quantitative information in the tuple space coordination model

Theoretical Computer Science 346 (2005) 28–57www.elsevier.com/locate/tcs

Quantitative information in the tuple spacecoordination model

Mario Bravetti, Roberto Gorrieri, Roberto Lucchi∗,Gianluigi Zavattaro

Dipartimento di Scienze dell’Informazione, Università degli Studi di Bologna, Mura Anteo Zamboni 7,I-40127 Bologna, Italy

Abstract

Tuple Spaces is a well-known coordination model at the basis of coordination languages such asLinda, JavaSpaces and TSpaces. Tuple spaces are flat and unstructured multisets of tuples that canbe accessed via output, read, and input operations. We investigate, from an expressiveness viewpoint,the impact of the introduction of quantitative information in the tuple space coordination model inorder to quantify the relevance or importance of each tuple. We consider two possible interpretationsfor this information: in the first case it quantifies a weight indicating how much frequently each tupleshould be retrieved, in the second case it expresses a priority level for the tuples.© 2005 Elsevier B.V. All rights reserved.

Keywords:Tuple space coordination model; Probability; Priority

1. Introduction

The notion ofcoordination modelhas been introduced by Carriero and Gelernter in[8],where a programming-specific meaning of the termcoordinationis reported presenting thefollowing equation [8]:

Programming= Computation+ Coordination

∗ Corresponding author.E-mail addresses:[email protected](M. Bravetti), [email protected](R. Gorrieri), [email protected]

(R. Lucchi),[email protected](G. Zavattaro).

0304-3975/$ - see front matter © 2005 Elsevier B.V. All rights reserved.doi:10.1016/j.tcs.2005.08.004

http://www.elsevier.com/locate/tcs

mailto:[email protected]




M. Bravetti et al. / Theoretical Computer Science 346 (2005) 28–57 29

They formulated this equation arguing that in the design of a concurrent system thereshould be a clear separation between the specification of the components of the systemand the specification of their interactions or dependencies. On the one hand, this separationfacilitates the reuse of components; on the other hand, the same patterns of interactionusually occur in many different problems—so it might be possible to reuse the coordinationspecification as well.

A number of interesting models have been proposed. Examples include “tuple spaces” asin Linda[12], various forms of “multiset rewriting” or “chemical reactions” as in Gamma [2].The common feature of these models is to support the coordination among the collaboratingentities through a common repository of data; for this reason, those models are called data-driven coordination models [19].

Coordination languagesare the linguistic embodiment of coordination models; they area class of programming notations which offer a solution to the problem of specifying andmanaging the interactions among computing entities. In fact, they generally offer languagemechanisms for composing, configuring, and controlling systems made of independent,even distributed, active components.

The tuple space approach is the most prominent among the data-driven coordinationmodels: processes communicate with the other entities in the environment by introducing(executing theout primitive) tuples, i.e. ordered sequences of data, in the tuple space;processes interested in retrieving information useful for coordinating their activities performrd (non-consuming read) orin (consuming input) operations specifying via a templatethe kind of tuples they are interested in. Following this approach, the tuple space is anunstructured and flat bag of tuples. All tuples have the same importance and relevanceinside the shared repository, in the sense that when several tuples match the template of adata-retrieval operation, one of them is selectednon-deterministically.

In this paper we investigate the impact, from an expressiveness viewpoint, of the intro-duction of quantitative information in the tuple space coordination model. This informationcould be used to quantify the relevance or importance of each tuple in the tuple space. Forinstance, a tuple could be more important because it should be retrieved more frequently orwith a higher precedence. The introduction of this information is justified by the existenceof an interesting class of applications whose design could benefit from this enhanced tuplespace coordination model. We briefly discuss two prototypical examples of this class ofapplications.

As a first example, consider the problem of coordinating clients and services in a dynamicenvironment where new services enter and old services exit. In this scenario, a typicalapproach is to exploit a service registry: new services advertise their availability registeringat the service registry, while clients discover new services sending queries to the registry.Thetuple space coordination model is particularly suited for supporting this kind of interactionbetween clients and services. The services register producing a tuple that describes thekind of service they intend to offer, while the clients access the tuple space in order todiscover the actual service availability. In the case more than one service is willing tooffer the required service, according to the standard tuple retrieval mechanism, one ischosen non-deterministically. This is not satisfactory if we intend to distribute in a balancedway the workload, thus to avoid the overwhelming of requests towards one service whileleaving other services under-utilized. This problem can be naturally solved if the tuple space

30 M. Bravetti et al. / Theoretical Computer Science 346 (2005) 28–57

coordination model is extended with the possibility to associate to the tuples a weight,and assuming that tuple retrieval occurs probabilistically depending on those weights. Thehigher is the weight of a tuple, the greater is the probability for that tuple to be retrieved. Inthis enhanced coordination model, it is sufficient for a service to calculate a weight whichquantifies (the inverse of) its current workload and associate it to the tuple used for theadvertisement.

As a second example, consider a master–worker application where the masters producejobs that are executed from the workers. Tuple spaces are particularly suited for this kind ofapplications: masters produce job requests storing tuples in the tuple space, while workersaccess the tuple space to retrieve the description of the jobs to execute. However, due tonon-determinism in tuple retrieval, it could be the case that a job is never executed becausethe masters indefinitely select more recent requests. Besides this problem of fairness, thereare cases in which some job is to be executed more urgently with respect to the otherones. For instance, a job requested within a fire or an earthquake alarm should be executedby workers as soon as possible independently of the other currently available jobs. Thisscenario (as well as the problem of fairness) could be easily tackled assuming a tuplespace coordination model extended with the possibility to decorate tuples with an urgencylevel.

1.1. Paper contribution and structure

In order to perform a formal investigation of the impact of the introduction of quantitativeinformation in the tuple space coordination model, we need to introduce some adequateformal model.To be as general as possible, we intend to exploit a model which is independentof the different tuple space coordination languages available in the literature. For instancewe model tuples as sequences of names all belonging to a unique sort. In other words,we do not consider typed fields as it happens e.g. in languages such as C-Linda[22] orJavaSpaces [11], where the fields are typed with C types or Java classes, respectively. Weconsider three coordination primitives:out to produce a new tuple,in andrd to consumeand read tuples, respectively. Thein andrd primitives use templates to indicate the kind oftuple to be retrieved: a template is an ordered sequence of names and wildcards. A tuplematches a template if it has the same length and it has the same names in the exact positionwhere they appear in the template.

We embed the coordination primitives in a minimal language that comprises only threeconstructs: a prefix operator that associates to a primitive its continuation, a parallel operatorto glue together the processes that coordinate through the tuple space, and a replicationoperator used to support a limited form of recursive behavior. The obtained formal modelingof the tuple space coordination model is calledLinCa .

After, we extend the syntax ofLinCa adding the possibility to associate quantitativelabels to tuples; we equip the new syntax with two different semantics thus obtaining twocalculi,PrioLinCa in which the quantitative labels denote priorities andProbLinCa inwhich they represent weights. These calculi permit to formally prove gap of expressivenessbetween the considered extensions and the native tuple space model.

The gap of expressiveness betweenLinCa andPrioLinCa is rather surprising; theaddition of a minimum structure of priority, comprising only two priority levelshigh and


low, is sufficient to increase the expressive power of the calculus fromTuring incompletenessto Turing completeness. Indeed, we show how to model Random Access Machines (a well-known register based Turing powerful formalism) using two levels of priority, and we provethat such an encoding cannot be provided inLinCa because termination is decidable forsuch a calculus.

On the other hand, the gap of expressiveness we prove betweenLinCa andProbLinCafollows a more traditional discriminating technique between non-deterministic and prob-abilistic behavior in distributed systems with asynchronous communication. Namely, weconsider theleader election problem(see, e.g.,[1]), and we show that it can be solved forsymmetric systems only inProbLinCa while this is not the case forLinCa .

The paper is structured as follows. In Section 2 we present theLinCa calculus. InSection 3 we extend the syntax ofLinCa introducing the quantitative labels, we providethe prioritized semantics (thus obtaining thePrioLinCa calculus) and we formally proveour first gap of expressiveness modeling Random Access Machines inPrioLinCa andproving that termination is decidable inLinCa . In Section 4 we present the probabilisticsemantics (thus obtaining theProbLinCa calculus) and we discuss how weights on tuplespermit to solve the leader election problem (the proof of the impossibility to solve leaderelection inLinCa is reported inAppendixA). Finally, in Section 5 we draw some conclusiveremark discussing how our results, proved on abstract formal models, adapt to concrete tuplespace coordination languages.

2. LinCa: the Linda calculus

The coordination primitives that we basically have in Linda-like coordination languagesare:out(e), in(t) andrd(t). The output operationout(e) inserts a tuplee in the tuple space(TS for short). Primitivein(t) is the blocking input operation: when an occurrence of atuple e matching witht (denoting a template) is found in the TS, it is removed fromthe TS and the primitive returns the tuple. The read primitiverd(t) is the blocking readoperation that, differently fromin(t), returns the matching tupleewithout removing it fromthe TS.

The tuples are ordered and finite sequences of typed fields, while template are orderedand finite sequences of fields that can be eitheractualor formal (see [22]): a field is actualif it specifies a type and a value, whilst it is formal if the type only is given. For the sake ofsimplicity, in the formalization of Linda we are going to present, fields are not typed.

Formally, letMess, ranged over bym,m′, . . ., be a denumerable set of messages andVar,ranged over byx, y, . . ., be the set of data variables. In the following, we use�x, �y, . . ., todenote finite sequencesx1; x2; . . . ; xn of variables.

Tuples, denoted bye, e′, . . ., are finite and ordered sequences of data fields (we usearity(e) to denote the number of fields ofe), whilst templates, denoted byt, t ′, . . ., are finiteand ordered sequences of fields that can be either data or wildcards (used to match with anymessage).

Formally, tuples are defined as follows:

e = 〈�d〉,


where�d is a term of the following grammar:

�d ::= d | d; �dd ::= m | x.

