Hennessy is able to specify a complete axiomatization for one of them, but only a ..... Abramsky, Matthew Hennessy, Alan Je rey, Achim Jung and Robin Milner.
FINITE BUT UNBOUNDED DELAY IN SYNCHRONOUS CCS M. HUTH, M. KWIATKOWSKA School of Computer Science, University of Birmingham, Edgbaston, B15 2TT, UK We recast Milner's work on SCCS�, a calculus for nite but unbounded delay based on SCCS, by giving a denotational semantics for admissibility of in nite computations on a bi nite domain . Using Abramsky's SFP domain for bisimulation we obtain a fully abstract model in for an operational preorder which includes divergence and, if restricted to nite behaviour, corresponds to Abramsky's nitary preorder. We use nite but unbounded delay, choice and the synchronous product to derive a fair parallel operator in SCCS�. K
D
D � K
1 Introduction This paper mainly builds upon two pieces of work: Milner's calculus SCCS�, an extension of SCCS with nite but unbounded delay [1] and Abramsky's domain equation for bisimulation [2]. The importance of synchronous CCS with nite delay stems from its ability to make ne-grained distinctions between passive resources, like an accessible register, and active ones, like agents that need to initiate some action in nite time. To clarify this point, consider an active agent �p which behaves like p, but can also delay by performing any number of silent actions 1. This can be de ned by means of the equation �p rec x:1x + p but, unfortunately, �p admits the in nite computation consisting entirely of delay steps (1! ), and thus it cannot be guaranteed that p is eventually evoked. So, while �p models passive resources well, one still has to cater for the case of active agents. For that purpose, Milner introduced the operator �, where �p behaves like �p except that it prevents the in nite delay of p. Using nite delay, one can also provide a more expressive coding of an asynchronous calculus within the synchronous one [3]. The presence of nite but unbounded delay further allows for very natural solutions to certain fairness problems arising from the synchronous parallel operation. For example, one can use � to de ne a fair parallel in SCCS�. In fact, one may think of such a delay as a special liveness property [4]. Milner developed a theory of nite but unbounded delay with an accompanying notion of operational preorder (called forti cation ), an asymmetric and conservative extension of (strong) bisimulation in SCCS. For guarded recursion he showed that recursive equations have least (but not always unique) xed points with respect to this operational preorder, and that it is preserved by all the combinators of the calculus. The notion of forti cation crucially depends on that of an admissible in nite computation u for a process p. In [1] this had �
1
been formalized using prevention ordinals. However, Milner's paper does not give a denotational semantics for SCCS�, and it is not at all clear what such a semantics should look like. For example, should it somehow be derived as a sort of limit from a denotational semantics for the nite computations as done in [5, 6]a following an idea in [8]? And if so, would we be able to \turn the handle" and extract a sound and complete program logic from a fully abstract denotational model? Unfortunately, the models in [5, 6] leave the realm of SFP domains for which there exists such a mechanical method for transforming a denotational semantics into an equivalent program logic [9]. In this extended abstract we sketch the details of a fully abstract denotational model for an extension of forti cation, more precisely, an extension of forti cation plus divergence, in a bi nite domain, which then allows us to use the machinery of [9] at the level of objects. Our model is a product where is the initial solution for Abramsky's domain equation for bisimulation in [2]. The bi nite domain is a complete lattice and the semantics on is monotone, whereas the semantics on is continuous. The semantics on is then realised as a pairing of these semantics. Since the category SFP and the category of complete lattices and monotone maps are cartesian closed [10, 11] this opens up the possibility of future work on nite delay in a higher-order setting. The signi cance of this work lies foremost in giving a fully abstract denotational semantics for SCCS� and in giving it in a bi nite, and in particular, algebraic lattice (i.e., an inverse limit of nite lattices with respect to continuous projection-embedding pairs). This lattice has a Stone dual from which one may \read o�" the corresponding program logic. Another main contribution is the logical separation of nitely observable and truly in nite, \fair", behaviour in the model resulting in a very elegant representation of the environment as , the in nite part of the model. By the same token, our model lets us \recycle" the full abstraction results of [2] for SCCS on , the nitely observable part of the model. Our results improve on the work in [12, 5], for we specify a bi nite model and we develop an asynchronous fair parallel from ner building blocks (synchronous product, sum and nite but unbounded delay). Our results also go well beyond those in [6]; their model is not fully abstract and there proofs require substantial book-keeping of the synchronous product for synchronization algebras [13]. D � K
D
K
K
D
D � K
K
D
a Such a derivation as a limit process has in fact intrinsic limitations [7].
2
2 The calculus SCCS� and its operational semantics We study Milner's SCCS�, synchronous CCS with nite delay [1, 14] with the standard signature, the only exception being its restriction to nite sums, as done in [2], in order to secure full abstraction of our denotational semantics. De nition 1 We de ne a language by the following grammar in BNF form: L
p ::= nil a: p p�A p[S ] �p p + p p p x rec x:p where x is out of a countable set of variables Var, a is an element of a countable abelian group Act with identity 1, A is a subset of Act containing 1 and S : Act Act is a group homomorphism. The binding operations rec x, x Var, introduce the usual notions of free and bound variables. Let SCCS� denote the set of all closed terms of . We can de ne an additional operation � within by setting �p rec x:1x + p. We write ap instead of a: p whenever this is j
j
j
j
j
j
�
j
j
!
