On Specifying Real-Time Systems in a Causality-Based Setting*

Joost-Pieter Katoen^a **, Rom Langerak^a, Diego Latella^b and Ed Brinksma^a

^a Faculty of Computing Science, University of Twente, P.O. Box 217, 7500 AE Enschede, The Netherlands
^b CNUCE Istituto del CNR, Via Santa Maria 36, 56100 Pisa, Italy

Abstract. Event structures are a prominent model for concurrency. Real-time event structures associate a non-empty set of time instants to events, modelling absolute time constraints, and to causal dependencies, modelling relative delays between causally dependent events. We introduce this novel temporal model and show how it can be used to provide a denotational semantics to a real-time variant of a process algebra akin to LOTOS. This formalism includes a timed action-prefix operator (i.e., which constrains the occurrence time of actions), a timeout and a watchdog (i.e., timed interrupt) operator. An event-based operational semantics for this formalism is presented that is shown to be consistent with the denotational semantics. As an example we use an infinite buffer with time constraints on the message latency and the rates of accepting and producing data.

1 Introduction

Timed extensions of interleaving models for concurrency have been investigated thoroughly in the last decade. Although there are many different ways in which time can be incorporated in the most prominent interleaving model, labelled transition systems, it seems that this issue is quite well-understood, cf. the recipes and proposals in [3] and [21]. Interleaving models are appropriate for the description of the system's observational behaviour. There, it suffices to consider the system as a black box, i.e., not taking into account that a system is composed of subsystems. This applies, for instance, to the field of conformance testing, where usually (and often deliberately) no knowledge about the internal structure of the system is available. Also in the final realization phase, when (part of) a specification needs to be implemented on a single processor, interleaving models suffice.

* The work in this paper is partially funded by C.N.R. - Progetto Bilaterale: Estensioni temporali e probabilistiche dell'algebra di processi LOTOS basate su strutture di eventi, per la specifica e analisi quantitative di sistemi distribuiti (Temporal and probabilistic extensions of the process algebra LOTOS based on event structures, for the specification and quantitative analysis of distributed systems), by C.N.R. Progetto Coordinato: Strumenti per la specifica e verifica di proprieta' critiche di sistemi concorrenti e distribuiti (Tools for the specification and verification of critical properties of concurrent and distributed systems), and by the EU as part of the ESPRIT BRA project 6021: Building Correct Reactive Systems (REACT).
** Correspondence to: J.-P. Katoen, e-mail: [email protected], fax: +31-53-4893247.

Interleaving models are not that appropriate for design stages in which the distribution aspects of the system play a prominent rôle. The global state assumption of interleaving models hampers faithfully modelling that a system consists of several co-operating subsystems at different locations, each having its own local state. In this design stage the system is considered as a white box where the internal system structure prevails. In particular, if the specification serves as a prescription for the system's implementation rather than as a reference for the observational behaviour of a system, interleaving models become unattractive or even misleading since the independence of actions is not properly reflected [28]. Also for an important design technique, known as action refinement, where an abstract action is implemented by a more concrete behaviour, it appears that noninterleaving models are more appropriate, see, e.g., [26]. The incorporation of quantitative information in noninterleaving models, such as event structures [29], pomsets [24], and Mazurkiewicz traces [19], has received scant attention in the literature. Since these models seem to be attractive at the design stages in which the observational behaviour is no longer prevalent, but where the intensional system characteristics dominate, one might even argue that such models should particularly deal with design issues like time and probability. In these stages it is of utmost importance how actions are scheduled in time and with what probability certain alternative executions, which at a higher level of abstraction could be faithfully modelled by means of nondeterminism, can appear. This paper therefore proposes a real-time extension of (a variant of) event structures; probabilities are dealt with in [7, 15]. The real-time model is used as a vehicle to provide a denotational semantics to a temporal process algebra based on a kernel which is akin to LOTOS [5].

This formalism includes a timed action-prefix operator which constrains the occurrence of actions, and a timeout and a watchdog (i.e., timed interrupt) operator. The inclusion of time in partial-order models is not new: e.g., timed extensions are known of event structures [8], configurations [12], sets of posets [13], pomsets [18], and {and, or}-automata [20]. The timed extension of causal trees [10] resembles our model. We are, however, unaware of any proposal that incorporates time, timeouts, and watchdogs in a partial order setting. These ingredients are considered to be essential to specify real-time systems. We use Langerak's extended bundle event structures [17], an adaptation of Winskel's event structures [29] to fit the specific requirements of multi-party synchronization and disruption ([>). Since we believe that both interleaving and noninterleaving models are complementary in the system design process, we also consider an event-based operational semantics for the real-time process algebra at hand which, by omitting event identifiers, results in a timed interleaving semantics. The two semantics are proven to coincide (i.e., to be strong (event) bisimulation equivalent) in a coherent way. This also facilitates the comparison of our timed partial order model with the wealth of existing timed interleaving models.

For space reasons the proofs are omitted from this paper; they can be found in [14].

2 The language

This paper is based on the process algebraic language PA, in fact LOTOS with a somewhat more concise syntax, generated by the following grammar:

$$B ::= 0 \mid \surd \mid a ; B \mid B + B \mid B \parallel_G B \mid B[H] \mid B \setminus G \mid B \gg B \mid B \,[\!>\, B \mid P.$$

We assume a given set of observable actions Act and an additional invisible action τ ∉ Act. The special action δ, which is not user-definable, indicates the successful termination of a behaviour; δ ∉ Act. 0 denotes inaction; √ represents the successful termination of a behaviour. a ; B denotes the action-prefix of a ∈ Act ∪ {τ} and B. The choice between B1 and B2 is denoted B1 + B2 and their sequential composition by B1 >> B2. B1 ||G B2 denotes parallel composition where the actions in G ∪ {δ} (G ⊆ Act) are synchronized; || abbreviates ||∅, i.e., parallel composition without synchronization. B[H] denotes the relabelling of B according to H, where H(δ) = δ, H(τ) = τ, and H(a) ≠ δ, H(a) ≠ τ for a ∈ Act. B \ G denotes hiding of the actions in G. B1 [> B2 denotes the disruption of B1 by B2; i.e., B1 may at any point of its execution be disrupted by B2, unless it is terminated. Finally, P denotes a process instantiation; a behaviour is considered in the context of a set of process definitions of the form P := B where B possibly contains occurrences of P. The precedences of the composition operators are, in decreasing binding order: ;, +, [>, >>, ||, \ and []. Trailing 0s are usually omitted. The standard (interleaving) semantics of PA is presented in Table 1, where G⁺ denotes G ∪ {δ}.

Table 1. Structured operational semantics of PA.

$$\begin{array}{ll}
a ; B \xrightarrow{a} B &
\surd \xrightarrow{\delta} 0 \\[6pt]
B_1 \xrightarrow{a} B_1' \;\vdash\; B_1 + B_2 \xrightarrow{a} B_1' &
B_2 \xrightarrow{a} B_2' \;\vdash\; B_1 + B_2 \xrightarrow{a} B_2' \\[6pt]
B_1 \xrightarrow{a} B_1',\; a \neq \delta \;\vdash\; B_1 \gg B_2 \xrightarrow{a} B_1' \gg B_2 &
B_1 \xrightarrow{\delta} B_1' \;\vdash\; B_1 \gg B_2 \xrightarrow{\tau} B_2 \\[6pt]
B_1 \xrightarrow{a} B_1',\; a \neq \delta \;\vdash\; B_1 \,[\!>\, B_2 \xrightarrow{a} B_1' \,[\!>\, B_2 &
B_1 \xrightarrow{\delta} B_1' \;\vdash\; B_1 \,[\!>\, B_2 \xrightarrow{\delta} B_1' \\[6pt]
B_2 \xrightarrow{a} B_2' \;\vdash\; B_1 \,[\!>\, B_2 \xrightarrow{a} B_2' &
B_1 \xrightarrow{a} B_1',\; a \notin G^+ \;\vdash\; B_1 \parallel_G B_2 \xrightarrow{a} B_1' \parallel_G B_2 \\[6pt]
B_2 \xrightarrow{a} B_2',\; a \notin G^+ \;\vdash\; B_1 \parallel_G B_2 \xrightarrow{a} B_1 \parallel_G B_2' &
B_1 \xrightarrow{a} B_1' \wedge B_2 \xrightarrow{a} B_2',\; a \in G^+ \;\vdash\; B_1 \parallel_G B_2 \xrightarrow{a} B_1' \parallel_G B_2' \\[6pt]
B \xrightarrow{a} B',\; a \notin G \;\vdash\; B \setminus G \xrightarrow{a} B' \setminus G &
B \xrightarrow{a} B',\; a \in G \;\vdash\; B \setminus G \xrightarrow{\tau} B' \setminus G \\[6pt]
B \xrightarrow{a} B' \;\vdash\; B[H] \xrightarrow{H(a)} B'[H] &
B \xrightarrow{a} B',\; P := B \;\vdash\; P \xrightarrow{a} B'
\end{array}$$

The real-time variant of PA, baptized PAR, is generated by the following grammar:

$$B ::= 0 \mid \surd \mid (T)\,a ; B \mid B + B \mid B \parallel_G B \mid B[H] \mid B \setminus G \mid B \gg B \mid B \,[\!>\, B \mid B \rhd_t B \mid B \lhd_t B \mid P.$$

We use Time = ℝ⁺ ∪ {0, ∞} as time domain, T to range over P(Time), and t to range over Time. (T) a ; B denotes the timed action-prefix of a and B, where a is allowed (but not forced) to occur at some t ∈ T. We write (t) a for ([t, ∞)) a and a for (0) a. B1 ⊳t B2 denotes the timeout of B1 by B2 at time t; initially it behaves like B1, but if B1 does not perform any action before t (since the enabling of this behaviour) then control is passed to B2. At time t a nondeterministic choice between B1 and B2 appears. ⊳t is called a 'weak timeout' [21]. ⊲t is a watchdog operator; initially B1 ⊲t B2 behaves like B1, but at time t control is passed to B2 provided B1 has not yet successfully terminated. Note that in B1 ⊳t B2 control is passed to B2 only if B1 does not perform any action, internal or not, before t, whereas in B1 ⊲t B2 control is passed to B2 at time t regardless of the activities of B1 until time t (with the exception of termination). The synchronization principle is that an action can only occur when all participants are ready to engage in it. Thus, for instance, in a ; (T1) b ||{a,b} a ; (T2) b, action b is enabled in (ta + T1) ∩ (ta + T2) = ta + (T1 ∩ T2), where ta is the time at which a occurred and t + T denotes { t + t' | t' ∈ T }. Notice that due to incompatible timing constraints in the participating behaviours synchronizations may become impossible. For instance, if T1 ∩ T2 = ∅, action b can never occur.

3 Extended bundle event structures

Extended bundle event structures (or, simply: event structures) consist of events (an event modelling the occurrence of its action), labelled with actions, together with relations of causality and conflict between events. System runs can be modelled as partial orders of events satisfying certain constraints posed by the causality and conflict relations between the events.⁴ Conflict is an asymmetric binary relation, denoted ⇝, between events, and the intended meaning of e ⇝ e' is that (i) if e' occurs it disables the occurrence of e, and (ii) if e and e' both occur in a single system run then e causally precedes e'. Causality is represented by a relation between a set X of events, that are pairwise in conflict, and an event e. The interpretation is that if e happens in a system run, exactly one event in X has happened before (and caused e). This enables us to uniquely define a causal ordering between the events in a system run. When there is neither a conflict nor a causal relation between events they are independent. Once enabled, independent events can occur in any order or in parallel.

⁴ The term asymmetric does not mean that e ⇝ e' ⇒ ¬(e' ⇝ e), as it might suggest. e ⇝ e' and e' ⇝ e is allowed and is equivalent with e # e', the usual symmetric conflict in event structures. The terminology 'asymmetric' is adopted from Langerak [17] and Pinna & Poigné [22].

Definition 1. An (extended bundle) event structure 𝓔 is a quadruple (E, ⇝, ↦, l) with E a set of events, ⇝ ⊆ E × E the (irreflexive) asymmetric conflict relation, ↦ ⊆ P(E) × E the bundle relation, and l : E → L the action-labelling function, such that

$$\forall X \subseteq E,\, e \in E :\; X \mapsto e \;\Rightarrow\; (\forall e', e'' \in X :\; e' \neq e'' \Rightarrow e' \rightsquigarrow e'').$$

The constraint specifies that for a bundle X ↦ e all events in X are in mutual conflict. Event structures are graphically represented in the following way. Events are denoted as dots; near the dot the action label is given. e ⇝ e' is indicated by a dotted arrow from e to e'. A bundle (X, e) is indicated by drawing an arrow from each event in X to e and connecting all arrows by small lines. We denote by EBES the class of labelled event structures; 𝓔 ranges over EBES.

In the sequel we adopt the following notations. For sequences σ = x1 ... xn, let σ̄ denote the set of elements in σ, that is, σ̄ ≜ {x1, ..., xn}, and let σi denote the prefix of σ up to the (i−1)-th element, that is, σi ≜ x1 ... xi−1, for 0 < i ≤ n+1. For σ a sequence of events we define

$$\mathit{cfl}(\sigma) \triangleq \{\, e \in E \mid \exists e_i \in \bar\sigma :\; e \rightsquigarrow e_i \,\}, \qquad
\mathit{sat}(\sigma) \triangleq \{\, e \in E \mid \forall X \subseteq E :\; X \mapsto e \Rightarrow X \cap \bar\sigma \neq \emptyset \,\}.$$

cfl(σ) is the set of events that are disabled by some event in σ, and sat(σ) is the set of events that have a causal predecessor in σ for all bundles pointing to them; that is, for events in sat(σ) all bundles are 'satisfied'. Let en(σ) ≜ sat(σ) \ (cfl(σ) ∪ σ̄). Event traces consist of distinct events (i.e., ei ∉ σ̄i) and are conflict-free (i.e., ei ∉ cfl(σi)), for obvious reasons. In addition, each event in an event trace is preceded by a causal predecessor for each bundle pointing to it (i.e., ei ∈ sat(σi)).

Definition 2. An event trace of 𝓔 is a sequence of events σ = e1 ... en with ei ∈ E such that ei ∈ en(σi) for all 0 < i ≤ n. The set of event traces of 𝓔 is denoted T(𝓔).

Example 1. (a) a ; c ||{c} b ; (c + d), (b) (a ; x || a ; y) ...

4 Real-time event structures

Time is added to bundle event structures in two ways. To specify the relative delay between causally dependent events, time is associated to bundles, and in order to facilitate the specification of timing constraints on events that have no bundle pointing to them (i.e., the initial events), time is also associated to events. Though it seems sufficient to only have time labels for initial events, synchronization of events makes it necessary to allow for equipping all events with time labels, including the non-initial ones.⁵ We assume mappings T and D to associate a set of time instants to bundles and events, respectively. A bundle (X, e) with T((X, e)) = T is denoted by X ↦ᵀ e; its interpretation is that if an event in X has happened at a certain time, then e is enabled t time units later, for any t ∈ T. The interpretation of event e with D(e) = T is that e can happen at any t ∈ T from the beginning of the system, usually assumed to be time 0. In order to specify timeout mechanisms we use urgent events. Urgent events differ from other events in the sense that they are forced to occur once they are enabled.

Definition 3. A real-time event structure Γ is a quadruple ⟨𝓔, D, T, U⟩ with 𝓔 = (E, ⇝, ↦, l) an event structure, D : E → P(Time) the event delay function, T : ↦ → P(Time) the bundle delay function, and U : E → Bool the urgency predicate, such that for all e ∈ E with U(e):

$$1.\quad \forall e' \in E,\, X \subseteq E :\; ((e' \rightsquigarrow e \vee e \rightsquigarrow e') \wedge X \mapsto e) \;\Rightarrow\; (X \mapsto e' \vee X \rightsquigarrow e')$$
$$2.\quad \exists t \in \mathit{Time} :\; D(e) \subseteq [t,t] \;\vee\; (\exists X \subseteq E :\; X \mapsto^{T} e \wedge T \subseteq [t,t]).$$

Here, X ⇝ e' abbreviates (∀ e'' ∈ X : e'' ⇝ e'). Note that ∅ ⇝ e' for all e'. The first constraint requires that the enablings of an urgent event e are either contained in the enablings of an event e' that it disables, i.e., e' ⇝ e (the case e ⇝ e' is identical), or that an enabling of e is disabled by e'. This constraint enforces that as soon as e' is enabled, either e is also enabled (provided e is not disabled in another way), or e is permanently disabled, since some enabling of e is disabled by e'. As a result the global impact of urgent events is limited; see also [16]. Thus, in order to decide whether the (urgent) event can occur once it is enabled, it suffices to consider the local disablings of e'. The second constraint ensures that urgent events are enabled at a single time instant, if ever. The motivation for this constraint is that urgent events are used for the sole purpose of modelling timeouts, and a timeout typically can appear at a single time instant only.

Let EBESR denote the class of real-time event structures. Bundle and event delays are depicted near to a bundle and event, respectively. Urgent events are denoted by open dots, other events by closed dots. Zero delays are omitted. For events that have more than one bundle pointing to them we take the following interpretation. Consider {ea} ↦ᵀ ec and {eb} ↦ᵀ' ec. Then, if ea happens at time ta and eb at time tb, ec is enabled at any t ∈ (ta + T) ∩ (tb + T'). When the intersection of two (or more) sets of time instants is empty, the event at hand cannot occur at any time and will be permanently disabled.

The notion of timed event trace is defined as a generalization of the notion of event trace. Timed event (e, t) denotes that e happened at time t. For a sequence of timed events σ = (e1, t1) ... (en, tn) let [σ] denote the sequence of events in σ, i.e., [σ] ≜ e1 ... en. Let time(σ, e) denote the set of time instants at which e could happen, given that each event ei in timed event trace σ occurred at time ti. Event e can occur at time t if (i) its absolute delay D(e) is respected, (ii) the time relative to its immediate causal predecessors is respected, and (iii) for each event ej with ej ⇝ e we have that e occurs at tj at the earliest. (ii) and (iii) take care of the fact that events cannot occur before their causes, i.e., they entail that causal ordering implies temporal ordering. So,

$$\mathit{time}(\sigma, e) \triangleq \bigcap \big(\{ D(e) \} \cup H_1 \cup H_2\big) \quad\text{where}$$
$$H_1 = \{\, t_j + T \mid \exists X \subseteq E :\; X \mapsto^{T} e \wedge X \cap \overline{[\sigma]} = \{ e_j \} \,\}, \qquad
H_2 = \{\, [t_j, \infty) \mid \exists e_j \in \overline{[\sigma]} :\; e_j \rightsquigarrow e \,\}.$$

The notion of timed event trace is now defined as follows. Let Min(T) denote the minimum of set T. For T = ∅, Min(T) ≜ ∞.

Definition 4. A timed event trace of Γ = ⟨𝓔, D, T, U⟩ is a sequence of timed events σ = (e1, t1) ... (en, tn) with ei ∈ E and ti ∈ Time, satisfying e1 ... en ∈ T(𝓔) and ti ∈ time(σi, ei) for all 0 < i ≤ n, ... The set of timed event traces of Γ is denoted TT(Γ).

Example 2. ... (ea, ta)(ec, tc) if ta > 1 ∧ ta + 3 ≤ tc ≤ ta + 30; and (ea, ta)(eb, tb)(ec, tc) if ta > 1 ∧ tb = ta + 30 ∧ tc > max(ta + 3, tb).

Timed event traces do respect causality, but not necessarily time. That is, two (or more) independent events can occur in a trace in either order regardless of their timing. For example, (eb, 1)(ea, 3) and (ea, 3)(eb, 1) are timed event traces of Figure 2. The possible choices correspond to the possible interleavings of the causally independent events. Since the causal ordering between events implies their temporal ordering, the causal ordering can never contradict the temporal order. The following result implies that for any ill-timed event trace σ there exists a corresponding time-consistent event trace σ' that can be obtained by repeatedly swapping ill-timed pairs of timed events, with σ̄' = σ̄.

Theorem 5. For t' < t: σ (e, t)(e', t') σ'' ∈ TT(Γ) ⇒ σ (e', t')(e, t) σ'' ∈ TT(Γ).

Note that the reverse implication does not hold; for instance, if e' causally depends on e then the order of the events in a trace cannot be reversed since this would contradict their causal ordering. For a more extensive discussion on ill-timed traces we refer to [1, 2].

⁵ Alternatively, we could explicitly model the start of the system by some fictitious event, ω say. Then the time associated to event e can be considered as the time associated to the bundle pointing from the fictitious event to e. We do not consider the introduction of such an event ω since the definitions become more complex (ω has to be treated differently than 'normal' events) and proof obligations become more severe; e.g., one has to prove that bundles X ↦ e satisfy X = {ω}, or ω ∉ X and e ≠ ω.

5 Event structure semantics

This section presents a causality-based semantics for PAR using real-time event structures. We define a mapping ER[[·]] : PAR → EBESR. For convenience we use the denotational semantics E0[[·]] for the untimed case, which is defined in Appendix A.

Definition 6. Φ : PAR → PA is defined as follows:

$$\begin{array}{lcl}
\Phi(0) & \triangleq & 0 \\
\Phi(\surd) & \triangleq & \surd \\
\Phi((T)\,a ; B) & \triangleq & a ; \Phi(B) \\
\Phi(B_1 \;op\; B_2) & \triangleq & \Phi(B_1) \;op\; \Phi(B_2) \quad \text{for } op \in \{ +, \parallel_G, \gg, [\!> \} \\
\Phi(op\; B) & \triangleq & op\; \Phi(B) \quad \text{for } op \in \{ \setminus G, [H] \} \\
\Phi(B_1 \rhd_t B_2) & \triangleq & \Phi(B_1) + \tau ; \Phi(B_2) \\
\Phi(B_1 \lhd_t B_2) & \triangleq & \Phi(B_1) \,[\!>\, \Phi(B_2).
\end{array}$$

Φ(B) is the untimed behaviour corresponding to B, obtained by omitting all time annotations in B and converting ⊳t and ⊲t into + and [>, respectively. The purpose of the internal event introduced by the timeout operator will be explained later on.

In this section let Γi = ER[[Bi]] = ⟨𝓔i, Di, Ti, Ui⟩, for i = 1, 2, with 𝓔i = (Ei, ⇝i, ↦i, li) and E1 ∩ E2 = ∅. The functions init and exit, which denote the set of initial and termination events, respectively, are defined in Appendix A (and are used for real-time event structures in the same way). Let EU denote the (infinite) universe of events.

Definition 7. ER[[·]] : PAR → EBESR is defined for 0, √ and (T) a ; as follows:

$$\mathcal{E}_R[\![ 0 ]\!] \triangleq \langle \mathcal{E}_0[\![ \Phi(0) ]\!], \emptyset, \emptyset, \emptyset \rangle$$
$$\mathcal{E}_R[\![ \surd ]\!] \triangleq \langle \mathcal{E}_0[\![ \Phi(\surd) ]\!], \{ (e_\delta, \mathit{Time}) \}, \emptyset, \{ (e_\delta, \mathit{false}) \} \rangle$$
$$\mathcal{E}_R[\![ (T)\,a ; B_1 ]\!] \triangleq \langle (E, \rightsquigarrow_1, \mapsto, l), D, T, U \rangle \;\text{ where, for } e_a \in E_U \setminus E_1,$$
$$\begin{array}{lcl}
E & = & E_1 \cup \{ e_a \} \\
\mapsto & = & \mapsto_1 \cup (\{ \{ e_a \} \} \times E_1) \\
l & = & l_1 \cup \{ (e_a, a) \} \\
D & = & \{ (e_a, T) \} \cup (E_1 \times \{ \mathit{Time} \}) \\
T & = & T_1 \cup \{ ((\{ e_a \}, e), D_1(e)) \mid e \in E_1 \} \\
U & = & U_1 \cup \{ (e_a, \mathit{false}) \}.
\end{array}$$

The semantics of 0 and √ is self-explanatory. In ER[[(T) a ; B1]] a bundle is introduced from a new event ea (labelled a) to all events in Γ1. The delay of these events becomes relative to ea, so each bundle {ea} ↦ e is associated with the time delay D1(e), and D(e) becomes Time. D(ea) becomes T. In the untimed case it suffices to only introduce bundles from ea to the initial events of Γ1, cf. Appendix A. The bundles that in the timed case are introduced for all events are used for the sole purpose of making delays relative to ea. Figure 3, e.g., shows (a) ER[[B]] and (b) ER[[([2, 7)) a ; B]].

d

[π,5]

[π,5] e

a [0,17]

c

b 4

1

(7,41] 1

3

e

[0,17]

[2,7) b

c

3

4

(7,41]

Fig.3. Example of semantics for timed action pre x. De nition8. ER[ ] : PAR ?! EBESR is de ned for n, [], +, >> and [> as follows: ER[EB[ opop BB ]] ,, hEhE00[[ ((Bop Bop)]B]; )]D];;DT ;[DU i for; T [Top 2fn ; U [U i; op 2f +; [> g ; [] g R (a): B

1

2 1

(b): ([2,7)) a ; B

1

1

2

1 2 1 1 1 1

2 1

2

ER[ B1 >> B2 ] =, h(E1[[ E2; [f; 7!(e;e;l);0D) j; Te;e; U0 12[Uexit(2i?where 1 2 1 ) ^ e 6= e0 g 7!l == 7!((l1 [[l 7!) n2 (exit( [ (f exit( ?1) g E2) ? ) f  g)) [ (exit(?1) f  g) 1 2 1 DT == DT 1 [T[ (E[f2 f((exit( Time g) ?1);e); D2(e)) j e 2 E2 g: 1 2 For op equalngtochoi ceordisrupt E0R[ [B(B1 op1 opB2B]2istheuntimedevent structure ofthe correspondi expressi o n in PA , E )] ] , where the timings of events and bundl e s i n ? 1 and ?2 are una ected. Similarly, ER [ ] is de ned for relabelling and hiding. Thethe events R [ B1 >> B2 ] are those in E1 [ E2 . Bundles are introduced between successfulof Etermination events of ?1 and the events in ?2. The reason for

ithentroduci all events of ?2asisforto timed make theaction-pre x. event delays in ?2 relative to terminngatibundl on ofes?1to. This is similar d1erandparal?2l,eorl composition.RecallfromAppendix Athat eventsare pairsis oftheNowweconsi events of ? with one component equal to  . The delay of an event maxiatedmumwithofa thebundldelays of itstocomponents thatofarethedi erent from . Thewithtimethe associ e is equal the maximum times associated bundlee,s iwef thigets projecti by projecting bundl on yieldsona thebundlei-thincomponents ?i. (i=1; 2) of the events in the For E =(Eas1 [fg 2 ) 2 E and X  E let for i=1; 2 projection bede ned pri((e1);e2))(E2,[fg ei,if e);i (6=e1;eand pri(X ) , f pri(e) j e 2 X \ dom(pri) g. De nition9. ER[ ] : PAR0 ?! EBESR is de ned for j G as follows: ER[ DB((1 jeG;eB2))] =, DhE ([e()B\1 jDG (Be2))]]with ; D; T ; Ui where D ()= Time: 1 T ((X;U (((ee11;e;e22))))) == TU11((pr (1 X);e2 1))2 \ T2((pri 2(X);e2)) with Ti((?;ei))= Time 1 2 1 (e1 ) _ U2 (e2 ) with Ui ()=false: Example 3. Consider the following timed behaviours B1 =([1; 7)) a ; (5) b ; 0 j b (f 1; 3; 6 g) c ; (7) b ; 0 B2 =([4; 9]) a ; (2) b ; 0 j b (((4; 27]) b ; 0 +(3) d ; 0) . Figure 4 shows how ER[ B1 j f a;b g B2 ] is constructed from ER[ B1 ] and ER[ B2 ] . a

Fig. 4. Example of semantics for parallel composition.

In ER[[B1 ⊳t B2]] a new internal, urgent event e is introduced that models the expiration of the timer. Since either the timer expires or B1 performs an initial action before (or at) t, event e is put in mutual conflict with all initial events of Γ1. The events of Γ2 can only occur after the timeout; this is modelled in the same way as for action-prefix: a bundle {e} ↦ e' is introduced for all e' ∈ Γ2. The delay of these bundles is determined as in the action-prefix case. The event delay of e becomes [t, t] such that it can only occur t time units after the enabling of ER[[B1 ⊳t B2]]. So, ER[[B1 ⊳t B2]] equals ER[[B1 + ([t, t]) τ ; B2]] where τ is urgent.

Definition 10. ER[[·]] : PAR → EBESR is defined for ⊳t as follows:

$$\mathcal{E}_R[\![ B_1 \rhd_t B_2 ]\!] \triangleq \langle (E, \rightsquigarrow, \mapsto, l), D, T, U \rangle \;\text{ where, for some } e \in E_U \setminus (E_1 \cup E_2),$$
$$\begin{array}{lcl}
E & = & E_1 \cup E_2 \cup \{ e \} \\
\rightsquigarrow & = & \rightsquigarrow_1 \cup \rightsquigarrow_2 \cup (\mathit{init}(\Gamma_1) \times \{ e \}) \cup (\{ e \} \times \mathit{init}(\Gamma_1)) \\
\mapsto & = & \mapsto_1 \cup \mapsto_2 \cup (\{ \{ e \} \} \times E_2) \\
l & = & l_1 \cup l_2 \cup \{ (e, \tau) \} \\
D & = & D_1 \cup \{ (e, [t,t]) \} \cup (E_2 \times \{ \mathit{Time} \}) \\
T & = & T_1 \cup T_2 \cup \{ ((\{ e \}, e'), D_2(e')) \mid e' \in E_2 \} \\
U & = & U_1 \cup U_2 \cup \{ (e, \mathit{true}) \}.
\end{array}$$

Example 4. Let B1 = (2) a ; (5) b || ([6, 21)) c and B2 = (3) d ; (2) g ||{g} ([27, 41]) g. Figure 5 illustrates how ER[[B1 ⊳12 B2]] is constructed from ER[[B1]] and ER[[B2]].

Fig. 5. Example of semantics for ⊳.

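The constructions of Definition 7 (timed action-prefix) and Definition 10 (timeout), together with the two constraints of Definition 3 that every urgent event must satisfy, as an added worked example in Python. This is not code from the paper or its authors: it encodes real-time event structures with Python sets and dicts, restricts a set of time instants to a closed interval (so (t) a becomes the pair (t, inf)), and uses its own naming scheme for fresh events from E_U. It builds the structure of (0) c ; (((2) a ; (5) b) ⊳12 (3) d) and checks that the urgent τ event introduced by the timeout satisfies both constraints, while dropping the bundle from c to a, or declaring an event with a non-singleton delay urgent, violates them.

```python
# Added example (not from the paper): Definition 7 ((T) a ; B1), Definition 10
# (B1 ⊳t B2) and a checker for the two urgency constraints of Definition 3,
# on a small encoding of real-time event structures.
# Simplifications (assumptions of this example): a set of time instants is a
# closed interval (lo, hi) with hi possibly math.inf; (t) a is (t, inf).
from dataclasses import dataclass, field
from itertools import count
import math

TIME = (0.0, math.inf)      # the whole time domain

@dataclass
class RTES:
    events: set = field(default_factory=set)
    conflict: set = field(default_factory=set)    # (e, e2) encodes e ⇝ e2
    bundles: dict = field(default_factory=dict)   # (frozenset X, e) -> T, i.e. X ↦T e
    label: dict = field(default_factory=dict)     # l : E -> action name
    delay: dict = field(default_factory=dict)     # D : E -> interval
    urgent: dict = field(default_factory=dict)    # U : E -> bool

_ids = count()

def fresh(prefix):
    """A new event name from the universe E_U (hypothetical naming scheme)."""
    return f"{prefix}#{next(_ids)}"

def init(g):
    """init(Γ): events with no bundle pointing to them."""
    targets = {e for (_, e) in g.bundles}
    return g.events - targets

def action_prefix(T, a, g1):
    """Definition 7: E_R[[(T) a ; B1]] from Γ1 = E_R[[B1]]."""
    ea = fresh(a)
    g = RTES(g1.events | {ea}, set(g1.conflict), dict(g1.bundles),
             {**g1.label, ea: a}, {ea: T}, {**g1.urgent, ea: False})
    for e in g1.events:
        g.bundles[(frozenset({ea}), e)] = g1.delay[e]  # delay now relative to ea
        g.delay[e] = TIME                                # D(e) becomes Time
    return g

def timeout(g1, t, g2):
    """Definition 10: E_R[[B1 ⊳t B2]]; a new urgent internal event e at [t, t]."""
    e = fresh("tau")
    g = RTES(g1.events | g2.events | {e}, g1.conflict | g2.conflict,
             {**g1.bundles, **g2.bundles}, {**g1.label, **g2.label, e: "tau"},
             {**g1.delay, e: (t, t)}, {**g1.urgent, **g2.urgent, e: True})
    for i in init(g1):                 # timer and initial events of Γ1 exclude each other
        g.conflict |= {(i, e), (e, i)}
    for e2 in g2.events:               # Γ2 can only start after the timeout
        g.bundles[(frozenset({e}), e2)] = g2.delay[e2]
        g.delay[e2] = TIME
    return g

def urgency_ok(g):
    """Definition 3: check constraints 1 and 2 for every urgent event."""
    singleton = lambda iv: iv[0] == iv[1]
    for e in g.events:
        if not g.urgent[e]:
            continue
        own = [X for (X, tgt) in g.bundles if tgt == e]
        # 1. for every e2 in conflict with e and every bundle X ↦ e:
        #    X ↦ e2 as well, or every event of X is disabled by e2 (X ⇝ e2)
        for e2 in g.events:
            if (e, e2) in g.conflict or (e2, e) in g.conflict:
                for X in own:
                    if (X, e2) not in g.bundles and not all((x, e2) in g.conflict for x in X):
                        return False
        # 2. e is enabled at a single instant, if ever
        if not (singleton(g.delay[e]) or any(singleton(g.bundles[(X, e)]) for X in own)):
            return False
    return True

def by_label(g, a):
    return [e for e in g.events if g.label[e] == a]

# Constructed instance: (0) c ; (((2) a ; (5) b) ⊳12 (3) d)
B1 = action_prefix((2.0, math.inf), "a", action_prefix((5.0, math.inf), "b", RTES()))
B2 = action_prefix((3.0, math.inf), "d", RTES())
GAMMA = action_prefix((0.0, math.inf), "c", timeout(B1, 12.0, B2))
```

Prefixing the timeout with c moves the singleton delay [12, 12] of the τ event from D(τ) onto the bundle {c} ↦ τ and sets D(τ) to Time, which is why constraint 2 of Definition 3 accepts either a singleton event delay or a singleton bundle delay; constraint 1 holds because the bundle {c} ↦ τ has a counterpart {c} ↦ a for the initial event a that τ is in conflict with.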
A similar approach could be taken for the watchdog operator (using [> rather than +), but there is also a possibility to model B1 ⊲t B2 without using urgent events. Consider ER[[B1 [> B2]], i.e., the real-time event structure of B1 [> B2, and (i) restrict all event delays in Γ1 by [0, t], ensuring that these events can only occur at time t at the latest, and (ii) postpone all events in Γ2 by time t such that these events can only occur from t on.

Definition 11. ER[[·]] : PAR → EBESR is defined for ⊲t as follows:

$$\mathcal{E}_R[\![ B_1 \lhd_t B_2 ]\!] \triangleq \langle \mathcal{E}_0[\![ \Phi(B_1 \lhd_t B_2) ]\!], D, T_1 \cup T_2, U_1 \cup U_2 \rangle \;\text{ where}$$
$$D = \{\, (e, D_1(e) \cap [0,t]) \mid e \in E_1 \,\} \cup \{\, (e, t + D_2(e)) \mid e \in E_2 \,\}.$$

Figure 6 shows how Γ1 ⊲6 Γ2 is constructed from Γ1 and Γ2.

Fig. 6. Example of semantics for the watchdog operator.

Theorem 12. ∀ B ∈ PAR : ER[[B]] ∈ EBESR.

6 Recursion

In this section we extend PAR with recursion. To that end we extend the syntax with the construct B ::= P, where P denotes a process instantiation. We assume a behaviour is always considered in the context of a set of process definitions of the form P := B where B is a behaviour possibly containing occurrences of P. ER[[P]] for P := B is defined in the following way by using standard fixed point theory [27]. A complete partial order (c.p.o.) ⊑ is defined on real-time event structures with the empty event structure (i.e., ER[[0]]) as the least element ⊥. Then for each definition P := B a function FB is defined that substitutes a real-time event structure for each occurrence of P in B, interpreting all operators in B as operators on real-time event structures. FB is shown to be continuous, which means that ER[[P]] can be defined as the least upper bound (l.u.b.) of the chain (under ⊑) ⊥, FB(⊥), FB(FB(⊥)), .... For this paper we just define the appropriate ordering ⊑ and the corresponding l.u.b., and present the main results. Given these ingredients it is rather straightforward to define a continuous function FB. Further details can be found in [14].

Definition 13. Let Γi = ⟨(Ei, ⇝i, ↦i, li), Di, Ti, Ui⟩ for i = 1, 2. Then Γ1 ⊑ Γ2 iff E1 ⊆ E2, l1 = l2 ↾ E1, D1 = D2 ↾ E1, U1 = U2 ↾ E1, and

$$\begin{array}{ll}
1. & \rightsquigarrow_1 \;=\; \rightsquigarrow_2 \cap (E_1 \times E_1) \\
2. & \mapsto_1 \;=\; \{\, ((X \cap E_1), e) \mid e \in E_1 \wedge X \mapsto_2 e \,\}, \text{ and} \\
3. & \forall e \in E_1,\; X \mapsto_2 e :\; T_1((X \cap E_1, e)) = T_2((X, e)),
\end{array}$$

where ↾ denotes restriction. It is straightforward to verify that ⊑ is a partial order with ⊥ = ⟨(∅, ∅, ∅, ∅), ∅, ∅, ∅⟩ as least element. For conflicts we require that no new conflicts appear in Γ2 between events that are already in Γ1. Similarly, the second constraint forbids the introduction of bundles in Γ2 pointing to events in Γ1 for which there exists no projected bundle in Γ1. Note that this constraint allows bundles to grow in such a way that the old bundle is contained in the new one. The last constraint requires those bundles to keep the same delay.

The l.u.b. of a chain Γ1 ⊑ Γ2 ⊑ ..., denoted ⊔i Γi, can be characterized as follows. For the set of events, conflicts, labelling function, and event delays we simply take the union of all events, conflicts, labellings, and event delays of the event structures in the chain. As bundles may grow, this approach does not apply to the set of bundles. Suppose some Γj has bundle Xj ↦j e. According to the definition of ⊑ there is a series of bundles Xj ↦j e, Xj+1 ↦j+1 e, ... satisfying Xk+1 ∩ Ek = Xk for k ≥ j. Then the l.u.b. contains the bundle (∪n Xj+n) ↦ e. For Γ1 ⊑ Γ2 ⊑ ...:

Definition 14. Let

$$\bigsqcup_i \Gamma_i \triangleq \Big\langle \big( \bigcup_i E_i,\; \bigcup_i \rightsquigarrow_i,\; \mapsto,\; \bigcup_i l_i \big),\; \bigcup_i D_i,\; T,\; \bigcup_i U_i \Big\rangle \;\text{ with}$$
$$\mapsto \;=\; \{\, ((\textstyle\bigcup_k X_k), e) \mid \exists j : (\forall k \geq j :\; X_k \mapsto_k e \wedge X_{k+1} \cap E_k = X_k) \,\}$$
$$T \;=\; \{\, (((\textstyle\bigcup_k X_k), e), T) \mid \exists j : (\forall k \geq j :\; X_k \mapsto_k^{T} e \wedge X_{k+1} \cap E_k = X_k) \,\}.$$

Proposition 15. ⊔i Γi is the least upper bound of the chain Γ1 ⊑ Γ2 ⊑ ....

Proposition 16. For Γ1 ⊑ Γ2 ⊑ ... a chain: TT(⊔i Γi) = ∪i ∩j≥i TT(Γj).

Definition 17. For P := B a process definition let ER[[P]] ≜ ⊔i FB^i(⊥).

Example 5. As an example of a recursive process definition in PAR we consider

P := ([3, 5]) a ; ((14) b ; P + (1) c ; ([3, ∞)) d ; P).

The first approximation of the real-time event structure semantics of this definition is ⊥, the empty structure. The second approximation FB(⊥) is depicted in Figure 7(a). By repeated substitution we obtain the real-time event structure depicted in Figure 7(b).

Fig. 7. Example of semantics for a recursive process definition in PAR. (a): the second approximation FB(⊥); (b): the real-time event structure obtained by repeated substitution.

7 Example: a time-constrained FIFO bu er

We show how PAR and real-time event structures can be used to specify real-time systems by treating a time-constrained first-in first-out (FIFO) buffer. This example is taken from [30]; the only difference is that we consider a buffer of infinite length. A simple way to specify a FIFO buffer is by using an abstract data type queue:

$$\mathit{Fifo}(w : \mathit{queue}) := \sum_{x \in D} \big( [w = \langle x \rangle \frown w'] \to \mathit{rd}_x ; \mathit{Fifo}(w') \;+\; \mathit{wr}_x ; \mathit{Fifo}(w \frown \langle x \rangle) \big).$$

D is a set of data values that can be buffered, wr_x denotes the writing (i.e., insertion) of x ∈ D into the buffer and rd_x denotes the reading (i.e., removal) of x from the buffer. Σ is a generalized version of the choice operator; ⟨x⟩ denotes a singleton queue containing x and ⌢ denotes concatenation of queues. [b] → E denotes that E can be executed if condition b holds. The FIFO buffer should model a communication network with the following timing constraints [30]: (i) a message latency in the range of 2 to 5 time units; (ii) a message input rate of 1 message per time unit; (iii) a message output rate of 1 message per two time units. These time constraints are maintained by the following processes:

TD := (wr_x ; ([2, 5]) rd_x) || TD
Wr := wr_x ; Wr'  where  Wr' := (1) wr_x ; Wr'
Rd := rd_x ; Rd'  where  Rd' := (2) rd_x ; Rd'.

The required buffer is obtained by putting these processes in parallel with Fifo: Fifo(⟨⟩) || Rd || Wr || TD, where || here is a shorthand for ||Act, i.e., full synchronization. This specification strongly resembles the timed CSP specification in [30].

A problem with this specification is that it prescribes a mutual exclusion between reading and writing: at any moment one may either choose to read (provided the buffer is not empty) or to write. However, intuitively reading and writing should be to a certain extent independent. If the queue contains one or more elements, it should be possible to read them in parallel with writing new elements. The mutual exclusion is especially unnatural if reading and writing take place at different locations (which is quite common in case of a communication network). We therefore propose a different way of modelling a time-constrained FIFO buffer in which we exploit the use of event structures as a partial order model:

Cell := wp ; Σ_{x ∈ D} wr_x ; ((1) wn || ([2, 5]) rp ; rd_x ; (2) rn)
Chain := (Cell ||{wn,rn} Chain[wp := wn, rp := rn]) \ {wn, rn}
Buf := Chain \ {wp, rp}.

The real-time event structures corresponding to the Cell and Buf processes are depicted in Figure 8(a) and (b), respectively. The unlabelled, grey dots represent internal events.

Fig. 8. Real-time event structure of a time-constrained FIFO buffer. (a): Cell; (b): Buf.

Process Cell describes a buffer cell allowing the writing and reading of a data value. The actions wp and rp ensure that the cell waits for the writing and reading, resp., of the cell before it. wn and rn indicate the writing and reading of the cell and are used in Chain to 'start' the next cell. Chain puts an unbounded number of cells in parallel using an appropriate renaming function. Finally, process Buf hides the write-previous and read-previous actions of the front cell. Note that the rd_x and wr_x events in the latter specification are in principle time-unconstrained. It would be more natural to force these events to happen as soon as they are enabled. This can be done by using an explicit urgent operator; the treatment of such an operator in our setting falls beyond the scope of this paper and can be found in [16].

8 Event-based operational semantics

Various timed process algebras are known based on an interleaving semantics. In order to compare our noninterleaving approach to these existing approaches and to investigate the `compatibility' of our proposal with the standard (interleaving) semantics of LOTOS we present an event-based operational semantics for PAR. The basic idea is to define a transition system (in the sense of [23]) in which we keep track of (times of) occurrence of actions rather than the actions themselves as is usual. This results in a timed event transition system. The structured operational semantics approach is adopted from [6, 17] and is also applied in [16]. Each occurrence of an action-prefix is subscripted with an arbitrary but unique event occurrence identifier, denoted by a Greek letter. These occurrence identifiers play the role of event names. For parallel composition new event names can be created. If e is an event name of B and e' an event name in B', then possible new names for events in B |[G]| B' are (e, *) and (*, e') for unsynchronized events and (e, e') for synchronized events. The operational semantics defines a set of transition relations --(e,a,t)-->; B --(e,a,t)--> B' denotes that B can perform event e, labelled with action a ∈ Act, at time t ∈ Time, and subsequently evolve into B'. The transition relation --> is the smallest relation closed under all inference rules listed in Table 2. As a subsidiary notion let ut(B) denote the set of time instants at which B can initially perform an urgent event. Let PAR+ denote PAR including the auxiliary operators t[B] and t{B} (see below).

Definition 18. ut : PAR+ → P(Time) is defined by:

ut(t[B]) ≜ { t' + t | t' ∈ ut(B) }
ut(t{B}) ≜ { t' ∈ ut(B) | t' ≥ t }
ut(B1 op B2) ≜ ut(B1) ∪ ut(B2) for op ∈ { +, [>, |[G]| }
ut(B1 >> B2) ≜ ut(B1)
ut(op B) ≜ ut(B) for op ∈ { \ G, [H] }
ut(B1 ▷t B2) ≜ ut(B1) ∪ { t }
ut(B1 ▶t B2) ≜ ut(B1) ∪ ut(t[B2])
ut(P) ≜ ut(B) for P := B.

For all other syntactical constructs let ut(B) ≜ ∅.

Let mt(B) abbreviate Min(ut(B)), where Min of the empty set equals ∞. In order to have well-defined process instantiations we require them to occur in a weakly guarded way (i.e., they should become guarded after a finite number of substitutions of bodies for their process names). As 0 cannot perform any transition there is no rule for this construct. p can perform the successful termination action δ at any time t. (T) a_ε ; B can perform event ε at time t, t ∈ T, and evolves into t[B]. t[B] can be considered as behaviour B shifted t time units in advance. That is, if B can perform event ε, say, at time t', then t[B] can perform ε at time t' + t. Note that t[B] is only an auxiliary construct; it has no counterpart at the language level. The rules for parallel composition in which no synchronization takes place, for hiding, and for labelling are straightforward extensions of the untimed rules. Synchronization can only take place when both participants perform an event whose label is in the synchronization set G (or equals δ) at time t. The rules for >> are also a straightforward extension of the rules for the untimed case except that in case B1 performs a successful termination action at time t, then B1 >> B2 evolves into t[B2] rather than B2. This represents that t time units have passed before B2 can start with its execution. This is similar to the timed action-prefix case. The rules for B1 + B2 are somewhat adapted since (initial) urgent events in B1 or B2 can decide the choice. E.g., in (12) a + ((18) b ▷5 ([1,7)) c) the timeout event will occur at time 5, and resolve the choice in favour of B2. In general, if B1 performs an event at time t then B1 + B2 can perform the same provided that B2 cannot perform an urgent event at any time earlier, i.e., if t ≤ mt(B2). By symmetry, a similar condition is obtained for B2 performing an event. Similar conditions appear for [>, ▷t and ▶t. The rules for [> are justified as follows. If B1 performs an event at time t and evolves into B1' then B1 [> B2 can do the same while evolving into B1' [> t{B2}.

Rules are written premises ⊢ conclusion; ε, ε' are event identifiers, * the auxiliary symbol for an unsynchronized side, i the internal action and δ the successful termination action.

⊢ p --(ε,δ,t)--> 0
t ∈ T ⊢ (T) a_ε ; B --(ε,a,t)--> t[B]
B --(ε,a,t')--> B' ⊢ t[B] --(ε,a,t'+t)--> t[B']
B1 --(ε,a,t)--> B1', t ≤ mt(B2) ⊢ B1 + B2 --(ε,a,t)--> B1'
B2 --(ε,a,t)--> B2', t ≤ mt(B1) ⊢ B1 + B2 --(ε,a,t)--> B2'
B1 --(ε,a,t)--> B1', a ≠ δ ⊢ B1 >> B2 --(ε,a,t)--> B1' >> B2
B1 --(ε,δ,t)--> B1' ⊢ B1 >> B2 --(ε,i,t)--> t[B2]
B1 --(ε,a,t)--> B1', (a ≠ δ ∧ t ≤ mt(B2)) ⊢ B1 [> B2 --(ε,a,t)--> B1' [> t{B2}
B1 --(ε,δ,t)--> B1', t ≤ mt(B2) ⊢ B1 [> B2 --(ε,δ,t)--> B1'
B2 --(ε,a,t)--> B2', t ≤ mt(B1) ⊢ B1 [> B2 --(ε,a,t)--> B2'
B --(ε,a,t')--> B', t' ≥ t ⊢ t{B} --(ε,a,t')--> t{B'}
B1 --(ε,a,t)--> B1', a ∉ G ⊢ B1 |[G]| B2 --((ε,*),a,t)--> B1' |[G]| B2
B2 --(ε,a,t)--> B2', a ∉ G ⊢ B1 |[G]| B2 --((*,ε),a,t)--> B1 |[G]| B2'
B1 --(ε,a,t)--> B1' ∧ B2 --(ε',a,t)--> B2', a ∈ G ⊢ B1 |[G]| B2 --((ε,ε'),a,t)--> B1' |[G]| B2'
B --(ε,a,t)--> B', a ∉ G ⊢ B \ G --(ε,a,t)--> B' \ G
B --(ε,a,t)--> B', a ∈ G ⊢ B \ G --(ε,i,t)--> B' \ G
B --(ε,a,t)--> B' ⊢ B[H] --(ε,H(a),t)--> B'[H]
B1 --(ε,a,t')--> B1', t' ≤ t ⊢ B1 ▷t B2 --(ε,a,t')--> B1'
t ≤ mt(B1) ⊢ B1 ▷t B2 --(ε,i,t)--> t[B2]
B1 --(ε,a,t')--> B1', (t' ≤ t ∧ a ≠ δ) ⊢ B1 ▶t B2 --(ε,a,t')--> B1' ▶t B2
B1 --(ε,δ,t')--> B1', t' ≤ t ⊢ B1 ▶t B2 --(ε,δ,t')--> B1'
B2 --(ε,a,t')--> B2', t ≤ mt(B1) ⊢ B1 ▶t B2 --(ε,a,t'+t)--> t[B2']
B --(ε,a,t)--> B', P := B ⊢ P --(ε,a,t)--> ρ_π(B')   (π the identifier of this instantiation of P)
B --(ε,a,t)--> B' ⊢ ρ_π(B) --(π.ε,a,t)--> ρ_π(B')

Table 2. Event-based operational semantics for PAR.

t{B} behaves like B except that it is unable to perform events before t. This ensures that B2 cannot disrupt B1 [> B2 by performing an event at time t', say, while B1 has performed an event at time t ≥ t'. The other inference rules for disrupt are straightforward extensions of the rules for the untimed case (using similar conditions as for +). The inference rule for t{B} is that if B can perform an event at time t', then t{B} can do so if t' ≥ t. Note that t{B} is, like t[B], an auxiliary operator that cannot be specified by the user.

If B1 performs an event at time t', with t' ≤ t, and evolves into B1' then B1 ▷t B2 can do the same; in this case the possibility that B2 happens is dropped since B1 has performed an action before (or at) time t. At time t the timeout event can happen and the resulting behaviour is t[B2], B2 shifted t time units in advance. This can only be done if t ≤ mt(B1). This condition ensures that the timeout event is not performed if B1 can perform an urgent event before t. E.g., in (a ▷7 b) ▷21 c it prevents the outer timeout event from happening (at time 21), since the inner timeout event should have happened (at time 7).

If B1 performs an event (which is not a successful termination event) at time t', with t' ≤ t, and evolves into B1' then B1 ▶t B2 can do the same while evolving into B1' ▶t B2; the possibility for disruption (at time t) by B2 remains. If B1 terminates successfully at time t', t' ≤ t, disruption by B2 becomes impossible (like for B1 [> B2). If B2 performs an event at time t' and evolves into B2' then B1 ▶t B2 can perform the same (provided B1 cannot perform an urgent event before t) and evolves into t[B2'], B2' shifted t time units in time.

It is assumed that each process instantiation of P is uniquely identified like all occurrences of action-prefix. Different occurrences of the same process instantiation should produce different event transitions. In addition, event transitions cannot be repeated. For P := ([2,7]) a_ε ; P we first have an event transition with (ε,a,t) for t ∈ [2,7]; the next time that action a occurs it should be labelled with a label different from ε. These complications are resolved by using an event renaming operator ρ_π(B) where all events in B are prefixed with a certain occurrence identifier: ρ_π(B) is behaviour B where all event identifiers in B are prefixed with π. Let UE(B) denote the set of urgent events in B. (This function can easily be defined by induction on the structure of B and is omitted here.)

Proposition 19. ∀ B ∈ PAR+ : (t ≤ mt(B)) ⇔ (∀ e ∈ UE(B), t' < t : B -/-(e,i,t')-->).
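The following is an added example, not from the paper: a small Python interpreter for the PAR fragment with timed action-prefix, choice, timeout and the auxiliary t[B], implementing ut, mt and the urgency side-conditions t ≤ mt(·) of the choice and timeout rules. The constructors, integer time and the omission of event identifiers are assumptions of this example; it runs the two examples from the text above.

```python
# Added example (not the paper's code): ut(B), mt(B) and the enabled transitions of
# (T) a ; B, B1 + B2, B1 |>t B2 and t[B] under the urgency side-conditions of Table 2.
# Assumptions: integer time, event identifiers omitted, the timeout action is i.
import math
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Stop:                      # 0: performs no transition
    pass


@dataclass(frozen=True)
class Prefix:                    # (T) a ; B with T = [lo, hi] or [lo, hi)
    lo: int
    hi: Optional[int]            # None means T is unbounded (plain a ; B)
    action: str
    body: "B"
    hi_closed: bool = True


@dataclass(frozen=True)
class Choice:                    # B1 + B2
    left: "B"
    right: "B"


@dataclass(frozen=True)
class Timeout:                   # B1 |>t B2: an internal timeout event may fire at t
    left: "B"
    t: int
    right: "B"


@dataclass(frozen=True)
class Shift:                     # t[B]: B shifted t time units in advance (auxiliary)
    t: int
    body: "B"


B = Union[Stop, Prefix, Choice, Timeout, Shift]


def ut(b: B) -> set:
    """Time instants at which b can initially perform an urgent (timeout) event."""
    if isinstance(b, Choice):
        return ut(b.left) | ut(b.right)
    if isinstance(b, Timeout):
        return ut(b.left) | {b.t}
    if isinstance(b, Shift):
        return {x + b.t for x in ut(b.body)}
    return set()


def mt(b: B) -> float:
    """Min(ut(b)); Min of the empty set is infinity."""
    return min(ut(b), default=math.inf)


def steps(b: B, t: int) -> list:
    """(action, successor) pairs that b can perform at absolute time t."""
    if isinstance(b, Prefix):
        in_T = b.lo <= t and (b.hi is None or t < b.hi or (b.hi_closed and t == b.hi))
        return [(b.action, Shift(t, b.body))] if in_T else []
    if isinstance(b, Choice):   # an earlier urgent event on the other side decides
        return ([s for s in steps(b.left, t) if t <= mt(b.right)] +
                [s for s in steps(b.right, t) if t <= mt(b.left)])
    if isinstance(b, Timeout):
        res = [(a, b1) for (a, b1) in steps(b.left, t) if t <= b.t]   # B2 dropped
        if t == b.t and b.t <= mt(b.left):   # timeout, unless B1 is urgent earlier
            res.append(("i", Shift(b.t, b.right)))
        return res
    if isinstance(b, Shift):
        return [(a, Shift(b.t, b1)) for (a, b1) in steps(b.body, t - b.t)]
    return []


# (12) a + ((18) b |>5 ([1,7)) c): the timeout at 5 resolves the choice for B2.
EXAMPLE = Choice(Prefix(12, 12, "a", Stop()),
                 Timeout(Prefix(18, 18, "b", Stop()), 5, Prefix(1, 7, "c", Stop(), False)))
# (a |>7 b) |>21 c: the outer timeout cannot fire at 21 since the inner one is due at 7.
NESTED = Timeout(Timeout(Prefix(0, None, "a", Stop()), 7, Prefix(0, None, "b", Stop())),
                 21, Prefix(0, None, "c", Stop()))
```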


The consistency between the denotational and operational semantics of PAR is given by

Theorem 20. ∀ B ∈ PAR : TT(ER[[B]]) = { σ | ∃ B' : B --σ-->> B' }.

9 Conclusions and related work

This paper concerns a real-time extension of (a variant of) event structures, a partial order model for concurrent systems. The original incentives of our work are to study the expressiveness of event structures to effectively support the specification of distributed systems and to facilitate formal representation of performance and reliability aspects. A secondary aim is to (formally) relate the real-time extension of event structures to interleaving models for concurrency such that partial-order and interleaving models can be used coherently in the system design process and can be compared in a perspicuous way. To achieve this we proposed a real-time variant of extended bundle event structures, used this model for providing a (noninterleaving) denotational semantics for a real-time process algebraic formalism that includes a timeout and watchdog operator, and constructed a corresponding event-based operational semantics. This shows that event structures are suitable for modelling real-time systems. Both semantics are characterized by the absence of any mechanism that explicitly forces the passage of time; time is treated as a parameter. The event-based operational semantics is a conservative extension of the standard interleaving operational semantics of LOTOS.

An interaction can take place if all participants can engage in it at the same time instant. The interaction cannot appear if such a common time instant does not exist. Since in our model we do not have an explicit notion of the passage of time, such an impossible interaction does not result in behaviours which block the entire system (so-called timelocks) but simply in the (local) impossibility to execute the event at hand. The model based on timed actions allows for the generation of ill-timed traces like in [1, 2]. Recently, [11] proposed a timed process algebra with the CSP parallel operator that also includes ill-timed traces. In the proposals [1, 2, 11] subprocesses have their independent local clock, and since local clocks are only synchronized at interaction, ill-timedness appears. We believe that the operational semantics presented in this paper is simpler by avoiding local clocks. Ill-timedness is a phenomenon that is sometimes explicitly avoided by others (like in real-time ACP [4] and TIC [25]), since the precedence of events in the trace does not reflect the order in time. To our opinion ill-timed traces are not that obscure, since for each ill-timed trace there exists a corresponding time-consistent trace with the same timed events. Moreover, we think that the avoidance of them leads to a more complicated operational semantics.

Acknowledgements. The authors would like to thank Pedro d'Argenio and Arend Rensink for their suggestions.

A Denotational semantics of PA

In this appendix we provide the full definition of the causality-based semantics of PA. The initial events and successful termination events of an event structure are defined as follows: init(E) ≜ { e ∈ E | ¬(∃ X ⊆ E : X ↦ e) } and exit(E) ≜ { e ∈ E | l(e) = δ }. E[[·]] is defined recursively in Definition 21. We suppose there is an infinite universe U of events. In the rest of this section let E[[Bi]] = ℰi = (Ei, ♯i, ↦i, li), for i = 1, 2, with E1 ∩ E2 = ∅. (If E1 ∩ E2 ≠ ∅ then a suitable event renaming can be applied to E2 and extended to ♯2, ↦2 and l2.)

The semantics of 0 and p is self-explanatory. In E[[a ; B1]] a bundle is introduced from the new event ea (labelled a) to all initial events in E1 as ea causally precedes these events. E[[B1 + B2]] is equal to ℰ1 ∪ ℰ2 extended with mutual conflicts between initial events of ℰ1 and ℰ2 such that in the resulting structure only either B1 or B2 can happen. E[[B1 \ G]] is identical to ℰ1 except that events labelled with a label in G are now labelled with i, turning those events into internal ones. E[[B1[H]]] is defined similarly where events are relabelled according to H (∘ denotes usual function composition). E[[B1 >> B2]] is equal to ℰ1 ∪ ℰ2 where bundles are introduced from the successful termination events of ℰ1 to the initial events of ℰ2. (To create bundles, mutual conflicts are introduced between the successful termination events of ℰ1.) This corresponds with the fact that these initial events can only occur if B1 has successfully terminated. The successful termination events of ℰ1 are relabelled into internal events. E[[B1 [> B2]] is equal to ℰ1 ∪ ℰ2 extended with some additional asymmetric conflicts. First, each event in ℰ1 may be disabled by an initial event of ℰ2. This models that B1 is disrupted once an initial event of B2 happens. In addition, after the occurrence of a successful termination event in ℰ1 no initial event of ℰ2 can happen anymore.

We finally consider parallel composition. The events of E[[B1 |[G]| B2]] are constructed in the following way: an event e of ℰ1 or ℰ2 that does not need to synchronize is paired with an auxiliary symbol *, and an event which is labelled with an action in G is paired with all events (if any) in the other process that are equally labelled. Thus events are now pairs of events of ℰ1 and ℰ2, or with one component equal to *. Two events are put in conflict if any of their components are in conflict, or if two different events have a common component different from * (such events appear if two or more events in one process synchronize with the same event in the other process). A bundle is introduced such that if we take the projection on the i-th component (i = 1, 2) of all events in the bundle we obtain a bundle in E[[Bi]]. For G ⊆ Act, sEi ≜ { e ∈ Ei | li(e) ∈ G } is the set of synchronization events and fEi ≜ Ei \ sEi the set of non-synchronizing events.

Definition 21. E[[·]] : PA → EBES is defined as follows:

E[[0]] ≜ (∅, ∅, ∅, ∅)
E[[p]] ≜ ({e}, ∅, ∅, {(e, δ)}) for some e ∈ U
E[[a ; B1]] ≜ (E, ♯1, ↦, l1 ∪ {(ea, a)}) where E = E1 ∪ {ea} for some ea ∈ U \ E1 and ↦ = ↦1 ∪ ({{ea}} × init(E1))
E[[B1 + B2]] ≜ (E1 ∪ E2, ♯, ↦1 ∪ ↦2, l1 ∪ l2) where ♯ = ♯1 ∪ ♯2 ∪ (init(E1) × init(E2)) ∪ (init(E2) × init(E1))
E[[B1 \ G]] ≜ (E1, ♯1, ↦1, l) where (l1(e) ∈ G ⇒ l(e) = i) ∧ (l1(e) ∉ G ⇒ l(e) = l1(e))
E[[B1[H]]] ≜ (E1, ♯1, ↦1, H ∘ l1)
E[[B1 >> B2]] ≜ (E1 ∪ E2, ♯, ↦, l) where
    ♯ = ♯1 ∪ ♯2 ∪ { (e, e') | e, e' ∈ exit(E1) ∧ e ≠ e' }
    ↦ = ↦1 ∪ ↦2 ∪ ({exit(E1)} × init(E2))
    l = ((l1 ∪ l2) \ (exit(E1) × {δ})) ∪ (exit(E1) × {i})
E[[B1 [> B2]] ≜ (E1 ∪ E2, ♯, ↦1 ∪ ↦2, l1 ∪ l2) where ♯ = ♯1 ∪ ♯2 ∪ (E1 × init(E2)) ∪ (init(E2) × exit(E1))
E[[B1 |[G]| B2]] ≜ (E, ♯, ↦, l) where
    E = (fE1 × {*}) ∪ ({*} × fE2) ∪ { (e1, e2) ∈ sE1 × sE2 | l1(e1) = l2(e2) }
    (e1, e2) ♯ (e1', e2') ≜ (e1 ♯1 e1') ∨ (e2 ♯2 e2') ∨ (e1 = e1' ≠ * ∧ e2 ≠ e2') ∨ (e2 = e2' ≠ * ∧ e1 ≠ e1')
    X ↦ (e1, e2) ≜ (∃ X1 ⊆ E1 : X1 ↦1 e1 ∧ X = { (e, e') ∈ E | e ∈ X1 }) ∨ (∃ X2 ⊆ E2 : X2 ↦2 e2 ∧ X = { (e, e') ∈ E | e' ∈ X2 })
    l((e1, e2)) = if e1 = * then l2(e2) else l1(e1).

In this paper we use a slightly different version of E[[·]], denoted E'[[·]]. The only difference with E[[·]] is that for action-prefix E'[[·]] introduces not only bundles from ea to the initial events of ℰ1 (as above), but to all events in ℰ1. Similarly, for sequential composition E'[[·]] introduces bundles from the successful termination events of ℰ1 to all events in ℰ2. These additional bundles do not pose any problems:

Proposition 22. ∀ B ∈ PA : T(E[[B]]) = T(E'[[B]]).

References

1. L. Aceto and D. Murphy. On the ill-timed but well-caused. In E. Best, editor, Concur'93, LNCS 715, pages 97-111. Springer-Verlag, 1993.
2. L. Aceto and D. Murphy. Timing and causality in process algebra. Acta Informatica, 1996 (to appear).
3. R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994.
4. J. C. M. Baeten and J. A. Bergstra. Real time process algebra. Formal Aspects of Computing, 3(2):142-188, 1991.
5. T. Bolognesi and E. Brinksma. Introduction to the ISO specification language LOTOS. Computer Networks and ISDN Systems, 14:25-59, 1987.
6. G. Boudol and I. Castellani. Flow models of distributed computations: three equivalent semantics for CCS. Information & Computation, 114:247-314, 1994.
7. E. Brinksma, J.-P. Katoen, R. Langerak, and D. Latella. Performance analysis and true concurrency semantics. In T. Rus and C. Rattray, editors, Theories and Experiences for Real Time System Development, volume 2 of AMAST Series in Computing, pages 309-337. World Scientific, 1994.
8. R. T. Casley, R. F. Crew, J. Meseguer, and V. R. Pratt. Temporal structures. Mathematical Structures in Computer Science, 1(2):179-213, 1991.
9. J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors. Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS 354. Springer-Verlag, 1989.
10. C. Fidge. A constraint-oriented real-time process calculus. In M. Diaz and R. Groz, editors, FORTE'92, Fifth International Conference on Formal Description Techniques, volume C-10 of IFIP Transactions, pages 363-378. North-Holland, 1993.
11. R. Gorrieri, M. Roccetti, and E. Stancampiano. A theory of processes with durational actions. Theoretical Computer Science, 140:73-94, 1995.
12. J. Gunawardena. A dynamic approach to timed behaviour. In B. Jonsson and J. Parrow, editors, Concur'94: Concurrency Theory, LNCS 836, pages 178-193. Springer-Verlag, 1994.
13. W. Janssen, M. Poel, Q. Wu, and J. Zwiers. Layering of real-time distributed processes. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, pages 393-417. Springer-Verlag, 1994.
14. J.-P. Katoen. Quantitative and Qualitative Extensions of Event Structures. PhD thesis, University of Twente, 1996.
15. J.-P. Katoen, R. Langerak, and D. Latella. Modelling systems by probabilistic process algebra: An event structures approach. In R. L. Tenney, P. D. Amer, and M. U. Uyar, editors, Formal Description Techniques VI, volume C-22 of IFIP Transactions, pages 253-268. North-Holland, 1994.
16. J.-P. Katoen, D. Latella, R. Langerak, E. Brinksma, and T. Bolognesi. A consistent causality-based and interleaved view on timed process algebra including timeouts. In A. Cornell and D. Ionescu, editors, Proceedings 3rd Amast Workshop on Real Time System Development, 1996.
17. R. Langerak. Transformations and Semantics for LOTOS. PhD thesis, University of Twente, 1992.
18. A. Maggiolo-Schettini and J. Winkowski. Towards an algebra for timed behaviours. Theoretical Computer Science, 103:335-363, 1992.
19. A. Mazurkiewicz. Basic notions of trace theory. In de Bakker et al. [9], pages 285-363.
20. D. Murphy. Time and duration in noninterleaving concurrency. Fundamenta Informaticae, 19:403-416, 1993.
21. X. Nicollin and J. Sifakis. An overview and synthesis on timed process algebras. In J. W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Real Time: Theory in Practice, LNCS 600, pages 526-548. Springer-Verlag, 1992.
22. G. M. Pinna and A. Poigné. On the nature of events: another perspective in concurrency. Theoretical Computer Science, 138(2):425-454, 1995.
23. G. D. Plotkin. A structural approach to operational semantics. Technical Report DAIMI FN-19, Computer Science Department, Aarhus University, 1981.
24. V. R. Pratt. Modeling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33-71, 1986.
25. J. Quemada, D. de Frutos, and A. Azcorra. TIC: A TImed Calculus. Formal Aspects of Computing, 5:224-252, 1993.
26. A. Rensink. Methodological aspects of action refinement. In E.-R. Olderog, editor, Programming Concepts, Methods and Calculi, volume A-56 of IFIP Transactions, pages 227-246. North-Holland, 1994.
27. D. A. Schmidt. Denotational Semantics: a methodology for language development. Allyn and Bacon, 1986.
28. C. A. Vissers. FDTs for open distributed systems, a retrospective and a prospective view. In L. Logrippo, R. L. Probert, and H. Ural, editors, Protocol Specification, Testing and Verification X, pages 341-362. North-Holland, 1990.
29. G. Winskel. An introduction to event structures. In de Bakker et al. [9], pages 364-397.
30. J. J. Zic. Time-constrained buffer specifications in CSP+T and Timed CSP. ACM Transactions on Programming Languages and Systems, 16(6):1661-1674, 1994.
