Concurrent abstract state machines
 1.7k Downloads
 20 Citations
Abstract
A concurrent Abstract State Machine (ASM) is a family of agents each equipped with a sequential ASM to execute. We define the semantics of concurrent ASMs by concurrent ASM runs which overcome the problems of Gurevich’s distributed ASM runs and generalize Lamport’s sequentially consistent runs. A postulate characterizing an intuitive understanding of concurrency is formulated. It allows us to state and prove an extension of the sequential ASM thesis to a concurrent ASM thesis.
Keywords
Sequential Consistency Abstract State Machine Shared Location Memory Request Consistency Memory Model1 Introduction
There are numerous models of concurrency in the literature or implemented in current hardware/software systems and underlying distributed algorithms, specification and programming languages. To cite only a few examples with a rich scientific literature: distributed algorithms [45], process algebras [36, 48, 49, 55], actor models [3, 35], trace theory [46, 47] (see [66] for a survey), Petri nets [33, 50, 51], etc.
Abstract State Machines (ASMs) have been used since their discovery in the 1990s to model sequential and concurrent systems (see [20, Ch. 6, 9] for references), the latter ones based upon various definitions of concurrent ASM runs which eventually were superseded by the definition in [28] of socalled distributed ASM runs as a certain class of partially ordered runs. It turned out, however, that the elegance of this definition has a high price, namely to be too restrictive and thereby impractical. The theory counterpart of this experience is that until today for this notion of distributed ASM runs no extension of the socalled sequential ASM thesis is known.
The ASM thesis was first stated in [26, 27] as project idea for a generalization of Turing’s thesis—years before the definition of ASMs in [28]—and has been eventually proved in [29] for sequential ASMs from three natural postulates. This proof confirmed the experience made meanwhile (see [15, 20], Ch. 9] for a survey) that ASMs allow one to faithfully model at any level of abstraction sequential systems found in practice (‘ground model’ concern [17]) and to provide a basis for the practitioner to rigorously analyze and reliably refine such models to their implementations (correct refinement concern [16]). A considerable research effort has been devoted to extend this sequential ASM thesis to other computational concepts, in particular to parallel machines [7, 11], to machines which interact with the environment during a step [8, 9, 10] (for one more variation see [12, 13]), to quantum algorithms [25] and to database systems [56, 57, 58, 60, 64]. But up to now no postulates have been found from which a thesis for truly concurrent ASMs can be proven.

execute each a sequential process,

run asynchronously, each with its own clock,

interact with (and know of) each other only via reading/writing values of designated locations.

Concurrency Postulate A concurrent process or algorithm is given by a finite set \(\mathcal {A}\) of pairs (a, alg(a)) of agents a which are equipped each with a sequential process alg(a) to execute. In a concurrent \(\mathcal {A}\)run started in some initial state \(S_0\), each interaction state \(S_n\) (\(n \ge 0\)) where some agents (say those of some finite set \(A_n\) of agents) interact with each other yields a next state \(S_{n+1}\) by the moves of all agents \(a \in A_n\) which happen to simultaneously complete the execution of their current alg(a)step they had started in some preceding state \(S_j\) (\(j \le n\) depending on a).
The sequential ASM thesis allows one to consider every sequential process (algorithm) as given by a sequential ASM that is executed by a single agent. Sequential ASMs come with a comprehensive notion of state and how states change by sequences of steps (moves of a single agent), a notion underlying also other rigorous approaches for the development of discrete systems, notably the (Event) B [1, 2] and the TLA [42] methods. The question then is how computations of single agents interact with each other in concurrent (not only interleaved) runs. We were surprised to eventually find out that a simple conservative extension of sequential to concurrent ASM runs allows one to extend Gurevich’s proof of the sequential ASM thesis to a concurrent ASM thesis (Sect. 4) with respect to the above stated Concurrency Postulate, which seems to comprise a large class of concurrent computations.
In this paper we define concurrent ASM runs in a way that preserves the parallel statebased ASM computation model at the level of single autonomous agents (Sect. 3). To motivate the definition we explain in Sect. 2 why distributed ASM runs as defined in [28] are too restrictive as a concept of concurrent ASM runs. We also show how Lamport’s concept of sequential consistency [40] can be generalized to ASMs in a way that sets the stage for our definition of concurrent ASM runs in Sect. 3. Section 5 contains concluding remarks. In an “Appendix” we illustrate concurrent ASM runs by explaining the relation of this concept to Lamport’s spacetime view of distributed systems (“Appendix 2”) and to various notions of Petri net runs (“Appendix 3”).
We assume the reader to have some basic knowledge of ASMs, covering the definitions—provided 20 years ago in [28] and appearing in textbook form in [20, Sect. 2.2/4]—for what are ASMs (i.e. their transition rules) and how their execution in given environments performs state changes by applying sets of updates to locations. For the discussion and proof of the Concurrent ASM Thesis in Sect. 4 we additionally assume some knowledge of the Sequential ASM Thesis (explained and proved 15 years ago in [29], see also the simplification of the proof in the AsmBook [20, Sect. 7.2]). Nevertheless at places where some technical details about ASMs need to be referred to we briefly describe their notation and their meaning so that the paper can be understood also by a more general audience of readers who view ASMs as a semantically wellfounded form of pseudocode that performs computations over arbitrary structures. For the “Appendix” we assume knowledge of Lamport’s spacetime view of distributed systems (defined in the influential paper [39]) and knowledge of the basic definition of Petri nets [6, 50].
2 Distributed and sequentially consistent runs
In this section we set the stage for the definition in Sect. 3 by an analysis of Gurevich’s definition of distributed ASM runs [28] and Lamport’s concept of sequentially consistent runs [40].
2.1 Gurevich’s distributed ASM runs
In [28] Gurevich defined distributed ASM runs as particular partial orderings of single moves of agents a from a family of pairwise different agents, each executing a sequential asm(a); where not relevant we do not mention the signature and the set of initial states each ASM comes with. The partial order approach to concurrency tries to focus on what are called ‘causal’ dependencies (which require a sequential ordering) of single moves, eliminating any nonessential ordering among them. Gurevich’s definition tried to enrich a mere control flow analysis (on ‘which transitions fired and in which order’) by including possible data dependencies, as offered by the general notion of state underlying ASMs. However, the definition uses an axiomatic concept of global state which turned out to be too restrictive to represent plausible concurrent computations. In the ASM community this is folklore knowledge; we use it in this section to motivate why a definition is needed which supports computing practice. Before doing this we review Gurevich’s definition.
Definition 1

