results be equivalent is introduced. Using this congruence relation, equivalence between programs is also preserved by the substitution of equivalent programs.

9.2.3 Equivalence Relations: Bisimulation

The concept of bisimulation is used to establish the equivalence between two processes. Bisimulation compares the execution trees of these two processes. Two common types of bisimulation exist: strong bisimulation and weak bisimulation [Milner, 1989].

Strong Bisimulation: A binary relation r is a strong bisimulation for a given transition “→” if, for (P, Q) r and for any action or event a,

This basically means that if P (or Q) can execute one step on event a, then Q (or P) should be able to execute one step on event a such that both of the next states are also bisimilar.

Weak Bisimulation: A binary relation r is a weak bisimulation for a given transition “→” if, for (P, Q) r and for any action or event a D,

9.3 TIMED PROCESS ALGEBRAS

Introducing the notion of time to untimed process algebras makes them applicable to specify and verify real-time systems while maintaining their modular verification capabilities as well as their single-language specification advantage. Dual-language specifications include model checking and the time ER net/TRIO approach. For instance, in model checking, the modeled system is specified as a state-transition graph and the property to be checked is specified in temporal logic.

The time extension is done by adding timed operators to the original set of untimed operators. Several timed process algebras exist as a result of these timed extensions. These real-time process algebras can specify process synchronization delays and upperbounds in terms of absolute timing intervals but vary in the way they model the resources used by processes.

On one end of the spectrum is the assumption that each type of resource is unlimited so that a ready process (not blocked by communication constraints, as discussed in chapter 3) can start execution without delay. On the other end of the spectrum is the assumption that a single processor exists so that all process executions are interleaved. Between these two extreme assumptions are real-time process algebras that

242 PROCESS ALGEBRA

assume a limited number of resources. One popular timed process algebra that assumes a limited number of n resources capable of executing n actions is the ACSR [Lee, Bremond-Gregoire, and Gerber, 1994].

9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES

The ACSR language is a discrete real-time process algebra based on CCS (described earlier) that provides several operators to handle timing properties. These operators can be used to bound the execution time of a sequence of actions, to delay the sequence’s execution by a number of time units, and to timeout while waiting for specific actions to occur. The exception operator can be inserted into any place within a process and allows an exception to be raised, immediately handled by an external exception-handling process, just like in an exception-handling mechanism of a real computer process. The interrupt operator allows the specification of responses or reactions to asynchronous actions or events. The ACSR computation model views a real-time system as a collection of communicating processes competing for shared resources. Every execution step is either an action or an event.

Action: An action is set of consumptions of resources {r1, . . . , rn } at corresponding non-negative priority levels p1, . . . , pn for one time unit. A resource consumption is denoted by a pair (ri , pi ).

The execution of an action is constrained by the availability of the the specified resources and the priorities of competing actions. For example, the action {(cpu1, 2)} means the use of the resource cpu1 at priority level 2 for one time unit, and the action {(cpu1, 2), (disk2, 1)} means the use of the resource cpu1 at priority level 2 and the use of the resource disk2 at priority level 1 for one time unit. The action indicates idling for one time unit, that is, the non-consumption of any resource for one time unit.

An event serves as a synchronization or communication mechanism between processes, or as an observation or monitoring step by an entity external to the specified system.

Event: Each event ei has a corresponding priority pi and is denoted by a pair

(ei , pi ).

The execution of an event is instantaneous and does not consume any resource. As for actions, priorities are used to determine which event to execute if there is more than one ready event. Unless synchronization constraints exist between matching events in two processes, they execute their events asynchronously.

Timed Behavior: A timed behavior is a possibly infinite sequence of execution steps. More precisely, this behavior is a sequence of actions in which a sequence of zero or more events may appear between any two consecutive actions.

9.4.1 Syntax of ACSR

We next describe in detail the syntax and semantics of the different types of ACSR processes. NIL is a process that performs no action and is always deadlocked. This is the same as CCS’s inaction operator NIL, which produces no atomic actions. The action prefix operator “:” in A : P indicates that the resource-consuming action A executes at the first time unit, and then process P runs. The event prefix operator “.” in (a, n).P indicates that the event (a, n) executes (occurs) instantly with no time passage, and then process P runs. In CCS, “.” is the action operator used to express axioms.

The choice operator “+” in P + Q is basically an “or,” signifying a choice is available between processes P and Q. The effect is that this composed process may behave like either P or Q. In CCS, “+” is the summation operator, so A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions. The parallel operator “ ” in P Q indicates that processes P and Q can execute in parallel. This is similar to CCS’s composition operator “|”.

The close operator “[ ]” in [P]I creates a process that only uses resources in the set I . The restriction operator “\” in P\F indicates that while process P is executing, events with labels in F cannot execute. This is similar to CCS’s restriction operator “\” as in A\b, which indicates that B is restricted so that there are no b or b actions. The hiding operator “\\” in P\\H hides the identity of the resources in the set H from process P. The notation recX.P signifies process P is recursive so that the described behavior of P is infinite.

The following operator allows ACSR to specify absolute timing properties. The notation P αt (Q, R, S) indicates that a temporal scope binds the process P and is called the scope construct. t is a non-negative integer time bound. If P ends successfully before t by executing the event α, control is transferred to Q, called the success-handler. Otherwise, if P does not end successfully before t, control is transferred to R, called the timeout exception-handler. S may interrupt P before t time units and break the binding of P to this temporal scope, that is, cause P to exit this temporal scope.

instead of its longer and more complex process expression P. As usual, subscripts are used to indicate indexed processes and events as in P2 and (e1, k).P. The notation Pn means that P executes or occurs n times, that is, P : P : . . . : P, in which there are n Ps. This is similar to the notation used in regular expressions described in chapter 2.

