Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems

Similar documents
Semantics and Verification

Process Algebras and Concurrent Systems

Complex Systems Design & Distributed Calculus and Coordination

Concurrent Processes and Reaction

Topics in Concurrency

Topics in Concurrency

Models of Concurrency

An introduction to process calculi: Calculus of Communicating Systems (CCS)

The Calculus of Communicating Systems

Communication and Concurrency: CCS

Review of The π-calculus: A Theory of Mobile Processes

Communication and Concurrency: CCS. R. Milner, A Calculus of Communicating Systems, 1980

A Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32

Correspondence between Kripke Structures and Labeled Transition Systems for Model Minimization

Communicating and Mobile Systems

CCS: Syntax & Semantics (Final Version)

Introduction to process algebra

Trace Refinement of π-calculus Processes

Decidable Subsets of CCS

Concurrency theory. proof-techniques for syncronous and asynchronous pi-calculus. Francesco Zappa Nardelli. INRIA Rocquencourt, MOSCOVA research team

Partial model checking via abstract interpretation

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.

T Reactive Systems: Temporal Logic LTL

Chapter 5: Linear Temporal Logic

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Introduction to Process Algebra. Based on: Wan Fokkink, Introduction to Process Algebra, Springer-Verlag, 1999.

MAKING THE UNOBSERVABLE, UNOBSERVABLE.

MPRI C-2-3: Concurrency (Part 1 of 4)

Timo Latvala. February 4, 2004

Design and Analysis of Distributed Interacting Systems

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University

Introduction to mcrl2

Formal Methods in Software Engineering

Chapter 3: Linear temporal logic

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Timo Latvala. March 7, 2004

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Modal and Temporal Logics

Models for Concurrency

Lecture 4 Event Systems

The State Explosion Problem

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Embedded systems specification and design

Modelling Membranes with Brane Calculi

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Lecture 18: Zero-Knowledge Proofs

3 Propositional Logic

Some techniques and results in deciding bisimilarity

Propositional Logic: Syntax

On Expressiveness and Behavioural Theory of Attribute-based Communication

Multicore Semantics and Programming

A Modern Mathematical Theory of Co-operating State Machines

Equations, contractions, and unique solutions

Agreement. Today. l Coordination and agreement in group communication. l Consensus

The π-calculus Semantics. Equivalence and Value-Passing. Infinite Sums 4/12/2004

Trace and Testing Equivalence on Asynchronous Processes 1

Lecture Notes on Inductive Definitions

Logical Time. 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Algebraic Trace Theory

A Weak Bisimulation for Weighted Automata

Automatic Synthesis of Distributed Protocols

Expressiveness of Timed Events and Timed Languages

Structure Preserving Bisimilarity,

Distributed Systems Principles and Paradigms. Chapter 06: Synchronization

Section 1.1 Propositions

Alan Bundy. Automated Reasoning LTL Model Checking

Algebraic Trace Theory

Clojure Concurrency Constructs, Part Two. CSCI 5828: Foundations of Software Engineering Lecture 13 10/07/2014

Linear Temporal Logic (LTL)

Lecture Notes on Ordered Proofs as Concurrent Programs

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Unifying Theories of Programming

Proof Techniques (Review of Math 271)

Time and Fairness in a Process Algebra with Non-Blocking Reading. F. Corradini, M.R. Di Berardini, W. Vogler. Report July 2008

Bringing class diagrams to life

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Theoretical Foundations of the UML

TESTING is one of the most important parts of the

Safety and Liveness Properties

cis32-ai lecture # 18 mon-3-apr-2006

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

ESE601: Hybrid Systems. Introduction to verification

Automata-theoretic analysis of hybrid systems

Model Checking of Systems Employing Commutative Functions

Herbrand Theorem, Equality, and Compactness

Reasoning about Time and Reliability

First-order resolution for CTL

Bounded Stacks, Bags and Queues

Strong bisimilarity can be opened

MATH1050 Greatest/least element, upper/lower bound

CS411 Notes 3 Induction and Recursion

Self-Adaptation and Information Flow in Multiparty Communications

Chapter 1: The Logic of Compound Statements. January 7, 2008

Formal Methods for Java

Distributed Systems Principles and Paradigms

Introduction to Turing Machines. Reading: Chapters 8 & 9

Transcription:

Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems Rocco De Nicola IMT Institute for Advanced Studies, Lucca rocco.denicola@imtlucca.it June 2013 Lesson 10 R. De Nicola (IMT-Lucca) FoTSE@LMU 1 / 40

What have we done 1 Importance of formal methods for proving correctness of concurrent systems 2 Labelled Transition Systems (LTS) as formal models 3 Operators of Process Description Languages (PDL) for modeling systems composition and interaction. 4 Structural Operational Semantics (SOS) for modelling operators and building transition systems corresponding to composite systems. 5 Behavioural Equivalences to abstract from unwanted details of the modelled systems 6 A number of PDL obtained by careful selection of Operators and equivalences 7 Alternative approaches (Equational and Denotational) to defining the Semantics of PDL R. De Nicola (IMT-Lucca) FoTSE@LMU 2 / 40

What s next Now we concentrate on one language (CCS), study its theory more in depth and consider a number of small examples (case studies). R. De Nicola (IMT-Lucca) FoTSE@LMU 3 / 40

CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

CCS Basics Sequential Fragment Nil (or 0) process (the only atomic process) action prefixing (a.p) names and recursive definitions () nondeterministic choice (+) Any finite LTS can be described (up to isomorphism) by using the operations above. Parallelism and Renaming parallel composition ( ) (synchronous communication between two components = handshake synchronization) restriction (P L) relabelling (P[f ]) R. De Nicola (IMT-Lucca) FoTSE@LMU 4 / 40

Definition of CCS (channels, actions, process names) Let A be a set of channel names (e.g. tea, coffee are channel names) L = A A be a set of labels where A = {a a A} (elements of A are called names and those of A are called co-names) by convention a = a Act = L {τ} is the set of actions where τ is the internal or silent action (e.g. τ, tea, coffee are actions) K is a set of process names (constants) (e.g. CM). R. De Nicola (IMT-Lucca) FoTSE@LMU 5 / 40

Definition of CCS (expressions) P := K process constants (K K) α.p prefixing (α Act) i I P i summation (I is an arbitrary index set) P 1 P 2 parallel composition P L restriction (L A) P[f ] relabelling (f : Act Act) such that f (τ) = τ f (a) = f (a) The set of all terms generated by the abstract syntax is the set of CCS process expressions (and is denoted by P). Notation P 1 + P 2 = i {1,2} P i Nil = 0 = i P i R. De Nicola (IMT-Lucca) FoTSE@LMU 6 / 40

Precedence Precedence 1 restriction and relabelling (tightest binding) 2 action prefixing 3 parallel composition 4 summation Example: R + a.p b.q L means R + ( (a.p) (b.(q L)) ). R. De Nicola (IMT-Lucca) FoTSE@LMU 7 / 40

Definition of CCS (defining equations) CCS program A collection of defining equations of the form K P where K K is a process constant and P P is a CCS process expression. Only one defining equation per process constant. Recursion is allowed: e.g. A a.a A. R. De Nicola (IMT-Lucca) FoTSE@LMU 8 / 40

Structural Operational Semantics for CCS Structural Operational Semantics (SOS) G. Plotkin 1981 Small-step operational semantics where the behaviour of a system is inferred using syntax driven rules. Given a collection of CCS defining equations, we define the following LTS (Proc, Act, { a a Act}): Proc = P (the set of all CCS process expressions) Act = L {τ} (the set of all CCS actions including τ) transition relation is given by SOS rules of the form: RULE premises conclusion conditions R. De Nicola (IMT-Lucca) FoTSE@LMU 9 / 40

