CHAPTER 9
PROCESS ALGEBRA
A computer process is a program or section of a program (such as a function) in execution. It may be in one of the following states: ready, running, waiting, or terminated. A process algebra is a concise language for describing the possible execution steps of computer processes. It has a set of operators and syntactic rules for specifying a process using simple, atomic components. It is usually not a logic-based language.
Central to process algebras is the notion of equivalence, which is used to show that two processes have the same behavior. Well-established process algebras such as Hoare’s Communicating Sequential Processes (CSP) [Hoare, 1978; Hoare, 1985], Milner’s Calculus of Communicating Systems (CCS) [Milner, 1980; Milner, 1989], and Bergstra and Klop’s Algebra of Communicating Processes (ACP) [Bergstra and Klop, 1985] have been used to specify and analyze concurrent processes with interprocess communication. These are untimed algebras since they allow one to only reason about the relative ordering of the execution steps and events.
To use a process algebra or a process-algebraic approach to specify and analyze a system, we write the requirements specification of the system as an abstract process and the design specification as a detailed process. We then show that these two processes are equivalent, thus showing the design specification is correct with respect to the requirements specification. Here, the requirements specification may include the desired safety properties.
A process algebra has four basic components: (1) a concise language to specify a system as a process or set of processes, (2) an unambiguous semantics to provide precise meanings for the behavior of the specified processes, showing the possible execution steps of these processes, (3) an equivalence or preorder relation to compare the behavior of the processes, and (4) a set of algebraic laws to syntactically manipulate the process specifications. There are several notions of equivalence. In general, two processes are equivalent if every execution step of one process is also the same execution of the other process and vice versa. If the set of execution steps or behavior of a process is a subset of another process, a preorder exists between these two processes.

Real-Time Systems: Scheduling, Analysis, and Verification. Albert M. K. Cheng. Copyright © 2002 John Wiley & Sons, Inc. ISBN: 0-471-18406-3
A typical process algebra has the following set of operators for composing processes or atomic components to specify complex systems. A prefix operator specifies the ordering of actions and events. A choice (or summation) operator selects one option among several possible choices. A parallel (or composition) operator indicates that two processes execute simultaneously. A hiding and restriction operator abstracts lower-level details such as communicating steps to reduce analysis complexity. A recursion operator describes a list of possibly infinite processes. Note that similar operators are used in David Parnas’ event-action model language described in chapter 6. In this chapter, we describe the untimed process algebra CCS and the timed process algebra called Algebra of Communicating Shared Resources (ACSR). We show how ACSR can be used to specify real-time systems, which can then be analyzed using syntactic and semantic techniques.
9.2 Milner’s Calculus of Communicating Systems
Inspired by Dana Scott’s theory of computation, [Milner, 1980] developed a process algebra called the Calculus of Communicating Systems (CCS) to specify the behavior of untimed, concurrent, and communicating systems. He proposes the concept of observation equivalence of programs, and thus a congruence relation.
Observation Equivalence and Congruence: Two programs are observation equivalent if and only if they are indistinguishable by observation. Then, two programs are observation congruent if and only if they are observation equivalent.
Since an observation congruence class is considered a behavior, CCS is thus an algebra of behaviors in which each program stands for its congruence class. The syntax of CCS consists of (1) value expressions; (2) labels, sorts, and relabeling; (3) behavior identifiers; and (4) behavior expressions.
Value Expressions: Value expressions are constructed from simple variables, constant symbols, and function symbols signifying known total functions over values.
Labels are = ∪ , and τ. A sort L is a subset of and a sort L(B) is assigned to each behavior expression B. Given that P and Q are sorts, S : P → Q is a relabeling from P to Q if (1) it is a bijection and (2) it respects complements; that is, $S(\bar{a}) = \overline{S(a)}$ for $a, \bar{a} \in L$.
Each behavior identifier has a preassigned arity n(b), which indicates the number of value parameters, and a sort L(b).
Behavior Expressions: Behavior expressions are constructed with six types of behavior operators, by parameterizing behavior identifiers and by conditionals. The behavior operators are: inaction, summation, action, composition, restriction, and relabeling.
The inaction operator NIL (null) produces no atomic actions. The summation operator “+” in A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions. The action operator “.” is used to express axioms. The composition operator “|” in A | B signifies that an action of A or B in the composition produces an action of the composite in which the other component is unaffected. The restriction operator “\” in A\b indicates that A is restricted so that there are no b or $\bar{b}$ actions. An identifier can be parameterized as in $b(E_1, \ldots, E_{n(b)})$. A conditional is of the form if E then B else B. The definition operator “def=” in $X \overset{\text{def}}{=} P$ defines process X as a more complex process expression P.
Example. Consider a system of two processes. Let $N_i$ be the non-critical section of process i, $T_i$ be its section requesting to enter its critical section, and $C_i$ be its critical section. The following CCS statement specifies that action P is the summation of three actions, each of which is a composition of two actions:
$$P \overset{\text{def}}{=} N_1 | N_2 + T_1 | N_2 + N_1 | T_2.$$
More precisely, one choice is for the system’s two processes to stay in the non-critical sections. The second choice is for process 1 to request to enter its critical section while process 2 remains in the non-critical section. The third choice is for process 2 to request to enter its critical section while process 1 remains in the non-critical section.
The following CCS statement specifies that action Q has a choice of executing the critical section of process 1 or executing the critical section of process 2. Also, while executing $C_1$, $C_2$ is not allowed. Similarly, while executing $C_2$, $C_1$ is not allowed.
$$Q \overset{\text{def}}{=} C_1 \backslash \{C_2\} + C_2 \backslash \{C_1\}.$$
9.2.1 Direct Equivalence of Behavior Programs
Behavior programs having the same semantic derivations can be considered equivalent. In fact, these programs yield an equivalence relation or congruence, thus any program can be replaced by an equivalent one in any context without changing the behavior of the entire system. For example, the programs A + A and A + A are different but obviously interchangeable. Other example rules include: A + (B + C) = (A + B) + C; A + NIL = A; and A + A = A.
Figure 9.1 Selected CCS laws.
Summation (Sum):
    A + NIL = A
    A + A = A
    A + B = B + A
    A + (B + C) = (A + B) + C
    where y is a vector of distinct variables not in A
Composition:
    A | (B | C) = (A | B) | C
    A | NIL = A
Restriction:
    (A + B)\α = A\α + B\α
    (g.A)\α = NIL if α = name(g), else g.(A\α)
Conditional:
    if false then A else B = B
Direct Equivalence: Two behavior programs are directly equivalent iff for every input, both programs produce the same behavior, that is, the same results.
Given a specification written in CCS, we can use equational laws to rewrite it in a form we desire. To show that two specifications are equivalent, we can use these laws to rewrite them to establish equivalence. We summarize selected CCS laws for easy reference in Figure 9.1.
9.2.2 Congruence of Behavior Programs
The results of the actions of directly equivalent programs must be identical. To generalize the direct equivalence relation, a congruence relation that requires only the results be equivalent is introduced. Using this congruence relation, equivalence between programs is also preserved by the substitution of equivalent programs.
9.2.3 Equivalence Relations: Bisimulation
The concept of bisimulation is used to establish the equivalence between two processes. Bisimulation compares the execution trees of these two processes. Two common types of bisimulation exist: strong bisimulation and weak bisimulation [Milner, 1989].
Strong Bisimulation: A binary relation r is a strong bisimulation for a given transition “→” if, for (P, Q) ∈ r and for any action or event a,
Weak Bisimulation: A binary relation r is a weak bisimulation for a given transition “→” if, for (P, Q) ∈ r and for any action or event a ∈ D,
1. if $P \xrightarrow{a} P'$, then $\exists Q'$ such that $Q \overset{\hat{a}}{\Rightarrow} Q'$ and $(P', Q') \in r$, and
2. if $Q \xrightarrow{a} Q'$, then $\exists P'$ such that $P \overset{\hat{a}}{\Rightarrow} P'$ and $(P', Q') \in r$.
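The equivalences of this section can be checked mechanically on finite processes. The following Python program is an added example, not code from the book: it represents processes as a labelled transition system, computes the largest strong and weak bisimulation by removing pairs of states that fail the two matching conditions until nothing more can be removed, and uses it to confirm the summation law A + NIL = A from Figure 9.1, to show that a.(b + c) and a.b + a.c have the same traces but are not bisimilar, and to show that a.τ.b and a.b are weakly but not strongly bisimilar. All process names and transitions are constructed for the example.

```python
# Added example (not from the book): strong and weak bisimulation on a finite
# labelled transition system, computed as a greatest fixpoint. Every process
# name and transition below is constructed for the example.
from collections import defaultdict

TAU = "tau"   # the internal (unobservable) action of CCS

class LTS:
    """A finite labelled transition system: states with labelled edges."""
    def __init__(self):
        self.edges = defaultdict(set)            # state -> {(label, target)}

    def add(self, src, label, dst):
        self.edges[src].add((label, dst))
        self.edges.setdefault(dst, set())        # make sure sinks are states too

    def states(self):
        return set(self.edges)

    def succ(self, s, a):
        """Strong successors: states reached from s by exactly one a-step."""
        return {t for lab, t in self.edges[s] if lab == a}

    def tau_closure(self, states):
        """All states reachable from `states` by zero or more tau steps."""
        seen, todo = set(states), list(states)
        while todo:
            for t in self.succ(todo.pop(), TAU):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def weak_succ(self, s, a):
        """Weak successors s =a^=> t: tau* a tau* for a != tau, tau* for a == tau."""
        before = self.tau_closure({s})
        if a == TAU:
            return before
        return self.tau_closure({t for x in before for t in self.succ(x, a)})

def _strong_match(lts, p, q, rel):
    """Every strong step of p is matched by a strong step of q into rel."""
    return all(any((p2, q2) in rel for q2 in lts.succ(q, a))
               for a, p2 in lts.edges[p])

def _weak_match(lts, p, q, rel):
    """Every strong step of p is matched by a weak step of q into rel."""
    return all(any((p2, q2) in rel for q2 in lts.weak_succ(q, a))
               for a, p2 in lts.edges[p])

def largest_bisimulation(lts, match):
    """Start from all pairs of states and drop any pair that fails the
    matching condition in either direction, until no pair is dropped."""
    states = lts.states()
    rel = {(p, q) for p in states for q in states}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (match(lts, p, q, rel) and match(lts, q, p, rel)):
                rel.discard((p, q))
                changed = True
    return rel

def strong_bisimilar(lts, p, q):
    return (p, q) in largest_bisimulation(lts, _strong_match)

def weak_bisimilar(lts, p, q):
    return (p, q) in largest_bisimulation(lts, _weak_match)

def sample_lts():
    """Constructed CCS-style processes, all sharing the NIL state "0"."""
    l = LTS()
    l.add("A", "a", "0")                                # A = a.NIL
    l.add("A_plus_NIL", "a", "0")                       # A + NIL: same steps as A
    l.add("P1", "a", "P1'")                             # P1 = a.(b.NIL + c.NIL)
    l.add("P1'", "b", "0")
    l.add("P1'", "c", "0")
    l.add("P2", "a", "P2b")                             # P2 = a.b.NIL + a.c.NIL
    l.add("P2", "a", "P2c")
    l.add("P2b", "b", "0")
    l.add("P2c", "c", "0")
    l.add("W1", "a", "W1'")                             # W1 = a.tau.b.NIL
    l.add("W1'", TAU, "W1''")
    l.add("W1''", "b", "0")
    l.add("W2", "a", "W2'")                             # W2 = a.b.NIL
    l.add("W2'", "b", "0")
    return l

if __name__ == "__main__":
    l = sample_lts()
    print(strong_bisimilar(l, "A_plus_NIL", "A"))   # True: A + NIL = A
    print(strong_bisimilar(l, "P1", "P2"))          # False: branching differs
    print(weak_bisimilar(l, "W1", "W2"))            # True: tau is unobservable
    print(strong_bisimilar(l, "W1", "W2"))          # False: tau step unmatched
```

Because the pair set only shrinks, the refinement loop terminates, and the relation it leaves is the greatest (strong or weak) bisimulation on the system; asking whether two particular states are bisimilar is then a membership test. The P1/P2 pair is the classic case where trace comparison is not enough: both can perform a followed by b or c, but after the a-step P2 has already committed to one of them.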
9.3 Timed Process Algebras
Introducing the notion of time to untimed process algebras makes them applicable to specify and verify real-time systems while maintaining their modular verification capabilities as well as their single-language specification advantage. Dual-language specifications include model checking and the time ER net/TRIO approach. For instance, in model checking, the modeled system is specified as a state-transition graph and the property to be checked is specified in temporal logic.
The time extension is done by adding timed operators to the original set of untimed operators. Several timed process algebras exist as a result of these timed extensions. These real-time process algebras can specify process synchronization delays and upper bounds in terms of absolute timing intervals but vary in the way they model the resources used by processes.
On one end of the spectrum is the assumption that each type of resource is unlimited so that a ready process (not blocked by communication constraints, as discussed in chapter 3) can start execution without delay. On the other end of the spectrum is the assumption that a single processor exists so that all process executions are interleaved. Between these two extreme assumptions are real-time process algebras that assume a limited number of resources. One popular timed process algebra that assumes a limited number of n resources capable of executing n actions is the ACSR [Lee, Bremond-Gregoire, and Gerber, 1994].
9.4 Algebra of Communicating Shared Resources
The ACSR language is a discrete real-time process algebra based on CCS (described earlier) that provides several operators to handle timing properties. These operators can be used to bound the execution time of a sequence of actions, to delay the sequence’s execution by a number of time units, and to timeout while waiting for specific actions to occur. The exception operator can be inserted into any place within a process and allows an exception to be raised, immediately handled by an external exception-handling process, just like in an exception-handling mechanism of a real computer process. The interrupt operator allows the specification of responses or reactions to asynchronous actions or events. The ACSR computation model views a real-time system as a collection of communicating processes competing for shared resources. Every execution step is either an action or an event.
Action: An action is a set of consumptions of resources $\{r_1, \ldots, r_n\}$ at corresponding non-negative priority levels $p_1, \ldots, p_n$ for one time unit. A resource consumption is denoted by a pair $(r_i, p_i)$.
The execution of an action is constrained by the availability of the specified resources and the priorities of competing actions. For example, the action {(cpu1, 2)} means the use of the resource cpu1 at priority level 2 for one time unit, and the action {(cpu1, 2), (disk2, 1)} means the use of the resource cpu1 at priority level 2 and the use of the resource disk2 at priority level 1 for one time unit. The action ∅ indicates idling for one time unit, that is, the non-consumption of any resource for one time unit.
An event serves as a synchronization or communication mechanism between processes, or as an observation or monitoring step by an entity external to the specified system.
Event: Each event $e_i$ has a corresponding priority $p_i$ and is denoted by a pair $(e_i, p_i)$.
The execution of an event is instantaneous and does not consume any resource. As for actions, priorities are used to determine which event to execute if there is more than one ready event. Unless synchronization constraints exist between matching events in two processes, they execute their events asynchronously.
Timed Behavior: A timed behavior is a possibly infinite sequence of execution steps. More precisely, this behavior is a sequence of actions in which a sequence of zero or more events may appear between any two consecutive actions.
in (a, n).P indicates that the event (a, n) executes (occurs) instantly with no time passage, and then process P runs. In CCS, “.” is the action operator used to express axioms.
The choice operator “+” in P + Q is basically an “or,” signifying a choice is available between processes P and Q. The effect is that this composed process may behave like either P or Q. In CCS, “+” is the summation operator, so A + B adds the atomic actions of A and B, yielding a sum of A and B’s actions. The parallel operator “∥” in P ∥ Q indicates that processes P and Q can execute in parallel. This is similar to CCS’s composition operator “|”.
The close operator “[ ]” in $[P]_I$ creates a process that only uses resources in the set I. The restriction operator “\” in P\F indicates that while process P is executing, events with labels in F cannot execute. This is similar to CCS’s restriction operator “\” as in A\b, which indicates that A is restricted so that there are no b or $\bar{b}$ actions. The hiding operator “\\” in P\\H hides the identity of the resources in the set H from process P. The notation rec X. P signifies process P is recursive so that the described behavior of P is infinite.
The following operator allows ACSR to specify absolute timing properties. The notation $P \,\triangle^{\alpha}_{t}\, (Q, R, S)$ indicates that a temporal scope binds the process P and is called the scope construct. t is a non-negative integer time bound. If P ends successfully before t by executing the event α, control is transferred to Q, called the success-handler. Otherwise, if P does not end successfully before t, control is transferred to R, called the timeout exception-handler. S may interrupt P before t time units and break the binding of P to this temporal scope, that is, cause P to exit this temporal scope.
The definition operator “def=” in $X \overset{\text{def}}{=} P$ allows one to use the process name X instead of its longer and more complex process expression P. As usual, subscripts are used to indicate indexed processes and events, as in $P_2$ and $(e_1, k).P$. The notation $P^n$ means that P executes or occurs n times, that is, $P : P : \cdots : P$, in which there are n Ps. This is similar to the notation used in regular expressions described in chapter 2.
Note that operators such as “.” have implicit timing specifications. Many notations (operators) borrow from logic operators.
9.4.2 Semantics of ACSR: Operational Rules
A labeled transition system (represented by a state space graph) is used to describe and define the executions of a process. The labeled transition system of a process is a labeled directed graph G = (V, E). V is a set of states of a process. E is a set of edges, each of which denotes an execution step or action $e_i$ such that an edge $(P_i, P_j)$ connects state $P_i$ to state $P_j$ iff there is a step $e_i$ that is enabled at state $P_i$, and executing $e_i$ will modify the state of the process to have the same values as the tuple at state $P_j$. An invocation of a process can be thought of as tracing a path in the labeled transition system.
The states are described by a concrete syntax (a process) in process algebra. We use a finite set of transition rules to infer the execution steps of the behavior of a process. Two transition systems are available for defining the semantics of ACSR: unconstrained and prioritized.
Unconstrained Transition System: In the unconstrained transition system, $P \xrightarrow{e} P'$ denotes a transition, and no indication is given of a priority for pruning impossible execution steps.
Prioritized Transition System: In the prioritized transition system, $P \xrightarrow{e}_{\pi} P'$ denotes a transition, and priority information is used to ignore impossible execution steps.
Operational rules are used to define the semantics of the ACSR operators. An operational rule defines an execution step corresponding to a transition in the labeled transition system. It describes a particular behavior of a process. Two ACSR axioms exist for action prefix and event prefix. These are similar to CCS’s prefix operator.
Example. Consider the process $C_{1,j} \overset{\text{def}}{=} \emptyset : C_{1,j} + \{(cpu1, 1)\} : C_{1,j+1} + \{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$. The last branch $\{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$ means that this process can use the resource cpu2 at priority level 1 for one time unit and go to process $C_{1,j+1}$.
The choice rules allow the selection of one option between two possible choices and are the same for actions and events. The choice operator is the same as CCS’s summation operator Sum.
Choice
$$\text{ChoiceL:}\quad \frac{P \xrightarrow{e} P'}{P + Q \xrightarrow{e} P'} \qquad\qquad \text{ChoiceR:}\quad \frac{Q \xrightarrow{e} Q'}{P + Q \xrightarrow{e} Q'}$$
Example. By the choice rules, the process $C_{1,j} \overset{\text{def}}{=} \emptyset : C_{1,j} + \{(cpu1, 1)\} : C_{1,j+1} + \{(cpu2, 1)\} : C_{1,j+1}$ may take any one of its three branches: idling for one time unit, using resource cpu1, or using resource cpu2.
The parallel operator Par is used to specify communication and concurrency. In CCS, the parallel operator Par is called the composition operator Com. The ParT rule applies to two synchronous time-consuming transitions. The ParIL, ParIR, and ParCom rules apply to event transitions, which may be asynchronous.
actions $A_1$ and $A_2$, respectively. This constraint indicates that only one process may use a specific resource during a time step.
$$\text{ParCom:}\quad \frac{P \xrightarrow{(a,\,n)} P' \qquad Q \xrightarrow{(\bar{a},\,m)} Q'}{P \,\|\, Q \xrightarrow{(\rho,\; n+m)} P' \,\|\, Q'}$$
Example. The following shows the parallel composition of five processes:
$$Radar \overset{\text{def}}{=} [(Scheduler \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4) \setminus \{s_1, s_2, s_3, s_4\}]_{\{cpu1,\, cpu2\}}.$$
The scope operator is used to specify behaviors induced by a temporal scope. The ScopeCT and ScopeCI rules mean that while t > 0 and P does not execute an event b, P’s executions continue. The “end” ScopeE rule means that P can exit the temporal scope by executing an event b. This label b becomes the identity label ρ on exit. The timeout ScopeT rule means that when t = 0, indicating timeout from the scope, control is transferred to the timeout exception-handler R. The ScopeI rule means that while the scope is active, process S may kill (interrupt) process P.
Example. The following process illustrates the restriction operator:
$$Radar \overset{\text{def}}{=} [(Scheduler \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4) \setminus \{s_1, s_2, s_3, s_4\}]_{\{cpu1,\, cpu2\}}.$$
The set of events $\{s_1, s_2, s_3, s_4\}$ is excluded from the behavior of the above five parallel processes.
The hiding operator Hide is used to hide information about resource usage from the external environment. Events are not affected.
Hiding
$$\text{HideT:}\quad \frac{P \xrightarrow{A} P'}{P \backslash\backslash H \xrightarrow{A'} P' \backslash\backslash H} \quad \text{where } A' = \{(r, n) \in A \mid r \notin H\}$$
$$\text{HideI:}\quad \frac{P \xrightarrow{(a,\,n)} P'}{P \backslash\backslash H \xrightarrow{(a,\,n)} P' \backslash\backslash H}$$
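The Choice, Par, Scope, restriction and Hide rules of this section can be read together as one step function over process terms. The following Python program is an added example, not code from the book or from any ACSR tool: it implements the unconstrained transition system (no priority pruning) for a small fragment of ACSR, following the rules as stated above, and then runs the resource-conflict case of ParT, the synchronisation case of ParCom under restriction, the HideT rule, and a temporal scope that either succeeds or times out. Two points are simplifications assumed by this example rather than ACSR’s own definitions: the internal label produced by synchronisation and by scope exits is spelled "tau" (the rules above write it ρ), and timeout is modelled as a silent step from the scope to R. All process, resource and event names are constructed.

```python
# Added example (not from the book or any ACSR tool): a miniature interpreter for
# the unconstrained transition system of a small ACSR fragment. Terms are plain
# tuples; process, resource and event names are constructed for the example.
from itertools import product

TAU = "tau"          # internal label (written rho in the book's rules): assumed spelling
NIL = ("nil",)

def act(action, p):    return ("act", frozenset(action.items()), p)  # A : P, A = {res: prio}
def ev(name, prio, p): return ("ev", (name, prio), p)                # (a, n).P
def choice(p, q):      return ("+", p, q)
def par(p, q):         return ("par", p, q)                          # P || Q
def hide(h, p):        return ("hide", frozenset(h), p)              # P \\ H
def restrict(f, p):    return ("restrict", frozenset(f), p)          # P \ F
def name(x):           return ("name", x)                            # defined process X
def scope(p, t, alpha, q, r, s): return ("scope", p, t, alpha, q, r, s)

def is_action(label): return label[0] == "A"
def complement(a):    return a[1:] if a.startswith("!") else "!" + a   # a <-> !a
def resources(label): return {r for r, _ in label[1]}

def steps(term, defs=None):
    """All (label, successor) pairs enabled at `term` under the unconstrained rules.
    Labels: ("A", frozenset{(resource, priority)}) for one-time-unit actions,
            ("E", (name, priority)) for instantaneous events."""
    defs = defs or {}
    kind = term[0]
    if kind == "nil":
        return []
    if kind == "name":                       # X def= P: unfold the definition
        return steps(defs[term[1]], defs)
    if kind == "act":
        return [(("A", term[1]), term[2])]
    if kind == "ev":
        return [(("E", term[1]), term[2])]
    if kind == "+":                          # ChoiceL and ChoiceR
        return steps(term[1], defs) + steps(term[2], defs)
    if kind == "par":
        p_steps, q_steps = steps(term[1], defs), steps(term[2], defs)
        out = []
        for (lp, p2), (lq, q2) in product(p_steps, q_steps):
            if is_action(lp) and is_action(lq):            # ParT: disjoint resources only
                if not resources(lp) & resources(lq):
                    out.append((("A", lp[1] | lq[1]), par(p2, q2)))
            elif not is_action(lp) and not is_action(lq):  # ParCom: complementary events
                (a, n), (b, m) = lp[1], lq[1]
                if b == complement(a):
                    out.append((("E", (TAU, n + m)), par(p2, q2)))
        # ParIL / ParIR: one side performs an event on its own
        out += [(l, par(p2, term[2])) for l, p2 in p_steps if not is_action(l)]
        out += [(l, par(term[1], q2)) for l, q2 in q_steps if not is_action(l)]
        return out
    if kind == "hide":                       # HideT drops resources in H; HideI keeps events
        h, out = term[1], []
        for l, p2 in steps(term[2], defs):
            if is_action(l):
                l = ("A", frozenset((r, n) for r, n in l[1] if r not in h))
            out.append((l, hide(h, p2)))
        return out
    if kind == "restrict":                   # P \ F: events named in F (or complements) cannot fire
        f = term[1]
        return [(l, restrict(f, p2)) for l, p2 in steps(term[2], defs)
                if is_action(l) or (l[1][0] not in f and complement(l[1][0]) not in f)]
    if kind == "scope":
        p, t, alpha, q, r, s = term[1:]
        if t == 0:                           # ScopeT: bound exhausted, silent step to R (assumed)
            return [(("E", (TAU, 0)), r)]
        out = []
        for l, p2 in steps(p, defs):
            if not is_action(l) and l[1][0] == alpha:   # ScopeE: success, exit to Q
                out.append((("E", (TAU, l[1][1])), q))
            elif is_action(l):                          # ScopeCT: one time unit passes
                out.append((l, scope(p2, t - 1, alpha, q, r, s)))
            else:                                       # ScopeCI: instantaneous step
                out.append((l, scope(p2, t, alpha, q, r, s)))
        return out + steps(s, defs)                     # ScopeI: S may interrupt P
    raise ValueError(f"unknown term kind {kind!r}")

def run(term, defs=None, limit=20):
    """Follow the first enabled step repeatedly (one interleaving); return the
    labels seen and the term where execution stopped (deadlock or limit)."""
    trace = []
    while limit > 0:
        enabled = steps(term, defs)
        if not enabled:
            break
        label, term = enabled[0]
        trace.append(label)
        limit -= 1
    return trace, term

if __name__ == "__main__":
    # Constructed sample: a job that needs two cpu1 time units, then signals "done"
    job = act({"cpu1": 1}, act({"cpu1": 1}, ev("done", 1, NIL)))
    handlers = (ev("success", 1, NIL), ev("timeout", 1, NIL), NIL)
    print(run(scope(job, 3, "done", *handlers))[0])   # ends with the success event
    print(run(scope(job, 1, "done", *handlers))[0])   # ends with the timeout event
    print(steps(par(act({"cpu1": 1}, NIL), act({"cpu1": 2}, NIL))))   # []: cpu1 conflict
```

Two behaviours worth noticing when running it: two processes that both demand cpu1 in the same time unit have no ParT step at all (the composition is stuck until one of them offers an alternative such as the idle action ∅, exactly the situation the $C_{1,j}$ example guards against), and hiding cpu2 removes it from the composite action label without removing the constraint that the hidden resource was consumed.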