Ioana D. Cristecu, Jean Krivine and Daniele Varacca PPS - Univ

Concurrent systems with negative events

Ioana D. Cristecu, Jean Krivine and Daniele VaraccaPPS - Univ. Paris Diderot

Supported by ANR REVER INS

Friday, December 20, 13

Systems and models

NaturalSystems

DesignedSystems

Physical world Mathematical world

Evolution

Physics

Humain brain Syntax Semantics

Models

Formalism A

Domain Specific Language: when syntax and semantics reflect physical world constraints.


Outline

TransactionalSystems

Physical worldPi-calculus

model

Partial orders

Conf. structures

Denotationalworld

Operationalworld


Outline


Physical world

Distributed consensus

Pi-calculus

model

Partial orders

Conf. structures

Denotationalworld

Operationalworld


Outline


Physical world


Pi-calculus

model

Partial orders

Conf. structures

Groupoid

Signed conf. str.

Negativeevents

Denotationalworld

Operationalworld


Outline


Physical world


Pi-calculus

model

Partial orders

Conf. structures

Reversible pi-calculus

model Groupoid

Signed conf. str.

Negativeevents

Denotationalworld

Operationalworld


Natural consensus


Designed consensus (this talk)

Distributed transaction

plane hotel car

client

webservice 1

webservice 2

web service 3

web service 4

airline 3

hotel 1

car company 2

car company 3

client 1 client 2

hotel 2

hotel 3

hotel 4

car company 1

airline 2

airline 1

Fig. 1. A transaction is performed in a possibly complicated network (left), whereseveral resources may be accessed concurrently by nodes (web services) in charge of asub-transaction. The spec (right) requires exactly one plane, one hotel and one car tobe secured for the client. The web-services that are contacted is not part of this spec.

In the end, the transaction is a success when every node has acquired and securedthe resources it was looking for. In the example of Fig. 1, the transaction is asuccess when the client node has secured exactly 3 resources. Note that whetherthe client has an immediate access to the resources, or whether it secured themvia a web service is irrelevant. We proceed now with a model that abstracts thenotion of nested distributed transactions.

Definition 4 (Transaction state). A (micro) transaction state is representeda tuple s =def ⌥X,F,B,R,A, �, w,�,⇥� where:

– X = F ⌃B⌃R⌃A = {x : tx, y : ty, z : tz, . . . } is a set of (typed) agents withtx, ty, tz, · · · ⇧ T are types.

– F ⇤ X is the set of free agents– B ⇤ X is the set of busy agents– R ⇤ X is the set of ready agents– A ⇤ X is the set of aborting agents– � : X ⇥ T ⌅ N is the cost function that tells how much typed resources an

agent needs to acquire– � ⇤ B ⇥ B is a set of (directed) pairs specifying how agents have booked

each others.– ⇥ ⇤ X⇥X is a set of (directed) pairs specifying the network topology. Note

that this map is not necessarily symmetric.

The satisfaction of agent x for resource t is defined as

sat(x, t) =def �(x, t)� | {y : t | x � y} | (2)


Deadlocks...

P1

P2


Deadlocks...

P1

P2

a1


Deadlocks...

P1

P2

a1 b1


Deadlocks...

P1

P2

eat

a1 b1


Deadlocks...

P1

P2

a1 b1


Deadlocks...

P1

P2

b1


Deadlocks...

P1

P2


Deadlocks...

P1

P2a2


Deadlocks...

P1

P2a2

b1


Deadlocks...

P1

P2a2

b1


Deadlocks...

P1

P2a2

b1

a1 a2b1 b2

;

{a1, b1} {a2, b2}

{a2, b2, eat2}

{a2, b2, eat2, a�2 }

{a2, b2, eat2, a�2 , b�2 }

Partial order given by inclusion


Deadlocks...

P1

P2a2

b1

a1 a2b1 b2

;

{a1, b1} {a2, b2}

{a2, b2, eat2}

{a2, b2, eat2, a�2 }

{a2, b2, eat2, a�2 , b�2 }



Deadlocks...

P1

P2a2

b1

a1 a2b1 b2

;

{a1, b1} {a2, b2}

{a2, b2, eat2}

{a2, b2, eat2, a�2 }

{a2, b2, eat2, a�2 , b�2 }



Deadlocks...

P1

P2

directed

non-confluent

a2

b1

a1 a2b1 b2

;

{a1, b1} {a2, b2}

{a2, b2, eat2}

{a2, b2, eat2, a�2 }

{a2, b2, eat2, a�2 , b�2 }


Two-phase commit


Correctness

We need to add exit strategies out of deadlocks...


Correctness


Commithorizon


Correctness

Not locallydecidable!

