Efficiency of asynchronous systems, read arcs, and the MUTEX-problem
Walter Vogler
Theoretical Computer Science 275 (2002) 589–631
www.elsevier.com/locate/tcs
Institut für Informatik, Universität Augsburg, Universitätstr. 2, D-86135 Augsburg, Germany
Received April 1998; accepted June 2001
Communicated by M. Nivat
Abstract
Two solutions to the MUTEX-problem are compared w.r.t. their temporal efficiency. For this, a formerly developed efficiency testing for asynchronous systems is adapted to Petri nets with so-called read arcs. Furthermore, a compositional semantics for fair behaviour (in the sense of the progress assumption) is presented. On the one hand, this semantics is related to efficiency testing. On the other hand, it is used to specify formally what a solution to the MUTEX-problem is. It is shown that one of our solutions indeed satisfies this specification and that ordinary nets without read arcs cannot solve the MUTEX-problem. © 2002 Elsevier Science B.V. All rights reserved.
Keywords: Concurrent system; Testing; Performance; Fairness; Mutual exclusion
1. Introduction
The testing scenario of De Nicola and Hennessy [8] has been developed further in [34, 35, 14] in order to compare the temporal efficiency of asynchronous systems, using Petri nets as system models. This approach is applied here to two solutions of the mutual-exclusion problem (MUTEX-problem) based on token passing. The corresponding nets contain what we call read arcs, and one of our main results is that ordinary nets without read arcs cannot solve the MUTEX-problem.
In Petri nets, the check of a side-condition is modelled with a loop as shown in Fig. 1: the occurrence of t removes the token on c and restores it afterwards; consequently, t and t′ can occur in any order, but not at the same time. This is certainly adequate in many cases, e.g. if c models the processor that t and t′ run on or a lock on a region of a database that t and t′ have to acquire. In other cases, we might want a side-condition that must be true for t or t′ to occur, but which is left untouched such that t and t′ can occur at the same time; e.g. c might be a value from a database, which can be read concurrently. We model such cases with special read arcs instead of loops. This discussion should make clear that the issue ‘read arcs vs. loops’ is not just a technical problem of Petri nets, but will have its counterpart at least in any model of shared memory.
Fig. 1.
This work was partially supported by the DFG-project ‘Halbordnungstesten’. An extended abstract has appeared in Proc. ICALP 97, LNCS 1256, pp. 538–548 under the title ‘Efficiency of Asynchronous Systems and Read Arcs in Petri Nets’.
E-mail address: vogler@informatik.uni-augsburg.de, walter.vogler@informatik.uni-augsburg.de (W. Vogler).
The idea of read arcs is very natural, but it seems that until quite recently they have not found so much attention, probably because loops and read arcs are treated just the same if we only look at interleaving semantics. But they do make a difference when we explicitly take into account concurrency. E.g. Christensen and Hansen [5] discuss a step semantics and Montanari and Rossi [21] define net-processes for nets with read arcs (or positive contexts, as they are called there). In both approaches, a net with read arcs can be translated to an equivalent net without; the respective construction (without a formal treatment) can already be found in [30]. It is argued in [21] that nets with read arcs can be more natural and compact. In clear contrast, read arcs are even better motivated in our setting, since they add relevant expressivity: the MUTEX-problem can be solved with nets having read arcs, but not with ordinary nets having no read arcs.
To prove this, we have to specify formally what a solution to the MUTEX-problem is; for this, we have to consider fairness (in the sense of weak fairness or progress assumption). Thus, this paper is concerned with the triangle ‘efficiency testing – MUTEX-problem – fairness’, where efficiency testing is applied to two solutions of the MUTEX-problem and fairness is needed to specify such a solution. We close this triangle by showing that efficiency testing is based on a behaviour notion which is a fairly conservative extension of fair behaviour.
In the testing approach of De Nicola and Hennessy [8], a system is an implementation if it performs in all environments, i.e. for all users, just as well as the specification. While in the classical setting successful performance only depends on the functionality, i.e. which actions are executed, the testing approach was refined in [34] to take also into account the efficiency of implementation and specification: success (indicated by an action ω) has to be reached within a given time. The must-version of this efficiency testing (concerned with worst case behaviour) is not so easy to define in the case of asynchronous systems, where time cannot be used to coordinate components since these work with indeterminate speeds; most often, this is interpreted as ‘each component may work arbitrarily slow’. Under this interpretation, the worst case is simply that nothing is done for a long time, hence every test is failed and we do not have a sensible theory of testing.
As a way out, it is assumed in [35] that each action is performed within one unit of time (or is disabled within this time). Such an upper time bound is a reasonable basis for judging the efficiency, see e.g. [24, 18]; since actions can also be performed arbitrarily fast, the components work with indeterminate relative speeds also under this assumption, and we have a valid theory for asynchronous systems. Taking 1 as upper time bound is a natural standard choice, and it allows us to assess the efficiency of Petri nets without explicit timing. (Similarly, if we want to view Petri nets without explicit timing as synchronous systems, one naturally assumes that each transition fires exactly at time 1 after enabling, and this gives the well-known maximal-step semantics.) When we define the new behaviour notion using the upper time bound, we will argue more formally why this gives a general theory of asynchronous systems; we will extend this argument when comparing the new behaviour notion to fairness.
It turns out that, for the testing scenario in [35], the implementation preorder is a sensible faster-than relation. While in [35] a discrete time scale is used, the same idea of efficiency testing is studied in [14] using a dense time scale. Three variants are considered and each of them is shown to coincide with a discretely timed version; one of the variants is the one from [35]. We will consider here another of the three variants, which is probably the simplest one: in this variant, transitions must fire within time 1, but the firing itself is instantaneous.
After defining nets with read arcs and some basic concepts in Section 2, we define our asynchronous firing rule with dense time in Section 3. The essential point is that the firing of t in Fig. 1 disables t′, say, at time 1; hence t′ gets again one unit of time when re-enabled and might fire at time 2. If t were on a read arc with c, then t′ would not be disabled, hence it would have to fire at time 1, too. We generalize the development of Jenner and Vogler [14] to nets with read arcs and show that discrete time can be used just as well. Section 4 presents a characterization of the faster-than relation that results from testing; this characterization is used to show that, roughly speaking, read arcs are faster than loops.
It is natural to assume that, in a parallel system, an independent processor that has all resources available to proceed with some activity will indeed do so eventually. This progress assumption is formalized in Section 5, where the fair language of a net with read arcs is defined. Also, fair failure semantics is presented, which is a suitable compositional semantics for dealing with fair behaviour. As a first application of fair failure semantics, we relate it to our efficiency testing and take this as formal basis to discuss the generality of our approach. We give some preliminary results on the expressiveness of read arcs in Section 6.
In Section 7, we give the two MUTEX-solutions with read arcs. While usually a solution is seen as code that has to be added to the code of the user processes, we view a solution as an independent component; this component and the users are composed in parallel, synchronizing on the request-, enter- and leave-actions. In this view, the MUTEX-process just offers certain actions, e.g. it offers the request-actions initially, but one or both of these actions might never be performed; this fits very well the fair failure semantics, which we use to define formally what a solution to the MUTEX-problem is. This definition is in terms of actions that are or are not performed; hence, it can in principle be translated to other action-based formalisms like process algebras. With this definition, we prove the correctness of one of our solutions and then show that no net without read arcs can be correct. Finally, we compare the speed of the two solutions: in one case, a token allowing access to the critical section is passed around either after leaving the critical section or if no access is requested; in the other case, one user owns the token such that the other user has to order the token in case of need. We prove that, from the point of view of one user seen in isolation, the first solution is more efficient. Some more related literature is discussed in Section 8.
2. Basic notions of Petri nets with read arcs
In this section, we introduce Petri nets which are extended with read arcs as explained in the introduction; we define the basic firing rule and the parallel composition for such nets. For general information on ordinary Petri nets, the reader is referred to e.g. [23, 29]. We will deal with safe nets (safe place/transition-nets extended with read arcs) whose transitions are labelled with actions from some infinite alphabet Σ or with the empty word λ. In general, these actions are left uninterpreted; the labelling only indicates that two transitions with the same label from Σ represent the same action occurring in different internal situations, while λ-labelled transitions represent internal, unobservable actions. Σ contains a special action ω, which we will need in our tests to indicate success.
Thus, a labelled Petri net with read arcs N = (S, T, F, R, l, M_N) (or just a net for short) consists of finite disjoint sets S of places and T of transitions, the flow F ⊆ S × T ∪ T × S consisting of (ordinary) arcs, the set of read arcs R ⊆ S × T, the labelling l : T → Σ ∪ {λ}, and the initial marking M_N : S → {0, 1}; we require that (R ∪ R⁻¹) ∩ F = ∅. When we introduce a net N or N1 etc., then we assume that this implicitly introduces its components S, T, F, … or S1, T1, …, etc. and similarly for other tuples later on. The net is called ordinary if R = ∅.
As usual, we draw transitions as boxes, places as circles and arcs as arrows; read
arcs are drawn as lines without arrow heads.
For each x ∈ S ∪ T, the preset of x is ·x = {y | (y, x) ∈ F}, the postset of x is x· = {y | (x, y) ∈ F}, and the read set of x is x̂ = {y | (y, x) ∈ R ∪ R⁻¹}. These notions are extended to sets as usual, e.g. ·X is the union of all ·x with x ∈ X. If x ∈ ·y ∩ y·, then x and y form a loop. A marking is a function S → N0. We sometimes regard sets as characteristic functions, which map the elements of the sets to 1 and are 0 everywhere else; hence, we can e.g. add a marking and a postset of a transition or compare them componentwise.
We now define the basic firing rule, which extends the firing rule for ordinary nets by regarding a read arc (s, t) as a loop, i.e. as ordinary arcs (s, t) and (t, s).
• A transition t is enabled under a marking M, denoted by M[t〉, if ·t ∪ t̂ ≤ M. If M[t〉 and M′ = M + t· − ·t, then we denote this by M[t〉M′ and say that t can occur or fire under M yielding the marking M′. M is deadlocked if no transition is enabled under M.
• This definition of enabling and occurrence can be extended to sequences as usual: a sequence w of transitions is enabled under a marking M, denoted by M[w〉, and yields the follower marking M′ when occurring, denoted by M[w〉M′, if w = λ and M = M′ or w = w′t, M[w′〉M″ and M″[t〉M′ for some marking M″ and transition t. If w is enabled under the initial marking, then it is called a firing sequence.
• We can extend the labelling to sequences of transitions as usual, i.e. homomorphically; note that internal actions are automatically deleted in this image of a sequence. With this, we lift the enabledness and firing definitions to the level of actions: a sequence v of actions from Σ is enabled under a marking M, denoted by M[v〉〉, if there is some w ∈ T∗ with M[w〉 and l(w) = v; M[v〉〉M′ is defined analogously. If M = M_N, then v is called a trace. The language L(N) is the set of all traces.
• A marking M is called reachable if M_N[w〉M for some w ∈ T∗. The net is safe if M(s) ≤ 1 for all places s and reachable markings M.
General assumption: All nets considered in this paper are safe and only have transitions t with ·t ≠ ∅. (The latter condition is no serious restriction, since it can be satisfied by adding a loop between t and a new marked place if ·t were empty otherwise; this addition does not change the firing sequences.)
Finally, we introduce parallel composition ‖A with synchronization inspired by TCSP. If we combine nets N1 and N2 with ‖A, then they run in parallel and have to synchronize on actions from A. To construct the composed net, we have to combine each a-labelled transition t1 of N1 with each a-labelled transition t2 from N2 if a ∈ A. In the definition of parallel composition, ∗ is used as a dummy element, which is formally combined, e.g., with those transitions that do not have their label in the synchronization set A. (We assume that ∗ is not a transition or a place of any net.)
Let N1, N2 be nets, A ⊆ Σ. Then the parallel composition N = N1 ‖A N2 with synchronization over A is defined by
S = S1 × {∗} ∪ {∗} × S2,
T = {(t1, t2) | t1 ∈ T1, t2 ∈ T2, l1(t1) = l2(t2) ∈ A}
 ∪ {(t1, ∗) | t1 ∈ T1, l1(t1) ∉ A}
 ∪ {(∗, t2) | t2 ∈ T2, l2(t2) ∉ A},
((s1, s2), (t1, t2)) ∈ F if (s1, t1) ∈ F1 with s1 ∈ S1, t1 ∈ T1, or (s2, t2) ∈ F2 with s2 ∈ S2, t2 ∈ T2,
((t1, t2), (s1, s2)) ∈ F if (t1, s1) ∈ F1 with s1 ∈ S1, t1 ∈ T1, or (t2, s2) ∈ F2 with s2 ∈ S2, t2 ∈ T2,
((s1, s2), (t1, t2)) ∈ R if (s1, t1) ∈ R1 with s1 ∈ S1, t1 ∈ T1, or (s2, t2) ∈ R2 with s2 ∈ S2, t2 ∈ T2,
l((t1, t2)) = l1(t1) if t1 ∈ T1, and l2(t2) if t2 ∈ T2,
M_N = M_N1 ∪̇ M_N2, i.e. M_N((s1, s2)) = M_N1(s1) if s1 ∈ S1, and M_N2(s2) if s2 ∈ S2.
We write ‖ for ‖Σ−{ω}. Parallel composition is an important operator for the modular construction of nets. In the present paper, the main purpose of this operator is to combine a net N with a test net. Designing suitable test nets O and looking at the behaviour of N ‖ O, we can get information on the behaviour of N. The net O may also be regarded as an observer of N. For the general approach of testing, see [8].
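To make the construction concrete, here is an added Python example (written for this edition, not code from the paper) that builds N1 ‖A N2 for two small nets given as dictionaries. Everything in it is constructed: the net encoding, the user net with its request/enter/leave transitions, the gate net with a read arc and an internal transition, and the synchronization set A = {enter, leave}; the string "*" plays the role of the dummy element ∗.

```python
from itertools import product

STAR = "*"   # stands for the dummy element ∗ of the definition

def make_net(S, T, l, M0):
    """Net encoding (constructed for this example): S places; T maps a transition to
    (preset, postset, readset); l maps a transition to its label ("" = empty word);
    M0 is the initial marking, place -> 0/1."""
    return {"S": set(S), "T": dict(T), "l": dict(l), "M0": dict(M0)}

def parallel(N1, N2, A):
    """N1 ||_A N2: N1 and N2 run in parallel and synchronize on the actions in A."""
    A = set(A)
    # places of the composed net: (s1, *) for s1 in S1, (*, s2) for s2 in S2
    S = {(s, STAR) for s in N1["S"]} | {(STAR, s) for s in N2["S"]}

    def lift(places1, places2):
        # pre/post/read places of a combined transition, tagged with their origin
        return {(s, STAR) for s in places1} | {(STAR, s) for s in places2}

    T, l = {}, {}
    # (t1, t2): both carry the same label a in A and therefore fire jointly
    for t1, t2 in product(N1["T"], N2["T"]):
        if N1["l"][t1] == N2["l"][t2] and N1["l"][t1] in A:
            (p1, q1, r1), (p2, q2, r2) = N1["T"][t1], N2["T"][t2]
            T[(t1, t2)] = (lift(p1, p2), lift(q1, q2), lift(r1, r2))
            l[(t1, t2)] = N1["l"][t1]
    # (t1, *): a transition of N1 whose label is not in A (this covers internal ones)
    for t1, (p, q, r) in N1["T"].items():
        if N1["l"][t1] not in A:
            T[(t1, STAR)] = (lift(p, ()), lift(q, ()), lift(r, ()))
            l[(t1, STAR)] = N1["l"][t1]
    # (*, t2): likewise for N2
    for t2, (p, q, r) in N2["T"].items():
        if N2["l"][t2] not in A:
            T[(STAR, t2)] = (lift((), p), lift((), q), lift((), r))
            l[(STAR, t2)] = N2["l"][t2]
    # initial marking: the disjoint union of the two initial markings
    M0 = {(s, STAR): N1["M0"][s] for s in N1["S"]}
    M0.update({(STAR, s): N2["M0"][s] for s in N2["S"]})
    return make_net(S, T, l, M0)

# A user process (constructed): it requests, enters and leaves the critical section.
USER = make_net(
    S={"idle", "wait", "cs"},
    T={"u_req": ({"idle"}, {"wait"}, set()),
       "u_enter": ({"wait"}, {"cs"}, set()),
       "u_leave": ({"cs"}, {"idle"}, set())},
    l={"u_req": "req", "u_enter": "enter", "u_leave": "leave"},
    M0={"idle": 1, "wait": 0, "cs": 0})

# A gate (constructed): admits a user while 'on' is marked (checked by a read arc)
# and may switch itself off by an internal transition.
GATE = make_net(
    S={"free", "busy", "on"},
    T={"g_enter": ({"free"}, {"busy"}, {"on"}),
       "g_leave": ({"busy"}, {"free"}, set()),
       "g_off": ({"on"}, set(), set())},
    l={"g_enter": "enter", "g_leave": "leave", "g_off": ""},
    M0={"free": 1, "busy": 0, "on": 1})

COMPOSED = parallel(USER, GATE, {"enter", "leave"})

if __name__ == "__main__":
    for t, (pre, post, read) in COMPOSED["T"].items():
        print(t, "label", repr(COMPOSED["l"][t]), "pre", sorted(pre), "read", sorted(read))
```

The composed net has four transitions: the two synchronized pairs, the unsynchronized request of the user, and the internal switch-off of the gate; the read arc of g_enter is lifted to a read arc of the pair (u_enter, g_enter), so the composed transition still only inspects the place on.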
3. Timed behaviour of asynchronous systems
We will describe the asynchronous behaviour of a parallel system, taking into account the times at which things happen. The components of an asynchronous system vary in speed, but we assume that they are guaranteed to perform each enabled action within at most one unit of time; this upper time bound allows the relative speeds of the components to vary arbitrarily, since we have no positive lower time bound. Thus, the behaviour we define is truly asynchronous.
Hopefully, Definition 3.1 below, which takes time as real-valued, is a convincing formalization of this intuitive concept of asynchronous behaviour; it defines continuous firing sequences where transitions fire and time steps from R+ (the set of positive real numbers) occur. Afterwards we will show that, in the testing framework to be defined, this definition can be replaced by another definition based on discrete time, which is possibly not as convincing at first sight.
We require that each enabled transition fires within time 1, unless it is disabled within this time. To keep track of the remaining time an enabled transition has, we use a function ρ; ρ(t) is initialized to 1 when t gets enabled. The crucial point of read arcs is that they differ from ordinary loops w.r.t. disabling. If we have a loop (c, t), (t, c) and an arc or read arc (c, t′) for a place c and transitions t and t′, compare Fig. 1, then firing t removes the token from c and, thus, disables t′ momentarily, even though t returns the token and activates t′ anew; hence, ρ(t′) is reinitialized to 1. If, instead, (c, t) is a read arc, t just checks for the presence of a token without removing it and, thus, t′ is not disabled and the value of ρ(t′) remains unchanged. In other words, a transition t disables another transition t′ if and only if ·t and ·t′ ∪ t̂′ have a place in common.
Firing itself is instantaneous (as in the basic firing rule), and the definitions and results of this section are more or less the same as those for the special case in [14] called instantaneous firing. We repeat them here with full proofs not only for ease of reference, but mainly for the following two reasons: first, definitions are given here for nets with read arcs and the results are generalized to these nets; second, since our behaviour notion is only one of the three treated in [14], some definitions and proofs can be simplified here.
When dealing with functions (especially those from transitions to real numbers), we
denote a constant function by this constant.
Denition 3.1. A continuous(ly timed) instantaneous description CID of a net is a
pair (M; ) consisting of a marking M of N and a function  mapping the transitions
enabled under M to [0; 1];  describes the residual activation time of an enabled
transition. The initial CID is CIDN =(MN ; N ) with N =1.
We write (M, ρ)[ε〉_c (M′, ρ′) and (M, ρ)[ε〉_c if one of the following cases applies:
(1) ε = t ∈ T, M[t〉M′, ρ′ equals ρ for those transitions enabled under M − ·t and is 1 for the other transitions enabled under M′.
(2) ε = (r), r ∈ R+, r ≤ min ρ, M′ = M, ρ′ = ρ − r.
Extending this definition to sequences, we get the set CFS(N) = {w | CID_N[w〉_c} of continuous firing sequences of N; the set CL(N) = {l(w) | w ∈ CFS(N)} is the continuous language of N, where we let l preserve time steps, i.e. l((r)) = (r).
Part 2 of this firing rule ensures that every transition that is enabled for one unit of time fires within that unit, but according to Part 1 it may also act faster. In fact, by only applying Part 1, we get L(N) ⊆ CL(N); additionally, the occurrence of time steps only changes ρ while the firing of transitions only depends on M as usual. Hence, deleting the time steps from all sequences in CL(N) we get exactly L(N). This shows that despite the time bound 1 we still deal with the full complexity of asynchronous systems; we have simply enriched the asynchronous behaviour by some timing information in an orthogonal way.
When transition t fires, it disables itself completely or re-enables itself with ρ-value 1, since we have required ·t ≠ ∅. Therefore, we can always fire transitions with ρ-value 0 until none is left and then let time progress according to Part 2; hence, as intuitively desirable, we avoid a time-stop.
Denition 3.2. For every w in CL(N ) resp. CFS(N ), (w) is the sequence of actions
resp. transitions in w, and (w) is the duration, i.e. the sum of time steps in w.
596 W. Vogler / Theoretical Computer Science 275 (2002) 589–631
To see whether a system N performs successfully in a testing environment O even
in the worst case, we have to check that in each run of N ‖O the success action ! is
performed at some given time D at the latest. To be sure that we have seen everything
that occurs up to time D, we only look at runs w with (w)¿D.
Denition 3.3. A net is testable if none of its transitions is labelled with !. A con-
tinuously timed test is a pair (O;D), where O is a net (the test net) and D∈R+0
(the test duration). A testable net N c-satis7es a continuously timed test (O;D)
(N mustc (O;D)), if each w∈CL(N ‖O) with (w)¿D contains some !. For testable
nets N1 and N2, we call N1 a continuously faster implementation of N2, N1c N2, if
N1 c-satis9es all continuously timed tests that N2 c-satis9es.
We speak of a faster implementation, since the implementation might satisfy more tests and, in particular, some test net within a shorter time. Note that N must_c (O, D) implies N must_c (O, D′) for all D′ ≥ D; hence, if N1 c-satisfies the same O as N2 but with a different time D, this must be a shorter time.
Since our timed testing approach deals with worst case behaviour, we are only interested in the slowest firing sequences; these sequences will decide the success of a timed test (O, D). It turns out that we can restrict attention to the discretized sublanguage of the continuous language, i.e. those w ∈ CL that contain only discrete time steps of one unit.
Denition 3.4. The d-continuous language of a net N is the subset of CL(N ) de9ned
as DCL(N )= {v∈CL(N ) | for all time steps (r) in v: r=1}. DCL(N ) is also gener-
ated by the suitably de9ned d-continuous 7ring sequences DCFS(N ). Analogously to
De9nition 3.3, we de9ne (discretely) timed testing: a timed test is a pair (O;D), where
O is a net and D∈N0. A testable net N d-satis7es such a test (O;D), N mustd(O;D),
if each v∈DCL(N ‖O) with (v)¿D contains some !, and write N1d N2 if for all
(O;D) we have N2 mustd(O;D)⇒N1 mustd(O;D).
We now show that for every w ∈ CFS we can find a v ∈ DCFS that has the same action sequence but is discrete in its time steps, starts with (1) and is slower. The sequence v is constructed from w by letting one time unit pass in v whenever the cumulated time in w exceeds the next natural number.
Lemma 3.5. For a net N there is for each w ∈ CFS(N) a v ∈ DCFS(N) starting with a (1)-time-step such that α(v) = α(w) and ζ(v) ≥ ζ(w).
Proof. We will construct for each w ∈ CFS(N) a suitable v ∈ DCFS(N) with α(v) = α(w) and ζ(v) ≥ ζ(w); furthermore, we will show that for CID_w = (M_w, ρ_w) and CID_v = (M_v, ρ_v) reached after w and v we have ρ_v + ζ(v) − ζ(w) ≥ ρ_w. Note that, as a consequence of α(w) = α(v), CID_w and CID_v coincide in their M-component. The proof is by induction on |w|, where for w = λ we can choose v = (1); note that ρ_v + ζ(v) − ζ(w) = 0 + 1 − 0 ≥ 1 = ρ_w.
Hence, assume that for w ∈ CFS(N) we have constructed v ∈ DCFS(N) as required and consider w′ = wε ∈ CFS(N). We denote the CIDs reached after w′ and the corresponding v′ by CID_w′ and CID_v′.
If ε ∈ T then v′ = vε ∈ DCFS(N) with α(v′) = α(v)ε = α(w)ε = α(w′) and ζ(v′) = ζ(v) ≥ ζ(w) = ζ(w′). The residual times ρ_w′ and ρ_v′ coincide with ρ_w and ρ_v or, for the newly activated transitions, are both equal to 1, and 1 + ζ(v′) − ζ(w′) = 1 + ζ(v) − ζ(w) ≥ 1.
Now let ε = (r), i.e. r ≤ ρ_w. If r ≤ ζ(v) − ζ(w) we choose v′ = v; obviously, α(v′) = α(w′) and ζ(v′) = ζ(v) ≥ r + ζ(w) = ζ(w′). Furthermore ρ_v′ + ζ(v′) − ζ(w′) = ρ_v + ζ(v) − ζ(w) − r ≥ ρ_w − r = ρ_w′. If on the other hand r > ζ(v) − ζ(w), we choose v′ = v(1). Since ρ_v + ζ(v) − ζ(w) ≥ ρ_w ≥ r > ζ(v) − ζ(w), we have ρ_v > 0 and ρ_v = 1 by v ∈ DCFS(N); thus, the time step (1) is enabled after v and v′ = v(1) ∈ DCFS(N) with α(v′) = α(w′). Furthermore, ζ(v′) = ζ(v) + 1 ≥ ζ(w) + r = ζ(w′) and ρ_v′ + ζ(v′) − ζ(w′) = 0 + ζ(v) + 1 − ζ(w) − r = ρ_v + ζ(v) − ζ(w) − r ≥ ρ_w − r = ρ_w′.
A similar result is shown in [26], namely that all the markings that can be reached in continuous time can also be reached in discrete time, and this in a setting where the time between enabling and firing of a transition t must be in a given interval [a_t, b_t] with a_t, b_t ∈ N0, compared to [0, 1] in our setting; whereas for us it is important that the continuous firing sequence is transformed to a longer discrete one (the length is rounded up to the next integer), this is of no concern in [26], where the length is rounded down to the previous integer.
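As an added example (not from the paper), the following Python carries out the construction in the proof of Lemma 3.5 on the level of sequences: it assumes that its input w is a valid continuous firing sequence, written as a list of transition names and time steps (r), and produces v. The bookkeeping of markings and residual times is omitted, so only the promised properties α(v) = α(w), ζ(v) ≥ ζ(w), the unit time steps and the rounding-up of the length are checked; the sample sequence and the names ts, duration, actions, discretize and lemma_holds are all constructed here.

```python
from fractions import Fraction
from math import ceil

# A continuous firing sequence is modelled as a list whose elements are transition names
# (strings) or time steps (r) given as exact rationals, so that sums of durations are exact.
# All sample sequences below are constructed for this example, not taken from the paper.

def ts(r):
    """A time step (r); in a CFS, 0 < r <= 1 because r never exceeds the minimal residual time."""
    r = Fraction(r)
    if not 0 < r <= 1:
        raise ValueError("time step must lie in (0, 1]")
    return r

def is_time_step(x):
    return isinstance(x, Fraction)

def duration(w):
    """zeta(w): the sum of the time steps in w."""
    return sum((x for x in w if is_time_step(x)), Fraction(0))

def actions(w):
    """alpha(w): w with all time steps deleted."""
    return [x for x in w if not is_time_step(x)]

def discretize(w):
    """The construction from the proof of Lemma 3.5. v starts with (1); transitions are copied;
    a time step (r) of w adds a (1) to v only if r exceeds zeta(v) - zeta(w), the time by
    which v is already ahead of w."""
    v = [ts(1)]
    zeta_w = Fraction(0)
    for x in w:
        if not is_time_step(x):
            v.append(x)                    # case eps = t: v' = v t
        else:
            if x > duration(v) - zeta_w:   # case r > zeta(v) - zeta(w): v' = v (1)
                v.append(ts(1))
            zeta_w += x                    # in both cases zeta(w') = zeta(w) + r
    return v

def lemma_holds(w):
    """Check the properties Lemma 3.5 promises for v = discretize(w)."""
    v = discretize(w)
    return (v[0] == 1
            and all(x == 1 for x in v if is_time_step(x))   # only unit time steps
            and actions(v) == actions(w)
            and duration(v) >= duration(w)
            and duration(v) == max(1, ceil(duration(w))))   # length rounded up to the next integer

SAMPLE_W = ["t", ts("0.3"), "u", ts("0.5"), ts("0.4"), "v"]   # constructed; zeta = 1.2

if __name__ == "__main__":
    print(discretize(SAMPLE_W))   # [Fraction(1, 1), 't', 'u', Fraction(1, 1), 'v']
    print(lemma_holds(SAMPLE_W))  # True
```

For SAMPLE_W the cumulated time of w passes 1 only at the third time step, so v receives its second (1) there; the first two steps of w are absorbed by the initial (1), which is why v is a full unit ahead of w at the start and never more than one unit ahead afterwards.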
Theorem 3.6. The relations ⊒_c and ⊒_d coincide.
Proof. For testable nets N1 and N2 we show N1 ⊒_c N2 ⇔ N1 ⊒_d N2.
“⇒”: Assume a timed test (O, D) that N1 does not d-satisfy. Since DCL(N1 ‖ O) ⊆ CL(N1 ‖ O), N1 does not c-satisfy (O, D) and by hypothesis N2 does not c-satisfy (O, D). Let ζ(w) > D for a w ∈ CL(N2 ‖ O) that contains no ω. Using Lemma 3.5, from w we construct a v ∈ DCL(N2 ‖ O) with ζ(v) ≥ ζ(w) > D that contains no ω either and conclude that N2 does not d-satisfy (O, D).
“⇐”: Assume a continuously timed test (O, D) that N1 does not c-satisfy. Then there is a w ∈ CL(N1 ‖ O) with ζ(w) > D that contains no ω. Using Lemma 3.5, we can find a v ∈ DCL(N1 ‖ O) with ζ(v) > D′ = ⌊D⌋ that contains no ω, i.e. N1 does not d-satisfy (O, D′). From N1 ⊒_d N2 we conclude that N2 does not d-satisfy (O, D′), i.e. there is a v′ ∈ DCL(N2 ‖ O) with ζ(v′) ≥ D′ + 1 > D that contains no ω. This v′ shows that N2 does not c-satisfy (O, D).
The construction of a DCFS-sequence from a CFS-sequence has made it very obvious that several transitions can occur at the same moment, i.e. without any time passing in between. In particular, a long sequence of events where one event causes the next could occur in zero time. Some readers might regard this as unrealistic. In contrast, we could require that between any two transitions a positive amount of time has to pass; this would not change the testing preorder, see [14].
We continue our transformation of the continuous language by slightly rewriting DCL to the discrete language DL. The main change is that we replace the residual time function ρ, which has only values in {0, 1}, by a set U of urgent transitions containing those transitions with ρ(t) = 0. We also write the time steps (1) as $ and assume, using Lemma 3.5, that all sequences start with a $; this initial $ is left implicit, i.e. it will actually be omitted.
Denition 3.7. An instantaneous description ID of a net is a pair (M;U ) consisting of
a marking M of N and a set U of urgent transitions. The initial ID is IDN =(MN ;UN )
with UN = {t |MN [t〉}.
We write (M;U )[〉(M ′; U ′) if one of the following cases applies:
1. = t ∈T; M [t〉M ′; U ′=U − ((·t)· ∪ ·ˆt),
2. = $; M =M ′; U = ∅; U ′= {t |M [t〉}.
The set DFS(N )= {w | IDN [w〉ID} is the set of discrete(ly timed) 7ring sequences
of N , the set DL(N )= {l(w) |w∈DFS(N )} is the discrete language of N containing
the discrete traces of N . As in De9nition 3.1, we let l preserve time steps, i.e. l($)= $.
We extend (w) to elements of DFS and DL in the obvious way, i.e. (w) is the
number of $’s in w. The behaviour inbetween two $′s is called a round.
A testable net N satis7es a timed test (O;D), N must(O;D), if each w∈DL(N ‖O)
with (w)¿D contains some !; we call a net N1 faster than a net N2, N1N2, if for
all (O;D) we have N2 must(O;D)⇒N1 must(O;D).
Again, Part 1 allows enabled transitions, urgent or not, to fire; hence, DL(N) includes the language of N and describes an asynchronous behaviour. U = ∅ in Part 2 requires that no urgent transition is delayed over the following $. Each enabled transition is urgent after $. Thus, a discrete trace is any ordinary trace subdivided into rounds by $’s such that no transition enabled at (i.e. immediately before) one $ is continuously enabled until after the next $.
The initial set U_N contains all initially activated transitions as we assume an (‘invisible’) (1)-time-step at the beginning of the sequence. When defining satisfaction of a test, we consider sequences v with ζ(v) ≥ D, because due to the invisible (1)-time-step these are the sequences with ζ(v) > D from the DCL-point of view.
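The following Python is an added example (not from the paper) that implements the basic firing rule of Section 2 and the discrete firing rule of Definition 3.7 for a net given as a dictionary, and then runs both versions of Fig. 1 through it: t with a loop on c, and t with a read arc to c (where t gets a marked place p of its own so that ·t ≠ ∅, as the general assumption requires). The net encoding, the names t, t2, c, d, p and the search function can_be_delayed are constructed for this example; can_be_delayed answers whether some discrete firing sequence with a given number of rounds avoids a transition, which is exactly the difference discussed above: with the loop t′ can be put off round after round, with the read arc it must fire in the first round.

```python
# Net encoding used in this example (constructed, not the paper's own):
#   net["T"]:  dict transition -> (preset, postset, readset), each a set of places
#   net["l"]:  dict transition -> action label; "" stands for the empty word (internal)
#   net["M0"]: initial marking, dict place -> 0/1 (all nets here are safe)

def enabled(net, M, t):
    """Basic firing rule: M[t> iff every place of ·t ∪ t^ carries a token."""
    pre, _post, read = net["T"][t]
    return all(M.get(s, 0) >= 1 for s in pre | read)

def fire(net, M, t):
    """M' = M + t· − ·t; places attached only by a read arc are left untouched."""
    pre, post, _read = net["T"][t]
    M2 = dict(M)
    for s in pre:
        M2[s] -= 1
    for s in post:
        M2[s] = M2.get(s, 0) + 1
    return M2

def disabled_by(net, t):
    """(·t)· ∪ (·t)^: every u (t itself included) that consumes or reads a place of ·t.
    Firing t disables exactly these transitions, at least momentarily."""
    pre = net["T"][t][0]
    return {u for u, (pre_u, _post_u, read_u) in net["T"].items() if pre & (pre_u | read_u)}

def urgent_after_timestep(net, M):
    """After a time step every enabled transition is urgent (Definition 3.7, case 2)."""
    return frozenset(u for u in net["T"] if enabled(net, M, u))

def initial_id(net):
    M = dict(net["M0"])
    return M, urgent_after_timestep(net, M)   # ID_N = (M_N, U_N)

def step(net, ID, eps):
    """One step (M, U)[eps>(M', U') of the discrete firing rule; None if eps is not possible.
    eps is a transition name or the time step '$'."""
    M, U = ID
    if eps == "$":
        # $ is allowed only if no urgent transition is left: U = ∅
        return None if U else (M, urgent_after_timestep(net, M))
    if not enabled(net, M, eps):
        return None
    return fire(net, M, eps), U - disabled_by(net, eps)

def label(net, w):
    """l lifted to sequences: internal transitions vanish, '$' is preserved."""
    return [x if x == "$" else net["l"][x] for x in w if x == "$" or net["l"][x] != ""]

def can_be_delayed(net, target, rounds):
    """True iff some discrete firing sequence with `rounds` time steps never fires `target`.
    Bounded depth-first search over the finitely many instantaneous descriptions."""
    seen, stack = set(), [(initial_id(net), 0)]
    while stack:
        (M, U), k = stack.pop()
        key = (frozenset(M.items()), U, k)
        if key in seen:
            continue
        seen.add(key)
        if k >= rounds:
            return True
        for eps in ["$"] + [u for u in net["T"] if u != target]:
            nxt = step(net, (M, U), eps)
            if nxt is not None:
                stack.append((nxt, k + (eps == "$")))
    return False

# Fig. 1 with a loop: t takes the token from c and puts it back, t2 consumes it.
LOOP_NET = {
    "T": {"t": ({"c"}, {"c"}, set()), "t2": ({"c"}, {"d"}, set())},
    "l": {"t": "a", "t2": "b"},
    "M0": {"c": 1, "d": 0},
}
# Fig. 1 with a read arc: t only reads c and loops on its own marked place p (·t ≠ ∅).
READ_NET = {
    "T": {"t": ({"p"}, {"p"}, {"c"}), "t2": ({"c"}, {"d"}, set())},
    "l": {"t": "a", "t2": "b"},
    "M0": {"c": 1, "d": 0, "p": 1},
}

if __name__ == "__main__":
    print("loop:     t2 can be delayed 3 rounds ->", can_be_delayed(LOOP_NET, "t2", 3))   # True
    print("read arc: t2 can be delayed 1 round  ->", can_be_delayed(READ_NET, "t2", 1))   # False
```

In the loop net, firing t removes both t and t2 from the urgent set, after which $ is possible and the game repeats, so t $ t $ t $ … is a discrete firing sequence; in the read-arc net, firing t removes only t itself, so t2 stays urgent, $ is blocked until t2 has fired, and no sequence reaches the first $ without it. Under the basic (untimed) firing rule the two nets have the same firing sequences, which is the remark made after Definition 3.1 in a concrete case.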
Theorem 3.8. The relations ⊒_c and ⊒ coincide.
Proof. By Theorem 3.6, we have to show that ⊒_d and ⊒ coincide. Since these relations are based on the same tests, it suffices to show that a testable net N d-satisfies (O, D) iff it satisfies (O, D). For this, in turn, it suffices to show that, for a net N and D ∈ N0, there exists some v ∈ DCFS(N) with ζ(v) > D not containing an ω-transition iff there exists some w ∈ DFS(N) with ζ(w) ≥ D not containing an ω-transition. By Lemma 3.5, we may assume that v starts with (1). Now it is not hard to see that w can be obtained from v by deleting the initial (1) and replacing every other (1) by $; this can be reversed to obtain v from w.
4. Characterization of the timed testing preorder
The test-preorder ⊒ formalizes observable difference in efficiency; referring to all possible tests, it is not easy to work with directly. Therefore, our aim is now to characterize ⊒ internally, i.e. by only looking at the nets themselves that are compared.
In the classical case [8], the must-testing preorder can be characterized using failure semantics which contains pairs (w, X) where w is an executable action sequence and X is a set of actions that can be refused by the system in some state reached after w. In a refusal trace this refusal information is also given for intermediate states encountered during execution of an action sequence [25]. Similarly, we replace the $’s in a discrete trace by sets of actions which now indicate the time-steps. Such a set contains actions that are not urgent when the time-step occurs; these actions are not possible or can at least be delayed, i.e. they can be refused at this moment. Note that our treatment of internal actions is very different from ordinary refusal traces; in particular, all internal actions must be refused, i.e. they must not be urgent when the time-step occurs. We call the resulting sequences i-refusal traces in agreement with Jenner and Vogler [14], since actions are instantaneous in our approach.
Denition 4.1. We write (M;U )[〉r(M ′; U ′) for instantaneous descriptions (M;U ) and
(M ′; U ′), if one of the following cases applies:
(1) = t ∈T; M [t〉M ′; U ′=U − ((·t)· ∪ ·ˆt),
(2) =X ⊆; M =M ′; U ′= {t |M [t〉}; ∀t ∈U : l(t) =∈X ∪{};
X is called a refusal set.
The corresponding sequences are called i-refusal 7ring sequences, their set is de-
noted by RFS(N ). RT (N )= {l(w) |w∈RFS(N )} is the set of i-refusal traces where
l(X )=X . If ID[w〉rID′, we write ID[l(w)〉〉rID′.
The RT-semantics is more detailed than the DL-semantics, since the occurrence of the refusal set Σ exactly corresponds to that of $: both are possible precisely when no transition is urgent.
Proposition 4.2. For nets N1 and N2, RT(N1) ⊆ RT(N2) implies DL(N1) ⊆ DL(N2).
A simple observation is the following.
Proposition 4.3. Let v ∈ RT(N) and let v′ be obtained from v by removing some refusal sets. Then v′ ∈ RT(N).
Proof. Deletion of a refusal set can only make the urgent set at this stage smaller, since only enabled transitions can be urgent and all of them are urgent after a refusal set. If some t or X can occur at some stage, it can also occur if the urgent set is smaller, and in this case the urgent set will be smaller or equal afterwards.
Now we want to show that the RT-semantics induces a congruence for parallel composition; for this, we define ‖A for i-refusal traces. Applying this operation, actions from A are merged, while others are interleaved. A combined transition (t1, t2) of some N1 ‖A N2 is enabled if t1 is enabled in N1 and t2 is enabled in N2; hence (t1, t2) is urgent only if t1 and t2 are urgent. Essentially due to this similarity between enabledness and urgency, refusal sets are combined as in ordinary failure semantics.
Denition 4.4. Let u; v∈ (∪P())∗, A⊆. Then u ‖A v is the set of all w∈
(∪P())∗ such that for some n we have u= u1 : : : un, v= v1 : : : vn, w=w1 : : : wn and
for i=1; : : : ; n one of the following cases applies:
(1) ui = vi =wi ∈A,
(2) ui =wi ∈ (− A) and vi = ,
(3) vi =wi ∈ (− A) and ui = ,
(4) ui; vi; wi⊆ and wi⊆ ((ui ∪ vi)∩A)∪ (ui ∩ vi).
In this de9nition, ’s are inserted into the decomposition of u and v to describe
the interleaving of actions from  − A. We also de9ne the parallel composition of
instantaneous descriptions.
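The operation $u \|_A v$ of Definition 4.4 on finite sequences, as an added Python example (this is not code from the paper). Actions are strings, refusal sets are frozensets, and a sequence is a tuple of both; the four cases are tried at every position, with memoization over the pair of positions. The two sample sequences and the synchronization sets are constructed here for illustration.

```python
from itertools import combinations
from functools import lru_cache

# Added example (not from the paper): u ||_A v on i-refusal traces,
# following the four cases of Definition 4.4.  Actions are strings,
# refusal sets are frozensets of strings.

def _subsets(s):
    """All subsets of a finite set, as frozensets."""
    items = sorted(s)
    return [frozenset(c) for k in range(len(items) + 1) for c in combinations(items, k)]

def par(u, v, A):
    """The set u ||_A v.

    At each position the two sequences either synchronise on the same action
    from A, let one side perform an action outside A while the other side
    contributes the empty word, or combine two refusal sets X1, X2 into any
    X with X ⊆ ((X1 ∪ X2) ∩ A) ∪ (X1 ∩ X2).  An action from A that only one
    side offers blocks, so the result may be empty."""
    A = frozenset(A)

    @lru_cache(maxsize=None)
    def rest(i, j):
        if i == len(u) and j == len(v):
            return frozenset({()})
        ui = u[i] if i < len(u) else None
        vj = v[j] if j < len(v) else None
        out = set()
        # case (1): synchronised action from A
        if isinstance(ui, str) and ui == vj and ui in A:
            out.update((ui,) + w for w in rest(i + 1, j + 1))
        # case (2): action of u outside A, v contributes the empty word
        if isinstance(ui, str) and ui not in A:
            out.update((ui,) + w for w in rest(i + 1, j))
        # case (3): action of v outside A, u contributes the empty word
        if isinstance(vj, str) and vj not in A:
            out.update((vj,) + w for w in rest(i, j + 1))
        # case (4): two refusal sets; the combined set is any subset of the bound
        if isinstance(ui, frozenset) and isinstance(vj, frozenset):
            bound = ((ui | vj) & A) | (ui & vj)
            for X in _subsets(bound):
                out.update((X,) + w for w in rest(i + 1, j + 1))
        return frozenset(out)

    return set(rest(0, 0))

# Constructed samples: u refuses b after a and then does c;
# v does d, then a, then refuses a.
U_SAMPLE = ("a", frozenset({"b"}), "c")
V_SAMPLE = ("d", "a", frozenset({"a"}))

if __name__ == "__main__":
    for A in ({"a", "b"}, {"a"}, {"a", "c"}):
        print(sorted(A), len(par(U_SAMPLE, V_SAMPLE, A)))
```

With $A = \{a, b\}$ the combined refusal set may contain $b$, because $b$ is a synchronized action that $u$ refuses; with $A = \{a\}$ only $a$ can be refused, since $b$ is now an action of $u$ alone and $v$ does not refuse it. With $A = \{a, c\}$ the result is empty: $c$ must be synchronized but only $u$ offers it.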
Denition 4.5. Let N1; N2 be nets, A⊆, and N =N1 ‖A N2. Let ID, ID1, ID2 be
reachable instantaneous descriptions of N , N1, N2, respectively. Then ID=(M;U ) is
the A-combination of ID1 = (M1; U1) and ID2 = (M2; U2) if
M ((s1; ∗)) = M1(s1) for s1 ∈ S1;
M ((∗; s2)) = M2(s2) for s2 ∈ S2;
U = ((U1 × {∗}) ∪ (U1 × U2) ∪ ({∗} × U2)) ∩ T:
The reason for the last equation is again that a synchronized transition is urgent iL
both its components are urgent. The following technical lemma is essential for proving
that we have de9ned ‖A appropriately for i-refusal traces. Its proof is easy, but lengthy
and therefore omitted.
Lemma 4.6. Let $N_1, N_2$ be nets, $A \subseteq{}$ , and $N = N_1 \|_A N_2$. Let $ID_1 = (M_1,U_1)$, $ID_2 = (M_2,U_2)$ and $ID = (M,U)$ be reachable instantaneous descriptions of $N_1$, $N_2$, $N$, respectively, such that $ID$ is the A-combination of $ID_1$ and $ID_2$.
(1) If $ID[{}\rangle_r$ in $N$ according to Definition 4.1(1) or (2), then there are ${}_1, {}_2$ such that $ID_1[{}_1\rangle_r$ in $N_1$, $ID_2[{}_2\rangle_r$ in $N_2$ and one of the following cases applies:
(a) ${} = (t_1,t_2)$, ${}_1 = t_1$, ${}_2 = t_2$, $l_1(t_1) = l_2(t_2) \in A$;
(b) ${} = (t_1,*)$, ${}_1 = t_1$, ${}_2 = {}$ , $l_1(t_1) \notin A$;
(c) analogously for ${} = (*,t_2)$;
(d) ${} = X$, ${}_1 = X_1$, ${}_2 = X_2$, $X \subseteq ((X_1 \cup X_2) \cap A) \cup (X_1 \cap X_2)$.
(2) Let $ID_1[{}_1\rangle_r$ and $ID_2[{}_2\rangle_r$ according to Definition 4.1(1) or (2).
(a) If ${}_1 = t_1$, ${}_2 = t_2$, $l_1(t_1) = l_2(t_2) \in A$, then $ID[{}\rangle_r$ with ${} = (t_1,t_2)$.
(b) If ${}_1 = t_1$, ${}_2 = {}$ , $l_1(t_1) \notin A$, then $ID[{}\rangle_r$ with ${} = (t_1,*)$.
(c) Analogously for ${}_2 = t_2$, $l_2(t_2) \notin A$.
(d) If ${}_1 = X_1$ and ${}_2 = X_2$, then $ID[{}\rangle_r$ for all ${} = X$ with $X \subseteq ((X_1 \cup X_2) \cap A) \cup (X_1 \cap X_2)$.
Furthermore, in both cases, if for these ${}, {}_1, {}_2$ we have that $ID[{}\rangle_r ID'$, $ID_1[{}_1\rangle_r ID_1'$, $ID_2[{}_2\rangle_r ID_2'$, then $ID'$ is the A-combination of $ID_1'$ and $ID_2'$.
This lemma implies in the usual fashion the following theorem, which gives us one half of the characterization given afterwards.
Theorem 4.7. For nets $N_1$ and $N_2$ and $A \subseteq{}$  we have
$$RT(N_1 \|_A N_2) = \bigcup \{u \|_A v \mid u \in RT(N_1),\ v \in RT(N_2)\}.$$
Theorem 4.8. Let $N_1$ and $N_2$ be testable nets. Then $N_1$  $N_2$ if and only if $RT(N_1) \subseteq RT(N_2)$.
Proof. “if”: Let $(O,D)$ be a timed test. By Theorem 4.7 and Proposition 4.2, $RT(N_1) \subseteq RT(N_2)$ implies $DL(N_1 \| O) \subseteq DL(N_2 \| O)$. Thus, if $N_1$ fails the test due to some $w \in DL(N_1 \| O)$, then so does $N_2$.
“only if”: In this proof upper indices are used; e.g. $a^2_1$ is an item with two indices in the following and not the string $a_1a_1$. We assume $N_1$  $N_2$ and take some
$$w = a^1_1 \dots a^1_{n_1} X^1 \dots a^k_1 \dots a^k_{n_k} X^k \in RT(N_1),$$
where $k, n_i \in \mathbb{N}_0$. (All i-refusal traces of $N_1$ can be extended to end with a set, hence it is enough to consider traces of this form.) We may assume that $X^j \subseteq l_1(T_1) \cup l_2(T_2)$, i.e. $X^j$ is finite ($j = 1,\dots,k$), since any $RT(N)$ is closed under addition and removal of actions that do not appear in $N$ at all to resp. from the refusal sets. We construct a test $(O,D)$ that a net fails if and only if it has $w$ as an i-refusal trace. Then $N_1$ fails $(O,D)$, hence $N_2$ does, and we are done. We choose $D = k+1$ and define $O$ as follows; see Fig. 2 for the case $w = ab\{x\}a\{y\}$.
$$S_O = \{s^j_i \mid j = 1,\dots,k+1,\ i = 0,1,2\} \cup \{s^{k+2}_1\} \cup \{s^j_{ai} \mid j = 1,\dots,k,\ i = 1,\dots,n_j+1\} \cup \{s^j_{rx} \mid j = 1,\dots,k,\ x \in X^j\},$$
$$T_O = \{t^j_i \mid j = 1,\dots,k+1,\ i = 0,1,2\} \cup \{t^{k+2}_1\} \cup \{t^j_{ai} \mid j = 1,\dots,k,\ i = 1,\dots,n_j\} \cup \{t^j_{rx} \mid j = 1,\dots,k,\ x \in X^j\}.$$
$O$ has arcs for the following pairs:
$(s^j_0, t^j_0)$, $j = 1,\dots,k+1$;
$(t^j_0, s^{j+1}_0)$, $j = 1,\dots,k$;
$(t^j_0, s^{j+1}_1)$, $j = 1,\dots,k+1$;
$(t^j_0, s^j_2)$, $j = 1,\dots,k+1$;
$(s^j_2, t^j_2)$, $j = 1,\dots,k+1$;
$(s^j_1, t^j_1)$, $j = 1,\dots,k+2$;
$(s^j_1, t^j_2)$, $j = 1,\dots,k+1$;
$(t^j_0, s^j_{a1})$, $j = 1,\dots,k$;
$(s^j_{ai}, t^j_{ai})$, $j = 1,\dots,k$, $i = 1,\dots,n_j$;
$(t^j_{ai}, s^j_{a(i+1)})$, $j = 1,\dots,k$, $i = 1,\dots,n_j$;
$(s^j_{a(n_j+1)}, t^j_2)$, $j = 1,\dots,k$;
$(t^j_0, s^{j+1}_{rx})$, $j = 1,\dots,k-1$, $x \in X^{j+1}$;
$(s^j_{rx}, t^j_{rx})$, $j = 1,\dots,k$, $x \in X^j$;
$(s^j_{rx}, t^{j+1}_2)$, $j = 1,\dots,k$, $x \in X^j$.
Fig. 2.
Initially, the places $s^1_0$, $s^1_1$ and $s^1_{rx}$ with $x \in X^1$ are marked. The labelling is as follows:
$l_O(t^j_0) = l_O(t^j_2) = {}$ , $j = 1,\dots,k+1$;
$l_O(t^j_1) = \omega$, $j = 1,\dots,k+2$;
$l_O(t^j_{ai}) = a^j_i$, $j = 1,\dots,k$, $i = 1,\dots,n_j$;
$l_O(t^j_{rx}) = x$, $j = 1,\dots,k$, $x \in X^j$.
The subnet consisting of the s^j_i, t^j_i with i = 0, 1, 2 for j = 1, …, k+1 and s^{k+2}_1, t^{k+2}_1 acts as a clock. It ends with an ω-transition (t^{k+2}_1), and in order to fail the test, the clock must proceed as slowly as possible but still respect the firing discipline, i.e. it must work with a fixed speed. Assume some N fails the test for D = k+1, i.e. k+1 rounds with k+1 $'s occur in N ‖ O, not counting the initial implicit $, in the following called the 0th $.
We now describe how such a failing discrete trace must look. First, consider the sequence of the s^j_0, t^j_0 with j = 1, …, k+1, finished by s^{k+2}_1, t^{k+2}_1. Before the (k+1)th $ occurs, t^{k+2}_1 must not be urgent, i.e. t^{k+1}_0 must fire after the kth $. Inductively, we see for j = k+1 down to 1 that t^j_0 must fire after the (j−1)th $. As t^1_0 is initially activated, it must fire before the first $. Inductively, t^j_0 must fire before the jth $. Altogether, t^j_0 must fire in the jth round.
As a result, $t^j_1$ is urgent in the jth round, for $j = 1,\dots,k+1$, and must be deactivated by $t^j_2$; since $s^j_2$ is only marked in the jth round, $t^j_2$ fires in the jth round.
The $t^j_{ai}$ are sequenced in between $t^j_0$ and $t^j_2$, and by the above argument, they all must fire in zero time in the jth round. By the synchronization discipline, $N$ must be able to perform $a^j_1 \dots a^j_{n_j}$ in round $j$.
The occurrence of some $t^j_{rx}$ would make $t^{j+1}_2$ impossible; hence, $t^j_{rx}$ does not fire but is urgent in round $j$ because $s^j_{rx}$ (for $j > 1$) was marked one round before. We conclude that $N$ must not offer an urgent $x$ at the end of round $j$, i.e. it can refuse $X^j$ at this stage.
In other words, as desired, $N$ must perform $w$ to fail the test $(O, k+1)$, and it will indeed fail the test if it performs $w$.
Observe that a faster system has fewer i-refusal traces, i.e. such a trace is a witness for slow behaviour; it is something ‘bad’ due to the refusal information it contains. Also observe that, for Theorem 4.8, we only need test nets without read arcs.
Corollary 4.9. Inclusion of RT-semantics (i.e. ) is fully abstract w.r.t. DL-inclusion and parallel composition of nets, i.e. it is the coarsest precongruence for parallel composition that respects DL-inclusion.
Proof. The proof follows from Proposition 4.2 and Theorems 4.7 and 4.8. Theorem 4.7 and Proposition 4.2 show that RT-inclusion is a precongruence that respects discrete-language inclusion. If $RT(N_1) \not\subseteq RT(N_2)$, then the proof of Theorem 4.8 exhibits a test net $O$ such that $DL(N_1 \| O) \not\subseteq DL(N_2 \| O)$. (If $N_1$ or $N_2$ contain the special action $\omega$, then its rôle in $O$ must be played by some other action $a$ not occurring in $N_1$ or $N_2$; consider $DL(N_i \|_{\ - \{a\}} O)$ in this case.)
As observed in [14], Theorem 4.8 essentially reduces  to an inclusion of regular languages; the only small problem is that the refusal sets $X$ can be arbitrarily large, but when comparing $N_1$ and $N_2$, it is obviously sufficient to draw these sets from the finite set $l_1(T_1) \cup l_2(T_2)$. Thus,  is in particular decidable, which is not obvious from the start, where we have an infinite (even uncountable) state space according to Definition 3.1. In the literature, similar results exist that reduce an infinite state space arising from the use of dense time to a finite one, starting with Alur and Dill [1]; but it seems that these results are not applicable to our setting.
The testing preorder  is also compatible with some other interesting operations for the construction of nets as system models, namely relabelling, hiding and restriction. We generalize here the respective result from [14] to nets with read arcs, mainly because we will also obtain a similar result for fair behaviour in the next section.
Denition 4.10. A relabelling function is a function f :∪{}→∪{} with f()
=  and f()⊆. The relabelling N [f] of N with relabelling function f is obtained
from N by changing the labelling from l to f ◦ l. We can extend a relabelling homo-
morphically to 9nite or in9nite sequences over .
Hiding a∈ in N means changing all labels a to ; it results in N=a. Similarly, w=a
is obtained from a 9nite or in9nite sequence w over  by removing all occurrences
of a.
Restricting a∈ in N means deleting all a-labelled transitions; it results in N\a.
Theorem 4.11.  is a precongruence w.r.t. relabelling, hiding and restriction. More precisely, for a net $N$, we have
• $RT(N[f]) = \{f(w_1)X_1 f(w_2)X_2 \dots f(w_n)X_n f(w_{n+1}) \mid w_1 f^{-1}(X_1) w_2 f^{-1}(X_2) \dots w_n f^{-1}(X_n) w_{n+1} \in RT(N)$, where $w_i \in{}\ ^*$, $X_i \subseteq{}\ \}$,
• $RT(N/a) = \{w_1/a\ X_1\ w_2/a\ X_2 \dots w_n/a\ X_n\ w_{n+1}/a \mid w_1(X_1 \cup \{a\}) w_2(X_2 \cup \{a\}) \dots w_n(X_n \cup \{a\}) w_{n+1} \in RT(N)$, where $w_i \in{}\ ^*$, $X_i \subseteq{}\ \}$,
• $RT(N \backslash a) = \{w_1 X_1 w_2 X_2 \dots w_n X_n w_{n+1} \mid w_1(X_1 - \{a\}) w_2(X_2 - \{a\}) \dots w_n(X_n - \{a\}) w_{n+1} \in RT(N)$, where $w_i \in (\ - \{a\})^*$, $X_i \subseteq{}\ \}$.
Proof. The RT-semantics of a net is constructed from the i-refusal firing sequences of this net. For the case of relabelling, firing a transition $t$ in such a sequence gives rise to the action $l(t)$ in $N$ and $f(l(t))$ in $N[f]$. At some $ID$ reached along such a sequence, no urgent transition has a label in $X \cup \{{}\}$ in $N[f]$ if and only if no urgent transition has a label in $f^{-1}(X) \cup \{{}\}$ in $N$. This proves the case of relabelling; hiding is very similar, since it can be seen as a relabelling that turns $a$ into . Also restriction is not much different; observe that in $N \backslash a$, $a$ always may (but does not have to) be refused, even if $N$ in a corresponding $ID$ has an urgent $a$-transition.
To check the testing preorder we have defined, it is often helpful to use the following forward simulation.
Definition 4.12. For nets $N_1$ and $N_2$, a relation $S$ between some ID's of $N_1$ and some of $N_2$ is a (forward) simulation from $N_1$ to $N_2$, if the following hold:
(1) $(ID_{N_1}, ID_{N_2}) \in S$,
(2) If $(ID_1, ID_2) \in S$ and $ID_1[t\rangle_r ID_1'$ or $ID_1[X\rangle_r ID_1'$, then for some $ID_2'$ with $(ID_1', ID_2') \in S$ we have $ID_2[l_1(t)\rangle\!\rangle_r ID_2'$ or $ID_2[X\rangle\!\rangle_r ID_2'$. Observe that these moves from $ID_2$ to $ID_2'$ may involve several transitions.
The following theorem is straightforward; compare e.g. [19] for a similar result and a survey on the use of simulations; note that a simulation does not have to exist in each case where $N_1$  $N_2$.
Theorem 4.13. If there exists a simulation from $N_1$ to $N_2$, then $N_1$  $N_2$.
As a first application of simulations, we have a look at two modifications of nets concerned with read arcs.
Definition 4.14. A trivial-read modification of a net $N$ is obtained by adding a new marked place $s$ and read arcs from $s$ to some transitions. A read-to-rewrite modification of $N$ is obtained by replacing a read arc $(s,t)$ by a loop, i.e. by the two arcs $(s,t)$ and $(t,s)$.
Theorem 4.15. If a net $N_2$ is a trivial-read modification of a net $N_1$, then $N_1$ and $N_2$ are RT-equivalent, i.e. $N_1$  $N_2$ and $N_2$  $N_1$. If $N_2$ is a read-to-rewrite modification of $N_1$, then $N_1$  $N_2$.
Proof. In the first case, we can relate an ID $(M_1,U_1)$ of $N_1$ to an ID $(M_2,U_2)$ of $N_2$ if $M_2$ equals $M_1$ except for an additional token on the respective place $s$ and $U_1 = U_2$. This relation and its inverse are obviously simulations.
In the second case, we relate $(M_1,U_1)$ to $(M_2,U_2)$ if $M_1 = M_2$ and $U_1 \supseteq U_2$. This is a simulation: a set $X$ enabled under $(M_1,U_1)$ is certainly also enabled if the urgent set is smaller, and performing such a set leads to identical ID's; both ID's enable the same transitions, and firing a transition $t$ changes the marking in the same way in both nets and disables all transitions in $N_2$ that are disabled in $N_1$; note that $t$ might disable more transitions in $N_2$ if it is on a new loop.
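The firing rule of Definition 4.1 and the read-arc comparison of Theorem 4.15, as an added Python example (this is not code from the paper). It assumes safe nets with markings as sets, encodes the internal label as None, takes the initial urgent set to be all initially enabled transitions (the "initial implicit $" of the proof of Theorem 4.8), and reads the term $\widehat{{}^\bullet t}$ in Definition 4.1(1) as the transitions with a read arc from a place of ${}^\bullet t$. The nets $N_1$ (read arc) and $N_2$ (its read-to-rewrite modification) are constructed here; refusal sets are drawn from the finite alphabet $\{a, b\}$, as the remark after Corollary 4.9 allows. The enumeration is bounded by a trace length, which is enough to exhibit the inclusion $RT(N_1) \subseteq RT(N_2)$ on the bounded sets and a trace that separates the two nets; it also checks Proposition 4.3 on the enumerated traces.

```python
from collections import deque
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Added example (not code from the paper).  Safe nets with read arcs; markings
# are frozensets of places.  A label is a string or None, where None stands for
# the paper's internal label (assumption about the encoding).

@dataclass(frozen=True)
class Transition:
    name: str
    pre: frozenset          # preset  •t (tokens consumed)
    post: frozenset         # postset t• (tokens produced)
    read: frozenset         # read set t^ (tokens only checked)
    label: Optional[str]

@dataclass(frozen=True)
class Net:
    transitions: tuple
    initial: frozenset      # initial marking M_N

def enabled(M, t):
    return t.pre <= M and t.read <= M

def fire(M, t):
    return (M - t.pre) | t.post

def initial_id(net):
    """Initial instantaneous description (M_N, U).  Assumption: because of the
    initial implicit $, every initially enabled transition starts out urgent."""
    M = net.initial
    return (M, frozenset(t for t in net.transitions if enabled(M, t)))

def step_transition(net, ID, t):
    """Definition 4.1(1).  Firing t removes from U every transition that consumes
    or reads a token of •t (our reading of (•t)• together with the hat term):
    such transitions were not continuously enabled, so they stop being urgent."""
    M, U = ID
    if not enabled(M, t):
        return None
    lost = {u for u in net.transitions if (u.pre & t.pre) or (u.read & t.pre)}
    return (fire(M, t), U - lost)

def step_refusal(net, ID, X):
    """Definition 4.1(2).  X may be refused only if no urgent transition is internal
    or labelled with an action of X; afterwards every enabled transition is urgent."""
    M, U = ID
    if any(t.label is None or t.label in X for t in U):
        return None
    return (M, frozenset(t for t in net.transitions if enabled(M, t)))

def refusal_traces(net, alphabet, max_len):
    """All i-refusal traces of length <= max_len, with refusal sets drawn from the
    subsets of the given finite alphabet."""
    alpha = sorted(alphabet)
    subsets = [frozenset(c) for k in range(len(alpha) + 1) for c in combinations(alpha, k)]
    seen, traces = set(), set()
    queue = deque([((), initial_id(net))])
    while queue:
        trace, ID = queue.popleft()
        if (trace, ID) in seen:
            continue
        seen.add((trace, ID))
        traces.add(trace)
        if len(trace) == max_len:
            continue
        for t in net.transitions:
            nxt = step_transition(net, ID, t)
            if nxt is not None:  # internal transitions do not extend the trace
                queue.append((trace if t.label is None else trace + (t.label,), nxt))
        for X in subsets:
            nxt = step_refusal(net, ID, X)
            if nxt is not None:
                queue.append((trace + (X,), nxt))
    return traces

def example_nets():
    """Constructed nets.  In N1, t checks the marked place c via a read arc and u
    reads c as well; N2 is the read-to-rewrite modification of N1 (Definition 4.14):
    the read arc (c, t) becomes the loop of arcs (c, t) and (t, c)."""
    u = Transition("u", frozenset({"s"}), frozenset({"v"}), frozenset({"c"}), "b")
    t_read = Transition("t", frozenset({"p"}), frozenset({"q"}), frozenset({"c"}), "a")
    t_loop = Transition("t", frozenset({"p", "c"}), frozenset({"q", "c"}), frozenset(), "a")
    M0 = frozenset({"p", "s", "c"})
    return Net((t_read, u), M0), Net((t_loop, u), M0)

def compare(max_len=3):
    """Returns (RT(N1) ⊆ RT(N2) on bounded traces, RT(N2) − RT(N1))."""
    N1, N2 = example_nets()
    rt1 = refusal_traces(N1, {"a", "b"}, max_len)
    rt2 = refusal_traces(N2, {"a", "b"}, max_len)
    return rt1 <= rt2, rt2 - rt1

def closed_under_set_removal(net, alphabet, max_len):
    """Proposition 4.3 on the enumerated traces: dropping refusal sets keeps a trace."""
    traces = refusal_traces(net, alphabet, max_len)
    for tr in traces:
        positions = [i for i, x in enumerate(tr) if isinstance(x, frozenset)]
        for k in range(1, len(positions) + 1):
            for drop in combinations(positions, k):
                if tuple(x for i, x in enumerate(tr) if i not in drop) not in traces:
                    return False
    return True

if __name__ == "__main__":
    inclusion, extra = compare()
    print("RT(N1) ⊆ RT(N2):", inclusion)
    print("some traces of the loop version only:", sorted(map(str, extra))[:5])
```

The separating trace is $a\{b\}$: after $a$, the transition $u$ (which reads $c$) stays urgent in $N_1$, so $b$ cannot be refused; in $N_2$ the loop takes the token from $c$ while $t$ fires, $u$ loses its urgency, and $b$ may be refused one round later. This is the "strictly faster" case mentioned after the theorem.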
This theorem shows that read arcs are faster than loops (in many cases, they are strictly faster, but not always). This result is intuitively plausible, hence it also increases the plausibility of our approach. An additional check for the presence of an always existing token with a read arc does not influence the performance of the system; doing the same with a loop might slow the system down. Jenner and Vogler [14] define a sequentialization of a net $N$ as a net obtained by adding a new marked place $s$ and loops between $s$ and two transitions; it is shown that $N$ is faster than each sequentialization, and this result can be seen as a corollary to Theorem 4.15.
Jenner and Vogler [14] also consider two other operations on nets, which add an internal initialization or make a transition last longer by splitting it in two; both operations are shown to slow a system down. Since the splitting of a transition has to deal with read arcs, we will also consider it here.
Denition 4.16. An elongation of N is obtained by choosing a transition t, adding a
new unmarked place s and a new -labelled transition t′ with ·t′= {s} and t′ · = t ·
and, 9nally, rede9ning t · by t · := {s}.
Thus, when splitting t into two parts, the 9rst part checks the read set and empties
the preset (performing the same action as t), while the second part produces the new
tokens.
Theorem 4.17. If a net N2 is an elongation of a net N1; then N1N2.
Proof. We simply relate each ID (M1; U1) of N1 to itself. (Here, we regard M1 as
a set, i.e. M1 as a marking of N2 leaves the new place s empty.) Firing of t in
N1 is simulated by 9ring tt′ in N2, which changes the ID in the same way in both
nets.
5. A precongruence for fair behaviour
As explained in the introduction, we have to consider fairness in order to specify what a solution to the MUTEX-problem is. We will determine a compositional semantics suitable for dealing with fairness, and we will relate fairness to the DL-semantics our efficiency testing is based on. With this result, we can give another argument why our theory deals with arbitrary asynchronous systems, despite our assumption of an upper time bound for actions.
Fairness (in the sense of weak fairness or progress assumption) requires that a continuously enabled activity should eventually occur. Continuous enabledness means that the respective ‘processor’ and all other resources are always available, and in a parallel system such an independent processor will certainly act eventually. Thus, fairness is met automatically; it does not have to be implemented; see [10] for more on fairness. The DL- and DFS-semantics require that a continuously enabled activity should occur within one round, so this is very close to fairness.
Fairness is satisfied in general by infinite runs only; hence, we now extend the definition of firing sequences, discrete firing sequences etc. to infinite sequences in the obvious way and also take into account that an infinite run should take infinite time (otherwise we would have an unrealistic Zeno-run).
Definition 5.1. An infinite sequence is an infinite firing sequence of a net $N$ if all its finite prefixes are firing sequences of $N$; similarly, infinite discrete and infinite i-refusal firing sequences are defined. If the image of an infinite firing sequence is infinite, it is an infinite trace.
A progressing firing sequence is an infinite discrete firing sequence with infinitely many $'s; we denote their set by PFS(N). The image of such a sequence is a progressing trace, and their set is the progressing language denoted by PL(N). Analogously, a progressing refusal sequence is an infinite i-refusal firing sequence with infinitely many refusal sets; we denote their set by PRFS(N). The image of such a sequence is a progressing refusal trace, and their set is denoted by PRT(N).
For a progressing firing sequence or trace v, (v) is obtained by deleting all $'s in v. (In case of a progressing trace v, (v) is its action sequence.) Similarly, (v) is obtained from a progressing refusal trace v by deleting all refusal sets in v.
Note that a trace without further qualification is always a finite trace; should the image of an infinite firing sequence be finite, then it is already the image of a finite prefix, hence a trace.
First, let us observe the connection between our testing approach, which considers only finite i-refusal traces, and the infinite progressing refusal traces. Since we only deal with finite nets, we can show with König's Lemma that RT and PRT are equally expressive.
Lemma 5.2. Let $w$ be an infinite sequence over  $\cup P(\ )$ having infinitely many occurrences of sets. Then $w \in PRT(N)$ if and only if every finite prefix of $w$ is in $RT(N)$. Similarly, for a sequence w with infinitely many $'s, w ∈ PL(N) if and only if every finite prefix of w is in DL(N).
Proof. The only-if part of the first paragraph being obvious, we show the if-part. We construct a graph with vertices (v, ID), where v is a prefix of w and ID_N[v〉〉_r ID, and with edges ((v, ID_1), (v”, ID_2)) whenever ” ∈  ∪ P( ) and ID_1[”〉〉_r ID_2. Since N only has finitely many ID's, this graph is clearly locally finite, but infinite. By König's Lemma, it has an infinite path, which demonstrates the firability of w.
The second paragraph now follows, since a discrete trace can be regarded as a special i-refusal trace if we interpret $ as .
Lemma 5.3. Each i-refusal trace of a net $N$ can be extended to a progressing refusal trace of $N$. Each trace or discrete trace of $N$ can be extended to a progressing trace of $N$.
Proof. From the ID reached by an i-refusal trace, one can fire urgent transitions as long as possible; firing an urgent transition removes it from the set U, hence we can eventually add the refusal set  and repeat this. A trace can be regarded as a special discrete trace, and a discrete trace can be regarded as a special i-refusal trace if we interpret $ as ; in the same way, a progressing trace can be regarded as a special progressing refusal trace.
Theorem 5.4. For all nets $N_1$ and $N_2$, $RT(N_1) \subseteq RT(N_2)$ if and only if $PRT(N_1) \subseteq PRT(N_2)$. Furthermore, $DL(N_1) \subseteq DL(N_2)$ if and only if $PL(N_1) \subseteq PL(N_2)$.
Proof. The if-parts are true, since every i-refusal trace can be extended to a progressing refusal trace by Lemma 5.3. The only-if parts follow from Lemma 5.2.
We can also translate Proposition 4.3 to an infinite version using Lemma 5.2.
Proposition 5.5. Let $v \in PRT(N)$ and let $v'$ be obtained from $v$ by removing some refusal sets such that infinitely many remain. Then $v' \in PRT(N)$.
A finite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \dots M_n$ is called fair if $M_n$ is a deadlocked marking. For an infinite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \dots$, we have to be careful when considering the effect of loops and read arcs. The classical definition, compare [10], would call such a sequence fair if we have: if some transition $t$ is enabled under all $M_i$ for $i$ greater than some $j$, then $t = t_i$ for some $i > j$. With this definition, an infinite sequence of $t$'s would not be fair in the net of Fig. 6 at the end of Section 6, since $t'$ is enabled under all states reached, but never occurs. This would be adequate if $t$ were on a read arc instead of a loop, but in Fig. 6 the sequence should be fair: $t'$ is not continuously enabled, since every occurrence of $t$ disables it momentarily, compare [28, 33]; one could even say that the resource needed by $t'$ is nearly always in use. Thus, we will require in the definition of fairness that a continuously enabled $t$ is enabled also while each $t_i$ with $i > j$ is firing. For this, we have to keep in mind that a read arc does not consume a token.
Definition 5.6. For a transition $t$, a finite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \dots M_n$ is called t-fair if $M_n$ does not enable $t$. An infinite firing sequence $M_N[t_0\rangle M_1[t_1\rangle M_2 \dots$ is called t-fair if we have: if $t$ is enabled under all $M_i - {}^\bullet t_i$ for $i$ greater than some $j$, then $t = t_i$ for some $i > j$.
A finite or infinite firing sequence is fair if it is t-fair for all transitions $t$ of $N$; we denote the set of these sequences by $FairFS(N)$. The fair language of $N$ is the set $Fair(N) = \{v \mid v = l(w) \text{ for some } w \in FairFS(N)\}$ of fair traces.
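The case distinction of Definition 5.6, as an added Python example (this is not code from the paper). Infinite firing sequences are represented as a prefix followed by a cycle that returns to its starting marking; for such a sequence, $t$ is enabled under all $M_i - {}^\bullet t_i$ from some point on exactly when it is enabled under $M_i - {}^\bullet t_i$ at every position of the cycle. The nets are constructed here after the description of Fig. 6 in the text (the figure itself is not on this page): $t$ keeps a place $p$ busy and checks $c$ either with a loop or with a read arc, and $t'$ consumes $c$. In the loop version an infinite sequence of $t$'s is fair; in the read-arc version it is unfair to $t'$, which is exactly the distinction the definition is designed to make.

```python
from dataclasses import dataclass

# Added example (not code from the paper): t-fairness of Definition 5.6 for
# finite and for eventually periodic infinite firing sequences prefix·cycle^ω.
# Safe nets, markings as frozensets of places; read arcs do not consume tokens.

@dataclass(frozen=True)
class Transition:
    name: str
    pre: frozenset                  # •t
    post: frozenset                 # t•
    read: frozenset = frozenset()   # read set t^

def enabled(M, t):
    return t.pre <= M and t.read <= M

def fire(M, t):
    return (M - t.pre) | t.post

def markings_along(M0, seq):
    """M_0, M_1, ..., M_n along a finite transition sequence; None if it cannot fire."""
    Ms = [M0]
    for t in seq:
        if not enabled(Ms[-1], t):
            return None
        Ms.append(fire(Ms[-1], t))
    return Ms

def unfair_to(transitions, M0, prefix, cycle=()):
    """Names of the transitions t for which the sequence is NOT t-fair.

    Finite sequence (empty cycle): t-fair iff the final marking does not enable t.
    Infinite sequence prefix·cycle^ω: t-fair iff t occurs in the cycle, or t is not
    enabled under M_i − •t_i at some position of the cycle (this then recurs
    infinitely often, so t is not continuously enabled in the sense of the definition)."""
    Ms = markings_along(M0, tuple(prefix) + tuple(cycle))
    if Ms is None:
        raise ValueError("not a firing sequence")
    if not cycle:
        return {t.name for t in transitions if enabled(Ms[-1], t)}
    start = len(prefix)
    if Ms[start] != Ms[-1]:
        raise ValueError("cycle does not return to its starting marking")
    bad = set()
    for t in transitions:
        if t in cycle:
            continue
        # the markings M_i − •t_i while each t_i of one period fires
        continuously = all(enabled(Ms[start + k] - cycle[k].pre, t) for k in range(len(cycle)))
        if continuously:
            bad.add(t.name)
    return bad

def is_fair(transitions, M0, prefix, cycle=()):
    return not unfair_to(transitions, M0, prefix, cycle)

def fig6_like_nets():
    """Constructed after the Fig. 6 discussion: t occupies p and checks c via a loop
    (token consumed and returned) or via a read arc; t' consumes c."""
    t_prime = Transition("t'", frozenset({"c"}), frozenset({"d"}))
    t_loop = Transition("t", frozenset({"p", "c"}), frozenset({"p", "c"}))
    t_read = Transition("t", frozenset({"p"}), frozenset({"p"}), frozenset({"c"}))
    M0 = frozenset({"p", "c"})
    return (t_loop, t_prime), (t_read, t_prime), M0

if __name__ == "__main__":
    loop_net, read_net, M0 = fig6_like_nets()
    print("loop version, t^omega fair:", is_fair(loop_net, M0, (), (loop_net[0],)))
    print("read-arc version, t^omega unfair to:", unfair_to(read_net, M0, (), (read_net[0],)))
```

The empty sequence is unfair in both nets because the initial marking enables $t$ and $t'$; firing $t'$ once gives a finite sequence that is fair, since neither transition is enabled afterwards.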
Now we relate our semantics with upper time bound to fairness:
Theorem 5.7. (i) A finite or infinite firing sequence $w$ of a net $N$ is fair if and only if $w = {}$(u) for some progressing firing sequence $u$.
(ii) $Fair(N) = \{v \mid \exists u \in PL(N): v = {}$(u)$\}$.
Proof. (i) In a progressing firing sequence we have for each round and each transition: the transition occurs in this round, or it is not enabled initially, i.e. not in the set U, or it is not enabled under M − •t when it is removed from U. Since we have infinitely many rounds, deletion of all $'s gives a fair firing sequence.
A finite fair firing sequence can be extended with infinitely many $'s to give a progressing firing sequence. So let M_N[t_0〉M_1[t_1〉M_2 … be a fair infinite firing sequence. We extend the markings to ID's and incrementally add $'s to get a progressing firing sequence. Initially and after each inserted $, fairness gives for each transition: it is not enabled now, hence not in U, or it is removed from U when it occurs later in the sequence or when it is not enabled under some later M_i − •t_i. Thus, U will always be empty eventually and we can always insert another $.
(ii) Directly from (i).
Corollary 5.8. Each trace of a net $N$ can be extended to a fair trace of $N$.
Proof. Lemma 5.3 and Theorem 5.7(i).
Next we will determine the coarsest precongruence for parallel composition that respects fair-language-inclusion; this is just the right relation if we want to build systems compositionally and are interested in the fair language. Theorems 5.10 and 5.11 were to my knowledge first obtained by Gold [11] and surveyed in [32, p. 69]. We improve the original results by allowing read arcs and loops; also, Gold considered safe nets where ${}^\bullet t \neq \emptyset$ for all transitions $t$ (as we do), but allowed unsafe nets with isolated transitions (i.e. with ${}^\bullet t = \emptyset = t^\bullet$) as environments in the proof of Theorem 5.11; this is improved, too.
Definition 5.9. A net $N_1$ is a fair implementation of a net $N_2$ if $Fair(N_1 \|_A N) \subseteq Fair(N_2 \|_A N)$ for all $A \subseteq{}$  and nets $N$.
For a net $N$, the fair failure semantics is the set of the fair refusal pairs defined by $FF(N) = \{(v,X) \mid X \subseteq{}\ $ and $v = l(w)$ for some, possibly infinite, firing sequence $w$ that is t-fair for all transitions $t$ with $l(t) \in X \cup \{{}\}\}$.
The motivation for this definition is as follows: assume $N_1$ is a fair implementation of the specification $N_2$, $N_2$ is a component of a parallel system and we replace this component by $N_1$; then we will get only fair behaviour that is allowed by $N_2$, i.e. that is possible when $N_2$ is used.
The intuition for $(v,X) \in FF(N)$ is that all actions in $X$ can be refused when $v$ is performed, in the sense that fairness does not force performance of these actions. This is essentially (up to divergence, i.e. infinite internal runs) the same intuition as for ordinary failure semantics: after a finite run, fairness forces the performance of some enabled action while all others can be refused.
Extending Definition 4.4 to infinite sequences over , one can show:
Fig. 3.
Theorem 5.10. For nets $N_1$ and $N_2$ and $A \subseteq{}$  we have
$$FF(N_1 \|_A N_2) = \{(w,X) \mid \exists (w_i,X_i) \in FF(N_i),\ i = 1,2:\ w \in w_1 \|_A w_2 \text{ and } X \subseteq ((X_1 \cup X_2) \cap A) \cup (X_1 \cap X_2)\}.$$
Proof. The proof proceeds along the lines of the proof of Theorem 4.7. The essential observation is: if $M_1 \dot\cup M_2[(t_1,t_2)\rangle$ in $N_1 \|_A N_2$, then $(M_1 \dot\cup M_2) - {}^\bullet(t_1,t_2)$ enables $(t_1',t_2')$ if and only if $(M_1 - {}^\bullet t_1)[t_1'\rangle$ and $(M_2 - {}^\bullet t_2)[t_2'\rangle$ (where ${}^\bullet * = \emptyset$ and $*$ is always enabled).
A tricky detail for the proof of the reverse inclusion should be mentioned: assume $l(t_1',t_2') = a \in X_1 \cap A$ and $(t_1',t_2')$ is for some firing sequence enabled under all $(M_{1i} \dot\cup M_{2i}) - {}^\bullet(t_{1i},t_{2i})$ for $i = 1,\dots$. Then $t_1'$ is enabled under all $M_{1i} - {}^\bullet t_{1i}$ and $t_1' = t_{1j}$ for some $j$ by fairness. This is a contradiction, since $t_1'$ is not enabled under $M_{1j} - {}^\bullet t_1'$.
Now we come to the compositionality result we have been aiming for.
Theorem 5.11. (i) For nets $N_1$ and $N_2$, $N_1$ is a fair implementation of $N_2$ if and only if $FF(N_1) \subseteq FF(N_2)$.
(ii) Inclusion of FF-semantics is fully abstract w.r.t. fair-language inclusion and parallel composition of nets in the sense of Corollary 4.9.
Proof. (i) The if-part is clear from Theorem 5.10 and because $v \in Fair(N)$ iff $(v,{}\ ) \in FF(N)$. For the only-if part, let $A = l_1(T_1) \cup l_2(T_2)$, $x \in{}\ - A$ and $(v,X) \in FF(N_1)$, where again we assume $X \subseteq A$. The environment net $N$ has parts for each $a$ occurring in $v$ and each $a \in X$ (see Fig. 3). If $a$ occurs $m \in \mathbb{N}$ times in $v$, $N$ contains a chain of $m$ $a$-transitions (as shown in Fig. 3 for $m = 3$); if $b$ occurs infinitely often in $v$, $N$ contains a $b$-transition on a loop; for $c \in X$, $N$ contains a $cx$-chain (see Fig. 3). Obviously, $N$ can perform $v$ without using the $cx$-chains such that all $d \in{}\ - X$ are treated fairly, i.e. $(v,{}\ - X) \in FF(N)$. Hence, $(v,{}\ ) \in FF(N \|_A N_1)$ and $v \in Fair(N \|_A N_1) \subseteq Fair(N \|_A N_2)$, thus $(v,{}\ ) \in FF(N \|_A N_2)$. Applying Theorem 5.10 again, there must exist a suitable $(v,Y) \in FF(N)$, where in particular we must have $x \in Y$ since $x \notin A$. Thus, $N$ must perform $v$ without using any of the $c$-transitions from the $cx$-chains; the maximal set $Y$ for this case is  $- X$, i.e. we must have $(v,X) \in FF(N_2)$.
(ii) Follows from Part (i) and Theorem 5.10, analogously to Corollary 4.9.
The second part of this theorem shows that we can exchange a component by a fair implementation of it also in contexts built by applying several $\|_A$, possibly with different sets $A$.
The following relation to our testing approach will also be useful in the next section.
Theorem 5.12. For a net $N$, $(v,X) \in FF(N)$
• if and only if there is some $w \in PRT(N)$ such that $v = {}$(w) and, for each $x \in X$, there is some suffix of $w$ where $x$ is in all refusal sets;
• if and only if there is some $w \in PRT(N)$ such that $v = {}$(w) and all refusal sets equal $X$.
Proof. Observe that it is enough to consider finite $X$, namely $X \subseteq l(T)$. Now the proof for the first characterization is more detailed, but essentially the same as the proof of Theorem 5.7.
Some $w$ satisfying the second characterization also satisfies the first one. Vice versa, some $w$ satisfying the first characterization has some suffix where all refusal sets contain $X$ by finiteness of $X$; hence, we can reduce these to $X$ and with Proposition 5.5 remove the others.
Corollary 5.13. FF-inclusion is decidable.
Proof. Let nets $N_1$ and $N_2$ be given. By definition, for any $Y \subseteq{}$  with $Y \cap (l_1(T_1) \cup l_2(T_2)) = \emptyset$ and $i = 1,2$, we have $(w,X) \in FF(N_i)$ if and only if $(w, X \cup Y) \in FF(N_i)$. Hence, to check $FF(N_1) \subseteq FF(N_2)$, we can just as well check $(w,X) \in FF(N_1) \Rightarrow (w,X) \in FF(N_2)$ for each of the finitely many $X \subseteq l_1(T_1) \cup l_2(T_2)$ separately. For each such $X$ and $i = 1,2$, we can consider the finite automaton $\mathcal{A}$ with the reachable ID's of $N_i$ as states and $\{(ID_1, l_i(t), ID_2) \mid t \in T_i,\ ID_1[t\rangle_r ID_2 \text{ in } N_i\} \cup \{(ID_1, X, ID_2) \mid ID_1[X\rangle_r ID_2 \text{ in } N_i\}$ as transition relation; $\{w \mid (w,X) \in FF(N_i)\}$ equals by Theorem 5.12 $\{w \mid \exists v \in PRT(N_i): w = {}$(v) and all refusal sets in $v$ equal $X\}$, and this set is essentially Büchi recognizable by $\mathcal{A}$. Now the result follows since inclusion of Büchi recognizable languages is decidable; see e.g. [31].
Corollary 5.14. PRT-inclusion (and thus RT-inclusion) implies PL-inclusion (and thus DL-inclusion) and FF-inclusion, which all in turn imply fair-language-inclusion. If $N_1$ is faster than $N_2$, then $N_1$ is a fair implementation of $N_2$.
Proof. The first sentence follows from Theorem 5.4, Proposition 4.2, Theorem 5.7(ii) and the last two theorems. The second part now follows with Theorems 4.8 and 5.11.
We have argued above that, by assuming a time bound of 1 for each action, we have added timing information to the asynchronous behaviour in an orthogonal way such that we still have a theory of general asynchronous systems. Now we can more fully argue why it is no restriction of generality to consider only asynchronous systems where there is a fixed time bound on the delay of actions.
Fig. 4.
Usually, one explains ‘asynchronous’ by ‘actions may delay arbitrarily’. In such systems, the delay may even be infinite. A suitable behaviour notion would be the language (from which we could deduce the infinite traces as in Lemma 5.2); hence, we could call $N_1$ an infinite-delay (infd-)implementation of $N_2$ if $L(N_1 \|_A N) \subseteq L(N_2 \|_A N)$ for all $A \subseteq{}$  and nets $N$. After the above considerations, it should be easy to see that this is the same as $L(N_1) \subseteq L(N_2)$. In particular, the empty net infd-implements every other net. And indeed, each net has the choice to delay every activity forever, and in an implementation we can decide for any choice offered by the specification.
This approach is realistic, but not very useful. (But note that a faster implementation is also an infd-implementation, since the language of $N$ simply is the set of all $v \in RT(N)$ that contain no set.) Therefore, it is generally agreed to assume arbitrary, but finite delays, which is also intuitively plausible. Under this assumption, the behaviour should be described by the fair language, and implementations can be characterized by the FF-semantics as we have seen. Observe that now the empty net is not a universal implementation: it has  as fair trace, which is for most nets not the case. It should be clear that, in this approach, we only consider the functionality of systems, i.e. which actions are performed, but that we cannot study the efficiency.
To compare the efficiency, we have to introduce a time bound on the delay. This is a refinement of the finite-delay approach: if $N_1$ is a faster implementation of $N_2$, then it is also a fair implementation. If we exchange $N_2$ for a faster $N_1$ in a parallel composition and the full system violates the time bound, we can obviously forget all considerations of speed, but at least the new system will functionally still be correct by Corollary 5.14.
Let us reconsider the three modifications of nets defined in the last section. If $N_2$ is a trivial-read modification of a net $N_1$, then $N_1$ and $N_2$ are RT-equivalent by Theorem 4.15, hence also fair implementations of each other. If $N_2$ is a read-to-rewrite modification or elongation of $N_1$, then $N_1$ is faster than, hence a fair implementation of, $N_2$. For the first operation, the two nets are clearly language equivalent, since the transition firing rule treats loops and read arcs just the same; but $N_2$ does not have to be a fair implementation of $N_1$: Fig. 4 shows a net $N_1$ where the read-to-rewrite modification, but not $N_1$, has an infinite sequence of $a$'s as fair trace. Finally, we have the following result for elongation.
Theorem 5.15. If a net $N_2$ is an elongation of a net $N_1$, then $N_1$ and $N_2$ are fair implementations of each other.
Proof. Since N1 is faster than N2, it is also a fair implementation of N2. Assume t
was split introducing the new transition t′ and the new place s. Each fair refusal pair
of N2 arises from a 9ring sequence w which is fair to all internal transitions. Let w′
be obtained by deleting all occurrences of t′ in such a w. We will show that, if w
is additionally fair to some transition t1 = t′, then w′ is, too—and since t1 could be
internal, thus also to all internal transitions. Then, w and w′ give rise to the same fair
refusal pairs.
Since w is t′-fair, each occurrence of t is followed by one of t′. The markings reached along w and w′ are essentially equal; of course, there is no place s in N1, but apart from this difference, we might only have that in N1 all places of t· are marked while they are empty in N2. This shows that w′ can be fired in N1.
If t occurs only finitely often in w, then w and w′ coincide on a suffix and so do the markings reached along this suffix, i.e. w′ is also t1-fair. Hence, assume t occurs infinitely often in w. If (·t ∪ t·) ∩ (·t1 ∪ t1·) = ∅, then t1 is not enabled while t fires, thus w′ is t1-fair. Otherwise, the markings reached along w and w′ coincide on ·t1, hence w′ is t1-fair because w is.
We can also show easily that FF-inclusion gives a precongruence for relabelling,
hiding and restriction.
Corollary 5.16. FF-inclusion is a precongruence w.r.t. relabelling, hiding and restriction. More precisely, for a net N we have:
• FF(N[f]) = {(f(w), X) | (w, f⁻¹(X)) ∈ FF(N)};
• FF(N/a) = {(w/a, X) | (w, X ∪ {a}) ∈ FF(N)};
• FF(N\a) = {(w, X) | (w, X − {a}) ∈ FF(N), where w does not contain a}.
Proof. By Lemma 5.2, the PRT-semantics of N[f], etc. can be determined from the PRT-semantics of N as in Theorem 4.11. Using the second characterization of Theorem 5.12, the results now follow.
It is also interesting to note how FF-semantics treats divergence, i.e. infinite internal evolutions or (in our model) firing sequences. Ordinary failure semantics regards divergence as catastrophic; for a definition in a Petri net setting, see the FD-semantics of [32, p. 27]. Let DIV be a net consisting of a marked place and an internal transition tDIV on a loop with this place. In ordinary failure semantics, every net implements DIV, since DIV is an immediate catastrophe and everything is better than that. Even more, for any net N, DIV and N ‖∅ DIV are equivalent. This is adequate in a sequential setting, where N ‖∅ DIV runs on a single processor: executing N ‖∅ DIV, this processor might in the worst case choose to run DIV first, hence N ‖∅ DIV is just as bad as DIV. If N ‖∅ DIV is a distributed system, then DIV and N run independently of each other; since DIV has no visible behaviour, an adequate theory should regard N and N ‖∅ DIV as equal. This is the case for FF-semantics.
Proposition 5.17. For all nets N, FF(N) = FF(N ‖∅ DIV).
Proof. If a firing sequence w gives rise to (v, X) ∈ FF(N), we can insert infinitely many tDIV into w to show (v, X) ∈ FF(N ‖∅ DIV).
Vice versa, if a firing sequence w gives rise to (v, X) ∈ FF(N ‖∅ DIV), then we can simply remove all tDIV from w to show (v, X) ∈ FF(N).
We close this section by giving an alternative formulation for the FF-semantics. (v, X) ∈ FF(N) means that N can perform v in such a way that all internal actions and all actions in X are treated fairly. Hence, (v, X) ∉ FF(N) means that either N cannot perform v in such a way that all internal actions are treated fairly or it can, but whichever way it performs v, it treats some action in X unfairly. The latter means that some x ∈ X is continuously enabled from some point onward; if N is on its own, it certainly performs such an x; as a component of a larger system, N simply offers such an x. We therefore define:
Denition 5.18. If for a net N and some (v; X )∈∗×P() we have (v; X ) =∈FF(N ),
then we say that N surely oCers (some action of) X along v.
This is similar to a reformulation often used in the case of ordinary failure semantics: if (v, X) is not in the failure semantics of N, then one says that N after v must X. In our case, if N surely offers X along v and, in a run of a composed system, N as a component performs v while the environment offers in this run each action in X, then some action in X will be performed in this run. A special case of this observation is the only-if-part of the following proposition, which will be applied in Proposition 7.7 below.
Proposition 5.19. Let X ⊆ I ⊆, N1 and N2 be nets with transition labels in I ∪{} and let w be a finite or infinite sequence such that N1 surely offers {x} along w for all x ∈ X and N1 does not surely offer ∅ along w (i.e. (w, ∅) ∈ FF(N1)). Then N2 surely offers X along w if and only if N1 ‖I N2 surely offers X along w.
Proof. (w, ∅) ∈ FF(N1) means that N1 can perform w being fair to all internal transitions; in particular, w is a sequence over I and, therefore, w ∈ u ‖I v iff u = v = w. With this fact we show the proposition by contraposition.
If (w, X) ∈ FF(N2), then (w, ∅) ∈ FF(N1) implies (w, X) ∈ FF(N1 ‖I N2) by Theorem 5.10. On the other hand, if (w, X) ∈ FF(N1 ‖I N2), then there exist Y and Z such that (w, Y) ∈ FF(N1), (w, Z) ∈ FF(N2) and X ⊆ Y ∪ Z. Since (w, {x}) ∉ FF(N1) for each x ∈ X, we get X ∩ Y = ∅ and X ⊆ Z, from which we conclude (w, X) ∈ FF(N2).
6. First results on expressiveness of read arcs
In this section, we will give some first results on the expressiveness of read arcs considering examples without a specific meaning. A much more general result concerning a meaningful example will be given in the next section. We start with a lemma.
Lemma 6.1. Let N be an ordinary net, t a transition, w a finite or infinite firing sequence and B ⊆ ∪{}; let us call a transition with label in B a B-transition.
(i) If w is not fair to t, then we can write w as w1w′1 such that w1w2tw3 is a firing sequence whenever w′1 = w2w3.
(ii) Whenever w = w1w2, then we can insert B-transitions into w2 to get w′2 such that w1w′2 is a firing sequence and fair to all B-transitions.
Proof. (i) Take a prefix w1 such that MN [w1〉 M1 [w′1〉 and t is continuously enabled while w′1 occurs. This means that ·t is marked under all markings reached along w′1, and for all t′ in w′1 we have ·t ∩ ·t′ = ∅. Hence, for any M1 [w2〉 M2 [w3〉 with w′1 = w2w3 we have M2 [tw3〉.
(ii) In this proof, i-refusal firing sequences seem to be a useful tool. We can regard w as an i-refusal firing sequence and will turn it into a suitable progressing refusal firing sequence. For this, assume we have already constructed an i-refusal firing sequence vv′ (where initially w1 = v and w2 = v′); we will subdivide v′ into v′1v′2 such that v′1 is nonempty whenever v′ is, and insert B-transitions into v′1 to get v′′1 such that vv′′1 B v′2 is again an i-refusal firing sequence.
Repeating this construction with vv′′1 B as new v and v′2 as new v′, we always extend the v-part to contain more and more transitions of w; finally, we get a progressing refusal firing sequence u containing all transitions of w such that (u) is fair to all B-transitions; this can be seen as in the first paragraph of the proof of Theorem 5.7(i). This (u) can serve as w1w′2.
It remains to show the construction step, so assume that vv′ is given. If some B-transition t is in all U-components of the IDs reached along v′, then (vv′) is not fair to t and we can insert t into v′ as in (i). Since firing t removes it from the U-component, we can insert finitely many B-transitions into a finite prefix v′1 of v′ (where v′1 can be chosen to be nonempty if v′ is) such that the U-component after the new v′′1 does not contain a B-transition. Hence, we have found vv′′1 B v′2 as desired.
Our first result shows that no ordinary net can have the same fair language as the net with read arc shown in Fig. 4; by 5.14, this implies that no ordinary net can have the same discrete traces or the same progressing traces, etc. Note that the net in Fig. 4 has each a^n b, n ∈ N0, but not a^ω as fair trace, and it cannot perform an a after a b. (Here and sometimes later on we use ω also to denote the smallest infinite ordinal; this should not give rise to confusion.) This net can be interpreted as giving some kind of priority to b: b, but not necessarily a, will certainly occur eventually. But recall that this priority does not have to be implemented; b occurs simply because it is continuously enabled and therefore progresses at some stage. In terms of discrete traces, b, but not necessarily a, will certainly occur in the first round; still, several a's can occur before b, but only if they happen very quickly.
Fig. 5.
Proposition 6.2. Let N be an ordinary net such that only a and b occur in fair traces and a^n b ∈ Fair(N) for infinitely many n ∈ N0. Then some a^n b a w ∈ Fair(N), n ∈ N0, or a^ω ∈ Fair(N).
Proof. Assume that N is a counterexample. Then we have a^n ∈ L(N) for all n ∈ N0. Since N has only finitely many markings, we can find some m > 0, k and M such that MN [a^k〉 M [a^m〉 M. Hence, a^ω is an infinite trace of N, and by Lemma 6.1(ii) with B = {a, }, we even have (a^ω, {a}) ∈ FF(N). By assumption a^ω ∉ Fair(N), thus each firing sequence underlying a^ω is unfair to some b-transition t. By Lemma 6.1(i), we can insert this t, hence some a^n b a^ω is an infinite trace of N. Now a^n b a can be extended to some a^n b a w ∈ Fair(N) by Corollary 5.8, a contradiction.
This result shows that read arcs add expressiveness that ordinary loops do not have. In fact, we can show that ordinary loops are not needed in nets with read arcs. We formulate this result in terms of RT-semantics, which gives the finest equivalence we consider in this paper.
Proposition 6.3. For each net N, there is a net N′ without loops such that RT(N) = RT(N′).
Proof. The proof is by induction on the number of places that are on a loop (not on the number of loops), i.e. we have to show how to get rid of such a place s (compare Fig. 5). For this, we add a new empty place s′ and duplicate each transition t with s ∈ ·t ∪ t̂. Each duplicate t′ has the same label as the original t and is connected in N′ with all places different from s and s′ just as t is in N and in N′.
(1) If t is on a loop with s in N, then we have arcs (s, t), (t, s′), (s′, t′) and (t′, s) in N′.
(2) If we have the arc (s, t) in N but not the reverse arc, then we add the arc (s′, t′).
(3) If (s, t) is a read arc in N, then we add a read arc (s′, t′).
It is not too difficult to see that indeed RT(N) = RT(N′). For this, observe that under the reachable markings of N′ we have at most one token on s and s′ together, and we get just the reachable markings of N by moving the token from s′ to s if there is such a token. A marking of N′ enables either t or t′ (if it exists) if and only if t is enabled in N under the corresponding marking; firing such enabled transitions in N and N′
updates the markings in corresponding ways. Finally, the occurrence of a transition or its duplicate (if it exists) disables t or t′ (if it exists) in N′ if and only if the transition disables t in N, i.e. the urgent sets are updated in corresponding ways, too.

Fig. 6.
From this result, it might seem that we should simply reinterpret ordinary loops as read arcs, i.e. live without ordinary loops and drop the additional R-component in a net. There are several reasons against this. First, this different interpretation of loops contradicts the traditional view, which would become clearer when defining steps or net-processes: two transitions on loops with the same place cannot occur simultaneously in one step, two transitions connected to the same place with read arcs could; in net-processes, one can see graphically how a transition removes a token from a loop place and puts it back again, and some effort is needed to define a suitable notion of net-process for nets with read arcs, see [21]. Second, this traditional view of loops is certainly often adequate: if two activities need the same processor, this is most adequately modelled by two transitions accessing a common loop-place. The activities cannot occur together; if one takes place, the other has to wait a little, and this is just how we treat loops here. Third, the construction above makes nets much larger: a net with n transitions and m places might be transformed into a net with 2^m·n transitions, since each elimination step may duplicate every transition incident to the eliminated place. Fourth, at least on the level of fair firing sequences (and thus also on the level of i-refusal firing sequences, etc.), loops have expressivity of their own; we prove that no net without loops has the same fair firing sequences as the one shown in Fig. 6.
Proposition 6.4. If N is a net without loops and with transitions t and t′ such that some t′w, tt′v ∈ FairFS(N), then t^ω ∉ FairFS(N).
Proof. Consider any place s ∈ (·t ∪ t̂) ∩ (·t′ ∪ t̂′). Since t′ is enabled after t, we get s ∈ t̂ ∪ t·; hence, since there are no loops, t does not remove a token from s (t and s are on a read arc, or s is only an output place of t). Therefore, the occurrence of t does not disable the initially enabled t′, and t^ω is not fair to t′.
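The distinction between loops and read arcs that Propositions 6.2–6.4 rest on, and the loop-elimination step of Proposition 6.3, can be made executable. The following Python is an added example, not code from the paper: it models safe nets with read arcs, decides whether a periodic run is unfair to a transition (enabled throughout the cycle and never deprived of a token it needs, so the progress assumption would force it to occur), and implements one induction step of the Proposition 6.3 construction. The nets READ and LOOP are an assumed reconstruction of Fig. 4 and of its read-to-rewrite modification, since the figure is not reproduced here: one marked place p, a transition a that only reads p, and a transition b that consumes it. Under read arcs a^ω leaves b continuously enabled, so the run is unfair to b; under the loop, each a momentarily takes the token and the same run is fair. Eliminating the loop place then yields a loop-free net whose reachable markings agree with LOOP once the token on p′ is moved back to p.

```python
"""Petri nets with read arcs: firing rule, fairness of periodic runs, loop elimination.
Added example, not code from the paper.  Nets are assumed safe (a marking is the set of
marked places, each holding at most one token)."""
from collections import deque


class Net:
    """transitions: name -> (pre-set, post-set, read-set); marking: set of marked places."""

    def __init__(self, transitions, marking):
        self.t = {n: tuple(frozenset(x) for x in arcs) for n, arcs in transitions.items()}
        self.m0 = frozenset(marking)

    def enabled(self, t, m):
        pre, _, read = self.t[t]
        return (pre | read) <= m            # a read arc only tests for a token

    def fire(self, t, m):
        pre, post, _ = self.t[t]
        assert self.enabled(t, m), f"{t} not enabled"
        return (m - pre) | post             # a read arc neither removes nor restores a token

    def disables(self, u, t):
        """Firing u takes a token that t needs, i.e. from a pre-place or a read place of t.
        A loop transition does this and restores the token afterwards; a reader does not."""
        pre_t, _, read_t = self.t[t]
        return bool(self.t[u][0] & (pre_t | read_t))

    def has_loops(self):
        return any(pre & post for pre, post, _ in self.t.values())

    def reachable(self):
        seen, todo = {self.m0}, deque([self.m0])
        while todo:
            m = todo.popleft()
            for t in self.t:
                if self.enabled(t, m):
                    m2 = self.fire(t, m)
                    if m2 not in seen:
                        seen.add(m2)
                        todo.append(m2)
        return seen

    def unfair_to(self, prefix, cycle):
        """Transitions to which the run prefix·cycle^ω is unfair: enabled at every marking of
        the cycle and never disabled by a firing in it, so progress would force them to occur.
        The cycle must return to its starting marking."""
        m = self.m0
        for t in prefix:
            m = self.fire(t, m)
        start, steps = m, []
        for t in cycle:
            steps.append((m, t))
            m = self.fire(t, m)
        assert m == start, "cycle does not return to its marking"
        return {t for t in self.t if t not in cycle      # cycle transitions occur infinitely often
                and all(self.enabled(t, mk) and not self.disables(u, t) for mk, u in steps)}


def eliminate_loop_place(net, s, s2):
    """One induction step of Proposition 6.3: remove every loop through place s by adding an
    empty place s2 and duplicating each transition that consumes or reads s (copy named t')."""
    new = {}
    for n, (pre, post, read) in net.t.items():
        new[n] = (pre, post, read)
        if s in pre and s in post:          # (1) loop: t now moves s -> s2, t' moves s2 -> s
            new[n] = (pre, (post - {s}) | {s2}, read)
            new[n + "'"] = ((pre - {s}) | {s2}, post, read)
        elif s in pre:                       # (2) plain input arc: t' consumes from s2 instead
            new[n + "'"] = ((pre - {s}) | {s2}, post, read)
        elif s in read:                      # (3) read arc: t' reads s2 instead
            new[n + "'"] = (pre, post, (read - {s}) | {s2})
    return Net(new, net.m0)


# Constructed stand-in for the net of Fig. 4 (assumed structure; the figure is not reproduced
# here): place p is initially marked, a only reads p, b consumes it.  LOOP is the
# read-to-rewrite modification, in which a removes the token from p and puts it back.
READ = Net({"a": ((), (), ("p",)), "b": (("p",), (), ())}, {"p"})
LOOP = Net({"a": (("p",), ("p",), ()), "b": (("p",), (), ())}, {"p"})


def fig4_unfair():
    """Transitions treated unfairly by a^ω in the read-arc net and in its loop version."""
    return READ.unfair_to((), ("a",)), LOOP.unfair_to((), ("a",))


def loop_elimination_check():
    """Apply the Proposition 6.3 step to LOOP and check: no loops remain, the reachable
    markings agree once the token on p' is moved back to p, and the run (a a')^ω is fair."""
    elim = eliminate_loop_place(LOOP, "p", "p'")
    merge = lambda m: frozenset("p" if q == "p'" else q for q in m)
    same_reach = {merge(m) for m in elim.reachable()} == LOOP.reachable()
    return elim.has_loops(), same_reach, elim.unfair_to((), ("a", "a'"))


if __name__ == "__main__":
    print("a^ω unfair to", fig4_unfair())           # ({'b'}, set()): only the read-arc net starves b
    print("loop elimination:", loop_elimination_check())
```

The `disables` test is where the two semantics part: a loop transition has the shared place in its pre-set and so counts as momentarily disabling every other transition that needs that place, while a reader has an empty pre-set there. Running `fig4_unfair()` returns `({'b'}, set())`, and `loop_elimination_check()` returns `(False, True, set())`.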
7. Two token-passing MUTEX-processes
In this section, we will show how useful, in fact necessary, read arcs are to achieve mutual exclusion. Both our processes pass an access-token around, and mutual exclusion is guaranteed since only the owner of the token is allowed to access the critical section. Our first process will be a modification of the Petri net solution MUTEX0 in Fig. 7 given in [15], which is a translation of Dijkstra's Token-Ring [9] for the case of two users. The first user has priority, i.e. owns the access-token lying on p1. This user can repeatedly request access with r1, enter the critical section with e1 (marking
c1) and leave it with l1. The second user misses the access-token (m2 is marked); if she requests access, she has to order the token by marking o2, and now the first user might grant the token by marking g2.

Fig. 7.
For MUTEX0 to work properly, Kindler and Walter [15] assume fairness in general: for example, if the internal transition ordering the token is enabled, it has to fire eventually, since otherwise the token will never be passed and the requesting user will never enter the critical section. As usual, MUTEX0 is seen as 'code', which has to be inserted into the code of the users; e.g. the r1-transition is the first user requesting access. Since the first user should not be obliged to request, Kindler and Walter [15] have a special class of 'weak' transitions for which fairness is not assumed. This concept is not needed in our view.
We see a net such as MUTEX0 as a scheduler, a separate component guaranteeing mutual exclusion. The interface to this component is I = {r1, e1, l1, r2, e2, l2}; the user processes are put in parallel with such a MUTEX-process using ‖I, they issue their requests to it and are then allowed to enter the critical section. In this view, the r1-transition is the MUTEX-process offering the possibility to request; if this offer is not used, then, technically, time can pass in an i-refusal trace without r1 ever occurring, namely with refusal sets not containing r1. Thus, all visible transitions are 'weak' in the sense of Kindler and Walter [15], since they only occur if the users, i.e. the environment, take part. On the other hand, internal transitions become urgent and have to occur if time goes on.
Our view seems to be very beneficial as a clean way to deal with the question of what users do while being non-critical; they may e.g. communicate with each other and even run into deadlocks; it is not completely clear whether this is allowed in the usual view. In our view, it obviously is allowed, but we do not have to deal with it explicitly, since such a behaviour is not part of the MUTEX-process. The obligation to prove that a user can indeed request becomes obvious in our view; this obligation is often ignored, see also below. Considering independent MUTEX-processes is particularly adequate for the examples we treat here: the internal activities that pass the access-token need some processes independent of the users anyway.
Fig. 8.
Fig. 9.
If, in MUTEX0, the second user orders the access-token, the first user could repeatedly enter the critical section and disable the granting transition at the same time; thus, fairness is not enough to guarantee that the token will be passed eventually. Kindler and Walter [15] therefore require a restricted form of strong fairness by introducing 'fair arcs' (like the one from p1 to the granting transition). We will show that, using read arcs, strong fairness is not needed at all.
Our first MUTEX-process MUTEX1 is a modification of MUTEX0 and is shown in Fig. 8. Here, the places oi are complemented and e.g. the upper e1-transition checks with a read arc that the token has not been ordered. This check does not disable the ordering transition (i.e. the upper right-hand internal transition); so, if the latter is enabled and time progresses, then it will order the token, which now cannot be used by the owner to enter the critical section again and will be passed eventually.
While in MUTEX1 the token has to be ordered, it is passed automatically in
MUTEX2 shown in Fig. 9 if it has been used or is not needed. The check whether
the token is needed or not is performed by the read arcs from nc1 and nc2. In [27], a
solution similar to MUTEX2 is attributed to Le Lann.
In MUTEX1 and MUTEX2, we will call the r1-labelled transition simply r1 and
similarly for l1, r2, l2, e1 and e2, where in the latter two cases we add ‘the lower’ or
‘the upper’ if necessary.
Denition 7.1. We call a 9nite or in9nite sequence over I = {r1; e1; l1; r2; e2; l2} legal
if ri, ei and li only occur cyclically in this order for i=1; 2.
We will now argue in our setting that MUTEX2 is correct, omitting the similar arguments for MUTEX1. MUTEX2 ensures that the users follow the right protocol, i.e. that only legal sequences are performed. But we will not require this in our definition of what a correct MUTEX-process is: illegal sequences can only occur if the users want to perform them, i.e. make a mistake. Making the requirements for a correct MUTEX-process weaker makes, at least in principle, our impossibility result below stronger.
Correctness consists of a safety and a liveness requirement. Safety requires that never both users are in their critical sections at the same time. For MUTEX2 this is easy: if one user enters, then he must leave before another enter is possible, since we always have exactly one token on the places c1, p1, p2 and c2. (This set is an S-invariant, see e.g. [29].) Liveness, i.e. whenever a user wishes to enter he will be able to do so eventually, is more difficult and requires us to assume fairness. First, we have to make sure that a user may always perform a request.
Proposition 7.2. Let w ∈ I* ∪ I^ω be legal and i ∈ {1, 2}. Then either ri occurs in w and each li is followed by another ri, or MUTEX2 surely offers {ri} along w.
Proof. By definition, MUTEX2 surely offers {ri} along w if MUTEX2 cannot be fair to all internal transitions when performing w. So assume that MUTEX2 performs w and is fair to all internal transitions. Initially, or when li is performed, ri gets enabled. If it is not fired, it will stay enabled continuously, since no other transition (in particular none of the internal transitions) can disable it; then, MUTEX2 is not fair to ri.
This proposition says that if the ith user, being part of the environment O, tries to request (enables an ri-transition) at a proper moment (initially or after leaving, i.e. when he is not already requesting or in the critical section) and does not withdraw (does not disable the transition again), then the request will be performed, because otherwise it would be enabled continuously in the complete system MUTEX2 ‖I O, violating fairness. Recall how the refusal sets of fair refusal pairs are composed according to Theorem 5.10: the complete system is fair, i.e.  is refused, only if one of the components refuses ri. An alternative proof using progressing refusal traces instead of fair refusal pairs shows that in fact the request will occur at the latest in the next round after enabling.
Similarly, we can show that a user that enters and then wants to leave will do so, in fact in the present or next round.
Proposition 7.3. Let w ∈ I* ∪ I^ω be legal and i ∈ {1, 2}. Then each ei in w is followed by an li, or MUTEX2 surely offers {li} along w.
Observe that MUTEX2 can show a behaviour where some ei is not followed by li; since MUTEX2 offers li in such a behaviour, this can only happen when the user is not willing to leave, and this is a misbehaviour on the part of the user.
The most difficult part is to show that a requesting user will eventually enter; here, we must require that a requesting user is indeed willing to enter and also that a user that enters is willing to leave after a while. Since, by the last proposition, willingness to leave is enough to ensure that this happens indeed, we can restrict attention to sequences where each ei is followed by li. For such a sequence we show that each requesting user will enter unless some user has requested but is not willing to enter. In other words, if some users request access but do not enter, then MUTEX2 offers at least one of them to enter; this user misbehaves by not accepting this offer.
Proposition 7.4. Let w ∈ I* ∪ I^ω be legal such that each ei is followed by li. Then either each ri is followed by ei, or MUTEX2 surely offers X along w, where X consists of those ei for which some ri in w is not followed by ei.
Proof. Again, we look at a case where MUTEX2 fires w being fair to all internal transitions. Assume that, say, some r1 is not followed by e1 in w. Recall that the places c1, p1, p2 and c2 together always contain exactly one token. After firing r1, neither nc1 nor c1 is marked. (Also nc1, c1 and req1 form an S-invariant.) Hence, p1, p2 or c2 is marked.
If p1 is marked, only the enabled e1 can empty this place; since e1 is not fired, MUTEX2 is not fair to e1, i.e. it surely offers X. If c2 is marked, then the last e2 will be followed by l2 by assumption on w, which marks p1, and we are done again.
It remains the case that p2 is marked, which gives two subcases. Either nc2 is marked and r2 does not fire. Then t will fire since MUTEX2 is fair to all internal transitions, so that we are back in the case where p1 is marked. Otherwise, since c2 is empty, we have that req2 is marked or will be marked. Once it is marked, e2 gets enabled. Now either it fires, bringing us back to the case where c2 is marked, or the last occurrence of r2 is not followed by e2 and MUTEX2 is not fair to e2.
We now come to the main result regarding the expressiveness of read arcs.
Denition 7.5. We call a net MUTEX with transition labels in I ∪{} a correct
MUTEX-process, if MUTEX satis9es safety, i.e. e- and l-transitions only occur al-
ternatingly in a trace that is legal, and satis9es liveness, i.e. Propositions 7:2–7:4.
Theorem 7.6. (i) MUTEX2 is a correct MUTEX-process.
(ii) If N is a correct MUTEX-process, then N has read arcs.
Proof. (i) Direct from the above.
(ii) Assume to the contrary that N has no read arcs. We first demonstrate that, due to liveness, N has to allow the infinite repetition of r1e1l1.
We apply Lemma 6.1(ii) with B = {} to the empty sequence and conclude that (ε, ∅) ∈ FF(N). By Proposition 7.2, N is not fair to an r1-labelled transition when performing ε, i.e. we can apply Lemma 6.1(i) to insert r1 and then Lemma 6.1(ii) to conclude (r1, ∅) ∈ FF(N). By Proposition 7.4, N is not fair to an e1-labelled transition when performing r1, i.e. we can apply Lemma 6.1 twice to insert e1 after(!) r1 and conclude (r1e1, ∅) ∈ FF(N). By Proposition 7.3, N is not fair to an l1-labelled transition when performing r1e1, i.e. we can apply Lemma 6.1 again to conclude (r1e1l1, ∅) ∈ FF(N). Repetition of this construction gives us for u = (r1e1l1)^ω that (u, ∅) ∈ FF(N).
Applying Proposition 7.2 and Lemma 6.1 to this u shows that we can insert r2 into this sequence and make it fair again to internal transitions; finally, we can apply Proposition 7.4 and Lemma 6.1 to insert e2 after r2 and immediately after some e1; hence, N can perform some we1e2l1 and violates safety.
Independently, Kindler and Walter [16] have shown a similar result. Defining correctness, some state-properties are required and a certain net-structure is prescribed there. On the one hand, this separation is elegant: the state-properties only require safety and the usual liveness property that a requesting user will eventually enter; the net-structure ensures that a user in his critical section may and in fact will leave and then is able to request again. On the other hand, it is not convincing that the prescribed net-structure is really necessary for something that intuitively should be a MUTEX-solution; it is quite restrictive, and in fact MUTEX0 designed by the same authors does not have the prescribed net-structure; a precursor to [16] presented in [38] uses a less restrictive net-structure. Prescribing some net-structure also makes the results of Walter [38] and Kindler and Walter [16] quite dependent on Petri nets as system models, whereas our MUTEX-specification is action-oriented and, thus, to some degree model-independent.
The aim of Kindler and Walter [16] is to show that a stronger fairness requirement than the progress assumption is needed to solve the MUTEX-problem. As in this paper, the progress assumption is understood as the requirement that each continuously enabled activity will be performed eventually; this is in contrast with strong fairness, which requires that an activity which is enabled again and again will occur. In [16], the progress assumption is formalized as maximality of non-sequential runs (Petri net processes) for ordinary nets without read arcs; this has the effect that each behaviour can be turned into one satisfying the progress assumption simply by inserting additional activities (compare Lemma 6.1(ii)) without enforcing any choices. Based on our formal definition of a MUTEX-solution, Theorem 7.6(ii) confirms that the MUTEX-problem can only be solved under a fairness assumption that enforces choices. At the same time, I believe that the definition of fairness in this paper is an adequate formalization of the idea of progress for nets with read arcs; hence, Theorem 7.6(i) shows that progress is enough to solve the MUTEX-problem. One could say that read arcs allow a 'refined' progress assumption, since with read arcs repeated read accesses to one location do not block a write access to this location. This is a restricted form of what Raynal [27] calls fairness of hardware, which requires that no accesses to one location can block another access forever.
In fact, the discussion of Dekker's and Knuth's algorithms in [27, pp. 27–28] might give the impression that the latter does not rely on any fairness of hardware, something that should be false in view of our theorem. And it is: without this fairness, one user-process in Knuth's algorithm can e.g. repeatedly test the variable turn in its pre-protocol, thereby preventing the other process from writing turn in its post-protocol and in effect from requesting again. Thus, Proposition 7.2 treats a realistic possibility for failure that is often ignored.
We have not required a correct MUTEX-process to enforce legal behaviour; as mentioned above, this makes Theorem 7.6 stronger. Our next result shows that any correct MUTEX-process can be turned into one that also enforces legal behaviour. Here, LEGAL is the net obtained from MUTEX2 by omitting the places p1 and p2, the internal transitions and all incident arcs; LEGAL has exactly all legal sequences as finite or infinite traces.
Proposition 7.7. A net MTX is a correct MUTEX-process if and only if the net MTX ‖I LEGAL is; the latter net only performs legal sequences.
Proof. Clearly, L(MTX ‖I LEGAL) is the intersection of L(MTX) and L(LEGAL); therefore, MTX ‖I LEGAL violates safety if and only if MTX does, and MTX ‖I LEGAL only performs legal sequences.
For the first part of liveness, assume w ∈ I* ∪ I^ω is a legal sequence where for some i ∈ {1, 2} ri does not occur or some li is not followed by another ri. Then (w, ∅) ∈ FF(LEGAL) since w is legal, and LEGAL surely offers {ri} along w. If MTX is correct, then MTX surely offers {ri} along w and Proposition 5.19 implies that MTX ‖I LEGAL surely offers {ri} along w. Vice versa, if MTX ‖I LEGAL is correct, then MTX ‖I LEGAL surely offers {ri} along w and, again by Proposition 5.19, MTX surely offers {ri} along w.
The other parts of liveness can be shown analogously; observe for the third part that LEGAL surely offers {ei} along w for each i ∈ {1, 2} such that some ri is not followed by ei in w.
The next result shows that our notion of a correct MUTEX-process is compatible
with our implementation notions.
Theorem 7.8. If a net MTX is a correct MUTEX-process and a net N is faster than MTX or a fair implementation of MTX, then N is a correct MUTEX-process, too.
Proof. Safety forbids certain traces. Since each trace can be extended to a fair trace w, safety in effect forbids certain fair refusal pairs (w, ∅). Also liveness forbids certain fair refusal pairs.
If N is faster than MTX, it is also a fair implementation of MTX, i.e. we have FF(N) ⊆ FF(MTX). Thus, if FF(MTX) does not contain a forbidden fair refusal pair, then neither does FF(N), i.e. N is a correct MUTEX-process.
We have defined i-refusal traces in order to compare the efficiency of components for asynchronous systems. We conclude the discussion of the MUTEX-problem by comparing the efficiency of MUTEX1 and MUTEX2. Our results are intuitively plausible, hence they demonstrate the feasibility of our approach.
The first observation is that both processes have their advantages and disadvantages: if there is no competition, then moving the access-token to the other part of the net is a useless and time-consuming effort; on the other hand, if the competition is strong, ordering the token is an additional overhead. This is demonstrated by the following i-refusal traces. If in MUTEX2 the access-token is moved to p2 immediately before r1, then t (see Fig. 9) becomes urgent only in the second round, at the end of which e1 can still be refused; we get r1{e1}{e1} ∈ RT(MUTEX2) − RT(MUTEX1), showing that sometimes MUTEX2 is slower, namely if the second user is not interested in entering the critical section, such that the token can stay with the first user in MUTEX1. Vice versa, MUTEX1 is sometimes slower, as witnessed by r2{e2}{e2}{e2} ∈ RT(MUTEX1) − RT(MUTEX2), where an additional round is needed to order the token. (After the first set, the token is ordered; after the second, the token is granted; only after the third, the lower e2-transition becomes urgent and cannot be refused anymore.)
RT(MUTEXi) shows how efficiently the MUTEX-processes serve the environment consisting of both users. Interestingly, we can also use our approach to study a different view: how efficiently are the needs of the first user met by the system, which for him consists of a MUTEX-process and the second user? As second user, we take the standard user shown in Fig. 10: in the non-critical section, she can choose between requesting with r2 and some other internal activity; if she requests, she is willing to enter the critical section in the next round and to leave it again in the round after. We compose this user with MUTEXi via ‖{r2, e2, l2} and hide the synchronized actions (relabel them as internal), since from the point of view of the first user they are internal activities of the system. Omitting duplicate places, MUTEX2 is transformed to MUTEX4 shown in Fig. 11 and similarly MUTEX1 is transformed to MUTEX3. (Observe that only req2 and c2 have the same connections in MUTEX2 and the standard user.) It is plausible that MUTEX4 is more efficient than MUTEX3: we consider the worst-case efficiency; naturally, for the first user strong competition is the worst case, and in the case of strong competition MUTEX2 is more efficient since it saves the additional effort of ordering the token. We will now show that in our setting indeed MUTEX4 is more efficient than MUTEX3.
Theorem 7.9. MUTEX4 is strictly faster than MUTEX3.
Fig. 10.
Fig. 11.
Proof. This proof is not so easy to do by hand, since MUTEX4, though it has only 12
reachable markings, has 41 reachable IDs. In the following, we describe the relevant
behaviour of MUTEX4 and, on the way, a simulation relation for MUTEX3.
Initially, both systems are in what we call a start situation: MUTEX4 marks (among
others) nc1, while MUTEX3 marks nc1, p1, nc2 and m2; r1 is urgent in MUTEX4 iff
it is in MUTEX3.
From the initial ID and whenever necessary, MUTEX3 can fire the internal loop-
transition, such that neither this transition nor r2 is ever urgent in MUTEX3. As a
consequence, here and in the following, actions are only urgent in MUTEX3 if explicitly
mentioned. Thus, MUTEX3 can always perform a time step and, in fact, always the
same time steps MUTEX4 can.
In a start situation, MUTEX4 can work internally, which is ignored by MUTEX3; it
can perform a time step, which is simulated by MUTEX3; or, finally, it can fire r1. In
the latter case, we reach one of the following four situations, where MUTEX3 simulates
as follows: if MUTEX4 reaches (1), MUTEX3 fires r1 and r2, and the second user orders
the token; or MUTEX3 additionally grants the token to the second user and orders
it for the first user to reach (2); or MUTEX3 furthermore fires the lower e2 to reach (3); or
MUTEX3 additionally fires l2 and grants the token to the first user to reach (4).
(1) MUTEX4 marks req1, p2 and nc2; MUTEX3 marks req1, p1 and o2. MUTEX4
possibly performs a time step, simulated by MUTEX3, such that t becomes urgent in
both nets. (See Fig. 8 for MUTEX3.) Now or immediately, MUTEX4 fires r2 or t. In
the first case, we reach (2) when MUTEX3 fires t and orders a token for the first user;
in the second case, we reach (4) when MUTEX3 additionally fires the lower e2 and l2
and grants the token to the first user.
(2) MUTEX4 marks req1, p2 and req2; MUTEX3 marks g2 and o1. MUTEX4 possibly
performs a time step, simulated by MUTEX3, such that (the lower) e2 becomes urgent in
both nets. Now or immediately, MUTEX4 fires e2, simulated by the lower e2 in MUTEX3,
and we reach (3).
(3) MUTEX4 marks req1 and c2; MUTEX3 marks c2 and o1. MUTEX4 possibly
performs a time step, simulated by MUTEX3, such that l2 becomes urgent in both nets.
Now or immediately, MUTEX4 fires l2. MUTEX3 fires l2 and grants the token to the
first user, such that we reach (4).
(4) MUTEX4 marks req1 and p1; MUTEX3 marks g1, nc2 and m2. MUTEX4 possibly
performs a time step, simulated by MUTEX3, such that (the lower) e1 becomes urgent
in both nets. Now or immediately, MUTEX4 fires e1 and MUTEX3 fires (the lower) e1.
From (4) we reach a situation where MUTEX4 marks c1 and MUTEX3 marks c1, nc2
and m2. Again, a time step might be possible, making l1 urgent in both nets. Then, l1
fires and we are back in the start situation.
It remains to show that MUTEX4 is strictly faster than MUTEX3. For this, we can
read off from the above case analysis that MUTEX4 can perform {e1} at most four times
after firing r1, namely once in each of the situations (1)–(4). MUTEX3, on the
other hand, can perform an additional {e1} after r1 when leaving the start situation and
another {e1} after l2 in (3). Thus, we get r1{e1}^6 ∈ RT(MUTEX3) − RT(MUTEX4).
8. Conclusion and related literature
The approach of Vogler [35] and Jenner and Vogler [14] describes when one asynchronous
system is observably faster than another by defining a suitable testing scenario.
In the present paper, this approach is generalized to safe Petri nets with read arcs in
order to apply it to two solutions of the MUTEX-problem, which contain read arcs;
this application uses a characterization of the faster-than relation in terms of some
sort of refusal traces. This RT-semantics is also used to show that read arcs are faster
than the loops which are usually employed.
The coarsest precongruence for parallel composition respecting fairness (in the sense
of assuming progress) is determined, and it turns out that the above faster-than relation
is a refinement of this fair-implementation relation; this result supports the claim that
the faster-than relation indeed compares general asynchronous systems.
Fig. 12.
Finally, the expressivity of read arcs is studied on the basis of fairness and
RT-semantics. In particular, a solution to the MUTEX-problem is seen as a separate
component of a parallel system, an action-based specification of such a correct
MUTEX-solution is given, and it is shown that no ordinary net without read arcs can
satisfy this specification, while one of the solutions with read arcs is proven to be
correct. The specification does not depend on Petri nets as system models, thus it can
in principle be applied to any other action-based formalism with a similar parallel
composition, e.g. to process algebras like CCS.
Also the impossibility result can probably be transferred to other settings, since loops
and read arcs can be interpreted as different views of how shared variables are accessed.
E.g. access to a variable with values 0 and 1 could be modelled in a Petri net as shown
in Fig. 12: the two places represent the two possible values of the variable (exactly one
of the places is marked at any time), reading the variable means performing one of the
read0- or read1-transitions, and writing the variable means performing one of the write0-
or write1-transitions. In Fig. 12, firing e.g. one read0-transition does not disable the other
one nor the enabled write0- or write1-transitions; hence, reading does not block other
accesses, and one of them will certainly be performed when time goes on. If we use loops
instead of the read arcs in Fig. 12, then repeated reading does block other accesses,
and this makes a solution of the MUTEX-problem impossible.
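As an added illustration (this is not code from the paper), the following Python simulator makes the difference between read arcs and loops checkable on a reconstruction of the Fig. 12 net. The net itself, the place and transition names (v0, v1, read0_a, write1_from0, ...) and the step rule are assumptions of this example, not taken from the page: the step rule is the one of contextual nets, under which several readers of a place may fire in one step, while a reader and a consumer of the same place may not. `loop_encoding` replaces every read arc by the usual loop; the comparison shows that under read arcs both read0-transitions form one step and neither is in structural conflict with a writer, whereas under loops every reader competes with the writer for the token on v0, which is exactly the blocking that the impossibility argument rests on.

```python
from itertools import combinations


class ReadArcNet:
    """Safe Petri net whose transitions have consuming (pre), read and producing (post) arcs."""

    def __init__(self):
        self.trans = {}  # name -> (pre, read, post); each a frozenset of place names

    def add(self, name, pre=(), read=(), post=()):
        self.trans[name] = (frozenset(pre), frozenset(read), frozenset(post))
        return self

    def loop_encoding(self):
        """The same net with every read arc replaced by a loop: the read place is
        consumed and returned, the usual encoding of a side-condition."""
        net = ReadArcNet()
        for name, (pre, read, post) in self.trans.items():
            net.add(name, pre | read, (), post | read)
        return net

    def step_enabled(self, marking, step):
        """Step rule of contextual nets (an assumption of this example): every member's
        consumed and read places are marked, consumed places are pairwise disjoint
        between members, and no member reads a place another member consumes."""
        for t in step:
            pre, read, _ = self.trans[t]
            if not (pre | read) <= marking:
                return False
        consumed = [self.trans[t][0] for t in step]
        if any(a & b for a, b in combinations(consumed, 2)):
            return False
        taken = frozenset().union(*consumed)
        return not any(self.trans[t][1] & taken for t in step)

    def fire_step(self, marking, step):
        """Marking reached by firing all transitions of an enabled step at once."""
        if not self.step_enabled(marking, step):
            raise ValueError(f"step {set(step)} is not enabled at {set(marking)}")
        taken = frozenset().union(*(self.trans[t][0] for t in step))
        produced = frozenset().union(*(self.trans[t][2] for t in step))
        return (marking - taken) | produced

    def maximal_steps(self, marking):
        """All enabled steps that cannot be extended by a further transition."""
        enabled = [t for t in self.trans if self.step_enabled(marking, (t,))]
        found = set()
        for size in range(len(enabled), 0, -1):  # large steps first, so supersets are known
            for cand in combinations(enabled, size):
                step = frozenset(cand)
                if self.step_enabled(marking, cand) and not any(step < s for s in found):
                    found.add(step)
        return found

    def in_conflict(self, t1, t2):
        """Structural conflict: an occurrence of one transition can disable the other
        because both have to consume a common place."""
        return bool(self.trans[t1][0] & self.trans[t2][0])


def shared_bit_net():
    """Reconstruction of the Fig. 12 variable with values 0 and 1 (the exact figure is an
    assumption): v0/v1 carries the token while the value is 0/1, two readers per value test
    the place via read arcs, and each writer consumes the token of the current value and
    produces the token of the written value (one transition per current value)."""
    net = ReadArcNet()
    net.add("read0_a", read={"v0"}).add("read0_b", read={"v0"})
    net.add("read1_a", read={"v1"}).add("read1_b", read={"v1"})
    net.add("write0_from0", pre={"v0"}, post={"v0"}).add("write1_from0", pre={"v0"}, post={"v1"})
    net.add("write0_from1", pre={"v1"}, post={"v0"}).add("write1_from1", pre={"v1"}, post={"v1"})
    return net


def compare_encodings(marking=frozenset({"v0"})):
    """Maximal steps and reader/writer conflict under read arcs versus loops."""
    out = {}
    for label, net in (("read arcs", shared_bit_net()), ("loops", shared_bit_net().loop_encoding())):
        out[label] = {
            "maximal_steps": {tuple(sorted(s)) for s in net.maximal_steps(marking)},
            "reader_conflicts_with_writer": net.in_conflict("read0_a", "write1_from0"),
        }
    return out


if __name__ == "__main__":
    for label, info in compare_encodings().items():
        print(f"{label}: maximal steps at {{v0}} = {sorted(info['maximal_steps'])}; "
              f"read0_a in conflict with write1_from0: {info['reader_conflicts_with_writer']}")
```

Run stand-alone, the script reports three maximal steps for the read-arc net at {v0} (the two readers together, and each writer alone) against four singleton steps for the loop encoding, where the readers also conflict with the writer.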
Read arcs are quite old, but they have found more attention only recently:
Christensen and Hansen [5] discuss a step semantics for nets with read arcs,
Montanari and Rossi [21] define net-processes (the classical partial order semantics
for Petri nets) for them, and in [3] this definition is (essentially) extended to nets that
also have inhibitor arcs. In these approaches, a net with read arcs can be translated
to an equivalent net without them, i.e. read arcs do not have any additional expressivity.
Janicki and Koutny [13] use read arcs to define net-processes for nets with inhibitor
arcs. Expressivity is not studied, but applying the ideas of Janicki and Koutny [13] to
nets with read arcs would allow firing the step {t, t′} in some cases where neither tt′ nor
t′t is firable; this is not possible in ordinary nets; see also [36].
In papers or books about the MUTEX-problem, correctness is often not specified
formally. We have already discussed the formal specification of Kindler and Walter [16],
where a result similar to ours is given. A formal, even automatic verification of some
MUTEX-solutions from the literature with the Concurrency Workbench is discussed in
[37]. To apply this tool, the MUTEX-solutions are translated into the process algebra
CCS, i.e. into an action-based formalism with a parallel composition similar to ours.
The view in [37] is traditional: a MUTEX-solution is some 'code' (consisting of a pre-
and a post-protocol) that is inserted into two sequential user-programs that run in
parallel. These programs each consist of a non-critical and a critical section, where
the latter is represented in CCS by an enter-action followed by a leave-action. This
way, safety can be formulated just as we have done it, and it can be checked with the
Concurrency Workbench.
To formulate liveness, the transition from the non-critical section to the pre-protocol
is represented (or rather: signalled) by a request-action. Walker [37] now discusses the
problem that the Concurrency Workbench is based on bisimulation, which does not
have the necessary fairness built in. As a consequence, a rather idiosyncratic liveness
property is formulated, which is then checked with the Concurrency Workbench: 'if
a user i requests and infinitely often some user enters, then user i also enters eventually'.
This property is e.g. satisfied if both users request and then deadlock! Since
this property is implied by the usual liveness property, it is satisfied by all the usual
solutions under the assumption of fairness. The Concurrency Workbench now checks
the property without assuming fairness, and it turns out that some respectable solutions
violate the property, whereas two MUTEX-solutions (Knuth's and Peterson's) satisfy
it; this is rather surprising, since it seems to indicate that these two MUTEX-solutions
do not really need fairness. The difference is probably due to a translation detail: the
request-action is not inserted at the very end of the non-critical section, where we
can assume it to be under the complete control of the respective user, but after the
first action of the pre-protocol; and the execution of this action in Knuth's and Peterson's
solution is exactly the one that is only guaranteed under some fairness assumption.
Walker [37] also says a few words about the usual liveness property 'a requesting
user always enters eventually', i.e. a user can never be stuck in his pre-protocol. As
already discussed after Theorem 7.6, this property is not sufficient, since a user might
just as well be stuck in his post-protocol; this would in effect prevent the user from
requesting again, but this ability is also desired. We have already argued that our view
of a MUTEX-solution as an independent component, which the users have to synchronize
with, might help to avoid such an omission: clearly, a user can perform a request-,
enter- or leave-action in our setting only if the MUTEX-process takes part in it.
A satisfactory formal specification of a correct MUTEX-solution can be found in
[18, Chs. 10 and 20]. Here, solutions are modelled with I/O-automata; these are
finite automata with some additional structure for fairness, and they are combined with
an action-based parallel composition like ours. The distinctive feature is an additional
restriction: whenever different components of a system communicate via a common
action, this action is an output-action for exactly one of them, say C, and an input-action
for the others; it is required that the action is under the control of C, i.e. all the others
are always willing to synchronize on this action (they are input-enabled).
Lynch [18] views a MUTEX-solution as an independent component (as we do), such
that a request-action as an input to this component is automatically always possible for
the user, and similarly the leave-action. On the other hand, the enter-action is controlled
by the MUTEX-process; consequently, it will be performed whenever the MUTEX-
process so wishes. Hence, the requirement that a user is never stuck in his pre-protocol
becomes, due to the I/O-restriction, simply: in each fair sequence of the MUTEX-
process each request-action is followed by the respective enter-action. Additionally, a
MUTEX-process in [18] has a rem-action as output to signal the end of the post-
protocol; the requirement that a user is never stuck in his post-protocol is treated
and becomes: in each fair sequence each leave-action is followed by the respective
rem-action.
In [18], each user only has the respective request-, enter-, leave- and rem-action
as visible actions; thus, the other advantage of viewing a MUTEX-solution as an
independent MUTEX-process is not worked out, namely: with this view, one does not
restrict the behaviour of the users and in particular their communication patterns in any
way. Lynch [18] employs a fairness assumption which ensures progress in such a way
that neither read- nor write-accesses to a variable can block another access forever;
this is stronger than our assumption, but one could certainly formulate a feature for
I/O-automata that is analogous to read arcs.
A completely different treatment of the access to shared variables can be found in
[17]. Lamport remarks that the usual solutions to the MUTEX-problem assume that it
has already been solved on a lower level, namely that accesses to a variable do not
overlap (safety) to guarantee the expected result of an access, and that each access
eventually succeeds (liveness). He suggests a solution on a simpler and realistic basis,
requiring the following. Accesses to a variable take time; each variable is written to
by at most one process and each write succeeds with the expected result; each read
succeeds, but its result may be corrupted: if it overlaps with a write, it might result in
the old or the new value. Thus, Lamport assumes liveness on the lower level but not
safety. By comparison, one can say that we assume safety (the instantaneous accesses
do not overlap), but require liveness in a limited way only: an access can be blocked
by repeated writes but not by repeated reads modelled by read arcs.
We close by briefly listing some faster-than relations from the literature. Arun-Kumar
and Hennessy [2], Moller and Tofts [20] and Corradini et al. [4] define bisimulation-
type preorders and require functional equivalence, i.e. the faster implementation has
to perform the same actions as the specification; hence these approaches are sometimes
more discriminating than ours. The approaches of Hennessy and Regan [12],
Cleaveland and Zwarico [6] and Natarajan and Cleaveland [22] are testing-based, but
only the third uses some bound in the tests (similar to our test duration). In [12, 20],
a unit-time-delay operator with a special treatment is introduced, while actions take
no time; hence, the parallel execution of two actions is equated with their arbitrary
interleaving, but these are different in the present paper since actions may take up to
time 1. Our approach similarly differs from that of Arun-Kumar and Hennessy [2], an
interleaving approach that simply counts the number of internal actions and disregards
concurrent execution; hence, efficiency in the sense of Arun-Kumar and Hennessy [2]
is not temporal efficiency. Combining ideas from Arun-Kumar and Hennessy [2] and
Vogler [34], Natarajan and Cleaveland [22] present a testing scenario with a bound on
the number of internal actions. Time-consuming actions are considered in [6, 4]. In the
testing approach of Cleaveland and Zwarico [6], simple transition systems are used as
models, i.e. only sequential systems are considered. Even for sequential systems, the
preorders of Cleaveland and Zwarico [6] are incomparable to ours, e.g. because in case
of a choice between an internal and a visible action, no internal decision is possible
in [6], but, as usual, it is possible in our approach. Finally, in the bisimulation-like
approach of Corradini et al. [4], local time-stamps are attached to actions, and actions
do not necessarily occur in the order given by these time-stamps; efficiency is judged
on the basis of these local time-stamps. Again, this is a very different idea, developed
further in a number of papers like [7], and no relation to our approach holds.
Acknowledgements
I am grateful to Ekkart Kindler for our discussions, which made me think more
carefully about some aspects of the approach presented here, and I thank Roberto
Gorrieri and Lars Jenner for their comments, which helped to improve the presentation
of this paper.
References
[1] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183–235.
[2] S. Arun-Kumar, M. Hennessy, An efficiency preorder for processes, Acta Inform. 29 (1992) 737–760.
[3] N. Busi, M. Pinna, Non-sequential semantics for contextual P/T-nets, in: J. Billington, W. Reisig (Eds.),
Applications and Theory of Petri Nets 1996, Lecture Notes in Computer Science, vol. 1091, Springer,
Berlin, 1996, pp. 113–132.
[4] F. Corradini, R. Gorrieri, M. Roccetti, Performance preorder: ordering processes with respect to speed,
in: J. Wiedermann, P. Hajek (Eds.), MFCS ’95, Lecture Notes in Computer Science, vol. 969, Springer,
Berlin, 1995, pp. 444–453.
[5] S. Christensen, N.D. Hansen, Coloured Petri nets extended with place capacities, test arcs, and inhibitor
arcs, in: M. Ajmone-Marsan (Ed.), Applications and Theory of Petri Nets 1993, Lecture Notes in
Computer Science, vol. 691, Springer, Berlin, 1993, pp. 186–205.
[6] R. Cleaveland, A. Zwarico, A theory of testing for real-time, in Proc. 6th Symp. on Logic in Computer
Science, IEEE Computer Society Press, Silver Spring, MD, 1991, pp. 110–119.
[7] P. Degano, J.-V. Loddo, C. Priami, Mobile processes with local clocks, in: Proc. LOMAPS Workshop
on Analysis and Verification of Multiple-Agent Languages, Lecture Notes in Computer Science, vol.
1192, Springer, Berlin, 1996, pp. 296–319.
[8] R. De Nicola, M.C.B. Hennessy, Testing equivalence for processes, Theoret. Comput. Sci. 34 (1984)
83–133.
[9] E.W. Dijkstra, Invariance and non-determinacy, in: C.A.R. Hoare, J.C. Shepherdson (Eds.), Mathematical
Logic and Programming Languages, Prentice-Hall, Englewood Cliffs, NJ, 1985, pp. 157–165.
[10] N. Francez, Fairness, Springer, Berlin, 1986.
[11] R. Gold, Verklemmungsfreiheit bei modularer Konstruktion fairer Petrinetze, Diplomarbeit, Techn. Univ.
München, 1988.
[12] M. Hennessy, T. Regan, A process algebra for timed systems, Inform. and Comput. 117 (1995) 221–239.
[13] R. Janicki, M. Koutny, Semantics of inhibitor nets, Inform. and Comput. 123 (1995) 1–16.
[14] L. Jenner, W. Vogler, Fast asynchronous systems in dense time, Theoret. Comput. Sci. 254 (2001) 379–422.
[15] E. Kindler, R. Walter, Message passing mutex, in: J. Desel (Ed.), Structures in Concurrency Theory,
Workshop in Computing, Springer, Berlin, 1995, pp. 205–219.
[16] E. Kindler, R. Walter, Mutex needs fairness, Inform. Process. Lett. 62 (1997) 31–39.
[17] L. Lamport, The mutual exclusion problem: Part II—statements and solutions, J. Assoc. Comput. Mach.
33 (1986) 327–348.
[18] N. Lynch, Distributed Algorithms, Morgan Kaufmann Publishers, San Francisco, 1996.
[19] N. Lynch, F. Vaandrager, Forward and backward simulations I: Untimed systems, Inform. and Comput.
121 (1995) 214–233.
[20] F. Moller, C. Tofts, Relating processes with respect to speed, in: J. Baeten, J. Groote (Eds.),
CONCUR’91, Lecture Notes in Computer Science, vol. 527, Springer, Berlin, 1991, pp. 424–438.
[21] U. Montanari, F. Rossi, Contextual nets, Acta Inform. 32 (1995) 545–596.
[22] V. Natarajan, R. Cleaveland, An algebraic theory of process efficiency, 11th Ann. Symp. Logic in
Computer Science (LICS ’96), IEEE, 1996, pp. 63–72.
[23] J.L. Peterson, Petri Net Theory, Prentice-Hall, Englewood Cliffs, NJ, 1981.
[24] G. Peterson, M. Fischer, Economical solutions for the critical section problem in a distributed system,
9th ACM Symp. Theory of Computing, 1977, 91–97.
[25] I. Phillips, Refusal testing, Theoret. Comput. Sci. 50 (1987) 241–284.
[26] L. Popova, On time Petri nets, J. Inform. Process. Cybernet. EIK 27 (1991) 227–244.
[27] M. Raynal, Algorithms for Mutual Exclusion, North Oxford Academic, London, 1986.
[28] W. Reisig, Partial order semantics versus interleaving semantics for CSP-like languages and its impact
on fairness, in: J. Paredaens (Ed.), Automata, Languages and Programming, Lecture Notes in Computer
Science, vol. 172, Springer, Berlin, 1984, pp. 403–413.
[29] W. Reisig, Petri Nets, EATCS Monographs on Theoretical Computer Science 4, Springer, Berlin, 1985.
[30] G. Richter, A note on side-conditions and inhibitor arcs, Petri Net Newslett. 21 (1985) 29–37.
[31] W. Thomas, Automata on infinite objects, in: J. van Leeuwen (Ed.), Handbook of Theoretical
Computer Science, Ch. 4, Elsevier, Amsterdam, 1990.
[32] W. Vogler, Modular Construction and Partial Order Semantics of Petri Nets, Lecture Notes in Computer
Science, vol. 625, Springer, Berlin, 1992.
[33] W. Vogler, Fairness and partial order semantics, Inform. Process. Lett. 55 (1995) 33–39.
[34] W. Vogler, Timed testing of concurrent systems, Inform. and Comput. 121 (1995) 149–171.
[35] W. Vogler, Faster asynchronous systems, in: I. Lee, S. Smolka (Eds.), CONCUR 95, Lecture Notes in
Computer Science, vol. 962, Springer, Berlin, 1995, pp. 299–312, full version as Report Nr. 317, Inst.
f. Mathematik, Univ. Augsburg, 1995.
[36] W. Vogler, Partial order semantics and read arcs, Technical Report 1997-1, Inst. f. Informatik, Univ.
Augsburg, 1997; see http://www.math.uni-augsburg.de/~vogler/; extended abstract in MFCS 97, Lecture
Notes in Computer Science, vol. 1295, Springer, Berlin, 1997, pp. 508–517. To appear in Theoret. Comput.
Sci.
[37] D. Walker, Automated analysis of mutual exclusion algorithms using CCS, Formal Aspects Comput. 1
(1989) 273–292.
[38] R. Walter, Petrinetzmodelle verteilter Algorithmen, Edition Versal, vol. 2, Bertz Verlag, Berlin, 1995.
