MPRI C-2-3: Concurrency (Part 1 of 4)

Transcription

1 From Computability to Concurrency Theory Calculus of Comunicating Systems CCS Verification and Specification. Expressiveness Solutions to Exercises. MPRI C-2-3: Concurrency (Part 1 of 4) Frank D. Valencia (CNRS-LIX, Ecole Polytechnique) Parts 2,3,4 by Francesco Zappa Nardelli (INRIA), James Leifer (INRIA) and Emmanuel Haucourt (CEA) MPRI C-2-3 MPRI C-2-3: Concurrency (Part 1 of 4)

2 Concurrency is everywhere... Concurrent Systems Multiple agents (processes) that interact among each other. Some concurrent systems of interest to our community: Reactive Systems. Synchronous Systems Mobile Systems Secure Systems Biological Systems Concurrent systems can combine: Example The Internet is a very complex concurrent system!

3 Concurrency: A Serious Challenge... Models of Concurrency Formal Models to describe and analyze concurrent systems. As other models of reality, these models must be simple, be expressive, be formal, provide reasoning techniques. Just like λ calculus model of sequential computation! Models for sequential computation don t apply. Concurrent computation is usually Non-Terminating Reactive (or Interactive)

4 Mobility What kind of mobility will we consider in this course? Processes move. Links move The last one, because it is the π-calculus choice; for flexibility and simplicity. π-calculus has the ability of communicating private and public links (names).

5 Mobile Systems Mobile phones

6 Mobile Systems Mobile phones

7 Sending private links: A flavour of process calculi Consider the following System: In the π-calculus we can represent this system as: Sys =(νa)(printer(a) Server(a, b) ) Client(b) where Printer(a) =a(x).p, Server(a, b) = b a.server and Client(b) =b(c).client (c) and Client (c) =c d.c

8 Communicating private links: A flavour of the π-calculus The evolution of the System: corresponds to the reduction : Sys (νa) ( Printer(a) Server Client (a) ) where Printer(a) =a(x).p, Server(a, b) = b a.server and Client(b) =b(c).client (c) and Client (a) =a d.c

9 Security Protocols The π-calculus can be used to formalize and analyze security protocols: Concurrent agents (processes) exchanging private messages over an untrusted network Want to achieve authentication, secrecy, anonymity, etc. Example: Needham-Schroder Public-Key Protocol.

10 Security Protocols Needham-Schroder Public-Key Protocol: Intended to provide mutual authentication between two agents A and B communicating on an untrusted network. Here m and n represent private/unique items (nonces) and {M} pub(x ) represents a message M encrypted with the X s public key.

11 Security Protocols Needham-Schroder Public-Key Protocol: Intended to provide mutual authentication between two agents A and B communicating on an untrusted network. But it fails to satisfy secrecy: The man-in-the-middle attack: By impersonating A, the agent C obtains B s private information; i.e., the nonce n.

12 Security Protocols and Other Applications of Process Calculi A nice application of process calculi: Modeling Security Protocols Process calculi can be used to predict flaws in Security Protocols. As done for the Needham-Schroeder Protocols in the late nineties by Gavin Lowe using CSP. Other applications include: Modelling Biological systems. Correctness of Distributed Algorithms. Analisys of Object Oriented Programs. Modelling Bussiness Processes.

13 This course This course is an introduction to models and techniques to reason about concurrent systems and languages. They allows us to reason about properties of concurrent and distributed programs. Just like the λ-calculus for sequential programs,

14 Course Structure Teachers: Frank Valencia (CCS, 12h) James Leifer (pi-calculus, 12h) Francesco Zappa(shared memory, separation logic, rely-guarantee,12h) Emmanuel Haucourt (directed algebraic ropology and concurrency,12h) Exams: Two exams (50% each): Personal and lecture notes allowed. References: Milner, R.. Communication and Concurrency.Prentice Hall. Milner, R. The pi-calculus. Cambridge University Press. Sangiorgi, D. and Walker, D. The pi-calculus: a Theory of Mobile Processes. Nachbin, L.. Topology and Order. Van Nostrand Reinhold. Higgins, P.J. Categories and Groupoids. Van Nostrand Reinhold. Course material, calendrier complet du cours : access with user=guest, pass=guest.

