Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems
Size: px
Start display at page:

Download "Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems"

Transcription

1 Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems Rocco De Nicola IMT Institute for Advanced Studies, Lucca rocco.denicola@imtlucca.it June 2013 Lesson 10 R. De Nicola (IMT-Lucca) FoTSE@LMU 1 / 40

2 What have we done 1 Importance of formal methods for proving correctness of concurrent systems 2 Labelled Transition Systems (LTS) as formal models 3 Operators of Process Description Languages (PDL) for modeling systems composition and interaction. 4 Structural Operational Semantics (SOS) for modelling operators and building transition systems corresponding to composite systems. 5 Behavioural Equivalences to abstract from unwanted details of the modelled systems 6 A number of PDL obtained by careful selection of Operators and equivalences 7 Alternative approaches (Equational and Denotational) to defining the Semantics of PDL R. De Nicola (IMT-Lucca) FoTSE@LMU 2 / 40

3 What s next Now we concentrate on one language (CCS), study its theory more in depth and consider a number of small examples (case studies). R. De Nicola (IMT-Lucca) FoTSE@LMU 3 / 40

4 CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

5 CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

6 CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

7 Definition of CCS (channels, actions, process names) Let A be a set of channel names (e.g. tea, coffee are channel names) L = A A be a set of labels where A = {a a A} (elements of A are called names and those of A are called co-names) by convention a = a Act = L {τ} is the set of actions where τ is the internal or silent action (e.g. τ, tea, coffee are actions) K is a set of process names (constants) (e.g. CM). R. De Nicola (IMT-Lucca) FoTSE@LMU 5 / 40

8 Definition of CCS (expressions) P := K process constants (K K) α.p prefixing (α Act) i I P i summation (I is an arbitrary index set) P 1 P 2 parallel composition P L restriction (L A) P[f ] relabelling (f : Act Act) such that f (τ) = τ f (a) = f (a) The set of all terms generated by the abstract syntax is the set of CCS process expressions (and is denoted by P). Notation P 1 + P 2 = i {1,2} P i Nil = 0 = i P i R. De Nicola (IMT-Lucca) FoTSE@LMU 6 / 40

9 Precedence Precedence 1 restriction and relabelling (tightest binding) 2 action prefixing 3 parallel composition 4 summation Example: R + a.p b.q L means R + ( (a.p) (b.(q L)) ). R. De Nicola (IMT-Lucca) FoTSE@LMU 7 / 40

10 Definition of CCS (defining equations) CCS program A collection of defining equations of the form K P where K K is a process constant and P P is a CCS process expression. Only one defining equation per process constant. Recursion is allowed: e.g. A a.a A. R. De Nicola (IMT-Lucca) FoTSE@LMU 8 / 40

11 Structural Operational Semantics for CCS Structural Operational Semantics (SOS) G. Plotkin 1981 Small-step operational semantics where the behaviour of a system is inferred using syntax driven rules. Given a collection of CCS defining equations, we define the following LTS (Proc, Act, { a a Act}): Proc = P (the set of all CCS process expressions) Act = L {τ} (the set of all CCS actions including τ) transition relation is given by SOS rules of the form: RULE premises conclusion conditions R. De Nicola (IMT-Lucca) FoTSE@LMU 9 / 40

12 SOS rules for CCS (α Act, a L) ACT α.p α P α P j P j SUM j i I P α i P j j I COM1 P α P P Q α P Q COM2 COM3 P a P Q a Q P Q τ P Q α Q Q P Q α P Q RES P α P P L α P L α, α L REL P α P P[f ] f (α) P [f ] CON P α P K α P K P R. De Nicola (IMT-Lucca) FoTSE@LMU 10 / 40

13 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

14 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

15 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? COM1 a (A a.nil) b.nil (A a.nil) b.nil REL ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

16 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL COM1 a A a.nil A a.nil COM1 a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

17 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL CON a A a.a A A COM1 a A a.nil A a.nil COM1 a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

18 Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL COM1 ACT a a.a A CON A a A COM1 a A a.a A a.nil A a.nil a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

19 LTS of the Process a.nil a.nil a.nil a.nil a a Nil a.nil τ a.nil Nil a a Nil Nil R. De Nicola (IMT-Lucca) FoTSE@LMU 12 / 40

20 Puzzle Time: 50 Prisoners Problem Solve the problem and write down the solution as a process 50 prisoners kept in separate cells got a chance are told that From time to time one of them would be taken to a special room (in no particular order, possibly multiple many consecutive times, but with a fair schedule to avoid infinite wait) and then back to the cell. The room is completely empty except for an on/off switch a lamp (the light is not visible from outside). At any time, if any of them says that all the prisoners have already entered the room at least once and this is true, all prisoners will be released (but if it is false, the play ends and they are life sentenced). Before the challenge starts, the prisoners have the possibility to discuss together some protocol to follow. Is there a winning strategy for the prisoners? Note that the initial state of the light in the room is not known. R. De Nicola (IMT-Lucca) FoTSE@LMU 13 / 40