The definition of template follows:

t = 〈 �dt〉,where �dt is a term of the following grammar:

�dt ::= dt | dt; �dtdt ::= d | null.

A data field dcan be a message or a variable. The additional valuenull denotes the wildcard,whose meaning is the same of formal fields of Linda, i.e. it matches with any field value.In the following, the setTuple(resp.Template) denotes the set of tuples (resp. templates)containing no variable.

The matching rule between tuples and templates we consider is the classical one of Linda,whose definition is as follows.

Definition 2.1 (Matching rule). Let e = 〈d1; d2; . . . ; dn〉 ∈ Tuple be a tuple,t = 〈dt1; dt2; . . . ; dtm〉 ∈ T emplate be a template; we say thate matchest (denotedby e� t) if the following conditions hold:(i) m = n.

(ii) dti = di or dti = null, 1≤ i ≤ n.Condition (1) checks ife and t have the same arity, whilst (2) tests if each non-wildcardfield of t is equal to the corresponding field ofe.

Processes, denoted byP,Q, . . ., are defined as follows:P, Q, . . . ::= processes

0 null process| out (e).P output| rd t (�x).P read| in t (�x).P input| P | P parallel composition| !in t (�x).P replication

A process can be a terminated program0 (that we usually omit), a prefix form�.P ,the parallel composition of two programs, or the replication of a program. The prefix�can be one of the following coordination primitives: (i)out (e), that writes the tuplee inthe TS; (ii) rd t (�x), that given a templatet reads a matching tuplee in the TS and storesthe return value in�x; (iii) in t (�x), that given a templatet consumes a matching tupleein the TS and stores the return value in�x. In both therd t (�x) and in t (�x) operations(�x)is a binder for the variables in�x. The parallel compositionP | Q of two processesPandQ behaves as two processes running in parallel. Infinite behaviors can be expressed


using the replication operator!in t (�x).P . Replication is a typical operator used in processcalculi to denote the parallel composition of an unbounded amount of instances of the sameprocess. In our calculus we restrict the application of replication to input guarded processes.This is justified by the fact that replicated output operation (resp. read operations), maygive rise to an undesired behavior by producing (reading) a tuple an unbounded amountof time.

In the following, P [d/x] denotes the process that behaves asP in which all occur-rences ofx are replaced withd. We also useP [ �d/�x] to denote the process obtained byreplacing inP all occurrences of variables in�x with the corresponding value in�d, i.e.P [d1; d2; . . . ; dn/x1; x2; . . . ; xn] = P [d1/x1][d2/x2] . . . [dn/xn].

We say that a process iswell formedif each prefix of kindrd/in 〈 �dt〉(�x) is such that thevariables�x and the data�dt have the same arity. Notice that in therd t (�x) andin t (�x) oper-ations we use a notation which is different from the standard Linda notation: we explicitlyindicate in(�x) the variables that will be bound to the actual fields of the matching tuple,while in the standard Linda notation these variables are part of the template. Observe thatthe two notations are equivalent up to the fact that our notation introduces variables also inassociation to the formal fields of the template. In the following, we consider only processesthat are well formed;Processdenotes the set of such processes.

Let DSpace, ranged over byDS, DS′, . . ., be the set of possible configurations of theTS, that isDSpace= Mfin(Tuple), whereMfin(S) denotes the set of all the possible finitemultisets onS. In the following, we useDS(e) to denote the number of occurrences ofewithin DS ∈ DSpace. The setSystem= {[P,DS] | P ∈ Process,DS ∈ DSpace}, rangedover bys, s′, . . ., denotes the possible configurations of systems.

The semantics we use to describe processes interacting via coordination primitives isdefined in terms of a transition system(System,−→), where→⊆ System× System. Moreprecisely,−→ is the minimal relation satisfying the axioms and rules of Table1 (symmetricrule of (4) is omitted).(s, s′) ∈−→ (also denoted bys −→ s′) means that a systemscan evolve (performing a single action) in the systems′. Finally, we uses −→+ s′ (resp.s −→∗ s′) for the transitive (resp. reflexive and transitive) closure of−→. A computations1 −→ s2 −→ · · · −→ sn is maximal if there exists nos′ such thatsn −→ s′. We say that aprocessterminatesif it has a finite maximal computation.

Axiom (1) describes the output operation that produces a new occurrence of the tuplee inthe shared spaceDS(DS⊕e denotes the multiset obtained byDSincreasing by 1 the numberof occurrences ofe). Rules (2) and (3) describe thein and therd operations, respectively: ifa matchinge tuple is currently available in the space, it is returned at the process invokingthe operation and, in the case ofin, it is also removed from the space (DS− e denotes theremoval of an occurrence ofefrom the multisetDS). Rule (4) represents a local computationof processes, whilst (5) the replication operator that produces a new instance of the processand copies itself.

2.1. Examples

Here, we report some simple examples with the aim of introducing the reader to thenotation used inLinCa . These examples are inspired by the master–worker applicationsand the service registry discussed in Introduction.


Table 1Semantics ofLinCa . Symmetric rule of (4) omitted

(1) [out (e).P ,DS] −→ [P,DS⊕ e]

(2)∃ e ∈ DS : e� t

[in t (�x).P,DS] −→ [P [e/�x],DS− e]

(3)∃ e ∈ DS : e� t

[rd t (�x).P,DS] −→ [P [e/�x],DS]

(4)[P,DS] −→ [P ′,DS′]

[P | Q,DS] −→ [P ′ | Q,DS′]

(5)[in t (�x).P,DS] −→ [P ′,DS′]

[!in t (�x).P,DS] −→ [P ′ | !in t (�x).P,DS′]

Example 2.2(Master–worker). The idea is that masters request a job supplied by workersby inserting a tuple containing the job and workers select jobs by retrieving such tuplesfrom the space. Letjob ∈ Messbe a job; the proceduressubmit(job) andsupply_job, whichsubmits and supplies a job, respectively, are defined as follows:

submit(job)def= out(〈job〉),

supply_jobdef= in 〈null〉(x).Supply(x),

whereSupply(x) is the process performing the jobx. It is clear that the workers selectsubmitted jobs in a non-deterministic way, thus preventing to manage different urgencylevels of jobs.

Example 2.3(Service registry). In this case the tuple space is used as a services registry.The registration of a new service consists of inserting a new tuple containing the serviceinformation. To discover services, processes can perform read operations. Lets ∈ Messandpl ∈ Messbe a task and a link to a service, respectively. The procedureregister(s, pl),which registers a service supplying tasks that is available at linkpl, is defined as follows:

register(s, pl)def= out (〈s;pl〉),

while the procedurediscover(s), which discovers a service supplying tasks, is defined asfollows:

discover(s)def= rd 〈s; null〉(x1; x2).


where at the end of the computationx2 will contain the link to a service supplying tasks.When more than one service is available, the retrieved link is non-deterministically chosen.

3. PrioLinCa: the calculus with prioritized data retrieval

We extend the syntax ofLinCa permitting to decorate each tuple with quantitativeinformation in terms of aquantitative label. This is a positive (non-zero) natural numberthat can be associated to the tuples in order to quantify the relevance of the tuple inside thetuple space.

In this section we analyze the expressiveness of the quantitative labels when they areinterpreted as priorities. Priorities on tuples represent an absolute preference of the currentlyavailable tuples in the shared space. More precisely, if a process performing ard/in operationreceives as the return value a tuplee, there is no currently available matching tuplee′ in TSsuch that its priority level is greater than the one ofe.

We present a model that formalizes the following intuition: priorities on tuples are setby the output operations and the data-retrieval operations return a matching tuple with thehighest priority among the available ones. The obtained calculus is namedPrioLinCa .We prove thatPrioLinCa is expressive enough for modeling Random Access Machines(RAMs) [24], a well-known Turing powerful formalism. On the contrary, we show that suchan encoding cannot be provided inLinCa as termination (the existence of a terminatingcomputation) is decidable in the calculus without quantitative labels.

3.1. The syntax with quantitative labels

In order to add the quantitative labels, the syntax ofLinCa is slightly modified as follows.Let QLab, ranged over byl, l′, . . ., be the set of the possible quantitative labels. Even

if not necessary, for the sake of simplicity, we assume to use positive (non-zero) naturalnumbers as quantitative labels, thusQLabcoincides withNI \ {0}. Tuples are now definedas follows:

e = 〈�d〉 [l] ,

wherel ∈ QLab and �d is a sequence of data fieldsd that are defined by the followinggrammar:

d ::= m | l | x.A data fieldd now can be a message, a quantitative label, or a variable. We also define·as the function that, given a tuplee, returns its sequence of data fields (e.g. ife = 〈�d〉 [l]thene = �d). In the following, we denote withQL the function that, given a tuple, returnsits quantitative label (e.g., ife = 〈�d〉 [l] thenQL(e) = l). Quantitative labels are notconsidered in the matching rule whose definition is unchanged.

Example 3.1(Master–worker with job priorities). We extend the Example2.2 by allowinga classification betweencritical andstandardjobs. Critical jobs must be executed as soonas a free worker is available. We can program such a system using ‘critical’ and ‘standard’


Table 2Semantics ofPrioLinCa . Rules (1), (4) and (5) of Table1 omitted

(2′)∃ e ∈ DS : e� t ∀e′ ∈ DS : e′� t QL(e) ≥ QL(e′)

[in t (�x).P,DS] −→ [P [e/�x],DS− e]

(3′)∃ e ∈ DS : e� t ∀e′ ∈ DS : e′� t QL(e) ≥ QL(e′)

[rd t (�x).P,DS] −→ [P [e/�x],DS]

as symbolic names representing quantitative labels, and interpretingcritical as a priorityhigher thanstandard. Thus, the two procedures for job submissions become

submitCritical(job)def= out(〈job〉[critical]),

submitStandard(job)def= out(〈job〉[standard]).