15 From Computability to Concurrency Theory Calculus of Comunicating Systems CCS Verification and Specification. Expressiveness Solutions to Exercises. CCS Outline 1 From Computability to Concurrency Theory Basic Concepts from Automata Theory Bisimilarity Equivalence 2 Calculus of Comunicating Systems CCS General Aspects of Process Calculi Syntax and Semantics Bisimilarity Observable Behaviour and other Equivalences 3 Verification and Specification. Verification and Specification 4 Expressiveness 5 Solutions to Exercises. MPRI C-2-3 MPRI C-2-3: Concurrency (Part 1 of 4)

16 Classic Automata Theory Automata Definition An automata A over an alphabet Act is a tuple (Q, Q 0, Q f, T ) where Write q S(A) =Q = {q 0, q 1,...} is the set of states, S 0 (A) =Q 0 Q is the set of initial states, S f (A) =Q f Q is the set of accepting (or final) states, T (A) =T Q Act Q is the set of transitions. a q for (q, a, q ) T. Omit Act when it is understood. Example: A Typical Graph Representation

17 Classic Automata Theory Regular Sets and Expressions Definition (Acceptance, Regularity) Fact a A accepts a 1...a n iff there is a path q 1 a 0 2 a q1 n in T (A) with q 0 S o (A) and q n S f (A). qn The Language of (or recognized by) A, L(A), is the set of sequences accepted by A. Regular sets are those recognized by finite-state automata (FSA). Regular Expressions (e.g. a.(b + c) ) are as expressive as FSA. Example

18 Classic Automata Theory Some Nice Properties and Exercises Fact 1 Deterministic and NonDeterministic FSA are equally expressive. 2 Regular sets are closed under (a) union, (b) complement, (c) intersection. 3 The Emptyness Problem and Language Equivalence of FSA are decidable. Exercises Using (2) prove (3).

19 Classic Automata Theory What is good for? Classic Automata Theory is solid and foundational with several applications in computer science. BUT consider reactive systems like the vending machine below. Example: A FSA Vending Machine Representation Example: A FSA Vending Machine Representation

20 Classic Automata Theory. The Problem with Language Equivalence In automata theory a (b + c) =a b + a c. I.e., p 0 and q o are equivalent. We need stronger equivalences that do not validate the above.

21 Bisimilarity: The Equivalence of Reactive Systems. Transition Systems Labelled Transition Systems (LTS) are automata in which initial and final states are irrelevant. Simulation Let T be an LTS. A relation R S(T ) S(T ) is a simulation iff for each (p, q) R: If p a p then there is q s.t. q a q and (p, q ) R. Bisimulation A relation R is a bisimulation iff R and its converse R 1 are both simulations. Similarity & Bisimilarity p is simulated by q iff there exists a simulation R s.t (p, q) R.

22 Game theoretical definition of Bisimilariy Bisimularity can be thought of as game between an attacker (Player I) and a defender (Player II) over a pair (p, q) trying to prove whether or not p q. 1 Player I must choose any valid transition from p or from q. I.e., either a p a p or a q a q. 2 Player II must then match that transition: If Player I chose p a p then Player II must choose a transition q a q. Go to (1) with p as p and q as q. The other case is analogous. 3 Players continue to take alternating turns until: 1 Player II is unable to find any valid transitions to match the Player I s move. In this case Player I wins. 2 The game reaches states p and q from which there are no transitions. In this case Player II wins. 3 The game goes on forever, in which case Player II wins. Exercise: Prove that p q if and only if Player II has a winning strategy for (p, q).

