of the channel that establishes a link between two agents. In this paper we redesign our previous analysis in order to take this information into acco

Transcription

1 Automatic Determination of Communication Topologies in Mobile Systems Arnaud Venet LIX, Ecole Polytechnique, 112 Palaiseau, France. Abstract. The interconnection structure of mobile systems is very dif- cult to predict, since communication between component agents may carry information which dynamically changes that structure. In this paper we design an automatic analysis for statically determining all potential links between the agents of a mobile system specied in the - calculus. For this purpose, we use a nonstandard semantics of the - calculus which allows us to describe precisely the linkage of agents. The analysis algorithm is then derived by abstract interpretation of this semantics. Keywords. -calculus, nonstandard semantics, abstract interpretation. 1 Introduction We are interested in analyzing the evolution of the interconnection structure, or communication topology, in a mobile system of processes, abstracting away all computational aspects but communication. Therefore, we can restrict our study to the -calculus [Mil1, MPW2], which is a widely accepted formalism for describing communication in mobile systems. Whereas the communication topology of systems written in csp [Hoa5] or ccs [Mil] can be directly extracted from the text of the specication, a semantic analysis is required in the -calculus, because communication links may be dynamically created between agents. In the absence of automatic analysis tools this makes the design and debugging of mobile systems very dicult tasks (see [DPLT6] for a detailed case study). In this paper we propose a semantic analysis of the -calculus based on Abstract Interpretation [CC77, CC2] for automatically inferring approximate but sound descriptions of communication topologies in mobile systems. In a previous work [Ven6b] we have presented an analysis of the -calculus which relies on a nonstandard concrete semantics. In that model recursively de- ned agents are identied by the sequence of replication unfoldings from which they stem, whereas the interconnection structure is given by an equivalence relation on the agent communication ports. That semantics is inspired of a representation of sharing in recursive data structures [Jon1] which has been applied to alias analysis [Deu2]. However, the equivalence relation does not capture an important piece of information for debugging and verication purposes: the instance

2 of the channel that establishes a link between two agents. In this paper we redesign our previous analysis in order to take this information into account, while still preserving a comparable level of accuracy. Surprisingly enough, whereas our original analysis was rather complicated, involving heavy operations like transitive closure of binary relations, the rened one is tremendously simpler and only requires very basic primitives. The paper is organized as follows. In Sect. 2 we introduce our representation of mobile systems in the -calculus. Section 3 describes the nonstandard semantics of mobile systems, which makes instances of recursively dened agents and channels explicit. The abstract interpretation gathering information on communication topologies is constructed in Sect. 4. In Sect. 5 we design a computable analysis which is able to infer accurate descriptions of unbounded and nonuniform communication topologies. Related work is discussed in Sect Mobile Systems in the -Calculus We consider the asynchronous version of the polyadic -calculus which was introduced by Turner [Tur5] as a semantic basis of the pict programming language. This restricted version has simpler communication primitives and a more operational avour than the full -calculus, while still ensuring a high expressive power 1. Let N be a countable set of channel names. The syntax of processes is given by the following grammar: P ::= c![x 1 : : : x n ] Message j c?[x 1 : : : x n ]:P Input guard j c?[x 1 : : : x n ]:P Guarded replication j (P j P ) Parallel composition j (x)p Channel creation where c x x 1 : : : x n are channel names. Input guard and channel creation act as name binders, i.e. in the process c?[x 1 : : : x n ]:P (resp. (x)p ) the occurrences of x 1 : : : x n (resp. x) in P are considered bound. Usual rules about scoping, -conversion and substitution apply. We denote by fn(p ) the set of free names of P, i.e. those names which are not in the scope of a binder. Following the cham style [BB2], the standard semantics of the -calculus is given by a structural congruence and a reduction relation on processes. The congruence relation \" satises the following rules: (i) P Q whenever P and Q are -equivalent. (ii) P j Q Q j P. (iii) P j (Q j R) (P j Q) j R. (iv) (x)(y)p (y)(x)p. (v) (x)p j Q (x)(p j Q) if x 62 fn(q). The reduction relation is dened in Fig. 1, where P fx 1 =y 1 : : : x n =y n g denotes the result of substituting every name x i for the name y i in P. This may involve -conversion to avoid capturing one of the x i 's. 1 We can encode the lazy -calculus for example [Bou2].

