CHAPTER 9 PROCESS ALGEBRA

Real-Time Systems: Scheduling, Analysis, and Verification. Albert M. K. Cheng. Copyright © 2002 John Wiley & Sons, Inc. ISBN: 0-471-18406-3

A computer process is a program or section of a program (such as a function) in execution. It may be in one of the following states: ready, running, waiting, or terminated. A process algebra is a concise language for describing the possible execution steps of computer processes. It has a set of operators and syntactic rules for specifying a process using simple, atomic components. It is usually not a logic-based language. Central to process algebras is the notion of equivalence, which is used to show that two processes have the same behavior.

Well-established process algebras such as Hoare’s Communicating Sequential Processes (CSP) [Hoare, 1978; Hoare, 1985], Milner’s Calculus of Communicating Systems (CCS) [Milner, 1980; Milner, 1989], and Bergstra and Klop’s Algebra of Communicating Processes (ACP) [Bergstra and Klop, 1985] have been used to specify and analyze concurrent processes with interprocess communication. These are untimed algebras since they allow one to reason only about the relative ordering of the execution steps and events.

To use a process algebra or a process-algebraic approach to specify and analyze a system, we write the requirements specification of the system as an abstract process and the design specification as a detailed process. We then show that these two processes are equivalent, thus showing the design specification is correct with respect to the requirements specification. Here, the requirements specification may include the desired safety properties.

9.1 UNTIMED PROCESS ALGEBRAS

A process algebra has four basic components: (1) a concise language to specify a system as a process or set of processes, (2) an unambiguous semantics to provide precise meanings for the behavior of the specified processes, showing the possible execution steps of these processes, (3) an equivalence or preorder relation to compare the behavior of the processes, and (4) a set of algebraic laws to syntactically manipulate the process specifications.

There are several notions of equivalence. In general, two processes are equivalent if every execution step of one process is also the same execution of the other process and vice versa. If the set of execution steps or behavior of a process is a subset of another process, a preorder exists between these two processes.

A typical process algebra has the following set of operators for composing processes or atomic components to specify complex systems. A prefix operator specifies the ordering of actions and events. A choice (or summation) operator selects one option among several possible choices. A parallel (or composition) operator indicates that two processes execute simultaneously. A hiding and restriction operator abstracts lower-level details such as communicating steps to reduce analysis complexity. A recursion operator describes a list of possibly infinite processes. Note that similar operators are used in David Parnas’ event-action model language described in chapter 6.

In this chapter, we describe the untimed process algebra CCS and the timed process algebra called Algebra of Communicating Shared Resources (ACSR). We show how ACSR can be used to specify real-time systems, which can then be analyzed using syntactic and semantic techniques.

9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS

Inspired by Dana Scott’s theory of computation, [Milner, 1980] developed a process algebra called the Calculus of Communicating Systems (CCS) to specify the behavior of untimed, concurrent, and communicating systems. He proposes the concept of observation equivalence of programs, and thus a congruence relation.
Observation Equivalence and Congruence: Two programs are observation equivalent if and only if they are indistinguishable by observation. Then, two programs are observation congruent if and only if they are observation equivalent. Since an observation congruence class is considered a behavior, CCS is thus an algebra of behaviors in which each program stands for its congruence class.

The syntax of CCS consists of (1) value expressions; (2) labels, sorts, and relabeling; (3) behavior identifiers; and (4) behavior expressions.

Value Expressions: Value expressions are constructed from simple variables, constant symbols, and function symbols signifying known total functions over values.

Labels are = ∪ , and τ. A sort L is a subset of , and a sort L(B) is assigned to each behavior expression B. Given that P and Q are sorts, S : P → Q is a relabeling from P to Q if (1) it is a bijection and (2) it respects complements; that is, $S(\bar{a}) = \overline{S(a)}$ for $a, \bar{a} \in L$.

Each behavior identifier has a preassigned arity n(b), which indicates the number of value parameters, and a sort L(b).

Behavior Expressions: Behavior expressions are constructed with six types of behavior operators, by parameterizing behavior identifiers and by conditionals. The behavior operators are: inaction, summation, action, composition, restriction, and relabeling. The inaction operator NIL (null) produces no atomic actions. The summation operator “+” in A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions. The action operator “.” is used to express axioms. The composition operator “|” in A | B signifies that an action of A or B in the composition produces an action of the composite in which the other component is unaffected. The restriction operator “\” in A\b indicates that A is restricted so that there are no b or $\bar{b}$ actions. An identifier can be parameterized as in $b(E_1, \ldots, E_{n(b)})$. A conditional is of the form if E then B else B′.

The definition operator “$\stackrel{def}{=}$” in $X \stackrel{def}{=} P$ defines process X as a more complex process expression P.

Example. Consider a system of two processes. Let $N_i$ be the non-critical section of process i, $T_i$ be its section requesting to enter its critical section, and $C_i$ be its critical section. The following CCS statement specifies that action P is the summation of three actions, each of which is a composition of two actions:

$P \stackrel{def}{=} N_1 | N_2 + T_1 | N_2 + N_1 | T_2.$

More precisely, one choice is for the system’s two processes to stay in the non-critical sections. The second choice is for process 1 to request to enter its critical section while process 2 remains in the non-critical section. The third choice is for process 2 to request to enter its critical section while process 1 remains in the non-critical section. The following CCS statement specifies that action Q has a choice of executing the critical section of process 1 or executing the critical section of process 2. Also, while executing $C_1$, $C_2$ is not allowed. Similarly, while executing $C_2$, $C_1$ is not allowed.

$Q \stackrel{def}{=} C_1 \setminus \{C_2\} + C_2 \setminus \{C_1\}.$

9.2.1 Direct Equivalence of Behavior Programs

Behavior programs having the same semantic derivations can be considered equivalent. In fact, these programs yield an equivalence relation or congruence, thus any program can be replaced by an equivalent one in any context without changing the behavior of the entire system. For example, the programs A + A and A + A are different but obviously interchangeable. Other example rules include: A + (B + C) = (A + B) + C; A + NIL = A; and A + A = A.

Summation (Sum, ≡):
  A + NIL = A
  A + A = A
  A + B = B + A
  A + (B + C) = (A + B) + C
Action (Act, ≡):
  αx.A = αy.A{y/x}, where y is a vector of distinct variables not in A
Composition (Com, ∼):
  A|B = B|A
  A|(B|C) = (A|B)|C
  A|NIL = A
Restriction (Res, ≡):
  NIL\α = NIL
  (A + B)\α = A\α + B\α
  (g.A)\α = NIL if α = name(g); otherwise (g.A)\α = g.(A\α)
Relabeling (Rel, ≡):
  NIL[S] = NIL
  (A + B)[S] = A[S] + B[S]
  (g.B)[S] = S(g).(B[S])
Relabeling (Rel, ∼):
  A[I] = A, where I : L → L is the identity mapping
  A[S] = A[S′]
  A[S][S′] = A[S′ ∘ S]
  A[S]\β = A\α[S], where β = name(S(α))
  (A|B)[S] = A[S]|B[S]
Conditional:
  if true then A else B = A
  if false then A else B = B
Unobservable action τ:
  g.τ.A = g.A
  A + τ.A = τ.A
  g.(A + τ.B) + g.B = g.(A + τ.B)
  A + τ.(A + B) = τ.(A + B)
Observation equivalence:
  A ≈ τ.A
  ¬(P ∧ Q) = (¬P ∨ ¬Q)

Figure 9.1 CCS laws.

Direct Equivalence: Two behavior programs are directly equivalent iff for every input, both programs produce the same behavior, that is, the same results.

Given a specification written in CCS, we can use equational laws to rewrite it in a form we desire. To show that two specifications are equivalent, we can use these laws to rewrite them to establish equivalence. We summarize selected CCS laws for easy reference in Figure 9.1.

9.2.2 Congruence of Behavior Programs

The results of the actions of directly equivalent programs must be identical. To generalize the direct equivalence relation, a congruence relation that requires only the results be equivalent is introduced. Using this congruence relation, equivalence between programs is also preserved by the substitution of equivalent programs.

9.2.3 Equivalence Relations: Bisimulation

The concept of bisimulation is used to establish the equivalence between two processes. Bisimulation compares the execution trees of these two processes. Two common types of bisimulation exist: strong bisimulation and weak bisimulation [Milner, 1989].

Strong Bisimulation: A binary relation r is a strong bisimulation for a given transition “→” if, for (P, Q) ∈ r and for any action or event a,

1. if $P \xrightarrow{a} P'$, then $\exists Q'$ such that $Q \xrightarrow{a} Q'$ and $(P', Q') \in r$, and
2. if $Q \xrightarrow{a} Q'$, then $\exists P'$ such that $P \xrightarrow{a} P'$ and $(P', Q') \in r$.

This basically means that if P (or Q) can execute one step on event a, then Q (or P) should be able to execute one step on event a such that both of the next states are also bisimilar.

Weak Bisimulation: A binary relation r is a weak bisimulation for a given transition “→” if, for (P, Q) ∈ r and for any action or event a ∈ D,

1. if $P \xrightarrow{a} P'$, then $\exists Q'$ such that $Q \stackrel{\hat{a}}{\Longrightarrow} Q'$ and $(P', Q') \in r$, and
2. if $Q \xrightarrow{a} Q'$, then $\exists P'$ such that $P \stackrel{\hat{a}}{\Longrightarrow} P'$ and $(P', Q') \in r$.

9.3 TIMED PROCESS ALGEBRAS

Introducing the notion of time to untimed process algebras makes them applicable to specify and verify real-time systems while maintaining their modular verification capabilities as well as their single-language specification advantage. Dual-language specifications include model checking and the time ER net/TRIO approach. For instance, in model checking, the modeled system is specified as a state-transition graph and the property to be checked is specified in temporal logic.

The time extension is done by adding timed operators to the original set of untimed operators. Several timed process algebras exist as a result of these timed extensions. These real-time process algebras can specify process synchronization delays and upper bounds in terms of absolute timing intervals but vary in the way they model the resources used by processes.

On one end of the spectrum is the assumption that each type of resource is unlimited so that a ready process (not blocked by communication constraints, as discussed in chapter 3) can start execution without delay. On the other end of the spectrum is the assumption that a single processor exists so that all process executions are interleaved. Between these two extreme assumptions are real-time process algebras that assume a limited number of resources. One popular timed process algebra that assumes a limited number of n resources capable of executing n actions is the ACSR [Lee, Bremond-Gregoire, and Gerber, 1994].
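Returning to the strong and weak bisimulation definitions of Section 9.2.3: the following Python is an added example written for this page (not the book's code) that computes the largest strong or weak bisimulation over a finite labeled transition system by greatest-fixpoint refinement, exactly the two transfer conditions stated above, with the weak variant using the $\hat{a}$ step (τ* a τ* for an observable a, τ* for a = τ). The dictionary encoding of the LTS, the state names, and the label "tau" are assumptions of the example. The sample processes are constructed here: a.(b.NIL + c.NIL) versus a.b.NIL + a.c.NIL, which have the same traces yet are not bisimilar, and τ.a.NIL versus a.NIL, which are weakly but not strongly bisimilar (the law A ≈ τ.A in Figure 9.1). It goes beyond the text in also computing finite trace sets, so the reader can see where trace equivalence and bisimulation differ.

```python
"""Strong and weak bisimulation over a finite labeled transition system (LTS).

Added example; not code from the book. An LTS is a dict mapping each state to
a list of (label, successor) pairs; the label "tau" is the unobservable action.
"""
from itertools import product

TAU = "tau"

def all_states(lts):
    """Every state mentioned as a source or a target in the LTS."""
    return set(lts) | {t for moves in lts.values() for (_, t) in moves}

def successors(lts, state, label):
    """Strong step: all P' with P --label--> P'."""
    return {t for (l, t) in lts.get(state, []) if l == label}

def tau_closure(lts, states):
    """All states reachable from `states` by zero or more tau steps."""
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for t in successors(lts, s, TAU):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def weak_successors(lts, state, label):
    """Weak step P ==a^==> P': tau* a tau* for an observable a, tau* for a == tau."""
    before = tau_closure(lts, {state})
    if label == TAU:
        return before
    after = set()
    for s in before:
        after |= successors(lts, s, label)
    return tau_closure(lts, after)

def largest_bisimulation(lts, weak=False):
    """Greatest fixpoint: start from all state pairs and drop every pair that
    violates one of the two transfer conditions until nothing changes."""
    match = weak_successors if weak else successors
    labels = {l for moves in lts.values() for (l, _) in moves}
    rel = set(product(all_states(lts), repeat=2))
    changed = True
    while changed:
        changed = False
        for (p, q) in list(rel):
            ok = all(
                # condition 1: each strong step of p is matched by a (weak) step of q
                all(any((p2, q2) in rel for q2 in match(lts, q, a))
                    for p2 in successors(lts, p, a))
                and
                # condition 2: symmetrically, each strong step of q is matched by p
                all(any((p2, q2) in rel for p2 in match(lts, p, a))
                    for q2 in successors(lts, q, a))
                for a in labels)
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel

def bisimilar(lts, p, q, weak=False):
    return (p, q) in largest_bisimulation(lts, weak=weak)

def traces(lts, state, max_len):
    """Finite traces (label sequences) of length <= max_len, for contrast."""
    result, frontier = {()}, {((), state)}
    for _ in range(max_len):
        frontier = {(tr + (l,), t) for (tr, s) in frontier for (l, t) in lts.get(s, [])}
        result |= {tr for (tr, _) in frontier}
    return result

# Constructed sample LTS (two CCS-style pairs side by side, disjoint state names):
#   p0: a.(b.NIL + c.NIL)     q0: a.b.NIL + a.c.NIL    -- same traces, not bisimilar
#   t0: tau.a.NIL             u0: a.NIL                -- weakly, not strongly, bisimilar
SAMPLE = {
    "p0": [("a", "p1")], "p1": [("b", "p2"), ("c", "p3")],
    "q0": [("a", "q1"), ("a", "q2")], "q1": [("b", "q3")], "q2": [("c", "q4")],
    "t0": [(TAU, "t1")], "t1": [("a", "t2")],
    "u0": [("a", "u1")],
}

if __name__ == "__main__":
    print("same traces:", traces(SAMPLE, "p0", 2) == traces(SAMPLE, "q0", 2))
    print("p0 ~ q0 (strong):", bisimilar(SAMPLE, "p0", "q0"))
    print("t0 ~ u0 (strong):", bisimilar(SAMPLE, "t0", "u0"))
    print("t0 ~ u0 (weak):", bisimilar(SAMPLE, "t0", "u0", weak=True))
```

The refinement loop is the textbook greatest-fixpoint construction: any pair that survives satisfies both conditions with respect to the final relation, so the result is itself a bisimulation and contains every other one. The p0/q0 pair shows why bisimulation, not trace inclusion, is the right notion for a design-versus-requirements check: both processes accept the same traces, but after the first a only one of them still offers both b and c.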
9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES

The ACSR language is a discrete real-time process algebra based on CCS (described earlier) that provides several operators to handle timing properties. These operators can be used to bound the execution time of a sequence of actions, to delay the sequence’s execution by a number of time units, and to timeout while waiting for specific actions to occur. The exception operator can be inserted into any place within a process and allows an exception to be raised, immediately handled by an external exception-handling process, just like in an exception-handling mechanism of a real computer process. The interrupt operator allows the specification of responses or reactions to asynchronous actions or events.

The ACSR computation model views a real-time system as a collection of communicating processes competing for shared resources. Every execution step is either an action or an event.

Action: An action is a set of consumptions of resources $\{r_1, \ldots, r_n\}$ at corresponding non-negative priority levels $p_1, \ldots, p_n$ for one time unit. A resource consumption is denoted by a pair $(r_i, p_i)$. The execution of an action is constrained by the availability of the specified resources and the priorities of competing actions. For example, the action {(cpu1, 2)} means the use of the resource cpu1 at priority level 2 for one time unit, and the action {(cpu1, 2), (disk2, 1)} means the use of the resource cpu1 at priority level 2 and the use of the resource disk2 at priority level 1 for one time unit. The action ∅ indicates idling for one time unit, that is, the non-consumption of any resource for one time unit.

An event serves as a synchronization or communication mechanism between processes, or as an observation or monitoring step by an entity external to the specified system.

Event: Each event $e_i$ has a corresponding priority $p_i$ and is denoted by a pair $(e_i, p_i)$. The execution of an event is instantaneous and does not consume any resource. As for actions, priorities are used to determine which event to execute if there is more than one ready event. Unless synchronization constraints exist between matching events in two processes, they execute their events asynchronously.

Timed Behavior: A timed behavior is a possibly infinite sequence of execution steps. More precisely, this behavior is a sequence of actions in which a sequence of zero or more events may appear between any two consecutive actions.

9.4.1 Syntax of ACSR

We next describe in detail the syntax and semantics of the different types of ACSR processes.

NIL is a process that performs no action and is always deadlocked. This is the same as CCS’s inaction operator NIL, which produces no atomic actions.

The action prefix operator “:” in A : P indicates that the resource-consuming action A executes at the first time unit, and then process P runs.

The event prefix operator “.” in (a, n).P indicates that the event (a, n) executes (occurs) instantly with no time passage, and then process P runs. In CCS, “.” is the action operator used to express axioms.

The choice operator “+” in P + Q is basically an “or,” signifying a choice is available between processes P and Q. The effect is that this composed process may behave like either P or Q. In CCS, “+” is the summation operator, so A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions.

The parallel operator “‖” in P ‖ Q indicates that processes P and Q can execute in parallel. This is similar to CCS’s composition operator “|”.

The close operator “[ ]” in $[P]_I$ creates a process that only uses resources in the set I.

The restriction operator “\” in P\F indicates that while process P is executing, events with labels in F cannot execute. This is similar to CCS’s restriction operator “\” as in A\b, which indicates that A is restricted so that there are no b or $\bar{b}$ actions.

The hiding operator “\\” in P\\H hides the identity of the resources in the set H from process P.

The notation rec X.P signifies process P is recursive so that the described behavior of P is infinite.

The following operator allows ACSR to specify absolute timing properties. The notation $P \,\Delta^{\alpha}_{t}\, (Q, R, S)$ indicates that a temporal scope binds the process P and is called the scope construct. t is a non-negative integer time bound. If P ends successfully before t by executing the event α, control is transferred to Q, called the success-handler. Otherwise, if P does not end successfully before t, control is transferred to R, called the timeout exception-handler. S may interrupt P before t time units and break the binding of P to this temporal scope, that is, cause P to exit this temporal scope.

The definition operator “$\stackrel{def}{=}$” in $X \stackrel{def}{=} P$ allows one to use the process name X instead of its longer and more complex process expression P.

As usual, subscripts are used to indicate indexed processes and events as in $P_2$ and $(e_1, k).P$. The notation $P^n$ means that P executes or occurs n times, that is, P : P : … : P, in which there are n P’s. This is similar to the notation used in regular expressions described in chapter 2. Note that operators such as “.” have implicit timing specifications. Many notations (operators) borrow from logic operators.

9.4.2 Semantics of ACSR: Operational Rules

A labeled transition system (represented by a state space graph) is used to describe and define the executions of a process. The labeled transition system of a process is a labeled directed graph G = (V, E). V is a set of states of a process. E is a set of edges, each of which denotes an execution step or action $e_i$ such that an edge $(P_i, P_j)$ connects state $P_i$ to state $P_j$ iff there is a step $e_i$ that is enabled at state $P_i$, and executing $e_i$ will modify the state of the process to have the same values as the tuple at state $P_j$.

An invocation of a process can be thought of as tracing a path in the labeled transition system. The states are described by a concrete syntax (a process) in process algebra. We use a finite set of transition rules to infer the execution steps of the behavior of a process. Two transition systems are available for defining the semantics of ACSR: unconstrained and prioritized.

Unconstrained Transition System: In the unconstrained transition system, $P \xrightarrow{e} P'$ denotes a transition, and no indication is given of a priority for pruning impossible execution steps.

Prioritized Transition System: In the prioritized transition system, $P \xrightarrow{e}_{\pi} P'$ denotes a transition, and priority information is used to ignore impossible execution steps.

Operational rules are used to define the semantics of the ACSR operators. An operational rule defines an execution step corresponding to a transition in the labeled transition system. It describes a particular behavior of a process. Two ACSR axioms exist for action prefix and event prefix. These are similar to CCS’s prefix operator.

Axiom. The following axiom is for action prefix:

ActT: $A : P \xrightarrow{A} P$

Example. Consider the process $C_{1,j} \stackrel{def}{=} \emptyset : C_{1,j} + \{(cpu1, 1)\} : C_{1,j+1} + \{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$. The last branch $\{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$, means that this process can use the resource cpu2 at priority level 1 for one time unit and go to process $C_{1,j+1}$.

Axiom. The following axiom is for event prefix:

ActI: $(a, n).P \xrightarrow{(a,n)} P$

Example. The process $T_1 \stackrel{def}{=} (s_1, 1).C_{1,0}$ can execute event $(s_1, 1)$ and go to process $C_{1,0}$.

The choice rules allow the selection of one option between two possible choices and are the same for actions and events. The choice operator is the same as CCS’s summation operator Sum.

Choice

ChoiceL: $\dfrac{P \xrightarrow{e} P'}{P + Q \xrightarrow{e} P'}$

ChoiceR: $\dfrac{Q \xrightarrow{e} Q'}{P + Q \xrightarrow{e} Q'}$

Example. The process $C_{1,j} \stackrel{def}{=} \emptyset : C_{1,j} + \{(cpu1, 1)\} : C_{1,j+1} + \{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$, may choose one of three execution steps: idling for one time unit, using resource cpu1, or using resource cpu2.

The parallel operator Par is used to specify communication and concurrency. In CCS, the parallel operator Par is called the composition operator Com. The ParT rule applies to two synchronous time-consuming transitions. The ParIL, ParIR, and ParCom rules apply to event transitions, which may be asynchronous.

Parallel Composition

ParT: $\dfrac{P \xrightarrow{A_1} P', \quad Q \xrightarrow{A_2} Q'}{P \| Q \xrightarrow{A_1 \cup A_2} P' \| Q'}$ with $s(A_1) \cap s(A_2) = \emptyset$, where $s(A_1)$ and $s(A_2)$ are the sets of resources used by actions $A_1$ and $A_2$, respectively. This constraint indicates that only one process may use a specific resource during a time step.

ParIL: $\dfrac{P \xrightarrow{(a,n)} P'}{P \| Q \xrightarrow{(a,n)} P' \| Q}$

ParIR: $\dfrac{Q \xrightarrow{(a,n)} Q'}{P \| Q \xrightarrow{(a,n)} P \| Q'}$

ParCom: $\dfrac{P \xrightarrow{(a,n)} P', \quad Q \xrightarrow{(\bar{a},m)} Q'}{P \| Q \xrightarrow{(\rho,n+m)} P' \| Q'}$

Example. The following shows the parallel composition of five processes:

$Radar \stackrel{def}{=} [(Scheduler \| T_1 \| T_2 \| T_3 \| T_4) \setminus \{s_1, s_2, s_3, s_4\}]_{\{cpu1,\, cpu2\}}.$

The scope operator is used to specify behaviors induced by a temporal scope. The ScopeCT and ScopeCI rules mean that while t > 0 and P does not execute an event b, P’s executions continue. The “end” ScopeE rule means that P can exit the temporal scope by executing an event b. This label b becomes the identity label ρ on exit. The timeout ScopeT rule means that when t = 0, indicating timeout from the scope, control is transferred to the timeout exception-handler R. The ScopeI rule means that while the scope is active, process S may kill (interrupt) process P.

Scope

ScopeCT: $\dfrac{P \xrightarrow{A} P'}{P \,\Delta^{b}_{t}\, (Q, R, S) \xrightarrow{A} P' \,\Delta^{b}_{t-1}\, (Q, R, S)}$ where t > 0.

ScopeCI: $\dfrac{P \xrightarrow{(a,n)} P'}{P \,\Delta^{b}_{t}\, (Q, R, S) \xrightarrow{(a,n)} P' \,\Delta^{b}_{t}\, (Q, R, S)}$ where a ≠ b, t > 0.

ScopeE: $\dfrac{P \xrightarrow{(b,n)} P'}{P \,\Delta^{b}_{t}\, (Q, R, S) \xrightarrow{(\rho,n)} Q}$ where t > 0.

ScopeT: $\dfrac{R \xrightarrow{e} R'}{P \,\Delta^{b}_{t}\, (Q, R, S) \xrightarrow{e} R'}$ where t = 0.

[...]
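The operational rules of Section 9.4.2 can be executed directly. The following Python is an added example written for this page (it is not the book's code, nor the VERSA tool's) that implements the unconstrained transition relation for a core of ACSR: ActT, ActI, ChoiceL/ChoiceR, ParT with the resource-disjointness side condition, ParIL, ParIR, ParCom, restriction, and the ScopeCT, ScopeCI, ScopeE and ScopeT rules. It is run on the book's own $C_{1,j}$ and $T_1$ processes and on a restricted parallel composition in the style of the Radar example. Assumptions of the example, not of the text: the tuple encoding of terms, $c_1 = c_2 = 2$ with $C_{i,c_i}$ = NIL, the spelling a! for the complement of event a, the interrupt handler S being left out of the scope construct (the ScopeI rule is not given in the excerpt), and priorities being carried on labels but not used for pruning (this is the unconstrained, not the prioritized, transition system).

```python
"""Unconstrained one-step transitions for a core of ACSR (added example, not the
book's or VERSA's code). Process terms are tuples:
  ("NIL",)                  ("act", A, P)  A : P, A a frozenset of (resource, priority)
  ("evt", (a, n), P)        ("+", P, Q)    choice          ("par", P, Q)   P || Q
  ("res", P, F)             P \\ F: events whose name is in the set F cannot execute
  ("scope", P, b, t, Q, R)  scope construct; the interrupt handler S is left out because
                            the ScopeI rule is not in the excerpt (an assumption)
  ("id", X)                 a name bound with the definition operator in DEFS
Labels: ("A", A) for an action, ("E", a, n) for an event. An event a and its complement,
written a! here (an assumption), synchronize (ParCom) into the identity event rho.
"""
from itertools import product

IDLE = frozenset()          # the action ∅: idle for one time unit
DEFS = {}                   # X def= P bindings

def complement(a):
    return a[:-1] if a.endswith("!") else a + "!"

def resources(A):
    """s(A): the resources consumed by action A."""
    return {r for (r, _) in A}

def steps(P):
    """All unconstrained transitions P --e--> P', as (label, P') pairs."""
    kind = P[0]
    if kind == "NIL":
        return []
    if kind == "act":                                    # ActT
        return [(("A", P[1]), P[2])]
    if kind == "evt":                                    # ActI
        a, n = P[1]
        return [(("E", a, n), P[2])]
    if kind == "id":
        return steps(DEFS[P[1]])
    if kind == "+":                                      # ChoiceL and ChoiceR
        return steps(P[1]) + steps(P[2])
    if kind == "res":                                    # restriction P \ F
        return [(l, ("res", P2, P[2])) for (l, P2) in steps(P[1])
                if l[0] != "E" or l[1].rstrip("!") not in P[2]]
    if kind == "par":
        return par_steps(P[1], P[2])
    if kind == "scope":
        return scope_steps(*P[1:])
    raise ValueError(f"unknown term {P!r}")

def par_steps(P, Q):
    sp, sq = steps(P), steps(Q)
    out = []
    for (lp, P2), (lq, Q2) in product(sp, sq):
        if lp[0] == "A" and lq[0] == "A":                # ParT: one user per resource per tick
            if resources(lp[1]).isdisjoint(resources(lq[1])):
                out.append((("A", lp[1] | lq[1]), ("par", P2, Q2)))
        elif lp[0] == "E" and lq[0] == "E" and lq[1] == complement(lp[1]):
            out.append((("E", "rho", lp[2] + lq[2]), ("par", P2, Q2)))  # ParCom
    out += [(lp, ("par", P2, Q)) for (lp, P2) in sp if lp[0] == "E"]     # ParIL
    out += [(lq, ("par", P, Q2)) for (lq, Q2) in sq if lq[0] == "E"]     # ParIR
    return out

def scope_steps(P, b, t, Q, R):
    if t == 0:                                           # ScopeT: timeout, R takes over
        return steps(R)
    out = []
    for (l, P2) in steps(P):
        if l[0] == "A":                                  # ScopeCT: a tick, bound shrinks
            out.append((l, ("scope", P2, b, t - 1, Q, R)))
        elif l[1] == b:                                  # ScopeE: success, exit to Q as rho
            out.append((("E", "rho", l[2]), Q))
        else:                                            # ScopeCI: other events, t unchanged
            out.append((l, ("scope", P2, b, t, Q, R)))
    return out

def define_task(i, c):
    """The book's C_{i,j} (0 <= j < c) and T_i; C_{i,c} = NIL is an assumption of this example."""
    for j in range(c):
        nxt = ("id", f"C{i}_{j + 1}")
        DEFS[f"C{i}_{j}"] = ("+", ("act", IDLE, ("id", f"C{i}_{j}")),
                             ("+", ("act", frozenset({("cpu1", 1)}), nxt),
                                   ("act", frozenset({("cpu2", 1)}), nxt)))
    DEFS[f"C{i}_{c}"] = ("NIL",)
    DEFS[f"T{i}"] = ("evt", (f"s{i}", 1), ("id", f"C{i}_0"))

define_task(1, 2)      # c_1 = 2 and c_2 = 2 are constructed values
define_task(2, 2)

def demo():
    """Counts and labels a reader can compare with the rules in the text."""
    three = steps(("id", "C1_0"))                                        # idle, cpu1, cpu2
    both = steps(("par", ("id", "C1_0"), ("id", "C2_0")))                # 9 pairs minus 2 conflicts
    sync = steps(("res", ("par", ("id", "T1"), ("evt", ("s1!", 2), ("NIL",))), {"s1"}))
    timed = steps(("scope", ("id", "T1"), "s1", 3, ("id", "C1_0"), ("NIL",)))
    return len(three), len(both), [l for (l, _) in sync], [l for (l, _) in timed]

if __name__ == "__main__":
    print(demo())   # (3, 7, [('E', 'rho', 3)], [('E', 'rho', 1)])
```

Two of the returned values are the ones worth checking by hand against the rules. `both` has 7 transitions rather than 9 because ParT's side condition $s(A_1) \cap s(A_2) = \emptyset$ rejects the two steps in which both tasks would use cpu1 or both cpu2 in the same time unit. `sync` has exactly one transition because restriction on $s_1$ removes the two asynchronous ParIL/ParIR steps and leaves only the synchronized ParCom step labelled $(\rho, 3)$, which is how the Radar process forces its scheduler and tasks to rendezvous on $s_1, \ldots, s_4$.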
... ACSR [Bremond-Gregoire, 1994; Lee, Bremond-Gregoire, and Gerber, 1994]. To improve the user interface, [Ben-Abdallah, Lee, and Choi, 1995; Ben-Abdallah, 1996; Ben-Abdallah and Lee, 1998] introduced a graphical language called GCSR together with a formal semantics specifying and analyzing real-time systems. [Ben-Abdallah et al., 1998] and [Choi, Lee, and Xie, 1995] also applied the process-algebraic approach ...

... specify the solution to the two-process mutual-exclusion problem. Use the definition operator to specify a recursive process without using the rec operator. How does ACSR extend CCS to allow the specification of real-time systems? Describe the timing-related operator. The radar system specified using ACSR employs a rate-monotonic scheduler to assign priorities to its signal-processing tasks. It also has two ...

... approaches such as untimed automata (chapter 2), model-checking (chapter 4), Statecharts (chapter 5), RTL (chapter 6), and timed automata (chapter 7), and thus also suffers from the state-explosion problem. However, this transition system is usually smaller since it describes only behaviors of interest to the analysis, such as deadlock-freedom. The process-algebraic method constructs a specification of a system ...

... process specification to study specific system behaviors. The basic version of VERSA has a command-oriented interface for inputting process descriptions, binding them to identifiers, and operating on them. The graphics-oriented version of VERSA provides an X/Motif user interface, known as X-VERSA, with a point-and-click interface. This significantly improves the usability of the algebraic term rewriting facility ...

... a design specification is correct with respect to a requirements specification using a process-algebraic approach, we show that the two processes representing respectively these two specifications are equivalent. Two ways exist to establish this equivalence: syntax-based and semantics-based techniques. The syntax-based technique uses a suite of equational laws to manipulate the textual representations of ...

... properties. Two ways are available to establish equivalence: syntax-based and semantics-based techniques. The VERSA system [Clarke, Lee, and Xie, 1995] maintains as much as possible the syntax of ACSR while using ASCII keyboard-typable notations for special ACSR characters and subscripted or superscripted variables. Here, VERSA converts the algebraic-process descriptions bound to these processes to state machines ...

... testing algorithms. Indexed names are not supported in X-VERSA.

9.5.3 Practicality

Originally, the lack of a graphical input-output interface makes ACSR and its corresponding tool kit VERSA more difficult to use than other tools with a graphical user interface. Recently, a graphical language [Ben-Abdallah, Lee, and Choi, 1995; Ben-Abdallah, 1996; Ben-Abdallah and Lee, 1998] was introduced to provide a better ...

... To specify and verify real-time systems while maintaining their modular verification capabilities as well as their single-language specification advantage, untimed process algebras have been extended with the notion of time by adding timed operators to the original set of untimed operators. Several timed process algebras exist as a result of these timed extensions. These real-time process algebras can ...

... interleaved. Between these two extreme assumptions, real-time process algebras assume a limited number of resources. One popular timed process algebra that assumes a limited number of n resources capable of executing n actions is the Algebra of Communicating Shared Resources (ACSR) [Lee, Bremond-Gregoire, and Gerber, 1994]. The ACSR language is a discrete real-time process algebra based on CCS (described earlier) ...

... machines. VERSA and its graphical user interface version, X-VERSA, are implemented in C++. It is made more portable with the use of the LEDA class library, and the libg++ and X/Motif libraries. The input and output interface is built with the Lex and Yacc compiler construction tools. To make the analysis more efficient, the tool kit makes use of a low-level programming language and the latest state space construction ...