21 First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

22 First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

23 First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

24 First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

25 Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

26 Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

27 Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

28 Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

29 Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

30 Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

31 Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

32 Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

33 Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

34 Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

35 Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

36 Solution What about counting twice? = = 98 If he can count 98 switchings then all other prisoners must have entered the room at least once (well... most of them twice). If not: = = 96 Generic Prisoners & Re-playing Prisoners & Idle Prisoners P roomin.(turnon.roomout.rp + turnoff.turnon.roomout.p) RP roomin.(turnon.roomout.ip + turnoff.turnon.roomout.rp) IP roomin.τ.roomout.ip Prison (Room Light C 98 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 18 / 40

37 Solution What about counting twice? = = 98 If he can count 98 switchings then all other prisoners must have entered the room at least once (well... most of them twice). If not: = = 96 Generic Prisoners & Re-playing Prisoners & Idle Prisoners P roomin.(turnon.roomout.rp + turnoff.turnon.roomout.p) RP roomin.(turnon.roomout.ip + turnoff.turnon.roomout.rp) IP roomin.τ.roomout.ip Prison (Room Light C 98 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 18 / 40

38 Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil R. De Nicola (IMT-Lucca) 19 / 40

39 Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil τ Nil save(3).nil R. De Nicola (IMT-Lucca) 19 / 40

40 Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil τ Nil save(3).nil Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

41 Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil Bank(100) τ Nil save(3).nil Bank(100) Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

42 Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil Bank(100) τ Nil save(3).nil Bank(100) τ Nil Nil Bank(103) Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

43 Translation of Value Passing CCS to Standard CCS Value Passing CCS C in(x).c (x) C (x) out(x).c Standard CCS C i N in i.c i C i out i.c out(x) out i in 2 C C i C C 2 C (x) in(x) symbolic LTS in i out 1 C 1 in 1 infinite LTS out 2 R. De Nicola (IMT-Lucca) FoTSE@LMU 20 / 40

44 CCS Has Full Turing Power Fact CCS can simulate a computation of any Turing machine. Remark Hence CCS is as expressive as any other programming language but its use is to rather describe the behaviour of reactive systems than to perform specific calculations. R. De Nicola (IMT-Lucca) FoTSE@LMU 21 / 40

45 Strong Bisimilarity Let (Proc, Act, { a a Act}) be an LTS. Strong Bisimulation A binary relation R Proc Proc is a strong bisimulation iff whenever (s, t) R then for each a Act: a a if s s then t t for some t such that (s, t ) R a if t t a then s s for some s such that (s, t ) R. Strong Bisimilarity Two processes p 1, p 2 Proc are strongly bisimilar (p 1 p 2 ) if and only if there exists a strong bisimulation R such that (p 1, p 2 ) R. = {R R is a strong bisimulation} R. De Nicola (IMT-Lucca) FoTSE@LMU 22 / 40

46 Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

47 Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

48 Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

49 Example Buffer Theorem For all natural numbers n: B n 0 B1 0 B 1 0 B 1 0 }{{} n times Proof. Construct the following binary relation where i 1, i 2,..., i n {0, 1}. R = { ( B n i, B 1 i 1 B 1 i 2 B 1 i n ) n i j = i} j=1 ( B n 0, B0 1 B1 0 ) B1 0 R R is strong bisimulation R. De Nicola (IMT-Lucca) FoTSE@LMU 24 / 40

50 Example Buffer Theorem For all natural numbers n: B n 0 B1 0 B 1 0 B 1 0 }{{} n times Proof. Construct the following binary relation where i 1, i 2,..., i n {0, 1}. R = { ( B n i, B 1 i 1 B 1 i 2 B 1 i n ) n i j = i} j=1 ( B n 0, B0 1 B1 0 ) B1 0 R R is strong bisimulation R. De Nicola (IMT-Lucca) FoTSE@LMU 24 / 40

51 Question Time Prove the following (or give counterexamples) is reflexive is symmetric is transitive is an equivalence relation If R is a strong bisimulation then R For all natural numbers n, k: B n+k 0 B n 0 Bk 0 R. De Nicola (IMT-Lucca) FoTSE@LMU 25 / 40

52 Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

53 Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

54 Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

55 Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

56 Strong Bisimilarity is a Congruence for CCS Operations Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P + R Q + R for each CCS process R R + P R + Q for each CCS process R P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof sketch for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a bisimulation. Suppose P + R µ S. If it is because P µ S, then Q µ T with (S, T ) because P Q and hence Q + R µ T with (S, T ) R. Otherwise, it is because R µ S, but then Q + R µ S with (S, S) Id R. The case where Q + R moves is symmetric. R. De Nicola (IMT-Lucca) FoTSE@LMU 27 / 40

57 Other Properties of Strong Bisimilarity The Following Properties Hold for all CCS Processes P, Q, R P + Nil P (Neutral element for +) P Nil P (Neutral element for ) P + Q Q + P (Commutativity of +) P Q Q P (Commutativity of ) (P + Q) + R P + (Q + R) (associativity of +) (P Q) R P (Q R) (associativity of ) P + P P (Idempotency of +) (proof sketch for commutativity of +) Let R = { (P + Q, Q + P) P, Q Proc } Id. It suffices to show that R is a bisimulation. Suppose P + Q µ S using SUM1 (resp. SUM2), then Q + P µ S using SUM2 (resp. SUM1) and (S, S) Id R. The case where Q + P moves is analogous. R. De Nicola (IMT-Lucca) FoTSE@LMU 28 / 40

