CHAPTER 9
PROCESS ALGEBRA
A computer process is a program or section of a program (such as a function) in execution. It may be in one of the following states: ready, running, waiting, or terminated. A process algebra is a concise language for describing the possible execution steps of computer processes. It has a set of operators and syntactic rules for specifying a process using simple, atomic components. It is usually not a logic-based language.
Central to process algebras is the notion of equivalence, which is used to show that two processes have the same behavior. Well-established process algebras such as Hoare’s Communicating Sequential Processes (CSP) [Hoare, 1978; Hoare, 1985], Milner’s Calculus of Communicating Systems (CCS) [Milner, 1980; Milner, 1989], and Bergstra and Klop’s Algebra of Communicating Processes (ACP) [Bergstra and Klop, 1985] have been used to specify and analyze concurrent processes with interprocess communication. These are untimed algebras since they allow one to only reason about the relative ordering of the execution steps and events.
To use a process algebra or a process-algebraic approach to specify and analyze a system, we write the requirements specification of the system as an abstract process and the design specification as a detailed process. We then show that these two processes are equivalent, thus showing the design specification is correct with respect to the requirements specification. Here, the requirements specification may include the desired safety properties.
9.1 UNTIMED PROCESS ALGEBRAS
A process algebra has four basic components: (1) a concise language to specify a system as a process or set of processes, (2) an unambiguous semantics to provide
237
238 PROCESS ALGEBRA
precise meanings for the behavior of the specified processes, showing the possible execution steps of these processes, (3) an equivalence or preorder relation to compare the behavior of the processes, and (4) a set of algebraic laws to syntactically manipulate the process specifications. There are several notions of equivalence. In general, two processes are equivalent if every execution step of one process is also the same execution of the other process and vice versa. If the set of execution steps or behavior of a process is a subset of another process, a preorder exists between these two processes.
A typical process algebra has the following set of operators for composing processes or atomic components to specify complex systems. A prefix operator specifies the ordering of actions and events. A choice (or summation) operator selects one option among several possible choices. A parallel (or composition) operator indicates that two processes execute simultaneously. A hiding and restriction operator abstracts lower-level details such as communicating steps to reduce analysis complexity. A recursion operator describes a list of possibly infinite processes. Note that similar operators are used in David Parnas’ event-action model language described in chapter 6. In this chapter, we describe the untimed process algebra CCS and the timed process algebra called Algebra of Communicating Shared Resources (ACSR). We show how ACSR can be used to specify real-time systems, which can then be analyzed using syntactic and semantic techniques.
9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
Inspired by Dana Scott’s theory of computation, [Milner, 1980] developed a process algebra called the Calculus of Communicating Systems (CCS) to specify the behavior of untimed, concurrent, and communicating systems. He proposes the concept of observation equivalence of programs, and thus a congruence relation.
Observation Equivalence and Congruence: Two programs are observation equivalent if and only if they are indistinguishable by observation. Then, two programs are observation congruent if and only if they are observation equivalent.
Since an observation congruence class is considered a behavior, CCS is thus an algebra of behaviors in which each program stands for its congruence class. The syntax of CCS consists of (1) value expressions; (2) labels, sorts, and relabeling;
(3) behavior identifiers; and (4) behavior expressions.
Value Expressions: Value expressions are constructed from simple variables, constant symbols, and function symbols signifying known total functions over values. Labels are = , and τ. A sort L is a subset of and a sort L(B) is assigned to each behavior expression B. Given that P and Q are sorts, S : P → Q is a relabeling from P to Q if (1) it is a bijection and (2) it respects complements; that is,
S(a) = S(a) for a, a L.
MILNER’S CALCULUS OF COMMUNICATING SYSTEMS |
239 |
Each behavior identifier has a preassigned arity n(b) which indicates the number of value parameters, and a sort L(b).
Behavior Expressions: Behavior expressions are constructed with six types of behavior operators, by parameterizing behavior identifiers and by conditionals. The behavior operators are: inaction, summation, action, composition, restriction, and relabeling.
