Event structure semantics of (controlled) reversible CCS

Highlights

• Event structure semantics of uncontrolled and controlled statically reversible CCS.

• Causal reversible bundle event structure semantics of uncontrolled reversible CCS.

• Statically reversible CCS controlled by rollback.

• Non-causal extended bundle event structure semantics of reversible CCS with rollback.

Abstract

CCSK is a reversible form of CCS which is causal, meaning that actions can be reversed if and only if each action caused by them has already been reversed; there is no control on whether or when a computation reverses. We propose an event structure semantics for CCSK. For this purpose we define a category of reversible bundle event structures, and use the causal subcategory to model CCSK. We then modify CCSK to control the reversibility with a rollback primitive, which reverses a specific action and all actions caused by it. To define the event structure semantics of rollback, we change our reversible bundle event structures by making the conflict relation asymmetric rather than symmetric, and we exploit their capacity for non-causal reversibility.

Introduction

Reversible process calculi have been studied in works such as [7], [9], [11], [18], [19], [26]. One feature of such reversible processes compared to forward-only processes is their sensitivity to true concurrency distinctions [25]. For instance, using CCS notation, the processes $a|b$ and $a.b+b.a$, which are respectively a parallel composition and a choice between two orderings of events, are equivalent under interleaving semantics; however in a reversible setting we can distinguish them by noting that $a|b$ allows us to perform a followed by b and then to reverse a, which is impossible for $a.b+b.a$. This motivates us to use event structures [24] to formulate a truly concurrent semantics of a reversible process calculus.

Two reversible forms of CCS have been proposed, both using uncontrolled reversibility: RCCS [9] and CCSK [26]. RCCS creates separate memories to store past (executed) actions, what is known as dynamic reversibility, while CCSK annotates past actions with keys within the processes themselves, known as static reversibility. We formulate an event structure semantics for CCSK rather than RCCS, since the semantics for past and future actions can be defined in a similar manner, rather than having to encompass both processes and memories. We note that Lanese et al. [16], [22] showed that RCCS and CCSK can be encoded in one another, meaning one can use their encoding in conjunction with our event structure semantics to obtain an event structure semantics for RCCS.

Event structures are a model of true concurrency and have been used for modelling forward-only process calculi [3], [6], [31]. Describing reversible processes as event structures gives us a simple representation of the causal relationships between actions and also yields equivalences between processes which generate isomorphic event structures. True concurrency in semantics is particularly important in reversible process calculi, as the order actions can reverse in depends on their causal relations rather than how the parallel actions interleave [25]. Knowing the causal relationships between actions in concurrent processes is also important when using causal-consistent debugging [20] to find bugs created by interactions between processes.

Cristescu et al. [8] used rigid families [4], related to event structures, to describe the semantics of Rπ [7]. However, their semantics requires a process to first reverse all actions to find the original process, map this process to a rigid family, and then apply each of the reversed memories in order to reach the current state of the process. Aubert and Cristescu [1] used a similar approach to describe the semantics of RCCS processes without auto-concurrency, auto-conflict, or recursion as configuration structures. By contrast, we map a CCSK process (with auto-concurrency, auto-conflict, and recursion) with past actions directly to a (reversible) event structure in a strictly denotational fashion.

Reversible forms of prime [27], asymmetric [27], and general [29] event structures have already been defined, but the usual way of handling parallel composition of forward-only prime (PES) and asymmetric event structures (AES) [30] does not translate into a reversible setting, and general event structures are far more expressive than is necessary for modelling reversible CCSK. We also considered using a reversible variant of flow event structures [3], but found that the additional expressiveness of flow event structures was unnecessary, and in fact created problems when it came to defining a category of the forward-only flow event structures [5]. We therefore chose to use bundle event structures (BESs) [21].

BESs were created with the specific purpose of allowing the same event to have multiple conflicting causes, thereby making it possible to model parallel composition without creating multiple copies of events. They do this by associating events with bundles of conflicting events, $X\mapsto e$, where in order for event e to happen one of the events of X must have already happened.

This approach can be used for modelling cases such as Example 1.1 below, where an action a has multiple options for synchronisation, either of which would allow the process to continue with the action b. If we model each synchronisation or lack thereof as a separate event then we clearly need to let b have multiple possible causes, which we can accomplish using BESs, but not using PESs. Having multiple copies of events depending on which causes we use is not possible in a reversible PES, as we do not know when performing an event what will cause it to reverse. If in Example 1.1 instead (the event labelled) b can reverse only from configurations containing either a or τ, we can have a situation where we do not have a or τ in the configuration we want to add b to, and then we do not know whether to add the b that can reverse when a is present or the b that can reverse when τ is present. In a reversible setting, bundles therefore not only simplify our event structures, but become necessary when we have events causing each other to reverse.

Example 1.1 Process represented as a BES

The CCS process $a.b|\bar{a}$ can be described by a BES with the events $a,\tau ,\bar{a},b$, the bundle $\{a,\tau \}\mapsto b$, and the conflicts $a♯\tau$ and $\bar{a}♯\tau$ as seen in Fig. 1 where a dashed line indicates conflict and connected arrows indicate a bundle. The process cannot be represented by a PES or AES without splitting some events into multiple events, due to b having multiple possible causes.

