Concurrency theory. proof-techniques for syncronous and asynchronous pi-calculus. Francesco Zappa Nardelli. INRIA Rocquencourt, MOSCOVA research team

Transcription

1 Concurrency theory proof-techniques for syncronous and asynchronous pi-calculus Francesco Zappa Nardelli INRIA Rocquencourt, MOSCOVA research team francesco.zappa together with Frank Valencia (INRIA Futurs) Catuscia alamidessi (INRIA Futurs) Roberto Amadio (S) MRI - Concurrency October 15, 2007

2 Summary of last episode The syntax and reduction semantics of pi-calculus. A general and intuitive contextual equivalence. Relationship between lts + bisimulation and contextual equivalence. with proofs for CCS 1

3 Summary of actions in pi-calculus LTS l kind fn(l) bn(l) n(l) x y free output {x, y} {x, y} (νy)x y bound output {x} {y} {x, y} x(y) input {x, y} {x, y} τ internal 2

4 Back on pi-calculus LTS x v. x v x(y). x(v) { v / y } x v Q x(v) Q Q τ Q l bn(l) fn(q) = l v n(l)! l Q l Q (νv) l (νv)! l x v x v (νv)x v Q x(v) Q v fn(q) (νv) (νv)x v Q τ (νv)( Q ) 3

5 Subtleties of pi-calculus LTS Exercise: derive a τ transition corresponding to this reduction: (νx)a x. a(y).q (νx)( Q{ x / y }) Exercise: each side condition in the definition of the LTS is needed to have the theorem Q iff τ Q Remove on side condition at a time and find counter-examples to this theorem. 4

6 Weak bisimulation is a sound proof technique for reduction barbed congruence rove that weak bisimulation is reduction closed. rove that weak bisimulation is barb preserving. rove that weak-bisimulation is a congruence....at the blackboard...at the blackboard...ahem, think twice... 5

7 On soundness of weak bisimilarity Exercise: Consider the terms (in a pi-calculus extended with +): = x v y(z) Q = x v.y(z) + y(z).x v 1. rove that Q Does Q? 2 1 Does this hold if we replace + by 1 2 = (νw)(w w(). 1 w(). 2 ) in Q? 2 Hint: define a context that equates the names x and y. 6

8 Bisimilarity is not a congruence In pi-calculus, bisimilarity (both strong and weak) is not preserved by input prefixes, that is contexts of the form C[ ] = x(y).. Question: how to recover the soundness of the bisimilarity with respect to the reduction barbed congruence? Two solutions: 1. close the reduction barbed congruence under all non input prefix contexts; 2. close the bisimilarity under substitution: let c Q ( is fully bisimilar with Q) if σ Qσ for all substitutions σ. Exercise: Show that c Q, where and Q are defined in the previous slide. 7

9 And completeness? Completeness of bisimulation with respect to barbed congruence 3 (closed under non-input prefixes, denoted ) holds in the strong case. In the weak case, we have that for = a x E xy Q = a y E xy where E xy =!x(z).y z!y(z).x z it holds that Q but Q for each context C[ ]. Completeness (for image-finite processes) holds if a name-matching operator is added to the language. 3 barbed congruence is a variant of reduction-closed barbed congruence in which closure under context is allowed only at the beginning of the bisimulation game. 8

10 How to prove... To show that two processes are bisimilar, it is enough to fo find a bisimulation relating them. Easy? Example: we want to show that (in the pi-calculus) bisimilarity is preserved by parallel composition. We naturally consider R = {( R, Q R) : Q} as a candidate bisimulation. But... 9

11 The candidate bisimulation 1. may be larger than at first envisaged; 2. may be infinite; example: to show that x(z).y z (νw)(x(z).w z w(v).y v ), we must consider: {(x(z).y z, (νw)(x(z).w z w(v).y v ))} {(y a, (νw)(w a w(v).y v )) : a arbitrary} {(y a, (νw)(0 y a )) : a arbitrary} {(0, (νw)(0 0))} 3. hard to guess; which is the smallest bisimulation relating!! and!? 4. awkward to describe and to work with... 10