23 Bisimilarity and Games Definition. Say that p is game equivalent to q iff Player II has a winning stretegy for (p, q). Theorem p q if and only if p is game equivalent to q.

24 Bisimilarity is a bisimulation Theorem is (1) an equivalence and (2) a bisimulation.

25 Bisimilarity: Back-and-forth property Theorem p q if and only if 1 p α p implies for some q,q 2 q α q implies for some p,p Definition Define p q if and only if 1 p α p implies for some q, q 2 q α q implies for some p, p Proof. α q and p q α p and p q α q and p q α p and p q By showing that =. Since is a bisimulation, we have (*). To show, verify that is a bisimulation. This can be done by using (*) to show that if p q then p q.

26 Exercise: A weird bisimulation. Recall p q. Note also that p q (why?). Show that. Weird Simulation R is a weird simulation iff (p, q) R: 1- If p a p then there is q s.t. q a q and (p, q ) R. 2- If q a then p. a Weird Bisimilarity p < q iff there is a weird simulation R s.t (p, q) R. Also, p and q are weird bisimilar, written p q, iff p < q and q < p. Exercise

27 Exercise: A weird bisimulation. Weird Simulation R is a weird simulation iff (p, q) R: 1- If p a p then there is q s.t. q a q and (p, q ) R. 2- If q a then p. a Weird Bisimilarity p < q iff there is a weird simulation R s.t (p, q) R. Also, p and q are weird bisimilar, written p q, iff p < q and q < p. p q but p q

28 Process Calculi Process calculi treat processes much like λ-calculus treats computable functions: Structure of terms represent the structure of processes. E.g.: P Q Operational Semantics to represent computational steps. E.g.: P α P PAR P Q α P Q

29 Typical Issues in Developing Process Calculi Which process constructs fit the intended phenomena? E.g. atomic actions, parallelism, nondeterminism. How should these constructs be given meaning? E.g. Operational Semantics, Denotational Semantics. How should processes be compared? E.g. Observable Behavior, Process Equivalences. How should process properties be specified and proved? E.g. Logic for expressing process specifications (like in Hoare s Logic). How expressive is the calulus? E.g. What cannot be expressed in the calculus.

30 CCS Syntax Basic Entities of CCS: A set N = a, b,... of names and N = {a a N } of co-names. A set L = N N of labels (ranged over by l, l,...). A set Act = L { τ} of actions (ranged over by α, β,...). Action τ is called the silent or unobservable action. Actions a and a are viewed as being complementary. I.e., a = a.

31 CCS Syntax Definition (CCS Syntax of Processes) P, Q,... : Σ i I α i.p i P Q (νa)p A(a 1,..., a n ) Bound names of P, fn(p): Those with a bound occurrence in P. Free names of P, bn(p): Those with a not bound occurrence in P. For each (call) A(a 1,..., a n ) there is a unique process definition A(b 1... b n ) def = P, α.p denotes a summation where I = 1, and 0 denotes a summation where I = 0. P Q also written as P Q, and (νa)p is also written as P\a. The set of all processes is denoted by P.

32 Intuitions CCS: Transitions We will use a labelled transition semantics for CCS processes. A transition P α Q means that P can offer α (for interaction) and then behave as Q. For example,

33 Intuitions CCS: Transitions More intuitions: 1 Σ i I α i.p i may offer α i and evolve into P i : i.e., Σ i I α i.p i α i Pi 2 P Q may offer an action from P or an action from Q. Also if P can offer an action α and Q can offer its complement ᾱ then P Q may synchronize and this is represented with a τ action. 3 (νa)p may offer any action from P except a. 4 If A(b) def = P then A(a) may perfom any action from P[a/b]. Example a We have a.p ā.q P ā.q, and a.p ā.q a.p ā.q τ P Q. But we only have (νa)(a.p ā.q) force inner interactions. ā a.p Q, and τ (νa)(p Q). Thus (νa) can

