepting requests from or serving other clients before We finally obtain the following specification in reduced form (up to the B operator) r1 true ∧ [r1 ] B1 B1 B1 B1 s1 true ∧ [s1 ]false ∧ r2 true ∧ [r2 ] B2 B2 B2 B2 s2 true ∧ [s2 ]false ∧ r3 true ∧ [r3 ] B3 B3 B3 B3 s3 true ∧ [s3 ]false The Algorithm In this section we want to present an algorithm computing from a given specification in reduced form the set of minimal processes fulfilling it The idea of the algorithm is as follows For a given graph G the algorithm checks by induction over the structure of the specification ϕ whether it is fulfilled In the positive case G is returned If the algorithm detects that a part of the specification is not fulfilled it tries (if possible) to extend the graph such that the result satisfies this part of ϕ We start the procedure with the empty graph ⊥ ⊥ : I ↔ L × I A step within the algorithm is done using the following table: Formula Action true Return the set with the given graph G false Return the empty set ϕ1 ∧ ϕ Let M be the singleton set with the given graph G Repeat the following two steps until nothing changes or M is empty (1) Recursive call with ϕ1 and every graph from M Let M be the union of the results (2) Recursive call with ϕ2 and every graph from M Let M be the union of the results Return M 203 Winter box M := generate(phi^.right,empty_graph); forall H in M begin prefix(phi^.label,H); sum(H,G); end; end; generate := M; end; : begin b := true; M := derivates(phi^.label,G); if M={} then generate := {G} else begin P := {}; forall H in M begin N := generate(phi^.right,H); if N={} then b := false; else begin forall K in N P := P union { replace(H,K,G) }; end; end; if b then generate := P else generate := {}; end; end; end; end; Now we want to illustrate our algorithm with two simple examples Consider the formulas (1) (2) [a]false ∧ a true, a (( a true ∨ b a true) ∧ [a]false) ∧ [a][b]true Formula (1) is equivalent to false and hence there is no process satisfying it Our algorithm produces the empty set of graphs after two iterations in the ∧ case The essential steps are summarized in the following table Formula Graph M [a]false ✉ { ✉} a true ✉ ✉ a✉ [a]false a✉ 206 ✉ {} Winter By the subformula ( a true ∨ b a true) ∧ [a]false of the second formula temporarily the two graphs ✉ b ❄ ✉ ✉ a a ❄ ✉ ❄ ✉ are produced The first one is deleted by the recursive call with [a]false In the second iteration the first graph is included and afterwards deleted again So, nothing has changed and the second graph is returned Finally, it is prefixed with another a action and the algorithm terminates Last but not least, we want to analyse the set of processes induced by the algorithm and the specification of a server from the last section Consider the subformula r1 true ∧ [r1 ] B1 B1 B1 B1 s1 true ∧ [s1 ]false The first part creates a process starting with a r1 action The second part replaces the empty graph after the r1 action by the graph which may perform every sequence of actions up to four actions within B and afterwards s1 , i.e we get the graph ✉ r1 r2 , r , s , s r2 , r , s , s r2 , r , s , s r2 , r , s , s ❄ ✉ ❏ ❏ ❏ ❏ ❄ ✉ s❏ ❙ ❏ ❙ ❏ ❙ ❏ ❙ ❄ ❏ ✉ s1❙ ❏ ❅ ❙ ❏ ❅ ❙ ❏ ❅ s1❅ ❙ ❏ ❄ ❙ ✉ ❏ ❅ ◗ ❙ ◗ ❏ ❅ ❙ ◗ ❅ ❙ ❏ ◗ s1 ◗ ❅ ❙ ❏ ◗ ❄ ❅ ❙ ❏ ✉ ◗   ◗  ◗❅ ❙ s1 ◗❅ ✇ ❙ ◗ s ❘ ❅ ③ ❄ ✉ ◗ The last part of the formula is satisfied by this process Finally, the three parts of the specification together will produce the expected process 207 Winter The Implementation using HASKELL and RelView We now present our implementation of the algorithm Therefore, we first give a short introduction to the RelView system Afterwards we present all relational terms and programs in the internal language of RelView which are needed to handle processes and sets of processes Last but not least, we discuss the HASKELL program mentioned in the introduction 4.1 The RelView System The RelView system is a computer program for manipulating and visualizing finite relations, i.e relations between finite sets Such a relation is represented