finite history: each move has only finitely many predecessors, i.e. \(\{m' \in M \mid m' \le m \}\) is finite for each \(m \in M\),

sequentiality of agents: for each agent a the set of its moves is linearly ordered, i.e. \(agent(m)=agent(m')\) implies \(m \le m'\, {\mathbf { or }}\, m'\le m\), where agent(m) denotes the agent which executes move m,

coherence: each finite initial segment (downward closed subset) I of \((M, \le )\) has an associated state \(\sigma (I)\)—interpreted as the result of all moves in I with m executed before \(m'\) if \(m \le m'\)— which for every maximal element \(m \in I\) is the result of applying move m in state \(\sigma (I\{m\})\).
Distributed ASM runs clearly extend purelysequential ASM runs; in fact each sequence of moves of a totally ordered set of moves (e.g. moves of a singleagent ASM) represents a distributed ASM run.

Linearization Lemma for distributed ASM runs. Let I be a finite initial segment of a distributed ASM run. All linearizations of I yield runs with the same final state.

Unique Result Lemma. Two distributed ASM runs with same partially ordered moves and same initial state \(\sigma (\emptyset )=\sigma '(\emptyset )\) yield for every finite initial segment I the same associated state \(\sigma (I)=\sigma '(I)\).
We illustrate the definition by two simple examples taken from Robert Stärk’s lectures on ASMs at ETH Zürich in 2004.
The characterizing requirement for mutual exclusion protocols is usually guaranteed by a selection mechanism to choose among interested processes, those which in a given moment simultaneously want to \({\textsc {Grab}}(resource)\). To resolve the conflict requires an ‘atomic’ combination of reading and writing the location owner(resource). For the \({\textsc {MutualExclusion}}\) ASM defined above the property holds in every distributed ASM run; there is no need of further scheduling, because Gurevich’s coherence condition already enforces the exclusive resource access. In fact it is not difficult to show the following regular behavior of \({\textsc {MutualExclusion}}\) in its distributed ASM runs.

\(m_0\) is the least \({\textsc {MutualExclusion}}\) move in M and \(m_i<m_{i+1}\) (monotonicity),

\(m_{2i}\)/\(m_{2i+1}\) are \({\textsc {Grab}}\)/\( {\textsc {Release}}\) moves of a same \(agent(m_{2i})\),

M contains no \({\textsc {MutualExclusion}}\) move between \(m_{2i}\) and \(m_{2i+1}\) and between \(m_{2i+1}\) and \(m_{2i+2}\),

all \({\textsc {MutualExclusion}}\) moves m in M are ordered wrt \(m_i\), i.e. for each i holds \(m \le m_i \vee m_i <m\).
Gurevich’s definition of distributed ASM runs makes it hard to construct such runs (or to prove that they exist; for some characteristic example see [30, 31]) and often such runs do not exist. In the next section we provide an example which excludes notpurelysequential distributed ASM runs but has sequentially consistent runs in the sense of Lamport [40].
2.2 Lamport’s sequentially consistent runs
Lamport [40] defines for sequential processors running concurrently on a computer and accessing a common memory the following notion of sequential consistency:
The result of any execution is the same as if the operations of all the processors were executed in some sequential order, and the operations of each individual processor appear in this sequence in the order specified by its program.

R1: ‘Each processor issues memory requests in the order specified by its program.’

R2: ‘Memory requests from all processors issued to an individual memory module are serviced from a single FIFO queue. Issuing a memory request consists of entering the request on this queue.’
In an email (of December 3, 2011) to the first author Lamport gave a more detailed version of this definition, clarifying the intended meaning of ‘result of any execution’:
Definition 2
(Lamport) An execution is a set of sequences of operations, one sequence per process. An operation is a pair \(\langle operation,value \rangle \), where the operation is either read or write and value is the value read or written.
The execution is sequentially consistent iff there exists an interleaving of the set of sequences into a single sequence of operations that is a legal execution of a singleprocessor system, meaning that each value read is the most recently written value.
(One also needs to specify what value a read that precedes any write can obtain.)
Each such interleaving is called a witness of the sequential consistency of the execution. Different witnesses may yield different results, i.e. values read or written, in contrast to the above stated Unique Result Lemma for distributed ASM runs.
For later reference we call the two involved properties sequentiality preservation resp.readfreshness.
A processor (computer) is called sequentially consistent if and only if all its executions are sequentially consistent.
2.2.1 Relation to distributed ASM runs
We show below (in terms of a generalization of sequential consistency for ASM runs) that distributed ASM runs yield sequentially consistent ASM runs. Inversely, process executions can be sequentially consistent without having any notpurelysequential distributed ASM run. This is illustrated by the following example.
 \(\{(m_1),(m_2)\}\) is a sequentially consistent \({\textsc {RacyWrite}}\) run with two witnesses yielding different results (namely \(x=2\) or \(x=1\), respectively):$$\begin{aligned} m_1;m_2 \text{ and } m_2;m_1 \end{aligned}$$
 There is no notpurelysequential distributed ASM run of \({\textsc {RacyWrite}}\) in the sense of Gurevich where each agent makes (at least) one step. The only distributed ASM runs of \({\textsc {RacyWrite}}\) are purelysequential runs.