34 CCS: Labelled Transitions Semantics. SUM Σi I α i.p i α i Pi P α P COM 1 P Q α P Q Q α Q COM 2 P Q α P Q COM 3 P l P Q l P Q Q τ P Q RES P (νa)p α P α (νa)p if α a and α a REC P α A[b 1,..., b n /a 1,..., a n ] P α A b 1,..., b n P if A(a 1,..., a n ) def = P A

35 Example of a Derivation. Derivation (tree) of a.p ā.q τ P Q: SUM a a.p P SUM ā.q COM 3 a.p ā.q τ P Q ā Q Derivation (tree) of a.p ā.q a P ā.q: SUM a COM a.p P 1 a.p ā.q a P ā.q

36 Examples in CCS Think of a counter as black-box you can interact with by pressing some buttons. In CCS: def = zero.c 0 + inc.c 1 C 0 def C n = dec.c n 1 + inc.c n 1 C def = C 0 But we presupposed infinitely many definitions C 0, C To illustrate the power of the restriction operator (ν ) let s do it with two defintions: def C = zero.c + inc.(νl)(c(l) l.c) C (l) def = dec. l.0 + inc.(νl )(C (l ) l.c (l))

37 Examples in CCS We do not have an explicit operator for sequentialization. I.e., P; Q which executes Q after P has finished. Exercise. A process is finite iff it does not have occurrences of recursive calls. Say that P is t-finite if it is finite and t is the last action P may offer. Suppose that P and Q are t-finite, encode P; Q so that P; Q is also t-finite.

38 Basic programming language. We have sequentialization and counters. For counter X replace C with X and zero, inc, dec with zero x, inc X, dec X. As before we use t to signal termination. The instruction X ++corresponds to inc X. t and The instruction X corresponds to dec X. t + zero X. t Encode the instruction X := Y. Encode the instruction if X = 0 then I else J where I and J are instructions. Encode a program (i.e., a sequence of instructions) Prog = I 1 ; I 2,..., I n over counters X, Y. Now you can even have parallel programs Prog Prog over counters.

39 CCS: Bisimilarity Labeled Transition System of CCS The LTS of CCS has P (the set of all processes) as its states and its transitions are given by the labelled transition semantics. Hence P Q iff the states represented by P and Q are bisimilar. Example: Processes and LTS states P = a.(b.0 + c.0) corresponds to p 0 and Q = a.b.0 + a.c.0 corresponds to q 0. Hence P Q.

40 Some Algebraic Equalities Some basic algebraic bisimilarity equalities: P Q Q P P 0 P (P Q) R P (Q R) (νa)0 0 (νa)α.p α.(νa)p (under what conditions?) (νa)(νb)p (νb)(νa)p P (νa)q (νa)(p Q) (under what conditions?) (νa)p (νb)p[b/a] (under what conditions?)

41 Commutativity Proof of commutativity of :

42 Congruence issues Suppose that P Q. We would like P R Q R. More generally, if P Q we would like C[P] C[Q] for any process context C[ ]. A context C[ ] is a term with a hole [ ] such that replacing the hole with any P yields a process term C[P]. for example, above C[ ] = [ ] R and C[P] =P R. We want to be a congruence. The notion of congruence allows us to replace equals with equals.

43 Congruence issues In fact is a congruence. We show this by proving that if P 1 P 2 then M + α.p 1 M + α.p 2 P 1 Q P 2 Q (νx)p 1 (νx)p 2

44 Congruence issues Proof. Want to prove that P 1 P 2 P 1 Q P 2 Q.

45 CCS Bisimilarity, Applications Recall our sequential composition P; Q defined as (ν s)( P[s/t] s.q) where s is fresh and t is the last action of P. Exercise: Prove that sequentialization is associative: P;(Q; R) (P; Q); R. Hint use the fact that is a congruence and basic equalities for.

