Programming Paradigms for Concurrency

Lecture 12

Part III – Message Passing Concurrency

Notions of Behavioral Equivalence in the ¼-Calculus

Formal Reasoning about Systems

When can one system be safely replaced by another?

When is one system a refinement of another system?

To answer such questions we need to formally relate the behavior of systems.

Vending Machines

Consider the following two process terms:

Vending Machines

They denote the same sets of traces (trace equivalence):

But are they indistinguishable?

P Q

Let’s add a Coffee Drinker

C

S

P

Parallel composition of P and C gives

Let’s add a Coffee Drinker

T

Parallel composition of Q and C gives

Q C

T can deadlock

Trace Equivalence

Trace equivalent processes are not guaranteed to behave identically in every process context.

Trace equivalence is not a congruence on process terms

We need a finer notion of process equivalence

Simulation Relations

• A binary relation on transition systems (respectively their states)– formalizes under which conditions one system correctly

implements another (i.e., behaves in the same way)• Important for system synthesis– stepwise refinement of a system specification MI into a an

implementation MI : MI ¹ ... ¹ MS

• Important for system verification– simulation relations formalize abstractions– instead of proving M ² Á directly, prove M ¹ M’ and then M’

² Á

We focus on simulation relations on states of systems.

(Strong) Simulation

Let • M =h S, L, !, I i be a labeled transition system

and• R µ S £ S a binary relation on states of MR is called a simulation over M iff

We say that s simulates t written if there exists a strong simulation R such that s R t.

As we shall see, in the ¼-calculus it gets slightly more complicated...

Strong Bisimulation

A binary relation R over S is called a bisimulation over LTS M =h S, L, !, I i iff both R and its inverse R -

1 are simulations for M.

We say that s bisimulates t written s » t iff there exists a bisimulation R such that s R t.

Properties of Bisimilarity

The relation » is• an equivalence relation• itself a bisimulation• the largest bisimulation, i.e., for all bisimulations R

of an LTS M, R µ »• decidable for finite LTS• decidable for some infinite LTS (e.g. timed automata)• undecidable for ¼-calculus processes

(and already for CCS)

Vending Machines

Q simulates P because:

is a simulation for Q and P.

P QP1 Q1 Q2P QP1 Q1 Q2

Vending Machines

But P does not simulate Q :

P QP1 Q1 Q2

No relation can contain the pair (P, Q)

Our earlier definition of simulation does not quite work for the ¼-calculus

Assume z 2 fn(R,x). Then the process terms

would not be bisimilar because but

However, P and Q are structurally equivalent and both can take transitions x(w) for any other w.

(Bi)simulation and Value Passing

P ®! P 0 z =2 n(®)

(ºz)P ®! (ºz)P 0(Res)

Simulation for the ¼-calculus

Bisimulation and bisimilarity » are defined as before.

early

Properties of Late Bisimulation

• The relation » is– an equivalence relation– itself a late bisimulation– the largest late bisimulation– a congruence for process terms

• Structural congruence ´ is a late bisimulation but ´ is not identical to »

Are there algebraic laws for » similar to the ones we used to define ´?

Algebraic Laws for Late Bisimulation

Define the relation ¼ as follows

P + P ¼P (BS-Idem)

x =2 n(®)

(ºx)®:P ¼®:(ºx)P(BS-Res1)

®= x(y) or ®= xhyi

(ºx)®:P ¼0(BS-Res2)

(ºx)(P + Q) ¼(ºx)P + (ºx)Q (BS-Res3)

+• the rules as for ´• one more rule for

parallel composition

Rule for Parallel Composition(BS-Exp)Let P =

Pi ®i :Pi and Q =

Pj ¯ j :Qj ,

where bn(®i ) \ fn(Q) = ; and bn(¯ i ) \ fn(P ) = ; for all i; j . Then

P j Q ¼X

i

®i :(Pi j Q) +X

j

¯ j :(P j Qj ) +X

®i comp ¯ j

¿:R i j

where ®i comp¯ j and R i j are de ned by the following cases:

