A Formalism for Real-Time Concurrent Object-Oriented ... - CiteSeerX

Proceedings of ACM OOPSLA'92

A Formalism for Real-Time Concurrent Object-Oriented Computing Ichiro Satoh [email protected]

Mario Tokoro

3

[email protected]

Department of Computer Science, Keio University 3-14-1, Hiyoshi, Kohoku-ku, Yokohama, 223, Japan

Tel:+81-45-560-1150

Abstract We investigate a formal model for reasoning about real-time object-oriented computations. The model is an extension of CCS with the notion of time, called RtCCS (Real-time Calculus of Communication Systems). It can naturally model real-time concurrent objects as communicating processes and represent the timed properties of objects. We de ne two timed equivalences based on CCS's bisimulation and derive algebraic laws for reasoning about real-time processes. The equivalences provide a formal framework for analyzing the behavior and timing of real-time computations. Also, we de ne a sound and complete equational proof system for nite processes. Some examples in RtCCS are shown in order to demonstrate its usefulness.

1 Introduction Real-time systems are increasingly being used in various areas such as factory automation, robotics, and multi-media systems. These systems have to interact and cooperate with many external ele-

Also with Sony Computer Science Laboratory Inc. 314-13 Higashi-Gotanda, Shinagawa-ku, Tokyo, 141, Japan. 3

Fax:+81-45-560-1151

ments which run in parallel, such as other computers, sensors, and actuators. The notion of concurrent object-oriented computing [24] is considered as a powerful method to design and to develop such real-time systems. This is because concurrent object-oriented systems consist of objects which are logically self-contained active entities that cooperate with each other. Concurrent objects can naturally model such active elements directly. Recently, some real-time systems and languages use this concept as their basis [9, 21]. Real-time systems have certain time constraints which must be satis ed. The correctness of a realtime system depends not only on the logical results of computation, but also on the time at which the results are produced. Therefore, the construction and debugging of real-time programs is far more complex and dicult than those of ordinary concurrent programs. We need the support of formal veri cation methods for reasoning about real-time programs. In the past few years several researchers have proposed such methods based on timed Petri nets, rst order logics, and temporal logics. However, these frameworks are not always t for concurrent object-oriented computing. The goal of this paper is to investigate a formal model to reason about real-time object-oriented computations. Various formal models for concurrent objectoriented computation have previously been devised. Among these, process calculus [2, 11, 13] is a well-de ned theory that can model naturally and easily concurrent objects as communicating pro-

cesses which may change their states when communicating with another agent. Also, process calculi have equivalence relations over processes which provide theoretical frameworks for analyzing the behavior of objects and for substituting objects. In this paper we develop a process calculus which permits expressing and analyzing time constraints in real-time object-oriented computations. To do this, we extend an existing process calculus with the notion of time and introduce a timed process calculus called RtCCS (Real-time Calculus of Communication Systems). It is an extension of Milner's CCS [11] with a minimal set of notions for time: a tick action and a timeout operator. The execution of tick actions corresponds to the passage of time; the timeout operator represents a behavior dependent on the passage of time. Furthermore, we develop theoretical equivalences over processes with time properties. In RtCCS, time independent properties of processes can be treated as usual CCS while the time dependent properties can be treated with the timed extensions. In order to demonstrate its eectiveness in a simpler form, our timed extension is developed for CCS. However, the same extension can be naturally adopted into  -calculus [13] which has more powerful mechanisms for modeling object-oriented computing. In the next section, we discuss some of the related works. In Section 3, we de ne the syntax and the operational semantics of RtCCS. Section 4 de nes two equivalence relations called timed strong equivalence and timed observation equivalence respectively, and studies their basic properties. In Section 5, we present some examples that demonstrate the usefulness of RtCCS. The nal section contains some concluding remarks. In Appendix A, we de ne an equational proof system based on timed strong equivalence.

2 Related Research Recently, many theoretical models for concurrent object-oriented computations have been explored in process calculi, such as CCS [11], -calculus [13], and ACP [2]. In the process calculus paradigm,

