Bisimulation by Unification
Roberto Bruni (Pisa – Illinois), Paolo Baldan (Pisa – Venezia), Andrea Bracciali (Pisa)
UIUC, 21 Oct. 2002
Research supported by
• University of Illinois
• CNR Fellowship on Information Sciences and Technologies
• IST Programme on FET-GC Projects AGILE, MYTHS, SOCS
Outline
I. Introduction & Motivation
II. Running Example (toy PC with ambients)
III. Symbolic Bisimulation
  I. Symbolic Transition Systems
  II. Strict & Large Bisimilarity
IV. Bisimulation by Unification
V. Conclusions
VI. (Related Work & Future Work)
“Goal”
Sound methodology for the formal analysis of open systems
– Algebraic Representations of Processes
– Up-To Abstract Equivalences
  • Process Calculi + Bisimilarity
  • Closed Terms = Components
  • Contexts = Coordinators
– Compact (Symbolic) Transition Systems
Open Systems are…
Interactive, Autonomous, Accessible via Interfaces, Dynamic, Programmable, …
Ex. Web Services, WAN Computing, Mobile Code
[Figure: components p, q, r plugged into the holes of a coordinator C[X1,X2,X3], giving C[p,q,r]]
Interaction
– Components can be dynamically connected (Ex. Access to Network Services)
– Boundaries: access policies
– (Typed) Holes: constrained dynamic binding
Let’s Get Formal
Process Calculi “Ingredients”
– Structure (Σ,E): Signature + Structural Axioms
– Operational Semantics (SOS, LTS/RS)
– Linguistic abstraction for holes and binding
  • Variables & Substitutions
– Logic for expressing and proving properties
  • Specification & Verification
Abstraction
Equivalence on Components: p ≃ q
– Bisimulation, Traces, May/Must Testing
Equivalence on Coordinators
– C[X] ≃univ D[X] iff ∀p. C[p] ≃ D[p]
  (for simplicity, we consider one-holed contexts in most slides)
– needs universal quantification
Bisimulation
Focus on Bisimilarity ≃ (largest bisimulation): p ≃ q
– if p –a→ p' then q –a→ q' with p' ≃ q'
– (and vice versa)
Example: a.b+a.c ≄ a.(b+c)
  a.b+a.c –a→ b –b→ 0        a.(b+c) –a→ b+c –b→ 0
  a.b+a.c –a→ c –c→ 0                    b+c –c→ 0
(after its a-move, a.b+a.c has already committed to b or to c, while a.(b+c) still offers both)
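The distinction just drawn between a.b+a.c and a.(b+c) can be checked mechanically. The following is an added example, not part of the slides: a small Python checker that computes bisimilarity on a finite LTS as the greatest fixpoint of the transfer condition, run on a constructed LTS for the two processes, with trace equivalence alongside for contrast. The state names, the extra state c2 and the function names are mine.

```python
# Added example (not from the slides): bisimilarity on a finite LTS computed as a
# greatest fixpoint, applied to the slides' pair a.b+a.c and a.(b+c).
# Constructed sample LTS: state -> set of (label, successor).
LTS = {
    'a.b+a.c': {('a', 'b'), ('a', 'c')},
    'a.(b+c)': {('a', 'b+c')},
    'b+c':     {('b', '0'), ('c', '0')},
    'b':       {('b', '0')},
    'c':       {('c', '0')},
    'c2':      {('c', '0')},          # a second copy of c: matching is up to bisimilarity
    'a.b+a.c+a.c2': {('a', 'b'), ('a', 'c'), ('a', 'c2')},
    '0':       set(),
}

def transfer(lts, p, q, R):
    """Transfer condition: every p -a-> p' is matched by some q -a-> q' with (p', q') in R."""
    return all(any(b == a and (p1, q1) in R for b, q1 in lts[q]) for a, p1 in lts[p])

def bisimilarity(lts):
    """Largest bisimulation: start from all pairs and drop those violating the
    transfer condition in either direction until nothing changes (greatest fixpoint)."""
    R = {(p, q) for p in lts for q in lts}
    while True:
        R2 = {(p, q) for (p, q) in R if transfer(lts, p, q, R) and transfer(lts, q, p, R)}
        if R2 == R:
            return R
        R = R2

def bisimilar(lts, p, q):
    return (p, q) in bisimilarity(lts)

def traces(lts, p):
    """Finite trace set of p (the sample LTS is acyclic, so plain recursion terminates)."""
    ts = {()}
    for a, p1 in lts[p]:
        ts |= {(a,) + t for t in traces(lts, p1)}
    return ts

if __name__ == '__main__':
    print(bisimilar(LTS, 'a.b+a.c', 'a.(b+c)'))              # False: after a, the b/c choice is gone
    print(traces(LTS, 'a.b+a.c') == traces(LTS, 'a.(b+c)'))  # True: trace equivalence is coarser
    print(bisimilar(LTS, 'a.b+a.c', 'a.b+a.c+a.c2'))         # True: the extra a-branch to c2 is matched by c
```

The fixpoint iteration is the textbook construction (start from the full relation, refine); it is quadratic in the number of pairs per round and is only meant to make the definition concrete on small finite systems, not to replace partition refinement.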
Graphically
[Figure: a component p with transitions a1,…,an to p1,…,pn is matched by q with the same labels a1,…,an to q1,…,qn; for coordinators, C[X] and D[X] must likewise match each other's transitions a1,…,an]
Example: Ambients + Asynchronous CCS communication
p ::= 0 | a' | a.p | n[p] | open n.p | in n.p | out n.p | p|p
Reduction rules:
  n[P] | open n.Q → P | Q
  n[P] | m[in n.Q | R] → n[P | m[Q | R]]
  n[P | m[out n.Q | R]] → n[P] | m[Q | R]
  n[a.P | a' | Q] → n[P | Q]
  P → Q  implies  n[P] → n[Q]
  P → Q  implies  P|R → Q|R
(Assume AC1 parallel composition)
In Maude Notation
  mod CCSAmb is
    protecting MACHINE-INT .
    sorts Act Amb Proc .
    op n : MachineInt -> Amb .
    op a : MachineInt -> Act .
    op 0 : -> Proc .
    op _^ : Act -> Proc [frozen] .
    op _._ : Act Proc -> Proc [frozen] .
    op _[_] : Amb Proc -> Proc .
    op open(_)._ : Amb Proc -> Proc [frozen] .
    op in(_)._ : Amb Proc -> Proc [frozen] .
    op out(_)._ : Amb Proc -> Proc [frozen] .
    op _|_ : Proc Proc -> Proc [assoc comm id: 0] .

    vars N M : Amb .
    vars P Q R : Proc .
    var A : Act .

    rl (N[P]) | (open(N) . Q) => P | Q .
    rl (N[P]) | (M[(in(N) . Q) | R]) => N[P | (M[Q | R])] .
    rl N[(P | (M[(out(N) . Q) | R]))] => (N[P]) | (M[(Q | R)]) .
    rl N[(A . P) | (A ^) | Q] => N[P | Q] .
  endm
(rewrite rules are only allowed in a system module, mod … endm; ambient names n(i) and actions a(i) are indexed by machine integers, and the AC1 axioms of | are given by the attributes assoc comm id: 0)
A Problem on Components
(reduction rules as on the Ambients slide)
  n[a.0|a'] → n[0] ↛        ≃?        m[b.0|b'] → m[0] ↛
(each component performs exactly one reduction and then stops)
A Problem on Coordinators
(reduction rules as on the Ambients slide)
  n[X] ≃univ? m[X]
(no instance-by-instance check settles this: ≃univ quantifies over all components X)
Symbolic Approach
Bisimulation Without Instantiation
– Facilitates analysis & verification of coordinators’ properties
Distinguishing Features
– Symbolic LTS
  • states are coordinators
  • labels are spatial/modal formulae
– Avoids universal closure
– Allows for coalgebraic techniques
– Constructive definition for Algebraic SOS
– (In general yields equivalences finer than ≃univ)
Notation
We start from a PC specified by
– Syntax & Structural Equivalence: (Σ,E)
  • T_{Σ,E} is the set of Components p,q,r…
  • T_{Σ,E}(X) is the set of Coordinators C[X], D[X],…
  • C[X1,…,Xn] means var(C) ⊆ {X1,…,Xn}
– Labels: ranged over by a,b,…
– LTS: L (defined on T_{Σ,E} and the labels)
  • possibly defined by SOS rules
Symbolic Transition Systems
Ordinary SOS approach:
– Behavior of a coordinator can depend on:
  1. The spatial structure of the components that are inserted/connected/substituted
  2. The behavior of those components
Idea: borrow formulae from a suitable “logic” to express the most general class of components that can take part in the coordinators’ evolution

What Logic Do We Need?
Formulae must express the minimal amount of information on components for enabling the step:
– Components that are not playing an active role in the step
– “Most general” active components needed for the step
– Assumptions not only on the structure of components, but also on their behavior
Logic L must include, as atomic formulae:
– Place-holders (process variables) X: q ⊨ X (for every q)
– Components p: q ⊨ p iff q ≡_E p
Symbolic Transitions
  C[X] –φ(Y),a→ D[Y]
  (C[X], D[Y] coordinators; φ(Y) a formula; a an ordinary label)
intuitively: whenever p ⊨ φ(q), then C[p] –a→ D[q]
(q is to some extent the residual of p after satisfying φ)

Correctness
Every symbolic transition C[X] –φ(Y),a→ D[Y] of the STS is sound for the LTS L:
  for all pi, qi with pi ⊨ φ(qi):  C[pi] –a→ D[qi] in L
(p ⊨ φ(q) singles out exactly the components that can make the a-step)

Completeness
Every transition of the LTS L is covered by the STS:
  if r ≡_E C[p] and r –a→ q in L, then there exist φ, D, s such that
  C[X] –φ(Y),a→ D[Y] in the STS, with p ⊨ φ(s) and q ≡ D[s]
Strict Bisimilarity
Strict Bisimilarity ≃strict: largest (strict) bisimulation s.t. C[X] ≃strict D[X] implies
  if C[X] –φ(Y),a→ C'[Y] then D[X] –φ(Y),a→ D'[Y] with C'[Y] ≃strict D'[Y]
  (and vice versa: the same formula and the same label must be matched)
THEOREM: If the STS is correct & complete, then ≃strict ⊆ ≃univ
Back to the Open Problem
(reduction rules as on the Ambients slide)
  n[X] –Y|k[out n.Z|W]→ n[Y]|k[Z|W]        m[X] –Y|k[out n.Z|W]→ ↛
  (m[X] has no symbolic transition with this formula: an out n move needs the enclosing ambient to be n)
hence n[X] ≄strict m[X]
and indeed n[X] ≄univ m[X] (take X = k[out n.0])
A Last Problem
(reduction rules as on the Ambients slide)
  n[m[out n.X]] ≃strict? n[0]|m[a'|a.X]
  n[m[out n.X]] –Y→ n[0]|m[Y]        n[0]|m[a'|a.X] –Y→ n[0]|m[Y]
  (on both sides the only move is one reduction with X unconstrained: formula Y, residual n[0]|m[Y])
hence n[m[out n.X]] ≃strict n[0]|m[a'|a.X]
and therefore n[m[out n.X]] ≃univ n[0]|m[a'|a.X]
Large Bisimilarity
What if ≃strict is too fine?
We can relax the strict bisimilarity when the logic L includes generic spatial formulae:
– Operators f:  q ⊨ f(φ1,…,φn) iff ∃q1,…,qn. q ≡_E f(q1,…,qn) and qi ⊨ φi for all i
We call spatial formulae those composed by spatial operators and place-holders only
– Ambivalent view of Spatial Formulae as Coordinators
Large Bisimilarity
Large Bisimilarity ≃large: largest (large) bisimulation s.t. C[X] ≃large D[X] implies
  if C[X] –φ(Y),a→ C'[Y] then D[X] –ψ(Z),a→ D'[Z] with φ(Y) = ψ(σ(Y)), σ(Y) spatial, and C'[Y] ≃large D'[σ(Y)]
  (and vice versa)
THEOREM: ≃strict ⊆ ≃large
THEOREM: If the STS is correct & complete, then ≃large ⊆ ≃univ
Why Use ≃strict & ≃large
• As an approximation method for ≃univ
  – ≃univ is not defined coinductively
  – ≃univ requires the verification of infinitely many equivalences
• Bonus Theorems:
  – C[X] ≃large D[X] implies C[E[Y]] ≃univ D[E[Y]]
  – C[X] ≃strict D[X] implies C[E[Y]] ≃univ D[E[Y]]
• Note that in general ≃large is not transitive
• Bonus Theorem:
  – if C[X] ≃large D[X] implies C[E[Y]] ≃large D[E[Y]], then ≃large is transitive and thus it is an equivalence relation
Algebraic SOS Format (spatial/modal constraints)
Rule schema:
  {Xi –ai→ Zi}i∈I
  ─────────────────────────────
  C[X1,…,Xn] –a→ D[Y1,…,Yn]
  (Yi is either Xi (if i∉I) or Zi (if i∈I))
Formulae: φ ::= X | p | a.φ | f(φ,…,φ)
– Modality a: q ⊨ a.φ iff q –a→ p and p ⊨ φ

Bisimulation by Unification
Each rule of the format becomes a Prolog clause (schematically):
  trs( box(A,X) , A , X ) :- !.
  trs( C[X1,…,Xn], a, D[Y1,…,Yn] ) :-
      trs(Xi1 , ai1 , Zi1), … ,
      trs(Xin , ain , Zin).
The program can be seen as the specification of the STS
– Goals have the form ?- trs(C[X1,…,Xn], a , Z).
– Backtracking mechanism + meta-logic ops (bagof) can be used to compute all symbolic transitions for C[X]
THEOREM: The resulting STS is correct & complete
The Prolog Algorithm
Conclusions
• General formal framework for open systems
  – Meta-theoretic foundations
• Under suitable hypotheses: ≃strict implies ≃large implies ≃univ
• For the Algebraic SOS format, a minimal STS can be defined constructively in Prolog
  – cut + unification
  – extension to AC1 parallel operator (see paper)
Dual View
• Instantiation ↔ Contextualization
• When ≃ is not a congruence:
  – the relation {(p,q) | ∀C[X]. C[p] ≃ C[q]} is not a bisimulation (unless ≃ is a congruence)
  • (the largest congruence which is also a bisimulation is called dynamic bisimulation)
• Sewell, Leifer & Milner: minimal contexts as labels
  – Transitions: p –C[_,X1,…,Xn]→ D[X1,…,Xn]
    1. ∀pi. C[p,p1,…,pn] → D[p1,…,pn]
    2. C[_] minimal (not necessarily minimum)
  – Universal quantification moved from contexts to components!
Related Work / Source of Inspiration
• Sewell, Leifer & Milner
  – categorical characterization of the most general interaction (relative pushout)
• Caires, Cardelli & Gordon
• Fiadeiro, Maibaum, Martí-Oliet, Meseguer & Pita
  – elegant mathematical tool for expressing structural & temporal aspects
• Bruni, Montanari & Rossi
  – interactive view of Logic Programming
Future Work
• Deal with names
  – Name restriction & Logical notion of freshness
• Duality
  – Categorical formulation (relative pullback?)
• Symbolic approach to the verification of infinite state cryptographic protocols
• Extension to meta and abductive LP
  – Programmable definition of proofs
  – To answer questions like “under which assumptions can p|X evolve so as to satisfy a certain property?” that are relevant in dynamic system engineering
Bisimulation By Unification
a paper by Andrea Bracciali, Paolo Baldan, Roberto Bruni
a presentation by Roberto Bruni