A Framework for Fair Communicating Processes

Electronic Notes in Theoretical Computer Science 6 (1997) URL: http://www.elsevier.nl/locate/entcs/volume6.html 22 pages A Framework for Fair Commu...

Download PDF

1MB Sizes 2 Downloads 129 Views

Report

PDF Reader
Full Text

Electronic Notes in Theoretical Computer Science 6 (1997)

URL: http://www.elsevier.nl/locate/entcs/volume6.html

22 pages

A Framework for Fair Communicating Processes Susan Older 1 Department of Electrical Engineering and Computer Science Syracuse University Syracuse, NY 13244

Abstract

This paper describes a general framework for modeling fairness for communicating processes, based on the notion of fair traces. Intuitively, a fair trace is an abstract representation of a fair computation, providing enough structure to capture the important essence of the computation (e.g., the sequences of states encountered or the communications made along it) as well as any contextual information necessary for compositionality. The key for determining this necessary contextual information is the introduction of parameterized fairness notions, which permit compositional characterizations of fairness. In contrast, most traditional treatments of fairness are based on operational semantics 8,2] and do not lend themselves naturally to compositional reasoning. This trace framework is remarkably robust. By varying the structure of the traces, we can construct several di erent semantics that re ect di erent types of fairness assumptions for the same language of communicating processes. These semantics in turn support not only compositional reasoning about fair program behavior but also the comparison of di erent fairness notions and the semantic structure that they require.

1 Introduction

The behavior of a parallel system depends not only on the properties of the individual components running in parallel, but also on the interactions among these components. These interactions in turn depend on external factors (such as the relative speed of processors or the particular scheduler implementation) whose details can be complex or even unknown. By introducing This research was sponsored in part by the Oce of Naval Research under Grant No. N00014-92-J-1298. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the ocial policies, either expressed or implied, of ONR or the U.S. Government. 1

c 1997 Published by Elsevier Science B. V.

Older appropriate fairness assumptions |roughly speaking, assurances that every suciently enabled component eventually proceeds|we can abstract away from these details without ignoring them completely. For this reason, fairness assumptions are often essential for reasoning about liveness properties of programs. However, modeling fairness for communicating processes is especially dicult: synchronization requires the cooperation of two processes, and hence the enabledness of a process depends on the ability of other processes to synchronize with it. This paper describes a general framework for incorporating fairness assumptions into denotational semantics for communicating processes. The key to constructing these fair semantics is to augment standard traces 12,6,9,14] with additional fairness-related information. Determining the necessary information rst requires that we develop a compositional characterization of fairness. Standard fairness formulations 8] do not admit compositional characterizations: generally speaking, a command's fair computations cannot be determined solely from the fair computations of its component commands. We therefore formulate parameterized notions of fairness that generalize the traditional notions of fairness while supporting such compositional characterizations. This general approach can be instantiated to yield a variety of dierent semantics for several well-known notions of fairness, including strong (process) fairness, weak (process) fairness, and strong channel fairness. The details of these semantics can be found in 18] in this paper, I emphasize the general structure of these dierent semantics. This work places the strongly fair semantics of 5] in a more general light, showing that the semantics introduced there are instances of a more general framework. In particular, the resulting framework shows that fairness assumptions can be incorporated into denotational semantics in a systematic and unied way. Unlike the common operational approaches for reasoning about fairness 8,2], these denotational methods support compositional reasoning and do not rely on program transformations. The rest of the paper unfolds as follows. Section 2 introduces an imperative language of communicating processes, which provides a backdrop for the remainder of the paper. Section 3 provides an overview of a general approach for incorporating fairness assumptions into denotational semantics of particular importance is the concept of parameterized fairness, which supports the compositional characterization of fair computations. The next three sections serve as examples of this approach, each section describing a semantics that incorporates a dierent fairness assumption for the same language of communicating processes: Section 4 describes a strongly process-fair semantics, Section 5 describes a weakly process-fair semantics, and Section 6 describes a strongly channel-fair semantics. Finally, Section 7 reviews related work, and Section 8 concludes with some observations about the fair-trace framework. 2

Older

2 Communicating Processes We introduce an imperative language of communicating processes, based on Hoare's CSP 11] and Milner's CCS 17], in which processes have disjoint local states and communicate with one another only via synchronous message passing. 2.1 Syntax The abstract syntax of the language relies on the following seven syntactic domains: Ide, the set of identiers, ranged over by i BExp, the set of boolean expressions, ranged over by b Exp, the set of (integer) arithmetic expressions, ranged over by e Chan, the set of channel names, ranged over by h Gua, the set of communication guards, ranged over by g GCom, the set of guarded commands, ranged over by gc and Com, the set of commands, ranged over by c. We take for granted the syntax of identiers, channel names, and boolean and arithmetic expressions. The syntax of guards, guarded commands and commands is given by the following grammar: g ::= h?i j h!e gc ::= g ! c j gc1 gc2 c ::= skip j i:=e j c1 c2 j if b then c1 else c2 j while b do c j gc j c1kc2 j cnh In examples, as is conventional, we often use the abbreviation g for the guarded command g ! skip. We also impose the syntactic constraint that, for all commands of form c1kc2, c1 and c2 have disjoint free identiers. This constraint ensures that processes can alter one another's local states only as the result of handshake communications. 2.2 Operational semantics A state is a nite partial function from identiers to integers, and we dene the set S of states as S = Ide * Z]. For any state s, sji = n] is the state that agrees with s except that it assigns value n to identier i. The domain of a state s, written dom(s), is the set of identiers for which s has a value. Two states s1 and s2 are considered disjoint when their domains are disjoint: dom(s1 ) \ dom(s2 ) = . In such cases, we write disjoint(s1 s2 ). For simplicity, we assume that an evaluation semantics is given for arithmetic and boolean expressions, and that expression evaluation always terminates and produces no side eects. We write hesi ! n to indicate that expression e in state s evaluates to value n. We use a similar notation for the evaluation of boolean expressions, letting B = ftt ffg represent the set of truth values. We use a labeled transition system for commands, guards, and guarded 3

Older

h

h iterm s

iterm h iterm h k iterm if disjoint(

c1 s 1 c1

c2 s2

c2 s1

s2

Fig. 1:

s1 s2

h iterm h n iterm

)

c s

c h s

The predicate term.

