10.2 True Concurrency Semantics 309 The main part of the semantics is the interpretation of behaviour expres- sions. Thus, in the rest of this section we assume that B  ❏ B 1 ❑ (d) = Ψ 1 = ε 1 , A 1 , R 1  with ε 1 =(E 1 , # 1 , → 1 ,l 1 )andB  ❏ B 2 ❑ (d) has a corresponding format. Furthermore, for B 1 and B 2 we assume that E 1 ∩ E 2 = ∅;incaseof name clashes, renaming can be used to obtain this property. 10.2.3.1 Inaction, Successful Termination and Action Prefix These are defined as follows. B  ❏ stop ❑ (d)  ∅, ∅, ∅, ∅, ∅, ∅ B  ❏ exit I ❑ (d)  { e }, ∅, ∅, { (e, δ) }, { (e, I) }, ∅ where e ∈U E B  ❏ aI; B 1 ❑ (d)  E,# 1 , →,l,A, R where E = E 1 ∪{e } for, e ∈U E \ E 1 → = → 1 ∪ ({{e }}×rin(Ψ 1 )) l = l 1 ∪{(e, a) } A = { (e, I) }∪(E 1 ×{R +0 }) R = R 1 ∪{(({ e },e  ), A 1 (e  )) | e  ∈ rin(Ψ 1 ) } Thus, stop yields the empty timed bundled event structure and exit I is mapped to a single event, labelled δ with timing I. With regard to aI; B 1 , a bundle is added from a new event e (labelled a)toeventsinΨ 1 that are, either, initial (e will now causally precede these events) or time-restricted. For all such initial and time-restricted events, e  say, the delay is now relative to e, so a time delay A 1 (e  ) is associated with each bundle { e } → e  and A(e  )becomesR +0 ; i.e. e  becomes time-unrestricted. In addition, I becomes the timing of e. It is sufficient in the untimed case to introduce only bundles from e to the initial events of Ψ 1 ; c.f. Section 4.2. However, in the timed case, new bundles to time-restricted events of Ψ 1 are used to make delays relative to e. Notice that the above construction applies to both observable and internal events. As an example, Figure 10.6(b) provides the semantics of x [5, 6] ; P ,where the semantics of P is given as Figure 10.6(a). The following behaviour would yield an event structure consistent with figure 10.6(a). P := ( ( y (2) ; z (8) ; ( w (2) ; stop ||| exit (18))) |[w]| w [8, 25] ; stop ) ||| i [12, 14] ; v ; stop 310 10 Semantic Models for tLOTOS (a) y 2 8 z 2 [8,25] 18 i [12,14] v ( b ) 2 z 8 y 2 [5,6] [12,14] iv 18 x [8,25] w δ w δ Fig. 10.6. Semantics of Action Prefix 10.2.3.2 Delay, Hiding and Relabelling The semantics for these constructs are as follows. B  ❏ wait [d] B 1 ❑ (d)  E 1 , # 1 , → 1 ,l 1 , ((+d) ◦A 1 ), R 1  B  ❏ hide G in B 1 ❑ (d)  E 1 , # 1 , → 1 ,l,A 1 , R 1  where , ( l 1 (e) ∈ G =⇒ l(e)=i ) ∧ ( l 1 (e) ∈ G =⇒ l(e)=l 1 (e)) B  ❏ B 1 [H] ❑ (d)  E 1 , # 1 , → 1 , (H ◦ l 1 ), A 1 , R 1  10.2 True Concurrency Semantics 311 Semantically, wait [d] B 1 is identical to B  ❏ B 1 ❑ (d) , but with event delays in- cremented by d (◦ denotes function composition; i.e. f ◦ g (x)=f(g(x))). Bundle delays express relative delays between events, and, thus, are unaf- fected. B  ❏ hide G in B 1 ❑ (d) simply takes B  ❏ B 1 ❑ (d) and turns events with labels in G into internal events. B  ❏ B 1 [H] ❑ (d) is identical to B  ❏ B 1 ❑ (d) ,but with events relabelled according to H. As an example of these denotational semantics, consider the timed bundle event structure depicted in figure 10.7(a). After the hiding of actions y and v the event structure of Figure 10.7(b) results. [5,6] [12,14] 2 [8,25] 2 z 8 y iv 18 [5,6] [12,14] [8,25] (a) z 