46 Recall our sequential composition P; Q =(ν s)( P[s/t] s.q) where s is fresh and t is the last action of P. Exercise: Prove that sequentialization is associative: P;(Q; R) (P; Q); R. Hint: Using the algebraic equations and the fact that is a congruence we get: P;(Q; R) (νs)(p[s/t] s.(νs )(Q[s /t] s.r)) (νs )(νs)(p[s/t] s.(q[s /t] s.r)) (νs )(νs)(p[s/t] s.q[s /t] s.r)) (νs )((νs)(p[s/t] s.q))[s /t] s.r)) (P; Q); R

47 CCS: The expansion law. Notice that a.0 ā.0 is bisimilar to a.ā.0 + ā.a.0 + τ.0. More generally, we have the expansion law: (ν a)(p 1... P n ) Σ{a i.(ν a)(p 1... P i... P a n P i i P i, a, a i a} + Σ{τ.(νa)(P 1... P i... P j... P n P i l P i, P j l P j } So, every move in (ν a)(p 1... P n ) is either one of the P i or a communication between some P i and P j.

48 Up-to Techniques Definition A symmetric S is a bisimulation up to if P S Q implies - If P l P then Q st Q l Q and P S Q. Theorem If S is a strong bisimulation up to then S is strong bisimulation. So to prove P Q then we only need to find a strong bisimulation S up to containing the pair (P, Q). Why? Recall that Id P.

49 Up-to Techniques Proof: Want to show that... if S is a bisimulation up to, S is bisimulation.

50 Observable Behavior In principle, P and Q should be equivalent iff another process (the environment, an observer) cannot observe any difference in their behavior. Notice τ.p P, although τ is an unobservable action. So could be too strong:). We look for other notion of equivalence focused in terms of l observable actions (i.e., actions, l L).

51 Observations Think of any l with l τ as an observation. Think of an experiment e as a sequence l 1.l 2... l n of observable actions. Notation: If s = α 1... α n Act then define s = = ( τ ) α 1 ( τ )... ( τ ) α n ( τ ) e Notice that = for e = l 1.l 2... l n L denotes a sequence of observable actions inter-spread with τ actions: The notion of experiment.

52 Trace Equivalence Definition (Trace Equivalence) P and Q are trace equivalent, written P t Q, iff for every experiment (here called trace) e = l 1... l n L P = e iff Q = e Observations: τ.p t P (nice!) a.b.0 + a.c.0 t a.(b.0 + c.0) (not that nice:) a.b.0 + a.0 t a.b.0 (not sensitive to deadlocks) a.0 + b.0 t (νc)(c.0 c.a.0 c.b.0)

53 Language Equivalence Definition The language (or completed traces) of P is given by L(P) ={s L Q : P = s α Q α Act : Q }. Two processes are language equivalent iff they have the same language. We use L to denote language (or completed traces) equivalence. Let D def = τ.d, i.e., the divergent process. We have τ.0 t D, but τ.0 F D.

54 Failures Equivalence Definition (Failures Equivalence) A pair (e, L), where e L (a trace) and L L, is a failure for P iff there is P s.t.: (1)P e l = P, (2) P for all l L, and (3)P τ P f Q iff P and Q have the same failures. Observations: τ.p f P. a.b.0 + a.c.0 f a.(b.0 + c.0) (Exercise: why?) a.b.0 + a.0 f a.b.0. a.0 + b.0 f (νc)(c.0 c.a.0 c.b.0) (Exercise) a.(b.c.0 + b.d.0) f a.b.c.0 + a.b.d.0. Let D = τ.d. We have τ.0 f D.