SOS rules for CCS (α Act, a L) ACT α.p α P α P j P j SUM j i I P α i P j j I COM1 P α P P Q α P Q COM2 COM3 P a P Q a Q P Q τ P Q α Q Q P Q α P Q RES P α P P L α P L α, α L REL P α P P[f ] f (α) P [f ] CON P α P K α P K P R. De Nicola (IMT-Lucca) FoTSE@LMU 10 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? COM1 a (A a.nil) b.nil (A a.nil) b.nil REL ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL COM1 a A a.nil A a.nil COM1 a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL CON a A a.a A A COM1 a A a.nil A a.nil COM1 a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

Deriving Transitions in CCS Let A a.a. Then ( (A a.nil) b.nil ) [c/a] c ( (A a.nil) b.nil ) [c/a]. Why? REL COM1 ACT a a.a A CON A a A COM1 a A a.a A a.nil A a.nil a (A a.nil) b.nil (A a.nil) b.nil ( ) c (A a.nil) b.nil [c/a] ( (A a.nil) b.nil ) [c/a] R. De Nicola (IMT-Lucca) FoTSE@LMU 11 / 40

LTS of the Process a.nil a.nil a.nil a.nil a a Nil a.nil τ a.nil Nil a a Nil Nil R. De Nicola (IMT-Lucca) FoTSE@LMU 12 / 40

Puzzle Time: 50 Prisoners Problem Solve the problem and write down the solution as a process 50 prisoners kept in separate cells got a chance are told that From time to time one of them would be taken to a special room (in no particular order, possibly multiple many consecutive times, but with a fair schedule to avoid infinite wait) and then back to the cell. The room is completely empty except for an on/off switch a lamp (the light is not visible from outside). At any time, if any of them says that all the prisoners have already entered the room at least once and this is true, all prisoners will be released (but if it is false, the play ends and they are life sentenced). Before the challenge starts, the prisoners have the possibility to discuss together some protocol to follow. Is there a winning strategy for the prisoners? Note that the initial state of the light in the room is not known. R. De Nicola (IMT-Lucca) FoTSE@LMU 13 / 40

First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

First Attempt (assume the light is initially ON) The Light (initially ON) Light turnoff.turnon.light (can be read as recx.turnoff.turnon.x ) One Counting-Down Prisoner C i+1 turnoff.c i + τ.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + τ.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 14 / 40

Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

Problems Prisoners can just perform τs and never interact with the light The Light (initially ON) Light turnoff.turnon.light One Counting-Down Prisoner C i+1 turnoff.c i + turnon.turnoff.c i+1 C 0 freeall 49 Generic Prisoners P turnon.ip + turnoff.turnon.p IP τ.ip (Idle Prisoner) Prison (Light C 50 P... P) \{turnon, turnoff } R. De Nicola (IMT-Lucca) FoTSE@LMU 15 / 40

Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

Problems The light must be accessed in mutual exclusion The Room and The Light (initially ON) Room roomin.roomout.room One Counting-Down Prisoner Light turnoff.turnon.light C i+1 roomin.(turnoff.roomout.c i + turnon.turnoff.roomout.c i+1 ) C 0 freeall 49 Generic Prisoners P IP Prison roomin.(turnon.roomout.ip + turnoff.turnon.roomout.p) roomin.τ.roomout.ip (Room Light C 50 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 16 / 40

Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only 49... but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only 49... but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

Problems Initial state is not known The Light Light τ.lighton + τ.lightoff LightOn turnoff.lightoff LightOff turnon.lighton If the light is initially ON and the counting prisoner enters the room first then it must count 50 switching, otherwise only 49... but he cannot know! Prison (Room Light C 50or49? P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 17 / 40

Solution What about counting twice? 50 + 49 = 99 49 + 49 = 98 If he can count 98 switchings then all other prisoners must have entered the room at least once (well... most of them twice). If not: 49 + 48 = 97 48 + 48 = 96 Generic Prisoners & Re-playing Prisoners & Idle Prisoners P roomin.(turnon.roomout.rp + turnoff.turnon.roomout.p) RP roomin.(turnon.roomout.ip + turnoff.turnon.roomout.rp) IP roomin.τ.roomout.ip Prison (Room Light C 98 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 18 / 40

