CHAOS

The process which can do absolutely anything except diverge is CHAOS. This is able to accept or refuse any events, but it is at least guaranteed to stabilize. It has all possible stable failures, and the same traces as RUN:

traces

(

^CHAOS

) =

^TRACE

SF

[[

^CHAOS

]] =

^TRACEP

(

^X

)

Chaotic behaviour may be restricted to a particular set of events A

^X. The process CHAOSAallows any events in the set A to be performed or refused, but cannot perform any events outside the set A.

traces

(

^CHAOSA

) =

^ftrj

(

^tr

)

^Ag

SF

[[

^CHAOSA

]] =

^f

(

^tr;X

)

^j

(

^tr

)

^Ag

RUN

Although they have the same traces, in the stable failures model RUN is better behaved than CHAOS, always willing to interact and never refusing any interaction.

SF

[[

^RUN

]] =

^f

(

^tr;X

)

^jX

=

^fg_X2

(

^tr

)

^g

The process RUNAparameterized by a particular set A is able to perform events in that set, and to refuse all others.

SF

[[

^RUNA

]] =

^f

(

^tr;X

)

^j

(

^tr

)

^{A^}

(

^X\A

=

^fg_X2

(

^tr

))

^g

If^X62A then RUNAcannot terminate.

External choice

An observer of the choice construct P^{1 2} P² might observe an execution of P¹, or of P²; there are no other possibilities. Before any events are performed and the choice resolved, any

refused set must be refused by both P¹ and P², so both processes must be stable. After the choice is resolved, any refusal need be possible only for the process which resolved the choice.

SF

[[

^P12P2

]] =

^f

(

^hi;X

)

^j

((

^hi;X

)

^2SF

[[

^P1

]]

^\SF

[[

^P2

]])

^g

[

f

(

^tr;X

)

^jtr6

=

^{hi^}

(

^tr;X

)

^2SF

[[

^P1

]]

^[SF

[[

^P2

]]

^g

The properties of idempotence, associativity, and commutativity still hold for external choice in the stable failures model. Furthermore, STOP is still a unit, though RUN is no longer a zero because P might not be initially stable. Instead RUN²DIV is its zero. It has the same traces and stable failures as RUN apart from on the empty trace, where it is not stable.

P²

(

^{RUN 2DIV}

) =

^SF

(

^{RUN 2DIV}

)

^h2SF-zeroi

The executions of the indexed external choice²_i

2IPiare the executions of all of its components. Its stable failures will be those of its components:

SF

[[

²_i2IPi

]] =

^f

(

^hi;X

)

^j

((

^hi;X

)

^2Ti²I^SF

[[

^Pi

]])

^g

[

f

(

^tr;X

)

^jtr6

=

^{hi^}

(

^tr;X

)

^2Si²I^SF

[[

^Pi

]]

^g

In the case where the choice is over the empty set of processes, the intersection

T

i²I^SF

[[

^Pi

]]

is taken to include all possible stable failures, since all of them are vacuously in each of the

SF

[[

^Pi

]]

. This means that in this case, any refusal is possible on the empty trace. Furthermore, no events are possible. As in the traces model, an empty choice is equivalent to STOP

Internal choice

The internal choice P^1uP²behaves either as P¹or as P², and its environment exercises no control over which. The possible observations are precisely those that either P¹or P²are able to exhibit.

SF

[[

^P1uP2

]] =

^SF

[[

^P1

]]

^[SF

[[

^P2

]]

The stable failures of P^{1 u} P² differ from those of P^{1 2} P²in the case where no events have been performed: before the choice has been made. When the trace is empty, a refusal of P¹²P²must be generated from both participants, whereas in the case of internal choice, only one of the components of P^1uP²is required to contribute to any refusal. Hence

(

^hi;fag

)

^is

a failure of a^!STOP^ub^!STOP, but is not a failure of a^!STOP²b^!STOP.

The indexed internal choice^u

i²JPiis able to behave as any of its component processes, and its behaviours will be the union of those of its constituents:

SF

[[

^u_i

2JPi

]] =

^Si²J^SF

[[

^Pi

]]

The internal choice operator also distributes over the external choice operator:

P^1u

(

^P22P3

) =

^SF

(

^P1uP2

)

²

(

^P1uP3

)

^h2-u-disti

Any set X that is initially offered can either be accepted by one of the three component processes, or it might be refused, either by P¹or by both P²and P³. The two extra refusal possibilities for the right hand side—that X should be refused by both P¹and P², or by both P¹and P³—both imply that P¹can refuse X, and hence that the left hand side has this as a refusal too.

Example 6.3

This law helps to clarify the possible behaviours associated with a drinks machine, which will either return the cash or will offer a choice between a tea and a coffee.

(

^ret!STOP

)

^u

(

^{tea!STOP2coffee!STOP}

)

= (

^{ret!STOPutea!STOP}

)

²

(

^{ret!STOPucoffee!STOP}

)

This law states that it makes no difference whether the machine first makes its internal decision and then possibly offers a choice to the customer, or whether the customer makes the choice between tea and coffee first and the machine then decides internally whether to service that

choice or return the cash. ²

Alphabetized Parallel

In the parallel combination P1A^kBP2, processes P1and P2synchronize on events in

(

^A\B

)

^X,

and perform their other events independently.