1. ®i = x(y) and ¯ j = xhzi in which caseR i j = Pi [z=x] j Qj ,

2. ®i = x(y) and ¯ j = (ºz)xhzi in which caseR i j = (ºz)(Pi [z=x] j Qj ),

3. The converseof 1.

4. The converseof 2.

Soundness and Completeness

Theorem. For all process terms P and Q: P » Q iff P ¼ Q

One of the main results of[Milner, Parrow, Walker, 1992]

We can use equational reasoning to prove bisimilarity of process terms

Beyond this Lecture

• other notions of bisimulation for the ¼-calculus– weak bisimulation: allow stuttering transitions– barbed bisimulation: induces a congruence

equivalent to early strong bisimulation• logical characterizations of bisimulation– Hennessy-Milner Logic for CCS [1985]– ¼-¹-calculus [Dam, 2003]

Model Checking Scala Actors

A Publish/Subscribe Service in Scalasealed abstract class Categorycase object Cat1 extends Category...case object CatN extends Categorycase object Listcase class Categories(cats: Set[Category])...class Server extends Actor { def loop(enl: Map[Category,Set[Actor]]){ val cats = Set(Cat1,...,CatN) react { case List => { reply(Categories(cats)) react { case Subscribe(c) => loop(enl + c -> (enl(c) + sender)) } } case Unsubscribe(c) => loop(enl(c) + c -> (enl(c) - sender)) case Publish => { reply(Who) react { case Credential => if (*) { reply(Categories(cats)) react { case Content(c) => enl(c).forall( _ ! Content(c)) loop(enl) } } else { reply(Deny) loop(enl) } } } } } override def act() = loop({_ => EmptySet})}

class Subscriber(server: Actor) extends Actor { def loop(cat: Category): Unit = { if (*) { react { case Content(c) => if (c != cat) error("...") ... } } else { server ! Unsubscribe(cat) exit('normal) } }

override def act(): Unit = { server ! List react { case Categories(cats) => val cat = cats.choose loop(cat) } }}

class Publisher(server: Actor) extends Actor { override def act(): Unit = { server ! Publish react { case Who => reply(Credential) react { case Categories(cats) => val c = cats.choose reply(Content(c)) if (*) act() else exit('normal) case Deny => exit('badCredential) } } }}

A Publish/Subscribe Service in Scala

Server

Subscriber

Subscriber

PublisherPublisher

server

server

enl(Cat1)

Subscriber

server

enl(Cat1)

server

server

enl(Cat2)

Content(Cat1)

sender

Infinite state system• number of Subscriber and Publisher processes and• number of messages in mailboxes can grow unboundedly

Server

Subscriber

server

enl(Cat1)

Content(Cat1)sender

“The server link of a Subscriber always points to a Server”

“Subscribers only receive content they are enlisted to”

“No process ever reaches a local error state”

Verification of Safety Properties

“Shape Invariants”

Undecidability of Verification Problems

Statemachine

Ccounter1 C

nextC

next

C Cnext

counter2

Encoding of a two counter machine

Are there any interesting fragments with decidable verification problems?

Depth-Bounded Systems (DBS)[Meyer 2008]

DefinitionA system is depth-bounded iffthere exists a constant that bounds the lengthof all simple paths in all reachable state graphs.

The actual definition is in terms of ¼-calculus processes.

Depth-Bounded Systems (DBS)

Server

Subscriber

Subscriber

PublisherPublisher

server

server

enl(Cat1)

Subscriber

server

enl(Cat1)

server

server

enl(Cat2)

Content(Cat1)

sender

Content(Cat1)sender

maximal length of any simple path is 5

The Covering Problem

init bad

Given a transition system and a bad configuration

decide whether there is a reachable configuration that “covers” the bad one.