58 Strong Bisimilarity Summary Properties of an equivalence relation the largest strong bisimulation a congruence enough to prove some natural rules like P Q Q P P Nil P (P Q) R Q (P R) Question Should we look any further??? R. De Nicola (IMT-Lucca) FoTSE@LMU 29 / 40

59 Strong Bisimilarity Summary Properties of an equivalence relation the largest strong bisimulation a congruence enough to prove some natural rules like P Q Q P P Nil P (P Q) R Q (P R) Question Should we look any further??? R. De Nicola (IMT-Lucca) FoTSE@LMU 29 / 40

60 Behavioural Equivalence: Cells Cell1 = One-position cell Cell2 = Two-positions cell ParCell = Cell1 Cell1 SeqCell = Cell1 Cell1 Are Cell2, ParCell and SeqCell equivalent? (p restricted) R. De Nicola (IMT-Lucca) FoTSE@LMU 30 / 40

61 Behavioural Equivalence: FIFO buffers FIFO1 = One-pos. FIFO buffer FIFO2 = Two-pos. FIFO buffer ParFIFO = FIFO1 FIFO1 SeqFIFO = FIFO1 FIFO1 (p0, p1 restricted) Are FIFO2, ParFIFO and SeqFIFO equivalent? R. De Nicola (IMT-Lucca) FoTSE@LMU 31 / 40

62 Weak Transition Relation Let (Proc, Act, { a a Act}) be an LTS such that τ Act. Definition of the Weak Transition Relations Let a be an action or ε: { a ( ) τ = = a ( ) τ ( ) τ if a ε if a = ε Definition If a is an observable action, then â = a. On the other hand, ˆτ = ε. R. De Nicola (IMT-Lucca) FoTSE@LMU 32 / 40

63 Weak Bisimilarity Let (Proc, Act, { a a Act}) be an LTS such that τ Act. Weak Bisimulation A binary relation R Proc Proc is a weak bisimulation iff whenever (s, t) R then for each a Act (including τ): if s if t a s â then t = t for some t such that (s, t ) R a t â then s = s for some s such that (s, t ) R. Weak Bisimilarity Two processes p 1, p 2 Proc are weakly bisimilar (p 1 p 2 ) if and only if there exists a weak bisimulation R such that (p 1, p 2 ) R. = {R R is a weak bisimulation} R. De Nicola (IMT-Lucca) FoTSE@LMU 33 / 40

64 Weak Bisimilarity Properties Properties of an equivalence relation the largest weak bisimulation strong bisimilarity is included in weak bisimilarity ( ) validates lots of natural laws, e.g. a.τ.p a.p P + τ.p τ.p a.(p + τ.q) a.(p + τ.q) + a.q P + Q Q + P P Q Q P P + Nil P... abstracts from τ loops τ a a R. De Nicola (IMT-Lucca) FoTSE@LMU 34 / 40

65 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

66 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. What about choice? Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

67 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

68 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. (counterexample) τ.a.nil a.nil but τ.a.nil + b.nil a.nil + b.nil Conclusion R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

69 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. (counterexample) τ.a.nil a.nil but τ.a.nil + b.nil a.nil + b.nil What is wrong and which one is it the right alternative? R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

70 Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

71 Case Study: Communication Protocol A message delivery system, accept a message transfer request, deliver the message and then it becomes ready again to serve a new request. The implementation must take into account that errors can arise during the message transfer, in which case the message must be resent. R. De Nicola (IMT-Lucca) FoTSE@LMU 36 / 40

72 Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) 37 / 40

73 Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) 37 / 40

74 Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) 37 / 40

75 Case Study: Communication Protocol acc ack Send Rec del error send Med trans Send acc.sending Rec trans.del Sending send.wait Del del.ack Wait ack.send + error.sending Ack ack.rec Med send.med Med τ.err + trans.med Err error.med R. De Nicola (IMT-Lucca) FoTSE@LMU 38 / 40

76 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

77 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

78 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

79 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

80 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

81 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

82 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

83 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

84 A visual execution R. De Nicola (IMT-Lucca) 39 / 40

85 Question Time Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} Question Impl? Spec 1 Draw the LTS of Spec (by hand) 2 Draw the LTS of Impl (by hand) 3 Prove (by hand) their equivalence 4 Use TAPAS! R. De Nicola (IMT-Lucca) FoTSE@LMU 40 / 40

Similar documents

Semantics and Verification

Semantics and Verification Semantics and Verification Lecture 2 informal introduction to CCS syntax of CCS semantics of CCS 1 / 12 Sequential Fragment Parallelism and Renaming CCS Basics (Sequential Fragment) Nil (or 0) process

More information

Process Algebras and Concurrent Systems

Process Algebras and Concurrent Systems Process Algebras and Concurrent Systems Rocco De Nicola Dipartimento di Sistemi ed Informatica Università di Firenze Process Algebras and Concurrent Systems August 2006 R. De Nicola (DSI-UNIFI) Process

More information

Complex Systems Design & Distributed Calculus and Coordination

Complex Systems Design & Distributed Calculus and Coordination Complex Systems Design & Distributed Calculus and Coordination Concurrency and Process Algebras: Theory and Practice Francesco Tiezzi University of Camerino francesco.tiezzi@unicam.it A.A. 2014/2015 F.

