
A timed failures model for extended communicating processes

(extended abstract)

Citation for published version (APA):

Gerth, R. T., & Boucher, A. (1986). A timed failures model for extended communicating processes (extended abstract). (Computing science notes; Vol. 8612). Technische Universiteit Eindhoven.

Document status and date: Published: 01/01/1986

Document Version: Publisher's PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website.

• The final author version and the galley proof are versions of the publication after peer review.

• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.

• You may not further distribute the material or use it for any profit-making activity or commercial gain.

• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:

www.tue.nl/taverne

Take down policy

If you believe that this document breaches copyright please contact us at:

openaccess@tue.nl

providing details and we will investigate your claim.

A Timed Failures Model for Extended Communicating Processes (extended abstract)

by Rob Gerth and Andy Boucher

To be presented at ICALP87

March 1987

COMPUTING SCIENCE NOTES

This is a series of notes of the Computing Science Section of the Department of Mathematics and Computing Science of Eindhoven University of Technology.

Since many of these notes are preliminary versions or may be published elsewhere, they have a limited distribution only and are not for review.

Copies of these notes are available from the author or the editor.

Eindhoven University of Technology
Department of Mathematics and Computing Science
P.O. Box 513
5600 MB EINDHOVEN
The Netherlands

All rights reserved

European Strategic Programme of Research and Development in Information Technology

Project 937 : Debugging and Specification of Ada Real-Time Embedded Systems
Package 4 : Formal Semantics and Proof Systems for Real-Time Languages

Doc. No.: TR.4-4(1)
Type: TR
Title: A Timed Failure Semantics for Extended Communicating Processes
Author: R. Gerth, A. Boucher
Date: 1-12-86
Document Status: submitted
Confidentiality Level: public domain
Mail to: GSI-TECSI, SYSTEAM KG, FOXBORO Netherlands NV, ELECTRONIQUE SERGE DASSAULT, EINDHOVEN UNIVERSITY OF TECHNOLOGY, UNIVERSITY OF STIRLING, AOCAD Ltd

Copyright 1986 by the DESCARTES consortium formed by the companies and universities listed above.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, and that the DESCARTES copyright notice and the title of this document and date appear.

A TIMED FAILURES MODEL FOR EXTENDED COMMUNICATING PROCESSES*

extended abstract

Rob Gerth¹,² and Andy Boucher³

March, 1987

Abstract. We develop a model for the real-time behaviour of an extension of communicating sequential processes, ECP: the timed failures model. ECP includes a time-out mechanism for actions that synchronize and a broadcast construct. The model maximalizes local activity in processes and allows the delay of enabled synchronization actions to be a-priori bounded. It is a direct generalization of the (non-timed) failures model: traces are generalized to time-action relations, associating actions to the times at which they occur, and failure-sets to time-failure relations, associating actions to the times at which they are refused. In addition to a-priori bounded delay of actions, the model supports non-discrete time and concurrency of actions; it makes the semantic operators continuous and is fully abstract when actions and the times at which they take place are made observable.

1. INTRODUCTION

Lots of interesting research has been done in the past, and the intention of this paper is to do even better for the benefit of mankind, Amen.

In the last 6 years, the area of real-time computing has grown from a "lost world" (see R. L. Glass in [Gla80]) into a vigorous research area. On a practical level, various high level languages for real-time industrial applications have come into existence: the most well-known is Ada [A83], the DOD common language. Perhaps less well-known but equal to Ada in scope is CCITT's high level language Chill [BLW82]. Of more recent vintage is Occam [O84], developed by Inmos to be used as the machine language for their transputer.

* The research reported here originates in and extends work, conducted independently, by both authors as published in [KSRGA85, Bou86, HGR87]. During that time, the second author was at Balliol College, Oxford University, working at the Computing Laboratory and supported by a National Science Foundation graduate fellowship.

¹ Eindhoven University of Technology, Department of Mathematics and Computing Science, P.O. Box 513, 5600 MB Eindhoven, the Netherlands. Electronic mail: mcvax!eutrc3!wsinrobg.UUCP.

² The author is currently working in and partially supported by ESPRIT project 937: "Debugging and Specification of Ada Real-Time Embedded Systems (DESCARTES)".

³ University of Southern California, Department of Mathematics, University Place, Los Angeles, CA 90089.

On a theoretical level, N. Halbwachs and his co-workers experiment with a real-time data flow language, LUSTRE [BCH85]. In the area of program development and specification, there are G. Berry's ESTEREL language and system [BC85] and D. Harel's Statecharts system [Har86]. Temporal logic has been extended by R. Koymans et al. to deal with real-time and has been applied to the axiomatic definition of a real-time fragment of Chill [KVR83] and to the specification of systems [KR85]. Compositional semantics, [KSRGA86, Bou86], and proof systems for Occam-like real-time languages have been developed [Hoo86]. Full abstraction of related semantics has been addressed in [HGR87, Bou86]. Finally, G. Jones [Jon82] and G. M. Reed and A. W. Roscoe [RR86] have extended the fundamental work of C. A. R. Hoare, R. Milner and their co-workers on (algebraic) models for non-timed communication to include the timing of actions.

This paper addresses the problem of extending the above non-timed models to the area of real-time computations.

In order to assess the adequacy of such extensions, one must first decide upon criteria to judge real-time models against. We feel that at least the following properties are essential:

(1) a-priori bounded delay of actions. Since the time behaviour of a system is at issue, it is obvious that when some actions become possible (enabled), an adequate model should guarantee that (at least) one of these actions is taken within an a-priori bounded time interval. Otherwise, systems will only have trivial time properties. Observe that this requirement immediately precludes using models based on interleaving, since such models introduce arbitrary delays.

(2) time-out of actions. The possibility of programming a system to preempt from a commitment to doing an action can be found in virtually every real-time language.

(3) the time-domain can be any linear order with a least element. In particular, a model should not depend on time being discrete. Insisting on a linear order means that all actions in all parts of a system can be related in time to each other. Moreover, the existence of a least element ensures that we may speak of the "first" time at which something happens.

(4) no constraints on the times at which actions may start and terminate.

(5) "true" concurrency⁴. A model must allow more than one action per time to happen. Since independent parts can proceed independently, events occurring to different parts may or may not occur at the same time, and so simultaneous actions are possible.

(6) concurrency is not conservative. A model should not reduce concurrency to non-deterministic choice.

(7) proper treatment of internal and external or controllable choice. A model should distinguish these two types of non-deterministic choice.

(8) full abstraction. If two systems behave the same whatever stimuli their environment offers, a model should not distinguish them.

⁴ We stress that this differs from the notion used by Petri-net researchers. There the notion conveys the idea that concurrent actions cannot be causally related, rather than that they actually concur.

From this point of view, neither Jones's nor Reed and Roscoe's model is completely adequate. The latter two authors construct a topological model for CSP which goes half-way since it only satisfies the third, fourth and fifth of our properties. Their denotations do, though, support the notion of an action occurring at the same time at which it becomes enabled. The earlier work of Jones unfortunately has never been published and we can do nothing but refer to the evaluation of Reed and Roscoe in [RR86], who mention, e.g., the non-continuity of the hiding operator and conclude that Jones's model is inadequate too.

The timed failures model that we develop in this paper satisfies the full list of properties indeed, but for the restriction that the execution time of (visible) actions be non-zero. It is based on and extends the non-timed failures model of Brookes, Hoare and Roscoe [BHR84]. Moreover, the model shares the mathematical simplicity of the non-timed model and it makes the process-operators that we introduce in this paper continuous. As a consequence, the model supports recursive definitions.

The non-timed failures model takes an extensional view of systems or processes. Specifically, a process is equated with the set of behaviours that its environment can elicit. A behaviour or failure is a pair, $(s,X)$, where $s$ is a trace, i.e., a sequence of actions tracing out the computation history leading to this point, and $X$ is a failure-set, i.e., a set of actions which the process will refuse to do after the computation $s$ and which captures the process's deadlock behaviour.

Our timed failures model, too, identifies a process with its set of possible behaviours. However, the notion of timed behaviour or timed failure involves a three-step generalization over the older notion:

- an explicit time-domain relative to which actions are ordered replaces the implicit ordering of actions in traces, thus acquiring property 3,

- event relations replace traces and associate actions with the times at which they occur, thus acquiring properties 4 and 5, and

- failure relations replace failure sets and associate actions with the times at which they can be refused, thus acquiring properties 1 and 2.

A timed failure is a pair, $(u,X)$, where $u$ is an event relation and $X$ is a failure relation. The first two generalization steps are obvious. The third step seems less obvious. Our extended language allows actions to time-out, as a consequence of which failure dispositions may voluntarily change over time in a way that is impossible in the non-timed case. This indicates that the notion of failure has to be changed in some way. A generalization as extensive as we propose here - recording the refusable actions throughout a computation - originates in the possibility both of actions to time-out and of actions to concur. In fact, we will show in section 2 that we cannot do with less failure information than that proposed here.

There is a similarity between our timed failures model and the barbed wire semantics introduced by A. Pnueli [Pnu85] to model broadcast communication. That semantics keeps track throughout a computation of actions that were not taken. This similarity makes it possible to introduce broadcast in ECP. We feel that this is important, since it is the communication mechanism of both the ESTEREL and the Statecharts real-time specification languages.

In section 2, we will introduce the model as deriving from an informal notion of testing of machines. This idea goes back to the work of E. F. Moore [Moo56] but has been brought to prominence in the area of program semantics by R. Milner [Mil79] on an intuitive level and by M. Hennessy and R. De Nicola [Hen83, Nic85] on a formal level. The section is a long one, since we want to make the intuition behind the model as clear as possible. We end the section with a definition of process and a set of four laws that processes satisfy. In section 3 we introduce a variety of processes and process combinators. In addition to the standard CSP processes and operators, ECP includes a WAIT process that suspends execution for a specified amount of time, a broadcast concurrency operator and a bounded delay operator that bounds the delay of an enabled action to a specified time period. With each of the process operators we list some of the process equivalences that it induces. We will restrict ourselves here to the discrete time case. Section 4 addresses full abstraction. The model turns out to be fully abstract in a strong sense: it is fully abstract with respect to a set of processes and operators (namely, time-out of synchronization events, sequential and synchronous concurrent composition) that is more restricted than the set introduced in section 3; moreover, any extension of it will remain fully abstract provided the new operators obey the process laws of section 2. Section 5 contains proofs of well-definedness and continuity of the processes and operators. Section 6 draws some conclusions and compares the model with some existing ones; specifically with the refusal testing model ([Phi86]) and with a recent generalization of testing equivalence to labeled event structures ([ANF86]).

2. THE TIMED FAILURES MODEL

The model is most readily explained using the notion of testing of machines. We will use this as a tool to guide our intuition but will not formally derive our model from it. Moreover, in this section we will assume machines not to have infinite behaviour. The idea of testing reflects the embedding of systems in an actively interacting environment. The environment - in general, consisting of other machines - is abstracted to an agent that tests machines.

Like the machines introduced by Milner [Mil79], we consider a machine to be a black box equipped with a set of buttons labeled with the possible visible actions (in some finite action-alphabet $\Sigma$). The machine is willing to perform a (visible) action if the button labeled with this action is unlocked or enabled. The act of pushing an enabled button will force the machine to do the corresponding action. Our machines will be able to perform several actions simultaneously. Like Milner's machines, ours too can offer a choice to perform some of a number of actions at a time. The sets of actions that a machine is prepared to engage in and the choices between actions that are offered change during an execution, either as the result of interaction with the machine's environment (i.e., as the result of pushing some buttons) or autonomously by internal computations. We stipulate that a machine can only sense whether or not an enabled button is pushed and hence cannot sense whether a disabled button is pushed.

Knowledge about such a machine's behaviour is obtained through repeatedly testing the machine for a finite amount of time and by recording the test results, which in general will abstract from everything that happens during a sequence of tests. A process $P$ will be the collection of all possible test results about a machine. We would like to identify machines with their corresponding processes. Whether this makes sense depends on the nature of the machines and the allowed tests. Specifically, we must ensure that machines that "behave" differently are associated different sets of test results. Since we are basically interested in the (visible) actions that a machine can perform, the decisive factor in distinguishing two machines is whether a tester can elicit a sequence of visible actions from one machine that the other machine is unable to perform. This notion of observable behaviour will be discussed more in sections 4 and 6.

We stress that there are four aspects to this scheme. There is a notion of test, which is applied to a machine. A test sequence is a repetition of such tests, possibly subjected to some constraints. Information about a sequence of tests, but not necessarily everything about it, is recorded in a test result. Finally, there is a notion of observational behaviour, which corresponds to what the tester tries to entice from the machine. This notion is not applied to a machine in isolation but rather to the conglomeration of a machine and tester, since performing an action, in general, will require cooperation of both a machine - which enables the corresponding button - and a tester - who pushes the button. In finding an adequate notion of test result or process, we will have succeeded in removing the explicit dependence on testers from the definition of behaviour of machines.

Since the timed failure model extends the original failure model, we will first present the latter as corresponding to a particular form of testing.

2.1. Non-timed failure testing⁵

A test result is obtained through a finite sequence of tests. The tester performs each individual test by simultaneously trying to push a (possibly empty) set of buttons. Only if an enabled button was pushed during the test may the tester proceed with the next test. He continues in this way until the test fails because no button in the selected set can be pushed. (By convention, a test consisting of an empty set of buttons always fails.) The corresponding test result is obtained by recording for every test the actions labeling the buttons that were enabled and for the last failing test the whole set of actions labeling the selected buttons. Since the failure set model does not allow actions to concur, test results can be rendered in the familiar form of failure pairs, $(s,X)$, where $s \in \Sigma^*$ traces the sequence of enabled buttons that were pushed and $X \subseteq \Sigma$ records the failure of the last test.

2.2. In transition to the timed failures model

Although this notion of testing is the proper one for CSP machines - it leads to a fully abstract model - it is inadequate for our purposes. To understand why, consider two vending machines which both dispense two brands of chocolate bars, Mars and Raider. The first machine exhibits the behaviour given by the CSP process

$(MARS \to STOP) \;\sqcap\; (RAIDER \to STOP) \;\sqcap\; STOP$,

and the second machine's behaviour is representable by

$((MARS \to STOP) \;\Box\; (RAIDER \to STOP)) \;\sqcap\; STOP$.

Here, $\sqcap$ denotes internal choice and $\Box$ external or controllable choice. The differences between the machines are as follows: the first machine may either dispense a Mars bar (provided a customer pulls the "Mars bar" knob), dispense a Raider bar (provided the "Raider bar" knob is pulled), or do nothing. And which it does is decided by the machine: while pulling the appropriate knob is necessary for obtaining a bar, it does not determine which bar the vending machine chooses to emit (if, indeed, the machine is so generous). On the other hand, the second machine is less dictatorial. Although it may also simply do nothing, if it does do something, what it does depends on the customer and the knob he pulls.

⁵ Not to be confused with I. Phillips's refusal testing [Phi86].

Obviously, any customer can distinguish between these two machines. A customer (who prefers Mars to Raider bars) simply pulls the "Mars bar" knob first and, if no candy appears, then pulls the "Raider bar" knob. When confronted with the first machine, the person may get three possible reactions: a Mars bar on the first trial, or no reaction on the first trial but a Raider bar on the second trial, or no reaction at all. With the second machine, however, only two reactions are possible: either a Mars bar appears on the first trial, or nothing happens at all. In other words, the observable behaviour that this particular tester may entice from the first machine but not from the second one is the appearance of a RAIDER bar.

On closer inspection, validity of this strategy depends on two assumptions: Firstly, the customer must be able to change his choice of candy bar, i.e., must be able to time-out his choice. Secondly, the customer must be sure that the vending machine - if it decides to respond at all - will respond within a fixed period of time, i.e., reacts with bounded delay. For the rest of this section, we assume that machines will react immediately to pushing enabled buttons.

Bounded delay and time-out of actions are part of ECP but not of CSP. Consequently, non-timed failure testing is unable to distinguish between the two vending machines, whereas we do want them distinguished. Indeed, the reader can easily determine that on trying to push the Mars-bar knob in both cases two eventualities ensue: either the knob can be pushed or it cannot be pushed. Likewise for trying to push the Raider-bar knob or both.

It is clear that for the proper notion of testing in this context, the tester must be allowed to proceed even if a test fails and, consequently, must be allowed to stop testing at any time. Next, we must decide on the proper notion of test result.

There are a number of possible ways to define a test result. We will discuss these now. The obvious choice is to try and stay as close as possible to the original notion. Since we want to time the occurrence of actions, it is clear that test results can no longer be captured using a sequence over $\Sigma$. Such sequences are now replaced by relations, $u$, that relate the enabled actions to the times at which the corresponding buttons were pushed. These relations also make it possible to record the concurrence of actions. Next, the failure set, $X$, is not well-defined any more because we now allow test sequences to proceed even if some individual tests fail. The perhaps most straightforward option is to retain the refused actions of the last test that failed. This leads to a first redefinition of test result:

a) Record for a test sequence the enabled actions with the times at which they were executed and record the refused actions and the time of the last test - if any - that failed. Hence, a test result is rendered as a pair, $(u,X)$, where both $u$ and $X$ relate time and actions and $X$ has either an empty or a singleton domain.

This notion suffices to distinguish the two vending machines (since they have bounded response time). The first machine's reaction to the strategy outlined above may give a test result $(\{(1, RAIDER)\}, \{(0, MARS)\})$ (assuming the customer pulls knobs at times 0 and 1) whereas no testing can entice this result from the second machine.

Although sufficient to distinguish vending machines, the notion is too weak in general. To illustrate this, consider the pairs of machines, $P_n, Q_n$ ($n \ge 0$), defined by the CSP-programs

$P_0 = a$, $Q_0 = b$

$P_{n+1} = (b \;\Box\; (a \to P_n)) \;\sqcap\; (c \;\Box\; (a \to Q_n))$, $Q_{n+1} = (b \;\Box\; (a \to Q_n)) \;\sqcap\; (c \;\Box\; (a \to P_n))$

We claim that a tester can distinguish between $P_n$ and $Q_n$ for any $n$. Indeed, $P_0$ and $Q_0$ are obviously distinguishable. Of the pair $P_{n+1}$ and $Q_{n+1}$, only $P_{n+1}$ can behave like $a \to P_n$ after the tester tried to push the $c$-button and found it disabled. The claim now follows by induction. More concretely, we can inductively define test sequences, $T_n$, by

$T_0 = a^1$, $T_{n+1} = c^1 \to a^1 \to T_n$,

where $a^1$ is ad-hoc notation for trying to push the $a$-button for 1 time unit. Under test sequence $T_n$, $P_n$ may perform $n+1$ $a$-actions without doing any other action. $Q_n$ can perform at most $n$ $a$-actions. To prolong the sequence, at least one $c$-action would have to occur.

With the current notion of test result we can only record the precise behaviour of $P_n$ for $n < 2$. For larger values of $n$, the refused actions of more than one failed test would have to be recorded. Indeed, the example programs show that arbitrarily extensive histories of failed tests have to be recorded. This leads to:

b) In addition to (a), record the refused actions and times of every failed test. With this notion, test $T_n$ applied to machine $P_n$ may give a test result

$(\{(2i+1, a) \mid i = 0..n-1\} \cup \{(2n, a)\},\; \{(2i, c) \mid i = 0..n-1\})$,

where we assumed that tests occur at every time unit. This test result is impossible to obtain from $Q_n$.

The above changes in test result reflect the increased sensitivity of our testing - specifically the possibility to continue testing even if a test fails - to different forms of nondeterministic behaviour. Note that all of the above machines are ordinary CSP machines.

Allowing - as we do - different actions of a machine to concur creates its own obstacles for a tester. Indeed, the current notion of test result is still not the one we need. Consider the machines

$P = a \;\|_{\emptyset}\; b$

$Q = ((a \to b) \;\Box\; (b \to a)) \;\sqcap\; P$

The intended meaning of $P$ is that it enables the $a$-button until it is pushed and likewise for the $b$-button.

We should want $P$ and $Q$ to be distinct since, if we try to push the $a$- and $b$-button simultaneously, only the first machine, $P$, guarantees that both actions are executed. If $Q$ decides to behave like $(a \to b) \;\Box\; (b \to a)$ then, obviously, only one of the two buttons can be found enabled. The suggested test is in fact the only one that can expose the difference between the machines. Since $Q$ may behave like $P$, the specific difference in observable behaviour is that $Q$ but not $P$ may react to the above test by doing only one of the two actions.

Our notion of test result, again, does not allow us to record the reaction of $Q$: because the test exposing this reaction did not fail, no refusal information is retained in the test result. A second modification is consequently needed:

c) In addition to (b), record the refused actions and times for tests that did not fail, too. Now, simultaneously pushing the $a$- and $b$-button at time 0 may lead to a test result $(\{(0,a)\}, \{(0,b)\})$ for $Q$. This can never be enticed from $P$.

With this change, a test result does not abstract anything anymore from a machine's reaction to a sequence of tests. We need one final extension, though; this time for a more technical reason: in order to properly treat sequential composition and the time-out of actions in section 3, we need to know the termination times of machines. To keep within the conceptual framework of this section, one can imagine machines to come equipped with a buzzer. The buzzer sounds as soon as the machine terminates, and the tester can decide to record the termination time or not. A tester stops testing as soon as the buzzer goes off. Let $\surd$ be a symbol that does not occur in $\Sigma$. Termination at time $t$ is recorded by appending a pair $(t, \surd)$ to the failure relation. Note, however, that termination is a positive event, unlike the other pairs in the failure relation. The next section formalizes these ideas.

2.3. Timed failure testing.

A test consists of pushing simultaneously a, possibly empty, set of buttons. A test result will be a pair, $(u,X)$, where both $u$ and $X$ are relations over time and actions. A test occurring at time $t$ contributes an event, $(t,a)$, to the event relation, $u$, if the $a$-button was found enabled and contributes a failure, $(t,a)$, to the failure relation, $X$, if the $a$-button was found disabled. Termination of the machine at time $t$ contributes an event $(t, \surd)$ to the failure relation and effectively ends the test sequence.

To turn this into a mathematical theory, we need to introduce some notation and definitions.

First, we introduce a time domain.

Definition 1: Time domain.

A time domain is a structure, $(TIME, <, +, 0)$, such that $<$ is a linear order which has a least element $0$ and $+$ an "addition" that for all $x, y \in TIME$ satisfies $x + y = y + x$, $x + 0 = x$, $x < y$ iff $\exists z \ne 0 \; x + z = y$, and $0 < x < y$ implies $\exists n \in \mathbb{N} \; y < n.x$, where $n.x$ stands for the $n$-fold addition of $x$ to $x$.

In particular, note that we can take the time domain to be the positive integers, rationals or reals with the natural ordering and addition. In the sequel we will occasionally use $<$ to relate sets of times to a time element in the natural way: e.g., $\{5, 8, 3.7\} < 10$. For ease of definition, we will use symbols $\infty$ and $-\infty$ and assume that $-\infty < TIME$ and that $TIME < \infty$.

Definition 2: event and failure sets.

Let $\Sigma$ be some finite set of actions and let $\surd \notin \Sigma$.

$FAIL = TRACE \cup \{X \cup \{(t, \surd)\} \mid X \in TRACE \wedge domain(X) < t\}$

TRACE is the set of event relations, with typical elements $u, v, w$. FAIL is the set of failure relations, with typical elements $X, Y, Z$.

To refer to the image or preimage of some element $x$ in a relation, $R$, we use $xR$ and $Rx$. E.g., if $X \in FAIL$ then $tX$ denotes the set of actions that can be refused at time $t$ and $Xa$ denotes the set of time instances at which the action $a$ can be refused. We extend this notation to refer to the image or preimage of a set in the obvious way so that, e.g., $X(\Sigma \cup \{\surd\})$ denotes the domain of $X$, $domain(X)$.

We introduce some notation and conventions:

Definition 3:

For $A \subseteq TIME$, let

• $\min A = t$ if $t \le A$ and $t \in A$; $\min A = \infty$ otherwise

• $\max A = t$ if $t \ge A$ and $t \in A$; $\max A = -\infty$ otherwise

• $\ulcorner u = \min(u\Sigma)$ (i.e., the time of the first action in $u$)

• $u \urcorner = \max(u\Sigma)$ (i.e., the time of the last action in $u$)

• $X_{\surd} = \min(X\surd)$ (i.e., the termination time in $X$)

• $\cdot^{t} : TIME \times (\Sigma \cup \{\surd\}) \to TIME \times (\Sigma \cup \{\surd\})$ is defined by $X^{t} = \{(t' + t, a) \mid (t', a) \in X\}$. We will let $X^{-\infty} = X^{\infty} = \emptyset$.

• $u;v = u \cup v$ if $u \urcorner < \ulcorner v$; $u;v$ is undefined otherwise.

We shall often write $uv$ instead of $u;v$. Unless indicated otherwise, the use of $uv$ in the sequel will implicitly constrain $v$ in such a way that $uv$ is defined; i.e., such that $u \urcorner < \ulcorner v$.

Finally, we may define our set of behaviours or test results. (A process will be a set of behaviours which satisfies certain conditions.)

Definition 4: Behaviours. $BEH = \{(u,X) \mid u \urcorner < X_{\surd}\}$.

A process P is the collection of all possible test results about a machine. From the above discussions it is clear that we can impose structure on such processes.

For instance, since one possible t.est is doing nothing. we have

(0,0) E P - - - -- - - ---- ----CTO)- - - .

If we can test the machine up to some time t , we can also test it up to some earlier time

(u;v,X) E P :::::? (u,Y) E P, whereY=X

n

{t It <";v}XI: (Tt)

The failure relation, y, is restricted to those failures that can be observed using the events in u.

I( ,

(15)

For the next law, remember that a test may leave a tester with incomplete informa-tion about the refusable events. Hence:

$(u,X) \in P$ and $Y \subseteq X \Rightarrow (u,Y) \in P$ (T2)

The following law is self-evident, though more difficult to state. It expresses that if a test result cannot be extended by some event, then the corresponding action can actually be refused.

$(u,X) \in P$, $(u;\{(t,a)\}, X) \notin P$ and $u_\surd \le t < X_\surd < \infty \Rightarrow (u, X \cup \{(t,a)\}) \in P$ (T3)

One could think of other laws that processes should satisfy. For instance, the processes in section 3 will also satisfy a "finite variability" condition: only finitely many actions can be executed in finite time (independent from the specific time domain). The above four laws suffice for our purposes, however, since all process operators are continuous for processes that satisfy these laws.

Definition 5: Process domain.

$PROC = \{P \mid P \subseteq BEH \wedge P \text{ satisfies T0, T1, T2 and T3}\}$.

The process domain also supports a cpo structure. This will be given in section 5.

3. PROCESSES AND COMBINATORS

In this chapter we introduce a variety of processes and operations on processes, and give some of the process equivalences induced by the definitions. The process operations include the traditional CSP ones. In particular we have the two choice operators, $\sqcap$ and $\Box$, the ($A$-synchronous) concurrency operator, $\|_A$, and the hiding operator, $\backslash a$. The parallel composition allows different actions to concur, though. As a consequence, there are two alternative semantics for the controllable or external choice, $\Box$. In addition, we introduce a bounded delay operator, $\#_t a$, and a broadcast concurrency operator, $|_A$. The delay operator bounds the delay of an enabled $a$-action to at most $t$ time units. The broadcast operator intends to model the communication mechanism of ESTEREL [BC85] and Statecharts [Har86]: a process that executes one of the broadcast actions in $A$, the set subscripting the operator, can do so voluntarily but forces any other process that can also execute the action to synchronize.

All operators defined here are continuous w.r.t. a suitable ordering, so that processes can be recursively defined, too. Continuity and well-definedness of these operators is treated in section 5. Remember that we restrict ourselves to discrete time.

Definition 6: Failure closure.

$FC : \mathcal{P}(BEH) \to \mathcal{P}(BEH)$ maps a set of behaviours onto the smallest superset of behaviours that satisfies law T2.

3.1. Basic processes

3.1.1. STOP

STOP is the process that will refuse every action offered and that does not terminate.

It is usually taken to represent the deadlocked process. So

$STOP = \{(\emptyset, X) \mid X \in TRACE\}$

For future use we introduce a predicate on processes.

Definition 7: Unresponsiveness.

For any process $P$ define the predicate $P{\uparrow}$ by $P{\uparrow}$ iff $STOP \subseteq P$.

If $P{\uparrow}$ holds, then $P$ has a possibility to be unresponsive, i.e., to refuse doing anything. Next, we introduce two processes, EMPTY and CHAOS, that exhibit respectively no behaviour at all and every possible behaviour.

3.1.2. EMPTY

$EMPTY = \{(\emptyset,\emptyset)\}$

3.1.3. CHAOS

$CHAOS = \{(u,X) \mid u \in TRACE \wedge X \in FAIL \wedge u_\surd < X_\surd\}$

3.1.4. WAIT t

This process does nothing until it terminates at time $t$. Thus, it is able to refuse any event at times $t' < t$, but terminates at time $t$. So,

$WAIT\ t = \{(\emptyset, X) \mid X \in FAIL \wedge X_\surd \in \{t, \infty\}\}$

Remember that $X_\surd = \infty$ indicates absence of knowledge about the termination time rather than divergence.

Observe that $WAIT\ 0 = FC(\{(\emptyset, \{(0,\surd)\})\})$. In contrast with EMPTY, WAIT 0 has some behaviour: it terminates.

For the next two processes, we have to determine their execution time. So, let $T$ be a subset of the time domain $TIME$ such that $0 \notin T$. We will assume that execution of any of these processes will terminate after some time $t \in T$ has elapsed. The reader will notice that introducing a set $T$ of termination times instead of assuming termination after, say, 1 time unit is a rather cheap generalization. It does show, however, the independence of the model from the execution times of actions.

3.1.5. SKIP

SKIP takes t time units to perform for some t E T, whereupon it terminates having done nothing.

$SKIP = \{(\emptyset, X) \mid X \in FAIL \wedge X_\surd \in T \cup \{\infty\}\}$

3.1.6. Actions

For any $a \in \Sigma$, there is a process $a$. One can imagine this process as a machine doing one of two things: if the tester never tries to press the $a$-button, no event occurs; and if the tester does try, an $a$-event occurs after which the process terminates. So, we get

$a = \{(\emptyset, X) \mid X \in TRACE \wedge \forall t: a \notin {}_tX\} \cup \{(\{(t,a)\}, X) \mid X \in FAIL \wedge X_\surd \in \{\infty\} \cup t+T \wedge \forall t' < t: a \notin {}_{t'}X\}$,

where $t+T$ is defined in the obvious way.

Observe that between the occurrence of the event and termination, the process refuses every action.

3.1.7. Action aggregates

There is a straightforward generalization of action processes. A process, $a$, corresponds to a machine that refuses anything but pushing the $a$-button. Likewise, a process $\{a,b,c\}$ will correspond to a machine that refuses everything except simultaneously pushing the $a$-, $b$- and $c$-button.

So, with every finite, non-empty set of actions, $A \subseteq \Sigma$, there corresponds an action-aggregate process, $A$, defined as

$A = \{(\emptyset, X) \mid X \in TRACE \wedge \forall t: A \not\subseteq {}_tX\} \cup \{(\{t\} \times A, X) \mid X \in FAIL \wedge X_\surd \in \{\infty\} \cup t+T \wedge \forall t' < t: A \not\subseteq {}_{t'}X\}$

3.2. Process combinators

3.2.1. Sequencing, P;Q

Occasionally, we will also write this as $P \to Q$. The process $P;Q$ behaves like $P$ until it terminates, after which it behaves like $Q$:

$P;Q = \{(u,X) \mid (u,X) \in P \wedge X \in TRACE\} \cup \{(u \cup v{\uparrow}t, X \cup Y{\uparrow}t) \mid X_\surd = \infty \wedge (u, X \cup \{(t,\surd)\}) \in P \wedge (v,Y) \in Q\}$

Process equivalences

Obviously, sequencing is associative: $(P;Q);R = P;(Q;R)$. It has WAIT 0 as a "unit", and EMPTY, CHAOS and STOP as "left-zeros":

$WAIT\ 0;P = P;WAIT\ 0 = P$, $EMPTY;P = EMPTY$, $CHAOS;P = CHAOS$, $STOP;P = STOP$

3.2.2. Internal choice, $P \sqcap Q$

This is a non-deterministic choice between $P$ and $Q$, and as usual is defined by $P \sqcap Q = P \cup Q$

Process equivalences

Like in the non-timed case, $\sqcap$ is commutative, associative, and idempotent; it has CHAOS as a zero. In this model it has a unit, too: EMPTY. So,

$P \sqcap Q = Q \sqcap P$, $(P \sqcap Q) \sqcap R = P \sqcap (Q \sqcap R)$, $P \sqcap P = P$, $P \sqcap CHAOS = CHAOS$, $P \sqcap EMPTY = P$
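As an added example (not the paper's own code), the following Python builds Definitions 3 to 7 and the laws T0 to T3 over a finite time horizon, checks the basic processes against the laws, and reproduces the equivalences WAIT 0;P = P, STOP;P = STOP, P ⊓ CHAOS = CHAOS and μx.(WAIT 1 → x) = STOP of sections 3.2.1, 3.2.2 and 3.2.6. The horizon H, the execution-time set T = {1}, the reading of FAIL (refusals strictly before a single termination pair) and the restriction of WAIT t to refusals before t are assumptions made here, not statements of the paper.

```python
"""Finite-horizon model of the timed failures of sections 2 and 3 (added example, not the
paper's own code).  Assumptions the paper does not make: discrete time stops at a horizon
H, so TIME = {0,..,H-1} and every process is a finite set; T = {1}; FAIL (defined in the
paper's section 2, not shown here) is read as holding at most one termination pair with
every refusal strictly before it; and WAIT t records refusals only at times before t."""
from itertools import combinations

INF = float("inf")
TICK = "tick"   # the termination symbol (a check mark in the paper)

def powerset(items):
    items = sorted(items)
    return [frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k)]
def first(u):   # time of the first action in u (+inf if u is empty)
    return min((t for t, _ in u), default=INF)
def last(u):    # time of the last action in u (-inf if u is empty)
    return max((t for t, _ in u), default=-INF)
def term(X):    # termination time recorded in X (+inf: not known)
    return min((t for t, a in X if a == TICK), default=INF)
def seq(u, v):  # u;v, defined only when u ends strictly before v starts
    return u | v if last(u) < first(v) else None
def shift(R, t):   # R shifted forward by t time units (the paper's R^t)
    return frozenset((t2 + t, a) for t2, a in R)

def trace_rels(H, sigma):   # TRACE: all subsets of TIME x Sigma
    return powerset({(t, a) for t in range(H) for a in sigma})
def fail_rels(H, sigma):    # FAIL: a trace relation plus an optional later termination pair
    rels = set(trace_rels(H, sigma))
    rels.update(X | {(t, TICK)} for X in trace_rels(H, sigma) for t in range(H) if last(X) < t)
    return rels

def STOP(H, sigma):         # refuses everything, never terminates
    return frozenset((frozenset(), X) for X in trace_rels(H, sigma))
EMPTY = frozenset({(frozenset(), frozenset())})
def CHAOS(H, sigma):        # every behaviour (u, X) with u_tick < X_tick
    return frozenset((u, X) for u in trace_rels(H, sigma)
                     for X in fail_rels(H, sigma) if last(u) < term(X))
def WAIT(t, H, sigma):      # refuse anything before t, terminate at t (or termination unknown)
    return frozenset((frozenset(), X) for X in fail_rels(H, sigma)
                     if term(X) in (t, INF) and last(X - {(t, TICK)}) < t)
def action(a, H, sigma):    # the process a: a is never refused before it happens at t, done at t+1
    idle = {(frozenset(), X) for X in trace_rels(H, sigma) if all(b != a for _, b in X)}
    done = {(frozenset({(t, a)}), X) for t in range(H) for X in fail_rels(H, sigma)
            if term(X) in (INF, t + 1) and all(t2 >= t or b != a for t2, b in X)}
    return frozenset(idle | done)

def failure_closure(S):     # Definition 6: smallest superset closed under law T2
    return frozenset((u, Y) for u, X in S for Y in powerset(X))
def unresponsive(P, H, sigma):   # Definition 7: P may refuse everything
    return STOP(H, sigma) <= P
def sequencing(P, Q, H):    # P;Q: Q starts, shifted, when P terminates (internal choice is P | Q)
    R = {(u, X) for u, X in P if term(X) == INF}
    for u, X in P:
        t = term(X)
        if t == INF:
            continue
        for v, Y in Q:
            w, Z = u | shift(v, t), (X - {(t, TICK)}) | shift(Y, t)
            if all(t2 < H for t2, _ in w | Z):   # behaviours past the horizon are dropped
                R.add((w, Z))
    return frozenset(R)

def check_laws(P, H, sigma):
    """Names of the laws T0-T3 of Definition 5 that the behaviour set P violates."""
    bad = set()
    if (frozenset(), frozenset()) not in P:
        bad.add("T0")
    for u, X in P:
        for s in range(H + 1):                    # T1: write u = u1;v, split at time s
            u1 = frozenset(e for e in u if e[0] < s)
            Y = frozenset((t, a) for t, a in X if t < first(u - u1) and a != TICK)
            if (u1, Y) not in P:
                bad.add("T1")
        if any((u, Y) not in P for Y in powerset(X)):   # T2: refusal knowledge may be partial
            bad.add("T2")
        for t in range(H):                        # T3: what cannot extend u is refusable
            if last(u) <= t < term(X) < INF:
                for a in sigma:
                    ext = seq(u, frozenset({(t, a)}))
                    if (ext is None or (ext, X) not in P) and (u, X | {(t, a)}) not in P:
                        bad.add("T3")
    return bad

def recursion(body, H, sigma):
    """mu x.P of section 3.2.6: P^0 = CHAOS, P^(i+1) = P[WAIT 1;P^i / x], intersected."""
    approximants = [CHAOS(H, sigma)]
    while True:
        nxt = body(sequencing(WAIT(1, H, sigma), approximants[-1], H))
        if nxt == approximants[-1]:
            return frozenset.intersection(*approximants)
        approximants.append(nxt)

if __name__ == "__main__":
    print(check_laws(action("a", 2, ("a", "b")), 2, ("a", "b")) or "a satisfies T0-T3")
```

With H = 2 and Σ = {a, b} the fixpoint of μx.(WAIT 1 → x) computed by `recursion` is exactly `STOP`, as section 3.2.6 states.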

3.2.3. Controllable choice, $P \Box Q$

The controllable choice is most easily defined in two stages. First we define a left controllable choice $P \,\dot\Box\, Q$ which favours doing the actions of the first argument; by symmetry we arrive at the final definition:

$P \Box Q = P \,\dot\Box\, Q \cup Q \,\dot\Box\, P$

The intended meaning of $P \,\dot\Box\, Q$ is that if $P$ can do an action or can terminate no later than $Q$ does, $P \,\dot\Box\, Q$ will behave like $P$; otherwise it will do nothing.

$P \,\dot\Box\, Q = \{(u,X) \in P \mid Q{\uparrow}\} \cup FC(\{(u,Z) \mid \exists X, v, Y: (u,X) \in P \wedge (v,Y) \in Q \wedge (v \cup Y\surd = \emptyset \Rightarrow u \cup X\surd = \emptyset) \wedge \min({}_\surd u, X_\surd) \le \min({}_\surd v, Y_\surd) \wedge \forall t: {}_tZ = {}_tX \cap {}_tY \text{ if } t < \min({}_\surd u, X_\surd),\ {}_tZ = {}_tX \text{ otherwise}\})$

An alternative definition

Consider the process $R = a \Box \{a,b\}$. The reader will easily see that $(\{(0,a)\}, \{(0,b)\}) = (\{(0,a)\}, \{(0,b)\}) \,\dot\Box\, (\{(0,a),(0,b)\}, \emptyset) \in a \Box \{a,b\}$. Here we have used the obvious extension of $\Box$ from processes to behaviours. In other words, when offered an $a$ and a $b$ event at time 0, the process may decide to do the $a$ event but may refuse to do the $b$ event. One could wish this not to be true and want that a process should always execute as many actions as it can. This leads to an alternative definition of $\Box$. It is obtained from the older one through changing the definition of the failure relation $Z$ into

$\forall t: {}_tZ = {}_tX \cap {}_tY$ if $t < \min({}_\surd u, X_\surd)$; ${}_tZ = {}_tX \cap {}_tY$ if $t = {}_\surd u \wedge {}_tu \subseteq {}_{\surd v}v$; ${}_tZ = {}_tX$ otherwise.

Observe that now $(\{(0,a)\}, \{(0,b)\}) \notin a \Box \{a,b\}$, since $\{a\} \subset \{a,b\}$, so that at time 0 we are forced to take the intersection of the failure sets: $(\{(0,a)\}, \emptyset) \in a \Box \{a,b\}$.

In the sequel, any unqualified occurrence of $\Box$ will refer to either definition.

Program equivalences

In our model, the controllable choice, irrespective of either definition, satisfies the same axioms as in the non-timed failures model. Hence, it is commutative, associative, idempotent and has STOP as a unit. Moreover, it distributes over the internal choice:

$P \sqcap (Q \Box R) = (P \sqcap Q) \Box (P \sqcap R)$, $P \Box (Q \sqcap R) = (P \Box Q) \sqcap (P \Box R)$

EMPTY acts as a zero element: $P \Box EMPTY = EMPTY$. Although we do have $(P \Box Q);R = P;R \Box Q;R$, obviously ";" does not distribute "from the left": $P;(Q \Box R) \ne P;Q \Box P;R$.

Time-out of actions

Using the controllable choice, we can program actions to time-out. As an example, the process $a \Box WAIT\ 1$ is prepared to do an $a$-action for one time period. If one time period passes and no $a$-action is offered, the process times out and terminates. Indeed, according to the definition of $\Box$, $(\{(t,a)\}, X) \,\dot\Box\, (\emptyset, Y \cup \{(1,\surd)\}) = \emptyset$ if $t > 1$, since $\min(t, X_\surd) \ge t > 1$ in that case.

3.2.4. B-synchronous concurrency, $P \|_B Q$

This combinator forces $P$ and $Q$ to synchronize on actions in $B$. $P$ and $Q$ may but need not synchronize on other actions. In contrast with the non-timed concurrency operator of CSP, here separate actions can and will occur simultaneously.

The definition is very close to the non-timed definition of [Old86]. We need some additional notation and define

• $U_B = U \cap (TIME \times (B \cup \{\surd\}))$,

• $U_\Sigma = U \cap (TIME \times \Sigma)$,

• $U \sqcap V = (U_{U_\surd} \cap V_{V_\surd}) \cap ((U \cup V)\Sigma \times \Sigma \ \cup\ (U \cup V)\surd \times \{\surd\})$, and

• $U(B)V = (U \cup V)_B \cup (U \sqcap V)_{\Sigma \setminus B}$.

Now, $\|_B$ is defined as follows:

$P \|_B Q = \{(u \cup v, Z) \mid \exists X, Y, W: (u,X) \in P \wedge (v,Y) \in Q \wedge u_B = v_B \wedge W = X(B)Y \wedge Z = W \text{ if } X_\surd = Y_\surd \text{ or } \max(X_\surd, Y_\surd) = \infty,\ Z = W \setminus \{(W_\surd, \surd)\} \text{ otherwise}\}$

Observe that $P \|_B Q$ terminates when both $P$ and $Q$ have terminated.

Process equivalences

Similar to the non-timed case, $\|_B$ is commutative, associative and distributes over choice:

$P \|_B Q = Q \|_B P$, $P \|_B (Q \|_B R) = (P \|_B Q) \|_B R$, $P \|_B (Q \circ R) = (P \|_B Q) \circ (P \|_B R)$ for $\circ \in \{\sqcap, \Box\}$

We also have $P \|_\Sigma STOP = STOP$ and $P \|_\emptyset STOP = P$.

Definability of $\|_B$

In virtually every algebraic model, concurrency or parallelism is reduced to nondeterministic choice. Notable exceptions are [BoC87] and [GV87]. In the timed failure model, definability of $\|_B$ depends on whether actions correspond to point events or not.

For example, if we take $TIME = \mathbb{N}$ and $T = \{1\}$, then a process $a \|_\emptyset b$ will essentially offer a choice between behaving like $a \to b$, or like $\{a,b\}$, or like $b \to a$, depending on what the environment offers. In other words, it seems that we should have

$a \|_\emptyset b = a \to b \ \Box\ \{a,b\} \ \Box\ b \to a$

This is in fact true, provided the second variant of $\Box$ is taken. The first variant does not ensure that the right-hand side in the equation will react properly when offered an $a$ and a $b$ action simultaneously.

On the other hand, if actions can (partially) overlap in time, then obviously such a reduction is no longer possible. This fully agrees with our extensional point of view, since only in this case can a tester notice that there is concurrency (provided he knows the minimal execution time of actions).

3.2.5. Broadcast concurrency, $P |_B Q$

The previous operator demands synchronization of $P$ and $Q$ on every $B$-action. The broadcast operator only demands synchronization of those processes that can do a $B$-action. Specifically, if $P$ performs some $B$-action at time $t$, then $Q$ may refrain from doing so, provided it can actually refuse the action at time $t$. Hence,

$P |_B Q = FC(\{(u \cup v, Z) \mid \exists X, Y, W: (u,X) \in P \wedge (v,Y) \in Q \wedge u_B \subseteq v \cup Y \wedge v_B \subseteq u \cup X \wedge W = X \sqcap Y \wedge Z = W \text{ if } X_\surd = Y_\surd \text{ or } \max(X_\surd, Y_\surd) = \infty,\ Z = W \setminus \{(W_\surd, \surd)\} \text{ otherwise}\})$

Process equivalences

Like $\|_B$, $|_B$ is commutative, associative and distributes over choice. Moreover, we have

$P |_\Sigma EMPTY = EMPTY$, $P |_B STOP = P$

To illustrate the difference between the two concurrency operators, observe that $a |_{\{a\}} WAIT\ 1 \to a \ne WAIT\ 1 \to a$. In fact, if $TIME = \mathbb{N}$ and $T = \{1\}$ then

$a |_{\{a\}} WAIT\ 1 \to a = WAIT\ 1 \to a \ \Box\ a \to a = (WAIT\ 1 \ \Box\ a) \to a$

3.2.6. Recursion

Since all operators are continuous, processes can be defined recursively in the standard way. As notation we use $\mu x.P$, where $P$ is some process description in which $x$ may be used (see section 3.3). As an example, $\mu x.(WAIT\ 1 \to x)$ will denote the process that is continuously willing to do nothing, i.e., that diverges.

For the definition, assume that a recursive "call" takes 1 time unit and define $P^i$ by $P^0 = CHAOS$ and $P^{i+1} = P[WAIT\ 1;P^i / x]$, where $[\cdot / x]$ denotes a substitution for $x$. Then section 5 shows that we can define $\mu x.P$, as usual, by

$\bigcap_{i \ge 0} P^i$.

So, $(WAIT\ 1 \to x)^i = WAIT\ i \to CHAOS$, $i \ge 1$, and hence $\mu x.(WAIT\ 1 \to x) = STOP$. I.e., in the timed failure model, (silent) divergence is equivalent with STOP, the process that usually denotes (irrevocable) deadlock. We feel that this is a sensible equivalence to have. Indeed, no testing can entice different behaviour from the two processes. We will have more to say about this in section 6.

3.2.7. Bounded delay, $P \#_t a$

This operator imposes a delay of at most $t$ on any enabled action $a$. For its definition we just require that if $a$ is not in the refusal relation for a period of $t$ time units, then $a$ will be in the event relation on that time instance:

$P \#_t a = FC(\{(u,X) \in P \mid \forall \bar t: (\forall t': \bar t - t \le t' \le \bar t \to a \notin {}_{t'}X) \to a \in {}_{\bar t}u\})$

Process equivalences

First, $(P \#_t a) \#_{t'} b = (P \#_{t'} b) \#_t a$. This justifies bounding the delay of singleton actions and the use of $\#_t A$ for $A \subseteq \Sigma$. Next, $\#_t$ distributes over choice:

$(P \circ Q) \#_t a = (P \#_t a) \circ (Q \#_t a)$ for $\circ \in \{\sqcap, \Box\}$.

Obviously, $\#_t a$ does not distribute over $\|_B$: $(a \|_a b) \#_t a = b \to STOP$ but $(a \#_t a) \|_a (b \#_t a) = EMPTY$. The operator does distribute over $|_B$:

$(P |_B Q) \#_t a = P \#_t a \ |_B\ Q \#_t a$

In combination with $\|_B$, $\#_t a$ acts as a synchronizer. Again, let $TIME = \mathbb{N}$ and $T = \{1\}$ and consider the process $P = \mu x.(a \#_0 a \to x)$. Then $P \|_a Q$ will force $Q$ to synchronize on every other time instant.

Finally, observe that we can introduce a concurrency operator, $\tilde\|_B$, that maximalizes activity in the parallel components by

$P \tilde\|_B Q = (P \|_B Q) \#_0 B$.

This corresponds to the notion of concurrency that was used in [Bou86, HGR87] to give meaning to Occam-like languages and in [KSRGA85] to an Ada-dialect.

3.2.8. Hiding, $P \backslash a$

Hiding of event $a$ is defined as follows:

$P \backslash a = FC(\{(u \backslash a, Y) \mid (u,X) \in P \wedge X_\surd = Y_\surd \wedge \forall t \le \max(X\Sigma \cup X\surd \setminus \{\infty\}): {}_tY = {}_tX \cup \{a\}\})$, where $u \backslash a = u \cap (TIME \times \Sigma \setminus \{a\})$.

An alternative definition of hiding, $P / a$.

With the above definition of hiding, the following equivalence holds: $a \backslash a = \mu x.(x \sqcap SKIP)$.

In particular, note that $(a \backslash a){\uparrow}$ is true. Now, hiding turns actions into internal ones and hence should constrain them to be executed immediately. From this point of view, the above equivalence and the unresponsiveness are undesirable.

A hiding operator, which we denote by $/a$, that behaves better in this respect is definable in terms of the existing combinators:

$P / a = (P \#_0 a) \backslash a$.

Now, we have that $a / a = SKIP$ and that $(a / a){\uparrow}$ does not hold.

Process equivalences

$(P \backslash a) \backslash b = (P \backslash b) \backslash a$, $(P \backslash a) \backslash a = P \backslash a$, $(P \sqcap Q) \backslash a = P \backslash a \sqcap Q \backslash a$, $STOP \backslash b = STOP$

We also have $(P \backslash a) \#_t a = P \backslash a$ and, if $A' = A \setminus \{a\}$, then $A \backslash a = A'$. These laws also hold for the alternative hiding operator.

3.3. The language ECP

Define a signature $s = (STOP, SKIP, WAIT\ t, a, A, \sqcap, \Box, \|_A, |_A, \#_t a, \backslash a)$, where $a \in \Sigma$, $A \subseteq \Sigma$, $t \in TIME$. Let $Var = \{x, y, z, \ldots\}$ be a (denumerable) set of variables and let $X, Y, \ldots$ denote finite subsets of $Var$. Then, $Tms[X]$ denotes the term-algebra over the signature $s \cup X$, and the languages $ECP(X)$ are inductively defined by

(1) $Tms[Y] \subseteq ECP(X)$ provided $Y \subseteq X$

(2) $P \in ECP(X) \Rightarrow \mu x.P \in ECP(Y)$ provided $X \setminus \{x\} \subseteq Y$

We shall write $Tms$ for $Tms[\emptyset]$.

Definition 8: Extended communicating processes. $ECP = ECP(\emptyset)$

Section 3.2 defines a compositional semantics, $D: ECP \to PROC$, in the obvious way. By convention, $P$ and $Q$ will stand for ECP-terms, $\mathbf{P}$ and $\mathbf{Q}$ for the processes they denote, and hence $D(P) = \mathbf{P}$ for all $P \in ECP$.

4. FULL ABSTRACTION

This section is based on [Bou85, HGR87]. For any program, $P$, we fix its observational behaviour, $O(P)$, as follows:

$O(P) = \{u \mid \exists X: (u,X) \in \mathbf{P}\}$

I.e., we can only observe the occurrence of the visible actions directly. All other information, such as termination and deadlock, must be derived from this (through suitable experiments). We will have more to say about this choice in section 6.

The reader might be worried that the observational behaviour is not defined in an independent way, as is usually done, using an operational semantics. Although formally unnecessary, it can be done and has been done for a related, OCCAM-like language in [HGR87].

Full abstraction can be introduced now as a principle of parsimony: find a compositional semantics or morphism, $F: Tms \to PROC$, that respects the equivalence induced by $O$ and that is the "smallest" such morphism in a well-defined sense. In our context, the characterization implied by the following theorem makes more intuitive sense.

Theorem 1:

$D: Tms \to PROC$ is "fully abstract". I.e.,

$\forall P, Q \in Tms: D(P) \ne D(Q)$ iff $\exists C(x) \in Tms[x]: O(C(P)) \ne O(C(Q))$,

where $C(P)$ denotes the program obtained by substituting $P$ for every occurrence of $x$ in $C(x)$.

In the terms of section 2, testing of machines $P$ and $Q$ is done by embedding them in a larger machine, $C(x)$, and by observing the sequences of actions that $C(P)$, respectively $C(Q)$, engage in.

The reader will wonder why we "restricted" ourselves to $Tms$, i.e., to non-recursive ECP-programs. The reason is the continuity of the morphism $D$. Intuitively, continuity implies that the behaviour of a recursive process $\mu x.P$ is completely given by its finite approximants $P^i$ ($i \in \omega$). Specifically: $D(\mu x.P) \ne D(\mu x.Q)$ iff $P^i \ne Q^j$ for some $i$ and $j$. Note that $P^i, Q^i \in Tms$.

Full abstraction of the model relies on the following lemma.

Lemma 1 [HGR87]:

Let $P \in Tms$, $Q \in Tms$, $(u,X) \in \mathbf{P} \setminus \mathbf{Q}$ and $A = TIME\,u \cup TIME\,X \subseteq \Sigma$. Then there is a process, $L \in Tms$, and a failure relation, $Y$, such that

• $(u,Y) \in \mathbf{L}$

• $\forall (u,Y') \in \mathbf{L}: Y' \subseteq Y$ (i.e., $Y$ is maximal)

• $Y_\surd = X_\surd$

• $\forall t < X_\surd: {}_tY = A \setminus {}_t(X \cup u)$

Obviously, the existence of such an $L \in Tms$ depends on the fact that every process associated with a $Tms$-term satisfies the finite variability condition mentioned in section 2. The only non-trivial case is when $\Sigma \ne \emptyset$.

Now, let $(u,X) \in \mathbf{P} \setminus \mathbf{Q}$ and define a context, $C(x) \in Tms[x]$, by $C(x) = ((x;a \ \|_{\Sigma \setminus \{a\}}\ L) \#_0 (\Sigma \setminus \{a\})) \|_{\{a\}} a$, where $a$ is an action that does not occur in either $P$ or $Q$. Although $\Sigma$ is a finite set, the existence of such an action is a harmless assumption to make (remember, $\Sigma \ne \emptyset$).

First observe that $(u,\emptyset) \in \mathbf{C(P)}$. Next, observe that if $(u,\emptyset) \in \mathbf{C(Q)}$ then there must be a $(u,Z) \in \mathbf{Q}$ such that $\forall t < Z_\surd: A \setminus {}_tu \subseteq {}_tZ \cup A \setminus {}_t(u \cup X)$ and hence, such that $\forall t < Z_\surd: {}_tX \subseteq {}_tZ$. If $Z_\surd = X_\surd$, then we have that $X \subseteq Z$. Contradiction through law T2. If $Z_\surd \ne X_\surd$, then we can see a difference in the times at which the $a$-actions occur.

An analysis of the proof shows that $D$ is already fully abstract with respect to a smaller signature. Specifically, the program $L$ can be defined over a signature $s_1 = (a \Box WAIT\ 1, ;)$, where $a \in \Sigma$. Hence, $C(x)$ can be defined over the signature $s_2 = s_1 \cup (a, \|_A, \#_0)$, where $a \in \Sigma$ and $A \subseteq \Sigma$. In other words, the timed failure model is already fully abstract for any language that has actions, sequential and synchronous concurrent composition, zero delay of enabled actions and time-outs.

Moreover, we constructed a separating context for an arbitrary behaviour in the difference of two processes. So, the model remains fully abstract if we add any well-defined operator, i.e., if we add any operator that obeys the process laws, provided the operator additionally satisfies the finite variability condition of section 2.

5. WELL-DEFINEDNESS AND CONTINUITY OF THE PROCESS OPERATORS

One of the things we have to show is that the meaning of recursive terms, $\mu x.P$, is well-defined. For this, we show that $PROC$ can be turned into a cpo.

Theorem 2:

$(PROC, \sqsubseteq, \bot)$ is a cpo, where $\sqsubseteq$ is defined by $P \sqsubseteq Q$ iff $P \supseteq Q$ and $\bot = CHAOS$.

Proof:

Clearly, $\bot \in PROC$ and $\bot \sqsubseteq P$ for any $P \in PROC$. The proof that $\sqsubseteq$ is a partial order is left to the reader. Next, let $P_0 \sqsubseteq P_1 \sqsubseteq P_2 \sqsubseteq \ldots$ be a chain of processes in $PROC$ and define $P = \bigsqcup P_i$. Obviously, $P = \bigcap P_i$. Since $\bigcap_{i \le n} P_i = P_n \in PROC$ for any $n$, $P \in PROC$ provided $P \ne \emptyset$. As $(\emptyset,\emptyset) \in P_i$ for any $i$, this is always the case and consequently any directed set has a least upper bound.

Next, we show that the process operators are well-defined.

Definition 9: Maximality.

For any $(u,X) \in P \in PROC$, call $X$ maximal for $u$ in $P$ iff $X' \subseteq X$ for every $(u,X') \in P$.

Theorem 3:

The operators $;$, $\sqcap$, $\dot\Box$, $\Box$, $\|_A$, $|_A$, $\#_t a$ and $\backslash a$ are all well-defined.

Proof:

We only treat the $\dot\Box$ and $\#_t a$ operators. Let $P, Q \in PROC$.

• $P \,\dot\Box\, Q \in PROC$: We take the second definition of $\Box$. Let $R = P \,\dot\Box\, Q$ and observe that $R \subseteq P$. By definition of $\dot\Box$, $R$ satisfies law T0. Next, $(uv,X) \in R$ implies $(uv,X) \in P$ and hence $(u,Y) \in P$, where $Y = X \cap (\{t \mid t < {}_\surd v\} \times \Sigma)$. We may assume that $u \cup Y \ne \emptyset$, since T0 holds. Now, $(uv,X) \in R$ also implies that $(uv,X) = (uv,X) \,\dot\Box\, (w,Z)$ for some $(w,Z) \in Q$. By definition of $\dot\Box$, then also $(u,Y) = (u,Y) \,\dot\Box\, (w,Z) \in R$ and law T1 is satisfied, too. Law T2 holds by definition. Finally, we turn to law T3. Take some $(u,X) \in R$ and fix a $t < X_\surd < \infty$ with $t \ge (u \cup X)_\surd$. Let $(\bar u, X) \notin R$ where $\bar u = u \cup \{(t,a)\}$. Define $\bar X = X \cup \{(t,a)\}$. Again, $(u,X) = (u,X) \,\dot\Box\, (v,Y)$ for some $(v,Y) \in Q$. Now $(\bar u, X) \notin P$, since otherwise $(\bar u, X) = (\bar u, X) \,\dot\Box\, (v,Y) \in R$. By T3 (and the fact that $P \in PROC$), this implies that $(u, \bar X) \in P$.

If $t > \min({}_\surd u, X_\surd)$, then $(u,\bar X) = (u,\bar X) \,\dot\Box\, (v,Y) \in R$. If $t \le \min({}_\surd u, X_\surd)$ then by definition of $t$ we must have $(u \cup X)_\surd \le {}_\surd u = u_\surd = t$. W.l.o.g., we may assume that $Y$ is maximal for $v$ in $Q$. Obviously, the only interesting case is where $a \notin {}_tY$. Now, let $\bar Y = Y \cap (\{t' \mid t' \le t\} \times \Sigma)$. Since $t \le {}_\surd v$ and $Y_\surd > t$, $(\emptyset, \bar Y) \in Q$ by law T1 and hence $(\{(t,a)\}, \bar Y) \in Q$ by maximality of $Y$ and law T3. But then $(u,\bar X) = (u,\bar X) \,\dot\Box\, (\{(t,a)\}, \bar Y) \in R$ because ${}_tu \not\subseteq \{a\}$.

• $P \#_t a \in PROC$: Let $R = P \#_t a$. By definition, $R$ satisfies laws T0 and T2. Let $(u;v, X) \in P \#_t a$ with $u_\surd < {}_\surd v$. W.l.o.g., we may assume $X$ to be maximal for $u$ in $P \#_t a$. Then, $(u;v, X) \in P$ and hence $(u,X) \in P$, from which $(u,X) \in P \#_t a$ and satisfaction of law T1 follows. For law T3, let $(u,X) \in R$ but $(\bar u, X) \notin R$, where $\bar u = u;\{(t,a)\}$ and $u_\surd \le t < X_\surd < \infty$. From $(\bar u, X) \notin R$, we obtain that $(\bar u, X) \notin P$ because extending $u$ makes it easier to meet the constraints imposed by the combinator. Since $P \in PROC$, this implies that $(u,\bar X) \in P$, where $\bar X = X \cup \{(t,a)\}$, and hence that $(u,\bar X) \in R$ because extending $X$ weakens the constraints.

Next, we show continuity.

Theorem 4:

Proof:

We only give proofs for $\Box$, $\#_t a$ and $\backslash a$.

Let $P_0 \sqsubseteq P_1 \sqsubseteq P_2 \sqsubseteq \ldots$ be a chain in $PROC$; let $P = \bigcap_i P_i$ and $Q \in PROC$.

• $\bigcap_i (P_i \Box Q) = P \Box Q$: Let $R_i = P_i \Box Q$ and $R = \bigcap_i R_i$. Take some $(u,X) \in P \Box Q$. Then, $(u,X) = (v,Y) \Box (w,Z)$ for some $(v,Y) \in P$ and $(w,Z) \in Q$. Since $P \subseteq P_i$ for all $i$, $(v,Y) \in P_i$ and hence $(u,X) \in R_i$ for all $i$. From this we conclude that $(u,X) \in R$.

For the other direction, let $(u,X) \in R$. Then for all $i$, there are $(v_i, Y_i) \in P_i$ and $(w_i, Z_i) \in Q$ such that $(u,X) \in (v_i, Y_i) \Box (w_i, Z_i)$. If $(u,X) \in P$ then $(u,X) \in (u,X) \Box (w_0, Z_0) \subseteq P \Box Q$. If $(u,X) \notin P$, then there is a set $I$ of infinite cardinality such that for all $j \in I$: $(u,X) = (w_j, Z_j) \,\dot\Box\, (v_j, Y_j)$. Hence, $w_j = u$ for $j \in I$ and because of law T2, we may take $Z_j = X$. Let $\bar t = \min({}_\surd u, X_\surd)$ and define $\bar X = X \cap (\{t \mid t \le \bar t\} \times \Sigma)$. Then, again law T2 implies that we can take $Y_j = \bar X$. Finally, because of law T1, we may assume that $v_j = v = v_0 \cap (\{t \mid t \le \bar t\} \times \Sigma)$. Since $|I|$ is infinite, we have $(v, \bar X) \in P$. Hence, $(u,X) = (u,X) \,\dot\Box\, (v, \bar X) \in Q \Box P = P \Box Q$.

• $\bigcap_i (P_i \#_t a) = P \#_t a$: Let $Q_i = P_i \#_t a$. Firstly, since $Q_i \subseteq P_i$ for all $i$, we obtain $\bigcap_i Q_i \subseteq P$. Since every $(u,X) \in \bigcap_i Q_i$ obviously satisfies the bounded delay constraint, we also have $\bigcap_i Q_i \subseteq P \#_t a$. For the other direction, observe that $P \subseteq P_i \Rightarrow P \#_t a \subseteq Q_i$ for all $i$. Hence, $P \#_t a \subseteq \bigcap_i Q_i$.

• $\bigcap_i P_i \backslash a = P \backslash a$: Let $Q_i = P_i \backslash a$ and $Q = \bigcap_i Q_i$. Take some $(u,X) \in Q$. Since $Q \in PROC$, we may assume that $X$ is maximal for $u$ in $Q$. Then, for each $i$, there is a $(u_i, X_i) \in P_i$ with $(u,X) = (u_i, X_i) \backslash a$. By definition, $(u_i \cup X_i)(\Sigma \cup \{\surd\}) \subseteq (u \cup X)(\Sigma \cup \{\surd\})$. So, there is an $n$ such that for all $i \ge n$: $(u_i, X_i) = (u_n, X_n)$ and hence such that $(u_n, X_n) \in P$. From this, conclude that $(u,X) \in P \backslash a$.

For the other direction, if $(u,X) \in P \backslash a$, then there is a $(v,Y) \in P$ such that $(u,X) = (v,Y) \backslash a$. Hence, $(u,X) \in Q$. Here, too, we assumed w.l.o.g. that $X$ is maximal for $u$ in $P \backslash a$.

6. CONCLUSIONS

We started the paper by listing a set of requirements for real-time models. The timed-failure model developed here satisfies all of them indeed. The basic insight proved to be that failure sets, as introduced in [BHR84], should be retained throughout a computation. This insight was already present in our earlier work ([KSRGA85, Bou86, HGR87]), but formulated in terms of the complementary notion of "ready set" and developed in a more cumbersome way for a more restricted language (although these papers do deal with a state-based language).

In our work we have consistently taken the view that a system's behaviour should be described in terms that are meaningful to such systems. This reflects the fact that a system's environment will consist of other systems and hence that interaction takes place through the system's interface, i.e., through the actions in $\Sigma$. In this view, there is no place for special deadlock denotations or for distinguishing deadlock from divergence. Deadlock, as such, cannot be communicated to the environment because if it could, there would be no deadlock. Moreover, in the timed-failure model we have $\mu x.x = STOP$: both processes will refuse to interact at any time.

This point of view leads to problems in non-timed models. Consider the process $P = \mu x.(a \to x) / a$. $P$ engages in so-called "infinite chatter". Two views have been taken of this: namely to have $P = CHAOS$ or to have $P = STOP$. The first choice is awkward since $P$ cannot do anything at all, while CHAOS can do anything it wishes (including behaving like $P$). This choice, however, does lead to a continuous hiding operator, whereas the second, more reasonable alternative does not. In our model, there is no reason not to prefer the second choice because our hiding operator is continuous.

We briefly mention I. Phillips's refusal testing [Phi86]. That model induces a finer equivalence than the non-timed failure model does. Indeed, refusal testing distinguishes the CCS-terms $a + \tau b$ and $a + \tau(a + b)$, because also refusing to do an action will force a machine to move (to the next stable state). So, on refusing a $c$-action, the first machine loses the ability to do an initial $a$-action, unlike the second machine. If we associate the passage of some time to doing a $\tau$-step, then refusal testing equivalence turns out to be weaker than timed failure equivalence. The CCS-terms $a + \tau b$ and $a + \tau(a + \tau b)$ satisfy the same refusal tests but are obviously distinguished in our model. The translation of these terms into ECP-terms is somewhat involved. As an example, $a + \tau b$ can be translated as

$(((a \to c) \#_0 c \ \Box\ (SKIP \to d) \#_0 d) \ \|_{\{c,d\}}\ (c \ \Box\ (d \to b))) \backslash \{c,d\}$

Finally, we mention De Nicola et al.'s extension of testing equivalence to labeled event structures [ANF86]. We only have the space here to mention that the separation results that the authors set out to obtain are realized in the timed failure model, too. Specifically, the following inequivalences hold:

$a \|_\emptyset b \ \ne\ (a \to b) \Box (b \to a) \ \ne\ (a \|_\emptyset b) \Box (a \to b) \Box (b \to a)$.

The current model does not differentiate between several simultaneous occurrences of the same action and one such occurrence; i.e., it does not support multi-sets of simultaneous actions. Consequently, the model induces the following equality that does not hold in the non-timed failure model:

$a \|_\emptyset a = (a \|_\emptyset a) \sqcap a$.

The reader is referred to [KSRGA85] or to [TV87] for the changes that would have to be made in order to separate the above two programs.

As areas of future research we mention the axiomatization of the timed failure congruence, on which we are currently working. The notion of testing has been used in an informal way. We would like to formalize these ideas along the lines of De Nicola and Hennessy [Hen83, Nic85]. The precise set of combinators that we want to consider is still in flux. Specifically, it seems that broadcast concurrency behaves better than synchronizing concurrency does, with respect to the bounded delay operator. So, we would like to be able to express $\|_B$ in terms of $|_B$. This may lead to a CCS-like language with a monoid of actions and a signature that includes a restriction operator. As further research topics, we mention relaxing the assumption of linearity of time and to extend E.-R.