objects can be viewed as processes, interactions among objects can be seen as communications, and encapsulation can be modeled by the restriction of visible communications. In [8] a formal system based on the notion of actor-like object with asynchronous communication was investigated, and in [17] an executable notation for specifying concurrent object-oriented languages in a process calculus was explored. In [18] some requirements for a calculus suitable for concurrent objects is presented. In [15] the author presents a language based on a process calculus and analyzes the essential features of object-based concurrency. In [22] a semantics for POOL [1] is de ned by the translation of the language constructs into -calculus [13]. Many theoretical models for real-time computations have been explored in temporal logic, timed Petri nets, and denotational semantics frameworks based on linear history semantics. More recently, several studies developed temporal models based on process calculi such as CCS, ACP, and CSP [6, 5, 10, 16, 14, 23]. Milner's SCCS [10] is a calculus for synchronous processes based on the idea that each atomic action takes one unit of time. The concurrent agents of SCCS essentially proceed in lockstep and at every instant perform a single action; there is also an asynchronous operator. Since each object in an object-oriented computation proceeds at indeterminate relative speeds, SCCS does not t our purposes. TPA [6], timed CCS [23], and Temporal CCS [14] introduce delay operators into CCS. The delay operators represent the suspension of execution for a speci ed time, similarly to the delay command in Ada. In TPA and timed CCS, like in RtCCS, there are two assumptions: time advances only when communications are not possible and that actions are instantaneous. Once an action is enabled, it cannot be disabled. Therefore, they cannot express timeout behavior. On the other hand, Temporal CCS can represent timeout behavior but has no equivalent relation over processes based on observation of their behaviors. PTCCS [5] and ATP [16], like ours, have a timeout operator. PTCCS is

an extension of CCS with discrete time and probability. PTCCS is similar to our RtCCS. However, unlike ours, time stops inside the timeout operator of PTCCS. Therefore, the timeout operator of PTCCS cannot apply to a process with timed properties, and PTCCS cannot describe a timeout exception for such a process. The timeout operator of ATP is similar to ours. However, ATP has no notion of observation equivalence because ATP has no  action, since it is not based on CCS.

process Q if P does not perform any action within t units of time. That is to say, P and Q correspond

to ordinary and timeout processes respectively, in practical programming. if t > 1

In this section, we present the basic idea of RtCCS and provide its formal de nition. 3.1

0 @

P

0a 0 9 0

P

p a0 @ @@R 090 0

@@R 00

P P

a 0 0! p P 0! P 00

hP ; Qit01

hP; Qi1

if t = 1

3 RtCCS

hP; Qit p

P

a 0! P0

Q

Figure 1: The behavior of the timeout operator

Time Extensions

We assume a conceptual global clock: time passes as the global clock performs tick actions. The tick action is a synchronous broadcast message over all processes. It is described as p. The advance of time can be represented as a sequence of tick actions and is viewed as discrete time. Also, we assume that all communications and internal actions take no time, and that complementary actions and internal actions are performed as soon as they become possible. Therefore, a process having a communication action ready must wait until other process becomes ready to communicate with it. Once both the partners of a communication are ready, they must perform the communication actions immediately, before the next tick p. As mentioned previously, many real-time programming languages have timed operations such as delay and timeout. In order to be used as a framework for formal semantics of languages, RtCCS needs to represent behaviors dependent on the advancing of time. We introduce a special binary operator: h ; it, called a timeout operator. As shown in Figure 1, hP; Qit denotes a process that after t time units becomes Q, unless P performs any actions prior to that. Intuitively hP; Qit behaves as process P if P can execute an initial transition within t units of time, whereas hP; Qit behaves as

3.2

The RtCCS Language

In this subsection, we present the syntax and the operational semantics of RtCCS.

3.2.1 Notation and Syntax of RtCCS We presuppose that A is a set of communication action names and A the set of co-names. Let a,b,. . . range over A and a,b,. . . over A. An action a is the complementary action of a, and a  a. Let  denote an internal action, and p a tick action. Finally let Act  A[A[f g ranged over by , ,. . ., and ActT  Act [ fpg ranged over by ,  ,. . ..

De nition 1 The set E of RtCCS expressions ranged over by E; E1 ; E2 ; F; . . . is de ned recursively by the following abstract syntax.

E ::= 0 j X j :E j E1 + E2 j E1 jE2 j E [f ] j EnL j rec X : E j hE1 ; E2it

(Deadlock Process) (Process Variable) (Action Pre x) (Summation) (Composition) (Relabeling) (Restriction) (Recursion) (Timeout)

where t is a natural number, f 2 Act ! Act and L  Act . We assume that f ( ) =  , f (p) = p, and that X is always guarded 1 [11]. We denote the set of closed expressions by P ( E ), ranged over P; Q; . . ..

The syntax of RtCCS is essentially the same as that of CCS, except for the newly introduced tick action p and timeout operator. Intuitively, the meaning of process constructions are as follows: 0 represents a deadlocked or terminated process; :E performs an action  and then behaves like E ; E1 + E2 is the process which may behave as E1 or E2; E1jE2 represents processes E1 and E2 executing concurrently; E [f ] behaves like E but with the actions relabeled by function f ; E n L behaves like E but with actions in L [ L prohibited; rec X : E binds the free occurrences of X in E but we shall often use the more readable notation X def = E instead.