In fact the initial segments of an unordered set \(M=\{m_1,m_2\}\) are \(\emptyset , \{m_1\}, \{m_2\}\), \(\{m_1,m_2\}\) and \(x=i\) holds in \(\sigma (\{m_i\})\). But \(m_1;m_2\) and \(m_2;m_1\) are two different linearizations of \(\{m_1,m_2\}\).

2.2.2 Sequential consistency versus relaxed memory models

either the sequential execution order of the programs of agents \(a_3\) and \(a_4\) is changed, say for some optimization purpose, or

the memory access to read/write location values is changed from atomic to a finer grained mechanism which allows some agent to read (somewhere) a location value even if another agent is writing or has already written (somewhere) another value for that location.
2.3 Sequentially consistent ASM runs
 Each move instead of a single read/write operation becomes a set of parallel (simultaneously executed) read/write operations.This is only an ASM formalization of Lamport’s concept; in fact Lamport makes no assumption on the structure of what is read or written, so instead of just one it could be a set of (possibly structred) locations.
 More precisely, for every agent a with program asm(a), every move m of a in a state S consists in applying to S a set of updates computed by asm(a) in S, generating a next state \(S'\), usually written as \(S \rightarrow _{asm(a)} S'\) or \(S \rightarrow _m S'\). This update set contains tobeperformed write operations (l, v) by which values v will be assigned to given locations l; the update set is denoted by \(\Delta (asm(a),S)\) (the ‘difference’ executing an asm(a)step will produce between S and \(S'\)), its application by \(+\) so that \(S \rightarrow _{asm(a)} S'\) can also be expressed by an equation$$\begin{aligned} S'=S ~+\Delta (asm(a),S) \end{aligned}$$

 Between two moves of a the environment can make a move to update the input and/or the shared locations.Singleagent ASMs which continuously interact with their environment via input (also called monitored) locations are defined in [20, Def. 2.4.22] and called basic ASMs to distinguish them from what Gurevich called sequential ASMs. The sequential ASM thesis, right from the beginning conceived as a generalization of Turing’s thesis [26], disregards monitored locations. Sequential ASM runs once started proceed executing without any further interaction with the environment; in other words input for a sequential run is given by the initial state only, as is the case in the classical concept of Turing machine runs [14]. For interacting Turing machines see [65].
 More precisely, when a makes a move in a state \(S_n\) resulting in what is called the next internal statean ‘environment move’ leads to the next state where a can make its next move (unless it terminates). Using again the \(\Delta \)notation this can be expressed by the equation$$\begin{aligned} S_n'= S_n ~+ \Delta (asm(a),S_n), \end{aligned}$$Note that whereas \(\Delta (asm(a),S)\) is a function of the ASM rule asm(a) and the state S, for the sake of brevity we also write \(\Delta (env(a),S')\) though the environment nondeterministically may bring in to state \(S'\) updates which do not depend on \(S'\). To distinguish the ‘moves’ of env(a) from those of a the latter are also called internal and the former external moves (for a). A run without environment moves is called an internal run of a.$$\begin{aligned} S_{n+1}=S_n'~+ \Delta (env(a),S_n'). \end{aligned}$$

For sequentially consistent ASM executions the readfreshness property has to include the effect of external environment moves which in sequential ASMs follow internal moves. In other words one can allow any interleaving where between two successive moves \(m,m'\) of any agent a, moves of other agents can be arranged in any sequentiality preserving order as long as their execution computes the effect of the environment move between m and \(m'\). This is described by the following definition.
Definition 3
Let \(\mathcal {A}\) be a set of pairs (a, asm(a)) of agents \(a \in A\) each equipped with a basic ASM asm(a). Let R be an \(\mathcal {A}\)execution (resp. an \(\mathcal {A}\)run), i.e. a set of aexecutions (resp. aruns), one for each \(a \in A\).
R is called a sequentially consistent ASM execution (resp. run), if there is an interleaving of R where for every a and n the sequence \(M_{n,a}\) of moves of other agents in this interleaving between the nth and the \((n+1)\)th move of a yields the same result as the nth environment move in the given aexecution (resp. run).
Such an interleaving (or its corresponding sequence of states) is called a witness of the sequentially consistent \(\mathcal {A}\)execution (resp.run) R.
For the comparison of sequential to concurrent ASM runs in Sect. 3 we state as a lemma properties which directly follow from the definition of sequentially consistent ASM runs. Lamport’s requirement quoted above that ‘One also needs to specify what value a read that precedes any write can obtain’ has to be generalized with respect to initial ASM states. The Single Move Property expresses the generalization of Lamport’s single read/write operations to multiple updates in single ASM steps. The Sequentiality Preservation Property is generalized to also take the underlying state into account.
2.3.1 Characterization Lemma
 1.The witnesses of sequentially consistent \(\mathcal {A}\)runs are the internal runs (i.e. runs without any interaction with the environment) of the following ASM:
 2.Each witness of a sequentially consistent \(\mathcal {A}\)run is a sequence \(S_0,S_1,\ldots \) of \(\Sigma _A\)states such that the following properties hold:

Initial State Property: for each state \(S_i\) where an agent a makes its first move in the witness, \(S_i\downarrow \Sigma _a\) (the restriction of \(S_i\) to the signature of a) is an initial astate.
 Single Move Property: for each state \(S_n\) (except a final one) there is exactly one \(a \in A\) which in this state makes its next move and yields \(S_{n+1}\), i.e. such that thw following holds:

Sequentiality Preservation Property: for each agent a its run in the given ASM run of A is the restriction to \(\Sigma _a\) of a subsequence of the witness run.