h i ! h := i ! h j = ]i h i ! h i :h iterm h i ! h iterm h i ! h i h i ! h i h i ! tt h i ! ff hif then else i ! h i hif then else i ! h i h i ! tt h i ! ff hwhile do i ! h while do i hwhile do i ! h i hskip i!h i

s

c1 s

0

0

c1 c2 s

0

c1

e s

0

c1 s

n

c1 s

0

i

0

c1 s

c1 c2 s

c1 s

c1

b

c2 s

b

c s

0

c2 s

b

c2 s

b s

c

0

b s

b s

c s

n

s

c1 c 2 s

c2 s

b

b s

b

i

0

c1 s

e s

s

c s

s

Transition rules for sequential constructs. commands this approach is standard and follows that of 20]. A conguration is a pair h i (or more generally, h i or h i) for which state is dened on at least the free identiers of (or or ). We introduce the placeholder to represent termination, allowing congurations with forms such as h i, hk 2 i and hn i. A conguration h i is terminal if the predicate h iterm can be proved from the axioms and inference rules in Figure 1. A label is a member of the set = f gf ! ? j 2 Chan & 2 Zg. Every transition has a label indicating the type of atomic action involved: represents an internal action (e.g., assignment to a variable), ! represents the transmission of value along channel , and ? represents the receipt of value from channel . Two labels 1 and 2 match if and only if one has the form ! and the other ? for some channel and value in such cases, we write match( 1 2). For a label , chan( ) is the channel associated with by convention, we dene chan( ) = . We write h i ! h 0 0i to indicate that the command0 in state0 can perform a transition labeled , leading to the command in state . The transition relations ! ( 2 ) are characterized by the axioms and inference rules given in Figure 2 and Figure 3. A direction is a member of the set = f ! ? j 2 Chang we occasionally use the extended set of directions + = f g. For a label , dir( ) is the direction associated with : for example, dir( ! ) = ! and dir( ? ) = ? by convention we let dir( ) = . 0 0 A conguration h i is enabled if there exists a transition h i ! h i 0 0 for some command , state and label . A conguration is blocked (or disabled ) if it is neither enabled nor terminal. We write h idead to indicate that the conguration h i is blocked. We dene a set inits( ) that contains 4 Fig. 2:

c s

g s c

s

c s

gc s

g

s

gc

h s

c s

c s

h n h n

h

n

h n

n

n

h

h

h n

h n

h n

h

c s

n

c s

c

s

c

s

d

h h

h

h n

h

h n

c s

s

c s

c s

h

c s c

c s

c s

Older

h ? i!h j h i s

h?n

s

i

= ]i for each n

n

h i ! h ! i ! h i

2Z

e s

h!n

h e s

n

s

h i ! h i h ! i ! h i h i ! h i h i ! h i h i ! h i h i ! h i h i ! h i h k i ! h k i if disjoint( ) h i ! h i h k i ! h k i if disjoint( ) h i ! h i h i ! h i if disjoint( ) h k i ! h k i & match( ) h i ! h i if chan( ) =6 h n i ! h n i

g s

g

gc1 s

gc1

c1

1

c2 s1

0

s2

0

c s

c h s

2

c2 s2

0

0

s1 s2

0 s2

1 2

0

c s

0

s2

c2 s2

0 0 c2 s1 0

s1 s2

0

0

c1 c2 s1

c

0

c s

0

0

s2

c2 s 2

gc2 s

0

c s

s1 s2

0

0

0 c1

0

c1 c2 s1

0

gc1

c1 s1

s2

c1 s 1

0

s2

c2 s2

c1 s1

0

gc2 s

c s

0

c s

0

c1 s1

c1 c2 s1

c s

c s

gc2 s

c1 c2 s1

s

0

h

h s

Transition rules for communication and parallel constructs. the directions (possibly including ) that can be used on transitions from the conguration h i: inits( ) = fdir( ) j 9 0 0 h i ! h 0 0ig. A computation is a nite or innite, maximal sequence of transitions a partial computation is a nite sequence of transitions ending in a nonterminal conguration. We call a nite computation ending in a terminal conguration successful and one ending in a blocked conguration deadlocked. Fig. 3:

c s

c s

c s : c s

c s

2.3 Fairness As given, the operational semantics species all transition sequences possible for a given command: it imposes no constraints on transitions to ensure that the generated computations are fair (that is, that no component is forever ignored). Rather, the fair computations of a command are determined in a two-phase approach: rst all possible computations are considered, and then external fairness criteria eliminate certain computations as unfair. In the context of communicating processes, there are many dierent fairness criteria that can be applied. In particular, Francez 8] and Kuiper and de Roever 15] have collectively identied a hierarchy of fairness notions for CSP that includes the following forms of fairness, each with both strong and weak varieties: process fairness, channel fairness, guard fairness, and communication fairness. In this paper, we consider three of these fairness notions: 5

Older , , and strong channel fairness. Strong fairness states that every process that is enabled innitely often eventually proceeds. In contrast, weak fairness states that every process that is enabled continuously eventually proceeds. Although both fairness notions are concerned with the progress of processes, they impose dierent expectations on what it means for a process to be treated fairly. Weak fairness provides a weaker (and therefore more realizable) assumption than strong fairness, and it is much easier to implement as a scheduling policy. However, as we shall see, it is much more dicult to model (and reason about) for communicating processes. Strong channel fairness provides a stronger assumption than strong process fairness: in addition to the guaranteed progress of innitely enabled processes, strong channel fairness requires that every channel on which communication is enabled innitely often be used innitely often. In the original CSP, where processes communicate by name, a channel is simply a pair of processes 2 . In our language, a particular channel may be used by several processes, and two processes may communicate with one another via several channels. strong (process) fairness weak (process) fairness

3

Towards Fair Traces

The general framework of this paper is based on the notion of fair traces. Intuitively, a fair trace is a pair h i that serves as an abstract record of a fair computation. The component captures the \essence" of the computation (e.g., the sequences of states encountered or the communications made along the computation) and corresponds to standard notions of trace 12,6,9,14]. The component provides additional contextual information that is necessary for reasoning about fairness in a compositional way the particular structure of depends on the notion of fairness under consideration. By varying the structure of the traces, we construct several dierent semantics that re!ect dierent types of fairness assumptions for the same language of communicating processes. In this section, we introduce dierent versions of a single notion of program behavior that guides our construction of the dierent semantics. This notion of behavior mandates a certain type of structure for the -components of the fair traces we also describe (in general terms) the factors that in!uence the structure of the -components.