More information

Concurrent Processes and Reaction

Concurrent Processes and Reaction Concurrent Processes and Reaction Overview External and internal actions Observations Concurrent process expressions Structural congruence Reaction References Robin Milner, Communication and Concurrency

More information

Topics in Concurrency

Topics in Concurrency Topics in Concurrency Lecture 3 Jonathan Hayman 18 October 2016 Towards a more basic language Aim: removal of variables to reveal symmetry of input and output Transitions for value-passing carry labels

More information

Topics in Concurrency

Topics in Concurrency Topics in Concurrency Lecture 3 Jonathan Hayman 18 February 2015 Recap: Syntax of CCS Expressions: Arithmetic a and Boolean b Processes: p ::= nil nil process (τ p) silent/internal action (α!a p) output

More information

Models of Concurrency

Models of Concurrency Models of Concurrency GERARDO SCHNEIDER UPPSALA UNIVERSITY DEPARTMENT OF INFORMATION TECHNOLOGY UPPSALA, SWEDEN Thanks to Frank Valencia Models of Concurrency p.1/57 Concurrency is Everywhere Concurrent

More information

An introduction to process calculi: Calculus of Communicating Systems (CCS)

An introduction to process calculi: Calculus of Communicating Systems (CCS) An introduction to process calculi: Calculus of Communicating Systems (CCS) Lecture 2 of Modelli Matematici dei Processi Concorrenti Paweł Sobociński University of Southampton, UK Intro to process calculi:

More information

The Calculus of Communicating Systems

The Calculus of Communicating Systems The Calculus of Communicating Systems Wolfgang Schreiner Research Institute for Symbolic Computation (RISC-Linz) Johannes Kepler University, A-4040 Linz, Austria Wolfgang.Schreiner@risc.uni-linz.ac.at

More information

Communication and Concurrency: CCS

Communication and Concurrency: CCS Communication and Concurrency: CCS R. Milner, A Calculus of Communicating Systems, 1980 cours SSDE Master 1 Why calculi? Prove properties on programs and languages Principle: tiny syntax, small semantics,

More information

Review of The π-calculus: A Theory of Mobile Processes

Review of The π-calculus: A Theory of Mobile Processes Review of The π-calculus: A Theory of Mobile Processes Riccardo Pucella Department of Computer Science Cornell University July 8, 2001 Introduction With the rise of computer networks in the past decades,

More information

Communication and Concurrency: CCS. R. Milner, A Calculus of Communicating Systems, 1980

Communication and Concurrency: CCS. R. Milner, A Calculus of Communicating Systems, 1980 Communication and Concurrency: CCS R. Milner, A Calculus of Communicating Systems, 1980 Why calculi? Prove properties on programs and languages Principle: tiny syntax, small semantics, to be handled on

More information

A Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32

A Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32 A Note on Scope and Infinite Behaviour in CCS-like Calculi GERARDO SCHNEIDER UPPSALA UNIVERSITY DEPARTMENT OF INFORMATION TECHNOLOGY UPPSALA, SWEDEN Joint work with Pablo Giambiagi and Frank Valencia A

More information

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization Rob Schoren Abstract This document is mainly an extension of the work of Michel Reniers and Tim Willemse,

More information

Communicating and Mobile Systems

Communicating and Mobile Systems Communicating and Mobile Systems Overview:! Programming Model! Interactive Behavior! Labeled Transition System! Bisimulation! The π-calculus! Data Structures and λ-calculus encoding in the π-calculus References:!

More information

CCS: Syntax & Semantics (Final Version)

CCS: Syntax & Semantics (Final Version) CCS: & Semantics (Final Version) Prof. Susan Older 14 September 2017 (CIS 400/632) CCS & Semantics 14 September 2017 1 / 10 Relevant Syntactic Sets: A Recap from Last Time We have the following countably

More information

Introduction to process algebra

Introduction to process algebra Introduction to process algebra Luís S. Barbosa DI-CCTC Universidade do Minho Braga, Portugal March, 2010 Actions & processes Action is a latency for interaction for a L, L denoting a set of names Act

More information

Trace Refinement of π-calculus Processes

Trace Refinement of π-calculus Processes Trace Refinement of pi-calculus Processes Trace Refinement of π-calculus Processes Manuel Gieseking manuel.gieseking@informatik.uni-oldenburg.de) Correct System Design, Carl von Ossietzky University of

More information

Decidable Subsets of CCS

Decidable Subsets of CCS Decidable Subsets of CCS based on the paper with the same title by Christensen, Hirshfeld and Moller from 1994 Sven Dziadek Abstract Process algebra is a very interesting framework for describing and analyzing

More information

Concurrency theory. proof-techniques for syncronous and asynchronous pi-calculus. Francesco Zappa Nardelli. INRIA Rocquencourt, MOSCOVA research team

Concurrency theory. proof-techniques for syncronous and asynchronous pi-calculus. Francesco Zappa Nardelli. INRIA Rocquencourt, MOSCOVA research team Concurrency theory proof-techniques for syncronous and asynchronous pi-calculus Francesco Zappa Nardelli INRIA Rocquencourt, MOSCOVA research team francesco.zappa nardelli@inria.fr together with Frank

