Post on 08-Jul-2020
Introduction to Process Algebra
Korea Advanced Institute of Science and Technology
Weakness of Traditional Validation & Verification (V&V)

• We have seen tragic accidents due to software and specification bugs.
• These bugs are hard to find because they occur only in "exceptional" cases.
• Informal system specifications and requirement specifications make automatic analysis infeasible, which results in incomplete coverage.
• To provide better coverage, we need
  – a formal requirement specification, and
  – a formal system model.

[Figure: the system model and the requirement properties are fed to a model checker (state exploration), which answers either OK or with a counterexample.]
Outline

• Requirement specification problems
• Viewpoint on the "meaning" (semantics) of a system
• Complexity of a system
• Formal modeling vs. programming
• Introduction to process algebra
Requirement Specification Problems

• Ambiguity: an expression does not have a unique meaning but can be interpreted in several different ways.
  – Ex. the long type in the C programming language (its width is implementation-defined: at least 32 bits, 32 bits on 64-bit Windows, 64 bits on 64-bit Linux)
• Incompleteness: relevant issues are not addressed, e.g. what to do when user errors occur or software faults show up.
  – Ex. retail chain management software
• Inconsistency: contradictory requirements in different parts of the specification.
Viewpoint on the Semantics of a System

• A system execution is a sequence of states s0 s1 ...
• A state has an environment s: Var -> Val
• A system has its semantics as a set of system executions

[Figure: a tree of system executions branching from s0 (x:0, y:0); every state (s2, s3, s4, s10 ... s14, s21, s22, ...) is labelled with its values of x and y, and each root-to-leaf path is one execution.]
Complexity of Systems

• The complexity of a system is sometimes more accurately expressed from the semantic viewpoint (the number of reachable states) than from the syntactic viewpoint (the number of lines of source code).
• The number of different states a system can reach grows very quickly.
  – Ex. a single 32-bit integer variable has 2^32 (about 4,000,000,000) possible values; n such variables have 2^(32n).
Formal Modeling vs. Programming

                                        Formal Modeling                        Programming
Static    Abstraction level             High                                   Low
aspects   Development time              Short                                  Long
Dynamic   Executable                    Yes (model checking),                  Always
aspects                                 No (theorem proving)
          System semantics              Mathematically defined                 Usually given by examples
          Environment semantics         Mathematically defined                 Usually given by examples
          (i.e. testbeds)
          Program state space           Manageable (tractable state space)     Unmanageable (beyond computing power)
          Validation                    By exhaustive exploration or           By testing (incomplete coverage)
                                        deductive proof
Complex System Attributes

• You may not need to model a simple system such as +, *, or HelloWorld.
• However, you must have a scientific way of abstracting/modeling a system with a complex structure, e.g.
  – Hierarchy
  – Concurrency
  – Communication
• Also, you need a systematic way to analyze the correctness of your design.
Process Algebra

• A process algebra consists of
  – a set of operators and syntactic rules for constructing processes,
  – a semantic mapping which assigns a meaning or interpretation to every process, and
  – a notion of equivalence or partial order between processes.
• Advantages:
  – A large system can be broken into simpler subsystems and then proved correct in a modular fashion.
  – A hiding or restriction operator allows one to abstract away unnecessary details.
  – Equality for the process algebra is also a congruence relation and thus allows the substitution of one component with another, equal component in large systems.
• Note that the model is constructed in a component-based way, but the analysis is not: state exploration runs over the global state space of the composed system.
Calculus of Communicating Systems (CCS)

• Developed by R. Milner (Univ. of Edinburgh, later Cambridge); ACM Turing Award 1991
• Provides many interesting paradigms
  – Emphasis on communication and concurrency
    · Compact representation of both communication and concurrency, e.g. a (receive) and a' (send), and | (parallel operator)
  – Observation-based abstraction
    · Hiding internal behaviors using the \ (restriction) operator, i.e. considering all internal behaviors as one invisible special action τ
  – Correctness claims based on equivalence
    · Branching-time equivalence: strong equivalence vs. weak equivalence
Overview of CCS Syntax and Semantics

• CCS describes a system as a set of communicating processes
• The behavior of a process is expressed using actions
  – Act = input_actions ∪ output_actions ∪ {τ}
• Each process is built from the following 7 operators
  – Nil (null-ary operator): 0
  – Prefix: a.P
  – Definition: P = a.b.Q
  – Choice: a.P + b.P
  – Parallel: P | Q
  – Restriction: P \ {a,b}
  – Relabelling: P[a/b]
• Each operator has a clear formal semantics via inference rules (premises/conclusion rules)
• Based on these inference rules, the meaning/semantics of a process is given as a labelled transition system
Example of a CCS System