The workers can supply a job by using the following procedure:

supply_jobdef= in 〈null〉(x).Supply(x)

that is exactly the one defined in Example2.2. In this way, when a worker performs thesupply_job procedure it is ensured that no standard jobs are served in case at least onecritical job has been submitted.

3.2. The prioritized semantics

In order to formalize the prioritized semantics we follow an approach similar to the oneadopted in [3,4] where priorities are represented in terms of attributes.

The new semantics extends that ofLinCa by verifying that when therd/in primitivesare performed all the available matching tuples have a lower priority with respect to thepriority of the returned one. The semantics is thus obtained by taking the rules in Table 1and replacing rules (2) and (3) with those reported in Table 2.

Informally, priority levels partition the space: the idea is that the search space is restrictedto the partition ofDSwhich has the greatest priority level and contains a matching tuple.

3.3. Modeling RAMs inPrioLinCa

We show thatPrioLinCa is expressive enough for encoding any Random AccessMachine (RAM) [24], that is a Turing complete formalism. In Section 3.4 we prove thatsuch an encoding cannot be provided inLinCa by showing that process termination isdecidable in that calculus. This is proved by giving the semantics ofLinCa in terms ofPetri nets where deadlock is decidable.


Definition 3.2. A RAM is a computational model composed of a finite set of registers,that can hold arbitrary natural numbers, and by a program, that is a sequence of simplenumbered instructions, like arithmetical operations (on the contents of registers) or con-ditional jumps. Programs receive the input parameters in registersr1, . . . , rm, that canhold arbitrary large numbers; any other register used by the program during the compu-tation rm+1, . . . , rn are supposed to contain the value 0 when it starts. The program exe-cution starts with the first instruction and continues by executing the other instructions insequence, unless a jump instruction is encountered. The execution stops when an instructionnumber higher than the length of the program is reached; this happens if the program wasexecuting the last instruction of the program and this instruction does not require a jump,or if the current instruction requires a jump to an instruction number not appearing in theprogram. The output of the program, if it terminates, is represented by the value of certainregisters.

In [16] it is shown that recursive functions can be modeled by RAMs programmed withthe following instructions only:• Succ(rj ): adds 1 to the contents of registerrj ;• DecJump(rj , s): if the contents of registerrj is not zero, then decreases it by 1 and go to

the next instruction, otherwise jumps to instructions.The state of the computation is represented by means of configurations. A configuration

is denoted by(i, c1, c2, . . . , cn) where i indicates that the next instruction to execute isthe ith andcl is the contents of the registerrl for l = 1, . . . , n. Given a programR and aconfiguration(i, c1, c2, . . . , cn) we use the notation:

(i, c1, c2, . . . , cn) −→R (j, c′1, c

′2, . . . , c

′n)

to state that after the execution of theith instruction of the programRwith contents of theregistersc1, . . . , cn, the program counter points to thej th instruction, and the registers willcontainc′1, . . . , c′n.

The technique we use to encode RAM programs is inspired by the one used in[5]. Inthat paper RAMs are modeled as follows. Each unit inside a registerrj is modeled withan instance of the tuple〈rj 〉. In this way, an increment instruction onrj simply produces anew instance of〈rj 〉, while a decrement instruction removes, if available, one instance of〈rj 〉. In this last case, the consumption operation is performed using aninp operation;inpis a non-blocking version ofin which terminates communicating failure in case no tuple isavailable for consumption.

In PrioLinCa , non-blocking primitives similar toinp are not available. Thus, we haveto modify the representation of registers in order to avoid blocking in case a decrementoperation is performed on an empty register. The solution we adopt exploits two levels ofpriority that we callhigh and low (where the former is greater than the latter). An emptyregisterrj is modeled by a tuple〈rj ,empty〉[low]. Each unit insiderj is represented bya tuple〈rj ,nonempty〉[high]. When a decrement operation is performed, the instructionin〈rj ;null〉(x1; x2) is executed; this operation cannot block because at least one tuple among〈rj ,nonempty〉[high] and〈rj ,empty〉[low] is available. As the units〈rj ,nonempty〉[high]have a higher priority w.r.t.〈rj , empty〉[low], it is ensured that the variablex2 is assignedthe valueemptyif and only if the register is actually empty. In this way it is enough to test


the value ofx2 in order to chose the correct continuation, either incrementing the programcounter by 1 or jumping.

Formally, we encode RAMs by defining systems[P,DS] in which (i) program statesdefine the tuple spaceDS, and (ii) program instructions define the processP.

Program states are encoded by means of tuples. Given the configuration(i, c1, c2, . . . , cn),the next instruction is indicated by the tuple〈pi〉[l] (l arbitrary), while the value of reg-ister rj is encoded bycj occurrences of the tuple〈rj ;nonempty〉[high] and by one tuple〈rj ;empty〉[low] (wherelow< high), for 1≤ j ≤ n. It is worth noting thatin 〈rj ,null〉(�x).P (the same holds forrd) retrieves the tuple〈rj ;empty〉[low], that we call bottom ofrj , onlyin the case no occurrences of〈rj ;nonempty〉[high] are available and this happens when thevalue of the registerrj is 0.

Formally, the encoding of program states that determines the configuration of the tuplespace is defined as follows:

[[(i, c1, c2, . . . , cn)]] def= 〈pi〉[l] ⊕ 〈r1;empty〉[low] ⊕ · · · ⊕ 〈rn;empty〉[low]⊕〈r1;nonempty〉[high] ⊕ · · · ⊕ 〈r1; nonempty〉[high]︸︷︷︸

c1 times

⊕

. . .

⊕ 〈rn;nonempty〉[high] ⊕ · · · ⊕ 〈rn;nonempty〉[high]︸︷︷︸cn times

.

LetRbe a program composed of the sequence of instructionsI1 . . . Ik. Each instruction ismodeled by a replicated process guarded by an input operation on the corresponding programcounter tuple. Instructions are replicated because they can be executed an unbounded amountof time during the computation. Formally we define the encoding for instructions as follows:

[[R]] def= [[I1]] | . . . | [[Ik]][[i : Succ(rj )]] def= !in〈pi〉(x).out(〈rj ; nonempty〉[high]).out(〈pi+1〉[l])[[i : DecJump(rj , s)]] def= !in〈pi〉(x).in〈rj ; null〉(x1; x2).out(〈cnti; x2〉[l]) |

!in〈cnti; nonempty〉(y1; y2).out(〈pi+1〉[l]) |!in〈cnti; empty〉(y1; y2).out(〈rj ; empty〉[low]).out(〈ps〉[l])

.

The increment instruction simply produces a new instance of the register tuple and thenincrements the program counter. The decrement instruction requires a more complex en-coding. It is composed of three replicated processes. The first process is responsible forstarting the instruction by trying to decrement the register; the other two processes managethe two possible continuations. The first of these two possible continuations is activatedif the decrement succeeded and simply increments the program counter; the second onemanages the case in which the register is empty by performing the corresponding jump.

After having consumed the corresponding program counter, the first process performsthe input operationin〈rj ;null〉(x1; x2); as discussed above the variablex2 is assigned witheithernonempty(if the decrement has succeeded) orempty(if the register is actually empty).After, the output operationout (〈cnti; x2〉[l]) is executed, wherel is an arbitrary priority


andcnti is a datum indicating that one of the two continuations should start. The correctcontinuation is selected by the second fieldx2. The continuations are simple; the uniquerelevant note is that in the case the register is empty the tupleout (〈rj ;empty〉[low]) shouldbe reproduced as it could be read in subsequent decrement instructions.

In order to formalize the correctness of the encoding, we abstract away from the emptyprocesses that are produced during the computation; namely, we do not distinguish theprocessP from the processes0|P andP |0.

Theorem 3.3. Let R be a RAM program, then• Soundness: for any maximal computation[[[R]], [[(i, c1, c2, . . . , cn)]]] −→ [P1,DS1] −→ [P2,DS2] −→ · · ·there exist i and a configuration(j, c′1, c′2, . . . , c′n) such that

[Pi,DSi ] =[[[R]], [[(j, c′1, c′2, . . . , c′n)]]

]and

(i, c1, c2, . . . , cn) −→R (j, c′1, c

′2, . . . , c

′n)

• Completeness: if(i, c1, c2, . . . , cn) −→R (j, c′1, c

′2, . . . , c

′n) then also

[[[R]], [[(i, c1, c2, . . . , cn)]]] −→+ [[[R]], [[(j, c′1, c′2, . . . , c′n)]]].

Proof. By cases on the possible instruction (either increment, decrement or jump) thatcan be activated. In the proof of soundness we use the fact that the program counter tuple〈pi〉[l] in the system[[[R]], [[(i, c1, c2, . . . , cn)]]] ensures that only the agent correspondingto theith instruction can start the maximal computation; moreover the computation evolvesdeterministically. �

Corollary 3.4. Let R be a RAM program and(i, c1, c2, . . . , cn) its initial configuration.The RAM R terminates if and only if[[[R]], [[(i, c1, c2, . . . , cn)]]] terminates.

Proof. We first observe that given a configuration(i′, c′1, c′2, . . . , c′n) the system[[[R]], [[(i, c′1, c′2, . . . , c′n)]]]

has no outgoing transition if and only if the configuration(i′, c′1, c′2, . . . , c′n) is a final configuration for the RAMR.After we observe that given the RAM computation that terminates, by completeness we canproduce a finite computation that is maximal for the above observation.

On the other hand, given a finite maximal computation of the encoding, by soundness wecan produce a RAM computation by partitioning the maximal computation in such a waythat each fragment of the computation corresponds to a RAM step; in light of the aboveobservation this RAM computation reaches a terminating configuration.�

From this Corollary we can conclude that termination ofPrioLinCa systems is unde-cidable.

3.4. Deciding termination inLinCa

We show that the calculusLinCa is less expressive than the prioritized extensionPrioLinCa by proving that it is not expressive enough for modeling faithfully RAMs.This is a consequence of the fact that termination turns to be decidable inLinCa .