8 i 2 ii 18 x x w δ δ w ( b ) 2 Fig. 10.7. Example of Semantics for Hiding 312 10 Semantic Models for tLOTOS 10.2.3.3 Choice The semantics of choice are straightforward. B  ❏ B 1 [] B 2 ❑ (d)  E 1 ∪ E 2 , #, → 1 ∪ → 2 ,l 1 ∪ l 2 , A 1 ∪A 2 , R 1 ∪R 2  #=# 1 ∪ # 2 ∪ (init(Ψ 1 ) × init(Ψ 2 )) B  ❏ B 1 [] B 2 ❑ (d) takes the componentwise union of B  ❏ B 1 ❑ (d) and B  ❏ B 2 ❑ (d) subject to the addition of conflicts between initial events of B  ❏ B 1 ❑ (d) and B  ❏ B 2 ❑ (d) . This ensures that, in the resulting structure, only one of B 1 or B 2 can happen. Timing is unaffected by this construct. 10.2.3.4 Enabling The semantics of enabling are as follows. B  ❏ B 1 >> B 2 ❑ (d)  E 1 ∪ E 2 , #, →,l,A, R #=# 1 ∪ # 2 ∪ (exit(Ψ 1 ) × exit(Ψ 1 )) \ Id → = → 1 ∪ → 2 ∪ ({ exit(Ψ 1 ) }×rin(Ψ 2 )) l =((l 1 ∪ l 2 ) \ (exit(Ψ 1 ) ×{δ })) ∪ (exit(Ψ 1 ) ×{i }) A = A 1 ∪ (E 2 ×{R +0 }) R = R 1 ∪R 2 ∪{((exit(Ψ 1 ),e), A 2 (e)) | e ∈ rin(Ψ 2 ) } Thus, the event set of B  ❏ B 1 >> B 2 ❑ (d) is the union of those for B  ❏ B 1 ❑ (d) and for B  ❏ B 2 ❑ (d) . Component conflicts are inherited, with the addition of conflicts between nonidentical successful termination events of B  ❏ B 1 ❑ (d) (the identity relation (Id) is subtracted in order to avoid generating self-conflicts). These mutual conflicts between successful termination events ensure that newly introduced bundles really are bundles, i.e. have mutually in conflict enabling sets. These new bundles are introduced from the successful termina- tion events of B  ❏ B 1 ❑ (d) to the initial and time-restricted events of B  ❏ B 2 ❑ (d) . Bundles to the initial events of B  ❏ B 2 ❑ (d) reflect that B 2 can only start if B  ❏ B 1 ❑ (d) has successfully terminated. In a similar way as with action prefix, new bundles to time-restricted events of B  ❏ B 2 ❑ (d) are required to enforce that event delays become relative to the termination of B  ❏ B 1 ❑ (d) . Finally, in standard fashion, successful termination events of B  ❏ B 1 ❑ (d) are relabelled as internal events. Figure 10.8 illustrates these semantics. The diagram depicts stages in se- mantic interpretation of the behaviour, P>>Q where P := ( y ; exit (5) ) [] ( x ; exit (2) ), and Q := ( z ; w (10) ; stop ) |[w]| ( w [5, 7] ; stop ) 10.2 True Concurrency Semantics 313 The exact reason why B  ❏ Q ❑ (d) generates the enabled structure, shown to the left of the equals in Figure 10.8 becomes clear when we discuss the semantics of parallel composition. However, for the moment, the main point to note is how the enabling event structure is appended on the front of the enabled event structure. Notice also that e z is an initial event of B  ❏ Q ❑ (d) ,wherease w is a time-restricted event of B  ❏ Q ❑ (d) . 2 z 10 [5,7] w y x δ δ = 5 [5,7] 10 yz wx 5 2 i i >> Fig. 10.8. Example of Semantics for Enabling 10.2.3.5 Parallel Composition The first four clauses of the definition of parallel composition (shown in Fig- ure 10.9) are inherited unchanged from the untimed setting; see Section 4.4. However, we briefly re-iterate their explanation for completeness. Firstly, the events of B  ❏ B 1 |[G]| B 2 ❑ (d) comprise events arising through the pairing of (i) the symbol ∗ with events of B  ❏ B 1 ❑ (d) or B  ❏ B 2 ❑ (d) that do