55 Weak Bisimilarity Definition (Weak Bisimilarity) A symmetric relation R is a weak bisimulation iff for every (P, Q) R: If P = e P then there is Q s.t. Q = e Q and (P, Q ) R. Define P Q iff (P, Q) R for some weak bisimulation R. Observations: τ.p P, a.τ.p a.p However, a.0 + b.0 a.0 + τ.b.0 a.(b.c.0 + b.d.0) a.b.c.0 + a.b.d.0.(exercise) Let D = τ.d. We have τ.0 D. a.0 + b.0 (νc)(c.0 c.a.0 c.b.0) (Exercise)

56 Sensitivity to Convergence/Divergence. Definitions We say that P is convergent iff there is a Q such that P Q τ and Q. We say P is divergent iff P( ) τ ω. An equivalencce is sensitive to divergence (covergence) iff whenever P Q and P is divergent (convergent) then Q is divergent (convergent). 1 Show that weak-bisimilarity is not sensitive to divergence. 1 Show that failures-equivalence is not sensitive to divergence. 1 Show that trace equivalence and language-equivalence do not include each other. 1 Show that language-equivalence is not a congruence. 1 Show that failures-equivalence implies language-equivalence. 1 Show that of the above equivalence, failures-equivalence is the only one sensitive to convergence. τ

57 Solutions to previous exercises. Let Div = τ.div and R(a) =a.r(a). 1 Show that weak-bisimilarity is not sensitive to divergence. Take Div and τ.0 2 Show that failures-equivalence is not sensitive to divergence. Take Div + τ.0 and τ.0 3 Show that trace equivalence and language-equivalence do not include each other. Take a.a.0 and a.0 + a.a.0 4 Show that language-equivalence is not a congruence. Consider restriction. 5 Show that failures-equivalence implies language-equivalence. 6 Show that of the above equivalence, failures-equivalence is the only one sensitive to convergence. Take P = τ.r(a) and P = Div for language-equivalence and Q = τ.div + τ.0 and Q = Div for weak-bisimilarity and trace-equivalence.

58 Weak Bisimilarity Definition (Weak Bisimilarity) A symmetric relation R is a weak bisimulation iff for every (P, Q) R: If P = e P then Q s.t. Q = e Q and (P, Q ) R. Define P Q iff (P, Q) R for some weak bisimulation R. Theorem R is a weak bisimulation iff (P, Q) R: - If P l P then Q st Q = l Q and (P, Q ) R, - If P τ P then Q st Q = Q and (P, Q ) R.

59 Weak bisimulation up to Theorem Definition R is a weak bisimulation up to if P R Q implies - If P l P then Q st Q = l Q and P R Q, - If P τ P then Q st Q = Q and P R Q Theorem If R is weak bisimulation up to then R is a weak bisimulation. Hence order to prove P Q it suffices to find a weak bis R up to such that (P, Q) R.

60 Weak bisimulation up to Definition R is a weak bisimulation up to if P R Q implies - If P l P then Q st Q = l Q and P R Q, - If P τ P then Q st Q = Q and P R Q Conjecture R is weak bisimulation up to then R is a weak bisimulation. Is the above conjecture true? If not, try to fix the definition for up-to.

61 Weak Bisimulation upto Definition R is a weak bisimulation up to if P R Q implies - If P τ P then Q st Q = Q and P R Q This is not sound: τ.c and 0 are not weakly bisimilar. One fix is the following: Definition R is a weak bisimulation up to if P R Q implies - If P = s P then Q st Q = s Q and P R Q Theorem If R is weak bisimulation up to then R is a bisimulation.

62 Weak Bisimilarity is a congruence Theorem is a congruence. In particular, if P Q then M + α.p M + α.q.

63 Further properties of But weak bisimulation is not about ignoring all silent actions: Notice that P Q R P.

64 Further properties of Weak bisimulation allows arranging terms involving silent actions: The dashed transitions above can be eliminated up-to weak bisimilarity. In fact 1 P τ.p 2 M + N + τ.n M + τ.n 3 M + α.p + α.(τ.p + N) M + α.(τ.p + N). 4 M + α.p + τ.(α.p + N) =M + τ.(α.p + N) (*)

65 Unique Solutions to Equations Recall our counter definition. Let X 0, X 1... satisfying the equations In CCS: X 0 zero.x 0 + inc.x 1 X n dec.x n 1 + inc.x n+1 Clearly a solution for X i is C i. But are there more solutions up to? Consider also the equation X τ.x.