• A set of actions Act = {a, a', b, τ}
• We define a CCS system Sys as
    Sys = (a.E + b.0) | a'.F
• Sys can execute one of the following 4 actions:
    Sys -a->  E | a'.F
    Sys -a'-> (a.E + b.0) | F
    Sys -b->  0 | a'.F
    Sys -τ->  E | F

  Derivation of the first one:

    Prefix  -------------
             a.E -a-> E
    ChoiceL ----------------------
             (a.E + b.0) -a-> E
    ParL    ---------------------------------------
             (a.E + b.0) | a'.F -a-> E | a'.F

  Labelled transition system of Sys (the remaining arrows follow from the same rules):
    (a.E + b.0) | a'.F -a-> E | a'.F -a'-> E | F
    (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F -a-> E | F
    (a.E + b.0) | a'.F -b-> 0 | a'.F -a'-> 0 | F
    (a.E + b.0) | a'.F -τ-> E | F
    (a.E + b.0) | F -b-> 0 | F
Usage of Process Algebra

• Sequential system vs. reactive system
  – Ex1. Mathematical functions: given inputs, they generate outputs
    · Usually no environment consideration and no timing consideration
  – Ex2. Ad hoc On-Demand Distance Vector (AODV) routing protocol
    · Should model multiple concurrent nodes (environment)
    · Should model communication among the nodes
    · Should model timely behavior (e.g. time-outs)
• Modeling of a complex system
  – Concurrency => interleaving semantics
  – Communication => synchronization
  – Hierarchy => refinement
Notations (1/2)Notations (1/2)
A t i d ib d t f i tiA system is described as a set of communicating processes
Each process executes a sequence of actionsActions represents either inputs/outputs or internal
t ti tcomputation steps
A set of actions/events Act = L U L’ U {τ} L ={a,b,…} is a set of names and L’ ={a’,b’,…} is a set of co-names
• a L can be considered as the act of receiving a signal a’ L’ can be considered as the act of emitting a signal• a L’ can be considered as the act of emitting a signal
• τ is a special action to represent internal hidden action
Act – {τ } represents the set of externally visible actions:
14
Act {τ } represents the set of externally visible actions:
Notations (2/2)

• Operational (transitional) semantics of CCS processes
  – Define the "execution steps" that processes may engage in
  – P -α-> P' holds if a process P is capable of engaging in action α and then behaving like P'
• -α-> is defined inductively, using one inference rule per operator:

          premises
    Rule ------------ (side condition)
          conclusion

  Example 1:                        Example 2:

              Q -α-> Q'
    ChoiceR --------------          Prefix -----------
             P+Q -α-> Q'                    α.P -α-> P
Operators for Sequential Processes

• The idea: 7 elementary ways of producing or putting together labelled transition systems

1. Nil     0                       No transitions (deadlock)

2. Prefix  α.P  (α ∈ Act)          in.out.0 -in-> out.0 -out-> 0

    Prefix -----------  (no premise)
            α.P -α-> P

3. Defn    A = P                   Buffer = in.out.Buffer
                                   Buffer -in-> out.Buffer -out-> Buffer
           P -α-> P'
    Defn ------------ (A = P)
           A -α-> P'
Operators for Sequential Processes (cont.)

4. Choice  P + Q                   BadBuf = in.(τ.0 + out.BadBuf)
                                   BadBuf -in-> τ.0 + out.BadBuf -τ-> 0  or  -out-> BadBuf

              P -α-> P'                      Q -α-> Q'
    ChoiceL --------------         ChoiceR --------------
             P+Q -α-> P'                    P+Q -α-> Q'

• Obs: no priorities between τ's, a's or a''s!
• The notation Σ_{i∈I} P_i may be used to compactly represent a sequential process (a choice over the index set I)
Example: Boolean Buffer of Size 2

• Actions
  – in0:  0 is coming in as input
  – in1:  1 is coming in as input
  – out0: 0 is going out as output
  – out1: 1 is going out as output
• Processes
  – Buf2:   empty 2-place buffer
  – Buf20:  2-place buffer holding 0 (Buf21: holding 1)
  – Buf201: 2-place buffer holding 0 at the head and 1 at the tail (likewise Buf200, Buf210, Buf211)
• Definitions
    Buf2   = in0.Buf20 + in1.Buf21
    Buf20  = out0.Buf2 + in0.Buf200 + in1.Buf201
    Buf21  = out1.Buf2 + in0.Buf210 + in1.Buf211
    Buf200 = out0.Buf20
    Buf201 = out0.Buf21
    Buf210 = out1.Buf20
    Buf211 = out1.Buf21