not need to synchronise (E f 1 and E f 2 , respectively), and (ii) events labelled with actions in G ∪{δ} with identically labelled events in the other process (as determined by E s 1 and E s 2 ). Thus, parallel composition events are non- synchronising component events paired with ∗ and synchronising events of B  ❏ B 1 ❑ (d) and B  ❏ B 2 ❑ (d) paired with each other. E s k and E f k (for k ∈{1, 2}) were defined in Section 4.4. Events are put in conflict if (i) any of their components are in conflict or (ii) distinct events have a common proper component (i.e. other than ∗). The latter case arises if a number of events in one process synchronise with the same event in the other process. With regard to causality, bundles in the parallel composition are such that, if a projection on B 1 (or B 2 ) of all events in the bundle is taken, a bundle in B  ❏ B 1 ❑ (d) (or B  ❏ B 2 ❑ (d) ), respectively, results. Labelling is straightforward. The new clauses are the last two, which were originally highlighted by Ka- toen [107]. Firstly, the event timing function is the intersection of component event timings, with * events yielding null timing constraints. Secondly, bundle timings are defined to be the intersection of the time sets associated with the bundles obtained by projecting on the events of B 1 (or B 2 ), subject to the 314 10 Semantic Models for tLOTOS requirement that this projection yields a bundle in B  ❏ B 1 ❑ (d) (or B  ❏ B 2 ❑ (d) ), respectively. B   B 1 |[G]| B 2  (d)  E, #, →,l,A, R where, E =(E f 1 ×{∗}) ∪ ({∗}×E f 2 ) ∪ {(e 1 ,e 2 ) ∈ E s 1 × E s 2 | l 1 (e 1 )=l 2 (e 2 ) } (e 1 ,e 2 )#(e  1 ,e  2 ) ⇔ (e 1 # 1 e  1 ) ∨ (e 2 # 2 e  2 ) ∨ (e 1 = e  1 = ∗∧e 2 = e  2 ) ∨ (e 2 = e  2 = ∗∧e 1 = e  1 ) X → (e 1 ,e 2 ) ⇔ (∃X 1 . (X 1 → 1 e 1 ∧ X = {(e, e  ) ∈ E | e ∈ X 1 })) ∨ (∃X 2 . (X 2 → 2 e 2 ∧ X = {(e, e  ) ∈ E | e  ∈ X 2 })) l((e 1 ,e 2 )) = if e 1 = ∗ then l 2 (e 2 ) else l 1 (e 1 ) A((e 1 ,e 2 )) = A 1 (e 1 ) ∩A 2 (e 2 ) where, A 1 (∗)=A 2 (∗)=R +0 . R((X, (e 1 ,e 2 ))) = if X = ∅ then R +0 otherwise,  X 1 ∈S 1 R 1 (X 1 ,e 1 ) ∩  X 2 ∈S 2 R 2 (X 2 ,e 2 ) where, S 1 = {X 1 ⊆ E 1 | X 1 → 1 e 1 ∧ X = {(e, e  ) ∈ E | e ∈ X 1 }} S 2 = {X 2 ⊆ E 2 | X 2 → 2 e 2 ∧ X = {(e, e  ) ∈ E | e  ∈ X 2 }} Fig. 10.9. TBES Semantics for Parallel Composition Our first illustration of parallel composition (see Figure 10.10) highlights how events are constructed when there is no synchronisation. Note, in contrast to earlier event structure depictions in this chapter, event labels are explicitly represented. This is required to avoid ambiguity, because here, multiple events have the same label. Events are denoted e, f , g etc. and their primed versions. The following tLOTOS behaviour could yield the event structures shown in Figure 10.10. P ||| Q where P := x ; z [2, 10] ; stop and Q := ( y ; z (5) ; stop )[](w ; stop ) 10.2 True Concurrency Semantics 315 Because no causal or conflict relationships cross component event structures, the parallel composition yields two disconnected and, thus, independently evolving, event structures. x [2,10] z ||| 5 z = e [2,10] z y 5 x (e,*) (f,*) (*,e’) (*,f’) z w P P ||| Q Q (*,e’’) f’ y e’ e’’ f w Fig. 10.10. Example Without Synchronisation, Illustrating Semantics for