We therefore define a category of reversible BESs (RBESs) in Section 3. Since the reversibility allowed in CCSK (as in RCCS) is causal, meaning that actions can be reversed if and only if every action caused by them has already been reversed, we use the causal subcategory of RBESs for defining a denotational semantics of CCSK in Section 4.

Causal reversibility has the drawback of allowing a process to get into a loop doing and undoing the same action indefinitely; there is no control on whether or when a computation reverses. We modify CCSK to control reversibility by adding the rollback introduced for roll-π in [17]. In Roll-CCSK every action receives a tag γ, and the process only reverses when reaching a $\mathsf{roll}\gamma$ primitive, upon which the action tagged with γ, together with all actions caused by it, are reversed. As in roll-π, the rollback in Roll-CCSK is maximally permissive, meaning that any subset of reached rollbacks may be executed, even if one of them rolls back the actions leading to another.

The operational semantics of rollback works somewhat differently in Roll-CCSK from roll-π, since roll-π has a set of memories describing past actions in addition to a π-calculus process, while CCSK has the past actions incorporated into the structure of the process, meaning that it is harder to know whether one has found all the actions necessary to reverse. Since roll-π is based on higher order-π, it can create recursion by sending processes. Roll-CCSK on the other hand has explicit recursion, and therefore needs to use bindings on tags to avoid ambiguity about which tag a roll is associated with.

As in roll-π, we also describe a more distributed semantics of rollback. This version of the semantics reverses each action marked for rollback individually, rather than performing the entire roll in one step. However, unlike roll-π, we mark all past actions in one step. We do this because propagating a marking of past actions would otherwise require the action being marked to be able to look at previous actions further back in the structure of the process to find markings it can propagate. In roll-π this is not an issue, since one has a set of parallel memories all at the same level, which can easily be compared to find out which order they are in. We describe both of these operational semantics of Roll-CCSK in Section 6.

Rollback has also been defined for μKlaim, a tuple-based language with shared memory [13]. This was done similarly to roll-π, giving the locations of shared memories keys, which change when a process interacts with the location. Another variant of CCS with rollback, CCS_roll was defined in [23]. CCS_roll, like roll-π, has memories in parallel with the process and equips the process with an ordering of keys, which it uses to determine which actions have been caused by the action being rolled back. This makes the semantics less compositional than Roll-CCSK. The causal-consistent reversible debugger for Erlang, CauDEr [20], allows the user to roll back not only to a checkpoint, but to other past events such as receiving or sending a specific message.

Once a $\mathsf{roll}\gamma$ event has happened, we need to ensure that not only are the events caused by the γ-tagged action $a_{\gamma }$ able to reverse, but they cannot re-occur until the rollback is complete, at which point the $\mathsf{roll}\gamma$ event is reversed. This requires us to model asymmetric conflict between $\mathsf{roll}\gamma$ and events caused by $a_{\gamma }$ (apart from $\mathsf{roll}\gamma$ itself). Asymmetric conflict is allowed in extended BESs (EBESs) [21]. We define a category of reversible EBESs (REBESs) in Section 5 and use them to give an event structure semantics of rollback in Section 7. Note that we do not restrict ourselves to the causal subcategory of REBESs, since reversibility in Roll-CCSK is not necessarily causal: an action $a_{\gamma }$ tagged with γ is a cause of $\mathsf{roll}\gamma$, but we want $a_{\gamma }$ to reverse before $\mathsf{roll}\gamma$ does.

Outline. Section 2 recalls CCSK. Section 3 describes (reversible) bundle event structures and their categories. Section 4 defines the event structure semantics of CCSK. Section 5 describes (reversible) extended bundle event structures. Section 6 defines Roll-CCSK, a version of CCSK where reversibility is controlled by rollback, and its operational semantics, and Section 7 uses reversible extended bundle event structures to describe the event structure semantics of Roll-CCSK.

Changes from conference version [14].

• We include proofs of all results.

• Sections 3 and 5 include categorical definitions of the forward-only bundle and extended bundle event structures.

• Sections 3 and 5 include functors between the newly introduced categories and their forward-only counterparts and between RBES and REBES and other categories of reversible event structures introduced in [15] creating the categories of reversible event structures and functors between them shown in Fig. 2.

• Section 2 includes Proposition 4.8 showing that our ordering on event structures is a complete partial order and Lemma 4.9, Lemma 4.10, Lemma 4.11, Lemma 4.12 showing that the operations we define on the event structures are monotonic.

• Section 5 includes full definitions of REBES-morphisms, a functor from REBES to CS, and causal and cause-respecting REBESs. It also includes characterisations of products and coproducts of REBESs.

• We correct Definition 6.1, Definition 6.2 so that they deal with keys rather than tags, as tags are not necessarily unique. As a consequence we change rollbacks to be performed on tags after they find their associated action and therefore do not need the concept of bound tags.

• We add a more distributed small-step variant of the rollback semantics to Section 6. This semantics marks all the actions needing to be reversed and afterwards reverses them individually, rather than reversing them all at once when the rollback is performed. While the marked actions are being reversed, subprocesses not preceded by marked actions can continue to perform forward actions.

• Section 7 includes intermediate results Lemma 7.17, Lemma 7.18.

• We have added Example 3.5, Example 3.22, Example 3.26, Example 6.3, Example 6.7, Example 6.14, Example 7.2, Example 7.5.