A formalism to describe concurrent non-deterministic systems and an application of it by analysing systems for danger of deadlock

Academic year: 2021


A formalism to describe concurrent non-deterministic systems and an application of it by analysing systems for danger of deadlock

Citation for published version (APA):

Huis in 't Veld, R. J. (1988). A formalism to describe concurrent non-deterministic systems and an application of it by analysing systems for danger of deadlock. (EUT report. E, Fac. of Electrical Engineering; Vol. 88-E-200). Technische Universiteit Eindhoven.

Document status and date: Published: 01/01/1988

Document Version:

Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)


A Formalism to Describe Concurrent Non-Deterministic Systems and an Application of it by Analysing Systems for Danger of Deadlock

by

R.J. Huis in 't Veld

EUT Report 88-E-200 ISBN 90-6144-200-1 August 1988

ISSN 0167-9708

Faculty of Electrical Engineering, Eindhoven, The Netherlands

Coden: TEUEDE

A formalism to describe concurrent non-deterministic systems and an application of it by analysing systems for danger of deadlock / by R.J. Huis in 't Veld. - Eindhoven: University of Technology, Faculty of Electrical Engineering. - Fig. - (EUT report, ISSN 0167-9708, 88-E-200)

With bibliography and index. ISBN 90-6144-200-1

SISO 520.6 UDC 510.5 NUGI 811

A FORMALISM TO DESCRIBE CONCURRENT NON-DETERMINISTIC SYSTEMS AND AN APPLICATION OF IT BY ANALYSING SYSTEMS FOR DANGER OF DEADLOCK

R.J. Huis in 't Veld

Faculty of Electrical Engineering, Digital Systems Group (EB), Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands

Abstract:

A formalism is introduced to describe the behaviour of systems built out of concurrently running mechanisms. The central notion in this formalism is called process. It is used to specify the behaviour of these systems. Furthermore, criteria to differentiate between specifications are discussed. Each of these criteria will be formalized by an equivalence relation on processes. Finally, the formalism is used to analyse the behaviour of systems for deadlock-like properties. Several concepts describing these properties are introduced. It appears that a system may show one of these properties, while its components do not. For this purpose, theorems are derived. They state the conditions under which larger systems may be built out of smaller ones, without introducing deadlock-like properties.

Preface 1

1. The Formalism
1.0 Introduction 3
1.1 Process 3
1.2 Concurrency 8
1.3 Equivalence relations on processes 10
1.4 Properties of Bisimulation Equivalence 19

2. Deadlock
2.0 Introduction 23
2.1 Locked and Lockfree 25
2.2 Construction of lockfree systems 29
2.3 A substitution property 32
2.4 Deadlockfree 37

3. Other Concepts
3.0 Introduction 39
3.1 Disablefree 39
3.2 Ignorefree 40

4. Conclusions 42

5. References 43

CCS (a Calculus of Communicating Systems) [6], CSP (Communicating Sequential Processes) [3] and Trace Theory [5] have been evolved to formalize the reasoning about systems built out of concurrently running mechanisms. Each of these formalisms shows how abstract specifications of the behaviour of a system and its components may be given. Then, properties of a system may be expressed by predicates over these specifications.

In this report, we combine the major features of CCS and Trace Theory into a new formalism. The central notion in this formalism is called process. It is used to specify the behaviour of systems built out of concurrently running mechanisms. Also, criteria to differentiate between the behaviour of these systems are discussed. Each of these criteria is formalized by an equivalence relation on processes. Furthermore, we apply the formalism to analyse systems for danger of deadlock. A concept in terms of our formalism is presented that corresponds to our intuitive meaning of deadlock. It appears that a system may have danger of deadlock while its components do not. For this purpose, a theorem is derived. It states the conditions under which larger deadlockfree systems may be built out of smaller ones. Finally, we treat other properties of systems that are related to deadlock.

We conclude this preface with some notational conventions used throughout this report. Slightly unconventional notations are used for variable binding constructs. Universal quantification is denoted by (A l: d: E) where A is the quantifier, l is a list of bound variables, d delineates the range of each of these variables, and E is the quantified expression. Similarly, (E l: d: E) denotes existential quantification. Furthermore, we use in the same way the quantifiers ∪ and ∩ to denote continued union and continued intersection respectively.

Given two sets X and Z. The proof that X is a subset of Z (X ⊆ Z) may run like: X ⊆ Y and Y ⊆ Z for some set Y. Henceforth, we record such proofs as follows:

X
⊆ { hint why X ⊆ Y }
Y
⊆ { hint why Y ⊆ Z }
Z

1.0 Introduction

The behaviour of a system built out of concurrently running mechanisms may show some unwanted aspects. To determine whether these aspects are present in the behaviour of a system, a formalism is used that is based upon CCS and Trace Theory. In this chapter the formalism is presented.

We start by introducing the notion process. At first, a process is used to describe the behaviour of a mechanism. Later on, this is generalized to describe the behaviour of a system built out of concurrently running mechanisms. Then, we continue by discussing criteria to differentiate between the behaviour of systems. Each of these criteria is formalized by an equivalence relation on the universe of processes. Finally, some properties are derived for the strongest of these relations.

1.1 Process

We postulate two disjoint infinite sets Id and Λ. The elements of Id are called behaviour-names. Elements and subsets of Λ are called action-symbols and alphabets respectively.

Let A be a set. The set of all finite-length sequences of elements of A is denoted by A*. The empty sequence is denoted by ε. Elements of Λ* are called traces.

Small and large letters near the beginning of the Latin alphabet are used to denote action-symbols and alphabets respectively, and small and large letters near the end of the Latin alphabet are used to denote traces and behaviour-names respectively.

Furthermore, we denote by Exp the set of expressions defined by the following syntax in Backus-Naur Form:

E ::= a:E | E + E | X | NIL

where a and X range over Λ and Id respectively. NIL is a special symbol that is not an element of Λ or Id. Additionally, we assume that for expressions Ei, i ≥ 0, the infinite sequence E0 + E1 + E2 + ... (abbreviated by (+i: i ≥ 0: Ei)) is also an expression.

A transition-function is a partial function from Id to Exp. Frequently, we write a transition-function γ as a set of pairs {(X,γ(X)) | X ∈ dom(γ)}. For transition-functions γ0 and γ1 with disjoint domains, we denote by γ0 ∪ γ1 the transition-function that corresponds to the union of the sets of pairs associated with γ0 and γ1.

We now have a sufficient base to introduce the notion process. Assume E to be an expression, A to be an alphabet and γ to be a transition-function. We call the triple <E,A,γ> a process if and only if the elements of A are the only action-symbols that occur in E and in the expressions in the range of γ. To refer more easily to the three components that make up a process P, P = <E,A,γ>, we denote by ρP the expression E, by αP the alphabet A and by πP the transition-function γ.

We attach an operational semantics to processes, by defining for each action-symbol a the binary relation −a→ on the universe 𝒫 of processes.

Definition 1.1.0

For each action-symbol a, we denote by −a→ the smallest binary relation on 𝒫 satisfying:

i) <a:E,A,γ> −a→ <E,A,γ>

ii) if <E0,A,γ> −a→ <E,A,γ> or <E1,A,γ> −a→ <E,A,γ> then <E0 + E1,A,γ> −a→ <E,A,γ>

iii) if <γ(X),A,γ> −a→ <E,A,γ> then <X,A,γ> −a→ <E,A,γ>

where E, E0 and E1 are expressions, A is an alphabet, X is a behaviour-name, and γ is a transition-function.

(End of Definition)

We continue by extending the binary relations on the universe of processes from action-symbols to traces.

Definition 1.1.1

For a trace t, we recursively define the binary relation −t→ on 𝒫 as follows

i) P −ε→ P

ii) For trace s and action-symbol a: P0 −sa→ P2 ≡ (E P1: P1 ∈ 𝒫: P0 −s→ P1 ∧ P1 −a→ P2)

(End of Definition)

The operational semantics we have attached to a process P may be expressed graphically. The binary relations −a→, a ∈ αP, and the set Q, Q = {P' | (E s: s ∈ αP*: P −s→ P')}, specify a rooted, directed, connected graph. This graph is called the state graph of P, and it is defined by:

There exists a one to one correspondence between the vertices of the graph and the processes in Q. The root of the graph corresponds to P.

The arcs of the graph are labelled by action-symbols. There exists an arc labelled by action-symbol a from the vertex associated with process P0 to the vertex associated with process P1 if and only if P0 −a→ P1.

When drawing the state graph of a process, the root is denoted by o. Furthermore, we sometimes label some of the vertices of the graph by their corresponding processes.

Example 1.1.2

Let γ be the transition-function {(W,a:X), (X,c:Y + d:Z), (Y,b:W), (Z,NIL)}. Furthermore, let P be the process <W,{a,b,c,d},γ>. The state graph of P is presented in Figure 1.1.0, where the processes P0, P1 and P2 are defined by:

P0 = <X,{a,b,c,d},γ>
P1 = <Y,{a,b,c,d},γ>
P2 = <Z,{a,b,c,d},γ>

Figure 1.1.0: The state graph of process P.

(End of Example)

from the vertices of G0 to the vertices of G1 such that: The root of G0 is mapped into the root of G1. The labelled arcs that are drawn between any two vertices V0 and V1 in G0 are the same labelled arcs that are drawn between the vertices f(V0) and f(V1) in G1.

Notice that two processes have the same operational semantics if their state graphs are isomorphic.

A process P may be used to describe the behaviour of a mechanism as follows: The vertices of the state graph of P correspond to the states the mechanism may be in. The action-symbols in αP correspond to actions the mechanism may perform. We assume that these actions have no duration and that they do not overlap. Initially the mechanism is in the state that corresponds to P. Let A be a state in the state graph of P, and let the mechanism be in this state. Then, the mechanism can only perform next one of the actions associated with the labels of the outgoing arcs of A. Assume A has an outgoing arc that is labelled by action-symbol a. After performing the action associated with a, the mechanism will be in a new (perhaps the same) state. This is one of the states to which A has an outgoing arc that is labelled by a.

Let G be a rooted, directed, connected graph in which the arcs are labelled by action-symbols. A process with G as state graph is easily constructed. Define an injective function f from the vertices of G to Id. Assume that the root of G is mapped into Z. A process P0 has G as state graph if it satisfies:

ρP0 = Z

αP0 contains at least the action-symbols that label the arcs in G.

dom(πP0) = rng(f)

For each X, X ∈ rng(f), πP0(X) denotes an expression that is obtained by placing the + operator between each two successive elements of a sequence of all the elements of the set {a:Y | a ∈ Λ ∧ Y ∈ rng(f) ∧ there is an arc labelled a from f⁻¹(X) to f⁻¹(Y)}. If this set is empty, πP0(X) is NIL.

Let P be a process. If P can be obtained by applying the above construction method to its state graph, P is said to be in normal form.

We call two processes P0 and P1 identical, denoted by P0 = P1, if they have the same alphabets and the same operational semantics. Since the operational semantics of a process is fully captured by the process's state graph, two processes are identical if they have the same alphabets and isomorphic state graphs. Clearly, for each process in 𝒫 there exists a process in normal form that is identical to it. So, without loss of generality, we confine ourselves in the sequel to processes in normal form. Therefore, we postulate a largest possible set 𝒬 of processes in normal form. Each two different elements in 𝒬 have disjoint behaviour-names and they are not identical. Henceforth, we assume that a process either is an element of 𝒬 or denotes its identical element in 𝒬. Moreover, sets of processes are subsets of 𝒬.

A consequence of restricting ourselves to processes in 𝒬 is that the state graph of a process does not contain two or more vertices with which identical processes are associated.

Each element of Exp is built out of action-symbols, behaviour-names and NIL that are glued together by the operators : and +. In Definition 1.1.0 we have given the semantics of these operators. Similar operators may be introduced on processes.

Definition 1.1.3

(0) For each process P, P = <E,A,γ>, and for each action-symbol a, we denote by a:P the process in 𝒬 that is identical to <a:E,A ∪ {a},γ>.

(1) Let P0 and P1 be processes such that P0 = <E0,A,γ0>, P1 = <E1,A,γ1> and the behaviour-names occurring in P0 and P1 are disjoint. We denote by P0 + P1 the process in 𝒬 that is identical to <E0 + E1,A,γ0 ∪ γ1>.

(End of Definition)

Let P0 and P1 be processes, and let a be an action-symbol. With a:P0 a mechanism may be associated that initially performs the action that corresponds to a, and whose successive behaviour is specified by P0. With P0 + P1 a mechanism may be associated that has an initial choice: Either to behave as specified by P0 or to behave as specified by P1.

Property 1.1.4

Let P0 and P1 be processes with the same alphabets. Furthermore, we denote for each alphabet A by NULL_A the process in 𝒬 that is identical to <NIL,A,∅>. Then,

(0) P0 + P1 = P1 + P0

(1) P0 + NULL_{αP0} = P0

(End of Property)

1.2 Concurrency

Consider two mechanisms. One of these mechanisms, called the sender, repeatedly receives via a channel c0 a message from its environment and then puts it on channel c1. The other mechanism, called the receiver, repeatedly receives a message put on channel c1 and sends it to its environment by placing it on channel c2. The precise behaviour of the sender and the receiver is specified by the processes S and R respectively.

S = <S0,{c0,c1},{(S0,c0:S1), (S1,c1:S0)}>

R = <R0,{c1,c2},{(R0,c1:R1 + c1:R2), (R1,c2:R0), (R2,c2:R3), (R3,NIL)}>

In S and R we have used the names of the channels as action-symbols. They denote the actions of the sender and the receiver regarding these channels.

In order to state anything about the behaviour of the Sender-Receiver System, we consider a system built out of concurrently running mechanisms to be a mechanism as well. Consequently, the behaviour of a system has to be specified by a process. Since such a process is related to the processes describing the behaviour of the system's components, it is derived from these processes.

We introduce on the universe of processes a new infix operator |, called the composition operator. The semantics of this operator is presented in the following definition.

Definition 1.2.0 (composition)

For each a, a ∈ Λ, we denote by −a→ the smallest binary relation on {P|Q | P ∈ 𝒬 ∧ Q ∈ 𝒬} satisfying:

i) if <E0,A0,γ0> −a→ <E,A0,γ0> and a ∉ A1 then <E0,A0,γ0>|<E1,A1,γ1> −a→ <E,A0,γ0>|<E1,A1,γ1>

ii) if <E1,A1,γ1> −a→ <E,A1,γ1> and a ∉ A0 then <E0,A0,γ0>|<E1,A1,γ1> −a→ <E0,A0,γ0>|<E,A1,γ1>

iii) if P0 −a→ P0' and P1 −a→ P1' then P0|P1 −a→ P0'|P1'

where E, E0 and E1 are expressions, A0 and A1 are alphabets, and γ0 and γ1 are transition-functions.

(End of Definition)

Similar to Definition 1.1.1, we extend the above defined relations from action-symbols to traces.

Let P and Q be processes. As we have seen for processes, the relations −a→, a ∈ Λ, on the set {P0|Q0 | P0 ∈ 𝒬 ∧ Q0 ∈ 𝒬 ∧ (E s: s ∈ Λ*: P|Q −s→ P0|Q0)} specify a graph G with P|Q as root. In the sequel, we denote by P|Q the process in 𝒬 that has G as state graph and αP ∪ αQ as alphabet.

Applying the above to our Sender-Receiver System, S|R denotes the process:

<Z,{c0,c1,c2},{(Z,c0:Q0), (Q0,c1:Q1 + c1:Q2), (Q1,c0:Q3 + c2:Z), (Q2,c0:Q4 + c2:Q5), (Q3,c2:Q0), (Q4,c2:Q6), (Q5,c0:Q6), (Q6,NIL)}>

Notice that S|R does not completely specify the behaviour of the Sender-Receiver System. For instance, according to S|R there is no time lapse between the moment the sender puts a message on c1 and the moment the receiver removes it from c1. In real practice, this transfer of messages cannot be instantaneous. If the system is in the state associated with Q1, it may either perform c0 or c2. These actions will be performed by different components of the system, and they involve interaction with the system's environment. If the environment has no objections, they may be performed simultaneously. Although we are aware of these kinds of limitations, we take them for granted in this report.
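The following Python program is an added illustration, not code from the report, of Definitions 1.1.0, 1.1.1 and 1.2.0. It encodes expressions of Exp as tuples, computes the outgoing arcs of a state graph by the three rules of Definition 1.1.0, and builds the state graph of P0|P1 by the three rules of Definition 1.2.0, using the sender S and receiver R of this section as input. The tuple encoding, the function names and the guard against a behaviour-name defined directly in terms of itself are assumptions of this example. The graph produced has one vertex per reachable expression (or pair of expressions) and does not merge identical processes, so it is the state graph before the normal-form quotient of Section 1.1.

```python
"""Processes <E, A, gamma> and their state graphs (Definitions 1.1.0 and 1.1.1)
together with the composition operator of Definition 1.2.0, applied to the
report's Sender-Receiver system.  Added illustration, not the report's code."""
from itertools import product

# Expressions of Exp as tuples: ("act", a, E) for a:E, ("sum", E0, E1) for
# E0 + E1, ("name", X) for a behaviour-name X, and NIL.
NIL = ("NIL",)


def act(a, e):
    return ("act", a, e)


def name(x):
    return ("name", x)


def plus(*es):
    """E0 + E1 + ... as a right-nested sum (the report's (+i: i >= 0: Ei))."""
    e = es[-1]
    for prev in reversed(es[:-1]):
        e = ("sum", prev, e)
    return e


def steps(expr, gamma, unfolding=frozenset()):
    """All (a, E') with <expr,A,gamma> -a-> <E',A,gamma>, Definition 1.1.0.
    `unfolding` (an assumption of this example) stops an unguarded name such
    as gamma(X) = X + a:NIL from being unfolded forever."""
    kind = expr[0]
    if kind == "NIL":
        return set()
    if kind == "act":                      # rule i)
        return {(expr[1], expr[2])}
    if kind == "sum":                      # rule ii)
        return steps(expr[1], gamma, unfolding) | steps(expr[2], gamma, unfolding)
    x = expr[1]                            # rule iii): unfold gamma(X)
    if x in unfolding:
        return set()
    return steps(gamma[x], gamma, unfolding | {x})


def explore(root, successors):
    """Rooted graph reachable from `root`: {vertex: {(label, vertex), ...}}."""
    graph, todo = {}, [root]
    while todo:
        v = todo.pop()
        if v in graph:
            continue
        graph[v] = successors(v)
        todo.extend(w for _, w in graph[v] if w not in graph)
    return graph


def state_graph(proc):
    """State graph of a process, one vertex per reachable expression."""
    expr, _, gamma = proc
    return explore(expr, lambda e: steps(e, gamma))


def compose(p0, p1):
    """State graph of P0 | P1 (Definition 1.2.0): an action outside the other
    alphabet is performed by one component alone, a shared action by both."""
    e0, a0, g0 = p0
    e1, a1, g1 = p1

    def successors(pair):
        x, y = pair
        s0, s1 = steps(x, g0), steps(y, g1)
        out = {(a, (x2, y)) for a, x2 in s0 if a not in a1}       # rule i)
        out |= {(a, (x, y2)) for a, y2 in s1 if a not in a0}      # rule ii)
        out |= {(a, (x2, y2)) for (a, x2), (b, y2) in product(s0, s1) if a == b}  # rule iii)
        return out

    return explore((e0, e1), successors)


def terminal_states(graph):
    """Vertices without outgoing arcs: no component can perform any action."""
    return {v for v, arcs in graph.items() if not arcs}


# Sender S and receiver R as specified in Section 1.2.
S = (name("S0"), {"c0", "c1"},
     {"S0": act("c0", name("S1")), "S1": act("c1", name("S0"))})
R = (name("R0"), {"c1", "c2"},
     {"R0": plus(act("c1", name("R1")), act("c1", name("R2"))),
      "R1": act("c2", name("R0")), "R2": act("c2", name("R3")), "R3": NIL})

if __name__ == "__main__":
    sr = compose(S, R)
    print(len(sr), "states in S|R; terminal states:", terminal_states(sr))
```

Running the module composes S and R and reports the 8 states of S|R (Z and Q0 to Q6 above) and its single terminal state, the pair (S1,R3), which corresponds to Q6: the sender is ready to put a message on c1, but the receiver, having entered R3, will never accept it, so the system as a whole can take no further step although S on its own never stops.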

Property 1.2.1

(0) P0|P1 = P1|P0 (commutative)

(1) P0|(P1|P2) = (P0|P1)|P2 (associative)

(End of Property)

The composition operator is not idempotent. For instance, take process P, P = <X,{a,b,c},{(X,a:X0 + a:X2), (X0,b:X1), (X1,NIL), (X2,c:X1)}>. P|P is the process <Z,{a,b,c},{(Z,a:Z0 + a:Z1 + a:Z2), (Z0,b:Z1), (Z1,NIL), (Z2,c:Z1)}>. Obviously, the state graphs of P and P|P are not isomorphic.

Since the composition operator is commutative and associative, composition may be extended to sets of processes. Let X be a set of processes. We denote by C(X) the process obtained by composing the elements in X. By definition, C(∅) denotes the process NULL_∅. In this report, we implicitly assume that composition is only applied on sets of processes that do not contain two or more processes with the same alphabets. Consequently, the next property is only defined for those sets X and Y of processes such that X, Y and X ∪ Y satisfy this condition.

Property 1.2.2

Let X and Y be sets of processes such that X ∩ Y = ∅. Then C(X)|C(Y) = C(X ∪ Y).

(End of Property)

1.3 Equivalence relations on processes

Consider a system S specified by a process P. This system may be embedded in a system T. S may perform two types of actions regarding T. First, the actions by which S and T interact. These actions are called the observable actions of S regarding T. Second, all the other actions S may perform. These are the actions by which the components of S interact with one another, and the actions by which S interacts with the environment of the system composed of S and T. They are called the unobservable actions of S regarding T.

By interacting with S, T only experiences a part of the behaviour of S, namely the observable actions of S regarding T. This experienced behaviour can be described by process P. But P specifies in detail the unobservable actions of S regarding T. Clearly, the nature of these unobservable actions is not important for the specification of the behaviour of S as it is experienced by T. Only their occurrences matter. So, instead of P, we may use the process P' in which all action-symbols that denote the unobservable actions are replaced by the same, fresh action-symbol.

The above shows how to abstract from details in a process. We formalize it by introducing the operation hiding on processes. Therefore, Λ is extended by a special action-symbol τ, τ ∉ Λ. The set Λ ∪ {τ} is denoted by Λ_τ. In the sequel, traces are elements of Λ_τ* and alphabets are subsets of Λ_τ. Moreover, the notion of process is modified a little. All we have stated about action-symbols holds also for τ, except that a τ may never occur in the alphabet of a process. The universe of processes 𝒬 is extended by a maximal set of processes in normal form such that τ occurs at least once in each of these processes. Furthermore, each two different processes in this set are not identical and have disjoint behaviour-names. The extended universe of processes is denoted by 𝒬_τ.

Definition 1.3.0 (hiding)

Let P be a process, and let A be an alphabet. We denote by P↾A the process in 𝒬_τ that is identical to <ρP, αP ∩ A, π>, where π is the transition-function obtained from πP by replacing in each expression in the range of πP each occurrence of an action-symbol in αP\A by a τ.

(End of Definition)

Informally, we may associate with a process in which T-symbols occur a mechanism that is capable of performing some unspecified actions.

To facilitate our discussion of processes, we no longer distinguish between processes and the mechanisms they specify.

The above suggests a criterion to differentiate between two systems T and U. T and U are the same regarding a set A of actions if and only if each system that only interacts by the actions in A with T and U respectively experiences no difference between them. In the sequel, this criterion is formalized by an equivalence relation on processes. The relation is called bisimulation equivalence. Preceding its definition, other equivalence relations on processes are given that at first sight seem to capture our criterion. In order to do this, the concepts projection and successor-set are introduced first.

The notion of hiding is extended to traces.

Definition 1.3.1 (projection)

For trace t and alphabet A, we recursively define the projection of t on A, denoted by t↾A, by:

ε↾A = ε

(sa)↾A = s↾A for trace s and action-symbol a such that a ∉ A.

(sa)↾A = (s↾A)a for trace s and action-symbol a such that a ∈ A.

(End of Definition)

Informally, the projection of trace t on alphabet A denotes the trace t in which all occurrences of action-symbols not in A are removed.

Definition 1.3.2 (successor-set)

For a process P, the successor-set of P, denoted by Succ(P), is the set of action-symbols

{a | a ∈ αP ∧ (E P': P' ∈ 𝒬_τ: (E t: t ∈ (αP ∪ {τ})* ∧ t↾αP = a: P −t→ P'))}

(End of Definition)

Informally, for a process P we denote by Succ(P) the maximal subset of non-τ actions that the process may perform next.

Let P and P' be processes, and let s be a trace in αP*. In the sequel we abbreviate (E t: t ∈ (αP ∪ {τ})* ∧ t↾αP = s: P −t→ P') by P =s⇒ P'.

We continue with an enumeration of a number of equivalence relations on processes. These relations are only defined between processes with the same alphabets.

Throughout the remainder of this section we assume P0 and P1 to be processes with the same alphabets. Moreover, all non-τ actions are considered to be observable actions.

Intuitively, a first approach to distinguish between processes is to look at finite-length sequences of actions. Each of these sequences specifies the actions that a process may consecutively engage itself in from the moment it starts operating. Then, two processes may be called equivalent if they have the same set of finite-length sequences of actions. This equivalence relation is known as trace equivalence, and it is formalized in the following definition.

Definition 1.3.3 (trace equivalence)

P0 and P1 are called trace-equivalent, denoted by P0 ~_t P1, if and only if the following holds

(A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': true))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: true))

(End of Definition)

Consider the state graphs of the processes P0 and P1 (Figure 1.3.0).

Figure 1.3.0: The state graphs of processes P0 and P1.

Contrary to process P1, process P0 may never be able to perform action b after having performed action a. Easily, a system can be found that distinguishes between these trace equivalent processes. This suggests the following equivalence relation.

Definition 1.3.4 (failure equivalence)

P0 and P1 are called failure equivalent, denoted by P0 ~_f P1, if and only if the following predicate holds:

(A P,s,X: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P ∧ X ⊆ A ∧ X ∩ Succ(P) = ∅: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': X ∩ Succ(P') = ∅))
∧ (A P',s,X: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P' ∧ X ⊆ A ∧ X ∩ Succ(P') = ∅: (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: X ∩ Succ(P) = ∅))

(End of Definition)

Figure 1.3.1 shows the state graphs of processes P0 and P1.

Figure 1.3.1: The state graphs of processes P0 and P1.

These processes are failure equivalent. After they both perform action a, P0 may still choose between b and c. P1, however, has no choice. A system that can monitor all the observable actions a process may perform next distinguishes between these processes. This observation yields the following equivalence relation.

Definition 1.3.5 (successor equivalence)

P0 and P1 are successor equivalent, denoted by P0 ~_s P1, if and only if the following holds:

(A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': Succ(P) = Succ(P')))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: Succ(P) = Succ(P')))

(End of Definition)

Consider the state graphs of the processes P0 and P1 (Figure 1.3.2).

Figure 1.3.2: The state graphs of processes P0 and P1.

In spite of P0 ~_s P1, we can think of a reason to differentiate between these processes. Suppose we have a system that interacts via the actions a, b, c, d and e with either process in the following way: The interactions have no duration and they do not overlap. Moreover, an interaction takes place if both the process and the system agree on it. First, the system interacts with a process by action a. If the process is then capable of interacting by action b as well as by action c, the system wishes to interact by the actions b and e successively. Otherwise, the system wishes to interact by the actions b and d successively.

If the system interacts with P0, it will encounter no problems. Yet by interacting with P1 a problem may arise. Suppose the system wishes to interact by a, b and e successively. The last interaction will never take place, since P1 only wishes to interact by d. The above suggests the following equivalence relation.

Definition 1.3.6 (k-equivalence & ∞-equivalence)

For k, k ≥ 0, we recursively define P0 ~_k P1 (pronounce: P0 and P1 are k-equivalent) by:

P0 ~_0 P1 always holds

For n, n ≥ 1, P0 ~_n P1 ≡
(A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': P ~_{n-1} P'))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: P ~_{n-1} P'))

P0 and P1 are called ∞-equivalent, denoted by P0 ~_∞ P1, if and only if for all k, k ≥ 0, P0 ~_k P1.

(End of Definition)

The following property shows the relations between the various equivalence relations introduced so far.

Property 1.3.7

(0) P0 ~_f P1 ⇒ P0 ~_t P1

(1) P0 ~_s P1 ⇒ P0 ~_f P1

(2) P0 ~_2 P1 ⇒ P0 ~_s P1

(3) P0 ~_k P1 ≡ (A i: 0 ≤ i ≤ k: P0 ~_i P1), for k ≥ 0.

Proof

The proof of (0) through (2) follows immediately from the definitions. We only show, by induction on k, that (3) holds.

Base: For k = 0 and k = 1 the proof is trivial.

Step: For k = n + 1, n ≥ 1, we have:

P0 ~_{n+1} P1
= { Definition ~_k }
(A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': P ~_n P'))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: P ~_n P'))
= { induction hypothesis }
P0 ~_{n+1} P1
∧ (A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': P ~_{n-1} P'))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: P ~_{n-1} P'))
= { Definition ~_k }
P0 ~_{n+1} P1 ∧ P0 ~_n P1
= { induction hypothesis }
P0 ~_{n+1} P1 ∧ (A i: 0 ≤ i ≤ n: P0 ~_i P1)
= { predicate calculus }
(A i: 0 ≤ i ≤ n + 1: P0 ~_i P1)

(End of Proof and Property)

Notice that each example preceding the definition of an equivalence relation ensures that the implications in (0) through (3) may not be replaced by equalities.

Referring to the constructive way in which i-equivalence is defined, it may be asked whether there exists a simpler, recursively defined equivalence relation with almost the same power of expression. Indeed, such a relation, called bisimulation equivalence, exists.

Definition 1.3.8 (bisimulation)

A subset R of 𝒬_τ × 𝒬_τ is called a bisimulation if and only if for each pair (P0,P1) in R the following holds:

(A P,s: P ∈ 𝒬_τ ∧ s ∈ αP0* ∧ P0 =s⇒ P: (E P': P' ∈ 𝒬_τ ∧ P1 =s⇒ P': (P,P') ∈ R))
∧ (A P',s: P' ∈ 𝒬_τ ∧ s ∈ αP1* ∧ P1 =s⇒ P': (E P: P ∈ 𝒬_τ ∧ P0 =s⇒ P: (P,P') ∈ R))

(End of Definition)

Definition 1.3.9 (bisimulation equivalence)

P0 and P1 are bisimulation equivalent, denoted by P0 ~_b P1, if and only if there exists a bisimulation R such that (P0,P1) ∈ R.

(End of Definition)
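The following Python program is an added illustration, not code from the report, of hiding (Definition 1.3.0), successor-sets (Definition 1.3.2), trace, failure and successor equivalence (Definitions 1.3.3 to 1.3.5) and bisimulation equivalence (Definitions 1.3.8 and 1.3.9). A process is given directly as its state graph with τ for the hidden action-symbol, so the expression machinery of Section 1.1 is not needed; the relation P =s⇒ P' is computed by closing over τ-steps. The three pairs of graphs are constructed from the descriptions of Figures 1.3.0, 1.3.1 and 1.3.2 in the text (the drawings themselves are not reproduced), so their exact shape is an assumption, as are the function names and the bounded-depth comparison of traces, which is exact for these acyclic graphs.

```python
"""Observable behaviour of processes with hidden actions (Section 1.3):
successor-sets, trace, failure, successor and bisimulation equivalence.
A process is its state graph {state: [(action, state), ...]} plus a root;
TAU is the unobservable action-symbol.  Added illustration, not the report's."""
from itertools import product

TAU = "tau"


def hide(graph, alphabet):
    """Definition 1.3.0: every action-symbol outside `alphabet` becomes a tau."""
    return {s: [(a if a in alphabet else TAU, t) for a, t in arcs]
            for s, arcs in graph.items()}


def tau_closure(graph, states):
    """All states reachable from `states` by tau-steps only (P =epsilon=> P')."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for a, t in graph[s]:
            if a == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def weak_step(graph, states, a):
    """States P' with P =a=> P' for some P in `states`: tau* a tau*."""
    after = {t for s in tau_closure(graph, states) for b, t in graph[s] if b == a}
    return tau_closure(graph, after)


def succ(graph, state):
    """Succ(P) of Definition 1.3.2: the non-tau actions P may perform next."""
    return frozenset(a for s in tau_closure(graph, {state})
                     for a, _ in graph[s] if a != TAU)


def observations(graph, root, depth=6):
    """All pairs (s, Succ(P)) with root =s=> P and |s| <= depth."""
    obs, frontier = set(), {(): tau_closure(graph, {root})}
    for _ in range(depth + 1):
        nxt = {}
        for trace, states in frontier.items():
            obs |= {(trace, succ(graph, s)) for s in states}
            for a in set().union(*(succ(graph, s) for s in states)):
                nxt[trace + (a,)] = weak_step(graph, states, a)
        frontier = nxt
    return obs


def trace_equiv(g0, r0, g1, r1, depth=6):
    """Definition 1.3.3: the same traces (compared up to `depth`)."""
    return ({t for t, _ in observations(g0, r0, depth)}
            == {t for t, _ in observations(g1, r1, depth)})


def failure_equiv(g0, r0, g1, r1, depth=6):
    """Definition 1.3.4.  A set X is refused at P iff X and Succ(P) are
    disjoint, so each (s, Succ(P)) of one side must be dominated by some
    (s, Succ(P')) of the other with Succ(P') a subset of Succ(P)."""
    o0, o1 = observations(g0, r0, depth), observations(g1, r1, depth)

    def dominated(src, dst):
        return all(any(t2 == t and s2 <= s for t2, s2 in dst) for t, s in src)

    return dominated(o0, o1) and dominated(o1, o0)


def successor_equiv(g0, r0, g1, r1, depth=6):
    """Definition 1.3.5: equal successor-sets after every trace."""
    return observations(g0, r0, depth) == observations(g1, r1, depth)


def bisimilar(g0, r0, g1, r1):
    """Definition 1.3.9: the largest bisimulation on the disjoint union of the
    two graphs, as a greatest fixpoint over state pairs.  Matching on epsilon
    and on single observable actions suffices, since =s=> is composed of them."""
    g = {(0, s): [(a, (0, t)) for a, t in arcs] for s, arcs in g0.items()}
    g.update({(1, s): [(a, (1, t)) for a, t in arcs] for s, arcs in g1.items()})
    labels = {a for arcs in g.values() for a, _ in arcs if a != TAU} | {None}

    def moves(p, a):
        return tau_closure(g, {p}) if a is None else weak_step(g, {p}, a)

    def matched(p, q, rel):
        return all(any((p2, q2) in rel for q2 in moves(q, a))
                   for a in labels for p2 in moves(p, a))

    rel = set(product(g, g))
    while True:
        keep = {(p, q) for p, q in rel if matched(p, q, rel) and matched(q, p, rel)}
        if keep == rel:
            return ((0, r0), (1, r1)) in rel
        rel = keep


# Constructed state graphs following the text's descriptions of Figures
# 1.3.0, 1.3.1 and 1.3.2 (assumed shapes; the drawings are not in the text).
FIG0_P0 = {"r": [("a", "x"), ("a", "y")], "x": [("b", "z")], "y": [], "z": []}
FIG0_P1 = {"r": [("a", "x")], "x": [("b", "z")], "z": []}
FIG1_P0 = {"r": [("a", "x"), ("a", "y"), ("a", "z")], "x": [("b", "w")],
           "y": [("c", "w")], "z": [("b", "w"), ("c", "w")], "w": []}
FIG1_P1 = {"r": [("a", "x"), ("a", "y")], "x": [("b", "w")], "y": [("c", "w")], "w": []}
FIG2_P0 = {"r": [("a", "x"), ("a", "y")], "x": [("b", "u"), ("c", "w")],
           "y": [("b", "v")], "u": [("e", "w")], "v": [("d", "w")], "w": []}
FIG2_P1 = {"r": [("a", "x"), ("a", "y")], "x": [("b", "u"), ("c", "w")],
           "y": [("b", "v")], "u": [("d", "w")], "v": [("e", "w")], "w": []}

if __name__ == "__main__":
    print("Fig 1.3.0: trace", trace_equiv(FIG0_P0, "r", FIG0_P1, "r"),
          "failure", failure_equiv(FIG0_P0, "r", FIG0_P1, "r"))
    print("Fig 1.3.1: failure", failure_equiv(FIG1_P0, "r", FIG1_P1, "r"),
          "successor", successor_equiv(FIG1_P0, "r", FIG1_P1, "r"))
    print("Fig 1.3.2: successor", successor_equiv(FIG2_P0, "r", FIG2_P1, "r"),
          "bisimulation", bisimilar(FIG2_P0, "r", FIG2_P1, "r"))
```

Each pair separates one relation from the next, which is what the remark after Property 1.3.7 says the three figures do: the first pair is trace but not failure equivalent, the second failure but not successor equivalent, and the third successor but not bisimulation equivalent. Hiding a symbol turns its arcs into τ-arcs; the τ-closure in `succ` and `weak_step` is what makes a process with a leading τ-step indistinguishable, under every relation here, from the same process without it.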

Bisimulation equivalence is a stronger equivalence relation on processes than ∞-equivalence. Yet, a large class of processes exists for which they are the same. The following theorem clarifies this. Preceding it, we first have to introduce the notion non-divergent.

A process P is called non-divergent, denoted by non-divergent(P), if for each s ∈ αP* the set {P0 | P0 ∈ 𝒬_τ ∧ P =s⇒ P0} is finite.

Theorem 1.3.10

For all non-divergent processes P0 and P1 in 𝒬_τ, we have P0 ~_∞ P1 if and only if P0 ~_b P1.

(End of Theorem)

The proof of this theorem is based upon the validity of two lemmata.

Lemma 1.3.11

Let P and P' be non-divergent processes. Furthermore, let 𝒫0 and 𝒫1 denote the sets of processes:

𝒫0 = {P0 | P0 ∈ 𝒬_τ ∧ (E s: s ∈ αP*: P =s⇒ P0)}
𝒫1 = {P1 | P1 ∈ 𝒬_τ ∧ (E s: s ∈ αP'*: P' =s⇒ P1)}

Then, the set R, R = {(P0,P1) | (P0,P1) ∈ 𝒫0 × 𝒫1 ∧ P0 ~_∞ P1}, is a bisimulation.

Proof

We first observe that, since P and P' are non-divergent, the elements in 𝒫0 and 𝒫1 are also non-divergent.

The symmetry of the definition of bisimulation ensures that the following derivation is sufficient to prove the lemma.

(P0,P1) ∈ R
= { Definitions: R and ∞-equivalence }
P0 ∈ 𝒫0 ∧ P1 ∈ 𝒫1 ∧ (A k: k ≥ 0: P0 ~_k P1)
⇒ { predicate calculus, Definitions: ~_k, 𝒫0 and 𝒫1 }
(A k: k ≥ 1: (A P0',s: P0' ∈ 𝒫0 ∧ s ∈ αP0* ∧ P0 =s⇒ P0': (E P1': P1' ∈ 𝒫1 ∧ P1 =s⇒ P1': P0' ~_{k-1} P1')))
= { P1 is non-divergent, Property 1.3.7.3 }   (*)
(A P0',s: P0' ∈ 𝒫0 ∧ s ∈ αP0* ∧ P0 =s⇒ P0': (E P1': P1' ∈ 𝒫1 ∧ P1 =s⇒ P1': (A k: k ≥ 1: P0' ~_{k-1} P1')))
= { Definition R }
(A P0',s: P0' ∈ 𝒫0 ∧ s ∈ αP0* ∧ P0 =s⇒ P0': (E P1': P1' ∈ 𝒫1 ∧ P1 =s⇒ P1': (P0',P1') ∈ R))

Notice that the equality marked by (*) boils down to stating that the universal quantification may distribute over the existential quantification. This is allowed, since the dummy P1' in the existential quantification ranges over a finite set of processes (due to our assumption of non-divergence) and Property 1.3.7.3 holds.

(End of Proof and Lemma)

Lemma 1.3.12

Let $\beta$ be a bisimulation. Then, for each pair $(P_0,P_1)$ in $\beta$ we have $P_0 \equiv_l P_1$.

Proof

According to the Definition of k-equivalence, it is sufficient to demonstrate for each pair $(P_0,P_1)$ in $\beta$ that $(\forall k : k \geq 0 : P_0 \equiv_k P_1)$. We prove it by mathematical induction on k. Let $(P_0,P_1) \in \beta$.

Base: For k = 0 the proof is trivial, since each two processes are 0-equivalent.

Step: For k = n + 1, n ≥ 1, we have

$(P_0,P_1) \in \beta$
= { Definition bisimulation }
$(\forall P_0',s : P_0' \in Q_\tau \land s \in (\alpha P_0)^* \land P_0 \stackrel{s}{\Longrightarrow} P_0' : (\exists P_1' : P_1' \in Q_\tau \land P_1 \stackrel{s}{\Longrightarrow} P_1' : (P_0',P_1') \in \beta))$
$\land\ (\forall P_1',s : P_1' \in Q_\tau \land s \in (\alpha P_1)^* \land P_1 \stackrel{s}{\Longrightarrow} P_1' : (\exists P_0' : P_0' \in Q_\tau \land P_0 \stackrel{s}{\Longrightarrow} P_0' : (P_0',P_1') \in \beta))$
$\Rightarrow$ { induction hypothesis }
$(\forall P_0',s : P_0' \in Q_\tau \land s \in (\alpha P_0)^* \land P_0 \stackrel{s}{\Longrightarrow} P_0' : (\exists P_1' : P_1' \in Q_\tau \land P_1 \stackrel{s}{\Longrightarrow} P_1' : P_0' \equiv_n P_1'))$
$\land\ (\forall P_1',s : P_1' \in Q_\tau \land s \in (\alpha P_1)^* \land P_1 \stackrel{s}{\Longrightarrow} P_1' : (\exists P_0' : P_0' \in Q_\tau \land P_0 \stackrel{s}{\Longrightarrow} P_0' : P_0' \equiv_n P_1'))$
= { Definition $\equiv_k$ }
$P_0 \equiv_{n+1} P_1$

(End of Proof and Lemma)

1.4 Properties of Bisimulation Equivalence

In this section we elaborate on bisimulation equivalence. Some of the properties treated here may be extended to the other equivalence relations. We start with the introduction of the notion after.

Definition 1.4.0 (after)

Let P be a process. We denote by after(P) the set of processes defined by

$\mathrm{after}(P) = \{S \mid S \in Q_\tau \land (\exists t : t \in (\alpha P)^* : P \stackrel{t}{\Longrightarrow} S)\}$

(End of Definition)

Property 1.4.1

For processes P and P' such that $P \sim P'$, we have

(0) $a{:}P \sim a{:}P'$ for action-symbol a, $a \in A_\tau$;
(1) $P\lceil A \sim P'\lceil A$ for alphabet A, $A \subseteq A_\tau$;
(2) $P|S \sim P'|S$ for process S, $S \in Q_\tau$.

Proof

To prove (0) through (2), we have to find for each case (i), $0 \leq i \leq 2$, a bisimulation $B_i$ such that $(a{:}P, a{:}P') \in B_0$, $(P\lceil A, P'\lceil A) \in B_1$ and $(P|S, P'|S) \in B_2$. We give $B_0$, $B_1$ and $B_2$. It is left to the interested reader to verify that they satisfy.

There exists a bisimulation B, $B \subseteq \mathrm{after}(P) \times \mathrm{after}(P')$, such that $(P,P') \in B$. Then, we define:

$B_0 = B \cup \{(a{:}P, a{:}P')\}$
$B_1 = \{(P_0\lceil A, P_1\lceil A) \mid (P_0,P_1) \in B\}$
$B_2 = \{(P_0|S_0, P_1|S_0) \mid (P_0,P_1) \in B \land S_0 \in \mathrm{after}(S)\}$

(End of Proof and Property)

Let P, P' and S be processes such that $P \sim P'$. Generally, we do not have

Example 1.4.2

Let P0 and P1 be processes with alphabet {b} and whose state graphs are drawn in Figure 1.4.0.

Figure 1.4.0: The state graphs of processes P0 and P1.

There exists a bisimulation such that $P_0 \sim P_1$. This bisimulation is made explicit in Figure 1.4.0 by drawing, for each pair of processes in the bisimulation, a dotted line between the vertices corresponding to these processes.

Consider, furthermore, the process S, S: <Z, {c}, {(Z, c:Z0), (Z0, NIL)}>. The state graphs of P0 + S and P1 + S are drawn in Figure 1.4.1.

Figure 1.4.1: The state graphs of processes P0 + S and P1 + S.

Consider the vertex that can be reached in the state graph of P0 + S by performing an initial τ action. The process associated with that vertex is not bisimulation equivalent with any of the processes that correspond to the vertices of the state graph of P1 + S. Hence, $\neg(P_0 + S \sim P_1 + S)$.

(End of Example)
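As an added illustration of Definitions 1.3.8 and 1.3.9 and of Example 1.4.2 (this code is not part of the report), the following Python computes the largest bisimulation over a finite state graph by iterated refinement. It checks the weak transitions $P \stackrel{s}{\Longrightarrow} P'$ only for traces s of length at most one (the empty trace, i.e. τ-moves only, and one visible symbol); for a fixed relation this is equivalent to checking all traces, since the multi-step conditions follow by induction. The state graphs P0 = τ:b:NIL, P1 = b:NIL and S = c:NIL are reconstructed from the example's description and are an assumption.

```python
from typing import Dict, Hashable, Set, Tuple

TAU = "tau"
# A state graph maps (state, label) to the set of next states; tau-moves
# carry the label TAU.  All graphs below are constructed for this example.
Graph = Dict[Tuple[Hashable, str], Set[Hashable]]


def tau_closure(g: Graph, s: Hashable) -> Set[Hashable]:
    """States reachable from s by zero or more tau-moves."""
    seen, todo = {s}, [s]
    while todo:
        x = todo.pop()
        for y in g.get((x, TAU), set()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def weak_step(g: Graph, s: Hashable, a: str) -> Set[Hashable]:
    """P =s=> P' for a trace of length at most one: a == "" is the empty
    trace (tau-moves only), otherwise the path tau* a tau*."""
    before = tau_closure(g, s)
    if a == "":
        return before
    result: Set[Hashable] = set()
    for x in before:
        for y in g.get((x, a), set()):
            result |= tau_closure(g, y)
    return result


def largest_bisimulation(g: Graph) -> Set[Tuple[Hashable, Hashable]]:
    """Greatest fixpoint: start from all pairs of states and drop every pair
    that violates one of the two clauses of Definition 1.3.8 until stable."""
    states = {s for (s, _) in g} | {t for ts in g.values() for t in ts}
    labels = {""} | {a for (_, a) in g if a != TAU}
    rel = {(p, q) for p in states for q in states}

    def ok(p: Hashable, q: Hashable) -> bool:
        fwd = all(any((p2, q2) in rel for q2 in weak_step(g, q, a))
                  for a in labels for p2 in weak_step(g, p, a))
        bwd = all(any((p2, q2) in rel for p2 in weak_step(g, p, a))
                  for a in labels for q2 in weak_step(g, q, a))
        return fwd and bwd

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not ok(p, q):
                rel.discard((p, q))
                changed = True
    return rel


def bisimilar(g: Graph, p: Hashable, q: Hashable) -> bool:
    """Definition 1.3.9: p ~ q iff some bisimulation contains (p, q)."""
    return (p, q) in largest_bisimulation(g)


def plus(g: Graph, p: Hashable, q: Hashable, name: Hashable) -> Graph:
    """P + Q: a fresh initial state that offers the initial moves of both."""
    h = {k: set(v) for k, v in g.items()}
    for (s, a), ts in g.items():
        if s in (p, q):
            h.setdefault((name, a), set()).update(ts)
    return h


# Example 1.4.2 as reconstructed: P0 = tau:b:NIL, P1 = b:NIL, S = c:NIL.
G: Graph = {
    ("P0", TAU): {"P0'"}, ("P0'", "b"): {"NIL"},
    ("P1", "b"): {"NIL"},
    ("Z", "c"): {"NIL"},
}
G = plus(plus(G, "P0", "Z", "P0+S"), "P1", "Z", "P1+S")

if __name__ == "__main__":
    print("P0 ~ P1:", bisimilar(G, "P0", "P1"))          # True
    print("P0+S ~ P1+S:", bisimilar(G, "P0+S", "P1+S"))  # False
```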

Property 1.4.3

Let P0 and P1 be processes, and let A be an alphabet such that $\alpha P_0 \cap \alpha P_1 \subseteq A$. We have:

$(P_0|P_1)\lceil A \sim (P_0\lceil A)|(P_1\lceil A)$

Proof

Let

$B = \{((P|P')\lceil A,\ (P\lceil A)|(P'\lceil A)) \mid P \in \mathrm{after}(P_0) \land P' \in \mathrm{after}(P_1)\}$

We will prove that this is indeed a bisimulation. Let T0 and T0' be elements of after(P0), let T1 and T1' be elements of after(P1), and let trace r be an element of $A^*$. We derive

$(T_0|T_1)\lceil A \stackrel{r}{\Longrightarrow} (T_0'|T_1')\lceil A$
= { Definition hiding }
$(\exists s : s \in (\alpha T_0 \cup \alpha T_1)^* \land s\lceil A = r : (T_0|T_1) \stackrel{s}{\Longrightarrow} (T_0'|T_1'))$
= { Definition composition }
$(\exists s,t,u : s \in (\alpha T_0 \cup \alpha T_1)^* \land s\lceil A = r \land t = s\lceil\alpha T_0 \land u = s\lceil\alpha T_1 : T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1')$
= { note }
$r \in ((\alpha T_0 \cup \alpha T_1) \cap A)^* \land (\exists t : t \in (\alpha T_0)^* \land t\lceil A = r\lceil\alpha T_0 : T_0 \stackrel{t}{\Longrightarrow} T_0') \land (\exists u : u \in (\alpha T_1)^* \land u\lceil A = r\lceil\alpha T_1 : T_1 \stackrel{u}{\Longrightarrow} T_1')$
= { Definition hiding }
$r \in ((\alpha T_0 \cup \alpha T_1) \cap A)^* \land T_0\lceil A \stackrel{r\lceil\alpha T_0}{\Longrightarrow} T_0'\lceil A \land T_1\lceil A \stackrel{r\lceil\alpha T_1}{\Longrightarrow} T_1'\lceil A$
= { $r \in A^*$, Definition composition }
$(T_0\lceil A \mid T_1\lceil A) \stackrel{r}{\Longrightarrow} (T_0'\lceil A \mid T_1'\lceil A)$

Note

For traces t and u such that $t \in (\alpha T_0)^*$, $u \in (\alpha T_1)^*$, $t\lceil A = r\lceil\alpha T_0$ and $u\lceil A = r\lceil\alpha T_1$, we clarify the implication:

$T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1' \land r \in ((\alpha T_0 \cup \alpha T_1) \cap A)^*$
$\Rightarrow\ (\exists s : s \in (\alpha T_0 \cup \alpha T_1)^* \land s\lceil A = r \land t = s\lceil\alpha T_0 \land u = s\lceil\alpha T_1 : T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1')$

Its validity is based upon the following observation. Let q0 and q1 be traces. The set that consists of the symbols out of which q0 is composed is denoted by sym(q0). Similarly, we define sym(q1). Then, we have

$q_0\lceil\mathrm{sym}(q_1) = q_1\lceil\mathrm{sym}(q_0)$
=
$(\exists q_2 : q_2 \in (\mathrm{sym}(q_0) \cup \mathrm{sym}(q_1))^* \land \mathrm{sym}(q_2) = \mathrm{sym}(q_0) \cup \mathrm{sym}(q_1) : q_2\lceil\mathrm{sym}(q_0) = q_0 \land q_2\lceil\mathrm{sym}(q_1) = q_1)$

This property is known as the Lift Theorem, and its proof can be found in [5, p8-9].

The following derivation proves the implication:

$T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1' \land r \in ((\alpha T_0 \cup \alpha T_1) \cap A)^*$
$\Rightarrow$ { Lift Theorem, $t\lceil A = r\lceil\alpha T_0$, $u\lceil A = r\lceil\alpha T_1$ }
$(\exists s_0,s_1 : s_0 \in (\mathrm{sym}(t) \cup \mathrm{sym}(r))^* \land s_1 \in (\mathrm{sym}(u) \cup \mathrm{sym}(r))^* \land \mathrm{sym}(s_0) = \mathrm{sym}(t) \cup \mathrm{sym}(r) \land \mathrm{sym}(s_1) = \mathrm{sym}(u) \cup \mathrm{sym}(r) \land s_0\lceil A = s_1\lceil A = r \land s_0\lceil\mathrm{sym}(t) = t \land s_1\lceil\mathrm{sym}(u) = u : r \in ((\alpha T_0 \cup \alpha T_1) \cap A)^* \land T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1')$
$\Rightarrow$ { Lift Theorem, set-calculus, $\alpha T_0 \cap \alpha T_1 \subseteq A$ }
$(\exists s_2 : s_2 \in (\alpha T_0 \cup \alpha T_1)^* \land s_2\lceil A = r \land t = s_2\lceil\alpha T_0 \land u = s_2\lceil\alpha T_1 : T_0 \stackrel{t}{\Longrightarrow} T_0' \land T_1 \stackrel{u}{\Longrightarrow} T_1')$

(End of Proof and Property)

Property 1.4.4

Let P0, P1, S0 and S1 be processes such that $\alpha P_0 \cap \alpha S_0 = \alpha P_1 \cap \alpha S_1$. Furthermore, let A0 and A1 be alphabets such that $\alpha P_0 \cap \alpha S_0 \subseteq A_0 \subseteq \alpha P_0 \cap \alpha P_1$, $\alpha P_0 \cap \alpha S_0 \subseteq A_1 \subseteq \alpha S_0 \cap \alpha S_1$, $P_0\lceil A_0 \sim P_1\lceil A_0$ and $S_0\lceil A_1 \sim S_1\lceil A_1$. Then

$(P_0|S_0)\lceil(A_0 \cup A_1) \sim (P_1|S_1)\lceil(A_0 \cup A_1)$

Proof

$(P_0|S_0)\lceil(A_0 \cup A_1)$
$\sim$ { $\alpha P_0 \cap \alpha S_0 \subseteq A_0 \cup A_1$, Property 1.4.3 }
$P_0\lceil(A_0 \cup A_1) \mid S_0\lceil(A_0 \cup A_1)$
$\sim$ { $(A_0 \cup A_1) \cap \alpha P_0 = A_0$, $(A_0 \cup A_1) \cap \alpha S_0 = A_1$ }
$(P_0\lceil A_0) \mid (S_0\lceil A_1)$
$\sim$ { $P_0\lceil A_0 \sim P_1\lceil A_0$, $S_0\lceil A_1 \sim S_1\lceil A_1$, Property 1.4.1.2 }
$(P_1\lceil A_0) \mid (S_1\lceil A_1)$
$\sim$ { $(A_0 \cup A_1) \cap \alpha P_1 = A_0$, $(A_0 \cup A_1) \cap \alpha S_1 = A_1$ }
$P_1\lceil(A_0 \cup A_1) \mid S_1\lceil(A_0 \cup A_1)$
$\sim$ { $\alpha P_1 \cap \alpha S_1 \subseteq A_0 \cup A_1$, Property 1.4.3 }
$(P_1|S_1)\lceil(A_0 \cup A_1)$

2.0 Introduction

The phenomenon of deadlock is treated in many articles and books concerning parallelism. Informally, it may be defined by:

'Given a set of concurrently running mechanisms. This system has danger of deadlock if it may stop while some of its components still want to continue.'

Applying this informal definition to a system built out of concurrently running mechanisms that never stop, we may phrase that such a system has danger of deadlock alternatively:

'The system may stop.'

The latter formulation is frequently used in the literature, cf. [3].

We continue with an example of a system that has danger of deadlock.

Example 2.0.0

Consider the three processes Q0, R0 and S0 with $\alpha Q_0 = \{a_0,b_0\}$, $\alpha R_0 = \{a_1,b_1\}$ and $\alpha S_0 = \{b_0,b_1\}$. Their state graphs are presented in Figure 2.0.0.

Figure 2.0.0: The state graphs of the processes Q0, R0 and S0.

The process U is the composition of these processes, i.e. U = C({Q0,R0,S0}). U (Figure 2.0.1) may be viewed as the specification of a system consisting of two work-stations (specified by Q0 and R0) and one computer (specified by S0). The action-symbols of α(C({Q0,R0,S0})) correspond to the following actions:

a0: a file is placed in the memory of the work-station specified by Q0.
b0: a file in the memory of the work-station specified by Q1 is updated by the computer.
a1: as a0 but for the work-station specified by R1.
b1: as b0 but for the work-station specified by R1.

The system stops after it has performed six actions. Then, each of the work-stations has a file in its memory that needs to be updated by the computer. Hence, the system has danger of deadlock.

(End of Example)

Figure 2.0.1: The state graph of process U. Its sixteen vertices are labelled (Qi|Rj|Sk) with i, j ∈ {0,1} and k ∈ {0,1,2,3}, and its arcs are labelled a0, b0, a1 and b1.

From the processes Q0, R0, S0 and U, it can be derived that the system in the above example has danger of deadlock. This is made explicit in the following sections.

We conclude this section with some notions needed throughout the remainder of this report.

First, the notion successor-set is redefined. In section 1.3.2 the successor-set of a process denotes the maximal set of non-τ actions this process may perform next. Henceforth, it is defined by:

$\mathrm{Succ}(P) = \{a \mid a \in A_\tau \land (\exists P' : P' \in \mathrm{after}(P) \land P \stackrel{a}{\Longrightarrow} P')\}$

We say that P is non-terminating if and only if for each P0, $P_0 \in \mathrm{after}(P)$, $\mathrm{Succ}(P_0) \neq \emptyset$.

Let X be a set of processes in which no two elements have the same alphabet. By restricting ourselves to processes in $Q_\tau$, the definition of composition states that with each process T, $T \in \mathrm{after}(C(X))$, several sets of processes may be associated. Informally, each of these sets denotes the states that the components of system X may be in, while the composite is in state T.

In the sequel, we wish to address each process in after(C(X)) together with all its corresponding sets of processes. Therefore, the notion after is modified. Each process U, $U \in \mathrm{after}(C(X))$, is assumed to occur as many times in after(C(X)) as there are sets of processes associated with U. Hence, after(C(X)) becomes a bag. We implicitly assume some sort of one-to-one mapping between the processes U in after(C(X)) and the sets of processes associated with U. Then, e(V,P,X), $P \in X$ and $V \in \mathrm{after}(C(X))$, denotes the unique element of after(P) that occurs in the set of processes associated with V.

2.1 Locked and Lockfree

Throughout the remainder of this report, X is a set of processes and P is an element of X. Furthermore, only processes Q with a finite number of elements in the set after(Q) are considered.

We start by formalizing the informal definition of danger of deadlock by the concept lockfree.

Definition 2.1.0 (locked)

$\mathrm{locked}(P,X) = (\exists T : T \in \mathrm{after}(C(X)) : \mathrm{Succ}(T) = \emptyset \land \mathrm{Succ}(e(T,P,X)) \neq \emptyset)$

(End of Definition)

Definition 2.1.1 (lockfree)

$\mathrm{lockfree}(X) = (\forall P : P \in X : \neg\mathrm{locked}(P,X))$

(End of Definition)

If ¬lockfree(X) holds, we say that the system specified by X has danger of being locked.

Property 2.1.2

(0) lockfree(∅)
(1) lockfree({P}), for any process P
(2) C(X) is non-terminating ⇒ lockfree(X)

(End of Property)

Property 2.1.3

Let P0 be a process in after(C(X)). We then have

$\mathrm{Succ}(P_0) \subseteq (\cup T : T \in X : \mathrm{Succ}(e(P_0,T,X)))$

Proof

$a \in \mathrm{Succ}(P_0)$
= { Definition Succ(P) }
$a \in \{b \mid b \in A_\tau \land (\exists P' : P' \in \mathrm{after}(P_0) : P_0 \stackrel{b}{\Longrightarrow} P')\}$
= { set calculus }
$a \in A_\tau \land (\exists P' : P' \in \mathrm{after}(P_0) : P_0 \stackrel{a}{\Longrightarrow} P')$
$\Rightarrow$ { $P_0 \in \mathrm{after}(C(X))$, Definition composition }
$(\exists T : T \in X : a \in A_\tau \land (\exists P' : P' \in \mathrm{after}(T) : e(P_0,T,X) \stackrel{a}{\Longrightarrow} P'))$
= { Definition Succ(P) }
$(\exists T : T \in X : a \in \mathrm{Succ}(e(P_0,T,X)))$
= { set calculus }
$a \in (\cup T : T \in X : \mathrm{Succ}(e(P_0,T,X)))$

(End of Proof and Property)

Property 2.1.4

$\mathrm{lockfree}(X) = (\forall P_0 : P_0 \in \mathrm{after}(C(X)) : (\mathrm{Succ}(P_0) = \emptyset) = (\forall T : T \in X : \mathrm{Succ}(e(P_0,T,X)) = \emptyset))$

Proof

$\mathrm{lockfree}(X)$
= { Definition lockfree }
$(\forall T : T \in X : \neg\mathrm{locked}(T,X))$
= { Definition locked }
$(\forall T : T \in X : (\forall P_0 : P_0 \in \mathrm{after}(C(X)) : \mathrm{Succ}(P_0) \neq \emptyset \lor \mathrm{Succ}(e(P_0,T,X)) = \emptyset))$
= { predicate calculus }
$(\forall P_0 : P_0 \in \mathrm{after}(C(X)) : \mathrm{Succ}(P_0) = \emptyset \Rightarrow (\forall T : T \in X : \mathrm{Succ}(e(P_0,T,X)) = \emptyset))$
= { Property 2.1.3 }
$(\forall P_0 : P_0 \in \mathrm{after}(C(X)) : (\mathrm{Succ}(P_0) = \emptyset) = (\forall T : T \in X : \mathrm{Succ}(e(P_0,T,X)) = \emptyset))$

(End of Proof and Property)

Theorem 2.1.5

Let X be a set of processes. For each process T, $T \in X$, $\hat{T}$ denotes the process $C(X \setminus \{T\})$. Then

$\mathrm{lockfree}(X) = (\forall T : T \in X : \mathrm{lockfree}(\{T,\hat{T}\}))$

Proof

$\mathrm{lockfree}(X)$
= { Definition lockfree }
$(\forall T : T \in X : \neg\mathrm{locked}(T,X))$
= { note }
$(\forall T : T \in X : \neg\mathrm{locked}(T,X)) \land (\forall T : T \in X : \neg\mathrm{locked}(\hat{T},\{T,\hat{T}\}))$
= { $C(X) = C(\{T,\hat{T}\})$, $T \in \{T,\hat{T}\}$, Definition locked }
$(\forall T : T \in X : \neg\mathrm{locked}(T,\{T,\hat{T}\})) \land (\forall T : T \in X : \neg\mathrm{locked}(\hat{T},\{T,\hat{T}\}))$
= { predicate calculus, Definition lockfree }
$(\forall T : T \in X : \mathrm{lockfree}(\{T,\hat{T}\}))$

Note

We prove: $(\forall T : T \in X : \neg\mathrm{locked}(T,X)) \Rightarrow (\forall T : T \in X : \neg\mathrm{locked}(\hat{T},\{T,\hat{T}\}))$. For any T, $T \in X$, we derive:

$\mathrm{locked}(\hat{T},\{T,\hat{T}\})$
= { Definition locked }
$(\exists P_0 : P_0 \in \mathrm{after}(C(\{T,\hat{T}\})) : \mathrm{Succ}(P_0) = \emptyset \land \mathrm{Succ}(e(P_0,\hat{T},\{T,\hat{T}\})) \neq \emptyset)$
$\Rightarrow$ { $C(\{T,\hat{T}\}) = C(X)$, Property 2.1.3 }
$(\exists P_0 : P_0 \in \mathrm{after}(C(X)) : \mathrm{Succ}(P_0) = \emptyset \land (\exists U : U \in X \setminus \{T\} : \mathrm{Succ}(e(P_0,U,X)) \neq \emptyset))$
= { predicate calculus, Definition locked }
$(\exists U : U \in X \setminus \{T\} : \mathrm{locked}(U,X))$
$\Rightarrow$ { predicate calculus }
$(\exists U : U \in X : \mathrm{locked}(U,X))$

(End of Proof and Theorem)

Example 2.1.6

Consider the three processes Q0, R0 and S0 that were introduced in Example 2.0.0. Let X = {Q0,R0,S0}, and let P0 be the process that corresponds to the composition of the elements in {Q1,R1,S3}. As can be derived from Figure 2.0.1, P0 is an element of after(C(X)). Since $\mathrm{Succ}(P_0) = \emptyset$ and $\mathrm{Succ}(Q_1) \neq \emptyset$, we conclude locked(Q0,X) and locked(Q0,{Q0,C(X\{Q0})}).

(End of Example)

Example 2.1.7

Consider the processes U0, V0 and W0. Their alphabets only contain the action-symbols that label the arcs of their state graphs (Figure 2.1.0). Let X = {U0,V0,W0}.

Each vertex in the state graph of C(X) (Figure 2.1.1) has at least one outgoing arc. Hence, C(X) is non-terminating. Moreover, Property 2.1.2.2 yields lockfree(X).

(End of Example)

Figure 2.1.0: The state graphs of processes U0, V0 and W0.

Figure 2.1.1: The state graph of process C(X).

2.2 Construction of lockfree systems

It is difficult to determine whether a system that is specified by a set X of processes has danger of being locked. If X only consists of non-terminating processes, we may proceed as in Example 2.1.7. A more general method is presented in this section.

Lemma 2.2.0

Let X and Y be sets of processes such that $X \cap Y = \emptyset$ and lockfree(X). Then

$\neg\mathrm{locked}(C(X),\{C(X),C(Y)\}) = (\forall T : T \in X : \neg\mathrm{locked}(T,X \cup Y))$

Proof

$\neg\mathrm{locked}(C(X),\{C(X),C(Y)\})$
= { Definition locked }
$(\forall P_0 : P_0 \in \mathrm{after}(C(\{C(X),C(Y)\})) : \mathrm{Succ}(P_0) \neq \emptyset \lor \mathrm{Succ}(e(P_0,C(X),\{C(X),C(Y)\})) = \emptyset)$
= { lockfree(X) }
$(\forall P_0 : P_0 \in \mathrm{after}(C(\{C(X),C(Y)\})) : \mathrm{Succ}(P_0) \neq \emptyset \lor (\forall T : T \in X : \mathrm{Succ}(e(e(P_0,C(X),\{C(X),C(Y)\}),T,X)) = \emptyset))$
= { $C(\{C(X),C(Y)\}) = C(X \cup Y)$ }
$(\forall P_0 : P_0 \in \mathrm{after}(C(X \cup Y)) : \mathrm{Succ}(P_0) \neq \emptyset \lor (\forall T : T \in X : \mathrm{Succ}(e(P_0,T,X \cup Y)) = \emptyset))$
= { predicate calculus, Definition locked }
$(\forall T : T \in X : \neg\mathrm{locked}(T,X \cup Y))$

The following theorem shows how to build larger lockfree systems out of smaller ones.

Theorem 2.2.1

Let both X and Y be sets of processes such that $X \cap Y = \emptyset$, lockfree(X) and lockfree(Y). We have:

$\mathrm{lockfree}(\{C(X),C(Y)\}) = \mathrm{lockfree}(X \cup Y)$

Proof

$\mathrm{lockfree}(\{C(X),C(Y)\})$
= { Definition lockfree }
$\neg\mathrm{locked}(C(X),\{C(X),C(Y)\}) \land \neg\mathrm{locked}(C(Y),\{C(X),C(Y)\})$
= { Lemma 2.2.0 }
$(\forall P_0 : P_0 \in X : \neg\mathrm{locked}(P_0,X \cup Y)) \land (\forall P_0 : P_0 \in Y : \neg\mathrm{locked}(P_0,X \cup Y))$
= { predicate calculus, Definition lockfree }
$\mathrm{lockfree}(X \cup Y)$

(End of Proof and Theorem)

Using Theorem 2.2.1 and Properties 2.1.2.1 and 2.1.2.2, we may be able to determine for a finite set X of processes whether lockfree(X) holds. To explain this further, the notion of partition-tree is introduced.

A partition-tree of X is a finite binary tree in which the nodes are labelled by non-empty subsets of X. The root of the tree is labelled by X. Each node that is not a leaf is labelled by the union of the sets that label this node's children. Furthermore, each leaf is labelled by a singleton such that each two different leaves have different labels.
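The definitions of Succ, locked and lockfree (Definitions 2.1.0 and 2.1.1), the locked state of Example 2.1.6, Property 2.1.2.2 and the way Theorem 2.2.1 combines lockfree subsystems, worked in Python as an added example (this is not code from the report). Processes are restricted to finite, deterministic, τ-free state graphs; the graphs of Q0, R0 and S0 are those of Example 2.0.0 as read from the figure's description, which is an assumption.

```python
from typing import Dict, Hashable, Iterable, List, Set, Tuple


class Proc:
    """A deterministic, tau-free process: initial state, alphabet and arcs."""
    def __init__(self, name: str, init: Hashable, alphabet: Iterable[str],
                 arcs: Iterable[Tuple[Hashable, str, Hashable]]):
        self.name, self.init, self.alphabet = name, init, frozenset(alphabet)
        self.arcs: Dict[Tuple[Hashable, str], Hashable] = {(s, a): t for s, a, t in arcs}


def after(p: Proc) -> Set[Hashable]:
    """after(P): every state reachable from the initial state."""
    seen, todo = {p.init}, [p.init]
    while todo:
        s = todo.pop()
        for (src, _), t in p.arcs.items():
            if src == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def succ(p: Proc, state: Hashable) -> Set[str]:
    """Succ for the given state: the action-symbols it may perform next."""
    return {a for (s, a) in p.arcs if s == state}


def non_terminating(p: Proc) -> bool:
    """Every reachable state has a successor (premise of Property 2.1.2.2)."""
    return all(succ(p, s) for s in after(p))


def compose(X: List[Proc]) -> Proc:
    """C(X): components synchronise on shared symbols and interleave the rest.
    A composite state is the tuple of component states, in the order of X."""
    alphabet = frozenset().union(*(p.alphabet for p in X))
    init = tuple(p.init for p in X)
    arcs, seen, todo = [], {init}, [init]
    while todo:
        st = todo.pop()
        for a in sorted(alphabet):
            nxt = []
            for p, s in zip(X, st):
                if a not in p.alphabet:          # p is not involved in a
                    nxt.append(s)
                elif (s, a) in p.arcs:           # p can perform a now
                    nxt.append(p.arcs[(s, a)])
                else:                            # p blocks a
                    break
            else:
                arcs.append((st, a, tuple(nxt)))
                if tuple(nxt) not in seen:
                    seen.add(tuple(nxt))
                    todo.append(tuple(nxt))
    return Proc("C(%s)" % ",".join(p.name for p in X), init, alphabet, arcs)


def e(T: tuple, P: Proc, X: List[Proc]) -> Hashable:
    """e(T,P,X): the state of component P inside composite state T."""
    return T[X.index(P)]


def locked(P: Proc, X: List[Proc]) -> bool:
    """Definition 2.1.0: some reachable composite state has no successor
    while component P still wants to continue."""
    C = compose(X)
    return any(not succ(C, T) and succ(P, e(T, P, X)) for T in after(C))


def lockfree(X: List[Proc]) -> bool:
    """Definition 2.1.1."""
    return all(not locked(P, X) for P in X)


# Example 2.0.0: two work-stations and one computer (assumed from Figure 2.0.0).
Q0 = Proc("Q0", "Q0", {"a0", "b0"}, [("Q0", "a0", "Q1"), ("Q1", "b0", "Q0")])
R0 = Proc("R0", "R0", {"a1", "b1"}, [("R0", "a1", "R1"), ("R1", "b1", "R0")])
S0 = Proc("S0", "S0", {"b0", "b1"}, [("S0", "b0", "S1"), ("S0", "b1", "S2"),
                                     ("S1", "b1", "S3"), ("S2", "b0", "S3")])

if __name__ == "__main__":
    X = [Q0, R0, S0]
    print("lockfree(X):", lockfree(X))                   # False
    print("locked(Q0,X):", locked(Q0, X))                # True, at (Q1,R1,S3)
    print("lockfree({Q0,R0}):", lockfree([Q0, R0]))      # True (Property 2.1.2.2)
    # Theorem 2.2.1: composing the lockfree halves decides lockfree(X)
    print(lockfree([compose([Q0, R0]), compose([S0])]) == lockfree(X))
```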

Example 2.2.2

For the set X, X = {X0,X1,X2}, of processes, the following graph is a partition-tree of X.

Figure 2.2.0: A partition-tree of X, with root {X0,X1,X2} and leaves {X0}, {X1} and {X2}.

Notice that several partition-trees of X exist.

(End of Example)

From Property 2.1.2.1, we infer that the singletons that label the leaves of a partition-tree of X are lockfree. If such a tree can be traversed from leaves to root using Property 2.1.2.2 and Theorem 2.2.1, lockfree(X) holds.

Example 2.2.3

Consider the processes P0, Q0, R0 and S0. Their alphabets only contain those action-symbols that label the arcs in their state graphs (Figure 2.2.1).

Figure 2.2.1: The state graphs of processes P0, Q0, R0 and S0.

Let X = {P0,Q0,R0,S0}. Lockfree(X) can be proven using the following partition-tree.

Figure 2.2.2: A partition-tree of X, with root {P0,Q0,R0,S0}, internal nodes {P0,R0} and {Q0,S0}, and leaves {P0}, {R0}, {Q0} and {S0}.

Since $\alpha P_0 \cap \alpha R_0 = \emptyset$ and P0 as well as R0 is non-terminating, C({P0,R0}) is non-terminating. Property 2.1.2.2 then states lockfree({P0,R0}).

Similar reasoning yields lockfree({QO,SO}).

It is easily verified that lockfree({C({PO,RO}),C({QO,SO})}). Hence, we may conclude from Theorem 2.2.1 that lockfree(X) holds.

(End of Example)

The above strategy does not always work. There are lockfree systems for which a proper partition-tree cannot be found. The following example shows such a system.

Example 2.2.4

Let us consider the processes Q0, R0 and S0 such that

$\alpha Q_0 = \{a,b,c,d,e,f\}$
$\alpha R_0 = \{a,b,c,d,e,g\}$
$\alpha S_0 = \{a,b,c,d,e,h\}$

Their state graphs are presented in Figure 2.2.3.

Figure 2.2.3: The state graphs of processes Q0, R0 and S0.

Let X = {Q0,R0,S0}. For each subset Z of X that consists of two elements of X, ¬lockfree(Z) holds. So, in spite of lockfree(X), there does not exist a partition-tree by which we may prove it.

(End of Example)

2.3 A substitution property

Generally, the system that is obtained by replacing a process in a lockfree system by a bisimulation equivalent one is not lockfree. The following example demonstrates this.

Example 2.3.0

Consider the processes P0, Q0 and R0 such that $\alpha P_0 = \alpha Q_0 = \{a,b,c\}$ and $\alpha R_0 = \{a,b,c,d\}$. Their state graphs are presented in Figure 2.3.0. From the definition of bisimulation equivalence, we may conclude that $P_0 \sim Q_0$.

hold.

Figure 2.3.0: The state graphs of the processes P0, Q0 and R0.

(End of Example)

The above suggests that bisimulation equivalence does not sufficiently distinguish between processes on the occurrences of τ's. We make this explicit by presenting a stronger equivalence relation, called livelock bisimulation equivalence, on processes. Subsequently, we present in Theorem 2.3.3 the conditions under which a lockfree system stays lockfree after one of its processes is replaced by another.

Definition 2.3.1 (livelock)

Let P be a process. We say that P may have livelock, denoted by livelock(P), whenever the following predicate holds:

$(\exists P',s : P' \in \mathrm{after}(P) \land s \in \{\tau\}^+ : P \stackrel{s}{\Longrightarrow} P' \land P' \stackrel{s}{\Longrightarrow} P')$

Henceforth, ¬livelock(P) is denoted by livelockfree(P).

(End of Definition)

When a process P may have livelock, it boils down to the fact that P may continue infinitely performing only τ actions.

Using the concept livelock, we now define a new equivalence relation on processes. This relation is called livelock bisimulation equivalence, and it is a stronger relation than bisimulation equivalence.

Definition 2.3.2 (livelock bisimulation equivalence)

Two processes P0 and P1 are called livelock bisimulation equivalent, denoted by $P_0 \sim_L P_1$, if and only if there exists a bisimulation $\beta$ such that $(P_0,P_1) \in \beta$ and for all pairs (U,V) in $\beta$ livelock(U) = livelock(V).

(End of Definition)

Without proof, we state that by restricting ourselves to processes P with after(P) finite, all properties derived in section 1.4 also hold for livelock bisimulation equivalence.

Theorem 2.3.3

Let T0, T1 and S be processes such that $\alpha T_0 \cap \alpha S = \alpha T_1 \cap \alpha S$. Furthermore, let A be an alphabet such that $\alpha T_0 \cap \alpha S \subseteq A \subseteq \alpha T_0 \cap \alpha T_1$ and $T_0\lceil A \sim_L T_1\lceil A$. We have:

$\mathrm{lockfree}(\{T_0,S\}) = \mathrm{lockfree}(\{T_1,S\})$

Proof

Since $T_0\lceil A \sim_L T_1\lceil A$, there exists a proper bisimulation $\beta$ for it. According to Property 1.4.4, $(T_0|S)\lceil(A \cup \alpha S) \sim_L (T_1|S)\lceil(A \cup \alpha S)$. Applying Property 1.4.1.2 makes it obvious that a corresponding bisimulation $\Gamma$ is:

$\{((P_0|S_0),(P_1|S_0)) \mid (P_0,P_1) \in \beta \land S_0 \in \mathrm{after}(S)\}$

We will only derive locked(T0,{T0,S}) = locked(T1,{T1,S}), because then the proof of locked(S,{T0,S}) = locked(S,{T1,S}) will be trivial.

$\mathrm{locked}(T_0,\{T_0,S\})$
= { Definition locked }
$(\exists P : P \in \mathrm{after}(C(\{T_0,S\})) : \mathrm{Succ}(P) = \emptyset \land \mathrm{Succ}(e(P,T_0,\{T_0,S\})) \neq \emptyset)$
= { set calculus, Definition composition }
$(\exists P : P \in \mathrm{after}(C(\{T_0,S\})) : \mathrm{Succ}(P) = \emptyset \land (\exists a : a \in \alpha T_0 \cap \alpha S : a \in \mathrm{Succ}(e(P,T_0,\{T_0,S\}))))$
= { note }
$(\exists P : P \in \mathrm{after}(C(\{T_1,S\})) : \mathrm{Succ}(P) = \emptyset \land (\exists a : a \in \alpha T_1 \cap \alpha S : a \in \mathrm{Succ}(e(P,T_1,\{T_1,S\}))))$
= { set calculus, Definition composition }
$(\exists P : P \in \mathrm{after}(C(\{T_1,S\})) : \mathrm{Succ}(P) = \emptyset \land \mathrm{Succ}(e(P,T_1,\{T_1,S\})) \neq \emptyset)$
= { Definition locked }
$\mathrm{locked}(T_1,\{T_1,S\})$