3.1

Soundness and full abstraction

A semantics is sound with respect to a given notion of behavior if, whenever it gives two terms the same meaning, those terms induce the same behaviors in This interpretation of channel corresponds to that used by Francez 8]. Kuiper and de Roever describe a notion of channel fairness in which channel refers to a pair of \semantically matching guards" 15]. 2

6

Older all program contexts. A semantics is fully abstract 16] with respect to a notion of behavior if the converse also holds: that is, a fully abstract semantics gives two terms the same meaning if and only if they induce the same behaviors in all program contexts. In this paper, we consider strongly fair, weakly fair, and strongly channelfair versions of a state-trace behavior. Each of these behaviors incorporates the assumptions that programs are closed systems (i.e., no external communication is possible), that each and every step is detectable, and that deadlock is distinguishable from both successful termination and innite idling. Using the tag to indicate deadlock and letting = f 0 1 k j 8 i 2 g, we dene the strongly fair state-trace behavior Ms : Com ! P( 1 ) as follows: Ms ] = f 0 1 k j h 0i ! h 1 1i !

! h k kitermg

S

s s

:::s

i

k: s

S

c

s s

f f h

:::s

c s

c s

S

S

c s

j h i ! h i !

! h ideadg j i ! h i !

! h i !

is strongly fairg

s0 s1 : : : s k

c0 s0

c1 s1

ck sk

s0 s1 : : : s k : : : c0 s0

c1 s 1

ck s k

We let Mw and Mch be the obvious corresponding weakly fair and strongly channel-fair state-trace behaviors. These state-trace behaviors guide our construction of the fair semantics. In particular, we aim for semantics that are (when possible) fully abstract with respect to these state-trace behaviors. There are, of course, other notions of behavior that could be considered. However, the goal of this paper is to show how dierent notions of fairness aect the structure necessary for reasoning about a xed notion of fair program behavior. We begin with simple traces, which form the common basis for each of our fair semantics.

3.2 Simple traces We start with a set of steps " = S S intuitively, each step (s s0) corresponds to a transition of form hc si ! hc0 s0i. A (simple) trace is a nite or innite sequence of steps representing a sequence of uninterrupted transitions. We dene a set of empty traces "0 = f"s j s 2 S g (each "s corresponds to a conguration with form hc si), and we dene the set of simple traces to be "1 = " "! , where " = "0 "+, and "+ = f(s0 0 s1 )(s1 1 s2) : : : (sk k sk+1) j k 0 & 8i k:(si i si+1 ) 2 " g ! " = f(s0 0 s1 )(s1 1 s2) : : : (sk k sk+1) : : : j 8i 0:(si i si+1) 2 "g: Given a (possibly partial) computation , trace( ) records the state transitions and actions occurring along . For example, if is the computation k 0 1 hc s0i ! hc1 s1i !

! hck+1 sk+1iterm then trace( ) = (s 0 s1)(s1 1 s2) : : : (sk k sk+1). 7

:

Older The intermediate states that appear along these simple traces are essential, because the behaviors in which we are interested also include intermediate states. If, instead, the guiding behaviors included only communication sequences, then only initial and nal states (vital for correctly modeling sequential composition in our language) would be necessary. These simple traces are clearly insucient for reasoning about fairness: they record only the events that occurred along a computation, providing no information about events that could have occurred but did not. Such information is essential for determining whether or not certain processes have been enabled along a given computation. 3.3 Parameterized fairness Whether a given process is enabled (and therefore whether it is treated fairly) depends upon the context in which that process appears. This contextual dependency has important consequences for characterizing fair computations compositionally. For example, consider the strongly fair computations of the program C (C1 k(C2 kC3 ))nanb where we dene C1 while true do a?x, C2 while true do a!0, and C3 while true do (b!0 ! a!0). In the strongly fair computations of C , the components C1 and C2 repeatedly synchronize with one another along channel a, while C3 waits for the (never occurring) opportunity to communicate on channel b. However, these strongly fair computations of C cannot be dened solely in terms of the strongly fair computations of its components C1, C2, and C3: in every strongly fair computation of C3 (and of C2kC3), C3 makes innitely many transitions. Instead, the strongly fair computations of C all depend on certain unfair computations of C2 kC3, namely those in which C2 makes innite progress and C3 idles. Moreover, merely knowing the restricted channels of C is insucient for identifying which subcommands are enabled along any given computation of C : even though communication is restricted on channel a in the command C , C2 can make continual progress by synchronizing with C1 innitely often. The solution to characterizing fair computations compositionally is to introduce generalized notions of fairness that are parameterized by sets representing conditions under which certain unfair computations may contribute to truly fair computations. For example, the (unfair) innite computation of C2kC3 that never performs output along channel b still contributes to a strongly fair computation of the larger command C : the source of unfairness| C3 's lack of progress despite being enabled innitely often|disappears in the larger context, where C3 is no longer enabled innitely often. We can characterize this unfair computation of C2kC3 as being strongly fair modulo fb!g: intuitively, this characterization indicates (1) that the computation is strongly fair except for C3's ignored attempt to perform output on channel b and (2) 8

Older that there are larger contexts (such as ) where the computation re!ects the contribution of 2k 3 to a strongly fair computation. (A more thorough, if still informal, explanation of parameterized strong fairness appears in the next section.) This concept of parameterized fairness extends to other notions of fairness, but the precise structure necessary for the parameterized characterization depends on the particular notion of fairness under consideration. As hinted in the preceding discussion, strong fairness can be parameterized by sets of directions. To parameterize weak fairness, we use sets of sets of directions. Finally, we parameterize strong channel fairness by pairs ( ), where is a set of directions and is a set of channels. In each case, the parameterization provides a way to characterize fairness compositionally, which the standard formulations of fairness do not permit. Moreover, these parameterizations help determine the structure necessary for the resulting fair trace semantics. The next three sections, each of which focuses on a dierent notion of fairness, demonstrate how this structure is incorporated into the fair traces. C

