C LAUS B RABRAND S EMANTICS (Q1,’06) O CT 06, 2006 C LAUS B RABRAND © 2005-2006, University of Aarhus [ [email protected] ] [ brabrand

CLAUS BRABRAND SEMANTICS (Q1,’06) OCT 06, 2006

CLAUS BRABRAND

© 2005-2006, University of Aarhus

[ [email protected] ] [ http://www.daimi.au.dk/~brabrand/ ]

SEMANTICS (Q1,’06)

WEEK 6: ”EQUIVALENCES, BISIMULATION, AND GAMES”

CLAUS BRABRAND[ 2 ]

SEMANTICS (Q1,’06) OCT 06, 2006

Course Structure

Introduction [background]: Prerequisitional Math // 1 week

Part I [describe/explain/analyze]: Structural Operational Semantics // 3 weeks

Part II [compare/reason]: Concurrency and Communication (CCS) // 1 week

Part III [compare/prove/apply]: Equivalence: Bisimulation and Games // 1 week

To be decided... //

1 week

CLAUS BRABRAND[ 3 ]


Week 6 - Outline

Competition results A Tale of Two Coca-Cola Machines About Equivalences Strong Bisimulation The Strong Bisimulation Game Properties Model-Checking CCS Tools

CLAUS BRABRAND[ 4 ]


And the winner is...

Here are the results of the Luxembourg jury...

1.

EmilRennerBerthing

“Learn while you sleep!”

“The Semantics Pillow”

Only$19,95

CLAUS BRABRAND[ 5 ]


CCS Syntax

CCS Syntax:

“0” // inaction “.P” // action prefix “P+P” // non-deterministic choice “P|P” // parallel composition “P\a” // restriction (private name) “P[f]” // action relabelling “K” // process variable

P ::= 0 | .P | P+P | P|P | P\a | P[f] | K

X = P, Y = Q, … def def

a: f(a) = f(a) f() =

f:ActAct

… where

Note: restrictions on f

CLAUS BRABRAND[ 6 ]


SOS for CCS

Structural Operational Semantics:

Q: why (tau) in communication “P|Q” (instead of propagating a or a) ?

~ “the unobservable hand-shake”

[RES][REN]

[COM1] [COM2] [COM3]

[ACT] [SUM][DEF]

CLAUS BRABRAND[ 7 ]


Example: Lock ("Mutual Exclusion")

Example: ("mutex") Lock

Q: How are the critical enters and exits related ? A: never two enters without exit in between

Mutex = (User | Lock) \ {acq,rel}

User = acq.enter.exit.rel.User

Lock = acq.rel.Lockdef

def

def

System = (User | Lock | User’) \ {acq,rel}def

User’ = User[enter’/enter,exit’/exit]def

// critical region

aka. a "semaphore"

acq

rel

Sema = p.v.Sema"Passern" (Dutch: to pass)

"Vrijgeven" (Dutch: to give free)E. Dijkstra

Historically:

Lock

def Prolaag and Verhoog ?


A TALE OF TWO COCA-COLA MACHINES

Keywords:

- equality - equivalence (equivalence relations) - congruence

CLAUS BRABRAND[ 9 ]


Once upon a time...

Dispenser:

Dispenser’: ’’

Would you consider them equal ‘=’ ?

coin . (coke + sprite)

coin.coke + coin.sprite

Would you consider them equivalent ‘’ ?

What does it at all mean for them to be equivalent ‘’ ?!?

CLAUS BRABRAND[ 10 ]


Equal vs. Equivalent

Equal (concrete identity): 3 = 3

Equivalent (abstract): 3 003 310 0x0316 \0038 00112

3 three 3 3 1+2 3 3 let n=2 in n*(n-1)+(n-2)

ii=0

2

more abstract



Trace Equivalence

Definition: Trace Equivalence: Two processes P and Q are trace equivalent “tr” iff:

They can produce the same traces:

Example: Traces( )

= { , coin, coin;coke, coin;sprite }

Traces( )

= { , coin, coin;coke, coin;sprite }


coin.coke + coin.sprite

’’’’trHence:

Traces(P) = { Act* | Q : P * Q }



Contextual Composition…?

Recall:

"Coke-only-drinker":

Contextualcomposition:


coin.coke + coin.sprite ’’

’’tr

What the.. !?

coin . coke . drink

The coke drinkeris certainly able to to distinguish the two dispensers !!

Idea (can we…?):put the two dispensers in acontext where theycan be differentiated !

problematic equality(!)

?

Trace equivalencecannot distinguish the two dispensers.


ABOUT EQUIVALENCES

Keywords:

- equivalence relation - congruence - properties



CCS: “Single-Language Formalism”

CCS is a so-called “Single-lang. formalism”; i.e. one may specify both:

implementation ( ) and specification ( )

We would like to check via some (reasonable) equivalence, R , that:

“The implementation has the intended behavior”:

R the spec. and impl. are “equivalent”

IMPL =def ...

SPEC =def ...

IMPLSPEC



Def: Equivalence Relation

Let R be a binary relation over set A: R A A

R is an equivalence relation iff: Reflexive:

Symmetric:

Transitive:

xA: x R x

x,yA: x R y y R x

x,y,zA: x R y y R z x R z

Q: is trace equivalence “tr” an equivalence relation ?



...and (equivalence relation)

…and we would like (R to be an equiv. rel.):

reflexitivity : SYS R SYS (same behavior as itself) !

transitivity (for stepwise modelling/refinement) !!! : S0 R S1 R ... R Sn R IMPL => S0 R IMPL

symmetry (just a nice property to have in that): S R S’ S’R S

Is trace equivalence, ‘tr’, an equivalence relation ? Yes



…and (satisfy properties)

Furthermore, we would like these properties: P+Q R Q+P // ‘+’ commutative (P+Q)+R R P+(Q+R) // ‘+’ associative P|Q R Q|P // ‘|’ commutative (P|Q)|R R P|(Q|R) // ‘|’ associative 0+P R P // ‘0’ is neutral wrt. ‘+’ 0|P R P // ‘0’ is neutral wrt. ‘|’ ...

Trace equivalence ‘tr’ ? Yes



…and (congruence wrt. CCS)

Definition: “R ” congruence (wrt. CCS): P R Q C[P] R C[Q] , for all contexts C[]

“relation is preserved under contextual substitution”

A context = a process with a gap:

Examples: P R Q P+R R Q+R P R Q P|S R P|S P R Q a.P R a.Q P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x

C : .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a

[]+R

[]|S

a.[]

?2

Congruence ‘tr’ ?



Trace Equiv. ~ DFM Acceptance

Recall: a deterministic finite automaton, A: is completely identified by its set of traces: L(A)

Trace equivalence ~ DFA acceptance: (without accept states - by construction) P tr Q iff they can produce the same traces

This point of view is totally justified and natural if we view our LTSs as non-deterministic devices that may generate or accept sequences of actions. However, is it still a reasonable one if we view our automata as reactive machines that interact with their environment ?

-- [Aceto, Larsen, Ingólfsdóttir, p. 33]



…and (abstract)

We would also like R to: abstract away from:

(particular choices of) states non-determinism internal (unobservable) behavior

Consider only behavior (observable actions)

Trace equivalence ‘tr’ ? No

‘tr’ doesn’t take communication capabilities of intermediate states into account (can make a difference when made to interact w/ another system)



Trace Equivalence

On sale…

Trace Equivalence Special offer: 5 for only $0.85

This week only!

“On sale: 5 for only $0.85!”

“Trace Equivalence”

5 for $0.85

trtrtrtrtr


STRONG BISIMULATION: (~)



Def: A Strong Bisimulation

Let (Proc, Act, ) be a LTS

Def: a bin. rel. R Proc Proc is a strong bisimulation iff whenever (s,t) R : aAct :

if s s’ then t t’ for some t’ such that (s’,t’) R if t t’ then s s’ for some s’ such that (s’,t’) R

Note: 1. Definition on LTS (not necessarily wrt. processes) 2. Definition relative to a (SOS) semantics (via LTS)

a

a

a

a

a

Intuition: “Only equate as consistently allowed by the semantics”



Def: Strongly Bisimilar (~)

A Strong Bisimulation:

Def: a bin. rel. R Proc Proc is a strong bisimulation iff whenever (s,t) R : aAct :

if s s’ then t t’ for some t’ such that (s’,t’) R if t t’ then s s’ for some s’ such that (s’,t’) R

The Strong Bisimilarity relation (~):

Def: two (processes) s and t are strongly bisimilar( s ~ t ) iff strong bisimulation R : (s,t) R .

i.e.

a

a

a

a

‘~’ := {R | R is a strong bisimulation }



Basic Properties of (~)

Theorem: ‘~’ is an equivalence relation

Theorem: ‘~’ is the largest strong bisimulation

i.e. for any bisimulation R we have that: R ‘~’

Theorem: s ~ t iff aAct :

if s s’ then t t’ for some t’ such that s’ ~ t’ if t t’ then s s’ for some s’ such that s’ ~ t’

a

a

a

a



How to Prove Strong Bisimilarity ?

How to prove strong bisimilarity for two processes ?

i.e. ?:

Exhibit a (any) bisimulation R , for which:

By definition we get that: since ‘~’ was the largest bisimulation(s,t) R ‘~’

(s,t) R

p ~ q



Example Proof of Bisimilarity

Example: Buffer (capacity 1):

Buffer (capacity 2):

Show that:

A0 =def in . A1

A1 =def out . A0

B0 =def in . B1

B1 =def in . B2 + out . B0

B2 =def out . B1

B0 ~ A0|A0

B0

B1

B2

A0|A0

A1|A0 A0|A1

A1|A1

R = { (B0 , A0|A0) , (B1 , A1|A0) , (B1 , A0|A1) , (B2 , A1|A1) }



How to Prove Non-Bisimilarity ?

How to prove non-bisimilarity ? i.e. ?

Enumerate all binary relations: Check that none are bisimulations and contain (p,q)

However: extremely expensive O(2|p||q|)

Use “Feynman Problem-Solving Algorithm”: (1). Write down the problem; (2). Think very hard; (3). Write down the answer.

Or…

s ~ t



The Bisimulation Game

It’s Amazing…

The Bisimulation Game®

Special Family Edition (w/ TV cables & remote control) Beat your sister at Process Algebra simulation…

“Special Family Edition!”

“The Bisimulation Game”

Only$31,95

The

Bisimulation

Game


(~) BISIMULATION GAMES



The (Strong) Bisimulation Game

Let (Proc, Act, ) be a LTS and s,t Proc

Define 2-player game: [ attacker v defender ] The game is played in “rounds” and the configurations

of the game are (Proc Proc); The game starts (first round) in (s,t) Proc Proc

Intuition (objectives): The defender wants to show that: The attacker wants to show that:

a

s ~ t

s ~ t



Rules of the Bisimulation Game

In round k the players change the current configuration (sk,tk) as follows:

First, the attacker chooses: 1) one of the processes (e.g. tk); i.e., left or right; 2) a legal action from that process: a Act; 3) a legal transition according to the LTS: tk tk+1

Then, the defender chooses: -) a “counter-move” using same action, a: sk sk+1

(sk+1,tk+1) becomes the next round’s configuration…

Winning: If one player (only) cannot move, the other player wins If the game is infinite (repeats configuration), the defender wins

a

a



Game Characterization of (~)

Theorem: States (processes) s and t are not strongly bisimilar

iff the attacker has a universal winning strategy States (processes) s and t are strongly bisimilar

iff the defender has a universal winning strategy

(s ~ t) basically means that: “the ‘perfect attacker’ always wins”

(s ~ t) basically means that:“the ‘perfect defender’ always wins”



Let’s Play…

Let’s play…:

~ / ~ ? show of hands…

~ ’’?

coin . (coke + sprite) coin.coke + coin.sprite ’’

coincoincoin’’

spritespritecoke

coke



Another Game…

Are the following two LTS(/processes) s and t strongly bisimilar: s ~ t ?

There’s a universal attack strategy hence, they are not strongly bisimilar : s ~ t


(~) CONGRUENCE



(~) is a Congruence for CCS

Theorem: Let P and Q be processes such that P ~ Q; then:

.P ~ .Q Act P+R ~ Q+R R Proc R+P ~ R+Q R Proc P|R ~ Q|R R Proc R|P ~ R|Q R Proc P[f] ~ Q[f] f : P(Act) P(Act) relabellings P\a ~ Q\a a Act \ { }

i.e. ‘~’ is a congruence for CCS



Other Properties of (~)

The following properties hold P, Q, R: P+Q ~ Q+P // ‘+’ commutative (P+Q)+R ~ P+(Q+R) // ‘+’ associative P|Q ~ Q|P // ‘|’ commutative (P|Q)|R ~ P|(Q|R) // ‘|’ associative P+0 ~ P // ‘0’ neutral wrt. ‘+’ P|0 ~ P // ‘0’ neutral wrt. ‘|’ ...



Summary: Strong Bisimilarity (~)

Properties of (~): an equivalence relation:

reflexive, symmetric, and transitive

the largest strong bisimulation: for proving bisimilarity (exhibit a bisimulation)

strong bisimulation game: for proving non-bisimilarity (winning attack strategy)

a congruence: P ~ Q => C[P] ~ C[Q]

obeys the following algebraic laws: ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, …


MODEL-CHECKING



Dictionary: “model”

In this course (we use): 3+4 : as in “Model-based design” (designing a model of a concurrent system) 12 : as in “Model-checking” (checking implementation against declarative (logic)

specification)

Main Entry: 1mod·el Pronunciation: 'mä-d&lFunction: nounEtymology: Middle French modelle, from Old Italian modello, from (assumed) Vulgar Latin modellus, from Latin modulus small measure, from modus1 obsolete : a set of plans for a building2 dialect British : COPY, IMAGE3 : structural design <a home on the model of an old farmhouse>4 : a usually miniature representation of something; also : a pattern of something to be made5 : an example for imitation or emulation6 : a person or thing that serves as a pattern for an artist; especially : one who poses for an artist7 : ARCHETYPE8 : an organism whose appearance a mimic imitates9 : one who is employed to display clothes or other merchandise : MANNEQUIN10 a : a type or design of clothing / b : a type or design of product (as a car)11 : a description or analogy used to help visualize something (as an atom) that cannot be directly observed12 : a system of postulates, data, and inferences presented as a mathematical description of an entity or state of affairs13 : VERSION

Webster’s(“model”):



Model-Checking

We have seen verification: In an operational setting:

Check: (spec’ and impl’ are equiv’)

Model-checking Declarative specification ( : logic property)

Check: (impl’ satisfies property )

Declarative (vs. operational): Abstraction: “what instead of how” Stability under reimplementation Easier to read, write, and modify Logic formulae can be very concise

SPEC IMPL

IMPL |-

t,t’’: acq(t) acq(t’’) t’: t<t’<t’’ rel(t’)


CCS TOOLS

Keywords:

- Concurrency Workbench - CCS visualizer and simulator - The Bisimulation Game Game



Concurrency Workbench

[ Concurrency Workbench ]

P

testing (interactive simulation) verification (via logic formulae) dump transition graph (NFA) ...

[ http://homepages.inf.ed.ac.uk/perdita/cwb/summary.html ]

[ /users/courses/dSem/bin/cwb ]



The Concurrency Workbench

CWB:

Recommendation: try it out (before the exam)!

CWB:> input “PandQ.ccs”;

CWB:> sim(P); // run the built-in simulator

CWB:> output “P.graph”; // name output fileCWB:> graph(P); // output for CCS visualizer and simulator

CWB:> strongeq(P,Q); // strong bisimilarityCWB’s answer

CWB:> eq(P,Q); // weak bisimilarityCWB’s answer



CCS Visualizer and Simulator

[ CCS Visualizer and Simulator ]

[ http://www.brics.dk/bisim/ ]

[ /users/courses/dSem/bin/cv ]



The Bisimulation Game

It’s Amazing…

The Bisimulation Game®

Special Family Edition (w/ TV cables & remote control) Beat your sister at Process Algebra simulation…

“Special Family Edition!”

“The Bisimulation Game”

Only$31,95

The

Bisimulation

Game

[ http://www.brics.dk/bisim/ ]



"Three minutes paper"

Please spend three minutes writing down the most important things that you have learned today (now).

After 1 dayAfter 1 week

After 3 weeksAfter 2 weeks

Immediately


Any Questions?

Thanks to Jiří Srba for inspiration to many of the slides

Go home and study; in particular, the Theorem proofs that I didn’t cover atthe lecture (you’ll need them for the exercise classes – …and for the exam)!

Documents

C LAUS B RABRAND S EMANTICS (Q1,’06) O CT 06, 2006 C LAUS B RABRAND © 2005-2006, University of Aarhus [ [email protected] ] [ brabrand