3.2.2 Operational Semantics of RtCCS RtCCS is a labeled transition system h E ; ActT ;   f 0! j  2 ActT g i where 0! is a transition re lation (0! E 2E ). The transition relation 0! is

de ned by structural induction and is the smallest relation given by the rules in Figure 2. The 0! relation does not distinguish between observable and unobservable actions. In order to re ect that  is not visible, we de ne two transition relations due to the unobservability of  .

ACT0 :

Also, we de ne an operation to denote a process capable of in nite internal computation.  ! 0 De nition 3 E " if 9E 0 : E (0! ) E

X is in E if each occurrence of X is only within some subexpressions :E 0 in E ; c.f. expressions, e.g. rec X : X or rec X : X + E . 1

guarded

0p

ACT1 :

a:E 0! a:E

ACT2 :

0 0! 0

SUM0 : SUM1 : SUM2 : COM0 : COM1 : COM2 : COM3 :

0p

 E 0! E0  E + F 0! E 0  F 0! F0  E + F 0! F 0 p p E 0! E 0 p; F 0! F 0 E + F 0! E 0 + F 0  E 0! E0  E jF 0! E 0 jF

 F 0! F0  E jF 0! E jF 0 a a E 0! E 0 ; F 0! F0  E jF 0! E 0 jF 0 p p E 0! E 0 ; F 0! F 0 ; E jF p E jF 0! E 0jF 0

0! 6

RES0 :

 E 0! E 0 ; ;  2= L  E n L 0! E0 n L

RES1 :

0 E 0! p E E n L 0! E 0 n L

REL :

 E 0! E0 f () 0 E [f ] 0! E [f ]

REC :

 E frec X : E=X g 0! E0  rec X : E=X 0! E 0

De nition 2   3   3 (i) P =) Q def = P (0! ) 0! (0! )Q b  3   3 (ii) P =) Q def = P (0! ) 0! (0! ) Q if  = 6   3 and otherwise P (0!) Q.

0

 :E 0! E

TIME0 : TIME1 : TIME2 :

p

 E 0! E0 ; t > 0  hE; F it 0! E0 p E 0! pE 0 ; t > 0 hE; F it 0! hE 0; F it01  F 0! F0  hE; F i0 0! F 0

unguarded

Figure 2: Inference Rules of RtCCS

Example 1 Here we give some simple examples of RtCCS expressions.

(1) a:hb:P ; 0it After performing an input action a, it behaves as P if an output action b is executed within t units of time, otherwise terminates. (2) a:h0; b:P it After performing a, it is idle for t time units and then behaves as b:P . (3) a:(h0; b:0id jP ) After performing a, it behaves as P but b becomes available after d time units. Note that h0; b:0id jP represents a process which behaves as P and sends b as an asynchronous output communication with transmission delay d time units. Remarks

1. The fundamental aspects of concurrent objectoriented computing are modeled as the primitive constructions of RtCCS as follows:

 

Objects as processes.



Message passing as communication between processes.



Encapsulation in objects as restriction and relabeling.

Concurrency among objects as parallel composition.

Also, we capture the fundamental aspects of real-time computing delayed processing and timeout handling, through the timeout operator of RtCCS. 2. An external action cannot be performed before its partner action in another process is ready to communicate. While a process having an external action is waiting for its partner action, it must perform p actions. If a process has an executable communication (including  ), it must perform the communication immediately, instead of idling.

4

Timed Bisimilarity

In this section we present two equivalences over processes, which are extensions of CCS's bisimulation with the notion of time. The equivalences provide a formal framework for analyzing the behavior and timing of real-time object-oriented computations. 4.1

Timed Strong Equivalence

De nition 4 A binary relation S  P 2 P is a timed strong bisimulation if (P; Q) 2 S implies, for all  2 Act T ,

  (i) 8P 0 : P 0! P 0  9Q0: Q 0! Q0 ^ (P 0; Q0) 2 S .   (ii) 8Q0: Q 0! Q0  9P 0 : P 0! P 0 ^ (P 0; Q0) 2 S .

We let \T " denote the largest timed strong bisimulation, and call P and Q timed strongly equivalent if P T Q. Intuitively, if P and Q are timed strongly equivalent, they seem indistinguishable from one another in behavior and timing. We show some algebraic properties of the equivalence:

Proposition 1 1. 2. 3. 4.

P + Q T Q + P P + (Q + R) T (P + Q) + R P + P T P P + 0 T P

Proposition 2

P jQ T QjP P j(QjR) T (P jQ)jR P j0  T P (P + Q) n L T P n L + Q n L  2 L [ L 5. (:P ) n L T 0:P n L ifotherwise 6. (P + Q)[f ] T P [f ] + Q[f ] 7. (:P )[f ] T f ():P [f ] 1. 2. 3. 4.