2.3.2 Remark on states
The states \(S_n\) in witnesses of a sequentially consistent \(\mathcal {A}\)run are not states any single agent a can see—a sees only the restriction \(S_n\downarrow \Sigma _a\) to its own signature—but reflect the fact that we speak about viewing a system as concurrent, in accordance with [44, pg. 1159] where it is pointed out that instead ‘of a distributed system, it is more accurate to speak of a distributed view of a system.’ In other words what may be conceived as a ‘global’ state is only a way to look at a run for the purpose of its analysis.
2.3.3 CoreASM runs

for the subset \(B \subseteq A\) of agents chosen for execution of a step in state \(S_0\) the restriction \(S_0\downarrow \Sigma _B\) of the state \(S_0\) (to the union of the signatures of each element \(b \in B\)) comprises an initial state for each \(b \in B\),

for each state \(S_n\) (except the final one if the sequence is finite) the scheduler component of CoreASM chooses a subset \(B \subseteq A\) of agents each of which makes a move in this state such that altogether these moves result in \(S_{n+1}\).
2.3.4 Agent’s view of sequentially consistent ASM runs
Witnesses of sequentially consistent ASM runs allow one to reconstruct the original run of each involved agent.
Proposition 1
From each witness of a sequentially consistent ASM run the original sequential run of each agent can be reconstructed.
Proof
Let any witness \(S_0,S_1,\ldots \) of a sequentially consistent run of agents \(a \in A\) with program asm(a) be given. We reconstruct the original sequential run of a as the aview \(S_0(a),S_1(a),\ldots \) of the witness by induction.
Let \(m_0(a),m_1(a),\ldots \) be the sequence of moves a makes in the witness. Let \(S_n(a)=S_i\downarrow \Sigma _a\) for the witness state \(S_i\) where a makes its move \(m_n(a)\). Then \(S_i \rightarrow _{m_n(a)} S_{i+1}\) with \(S_{i+1}\downarrow \Sigma _a =S_n'(a)\).
Let \(S_j\) be the witness state where a makes its next move \(m_{n+1}(a)\) (if any) where \(i+1 \le j\) (in case a makes no move after \(m_n(a)\) the aview ends with \(S_{i+1}\downarrow \Sigma _a\)). Let U be such that \(S_{i+1}+U=S_j\) (result of the witness segment \(S_{i+1},\ldots ,S_j\)), so that U is perceived by a as effect of the ‘environment move’ between \(m_n(a)\) and \(m_{n+1}(a)\). Define \(S_{n+1}(a)\) as \(S_j \downarrow \Sigma _a\).
2.3.5 Sequentially consistent versus distributed ASM runs
Distributed ASM runs yield sequentially consistent ASM runs for each finite initial run segment.
Proposition 2
For each distributed ASM run \((M,\le )\) and for each finite initial segment I of \(\le \) holds:
Each linearization L of I yields a witness for the sequential consistency of the set of Lsubruns of all agents which make a move in L.
Here the Lsubrun of agent a denotes the sequence of moves of a in L.
Proof
Let L be any linearization of I—remember that I may be only partially ordered—and A the set of the agents which make some move in L. The Lsubruns of the agents in A are welldefined finite executions by the constraint on finite history and the sequentiality of agents in distributed ASM runs. By the coherence condition each single move \(m \in L\) is an internal move (as defined in Sect. 2.3) of the agent(m) which executes it. Therefore the moves in L generate a sequence \(States(L)=S_0,S_1,\ldots S_k\) of states where each \(S_{i+1}\) is the result of applying the ith move in L to \(S_i\) (\(0 \le i\)) and \(S_k=\sigma (I)\).
3 Concurrent ASM runs

ground model concern [17] to choose the degree of atomicity of basic update actions such that they directly reflect the level of abstraction of the system to be modeled,

correct refinement concern [16] to refine this atomicity controllably by hierarchies of more detailed models with finer grained atomic actions, leading from ground models to executable code.

the reading is viewed as locally recording the current values of the input and the shared locations of the process,

the writing is viewed as writing back new values for the output and the shared locations of the process so that these values become visible to other processes in the run.
With treating reading resp. writing as atomic operations we deliberately abstract from possibly overlapping reads/writes as they can occur in relaxed memory models; we view describing such models as a matter of further detailing the atomic view at refined levels of abstraction, essentially requiring to specify the underlying caching mechanisms used to access shared locations. For an example we refer to the ASM defined in [63] for the Location Consistency Memory Model.
These considerations lead us to the following definition of concurrent runs of multiagent ASMs.
Definition 4
Let \(\mathcal {A}\) be a set of pairs (a, asm(a)) of agents \(a \in A\) with sequential asm(a), called a multiagent ASM.
A concurrent run of \(\mathcal {A}\) is a sequence \(S_0,S_1,\ldots \) of states together with a sequence \(A_0,A_1, \ldots \) of subsets of A such that each state \(S_{n+1}\) is obtained from \(S_n\) by applying to it the updates computed by the agents \(a \in A_n\) each of which started its current (internal) step by reading its input and shared locations in some preceding state \(S_j\) depending on a. The run terminates in state \(S_n\) if the updates computed by the agents in \(A_n\) are inconsistent.
Remark
The definition generalizes the definition in [20, Def. 2.4.22] of runs of basic ASMs whose moves alternate with environment moves. It relaxes the Single Move Property of sequentially consistent ASM runs since it requires to apply to \(S_n\) possibly multiple update sets \(\Delta _j\) instead of just one. It trades the readfreshness property for the readcleanness property by allowing that updates to a location made after an agent read this location may become visible to this agent in the concurrent run only once the agent has completed the step which started with this reading (and thus is based upon it). To determine subsets \(A_n\) of agents is the role of scheduling and is the place where message passing algorithms, network communication protocols etc. come in to define particular notions of concurrent system execution.
3.1 Agent’s view of sequentially concurrent ASM runs

