A MODEL FOR COMMUNICATING SEQUENTIAL PF_OCESSES Stephen D. Brookes DEPARTMENT of COMPUTER SCIENCE Carneg,e-,Mellon Un,vers,ty (7__[J--_ q - _ 2-- _ 4 :_ A MOI)EL FOR COMMUNICATING SEQUENTIAL PROCESSES Stephen D. Brookes Thesis submitted for the degree of Doctor of Philosophy. University College Oxford University January 1983 ABSTRACT This thesis describes tile construction and mathematical properties of a model for communicating sequential processes. We define a semantic model for processes based on failures, which encapsulate certain finite aspects of process behaviour and allow an elegant treatment of nondeterminism. We define a set of process operations, including nondeter- ministic choice, conditional composition, and various forms of' parallel composition. These process operations enjoy many interesting mathematical properties, which allow us to prove many process identities. The failures model is well suited to reasoning about deadlock properties of processes, and some examples are given to illustrate this. The failures model does not treat in a reasonable way the phenomenon of divergence, which occurs when a process performs a potentially infinite sequence of internal actions and never interacts with its environment. We offer an extension of" the model in Chapter 5, which treats divergence more satisfactorily. We also give a complete proof system for proving semantic equivalence of terms. Tile thesis also contains some results on the relationship of these models to other models of processes in the literature, specifically relating to the work of Milner, Kennaway, Hennessy and de Nicola. Chapter 3 gives an alternative formula t;ion of the failures model, a]iowing comparison with Kennaway's work. Chapter 4 uses Milner's synchronis_tion trees as the basis for representing processes. In Chapter 6 we show how links can be established between Kennaway's model, the work of Hennessy and de Nicola, and our failures model; this chapter focusses on modal assertions of various kinds about process behaviour. We show that by varying the class of assertions we can characterise different semantic models. Acknowledgement,_ The author would like to thank Professor C.A.R.1toare, who has been a continuing source of inspiration and encouragement during the development of this work. Many thanks also to Bill Roscoe, with whom 1 have had many fraitful discussions and collaborative results. The other main stimulus to thi,_ work has been the research of Robin Milner and his colleagues at Edinburgh Universit, y. I have benefitted from discussions with Matthew tIennessy, Robin Milner, David ['ark, Bill Rounds, Joe Stoy, and Zhou Chaochen. This research was supported by a grant from the Science and Engineering Research Council of Great Britain. The author is also grateful to the Computer Science Department_ of Carnegie-Mellon University, whose facilities were used in the preparation of this thesis. Thanks to William L. Scherlis for help with the type-setting of the manuscript. Contents Introduction ............ Page 1 Acknowledgements ........... 5 Chapter 1: A Domain of Processes ..... 6 Chapter 2: Process operations ....... 18 Chapter 3: Implementations ..... 75 Chapter 4: Relationship with Milner's CCS . 9{} Chapter 5: A proof system for CSP ..... 108 Chapter 6: Testing processes ........ 12(,t Chapter 7: Some examples ............ 153 Chapter 8: Operational semantics ......... 165 Conclusions ....................... 173 Appendix A: A technical lemma ................ 176 References ........................ 178 Introcluct_on The decreasing cost and diminishing size of powerful computers, and tile opportunities offered in speed and et_ciency by distributed computer systems are encouraging the use of programming languages in which the programmer can make use of concurrency. By allowing a program's task to be distributed when it is not logically necessary for a single processor to perform it, significant gains can be made in efficiency. A job shared by several concurrent processors can be a job halved in execution time. Accordingly, many new programming languages have been proposed over the last few years, each involving a form of parallel construct. One of the most widely known of these languages is C.A.[_:.Hoare's CSP [H1], first published in 1978. In this language input and oatput, i.e., com-- munication between concurrently active processes, was taken as a primi-- tive, much in the way that conventional sequential imperative languages take assignment and sequencing as primitives. The most important feature of CSP was that it emphasised programmer-specified communication between processes and used synchronization as the mechanism for communication. The language, based on Dijkstra's guarded commands, allowed input request,_ to be used in guards, so that communications could direct the process's be-- haviour in a very elegant way. Moreover, a process in CS[' can exhibit non-- deterministic behaviour, notably when attempting to perform a guarded com-- mand in which more than one guard is satisfied. Depending on which guard is chosen in such circumstances the