Server

Subscriber

server

enl(Cat1)

Content(Cat2)sender

Application: verify absence of bad patterns

“Subscribers only receive content they are enlisted to”

The Covering Problem

The covering problem is decidable for DBSs

Well-Quasi-Orderings

DefinitionA relation · µ S £ S is a well-quasi-ordering iff• · is a quasi-ordering (reflexive and transitive)• for any infinite sequence s1, s2, … there are

i < j such that si · sj

Examples• identity relation on a finite set• order on the natural numbers• extension of a well-quasi-ordering on an alphabet

to words over the alphabet (Higman’s Lemma)• tree embedding order (Kruskal’s Tree Theorem)

Well-Structured Transition Systems (WSTS) [Finkel 1987]

DefinitionA WSTS is a tuple (S, init, !, ·) where• (S, init, !) is a transition system• · is a well-quasi-ordering on S• · is a simulation relation:

for all s, t, s’ 2 S with s ! s’ and s · t there exists t’ 2 S with t ! t’ and s’ · t’

Examples• Petri nets• lossy channel systems

Predicate Transformers

Let M=hS,init,!i be a transition system. For X µ S define

Using post we can define the reachable states of M:

Reach(M) = lfp X. post(X) [ {init}

Upward and Downward Closures

"X

X

·

Y

·

#Y

"X = {x’2S | 9x2X. x · x’}

#Y = {y’2S | 9y2X. y’ · y}

Some Properties of Closed Sets

Let · be a quasi-ordering on S and M = hS, init, !i a transition system. Then• the upward closed subsets of S are closed under

unions and intersections. What is more"(X [ Y ) = "X [ "Y and #(X \ Y ) = #X \ #Y

• the same holds for downward closed sets• if · is a simulation for M then the upward closed

subsets of S are closed under pre.• if · is a well quasi-ordering then every upward closed

subset of S has finitely many minimal elements.

Covering Problem

Let M=hS,init,!i be a transition system, · a quasi-ordering on S and bad 2 S a state.

The covering problem asks whether:

bad 2 #(Reach(M)) = #(lfp X. post(X) [ {init})

respectively

init 2 lfp X. pre(X) ["bad

For WSTS M=hS,init,! ,·i with decidable · and computable pre, the covering problem is decidable.

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

init

lfp X. pre(X) ["bad

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

init

…lfp X. pre(X) ["bad

Depth-Bounded Systems as WSTS

Depth-bounded systems form WSTS for• their reachable states• and the quasi-ordering induced by

subgraph isomorphism

Next we show that is a well-quasi-ordering on the reachable states

Well-Quasi Ordering on States of DBS

• the subgraph ordering is well-founded but what about infinite antichains?

• In general, infinite antichains exist, but not if we restrict ourselves to states of depth-bounded systems

Idea of the proof:• encode state graphs of DBS and the subgraph

ordering into labeled trees• show that Kruskal’s Tree Theorem can be applied to

the tree encoding

Closure of a Tree

Add edges according to transitive closure of the edge relation

Every (undirected) graph is contained in the closure of some tree.

Tree-Depth of a Graph

DefinitionThe tree-depth td(G) of a graph G is the minimal height of all trees whose closure contain G.

height is 2tree depth is 2

Tree-Depth and Depth-Bounded Systems

PropositionA set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths.

the reachable configurations of a depth-bounded system have bounded tree-depth.

Tree Encodings of Depth-Bounded Graphs

G tree(G)

Number of labels used in the encoding is finite.

Take a minimal tree whose closure contains the graph G.Label each node v in the tree by the subgraph of G induced by the nodes on the path to v.

Homeomorphic Tree Embedding

¹T

tree(G1) ¹T tree(G2) implies G1 G2

One can show for all graphs G1, G2:

Extend quasi-ordering ¹ on vertex labels to quasi-ordering ¹T on trees as follows:

T1 ¹T T2 iff either1. for the root vertices v1 and v2 of T1, T2 we have

a) label(v1) ¹ label(v2) and b) for every subtree T’1 of T1 rooted in a child of v1 there

exists a subtree T’2 of T2 rooted in a child of v2 such that T’1 ¹T T’2

2. there exists a subtree T’2 of T2 rooted in a child of the root of T2 such that T1 ¹T T’2

Kruskal’s Tree Theorem

Theorem [Kruskal 1960, Nash-Williams 1963]Homeomorphic tree embedding is a well-quasi-ordering on finite trees, labeled by a WQO set.

subgraph isomorphisms induce a well-quasi-ordering on the reachable states of a depth-bounded system.

Backward Algorithm for the Covering Problem of WSTS

bad

"badpre("bad)

…prek("bad)

initRequirements• · is decidable• pre is effectively computable

Backward Analysis of DBSs

• WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations

• reachability is undecidable so pre is not computable for the induced WSTS

• only option: if bound of the system is k, define WSTS wrt. the set of all graphs of depth at most k

termination of a backward analysis can only be ensured if the bound of the system is known a priori.