Solution What about counting twice? 50 + 49 = 99 49 + 49 = 98 If he can count 98 switchings then all other prisoners must have entered the room at least once (well... most of them twice). If not: 49 + 48 = 97 48 + 48 = 96 Generic Prisoners & Re-playing Prisoners & Idle Prisoners P roomin.(turnon.roomout.rp + turnoff.turnon.roomout.p) RP roomin.(turnon.roomout.ip + turnoff.turnon.roomout.rp) IP roomin.τ.roomout.ip Prison (Room Light C 98 P... P) \{turnon, turnoff, roomin, roomout} R. De Nicola (IMT-Lucca) FoTSE@LMU 18 / 40

Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil τ Nil save(3).nil R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil τ Nil save(3).nil Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil Bank(100) τ Nil save(3).nil Bank(100) Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

Value Passing CCS Main Idea Handshake synchronization is extended with the possibility to exchange data (e.g., integers). pay(6).nil pay(x).save(x/2).nil Bank(100) τ Nil save(3).nil Bank(100) τ Nil Nil Bank(103) Parametrized Process Constants For example: Bank(total) save(x).bank(total + x). R. De Nicola (IMT-Lucca) FoTSE@LMU 19 / 40

Translation of Value Passing CCS to Standard CCS Value Passing CCS C in(x).c (x) C (x) out(x).c Standard CCS C i N in i.c i C i out i.c out(x) out i in 2 C C i C C 2 C (x) in(x) symbolic LTS in i out 1 C 1 in 1 infinite LTS out 2 R. De Nicola (IMT-Lucca) FoTSE@LMU 20 / 40

CCS Has Full Turing Power Fact CCS can simulate a computation of any Turing machine. Remark Hence CCS is as expressive as any other programming language but its use is to rather describe the behaviour of reactive systems than to perform specific calculations. R. De Nicola (IMT-Lucca) FoTSE@LMU 21 / 40

Strong Bisimilarity Let (Proc, Act, { a a Act}) be an LTS. Strong Bisimulation A binary relation R Proc Proc is a strong bisimulation iff whenever (s, t) R then for each a Act: a a if s s then t t for some t such that (s, t ) R a if t t a then s s for some s such that (s, t ) R. Strong Bisimilarity Two processes p 1, p 2 Proc are strongly bisimilar (p 1 p 2 ) if and only if there exists a strong bisimulation R such that (p 1, p 2 ) R. = {R R is a strong bisimulation} R. De Nicola (IMT-Lucca) FoTSE@LMU 22 / 40

Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

Example Buffer Buffer of Capacity 1 B 1 0 in.b1 1 B 1 1 out.b1 0 Buffer of Capacity n B n 0 in.bn 1 Bn i in.b n i+1 + out.bn i 1 for 0 < i < n B n n out.b n n 1 Example: B 2 0 B1 0 B1 0 B0 2 in B1 2 in B2 2 out out B 1 1 B1 0 in out out in B 1 0 B1 0 B 1 1 B1 1 in in out out B 1 0 B1 1 R. De Nicola (IMT-Lucca) FoTSE@LMU 23 / 40

Example Buffer Theorem For all natural numbers n: B n 0 B1 0 B 1 0 B 1 0 }{{} n times Proof. Construct the following binary relation where i 1, i 2,..., i n {0, 1}. R = { ( B n i, B 1 i 1 B 1 i 2 B 1 i n ) n i j = i} j=1 ( B n 0, B0 1 B1 0 ) B1 0 R R is strong bisimulation R. De Nicola (IMT-Lucca) FoTSE@LMU 24 / 40