Parallel Composition Next, we consider an example containing synchronisation. This yields pair- ing of component events and intersection of component event timings; see Figure 10.11. This structure could arise from the following behaviour, P |[z]| ( Q |[z]| R )where P and Q are as defined above and R := z [2, 5] ; stop The final example (see Figure 10.12) could arise from the following tLOTOS behaviour, S |[x]| T where S := ( x [2, 8] ; i (10) ; stop )[](x [3, 10] ; stop )and T := ( x [2, 7] ; z (9) ; stop )[](w [2, 12] ; stop ) The example shows how bundles can result from synchronisation. In par- ticular, because two in conflict events (e and f) both labelled x in the left component event structure are synchronised with a single event (e  ) labelled x in the right-hand component, a single bundle is generated of the form, { (e, e  ), (f,e  ) } → (∗,g  ). In addition, this example demonstrates how event timings are intersected dur- ing parallel composition. For example, A (S |[x]| T ) ((f,e  ))=A S (f) ∩A T (e  ). 316 10 Semantic Models for tLOTOS [2,10] z 5 z (e,*) [2,10] 5 x z [2,5] = e [2,5] f |[z]| (*,e’’) P|[z]| (Q |[z]| R) x P f’ (*,e’) y Q |[z]| R e’ y e’’ w w ( f , f’ ) Fig. 10.11. Example with Synchronisation, Illustrating Semantics for Parallel Com- position = e f g i x i z [2,8] 10 x [3,10] 9 [2,7] xz 10 e’ (e,e’) x x w 9 (f,e ’ ) S |[x]| T [2,7] [3,7] S [2,12] g’ (*,f’) (g,*) (*,g’) |[x]| T [2,12] f’ w Fig. 10.12. Further Example with Synchronisation, Illustrating Semantics for Par- allel Composition 10.2.3.6 Process Instantiation The rule for process instantiation can be succinctly stated. B  ❏ P ❑ (d)   j F j B (⊥)where 10.2 True Concurrency Semantics 317 (P := B) ∈ d and F j B (⊥)  F B (F B ( F B (⊥) )) with j repetitions of F B on the right-hand side. However, this belies a good deal of theoretical complexity, which is required in order to support this statement. This complexity is focused on the derivation of a suitable fixed point theory to handle recursive process definitions. As was the case for the other denotational semantics we have considered, the trace semantics of Chapter 3 and the (untimed) bundle event structure semantics of Chapter 4, it is beyond the scope of this book to present the necessary fixed point theory in full detail. However, the required semantic constructions are very closely related to those presented in [107], have similarities to those given in [32] and are presented in detail in [46]. To give an informal perspective on this theory, the mathematical constructions in [46] ensure that the above defi- nition characterises the (unique) least timed bundle event structure, according to a complete partial order, denoted , that satisfies Ψ = F B (Ψ). B  ❏ P ❑ (d) for P := B is defined using standard fixed point theory. A complete partial order  is defined (see [46]) on timed bundle event structures with the empty event structure (i.e. B  ❏ stop ❑ (d) ) as the least element, denoted ⊥. Then, for each definition P := B, a function F B is defined that substitutes a timed bundle event structure for each occurrence of P in B,interpreting all operators in B as operators on timed bundle event structures. (Due to the compositionality of our semantics this approach