Proposition 3 1. h:P ; :P it T :P

2. 3. 4. 5. 6. 7. 8.

h:P ; h:P ; Qit is T h:P ; Qis+t h:P + Q; Rit T :P + Q (t > 0) hP; Qit n L T hP n L; Q n Lit hP; Qit [f ] T hP [f ]; Q[f ]it hP; Q + Rit T hP; Qit + hP; Rit hP + Q; Rit T hP;Rit + hQ; Rit P; Rit (s  t) hhP; Qis; Rit T hhP; hQ; Rit0sis (s < t)

Proof. All the laws may be proved by exhibiting appropriate timed strong bisimulations. The hardest is (8) of Proposition 3 in the case of (s < t) which we prove as follows: We need to show that S is a timed strong bisimulation, where f ( hhP1; P2 is ; P3 it ; hP1 ; hP2; P3it0s is ) j 0 s < t; P1 ; P2 ; P3 2 Pg. So let hhP1 ; P2 is ; P3 it 0! Q1 ; it is enough to  nd Q2 such that hP1; hP2 ; P3 it0sis 0! Q2 and (Q1; Q2 ) 2 S . There are two cases:  Case 1  2 Act and P1 0! P10 . By TIME0 , 0 0 Q1  P1 , and Q2  P1 , and we know Q1  Q2 . Case 2  = p. p Case 2.1 s = 0. We assume that P2 0! P20 . By TIME2 , Q1  hP20 ; P3 it01 and Q2  hP20 ; P3 it01 , hence Q1  Q2 . p Case 2.2 s > 0. We assume that P1 0!P10 . By TIME1 , Q1  hhP10 ; P2 is01 ; P3it01 , and Q2  hP10 ; hP2 ; P3it0s is01 , and clearly (Q1 ; Q2) 2 S .

By a symmetric argument, we complete the proof. RtCCS, like CCS, is based on the concept of interleaving and can reduce concurrent processes to sequential processes in terms of nondeterminism, for example, :0j :0 T : :0 + ::0.

Corollary 1 The Expansion Laws

 P 2  :P and Q  P 2 :Q ; P P P jQ T i2I i :(Pi jQ) + j2J j :(P jQj ) P + :(P jQ )

1. Let P

i

I

i

i

i = j

j

i

j

J

j

j

 hP 2  :P ; P 0 i1 and Q  P 2 :Q ; P P P jQ T h i2I i :(Pi jQ) + j 2J j :(P jQj ) P + i = j :(Pi jQj ) ; P 0 jQi1 P 3. Let P  h 2  :P ; P 0i1 and Q  P 0 h 2 :Q ; Q i1 ; P P P jQ T h i2I i :(Pi jQ) + j 2J j :(P jQj ) P + :(P jQ ) ; P 0 jQ0 i

2. Let P

i

I

i

i

i

j

J

j

j

I

i

j

J

j

i

j

i

i = j

j

1

From the laws in Proposition 1, 2, 3, and Corollary 1, we can develop an equational proof system based on timed strong equivalence. The system is given in appendix A.

Proposition 4 (Congruence)

Timed strong equivalence operators.

T

is preserved by all

Proof. We show a proof only for the timeout operator; the proofs for the other operations are similar to the proofs of [11]. We will prove that hP1 ; Qit T hP2; Qit where P1 ; P2 ; Q 2 P and P1 T P2. It is enough to show that S = f(hP1; Qit ; hP2 ; Qit) : P1 T P2 ; t  0g is a timed strong bisimulation. We assume hP1; Qit 0! R. There are two cases: 

Act and P1 0! P10 . Then be cause P1 T P2, we have 9P20 : P2 0! P20  with P10 T P20 . Hence hP1 ; Qit 0! P10 ,  hP2 ; Qit 0! P20 , and clearly P10 T P20 . Case 2  = p. Case 2.1 t = 0. Obvious.   Case 2.2 t > 0, P1 0! P10 , and hP1 ; Qit 0! hP10 ; Qit01 . Then because P1 T P2,  we have 9P20 : P2 0! P20 with P10 T  P20 . Hence hP2 ; Qit 0! hP20 ; Qit01 and 0 0 (hP1 ; Qit01 ; hP2 ; Qit01 ) 2 S .

Case 1 

2

By a symmetric argument, we complete the proof. The proof for the other case of the timeout operator, i.e. hQ; P1 it T hQ; P2it where P1 T P2 , is similar. By this proposition we guarantee that if two objects are timed strongly equivalent, the objects are substitutable for each other.

4.2

Timed Observation Equivalence

The timed strong equivalence has several useful algebraic properties but gives no special status to the internal action  which indeed should not be observed. We present a weaker equivalence which re ects the observation of behaviors and timing in the computation.

