
Springer - Concurrency Theory Episode 3 pps


3.2 Trace Semantics 63

3.1.4 What Makes a Good Semantics?

We look at a number of different semantic models for LOTOS. Before we do this, it is worth considering what constitutes a “good” semantics, and what criteria we can apply to the choice of semantics. The following issues can be highlighted.

• A semantics should enable properties of a specification to be verified, e.g. that the specification cannot do a particular “bad thing,” such as deadlock.

• The semantics should be unambiguous; i.e. it should not be possible to relate a specification to two different meanings.

• The semantics must be intuitively meaningful. Perhaps the most important criterion for the choice of semantics is that it correctly reflects the “meaning” that is trying to be extracted from a specification. Thus, the semantics should relate specifications that are “intuitively” the same.

• A semantics must distinguish specifications that are different. This is just as important as the previous point. If a semantic map relates two “intuitively” different specifications to the same semantic model we would not be able to differentiate between the specifications in our semantic world. This would, for example, mean that any property that held about one of the specifications would hold for the other. Thus, we must be careful to ensure that our semantics are fully expressive, in the sense that they distinguish between enough specifications.

An obvious question that arises from these points is: what is an appropriate intuitive meaning? There are actually a number of different such intuitions. Most of our semantics though seek to describe only the observable behaviour of systems (this applies less to the true concurrency model). Thus, we seek to locate semantics that model the observable behaviour of systems and that abstract from the internals of how this behaviour is obtained.

3.2 Trace Semantics

3.2.1 The Basic Approach

This is the first semantic model that was considered for process calculi [95] and it remains the simplest approach that is in use. The idea is to model the semantics of specifications as the set of all possible linear sequences (or traces) of actions that the specification can perform. The “all possible” here is important. In particular, you should notice that we are not solely interested in complete traces, i.e. sequences of actions that cannot be extended. Rather, we are interested in all possible intermediate and complete traces.

As a reflection of the fact that trace semantics consider linear traces, such approaches are frequently referred to as linear time models. As suggested earlier, we denote the trace semantic map as


64 3 Basic Interleaved Semantic Models

Also notice that the behaviour stop is mapped to the trace set which includes just one trace: ε, the empty trace. It is a rule of trace semantics that the trace set of any behaviour will contain the empty trace, because all behaviours can perform an empty trace.

Process invocation and action relabelling can also be easily modelled using trace semantics. Consider the following recursive process definition,

P [z, w] := z ; w ; P [w, z]

Notice how the action names are flipped on recursive invocation. So, invocation of this behaviour with the action z relabelled to x and the action w relabelled to y will have the following infinite trace model,

⟦ P [x, y] ⟧tr = { ε , x , xy , xyy , xyyx , xyyxx , xyyxxy , xyyxxyy , … }

Infinite models typically arise when recursive behaviour is considered. We consider how to handle such behaviour shortly.

As already indicated, we are interested in modelling just the observable behaviour of pbLOTOS specifications. As a reflection of this, internal actions do not find their way into trace sets. For example, the behaviours


Notice that this gives us equality between behaviours such as

i ; i ; stop , i ; stop and stop

and also, between behaviour such as

x ; y ; stop and hide z in ( x ; z ; y ; stop ).

Because of the suppression of internal actions, the point of sequential composition is not directly reflected in trace semantics. Remember that successful termination in pbLOTOS has the form:

B1 >> B2

where the behaviour B1 enables the behaviour B2 when all concurrent threads in B1 have performed an exit and an internal action is generated when control is handed from B1 to B2. For example, the behaviour,

P := ( x ; y ; exit [] z ; exit ) >> ( w ; stop )

will map to the following trace set,

⟦ P ⟧tr = { ε , x , z , xy , zw , xyw }

However, successful termination actions, denoted δ, can arise in trace sets. Such actions will only appear when an exit is left “dangling” in a behaviour, i.e. is not matched by a sequential composition. Thus, the behaviour

Q := ( x ; y ; exit ) [] ( z ; exit )

will map to the following trace set,

⟦ Q ⟧tr = { ε , x , z , xy , zδ , xyδ }

Trace semantics typically model concurrency using interleaving (an exception is found in [139]). This view of concurrency fits naturally with the linear trace approach. For example, the behaviours


of all traces of a computation is likely to be infinite. Thus, we model behaviour as a (potentially) infinite set of finite computations. We use σ, σ′, σ″, σ1, σ2, … to range over T and we define a number of basic operations on traces.

• Concatenation. Two traces σ and σ′ can be concatenated by performing the operation, σ.σ′. Formally, we can define concatenation as:

(σ1 = ε ⟹ σ1.σ2 = σ2)
(σ2 = ε ⟹ σ1.σ2 = σ1)
(σ1 = x1x2…xn ∧ σ2 = y1y2…yn) ⟹ σ1.σ2 = x1x2…xn y1y2…yn

As a slight abuse of notation, we write x to mean both a single action and the singleton trace; the correct interpretation is clear from the context.

1 In fact, our semantics will ensure that successful termination actions only arise as the last element of a trace, however, for ease of presentation, we use a more liberal definition here.


• Star. Given a set A ⊆ Act, we denote the set of all traces that can be formed using actions from the set A as A*. Formally,

A* ≜ {ε} ∪ { x0x1…xn | xi ∈ A }

Using this notation we can note that T = (Act ∪ {δ})*.

A wealth of additional operators on traces is defined in [96].

3.2.2.2 A Denotational Trace Semantics for pbLOTOS

The following rules define a, so called, denotational semantics for pbLOTOS. This will realise the semantic map ⟦ ⟧tr and, thus, define a function from pbLOTOS specifications to trace sets. The function is expressed by defining the meaning of all the syntactic elements of the language. This is done by traversing the abstract syntax of pbLOTOS. The mathematically correct phrase is that the mapping is defined by induction over the syntax of the language. So, the rules work construct by construct through the language. The rules we give are based on those presented in [120] with some influence from similar rules presented for CSP in [96].

What we are interested in is the meaning of an arbitrary pbLOTOS specification, i.e. to evaluate ⟦ S ⟧tr, where S ∈ pbLOTOS and ⟦ ⟧tr has the form:

⟦ ⟧tr : pbLOTOS ⟶ P(T)

The function ⟦ ⟧tr is defined according to the syntactic alternatives a top-level pbLOTOS specification can be constructed from, i.e. according to the first clause in the pbLOTOS abstract syntax. Thus, we have the following rules, which handle the two alternative forms that a top-level specification can take.

⟦ B ⟧tr ≜ B⟦ B ⟧(∅)

⟦ B where D ⟧tr ≜ B⟦ B ⟧(D⟦ D ⟧)

B⟦ ⟧ is the semantic function that maps behaviour expressions to trace sets. The function B⟦ ⟧ has two parameters: the behaviour expression to evaluate (here B) and a set of process definitions (the second parameter is written as a subscript of the application, e.g. ⟦ ⟧(d)). This set of definitions is used in the evaluation of the behaviour B, thus enabling processes defined in D to be instantiated in B. In analogy with programming language semantics d is an environment.

The rules state that if the specification just contains a behaviour expression, with no process definitions, then the trace model of the specification is given by applying B⟦ B ⟧(∅) (with the definition parameter empty). Alternatively, if the specification is a behaviour followed by a where clause, then the trace model of the specification is given by applying B⟦ B ⟧(D⟦ D ⟧), i.e. evaluating behaviour B according to the declarations in D.


Now we step down one level in the pbLOTOS abstract syntax to define the meaning of lists of definitions. All we do here is to place the list of definitions into a set, which can be accessed at a deeper level in the semantics. Thus, we define the function

mean-BJ K (d) : Beh × P(Defs) −→ P(T )

which evaluates behaviour expressions. Notice that the two parameters to the function are made explicit in the typing.

In a similar way to earlier, B⟦ ⟧ is defined by working through the possible syntactic forms that a behaviour expression can take. Thus, we define the meaning of all possible formats that a behaviour expression can take.

Stop. The semantics of this behaviour are trivial; it simply yields the set containing the empty trace. This indicates that the behaviour stop cannot perform any nontrivial traces.

B⟦ stop ⟧(d) ≜ {ε}

Exit. The semantics of exit are only marginally more complex:

B⟦ exit ⟧(d) ≜ {ε, δ}

exit is a behaviour which can perform one of two traces: the empty trace or a singleton trace just containing an action δ. The δ action is the special distinguished action which denotes successful termination. The action is used as a signal to indicate successful termination. This becomes clear when we consider the semantics of enabling, >>, which use the δ action to initiate the transfer of control to the enabled behaviour.

Action Prefix. There are two clauses for action prefix; the first deals with observable actions and the second deals with internal actions. The first is as follows,

B⟦ x ; B ⟧(d) ≜ {ε} ∪ { x.σ | σ ∈ B⟦ B ⟧(d) }

The trace set for action prefix is defined by taking the traces that can be derived from B (thus, B⟦ ⟧ is a recursive definition) and prepending the action x on the front of all of them. The empty trace must also be added, because, although B⟦ B ⟧(d) will contain an empty trace, it will be lost when

Choice. Choice yields a straightforward trace semantics; it simply corresponds to taking the union of the trace sets derived from the two alternative behaviours.

B⟦ B1 [] B2 ⟧(d) ≜ B⟦ B1 ⟧(d) ∪ B⟦ B2 ⟧(d)

Notice that any traces that can be performed by both B1 and B2 will be represented by a single trace in B⟦ B1 [] B2 ⟧(d) and that choice points are not explicitly reflected in the semantics.

Enabling. The semantic rule for sequential composition centres on the handling of the δ action.

B⟦ B1 >> B2 ⟧(d) ≜
{ ε } ∪ { σ.x | σ.x ∈ B⟦ B1 ⟧(d) ∧ x ≠ δ } ∪
{ σ.σ′ | σ.δ ∈ B⟦ B1 ⟧(d) ∧ σ′ ∈ B⟦ B2 ⟧(d) }

Firstly, any trace from B1 that does not successfully terminate, i.e. does not have δ as the last element, is included directly in the semantics of B1 >> B2. These traces reflect the noncomplete evaluations of B1, in other words, all the traces that B1 performs before it terminates. Secondly, all traces from B1 that finish with δ are concatenated with all traces from B2. It is important to note that the δ action does not appear in the concatenated trace (unless it appears in B2). In terms of the informal definition of pbLOTOS, the δ should be transformed into an internal action. However, because internal actions are not depicted in trace semantics, this replacement is not visible.

Parallel Composition. The semantics of parallel composition are somewhat more complex. We need to compose the traces of B1 and B2 in such a way that the resultant traces reflect the parallel composition of the two behaviours. The basic rule is

B⟦ B1 |[x1, …, xn]| B2 ⟧(d) ≜
{ σ | ∃σ1 ∈ B⟦ B1 ⟧(d), ∃σ2 ∈ B⟦ B2 ⟧(d) s.t. σ ∈ σ1 |{x1, …, xn, δ}| σ2 }

which returns the set of all traces that are in σ1 |{x1, …, xn, δ}| σ2 for all possible traces σ1 in B⟦ B1 ⟧(d) and σ2 in B⟦ B2 ⟧(d). Thus, we determine the traces of B1 and the traces of B2; then we apply |{x1, …, xn, δ}| to each possible pair of traces from the two. For each of these pairs, |{x1, …, xn, δ}| derives the set of possible interleavings of the two traces subject to synchronisation on actions from {x1, …, xn, δ}. Notice, in particular, that δ is included in this synchronisation set. This is because a parallel composition only successfully terminates when both its constituent threads have terminated (see the discussion in Section 2.3.7).

So, the central aspect of this definition is the mapping |{x1, …, xn, δ}|; it is a function with the following type,

|A| : T × T ⟶ P(T)

where A ⊆ Act ∪ {δ}.

The operator is written infix, as σ1 |A| σ2, and, broadly, it denotes the set of possible interleavings of σ1 and σ2 that identify actions in A. The operator is defined as follows, where x, x′ ∈ A, x ≠ x′ and y, y′ ∉ A,

σ1|A|σ2 

if (σ1= x.σ1 ∧ σ2= ) ∨ (σ1=  ∧ σ2= x  .σ 

2) ∨ (σ1= σ2= ) ∨ (σ1 = x.σ 

2 ∧ σ2 = y  .σ 

2 } ∪ { x.σ | σ ∈ σ 

1|A|σ 

2 ∧ σ1= x.σ 

1 ∧ σ2= x.σ 

2}

This definition mirrors, in some respects, the operational semantics definition of parallel composition that we present in Section 3.3.2.2. The operator is best illustrated through an example. Consider the behaviour

would apply |{x}| to all possible pairings of traces from the two sets (in fact, it would apply |{x, δ}|, but because there is no exit in the original behaviour, δ can be safely ignored). The results of these applications are:

ε |{x}| ε = {ε}     y |{x}| ε = {y}     yx |{x}| ε = {y}      yxz |{x}| ε = {y}
ε |{x}| x = {ε}     y |{x}| x = {y}     yx |{x}| x = {yx}     yxz |{x}| x = {yxz}
ε |{x}| xw = {ε}    y |{x}| xw = {y}    yx |{x}| xw = {yxw}   yxz |{x}| xw = {yxzw, yxwz}

The definition of B⟦ B1 |[x1, …, xn]| B2 ⟧(d) accumulates traces from the sets, to yield

B⟦ y ; x ; z ; stop |[x]| x ; w ; stop ⟧(d) = { ε , y , yx , yxz , yxw , yxzw , yxwz }

as required

Hiding. We need an auxiliary operator in defining the semantics of hiding. The operator is denoted / and it has the type:

/ : T × (Act ∪ {δ} ⟶ T) ⟶ T

The operator is written infix and has two arguments: a trace and a function from actions to traces, which is total on Act ∪ {δ}. The operator returns a new trace. Given that λ ∈ Act ∪ {δ} ⟶ T, then σ/λ is defined as

ε/λ ≜ ε ∧ (x.σ′)/λ ≜ λ(x).(σ′/λ)

Thus, the application,

σ/λ′ where λ′(x) ≜ if x = xi (1 ≤ i ≤ n) then σi else x

has the effect of searching along the trace σ and replacing every occurrence of an action xi with the trace σi.

The trace semantics for hiding derives all the traces from B and then removes all occurrences of the (to be hidden) actions x1, …, xn from the generated traces, by replacing xi with ε.

B⟦ hide x1, …, xn in B ⟧(d) ≜ { σ/λhide | σ ∈ B⟦ B ⟧(d) } where,

λhide(x) ≜ if x = xi (1 ≤ i ≤ n) then ε else x

Relabelling. The semantics of relabelling follow very much the same lines as the semantics for hiding. However, rather than replacing actions with a null trace, we replace them with the required relabelling.

B⟦ B[y1/x1, …, yn/xn] ⟧(d) ≜ { σ/λrel | σ ∈ B⟦ B ⟧(d) } where,

λrel(x) ≜ if x = xi (1 ≤ i ≤ n) then yi else x

Process Instantiation. The semantics of process instantiation are complicated by the need to interpret recursion. In fact, we only give a partial definition of such behaviour, as the full semantics are relatively complex. In particular, we do not consider mutual recursion, i.e. indirect recursion resulting from a series of process instantiations (although, generalisation to such definitions can easily be given) and our presentation is informal. A full formal treatment is beyond the scope of this book.

Nonrecursive process definitions can be handled very easily; i.e.

B⟦ P ⟧(d) ≜ B⟦ B ⟧(d)

where P := B is a definition in d and P is not referenced in B.

Notice that it is here, in defining the meaning of process instantiation, that we use the definitions contained in d. This rule states that the meaning of a process instantiation is the meaning of the corresponding process body.

In contrast, the semantics of recursion (in fact, only direct recursion) is defined by

fB denotes a function, which takes a process instantiation and evaluates it in place in the body of B. In fact, fB can be thought of as a context corresponding to the behaviour B, with holes where P is referenced. Filling these holes corresponds to instantiating a behaviour in place for P.

We can think of a recursion as generating a series of models, which are increasingly large; each successive model corresponds to a further unfolding of the recursive call. This series of models is infinite; i.e. we will keep on making recursive calls and increasing the size of the resulting model. We refer to such a series of models as a chain.

The semantic model for this behaviour will have to be an infinite set; it will be an infinite set which contains all the models from all the recursive calls, i.e. every model in the chain. The expression:


fB^n (B′) ≜ fB ( fB ( … fB (B′) … ) )

where there are n fBs on the right-hand side.

This construction generates the infinite chain to which we have been referring. The chain requires a “bottom” behaviour to start from; it can be shown that stop is the required bottom or null behaviour. Thus, in our above definition, the chain is given by:

of this book; the interested reader is referred to [199].

In addition, it can be shown that, as long as the behaviour fB is guarded, this definition of recursion is the only solution [96,120]. In fact, we would need a strong guardedness property, because internal behaviour is not reflected in trace semantics. For example, the definition:

T and the semantic map ⟦ ⟧tr. In this section we consider the third: development relations for trace semantics. We consider the two classic relations: trace preorder and trace equivalence. These relations define how pbLOTOS specifications can be related using trace semantics.

3.2.3.1 Trace Preorder

Trace preorder is the basic refinement relation of trace semantics; it is denoted ≤tr, and defined as follows.

S ≤tr S′ if and only if ⟦ S ⟧tr ⊆ ⟦ S′ ⟧tr


So, S is a trace refinement of S′ if and only if the traces of S are a subset of or equal to the traces of S′. Firstly, it is easy to show that this relation is a preorder.

Proposition 2

≤tr is (i) reflexive and (ii) transitive.

Proof

(i) This is trivial, because the traces of a specification are equal to the traces of the same specification. (ii) This follows from transitivity of subset inclusion; i.e. if ⟦ S ⟧tr ⊆ ⟦ S′ ⟧tr and ⟦ S′ ⟧tr ⊆ ⟦ S″ ⟧tr then ⟦ S ⟧tr ⊆ ⟦ S″ ⟧tr.

The fact that the trace preorder is not symmetric is also easy to verify. Consider for example the two behaviours:

Q := stop and P := x ; stop

P4 := hide y, z in ( ( y ; x ; z ; stop ) [] ( z ; x ; stop ) )

P5 := ( x ; y ; stop ) |[y]| ( z ; stop )

You should also notice that the behaviour stop is more refined (by trace preorder) than any other pbLOTOS specification. This is because its trace set only contains the empty trace, which is included in the trace set of all specifications. Thus, we can refine any pbLOTOS specification to stop. This is clearly not very satisfactory, as it means that during development, we can just throw all the content of a specification away.

The theoretical justification for the trace preorder is that it preserves so-called safety properties. These are properties which state that “something bad does not happen.” For example, we might want to ensure that a particular unwanted action, perhaps one called crash, never happens. Refinement by trace preorder cannot introduce actions. Thus, if our abstract specification satisfies a particular safety property, we know that all refinements of the specification will satisfy the property. But, this does not prevent us from refining out all the wanted behaviour.
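The denotational rules of Section 3.2.2.2 and the trace preorder can be run directly on small behaviours. The following Python code is an added example, not code from the book: the tuple encoding of behaviours, the function names and the handling of a prefix by the internal action i (it contributes nothing to a trace, as the equalities stated in Section 3.2.1 require) are assumptions, and process instantiation and recursion are left out.

```python
from itertools import product

EPS = ()        # the empty trace; traces are tuples of action names
DELTA = "δ"     # successful termination
INTERNAL = "i"  # internal action, never recorded in a trace

# Constructed tuple encoding of behaviour expressions (an assumption of this example).
STOP, EXIT = ("stop",), ("exit",)
def prefix(a, b): return ("prefix", a, b)
def choice(b1, b2): return ("choice", b1, b2)
def enable(b1, b2): return ("enable", b1, b2)
def par(b1, sync, b2): return ("par", b1, frozenset(sync), b2)
def hide(acts, b): return ("hide", frozenset(acts), b)

def interleave(s1, s2, A):
    """s1 |A| s2: interleavings of two traces that synchronise on actions in A.
    Written to reproduce the results tabulated in the worked example above."""
    out = set()
    if s1 and s1[0] not in A:                        # left thread moves alone
        out |= {(s1[0],) + t for t in interleave(s1[1:], s2, A)}
    if s2 and s2[0] not in A:                        # right thread moves alone
        out |= {(s2[0],) + t for t in interleave(s1, s2[1:], A)}
    if s1 and s2 and s1[0] == s2[0] and s1[0] in A:  # both threads synchronise
        out |= {(s1[0],) + t for t in interleave(s1[1:], s2[1:], A)}
    return out or {EPS}                              # blocked or both finished

def traces(b):
    """Trace set of a behaviour, one clause per syntactic form."""
    kind = b[0]
    if kind == "stop":
        return {EPS}
    if kind == "exit":
        return {EPS, (DELTA,)}
    if kind == "prefix":
        _, a, body = b
        if a == INTERNAL:                            # assumed clause for i ; B
            return traces(body)
        return {EPS} | {(a,) + s for s in traces(body)}
    if kind == "choice":
        return traces(b[1]) | traces(b[2])
    if kind == "enable":
        t1, t2 = traces(b[1]), traces(b[2])
        unfinished = {s for s in t1 if not s or s[-1] != DELTA}
        handed_over = {s[:-1] + s2 for s in t1 if s and s[-1] == DELTA for s2 in t2}
        return {EPS} | unfinished | handed_over
    if kind == "par":
        _, b1, sync, b2 = b
        A = sync | {DELTA}                           # δ is always synchronised
        return {s for s1, s2 in product(traces(b1), traces(b2))
                for s in interleave(s1, s2, A)}
    if kind == "hide":
        _, acts, body = b
        return {tuple(a for a in s if a not in acts) for s in traces(body)}
    raise ValueError(f"unknown behaviour form: {kind}")

def refines(s, s_prime):
    """Trace preorder: s ≤tr s_prime iff traces(s) ⊆ traces(s_prime)."""
    return traces(s) <= traces(s_prime)

def never_performs(b, action):
    """Safety property: the action occurs in no trace of b."""
    return all(action not in s for s in traces(b))

def as_strings(trace_set):
    """Render traces as the text writes them, e.g. ('x', 'y') -> 'xy'."""
    return {"".join(s) for s in trace_set}

# Behaviours taken from the text.
P = enable(choice(prefix("x", prefix("y", EXIT)), prefix("z", EXIT)),
           prefix("w", STOP))
Q = choice(prefix("x", prefix("y", EXIT)), prefix("z", EXIT))
PAR = par(prefix("y", prefix("x", prefix("z", STOP))), {"x"},
          prefix("x", prefix("w", STOP)))

if __name__ == "__main__":
    for name, b in (("P", P), ("Q", Q), ("PAR", PAR)):
        print(name, sorted(as_strings(traces(b)), key=lambda t: (len(t), t)))
    print("stop refines P:", refines(STOP, P))
    print("P refines stop:", refines(P, STOP))
```

Because refinement can only shrink the trace set, `never_performs(spec, "crash")` carries over to every behaviour that `refines` the specification, including `STOP`, which is the weakness the text points out.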

3.2.3.2 Trace Equivalence

As stated by Proposition 1 earlier, a preorder development relation will naturally induce an equivalence between specifications. In trace semantics, the trace equivalence, denoted  ≤ tr (or  tr for presentational simplicity), is induced; it is defined as follows.

S  ≤ tr S′ if and only if S ≤tr S′ and S′ ≤tr S

 ≤ tr is reflexive, symmetric and transitive, so, it is an equivalence; it plays the role of identity in the trace theory of pbLOTOS. From the definition of the trace preorder, it can easily be seen that

S  ≤ tr S′ ⟺ ⟦ S ⟧tr = ⟦ S′ ⟧tr

Thus, any two specifications with equal traces are trace equivalent. This is actually the identity that we have been using informally already; see, for example, the discussion in Section 3.2.1.

3.2.4 Discussion

So, we have defined a simple linear time semantics for pbLOTOS, Str. In its entirety, the semantics comprises:

Str ≜ ( P(T) , ⟦ ⟧tr , {≤tr ,  tr} )

Thus, it contains P(T) (a notation of semantic models), a semantic map ⟦ ⟧tr and two development relations, ≤tr and  tr. The semantics is relatively crude; in particular, we can make two observations.

Firstly, although preserving safety is a useful property of development, there are many different classes of property that we would like to preserve during refinement and safety is only one of these. For example, we would like to preserve liveness properties, i.e. statements that “something good must eventually happen.” The trace preorder cannot guarantee such properties, as the required “good thing” may simply be refined out during application of


Secondly, the trace semantics equate too many specifications. They do not enable branching points to be distinguished; in particular, they do not enable deterministic and nondeterministic choice to be distinguished. This is highly unsatisfactory as, from our discussions already, we have noted that deterministic and nondeterministic choices yield a very different observable behaviour. We discuss this issue in more depth in Section 3.3.1.

However, in a completely deterministic setting, trace semantics are quite satisfactory and fully characterise the behaviour of pbLOTOS. This is witnessed by the fact that in [96] a reduced process calculus, which is deterministic, is completely characterised by a trace semantics.

As presented in [96], the trace equality relation can be axiomatised for this deterministic language. We conjecture that similar trace-based axiomatisations could be developed for pbLOTOS.

We do not consider congruence issues with either trace preorder or trace equivalence. This is for two reasons. Firstly, for the reasons just discussed, neither are particularly useful development relations and secondly, in order to prove congruence in recursive contexts we would have to work from a complete fixed point theory. In the absence of such a theory, we wait for the, more useful, bisimulation relations before considering congruence issues.

3.3 Labelled Transition Systems

A more distinguishing semantics than trace semantics can be given using labelled transition systems. This is in fact the standard semantics for LOTOS and the one presented in the LOTOS standard [101]. It is also the most commonly used semantics throughout the process calculi domain.

3.3.1 The Basic Approach

We have already seen a notation that is similar to labelled transition systems (LTS), viz. the behaviour trees presented in Chapter 2 (although in the general case we deal with graphs, rather than trees). For example, the two trees depicted in Figure 3.1 could be viewed as labelled transition systems. In such systems, the arcs of the tree are called transitions and the actions associated with arcs give the labelling. LTS model systems solely in terms of sequence and choice. In particular, a branching point indicates a choice and sequence is denoted by transitions following one another.

What though resides at the nodes of a labelled transition system? Nodes represent states; these are locations in the computation that are nonatomic and can consume time (remember actions and, thus, transitions are atomic). Such states are equated with the behaviour expression reached at that point in evaluation. Thus, the two labelled transition systems depicted in Figure 3.1 can more fully be depicted as in Figure 3.2.


Fig. 3.2. Labelled Transition System with States Explicitly Represented

The term branching time model is often associated with approaches such as labelled transition systems, where choice is explicitly represented; this is in contrast to linear time models. As a reflection of this, labelled transition systems can be seen to be more discriminating than trace semantics. For example, the two behaviours,

x ; ( x1 ; stop [] x2 ; stop ) and ( x ; x1 ; stop ) [] ( x ; x2 ; stop )

cannot be distinguished in trace semantics; the two behaviours will both have the trace semantic model,

{ ε , x , xx1 , xx2 }

However, they can be distinguished with labelled transition systems, as made apparent in Figure 3.2. This example is a particularly good one, because from our earlier discussion, it should be clear that we would like to differentiate these two behaviours. This is because the first expresses a deterministic choice, whereas the second expresses a nondeterministic choice. If you are not happy that these two should be distinguished, look again at Section 2.3.4 and, in particular, consider the illustration of these two behaviours in terms of black

boxes offering interactions at buttons. Thus, branching time models, such as LTS, can distinguish different forms of choice, whereas trace semantics cannot.

3.3.2 Formal Semantics

3.3.2.1 Preliminaries: Labelled Transition Systems

We begin by giving a formal definition of a labelled transition system. The set of all labelled transition systems is denoted LTS and ∀Sys ∈ LTS, Sys is a four tuple (S, A, T, s0), where

• S is a nonempty set of states; these are the behaviour expressions derived from evaluation of the specification;

• A is a set of actions; A contains all the actions that the specification can perform, including i and δ, thus, A ⊆ Act ∪ {i, δ};

• T is a set of transition relations; one relation, Ta, is included for each a ∈ A; and

• s0 ∈ S is the starting state for Sys.

A transition relation Ta is a set of triples of the form (s, a, s′); i.e.

Ta ⊆ S × {a} × S

where (s, a, s′) states that a transition from state s to state s′ exists, which is labelled with action a. Transitions are usually denoted

s −a→ s′

The labelled transition system contains sufficient information to construct transition system diagrams such as those that we have seen already:

• S defines the nodes of the diagrams;

• A defines the allowable labels for arcs in the diagrams;

• T defines the arcs in the diagrams; and

• s0 defines the start point of the diagram.

A final point to notice is that internal actions do get represented in labelled transition systems. This is in contrast to the situation with trace semantics, where all internal actions are ignored. This may seem surprising, as it seems to indicate that labelled transition systems depict more than just the externally visible behaviour of the system. This view is to some extent true. However, in general, the occurrence of internal actions is needed in order that different varieties of choice (in particular, forms of nondeterminism) can be distinguished. Section 3.3.3 shows how development relations can be used to equate the labelled transition systems that cannot realistically be distinguished by the external observer. Thus, the approach in labelled transition systems is to give a distinguishing and expressive underlying semantic notation and then to equate, using equivalence relations, models in the notation that should be viewed as the same.


3.3.2.2 An Operational Semantics for LOTOS

The following rules define a, so-called, operational semantics for pbLOTOS. This will realise the semantic map ⟦ ⟧lts,

⟦ ⟧lts : pbLOTOS ⟶ LTS

i.e. define a function from pbLOTOS specifications to labelled transition systems. As was the case with the denotational approach, these semantics will traverse the abstract syntax of pbLOTOS. However, the rules for the semantics are expressed very differently from those in the denotational setting (for a comprehensive discussion of different forms of semantics see [199]). Specifically, they are expressed as a series of inference rules. A set of inference rules defines a derivation system, which characterises how behaviours can be mapped to transition systems.

Inference rules have the form:

R : P1 P n

where P1, …, Pn, Q are assertions. The R here is merely a label for the rule, the assertions P1, …, Pn are called the premises of R and the assertion Q is called the conclusion or consequence of R. C is optional; it is used to express conditions on the variables used in the inference rule (e.g. a variable v might be stated to be in a set V). The informal meaning of the rule is that if P1, …, Pn hold then the assertion Q will hold. If the list of premises is empty, i.e.

R : Q

then the inference rule defines an axiom of the derivation system; the consequence Q will always hold, as it does not depend upon any premises.

Now we come to the operational semantics for pbLOTOS. The derivation system that we define characterises how to derive transition relations from a pbLOTOS behaviour. The top-level structure of a pbLOTOS specification is either B or B where D, with D a list of process definitions. In the former case, we can interpret the behaviour directly; in the latter case, we have to interpret the behaviour B subject to the bindings set up in D. In our semantics, the process definitions of D are assumed to be available throughout the derivation system, enabling us to reference them in our inference rules. We could add a mechanism to transmit these definitions through the inference rules. However, in order not to complicate our mathematical constructions, we have not included this. The basic derivation system follows.

Stop. The behaviour stop has no inference rule. This is because, as it cannot perform any actions, it cannot be derived further.

Exit. The behaviour exit has the following inference rule,

(EX) : exit −δ→ stop

This rule defines an axiom stating that a behaviour exit can always perform a δ (remember δ is a hidden action used to signal successful termination, as discussed in Section 3.2.2.2) and evolve to stop. So, the sole purpose of exit is to signal successful termination and then evolve no further.

Action Prefix. Sequencing by action prefix also yields an axiom of the

Choice. The behaviour of choice is expressed using two rules, which are symmetric. They are not axioms, because they are both dependent upon a single premise.

into B′. This correctly models the effect of choice, which is to select between the two possible alternatives. Notice also that δ actions are included; thus, successful termination of one alternative can resolve the choice.

As these are our first nonaxiomatic inference rules it is worth at this point clarifying the manner in which transitions are derived using such rules. So, consider for example, the behaviour,

P := ( x ; y ; stop ) [] ( x ; stop )

We are seeking to apply one of the two rules (CH.i) or (CH.ii) in order to determine what transitions this behaviour is able to perform. However, both rules require properties to hold of one of the two constituent behaviours. Thus, determining the behaviour of P induces evaluation of the behaviour of,

x ; y ; stop and x ; stop

We can apply our action prefix rule (AP) to determine what transitions can be derived from these behaviours; i.e.,

x ; y ; stop −x→ y ; stop and x ; stop −x→ stop

The former of these enables us to apply (CH.i) and determine that

P −x→ y ; stop

whereas the latter enables us to apply (CH.ii) and determine that

P −x→ stop

Thus, P offers a choice of transitions (as we would expect). From this discussion it should be straightforward to see that the complete transition system for this behaviour is as depicted in Figure 3.3. Thus, the approach is, at each stage, to apply exhaustively as many rules as possible. We can in fact put a derivation of behaviour together into an inference tree in a similar way to that found in logical deduction; see, for example [148].

Fig. 3.3. Derivation of Labelled Transition Systems from Inference Rules
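The exhaustive rule application just described, and the deterministic versus nondeterministic choice comparison of Section 3.3.1, can be reproduced mechanically. The following Python code is an added example, not code from the book: it covers only stop, exit, action prefix, choice and enabling (using the rules (EN.i) and (EN.ii) given later in this section), and the tuple encoding of behaviours, the function names and the use of one set of triples for T instead of one relation per action are assumptions.

```python
DELTA, INTERNAL = "δ", "i"
STOP, EXIT = ("stop",), ("exit",)   # constructed tuple encoding (an assumption)

def transitions(b):
    """All (action, successor) pairs the inference rules derive for b."""
    kind = b[0]
    if kind == "stop":                       # no rule: stop cannot move
        return set()
    if kind == "exit":                       # (EX): exit -δ-> stop
        return {(DELTA, STOP)}
    if kind == "prefix":                     # action prefix: a ; B -a-> B
        return {(b[1], b[2])}
    if kind == "choice":                     # (CH.i) and (CH.ii)
        return transitions(b[1]) | transitions(b[2])
    if kind == "enable":
        out = set()
        for a, succ in transitions(b[1]):
            if a != DELTA:                   # (EN.i): B1 moves, B2 stays pending
                out.add((a, ("enable", succ, b[2])))
            else:                            # (EN.ii): δ shows up as i, B2 takes over
                out.add((INTERNAL, b[2]))
        return out
    raise ValueError(f"unknown behaviour form: {kind}")

def build_lts(s0):
    """Apply the rules exhaustively from s0 and return (S, A, T, s0)."""
    states, todo, trans = {s0}, [s0], set()
    while todo:
        s = todo.pop()
        for a, nxt in transitions(s):
            trans.add((s, a, nxt))
            if nxt not in states:
                states.add(nxt)
                todo.append(nxt)
    return states, {a for _, a, _ in trans}, trans, s0

def observable_traces(b):
    """Traces read off the transition system, with internal actions dropped."""
    out = {()}
    for a, nxt in transitions(b):
        for t in observable_traces(nxt):
            out.add(t if a == INTERNAL else (a,) + t)
    return out

def menus_after(b, action):
    """For each state reached by one `action` step, the set of actions it offers."""
    return {frozenset(a for a, _ in transitions(nxt))
            for act, nxt in transitions(b) if act == action}

# P := ( x ; y ; stop ) [] ( x ; stop ), the behaviour derived in the text.
P = ("choice", ("prefix", "x", ("prefix", "y", STOP)), ("prefix", "x", STOP))
# x ; ( x1 ; stop [] x2 ; stop )  versus  ( x ; x1 ; stop ) [] ( x ; x2 ; stop )
DET = ("prefix", "x", ("choice", ("prefix", "x1", STOP), ("prefix", "x2", STOP)))
NONDET = ("choice", ("prefix", "x", ("prefix", "x1", STOP)),
          ("prefix", "x", ("prefix", "x2", STOP)))
# ( x ; y ; exit [] z ; exit ) >> ( w ; stop ), from Section 3.2.1.
SEQ = ("enable", ("choice", ("prefix", "x", ("prefix", "y", EXIT)),
                  ("prefix", "z", EXIT)), ("prefix", "w", STOP))

if __name__ == "__main__":
    print("P moves:", transitions(P))
    print("same traces:", observable_traces(DET) == observable_traces(NONDET))
    print("after x, DET offers:   ", menus_after(DET, "x"))
    print("after x, NONDET offers:", menus_after(NONDET, "x"))
```

The two choice behaviours have identical observable traces, yet `menus_after` shows one successor offering both x1 and x2 for the first and two successors offering one action each for the second, which is the branching information a trace set cannot carry.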

Parallel Composition. The parallel composition operator has three rules. The first two are symmetric.

These state how parallel composition can evolve for actions not in the synchronisation set x1, …, xn or equal to δ. The rules state that, if one of the constituent behaviours, say B1, can perform an action that is not in the synchronisation set and evolve into B1′, then the whole behaviour can perform the action and evolve into B1′ |[x1, …, xn]| B2. It is important to note that, in contrast to the situation with choice, an evolution of the whole behaviour does not exclude one of the constituent behaviours. This reflects the nature of parallel behaviour: B1 and B2 continue evolving in parallel.

Also notice that a δ action cannot be performed from these two rules. This reflects the fact that successful termination must be synchronised on by all parallel threads.

The final rule for parallel composition defines synchronisation behaviour,

of the behaviours is ready to perform an action in the synchronisation set (or δ), if there are no alternative actions, it must wait for its “partner” behaviour to offer the same action. Notice also that δ actions can only be performed if both threads can perform the action.

We have only presented inference rules for the general form of parallel composition. The two derived operators, ||| and ||, can be given very simple direct operational semantics. These are left as an exercise (note: you should be careful of how you handle δ).

Enabling. There are two rules for enabling.

(EN.i) :        B1 −a→ B1′
          ──────────────────────────  (a ≠ δ)
          B1 >> B2 −a→ B1′ >> B2

(EN.ii) :       B1 −δ→ B1′
          ──────────────────────────
          B1 >> B2 −i→ B2

(EN.i) states that B1 can evolve by performing an action a as long as the action is not a successful termination. (EN.ii) states that B1 performing a successful termination will cause B1 >> B2 to perform an internal action and then evolve to B2. Thus, as stated in Section 2.3.7, successful termination is represented by the occurrence of an i action. So, the δ action is used to signal the point of successful termination, but, that point is represented by

Relabelling. This again has two forms.

x j

−−→ B 

B[y1/x1, , y n /x n] −−→ B y j  [y1/x1, , y n /x n] (1≤ j ≤ n)

Date posted: 12/08/2014, 07:22