More information

Partial model checking via abstract interpretation

Partial model checking via abstract interpretation Partial model checking via abstract interpretation N. De Francesco, G. Lettieri, L. Martini, G. Vaglini Università di Pisa, Dipartimento di Ingegneria dell Informazione, sez. Informatica, Via Diotisalvi

More information

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc. Finite State Machines Introduction Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc. Such devices form

More information

T Reactive Systems: Temporal Logic LTL

T Reactive Systems: Temporal Logic LTL Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005 Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most

More information

Chapter 5: Linear Temporal Logic

Chapter 5: Linear Temporal Logic Chapter 5: Linear Temporal Logic Prof. Ali Movaghar Verification of Reactive Systems Spring 94 Outline We introduce linear temporal logic (LTL), a logical formalism that is suited for specifying LT properties.

More information

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent

More information

Introduction to Process Algebra. Based on: Wan Fokkink, Introduction to Process Algebra, Springer-Verlag, 1999.

Introduction to Process Algebra. Based on: Wan Fokkink, Introduction to Process Algebra, Springer-Verlag, 1999. Introduction to Process Algebra Based on: Wan Fokkink, Introduction to Process Algebra, Springer-Verlag, 1999. Reading list: J. Baeten and P. Weijland, Process Algebra, Cambridge Tracts in Theoretical

More information

MAKING THE UNOBSERVABLE, UNOBSERVABLE.

MAKING THE UNOBSERVABLE, UNOBSERVABLE. MAKING THE UNOBSERVABLE, UNOBSERVABLE. 3 PAPERS FROM THE LAST 365 DAYS AVAILABLE TO READ NOW ON YOUR COMPUTER PAWEL SOBOCINSKI AND JULIAN RATHKE GO TO www.ecs.soton.ac.uk/~ps/publications.php Plan of the

More information

MPRI C-2-3: Concurrency (Part 1 of 4)

MPRI C-2-3: Concurrency (Part 1 of 4) From Computability to Concurrency Theory Calculus of Comunicating Systems CCS Verification and Specification. Expressiveness Solutions to Exercises. MPRI C-2-3: Concurrency (Part 1 of 4) Frank D. Valencia

More information

Timo Latvala. February 4, 2004

Timo Latvala. February 4, 2004 Reactive Systems: Temporal Logic LT L Timo Latvala February 4, 2004 Reactive Systems: Temporal Logic LT L 8-1 Temporal Logics Temporal logics are currently the most widely used specification formalism

More information

Design and Analysis of Distributed Interacting Systems

Design and Analysis of Distributed Interacting Systems Design and Analysis of Distributed Interacting Systems Organization Prof. Dr. Joel Greenyer April 11, 2013 Organization Lecture: Thursdays, 10:15 11:45, F 128 Tutorial: Thursdays, 13:00 13:45, G 323 first

More information

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice Luis Pino*, Filippo Bonchi** and Frank Valencia* (Presented by: Jorge A. Pe rez) *E quipe Come te, LIX, Laboratoire

More information

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University Trace semantics: towards a unification of parallel paradigms Stephen Brookes Department of Computer Science Carnegie Mellon University MFCSIT 2002 1 PARALLEL PARADIGMS State-based Shared-memory global

More information

Introduction to mcrl2

Introduction to mcrl2 Introduction to mcrl2 Luís S. Barbosa DI-CCTC Universidade do Minho Braga, Portugal May, 2011 mcrl2: A toolset for process algebra mcrl2 provides: a generic process algebra, based on Acp (Bergstra & Klop,

More information

Formal Methods in Software Engineering

Formal Methods in Software Engineering Formal Methods in Software Engineering Modeling Prof. Dr. Joel Greenyer October 21, 2014 Organizational Issues Tutorial dates: I will offer two tutorial dates Tuesdays 15:00-16:00 in A310 (before the lecture,

More information

Chapter 3: Linear temporal logic

Chapter 3: Linear temporal logic INFOF412 Formal verification of computer systems Chapter 3: Linear temporal logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 LTL: a specification

More information

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052

More information

Timo Latvala. March 7, 2004

Timo Latvala. March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness Timo Latvala March 7, 2004 Reactive Systems: Safety, Liveness, and Fairness 14-1 Safety Safety properties are a very useful subclass of specifications.

More information

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic Model Checking (I) SMV the Symbolic Model Verifier Example: the alternating bit protocol LTL Linear Time temporal Logic CTL Fixed Points Correctness Slide 1 SMV - Symbolic Model Verifier SMV - Symbolic

More information

Modal and Temporal Logics

Modal and Temporal Logics Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003 Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics

More information

Models for Concurrency

Models for Concurrency Models for Concurrency (A revised version of DAIMI PB-429) Glynn Winskel Mogens Nielsen Computer Science Department, Aarhus University, Denmark November 1993 Abstract This is, we believe, the final version

More information

Lecture 4 Event Systems

Lecture 4 Event Systems Lecture 4 Event Systems This lecture is based on work done with Mark Bickford. Marktoberdorf Summer School, 2003 Formal Methods One of the major research challenges faced by computer science is providing

More information

The State Explosion Problem

The State Explosion Problem The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information

