Verifying concurrent system specifications in COSY

In this paper we illustrate the use of the COSY formalism [LTS79] for specifying, analysing and verifying highly parallel and distributed systems. We shall do this through a non-trivial example, the concurrent resource release mechanism which forms the central part of a novel, non-computational, concurrent and distributed solution to the problem of allocating reusable resources from a limited pool among a large number of concurrent users, the so-called COSY banker [LTD80]. After a brief overview of the COSY approach, we formally define a behavioural semantics for COSY programs in terms of vectors of strings — the vector firing sequences — which generalise the well-known notion of firing sequence to permit the explicit representation of concurrency in an algebraic manner and which may be manipulated in the same manner as strings except in cases where strings are inappropriate for the modelling of concurrent behaviour. Behavioural properties may be formally defined in terms of vector firing sequences. In particular, an analysis of the vector firing sequences of a given program allows one to determine whether a system specified by the program possesses desirable properties, whether these be general such as absense of deadlock or starvation, or specific, that is relating to particular properties required of a particular mechanism. We shall mainly be concerned with the latter form of analysis in our investigation of the concurrent resource release mechanism. More precisely, we demonstrate: firstly, a full characterisation of the behaviours of the mechanism; secondly, the correctness of the mechanism with respect to its desired properties and a functional interpretation of the operations it involves and thirdly, as a consequence of these, its absense of partial system deadlock. Full references to the copious work on other aspects of the notation are given in a conclusion.