by a Boolean matrix or sometimes by a graph For further details about RelView we refer to the website http://www.informatik.uni-kiel.de/~progsys/relview.html Within the system there are several operations and basic functions on relations corresponding to the operations and constructions mentioned in Section The following table describes those we will need Syntax Meaning I(R) Submatrix of the identity relation with the same size as R (if R is a square matrix I(R) gives the identity) O(R) Empty relation with same size as R L(R) Universal relation with same size as R Ln1(R) Universal relation with one column and the same row number as R L1n(R) Ln1(R^)^ -R Complement of R R|S Union of R and S R&S Intersection of R and S R^ Transposition of R R*S Composition of R and S [R,S] Tupeling of relations, e.g R; π R+S Sum of relations, e.g ι ; R S; ρ κ ;S atom(R) Submatrix of R with just one entry from R 208 Winter The system allows to load a set of relational terms automatically at startup time Since the following relational terms are basic and are defined in our start-up file we introduce them as a part of the system Syntax Implementaion & Meaning source(R) = I(R*R^) Identity with size equal to the number of rows of R target(R) = I(R^*R) Identity with size equal to the number of columns of R Lnm(R,S) = Ln1(R)*L1n(S) Universal relation with the same number of rows than R and the same number of columns than S Onm(R,S) = -Lnm(R,S) Empty relation with the same number of rows than R and the same number of columns than S pi(R,S) = [source(R),Lnm(R,S^)]^ First projection from the product of size equal to the product of the number of rows of R and S rho(R,S) = [Lnm(S,R^),source(S)]^ Secound projection from the product of size equal to the product of the number of rows of R and S pair(R,S) = [pi(R,S)*R,rho(R,S)*S] The pairing of relations, i.e the relation R × S iota(R,S) = (source(R)+Onm(S,R^))^ First injection into the sum of size equal to the sum of the number of rows of R and S kappa(R,S) = (Onm(R,S^)+source(S))^ Secound injection into the sum of size equal to the sum of the number of rows of R and S sum(R,S) = (R*iota(R^,S^))+(S*kappa(R^,S^) The summation of relations, i.e the relation R + S from Section distr(R,S,T) = [pi(R,S)+pi(R,T),sum(rho(R,S),rho(R,T))] The relation distr from Section The system uses row constant relations, i.e relations R such that R; AA = R, to describe subsets or elements This notion corresponds the notion of vectors introduced in Section via the mapping IA ; R There are several 209 Winter operations on these versions of vectors Syntax Meaning point(v) Submatrix of v consisting of the first nonempty row of v inj(v) Injection induced by the set of elements given by v, e.g inj(v) splits v; v init(v) I Relation with one column and the same row number as v where the first row is nonempty next(p) p has to be a n × matrix with one entry in row m next(p) has just one entry in row m + Within the RelView system it is possible to write programs based on the datatype of relations Such a relational program is essentially a while-program which should be understood in an intuitive way The condition in an IF or WHILE statement has to be a × matrix, which is interpreted by true or false The following operations produce such matrices Syntax Meaning empty(R) Test, whether R is empty eq(R,S) Test, whether R and S are equal incl(R,S) Test, whether R is contained in S The operation inj(v) computes the subobject given by the vector v The more general operation of splitting a symmetric idempotent is not implemented in the system Since this operation is a basic operation for the present study we present its relational program during the general introduction of the system split(A) DECL v, H BEG v = O(A); H = A; WHILE -empty(H) DO v = v | (atom(H)*L(H)); H = H & -(v^*A) OD; v = inj(v)*A RETURN v END 210 Winter 4.2 Terms and Programs for RelView Now, we want to present the relational terms and algorithms needed to handle processes and sets of processes A file containing these