To prove this decidability result we present an encoding ofLinCa systems into finitePlace/Transition nets that preserves the existence of a finite computation; the decidabilityof termination follows from the fact that the deadlock problem is decidable[20] for finitePlace/Transition nets.

This proof technique has been already used in [5] to prove that the deadlock problem isdecidable in a Linda language equipped with a different semantics for the output operation,calledunordered. An output is unordered if there is an unpredictable delay between theexecution of the operation and the actual availability of the emitted tuple in the space. Besidesthe different semantics of the output operation, there are two other main differences betweenthe calculus in [5] andLinCa . In LinCa the system state is represented by a pair composedof the processes and the tuple space, while in [5] the system glues together processes andtuples that are terms of the same algebra. InLinCa thein andrd operations permit to acquirenames using wildcards while in [5] tuples as well as templates are composed of only onename, and no wildcards are permitted. This difference has the following consequence: in[5] the execution of anin or rd operation has only one possible continuation, while inLinCa there are different continuations depending on the actually acquired names. Thus,it is necessary to prove that the Place/Transition nets obtained by encodingLinCa systemsare finite also in this more general case. Informally, such a condition holds because thecalculus does not allow new names definition, and the number of possible continuationsis always less than the number of tuples that can be produced with the (finite) number ofinitially available names.

Definition 3.5. A P/T system is a tripleN = (S, T ,m0) whereS is the set ofplaces,T ⊆ Mfin(S)×Mfin(S) is the set of transitions, andm0 is a finite multiset over the setSof places. Finite multisets over the setSof places are calledmarkings; m0 is calledinitialmarking. Given a markingm and a places, we say that the places containsm(s) tokens.We also definedom(m) as the domain ofm which is defined as the set of placess withm(s) > 0. A P/T system is finite if bothSandT are finite.

A transition� = (c, p) (also denoted byc −→ p) is composed of the markingc (usuallycalled preset and denoted by•�) which represents the tokens to be consumed, and themarkingp (usually called postset and denoted by�•) which represents the tokens to beproduced. A transition� can be performed at a markingm if •� ⊆ m and the reached

marking ism′ = (m \ •�) ⊕ �•. This is written asm�−→m′ or simplym−→m′ when

the transition� is not relevant. We use� to range over sequences of transitions; the empty

sequence is denoted by�; let� = �1, . . . , �n, we writem�−→m′ to mean the firingsequence

m�1−→ · · · �n−→m′. We say thatm′ is reachable from mif there exists� such thatm

�−→m′.A marking m is deadif � ∃m′ s.t.m−→m′. The netN = (S, T ,m0) has adeadlockif

there exists a dead marking reachable fromm0. The deadlock problem for a net consists ofdeciding if it has a deadlock.

Now we show that anyLinCa system can be represented by a finite P/T net: places areused to represent tuples and sequential processes. By sequential process we mean a processthat is guarded by a coordination primitive or replicated (remember that replication can beapplied only to processes guarded by input operations).


In this respect, parallel processes can be encoded by defining a place for every sequentialprocess it contains or that can be reached during the computation; the transitions are usedto describe the system behavior.

We useS to denote the possible places for the P/T nets we consider:

S = {P | P is a sequential process} ∪ {e | e ∈ Tuple}.

We define the decomposition functiondec : System→ Mfin(S) that mapsLinCa sys-tems into markings as follows:

dec([P,DS]) = decp(P ),DSdecp(0) = � decp(�.P ) = {�.P }decp(P |Q) = decp(P ), decp(Q) decp(!in t (�x).P ) = {!in t (x).P }.

We also defineT as the transition set obtained as instances of the following axiomsschemata (we parameterize the axioms in order to identify specific instances):

IN(t, e,Q) in t (�x).Q, e −→ dec(Q[e/�x]) if e� t,

RD(t, e,Q) rd t (�x).Q, e −→ dec(Q[e/�x]), e if e� t,

OUT (e,Q) out (e).Q−→ e, dec(Q)

REP(t, e,Q) !in t (�x).Q, e −→ !in t (�x).Q, dec(Q [e/�x]) if e� t.

Axioms IN, RD andOUT describe the three prefixes, whileREPare the transitions whichdescribe the behavior of the replication operator.

Let ma([P,DS]) be a function which returns the maximum among the arity of thelongest tuple contained inDS, or the arity of the longest template or tuple inP. Obvi-ously,ma([P,DS]) is finite for anyLinCa system[P,DS]. We also definedf (P ) anddf (DS) as the functions that return the set of data fields, except the variables, containedin P andDS, respectively. WithTup[P,DS] we denote the set of tuples that can be obtainedcombining the possible data fields appearing in the system[P,DS] for an arity less thanthe maximal arity appearing in the same system:

Tup[P,DS] = {e ∈ Tuple| df (e) ⊆ df (P ) ∪ df (DS) andarity(e) ≤ ma(P,DS)}.

This set is clearly finite for any system[P,DS].Since the calculus uses value passing, the set of places should be defined taking into

account all the possible substitutions of formal variables to actual received messages.

Prc[P,DS] = {Q | Q is obtained by a sequential subprocess ofP

changing its variables with values ofdf (P ) ∪ df (DS)}.

Observe that also this set is finite for any system[P,DS].We are now in place for formally defining the P/T net associated with aLinCa

system.


Definition 3.6. Let [P,DS] be aLinCa system, the corresponding P/T net, denoted byNet([P,DS]) = (S, T ,m0), is defined as follows:

S = Tup[P,DS] ∪ Prc[P,DS],T = {c→ p | (c, p) ∈ T s.t.dom(c) ⊆ S},m0 = dec([P,DS]).

As Tup[P,DS] andPrc[P,DS] are finite for anyLinCa system[P,DS], we can concludethatNet([P,DS]) is finite.

In the remaining part of this section we will prove that the encoding respects the transitionsystem semantics ofLinCa given in Section2, thus the deadlock problem is decidable inLinCa . In order to prove this result, formalized in Theorem 3.9, we exploit Propositions 3.7and 3.8 which show that for any transition performable by aLinCa systems′whose markingis legal in the P/T net corresponding to the systems there exists a transition in the net inwhich the reached marking is the decomposition of the state reached bys′, and vice versa.

Proposition 3.7. Let sl ∈ System be aLinCa system andNet(sl) = (S, T ,m0) be thecorrespondingP/T net. Lets ∈ System be a system s.t. dom(dec(s)) ⊆ S, then ifs −→ s′there exists� ∈ T s.t. dec(s)

�−→ dec(s′).

Proof. We proceed by induction on the derivation of the transitions −→ s′. We have thefollowing base cases; the transition is proved using either (1), (2), (3) or (5) of Table1. Wereport the analysis of the first case (the other cases are similar).

If s −→ s′ is proved using directly the axiom (1) we have thats = [out (e).P ,DS]and s′ = [P,DS⊕ e]. Sincedec([out (e).P ,DS]) = {out (e).P } ⊕ DS ⊆ S, thenOUT (e, P ) ∈ T . By performingOUT (e, P ) at marking{out (e).P } ⊕ DS the reachedmarking isdecp(P ) ⊕ e ⊕ DS. Finally, it is easy to verify that this is the decompositionof s′.

In the inductive case we have that the last rule to be applied in the derivation ofs −→ s′is (4) or its symmetric. In the first of these two cases we have thats = [P |Q,DS] ands′ = [P ′|Q,DS′] as well as[P,DS] −→ [P ′,DS′]. By induction hypothesis, we have that

dec([P,DS]) �−→ dec([P ′,DS′]) for some� ∈ T . This transition can be fired also in anymarking greater thandec([P,DS]), thus also fordec([P |Q,DS]) = decp(P )⊕decp(Q)⊕DS; the reached marking isdecp(P ′)⊕ decp(Q)⊕DS′ = dec([P ′|Q,DS′]). The analysisfor the symmetric rule is similar. �

Proposition 3.8. Let sl ∈ System be aLinCa system andNet(sl) = (S, T ,m0) bethe correspondingP/T net. Let s ∈ System be a system s.t. dom(dec(s)) ⊆ S, then if

dec(s)�−→m′ there existss′ ∈ System s.t. s −→ s′ anddec(s′) = m′.

Proof. We proceed by case analysis on the type of the transition�. We discuss here onlythe case of transition of typeIN(t, e,Q).

If � = IN(t, e,Q) then dec(s) = e ⊕ {in t (�x).Q} ⊕ m, for somem, andm′ =dec(Q[e/�x]) ⊕ m. By considering the functiondec the systems must be of the form[in t (�x).Q|P, e ⊕ DS

]for someP and DS wheredec([P,DS]) = m. According with


Table1, we have thats = [in t (�x).Q|P, e ⊕ DS

] → [Q[e/�x]|P,DS

]whose decomposi-

tion corresponds withm′. �

Theorem 3.9. Let s ∈ System be aLinCa system.• Soundness: ifdec(s)−→m1 · · · −→mn in Net(s) then there exists1 · · · sn such thats −→ s1 · · · −→ sn anddec(si) = mi for i = 1, . . . , n;

• Completeness: ifs −→ s1 · · · −→ sn thendec(s)−→ dec(s1) · · · −→ dec(sn) inNet(s).

Proof. By induction onn: by exploiting Proposition3.8 for Soundness and Proposition 3.7for Completeness. �

Corollary 3.10. Termination is decidable inLinCa systems.

Proof. It directly follows from the decidability of deadlock in finite P/T nets, and by the factthat our encoding ofLinCa systems into finite P/T nets defines a one-to-one mapping fromfinite maximal computations of theLinCa system into finite maximal firing sequences inthe corresponding net.�

4. ProbLinCa: the calculus with probabilistic data retrieval

In this section we consider the probabilistic interpretation of the quantitative labels.More precisely, the quantitative information is interpreted as aweightthat contributes in thedefinition of a probabilistic distribution indicating the probability for a tuple to be returnedas the result of a data retrieval operation. The principle we follow is the usual one:thegreater is the weight of a tuple, the higher is the probability for that tuple to be retrieved.We start by discussing the probabilistic model that we will adopt and then we formallydefine the semantics of theProbLinCa calculus.