C

C

F H

F

H

4

Strong Fairness

We begin by modeling the assumption of strong fairness, which requires every innitely enabled process to make progress innitely often. Several strongly fair semantics appear in 5,18], each tailored for a dierent notion of program behavior. We sketch the relevant details here, as they provide a convenient foundation for the discussion of other fairness notions. 4.1 Parameterized strong fairness For every nite set F of directions, we characterize those computations that are strongly fair modulo F . Roughly speaking, a computation of the command c is strongly fair modulo F if every innitely enabled process either (1) makes progress innitely often (just as in traditional strong fairness) or (2) eventually stops in a conguration in which its only possible transitions are labeled by directions in F and it cannot synchronize with any other processes. Intuitively, in a program context P ] that both restricts communication on the channels in F and fails to provide synchronization opportunities for members of F , the computation will represent c's contribution to a strongly fair computation of P c]. For example, the innite computation of C2kC3 that never performs output along channel b can be characterized as fair modulo fb!g: the context (C1 k)nanb restricts communication on channel b and provides no synchronization opportunities for C3's b!0 action. When F = , this characterization coincides with the traditional notion of strong process fairness, as given in 8,2]. However, unlike the traditional notion of strong fairness, parameterized strong fairness can be characterized compositionally. The full details appear in 18] roughly, the characterization 9

Older proceeds as follows. Every nite computation is strongly fair modulo , for all sets . A partial computation is strongly fair modulo if its nal conguration is blocked modulo 3 . An innite computation of a command not having form n or provided that the underlying computations 1 k 2 is strongly fair modulo of its component commands are all strongly fair modulo for example, an innite computation of a loop is strongly fair modulo if each execution of the loop's body is strongly fair modulo . An innite computation of n is fair modulo if the underlying computation (call it ) of is fair modulo f ! ?g intuitively, any subprocess of that is blocked modulo f ! ?g along will be blocked modulo along , where communication on channel is restricted. Finally, an innite computation of the parallel command 1 k 2 is fair modulo if and only if there exist sets 1 and 2, and computations 1 of 1 and 2 of 2, satisfying the following conditions: can be obtained 1 is strongly fair mod 1 , 2 is strongly fair mod 2, by merging and synchronizing 1 and 2 , is a superset of 1 2 , neither computation enables synchronization innitely often with a direction in the other component's fairness set, and neither component innitely often uses a direction in the other component's fairness set. These last two conditions ensure that neither component violates the assumptions re!ected in the other component's fairness set. F

F

F

F

c

c h

c

F

F

F

F

c h

F

F

F

h h

F

h

c

c

c

0

h h

0

c

F

c

F

F

F

c

F

F

F

F

4.2 Strongly fair traces

Guided by the denition of parameterized strong fairness, we augment simple traces with the additional contextual information to yield the set #s of strongly fair traces : #s = " (Pn (+) Pn(+) ff i pg) Intuitively, the trace h ( i)i represents an innite, strongly fair modulo computation, where is the simple trace that records its sequence of transitions and is its set of innitely enabled directions the tag i simply indicates that the trace represents an innite computation. Similarly, the trace h ( f)i represents a successfully terminating (and necessarily strongly fair mod ) computation having simple trace and enabled directions the tag f indicates that the trace represents a nite computation. 4 Finally, the trace h ( p)i (with ) represents a partial computation whose nal conguration has the set of directions (possibly including ) enabled when 62 , the partial computation is necessarily fair mod and therefore fair 1

:

F E

F

E

F E

F

F E

F

E

E

E

E

E

A conguration h i is blocked modulo if its only transitions are labeled by directions (i.e., if ( ) = ). 4 To be precise, the set is unnecessary for both nite traces and partial traces. However, its inclusion facilitates certain semantic denitions by giving a common structure to all possible traces.

3

in

c s

F

inits c s

F

F

F

10

Older mod 5 as well. These partial traces support reasoning about deadlock and blocking and are the obvious analogues of acceptances 9] or refusals 6]. For a successfully terminating (respectively, innite) computation , we dene en( ) to be the set of directions enabled (respectively, enabled innitely often) along . We then give an operational characterization of a strongly fair trace semantics Ts : Com ! P(#s) as follows: F

T ] = fhtrace( ) ( en( ) f)i j 2 P () & = h i ! h i !

! h k kiterm g fhtrace( ) ( p)i j = inits( k k) & & = h i ! h i !

! h k ki & :h k kitermg fhtrace( ) ( en( ) i)i j = h i ! h i !

!

is strongly fair mod g That is, Ts ] is the set of traces corresponding to the strongly fair (modulo appropriate sets ) computations of . This trace semantics Ts can also be characterized denotationally: for each s c

F

c s0

F

n

F

c1 s 1

E

0

k 1

1

c s

c1 s1

c s

F

1

k 1

1

k

E

c s

c s

c s0

0

F E c s0

0

c1 s1

F

:

c

F

c

construct of the language, we dene a corresponding operation on trace sets that re!ects its operational behavior. For example, we dene Ts 1k 2] = f j 9 1 2 Ts 1] 2 2 Ts 2] mergeable ( 1 2) & ( 1 2 ) 2 fairmergeg where mergeable ( 1 2) is a predicate re!ecting the conditions of the parallelcomposition clause for parameterized strong fairness and fairmerge #s #s #s is an adaptation of Park's fairmerge operator 19] that allows for the possibility of synchronization and performs the necessary bookkeeping for the fairness-related portion (i.e., the sets and ) of the traces. c

c

'

'

c

'

c

:

' '

' ' '

' '

F

E

4.3 Full abstraction for Ms The semantics Ts as given is sound but not fully abstract with respect to the behavior Ms. However, as described in 5], the introduction of appropriate closure conditions on trace sets yields a fully abstract semantics. Moreover, small changes in the simple-trace structure yields additional full-abstraction results for several other notions of strongly fair behavior 18]. In each case, the fairness-related structure remains the same, further demonstrating the suitability of the parameterized-fairness denition. If we add shared-variable parallelism and conditional critical regions to our language, the result is a language of communicating processes in which processes may communicate with one another both through changes to shared memory and by message passing. Combining Brookes' transition traces for 5

Every fair mod F computation is necessarily fair mod F , for all F F . 0

11

0

Older shared-variable programs 4] with the strongly fair trace semantics for communicating processes yields a fully abstract, strongly fair semantics for the hybrid language 18]. In particular, we modify only the structure of the simple traces |now permitting intermediate state changes|while retaining the fairness-related structure. The resulting semantics is reminiscent of the semantics introduced by Horita, de Bakker, and Rutten for a similar hybrid language 13]: the only dierence is that our semantics also incorporates fairness assumptions.