\(S_{viewOf(a,0)}=S_{readMove(a,0)} \downarrow \Sigma _{asm(a)}\) is an initial state of a,
 \(S_{viewOf(a,n+1)}=S_{writeMove(n,a)+k} \downarrow \Sigma _{asm(a)}\) for some \(k>0\) such that$$\begin{aligned} readMove(n+1,a)=writeMove(n,a)+k \end{aligned}$$
3.2 Remark on atomicity of reads/writes
Some authors (see for example [53]) claim that states like the ones we use to define concurrent runs cannot exist. However, epistemologically there is a difference between ‘existence’ and ‘observability’. In a discrete system view one ‘observes’ (‘freezes’) the system at certain moments in time such that each (atomic) location holds a welldefined value, therefore such states have to be assumed to be observable. This is what our definition expresses in terms of local state views, without need to refer to global states.

no specific assumption is made on the granularity of the read/write operations,

the capability of ASMs to capture algorithmic computations at any level of abstraction is preserved.
Assuming that the reads and writes a process performs in a step on shared locations are executed atomically reflects an abstract interpretation of the intuitive ‘interaction’ concept in the Concurrency Postulate. One reviewer suggests to consider a more general interaction notion where agents which simultaneously bring in different updates for a location are allowed to negotiate the resulting values for such locations. We think that such cases are captured by Definition 4: the negotiation can be specified by a separate negotiator ASM which steps in when multiple agents present inconsistent location updates. Note also that in [12, 13] (and earlier papers cited there) some specific classes of ASMs with interprocess communication facilities have been studied which lead to a thesis for corresponding classes of algorithms, but the considered runs are not truly concurrent.
3.3 Remark on interleaving
Definition 4 generalizes Lamport’s sequential consistency concept because concurrent ASM runs abstract from strict interleavings of single process executions. Obviously any parallel (simultaneous) updates by several processes can be replaced by an interleaving of these updates that is performed in any order with no process initiating a new step in between; this typical sequential implementation of synchronous parallelism is easily made precise and proved to be correct using the ASM refinement framework [16]. The reason why we prefer to consider in Definition 4 compact runs where synchronous parallelism in single steps allows us to avoid interleaving, is the following: the analysis of compact runs, due to the abstraction from semantically not needed sequentiality, is a) often simpler than the direct analysis of corresponding interleaved runs and b) easily completed (where needed) by a standard refinement argument to a finergrained analysis of interleaved runs. This is a general experience reflected in the ASM literature, that the abstraction from semantically not needed sequentiality often simplifies both the design and the analysis of complex systems M by first working with an abstract, compact ASM model \(M'\) and then refining this (usually by a series of small steps) to the more detailed M. To mention at least one out of many nontrivial examples we point to the analysis of Java and its implementation by the JVM in [62].
4 The Concurrent ASM thesis
As for the sequential ASM thesis proved by Gurevich [29], for the concurrent ASM counterpart we have to prove two statements:
Theorem 1
Plausibility. Each concurrent ASM satisfies the Concurrency Postulate from Sect. 1.
Characterization. Each concurrent process \(\mathcal {A} = \{ (a,alg(a)) \mid a \in A \}\) as stipulated by the Concurrency Postulate in Sect. 1 can be simulated by a concurrent ASM \(\mathcal {M} = \{ (a,M_a) \mid a \in A \}\) the such that sets of agents and their steps in concurrent runs are in a onetoone relation (also called lockstep simulation).
The first statement follows from the above described ASM interpretation of the intuitive notions of interaction, single step and state in the Concurrency Postulate and from the definition of concurrent ASM runs because sequential ASMs are a specific way to describe algorithms for sequential processes.
 Sequential Time Postulate. Each algorithm \(A=alg(a)\) is associated with

a set \(\mathcal {S}(A)\), the set of states of A,

a subset \(\mathcal {I}(A)\subseteq \mathcal {S}(A)\), the set of initial states of A,

a map \(\tau _A:\mathcal {S}(A)\rightarrow \mathcal {S}(A)\), the onestep transformation of A.

 Abstract State Postulate. For each algorithm \(A=alg(a)\) holds:

the states of A are algebraic firstorder structures,

all states of A have the same finite signature \(\Sigma _A\),

the onestep transformation \(\tau _A\) does not change the base set of the state,

\(\mathcal {S}(A)\) and \(\mathcal {I}(A)\) are closed under isomorphisms,

If \(S,S'\in \mathcal {S}(A)\) and \(\alpha \) is an isomorphism from S to \(S'\), then \(\alpha \) is also an isomorphism from \(\tau _A(S)\) to \(\tau _A(S')\).


Uniformly Bounded Exploration Postulate. There exists a finite set T—called bounded exploration witness—of ground terms (i.e. without free variables) of A such that the next computation step of the algorithm depends only on that part of the state which can be accessed via terms in T. In other words, whenever two states S and \(S'\) coincide over T, then \(\Delta (A,S)=\Delta (A,S')\).
Therefore we have to construct the rules for sequential ASMs \(M_a\) for each agent \(a \in A\). The signature for \(M_a\), the states and initial states, the onestep transformation function \(\tau _a\), etc. are given by Gurevich’s postulates.
4.1 Observation
The construction of the rule for the sequential ASM in the proof of the sequential ASM thesis in [29] does not depend on the entire run \(S_0, S_1, \dots \), but only on the state pairs \((S_i,S_{i+1})\), i.e. \((S, \tau (S))\).
We exploit this observation for the concurrent runs defined by \(\mathcal {A}\).
That is, the update set defining the change from state \(S_i\) to its successor state \(S_{i+1}\) in the concurrent run is a finite union of update sets \(\Delta (alg(a_j),S_{i_j} \downarrow \Sigma _{alg(a_j)})\) where \(i_j=lastRead(a,i)\). For each agent \(a_j \in Ag_i\) participating with a nonempty update set there exists a welldefined previous state \(S_{i_j}\) whose (possibly including monitored and shared) location values \(alg(a_j)\) determine its update set. The restriction of this state to the signature \(\Sigma _j\) of \(alg(a_j)\) is a valid state for the sequential algorithm \(alg(a_j)\), and the determined update set is the unique update set defining the transition from this state \(S_{i_j} \downarrow \Sigma _j\) to its next state via \(\tau _a\) (see Lemma 5.1 in [29, p.89]).