4.1. Probabilistic model

In tuple space coordination languages a probabilistic choice among entities reacting to agiven communication request (e.g. tuples matching a “rd” or “ in” request) requires a muchmore complex mechanism w.r.t. languages employing channel-based communication (like,e.g., those representable by standard process algebras). This is due to the greater complex-ity of the Linda-like matching-based communication mechanism w.r.t. such a simpler formof communication. If we had channel-based communication then we could just considerprobability distributions (i.e. functions assigning probabilities that sum up to 1 to elementsof a given domain) over the messagesa( �d) actually available on the channel typea; whena receive operation is performed on the channel of typea, the channel would “react” tothe request by simply choosing a messagea( �d) for somed according to such a probabilitydistribution (this is what would happen by adopting either the “reactive model” of probabil-ity [13] or the “simple model” of [23]). When we consider the Linda-like matching-basedcommunication mechanism, we loose the separation above between the channel type (whichdecides the set of entities involved in the communication) and the datumd that is read. Since


the set of matching tuples〈 �d〉 is now established from a templatet on data that is chosen bythe “rd” or “ in” operation, it is unavoidable to deal with the situation in which the set ofmatching tuples is a proper subset of the domain of a probability distribution: in this casea re-normalization of “probability” values must be done in order to have them summingup to 1 (this is the same situation that arises for the restriction operator in generative mod-els [13]). Note that the only way to avoid this would be to have an individual probabilitydistribution for each datum〈 �d〉 that is present in the shared space (over the several instancesof such datum), i.e. by treating each different datum〈 �d〉 in the same way as a channel typea in channel-based communication. However, since in this case the channel type wouldcoincide with the datum that is read from the tuple space, reading (or consuming) differenttuples having the same channel type (i.e. different instances of the same datum〈 �d〉) wouldhave the same observable effect on the system, hence probability distributions would beuseless.

As a consequence of this remark, since when the shared space is accessed the prob-abilities of matching tuples must be determined by using re-normalization (on the basisof the “selecting power” of the template in the “rd” or “ in” operation), it is natural toexpress probability statically associated to tuples in the space by means ofweights[25].Usually, a weight is a positive real number which is associated to an entity that can beinvolved in a probabilistic choice: the actual probability that the entity assumes in thechoice is determined from the associated weight depending on the context, i.e. from theweights of the other entities involved in the choice, by re-normalization. In our case, weuse the quantitative label (that is a positive natural number) to identify the weight ofa tuple.

Example 4.1.We indicate the weightw of a tuple associating the notation[w] to the tupleitself. Let us suppose that the tuple space contains three tuples〈m1,m2〉[w], 〈m1,m

′2〉[w′]

and〈m′1,m2′′〉[w′′], then the following happens. If the operationrd 〈null, null〉(x1, x2).

P is performed, the variablesx1, x2 are bound: tom1,m2 with probabilityw/(w+w′+w′′),tom1,m

′2 with probabilityw′/(w+w′+w′′), and tom′1,m2

′′ with probabilityw′′/(w+w′+w′′). If the operationrd 〈m1, null〉(x1, x2). P is performed, the variablesx1, x2 are bound:tom1,m2 with probabilityw/(w+w′) and tom1,m

′2 with probabilityw′/(w+w′). If the

operationrd 〈m1,m2〉(x1, x2).P is performed, the variablesx1, x2 are bound: tom1,m2with probabilityw/w = 1.

Moreover note that since the structure of the shared space is highly dynamic and tuplesare introduced individually in the space, expressing weights associated to tuples seems tobe preferable w.r.t. expressing a single probabilistic distribution over all tuples (generativeapproach of[13]) which is to be updated by re-normalization to value 1 every time a tupleis added or removed. Therefore, due to the inherent re-normalization behavior of Linda,and to the observations we have made, we adopt, like in [4,3], the approach above based onweights.

Example 4.2(Service registry with workload distribution). We extend the Example2.3 byprogramming a discovery service which supports a balanced workload distribution. Weightsare used to express the current workload of services: the higher is the workload, the lower


Table 3Semantics ofProbLinCa

(1) [out (e).P ,DS] −→ [P,DS⊕ e]

(2)∃ e ∈ DS : e� t

[in t (�x).P,DS] −→ �pin t (�x).P,DS

(3)∃ e ∈ DS : e� t

[rd t (�x).P,DS] −→ �prd t (�x).P,DS

(4)[P,DS] −→ �

[P | Q,DS] −→ �|Q

(5)[P,DS] −→ �

[!P,DS] −→ �|!P

is the weight. Thus, the registration procedure must now take into account the workload ofthe service, represented by a weightw

register(s, pl, w)def= out(〈s;pl〉[w]).

In order to discover a service supplying tasksservices can use the following procedure:

discover(s)def= rd 〈s;null〉(x1; x2),

which is exactly the one defined in Example2.3. In this way services with the lowest work-load have the highest probability to be discovered, thus obtaining a workload distributionaccordingly with the probability distribution on the accesses to the tuples.

4.2. The probabilistic semantics

The syntax of theProbLinCa calculus is the same as the syntax defined in Section 3.1.The semantics replaces the standard non-deterministic choice of a tuple among the matchingones in the TS, with a probabilistic choice exploiting weights.

We consider probability distributions taken from the following setProb: Prob ={� | � : System−→ [0,1] ∧ supp(�) is finite ∧∑

s∈System�(s) = 1}, wheresupp(�) ={s | �(s) > 0}.

The operational semantics ofProbLinCa is defined in terms of a probabilistic transitionsystems(System,Prob,−→), where→⊆ System×Prob. More precisely,−→ is the minimal


Table 4Probability distributions

�pin t (�x).P,DS(s) =

QL(e) · DS(e)

∑e′∈DS:e′ � t QL(e′) · DS(e′)

if s = [P [e/�x],DS− e]with e ∈ DS ∧ e� t,

0 o.w.

�prd t (�x).P,DS(s) =

∑e′∈DS:e′ � t∧P [e′/�x]=P [e/�x] QL(e

′) · DS(e′)∑e′∈DS:e′ � t QL(e′) · DS(e′)

if s = [P [e/�x],DS]with e ∈ DS ∧ e� t,

0 o.w.

�|Q(s) =

�([P ′,DS

]) if s = [P ′ | Q,DS],

P ′ ∈ Process∧ DS∈ DSpace,

0 o.w.

relation satisfying the axioms and rules of Table3. (s, �) ∈−→ (also denoted bys −→ �)means that a systems can reach a generic system configuration, says′ ∈ System, with aprobability equal to�(s′). Note that, several probability distributions may be performablefrom the same states, i.e. it may be thats −→ � for several different�. This means that(like in the simple model of [23]) whenever the system is in states, first a non-deterministicchoice is performed which decides which of the several probability distributions� mustbe considered, then the next configuration is probabilistically determined by the chosendistribution�. Note that the non-deterministic choice may, e.g., arise from several concurrentrd operations which probabilistically retrieve data from the tuple-space. We uses −→ s′ todenotes −→ �, with � the trivial distribution which gives probability 1 tos′ and probability0 to all other configurations.

Table 4 defines: (i) the probability distributions�pin t (�x).P,DS and�p

rd t (�x).P,DS used forin and rd operations, respectively; (ii) the operator�|Q that, given�, computes a newprobability distribution that accounts for composition with “Q”. It is worth noting that�pin t (�x).P,DS and�p

rd t (�x).P,DS are defined only fort ∈ T emplate andDS ∈ DSpacesuchthat there existse ∈ DS : e�t (that is the condition reported in axioms (2) and (3)). Themeaning of such probability distributions, that are used in axioms and rules of Table 3, iscommented in the description of the operational semantics that follows.

Axiom (1) describes the output of the tuplee; after the execution an occurrence ofe isadded to the shared spaceDS and the process continues withP. Axiom (2) describes thebehavior ofin operations; if a tuplee matching with templatet is available in theDS, thein execution produces the removal from the space ofe and then the process behaves asP [e/�x]. The probability of reaching a configuration where a matching tupleecontained in


theDS is removed is the ratio of the total weight of the several instances ofe in theDS,to the sum of the total weights of the several instances of the matching tuples currentlyavailable in theDS. In this way, the probability to reach a system configuration takes intoaccount the multiple ways of removinge due to the several occurrences ofe in the DS.Axiom (3) describesrd operations; if a tupleematching with templatet is available in theDS, then the process behaves asP [e/�x]. Differently from the previous axiom,rd operationsdo not modify the tuple space, i.e. reached states do not change the configuration ofDS,therefore they are simply differentiated by the continuationP [e/�x] of the reading process.For example, let us consider two different tuplese = 〈d; dc〉[w] ande′ = 〈d ′; dc〉[w′].LetP = rd 〈null; null〉(x1; x2).out (〈x2〉[w]) be the process performing the read; it is notpossible to discriminate the selection of the two different tuples. Therefore, the probabilityof reaching a configurations that is obtained by reading a tuplee matching witht in theDS (yielding valuee) is the ratio of the sum of the total weights associated to the severalinstances of tuplese′ matching witht in theDS such that the continuation of the readingprocess obtained by reading tuplee′ is the same as the one obtained by readinge, to the sumof the total weights of the several instances of the matching tuples currently available in theDS. Rule (4) describes the behavior of the parallel composition of processes (the symmetricrule is omitted): if configurations reachable from[P,DS] are described by the probabilitydistribution�, andPperforms an action in the system[P | Q,DS] (the process that proceedsbetweenPandQ is non-deterministically selected), then the reachable configurations are ofthe form[P ′ | Q,DS′], for someP ′ ∈ ProcessandDS′ ∈ DSpace. The probability valuesof such configurations do not depend onQ (that is “inactive”) and are equal to�([P ′,DS′]).Finally, rule (5) describes the behavior of process replication operator:!P behaves as anunbounded parallel composition of the processP.