De nition 5 A binary relation S  P 2 P is a timed weak bisimulation if (P; Q) 2 S implies, for all  2 Act T ,  b (i) 8P 0: P =) P 0  9Q0 : Q =) Q0 ^ (P 0 ; Q0 ) 2 S .  b (ii) 8Q0 : Q =) Q0  9P 0 : P =) P 0 ^ (P 0 ; Q0 ) 2 S .

 (i) 8P 0 : P =) P 0  (ii) 8Q0: Q =) Q0 (iii) P " i Q ".

We write P =T Q if P and Q are timed observation congruent.

Proposition 6 If P T Q and both processes are stable 2 , then P =T Q. Proof. Direct from De nition 5 and 6.

Proposition 7 For all P; Q 2 P , if P T Q then P =T Q, and if P =T Q then P T Q.

Let \T " denote the largest timed weak bisimulation, and call P and Q timed observation equivalent if P T Q.

T

Intuitively, if P and Q are timed observation equivalent, each action of P must be matched by a sequence of actions of Q with the same visible contents and timing, and conversely. The equivalence can equate objects that are not distinguishable by the observable behavior and the timing in the computations.

Proposition 8

Proposition 5 1. 2. 3. 4. 5. 6. 7.

:P T P ::P T :P :P + P T :P :(:P + Q) T :(:P + Q) + :Q h:P ; Qit T P (t > 0) hP; :Qit T hP; Qit h:P ; :h:P ; Qis it T h:P ; Qis+t

Proof. Easy application of De nition 5.

Like a weak equivalence in CCS, T is not a congruence relation. However, we can de ne a timed observation congruence relation based on the timed observation equivalence.

De nition 6 P and Q are timed observation congruent if for all  2 Act T

 9Q0: Q =) Q0 ^ P 0 T Q0 .  9P 0 : P =) P 0 ^ P 0 T Q0 .

Proof. By De nition 4 to 6, clearly =T lies between and T .

Intuitively, if P T Q and both have no  derivative, then P =T Q. Therefore, we can easily prove the following properties.

1. 2. 3. 4. 5.

::P =T :P :P + P =T :P :(:P + Q) =T :(:P + Q) + :Q hP; :Qit =T hP; Qit (t > 0) h:P ; :h:P ; Qisit =T h:P ; Qis+t

Proof. Use Proposition 5 and 6.

Proposition 9 (Congruence)

Timed observation congruence =T is preserved by all operators. Proof. Same as Proposition 4.

=T is a congruence relation and very close to timed observation equivalence. We grantee that if two objects are timed observation congruent, they are substitutable for each other even though their internal implementations are dierent. 2

P

 is stable if P 0! P 0 is impossible for all P 0 .

Remarks

It seems that we can always assume that if P  Q (or P  Q) holds in CCS, then P T Q (or P T Q) holds in RtCCS. There is however a counterexample: unguarded recursion expressions, e.g., rec X : X expression. This is because in RtCCS such expressions are not allowed. However, we think that such expressions are unrealizable in object-oriented computing.

5 Examples In this section we present two examples which illustrate the expressiveness and utility of RtCCS.

Example 2 A Timer Object

We describe a timer object T in RtCCS as follows:

T def = start:hstop:T ; timeout:T it Upon reception of a request start to start the timer, it receives the amount t of p and then sends timeout. If it accepts a request stop, the timer goes back to its initial state T .

Example 3 Veri cation of Timed Systems

In order to illustrate how to describe and verify systems in RtCCS we describe the Alternating Bit Protocol for OSI data link layer. There are ve components: the sender, the receiver, the two unreliable channels, and the timer. To nd out duplicate messages or acknowledgments, messages and acknowledgements are sent tagged with bits 0 and 1 alternately.





Upon reception of a request to send a message (accept ), the sender sends it tagged with an appropriate bit b (send S;b ) to the channel. It then waits for an appropriate acknowledgement (ack R;b ). If the acknowledgement cannot be received within a speci ed period of time, the sender retransmits the message. The two channels are unreliable. They may occasionally lose a message or an acknowledgement.



The receiver waits for a message (send R;b or send R;bb , where bb is the complement of b) and then it sends an acknowledgement to the channel (ack R;b or ack R;bb ). If it accepts a message tagged with an appropriate bit, it sends the message to the environment (deliver ).

The sender S has the following de nition.

Sb def = accept:Sb0 Sb0 def = sendS;b :start:Sb00 Sb00 def = ackS;b :stop:Sbb + ackS;bb :Sb00 + timeout:Sb0 = accept:Sbb0 Sbb def

Sbb0 def = sendS;bb :start:Sbb00 Sbb00 def = ackS;bb :stop:Sb + ackS;b :Sbb00 + timeout:Sbb0 The timer T has the following de nition, where t is the timeout time.