2
L
L
�
unambiguous. The structural operational semantics for SCCS� is standard as in [14]: p!a p a; a2A p�A! p �A
p!a p p[S ]!Sa p [S ]
p1 !a p1 p1 +p2 !a p1
p2 !a p2 p1 +p2 !a p2
0
ap!a p
0
p1 !a p1 ; p2 !b p2 p1 �p2 !ab p1 �p2 0
0
0
0
0
0
p[x:=rec x:p]!a p rec x:p!a p
0
0
0
0
0
0
with the two additional rules (WAIT) and (FULFILL) of [1]: a 0
p p �p 1 �p (WAIT) �p a p0 (FULFILL) The last two rules attempt to express the operational intuition that �p has the same dynamic capacity as the process p (FULFILL) but that it may choose to postpone its dynamics unboundedly but nitely often (WAIT). This attempt, however, fails as such: using the operational rule for recursion, one readily notices that �p rec x:1x + p has the same nite behaviour as �p; these processes are in fact bisimilar. However, if p is some process in SCCS� which cannot compute an in nite sequence of 1's then �p is allowed to delay forever, whereas �p is not. So we need to re ne the notion of bisimulation in order to express such di�erent capacities of performing in nite computations. Essentially, we need to rule out in nite computations �p 1 �p 1 �p : : : where each transition is justi ed by an instance of the (WAIT) rule. This will require a precise book-keeping of such undesired subcomputations in a general !
!
!
�
!
3
!
!
context (p1 ; : : : ; pn ) which is built from the only static combinators of this process calculus: synchronous product, relabeling and restriction. In [1] this is achieved via prevention ordinals; we extend his de nition to include relabeling. De nition 2 [1] We de ne a partial function o: SCCS� Act! * Ord into the class of ordinals. We then say that p admits the in nite computation u Act! if and only if the ordinal o(p; u) is unde ned. We de ne o(p; u) to be the least ordinal � such that (p; u) is contained in the set M� . The sets M� SCCS� Act! are de ned by trans nite induction, setting M0 = (nil; u): u Act! and for � > 0 C
�
2
�
f
�
2
�
�
�
g
(ap; bu) M� if a = b or (a = b & (p; u) M� for some � < �); 2
6
2
(p�A; u) M� if u A! or (p; u) M� for some � < �; 2
62
2
(p[S ]; u) M� if u = S ! v for all v Act! or for all v u = S ! v we have (p; v) M� for some � < �;b 2
6
2
2
Act! with
2
�
(�p; u) M� if for all m ! such that u = 1m v we have (p; v) M� for some � < �;
�
(p1 + p2 ; u) M� if (pi ; u) M�i for some �i < �, (i = 1; 2);
�
(p1 p2 ; u) M� if for all v; w Act! with u = v w we have (p1 ; v) M� or (p2 ; w) M� for some � < �;c
2
2
2
�
2
2
2
2
�
2
2
�
(rec x:p; u) M� if (p[x := rec x:p]; u) M� for some � < �. 2
2
Given a process p 2 SCCS� we associate with it its set of admissible in nite computations k(p) = fu 2 Act! : o(p; u) is unde nedg. For example, one may now prove that k(� rec x:ax) = f1! g [ f1ma! : m 2 !g and k(� rec x:ax) = k(� rec x:ax) n f1! g as expected. It should be pointed out that this formal de nition exactly captures Milner's informal notion of admissibility for guarded terms in SCCS� [1, Theorem 5.3]. We therefore take this formal de nition as applying to unguarded terms in SCCS� as well.d Our full abstraction results will indeed be formulated for this larger class of processes. b The map S ! : Act! ! Act! is de ned by S ! u = Su0 Su1 � � �. c Given v; w 2 Act! we de ne v � w as the in nite word u 2 Act! where ui is the product vi wi in the group Act, (i � 0). d Recall that a term p is guarded if all free occurrences of its free variables occur in some
subexpression of the form ap . 0
4
Before we introduce operational preorders for processes in SCCS� we state the usual de nition of a divergence predicate [2]: x2Var rec x:x"
p" p�A"
p" p[S ]"
p1 " p1 +p2 "
p2 " p1 +p2 "
p1 " or p2 " p1 �p2 "
p[x:=rec x:x]" rec x:p"
p" �p"
where we needed to add the rule for � above. Note that this last rule matches the combined ones for + and recursion if we identify �p with rec x:1x + p, for 1q converges for all processes q. This is to be expected since syntactic divergence is a nitary property. We write p p0 if p a p0 is provable from the rules of the structural semantics for a Act. The triple (SCCS�; ; ) is a transition system in the sense of [2]. Following Hennessy's and Stirling's ideas of generalized transition systems [15], we de ne such a notion which suitably represents admissible in nite computations. De nition 3 A generalized transition system over Act is a quadruple (S; ; k; ) where S is a set of states, associates to every a Act a binary relation a S S and S is a predicate of divergence. Finally, k: S is a function, where is the bi nite domain of subsets of Act! ordered under reverse inclusion:e = (Act! ) with F G in if and only if G F . Notice that has uncountably many compact elements as the set Act! is uncountable. Further, generalized transition systems depend on Act and its derived parameter . The intuition behind a generalized transition system is that it provides an operational semantics for abstract states in terms of transitions labeled by elements of Act and that k(s) represents the set of admissible in nite computations beginning in state s. We de ne natural co-inductive relations on generalized transition systems and we list their usual properties. De nition 4 Let = (S; ; k; ) be a generalized transition system over Act. A partial forti cation on is a binary relation R S S such that xRy implies k(x) k(y) a Act x a x0 implies the existence of some y0 such that y a y0 and !