Embedded systems specification and design

Embedded systems specification and design Embedded systems specification and design David Kendall David Kendall Embedded systems specification and design 1 / 21 Introduction Finite state machines (FSM) FSMs and Labelled Transition Systems FSMs

More information

Modelling Membranes with Brane Calculi

Modelling Membranes with Brane Calculi Modelling Membranes with Brane Calculi (and translation of Brane Calculi into CLS) 1/42 Introduction A biological cellular membrane is an closed surface that can perform various molecular functions. Membranes

More information

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004

More information

Lecture 18: Zero-Knowledge Proofs

Lecture 18: Zero-Knowledge Proofs COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be

More information

3 Propositional Logic

3 Propositional Logic 3 Propositional Logic 3.1 Syntax 3.2 Semantics 3.3 Equivalence and Normal Forms 3.4 Proof Procedures 3.5 Properties Propositional Logic (25th October 2007) 1 3.1 Syntax Definition 3.0 An alphabet Σ consists

More information

Some techniques and results in deciding bisimilarity

Some techniques and results in deciding bisimilarity Some techniques and results in deciding bisimilarity Petr Jančar Dept of Computer Science Technical University Ostrava (FEI VŠB-TU) Czech Republic www.cs.vsb.cz/jancar Talk at the Verification Seminar,

More information

Propositional Logic: Syntax

Propositional Logic: Syntax Logic Logic is a tool for formalizing reasoning. There are lots of different logics: probabilistic logic: for reasoning about probability temporal logic: for reasoning about time (and programs) epistemic

More information

On Expressiveness and Behavioural Theory of Attribute-based Communication

On Expressiveness and Behavioural Theory of Attribute-based Communication On Expressiveness and Behavioural Theory of Attribute-based Communication Rocco De Nicola Joint work with Y. A. Alrahman and M. Loreti Final Meeting CINA Civitanova Marche January 2016 Contents 1 Introduction

More information

Multicore Semantics and Programming

Multicore Semantics and Programming Multicore Semantics and Programming Peter Sewell Tim Harris University of Cambridge Oracle October November, 2015 p. 1 These Lectures Part 1: Multicore Semantics: the concurrency of multiprocessors and

More information

A Modern Mathematical Theory of Co-operating State Machines

A Modern Mathematical Theory of Co-operating State Machines 201 A Modern Mathematical Theory of Co-operating State Machines Antti Valmari Abstract Valmari, Antti (2005). A Modern Mathematical Theory of Co-operating State Machines In Proceedings of the Algorithmic

More information

Equations, contractions, and unique solutions

Equations, contractions, and unique solutions Equations, contractions, and unique solutions Davide Sangiorgi To cite this version: Davide Sangiorgi. Equations, contractions, and unique solutions. POPL 2015 - Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT

More information

Agreement. Today. l Coordination and agreement in group communication. l Consensus

Agreement. Today. l Coordination and agreement in group communication. l Consensus Agreement Today l Coordination and agreement in group communication l Consensus Events and process states " A distributed system a collection P of N singlethreaded processes w/o shared memory Each process

More information

The π-calculus Semantics. Equivalence and Value-Passing. Infinite Sums 4/12/2004

The π-calculus Semantics. Equivalence and Value-Passing. Infinite Sums 4/12/2004 The π-calculus Semantics Overview ate and early semantics Bisimulation and congruence Variations of the calculus eferences obin Milner, Communicating and Mobil Systems Davide Sangiorgi and David Walker,

More information

Trace and Testing Equivalence on Asynchronous Processes 1

Trace and Testing Equivalence on Asynchronous Processes 1 Information and Computation 172, 139 164 (2002) doi:10.1006/inco.2001.3080, available online at http://www.idealibrary.com on Trace and Testing Equivalence on Asynchronous Processes 1 Michele Boreale,

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 September 2, 2004 These supplementary notes review the notion of an inductive definition and

More information

Logical Time. 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation

Logical Time. 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation Logical Time Nicola Dragoni Embedded Systems Engineering DTU Compute 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation 2013 ACM Turing Award:

More information

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Overview Temporal logic Non-probabilistic temporal logic CTL Probabilistic temporal

More information

Algebraic Trace Theory

Algebraic Trace Theory Algebraic Trace Theory EE249 Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October 21, 2002 ee249

More information

A Weak Bisimulation for Weighted Automata

A Weak Bisimulation for Weighted Automata Weak Bisimulation for Weighted utomata Peter Kemper College of William and Mary Weighted utomata and Semirings here focus on commutative & idempotent semirings Weak Bisimulation Composition operators Congruence

More information

Automatic Synthesis of Distributed Protocols

Automatic Synthesis of Distributed Protocols Automatic Synthesis of Distributed Protocols Rajeev Alur Stavros Tripakis 1 Introduction Protocols for coordination among concurrent processes are an essential component of modern multiprocessor and distributed

More information

Expressiveness of Timed Events and Timed Languages

Expressiveness of Timed Events and Timed Languages Expressiveness of Timed Events and Timed Languages Diletta R. Cacciagrano and Flavio Corradini Università di Camerino, Dipartimento di Matematica e Informatica, Camerino, 62032, Italy, {diletta.cacciagrano,