programs is available from http://www1.informatik.unibw-muenchen.de/thrash/relview.prog By convention, the first row of a relation corresponds to the root of the graph The following programs are the straightforward implementation of the operations on graphs introduced in Section 2.3 root(G) = init(Ln1(G))^ underlyingG(G,L) = G*rho(L,G) transition(a,G,L) = G*pair(a^*a,source(G))*rho(L,G) termGraphemb(G,L) DECL A,An,R,w BEG w = root(G); w = inj((w*trans(G*rho(L,G))|w)^); A = w^*Lnm(w,w^)*w; An = (G^\(pair(L,A)*G^))&((G*pair(L,A))/G); WHILE -eq(A,An) DO A = An; An = (G^\(pair(L,A)*G^))&((G*pair(L,A))/G) OD; R = split(A) RETURN R END terminalGraph(G,L) DECL R,S BEG S = G; R = termGraphemb(S,L) RETURN R*G*pair(L,R^) END prefixGraph(a,G,L) = ([a,root(G)]+G)*pair(L,kappa(Ln1(a),G)) sumGraph(G1,G2,L) DECL G,A,R,w1,w2 BEG G = sum(G1,G2)*distr(L,G1,G2); w1 = root(G1); w2 = root(G2); 211 Winter A = ((w1^*w2*kappa(G1,G2))+(w2^*w1*iota(G1,G2)))|source(G); R = split(A) RETURN R*G*pair(L,R^) END interGraph(G1,G2,L) = (pi(G1,G2)*G1*pair(L,pi(G1,G2)^) &rho(G1,G2)*rho(G1,G2)^*rho(L,pair(G1,G2))^) | (rho(G1,G2)*G2*pair(L,rho(G1,G2)^) &pi(G1,G2)*pi(G1,G2)^*rho(L,pair(G1,G2))^) der_vec(a,G,L) = root(G)*G*pair(a^*a,source(G))*rho(L,G) nextpoint(p,v) DECL e BEG IF incl(p,v) THEN e = next(p^)^; WHILE -incl(e,v) DO e = next(e^)^ OD ELSE e = O(p) FI RETURN e END der_1root(a,G,L) DECL v BEG v = der_vec(a,G,L); IF -eq(v,O(v)) THEN v = point(v^)^ FI RETURN v END der_nextroot(a,G,w,L) DECL v,p,e BEG v = der_vec(a,G,L); e = nextpoint(w,v) RETURN e END derivate(a,G,w,L) 212 Winter DECL i,H BEG i = inj((w*trans(G*rho(L,G))|w)^); H = i*G*pair(L,i^) RETURN H END derivate2(w,G,Z,L) DECL erg BEG erg = derivate(w,G,L); erg = I(Ln1(erg)*L1n(Z))^*erg*pair(L,I(Ln1(erg)*L1n(Z))) RETURN erg END replace_derivate(a,w,G1,G2,L) DECL G BEG G = G2&-(root(G2)^*[a,w]); G = sum(G,G1)*distr(L,G,G1); G = G|(root(G2)^+O1n(G1^)^)*[a,(O1n(G2^)^+root(G1)^)^] RETURN G END The parameter L corresponds to the set of labels and should be the identity on this set The function underlying computes the underlying unlabelled graph and the function transition the set of edges labelled with a These functions may be used to visualize a process by the graph drawing algorithms which are implemented in the RelView system terminalGraph computes the canonical representative using the program termGraphemb Furthermore, there is a program/function for each standard operation on processes Last but not least, there are some programs for computing derivates of a graph der vec computes the vector of all roots of a-derivates of the graph der 1root chooses the first point included in der vec if it exists and der nextroot gives the next one (in respect to w) if it exists by using nextpoint Both programs return the empty vector if the corresponding vector does not exist Finally, derivate returns the derivate with root w, derivate2 embeds the result of derivate into a fixed set of states given by Z and replace derivate replaces the a-derivate with root w in G2 by G1 Our algorithm produces a set of processes We will represent such a set in the following way One graph G : Z ↔ L × Z is represented by the corresponding vector V : I ↔ Z × (L × Z) The connection between these relations is given by vector2graph and graph2vector The empty set of processes is modelled by the universal relation IZ×(L×Z) This can be done since our algorithm will not produce a recursive process Any other set of 213 Winter processes is modelled by the disjoint union of the vectors corresponding to the graphs of them Therefore it is necessary that all graphs have the same set Z of nodes The following programs implement the basic set-theoretic operations vector2graph(V,Z,L) = (Ln1(Z)*V&pi(Z,pair(L,Z))^)*rho(Z,pair(L,Z)) graph2vector(G,Z,L) = L1n(Z)*(pi(Z,pair(L,Z))^&G*rho(Z,pair(L,Z))^) remove(S) DECL i,A BEG A = syq(S^,S^); i = split(A) RETURN (i*S) END union(S,T) DECL erg BEG IF isemptyset(S) THEN erg = remove(T) ELSE IF isemptyset(T) THEN erg = remove(S) ELSE erg = S+T; erg = remove(erg) FI