T def = start:hstop:T ; timeout:T it The channel C1 has the following de nition, where s is the transmission time for a message.

C1 def = sendS;b :h0; sendR;b :C1 + :C1is + sendS;bb :h0; sendR;bb :C1 + :C1 is The channel C2 has the following de nition, where a is the transmission time for an acknowledgement.

C2 def = ackR;b:h0; ackS;b :C2 + :C2 ia + ackR;bb :h0; ackS;bb :C2 + :C2 ia The receiver R has the following de nition.

Rb def = sendR;b :deliver:ackR;b :Rbb + sendR;bb :ackR;bb :Rb

= sendR;bb :deliver:ackR;bb :Rb Rbb def + sendR;b :ackR;b:Rbb

We present the behavior of the whole protocol under the assumption that s + a < t. The protocol is constructed by the parallel composition of

the sender, the receiver, the two channels, and the timer, as follows: (Sb jT jC1 jC2 jRb ) n L where L def = fsendS;b ; sendS;bb ; sendR;b; sendR;bb ;

ackS;b; ackS;bb ; ackR;b; ackR;bb ; start; stop; timeoutg

By using timed bisimilarity, we transform (Sb jT jC1 jC2 jRb ) n L into a timed observation equivalent expression ABP, which is a sequential process: (Sb jT jC1 jC2 jRb ) n L

T

ABP where

= accept:ABP 0 X ABP 0 def = :h0; deliver: h0; ABP ii2t+a is i 0 + :h0; ABP 0 it ABP

def

We present the proof of this transformation in Appendix B. By using the simpler expression, we can not only investigate the behavior of the protocol but also temporal properties, such as the minimal and maximal delay for delivering a message. With speci cations based on RtCCS, we can derive the behavior and timing of whole systems from the description of its components. Timed bisimilarities allows us to analyze systems through timed and behaviorally equivalent processes which may have substantially less complexity in their structure.

6 Conclusion We have de ned a formal model called RtCCS for real-time object-oriented computations. RtCCS is an extension of Milner's CCS by introducing a tick action and a timeout operator. It can formally describe the aspects of time dependence in realtime systems and enjoy many pleasant properties of CCS. We have introduced two timed equivalences based on CCS's bisimulation: timed strong equivalence and timed observation equivalence. The

equivalences provide a formal framework for analyzing the behavior and timing of real-time computations. We have presented examples that demonstrate the expressiveness and the proof method of RtCCS. Furthermore, we have given a sound and complete equational proof system based on timed strong equivalence in appendix. As an application of RtCCS, we are presently developing on the semantics of real-time objectoriented languages, such as DROL [21]. The semantics is de ned by translation rules from the syntactical constructions of the languages into RtCCS process expressions, also used as a static veri cation model for real-time programs. Details are presented in [19]. We are also interested in investigating whether an axiomatization based on observation congruence [12] can be applied to RtCCS, and whether other process equivalences such as distributed bisimulation [3] and testing equivalence [4] can be adopted by RtCCS.

Acknowledgements We are grateful to P. Wegner, and K. Takashio for useful discussions. We would like to thank Y. Ishikawa and K. Honda for suggestions at the early stage of this work. We thank V. Vasconcelos, and T. Minohara for comments on an earlier version of this paper.

References [1] America, P., de Bakker, J., Kok, J., and Rutten, J., Operational Semantics of a Parallel ObjectOriented Language, In proceedings of ACM POPL, 1987. [2] Beaten, J. C. M, and Bergstra, J. A, Process Algebra, Cambridge University Press 1990. [3] Castellani, H., Hennessy, M., Distributed Bisimulation, Journal of ACM, Vol.36, No.4, 1989. [4] de Nicola, R. and Hennessy, M., Testing equivalence for processes, Theoretical Computer Science, Vol.34, 1984. [5] Hansson, H. and Jonsson, B., A Calculus of Communicating Systems with Time and Probabilities,

[6] [7] [8] [9]

[10] [11] [12] [13]

[14] [15] [16] [17] [18]

[19]

[20]