More information

Structure Preserving Bisimilarity,

Structure Preserving Bisimilarity, Structure Preserving Bisimilarity, Supporting an Operational Petri Net Semantics of CCSP Rob van Glabbeek NICTA, Sydney, Australia University of New South Wales, Sydney, Australia September 2015 Milner:

More information

Distributed Systems Principles and Paradigms. Chapter 06: Synchronization

Distributed Systems Principles and Paradigms. Chapter 06: Synchronization Distributed Systems Principles and Paradigms Maarten van Steen VU Amsterdam, Dept. Computer Science Room R4.20, steen@cs.vu.nl Chapter 06: Synchronization Version: November 16, 2009 2 / 39 Contents Chapter

More information

Section 1.1 Propositions

Section 1.1 Propositions Set Theory & Logic Section 1.1 Propositions Fall, 2009 Section 1.1 Propositions In Chapter 1, our main goals are to prove sentences about numbers, equations or functions and to write the proofs. Definition.

More information

Alan Bundy. Automated Reasoning LTL Model Checking

Alan Bundy. Automated Reasoning LTL Model Checking Automated Reasoning LTL Model Checking Alan Bundy Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures have

More information

Algebraic Trace Theory

Algebraic Trace Theory Algebraic Trace Theory EE249 Presented by Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October

More information

Clojure Concurrency Constructs, Part Two. CSCI 5828: Foundations of Software Engineering Lecture 13 10/07/2014

Clojure Concurrency Constructs, Part Two. CSCI 5828: Foundations of Software Engineering Lecture 13 10/07/2014 Clojure Concurrency Constructs, Part Two CSCI 5828: Foundations of Software Engineering Lecture 13 10/07/2014 1 Goals Cover the material presented in Chapter 4, of our concurrency textbook In particular,

More information

Linear Temporal Logic (LTL)

Linear Temporal Logic (LTL) Chapter 9 Linear Temporal Logic (LTL) This chapter introduces the Linear Temporal Logic (LTL) to reason about state properties of Labelled Transition Systems defined in the previous chapter. We will first

More information

Lecture Notes on Ordered Proofs as Concurrent Programs

Lecture Notes on Ordered Proofs as Concurrent Programs Lecture Notes on Ordered Proofs as Concurrent Programs 15-317: Constructive Logic Frank Pfenning Lecture 24 November 30, 2017 1 Introduction In this lecture we begin with a summary of the correspondence

More information

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at MAD Models & Algorithms for Distributed systems -- /5 -- download slides at http://people.rennes.inria.fr/eric.fabre/ 1 Today Runs/executions of a distributed system are partial orders of events We introduce

More information

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Lecture Notes on Emptiness Checking, LTL Büchi Automata 15-414: Bug Catching: Automated Program Verification Lecture Notes on Emptiness Checking, LTL Büchi Automata Matt Fredrikson André Platzer Carnegie Mellon University Lecture 18 1 Introduction We ve seen

More information

Unifying Theories of Programming

Unifying Theories of Programming 1&2 Unifying Theories of Programming Unifying Theories of Programming 3&4 Theories Unifying Theories of Programming designs predicates relations reactive CSP processes Jim Woodcock University of York May

More information

Proof Techniques (Review of Math 271)

Proof Techniques (Review of Math 271) Chapter 2 Proof Techniques (Review of Math 271) 2.1 Overview This chapter reviews proof techniques that were probably introduced in Math 271 and that may also have been used in a different way in Phil

More information

Time and Fairness in a Process Algebra with Non-Blocking Reading. F. Corradini, M.R. Di Berardini, W. Vogler. Report July 2008

Time and Fairness in a Process Algebra with Non-Blocking Reading. F. Corradini, M.R. Di Berardini, W. Vogler. Report July 2008 à ÊÇÅÍÆ ËÀǼ Universität Augsburg Time and Fairness in a Process Algebra with Non-Blocking Reading F. Corradini, M.R. Di Berardini, W. Vogler Report 2008-3 July 2008 Institut für Informatik D-8635 Augsburg

More information

Bringing class diagrams to life

Bringing class diagrams to life Bringing class diagrams to life Luis S. Barbosa & Sun Meng DI-CCTC, Minho University, Braga & CWI, Amsterdam UML & FM Workshop 2009 Rio de Janeiro 8 December, 2009 Formal Methods proofs problems structures

More information

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC Alessandro Artale (FM First Semester 2007/2008) p. 1/39 FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC Alessandro Artale Faculty of Computer Science Free University of Bolzano artale@inf.unibz.it http://www.inf.unibz.it/

More information

Theoretical Foundations of the UML

Theoretical Foundations of the UML Theoretical Foundations of the UML Lecture 17+18: A Logic for MSCs Joost-Pieter Katoen Lehrstuhl für Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ws-1718/fuml/ 5.