The inaction operator NIL (null) produces no atomic actions. The summation operator “+” in A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions. The action operator “.” is used to express axioms. The composition operator “|” in A | B signifies that an action of A or B in the composition produces an action of the composite in which the other component is unaffected. The restriction operator “\” in A\b indicates that B is restricted so that there are no b or b actions. An identifier can be parameterized as in b(E1, . . . , En(b)). A conditional is of the
def |
def |
form if E then B else B . The definition operator “ = |
” in X = P defines process X |
as a more complex process expression P. |
|
Example. Consider a system of two processes. Let Ni be the non-critical sections of process i, Ti be its section requesting to enter its critical section, and Ci be its critical section. The following CCS statement specifies that action P is the summation of three actions, each of which is a composition of two actions:
def
P = N1|N2 + T1|N2 + N1|T2.
More precisely, one choice is for the system’s two processes to stay in the non-critical sections. The second choice is for process 1 to request to enter its critical section while process 2 remains in the non-critical section. The third choice is for process 2 to request to enter its critical section while process 1 remains in the non-critical section.
The following CCS statement specifies that action Q has a choice of executing the critical section of process 1 or executing the critical section of process 2. Also, while executing C1, C2 is not allowed. Similarly, while executing C2, C1 is not allowed.
def
Q =C1\{C2} + C2\{C1}.
9.2.1 Direct Equivalence of Behavior Programs
Behavior programs having the same semantic derivations can be considered equivalent. In fact, these programs yield an equivalent relation or congruence, thus any program can be replaced by an equivalent one in any context without changing the behavior of the entire system. For example, the programs A + A and A + A are different but obviously interchangeable. Other example rules include: A + (B + C) =
(A + B) + C; A + N I L = A; and A + A = A.
240 PROCESS ALGEBRA
Summation Sum ≡ |
|
|
|
A + N I L = A |
|||||||
|
|
|
|
|
A + A = A |
||||||
|
|
|
|
A + B = B + A |
|||||||
|
|
|
A + (B + C) = (A + B) + C |
||||||||
Action Act ≡ |
|
|
α |
|
.A = α |
|
.A{ |
|
/ |
|
} |
x |
y |
y |
x |
||||||||
|
where |
|
is a vector of distinct variables not in A |
||||||||
|
y |
||||||||||
Composition Com |
|
|
|
|
A|B = B|A |
||||||
|
|
|
A|(B|C) = (A|B)|C |
||||||||
|
|
|
|
|
A|N I L = A |
||||||
Restriction Res ≡ |
|
|
|
|
NIL\α = NIL |
||||||
|
|
|
(A + B)\α = A\α + B\α |
||||||||
|
|
(g.A)\α = N I L i f α = name(g) |
|||||||||
|
|
|
|
else, = g.(A\α) |
|||||||
Relabeling Rel ≡ |
|
|
|
NIL[S] = NIL |
|||||||
|
|
|
(A + B)[S] = A[S] + B[S] |
||||||||
Rel |
|
|
(g.B)[S] = S(g).(B[S]) |
||||||||
A[I ] = A, I : L → L is the identity mapping |
|||||||||||
|
|
|
|
|
A[S] = A[S ] |
||||||
|
|
|
A[S][S ] = A[S oS] |
||||||||
|
A[S]\β = A\α[S], β = name(S(α)) |
||||||||||
|
|
|
(A|B)[S] = A[S]|B[S] |
||||||||
Conditional |
|
|
if true then A else B = A |
||||||||
|
|
|
if false then A else B = B |
||||||||
Unobservable action τ |
|
|
|
|
g.τ.A = g.A |
||||||
|
|
|
|
A + τ.A = τ.A |
|||||||
|
g.(A + τ.B) + g.B = g.(A + τ.B) |
||||||||||
|
|
|
A + τ.(A + B) = τ.(A + B) |
||||||||
Observation equivalence |
|
|
|
|
A ≈ τ.A |
||||||
|
|
|
¬(P Q) = (¬P ¬Q) |
||||||||
|
Figure 9.1 CCS laws. |
||||||||||
Direct Equivalence: Two behavior programs are directly equivalent iff for every input, both programs produce the same behavior, that is, same results.
Given a specification written in CCS, we can use equational laws to rewrite it in a form we desire. To show that two specifications are equivalent, we can use these laws to rewrite them to establish equivalence. We summarize selected CCS laws for easy reference in Figure 9.1.
9.2.2 Congruence of Behavior Programs
The results of the actions of directly equivalent programs must be identical. To generalize the direct equivalence relation, a congruence relation that requires only the