In proceedings of the 11th IEEE Real-Time Systems Symposium, 1990. Hennessy, M. and Regan, T., A Temporal Process Algebra, Technical Report 2/90, University of Sussex, 1990 Hoare, C. A. R., Communicating Sequential Processes, Prentice Hall, 1985. Honda, K., and Tokoro, M., An Object Calculus for Asynchronous Communication, In proceedings of ECOOP'91, LNCS 512, 1991. Ishikawa, Y., Tokuda, H., and Mercer, C. W., Object-Oriented Real-Time Language Design: Construction for Timing Constraints, In proceedings of ECOOP/OOPSLA'90, 1990. Milner, R., Calculi for Synchrony and Asynchrony, Theoretical Computer Science, Vol.25, 1983. Milner, R., Communication and Concurrency, Prentice Hall, 1989. Milner, R., A Complete Axiomatization for Observational Congruence of Finite Behavior, Information and Computation, Vol.81, 1989. Milner, R., Parrow, J., and Walker, D., A Calculus of Mobile Processes Part 1 & 2, Technical report ECS-LFCS-89-85 & 86, University of Edinburgh, 1989. Moller, F., and Tofts, C., A Temporal Calculus of Communicating Systems, In proceedings of CONCUR'90, LNCS 458, 1990. Najm, E., and Stefani, J. B., Object-Based Concurrency: A Process Calculus Analysis, In proceedings of TAPSOFT'91, LNCS 493, 1991. Nicollin, X., and Sifakis, J., The Algebra of Timed Process ATP: Theory and Applications, IMAG Technical Report, RT-C26, 1990. Nierstrasz, O. M., and Papathomas, M., Viewing Objects as Patterns of Communicating Agents, In proceedings of ECOOP/OOPSLA'90, 1990. Nierstrasz, O. M., Towards an Object Calculus, In proceedings of ECOOP'91 Workshop on Concurrent Object-Based Concurrent Computing, LNCS 612, 1992. Satoh, I., and Tokoro, M., A Formal Description and Veri cation for Parallel Computing with Timed Constraints, In proceeding of Joint Symposium Parallel Processing'92, June, 1992. (in Japanese) Satoh, I., and Tokoro, M., Timed Process Calculus Semantics for A Real-Timed Concurrent ObjectOriented Language, Technical Report, Dept. Computer Science, Keio University, February, 1992.

[21] Takashio, K., and Tokoro, M., DROL: An ObjectOrinted Programming Language for Distributed Real-time Systems, In proceedings of ACM OOPSLA'92, October, 1992. [22] Walker, D.,  -Calculus Semantics of ObjectOriented Programming Languages, In proceedings of Theoretical Aspects of Computer Software, LNCS 526, 1991. [23] Yi, W., CCS + Time = an Interleaving Model for Real Time Systems, In proceedings of Automata, Languages and Programming'91, LNCS 510, 1991. [24] Yonezawa, A., and Tokoro, M., editors, ObjectOriented Concurrent Programming, MIT Press, 1987.

Appendix A In this appendix, we develop a sound and complete equational proof system based on timed strong equivalence. We rst restrict our attention to the non-recursive nite process expressions. The equational system for RtCCS is de ned in Figure 3. We shall use \=" to denote derivability in our equational system, and \" to denote syntactical identity. It can be easily shown that the equational processes in Figure 3 are timed strongly equivalent. Therefore, we get the following result.

Theorem 1 (Soundness) If P = Q where P; Q 2 P , then P T Q. Proof. Obvious according to the propositions 1 to 3, and Corollary 1.

Next, we want to show that the system is complete. We can accomplish this by using the following normal forms.

De nition 7 A normal form (NF ) is de ned in-

ductively by:

(i) A process is in normal form if it is in NF 6 or NF hi . (ii) P A process is in NF 6 if it is of the form 0in i :Pi where each Pi is in NF . (iii) A process is in NF hi if it is of the form hP; Qi1 where P is in NF 6 and Q is in NF .

P +Q = Q+P P +P = P (P + Q) n L

=

P nL+QnL

(P + Q)[f ]

h:P ; :P it

= =

P [f ] + Q[f ] :P

hP; Qi0

=

Q

hP; Q + Rit hP; Qit[f ] P jQ P j0 P jQ

= = = = =

hP; Qit + hP; Rit hP [f ]; Q[f ]it QjP

P jQ = P jQ =

P + (Q + R) = (P + Q) + R P +0 = 8 P 0) < (s  t) hhP; Qis ; Rit = : hP; Rit hP; hQ; Rit0sis (s < t) hP + Q; Rit = hP; Rit + hQ; Rit hP; Rit n L = hP n L; Q n Lit P j(QjR) = (P jQ)jR

P

P

P

P

i = j :(Pi jQj ) + i2I i :(Pi jQ) + j 2J j :(P jQj ) P P where P  i2I i :Pi and Q  j2J j :Qj

hPi= j :(Pi jQj ) + Pi2I i:(PijQ) + Pj2J j :(P jQj ) ; P 0jQi1

 hP 2  :P ; P 0 i1 and Q  P 2 :Q hPi= j :(Pi jQj ) + Pi2I i:(PijQ) + Pj2J j :(P jQj ) ; P 0jQ0 i1 P  :P ; P 0 i and Q  hP :Q ; Q0 i where P  h where P

i

i

I

2

I

i

i

i

i

j

1

J

j

2

J

j

j

j

j

1

Figure 3: Equational Proof System based on T

Proposition 10 For each P normal form P 0 such P = P 0 .