(Bougé 80s)


Commithorizon


Correctness

Not locallydecidable!

(Bougé 80s)

We need to add exit strategies out of deadlocks......but this solution cannot denote a distributed implementation!

Commithorizon


Exit strategies

Classical process

critical zone(abort possible)


Exit strategies

Classical process What we suggest...

critical zone(abort possible)

Ergodic exploration

success is locally decidable

Directedcomputation


Negative events

a2, b1a1, b2

a1, b1 a2, b2

a2 b2

a1b1

a1

;

b1

b2

classicalresidual

;

Definition 1 (Stable configuration structures). Let C = hE,Cibe a configuration structure. Say that C is stable if it is:

– rooted: ; 2 C

– connected: 8x 2 C : x 6= ; ) 9e 2 x : x \ {e} 2 C

– closed under bounded union: 8x, y, z 2 C : x[y ✓ z ) x[y 2 C

– closed under bounded intersection: 8x, y, z 2 C : x [ y ✓ z )x \ y 2 C

We can now define a simple residuation operation, adapted fromRef. [5].

Definition 2 (Residuation). Let C = hE,Ci be configuration struc-

ture. For all x 2 C let

R

x

(C) := hE, {u 2 P(E) | 9y 2 C : x ✓ y & u = y\x}i

An alternative definition isRx

(C) := hE, "x\xi with "x := {y 2 C | x ✓ y}.

Property 2. Let C = hE,Ci be a configuration structure:

8x 2 C : C is stable ) R

x

(C) is stable (2)

R;(C) = C (3)

8x 2 C, 8y 2 R

x

(C) : x [ y 2 C & R

y

(Rx

(C)) = R

x[y(C) (4)

3 Signed configuration structures

We extend here the constructs introduced in the previous section todeal with reversible computations. x 2 MZ(E) is a signed configu-

rations (over events in E), represented as a multiset of events withvalues in {�1, 0, 1}. We will use the notation x = {�e, e0, e00} to de-note a multiset containing �1 occurrence of e and one occurrence ofe

0 and e

00. For such multisets we use µx

: E ! {�1, 0, 1} to denote themultiplicity of an event in x. Let � : MZ(E) ⇥MZ(E) ! MZ(E)denote the multiset union and : MZ(E) ⇥MZ(E) ! MZ(E)denote the multiset subtraction, where for all e 2 E:

µ

M0�M1(e) = µ

M0(e) + µ

M1(e)µ

M0 M1(e) = µ

M0(e)� µ

M1(e)


Negative events

a2, b1a1, b2

a1, b1 a2, b2

a2 b2

a1b1

a1

;

b1

b2

classicalresidual

;

Let |.| : MZ(E) ! P(E) denote the support of a signed configura-tion x and let x, y be two signed configurations. Say that x v y if|x| ✓ |y| and for all e 2 x, µ

x

(e) = µ

y

(e). For instance ; v {�e}and ; v {e} but {�e} 6v {e}. Also {�e, e0} v {�e, e0,�e00}. For allsigned configuration x we also use �x to denote the signed configu-ration such that µ

x

(e) := �µ�x

(e).A signed configuration structure is a pair M = hE,Mi where E

is a set of events and M is a set of signed configurations partiallyordered by v.

Definition 3 (Stable signed configuration structures). Let M =hE,Mi be a signed configuration structure. Say that M is stable if it

is:

– rooted: ; 2M

– connected: 8x 2 M : x 6= ; ) 9y 2 M : |x y| = {e} for some

e 2 E.

– closed under bounded sum: 8x, y, z 2M : (x[y) v z ) x[y 2M

– closed under bounded intersection: 8x, y, z 2 M : (x [ y) v z )(x \ y) 2M

where \ and [ denote respectively the multiset intersection and union

operations.

The notion of past of a computation in a signed configurationstructure is derived from the notion of symmetric residuation:

Definition 4 (Symmetric residuation). Let M = hE,Mi be signedconfiguration structure. For all x 2M let

S

x

(M) := hE, {u 2MZ(E) | 9y 2M : u = y x}i

Note that the condition x ✓ y has been dropped and that x y isalways defined for all signed configurations x, y.

Property 3. Let M = hE,Mi be a signed configuration structure:

8x 2 C : M is stable ) S

x

(M) is stable (5)

S;(M) = M (6)

8x 2M : �x 2 S

x

(M) (7)

8x 2M : y 2 S

x

(M)) x� y 2 M & S

y

(Sx

(M)) = S

x�y

(M) (8)


Negative events

a2, b1a1, b2

a1, b1 a2, b2

a2 b2

a1b1

a1

;

b1

b2

�a1

�a1, b1

�a1, a2

�a1, a2, b1

�a1, a2, b2

�a1, b2

Config. structure with a past!;

Let |.| : MZ(E) ! P(E) denote the support of a signed configura-tion x and let x, y be two signed configurations. Say that x v y if|x| ✓ |y| and for all e 2 x, µ

x

(e) = µ

y

(e). For instance ; v {�e}and ; v {e} but {�e} 6v {e}. Also {�e, e0} v {�e, e0,�e00}. For allsigned configuration x we also use �x to denote the signed configu-ration such that µ

x

(e) := �µ�x

(e).A signed configuration structure is a pair M = hE,Mi where E

is a set of events and M is a set of signed configurations partiallyordered by v.

Definition 3 (Stable signed configuration structures). Let M =hE,Mi be a signed configuration structure. Say that M is stable if it

is:

– rooted: ; 2M

– connected: 8x 2 M : x 6= ; ) 9y 2 M : |x y| = {e} for some

e 2 E.

– closed under bounded sum: 8x, y, z 2M : (x[y) v z ) x[y 2M

– closed under bounded intersection: 8x, y, z 2 M : (x [ y) v z )(x \ y) 2M

where \ and [ denote respectively the multiset intersection and union

operations.


Definition 4 (Symmetric residuation). Let M = hE,Mi be signedconfiguration structure. For all x 2M let

S

x

(M) := hE, {u 2MZ(E) | 9y 2M : u = y x}i

Note that the condition x ✓ y has been dropped and that x y isalways defined for all signed configurations x, y.

Property 3. Let M = hE,Mi be a signed configuration structure:

8x 2 C : M is stable ) S

x

(M) is stable (5)

S;(M) = M (6)

8x 2M : �x 2 S

x

(M) (7)

8x 2M : y 2 S

x

(M)) x� y 2 M & S

y

(Sx

(M)) = S

x�y

(M) (8)


Properties

Let |.| : MZ(E) ⇧ P(E) denote the support of a signed configura-tion x and let x, y be two signed configurations. Say that x � y if|x| ⌅ |y| and for all e ⌥ x, µx(e) = µy(e). For instance ↵ � {�e}and ↵ � {e} but {�e} �� {e}. Also {�e, e⇤} � {�e, e⇤,�e⇤⇤}. For allsigned configuration x we also use �x to denote the signed configu-ration such that µx(e) := �µ�x(e).

A signed configuration structure is a pair M = ✓E,M◆ where Eis a set of events and M is a set of signed configurations partiallyordered by �.

Definition 3 (Stable signed configuration structures). Let M =✓E,M◆ be a signed configuration structure. Say that M is stable if itis:

– rooted: ↵ ⌥ M– connected: x ⌥ M : x �= ↵ ⌃ ⌦y ⌥ M : |x ⇤ y| = {e} for some

e ⌥ E.– closed under bounded sum: x, y, z ⌥ M : (x�y) � z ⌃ x�y ⌥ M– closed under bounded intersection: x, y, z ⌥ M : (x � y) � z ⌃

(x ✏ y) ⌥ M

where ✏ and � denote respectively the multiset intersection and unionoperations.


Definition 4 (Symmetric residuation). Let M = ✓E,M◆ be signedconfiguration structure. For all x ⌥ M let

Sx(M) := ✓E, {u ⌥ MZ(E) | ⌦y ⌥ M : u = y ⇤ x}◆

Note that the condition x ⌅ y has been dropped and that x ⇤ y isalways defined for all signed configurations x, y.

Property 3. Let M = ✓E,M◆ be a signed configuration structure:

x ⌥ C : M is stable ⌃ Sx(M) is stable (5)

S⌅(M) = M (6)

x ⌥ M : �x ⌥ Sx(M) (7)

x ⌥ M : y ⌥ Sx(M) ⌃ x⇥ y ⌥ M & Sy(Sx(M)) = Sx⇥y(M) (8)

Corollary 1. Let M = ⌃E,M⌥ be a signed configuration structure.For all x, y ⇤ M :

Sx(M) = Sy(M) ⇥ x = y

Proof. By Prop.7 we have S�y(Sx(M)) = M. Furthermore, by Prop. 8we have S�y⇥x(M) = M and S�y⇥x(M) = S⇤(M) by Prop 6. Hencex = y.

As with classical configuration structures, (symmetric) residu-ation preserves stability of (signed) configurations (Prop. 5). Alsothe residual of M after the empty configuration is just the restric-tion of M to its reachable configurations (Prop. 6). Proposition 7is reminiscent to a classical property of reversible systems statingthat if a computation x can be performed from M then its reversecomputation may occur from Sx(M). This is stated as a loop lemmain the reversible process algebra literature [1, 2, 4, 3]. Note that animportant di�erence here is that loop lemmas hold for computationtraces whereas we shall see that a signed configuration x capturesan equivalence class of traces, namely the equivalence up-to permu-tation and collapse of opposite transitions. Eventually Proposition 8states that the residuation operation defines morphisms of the cat-egory of computation, whose objects are signed configuration struc-ture. By proposition 7, these morphisms are also isos (a concrete wayto build the category of fractions?).

4 Prime event structures

A stable configuration structure C is equivalent to a prime eventstructure E = ⌃E,<,#⌥ in which every e ⇤ E is a complete primeof C and ex < ey if x � y and ex#ey if x ⇧ y ⌅⇤ C. In turn the leftclosed configurations of E denote the domain of configurations C.

It is natural to look at the counterpart of signed configurationin PES terminology. We will see that (stable) signed configurationsstructures denotes +/- PES which are a particular case of labelled(prime) event structure. The residuation operation naturally trans-ports to +/- PES.

Definition 5 (+/- PES). A +/- PES is a tuple E = ⌃E,<,#, �⌥where:

A process with this denotational semantics will have the property :

P Qt

t’iff t~t’


Commitment is Classical residual

�a1

;

b1b2

�a1, b1 �a1, a2

�a1, a2, b1�a1, a2, b2

�a1, b2;

�a1, a2, b2


Operational semantics?

Conf. struct with classical residuals(populated by pi-calculus processes)

With symmetric residuals (populated by Rpi!)


A digression on event structures...

• Stable conf. structures are isomorphic to Prime Event structures

• Symmetric residual preserves stability

• This entails a notion of symmetric residual for PES with negative events


Operational semantics(reduction)

ab.P | a(x).Q ! P | Q{b/x}PiComputation is

dissipative


Operational semantics(reduction)

ab.P | a(x).Q ! P | Q{b/x}Pi

m0(c) = m(a)

m(b) = dwith

explicit subst.

m :ab.P | m0 :c(x).Q $ (i, ab).m :P | (i, c[d/x]).m0 :Q

subst. in m applied to b

RPi

Computation is information preserving!

Computation is dissipative


Example

(ac | bc | c) | a(x).x | b(x).x

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2


Example

(ac | bc | c) | a(x).x | b(x).x

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2


Example

(1, ac) : 0 | bc | c) | (1, a[c/x]) : x | b(x).x

;

�a

c1

b, c1

b

�a, b

�a, b, c2

b, c2


Example

(1, ac) : 0 | (2, bc) : 0 | c) | (1, a[c/x]) : x | (2, b[c/x]) : x

;

�b

c1 c2

�b, c1 �a, c2

�a

�a,�b


What about compositional

semantics?


The classical LTSab.P | a(x).Q ! P | Q{b/x}


The classical LTSab.P | a(x).Q ! P | Q{b/x}


The main issue...

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

c

ac, c bc, c

ac, bc

ac, bc, c

ac | bc | c


The main issue...

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)

Instabilityis bad for

reversibility


The main issue...

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)

Instabilityis bad for

reversibility

This pathviolates causality

(to be made formal)


Correctness criteria

An LTS semantics is a sound abstraction of the reduction semantics iff:

any derived sequence of transitions is the projection of a derived sequence of

reductions

8 P0 !a0 · · · !ak Pk+1

9C0[•] : C0[P0] ! · · · ! Ck+1[Pk+1]

LTS transitions

Reductions


Projection

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)

The path in the “open” system is not the projection of a path in some “closed” system (structural causality violation)...

opensystem...


Projection

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)


opensystem...

... in a closing context


Projection

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)


opensystem...



Projection

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)


opensystem...



Projection

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)


opensystem...



What we need to do

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)

c

ac | bc | c

;

ac bc

ac, c bc, c

ac, bc

ac, bc, c

This inductive step needs to yield a process denoted by a stable configuration structure...

⌫c(•)


Reversible scope extrusion!

open 6=ac | bc | c

⌫c

⌫c

(1, ac) : 0 | bc | c

1

⌫c1

⌫c1

(1, ac) : 0 | (3, bc) : 0 | c

3

⌫c

ac | (3, bc) | c

3

(1, ac) : 0 | bc | (1, 2, c) : 0

⌫c

ac | (3, bc) : 0 | (3, 2, c) : 0

⌫c

⌫c1 3

1 3

(1, ac) : 0 | (3, bc) : 0 | (1, 2, c) : 0

(1, ac) : 0 | (3, bc) : 0 | (3, 2, c) : 0

a(⌫c)

b(⌫c)

b(⌫c)

a(⌫c)

c1

3

c3

b(⌫c)

c1

c3

a(⌫c)



open 6=ac | bc | c

⌫c

⌫c

(1, ac) : 0 | bc | c

1

⌫c1

⌫c1

(1, ac) : 0 | (3, bc) : 0 | c

3

⌫c

ac | (3, bc) | c

3

(1, ac) : 0 | bc | (1, 2, c) : 0

⌫c

ac | (3, bc) : 0 | (3, 2, c) : 0

⌫c

⌫c1 3

1 3

(1, ac) : 0 | (3, bc) : 0 | (1, 2, c) : 0

(1, ac) : 0 | (3, bc) : 0 | (3, 2, c) : 0

a(⌫c)

b(⌫c)

b(⌫c)

a(⌫c)

c1

3

c3

b(⌫c)

c1

c3

a(⌫c)



open 6=ac | bc | c

⌫c

⌫c

(1, ac) : 0 | bc | c

1

⌫c1

⌫c1

(1, ac) : 0 | (3, bc) : 0 | c

3

⌫c

ac | (3, bc) | c

3

(1, ac) : 0 | bc | (1, 2, c) : 0

⌫c

ac | (3, bc) : 0 | (3, 2, c) : 0

⌫c

⌫c1 3

1 3

(1, ac) : 0 | (3, bc) : 0 | (1, 2, c) : 0

(1, ac) : 0 | (3, bc) : 0 | (3, 2, c) : 0

a(⌫c)

b(⌫c)

b(⌫c)

a(⌫c)

c1

3

c3

b(⌫c)

c1

c3

a(⌫c)


About the “close” rule

ac | bc | c

a(x).x

(1, ac) : 0 | bc | c

�c1

(1, a[c/x]) : x

�c

�c1

(1, a[c/x]) : x

�c

(1, ac) : 0 | (3, bc) : 0 | c

3

3

⌧ b(�c)

Synch. between and can only occur if one picks cause at the level of the open rule

c x

1

open

close open

⌫c


The Reversible LTS...B. Dynamics

1) Transitions and transition labels: The label ⇤ of atransition t : R

��⇤ S is a quadruple of the form (i, j, k) : ⇥where i ⇧ I � {⇥} is the identifier of t, j ⇧ I is theinstantiator of i and k ⇧ I is the contextual cause of i.The labels ⇥ are built on the following grammar:

⇥ ::= � | ��

� ::= b(c) | b⌦a↵ | b(�a�)

where b(�a�) corresponds to the bound output of the ⌅calculus, whenever � = ⌃, and otherwise corresponds toa free output, decorated with a set of event identifiers.

For all label ⇥ of the form � or ��, we write subj (⇥) = bif � ⇧ {b(c), b⌦a↵, b(�a�)} for some a. We also writebn(⇥) = {a} whenever � = b⌦�a� ⇤=⌅↵ for some b. Atransition is positive whenever its label is of the form �,and negative if the label is of the form ��. It is derivableif it can be obtained form the LTS presented in the nextsection.

As we already hinted at, R⌅ substitutions are not executeddirectly but simply logged in event labels. As a consequence,processes need to search in their memories for the publicname of a channel in order to check that a synchronizationis possible. Such operation is performed only on demand,when a process is trying to reduce its prefix (see IN+ andOUT+ axioms in Section II-B2).

Definition 2.3 (Public label): For all process of the formm � ⌅.P let m[⌅] be the public label of ⌅. It is defined bylexicographical induction on the pair (⌅,m):

⇧[a] = am[b(c)] = m[b](c)m[b⌦a↵] = m[b]⌦m[a]↵(⌦i, k, b[c/a]↵.m)[a] = c(⌦i, k, b[ /a]↵.m)[a] = a(⌦⌅↵.m)[a] = m[a](e.m)[a] = m[a] otherwise

2) The labelled transition system (LTS): The labelledtransition system of R⌅ can be divided into positive andnegative rules. The negative ones are derived from thepositive ones by inversion (see Definition 2.4). The positive

rules are:

IN+i /⇧ m j = instm(b)

m � b(c).P(i,j,�):m[b(c)]��⌅ ↵i, ⇥, b[⌥/c]�.m � P

OUT+i /⇧ m j = instm(b)

m � b↵a�.P (i,j,�):m[b⇤a⌅]��⌅ ↵i, ⇥, b↵a��.m � P

OPEN+R

(i,j,k):��⌅ R⇥ � = b↵a� ⌦ � = b↵�a�⇥�

�a�R(i,j,k):b⇤⌫a�⌅��⌅ �a�+iR

⇥

CAUSE REF+R

(i,j,k):��⌅ R⇥ a ⇧ subj(�)

�a�R(i,j,k⇥):��⌅ �a�R

⇥[k⇥/k]@i

k = k⇥or

⌥k⇥ ⇧ � k ⇥R k⇥

COM+

R(i,j,k):b⇤a⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ R⇥ � S⇥

[a/c]@i

k =� j⇥

k⇥ =� j

CLOSE+

R(i,j,k):b⇤⌫a�⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ �a�(R

⇥ � S⇥[a/c]@i)

k =� j⇥

k⇥ =� j

with a ⌃⇧ fn(S) whenever � = �

PAR+R

(i,j,k):��⌅ R⇥

R � S(i,j,k):��⌅ R⇥ � S

bn(�) fn(S) = �, i /⇧ S

MEM+R ⇤m S

⇤�⌅ S⇥ ⇤m R⇥

R⇤�⌅ R⇥

NEW+R

⇤�⌅ R⇥

⇤a�R⇤�⌅ ⇤a�R

⇥a /⇧ ⇥

with for all i, j ⇧ I , i =⇥ j if ⇥ ⇧ {i, j} or i = j.

Note that the complete positive LTS contains also thesymmetrical rules for the COM+, CLOSE+ and PAR+ ruleswith respect to the � operator. For lack of space, we do notwrite them explicitly.

The backward rules are derived according to the followingdefinition:

Definition 2.4 (Inverting operation): Let ��1 = �� and(��)�1 = �. Let opp be the operation defined in afunctorial manner on labeled transition systems as:

opp(R(i,j,k):⇥��⌅ S) = S

(i,j,k):⇥�1

��⌅ R

B. Dynamics



⇥ ::= � | ��

� ::= b(c) | b⌦a↵ | b(�a�)







rules are:


m � b(c).P(i,j,�):m[b(c)]��⌅ ↵i, ⇥, b[⌥/c]�.m � P


m � b↵a�.P (i,j,�):m[b⇤a⌅]��⌅ ↵i, ⇥, b↵a��.m � P

OPEN+R

(i,j,k):��⌅ R⇥ � = b↵a� ⌦ � = b↵�a�⇥�

�a�R(i,j,k):b⇤⌫a�⌅��⌅ �a�+iR

⇥

CAUSE REF+R

(i,j,k):��⌅ R⇥ a ⇧ subj(�)

�a�R(i,j,k⇥):��⌅ �a�R

⇥[k⇥/k]@i

k = k⇥or

⌥k⇥ ⇧ � k ⇥R k⇥

COM+

R(i,j,k):b⇤a⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ R⇥ � S⇥

[a/c]@i

k =� j⇥

k⇥ =� j

CLOSE+

R(i,j,k):b⇤⌫a�⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ �a�(R

⇥ � S⇥[a/c]@i)

k =� j⇥

k⇥ =� j


PAR+R

(i,j,k):��⌅ R⇥

R � S(i,j,k):��⌅ R⇥ � S

bn(�) fn(S) = �, i /⇧ S

MEM+R ⇤m S

⇤�⌅ S⇥ ⇤m R⇥

R⇤�⌅ R⇥

NEW+R

⇤�⌅ R⇥

⇤a�R⇤�⌅ ⇤a�R

⇥a /⇧ ⇥





opp(R(i,j,k):⇥��⌅ S) = S

(i,j,k):⇥�1

��⌅ R

... is essentially a decoration of the regular pi-calculus LTS !


The Reversible LTS...B. Dynamics



⇥ ::= � | ��

� ::= b(c) | b⌦a↵ | b(�a�)







rules are:


m � b(c).P(i,j,�):m[b(c)]��⌅ ↵i, ⇥, b[⌥/c]�.m � P


m � b↵a�.P (i,j,�):m[b⇤a⌅]��⌅ ↵i, ⇥, b↵a��.m � P

OPEN+R

(i,j,k):��⌅ R⇥ � = b↵a� ⌦ � = b↵�a�⇥�

�a�R(i,j,k):b⇤⌫a�⌅��⌅ �a�+iR

⇥

CAUSE REF+R

(i,j,k):��⌅ R⇥ a ⇧ subj(�)

�a�R(i,j,k⇥):��⌅ �a�R

⇥[k⇥/k]@i

k = k⇥or

⌥k⇥ ⇧ � k ⇥R k⇥

COM+

R(i,j,k):b⇤a⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ R⇥ � S⇥

[a/c]@i

k =� j⇥

k⇥ =� j

CLOSE+

R(i,j,k):b⇤⌫a�⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ �a�(R

⇥ � S⇥[a/c]@i)

k =� j⇥

k⇥ =� j


PAR+R

(i,j,k):��⌅ R⇥

R � S(i,j,k):��⌅ R⇥ � S

bn(�) fn(S) = �, i /⇧ S

MEM+R ⇤m S

⇤�⌅ S⇥ ⇤m R⇥

R⇤�⌅ R⇥

NEW+R

⇤�⌅ R⇥

⇤a�R⇤�⌅ ⇤a�R

⇥a /⇧ ⇥





opp(R(i,j,k):⇥��⌅ S) = S

(i,j,k):⇥�1

��⌅ R

B. Dynamics



⇥ ::= � | ��

� ::= b(c) | b⌦a↵ | b(�a�)







rules are:


m � b(c).P(i,j,�):m[b(c)]��⌅ ↵i, ⇥, b[⌥/c]�.m � P


m � b↵a�.P (i,j,�):m[b⇤a⌅]��⌅ ↵i, ⇥, b↵a��.m � P

OPEN+R

(i,j,k):��⌅ R⇥ � = b↵a� ⌦ � = b↵�a�⇥�

�a�R(i,j,k):b⇤⌫a�⌅��⌅ �a�+iR

⇥

CAUSE REF+R

(i,j,k):��⌅ R⇥ a ⇧ subj(�)

�a�R(i,j,k⇥):��⌅ �a�R

⇥[k⇥/k]@i

k = k⇥or

⌥k⇥ ⇧ � k ⇥R k⇥

COM+

R(i,j,k):b⇤a⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ R⇥ � S⇥

[a/c]@i

k =� j⇥

k⇥ =� j

CLOSE+

R(i,j,k):b⇤⌫a�⌅��⌅ R⇥ S

(i,j⇥,k⇥):b(c)��⌅ S⇥

R � S(i,�,�):⌅��⌅ �a�(R

⇥ � S⇥[a/c]@i)

k =� j⇥

k⇥ =� j


PAR+R

(i,j,k):��⌅ R⇥

R � S(i,j,k):��⌅ R⇥ � S

bn(�) fn(S) = �, i /⇧ S

MEM+R ⇤m S

⇤�⌅ S⇥ ⇤m R⇥

R⇤�⌅ R⇥

NEW+R

⇤�⌅ R⇥

⇤a�R⇤�⌅ ⇤a�R

⇥a /⇧ ⇥





opp(R(i,j,k):⇥��⌅ S) = S

(i,j,k):⇥�1

��⌅ R

... is essentially a decoration of the regular pi-calculus LTS !

id(e) = id(e′), in which case (e, e′) forms a synchronisationpair.

B. Dynamics

1) Transitions and transition labels: The label ζ of atransition t : R

ζ−→ S is a quadruple of the form (i, j, k) : γwhere i ∈ I − {∗} is the identifier of t, j ∈ I is theinstantiator of i and k ∈ I is the contextual cause of i.The labels γ are built on the following grammar:

γ ::= α | α−α ::= b(c) | b〈a〉 | b(νaΓ)

where b(νaΓ) corresponds to the bound output of the π-calculus, whenever Γ = ∅, and otherwise corresponds to afree output, decorated with a set of event identifiers.

For all labels γ of the form α or α−, we write subj (γ) = bif α ∈ {b(c), b〈a〉, b(νaΓ)} for some a. We also writebn(γ) = {a} whenever α = b〈νaΓ#=∅〉 for some b. Atransition is positive whenever its label is of the form α,and negative if the label is of the form α−. It is derivableif it can be obtained from the LTS presented in the nextsection.

As we already hinted at, Rπ substitutions are not executeddirectly but simply logged in event labels. As a consequence,processes need to search in their memories for the publicname of a channel in order to check that a synchronisationis possible. Such operation is performed only on demand,when a process is trying to reduce its prefix (see IN+ andOUT+ axioms in Section II-B2).

Definition 2.3 (Public label): For all process of the formm ! π.P let m[π] be the public label of π. It is defined bylexicographical induction on the pair (π,m):

ε[a] = am[b(c)] = m[b](c)m[b〈a〉] = m[b]〈m[a]〉(〈i, k, b[c/a]〉.m)[a] = c(〈i, k, b[&/a]〉.m)[a] = a(〈↑〉.m)[a] = m[a](e.m)[a] = m[a] otherwise

2) The labelled transition system (LTS): The labelledtransition system of Rπ can be divided into positive andnegative rules. The negative ones are derived from thepositive ones by inversion (see Definition 2.4). The positiverules are presented in Table I, where for i, j ∈ I , i =∗ jmeans ∗ ∈ {i, j} or i = j.

Note that the complete positive LTS contains also thesymmetrical rules for the COM+, CLOSE+ and PAR+ ruleswith respect to the ‖ operator. For lack of space, we do notwrite them explicitly.


IN+i /∈ m j = instm(b)

m ! b(c).P(i,j,∗):m[b(c)]−−−−−−−−−→ 〈i, ∗, b[!/c]〉.m ! P

OUT+i /∈ m j = instm(b)

m ! b〈a〉.P (i,j,∗):m[b〈a〉]−−−−−−−−−→ 〈i, ∗, b〈a〉〉.m ! P

OPEN+R

(i,j,k):α−−−−−→ R′ α = b〈a〉 ∨ α = b〈νaΓ′〉

νaΓR(i,j,k):b〈νaΓ〉−−−−−−−−−→ νaΓ+iR

′

CAUSE REF+R

(i,j,k):α−−−−−→ R′ a ∈ subj(α)

νaΓR(i,j,k′):α−−−−−−→ νaΓR

′[k′/k]@i

k = k′ or∃k′ ∈ Γ k "R k′

COM+

R(i,j,k):b〈a〉−−−−−−−→ R′ S

(i,j′,k′):b(c)−−−−−−−−→ S′

R ‖ S(i,∗,∗):τ−−−−−→ R′ ‖ S′[a/c]@i

k =∗ j′

k′ =∗ j

CLOSE+

R(i,j,k):b〈νaΓ〉−−−−−−−−−→ R′ S

(i,j′,k′):b(c)−−−−−−−−→ S′

R ‖ S(i,∗,∗):τ−−−−−→ νaΓ(R

′ ‖ S′[a/c]@i)

k =∗ j′

k′ =∗ j

with a *∈ fn(S) whenever Γ = ∅

PAR+R

(i,j,k):α−−−−−→ R′

R ‖ S(i,j,k):α−−−−−→ R′ ‖ S

bn(α) ∩ fn(S) = ∅, i /∈ S

MEM+R ≡m S

ζ−→ S′ ≡m R′

Rζ−→ R′

NEW+R

ζ−→ R′

νaΓRζ−→ νaΓR

′a /∈ ζ

Table ITHE POSITIVE RULES OF THE LTS

Definition 2.4 (Inverting operation): Let α−1 = α− and(α−)−1 = α. Let opp be the operation defined in afunctorial manner on labelled transition systems:

opp(R(i,j,k):γ−−−−−→ S) = S

(i,j,k):γ−1

−−−−−−−→ R

and on derivation rules:

opp

Rζ−→ S

R′ζ′−→ S′

=opp(R

ζ−→ S)

opp(R′ζ′−→ S′)

opp

R1ζ1−→ S1 R2

ζ2−→ S2

Tζ′−→ T ′

=

opp(R1ζ1−→ S1) opp(R2

ζ2−→ S2)

opp(Tζ′−→ T ′)

391Friday, December 20, 13

What we have seen (1/2)



P1

P2

eata1 b1

a2

b1

Computationsof a distributed system...



P1

P2

eata1 b1

a2

b1


...can be modeled in an algebra whose trajectories

are denoted by partial orders...

in which deadlocks are apparent



P1

P2

eata1 b1

a2

b1


...can be modeled in an algebra whose trajectories

are denoted by partial orders...

in which deadlocks are apparent

... if one can define processes whose

transitions are reversible....

...one can exchange deadlocks for livelocks (which disappear with

fairness)...





;

�b

c1 c2

�b, c1 �a, c2

�a

�a,�b

...so we defined a process algebra with memories...

(1, ac) : 0 | (2, bc) : 0 | c) | (1, a[c/x]) : x | (2, b[c/x]) : x

...whose transitions correspond to having

symmetric residuals in the corresponding partial order



;

�b

c1 c2

�b, c1 �a, c2

�a

�a,�b

...so we defined a process algebra with memories...

(1, ac) : 0 | (2, bc) : 0 | c) | (1, a[c/x]) : x | (2, b[c/x]) : x

...whose transitions correspond to having

symmetric residuals in the corresponding partial order

;

a b

a, c1 b, c1a, b

a, b, c1 a, b, c2

⌫c(ac | bc | c) | a(x).x | b(x).x

;

bc

ac, c bc, c

ac, bc

ac, bc, c

⌫c(ac | bc | c)

...this reversible process algebra can be compositionally defined...

...although the naïve approach fails


The REVER project

• Denotational semantics for the pi-calculus

• Reversible abstract machine

• Corresponding bisimulation

• Proof technique (transactional theorem)

• and we are hiring post-docs...



Documents

Ioana D. Cristecu, Jean Krivine and Daniele Varacca PPS - Univ