
The starting point for our investigations into refinement is the notion of bisimulation. Bisimulation is an equivalence over processes. It equates two processes if they can perform the same actions at corresponding stages of execution.

This notion was successfully used for comparing behaviours of communicating (parallel) processes (see CCS [90]) and automata (see [94]). In order to apply the theory of bisimulation to our setting, we need to make a few modifications.

In CCS [90], process and state are identified, suggesting that every process has a local state which can only be accessed by other processes through message-passing communication. An essential feature of the Gamma model is its use of a shared dataspace. The shared dataspace is a repository of data which may be operated upon concurrently by multiple processes. Every change to the dataspace can be noticed by all processes. Clearly, the behaviour of schedules depends on the shared dataspace. Therefore, we are concerned with the behaviour of configurations $\langle s, M\rangle$ which tie the behaviour of schedules to the contents of the shared dataspace.

Additionally, bisimulation induces an equivalence relation, while we are interested in a partial ordering of refinements which considers a schedule s to be a refinement of a schedule t, if s may engage in a subset of the behaviours of t, but not necessarily the other way around. The notion obtained by breaking the symmetry of bisimulation is studied in Section 4.2.1. In subsequent sections we will improve this notion and study several variations.

4.2.1 Prefix Simulation

The obvious, but as it turns out naive, way of obtaining simulation from bisimulation is by breaking the symmetry. This leads to the following characterization of refinement: $s$ can be simulated by $t$, if every transition of $s$ can be matched by $t$. For reasons that will be explained shortly, the notion we have arrived at is called prefix simulation.

Definition 4.2.1 A binary relation on configurations $R \subseteq C \times C$ is a prefix simulation if $(\langle s, M\rangle, \langle t, N\rangle) \in R$ implies, for all $\lambda$,

1. $N = M$

2. $\langle s, M\rangle \xrightarrow{\lambda} \langle s', M'\rangle \;\Rightarrow\; \exists t' : \langle t, M\rangle \xrightarrow{\lambda} \langle t', M'\rangle$ such that $(\langle s', M'\rangle, \langle t', M'\rangle) \in R$

Prefix refinement is defined as the largest prefix simulation relation.

Definition 4.2.2 Given configurations $\langle s, M\rangle$ and $\langle t, N\rangle$, we say that $\langle s, M\rangle$ is a prefix refinement of $\langle t, N\rangle$, written $\langle s, M\rangle \leq_p \langle t, N\rangle$, if $(\langle s, M\rangle, \langle t, N\rangle) \in R$ for some prefix simulation $R$. This may be equivalently expressed as:

$\leq_p \;=\; \bigcup \{\, R \mid R \text{ is a prefix simulation} \,\}$

The well-definedness of the relation $\leq_p$ can be shown using standard fixed-point techniques (e.g. [90]).

The definition of prefix simulation says that if $\langle s, M\rangle$ is to be a prefix refinement of $\langle t, N\rangle$, then for every transition that $\langle s, M\rangle$ makes, $\langle t, N\rangle$ must be able to follow suit. This works as expected for the following example (we abbreviate $r_i \to \mathit{skip}$ by $r_i$).

Example 4.2.3 Consider the following prefix refinement:

$\langle r_1; r_2; r_3, M\rangle \leq_p \langle r_1 \parallel r_2 \parallel r_3, M\rangle$

If $\langle r_1; r_2; r_3, M\rangle$ executes its first rule $r_1$ (resulting in $\langle r_2; r_3, M'\rangle$ for some $M'$) then this can be simulated by $\langle r_1 \parallel r_2 \parallel r_3, M\rangle$, which leads to a configuration $\langle r_2 \parallel r_3, M'\rangle$. Next, $\langle r_2; r_3, M'\rangle$ may proceed by executing $r_2$, yielding $\langle r_3, M''\rangle$ for some $M''$. This can be mimicked by $\langle r_2 \parallel r_3, M'\rangle$, also ending up as $\langle r_3, M''\rangle$.

We intend to use simulation to repeatedly obtain successively more refined versions of a schedule. In order to retain correctness, it is then necessary that a refined schedule terminates only in multisets that are also terminal multisets for the schedule it refines. The next example illustrates that this requirement is not guaranteed by the notion of prefix simulation.

Example 4.2.4 We check that the following is a prefix refinement:

$\langle r_1, M\rangle \leq_p \langle r_1 \parallel r_2, M\rangle$

If the left hand side executes $r_1$, it arrives in $\langle \mathit{skip}, M'\rangle$ for some $M'$. The right hand side can match the execution of $r_1$ and becomes $\langle r_2, M'\rangle$. Because the refining side $\langle \mathit{skip}, M'\rangle$ can make no further transition, the definition of $\leq_p$ holds vacuously for the remaining configurations. However, the right hand side $\langle r_2, M'\rangle$ has not yet reached a final multiset.

Hence in this case the refining side does not reach the same final multiset(s). From this example we learn that, in general, we have, for any configuration $\langle s, M\rangle$,

$\langle \mathit{skip}, M\rangle \leq_p \langle s, M\rangle$

This justifies refining the schedule component of an arbitrary configuration by the empty schedule. Such a replacement does not in general preserve the functionality of the schedule, hence this notion does not capture our intended meaning of refinement.
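To make Definitions 4.2.1 and 4.2.2 and the two examples concrete, the following Python program is added here; it is not code from the thesis, and the Gamma schedule semantics it encodes is a simplification chosen for illustration. It computes the largest prefix simulation as a greatest fixed point over the configurations reachable from both sides (the union in Definition 4.2.2, obtained by starting from all pairs with equal multisets and deleting pairs that violate condition 2 until nothing changes), and then checks Example 4.2.3, Example 4.2.4 and the degenerate refinement $\langle \mathit{skip}, M\rangle \leq_p \langle s, M\rangle$. Everything about the rules is assumed rather than taken from the page: each rule $r_i$ rewrites one element of the multiset ($r_1$: a to b, $r_2$: b to c, $r_3$: c to d, a constructed rule set), transition labels $\lambda$ are rule names, $\mathit{skip};t$ and $\mathit{skip} \parallel t$ are identified with $t$, and a final multiset is that of a configuration without transitions.

```python
# Added example (not from the thesis): a toy transition system for Gamma
# schedules and a greatest-fixed-point computation of the largest prefix
# simulation of Definition 4.2.1/4.2.2.  Assumptions (also stated in the
# lead-in): a rule r_i rewrites one occurrence of a multiset element;
# transition labels are rule names; skip;t and skip||t are identified
# with t; a "final multiset" belongs to a configuration with no transitions.
from collections import deque
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

Multiset = Tuple[str, ...]  # a multiset is kept as a sorted tuple of element names


@dataclass(frozen=True)
class Skip:
    """The empty schedule."""


@dataclass(frozen=True)
class Rule:
    """A rule term r_i, i.e. the abbreviation of r_i -> skip used in the text."""
    name: str


@dataclass(frozen=True)
class Seq:
    left: "Schedule"
    right: "Schedule"


@dataclass(frozen=True)
class Par:
    left: "Schedule"
    right: "Schedule"


Schedule = Union[Skip, Rule, Seq, Par]
Config = Tuple[Schedule, Multiset]

# Constructed rule set (assumption): each rule replaces one element by another.
RULES: Dict[str, Tuple[str, str]] = {"r1": ("a", "b"), "r2": ("b", "c"), "r3": ("c", "d")}


def apply_rule(name: str, M: Multiset) -> Set[Multiset]:
    """All multisets reachable by firing `name` once on M (empty if not applicable)."""
    src, dst = RULES[name]
    return {tuple(sorted(M[:i] + (dst,) + M[i + 1:])) for i, x in enumerate(M) if x == src}


def norm(s: Schedule) -> Schedule:
    """Structural identities assumed here: skip;t = t and skip||t = t||skip = t."""
    if isinstance(s, Seq) and isinstance(s.left, Skip):
        return s.right
    if isinstance(s, Par):
        if isinstance(s.left, Skip):
            return s.right
        if isinstance(s.right, Skip):
            return s.left
    return s


def step(cfg: Config) -> Set[Tuple[str, Config]]:
    """Labelled transitions <s, M> --lambda--> <s', M'> of a configuration."""
    s, M = cfg
    out: Set[Tuple[str, Config]] = set()
    if isinstance(s, Rule):
        for M2 in apply_rule(s.name, M):
            out.add((s.name, (Skip(), M2)))
    elif isinstance(s, Seq):  # only the left component may move
        for lam, (s2, M2) in step((s.left, M)):
            out.add((lam, (norm(Seq(s2, s.right)), M2)))
    elif isinstance(s, Par):  # either component may move (interleaving)
        for lam, (s2, M2) in step((s.left, M)):
            out.add((lam, (norm(Par(s2, s.right)), M2)))
        for lam, (s2, M2) in step((s.right, M)):
            out.add((lam, (norm(Par(s.left, s2)), M2)))
    return out


def reachable(cfg: Config) -> Set[Config]:
    """All configurations reachable from cfg (finite here: rules only consume)."""
    seen, queue = {cfg}, deque([cfg])
    while queue:
        for _, nxt in step(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def terminal_multisets(cfg: Config) -> Set[Multiset]:
    """Multisets of reachable configurations that have no transition."""
    return {M for (s, M) in reachable(cfg) if not step((s, M))}


def largest_prefix_simulation(lhs: Config, rhs: Config) -> Set[Tuple[Config, Config]]:
    """Greatest fixed point: start from all pairs satisfying condition 1 (equal
    multisets) over the reachable configurations and delete pairs violating
    condition 2 until the set is stable."""
    configs = reachable(lhs) | reachable(rhs)
    R = {(c, d) for c in configs for d in configs if c[1] == d[1]}
    changed = True
    while changed:
        changed = False
        for c, d in list(R):
            if (c, d) not in R:
                continue
            for lam, c2 in step(c):
                # every move of c must be matched by d with the same label,
                # landing in a pair that is still in R
                if not any(lam == mu and (c2, d2) in R for mu, d2 in step(d)):
                    R.discard((c, d))
                    changed = True
                    break
    return R


def prefix_refines(lhs: Config, rhs: Config) -> bool:
    """<s, M> <=_p <t, N> iff the pair lies in the largest prefix simulation."""
    return (lhs, rhs) in largest_prefix_simulation(lhs, rhs)


r1, r2, r3 = Rule("r1"), Rule("r2"), Rule("r3")
M: Multiset = ("a",)  # constructed initial multiset

if __name__ == "__main__":
    seq, par = Seq(r1, Seq(r2, r3)), Par(r1, Par(r2, r3))
    print("Example 4.2.3:", prefix_refines((seq, M), (par, M)))
    print("Example 4.2.4:", prefix_refines((r1, M), (Par(r1, r2), M)))
    print("terminal multisets:", terminal_multisets((r1, M)), terminal_multisets((Par(r1, r2), M)))
    print("skip refines anything:", prefix_refines((Skip(), M), (par, M)))
```

Running the program reproduces the argument of the section: the sequential schedule of Example 4.2.3 is a prefix refinement of the parallel one, and so are both $\langle r_1, M\rangle$ and $\langle \mathit{skip}, M\rangle$ with respect to $\langle r_1 \parallel r_2, M\rangle$. The function `terminal_multisets` makes the defect of Example 4.2.4 visible in data: under the constructed rules the refining side terminates in {b} while the refined side terminates in {c}, which is exactly the loss of functionality that a usable refinement ordering must rule out. Checking the reverse direction on a multiset where $r_2$ is applicable from the start also shows that the ordering is not symmetric: the parallel schedule can fire $r_2$ first, which the sequential one cannot match.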