As in the traces model, any trace of the parallel combination projected onto A^Xmust be a trace of P¹. Further, if P¹is able to refuse some events X in its interface A^X, then so too is the combination. Similar considerations apply to P². If synchronization is required for the performance of events, then either component is able independently to block them.

SF

[[

^P1A^kBP²

]] =

^f

(

^tr;X

)

^{j 9X1;X2}

:

^P

(

^X

)

X^\

(

^A[B

)

^X

= (

^X1\AX

)

^[

(

^X2\BX

)

^

(

^trAX;X1

)

^2SF

[[

^P1

]]

^

(

^trBX;X2

)

^2SF

[[

^P2

]]

^

(

^tr

)

(

^A[B

)

^Xg

All of the laws for the parallel operator given in Figure 4.5, with the exception of

k-idempotence, also hold for the stable failures model.

Example 6.4

The processes PETE and DAVE were introduced on Page 37. They both repeatedly and independently made a nondeterministic choice whether to lift a piano or a table.

PETE

=

^{lift piano!PETEulift table!PETE}

DAVE

=

^{lift piano!DAVEulift table!DAVE}

The process DAVE had exactly the same description.

Thus either of them can engage in any number of lift piano and lift table events, and then refuse either of them (but not both).

SF

[[

^PETE

]] =

^f

(

^tr;X

)

^{j tr2flift piano;lift tableg}

^flift piano^;lift table^g6X^g and^SF

[[

^DAVE

]] =

^SF

[[

^PETE

]]

^.

When these two processes are composed in parallel, then they must agree on the events that appear in the trace, but a refusal will be the union of refusals of the components. If

(

^tr;X1

)

^2SF

[[

^PETE

]]

^and

(

^tr;X2

)

^2SF

[[

^DAVE

]]

^{, then}

(

^tr;X1[X2

)

^2SF

[[

^PETEkDAVE

]]

^.

The constraints that each of PETE and DAVE must be willing to perform one of their events is not reflected in their combination, which can refuse any events at all. The constraints that^flift piano^;lift table^g6X¹and^flift piano^;lift table^g6X²are not strong enough to impose any constraints on X^1[X².

SF

[[

^PETEkDAVE

]] =

^f

(

^tr;X

)

^{jtr2flift piano;lift tablegg}

Any trace is still possible, but deadlock at any stage is also possible. ²

Interleaving

An interleaving of two processes P^{1 jj j}P²executes each of them entirely independently of the other. Since they do not synchronize, an event (other than termination) will be refused by the combination only when it is refused by both processes independently—if one of the processes is ready to perform the event, then so is the combination. Termination requires the participation of both components, so it can be blocked by either. As in the traces model, traces of the combination appear as interleavings of traces of the two component processes.

SF

[[

^P1jjjP2

]] =

^f

(

^tr;X1[X2

)

^{j9tr1;tr2 tr}interleavestr1

;tr2

^X¹

=

^X2

^

(

^tr1;X1

)

^2SF

[[

^P1

]]

^

(

^tr2;X2

)

^2SF

[[

^P2

]]

^g

The laws given in Figure 4.9 are all true for the stable failures model as well, with the exception of^jjj-zero. Although all (non-terminating) traces will be possible for P^jjjRUN, it will not be stable unless P is. Instability is introduced by including DIV as another interleaved component, resulting in the process RUN^jjjDIV which serves as the zero for interleaving: it has all nonterminating traces, and no stable failures.

P^jjj

(

^RUNjjjDIV

) =

^SF

(

^{RUN jjjDIV}

)

^hjjjSF-zeroⁱ This law is also true in the traces model, since RUN ^jjj DIV has the same traces as RUN.

Interface parallel The process P^1k

A

P²is a combination of synchronous and interleaved parallel, synchronizing on events in the set A^Xand interleaving outside that set.

Any stable failure of the parallel process P^1k

A

P²will be a combination of stable failures of its two components.

SF

[[

^P1k

A

P²

]] =

^f

(

^tr;X1[X2

)

^{j 9tr1;tr2}

trsynch_A tr^1;tr²

)

^X¹ⁿA^X

=

^X2nAX

^

(

^tr1;X1

)

^2SF

[[

^P1

]]

^

(

^tr2;X2

)

^2SF

[[

^P2

]]

^g

The laws for interface parallel given in Figure 4.10 all hold in the stable failures model with the exception of^k

AT-zerowhich requires instability to be introduced to the zero for the same reason as the zero for interleaving:

P^k

A

(

^{RUNnA jjjDIV}

) =

^SF

(

^{RUNnA j jjDIV}

)

^hk

ASF

-zeroⁱ

Hiding

The process PⁿA will undergo the same executions as P, but events in the set A will occur as internal events rather than as external synchronizations. This means that after any trace, a stable refusal X of PⁿA will correspond to a stable refusal of P in which not only internal

No documento The CSP Approach (páginas 195-200)