66 Unique Solutions to Equations Consider X a.p + τ.x. Does it have a solution? Many solutions (up-to weak bisimilarity)? Show that for any Q, the above equation has the solution X = a.p + τ.q (infinite family) Take X = a.0 + τ.y and Y = b.0 + τ.x. Does it have an infinity family of solutions for X? Take X 1 a.x 1 + τ.x 2 and X 2 a.x 1 + b.x 2. Find a solution for X 1. Are there more modulo weak bimilarity?

67

68 Unique Solutions to Equations Theorem Let X 1, X 0,... a (possibly infinite) sequence of variables satisfying : X 0 α 00.X k(00) α 0n0 X k(0n0 ) X 1 α 10.X k(10) α 1n1 X k(1n1 ) where each α ij τ. Then up to there is a unique sequence P 0, P 1,... satisfying the equations.

69 Unique Solutions to Equations

70 Application: Correctness of the counter Recall our two definitions of the counters def K 0 = zero.k 0 + inc.k 1 def K n = dec.k n 1 + inc.k n+1 And Count 0 Count(l n ) def = zero.count 0 + inc.(νl 1 )(Count(i 1 ) l 1.Count 0 ) def = dec. l n.0 + inc.(νl n+1 )(Count(l n+1 ) l n+1.count(l n )) Exercise: Prove that Count 0 K 0.

71 Axiomatization for Consider the set of axioms Axioms A 1 (A0-A4) stating that = is an equality and that + is commutative, associative with neutral element 0, and M + M = M. Axioms A 2 : A0-A4 + axioms for τ actions: A5. P = τ.p A6. M + N + τ.n = M + τ.n A7. M + α.p + α.(τ.p + N) =M + α.(τ.p + N) Exercise: Prove that A 2 can be equivantely defined by replacing A6 with A6 : M + α.p + τ.(α.p + N) =M + τ.(α.p + N)

72 Axiomatization for Consider the set of axioms Axioms A 1 (A0-A4) stating that + is commutative (A1), associative (A2), that M + M = M (A3) and M + 0 = 0 (A4). Axioms A 2 : A0-A4 + Axioms for τ actions: A5. P = τ.p A6. M + N + τ.n = M + τ.n A7. M + α.p + α.(τ.p + N) =M + α.(τ.p + N) Exercise: P def = a.(b.0 + τ.0) and Q def = a.(b.0 + τ.0)+a.0. Prove that A 2 P = Q. Notice: Q has a property that P doesn t: If Q = Q then Q α Q (i.e., α.q is a summand of Q) α

73 Axiomatization for Definition P is in full standard form iff P =Σ i α i.p i where each P i is itself in full standard form; If P = α P then P α P. A full standard form is saturated in the following sense: P α = P then α.p is a summand. The axioms of A 2 allows for saturation. Theorem If P α = P then A 2 P = P + α.p. The above can be used to prove that every P can be converted into a full normal form P so that A 2 P = P.

74 Axiomatization for Proof: Want to show that... If P α = P then A 2 P = P + α.p.

75 Axiomatization for Definition P is in full standard form iff Theorem P =Σ i α i.p i where each P i is itself in normal form; If P = α P then P α P. For every P there exists a full standard form P so that A 2 P = P. Proof. By induction on P. Take all pairs (α i, P i ) such that P = P i but α P P i. By ind. hypothesis each P i is in full standard form. Use the saturation theorem to prove that A 2 P = P +Σα i.p i. Clearly, P is full standard form. α

76 Axiomatization for Definition P is in full standard form iff P =Σ i α i.p i where each P i is itself in full standard form; If P α = P then P α P. A full standard form is saturated in the following sense: P = α P then α.p is a summand. The axioms of A 2 allows for saturation. Theorem If P and Q are finite processes then Proof. P Q if and only if A 2 P = Q Soundness (right to left direction) is easy. To prove completeness, we know there are P and Q in full standard form such that A P = P and A Q = Q. Then show that A P = Q.