4.3. Leader election protocol inProbLinCa

We provide an expressiveness gap also betweenProbLinCa andLinCa . Namely, weprove that inProbLinCa the quantitative information associated to the tuples, interpretedas weights, permits to solve the leader election problem also in symmetric systems. This isnot the case for the calculusLinCa without quantitative information.

Informally, the leader election problem consists in ensuring that all the processes inside asystem will reach an agreement, about the leader of the system, in finite time. In symmetricsystems (intuitively, systems composed of processes performing the same protocol) such aproblem cannot be solved because a system with a leader is not symmetric, and asynchronouscommunication usually is not able to force the initial symmetry to break.

Tuple space communication is asynchronous because it is mediated by the tuple reposi-tory. The formal proof of the impossibility to solve the leader election problem inLinCa isreported in Appendix A as it is a simple adaptation of an equivalent proof presented in[18]for the asynchronous�-calculus.

The addition of weights, on the contrary, permits to break the initial symmetry. This isproved by presenting a simple symmetric system (according to Definition A.3) composedof two processes only, which is also an electoral system, i.e. a system in which the leaderelection problem is solved.


Here we reformulate the protocol of[14,15] by using the calculusProbLinCa insteadof probabilistic asynchronous�-calculus as done in [14,15]. LetP0 andP1 be the twosymmetric processes (see Appendix A) that must interact in order to elect a leader, andw,w′, w� ∈ QLab be weights, wherew� = � · w with � positive real number such that� < 1. For the sake of simplicity, in the following we will omit weights associated to tupleswhen their value is not significant.

We assume that the space is initially partitioned inDS0 andDS1 which are defined asfollows:

DS0=〈0; T ; ∗〉[w]⊕〈0; ∗; unlock〉[w�] ⊕ 〈choice0;0〉[w′]⊕〈choice0;1〉[w′]⊕〈0〉,DS1=〈1; T ; ∗〉[w]⊕〈1; ∗; unlock〉[w�]⊕〈choice1;0〉[w′]⊕〈choice1;1〉[w′]⊕〈1〉.

We assume that the leader is communicated to the environment by the two processesP0 andP1 via a tuple〈o; l〉, wherel ∈ {0,1} represents the leader. The idea is that tuples〈i; T ; ∗〉[w] initially contained in the tuple space are “owned” by the corresponding processPi . When execution starts, each processPi tries to remove both its own tuple〈i; T ; ∗〉 andthe tuple〈i +2 1; T ; ∗〉 owned by the other processPi+21 (here we use+2 as the summodulo 2). If it succeeds, it is the leader and communicates this toPi+21, by inserting thetuples〈i;F ; ∗〉 and〈i +2 1;F ; ∗〉 in the tuple space, and then to the external environmentby inserting〈o; i〉. If it does not succeed, it repeats such a procedure.

More in details, sincePi may try to remove tuples〈i; T ; ∗〉 and 〈i +2 1; T ; ∗〉 onlysequentially (we assume that we have no primitive for simultaneous tuple removal), it isfundamental to consider the order of removal of such tuples. The protocol that we willpresent operates as follows.

First it performs a probabilistic “blind” choice that determines whether the attempt toremove〈i; T ; ∗〉 will be done before the attempt to remove〈i +2 1; T ; ∗〉 or, vice versa,the opposite ordering is undertaken. Such a choice is “blind” in the sense that the processcommits to the choice of the orderingbeforeknowing whether tuples are available.As shownin [14,15], such a commitment is essential for ensuring that the leader will be elected withprobability 1 under every possible scheduling of the two processes. Technically, such aprobabilistic choice is performed byPi by reading a tuple matching with〈choicei; null〉:which yields 0 or 1 (which identifies the first tuple that the process will try to remove)in the second field with probability12 and 1

2 (the same weightw′ is associated with both〈choicei;0〉 and〈choicei;1〉 tuples).

Assuming thatPi is able to remove the first tuple, the idea is that now the protocol checkswhether the second tuple is available: in the affirmative case the second tuple is removedandPi declares himself to be the leader, otherwisePi puts back the tuple he just removed inthe tuple space and restarts its protocol. Such “idealized behavior” is, however, only approx-imated by the protocol that we consider. This because, removing the tuple〈i +2 1; T ; ∗〉(or 〈i; T ; ∗〉 depending on the outcome of the initial probabilistic blind choice) in thecase it is available and performing something else otherwise — technically we removethe tuple〈i +2 1; ∗; unlock〉 (or 〈i; ∗; unlock〉) — would require a prioritized mechanismwhere〈i +2 1; T ; ∗〉 and〈i; T ; ∗〉 are assigned a higher priority than〈i +2 1; ∗; unlock〉and〈i; ∗; unlock〉. As in [14] we approximate this behavior by using a probabilistic choicewhere the unprioritized behavior has very low probability (we use weightw�) while the


Table 5Leader election protocol forPi

Pi =!in 〈i〉(x).rd 〈choicei ; null〉(x1; x2).

if (x2 = i) thenin 〈i; null; ∗〉(x3; x4; x5).

if (x4 = T ) thenin 〈i +2 1; null; null〉(x6; x7; x8).

if (x7 = T ) thenout (〈i;F ; ∗〉).out (〈i +2 1;F ; ∗〉).out (〈o; i〉)

elseout (〈i +2 1; ∗; unlock〉[w�]).out (〈i; T ; ∗〉[w]).out (〈i〉)

elseout (〈o; i +2 1〉)

elsein 〈i +2 1; null; ∗〉(x3; x4; x5).

if (x4 = T ) thenin 〈i; null; null〉(x6; x7; x8).

if (x7 = T ) thenout (〈i +2 1;F ; ∗〉).out (〈i;F ; ∗〉).out (〈o; i〉)

elseout (〈i; ∗; unlock〉[w�]).out (〈i +2 1; T ; ∗〉[w]).out (〈i〉)

elseout (〈o; i +2 1〉)

prioritized behavior has very high probability (we use weightw). The closer to zero thevalue of� is, the more efficient the algorithm is: nevertheless� < 1 is sufficient to guaranteethat the system will eventually elect a leader with probability 1.

Whenever a processPi succeeds in removing both tuples〈i; T ; ∗〉 and〈i +2 1; T ; ∗〉, he declares himself to be the leader and communicates this event to theother process by putting the tuples〈i;F ; ∗〉 and〈i +2 1;F ; ∗〉 in the tuple space. The otherway around, whenever a processPi reads a tuple〈i;F ; ∗〉 or 〈i +2 1;F ; ∗〉, he declares theother process to be the leader.

Concerning the use of special value “∗” in the three-valued tuples: the second field is “∗”(this tuple is not part of the information exchanged for establishing the leader) wheneverthe third is “unlock”; the third field is “∗” (this tuple is not used for avoiding deadlock)whenever the second field is “T” or “ F”.

In order to make the protocol more intelligible, we use aif–then–elseconstruct whichis just a shorthand for a simpleProbLinCa expression. In particular, assumed thatx is avariable that can assume valuesv1 andv2 only, we useif (x = v1) thenP elseQto stand for:

out (〈cnt; x〉) | !in 〈cnt; v1〉(y1; y2).P | !in 〈cnt; v2〉(y1; y2).Q,

where “cnt”, which stands for “continuation”, must be a different name for each syntacticaloccurrence of the constructif–then–elsein the protocol.


The protocol for processPi (i = 0,1) is defined in Table5.The system[P0 | P1,DS0⊕DS1], wherePi with i ∈ {0,1} are defined as in Table 5 and

DSi with i ∈ {0,1} are the two initial spaces defined above, eventually elects a leader withprobability one under every possible scheduling of processesP1 andP2. The proof of thisfact can be found in [15] in a language independent format.

5. Conclusion

We divide this conclusive section in two subsections; the former reports a summary ofthe results proved in this paper, the latter discusses the relevance of our results with respectto some of the most significant tuple based coordination languages.

5.1. Summary of the results

We have investigated, from an expressiveness viewpoint, the impact of the introductionof quantitative information in the tuple space coordination model. More precisely, we haveconsidered the possibility to decorate each tuple with a quantitative label. We have assumedtwo possible interpretations for such a label: either as a weight supporting a probabilisticaccess to the tuple space (the greater is the weight of a tuple, the higher is the probabilityfor that tuple to be returned) or as a priority level supporting a prioritized access. After aninformal discussion of applications for which this kind of tuple space access mechanismsseems particularly suited, we have formally discussed its expressive power.

A formal investigation of the expressive power requires a formal representation of theconsidered access mechanisms. We have achieved this representation by embedding thecoordination primitives into a minimal process algebra. This algebra comprises only threeoperators: the prefix operator used to associate a continuation to the execution of a primitive;the parallel operator used to compose the processes that coordinate via the tuple space; thereplication operator used as the unique infinite operator.

Namely, we have introduced three process algebras:LinCa which models the standardtuple space coordination model,ProbLinCa which introduces the probabilistic accessmechanism, andPrioLinCa which consider the prioritized access. In this section wediscuss also a fourth process algebra, that we do not formally define, which combinesboth the access mechanisms. This algebra, that we denote withPPLinCa , is obtainedassociating two quantitative labels to the tuples, one interpreted as a priority and the otherone as a weight. Data are retrieved probabilistically according to the weights of the tupleswith the highest priority among the matching ones.

Fig. 1 presents an overview of results regarding the impossibility to provide encodingsamong the several considered algebras. An encoding is a function from one algebra toanother one that preserves some intended semantics. The remainder of this subsection isdevoted to the discussion of these impossibility results.

We have proved that termination is decidable inLinCa while this is not the casein PrioLinCa . Moreover, we have proved that the leader election problem for sym-metric systems can be solved inProbLinCa while it cannot be solved inLinCa (seeAppendix A).


sublanguage relation

PrioLinCa ProbLinCa

LinCa

PPLinCa

no uniform encoding preserving reasonable semantics

no computable encoding preserving reasonable semantics

Fig. 1. Overview of the results.