FI RETURN erg END isemptyset(S) = eq(S,L(S)) emptyset(Z,L) = L1n(pair(Z,pair(L,Z))) setincl(S,T) DECL erg,v,w,V,W,One BEG One = L1n(Ln1(S)); IF isemptyset(S) THEN erg = One ELSE 214 Winter v = init(L(S))^; erg = -One; WHILE -empty(v) DO V = v*S; w = init(L(T))^; WHILE -empty(w) DO W = w*T; IF eq(V,W) THEN w = O(w); erg = One ELSE w = next(w^)^ FI OD; IF erg THEN v = next(v^)^; IF -empty(v) THEN erg = -One FI ELSE v = O(v) FI OD FI RETURN erg END seteq(S,T) DECL erg BEG erg = setincl(S,T); erg = erg & setincl(T,S) RETURN erg END Notice that a set of graphs may contain two isomorphic copies of a graph The following programs apply the operations sumGraph, prefixGraph and replace derivate on graphs elementwise on sets of graphs under the assumption that the given set of nodes Z has sufficient size setSumGraph(V,G,Z,L) DECL erg,w,Gn,Vn BEG w = init(L(V))^; Vn = w*V; IF eq(Vn,L(Vn)) THEN erg = Vn ELSE WHILE -empty(w) DO Gn = vector2graph(Vn,Z,L); 215 Winter Gn = sumGraph(Gn,G,L); Gn = terminalGraph(Gn,L); Gn = I(Ln1(Gn)*L1n(Z))^*Gn*pair(L,I(Ln1(Gn)*L1n(Z))); IF eq(w,init(L(V))^) THEN erg = graph2vector(Gn,Z,L) ELSE erg = erg+graph2vector(Gn,Z,L) FI; w = next(w^)^; Vn = w*V OD FI RETURN erg END setPrefixGraph(a,V,Z,L) DECL erg,w,Gn,Vn BEG w = init(L(V))^; Vn = w*V; IF eq(Vn,L(Vn)) THEN erg = Vn ELSE WHILE -empty(w) DO Gn = vector2graph(Vn,Z,L); Gn = prefixGraph(a,Gn,L); Gn = terminalGraph(Gn,L); Gn = I(Ln1(Gn)*L1n(Z))^*Gn*pair(L,I(Ln1(Gn)*L1n(Z))); IF eq(w,init(L(V))^) THEN erg = graph2vector(Gn,Z,L) ELSE erg = erg+graph2vector(Gn,Z,L) FI; w = next(w^)^; Vn = w*V OD FI RETURN erg END setreplace(a,w,V,G,Z,L) DECL erg,u,Gn,Vn BEG IF isemptyset(V) THEN erg = V ELSE u = init(L(V))^; Vn = u*V; 216 Winter WHILE -empty(u) DO Gn = vector2graph(Vn,Z,L); Gn = replace_derivate(a,w,Gn,G,L); Gn = terminalGraph(Gn,L); Gn = I(Ln1(Gn)*L1n(Z))^*Gn*pair(L,I(Ln1(Gn)*L1n(Z))); IF eq(u,init(L(V))^) THEN erg = graph2vector(Gn,Z,L) ELSE erg = erg+graph2vector(Gn,Z,L) FI; u = next(u^)^; Vn = u*V OD FI RETURN erg END 4.3 The HASKELL Program Since RelView has just one data type — the data type of relations — an inductive program on the structure of a formula cannot easily be implemented Therefore, we have written a HASKELL program which computes for a given formula a RelView program which generates the set of processes induced by our algorithm This program is available from http://www1.informatik.unibw-muenchen.de/thrash/formula.hs It is started by the function main First, it asks for an output file name where the generated RelView program is stored Afterwards, the program asks for a formula It uses the parser combinators introduced in [2] to parse this formula We want to explain the syntax of a formula by an example true&(O^2{a,b}false->[b,c]true)|-false This string corresponds to the formula a true ∧ ( B false → [b, c]true) ∨ ¬false where B = {a, b} The priorities of logical symbols introduced in Section 2.4 are respected by the parser Such a formula is transformed into its reduced form Corresponding to every subformula, a RelView program is generated For example by the formula true the following programs are generated make(Z,L) DECL H,V BEG H = Onm(Z,pair(L,Z)); V = p(H,Z,L) RETURN V END 217 Winter p(G,Z,L) DECL H,U,V,w BEG U = emptyset(Z,L); w = der_1root(a,G,L); WHILE -empty(w) DO H = derivate2(w,G,Z,L); V = graph2vector(H,Z,L); IF -isemptyset(V) THEN V = setreplace(a,w,V,G,Z,L); U = union(U,V) FI; w = der_nextroot(a,G,w,L) OD; IF isemptyset(U) THEN H = O(G); V = graph2vector(H,Z,L); U = setPrefixGraph(a,V,Z,L); U = setSumGraph(U,G,Z,L) FI; V = U RETURN V END The program make initializes the procedure, i.e it calls p with the empty graph The parameter L again corresponds to the set of labels Within the RelView system for every label a there has to be a point denoting this label The parameter Z corresponds to maximal size of the state space which is allowed during the procedure This parameter has to be choosen carefully If it is too small the algorithm will not work correctly A big Z