Information Processing Letters 59 (1996) 179-184
Modelling causality via action dependencies in branching time semantics ¹
Ursula Goltz *, Heike Wehrheim *
Institut für Informatik, University of Hildesheim, Postfach 101363, D-31113 Hildesheim, Germany
Received 3 April 1996; revised 9 July 1996
Communicated by H. Ganzinger
Abstract
We show that the approach of Mazurkiewicz trace theory - modelling causalities between action occurrences using a global dependency relation - can be generalised to branching time semantics (modelling both causalities and points of choice). More precisely, we show that the usual notion of bisimulation coincides with history preserving bisimulation and that usual testing coincides with “causal testing” for a system model with a global dependency relation.

Keywords: Concurrency; Formal semantics; Equivalence notions; Trace theory
* Corresponding author.
¹ The research reported in this paper was partially supported by the Human Capital and Mobility Cooperation Network “EXPRESS” (Expressiveness of Languages for Concurrency).
² Email: {goltz,wehrheim}@informatik.uni-hildesheim.de.
0020-0190/96/$12.00 Copyright © 1996 Elsevier Science B.V. All rights reserved. PII S0020-0190(96)00111-1

1. Introduction

An important branch of research in concurrency theory was initiated by Mazurkiewicz [10]: Trace theory gives semantics for concurrent systems by presupposing a notion of dependency of actions describing which actions in a system may occur concurrently and which may not. This gives a “non-interleaving semantics” where causalities between action occurrences are represented. However, this is a special approach since it requires that it is indeed possible to assume such a global dependency relation for the actions in a system. On the other hand, this approach turned out to be very powerful since it allows to use technically an interleaving approach: runs of a system can be described simply as sequences of action occurrences. Based on the dependency relation, it is then possible to obtain a causal semantics by reconstructing which action occurrences were indeed dependent. A similar approach was used by Zwiers [8].

The power of trace theory lies in generalisations of language theoretic results which are now possible and in the compositionality aspects in this semantics [12,9]. Moreover, the assumption of having a global dependency relation often turns out to be practically quite useful. It is for instance natural in database serializability or automatic parallelisation of programs to have such a notion of dependency, see for example [8]. Also in model checking theory a global dependency relation on actions or transitions is used for achieving faster model checking algorithms [14,22].

More generally speaking, one could argue that dependency is such a basic feature in the modelling of a system that action occurrences with different dependencies should be distinguished by using different action
names. The problem is that this means to model systems at a lower level of abstraction as for example in general process algebras and this may be a drawback for certain applications. However, if this level of abstraction is not needed, modelling with global dependency allows to work within a much simpler framework and to use many well-established techniques. We show in this paper, that this approach is applicable in a broader class of system models than considered by trace theory.

Trace theory gives a “linear time semantics” to concurrent systems in the sense that a system is represented by the set of its possible runs. In this paper, we suggest to adopt the key idea of Mazurkiewicz traces also for branching time semantics. Branching time semantics are defined using models where also the conflict structure of a system is represented, namely the points of choice between alternative behaviours. A whole spectrum of such semantics is being considered [17], varying on the degree in which the choice structure is taken into account. In this paper, we consider the two most prominent semantics in this respect. We first show that the usual bisimulation semantics together with a dependency relation on actions indeed gives a causal branching time semantics. It turns out that the induced equivalence is exactly history preserving bisimulation [15,18]. Then we introduce a version of testing equivalence taking causalities into account (investigated in detail in [5]) and show that the corresponding result holds also for testing (or failure) semantics.

In order to establish these results, we need a system model which precisely represents causalities and conflict. We have chosen prime event structures with events labelled by actions as a basic model of this type. We additionally introduce a global dependency relation on actions.
Now, the requirement on the model is that the causality relation respects action dependencies: roughly speaking, events are ordered if and only if their labellings with actions are dependent. We then define interleaving and causal equivalences for our model - bisimulation and history preserving bisimulation, testing and causal testing - and show that they coincide.

Our results are not dependent on the specific model we have used; they hold in the same way for all kinds of event-based models generating configurations with a causality ordering on events. However, the requirement that the ordering on events respects the dependency relation is crucial. Note that the classical example that distinguishes interleaving from causality - $a \parallel b$ versus $ab + ba$ - cannot be formulated in our setting with one global dependency relation. The two systems in Fig. 1 (boxes contain configurations, arrows between boxes denote the ordering on configurations) cannot be structures respecting the same dependency relation: in the left one $a$ and $b$ are independent whereas in the right one they are dependent.

Fig. 1. Two systems with different dependency relations.
2. Basic notions

We assume $Act$ to be a given set of actions and $D \subseteq Act \times Act$ to be a symmetric and reflexive global dependency relation on the set of actions. The complement of $D$, $(Act \times Act) \setminus D$, will be denoted by $I$ (independency relation).

Our investigation requires the use of a model that represents causality. For this purpose we have chosen prime event structures [21]. We use event structures with a particular property of the causality relation, namely respecting the dependency relation. The ordering among two events is always generated by dependencies: either two ordered events are directly - via their labellings - dependent or their ordering is obtained by transitivity via other dependent events; conversely, dependent events are always ordered. Let $\mathbb{E}$ be a global set of events.

Definition 1. A D-respecting (labelled) prime event structure over $\mathbb{E}$ is a tuple $\mathcal{E} = (E, \le, \#, l)$, where
• $E \subseteq \mathbb{E}$ is a set of events,
• $\le \subseteq E \times E$ is a partial order (the causality relation) satisfying the principle of finite causes:
  $\forall e \in E : \{d \in E \mid d \le e\}$ is finite,
  and being D-compatible:
  $\forall e, e' \in E : l(e)\, D\, l(e') \Rightarrow e \le e' \lor e' \le e \lor e \# e'$ and $e \lessdot e' \Rightarrow l(e)\, D\, l(e')$,
  ($e \lessdot e' :\Leftrightarrow e < e'$ and $e \le e'' \le e' \Rightarrow e = e''$ or $e' = e''$),
• $\# \subseteq E \times E$ is an irreflexive, symmetric relation (the conflict relation) satisfying the principle of conflict heredity: $\forall d, e, f \in E : d$
• $l : E \to Act$ is a labelling function.

The behaviour of an event structure is described by the set of its configurations. For $X \subseteq E_{\mathcal{E}}$, the restriction of $\mathcal{E}$ to $X$ is defined as

Definition 2. A subset $X \subseteq E$ of events of a prime event structure $\mathcal{E}$ is left-closed iff, for all $d, e \in E$, $e \in X \land d \le e \Rightarrow d \in X$. $X$ is conflict-free iff $\mathcal{E}|_X$ is conflict-free ($\#_{\mathcal{E}} \cap (X \times X) = \emptyset$). $X \subseteq E$ is called a configuration iff it is left-closed and conflict-free. $C(\mathcal{E})$ denotes the set of all configurations of $\mathcal{E}$.

Configurations of an event structure $\mathcal{E}$ can also be seen as posets by inheriting the causality relation of $\mathcal{E}$. Two configurations $X, Y$ are isomorphic if there exists a bijective function $f : X \to X'$ such that $e$

$\Leftrightarrow X \subseteq X' \land X' \setminus X = \{e\},\ l_{\mathcal{E}}(e) = a$.

For $s = a_1 \ldots a_n$, we write $\emptyset \stackrel{s}{\Longrightarrow}_{\mathcal{E}} X_n$, $X_n \in C(\mathcal{E})$, iff there exist configurations $X_1 \ldots X_{n-1}$ such that $\emptyset \xrightarrow{a_1}_{\mathcal{E}} X_1 \xrightarrow{a_2}_{\mathcal{E}} \cdots \xrightarrow{a_n}_{\mathcal{E}} X_n$.

3. Bisimulation semantics

We now define two equivalence notions on event structures: The first one is the ordinary strong bisimulation of Park and Milner [13,11], a pure interleaving equivalence respecting precisely choices between alternative behaviours, and the second one history preserving bisimulation [15,18] which additionally takes causality into account.

Definition 3. Let $\mathcal{E}, \mathcal{F}$ be prime event structures. A relation $R \subseteq C(\mathcal{E}) \times C(\mathcal{F})$ is called a bisimulation between $\mathcal{E}$ and $\mathcal{F}$ iff
• $(\emptyset, \emptyset) \in R$ and
• $(X, Y) \in R$ implies
  • $X \xrightarrow{a}_{\mathcal{E}} X' \Rightarrow \exists Y'$ such that $Y \xrightarrow{a}_{\mathcal{F}} Y'$ and $(X', Y') \in R$,
  • $Y \xrightarrow{a}_{\mathcal{F}} Y' \Rightarrow \exists X'$ such that $X \xrightarrow{a}_{\mathcal{E}} X'$ and $(X', Y') \in R$.
$\mathcal{E}$ and $\mathcal{F}$ are bisimilar ($\mathcal{E} \sim \mathcal{F}$) iff there exists a bisimulation relation between $\mathcal{E}$ and $\mathcal{F}$.

Definition 4. Let $\mathcal{E}, \mathcal{F}$ be prime event structures. A relation $R \subseteq C(\mathcal{E}) \times C(\mathcal{F})$ is called a (weak) history preserving bisimulation between $\mathcal{E}$ and $\mathcal{F}$ if $(\emptyset, \emptyset) \in R$ and whenever $(X, Y) \in R$ then
• there is an isomorphism between $X$ and $Y$,
• $X \xrightarrow{a}_{\mathcal{E}} X' \Rightarrow \exists Y'$ with $Y \xrightarrow{a}_{\mathcal{F}} Y'$, $(X', Y') \in R$,
• $Y \xrightarrow{a}_{\mathcal{F}} Y' \Rightarrow \exists X'$ with $X \xrightarrow{a}_{\mathcal{E}} X'$, $(X', Y') \in R$.
$\mathcal{E}$ and $\mathcal{F}$ are (weak) history preserving bisimilar ($\mathcal{E} \sim_h \mathcal{F}$) iff there exists a history preserving bisimulation between $\mathcal{E}$ and $\mathcal{F}$.

Due to the reflexivity of the dependency relation all D-respecting event structures will be without autoconcurrency and we can hence use the simpler “weak” version of history preserving bisimulation here (analogously later for causal testing). We now state that the ordinary strong bisimulation ($\sim$) of Park and Milner [13,11] and history preserving bisimulation collapse into one when interpreted on D-respecting event structures:

Theorem 5. Let $\mathcal{E}, \mathcal{F}$ be D-respecting prime event structures. Then $\mathcal{E} \sim \mathcal{F} \Leftrightarrow \mathcal{E} \sim_h \mathcal{F}$.
Proof. ($\Leftarrow$) Straightforward.
($\Rightarrow$) Let $R \subseteq C(\mathcal{E}) \times C(\mathcal{F})$ be a bisimulation relation between $\mathcal{E}$ and $\mathcal{F}$. We will inductively construct a history preserving bisimulation $\mathcal{R} \subseteq C(\mathcal{E}) \times C(\mathcal{F})$ between $\mathcal{E}$ and $\mathcal{F}$.
• Let $(\emptyset, \emptyset)$ be an element of $\mathcal{R}$.
• Now assume that $(X, Y)$ is already in $\mathcal{R}$. We have to construct elements of $\mathcal{R}$ for all configurations reachable from $X$ and $Y$ via transitions. In the following we treat $X$ and $Y$ as posets, i.e. with $E_X$ being the set of events, $\le_X$ the causality relation and $l_X$ the labelling function. Let $f$ be the isomorphism between $X$ and $Y$. Assume $X \xrightarrow{a}_{\mathcal{E}} X'$, $Y \xrightarrow{a}_{\mathcal{F}} Y'$ and $(X', Y') \in R$. Let $\{e_1\} := E_{X'} \setminus E_X$, $\{e_2\} := E_{Y'} \setminus E_Y$ and $l_{X'}(e_1) = l_{Y'}(e_2) = a$. Next let $(X', Y')$ be in $\mathcal{R}$. Then $f' = f \cup \{(e_1, e_2)\}$ is an isomorphism between $X'$ and $Y'$. First, $f'$ is bijective since $f$ is bijective. Second, $l_{X'}(e_1) = l_{Y'}(f'(e_1)) = l_{Y'}(e_2)$ holds by definition. It remains to be shown that for all events $e, e'$ in $E_{X'}$ the following holds: $e$
Note that the result is due to the D-compatibility of the causality relation: if two actions occurring one after another are dependent then the first one has to be causal for the second whereas if they are independent they may not be directly ordered (only via other dependent actions). Hence the ordering in the occurrence of actions plus the dependency relation gives us the complete information about causality.
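The observation above, carried out on concrete runs as an added example (not code from the paper): given a constructed dependency relation D, the functions below (hypothetical names dependency, pomset and same_history) rebuild the causal order of an interleaved run from the order of occurrence plus D, and compare two runs by their causal orders.

```python
def dependency(pairs, alphabet):
    """Symmetric, reflexive closure of the listed pairs: the global relation D."""
    D = {(a, a) for a in alphabet}
    for a, b in pairs:
        D |= {(a, b), (b, a)}
    return D


def pomset(word, D):
    """Causal order of one interleaved run.

    Events are named (action, k) for the k-th occurrence of that action; this
    naming is canonical because D is reflexive (no autoconcurrency). Returns
    (events, order), where order is the set of strict pairs (cause, effect).
    """
    seen, names, causes = {}, [], []
    for j, a in enumerate(word):
        seen[a] = seen.get(a, 0) + 1
        names.append((a, seen[a]))
        cj = set()
        for i in range(j):
            if (word[i], a) in D:       # earlier and dependent: i causes j
                cj |= causes[i] | {i}   # and so does everything that caused i
        causes.append(cj)
    order = {(names[i], names[j]) for j, cj in enumerate(causes) for i in cj}
    return frozenset(names), frozenset(order)


def same_history(u, v, D):
    """True iff runs u and v reach configurations with isomorphic causal orders."""
    return pomset(u, D) == pomset(v, D)


# Constructed sample relations (not from the paper).
D_INDEP = dependency([("a", "c"), ("b", "c")], "abc")   # a and b independent
D_DEP = dependency([("a", "b")], "ab")                   # a and b dependent

if __name__ == "__main__":
    print(same_history("abc", "bac", D_INDEP))
    print(same_history("ab", "ba", D_DEP))
    print(sorted(pomset("abc", dependency([("a", "b"), ("b", "c")], "abc"))[1]))
```

With a and b independent the two orders of execution give the same causal order, while with a and b dependent the runs ab and ba are distinguished, which is the situation of Fig. 1.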
4. Testing semantics

A similar result also holds for another branching time equivalence and its causal variant, namely for the interleaving testing equivalence of De Nicola and Hennessy [4]. On event structures we will use the following form of the interleaving tests: $\mathcal{E}$ after $s$ MUST $L$ holds if in all configurations which are being reached from the initial configuration $\emptyset$ by successively executing the actions of the string $s$ next an action from the set $L$ is possible.

Definition 6. Let $\mathcal{E}, \mathcal{F}$ be prime event structures, $s \in Act^*$ and $L \subseteq Act$. $\mathcal{E}$ after $s$ MUST $L$ iff for all $X$ such that $\emptyset \stackrel{s}{\Longrightarrow}_{\mathcal{E}} X$ there exists an $a \in L$, $X' \in C(\mathcal{E})$ such that $X \xrightarrow{a}_{\mathcal{E}} X'$.
$\mathcal{E}$ and $\mathcal{F}$ are interleaving testing equivalent ($\mathcal{E} \sim_t \mathcal{F}$) iff for all $s \in Act^*$, $L \subseteq Act$, $\mathcal{E}$ after $s$ MUST $L$ iff $\mathcal{F}$ after $s$ MUST $L$.

The idea of testing can be - as for bisimulation - extended for keeping track of causalities [5] (we again only give the weak version). The idea is that the experiments on event structures are pomsets $p$ instead of words and the actions which are required to take place after $p$ are being causally related to $p$; we thus use sets of pomsets $Q$ being extensions of $p$ by one action occurrence.

Definition 7. Let $\mathcal{E}, \mathcal{F}$ be prime event structures, $p$ a pomset and $Q$ a set of pomsets such that $\forall q \in Q : p \prec q$. $\mathcal{E}$ after $p$ MUST $Q$ iff for all $X \in C(\mathcal{E})$ with $X \in p$ there exists $q \in Q$, $X' \in C(\mathcal{E})$ such that $X' \in q$.
$\mathcal{E}$ and $\mathcal{F}$ are (weak) causal testing equivalent ($\mathcal{E} \sim_{wct} \mathcal{F}$) iff for all $p, Q$, $\mathcal{E}$ after $p$ MUST $Q \Leftrightarrow \mathcal{F}$ after $p$ MUST $Q$ holds.
When interpreted on D-respecting event structures these two equivalences again collapse into one:

Theorem 8. Let $\mathcal{E}, \mathcal{F}$ be D-respecting prime event structures. Then $\mathcal{E} \sim_t \mathcal{F} \Leftrightarrow \mathcal{E} \sim_{wct} \mathcal{F}$.

Proof. ($\Leftarrow$) See [5].
($\Rightarrow$) Assume $\mathcal{E} \sim_t \mathcal{F}$ but not $\mathcal{E} \sim_{wct} \mathcal{F}$. Then there must be some weak causal test $p, Q$ such that $\mathcal{E}$ after $p$ MUST $Q$ but not $\mathcal{F}$ after $p$ MUST $Q$ (or reversely). From this we now derive interleaving tests. Let $X \in p$ be a representative of the class $p$ and $tr(X) := \{e_1 \ldots e_n \mid \{e_1, \ldots, e_n\} = X, e_i$

$L := \{l_q(e) \mid q \in Q, E_q \setminus E_p = \{e\}\}$. Then $\forall s \in lin(p)$ : $\mathcal{E}$ after $s$ MUST $L$. This holds since due to D-compatibility all configurations $X$ such that $\emptyset \stackrel{s}{\Longrightarrow}_{\mathcal{E}} X$ are in $p$ and since then there exists $q \in Q$, $X' \in C(\mathcal{E})$ such that $X' \in q$ we can always find a configuration $X'$ with $X \xrightarrow{a}_{\mathcal{E}} X'$ for some $a \in L$. Hence also $\mathcal{F}$ after $s$ MUST $L$ for all $s \in lin(p)$. With the same reasoning we get that all configurations $Y \in C(\mathcal{F})$ such that $\emptyset \stackrel{s}{\Longrightarrow}_{\mathcal{F}} Y$ are in $p$ and all configurations $Y'$ such that $Y \xrightarrow{a}_{\mathcal{F}} Y'$ for some $a \in L$ are in $q$. It follows that $\mathcal{F}$ after $p$ MUST $Q$ which contradicts the assumption. □

5. Conclusion

We have shown that it is possible to work with an interleaving semantics and still retrieve the information about causalities when a global dependency relation can be assumed.

There is a connection of our result on bisimulation semantics with [1,16]. There it is shown that bisimulation on causal trees ([2]) equals history preserving bisimulation. The ideas underlying this work and ours are similar: the causality which is preserved by history preserving bisimulation is in causal trees represented by the causes in the labels of the tree and in our work by the dependency relation. Hence it is not very surprising that bisimulation on transition systems together with a global dependency relation also yields history preserving bisimulation in our setting. However, in the class of systems with global dependencies we are able to work with a simpler model than causal trees, namely just the usual interleaving transition system, whereas in causal trees the causality still has to be explicitly represented. Our theorem on bisimulation could also be derived from [1,16] together with a transformation from transition systems with dependencies into causal trees, but the direct proof of the theorem which we have given is rather simple.

A problem in interleaving semantics is that they are not robust against refinement of actions. Our results imply that it is indeed possible to use action refinement in an interleaving setting as long as we work with a global dependency relation. This follows since history preserving bisimulation is known to be invariant against refinement and in [5] it is shown that this also holds for causal testing. However, one application of global dependencies is the definition of more loose notions of refinement (inheriting causalities only when specified by a dependency [7,19]). In [20] invariance against loose refinement is shown to hold for history preserving bisimulation on prime event structures, for other models like e.g. flow event structures it is however lost.

Another consequence of our result for bisimulation is that we can use Hennessy-Milner-logic [6] as a logical characterisation of history preserving bisimulation on prime event structures respecting a dependency relation.

Acknowledgement

Thanks to Arend Rensink for many fruitful discussions, and to the anonymous referees for valuable comments which helped to improve the paper.
References

[1] L. Aceto, History preserving, causal and mixed-ordering equivalences over stable event structures, Fund. Inform. 17 (1992).
[2] P. Darondeau and P. Degano, Causal trees = interleaving + causality, in: I. Guessarian, ed., Semantics of Systems of Concurrent Processes, Lecture Notes in Computer Science 469 (Springer, Berlin, 1990) 239-255.
[3] J.W. de Bakker, W.-P. de Roever and G. Rozenberg, eds., Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Lecture Notes in Computer Science 354 (Springer, Berlin, 1989).
[4] R. De Nicola and M. Hennessy, Testing equivalences for processes, Theoret. Comput. Sci. 34 (1984) 83-133.
[5] U. Goltz and H. Wehrheim, Causal testing, Tech. Rept. 5/96, University of Hildesheim, 1996.
[6] M. Hennessy and R. Milner, Algebraic laws for nondeterminism and concurrency, J. ACM 23 (1) (1985) 137-161.
[7] W. Janssen, M. Poel and J. Zwiers, Actions systems and action refinement in the development of parallel systems, in: J.C.M. Baeten and J.F. Groote, eds., Concur '91, Lecture Notes in Computer Science 527 (Springer, Berlin, 1991) 298-316.
[8] W. Janssen and J. Zwiers, Protocol design by layered decomposition: A compositional approach, in: Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science 571 (Springer, Berlin, 1992).
[9] A. Mazurkiewicz, Trace theory, in: W. Brauer, W. Reisig and G. Rozenberg, eds., Petri Nets: Applications and Relationships to Other Models of Concurrency, Lecture Notes in Computer Science 255 (Springer, Berlin, 1986) 279-324.
[10] A. Mazurkiewicz, Basic notions of trace theory, in: J.W. de Bakker, W.-P. de Roever and G. Rozenberg, eds., Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Lecture Notes in Computer Science 354 (Springer, Berlin, 1989) 285-363.
[11] R. Milner, Communication and Concurrency (Prentice-Hall, Englewood Cliffs, NJ, 1989).
[12] E. Ochmanski, Regular behaviour of concurrent systems, Bull. EATCS 27 (1985) 56-67.
[13] D. Park, Concurrency and automata on infinite sequences, in: P. Deussen, ed., Proc. 5th GI Conf., Lecture Notes in Computer Science 104 (Springer, Berlin, 1981) 167-183.
[14] D. Peled, All from one, one for all: On model checking using representatives, in: Proc. 5th Workshop on Computer Aided Verification, Lecture Notes in Computer Science (Springer, Berlin, 1993).
[15] A. Rabinovich and B.A. Trakhtenbrot, Behaviour structure and nets, Fund. Inform. 11 (4) (1988) 357-404.
[16] F. Vaandrager, An explicit representation of equivalence classes of history preserving bisimulation, Unpublished manuscript, 1989.
[17] R.J. van Glabbeek, The linear time - Branching time spectrum, in: J.C.M. Baeten and J.W. Klop, eds., Concur '90, Lecture Notes in Computer Science 458 (Springer, Berlin, 1990) 278-297.
[18] R. van Glabbeek and U. Goltz, Equivalences and refinement, in: I. Guessarian, ed., 18ème Ecole de Printemps d'Informatique Theorique Semantique du Parallelisme, Lecture Notes in Computer Science 469 (Springer, Berlin, 1990).
[19] H. Wehrheim, Parametric action refinement, in: E.R. Olderog, ed., IFIP Transactions: Programming Concepts, Methods and Calculi (Elsevier, Amsterdam, 1994) 247-266.
[20] H. Wehrheim, Specifying reactive systems with action dependencies: Modelling and hierarchical design, Ph.D. Thesis, University of Hildesheim, 1996.
[21] G. Winskel, An introduction to event structures, submitted. in: J.W. de Bakker, W.-P. de Roever and G. Rozenberg, eds., Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Lecture Notes in Computer Science 354 (Springer, Berlin, 1989) 364-397.
[22] P. Wolper and P. Godefroid, Partial-order methods for temporal verification, in: E. Best, ed., CONCUR'93, Lecture Notes in Computer Science 715 (Springer, Berlin, 1993) 233-246.