Leader election has been exploited also in[18] to prove the impossibility to providea uniform encodingfrom the synchronous to the asynchronous�-calculus that preservesanyreasonable semantics. Informally, an encoding is uniform when it is a homomorphismw.r.t. parallel composition and preserves name substitution; a semantics is reasonable if itdistinguishes two processes, sayP andQ, whenever in some computation ofP the relevantobservable actions are different from those of any computation ofQ. This impossibilityresult holds also betweenProbLinCa (the calculus with probabilities) andLinCa (thecalculus representing the standard tuple space model).

The gap of expressiveness that we have proved between the model with priorities andthe standard tuple space model has the following consequence: there exists no computableencoding fromPrioLinCa (the calculus with priorities) toLinCa that preserves anyreasonable semantics. This follows from the fact that a reasonable semantics is able to dis-criminate between a faithful encoding of RAMs (such as the one we present in Section 3.3)and a unfaithful encoding. It is enough to consider RAMs that make observable their ter-mination and by formalizing faithfulness as follows: all the computations of the encodingof a RAM R terminate if and only ifR terminates. Such an encoding cannot be provided inLinCa as we have proved that termination is decidable in this calculus.

Another consequence of our results is the impossibility to provide encodings from the al-gebra with priority to the algebra with probability, and vice versa. First of all, we observe thatthe leader election problem cannot be solved in symmetric systems even inPrioLinCa ;


indeed, the proof reported in Appendix A applies also to the calculus with priorities. Thuswe have that it is not possible to provide a uniform encoding that preserves any reasonablesemantics fromProbLinCa to PrioLinCa .

Moreover, we have that the P/T net semantics we have used in Section3.4 to prove thattermination is decidable inLinCa , permits to prove that also reachability is decidable: giventhe systemss ands′ the reachability problem consists in verifying whether there exists acomputation froms to s′. The P/T net semantics can be easily adapted to the calculuswith probabilities, thus proving that reachability is decidable also forProbLinCa . On theother hand, reachability cannot be decided inPrioLinCa (this is a direct consequenceof Theorem 3.3). As a reasonable semantics distinguishes between two processes that havedifferent sets of reachable states, we have that there exists no computable encoding ofPrioLinCa into ProbLinCa that preserves any reasonable semantics.

This incomparability result between the prioritized and the probabilistic models permitsto conclude that the calculusPPLinCa comprising both of them is strictly more expressivethan bothPrioLinCa andProbLinCa .

5.2. Relevance of the results for coordination languages

We have embedded the coordination primitives into a minimal process algebraic lan-guage. In this last subsection we analyze how our results can be applied to those real worldcoordination languages obtained embedding the coordination primitives in richer (Turingpowerful) computational languages.

Let us consider the following notion of implementability of a coordination modelM intoa coordination languageL. We say thatM is implementable inL if any system designedaccording to the coordination modelM can be implemented using the languageL simplyby translating the coordination actions of the system components into coordination actionsexpressed with the primitives provided byL. In other terms, the implementation should notalter the structure of the overall application and should not affect the internal behavior ofthe components.

The impossibility to provide uniform encodings from the calculiPrioLinCa andProbLinCa into LinCa implies that the tuple space coordination model enhanced witheither prioritized or probabilistic tuple retrieval cannot be implemented into any standardLinda coordination language with only output, read, and input coordination primitives.

We now consider the Linda language in [22] that comprises also theinpandrdpprimitives.These are non-blocking versions ofin and rd which return the boolean valuefalse if notuple can be actually retrieved (i.e. no tuple matches the considered template). In this way,the absence of tuples matching a certain template can be tested. The prioritized model couldbe programmed using test for absence primitives as follows. The level of priority could beassociated to the tuples as an extra field. The processes that access the space could performan inp/rdp taking into account the first level of priority, and passing to the subsequentlevels only if no tuples are retrieved. Obviously, this approach is satisfactory only if fewlevels of priority are considered, because it is necessary to explicitly access one level ata time.

On the contrary, Linda languages with test for absence cannot implement the model withprobability. This can be proved considering previous results in [26], where it is shown that a


process calculus similar toLinCa is not expressive enough for solving the leader electionproblem in symmetric systems even when a test for absence operator is added.

We now consider another typical extension of Linda languages with group primitives.These primitives, such as thecollect primitive of [21], permit to withdraw all the tuplessatisfying a template. Group primitives permits to implement the probabilistic model. Eachtuple could be decorated with an extra field that quantifies its weight. When a tuple retrievaloperation is executed from a process, this process collects all the tuples satisfying thetemplate, select the tuple according to their weights, and re-introduce the tuples in thespace. This implementation is satisfactory only for small sized tuple spaces because itrequires to move from the tuple space to the process (and back) all the tuples matchingthe template; moreover this double transfer of tuples should be executed in a transactionalmanner, thus requiring consistent locks.

On the contrary, Linda languages with group primitives cannot implement the modelwith prioritized access to the tuple space. This can be proved considering previous resultsin [6], where it is shown that a process calculus similar toLinCa is not expressive enoughfor modeling faithfully RAMs even when acollectoperator is added.

The Linda extensions discussed so far permit to implement either the probabilistic orthe prioritized model, but in a rather unsatisfactory way. The main problem is that theimplementation of each probabilistic or prioritized access requires several (in some casesexpensive) interactions between the processes and the tuple space. This problem can befixed moving to coordination languages such as MARS [7] and TuCSoN [17] which permitto program the tuple space behavior. More precisely, processes can introduce programs inthe tuple space that are triggered by events such as the execution of a specific coordinationprimitive. Clearly, using coordination languages with this feature it is possible to programthe space in order to react to the execution of anin or ard primitive by executing a prioritizedor a probabilistic tuple retrieval.

A final remark is concerned with Probabilistic Klaim [10], the unique calculus to thebest of our knowledge that addresses probabilities in the context of Linda-like languages.Klaim [9] is a distributed mobile version of Linda where tuple spaces and processes areassociated to nodes in a net, and the processes may migrate from one node to another one.In Probabilistic Klaim probability comes into play at the global level (when the process tomove must be selected) as well at the local level (when the specific action to be executedmust be chosen). Moreover, the approach adopted in Probabilistic Klaim follows morefaithfully the tradition of process algebras, according to which a probability is associated toeach branch of a choice or to each process inside a parallel composed term. Our probabilisticmodel simply permits to associate a weight to the tuples when they are created; on the otherhand, in Probabilistic Klaim the tuples are produced with an associated probability equalto one. As a future work, we plan to investigate whether the schedule-driven approach ofProbabilistic Klaim is expressive enough for modeling our data-driven approach.

Appendix A. Unsolvability of the leader election problem in LinCa

In this appendix we present the formal discussion about the unsolvability of the leaderelection problem for symmetric systems expressed in theLinCa calculus. We adapt to ourcontext the proof reported in [18] developed for the asynchronous�-calculus.


In order to formalize the notion of symmetric systems we proceed as follows: we definea mechanism for associating a hypergraph to anyLinCa systems, and we characterizesymmetric systems in terms of the class of hypergraphs they are associated to.

We start reporting the basic notions about hypergraphs and automorphisms.

Definition A.1 (Hypergraph and automorphism). An hypergraphH is defined by a triple(N,X, t) whereN andX are finite sets defining the set of nodes and of hyperarcs, respec-tively, andt is a function which maps eachx ∈ X into a set of nodes.

An automorphism� of H defined as above is a pair(�N, �X) where�N : N −→ N

and�X : X −→ X are permutations such that, for eachx ∈ X, if t (x) = {n1, . . . , nk}thent (�X(x)) = {�N(n1), . . . , �N(nk)}. The composition of two automorphisms is still anautomorphism.

The orbit ofn ∈ N generated by� is defined asO�(n) = {n, �(n), . . . , �h(n)} in which�k represents� composed with itselfk times andh is such that�h+1(n) = id.

Now, we describe how to associate an hypergraph to anyLinCa system. In the fol-lowing, we assume that natural numbers are contained inMess. We also consider fixedpartitionings of the data space and we use the notation� to denote a partitioning such asDS1,DS2, . . . ,DSk.

Definition A.2 (Hypergraph associated to a system). Let � be the partitioningDS1,

DS2, . . . ,DSk and lets = [P1|P2| . . . |Pk,DS1 ⊕ DS2 . . .⊕ DSk] be aLinCa system.The hypergraph associated tos with partitioning� is H(s,�) = (N,X, t) whereN ={1, . . . , k}, X = df (P1|P2| . . . |Pk) ∪ df (DS1 ⊕ DS2 . . . ⊕ DSk) and, for eachx ∈ X,t (x) = {i ∈ N | x ∈ df (Pi) ∪ df (DSi )}.

We recall thatdf extracts the data fields from processes as well as data spaces. Let� = (�N, �X) be an automorphism on the hypergraph associated with the system[P,DS],we use�(P ) (resp.�(DS)) to denote the process (resp. the space) obtained by renamingeach data fieldd occurring inP (resp.DS) �X(d).

Definition A.3 (Symmetric system). Let � be the partitioningDS1,DS2, . . . ,DSk and lets = [P1|P2| . . . |Pk,DS1 ⊕ DS2 . . .⊕ DSk] be aLinCa system. Let� be an automorphismon the hypergraphH(s,�) = (N,X, t). We say thats is symmetric w.r.t.� and� iff, foreachi ∈ N , P�(i) is equal to�(Pi) (up to -renaming) andDS�(i) = �(DSi ) hold. Thesystems is symmetric w.r.t.� if it is symmetric w.r.t. all the automorphisms onH(s,�).

We use the term computation to identify a specific sequence of transitions of a system.For examples −→ s1 · · · −→ sn is a computation ofs. Let C andC′ be two computationsof a systems; we say thatC′ extendsC if C′ = s −→ s1 · · · −→ sn −→ sn+1 · · · −→ s′andC = s −→ s1 · · · −→ sn. If C is an infinite computation there exists nostrict extensionof C.

Let s = [P1|P2| . . . |Pk,DS] be a system andC a computation ofs; we useTuple(C, Pi)as the function which returns the set of tuples that are inserted byPi (and its derivatives) inthe space during the computationC, for i ∈ {1, . . . , k}.