5

Weak Fairness

An alternative to strong fairness is weak fairness, which states that every process enabled continuously eventually proceeds. The assumption of weak fairness is more general than strong fairness and easier to implement as a scheduling policy. Perhaps ironically, then, modeling weak fairness for communicating processes requires signicantly more semantic structure. 5.1 Parameterized weak fairness In parameterizing strong fairness, we do not need to distinguish between the actions possible for a single process and the actions possible for a collection of processes: a set of directions (likewise, a set of processes) is enabled innitely often if and only if some member of that set is enabled innitely often. In parameterizing weak fairness, however, the distinction is crucial: a set of directions (likewise, a set of processes) can be enabled continuously without any particular member being enabled continuously. For example, under strong fairness, the single-process command Q1 (a!0 ! b!0) (b!0 ! a!0) and the two-process command Q2 (a!0 k b!0) are equivalent in all program contexts. Under weak fairness, however, they can behave dierently when placed in parallel with the following command C : C (while true do (a?x c!1)) k (while true do (b?y c!2)): In particular, C has a computation that satises the following two conditions: Each of C 's subcomponents repeatedly performs output on channel c. At any time after the initial step, at least one of the components is inside its loop. Along this computation , the directions a? and b? are each enabled innitely often and disabled innitely often moreover, at any time after the rst step, at least one of the directions a? and b? is enabled. In any computation of (Q1 kC )nanb in which C performs the transition sequence , the single process of Q1 is enabled continuously: at each step it has some action enabled. As a result, it is impossible for C to perform the transition sequence in a weakly fair computation of (Q1kC )nanb: to satisfy Q1 's fairness constraints, C must eventually synchronize with it on channel a 12

Older or b. In contrast, ( 2 k )nanb does have weakly fair computations in which performs the transitions : neither of 2 's processes is guaranteed progress, because neither process is enabled continuously by 's actions. This example illustrates why the denition of parameterized weak fairness must distinguish between the actions possible for a single process and the actions possible for a collection of processes. 6 We therefore parameterize weak fairness by sets F of sets of directions intuitively, each set 2 F corresponds to the communications possible for one or more blocked subprocesses. For example, the set F1 = ffa! b!gg describes a computation in which one or more subprocesses are blocked modulo fa! b!g and have no synchronization opportunities: the partial computation h 1 i is weakly fair mod F1. In contrast, the set F2 = ffa!g fb!gg describes a computation in which one or more processes are blocked modulo fa!g and one or more processes are blocked modulo fb!g the partial computation h 2 i is weakly fair mod F2. Note that dierent sets may represent the same weak-fairness constraints. For example, the sets F1 = ffa! b!g fa!gg and F2 = ffa! b!gg represent identical constraints: each F is enabled for synchronization continuously along any computation that enables the set fa! b!g continuously. In eect, the possibilities inherent in the set fa!g are subsumed by the larger set fa! b!g: any computation that enables fa!g continuously must also enable fa! b!g continuously. We use downwards closure (dened by F #= f j 9 2 F g) to yield canonical representations of the fairness constraints. Intuitively, the sets F1 and F2 represent identical weak-fairness constraints whenever F1 #= F2 #. We can now give a characterization of parameterized weak fairness that mimics the parameterization of strong fairness in Section 4 but also accounts for the additional structure of the fairness sets F. A computation is weakly fair (in the standard sense) if and only if it is weakly fair modulo . Every successfully terminating computation is weakly fair mod F, and a partial computation is weakly fair mod F if its nal conguration is blocked modulo F 7 . An innite computation of the command n is weakly fair mod Q

C

C

Q

F

Q s

Q s

0

0

0

i

F

0

c

F

0

:F

0

F

h

Although these commands are often used to illustrate the dierence between interleaving and \true" concurrency, the need to distinguish 1 from 2 under weak fairness represents a separate phenomenon. Under true concurrency, the commands are distinguished because 2 possesses the ability to do something that 1 cannot, namely the ability to perform the actions a!0 and b!0 simultaneously. Under weak fairness, however, the commands are distinguished because 1 possesses an ability that 2 does not, namely the ability to prevent command from performing the computation . 7 A conguration h i is blocked modulo F if initsets( ) F #= , where (informally) the set initsets( ) is a more rened version of the set inits( ), containing sets of directions (and possibly f g) as follows: each member of initsets( ) reects the transitions possible for one (or more) of 's subprocesses from the conguration h i. 6

Q

Q

Q

Q

Q

Q

C

c s

c s

c s

c s

c s

c

13

c s

Older F if the underlying computation of c is weakly fair mod fF fh! h?g j F 2 Fg. Finally, an innite computation of the parallel command c1 kc2 is weakly fair modulo F if there exist sets F1 and F2, and computations 1 of c1 and 2 of c2 , satisfying the following conditions: 1 is weakly fair mod F1 , 2 is weakly fair mod F2, can be obtained by merging and synchronizing 1 and 2 , F # (F1 F2) #, and no subcomponent of c1 or c2 that fails to make innite progress is enabled for synchronization almost everywhere along . The nal condition in the parallel-composition clause ensures that no process that becomes blocked modulo F continuously has some opportunity to synchronize. The wording of this condition is dierent from the corresponding clause for parameterized strong fairness, because c 's constraints do not depend solely on 3 : a (sub)process can be enabled for synchronization continuously along the computation without being enabled for synchronization continuously along either 1 or 2 . For example, consider the commands C1 a?x k while true do (a!1 b!1) C2 while true do (a!2 b!2): Let 1 be an innite, weakly fair mod ffa?gg computation of C1 in which the process a?x makes no progress, and let 2 be a weakly fair computation of C2. Each of these computations enables synchronization with the process a?x innitely often but not continuously. However, the computations 1 and

2 can be interleaved to yield a computation of C1 kC2 in such a way that

does enable synchronization with a?x continuously. As a result, it is often necessary to look at the resulting computation of the parallel command to determine whether any blocked processes are actually enabled continuously. 0

i

i

5.2 Weakly fair traces

This parameterization of weak fairness again guides the construction of the weakly fair trace semantics. First, we need sets F of sets of directions to represent the process constraints, because a process can be enabled continuously without any one of its actions being enabled continuously. Second, we need to record the communications enabled at each step along a computation, because communications can be enabled continuously along a computation of a parallel command without being enabled continuously by any individual component. For technical reasons, each of these enabling sets may contain both channels and directions, with channels representing the potential for synchronization: we need to distinguish the case where input and output on the same channel appear as part of a guarded choice (as in (a!0 a?x)) from the case where synchronization is possible (as in (a!0 k a?x)). We therefore dene the set # of weakly fair traces by # = " (Pn (Pn(+)) Pn( Chan) ff i pg) Intuitively, the weakly fair trace h (F E f)i represents a (necessarily weakly w

w

1

1

For example, initsets((a!0kb!0) ) = ffa!g initsets((a!0ka?x) ) = ffa!g f g fa?gg. s

s

14

:

fb!gg, initsets((a!0 b!0) s)