Standard backward algorithm is not a decision procedure for the covering problem of DBS.

Is there a forward analysis that decides the covering problem for depth-bounded systems?

Yes, there is.See [Wies, Zufferey, Henzinger, FoSSaCS’10] for the details.

We are currently building a software model checker for Scala actors based on this algorithm.

Forward Analysis of DBS

Backward Analysis is Impractical

Server

Subscriber

server

Subscribe(Cat1)

sender

Backward analysis has to guess sender (and other parameters) of sent messages

explosion in the nondeterminism

Backward Analysis is Impractical

Server

Subscriber

server

Subscribe(Cat1)

sender

Backward analysis has to guess sender (and other parameters) of sent messages

explosion in the nondeterminism

This is similar to the aliasing problem for backward analysis of programs with pointers

?

Forward Analysis of a WSTS

init

#init #post(#init) … #postk(#init)

bad

Forward Analysis of a WSTS

init

#init #post(#init) … #postk(#init)

bad

We need “limits” of all downward-closed sets for termination.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]

X YD

wqo set ADL for X

°

For every z 2 Y, °(z) is a downward-closed subset of X

X D

wqo set ADL for X

° Y

Every downward-closed subset of X is generated by a finite subset E of Y [ X

E1

E2

E = E1 [ E2

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006]

Expand, Enlarge, and Check

Theorem [Geeraerts, Raskin, Van Begin 2006]

There exists an algorithm that decides the covering problem for WSTS with effective ADL.

X1

Y1

X2

Y2

X2

Y2

… µ X

µ Y

µ

…µ

µ

µ

µ

µ

Next: an ADL for depth-bounded systems

Server

Loop Acceleration à la Karp-Miller

Server

Subscriber SubscriberSubscriber

Server

¾ ¾

+

limit configuration

Idea for loop accelerationRecord which parts of a configuration can be duplicated.

Content

Server

Limit Configurations

Server

Subscriber Subscriber

Subscriber+

+Content

ContentContent

Server

Subscriber

Content

°

…

Denotation °(L) is downward-closure of all unfoldings of L

An ADL for Depth-Bounded Systems

Server

Subscriber+

TheoremLimit configurations form an ADL for depth-bounded graphs.

CorollaryThe EEC algorithm decides the covering problem for depth-bounded systems.

Theorem [Finkel, Goubault-Larrecq 2009]

The downward-closed directed subsets of a wqo set X form an ADL for X.

Canonical Adequate Domain of Limits

X

A directed set for qo (X, ·) is• a nonempty subset of X• closed under upper bounds

·· X

D

D1

D2

D3

D4

D5

= (Q,§,Qf,¢)Q = {p,q,r,s}§ = {a,b,c}Qf = {p}¢ = {a(²) → s b(²) → r c(sr*s) → q a(q+) → p}

Hedge Automata

A a

c c

a a a abs s s sr

q q

p

To proof: For every directed downward-closed set D, there exists a limit configuration L with

Proof Sketch

D = °(L)

Look at the tree encodings tree(D) and ¹construct a hedge automaton AD such that

From AD construct the limit configuration L.

D = #tree¡ 1(L (AD ))

Proof Sketch

…

…

directed dc set

Further Related WorkMeyer, Gorrieri 2009 –

depth-bounded systems and place/transition nets

Finkel, Goubault-Larreqc 2009 – Karp-Miller-style forward analysis of WSTSs with ADLs

Ganty, Raskin, Van Begin 2006 –Forward analysis of WSTSs without ADLs

Dam 1993, Amadio, Meyssonnier 2002 –decidable fragments of the ¼-calculus

Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005 –type systems for the ¼-calculus

Bauer (Kreiker), Wilhelm 2007 –shape analysis for depth-bounded systems

Conclusions

• many real-life examples of message passing systems are depth-bounded

• many interesting safety properties are expressible in terms of covering

• our main result: the covering problem is decidable for depth-bounded systems

• our ADL suggests a whole spectrum of forward analyses for depth-bounded systems