\(S_a\) is a state of alg(a) and \(\Delta (S_a)\) is the unique, consistent update set computed by alg(a) for the transition from \(S_a\) to \(\tau _a(S_a)\),

\(S_a = S_{i_j} \downarrow \Sigma _{alg(a)}\) for some state \(S_{i_j}\) in some nonterminated run of \(\mathcal {A}\), in which alg(a) computes an update set that contributes to the definition of a later state in the same run.
Lemma 1
For each agent \(a \in A\) there exists an ASM rule \(r_a\) such that for all \((S_a,\Delta (S_a)) \in R_a\) we get \(\Delta (S_a)=\Delta (r_a,S_a)\), i.e. the updates the rule \(r_a\) yields in state \(S_a\) are exactly the updates in \(\Delta (S_a)\) determined by alg(a).
So any given concurrent \(\mathcal {A}\)run \(S_0, S_1, \dots \) together with \(Ag_0, Ag_1, \dots \) is indeed a concurrent \(\mathcal {M}\)run of the concurrent ASM \(\mathcal {M} = \{ (a,M_a) \mid a \in A \}\). This proves Theorem 1.
Remark
Note that Theorem 1 remains valid if one of the agents \(a \in A\) is not given by an algorithm but as environment. The environment may behave in a nondeterministic way. Though it may participate in the transition from state \(S_n\) to \(S_{n+1}\) by means of an update set \(\Delta \), this set may not depend on any previous state or the dependence may not be functional, e.g. in the case of providing sensor values. In such cases there is no point to look for an ASM to describe the environment.
5 Conclusion
We proposed a semantics for concurrent ASMs by concurrent ASM runs, which overcomes the problems related to Gurevich’s definition of distributed ASM runs. Our definition preserves the characteristic property of ASMs to compute update sets in some state and to apply them to determine a new state. The main difference to sequential ASMs is that the new state is some next state, but not necessarily the next one in the concurrent run, and furthermore that the new state may be the result of finitely many agents bringing in each one its update set computed in some earlier state (depending on the agent). For reasons of simplicity of exposition we restricted our attention to sequential ASMs. However, exploiting further the observation stated in Sect. 4 our definition and the sequential as well as the concurrent ASM thesis work also with basic ASMs (whose moves alternate with environment moves [20, Def. 2.4.22]) and with parallel ASMs (see [7, 11]) for which a conjecture of the second author in [59]—namely that for alg(a) to capture unbounded parallelism, only the bounded exploration witness T has to be changed to a finite set of list comprehension terms—could recently be proven and is available in [22] leading to a parallel ASM thesis).
It seems that the concepts of concurrent runs in other wellknown approaches to concurrency we know about satisfy the Concurrency Postulate and can be expressed by concurrent ASM runs, thus experimentally confirming the Concurrent ASM Thesis. A detailed comparative analysis must be left to future work. In the Appendix we sketch however the comparison of concurrent ASMs with two outstanding examples, namely Lamport’s spacetime view of distributed systems (“Appendix 2”) and Petri nets (“Appendix 3”). We would appreciate if readers who have reasons to disagree with our expectation let us know their arguments.
Footnotes
 1.
We note in passing that by its definition this is a global notion of state, including for each transition its relevant token information. The marking functions are termed this way in the Petri net literature (see for example [6, Sect. 5.2.1]) although each transition sees only the local state part marking(p) for its pre and postplaces p.
Notes
Acknowledgments
The first author thanks numerous colleagues with whom he discussed over the years the problems with Gurevich’s distributed ASM runs and what ‘concurrency’ could reasonably mean for ASMs. This includes in particular R. Stärk, D. Rosenzweig, A. Raschke, A. Prinz, M. Lochau, U. Glässer, U. Goltz, A. Fleischmann, I. Durdanović, A. Cisternino, P. Arcaini. We also thank one of the anonymous referees for very careful readings of two previous versions of this paper and for numerous insightful questions and comments for its improvement.
References
 1.Abrial, J.R.: The BBook. Cambridge University Press, Cambridge (1996)CrossRefzbMATHGoogle Scholar
 2.Abrial, J.R.: Modeling in EventB. Cambridge University Press, Cambridge (2010)CrossRefzbMATHGoogle Scholar
 3.Agha, G.: A Model of Concurrent Computation in Distributed Systems. MIT Press, Cambridge (1986)Google Scholar
 4.Banach, R., Hall, A., Stepney, S.: Retrenchment and the atomicity pattern. In: Fifth IEEE International Conference on Software Engineering and Formal Methods, pp. 37–46 (2007)Google Scholar
 5.Banach, R., Jeske, C., Hall, A., Stepney, S.: Atomicity failure and the retrenchment atomicity pattern. Form. Asp. Comput. 25, 439–464 (2013)MathSciNetCrossRefGoogle Scholar
 6.Best, E.: Semantics of Sequential and Parallel Programs. Prentice Hall, Englewood Cliffs (1996)zbMATHGoogle Scholar