will slow the algorithm down Conclusion In this paper we presented an algorithm generating a set of processes fulfilling a given safety specification This algorithm is defined by induction over the structure of the specification It combines two basic tasks within one procedure First of all, it is checked whether the given graph fulfills the specification ϕ If there is a part ϕ of ϕ which is not fulfilled the graph is extended (if it is possible) in such a way that ϕ is satisfied Furthermore, we gave an implementation of the algorithm using the functional language HASKELL and 218 Winter the RelView system For a formula ϕ the HASKELL program generates a RelView program which computes the result of the algorithm for ϕ This seperation into two programs is neccessary since it is not easily be possible to express an algorithm which is defined by induction over a suitable data structure within the RelView system Therefore, our implementation should be seen as a prototype Using the temporal operators ✷ and ✸ one may extend the logical language to a language where liveness properties may be expressed Informally ✷ϕ asserts for a process P that after every sequence of actions P will reach a state where ϕ is satisfied The dual formula ✸ϕ asserts that there is a sequence of actions such that ϕ will hold after P has performed this sequence For example, the following formula ϕ := a ✷ a true ∧ b ✷✸ a b true asserts two properties of a process P fulfilling ϕ First, P may perform an a and reach a state where it may perform an a after every sequence of actions On the other hand, P may perfom an b and reach a state such that it is possible after every sequence to reach a state where ab may be done Within the algorithm the occurrence of ✷ and ✸ means that loops have to be included into the generated processes, i.e the generated process is recursively defined For example, the following processes P fulfills ϕ ✉  ❅    a   ✲ ✉✠ ✛✘ a ❅ b❅ ❘ ❅✉ ✻ a b ✚✙ ❄ ✉2 Notice, that ψ := b ✷ a b true is not fulfilled by P After performing ba the process reaches a state where ab cannot be done If one identifies the states marked and the resulting graph will satisfy ψ References [1] Freyd P., Scedrov A.: Categories, Allegories North-Holland (1990) [2] Hutton, G.: Higher-order Functions for Parsing Journal of Functional Programming, 2(3), 323–344, (1992) [3] Milner R.: Communication and Concurrency Prentice Hall (1989) [4] Schmidt G., Hattensperger C., Winter M.: Heterogeneous Relation Algebras In: Relational Methods in Computer Science, Advances in Computing Science, 45–63 Springer (1997) 219 Winter [5] Schmidt G., Stră ohlein T.: Relationen und Graphen Springer (1989); English version: Relations and Graphs Discrete Mathematics for Computer Scientists, EATCS Monographs on Theoret Comput Sci., Springer (1993) [6] Winskel G.: Synchronization Trees Theoret Comput Sci 34, (1984) [7] Winter M.: Strukturtheorie heterogener Relationenalgebren mit Anwendung auf Nichtdetermismus in Programmiersprachen, Dissertationsverlag NG Kopierladen GmbH, Mă unchen, (1998) [8] Winter M., Kempf P.: Relational Semantics for Processes, Report Nr 1998-01, Fakultă at fă ur Informatik, Universită at der Bundeswehr Mă unchen, (1998) [9] Winter M., Kempf P.: Processes as Relations In: Relational Methods for Computer Science Applications, Studies in Fuzziness and Soft Computing Vol 65, Springer (2001) 220 ... implementation of the algorithm within HASKELL and the RelView system After a short introduction to the RelView system we present the relational terms and programs in the internal language of RelView needed... language of RelView which are needed to handle processes and sets of processes Last but not least, we discuss the HASKELL program mentioned in the introduction 4.1 The RelView System The RelView system. .. (R*iota(R^,S^))+(S*kappa(R^,S^) The summation of relations, i.e the relation R + S from Section distr(R,S,T) = [pi(R,S)+pi(R,T),sum(rho(R,S),rho(R,T))] The relation distr from Section The system uses row constant relations,