
Process Semantics: Global Axioms, Compositional Rules, and Applications

Van Vicious Nguyen and Rob Strom IBM Thomas J. Watson Research Center

P.O. Box 704 Yorktown Heights, NY 10598, USA

[email protected], [email protected]

Abstract

We present a set of global axioms and compositional rules for describing the semantics of concurrent processes. In our semantic model, a process is defined by a set of partially-ordered traces on ports. The global axioms serve to rule out pathological processes. The compositional rules are used to derive semantics of composite processes from the semantics of their component processes. We prove that the global axioms are preserved by the compositional rules. A sound and complete proof system for our semantics is given. Finally, we apply the semantic model to give a formal definition of a concurrent language with dynamic process creation and dynamic port bindings.

1. Introduction

Since the introduction of concurrency, there has been a need to provide formal tools for specifying and reasoning about concurrent processes. There exist many models and proof systems for concurrent processes. Some are state-machine-based models and proof systems [1, 9], while some are trace based [3, 4, 6, 10, 11, 14]. The state-machine approach describes a process by its internal structure and state transition function, while the trace approach specifies a process solely by its input-output behavior. Trace models are often simpler than state models, because trace models can hide internal information.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

© 1988 ACM 0-89791-277-2/88/0007/0232 $1.50

On the other hand, state models tend to be more expressive. However, none of the work that we know of addresses all of the following issues in a single framework.

• The semantics should be compositional, i.e. semantics of composite processes can be obtained from the semantics of their components by compositional rules.

• It should be possible to model commonly used programming constructs, such as sequential composition, conditional, repetition, parallel execution, and communication over channels, using a small set of compositional rules and a few primitive processes. Other complex rules should be derivable as theorems.

• The semantics should be expressive enough to specify temporal properties such as liveness and fairness.

• The semantics should be able to rule out pathological processes. A process is pathological if it does not correspond even to an idealization of a physical process, e.g. a process whose outputs always equal its future inputs. The property of being non-pathological should be preserved by the compositional rules. This eliminates the need to prove that a composite process is non-pathological when its components are known to be non-pathological.

• The semantics should not be so expressive that different semantics can be assigned to processes that cannot be distinguished on the basis of any external interactions. We follow the principle elucidated in [8] and applied in [2] that processes should be considered different only if they can be differentiated by means of interaction with a test process.

• There should be a formal system, e.g. algebra, Hoare's logic, or temporal logic, for specifying and verifying processes. It must be consistent with the semantics and preferably be relatively complete, i.e. any specification that is valid in the semantics is provable in the formal system.

• Time should be partially ordered, instead of linearly ordered, in the semantics. That is, systems of processes should be viewed as distributed, where some events may not be comparable in time to other events.

In this paper, we present a trace-based semantics that satisfies all these conditions.

Initially, trace models used partially-ordered time [3, 13]. When proof systems for trace models were defined, it was thought difficult to use partially-ordered time. Therefore, later trace models used totally-ordered time [6, 7, 10]. However, partially-ordered time is more realistic for modelling distributed systems. Pratt [14] presents a convincing case for partially-ordered time.

The proof systems cited above use first-order logic and cannot handle liveness properties. To deal with liveness properties, Nguyen et al. [11] introduced the behavior model and used temporal logic in their proof system. However, this work also used totally-ordered time.

None of the works above deals with the problem of ruling out pathological processes from the model. One way to rule out pathological processes from a model is to include a set of global axioms that non-pathological processes satisfy and prove that the axioms are preserved by the compositional rules. All the primitive processes in the model are required to satisfy the global axioms. We use this approach in our work. In [11] a few global axioms are given, but they are not preserved by the compositional rules. There are also pathological processes that their axioms do not rule out. Pratt [14] does not give any global axioms, but he argues for having these axioms to rule out pathological processes and to simplify the language for specifying non-pathological processes. (In Pratt's analogy, a restaurant menu need not state of each dish that it is non-poisonous, because non-poisonousness is part of the axiom defining what food is.) In [9] the problem is not addressed at all. In [6, 11, 14], a distinct compositional rule or operator is given for every programming construct. Further, their models often have to be modified to handle new programming constructs. In contrast, we have only a few compositional rules, which we can use to model various programming constructs by having the appropriate primitive processes. The model does not change at all.

The rest of the paper is organized as follows. Section 2 presents the basic notions, global axioms, and compositional rules of our semantics. Section 3 describes a proof system based on the semantics. Applications of our semantics and proof system are given in section 4. The last section compares our work with some other trace models.

2. Global Axioms and Compositional Rules

2.1 Global Axioms

The elements of our model are processes, ports, events, and temporal precedence. Since a network formed by composing processes is itself a process, we use the terms process and network interchangeably throughout this paper.

Informally, a network is a distributed system in which events occur at particular points called ports. A port is a point in space where one process produces events and another process detects them asynchronously. All events on the same port occur in a total order. However, events on different ports may occur at incomparable times. There are three types of ports: input ports, whose events are received by the network but are produced by the environment of the network, output ports, whose events are produced by the network but not received by it, and internal ports, which result from composition of networks and do not interact with the environment.

We have the following formal definitions.

Domains of Ports

Every port has a domain that is a set of values. □

Events

An event on port k is a pair (v, k), where v is a value in the domain of port k. Events on input ports are called input events (inputs), events on output ports are called output events (outputs), and events on internal ports are called internal events. □

Traces and Temporal Precedence

A trace on sets I, J, and K of input ports, output ports, and internal ports is a (possibly infinite) multiset of events on ports in I ∪ J ∪ K related by a binary relation < and satisfying these properties:

• [T1] Relation < is a partial order, i.e.
  ◦ for any event e in the trace, e ≮ e,
  ◦ for any two events e₁, e₂ in the trace, e₁ < e₂ implies e₂ ≮ e₁, and
  ◦ for any three events e₁, e₂, and e₃, e₁ < e₂ and e₂ < e₃ imply e₁ < e₃.

• [T2] The events on any port are totally ordered under <.

• [T3] No event may have more than a finite number of temporal antecedents.

Note: Condition T3 rules out pathological processes that could produce outputs in "finite time" that depend on infinite inputs.

• [T4] Adding new relations e₂ < e₁ between all pairs of events e₁, e₂ where e₁ is an input, e₂ is an output, and e₁ ≮ e₂ does not create a cycle in the temporal ordering <.

Note: Whenever there is no temporal precedence from input event e₁ to output event e₂ in trace t, it means that e₂ is independent of e₁, i.e. the environment of the process producing t has the choice to produce e₁ as a result of e₂ or to do so independently of e₂. Hence we disallow traces in which it is not possible for the environment to produce input events as results of independent output events.

Condition T4 is violated in the case where there are two input events e₁, e₂ and two output events f₁, f₂ such that e₁ < f₁, e₂ < f₂, e₁ ≮ f₂, and e₂ ≮ f₁. Adding new relations f₁ < e₂ and f₂ < e₁ creates a cycle.

The subset of a trace t obtained by including only the events on ports of a set L, together with the induced partial ordering, is called the restriction of t to L and is denoted by t|L. Similarly, t|P for network P denotes the restriction of trace t to the ports of P. □

Network Descriptions

A network description has the form name(signature). A signature consists of three pairwise-disjoint sets: the input port signature, the output port signature, and the internal port signature. Each port signature is a set of pairs port name: message domain.¹ □

Semantics of Networks

For any two traces t₁ and t₂, t₁ ≤ t₂ (t₁ is a prefix of t₂) denotes the fact that

• the events in t₁ are a sub-multiset of those in t₂,
• for all e₁, e₂ ∈ t₁, e₁ < e₂ in t₁ iff e₁ < e₂ in t₂, and
• for all e₂ ∈ t₁, if e₁ < e₂ in t₂, then e₁ ∈ t₁.

Note that any prefix of a trace is also a trace.

The semantics of a network with network description P(I, J, K), denoted by [P(I, J, K)], is a set of traces on I ∪ J ∪ K such that there exists a multiset M(P) of traces in [P(I, J, K)] and their finite prefixes, and a partial ordering → on M(P), such that the following axioms are satisfied.

• [S1] For any input trace s on I (whose events belong to the right domains), there exists a trace t ∈ [P(I, J, K)] such that t|I = s.

Note: This axiom reflects the intuition that a process has no control of its inputs and that its semantics includes all possible behaviors for all possible inputs. The environment is free to provide arbitrary inputs, although the process may ignore them. There are no "refusals" in our model. For example, a vending machine that rejects a coin is modelled by an input of a coin followed by an output of a rejection.

• [S2] If t ∈ [P(I, J, K)] then there exists a trace t′ ∈ [P(I, J, K)] that contains the same events as t and whose partial ordering is a subset of that of t, such that
  ◦ an input event is preceded only by events on the same port,
  ◦ an output event precedes only events on the same port.

Note: A process cannot force an input event always to occur after an output event, since inputs are never caused by outputs. It may appear at first glance that we lose expressive power by not allowing processes to specify that events on different output ports occur in a particular order. However, it does no good for a process to force events at different output ports to occur in a particular order, since no non-pathological process can detect this.

¹ The internal port signature will be omitted when, as is often the case, it is the empty set. The message domain will be omitted whenever it is not relevant to the example.


Traces like t′ in axiom S2 can be thought of as canonical traces of a process. Note that it would be difficult to express axiom S2 in a totally-ordered trace model.

• [S3] If t ∈ [P(I, J, K)] then any trace t′ that contains the same events as t and whose partial ordering is a superset of that of t is also in [P(I, J, K)].

Note: This axiom is the converse of S2. In our model, a process P defines the temporal ordering between some of its inputs and outputs. The environment of P has the freedom to introduce additional ordering. S3 implies that the environment may choose to make input events occur after any output events that they do not cause. It also says that a process must respond in the same way to independent inputs and to inputs that follow some outputs.

• [S4] t → t′ in M(P) implies t ≤ t′.

Note: Intuitively, the multiset M(P) represents an "implementation" of the process. The finite elements of M(P) represent "finite steps" in the computations of traces in [P(I, J, K)]. The relationship t → t′ in M(P) means that the computation of trace t is extended by that of trace t′.

Note that we are interested only in the existence of the multiset M(P). The multiset itself is not part of a process specification.

• [S5] t ∈ [P(I, J, K)] implies that t ∈ M(P). Conversely, t ∈ M(P) implies that
  ◦ t ∈ [P(I, J, K)], or
  ◦ t is finite and there exists t′ ∈ [P(I, J, K)] such that t → t′ and t|I = t′|I.

Note: The first statement says that every trace of P is trivially a partial trace. The second statement says that all strictly partial traces are finite and if one takes any partial trace and executes future steps without giving additional input, eventually one will obtain (possibly after an infinite number of steps) a total trace.

• [S6] If t ∈ M(P) and t′ is a finite prefix of t, then there exists t″ ∈ M(P) such that t″ and t′ are the same as traces and t″ → t. Further, if t₁, t₂ ∈ M(P) are finite prefixes of t ∈ M(P), t₁ ≤ t₂, t₁ → t and t₂ → t, then t₁ → t₂.

Note: The first statement states that any trace in M(P) is a limit point of a sequence of execution steps whose traces are prefixes of the original trace. The second statement states that the obvious ordering relationship holds among these prefixes.

• [S7] If t ∈ M(P) is finite, then for any finite trace t′ on I ∪ J ∪ K such that t ≤ t′ and t′|J∪K = t|J∪K, there exists t″ ∈ M(P) such that t″ and t′ are the same as traces and t → t″.

Note: This axiom formalizes our intuition about the relationship between temporal order and functional dependency. If an output is caused by some inputs in a finite trace, then adding more inputs to the trace cannot stop the process from producing that output. The axiom rules out pathological "clairvoyant" processes, such as one in which only the nth input must precede the nth output, but the value of the nth output always equals that of the (n + 1)th input. Note that the axiom would have been false if t is not required to be finite. Consider a nondeterministic process ALARM(in, out) that produces an infinite sequence of help on port out if there is no input on port in and produces an arbitrary finite number of help followed by ok if there are some inputs. The infinite trace of ALARM with no input and an infinite sequence of outputs help clearly cannot be extended by any trace of ALARM. However, the axiom requires that any partial trace of ALARM with no input must have some extension with the same outputs and one input.

• [S8] For any sequence s, we let #s denote its length. Any ascending sequence t₁ → t₂ → … in M(P) such that
  ◦ all tₙ's are finite, and
  ◦ there exists a sequence {sₙ} where sₙ ∈ [P(I, J, K)] and tₙ → sₙ for all n, and
  ◦ for any output port or linked port j and any number n, if there is an infinite number of p such that #sₚ|j > #tₙ|j, then there exists m > n such that #tₘ|j > #tₙ|j
  has a lub (least upper bound) in M(P). This lub is ∪ tₙ and is in [P(I, J, K)].

Note: The axiom says that any ascending sequence of steps that makes progress infinitely often on every output port and linked port converges to a limiting total trace. □

Some Examples of Processes

Example 1: Consider a hypothetical process P that counts its inputs. If P receives exactly n events on input port i, it outputs a single event with value n on output port j. If it receives an infinite number of events, it produces no output. Such a process is intuitively pathological, for there is no way a process could know at the time it issues an output that there will be no future input.


We now show that such a process violates our global axioms. Suppose that there exists M(P) that satisfies S1 - S8. Let t be any trace of [P] with finite inputs. By axiom S7, the trace t′ obtained by adding a single additional input to t and leaving the output the same is a trace in M(P).  By axiom S5 some extension of t′ is a trace in [P]. However, such a trace contradicts the specification of P. Hence there cannot be any trace of P with finite inputs. But that contradicts axiom S1. Therefore, P violates our global axioms. □

Example 2: Consider a process FairChoice with input port i and output port j. The input and output domains consist of the values 0 and 1. Process P delivers exactly one output for every input. Each output is either 0 or 1 nondeterministically, except that the process may not infinitely often deliver an output value that does not equal the previous input. That is, in every infinite trace there exists an n such that the nth output equals the nth input. We show that this fairness requirement does not violate our global axioms by constructing a multiset M(FairChoice) that satisfies S1 - S8.

The traces of M(FairChoice) are partitioned into disjoint classes, where there is one class for every positive integer. Every class n, where n is a positive integer, consists of those traces in [FairChoice] whose nth outputs equal their nth inputs and their finite prefixes. In class n, the ordering → is the same as the prefix ordering between traces. There is no ordering under → between traces in different classes. Now it is straightforward to verify that M(FairChoice) satisfies axioms S1 - S8. □

Example 3: Consider a process P similar to that in Example 2, except that the fairness requirement is changed so that the process may not infinitely often deliver an output value that does not equal the next input. In every infinite trace, there is an n such that the nth output equals the (n + 1)th input. In other words, process P has to guess the next input, and it may not make the wrong guess infinitely often. Such a specification is pathological because it either constrains the environment or requires clairvoyance on the part of the process.

We now show that P violates axioms S1 - S8. Suppose that there exists M(P) that satisfies S1 - S8. By axiom S1, there exists a trace t₁ ∈ [P] with one input and one output. By axiom S7, there exists t₂ ∈ M(P) such that t₂ is extended from t₁ by adding one input not equal to the output of t₁, and t₁ → t₂. Axiom S5 guarantees that t₂ can be extended to a trace s₂ ∈ [P] having the same inputs. Again, by axiom S7, there exists t₃ ∈ M(P) such that t₃ is extended from s₂ by adding one input not equal to the last output of s₂, and t₁ → t₂ → t₃. By continuing this process and by using axiom S8, we can show that there is an infinite trace in [P] that does not satisfy the specification of P. This is a contradiction. Therefore, P does not satisfy our global axioms. □

2.2 Compositional Rules

Renaming of Ports

Given a network description P(I, J, K) and its semantics [P(I, J, K)], one can rename its ports to obtain network description P(I′, J′, K′), where there are one-to-one correspondences between I and I′, J and J′, and K and K′. The semantics [P(I′, J′, K′)] is obtained from [P(I, J, K)] by renaming ports in events in the same way. □

Network Formation

In our model, networks can be formed from smaller networks by identifying (linking) some output ports of one network with some input ports of another. Only ports with the same name and domain may be linked. The linked ports become internal ports of the composed network. The semantics of a network can be obtained from the semantics of its components by a simple rule, as follows.

Let P₁(I₁, J₁, K₁), P₂(I₂, J₂, K₂), …, Pₙ(Iₙ, Jₙ, Kₙ) be network descriptions such that there exists a set L of port names where

• all port names in the signatures of P₁, …, Pₙ that are not in L are distinct, and

• every port name in L appears as an output port in exactly one of the Pᵢ's and as an input port in exactly one of the Pᵢ's.

Then ||(P₁, P₂, …, Pₙ) denotes the network obtained by linking the matching ports in L. Its signature consists of ∪(Iᵢ − L), ∪(Jᵢ − L), (∪Kᵢ) ∪ L. Trace t ∈ [||(P₁, …, Pₙ)] iff

• t is a trace on the ports of ||(P₁, …, Pₙ),
• t|Pₘ ∈ [Pₘ], for all m. □


Note: This says that an execution of ||(P₁, …, Pₙ) can be obtained from a set of executions of the Pᵢ's if the executions of the Pᵢ's are consistent, i.e. they have the same events on linked ports and their orderings on events are consistent. □
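An added Python sketch of the network formation rule, written for this page rather than taken from the paper: each component carries a small constructed finite set of traces standing in for [Pₘ], and compose enumerates one trace per component, keeps the combinations whose events on the linked ports agree and whose orderings have a consistent (acyclic) union, and returns each composed trace together with a linear extension as witness of consistency. The two side conditions on L and the signature ∪(Iᵢ − L), ∪(Jᵢ − L), (∪Kᵢ) ∪ L are checked first. The two networks, a pipeline of two one-message copiers and a feedback loop of two copiers, are constructed here; Network, copier, compose and linear_extension are this example's own names.

```python
from itertools import product
from typing import FrozenSet, NamedTuple, Set, Tuple

Event = Tuple[str, int, int]               # (port, value, sequence number on port)
Order = FrozenSet[Tuple[Event, Event]]     # pairs (a, b) meaning a < b
Trace = Tuple[FrozenSet[Event], Order]


class Network(NamedTuple):
    name: str
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    traces: Set[Trace]      # a constructed finite stand-in for [P]


def linear_extension(events, order):
    """Kahn's algorithm: a total order consistent with `order`, or None when
    the relation has a cycle (i.e. the component orderings are inconsistent)."""
    indegree = {e: 0 for e in events}
    successors = {e: [] for e in events}
    for a, b in order:
        indegree[b] += 1
        successors[a].append(b)
    ready = sorted(e for e in events if indegree[e] == 0)
    result = []
    while ready:
        e = ready.pop(0)
        result.append(e)
        for b in successors[e]:
            indegree[b] -= 1
            if indegree[b] == 0:
                ready.append(b)
    return result if len(result) == len(events) else None


def signature(components, links):
    """Signature of ||(P1, ..., Pn) after checking the side conditions on L."""
    for name in links:
        as_output = sum(name in p.outputs for p in components)
        as_input = sum(name in p.inputs for p in components)
        if as_output != 1 or as_input != 1:
            raise ValueError(f"linked port {name!r} must be an output of exactly "
                             "one component and an input of exactly one")
    unlinked = [n for p in components for n in p.inputs | p.outputs if n not in links]
    if len(unlinked) != len(set(unlinked)):
        raise ValueError("port names not in L must be distinct across components")
    inputs = frozenset().union(*(p.inputs for p in components)) - links
    outputs = frozenset().union(*(p.outputs for p in components)) - links
    return inputs, outputs, frozenset(links)


def compose(components, links):
    """Network formation: t is a trace of ||(P1, ..., Pn) iff it is a trace on
    the combined ports and t|Pm is a trace of every Pm. With finite [Pm] we
    try one trace per component, require identical events on the ports two
    components share (the linked ports) and an acyclic union of the orders."""
    signature(components, links)
    composed = []
    for choice in product(*(p.traces for p in components)):
        consistent = True
        for (p1, t1), (p2, t2) in product(zip(components, choice), repeat=2):
            shared = (p1.inputs | p1.outputs) & (p2.inputs | p2.outputs)
            if {e for e in t1[0] if e[0] in shared} != {e for e in t2[0] if e[0] in shared}:
                consistent = False
        if not consistent:
            continue
        events = frozenset().union(*(t[0] for t in choice))
        order = frozenset().union(*(t[1] for t in choice))
        witness = linear_extension(events, order)
        if witness is not None:            # orderings agree: this is a trace
            composed.append((events, order, witness))
    return composed


def copier(name, src, dst, value=1):
    """Constructed finite stand-in for a one-message copier src -> dst: either
    nothing happens, or one input is followed by one output."""
    a, b = (src, value, 1), (dst, value, 1)
    return Network(name, frozenset({src}), frozenset({dst}),
                   {(frozenset(), frozenset()),
                    (frozenset({a, b}), frozenset({(a, b)}))})


# Pipeline a -> c -> d with c linked; feedback loop with both a and c linked,
# so the composed network has no external ports at all.
PIPELINE = [copier("P1", "a", "c"), copier("P2", "c", "d")]
FEEDBACK = [copier("P1", "a", "c"), copier("P2", "c", "a")]


def pipeline_traces():
    return compose(PIPELINE, frozenset({"c"}))


def feedback_traces():
    """Only the empty trace survives: nothing seeds the loop, and the
    combination a < c (from P1) with c < a (from P2) is cyclic."""
    return compose(FEEDBACK, frozenset({"a", "c"}))


if __name__ == "__main__":
    for _, _, witness in pipeline_traces():
        print("pipeline trace:", witness)
    print("feedback traces:", [w for _, _, w in feedback_traces()])
```

The pipeline yields two traces (the empty one and a < c < d with c internal); the feedback loop yields only the empty trace, which is the rule handling a cycle of linked ports exactly as stated, with no special case.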

The global axioms S1 - S8 are preserved by these compositional rules.² This fact is important because, once one knows that all the primitive processes are non-pathological, one can immediately infer that any process formed from them is also non-pathological.

3. The Proof System

We use a first-order assertion language. It contains a set of port constant symbols. There are no trace variables, trace constant symbols, event variables, or event constant symbols. There are no port variables either, so quantification over ports is not allowed. For any trace t, the value of port constant symbol k in t is the (possibly infinite) sequence of values of the events on k in t. For any natural number n, k[n] is the message of the nth event on k. Function symbol #, when applied to a port, gives the number of events occurring on that port. This number is ∞ when the history of messages on the port is unbounded. There is also a predicate symbol < such that for any ports i and j, i[m] < j[n] means that the mth message on i precedes the nth message on j in the trace. An assertion is a well-formed closed formula in the assertion language.

3.1 Network Specifications

A network specification is of the form [network description] assertion, where the only port names that occur in assertion are ports in the signature of the network description. A specification is valid if every trace in the semantics of the network satisfies the assertion. A specification is precise if it is valid and if every trace on the ports of the network that satisfies the assertion is in the network's semantics.

Example 1:

[OneSlotBuffer(i, j)] ∀n (n ≤ #i ⊃ i[n] < j[n]) ∧ i = j

The first conjunct is a safety assertion that states that the nth input always precedes the nth output. The second conjunct is a liveness assertion that says that every input is eventually reproduced on the output port. Typically, a network specification consists of a safety assertion and a liveness assertion. Note that the predicate < enables us to deal with partially-ordered time, and the use of infinite traces makes it possible to specify liveness properties. □

Example 2: Process FairChoice in example 2 of section 2.1 can be specified as follows.

[FairChoice(i: {0, 1}, j: {0, 1})] #i = #j ∧ ∀n (n ≤ #i ⊃ i[n] < j[n]) ∧ ∃n (i[n] = j[n]) □
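An added example, not from the paper, of evaluating network specifications in the assertion language above on finite traces: a port is the sequence of its message values, so #k, k[n] and the predicate i[m] < j[n] are all the checker needs, with precedence computed as reachability through the stated event order so that partially ordered time is respected. The OneSlotBuffer and FairChoice specifications are evaluated as written; on a finite trace the liveness conjunct i = j and the fairness conjunct ∃n (i[n] = j[n]) are simply evaluated on what has happened so far. The sample traces (a correct buffer, a buffer whose outputs precede its inputs, and a fair and an unfair choice history) are constructed here; PortTrace, one_slot_buffer_holds, fair_choice_holds and canonical_order are this example's own names.

```python
from collections import defaultdict, deque


class PortTrace:
    """A finite trace as the assertion language sees it. `histories` maps a
    port name to the list of messages on it; `order` is a set of pairs
    ((port, m), (port, n)) stating that the m-th event on one port precedes
    the n-th on another (positions are 1-based, as in k[n])."""

    def __init__(self, histories, order):
        self.histories = {k: list(v) for k, v in histories.items()}
        self.successors = defaultdict(set)
        for a, b in order:
            self.successors[a].add(b)

    def count(self, k):
        """#k: number of events on port k."""
        return len(self.histories[k])

    def message(self, k, n):
        """k[n]: the message of the n-th event on k."""
        return self.histories[k][n - 1]

    def precedes(self, i, m, j, n):
        """i[m] < j[n]: reachability through the stated order, i.e. the
        transitive precedence; incomparable events simply yield False."""
        seen, todo = set(), deque([(i, m)])
        while todo:
            e = todo.popleft()
            for s in self.successors[e]:
                if s == (j, n):
                    return True
                if s not in seen:
                    seen.add(s)
                    todo.append(s)
        return False


def one_slot_buffer_holds(t, i="i", j="j"):
    """[OneSlotBuffer(i, j)] ∀n (n ≤ #i ⊃ i[n] < j[n]) ∧ i = j, evaluated on a
    finite trace; returns (safety conjunct, liveness conjunct)."""
    safety = all(t.precedes(i, n, j, n) for n in range(1, t.count(i) + 1))
    liveness = t.histories[i] == t.histories[j]
    return safety, liveness


def fair_choice_holds(t, i="i", j="j"):
    """[FairChoice(i, j)] #i = #j ∧ ∀n (n ≤ #i ⊃ i[n] < j[n]) ∧ ∃n (i[n] = j[n]),
    evaluated on a finite trace."""
    same_length = t.count(i) == t.count(j)
    ordered = all(t.precedes(i, n, j, n) for n in range(1, t.count(i) + 1))
    some_match = any(t.message(i, n) == t.message(j, n)
                     for n in range(1, min(t.count(i), t.count(j)) + 1))
    return same_length and ordered and some_match


def canonical_order(i, j, length, output_first=False):
    """Constructs a sample order: each port is a chain of `length` events and
    the n-th event on i precedes (or, if output_first, follows) the n-th on j."""
    chains = {((k, n), (k, n + 1)) for k in (i, j) for n in range(1, length)}
    cross = {((j, n), (i, n)) if output_first else ((i, n), (j, n))
             for n in range(1, length + 1)}
    return chains | cross


# Constructed samples.
BUFFER = PortTrace({"i": [7, 8, 9], "j": [7, 8, 9]}, canonical_order("i", "j", 3))
SWAPPED = PortTrace({"i": [7, 8, 9], "j": [7, 8, 9]},
                    canonical_order("i", "j", 3, output_first=True))
FAIR = PortTrace({"i": [0, 1, 1], "j": [1, 0, 1]}, canonical_order("i", "j", 3))
UNFAIR = PortTrace({"i": [0, 1], "j": [1, 0]}, canonical_order("i", "j", 2))

if __name__ == "__main__":
    print("buffer (safety, liveness):", one_slot_buffer_holds(BUFFER))
    print("swapped (safety, liveness):", one_slot_buffer_holds(SWAPPED))
    print("fair choice holds:", fair_choice_holds(FAIR), fair_choice_holds(UNFAIR))
```

Because precedence is reachability in a partial order rather than position in a linear log, BUFFER.precedes("i", 1, "j", 3) is true through i[1] < i[2] < i[3] < j[3], while BUFFER.precedes("j", 1, "i", 2) is false: the two events are incomparable, exactly the situation a totally-ordered trace model could not express.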

Example 3: Consider a fair merge process with one output port k and two input ports i and j. Intuitively, every event on k is caused by either an event on i or an event on j. Hence there exists a one-to-one assignment from events on k to events on i and j. Moreover, since the merge is fair, every event on i and j is covered by the assignment. The assignment must be such that if the mth event on k is assigned to the nth event on i (or j), then the latter precedes the former and they contain the same message. This can be modelled by relation Assign defined below.

For any sequence s whose elements s[m] are n-ary tuples for some fixed n, let s|index=value denote the subsequence of s consisting of those elements e such that e[index] = value. For n a natural number, [1...n] denotes the sequence consisting of 1, 2, ..., n. If n = 0 then [1...n] is the empty sequence. For any finite sequence s, let the relation Assign(s) denote the fact that

• for all m ≤ #s, s[m] is (0, n) or (1, n) for some natural number n,

• the projection of s|1=0 onto the second components of its elements is [1...p] for some p, and

• the projection of s|1=1 onto the second components of its elements is [1...q] for some q.

² Because of lack of space, the proofs are omitted here and are given (together with some other formal proofs and axioms) in [12], which is a more complete version of the paper.


[FairMerge({i, j}, k)] #k = #i + #j ∧ ∀p < #i ∀q < #j ∃s

It is fairly straightforward to prove that, in the specification of FairMerge, the existence of a finite assignment for any length of inputs implies the existence of a (possibly infinite) assignment for the whole inputs. We use finite assignments, and not infinite ones, in the specification because quantification over infinite string variables leads to the use of second-order logic. □

3.2 Components of the Proof System

Our proof system consists of:

1. Axioms and inference rules of first-order logic,
2. Axioms about the constant and function symbols,
3. Axioms that describe the properties of traces (these axioms formalize properties T1 - T4),
4. Axioms about the domain of values in messages,
5. A set of primitive networks whose semantics satisfy properties S1 - S8, which correspond to the primitive constructs of the language, and their precise specifications,
6. Proof rules to reason about networks derived from composing smaller constructs.

3.3 Proof Rules

We give proof rules based on the semantics rules given above. The proof rules are similar to those in [11] and are sound and relatively complete, except that here we use first-order logic instead of linear-time temporal logic (LTL). We cannot use LTL because of partially-ordered time, and we choose not to use branching-time temporal logic because it is not as convenient to use as LTL. However, the use of port histories allows us to handle temporal properties of processes, so there is no loss of generality.

Renaming Rule: This rule allows us to change the port names of a network. It is useful for port linking.

[N] F
------
[N′] F′

where N′ and F′ are obtained from N and F by changing some port names without introducing new links.

Network Formation Rule: This rule cnablcs us to dcrivc a specification for a network from spccifica- tions of its components. The simplicity of this rule comcn from the fact that intcrfcrcncc bctwccn nct.- work specifications does not arise. There is no in- tcrfcrcnce bccausc a network specification rcfcrs only to the ports of the network, and not to those ports of the cnvironmcnt. Note that the rule works even for n&works that contain cycles of linked ports.

The network formation rule is not as trivial as it first appears. The rule is sound and relatively complete only because of careful restrictions on the assertion language and the model. The use of an assertion language as in Pratt's model [14], which allows event variables, or as in Hoare's model [6], which allows trace variables, would invalidate this rule.

Consequence Rule

    [N] F,  F ⊃ G
    -------------
    [N] G

where F ⊃ G is provable by parts 1 - 4 of the proof system (in section 3.2). By not mentioning some port names in assertion G, information hiding is achieved.
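As an added illustration (not code from the paper), the three rules can be modelled over finite port histories in Python: a specification [N] F becomes a predicate on histories, renaming remaps port names, formation conjoins component specifications, and consequence derives a weaker specification that no longer mentions a linked port. The buffer specification, the port names a, m, b and the sample histories are constructed for the example; the model assumes that the network formation rule conjoins the component specifications over the shared port histories, since the rule's formula is not legible on this page, and a semantic check on sample histories stands in for a proof in parts 1 - 4 of the proof system.

```python
"""Finite-history model of the three proof rules of section 3.3.  Added
example, not code from the paper.  A specification [N] F is a predicate over
finite port histories (port name -> sequence of event values).  Assumptions:
the network formation rule, whose formula is not legible here, is read as
conjoining the component specifications over the union of their ports with a
linked port shared under one name; "F implies G is provable" is approximated
by checking the implication on constructed sample histories; the buffer
specification and port names are invented for the illustration.
"""
from typing import Callable, Dict, Iterable, List, Sequence

History = Dict[str, Sequence[object]]
Spec = Callable[[History], bool]


def rename(spec: Spec, mapping: Dict[str, str]) -> Spec:
    """Renaming rule: from [N] F derive [N'] F' with ports renamed old -> new.
    Two old ports must not be folded onto one new name (no new links)."""
    inverse = {new: old for old, new in mapping.items()}
    if len(inverse) != len(mapping):
        raise ValueError("renaming must not introduce new links")

    def renamed(h: History) -> bool:
        return spec({inverse.get(port, port): events for port, events in h.items()})

    return renamed


def formation(*specs: Spec) -> Spec:
    """Network formation rule (as assumed above): the composite satisfies every
    component specification on the shared history; since each spec mentions
    only its own ports, the components cannot interfere."""
    return lambda h: all(spec(h) for spec in specs)


def consequence(spec: Spec, weaker: Spec, samples: Iterable[History]) -> Spec:
    """Consequence rule: from [N] F and F implies G conclude [N] G.  The
    implication is checked on the sample histories in place of a proof in
    parts 1-4 of the proof system.  G may omit ports of F (information hiding)."""
    for h in samples:
        if spec(h) and not weaker(h):
            raise AssertionError(f"F does not imply G on history {h}")
    return weaker


def is_prefix(short: Sequence[object], long: Sequence[object]) -> bool:
    return len(short) <= len(long) and list(long[:len(short)]) == list(short)


def buffer_spec(inp: str, out: str) -> Spec:
    """Constructed specification of a buffer: the history of the output port is
    always a prefix of the history of the input port."""
    return lambda h: is_prefix(h.get(out, ()), h.get(inp, ()))


# Two buffers a -> m and m -> b composed by linking port m.
COMPOSITE = formation(buffer_spec("a", "m"), buffer_spec("m", "b"))

# Constructed sample histories; the last two violate one component each.
SAMPLES: List[History] = [
    {"a": [1, 2, 3], "m": [1, 2], "b": [1]},
    {"a": [1, 2, 3], "m": [1, 2, 3], "b": [1, 2, 3]},
    {"a": [1, 2], "m": [1, 2, 9], "b": []},
    {"a": [1, 2], "m": [1], "b": [1, 2]},
]


def check_samples() -> List[bool]:
    """Evaluate the composite specification on every sample history."""
    return [COMPOSITE(h) for h in SAMPLES]


def end_to_end_spec() -> Spec:
    """By the consequence rule, the composite also satisfies 'b is a prefix of
    a', a specification that no longer mentions the linked port m."""
    return consequence(COMPOSITE, buffer_spec("a", "b"), SAMPLES)


def renamed_composite() -> Spec:
    """By the renaming rule, the same network specified over ports x, y, z."""
    return rename(COMPOSITE, {"a": "x", "m": "y", "b": "z"})
```

The point the model makes is the one the text makes about the formation rule: because each component specification reads only its own ports, composing them is a plain conjunction, and hiding the linked port m afterwards is a consequence step rather than a new proof obligation.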

4. Applications

We now use our semantics to define the semantics of a programming language PL that supports multiple processes, rendezvous calls, dynamic instantiations of processes, and dynamic bindings of communication channels. The language is based on Ada [16] and NIL [15], but has been simplified for expository purposes.

The execution units of PL are processes. Every process consists of a sequential program and local variables. Processes can: (a) make assignments to local variables, (b) communicate with other processes by making rendezvous calls over sockets,³ and (c) instantiate other processes. To provide programmable control over who may communicate with whom, PL supports dynamic bindings of sockets. Sockets are either callsockets or acceptsockets. A call issued to a callsocket can be serviced only by the process owning the acceptsocket to which the callsocket is bound.

Variables

Every process P has four kinds of variable:

• local variables (denoted by v_i) - numbers, booleans, strings, etc.

• local callsockets (denoted by lcs_i). These sockets are bound dynamically to acceptsockets in P's child processes at the time the children are instantiated.

• imported callsockets (denoted by ics_i). Each imported callsocket is given a binding exactly once by P's parent at the time P is instantiated. The acceptsocket it is bound to either belongs to P's parent or is bound to a callsocket of P's parent.

• acceptsockets (denoted by as_i). These may be bound to local callsockets of P's parent at the time P is instantiated or to imported callsockets of P's children when they are instantiated.

We use cs to denote a callsocket when the distinction between being local and imported is not relevant. We use socket to denote collectively a callsocket or an acceptsocket.

Syntax

The syntax of PL is:

process ::= process imports (ics_1: ctype_1, ..., ics_n: ctype_n)
                    exports (as_1: atype_1, ..., as_n: atype_n)
                    local (v_1: vt_1, ..., v_n: vt_n, lcs_1: ctype_1, ..., lcs_n: ctype_n)
                    statement

statement ::= assign (v_1, ..., v_n) ← (expression_1, ..., expression_n)
            | call cs(v_1, ..., v_n)
            | statement ; statement
            | if v then statement else statement
            | while v repeat statement
            | accept (v_1, ..., v_n) on as statement return
            | instantiate process
                  export (Childics_1 → Parentsocket_1, ..., Childics_n → Parentsocket_n)
                  import (Parentlcs_1 → Childas_1, ..., Parentlcs_n → Childas_n)

Sequential components

The assign statement and the sequential composition, if, and while compound statements are standard.

Call and Accept

The call statement causes the values of the variables to be copied into a call-message (parameter list). This message is queued at the acceptsocket to which the callsocket is bound. The calling process suspends execution until the call-message is returned. The accept statement causes a queued call-message to be dequeued and its parameter list to be copied into the local variables v_1, ..., v_n. The statement embedded within accept is then executed, after which the (possibly changed) local variables are copied back into the call-message and the call-message is returned to the calling process. The calling process then copies the parameters back into its local variables and resumes execution. The process issuing accept is blocked if the acceptsocket has no queued call-messages.

To guarantee that only one call at a time is processed from a given acceptsocket, there is an additional syntactic rule that no statement nested within an accept statement may be another accept for the same acceptsocket.

It is possible for several callsockets (even of different processes) to be bound to the same acceptsocket. When this happens, the call-messages are merged fairly, i.e. if the called process issues an accept infinitely often, then every call-message is guaranteed to be accepted eventually.

3 We use the term "socket" here instead of the more customary term "port" to avoid confusion with the ports of our semantic model.

Instantiate

The instantiate statement creates a new instance of the specified process. The import list specifies bindings of local callsockets of the parent to acceptsockets of the child. The export list specifies bindings of imported callsockets of the child. If Parentsocket_i is an acceptsocket, the child's callsocket is bound to that acceptsocket. If Parentsocket_i is a callsocket, the child's callsocket is bound to the acceptsocket that is bound to Parentsocket_i at the time.

The types named in the declarations determine the domains of local variables and the numbers and types of variables in call-messages. The details of type definitions are omitted here.
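The following Python model, added here and not part of the paper, executes the binding and rendezvous rules just described: instantiate resolves each export either against an acceptsocket of the parent or against the current binding of a parent callsocket, call queues a call-message at the bound acceptsocket and suspends the caller, and accept dequeues the oldest message, runs the embedded body on copied parameters and returns the message. The class and socket names, the FIFO realisation of the fair merge and the three-process scenario are all constructed for the example.

```python
"""PL sockets as an executable model: binding at instantiate time and
rendezvous call/accept with one queue per acceptsocket.  Added example, not
code from the paper.  Assumptions: all names are invented; an acceptsocket is
identified by (owner pid, name); the fair merge of queued calls is a FIFO
queue (one admissible fair merge); a suspended caller is marked blocked."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

Binding = Tuple[int, str]  # (pid of the owning process, acceptsocket name)

@dataclass
class CallMessage:
    caller: int           # pid of the calling process
    csb: Binding          # acceptsocket the callsocket was bound to at call time
    params: List[object]  # parameter list copied from, then back to, the caller

@dataclass
class Process:
    pid: int
    local: Dict[str, object] = field(default_factory=dict)
    callsockets: Dict[str, Optional[Binding]] = field(default_factory=dict)
    acceptsockets: Dict[str, Deque[CallMessage]] = field(default_factory=dict)
    suspended_on: Optional[Tuple[CallMessage, List[str]]] = None

class PLSystem:
    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}

    def instantiate(self, parent: Optional[Process], callsockets: List[str],
                    acceptsockets: List[str], export: Dict[str, str],
                    import_: Dict[str, str]) -> Process:
        """export: child imported callsocket -> parent socket; import_: parent
        local callsocket -> child acceptsocket (as in the PL syntax)."""
        child = Process(len(self.procs), {}, {cs: None for cs in callsockets},
                        {a: deque() for a in acceptsockets})
        self.procs[child.pid] = child
        for child_ics, parent_socket in export.items():
            if parent_socket in parent.acceptsockets:
                # Parentsocket is an acceptsocket: bind the child's callsocket to it.
                child.callsockets[child_ics] = (parent.pid, parent_socket)
            else:
                # Parentsocket is a callsocket: bind to what it is bound to right now.
                child.callsockets[child_ics] = parent.callsockets[parent_socket]
        for parent_lcs, child_as in import_.items():
            parent.callsockets[parent_lcs] = (child.pid, child_as)
        return child

    def call(self, caller: Process, cs: str, variables: List[str]) -> CallMessage:
        """call cs(v1, ..., vn): copy the values into a call-message, queue it at
        the bound acceptsocket and suspend the caller."""
        binding = caller.callsockets[cs]
        msg = CallMessage(caller.pid, binding, [caller.local[v] for v in variables])
        owner, as_name = binding
        self.procs[owner].acceptsockets[as_name].append(msg)
        caller.suspended_on = (msg, variables)
        return msg

    def accept(self, server: Process, as_name: str, variables: List[str],
               body: Callable[[Process], None]) -> Optional[CallMessage]:
        """accept (v1, ..., vn) on as <body> return: dequeue the oldest call-message,
        run body on the copied parameters, copy them back and return the message
        to its caller.  None means the process would block on an empty queue."""
        queue = server.acceptsockets[as_name]
        if not queue:
            return None
        msg = queue.popleft()
        for v, value in zip(variables, msg.params):
            server.local[v] = value
        body(server)
        msg.params = [server.local[v] for v in variables]
        caller = self.procs[msg.caller]
        pending, caller_vars = caller.suspended_on
        assert pending is msg
        for v, value in zip(caller_vars, msg.params):
            caller.local[v] = value
        caller.suspended_on = None  # the caller resumes execution
        return msg

def run_scenario() -> Dict[str, object]:
    """R owns acceptsocket svc and local callsocket lcs; C's imported ics is
    exported to R.svc and R.lcs is imported to C's acceptsocket cas; G's imported
    gics is exported to C.ics, a callsocket, so it binds to R.svc."""
    system = PLSystem()
    root = system.instantiate(None, ["lcs"], ["svc"], {}, {})
    child = system.instantiate(root, ["ics"], ["cas"], {"ics": "svc"}, {"lcs": "cas"})
    grandchild = system.instantiate(child, ["gics"], [], {"gics": "ics"}, {})
    grandchild.local["x"], child.local["y"], root.local["z"] = 5, 7, 1
    double = lambda p: p.local.update(n=p.local["n"] * 2)   # accept body of R
    negate = lambda p: p.local.update(m=-p.local["m"])      # accept body of C
    system.call(grandchild, "gics", ["x"])   # queued first at R.svc
    system.call(child, "ics", ["y"])         # queued second at R.svc
    first = system.accept(root, "svc", ["n"], double)
    second = system.accept(root, "svc", ["n"], double)
    blocked = system.accept(root, "svc", ["n"], double) is None
    system.call(root, "lcs", ["z"])          # reaches C.cas through the import binding
    system.accept(child, "cas", ["m"], negate)
    return {"gics_binding": grandchild.callsockets["gics"],
            "callers_in_order": [first.caller, second.caller],
            "x": grandchild.local["x"], "y": child.local["y"], "z": root.local["z"],
            "blocked_on_empty_queue": blocked}
```

The grandchild's binding is resolved at instantiation time from the parent's callsocket, so a later rebinding of C.ics would not affect G, which is the "at the time" qualification in the text above.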

4.2 A Formal Semantics of PL

The semantics of PL is described by a set of primitive networks and their compositions. The general ideas are as follows.

The main difficulties in specifying the semantics of PL are:

• Modelling the various sequential programming constructs with only one network formation rule,

• Handling dynamic process creation, and

• Handling dynamic bindings of sockets.

Statements, as well as processes, in PL are represented by networks with uniform interfaces. To deal with sequential programming constructs, we need to be able to model the transfer of control flow from one statement to another. This is achieved by having special ports whose messages are states of processes. A state message contains the values of local variables, the values of callsockets, the unique id of the executing process, and the id of the last child process this process created. The passing of state messages from one statement network to another models the transfer of control flow. Note that a single static statement may be executed several times, e.g. when it is in a loop. Hence a statement network may receive a stream of state messages, and every such message represents a new execution of the statement.

Because of dynamic process creation and repetitive constructs, a single static PL process may be instantiated multiple times. The number of executing processes may become infinite. To represent that by a finite number of networks in our model, we let a single network represent the multiple instantiations of a given PL process. By giving every process instantiation a unique id and making the id part of the state messages, we can distinguish between the different instantiations of a PL process.

Due to the dynamic bindings of sockets, a local callsocket may be connected to different acceptsockets at different times. To represent this by networks with static port bindings, we use fan-out networks to link (the ports corresponding to) the callsocket to (the ports corresponding to) all these acceptsockets. Every message on the callsocket contains the id of the acceptsocket currently bound to the callsocket. The message is broadcast to all the linked acceptsockets, but only the acceptsocket with the same id accepts it. The message also contains the id of the calling process, so that the return message can be routed to the right process.

For ease of exposition, we describe informally the primitive networks and show how they are combined to represent statements and processes. The formal precise specifications of these primitive networks can be obtained straightforwardly from the informal descriptions. These together with the proof rules in section 3.3 form a sound and relatively complete proof system for language PL.

4.2.1 Primitive Networks and Their Compositions

We define collections of ports called interfaces that are used to interconnect the networks.

Interfaces

There are three types of interfaces: control interface, call interface, and accept interface.

• A control interface consists of a single port ctl representing the initiation or termination of a statement. An event on a control interface represents the passing of control flow. Its value is always a state of a process, which is a tuple where each vb_i is the current value of local variable v_i, csb_i is the current value of callsocket cs_i, pid is a unique value identifying the process that executes the statement, and cid is the unique id of the last child this process created. The value of vb_i depends on the type of variable v_i. The value of csb_i is the acceptsocket to which this callsocket is bound. We will see later that it suffices to use the process id of the owner of the acceptsocket as this value. In our notation, a port with ctl in its name is always a control port; such names without overbars designate input ports while names with overbars designate output ports.

• A call interface for variable x consists of a pair of ports: x.call and x.rtn. Events on these ports represent the sending and the returning of call-messages. The event value on either x.call or x.rtn is a tuple <pid, csb, parm_1, ..., parm_m> where pid is the id of the process making the call, csb is the identity of the acceptsocket to which the callsocket is bound, and the parm_i's are the parameters being sent to or returned from the called process. By convention, names with overbars represent outgoing call interfaces, i.e. the call port is an output port and rtn is an input port. Names without overbars represent incoming call interfaces where the directions of the ports are reversed.

• An accept interface for variable x consists of three ports: x.rq, x.rcv, and x.ret. Every event on x.rq is a single value pid indicating that the process whose id is pid is ready to accept a call. Any event on x.rcv is the delivery of a call-message in response to some event on x.rq. An event on x.ret is the returning of a call-message by the accepting process. The value domain for x.rcv and x.ret is similar to that for a call interface. Again, names with overbars represent outgoing accept interfaces, i.e. the rq port and ret port are output ports, and the rcv port is an input port. Names without overbars represent incoming accept interfaces where the directions of the ports are reversed.

Statements

A statement belongs to some context, which is a set of declared variables. Only statements with identical context can be composed. We make the interfaces of networks that represent statements uniform. Statement composition is defined solely by the bindings of these interfaces. A statement has the following interfaces, though it may not use all of them:

• An incoming and an outgoing control interface.

• For every acceptsocket in the context, an outgoing accept interface and an outgoing call interface. The accept interface is used if the statement contains an accept for that socket. The call interface is used if the statement instantiates one or more child processes and exports access to that acceptsocket.

• For every imported callsocket in the context, an outgoing call interface.

• For every local callsocket in the context, an incoming and an outgoing call interface. The outgoing call interface is used if the statement makes a call on that callsocket. The incoming call interface is used when the callsocket is bound to an acceptsocket in a child created by the statement.

Figure 1 depicts a "black box" network whose interfaces are those of a PL statement.

[Figure 1 not reproduced: a Statement box with control ports ctl and ctl̄, call ports lcs.call, lcs.rtn, ics.call, ics.rtn, and accept ports as.rq, as.rcv, as.ret]

Figure 1. The interfaces of a network representing a statement

Assign and Call Primitive Statements

The primitive statements assign and call are modelled as follows:

• The network representing an assignment statement responds to events on the incoming control port by producing events on the outgoing control port. For any process identifier pid and any trace of the network, if one examines only events in the trace whose process id is pid, then the nth input event always precedes the nth output event and the latter is a copy of the former, except that the values of the assigned variables are replaced by the expression values. This property guarantees both the safety property that correct values are produced and the liveness property that an outgoing control event is always produced in response to an incoming control event. Because the property is asserted only for a restriction of the trace, it is possible for two control events having different process identifiers to occur in one order on the input control port, and in another order on the output control port. The assignment statement does not generate any outputs on the call or accept interfaces, and it ignores any inputs on these interfaces.

• The statement call cs(v_1, ..., v_m) is represented as a statement network that uses four ports: ctl, ctl̄, cs̄.call, and cs̄.rtn. All other ports are unused, i.e. inputs ignored, outputs empty. Again, we specify only the restrictions of the traces of the network to those events containing some process identifier pid. In such a restriction, the nth event on ctl always precedes the nth event on cs̄.call. The value of the latter is <pid, csb, vb_1, ..., vb_m> where csb is the identifier of the acceptport to which callsocket cs is bound and the vb_i's are the current values of v_1, ..., v_m. (These values are copies of the corresponding data of the nth event on ctl.) The above guarantees that when a call statement is executed a call-message is sent.

If there is an nth event on port cs̄.rtn in the restricted trace that has the same csb, this means that the nth call has been returned. In that case, there is an nth event on the outgoing control output port ctl̄. This event must be preceded by both the nth events on ctl and on cs̄.rtn, and its value is a copy of that of the event on ctl, except that the values of variables v_1, ..., v_m are replaced by the corresponding values of the event on cs̄.rtn. This guarantees that a call statement terminates whenever the call is returned.

Sequential Composition

For two statements to be composable sequentially, they must be parts of the same process. Hence there is a one-to-one correspondence between their interfaces such that corresponding interfaces represent the same sockets of the process.⁴ The ports of the two statements must be connected in such a way that the resulting network has the interface of a statement. Figure 2 depicts the port bindings made in composing two statements.

For every callsocket, the call interfaces of the two statements that correspond to it are merged using a call merge primitive network. Any call made by either statement will appear on the merged port, and the returned call-message will be routed to the statement making the call. Similarly, the accept interfaces representing the same acceptsocket are merged using an accept merge primitive network.

If a call is made from outside the statements to a local callsocket then it is broadcast to both statements, since the socket may be bound to an acceptsocket of a child process in either of the statements. However, because the call contains the child process identifier as the identity of the acceptsocket, only one of the calls will actually be accepted. A call broadcast primitive process is used to broadcast the call. Finally, the outgoing control port of the first statement is connected to the incoming control port of the second statement.

The specifications of call merge, accept merge, and broadcast are as follows. The call merge has two incoming call interfaces and one outgoing call interface. Its functions are: (1) to merge the calls fairly, and (2) to route the return from a call to the call interface that made the call.

The accept merge is the three-wire analog of the call merge. The relationship between the rq, rcv incoming interfaces and the rq, rcv outgoing interface is identical to that of a call merge. The relationship between the incoming ret's and the outgoing ret is exactly like that of a fair merge. The accept merge can therefore be defined as the parallel composition of these two networks.

4 To highlight this correspondence without having to give two different ports the same name, one can subscript every port with the name of the network owning the port. Those ports corresponding to one another have the same name but with different subscripts.

Figure 2. Sequential composition of two statements

The call broadcast has a single incoming call interface and two outgoing call interfaces. Every incoming call is simply copied to output ports of both outgoing call interfaces. Returns arriving from the outgoing call interfaces are merged fairly and reproduced on the output port of the incoming interface.

If and While

The if statement is modelled in a similar manner to sequential composition. The only difference is in the connection of the control ports. In Figure 3, we use thick lines to represent the call and accept interfaces rather than showing pairs and triples of port connections. A control branch primitive is used to route the control to either the first or second statement, depending on the value of boolean variable v in the control input event. The control branch process has a simple description: for any process id, the subsequence of messages with that id on port true.ctl̄ (false.ctl̄) is equal to the subsequence of messages with the same id on port ctl whose values for v is true (false), and the nth event of the latter always precedes the nth event of the former. A control merge process connects the outgoing control port of each statement to the outgoing control port of the compound statement. The control merge is simply a fair merge.

The modelling of the while statement as a composition of a statement, control branch, and control merge is straightforward. It is illustrated in Figure 4.
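To make the restriction-by-pid style of specification concrete for the assign statement and for the control branch and control merge used by if and while, here is an added Python model (not the paper's code) in which a statement network is a function from the incoming control history to the outgoing one. It assumes that a state message is a dict holding pid, cid and the local variables (callsocket values are left out), and it realises the fair merge as round-robin interleaving, which is one admissible choice; the sample input and the two assignment bodies are constructed for the example.

```python
"""Statement networks as functions on control-port histories: assign, control
branch, control merge and the if statement built from them.  Added example,
not code from the paper.  Assumptions: a state message is a dict holding
'pid', 'cid' and the local variables (callsocket values omitted); a network
maps the incoming control history to the outgoing one; round-robin
interleaving stands in for the fair merge, which fixes no order between pids.
"""
from itertools import zip_longest
from typing import Callable, Dict, List, Tuple

State = Dict[str, object]
Trace = List[State]
Network = Callable[[Trace], Trace]


def restrict(trace: Trace, pid: int) -> Trace:
    """The subsequence of control events belonging to one process."""
    return [s for s in trace if s["pid"] == pid]


def assign_network(targets: List[str], exprs: List[Callable[[State], object]]) -> Network:
    """assign (v1..vn) <- (e1..en): every incoming state is reproduced on the
    outgoing control port with the assigned variables replaced by the
    expression values (all expressions evaluated on the incoming state)."""
    def run(ctl_in: Trace) -> Trace:
        out: Trace = []
        for s in ctl_in:
            values = [e(s) for e in exprs]
            out.append({**s, **dict(zip(targets, values))})
        return out
    return run


def control_branch(v: str) -> Callable[[Trace], Tuple[Trace, Trace]]:
    """Route each state to true.ctl or false.ctl by its value for v; per pid
    each output is the subsequence of the input with that truth value."""
    def run(ctl_in: Trace) -> Tuple[Trace, Trace]:
        return [s for s in ctl_in if s[v]], [s for s in ctl_in if not s[v]]
    return run


def control_merge(left: Trace, right: Trace) -> Trace:
    """A fair merge: every event of both inputs appears on the output.  The
    order between events of different pids is unconstrained; round-robin
    interleaving is one admissible choice."""
    out: Trace = []
    for a, b in zip_longest(left, right):
        out.extend(s for s in (a, b) if s is not None)
    return out


def if_network(v: str, then_net: Network, else_net: Network) -> Network:
    """if v then S1 else S2 = control branch, the two statements, control merge."""
    branch = control_branch(v)

    def run(ctl_in: Trace) -> Trace:
        on_true, on_false = branch(ctl_in)
        return control_merge(then_net(on_true), else_net(on_false))
    return run


def per_pid_property(ctl_in: Trace, ctl_out: Trace,
                     expected: Callable[[State], State]) -> bool:
    """For every pid, the restriction of the output equals the expected
    transform of the restriction of the input, event by event."""
    return all([expected(s) for s in restrict(ctl_in, p)] == restrict(ctl_out, p)
               for p in {s["pid"] for s in ctl_in})


# Constructed input: three processes each execute the if statement once.
SAMPLE_INPUT: Trace = [
    {"pid": 1, "cid": 0, "flag": False, "x": 10},
    {"pid": 2, "cid": 0, "flag": True, "x": 20},
    {"pid": 3, "cid": 5, "flag": True, "x": 30},
]
IF_NET = if_network("flag",
                    assign_network(["x"], [lambda s: s["x"] + 1]),   # then: x <- x + 1
                    assign_network(["x"], [lambda s: s["x"] * 2]))   # else: x <- x * 2


def expected_state(s: State) -> State:
    return {**s, "x": s["x"] + 1 if s["flag"] else s["x"] * 2}


def output_pid_order() -> List[int]:
    """Pids in output order: differs from the input order 1, 2, 3 because the
    merge interleaves the two branches, exactly what the per-pid restriction
    allows."""
    return [s["pid"] for s in IF_NET(SAMPLE_INPUT)]


def property_holds() -> bool:
    return per_pid_property(SAMPLE_INPUT, IF_NET(SAMPLE_INPUT), expected_state)
```

The while statement is the same two control primitives wired back to the statement's own input, which the flat history model above does not capture, since the nth loop iteration of one pid depends on the (n-1)th output; the per-pid property it satisfies is the same one checked here.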

Accept

The accept statement is formed by composing the embedded statement with the accept primitive network. See Figure 5. The accept network has two sets of control interfaces: begin.ctl, begin.ctl̄, end.ctl, and end.ctl̄. It also has an outgoing accept interface for acceptsocket as.

The traces of the accept network are described in terms of their restrictions to a particular process identifier pid. Upon receiving the nth event on control port begin.ctl, the nth request to receive a call-message is sent on port as̄.rq. If there is an nth event on input port as̄.rcv, then the nth event is produced on control port begin.ctl̄. This event is a copy of the control input event, except that the values of variables v_1, ..., v_m are replaced by the corresponding values of the nth event on as̄.rcv. If the nth event on control port end.ctl also appears, then it is reproduced as the nth event on end.ctl̄ and its values for variables v_1, ..., v_m are copied into the nth call-message on as̄.ret.

[Figure 3 not reproduced: a Control Branch feeding the two statements, whose control outputs are joined by a Control Merge]

Figure 3. The if compound statement

[Figure 4 not reproduced: a Statement in a loop through a Control Branch and a Control Merge]

Figure 4. The while statement

Because the embedded statement is not allowed to issue accept on the same acceptsocket, it is not necessary to merge the accept interface of the statement with that of the accept primitive network. The accept primitive network provides the accept interface for the acceptsocket as, and the statement provides the call interface for as as well as the accept interfaces for all the other acceptsockets. The accept interface for as of the statement is hidden by linking it to a sink process that has no other ports and that does nothing.

[Figure 5 not reproduced: control ports begin.ctl and end.ctl, an Accept box and the embedded Statement]

Figure 5. The accept statement

Forming a Process from a Statement

Before giving the semantics for the instantiate statement, we need to discuss the interfaces of networks that represent processes in PL. A process interface has:

• an incoming control port whose events represent instantiations of the process,

• for every acceptsocket, an incoming call interface, and

• for every imported callsocket, an outgoing call interface.

A process is built out of its outermost statement as follows. See Figure 6. For every acceptsocket of the statement, its accept interface is connected to a call buffer primitive network that queues call-messages that have been sent but not yet accepted. Because an acceptsocket of a process may be called from both its children and non-child processes, the call buffer receives calls from a call merge that combines calls from two sources: within the statement and outside of the process.

Since the bindings for the imported callsockets are known only when the process is embedded within a parent, the call interfaces for these callsockets remain unconnected. And because local callsockets are bound only to child processes, the outgoing call interface for each of them is connected to the incoming call interface for the same callsocket. This reflects the fact that within the statement there may be some embedded instantiate statements that bind the callsocket and other embedded call statements that make calls on the callsocket. The calls from all the call statements are merged until the top statement is reached, then they are distributed via the call broadcasts to all statements. Those instantiate statements that bind the callsocket pass the calls from the incoming call interfaces to the bound acceptsockets of the child processes. Only one of these acceptsockets is able to accept the call by providing the matching process id.

Finally, the process has a control input port whose events initiate its execution. These events become the control input events of the statement. The control output port of the statement is hidden by being bound to a sink process, as PL does not provide any explicit sensing of process termination.

The traces of the call buffer in Figure 6 are described in terms of their restrictions to a particular process identifier pid. If there are n events on both ports call and as.rq of the call buffer, then the nth event on call is reproduced as the nth event on port as.rcv. This expresses the fact that the accept statement waits for a call to arrive. If n events have occurred on both call and as.rq and additionally, the nth event has occurred on as.ret, then a copy of the event on as.ret will appear as the nth event on port rtn. This reflects the fact that returns are passed through to the caller. The behavior of the call merge guarantees that any return will be routed to the call interface that originally made the call.
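The call merge and call broadcast specified under Sequential Composition and the call buffer just described can be exercised together; the Python model below is an added example and not the paper's code. It assumes that a call-message is <pid, csb, params> with csb the pid of the acceptsocket's owner, that a sequential caller has at most one open call so returns can be routed by pid, that a buffer ignores broadcast copies whose csb is not its owner's pid (the filtering described in section 4.2), and that arrival order realises the fair merges; the pids and parameter values are constructed.

```python
"""The call merge, call broadcast and call buffer primitives as small
message-passing components wired into one scenario.  Added example, not code
from the paper.  Assumptions: a call-message is <pid, csb, params> with csb
the pid of the process owning the bound acceptsocket; a caller has at most one
open call, so the merge routes returns by pid; a buffer ignores broadcast
copies whose csb is not its owner (the filtering described in section 4.2);
arrival order stands in for the fair merges."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class CallMsg:
    pid: int                    # id of the calling process
    csb: int                    # identity (owner pid) of the bound acceptsocket
    params: Tuple[object, ...]


class CallMerge:
    """Two incoming call interfaces (sides 0 and 1) merged into one outgoing
    call interface; each return goes back to the side that made the call."""
    def __init__(self) -> None:
        self.out_call: List[CallMsg] = []                    # merged call port
        self.rtn: Dict[int, List[CallMsg]] = {0: [], 1: []}  # per-side rtn ports
        self._route: Dict[int, int] = {}                     # caller pid -> side

    def call(self, side: int, msg: CallMsg) -> None:
        if msg.pid in self._route:
            raise RuntimeError(f"process {msg.pid} already has an open call")
        self._route[msg.pid] = side
        self.out_call.append(msg)

    def ret(self, msg: CallMsg) -> None:
        self.rtn[self._route.pop(msg.pid)].append(msg)


class CallBroadcast:
    """One incoming call interface fanned out to two outgoing ones: every call
    is copied to both, and returns from either side are merged back."""
    def __init__(self) -> None:
        self.out_call: Dict[int, List[CallMsg]] = {0: [], 1: []}
        self.rtn: List[CallMsg] = []

    def call(self, msg: CallMsg) -> None:
        for side in (0, 1):
            self.out_call[side].append(msg)

    def ret(self, side: int, msg: CallMsg) -> None:
        self.rtn.append(msg)


class CallBuffer:
    """Queues call-messages for the acceptsocket of process `owner` until the
    owner requests one (as.rq): the nth request receives the nth queued call
    on as.rcv, and every as.ret is passed through to the caller on rtn."""
    def __init__(self, owner: int) -> None:
        self.owner = owner
        self._queue: Deque[CallMsg] = deque()
        self._requests = 0
        self.rcv: List[CallMsg] = []
        self.rtn: List[CallMsg] = []

    def call(self, msg: CallMsg) -> None:
        if msg.csb == self.owner:   # copies meant for other acceptsockets are dropped
            self._queue.append(msg)
            self._deliver()

    def rq(self, pid: int) -> None:
        if pid != self.owner:
            raise RuntimeError("only the owning process may accept on this socket")
        self._requests += 1
        self._deliver()

    def _deliver(self) -> None:
        while self._queue and self._requests > len(self.rcv):
            self.rcv.append(self._queue.popleft())

    def pending(self) -> int:
        return len(self._queue)

    def ret(self, msg: CallMsg) -> None:
        self.rtn.append(msg)


def run_scenario() -> Dict[str, object]:
    """Callers 7 (side 0) and 9 (side 1) share a merged callsocket that is
    broadcast to the acceptsockets of processes 3 and 4; each acceptor doubles
    the parameters and returns the call-message."""
    merge, bcast = CallMerge(), CallBroadcast()
    buffers = [CallBuffer(3), CallBuffer(4)]
    for side, msg in ((0, CallMsg(7, 3, (1,))), (1, CallMsg(9, 4, (2,)))):
        merge.call(side, msg)
        bcast.call(merge.out_call[-1])
        for out_side, buf in enumerate(buffers):
            buf.call(bcast.out_call[out_side][-1])
    queued = sum(b.pending() for b in buffers)   # nothing delivered before a request
    for out_side, buf in enumerate(buffers):
        buf.rq(buf.owner)
        received = buf.rcv[-1]
        buf.ret(replace(received, params=tuple(p * 2 for p in received.params)))
        bcast.ret(out_side, buf.rtn[-1])
        merge.ret(bcast.rtn[-1])
    return {"queued_before_request": queued,
            "delivered": {b.owner: [m.pid for m in b.rcv] for b in buffers},
            "returns": {s: [(m.pid, m.params) for m in ms] for s, ms in merge.rtn.items()}}
```

Each caller's message is copied to both buffers by the broadcast, but only the buffer whose owner matches csb queues it, and the merge's routing table sends the doubled parameters back to the side the call came from, which is the behaviour the three specifications above require.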

Instantiating a Process

The above shows how a statement is expanded into a process. The instantiate statement does the reverse and embeds a process within a statement. See Figure 7. A process has incoming call interfaces for its acceptsockets, as shown in Figure 6. Hence for every binding Parentlcs → Childas in the imports list of the instantiate statement, the incoming call interface for Parentlcs is routed to the incoming call interface for Childas. A process also has outgoing call interfaces for its imported callsockets. So for each binding Childics → Parentsocket in the exports list, the outgoing call interface of the child is routed to the appropriate outgoing call interface of the statement. Notice that this call interface may belong to an acceptsocket, an imported callsocket, or a local callsocket of the parent process.

Finally, the control ports of the statement are provided by a create primitive process. This process provides an initial control port child.ctl̄ for the child process and an outgoing control port parent.ctl̄ for the parent. Events on parent.ctl̄ are identical to those on the incoming control port, except that the values for Parentlcs in the imports list are changed, and the unique id of the next child is incremented. Events on child.ctl̄ are computed from those on the incoming control port by using cid as the value of the child's pid, cid.1 as the value of cid, null as the value of all local variables, pid as the value of all callsockets of the child bound to acceptsockets of the parent, and for any callsocket of the child bound to a callsocket of the parent, its value is that of the latter.

[Figure 6 not reproduced: the outermost Statement with its lcs interfaces wired into a process]

Figure 6. Constructing a process from a statement

[Figure 7 not reproduced: a Create primitive feeding the child Process]

Figure 7. The instantiate statement

5. Conclusions

We have defined a simple semantics for processes. This consists of a set of global axioms that processes must satisfy, compositional rules for combining processes, and a proof system for specifying and verifying processes. The global axioms are preserved by the compositional rules. Hence if all the primitive processes of a system or language are non-pathological, then any process formed from them is also non-pathological. We use our theory to describe formally the semantics of a concurrent language.

The trace models of Hoare and Pratt [6, 14] are closely related to ours. Hoare's model assumes synchronous message passing and linearly-ordered time, while Pratt's model assumes asynchronous message passing and partially-ordered time. Unlike our approach, they use only finite traces, hence liveness properties cannot be expressed in their models. Because their main emphasis is on the algebraic properties of their models, they have many more operators and compositional rules in their models than we do. However, our model does not seem to be less expressive than theirs, since we can express a wide variety of programming constructs. The problem of global axioms is not addressed in their works. They do not provide relatively complete proof systems on their models, either. Since their models have such powerful algebraic operators, we suspect that this may be difficult to achieve. For instance, by allowing event variables as in Pratt's approach, or trace variables as in Hoare's approach, they cannot make use of the simple network formation rule that we have (in section 3.3).

An interesting result whose proof is beyond the scope of this paper is that in our semantic model, whenever two processes P and P' satisfying global axioms S1 - S8 have different input-output semantics, there exists a test process T satisfying axioms S1 - S8 that can distinguish them. A test process for P is one whose signature is complementary to that of P, except for an extra output port on which only the single event 0, 1, or no event may occur.⁵ This result suggests that our model is not excessively expressive. It will be given in a forthcoming paper.

There are a number of open issues raised by our approach. To apply our semantics to programming languages that allow more dynamic behavior than the language PL in section 4, such as NIL [15], we would have to be able to model the passing of ports as data in messages and the instantiation of dynamically created processes (rather than process constants). It remains to be seen whether this can be achieved simply by defining new primitive processes or whether our semantics needs to be extended.

Acknowledgement

We would like to thank David Gries for useful comments on an earlier draft of the paper.

5 A similar notion of test process is used in [5].

References

1. Apt, K.R., Francez, N., and De Roever, W.P. A proof system for communicating sequential processes. ACM TOPLAS, 2(3), 1980.

2. Bloom, B., Istrail, S., and Meyer, A.R. Bisimulation can't be traced: preliminary report. Fifteenth Annual ACM Symposium on Principles of Programming Languages, pages 229-239, January 1988.

3. Brock, J.D. and Ackerman, W.B. Scenarios: a model of non-determinate computation. International Colloquium on Formalization of Programming Concepts, 1981.

5. DeNicola, R. and Hennessy, M.C. Testing equivalences for processes. Theoretical Computer Science, (38):83-133, 1984.

6. Hoare, C.A.R. Communicating Sequential Processes. Prentice-Hall, 1985.

7. Hoare, C.A.R. and Zhou, C.C. Partial correctness of communicating sequential processes. International Conference on Distributed Computing, 1981.

8. Keller, R.M. and Panangaden, P. Semantics of networks containing indeterminate operators. LNCS 197, 1985.

9. Levin, G.M. and Gries, D. A proof technique for communicating sequential processes. Acta Informatica, (15), 1981.

10. Misra, J. and Chandy, K.M. Proofs of networks of processes. IEEE Transactions on Software Engineering, SE-7(4), 1981.

11. Nguyen, V., Demers, A., Gries, D., and Owicki, S. A model and temporal proof system for networks of processes. Distributed Computing, 1(1), 1986.

12. Nguyen, V. and Strom, R. Process semantics: global axioms, compositional rules, and applications. IBM T.J. Watson Research Center, RC 13723, 1988.

13. Pratt, V. On the composition of processes. Ninth ACM Symposium on Principles of Programming Languages, 1982.

14. Pratt, V. Modeling concurrency with partial orders. International Journal of Parallel Programming, 1986.

15. Strom, R.E. and Yemini, S.A. NIL: An integrated language and system for distributed programming. SIGPLAN '83 Symposium on Programming Language Issues in Software Systems, June 1983.

16. United States Department of Defense. Reference manual for the Ada programming language, number ANSI/MIL-STD-1815-1983, February 1983.