 7.Blass, A., Gurevich, Y.: Abstract state machines capture parallel algorithms. ACM Trans. Comput. Log. 4(4), 578–651 (2003)MathSciNetCrossRefGoogle Scholar
 8.Blass, A., Gurevich, Y.: Ordinary interactive smallstep algorithms I. ACM Trans. Comput. Log. 7(2), 363–419 (2006)MathSciNetCrossRefGoogle Scholar
 9.Blass, A., Gurevich, Y.: Ordinary interactive smallstep algorithms II. ACM Trans. Comput. Log. 8(3), 1–41 (2007)MathSciNetGoogle Scholar
 10.Blass, A., Gurevich, Y.: Ordinary interactive smallstep algorithms III. ACM Trans. Comput. Log. 8(3), 1–51 (2007)MathSciNetGoogle Scholar
 11.Blass, A., Gurevich, Y.: Abstract state machines capture parallel algorithms: correction and extension. ACM Trans. Comput. Log. 9(3), 1–32 (2008)MathSciNetGoogle Scholar
 12.Blass, A., Gurevich, Y., Rosenzweig, D., Rossman, B.: Interactive smallstep algorithms I: axiomatization. Log. Methods Comput. Sci. 3(4:3), 1–29 (2007)MathSciNetzbMATHGoogle Scholar
 13.Blass, A., Gurevich, Y., Rosenzweig, D., Rossman, B.: Interactive smallstep algorithms II: abstract state machines and the characterization theorem. Log. Methods Comput. Sci. 3(4:4), 1–35 (2007)MathSciNetzbMATHGoogle Scholar
 14.Börger, E.: Computability, complexity, logic (English translation of Berechenbarkeit, Komplexität, Logik, ViewegVerlag 1985), Studies in Logic and the Foundations of Mathematics, vol. 128. NorthHolland (1989)Google Scholar
 15.Börger, E.: The origins and the development of the ASM method for highlevel system design and analysis. J. Univers. Comput. Sci. 8(1), 2–74 (2002)Google Scholar
 16.Börger, E.: The ASM refinement method. Form. Asp. Comput. 15, 237–257 (2003)CrossRefzbMATHGoogle Scholar
 17.Börger, E.: Construction and analysis of ground models and their refinements as a foundation for validating computer based systems. Form. Asp. Comput. 19, 225–241 (2007)CrossRefzbMATHGoogle Scholar
 18.Börger, E., Fleischmann, A.: Abstract state machine nets. Closing the gap between business process models and their implementation. In: Proceedings of the SBPM ONE 2015. ACM Digital Library. ACM. ISBN:9781450333122 (2015)Google Scholar
 19.Börger, E., Schewe, K.D.: Specifying transaction control to serialize concurrent program executions. In: AitAmeur, Y., Schewe, K.D. (eds.) Proceedings ABZ 2014, LNCS. Springer (2014)Google Scholar
 20.Börger, E., Stärk, R.F.: Abstract State Machines: A Method for HighLevel System Design and Analysis. Springer, Berlin (2003)CrossRefzbMATHGoogle Scholar
 21.Farahbod, R., et al.: The CoreASM Project. http://www.coreasm.org and http://www.github.com/coreasm
 22.Ferrarotti, F., Schewe, K.D., Tec, L., Wang, Q.: A new thesis concerning synchronised parallel computing—simplified parallel ASM thesis. CoRR abs/1504.06203 (2015).arXiv:1504.06203. Submitted for publication
 23.Fleischmann, A., Schmidt, W., Stary, C., Obermeier, S., Börger, E.: SubjectOriented Business Process Management. Springer Open Access Book, Heidelberg (2012). www.springer.com/9783642323911
 24.Genrich, H.J., Lautenbach, K.: System modelling with highlevel Petri nets. Theor. Comput. Sci. 13, 109–136 (1981)MathSciNetCrossRefzbMATHGoogle Scholar
 25.Grädel, E., Nowack, A.: Quantum computing and abstract state machines. In: Börger, E., Gargantini, A., Riccobene, E. (eds.) Abstract State Machines 2003—Advances in Theory and Applications, Lecture Notes in Computer Science, vol. 2589, pp. 309–323. Springer, Berlin (2003)Google Scholar
 26.Gurevich, Y.: Reconsidering Turing’s thesis: toward more realistic semantics of programs. Technical Report CRLTR3684, EECS Department, University of Michigan (1984)Google Scholar
 27.Gurevich, Y.: A new thesis. Amer. Math. Soc. 6(4), 317 (1985)Google Scholar
 28.Gurevich, Y.: Evolving algebras 1993: Lipari guide. In: Börger, E. (ed.) Specification and Validation Methods, pp. 9–36. Oxford University Press (1995)Google Scholar
 29.Gurevich, Y.: Sequential abstract state machines capture sequential algorithms. ACM Trans. Comput. Log. 1(1), 77–111 (2000)MathSciNetCrossRefGoogle Scholar
 30.Gurevich, Y., Mani, R.: Group membership protocol: specification and verification. In: Börger, E. (ed.) Specification and Validation Methods, pp. 295–328. Oxford University Press, Oxford (1995)Google Scholar
 31.Gurevich, Y., Rosenzweig, D.: Partially ordered runs: a case study. In: Gurevich, Y., Kutter, P., Odersky, M., Thiele, L. (eds.) Abstract State Machines: Theory and Applications, LNCS, vol. 1912, pp. 131–150. Springer, Berlin (2000)CrossRefGoogle Scholar
 32.Gurevich, Y., Tillmann, N.: Partial updates. Theor. Comput. Sci. 336(2–3), 311–342 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
 33.Hamburg, U.: The Petri nets bibliography. http://www.informatik.unihamburg.de/TGI/pnbib/index.html
 34.Harris, T., Larus, J., Rajwar, R.: Transactional Memory, 2nd edn. Morgan and Claypool, Los Altos (2010)Google Scholar
 35.Hewitt, C.: What is computation? Actor model versus Turing’s model. In: Zenil, H. (ed.) A Computable Universe: Understanding Computation and Exploring Nature as Computation. Dedicated to the memory of Alan M. Turing on the 100th anniversary of his birth. World Scientific Publishing (2012)Google Scholar