[Figure: a 2-place FIFO buffer with an input port on the left and an output port on the right; the head element leaves first.]
Operators for Concurrent Processes

5. Composition  P | Q

            P -α-> P'                  Q -α-> Q'                 P -a-> P',  Q -a'-> Q'
    ParL ----------------      ParR ----------------      Par ------------------------
          P|Q -α-> P'|Q              P|Q -α-> P|Q'                  P|Q -τ-> P'|Q'

  Example:
    Buf1 = in.comm'.Buf1
    Buf2 = comm.out.Buf2
    Buf  = Buf1 | Buf2

    Buf -in-> comm'.Buf1 | Buf2 -τ-> Buf1 | out.Buf2 -out-> Buf1 | Buf2      (ParL, Par, ParR)
    Buf -comm-> Buf1 | out.Buf2 -out-> Buf1 | Buf2                           (ParR, ParR)

  Complete LTS of Buf (every arrow follows from the three rules above):
    Buf1 | Buf2            -in->    comm'.Buf1 | Buf2
    Buf1 | Buf2            -comm->  Buf1 | out.Buf2
    comm'.Buf1 | Buf2      -τ->     Buf1 | out.Buf2
    comm'.Buf1 | Buf2      -comm'-> Buf1 | Buf2
    comm'.Buf1 | Buf2      -comm->  comm'.Buf1 | out.Buf2
    Buf1 | out.Buf2        -out->   Buf1 | Buf2
    Buf1 | out.Buf2        -in->    comm'.Buf1 | out.Buf2
    comm'.Buf1 | out.Buf2  -out->   comm'.Buf1 | Buf2
    comm'.Buf1 | out.Buf2  -comm'-> Buf1 | out.Buf2
Operators for Concurrent Processes (cont.)

6. Restriction  P \ L

            P -α-> P'
    Res ---------------- (α ∉ L ∪ L')
          P\L -α-> P'\L

  Example:
    Buf1 = in.comm.Buf1
    Buf2 = comm'.out.Buf2
    Buf  = (Buf1 | Buf2)\{comm}

    Buf -in-> (comm.Buf1 | Buf2)\{comm} -τ-> (Buf1 | out.Buf2)\{comm} -out-> (Buf1 | Buf2)\{comm}

  The standalone comm and comm' steps are now blocked; only the synchronised τ step on the comm link remains.

  LTS of Buf under the restriction:
    (Buf1 | Buf2)\{comm}           -in->  (comm.Buf1 | Buf2)\{comm}
    (comm.Buf1 | Buf2)\{comm}      -τ->   (Buf1 | out.Buf2)\{comm}
    (Buf1 | out.Buf2)\{comm}       -out-> (Buf1 | Buf2)\{comm}
    (Buf1 | out.Buf2)\{comm}       -in->  (comm.Buf1 | out.Buf2)\{comm}      (omitted in the slide's diagram)
    (comm.Buf1 | out.Buf2)\{comm}  -out-> (comm.Buf1 | Buf2)\{comm}

• (Buf1 | Buf2)\{comm} : a design for a buffer with separated input/output ports
• ReqBuf = in.out.ReqBuf : a requirement for the buffer design
• (Buf1 | Buf2)\{comm} == ReqBuf would mean that the buffer design satisfies the requirement
• Caveat: the slide's diagram omits the state (comm.Buf1 | out.Buf2)\{comm}, reached by a second in while Buf2 still holds the first item. The design is therefore a two-place buffer and is not (weakly) equivalent to the one-place ReqBuf; it does satisfy a two-place requirement such as Req2 = in.Req2', Req2' = out.Req2 + in.Req2'', Req2'' = out.Req2' (names chosen here).
Operators for Concurrent Processes (cont.)

7. Relabelling  P[f]

             P -α-> P'
    Rel ---------------------
          P[f] -f(α)-> P'[f]

  Example:
    Buf  = in.out.Buf
    Buf1 = Buf[comm/out]  = in.comm.Buf1
    Buf2 = Buf[comm'/in]  = comm'.out.Buf2

• The relabelling function f must preserve complements, f(a') = f(a)', and leaves τ unchanged, f(τ) = τ
• The relabelling function is often given by name substitution as above: P[new/old]
Example: 2-way Buffers

• 1-place 2-way buffer:
    Bufab = a+.b-'.Bufab + b+.a-'.Bufab
  LTS:
    Bufab -a+-> b-'.Bufab -b-'-> Bufab
    Bufab -b+-> a-'.Bufab -a-'-> Bufab
• Bufbc = Bufab[c+/b+, c-/b-, b-/a+, b+/a-]
  (Obs: simultaneous substitution!)
• Sys = (Bufab | Bufbc)\{b+, b-}

[Figure: two cells connected by the hidden b+/b- link; a+ and a-' on the left side, c+ and c-' on the right side.]