=

ffa! b!gg,

and

Older fair) successfully terminating computation having the nite sequence E of enabling sets. Similarly, the weakly fair trace h (F E i)i represents an innite, weakly fair mod F computation having the innite sequence E of enabling sets. Finally, the weakly fair trace h (F E p)i represents a partial computation such that F # initsets( k k ), where h k k i is the nal conguration of E again represents the sequence of enabling sets encountered along the computation. We characterize a weakly fair trace semantics Tw : Com ! P(#w ) operationally as follows, using En ( ) to denote the sequence of enabling sets encountered along the computation :

c s

c s

!

Tw ] = fhtrace( ) (F En ( ) f)i j F 2 P (P ()) & = h i ! h i !

! h k kitermg fhtrace( ) (F En ( ) p)i j F # initsets( k k ) & = h i ! h i !

! h k ki & :h k kitermg fhtrace( ) (F En ( ) i)i j = h i ! h i !

!

is weakly fair mod Fg This weakly fair trace semantics Tw can also be characterized denotationally, in much the same way as Ts. In particular, the only modications to !

c

0

c s0

n

c1 s 1

n

k 1

1

c s

!

0

c s0

c s

c1 s 1

1

k 1

1

k

c s

c s

!

0

c s0

c1 s 1

:

the operations on trace sets are to the underlying bookkeeping operations necessary for maintaining accurate fairness-related information. 5.3

Lack of full abstraction for

Tw

The semantic function Tw is sound but not fully abstract with respect to the weakly fair state-trace behavior Mw . However, whereas the introduction of closure conditions yields full abstraction under strong fairness, there do not appear to be closure conditions whose addition would yield full abstraction for Mw . For example, consider the commands (a!0 ! 1) (a!0 ! 2) (a!0 ! 3) (a!0 ! 1) (a!0 ! 2) where 1 , 2 and 3 as dened follows: 1 while true do ((a!0 ! (b!0 c!0)) (b?x ! skip)) 2 while true do ((a!0 ! (b!0 c!0 b?x)) (b?x ! skip)) 3 while true do ((a!0 ! (b!0 c!0)) (b?x ! skip) (b?x ! skip)) Letting be the simple trace ( a!0 ) ( )( a!0 )( c!0 )]! , we see that the two traces ( fa!g fa! b?gfb! c! b?g]! )i 1 =h ( fa!g fa! b? b!gfb! c!g]! )i 2 =h 15 C

C

0

C

C

C

C

C

C

C

C

C

C

C

:

s

'

'

s

s s

s

s

s

s

Older are possible for both

C

'

and . In contrast, the trace C

0

= h (

fa!g fa! b?gfb! c!g]! )i

is possible only for , re!ecting a computation in which the guarded command (a!0 ! 3) is chosen. The trace can be distinguished from 1 only by a context that \detects" th 1 's additional enabling of b? on each (3 + 3) step: this detection requires a component can become blocked fairly if and only if b? is not enabled on these steps. Likewise, the trace can be distinguished from 2 only by a context with a blocking component that detects 2's additional enabling of b! on each (3 + 2)th step. However, the trace cannot be distinguished from both 1 and 2 at the same time, for the following subtle reason. The two \detection by blocking" components collectively must enable both input and output on channel b, and ultimately they interfere with one another: if they are placed in parallel, they can synchronize with one another (regardless of whether or is placed in the context) if they are placed together as part of a guarded choice, then both b! and b? are enabled on every (3 + 2)th and (3 + 3)th step (again, regardless of whether or is placed in the context). Thus the commands and are indistinguishable in all program contexts, even though they have dierent trace sets. Although a closure condition might be found to remove the distinction between the trace sets of and , there are related situations in which some arbitrary number of traces are individually but not simultaneously distinguishable from another trace. It is unlikely that a suciently general set of closure conditions could be found to remedy every such situation. Moreover, any conditions general enough to achieve full abstraction are unlikely to be intuitive enough to provide any additional insight into program equivalences. C

C

'

'

'

i

'

'

'

i

'

'

'

C

C

0

i

C

C

C

C

i

0

0

C

C

0

6 Strong Channel Fairness

One might expect that the need for extra structure in modeling weak fairness arises because weak fairness is a weaker assumption (and therefore provides less information) than strong fairness. In this section, we consider strong channel fairness, a fairness assumption that is stronger than strong fairness. In particular, strong channel fairness subsumes strong process fairness: a computation is strongly channel fair provided that every innitely enabled process makes progress and every channel on which communication is enabled is used innitely often. As we will see, modeling strong channel fairness also requires signicantly more semantic structure than modeling strong process fairness does. 16

Older 6.1 Parameterized channel fairness A computation can fail to be strongly channel fair for one of two reasons: (1) some process is enabled innitely often and yet makes only nite progress (i.e., the computation is not strongly process fair), or (2) some channel on which communication is enabled innitely often is used only nitely often. Similarly, parameterized channel fairness can be characterized by a combination of process constraints (representing the innitely enabled processes that fail to make innite progress) and channel constraints (representing the innitely enabled channels that do not get used innitely often). We parameterize strong channel fairness by pairs (F H ), where F is a nite set of directions representing the process constraints and H is a nite set of channels representing the channel constraints. Informally, a computation is channel fair mod (F H ) if and only if it is strongly fair mod F and the set H contains those channels that are enabled innitely often but used only nitely often along . When the sets F and H are both empty, this characterization coincides with Francez's notion of strong channel fairness 8]. It is important to distinguish between process constraints and channel constraints, because they represent dierent types of assumptions that can be discharged in dierent ways. Intuitively, the process constraints correspond to innitely enabled processes that|when the original command is placed in a larger context|cease to be treated unfairly because they are no longer enabled innitely often. In contrast, the channel constraints correspond to innitely enabled channels that|when the original command is placed in a larger context|cease to be treated unfairly either because they are no longer enabled innitely often or because some other component uses them innitely often. 6.2 Channel-fair traces We have already seen in Section 4 the semantic structure necessary for reasoning about process constraints. To reason about channel constraints accurately, we need to keep track of those channels that have been enabled innitely often but used only nitely often. Moreover, for each of these channels, we need to know whether synchronization on that channel has been enabled innitely often. 8 However, determining when synchronization on a given channel is enabled along a computation requires knowledge about the communications enabled at each step along a computation. In particular, knowing that a command Q1 (at some indeterminate point) enables input on channel h and that Q2 (at some indeterminate point) enables output on channel h is insucient for determining whether Q1 kQ2 has synchronization enabled on channel h: it If synchronization is enabled innitely often on a given channel, then that channel must be used innitely often for the resulting computation to be strongly channel fair. In contrast, a channel on which communication (but not synchronization) is enabled innitely often can be ignored fairly, provided that communication on that channel is eventually restricted.