 36.Hoare, C.A.R.: Communicating Sequential Processes. PrenticeHall, Englewood Cliffs (1985)zbMATHGoogle Scholar
 37.Jensen, K.: Coloured Petri Nets  Basic Concepts, Analysis Methods and Practical. Monographs in Theoretical Computer Science. An EATCS Series vol. 3. Springer, Berlin (1997). doi: 10.1007/9783642607943
 38.Lamport, L.: A new solution of Dijkstra’s concurrent programming problem. Commun. ACM 17(8), 453–455 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
 39.Lamport, L.: Time, clocks, and the ordering of events in a distributed system. Commun. ACM 21(7), 558–565 (1978)CrossRefzbMATHGoogle Scholar
 40.Lamport, L.: How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Comput. 28(9), 690–691 (1979)CrossRefzbMATHGoogle Scholar
 41.Lamport, L.: On interprocess communication. Part I: Basic formalism. Part II: algorithms. Distrib. Comput. 1, 77–101 (1986)CrossRefzbMATHGoogle Scholar
 42.Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. AddisonWesley (2003). http://lamport.org
 43.Lamport, L., Schneider, F.B.: Pretending Atomicity. DEC Systems Research Center (1989)Google Scholar
 44.Lamport, L., Lynch, N.: Distributed computing: models and methods. In: J. van Leeuwen (ed.) Handbook of Theoretical Computer Science, pp. 1157–1199. Elsevier (1990)Google Scholar
 45.Lynch, N.: Distributed Algorithms. Morgan Kaufmann (1996). ISBN:9781558603486Google Scholar
 46.Mazurkiewicz, A.: Trace Theory, pp. 279–324. Springer, Berlin (1987)zbMATHGoogle Scholar
 47.Mazurkiewicz, A.: Introduction to trace theory. In: Diekert, V., Rozenberg, G. (eds.) The Book of Traces, pp. 3–67. World Scientific, Singapore (1995)CrossRefGoogle Scholar
 48.Milner, R.: A Calculus of Communicating Systems. Springer (1982). ISBN 0387102353Google Scholar
 49.Milner, R.: Communicating and Mobile Systems: The PiCalculus. Springer (1999). ISBN 9780521658690Google Scholar
 50.Peterson, J.: Petri Net Theory and the Modeling of Systems. PrenticeHall, Englewood Cliffs (1981)zbMATHGoogle Scholar
 51.Petri, C.A.: Kommunikation mit automaten. Ph.D. thesis, Institut für Instrumentelle Mathematik der Universität Bonn (1962). Schriften des IIM Nr. 2Google Scholar
 52.Plosila, J., Sere, K., Walden, M.: Design with asynchronously communicating components. In: de Boer et al., F. (ed.) Proceedings of FMCO 2002, No. 2852 in LNCS, pp. 424–442. Springer (2003)Google Scholar
 53.Prinz, A., Sherratt, E.: Distributed ASMpitfalls and solutions. In: AïtAmeur, Y., Schewe, K.D. (eds.) Abstract State Machines, Alloy, B, TLA, VDM and Z—Proceedings of the 4th International Conference (ABZ 2014), LNCS, vol. 8477, pp. 210–215. Springer, Toulouse (2014)CrossRefGoogle Scholar
 54.Karp, R.M., Miller, R.: Parallel program schemata. J. Comput. Syst. Sci. 3, 147–195 (1969)MathSciNetCrossRefzbMATHGoogle Scholar
 55.Roscoe, A.: The Theory and Practice of Concurrency. PrenticeHall, Englewood Cliffs (1997)Google Scholar
 56.Schewe, K.D., Wang, Q.: A customised ASM thesis for database transformations. Acta Cybern. 19(4), 765–805 (2010)MathSciNetzbMATHGoogle Scholar
 57.Schewe, K.D., Wang, Q.: XML database transformations. J. Univers. Comput. Sci. 16(20), 3043–3072 (2010)zbMATHGoogle Scholar
 58.Schewe, K.D., Wang, Q.: Partial updates in complexvalue databases. In: Heimbürger, A., et al. (eds.) Information and Knowledge Bases XXII, Frontiers in Artificial Intelligence and Applications, vol. 225, pp. 37–56. IOS Press, Amsterdam (2011)Google Scholar
 59.Schewe, K.D., Wang, Q.: A simplified parallel ASM thesis. In: Derrick, J., et al. (eds.) Abstract State Machines, Alloy, B, VDM, and Z—Third International Conference (ABZ 2012), LNCS, vol. 7316, pp. 341–344. Springer (2012)Google Scholar
 60.Schewe, K.D., Wang, Q.: Synchronous parallel database transformations. In: Lukasiewicz, T., Sali, A. (eds.) Foundations of Information and Knowledge Bases (FoIKS 2012), LNCS, vol. 7153, pp. 371–384. Springer, Berlin (2012)Google Scholar
 61.Schneider, F., Lamport, L.: Paradigms for distributed programs. In: Distributed Systems, LNCS, vol. 190. Springer (1985)Google Scholar
 62.Stärk, R.F., Schmid, J., Börger, E.: Java and the Java Virtual Machine: Definition, Verification, Validation. Springer, Berlin (2001)CrossRefzbMATHGoogle Scholar
 63.Wallace, C., Tremblay, G., Amaral, J.N.: An abstract state machine specification and verification of the location consistency memory model and cache protocol. J. Univers. Comput. Sci. 7(11), 1089–1113 (2001)Google Scholar
 64.Wang, Q.: Logical Foundations of Database Transformations for ComplexValue Databases.Logos (2010). http://logosverlag.de/cgibin/engbuchmid?isbn=2563&lng=deu&id=
 65.Wegner, P.: Why interaction is more powerful than algorithms. Commun. ACM 40, 80–91 (1997)CrossRefGoogle Scholar
 66.Winskel, G., Nielsen, M.: Models for concurrency. In: Abramsky, S., Gabbay, D., Maibaum, T.S.E. (eds.) Handbook of Logic and the Foundations of Computer Science: Semantic Modelling, vol. 4, pp. 1–148. Oxford University Press, Oxford (1995)Google Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.