2 P , there exists a

Proof. By structural induction on P .

Lemma 1 1. If P T Q where P is in NF , then Q is in NF 6 .

2. If P T Q where P is in NF , then Q is in NF hi .

NF 6

and Q is in

NF hi

and Q is in

Proof. The structure of NF 6 processes cannot be transformed by p and any NF hi process transforms its structure by p.

Theorem 2 (Completeness) If P P; Q 2 P , then P = Q.

T Q where

Proof. Assume that P T Q. By proposition 10, we can nd normal form processes P 0 and Q0 where P = P 0 and Q = Q0 . By lemma 1, both P 0 and Q0 must be in NF 6 or both P 0 and Q0 must be in NF hi . Hence we have that P = Q.

Appendix B In this appendix we present a rather detailed description of the behavior and timing of the Alternating Bit Protocol as given in section 5 under the assumption that s + a < t. The whole protocol is represented as a parallel composition of the ve component as follows: (Sb jT jC1 jC2 jRb ) n L

(Sb jT jC1 jC2 jRb ) n L

A

T accept:A n L where def = (S 0 jT jC1 jC2 jR ) T :(send :start:S 00jT jC1 jC2jR ) T ::(start:S00 jT jh0; send :C1 + :C1i jC2 jR ) T :::(R00jhstop:T ; timeout:T i jh0; send :C1 + :C1i jC2 jR ) T ::h0; (S 00jhstop:T ; timeout:T i 0 jsend :C1 + :C1 jC2 jR )i T h0; :B + :C i def = (S 00 jhstop:T ; timeout:T i 0 jC1 jC2 jdeliver:ack :Rb) T deliver:D def = (S 00 jhstop:T ; timeout:T i 0 jC1 jC2 jR ) T h0; (ack :stop:Sb + ack b:S 00 + timeout:S 0 jtimeout:T jC1 jC2 jR )i 0 T h0; Ai 0 def = (S 00 jhstop:T ; timeout:T i 0 jC1 jC2 jack :R ) T :(S 00jhstop:T ; timeout:T i 0 jC1 jh0; ack :C2 + :C2 i jRb) T :h0; (S 00jhstop:T ; timeout:T i 0( + ) jC1 jack :C2 + :C2jRb)i T h0; :E + :F i def = (S 00 jhstop:T ; timeout:T i 0( + ) jC1 jack :C2 jRb) T :(stop:Sbjhstop:T ; timeout:T i 0( + )jC1jC2 jRb) T SbjT jC1 jC2 jRb def = (S 00 jhstop:T ; timeout:T i 0( + ) jC1 jC2 jRb) T h0; Gi 0( + ) def = (S 0 jT jC1 jC2 jRb) T h0; :h0; :E + :F i + :h0; Gi 0 i b

b

S;b

b

b

R;b

b

s

t

b

t

b

b

R;b

s

s

b

R;b

b

s

s

B C

b

b

S;b

t

D

b

t

s

t

s

R;b

b

b

b

S;b

b

b

t

s

s

t

b

s

t

b

R;b

s

S;b

t

b

b

s

a

S;b

a

b

b

a

a

E

t

b

s

t

b

F

s

a

b

b

b

b

t

b

t

G

R;b

a

s

b

s

a

b

a

b

a

t

s s

Figure 4: Expansion of (Sb jT jC1jC2jRb ) n L where L def = fsendS;b ; sendR;b ; sendS;bb ; sendR;bb ; ackS;b; ackR;b ; ackS;bb ; ackR;bb ; start; stop; timeoutg. Using the timed strong equivalence and timed observation equivalence, we derive an expansion of (Sb jT jC1 jC2 jRb ) n L as shown in Figure 4. Expression A follows directly from Corollary 1, while A T h0; :B + :C is is derived from Proposition 5. Derivations of expressions B to G are similar to that of A. From Figure 4, we can transform (Sb jT jC1 jC2 jRb ) n L into a timed observation equivalent expression P as follows: (Sb jT jC1 jC2jRb ) n L

T P

where

P def = accept:A def A = h0; :deliver:h0; :P + :h0; Git0(s+a) ia + :h0; Ait0sis def G = h0; :h0; :A + :h0; Git0(s+a) ia + :h0; Git0s is Furthermore, since it can be easily shown that T ABP as given in section 5, we can conclude that ABP is timed observation equivalent to (Sb jT jC1 jC2jRb ) n L.

P