8

17

Older depends on whether 1 and 2 enable those communications on simultaneously. We therefore need to record the sets of directions enabled at each step of a computation, with the following exception. Once we know that a particular channel has been used innitely often along a computation, we no longer need to know on which particular steps it is enabled. Intuitively, if is used innitely often along , then 's channel constraints have been satised and (due to process fairness) no other process can become blocked in a conguration in which it can use channel . In essence, by knowing that has been used innitely often (and therefore treated fairly), we no longer have to record information whose sole purpose is to allow us to determine whether has been treated fairly. Guided by this intuition, we let % = Pn(+ ) Pn (Chan) Pn (Chan) Pn (Chan)1 ff i pg and we dene the set #ch of strongly channel-fair traces as #ch = "1 % Intuitively, we can model each innite channel-fair mod ( ) computation with a trace h ( E i)i, where is the set of nitely used channels on which synchronization is enabled innitely often, is the set of \discharged" channel constraints (i.e., those channels used innitely often), and E is the sequence of sets of directions (with members of deleted) enabled along the computation. Note that the set of channel constraints can be obtained as the union of and the set of channels occurring in innitely many sets along E. Similarly, a trace h ( E f)i represents a (necessarily fair) successfully terminating computation that enables synchronization on the unused channels , uses channels , and has the sequence E of sets of directions (with members of deleted) enabled along the computation. Finally, a partial computation can be represented by the trace h ( E p)i, where is a superset of the directions enabled in the nal conguration of and E is the sequence of sets of directions enabled along there is no need to record channel-related constraints for partial computations. ! For a computation and a set of channels, we dene EnD ( ) to be the sequence of sets of directions (excluding members of ) enabled along . For example, if is the computation Q

Q

h

h

h

h

h

h

:

F H

F U D

U

D

D

H

U

U

F U D

D

D

F

F

D

D

=h

c s0

i ! h 0

c1 s1

k i !

! h k kiterm i = inits( i i ) (f g f ! ? j 2 g) 1

1

c s

! then EnD ( ) = 0 1 k , where for each . For an innite computation , used( ) is the set of channels used innitely often along and unused( ) is the set of nitely used channels on which synchronization is enabled innitely often along . Likewise, for a nite computation , used( ) is the set of channels used along and unused( ) is the set of unused channels on which synchronization is enabled along . Using these denitions, we can give an operational characterization of a channel-fair 18

E E

:::E

i

E

c s

h h

h

D

Older trace semantics Tch : Com ! P(#ch) as follows: Tch ] = fhtrace( ) ( unused( ) En! D( ) f)i j 2 Pn() & k 1 0 1 = used( ) & = h 0i ! h 1 1 i !

! h k k itermg fhtrace( ) ( En! ( ) p)i j inits( k k ) & k 1 0 1 = h 0i ! h 1 1!i !

! h k ki & :h k kitermg fhtrace( ) ( unused( ) EnD ( ) i)i j = used( ) & k 0 1 = h 0i ! h 1 1i !

!

is channel fair mod ( )g c

D

F

D

F

c s

F

c s

c s

c s

F

c s

F

c s

c s

c s

D

D

c s

c s

F H

As with the semantics Ts and Tw , the semantics Tch can also be characterized denotationally. 6.3

Full abstraction for

Mch

The semantics Tch is sound but not fully abstract with respect to the behavior Mch. In particular, the semantics distinguishes commands whose trace sets dier only in the nite prexes of certain innite sequences of enabling sets. For example, consider the following two commands: 3 a!0 ! ((b!0 ! while true do a!0) (c!0 ! skip)) a!0 ! (b!0 ! skip d!0 ! skip) 4 3 a!0 ! ((b!0 ! while true do a!0) (d!0 ! skip)) Let be the simple trace ( a!0 )( b!0 ) ( )( a!0 )]! , let E be the innite sequence h fa!gi! , and consider the innite traces ( fa!g hfa!g fb! c!giE i)i 3 =h ( fa!g hfa!g fb! d!giE i)i 4 =h which dier only in the sets of directions enabled on their second steps. Despite that 4 is possible only for 4, the commands 3 and 4 exhibit the same behaviors in all program contexts. In essence, the traces 3 and 4 are indistinguishable from the standpoint of strong-channel fairness, because they share the same innite sux of enabling sets: after some nite period of time, both enable the same communications on precisely the same steps. To achieve full abstraction, we introduce some simple superset-related closure conditions on trace sets, combined with an equivalence relation on traces that identies otherwise-identical innite traces whose sequences of enabling sets dier in only nitely many places. The resulting quotient structure yields a fully abstract semantics for the behavior Mch. However, the resulting semantics, while fully abstract, is inherently more complex than the strongly fair semantics. Moreover, the full abstraction result is signicantly less robust than the full-abstraction results for strong fairness, in the following sense: whereas small changes in the simple-trace structure yield full abstraction for several notions of strongly fair behavior, the entire structure of the channel19 C

C

C

:

s

s

s

s

s s

s

s

'

'

'

C

C

C

'

'

:

Older fair traces is predicated on the ability to detect each individual step and to determine which communications are enabled at each step. This apparent deciency in the semantics is inherent to the notion of channel fairness and its lack of equivalence robustness 1]: whether or not a computation is channel fair is highly dependent on the order in which independent actions occur. 7