is feasible.) F B is shown to be continuous with respect to , which means that B  ❏ P ❑ (d) can be defined as the least upper bound of the chain (under ) ⊥, F B (⊥), F B (F B (⊥)), Such a chain reflects the unfolding of a recursive process definition, with the nth unfolding of the process definition being larger, in the sense of ,thanthen−1 previous unfoldings. Furthermore, [46] gives a definition of  ,suchthat  i Ψ i is the least upper bound of such a chain; i.e. it is the smallest TBES that is larger according to  than all TBESs in the chain. We illustrate this mathematical construction with a simple example of a recursive process: Q := x [2, 4] ; ( hide x in ( z [3, 6] ; stop ||| Q )) Our semantics would yield the series of timed bundle event structure approx- imations to B  ❏ Q ❑ (d) shown in Figure 10.13. As a further example, consider the channel from the multimedia stream specification of Section 9.3.2: Channel := sourceOut ;((i [80, 90] ; sinkIn [0] ; stop [] i [0, 90] ; stop ) ||| Channel ) 318 10 Semantic Models for tLOTOS ✲ ❍ ❍ ❍ ❍❥ ✟ ✟ ✟ ✟ ✟✯ ❍ ❍ ❍ ❍❥ ✟ ✟ ✟ ✟ ✟✯ ✲ ✲ ✟ ✟ ✟ ✟ ✟✯ ❍ ❍ ❍ ❍❥ t tt [2, 4] [3, 6] [3, 6] [2, 4] ETC [2, 4] x z x [3, 6] z i x z i z i z [2, 4] z [2, 4] [3, 6] [3, 6] [3, 6] t t t t t t t t t [2, 4] Fig. 10.13. Example Fixed Point Approximations Figure 10.14 presents the true concurrency model resulting from this be- haviour. The triangle informally denotes further recursive unfolding of the event structure. We have not included the interleaved interpretation, because the parallel interleaving of time and action transitions makes it too com- plicated to draw. In fact, even without showing time transitions, the labelled transition system is highly complex. This example illustrates one of the major benefits of the true concurrency approach: avoidance of state-space explosion. 10.2.4 Anomalous Behaviour As noted in [47], some situations of degenerate behaviour that arise when tLOTOS is given an operational semantics (see Section 9.4) do not arise in the true concurrency setting. In particular, the direct link between unguarded recursion and timelocks is lost when event structure semantics are considered. In addition, zeno processes can be given a natural interpretation in a rather straightforward way. We discuss these issues in this section. Consider, for example the unguarded recursion introduced in Section 9.4. unguarded := ( x [2, 6] ; stop ) ||| unguarded The interleaving semantics of tLOTOS generates a timelock for this behaviour. In contrast, the timed bundle event structure semantics for an instantiation of unguarded, [...]... Automata t1 . instantiation of unguarded, 10.2 True Concurrency Semantics 3 19 [0,0] Channel sourceOut [0,0] sinkIn i i sourceOut i sinkIn [80 ,90 ] [0 ,90 ] [80 ,90 ] [0 ,90 ] i Fig. 10.14. True Concurrency Model of Multimedia. before the right-hand side i. Unguarded recursion is the only one of the anomalous behaviours consid- ered in Section 9. 4 that behave fundamentally differently in the true concur- rency setting and verifying real-time systems. This is particularly evident from the success of region graph-based model-checking techniques, implemented in tools such as Uppaal [16] 1 , Kronos [66] and HyTech [92 ]. Different