future behaviour of the process and its communication capabilities with other concurrent processes may vary. Thi,3 was all evident in Hoare's paper. Nondeterminacy is often a feature in parallel execution of programs, because one usually wishes to abstract away from the relative speeds of concurrently executing processors. It is well known that programs written in parallel programming languages can sometimes exhibit pathological behaviour. One of the most important examples of undesirable behaviour is called deadlock. A system of processes is said to be deadlocked if none of the processes in the system (assumed to be 1 INTRODUCTION Page 2 operating in parallel) is capable of communicating with any other: nothing can ihappen, typically because no process is able to inake a communication until another has done so. This situation can arise in practice when many processes are competing to share some scarce resource. When writing a program it is often vital to guarantee freedom from deadlock. When using any programming language it is important to know what the syntactic constructs are intended to denote. One cannot understand a program properly and be able to reason effectively about its execution unless one has some sound ideas about the sernantic_ of the language. For conven- tional sequential progralnming languages su(:h as PASCAl,, and the ALGOL family, there is a well-established body of work dealing with semantics. In general, programs here can be taken to denote input-output functions or state transformations, and logical proof systems can be built using Itoare-style assertions or Dijkstra's weakest preconditions. Partial and total correctness arguments or proofs can be given for programs in such languages in a reason.- ably straightforward way. In the case of a parallel programming language the situation is :not nearly so satisfactory. There is, for a start, no general agreement on what class of ma,ther._mtieal entities is suitable for modelling the meaning of programs written in a concurrent language. Even for one language, it is conceivable that more than one reasonable model exists. As remarked above, paralM programming can lead to pathological behaviour, of a kind not occurring with sequential proglams. ]t is important to know to what extent any model for parallel processes satisfactorily captures behavioural[ properties, such as deadlock. Different semantic models often seem to focus on particular classes of properties. For example, an early semantics for CSP, the so-called trace semantics of Hoare, was ideally suited to reasoning about potential com- munication sequences but was insensitive to the possibility of deadlock. This thesis is primarily concerned with the construction of a mathe- matical model of communicating processes and a collection of process opera- tions. The model enjoys a number of interesting and elegant mathematical properties, and seems adequate to serve as a semantic model for languages such as CSP. We investigate ill some detail the properties of our model, proving many process identities and other relations between processes; these results enable us to specify and prove a class of semantic properties of in- dividual processes. Roscoe's thesis [R] contains a detailed account of some general proof techniques applicable to this model; Roscoe has made significant contributions during the development of the model. In Chapter 1 we begin with the definition of a semantic domain for processes over an alphabet E. The elements of E, termed events can be thought INTRODUCTION Page 3 of as communications or other atomic actions. Instead of representing a CSP process as a set of traces, as in the trace model, we use a set of failures. A failure is a generalisation of a trace to include an indication of the potential for deadlock at the next step in execution. There is a natural ordering on failure sets corresponding to the fact that the nondeterminacy of a process is mirrored in its failure set: if one proces_ is more nondeterministic than another, then its failure set should be larger. This order turns the set of processes (identified with failure sets) into a complete semi-lattice. In Chapter 2 we give a denotational semantics to an abstract version of CSP, using the semantic domain just described. As usual in denotational semantics, the meaning of a combination or processes is defined from the meanings of the component processes. In effect, we define a set of opera- tions on processes, each corresponding to a syntactic operation on terms in an abstract language derived from CSP. With one notable exception, these process operations are continuous with respect to the nondeterminism order- ing. Chapter 3 contains an alternative construction of the domain of processes, in which a nondeterministic process is modelled as a set ot' deterministic processes. The basic idea is to identify a p, ocess with its set of possible im- plemenlatior'_s, each implementation being a deterministic process to ,ahich the original process is an approximation. All of the process operations of Chapter 2 can be de[ined in this new formulation.