Related Work

This framework places previous models for fair communicating processes in a more general light. Both Hennessy 10] and Brookes 3] introduce models for reasoning about program behavior under assumptions of unconditional fairness, which requires processes to make progress until they terminate successfully. Because these models ignore the possibility of blocking, they do not require additional fairness-related information such as process constraints or sets of enabled directions. Darondeau gives a strongly fair semantics for a stateless, CCS-like language 7] in which the meaning of terms are given by sets of histories these histories are very similar in structure to the strongly fair traces of this framework. However, the language he considers has no notion of sequential composition and only a very limited form of iteration: in particular, the iterative constructs generate only innite computations, and only simple actions may appear in the scope of these constructs. As a result, his nite traces do not require enabling information. For data!ow and asynchronous networks, Jonsson provides a fully abstract trace model that incorporates assumptions of weak fairness 14]. By modeling channels as transition systems with their own fairness constraints and by limiting which processes use which channels, he ensures that every process makes progress if enabled continuously. Essential for modeling weak fairness without the addition of fairness-related information are the assumptions that each channel is used for input by at most one node, that each channel is used for output by at most one node, and that no channel is used for both input and output by any node. 8

Conclusions

This paper describes a general, unifying framework for modeling fairness for communicating processes. Within this framework, standard traces are augmented with additional information that supports compositional reasoning about fair program behavior. This compositional treatment of fairness stands in stark contrast to the standard operational methods for reasoning about fairness essential to this compositional treatment are the notions of parameterized fairness. This framework also supports comparisons of fairness notions and the semantic structure that they require. Interestingly, the complexity of the struc20

Older ture necessary for modeling a particular notion of fairness is not related directly to the strength of the underlying fairness assumption. As evidenced by their respective semantics, strong fairness is signicantly simpler to model than either strong channel fairness or weak fairness, despite that strong fairness falls between the other two notions in the hierarchy of fairness notions 8,15] for communicating processes. The additional complexity necessary for modeling weak fairness and strong channel fairness seems tied to their lack of equivalence robustness 1]: these fairness notions are intrinsically dependent on the order in which independent actions occur, and their semantics re!ect this dependency. In contrast, strong fairness is equivalence robust and permits a much simpler trace structure. Finally, the semantics described in this paper are interleaving models. However, the fairness-related structure of the strongly fair semantics also seems appropriate for noninterleaving models of concurrency, such as event structures 22] or pomsets 21]: the parameterization of strong fairness relies only on blocked processes and sets of innitely enabled communications, features that are relevant for true concurrency and independent of the relative ordering of independent events. The models for strong channel fairness and weak process fairness are signicantly less likely to adapt for true concurrency: the lack of equivalence robustness for these fairness notions indicates that they are poor candidates as useful abstractions for noninterleaving models, where the ordering of independent actions is unimportant.

References 1] K. R. Apt, N. Francez, and S. Katz. Appraising fairness in languages for distributed programming. Distributed Computing, 2(4):226{241, 1988. 2] K. R. Apt and E.-R. Olderog. Verication of Sequential and Concurrent Programs. Springer-Verlag, 1991. 3] S. Brookes. Fair communicating processes. In A Classical Mind: Essays in Honour of C.A.R. Hoare, chapter 4. Prentice-Hall, January 1994. 4] S. Brookes. Full abstraction for a shared-variable parallel language. Information and Computation, 127(2):145{163, June 15, 1996. 5] S. Brookes and S. Older. Full abstraction for strongly fair communicating processes. In S. Brookes, M. Main, A. Melton, and M. Mislove, editors, Proceedings of the 11th Annual Conference on Mathematical Foundations of Programming Semantics, volume 1 of Electronic Notes in Computer Science. Elsevier, June 1995. 6] S. D. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communicating sequential processes. JACM, 31(3):560{599, July 1984. 7] P. Darondeau. About fair asynchrony. Theoretical Computer Science, 37(3):305{336, 1985.

21

Older 8] N. Francez. Fairness. Texts and Monographs in Computer Science. SpringerVerlag, 1986. 9] M. Hennessy. Acceptance trees. JACM, 32(4):896{928, 1985. 10] M. Hennessy. An algebraic theory of fair asynchronous communicating processes. Theoretical Computer Science, 49:121{143, 1987. 11] C. A. R. Hoare. Communicating Sequential Processes. CACM, 21(8):666{677, Aug. 1978. 12] C. A. R. Hoare. A model for communicating sequential processes. Technical Report PRG-22, Oxford University Programming Research Group, Oxford, England, 1981. 13] E. Horita, J. W. de Bakker, and J. J. M. M. Rutten. Fully abstract models for nonuniform concurrent languages. Information and Computation, 115(1):125{ 178, November 15, 1994. 14] B. Jonsson. A fully abstract model for data ow and asynchronous networks. Distributed Computing, 7(4):197{212, 1994. 15] R. Kuiper and W. P. de Roever. Fairness assumptions for CSP in a temporal logic framework. In D. Bjrner, editor, Proceedings of the IFIP Working Conference on Formal Description of Programming Concepts - II, pages 159{ 167. North-Holland, 1983. 16] R. Milner. Processes: A mathematical model of computing agents. In H. E. Rose and J. C. Shepherdson, editors, Logic Colloquium '73, volume 80, pages 157{173. North-Holland/American Elsevier, 1975. 17] R. Milner. A Calculus of Communicating Systems, volume 92. Springer-Verlag, 1980. 18] S. Older. A Denotational Framework for Fair Communicating Processes. PhD thesis, Carnegie Mellon University, 1996. Avaliable as tech report CMU-CS-96204. 19] D. Park. On the semantics of fair parallelism. In D. Bjrner, editor, Abstract Software Specications, volume 86 of Lecture Notes in Computer Science, pages 504{526. Springer-Verlag, 1979. 20] G. D. Plotkin. An operational semantics for CSP. In D. Bjrner, editor, Proceedings of the IFIP Working Conference on Formal Description of Programming Concepts - II, pages 199{225. North-Holland, 1983. 21] V. Pratt. Modeling concurrency with partial orders. International Journal of Parallel Programming, 15(1):33{71, February 1986. 22] G. Winskel. Event structures. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Advances in Petri Nets, 1986: Proceedings of an Advanced Course, volume 2 of LNCS, pages 325{392. Springer-Verlag, 1986. 22

A Framework for Fair Communicating Processes

A Framework for Fair Communicating Processes

Recommend Documents