An electoral system guarantees that all the processes in the system eventually elect thesame leader; the choice of the leader is done by producing the tuple〈o;m〉 wherem is theidentifier of the selected leader.

Definition A.4 (Electoral system). Let s = [P1|P2| . . . |Pk,DS] be a system;s is an elec-toral system if for every computationC there exists an extensionC′ of Candn ∈ {1, . . . , k}(the ‘leader’) such that〈o; n〉 ∈ Tuple(C′, Pi) and there exists no extensionC′′ of C′ inwhich 〈o;m〉 ∈ Tuple(C′′, Pi) for anyi ∈ {1, . . . , k} andm �= n.

We are now ready to prove the impossibility to have inPrioLinCa electoral systemsthat are also symmetric systems. The prove is restricted to a specific class of symmetricsystems, namely those with only one orbit (the extension to all symmetric systems can bedone as discussed in the Corollary 4.3 of[18]).

Proposition A.5. Let� be the partitioning DS1,DS2, . . . ,DSk and lets = [P1|P2| · · · |Pk,DS1 ⊕ DS2 · · · ⊕ DSk] be aLinCa system. If the associated hyper-graphH(s,�) admits an automorphism� �= id with only one orbit, and s is symmetricw.r.t. � and�, then s cannot be an electoral system.

Proof. We assume by contradiction thats is an electoral system. We will show that it ispossible to build an infinite sequence of computationsC1, C2, . . ., Cn, . . ., such thatCi+1extendsCi and the system reached by the computationCi is symmetric w.r.t.� and some�i(updated in order to take into account the possible data exchanged during the computation)and does not contain any tuple of the form〈o; n〉, for anyi andn, thus proving thatscannotbe an electoral system.

We proceed by induction onn. We consider the empty computation for the casen = 1.For the inductive case we considerCn and we describe how to defineCn+1. Let sn =[Pn1 |Pn2 | . . . |Pnk ,DSn

]be the system reached by the computationCn, which is symmetric

w.r.t. � and the partitioning�n = DSn1,DSn2, . . . ,DSnk . Sinces is an electoral system and,by hypothesis,〈o; l〉 �∈ Tuple(Cn, Pi) for any i andl, there must exists an extension ofCnthat produces the tuples indicating the leader. Now we exploit the fact that the hypergraphassociated toshas only one orbit: in this caseO�(i) = {i, �(i), . . . , �k−1(i)} = {1, . . . , k}for anyi ∈ {1, . . . , k}.

Let Pni be the process that moves andDSnj be the subspace in which it acts, that is

there exists a transition[Pni ,DSnj

]−→

[Pni

′,DSnj′]. Observe thatPni cannot perform the

output of 〈o; l〉 for somel. If this is possible then by symmetryPn�(i) (which is equalto �(P ni )) must be able to produce the tuple〈o; �(l)〉. Sinces is an electoral systemthere must bel = �(l) and, given that� generates one orbit only,� = id which is acontradiction.

By symmetry there exist also the following transitions:

[Pn�(i),DSn�(j)

]−→

[Pn�(i)

′,DSn�(j)

′],


[Pn�2(i)

,DSn�2(j)

]−→

[Pn�2(i)

′,DSn�2(j)

′],

. . .[Pn�k−1(i)

,DSn�k−1(j)

]−→

[Pn�k−1(i)

′,DSn�k−1(j)

′].

Note that the processPn is the parallel composition ofPni , Pn�(i), . . . , P

n�k−1(i)

. For the

sake of simplicity we assumePn = Pni |Pn�(i) . . . |Pn�k−1(i)(any different case is treated

similarly). Moreover,DSn = DSnj ⊕ DSn�(j) . . . ⊕ DSn�k−1(j). According with rule 4 of

Table1 the following computation can be performed:[Pni |Pn�(i) . . . |Pn�k−1(i)

,DSnj ⊕ DSn�(j) . . .⊕ DSn�k−1(j)

]−→

[Pni

′|Pn�(i) . . . |Pn�k−1(i),DSnj

′ ⊕ DSn�(j) . . .⊕ DSn�k−1(j)

]−→

· · · −→[Pni

′|Pn�(i)′ . . . |Pn�k−1(i)

′,DSnj

′ ⊕ DSn�(j)′. . .⊕ DSn�k−1(j)

′].

The reached system is still symmetric w.r.t.� and the partitioning�n+1 = DSn+11 ,

DSn+12 , . . . ,DSn+1

k and does not contain any tuple of the form〈o; l〉, for any l ∈{1, . . . , k}. �

References

[1] H. Attiya, J. Welch, Distributed Computing: Fundamentals, Simulations, and Advanced Topics, second ed.,Wiley, New York, 2004.

[2] JP. Banatre, D. LeMetayer, Programming by multiset transformation, Comm. ACM 36 (1) (1993) 98–111.[3] M. Bravetti, Specification and analysis of stochastic real-time systems, Ph.D. Thesis, Dottorato di

Ricerca in Informatica, Università di Bologna, Padova, Venezia, 2002, available athttp://www.cs.unibo.it/ ∼bravetti/ .

[4] M. Bravetti, M. Bernardo, Compositional asymmetric cooperations for process algebras with probabilities,priorities, and time, Proc. First Internat. Workshop on Models for Time-Critical Systems, MTCS 2000, StateCollege (PA), Electronic Notes in Theoretical Computer Science, Vol. 39(3), Elsevier, Amsterdam, 2000.

[5] N. Busi, R. Gorrieri, G. Zavattaro, On the expressiveness of Linda coordination primitives, Inform. Comput.156 (1–2) (2000) 90–121.

[6] N. Busi, A. Rowstron, G. Zavattaro, State- and event-based reactive programming in shared dataspaces,Coordination Languages and Models (COORDINATION’02), Lecture Notes in Computer Science,Vol. 2315,Springer, Berlin, 2002, pp. 111–124.

[7] G. Cabri, L. Leonardi, F. Zambonelli, Reactive tuple spaces for mobile agent coordination, SecondInternational Workshop on Mobile Agents, Lecture Notes in Computer Science, Vol. 1477, Springer, Berlin,1998, pp. 237–248.

[8] N. Carriero, D. Gelernter, Coordination languages and their significance, Comm. ACM 35 (2) (1992) 97–107.

[9] R. De Nicola, G. Ferrari, R. Pugliese, KLAIM:A Kernel Language forAgents Interaction and Mobility, IEEETrans. Software Engrg. 24 (5) (1998) 315–330 (special issue: Mobility and Network Aware Computing).

[10] A. Di Pierro, C. Hankin, H. Wiklicky, Probabilistic Klaim, Proc. Seventh Internat. Conf. on CoordinationModels and Languages (Coordination 04), Lecture Notes in Computer Science, Vol. 2949, Springer, Berlin,2004, pp. 119–134.

http://www.cs.unibo.it/~bravetti/

http://www.cs.unibo.it/~bravetti/


[11] E. Freeman, S. Hupfer, K. Arnold, JavaSpaces Principles, Pattern, and Practice, Addison-Wesley, Reading,MA, 1999.

[12] D. Gelernter, Generative Communication in Linda, ACM Trans. Programming Languages and Systems 7 (1)(1985) 80–112.

[13] R.J. van Glabbeek, S.A. Smolka, B. Steffen, Reactive, generative and stratified models of probabilisticprocesses, Inform. and Comput. 121 (1995) 59–80.

[14] O.M. Herescu, C. Palamidessi, Probabilistic asynchronous pi-calculus, Proc. FoSSaCS, Lecture Notes inComputer Science, Vol. 1784, Springer, Berlin, 2000, pp. 146–160.

[15] O.M. Herescu, C. Palamidessi, Probabilistic asynchronous pi-calculus, Technical Report, Penn StateUniversity, 2000, available athttp://www.cse.psu.edu/ ∼catuscia/papers/Prob_asy_pi/report.ps .

[16] M.L. Minsky, Computation: Finite and Infinite Machines, Prentince Hall, Englewood Cliffs, 1967.[17] A. Omicini, F. Zambonelli, Coordination of mobile information agents in TuCSoN, J. Internet Res. 8 (5)

(1998) 400–413.[18] C. Palamidessi, Comparing the expressive power of the synchronous and the asynchronous pi-calculus, in:

Proc. POPL, 1997, pp. 256–265, Full version appeared in Mathematical Structures in Computer Science,13(5) (2003) 685–719.

[19] G.A. Papadopoulos, F. Arbab, Coordination models and languages, Adv. Comput. 46 (1998) 329–400.[20] C. Reutenauer, The Mathematics of Petri Nets, Masson, Paris, 1988.[21] A. Rowstron, A. Wood, Solving the Linda multiplerd problem using thecopy-collect primitive, Sci.

Comput. Programming 31 (2–3) (1998) 335–358.[22] Scientific ComputingAssociates, Linda: User’s guide and reference manual, Scientific ComputingAssociates,

1995.[23] R. Segala, Modeling and verification of randomized distributed real-time systems. Ph.D. Thesis, Department

of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, 1995.[24] J.C. Shepherdson, J.E. Sturgis, Computability of recursive functions, J. ACM 10 (1963) 217–255.[25] C.M.N. Tofts, Processes with probabilities, priority and time, Formal Aspects of Computing 6 (1994) 534–

564.[26] G. Zavattaro, Towards an hierarchy of negative test operator for asynchronous communication, Proc.

Workshop of Expressiveness in Concurrency (EXPRESS’98), Electronic Notes in Theoretical ComputerScience, Vol. 16(2), Elsevier, Amsterdam, 1998.

http://www.cse.psu.edu/~catuscia/papers/Probprotect LY1extunderscore asyprotect LY1extunderscore pi/report.ps

http://www.cse.psu.edu/~catuscia/papers/Probprotect LY1extunderscore asyprotect LY1extunderscore pi/report.ps

quantitative information in the tuple space coordination model

Documents