!
2
! "
G
"
!
!
!
�
�
2
"�
! K
K
K
P
v
K
�
K
K
G
!
"
G
�
�
�
� 8
�
�
2
!
!
x0 Ry0 x implies [y & ( a Act y a y0 implies the existence of some x0 such that x a x0 and x0 Ry0 )].f #
#
8
2
!
!
e Of course, Act! denotes the set of in nite strings over Act. f Convergence # is de ned as S n".
5
For general reasons there exists the greatest partial forti cation on G , denoted by �G or � if G is clear from the context; moreover, � is a preorder. A relation R satisfying just the latter two clauses above is called a partial bisimulation [2]; the greatest partial bisimulation always exists and is a preorder denoted by �B ; it is contained in Abramsky's nitary preorder �F [2]. The operational preorder we consider is p C q if and only if p �F q & k(p) � k(q), the intersection of the nitary preorder with re nement with respect to admissibility. Also de ne p J q if and only if p �B q & k(p) � k(q).g We take C as the basis for this work since it is based on the notion of observability in its nitely observable behaviour; it further contains � and J while still enjoying all the nice properties of �, such as being a congruence and having least xed points. The possibility of considering several plausible operational preorders seems to be inherent in studying transition systems with in nite computations. For example, in [16], we nd two operational preorders for a simple language based on nite automata with three di�erent delay operators. Hennessy is able to specify a complete axiomatization for one of them, but only a sound one for the other.h This is to be compared with our full abstraction results in section 3.3. By adjusting the parameters k and " of generalized transition systems we may unify operational concepts as particular instances of partial forti cations. First, if k(s) = Act! for all s 2 S , we simply arrive at the notion of `partial bisimulation'. Second, if k is arbitrary and " = ; then we obtain Milner's `forti cation relation' [1], which he de ned for the concrete instance k. 2.1 Admissibility Denotationally
De nition 5
nilK = ; F �AK = F \ A! F +K G = F [ G �KF = f1nu: n 2 !; u 2 F g
aKF = au: u F F [S ]K = S ! u: u F F K G = v w Act! : v F and w G �K F = 1! +K �K F: f
2
f
�
f
f
g
2
�
2
g
2
2
g
g
Lemma 1 The functions nilK, aK, �AK, +K, �K and �K are continuous. The
functions [S ]K and �K are monotone. If S is injective then [S ]K is continuous as well. g One readily sees that p q implies p J q, for is a partial bisimulation and so p q implies p B q and k(p) k(q), but we do not know whether the converse is true as well. Clearly, J is properly contained in C [2]. �
�
�
�
h Hennessy does not de ne a denotational semantics.
6
�
The denotational semantics of admissible in nite computations is speci ed in the standard way: De nition 6 Let EnvK be Var . The signature � of has only one constant nil, unary operations a , �A, [S ] and � , and binary operations + and . The semantics [ ] K : EnvK is de ned as the standard least xed point semantics[17]. The map K is not continuous in general. There exists a process q SCCS of processes p0T p1 p2 : : : in SCCS� such that T ([�[pand] K a Kchain [ q] K ) di�ers from ( k�0 [ pk ] K ) K [ q] K . Therefore, the least k�0 k xed point will not, in general, be reached in ! many steps. Since we want to show that k(p) = [ p] K for all processes p SCCS�, we need to realize [ ] K as the trans nite limit of approximating semantics as done in [18, 12]: De nition 7 We de ne a family of functions [ ] K� : EnvK , � Ord, by trans nite induction on �: K
L
�
L !
! K
�
2
�
�
�
�
�
2
L !
[ p] K0 � [ nil] K�+1 � [ x] K�+1 � [ op(p1 ; : : : pk )]]K�+1 � [ rec x:p] K�+1 � [ p] K� �
= = = = = =
! K
2
Act! nilK ; � 2 Ord �(x); x 2 Var K K op ([[p1 ] � �; : : : ; [ pk ] K� �); op k-ary in � [ p[x := rec x:p]]]K� � \ K [ p] � �; � limit ordinal: �
