CHAPTER 9
PROCESS ALGEBRA
A computer process is a program or section of a program (such as a function) in
execution. It may be in one of the following states: ready, running, waiting, or termi-
nated. A process algebra is a concise language for describing the possible execution
steps of computer processes. It has a set of operators and syntactic rules for spec-
ifying a process using simple, atomic components. It is usually not a logic-based
language.
Central to process algebras is the notion of equivalence, which is used to show
that two processes have the same behavior. Well-established process algebras such
as Hoare’s Communicating Sequential Processes (CSP) [Hoare, 1978; Hoare, 1985],
Milner’s Calculus of Communicating Systems (CCS) [Milner, 1980; Milner, 1989],
and Bergstra and Klop’s Algebra of Communicating Processes (ACP) [Bergstra and
Klop, 1985] have been used to specify and analyze concurrent processes with interprocess
communication. These are untimed algebras, since they only allow one to reason about
the relative ordering of execution steps and events.
To use a process algebra or a process-algebraic approach to specify and analyze a
system, we write the requirements specification of the system as an abstract process
and the design specification as a detailed process. We then show that these two pro-
cesses are equivalent, thus showing the design specification is correct with respect to
the requirements specification. Here, the requirements specification may include the
desired safety properties.
Real-Time Systems: Scheduling, Analysis, and Verification. Albert M. K. Cheng. Copyright 2002 John Wiley & Sons, Inc. ISBN: 0-471-18406-3

9.1 UNTIMED PROCESS ALGEBRAS
A process algebra has four basic components: (1) a concise language to specify a
system as a process or set of processes, (2) an unambiguous semantics that gives
precise meaning to the behavior of the specified processes by showing their possible
execution steps, (3) an equivalence or preorder relation to compare the behavior of
processes, and (4) a set of algebraic laws to manipulate process specifications
syntactically. There are several notions of equivalence. In general, two processes are
equivalent if every execution step of one process can be matched by the same execution
step of the other process, and vice versa. If the set of execution steps (the behavior)
of one process is a subset of that of another process, a preorder holds between these
two processes.
A typical process algebra has the following set of operators for composing pro-
cesses or atomic components to specify complex systems. A prefix operator specifies
the ordering of actions and events. A choice (or summation) operator selects one
option among several possible choices. A parallel (or composition) operator indi-
cates that two processes execute simultaneously. A hiding and restriction operator
abstracts lower-level details such as communicating steps to reduce analysis complexity.
A recursion operator defines a process in terms of itself, so that the described
behavior may be infinite. Note that
similar operators are used in David Parnas’ event-action model language described
in chapter 6. In this chapter, we describe the untimed process algebra CCS and the
timed process algebra called Algebra of Communicating Shared Resources (ACSR).
We show how ACSR can be used to specify real-time systems, which can then be
analyzed using syntactic and semantic techniques.
9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
Inspired by Dana Scott's theory of computation, Milner [Milner, 1980] developed a process
algebra called the Calculus of Communicating Systems (CCS) to specify the behavior
of untimed, concurrent, and communicating systems. He proposed the concept of
observation equivalence of programs and, derived from it, a congruence relation.
Observation Equivalence and Congruence: Two programs are observation equivalent
if and only if they are indistinguishable by observation. Two programs are observation
congruent if and only if they remain observation equivalent in every program context,
so that one may be substituted for the other anywhere without changing the observable
behavior of the whole.

Since an observation congruence class is considered a behavior, CCS is thus an
algebra of behaviors in which each program stands for its congruence class. The
syntax of CCS consists of (1) value expressions; (2) labels, sorts, and relabeling;
(3) behavior identifiers; and (4) behavior expressions.
Value Expressions: Value expressions are constructed from simple variables, constant
symbols, and function symbols signifying known total functions over values.
Labels, Sorts, and Relabeling: Labels are formed from names, their complements (co-names,
written with an overbar), and the unobservable action τ. A sort L is a subset of the
labels, and a sort L(B) is assigned to each behavior expression B. Given that P and Q
are sorts, S : P → Q is a relabeling from P to Q if (1) it is a bijection and (2) it
respects complements; that is, $S(\bar{a}) = \overline{S(a)}$ for $a, \bar{a} \in P$.
Behavior Identifiers: Each behavior identifier has a preassigned arity n(b), which
indicates the number of value parameters, and a sort L(b).
Behavior Expressions: Behavior expressions are constructed with six types of be-
havior operators, by parameterizing behavior identifiers and by conditionals. The
behavior operators are: inaction, summation, action, composition, restriction, and
relabeling.
The inaction operator NIL (null) produces no atomic actions. The summation
operator "+" in A + B offers a choice between the atomic actions of A and B, so the
sum behaves like A or like B. The action (prefix) operator "." in α.A performs the
atomic action α and then behaves like A; the CCS laws in Figure 9.1 are stated in
terms of this prefix form. The composition operator "|" in A | B signifies that an
action of A or B in the composition produces an action of the composite in which the
other component is unaffected. The restriction operator "\" in A\b indicates that A
is restricted so that it performs no b or $\bar{b}$ actions.
An identifier can be parameterized as in $b(E_1, \ldots, E_{n(b)})$. A conditional is
of the form if E then B else B'. The definition operator $\stackrel{def}{=}$ in
$X \stackrel{def}{=} P$ defines process X as the more complex process expression P.
Example. Consider a system of two processes. Let $N_i$ be the non-critical section of
process i, $T_i$ its section requesting to enter its critical section, and $C_i$ its
critical section. The following CCS statement specifies that process P is the summation
of three alternatives, each of which is a composition of two processes:

$P \stackrel{def}{=} N_1 \mid N_2 + T_1 \mid N_2 + N_1 \mid T_2.$

More precisely, one choice is for the system's two processes to stay in their non-critical
sections. The second choice is for process 1 to request to enter its critical section
while process 2 remains in its non-critical section. The third choice is for process
2 to request to enter its critical section while process 1 remains in its non-critical
section.
The following CCS statement specifies that process Q has a choice of executing the
critical section of process 1 or executing the critical section of process 2. Also, while
executing $C_1$, $C_2$ is not allowed. Similarly, while executing $C_2$, $C_1$ is not
allowed:

$Q \stackrel{def}{=} C_1 \backslash \{C_2\} + C_2 \backslash \{C_1\}.$
9.2.1 Direct Equivalence of Behavior Programs
Behavior programs having the same semantic derivations can be considered equivalent.
In fact, these programs yield an equivalence relation that is a congruence, so any
program can be replaced by an equivalent one in any context without changing the
behavior of the entire system. For example, the programs A + A' and A' + A are
syntactically different but obviously interchangeable. Other example rules include:
A + (B + C) = (A + B) + C; A + NIL = A; and A + A = A.
Summation (Sum ≡):
  A + NIL = A
  A + A = A
  A + B = B + A
  A + (B + C) = (A + B) + C
Action (Act ≡):
  αx.A = αy.A{y/x}, where y is a vector of distinct variables not in A
Composition (Com ∼):
  A|B = B|A
  A|(B|C) = (A|B)|C
  A|NIL = A
Restriction (Res ≡):
  NIL\α = NIL
  (A + B)\α = A\α + B\α
  (g.A)\α = NIL if α = name(g), else g.(A\α)
Relabeling (Rel ≡):
  NIL[S] = NIL
  (A + B)[S] = A[S] + B[S]
  (g.B)[S] = S(g).(B[S])
Relabeling (Rel ∼):
  A[I] = A, where I : L → L is the identity mapping
  A[S] = A[S'], where S and S' agree on the sort L(A)
  A[S][S'] = A[S' ∘ S]
  A[S]\β = (A\α)[S], where β = name(S(α))
  (A|B)[S] = A[S]|B[S]
Conditional:
  if true then A else B = A
  if false then A else B = B
Unobservable action τ:
  g.τ.A = g.A
  A + τ.A = τ.A
  g.(A + τ.B) + g.B = g.(A + τ.B)
  A + τ.(A + B) = τ.(A + B)
Observation equivalence:
  A ≈ τ.A
  ¬(P ∧ Q) = (¬P ∨ ¬Q)
Figure 9.1 CCS laws.
Direct Equivalence: Two behavior programs are directly equivalent iff for every
input, both programs produce the same behavior, that is, same results.
Given a specification written in CCS, we can use equational laws to rewrite it in
a form we desire. To show that two specifications are equivalent, we can use these
laws to rewrite them to establish equivalence. We summarize selected CCS laws for
easy reference in Figure 9.1.
9.2.2 Congruence of Behavior Programs
The results of the actions of directly equivalent programs must be identical. To
generalize the direct equivalence relation, a congruence relation that requires only
the results to be equivalent is introduced. Under this congruence relation, equivalence
between programs is preserved by the substitution of equivalent programs.
9.2.3 Equivalence Relations: Bisimulation
The concept of bisimulation is used to establish the equivalence between two processes.
Bisimulation compares the execution trees of these two processes. Two common types of
bisimulation exist: strong bisimulation and weak bisimulation [Milner, 1989].
Strong Bisimulation: A binary relation r is a strong bisimulation for a given
transition relation "→" if, for every $(P, Q) \in r$ and for any action or event a,
1. if $P \xrightarrow{a} P'$, then there exists $Q'$ such that $Q \xrightarrow{a} Q'$ and $(P', Q') \in r$, and
2. if $Q \xrightarrow{a} Q'$, then there exists $P'$ such that $P \xrightarrow{a} P'$ and $(P', Q') \in r$.
This basically means that if P (or Q) can execute one step on event a, then Q (or P)
must be able to execute one step on event a such that the two next states are again
related by r.
Weak Bisimulation: A binary relation r is a weak bisimulation for a given transition
relation "→" if, for every $(P, Q) \in r$ and for any action or event $a \in D$,
1. if $P \xrightarrow{a} P'$, then there exists $Q'$ such that $Q \overset{\hat{a}}{\Longrightarrow} Q'$ and $(P', Q') \in r$, and
2. if $Q \xrightarrow{a} Q'$, then there exists $P'$ such that $P \overset{\hat{a}}{\Longrightarrow} P'$ and $(P', Q') \in r$.
Here $\overset{\hat{a}}{\Longrightarrow}$ denotes a step on a that may be preceded and followed
by any number of unobservable τ steps; when a is itself τ, it denotes zero or more τ
steps, so a τ step may be matched by doing nothing at all. Two processes are strongly
(weakly) bisimilar if some strong (weak) bisimulation contains the pair.
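As an added example (not code from Cheng's book), the following Python program computes the largest strong and weak bisimulations on finite labeled transition systems by greatest-fixpoint iteration, implemented directly from the two transfer clauses above, and uses them to check two laws of Figure 9.1: A ≈ τ.A holds under weak but not under strong bisimulation, and A + τ.A ≈ τ.A. The LTSs, the state names, and the label "tau" for the unobservable action are constructed here for illustration.

```python
"""Strong and weak bisimulation on finite labeled transition systems.

Added example, not from Cheng's book: a greatest-fixpoint computation of the
largest strong bisimulation, and of the largest weak bisimulation via the
tau-closure, over small hand-constructed LTSs.
"""

TAU = "tau"   # the unobservable action; the name is this example's convention


def successors(lts, state, label):
    """Strong a-successors: states reached by exactly one `label` step."""
    return {s2 for (lab, s2) in lts[state] if lab == label}


def tau_closure(lts, state):
    """States reachable from `state` by zero or more tau steps."""
    seen, stack = {state}, [state]
    while stack:
        s = stack.pop()
        for (lab, s2) in lts[s]:
            if lab == TAU and s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return seen


def weak_successors(lts, state, label):
    """Weak successors ==a^==> : tau* a tau*, or just tau* when a is tau."""
    before = tau_closure(lts, state)
    if label == TAU:
        return before
    mid = set()
    for s in before:
        mid |= successors(lts, s, label)
    after = set()
    for s in mid:
        after |= tau_closure(lts, s)
    return after


def largest_bisimulation(lts1, lts2, match):
    """Greatest fixpoint: start with every pair of states and repeatedly drop
    pairs that violate the transfer condition in either direction.  `match`
    is `successors` for strong and `weak_successors` for weak bisimulation:
    the moving process takes one step, the other replies via `match`."""
    labels = {lab for lts in (lts1, lts2)
              for edges in lts.values() for (lab, _) in edges}
    rel = {(p, q) for p in lts1 for q in lts2}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(rel):
            ok = True
            for a in labels:
                # clause 1: each a-step of p must be answered by q
                for p2 in successors(lts1, p, a):
                    if not any((p2, q2) in rel for q2 in match(lts2, q, a)):
                        ok = False
                # clause 2: each a-step of q must be answered by p
                for q2 in successors(lts2, q, a):
                    if not any((p2, q2) in rel for p2 in match(lts1, p, a)):
                        ok = False
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel


def strong_bisimilar(lts1, p, lts2, q):
    return (p, q) in largest_bisimulation(lts1, lts2, successors)


def weak_bisimilar(lts1, p, lts2, q):
    return (p, q) in largest_bisimulation(lts1, lts2, weak_successors)


# Constructed LTSs (state -> list of (label, next_state); terminal states map
# to []).  They encode the CCS terms A = g.NIL, tau.A and A + tau.A.
LTS_A = {"A": [("g", "0")], "0": []}
LTS_TAU_A = {"tA": [(TAU, "A'")], "A'": [("g", "0'")], "0'": []}
LTS_SUM = {"S": [("g", "0s"), (TAU, "As")], "As": [("g", "0s")], "0s": []}

if __name__ == "__main__":
    print("A ~ tau.A :", strong_bisimilar(LTS_A, "A", LTS_TAU_A, "tA"))        # False
    print("A ~= tau.A:", weak_bisimilar(LTS_A, "A", LTS_TAU_A, "tA"))          # True
    print("A + tau.A ~= tau.A:", weak_bisimilar(LTS_SUM, "S", LTS_TAU_A, "tA"))  # True
```

The fixpoint starts from the full relation and only ever removes pairs, so what remains is the largest relation satisfying the transfer clauses; the same loop serves both notions because only the way the replying side may move (one step, or a τ-padded step) differs.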
9.3 TIMED PROCESS ALGEBRAS
Introducing the notion of time to untimed process algebras makes them applicable
to specify and verify real-time systems while maintaining their modular verification
capabilities as well as their single-language specification advantage. Dual-language
specifications include model checking and the time ER net/TRIO approach. For in-
stance, in model checking, the modeled system is specified as a state-transition graph
and the property to be checked is specified in temporal logic.
The time extension is done by adding timed operators to the original set of untimed
operators. Several timed process algebras exist as a result of these timed extensions.
These real-time process algebras can specify process synchronization delays and upper
bounds in terms of absolute timing intervals, but they vary in the way they model the
resources used by processes.
On one end of the spectrum is the assumption that each type of resource is unlimited,
so that a ready process (not blocked by communication constraints, as discussed in
chapter 3) can start execution without delay. On the other end of the spectrum is the
assumption that a single processor exists, so that all process executions are
interleaved. Between these two extreme assumptions are real-time process algebras that
assume a limited number of resources. One popular timed process algebra that assumes a
limited number of n resources capable of executing n actions is the ACSR
[Lee, Bremond-Gregoire, and Gerber, 1994].
9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES
The ACSR language is a discrete real-time process algebra based on CCS (described
earlier) that provides several operators to handle timing properties. These operators
can be used to bound the execution time of a sequence of actions, to delay the se-
quence’s execution by a number of time units, and to timeout while waiting for spe-
cific actions to occur. The exception operator can be inserted into any place within
a process and allows an exception to be raised, immediately handled by an external
exception-handling process, just like in an exception-handling mechanism of a real
computer process. The interrupt operator allows the specification of responses or re-
actions to asynchronous actions or events. The ACSR computation model views a
real-time system as a collection of communicating processes competing for shared
resources. Every execution step is either an action or an event.
Action: An action is a set of consumptions of resources $\{r_1, \ldots, r_n\}$ at
corresponding non-negative priority levels $p_1, \ldots, p_n$ for one time unit. A
resource consumption is denoted by a pair $(r_i, p_i)$.
The execution of an action is constrained by the availability of the specified
resources and the priorities of competing actions. For example, the action {(cpu1, 2)}
means the use of the resource cpu1 at priority level 2 for one time unit, and the action
{(cpu1, 2), (disk2, 1)} means the use of the resource cpu1 at priority level 2 and the
use of the resource disk2 at priority level 1 for one time unit. The action ∅ indicates
idling for one time unit, that is, the non-consumption of any resource for one time
unit.
An event serves as a synchronization or communication mechanism between pro-
cesses, or as an observation or monitoring step by an entity external to the specified
system.
Event: Each event $e_i$ has a corresponding priority $p_i$ and is denoted by a pair
$(e_i, p_i)$.
The execution of an event is instantaneous and does not consume any resource. As
for actions, priorities are used to determine which event to execute if there is more
than one ready event. Unless synchronization constraints exist between matching
events in two processes, they execute their events asynchronously.
Timed Behavior: A timed behavior is a possibly infinite sequence of execution steps.
More precisely, this behavior is a sequence of actions in which a sequence of zero or
more events may appear between any two consecutive actions.
9.4.1 Syntax of ACSR
We next describe in detail the syntax and semantics of the different types of ACSR
processes. NIL is a process that performs no action and is always deadlocked. This
is the same as CCS's inaction operator NIL, which produces no atomic actions. The
action prefix operator ":" in A : P indicates that the resource-consuming action A
executes during the first time unit, and then process P runs. The event prefix operator
"." in (a, n).P indicates that the event (a, n) occurs instantly, with no passage of
time, and then process P runs. In CCS, "." is the action prefix operator.
The choice operator "+" in P + Q is basically an "or," signifying that a choice is
available between processes P and Q: the composed process may behave like either P
or Q. In CCS, "+" is the summation operator, so A + B offers the atomic actions of
A and of B as alternatives. The parallel operator "‖" in P ‖ Q indicates that
processes P and Q execute in parallel. This is similar to CCS's composition operator "|".
The close operator "[ ]" in $[P]_I$ creates a process that only uses resources in the
set I. The restriction operator "\" in P\F indicates that while process P is executing,
events with labels in F cannot execute. This is similar to CCS's restriction operator
"\" as in A\b, which restricts A so that it performs no b or $\bar{b}$ actions.
The hiding operator "\\" in P\\H hides the identity of the resources in the set H
from process P. The notation rec X.P signifies that process P is recursive, so that the
described behavior of P may be infinite.
The following operator allows ACSR to specify absolute timing properties. The
notation $P \,\triangle^{\alpha}_{t}\, (Q, R, S)$ indicates that a temporal scope binds
the process P and is called the scope construct. t is a non-negative integer time bound.
If P ends successfully before t time units by executing the event α, control is
transferred to Q, called the success-handler. Otherwise, if P does not end successfully
before t, control is transferred to R, called the timeout exception-handler. S may
interrupt P before t time units and break the binding of P to this temporal scope, that
is, cause P to exit this temporal scope.
The definition operator $\stackrel{def}{=}$ in $X \stackrel{def}{=} P$ allows one to use
the process name X instead of its longer and more complex process expression P. As usual,
subscripts are used to indicate indexed processes and events, as in $P_2$ and
$(e_1, k).P$. The notation $P^n$ means that P executes or occurs n times, that is,
P : P : ... : P, in which there are n copies of P. This is similar to the notation used
in regular expressions described in chapter 2.
Note that operators such as "." have implicit timing specifications. Many notations
(operators) borrow from logic operators.
9.4.2 Semantics of ACSR: Operational Rules
A labeled transition system (represented by a state space graph) is used to describe
and define the executions of a process. The labeled transition system of a process
is a labeled directed graph G = (V, E). V is the set of states of the process. E is a
set of edges, each of which denotes an execution step $e_i$, such that an edge
$(P_i, P_j)$ connects state $P_i$ to state $P_j$ iff there is a step $e_i$ that is
enabled at state $P_i$, and executing $e_i$ modifies the state of the process to have
the same values as the tuple at state $P_j$. An invocation of a process can be thought
of as tracing a path in the labeled transition system.
The states are described by a concrete syntax (a process term) of the process algebra.
We use a finite set of transition rules to infer the execution steps of the behavior of
a process. Two transition systems are available for defining the semantics of ACSR:
unconstrained and prioritized.

Unconstrained Transition System: In the unconstrained transition system,
$P \xrightarrow{e} P'$ denotes a transition, and no priority information is used to
prune impossible execution steps.
Prioritized Transition System: In the prioritized transition system,
$P \xrightarrow{e}_{\pi} P'$ denotes a transition, and priority information is used to
discard execution steps that cannot occur because a higher-priority competitor preempts
them.
Operational rules are used to define the semantics of the ACSR operators. An
operational rule defines an execution step corresponding to a transition in the labeled
transition system. It describes a particular behavior of a process. Two ACSR axioms
exist, for action prefix and for event prefix. These are similar to CCS's prefix operator.
Axiom
The following axiom is for action prefix:

ActT:  $A : P \xrightarrow{A} P$

Example. Consider the process
$C_{1,j} \stackrel{def}{=} \emptyset : C_{1,j} + \{(cpu1, 1)\} : C_{1,j+1} + \{(cpu2, 1)\} : C_{1,j+1}$,
$0 \le j < c_1$. The last branch $\{(cpu2, 1)\} : C_{1,j+1}$, $0 \le j < c_1$, means that
this process can use the resource cpu2 at priority level 1 for one time unit and go to
process $C_{1,j+1}$.
Axiom
The following axiom is for event prefix:

ActI:  $(a, n).P \xrightarrow{(a, n)} P$

Example. The process $T_1 \stackrel{def}{=} (s_1, 1).C_{1,0}$ can execute event
$(s_1, 1)$ and go to process $C_{1,0}$.
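As an added example (not code from the book or from the ACSR tools), the following Python program unfolds a fragment of ACSR into the labeled transition system G = (V, E) of this section: NIL, the ActT and ActI axioms above, choice, process identifiers, and a parallel operator. The book's $C_{1,j}$ and $T_1$ processes are encoded with the assumed bound $c_1 = 2$ and $C_{1,c_1} = \mathrm{NIL}$; the process P2, which competes with $C_{1,j}$ for cpu1, is constructed here. The parallel rule used (both components take an action in the same time unit only when their resource sets are disjoint, events interleave, and synchronization of matching events is left out) is this example's own simplification of ACSR's rules, which the excerpt does not show.

```python
"""Labeled transition system of a small ACSR fragment.

Added example, not from Cheng's book or the ACSR tools: an interpreter for
NIL, action prefix (ActT), event prefix (ActI), choice, process identifiers
and a resource-aware parallel operator, which unfolds process terms into the
graph G = (V, E) of Section 9.4.2 (unconstrained transitions, no priorities).
"""
from collections import deque

NIL = ("nil",)


def act(resources, proc):      # A : P   with A a set of (resource, priority)
    return ("act", frozenset(resources), proc)


def ev(event, proc):           # (a, n).P
    return ("ev", event, proc)


def choice(p, q):              # P + Q
    return ("choice", p, q)


def par(p, q):                 # P || Q
    return ("par", p, q)


def ref(name):                 # process identifier bound in a definitions dict
    return ("ref", name)


def resources_of(action):
    return {r for (r, _prio) in action}


def steps(term, defs):
    """Unconstrained transitions of `term` as a list of (label, successor).
    A label is ("A", action) for a one-time-unit action or ("E", event) for
    an instantaneous event."""
    kind = term[0]
    if kind == "nil":                       # NIL: deadlocked, no steps
        return []
    if kind == "act":                       # ActT:  A : P  --A-->  P
        return [(("A", term[1]), term[2])]
    if kind == "ev":                        # ActI:  (a,n).P  --(a,n)-->  P
        return [(("E", term[1]), term[2])]
    if kind == "choice":                    # P + Q may behave like P or like Q
        return steps(term[1], defs) + steps(term[2], defs)
    if kind == "ref":                       # X =def P: unfold the definition
        return steps(defs[term[1]], defs)
    if kind == "par":
        p, q = term[1], term[2]
        ps, qs = steps(p, defs), steps(q, defs)
        out = []
        # Assumption (this example's simplification of ACSR's parallel rules,
        # which the excerpt does not show): time advances for both sides in
        # the same step, so actions pair up, and a pair is admissible only if
        # the two actions use disjoint resources.
        for (lp, p2) in ps:
            for (lq, q2) in qs:
                if lp[0] == "A" and lq[0] == "A" and \
                        not (resources_of(lp[1]) & resources_of(lq[1])):
                    out.append((("A", lp[1] | lq[1]), par(p2, q2)))
        # Events take no time and interleave; matching-event synchronization
        # is omitted here.
        out += [(lp, par(p2, q)) for (lp, p2) in ps if lp[0] == "E"]
        out += [(lq, par(p, q2)) for (lq, q2) in qs if lq[0] == "E"]
        return out
    raise ValueError(f"unknown term kind {kind!r}")


def build_lts(start, defs):
    """Breadth-first unfolding of `start` into G = (V, E): a dict mapping each
    reachable state (a process term) to its outgoing (label, state) edges."""
    graph, queue = {}, deque([start])
    while queue:
        s = queue.popleft()
        if s in graph:
            continue
        graph[s] = steps(s, defs)
        queue.extend(s2 for (_, s2) in graph[s] if s2 not in graph)
    return graph


def show(term):
    """Render a term in the book's notation."""
    kind = term[0]
    if kind == "nil":
        return "NIL"
    if kind == "ref":
        return term[1]
    if kind == "act":
        body = ", ".join(f"({r}, {p})" for (r, p) in sorted(term[1]))
        return "{" + body + "}:" + show(term[2])
    if kind == "ev":
        return f"{term[1]}.{show(term[2])}"
    if kind == "choice":
        return f"{show(term[1])} + {show(term[2])}"
    return f"({show(term[1])} || {show(term[2])})"


# The book's C_{1,j} and T_1 with the assumed bound c_1 = 2 and C_{1,c_1} = NIL.
C1 = 2
DEFS = {"T1": ev(("s1", 1), ref("C1_0")),
        # P2 is a constructed competitor: idle, or take cpu1 once and stop.
        "P2": choice(act([], ref("P2")), act([("cpu1", 1)], NIL))}
for j in range(C1):
    DEFS[f"C1_{j}"] = choice(act([], ref(f"C1_{j}")),
                             choice(act([("cpu1", 1)], ref(f"C1_{j + 1}")),
                                    act([("cpu2", 1)], ref(f"C1_{j + 1}"))))
DEFS[f"C1_{C1}"] = NIL

if __name__ == "__main__":
    for state, edges in build_lts(ref("T1"), DEFS).items():
        for (label, s2) in edges:
            print(f"{show(state)}  --{label}-->  {show(s2)}")
    # Competing for cpu1: the (cpu1, cpu1) pairing is not admissible.
    both = par(ref("C1_0"), ref("P2"))
    for (label, s2) in steps(both, DEFS):
        print(f"{show(both)}  --{label}-->  {show(s2)}")
```

Unfolding $T_1$ yields four states ($T_1$, $C_{1,0}$, $C_{1,1}$, $C_{1,2}$) and seven edges, the ∅ self-loops included. Composing $C_{1,0}$ with P2 gives five admissible steps out of the six action pairings: the pairing in which both sides claim cpu1 in the same time unit is dropped, while the pairing {(cpu2, 1)} with {(cpu1, 1)} goes through as the combined action {(cpu1, 1), (cpu2, 1)}.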