More information

TESTING is one of the most important parts of the

TESTING is one of the most important parts of the IEEE TRANSACTIONS 1 Generating Complete Controllable Test Suites for Distributed Testing Robert M. Hierons, Senior Member, IEEE Abstract A test suite is m-complete for finite state machine (FSM) M if it

More information

Safety and Liveness Properties

Safety and Liveness Properties Safety and Liveness Properties Lecture #6 of Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling and Verification E-mail: katoen@cs.rwth-aachen.de November 5, 2008 c JPK Overview Lecture

More information

cis32-ai lecture # 18 mon-3-apr-2006

cis32-ai lecture # 18 mon-3-apr-2006 cis32-ai lecture # 18 mon-3-apr-2006 today s topics: propositional logic cis32-spring2006-sklar-lec18 1 Introduction Weak (search-based) problem-solving does not scale to real problems. To succeed, problem

More information

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Petri nets. s 1 s 2. s 3 s 4. directed arcs. Petri nets Petri nets Petri nets are a basic model of parallel and distributed systems (named after Carl Adam Petri). The basic idea is to describe state changes in a system with transitions. @ @R s 1

More information

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms CS 249 Project Fall 2005 Wing Wong Outline Introduction Asynchronous distributed systems, distributed computations,

More information

ESE601: Hybrid Systems. Introduction to verification

ESE601: Hybrid Systems. Introduction to verification ESE601: Hybrid Systems Introduction to verification Spring 2006 Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled. What is verification?

More information

Automata-theoretic analysis of hybrid systems

Automata-theoretic analysis of hybrid systems Automata-theoretic analysis of hybrid systems Madhavan Mukund SPIC Mathematical Institute 92, G N Chetty Road Chennai 600 017, India Email: madhavan@smi.ernet.in URL: http://www.smi.ernet.in/~madhavan

More information

Model Checking of Systems Employing Commutative Functions

Model Checking of Systems Employing Commutative Functions Model Checking of Systems Employing Commutative Functions A. Prasad Sistla, Min Zhou, and Xiaodong Wang University of Illinois at Chicago Abstract. The paper presents methods for model checking a class

More information

Herbrand Theorem, Equality, and Compactness

Herbrand Theorem, Equality, and Compactness CSC 438F/2404F Notes (S. Cook and T. Pitassi) Fall, 2014 Herbrand Theorem, Equality, and Compactness The Herbrand Theorem We now consider a complete method for proving the unsatisfiability of sets of first-order

More information

Reasoning about Time and Reliability

Reasoning about Time and Reliability Reasoning about Time and Reliability Probabilistic CTL model checking Daniel Bruns Institut für theoretische Informatik Universität Karlsruhe 13. Juli 2007 Seminar Theorie und Anwendung von Model Checking

More information

First-order resolution for CTL

First-order resolution for CTL First-order resolution for Lan Zhang, Ullrich Hustadt and Clare Dixon Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK {Lan.Zhang, U.Hustadt, CLDixon}@liverpool.ac.uk Abstract

More information

Bounded Stacks, Bags and Queues

Bounded Stacks, Bags and Queues Bounded Stacks, Bags and Queues J.C.M. Baeten 1 and J.A. Bergstra 2,3 1 Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB Eindhoven, The Netherlands,

More information

Strong bisimilarity can be opened

Strong bisimilarity can be opened Strong bisimilarity can be opened Henning E. Andersen Hans Hüttel Karina N. Jensen June 7, 2002 Abstract We present an extension of the semantics of the π-calculus without match where strong bisimilarity

More information

MATH1050 Greatest/least element, upper/lower bound

MATH1050 Greatest/least element, upper/lower bound MATH1050 Greatest/ element, upper/lower bound 1 Definition Let S be a subset of R x λ (a) Let λ S λ is said to be a element of S if, for any x S, x λ (b) S is said to have a element if there exists some

More information

CS411 Notes 3 Induction and Recursion

CS411 Notes 3 Induction and Recursion CS411 Notes 3 Induction and Recursion A. Demers 5 Feb 2001 These notes present inductive techniques for defining sets and subsets, for defining functions over sets, and for proving that a property holds

More information

Self-Adaptation and Information Flow in Multiparty Communications

Self-Adaptation and Information Flow in Multiparty Communications Self-Adaptation and Information Flow in Multiparty Communications Joint work with Ilaria Castellani (INRIA, FR) Jorge A. Pérez (University of Groningen, NL) ABCD meeting London, 20th April, 2015 1 / 36

More information

Chapter 1: The Logic of Compound Statements. January 7, 2008

Chapter 1: The Logic of Compound Statements. January 7, 2008 Chapter 1: The Logic of Compound Statements January 7, 2008 Outline 1 1.1 Logical Form and Logical Equivalence 2 1.2 Conditional Statements 3 1.3 Valid and Invalid Arguments Central notion of deductive

More information

Formal Methods for Java

Formal Methods for Java Formal Methods for Java Lecture 20: Sequent Calculus Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg January 15, 2013 Jochen Hoenicke (Software Engineering) Formal Methods for Java

More information

Distributed Systems Principles and Paradigms

Distributed Systems Principles and Paradigms Distributed Systems Principles and Paradigms Chapter 6 (version April 7, 28) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.2. Tel: (2)

More information

Introduction to Turing Machines. Reading: Chapters 8 & 9

Introduction to Turing Machines. Reading: Chapters 8 & 9 Introduction to Turing Machines Reading: Chapters 8 & 9 1 Turing Machines (TM) Generalize the class of CFLs: Recursively Enumerable Languages Recursive Languages Context-Free Languages Regular Languages

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback