
Formal Aspects of Computing (1995) 7:18-36 © 1995 BCS

Progress Assumption in Concurrent Systems

J. F. Costa and A. Sernadas

INESC, Lisboa Codex, Portugal

Keywords: Concurrency; Inequational proof systems; Process algebras; Liveness; Quiescence; Transactions

Abstract. A denotational semantics and a sound and complete inequational proof system for processes with varying degrees of liveness are presented. New insights on quiescence are given concerning the Jonsson characterisation of input/output systems. A theory of transactional behaviour of the type "carry out until the end" is developed as an application of this concept of process with liveness requirements. The proposed model fully reflects the parallel composition of transactional requirements, giving the expected composite requirements.

1. Introduction

Most modern approaches to software development adopt a process view of modularity in the sense that the system to be developed is to be set up by combining (via parallel composition) several component processes - see for instance [SFS89, MAP92]. Indeed, the ever popular object-oriented approaches adopt the essential notion of a community of interacting objects where each object is basically a process (its behaviour) endowed with state-dependent attributes [ESS90, EhS90]. Therefore, the horizontal composition of system components is reduced basically to the well understood notion of parallel composition of processes. In short, the theory of concurrent processes is highly relevant to software development.

However, there are some limitations of the core theory of processes when applied to the practical understanding of concurrent systems in general. Clearly, it is mandatory to enrich the notion of process with state-dependent attributes, towards the notion of object (see for instance [ESS90]). But disregarding that issue, there are other important extensions to consider. Herein, we concentrate on liveness requirements. Liveness requirements appear in two seemingly unconnected contexts [SEC90, ESS90]: (1) for distinguishing between active and passive objects and (2) for implementing objects over other objects.

Correspondence and offprint requests to: J. F. Costa, INESC, Apartado 10105, 1017 Lisboa Codex, Portugal.

It is useful in practice to distinguish between active objects, which will require CPU time, and passive objects, usually in some storage media, that evolve only when manipulated by other (active) objects. Clearly, active objects comply with liveness requirements, such as "reach the end of the program". On the other hand, passive objects have no liveness requirements. As an illustration consider a STACK as a passive object and an application program whose execution is an active object that in turn prints each element of the stack and then pops it until the STACK is empty.

With respect to implementing objects over objects, it is well known that a single event of the original object may correspond to a complex action in the implementation. However, the latter must retain the atomicity properties of the former. Therefore it is called a transaction [EhS90]. Curiously, processes with transactions can be explained as processes with a special kind of liveness requirements. Indeed, the transaction also complies with a requirement of the type "reach the end". Consider the problem of implementing a (passive) STACK over the parallel composition of a (passive) ARRAY and a (passive) POINTER. For instance, an event push of STACK will correspond to a transaction involving updating the ARRAY and the POINTER, say first the ARRAY and then the POINTER. Once started we want the push to go to the end (atomicity of the implementation of an event). We will only work with linear transactions which, w.r.t. the classical transaction model [Gra80, Kan80], correspond to a linear-order precedence relation.

Clearly, for such implementation purposes it is sufficient to work with finite liveness requirements reflecting the finiteness of transactions (finite number of steps). But in general we may want to impose infinite liveness requirements: consider the example of a nonstopping clock. However, herein we only consider a model of processes with finite liveness requirements and we apply it to the study of processes with transactions such as those arising in implementations. At each stage we provide a denotational model and a sound and complete inequational proof system.

In Section 2 we illustrate in detail the notion of process with finite liveness requirements, as well as the notion of process with transactions, taking the opportunity to make a short survey of related work by others. In Section 3 we present the model for processes with finite liveness requirements. Special attention is dedicated to the parallel composition operation in order to explain the liveness of a composite process. In Section 4 we deal with transactions via their liveness requirements (that we call transactional requirements). Since liveness can be used to represent transactions, we expect to be able to derive the properties of processes with transactions by looking at them as processes with liveness requirements. The proof system for processes with liveness requirements turns out to be complete also for the calculus of communicating processes with transactions.

2. Motivation and Survey

Several convenient, sophisticated mathematical models for processes have been proposed, such as those reported in [BHR84, Hoa85, Hen88, Old91], taking some or all of the basic three approaches: axiomatisation, denotational semantics and operational semantics. Many relevant issues, like nondeterminism and limitations of the interleaving models, have been clarified and are by now well understood. As a whole, the basic notion of process is mathematically well founded. This nice state of affairs is reflected in, e.g. Hennessy's and Olderog's textbooks [Hen88, Old91].

In the reports just mentioned a variety of behavioural equivalences for processes were studied. As nicely stated in [NEL89], these equivalences are operationally defined in terms of different views of the branching structure of the labelled transition systems associated with process terms over a given signature. Typically they disagree on the axiom of choice e.(p + q) = e.p + e.q because of the obvious difference w.r.t. branching structure. The equivalences can also distinguish between concurrency and purely nondeterministic processes. Typically they disagree on the axiom a.p || b.q = a.(p || b.q) + b.(a.p || q) because of the obvious difference w.r.t. full concurrency and interleaving paradigms. In this paper we will work with the simplest model for processes, accepting the two last equational axioms. Therefore we accept as a basis the view of a process as a set of traces (a deterministic¹ sequential view). The reader may wonder what aspects are yet to be brought to light within the context of such a simple model, when most effort is nowadays dedicated to more sophisticated models supporting nondeterminism and/or full concurrency.

Actually, it is possible to include more information in a set of traces in order to model liveness requirements by dropping the prefix-closure condition. Indeed, the envisaged model of deterministic processes with liveness is obtained in that way from the traditional trace model (the PS model in [Hen88], based on prefix-closed sets).

The paper takes as starting point two well-known notions from concurrency theory: the notion of capability of action (a.p is a process which has the capability of performing a and becoming p) and the trace process model (a process is semantically determined by the set of its traces, i.e., sequences of actions). In the traditional approach, the set of the traces of a process is prefix-closed, i.e., if a process has a trace, say ab, then it also has the trace a, with the intuitive meaning that after a, action b may also never be performed. Within the paper a distinction is introduced between two different kinds of capabilities, i.e. active capability: !a.x is a process which will eventually perform a; and passive capability: a.x is a process which can perform a, but can also wait forever. The semantics of a process is now given by the set of its quiescent traces, which is not necessarily prefix-closed; if a process has the trace ab, but not the trace a, then that means that action b must eventually be performed after a.

Let us consider, for the purpose of clarifying ideas, a VENDING-MACHINE. It is a process (cf. [Hoa85]) denoted by the process term

VENDING-MACHINE = μX{coin, choc} . coin . !choc . X{coin, choc}

The standard trace semantics of such a process term (ignoring for the moment the bang heading the choc event) is the pair <E, A> with E = {coin, choc} and A denoted by the regular expression (coin choc)*(coin + ε). This set of traces provides no information about the process liveness (indicated by the !) before the choc event, namely, that it is intended that a chocolate must be delivered by the machine whenever a coin is received (progress assumption). Thus, liveness is not captured by the classical semantics of prefix-closed sets of traces.

¹ Herein we use the classification found in [Hoa85]: "deterministic processes are those that whenever there is more than one event possible, the choice between them is determined externally by the environment of the process; it is determined either in the sense that the environment can actually make the choice, or in the weaker sense that the environment can observe which choice has been made at the very moment of that choice".

The idea of quiescence, due to Chandy and Misra [MiC81, MCS82, Mis84] and also developed by Jonsson [Jon85] in the context of a logic to reason about specifications, and by Sernadas, Ehrich and Costa [Cos89, SEC90] within an algebraic framework, provides a solution for the problem of representing state-dependent liveness in a process. We say that a process (or a community of processes) is in a quiescent state iff it can possibly wait forever unless the environment triggers a communication. Returning to our example, the quiescent traces of the VENDING-MACHINE are those that contain an equal number of coin and choc events, i.e. the set of traces is given by the regular expression (coin choc)*.

A process or a process community is represented by the set of its quiescent traces. A trace of the community is quiescent iff it can be projected onto a quiescent trace of each of its components (see [Jon85]), because the whole community is in a quiescent state iff all its components are in a quiescent state. The classical safety requirements (that prescribe, in every state of a given process, its enabled events) can always be retrieved from the prefix-closure of the set of its quiescent traces. Liveness states correspond to the nonquiescent traces.

According to the model just described, which we denote by QS (from quiescent set), given a finite set of events (the alphabet) E, any pair <E, A>, where A is a set of traces over E, is a process. For instance, the pair <{coin, choc}, (coin choc)*> is a QS-process, but not a PS-process, since it is not prefix-closed. Clearly, every PS-process is also a QS-process. Such a process is considered to be without liveness, or passive, since it is always quiescent. Those QS-processes that are not PS-processes display some liveness. Indeed, we say that the process <{coin, choc}, (coin choc)*> above is active in the sense that, for instance, after coin it is eager to make choc happen. Given the set of traces A of any QS-process we can compute the traces of the corresponding passive process: it is the smallest prefix-closed set of traces containing A.

Two processes with the same prefix-closure are comparable w.r.t. liveness: the smaller the number of quiescent traces, the greater the liveness. Thus, every process has at least the liveness of its prefix-closure. This comparison should lead to a partial ordering among processes.

In order to generate the envisaged process domain, it is necessary to enrich the traditional language of deterministic processes by distinguishing two forms of prefixing: spontaneous or active (!) and nonspontaneous or passive. Informally, if p is a process term and e is an event, both e.p and !e.p are process terms. Naturally, we want to impose

traces(e.p) = {ε} ∪ {es : s ∈ traces(p)}

traces(!e.p) = {es : s ∈ traces(p)}

Thus, the process <{coin, choc}, (coin choc)*> above is denoted, for example, by the process term

ACTIVE-MACHINE = μX{coin, choc} . coin . !choc . X{coin, choc}

and its "prefix-closure" is denoted by

PASSIVE-MACHINE = μX{coin, choc} . coin . choc . X{coin, choc}

One may wonder whether such a simple extension to the basic language of PS will be sufficient to deal with all sorts of liveness requirements. We shall see that it is indeed the case: every set of traces is denoted by some term written with these two forms of prefixing.

Spontaneous or active prefixing together with its axiomatisation is related to the strong prefixing introduced in [GoM90b, GoM90c]. This operator is introduced in [GoM90c] for extending CCS with atomic actions. The prefix operation a.q is accompanied by an underlined action _a.q. The meaning of p = _a.q is that p can execute action a only as the beginning of an atomic sequence which ends with a nonunderlined action. By adding strong prefixes to CCS we get a new language that can be used as an implementation language for standard CCS with refinement.²

The simple model of processes with (finite) liveness requirements (or equipped with a strong prefixing operator) is also effective to explain processes with transactions³ (such as those arising from implementing a process over other processes: each event of the original process will correspond in general to a sequence of events in the implementation, with the atomicity provision that this sequence either runs to the end or does not happen at all). Such an atomic sequence is called a transaction (actually it is a very special case of transaction - see [CGM88]).

For illustration consider a machine that repeatedly sells cakes:

ABSTRACT-MACHINE = μX{sellcake} . sellcake . X{sellcake}

We may recognise that sellcake is to be implemented by the transaction [coin cake]. Therefore, we would write:

IMPLEMENTATION-MACHINE = μX{coin, cake} . [coin cake] . X{coin, cake}

The problem now is to provide an adequate semantics (and proof system) for such transactions. The basic idea is rather simple: we translate the process term with transactions into an equivalent process term with liveness requirements. In the example at hand:

IMPLEMENTATION-MACHINE = μX{coin, cake} . coin . !cake . X{coin, cake}

That is, we replace a transaction by its liveness requirements (using the proposed language of spontaneous and passive prefixing). We call the liveness requirements induced by transactions (carry out until the end) transactional requirements.

Vice versa, a process <E, A> is transaction-free if it is liveness-free, that is, iff A is prefix-closed. Indeed, let <αT(E), R(A)> denote the folding of <E, A>, where αT(E) = {[e] : e ∈ E⁺} is the alphabet of transactions over E and R(A) is obtained by folding the transactions of <E, A> into events. The atomiser for transactions in αT(E) is a weaker version of the atomiser found in [Bou89]. The folded process involves a change of granularity: each event may be seen as a complex action.

With these ideas in mind, we easily find that for every nonempty set of quiescent traces A over E, containing the empty sequence ε, we can define a transactional menu:

trM(A) = {e ∈ A : e ≠ ε and, for every prefix f of e, f ∈ A implies f is ε or f is e}

Hence, A can be folded by the folding map R : 𝒫(E*) → 𝒫(αT(E)*), recursively defined as follows:

R(A) = {ε} ∪ ⋃_{e ∈ trM(A)} {[e]s : s ∈ R({r : er ∈ A})}

The process that results from the folding of a given process displays the following property: the set of its traces is prefix-closed, independently of the liveness of the original process.

² A paper by Roberto Gorrieri and Ugo Montanari [GoM92] addresses the problem of relating system descriptions at different levels of abstraction, following also the interleaving approach.

³ In [GoM90a, GoM90b] strong prefixing is not used to explain transactional behaviour.
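The transactional menu trM(A) and the folding map R(A) defined above, computed over finite trace sets, as an added example that is not part of the paper. Traces are tuples of event names, a transaction [e] is the tuple e itself, and the two sample trace sets (a two-unfolding approximation of IMPLEMENTATION-MACHINE, and a prefix-closed passive set) are constructed here for illustration; the function names are this example's own.

```python
# Transactional menu trM(A) and folding map R(A) over a finite set of quiescent
# traces, following the definitions in the text. Added example, not the
# authors' code; the sample trace sets below are constructed for illustration.

EMPTY = ()  # the empty trace ε; traces are tuples of event names


def proper_prefixes(trace):
    """All proper prefixes of a trace, from ε up to (but excluding) the trace."""
    return [trace[:i] for i in range(len(trace))]


def tr_menu(A):
    """trM(A): the nonempty traces of A whose only proper prefix lying in A is ε.
    These are the first transactions a process with quiescent traces A can run."""
    A = set(A)
    return {e for e in A
            if e != EMPTY
            and all(f == EMPTY for f in proper_prefixes(e) if f in A)}


def residual(A, e):
    """{r : e r ∈ A}: the quiescent traces left after the transaction e ran."""
    n = len(e)
    return {t[n:] for t in A if t[:n] == e}


def fold(A):
    """R(A) = {ε} ∪ ⋃_{e ∈ trM(A)} {[e] s : s ∈ R({r : e r ∈ A})}.
    A folded trace is a tuple of transactions; a transaction [e] is the tuple e.
    Terminates on finite A because each residual is strictly shorter."""
    A = set(A)
    folded = {EMPTY}
    for e in tr_menu(A):
        for s in fold(residual(A, e)):
            folded.add((e,) + s)
    return folded


def is_prefix_closed(traces):
    """True iff every prefix of every trace is itself in the set."""
    traces = set(traces)
    return all(t[:i] in traces for t in traces for i in range(len(t)))


def singleton_transactions(folded):
    """True iff every transaction in the folded set is a single event, which is
    what folding yields for a liveness-free (prefix-closed) trace set."""
    return all(len(tx) == 1 for t in folded for tx in t)


# Constructed sample: two unfoldings of IMPLEMENTATION-MACHINE seen as
# μX . coin . !cake . X, i.e. the quiescent traces ε, coin cake, coin cake coin cake.
IMPL_MACHINE = {EMPTY, ("coin", "cake"), ("coin", "cake", "coin", "cake")}
# Constructed sample: a prefix-closed (passive, transaction-free) trace set.
PASSIVE = {EMPTY, ("a",), ("a", "b")}

if __name__ == "__main__":
    print("trM:", tr_menu(IMPL_MACHINE))
    print("R(IMPL):", fold(IMPL_MACHINE), is_prefix_closed(fold(IMPL_MACHINE)))
    print("R(PASSIVE):", fold(PASSIVE), singleton_transactions(fold(PASSIVE)))
```

Running it shows the two facts the text states: the folded set of the active machine is prefix-closed although the original was not, and folding a prefix-closed set yields only singleton transactions, i.e. a liveness-free process is transaction-free.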

Generally, a transaction (see [BHG87, CGM88, GiD85, Gra80]) is seen as the execution of a program containing primitive operations bracketed by markers beginning and ending the transaction. A transaction can finish normally or abnormally. In the first case we say that it is committed. In the second case we say that it is aborted. Until a transaction is committed it can be aborted. Moreover, a transaction has the following properties [cf. CGM88 for details]:

1. Consistency, which means that each transaction leads a process from one consistent state to another, although the process does not have to be in a consistent state during execution of the transaction.

2. Atomicity, which means that all or none of its constituent actions must be performed. In other words, if a transaction has to abort then all the changes it has already caused have to be restored by some roll-back mechanism.

3. Durability, which means that when a transaction is committed the changes made by it will never be lost even when the system crashes.

We do not enforce that transactions are independent of each other, i.e., that they do not communicate. Within our framework transactions can be put together and synchronised at appropriate events (a similar idea is developed in [GoM90b]: "synchronization of transactions are transactions"). But a different option can be found in [Bou89] where it is pointed out that "synchronization can be achieved by means of atomic actions, without any primitive notion of communication other than the manipulation of shared variables". However, as in [Bou89], we agree that the correct interpretation of an action by a whole process involves a change of granularity, namely by executing the process transactionally.

In our denotational approach, besides atomicity we can only capture the consistent states. Thus, the envisaged proof system for dealing with transactional behaviour must be robust enough to reduce aborted transactions in inconsistent states to the previous consistent state: this is the roll-back procedure. Let us clarify ideas a bit further, by considering a foolish customer of the IMPLEMENTATION-MACHINE who, after inserting a coin, wants a coffee instead of a cake:

CUSTOMER = μX{coin, coffee} . [coin coffee] . X{coin, coffee}

If we put IMPLEMENTATION-MACHINE and CUSTOMER in parallel then, as the machine cannot deliver the coffee after the coin, the composite process reaches an inconsistent state that must be rolled back (namely, by returning the coin) to the last consistent state, i.e.,

μx . [coin coffee] . x || μx . [coin cake] . x = stop

even knowing that the two components do not deadlock in the first engagement. This is the way we model consistency and atomicity. A process in an inconsistent state will be denoted by the process term abort. Therefore a.abort is stop, since the last consistent state before the inconsistency reached by a is stop. Furthermore, a.b.abort is a.stop, and a.!b.abort is a.abort, that is, stop. Compare this with the fact that stop denotes a process in (consistent) deadlock.

3. Progress Assumption - the QS Model

This section is dedicated to QS-processes, presenting the envisaged process language, denotational domain semantics and inequational inference system. The corresponding operational semantics is left out because it is too lengthy to include here. However, the operational semantics and a full abstraction result (of the denotational semantics w.r.t. the testing preorder) may be found in [Cos89]. We closely follow the algebraic characterisation style adopted in [Hen88] and [Old91] for deterministic processes. Although we use the proof techniques developed in [Hen88], we adopt the CSP style of presentation found in [Old91]. Of course, the axiomatic proof system and denotational semantics of deterministic processes are rather different from those presented in [Hen88] or [Hoa85].

Given a countable alphabet ℰ of events, we introduce the signature Σ_QS = Σ_QS0 ∪ Σ_QS1 ∪ Σ_QS2 where Σ_QS0 = {stop_U, abort_U : U ∈ 𝒫_f(ℰ)},⁴ Σ_QS1 = {e. : e ∈ ℰ} ∪ {!e. : e ∈ ℰ} (prefixing), and Σ_QS2 = {+, ||} (choice, parallel composition). Each Σ_QSj, for j = 0...2, is the set of the j-ary operation symbols. As usual, we write e.p and !e.p instead of e.(p) and !e.(p), respectively. Moreover, we assume that prefixing has priority over choice. Let Σ_QS† denote Σ_QS \ {||}.

Let X be a countable set (of variables) partitioned into sets X_U of variables with alphabet U. We let x_U, y_U and z_U range over X_U and x, y and z range over X. The set of recursive terms over Σ_QS, denoted REC_QS(X), is the least set which satisfies:

1. If x ∈ X then x ∈ REC_QS(X).

2. If f ∈ Σ_QS is of arity k and t_1, ..., t_k are in REC_QS(X), then f(t_1, ..., t_k) ∈ REC_QS(X).

3. If x ∈ X and t ∈ REC_QS(X), then μx.t ∈ REC_QS(X).

Let the set of recursive terms over Σ_QS† be denoted by REC_QS†(X). Let p be a term in REC_QS(X). The set of free variables φ(p) of p is defined inductively as follows:

1. φ(x) = {x}

2. φ(stop_U) = φ(abort_U) = ∅

3. φ(e.p) = φ(!e.p) = φ(p)

4. φ(p + q) = φ(p || q) = φ(p) ∪ φ(q)

5. φ(μx.p) = φ(p) \ {x}

A variable x occurs free in p if x is not in the scope of a μx.p. Otherwise x occurs bound. We say that p ∈ REC_QS(X) is closed if φ(p) = ∅.

To every term p we assign an alphabet α(p) defined inductively as follows:

1. α(stop_U) = α(abort_U) = U

2. α(x_U) = U

3. α(e.p) = α(!e.p) = {e} ∪ α(p)

4. α(p + q) = α(p || q) = α(p) ∪ α(q)

5. α(μx.p) = α(x) ∪ α(p)

For p ∈ REC_QS(X) the notion of subterm is defined inductively: p is a subterm of p; if p = e.q or p = !e.q then every subterm of q is a subterm of p; if p = p_1 + p_2 or p = p_1 || p_2 then every subterm of p_1 and every subterm of p_2 is a subterm of p; and if p is μx.q then every subterm of q is a subterm of p.

⁴ In this paper we use the symbol 𝒫 to denote the powerset of a given set. We use 𝒫N when we are only interested in nonempty subsets of a given set. The prefix f is often used in the sense of "finite": 𝒫_f refers to the finite subsets and 𝒫_fN to the nonempty finite subsets of a given set.

A term p is called guarded if in every recursive subterm μx.q of p every free occurrence of x in q occurs within a subterm of the form e.r or !e.r of q. A term p is called passively guarded if in every recursive subterm μx.q of p every free occurrence of x in q occurs within a subterm of the form e.r of q. Passively guarded process terms denote processes that are not always spontaneous: they exhibit periodic nonspontaneous states.

Now we are able to introduce the language of processes with liveness. Some restrictions related to the alphabet of the subterms are in order to simplify the envisaged proof system (cf. [Old91]).

Definition. A process term is a term p in REC_QS(X) which satisfies the following context-sensitive restrictions:

1. p is passively guarded.

2. Every subterm e.q of p satisfies e ∈ α(q).

3. Every subterm !e.q of p satisfies e ∈ α(q).

4. Every subterm q + r of p satisfies α(q) = α(r).

5. Every subterm μx.q of p satisfies α(x) = α(q).

Let Proc(X) denote the set of all process terms, fProc(X) the set of nonrecursive process terms, cProc(X) the set of all closed process terms, and fcProc(X) the set of all finite and closed process terms. Let Proc†(X) denote the subset of Proc(X) of process terms also in REC_QS†(X) (whenever necessary we also use the prefix notation c and f). As a consequence of the last definition, the term μx.x is not a process term. The term μx.!tick.x is not passively guarded, but μx.coin.!choc.x is passively guarded because the variable x occurs in the subterm coin.(!choc.x) of the recursive term μx.coin.!choc.x.

We impose an algebraic complete partial order⁵ denotational semantics for the process terms by choosing a Σ_QS domain A = <|A|, ≤_A, Σ_A>, where |A| is the carrier set (its elements are called A-processes) such that, for every alphabet U ∈ 𝒫_f(ℰ), there is a pair <|A_U|, ≤_A>, with |A_U| ⊆ |A|, which is an algebraic complete partial order under ≤_A, and Σ_A provides for each n-ary symbol f of Σ_QS an n-ary continuous function f_A within |A|. Moreover, we need a set ENV of environments consisting of mappings ρ : X → A that respect alphabets, i.e. such that α(x) = U implies ρ(x) ∈ A_U. Then, the denotation of a term p, in a given environment ρ, is taken to be A[p]ρ, where A[_]ρ is defined as follows:

1. A[x]ρ is ρ(x)

2. A[f(p_1, ..., p_k)]ρ is f_A(A[p_1]ρ, ..., A[p_k]ρ)

3. A[μx.p]ρ is the fixed point of λξ. A[p]([x/ξ]ρ)

where [x/ξ]ρ is the modified environment that agrees with ρ, except for the variable x whose value is ξ.

As expected, w.r.t. such a model A, two process terms p and q are said to be equal iff they denote the same A-process: A[p]ρ = A[q]ρ, for every environment ρ. Moreover, p is said to be more spontaneous than q, w.r.t. A, iff A[p]ρ ≤_A A[q]ρ, for every environment ρ. That is, ≤_A partially orders the A-processes according to their liveness. If, for every environment ρ, A[p]ρ ≤_A A[q]ρ, then we write ⊨_A p ≤ q.

⁵ By a complete partial order (cpo) we mean a partial order A = <|A|, ≤_A> with a least element ⊥_A and such that every directed subset D of elements of A has a least upper bound ⊔_A D. An element a ∈ A is compact or finite if whenever a ≤_A ⊔_A D, D being a directed subset of A, there exists some d ∈ D such that a ≤_A d. A is an algebraic cpo if for every a ∈ A, a = ⊔_A {d ≤ a : d is compact}.

The envisaged QS = <|QS|, ≤_QS, Σ_QS> domain is easily established. Remember now that if S and T are two sets of traces over E and F, respectively, then S || T, the weaving or shuffling of S and T, is the set {s ∈ (E ∪ F)* : s↾E ∈ S and s↾F ∈ T}, where ↾ stands for the familiar projection operation on traces.

|QS| = {<E, A> : E ∈ 𝒫_f(ℰ) and A ⊆ E*}

<E, A> ≤_QS <E', A'> iff E = E' and A ⊆ A'

Σ_QS = {stop_U, abort_U : U ∈ 𝒫_f(ℰ)} ∪ {e._QS, !e._QS : e ∈ ℰ} ∪ {+_QS, ||_QS}

abort_U : → |QS|, abort_U = <U, ∅>

stop_U : → |QS|, stop_U = <U, {ε}>

e._QS : |QS| → |QS|, e.(<U, A>) = <{e} ∪ U, {ε} ∪ {es : s ∈ A}>

!e._QS : |QS| → |QS|, !e.(<U, A>) = <{e} ∪ U, {es : s ∈ A}>

+_QS : |QS| × |QS| → |QS|, +(<U, A>, <U', A'>) = <U ∪ U', A ∪ A'>

||_QS : |QS| × |QS| → |QS|, ||(<U, A>, <U', A'>) = <U ∪ U', A || A'>

Given a process P = <E, A> we refer to E as α(P), the alphabet of P, and we refer to A as A(P), the quiescent traces of P.

Let pc(A) denote the prefix-closure of A over E, i.e. pc(A) = {s ∈ E* : ∃u ∈ E* (su ∈ A)}.

The strict order of liveness is defined as follows:

<E, A> ≤_L <E', A'> iff E = E', pc(A) = pc(A'), and A ⊆ A'

that is, <E, A> ≤_L <E', A'> iff <E, A> ≤_QS <E', A'> and pc(A) = pc(A'). We will show later on how we can handle the liveness ordering within the frame ordering ≤_QS.

It is straightforward to prove that <|QS|, ≤_QS, Σ_QS> is a Σ_QS domain, <|QS|, ≤_QS> being an algebraic cpo. Also straightforward is the proof of the following result.

Proposition. The Σ_QS domain QS is finitary, i.e., every (syntactically) finite term is interpreted in QS as a finite element of QS and every finite element of QS can be denoted by a (syntactically) finite term.

Proof. It can be recognised immediately that every (syntactically) finite term in REC_QS(X) denotes a finite element of QS. Conversely, let us take an arbitrary finite element of QS and find a (syntactically) finite term that denotes it. Let <E, A> ∈ |QS| with A finite. That is, A = {s_1} ∪ ... ∪ {s_k} with k ≥ 0. If k = 0 we may take the process term abort_E. Otherwise, assuming that we can find for every s_i a process term p_i with alphabet E such that QS[p_i] = <E, {s_i}>, we can conclude the proof by exhibiting the process term p_1 + ... + p_k, which denotes <E, A>. So we only have to prove that for every s ∈ E* there exists a term p with alphabet E such that QS[p] = <E, {s}>. Let λ : E* → fcProc(X) be a map inductively defined as follows: (a) λ(ε) = stop_E and (b) λ(as) = !a.λ(s). It is trivial to show by induction on the length of s that QS[λ(s)] = <E, {s}>. □

We now want to give a syntactical characterisation of the QS model through a suitably correct and complete inequational inference system. But first we need to recall a few concepts. As usual, an inequation with variables in x is of the form p ~< q where p and q are terms ofRECQs (X) . Given a set I n ofinequations (said to be the proper axioms), we establish the smallest set ofinequations d c ( I n ) containing I n as well as {p ~ p : peRE CQS ( X ) } (reflexivity), and closed for transitivity, substitution, instantiation, recursion and co-induction (a well known infinitary axiom schema).

Progress Assumption in Concurrent Systems 27

This set is called the derivation-closure of $In$ and contains all the theorems we can derive from $In$. Thus, we write $In \vdash p \leq q$ iff $p \leq q \in dc(In)$. It is worthwhile to recall the substitution, instantiation, recursion and $\omega$-induction rules, respectively:

$$\frac{p_1 \leq p'_1 \quad \cdots \quad p_k \leq p'_k}{f(p_1, \dots, p_k) \leq f(p'_1, \dots, p'_k)} \quad \text{(substitution)}$$

$$\frac{p \leq q}{\rho p \leq \rho q} \quad \text{for every substitution } \rho \quad \text{(instantiation)}$$

$$\frac{}{\mu x.p = p[\mu x.p / x]} \quad \text{(recursion)}$$

$$\frac{\pi \leq q \text{ for every approximation } \pi \text{ of } p}{p \leq q} \quad \text{($\omega$-induction)}$$

Within this inequational inference system it is possible to use equations as abbreviations of the corresponding inequations (in both directions). That is, $p = p'$ is an abbreviation of $p \leq p'$ and $p' \leq p$.

The idea is to identify a set QS of proper axioms such that $\vdash_{QS} p \leq q$ iff $\models_{QS} p \leq q$, for every closed process terms $p$ and $q$. It is not difficult to arrive at the following set (where we assume that $a \neq b$ whenever $a$ and $b$ appear):

Trace Structure
$x_U + x_U = x_U$
$x_U + (y_U + z_U) = (x_U + y_U) + z_U$
$x_U + abort_U = x_U$
$!a.(x_U + y_U) = !a.x_U + !a.y_U$

Lattice Axiom
$abort_U \leq x_U$

Roll-back
$!a.abort_U = abort_{U \cup \{a\}}$

Liveness
$!a.x_U + stop_{U \cup \{a\}} = a.x_U$

Parallelism
$(y_V + z_V) \| x_U = y_V \| x_U + z_V \| x_U$
$x_U \| y_V = y_V \| x_U$
$x_U \| abort_V = abort_{U \cup V}$
$!a.x_U \| stop_{V \setminus \{a\}} = !a.(x_U \| stop_{V \setminus \{a\}})$
$!a.x_U \| stop_{V \cup \{a\}} = abort_{U \cup V \cup \{a\}}$
$!a.x_{U \setminus \{b\}} \| !b.y_{V \setminus \{a\}} = !a.(x_{U \setminus \{b\}} \| !b.y_{V \setminus \{a\}}) + !b.(!a.x_{U \setminus \{b\}} \| y_{V \setminus \{a\}})$
$!a.x_{U \cup \{b\}} \| !b.y_{V \cup \{a\}} = abort_{U \cup V \cup \{a, b\}}$
$!a.x_{U \cup \{b\}} \| !b.y_{V \setminus \{a\}} = !a.(x_{U \cup \{b\}} \| !b.y_{V \setminus \{a\}})$
$!a.x_U \| !a.y_V = !a.(x_U \| y_V)$


Let $QS^\dagger$ denote the subset of QS not containing the parallelism equations, and $rQS$ denote the subset of QS not containing the lattice axiom.

The set $QS^\dagger$ is close to the one given in [Hen88] for processes without the parallel composition operation symbol. Naturally, the corresponding axiom $x + nil = x$ had to be replaced and the liveness axiom schema had to be added.

It is easy to establish that QS is reductive over $QS^\dagger$, i.e., for every $\pi \in fcProc(X)$ there exists a $\chi \in fcProc^\dagger(X)$ such that $\vdash_{QS} \pi = \chi$. For every $p \in cProc(X)$ a head normal form⁶ $q$ can be found such that $\vdash_{QS} p = q$: this result follows from the recursion axiom and the action-guardedness property of process terms. Thus the parallelism equations can be used to transform every term in $cProc(X)$ into a head normal form.

Note that distributivity of nonspontaneous prefixing w.r.t. choice can be derived from the axioms above, the same being the case for the roll-back termination theorem and the liveness inequality theorem.

Proposition. $\vdash_{QS} a.abort_U = stop_{U \cup \{a\}}$.

Proof. Using the liveness axiom, we can rewrite the process term $a.abort_U$ as $!a.abort_U + stop_{U \cup \{a\}}$. Rolling back, it yields the term $abort_{U \cup \{a\}} + stop_{U \cup \{a\}}$; thus $\vdash_{QS} a.abort_U = stop_{U \cup \{a\}}$. □

Proposition. $\vdash_{QS} !a.x_U \leq a.x_U$.

Proof. From trace structure it follows that $\vdash_{QS} abort_{U \cup \{a\}} \leq a.x_U$. Thus it is easy to establish that $\vdash_{QS} abort_{U \cup \{a\}} + !a.x_U \leq a.x_U + !a.x_U$. This theorem can then be rewritten as the proposition states, using the liveness axiom and trace structure. □

As an example we present the complete expansion of $a.!b.!c.stop_E \| a.d.e.stop_F$ with $E = \{a, b, c\}$ and $F = \{a, d, e\}$. We have that the expansion is given by:

$a.!b.!c.d.e.stop_{E \cup F}$ ($d$ and $e$ remaining nonspontaneous)
$+\; a.!b.!d.!c.!e.stop_{E \cup F}$ (activation of $d$ and $e$)
$+\; a.!b.!d.!e.!c.stop_{E \cup F}$ (activation of $d$ and $e$)
$+\; a.!d.!e.!b.!c.stop_{E \cup F}$ (activation of $d$ and $e$)
$+\; a.!d.!b.!c.e.stop_{E \cup F}$ (activation of $d$; $e$ remaining nonspontaneous)
$+\; a.!d.!b.!e.!c.stop_{E \cup F}$ (activation of $d$ and $e$)

Please note that some events of the second component $a.d.e.stop_F$ have been activated in some subterms of the expansion, like $d$ and $e$ in $a.!d.!b.!c.stop_{E \cup F}$.

This means tha t in the parallel composition we cannot shuffle a nonspontaneous event of one component between contiguous spontaneous events of the other component without activating it.

The correctness of $dc(QS)$ is easily verified.

Proposition. For every $p, q \in Proc(X)$, $\vdash_{QS} p \leq q$ implies $\models_{QS} p \leq q$.

Proof. The proof is given (as in [Hen88]) in three steps: (a) the specific axioms of QS are correct, (b) the inference rules of $dc(QS)$ are correct and (c) every inequational derivation from QS using the inference rules is correct. The proofs of (a) and (c) can be easily adapted from [Hen88] and the correction of each specific axiom is straightforward. We only comment on the distribution of the parallel composition operator through choice. From the semantic point of view those axioms translate into the distribution of weaving or shuffling through union. But this is only true if the trace structures under union (denoting the choice operator) have equal alphabets, as they do in the present case (cf. [Sne85]). □

⁶ A process term having a prefixing or a choice operation as the top operation in the abstract syntax tree.

We now prove completeness of the inference system w.r.t. QS, restricted to $cProc(X)$. We use normal forms in order to prove that:

1. Every process term in $fcProc^\dagger(X)$ is equivalent to abort or has a normal form, i.e., for every $p \in fcProc^\dagger(X)$ there exists a normal form $n(p)$ such that $\vdash_{QS^\dagger} p = n(p)$.

2. For every pair of normal forms $n$ and $m$, $\models_{QS} n \leq m$ implies $\vdash_{QS^\dagger} n \leq m$.

Using these results it follows more or less easily that, for every $p, q \in fcProc(X)$, $\models_{QS} p \leq q$ implies $\vdash_{QS} p \leq q$.

Associativity of choice and parallel composition allows us to omit many brackets from terms without ambiguity. Commutativity and idempotence allow us to introduce some further notational convenience. If $\Pi = \{p_1, \dots, p_k\}$ is a finite set of terms with alphabet $U$, let the process metaterm $+^U_{p \in \Pi}\, p$ denote the process term $p_1 + \dots + p_k$. If $\Pi$ is empty, $+^U_{p \in \Pi}\, p$ simply denotes $abort_U$.

Definition. The set of normal forms of alphabet $U$ is inductively defined as follows: (a) $stop_U$ is a normal form of alphabet $U$, and (b) if $A$ is a subset of $U$ and $\nu_U(e)$ is a normal form of alphabet $U$ for each $e \in A$ then $+^U_{e \in A}\, e.\nu_U(e)$ and $+^U_{e \in A}\, !e.\nu_U(e)$ are normal forms of alphabet $U$.

Let $nProc_U(X)$ denote the set of normal forms of alphabet $U$ and $nProc(X) = \bigcup_U nProc_U(X)$. The following normal form theorem is also proved by induction on the depth of a term.

Proposition. For every term $p$ in $fcProc^\dagger(X)$ either $\vdash_{QS^\dagger} p = abort_{\alpha(p)}$ or there exists a normal form $n(p)$ such that $\vdash_{QS^\dagger} p = n(p)$.

Completeness follows more or less trivially.

Proposition. For every $p, q \in cProc(X)$, $\models_{QS} p \leq q$ implies $\vdash_{QS} p \leq q$.

Proof. As QS is reductive over $QS^\dagger$, adapting from [Hen88] we only need to show that, for every $p, q \in fcProc^\dagger(X)$, $\models_{QS} p \leq q$ implies $\vdash_{QS^\dagger} p \leq q$. So suppose $\models_{QS} p \leq q$. If either $\vdash_{QS} p = abort_{\alpha(p)}$ or $\vdash_{QS} q = abort_{\alpha(q)}$ the result follows from the lattice axiom or by reflexivity. Otherwise, neither $p$ nor $q$ are reducible to abort, and $\vdash_{QS^\dagger} p = n(p)$ and $\vdash_{QS^\dagger} q = n(q)$. Since QS satisfies all the axioms in $QS^\dagger$, $\models_{QS} p = n(p)$ and $\models_{QS} q = n(q)$ and therefore $\models_{QS} n(p) \leq n(q)$. We now prove that $\models_{QS} n(p) \leq n(q)$ implies $\vdash_{QS^\dagger} n(p) \leq n(q)$, from which it follows immediately that $\vdash_{QS^\dagger} p \leq q$. If either $n(p)$ or $n(q)$ is $stop_U$, with $U = \alpha(p) = \alpha(q)$, the result follows by reflexivity or by induction on the structure of a normal form. So we may assume that $n(p)$ and $n(q)$ are, respectively:

1. $+^U_{e \in A}\, e.\nu_U(e)$ and $+^U_{e \in B}\, e.\mu_U(e)$,
2. $+^U_{e \in A}\, !e.\nu_U(e)$ and $+^U_{e \in B}\, !e.\mu_U(e)$, or
3. $+^U_{e \in A}\, !e.\nu_U(e)$ and $+^U_{e \in B}\, e.\mu_U(e)$.

In all these cases it follows that $A \subseteq B$ and $\models_{QS} \nu(e) \leq \mu(e)$ for every $e \in A$. Applying induction to the latter we obtain $\vdash_{QS^\dagger} \nu(e) \leq \mu(e)$. Considering only case (2), the others being similar, it follows that $\vdash_{QS^\dagger} +^U_{e \in A}\, !e.\nu_U(e) \leq +^U_{e \in A}\, !e.\mu_U(e)$. Adding $abort_U$ to both members and applying the instance $\vdash_{QS^\dagger} abort_U \leq +^U_{e \in B \setminus A}\, !e.\mu_U(e)$ of the lattice axiom to the second member we derive $\vdash_{QS^\dagger} n(p) \leq n(q)$. □

Completeness w.r.t. the liveness inequality is a more interesting property of the logic. We state the following without proof (which is straightforward, adapting from the last proposition).

Proposition. For every $p, q \in cProc(X)$, $\models_{QS} p \leq_L q$ implies $\vdash_{rQS} p \leq q$ (recall that $rQS$ denotes the subset of QS not containing the lattice axiom).

We can speed up derivations by joining to the axioms some new derived transformation schemas as, for example, the following.

Proposition. If $a \notin V$, $b \notin U$ then $\vdash_{QS} !a.x_U \| b.y_V = !a.(x_U \| b.y_V) + !b.(!a.x_U \| y_V)$.

Proof. Straightforward. See the proof of the next proposition. □

Proposition. If $a \in V$ and $b \in U$ then $\vdash_{QS} !a.x_U \| b.y_V = abort_{U \cup V}$.

Proof. Using the liveness axiom, we can rewrite the process term $!a.x_U \| b.y_V$ as $!a.x_U \| (!b.y_V + stop_{V \cup \{b\}})$. Distribution then yields the term $!a.x_U \| !b.y_V + !a.x_U \| stop_{V \cup \{b\}}$ and the parallelism axioms can be used in such a way that we can write $\vdash_{QS} !a.x_U \| b.y_V = abort_{U \cup V} + abort_{U \cup V} = abort_{U \cup V}$. □

The equation from this last proposition means that if a process component reaches an ending inconsistent state then the process must abort and return to the last consistent state. In the next section we will see the role of this roll-back mechanism in the calculus.

4. Transactions and Transactional Requirements - the TP Model

Let us now turn our attention to processes with transactions (taken to be finite sequences of events that should be carried out to the end or not at all) as an application of the theory introduced in the previous section. Given a countable alphabet $\mathcal{E}$ of events, we introduce the signature $\Sigma_{TP} = \Sigma_{TP}^0 \cup \Sigma_{TP}^1 \cup \Sigma_{TP}^2$, where $\Sigma_{TP}^0 = \{stop_U : U \in \wp_f(\mathcal{E})\}$, $\Sigma_{TP}^1 = \{[\mathbf{e}]. : \mathbf{e} \in \mathcal{E}^+\}$ (prefixing), and $\Sigma_{TP}^2 = \{+, \|\}$ (choice, parallel composition). Please remember that we will use bold-type symbols from the Latin alphabet to denote nonempty, finite sequences of elements of $\mathcal{E}$. The set of recursive terms over $\Sigma_{TP}$ with variables in $X$ is denoted by $REC_{TP}(X)$.

To every trace $\mathbf{e} \in \mathcal{E}^+$ we assign an alphabet $\alpha(\mathbf{e})$ given by $\{e \in \mathcal{E} : \exists u, v \in \mathcal{E}^* \, (\mathbf{e} = uev)\}$. For each $\mathbf{e} \in \mathcal{E}^+$, $\alpha(\mathbf{e})$ is the set of elements of $\mathbf{e}$. To every term $p$ in $REC_{TP}(X)$ we assign an alphabet $\alpha(p)$ defined inductively as follows:

1. $\alpha(stop_U) = U$,

2. $\alpha(x_U) = U$,

3. $\alpha([\mathbf{e}].p) = \alpha(\mathbf{e}) \cup \alpha(p)$,

4. $\alpha(p + q) = \alpha(p \| q) = \alpha(p) \cup \alpha(q)$,

5. $\alpha(\mu x.p) = \alpha(x) \cup \alpha(p)$.

Subterms are defined mutatis mutandis as previously. A term $p$ is called guarded if in every recursive subterm $\mu x.q$ of $p$ every free occurrence of $x$ in $q$ occurs within a subterm of the form $[\mathbf{e}].r$ of $q$.

Definition. A process term is a term $p$ in $REC_{TP}(X)$ which satisfies the following context-sensitive restrictions: (a) $p$ is guarded, (b) every subterm $[\mathbf{e}].q$ of $p$ satisfies $\alpha(\mathbf{e}) \subseteq \alpha(q)$, (c) every subterm $q + r$ of $p$ satisfies $\alpha(q) = \alpha(r)$, and (d) every subterm $\mu x.q$ of $p$ satisfies $\alpha(x) = \alpha(q)$.

Let $TProc(X)$ denote the set of all process terms, $fTProc(X)$ denote the set of non-recursive process terms and $cTProc(X)$ the set of all closed process terms.

The envisaged $\Sigma_{TP}$ domain $\langle |TP|, \leq_{TP}, \Sigma^{TP}_{TP}\rangle$, where TP stands for transactional processes, is established as follows:

$|TP| = \{\langle E, A\rangle : E \in \wp_f(\mathcal{E}) \text{ and } A \in \wp(E^*)\}$

$\langle E, A\rangle \leq_{TP} \langle E', A'\rangle$ iff $E = E'$ and $A \subseteq A'$

$\Sigma^{TP}_{TP} = \{stop^{TP}_U : U \in \wp_f(\mathcal{E})\} \cup \{[\mathbf{e}].^{TP} : \mathbf{e} \in \mathcal{E}^+\} \cup \{+^{TP}, \|^{TP}\}$

$stop^{TP}_U : |TP|$, with $stop^{TP}_U = \langle U, \{\varepsilon\}\rangle$

$[\mathbf{e}].^{TP} : |TP| \to |TP|$, with $[\mathbf{e}].^{TP}(\langle U, A\rangle) = \langle \alpha(\mathbf{e}) \cup U, \{\varepsilon\} \cup \{\mathbf{e}s : s \in A\}\rangle$

$+^{TP} : |TP| \times |TP| \to |TP|$, with $+^{TP}(\langle U, A\rangle, \langle U', A'\rangle) = \langle U \cup U', A \cup A'\rangle$

$\|^{TP} : |TP| \times |TP| \to |TP|$, with $\|^{TP}(\langle U, A\rangle, \langle U', A'\rangle) = \langle U \cup U', A \| A'\rangle$

The set TP of proper axioms is now the following (where the meaning of $\mathcal{R}$ and $\mathcal{T}$ will be explained later):

Trace Structure
$x_U + x_U = x_U$
$x_U + y_U = y_U + x_U$
$x_U + (y_U + z_U) = (x_U + y_U) + z_U$
$x_U + stop_U = x_U$
$[\mathbf{e}].(x_U + y_U) = [\mathbf{e}].x_U + [\mathbf{e}].y_U$

Lattice Axiom
$stop_U \leq x_U$

Transaction
$[\mathbf{ef}].x_U + [\mathbf{e}].stop_{U \cup \alpha(\mathbf{f})} = [\mathbf{e}].[\mathbf{f}].x_U$

Parallelism
$x_U \| y_V = \mathcal{R}(\mathcal{T}(x_U) \| \mathcal{T}(y_V))$

As a main result, the transaction inequality theorem $\vdash_{TP} [\mathbf{ef}].x_U \leq [\mathbf{e}].[\mathbf{f}].x_U$ can be derived from the axioms above. This theorem says that the process denoted by $[\mathbf{ef}].x_U$ has more transactional requirements than the process denoted by the term $[\mathbf{e}].[\mathbf{f}].x_U$ on the right hand side, namely it contains fewer traces, e.g., trace $\mathbf{e}$ is not a trace of $[\mathbf{ef}].x_U$ but it is a trace of $[\mathbf{e}].[\mathbf{f}].x_U$.

Proposition. $\vdash_{TP} [\mathbf{ef}].x_U \leq [\mathbf{e}].[\mathbf{f}].x_U$.

Proof.
$\vdash_{TP} [\mathbf{ef}].x_U = [\mathbf{ef}].x_U + stop_{U \cup \alpha(\mathbf{e}) \cup \alpha(\mathbf{f})}$
$\leq [\mathbf{ef}].x_U + [\mathbf{e}].[\mathbf{f}].x_U$
$= [\mathbf{ef}].x_U + [\mathbf{e}].([\mathbf{f}].x_U + stop_{U \cup \alpha(\mathbf{f})})$
$= [\mathbf{ef}].x_U + [\mathbf{e}].[\mathbf{f}].x_U + [\mathbf{e}].stop_{U \cup \alpha(\mathbf{f})}$
$= ([\mathbf{ef}].x_U + [\mathbf{e}].stop_{U \cup \alpha(\mathbf{f})}) + [\mathbf{e}].[\mathbf{f}].x_U$
$= [\mathbf{e}].[\mathbf{f}].x_U + [\mathbf{e}].[\mathbf{f}].x_U$
$= [\mathbf{e}].[\mathbf{f}].x_U$ □

A strict order of transactional requirements can be introduced as follows:

$\langle E, A\rangle \leq_T \langle E', A'\rangle$ iff $E = E'$, $pc(A) = pc(A')$, and $A \subseteq A'$

that is, $\langle E, A\rangle \leq_T \langle E', A'\rangle$ iff $\langle E, A\rangle \leq_{TP} \langle E', A'\rangle$ and $pc(A) = pc(A')$. The transactional requirements ordering can also be handled within the frame ordering $\leq_{TS}$.

The rest of this section will be devoted to the implementation of process terms with transactional requirements over a conservative extension of the theory of processes with liveness requirements.

Let $\langle \Sigma_{QS}, QS\rangle$ be the proposed presentation for the inequational theory of processes with liveness requirements, as given in Section 2, and $\langle \Sigma_{TP}, TP\rangle$ be the presentation for the theory above of processes with transactions.

Extending the signature $\Sigma_{QS}$ with the transactional prefixing operation symbols of $\Sigma_{TP}$ and joining to QS the translation equations given below, we provide a conservative extension of $\langle \Sigma_{QS}, QS\rangle$ that we denote by $\langle \Sigma_{QS^+}, QS^+\rangle$. By conservative we mean that we cannot prove any other theorem about liveness (on terms over $\Sigma_{QS}$) which is not already provable in QS.

Translation Equations
$[\mathbf{e}a].x_U = [\mathbf{e}].!a.x_U$
$[a].x_U = a.x_U$

The translation equations above provide an interpretation of process terms with transactional requirements by process terms with liveness requirements.

Moreover, $\langle \Sigma_{TP}, TP\rangle$ turns out to be equivalent to a subpresentation of $\langle \Sigma_{QS^+}, QS^+\rangle$ (i.e., $\Sigma_{TP} \subseteq \Sigma_{QS^+}$ and $dc(TP) \subseteq dc(QS^+)$) where spontaneous and nonspontaneous prefixing operation symbols are hidden operation symbols in the proof system TP. We can also expand the domain QS to a domain $QS^+$, such that $QS^+$ is generated by $\Sigma_{QS^+}$, $QS^+$ is sound and complete w.r.t. it on process terms over $\Sigma_{QS^+}$, and such that TP is a reduct of it.

In what follows $Proc^+(X)$ denotes the set of all process terms over the signature $\Sigma_{QS^+}$.

Let $\mu : \mathcal{E}^* \times TProc(X) \to Proc^+(X)$ be a map that returns, for each pair $\langle s, p\rangle$ in $\mathcal{E}^* \times TProc(X)$, a mixed term in $Proc^+(X)$, defined inductively as follows: (a) for every $p \in TProc(X)$, $\mu(\varepsilon, p) = p$ and (b) for every $e \in \mathcal{E}$, for every $p \in TProc(X)$ and for every $s \in \mathcal{E}^*$, $\mu(es, p) = !e.\mu(s, p)$.

Let $\sigma : \mathcal{E}^* \times TProc(X) \to Proc^+(X)$ be a map that returns, for each pair $\langle s, p\rangle$ in $\mathcal{E}^* \times TProc(X)$, a mixed term in $Proc^+(X)$, defined inductively as follows: (a) for every $p \in TProc(X)$, $\sigma(\varepsilon, p) = p$ and (b) for every $e \in \mathcal{E}$, for every $p \in TProc(X)$ and for every $s \in \mathcal{E}^*$, $\sigma(es, p) = e.\mu(s, p)$.

Then the translated terms can be computed in the inductive way shown in the following.

Translation
$\mathcal{T}(stop_U) = stop_U$
$\mathcal{T}(x_U) = x_U$
$\mathcal{T}([\mathbf{e}].p) = \sigma(\mathbf{e}, \mathcal{T}(p))$
$\mathcal{T}(p + q) = \mathcal{T}(p) + \mathcal{T}(q)$
$\mathcal{T}(\mu x.p) = \mu x.\mathcal{T}(p)$

The calculus of concurrent deterministic processes with transactions is easily achieved following a three-step procedure:

1. A translation from $\langle \Sigma_{TP}, TP\rangle$ to $\langle \Sigma_{QS}, QS\rangle$ (within $\langle \Sigma_{QS^+}, QS^+\rangle$).
2. Equational reduction of the parallel composition operation symbol using $QS^+$.
3. A (symbolic or meta) retranslation to $\langle \Sigma_{TP}, TP\rangle$. The symbolic retranslation is inductively defined only for the relevant terms.

The last rule is a context-sensitive rewriting rule (recall that we have been using bold Latin letters to denote nonempty sequences belonging to the language of linear transactions).

Retranslation
$\mathcal{R}(stop_U) = stop_U$
$\mathcal{R}(x_U) = x_U$
$\mathcal{R}(a.p) = [a].\mathcal{R}(p)$
$\mathcal{R}(p + q) = \mathcal{R}(p) + \mathcal{R}(q)$
$\mathcal{R}(\mu x.p) = \mu x.\mathcal{R}(p)$
$[\mathbf{e}].\mathcal{R}(!a.p) \to [\mathbf{e}a].\mathcal{R}(p)$

The translation and retranslation procedures provide a bridge between two levels of abstraction and granularity: they show us how to relate processes (together with their proof systems) with complex atomic actions (transactions) on top of processes with liveness requirements.

Let us provide some illustrative examples: we expect the process term $[abc].stop_{\{a,b,c\}} \| [a].[e].[f].stop_{\{a,e,f\}}$ to have transactional requirements $aebc$ and $aebfc$ inter alia. Omitting stops, the complete expansion is:

$\vdash_{QS^+} [abc] \| [a].[e].[f] = [abc].[e].[f] + [abec].[f] + [abefc] + [aefbc] + [aebc].[f] + [aebfc]$


As another example, let us see roll-back in action in a deadlock situation after engagement in a transaction starting event:

$\vdash_{QS^+} [ab].stop_{\{a,b,d\}} \| [a].[d].stop_{\{a,b,d\}} = stop_{\{a,b,d\}}$

The complete expansion is carried out as follows:

$\vdash_{QS^+} [ab].stop_{\{a,b,d\}} \| [a].[d].stop_{\{a,b,d\}} = a.!b.stop_{\{a,b,d\}} \| a.d.stop_{\{a,b,d\}} = a.(!b.stop_{\{a,b,d\}} \| d.stop_{\{a,b,d\}}) = a.abort_{\{a,b,d\}} = stop_{\{a,b,d\}}$
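The two expansions above, and the proposition at the end of the previous section that $!a.x_U \| b.y_V$ is $abort_{U \cup V}$ when $a \in V$ and $b \in U$, recomputed in the denotational model as an added example (this is not the paper's code; the function names are ours). It represents a process as the pair $\langle$alphabet, quiescent traces$\rangle$ of the TP and QS domains, obtains $[\mathbf{e}]$ through the translation equations, and assumes that the weave $A \| A'$ is the usual synchronised interleaving, i.e. the traces over $U \cup U'$ whose projections onto $U$ and $U'$ are quiescent traces of the two components.

```python
# Added example, not code from the paper: a process is the pair
# (alphabet, quiescent traces) of the TP/QS domains; traces are tuples of
# event names and the trace set is NOT prefix-closed. Assumption: the weave
# A || A' is the usual one, i.e. the traces over U | U' whose projections
# onto U and U' are quiescent traces of the components (shared events sync).

def stop(alphabet):
    """stop_U: only the empty trace is quiescent."""
    return frozenset(alphabet), frozenset({()})

def abort(alphabet):
    """abort_U: no quiescent trace at all (the rolled-back process)."""
    return frozenset(alphabet), frozenset()

def sprefix(a, p):
    """!a.p (spontaneous): committed to a, so the empty trace is not quiescent."""
    u, traces = p
    return u | {a}, frozenset((a,) + s for s in traces)

def choice(p, q):
    (u, a), (v, b) = p, q
    assert u == v, "choice needs equal alphabets (context restriction (c))"
    return u, a | b

def nprefix(a, p):
    """a.p (nonspontaneous) = !a.p + stop_{U u {a}}, the liveness axiom."""
    return choice(sprefix(a, p), stop(p[0] | {a}))

def tprefix(e, p):
    """[e].p, e a non-empty event sequence, via the translation equations
    [ea].x = [e].!a.x and [a].x = a.x (first event nonspontaneous)."""
    assert set(e) <= p[0], "alpha(e) must be included in alpha(p)"
    q = p
    for a in reversed(e[1:]):
        q = sprefix(a, q)
    return nprefix(e[0], q)

def _weave_pair(s1, s2, u, v):
    """Merges s of s1 and s2 with s|u == s1 and s|v == s2: an event of only
    one alphabet runs alone, a shared event must be taken by both at once."""
    if not s1 and not s2:
        return {()}
    out = set()
    if s1 and s1[0] not in v:
        out |= {(s1[0],) + t for t in _weave_pair(s1[1:], s2, u, v)}
    if s2 and s2[0] not in u:
        out |= {(s2[0],) + t for t in _weave_pair(s1, s2[1:], u, v)}
    if s1 and s2 and s1[0] == s2[0]:
        out |= {(s1[0],) + t for t in _weave_pair(s1[1:], s2[1:], u, v)}
    return out

def parallel(p, q):
    """p || q: alphabets are joined, quiescent traces are woven pairwise."""
    (u, a), (v, b) = p, q
    traces = set()
    for s1 in a:
        for s2 in b:
            traces |= _weave_pair(s1, s2, u, v)
    return u | v, frozenset(traces)

def leq(p, q):
    """<=_TP (and <=_QS): same alphabet and a subset of quiescent traces."""
    return p[0] == q[0] and p[1] <= q[1]

def traces_of(p):
    return sorted("".join(s) for s in p[1])

def transactions_example():
    """[abc].stop_{a,b,c} || [a].[e].[f].stop_{a,e,f}, the first expansion."""
    left = tprefix("abc", stop("abc"))
    right = tprefix("a", tprefix("e", tprefix("f", stop("aef"))))
    return parallel(left, right)

def rollback_example():
    """[ab].stop_{a,b,d} || [a].[d].stop_{a,b,d}: after a both sides are stuck
    (b against d), so only the empty trace stays quiescent: stop_{a,b,d}."""
    left = tprefix("ab", stop("abd"))
    right = tprefix("a", tprefix("d", stop("abd")))
    return parallel(left, right)

def deadlock_is_abort():
    """!a.x_U || b.y_V with a in V, b in U (Section 3 proposition), x = y = stop."""
    return parallel(sprefix("a", stop("ab")), nprefix("b", stop("ab")))
```

`traces_of(transactions_example())` lists exactly the eleven quiescent traces of the six-term expansion above, and `rollback_example()` equals `stop("abd")`.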

We conclude by giving the correctness and completeness result for $dc(TP)$.

Proposition. For every $p, q \in cTProc(X)$, $\vdash_{TP} p \leq q$ iff $\models_{TP} p \leq q$.

Proof. It is mainly a consequence of $QS^+$ being reductive w.r.t. QS. Technically the proof follows the lines of the corresponding proof for QS after choosing a suitable set of normal forms. □

5. Concluding Remarks and Further Work

We have presented a mathematical model for sequential, deterministic processes with liveness requirements. Liveness explains why some processes engage spontaneously in some events but wait passively for the triggering by other processes before engaging in some (nonspontaneous) events. The basic idea was to throw away the traditional prefix-closure assumption in the trace semantics $A$ of a given process: a trace $s$ belongs to $A$ iff in the state after $s$ there is no commitment for the process to perform any further event. Parallel composition of liveness requirements was also explained and reflects the expected result that we cannot shuffle a nonspontaneous event of one process between contiguous spontaneous events of the other process without activating it. A sound and complete inequational proof system was also presented.

As an application of this model we have shown how to look at processes with transactions as processes with liveness requirements. To this end, we have introduced a suitable language of process terms with transactions and a translation procedure from this language into the language of process terms with liveness requirements. In the opposite sense, almost all process terms with liveness requirements can be retranslated to process terms with transactional requirements. Using a translation/retranslation approach, we applied the same techniques used before to compose liveness requirements to the composition of transactional requirements, obtaining a useful theory of composition of processes with transactions.

Some difficulties do arise if we try to capture, within the proposed model, processes with eternal liveness requirements like the CLOCK described by

$$CLOCK = \mu x.!tick.x$$

because there is no trace in $\{tick\}^*$ after which the CLOCK is in a quiescent state. Passively guarded recursive processes can be represented by infinite sets of traces, but those processes that are not passively guarded cannot be captured by infinite sets of traces. The CLOCK must perform a "transaction" that could not be committed; therefore, the set of its quiescent traces is empty. In order to capture infinite commitments we must join some infinite sequences (so that a CLOCK that has the recursive commitment of ticking is the process $\langle \{tick\}, \{tick^\omega\}\rangle$). A better way of dealing with infinite transactional requirements is to consider a process as a triple $\langle E, P, L\rangle$, where $E$ is the alphabet, $P$ a prefix-closed set of traces, and $L$ a subset of $P$ of its nonquiescent traces. Within this model, processes with infinite transactional requirements are limits in the traditional denotational semantics of domains. This will be the subject of further research.

Extension of the process signatures will also be the subject of future work. For example, for any process term $p$ in $Proc(X)$ let $\{a\}p$ be a new process term meaning that $a$ is a liveness requirement of $p$. Extension of the equational theory of processes with liveness will be the starting point in establishing a bridge from temporal logic to the equational logic of processes. Transformation schemas from one logic into the other can be suitably chosen in order to provide a top-down construction from temporal specifications to process terms by applying the principle of transformational programming as advocated in the Munich Project CIP [Bau85, Bau87] and in Olderog's textbook [Old91].

Acknowledgements

The authors are indebted to Hans-Dieter Ehrich and Joseph Goguen for many useful discussions on several aspects of the problems addressed in the paper. They are also grateful to the anonymous referees for their suggestions towards improving the arguments showing the usefulness of the proposed model. This work was partially supported by the Esprit Basic Research Action 3023 (IS-CORE) and by the JNICT Project PMCT/C/TIT/178/90 (FAC3).

References

[Bau85] Bauer, F. L. et al.: The Munich Project CIP, Vol. I: The Wide Spectrum Language CIP-L. Lecture Notes in Computer Science 183, Springer-Verlag, 1985.
[Bau87] Bauer, F. L. et al.: The Munich Project CIP, Vol. II: The Program Transformation System CIP-S. Lecture Notes in Computer Science 292, Springer-Verlag, 1987.
[BHG87] Bernstein, P. A., Hadzilacos, V. and Goodman, N.: Concurrency Control and Recovery in Database Systems. Addison-Wesley, 1987.
[BHR84] Brookes, S., Hoare, C. A. R. and Roscoe, A.: A Theory of Communicating Sequential Processes. Journal of the ACM, 31(7) (1984).
[Bou87] Boudol, G.: Atomic Actions. Bulletin EATCS, 38, 136-144 (1989).
[CAM88] Cellary, W., Gelenbe, E. and Morzy, T.: Concurrency Control in Distributed Database Systems. North-Holland, 1988.
[Cos89] Costa, J. F.: Teoria Algébrica dos Processos Animados. MSc Thesis, available as a technical report, Universidade Técnica de Lisboa, September 1989.
[EhS90] Ehrich, H.-D. and Sernadas, A.: Algebraic Implementation of Objects Over Objects. Lecture Notes in Computer Science 430, Springer-Verlag, 1990.
[ESS90] Ehrich, H.-D., Sernadas, A. and Sernadas, C.: From Data Types to Object Types. Journal of Information Processing and Cybernetics, EIK 26(1,2) (1990).
[GiD85] Gifford, D. K. and Donahue, J. E.: Coordinating Independent Atomic Actions. Proceedings COMPCON 85, 1985.
[GoM92] Gorrieri, R. and Montanari, U.: Towards Hierarchical Description of Systems: a Proof System for Strong Prefixing. To appear in Foundations of Computer Science.
[GoM90a] Gorrieri, R. and Montanari, U.: Towards Hierarchical Specifications of Systems: a Proof System for Strong Prefixing. International Journal of Foundations of Computer Science, 1(3), 277-293 (1990).
[GoM90b] Gorrieri, R. and Montanari, U.: SCONE: a Simple Calculus of Nets. Lecture Notes in Computer Science 458, Springer-Verlag, 1990.
[GoM90c] Gorrieri, R. and Montanari, U.: A2CCS: Atomic Actions for CCS. Theoretical Computer Science, 72, 203-223 (1990).
[Gra90] Gray, J.: A Transaction Model. Lecture Notes in Computer Science 85, Springer-Verlag, 1980.
[Hen88] Hennessy, M.: Algebraic Theory of Processes. MIT Press, 1988.
[Hoa85] Hoare, C. A. R.: Communicating Sequential Processes. Prentice-Hall, 1985.
[JPZ91] Janssen, J., Poel, M. and Zwiers, J.: Action Systems and Action Refinement in Development of Parallel Systems. CONCUR 91, LNCS 527, pp. 298-316, 1991.
[Jon85] Jonsson, B.: A Model and Proof System for Asynchronous Networks. Proceedings of the 4th Annual ACM Symposium on Principles of Distributed Computing, Minaki, Canada, 1985.
[Kan81] Kanellakis, P. C.: The Complexity of Concurrency Control for Distributed Databases. PhD thesis, MIT, 1981.
[MiC81] Misra, J. and Chandy, K.: Proofs of Networks of Processes. IEEE Transactions on Software Engineering, SE-7(4), 417-426 (1981).
[MCS82] Misra, J., Chandy, K. and Smith, T.: Proving Safety and Liveness of Communicating Processes with Examples. Proc. ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, pp. 201-208, 1982.
[Mis84] Misra, J.: Reaso­ning About Networks of Communicating Processes. INRIA Advanced NATO Study Institute on Logics and Models for Verification and Specification of Concurrent Systems, Nice, France, 1984.
[MAP92] Manna, Z. and Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1992.
[NEL89] Nielsen, M., Engberg, U. and Larsen, K.: Fully Abstract Models for a Process Language with Refinement. Lecture Notes in Computer Science 354, 1989.
[Old91] Olderog, E.-R.: Nets, Terms and Formulas. Cambridge Tracts in Theoretical Computer Science 23, Cambridge University Press, 1991.
[SFS89] Sernadas, A., Fiadeiro, J., Sernadas, C. and Ehrich, H.-D.: Basic Building Blocks of Information Systems. In: E. Falkenberg and P. Lindgreen (eds), Information System Concepts: An In-depth Analysis, North-Holland, pp. 225-246, 1989.
[SEC90] Sernadas, A., Ehrich, H.-D. and Costa, J. F.: From Processes to Objects. The INESC Journal of Research and Development, 1(1) (1990).
[Sne85] van de Snepscheut, J.: Trace Theory and VLSI Design. Lecture Notes in Computer Science 200, 1985.

Received June 1991. Accepted in revised form January 1994 by E. Astesiano.