3 c![x 1 : : : x n ] j c?[y 1 : : : y n ]:P! P fx 1 =y 1 : : : x n =y n g c![x 1 : : : x n ] j c?[y 1 : : : y n ]:P! P fx 1 =y 1 : : : x n =y n g j c?[y 1 : : : y n ]:P P! P 0 P 0 P P! Q Q Q 0 P! P 0 (x)p! P 0 P 0! Q 0 P j Q! P 0 j Q Fig. 1. Reduction relation in the standard semantics. We now have to dene what we mean by a \mobile system in the -calculus". We cannot simply allow a mobile system to be described by any process S. In fact, we are unable to design the nonstandard semantics, and hence the analysis, if we do not require S to be closed, i.e. fn(s) =. In other words, we must consider the system in a whole. In order to make the semantic constructions of the following sections simpler, we add further constraints to the structure of mobile systems, which are inspired of Milner's denition of friendly systems [Mil1]. We denote by x a tuple (x 1 : : : x n ) of channel names. We say that a process is a thread if it is made of a message possibly preceded by some input guards: c 1?[x 1 ] : : : c n?[x n ]:c![x]. We call resource a replicated process of the following form: c?[x]:(y)(t 1 j j T n ) where all the T i 's are threads. A mobile system S is then dened as: S (c)(r 1 j j R n j T 0 ) where the R i 's are resources and T 0 is a message, the initial thread, which originates all communications in the system. The names in c are called the initial channels. Therefore, all threads and channels created by a mobile system are fetched from its resources. Example 1. We model a system S which sets up a ring of communicating processes, where each component agent may only communicate with its left and right neighbours. The system generating a ring of arbitrary size is dened as follows: S (make)(mon)(left 0 )(R 1 j R 2 j make![left 0 ]) where R 1 make?[left]:(right)(mon![left right] j make![right]) is the resource that adds a new component to the chain of processes and R 2 make?[left]:mon![left left 0 ] is the resource that closes the ring. The name \mon" should be seen as a reference to a hidden resource (for example a C program) which monitors the behaviour

4 of a ring component 2. For the sake of clarity, we denote by c the free names of all agents in the system at every stage of its evolution. Then, a ring with four components can be generated by S in four steps as follows: S! (c)(r 1 j R 2 j mon![left 0 right 1 ] j make![right 1 ])! (c)(r 1 j R 2 j mon![left 0 right 1 ] j mon![right 1 right 2 ] j make![right 2 ])! (c)(r 1 j R 2 j mon![left 0 right 1 ] j mon![right 1 right 2 ] j mon![right 2 right 3 ] j make![right 3 ])! (c)(r 1 j R 2 j mon![left 0 right 1 ] j mon![right 1 right 2 ] j mon![right 2 right 3 ] j mon![right 3 left 0 ]) The right i 's represent the successive instances of the channel right created at each request to R 1. As illustrated by the above example, the conguration of a mobile system at any stage of its evolution has the following particular form: (c)(r 1 j j R {z m j T } 1 j j T n ) {z } Resources Threads where R 1 : : : R m are the resources originally present in the system. Intuitively, every thread T i or channel c i present in the conguration could be unambiguously identied with the instant of its creation in the history of computations. Unfortunately, this precious information is not captured by the standard semantics. The process of -conversion in particular, which is inherent to the denition of the semantics, destroys the identity of channels. The purpose of the next section is to introduce a rened semantics of the -calculus which restores this information. 3 Nonstandard Semantics of Mobile Systems Let S be a mobile system described in the -calculus. In order to identify the threads and channels created by the system, we must be able to locate the syntactic components of S from which they stem. This is the role of the following notations. We denote by R(S) the number of resources in S. We assume that every resource is assigned a unique number r in f1 : : : R(S)g. For any such r, we denote by S r the corresponding resource in S and by T(r) the number of threads spawned by the resource. We similarly assign a unique number t in f1 : : : T(r)g to every thread in S r and we denote by S rt this thread, which has the following form: S rt = c 1?[x 1 ] : : : c A(rt)?1?[x A(rt)?1 ]:c A(rt)![x A(rt) ] 2 Recall that we only take communications into account, abstracting away all other computational aspects like the details of the monitoring procedure here.

5 where A(r t) is the number of input/output actions in S rt. Note that A(r t) is always nonzero because a thread contains at least one message. For 1 6 n 6 A(r t), we denote by act(r t n) the n-th input/output action of S rt, and by S n the subterm c n?[x n ] : : : c A(rt)![x A(rt) ] of S rt starting at the n-th input/output action act(r t n). By convention, the initial thread is assigned the resource number 0. Finally, given a resource number r such that S r c?[x]:(y 1 ) : : : (y n )(T 1 j j T T(r) ) we put guard(r) = c?[x] and C(r) = fy 1 : : : y n g. Example 2. We consider the system of Example 1 which contains two resources R 1 and R 2. We put S 1 = R 1 and S 2 = R 2. Thus we have: { guard(1) = make?[left] C(1) = frightg T(1) = 2 S 11 = mon![left right] S 12 = make![right] A(1 1) = A(1 2) = 1. { guard(2) = make?[left] C(2) = T(2) = 1 S 21 = mon![left left 0 ] A(2 1) = 1. The initial thread is S 01 = make![left 0 ]. A conguration of S in the nonstandard semantics is a nite set of thread instances. We do not need to represent resources since they are statically given and accessible by all the threads in any state of the system. A thread instance is a tuple hr t n id Ei where 1 6 r 6 R(S), 1 6 t 6 T(r), 1 6 n 6 A(r t), id is a thread identier and E is an environment. The thread identier is the history of resource requests which led to the creation of the thread, starting from the initial one. A resource request being nothing more than a message to a replicated process, it can be identied with the thread that released this message. If we denote by Thr(S) = f(r t) j 1 6 r 6 R(S) 1 6 t 6 T(r)g the set of all threads originally present in the system, then id 2 Thr(S). The empty sequence " is the identier of the initial thread. The environment E maps every free name x 2 fn(s n) of the thread instance to a channel instance. A channel instance is a tuple (r 0 y id 0 ) where 1 6 r 0 6 R(S), y 2 C(r 0 ) and id 0 is a channel identier. Instances of initial channels are represented similarly except that they are assigned the resource number 0. The channel identier is the history of resource requests that led to the creation of the instance of channel y by resource r 0. Therefore, channel identiers and thread identiers are represented identically, i.e. id 0 2 Thr(S). Similarly, the identier of an initial channel is the empty sequence ". We assume that there is no overlapping of scopes in the mobile system, i.e. we forbid terms like x?[y]:y?[y]:y![z] or c?[y z]:(y)z![y]. This assumption can always be satised by appropriate -conversion. The transition relation \." of the nonstandard operational semantics is dened in Fig. 2 and Fig. 3. It should be clear that without the hypothesis on name scoping, the denition of the resulting environments is ambiguous. The two transition rules correspond to the

6 two kinds of operations that may arise in a mobile system: resource fetching and communication between threads. The initial conguration C 0 of the nonstandard semantics is given by C 0 = fh0 1 1 " E 0 ig where the environment E 0 maps any z 2 fn(s 1) to the instance (0 z ") of the corresponding initial channel. Example 3. Using the notations of Example 2, a ring with four components is described in the nonstandard semantics as follows: * < mon 7! (0 mon ") = (0 1) left 7! (0 left : 0 ") right 7! (1 right (0 1)) * < mon 7! (0 mon ") = (0 1):(1 2) left 7! (1 right (0 1)) : >< right 7! (1 right (0 1):(1 2)) >= * < mon 7! (0 mon ") = (0 1):(1 2) 2 left 7! (1 right (0 1):(1 2)) : right 7! (1 right (0 1):(1 2) 2 ) * < mon 7! (0 mon ") = (0 1):(1 2) >: 3 left 7! (1 right (0 1):(1 2) : 2 ) > left 0 7! (0 left 0 ") The generative process of the ring is now made entirely explicit thanks to the information carried by thread and channel identiers (compare with the corresponding computation in the standard semantics given in example 1). Both semantics can be shown to be equivalent by dening the translation of a nonstandard conguration C of S to a term (C) of the -calculus and by applying a bisimulation argument. We may assume without loss of generality that the -terms we will generate are built upon the set of names N 0 dened as the disjoint union of N with the set of all channel instances (r y id) that could be created by S. We identify an environment with a substitution over N 0. We denote by P the result of applying a substitution to a -term P. Then, for any nonstandard conguration C = fhr 1 t 1 n 1 id 1 E 1 i : : : hr k t k n k id k E k ig we dene the translation (C) as follows: (C) = (c)(s 1 E 0 1 j j S R(S)E 0 R(S) j (S r 1t n 1 )E 1 j j (S rk t n k )E k ) where, for 1 6 r 6 R(S), E 0 r is the environment which maps any z 2 fn(s r ) to (0 z "). The channels in c are all those which have a free occurrence in some agent of the top-level parallel composition of (C). Theorem 4. If C 0. C and C. C 0, then (C)! (C 0 ). If C 0. C and (C)! P, then there exists C 0 such that C. C 0 and P (C 0 ).

7 If there are 2 C and 1 6 r 0 6 R(S) such that: { = hr t n id Ei { act(r t n) = x![x 1 : : : x k ] { guard(r 0 ) = c?[y 1 : : : y k ] { E(x) = (0 c ") then C. (C? fg) [ fhr 0 t 0 1 id :(r t) E t 0i j 1 6 t 0 6 T(r 0 )g where, for all 1 6 t 0 6 T(r 0 ) and z 2 fn(s r0 1) 0 < E(x i ) if z = y i, 1 6 i 6 k E t 0(z) = (r : 0 z id:(r t)) if z 2 C(r 0 ) (0 z ") otherwise, i.e. if z is an initial channel Fig. 2. Resource fetching. A nonstandard conguration describes the communication topology of a mobile system at a particular moment of its evolution in terms of the resources initially present in the system. Therefore, the nonstandard semantics is a good basis for deriving an analysis, since the resulting information can be used to determine the role of each syntactic component of the system in the evolution of its interconnection structure. Constructing a computable abstraction of this semantics is the purpose of the next section. 4 Abstract Interpretation of Mobile Systems We denote by C the set of all possible nonstandard congurations for a system S. We are actually interested in the set S = fc 2 C j C 0. Cg of congurations of the system which are accessible from the initial one by a nite sequence of computations. This is the collecting semantics of S [Cou1], which can be expressed as the least xpoint of the [-complete endomorphism IF on the complete lattice (}(C) [ \ C) dened as follows: IF(X) = fc 0 g [ fc j C 0 2 X : C 0. Cg Following the methodology of Abstract Interpretation [CC77, CC2], we construct a lattice (C ] v t? u >), the abstract domain, allowing us to give nite descriptions of innite sets of congurations. This domain is related to }(C) via a monotone map : (C ] v)! (}(C) ), the concretization function. Then we derive an abstract counterpart IF ] : C ]! C ] of IF which must be sound with respect to, that is: IF IF ]. The abstract domain C ] is based upon a global abstraction of all environments in a nonstandard conguration. We assume that we are provided

8 If there are 2 C such that: { = hr t n id Ei { = hr 0 t 0 n 0 id 0 E 0 i { act(r t n) = x![x 1 : : : x k ] { act(r 0 t 0 n 0 ) = y?[y 1 : : : y k ] { E(x) = E 0 (y) then where, for all z 2 fn(s r0 t n0 1) C. (C? f g) [ fhr 0 t 0 n 0 1 id 0 E 00 ig E 00 E(xi ) (z) = E 0 (z) if z = y i, 1 6 i 6 k otherwise Fig. 3. Communication between threads. with a lattice (Id ] 2 v 2 t 2? 2 u 2 > 2 ) and a monotone map 2 : (Id ] 2 v 2)! (}(Thr(S) Thr(S) ) ). This lattice is left as a parameter of our abstraction. It will be instantiated in the next section when we will set up an eective analysis. Let Chan(S) be the set f(r t n x r 0 y) j (r t) 2 Thr(S) n 2 A(r t) x 2 fn(s n) 1 6 r 0 6 R(S) y 2 C(r 0 )g of all possible syntactic relations between a free name in a thread and a channel created by a resource of the system. The abstract domain C ] is then dened as C ] = Chan(S)! Id ] 2, the lattice operations being the pointwise extensions of those in Id ] 2. Given an abstract conguration C ], (C ] ) is the set of nonstandard congurations C such that, for any hr t n id Ei 2 C and any x 2 fn(s n), the following condition is satised: E(x) = (r 0 y id 0 ) ) (id id 0 ) 2 2 (C ] (r t n x r 0 y)) Monotonicity of is readily checked. For the sake of readability, we will denote an abstract conguration C ] by its graph fh{1 7! id ] 1 i : : : h{ n 7! id ] nig, where the {i's are in Chan(S) and each id ] j is in Id] 2. We may safely omit to write pairs of the form h{ 7!? 2 i. The abstract semantics is given by a transition relation on abstract congurations. In the relation C ] 1 C] 2, the conguration C] 2 represents the modication to the communication topology of C ] 1 induced by an abstract computation. Therefore, the function IF ] is given by: IF ] (C ] ) = C ] 0 t C] t G fc ] j C ] C ] g where C ] 0 is the initial abstract conguration dened as fh0 1 1 x 0 xi 7! " 2 j x 2 fn(s 1)g, " 2 being a distinguished element of Id ] 2 such that (" ") 2 2 (" 2 ). The transition relation is dened in Fig. 4 and Fig. 5 by using the

9 If there are h(r t n x 0 c) 7! id ] i 2 C ] and 1 6 r 0 6 R(S) such that: { act(r t n) = x![x 1 : : : x k ] { guard(r 0 ) = c?[y 1 : : : y k ] { id ] 6=? 2 then C ] fh{ 7! id ] t 0 zr 00 w i j { = (r0 t 0 1 z r 00 w) 1 6 t 0 6 T(r 0 )g where, for all 1 6 t 0 6 T(r 0 ) push (rt) (C ] (r t n x i r 00 w)) if z = y i 1 6 i 6 k ><? 2 if z 2 C(r 0 ) and (r 00 w) 6= (r 0 z) id ] t 0 zr 00 w = dpush (rt) (C ] (r t n x 0 c)) if z 2 C(r 0 ) and (r 00 w) = (r 0 z)? >: 2 if z is initial and (r 00 w) 6= (0 z) spush(c ] (r t n x 0 c)) if z is initial and (r 00 w) = (0 z) Fig. 4. Abstract resource fetching. following abstract primitives: a \push" operation push : Id ] 2! Id] 2, a \double push" dpush : Id ] 2! Id] 2 and a \single push" spush : Id ] 2! Id] 2 dened for any 2 Thr(S), a \synchronization" operator sync : Id ] 2 Id] 2! Id] 2 and a \swapping" operation swap : Id ] 2! Id] 2. These operations depend on the choice of Id ] 2, however they must satisfy some soundness conditions: { For any 2 Thr(S) and id ] 2 Id ] 2, f(id : id 0 ) j (id id 0 ) 2 2 (id ] )g 2 (push (id ] )). { For any 2 Thr(S) and id ] 2 Id ] 2, f(id : id :) j (id id 0 ) 2 2 (id ] )g 2 (dpush (id ] )). { For any 2 Thr(S) and id ] 2 Id ] 2, f(id : ") j (id id 0 ) 2 2 (id ] )g 2 (spush (id ] )). { For any id ] 2 Id ] 2, f(id 0 id) j (id id 0 ) 2 2 (id ] )g 2 (swap(id ] )). { For any id ] 1 id ] 2 2 Id] 2, f(id 1 id 2 ) j id 0 2 Thr(S) : (id 1 id 0 ) 2 2 (id ] 1 ) ^ (id 2 id 0 ) 2 2 (id ] 2 )g 2(sync(id ] 1 id ] 2 )). Intuitively, the push operation concatenates to the rst component of every pair of identiers. The dpush and spush operations act similarly, except that dpush duplicates the rst component into the second one and spush sets the second component to ". The swap operation permutes the components of every pair of identiers. The sync operation extracts pairs of identiers corresponding to redexes, i.e. pairs of agents linked to the same instance of a channel. Proposition 5. If C 2 (C ] ) and C. C 0, then there exists C ] in C ], such that C ] C ] and C 0 2 (C ] t C ] ).

10 If there are h{1 7! id ] 1 i h{ 2 7! id ] 2 i 2 C] such that: { {1 = (r t n x r 00 u) { {2 = (r 0 t 0 n 0 y r 00 u) { act(r t n) = x![x 1 : : : x k ] { act(r 0 t 0 n 0 ) = y?[y 1 : : : y k ] { id ] s = sync(id ] 1 id ] 2 ) 6=? 2 then C ] fh{ 7! id ] zr 000 w i j { = (r0 t 0 n 0 1 z r 000 w)g where, if we put id ] ir 000 w = C ] (r n t x i r 000 w) for 1 6 i 6 k ( id ] zr 000 w = swap(sync(swap(id ] ir w) swap(id ] s))) if z = y 000 i, 1 6 i 6 k C ] (r 0 t 0 n 0 z r 000 w) otherwise Fig. 5. Abstract communication between threads. The soundness of IF ] is then a simple consequence of the previous result. It is remarkable that the soundness of the whole semantics depends only on very simple conditions over some primitive operations. This means that we only need to construct the domain Id ] 2 and instantiate those operations to obtain a computable and sound abstract semantics. This is the goal that we will achieve in the next section. 5 Design of a Computable Analysis The collecting semantics S is the least xpoint of IF. Therefore, by Kleene's theorem, it is the limit of the following increasing iteration sequence: S0 = S n1 = IF(S n ) Following [CC77, Cou1] we will compute a sound approximation S ] of S by mimicking this iteration, using IF ] instead of IF. Since the resulting computation may not terminate, we use a widening operator to enforce convergence in nitely many steps. A widening operator r : C ] C ]! C ] must satisfy the following conditions: { For any C ] 1 C] 2 2 C], C ] 1 t C] 2 v C] 1 r C] 2. { For any sequence (C ] n) n>0, the sequence (C ] n) n>0 dened as: ( C ] 0 = C ] 0 C ] n1 = C ] n r C] n1