77 Process Logic: Verification and Specification Processes can be used to specify and verify behavioural properties: E.g., 2p.tea.0 + 2p.coffe.0 specifies a machine which does not satisfy the behaviour specified by a 2p.(tea.0 + coffe.0). Alternatively, a logic can be used. An example of a property is P will never not execute a bad action or P eventually executes execute a good action.

78 Hennessy&Milner Logic Definition (Logic Syntax) F := true false F 1 F 2 F 1 F 2 K F [K]F where K is a set of actions The boolean operators are interpreted as in propositional logic. K F (possibility) asserts (of a given P): It is possible for P to do a a K and then evolve into a Q that satisfy F. Example: K true expresses the capability for perfoming actions from K [K]F (necessity) asserts (of a given P): If P can do a a K then it must evolve into a Q which satisfies F. Example: K false expresses the inability to initially perform an action in K,

79 Semantics of Hennessy-Milner Logic Definition The compliance of P with the specification F, written P = F, is given by: P = false P = true P = F 1 F 2 iff P = F 1 and P = F 2 P = F 1 F 2 iff P = F 1 or P = F 2 P = K F iff for some Q, P α Q, α K and Q = F P = [K]F iff if P α Q and α K then Q = F

80 From Computability to Concurrency Theory Calculus of Comunicating Systems CCS Verification and Specification. Expressiveness Solutions to Exercises. Examples Hennessy-Milner Logic Verification and Specification B 1 =[2p]([coffe] false tea true): After 2ps are deposited the coffee button cannot be pressed but the tea one can. B 1 =[2p][2p][2p] false: After 4ps are deposited no other coined may be deposited. B 1 = 2p true: You first need to deposite 2p. MPRI C-2-3 MPRI C-2-3: Concurrency (Part 1 of 4)

81 Examples Recall the bad vending machine B 2 : Is there an F such that B 1 = F but B 2 = F (or vice-versa)?

82 Examples Find distinsguish formula for: S = a.(b.c.0 + b.d.0) and S = a.b.c.0 + a.b.d.0.

83 HM Logic and Bisimilarity for Finitely Branching Processes. Example Let P 1 = a.(b.0 + c.0), P 2 = a.b.0 + a.c.0. Also let F = {a} ( {b} true {c} true). Notice that P 1 = F but P 2 = F. Theorem P Q if and onlyp = F iff Q = F for every F.

84 HM Logic and Bisimilarity for Finitely Branching Processes. Theorem P Q if and onlyp = F iff Q = F for every F. Proof. (=>) By induction on F. The interesting case is [a]f. Proof. (<=) Claim that set S of all pair of processes that satisfy the same formulae is a bisimulation. Suppose S is not. Then (P, Q) S so that Q cannot match a move P α P. There are two cases. Case 1: Q does have a transition Q α Q. But then P and Q do not satisfy the same formulae. Case 2: For Q s.t. Q α Q and P satifies a formula than Q doesn t. Then construct a formula that P satisfies but Q doesn t. Exercise. For the proof above the formula has the form a F with F = F 1... F i. What are the assumptions of the above proof? Does the theorem hold in general?

85 HM Logic and Bisimilarity for Finitely Branching Processes: Exercise. Theorem If P and Q are finite processes, then P Q if and onlyp = F iff Q = F for every F. Exercise: Define A ω def = a.a ω and A <ω def =Σ i 0 a i. Show that A <ω is not strongly bisimilar to A <ω + A ω but that they satisfy the same HM formulae.