OBSERVING PROCESSES - The CSP Approach

STOP

6.1 OBSERVING PROCESSES

Stable refusals

A process P is guaranteed to be able to respond to an offer of an event a if that event can be performed from P, provided there are no internal transitions from P which might result in withdrawal of this offer. A process P which can make no internal progress is said to be stable, written P^#:

P^#

=

(

^P ^?^!

)

Guarantees are concerned with stable states.

More generally, a stable process P can always respond in some way to the offer of a set of events X

^Xif there is at least one a²X that P can perform. If there is no such a²X, then P refuses the entire offer set X.

The CSP approach to semantics is to associate processes with observations of their executions, and then to use this information to understand the behaviour of the process as a whole. A single execution of a process P consisting of internal transitions leading to a stable state P⁰ will not provide information about the events that are guaranteed to be offered, but will rather provide information about events that can possibly be refused. If no events in a set X are possible in the stable state P⁰, then when P is initially offered X it is possible that it will reach a stable state (P⁰) which deadlocks under that offer—no further progress can be made.

In this case, the set X is termed a refusal of P.

A refusal might be thought of as one result of an experiment on the process P, where it is executed in an environment which offers the set X, and waits as long as necessary to see if any events in X are performed. If no events are performed, then X is considered a refusal of P, written PrefX. The assertion PrefX that P can possibly refuse the set X is defined as follows:

PrefX

=

⁹^P⁰ ^P

=

^hi⁾^P⁰^{^}^P⁰^# ^{^}⁸^a²^X^:

(

^P⁰ ^?^!^a

)

a b

fa^;b^g

P¹

=

^a^!^STOP²^b^!^STOP

P²

=

^a^!^STOP^u^b^!^STOP

P³

= (

^c^!^a^!^STOP²^b^!^STOP

)

ⁿ^f^c^g

a b

fb^g ^fa^g ^fb^g

fa^;b^g

Fig. 6.1 Three processes and their stable states labelled with refusals

Another possible result of the experiment is that some event from X is performed. This will be recorded as trace information. The final possible result is that P performs internal transitions for ever, never reaching a stable state nor performing any event. In this case, P is said to be divergent, written P^".

P^"

=

^9h^Pⁱⁱⁱ^2N

(

=

^P⁰^{^}⁸ⁱ^Pⁱ ^?^! ^Pⁱ⁺¹

)

A process is non-divergent if it does not diverge, and it is divergence-free if none of its reachable states diverge.

The offer of a set of events A will be guaranteed some response from a non-divergent process P precisely when A is not a possible refusal set for P.

The refusals of a process P are concerned with the sets of events that might be refused by P before any visible events have occurred. Refusals thus provide information about initial behaviour. The notion of refusal also extends to other stages of an execution. In general, an observer will experiment on a process by repeatedly offering to interact on sets of events, where each offer is either accepted by the process, or not. Once they are made, offers are not withdrawn by the observer, so if an offer is not accepted by the process then the experiment ends.

Example 6.1

The transition graphs and associated refusal sets of the following three pro-cesses are illustrated in Figure 6.1. Each of them is able to perform only events a and b, so all other events will automatically be refused at any stable node, and are not included explicitly.

Since the refusal sets associated with a process state are subset closed, only the maximal refusal set in each case is included.

The process P¹

=

^a^!^STOP²^b^!STOP is unable to refuse either a or b in its initial state, but can refuse both of these events after it has performed something.

The process P²

=

^a ^! ^STOP ^u ^b ^! STOP is unstable, as there are two internal transitions that are possible for it. Each of these leads to a stable state where either a or b is possible, and the other can be refused.