Example Buffer Theorem For all natural numbers n: B n 0 B1 0 B 1 0 B 1 0 }{{} n times Proof. Construct the following binary relation where i 1, i 2,..., i n {0, 1}. R = { ( B n i, B 1 i 1 B 1 i 2 B 1 i n ) n i j = i} j=1 ( B n 0, B0 1 B1 0 ) B1 0 R R is strong bisimulation R. De Nicola (IMT-Lucca) FoTSE@LMU 24 / 40

Question Time Prove the following (or give counterexamples) is reflexive is symmetric is transitive is an equivalence relation If R is a strong bisimulation then R For all natural numbers n, k: B n+k 0 B n 0 Bk 0 R. De Nicola (IMT-Lucca) FoTSE@LMU 25 / 40

Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs... 12 Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs... 12 Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs... 12 Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

Playful digression Some advanced proof methods 1 Proof by obviousness: So evident it need not to be mentioned 2 Proof by general agreement: All in favor? 3 Proof by majority: When general agreement fails 4 Proof by plausibility: It sounds good 5 Proof by intuition: I have this feeling... 6 Proof by lost reference: I saw it somewhere 7 Proof by obscure reference: It appeared in the Annals of Polish Math. Soc. (1854, in polish) 8 Proof by logic: It is on the textbook, hence it must be true 9 Proof by intimidation: Who is saying that it is false!? 10 Proof by authority: Don Knuth said it was true 11 Proof by deception: Everybody please turn their backs... 12 Proof by divine word: Lord said let it be true R. De Nicola (IMT-Lucca) FoTSE@LMU 26 / 40

Strong Bisimilarity is a Congruence for CCS Operations Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P + R Q + R for each CCS process R R + P R + Q for each CCS process R P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof sketch for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a bisimulation. Suppose P + R µ S. If it is because P µ S, then Q µ T with (S, T ) because P Q and hence Q + R µ T with (S, T ) R. Otherwise, it is because R µ S, but then Q + R µ S with (S, S) Id R. The case where Q + R moves is symmetric. R. De Nicola (IMT-Lucca) FoTSE@LMU 27 / 40

Other Properties of Strong Bisimilarity The Following Properties Hold for all CCS Processes P, Q, R P + Nil P (Neutral element for +) P Nil P (Neutral element for ) P + Q Q + P (Commutativity of +) P Q Q P (Commutativity of ) (P + Q) + R P + (Q + R) (associativity of +) (P Q) R P (Q R) (associativity of ) P + P P (Idempotency of +) (proof sketch for commutativity of +) Let R = { (P + Q, Q + P) P, Q Proc } Id. It suffices to show that R is a bisimulation. Suppose P + Q µ S using SUM1 (resp. SUM2), then Q + P µ S using SUM2 (resp. SUM1) and (S, S) Id R. The case where Q + P moves is analogous. R. De Nicola (IMT-Lucca) FoTSE@LMU 28 / 40

Strong Bisimilarity Summary Properties of an equivalence relation the largest strong bisimulation a congruence enough to prove some natural rules like P Q Q P P Nil P (P Q) R Q (P R) Question Should we look any further??? R. De Nicola (IMT-Lucca) FoTSE@LMU 29 / 40

Strong Bisimilarity Summary Properties of an equivalence relation the largest strong bisimulation a congruence enough to prove some natural rules like P Q Q P P Nil P (P Q) R Q (P R) Question Should we look any further??? R. De Nicola (IMT-Lucca) FoTSE@LMU 29 / 40

Behavioural Equivalence: Cells Cell1 = One-position cell Cell2 = Two-positions cell ParCell = Cell1 Cell1 SeqCell = Cell1 Cell1 Are Cell2, ParCell and SeqCell equivalent? (p restricted) R. De Nicola (IMT-Lucca) FoTSE@LMU 30 / 40

Behavioural Equivalence: FIFO buffers FIFO1 = One-pos. FIFO buffer FIFO2 = Two-pos. FIFO buffer ParFIFO = FIFO1 FIFO1 SeqFIFO = FIFO1 FIFO1 (p0, p1 restricted) Are FIFO2, ParFIFO and SeqFIFO equivalent? R. De Nicola (IMT-Lucca) FoTSE@LMU 31 / 40