12 Up-to proof techniques Idea: find classes of relations that: 1. are not themselves bisimulations; 2. can be automatically completed into bisimulations. Idea, explained: if we had such a class then to prove that two processes are bisimilar it would be enough to exhibit a relation in this class 4 that contains the two processes. Example: bisimulation up to (analogous to what we did with CCS). 4 Hopefully, it is easier to find such relation than to find the candidate bisimulation directly. 11

13 Bisimulation up to non-input context A symmetric relation R is a bisimulation up-to non-input context if whenever R Q and l then there exists a process Q such that Q = ˆl Q and there exist a non-input context C[ ] and processes and Q such that C[ ], Q C[Q ], and R Q. Exercise: rove that if R is a bisimulation up to non-input context, then {(C[ ], C[Q]) : R Q and C[ ] is a non-input context} is a bisimulation up to structural congruence. Exercise: rove that!!! (hint: show that the relation R = {(!!,! )} is a bisimulation up to non-input context). 12

14 Alternative LTS rules for replication It is often convenient to replace the rule:! l! l with the three rules: l x y 1 x(y) 2 (νy)x y 1 x(y) 2! l!! τ ( 1 2 )!! τ (νy)( 1 2 )! 13

15 Theorems about replication The equivalence!!! shows that duplication of a replicable resource has no behavioural effect. Consider now (νx)(!x(y).q) We may call!x(y).q a private resource of. Suppose 1 that 2. It holds ) ) ) (νx) ( 1 2!x(y).Q (νx) ( 1!x(y).Q (νx) ( 2!x(y).Q provided that 1 and 2 never read over x. 14

16 Intermezzo: two applications of process languages rotocol verification using the Mobility Workbench ost-hoc specification of TC Demos 15

17 Asynchronous communication CCS and pi-calculus (and many others) are based on synchronized interaction, that is, the acts of sending a datum and receiving it coincide: a. a.q Q. In real-world distributed systems, sending a datum and receiving it are distinct acts: a. a.q a a.q Q. In an asynchronous world, the prefix. does not express temporal precedence. 16

18 Asynchronous interaction made easy Idea: the only term than can appear underneath an output prefix is 0. Intuition: an unguarded occurence of x y can be thought of as a datum y in an implicit communication medium tagged with x. Formally: x y x(z). { y / z }. We suppose that the communication medium has unbounded capacity and preserves no ordering among output particles. 17

19 Asynchronous pi-calculus Syntax: ::= 0 x(y). x y (νx)! The definitions of free and bound names, of structural congruence, and of the reduction relation are inherited from pi-calculus. 18

20 Examples Sequentialization of output actions is still possible: (νy, z)(x y y z z a R). Synchronous communication can be implemented by waiting for an acknoledgement: [ x y. ] = (νu)(x y, u u(). ) [ x(v).q ] = x(v, w).(w Q) for w Q Exercise: implement synchronous communication without relying on polyadic primitives. 19

21 Contextual equivalence and asynchronous pi-calculus It is natural to impose two constraints to the basic recipe: compare terms using only asynchronous contexts; restrict the observables to be co-names. To observe a process is to interact with it by performing a complementary action and reporting it: in asynchronous pi-calculus input actions cannot be observed. 20

22 A peculiarity of synchronous equivalences The terms =!x(z).x z Q = 0 are not reduction barbed congruent, but they are asynchronous reduction barbed congruent. Intuition: in an asynchronous world, if the medium is unbound, then buffers do not influence the computation. 21

23 A proof method Consider now the weak bisimilarity s built on top of the standard (early) LTS for pi-calculus. As asynchronous pi-calculus is a sub-calculus of pi-calculus, s is an equivalence for asynchronous pi-calculus terms. It holds s, that is the standard pi-calculus bisimilarity is a sound proof technique for. But!x(z).x z s 0. Question: can a labelled bisimilarity recover the natural contextual equivalence? 22

24 A problem and two solutions Transitions in an LTS should represent observable interactions a term can engage with a context: if x y then can interact with the context x(u).beep, where beep is activated if and only if the output action has been observed; if x(y) then in no way beep can be activated if and only if the input action has been observed! Solutions: 1. relax the matching condition for input actions in the bisimulation game; 2. modify the LTS so that it precisely identifies the interactions that a term can have with its environment. 23

25 Amadio, Castellani, Sangiorgi Idea: relax the matching condition for input actions. Let asynchronous bisimulation a be the largest symmetric relation such that whenever a Q it holds: 1. if l and l x(y) then there exists Q such that Q = ˆl Q and a Q ; 2. if x(y) then there exists Q such that Q x y = Q and a Q. Remark: is the outcome of the interaction of with the context x y. Clause 2. allows Q to interact with the same context, but does not force this interaction. 24

26 Honda, Tokoro x y x y 0 x(u). x(y) { y / u } 0 x(y) x y x y x y α y α (νy) (νy)x y (νy) α (νy) x y Q x(y) Q x (y) Q x(y) Q y fn(q) Q τ Q Q τ (νy)( Q ) α bn(α) fn(q) = α Q Q Q Q α Q α Q 25

27 Honda, Tokoro explained Ideas: modify the LTS so that it precisely identifies the interactions that a term can have with its environment; rely on a standard weak bisimulation. Amazing results: asynchrounous bisimilarity in ACS style, bisimilarity on top of HT LTS, and barbed congruence coincide. 5 5 ahem, modulo some technical details. 26

28 roperties of asynchronous bisimilarity in ACS style Bisimilarity is a congruence; it is preserved also by input prefix, while it is not in the synchronous case; bisimilarity is an equivalence relation (transitivity is non-trivial); bisimilarity is sound with respect to reduction barbed congruence; bisimilarity is complete with respect to barbed congruence. 6 6 for completeness the calculus must be equipped with a matching operator. 27

29 Some proofs about ACS bisimilarity... on asynchronous CCS Syntax: ::= 0 a. a (νa). Reduction semantics: a. a Q Q Q where is defined as: Q Q ( Q) R (Q R) (νa) Q (νa)( Q) if a fn(q) 28

30 Background: LTS and weak bisimilarity for asynchronous CCS a. a a a 0 a Q a Q Q τ Q Q l l Q l (νa) a fn(l) l (νa) symmetric rules omitted. Definition: Asynchronous weak bisimilarity, denoted, is the largest symmetric relation such that whenever Q and l, l {τ, a}, there exists Q such that Q = ˆl Q and Q ; a, there exists Q such that Q a = Q and Q. 29

31 Sketch of the proof of transitivity of Let R = {(, R) : Q R}. We show that R. Suppose that R R because Q R, and that a. The definition of ensures that there exists Q such that Q a = Q and Q. Since is a congruence and Q R, it holds that Q a R a. A simple corollary of the defintion of the bisimilarity ensures that there exists R R a = R and Q R. such that Then R R by construction of R. The other cases are standard. Remark the unusual use of the congruence of the bisimilarity. 30

32 Sketch of the proof of completeness We show that. Suppose that Q and that a. We must conclude that there exists Q such that Q a = Q and Q. Since is a congruence, it holds that a Q a. Since a, it holds that a τ. Since a Q a, the definition of ensures that there exists Q such that Q a = Q and Q, as desired. The other cases are analogous to the completeness proof in synchronous CCS. The difficulty of the completeness proof is to construct contexts that observe the actions of a process. The case a is straightforward because there is nothing to observe. 31

33 Some references Kohei Honda, Mario Tokoro: An Object Calculus for Asynchronous Communication. ECOO Kohei Honda, Mario Tokoro, On asynchronous communication semantics. Object- Based Concurrent Computing Gerard Boudol, Asynchrony and the pi-calculus. INRIA Research Report, Roberto Amadio, Ilaria Castellani, Davide Sangiorgi, On bisimulations for the asynchronous pi-calculus. Theor. Comput. Sci. 195(2),