11 is ultimately stationary. Note that we can construct a widening on C ] from an existing widening r 2 on Id ] 2 by pointwise application of r 2. We dene the approximate iteration sequence (S ] n) n>0 as follows: < S ] 0 =? S : ] n1 = S ] n r IF ] (S ] n) if :(IF ] (S ] n) v S ] n) S ] n1 = S ] n if IF ] (S ] n) v S ] n Convergence is ensured by the following result: Theorem 6 [Cou1]. The sequence (S ] n) n>0 is ultimately stationary and its limit S ] satises S (S ] ). Moreover, if N > 0 is such that S ] N1 = S ] N, then for all n > N, S ] n = S ] N. This provides us with an algorithm for automatically computing a sound approximation of S. It now remains to instantiate the domain Id ] 2 and the associated abstract primitives. We will design two abstractions of }(Thr(S) Thr(S) ), each one capturing a particular kind of information. Our rst abstraction captures sequencing information and is based upon an approximation of thread and channel identiers by regular languages. Let (Reg [ \ Thr(S) ) be the lattice of regular languages over the alphabet Thr(S) ordered by set inclusion. We dene Id ] reg as the product lattice Reg Reg. The concretization reg is given by reg (L 1 L 2 ) = L 1 L 2. The associated abstract primitives are dened as follows: { push reg (L 1 L 2 ) = (L 1 : L 2 ) { dpush reg (L 1 L 2 ) = (L 1 : L 1 :) { spush reg (L 1 L 2 ) = (L 1 : ") { swap reg (L 1 L 2 ) = (L 2 L 1 ) { sync reg ((L 1 L 2 ) (L 0 1 (L1 L L0 2)) = 0 1) if L 2 \ L 0 2 6= ( ) otherwise The soundness conditions are easily checked. The element " reg 2 is given by (" "). Since Id ] reg may have innite strictly increasing chains, we must dene a widening operator r reg 2. It is sucient to construct a widening r reg on Reg and to apply it componentwise to elements of Id ] reg. A simple choice for L 1 r reg L 2 consists of quotienting the minimal automaton of L 1 [ L 2 such that any letter of the alphabet may occur at most once in the automaton. The resulting automaton is minimal, and there are nitely many such automata, which ensures the stabilization property. The second approximation captures counting relations between the components of a tuple of thread or channel identiers. This will allow us to give nonuniform descriptions of recursively dened communication topologies. Suppose that we are given an innite set of variables V. We assign two distinct variables x and y to each element of Thr(S). Now we consider a nite system K of linear equality constraints over the variables V with coecients in Q. If we denote

12 by jidj the number of occurrences of in the sequence id, the concretization num (K) of K is the set of all pairs (id id 0 ) such that the following variable assignment: fx 7! jidj y 7! jid 0 j j 2 Thr(S)g is a solution of K. The domain of nite systems of linear equality constraints over V ordered by inclusion of solution sets can be turned into a lattice Id ] num. This domain has been originally introduced by Karr [Kar76]. We refer the reader to the original paper for a detailed algorithmic description of lattice operations. We could use more sophisticated domains of computable numerical constraints such as linear inequalities [CH7] or linear congruences [Gra1], but the underlying algorithmics is much more involved. Nevertheless, giving a rigorous construction of the abstract primitives on Id ] num would be still very technical. Therefore, for the sake of readability, we only outline the denition of these primitives: { push num (K) is the system of constraints K in which we have replaced every occurrence of the variable x by the expression x? 1. { If K is a system of linear equality constraints, we denote by K x the system in which we have removed all constraints involving a variable y. Then dpush num (K) is the system push num (K x ) with the additional constraints x 0 = y 0, for any 0 2 Thr(S). { Similarly, spush num (K) is the system push num (K x ) with the additional constraints y 0 = 0, for any 0 2 Thr(S). { swap num (K) is the system in which we have replaced each occurrence of x by y and vice-versa. { Let K 1 and K 2 be two systems of linear equality constraints. For any 2 Thr(S), let x 0 and y 0 be fresh variables of V. Let K2 0 be the system K 2 in which we have substituted each occurrence of x (resp. y ) by x 0 (resp. y). 0 We construct the system K 12 as the union of K 1 and K2 0 together with the additional constraints y = y, 0 for any 2 Thr(S). Then, we dene sync num (K 1 K 2 ) as the system K 12 in which we have removed all constraints involving a variable y or y, 0 each remaining variable x 0 being renamed in y. Note that a normalization pass (namely a Gauss reduction) has to be performed on the system after or during each of these operations. The element " num 2 is given by the system of constraints fx = 0 y = 0 j 2 Thr(S)g. Since we only consider systems dened over the nite set of variables fx y j 2 Thr(S)g, we cannot have innite strictly increasing chains [Kar76]. Therefore, we can use the join operation t num as a widening. Example 7. We consider the product of domains Id ] reg and Id ] num and we run the analysis on the system of Example 1 with the notations of Example 2. For the sake of readability, at each step we only write the elements of the abstract conguration that dier from the previous iteration. Moreover, we do not gure trivial constraints of the form x = 0 whenever they can be deduced from the Id ] reg component.

13 First iteration. h0 1 1 make 0 makei 7! h(" ") >numi h0 1 1 left 0 0 left 0 i 7! h(" ") > num i Second iteration. h1 1 1 mon 0 moni 7! h((0 1) ") x (01) = 1i h1 1 1 left 0 left 0 i 7! h((0 1) ") x (01) = 1i h1 1 1 right 1 righti 7! h((0 1) (0 1)) x >< (01) = y (01) = 1i >= h1 2 1 make 0 makei 7! h((0 1) ") x (01) = 1i h1 2 1 right 1 righti 7! h((0 1) (0 1)) x (01) = y (01) = 1i h2 1 1 mon 0 moni 7! h((0 1) ") x (01) = 1i h2 1 1 left >: 0 0 left 0 i 7! h((0 1) ") x (01) = 1i > h2 1 1 left 0 left 0 i 7! h((0 1) ") x (01) = 1i Third iteration. h1 1 1 mon 0 moni 7! h((0 1):(" (1 2)) ") x (01) = 1i x(01) = y h1 1 1 left 0 righti 7! (01) = 1 ((0 1):(1 2) (0 1)) x (12) = 1 * ((0 1):(" (1 2)) (0 1):(" (1 2))) h1 1 1 right 1 righti 7! x(01) = y (01) = 1 x >< (12) = y (12) >= h1 2 1 make 0 makei 7! h((0 1):(" (1 2)) ") x (01) = 1i * ((0 1):(" (1 2)) (0 1):(" (1 2))) h1 2 1 right 1 righti 7! x(01) = y (01) = 1 x (12) = y (12) h2 1 1 mon 0 moni 7! h((0 1):(" (1 2)) ") x (01) = 1i h2 1 1 left 0 0 left 0 i 7! h((0 1):(" (1 2))) ") x (01) = 1i x(01) = y >: h2 1 1 left 0 righti 7! (01) = 1 ((0 1):(1 2) (0 1)) > x (12) = 1 Fourth iteration. h1 1 1 mon 0 moni 7! h((0 1):(1 2) ") x (01) = 1i * ((0 1):(1 2) (0 1):(" (1 2))) h1 1 1 left 0 righti 7! x(01) = y (01) = 1 x (12) = y (12) 1 * ((0 1):(1 2) (0 1):(1 2) ) h1 1 1 right 1 righti 7! x(01) = y (01) = 1 x >< (12) = y (12) >= h1 2 1 make 0 makei 7! h((0 1):(1 2) ") x (01) = 1i * ((0 1):(1 2) (0 1):(1 2) ) h1 2 1 right 1 righti 7! x(01) = y (01) = 1 x (12) = y (12) h2 1 1 mon 0 moni 7! h((0 1):(1 2) ") x (01) = 1i h2 1 1 left 0 0 left 0 i 7! h((0 1):(1 2) ") x (01) = 1i * ((0 1):(1 2) (0 1):(" (1 2))) h2 1 1 left 0 righti 7! x(01) = y >: (01) = 1 > x (12) = y (12) 1

14 Fifth iteration. h1 1 1 left 0 righti 7! >< h2 1 1 left 0 righti 7! >: h2 1 1 left 0 righti 7! >: * ((0 1):(1 2) (0 1):(1 2) ) x(01) = y (01) = 1 x (12) = y (12) 1 * ((0 1):(1 2) (0 1):(1 2) ) x(01) = y (01) = 1 x (12) = y (12) 1 At the sixth iteration step we nd the same conguration. Therefore, following Theorem 6, we know that the limit has been reached. Putting all previous computations together, we obtain: h0 1 1 make 0 makei 7! h(" ") > num i h0 1 1 left 0 0 left 0 i 7! h(" ") > num i h1 1 1 mon 0 moni 7! h((0 1):(1 2) ") x (01) = 1i h1 1 1 left 0 left 0 i 7! h((0 1) ") x (01) = 1i * ((0 1):(1 2) (0 1):(1 2) ) h1 1 1 left 0 righti 7! x(01) = y (01) = 1 x (12) = y (12) 1 * ((0 1):(1 2) (0 1):(1 2) ) h1 1 1 right 1 righti 7! x(01) = y >< (01) = 1 >= S ] x = (12) = y (12) h1 2 1 make 0 makei 7! h((0 1):(1 2) ") x (01) = 1i * ((0 1):(1 2) (0 1):(1 2) ) h1 2 1 right 1 righti 7! x(01) = y (01) = 1 x (12) = y (12) h2 1 1 mon 0 moni 7! h((0 1):(1 2) ") x (01) = 1i h2 1 1 left 0 0 left 0 i 7! h((0 1):(1 2) ") x (01) = 1i h2 1 1 left 0 left 0 i 7! h((0 1) ") x (01) = 1i * ((0 1):(1 2) (0 1):(1 2) ) x(01) = y (01) = 1 x (12) = y (12) 1 This is a very accurate description of the communication topology of the ring. In particular, we are able to distinguish between instances of recursively dened agents and channels. 6 Conclusion We have described a parametric analysis framework for automatically inferring communication topologies of mobile systems specied in the -calculus. We have instantiated this framework to obtain an eective analysis which is able to give nite descriptions of unbounded communication topologies that distinguish between instances of recursively dened components. To our knowledge this is the only existing analysis of mobile systems (excluding [Ven6b]) which can produce results of that level of accuracy without any strong restriction on the >= > >

15 base language. Previous works addressed the issue of communication analysis in csp [CC0, Mer1] or cml [NN4, Col5a, Col5b]. In the latter papers, the analysis techniques heavily rely on cml type information and cannot be applied to more general untyped languages like the -calculus. In order to keep the presentation clear within a limited space, we had to make some simplifying assumptions that can be relaxed in many ways, for example by using more expressive abstract domains to denote relations between thread and channel identiers, like cobered domains [Ven6a, Ven], by rening the abstract semantics to take more information into account, like the number of instances of a channel or a thread, or by considering a richer version of the - calculus with guarded choice, matching and nested replications. Finally, in view of the encodings of classical language constructs (data structures, references, control structures) in the -calculus, it would be interesting to study the possiblity of using a static analysis of the -calculus as a universal analysis back-end for high-level languages. Acknowledgements. I wish to thank Radhia Cousot, Patrick Cousot, Ian Mackie and the anonymous referees for useful comments on a rst version of this paper. References [BB2] G. Berry and G. Boudol. The chemical abstract machine. Theoretical Computer Science, 6:217{24, 12. [Bou2] G. Boudol. Asynchrony and the -calculus. Technical Report 1702, INRIA, 12. [CC77] P. Cousot and R. Cousot. Abstract interpretation: a unied lattice model for static analysis of programs by construction or approximation of xpoints. In Conference Record of the Fourth ACM Symposium on Principles of Programming Languages, pages 23{252, 177. [CC0] P. Cousot and R. Cousot. Semantic analysis of communicating sequential processes. In Seventh International Colloquium on Automata, Languages and Programming, volume 5 of LNCS, 10. [CC2] P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of logic and computation, 2(4):511{547, August 12. [CH7] P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In Proceedings of the Fifth Conference on Principles of Programming Languages. ACM Press, 17. [Col5a] C. Colby. Analyzing the communication topology of concurrent programs. In Symposium on Partial Evaluation and Program Manipulation, 15. [Col5b] C. Colby. Determining storage properties of sequential and concurrent programs with assignment and structured data. In Proceedings of the Second International Static Analysis Symposium, volume 3 of Lecture Notes in Computer Science, pages 64{1. Springer-Verlag, 15. [Cou1] P. Cousot. Semantic foundations of program analysis. In S.S. Muchnick and N.D. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 10, pages 303{342. Prentice-Hall, Inc., Englewood Clis, 11.

16 [Deu2] A. Deutsch. A storeless model of aliasing and its abstraction using nite representations of right-regular equivalence relations. In Proceedings of the 12 International Conference on Computer Languages, pages 2{13. IEEE Computer Society Press, 12. [DPLT6] P. Degano, C. Priami, L. Leth, and B. Thomsen. Analysis of facile programs: A case study. In Proceedings of the Fifth LOMAPS Workshop on Analysis and Verication of Multiple-Agent Languages, volume 112 of Lecture Notes in Computer Science, pages 345{36. Springer-Verlag, 16. [Gra1] P. Granger. Static analysis of linear congruence equalities among variables of a program. In TAPSOFT'1, volume 43. Lecture Notes in Computer Science, 11. [Hoa5] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall, 15. [Jon1] H.B.M Jonkers. Abstract storage structures. In De Bakker and Van Vliet, [Kar76] editors, Algorithmic languages, pages 321{343. IFIP, 11. M. Karr. Ane relationships among variables of a program. Acta Informatica, pages 133{151, 176. [Mer1] N. Mercouro. An algorithm for analysing communicating processes. In Mathematical Foundations of Programming Semantics, volume 5 of LNCS, 11. [Mil] R. Milner. Communication and Concurrency. Prentice Hall, 1. [Mil1] R. Milner. The polyadic -calculus: a tutorial. In Proceedings of the International Summer School on Logic and Algebra of Specication. Springer-Verlag, 11. [MPW2] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes. Information and Computation, 100:1{77, 12. [NN4] H. R. Nielson and F. Nielson. Higher-order concurrent programs with - nite communication topology. In 21 st ACM Symposium on Principles of Programming Languages, 14. [Tur5] [Ven6a] D. N. Turner. The Polymorphic Pi-Calculus: Theory and Implementation. PhD thesis, Edinburgh University, 15. A. Venet. Abstract cobered domains: Application to the alias analysis of untyped programs. In Proceedings of the Third International Static Analysis Symposium SAS'6, volume 1145 of Lecture Notes in Computer Science, pages 366{32. Springer-Verlag, 16. [Ven6b] A. Venet. Abstract interpretation of the -calculus. In Proceedings of the Fifth LOMAPS Workshop on Analysis and Verication of High-Level Concurrent Languages, volume 112 of Lecture Notes in Computer Science, pages 51{75. Springer-Verlag, 16. [Ven] A. Venet. Automatic analysis of pointer aliasing for untyped programs. Science of Computer Programming, 1. To appear.