The process P3

= (

^c ^! ^a ^! ^STOP ² ^b ^! ^STOP

)

ⁿ ^f^c^gis initially unstable, although it can perform the event b from its initial unstable state, after which it can refuse

fa^;b^g. However, there is no refusal set associated with the initial unstable state, and the single internal transition leads to a state in which b is refused. This means that an interacting process wishing to synchronize on b event might succeed, but it is also possible that the internal event will occur first and the b will then be refused. There is no guarantee that b will be accepted, since the internal transition is entirely under the control of process P³itself and cannot be

prevented from occurring. ²

Stable failures

It is possible that at some point during an execution an offer set X will be refused by the process P. This refusal will be recorded together with the finite sequence of events tr that were performed during the execution leading up to the refusal of X. The observation

(

^tr^;^X

)

^is

called a stable failure of P, recording the fact that

9P⁰⁰P

=

^tr⁾^P⁰⁰^{^}^P⁰⁰^# ^{^}^P⁰⁰^ref^X

The process may perform the events in tr, and then reach a stable state where it refuses all of the events in the set X. If after the performance of tr it is in an environment in which events from the set X are possible but no others then there will be no further progress.

Example 6.2

Figure 6.2 gives the transition graph of the process P defined as follows:

= (

^a^!

(

^c^!^STOP^u^d^!^STOP

)

²^b^!^STOP

)

(

^b^!^c^!^STOP²

(

^c^!

(

^f ^!^d^!^STOP²^e^!^STOP

)

ⁿ^f

))

There are two stable states P can reach purely by performing internal transitions, corresponding to the trace^hi. These reflect the ways the top level choice can be resolved. One of these states is able to refuse the set^fc^;d^g, so

(

^hi;^f^c^;^d^g

)

is a possible failure of P. However,

(

^hi;^f^b^g

)

is not a failure of P, since both stable states are able to perform b—neither can refuse it.

Similarly,

(

^hi;^f^a^;^c^g

)

is not a failure of P since each stable state is able to perform some event from the set^fa^;c^g, even though^fa^gand^fc^gcan be refused separately.

b b

c e

Fig. 6.2 Transitions of process P of Example 6.2

Subsequent to the performance of the a event, there are again two stable states that can be reached. One of them is unable to perform any of the set^fa^;b^;c^g, so

(

^hâî;^fâ^;^b^;^c^g

)

^{is a}

failure of P.

There are two stable states corresponding to the trace^hbⁱ. One of them is able to refuse c, so

(

^h^b^i;^f^c^g

)

is a failure of P. On the other hand, c is possible from the other stable state, so^hb^;cⁱis a possible trace of P, and

(

^h^b^;^c^i;^fg

)

is a possible failure.

Finally, there is a single stable state subsequent to an initial c event, and e is not possible from that state, though it is transiently possible immediately after the c. Thus

(

^h^c^i;^f^e^g

)

^{is a}

failure of P. ²

Semantic model

The stable failures model for CSP identifies a process P with the traces and the stable failures that are associated with it. This model is more discriminating and hence less abstract than

the traces model, but the underlying approach taken to the semantics and to specification and verification is the same. The extra information associated with processes allows them to be analyzed with respect to additional specifications, such as those concerned with liveness requirements.

If two sets T and SF of traces and of stable failures respectively are to correspond to the possible behaviours of some process, there are some consistency conditions that they should meet. These are properties that must hold of any pair of sets which describe some process.

As in the traces model, the set T should meet T

1

^{and T}

2

of Page 90: it must be empty and prefix closed. Consistency between SF and T requires that any failure

(

^tr^;^X

)

²^{SF must}

have its trace recorded in T:

1 (

^tr^;^X

)

²^SF⁾^tr²^T

There is also a property of subset closure in the refusal component of a behaviour: if a set X can be refused after a trace tr, then any subset X⁰of X can also be refused after that trace.

2 (

^tr^;^X

)

²^SF^{^}^X⁰^X⁾

(

^tr^;^X⁰

)

²^SF

Thirdly, if a stable state has been reached from which no events in a set X⁰are possible, then the refusal set can be augmented with the set X⁰:

3 (

^tr^;^X

)

²^SF^{^}⁸â²^X⁰^trâ^fâ^g⁶²^T ⁾

(

^tr^;^X^[^X⁰

)

²^SF

Finally, any terminating trace results in a stable state in which no further events are possible (and so any set can be refused):

No documento The CSP Approach (páginas 189-193)