Weak Transition Relation Let (Proc, Act, { a a Act}) be an LTS such that τ Act. Definition of the Weak Transition Relations Let a be an action or ε: { a ( ) τ = = a ( ) τ ( ) τ if a ε if a = ε Definition If a is an observable action, then â = a. On the other hand, ˆτ = ε. R. De Nicola (IMT-Lucca) FoTSE@LMU 32 / 40

Weak Bisimilarity Let (Proc, Act, { a a Act}) be an LTS such that τ Act. Weak Bisimulation A binary relation R Proc Proc is a weak bisimulation iff whenever (s, t) R then for each a Act (including τ): if s if t a s â then t = t for some t such that (s, t ) R a t â then s = s for some s such that (s, t ) R. Weak Bisimilarity Two processes p 1, p 2 Proc are weakly bisimilar (p 1 p 2 ) if and only if there exists a weak bisimulation R such that (p 1, p 2 ) R. = {R R is a weak bisimulation} R. De Nicola (IMT-Lucca) FoTSE@LMU 33 / 40

Weak Bisimilarity Properties Properties of an equivalence relation the largest weak bisimulation strong bisimilarity is included in weak bisimilarity ( ) validates lots of natural laws, e.g. a.τ.p a.p P + τ.p τ.p a.(p + τ.q) a.(p + τ.q) + a.q P + Q Q + P P Q Q P P + Nil P... abstracts from τ loops τ a a R. De Nicola (IMT-Lucca) FoTSE@LMU 34 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. What about choice? Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. (counterexample) τ.a.nil a.nil but τ.a.nil + b.nil a.nil + b.nil Conclusion R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. (proof attempt for + R) Let R = { (P + R, Q + R) R Proc } Id. It suffices to show that R is a weak bisimulation. Suppose P + R µ S. If it is because R µ S, then Q + R µ S with (S, S) Id R. Otherwise, it is because P µ S, then Q = ˆµ T with (S, T ) because P Q (is this true???) and hence Q + R = ˆµ T with (S, T ) R. (counterexample) τ.a.nil a.nil but τ.a.nil + b.nil a.nil + b.nil What is wrong and which one is it the right alternative? R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Is Weak Bisimilarity a Congruence for CCS? Theorem Let P and Q be CCS processes such that P Q. Then α.p α.q for each action α Act P R Q R for each CCS process R R P R Q for each CCS process R P[f ] Q[f ] for each relabelling function f P \ L Q \ L for each set of labels L. Conclusion Weak bisimilarity is not a congruence for CCS. R. De Nicola (IMT-Lucca) FoTSE@LMU 35 / 40

Case Study: Communication Protocol A message delivery system, accept a message transfer request, deliver the message and then it becomes ready again to serve a new request. The implementation must take into account that errors can arise during the message transfer, in which case the message must be resent. R. De Nicola (IMT-Lucca) FoTSE@LMU 36 / 40

Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) FoTSE@LMU 37 / 40

Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) FoTSE@LMU 37 / 40

Case Study: Communication Protocol Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} acc ack Send Rec del error send Med trans Impl? Spec R. De Nicola (IMT-Lucca) FoTSE@LMU 37 / 40

Case Study: Communication Protocol acc ack Send Rec del error send Med trans Send acc.sending Rec trans.del Sending send.wait Del del.ack Wait ack.send + error.sending Ack ack.rec Med send.med Med τ.err + trans.med Err error.med R. De Nicola (IMT-Lucca) FoTSE@LMU 38 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

A visual execution R. De Nicola (IMT-Lucca) FoTSE@LMU 39 / 40

Question Time Spec acc.del.spec Impl (Send Med Rec) {send, trans, ack, error} Question Impl? Spec 1 Draw the LTS of Spec (by hand) 2 Draw the LTS of Impl (by hand) 3 Prove (by hand) their equivalence 4 Use TAPAS! R. De Nicola (IMT-Lucca) FoTSE@LMU 40 / 40

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback