Finite-state concurrent programs can be expressed pairwise

We present a \emph{pairwise normal form} for finite-state shared memory concurrent programs: all variables are shared between exactly two processes, and the guards on transitions are conjunctions of conditions over this pairwise shared state. This re…

Authors: Paul C. Attie

Paul C. Attie
Department of Computer Science, American University of Beirut, and Center for Advanced Mathematical Sciences, American University of Beirut
paul.attie@aub.edu.lb
September 7, 2021

Abstract

We present a pairwise normal form for finite-state shared memory concurrent programs: all variables are shared between exactly two processes, and the guards on transitions are conjunctions of conditions over this pairwise shared state. This representation has been used to efficiently (in polynomial time) synthesize and model-check correctness properties of concurrent programs. Our main result is that any finite-state concurrent program can be transformed into pairwise normal form. Specifically, if $Q$ is an arbitrary finite-state shared memory concurrent program, then there exists a finite-state shared memory concurrent program $P$ expressed in pairwise normal form such that $P$ is strongly bisimilar to $Q$. Our result is constructive: we give an algorithm for producing $P$, given $Q$.

1 Introduction

The state explosion problem is recognized as a fundamental impediment to the widespread application of mechanical finite-state verification and synthesis methods, in particular, model-checking. The problem is particularly severe when considering finite-state concurrent programs, as the individual processes making up such programs may be quite different (no similarity) and may be only loosely coupled (leading to a large number of global states). In previous work [1, 2, 5], we have suggested a method of avoiding state-explosion by expressing the synchronization and communication code for each pair of interacting processes separately from that for other (even intersecting) pairs. In particular, all shared variables are shared by exactly one pair of processes.
This “pairwise normal form” enables us, for any arbitrarily large concurrent program, to model-check correctness properties for the concurrent compositions of small numbers of processes (so far 2 or 3) and then conclude that these properties also hold in the large program. If $P$ is a concurrent program consisting of $K$ processes each having $O(N)$ local states, then we can verify the deadlock freedom of $P$ in $O(K^3 N^3 b)$ time (footnote 1) or $O(K^4 N^4)$ time, using either of two conservative tests [5], and we can verify safety and liveness properties of $P$ in $O(K^2 N^2)$ time [1, 2].

A key question regarding the pairwise approach is: does it give up expressive power? That is, in requiring synchronization and communication code to be expressed pairwise, do we constrain the set of concurrent programs that can be represented? In this paper, we answer this question in the negative: we show that for any concurrent program $Q$, we can (constructively) produce a concurrent program $P$ that is in pairwise normal form, and that is strongly bisimilar to $Q$.

The rest of the paper is as follows. Section 2 presents our model of concurrent computation and defines the global state transition diagram of a concurrent program. Section 3 defines pairwise normal form. Section 4 presents our main result: any finite-state concurrent program can be expressed in pairwise normal form. Section 5 discusses related work, and Section 6 concludes.

Footnote 1: $b$ is the maximum branching in the local state transition relation of a single process.

2 Technical Preliminaries

2.1 Model of concurrent computation

We consider finite-state shared memory concurrent programs of the form $P = P_1 \parallel \cdots \parallel P_K$ that consist of a finite number $K$ of fixed sequential processes $P_1, \ldots, P_K$ running in parallel.
Each $P_i$ is a synchronization skeleton [11], that is, a directed multigraph where each node is a (local) state of $P_i$ (also called an $i$-state) and is labeled by a unique name ($s_i$), and where each arc is labeled with a guarded command [9] $B_i \to A_i$ consisting of a guard $B_i$ and corresponding action $A_i$. Each node must have at least one outgoing arc, i.e., a skeleton contains no “dead ends.” With each $P_i$, we associate a set $AP_i$ of atomic propositions, and a mapping $V_i$ from local states of $P_i$ to subsets of $AP_i$: $V_i(s_i)$ is the set of atomic propositions that are true in $s_i$. As $P_i$ executes transitions and changes its local state, the atomic propositions in $AP_i$ are updated. Different local states of $P_i$ have different truth assignments: $V_i(s_i) \neq V_i(t_i)$ for $s_i \neq t_i$. Atomic propositions are not shared: $AP_i \cap AP_j = \emptyset$ when $i \neq j$. Other processes can read (via guards) but not update the atomic propositions in $AP_i$. We define the set of all atomic propositions $AP = AP_1 \cup \cdots \cup AP_K$. There is also a set $\mathcal{SH} = \{x_1, \ldots, x_m\}$ of shared variables, which can be read and written by every process. These are updated by the action $A_i$.

A global state is a tuple of the form $(s_1, \ldots, s_K, v_1, \ldots, v_m)$ where $s_i$ is the current local state of $P_i$ and $v_1, \ldots, v_m$ is a list giving the current values of $x_1, \ldots, x_m$, respectively. A guard $B_i$ is a predicate on global states, and so can reference any atomic proposition and any shared variable. An action $A_i$ is any piece of terminating pseudocode that updates the shared variables (footnote 2). We write just $A_i$ for $\mathit{true} \to A_i$ and just $B_i$ for $B_i \to \mathit{skip}$, where $\mathit{skip}$ is the empty assignment.

We model parallelism as usual by the nondeterministic interleaving of the “atomic” transitions of the individual processes $P_i$. Let $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ be the current global state, and let $P_i$ contain an arc from node $s_i$ to $s'_i$ labeled with $B_i \to A_i$. We write such an arc as the tuple $(s_i, B_i \to A_i, s'_i)$, and call it a $P_i$-arc from $s_i$ to $s'_i$. We use just arc when $P_i$ is specified by the context. If $B_i$ holds in $s$, then a permissible next state is $s' = (s_1, \ldots, s'_i, \ldots, s_K, v'_1, \ldots, v'_m)$ where $v'_1, \ldots, v'_m$ are the new values for the shared variables resulting from action $A_i$. Thus, at each step of the computation, a process with an enabled arc is nondeterministically selected to be executed next. The transition relation $R$ is the set of all such $(s, i, s')$. The arc from node $s_i$ to $s'_i$ is enabled in state $s$. An arc that is not enabled is blocked. Our model of computation is a high-atomicity model, since a process $P_i$ can evaluate the guard $B_i$, execute the action $A_i$, and change its local state, all in one action.

Recall that we define a global state to be a tuple of local states and shared variable values, rather than a “name” together with a labeling function $L$ that gives the associated valuation. A consequence of this definition is that two different global states must differ in either some local state or some shared variable value. Since we require different local states to differ in at least one atomic proposition value, we conclude that two different global states differ in at least one atomic proposition value or one shared variable value.

We define the valuation corresponding to a global state $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ as follows. For an atomic proposition $p_i \in AP_i$: $s(p_i) = \mathit{true}$ if $p_i \in V_i(s_i)$, and $s(p_i) = \mathit{false}$ if $p_i \notin V_i(s_i)$. For a shared variable $x_\ell$, $1 \le \ell \le m$: $s(x_\ell) = v_\ell$.

We define $s \restriction AP$ to be the set $\{p \in AP \mid s(p) = \mathit{true}\}$, i.e., the set of propositions that are true in state $s$. $s \restriction AP$ is essentially the projection of $s$ onto the atomic propositions. Also, $s \restriction i$ is defined to be $s_i$, i.e., the local state of $P_i$ in $s$. We also define $s \restriction \mathcal{SH}$ to be the set $\{\langle x, s(x) \rangle \mid x \in \mathcal{SH}\}$, i.e., the set of all pairs consisting of a shared variable $x$ in $\mathcal{SH}$ together with the value that $s$ assigns to $x$.

Let $St$ be a given set of initial states in which computations of $P$ can start. A computation path is a sequence of states whose first state is in $St$ and where each successive pair of states is related by $R$. A state is reachable iff it lies on some computation path. Since we must specify the start states $St$ in order for the computation paths to be well-defined, we re-define our notion of a program to be $P = (St, P_1 \parallel \cdots \parallel P_K)$, i.e., a program consists of the parallel composition of $K$ processes, together with a set $St$ of initial states.

For technical convenience, and without loss of generality, we assume that no synchronization skeleton contains a node with a self-loop. The functionality of a self-loop (e.g., a busy wait) can always be achieved by using a loop containing two local states. Thus, a transition by $P_i$ changes the local state of $P_i$, and therefore the value of at least one atomic proposition in $AP_i$. Hence, no global state $s$ has a self loop, i.e., a transition by some $P_i$ both starting and finishing in $s$.

Footnote 2: We will only use straight-line code in this paper, so termination is always guaranteed.

For a local state $s_i$, define $\{|s_i|\}$ as follows:

Definition 1 (State-to-Formula Translation)
$$\{|s_i|\} = \text{“}\Bigl(\bigwedge_{p \in V_i(s_i)} p\Bigr) \wedge \Bigl(\bigwedge_{p \notin V_i(s_i)} \neg p\Bigr)\text{”}$$
where $p$ ranges over $AP_i$.

$\{|s_i|\}$ converts a local state $s_i$ into a propositional formula over $AP_i$.
If $s$ is a global state and $B$ is a guard, we define $s(B)$ by the usual inductive scheme: $s(\text{“}x = c\text{”}) = \mathit{true}$ iff $s(x) = c$; $s(B_1 \wedge B_2) = \mathit{true}$ iff $s(B_1) = \mathit{true}$ and $s(B_2) = \mathit{true}$; $s(\neg B_1) = \mathit{true}$ iff $s(B_1) = \mathit{false}$. If $s(B) = \mathit{true}$, we also write $s \models B$.

2.2 The Global State Transition Diagram of a Concurrent Program

Definition 2 (Global state transition diagram) Given a concurrent program $P = P_1 \parallel \cdots \parallel P_K$ and a set $St$ of initial global states for $P$, the global state transition diagram generated by $P$ is a Kripke structure $M = (St, S, R)$ given as follows: (1) $S$ is the smallest set of global states satisfying (1.1) $St \subseteq S$ and (1.2) if there exist $s \in S$, $i \in [K]$ (footnote 3), and $u$ such that $(s, i, u)$ is in the next-state relation defined above in Section 2.1, then $u \in S$; and (2) $R$ is the next-state relation restricted to $S$.

We define strong bisimulation in the standard way.

Definition 3 (Strong Bisimulation) Let $M = (St, S, R)$ and $M' = (St', S', R')$ be two Kripke structures with the same underlying set $AP$ of atomic propositions. A relation $B \subseteq S \times S'$ is a strong bisimulation iff:
1. if $B(s, s')$ then $s \restriction AP = s' \restriction AP$
2. if $B(s, s')$ and $(s, i, u) \in R$ then $\exists u' : (s', i, u') \in R' \wedge B(u, u')$
3. if $B(s, s')$ and $(s', i, u') \in R'$ then $\exists u : (s, i, u) \in R \wedge B(u, u')$

We also define $\sim$ to be the union of all strong bisimulation relations: $\sim\ = \bigcup \{B : B \text{ is a strong bisimulation}\}$. We say that $M$ and $M'$ are strongly bisimilar, and write $M \sim M'$, if and only if there exists a strong bisimulation $B$ such that $\forall s \in St, \exists s' \in St' : B(s, s')$ and $\forall s' \in St', \exists s \in St : B(s, s')$.

Footnote 3: We use $[K]$ for the set consisting of the natural numbers $1, \ldots, K$.

3 Pairwise normal form

Let $\oplus$, $\otimes$ be binary infix operators. A general guarded command [2] is either a guarded command as given in Section 2.1 above, or has the form $G_1 \oplus G_2$ or $G_1 \otimes G_2$, where $G_1$, $G_2$ are general guarded commands. Roughly, the operational semantics of $G_1 \oplus G_2$ is that either $G_1$ or $G_2$, but not both, can be executed, and the operational semantics of $G_1 \otimes G_2$ is that both $G_1$ and $G_2$ must be executed, that is, the guards of both $G_1$ and $G_2$ must hold at the same time, and the bodies of $G_1$ and $G_2$ must be executed simultaneously, as a single parallel assignment statement. For the semantics of $G_1 \otimes G_2$ to be well-defined, there must be no conflicting assignments to shared variables in $G_1$ and $G_2$. This will always be the case for the programs we consider. We refer the reader to [2] for a comprehensive presentation of general guarded commands.

Definition 4 (Pairwise Normal Form) A concurrent program $P = P_1 \parallel \cdots \parallel P_K$ is in pairwise normal form iff the following four conditions all hold:
1. every arc $a_i$ of every process $P_i$ has the form
$$a_i = \Bigl(s_i,\ \bigotimes_{j \in I(i)} \bigoplus_{\ell \in \{1,\ldots,n_j\}} B^j_{i,\ell} \to A^j_{i,\ell},\ t_i\Bigr),$$
where $B^j_{i,\ell} \to A^j_{i,\ell}$ is a guarded command, $I$ is an irreflexive symmetric relation over $[K]$ that defines an “interconnection” (or “neighbors”) relation amongst processes, and $I(i) = \{j \mid (i, j) \in I\}$,
2. variables are shared in a pairwise manner, i.e., for each $(i, j) \in I$, there is some set $\mathcal{SH}_{ij}$ of shared variables that are the only variables that can be read and written by both $P_i$ and $P_j$,
3. $B^j_{i,\ell}$ can reference only variables in $\mathcal{SH}_{ij}$ and atomic propositions in $AP_j$, and
4. $A^j_{i,\ell}$ can update only variables in $\mathcal{SH}_{ij}$.
For each neighbor $P_j$ of $P_i$, $\bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}$ specifies $n$ alternatives $B^j_{i,\ell} \to A^j_{i,\ell}$, $1 \le \ell \le n$, for the interaction between $P_i$ and $P_j$ as $P_i$ transitions from $s_i$ to $t_i$. $P_i$ must execute such an interaction with each of its neighbors in order to transition from $s_i$ to $t_i$. We emphasize that $I$ is not necessarily the set of all pairs, i.e., there can be processes that do not directly interact by reading each other's atomic propositions or reading/writing pairwise shared variables. We do not assume, unless otherwise stated, that processes are isomorphic, or “similar.”

We use a superscript $I$ to indicate the relation $I$, e.g., process $P^I_i$, and $P_i$ $I$-arc $a^I_i$. We define $a^I_i.\mathit{start} = s_i$, $a^I_i.\mathit{guard}_j = \bigvee_{\ell \in \{1,\ldots,n_j\}} B^j_{i,\ell}$, and $a^I_i.\mathit{guard} = \bigwedge_{j \in I(i)} a_i.\mathit{guard}_j$. If $P^I = P^I_1 \parallel \cdots \parallel P^I_K$ is a concurrent program with interconnection relation $I$, then we call $P^I$ an $I$-system. For the special case when $I = \{(i, j) \mid i, j \in [K], i \neq j\}$, i.e., $I$ is the complete interconnection relation, we omit the superscript $I$.

In pairwise normal form, the synchronization code for $P^I_i$ with one of its neighbors $P^I_j$ (i.e., $\bigoplus_{\ell \in \{1,\ldots,n_j\}} B^j_{i,\ell} \to A^j_{i,\ell}$) is expressed separately from the synchronization code for $P^I_i$ with another neighbor $P^I_k$ (i.e., $\bigoplus_{\ell \in \{1,\ldots,n_k\}} B^k_{i,\ell} \to A^k_{i,\ell}$). We can exploit this property to define “subsystems” of an $I$-system $P$ as follows. Let $J \subseteq I$ and $\mathit{range}(J) = \{i \mid \exists j : (i, j) \in J\}$. If $a^I_i$ is an arc of $P^I_i$ then define $a^J_i = (s_i, \bigotimes_{j \in J(i)} \bigoplus_{\ell \in [n]} B^j_{i,\ell} \to A^j_{i,\ell}, t_i)$. Then the $J$-system $P^J$ is $P^J_{j_1} \parallel \cdots \parallel P^J_{j_n}$ where $\{j_1, \ldots, j_n\} = \mathit{range}(J)$ and $P^J_j$ consists of the arcs $\{a^J_j \mid a^I_j \text{ is an arc of } P^I_j\}$.

Intuitively, a $J$-system consists of the processes in $\mathit{range}(J)$, where each process contains only the synchronization code needed for its $J$-neighbors, rather than its $I$-neighbors. If $J = \{\{i, j\}\}$ for some $i, j$ then $P^J$ is a pair-system, and if $J = \{\{i, j\}, \{j, k\}\}$ for some $i, j, k$ then $P^J$ is a triple-system. For $J \subseteq I$, $M^J = (St^J, S^J, R^J)$ is the GSTD of $P^J$ as defined in Section 2.1, and a global state of $P^J$ is a $J$-state. If $J = \{\{i, j\}\}$, then we write $M^{ij} = (St^{ij}, S^{ij}, R^{ij})$ instead of $M^J = (St^J, S^J, R^J)$.

In [1, 2, 4] we give, in pairwise normal form, solutions to many well-known problems, such as dining philosophers, drinking philosophers, mutual exclusion, $k$-out-of-$n$ mutual exclusion, two-phase commit, and replicated data servers. We conjecture that any finite-state concurrent program can be rewritten (up to strong bisimulation) in pairwise normal form. The restriction to pairwise normal form enables us to mechanically verify certain correctness properties very efficiently. Recall that $K$ is the number of processes, $b$ is the maximum branching in the local state transition relation of a single process, and $N$ is the size of the largest process. Then, safety and liveness properties that can be expressed over pairs of processes can be verified in time $O(K^2 N^2)$ by model-checking pair-systems [1, 2], and deadlock-freedom can be verified in time $O(K^3 N^3 b)$ or $O(K^4 N^4)$ using either of two conservative tests [5], which in turn operate by model checking triple-systems. Exhaustive state-space enumeration would of course require $O(N^K)$ time.
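As an added, runnable illustration of Definitions 2 and 4 (example code written for this page, not the paper's own), the following builds a constructed three-process $I$-system in pairwise normal form with the complete interconnection relation and generates its global state transition diagram. Every arc is kept in exactly the shape of condition 1 of Definition 4: for each neighbor $j$ a list of alternatives $(B, A)$ combined by $\oplus$, all neighbors combined by $\otimes$; each guard reads only $AP_j$ and $\mathcal{SH}_{ij}$, and each action updates only $\mathcal{SH}_{ij}$. The program itself (local states N and C, one pairwise token variable $\mathit{tok}_{ij}$ per pair, the token-passing rule, and the initial state) is an assumption made up for the example, not one of the paper's solutions.

```python
from itertools import product

K = 3
# Complete interconnection relation I; I(i) is computed by neighbours().
I = {(i, j) for i in range(1, K + 1) for j in range(1, K + 1) if i != j}


def neighbours(i):
    """I(i) = { j | (i, j) in I }."""
    return [j for j in range(1, K + 1) if (i, j) in I]


def V(i, s_i):
    """V_i: AP_i = {c_i}; c_i holds exactly in local state 'C' (critical)."""
    return frozenset({"c%d" % i}) if s_i == "C" else frozenset()


def tok(i, j):
    """Name of the single variable in SH_ij (constructed for this example);
    its value is the index of the pair member allowed to enter 'C' next."""
    return "tok%d%d" % (min(i, j), max(i, j))


def enter_arc(i):
    """N -> C of P_i: for each neighbour j one alternative
    (not c_j and tok_ij = i) -> tok_ij := j, all neighbours combined by (x)."""
    alts = {}
    for j in neighbours(i):
        alts[j] = [(lambda loc, sh, i=i, j=j: "c%d" % j not in V(j, loc[j - 1])
                    and sh[tok(i, j)] == i,
                    lambda loc, sh, i=i, j=j: {tok(i, j): j})]
    return ("N", alts, "C")


def leave_arc(i):
    """C -> N of P_i: guard true, action skip, with every neighbour."""
    return ("C", {j: [(lambda loc, sh: True, lambda loc, sh: {})]
                  for j in neighbours(i)}, "N")


def successors(state):
    """Next-state relation of Section 2.1 for arcs shaped as in Definition 4.
    A global state is (loc, sh): loc[i-1] is P_i's local state, sh a sorted
    tuple of (variable, value). An arc is enabled iff every neighbour j has an
    enabled alternative; the chosen alternatives' actions run together as one
    parallel assignment and P_i moves to the arc's target local state."""
    loc, sh_items = state
    sh = dict(sh_items)
    out = set()
    for i in range(1, K + 1):
        for (s_i, alts, t_i) in (enter_arc(i), leave_arc(i)):
            if loc[i - 1] != s_i:
                continue
            enabled = [[A for (B, A) in alts[j] if B(loc, sh)] for j in neighbours(i)]
            if any(not e for e in enabled):
                continue                      # a neighbour has no enabled alternative: blocked
            for choice in product(*enabled):  # one alternative per neighbour (+), all at once (x)
                new_sh = dict(sh)
                for A in choice:
                    new_sh.update(A(loc, sh))
                new_loc = loc[:i - 1] + (t_i,) + loc[i:]
                out.add((i, (new_loc, tuple(sorted(new_sh.items())))))
    return out


def gstd(start_states):
    """Definition 2: S is the smallest set containing St and closed under the
    next-state relation; R is that relation restricted to S."""
    S, R, frontier = set(start_states), set(), list(start_states)
    while frontier:
        s = frontier.pop()
        for (i, u) in successors(s):
            R.add((s, i, u))
            if u not in S:
                S.add(u)
                frontier.append(u)
    return S, R


def initial_state():
    """Constructed St: everyone in N, each token held by the smaller index."""
    loc = tuple("N" for _ in range(K))
    sh = tuple(sorted((tok(i, j), i) for (i, j) in I if i < j))
    return (loc, sh)


def mutual_exclusion_holds(S):
    """At most one process is in 'C' in every reachable global state."""
    return all(sum(1 for x in loc if x == "C") <= 1 for (loc, _) in S)


if __name__ == "__main__":
    S, R = gstd([initial_state()])
    print(len(S), "global states,", len(R), "transitions; mutual exclusion:",
          mutual_exclusion_holds(S))
```

For this constructed program the GSTD is a single cycle of six global states (each process enters and leaves C in turn), and the check confirms that no reachable state has two processes in C. The same `successors`/`gstd` pair works unchanged for any I-system written in the arc shape of Definition 4, since the ⊗/⊕ structure is evaluated generically.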
4 The Pairwise Expressiveness Result

Let $Q = (St_Q, Q_1 \parallel \cdots \parallel Q_K)$ be an arbitrary finite-state shared memory concurrent program as defined in Section 2.1 above, with each process $Q_i$ having an associated set $AP_i$ of atomic propositions and with shared variables $x_1, \ldots, x_m$. The transformation of $Q$ to pairwise normal form proceeds in three phases, as given in the sequel.

TRANSFORM($M_Q$, $M'_Q$)
  $St'_Q := St_Q$; $S'_Q := S_Q$; $R'_Q := R_Q$;
  repeat until there is no change in $M'_Q$
    let $s$ be a state in $M'_Q$ such that $|\mathit{inprocs}(s)| > 1$;
    forall $i \in \mathit{inprocs}(s)$ do
      create a new marked state $s_i$ such that $s_i \restriction AP = s \restriction AP$, $s_i \restriction \mathcal{SH} = s \restriction \mathcal{SH}$;
      if $s \in St_Q$ then $St'_Q \leftarrow St'_Q \cup \{s_i\}$ endif;
      $S'_Q \leftarrow S'_Q \cup \{s_i\}$;
      forall $j, u : (s, j, u) \in R_Q$ do $R'_Q \leftarrow R'_Q \cup \{(s_i, j, u)\}$ endfor;
      forall $u : (u, i, s) \in R_Q$ do $R'_Q \leftarrow R'_Q \cup \{(u, i, s_i)\}$ endfor;
      $St'_Q \leftarrow St'_Q - \{s\}$; $S'_Q \leftarrow S'_Q - \{s\}$;
      remove all transitions incident on $s$ from $R'_Q$
    endfor
  endrepeat

Figure 1: Transformation of $M_Q$ so that all incoming transitions are labeled with the same process index.

4.1 Phase One

First, we generate $M_Q$, the GSTD of $Q$, as given by Definition 2. By construction of Definition 2, all states in $M_Q$ are reachable. We then execute the algorithm given in Figure 1 on $M_Q$, which transforms $M_Q$ into a Kripke structure $M'_Q = (St'_Q, S'_Q, R'_Q)$ which is bisimilar to $M_Q$ and which has the property that all incoming transitions into a state are labeled with the same process index. This is not strictly necessary, but significantly simplifies the transformation to pairwise normal form. Define $\mathit{inprocs}(s) = \{i \in [K] \mid \exists s' : (s', i, s) \in R_Q\}$. We also introduce a new shared variable $\mathit{in}$ whose value in a state $s$ will be the process index that labels the transitions incoming into $s$.
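The following is an added, runnable rendering of TRANSFORM (Figure 1) together with a strong-bisimulation check in the sense of Definition 3; it is example code written for this page, not the paper's own implementation. A Kripke structure is a triple of sets $(St, S, R)$ with $R$ a set of $(s, i, u)$ triples, and a marked copy $s_i$ is represented as the pair $(s, i)$, which the labelling function treats as having the same atomic-proposition valuation as $s$. The sample structure $M_Q$ (four states, two process indices, one state entered by both $P_1$ and $P_2$) is constructed for the example. The bisimulation check uses plain partition refinement, which is my choice of decision procedure, not something the paper specifies.

```python
from collections import defaultdict


def inprocs(R, s):
    """inprocs(s): the process indices labelling transitions incoming into s."""
    return {i for (_, i, u) in R if u == s}


def transform(St, S, R):
    """TRANSFORM of Figure 1 on a Kripke structure (St, S, R). A marked copy of
    s for incoming index i is the pair (s, i). Returns (St', S', R') in which
    every state has at most one incoming process index."""
    St2, S2, R2 = set(St), set(S), set(R)
    while True:
        multi = [s for s in S2 if len(inprocs(R2, s)) > 1]
        if not multi:
            return St2, S2, R2
        s = multi[0]
        outgoing = {(j, u) for (w, j, u) in R2 if w == s}
        incoming = {(u, i) for (u, i, w) in R2 if w == s}
        for i in inprocs(R2, s):
            s_i = (s, i)                      # agrees with s on AP and SH
            if s in St2:
                St2.add(s_i)
            S2.add(s_i)
            for (j, u) in outgoing:           # s_i inherits every successor of s
                R2.add((s_i, j, u))
            for (u, k) in incoming:           # only i-labelled predecessors move to s_i
                if k == i:
                    R2.add((u, i, s_i))
        St2.discard(s)
        S2.discard(s)
        R2 = {(w, j, u) for (w, j, u) in R2 if w != s and u != s}


def bisimilar(M1, M2, label):
    """Definition 3, decided by partition refinement on the disjoint union of
    the two structures: start from the partition induced by label (the AP
    valuation), split blocks by their set of (index, successor block) pairs
    until stable, then require every initial state of each structure to share
    a block with some initial state of the other."""
    (St1, S1, R1), (St2, S2, R2) = M1, M2
    states = [(1, s) for s in S1] + [(2, s) for s in S2]
    succ = defaultdict(set)
    for tag, R in ((1, R1), (2, R2)):
        for (s, i, u) in R:
            succ[(tag, s)].add((i, (tag, u)))
    block = {st: label(st[1]) for st in states}
    while True:
        sig = {st: (block[st], frozenset((i, block[u]) for (i, u) in succ[st]))
               for st in states}
        if len(set(sig.values())) == len(set(block.values())):
            break                              # no block was split: partition is stable
        block = sig
    return (all(any(block[(1, s)] == block[(2, t)] for t in St2) for s in St1)
            and all(any(block[(1, s)] == block[(2, t)] for s in St1) for t in St2))


# Constructed sample M_Q with AP_1 = {p}, AP_2 = {q}: P_1 toggles p, P_2 toggles q.
# State B is entered by P_1 (from A) and by P_2 (from D), so TRANSFORM splits it.
AP_OF = {"A": frozenset(), "B": frozenset({"p"}),
         "C": frozenset({"q"}), "D": frozenset({"p", "q"})}
SAMPLE = ({"A"}, {"A", "B", "C", "D"},
          {("A", 1, "B"), ("A", 2, "C"), ("C", 1, "D"), ("D", 2, "B"), ("B", 1, "A")})


def ap_label(s):
    """s restricted to AP; a marked copy (s, i) keeps the valuation of s."""
    while isinstance(s, tuple):
        s = s[0]
    return AP_OF[s]


if __name__ == "__main__":
    St2, S2, R2 = transform(*SAMPLE)
    print(sorted(map(str, S2)))
    print("all |inprocs| <= 1:", all(len(inprocs(R2, s)) <= 1 for s in S2))
    print("bisimilar to M_Q:", bisimilar(SAMPLE, (St2, S2, R2), ap_label))
```

On the sample, B is replaced by (B, 1) and (B, 2), each keeping B's single successor A, and the refinement leaves the two copies in the same block as B, which is exactly the argument of Proposition 2.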
Proposition 1 Procedure TRANSFORM terminates.

Proof. Each iteration of the repeat loop (line 2) reduces the number of states $s$ such that $|\mathit{inprocs}(s)| > 1$ by one. Since $M'_Q$ is initially set to $M_Q$, which is finite, this cannot go on forever. □

Proposition 2 $M'_Q \sim M_Q$ is a loop invariant of the repeat loop (line 2) of TRANSFORM.

Proof. Let $n_0$ be the number of iterations that the repeat loop executes. Let $M^n = (St^n, S^n, R^n)$ be the value of $M'_Q$ at the end of the $n$'th iteration (for all $n \le n_0$), with $M^0$ being the initial value $M_Q$. We will also use the superscript $n$ for states in $M^n$, when needed. We show that $\forall n : 0 < n \le n_0 : M^{n-1} \sim M^n$. Consider the $n$'th iteration of the repeat loop. In this iteration, $M^n$ results from $M^{n-1}$ by deleting some state $s$ and adding some states $s_{i_1}, \ldots, s_{i_\ell}$, where $\{i_1, \ldots, i_\ell\} = \mathit{inprocs}(s)$. Since each of $s_{i_1}, \ldots, s_{i_\ell}$ has the same successor states as $s$, and agrees with $s$ on the values of all atomic propositions, we have $s \sim s_{i_1}, \ldots, s \sim s_{i_\ell}$. Let $u$ be an arbitrary predecessor of $s$ in $M^{n-1}$, i.e., $(u^{n-1}, j, s) \in R^{n-1}$, where $u^{n-1}$ indicates the occurrence of $u$ in $M^{n-1}$. At the end of the iteration, we have $(u^n, j, s_j) \in R^n$. Since $s \sim s_j$, we have $u^{n-1} \sim u^n$, i.e., the occurrence of $u$ in $M^{n-1}$ is bisimilar to the occurrence of $u$ in $M^n$. Since all other states in $M^{n-1}$ and $M^n$ have an unchanged set of successors, we conclude that $M^{n-1} \sim M^n$. By a straightforward induction on $n$, and using the transitivity of $\sim$, we can show that $\forall n : 0 < n \le n_0 : M^0 \sim M^n$. Thus $M^0 \sim M^{n_0}$. Now $M_Q = M^0$ and $M'_Q = M^{n_0}$, and the proposition is established. □

Proposition 3 Upon termination of procedure TRANSFORM, (1) $M'_Q \sim M_Q$, and (2) every state $s$ in $M'_Q$ satisfies $|\mathit{inprocs}(s)| \le 1$.

Proof. (1) follows from Proposition 2. (2) follows immediately from inspecting line 2 of procedure TRANSFORM. □

For all $s \in S'_Q$ such that $|\mathit{inprocs}(s)| = 1$, define $\mathit{in}(s)$ to be the unique $i$ such that $\exists s' : (s', i, s) \in R'_Q$.

Proposition 4 Upon termination of procedure TRANSFORM, for any two states $s, u$ in $M'_Q$, $s \restriction AP \neq u \restriction AP$ or $s \restriction \mathcal{SH} \neq u \restriction \mathcal{SH}$ or $\mathit{in}(s) \neq \mathit{in}(u)$.

Proof. Immediate by construction of procedure TRANSFORM. □

4.2 Phase Two

We exploit the unique incoming process index property of $M'_Q$ to extract a program $P = (St_P, P_1 \parallel \cdots \parallel P_K)$ from $M'_Q$ such that $P$ is bisimilar to $Q = (St_Q, Q_1 \parallel \cdots \parallel Q_K)$ and $P$ is in pairwise normal form. The interconnection relation $I$ for $P$ is the complete relation, and so we omit the superscripts $I$ on $P$ and $P_i$. $P$ operates by emulating the execution of $Q$. In the sequel, let $i, j, k$ implicitly range over $[K]$, with possible further restriction, e.g., $i \neq j$. With each process $P_i$ we associate the following state variables, with the indicated access permissions and purpose:

• The atomic propositions in $AP_i$. These are written by $P_i$ and read by all processes. For each process $P_i$, these enable $P_i$ to emulate the local state of $Q_i$, which is defined by the same set $AP_i$ of atomic propositions.

• A shared variable $x^i_{ij}$ for every $x \in \mathcal{SH}$ and $j \in [K]$. These are written by $P_i$ and read by $P_j$. These enable $P_i$ to emulate the updates that $Q_i$ makes to $x$. When $P_i$ is the last process to have executed, any other process $P_j$ will read $x^i_{ij}$ to find the correct emulated value of $x$, since this value will have been computed by $P_i$ and stored in $x^i_{ij}$ for all $j \in [K]$. For technical convenience, we admit $x^i_{ii}$. We select some $\ell \in [K] - \{i\}$ arbitrarily and define $x^i_{ii}$ to be shared pairwise between $P_i$ and $P_\ell$. This is needed to conform technically to Definition 4. $P_\ell$ will not actually reference $x^i_{ii}$.

• A timestamp $t^j_i$ for every $j \in [K]$. These are written and read by $P_i$ only. Timestamps have values in $\{0, 1, 2\}$. We define orderings $<_o$, $>_o$ on timestamps as follows [8]: $0 <_o 1$, $1 <_o 2$, and $2 <_o 0$, and $t >_o t'$ iff $t' <_o t$. Note that $<_o$ is not transitive. The purpose of $t^j_i$ and $t^i_j$ is to enable the pair of processes $P_i$ and $P_j$ to establish an ordering between themselves by computing $t^j_i <_o t^i_j$. If $t^j_i >_o t^i_j$, then $P_i$ executed a transition more recently than $P_j$, and vice-versa. The timestamp $t^i_i$ is unused, so we do not worry about initializing it, or what its value is in general.

• A timestamp vector $tv^i_{ij}$ for every $j \in [K]$. A $K$-tuple whose value is maintained equal to $\langle t^1_i, \ldots, t^K_i \rangle$. It is written by $P_i$ and read by $P_i$ and $P_j$. Its purpose is to allow $P_i$ to communicate to $P_j$ the values of $P_i$'s timestamps w.r.t. all other processes. By reading all $tv^i_{ij}$, $i \in [K] - \{j\}$, process $P_j$ can correctly infer the index of the last process to execute. This allows $P_j$ to read the correct emulated values of all shared variables. We use $tv^i_{ij}.k$ to denote the $k$'th element of $tv^i_{ij}$, which is the value of $t^k_i$. For technical convenience, we admit $tv^i_{ii}$. We select some $\ell \in [K] - \{i\}$ arbitrarily and define $tv^i_{ii}$ to be shared pairwise between $P_i$ and $P_\ell$. This is needed to conform technically to Definition 4. $P_\ell$ will not actually reference $tv^i_{ii}$.

For all the above, the order of subscripts does not matter, e.g., $tv^i_{ij}$ and $tv^i_{ji}$ are the same variable, etc. The essence of the emulation is to deal correctly with the shared variables. This depends upon every process being able to compute the index of the last process to execute, as described above. Define the auxiliary (“ghost”) variable $\mathit{last}$ to be the index of the last process to make a transition.
As described above, every process $P_j$ can compute the value of $\mathit{last}$ ($\mathit{last}$ is not explicitly implemented, since doing so would violate pairwise normal form). Then, $P_j$ reads the variable $x^{\mathit{last}}_{\mathit{last},j}$ that it shares with $P_{\mathit{last}}$ to find an up to date value for the variable $x$ in $Q$. Together with the unique incoming process index property of $M'_Q$, this allows $P_j$ to accurately determine the currently simulated global state of $M'_Q$. $P_j$ can then update its associated shared variables and atomic propositions to accurately emulate a transition in $M'_Q$.

Let $M_P$ be the GSTD of $P$, as given by Definition 2. We will define $P = (St_P, P_1 \parallel \cdots \parallel P_K)$ so that $M'_Q$ and $M_P$ are bisimilar. We start with $St_P$. For each initial state $u_0$ of $M'_Q$, we create a corresponding initial state $r_0 \in St_P$ so that:
$$r_0 \restriction AP = u_0 \restriction AP \qquad \bigwedge_{x \in \mathcal{SH},\, i,\, j} r_0(x^i_{ij}) = u_0(x)$$
Now for the bisimulation between $M'_Q$ and $M_P$ to work properly, we will require that $\mathit{in}(u) = s(\mathit{last})$, where $u, s$ are bisimilar states of $M'_Q$, $M_P$, respectively. It is possible, however, that some initial state $u_0$ of $M'_Q$ does not have an incoming transition, and so $\mathit{in}(u_0)$ is undefined. We deal with this as follows. Call an initial state (of either $M'_Q$ or $M_P$) that does not have an incoming transition a source state. Since we defined the corresponding $r_0$ above so that $x^i_{ij}$ has the correct value (namely $u_0(x)$) for all $i, j$, we can let any process be the “last”, as determined by the timestamps. Thus, for a source state $u_0$ in $M'_Q$ and its corresponding source state $r_0$ in $M_P$, we set:
$$r_0(t^j_i) = \begin{cases} 1 & \text{if } i = 1 \wedge j \neq 1 \\ 0 & \text{if } i \neq 1 \wedge j = 1 \\ X & \text{if } i \neq 1 \wedge j \neq 1 \end{cases}$$
where $X$ denotes a “don't care,” i.e., any value in $\{0, 1, 2\}$ can be used. This has the effect of making $P_1$ the “last” process to have executed in a source state, i.e., setting $r_0(\mathit{last}) = 1$.

We now extend the definition of $\mathit{in}$ to source states by defining $\mathit{in}(u_0) = 1$ for every source state $u_0 \in St'_Q$. Together with the fact that states in $M'_Q$ are uniquely determined by the atomic proposition and shared variable values, this automatically takes care of the bisimulation matching between source states in $M'_Q$ and source states in $M_P$, without the need for an extra case analysis. Note also that $\mathit{in}(u)$ is now defined for all states $u$ in $M'_Q$. For an initial state $u_0$ of $M'_Q$ that is not a source state, and its corresponding initial state $r_0$ in $M_P$, we set:
$$r_0(t^j_i) = \begin{cases} 1 & \text{if } i = \mathit{in}(u_0) \wedge j \neq \mathit{in}(u_0) \\ 0 & \text{if } i \neq \mathit{in}(u_0) \wedge j = \mathit{in}(u_0) \\ X & \text{if } i \neq \mathit{in}(u_0) \wedge j \neq \mathit{in}(u_0) \end{cases}$$
where again $X$ means “don't care.” This has the effect of setting $r_0(\mathit{last}) = \mathit{in}(u_0)$, as required. For all initial states $r_0 \in St_P$, whether they are source states or not, we set the timestamp vector values so that:
$$\bigwedge_{i,j,k} r_0(tv^i_{ij}.k) = r_0(t^k_i)$$

For each transition $(u, i, v)$ in $M'_Q$, we generate a single arc $\mathit{ARC}^{u,v}_i$ in $P_i$ as follows. $\mathit{ARC}^{u,v}_i$ starts in local state $u \restriction i$ of $P_i$ and ends in local state $v \restriction i$ of $P_i$. Let $\mathit{in}(u) = c$. Then the guard $B^{u,v}_i$ of $\mathit{ARC}^{u,v}_i$ is defined as follows:
$$B^{u,v}_i \stackrel{\mathrm{df}}{=} (\mathit{last} = c) \wedge \bigwedge_{j \neq i} \{|u \restriction j|\} \wedge \Bigl(\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x)\Bigr)$$
The first conjunct checks that the last process that executed is the process with index $\mathit{in}(u)$. The second conjunct checks that all atomic propositions have the values assigned to them by global state $u$.

$\mathit{step}(t, t')$
  Precondition: $0 \le t, t' \le 2$, that is, $t, t'$ are timestamp values
  if $t >_o t'$ then return($t$)
  else
    if $t = 0 \wedge t' = 1$ then return(2) endif;
    if $t = 1 \wedge t' = 2$ then return(0) endif;
    if $t = 2 \wedge t' = 0$ then return(1) endif;
  endif

Figure 2: The step procedure.
The thir d conjunct checks that all shared v ariables hav e the v a lues assig ned to them by global s ta te u . The action A u,v i of ARC u,v i is defined to b e k j 6 = i t j i := step ( t j i , tv i j i .j ); k j tv i ij := h t 1 i , . . . , t K i i ; k j,x ∈S H x i ij := v ( x ) where step ( t, t ′ ) is given in Figure 2. This cannot b e factor ed int o pairwise a ctions A j i,m bec ause all the t j i are used to upda te a ll the tv i ij . The solution is to make the t j i part of the lo cal s ta te of P i . W e do this in phase 3 b elow. F or now, we show that pr ogram P with the arcs given b y ARC u,v i = ( u ↾ i, B u,v i → A u,v i , v ↾ i ) is bisimilar to progr am Q . Prop osition 5 The fol lowing ar e invariants of P : 1. V i,j,k 6 = i tv i ij .k = t k i 2. V i (( last = i ) ≡ V j 6 = i t j i > o t i j ) 3. V i,j,k x i ij = x i ik Pr o of. By construction of P : S t P is defined so that the initial states all satisfy the a bove, and the actio ns A u,v i of e very pro cess P i of P are defined so that their execution prese r ves the ab ov e. ✷ Definition 5 Define ⊲ ⊳ ⊆ S ′ Q × S P as fol lows. F or u ∈ S ′ Q , r ∈ S P , u ⊲ ⊳ r iff: 1. u ↾ AP = r ↾ AP 2. in ( u ) = r ( last ) 3. V x ∈S H ,k r ( last ) = k ⇒ ( V i u ( x ) = r ( x k ki )) Theorem 6 ⊲ ⊳ is a str ong bisimulation Pr o of of The or em 6 . Pr o of. Let u ∈ S ′ Q , r ∈ S P , and u ⊲ ⊳ r . W e must show that all thr e e clauses of Definition 3 hold, that is: 8 1. if u ⊲ ⊳ r then u ↾ AP = r ↾ AP 2. if u ⊲ ⊳ r and ( u, i, v ) ∈ R Q then ∃ s : ( r, i, s ) ∈ R P ∧ v ⊲ ⊳ s 3. if u ⊲ ⊳ r and ( r , i, s ) ∈ R P then ∃ v : ( u, i , v ) ∈ R Q ∧ v ⊲ ⊳ s Clause 1 holds b y v ir tue of clause 1 of Definition 5. Pr o of of clause 2 . Assume ( u, i , v ) ∈ R Q , a nd let in ( u ) = c . W e show that there exists s such that ( r , i, s ) ∈ R P and v ⊲ ⊳ s . By our cons tr uction of P ab ov e, the tra nsition ( u, i, v ) generates the arc AR C u,v i in P i . 
By definition, the guard $B^{u,v}_i$ of $ARC^{u,v}_i$ is

$(last = c \wedge \bigwedge_{j \neq i} \{|u\restriction j|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x)))$. (a)

Now by Definition 5 and $u \bowtie r$, we have $in(u) = r(last)$. Hence $r \models last = c$. Also by Definition 5 and $u \bowtie r$, we have $u\restriction AP = r\restriction AP$. Hence $r \models \bigwedge_{j \neq i} \{|u\restriction j|\}$. Again by Definition 5 and $u \bowtie r$, we have $\bigwedge_{x \in \mathcal{SH}}\ r(last) = c \Rightarrow u(x) = r(x^c_{ci})$. Hence $\bigwedge_{x \in \mathcal{SH}}\ u(x) = r(x^c_{ci})$, and so $r \models (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$. Since $r$ satisfies all three conjuncts of (a), it follows that the guard of $ARC^{u,v}_i$ is true in state $r$, and therefore $ARC^{u,v}_i$ is enabled in $r$. By Proposition 5 and inspection of the action $A^{u,v}_i$ of $ARC^{u,v}_i$, execution of $ARC^{u,v}_i$ leads to a state $s$ such that $s(last) = i$ and $s\restriction AP = v\restriction AP$ and $(\bigwedge_j x^i_{ij} = v(x))$. By Definition 5, we have $v \bowtie s$, as required.

Proof of clause 3. Assume $(r, i, s) \in R_P$. We show that there exists $v$ such that $(u, i, v) \in R_Q$ and $v \bowtie s$. By our construction of $P$ above, the transition $(r, i, s)$ results from executing an arc $ARC^{w,v}_i$ in $P_i$, for some $w$, $v$. Let $in(w) = c$. By definition of $ARC^{w,v}_i$, we have $r \models \bigwedge_{j \neq i} \{|w\restriction j|\}$, and also $r\restriction i = w\restriction i$. Hence, by the definition of $\{|w|\}$ (Definition 1), $r\restriction AP = w\restriction AP$. Also by definition of $ARC^{w,v}_i$, we have $r(last) = in(w) = c \wedge (\bigwedge_{x \in \mathcal{SH}} r(x^c_{ci}) = w(x))$. Hence:

$r(last) = in(w) = c$ and $r\restriction AP = w\restriction AP$ and $(\bigwedge_{x \in \mathcal{SH}} r(x^c_{ci}) = w(x))$. (b)

Since $u \bowtie r$, we have $r(last) = in(u)$ and $u\restriction AP = r\restriction AP$ and $(\bigwedge_{x \in \mathcal{SH}} r(x^{last}_{last,i}) = u(x))$. From (b), $r(last) = c$. Hence

$r(last) = in(u)$ and $u\restriction AP = r\restriction AP$ and $(\bigwedge_{x \in \mathcal{SH}} r(x^c_{ci}) = u(x))$. (c)

From (b,c) we have

$in(w) = in(u)$ and $w\restriction AP = u\restriction AP$ and $(\bigwedge_{x \in \mathcal{SH}} w(x) = u(x))$. (d)

Since all global states differ in either some atomic proposition, or some shared variable, or some incoming transition, by Proposition 4 we conclude from (d) that $w = u$. By Proposition 5 and inspection of the action $A^{u,v}_i$ of $ARC^{u,v}_i$, executing $ARC^{u,v}_i$ can only lead to a state $s$ such that $s(last) = i$ and $s\restriction AP = v\restriction AP$ and $(\bigwedge_j x^i_{ij} = v(x))$. By Definition 5, we have $v \bowtie s$, as required. ✷

Corollary 7 $M'_Q \sim M_P$.

Proof. From Definition 5 and our definition of the initial states of $P$, we see that for every initial state $u_0$ of $M'_Q$ there exists an initial state $r_0$ of $M_P$ such that $u_0 \bowtie r_0$, and vice versa. The result then follows from Theorem 6 and Definition 3. ✷

4.3 Phase Three

We now express $ARC^{u,v}_i$ in a form that complies with Definition 4, that is, as $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in \{1,\ldots,n_j\}} B^j_{i,\ell} \to A^j_{i,\ell}$, where $B^j_{i,\ell}$ can reference only variables in $\mathcal{SH}_{ij}$ and atomic propositions in $AP_j$, and $A^j_{i,\ell}$ can update only variables in $\mathcal{SH}_{ij}$. Recall that $ARC^{u,v}_i = (u\restriction i,\ B^{u,v}_i \to A^{u,v}_i,\ v\restriction i)$. For the rest of this section, let $in(u) = c$.

First consider $B^{u,v}_i$. By definition $B^{u,v}_i = (last = c) \wedge \bigwedge_{j \neq i} \{|u\restriction j|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$. Now $\{|u\restriction j|\}$ is a propositional formula over $AP_j$, and so $\bigwedge_{j \neq i} \{|u\restriction j|\}$ is a conjunction of propositional formulae over $AP_j$, and so it poses no problem. Likewise, since $(\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$ is a conjunction over pairwise shared variables, it also is unproblematic. $last = c$ is not in the pairwise form given above, since it refers to the ghost variable $last$. Note that $in(u)$ is a constant, and so is not problematic in this regard. Now $last = c$ checks that the last process to execute is $P_c$. In terms of timestamps, it is equivalent to $\bigwedge_{j \neq c} t^j_c >_o t^c_j$, i.e., $P_c$ has executed more recently than all other processes.
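The timestamp encoding of $last = c$ can be checked mechanically. The Python below is an added example, not code from the paper: it implements the order $>_o$ on $\{0,1,2\}$ exactly as the three admissible value pairs $(0,1)$, $(1,2)$, $(2,0)$ given in the text, expands formula (*) into disjunctive normal form the way the text describes, and confirms by exhaustive enumeration that the resulting $3^{K-1}$ disjuncts $D_m$ are equivalent to (*). The process index $i$ is left implicit: only the component values $tv^c_{ci}.j$ and $tv^j_{ji}.c$ for $j \neq c$ are modelled, as two dictionaries keyed by $j$ (an assumed encoding); the operation $step$ of Figure 2 is not needed here and is not implemented.

```python
from itertools import product

# Added example (not from the paper). Timestamp values are drawn from {0,1,2}.
TS = (0, 1, 2)

# The paper's definition of a >_o b on {0,1,2}: exactly the pairs (0,1), (1,2), (2,0).
GT_O_PAIRS = {(0, 1), (1, 2), (2, 0)}


def gt_o(a, b):
    """a >_o b: the cyclic 'later than' order on three-valued timestamps."""
    return (a, b) in GT_O_PAIRS


def star_holds(tv_c, tv_j):
    """Formula (*): AND_{j != c} tv^c_ci.j >_o tv^j_ji.c.
    tv_c[j] stands for tv^c_ci.j and tv_j[j] for tv^j_ji.c (assumed dict encoding)."""
    return all(gt_o(tv_c[j], tv_j[j]) for j in tv_c)


def dnf_of_star(c, K):
    """Expand (*) into DNF D_1 v ... v D_n. Each D_m is a list of literals
    (variable, op, ts) with variable = ('tvc', j) for tv^c_ci.j or ('tvj', j) for
    tv^j_ji.c, and op in {'=', '!='} as in the paper; only '=' literals arise here."""
    others = [j for j in range(1, K + 1) if j != c]
    disjuncts = []
    # Distribute AND over the 3-way OR of each conjunct: one term per choice of pair.
    for choice in product(sorted(GT_O_PAIRS), repeat=len(others)):
        term = []
        for j, (a, b) in zip(others, choice):
            term.append((('tvc', j), '=', a))
            term.append((('tvj', j), '=', b))
        disjuncts.append(term)
    return disjuncts


def dnf_holds(disjuncts, tv_c, tv_j):
    """Evaluate D_1 v ... v D_n under the assignment (tv_c, tv_j)."""
    def lit(l):
        (kind, j), op, ts = l
        val = tv_c[j] if kind == 'tvc' else tv_j[j]
        return val == ts if op == '=' else val != ts
    return any(all(lit(l) for l in term) for term in disjuncts)


def check_equivalence(c, K):
    """Exhaustively check (D_1 v ... v D_n) == (*) over all 3^(2(K-1)) assignments.
    Returns (number of disjuncts n, literals per disjunct, equivalent?)."""
    disjuncts = dnf_of_star(c, K)
    others = [j for j in range(1, K + 1) if j != c]
    equivalent = True
    for vals_c in product(TS, repeat=len(others)):
        for vals_j in product(TS, repeat=len(others)):
            tv_c = dict(zip(others, vals_c))
            tv_j = dict(zip(others, vals_j))
            if star_holds(tv_c, tv_j) != dnf_holds(disjuncts, tv_c, tv_j):
                equivalent = False
    return len(disjuncts), 2 * len(others), equivalent


if __name__ == "__main__":
    for K in (2, 3, 4, 5):
        n, lits, ok = check_equivalence(1, K)
        print(f"K={K}: (*) has {K - 1} conjuncts; DNF has n={n} disjuncts "
              f"of {lits} literals each; equivalent={ok}")
```

Running the block shows the length blow-up the text describes: the conjunction (*) grows linearly in $K$, while its DNF has $3^{K-1}$ disjuncts, which is the source of the $O(\exp(K))$ factor per arc in Theorem 14.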
However, the timestamps $t^c_j$ are inaccessible to $P_i$, and the $t^j_c$ are accessible to $P_i$ only in the special case that $c = i$, which does not hold generally. The purpose of the timestamp vectors is precisely to deal with this problem. Recall that $tv^c_{ci}.j$ is maintained equal to $t^j_c$, and $tv^j_{ji}.c$ is maintained equal to $t^c_j$. Hence, we replace $last = c$ by the equivalent

$\bigwedge_{j \neq c}\ tv^c_{ci}.j >_o tv^j_{ji}.c$ (*)

which moreover can be evaluated by $P_i$, since it refers only to timestamp vectors that are accessible to $P_i$. Now the expression $tv^c_{ci}.j >_o tv^j_{ji}.c$ refers to $tv^c_{ci}$, which is shared by $P_c$ and $P_i$, and to $tv^j_{ji}$, which is shared by $P_j$ and $P_i$. Thus it is not in pairwise form. We fix this as follows. By definition of $>_o$, $tv^c_{ci}.j >_o tv^j_{ji}.c$ is equivalent to $(tv^c_{ci}.j = 0 \wedge tv^j_{ji}.c = 1) \vee (tv^c_{ci}.j = 1 \wedge tv^j_{ji}.c = 2) \vee (tv^c_{ci}.j = 2 \wedge tv^j_{ji}.c = 0)$. Hence, (*) is equivalent to

$\bigwedge_{j \neq c}\ (tv^c_{ci}.j = 0 \wedge tv^j_{ji}.c = 1) \vee (tv^c_{ci}.j = 1 \wedge tv^j_{ji}.c = 2) \vee (tv^c_{ci}.j = 2 \wedge tv^j_{ji}.c = 0)$.

This formula has length in $O(K)$. We convert this to disjunctive normal form, resulting in a formula of length in $O(\exp(K))$. Let the result be $D_1 \vee \ldots \vee D_n$ for some $n$. Each $D_m$, $1 \le m \le n$, is a conjunction of literals, where each literal has one of the forms $(tv^c_{ci}.j\ op\ ts)$, $(tv^j_{ji}.c\ op\ ts)$, where $op \in \{=, \neq\}$ and $ts \in \{0, 1, 2\}$. Specifically, $D_m = LIT^c_m(tv^c_{ci}.j) \wedge \bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c)$, where $LIT^c_m(tv^c_{ci}.j)$ is a conjunction of literals of the form $tv^c_{ci}.j\ op\ ts$, and $LIT^j_m(tv^j_{ji}.c)$ is a conjunction of literals of the form $tv^j_{ji}.c\ op\ ts$. Moreover, since logical equivalence to (*) has been maintained, we have $(D_1 \vee \ldots \vee D_n) \equiv (last = c)$. For $m \in \{1, \ldots, n\}$, define:

$B^{u,v}_i(m) \overset{\mathrm{df}}{=} D_m \wedge \bigwedge_{j \neq i} \{|u\restriction j|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$

where we abuse notation by using $B^{u,v}_i$ as the name for the "array" of guards $B^{u,v}_i(m)$, and also as the name for the guard of $ARC^{u,v}_i$, as defined above. The use of the index $(m)$ will always disambiguate these two uses.

We now define the set of arcs $ARCS^{u,v}_i$ to contain $n$ arcs, $a(1), \ldots, a(n)$, where

$a(m) \overset{\mathrm{df}}{=} (u\restriction i,\ B^{u,v}_i(m) \to A^{u,v}_i,\ v\restriction i)$ for all $m \in 1, \ldots, n$.

In particular, all these arcs start in local state $u\restriction i$ of $P_i$ and end in local state $v\restriction i$ of $P_i$.

Proposition 8 $(\bigvee_{1 \le m \le n} B^{u,v}_i(m)) \equiv B^{u,v}_i$

Proof. Immediate from the definitions and distribution of $\wedge$ through $\vee$. ✷

It remains to show how each $a(m)$ can be rewritten into pairwise normal form. For all $j \notin \{i, c\}$, define

$B^{u,v}_i(m, j) \overset{\mathrm{df}}{=} LIT^j_m(tv^j_{ji}.c) \wedge \{|u\restriction j|\}$

For $j = c$:

$B^{u,v}_i(m, c) \overset{\mathrm{df}}{=} LIT^c_m(tv^c_{ci}.j) \wedge \{|u\restriction c|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$

Note that this works for both $c \neq i$ and $c = i$. The case $c = i$ is why we needed to allow $x^i_{ii}$ and $tv^i_{ii}$. Otherwise we would need a special case to deal with $c = i$. In effect, when $c = i$ we include $B^{u,v}_i(m, c)$ as a conjunct of $B^{u,v}_i(m, \ell)$, where $P_\ell$ is the process arbitrarily chosen to "share" $x^i_{ii}$ and $tv^i_{ii}$ with $P_i$. This allows us to conform to pairwise normal form, and to use $(\bigwedge_{j \neq i} B^{u,v}_i(m, j))$ as the guard of the arc:

Proposition 9 $(\bigwedge_{j \neq i} B^{u,v}_i(m, j)) \equiv B^{u,v}_i(m)$

Proof of Proposition 9. By definition, $B^{u,v}_i(m) = D_m \wedge \bigwedge_{j \neq i} \{|u\restriction j|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$. We also have, by construction, $D_m = LIT^c_m(tv^c_{ci}.j) \wedge \bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c)$. Hence $B^{u,v}_i(m) \equiv LIT^c_m(tv^c_{ci}.j) \wedge (\bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c)) \wedge (\bigwedge_{j \neq i} \{|u\restriction j|\}) \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$.
Splitting up conjunctions and rearranging gives us: $B^{u,v}_i(m) \equiv (\bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c)) \wedge (\bigwedge_{j \notin \{c,i\}} \{|u\restriction j|\}) \wedge LIT^c_m(tv^c_{ci}.j) \wedge \{|u\restriction c|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))$. Grouping together the first two conjunctions, and the last three: $B^{u,v}_i(m) \equiv (\bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c) \wedge \{|u\restriction j|\}) \wedge [LIT^c_m(tv^c_{ci}.j) \wedge \{|u\restriction c|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))]$. Now $LIT^j_m(tv^j_{ji}.c) \wedge \{|u\restriction j|\}$ is just $B^{u,v}_i(m, j)$, and $[LIT^c_m(tv^c_{ci}.j) \wedge \{|u\restriction c|\} \wedge (\bigwedge_{x \in \mathcal{SH}} x^c_{ci} = u(x))]$ is just $B^{u,v}_i(m, c)$. Hence $B^{u,v}_i(m) \equiv (\bigwedge_{j \notin \{c,i\}} B^{u,v}_i(m, j)) \wedge B^{u,v}_i(m, c)$. Thus $B^{u,v}_i(m) \equiv \bigwedge_{j \neq i} B^{u,v}_i(m, j)$. ✷

The timestamps $t^j_i$ are written and read by $P_i$ and no other process. To achieve pairwise normal form, we now make the $t^j_i$ part of the local state of $P_i$. Thus, we replace each local state $r_i$ of $P_i$ by $3^K$ local states, each of which agrees with $r_i$ on the atomic propositions in $AP_i$. There is one such state for every different assignment of timestamp values to $t^1_i, \ldots, t^K_i$. Call the new process that results $PP_i$, and let $PP = (St,\ PP_1 \| \cdots \| PP_K)$. Note that $PP$ has the same initial states as $P$. Let $r'_i$ be a local state of $PP_i$, and let $t^1_i, \ldots, t^K_i$ have some values $d_1, \ldots, d_K$ in $r'_i$. Likewise let $s'_i$ agree with $s_i$ on the atomic propositions in $AP_i$, and let $t^1_i, \ldots, t^K_i$ have some values $d'_1, \ldots, d'_K$ in $s'_i$. Then, the set of arcs $ARCS^{u,v}_i(r'_i, s'_i)$ is defined as follows. $ARCS^{u,v}_i(r'_i, s'_i)$ contains $n$ arcs, $a'(1), \ldots, a'(n)$, where

$a'(m) \overset{\mathrm{df}}{=} (r'_i,\ \bigotimes_{j \neq i} BB^{u,v}_i(m, j) \to AA^{u,v}_i(m, j),\ s'_i)$ for all $m \in 1, \ldots, n$.

In particular, all these arcs start in $r'_i$ and end in $s'_i$.
Also:

For all $j \neq i$, $BB^{u,v}_i(m, j) \overset{\mathrm{df}}{=} B^{u,v}_i(m, j) \wedge step(d_j, tv^j_{ji}.i) = d'_j$

For all $j \neq i$, $AA^{u,v}_i(m, j) \overset{\mathrm{df}}{=} (tv^i_{ij} := \langle \ldots, step(d_j, tv^j_{ji}.i), \ldots \rangle;\ \|_{x \in \mathcal{SH}}\ x^i_{ij} := v(x))$

The new conjunct $step(d_j, tv^j_{ji}.i) = d'_j$ in effect checks that the values of the timestamps $t^j_i$ for all $j$ in the new local states are exactly those that the operation $step(t^j_i, t^i_j)$ would return, i.e., those values that would indicate that $P_i$ has executed later than $P_j$. The timestamp vector $tv^i_{ij}$ can now be updated correctly without violating pairwise normal form, since the update can be performed using the $d_j$ values, which are constants, and the $tv^j_{ji}.i$, which are shared pairwise between $P_i$ and $P_j$ and are therefore permitted by pairwise normal form.

Let $M_{PP} = (St_P, S_P, R_{PP})$ be the state-transition diagram of $PP$. Note that $PP$ and $P$ have the same initial states, and the same global states, by definition.

Theorem 10 $M_P \sim M_{PP}$

Proof of Theorem 10. Let $(r, i, s) \in R_P$. $(r, i, s)$ results from executing an arc $ARC^{u,v}_i$. Hence $B^{u,v}_i$ is true in state $r$. By Proposition 8, some $B^{u,v}_i(m)$ is true in state $r$. Hence $\bigwedge_{j \neq i} B^{u,v}_i(m, j)$ is true in state $r$, by Proposition 9. Now let $r'$, $s'$ be the states in $M_{PP}$ that correspond to states $r$, $s$ in $M_P$, that is, $r'$ and $r$ agree on all atomic propositions and shared variables (including timestamps), and likewise $s$ and $s'$. Let $r'_i = r'\restriction i$, $s'_i = s'\restriction i$. Let $t^1_i, \ldots, t^K_i$ have values $d_1, \ldots, d_K$ in $r'_i$ (and hence also in $r'$), and values $d'_1, \ldots, d'_K$ in $s'_i$ (and hence also in $s'$). ($r$, $r'$ are essentially different ways of referring to the same state, to indicate whether the containing structure is $M_P$ or $M_{PP}$, and likewise $s$, $s'$.)
Since $(r, i, s)$ results from executing $ARC^{u,v}_i$, $step(d_j, tv^j_{ji}.i) = d'_j$ must hold, since the action $A^{u,v}_i$ of $ARC^{u,v}_i$ contains the assignment $\|_{j \neq i}\ t^j_i := step(t^j_i, tv^j_{ji}.i)$. Hence $\bigwedge_{j \neq i} BB^{u,v}_i(m, j)$ is true in state $r'$. Thus, arc $a'(m)$ of the set $ARCS^{u,v}_i(r'_i, s'_i)$ is enabled in state $r'$. Execution of $a'(m)$ in state $r'$ leads to state $s'$, by definition of $AA^{u,v}_i(m, j)$. Hence $(r', i, s') \in R_{PP}$.

Now let $(r', i, s') \in R_{PP}$. $(r', i, s')$ results from executing an arc $a'(m)$ of some set $ARCS^{u,v}_i(r'_i, s'_i)$, where $r'_i = r'\restriction i$, $s'_i = s'\restriction i$. We can run the previous argument "backwards" to show that $ARC^{u,v}_i$ is enabled in state $r$ of $M_P$, and that its execution results in state $s$ of $M_P$. Hence $(r, i, s) \in R_P$. We have in fact shown that $R_P = R_{PP}$, i.e., that the structures $M_P$ and $M_{PP}$ are identical. Hence they are certainly bisimilar. ✷

Corollary 11 $M_Q \sim M_{PP}$

Proof. Immediate from Proposition 3, Corollary 7 and Theorem 10, along with the transitivity of bisimulation. ✷

Since $PP$ is in pairwise normal form by construction, our main result follows immediately:

Theorem 12 Let $Q$ be any finite-state concurrent program. Then there exists a concurrent program $PP$ such that (1) the global state transition diagrams of $Q$ and $PP$ are bisimilar, and (2) $PP$ is in pairwise normal form.

Our result shows that $PP$ and $Q$ have essentially the same behavior, since strong bisimulation is the strongest notion of equivalence between concurrent programs. A consequence of our result is that $PP$ and $Q$ satisfy the same specifications, for many logics of programs. Recall that $M_{PP}$ and $M_Q$ are the global state transition diagrams of $PP$ and $Q$, respectively.
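Clauses 1 to 3 of Definition 3, as restated in the proof of Theorem 6, can be checked directly on small structures. The Python below is an added example, not code from the paper: it takes two process-indexed transition relations (triples $(u, i, v)$ as in $R_Q$ and $R_P$), a labelling of states with atomic propositions standing in for $u\restriction AP$, and a candidate relation standing in for $\bowtie$, and tests the three clauses; a second function adds the initial-state condition used in Corollary 7. The two structures and the relation are constructed here for illustration: the second structure splits one state of the first into two copies distinguished by the process whose transition enters it, which is the kind of replication the proof of Theorem 14 refers to.

```python
# Added example (not from the paper): a checker for the three clauses of a strong
# bisimulation between two process-indexed transition systems.

def is_strong_bisimulation(rel, ap_q, ap_p, R_q, R_p):
    """rel: set of (u, r) pairs, the candidate for the relation the text calls bowtie.
    ap_q/ap_p: dict state -> frozenset of atomic propositions true in that state.
    R_q/R_p: set of transitions (src, process_index, dst).
    Returns True iff every (u, r) in rel satisfies clauses 1-3 of Definition 3."""
    for (u, r) in rel:
        # clause 1: related states agree on the atomic propositions
        if ap_q[u] != ap_p[r]:
            return False
        # clause 2: each move (u, i, v) of Q is matched by some (r, i, s) with (v, s) in rel
        for (src, i, v) in R_q:
            if src == u and not any(
                    rs == r and ip == i and (v, s) in rel for (rs, ip, s) in R_p):
                return False
        # clause 3: each move (r, i, s) of P is matched by some (u, i, v) with (v, s) in rel
        for (rs, i, s) in R_p:
            if rs == r and not any(
                    src == u and iq == i and (v, s) in rel for (src, iq, v) in R_q):
                return False
    return True


def structures_bisimilar(rel, init_q, init_p, ap_q, ap_p, R_q, R_p):
    """Corollary 7 style check: rel is a strong bisimulation and every initial
    state of either structure is related to some initial state of the other."""
    if not is_strong_bisimulation(rel, ap_q, ap_p, R_q, R_p):
        return False
    return (all(any((u0, r0) in rel for r0 in init_p) for u0 in init_q) and
            all(any((u0, r0) in rel for u0 in init_q) for r0 in init_p))


# Constructed sample (two processes, indices 1 and 2). Q has two states; P splits
# q1 into two copies p1a/p1b distinguished by which process's transition enters it.
AP_Q = {"q0": frozenset(), "q1": frozenset({"a"})}
R_Q = {("q0", 1, "q1"), ("q0", 2, "q1"), ("q1", 1, "q0")}
INIT_Q = {"q0"}

AP_P = {"p0": frozenset(), "p1a": frozenset({"a"}), "p1b": frozenset({"a"})}
R_P = {("p0", 1, "p1a"), ("p0", 2, "p1b"), ("p1a", 1, "p0"), ("p1b", 1, "p0")}
INIT_P = {"p0"}

REL = {("q0", "p0"), ("q1", "p1a"), ("q1", "p1b")}

# A defective variant: p1b is now entered by process 1, so the move (q0, 2, q1)
# has no P-move with the same process index and clause 2 fails.
R_P_BAD = {("p0", 1, "p1a"), ("p0", 1, "p1b"), ("p1a", 1, "p0"), ("p1b", 1, "p0")}


if __name__ == "__main__":
    print("REL is a strong bisimulation:",
          is_strong_bisimulation(REL, AP_Q, AP_P, R_Q, R_P))
    print("M_Q ~ M_P:",
          structures_bisimilar(REL, INIT_Q, INIT_P, AP_Q, AP_P, R_Q, R_P))
    print("with mismatched process index:",
          is_strong_bisimulation(REL, AP_Q, AP_P, R_Q, R_P_BAD))
```

The process index carried on each transition is what makes this the bisimulation of Definition 3 rather than an unlabelled one: the defective variant has the same states, labels and reachable shape, and is rejected only because a transition of process 2 cannot be matched by a transition of process 1.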
Let $f$ be a formula of the temporal logic CTL* [10], and define $M_Q \models f$ to mean $\forall u \in St_Q : M_Q, u \models f$, and $M_{PP} \models f$ to mean $\forall s \in St_P : M_{PP}, s \models f$, where $M_Q, u \models f$ and $M_{PP}, s \models f$ refer to the usual satisfaction relation of CTL* [10]. Then we have:

Corollary 13 Let $f$ be a formula of CTL*. Then $M_Q \models f$ iff $M_{PP} \models f$.

Proof. Immediate from Corollary 11 and Theorem 14 in [7, chapter 11]. ✷

We could easily establish similar results for other logics, such as the mu-calculus.

4.4 Complexity Results

For a single process $Q_i$, define $|Q_i|$, the size of $Q_i$, to be the size of the representation of $Q_i$ using a standard complexity-theoretic encoding, i.e., enumeration for sets, character strings for guards and actions, etc. Likewise define $|PP_i|$. Define $|Q|$, the size of $Q$, to be $|St_Q| + |Q_1| + \cdots + |Q_K|$, and $|PP|$, the size of $PP$, to be $|St_P| + |PP_1| + \cdots + |PP_K|$. Define the size of a Kripke structure to be the number of states plus the number of transitions.

Theorem 14 $|PP|$ is in $O(K \exp(|Q| + K))$.

Proof. $|M_Q|$ is in $O(\exp(|Q|))$ by Definition 2. $|M'_Q|$ is in $O(K \cdot |M_Q|)$, since each state and transition in $M_Q$ is "replicated" at most $K$ times. So $|M'_Q|$ is in $O(K \exp(|Q|))$. For each transition in $M'_Q$, $PP$ contains a number of arcs that is in $O(\exp(K))$. Hence $|PP|$ is in $O(|M'_Q| \cdot \exp(K))$, and so $|PP|$ is in $O(K \cdot \exp(|Q|) \cdot \exp(K))$. Thus $|PP|$ is in $O(K \exp(|Q| + K))$. ✷

5 Related Work

It has long been known that a multiple-reader multiple-writer atomic register can be implemented using a set of single-reader single-writer registers, and there are many such atomic register constructions in the literature [6, chapter 10].
Since, by definition, a single-reader single-writer register is shared by two processes, these constructions may seem to subsume our result. However, the atomic register constructions do not respect pairwise normal form. For example, they may involve the operation of taking the maximum over a set of single-reader single-writer registers that involve many different pairs of processes. This direct use of register values corresponding to many different pairs, in computing a single expression value, is a direct violation of pairwise normal form.

6 Conclusions and Future Work

We showed that any finite-state shared memory concurrent program can be rewritten in pairwise normal form, up to strong bisimulation, for a high-atomicity model of concurrent computation. A topic of future work is to establish a similar result in a low-atomicity model, for example that presented in [3]. Our results have significant implications for the efficient synthesis and model-checking of finite-state shared memory concurrent programs. In particular, they show that the approaches of [1, 2, 5] do not sacrifice any expressive power by restricting attention to pairwise normal form.

References

[1] P. C. Attie. Synthesis of large concurrent programs via pairwise composition. In CONCUR'99: 10th International Conference on Concurrency Theory, number 1664 in LNCS. Springer-Verlag, Aug. 1999.
[2] P. C. Attie and E. A. Emerson. Synthesis of concurrent systems with many similar processes. ACM Trans. Program. Lang. Syst., 20(1):51–115, Jan. 1998.
[3] P. C. Attie and E. A. Emerson. Synthesis of concurrent systems for an atomic read/write model of computation. ACM Trans. Program. Lang. Syst., 23(2):187–242, Mar. 2001. Extended abstract appears in Proceedings of the 15th ACM Symposium on Principles of Distributed Computing (PODC), Philadelphia, May 1996, 111–120.
[4] P. C. Attie. Synthesis of large dynamic concurrent programs from dynamic specifications. Technical report, Northeastern University, Boston, MA, 2003. Available at http://www.ccs.neu.edu/home/attie/pubs.html.
[5] P. C. Attie and H. Chockler. Efficiently verifiable sufficient conditions for deadlock-freedom of large concurrent programs. Technical report, Northeastern University, Boston, MA, 2004. Available at http://www.ccs.neu.edu/home/attie/pubs.html.
[6] H. Attiya and J. Welch. Distributed Computing. McGraw Hill, London, UK, 1998.
[7] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, 1999.
[8] D. Dolev and N. Shavit. Bounded concurrent time-stamping. SIAM J. Comput., 26(2):418–455, Apr. 1997.
[9] E. W. Dijkstra. A Discipline of Programming. Prentice-Hall Inc., Englewood Cliffs, N.J., 1976.
[10] E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, Formal Models and Semantics. The MIT Press/Elsevier, Cambridge, Mass., 1990.
[11] E. A. Emerson and E. M. Clarke. Using branching time temporal logic to synthesize synchronization skeletons. Sci. Comput. Program., 2:241–266, 1982.