Note that operators such as “.” have implicit timing specifications. Many notations (operators) borrow from logic operators.

9.4.2 Semantics of ACSR: Operational Rules

A labeled transition system (represented by a state space graph) is used to describe and define the executions of a process. The labeled transition system of a process is a labeled directed graph G = (V, E). V is a set of states of a process. E is a

244 PROCESS ALGEBRA

set of edges, each of which denotes an execution step or action ei such that an edge (Pi , Pj ) connects state Pi to state Pj iff there is a step ei that is enabled at state Pi , and executing ei will modify the state of the process to have the same values as the tuple at state Pj . An invocation of a process can be thought of as tracing a path in the labeled transition system.

The states are described by a concrete syntax (a process) in process algebra. We use a finite set of transition rules to infer the execution steps of the behavior of a process. Two transition systems are available for defining the semantics of ACSR: unconstrained and prioritized.

e

Unconstrained Transition System: In the unconstrained transition system, P−→P denotes a transition, and no indication is given of a priority for pruning impossible execution steps.

e

Prioritized Transition System: In the prioritized transition system, P−→π P denotes a transition, and priority information is used to ignore impossible execution steps.

Operational rules are used to define the semantics of the ACSR operators. An operational rule defines an execution step corresponding to a transition in the labeled transition system. It describes a particular behavior of a process. Two ACSR axioms exist for action prefix and event prefix. These are similar to CCS’s prefix operator.

Axiom

The following axiom is for action prefix:

ActT

−

A

A : P−→P

def

Example. Consider the process C1, j = : C1, j +{(cpu1, 1)} : C1, j+1 +{(cpu2, 1)} : C1, j+1, 0 ≤ j < c1. The last branch {(cpu2, 1)} : C1, j+1, 0 ≤ j < c1 means that this process can use the resource cpu2 at priority level 1 for one time unit and go to process C1, j+1.

Axiom

The following axiom is for event prefix:

ActI

−

(a,n)

A : (a, n).P−→P

def

Example. The process T1 =(s1, 1).C1,0 can execute event (s1, 1) and go to process C1,0.

The choice rules allow the selection of one option between two possible choices and are the same for actions and events. The choice operator is the same as CCS’s summation operator Sum.

Choice

ChoiceL

e

P−→P

e

P + Q−→P

ChoiceR

e

Q−→Q

e

P + Q−→Q

def

Example. The process C1, j = : C1, j + {(cpu1, 1)} : C1, j+1 + {(cpu2, 1)} : C1, j+1, 0 ≤ j < c1 may choose one of three execution steps: idling for one time unit, using resource cpu1, or using resource cpu2.

The parallel operator Par is used to specify communication and concurrency. In CCS, the parallel operator Par is called the composition operator Com. The ParT rule applies to two synchronous time-consuming transitions. The ParIL, ParIR, and ParCom rules apply to event transitions, which may be asynchronous.

Parallel Composition

ParT

with (s(A1) ∩ s(A2) = ), where s(A1) and s(A2) are the sets of resources used by actions A1 and A2, respectively. This constraint indicates that only one process may use a specific resource during a time step.

ParIL

(a,n)

P−→P

(a,n)

P Q−→P Q

ParIR

(a,n)

Q−→Q

(a,n)

P Q−→P Q

246 PROCESS ALGEBRA

ParCom

(a,n) (a,m)

P−→P , Q −→Q

(ρ,n+m)

P Q −→ P Q

Example. The following shows the parallel composition of five processes:

def

Radar =[(Scheduler T1 T2 T3 T4) \ {s1, s2, s3, s4}]{cpu1,cpu2}.

The scope operator is used to specify behaviors induced by a temporal scope. The ScopeCT and ScopeCI rules mean that while t > 0 and P does not execute an event b, P’s executions continue. The “end” ScopeE rule means that P can exit the temporal scope by executing an event b. This label b becomes the identity label ρ on exit. The timeout ScopeT rule means that when t = 0, indicating timeout from the scope, control is transferred to the timeout exception-handler R. The ScopeI rule means that while the scope is active, process S may kill (interrupt) process P.

Scope

ScopeCT

A

P−→P

A

P bt (Q, R, S)−→P bt−1(Q, R, S)

where t > 0. ScopeCI

(a,n)

P−→P

(a,n)

P bt (Q, R, S)−→P bt (Q, R, S)

where a = b, t > 0). ScopeE

(b,n)

P−→P

(ρ,n)

P bt (Q, R, S)−→Q

where t > 0. ScopeT

e

R−→R

e

P bt (Q, R, S)−→R

where t = 0.

ScopeI

e

S−→S

e

P bt (Q, R, S)−→S

where t > 0.

The restriction operator Res is used to specify a subset of events, indicated by labels, that are not allowed in the behavior of the system. Actions are not affected. Therefore, we can allow only those execution steps not involving these excluded events as specified by the given labels. This operator is the same as CCS’s restriction operator.

Restriction

ResT

A

P−→P

A

P\F−→P \F

ResI

(a,n)

P−→P

(a,n)

P\F−→P \F

where a, a F.

Example. The following process illustrates the restriction operator:

def

Radar =[(Scheduler T1 T2 T3 T4) \ {s1, s2, s3, s4}]{cpu1,cpu2}.

The set of events {s1, s2, s3, s4} are excluded from the behavior of the above five parallel processes.

The hiding operator Hide is used to hide information about resource usage from the external environment. Events are not affected.

Hiding

HideT

A

P−→P

A

P\\H −→P \\H

where A = {(r, n) A|r H }. HideI

(a,n)

P−→P

(a,n)

P\H −→P \H