• But what's wrong? In other words, does Sys == Bufac hold?
• Deadlock occurs: after Sys -a+-> (b-'.Bufab | Bufbc)\{b+,b-} -c+-> (b-'.Bufab | b+'.Bufbc)\{b+,b-}, each cell offers only a restricted action the other cannot match, so no transition is possible.
Summary of CCS Semantics

    Rule                                                 Example

    Act (Prefix) -----------                             in.P -in-> P
                  α.P -α-> P

                  P -α-> P'
    ChoiceL      -------------                           in.P + out.Q -in-> P  or  -out-> Q
                  P+Q -α-> P'

                  Q -α-> Q'
    ChoiceR      -------------
                  P+Q -α-> Q'

                  P -α-> P'
    ParL         ---------------                         in.P | in'.Q -in-> P | in'.Q  or  -in'-> in.P | Q
                  P|Q -α-> P'|Q

                  Q -α-> Q'
    ParR         ---------------
                  P|Q -α-> P|Q'

                  P -a-> P',  Q -a'-> Q'
    Par          ------------------------                in.P | in'.Q -τ-> P | Q
                  P|Q -τ-> P'|Q'

                  P -α-> P'
    Res          ---------------- (α ∉ L ∪ L')           (in.P | in'.Q)\{in} -τ-> (P | Q)\{in}  only
                  P\L -α-> P'\L

                  P -α-> P'
    Rel          ---------------------                   in.P[out/in] -out-> P[out/in]
                  P[f] -f(α)-> P'[f]
Inference of Process Execution

Proof of ((a.E + b.0) | a'.F)\{a} -τ-> (E | F)\{a}:

    Act     -------------
             a.E -a-> E
    ChoiceL ----------------------        Act ---------------
             (a.E + b.0) -a-> E                a'.F -a'-> F
    Par     -----------------------------------------------------
                    (a.E + b.0) | a'.F -τ-> E | F
    Res     ------------------------------------------------------ (τ ∉ {a} ∪ {a'})
                 ((a.E + b.0) | a'.F)\{a} -τ-> (E | F)\{a}
Exercises

• Derive the following process executions from the inference rules
    (a.E + b.0) | a'.F -a->  E | a'.F
    (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F
    (a.E + b.0) | a'.F -b->  0 | a'.F
    ((a.E + b.0) | a'.F)\{a} -b-> (0 | a'.F)\{a}
• Draw the corresponding labelled transition diagrams
    (a.E + b.0) | a'.F
    ((a.E + b.0) | a'.F)\{a}
    A = a.c'.A, B = c.b'.B:  A | B and (A | B)\{c}
Proofs

Proof 1:
    Prefix  -------------
             a.E -a-> E
    ChoiceL ----------------------
             (a.E + b.0) -a-> E
    ParL    ---------------------------------------
             (a.E + b.0) | a'.F -a-> E | a'.F

Proof 2:
    Prefix  ---------------
             a'.F -a'-> F
    ParR    ------------------------------------------
             (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F

Proof 3:
    Prefix  -------------
             b.0 -b-> 0
    ChoiceR ----------------------
             (a.E + b.0) -b-> 0
    ParL    ---------------------------------------
             (a.E + b.0) | a'.F -b-> 0 | a'.F
Labelled Transition Systems

LTS of (a.E + b.0) | a'.F:
    (a.E + b.0) | a'.F -a->  E | a'.F            (Proof 1)
    (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F     (Proof 2)
    (a.E + b.0) | a'.F -b->  0 | a'.F            (Proof 3)
    (a.E + b.0) | a'.F -τ->  E | F
    E | a'.F         -a'-> E | F
    (a.E + b.0) | F  -a->  E | F
    (a.E + b.0) | F  -b->  0 | F
    0 | a'.F         -a'-> 0 | F

LTS of ((a.E + b.0) | a'.F)\{a}:
    ((a.E + b.0) | a'.F)\{a} -b-> (0 | a'.F)\{a}
    ((a.E + b.0) | a'.F)\{a} -τ-> (E | F)\{a}