Lecture Notes in Computer Science
6269
Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison, UK Josef Kittler, UK Alfred Kobsa, USA John C. Mitchell, USA Oscar Nierstrasz, Switzerland Bernhard Steffen, Germany Demetri Terzopoulos, USA Gerhard Weikum, Germany
Takeo Kanade, USA Jon M. Kleinberg, USA Friedemann Mattern, Switzerland Moni Naor, Israel C. Pandu Rangan, India Madhu Sudan, USA Doug Tygar, USA
Advanced Research in Computing and Software Science Subline of Lecture Notes in Computer Science Subline Series Editors Giorgio Ausiello, University of Rome ‘La Sapienza’, Italy Vladimiro Sassone, University of Southampton, UK
Subline Advisory Board Susanne Albers, University of Freiburg, Germany Benjamin C. Pierce, University of Pennsylvania, USA Bernhard Steffen, University of Dortmund, Germany Madhu Sudan, Microsoft Research, Cambridge, MA, USA Deng Xiaotie, City University of Hong Kong Jeannette M. Wing, Carnegie Mellon University, Pittsburgh, PA, USA
Paul Gastin François Laroussinie (Eds.)
CONCUR 2010 – Concurrency Theory
21st International Conference, CONCUR 2010
Paris, France, August 31 – September 3, 2010
Proceedings
Volume Editors

Paul Gastin
Laboratoire Spécification et Vérification (LSV)
ENS de Cachan & CNRS
94235 Cachan cedex, France
Email: [email protected]

François Laroussinie
LIAFA, Université Paris Diderot
75205 Paris cedex 13, France
Email: [email protected]

Library of Congress Control Number: 2010933357
CR Subject Classification (1998): D.2, F.3, C.2, D.3, H.4, D.2.4
LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues
ISSN 0302-9743
ISBN-10 3-642-15374-7 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-15374-7 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com

© Springer-Verlag Berlin Heidelberg 2010
Printed in Germany

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 06/3180 543210
Preface
This volume contains the proceedings of the 21st Conference on Concurrency Theory (CONCUR 2010), held in Paris at the Université Denis Diderot, August 31–September 3, 2010. CONCUR 2010 was organized by CNRS, INRIA, ENS Cachan and the Université Denis Diderot.
The purpose of the CONCUR conference is to bring together researchers, developers, and students in order to advance the theory of concurrency and promote its applications. The principal topics include basic models of concurrency such as abstract machines, domain-theoretic models, game-theoretic models, process algebras, and Petri nets; logics for concurrency such as modal logics, probabilistic and stochastic logics, temporal logics, and resource logics; models of specialized systems such as biology-inspired systems, circuits, hybrid systems, mobile and collaborative systems, multi-core processors, probabilistic systems, real-time systems, service-oriented computing, and synchronous systems; verification and analysis techniques for concurrent systems such as abstract interpretation, atomicity checking, model checking, race detection, preorder and equivalence checking, run-time verification, state-space exploration, static analysis, synthesis, testing, theorem proving, and type systems; and related programming models such as distributed, component-based, object-oriented, and Web services.
This edition of the conference attracted 107 submissions. We wish to thank all the authors for their interest in CONCUR 2010. After careful discussions, the Program Committee selected 35 papers for presentation at the conference. Each submission was refereed by three reviewers, who delivered detailed and insightful comments and suggestions. The conference chairs warmly thank all the members of the Program Committee and all their referees for the excellent support they gave, as well as for the friendly and constructive discussions.
We would also like to thank the authors for having revised their papers to address the comments and suggestions of the referees. The conference program was enriched by outstanding invited talks by:
– Frank S. de Boer (CWI, Amsterdam, The Netherlands)
– Maurice Herlihy (Brown University, Providence, USA)
– Holger Hermanns (Saarland University, Saarbrücken, Germany)
– Anca Muscholl (LaBRI, University Bordeaux 1, France)
– Vladimiro Sassone (ECS, University of Southampton, UK)
The conference this year was co-located with the 17th International Symposium on Temporal Representation and Reasoning (TIME 2010). Additionally, CONCUR 2010 included the following satellite workshops:
– Structural Operational Semantics (SOS 2010)
– Expressiveness in Concurrency (EXPRESS 2010)
– Security in Concurrency (SecCo 2010)
– Foundations of Interface Technologies (FIT 2010)
– GASICS Workshop on Games for Design, Verification and Synthesis
– Foundations of Coordination Languages and Software Architectures (FOCLASA 2010)
– International Workshop on Distributed Open and Timed Systems (DOTS 2010)
– Young Researchers Workshop on Concurrency Theory (YR-CONCUR)
We would like to thank all the people who contributed to the success of CONCUR 2010, in particular the Organizing Committee and the administrative staff. We gratefully acknowledge the generous support from Digiteo, Région Île-de-France, CNRS, INRIA, ENS Cachan, the Ministère de l'enseignement supérieur et de la recherche, and the Université Denis Diderot – Paris 7. We are also grateful to Andrei Voronkov for his excellent EasyChair conference system, which we used for the electronic submission of papers, the refereeing process, and the Program Committee work.

June 2010
Paul Gastin
François Laroussinie
Conference Organization
Program Chairs
Paul Gastin (LSV, ENS Cachan, France)
François Laroussinie (LIAFA, Université Denis Diderot – Paris 7, France)
Program Committee
Martín Abadi (UC Santa Cruz and Microsoft Research, CA, USA)
Parosh Abdulla (Uppsala University, Sweden)
Jos Baeten (Eindhoven University of Technology, The Netherlands)
Steffen van Bakel (Imperial College London, UK)
Julian Bradfield (University of Edinburgh, UK)
Luís Caires (Universidade Nova de Lisboa, Portugal)
Luca Cardelli (Microsoft Research Cambridge, UK)
Vincent Danos (University of Edinburgh, UK)
Daniele Gorla (Università di Roma “La Sapienza”, Italy)
Anna Ingólfsdóttir (Reykjavik University, Iceland)
Petr Jančar (Technical University of Ostrava, Czech Republic)
Joost-Pieter Katoen (RWTH Aachen University, Germany, and University of Twente, The Netherlands)
Kim Larsen (Aalborg University, Denmark)
Nancy Lynch (Massachusetts Institute of Technology, USA)
Ugo Montanari (Università di Pisa, Italy)
Markus Müller-Olm (Münster University, Germany)
K. Narayan Kumar (Chennai Mathematical Institute, India)
Catuscia Palamidessi (LIX, INRIA, France)
Prakash Panangaden (McGill School of Computer Science, Canada)
Wojciech Penczek (IPI PAN, University of Podlasie, Poland)
Shaz Qadeer (Microsoft Research Redmond, WA, USA)
Jan Rutten (CWI, The Netherlands)
Roberto Segala (Università di Verona, Italy)
P.S. Thiagarajan (National University of Singapore)
Walter Vogler (University of Augsburg, Germany)
Steering Committee
Roberto Amadio (PPS, Université Paris Diderot – Paris 7, France)
Jos Baeten (Eindhoven University of Technology, The Netherlands)
Eike Best (Carl von Ossietzky Universität Oldenburg, Germany)
Kim Larsen (Aalborg University, Denmark)
Ugo Montanari (Università di Pisa, Italy)
Scott Smolka (SUNY, Stony Brook University, USA)
Organizing Committee
Benedikt Bollig (LSV, CNRS, France)
Stefan Haar (LSV, INRIA, France)
Florian Horn (LIAFA, CNRS, France)
Stefan Schwoon (LSV, INRIA, France)
Olivier Serre (LIAFA, CNRS, France)
Mihaela Sighireanu (LIAFA, Université Denis Diderot – Paris 7, France)
External Reviewers
Roberto M. Amadio, Suzana Andova, Tadashi Araragi, Farhad Arbab, Mohamed Faouzi Atig, Franco Barbanera, Massimo Bartoletti, Emmanuel Beffara, Nick Benton, Josh Berdine, Marco Bernardo, Nathalie Bertrand, Dietmar Berwanger, Chiara Bodei, Frank S. de Boer, Bernard Boigelot, Benedikt Bollig,
Filippo Bonchi, Tomáš Brázdil, Franck van Breugel, Václav Brožek, Roberto Bruni, Marco Carbone, Pietro Cenciarelli, Taolue Chen, Yu-Fang Chen, Corina Cîrstea, Dave Clarke, Thomas Colcombet, Alejandro Cornejo, Flavio Corradini, Pedro R. D'Argenio, Ugo de'Liguoro, Stéphane Demri,
Yuxin Deng, Rocco De Nicola, Mariangiola Dezani, Maria Rita Di Berardini, Alessandro D'Innocenzo, Lucas Dixon, Laurent Doyen, Deepak D'Souza, Jérémy Dubreil, Ross Duncan, Tayfun Elmas, Javier Esparza, Yuan Feng, Jérôme Feret, Bernd Finkbeiner, Cormac Flanagan, Vojtěch Forejt, Martin Fränzle, Carsten Fritz, Fabio Gadducci, Philippa Gardner, Simon Gay, Blaise Genest, Nargess Ghahremani, Marco Giunti, Stefan Göller, Alexey Gotsman, Carlos Gregorio-Rodríguez, Marcus Groesser, Julian Gutierrez, Peter Habermehl, Serge Haddad, Frédéric Haziza, Thomas Hildebrandt, Peter Höfner, Espen Højsgaard, Lukáš Holík, Chih-Duo Hong, Hans Hüttel, Radha Jagadeesan,
Agata Janowska, Mariusz Jarocki, Christophe Joubert, Bartek Klin, Michal Knapik, Alexander Knapp, Sophia Knight, Natallia Kokash, Barbara König, Beata Konikowska, Martin Kot, Christian Krause, Jean Krivine, Dietrich Kuske, Akash Lal, Peter Lammich, Mikkel Larsen Pedersen, Jérôme Leroux, Jean-Jacques Lévy, Xinxin Liu, Kamal Lodaya, Michele Loreti, Étienne Lozes, Bas Luttik, Pasquale Malacaria, Radu Mardare, Nicolas Markey, Jasen Markovski, Tomáš Masopust, Mieke Massink, Richard Mayr, Antoni Mazurkiewicz, Damiano Mazza, Frank McSherry, Alexandru Mereacre, Massimo Merro, Roland Meyer, Marino Miculan, Rémi Morin, Madan Musuvathi,
Wojtek Nabialek, Sebastian Nanz, Daniel Neider, Calvin Newport, Dejan Ničković, Artur Niewiadomski, Thomas Noll, Gethin Norman, Jan Obdržálek, Petur Olsen, Rotem Oshman, Luca Padovani, David Parker, Jorge A. Perez, Iain Phillips, Sophie Pinchinat, Nir Piterman, Sanjiva Prasad, Rosario Pugliese, Paola Quaglia, Sriram Rajamani, R. Ramanujam, António Ravara, Ahmed Rezine, Paul Ruet, Joshua Sack, Arnaud Sangnier, Ivano Salvo, Davide Sangiorgi, Zdeněk Sawa, Jens-Wolfhard Schicke, Alan Schmitt, Sven Schneider, Stefan Schwoon, Anil Seth, Jaroslav Ševčík, Ali Sezgin, Mihaela Sighireanu, Alexandra Silva, Robert Simmons,
Anu Singh, Satnam Singh, Paweł Sobociński, Ana Sokolova, Monika Solanki, Jeremy Sproston, Jiří Srba, Christian Stahl, Jan Strejček, Georg Struth, Rong Su, Kohei Suenaga, Jun Sun, S.P. Suresh, Maciej Szreter, Andrzej Tarlecki, Claus Thrane, Francesco Tiezzi, Frank Valencia, Björn Victor, Hugo Vieira, Saleem Vighio, Maria Grazia Vigliotti, Erik de Vink, Marc Voorhoeve, Igor Walukiewicz, Alexander Wenner, Józef Winkowski, Verena Wolf, Weng-Fai Wong, Bożena Woźna-Szcześniak, Tobias Wrigstad, Alex Yakovlev, Nobuko Yoshida, Kenneth Yrke Jørgensen, Gianluigi Zavattaro, Marc Zeitoun, Lijun Zhang
Table of Contents
Dating Concurrent Objects: Real-Time Modeling and Schedulability Analysis (Invited Talk) . . . . . 1
Frank S. de Boer, Mohammad Mahdi Jaghoori, and Einar Broch Johnsen

Applications of Shellable Complexes to Distributed Computing (Invited Talk) . . . . . 19
Maurice Herlihy
Concurrency and Composition in a Stochastic World (Invited Talk) . . . . . 21
Christian Eisentraut, Holger Hermanns, and Lijun Zhang

Taming Distributed Asynchronous Systems (Invited Talk) . . . . . 40
Anca Muscholl

Trust in Anonymity Networks (Invited Talk) . . . . . 48
Vladimiro Sassone, Sardaouna Hamadou, and Mu Yang
Learning I/O Automata . . . . . 71
Fides Aarts and Frits Vaandrager

Constrained Monotonic Abstraction: A CEGAR for Parameterized Verification . . . . . 86
Parosh Aziz Abdulla, Yu-Fang Chen, Giorgio Delzanno, Frédéric Haziza, Chih-Duo Hong, and Ahmed Rezine

Information Flow in Interactive Systems . . . . . 102
Mário S. Alvim, Miguel E. Andrés, and Catuscia Palamidessi

From Multi to Single Stack Automata . . . . . 117
Mohamed Faouzi Atig
A Geometric Approach to the Problem of Unique Decomposition of Processes . . . . . 132
Thibaut Balabonski and Emmanuel Haucourt

A Logic for True Concurrency . . . . . 147
Paolo Baldan and Silvia Crafa

A Theory of Design-by-Contract for Distributed Multiparty Interactions . . . . . 162
Laura Bocchi, Kohei Honda, Emilio Tuosto, and Nobuko Yoshida

Bisimilarity of One-Counter Processes Is PSPACE-Complete . . . . . 177
Stanislav Böhm, Stefan Göller, and Petr Jančar
Nash Equilibria for Reachability Objectives in Multi-player Timed Games . . . . . 192
Patricia Bouyer, Romain Brenguier, and Nicolas Markey

Stochastic Real-Time Games with Qualitative Timed Automata Objectives . . . . . 207
Tomáš Brázdil, Jan Krčál, Jan Křetínský, Antonín Kučera, and Vojtěch Řehák

Session Types as Intuitionistic Linear Propositions . . . . . 222
Luís Caires and Frank Pfenning

Session Types for Access and Information Flow Control . . . . . 237
Sara Capecchi, Ilaria Castellani, Mariangiola Dezani-Ciancaglini, and Tamara Rezk
Simulation Distances . . . . . 253
Pavol Černý, Thomas A. Henzinger, and Arjun Radhakrishna

Mean-Payoff Automaton Expressions . . . . . 269
Krishnendu Chatterjee, Laurent Doyen, Herbert Edelsbrunner, Thomas A. Henzinger, and Philippe Rannou

Obliging Games . . . . . 284
Krishnendu Chatterjee, Florian Horn, and Christof Löding

Multipebble Simulations for Alternating Automata (Extended Abstract) . . . . . 297
Lorenzo Clemente and Richard Mayr

Parameterized Verification of Ad Hoc Networks . . . . . 313
Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro

Termination in Impure Concurrent Languages . . . . . 328
Romain Demangeon, Daniel Hirschkoff, and Davide Sangiorgi

Buffered Communication Analysis in Distributed Multiparty Sessions . . . . . 343
Pierre-Malo Deniélou and Nobuko Yoshida

Efficient Bisimilarities from Second-Order Reaction Semantics for π-Calculus . . . . . 358
Pietro Di Gianantonio, Svetlana Jakšić, and Marina Lenisa

On the Use of Non-deterministic Automata for Presburger Arithmetic . . . . . 373
Antoine Durand-Gasselin and Peter Habermehl

Reasoning about Optimistic Concurrency Using a Program Logic for History . . . . . 388
Ming Fu, Yong Li, Xinyu Feng, Zhong Shao, and Yu Zhang
Theory by Process . . . . . 403
Yuxi Fu

On the Compositionality of Round Abstraction . . . . . 417
Dan R. Ghica and Mohamed N. Menaa

A Linear Account of Session Types in the Pi Calculus . . . . . 432
Marco Giunti and Vasco T. Vasconcelos

Generic Forward and Backward Simulations II: Probabilistic Simulation . . . . . 447
Ichiro Hasuo

Kleene, Rabin, and Scott Are Available . . . . . 462
Jochen Hoenicke, Roland Meyer, and Ernst-Rüdiger Olderog

Reversing Higher-Order Pi . . . . . 478
Ivan Lanese, Claudio Antares Mezzina, and Jean-Bernard Stefani

Modal Logic over Higher Dimensional Automata . . . . . 494
Cristian Prisacariu

A Communication Based Model for Games of Imperfect Information . . . . . 509
R. Ramanujam and Sunil Simon

Flat Coalgebraic Fixed Point Logics . . . . . 524
Lutz Schröder and Yde Venema

Conditional Automata: A Tool for Safe Removal of Negligible Events . . . . . 539
Roberto Segala and Andrea Turrini

Representations of Petri Net Interactions . . . . . 554
Paweł Sobociński

Communicating Transactions (Extended Abstract) . . . . . 569
Edsko de Vries, Vasileios Koutavas, and Matthew Hennessy

Consistent Correlations for Parameterised Boolean Equation Systems with Applications in Correctness Proofs for Manipulations . . . . . 584
Tim A.C. Willemse

Author Index . . . . . 599
Dating Concurrent Objects: Real-Time Modeling and Schedulability Analysis

Frank S. de Boer 1,2, Mohammad Mahdi Jaghoori 1,2, and Einar Broch Johnsen 3

1 CWI, Amsterdam, The Netherlands
2 LIACS, Leiden, The Netherlands
3 University of Oslo, Norway
Abstract. In this paper we introduce a real-time extension of the concurrent object modeling language Creol which is based on duration statements indicating best- and worst-case execution times and deadlines. We show how to analyze schedulability of an abstraction of real-time concurrent objects in terms of timed automata. Further, we introduce techniques for testing the conformance between these behavioral abstractions and the executable semantics of Real-Time Creol in Real-Time Maude. As a case study we model and analyze the schedulability of thread pools in an industrial communication platform.
1 Introduction
In the object-oriented modeling language Creol [9,3], objects are concurrent; i.e., conceptually, each object encapsulates its own processor. Therefore, each object has a single thread of execution. Creol objects communicate by asynchronous message passing. The message queue is implicit in the objects. Furthermore, the scheduling policy is underspecified; i.e., messages in the queue are processed in a nondeterministic order. The running method can voluntarily release the processor using special primitives, allowing another message to be scheduled. For example, a method can test whether an asynchronous call has been completed, and if not, release the processor, thus modeling synchronous calls.
In this paper we extend Creol with real-time information about the deadlines of messages and the best- and worst-case execution times of the (sequential) control statements. We formalize the semantics of Real-Time Creol with respect to given intra-object scheduling policies in the real-time extension of Maude [5]. This formalization of a Real-Time Creol model provides a refinement of the underlying untimed model in the sense that it only restricts its behaviors.
Schedulability analysis. In general, analyzing the schedulability of a real-time system consists of checking whether all tasks are accomplished within their deadlines.
This research is partly funded by the EU projects IST-33826 CREDO: Modeling and Analysis of Evolutionary Structures for Distributed Services (http://credo.cwi.nl) and FP7-231620 HATS: Highly Adaptable and Trustworthy Software using Formal Methods (http://www.hats-project.eu).
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 1–18, 2010.
© Springer-Verlag Berlin Heidelberg 2010
We employed automata theory in our previous work [7,8] to provide a high-level framework for modular schedulability analysis of concurrent objects. In order to analyze the schedulability of an open system of concurrent objects, we need some assumptions about the real-time arrival patterns of the incoming messages; in our framework, these are captured by the timed automata [1] modeling the behavioral interface of the open system. A behavioral interface captures the overall real-time input/output behavior of an object while abstracting from its detailed implementation in its methods; a deadline is assigned to each message, specifying the time before which the corresponding method has to be completed. Further, we use timed automata to describe an abstraction of the system of objects itself, including its message queues and a given scheduling policy (e.g., Earliest Deadline First). The analysis of the schedulability of an open system of concurrent objects can then be reduced to model checking a timed automaton describing the interactions between the behavioral abstraction of the system and its behavioral interface (representing the environment).
Conformance. We test conformance between the Real-Time Creol model of an open system of concurrent objects and its behavioral abstraction in timed automata with respect to a given behavioral interface. Our method is based on generating a timed trace (i.e., a sequence of time-stamped messages) from the automaton constructed from the behavioral abstraction and interface. Using model-checking techniques, we next generate for each time specified in the trace additional real-time information about all possible observable messages. This additional information allows us to find counterexamples to the conformance. To do so, we use the Real-Time Maude semantics as a language interpreter to execute the Real-Time Creol model driven by the given trace.
Then we look for counterexamples by incrementally searching the execution space for possible timed observations that are not covered in the extended timed trace.
Case study. Thread pools are an important design pattern used frequently in industrial practice to increase the throughput and responsiveness of software systems, as for instance in the ASK system [2]. The ASK system is an industrial communication platform providing mechanisms for matching users requiring information or services with potential suppliers. A thread pool administrates a collection of computation units referred to as threads and assigns tasks to them. This administration includes the dynamic creation or removal of such units, as well as scheduling the tasks based on a given strategy like 'first come, first served' or priority-based scheduling. The abstraction from the internal message queue of each object and the related scheduling policies is one of the most important characteristics of Creol, which allows for abstractly modeling a variety of thread pools. In this paper, we give an example of an abstract Creol model of a basic pool where the threads share the task queue. The shared task queue is naturally represented implicitly inside a Creol object (called a resource pool) that basically forwards the queued tasks to its associated threads, also represented as Creol objects. We associate real-time information to the tasks concerning their deadlines and best- and worst-case execution times.
We perform schedulability analysis on a network of timed automata constructed from the automata abstraction and behavioral interface of the thread pool model in order to verify whether tasks are performed within their deadlines. In the context of the ASK system, schedulability ensures that the response times for service requests are always bounded by the deadlines. We use Uppaal [12] for this purpose. Further, we test conformance between the Real-Time Creol model of a thread pool and its behavioral abstractions as described above.
Related work. We extend Creol with explicit scheduling strategies and a duration statement to specify execution delays. CreolRT [11] is another real-time extension of Creol with clocks and timeouts. Our work follows a descriptive approach to specifying real-time information suitable for schedulability analysis, whereas the prescriptive nature of time in CreolRT can affect the functional behavior of an object. Schedulability analysis in this paper can be seen as the continuation of our previous work [7] on modular analysis of a single-threaded concurrent object with respect to its behavioral interface. In this paper, we extend the schedulability analysis to an open system of concurrent objects in a way similar to [4]. The work of [6,10] is based on extracting automata from code for schedulability analysis. However, they deal with programming languages, and timings are usually obtained by profiling the real system. Our work is applied to high-level models. Therefore, our main focus is on studying different scheduling policies and design decisions. We test conformance between a Creol implementation and abstract automata models.
Our notion of conformance is similar to tioco introduced by Schmaltz and Tretmans [16,15], but we do not directly work with timed input/output transition systems; an innovation of our work is dealing with conformance between different formalisms, namely Creol semantics in rewrite logic on one hand and timed automata on the other hand. Furthermore, we focus on generating counterexamples during testing along the lines of our previous work [8], which is novel in testing.
Outline. The real-time extension of the concurrent object language Creol is explained in Section 2. As explained in Section 3, abstract models of concurrent objects, specified in timed automata, are analyzed for schedulability. To be able to argue about the schedulability of Real-Time Creol models, we need to establish conformance between our Creol and automata models; this is explained in Section 4. We conclude in Section 5.
2 Concurrent Objects in Real-Time Creol
Creol is an abstract behavioral modeling language for distributed active objects, based on asynchronous method calls and processor release points. In Creol, objects conceptually have dedicated processors and live in a distributed environment with asynchronous and unordered communication between objects. Communication is between named objects by means of asynchronous method calls;
Syntactic categories:
g in Guard, s in Stmt, x in Var, e in Expr, o in ObjExpr, b in BoolExpr, d in Time

Definitions:
IF ::= interface I { [Sg] }
CL ::= class C [(I x)] [implements I] { [I x;] M }
Sg ::= I m ([I x])
M ::= Sg { [I x;] s }
g ::= b | x? | g ∧ g | g ∨ g
s ::= x := e | x := e.get | skip | release | await g | return e | s; s | [o]!m(e, d) | if b then { s } else { s } | duration(d, d)
e ::= x | o | b | new C(e) | [o]!m(e, d) | this | deadline

Fig. 1. Syntax of the Real-Time Creol kernel. Terms such as e and x denote lists over the corresponding syntactic categories, and square brackets denote optional elements.
these may be seen as triggers of concurrent activity, resulting in new activities (tasks) in the called object. Objects are dynamically created instances of classes; declared attributes are initialized to some arbitrary type-correct values. An optional init method may be used to redefine the attributes during object creation. An object has a set of tasks to be executed, which stem from method activations. Among these, at most one task is active and the others are suspended on a task queue. The scheduling of tasks is by default nondeterministic, but controlled by processor release points in a cooperative way. Creol is strongly typed: for well-typed programs, invoked methods are supported by the called object (when not null), such that formal and actual parameters match. In this paper, programs are assumed to be well-typed. This section introduces Real-Time Creol, explaining Creol constructs (for further details, see, e.g., [9,3]) and their relation to real-time scheduling policies.
Figure 1 gives the syntax for a kernel of Real-Time Creol, extending a subset of Creol (omitting, e.g., inheritance). A program consists of interface and class definitions and a main method to configure the initial state. Let C, I, and m be in the syntactic category of Names. IF defines an interface with name I and method signatures Sg. A class implements a list I of interfaces, specifying types for its instances. CL defines a class with name C, interfaces I, class parameters and state variables x (of types I), and methods M. (The attributes of the class are both its parameters and state variables.) A method signature Sg declares the return type I of a method with name m and formal parameters x of types I. M defines a method with signature Sg, a list of local variable declarations x of types I, and a statement s. Statements may access class attributes, locally defined variables, and the method's formal parameters.
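For concreteness, the interface and class definitions can be instantiated as in the following small sketch in the kernel syntax of Fig. 1 (our own illustration; the Counter interface and CounterImpl class are hypothetical and not part of the paper's case study):

```
interface Counter {
  Void inc(Int n)
  Int read()
}

class CounterImpl implements Counter {
  Int count;
  Void init() { count := 0 }            // redefines the attribute at creation
  Void inc(Int n) { count := count + n }
  Int read() { return count }
}
```

An object of class CounterImpl is created with new CounterImpl(), and each call to inc or read becomes a task in that object's task queue.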
Statements for assignment x := e, sequential composition s1 ; s2 , skip, if, while, and return e are standard. The statement release unconditionally releases the processor by suspending the active task. In contrast, the guard g controls processor release in the statement await g, and consists of Boolean conditions which may contain return tests x? (see below). If g evaluates to false, the current task is suspended and the execution thread becomes idle. When the execution thread is idle, an
enabled task may be selected from the pool of suspended tasks by means of a user-provided scheduling policy. Expressions e include declared variables x, object identifiers o, Boolean expressions b, and object creation new C(e). As usual, the reserved read-only variable this refers to the identifier of the object. Note that remote access to attributes is not allowed. (The full language includes a functional expression language with standard operators for data types such as strings, integers, lists, sets, maps, and tuples. These are omitted in the core syntax, and explained when used in the examples.)
Time. In Real-Time Creol, the local passage of time is expressed in terms of duration statements. We consider a dense time model represented by the sort Time, which ranges over the non-negative real numbers and is totally ordered by the less-than operator. Furthermore, we denote by ∞ a term of sort Time such that t1 + t2 < ∞ for all t1, t2 ≠ ∞. The statement duration(b, w) expresses the passage of time, given in terms of an interval between the best case b and the worst case w (assuming b ≤ w). All other statements are assumed to be instantaneous, except the get statement, which lets time pass while it is blocking (see below).
Communication in Real-Time Creol is based on asynchronous method calls, denoted by expressions o!m(e, d), and future variables. (Local calls are written !m(e, d).) Thus, after making an asynchronous method call x := o!m(e, d), the caller may proceed with its execution without blocking on the method reply. Here x is a future variable, o is an object expression, e are (data value or object) expressions, and d is a deadline for the method invocation. This deadline specifies the relative time before which the corresponding method should be scheduled and executed. The local variable deadline refers to the remaining permitted execution time of the current method activation.
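These constructs can be combined as in the following sketch (our own illustration; the object o, method m, argument v, and the chosen time bounds are hypothetical, and variable declarations are elided):

```
f := o!m(v, 10);   // asynchronous call of m on o with deadline 10
duration(2, 4);    // local work taking between 2 and 4 time units
await f?;          // suspend this task until the reply to the call has arrived
x := f.get         // retrieve the return value (no longer blocks after the await)
```

Placing await f? before f.get yields the preemptible variant: other tasks of the same object may run while the reply is pending, whereas f.get alone would block the whole object.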
We assume that message transmission is instantaneous, so the deadline expresses the time until a reply is received; i.e., it corresponds to an end-to-end deadline. As usual, if the return value of a call is of no interest, the call may occur as a statement. The future variable x refers to a return value which has yet to be computed. There are two operations on future variables, which control synchronization in Creol. First, the guard await x? suspends the active task unless a return to the call associated with x has arrived, allowing other tasks in the object to execute. Second, the return value is retrieved by the expression x.get, which blocks all execution in the object until the return value is available. Standard usages of asynchronous method calls include the statement sequence x := o!m(e, d); v := x.get, which encodes a blocking call, abbreviated v := o.m(e, d) (often referred to as a synchronous call), and the statement sequence x := o!m(e, d); await x?; v := x.get, which encodes a non-blocking, preemptible call, abbreviated await v := o.m(e, d).

2.1 Object-Oriented Modeling of Thread Pools
Figure 2 shows a Creol model of a thread pool. The model defines a Thread class and the ResourcePool class. The task list is modeled implicitly in terms of the message queue of an instance of the ResourcePool class. The variable
F.S. de Boer, M.M. Jaghoori, and E.B. Johnsen
class Thread(ResourcePool myPool) implements Thread {
  Void run() { myPool!finish(this) }
  Void start() { skip; duration(5, 6); myPool!finish(this) }
}

class ResourcePool(Int size) implements ResourcePool {
  Set[Thread] pool;
  Void init() {
    Thread thr;
    pool := {};
    while (size > 0) { thr := new Thread(this); size := size - 1 }
  }
  Void invoke() {
    Thread thread;
    await ¬isempty(pool);
    thread := choose(pool);
    pool := remove(pool, thread);
    thread!start(deadline)
  }
  Void finish(Thread thr) { pool := add(pool, thr) }
}
Fig. 2. The thread pool
size represents the number of available threads, i.e., instances of the Thread class. The variable pool is used to hold a reference to those threads that are currently not executing a task. Tasks are modeled in terms of the method start inside the Thread class. For our analysis the functional differences between tasks are irrelevant, so the method is specified in terms of its duration only and a subsequent call to the method finish of the ResourcePool object, which adds that thread to its pool of available threads. Tasks are generated (by the environment) with (asynchronous) calls of the invoke method of the ResourcePool object. In case there are no available threads, the execution of the invoke method is suspended by the await statement, which releases control (so that a call of the finish method can be executed). When multiple tasks are pending and a thread becomes available, the scheduling strategy of the ResourcePool object determines which task should be executed next when the current task has been completed.
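The hand-over between invoke and finish can be paraphrased in ordinary sequential code. The sketch below is ours (class and method names mirror Figure 2, but the code is illustrative Python, not Creol) and ignores timing and deadlines entirely:

```python
from collections import deque

class ResourcePool:
    """Toy analogue of the Creol ResourcePool: 'size' threads share one task list."""
    def __init__(self, size):
        self.idle = deque(range(size))   # identifiers of available threads
        self.pending = deque()           # tasks waiting for a thread (the task list)

    def invoke(self, task):
        """Analogue of invoke(): start the task if a thread is idle, else suspend it."""
        if self.idle:
            thread = self.idle.popleft()     # choose(pool)
            return (thread, task)            # thread!start(deadline)
        self.pending.append(task)            # await ¬isempty(pool) suspends
        return None

    def finish(self, thread):
        """Analogue of finish(): the thread rejoins the pool; a pending task may resume."""
        self.idle.append(thread)
        if self.pending:
            return self.invoke(self.pending.popleft())
        return None

pool = ResourcePool(2)
assert pool.invoke("t1") == (0, "t1")
assert pool.invoke("t2") == (1, "t2")
assert pool.invoke("t3") is None          # no idle thread: the task suspends
assert pool.finish(0) == (0, "t3")        # finish releases a thread, t3 resumes
```

A task either grabs an idle thread immediately or is parked in pending, which is exactly the role played by the suspended invoke activations in the Creol model.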
2.2 Real-Time Execution in Real-Time Maude
Real-Time Maude [14] defines real-time rewrite theories (Σ, E, IR, TR), where:
– (Σ, E) is a theory in membership equational logic [13] with a signature Σ and a set E of conditional equations. The system's state space is defined as an algebraic data type in (Σ, E), which is assumed to contain a specification of a sort Time capturing the (dense or discrete) time domain.
– IR is a set of labeled conditional instantaneous rewrite rules specifying the system's local transitions, written crl [l] : t −→ t′ if cond, where l is a name for the rule. Such a rule specifies a one-step transition (in zero time) from an instance of a pattern t to the corresponding instance of a pattern t′, provided the condition cond holds. As usual in rewriting logic [13], the rules are applied modulo the equations in E.
– TR is a set of timed rewrite rules (or tick rules) capturing the progression of time, written crl [l] : {t} −→ {t′} in time τ if cond, where τ is a term of sort Time which denotes the duration of the rewrite. Observe that {_} is the built-in constructor of sort GlobalSystem, so tick rules apply to the entire state of the system, which allows time to advance uniformly.

Initial states must be ground terms of sort GlobalSystem, which reduce to terms of the form {t} by the equations in E. The form of the tick rules then ensures that time advances uniformly throughout the system. Real-time rewrite theories are executable under reasonable assumptions, and Real-Time Maude provides different analysis methods [14]. For example, timed "fair" rewrite simulates one behavior of the system up to a certain duration and is written

(tfrew t in time ≤ τ .)
for an initial state t and a ground term τ of sort Time. Furthermore, timed search searches breadth-first for states that are reachable from a given initial state t within time τ, match a search pattern, and satisfy a search condition. The command which searches for one state satisfying the search criteria is written

(tsearch [1] t −→* pattern such that cond in time ≤ τ .)
Creol's semantics in Maude. Creol has a semantics defined in rewriting logic [13] which can be used directly as a language interpreter in Maude [5]. The semantics is explained in detail in [9] and can be used for the analysis of Creol programs. In this section we focus on the extension of Creol's semantics in order to define a semantics for Real-Time Creol in Real-Time Maude. The state space of Creol's operational semantics is given by terms of the sort Configuration, which is a set of objects, messages, and futures. The empty configuration is denoted none, and whitespace denotes the associative and commutative union operator on configurations. Objects are defined as tuples ⟨o, a, q⟩
where o is the identifier of the object, a is a map which defines the values of the attributes of the object, and q is the task queue. Tasks are of sort Task and consist of a statement s and the task's local variables l, written {l | s}. We denote by {l | s} ◦ q the result of appending the task {l | s} to the queue q. For a given object, the first task in the queue is the active task, and the first statement of the active task to be executed is called the active statement. Let σ and σ′ be maps, x a variable name, and v a value. Then σ(x) denotes the lookup for the value of x in σ, σ[x → v] the update of σ such that x maps to v, σ ◦ σ′ the composition of σ and σ′, and dom(σ) the domain of σ. Given a mapping σ, we denote by [[e]]^c_σ the evaluation of an expression e in the state given by σ and the global configuration c (the latter is only used to evaluate the polling of futures; e.g., await x?). Rewrite rules execute statements in the active task in the context of a configuration, updating the values of attributes or local variables as needed. For an active task {l | s}, these rules are defined inductively over the statement s.
rl [skip] : ⟨o, a, {l | skip; s} ◦ q⟩ −→ ⟨o, a, {l | s} ◦ q⟩ .
rl [assign] : ⟨o, a, {l | x := e; s} ◦ q⟩ −→
    if x ∈ dom(l) then ⟨o, a, {l[x → [[e]]^none_(a◦l)] | s} ◦ q⟩
    else ⟨o, a[x → [[e]]^none_(a◦l)], {l | s} ◦ q⟩ fi .
rl [release] : ⟨o, a, {l | release; s} ◦ q⟩ −→ ⟨o, a, schedule({l | s}, q)⟩ .
crl [await1] : {⟨o, a, {l | await e; s} ◦ q⟩ c} −→ {⟨o, a, {l | s} ◦ q⟩ c} if [[e]]^c_(a◦l) .
crl [await2] : {⟨o, a, {l | await e; s} ◦ q⟩ c} −→ {⟨o, a, {l | release; await e; s} ◦ q⟩ c} if ¬[[e]]^c_(a◦l) .
Fig. 3. The semantics of Creol in Maude
Some (representative) rules are presented in Figure 3. Rule skip shows the general setup, where a skip statement is consumed by the rewrite rule. Rule assign updates either the local variable or the attribute x with the value of an expression e evaluated in the current state. The suspension of tasks is handled by rule release, which places the active task in the task queue. The auxiliary function schedule in fact defines the (local) task scheduling policy of the object, for example first-in first-out (FIFO) or earliest deadline first (EDF). Rules await1 and await2 handle conditional suspension points.

Real-Time Creol's semantics in Real-Time Maude. The rewrite rules of the Real-Time Creol semantics are given in Figure 4. The first rule ensures that a duration statement may terminate only if its best-case execution time has been reached. In order to facilitate the conformance testing discussed below, we define a global clock clock(t) in the configurations (where t is of sort Time) to timestamp observable events. These observables are the invocation and return of method calls. Rule async-call emits a message to the callee [[e]]^none_(a◦l) with method m, actual parameters [[ē]]^none_(a◦l) including the deadline, a fresh future identifier n, which will be bound to the task's so-called destiny variable [3], and, finally, a time stamp t. In the (method) activation rule, the function task transforms such a message into a task which is placed in the task queue of the callee by means of the scheduling function schedule. The function task creates a map which assigns the values of the actual parameters to the formal parameters (which include the deadline variable) and which assigns the future identity to the destiny variable. The statement of the created task consists of the body of the method. Rule return adds the return value from a method call to the future identified by the task's destiny variable and time-stamps the future at this time.
Rule get describes how the get operation obtains the returned value. The global advance of time is captured by the rule tick. This rule applies to global configurations in which every active statement is either a duration statement which has not reached its worst-case execution time or a blocking get statement. These conditions are captured by the predicate canAdvance in Figure 5. When the tick rule is applicable, time may advance by any value t below the limit determined by the auxiliary maximum time elapse function mte [14], which
crl [duration] : ⟨o, a, {l | duration(b, w); s} ◦ q⟩ −→ ⟨o, a, {l | s} ◦ q⟩ if b ≤ 0 .
crl [async-call] : ⟨o, a, {l | x := e!m(ē); s} ◦ q⟩ clock(t)
    −→ ⟨o, a, {l[x → n] | s} ◦ q⟩ clock(t) m(t, [[e]]^none_(a◦l), [[ē]]^none_(a◦l), n) ⟨n⟩ if fresh(n) .
rl [activation] : ⟨o, a, {l | s} ◦ q⟩ m(t, o, v̄) −→ ⟨o, a, {l | s} ◦ schedule(task(m(o, v̄)), q)⟩ .
crl [return] : ⟨o, a, {l | return(e); s} ◦ q⟩ ⟨n⟩ clock(t)
    −→ ⟨o, a, {l | s} ◦ q⟩ clock(t) ⟨n, [[e]]^none_(a◦l), t⟩ if n = l(destiny) .
crl [get] : ⟨o, a, {l | x := e.get; s} ◦ q⟩ ⟨n, v, t⟩ −→ ⟨o, a, {l | x := v; s} ◦ q⟩ ⟨n, v, t⟩ if [[e]]^none_(a◦l) = n .
crl [tick] : {C} −→ {δ(C, t)} in time t if t < mte(C) ∧ canAdvance(C) .
Fig. 4. The semantics of Real-Time Creol in Real-Time Maude
op canAdvance : Configuration → Bool .
eq canAdvance(C1 C2) = canAdvance(C1) ∧ canAdvance(C2) .
eq canAdvance(⟨o, a, {l | duration(b, w); s} ◦ q⟩) = w > 0 .
ceq canAdvance(⟨o, a, {l | x := e.get; s} ◦ q⟩ ⟨n⟩) = true if n = [[x]]^none_(a◦l) .
eq canAdvance(C) = false [owise] .

op mte : Configuration → Time .
eq mte(C1 C2) = min(mte(C1), mte(C2)) .
eq mte(⟨o, a, {l | duration(b, w); s} ◦ q⟩) = w .
eq mte(C) = ∞ [owise] .

op δ1 : Task Time → Task .
eq δ1({l | s}, t) = {l[deadline → l(deadline) − t] | s} .

op δ2 : TaskQueue Time → TaskQueue .
eq δ2({l | s} ◦ q, t) = δ1({l | s}, t) ◦ δ2(q, t) .
eq δ2(ε, t) = ε .

op δ3 : Task Time → Task .
eq δ3({l | duration(b, w); s}, t) = {l[deadline → l(deadline) − t] | duration(b − t, w − t); s} .
eq δ3({l | s}, t) = {l[deadline → l(deadline) − t] | s} [owise] .

op δ : Configuration Time → Configuration .
eq δ(C1 C2, t) = δ(C1, t) δ(C2, t) .
eq δ(clock(t′), t) = clock(t′ + t) .
eq δ(⟨o, a, {l | s} ◦ q⟩, t) = ⟨o, a, δ3({l | s}, t) ◦ δ2(q, t)⟩ .
eq δ(C, t) = C [owise] .
Fig. 5. Definition of Auxiliary Functions
Fig. 6. Sequence diagram of a scenario from generation until completion of a task
finds the lowest remaining worst-case execution time for any active task in any object in the configuration. Note that the blocking get operation allows time to pass arbitrarily while waiting for a return. When time advances, the function δ, besides advancing the global clock, determines the effect of advancing time on the objects in the configuration, using the auxiliary functions δi, for i = 1, 2, 3, defined in Figure 5, to update the tasks. The function δ1 decreases the deadline of a task. The function δ2 applies δ1 to all queued tasks; δ2 has no effect on the empty queue ε. The function δ3 additionally decreases the current best- and worst-case execution times of the active duration statements.
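The interplay of mte, canAdvance, and δ can be mirrored on a toy configuration. The dictionary-based encoding below is our own simplification: it covers only active duration statements and deadlines, and omits the blocking get case:

```python
INF = float("inf")

def mte(tasks):
    """Maximum time elapse: least remaining worst-case time of any active duration."""
    worst = [t["w"] for t in tasks if t.get("active") and "w" in t]
    return min(worst) if worst else INF

def can_advance(tasks):
    """Time may pass only while every active duration still has w > 0."""
    return all(t["w"] > 0 for t in tasks if t.get("active") and "w" in t)

def delta(tasks, dt):
    """Advance time: decrease every deadline (delta1/delta2); additionally shift
    b and w of active duration statements (delta3)."""
    out = []
    for t in tasks:
        u = dict(t)
        u["deadline"] -= dt
        if u.get("active") and "w" in u:
            u["b"] -= dt
            u["w"] -= dt
        out.append(u)
    return out

conf = [{"active": True, "b": 2, "w": 4, "deadline": 10},
        {"active": False, "deadline": 7}]
assert can_advance(conf) and mte(conf) == 4   # tick may advance by any t < 4
conf2 = delta(conf, 3)
assert (conf2[0]["b"], conf2[0]["w"], conf2[0]["deadline"]) == (-1, 1, 7)
assert conf2[1]["deadline"] == 4              # queued tasks only lose deadline
```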
3 Schedulability Analysis
Schedulability analysis consists of checking whether tasks can be accomplished before their deadlines. For analysis, Real-Time Maude uses tick rules that advance time in discrete time steps; therefore, verification of dense time models in Real-Time Maude is incomplete. Timed automata verification tools, e.g., Uppaal, use symbolic time and thus cover the whole dense time space. In this section, we explain how to use timed automata for abstractly modeling concurrent objects and performing schedulability analysis. In this abstract modeling, infinite Creol programs are mapped to finite-state automata. We present a generalization of the automata-theoretic framework in [7] for schedulability analysis of concurrent objects. The overall real-time input/output behavior of an object is to be specified in an automaton called its behavioral interface. A behavioral interface abstracts from the detailed implementation of the object. The implementation is in turn given in terms of its output behavior, i.e., the automata modeling the methods, and the input-enabled scheduler automaton that includes a queue to buffer the messages waiting to be executed. In this paper we extend the schedulability analysis to an open system of concurrent objects. We explain this extension in terms of the thread-pool example introduced in Section 2.1. Such a model can be synthesized from the sequence diagram in Figure 6, which depicts the lifecycle of a task from its generation until its completion. To allow communication between different automata, we
Edges of the task generation automaton:
– guard c1 >= 2; sync invoke[task][self][Env]!; update deadline = D1, c1 = 0
– guard c1 >= 3; sync invoke[task][self][Env]!; update deadline = D2, c1 = 0
Fig. 7. Modeling a task generation pattern (right)
define a channel for each action in this diagram: Channel invoke has three parameters, namely the task name, the receiver, and the sender. The parameters to channel start capture the task to be executed, the thread assigned to it, and the current object's identifier. Channel finish is parameterized in the identifiers of the executing thread and object. Next we discuss the different automata models corresponding to the three different lifelines in Figure 6.

Behavioral interfaces. The behavioral interface captures the overall real-time input/output behavior of an object while abstracting from its detailed implementation. Figure 7 shows a possible behavioral interface for our model of thread pools. This automaton is parameterized in the identifier of the thread pool, written self, and an identifier Env that represents any entity that may invoke a task on the thread pool. Since we only assume one task type in this example, we define a global constant task that will be used to identify this task. We use a clock c1 for modeling inter-arrival times, and the global variable deadline is used for associating deadlines to each task generated. The tasks with different deadlines are interleaved, and there are at least 2 and 3 time units, respectively, of inter-arrival time between two consecutive task instances. This shows an example of a non-uniform task generation pattern.

Scheduler and queue. The queue and the scheduling strategy are modeled in separate automata; together they represent the ResourcePool class. To model the ResourcePool, every thread is assumed to have a dedicated processing unit, but they share one task queue. We assume a fixed number TRD of threads given a priori. We separate the task queue in two parts: an execution part, consisting of the slots 0 to TRD−1, and a buffer part consisting of the rest of the queue. The execution part includes the tasks that are being executed. This part needs one slot for each thread and is therefore as big as the number of threads.
The selection of a task from the buffer part to start its execution is based on a given scheduling strategy, e.g., EDF, FPS, etc.; in our example, we use EDF. Figure 8(a) shows a queue of size MAX which stores the tasks in the order of their arrival; the queue is modeled by the array q, and tail points to the first empty element in the queue. This automaton is parameterized in s, which holds the identity of this object. This automaton can accept any task (whose identifier is between 0 and the constant MSG) by any caller (whose identifier is between 0 and the constant OBJ); this is seen as the Uppaal 'select' statement over msg and caller on the invoke channel. This transition is enabled if the queue is not yet full (tail < MAX). To check for deadlines, a clock x is assigned to each
Edges of the queue automaton:
– select msg : int[0,MSG], caller : int[0,OBJ]; guard tail < MAX; sync invoke[msg][s][caller]?; update insertInvoke(msg, caller)
– select i : int[0,MAX−1]; guard counter[i] > 0 && x[i] > d[i]; target Error
– guard tail == MAX; target Error
(a) A queue shared between threads
Edges of the scheduler automaton:
– sync finish[t][s]?; select i : int[TRD,MAX−1]; guard i < tail && forall (m : int[TRD,MAX−1]) (… d[ca[i]] … d[ca[m]] …); update contextSwitch(s, t, i); then sync start[q[t]][t][s]!
– sync finish[t][s]?; update contextSwitch(s, t, TRD)
(b) An EDF scheduler for each thread
Fig. 8. Allowing parallel threads to share a queue
task in the queue, which is reset when the task is added, i.e., in the insertInvoke function. The queue goes to the Error state if a task misses its deadline (x[i] > d[i]) or the queue is full (tail == MAX). Figure 8(b) shows how a scheduling strategy can be implemented. This automaton should be replicated for every thread, and is thus parameterized in the thread identity t as well as the object identity s. There will be one instance of this automaton for each slot q[t] in the execution part of the queue. This example models an EDF (earliest deadline first) scheduling strategy. The remaining time to the deadline of a task at position i in the queue is obtained by d[ca[i]] − x[ca[i]]. When the thread t finishes its current task (i.e., a synchronization on finish[t][s]), it selects the next task from the buffer part of the queue for execution by putting it in q[t]; this task is then immediately started (start[q[t]][t][s]).

To perform schedulability analysis by model checking, we need to find a reasonable queue length to make the model finite. The execution part of the queue is as big as the number of threads, and the buffer part is at least of size one. As in the single-threaded situation of objects [7], a system is schedulable only if it does not put more than Dmax/Bmin messages in its queue, where Dmax is the biggest deadline in the system, and Bmin is the best-case execution time of the shortest task. As a result, schedulability is equivalent to the Error state not being reachable with a queue of length Dmax/Bmin.

Tasks. A simple task model is given in Figure 9. In this model, the task has a computation time of between 5 and 6 time units. This corresponds to the model of the task given in the Creol code, which is defined in the start method of the Thread class and contains a skip statement followed by a duration. In general, a task model may be an arbitrarily complex timed automaton. For schedulability analysis, one can experiment with different parameters.
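The EDF choice made by the scheduler automaton, taking from the buffer the task whose remaining time to its deadline is least, can be sketched as follows (our code; the buffer is flattened to a list of pairs):

```python
def edf_pick(buffer):
    """buffer: list of (task_id, remaining_deadline) pairs, mimicking the
    values d[ca[i]] - x[ca[i]] of the automaton; return the index of the
    task chosen by earliest-deadline-first."""
    return min(range(len(buffer)), key=lambda i: buffer[i][1])

buf = [("a", 9), ("b", 3), ("c", 5)]
assert edf_pick(buf) == 1   # task "b" has the least remaining deadline
```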
For example, one can choose different scheduling policies, like FCFS, EDF, etc. Since we assume that threads run in parallel, with more threads we can handle more task instances (i.e., smaller inter-arrival times). Furthermore, if deadlines are too tight, schedulability cannot be guaranteed. Schedulability analysis amounts to checking whether the Error location in the queue automaton is reachable. Analysis shows that in the chosen settings, i.e., the selected inter-arrival times for the tasks and an EDF scheduler, this model cannot be schedulable with 2
Location execute:
– edge: sync start[task][r][self]?; update x = 0
– edge: guard x >= 5; sync finish[r][self]!
Fig. 9. Modeling a task
parallel threads, no matter how big the deadlines are. Intuitively, every 5 time units, two instances of the task may be inserted in the queue, and each task may take up to 6 time units to compute. With three parallel threads, these tasks can be scheduled correctly even with the deadline value of 6 time units for each task instance.
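This intuition is easy to reproduce with a small discrete-event simulation (ours; worst-case execution time 6, inter-arrival pattern 2, 3, 2, 3, ...):

```python
import heapq
import itertools

def max_wait(num_threads, horizon=1000, wcet=6):
    """Tasks arrive with alternating inter-arrival times 2 and 3 (two tasks per
    5 time units) and each occupies a thread for wcet time units; return the
    worst waiting time observed before a task gets hold of a thread."""
    free_at = [0.0] * num_threads          # times at which each thread becomes idle
    heapq.heapify(free_at)
    t, gaps, worst = 0.0, itertools.cycle([2, 3]), 0.0
    while t < horizon:
        t += next(gaps)                    # next task instance arrives
        earliest = heapq.heappop(free_at)  # thread that frees up first
        start = max(t, earliest)           # wait if all threads are busy
        heapq.heappush(free_at, start + wcet)
        worst = max(worst, start - t)
    return worst

assert max_wait(3) == 0.0      # three threads keep up: no task ever waits
assert max_wait(2) > 100       # two threads: waiting times grow without bound
```

With two threads the maximal waiting time grows linearly with the simulation horizon, so some deadline is eventually missed no matter how large it is; with three threads no task ever waits and a deadline of 6 suffices.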
4 Conformance Testing
Our overall methodology for the schedulability analysis of a Real-Time Creol model consists of the following: We model the real-time pattern of incoming messages in terms of a timed automaton (the behavioral interface of the Creol model). Next, we develop, on the basis of sequence diagrams which describe the observable behavior of the Creol model, automata abstractions of its overall real-time behavior. We analyze the schedulability of the product of this abstraction and the given behavioral interface (in, for example, Uppaal). Further, we define conformance between the Real-Time Creol model and its timed automaton abstraction with respect to the given behavioral interface in terms of inclusion of the timed traces of observable actions.

More specifically, let C denote a Creol model, i.e., a set of Creol classes, B a timed automaton specifying its behavioral interface, and A a timed automata abstraction of the overall behavior of C. We denote by O(A ∥ B) the set of timed traces of observable actions of the product of the timed automata A and B. The set of timed traces of the timed automaton B we denote by T(B). Further, given any timed trace θ ∈ T(B), the Creol class Tester(θ) denotes a Creol class which implements θ (see, for example, the class Tester in Figure 11). This class simply injects the messages at the times specified by θ. We denote by O(C, Tester(θ)) the set of timed traces of observable actions generated by the Real-Time Maude semantics of the Creol model C driven by θ. We can now define the conformance relation C ≤B A by O(C, Tester(θ)) ⊆ O(A ∥ B), for every timed trace of observable actions θ ∈ T(B). In this section we illustrate a method for testing conformance by searching for counterexamples to the conformance in terms of our running example. Note that a counterexample to the above conformance consists of a timed trace θ ∈ T(B) such that O(C, Tester(θ)) \ O(A ∥ B) ≠ ∅.
– if λ > 0 ∧ si = si′ (for i = 1, 2), then λ = rateMA1(s1, s1) + rateMA2(s2, s2); otherwise
  • λ = rateMA1(s1, s1′) and s2′ = s2, or
  • λ = rateMA2(s2, s2′) and s1′ = s1,
– s0 = s01 ‖A s02 ∈ S1 × S2 is the initial state.

In a process algebraic setting, the style of defining this operator can be made more elegant [34], but this is not the topic of this paper.

4.1 The Roots of MA Parallel Composition

It is illustrative to relate this operator to the ones it is derived from.
1. Whenever MA1 and MA2 are labelled transition systems, MA1 ‖A MA2 reduces to LOTOS-style parallel composition [9].
2. Whenever MA1 and MA2 are discrete-time Markov chains over the same singleton set Act, MA1 ‖Act MA2 reduces to the synchronous product of the models, where both Markov chains proceed in lockstep.
3. Whenever MA1 and MA2 are continuous-time Markov chains, MA1 ‖∅ MA2 reduces to the independent and concurrent execution of the two Markov chains, justified by the memoryless property.
4. Whenever MA1 and MA2 are probabilistic automata, MA1 ‖A MA2 agrees with the essence of the parallel composition for PA [45] (neglecting minor differences in synchronisation set constructions).
5. Whenever MA1 and MA2 are interactive Markov chains, MA1 ‖A MA2 reduces to the parallel composition for IMC [25].

A few further remarks are in order (though they may seem obvious to many readers): MA takes the LOTOS-style parallel operator ‖A as a basis, but we could have equally well opted for CCS style [40], CSP style [30], asynchronous or synchronous π-calculus style [41], I/O style [36], etc. From a pragmatic perspective, the ‖A operator is a convenient 'Swiss army knife'. It can, as special cases, express asynchronous interleaving (‖∅) and synchronous product (‖Act with |Act| = 1). It can also be used to encode shared-variable communication, as well as asynchronous message-passing communication.
Shared variables can be modelled as a separate MA, where states correspond to variable valuations, and transitions are put in place for reading and updating the state. Similarly, asynchronous message-passing channels can be encoded as MA that keep memory of the messages in transit (see e.g. [4, Chapter 2] for details). We mention this to make clear that a properly and well-understood semantics for this one operator is the nucleus for a well-understood semantics of essentially any prevailing communication paradigm found in the real world. Since the models developed with MA (just like GSPN, IMC, PA) are meant to be designed and evaluated in order to provide insight into the performance and dependability of the system being modelled, a well-understood semantics is essential.
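For the fully interactive case (item 1 above), ‖A specialises to LOTOS-style synchronisation on A and interleaving elsewhere. A minimal sketch over plain labelled transition systems, in our own encoding of transition relations as dictionaries:

```python
def parallel(trans1, trans2, init1, init2, sync):
    """LOTOS-style ||_A on labelled transition systems.
    trans_i: dict state -> list of (action, successor); sync: the set A."""
    states, trans = set(), {}
    stack = [(init1, init2)]
    while stack:
        s = stack.pop()
        if s in states:
            continue
        states.add(s)
        s1, s2 = s
        succs = []
        for a, t1 in trans1.get(s1, []):
            if a in sync:
                # synchronise: both components must perform a together
                succs += [(a, (t1, t2)) for b, t2 in trans2.get(s2, []) if b == a]
            else:
                succs.append((a, (t1, s2)))          # left component moves alone
        succs += [(a, (s1, t2)) for a, t2 in trans2.get(s2, []) if a not in sync]
        trans[s] = succs
        stack += [t for _, t in succs]
    return trans

# two components synchronising on "a"; "b" and "c" interleave freely
T1 = {0: [("a", 1)], 1: [("b", 2)]}
T2 = {0: [("a", 1)], 1: [("c", 2)]}
P = parallel(T1, T2, 0, 0, {"a"})
assert P[(0, 0)] == [("a", (1, 1))]
assert sorted(P[(1, 1)]) == [("b", (2, 1)), ("c", (1, 2))]
```

Extending this sketch with the Markovian clause above (summing rates on self-loops, interleaving otherwise) yields the full MA operator.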
Concurrency and Composition in a Stochastic World
4.2 A Connection between DTMCs and CTMCs

To shed some more light on the parallel behaviour of these models, we state an interesting observation relating the interleaving semantics for CTMCs to the synchronous semantics for DTMCs. They are both derived from our single parallel composition for MAs, but why do they make sense after all? This section establishes a perhaps astonishing connection between the two.

Geometric and Exponential Distributions. It is well known – and we thus here take it for granted – that for any state in a CTMC, the sojourn time of that state is exponentially distributed, and likewise, that for any state in a DTMC, the sojourn time of that state is geometrically distributed. Furthermore, the exponential distribution can be considered as the limit of the geometric distribution, in the following sense: Let the continuous random variable X be exponentially distributed with parameter λ > 0, i.e., its density is fX(t) = λe^(−λt). Further, for Δ > 0 with p = λΔ < 1, we consider the geometrically distributed discrete random variable XλΔ with parameter λΔ, i.e., with density function fXλΔ(k) = λΔ(1 − λΔ)^(k−1). Then the definition of Euler's number implies that the density of X at time point t > 0 can be approximated by the density function of XλΔ at step t/Δ, formally:

∀t > 0. fX(t) = lim(Δ→0) fXλΔ(t/Δ)/Δ
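The limit can be checked numerically: for small Δ, the rescaled geometric density fXλΔ(t/Δ)/Δ approaches λe^(−λt). The script below is ours:

```python
import math

def geo_density(p, k):
    """Density of the geometric distribution with parameter p at step k >= 1."""
    return p * (1 - p) ** (k - 1)

lam, t = 2.0, 0.7
exact = lam * math.exp(-lam * t)            # f_X(t) for X ~ Exp(lam)
for delta in (1e-2, 1e-3, 1e-4):
    approx = geo_density(lam * delta, round(t / delta)) / delta
    assert abs(approx - exact) < 5 * lam * lam * delta  # error shrinks with delta
```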
One may consider Δ as a step size in continuous time (used to perform a single Bernoulli experiment, from which the geometric distribution is derived). This view is helpful in the discussion that follows.

Discretised Markov Chain. Let M = (S, Q, s0) be a CTMC, and Δ be a sufficiently small step size. In the classical terminology [33], this CTMC is a family {C(t)} of random variables each taking values in S, indexed by (continuous) time t, that obeys the Markov property. From this, we can derive a Δ-discretised DTMC MΔ = (S, PΔ, s0) by: PΔ(s, s′) = Prob(C(Δ) = s′ | C(0) = s). It holds that:
– PΔ(s, s′) equals Q(s, s′)Δ + o(Δ), provided s′ ≠ s, and otherwise
– PΔ(s, s) equals 1 + Q(s, s)Δ + o(Δ).
Here, o(Δ) subsumes the probabilities to pass through intermediate states between s and s′ during the interval Δ, and we have PΔ(s, s) ∈ (0, 1) for sufficiently small Δ. Moreover, the rates can be derived as derivatives:
– Q(s, s′) = lim(Δ→0) PΔ(s, s′)/Δ, provided s′ ≠ s, and otherwise
– Q(s, s) = lim(Δ→0) (− Σ(s′≠s) PΔ(s, s′)/Δ).
This observation justifies that the behaviour of a CTMC can be approximated arbitrarily closely by a Δdiscretised DTMC, just by choosing Δ small enough, since in the limit Q = limΔ→0 (PΔ − I)/Δ, where I denotes the identity matrix. The limit is understood elementwise. All the above facts can, albeit usually stated in a different flavour, be found in many textbooks on Markov chains, for example in [47].
C. Eisentraut, H. Hermanns, and L. Zhang
What is not found in textbooks is the question whether this approximation is compatible with parallel composition: For two CTMCs M and M′, let MΔ and M′Δ denote the corresponding Δ-discretised DTMCs, respectively, which we assume labelled over the same singleton set Act. We now consider the synchronous product MΔ ‖Act M′Δ, where the two Markov chains evolve in lockstep with the step size – on a continuous time line – being Δ. Now, how does this product relate to M ‖∅ M′, the parallel composition of the CTMCs M and M′ under interleaving semantics? The following lemma answers this.

Lemma 1. Let M = (S, Q, s0) and M′ = (S′, Q′, s′0) be two CTMCs, and let PΔ, P′Δ denote the probability matrices of the discretised DTMCs, respectively. Moreover, let M ‖∅ M′ = (S ‖∅ S′, Q̃, s̃0) and MΔ ‖Act M′Δ = (S ‖Act S′, P̃Δ, s̃0). Then,
Q̃ = lim(Δ→0) (P̃Δ − I)/Δ
Proof. Let s, t ∈ S and s′, t′ ∈ S′. We consider a few cases:

1. Assume s ≠ t and s′ ≠ t′. By the synchronised product of the DTMCs, we have:

P̃Δ(s ‖Act s′, t ‖Act t′) = PΔ(s, t) · P′Δ(s′, t′) = Q(s, t)Q′(s′, t′)Δ² + o(Δ)

It now holds that lim(Δ→0) P̃Δ(s ‖Act s′, t ‖Act t′)/Δ = 0. By definition of ‖∅ we also have Q̃(s ‖∅ s′, t ‖∅ t′) = 0.

2. Now we consider the case s = t and s′ ≠ t′. Under this assumption we have that Q̃(s ‖∅ s′, t ‖∅ t′) = Q′(s′, t′), and moreover, PΔ(s, s) = 1 + Q(s, s)Δ + o(Δ). The rest can be shown similarly to the previous case.

3. Finally, we consider the case s = t and s′ = t′. In this case we have

P̃Δ(s ‖Act s′, s ‖Act s′) = (1 + Q(s, s)Δ + o(Δ)) · (1 + Q′(s′, s′)Δ + o(Δ)) = 1 + (Q(s, s) + Q′(s′, s′))Δ + o(Δ)

Thus lim(Δ→0) (P̃Δ(s ‖Act s′, s ‖Act s′) − 1)/Δ = Q(s, s) + Q′(s′, s′), which is exactly Q̃(s ‖∅ s′, s ‖∅ s′).

The above lemma derives the interleaving semantics for CTMCs through the limiting behaviour of their discretised DTMCs evolving synchronously.
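Lemma 1 can be illustrated numerically (our sketch): take P̃Δ to be the Kronecker product of the first-order discretisations I + QΔ, and compare (P̃Δ − I)/Δ with the interleaving generator Q ⊗ I + I ⊗ Q′:

```python
import numpy as np

Q1 = np.array([[-3.0, 3.0], [1.0, -1.0]])      # generator of a 2-state CTMC
Q2 = np.array([[-2.0, 2.0], [4.0, -4.0]])      # generator of another one
I2, I4 = np.eye(2), np.eye(4)

# generator of the interleaving composition M ||_∅ M'
interleaving = np.kron(Q1, I2) + np.kron(I2, Q2)

for delta in (1e-2, 1e-4, 1e-6):
    P1 = I2 + Q1 * delta                       # Δ-discretised DTMCs (first order)
    P2 = I2 + Q2 * delta
    approx = (np.kron(P1, P2) - I4) / delta    # synchronous product, rescaled
    # the residual is Δ · (Q1 ⊗ Q2), so the error vanishes linearly in Δ
    assert np.abs(approx - interleaving).max() < 20 * delta
```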
5 Simulations and Bisimulations

We now discuss equivalences and preorders for MA and submodels thereof. We first introduce a notation that makes our further discussion more compact, at the price of mildly reduced readability. It enables a uniform treatment of immediate and timed transitions. In doing so, we introduce the special action χ(r) to denote the exit rate r of a state. Moreover, we let Act_χ := Act ∪ {χ(r) | r ∈ R≥0}, and let α, β, ... range over this set.

Definition 3. Let MA = (S, Act, ⟶, ⇝, s0) be an MA. Let E ∈ S and α ∈ Act_χ. We write E −α→ μ if
– α ∈ Act and E has an immediate α-transition to μ, or
– E↓ ∧ r = rate(E) ∧ α = χ(r) ∧ μ = P(E, ·).
5.1 Strong Simulations and Bisimulations

Strong Simulations. Strong simulations for DTMCs were originally introduced [31] using the concept of weight functions. Weight functions have since become a standard way of formalising specification and refinement relations between probabilistic processes. Given distributions μ, μ′ and a relation R, a weight function δ assigns weights in [0, 1] to every pair of states in R, such that μ(s) = Σ_{s′∈S} δ(s, s′) and, symmetrically, μ′(s′) = Σ_{s∈S} δ(s, s′). Owing to the need to assign these weights, many proofs require human ingenuity and become decidedly nontrivial. This is felt, for instance, in the proof of transitivity of strong similarity. As a consequence, a few equivalent reformulations of weight functions have emerged. One of them is based on computing the maximum flow on a particular network constructed out of μ, μ′ and R [2]. This has been successfully exploited in decision procedures for various simulation preorders [2,52,21]. Below, we use another, rather recent, reformulation [51,21]: the existence of a weight function for distributions μ, μ′ with respect to R is equivalent to the statement that μ(A) ≤ μ′(R(A)) for every set A of states. Here, we write R(A) := {s′ | (s, s′) ∈ R ∧ s ∈ A}. This alternative characterisation of weight functions has a very intuitive interpretation: for every set A, μ′ assigns at least as much probability to the related set R(A) as μ assigns to A. The inspiration for this definition stems from [19], in which strong simulation relations are, in addition, required to be preorders.

Definition 4 (Strong Simulations). Let MA = (S, Act, ⟼, ⇝, s₀) be an MA. Let R be a binary relation on S. Then R is a strong simulation iff E R F implies:

1. for all α ∈ Act: E −α→ μ implies F −α→ μ′ for some distribution μ′ such that μ(A) ≤ μ′(R(A)) for all A ⊆ S, and
2. for all r ∈ R≥0: E −χ(r)→ μ implies F −χ(r′)→ μ′ for some distribution μ′ and r′ ∈ R≥0 such that r ≤ r′ and μ(A) ≤ μ′(R(A)) for all A ⊆ S.

State F strongly simulates E, written E ≾ F, if (E, F) is contained in some strong simulation.

1. On labelled transition systems ≾ coincides with standard strong similarity [42,1].
2. On discrete-time Markov chains ≾ coincides with strong similarity [31].
3. On continuous-time Markov chains ≾ coincides with strong similarity [5].
4. On probabilistic automata ≾ coincides with strong similarity [46].
5. On interactive Markov chains ≾ coincides with strong similarity [32] if r ≤ r′ is strengthened to r = r′.
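The subset characterisation μ(A) ≤ μ′(R(A)) used in Definition 4 can be checked directly, if inefficiently, by enumerating all subsets A. The sketch below does exactly that for a three-state example; the states, relation, and distributions are hypothetical, and a practical decision procedure would use the max-flow formulation [2] instead.

```python
from itertools import combinations
from fractions import Fraction

def weight_function_exists(mu, mu_prime, R, states):
    """Check mu(A) <= mu'(R(A)) for every subset A of states -- the set-based
    characterisation of weight functions. Exponential in |S|; a max-flow
    computation would be used in practice."""
    def mass(dist, A):
        return sum(dist.get(s, Fraction(0)) for s in A)
    for k in range(len(states) + 1):
        for A in combinations(states, k):
            RA = {t for (s, t) in R if s in A}
            if mass(mu, A) > mass(mu_prime, RA):
                return False
    return True

# Hypothetical example: y may be simulated by y or by z.
states = ["x", "y", "z"]
R = {("x", "x"), ("y", "y"), ("y", "z")}
mu = {"x": Fraction(1, 2), "y": Fraction(1, 2)}
mu_ok = {"x": Fraction(1, 2), "z": Fraction(1, 2)}
mu_bad = {"x": Fraction(3, 4), "z": Fraction(1, 4)}
```

Here mu_ok passes (every A keeps its mass inside R(A)), while mu_bad fails for A = {y}: μ({y}) = 1/2 exceeds μ′({y, z}) = 1/4.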
Strong Bisimulations. Strong bisimilarity in its diverse flavours is the most prominent equivalence relation for probabilistic models. For MA, the obvious combination of strong bisimilarity for IMC and strong bisimilarity for PA can be phrased as follows:

Definition 5. Let MA = (S, Act, ⟼, ⇝, s₀) be an MA. Let R be an equivalence relation on S. Then R is a strong bisimulation iff E R F implies for all α ∈ Act_χ: E −α→ μ implies F −α→ μ′ with μ(C) = μ′(C) for all C ∈ S/R.
Two states E and F are strongly bisimilar, written E ∼ F, if (E, F) is contained in some strong bisimulation.

1. On labelled transition systems ∼ is strong bisimilarity [42,40].
2. On discrete-time Markov chains ∼ coincides with strong bisimilarity [35] and corresponds to lumpability [33].
3. On continuous-time Markov chains ∼ coincides with lumping equivalence [26].
4. On probabilistic automata ∼ coincides with strong bisimilarity [46].
5. On interactive Markov chains ∼ coincides with strong bisimilarity [25].

For PA, coarser relations than strong bisimilarity and strong similarity – still treating internal transitions as ordinary transitions – are established based on the concept of combined transitions. The resulting relations are called strong probabilistic (bi)similarities [46,45]. They can also be defined directly in our setting, by replacing F −a→ μ by a convex combination of several a-labelled transitions starting in F. Details are left to the interested reader.

5.2 Weak Transitions

Weak transitions for probabilistic systems have been defined in the literature via probabilistic executions [44], trees [20], or infinite sums [18]. We adopt the tree notation here. The material presented below concerning weak transitions provides no innovation over the classical treatment; it is included for the benefit of the reader. We consider in the following (S × R≥0 × (Act_χ ∪ {⊥}))-labelled trees. Briefly, a node in such a tree is labelled by the corresponding state, the probability of reaching this node, and the action chosen to proceed (including the special actions for timed transitions). For a node σ with label t(σ), we write Sta_T(σ) for the first component of t(σ), Prob_T(σ) for the second component, and Act_T(σ) for the third.

Definition 6. Let MA = (S, Act, ⟼, ⇝, s₀) be an MA. A (weak) transition tree T is a (S × R≥0 × (Act_χ ∪ {⊥}))-labelled tree that satisfies the following conditions:

1. 0 < Prob_T(ε) ≤ 1,
2. ∀σ ∈ Leaf(T): Act_T(σ) = ⊥,
3. ∀σ ∈ Inner(T): ∃μ: Sta_T(σ) −Act_T(σ)→ μ and Prob_T(σ) · μ = {(Sta_T(σ′), Prob_T(σ′)) | σ′ ∈ Children_T(σ)},
4. Σ_{σ∈Leaf(T)} Prob_T(σ) = Prob_T(ε).
We call the tree weak if Prob_T(ε) < 1. Restricting Act_χ to Act, a transition tree T corresponds to a probabilistic execution fragment: it starts from Sta_T(ε), and resolves the nondeterministic choices by executing the action Act_T(σ) at each inner node σ. The second label of σ is then the probability of reaching Sta_T(σ), starting from Sta_T(ε) and following the selected actions. If at a node σ the timed transition is chosen, the third label Act_T(σ) = χ(r) represents the
exit rate of Sta_T(σ). In this case, a child σ′ is reached with Prob_T(σ) times the discrete branching probability P(Sta_T(σ), Sta_T(σ′)). An internal transition tree T is a transition tree where each Act_T(σ) is either τ or ⊥. Let T be a transition tree. Then the subdistribution associated with T, denoted by μ_T, is defined as

μ_T := { (Sta_T(σ), Prob_T(σ)) | σ ∈ Leaf(T) }.

We say the subdistribution μ_T is induced by T. Obviously, μ_T is a full distribution if Prob_T(ε) = 1. With the above definitions we are now able to express weak transitions:

Definition 7. For E ∈ S and μ a full distribution we write
– E ⇒ μ if μ is induced by some internal transition tree T with Sta_T(ε) = E.
– E ⇒α μ if μ is induced by some transition tree T with Sta_T(ε) = E, where on every maximal path from the root at least one node σ is labelled Act_T(σ) = α. In case α ≠ τ, there must be exactly one such node on every maximal path, and all other inner nodes must be labelled by τ.
– E ⇒α̂ μ if either α = τ and E ⇒ μ, or E ⇒α μ.

For all three transition relations we say that the transition tree that induces μ also induces the transition to μ.
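The following sketch illustrates Definitions 6 and 7 on a small internal transition tree; the nested-dict encoding and helper names are our own invention, not the paper's. Collecting the leaves yields the induced subdistribution μ_T, which fuses the distribution reached after a sequence of τ-steps.

```python
from fractions import Fraction

# A transition tree encoded as nested dicts. Each node carries the state, its
# reachability probability, the chosen action (None standing in for the leaf
# marker), and its children.
def node(state, prob, action=None, children=()):
    return {"state": state, "prob": prob, "action": action,
            "children": list(children)}

def induced_subdistribution(tree):
    """Collect (state, probability) over the leaves of a transition tree,
    i.e. the subdistribution mu_T of Definition 6."""
    mu = {}
    stack = [tree]
    while stack:
        n = stack.pop()
        if not n["children"]:                  # a leaf: no children, no action
            mu[n["state"]] = mu.get(n["state"], Fraction(0)) + n["prob"]
        else:
            stack.extend(n["children"])
    return mu

# E --tau--> {E1: 1/2, E2: 1/2}, then E1 --tau--> {F: 1}: an internal tree.
tree = node("E", Fraction(1), "tau", [
    node("E1", Fraction(1, 2), "tau", [node("F", Fraction(1, 2))]),
    node("E2", Fraction(1, 2)),
])
```

For this tree, E ⇒ {F ↦ 1/2, E2 ↦ 1/2}: the two τ-steps are fused into one accumulated distribution, and the leaf probabilities sum to Prob_T(ε) = 1, matching condition 4 of Definition 6.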
Note that E ⇒ Δ_E and E ⇒τ̂ Δ_E hold independently of the actual transitions E can perform, whereas E ⇒τ Δ_E only holds if E ⟼τ Δ_E. For all α ≠ τ, E ⇒α̂ μ is identical to E ⇒α μ. Below we define the notion of combined transitions [44], which arise as convex combinations of a set of transitions with the same label, including the labels representing timed transitions.
Definition 8. We write E ⇒α_C μ if α ∈ Act_χ and there is a finite indexed set {(c_i, μ_i)}_{i∈I} of pairs of positive real-valued weights and distributions such that E ⇒α μ_i for each i ∈ I, Σ_{i∈I} c_i = 1, and μ = Σ_{i∈I} c_i μ_i.
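A combined transition per Definition 8 is simply a convex combination of transition target distributions. The sketch below, using hypothetical distributions, forms Σᵢ cᵢ · μᵢ for a two-element justifying set.

```python
from fractions import Fraction

def combine(justification):
    """Form the combined transition target of Definition 8: given a finite
    set {(c_i, mu_i)} of weights and distributions with the weights summing
    to 1, return the convex combination sum_i c_i * mu_i."""
    assert sum(c for c, _ in justification) == 1
    mu = {}
    for c, dist in justification:
        for s, p in dist.items():
            mu[s] = mu.get(s, Fraction(0)) + c * p
    return mu

# Two hypothetical a-labelled weak transitions of a state E, mixed half-half.
mu1 = {"G": Fraction(1)}
mu2 = {"G": Fraction(1, 2), "H": Fraction(1, 2)}
```

Combining mu1 and mu2 with weights 1/2 each yields {G ↦ 3/4, H ↦ 1/4}, a target that neither single transition can reach on its own.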
We say that E ⇒α_C μ is justified by the set {(c_i, μ_i)}_{i∈I}. Transition relations from states to distributions can be generalised to take (sub)distributions to (sub)distributions, by weighting the result distribution of the transition of each element E ∈ Supp(μ) by μ(E).

Definition 9. Let ⇀ ∈ {⇒, ⇒α̂, ⇒α_C, −α→}. Then we write μ ⇀ γ if γ = Σ_{s_i∈Supp(μ)} μ(s_i) · μ_i, where s_i ⇀ μ_i holds for all s_i ∈ Supp(μ). We say that μ ⇀ γ is justified by the transitions s_i ⇀ μ_i.

5.3 Weak Simulations and Bisimulations over Subdistributions

Weak simulations and bisimulations are means to abstract from internal transitions and sequences thereof. In our setting this means that we intend to fuse distributions that arise from sequences of internal transitions in an MA into single, accumulated distributions.
Relating distributions. Bisimulations for PA and IMC have in the past been defined as relations on states, akin to bisimulations for LTS. The latter reside in a single state at every point in time during their execution, thus bisimulation relations on states are all that is needed to capture their behaviour adequately. In contrast, a stochastic system resides – at every point in time – in a certain state with a certain probability. The system behaviour is thus not correctly determined by the states occupied, but instead by the probability distributions over states in which the system can reside at any point in time. It thus seems natural to define bisimulation relations as relations on distributions over states. Several simulation relations for PA adopt this approach [46,44,48] in an asymmetric way, simulating a state by a distribution over states. Among these relations, probabilistic forward similarity [44] is the coarsest. We denote it by ≤fwd. In Figure 2, state u is forward simulated by state v and vice versa. In an asymmetric way, ≤fwd achieves exactly what we intend to achieve for MA: we aim at fusing distributions along internal immediate transition sequences. It is however not obvious how to extend the definition of forward simulation, which relates states to distributions, to a bisimulation setting, which should then relate distributions to distributions. Even partially state-based approaches seem to fail, since in order to equate u and v, the two distributions {(v′, 1)} and {(E, 1/3), (F, 2/3)} must be considered equivalent. However, from a state-based point of view, the two distributions must be different, assuming that E and F represent states of different equivalence classes, since neither E nor F alone can then be equivalent to state v′.
Fig. 2. Probabilistic forward simulation versus probabilistic weak bisimulation
We instead advocate a bisimulation-over-distributions approach to define a notion of weak bisimilarity that satisfies our demands [22]. In the sequel, we reiterate and rephrase several interesting aspects of this approach, and characterise the semantic relationship between weak bisimilarity and the standard bisimilarities of PA and IMC.

Naïve Weak Bisimulation over States. In the following, we will show that the standard bisimulations of PA and IMC can easily be cast as relations over distributions. In favour of a concise presentation, we will not consider the standard bisimulations for PA and IMC separately, but only investigate a relation ≋, which we define as a direct combination of IMC and PA weak bisimilarity, such that on the IMC submodel we obtain IMC weak bisimilarity [25], and on the PA submodel we obtain a (divergence-sensitive) variation of PA weak bisimilarity, namely stable weak bisimilarity. The variation in the latter case is owed to the maximal progress assumption, inherited from IMC and necessary for general MAs. This has, however, no influence on the technical development.
We have first introduced this relation in [22, Def. 10], as a naïve approach to defining a suitable weak equivalence for MAs. As we have argued there, this relation is, however, not suitable to achieve the intended effect of fusing internal transitions. We thus call this relation naïve weak bisimulation.

Definition 10 (Naïve Weak Bisimulation). Let MA = (S, Act, ⟼, ⇝, s₀) be an MA. For two states s, s′ ∈ S, s ≋ s′ holds if (s, s′) ∈ E for some equivalence relation E on S for which E E F implies for all α ∈ Act_χ: E −α→ μ implies F ⇒α̂_C γ for some γ with μ(C) = γ(C) for all C ∈ S/E.

Weak (Bi)simulations over Subdistributions. We will now introduce two weak bisimulation – and also two weak simulation – relations that relate distributions (or subdistributions, to be precise). One of them is weak bisimulation for Markov automata as introduced in [22, Def. 11]; the other bisimulation appears new. We will show that this new bisimulation relation on distributions induces a bisimilarity on states that coincides with naïve weak bisimulation, which itself is defined directly over states. This strong connection bridges between the state-based and distribution-based approaches and allows us to make precise their relationship. We call the new relation semiweak bisimulation, since it is weak, meaning partially oblivious to internal transitions, but yet finer than weak bisimulation for Markov automata. Both relations rely on the idea of equating subdistributions exactly when they can be split into subdistributions, such that for each component in one splitting there exists a related component of the other splitting that exhibits identical behaviour, and vice versa. Remarkably, the definitions only differ in one specific point. For semiweak (bi)simulation, splittings need to be immediately related to match their behaviour.
For weak (bi)simulation, we relax the conditions such that it suffices if equated distributions are able to reach, by internal transitions, distributions that can then be split suitably. To make explicit that the relations only differ in the way subdistributions are split, we define two sets of possible splittings of a subdistribution.

– For weak (bi)simulation, we use the set

split(μ) = {(μ₁, μ₂) | ∃μ′: μ ⇒C μ′ ∧ μ′ = μ₁ ⊕ μ₂}

where each splitting of an internal successor subdistribution of μ is a valid splitting.
– For semiweak (bi)simulation, we use the more restricted set

split◦(μ) = {(μ₁, μ₂) | μ = μ₁ ⊕ μ₂}

where only direct splittings of μ are valid splittings.

Since weak and semiweak bisimulation only differ in this one point, we define them simultaneously in one definition. In what follows, the expression split(◦) needs to be replaced by split in order to obtain weak bisimulation. Semiweak bisimulation is obtained by replacing it by split◦.

Definition 11 (Weak Bisimulations). A relation R on subdistributions over S is called a (semi)weak bisimulation iff whenever μ₁ R μ₂ then for all α ∈ Act_χ: |μ₁| = |μ₂| and
1. ∀E ∈ Supp(μ₁): ∃μ₂ᵍ, μ₂ˢ: (μ₂ᵍ, μ₂ˢ) ∈ split(◦)(μ₂) and
   (i) (E, μ₁(E)) R μ₂ᵍ and (μ₁ − E) R μ₂ˢ,
   (ii) whenever E −α→ μ₁′ for some μ₁′ then μ₂ᵍ ⇒α̂_C μ′ and (μ₁(E) · μ₁′) R μ′.
2. ∀F ∈ Supp(μ₂): ∃μ₁ᵍ, μ₁ˢ: (μ₁ᵍ, μ₁ˢ) ∈ split(◦)(μ₁) and
   (i) μ₁ᵍ R (F, μ₂(F)) and μ₁ˢ R (μ₂ − F),
   (ii) whenever F −α→ μ₂′ for some μ₂′ then μ₁ᵍ ⇒α̂_C μ′ and μ′ R (μ₂(F) · μ₂′).

Two subdistributions μ and γ are (semi)weakly bisimilar, denoted by μ ≈(◦) γ, if the pair (μ, γ) is contained in some (semi)weak bisimulation.

It is worth noting that the weak bisimilarity ≈ in the above definition is identical to [22, Def. 11]. We immediately obtain simulation relations by removing Condition 2.

Definition 12 (Weak Simulations). A relation R on subdistributions over S is called a (semi)weak simulation iff whenever μ₁ R μ₂ then for all α ∈ Act_χ: |μ₁| = |μ₂| and ∀E ∈ Supp(μ₁): ∃μ₂ᵍ, μ₂ˢ: (μ₂ᵍ, μ₂ˢ) ∈ split(◦)(μ₂) and
(i) (E, μ₁(E)) R μ₂ᵍ and (μ₁ − E) R μ₂ˢ,
(ii) whenever E −α→ μ₁′ for some μ₁′ then μ₂ᵍ ⇒α̂_C μ′ and (μ₁(E) · μ₁′) R μ′.

Two subdistributions μ and γ are (semi)weakly similar, denoted by μ ⪅(◦) γ, if the pair (μ, γ) is contained in some (semi)weak simulation.

It is not obvious that these relations are indeed equivalence relations and preorders, respectively. Reflexivity and symmetry are straightforward. The latter holds because the union of two (semi)weak bisimulations is again a (semi)weak bisimulation. Since the pioneering work of Larsen and Skou [35], it has become a standard for bisimilarity notions defined in the stochastic setting to presuppose the bisimulations to be equivalence relations on states. Because this property is not closed under union, several otherwise standard properties become difficult to establish. Owing to the distribution perspective on our relations, the equivalence relation presupposition can be dropped, which makes these properties an easy exercise. Only transitivity needs a technical and involved proof.
The proof for ≈ can be found in [22,23]. The crucial idea for this proof is that we can define (bi)simulation relations up to splitting. We refer the reader to [22] for further details. The proof for ≈◦ follows exactly the lines of that proof, but needs to distinguish fewer cases.

Lemma 2. ⪅ and ⪅◦ are preorders; ≈ and ≈◦ are equivalence relations.

It is apparent that ≈ and ⪅ are weaker notions than ≈◦ and ⪅◦, respectively:

Theorem 1. ≈◦ ⊆ ≈ and ⪅◦ ⊆ ⪅.
The relations defined above relate subdistributions, but they induce relations on states in the obvious way: we call two states E, F (semi)weakly bisimilar, denoted by E ≈(◦)_Δ F, if Δ_E ≈(◦) Δ_F. Analogously, we call two states E, F (semi)weakly similar, denoted by E ⪅(◦)_Δ F, if Δ_E ⪅(◦) Δ_F. In the following we establish that ≋ and ≈◦_Δ coincide. Since ≋ is the naïve (state-based) integration of PA and IMC weak bisimulation, this fact provides insight into the twist achieved by moving from the semiweak to the weak formulation.
Theorem 2. ≋ = ≈◦_Δ.
Proof. We first prove that the lifting of semiweak bisimilarity to states, ≈◦_Δ, is also a state-based bisimulation in the sense of Definition 10. The crucial point in this proof is the claim that μ ≈◦ γ implies μ(C) = γ(C) for all C ∈ S/≈◦_Δ, since then the conditions of Definition 10 follow immediately. To see the claim, note that ≈◦ itself is a semiweak bisimulation. Then, by repeated application of the left-hand side of clause (i) in the definition of ≈◦, we can split γ into a family of subdistributions {γ_E}_{E∈Supp(μ)}, such that every E ∈ Supp(μ) is matched by one of these subdistributions, and μ(E)Δ_E ≈◦ γ_E holds. In turn, we can split μ(E)Δ_E into a family {μ^E_F}_{F∈Supp(γ_E)} accordingly, such that each state F ∈ Supp(γ_E) is matched by the subdistribution μ^E_F, satisfying μ^E_F ≈◦ γ_E(F)Δ_F. Every subdistribution μ^E_F must be of the form γ_E(F)Δ_E. Hence, we know that γ_E(F)Δ_E ≈◦ γ_E(F)Δ_F. In total, we have split μ and γ into sets of subdistributions such that there is a total matching of subdistributions of one set with subdistributions of the other set. Matched subdistributions have the same size, and the single elements of their supports are equivalent up to ≈◦_Δ. From here we can immediately conclude that μ(C) = γ(C) holds for all C ∈ S/≈◦_Δ.
For the other direction we show that the relation R = {(μ, γ) | ∀C ∈ S/≋: μ(C) = γ(C)} is a semiweak bisimulation. Then, whenever E ≋ F, the pair (Δ_E, Δ_F) is contained in the semiweak bisimulation R, which implies E ≈◦_Δ F. Let us consider an arbitrary pair (μ, γ) ∈ R. By symmetry it suffices to check the necessary conditions for an arbitrary E ∈ Supp(μ). Let C be the equivalence class of ≋ containing E. Since μ(C) = γ(C), there exists a splitting γᵍ ⊕ γˢ of γ with Supp(γᵍ) = {F₁, ..., F_k} and E ≋ F_i for each F_i, and furthermore, γˢ(C′) = (μ − E)(C′) for all C′ ∈ S/≋. Hence Condition (i) is satisfied. For Condition (ii), whenever E −α→ μ′, then for each F_i we immediately deduce from E ≋ F_i that F_i ⇒α̂_C γ_{F_i} with μ′(C′) = γ_{F_i}(C′) for all C′ ∈ S/≋. Let us set ρ := Σ_{i=1,...,k} γᵍ(F_i) · γ_{F_i}. It is then straightforward to show that in total γᵍ ⇒α̂_C ρ and that μ(E) · μ′(C′) = ρ(C′) for all C′ ∈ S/≋. By the choice of R this immediately implies (μ(E)μ′, ρ) ∈ R, which suffices to establish Condition (ii). □

Just like ≋, most existing weak relations for systems with probabilistic or stochastic timed transitions can be recast as relations on distributions, which can be formulated as slight adaptations of ≈◦ and ⪅◦, respectively. So, with ≈◦ and ⪅◦ at hand, the exact extra power of the distribution-based perspective, combined with distribution splitting, becomes apparent: ≈◦ and ≈ only differ in their use of split◦(μ) and split(μ), respectively. The latter allows additional internal transition sequences, and is the key to fuse distributions along sequences thereof. It is thus a natural generalisation, comparable to the classical passage from strong transitions to weak transitions.

Discussion. We will now summarise the relationship between the respective standard notions of weak (bi)similarity on the submodels and weak (bi)similarity for Markov automata. Since all of these relations are defined over states, we will compare them to ≈_Δ and ≈◦_Δ.
1. On labelled transition systems, both ≈_Δ and ≈◦_Δ coincide with stable weak bisimilarity [49]. They both coincide with standard weak bisimilarity [40] if no infinite sequences of internal transitions appear in the LTS. This difference is inherited from IMC, and owed to the maximal progress assumption [28]. The same applies to ⪅_Δ, ⪅◦_Δ, and weak similarity on LTS [40].
2. On discrete-time Markov chains, ≈_Δ and ≈◦_Δ coincide with weak bisimilarity [3,5]. We claim that ⪅_Δ and ⪅◦_Δ can be adapted such that they both coincide with weak similarity for state-labelled DTMC [5].
3. On continuous-time Markov chains, ≈_Δ and ≈◦_Δ coincide with lumping equivalence [26], due to the fact that our weak transitions do not affect timed transitions. For this reason we see no obvious way to adapt ⪅_Δ and ⪅◦_Δ such that they match weak similarity for state-labelled CTMC [5].
4. On probabilistic automata, ≈◦_Δ coincides with weak bisimilarity [44], if restricting to models without infinite sequences of internal transitions. This slight restriction is again a legacy of the maximal progress assumption. This technical discrepancy carries over to all other relations defined on PA. If instead we adapt the definition and remove the stability condition, the adapted version of ≈◦_Δ and weak bisimilarity on PA [44] coincide. The same holds for ⪅◦_Δ and weak similarity for PA [44]. Remarkably, ⪅_Δ and probabilistic forward similarity ≤fwd [44] coincide.
5. On interactive Markov chains, ≈_Δ and ≈◦_Δ coincide with weak bisimulation [25]. A weaker variant is found in [10]. To the best of our knowledge no weak similarity relations for IMC have been introduced in the literature so far, so the one jointly induced by ⪅ and ⪅◦ is new.

The fact that on PA ⪅_Δ and ≤fwd agree is especially interesting, since a bisimulation variant of this relation was not known to date, but is now at hand with ≈_Δ. Furthermore, ≈_Δ has a selection of distinguishing properties. We refer the reader to [22] for details.
We mention only briefly that ≈_Δ is a congruence with respect to parallel composition. The congruence property can be established for other standard process algebraic operators as well – with the usual root condition being needed to arrive at a congruence for nondeterministic choice. We finally want to correct our claim [22] that a reformulation of PA weak bisimilarity as a relation on distributions would not be compositional with respect to subdistribution composition; this claim turns out to be wrong. It is easy to show that ≈◦ is indeed compositional with respect to this operator, and since on PA ≈◦ coincides with PA weak bisimilarity (except for divergence behaviour), this also holds for PA weak bisimilarity.
6 Conclusions This paper has tried to provide insight into the foundational aspects of Markov automata, a model that integrates probabilistic automata and interactive Markov chains. We have laid out the principal ingredients of a compositional theory for MA, and have discussed how a lifting of relations to (sub)distributions, together with the notion of distribution splitting, enables us to cast a variety of existing simulations and bisimulations in a uniform setting, making subtle differences and semantic choices apparent.
Markov automata target a domain of concurrency modelling and evaluation where designers find it adequate to work with durations that are memoryless, and need to represent branching probabilities as well as concurrency in a convenient manner. In this area, GSPNs have seen broad applicability, but, as we have highlighted, only with incomplete semantic understanding. The MA model changes the picture: it can serve as a semantic foundation for GSPN, and, since it is compositional in a strict sense, we think it is the nucleus for a fully compositional and usable language for this modelling domain. Notably, the MA model is – just like IMC – rich enough to allow for non-exponential distributions, namely by approximating them as phase-type distributions [27], albeit at the price of a state space increase. PA as well as IMC are supported by mature software tools, PRISM [29] and CADP [16]. We are eagerly exploring possibilities to arrive at tool support for the analysis of MA. In this paper, we have restricted our attention to finite and finitely-branching models. It remains for further work to establish the results of this paper in a setting with (un)countably many states or transitions.

Acknowledgements. Christian Eisentraut and Holger Hermanns are supported by the DFG as part of the Transregional Collaborative Research Centre SFB/TR 14 AVACS, by the European Community's Seventh Framework Programme under grant agreement no. 214755 (QUASIMODO), and by the NWO-DFG bilateral project ROCKS. The work of Lijun Zhang has received partial support from MT-LAB, a VKR Centre of Excellence.
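As an aside on the phase-type remark above: an (almost) deterministic delay with mean m can be approximated by an Erlang-k distribution, i.e. k exponential phases of rate k/m each, whose variance m²/k vanishes as k grows. The following sketch is illustrative only (not from the paper); it samples such an approximation and checks its moments.

```python
import random

def sample_erlang(k, mean, rng):
    """Sample an Erlang-k distribution with the given mean: the sum of k
    exponential phases, each of rate k/mean. A simple phase-type
    approximation of a near-deterministic delay for large k."""
    rate = k / mean
    return sum(rng.expovariate(rate) for _ in range(k))

rng = random.Random(42)
samples = [sample_erlang(20, 1.0, rng) for _ in range(5000)]
mean = sum(samples) / len(samples)
var = sum((x - mean) ** 2 for x in samples) / len(samples)
# With k = 20 phases, the mean stays at 1.0 while the variance
# shrinks to 1/20 = 0.05, tightening around the deterministic delay.
```

Each phase is an exponential, and thus memoryless, transition, so the whole approximation stays expressible with the timed transitions of an MA, at the cost of k extra states per delay.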
References

1. Abadi, M., Lamport, L.: The existence of refinement mappings. Theoretical Computer Science 82(2), 253–284 (1991)
2. Baier, C., Engelen, B., Majster-Cederbaum, M.E.: Deciding bisimilarity and similarity for probabilistic processes. J. Comput. Syst. Sci. 60(1), 187–231 (2000)
3. Baier, C., Hermanns, H.: Weak bisimulation for fully probabilistic processes. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 119–130. Springer, Heidelberg (1997)
4. Baier, C., Katoen, J.P.: Principles of Model Checking, 1st edn. MIT Press, Cambridge (2008)
5. Baier, C., Katoen, J.P., Hermanns, H., Wolf, V.: Comparative branching-time semantics for Markov chains. Information and Computation 200(2), 149–214 (2005)
6. Balbo, G.: Introduction to generalized stochastic Petri nets. In: Bernardo, M., Hillston, J. (eds.) SFM 2007. LNCS, vol. 4486, pp. 83–131. Springer, Heidelberg (2007)
7. Bandini, E., Segala, R.: Axiomatizations for probabilistic bisimulation. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 370–381. Springer, Heidelberg (2001)
8. Bergstra, J.A., Ponse, A., Smolka, S.A.: Handbook of Process Algebra. Elsevier, Amsterdam (2001)
9. Bolognesi, T., Brinksma, E.: Introduction to the ISO specification language LOTOS. Computer Networks 14, 25–59 (1987)
10. Bravetti, M.: Revisiting interactive Markov chains. Electr. Notes Theor. Comput. Sci. 68(5) (2002)
11. Busch, H., Sandmann, W., Wolf, V.: A numerical aggregation algorithm for the enzyme-catalyzed substrate conversion. In: Priami, C. (ed.) CMSB 2006. LNCS (LNBI), vol. 4210, pp. 298–311. Springer, Heidelberg (2006)
12. Cheung, L., Stoelinga, M., Vaandrager, F.W.: A testing scenario for probabilistic processes. J. ACM 54(6) (2007)
13. Chiola, G., Donatelli, S., Franceschinis, G.: GSPNs versus SPNs: What is the actual role of immediate transitions? In: PNPM, pp. 20–31. IEEE, Los Alamitos (1991)
14. Chiola, G., Franceschinis, G., Gaeta, R., Ribaudo, M.: GreatSPN 1.7: Graphical editor and analyzer for timed and stochastic Petri nets. Perf. Eval. 24(1-2), 47–68 (1995)
15. Chiola, G., Marsan, M.A., Balbo, G., Conte, G.: Generalized stochastic Petri nets: A definition at the net level and its implications. IEEE TSE 19(2), 89–107 (1993)
16. Coste, N., Garavel, H., Hermanns, H., Hersemeule, R., Thonnart, Y., Zidouni, M.: Quantitative evaluation in embedded system design: Validation of multiprocessor multithreaded architectures. In: DATE, pp. 88–89 (2008)
17. Courtney, T., Daly, D., Derisavi, S., Gaonkar, S., Griffith, M., Lam, V.V., Sanders, W.H.: The Möbius modeling environment: Recent developments. In: QEST, pp. 328–329. IEEE, Los Alamitos (2004)
18. Deng, Y., van Glabbeek, R.J., Hennessy, M., Morgan, C.: Testing finitary probabilistic processes. In: CONCUR, pp. 274–288 (2009)
19. Desharnais, J., Gupta, V., Jagadeesan, R., Panangaden, P.: Approximating labelled Markov processes. Inf. Comput. 184(1), 160–200 (2003)
20. Desharnais, J., Gupta, V., Jagadeesan, R., Panangaden, P.: Weak bisimulation is sound and complete for PCTL*. Inf. Comput. 208(2), 203–219 (2010)
21. Desharnais, J., Laviolette, F., Tracol, M.: Approximate analysis of probabilistic processes: Logic, simulation and games. In: QEST, pp. 264–273 (2008)
22. Eisentraut, C., Hermanns, H., Zhang, L.: On probabilistic automata in continuous time. In: LICS. IEEE, Los Alamitos (to appear, 2010)
23. Eisentraut, C., Hermanns, H., Zhang, L.: Probabilistic automata in continuous time. Reports of SFB/TR 14 AVACS 62, Saarland University (April 2010), http://www.avacs.org
24. Florio, V.D., Donatelli, S., Dondossola, G.: Flexible development of dependability services: An experience derived from energy automation systems. In: ECBS, pp. 86–93. IEEE, Los Alamitos (2002)
25. Hermanns, H.: Interactive Markov Chains. LNCS, vol. 2428. Springer, Heidelberg (2002)
26. Hermanns, H., Herzog, U., Katoen, J.P.: Process algebra for performance evaluation. Theoretical Computer Science 274(1-2), 43–87 (2002)
27. Hermanns, H., Katoen, J.P.: Automated compositional Markov chain generation for a plain-old telephone system. Science of Comp. Progr. 36(1), 97–127 (2000)
28. Hermanns, H., Lohrey, M.: Priority and maximal progress are completely axiomatisable (extended abstract). In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 237–252. Springer, Heidelberg (1998)
29. Hinton, A., Kwiatkowska, M.Z., Norman, G., Parker, D.: PRISM: A tool for automatic verification of probabilistic systems. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 441–444. Springer, Heidelberg (2006)
30. Hoare, C.A.R.: Communicating Sequential Processes. Prentice Hall, Englewood Cliffs (1985)
31. Jonsson, B., Larsen, K.G.: Specification and refinement of probabilistic processes. In: LICS, pp. 266–277. IEEE, Los Alamitos (1991)
32. Katoen, J.P., Klink, D., Neuhäußer, M.R.: Compositional abstraction for stochastic systems. In: Ouaknine, J., Vaandrager, F.W. (eds.) FORMATS 2009. LNCS, vol. 5813, pp. 195–211. Springer, Heidelberg (2009)
33. Kemeny, J.G., Snell, J.L., Knapp, A.W.: Denumerable Markov Chains, 2nd edn. Springer, Heidelberg (1976)
34. Klin, B., Sassone, V.: Structural operational semantics for stochastic process calculi. In: Amadio, R.M. (ed.) FOSSACS 2008. LNCS, vol. 4962, pp. 428–442. Springer, Heidelberg (2008)
35. Larsen, K.G., Skou, A.: Bisimulation through probabilistic testing. Information and Computation 94(1), 1–28 (1991)
36. Lynch, N.A., Tuttle, M.R.: Hierarchical correctness proofs for distributed algorithms. In: PODC, pp. 137–151 (1987)
37. Marsan, M.A., Balbo, G., Chiola, G., Conte, G.: Generalized stochastic Petri nets revisited: Random switches and priorities. In: PNPM, pp. 44–53. IEEE, Los Alamitos (1987)
38. Marsan, M.A., Balbo, G., Chiola, G., Conte, G., Donatelli, S., Franceschinis, G.: An introduction to generalized stochastic Petri nets. Microel. and Rel. 31(4), 699–725 (1991)
39. Marsan, M.A., Balbo, G., Conte, G., Donatelli, S., Franceschinis, G.: Modelling with Generalized Stochastic Petri Nets. John Wiley & Sons, Chichester (1995)
40. Milner, R.: Communication and Concurrency. Prentice Hall, Englewood Cliffs (1989)
41. Palamidessi, C.: Comparing the expressive power of the synchronous and asynchronous pi-calculi. Mathematical Structures in Computer Science 13(5), 685–719 (2003)
42. Park, D.M.R.: Concurrency and automata on infinite sequences. Theoretical Computer Science, pp. 167–183 (1981)
43. Sandmann, W., Wolf, V.: Computational probability for systems biology. In: Fisher, J. (ed.) FMSB 2008. LNCS (LNBI), vol. 5054, pp. 33–47. Springer, Heidelberg (2008)
44. Segala, R.: Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Laboratory for Computer Science, Massachusetts Institute of Technology (1995)
45. Segala, R.: Probability and nondeterminism in operational models of concurrency. In: Baier, C., Hermanns, H. (eds.) CONCUR 2006. LNCS, vol. 4137, pp. 64–78. Springer, Heidelberg (2006)
46. Segala, R., Lynch, N.: Probabilistic simulations for probabilistic processes. Nordic Journal of Computing 2(2), 250–273 (1995)
47. Stewart, W.J.: Probability, Markov Chains, Queues, and Simulation: The Mathematical Basis of Performance Modeling. Princeton University Press, Princeton (2009)
48. Stoelinga, M., Vaandrager, F.W.: Root contention in IEEE 1394. In: Katoen, J.P. (ed.) AMAST-ARTS 1999, ARTS 1999, and AMAST-WS 1999. LNCS, vol. 1601, pp. 53–74. Springer, Heidelberg (1999)
49. van Glabbeek, R.J.: The linear time – branching time spectrum II. In: Best, E. (ed.) CONCUR 1993. LNCS, vol. 715, pp. 66–81. Springer, Heidelberg (1993)
50. Wolf, V.: Modelling of biochemical reactions by stochastic automata networks. ENTCS 171(2), 197–208 (2007)
51. Zhang, L.: Decision Algorithms for Probabilistic Simulations. PhD thesis, Universität des Saarlandes (2008)
52. Zhang, L., Hermanns, H., Eisenbrand, F., Jansen, D.N.: Flow faster: Efficient decision algorithms for probabilistic simulations. Logical Methods in Computer Science 4(4) (2008)
Taming Distributed Asynchronous Systems Anca Muscholl LaBRI, University Bordeaux, France
Abstract. This extended abstract surveys some analysis techniques for distributed, asynchronous systems with two kinds of synchronization, shared variables and fifo channels.
1 Introduction
Modeling distributed, asynchronous systems so that computer-assisted analysis becomes feasible is an ongoing challenge in both theory and practice. Several automata-based models for such systems have been proposed and studied over the past twenty years, capturing various aspects of distributed behavior. Depending on the motivation, such models fall into two large categories. In the first one we find rather simple models capturing basic synchronization mechanisms: Petri nets, communicating automata, etc. They have been studied for their algorithmic properties and/or their expressive power. In the second category we see more sophisticated models, conceived to support practical system design, like Harel's statecharts or Lynch's I/O automata. It is clear that developing automated verification techniques requires a good understanding of the simpler models, in particular since more complex ones are often built as combinations of basic models. In this survey we address the issue of analyzing networks of (mostly finite-state) processes with two kinds of communication mechanisms, unbounded fifo channels and shared variables. We also go one step beyond verification, or model-checking, by addressing the synthesis problem in the shared-variable case. Synthesis, and in particular controller synthesis, is a challenging problem even for models as simple as the ones considered in this survey, since it essentially amounts to solving distributed games. This topic is still rather poorly understood and open for future research, in spite of considerable efforts and partial results obtained during the past decade.
2 Models of Distributed Computation
The architecture of a distributed asynchronous system consists of a set of processes P related by links, which we consider fixed. Such links may correspond for instance to communication channels or to shared variables. We do not discuss here other synchronization mechanisms that appear in the literature, such as state observation or signals.

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 40–47, 2010.
© Springer-Verlag Berlin Heidelberg 2010
Zielonka's asynchronous automata are a model based on shared variables, with roots in the theory of Mazurkiewicz traces [28], which came up in the late seventies in connection with the semantics of 1-safe Petri nets (the reader may find in [11] a wealth of results about traces). Asynchronous automata provide one of the first highly non-trivial examples of distributed (closed) synthesis, as expressed in Theorem 1 below. Given a finite set P of processes, we consider an alphabet of actions Σ and a location function dom : Σ → (2^P \ ∅), associating with each action a non-empty set of processes. The location mapping dom defines in a natural way an independence relation I: two actions a, b ∈ Σ are independent (denoted (a, b) ∈ I) if they synchronize disjoint sets of processes, i.e., if dom(a) ∩ dom(b) = ∅. One defines the relation ∼I on Σ* as the equivalence generated by all pairs (uabv, ubav), for (a, b) ∈ I and u, v ∈ Σ*. A trace is then a ∼I-equivalence class, and a trace language is a word language closed under ∼I. Alternatively, traces can be viewed as labeled pomsets (see the example in Figure 1), and the set of (labeled) linearizations of such a pomset corresponds to the ∼I-equivalence class [u] of any of its linearizations u ∈ Σ*.

A (deterministic) asynchronous automaton is a tuple A = ⟨{Sp}p∈P, s0, {δa}a∈Σ, F⟩, where
– Sp is a finite set of (local) states of process p,
– s0 ∈ ∏p∈P Sp is a (global) initial state,
– δa : ∏p∈dom(a) Sp → ∏p∈dom(a) Sp is a transition function; on a letter a ∈ Σ it is a partial function on tuples of states of the processes in dom(a),
– F ⊆ ∏p∈P Sp is a set of final (accepting) states.

An asynchronous automaton can be seen as a sequential automaton with state set S = ∏p∈P Sp and transitions s −a→ s′ if ((sp)p∈dom(a), (s′p)p∈dom(a)) ∈ δa and s′q = sq for all q ∉ dom(a). By L(A) we denote the set of words labeling accepting runs. This definition has an important consequence.
If (a, b) ∈ I, then the same state is reached on the words ab and ba. More generally, whenever u ∼I v and u ∈ L(A), then v ∈ L(A), too. This means that L(A) is a trace language.

Example 1. Consider the asynchronous automaton A defined by Sp = {0}, Sq = Sr = {0, 1}, and transition functions δa(sp, sq) = (sp, ¬sq) if sq = 1 (undefined otherwise), δd(sr) = ¬sr if sr = 1 (undefined otherwise), δb(sq, sr) = (1, 1) if sq ∧ sr = 0 (undefined otherwise), and δc(sp) = sp. Starting with s0 = (0, 0, 0), an accepting run of A checks that between any two successive b-events there is either an a or a d (or both), and that there is a b-event before all a- and d-events.

One of the deepest results of trace theory is Zielonka's construction of a deterministic asynchronous automaton from a finite-state one. One can see it as an example of distributed closed synthesis, i.e., without any environment.
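The independence relation above admits a simple effective check for trace equivalence: since independence is induced by the location function dom, two words are ∼I-equivalent exactly when their projections onto every process coincide. The following minimal sketch (the helper names are ours, not from the survey) tests this on the trace of Figure 1:

```python
# Checking trace equivalence u ~_I v via the projection characterisation:
# with a location function dom, two words are ~_I-equivalent iff their
# projections onto every process agree.

def project(word, p, dom):
    """Projection of a word onto the actions in which process p takes part."""
    return [a for a in word if p in dom[a]]

def trace_equivalent(u, v, dom, processes):
    """u ~_I v  iff  the per-process projections of u and v coincide."""
    return all(project(u, p, dom) == project(v, p, dom) for p in processes)

# The trace of Figure 1: dom(a) = {p,q}, dom(b) = {q,r}, dom(c) = {p}, dom(d) = {r}.
dom = {'a': {'p', 'q'}, 'b': {'q', 'r'}, 'c': {'p'}, 'd': {'r'}}
procs = {'p', 'q', 'r'}

u = list("cbadcbadb")
v = list("bcdacbadb")   # obtained from u by swapping independent neighbours
w = list("acbdcbadb")   # an a before the first b on process q: a different trace

print(trace_equivalent(u, v, dom, procs))  # True
print(trace_equivalent(u, w, dom, procs))  # False
```

This projection test runs in linear time, whereas naively closing a word under all commutations is exponential.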
42
A. Muscholl
Fig. 1. The pomset associated with the trace t = [c b a d c b a d b], with dom(a) = {p, q}, dom(b) = {q, r}, dom(c) = {p}, dom(d) = {r}.
Theorem 1 ([40]). Given a finite automaton A accepting the trace language L(A), a deterministic asynchronous automaton B with L(A) = L(B) can be effectively constructed.

The above construction has received a lot of interest, and a series of papers aimed at improving it algorithmically (see e.g. [10, 30, 19, 17]). The best construction currently known, starting from a DFA A, is polynomial in the size of A and simply exponential in the number of processes. Surprisingly, it is rather difficult to come up with a matching lower bound (see [17] for partial results). As explained in Section 3, this construction plays a fundamental role in other settings of distributed synthesis, for instance for communicating automata, which we present next.

A communicating automaton (CA for short) is parametrized by a set P of processes, a set of point-to-point fifo channels Ch ⊆ P² \ id_P, and a set of message contents Msg. It is a tuple A = ⟨(Ap)p∈P, Σ, F⟩ where
– each Ap = (Sp, →p, s0p) is a finite labeled transition system with state space Sp, transition relation →p ⊆ Sp × Σp × Sp, and initial state s0p ∈ Sp; the local action alphabet Σp consists of send actions (denoted p!q(m), with (p, q) ∈ Ch, m ∈ Msg), receive actions (denoted p?r(m), with (r, p) ∈ Ch, m ∈ Msg), and local actions;
– F ⊆ ∏p∈P Sp is a set of global final states.
We call S := ∏p∈P Sp the set of global states. The behavior of a CA is that of an infinite labeled transition system over the set of configurations of the CA. A configuration of A consists of a global state, together with a word from Msg* for each channel (p, q) ∈ Ch. Transitions are defined in the usual way: the effect of an action a ∈ Σp is to change the Sp-component according to Ap, and to perform the obvious modification on one channel of p, according to a being a send of message m from p to q (written a = p!q(m)) or a receive of m on p from r (written a = p?r(m)).
Example 2. The CA in the ﬁgure below describes the communication between two (ﬁnitestate) processes C and S, connected through one channel in each
direction. The set of message contents is Msg = {0, 1, $}. From the initial configuration (c0, s0), (ε, ε) (say, (C, S) is the first channel) one can reach e.g. the configurations (c1, s0), (010, ε) and (c0, s0), (101, $), but not (c0, s0), (0101, $). For instance, (c0, s0), (ε, ε) −C!S(0)→ (c1, s0), (0, ε) −C!S(1)→ (c0, s0), (01, ε) −C!S(0)→ (c1, s0), (010, ε).

[Figure: two finite automata, C with states c0 (initial), c1 and actions C!S(0), C!S(1), C?S($); S with states s0 (initial), s1 and actions S?C(0), S?C(1), S!C($).]
Just as traces are partially ordered representations of runs of asynchronous automata, the runs of CAs have a natural interpretation in terms of labeled pomsets, too. The pomsets associated with such runs are called message sequence charts; they represent in a diagrammatic way the messages exchanged between processes.
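The configuration semantics just described is easy to animate. The sketch below replays the run of Example 2; the transition tables are an assumption reconstructed from the example's description (process C alternates sends of 0 and 1 and can receive $; process S receives and acknowledges with $), not the paper's exact automata.

```python
from collections import deque

# A configuration is a tuple of local states plus one FIFO word per channel.
# Hypothetical transition tables for Example 2 (an assumption, see lead-in).
trans = {
    'C': {('c0', 'C!S(0)'): 'c1', ('c1', 'C!S(1)'): 'c0', ('c1', 'C?S($)'): 'c0'},
    'S': {('s0', 'S?C(0)'): 's1', ('s1', 'S?C(1)'): 's0', ('s1', 'S!C($)'): 's0'},
}

def step(config, proc, action, msg):
    """Fire `action` of `proc`: a send appends to, a receive pops from, a FIFO."""
    states, chans = config
    states = dict(states)
    chans = {k: deque(v) for k, v in chans.items()}
    states[proc] = trans[proc][(states[proc], action)]
    if '!' in action:                              # send p!q(m)
        target = action[action.index('!') + 1]
        chans[(proc, target)].append(msg)
    else:                                          # receive p?r(m)
        source = action[action.index('?') + 1]
        assert chans[(source, proc)].popleft() == msg
    return states, chans

cfg = ({'C': 'c0', 'S': 's0'}, {('C', 'S'): deque(), ('S', 'C'): deque()})
for act, m in [('C!S(0)', '0'), ('C!S(1)', '1'), ('C!S(0)', '0')]:
    cfg = step(cfg, 'C', act, m)
print(cfg[0]['C'], ''.join(cfg[1][('C', 'S')]))  # c1 010
```

The three sends reproduce the run (c0, s0), (ε, ε) → (c1, s0), (010, ε) of the example, with the channel contents growing unboundedly if S never consumes.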
3 Analyzing Communicating Automata
In spite of their simplicity, communicating automata are Turing-powerful, as can easily be seen (e.g. by simulating Post tag systems). From the verification viewpoint this immediately implies that one must accept approximated or semi-algorithmic solutions. Simple approximations, like ignoring the order of messages in the channels or imposing a limit on their size, are of course too coarse. Acceleration methods, which use some finitary representation of possibly infinite sets of configurations (called symbolic representations), are a more powerful example of under-approximation. In the case of communicating automata, such symbolic representations are based on finite automata or on extended automata models with good algorithmic properties [4, 5, 7]. The general idea is to speed up the naive enumeration of reachable configurations by computing the effect of loop iteration. A nice example of an over-approximating method is given by lossy channel systems. Such a model is also interesting in its own right, since it allows one to model imperfect channels. Lossy channel systems are a particular instance of well-structured transition systems [13, 2]. In particular, questions like control-state reachability and termination are decidable [2, 14], albeit of non-primitive recursive complexity [36]. On the other hand, liveness properties and boundedness of lossy channels are undecidable [1, 27]. Whereas the above-mentioned approaches emphasize symbolic representations of sets of (reachable) configurations, there is a complementary, language-oriented approach based on partial orders. The language-theoretical viewpoint emphasizes
the (partially-ordered) executions, instead of the channel contents. This kind of event-based reasoning arises very naturally when communicating automata are viewed as sequential automata synchronizing over communication events. The main advantage it offers is that the synthesis problem can be stated in a natural way. Undecidability of various questions about communicating automata actually has two sources: the first, obvious one, is the unboundedness of channels. The second, more subtle one, comes up when the specification formalism (e.g. a regular one like LTL) is incompatible with the partially-ordered model. As a consequence, getting solutions for model-checking or synthesis requires both channel restrictions and partial-order specifications. A universally channel-bounded automaton is one where there is a uniform bound on the size of the channels over all reachable configurations. So a universally bounded automaton is just a finite-state system. A much less restrictive notion is that of an existential channel bound. Such a bound roughly means that any execution can be rescheduled in such a way that it can be executed with bounded channels. In particular, existential bounds admit channels of arbitrary size. A simple example illustrating the idea is a pair of processes, a producer and a consumer, where the producer keeps sending messages to the consumer, who is supposed to accept every message. Since there is no control on the relative speed of these two processes, there is no bound on the number of messages in transit. But for verifying many properties, like e.g. control-state reachability, it suffices to reason about schedulings where messages are consumed without delay, i.e. where executions can be scheduled with a channel of size one. The main result obtained in this setting is a solution for closed synthesis, which can be stated as a Kleene–Büchi theorem about communicating automata with channel bounds [21, 18].
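The producer/consumer point can be made concrete. The sketch below (ours, not the paper's) measures the channel occupancy of two linearisations of the same partially ordered run: the naive "all sends first" schedule needs a channel of size n, while the eager schedule that consumes each message without delay witnesses an existential channel bound of 1.

```python
# Two linearisations of the same producer/consumer run of n messages:
# they differ only in scheduling, not in the underlying partial order.

def max_occupancy(schedule):
    """Largest number of undelivered messages along a linearisation."""
    size = peak = 0
    for ev in schedule:
        size += 1 if ev == 'send' else -1
        peak = max(peak, size)
    return peak

n = 5
naive = ['send'] * n + ['recv'] * n                       # all sends, then all receives
eager = [ev for _ in range(n) for ev in ('send', 'recv')]  # consume without delay

print(max_occupancy(naive))  # 5
print(max_occupancy(eager))  # 1
```

Verification under an existential bound explores only the bounded reschedulings, which suffices for properties such as control-state reachability.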
A main ingredient of these constructions is the link between automata with channel bounds and trace languages, and in particular Zielonka's construction of asynchronous (trace) automata. Model-checking existentially bounded automata w.r.t. partial-order specifications like MSO [24], closed regular specifications [20] or PDL [6] is also decidable. Several promising recent research directions can be mentioned. One of them is motivated by the need for analyzing distributed recursive programs, and aims at identifying reasonable, tractable subclasses of communicating automata extended with additional capabilities for the individual processes, for instance pushdown storage [3, 39, 22]. A second, quite challenging perspective for future work is the general synthesis problem for communicating systems. This problem can be stated in many different ways, depending on the degree of completeness of the specification (specifications may e.g. talk only about external messages). However, one probably first needs a solution to the problem described in the next section, before working out a general solution for synthesizing or controlling communicating automata.
4 Distributed Control for Asynchronous Automata
In the simplest case, the synthesis problem asks to ﬁnd a model for a given speciﬁcation, so it is just a satisﬁability problem, where one is given some formalism
for the specification (e.g. logics) and one for the model (e.g. finite automata). In a more refined version one is also given a system (or plant, usually an automaton) and asked to find a controller such that the controlled system satisfies the given specification. The control consists in forbidding some actions of the plant; however, not every action can be forbidden, and the controller must also ensure that the system does not block completely. Synthesis was first considered in a synchronous (hardware) setting by Church [9]. In his model, the specification is a relation between input variables, controlled by the environment, and output variables, controlled by the (centralized) system. Church's problem stimulated a fruitful research direction on 2-person, zero-sum infinitary games, starting with the fundamental results of [8, 34, 35] (see also [37, 38] for recent surveys). Distributed controller synthesis is a more recent research topic; it was initiated by Pnueli and Rosner [33], who showed that only very restricted architectures admit a decidable synthesis problem. Undecidability of distributed synthesis follows already from the work of Peterson and Reif on "multiple-person alternating machines" [32]. Various versions of distributed synthesis appear in the literature. One important distinction is between synchronous and asynchronous systems. In the synchronous case, processes execute a step at each (global) clock tick, whereas in the asynchronous case they are decoupled. Another distinction is how much information processes are allowed to exchange. At least two different classes of models have been studied here. In the model considered by [33, 23, 12, 16], a distributed system is given by an architecture describing (synchronous) channels between processes, and the information conveyed between processes via the channels is finite.
In the model studied in [15, 26, 31], the distributed system is an asynchronous automaton (and the controller is also required to be such an automaton). Here the information exchanged between processes corresponds to the causal past of events, and is therefore unbounded. Decidability for synchronous synthesis basically requires a pipeline architecture, where information flows in a single direction (see [33, 23, 25, 29, 12, 16] for various refinements). Informally, the reasons for undecidability are either global specifications or "information forks", such as the case where two independent processes can be "observed" by a third one. Compared with the synchronous case, our understanding of asynchronous controller synthesis is still unsatisfactory. For instance, it is open whether this problem is decidable! Two decidability results are known in this setting. The first one [15] was obtained by restricting the (in)dependencies between letters of the input alphabet. The second paper [26] shows decidability by restricting the plant: roughly speaking, the restriction requires that if two processes do not synchronize during a long amount of time, then they will never synchronize again. The proof of [26] goes beyond the controller synthesis problem, by coding it into the monadic second-order theory of event structures and showing that this theory is decidable when the criterion on the asynchronous automaton holds.
References
1. Abdulla, P.A., Cerans, K., Jonsson, B., Tsay, Y.K.: General decidability theorems for infinite state systems. In: LICS 1996, pp. 313–323. IEEE Computer Society, Los Alamitos (1996)
2. Abdulla, P.A., Jonsson, B.: Verifying programs with unreliable channels. Inform. and Comput. 127(2), 91–101 (1996)
3. Atig, M.F., Bouajjani, A., Touili, T.: On the reachability analysis of acyclic networks of pushdown systems. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 356–371. Springer, Heidelberg (2008)
4. Boigelot, B., Godefroid, P.: Symbolic verification of communication protocols with infinite state spaces using QDDs. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 1–12. Springer, Heidelberg (1996)
5. Boigelot, B., Godefroid, P., Willems, B., Wolper, P.: The power of QDDs. In: Van Hentenryck, P. (ed.) SAS 1997. LNCS, vol. 1302, pp. 172–186. Springer, Heidelberg (1997)
6. Bollig, B., Kuske, D., Meinecke, I.: Propositional Dynamic Logic for message-passing systems. Logical Methods in Computer Science (to appear, 2010)
7. Bouajjani, A., Habermehl, P.: Symbolic reachability analysis of FIFO-channel systems with nonregular sets of configurations. Theor. Comp. Science 221(1-2), 211–250 (1999)
8. Büchi, J., Landweber, L.: Definability in the monadic second-order theory of successor. J. of Symb. Logic 34(2), 166–170 (1969)
9. Church, A.: Applications of recursive arithmetic to the problem of circuit synthesis. In: Summaries of the Summer Institute of Symbolic Logic, vol. 1, pp. 3–50. Cornell Univ. (1957)
10. Cori, R., Métivier, Y., Zielonka, W.: Asynchronous mappings and asynchronous cellular automata. Inform. and Comput. 106, 159–202 (1993)
11. Diekert, V., Rozenberg, G. (eds.): The Book of Traces. World Scientific, Singapore (1995)
12. Finkbeiner, B., Schewe, S.: Uniform distributed synthesis. In: LICS 2005, pp. 321–330. IEEE Computer Society Press, Los Alamitos (2005)
13. Finkel, A.: A generalization of the procedure of Karp and Miller to well structured transition systems. In: Ottmann, T. (ed.) ICALP 1987. LNCS, vol. 267, pp. 499–508. Springer, Heidelberg (1987)
14. Finkel, A., Schnoebelen, P.: Well-structured transition systems everywhere! Theor. Comp. Science 256(1-2), 63–92 (2001)
15. Gastin, P., Lerman, B., Zeitoun, M.: Distributed games with causal memory are decidable for series-parallel systems. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 275–286. Springer, Heidelberg (2004)
16. Gastin, P., Sznajder, N., Zeitoun, M.: Distributed synthesis for well-connected architectures. Formal Methods in System Design 34(3), 215–237 (2009)
17. Genest, B., Gimbert, H., Muscholl, A., Walukiewicz, I.: Optimal Zielonka-type construction of deterministic asynchronous automata. In: ICALP 2010. LNCS. Springer, Heidelberg (2010)
18. Genest, B., Kuske, D., Muscholl, A.: A Kleene theorem and model checking algorithms for existentially bounded communicating automata. Inform. and Comput. 204(6), 920–956 (2006)
19. Genest, B., Muscholl, A.: Constructing exponential-size deterministic Zielonka automata. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 565–576. Springer, Heidelberg (2006)
20. Genest, B., Muscholl, A., Seidl, H., Zeitoun, M.: Infinite-state high-level MSCs: Model-checking and realizability. J. Comput. Syst. Sci. 72(4), 617–647 (2006)
21. Henriksen, J.G., Mukund, M., Kumar, K.N., Sohoni, M., Thiagarajan, P.: A theory of regular MSC languages. Inform. and Comput. 202(1), 1–38 (2005)
22. Heußner, A., Leroux, J., Muscholl, A., Sutre, G.: Reachability analysis of communicating pushdown systems. In: Ong, L. (ed.) FOSSACS 2010. LNCS, vol. 6014, pp. 267–281. Springer, Heidelberg (2010)
23. Kupferman, O., Vardi, M.: Synthesizing distributed systems. In: LICS 2001. IEEE Computer Society Press, Los Alamitos (2001)
24. Madhusudan, P., Meenakshi, B.: Beyond message sequence graphs. In: Hariharan, R., Mukund, M., Vinay, V. (eds.) FSTTCS 2001. LNCS, vol. 2245, pp. 256–267. Springer, Heidelberg (2001)
25. Madhusudan, P., Thiagarajan, P.: Distributed control and synthesis for local specifications. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 396–407. Springer, Heidelberg (2001)
26. Madhusudan, P., Thiagarajan, P.S., Yang, S.: The MSO theory of connectedly communicating processes. In: Sarukkai, S., Sen, S. (eds.) FSTTCS 2005. LNCS, vol. 3821, pp. 201–212. Springer, Heidelberg (2005)
27. Mayr, R.: Undecidable problems in unreliable computations. Theor. Comp. Science 297(1-3), 337–354 (2003)
28. Mazurkiewicz, A.: Concurrent program schemes and their interpretations. DAIMI Rep. PB 78, Aarhus University, Aarhus (1977)
29. Mohalik, S., Walukiewicz, I.: Distributed games. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 338–351. Springer, Heidelberg (2003)
30. Mukund, M., Sohoni, M.: Gossiping, asynchronous automata and Zielonka's theorem. Report TCS-94-2, School of Mathematics, SPIC Science Foundation, Madras, India (1994)
31. Muscholl, A., Walukiewicz, I., Zeitoun, M.: A look at the control of asynchronous automata. In: Perspectives in Concurrency Theory. IARCS-Universities, Universities Press (2009)
32. Peterson, G.L., Reif, J.H.: Multiple-person alternation. In: FOCS 1979, pp. 348–363. IEEE Computer Society Press, Los Alamitos (1979)
33. Pnueli, A., Rosner, R.: Distributed reactive systems are hard to synthesize. In: FOCS 1990, pp. 746–757. IEEE Computer Society Press, Los Alamitos (1990)
34. Rabin, M.: Decidability of second-order theories and automata on infinite trees. Trans. Amer. Math. Soc. 141, 1–35 (1969)
35. Rabin, M.O.: Automata on Infinite Objects and Church's Problem. American Mathematical Society, Providence (1972)
36. Schnoebelen, P.: Verifying lossy channel systems has nonprimitive recursive complexity. Inform. Proc. Lett. 83(5), 251–261 (2002)
37. Thomas, W.: On the synthesis of strategies in infinite games. In: Mayr, E.W., Puech, C. (eds.) STACS 1995. LNCS, vol. 900, pp. 1–13. Springer, Heidelberg (1995)
38. Thomas, W.: Church's problem and a tour through automata theory. In: Avron, A., Dershowitz, N., Rabinovich, A. (eds.) Pillars of Computer Science. LNCS, vol. 4800, pp. 635–655. Springer, Heidelberg (2008)
39. Torre, S.L., Madhusudan, P., Parlato, G.: Context-bounded analysis of concurrent queue systems. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 299–314. Springer, Heidelberg (2008)
40. Zielonka, W.: Notes on finite asynchronous automata. RAIRO – Informatique Théorique et Applications 21, 99–135 (1987)
Trust in Anonymity Networks Vladimiro Sassone, Sardaouna Hamadou, and Mu Yang ECS, University of Southampton
Abstract. Anonymity is a security property of paramount importance, as we move steadily towards a wired, online community. Its import touches upon subjects as different as e-governance, e-business and e-leisure, as well as personal freedom of speech in authoritarian societies. Trust metrics are used in anonymity networks to support and enhance reliability in the absence of verifiable identities, and a variety of security attacks currently focus on degrading a user's trustworthiness in the eyes of the other users. In this paper, we analyse the privacy guarantees of the Crowds anonymity protocol, with and without onion forwarding, for standard and adaptive attacks against the trust level of honest users.
1 Introduction

Protecting online privacy is an essential part of today's society and its importance is increasingly recognised as crucial in many fields of computer-aided human activity, such as e-voting, e-auctions, bill payments, online betting and electronic communication. One of the most common mechanisms for privacy is anonymity, which generally refers to the condition of being unidentifiable within a given set of subjects, known as the anonymity set. Many schemes have been proposed to enforce privacy through anonymity networks (e.g. [6, 15, 19, 24, 25]). Yet, the open nature of such networks, and the unaccountability which results from the very idea of anonymity, make the existing systems prone to various attacks (e.g. [10, 18, 22, 23]). An honest user may have to suffer repeated misbehaviour (e.g., receiving infected files) without being able to identify the malicious perpetrator. Keeping users anonymous also conceals their trustworthiness, which in turn makes the information exchanged through system transactions untrustworthy as well. Consequently, a considerable amount of research has recently been focussing on the development of trust-and-reputation-based metrics aimed at enhancing the reliability of anonymity networks [7–9, 11, 31, 33]. Developing an appropriate trust metric for anonymity is very challenging, because trust and anonymity are seemingly conflicting notions. Consider for instance the trust networks of Figure 1. In (a), peer A trusts B and D, who both trust C. Assume now that C wants to request a service from A anonymously, by proving her trustworthiness to A (i.e., the existence of a trust link to it). If C can prove that she is trusted by D without revealing her identity (using e.g. a zero-knowledge proof [3]), then A cannot distinguish whether the request originated from C or E. Yet, A's trust in D could be insufficient to obtain that specific service from A.
Therefore, C could strengthen her request by proving that she is trusted by both D and B. This increases the trust guarantee. Unfortunately, it also decreases C's anonymity, as A can compute the intersection of

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 48–70, 2010.
© Springer-Verlag Berlin Heidelberg 2010
Fig. 1. Trust networks [3]
peers trusted by both D and B, and therefore restrict the range of possible identities for the request's originator, or even identify C uniquely. Indeed, consider Figure 1(b). Here the trust level between two principals is weighted, and trust between two non-adjacent principals is computed by multiplying the values over link sequences in the obvious way. Assume that the reliability constraint is that principal X can send (resp. receive) a message to (from) principal Y if and only if her trust in Y is not lower than 60%. Principal E can therefore only communicate through principal D. So, assuming that trust values are publicly known, E cannot possibly keep her identity from D as soon as she tries to interact at all. These examples document the existence of an inherent trade-off between anonymity and trust. The fundamental challenge is to achieve an appropriate balance between practical privacy and acceptable network performance.

Community-based reputation systems are becoming increasingly popular, both in the research literature and in practical applications. They are systems designed to estimate the trustworthiness of principals participating in some activity, as well as to predict their future behaviour. Metrics for trustworthiness are primarily based on peer review, where peers rate each other according to the quality they experienced in their past mutual interactions [12, 13, 20]. A good reputation indicates a peer's good past behaviour, and is reflected in a high trust value. Recent research in this domain has raised fundamental issues in the design of reputation management systems for anonymous networks. In particular:
1. what metrics are suitable for computing trust in a given application field?
2. how to ensure the integrity of the peers' trust values, i.e., how to securely store and access trust values in the presence of malicious peers?
3. how to ensure that honest users accurately rate other members?
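The weighted-trust computation used for Figure 1(b) above, multiplying link values along a path and comparing against the 60% threshold, can be sketched as follows. The concrete weights are hypothetical; the figure's actual values are not reproduced here.

```python
# Transitive trust as the product of link weights along a path, with a
# 60% admission threshold.  The weights below are hypothetical examples.
trust = {('E', 'D'): 0.9, ('D', 'C'): 0.8, ('D', 'A'): 0.7, ('E', 'B'): 0.5}

def path_trust(path):
    """Multiply trust values over consecutive links of the path."""
    t = 1.0
    for x, y in zip(path, path[1:]):
        t *= trust[(x, y)]
    return t

def can_send(path, threshold=0.6):
    """Reliability constraint: trust along the path must reach the threshold."""
    return path_trust(path) >= threshold

print(round(path_trust(['E', 'D', 'C']), 2), can_send(['E', 'D', 'C']))  # 0.72 True
print(path_trust(['E', 'B']), can_send(['E', 'B']))                      # 0.5 False
```

With these example weights, E can reach C only through D, which is exactly the situation in which E cannot hide her identity from D.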
The latter issue requires a mechanism to distinguish a user's bad behaviour resulting from her being under attack from deliberately malicious behaviour. This is a challenging and fundamental problem. Indeed, if we cannot accurately tell these two situations apart, malicious users will target honest members in order to degrade their performance, and hence reduce other members' trust in them, while maintaining their own apparent good behaviour. Thus, honest users may in the long term end up enjoying
very low trust levels, while attackers might see their reputation increased, thereby increasing their probability of being trusted by others. Over time this will, of course, severely affect the system's anonymity performance. Nevertheless, although a considerable effort has recently been devoted to tackling the first two issues [7, 8, 31], to the best of our knowledge the latter has so far been relatively ignored. In this paper we investigate the effect of attacks on the trust level of honest users on the security of existing anonymity networks, such as Reiter and Rubin's Crowds protocol [28] and onion routing networks [10]. The Crowds protocol allows Internet users to perform anonymous web transactions by sending their messages through a random chain of users participating in the protocol. Each user in the 'crowd' must establish a path between herself and a set of servers by selecting randomly some users to act as routers (or forwarders). The formation of such routing paths is performed so as to guarantee that users do not know whether their predecessors are message originators or just forwarders. Each user only has access to messages routed through her. It is well known that Crowds cannot ensure strong anonymity in the presence of corrupt participants [5, 28]; yet, when the number of corrupt users is sufficiently small, it provides a weaker notion of anonymity known as probable innocence. Informally, a sender is probably innocent if, to an attacker, she is no more likely to be the message originator than not to be. Networks based on onion routing are distributed anonymising networks that use onion routing [32] to provide anonymity to their users. Similarly to Crowds, users choose randomly a path through the network in which each node knows its predecessor and successor, but no other node.
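The probable-innocence guarantee just recalled can be made quantitative. The sketch below encodes the standard Crowds analysis of Reiter and Rubin (not this paper's new attacks): in a crowd of n members of which c are corrupt, with forwarding probability pf, the first corrupt node on a path sees the true initiator as its predecessor with probability P = 1 - pf(n - c - 1)/n, and probable innocence (P ≤ 1/2) holds iff n ≥ pf/(pf - 1/2) · (c + 1). A Monte Carlo simulation of path formation is included as a cross-check.

```python
import random

def prob_initiator_exposed(n, c, pf):
    """P(first corrupt node's predecessor is the initiator | path meets one)."""
    return 1 - pf * (n - c - 1) / n

def probably_innocent(n, c, pf):
    """Reiter-Rubin condition: P <= 1/2, i.e. n >= pf/(pf - 1/2) * (c + 1)."""
    return prob_initiator_exposed(n, c, pf) <= 0.5

def simulate(n, c, pf, trials=100_000):
    """Monte Carlo estimate of P over paths that do meet a corrupt member."""
    hits = paths = 0
    for _ in range(trials):
        prev = 0                          # the initiator (honest member 0)
        while True:
            nxt = random.randrange(n)     # members n-c .. n-1 are corrupt
            if nxt >= n - c:              # corrupt node reached: it sees `prev`
                paths += 1
                hits += (prev == 0)
                break
            if random.random() >= pf:     # honest member delivers to the server
                break
            prev = nxt                    # honest member forwards
    return hits / paths

n, c, pf = 20, 3, 0.75
print(probably_innocent(n, c, pf))        # True: 20 >= 3 * (c + 1) = 12
```

For these parameters P = 1 - 0.75 · 16/20 = 0.4, and the simulated estimate converges to the same value.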
The main difference with respect to Crowds is that traffic flows through the path in cells, which are created by the initiator by successively encrypting the message with the session keys of the nodes in the path, in reverse order. Each node, on receiving the message, peels off the topmost layer, discovers who the next node is, and then relays it forward. In particular, only the last node can see the message in clear and learn its final destination. In this paper we propose two variants of the congestion attacks in the literature, aimed at deteriorating the trust level of target users in different extensions of the Crowds protocol. More specifically, we first extend the protocol so that trust is used to inform the selection of forwarding users. Our analysis of this extension shows that a DoS-type attack targeting a user who initially enjoys satisfactory anonymity protection may threaten her privacy, as her trust level quickly decreases over time. We then extend the protocol further with a more advanced message-forwarding technique, namely onion routing. While this extension offers much better protection than the previous one, our analysis ultimately shows that it suffers from similar DoS attacks.

Related work. Anonymity networks date back thirty years, to when Chaum introduced the concept of mixnet [6] for anonymous communications, where different sources send encrypted messages to a mix which forwards them to their respective destinations. Various designs [1, 10, 15, 24–26, 28, 29, 32] have since been proposed to improve on Chaum's mixes, e.g., by combinations of artificial delays, variation in message ordering, encrypted message formats, message batching, and random chaining of multiple mixes. A variety of attacks [2, 4, 10, 14, 18, 21–23, 27] have since been discovered against such anonymity systems. Those most related to the present work are the so-called congestion or clogging attacks. In a congestion attack, the adversary monitors the flow through a node, builds paths through other nodes, and tries to use all of their available capacity [2]. The idea is that if the congested node belongs to the monitored path, the variation in the messages' arrival times will be reflected at the monitored node. In [23], Murdoch and Danezis describe a congestion attack that may allow them to reveal all of Tor's routers (cf. [10]) involved in a path. However, although their attack works well against a Tor network of a relatively small size, it fails against networks of typical sizes, counting nodes in the thousands. More recently, Evans et al. [14] improved Murdoch and Danezis's attack so as to practically deanonymise Tor's users in the currently deployed system. A similar attack against MorphMix [29] was recently described by McLachlan and Hopper [21], proving wrong the previously held view that MorphMix is robust against such attacks [34]. Finally, a congestion attack is used by Hopper et al. [18] to estimate the latency between the source of a message and its first relay in Tor. In loc. cit. the authors first use a congestion attack to identify the path, and then create a parallel circuit through the same path to make their measurements. Numerous denial-of-service (DoS) attacks have been reported in the literature. In particular, the 'packet spinning' attack of [27] tries to lure users into selecting malicious relays by targeting honest users with DoS attacks. The attacker creates long circular paths involving honest users and sends large amounts of data through the paths, forcing the users to employ all their bandwidth and then time out. These attacks motivate the demand for mechanisms to enhance the reliability of anonymity networks. In recent years, a considerable amount of research has focused on defining such mechanisms. In particular, trust- and reputation-based metrics are quite popular in this domain [3, 7–9, 11, 31, 33].
Enhancing reliability through trust not only improves the system's usability, but may also increase its anonymity guarantees. Indeed, a trust-based selection of relays improves both the reliability and the anonymity of the network, by delivering messages through 'trusted' routers. Moreover, the more reliable the system, the more users it may attract, and hence the stronger the anonymity guarantee afforded by a growing anonymity set. Introducing trust in anonymity networks does however open the flank to novel security attacks, as we prove in this paper. In a recent paper of ours [30] we analysed the anonymity provided by Crowds extended with some trust information, yet against a completely different threat model. The two papers differ in several ways. Firstly, [30] considers a global and 'credential-based' trust notion, unlike the individual- and reputation-based trust considered here. Secondly, in [30] we considered an attack scenario where all protocol members are honest but vulnerable to being corrupted by an external attacker. The global and fixed trust in a user contrasts with the local and dynamic trust of this paper, as it is meant to reflect the user's degree of resistance against corruption, that is, the probability that the external attacker will fail to corrupt her. That paper derives necessary and sufficient conditions to define a 'social' policy of selecting relay nodes so as to achieve a given level of anonymity protection for all members against such attackers, as well as a 'rational' policy maximising one's own privacy.

Structure of the paper. The paper is organised as follows: in §2 we fix some basic notation and recall the fundamental ideas of the Crowds protocol and its properties, including the notion of probable innocence. In §3 we present our first contribution: the Crowds protocol extended with trust information, in the form of a forwarding policy for its participating members, and study the privacy properties of the resulting protocol; §4 repeats the analysis for an extension of the protocol with a more advanced forwarding technique inspired by onion routing. Finally, §5 introduces a new 'adaptive' attack scenario, and presents some preliminary results on its analysis, both for the protocol with and without onion forwarding.
2 Crowds

In this section, we briefly revise the Crowds protocol and the notion of probable innocence.

2.1 The Protocol

Crowds is a protocol proposed by Reiter and Rubin in [28] to allow Internet users to perform anonymous web transactions by protecting their identities as originators of messages. The central idea to ensure anonymity is that the originator forwards the message to another, randomly selected user, who in turn forwards the message to a third user, and so on, until the message reaches its destination (the end server). This routing process ensures that, even when a user is detected sending a message, there is a substantial probability that she is simply forwarding it on behalf of somebody else. More specifically, a crowd consists of a fixed number of users participating in the protocol. Some members (users) of the crowd may be corrupt (the attackers), and they collaborate in order to discover the originator's identity. The purpose of the protocol is to protect the identity of the message originator from the attackers. When an originator, also known as initiator, wants to communicate with a server, she creates a random path between herself and the server through the crowd by the following process.

– Initial step: the initiator selects randomly a member of the crowd (possibly herself) and forwards the request to her. We refer to the latter user as the forwarder.
– Forwarding steps: a forwarder, upon receiving a request, flips a biased coin. With probability 1 − p_f she delivers the request to the end server. With probability p_f she selects randomly a new forwarder (possibly herself) and forwards the request to her. The new forwarder repeats the same forwarding process.

The response from the server to the originator follows the same path in the opposite direction.
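The forwarding process just described is straightforward to simulate. The following Python sketch is an illustration of ours, not code from the paper (the function name `run_crowds` and the convention of numbering honest users first are our own); it estimates how often the detected user, i.e. the first honest member to forward to a corrupt one, is actually the initiator:

```python
import random

def run_crowds(n, c, p_f, rng):
    """Simulate one Crowds path started by honest initiator 0.
    Users 0..n-c-1 are honest, users n-c..n-1 are corrupt.
    Returns the detected user (the first honest member who forwards
    to a corrupt one), or None if the request reaches the end server
    without ever passing through an attacker."""
    sender = 0                     # the initiator forwards without flipping the coin
    forwarder = rng.randrange(n)   # initial step: pick any member, possibly herself
    while forwarder < n - c:       # the forwarder is honest
        sender = forwarder
        if rng.random() >= p_f:    # with probability 1 - p_f, deliver to the server
            return None
        forwarder = rng.randrange(n)
    return sender                  # a corrupt member has seen its predecessor

rng = random.Random(42)
runs = [run_crowds(8, 1, 0.7, rng) for _ in range(200_000)]
hits = [d for d in runs if d is not None]
estimate = sum(d == 0 for d in hits) / len(hits)
print(f"P(detected user = initiator | detection) ~ {estimate:.3f}")
```

With n = 8, c = 1 and p_f = 0.7 the estimate comes out near 0.475, which can be checked against the closed form recalled in §2.2.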
Users (including corrupt users) are assumed to only have access to messages routed through them, so that each user only knows the identities of her immediate predecessor and successor in the path, as well as the server.

2.2 Probable Innocence

Reiter and Rubin proposed in [28] a hierarchy of anonymity notions in the context of Crowds. These range from 'absolute privacy,' where the attacker cannot perceive the presence of an actual communication, to 'provably exposed,' where the attacker can prove a sender-and-receiver relationship. Clearly, like most protocols used in practice,
Crowds cannot ensure absolute privacy in the presence of attackers or corrupt users, but can only provide weaker notions of anonymity. In particular, in [28] the authors propose an anonymity notion called probable innocence and prove that, under some conditions on the protocol parameters, Crowds ensures the probable innocence property to the originator. Informally, they define it as follows:
A sender is probably innocent if, from the attacker's point of view, she appears no more likely to be the originator than to not be the originator.  (1)
In other words, the attacker may have reason to suspect the sender of being more likely than any other potential sender to be the originator, but it still appears at least as likely that she is not. We use capital letters A, B to denote discrete random variables, the corresponding small letters a, b for their values, and calligraphic letters for their sets of values. We denote by P(a), P(b) the probabilities of a and b respectively, and by P(a, b) their joint probability. The conditional probability of a given b is defined as

$$P(a \mid b) = \frac{P(a, b)}{P(b)}.$$

Bayes' Theorem relates the conditional probabilities P(a | b) and P(b | a) as follows:

$$P(a \mid b) = \frac{P(b \mid a)\, P(a)}{P(b)}. \qquad (2)$$
Let n be the number of users participating in the protocol and let c and n − c be the number of corrupt and honest members, respectively. Since anonymity only makes sense for honest users, we define the set of anonymous events as A = {a_1, a_2, ..., a_{n−c}}, where a_i indicates that user i is the initiator of the message. As is usually the case in the analysis of Crowds, we assume that attackers will always deliver a request to forward immediately to the end server, since forwarding it any further cannot help them learn anything more about the identity of the originator. Thus in any given path there is at most one detected user: the first honest member to forward the message to a corrupt member. Therefore we define the set of observable events as O = {o_1, o_2, ..., o_{n−c}}, where o_j indicates that user j forwarded a message to a corrupt user. In this case we also say that user j is detected by the attacker. Reiter and Rubin [28] formalise their notion of probable innocence via the conditional probability that the initiator is detected given that any user is detected at all. This property can be written in our setting as the probability that user i is detected given that she is the initiator, that is, the conditional probability P(o_i | a_i).¹ Probable innocence holds if

$$\forall i.\; P(o_i \mid a_i) \le \frac{1}{2} \qquad (3)$$

¹ We are only interested in the case in which a user is detected, although for the sake of simplicity we shall not note that condition explicitly.
Reiter and Rubin proved in [28] that, in Crowds, the following holds:

$$P(o_j \mid a_i) = \begin{cases} 1 - \dfrac{n-c-1}{n}\, p_f & i = j \\[6pt] \dfrac{p_f}{n} & i \ne j \end{cases} \qquad (4)$$

Therefore, probable innocence (3) holds if and only if

$$n \ge \frac{p_f}{p_f - 1/2}\,(c + 1) \quad \text{and} \quad p_f \ge \frac{1}{2}.$$
As previously noticed in several papers (e.g., [5]), there is a mismatch between the idea of probable innocence expressed informally by (1), and the property actually proved by Reiter and Rubin, viz. (3). The former seems indeed to correspond to the following interpretation given by Halpern and O'Neill [16]:

$$\forall i, j.\; P(a_i \mid o_j) \le \frac{1}{2}. \qquad (5)$$

In turn, this has been criticised for relying on the probability of users' actions, which the protocol is not really in control of, and for being too strong. However, both (3) and (5) work satisfactorily for Crowds, thanks to its high symmetry: in fact, they coincide under its standard assumption that the a priori distribution is uniform, i.e., that each honest user has equal probability of being the initiator, which we follow in this paper too. We remark that the concept of probable innocence was recently generalised in [17]. Instead of just comparing the probability of being innocent with the probability of being guilty, the paper focusses on the degree of innocence. Formally, given a real number α ∈ [0, 1], a protocol satisfies α-probable innocence if and only if

$$\forall i, j.\; P(a_i \mid o_j) \le \alpha \qquad (6)$$

Clearly α-probable innocence coincides with standard probable innocence for α = 1/2.
3 Trust in Crowds

In the previous section we revised the fundamental ideas of the Crowds protocol and its properties under the assumption that all members are deemed equal. However, as observed in §1, this is clearly not a realistic assumption for today's open and dynamic systems. Indeed, as shown by the so-called 'packet spinning' attack [27], malicious users can attempt to make honest users select bogus routers by causing legitimate routers to time out. The use of attributes relating to some level of trust is therefore pivotal to enhancing the reliability of the system. In this section, we first reformulate the Crowds protocol under a novel scenario where the interaction between participating users is governed by their level of mutual trust; we then evaluate its privacy guarantees using property (6). We then focus on the analysis of attacks on the trust level of honest users and their impact on the anonymity of the extended protocol. Finally, we investigate the effect of a congestion attack [14] on the trust level of honest users.
Trust in Anonymity Networks
3.1 Crowds Extended

We now extend the Crowds protocol to factor in a notion of trust for its participating members. To this end, we associate a trust level t_{ij} to each pair of users i and j, representing user i's trust in user j. Accordingly, each user i defines her policy of forwarding to other members (including herself) based on her trust in each of them. A policy of forwarding for user i is a discrete probability distribution {q_{i1}, q_{i2}, ..., q_{in}}, where q_{ij} denotes the probability that i chooses j as the forwarder, once she has decided to forward the message. A natural extension of Crowds would obviously allow the initiator to select her first forwarder according to her own policy, and then leave it to the forwarder to pick the next relay, according to the forwarder's policy. This would however have the counterintuitive property that users not trusted by the initiator may take part in the path, just because they are trusted by a subsequent forwarder. We rather take the same view as most current systems, namely that the initiator is in charge of selecting the entire path which will carry her transactions. When an initiator wants to communicate with a server, she selects a random path through the crowd between herself and the server by the following process.

– First forwarder: with probability q_{ij} the initiator i selects a member j of the crowd (possibly herself) according to her policy of forwarding {q_{i1}, q_{i2}, ..., q_{in}}.
– Subsequent forwarders: the initiator flips a biased coin; with probability 1 − p_f the current forwarder will be the last on the path, referred to as the path's exit user. Otherwise, with probability p_f × q_{ik}, she selects k (possibly herself) as the next forwarder in the path; and so on until a path's exit user is reached.

The initiator then creates the path iteratively as follows. She establishes a session key by performing an authenticated key exchange protocol, such as Diffie-Hellman,² with the first forwarder F_1.
At each subsequent iteration i ≥ 2, the initiator uses the partially-formed path to send F_{i−1} an encrypted key exchange message to be relayed to F_i. In this way the path is extended to F_i, and the use of session keys guarantees that any intermediary router only knows her immediate predecessor and successor. Once the path is formed, messages from the initiator to the server are sent in the same way as in the normal Crowds. Thus, all the nodes in the path have access to the content of the message and, obviously, to the end server. In particular, this means that the notion of detection remains the same in the extended protocol as in the original one. We now use our probabilistic framework to evaluate the extended Crowds protocol. We start by evaluating the conditional probability P(o_j | a_i). Let η_i (resp. ζ_i = 1 − η_i) be the overall probability that user i chooses an honest (resp. corrupt) member as a forwarder. Then we have the following result.

Proposition 1.

$$P(o_j \mid a_i) = \zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}\,,$$

where $\eta_i = \sum_{k \le n-c} q_{ik}$, $\zeta_i = \sum_{k \le c} q_{ik}$ (the total probability i assigns to the c corrupt members), and $\delta_{ij} = 1$ if $i = j$ and $0$ otherwise.

² We assume that public keys of participating users are known.
V. Sassone, S. Hamadou, and M. Yang
Proof. Let k denote the position occupied by the first honest user preceding an attacker on the path, with the initiator occupying position zero. Let P(o_j | a_i)^{(k)} denote the probability that user j is detected exactly at position k. Only the initiator can be detected at position zero, and the probability that this happens is equal to the overall probability that the initiator chooses a corrupt member as a forwarder. Therefore

$$P(o_j \mid a_i)^{(0)} = \begin{cases} \zeta_i & i = j \\ 0 & i \ne j \end{cases}$$

Now the probability that j is detected at position k > 0 is given by

– the probability that she decides to forward k times and picks k − 1 honest users, i.e., $p_f^{k-1}\,\eta_i^{k-1}$ (recall that at the initial step she does not flip the coin),
– times the probability of choosing j as the k-th forwarder, i.e., $q_{ij}$,
– times the probability that she picks any attacker at stage k + 1, i.e., $\zeta_i\, p_f$.

Therefore

$$\forall k \ge 1,\quad P(o_j \mid a_i)^{(k)} = \eta_i^{k-1}\, p_f^{k}\, q_{ij}\,\zeta_i$$

and hence

$$\begin{aligned}
P(o_j \mid a_i) &= \sum_{k=0}^{\infty} P(o_j \mid a_i)^{(k)} \\
&= \zeta_i\,\delta_{ij} + \sum_{k=1}^{\infty} \eta_i^{k-1}\, p_f^{k}\, q_{ij}\,\zeta_i \\
&= \zeta_i\,\delta_{ij} + \sum_{k=0}^{\infty} \eta_i^{k}\, p_f^{k+1}\, q_{ij}\,\zeta_i \\
&= \zeta_i\,\delta_{ij} + p_f\, q_{ij}\,\zeta_i \sum_{k=0}^{\infty} \eta_i^{k}\, p_f^{k} \\
&= \zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}\,.
\end{aligned}$$

An immediate consequence is that when user i initiates a transaction, user j is not detectable if and only if the initiator's policy of forwarding never chooses an attacker or j as forwarder.

Corollary 1. P(o_j | a_i) = 0 if and only if one of the following holds: 1. ζ_i = 0; 2. q_{ij} = 0 and i ≠ j.

Now, let us compute the probability of detecting a user, P(o_j). We assume a uniform distribution for anonymous events.
Proposition 2. If the honest members are equally likely to initiate a transaction, then

$$P(o_j) = \frac{1}{n-c}\left(\zeta_j + \sum_{i \le n-c} \frac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}\right),$$

where ζ_j and η_i are defined as in Proposition 1.

Proof. Since the anonymous events are uniformly distributed, P(a_i) = 1/(n − c) for all i. Thus

$$\begin{aligned}
P(o_j) &= \sum_{i \le n-c} P(o_j \mid a_i)\, P(a_i) = \frac{1}{n-c} \sum_{i \le n-c} P(o_j \mid a_i) \\
&= \frac{1}{n-c} \sum_{i \le n-c} \left(\zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}\right) \\
&= \frac{1}{n-c}\left(\zeta_j + \sum_{i \le n-c} \frac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}\right).
\end{aligned}$$

As one could expect, a user j is not detectable if both she herself and any user i that might include j in her path never choose a corrupt member as a forwarder. Formally:

Corollary 2. P(o_j) = 0 if and only if ζ_j = 0 and ∀i. (q_{ij} = 0 or ζ_i = 0).

Now, from Propositions 1 and 2 and Bayes' Theorem (2), we obtain the following expression for the degree of anonymity provided by the extended protocol, which holds when P(o_j) ≠ 0.

Proposition 3. If the honest members are equally likely to initiate a transaction, then

$$P(a_i \mid o_j) = \frac{\zeta_i\,\delta_{ij} + \dfrac{q_{ij}\,\zeta_i\, p_f}{1 - \eta_i\, p_f}}{\zeta_j + \displaystyle\sum_{k \le n-c} \frac{q_{kj}\,\zeta_k\, p_f}{1 - \eta_k\, p_f}}\,,$$

where ζ_i and η_i are defined as above. It is now easy to see that if all honest users have uniform probability distributions as forwarding policies, the extended protocol reduces to the original Crowds protocol.
Corollary 3. If for all i and j, q_{ij} = 1/n, then η_i = (n − c)/n and ζ_i = c/n. Therefore

$$P(a_i \mid o_j) = \begin{cases} 1 - \dfrac{n-c-1}{n}\, p_f & i = j \\[6pt] \dfrac{p_f}{n} & i \ne j \end{cases}$$
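Propositions 1 and 3 translate directly into code. The sketch below is an illustration of ours (the names `cond_detect` and `posterior` are hypothetical); it represents the forwarding policies as a matrix q with the honest users listed first, and recovers the plain-Crowds figures of Corollary 3 for uniform policies:

```python
def cond_detect(q, n_honest, p_f, i, j):
    """Proposition 1: P(o_j | a_i). Row q[i] is user i's forwarding
    policy; users 0..n_honest-1 are honest, the remaining ones corrupt."""
    eta = sum(q[i][:n_honest])      # probability of picking an honest forwarder
    zeta = sum(q[i][n_honest:])     # probability of picking a corrupt forwarder
    delta = 1.0 if i == j else 0.0
    return zeta * delta + q[i][j] * zeta * p_f / (1 - eta * p_f)

def posterior(q, n_honest, p_f, i, j):
    """Proposition 3: P(a_i | o_j) under a uniform prior; the common
    1/(n - c) factor cancels between numerator and denominator."""
    total = sum(cond_detect(q, n_honest, p_f, k, j) for k in range(n_honest))
    return cond_detect(q, n_honest, p_f, i, j) / total

n, c, p_f = 8, 1, 0.7
uniform = [[1 / n] * n for _ in range(n)]
print(f"{posterior(uniform, n - c, p_f, 0, 0):.4f}")   # i = j: 1 - (6/8)*0.7
print(f"{posterior(uniform, n - c, p_f, 1, 0):.4f}")   # i != j: 0.7/8
```

The same two functions reproduce the counterexample of §3.2 below: with policies {1/3, 1/3, 1/3, 0} for the first two honest users and {0.33, 0.33, 0.33, 0.01} for the third, `posterior` evaluates to 1 for the third user while her `cond_detect` value stays below 0.0165.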
3.2 On the Security of Extended Crowds

Here we show that the absence of a uniform forwarding policy makes it very hard to achieve probable innocence as defined by Halpern and O'Neill (5). Indeed, consider the following instance of the protocol, where three honest users {1, 2, 3} face a single attacker {4}. Assume that the honest users are aware of the malicious behaviour of 4, and choose their forwarding policies as follows: p_f = 2/3, q_{1j} = q_{2j} = 1/3, and q_{3j} = 0.33 for all j ≤ 3. In other words, the first two choose uniformly among the honest users as forwarders and never pick the attacker, whilst the third one may choose the attacker, though with a small probability q_{34} = 0.01. Thus, ζ_1 = ζ_2 = q_{14} = q_{24} = 0 and ζ_3 = q_{34} = 0.01. It follows that P(a_3 | o_j) = 1 for all j, and the instance does not ensure probable innocence, even though the third user's policy is after all very similar to those of the other honest users. This is because if someone is detected, then user 3 is necessarily the initiator, as she is the only one who might possibly pick the attacker in her path. Observe however that this instance of the protocol ensures probable innocence in Reiter and Rubin's formulation: indeed, for all honest users i and j, P(o_j | a_i) < 0.0165. The key difference at play here is that Halpern and O'Neill's definition is stronger, as it focuses on the probability that a specific user is the initiator once somebody has been detected, regardless of the probability of the detection event. On the other hand, Reiter and Rubin's formula measures exactly (the conditional probability of) the latter. This means that if the probability of detection is small, as in this case, systems may be classified as statistically secure even when one such detection event may lead to complete exposure for some initiators.

Attacking trust.
As already observed by its authors, Crowds is vulnerable to denial-of-service (DoS) attacks: it is enough for a single malicious router to delay her forwarding action to severely hinder the viability of an entire path. This kind of attack is in fact hard for the initiator to respond to. Because the creation of multiple paths by any single user substantially increases her security risk, the initiator has a strong incentive to keep using the degraded path. Indeed, it is advisable in Crowds to modify a path only when it has collapsed irremediably, e.g. due to a system crash of a router, or to her quitting the crowd. In this case the path is rerouted from the node preceding the failed router. As a consequence, recent research has been devoted to developing 'trust metrics' meant to enhance the reliability of anonymity systems [7, 8, 31]. Although the primary goal of incorporating trust in anonymity networks is to 'enhance' the privacy guarantees by routing messages through trusted relays, preventing the presence of attackers in forwarding paths is in itself not sufficient. External attackers
Fig. 2. Crowds extended: (a) i = j = 7; (b) i ≠ j = 7
may in fact target honest users with DoS attacks independent of the protocol, to make them look unreliable and/or unstable. In this way, the targeted users will gradually lose other members' trust, whilst internal attackers may keep accruing good reputations. Thus, over time the trust mechanisms may become counterproductive. Let us illustrate an attack of this kind. Consider an instance of the protocol where seven honest users {1, 2, ..., 7} face a single attacker {8}, assume that 7 is the honest user targeted by the attack, and that all users are equally likely to initiate a transaction. Recall that a path in Crowds remains fixed for a certain amount of time, typically one day, known as a session. In practice, all transactions initiated by a given user follow the same path, regardless of their destination servers. At the end of the session, all existing paths are destroyed, new members can join the crowd, and each member willing to initiate anonymous transactions creates a new path. Trust-level updates therefore play their role at the beginning of each session. For the purpose of this example, we assume that the protocol is equipped with mechanisms to detect unstable routers (e.g., by monitoring loss of messages, timeouts, variations in response time, and so on); upon realising that her path is unstable, an initiator will notify all members of the identity of the unstable node (in this case 7).³ When a node is reported as unstable, all other honest nodes decrease their trust in her at the beginning of the following session. For simplicity, we assume that all users start with the same trust level τ, and that the target user remains fixed over time. The following policies of forwarding are therefore in place for each session, with n = 8, c = 1 and τ = 50.
$$q^{(k)}_{ij} = \begin{cases} \dfrac{1}{n} & i = 7 \\[6pt] \dfrac{\tau - k}{n\tau - k} & i \ne 7 \text{ and } j = 7 \\[6pt] \dfrac{\tau}{n\tau - k} & i \ne 7 \text{ and } j \ne 7\,. \end{cases}$$
In words, honest users other than the target decrease their trust in her by one and redistribute it uniformly to the remaining users. On the other hand, the target has no
³ This contrasts with the approach of [11], where the initiator would directly decrease her trust in all users in the path.
reason to change her trust, as there is no evidence to suspect anybody as the source of the external attack. Thus, her policy remains the same over time. Hence, we have

$$\zeta^{(k)}_i = \begin{cases} \dfrac{c}{n} & i = 7 \\[6pt] \dfrac{\tau}{n\tau - k} & \text{otherwise.} \end{cases}$$

Assuming that the forwarding probability is p_f = 0.7, Figure 2 shows the probability that the target will be identified over time. Clearly, the target's privacy deteriorates quickly, as it becomes increasingly unlikely that users other than herself pick her when building a path. In particular, after seven sessions the protocol can no longer ensure probable innocence, as the probability P(a_7 | o_7) becomes greater than 0.5.
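The session-by-session posteriors behind Figure 2 can be recomputed from Propositions 1 and 3. The following is a self-contained sketch of ours, with 0-based indices (users 0..6 honest, user 6 the target, corresponding to user 7 in the paper's numbering, and user 7 the attacker):

```python
def session_policies(k, n=8, tau=50, target=6):
    """Session-k policies q^{(k)}: every user other than the target shifts
    one unit of trust per session away from the target; the target keeps
    the uniform policy, having no one to suspect."""
    q = []
    for i in range(n):
        if i == target:
            q.append([1 / n] * n)
        else:
            row = [tau / (n * tau - k)] * n
            row[target] = (tau - k) / (n * tau - k)
            q.append(row)
    return q

def posterior(q, n_honest, p_f, i, j):
    """P(a_i | o_j) via Propositions 1 and 3 (uniform prior)."""
    def cond(a, b):
        eta, zeta = sum(q[a][:n_honest]), sum(q[a][n_honest:])
        return zeta * (a == b) + q[a][b] * zeta * p_f / (1 - eta * p_f)
    return cond(i, j) / sum(cond(k_, j) for k_ in range(n_honest))

curve = [posterior(session_policies(k), 7, 0.7, 6, 6) for k in range(9)]
print([round(v, 3) for v in curve])
```

The curve starts at 0.475 (the uniform value of Corollary 3) and climbs past 1/2 within about seven sessions, in line with Figure 2.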
4 Onion Forwarding in Crowds

In the previous section we analysed the privacy protection afforded by Crowds extended with a notion of trust. Following a similar pattern, in this section we focus on the privacy guarantees offered by our protocol when equipped with 'onion forwarding,' a superior forwarding technique used in systems actually deployed, such as Tor [10]. In Crowds, any user participating in a path has access to the cleartext messages routed through it. In particular, as all relay requests expose the message's final destination, a team of attackers will soon build up a host of observations suitable to classify the behaviour of honest participants. We recently proved in [17] that such extra attacker knowledge makes it very difficult to achieve anonymity in Crowds. The most effective technique available against such a risk is onion forwarding, originally used in the 'Onion Routing' protocol [32], and currently implemented widely in real-world systems. The idea is roughly as follows. When forming a path, the initiator establishes a set of session encryption keys, one for each user in it, which she then uses to repeatedly encrypt each message she routes through it, starting with the last node on the path and ending with the first. Each intermediate user, upon receiving the message, decrypts it with her key. Doing so, she 'peels' away the outermost layer of encryption, discovers who the next forwarder is, and relays the message as required. In particular, only the last node sees the message in clear and learns its actual destination. Thus, a transaction is detected only if the last user in the path, also known as the 'exit node,' is an attacker, in which case the last honest user in the path is detected.

4.1 Privacy Level under Onion Forwarding

Next we study the privacy ensured to each member participating in the protocol under the onion forwarding scheme. As we did earlier, we begin by computing the conditional probability P(o_j | a_i).
Proposition 4.

$$P(o_j \mid a_i) = (1 - p_f)\left(\zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{(1 - p_f)(1 - \zeta_i\, p_f)}\right).$$
Proof. Let k denote the last position occupied by an honest user preceding an attacker on the path, i.e., the position of the detected user. We denote by P(o_j | a_i)^{(k)} the probability that user j is detected exactly at position k. Again, only the initiator can be detected at position zero, and the probability that this happens is equal to the overall probability that the initiator chooses a corrupt member as a forwarder, multiplied by the probability that the latter is the last node in the path. Therefore

$$P(o_j \mid a_i)^{(0)} = \begin{cases} (1 - p_f)\,\zeta_i & i = j \\ 0 & i \ne j \end{cases}$$

Now the probability that j is detected at position k > 0 is given by

– the probability that she decides to forward k times and picks k − 1 users (it does not matter whether honest or not, as non-exit attackers cannot see the messages), i.e., $p_f^{k-1}$ (recall that at the initial step she does not flip the coin),
– times the probability of choosing j as the k-th forwarder, i.e., $q_{ij}$,
– times the probability that she picks some number k′ of attackers at the end of the path, i.e., $\sum_{k'=1}^{\infty} p_f^{k'}\,\zeta_i^{k'}\,(1 - p_f)$.

Therefore

$$\forall k \ge 1,\quad P(o_j \mid a_i)^{(k)} = p_f^{k-1}\, q_{ij} \sum_{k'=1}^{\infty} p_f^{k'}\,\zeta_i^{k'}\,(1 - p_f)\,,$$

and hence

$$\begin{aligned}
P(o_j \mid a_i) &= \sum_{k=0}^{\infty} P(o_j \mid a_i)^{(k)} \\
&= (1 - p_f)\,\zeta_i\,\delta_{ij} + \sum_{k=1}^{\infty} p_f^{k-1}\, q_{ij} \sum_{k'=1}^{\infty} p_f^{k'}\,\zeta_i^{k'}\,(1 - p_f) \\
&= (1 - p_f)\left(\zeta_i\,\delta_{ij} + q_{ij} \sum_{k=1}^{\infty} p_f^{k-1} \sum_{k'=1}^{\infty} p_f^{k'}\,\zeta_i^{k'}\right) \\
&= (1 - p_f)\left(\zeta_i\,\delta_{ij} + q_{ij}\,\frac{\zeta_i\, p_f}{1 - \zeta_i\, p_f} \sum_{k=1}^{\infty} p_f^{k-1}\right) \\
&= (1 - p_f)\left(\zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{1 - \zeta_i\, p_f}\cdot\frac{1}{1 - p_f}\right) \\
&= (1 - p_f)\left(\zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{(1 - p_f)(1 - \zeta_i\, p_f)}\right).
\end{aligned}$$

Corollary 4. P(o_j | a_i) = 0 if and only if one of the following holds: 1. ζ_i = 0; 2. q_{ij} = 0 and i ≠ j.
Now consider the probability of detecting a user, P(o_j). Assuming a uniform distribution of anonymous events we have the following result.

Proposition 5. If the honest members are equally likely to initiate a transaction, then

$$P(o_j) = \frac{1}{n-c}\left((1 - p_f)\,\zeta_j + \sum_{i \le n-c} \frac{q_{ij}\,\zeta_i\, p_f}{1 - \zeta_i\, p_f}\right).$$

Proof. Since the anonymous events are uniformly distributed, P(a_i) = 1/(n − c) for all i. Thus

$$\begin{aligned}
P(o_j) &= \sum_{i \le n-c} P(o_j \mid a_i)\, P(a_i) = \frac{1}{n-c} \sum_{i \le n-c} P(o_j \mid a_i) \\
&= \frac{1}{n-c} \sum_{i \le n-c} \left((1 - p_f)\,\zeta_i\,\delta_{ij} + \frac{q_{ij}\,\zeta_i\, p_f}{1 - \zeta_i\, p_f}\right) \\
&= \frac{1}{n-c}\left((1 - p_f)\,\zeta_j + \sum_{i \le n-c} \frac{q_{ij}\,\zeta_i\, p_f}{1 - \zeta_i\, p_f}\right).
\end{aligned}$$
We then have the same conditions of non-detectability as in the previous section; that is, the following result holds.

Corollary 5. P(o_j) = 0 if and only if ζ_j = 0 and ∀i. (q_{ij} = 0 or ζ_i = 0).

Now, from Propositions 4 and 5 and Bayes' Theorem, we have the following result.

Proposition 6. If the honest members are equally likely to initiate a transaction, then

$$P(a_i \mid o_j) = \frac{\zeta_i\,\delta_{ij} + \dfrac{q_{ij}\,\zeta_i\, p_f}{(1 - p_f)(1 - \zeta_i\, p_f)}}{\zeta_j + \displaystyle\sum_{k \le n-c} \frac{q_{kj}\,\zeta_k\, p_f}{(1 - p_f)(1 - \zeta_k\, p_f)}}\,.$$

Now, from Propositions 3 and 6, we can effectively prove that the privacy level ensured by the onion version is better than that offered by the version where messages are forwarded in cleartext. More formally, let P(a_i | o_j)_CR and P(a_i | o_j)_OR denote the probability that i is the initiator given that j is detected, under cleartext routing and onion routing respectively. Then the following holds.

Theorem 1. P(a_i | o_j)_OR ≤ P(a_i | o_j)_CR.
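Theorem 1 can be checked numerically by implementing the posteriors of Propositions 3 and 6 side by side. The sketch below is an illustration of ours (function names our own); we exercise the diagonal case i = j, i.e. the detected user being the initiator herself:

```python
def post_cr(q, n_honest, p_f, i, j):
    """P(a_i | o_j) under cleartext forwarding (Proposition 3)."""
    def cond(a, b):
        eta, zeta = sum(q[a][:n_honest]), sum(q[a][n_honest:])
        return zeta * (a == b) + q[a][b] * zeta * p_f / (1 - eta * p_f)
    return cond(i, j) / sum(cond(k, j) for k in range(n_honest))

def post_or(q, n_honest, p_f, i, j):
    """P(a_i | o_j) under onion forwarding (Proposition 6); the common
    factor (1 - p_f) cancels between numerator and denominator."""
    def cond(a, b):
        zeta = sum(q[a][n_honest:])
        return zeta * (a == b) + \
            q[a][b] * zeta * p_f / ((1 - p_f) * (1 - zeta * p_f))
    return cond(i, j) / sum(cond(k, j) for k in range(n_honest))

n, c, p_f = 8, 1, 0.7
q = [[1 / n] * n for _ in range(n)]
print(f"cleartext: {post_cr(q, n - c, p_f, 0, 0):.4f}")   # 0.4750
print(f"onion:     {post_or(q, n - c, p_f, 0, 0):.4f}")   # noticeably smaller
```

With uniform policies the initiator detected under onion forwarding is markedly less exposed than under cleartext forwarding, as Theorem 1 predicts.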
4.2 On the Security of the Onion Forwarding Version

As mentioned before, onion forwarding is the forwarding technique of choice in several real-world systems. Recent work [14, 18, 21–23] shows that such systems are vulnerable to so-called congestion attacks, which intuitively work as follows. Assume that the initiator selects a path which contains a corrupt user as the exit node. The attacker can then observe the pattern of arrival times of the initiator's requests, and tries to identify the entire path by selectively congesting the nodes she suspects to belong to it. Precisely, to determine whether or not a specific node occurs in the path, she asks a collaborating attacker to build a long path looping on the target node and ending with a corrupt node. Using this, the attacker perturbs the flow through the target node, so that if the latter also belongs to the path under observation, the perturbation will be reflected at its exit node.
Fig. 3. Congestion attack
Here we use a variant of the congestion attack which, similarly to the previous section, allows internal attackers to deteriorate the reputation of a targeted honest user, and does not require the attacker to belong to a path. Figure 3 illustrates the attack, where a long path is built looping as many times as possible over the target, preferably using different loops involving different users. Thanks to these properties, the target user will be kept significantly busy handling the same message again and again, whilst no other member of the path will be congested. Figure 4 illustrates the effect of this attack using the same example as in the cleartext forwarding version of §3. The results are completely in tune with those presented in Figure 2: even though the target node initially enjoys better anonymity protection, her anonymity will unequivocally fall, although more smoothly than in §3. In particular, after twenty sessions the protocol no longer ensures probable innocence, as the probability of identifying the target node becomes greater than 0.5.
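Repeating the session-by-session computation of §3, but with the posterior of Proposition 6, reproduces the slower degradation seen in Figure 4. This is again an illustrative, self-contained sketch of ours, with 0-based indices (user 6 the target, user 7 the attacker):

```python
def session_policies(k, n=8, tau=50, target=6):
    """Session-k policies q^{(k)} of the trust attack described in §3."""
    q = []
    for i in range(n):
        if i == target:
            q.append([1 / n] * n)
        else:
            row = [tau / (n * tau - k)] * n
            row[target] = (tau - k) / (n * tau - k)
            q.append(row)
    return q

def post_or(q, n_honest, p_f, i, j):
    """P(a_i | o_j) under onion forwarding (Proposition 6)."""
    def cond(a, b):
        zeta = sum(q[a][n_honest:])
        return zeta * (a == b) + \
            q[a][b] * zeta * p_f / ((1 - p_f) * (1 - zeta * p_f))
    return cond(i, j) / sum(cond(k, j) for k in range(n_honest))

curve = [post_or(session_policies(k), 7, 0.7, 6, 6) for k in range(25)]
print(f"session 0: {curve[0]:.3f}, session 20: {curve[20]:.3f}")
```

The target starts better protected than under cleartext forwarding (about 0.41 against 0.475 at session 0), but the posterior still crosses the 1/2 threshold after roughly twenty sessions.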
5 Adaptive Attackers

We have worked so far under the assumption that protocol participants behave either always honestly or always maliciously. Arguably, this is a rather unrealistic hypothesis
Fig. 4. Onion forwarding: (a) i = j = 7; (b) i ≠ j = 7
in open and dynamic systems, where honest nodes can become malicious upon being successfully attacked. In this section we take the more realistic view that nodes may become corrupt, and study a new kind of attacker, which we dub 'adaptive,' together with the attacks it enables. Adaptive attackers differ from those we considered so far in the paper, and indeed from those considered so far in the literature on Crowds, in that when they intercept a message, rather than just reporting its sender as the initiator, they attempt to travel the path back in order to improve their chance of catching the actual originator. They do so by trying to corrupt the sender of the message, say j_1. If the attack succeeds, then the attacker effectively learns from j_1 all she needs to identify j_1's predecessor on the path, say j_2, and repeats the adaptive attack on j_2, having moved a step closer to the initiator. The process is repeated iteratively until the attacker either fails to corrupt the current node (or times out whilst trying to), or reaches the beginning of the path. When that happens, the attacker reports the current node, say j_k, which is obviously a better candidate than j_1 to have originated the transaction. We regard this as a significant and realistic kind of attack, as there clearly is a multitude of ways in which the adaptive attacker may attempt to corrupt a node. These range from brute-force attacks via viruses and worms, which gain the attacker complete control over the node, to milder approaches based on luring the target into giving away some bit of information in exchange for some form of benefit; in general they are entirely independent of the Crowds protocol. We therefore do not postulate here about the means which may be available to the attacker to carry out her task, make no assumptions whatsoever about her power, and take the simplified view that each node has at all times the same probability π of becoming corrupted.
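A Monte Carlo sketch of the adaptive attack (our own illustration, restricted to uniform policies, with the per-meeting corruption probability π of the text) shows how the reported node drifts towards the initiator as π grows:

```python
import random

def adaptive_report(n, c, p_f, pi, rng):
    """One run of Crowds (uniform policies, honest initiator 0) against
    an adaptive attacker: upon detection, the attacker walks the path
    backwards, corrupting each predecessor with probability pi, and
    reports the node at which the walk stops. Returns the reported
    node, or None if no attacker joins the path."""
    path = [0]                      # honest users on the path, in order
    nxt = rng.randrange(n)          # initial step, no coin flip
    while nxt < n - c:              # next hop is honest
        path.append(nxt)
        if rng.random() >= p_f:
            return None             # delivered to the end server
        nxt = rng.randrange(n)
    pos = len(path) - 1             # the detected user
    while pos > 0 and rng.random() < pi:
        pos -= 1                    # corruption succeeded: one step back
    return path[pos]

def estimate(pi, trials=200_000, seed=7):
    rng = random.Random(seed)
    reports = [adaptive_report(8, 1, 0.7, pi, rng) for _ in range(trials)]
    hits = [r for r in reports if r is not None]
    return sum(r == 0 for r in hits) / len(hits)

print(f"reported = initiator: pi=0.0 -> {estimate(0.0):.3f}, "
      f"pi=0.6 -> {estimate(0.6):.3f}")
```

With π = 0 the attacker just reports the detected user, so about 0.475 of detections point at the initiator; with π = 0.6 the fraction rises well above that, illustrating why the adaptive attacker is strictly more dangerous.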
In the rest of the section we re-evaluate the privacy guarantees afforded by Crowds extended, with and without onion forwarding, under this new adaptive attack scenario. We shall however carry out the analysis under the unrealistic assumption that attackers must corrupt a node each time they meet her on the path. Recall in fact that a single node will typically appear several times in a path; an adaptive attacker, in her attempt to travel the path backwards towards the initiator, will therefore in general meet each node several times. Our assumption may be justified when an attack only gains the attacker access to just enough data to get to the node's last predecessor on the path, rather than to the entire set of them. On the other hand, the
Trust in Anonymity Networks
65
reason why this assumption is ultimately unsatisfactory is that it is overly dangerous to make limiting assumptions as to the degree of success of an attack, and to assess speculatively the extent to which a node's integrity is compromised; the methodologically correct attitude is to assume that the attacker has gained total control over the target. And when she has, by definition she simply has no need to corrupt the node again, and no new knowledge may be acquired by doing so. In the concluding section, we discuss a few preliminary ideas on how to remove this restriction in future work.

5.1 Crowds Extended

Our technical development proceeds mutatis mutandis as in §3 and §4. In particular, as before we first evaluate the conditional probability P(o_j | a_i); then, under the hypothesis that all honest users are equally likely to initiate a transaction, we compute P(o_j); and finally, using Bayes' theorem, we obtain P(a_i | o_j). In this section we omit all proofs. The probabilities P(o_i | a_i)^{(0)} and P(o_j | a_i)^{(1+)} that node i is detected at the initiator position, or at any position after that, can be expressed respectively as
\[
P(o_i \mid a_i)^{(0)} = \zeta_i + \frac{p_f\,\eta_i\,\zeta_i\,\pi}{1-\pi}\left(\frac{1}{1-p_f\,\eta_i} - \frac{\pi}{1-\pi\,p_f\,\eta_i}\right),
\]
\[
P(o_j \mid a_i)^{(1+)} = \frac{q_{ij}\,\zeta_i\,p_f}{1-p_f\,\eta_i} - \frac{q_{ij}\,\zeta_i\,\eta_i\,p_f^2\,\pi^2}{(1-\pi)(1-p_f\,\zeta_i)},
\]
which gives the following result, where again \(\delta_{ij} = 1\) if i = j, and 0 otherwise. The key to these formulae is to consider that when a user is detected at position h, this is potentially due to a detection at position h+k, for any k ≥ 0, whereby the attacker has successively travelled back k positions on the path, by either corrupting honest users with probability π or by meeting other attackers. The situation would be quite different were we to take into account that the attacker only needs to corrupt an honest user once, as π would no longer be a constant.

Proposition 7. \(P(o_j \mid a_i) = \delta_{ij}\,P(o_i \mid a_i)^{(0)} + P(o_j \mid a_i)^{(1+)}\).
Under the hypothesis of a uniform distribution of anonymous events, it is easy to prove the following.

Proposition 8. If the honest members are equally likely to initiate a transaction, then
\[
P(o_j) = \frac{1}{n-c}\Bigl(P(o_j \mid a_j)^{(0)} + \sum_{k \le n-c} P(o_j \mid a_k)^{(1+)}\Bigr).
\]
Now from Propositions 7 and 8 and Bayes' theorem, we have the following.
Fig. 5. Example in Crowds extended against adaptive attack: (a) i = j = 7, π = 0.02; (b) i ≠ j = 7, π = 0.02; (c) i = j = 7, π = 0.5; (d) i ≠ j = 7, π = 0.5
Proposition 9. If the honest members are equally likely to initiate a transaction, then
\[
P(a_i \mid o_j) = \frac{\delta_{ij}\,P(o_i \mid a_i)^{(0)} + P(o_j \mid a_i)^{(1+)}}{P(o_j \mid a_j)^{(0)} + \sum_{k \le n-c} P(o_j \mid a_k)^{(1+)}}.
\]
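Proposition 9 is in essence a Bayes inversion of the conditional detection probabilities under a uniform prior over the n − c honest users (the prior cancels out). A minimal numeric sketch, where the conditional values are invented for illustration and do not come from the paper's formulae:

```python
def posterior(cond, i, j):
    """Bayes inversion with a uniform prior over the honest users:
    P(a_i | o_j) = P(o_j | a_i) / sum_k P(o_j | a_k).
    cond[k][j] stands for P(o_j | a_k); the uniform prior 1/(n-c)
    cancels between numerator and denominator."""
    total = sum(row[j] for row in cond)
    return cond[i][j] / total

# Hypothetical conditionals for 3 honest users and events o_0..o_2.
cond = [
    [0.60, 0.20, 0.20],
    [0.25, 0.50, 0.25],
    [0.20, 0.20, 0.60],
]
post = [posterior(cond, i, 0) for i in range(3)]
assert abs(sum(post) - 1.0) < 1e-9  # posteriors over initiators sum to 1
assert post[0] == max(post)         # the detected user is the most likely one
```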
Of course, in case the attacker's attempts to travel back the path never succeed, the formula reduces to the one we found previously.

Corollary 6. If π = 0, that is, the attacker is not adaptive, then
\[
P(a_i \mid o_j) = \frac{\zeta_i\,\delta_{ij} + \dfrac{q_{ij}\,\zeta_i\,p_f}{1-\eta_i\,p_f}}{\zeta_j + \sum_{k \le n-c} \dfrac{q_{kj}\,\zeta_k\,p_f}{1-\eta_k\,p_f}},
\]
which is the same as Proposition 3.

Figure 5 illustrates the formulae P(a_7 | o_7) and P(a_i | o_7) for i ≠ 7 on our running example, where we add π = 0.02 and π = 0.5 to the existing parameters, viz., n = 8, c = 1, p_f = 0.7, and τ = 50. It is interesting here to observe the effect of the attacker's corruption power, insofar as that is represented by π: the larger π, the more lethal the attacker, the farther away the protocol from the standard one, and the more insecure. In particular, for π = 0.5 the system fails by a large margin to guarantee probable innocence even before the attack on 7's trust level starts.
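The probable-innocence criterion mentioned above can be checked mechanically once the posteriors have been computed. A sketch, assuming the usual reading (cf. Reiter and Rubin) that a detected user must appear no more likely than not to be the actual initiator; the posterior matrices below are invented for illustration:

```python
def satisfies_probable_innocence(posterior):
    """One common reading of probable innocence: P(a_i | o_i) <= 1/2
    for every honest user i. posterior[i][j] stands for P(a_j | o_i);
    the values used below are illustrative, not the paper's."""
    return all(row[i] <= 0.5 for i, row in enumerate(posterior))

# Hypothetical posteriors for three honest users.
safe   = [[0.40, 0.30, 0.30], [0.30, 0.45, 0.25], [0.30, 0.30, 0.40]]
unsafe = [[0.80, 0.10, 0.10], [0.10, 0.80, 0.10], [0.10, 0.10, 0.80]]
assert satisfies_probable_innocence(safe)
assert not satisfies_probable_innocence(unsafe)
```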
5.2 Onion Forwarding

Under onion forwarding, the adaptive attacker must appear as the last node on the path and, from there, starting with her predecessor, try to corrupt nodes back towards the originator. Following the same proof strategy as before, we obtain the following formulae:
\[
P(o_i \mid a_i)^{(0)} = (1-p_f)\,\zeta_i + \frac{p_f\,\eta_i\,\zeta_i\,\pi\,(1-p_f)}{(1-p_f\,\zeta_i)(1-\pi)}\left(\frac{1}{1-\eta_i\,p_f} - \frac{\pi}{1-\pi\,\eta_i\,p_f}\right),
\]
\[
P(o_j \mid a_i)^{(1+)} = \frac{q_{ij}\,\zeta_i\,p_f}{1-\zeta_i\,p_f} + \frac{p_f^2\,\eta_i\,\zeta_i\,\pi\,q_{ij}}{(1-p_f\,\zeta_i)(1-\pi)}\left(\frac{1}{1-\eta_i\,p_f} - \frac{\pi}{1-\pi\,\eta_i\,p_f}\right),
\]
and therefore:

Proposition 10. \(P(o_j \mid a_i) = \delta_{ij}\,P(o_i \mid a_i)^{(0)} + P(o_j \mid a_i)^{(1+)}\).
Now on to the probability of detecting a user, P(o_j).

Proposition 11. If the honest members are equally likely to initiate a transaction, then
\[
P(o_j) = \frac{1}{n-c}\Bigl(P(o_j \mid a_j)^{(0)} + \sum_{k \le n-c} P(o_j \mid a_k)^{(1+)}\Bigr).
\]
As before, the result below follows from Propositions 10 and 11 and Bayes' theorem.

Proposition 12. If the honest members are equally likely to initiate a transaction, then
\[
P(a_i \mid o_j) = \frac{\delta_{ij}\,P(o_i \mid a_i)^{(0)} + P(o_j \mid a_i)^{(1+)}}{P(o_j \mid a_j)^{(0)} + \sum_{k \le n-c} P(o_j \mid a_k)^{(1+)}}.
\]
Corollary 7. If π = 0, that is, the attacker is after all not adaptive, then
\[
P(a_i \mid o_j) = \frac{\zeta_i\,\delta_{ij} + \dfrac{q_{ij}\,\zeta_i\,p_f}{(1-p_f)(1-\zeta_i\,p_f)}}{\zeta_j + \sum_{k \le n-c} \dfrac{q_{kj}\,\zeta_k\,p_f}{(1-p_f)(1-\zeta_k\,p_f)}},
\]
which coincides with Proposition 6.

Finally, Figure 6 illustrates P(a_7 | o_7) and P(a_i | o_7) for i ≠ 7 on our running example, for π = 0.5. Although the graphs are shaped as in the previous cases, it is possible to notice the increased security afforded by onion forwarding.
Fig. 6. Onion forwarding against adaptive attacks: (a) i = j = 7; (b) i ≠ j = 7
6 Conclusion

In this paper we have presented an enhancement of the Crowds anonymity protocol via a notion of trust which allows crowd members to route their traffic according to their perceived degree of trustworthiness of other members. We formalised the idea quite simply by means of (variable) forwarding policies, with and without onion forwarding techniques. Our protocol variation has the potential to improve the overall trustworthiness of data exchanges in anonymity networks, something which may naturally not be taken for granted in a context where users are actively trying to conceal their identities. We then analysed the privacy properties of the protocol quantitatively, both for Crowds and onion forwarding, under standard and adaptive attacks. Our analysis in the case of adaptive attacks is incomplete, in that it assumes that attackers, whilst attempting to travel back over a path towards its originator, need to corrupt each honest node every time they meet her. Arguably, this is not so. Typically a node j will act according to a routing table, say T_j. This will contain, for each path id, a translation id and a forwarding address (either another user, or the destination server) and, in the case of onion forwarding, the relevant encryption key. (Observe that since path ids are translated at each step, j may not be able to tell whether or not two entries in T_j actually correspond to the same path and, therefore, may not know how many times she occurs on each path.) It is reasonable to assume that upon corruption an attacker c will seize T_j, so that if she ever reaches j again, c will find all the information needed to continue the attack just by inspecting T_j. Observe now that the exact sequence of users in the path is largely irrelevant to compute P(o_j | a_i). It only matters how many times each of them appears in between the attacker at the end of the path and the detected node.
Using some combinatorics, it is therefore relatively easy to write a series for P(o_j | a_i) based on summing a weighted probability over all possible occurrence patterns of n − c honest users and c attackers in the path. Quite a different story is to simplify that series so as to distill a usable formula. That is a significant task, which we leave for future work.

Acknowledgements. We thank Ehab ElSalamouny and Catuscia Palamidessi for their insights and for proofreading.
Learning I/O Automata Fides Aarts and Frits Vaandrager Institute for Computing and Information Sciences, Radboud University Nijmegen P.O. Box 9010, 6500 GL Nijmegen, The Netherlands
Abstract. Links are established between three widely used modeling frameworks for reactive systems: the ioco theory of Tretmans, the interface automata of De Alfaro and Henzinger, and Mealy machines. It is shown that, by exploiting these links, any tool for active learning of Mealy machines can be used for learning I/O automata that are deterministic and output determined. The main idea is to place a transducer in between the I/O automata teacher and the Mealy machine learner, which translates concepts from the world of I/O automata to the world of Mealy machines, and vice versa. The transducer comes equipped with an interface automaton that allows us to focus the learning process on those parts of the behavior that can effectively be tested and/or are of particular interest. The approach has been implemented on top of the LearnLib tool and has been applied successfully to three case studies.
1 Introduction
Model-based system development is becoming an increasingly important driving force in the software and hardware industry. In this approach, models become the primary artifacts throughout the engineering lifecycle of computer-based systems. Requirements, behavior, functionality, construction and testing strategies of computer-based systems are all described in terms of models. Models are not only used to reason about a system, but also to allow all stakeholders to participate in the development process and to communicate with each other, to generate implementations, and to facilitate reuse. The construction of models typically requires significant manual effort, implying that in practice models are often not available, or become outdated as the system evolves. Automated support for constructing behavioral models of implemented components would therefore be extremely useful. The problem of inducing, learning or inferring grammars and automata has been studied for decades, but only in recent years has grammatical inference, a.k.a. grammar induction, emerged as an independent field with connections to many scientific disciplines, including bioinformatics, computational linguistics and pattern recognition [10]. Also recently, some important developments have taken place on the borderline of verification, testing and machine learning, see
This research was supported by European Community’s Seventh Framework Programme under grant agreement no 214755 (QUASIMODO).
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 71–85, 2010. c SpringerVerlag Berlin Heidelberg 2010
72
F. Aarts and F. Vaandrager
e.g. [6,16,23], and researchers have shown that it is possible (at least in principle) to apply grammatical inference for learning models of software components. Grammatical inference techniques aim at building a grammar or automaton for an unknown language, given some data about this language. Within the setting of active learning, it is assumed that a learner interacts with a teacher. Inspired by work of Angluin [5] on the L∗ algorithm, Niese [20] developed an adaptation of the L∗ algorithm for active learning of deterministic Mealy machines. This algorithm has been further optimized in [23]. In the algorithm it is assumed that the teacher knows a deterministic Mealy machine M. Initially, the learner only knows the action signature (the sets of input and output symbols I and O) and her task is to learn a Mealy machine that is equivalent to M. The teacher will answer two types of questions: output queries ("what is the output generated in response to input i ∈ I?") and equivalence queries ("is a hypothesized machine H correct, i.e., equivalent to the machine M?"). The teacher always records the current state q of Mealy machine M. In response to query i, the current state is updated to q' and answer o is returned to the learner. At any point the learner can "reset" the teacher, that is, change the current state back to the initial state of M. The answer to an equivalence query H is either yes (in case M ≈ H) or no (in case M ≉ H). Furthermore, with every negative equivalence query response the teacher will give the learner a counterexample that proves that the learner's hypothesis is wrong, that is, an input sequence u ∈ I∗ such that obs_M(u) ≠ obs_H(u). This algorithm has been implemented in the LearnLib tool [23]. In practice, when a real implementation is used instead of an idealized teacher, the implementation cannot answer equivalence queries.
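The teacher side of the output-query protocol just described can be sketched as follows. The two-state machine is a made-up example; this is not LearnLib's actual API, only an illustration of output queries and resets against a known Mealy machine M.

```python
class MealyTeacher:
    """Teacher for a known deterministic Mealy machine M: tracks the
    current state, answers output queries, and supports reset."""

    def __init__(self, initial, trans):
        # trans maps (state, input) -> (next_state, output)
        self.initial = self.state = initial
        self.trans = trans

    def output_query(self, i):
        # Update the current state and return the produced output.
        self.state, o = self.trans[(self.state, i)]
        return o

    def reset(self):
        self.state = self.initial

# A hypothetical two-state machine over inputs {a, b}, outputs {0, 1}.
trans = {
    ("q0", "a"): ("q1", 1),
    ("q0", "b"): ("q0", 0),
    ("q1", "a"): ("q0", 0),
    ("q1", "b"): ("q1", 1),
}
teacher = MealyTeacher("q0", trans)
outs = [teacher.output_query(i) for i in "aab"]
assert outs == [1, 0, 0]
teacher.reset()
assert teacher.output_query("b") == 0
```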
Therefore, LearnLib "approximates" such queries by generating a long test sequence that is computed by standard methods such as state cover, transition cover, the W-method, and the UIO method (see [15]). LearnLib has been applied successfully to learn computer telephony integrated (CTI) systems [11], and more recently to learn parts of the SIP and TCP protocols [1] and the new biometric passport [2]. Currently, LearnLib is able to automatically learn Mealy machines with up to 30,000 states. Nevertheless, a lot of further research will be required to make automata-based learning tools suitable for routine use on industrial case studies. An important issue, clearly, is the development of abstraction techniques in order to be able to learn much larger state spaces (see [1], also for further references). Another issue is the extension of automata learning techniques to nondeterministic systems (see e.g. [29]). In this paper, we address a third issue that hinders the application of the LearnLib tool. In practice, the restriction of Mealy machines that each input corresponds to exactly one output is felt to be overly restrictive. Sometimes several inputs are required before a single output occurs, sometimes a single input triggers multiple outputs, etc. The I/O automata of Lynch & Tuttle [18,17] and Jonsson [13] constitute a popular modelling framework which does not suffer from the restriction that inputs and outputs have to alternate. Our aim is to develop efficient algorithms for active learning of I/O automata. Hence we assume that the teacher knows an I/O automaton A. We consider a setting in which the task of the learner is to
partially learn A. More specifically, we assume that the learner initially knows an interface automaton P in the sense of De Alfaro and Henzinger [8], called the learning purpose, and that she has to learn the part of A whose behavior is compatible with P. We think there are several good reasons to extend the framework of active learning with a notion of a learning purpose. In principle, the systems that we model using I/O automata will accept any input in any state. But in practice, a learner may not be able (e.g., not fast enough) to effectively provide any input in any state. Also, systems are often designed to be used in a certain manner, and their behavior may become unspecified and/or nondeterministic when they are used improperly. In such cases a learner may decide to interact with the system following the specified interaction protocol, for instance "after providing an input a user should wait for the system to become quiescent before she may provide a next input". A final motivation for using learning purposes is that often the state space of practical systems is very big and cannot be fully explored. By not providing certain inputs (in certain states), the learner may focus on interesting parts of the behavior that can be effectively learned. Rather than developing and implementing an algorithm from scratch, we will use LearnLib. Our idea is to place a transducer in between the IOA teacher and the Mealy machine learner, which translates concepts from the world of I/O automata to the world of Mealy machines, and vice versa. The transducer and Mealy machine learner together then implement an IOA learner. Note that this architecture is very similar to the architecture proposed in [1], where a transducer is used to relate the large parameter spaces of realistic communication protocols to small sets of actions that can effectively be handled by state-of-the-art automata learning tools.
As a spin-off of our research, we establish links between three widely used modeling frameworks for reactive systems: the ioco theory of Tretmans [26,27], the interface automata of De Alfaro and Henzinger [8], and Mealy machines. In particular, we present behavior-preserving maps between interface automata and Mealy machines, and we link the ioco preorder to alternating simulation. The rest of this paper is structured as follows. Section 2 recalls interface automata and links alternating simulation to the ioco preorder. Section 3 addresses a basic question: what is the I/O behavior of an I/O automaton? Section 4 recalls Mealy machines and discusses translations between interface automata and Mealy machines. Section 5 describes our framework for learning I/O automata. In Section 6, we describe the implementation of our approach and its application to three case studies. Finally, Section 7 wraps up with some conclusions and suggestions for further research.
2 Interface Automata
An interface automaton models a reactive system that can interact with its environment. It is a simple type of state machine in which the transitions are associated with named actions. The actions are classified as either input or output.
The output actions are assumed to be under the control of the system, whereas the input actions are under the control of the environment. The interface automata that we study in this paper are a simplified version of the interface automata of De Alfaro and Henzinger [8], without internal actions. Within ioco theory [26,27], interface automata are called labelled transition systems with inputs and outputs. Interface automata are similar to the I/O automata of Lynch & Tuttle [18,17] and Jonsson [13]. The main difference is that in an I/O automaton input actions are required to be enabled in every state. In an interface automaton certain input actions may be illegal in certain states: they are not enabled, and we assume that the environment will not generate such inputs. In this paper, an interface automaton (IA) is defined to be a tuple A = (I, O, Q, q^0, →), where I, O and Q are finite, nonempty sets of input actions, output actions, and states, respectively, with I and O disjoint, q^0 ∈ Q the initial state, and → ⊆ Q × (I ∪ O) × Q the transition relation. We write q −a→ q' if (q, a, q') ∈ →. An action a is enabled in state q, notation q −a→, if q −a→ q' for some state q'. We write out_A(q), or just out(q) if A is clear from the context, for the set {a ∈ O | q −a→} of output actions enabled in state q. For S ⊆ Q a set of states, we write out_A(S) for ∪{out_A(q) | q ∈ S}. An I/O automaton (IOA) is an interface automaton in which each input action is enabled in each state, that is, q −i→ for all q ∈ Q and all i ∈ I. A state q is called quiescent if it enables no output action.
An interface automaton A is
– input deterministic if for each state q ∈ Q and for each action a ∈ I there is at most one outgoing transition of q with label a: q −a→ q1 ∧ q −a→ q2 ⇒ q1 = q2;
– output deterministic if for each state q ∈ Q and for each action a ∈ O there is at most one outgoing transition of q with label a: q −a→ q1 ∧ q −a→ q2 ⇒ q1 = q2;
– deterministic if it is both input and output deterministic;
– output determined if each state has at most one outgoing output transition: q −o1→ q1 ∧ q −o2→ q2 ∧ {o1, o2} ⊆ O ⇒ o1 = o2 ∧ q1 = q2.

Figure 1 displays a simple example of a deterministic IOA that is also output determined. The initial state is marked with an extra circle; there is a single input action in and there are two output actions out1 and out2.
Fig. 1. A deterministic, output determined IOA
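The four properties above are easy to check mechanically on a finite transition relation. A sketch, using a small hypothetical IA (not the automaton of Figure 1): state s1 offers two distinct outputs, so the IA is deterministic but not output determined.

```python
def _deterministic_on(trans, actions):
    # At most one a-successor per state, for each action a in `actions`.
    seen = {}
    for q, a, q2 in trans:
        if a in actions and seen.setdefault((q, a), q2) != q2:
            return False
    return True

def input_deterministic(trans, inputs):
    """trans is a set of (q, a, q') triples."""
    return _deterministic_on(trans, inputs)

def output_deterministic(trans, outputs):
    return _deterministic_on(trans, outputs)

def output_determined(trans, outputs):
    # At most one outgoing output transition per state.
    seen = {}
    for q, a, q2 in trans:
        if a in outputs and seen.setdefault(q, (a, q2)) != (a, q2):
            return False
    return True

I = {"in"}
O = {"out1", "out2"}
# Hypothetical IA: s1 enables two different outputs.
trans = {("s0", "in", "s1"), ("s1", "out1", "s0"), ("s1", "out2", "s2")}
assert input_deterministic(trans, I)
assert output_deterministic(trans, O)
assert not output_determined(trans, O)
```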
Let A1 = (I, O, Q1, q1^0, →1) and A2 = (I, O, Q2, q2^0, →2) be interface automata with the same signature. Let A = I ∪ O and let X, Y ⊆ A. A binary relation R ⊆ Q1 × Q2 is an XY-simulation from A1 to A2 if whenever (q, r) ∈ R and a ∈ A it holds that:

– if q −a→1 q' and a ∈ X then there exists an r' ∈ Q2 s.t. r −a→2 r' and (q', r') ∈ R;
– if r −a→2 r' and a ∈ Y then there exists a q' ∈ Q1 s.t. q −a→1 q' and (q', r') ∈ R.

We write A1 ≤XY A2 if there exists an XY-simulation from A1 to A2 that contains (q1^0, q2^0). AA-simulations are commonly known as bisimulations, and OI-simulations are known as alternating simulations [4]. De Alfaro and Henzinger [8] propose alternating simulations as the primary notion of refinement for IAs. In their approach, one IA refines another if it has weaker input assumptions and stronger output guarantees. We often write A1 ≤a A2 instead of A1 ≤OI A2, and A1 ≈b A2 instead of A1 ≤AA A2. There are several obvious inclusions between the different preorders; e.g., it follows that A1 ≤AY A2 implies A1 ≤XY A2. Figure 2 shows an example of an alternating simulation between two IAs with inputs {in1, in2} and outputs {out1, out2, d}.
Fig. 2. Example of alternating simulation (from left to right IA)
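For finite IAs, the greatest XY-simulation can be computed by the standard fixpoint refinement of the full relation Q1 × Q2. A sketch; the two tiny IAs are hypothetical (with X = O and Y = I this checks A1 ≤a A2, and the example is the "silent" implementation that never outputs):

```python
def greatest_xy_simulation(ia1, ia2, X, Y):
    """Greatest XY-simulation between two finite IAs, each given as
    (states, initial, trans) with trans a set of (q, a, q') triples.
    Returns the relation if it contains the initial pair, else None."""
    Q1, q01, t1 = ia1
    Q2, q02, t2 = ia2

    def succ(t, q, a):
        return {q2 for (p, b, q2) in t if p == q and b == a}

    A = {a for (_, a, _) in t1} | {a for (_, a, _) in t2}
    R = {(q, r) for q in Q1 for r in Q2}
    changed = True
    while changed:
        changed = False
        for (q, r) in list(R):
            ok = (all(any((q2, r2) in R for r2 in succ(t2, r, a))
                      for a in A & X for q2 in succ(t1, q, a))
                  and all(any((q2, r2) in R for q2 in succ(t1, q, a))
                          for a in A & Y for r2 in succ(t2, r, a)))
            if not ok:
                R.discard((q, r))
                changed = True
    return R if (q01, q02) in R else None

# A1 accepts every input but never outputs; A2 may also output.
ia1 = ({"p0"}, "p0", {("p0", "in", "p0")})
ia2 = ({"r0"}, "r0", {("r0", "in", "r0"), ("r0", "out", "r0")})
assert greatest_xy_simulation(ia1, ia2, X={"out"}, Y={"in"}) is not None
```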
Suppose that A1 ≤a A2 and that R is the largest alternating simulation from A1 to A2. We define AS(A1, A2), the alternating simulation interface automaton induced by A1 and A2, as the structure (I, O, R, (q1^0, q2^0), →) where

(q, r) −a→ (q', r')  ⇔  q −a→1 q' and r −a→2 r'.

Figure 3 shows the alternating simulation IA induced by the IAs of Figure 2. The following lemma follows easily from the definitions.

Fig. 3. IA induced by alternating simulation of Figure 2
Lemma 1. Suppose A1 ≤a A2. Then A1 ≤OA AS(A1, A2) ≤AI A2.

Larsen, Nyman and Wasowski [14] criticize interface automata and alternating simulations for being unable to express liveness properties and for allowing trivial implementations: an IA T with a single state that accepts all inputs but never produces any output is a refinement of any IA over the same signature. In order to fix this problem, Larsen, Nyman and Wasowski [14] define modal automata, an extension of interface automata with modality. In this paper, we propose a different solution, which is very simple and in the spirit of I/O automata and ioco theory: we make quiescence observable.
Let A = (I, O, Q, q^0, →) be an IA and let δ be a fresh symbol (not in I ∪ O). Then the δ-extension of A, notation A^δ, is the IA obtained by adding δ-loops to all the quiescent states of A. Formally, A^δ = (I, O_δ, Q, q^0, →') where O_δ = O ∪ {δ} and →' = → ∪ {q −δ→ q | q ∈ Q quiescent}. For A1 and A2 IAs with the same signature, we define A1 ≤aδ A2 ⇔ A1^δ ≤a A2^δ. Observe that in general A1 ≤aδ A2 implies A1 ≤a A2, but A1 ≤a A2 does not imply A1 ≤aδ A2: even though T ≤a A, for any IA A with the same signature as our trivial IA T, we do in general not have T ≤aδ A. If A^δ enables a sequence of input actions leading to a state r from which an output is possible, then T^δ must enable the same sequence of inputs leading to a related state q. But whereas q enables a δ-transition, r does not enable a matching δ-transition. In order to argue that ≤aδ is indeed a reasonable notion of implementation, we will now show that, under certain determinacy assumptions, ≤aδ coincides with the well-known ioco preorder of [26,27]. We extend the transition relation to sequences by defining, for σ ∈ (I ∪ O)∗, the relation ⇒σ to be the least relation that satisfies, for q, q', q'' ∈ Q and a ∈ I ∪ O:

q ⇒ε q;    q ⇒σ q' ∧ q' −a→ q''  implies  q ⇒σa q''.

Here ε denotes the empty sequence. We say that σ ∈ (I ∪ O)∗ is a trace of A if q^0 ⇒σ q for some state q, and write Traces(A) for the set of traces of A. We write A after σ for the set {q ∈ Q | q^0 ⇒σ q} of states of A that can be reached with trace σ. Let A1 and A2 be IAs with the same signature. Then A1 and A2 are input-output conforming, notation A1 ioco A2, if

∀σ ∈ Traces(A2^δ) : out(A1^δ after σ) ⊆ out(A2^δ after σ).

The results below link alternating simulation and the ioco preorder. These results generalize a similar, recent result of Veanes and Bjørner [28], which is stated in a setting of fully deterministic systems. We first state a small technical lemma.

Lemma 2. Let A1 and A2 be IAs with the same action signature such that A1 is input deterministic and A2 is output deterministic. Let R be an alternating simulation from A1 to A2. Let σ ∈ (I ∪ O)∗, q1 ∈ Q1 and q2 ∈ Q2 such that q1^0 ⇒σ q1 and q2^0 ⇒σ q2. Then (q1, q2) ∈ R.

Theorem 1. Let A1 and A2 be IAs with the same action signature such that A1 is input deterministic and A2 is output deterministic. Then A1 ≤aδ A2 implies A1 ioco A2.

Theorem 2. Let A1 and A2 be IAs with the same action signature such that A1 is input enabled and A2 is deterministic. Then A1 ioco A2 implies A1 ≤aδ A2.

Corollary 1. Let A1 be an input deterministic IOA and let A2 be a deterministic IA with the same action signature. Then A1 ioco A2 iff A1 ≤aδ A2.

Observe that all the determinacy conditions in the above results are essential: as soon as one assumption is left out, the corresponding result no longer holds.
Learning I/O Automata

3  The I/O Behavior of I/O Automata
In order to be able to learn I/O automata, we need to decide which types of questions the learner may ask the teacher. One obvious proposal would be to allow membership queries of the form “Is sequence u ∈ (I ∪ O)* a (quiescent) trace of the IOA?”. However, there is strong evidence that this is an inefficient approach. In his PhD thesis [20], Niese compared two algorithms for learning Mealy machines. The first algorithm, an optimized version of Angluin’s L* algorithm [5], allowed membership queries “Is sequence u ∈ (I × O)* a trace of the MM?”. The second algorithm supported membership queries “What is the output generated by the MM in response to input sequence u ∈ I*?”. Niese showed that the second algorithm has a much better performance and requires fewer membership queries. We expect that for IOAs the situation is very similar.

Lynch & Tuttle [18,17] and Jonsson [13] do not define a notion of input/output behavior for I/O automata, that is, given a stream of input values provided by the environment, the stream of output values computed by the I/O automaton. The main reason for this is that such a notion of behavior is not compositional. Instead, the behavior of an IOA is defined in terms of traces, sequences of input and output actions that may be observed during runs of the automaton. Henzinger [9] links determinism to predictability and calls a reactive system deterministic if, for every stream of input values provided by the environment, the stream of output values computed by the system is unique. The example IOA of Figure 1 is not deterministic in this sense, since the input stream in in may lead either to the output stream out1 or to the output stream out2. One obvious way to proceed is to restrict the class of IOAs that one calls deterministic, and to study a notion of input/output behavior for this restricted class. This route is explored by Panangaden and Stark [21] in their study of “monotone” processes.
We will explore a diﬀerent route, in which the power of testers is slightly increased and the IOA of Figure 1 becomes again behavior deterministic. If a system is predictable then one may expect that, for any history of input and output actions, the time required by the system to produce its next output (if any) is more or less known. Predictability is at the basis of the assumption in ioco theory that quiescence is observable: whenever a test is carried out, it is assumed that if a system does not produce an output within some ﬁxed time T after the last input, it will never produce an output. By the same line of reasoning, one could assume that there exists a ﬁxed time t such that the system never produces an output within time t after an input. Hence, if one assumes that the tester can compute faster than the IUT, then in principle the tester always has the choice to either wait for the next output of the IUT or to generate its next input before time t, that is, before occurrence of the output. Based on these considerations, we slightly increase the power of the testers: at any point we let the tester decide who is going to perform the next step, the IUT or the tester itself. Formally, we introduce a fresh delay action Δ. By performing Δ, the environment gives an IOA the opportunity to perform its next output (if any). Let
F. Aarts and F. Vaandrager
IΔ = I ∪ {Δ}. The behavior of an environment can then be described by an environment sequence in (IΔ)*, that is, a sequence of input actions interleaved with delay actions. Let A = (I, O, Q, q0, →) be an IA and let q, q′ ∈ Q, e ∈ (IΔ)* and u ∈ (I ∪ Oδ)*. We write q =e/u⇒ q′ to indicate that, as a result of offering environment sequence e in state q, Aδ may produce trace u and end up in state q′. Formally, ⇒ is the least relation that satisfies q =ε/ε⇒ q and:

q =e/u⇒ q′ ∧ q′ --i--> q″ ∧ i ∈ I  ⇒  q =e i / u i⇒ q″
q =e/u⇒ q′ ∧ q′ --o--> q″ ∧ o ∈ Oδ  ⇒  q =e Δ / u o⇒ q″

For each environment sequence e ∈ (IΔ)*, we define obsA(e) to be the set of traces that may be observed when offering e to Aδ, that is, obsA(e) = {u ∈ (I ∪ Oδ)* | ∃q ∈ Q : q0 =e/u⇒ q}. Let A1 and A2 be two IOAs with the same sets I and O of input and output actions, respectively. We write A1 ⊑ A2 if obsA1(e) ⊆ obsA2(e), for all environment sequences e ∈ (IΔ)*. If A is a deterministic and output determined IOA then obsA(e) contains exactly one element for each environment sequence e. Thus, with this notion of observable behavior, a deterministic and output determined IOA is also behavior deterministic in the sense of Henzinger [9]. Even though our notion of observation is based on a stronger notion of testing than ioco theory, the resulting notion of preorder is the same.

Theorem 3. Let A1 and A2 be IOAs with the same inputs and outputs. Then A1 ioco A2 iff A1 ⊑ A2.
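The set obsA(e) can be computed by stepping through the environment sequence: on an input step only the offered input may fire, on a Δ step any enabled output (or δ) may fire. The sketch below uses an encoding of our own, with the δ-extension given as (source, action, target) triples and "Delta"/"delta" as plain strings:

```python
def obs(trans_delta, init, env_seq, inputs):
    """obs_A(e): traces produced when offering environment sequence e
    to the delta-extension of A, encoded as (src, action, tgt) triples."""
    configs = {(init, ())}               # reachable (state, trace-so-far) pairs
    for step in env_seq:
        nxt = set()
        for (q, u) in configs:
            for (s, a, t) in trans_delta:
                if s != q:
                    continue
                if step == "Delta" and a not in inputs:
                    nxt.add((t, u + (a,)))   # Delta: any output or delta fires
                elif step == a and a in inputs:
                    nxt.add((t, u + (a,)))   # the offered input fires
        configs = nxt
    return {u for (q, u) in configs}
```

For a deterministic, output determined IOA the returned set is a singleton for every environment sequence, matching the behavior determinism discussed above.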
4  From Interface Automata to Mealy Machines and Back
A (nondeterministic) Mealy machine (MM) is a tuple M = (I, O, Q, q0, →), where I, O and Q are finite, nonempty sets of inputs, outputs, and states, respectively, q0 ∈ Q is the initial state, and → ⊆ Q × I × O × Q is the transition relation. We write q --i/o--> q′ if (q, i, o, q′) ∈ →, and q --i/o--> if there exists a q′ such that q --i/o--> q′. Mealy machines are assumed to be input enabled: for each state q and input i, there exists an output o such that q --i/o-->. The transition relation is extended to sequences by defining =u/s⇒ to be the least relation that satisfies, for q, q′, q″ ∈ Q, u ∈ I*, s ∈ O*, i ∈ I, and o ∈ O:

q =ε/ε⇒ q        q =u/s⇒ q′ ∧ q′ --i/o--> q″  ⇒  q =ui/so⇒ q″

A state q ∈ Q is called reachable if q0 =u/s⇒ q, for some u and s. A Mealy machine is deterministic iff, given a state q and an input i, there is exactly one output o and exactly one state q′ such that q --i/o--> q′.

For q ∈ Q and u ∈ I*, define obsM(q, u) to be the set of output sequences that may be produced when offering input sequence u to M, that is, obsM(q, u) = {s ∈ O* | ∃q′ : q =u/s⇒ q′}. Two states q, q′ ∈ Q are observation equivalent, notation
q ≈ q′, if obsM(q, u) = obsM(q′, u), for all input strings u ∈ I*. Write obsM(u) as a shorthand for obsM(q0, u). Two Mealy machines M1 and M2 with the same set of inputs I are observation equivalent, notation M1 ≈ M2, if obsM1(u) = obsM2(u), for all input strings u ∈ I*. If M is deterministic then obsM(u) is a singleton set for each input sequence u. Thus a deterministic Mealy machine is also behavior deterministic in the sense of Henzinger [9].

We call an interface automaton active if each state enables an output action. Observe that for any interface automaton A, the δ-extension Aδ is active. Active interface automata can be translated to equivalent Mealy machines. We translate each input transition q --i--> q′ to a transition q --i/+--> q′ in the Mealy machine, where + is a fresh output action denoting that the input is accepted. If input i is not enabled in state q, then we add a self-loop q --i/−--> q to the Mealy machine. Here − is a fresh output symbol denoting that the input is illegal. The fresh input action Δ (“delay”) is used to probe for possible outputs: each output transition q --o--> q′ translates to a transition q --Δ/o--> q′ in the Mealy machine. Formally, for an active IA A = (I, O, Q, q0, →), the Mealy machine T(A) is defined as the structure (IΔ, O ∪ {+, −}, Q, q0, →′), where

i ∈ I ∧ q --i--> q′  ⇒  q --i/+-->′ q′
i ∈ I ∧ ¬(q --i-->)  ⇒  q --i/−-->′ q
o ∈ O ∧ q --o--> q′  ⇒  q --Δ/o-->′ q′

Figure 4 illustrates transformation T.

Fig. 4. Result of applying T to the δ-extension of the IA of Figure 3

We now define transformation R, the inverse of transformation T, which takes a Mealy machine and turns it into an IA. Let M = (IΔ, O ∪ {+, −}, Q, q0, →) be a Mealy machine. Then R(M) is the IA (I, O, Q, q0, →′), where

i ∈ I ∧ q --i/+--> q′  ⇒  q --i-->′ q′        and        o ∈ O ∧ q --Δ/o--> q′  ⇒  q --o-->′ q′

If one takes any total IA A and applies first T and then R, one gets back A.

Theorem 4. Let A be a total IA. Then A = R(T(A)).

Observe that if A is deterministic and output determined then T(A) is deterministic, and if M is deterministic then R(M) is deterministic and output
determined. In order to obtain a dual version of Theorem 4, we need to impose three additional conditions on M. Let M be a Mealy machine whose inputs include Δ and whose outputs include + and −. Then M is separated if an input in I always leads to an output + or −, and input Δ always leads to an output in O: q --i/o--> q′ ⇒ (i ≠ Δ ⇔ o ∉ O). M is consistent if there exists no state q and input i for which both outputs + and − are possible: ¬(q --i/+--> ∧ q --i/−-->). M is stable if an output − does not lead to a change of state: q --i/−--> q′ ⇒ q′ = q. Clearly, for any total IA A, T(A) is separated, consistent and stable. Note that deterministic Mealy machines are consistent. Using the conditions of separation, consistency and stability, it is easy to prove M = T(R(M)).

Theorem 5. Let M be a separated, consistent and stable Mealy machine with inputs IΔ and outputs O ∪ {+, −}. Then M = T(R(M)).
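The transformations T and R, and the round trip of Theorem 4, can be sketched directly from the rules above. The encoding is our own: IA transitions as (source, action, target) triples, Mealy transitions as (source, input, output, target) tuples, with "Delta", "+" and "-" as plain strings:

```python
# Sketch of T (active IA -> Mealy machine) and R (Mealy machine -> IA),
# following the three rules for T and the two rules for R given above.

def T(ia_trans, states, inputs, outputs):
    mm = set()
    for q in states:
        for i in inputs:
            succ = [t for (s, a, t) in ia_trans if s == q and a == i]
            if succ:
                mm |= {(q, i, "+", t) for t in succ}   # accepted input
            else:
                mm.add((q, i, "-", q))                 # illegal input: self-loop
        for (s, a, t) in ia_trans:
            if s == q and a in outputs:
                mm.add((q, "Delta", a, t))             # probe output with Delta
    return mm

def R(mm_trans):
    ia = set()
    for (q, i, o, t) in mm_trans:
        if o == "+":
            ia.add((q, i, t))          # keep accepted inputs
        elif i == "Delta" and o not in ("+", "-"):
            ia.add((q, o, t))          # Delta/o becomes output o
    return ia
```

By construction T(A) is separated, consistent and stable, and R drops exactly the i/− self-loops that T added, which is why R(T(A)) returns the original transition relation in this encoding.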
5  Learning I/O Automata
In this section, we present our approach for active learning of I/O automata. We assume that the teacher knows a deterministic and output determined IOA A = (I, O, Q, q0, →). We consider a setting in which the task of the learner is to partially learn A: the learner initially knows a deterministic interface automaton P = (I, Oδ, P, p0, →′), called the learning purpose, and has to learn the part of A whose behavior is compatible with P. We require Aδ ≤a P.

The teacher and learner play the following game. The teacher records the current state of A, which initially is q0, and the learner records the current state of P, which initially is p0. Suppose that the teacher is in state q and the learner is in state p. The learner now can do four things: (1) If an input transition p --i--> p′ is enabled then it may jump to p′ and present input i to the teacher, which will then jump to the state q′ such that q --i--> q′. (2) The learner may present a delay Δ to the teacher. If the teacher enables some output o, then it will jump to the unique state q′ such that q --o--> q′ and return answer o to the learner. If no output action is enabled in q then the teacher returns δ. The learner then jumps to the unique state p′ that can be reached by the answer o or δ that it has just received (by the assumption Aδ ≤a P we know this state exists). (3) The learner may return to its initial state and ask the teacher to do the same (“reset”). (4) The learner may pose a preorder query (“is an hypothesized IA H correct?”). An hypothesis is a deterministic, output determined IA H such that Hδ ≤AI P. An hypothesis is correct if A ≤aδ H. If H is correct then the teacher returns the answer yes. If an hypothesis is not correct then, by Corollary 1, Hδ has a trace σ such that the unique output o enabled by Aδ after σ differs from the unique output enabled by Hδ after σ. The teacher then returns the answer no together with counterexample σo.

In order to appreciate our learning framework, consider the trivial learning purpose Ptriv displayed in Figure 5 (left). Here notation i : I means that we have an instance of the transition for each input i ∈ I. Notation o : O is defined
Fig. 5. A trivial learning purpose (left) and a learning purpose with a nontrivial δ-transition (right)
similarly. If H is an hypothesis, then by definition Hδ ≤AI Ptriv. This just means that H is input enabled. If H is correct then A ≤aδ H. Since both A and H are deterministic, output determined IAs, this means that A and H are bisimilar! The following lemma provides some key insight into our approach in the case of an arbitrary learning purpose. It implies that if hypothesis H is correct, then Hδ is bisimilar to AS(Aδ, P).

Lemma 3. Suppose A1, A2 and A3 are IAs, A1 is active and input deterministic, A2 is output determined, A3 is output deterministic, and A1 ≤a A3 ≤AI A2. Then A3 ≈b AS(A1, A2).

It is important that a learning purpose may contain nontrivial δ-transitions. As an example, consider the IA of Figure 5 (right). This learning purpose expresses that after an input one has to wait until the system gets into a quiescent state before offering the next input. It is not possible to express this without δ’s. But since in the end we want to learn IAs without δ’s, we need an operation that eliminates all δ-transitions from an automaton. Let A = (I, Oδ, Q, q0, →) be an IA. Let ≡ be the smallest equivalence relation that contains --δ-->. Then we define ρ(A) to be the quotient IA (I, O, Q/≡, q0/≡, →′) where

q/≡ --a-->′ q′/≡  ⇔  ∃r, r′ : q ≡ r ∧ r --a--> r′ ∧ r′ ≡ q′

The following lemma implies that under certain conditions the operation ρ preserves bisimulation equivalence.

Lemma 4. Suppose A1 and A2 are deterministic, output determined IAs, A1 has outputs O, A2 has outputs Oδ, and both IAs share the same set of inputs I. Suppose furthermore that A2 satisfies the following triangle property, for i ∈ I: q --i--> q′ ∧ q --δ--> q″ ⇒ q″ --i--> q′. Then A1δ ≈b A2 implies A1 ≈b ρ(A2).

We always assume that the learning purpose P satisfies the triangle property. Under this assumption, it follows using the above lemma that, if hypothesis H is correct, then H is bisimilar to ρ(AS(Aδ, P)).

Rather than developing and implementing an algorithm from scratch, we use the LearnLib tool [23] to implement our learning approach. We place a transducer in between the IOA teacher and the Mealy machine learner, which records the current state p of the learning purpose P and translates concepts from the
world of I/O automata to the world of Mealy machines, and vice versa, using the translation functions defined in the previous section. Initially, the MM learner only knows a signature consisting of inputs IΔ and outputs Oδ ∪ {+, −}. The behavior of the transducer is as follows:

– Whenever the transducer receives an output query i ∈ I from the MM learner, it checks if i is enabled in the current state of P. If the input is not enabled (“illegal”) then the transducer returns an output − to the MM learner. If the input is enabled then the transducer returns an output + to the MM learner, updates state p to the unique state p′ with an i-transition from p to p′, and forwards i to the IOA teacher.
– Whenever the transducer receives an output query Δ, this is forwarded directly to the IOA teacher. When it receives a response o ∈ Oδ, the transducer updates state p accordingly, and forwards o to the MM learner.
– Whenever the transducer receives a “reset” from the MM learner, it resets its state to p0, and forwards the “reset” to the IOA teacher.
– Whenever the transducer receives an equivalence query H from the MM learner, it first checks whether ρ(R(H)) ≤AI P (since both IAs are deterministic, this can be done in time linear in the size of their synchronous product). If ρ(R(H)) does not conform to learning purpose P, then an answer no is returned to the MM learner, together with a distinguishing trace in which all output symbols are replaced by Δ. If ρ(R(H)) ≤AI P then the transducer forwards the preorder query ρ(R(H)) to the IOA teacher. The transducer forwards a subsequent response of the IOA teacher to the MM learner, but with all output symbols replaced by Δ. If the response is yes then the transducer has successfully learned an IA ρ(R(H)) that meets all the requirements.

Observe that when LearnLib is used, equivalence queries are always separated and stable.
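The transducer's handling of output queries and resets can be sketched as follows. This is a toy rendering of our own: the class and method names are illustrative inventions, not LearnLib's actual API, the learning purpose is a deterministic transition map, and the teacher is a simple simulator of a deterministic, output determined IOA:

```python
class ToyTeacher:
    """Simulates a deterministic, output determined IOA (our own encoding:
    transitions as (src, action, tgt) triples)."""
    def __init__(self, trans, q0, outputs):
        self.trans, self.q0, self.outputs = trans, q0, outputs
        self.q = q0

    def step(self, i):                       # consume an input action
        self.q = next(t for (s, a, t) in self.trans if s == self.q and a == i)

    def delay(self):                         # Delta: produce an output, or delta
        for (s, a, t) in self.trans:
            if s == self.q and a in self.outputs:
                self.q = t
                return a
        return "delta"

    def reset(self):
        self.q = self.q0

class Transducer:
    """Sits between the MM learner and the IOA teacher; `purpose` maps
    (state, action) to the successor state of the learning purpose P."""
    def __init__(self, purpose, p0, teacher, inputs):
        self.purpose, self.p0 = purpose, p0
        self.teacher, self.inputs = teacher, inputs
        self.p = p0

    def output_query(self, symbol):
        if symbol in self.inputs:
            if (self.p, symbol) not in self.purpose:
                return "-"                   # input illegal in P: answer '-'
            self.p = self.purpose[(self.p, symbol)]
            self.teacher.step(symbol)        # forward accepted input
            return "+"
        o = self.teacher.delay()             # symbol is "Delta"
        # P must handle every o or delta here (guaranteed by A^delta <=a P)
        self.p = self.purpose[(self.p, o)]
        return o

    def reset(self):
        self.p = self.p0
        self.teacher.reset()
```

Equivalence queries are omitted from the sketch; they would additionally check ρ(R(H)) against P before consulting the teacher, as described above.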
We claim that the algorithm always terminates and that the transducer indeed learns an IOA that is equivalent to ρ(AS(Aδ, P)). In order to see why this claim is true, a key observation is that the IOA teacher and transducer together behave like a teacher for Mealy machine T(AS(Aδ, P)).

Lemma 5. The IOA teacher and transducer together behave like a teacher for Mealy machine T(AS(Aδ, P)).

The main technical result of this article is that the MM learner and the transducer together will succeed in learning ρ(AS(Aδ, P)), that is, the subautomaton of A induced by the learning purpose P:

Theorem 6. The composition of MM learner and transducer behaves like a learner for I/O automata, that is, execution will terminate after a finite number of queries, and upon termination the transducer has learned an IA that is bisimilar to ρ(AS(Aδ, P)).
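The δ-elimination operation ρ defined earlier in this section can be sketched with a small union-find that merges states along δ-transitions and then lifts the remaining transitions to representatives; the triple encoding and names are our own:

```python
def rho(trans, states):
    """Quotient an IA (as (src, action, tgt) triples) by the smallest
    equivalence containing its delta-transitions; returns the quotiented
    transition relation and the representative function."""
    parent = {q: q for q in states}

    def find(q):                         # union-find with path halving
        while parent[q] != q:
            parent[q] = parent[parent[q]]
            q = parent[q]
        return q

    for (s, a, t) in trans:
        if a == "delta":
            parent[find(s)] = find(t)    # merge along delta-transitions

    quotient = {(find(s), a, find(t)) for (s, a, t) in trans if a != "delta"}
    return quotient, find
```

In the overall pipeline this is the ρ applied to R(H) before checking the hypothesis against the learning purpose.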
6  Experiments
We have implemented and applied our approach to infer three types of I/O automata. In this section, we first describe our experimental setup, and thereafter its application in three case studies.¹ To serve as IOA teacher, we read in an I/O automaton specified in Aldebaran format [3]. We connect the IOA teacher to a transducer equipped with an interface automaton, which is also described in Aldebaran format. As MM learner in our framework, we use the LearnLib library [22].

In our first (trivial) case study we learned the IOA shown in Figure 1. Because the interaction with this automaton is not constrained, we used an interface automaton that accepts every input and output, see Figure 5. The inferred Mealy machine model can be transformed to the IOA by transformations R and ρ.

A model of the electronic passport [12,7] was inferred in a second experiment. We provided the IOA teacher with a model of the protocol taken from Mostowski et al. [19]. Analyzing the behavior of the automaton revealed that the passport almost always reacts like a Mealy machine: 13 out of 14 inputs generate an output symbol before a new input symbol can be transferred. Based on this information, we defined an interface automaton in which inputs alternate with outputs or quiescence, see Figure 6 (left). Because no output is generated in response to a Reset input in the IOA, an output δ occurs within the Mealy machine that is learned. In fact, the inferred Mealy machine has one additional state, which can only be reached by a Δ/δ transition. After applying transformations R and ρ, we obtained the corresponding subautomaton of the IOA that was given to the teacher.

With respect to learning performance, we observe that inferring an IOA requires more membership queries than learning the same behavior as a Mealy machine having i/o instead of i/+ and Δ/o transitions.
Inferring an IOA of the electronic passport required 44294 membership queries, whereas learning the corresponding Mealy machine with i/o transitions merely needed 1079 queries. The difference can be explained by the fact that 80.72% of the membership queries asked to infer the passport IOA comprised unspecified input sequences. Because of the Mealy machine behavior of the IOA, no outputs are defined for most consecutive inputs. Moreover, membership queries were asked for the additional state.

In a third case study we applied our approach to learn a model of the Session Initiation Protocol (SIP) [25,24]. The teacher is supplied with an IOA based on a Mealy machine generated using inference and abstraction techniques [1]. Analyzing the structure of the automaton showed that each input symbol is followed by one or more outputs. Furthermore, in the initial state only certain inputs are allowed. To concentrate the learning on this restricted behavior, we used the interface automaton shown in Figure 6 (right). Again, by applying transformations R and ρ, the inferred Mealy machine could be converted to the corresponding subautomaton of the IOA given to the teacher.

¹ All IOAs and interface automata used in the different case studies, as well as the corresponding learned Mealy machines, can be found at the URL http://www.mbsd.cs.ru.nl/publications/papers/fvaan/LearningIOAs/.
Fig. 6. IA in which each input is followed by at most one output (left) and IA in which initially only certain inputs are allowed and two consecutive inputs are not allowed (right)
7  Conclusions and Future Work
We have presented an approach for active learning of deterministic and output determined I/O automata. By eliminating the restriction of Mealy machines that inputs and outputs have to alternate, we have extended the class of models that can be learned. Our approach has been implemented on top of the LearnLib tool and has been applied successfully in three case studies. A new idea introduced in this paper is to use interface automata to focus the learning process on the interesting/relevant parts of the behavior. In both the passport and the SIP case study, the use of interface automata greatly reduced the number of queries. The efficiency of our learning approach can be improved by integrating this notion of interface automata within LearnLib: in this way it will be possible to further reduce the number of membership queries. Obvious topics for future research are to extend our approach to automata with nondeterminism and silent transitions, and to integrate our transducers with the ones used in [1] for data abstraction.

Acknowledgement. Many thanks to Bengt Jonsson, Bernhard Steffen, Jan Tretmans and the anonymous referees for inspiring discussions and/or pointers to the literature, and to Falk Howar for his generous LearnLib support.
References

1. Aarts, F.: Inference and Abstraction of Communication Protocols. Master's thesis, Radboud University Nijmegen and Uppsala University (November 2009)
2. Aarts, F., Schmaltz, J., Vaandrager, F.: Inference and abstraction of the biometric passport (May 2010)
3. ALDEBARAN manual, http://www.inrialpes.fr/vasy/cadp/man/aldebaran.html
4. Alur, R., Henzinger, T., Kupferman, O., Vardi, M.: Alternating refinement relations. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 163–178. Springer, Heidelberg (1998)
5. Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)
6. Berg, T., Grinchtein, O., Jonsson, B., Leucker, M., Raffelt, H., Steffen, B.: On the correspondence between conformance testing and regular inference. In: Cerioli, M. (ed.) FASE 2005. LNCS, vol. 3442, pp. 175–189. Springer, Heidelberg (2005)
7. BSI: Advanced security mechanisms for machine readable travel documents - extended access control (EAC) - version 1.11. Technical Report TR-03110, German Federal Office for Information Security (BSI), Bonn, Germany (2008)
8. de Alfaro, L., Henzinger, T.: Interface automata. In: ESEC/FSE 2001. Software Engineering Notes, vol. 26, pp. 109–120. ACM Press, New York (2001)
9. Henzinger, T.: Two challenges in embedded systems design: Predictability and robustness. Philosophical Trans. of the Royal Society A 366, 3727–3736 (2008)
10. de la Higuera, C.: Grammatical Inference: Learning Automata and Grammars. Cambridge University Press, Cambridge (2010)
11. Hungar, H., Niese, O., Steffen, B.: Domain-specific optimization in automata learning. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 315–327. Springer, Heidelberg (2003)
12. ICAO: Doc 9303 - machine readable travel documents - part 1-2. Technical report, International Civil Aviation Organization, 6th edn. (2006)
13. Jonsson, B.: Modular verification of asynchronous networks. In: PODC 1987, pp. 152–166 (1987)
14. Larsen, K., Nyman, U., Wasowski, A.: Modal I/O automata for interface and product line theories. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 64–79. Springer, Heidelberg (2007)
15. Lee, D., Yannakakis, M.: Principles and methods of testing finite state machines – a survey. Proceedings of the IEEE 84(8), 1090–1123 (1996)
16. Leucker, M.: Learning meets verification. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P. (eds.) FMCO 2006. LNCS, vol. 4709, pp. 127–151. Springer, Heidelberg (2007)
17. Lynch, N.: Distributed Algorithms. Morgan Kaufmann Publishers, Inc., San Francisco (1996)
18. Lynch, N., Tuttle, M.: Hierarchical correctness proofs for distributed algorithms. In: PODC 1987, pp. 137–151 (1987)
19. Mostowski, W., Poll, E., Schmaltz, J., Tretmans, J., Wichers Schreur, R.: Model-based testing of electronic passports. In: FMICS 2009, pp. 207–209. Springer, Heidelberg (2009)
20. Niese, O.: An Integrated Approach to Testing Complex Systems. PhD thesis, University of Dortmund (2003)
21. Panangaden, P., Stark, E.: Computations, residuals, and the power of indeterminacy. In: Lepistö, T., Salomaa, A. (eds.) ICALP 1988. LNCS, vol. 317, pp. 439–454. Springer, Heidelberg (1988)
22. Raffelt, H., Steffen, B., Berg, T.: LearnLib: a library for automata learning and experimentation. In: FMICS 2005, pp. 62–71. ACM Press, New York (2005)
23. Raffelt, H., Steffen, B., Berg, T., Margaria, T.: LearnLib: a framework for extrapolating behavioral models. STTT 11(5), 393–407 (2009)
24. Rosenberg, J., Schulzrinne, H.: Reliability of Provisional Responses in Session Initiation Protocol (SIP). RFC 3262 (Proposed Standard) (June 2002)
25. Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard). Updated by RFCs 3265, 3853, 4320, 4916, 5393 (June 2002)
26. Tretmans, J.: Test generation with inputs, outputs, and repetitive quiescence. Software – Concepts and Tools 17, 103–120 (1996)
27. Tretmans, J.: Model based testing with labelled transition systems. In: Hierons, R.M., Bowen, J.P., Harman, M. (eds.) FORTEST. LNCS, vol. 4949, pp. 1–38. Springer, Heidelberg (2008)
28. Veanes, M., Bjørner, N.: Input-output model programs. In: Leucker, M., Morgan, C. (eds.) Theoretical Aspects of Computing – ICTAC 2009. LNCS, vol. 5684, pp. 322–335. Springer, Heidelberg (2009)
29. Willemse, T.: Heuristics for ioco-based test-based modelling. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS 2006 and PDMC 2006. LNCS, vol. 4346, pp. 132–147. Springer, Heidelberg (2007)
Constrained Monotonic Abstraction: A CEGAR for Parameterized Verification

Parosh Aziz Abdulla¹, Yu-Fang Chen², Giorgio Delzanno³, Frédéric Haziza¹, Chih-Duo Hong², and Ahmed Rezine¹

¹ Uppsala University, Sweden
² Academia Sinica, Taiwan
³ Università di Genova, Italy
Abstract. In this paper, we develop a counterexample-guided abstraction refinement (CEGAR) framework for monotonic abstraction, an approach that is particularly useful in automatic verification of safety properties for parameterized systems. The main drawback of verification using monotonic abstraction is that it sometimes generates spurious counterexamples. Our CEGAR algorithm automatically extracts from each spurious counterexample a set of configurations called a “Safety Zone” and uses it to refine the abstract transition system of the next iteration. We have developed a prototype based on this idea, and our experimentation shows that the approach allows us to verify many of the examples that cannot be handled by the original monotonic abstraction approach.
1  Introduction
We investigate the analysis of safety properties for parameterized systems. A parameterized system consists of an arbitrary number of identical finite-state processes running in parallel. The task is to verify correctness regardless of the number of processes. One of the most widely used frameworks for infinite-state verification uses systems that are monotonic w.r.t. a well-quasi ordering [2,22]. This framework provides a scheme for proving termination of backward reachability analyses, which has already been used for the design of verification algorithms for various infinite-state systems (e.g., Petri nets, lossy channel systems) [8,20,21]. The main idea is the following. For a class of models, we find a preorder ⪯ on the set of configurations that satisfies the following two conditions: (1) the system is monotonic w.r.t. ⪯ and (2) ⪯ is a well-quasi ordering (WQO for short). Then, backward reachability analysis from an upward closed set (w.r.t. ⪯) is guaranteed to terminate, which implies that the reachability problem of an upward closed set (w.r.t. ⪯) is decidable. However, there are several classes of systems that do not fit into this framework, since it is hard to find a preorder that meets the aforementioned two conditions at the same time. An alternative solution is to first find a WQO ⪯ on the set of configurations and then apply monotonic abstraction [6,4,7] in order to force monotonicity. Given a preorder ⪯ on configurations, monotonic abstraction

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 86–101, 2010.
© Springer-Verlag Berlin Heidelberg 2010
defines an abstract transition system for the considered model that is monotonic w.r.t. ⪯. More precisely, it considers a transition from a configuration c1 to a configuration c2 to be possible if there exists some smaller configuration c1′ ⪯ c1 that has a transition to c2. The resulting abstract transition system is clearly monotonic w.r.t. ⪯ and is an over-approximation of the considered model. Moreover, as mentioned, if ⪯ is a WQO, the termination of backward reachability analysis is guaranteed in the abstract transition system.

Monotonic abstraction has been shown to be useful in the verification of heap manipulating programs [1] and parameterized systems such as mutual exclusion and cache coherence protocols [4,6]. In most of the benchmark examples for these classes, monotonic abstraction can generate abstract transition systems that are safe w.r.t. the desired properties (e.g. mutual exclusion). The reason is that, for these cases, we only need to keep track of simple constraints on individual variables in order to successfully carry out verification. However, there are several classes of protocols where we need more complicated invariants in order to avoid generating spurious counterexamples. Examples include cases where processes synchronize via shared counters (e.g. the readers and writers protocol) or reference counting schemes used to handle a common set of resources (e.g. virtual memory management). For these cases, monotonic abstraction often produces spurious counterexamples, since it is not sufficiently precise to preserve the needed invariants. Therefore, we introduce in this paper a counterexample-guided abstraction refinement (CEGAR) approach to automatically and iteratively refine the abstract transition system and remove spurious counterexamples.

The idea of the CEGAR algorithm is as follows. It begins with an initial preorder ⪯0, which is the one used in previous works on monotonic abstraction [6].
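For intuition, here is a minimal sketch (our own encoding: configurations as dictionaries counting how many processes occupy each local state) of a typical initial preorder ⪯0, componentwise inclusion of counters, and of the strengthening of a preorder by a set S of configurations used in the refinement loop:

```python
def leq0(c1, c2):
    """Initial preorder: c1 has at most as many processes as c2 in every
    local state (componentwise inclusion of counter configurations)."""
    return all(n <= c2.get(s, 0) for s, n in c1.items())

def strengthen(leq, in_zone):
    """Strengthen a preorder by a "Safety Zone": a pair (c1, c2) survives
    only if c2 lying inside the zone forces c1 inside it too, so that a
    configuration in the zone cannot inherit transitions from a smaller
    configuration outside the zone."""
    return lambda c1, c2: leq(c1, c2) and (not in_zone(c2) or in_zone(c1))
```

A strengthened comparison like `strengthen(leq0, zone)` is again a preorder, and (as argued later in the paper) strengthening preserves the WQO property, so termination of backward reachability is kept at every refinement iteration.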
In the i-th iteration, it tries to verify the given model using monotonic abstraction w.r.t. the preorder ⪯_{i−1}. Once a counterexample is found in the abstract transition system, the algorithm simulates it on the concrete transition system. In case the counterexample is spurious, the algorithm extracts from it a set S of configurations called a “Safety Zone”. The computation of the “Safety Zone” is done using interpolation [28,26]. The set S (“Safety Zone”) is then used to strengthen the preorder that will be used in the next iteration. Monotonic abstraction produces a more accurate abstract transition system with the strengthened preorder. More precisely, in the (i + 1)-th iteration, the algorithm works on an abstract transition system induced by monotonic abstraction and a preorder ⪯_i := {(c, c′) | c ⪯_{i−1} c′ and c′ ∈ S ⇒ c ∈ S}. Intuitively, the strengthened preorder forbids configurations inside a “Safety Zone” to use a transition from some smaller configuration (w.r.t. ⪯_{i−1}) outside the “Safety Zone”. The strengthening of the preorder has an important property: it preserves WQO. That is, if ⪯_{i−1} is a WQO, then ⪯_i is also a WQO, for all i > 0. Therefore, the framework of monotonic systems w.r.t. a WQO can be applied to each abstract transition system produced by monotonic abstraction, and hence termination is guaranteed for each iteration. Based on this method, we have implemented a prototype and successfully used it to automatically verify several non-trivial examples, such as protocols synchronizing by shared counters and
reference counting schemes, that cannot be handled by the original monotonic abstraction approach.

Outline. We define parameterized systems and their semantics in Section 2. In Section 3, we first introduce monotonic abstraction and then give an overview of the CEGAR algorithm. In Section 4, we describe the details of the CEGAR algorithm and introduce a symbolic representation of infinite sets of configurations called constraints. In Section 5, we show that all the constraint operations used in our algorithm are computable. In Section 6, we show that the termination of backward reachability checking is guaranteed in our CEGAR algorithm. Section 7 describes some extensions of our model for parameterized systems. In Section 8 we describe our experimentation. Finally, in Section 9, we conclude with a discussion of related tools and future work.
2 Preliminaries
In this section, we define a model for parameterized systems. We use B to denote the set {true, false} of Boolean values, N to denote the set of natural numbers, and Z to denote the set of integers. Let P be a set and ⪯ be a binary relation on P. The relation ⪯ is a preorder on P if it is reflexive and transitive. Let Q ⊆ P; we define the strengthening of ⪯ by Q, written ⪯Q, to be the binary relation ⪯Q := {(c, c′) | c ⪯ c′ and c′ ∈ Q ⇒ c ∈ Q}. Observe that ⪯Q is also a preorder on P. Let XN be a set of numerical variables ranging over N. We use N(XN) to denote the set of formulae which have the members of {x − y ∼ c, x ∼ c | x, y ∈ XN, c ∈ Z, ∼ ∈ {≥, =, ≤}} as atomic formulae, and which are closed under the Boolean connectives ¬, ∧, ∨. Let XB be a finite set of Boolean variables. We use B(XB) to denote the set of formulae which have the members of XB as atomic formulae, and which are closed under the Boolean connectives ¬, ∧, ∨. Let X′ be the set of primed variables {x′ | x ∈ X}, which refer to the "next state" values of X.
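The strengthening operation ⪯Q can be checked executable-style. The following Python sketch (names ours, purely illustrative) brute-forces over a small domain that strengthening a preorder indeed yields a preorder again:

```python
def strengthen(leq, Q):
    # the strengthening of a preorder by Q:
    # c <=_Q c' iff c <= c' and (c' in Q implies c in Q)
    return lambda c1, c2: leq(c1, c2) and (c2 not in Q or c1 in Q)

dom = range(6)
leq_q = strengthen(lambda a, b: a <= b, {2, 3})

# brute-force check that the strengthened relation is again a preorder
reflexive = all(leq_q(c, c) for c in dom)
transitive = all(not (leq_q(a, b) and leq_q(b, c)) or leq_q(a, c)
                 for a in dom for b in dom for c in dom)
print(reflexive, transitive)     # True True
print(leq_q(1, 4), leq_q(1, 2))  # True False: 2 is in Q but 1 is not
```

The transitivity check mirrors the general argument: if c′′ ∈ Q then c′ ∈ Q and hence c ∈ Q, so the implication composes.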
2.1 Parameterized System
Here we describe our model of parameterized systems. A simple running example of a parameterized system is given in Fig. 1. More involved examples can be found in the tech. report [3]. The example in Fig. 1 is a readers and writers protocol that uses two shared variables: a numerical variable cnt (the read counter) is used to keep track of the number of processes in the "read" state, and a Boolean variable lock is used as a semaphore. The semaphore is released when the writer has finished writing or all readers have finished reading (cnt decreased to 0). A parameterized system consists of an unbounded but finite number of identical processes running in parallel and operating on a finite set of shared Boolean and numerical variables. At each step, one process changes its local state and checks/updates the values of the shared variables. Formally, a parameterized system is a triple P = (Q, T, X), where Q is the set of local states, T is the set of
Constrained Monotonic Abstraction
transition rules, and X is a set of shared variables. The set of shared variables X can be partitioned into the set of variables XN ranging over N and the set XB ranging over B. A transition rule t ∈ T is of the form q → r : stmt, where q, r ∈ Q and stmt is a statement of the form φN ∧ φB, where φN ∈ N(XN ∪ X′N) and φB ∈ B(XB ∪ X′B). The formula φN controls variables ranging over N and φB controls Boolean variables. Taking the rule r1 in Fig. 1 as an example, the statement says that if the values of the shared variables satisfy cnt = 0 and lock = true, then we are allowed to increase the value of cnt by 1, negate the value of lock, and change the local state of a process from t to r.
shared lock: Boolean, cnt: nat

r1 : t → r : cnt = 0 ∧ cnt′ = cnt + 1 ∧ lock ∧ ¬lock′
r2 : t → r : cnt ≥ 1 ∧ cnt′ = cnt + 1
r3 : r → t : cnt ≥ 1 ∧ cnt′ = cnt − 1
r4 : r → t : cnt = 1 ∧ cnt′ = cnt − 1 ∧ ¬lock ∧ lock′
w1 : t → w : lock ∧ ¬lock′
w2 : w → t : ¬lock ∧ lock′

Initial: t, lock

Fig. 1. Readers and writers protocol. Here t, r, w are "think", "read", and "write" states, respectively.
2.2 Transition System
A parameterized system P = (Q, T, X) induces an infinite-state transition system (C, −→) where C is the set of configurations and −→ is the set of transitions. A configuration c ∈ C is a function Q ∪ X → N ∪ B such that (1) c(q) ∈ N gives the number of processes in state q if q ∈ Q, (2) c(x) ∈ N if x ∈ XN, and (3) c(x) ∈ B if x ∈ XB. We use [x1^{v1}, x2^{v2}, . . . , xn^{vn}, b1, b2, . . . , bm] to denote a configuration c such that (1) c(xi) = vi for 1 ≤ i ≤ n and (2) c(b) = true iff b ∈ {b1, b2, . . . , bm}. The set of transitions is defined by −→ := ⋃_{t∈T} −→^t. Let c, c′ ∈ C be two configurations and t = q → r : stmt be a transition rule. We have (c, c′) ∈ −→^t (written as c −→^t c′) if (1) c′(q) = c(q) − 1, (2) c′(r) = c(r) + 1, and (3) substituting each variable x in stmt with c(x) and its primed version x′ in stmt with c′(x) produces a formula that is valid. For example, we have [r^0, w^0, t^3, cnt^0, lock] −→^{r1} [r^1, w^0, t^2, cnt^1] in the protocol model of Fig. 1. We use −→^∗ to denote the transitive closure of −→.
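For concreteness, a single transition rule can be executed directly on a configuration. The sketch below is a hypothetical Python encoding of rule r1 from Fig. 1 (not the paper's implementation), with a configuration represented as a dictionary mapping local states and shared variables to values:

```python
def r1(c):
    # t -> r : cnt = 0 /\ cnt' = cnt + 1 /\ lock /\ ~lock'
    # (also moves one process from local state t to local state r)
    if c["t"] >= 1 and c["cnt"] == 0 and c["lock"]:
        return {**c, "t": c["t"] - 1, "r": c["r"] + 1,
                "cnt": c["cnt"] + 1, "lock": False}
    return None  # rule not enabled in c

c = {"t": 3, "r": 0, "w": 0, "cnt": 0, "lock": True}
print(r1(c))
# {'t': 2, 'r': 1, 'w': 0, 'cnt': 1, 'lock': False}
```

This reproduces the example step [r^0, w^0, t^3, cnt^0, lock] −→^{r1} [r^1, w^0, t^2, cnt^1] from the text.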
3 Monotonic Abstraction and CEGAR
We are interested in reachability problems: given sets of initial and bad configurations, can any bad configuration be reached from some initial configuration in the transition system induced by a given parameterized system?
We first recall the method of monotonic abstraction for the verification of parameterized systems and then describe an iterative and automatic CEGAR approach. The approach produces more and more precise over-approximations of a given transition system from iteration to iteration. We assume a transition system (C, −→) induced by some parameterized system.

3.1 Monotonic Abstraction
Given an ordering ⪯ defined on C, monotonic abstraction produces an abstract transition system (C, ⇝) that is an over-approximation of (C, −→) and that is monotonic w.r.t. ⪯.

Definition 1 (Monotonicity). A transition system (C, ⇝) is monotonic (w.r.t. ⪯) if for each c1, c2, c3 ∈ C, c1 ⪯ c2 ∧ c1 ⇝^t c3 ⇒ ∃c4. c3 ⪯ c4 ∧ c2 ⇝^t c4.

The idea of monotonic abstraction is the following. A configuration c is allowed to use the outgoing transitions of any smaller configuration c′ (w.r.t. ⪯). The resulting system is then trivially monotonic and is an over-approximation of the original transition system. Formally, the abstract transition system (C, ⇝) is defined as follows. The set of configurations C is identical to the one of the concrete transition system. The set of abstract transitions is defined by ⇝ := ⋃_{t∈T} ⇝^t, where (c1, c3) ∈ ⇝^t (written as c1 ⇝^t c3) iff ∃c2 ⪯ c1. c2 −→^t c3. It is clear that ⇝^t ⊇ −→^t for all t ∈ T, i.e., (C, ⇝) over-approximates (C, −→). In our previous works [4,6], we defined ⪯ to be a particular ordering ⊆ C × C such that c ⪯ c′ iff (1) ∀q ∈ Q. c(q) ≤ c′(q), (2) ∀n ∈ XN. c(n) ≤ c′(n), and (3) ∀b ∈ XB. c(b) = c′(b). Such an ordering has been shown to be very useful in shape analysis [1] and in the verification of safety properties of mutual exclusion and cache coherence protocols [4,6]. In the CEGAR algorithm, we use ⪯ as the initial preorder.
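Because the initial ordering only lowers counters (Booleans must agree), the set of configurations below a given c is finite, so abstract successors can be enumerated naively. A hypothetical Python sketch on the running example (r1 as in Fig. 1; the encoding is ours):

```python
from itertools import product

def r1(c):  # t -> r : cnt = 0 /\ cnt' = cnt + 1 /\ lock /\ ~lock'
    if c["t"] >= 1 and c["cnt"] == 0 and c["lock"]:
        return {**c, "t": c["t"] - 1, "r": c["r"] + 1,
                "cnt": c["cnt"] + 1, "lock": False}
    return None

def smaller(c):
    # all configurations below c: counters may only decrease, Booleans are equal
    nums = ("t", "r", "w", "cnt")
    for vals in product(*(range(c[k] + 1) for k in nums)):
        yield {**dict(zip(nums, vals)), "lock": c["lock"]}

def abstract_post(c, rule):
    # monotonic abstraction: c may use the transitions of any smaller configuration
    return [s for s in (rule(c2) for c2 in smaller(c)) if s is not None]

c = {"t": 2, "r": 0, "w": 0, "cnt": 1, "lock": True}
print(r1(c))                      # None: r1 needs cnt = 0
print(len(abstract_post(c, r1)))  # 2: two smaller configurations enable r1
```

The two enabling configurations are the ones with cnt lowered to 0 and t ∈ {1, 2}; this is exactly the imprecision that the refinement of Section 3.2 later constrains.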
3.2 Refinement of the Abstraction
Figure 2 gives an overview of the counterexample-guided abstraction refinement (CEGAR) algorithm. The algorithm works fully automatically and iteratively.
[Figure: the reachability checker (Algorithm 1) takes (C, −→) and ⪯0 and either answers "Safe" or passes "No" with a trace to the counterexample analyzer (Algorithm 2); the analyzer answers "Real Error" with the trace, or "Spurious Error" with a strengthened ordering ⪯i that is fed back to the reachability checker.]

Fig. 2. An overview of the CEGAR algorithm (Algorithm 3)
In the beginning, a transition system (C, −→) and an initial preorder ⪯0 (which equals the preorder ⪯ defined in the previous subsection) are given. The CEGAR algorithm (Algorithm 3) consists of two main modules, the reachability checker (Algorithm 1) and the counterexample analyzer (Algorithm 2). In the ith iteration of the CEGAR algorithm, the reachability checker tests if bad configurations are reachable in the abstract transition system obtained from monotonic abstraction with the preorder ⪯i−1. In case bad configurations are reachable, a counterexample is sent to the counterexample analyzer, which reports either "Real Error" or "Spurious Error". The latter comes with a strengthened order ⪯i (i.e., ⪯i ⊂ ⪯i−1). The strengthened order ⪯i will then be used in the (i+1)th iteration of the CEGAR loop. Below we describe informally how ⪯i−1 is strengthened to ⪯i. The formal details are given in Section 4.

Strengthening the Preorder. As an example, we demonstrate using the protocol of Fig. 1 how to obtain ⪯1 from ⪯0. The set of bad configurations Bad = {c | c(r) ≥ 1 ∧ c(w) ≥ 1} contains all configurations with at least one process in the "write" state and one process in the "read" state. The set of initial configurations Init = {c | c(w) = c(r) = c(cnt) = 0 ∧ c(lock)} contains all configurations where all processes are in the "think" state, the value of cnt equals 0, and the lock is available.
[Figure: the abstract trace B4 ⇝^{r1} B3 ⇝^{r2} B2 ⇝^{r4} B1 ⇝^{w1} Bad, where B4 = {c | c(lock) ∧ c(t) ≥ 2}, B3 = {c | ¬c(lock) ∧ c(cnt) ≥ 1 ∧ c(t) ≥ 1 ∧ c(r) ≥ 1}, B2 = {c | ¬c(lock) ∧ c(cnt) ≥ 1 ∧ c(r) ≥ 2}, B1 = {c | c(lock) ∧ c(r) ≥ 1 ∧ c(t) ≥ 1}, and Bad = {c | c(w) ≥ 1 ∧ c(r) ≥ 1}.]

Fig. 3. The counterexample produced by backward reachability analysis on the readers and writers protocol. Notice that in the counterexample, Init ∩ B4 ≠ ∅.
In iteration 1 of the CEGAR algorithm, the reachability checker produces a counterexample (described in Fig. 3) and sends it to the counterexample analyzer. More precisely, the reachability checker starts from the set Bad and finds the set B1, which contains all configurations that have (abstract) transitions ⇝^{w1} to the set Bad. That is, each configuration in B1 either has a concrete transition −→^{w1} to Bad or has some smaller configuration (w.r.t. ⪯0) with a concrete transition −→^{w1} to Bad. It then continues the search from B1 and finds the set B2 of configurations that have (abstract) transitions ⇝^{r4} to B1. The sets B3 and B4 can be found in a similar way. The search stops when B4 is found, since B4 ∩ Init ≠ ∅. The counterexample analyzer simulates the received counterexample in the concrete transition system. We illustrate this scenario in Fig. 4. It starts from the set of configurations F4 = Init ∩ B4 ¹ and checks if any bad configurations can be reached following a sequence of transitions −→^{r1}; −→^{r2}; −→^{r4}; −→^{w1}. Starting from F4, it
¹ The set of initial configurations that can reach bad configurations following the sequence of transitions ⇝^{r1}; ⇝^{r2}; ⇝^{r4}; ⇝^{w1} in the abstract transition system.
[Figure: simulating the trace forward: F4 = Init ∩ B4 −→^{r1} F3 ⊆ B3 −→^{r2} F2 ⊆ B2; F2 is stuck, while the disjoint set F2′ ⊆ B2 has transitions −→^{r4} to B1; the "Safety Zone" S contains F2 and excludes F2′.]

Fig. 4. Simulating the counterexample on the concrete system. Here F4 = Init ∩ B4 = {c | c(t) ≥ 2 ∧ c(w) = c(r) = c(cnt) = 0 ∧ c(lock)}, F3 = {c | c(t) ≥ 1 ∧ c(w) = 0 ∧ c(r) = c(cnt) = 1 ∧ ¬c(lock)}, F2 = {c | c(cnt) = c(r) = 2 ∧ c(w) = 0 ∧ ¬c(lock)}, and F2′ = {c | c(cnt) = 1 ∧ c(r) ≥ 1 ∧ ¬c(lock)}.
finds the set F3, which is a subset of B3 and which can be reached from F4 via the transition −→^{r1}. It continues from F3 and then finds the set F2 in a similar manner via the transition −→^{r2}. However, there exists no transition −→^{r4} starting from any configuration in F2 = {c | c(cnt) = c(r) = 2 ∧ c(w) = 0 ∧ ¬c(lock)}. Hence the simulation stops here and concludes that the counterexample is spurious. In the abstract transition system, all configurations in F2 are able to reach B1 via the transition ⇝^{r4}, and from B1 they can reach Bad via the transition ⇝^{w1}. Notice that there exists no concrete transition −→^{r4} from F2 to B1, but the abstract transition ⇝^{r4} from F2 to B1 does exist. The reason is that all configurations in F2 have some smaller configuration (w.r.t. ⪯0) with a transition −→^{r4} to B1. Let F2′ be the set of configurations that indeed have some transition −→^{r4} to B1. It is clear that F2 and F2′ are disjoint. Therefore, we can remove the spurious counterexample by preventing configurations in F2 from falling to some configuration in F2′ (thus also preventing them from reaching B1). This can be achieved by first defining a set of configurations S, called a "Safety Zone", with F2 ⊆ S and F2′ ∩ S = ∅, and then using it to strengthen the preorder ⪯0, i.e., letting ⪯1 := {(c, c′) | c ⪯0 c′ and c′ ∈ S ⇒ c ∈ S}. In Section 4, we will explain how to use interpolation techniques [28,26] in order to automatically obtain a "Safety Zone" from a counterexample.
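The effect of the strengthening on this example can be replayed concretely. In the sketch below (our encoding; cnt ≥ 2 is one plausible interpolant-style "Safety Zone" separating F2 from F2′, not a formula stated in the paper), the strengthened preorder no longer relates a configuration of F2′ to one of F2:

```python
def leq0(c1, c2):
    # the initial preorder: componentwise on counters, equality on Booleans
    return (all(c1[k] <= c2[k] for k in ("t", "r", "w", "cnt"))
            and c1["lock"] == c2["lock"])

def strengthen(leq, in_zone):
    # c1 <=_S c2 iff c1 <= c2 and (c2 in S implies c1 in S)
    return lambda c1, c2: leq(c1, c2) and (not in_zone(c2) or in_zone(c1))

# assumed "Safety Zone" for this example: S = { c | c(cnt) >= 2 }
leq1 = strengthen(leq0, lambda c: c["cnt"] >= 2)

c_f2p = {"t": 0, "r": 1, "w": 0, "cnt": 1, "lock": False}  # in F2': has an r4 step
c_f2  = {"t": 0, "r": 2, "w": 0, "cnt": 2, "lock": False}  # in F2 : stuck
print(leq0(c_f2p, c_f2))  # True : under <=_0, c_f2 inherits the r4 step of c_f2p
print(leq1(c_f2p, c_f2))  # False: the strengthened preorder blocks the inheritance
```

Blocking this single relation pair is exactly what removes the abstract transition ⇝^{r4} from F2 to B1.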
4 The Algorithm
In this section, we describe our CEGAR algorithm for monotonic abstraction. First, we define some concepts that will be used in the algorithm. Then, we explain the two main modules, the reachability checker and the counterexample analyzer. The reachability checker (Algorithm 1) is the backward reachability analysis algorithm on monotonic systems [2], which is applicable since the abstraction induces a monotonic transition system. The counterexample analyzer (Algorithm 2) checks a counterexample and extracts a "Safety Zone" from the counterexample if it is spurious. The CEGAR algorithm (Algorithm 3) is obtained by composing the above two algorithms. In the rest of the section, we assume a parameterized system P = (Q, T, X) that induces a transition system (C, −→).
4.1 Definitions
A substitution is a set {x1 ← e1, x2 ← e2, . . . , xn ← en} of pairs, where xi is a variable and ei is a variable or a value of the same type as xi for all 1 ≤ i ≤ n. We assume that all variables are distinct, i.e., xi ≠ xj if i ≠ j. For a formula θ and a substitution S, we use θ[S] to denote the formula obtained from θ by simultaneously replacing all free occurrences of xi by ei for all xi ← ei ∈ S. For example, if θ = (x1 > x3) ∧ (x2 + x3 ≤ 10), then θ[x1 ← y1, x2 ← 3, x3 ← y2] = (y1 > y2) ∧ (3 + y2 ≤ 10). Below we define the concept of a constraint, a symbolic representation of sets of configurations which we use in our algorithm. In this section, we define a number of operations on constraints. In Section 5, we show how to compute those operations. We use Q# to denote the set {q# | q ∈ Q} of variables ranging over N, in which each variable q# is used to denote the number of processes in the state q. Define the set of formulae Φ := {φN ∧ φB | φN ∈ N(Q# ∪ XN), φB ∈ B(XB)}; each formula in Φ is a constraint that characterizes a potentially infinite set of configurations. Let φ be a constraint and c be a configuration. We write c ⊨ φ if φ[{q# ← c(q) | q ∈ Q}][{x ← c(x) | x ∈ XN}][{b ← c(b) | b ∈ XB}] is a valid formula. We define the set of configurations characterized by φ as [[φ]] := {c | c ∈ C ∧ c ⊨ φ}. We define an entailment relation ⊑ on constraints, where φ1 ⊑ φ2 iff [[φ1]] ⊆ [[φ2]]. We assume that the sets of initial configurations Init and bad configurations Bad can be characterized by the constraints φInit and φBad, respectively. For a constraint φ, the function Pret(φ) returns a constraint characterizing the set {c | ∃c′ ∈ [[φ]] ∧ c −→^t c′}, i.e., the set of configurations from which we can reach a configuration in [[φ]] via transitions in −→^t, and Postt(φ) returns a constraint characterizing the set {c | ∃c′ ∈ [[φ]] ∧ c′ −→^t c}, i.e., the set of configurations that can be reached from some configuration in [[φ]] via transitions in −→^t.
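The simultaneous (one-pass) nature of θ[S] defined above can be sketched in a few lines (an illustrative Python helper on formulas-as-strings, not part of the paper's toolchain):

```python
import re

def subst(theta, sub):
    # theta[S]: replace all occurrences of each x_i by e_i in a single pass,
    # so that freshly inserted right-hand sides are never substituted again
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, sub)) + r")\b")
    return pattern.sub(lambda m: str(sub[m.group(1)]), theta)

theta = "(x1 > x3) and (x2 + x3 <= 10)"
print(subst(theta, {"x1": "y1", "x2": "3", "x3": "y2"}))
# (y1 > y2) and (3 + y2 <= 10)
```

A single regex pass is what makes the substitution simultaneous: subst("x + y", {"x": "y", "y": "x"}) correctly swaps the variables instead of collapsing them.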
For a constraint φ and a preorder ⪯ on the set of configurations, the function Up⪯(φ) returns a constraint such that [[Up⪯(φ)]] = {c′ | ∃c ∈ [[φ]] ∧ c ⪯ c′}, i.e., the upward closure of [[φ]] w.r.t. the ordering ⪯. A trace (from φ1 to φn+1) in the abstract transition system induced by monotonic abstraction and the preorder ⪯ is a sequence φ1; t1; . . . ; φn; tn; φn+1, where φi = Up⪯(Preti(φi+1)) and ti ∈ T for all 1 ≤ i ≤ n. A counterexample (w.r.t. ⪯) is a trace φ1; t1; . . . ; φn; tn; φn+1 with [[φ1]] ∩ [[φInit]] ≠ ∅ and φn+1 = φBad. We use Var(φ) to denote the set of variables that appear in the constraint φ. Given two constraints φA and φB such that φA ∧ φB is unsatisfiable, an interpolant φ of (φA, φB) (denoted as ITP(φA, φB)) is a formula that satisfies (1) φA ⇒ φ, (2) φ ∧ φB is unsatisfiable, and (3) Var(φ) ⊆ Var(φA) ∩ Var(φB). Such an interpolant can be found automatically, e.g., using off-the-shelf interpolating solvers such as FOCI [28] and CLP-prover [29]. In particular, since φA, φB ∈ Φ, if we use the "split solver" algorithm equipped with the theory of difference bounds [26] to compute an interpolant, the result will always be a formula in Φ (i.e., a constraint).
4.2 The Reachability Checker
Algorithm 1. The reachability checker

input : A preorder ⪯ over configurations, constraints φInit and φBad
output: "Safe" or "No" with a counterexample φ1; t1; . . . ; φn; tn; φBad

1  Next := {(φBad, φBad)}, Processed := {};
2  while Next is not empty do
3      Pick and remove a pair (φCur, Trace) from Next and add it to Processed;
4      if [[φCur ∧ φInit]] ≠ ∅ then return "No", Trace;
5      foreach t ∈ T do
6          φPre = Up⪯(Pret(φCur));
7          old = ∃(φ, •) ∈ Next ∪ Processed. φPre ⊑ φ;
8          if ¬old then Add (φPre, φPre; t; Trace) to Next;
9  return "Safe";
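The flavor of this backward search can be seen on a small vector-addition toy, where an upward-closed set is represented by its finitely many minimal elements w.r.t. the componentwise order. The sketch uses our own simplifications: guards are lower bounds only, so the system is already monotonic and no explicit Up operation is needed:

```python
def leq(a, b):
    return all(x <= y for x, y in zip(a, b))

def pre_min(m, g, d):
    # minimal predecessor of the upward closure of m under rule (guard g, delta d):
    # c must be fireable (c >= g) and satisfy c + d >= m, i.e. c >= m - d
    return tuple(max(gi, mi - di, 0) for gi, mi, di in zip(g, m, d))

def backward_reach(bad_mins, rules):
    # backward fixpoint on minimal elements; termination follows from the WQO
    mins, work = set(bad_mins), list(bad_mins)
    while work:
        m = work.pop()
        for g, d in rules:
            p = pre_min(m, g, d)
            if any(leq(x, p) for x in mins):
                continue                      # subsumed by an existing element
            mins = {x for x in mins if not leq(p, x)} | {p}
            work.append(p)
    return mins

# toy mutex, configuration = (#think, #crit, #token)
acquire = ((1, 0, 1), (-1, 1, -1))
release = ((0, 1, 0), (1, -1, 1))
mins = backward_reach([(0, 2, 0)], [acquire, release])   # Bad: crit >= 2
print(sorted(mins))
# [(0, 2, 0), (1, 1, 1), (2, 0, 2)]
print(any(leq(m, (5, 0, 1)) for m in mins))
# False: no initial configuration (n, 0, 1) is covered, so the mutex is safe
```

The subsumption test on minimal elements plays the role of the entailment check ⊑ in Line 7 of Algorithm 1.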
Let ⪯ be a preorder on C and (C, ⇝) be the abstract transition system induced by the parameterized system P and the preorder ⪯. Algorithm 1 checks if the set [[φInit]] is backward reachable from [[φBad]] in the abstract transition system (C, ⇝). It answers "Safe" if none of the initial configurations is backward reachable. Otherwise, it answers "No". In the latter case, it returns a counterexample φ1; t1; . . . ; φn; tn; φBad. The algorithm uses a set Next to store constraints characterizing the sets of configurations from which it will continue the backward search. Each element in Next is a pair (φ, Trace), where φ is a constraint characterizing a set of backward reachable configurations (in the abstract transition system) and Trace is a trace from φ to φBad. Initially, the algorithm puts in Next the constraint φBad, which describes the bad configurations, together with a trace containing a single element, namely φBad itself (Line 1). In each loop iteration (except the last one), it picks a constraint φCur (together with a trace to φBad) from Next (Line 3). For each transition rule t ∈ T, the algorithm finds a constraint φPre characterizing the set of configurations backward reachable from [[φCur]] via ⇝^t (Line 6). If there exists no constraint in Next or Processed that is larger than φPre (w.r.t. ⊑), then φPre (together with a trace to φBad) is added to Next (Lines 7–8).

4.3 The Counterexample Analyzer
Given a counterexample φ1; t1; . . . ; φn; tn; φn+1, Algorithm 2 checks whether it is spurious or not. If it is spurious, the algorithm returns a constraint φS that describes a "Safety Zone" that will be used to strengthen the preorder. As we explained in Section 3, we simulate the counterexample forwards (Lines 1–6). The algorithm begins with the constraint φ1 ∧ φInit. If the counterexample is spurious, we will find a constraint φ in the ith loop iteration for some i : 1 ≤ i ≤ n such that none of the configurations in [[φ]] has a transition −→^{ti} to [[φi+1]] (Line 3). In this case, it computes the constraint φ′ characterizing the set of configurations with transitions −→^{ti} to [[φi+1]] (Line 4) and then computes a constraint characterizing a "Safety Zone".
Algorithm 2. The counterexample analyzer

input : A counterexample φ1; t1; . . . ; φn; tn; φn+1
output: "Real Error" or "Spurious Error" with a constraint φS

1  φ = φ1 ∧ φInit;
2  for i = 1 to n do
3      if [[Postti(φ)]] = ∅ then
4          φ′ = Preti(φi+1);
5          return "Spurious Error", ITP(φ, φ′);
6      φ = Postti(φ) ∧ φi+1;
7  return "Real Error";
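A minimal executable rendering of the analyzer, with explicit sets standing in for constraints and a toy one-rule transition system of our own (where the real algorithm returns the interpolant ITP(φ, φ′), the sketch simply returns the pair (φ, φ′)):

```python
TRANS = {"t0": {(0, 3)}}     # toy concrete system with one rule t0: 0 -> 3

def post(t, s):
    return {b for (a, b) in TRANS[t] if a in s}

def pre(t, s):
    return {a for (a, b) in TRANS[t] if b in s}

def analyze(phis, rules, init):
    # phis = [phi_1, ..., phi_{n+1}], rules = [t_1, ..., t_n]: a counterexample
    phi = phis[0] & init
    for i, t in enumerate(rules):
        if not post(t, phi):
            # the step cannot be replayed concretely; the real algorithm
            # would return ITP(phi, pre(t, phi_{i+1})) at this point
            return "Spurious Error", (phi, pre(t, phis[i + 1]))
        phi = post(t, phi) & phis[i + 1]
    return "Real Error", None

print(analyze([{0, 1, 2, 3}, {3}], ["t0"], {2}))
# ('Spurious Error', ({2}, {0}))
```

Here configuration 2 has no concrete successor, so the abstract one-step counterexample from {2} into {3} is diagnosed as spurious, and any set containing {2} and disjoint from {0} would serve as a "Safety Zone".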
As we explained in Section 3, a "Safety Zone" is a set S of configurations that satisfies (1) [[φ]] ⊆ S and (2) S ∩ [[φ′]] = ∅. Therefore, the constraint φS characterizing the "Safety Zone" should satisfy (1) φ ⇒ φS and (2) φS ∧ φ′ is not satisfiable. The interpolant of (φ, φ′) is a natural choice of φS that satisfies these two conditions. Hence, in this case the algorithm returns ITP(φ, φ′) (Line 5). If the above case does not occur, the algorithm computes a constraint characterizing the next set of forward reachable configurations in the counterexample (Line 6) and proceeds to the next loop iteration. It returns "Real Error" (Line 7) if the above case never occurs during the forward simulation.

4.4 The CEGAR Algorithm of Monotonic Abstraction
Algorithm 3. A CEGAR algorithm for monotonic abstraction

input : An initial preorder ⪯0 over configurations, constraints φInit and φBad
output: "Safe" or "Real Error" with a counterexample φ1; t1; . . . ; φn; tn; φBad

1   i = 0;
2   while true do
3       result = ReachabilityChecker(⪯i, φInit, φBad);
4       if result = "No", Trace then
5           type = CounterexampleAnalyzer(Trace);
6           if type = "Spurious Error", φS then
7               i = i + 1;
8               ⪯i := Str(⪯i−1, φS);
9           else return "Real Error", Trace
10      else return "Safe"
In Algorithm 3, we describe the CEGAR approach for monotonic abstraction with the initial preorder ⪯0. As described in Section 3, the algorithm works iteratively. In the ith iteration, in Line 3, we invoke the reachability checker (Algorithm 1) using the preorder ⪯i−1. When a counterexample is found, the counterexample analyzer (Algorithm 2) is invoked to figure out whether the counterexample is real or spurious. In the latter case, the counterexample analyzer generates a constraint characterizing a "Safety Zone", from which Algorithm 3 computes a strengthened preorder ⪯i (Lines 7 and 8). The function Str(⪯i−1, φS) in Line 8 strengthens the preorder ⪯i−1 by the set of configurations [[φS]].
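The whole loop can be exercised end to end on a four-configuration toy of our own design: explicit sets stand in for constraints, plain ≤ for the preorder, and the stuck set itself is used as a "Safety Zone" where the paper computes an interpolant (single-step traces suffice for this example, so Algorithm 2 collapses to one check):

```python
CONFIGS = range(4)
TRANS = {(0, 3)}                  # the only concrete transition: 0 -> 3
INIT, BAD = {2}, {3}
ZONES = []                        # "Safety Zones" collected by refinement

def leq(a, b):                    # current (possibly strengthened) preorder
    return a <= b and all((b in S) <= (a in S) for S in ZONES)

def abstract_pre(target):
    # c steps abstractly into target if some leq-smaller a steps concretely
    return {c for c in CONFIGS
            if any(leq(a, c) and b in target for (a, b) in TRANS)}

def backward_check():             # Algorithm 1 on explicit sets
    reach = set(BAD)
    while not (reach & INIT):
        new = reach | abstract_pre(reach)
        if new == reach:
            return "Safe", None
        reach = new
    return "No", reach

def cegar():                      # Algorithm 3 for this single-rule toy
    while True:
        verdict, reach = backward_check()
        if verdict == "Safe":
            return "Safe"
        F = INIT & reach          # head of the abstract counterexample
        if any(a in F and b in BAD for (a, b) in TRANS):
            return "Real Error"   # the abstract step replays concretely
        ZONES.append(F)           # stuck set as zone; the paper uses ITP here

print(cegar())                    # Safe
```

The first iteration reports a spurious counterexample (configuration 2 inherits the transition of the smaller configuration 0); after strengthening with the zone {2}, the backward search no longer reaches INIT and the loop answers "Safe".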
5 Constraint Operations
In this section we explain how to compute all the constraint operations used in the algorithms of Section 4. Recall that Φ denotes the set of formulae {φN ∧ φB | φN ∈ N(Q# ∪ XN), φB ∈ B(XB)}, where each formula in Φ is a constraint representing a set of configurations. We define Ψ := {φN ∧ φB | φN ∈ N(Q# ∪ Q#′ ∪ XN ∪ X′N), φB ∈ B(XB ∪ X′B)}, where each formula in Ψ defines a relation between sets of configurations. Observe that formulae in Φ and in Ψ are closed under the Boolean connectives and substitution.

Lemma 1. [19] Both Φ and Ψ are closed under projection (existential quantification) and the projection functions are computable.

Lemma 2. [19] The satisfiability problem of formulae in Φ and Ψ is decidable.

Below we explain how to perform the constraint operations used in the algorithms of Section 4. For notational simplicity, we define V := Q# ∪ XN ∪ XB and V′ := Q#′ ∪ X′N ∪ X′B. Let φ be a formula in Φ (respectively, Ψ) and X a set of variables in V (respectively, V ∪ V′); we use ∃X. φ to denote some formula φ′ in Φ (respectively, Ψ) obtained by the quantifier elimination algorithm (Lemma 1).

Pre and Post. The transition relation −→^t for t = q → r : stmt ∈ T can be described by the formula θt := stmt ∧ q#′ = q# − 1 ∧ r#′ = r# + 1, which is in Ψ. For a constraint φ, Pret(φ) = ∃V′. (θt ∧ φ[{x ← x′ | x ∈ V}]) ∈ Φ and Postt(φ) = (∃V. (θt ∧ φ))[{x′ ← x | x ∈ V}] ∈ Φ. Both functions are computable.

Entailment. Given two constraints φ1 and φ2, we have φ1 ⊑ φ2 iff φ1 ∧ ¬φ2 is unsatisfiable, which can be checked automatically. In practice, constraints can be easily translated into disjunctions of difference bound matrices (DBMs) and hence a sufficient condition for entailment can be checked by standard DBM operations [19].

Intersection with Initial States. Let φInit be a constraint characterizing the initial configurations and φB be a constraint characterizing a set of configurations. We have [[φInit]] ∩ [[φB]] ≠ ∅ iff φInit ∧ φB is satisfiable.
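A sufficient satisfiability and entailment check on conjunctions of difference constraints can be sketched with the standard shortest-path closure of a DBM (an illustrative Python sketch of the underlying domain, not the paper's solver):

```python
INF = float("inf")

def close(n, cons):
    # cons: dict (i, j) -> c meaning x_i - x_j <= c; Floyd-Warshall shortest-path
    # closure yields the tightest implied bounds (the canonical DBM)
    m = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for (i, j), c in cons.items():
        m[i][j] = min(m[i][j], c)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    # a negative diagonal entry means a negative cycle: unsatisfiable
    sat = all(m[i][i] >= 0 for i in range(n))
    return sat, m

def entails(n, cons1, cons2):
    # phi1 entails phi2 iff every bound of phi2 is implied by phi1's closure
    sat, m1 = close(n, cons1)
    if not sat:
        return True              # an unsatisfiable constraint entails everything
    return all(m1[i][j] <= c for (i, j), c in cons2.items())

# x0 - x1 <= 1, x1 - x2 <= -2, x2 - x0 <= 0 has cycle weight -1: unsatisfiable
print(close(3, {(0, 1): 1, (1, 2): -2, (2, 0): 0})[0])   # False
# x0 - x1 <= 1 and x1 - x2 <= 2 together imply x0 - x2 <= 3
print(entails(3, {(0, 1): 1, (1, 2): 2}, {(0, 2): 3}))   # True
```

Comparing closed matrices entrywise is the standard DBM inclusion test alluded to in the Entailment paragraph.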
Strengthening. Here we explain how to strengthen an ordering ⪯ w.r.t. a constraint φS ∈ Φ, provided that ⪯ is expressed as a formula φ⪯ ∈ Ψ. The strengthened order can be expressed as the formula φ⪯S := φ⪯ ∧ (φS ∨ ¬φS[{x ← x′ | x ∈ V}]). Intuitively, for two configurations c1 and c2, the formula says that c1 ⪯S c2 iff c1 ⪯ c2 and either c1 is in the "Safety Zone" or c2 is not in the "Safety Zone".

Remark 1. The initial preorder ⪯0 of our algorithm can be expressed as the formula ⋀_{x ∈ Q# ∪ XN} x ≤ x′ ∧ ⋀_{b ∈ XB} ((b ∧ b′) ∨ (¬b ∧ ¬b′)), which is in Ψ. The constraint extracted from each spurious counterexample is in Φ if the algorithm in [26] is used to compute the interpolant. Since the initial preorder is a formula in Ψ and the constraint used for strengthening is in Φ, the formula for the strengthened order is always in Ψ and computable.
Upward Closure. We assume that the ordering ⪯ is expressed as a formula φ⪯ ∈ Ψ and the constraint φ ∈ Φ. The upward closure of φ w.r.t. ⪯ can be captured as Up⪯(φ) := (∃V. (φ⪯ ∧ φ))[{x′ ← x | x ∈ V}], which is in Φ.
6 Termination
In this section, we show that each loop iteration of our CEGAR algorithm terminates. We can show by Dickson's lemma [18] that the initial preorder ⪯0 is a WQO. An ordering ⪯ over configurations is a WQO iff for any infinite sequence c0, c1, c2, . . . of configurations, there are i and j such that i < j and ci ⪯ cj. Moreover, we can show that the strengthening of a preorder also preserves WQO.

Lemma 3. Let S be a set of configurations. If ⪯ is a WQO over configurations then ⪯S is also a WQO over configurations.

If a transition system is monotonic w.r.t. a WQO over configurations, backward reachability analysis, which is essentially a fixpoint calculation, terminates within a finite number of iterations [2]. The abstract transition system is monotonic. In Section 5, we showed that all the constraint operations used in the algorithms are computable. Therefore, in each iteration of the CEGAR algorithm, the termination of the reachability checker (Algorithm 1) is guaranteed. Since the length of a counterexample is finite, the termination of the counterexample analyzer (Algorithm 2) is also guaranteed. Hence, we have the following lemma.

Lemma 4. Each loop iteration of the CEGAR algorithm (Algorithm 3) is guaranteed to terminate.
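The WQO definition is directly testable on finite prefixes. The helper below (ours, purely illustrative) searches a sequence over N^k for the dominating pair that Dickson's lemma guarantees must appear in any infinite sequence:

```python
def dominating_pair(seq, leq):
    # a WQO guarantees that every infinite sequence has i < j with c_i <= c_j;
    # scan a (finite prefix of a) sequence for the first such pair
    for j in range(len(seq)):
        for i in range(j):
            if leq(seq[i], seq[j]):
                return i, j
    return None

leq = lambda a, b: all(x <= y for x, y in zip(a, b))  # componentwise: Dickson
print(dominating_pair([(3, 0), (2, 1), (1, 2), (0, 3), (2, 2)], leq))
# (1, 4): (2, 1) <= (2, 2)
```

A finite prefix may of course contain no such pair (an antichain), but no infinite sequence can avoid one, which is exactly what bounds the number of iterations of the backward fixpoint.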
7 Extension
The model described in Section 2 can be extended to allow some additional features, for example: (1) dynamic creation of processes · → q : stmt, (2) dynamic deletion of processes q → · : stmt, and (3) synchronous movement q1, q2, . . . , qn → r1, r2, . . . , rn : stmt. Moreover, the language of the statement can be extended to any formula in Presburger arithmetic. For all of the new features, we can use the same constraint operations as in Section 5: the extended transition rules can still be described using formulae in Ψ, since Presburger arithmetic is closed under Boolean connectives, substitution, and projection, and all the mentioned operations are computable.
8 Case Studies and Experimental Results
We have implemented a prototype and tested it on several case studies of classical synchronization schemes and reference counting schemes, which include the
Table 1. Summary of experiments on case studies. Interpolant denotes the kind of interpolant prover we use, where DBM denotes the difference bound matrix based solver, and CLP denotes CLP-prover. Pass indicates whether the refinement procedure terminates with the specific interpolant prover. Time is the execution time of the program, measured by the bash time command. #ref is the number of refinements needed to verify the property. #cons is the total number of constraints generated by the reachability checker. For each model, we use #t, #l, #s to denote the number of transitions, the number of local variables, and the number of shared variables, respectively. All case studies are described in detail in the tech. report [3].

model                      interpolant  pass  time      #ref  #cons  #t  #l  #s
readers/writers            DBM          √     0.04 sec  1     90     6   5   2
                           CLP          √     0.08 sec  1     90
refined readers/writers    DBM          √     3.9 sec   2     3037   8   5   3
(priority to readers)      CLP          X
refined readers/writers    DBM          √     3.5 sec   1     2996   12  7   5
(priority to writers)      CLP          √     68 sec    4     39191
sleeping barbers           DBM          √     3.9 sec   1     1518   10  15  1
                           CLP          √     4.1 sec   1     1518
pmap reference counting    DBM          √     0.1 sec   1     249    25  4   7
                           CLP          √     0.1 sec   1     249
reference counting gc      DBM          √     0.02 sec  1     19     7   4   1
                           CLP          √     0.05 sec  1     19
missionary & cannibals     DBM          X                             7   7   1
                           CLP          √     0.1 sec   3     86
swimming pool v2           DBM          √     0.2 sec   2     59     6   0   10
                           CLP          √     0.2 sec   2     55
readers/writers protocol, the sleeping barbers problem, the missionaries/cannibals problem [11], the swimming pool protocol [11,23], and virtual memory management. These case studies make use of shared counters (in some cases protected by semaphores) to keep track of the number of current references to a given resource. Monotonic abstraction returns spurious counterexamples for all the case studies. In our experiments, we use two interpolating procedures to refine the abstraction. One is a home-made interpolant solver based on difference bound matrices [26]; the other is CLP-prover [29], an interpolant solver based on constraint logic programming. The results, obtained on an Intel Xeon 2.66GHz processor with 8GB memory, are listed in Table 1. They show that our CEGAR method efficiently verifies many examples in a completely automatic manner. We compare our approach with three related tools: the ALV tool [14], the Interproc Analyzer [24], and FASTer [11], based on several examples (and their variants) from our case studies. The results are summarized in Table 2. Note that these tools either perform an exact forward analysis where the invariant is exactly represented (FASTer), or try to capture all possible invariants of a certain form (ALV and the Interproc Analyzer). In these two approaches, the verification of the property is deduced from the sometimes expensively generated invariants. The main difference between our approach and the other ones is that
Table 2. Summary of tool comparisons. For cma, we selected the best results among the ones obtained from DBM and CLP. For FASTer, we tested our examples with the library Mona and the backward search strategy. For the other tools, we used the default settings. In our experiments, ALV output "unable to verify" for the missionaries/cannibals model and failed to verify the other test cases after one day of execution. FASTer failed to verify four of the six test cases within a memory limit of 8GB. Interproc Analyzer gave false positives for examples other than the swimming pool protocol and the missionaries/cannibals model; that is, it proved reachability for models where the bad states were not reachable.

Model                      Tool       Pass  Result
swimming pool protocol v2  cma        √     0.2 sec
                           FASTer     X     oom
                           Interproc  √     2.7 sec
                           ALV        X     timeout
pmap reference counting    cma        √     0.1 sec
                           FASTer     √     85 sec
                           Interproc  X     false positive
                           ALV        X     timeout
missionary & cannibals     cma        √     0.1 sec
                           FASTer     X     oom
                           Interproc  √     2 sec
                           ALV        X     cannot verify
readers writers            cma        √     3.9 sec
(pri. readers)             FASTer     √     3 min 44 sec
                           Interproc  X     false positive
                           ALV        X     timeout
missionary & cannibals v2  cma        √     0.2 sec
                           FASTer     X     oom
                           Interproc  X     false positive
                           ALV        X     timeout
readers writers            cma        √     0.5 sec
(pri. readers) v2          FASTer     X     oom
                           Interproc  X     false positive
                           ALV        X     timeout
we concentrate on minimal constraints that track the violation of the property at hand. Using upward-closed sets as a symbolic representation efficiently exploits the monotonicity of the abstract system, where the analysis is exact yet efficient.
9 Related and Future Work
We have presented a method for refining monotonic abstraction in the context of verification of safety properties for parameterized systems. We have implemented a prototype based on the method and used it to automatically verify parameterized versions of synchronization and reference counting schemes. Our method adopts an iterative counterexample-guided abstraction refinement (CEGAR) scheme. Abstraction refinement algorithms for forward/backward analysis of well-structured models have been proposed in [25,16]. Our CEGAR scheme is designed instead for undecidable classes of models. Other tools dealing with the verification of similar parameterized systems can be divided into two categories: exact and approximate. In Section 8, we compared our method to a representative from each category. The results confirm the following. Exact techniques, such as FASTer [11], restrict their computations to under-approximations of the set of reachable states. They rely on computing the exact effect of particular categories of loops, like non-nested loops for instance, and may not terminate in general. On the contrary, our method is guaranteed to terminate at each iteration. On the
other hand, approximate techniques like ALV and the Interproc Analyzer [14,24] rely on widening operators in order to ensure termination. Typically, such operators correspond to extrapolations that come with a loss of precision. It is unclear how to refine the obtained over-approximations when false positives appear in parameterized systems like those we study. Also, the refinement method proposed in the present paper allows us to automatically verify new case studies (e.g., reference counting schemes) that cannot be handled by regular model checking [27,17,9,12,30,13], monotonic abstraction [6,4,7] (they give false positives), environment abstraction [15], or invisible invariants [10]. It is important to remark that a distinguishing feature of our method with respect to methods like invisible invariants and environment abstraction is that we operate on abstract models that are still infinite-state, thus trying to reduce the loss of precision in the approximation required to verify a property. We are currently working on extensions of our CEGAR scheme to systems in which processes are linearly ordered. Concerning this point, in [5] we applied a manually supplied strengthening of the subword ordering to automatically verify a formulation of Szymanski's algorithm (defined for ordered processes) with non-atomic updates.
References

1. Abdulla, P.A., Bouajjani, A., Cederberg, J., Haziza, F., Rezine, A.: Monotonic abstraction for programs with dynamic memory heaps. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 341–354. Springer, Heidelberg (2008)
2. Abdulla, P.A., Čerāns, K., Jonsson, B., Tsay, Y.-K.: General decidability theorems for infinite-state systems. In: LICS 1996, pp. 313–321 (1996)
3. Abdulla, P.A., Chen, Y.-F., Delzanno, G., Haziza, F., Hong, C.-D., Rezine, A.: Constrained monotonic abstraction: a CEGAR for parameterized verification. Tech. report 2010-015, Uppsala University, Sweden (2010)
4. Abdulla, P.A., Delzanno, G., Rezine, A.: Parameterized verification of infinite-state processes with global conditions. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 145–157. Springer, Heidelberg (2007)
5. Abdulla, P.A., Delzanno, G., Rezine, A.: Approximated context-sensitive analysis for parameterized verification. In: FMOODS 2009/FORTE 2009, pp. 41–56 (2009)
6. Abdulla, P.A., Henda, N.B., Delzanno, G., Rezine, A.: Regular model checking without transducers (on efficient verification of parameterized systems). In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 721–736. Springer, Heidelberg (2007)
7. Abdulla, P.A., Henda, N.B., Delzanno, G., Rezine, A.: Handling parameterized systems with non-atomic global conditions. In: Logozzo, F., Peled, D.A., Zuck, L.D. (eds.) VMCAI 2008. LNCS, vol. 4905, pp. 22–36. Springer, Heidelberg (2008)
8. Abdulla, P.A., Jonsson, B.: Verifying programs with unreliable channels. Inf. Comput. 127(2), 91–101 (1996)
9. Abdulla, P.A., Jonsson, B., Nilsson, M., d'Orso, J.: Regular model checking made simple and efficient. In: Brim, L., Jančar, P., Křetínský, M., Kučera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 116–130. Springer, Heidelberg (2002)
10. Arons, T., Pnueli, A., Ruah, S., Xu, J., Zuck, L.: Parameterized verification with automatically computed inductive assertions. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 221–234. Springer, Heidelberg (2001)
11. Bardin, S., Leroux, J., Point, G.: FAST extended release. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 63–66. Springer, Heidelberg (2006)
12. Boigelot, B., Legay, A., Wolper, P.: Iterating transducers in the large. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 223–235. Springer, Heidelberg (2003)
13. Bouajjani, A., Habermehl, P., Vojnar, T.: Abstract regular model checking. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 372–386. Springer, Heidelberg (2004)
14. Bultan, T., Yavuz-Kahveci, T.: Action language verifier. In: ASE 2001, p. 382 (2001)
15. Clarke, E., Talupur, M., Veith, H.: Environment abstraction for parameterized verification. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 126–141. Springer, Heidelberg (2005)
16. Cousot, P., Ganty, P., Raskin, J.-F.: Fixpoint-guided abstraction refinements. LNCS. Springer, Heidelberg (2007)
17. Dams, D., Lakhnech, Y., Steffen, M.: Iterating transducers. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 286–297. Springer, Heidelberg (2001)
18. Dickson, L.E.: Finiteness of the odd perfect and primitive abundant numbers with n distinct prime factors. Amer. J. Math. 35, 413–422 (1913)
19. Dill, D.: Timing assumptions and verification of finite-state concurrent systems. In: AVMFSS 1989, pp. 197–212 (1989)
20. Emerson, E., Namjoshi, K.: On model checking for non-deterministic infinite-state systems. In: LICS 1998, pp. 70–80 (1998)
21. Esparza, J., Finkel, A., Mayr, R.: On the verification of broadcast protocols. In: LICS 1999 (1999)
22. Finkel, A., Schnoebelen, P.: Well-structured transition systems everywhere! TCS 256(1-2), 63–92 (2001)
23. Fribourg, L., Olsén, H.: Proving safety properties of infinite state systems by compilation into Presburger arithmetic. In: Mazurkiewicz, A., Winkowski, J. (eds.) CONCUR 1997. LNCS, vol. 1243, pp. 213–227. Springer, Heidelberg (1997)
24. Lalire, G., Argoud, M., Jeannet, B.: A web interface to the Interproc analyzer, http://pop-art.inrialpes.fr/interproc/interprocweb.cgi
25. Geeraerts, G., Raskin, J.-F., Begin, L.V.: Expand, enlarge and check... made efficient. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 394–404. Springer, Heidelberg (2005)
26. Jhala, R., McMillan, K.L.: A practical and complete approach to predicate refinement. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 459–473. Springer, Heidelberg (2006)
27. Kesten, Y., Maler, O., Marcus, M., Pnueli, A., Shahar, E.: Symbolic model checking with rich assertional languages. TCS 256, 93–112 (2001)
28. McMillan, K.L.: An interpolating theorem prover. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 101–121. Springer, Heidelberg (2004)
29. Rybalchenko, A., Sofronie-Stokkermans, V.: Constraint solving for interpolation. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 346–362. Springer, Heidelberg (2007)
30. Touili, T.: Regular Model Checking using Widening Techniques. ENTCS 50(4) (2001)
Information Flow in Interactive Systems

Mário S. Alvim¹, Miguel E. Andrés², and Catuscia Palamidessi¹

¹ INRIA and LIX, École Polytechnique, Palaiseau, France
² Institute for Computing and Information Sciences, The Netherlands
Abstract. We consider the problem of defining the information leakage in interactive systems where secrets and observables can alternate during the computation. We show that the information-theoretic approach which interprets such systems as (simple) noisy channels is not valid anymore. However, the principle can be recovered if we consider more complicated types of channels, which in Information Theory are known as channels with memory and feedback. We show that there is a complete correspondence between interactive systems and this kind of channel. Furthermore, we show that the capacity of the channels associated with such systems is a continuous function of the Kantorovich metric.
1 Introduction

Information leakage refers to the problem that the observable parts of the behavior of a system may reveal information that we would like to keep secret. In recent years, there has been a growing interest in the quantitative aspects of this problem, partly because it is convenient to represent the partial knowledge of the secrets as a probability distribution, and partly because the mechanisms to protect the information may use randomization to obfuscate the relation between the secrets and the observables.

Among the quantitative approaches, some of the most popular ones are based on Information Theory [5,12,4,16]. The system is interpreted as an information-theoretic channel, where the secrets are the input and the observables are the output. The channel matrix is constituted by the conditional probabilities p(b | a), defined as the measure of the executions that give observable b within those which contain the secret a. The leakage is represented by the mutual information, and the worst-case leakage by the capacity of the channel.

In the above works, the secret value is assumed to be chosen at the beginning of the computation. In this paper, we are interested in interactive systems, i.e. systems in which secrets and observables can alternate during the computation and influence each other. Examples of interactive protocols include auction protocols like [21,18,17]. Some of these have become very popular thanks to their integration in Internet-based electronic commerce platforms [9,10,14]. As for interactive programs, examples include web servers, GUI applications, and command-line programs [3].

We investigate the applicability of the information-theoretic approach to interactive systems. In [8] it was proposed to define the matrix elements p(b | a) as the measure of the traces with (secret, observable)-projection (a, b), divided by the measure of the traces with secret projection a.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 102–116, 2010.
© Springer-Verlag Berlin Heidelberg 2010

This follows the definition of conditional probability in terms of joint and marginal probability. However, it does not define an information-theoretic
channel. In fact, by definition a channel should be invariant with respect to the input distribution, and such a construction is not, as shown by the following example.

Example 1. Figure 1 represents a web-based interaction between one seller and two possible buyers, rich and poor. The seller offers two different products, cheap and expensive, with given probabilities. Once the product is offered, each buyer may try to buy the product, with a certain probability. For simplicity we assume that the buyers' offers are exclusive. We assume that the offers are observables, in the sense that they are made public in the website, while the identity of the buyer that actually buys the product should be secret to an external observer. The symbols r, s, t, r̄, s̄, t̄ represent the probabilities, with the convention that r̄ = 1 − r (and similarly for s̄ and t̄). Following [8] we can compute the conditional probabilities as p(b | a) = p(a, b)/p(a), thus obtaining the matrix in Table 1.

[Fig. 1. Interactive System: the seller offers expensive (probability r) or cheap (probability r̄); after cheap, poor bids with probability s and rich with probability s̄; after expensive, poor bids with probability t and rich with probability t̄.]

Table 1. Conditional probabilities of Example 1

           cheap                 expensive
  poor   r̄s / (r̄s + rt)        rt / (r̄s + rt)
  rich   r̄s̄ / (r̄s̄ + rt̄)        rt̄ / (r̄s̄ + rt̄)

However, the matrix is not invariant with respect to the input distribution. For instance, if we fix r = r̄ = 0.5 and consider two different input distributions, obtained by varying the values of (s, t), we get two different matrices of conditional probabilities, which are represented in Table 2. Hence when the secrets occur after the observables we cannot consider the conditional probabilities as representing a (classical) channel, and we cannot apply the standard information-theoretic concepts. In particular, we cannot adopt the (classical) capacity to represent the worst-case leakage, since the capacity is defined using a fixed channel matrix over all possible input distributions.

Table 2. Two different channel matrices induced by two different input distributions

  (a) r = 1/2, s = 2/5, t = 3/5
           cheap   expensive       input distribution
    poor    2/5       3/5          p(poor) = 1/2
    rich    3/5       2/5          p(rich) = 1/2

  (b) r = 1/2, s = 1/10, t = 3/10
           cheap   expensive       input distribution
    poor    1/4       3/4          p(poor) = 1/5
    rich    9/16      7/16         p(rich) = 4/5

The first contribution of this paper is to consider an extension of the theory of channels which makes the information-theoretic approach applicable also to the case of interactive systems. It turns out that a richer notion of channels, known in Information Theory as channels with memory and feedback, serves our purposes. The dependence of inputs on previous outputs corresponds to feedback, and the dependence of outputs on previous inputs and outputs corresponds to memory.
A second contribution of our work is the proof that the channel capacity is a continuous function of the Kantorovich metric on interactive systems. This was pointed out also in [8]; however, their construction does not work in our case due to the fact that
(as far as we understand) it assumes that the probability of a secret action, at any point of the computation, is not 0. This assumption is not guaranteed in our case and therefore we had to proceed differently. A more complete version of this paper (with proofs) is online [1].
2 Preliminaries

2.1 Concepts from Information Theory

For more detailed information on this part we refer to [6]. Let A, B denote two random variables with corresponding probability distributions pA(·), pB(·), respectively. We shall omit the subscripts when they are clear from the context. Let A = {a1, ..., an}, B = {b1, ..., bm} denote, respectively, the sets of possible values for A and for B.

The entropy of A is defined as H(A) = − Σ_i p(ai) log p(ai) and it measures the uncertainty of A. It takes its minimum value H(A) = 0 when pA(·) is a delta of Dirac. The maximum value H(A) = log |A| is obtained when pA(·) is the uniform distribution. Usually the base of the logarithm is set to 2 and the entropy is measured in bits. The conditional entropy of A given B is H(A | B) = − Σ_i p(bi) Σ_j p(aj | bi) log p(aj | bi), and it measures the uncertainty of A when B is known. We can prove that 0 ≤ H(A | B) ≤ H(A). The minimum value, 0, is obtained when A is completely determined by B. The maximum value H(A) is obtained when A and B are independent.

The mutual information between A and B is defined as I(A; B) = H(A) − H(A | B), and it measures the amount of information about A that we gain by observing B. It can be shown that I(A; B) = I(B; A) and 0 ≤ I(A; B) ≤ H(A).

The entropy and mutual information respect the chain laws. Namely, given a sequence of random variables A1, A2, ..., Ak and B, we have:

    H(A1, A2, ..., Ak) = Σ_{i=1}^{k} H(Ai | A1, ..., A_{i−1})    (1)

    I(A1, A2, ..., Ak; B) = Σ_{i=1}^{k} I(Ai; B | A1, ..., A_{i−1})    (2)

A (discrete memoryless) channel is a tuple (A, B, p(·|·)), where A, B are the sets of input and output symbols, respectively, and p(bj | ai) is the probability of observing the output symbol bj when the input symbol is ai. An input distribution p(ai) over A determines, together with the channel, the joint distribution p(ai, bj) = p(bj | ai) · p(ai) and consequently I(A; B). The maximum I(A; B) over all possible input distributions is the channel's capacity. Shannon's famous result states that the capacity coincides with the maximum rate by which information can be transmitted using the channel.

In this paper we consider input and output sequences instead of just symbols.

Convention 1. Let A = {a1, ..., an} be a finite set of n different symbols (alphabet). When we have a sequence of symbols (ordered in time), we use a Greek letter with a subscript, αt, to denote the symbol at time t. The superscript notation α^t stands for the sequence α1 α2 ... αt. For instance, in the sequence a3 a7 a5, we have α2 = a7 and α^2 = a3 a7.
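The quantities just defined can be computed directly for finite distributions. The following sketch (helper names are ours, not from the paper) implements H(A), H(A | B) and I(A; B) = H(A) − H(A | B) for distributions represented as dicts:

```python
from math import log2

def entropy(p):
    """H(A) = -sum_a p(a) log2 p(a), for a distribution given as a dict."""
    return -sum(q * log2(q) for q in p.values() if q > 0)

def mutual_information(joint):
    """I(A;B) = H(A) - H(A|B), from a joint distribution p(a, b)
    given as a dict mapping pairs (a, b) to probabilities."""
    pa, pb = {}, {}
    for (a, b), q in joint.items():
        pa[a] = pa.get(a, 0) + q
        pb[b] = pb.get(b, 0) + q
    # H(A|B) = -sum_{a,b} p(a,b) log2 p(a|b), with p(a|b) = p(a,b)/p(b)
    h_a_given_b = -sum(q * log2(q / pb[b])
                       for (a, b), q in joint.items() if q > 0)
    return entropy(pa) - h_a_given_b

# A fair coin has one bit of entropy.
print(entropy({'h': 0.5, 't': 0.5}))   # 1.0
```

For a joint distribution with independent components the mutual information is 0; when B fully determines A it reaches its maximum H(A).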
Convention 2. Let X be a random variable. X^t denotes the sequence of t consecutive occurrences X1, ..., Xt of the random variable X.

When the channel is used repeatedly, the discrete memoryless channel described above represents the case in which the behavior of the channel at the present time does not depend upon the past history of inputs and outputs. If this assumption does not hold, then we have a channel with memory. Furthermore, if the outputs from the channel can be fed back to the encoder, thus influencing the generation of the next input symbol, then the channel is said to be with feedback; otherwise it is without feedback.

Equation (3) makes explicit the probabilistic behavior of channels with respect to these classifications. Consider a general channel from A to B with associated random variables A for input and B for output. Using the notation introduced in Convention 1, the channel behavior after T uses can be fully described by the joint probability p(α^T, β^T). Using probability laws we derive:

    p(α^T, β^T) = Π_{t=1}^{T} p(αt | α^{t−1}, β^{t−1}) p(βt | α^t, β^{t−1})    (by the expansion law)    (3)

The first term p(αt | α^{t−1}, β^{t−1}) indicates that the probability of αt depends not only on α^{t−1}, but also on β^{t−1} (feedback). The second term p(βt | α^t, β^{t−1}) indicates that the probability of each βt depends on the previous history of inputs α^t and outputs β^{t−1} (memory). If the channel is without feedback, then we have p(αt | α^{t−1}, β^{t−1}) = p(αt | α^{t−1}), and if the channel is also without memory, then we have p(βt | α^t, β^{t−1}) = p(βt | αt). From these we derive p(β^T | α^T) = Π_{t=1}^{T} p(βt | αt), which is the classic equation for discrete memoryless channels without feedback.

Let (V, K) be a Borel space and let (X, B_X) and (Y, B_Y) be Polish spaces equipped with their Borel σ-algebras. Let ρ(dx | v) be a family of measures on X given V. Then ρ(dx | v) is a stochastic kernel if and only if ρ(· | v) is a random variable from V into the power set P(X).

2.2 Probabilistic Automata

A function μ : S → [0, 1] is a discrete probability distribution on a countable set S if Σ_{s∈S} μ(s) = 1 and μ(s) ≥ 0 for all s. The set of all discrete probability distributions on S is D(S).

A probabilistic automaton [15] is a quadruple M = (S, L, ŝ, ϑ) where S is a countable set of states, L a finite set of labels or actions, ŝ the initial state, and ϑ a transition function ϑ : S → ℘f(D(L × S)). Here ℘f(X) is the set of all finite subsets of X. If ϑ(s) = ∅ then s is a terminal state. We write s → μ for μ ∈ ϑ(s), s ∈ S. Moreover, we write s −ℓ→ r for s, r ∈ S whenever s → μ and μ(ℓ, r) > 0. A fully probabilistic automaton is a probabilistic automaton satisfying |ϑ(s)| ≤ 1 for all states. When ϑ(s) ≠ ∅ we overload the notation and denote by ϑ(s) the distribution outgoing from s.
A path in a probabilistic automaton is a sequence σ = s0 −ℓ1→ s1 −ℓ2→ ··· where si ∈ S, ℓi ∈ L and si −ℓ_{i+1}→ s_{i+1}. A path can be finite, in which case it ends with a state. A path is complete if it is either infinite or finite ending in a terminal state. Given a
finite path σ, last(σ) denotes its last state. Let Paths_s(M) denote the set of all paths, Paths*_s(M) the set of all finite paths, and CPaths_s(M) the set of all complete paths of an automaton M, starting from the state s. We will omit s if s = ŝ. Paths are ordered by the prefix relation, which we denote by ≤. The trace of a path is the sequence of actions in L* ∪ L∞ obtained by removing the states; hence for the above σ we have trace(σ) = ℓ1 ℓ2 .... If L′ ⊆ L, then trace_{L′}(σ) is the projection of trace(σ) on the elements of L′.

Let M = (S, L, ŝ, ϑ) be a (fully) probabilistic automaton, s ∈ S a state, and let σ ∈ Paths*_s(M) be a finite path starting in s. The cone generated by σ is the set of complete paths ⟨σ⟩ = {σ′ ∈ CPaths_s(M) | σ ≤ σ′}. Given a fully probabilistic automaton M = (S, L, ŝ, ϑ) and a state s, we can calculate the probability value, denoted by Ps(σ), of any finite path σ starting in s as follows: Ps(s) = 1 and Ps(σ −ℓ→ s′) = Ps(σ) · μ(ℓ, s′), where last(σ) → μ.

Let Ω_s ≜ CPaths_s(M) be the sample space, and let F_s be the smallest σ-algebra generated by the cones. Then P induces a unique probability measure on F_s (which we will also denote by Ps) such that Ps(⟨σ⟩) = Ps(σ) for every finite path σ starting in s. For s = ŝ we write P instead of P_ŝ.

Given a probability space (Ω, F, P) and two events A, B ∈ F with P(B) > 0, the conditional probability of A given B, P(A | B), is defined as P(A ∩ B)/P(B).
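As a small illustration of the measure Ps (all state and label names below are invented for the example), the following sketch computes the probability of a finite path in a fully probabilistic automaton encoded as a map from states to their outgoing distribution:

```python
# A fully probabilistic automaton encoded as: state -> {(label, next): prob}.
# An empty dict marks a terminal state.
theta = {
    's0': {('a', 's1'): 0.5, ('b', 's2'): 0.5},
    's1': {('c', 's3'): 1.0},
    's2': {},   # terminal
    's3': {},   # terminal
}

def path_probability(path):
    """P_s(s) = 1 and P_s(sigma -l-> s') = P_s(sigma) * mu(l, s'),
    for a finite path given as [s0, l1, s1, l2, s2, ...]."""
    prob, state = 1.0, path[0]
    for i in range(1, len(path), 2):
        label, nxt = path[i], path[i + 1]
        prob *= theta[state][(label, nxt)]
        state = nxt
    return prob

print(path_probability(['s0', 'a', 's1', 'c', 's3']))   # 0.5
```

The cones generated by the maximal finite paths here (probabilities 0.5 and 0.5) partition the sample space, matching the requirement that Ps extends to a probability measure on the σ-algebra generated by the cones.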
3 Discrete Channels with Memory and Feedback

We adopt the model proposed in [19] for discrete channels with memory and feedback. Such a model, represented in Figure 2, can be decomposed into sequential components as follows. At time t the internal channel's behavior is represented by the conditional probabilities p(βt | α^t, β^{t−1}). The internal channel takes the input αt and, according to the history of inputs and outputs up to this moment, ⟨α^t, β^{t−1}⟩, produces an output symbol βt. The output is then fed back to the encoder with delay one. On the other side, at time t the encoder takes the message and the past output symbols β^{t−1}, and produces a channel input symbol αt. At the final time T the decoder takes all the channel outputs β^T and produces the decoded message Ŵ. The order is the following:

    Message W, α1, β1, α2, β2, ..., αT, βT, Decoded Message Ŵ

Let us describe such a channel in more detail. Let A and B be two finite sets. Let {At}_{t=1}^{T} (channel's input) and {Bt}_{t=1}^{T} (channel's output) be families of random variables in A and B respectively. Moreover, let A^T and B^T represent their T-fold product spaces. A channel is a family of stochastic kernels {p(βt | α^t, β^{t−1})}_{t=1}^{T}.

Let 𝓕t be the set of all measurable maps ϕt : B^{t−1} → A endowed with a probability distribution, and let Ft be the corresponding random variable. Let 𝓕^T, F^T denote the Cartesian product on the domain and the random variable, respectively. A channel code function is an element ϕ^T = (ϕ1, ..., ϕT) ∈ 𝓕^T. Note that, by probability laws, p(ϕ^T) = Π_{t=1}^{T} p(ϕt | ϕ^{t−1}). Hence the distribution on 𝓕^T is uniquely determined by a sequence {p(ϕt | ϕ^{t−1})}_{t=1}^{T}. We will use the notation ϕ^t(β^{t−1}) to represent the A-valued t-tuple (ϕ1, ϕ2(β^1), ..., ϕt(β^{t−1})).
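To get a feel for the space 𝓕^T of code functions, the following sketch (alphabet names are ours, not from the paper) enumerates all maps ϕt : B^{t−1} → A for small t, each represented as a dict from output histories to input symbols:

```python
from itertools import product

A, B = ['a1', 'a2'], ['b1', 'b2']

def code_functions(t):
    """All maps phi_t : B^{t-1} -> A, each represented as a dict from
    output histories (tuples over B of length t-1) to symbols of A."""
    histories = list(product(B, repeat=t - 1))
    return [dict(zip(histories, choice))
            for choice in product(A, repeat=len(histories))]

# |F_t| = |A| ** (|B| ** (t-1)): phi_1 is just a constant (empty history),
# while for larger t the space grows doubly exponentially, which is what
# lets a distribution over code functions express arbitrary probabilistic
# dependence of alpha_t on the feedback beta^{t-1}.
print([len(code_functions(t)) for t in (1, 2, 3)])   # [2, 4, 16]
```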
[Fig. 2. Model for discrete channel with memory and feedback: at each time t = 1...T the encoder {αt = ϕt(β^{t−1})}_{t=1}^{T} maps the message W and the fed-back outputs to the next input αt; the channel {p(βt | α^t, β^{t−1})}_{t=1}^{T} produces βt, which returns to the encoder through a delay-one element; at time T + 1 the decoder computes Ŵ = γT(β^T).]
In Information Theory this kind of channel is used to encode and transmit messages. If W is a message set of cardinality M with typical element w, endowed with a probability distribution, a channel code is a set of M channel code functions ϕ^T[w], interpreted as follows: for message w, if at time t the channel feedback is β^{t−1}, then the channel encoder outputs ϕt[w](β^{t−1}). A channel decoder is a map from B^T to W which attempts to reconstruct the input message after observing all the output history β^T from the channel.

3.1 Directed Information and Capacity of Channels with Feedback

In classical Information Theory, the channel capacity, which is related to the channel's transmission rate by Shannon's fundamental result, can be obtained as the supremum of the mutual information over all possible input distributions. In the presence of feedback, however, this correspondence does not hold anymore. More specifically, mutual information no longer represents the information flow from α^T to β^T. Intuitively, this is due to the fact that mutual information expresses correlation, and therefore it is increased by feedback. But the feedback, i.e. the way the output influences the next input, is part of the a priori knowledge, and therefore should not be counted when we measure the output's contribution to the reduction of the uncertainty about the input. If we want to maintain the correspondence with the transmission rate and with information flow, we need to replace mutual information with directed information [13].

Definition 1. In a channel with feedback, the directed information from input A^T to output B^T is defined as

    I(A^T → B^T) = Σ_{t=1}^{T} I(α^t; βt | β^{t−1}).

In the other direction, the directed information from B^T to A^T is defined as

    I(B^T → A^T) = Σ_{t=1}^{T} I(αt; β^{t−1} | α^{t−1}).

Note that the two directed informations defined above are not symmetric: the flow from A^T to B^T takes into account the correlation between α^t and βt, while the flow from B^T to A^T is based on the correlation between β^{t−1} and αt. Intuitively, this is because αt influences βt, but, in the other direction, it is β^{t−1} that influences αt. It can be proved [19] that I(A^T; B^T) = I(A^T → B^T) + I(B^T → A^T). If a channel does not have feedback, then I(B^T → A^T) = 0 and I(A^T; B^T) = I(A^T → B^T).

In a channel with feedback the information transmitted is the directed information, and not the mutual information. The following example should help in understanding why.
Example 2. Consider the discrete memoryless channel with input alphabet A = {a1, a2} and output alphabet B = {b1, b2} whose matrix is represented in Table 3. Suppose that the channel is used with feedback, in such a way that, for all t, αt+1 = a1 if βt = b1, and αt+1 = a2 if βt = b2. It is easy to show that if t ≥ 2 then I(A^t; B^t) ≠ 0. However, there is no leakage from A^t to B^t, since the rows of the matrix are all equal. We have indeed that I(A^t → B^t) = 0, and the mutual information I(A^t; B^t) is only due to the feedback information flow I(B^t → A^t).

Table 3. Channel matrix for Example 2

        b1    b2
  a1   0.5   0.5
  a2   0.5   0.5

The concept of capacity is generalized for channels with feedback as follows. Let D_T be the set of all input distributions, i.e. of all families {p(αt | α^{t−1}, β^{t−1})}_{t=1}^{T}. For finite T, the capacity of a channel {p(βt | α^t, β^{t−1})}_{t=1}^{T} is:

    C_T = sup_{D_T} (1/T) I(A^T → B^T)    (4)
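The claims of Example 2 can be checked numerically for T = 2. The sketch below (helper names are ours, not from the paper) builds the joint distribution over (α1, β1, α2, β2) induced by the feedback strategy, evaluates mutual and directed information using the identity I(X;Y|Z) = H(X,Z) + H(Y,Z) − H(X,Y,Z) − H(Z), and confirms the decomposition I(A^T; B^T) = I(A^T → B^T) + I(B^T → A^T):

```python
from math import log2
from itertools import product

A, B = ('a1', 'a2'), ('b1', 'b2')

# Joint p(alpha1, beta1, alpha2, beta2) for Example 2: alpha1 uniform,
# each beta_t uniform regardless of the inputs (all matrix rows equal),
# and the feedback sets alpha2 = a1 if beta1 = b1, else a2.
joint = {}
for a1, b1, b2 in product(A, B, B):
    a2 = 'a1' if b1 == 'b1' else 'a2'
    joint[(a1, b1, a2, b2)] = 0.5 * 0.5 * 0.5

def H(dist):
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def marginal(keys):
    """Marginal over coordinate positions (0=a1, 1=b1, 2=a2, 3=b2)."""
    m = {}
    for outcome, p in joint.items():
        k = tuple(outcome[i] for i in keys)
        m[k] = m.get(k, 0) + p
    return m

def cond_MI(x, y, z):
    """I(X;Y|Z) = H(X,Z) + H(Y,Z) - H(X,Y,Z) - H(Z)."""
    return (H(marginal(x + z)) + H(marginal(y + z))
            - H(marginal(x + y + z)) - H(marginal(z)))

mutual   = cond_MI([0, 2], [1, 3], [])                         # I(A^2; B^2)
forward  = cond_MI([0], [1], []) + cond_MI([0, 2], [3], [1])   # I(A^2 -> B^2)
backward = 0.0 + cond_MI([2], [1], [0])                        # I(B^2 -> A^2)
```

Here `mutual` is 1 bit and `forward` is 0: the whole mutual information comes from the backward (feedback) flow, so the leakage from A^2 to B^2 is indeed zero.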
4 Interactive Systems as Channels with Memory and Feedback

(General) Interactive Information Hiding Systems ([2]) are a variant of probabilistic automata in which we separate actions into secret and observable ones; "interactive" means that secret and observable actions can interleave and influence each other.

Definition 2. A general IIHS is a quadruple I = (M, A, B, Lτ), where M is a probabilistic automaton (S, L, ŝ, ϑ), L = A ∪ B ∪ Lτ where A, B, and Lτ are pairwise disjoint sets of secret, observable, and internal actions respectively, and ϑ(s) ⊆ D((B ∪ Lτ) × S) implies |ϑ(s)| ≤ 1, for all s. The condition on ϑ ensures that all observable transitions are fully probabilistic.

Assumption. In this paper we assume that general IIHSs are normalized, i.e. once unfolded, all the transitions between two consecutive levels have either secret labels only, or observable labels only. Moreover, the occurrences of secret and observable labels alternate between levels. We will call secret states the states from which only secret-labeled transitions are possible, and observable states the others. Finally, we assume that for every s and ℓ there exists a unique r such that s −ℓ→ r. Under this assumption the traces of a computation determine the final state, as expressed by the next proposition. In the following, trace_A and trace_B indicate the projection of the traces on secret and observable actions, respectively. Given a general IIHS, it is always possible to find an equivalent one that satisfies these assumptions; the interested reader can find the formal definition of the transformation in [1].

Proposition 1. Let I = (M, A, B, Lτ) be a general IIHS. Consider two paths σ and σ′. Then trace_A(σ) = trace_A(σ′) and trace_B(σ) = trace_B(σ′) implies σ = σ′.

In the following, we will consider two particular cases: the fully probabilistic IIHSs, where there is no nondeterminism, and the secret-nondeterministic IIHSs, where each secret choice is fully nondeterministic.
The latter will be called simply IIHSs.
Definition 3. Let I = ((S, L, ŝ, ϑ), A, B, Lτ) be a general IIHS. Then I is:
– fully probabilistic if ϑ(s) ⊆ D(A × S) implies |ϑ(s)| ≤ 1 for each s ∈ S;
– secret-nondeterministic if ϑ(s) ⊆ D(A × S) implies that for each s ∈ S there exist s1, ..., sn such that ϑ(s) = {δ(ai, si)}_{i=1}^{n}, where δ(ai, si) denotes the Dirac measure on (ai, si).

We now show how to construct a channel with memory and feedback from IIHSs. We will see that an IIHS corresponds precisely to a channel as determined by its stochastic kernel, while a fully probabilistic IIHS determines, additionally, the input distribution. In the following, we consider an IIHS I = ((S, L, ŝ, ϑ), A, B, Lτ) in normalized form. Given a path σ of length 2t − 1, we denote trace_A(σ) by α^t, and trace_B(σ) by β^{t−1}.

Definition 4. For each t, the channel's stochastic kernel corresponding to I is defined as p(βt | α^t, β^{t−1}) = ϑ(q)(βt, q′), where q is the state reached from the root via the path σ whose input trace is α^t and output trace is β^{t−1}.

Note that q and q′ in the previous definition are well defined: by Proposition 1, q is unique, and since the choice of βt is fully probabilistic, q′ is also unique. If I is fully probabilistic, then it determines also the input distribution and the dependency of αt upon β^{t−1} (feedback) and α^{t−1}.

Definition 5. If I is fully probabilistic, the associated channel has a conditional input distribution for each t defined as p(αt | α^{t−1}, β^{t−1}) = ϑ(q)(αt, q′), where q is the state reached from the root via the path σ whose input trace is α^{t−1} and output trace is β^{t−1}.

4.1 Lifting the Channel Inputs to Reaction Functions

Definitions 4 and 5 define the joint probabilities p(α^t, β^t) for a fully probabilistic IIHS. We still need to show in what sense these define an information-theoretic channel. The {p(βt | α^t, β^{t−1})}_{t=1}^{T} determined by the IIHS correspond to a channel's stochastic kernel. The problem resides in the conditional probabilities {p(αt | α^{t−1}, β^{t−1})}_{t=1}^{T}.
In an information-theoretic channel, the value of αt is determined in the encoder by a deterministic function ϕt(β^{t−1}). However, inside the encoder there is no possibility for a probabilistic description of αt. Furthermore, in our setting the concept of encoder makes no sense, as there is no information to encode. A solution to this problem is to externalize the probabilistic behavior of αt: the code functions become simple reaction functions ϕt that depend only on β^{t−1} (the message w does not play a role any more), and these reaction functions are endowed with a probability distribution that generates the probabilistic behavior of the values of αt.

Definition 6. A reactor is a distribution on reaction functions, i.e., a stochastic kernel {p(ϕt | ϕ^{t−1})}_{t=1}^{T}. A reactor R is consistent with a fully probabilistic IIHS I if it induces a compatible distribution Q(ϕ^T, α^T, β^T) such that, for every 1 ≤ t ≤ T, Q(αt | α^{t−1}, β^{t−1}) = p(αt | α^{t−1}, β^{t−1}), where the latter is the probability distribution induced by I.

The main result of this section states that for any fully probabilistic IIHS there is a reactor that generates the probabilistic behavior of the IIHS.
Theorem 3. Given a fully probabilistic IIHS I, we can construct a channel with memory and feedback, and a probability distribution Q(ϕ^T, α^T, β^T), which corresponds to I in the sense that, for every t, α^t and β^t, with 1 ≤ t ≤ T,

    Q(α^t, β^t) ≜ Σ_{ϕ^T} Q(ϕ^T, α^t, β^t) = p(α^t, β^t)

holds, where p(α^t, β^t) is the joint probability of input and output traces induced by I.

Corollary 1. Let I be a fully probabilistic IIHS. Let {p(βt | α^t, β^{t−1})}_{t=1}^{T} be the sequence of stochastic kernels and {p(αt | α^{t−1}, β^{t−1})}_{t=1}^{T} the sequence of input distributions defined by I according to Definitions 4 and 5. Then the reactor R = {p(ϕt | ϕ^{t−1})}_{t=1}^{T} compatible with I is given by:

    p(ϕ1) = p(α1 | α^0, β^0) = p(α1)    (5)

    p(ϕt | ϕ^{t−1}) = Π_{β^{t−1}} p(ϕt(β^{t−1}) | ϕ^{t−1}(β^{t−2}), β^{t−1}),  2 ≤ t ≤ T    (6)
Figure 3 depicts the model for IIHSs. Note that, in relation to Figure 2, there are some simplifications: (1) no message w is needed; (2) the decoder is not used. At the beginning, a reaction function sequence ϕ^T is chosen, and then the channel is used T times. At each usage t, the encoder decides the next input symbol αt based on the reaction function ϕt and the fed-back output history β^{t−1}. Then the channel produces an output βt based on the stochastic kernel p(βt | α^t, β^{t−1}). The output is then fed back to the encoder with delay one.

[Fig. 3. Channel with memory and feedback model for IIHSs: the reaction functions ϕ^T drive an "interactor" {αt = ϕt(β^{t−1})}_{t=1}^{T}, which feeds the channel {p(βt | α^t, β^{t−1})}_{t=1}^{T}; each output βt is fed back through a delay-one element.]
We conclude this section by remarking an intriguing coincidence: the notion of a reaction function sequence ϕ^T on IIHSs corresponds to the notion of a deterministic scheduler. In fact, each reaction function ϕt selects the next step αt on the basis of β^{t−1} and α^{t−1} (the latter generated by ϕ^{t−1}), and β^{t−1}, α^{t−1} represent the path up to that state.
5 Leakage in Interactive Systems

In this section we propose a notion of information flow based on our model. We follow the idea of defining leakage and maximum leakage using the concepts of mutual information and capacity (see for instance [4]), making the necessary adaptations. Since the directed information I(A^T → B^T) is a measure of how much information flows from A^T to B^T in a channel with feedback (cf. Section 3.1), it is natural to consider it as a measure of the leakage of information by the protocol.
Definition 7. The information leakage of an IIHS is defined as:

I(A^T → B^T) = Σ_{t=1}^T H(A_t | A^{t−1}, B^{t−1}) − H(A^T | B^T).

Note that Σ_{t=1}^T H(A_t | A^{t−1}, B^{t−1}) can be seen as the entropy H_R of the reactor R. Compare this definition with the classical information-theoretic approach to information leakage: when there is no feedback, the leakage is defined as:

I(A^T; B^T) = H(A^T) − H(A^T | B^T)    (7)
The principle behind (7) is that the leakage is equal to the difference between the a priori uncertainty H(A^T) and the a posteriori uncertainty H(A^T | B^T) (the gain in knowledge about the secret obtained by observing the output). Our definition maintains the same principle, with the proviso that the a priori uncertainty is now represented by H_R.

5.1 Maximum Leakage as Capacity

In the case of secret-nondeterministic IIHSs, we have a stochastic kernel but no distribution on the code functions. In this case it seems natural to consider the worst leakage over all possible distributions on code functions. This is exactly the concept of capacity.

Definition 8. The maximum leakage of an IIHS is defined as the capacity C_T of the associated channel with memory and feedback.
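In the feedback-free case, equation (7) can be evaluated directly from a prior on the secrets and the channel matrix. The following Python sketch (ours, not part of the paper) computes H(A) − H(A|B) for a one-use channel, using Bayes' rule for the posterior:

```python
from math import log2

def leakage(prior, channel):
    """Classic information leakage I(A; B) = H(A) - H(A|B), in bits.

    prior: dict a -> p(a); channel: dict a -> dict b -> p(b|a).
    """
    h_a = -sum(p * log2(p) for p in prior.values() if p > 0)
    outs = {b for row in channel.values() for b in row}
    h_a_given_b = 0.0
    for b in outs:
        pb = sum(prior[a] * channel[a].get(b, 0.0) for a in prior)
        if pb == 0:
            continue
        for a in prior:
            pab = prior[a] * channel[a].get(b, 0.0)  # joint p(a, b)
            if pab > 0:
                h_a_given_b -= pab * log2(pab / pb)  # -p(a,b) log p(a|b)
    return h_a - h_a_given_b

# A noiseless channel leaks the whole secret: 1 bit for a uniform binary secret.
ident = {"a1": {"b1": 1.0}, "a2": {"b2": 1.0}}
print(leakage({"a1": 0.5, "a2": 0.5}, ident))  # 1.0
```

A channel whose rows are identical (the output is independent of the secret) gives leakage 0, as expected from (7).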
6 Modeling IIHSs as Channels: An Example

In this section we show the application of our approach to the Cocaine Auction Protocol [17]. Let us imagine a situation where several mob individuals are gathered around a table. An auction is about to be held in which one of them offers his next shipment of cocaine to the highest bidder. The seller describes the merchandise and proposes a starting price. The others then bid increasing amounts until there are no bids for 30 consecutive seconds. At that point the seller declares the auction closed and arranges a secret appointment with the winner to deliver the goods.

The basic protocol is fairly simple and is organized as a succession of rounds of bidding. Round i starts with the seller announcing the bid price b_i for that round. Buyers have t seconds to make an offer (i.e., to say yes, meaning "I'm willing to buy at the current bid price b_i"). As soon as one buyer anonymously says yes, he becomes the winner w_i of that round and a new round begins. If nobody says anything for t seconds, round i is concluded by timeout and the auction is won by the winner w_{i−1} of the previous round, if one exists. If the timeout occurs during round 0, this means that nobody made any offer at the initial price b_0, so there is no sale.

Although our framework allows the formalization of this protocol for an arbitrary number of bidders and bidding rounds, for illustration purposes we will consider the case of two bidders (Candlemaker and Scarface) and two rounds of bids. Furthermore, we assume that the initial bid is always 1 dollar, so the first bid does not need to be announced by the seller. In each turn the seller can choose how much he wants to increase the current bid. This is done by adding an increment to the last bid. There
are two options of increments, namely inc1 (1 dollar) and inc2 (2 dollars). In this way, b_{i+1} is either b_i + inc1 or b_i + inc2. We can describe this protocol as a normalized IIHS I = (M, A, B, L_τ), where A = {Candlemaker, Scarface, a∗} is the set of secret actions, B = {inc1, inc2, b∗} is the set of observable actions, L_τ = ∅ is the set of hidden actions, and the probabilistic automaton M is represented in Figure 4. For clarity, we omit transitions with probability 0 in the automaton. Note that the special secret action a∗ represents the situation where neither Candlemaker nor Scarface bids. The special observable action b∗ is only possible after no one has bid; it signals the end of the auction, after which no further bid is allowed.
Fig. 4. Cocaine Auction example
Table 4 shows all the stochastic kernels for this example. The formalization of this protocol in terms of IIHSs using our framework makes it possible to prove the claim in [17] suggesting that, if the seller knows the identity of the bidders, then the (strong) anonymity guarantees are not provided anymore.

Table 4. Stochastic kernels for the Cocaine Auction example

(a) t = 1, p(β1 | α1, β^0)

  α1 → β1        inc1  inc2  b∗
  Candlemaker    q4    q5    0
  Scarface       q6    q7    0
  a∗             0     0     1

(b) t = 2, p(β2 | α2, β^1)

  α1, β1, α2 → β2                   Cheap  Expensive  b∗
  Candlemaker, inc1, Candlemaker    q22    q23        0
  Candlemaker, inc1, Scarface       q24    q25        0
  Candlemaker, inc1, a∗             0      0          1
  Candlemaker, inc2, Candlemaker    q27    q28        0
  Candlemaker, inc2, Scarface       q29    q30        0
  Candlemaker, inc2, a∗             0      0          1
  Scarface, inc1, Candlemaker       q32    q33        0
  Scarface, inc1, Scarface          q34    q35        0
  Scarface, inc1, a∗                0      0          1
  Scarface, inc2, Candlemaker       q37    q38        0
  Scarface, inc2, Scarface          q39    q40        0
  Scarface, inc2, a∗                0      0          1
  a∗, b∗, a∗                        0      0          1
  All other lines                   0      0          1
7 Topological Properties of IIHSs and Their Capacity

In this section we show how to extend to IIHSs the notion of pseudometric defined in [8] for Concurrent Labelled Markov Chains, and we prove that the capacity of the corresponding channels is a continuous function of this pseudometric. The metric construction is sound for general IIHSs, but the result on capacity is only valid for secret-nondeterministic IIHSs.

Given a set of states S, a pseudometric (or distance) is a function d that yields a non-negative real number for each pair of states and satisfies the following: d(s, s) = 0; d(s, t) = d(t, s); and d(s, t) ≤ d(s, u) + d(u, t). We say that a pseudometric d is c-bounded if ∀s, t : d(s, t) ≤ c, where c is a positive real number. We now define a complete lattice on pseudometrics, and define the distance between IIHSs as the greatest fixpoint of a distance transformation, in line with the coinductive theory of bisimilarity.

Definition 9. M is the class of 1-bounded pseudometrics on states with the ordering d ⪯ d′ if ∀s, s′ ∈ S : d(s, s′) ≥ d′(s, s′). It is easy to see that (M, ⪯) is a complete lattice.

In order to define pseudometrics on IIHSs, we now need to lift the pseudometrics on states to pseudometrics on distributions in D(L × S). Following standard lines [20,8,7], we apply the construction based on the Kantorovich metric [11].

Definition 10. For d ∈ M, and μ, μ′ ∈ D(L × S), we define d(μ, μ′) (overloading the notation d) as

d(μ, μ′) = max Σ_{(ℓ_i, s_i) ∈ L×S} (μ(ℓ_i, s_i) − μ′(ℓ_i, s_i)) x_i

where the maximization is over all possible values of the x_i's, subject to the constraints 0 ≤ x_i ≤ 1 and x_i − x_j ≤ d̂((ℓ_i, s_i), (ℓ_j, s_j)), where d̂((ℓ_i, s_i), (ℓ_j, s_j)) = 1 if ℓ_i ≠ ℓ_j, and d̂((ℓ_i, s_i), (ℓ_j, s_j)) = d(s_i, s_j) otherwise.
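In the special case where all distinct pairs are at ground distance 1 (i.e., d̂ is the discrete metric), the constraints x_i − x_j ≤ 1 are vacuous, the maximization is attained by setting x_i = 1 exactly where μ exceeds μ′, and the Kantorovich lifting collapses to the total variation distance. A small Python sketch of this special case (ours, not from the paper):

```python
def kantorovich_discrete(mu, mu_prime):
    """Kantorovich lifting when the ground distance is the discrete metric.

    The LP  max sum_i (mu_i - mu'_i) x_i  with 0 <= x_i <= 1 (and vacuous
    constraints x_i - x_j <= 1) is solved by x_i = 1 iff mu_i > mu'_i,
    which yields the total variation distance.
    """
    keys = set(mu) | set(mu_prime)
    return sum(max(mu.get(k, 0.0) - mu_prime.get(k, 0.0), 0.0) for k in keys)

# A point mass versus a fair coin over two labelled states:
print(kantorovich_discrete({"a": 1.0}, {"a": 0.5, "b": 0.5}))  # 0.5
```

For a general ground metric the maximization is a genuine linear program; the discrete case above is only meant to make the definition concrete.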
It can be shown that with this definition d(·, ·) is a pseudometric on D(L × S).

Definition 11. d ∈ M is a bisimulation metric if, for all ε ∈ [0, 1), d(s, s′) ≤ ε implies that if s → μ, then there exists some μ′ such that s′ → μ′ and d(μ, μ′) ≤ ε. The greatest bisimulation metric is d_max = ⊔{d ∈ M | d is a bisimulation metric}.

We now characterize d_max as a fixed point of a monotonic function Φ on M. For simplicity, from now on we consider only the distance between states belonging to different IIHSs with disjoint sets of states.

Definition 12. Given two IIHSs with transition relations ϑ and ϑ′ respectively, and a pseudometric d on states, define Φ : M → M as:

Φ(d)(s, s′) =
  max_i d(s_i, s′_i)  if ϑ(s) = {δ_(a1,s1), ..., δ_(am,sm)} and ϑ′(s′) = {δ_(a1,s′1), ..., δ_(am,s′m)}
  d(μ, μ′)            if ϑ(s) = {μ} and ϑ′(s′) = {μ′}
  0                   if ϑ(s) = ϑ′(s′) = ∅
  1                   otherwise
It is easy to see that the definition of Φ is a particular case of the function F defined in [8,7]. Hence it can be proved, by adapting the proofs of the analogous results in [8,7], that Φ(d) is a pseudometric, and that d is a bisimulation metric iff d ⪯ Φ(d). This implies that d_max = ⊔{d ∈ M | d ⪯ Φ(d)}, and, still as a particular case of F in [8,7], we have that Φ is monotonic on M. By Tarski's fixed point theorem, d_max is the greatest fixed point of Φ. Furthermore, in [1] we show that d_max is indeed a bisimulation metric, and that it is the greatest bisimulation metric. In addition, the finite branchingness of IIHSs ensures that the closure ordinal of Φ is ω (cf. Lemma 3.10 in the full version of [8]). Therefore one can show that d_max = ⊓{Φ^i(⊤) | i ∈ N}, where ⊤ is the greatest pseudometric (i.e., ⊤(s, s′) = 0 for every s, s′), and Φ^0(⊤) = ⊤.

Given two IIHSs I and I′, with initial states s and s′ respectively, we define the distance between I and I′ as d(I, I′) = d_max(s, s′).

The next theorem states the continuity of the capacity w.r.t. the metric on IIHSs. It is crucial that the IIHSs are secret-nondeterministic (while the definition of the metric holds in general).

Theorem 4. Consider two normalized IIHSs I and I′, and fix a T > 0. For every ε > 0 there exists ν > 0 such that if d(I, I′) < ν then |C_T(I) − C_T(I′)| < ε.

We conclude this section with an example showing that the continuity result for the capacity does not hold if the construction of the channel is done starting from a system in which the secrets are endowed with a probability distribution. This is also the reason why we could not simply adopt the proof technique of the continuity result in [8] and had to come up with a different reasoning.

Example 3. Consider the two following programs, where a1, a2 are secrets, b1, b2 are observables, ∥ is the parallel operator, and +_p is a binary probabilistic choice that assigns probability p to the left branch and probability 1 − p to the right one.
s) (send(a1) +_p send(a2)) ∥ receive(x).output(b2)
t) (send(a1) +_q send(a2)) ∥ receive(x).if x = a1 then output(b1) else output(b2)

Table 5 shows the fully probabilistic IIHSs corresponding to these programs, and their associated channels, which in this case (since the secret actions are all at the top level) are classic channels, i.e., memoryless and without feedback. As usual for classic channels, they do not depend on p and q. It is easy to see that the capacity of the first channel is 0 and the capacity of the second one is 1. Hence their difference is 1, independently of p and q.

Table 5. The IIHSs of Example 3 and their corresponding channels

  (a) channel for s        (b) channel for t
        b1   b2                  b1   b2
  a1    0    1             a1    1    0
  a2    0    1             a2    0    1
Let now p = 0 and q = ε. It is easy to see that the distance between s and t is ε. Therefore (when the automata have probabilities on the secrets), the capacity is not a continuous function of the distance.
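The capacities claimed in Example 3 can also be checked numerically. The following sketch (ours; the paper obtains the values by inspection) runs the standard Blahut–Arimoto iteration on the two channel matrices of Table 5:

```python
from math import exp, log

def blahut_arimoto(W, iters=200):
    """Capacity (in bits) of a discrete memoryless channel.

    W[x][y] = p(y|x), given as a list of rows (one row per input symbol).
    """
    n, m = len(W), len(W[0])
    p = [1.0 / n] * n  # start from the uniform input distribution
    for _ in range(iters):
        q = [sum(p[x] * W[x][y] for x in range(n)) for y in range(m)]
        c = [exp(sum(W[x][y] * log(W[x][y] / q[y])
                     for y in range(m) if W[x][y] > 0))
             for x in range(n)]
        z = sum(p[x] * c[x] for x in range(n))
        p = [p[x] * c[x] / z for x in range(n)]  # reweight the input distribution
    return log(z) / log(2)

chan_s = [[0.0, 1.0], [0.0, 1.0]]  # both secrets give b2: capacity 0
chan_t = [[1.0, 0.0], [0.0, 1.0]]  # noiseless channel: capacity 1 bit
print(blahut_arimoto(chan_s), blahut_arimoto(chan_t))
```

The iteration confirms capacity 0 for the channel of s (identical rows) and 1 bit for the channel of t, for any p and q, matching the discontinuity argument above.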
8 Conclusion and Future Work

In this paper we have investigated the problem of information leakage in interactive systems, and we have proved that these systems can be modeled as channels with memory and feedback. The situation is summarized in Table 6(a). The comparison with the classical situation of non-interactive systems is represented in Table 6(b). Furthermore, we have proved that the channel capacity is a continuous function of the Kantorovich metric.

Table 6.

(a)
  IIHSs as automata                          IIHSs as channels                             Notion of leakage
  Normalized IIHSs with nondeterministic     Sequence of stochastic kernels                Leakage as capacity
  inputs and probabilistic outputs           {p(β_t | α^t, β^{t−1})}_{t=1}^T
  Normalized IIHSs with a deterministic      Sequence of stochastic kernels
  scheduler solving the nondeterminism       {p(β_t | α^t, β^{t−1})}_{t=1}^T
                                             + reaction function seq. ϕ^T
  Fully probabilistic normalized IIHSs       Sequence of stochastic kernels                Leakage as directed
                                             {p(β_t | α^t, β^{t−1})}_{t=1}^T              information I(A^T → B^T)
                                             + reactor {p(ϕ_t | ϕ^{t−1})}_{t=1}^T

(b)
  Classical channels                                   Channels with memory and feedback
  The protocol is modeled in independent uses of       The protocol is modeled in several
  the channel, often a unique use.                     consecutive uses of the channel.
  The channel is from A^T → B^T, i.e., its input       The channel is from F → B, i.e., its input is a
  is a single string α^T = α_1 ... α_T of secret       reaction function ϕ_t and its output is an
  symbols and its output is a single string            observable β_t.
  β^T = β_1 ... β_T of observable symbols.
  The channel is memoryless and, in general, the       The channel has memory. Although the channel
  absence of feedback is implicitly assumed.           from F → B does not have feedback, the
                                                       internal stochastic kernels do.
  The capacity is calculated using mutual              The capacity is calculated using directed
  information I(A^T; B^T).                             information I(A^T → B^T).
For future work we would like to provide algorithms to compute the leakage and maximum leakage of interactive systems. These problems are very challenging, given the exponential growth of the number of reaction functions (needed to compute the leakage) and the quantification over infinitely many reactors (given by the definition of maximum leakage in terms of capacity). One possible solution is to study the relation between deterministic schedulers and sequences of reaction functions. In particular, we believe that for each sequence of reaction functions and distribution over it there exists a probabilistic scheduler for the automata representation of the secret-nondeterministic IIHS.
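The growth mentioned above is easy to quantify: a reaction function ϕ_t maps each output history β^{t−1} ∈ B^{t−1} to an input in A, so there are |A|^(|B|^(t−1)) choices at step t, and the number of sequences ϕ^T is the product over t. A quick sketch of this count (ours, derived directly from the definition of reaction functions):

```python
def num_reaction_function_sequences(num_inputs, num_outputs, T):
    """Number of sequences phi^T, where each phi_t : B^{t-1} -> A."""
    total = 1
    for t in range(1, T + 1):
        # |A| choices for each of the |B|^(t-1) output histories at step t
        total *= num_inputs ** (num_outputs ** (t - 1))
    return total

# Already doubly exponential for tiny alphabets:
print(num_reaction_function_sequences(2, 2, 3))  # 2^(1 + 2 + 4) = 128
```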
In this way, the problem of computing the leakage and maximum leakage would reduce to a standard probabilistic model checking problem (where the challenge is to compute probabilities ranging over infinitely many schedulers). In addition, we plan to investigate measures of leakage for interactive systems other than mutual information and capacity.
References

1. Alvim, M.S., Andrés, M.E., Palamidessi, C.: Information Flow in Interactive Systems (2010), http://hal.archives-ouvertes.fr/inria-00479672/en/
2. Andrés, M.E., Palamidessi, C., van Rossum, P., Smith, G.: Computing the leakage of information-hiding systems. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 373–389. Springer, Heidelberg (2010)
3. Bohannon, A., Pierce, B.C., Sjöberg, V., Weirich, S., Zdancewic, S.: Reactive noninterference. In: Proc. of CCS, pp. 79–90. ACM, New York (2009)
4. Chatzikokolakis, K., Palamidessi, C., Panangaden, P.: Anonymity protocols as noisy channels. Inf. and Comp. 206(2–4), 378–401 (2008)
5. Clark, D., Hunt, S., Malacaria, P.: Quantified interference for a while language. In: Proc. of QAPL 2004. ENTCS, vol. 112, pp. 149–166. Elsevier, Amsterdam (2005)
6. Cover, T.M., Thomas, J.A.: Elements of Information Theory. J. Wiley & Sons, Inc., Chichester (1991)
7. Deng, Y., Chothia, T., Palamidessi, C., Pang, J.: Metrics for action-labelled quantitative transition systems. In: Proc. of QAPL. ENTCS, vol. 153, pp. 79–96. Elsevier, Amsterdam (2006)
8. Desharnais, J., Jagadeesan, R., Gupta, V., Panangaden, P.: The metric analogue of weak bisimulation for probabilistic processes. In: Proc. of LICS, pp. 413–422. IEEE, Los Alamitos (2002)
9. Ebay website, http://www.ebay.com/
10. Ebid website, http://www.ebid.net/
11. Kantorovich, L.: On the transfer of masses (in Russian). Doklady Akademii Nauk 5(1), 1–4 (1942); translated in Management Science 5(1), 1–4 (1958)
12. Malacaria, P.: Assessing security threats of looping constructs. In: Proc. of POPL, pp. 225–235. ACM, New York (2007)
13. Massey, J.L.: Causality, feedback and directed information. In: Proc. of the 1990 Intl. Symposium on Information Theory and its Applications (1990)
14. Mercadolibre website, http://www.mercadolibre.com/
15. Segala, R.: Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Tech. Rep. MIT/LCS/TR-676 (1995)
16. Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)
17. Stajano, F., Anderson, R.J.: The cocaine auction protocol: On the power of anonymous broadcast. In: Information Hiding, pp. 434–447 (1999)
18. Subramanian, S.: Design and verification of a secure electronic auction protocol. In: Proc. of SRDS, pp. 204–210. IEEE, Los Alamitos (1998)
19. Tatikonda, S., Mitter, S.K.: The capacity of channels with feedback. IEEE Transactions on Information Theory 55(1), 323–349 (2009)
20. van Breugel, F., Worrell, J.: Towards quantitative verification of probabilistic transition systems. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 421–432. Springer, Heidelberg (2001)
21. Vickrey, W.: Counterspeculation, auctions, and competitive sealed tenders. The Journal of Finance 16(1), 8–37 (1961)
From Multi to Single Stack Automata Mohamed Faouzi Atig LIAFA, CNRS & Univ. of Paris 7, Case 7014, 75205 Paris 13, France
[email protected]

Abstract. We investigate the issue of reducing the verification problem of multi-stack machines to the one for single-stack machines. For instance, elegant (and practically efficient) algorithms for bounded-context-switch analysis of multi-pushdown systems have been recently defined based on reductions to the reachability problem of (single-stack) pushdown systems [10,18]. In this paper, we extend this view to both bounded-phase visibly pushdown automata (BVMPA) [16] and ordered multi-pushdown automata (OMPA) [1] by showing that each of their emptiness problems can be reduced to the one for a class of single-stack machines. For these reductions, we introduce effective generalized pushdown automata (EGPA) where operations on stacks are (1) pop the top symbol of the stack, and (2) push a word in some (effectively) given set of words L over the stack alphabet, assuming that L is in some class of languages for which checking whether L intersects regular languages is decidable. We show that the automata-based saturation procedure for computing the set of predecessors in standard pushdown automata can be extended to prove that for EGPA, too, the set of all predecessors of a regular set of configurations is an effectively constructible regular set. Our reductions from OMPA and BVMPA to EGPA, together with the reachability analysis procedure for EGPA, allow us to provide conceptually simple algorithms for checking the emptiness problem for each of these models, and to significantly simplify the proofs for their 2ETIME upper bounds (matching their lower bounds).
1 Introduction

In the last few years, a lot of effort has been devoted to the verification problem for models of concurrent programs (see, e.g., [5,3,16,9,2]). Pushdown automata have been proposed as an adequate formalism to describe sequential programs with procedure calls [8,14]. Therefore, it is natural to model recursive concurrent programs as multi-stack automata. In general, multi-stack automata are Turing powerful and hence come along with undecidability of basic decision problems [13]. To overcome this barrier, several subclasses of pushdown automata with multiple stacks have been proposed and studied in the literature.

Context-bounding has been proposed in [12] as a suitable technique for the analysis of multi-stack automata. The idea is to consider only runs of the automaton that can be divided into a given number of contexts, where in each context pop and push operations are exclusive to one stack. Although the state space which may be explored is still unbounded in the presence of recursive procedure calls, the context-bounded reachability

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 117–131, 2010.
© Springer-Verlag Berlin Heidelberg 2010
problem is NP-complete even in this case [11]. In fact, context-bounding provides a very useful trade-off between computational complexity and verification coverage.

In [16], La Torre et al. propose a more general definition of the notion of a context. For that, they define the class of bounded-phase visibly multi-stack pushdown automata (BVMPA), where only those runs are taken into consideration that can be split into a given number of phases, and each phase admits pop operations of one particular stack only. In this case, the emptiness problem is decidable in double exponential time by reducing it to the emptiness problem for tree automata.

Another way to regain decidability is to impose some order on stack operations. In [6], Breveglieri et al. define ordered multi-pushdown automata (OMPA), which impose a linear ordering on stacks. Stack operations are constrained in such a way that a pop operation is reserved to the first non-empty stack. In [1], we show that the emptiness problem for OMPA is 2ETIME-complete¹. The proof of this result lies in a complex encoding of OMPA into some class of grammars for which the emptiness problem is decidable.

In this paper, we investigate the issue of reducing the verification problem of multi-stack machines to the one for single-stack machines. We believe that this is a general paradigm for understanding the expressive power of, and for establishing decidability results for, various classes of concurrent program models. For instance, elegant (and practically efficient) algorithms for bounded-context-switch analysis of multi-pushdown systems have been recently defined based on reductions to the reachability problem of (single-stack) pushdown systems [10,18]. We extend this view to both OMPA and BVMPA by showing that each of their emptiness problems can be reduced to the one for a class of single-stack machines.
For these reductions, we introduce effective generalized pushdown automata (EGPA) where operations on stacks are (1) pop the top symbol of the stack, and (2) push a word in some (effectively) given set of words L over the stack alphabet, assuming that L is in some class of languages for which checking whether L intersects a given regular language is decidable. Observe that L can be any finite union of languages defined by a class of automata closed under intersection with regular languages and for which the emptiness problem is decidable (e.g., pushdown automata, Petri nets, lossy channel machines, etc.). Then, we show that the automata-based saturation procedure for computing the set of predecessors in standard pushdown automata [4] can be extended to prove that for EGPA, too, the set of all predecessors of a regular set of configurations is a regular set and effectively constructible. As an immediate consequence of this result, we obtain for EGPA decidability results similar to the ones obtained for pushdown automata.

Then, we show that, given an OMPA M with n stacks, it is possible to construct an EGPA P, whose pushed languages are defined by OMPA with (n − 1) stacks, such that the emptiness problem for M is reducible to its corresponding problem for P. The EGPA P is constructed such that the following invariant is preserved: the state and the content of the stack of P are the same as the state and the content of the n-th stack of M when its first (n − 1) stacks are empty. Then, we use the saturation procedure for EGPA to show, by induction on the number of stacks n, that the emptiness problem of an OMPA is in 2ETIME with respect to n (matching its lower bound [1]).

Another application of EGPA is to show that, given a k-phase BVMPA M with n stacks, it is possible to construct an EGPA P, whose pushed languages are defined by (k − 1)-phase BVMPA with n stacks, such that the emptiness problem of M can be reduced to computing the set of predecessors of a regular set of configurations of P. Then, we exploit the saturation procedure for EGPA to show, by induction on the number of phases k, that the emptiness problem for a BVMPA is in 2ETIME with respect to k (matching its lower bound [17]).

Related works: To the best of our knowledge, the class of effective generalized pushdown automata that we define in this paper is the first non-trivial extension of pushdown automata that allows pushing a non-regular language (e.g., Petri net languages) onto the stack, which is not the case for prefix-recognizable graphs [7]. Moreover, our reductions from OMPA and BVMPA to EGPA, together with the reachability analysis procedure for EGPA, provide conceptually simple algorithms for checking the emptiness problem for each of these models, and for proving their 2ETIME upper bounds.

¹ Recall that 2ETIME is the class of all decision problems solvable by a deterministic Turing machine in time 2^(2^(dn)) for some constant d.
2 Preliminaries

In this section, we introduce some basic definitions and notations that will be used in the rest of the paper.

Integers: Let N be the set of natural numbers. For every i, j ∈ N such that i ≤ j, we use [i, j] (resp. [i, j[) to denote the set {k ∈ N | i ≤ k ≤ j} (resp. {k ∈ N | i ≤ k < j}).

Words and languages: Let Σ be a finite alphabet. We denote by Σ∗ (resp. Σ+) the set of all words (resp. non-empty words) over Σ, and by ε the empty word. A language is a (possibly infinite) set of words. We use Σ_ε and Lang(Σ) to denote respectively the set Σ ∪ {ε} and the set of all languages over Σ. Let u be a word over Σ. The length of u is denoted by |u|. For every j ∈ [1, |u|], we use u(j) to denote the j-th letter of u. We denote by u^R the mirror of u. Let Θ be a subset of Σ. Given a word v ∈ Σ∗, we denote by v|_Θ the projection of v over Θ, i.e., the word obtained from v by erasing all the symbols that are not in Θ. This definition is extended to languages as follows: if L is a language over Σ, then L|_Θ = {v|_Θ | v ∈ L}.

Transition systems: A transition system is a triplet T = (C, Σ, →) where: (1) C is a (possibly infinite) set of configurations, (2) Σ is a finite set of labels (or actions) such that C ∩ Σ = ∅, and (3) → ⊆ C × Σ_ε × C is a transition relation. We write c −a→_T c′ whenever c and c′ are two configurations and a is an action such that (c, a, c′) ∈ →. Given two configurations c, c′ ∈ C, a finite run ρ of T from c to c′ is a finite sequence c0 a1 c1 · · · an cn, for some n ≥ 1, such that: (1) c0 = c and cn = c′, and (2) ci −a_{i+1}→_T c_{i+1} for all i ∈ [0, n[. In this case, we say that ρ has length n and is labelled by the word a1 a2 · · · an.

Let c, c′ ∈ C and u ∈ Σ∗. We write c =u⇒^n_T c′ if one of the following two cases holds: (1) n = 0, c = c′, and u = ε, or (2) there is a run ρ of length n from c to c′ labelled by u. We also write c =u⇒∗_T c′ (resp. c =u⇒+_T c′) to denote that c =u⇒^n_T c′ for some n ≥ 0 (resp. n > 0).

For every C1, C2 ⊆ C, let Traces_T(C1, C2) = {u ∈ Σ∗ | ∃(c1, c2) ∈ C1 × C2, c1 =u⇒∗_T c2} be the set of sequences of actions generated by the runs of T from a configuration in C1 to a configuration in C2, and let Pre∗_T(C1) = {c ∈ C | ∃(c′, u) ∈ C1 × Σ∗, c =u⇒∗_T c′} be the set of predecessor configurations of C1.
Finite state automata: A finite state automaton (FSA) is a tuple A = (Q, Σ, Δ, I, F) where: (1) Q is the finite non-empty set of states, (2) Σ is the finite input alphabet, (3) Δ ⊆ (Q × Σ × Q) is the transition relation, (4) I ⊆ Q is the set of initial states, and (5) F ⊆ Q is the set of final states. We represent a transition (q, a, q′) in Δ by q −a→_A q′. Moreover, if I′ and F′ are two subsets of Q, then we use A(I′, F′) to denote the finite state automaton defined by the tuple (Q, Σ, Δ, I′, F′). The size of A is defined by |A| = (|Q| + |Σ|). We use T(A) = (Q, Σ, Δ) to denote the transition system associated with A. The language accepted (or recognized) by A is given by L(A) = Traces_T(A)(I, F).
3 Generalized Pushdown Automata

In this section, we introduce the class of generalized pushdown automata, where operations on stacks are (1) pop the top symbol of the stack, and (2) push a word in some (effectively) given set of words L over the stack alphabet. A transition t is of the form δ(p, γ, a, p′) = L, where L is a (possibly infinite) set of words. Being in a configuration (q, w), where q is a state and w is a stack content, t can be applied if both p = q and the content of the stack is of the form γw′ for some w′. Taking the transition and reading the input letter a (which may be the empty word), the system moves to the successor configuration (p′, uw′) where u ∈ L (i.e., the new state is p′, and γ is replaced with a word u belonging to the language L). Formally, we have:

Definition 1 (Generalized pushdown automata). A generalized pushdown automaton (GPA for short) is a tuple P = (P, Σ, Γ, δ, p0, γ0, F) where: (1) P is the finite non-empty set of states, (2) Σ is the input alphabet, (3) Γ is the stack alphabet, (4) δ : P × Γ × Σ_ε × P → Lang(Γ) is the transition function, (5) p0 ∈ P is the initial state, (6) γ0 ∈ Γ is the initial stack symbol, and (7) F ⊆ P is the set of final states.

Definition 2 (Effectiveness property). A GPA P = (P, Σ, Γ, δ, p0, γ0, F) is effective if and only if, for every finite state automaton A over the alphabet Γ, it is decidable whether L(A) ∩ δ(p, γ, a, p′) = ∅ for all p, p′ ∈ P, γ ∈ Γ, and a ∈ Σ_ε.

A configuration of a GPA P = (P, Σ, Γ, δ, p0, γ0, F) is a pair (p, w) where p ∈ P and w ∈ Γ∗. The set of all configurations of P is denoted by Conf(P). Similarly to the case of pushdown automata [4], we use the class of P-automata as a finite symbolic representation of sets of configurations of P. Formally, a P-automaton is an FSA A = (Q_A, Γ, Δ_A, I_A, F_A) such that I_A = P. We say that a configuration (p, w) of P is accepted (or recognized) by A if w ∈ L(A({p}, F_A)).
The set of all configurations recognized by A is denoted by LP (A). A set of configurations of P is said to be recognizable if and only if it is accepted by some Pautomaton.
From Multi to Single Stack Automata
121
The transition system T(P) associated with the generalized pushdown automaton P is defined by the tuple (Conf(P), Σ, →) where → is the smallest transition relation such that: for every p, p′ ∈ P, γ ∈ Γ, and a ∈ Σ_ε, if δ(p, γ, a, p′) ≠ ∅, then (p, γw) −a→_T(P) (p′, uw) for all u ∈ δ(p, γ, a, p′) and w ∈ Γ∗. Let L(P) = Traces_T(P)({(p0, γ0)}, F × {ε}) denote the language accepted by P. Observe that pushdown automata can be seen as a particular class of effective GPA where δ(p, γ, a, p′) is a finite set of words for all (p, γ, a, p′). On the other hand, we can show that the class of effective GPA is closed under concatenation, union, Kleene star, projection, homomorphism, and intersection with a regular language. However, effective GPA are not closed under intersection.
4 Computing the Set of Predecessors for a GPA

In this section, we show that the set of predecessors of a recognizable set of configurations of an effective GPA is recognizable and effectively constructible. This is done by adapting the construction given in [4]. On the other hand, it is easy to observe that the set of successors of a recognizable set of configurations of an effective GPA is not recognizable in general.

Theorem 1. For every effective generalized pushdown automaton P, and every P-automaton A, it is possible to construct a P-automaton recognizing Pre∗_T(P)(L_P(A)).

Proof. Let P = (P, Σ, Γ, δ, p0, γ0, F) be an effective generalized pushdown automaton and A = (Q_A, Γ, Δ_A, I_A, F_A) a P-automaton. Without loss of generality, we assume that A has no transition leading to an initial state. We compute Pre∗_T(P)(L_P(A)) as the set of configurations recognized by a P-automaton A_pre∗ = (Q_A, Γ, Δ_pre∗, I_A, F_A) obtained from A by means of a saturation procedure. Initially, we have A_pre∗ = A. Then, the procedure adds new transitions to A_pre∗, but no new states. New transitions are added according to the following saturation rule:

For every p, p′ ∈ P, γ ∈ Γ, and a ∈ Σ_ε with δ(p, γ, a, p′) ≠ ∅, and for every q ∈ Q_A such that δ(p, γ, a, p′) ∩ L(A_pre∗({p′}, {q})) ≠ ∅, add the transition (p, γ, q) to A_pre∗.

It is easy to see that the saturation procedure eventually reaches a fixed point, because the number of possible new transitions is finite. Moreover, the saturation procedure is well defined, since the emptiness problem for the language δ(p, γ, a, p′) ∩ L(A_pre∗({p′}, {q})) is decidable (P is an effective GPA). The relation between the set of configurations recognized by A_pre∗ and the set Pre∗_T(P)(L_P(A)) is then established by Lemma 1.

Lemma 1. L_P(A_pre∗) = Pre∗_T(P)(L_P(A)).
As an immediate consequence of Theorem 1, we obtain the decidability of the emptiness and membership problems for effective generalized pushdown automata.

Theorem 2 (Emptiness, Membership). The emptiness and membership problems are decidable for effective generalized pushdown automata.
122
M.F. Atig
5 Ordered Multi-Pushdown Automata

In this section, we first recall the definition of multi-pushdown automata. Then, ordered multi-pushdown automata [6,1] appear as a special case of multi-pushdown automata.

5.1 Multi-Pushdown Automata

Multi-pushdown automata have one read-only, left-to-right input tape and n ≥ 1 read-write memory tapes (stacks) with a last-in-first-out rewriting policy. A transition is of the form t = ⟨q, γ1, …, γn⟩ −a→ ⟨q′, α1, …, αn⟩. Being in a configuration (p, w1, …, wn), which is composed of a state p and a stack content wi for each stack i, t can be applied if both q = p and, for each i, the i-th stack is of the form γi w′i for some w′i. Taking the transition and reading the a (which might be the empty word), the system moves to the successor configuration (q′, α1 w′1, …, αn w′n).

Definition 3 (Multi-pushdown automata). A multi-pushdown automaton (MPA) is a tuple M = (n, Q, Σ, Γ, Δ, q0, γ0, F) where:
– n ≥ 1 is the number of stacks.
– Q is the finite non-empty set of states.
– Σ is the finite set of input symbols.
– Γ is the finite set of stack symbols containing the special stack symbol ⊥.
– Δ ⊆ (Q × (Γ_ε)^n) × Σ_ε × (Q × (Γ*)^n) is the transition relation such that, for all ((q, γ1, …, γn), a, (q′, α1, …, αn)) ∈ Δ and i ∈ [1, n], we have:
  • |αi| ≤ 2.
  • If γi ≠ ⊥, then αi ∈ (Γ \ {⊥})*.
  • If γi = ⊥, then αi = α′i ⊥ for some α′i ∈ Γ_ε.
– q0 ∈ Q is the initial state.
– γ0 ∈ (Γ \ {⊥}) is the initial stack symbol.
– F ⊆ Q is the set of final states.
The size of M, denoted by |M|, is defined by (n + |Q| + |Σ| + |Γ|). In the rest of this paper, we use ⟨q, γ1, …, γn⟩ −a→_M ⟨q′, α1, …, αn⟩ to denote that the transition ((q, γ1, …, γn), a, (q′, α1, …, αn)) is in Δ. Moreover, we denote by M(q, γ, q′) the multi-pushdown automaton defined by the tuple (n, Q, Σ, Γ, Δ, q, γ, {q′}). A stack content of M is a sequence from Stack(M) = (Γ \ {⊥})*{⊥}. A configuration of M is an (n+1)-tuple (q, w1, …, wn) with q ∈ Q and w1, …, wn ∈ Stack(M). A configuration (q, w1, …, wn) is final if q ∈ F and w1 = ⋯ = wn = ⊥. The set of configurations of M is denoted by Conf(M). The behavior of the MPA M is described by its corresponding transition system T(M), defined by the tuple (Conf(M), Σ, →) where → is the smallest transition relation satisfying the following condition: if ⟨q, γ1, …, γn⟩ −a→_M ⟨q′, α1, …, αn⟩, then (q, γ1 w1, …, γn wn) −a→_T(M) (q′, α1 w1, …, αn wn) for all w1, …, wn ∈ Γ* such that γ1 w1, …, γn wn ∈ Stack(M). Observe that the symbol ⊥ marks the bottom of a stack. According to the transition relation, ⊥ can never be popped. The language accepted (or recognized) by M is defined by the set L(M) = {τ ∈ Σ* | (q0, γ0⊥, ⊥, …, ⊥) =τ⇒*_T(M) c for some final configuration c}.
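As a sanity check of Definition 3 and the step rule just stated, the following sketch enumerates the enabled moves of an MPA configuration; stacks are strings written top-first with "⊥" at the end, and all names are illustrative.

```python
def mpa_steps(conf, delta):
    """Enabled moves of a multi-pushdown automaton: a transition
    (q, guards, a, q2, pushes) fires in (q, stacks) if every stack i
    starts with guards[i] (the empty guard '' always matches); the
    popped prefix guards[i] is replaced by pushes[i]."""
    q, stacks = conf[0], conf[1:]
    for (p, guards, a, p2, pushes) in delta:
        if p != q:
            continue
        rests = []
        for g, s in zip(guards, stacks):
            if s.startswith(g):          # '' is a prefix of everything
                rests.append(s[len(g):])
            else:
                break                    # guard not satisfied on stack i
        else:
            yield a, (p2, *(u + r for u, r in zip(pushes, rests)))
```

For example, a transition popping X from stack 1 while pushing YX on stack 1 and Z on stack 2 maps (q, X⊥, ⊥) to (q2, YX⊥, Z⊥).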
From Multi to Single Stack Automata
123
5.2 Ordered Multi-Pushdown Automata

An ordered multi-pushdown automaton is a multi-pushdown automaton in which one can pop only from the first non-empty stack (i.e., all preceding stacks are equal to ⊥). In the following, we consider only ordered multi-pushdown automata in normal form with respect to the definitions in [1].

Definition 4 (Ordered multi-pushdown automata). An ordered multi-pushdown automaton (OMPA for short) is a multi-pushdown automaton (n, Q, Σ, Γ, Δ, q0, γ0, F) such that Δ contains only the following types of transitions:
– ⟨q, γ, ε, …, ε⟩ −a→_M ⟨q′, γ′γ″, ε, …, ε⟩ for some q, q′ ∈ Q, γ, γ′, γ″ ∈ (Γ \ {⊥}), and a ∈ Σ_ε.
– ⟨q, γ, ε, …, ε⟩ −a→_M ⟨q′, ε, …, ε, γ′, ε, …, ε⟩ for some q, q′ ∈ Q, γ, γ′ ∈ (Γ \ {⊥}), and a ∈ Σ_ε (γ′ is pushed on one of the stacks 2 to n).
– ⟨q, ⊥, …, ⊥, γ, ε, …, ε⟩ −a→_M ⟨q′, γ′⊥, ⊥, …, ⊥, ε, ε, …, ε⟩ for some q, q′ ∈ Q, γ, γ′ ∈ (Γ \ {⊥}), and a ∈ Σ_ε (γ is popped from one of the stacks 2 to n).
– ⟨q, γ, ε, …, ε⟩ −a→_M ⟨q′, ε, …, ε⟩ for some q, q′ ∈ Q, γ ∈ (Γ \ {⊥}), and a ∈ Σ_ε.
We introduce the following abbreviations: (1) for n ≥ 1, we call an MPA/OMPA an n-MPA/n-OMPA, respectively, if its number of stacks is n, and (2) an MPA over Σ is an MPA with input alphabet Σ. Next, we recall some properties of the class of languages recognized by n-OMPAs.

Lemma 2 ([6]). If M1 and M2 are two n-OMPAs over an alphabet Σ, then it is possible to construct an n-OMPA M over Σ such that L(M) = L(M1) ∪ L(M2) and |M| = O(|M1| + |M2|).

Lemma 3 ([6]). Let Σ be an alphabet. Given an n-OMPA M over Σ and a finite state automaton A over Σ, it is possible to construct an n-OMPA M′ such that L(M′) = L(M) ∩ L(A) and |M′| = O(|M| · |A|).
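The construction behind Lemma 3 is a standard product: the OMPA state is paired with the FSA state, stack operations are untouched, and silent moves of the OMPA leave the FSA component fixed. A hypothetical sketch on bare transition sets (names and encodings are our own):

```python
def product_transitions(ompa_delta, fsa_delta, fsa_states):
    """Pair each OMPA transition (q, guards, a, q2, pushes) with the
    FSA moves on the letter a; silent OMPA moves (a == '') keep the
    FSA state unchanged. Stack behaviour is untouched, so the result
    is again an OMPA transition set of size O(|M| * |A|)."""
    out = set()
    for (q, guards, a, q2, pushes) in ompa_delta:
        if a == "":
            for s in fsa_states:
                out.add(((q, s), guards, a, (q2, s), pushes))
        else:
            for (s, b, t) in fsa_delta:
                if b == a:
                    out.add(((q, s), guards, a, (q2, t), pushes))
    return out
```

A run of the product is accepting when both components accept, which gives L(M) ∩ L(A).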
6 The Emptiness Problem for an n-OMPA Is in 2ETIME

In this section, we show that the emptiness problem for ordered multi-pushdown automata is in 2ETIME. (We provide here a simpler proof of the 2ETIME upper bound than the one given in [1].) To this aim, we proceed as follows:
– First, we show that, given an n-OMPA M with n > 1, it is possible to construct a GPA P with transition languages defined by (n−1)-OMPAs of size O(|M|²) such that the emptiness problem for M can be reduced to the emptiness problem for P. Let us present the main steps of this construction. For that, consider an accepting run ρ of M. This run can be seen as a sequence of runs of the form ς1 σ1 ς2 σ2 ⋯ ςm σm such that pop operations are exclusive to the first (n−1) stacks (resp. the n-th stack) of M during the runs ς1, ς2, …, ςm (resp. σ1, σ2, …, σm). Observe that, by definition, the first (n−1) stacks of M are empty along the runs σ1, σ2, …, σm. Moreover, at the beginning of the runs
ς1, ς2, …, ςm, the OMPA M is in some configuration c where the first stack of M contains just one symbol and the stacks from 2 to n−1 are empty (i.e., c is of the form (q, γ⊥, ⊥, …, ⊥, w)). We then construct P such that the following invariant is preserved during the simulation of M: the state and the stack content of P are the same as the state and the content of the n-th stack of M whenever its first (n−1) stacks are empty (and so, L(P) = ∅ if and only if L(M) = ∅). To this aim, a pushdown operation of M that pops a symbol γ from the n-th stack is simply simulated by a pushdown operation of P that pops the symbol γ. This implies that a run of the form σi, with 1 ≤ i ≤ m, that pops the word ui from the n-th stack of M is simulated by a run of P that pops the same word ui. Now, for every j ∈ [1, m], we need to compute the word vj pushed onto the n-th stack of M during the run ςj, so that it can also be pushed by P. For that, let L(q,γ,q′) be the set of all words u that can be pushed onto the n-th stack of M by a run (q, γ⊥, ⊥, …, ⊥, w) =τ⇒*_T(M) (q′, ⊥, ⊥, …, ⊥, uw) in which pop operations are exclusive to the first (n−1) stacks of M. We show that this language L(q,γ,q′) can be defined by an (n−1)-OMPA M′(q, γ, q′) over the stack alphabet of M that: (1) performs the same operations on its state and its (n−1) stacks as those performed by M on its state and its first (n−1) stacks, while discarding the pop operations of M over the n-th stack, and (2) makes visible, as transition labels, the symbols pushed onto the n-th stack of M. Now, to simulate the run ςj = (qj, γj⊥, ⊥, …, ⊥, wj) =τj⇒*_T(M) (q′j, ⊥, ⊥, …, ⊥, uj wj) of M, P can push onto its stack the word uj ∈ L(M′(qj, γj, q′j)).
– Then, we prove, by induction on n, that the emptiness problem for the n-OMPA M is in 2ETIME with respect to the number of stacks. For that, we assume that the emptiness problem for (n−1)-OMPAs can be solved in 2ETIME.
This implies that the GPA P (that simulates M) is effective (see Definition 2 and Lemma 3). We can then use Theorem 2 to prove the decidability of the emptiness problem for the effective GPA P (and so, for the n-OMPA M). To show that the emptiness problem for P and M is in 2ETIME, we estimate the running time of our saturation procedure, given in Section 4, under the assumption that the emptiness problem for (n−1)-OMPAs can be solved in 2ETIME. Let us now describe the above proof in more detail.

6.1 Simulation of an n-OMPA by a GPA

In the following, we prove that, given an n-OMPA M with n > 1, we can construct a GPA P, with transition languages defined by (n−1)-OMPAs of size O(|M|²), such that the emptiness problem for M is reducible to the emptiness problem for P.

Theorem 3. Given an OMPA M = (n, Q, Σ, Γ, Δ, q0, γ0, F) with n > 1, it is possible to construct a GPA P = (P, Σ′, Γ, δ, p0, ⊥, {pf}) such that P = Q ∪ {p0, pf}, Σ′ = Q, and we have:
– L(M) = ∅ if and only if L(P) = ∅, and
– For every p1, p2 ∈ P, a ∈ Σ′_ε, and γ ∈ Γ, there is an (n−1)-OMPA M(p1,γ,a,p2) over Γ such that L(M(p1,γ,a,p2)) = (δ(p1, γ, a, p2))^R and |M(p1,γ,a,p2)| = O(|M|²).

The proof of Theorem 3 is structured as follows. First, we define an (n−1)-OMPA M′ over the alphabet Γ that: (1) performs the same operations on its state and (n−1) stacks as those performed by M on its state and its first (n−1) stacks, while discarding the pop operations of M on the n-th stack, and (2) makes visible, as transition labels, the symbols pushed onto the n-th stack of M. Intuitively, depending on the initial and final configurations of M′, the "language" of M′ summarizes the effect, on the n-th stack of M, of a sequence of pop operations of M over the first (n−1) stacks. So, if we are interested only in the configurations of M where the first (n−1) stacks are empty, a run of M can be seen as a sequence of alternations between a pop operation of M over the n-th stack and a push, onto the n-th stack, of a word in the "language" of M′. Then, we construct a generalized pushdown automaton P such that the state and the stack content of P are the same as the state and the n-th stack content of M when the first (n−1) stacks of M are empty. In the definition of P, we use the (n−1)-OMPA M′ to characterize the word pushed onto the n-th stack of M by a sequence of pop operations of M on the first (n−1) stacks of M. This implies that the emptiness problem for M is reducible to its corresponding problem for P.

Constructing the (n−1)-OMPA M′: Let us introduce the n-OMPA M[1,n[ = (n, Q, Σ, Γ, Δ[1,n[, q0, γ0, F) such that Δ[1,n[ = Δ ∩ ((Q × (Γ_ε)^(n−1) × {ε}) × Σ_ε × (Q × (Γ*)^n)). Intuitively, M[1,n[ is built up from M by discarding the pop operations of M over the n-th stack.
Then, let M′ = (n−1, Q, Γ, Γ, Δ′, q0, γ0, F) be the (n−1)-OMPA, built from M[1,n[, which (1) performs the same operations on the first n−1 stacks as M[1,n[, and (2) makes visible, as transition labels, the stack symbols pushed onto the n-th stack of M[1,n[. Formally, Δ′ is defined as the smallest transition relation satisfying the following conditions:
– If ⟨q, γ1, …, γn−1, ε⟩ −a→_M[1,n[ ⟨q′, α1, …, αn−1, ε⟩ for some q, q′ ∈ Q, γ1, …, γn−1 ∈ Γ_ε, a ∈ Σ_ε, and α1, …, αn−1 ∈ Γ*, then ⟨q, γ1, …, γn−1⟩ −ε→_M′ ⟨q′, α1, …, αn−1⟩.
– If ⟨q, γ, ε, …, ε⟩ −a→_M[1,n[ ⟨q′, ε, …, ε, γ′⟩ for some q, q′ ∈ Q, a ∈ Σ_ε, and γ, γ′ ∈
(Γ \ {⊥}), then ⟨q, γ, ε, …, ε⟩ −γ′→_M′ ⟨q′, ε, …, ε⟩.

Let us now give the relation between the effect of a sequence of operations of M[1,n[ on the n-th stack and the language of M′.

Lemma 4. For every q, q′ ∈ Q and w1, w′1, …, wn, w′n ∈ Stack(M[1,n[), we have (q, w1, …, wn) =τ⇒*_T(M[1,n[) (q′, w′1, …, w′n) for some τ ∈ Σ* if and only if there is u ∈ Γ* such that (q, w1, …, wn−1) =u⇒*_T(M′) (q′, w′1, …, w′n−1) and w′n = u^R wn.
Constructing the GPA P: We are now ready to define the generalized pushdown automaton P = (P, Σ′, Γ, δ, p0, ⊥, {pf}), with P = Q ∪ {p0, pf} and Σ′ = Q, that keeps track of the state and the content of the n-th stack of M when the first (n−1) stacks are empty. Formally, P is built from M′ as follows: for every p, p′ ∈ P, q ∈ Σ′_ε, and γ ∈ Γ, we have:
– If p = p0, γ = ⊥, q = q0, and p′ ∈ Q, then δ(p, γ, q, p′) = {u^R ⊥ | u ∈ L(M′(q0, γ0, p′))}.
– If p ∈ F, γ = ⊥, q = ε, and p′ = pf, then δ(p, γ, q, p′) = {ε}.
– If p, p′ ∈ Q, γ ≠ ⊥, and q ∈ Q, then δ(p, γ, q, p′) = ⋃_{γ′ ∈ Γ′} (L(M′(q, γ′, p′)))^R, where Γ′ = {γ′ ∈ Γ | ∃a ∈ Σ_ε, ⟨p, ⊥, …, ⊥, γ⟩ −a→_M ⟨q, γ′⊥, ⊥, …, ⊥, ε⟩}.
– Otherwise, δ(p, γ, q, p′) = ∅.

Observe that for every p1, p2 ∈ P, q ∈ Q_ε, and γ ∈ Γ, we can construct an (n−1)-OMPA M(p1,γ,q,p2) over Γ such that L(M(p1,γ,q,p2)) = (δ(p1, γ, q, p2))^R and |M(p1,γ,q,p2)| = O(|M|²). This can easily be proved using Lemma 2. To complete the proof of Theorem 3, it remains to show that the emptiness problem for M is reducible to its corresponding problem for P. This is stated by Lemma 5.

Lemma 5. L(M) = ∅ if and only if L(P) = ∅.

6.2 Emptiness of an n-OMPA Is in 2ETIME

In the following, we show that the emptiness problem for an n-OMPA is in 2ETIME.

Theorem 4. The emptiness problem for an n-OMPA M can be solved in time O(|M|^(2^(dn))) for some constant d.

Proof. Let M = (n, Q, Σ, Γ, Δ, q0, γ0, F) be an n-OMPA. To prove Theorem 4, we proceed by induction on n.

Basis. n = 1. Then M is a pushdown automaton. From [4], we know that the emptiness problem for M can be solved in time polynomial in |M|.

Step. n > 1. Then we can apply Theorem 3 to construct a generalized pushdown automaton P = (P, Q, Γ, δ, p0, ⊥, {pf}), with P = Q ∪ {p0, pf}, such that:
– L(P) = ∅ if and only if L(M) = ∅, and
– For every p1, p2 ∈ P, a ∈ Q_ε, and γ ∈ Γ, there is an (n−1)-OMPA M(p1,γ,a,p2) over Γ such that L(M(p1,γ,a,p2)) = (δ(p1, γ, a, p2))^R and |M(p1,γ,a,p2)| = O(|M|²).

It is easy to observe that P is an effective generalized pushdown automaton. This is established by the following lemma.

Lemma 6. P is an effective generalized pushdown automaton.

From Theorem 2, Theorem 3, and Lemma 6, we deduce that the emptiness problem for the n-OMPA M is decidable. Let us now estimate the running time of the decision procedure.
From Theorem 2, we know that the emptiness problem for P reduces to computing the set of predecessors of the configuration (pf, ε), since L(P) ≠ ∅ if and only if (p0, ⊥) ∈ Pre*_T(P)({pf} × {ε}). Let A be the P-automaton that recognizes the configuration (pf, ε) of P. It is easy to see that such a P-automaton A, with |A| = O(|M|), is effectively constructible. Now,
we need to analyze the running time of the saturation procedure (given in Section 4) applied to A. For that, let A0, …, Ai be the sequence of P-automata obtained from the saturation procedure, such that A0 = A and L_P(Ai) = Pre*_T(P)(L_P(A)). Then we have i = O(|M|³), since the number of possible new transitions of A is finite. Moreover, at each step j, with 0 ≤ j ≤ i, we need to check, for every q ∈ Q_A, p, p′ ∈ P, γ ∈ Γ, and a ∈ Q_ε, whether L(Aj({p′}, {q})) ∩ δ(p, γ, a, p′) = ∅. Using Lemma 3, we can construct, in time polynomial in |M|, an (n−1)-OMPA M(q,p,γ,a,p′) such that L(M(q,p,γ,a,p′)) = (L(Aj({p′}, {q})))^R ∩ L(M(p,γ,a,p′)) and |M(q,p,γ,a,p′)| ≤ c|M|³ for some constant c. Now, we can apply the induction hypothesis to M(q,p,γ,a,p′), and we obtain that checking whether L(M(q,p,γ,a,p′)) = ∅ can be done in time O((c|M|³)^(2^(d(n−1)))). Putting all these bounds together, we obtain that checking whether (p0, ⊥) ∈ Pre*_T(P)({pf} × {ε}) can be done in time O(|M|³ · |M|⁵ · (c|M|³)^(2^(d(n−1)))). By taking the constant d as big as needed, we can show that checking whether L(M) = ∅ can be solved in time O(|M|^(2^(dn))).
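The estimate at the end of this proof can be summarized as a recurrence. The display below is our reconstruction from the stated bounds, with T(n) denoting the time to decide emptiness of an n-OMPA and c, d the constants of the proof:

```latex
% Base case: pushdown emptiness is polynomial [4]
T(1) \;=\; |\mathcal{M}|^{O(1)}
% Inductive step: O(|M|^3) saturation rounds, O(|M|^5) tests per round,
% each test an (n-1)-OMPA emptiness check on an automaton of size <= c|M|^3
T(n) \;\le\; O\!\Big(|\mathcal{M}|^{3}\cdot|\mathcal{M}|^{5}\cdot
      \big(c\,|\mathcal{M}|^{3}\big)^{2^{d(n-1)}}\Big)
% For d large enough, the polynomial factors are absorbed:
T(n) \;=\; O\!\big(|\mathcal{M}|^{2^{dn}}\big)
```

Unfolding the recurrence n − 1 times yields the doubly exponential (2ETIME) bound in the number of stacks.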
7 Bounded-Phase Visibly Multi-Pushdown Automata

In this section, we recall the definition of visibly multi-pushdown automata [16], another subclass of MPA, where each action is associated with a particular stack operation. An action can be a push, a pop, or an internal action. Formally, a visibly multi-pushdown automaton (VMPA for short) is a tuple V = (M, type) where M = (n, Q, Σ, Γ, Δ, q0, γ0, F) is an MPA and type : Σ → ({Push, Pop} × [1, n]) ∪ {Int} is a function satisfying, for all transitions ⟨q, γ1, …, γn⟩ −a→_M ⟨q′, α1, …, αn⟩:
– a ≠ ε,
– if type(a) = (Push, i) for some i ∈ [1, n], then γ1 = ⋯ = γn = ε, αi ∈ (Γ \ {⊥}), and αj = ε for all j ∈ [1, n] \ {i},
– if type(a) = (Pop, i) for some i ∈ [1, n], then γi ∈ Γ, αi ∈ {⊥} ∪ {ε}, and γj = αj = ε for all j ∈ [1, n] \ {i}, and
– if type(a) = Int, then γi = αi = ε for all i ∈ [1, n].

If, in a VMPA, we restrict the number of phases, where in one phase pop operations are exclusive to one stack, then we obtain bounded-phase visibly multi-pushdown automata. A bounded-phase visibly multi-pushdown automaton (BVMPA for short) is a triple B = (M, type, τ) where M = (n, Q, Σ, Γ, Δ, q0, γ0, F) is an MPA, τ is a word over [1, n], and (M, type) is a VMPA. For every i ∈ [1, n], let Σi = {a ∈ Σ | ∀j ≠ i, type(a) ≠ (Pop, j)}. The language accepted by B is defined as follows: L(B) = L(M) ∩ (Σ*_τ(1) Σ*_τ(2) ⋯ Σ*_τ(|τ|)).

In the rest of this paper, we use τ-phase n-BVMPA over Σ to denote a BVMPA of the form (M, type, τ) where M is an n-MPA over Σ. Next, we show that the class of languages accepted by bounded-phase visibly multi-pushdown automata is closed under intersection with regular languages.
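The regular phase constraint Σ*_τ(1) ⋯ Σ*_τ(|τ|) can be decided by a single left-to-right pass over the word. The sketch below checks it, with an illustrative `typ` function standing in for `type`; pushes and internal actions belong to every Σi, so only pops can force a phase change.

```python
def respects_phases(word, tau, typ):
    """Check word ∈ Σ*_τ(1) · Σ*_τ(2) · ... : pushes and internal
    actions are allowed in every phase, while a pop on stack s forces
    the current phase to some j with tau[j] == s, advancing phases
    monotonically from left to right (greedy, hence complete here)."""
    j = 0
    for a in word:
        t = typ(a)
        if not (isinstance(t, tuple) and t[0] == "Pop"):
            continue                     # push / internal: no constraint
        while j < len(tau) and tau[j] != t[1]:
            j += 1                       # move to the next phase
        if j == len(tau):
            return False                 # pop on a stack with no phase left
    return True
```

For τ = 12, a word whose pops hit stack 1 and then stack 2 is accepted, while a pop on stack 2 followed by one on stack 1 is not.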
Lemma 7. Let Σ be an alphabet. Given a τ-phase n-BVMPA B = (M, type, τ) over Σ and an FSA A over Σ, it is possible to construct a τ-phase n-BVMPA B′ = (M′, type, τ) such that L(B′) = L(B) ∩ L(A) and |M′| = O(|M| · |A|).
Proof. Similar to the proof of Lemma 3.
8 The Emptiness Problem for a τ-Phase n-BVMPA Is in 2ETIME

In this section, we show that the emptiness problem for bounded-phase visibly multi-pushdown automata is in 2ETIME with respect to the length of τ. To this aim, we proceed as follows. First, we prove that the emptiness problem for a τ-phase n-BVMPA is reducible to the emptiness problem for a generalized pushdown automaton with transition languages defined by τ′-phase n-BVMPAs, where τ = τ′ · τ(|τ|). Then, we use the saturation procedure given in Section 4 to prove, by induction on |τ|, that the emptiness problem for a τ-phase n-BVMPA is in 2ETIME.

For the rest of this section, let us fix a BVMPA B = (M, type, τ) where M = (n, Q, Σ, Γ, Δ, q0, γ0, F) is an MPA. We assume w.l.o.g. that Σ ∩ Γ = ∅. For every i ∈ [1, n], let Σi = {a ∈ Σ | ∀j ≠ i, type(a) ≠ (Pop, j)}. Moreover, let us assume that k = τ(|τ|) and τ = τ′k.

8.1 Simulation of a τ-Phase n-BVMPA by a GPA

In the following, we prove that it is possible to construct a GPA P such that the emptiness problem for B is reducible to the emptiness problem for P.

Theorem 5. Assume that k > 1. Then, it is possible to construct a GPA P = (P, Σ, Γ, δ, p0, ⊥, {pf}) such that P = Q ∪ {p0, pf} and we have:
– L(B) = ∅ if and only if L(P) = ∅, and
– For every p, p′ ∈ P, a ∈ Σ_ε, and γ ∈ Γ, there is a τ′-phase n-BVMPA B(p,γ,a,p′) = (M(p,γ,a,p′), type′, τ′) over Σ′ such that Γ ⊆ Σ′, |M(p,γ,a,p′)| = O(|M|²), and δ(p, γ, a, p′) = (L(B(p,γ,a,p′))|Γ)^R {⊥}.

Proof. By definition, L(B) ≠ ∅ if and only if there are q ∈ F and σj ∈ Σ*_τ(j) for all j ∈ [1, |τ|] such that ρ = (q0, γ0⊥, ⊥, …, ⊥) =σ1⋯σ|τ|⇒*_T(M) (q, ⊥, …, ⊥). Thus, the emptiness problem for B can be reduced to the problem of checking whether there are q′ ∈ Q, w1, …, wn ∈ Stack(M), q ∈ F, and σj ∈ Σ*_τ(j) for all j ∈ [1, |τ|] such that: (1) wl = ⊥ for all l ∈ [1, n] with l ≠ k, (2) ρ1 = (q0, γ0⊥, ⊥, …, ⊥) =σ1⋯σ(|τ|−1)⇒*_T(M) (q′, w1, …, wn), and (3) ρ2 = (q′, w1, …, wn) =σ|τ|⇒*_T(M) (q, ⊥, …, ⊥). Observe that in the configuration (q′, w1, …, wn) only the content of the k-th stack of M can be different from ⊥. Moreover, during the run ρ2, pop and push operations are exclusive to the k-th stack of M. So, in order to prove Theorem 5, it is sufficient to show that all possible contents wk of the k-th stack of M reached by the run ρ1 can be characterized by a language accepted
by a τ′-phase n-BVMPA Bq′ = (Mq′, type′, τ′) over Σ′ such that Γ ⊆ Σ′ (i.e., wk ∈ (L(Bq′)|Γ)^R {⊥}). Once this is done, we can construct a GPA P that simulates B. The automaton P proceeds as follows. First, it pushes onto its stack the content wk of the k-th stack of M reached by the run ρ1, using the language of Bq′. Then, P starts to simulate the run ρ2 by performing the same operations on its state and its stack as those performed by M on its state and its k-th stack. This is possible since, along the run ρ2, pop and push operations of M are exclusive to the k-th stack. Finally, P checks whether the current configuration is final and moves to the final state pf.

Constructing the τ′-phase n-BVMPA Bq′: In the following, we show that it is possible to construct, for every q′ ∈ Q, a τ′-phase n-BVMPA Bq′ such that wk ∈ (L(Bq′)|Γ)^R {⊥} if and only if there are σj ∈ Σ*_τ(j) for all j ∈ [1, |τ|[ such
that (q0, γ0⊥, ⊥, …, ⊥) =σ1⋯σ(|τ|−1)⇒*_T(M) (q′, w1, …, wn), where wl = ⊥ for all l ∈ [1, n] with l ≠ k. For that, let us define the n-MPA M′ that contains all the transitions of M and, in addition, has the ability to push a fresh symbol ♯ instead of any symbol that M may push onto the k-th stack. Moreover, the symbol ♯ can be popped from the k-th stack at any time by M′ without changing its state. Formally, M′ is defined by the tuple (n, Q, Σ′, Γ′, Δ′, q0, γ0, F), where Γ′ = Γ ∪ {♯} is the stack alphabet, Σ′ = Σ ∪ Γ ∪ {♯} is the input alphabet, and Δ′ is the smallest transition relation satisfying the following conditions:
– Δ ⊆ Δ′.
– If ⟨q1, γ1, …, γn⟩ −a→_M ⟨q2, α1, …, αn⟩ and type(a) = (Push, k), then ⟨q1, γ1, …, γn⟩ −αk→_M′ ⟨q2, α′1, …, α′n⟩ with α′l = αl for all l ≠ k and α′k = ♯.
– For every q ∈ Q, ⟨q, γ1, …, γn⟩ −♯→_M′ ⟨q, α1, …, αn⟩ if γl = ε for all l ≠ k, γk = ♯, and α1 = ⋯ = αn = ε.

Let B′ = (M′, type′, τ′) be a τ′-phase n-BVMPA, where the function type′ : Σ′ → ({Push, Pop} × [1, n]) ∪ {Int} is defined as follows: type′(a) = type(a) for all a ∈ Σ, type′(♯) = (Pop, k), and type′(γ) = (Push, k) for all γ ∈ Γ. Let Ξk = {a ∈ Σ′ | type′(a) = (Pop, k)}. Then, from Lemma 7, it is possible to construct, for every q′ ∈ Q, a τ′-phase n-BVMPA Bq′ = (Mq′, type′, τ′) from B′ such that L(Bq′) = L((M′(q0, γ0, q′), type′, τ′)) ∩ (Σ ∪ Γ)*{♯}*(Σ \ Ξk)*. The relation between Bq′ and M is given by Lemma 8, which can be proved by induction.

Lemma 8. For every q′ ∈ Q, wk ∈ (L(Bq′)|Γ)^R {⊥} if and only if there are σj ∈ Σ*_τ(j) for all j ∈ [1, |τ|[ such that (q0, γ0⊥, ⊥, …, ⊥) =σ1⋯σ(|τ|−1)⇒*_T(M) (q′, w1, …, wn), where wl = ⊥ for all l ∈ [1, n] with l ≠ k.

Constructing the GPA P: Formally, the transition function δ is defined as follows: for every p, p′ ∈ P, γ ∈ Γ, and a ∈ Σ_ε, we have:
– Initialization: δ(p, γ, a, p′) = (L(Bp′)|Γ)^R {⊥} if p = p0, p′ ∈ Q, γ = ⊥, and a = ε. This transition pushes onto the stack of P the content of the k-th stack of M reached by the run ρ1.
– Simulation of a push operation on the k-th stack of M: δ(p, γ, a, p′) = {αk γ | ⟨p, γ1, …, γn⟩ −a→_M ⟨p′, α1, …, αn⟩} if p, p′ ∈ Q and a ∈ Σk with type(a) = (Push, k).
– Simulation of a pop operation on the k-th stack of M: δ(p, γ, a, p′) = {αk | ⟨p, γ1, …, γn⟩ −a→_M ⟨p′, α1, …, αn⟩ and γ = γk} if p, p′ ∈ Q and a ∈ Σk with type(a) = (Pop, k).
– Simulation of an internal operation of M: δ(p, γ, a, p′) = {γ} if p, p′ ∈ Q and a ∈ Σk with type(a) = Int.
– Final configuration: δ(p, γ, a, p′) = {ε} if p ∈ F, p′ = pf, γ = ⊥, and a = ε.
– Otherwise: δ(p, γ, a, p′) = ∅.

Then, it is easy to see that L(B) = ∅ if and only if L(P) = ∅.
As an immediate consequence of Theorem 5, we obtain that the emptiness problem for a τ-phase n-BVMPA is in 2ETIME.

Theorem 6. The emptiness problem for a BVMPA B = (M, type, τ) can be solved in time O(|M|^(2^(d|τ|))) for some constant d.

The proof of Theorem 6 is similar to the proof of Theorem 4.
9 Conclusion

In this paper, we have shown that the emptiness problem for both OMPA and BVMPA can be reduced to the emptiness problem for the class of effective generalized pushdown automata. We have provided simple algorithms for checking emptiness for each of these models, proving their 2ETIME upper bounds. Recently, A. Seth has shown in [15] that the set of predecessors of a regular set of configurations of a BVMPA is regular and effectively constructible. We believe that our automata-based saturation procedure for computing the set of predecessors of an effective GPA can be used to show (by induction on the number of stacks) that the set of predecessors of a regular set of configurations of an OMPA is regular and effectively constructible (which may answer a question raised in [15]). It is quite easy to see that the model-checking problems for omega-regular properties of effective generalized pushdown automata are decidable. This can be done by adapting the construction given in [4]. This result can be used to establish decidability and complexity results for the model-checking problems for omega-regular properties of both OMPA and BVMPA.
References

1. Atig, M.F., Bollig, B., Habermehl, P.: Emptiness of multi-pushdown automata is 2ETIME-complete. In: Ito, M., Toyama, M. (eds.) DLT 2008. LNCS, vol. 5257, pp. 121–133. Springer, Heidelberg (2008)
2. Atig, M.F., Bouajjani, A., Touili, T.: On the reachability analysis of acyclic networks of pushdown systems. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 356–371. Springer, Heidelberg (2008)
3. Bouajjani, A., Esparza, J.: Rewriting models of boolean programs. In: Pfenning, F. (ed.) RTA 2006. LNCS, vol. 4098, pp. 136–150. Springer, Heidelberg (2006)
4. Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model-checking. In: Mazurkiewicz, A., Winkowski, J. (eds.) CONCUR 1997. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997)
5. Bouajjani, A., Müller-Olm, M., Touili, T.: Regular symbolic analysis of dynamic networks of pushdown systems. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 473–487. Springer, Heidelberg (2005)
6. Breveglieri, L., Cherubini, A., Citrini, C., Crespi Reghizzi, S.: Multi-pushdown languages and grammars. International Journal of Foundations of Computer Science 7(3), 253–292 (1996)
7. Caucal, D.: On infinite transition graphs having a decidable monadic theory. In: Meyer auf der Heide, F., Monien, B. (eds.) ICALP 1996. LNCS, vol. 1099, pp. 194–205. Springer, Heidelberg (1996)
8. Esparza, J., Knoop, J.: An automata-theoretic approach to interprocedural data-flow analysis. In: Thomas, W. (ed.) FOSSACS 1999. LNCS, vol. 1578, pp. 14–30. Springer, Heidelberg (1999)
9. Kahlon, V.: Boundedness vs. unboundedness of lock chains: Characterizing decidability of pairwise CFL-reachability for threads communicating via locks. In: LICS, pp. 27–36. IEEE Computer Society, Los Alamitos (2009)
10. Lal, A., Reps, T.W.: Reducing concurrent analysis under a context bound to sequential analysis. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 37–51. Springer, Heidelberg (2008)
11. Qadeer, S.: The case for context-bounded verification of concurrent programs. In: Havelund, K., Majumdar, R., Palsberg, J. (eds.) SPIN 2008. LNCS, vol. 5156, pp. 3–6. Springer, Heidelberg (2008)
12. Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 93–107. Springer, Heidelberg (2005)
13.
Ramalingam, G.: Context-sensitive synchronization-sensitive analysis is undecidable. ACM Trans. Program. Lang. Syst. 22(2), 416–430 (2000)
14. Reps, T.W., Schwoon, S., Jha, S.: Weighted pushdown systems and their application to interprocedural dataflow analysis. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 189–213. Springer, Heidelberg (2003)
15. Seth, A.: Global reachability in bounded phase multi-stack pushdown systems. In: CAV 2010. LNCS. Springer, Heidelberg (2010)
16. La Torre, S., Madhusudan, P., Parlato, G.: A robust class of context-sensitive languages. In: Proceedings of LICS, pp. 161–170. IEEE, Los Alamitos (2007)
17. La Torre, S., Madhusudan, P., Parlato, G.: An infinite automaton characterization of double exponential time. In: Kaminski, M., Martini, S. (eds.) CSL 2008. LNCS, vol. 5213, pp. 33–48. Springer, Heidelberg (2008)
18. La Torre, S., Madhusudan, P., Parlato, G.: Reducing context-bounded concurrent reachability to sequential reachability. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 477–492. Springer, Heidelberg (2009)
A Geometric Approach to the Problem of Unique Decomposition of Processes

Thibaut Balabonski¹ and Emmanuel Haucourt²

¹
Laboratoire PPS, Université Paris Diderot and CNRS, UMR 7126
[email protected]
² CEA, LIST, Gif-sur-Yvette, F-91191, France
[email protected]

Abstract. This paper proposes a geometric solution to the problem of prime decomposability of concurrent processes first explored by R. Milner and F. Moller in [MM93]. Concurrent programs are given a geometric semantics using cubical areas, for which a unique factorization theorem is proved. An effective factorization method, which is correct and complete with respect to the geometric semantics, is derived from the factorization theorem. This algorithm is implemented in the static analyzer ALCOOL.

Keywords: Concurrency, Milner problem, Decomposition of processes, Geometric semantics.
1 Introduction: Parallel Programming Problem
This paper aims at introducing some new static analysis technology for concurrent programs. The work presented here gives a new insight into the problem of decomposition of processes, which was first explored by R. Milner and F. Moller in [MM93]. The main new results are an algorithm maximally decomposing concurrent programs into independent processes (Section 4) and the proof that this prime decomposition is unique in the considered class of programs (Theorem 2). They are derived from a study of algebraic properties of cubical areas. Given an associative and commutative operator ∥ for parallel composition of two processes (with the empty process as unit), decomposing a concurrent program P into a multiset {P1, ..., Pn} such that P = P1 ∥ ⋯ ∥ Pn and the Pi's are independent has several interests. For instance, the decomposition may be relevant for the allocation of processors to subprograms. Another important concern is the static analysis of concurrent programs, whose complexity grows exponentially with the number of concurrent processes: finding independent subprograms that can be analyzed separately could dramatically decrease the global complexity
This work has been partially supported by Agence Nationale pour la Recherche via the project PANDA (Parallel and Distributed Analysis) ANR09BLAN016902.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 132–146, 2010. c SpringerVerlag Berlin Heidelberg 2010
A Geometric Approach to the Problem of Unique Decomposition
133
of the static analysis. Hence this paper aims at finding the finest decomposition (and proving its uniqueness) for a wide class of concurrent programs.

Let us first take a look at a non-trivial example of independent processes, in the so-called PV language introduced by E.W. Dijkstra [Dij68] as a simple framework for the study of concurrency with shared resources. The only instructions are P(name) and V(name)¹, where name is an identifier which refers to a resource. The idea is to have some common pool of resources which can be taken (with P) and released (with V) by concurrent processes. The resources are formalized by semaphores which, depending on their arity, can be held simultaneously by a certain number of processes (arity n allows at most n − 1 simultaneous processes). Now suppose c is the name of a ternary semaphore, which means it can be held by at most two processes, and a, b are the names of binary semaphores, also called mutexes (for mutual exclusion).

Example 1.
Σ := π1 ∥ π2 ∥ π3 ∥ π4 where
  π1 = Pa.Pc.Vc.Va
  π2 = Pb.Pc.Vc.Vb
  π3 = Pa.Pc.Vc.Va
  π4 = Pb.Pc.Vc.Vb
A naive syntactic analysis would stamp this program as indecomposable since all processes share the resource c, but the following finer analysis can be made: thanks to mutex a (respectively b), the processes π1 and π3 (respectively π2 and π4) cannot both hold an occurrence of the resource c at the same time. Hence there are never more than two simultaneous requests over c, which means that the instructions Pc and Vc actually play no role in determining the semantics of the program. And without c, Σ can be split into two independent systems (they use disjoint resources). Basically, this example rests on the fact that semaphores are not the real resources, but mere devices used to guard their access. And it may be that some guards are redundant. This work is based on a geometric semantics for concurrency. The semantics of PV programs was implicitly given in [Dij68], then made explicit by Carson and Reynolds [CR87]. Roughly speaking, the instructions of a process are pinned upon a 1-dimensional "directed" shape, in other words a track along which the instructions of the program to execute are written. If N sequential processes run together, one can consider their N instruction pointers as a multidimensional control point. Although we have made the construction explicit for PV programs only, the result applies to any synchronisation or communication mechanism whose geometric interpretation is a so-called cubical area (the notion is formalized in Section 3.5). See for instance [GH05] for the geometric semantics of synchronisation barriers, monitors and synchronous or asynchronous communications (with finite or infinite message queues): their geometrical shape is the complement of an orthogonal polyhedron [BMP99, Tha09], which is a special case of cubical area.
¹ P and V stand for the Dutch words "Pakken" (take) and "Vrijlaten" (release).
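The claim of Example 1, that c is never held by more than two processes at once, can be machine-checked by exhaustively exploring the interleavings of Σ. The following Python sketch is entirely our own encoding (the instruction strings, the names `ARITY` and `PROC`, and the state representation are illustrative assumptions, not the paper's notation):

```python
# Hypothetical encoding of Example 1: mutexes a, b (arity 2), ternary semaphore c.
ARITY = {"a": 2, "b": 2, "c": 3}
PROC = [p.split() for p in
        ["Pa Pc Vc Va", "Pb Pc Vc Vb", "Pa Pc Vc Va", "Pb Pc Vc Vb"]]

def held(proc, pc):
    """Resources held by a process after executing its first `pc` instructions.
    A redundant V(s) is ignored, matching the semantics recalled in Section 2."""
    h = set()
    for ins in proc[:pc]:
        (h.add if ins[0] == "P" else h.discard)(ins[1])
    return h

def explore():
    """Exhaustively explore all reachable interleavings; return the maximal
    number of simultaneous holders of c over all reachable states."""
    seen, todo, max_c = set(), [tuple(0 for _ in PROC)], 0
    while todo:
        pcs = todo.pop()
        if pcs in seen:
            continue
        seen.add(pcs)
        counts = {}
        for proc, pc in zip(PROC, pcs):
            for s in held(proc, pc):
                counts[s] = counts.get(s, 0) + 1
        max_c = max(max_c, counts.get("c", 0))
        for i, (proc, pc) in enumerate(zip(PROC, pcs)):
            if pc == len(proc):
                continue
            ins = proc[pc]
            # P(s) is enabled only if fewer than arity-1 processes hold s
            if ins[0] == "P" and counts.get(ins[1], 0) >= ARITY[ins[1]] - 1:
                continue
            todo.append(pcs[:i] + (pc + 1,) + pcs[i + 1:])
    return max_c

print(explore())  # → 2
```

The exploration confirms that two holders of c are reachable (e.g. π1 and π2 together) but three never are, so replacing c by a semaphore of any arity ≥ 3 leaves the semantics unchanged.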
T. Balabonski and E. Haucourt
Outline of the paper. The paper is organized as follows. Section 2 provides the mathematics of the geometric semantics, detailed for PV programs. Section 3 establishes the link between algebraic properties of the semantics and independence of subprograms, and then states and proves prime decomposability theorems for algebraic frameworks encompassing the geometric semantics (Theorems 1 and 2). Section 4 describes the corresponding algorithm and implementation, as well as a detailed example and some benchmarks.
2  The Geometric Semantics
The geometric semantics of a PV program is a subset of the finite-dimensional real vector space whose dimension is the number N of processes running concurrently: each process is associated with a coordinate of R^N. Given a mutex a, the instructions P(a) and V(a) that occur in the k-th process should be understood as opening and closing parentheses, or more geometrically as the greatest lower bound and the least upper bound of an interval I_k of R. The forbidden area generated by a mutex a is thus a finite union of hyperrectangles² of the following form (with k < k′), products of N terms:

R+ × · · · × R+ × I_k × R+ × · · · × R+ × I_{k′} × R+ × · · · × R+

For example, P(a).V(a) | P(a).V(a) is a program written in the PV language. Assuming that a is a mutex (semaphore of arity 2), its geometric model is (R+)² \ [1, 2[². Intuitively, a point p in [1, 2[² would correspond to the situation where both processes hold the semaphore a, which is forbidden by the semantics of mutexes. In the sequel of this section we formalize the PV language syntax as well as the construction of the geometric semantics. Denote the positive half-line [0, +∞[ by R+. For each α ∈ N\{0, 1}, let Sα be a countably infinite set whose elements are the semaphores of arity α of the PV language. A PV process is a finite sequence on the alphabet

A := { P(s), V(s) | s ∈ Sα, α ≥ 2 }
and a PV program is a finite (and possibly empty) multiset of PV processes. The parallel operator | then corresponds to multiset addition, therefore it is associative and commutative³. Given a semaphore s and a process π, the sequences (x_k)_{k∈N} and (y_k)_{k∈N} are recursively defined as follows: set y_{−1} = 0 and

– x_k = min{ n ∈ N | n > y_{k−1} and π(n) is P(s) }
– y_k = min{ n ∈ N | n > x_k and π(n) is V(s) }

with the convention that min ∅ = ∞; π(n) denotes the n-th term of the process π, and its first term is π(1). Then, the busy area of s in π is⁴

B_s(π) := ⋃_{k∈N} [x_k, y_k[

² However, we will more likely write "cube" instead.
³ The collection of multisets over a set A forms a monoid which is isomorphic to the free commutative monoid over A. The first terminology is usually used by computer scientists while mathematicians prefer the second one. Anyway, it will be described and characterized in Section 3.
Actually this description implies some extra assumptions about the way instructions are interpreted. Namely, a process cannot hold more than one occurrence of a given resource. Thus a process already holding an occurrence of a semaphore s ignores any instruction P(s), and similarly a process holding no occurrence of s ignores any instruction V(s). Then denote by χ_s^π : R → R the characteristic function of B_s(π), defined by

χ_s^π(x) = 1 if x ∈ B_s(π), and 0 otherwise.

Because the sequence π is finite, there exists some k such that x_k = ∞, and for any such k and any k′ ≥ k, one also has x_{k′} = ∞. In particular, if the instruction P(s) does not appear in π, then B_s(π) is empty and χ_s^π is the null map. The geometric model of a PV program with N processes running concurrently is a subpospace of [0, +∞[^N defined as follows:

– Call Π = (π1, . . . , πN) the program to model.
– Given a semaphore s of arity α, define the forbidden area of s in Π as

F_s := { x⃗ ∈ [0, +∞[^N | χ⃗_s · x⃗ ≥ α }

where x⃗ = (x1, . . . , xN), χ⃗_s = (χ_s^{π1}, . . . , χ_s^{πN}) and χ⃗_s · x⃗ = Σ_{i=1}^N χ_s^{πi}(x_i). The value χ⃗_s · x⃗ indicates how many occurrences of the semaphore s are held when the instruction pointer is at position x⃗. Note that F_s is a finite union of hyperrectangles, which may be empty even if s appears in the program Π. In the end, the forbidden area of the program Π is the following union, where S denotes the union of all the sets Sα:

F := ⋃_{s∈S} F_s

Because there are finitely many resource names s appearing in a PV program, there are finitely many nonempty sets F_s. Hence the previous union is still a finite union of hyperrectangles. The state space or geometric model of Π is
⁴ Including the greatest lower bound and removing the least upper bound is the mathematical interpretation of the following convention: the changes induced by an instruction are effective exactly when the instruction pointer reaches it.
then [0, +∞[^N \ F, and is denoted by ⟦Π⟧. Remark that the geometric model is also a finite union of hyperrectangles. In other words, the state space of Π is the set of positions of the "multidimensional instruction pointer" for which the number of held occurrences of each semaphore s is strictly below its arity α. If Π is made of N concurrent processes, this space is an N-dimensional Euclidean space with (cubical) holes. As an example, Figure 1 shows the construction of the geometric model of the PV program P(a).P(b).V(b).V(a) | P(b).P(a).V(a).V(b) (referred to as the Swiss flag). Figure 2 gives a simplified version of Example 1 fitting in three dimensions.
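The busy-interval and forbidden-area construction above can be prototyped directly. The Python sketch below uses our own encoding (process strings and function names are illustrative assumptions); interval endpoints are instruction positions, following the half-open convention of footnote 4, and for simplicity `forbidden_area` enumerates, for a semaphore of arity α, one hyperrectangle per choice of α processes and one busy interval each:

```python
from itertools import combinations, product

# Our encoding of the Swiss-flag program Pa.Pb.Vb.Va | Pb.Pa.Va.Vb.
ARITY = {"a": 2, "b": 2}

def busy_intervals(proc, s):
    """B_s(pi): half-open intervals [x_k, y_k[ during which proc holds s.
    Positions are counted from 1, as in the paper."""
    out, start = [], None
    for n, ins in enumerate(proc, start=1):
        if ins == "P" + s and start is None:   # redundant P(s) is ignored
            start = n
        elif ins == "V" + s and start is not None:
            out.append((start, n))
            start = None
    if start is not None:
        out.append((start, float("inf")))
    return out

def forbidden_area(procs, s):
    """Hyperrectangles where the number of holders of s reaches its arity:
    products of one busy interval for each process in an arity-sized subset,
    and the full half-line [0, inf[ elsewhere."""
    per_proc = [busy_intervals(p, s) for p in procs]
    rects = []
    for idx in combinations(range(len(procs)), ARITY[s]):
        for choice in product(*(per_proc[i] for i in idx)):
            rect = [(0.0, float("inf"))] * len(procs)
            for i, iv in zip(idx, choice):
                rect[i] = iv
            rects.append(tuple(rect))
    return rects

p1 = "Pa Pb Vb Va".split()
p2 = "Pb Pa Va Vb".split()
print(forbidden_area([p1, p2], "a"))  # → [((1, 4), (2, 3))]
print(forbidden_area([p1, p2], "b"))  # → [((2, 3), (1, 4))]
```

The two printed rectangles are exactly the forbidden areas F_a = [1, 4[ × [2, 3[ and F_b = [2, 3[ × [1, 4[ of the Swiss flag of Figure 1.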
Fig. 1. Construction of a geometric model: the Swiss flag (axes labelled by the instructions P(a), V(a), P(b), V(b); the forbidden areas F_a and F_b, and their union F)
Σ∗ := π1 | π2∗ | π3 where π1 = Pa.Pc.Vc.Va, π2∗ = Pc.Vc, π3 = Pa.Pc.Vc.Va

Fig. 2. Example in three dimensions

Intuitively, the graphs pictured here correspond to the essential components of the state space; see [GH07] for developments on this topic. The little cube on the left picture is the forbidden area of the semaphore c, which is contained in the forbidden area of the mutex a (in the full, 4-dimensional, example Σ the forbidden area of c is contained in the union of the forbidden areas of a and b).
3  The Problem of Unique Decomposition
Now that the geometric semantics of programs is deﬁned, let us refocus on the main goal: ﬁnding the independent parts of a concurrent program. Hence the question: what does independence mean in this geometrical setting?
3.1  Parallel Composition vs. Cartesian Product
A general definition has to be given for independence: say a program Π is independent from another program Π′ when its behaviour is unaffected by parallel composition with Π′, whatever the way Π′ is executed. That is, the presence of Π′, as well as its instruction pointer, has no effect on the semantics of Π. A geometric translation of this assertion is: in the geometric model of Π|Π′, the cylinder⁵ over any state of Π′ (i.e. the subspace of all points with given fixed coordinates for the Π′ component) is equal to the model of Π. Hence two programs Π and Π′ of geometric models ⟦Π⟧ and ⟦Π′⟧ are independent if and only if the geometric model ⟦Π|Π′⟧ of their parallel composition is isomorphic to the cartesian product ⟦Π⟧ × ⟦Π′⟧. Thus the decompositions of a program correspond to the factorizations of its geometric model (with respect to the cartesian product). The next subsection recalls some algebraic settings and results needed for a notion like factorization to make sense.

3.2  Free Commutative Monoids
The reader not familiar with this notion can refer for instance to [Lan02]. Let M be a commutative monoid. Any element of M which has an inverse is called a unit. A non-unit element x of M is said to be irreducible when for all y and z in M, if x = yz then y or z is a unit. The set of irreducible elements of M is denoted by I(M). For any elements x and y of M, say x divides y when there is an element x′ of M such that xx′ = y. A non-unit element x of M is said to be prime when for all y and z in M, if x divides yz then x divides y or x divides z. The set of prime elements of M is denoted by P(M). Given a set X, the collection of maps φ from X to N such that {x ∈ X | φ(x) ≠ 0} is finite, together with pointwise addition, forms a commutative monoid whose neutral element is the null map: we denote it by F(X). Moreover, given any subset X of a commutative monoid M, the map

Φ_M^X : F(X) → M,  φ ↦ ∏_{x∈X} x^{φ(x)}

is a well-defined morphism of monoids. A well-known result asserts that the following are equivalent [Lan02]:

1. The mapping Φ_M^{I(M)} is an isomorphism of monoids.
2. The set I(M) generates⁶ M and I(M) = P(M).
3. Any element of M can be written as a product of irreducible elements in a unique way up to permutation of terms (unique decomposition property).
⁵ Categorists would write "fibre" instead of "cylinder".
⁶ X ⊆ M generates M when all its elements can be written as products of elements of X, the product of the empty set being defined as the neutral element. Remark then that "I(M) generates M" implies that the only unit of M is its neutral element.
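For a concrete instance of this equivalence, the Python sketch below (all names are ours, for illustration only) realizes F(X) as finitely supported multisets for M = (N\{0}, ×, 1), whose irreducible elements are the prime numbers; Φ is then the classical correspondence of the fundamental theorem of arithmetic:

```python
from collections import Counter
from math import prod

# F(X) as finitely supported multisets over X = primes; M = (N \ {0}, *, 1).

def phi(multiset: Counter) -> int:
    """Phi(phi) = product over x of x**phi(x), a morphism (F(X), +) -> (M, *)."""
    return prod(x ** k for x, k in multiset.items())

def decompose(n: int) -> Counter:
    """Inverse of phi: the unique multiset of irreducibles with product n,
    computed by trial division."""
    out, d = Counter(), 2
    while d * d <= n:
        while n % d == 0:
            out[d] += 1
            n //= d
        d += 1
    if n > 1:
        out[n] += 1
    return out

# Multiset addition in F(X) corresponds to multiplication in M:
a, b = decompose(84), decompose(90)
assert phi(a + b) == 84 * 90
print(decompose(84))  # → Counter({2: 2, 3: 1, 7: 1})
```

Uniqueness of the decomposition is exactly the statement that `decompose` is a well-defined inverse of `phi` on I(M) = primes.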
If M satisfies any of the preceding assertions, then it is said to be a free commutative monoid. Two standard examples of free commutative monoids are the set of nonzero natural numbers N\{0} together with multiplication (the unit is 1 and the irreducible elements are the prime numbers) and the set of natural numbers N together with addition (the unit is 0 and the only irreducible element is 1).

3.3  Cartesian Product and Commutation
The geometric model of a concurrent program is a set of points in a Euclidean space of finite dimension. Each point is represented by the tuple of its coordinates, so a geometric model is a set of tuples (whose length corresponds to the dimension of the space). The cartesian product on such structures is the following:

X × Y = { (x1, ..., xn, y1, ..., yk) | (x1, ..., xn) ∈ X, (y1, ..., yk) ∈ Y }

However, this operator is not commutative, whereas the parallel composition of programs should be. Thus, in order to model parallel composition, we make the operator × commutative by allowing the permutation of coordinates. In the next subsection we prove a freeness theorem for a monoid generalizing this idea: tuples of (real) coordinates are replaced by words over an arbitrary (potentially infinite) alphabet. We will define a free commutative monoid of which every geometric model of a PV program is an element. From the decomposition of such models we will deduce the factorization of processes.

3.4  Homogeneous Sets of Words
Let A be a set called the alphabet. The noncommutative monoid of words A∗ consists of the finite sequences of elements of A together with concatenation. Given words w and w′ of lengths n and n′, the word w ∗ w′ of length n + n′ is defined by

(w ∗ w′)_k = w_k if 1 ≤ k ≤ n,  and  (w ∗ w′)_k = w′_{k−n} if n + 1 ≤ k ≤ n + n′.

The length of a word w is also referred to as ℓ(w). A subword of w is a word of the form w ◦ φ where φ is a strictly increasing map {1, . . . , n} → {1, . . . , ℓ(w)}. Hence a subword of w is also entirely characterized by the image of the increasing map φ, i.e. by a subset of {1, . . . , ℓ(w)}. If A is the image of φ then we write w ◦ A instead of w ◦ φ. The n-th symmetric group S_n (the group of permutations of the set {1, ..., n}) acts on the set of words of length n by composing on the right, that is, for all σ ∈ S_n and all words w of length n we have

σ · w := w ◦ σ = (w_{σ(1)} · · · w_{σ(n)})

Concatenation extends to sets of words: given S, S′ ⊆ A∗, define

S ∗ S′ := { w ∗ w′ | w ∈ S, w′ ∈ S′ }

Remark that this concatenation of sets corresponds to the cartesian product.
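These definitions are easy to animate. The sketch below uses our own 0-indexed Python notation (words as tuples, homogeneous sets as frozensets) to implement the S_n action, the concatenation of sets, and the juxtaposition of permutations, and checks the Godement-style exchange law (σ·S) ∗ (τ·T) = (σ⊗τ)·(S∗T) on a small sample:

```python
from itertools import permutations

# Words as tuples; a permutation sigma is the tuple (sigma(0), ..., sigma(n-1)).

def act(sigma, w):
    """sigma . w := w o sigma (0-indexed version of the action in the text)."""
    return tuple(w[i] for i in sigma)

def act_set(sigma, S):
    return frozenset(act(sigma, w) for w in S)

def concat(S, T):
    """S * T := { w * w' | w in S, w' in T } -- the cartesian product."""
    return frozenset(w + v for w in S for v in T)

def juxtapose(sigma, tau):
    """sigma (x) tau: sigma on the first block, tau shifted onto the second."""
    n = len(sigma)
    return tuple(sigma) + tuple(i + n for i in tau)

S = frozenset({("a", "b"), ("b", "a")})
T = frozenset({("c", "d")})
# Exchange law: (sigma.S) * (tau.T) == (sigma (x) tau).(S * T)
for sigma in permutations(range(2)):
    for tau in permutations(range(2)):
        lhs = concat(act_set(sigma, S), act_set(tau, T))
        rhs = act_set(juxtapose(sigma, tau), concat(S, T))
        assert lhs == rhs
print("exchange law holds on the sample")
```

The assertion is exactly the compatibility of the permutation action with ∗, which is what makes ∼ a congruence in the construction of H(A) below.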
The set P(A∗) of subsets of A∗ is thus endowed with a structure of noncommutative monoid whose neutral element is {ε}: the singleton containing the empty word. Note that the empty set ∅ is the absorbing element of P(A∗), that is, for all S ⊆ A∗ we have

∅ ∗ S = S ∗ ∅ = ∅

A subset S of A∗ is said to be homogeneous when all the words it contains share the same length n. By analogy with the geometric construction, n is called the dimension of S and denoted by d(S). The symmetric group S_n acts on the set of homogeneous sets of dimension n in a natural way, by applying the same permutation to all words: σ · S := {σ · w | w ∈ S}. The homogeneous subsets of A∗ form a submonoid P_h(A∗) of P(A∗) and can be equipped with an equivalence relation as follows: write S ∼ S′ when d(S) = d(S′) = n and there exists σ ∈ S_n such that S′ = σ · S. Moreover, for two permutations σ ∈ S_n and σ′ ∈ S_{n′}, define the juxtaposition σ ⊗ σ′ ∈ S_{n+n′} as:

(σ ⊗ σ′)(k) := σ(k) if 1 ≤ k ≤ n,  and  (σ ⊗ σ′)(k) := σ′(k − n) + n if n + 1 ≤ k ≤ n + n′.

A Godement-like exchange law is satisfied, which ensures that ∼ is actually a congruence:

(σ · S) ∗ (σ′ · S′) = (σ ⊗ σ′) · (S ∗ S′)

Hence the quotient P_h(A∗)/∼ from which the absorbing element has been removed is still a monoid, called the homogeneous monoid over A and denoted by H(A). Moreover, the homogeneous monoid is commutative and its only unit is the singleton {ε}. Remark that if the alphabet A is a singleton (resp. the empty set) then the homogeneous monoid H(A) is isomorphic to (N, +, 0) (resp. the null monoid). From now on, the elements of P_h(A∗) are denoted by capital letters S, S′, S_k (and so on) while capital letters H, H′, H_k are used to denote the elements of H(A). As they are ∼-equivalence classes, the elements of H(A) are subsets of P_h(A∗). In particular, for any H ∈ H(A) and any S, S′ ∈ H we have d(S) = d(S′), so we can soundly define the dimension of H as d(H) := d(S).

Theorem 1. For any set A the homogeneous monoid over A is free.

Proof. We check the characterizing condition 2 of Section 3.2. From the equality d(H ∗ H′) = d(H) + d(H′) and a straightforward induction on the dimension of elements of H(A) we deduce that they can all be written as products of irreducible elements: I(H(A)) generates H(A). Now suppose H is an irreducible element of H(A) which divides H1 ∗ H2, and pick S, S1 and S2 respectively from the equivalence classes H, H1 and H2. Define n = d(S), n1 = d(S1) and n2 = d(S2), and remark that n ≤ n1 + n2. There exist a permutation σ and some S3 such that σ · (S1 ∗ S2) = S ∗ S3 in P_h(A∗). Suppose
in addition that H divides neither H1 nor H2. Then we have A1 ⊆ {1, ..., n1} and A2 ⊆ {1, ..., n2} such that A1 ≠ ∅, A2 ≠ ∅ and σ(A1 ∪ A′2) = {1, ..., n}, where A′2 := {a + n1 | a ∈ A2}. Then we have a nontrivial factoring S = S′1 ∗ S′2 where

S′1 := { w ◦ A1 | w ∈ S1 }  and  S′2 := { w ◦ A2 | w ∈ S2 }

This contradicts the irreducibility of H. Hence H divides H1 or H2, and thus H is prime. So any irreducible element of H(A) is prime: I(H(A)) ⊆ P(H(A)). Finally, suppose H is a prime element of H(A) such that H = H1 ∗ H2. In particular H divides H1 ∗ H2, and since H is prime it divides H1 or H2. Both cases being symmetrical, suppose H divides H1. In particular d(H) ≤ d(H1). On the other hand d(H) = d(H1) + d(H2), and thus d(H2) ≤ 0. Dimensions being natural numbers, we deduce that d(H2) = 0 and then that H2 = {ε}. Hence H is irreducible, and I(H(A)) = P(H(A)).

A useful feature of the construction is that any binary relation ◁ over P_h(A∗) which is compatible with the product and satisfies

∀S, S′ ∈ P_h(A∗)  d(S) = d(S′) and S ◁ S′ ⇒ ∀σ ∈ S_{d(S)}  (σ · S) ◁ (σ · S′)

can be extended to a relation on H(A) which is still compatible with the product. Actually it suffices to set H ◁ H′ when d(H) = d(H′) and there exist a representative S of H and a representative S′ of H′ such that for all σ ∈ S_{d(H)} we have (σ · S) ◁ (σ · S′). In addition, if the relation ◁ satisfies

∀S, S′ ∈ P_h(A∗)  S ◁ S′ ⇒ d(S) = d(S′)

then the quotient map is compatible with ◁ and its extension. The relation of inclusion ⊆ over P_h(A∗) obviously satisfies these properties and therefore extends to H(A).

3.5  Cubical Areas
The monoid P_h(R∗) is ordered by inclusion; according to the preceding section, the relation ⊆ then extends to H(R) by setting H ⊆ H′ when d(H) = d(H′) and there exist S ∈ H and S′ ∈ H′ such that for all σ ∈ S_{d(H)} we have σ · S ⊆ σ · S′. A cube of dimension n is a word of length n on the alphabet I of nonempty intervals of R, so it can also be seen as a subset of R^n. In particular, given S ∈ P_h(I∗) we can define the set-theoretic union

⋃_{C∈S} C

as a subset of R^n, and thus an element of P_h(R∗), provided we identify any word of length n over R with a point of R^n. The elements of H(I) are called the cubical coverings, and we will use the capital letters F, F′ or F_k (k ∈ N) to denote them. Furthermore, the homogeneous
monoid H(I) is endowed with a preorder arising from the inclusion on I. Indeed, given two homogeneous sets of cubes S and S′ of the same dimension, we write S ≼ S′ when for all cubes C ∈ S there exists a cube C′ ∈ S′ such that C ⊆ C′. The relation ≼ provides the monoid P_h(I∗) with a preorder that can be extended to H(I) by setting F ≼ F′ when d(F) = d(F′) and there exist S ∈ F and S′ ∈ F′ such that for all σ ∈ S_{d(F)} we have σ · S ≼ σ · S′. We now establish a Galois connection between (H(R), ⊆) and (H(I), ≼). Given a cubical covering F, one can check that the following is actually an element of H(R):

γ(F) := { ⋃_{C∈S} C | S ∈ F }

The mapping γ is a morphism of monoids, and if F ≼ F′ then γ(F) ⊆ γ(F′). Conversely, given some S ∈ P_h(R∗), the collection of n-dimensional cubes C such that C ⊆ S, ordered by inclusion, is a semilattice whose maximal elements are called the maximal cubes of S. The set M_S of maximal cubes of S is homogeneous, and for all σ ∈ S_n, σ · M_S = M_{σ·S}. Then, given H ∈ H(R), one can check that the following is actually an element of H(I):

α(H) := { M_S | S ∈ H }

Furthermore, α is a morphism of monoids, and if H ⊆ H′ then α(H) ≼ α(H′). Then we have a Galois connection:

Proposition 1. γ ◦ α = id_{H(R)} and id_{H(I)} ≼ α ◦ γ.

Given H ∈ H(R) and F ∈ H(I), we say that F is a cubical covering of H when γ(F) = H. The cubical areas are the elements H of H(R) which admit a finite cubical covering. The collection of cubical areas (resp. finite cubical coverings) forms a submonoid Are of H(R) (resp. Cov of H(I)). The restrictions of the morphisms γ and α to Cov and Are induce another Galois connection:

Proposition 2. γ ◦ α = id_Are and id_Cov ≼ α ◦ γ.

Moreover, the morphisms γ and α of Proposition 2 induce a pair of isomorphisms of commutative monoids between Are and the collection of fixpoints of α ◦ γ. A submonoid of a free commutative monoid may not be free. Yet, under a simple additional hypothesis this pathological behaviour is no longer possible. We say that a submonoid P of a monoid M is pure when for all x, y ∈ M, x ∗ y ∈ P ⇒ x ∈ P and y ∈ P.

Lemma 1. Every pure submonoid of a free commutative monoid is free.

Proof. Let P be a pure submonoid of a free commutative monoid M. Let p be an element of P written as a product x1 · · · xn of irreducible elements of M. Each
xi is obviously an irreducible element of P, so any element of P can be written as a product of irreducible elements of P. Furthermore, any irreducible element of P is also an irreducible element of M because P is pure in M. It follows that any element of P can be written as a product of irreducible elements of P in a unique way, i.e. P is free. Then we have:

Theorem 2. The commutative monoid of cubical areas is free.

Proof. Let X and X′ be two elements of H(R) and suppose X ∗ X′ belongs to Are. Since both α and γ are morphisms of monoids, we have α ◦ γ(X ∗ X′) = α ◦ γ(X) ∗ α ◦ γ(X′), which is finite. It follows that both α ◦ γ(X) and α ◦ γ(X′) are finite. Hence X and X′ actually belong to Are, which is thus free as a pure submonoid of H(R). Moreover, one can check that for any n ∈ N and any finite family C1, . . . , Ck of bounded⁷ n-dimensional cubes, R^n \ (C1 ∪ · · · ∪ Ck) is irreducible. Therefore the commutative monoid of cubical areas has infinitely many irreducible elements. Theorem 2 is the theoretical cornerstone of our method: the geometric model of a PV program is an element of H(I), so from its decomposition we obtain the expected factorization of processes.
4  Effective Factoring of Cubical Areas
Beyond their theoretical usefulness, the maximal cubes provide the data structure which makes it possible to handle cubical areas algorithmically, as in the static analyzer ALCOOL, which is devoted to the study of parallel programs.

4.1  Implementation
We need an algorithm which performs decompositions in H(A); its implementation is directly based on the proof of Theorem 1: H ∈ H(A) is reducible if and only if there exists some representative S of H which admits a nontrivial decomposition in P_h(A∗). In order to describe the algorithm we define

S ◦ A := { w ◦ A | w ∈ S }

for any S ∈ P_h(A∗) and A ⊆ {1, ..., d(S)}. Moreover, for w′ ∈ A∗ with ℓ(w′) = |A| and A^c the complement of A (in {1, ..., d(S)}), we define the set of words

Ψ(w′, A, S) := { w ◦ A^c | w ∈ S and w ◦ A = w′ }

Then the class [S ◦ A] ∈ H(A) divides H if and only if for all w′ ∈ S ◦ A one has [Ψ(w′, A, S)] = [S ◦ A^c]. In particular, the choice of S ∈ H does not alter the result of the test, and we have

[S ◦ A] ∗ [S ◦ A^c] = H
⁷ An n-dimensional cube C is bounded when C ⊆ [−r, r]^n for some r > 0.
Then we look for some divisor of H by testing all the nonempty subsets A of {1, . . . , d(S)} (each test requires that we look over all the elements of S ◦ A) according to the following total ordering: A ≼ A′ when |A| < |A′| or (|A| = |A′| and A ≤_lex A′), where ≤_lex is the lexicographic ordering (A ≤_lex A′ is recursively defined by min(A) < min(A′), or min(A) = min(A′) and A\{min(A)} ≤_lex A′\{min(A′)}). Doing so, we know that if A is the first value such that [S ◦ A] divides H, then [S ◦ A] is irreducible. Moreover we have d([S ◦ A]) = |A| and, for all H0, H1 ∈ H(A), d(H0 ∗ H1) = d(H0) + d(H1), hence we can suppose

|A| < d(H)/2 + 1
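The search just described can be sketched in a few lines of Python. This is our own illustration of the divisor test, not the ALCOOL implementation: homogeneous sets are sets of equal-length tuples, coordinates are 0-indexed, and subsets A are enumerated by increasing cardinality (up to half the dimension) so that the first split found involves an irreducible factor:

```python
from itertools import combinations

def restrict(w, A):
    """w o A: the subword of w on the coordinate subset A."""
    return tuple(w[i] for i in A)

def psi(wA, A, S, Ac):
    """Psi(w', A, S): restrictions to Ac of the words of S agreeing with w' on A."""
    return {restrict(w, Ac) for w in S if restrict(w, A) == wA}

def split(S):
    """Return a coordinate partition (A, Ac) along which S factors, or None."""
    n = len(next(iter(S)))
    for size in range(1, n // 2 + 1):
        for A in combinations(range(n), size):
            Ac = tuple(i for i in range(n) if i not in A)
            S_Ac = {restrict(w, Ac) for w in S}
            # the divisor test: every fiber over S o A must equal S o Ac
            if all(psi(wA, A, S, Ac) == S_Ac
                   for wA in {restrict(w, A) for w in S}):
                return A, Ac
    return None

def factor(S):
    """Maximal decomposition: split recursively until every part is irreducible."""
    res = split(S)
    if res is None:
        return [S]
    A, Ac = res
    return factor({restrict(w, A) for w in S}) + factor({restrict(w, Ac) for w in S})

# A 3-dimensional example: coordinates {0, 2} are independent from {1}.
S = {(x, y, x) for x in "01" for y in "ab"}
print([sorted(part) for part in factor(S)])
# → [[('a',), ('b',)], [('0', '0'), ('1', '1')]]
```

As in the text, restricting the search to |A| up to half the dimension is sound because a factoring with a larger A is detected through its complement.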
The software ALCOOL is entirely written in OCaml. The complexity of the decomposition algorithm implemented in it is exponential in the dimension n of the cubical area, since it checks all the subsets of {0, . . . , n − 1}. However, it is worth remarking that our algorithm is efficient when the cubical area to decompose is actually the product of several irreducible cubical areas of small dimension (see Subsection 4.2 for benchmarks). This remark should be compared with the fact that the standard algorithm decomposing an integer into primes is very efficient on products of small prime numbers. We treat the case of the program Σ given in Example 1. Denote by H its geometric model; we are actually provided with some representative S ∈ H. With the preceding notation we then check that [S ◦ A] divides H for A := {1, 3}. Applying the permutation (2 3) we have

(2 3) · { {1, 3}, {2, 4} } = { {1, 2}, {3, 4} }

then (2 3) · S can be decomposed in P_h(R∗) as

( [0,1[ × [0,∞[ ∪ [4,∞[ × [0,∞[ ∪ [0,∞[ × [0,1[ ∪ [0,∞[ × [4,∞[ )²

and it follows that in the program Σ the sets of processes {π1, π3} and {π2, π4} run independently from each other.

4.2  Benchmarks
We describe some programs upon which the algorithm has been tested. The program Σ_{n1,...,nk} is made of k groups of processes: for all i ∈ {1, ..., k} it contains n_i copies of the process P(a_i).P(b).V(b).V(a_i), where a_i is a mutex and b is a semaphore of arity k + 1. All processes then share the resource b but, as for Σ in Example 1, the k groups are actually independent. On the other hand, the program Σ′_{n1,...,nk} is the same as Σ_{n1,...,nk} but with b of arity only k, which forbids any decomposition. The n-philosophers programs
implement the standard n dining philosophers algorithm. The benchmark table of Figure 3 has been obtained using the Unix command time, which is not accurate. Hence these results have to be understood as an over-approximation of the mean execution time.

Example          Time (in sec.)  Decomp.
6 philosophers   0.2             No
7 philosophers   0.7             No
8 philosophers   3.5             No
9 philosophers   21              No
10 philosophers  152             No

Example    Time (in sec.)  Decomp.
Σ2,2       0.1             {1,3}{2,4}
Σ2,2,2     0.1             {1,4}{2,5}{3,6}
Σ3,3       0.13            {1,3,5}{2,4,6}
Σ2,2,2,2   0.13            {1,5}{2,6}{3,7}{4,8}
Σ4,4       1               {1,3,5,7}{2,4,6,8}
Σ3,3,3     1.5             {1,4,7}{2,5,8}{3,6,9}
Σ4,5       6.1             {1,3,5,7}{2,4,6,8}
Σ5,5       50              {1,3,5,7,9}{2,4,6,8,10}

Example    Time (in sec.)  Decomp.
Σ′2,2      0.1             No
Σ′2,2,2    0.3             No
Σ′3,3      0.52            No
Σ′2,2,2,2  7.1             No
Σ′4,4      33              No
Σ′3,3,3    293             No
Σ′4,5      327             No
Σ′5,5      2875            No

Fig. 3. Benchmarks
5  Conclusion
Related work. The problem of decomposition of concurrent programs in CCS style has been studied in [GM92] and [MM93]. Since it allows semaphores of arbitrary arity, our work seems to go beyond this previous approach. Also note that the silent and synchronous communication mechanism of CCS can be given a straightforward geometric interpretation which falls within the scope of the present discussion. However, the link between bisimilarity in CCS and isomorphism of geometric interpretations is still to be explored in order to make clear the relations between these works. In [LvO05], B. Luttik and V. van Oostrom have characterized the commutative monoids with the unique decomposition property as those which can be provided with a so-called decomposition order. When the property holds, the divisibility order always fits, yet there might exist a more convenient one. Unfortunately, in the current setting the authors are not aware of any such order yielding direct proofs. Nevertheless, it is worth noticing that this approach is actually applied to the decomposition of processes in a normed ACP theory, for which a convenient decomposition order exists. One can also think of using this method to optimize the implementation of parallel programs. In the same stream of ideas, [CGR97] defines a preorder
over a simple process algebra with durational actions in order to compare the implementations of a same algorithm according to their efficiency.

Conclusion. This paper uses a geometric semantics for concurrent programs and presents a proof of a unique decomposition property, together with an algorithm working at this semantic level (Theorem 2). The main strength of this work is that it applies to any concurrent program yielding a cubical area. Examples of features allowed in this setting are: semaphores, synchronisation barriers, synchronous as well as asynchronous communications (with finite or infinite message queues), and conditional branchings. In fact we can even consider loops, provided we replace the set I of intervals of the real line R by the set A of arcs of the circle.

Future work. Any cubical area naturally enjoys a pospace⁸ structure. Pospaces are among the simplest objects studied in Directed Algebraic Topology. In particular, a cubical area is associated with its category of components [FGHR04, GH05, Hau06] and [GH07], which is proven to be finite, loop-free⁹ and in most cases connected. Then, as the cubical areas do, these categories together with the cartesian product form a free commutative monoid. It is worth noticing that this is actually a generalization of a result concerning finite posets which was established in the early fifties [Has51]. Therefore a program Π can be decomposed by lifting the decomposition of the category of components of its geometric model ⟦Π⟧. In general, the relation between the decomposition of a cubical area and that of its category of components is a theoretical issue the authors wish to investigate. Another important concern is a clarification of the control constructs compatible with cubical areas: replacing in some dimensions the intervals of the real line by the arcs of the circle, as mentioned above, corresponds to a global loop, but some richer structures may be useful.
A final point of interest is the investigation of the exact relation between our decomposition results and those of [GM92, MM93, LvO05]. Indeed, they use CCS-like syntaxes to describe some classes of edge-labelled graphs modulo bisimilarity, whereas the categories of components of our models correspond to some other graphs modulo directed homotopy. Hence the question: what is, in this setting, the relation between bisimilarity and directed homotopy?
References

[BMP99] Bournez, O., Maler, O., Pnueli, A.: Orthogonal polyhedra: Representation and computation. In: Vaandrager, F.W., van Schuppen, J.H. (eds.) HSCC 1999. LNCS, vol. 1569, p. 46. Springer, Heidelberg (1999)
[CR87] Carson, S.D., Reynolds Jr., P.F.: The geometry of semaphore programs. ACM Transactions on Programming Languages and Systems, 25–53 (1987)

⁸ Shorthand for "partially ordered spaces" [Nac65].
⁹ Loop-free categories were introduced in [Hae91, Hae92] as "small categories without loop" or "scwols", in a context far away from ours.
[CGR97] Corradini, F., Gorrieri, R., Roccetti, R.: Performance Preorder and Competitive Equivalence. Acta Inf. 34, 805–835 (1997)
[Dij68] Dijkstra, E.W.: Cooperating sequential processes. In: Programming Languages: NATO Advanced Study Institute, pp. 43–112. Academic Press, London (1968)
[FGHR04] Fajstrup, L., Goubault, E., Haucourt, E., Raußen, M.: Component categories and the fundamental category. App. Cat. Struct. 12, 81–108 (2004)
[GH05] Goubault, E., Haucourt, E.: A practical application of geometric semantics to static analysis of concurrent programs. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 503–517. Springer, Heidelberg (2005)
[GH07] Goubault, E., Haucourt, E.: Component categories and the fundamental category II. App. Cat. Struct. 15 (2007)
[GM92] Groote, J.F., Moller, F.: Verification of Parallel Systems via Decomposition. In: Cleaveland, W.R. (ed.) CONCUR 1992. LNCS, vol. 630, pp. 62–76. Springer, Heidelberg (1992)
[Hae91] Haefliger, A.: Complexes of groups and orbihedra. In: Group theory from a geometrical viewpoint, pp. 504–540. World Scientific, Singapore (1991)
[Hae92] Haefliger, A.: Extension of complexes of groups. Annales de l'institut Fourier 42(1-2), 275–311 (1992), http://www.numdam.org/
[Has51] Hashimoto, J.: On direct product decomposition of partially ordered sets. Annals of Mathematics 54, 315–318 (1951)
[Hau06] Haucourt, E.: Categories of components and loop-free categories. Theory and Applications of Categories 16(27), 736–770 (2006)
[Lan02] Lang, S.: Algebra. Springer, Heidelberg (2002) (4th corrected printing)
[LvO05] Luttik, B., van Oostrom, V.: Decomposition orders: another generalisation of the fundamental theorem of arithmetic. Theor. Comp. Sci. 335, 147–186 (2005)
[MM93] Milner, R., Moller, F.: Unique Decomposition of Processes. Theor. Comp. Sci. 107, 357–363 (1993)
[Nac65] Nachbin, L.: Topology and Order. Van Nostrand Mathematical Studies, vol. 4. Van Nostrand, Princeton (1965)
[Tha09] Thao, D.: Methods and Tools for Computer Aided Design of Embedded Systems. HDR Thesis, ch. 5 (2009)
[Win95] Winskel, G.: Handbook of Logic in Computer Science. Semantic Modelling, vol. 4, ch. 1. Oxford University Press, Oxford (1995)
A Logic for True Concurrency Paolo Baldan and Silvia Crafa Department of Pure and Applied Math, University of Padova
Abstract. We propose a logic for true concurrency whose formulae predicate about events in computations and their causal dependencies. The induced logical equivalence is hereditary history preserving bisimilarity, and fragments of the logic can be identified which correspond to other true concurrent behavioural equivalences in the literature: step, pomset and history preserving bisimilarity. Standard Hennessy-Milner logic, and thus (interleaving) bisimilarity, is also recovered as a fragment. We believe that this contributes to a rational presentation of the true concurrent spectrum and to a deeper understanding of the relations between the involved behavioural equivalences.
1 Introduction
In the semantics of concurrent and distributed systems, a major dichotomy opposes the interleaving approaches, where concurrency of actions is reduced to the nondeterministic choice among their possible sequentializations, to true-concurrent approaches, where concurrency is taken as a primitive notion. In both cases, on top of the operational models a number of behavioural equivalences have been defined by abstracting from aspects which are considered unobservable [1,2]. For the interleaving world, a systematic and impressive picture is given by the linear-time branching-time spectrum [1]. Quite interestingly, the equivalences in the spectrum can be uniformly characterised in logical terms. Bisimilarity, the finest equivalence, corresponds to Hennessy-Milner (HM) logic: two processes are bisimilar if and only if they satisfy the same HM logic formulae [3]. Coarser equivalences correspond to suitable fragments of HM logic. In the true-concurrent world, relying on models like event structures or transition systems with independence [4], several behavioural equivalences have been defined, ranging from hereditary history preserving (hhp-)bisimilarity to pomset and step bisimilarity. Correspondingly, a number of logics have been studied, but, to the best of our knowledge, a unifying logical framework encompassing the main true-concurrent equivalences is still missing. The huge amount of work on the topic makes it impossible to give a complete account of related approaches. Just to give a few references (see Section 5 for a wider discussion), [5] proposes a general framework encompassing a number of temporal and modal
Supported by the MIUR Projects SisteR and AIDA2007, and the project AVIAMO of the University of Padova.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 147–161, 2010. © Springer-Verlag Berlin Heidelberg 2010
logics that characterize pomset and weak history preserving bisimilarities as well as interleaving bisimilarity. However, finer equivalences are not considered and a single unitary logic is missing. History preserving (hp-)bisimilarity has been characterised in automata-theoretic terms using HD-automata [6] or Petri nets [7]. More recently, hp-bisimilarity has been obtained as a logical equivalence, using a separation fixpoint modal logic where it is possible to check the causal dependence/independence of the last executed action [8,9]. Concerning hhp-bisimilarity, several logics with modalities corresponding to the “retraction” or “backward” execution of computations have been proposed [10,11,12]. In the absence of auto-concurrency they are shown to capture hhp-bisimilarity, while the general case complicates the picture and requires some adjustments. In this paper we propose a behavioural logic for concurrency and we show that it allows us to characterise a relevant part of the truly concurrent spectrum. More specifically, the full logic is shown to capture hhp-bisimilarity, the finest equivalence in the spectrum [2]. Then suitable fragments of the logic are shown to scale down to the characterisation of other, coarser equivalences, i.e., history preserving, pomset and step bisimilarity. Standard HM logic, and thus (interleaving) bisimilarity, is also recovered as a fragment. Our logic allows us to predicate about events in computations together with their causal and independence relations. It is interpreted over prime event structures, but it could naturally be interpreted over any formalism with a notion of event, causality and consistency. A formula is evaluated in a configuration representing the current state of the computation, and it predicates on a set of possible future evolutions starting from that state. The logic is event-based in the sense that it contains a binder that allows later reference to the events the formula predicates on.
In this respect, it is reminiscent of the modal analogue of independence-friendly modal logic as considered in [13]. The logic contains two main operators. The formula (x, y < a z)ϕ declares that an a-labelled future event exists, which causally depends on the event bound to x, and is independent from the event bound to y. Such an event is bound to variable z so that it can be referred to later in ϕ. In general, x and y can be replaced by lists of variables. A second operator allows us to “execute” events previously bound to variables. The formula ⟨z⟩ϕ says that the event bound to z is enabled in the current state, and after its execution ϕ holds. Different behavioural equivalences are induced by fragments of the logic where we suitably restrict the set of possible futures the formulae are able to refer to. Namely, hhp-bisimilarity, which is captured by the full logic, corresponds to the ability of observing the existence of a number of legal but (possibly) incompatible futures, without executing such futures. Interestingly, the definition of hhp-bisimilarity is normally given in terms of backward transitions, whereas our logical characterization has a “forward flavor”. By restricting to a fragment where future events can be observed only by executing them (any occurrence of the binding operator is immediately followed by a corresponding execution), we get hp-bisimilarity. Pomset bisimilarity is induced by a fragment of the logic obtained by further restricting that for hp-bisimilarity, with the requirement
that propositional connectives are used only on closed (sub)formulae. Roughly speaking, this fragment predicates about the possibility of executing pomset transitions, and the closedness requirement prevents pomset transitions from being causally linked to the events in the past. Finally, quite intuitively, step bisimilarity corresponds to the possibility of observing only currently enabled concurrent actions. We believe that this work contributes to the definition of a logical counterpart of the true concurrent spectrum and sheds further light on the relations between the involved behavioural equivalences.
2 Background
In this section we provide the basics of prime event structures, which will be used as models for our logic. Then we define some common concurrent behavioural equivalences which will play a basic role in the paper.

2.1 Event Structures
Prime event structures [14] are a widely known model of concurrency. They describe the behaviour of a system in terms of events and dependency relations between such events. Throughout the paper Λ denotes a fixed set of labels ranged over by a, b, c, . . .

Definition 1 (prime event structure). A (Λ-labelled) prime event structure (pes) is a tuple E = ⟨E, ≤, #, λ⟩, where E is a set of events, λ : E → Λ is a labelling function and ≤, # are binary relations on E, called causality and conflict respectively, such that:
1. ≤ is a partial order and ⌈e⌉ = {e′ ∈ E | e′ ≤ e} is finite for all e ∈ E;
2. # is irreflexive, symmetric and hereditary with respect to ≤, i.e., for all e, e′, e′′ ∈ E, if e # e′ ≤ e′′ then e # e′′.

In the following, we will assume that the components of an event structure E are named as in the definition above. Subscripts carry over to the components.

Definition 2 (consistency, concurrency). Let E be a pes. We say that e, e′ ∈ E are consistent, written e ⌢ e′, if ¬(e # e′). Moreover, we say that e and e′ are concurrent, written e ∥ e′, if ¬(e ≤ e′), ¬(e′ ≤ e) and ¬(e # e′).

Causality and concurrency will sometimes be used on sets of events. Given X ⊆ E and e ∈ E, by X < e we mean that for all e′ ∈ X, e′ < e. Similarly X ∥ e, resp. X ⌢ e, means that for all e′ ∈ X, e′ ∥ e, resp. e′ ⌢ e. We write ⌈X⌉ for ⋃_{e∈X} ⌈e⌉. The idea of (concurrent) computation is captured, in event structures, by the notion of configuration.

Definition 3 (configuration). Let E be a pes. A (finite) configuration in E is a (finite) subset of events C ⊆ E, pairwise consistent and closed w.r.t. causality (i.e., ⌈C⌉ = C). The set of finite configurations of E is denoted by C(E).
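Definitions 1–3 can be made concrete with a small Python sketch. The class name, event names and encoding below are our own illustrative assumptions, not the paper's; configurations are enumerated by brute force, which is fine for tiny examples:

```python
from itertools import chain, combinations

class PES:
    """A finite prime event structure: events, causality (as <= pairs),
    an irreflexive symmetric conflict, and a labelling."""
    def __init__(self, events, leq, conflict, label):
        self.events = set(events)
        self.leq = set(leq) | {(e, e) for e in self.events}   # reflexive closure
        self.conflict = set(conflict) | {(f, e) for (e, f) in conflict}
        self.label = dict(label)

    def consistent(self, xs):
        return all((e, f) not in self.conflict for e in xs for f in xs)

    def causally_closed(self, xs):
        return all(d in xs for e in xs for d in self.events if (d, e) in self.leq)

    def configurations(self):
        """All finite configurations C(E): pairwise consistent,
        causally closed subsets of events (Definition 3)."""
        subsets = chain.from_iterable(
            combinations(sorted(self.events), k)
            for k in range(len(self.events) + 1))
        return [frozenset(s) for s in subsets
                if self.consistent(s) and self.causally_closed(s)]

# A two-event pes where the a-labelled event causes the b-labelled one.
seq = PES({"ea", "eb"}, {("ea", "eb")}, set(), {"ea": "a", "eb": "b"})
print(sorted(map(sorted, seq.configurations())))  # [[], ['ea'], ['ea', 'eb']]
```

Note that {eb} alone is not a configuration: it is consistent, but not causally closed, since its cause ea is missing.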
Hereafter, unless explicitly stated otherwise, all configurations will be assumed to be finite. A pairwise consistent subset X ⊆ E of events will always be seen as the pomset (partially ordered multiset) (X, ≤X, λX), where ≤X and λX are the restrictions of ≤ and λ to X. Given X, Y ⊆ E we will write X ∼ Y if X and Y are isomorphic as pomsets.

Definition 4 (pomset transition and step). Let E be a pes and let C ∈ C(E). Given ∅ ≠ X ⊆ E, if C ∩ X = ∅ and C′ = C ∪ X ∈ C(E) we write C −X→ C′ and call it a pomset transition from C to C′. When the events in X are pairwise concurrent, we say that C −X→ C′ is a step. When X = {e} we write C −e→ C′ instead of C −{e}→ C′.

A pes E is called image finite if for any C ∈ C(E) and a ∈ Λ, the set of events {e ∈ E | C −e→ C′ ∧ λ(e) = a} is finite. All the pess considered in this paper will be assumed to be image finite. As commonly happens when relating modal logics and bisimilarities, this assumption is crucial for getting the logical characterisation of the various bisimulation equivalences in Section 4.

2.2 Concurrent Behavioural Equivalences
Behavioural equivalences which capture to some extent the concurrency features of a system can be defined on the transition system where states are configurations and transitions are pomset transitions.

Definition 5 (pomset, step bisimulation). Let E1, E2 be pess. A pomset bisimulation is a relation R ⊆ C(E1) × C(E2) such that if (C1, C2) ∈ R and C1 −X1→ C1′ then C2 −X2→ C2′, with X1 ∼ X2 and (C1′, C2′) ∈ R, and vice versa. We say that E1, E2 are pomset bisimilar, written E1 ∼p E2, if there exists a pomset bisimulation R such that (∅, ∅) ∈ R. Step bisimulation is defined analogously, replacing general pomset transitions with steps. We write E1 ∼s E2 when E1 and E2 are step bisimilar.

While pomset and step bisimilarity only consider the causal structure of the current step, (hereditary) history preserving bisimilarities are sensitive to the way in which the executed events depend on events in the past. In order to define history preserving bisimilarities the following definition is helpful.

Definition 6 (posetal product). Given two pess E1, E2, the posetal product of their configurations, denoted C(E1) ×̄ C(E2), is defined as {(C1, f, C2) : C1 ∈ C(E1), C2 ∈ C(E2), f : C1 → C2 isomorphism}. A subset R ⊆ C(E1) ×̄ C(E2) is called a posetal relation. We say that R is downward closed when for any (C1, f, C2), (C1′, f′, C2′) ∈ C(E1) ×̄ C(E2), if (C1, f, C2) ⊆ (C1′, f′, C2′) pointwise and (C1′, f′, C2′) ∈ R, then (C1, f, C2) ∈ R.
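The pomset transitions and steps of Definition 4 can be enumerated by brute force on a finite pes. The toy encoding and function names below are ours; the causality relation is given as a set of pairs assumed transitively closed:

```python
from itertools import combinations

# Toy encoding (ours): a pes is (events, leq_pairs, conflict_pairs, labels).
def is_config(events, leq, conflict, C):
    return (all((e, f) not in conflict for e in C for f in C)
            and all(d in C for e in C for (d, e2) in leq if e2 == e))

def pomset_transitions(pes, C):
    """All X with C --X--> C' (Definition 4): X nonempty, disjoint from C,
    and C union X again a configuration."""
    events, leq, conflict, _ = pes
    rest = sorted(events - C)
    return [set(X) for k in range(1, len(rest) + 1)
            for X in combinations(rest, k)
            if is_config(events, leq, conflict, C | set(X))]

def is_step(pes, X):
    """X is a step when its events are pairwise concurrent:
    no causality and no conflict within X."""
    _, leq, conflict, _ = pes
    return all(e == f or ((e, f) not in leq and (f, e) not in leq
                          and (e, f) not in conflict and (f, e) not in conflict)
               for e in X for f in X)

seq = ({"ea", "eb"}, {("ea", "eb")}, set(), {"ea": "a", "eb": "b"})  # a causes b
par = ({"ea", "eb"}, set(), set(), {"ea": "a", "eb": "b"})           # a, b concurrent

print(sorted(sorted(X) for X in pomset_transitions(seq, frozenset())))
# [['ea'], ['ea', 'eb']]
print(is_step(seq, {"ea", "eb"}), is_step(par, {"ea", "eb"}))  # False True
```

From the empty configuration, {ea, eb} is a pomset transition of both pess, but it is a step only in the concurrent one.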
Definition 7 ((hereditary) history preserving bisimulation). A history preserving (hp-)bisimulation is a posetal relation R ⊆ C(E1) ×̄ C(E2) such that if (C1, f, C2) ∈ R and C1 −e1→ C1′ then C2 −e2→ C2′, with (C1′, f[e1 ↦ e2], C2′) ∈ R, and vice versa. We say that E1, E2 are history preserving (hp-)bisimilar and write E1 ∼hp E2 if there exists an hp-bisimulation R such that (∅, ∅, ∅) ∈ R. A hereditary history preserving (hhp-)bisimulation is a downward closed hp-bisimulation. The fact that E1, E2 are hereditary history preserving (hhp-)bisimilar is denoted E1 ∼hhp E2.
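The step variant of Definition 5 admits a naive decision procedure on finite pess: compute the greatest fixpoint over pairs of configurations, matching steps by their multisets of labels. The encoding and the two sample pess (a|b versus a.b + b.a, which are interleaving-equivalent but not step bisimilar) are our own illustrative assumptions:

```python
from itertools import combinations

# Toy encoding (ours): a pes is (events, leq_pairs, conflict_pairs, labels).
def is_config(events, leq, conflict, C):
    return (all((e, f) not in conflict for e in C for f in C)
            and all(d in C for e in C for (d, e2) in leq if e2 == e))

def configs(pes):
    events, leq, conflict, _ = pes
    subs = [frozenset(s) for k in range(len(events) + 1)
            for s in combinations(sorted(events), k)]
    return [C for C in subs if is_config(events, leq, conflict, C)]

def steps(pes, C):
    """Step transitions from C: nonempty sets of pairwise concurrent,
    fresh events whose addition yields a configuration again."""
    events, leq, conflict, _ = pes
    out = []
    for k in range(1, len(events - C) + 1):
        for X in combinations(sorted(events - C), k):
            conc = all(e == f or ((e, f) not in leq and (f, e) not in leq)
                       for e in X for f in X)
            if conc and is_config(events, leq, conflict, C | set(X)):
                out.append(frozenset(X))
    return out

def step_bisimilar(p1, p2):
    """Greatest fixpoint over pairs of configurations; steps are matched
    by their multisets of labels."""
    lab = lambda p, X: tuple(sorted(p[3][e] for e in X))
    R = {(C1, C2) for C1 in configs(p1) for C2 in configs(p2)}
    changed = True
    while changed:
        changed = False
        for (C1, C2) in list(R):
            fwd = all(any(lab(p1, X1) == lab(p2, X2) and (C1 | X1, C2 | X2) in R
                          for X2 in steps(p2, C2)) for X1 in steps(p1, C1))
            bwd = all(any(lab(p1, X1) == lab(p2, X2) and (C1 | X1, C2 | X2) in R
                          for X1 in steps(p1, C1)) for X2 in steps(p2, C2))
            if not (fwd and bwd):
                R.discard((C1, C2))
                changed = True
    return (frozenset(), frozenset()) in R

# a|b versus a.b + b.a: only a|b can perform the step {a, b}.
par  = ({"a1", "b1"}, set(), set(), {"a1": "a", "b1": "b"})
sum_ = ({"a1", "b1", "a2", "b2"}, {("a1", "b1"), ("b2", "a2")},
        {("a1", "b2"), ("a1", "a2"), ("b1", "b2"), ("b1", "a2")},
        {"a1": "a", "b1": "b", "a2": "a", "b2": "b"})
print(step_bisimilar(par, par), step_bisimilar(par, sum_))  # True False
```

Since the procedure enumerates all subsets of events, it is exponential and is meant only to illustrate the definition on tiny examples, not to be a practical algorithm.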
3 A Logic for True Concurrency
In this section we introduce the syntax and the semantics of our logic, where formulae predicate about events in computations and their dependencies as primitive concepts. The logic is interpreted over pess, but it could be equivalently interpreted over any formalism with a notion of event, causality and consistency. As a first step we define a quite general syntax and the semantics of the two distinctive operators. Our logic for concurrency will then be obtained by filtering out formulae which do not satisfy a suitable well-formedness condition. In order to keep the notation simple, lists of variables like x1, . . . , xn will be denoted by x and, abusing the notation, lists will sometimes be used as sets.

Definition 8 (syntax). Let Var be a denumerable set of variables ranged over by x, y, z, . . . The syntax of the formulae over the set of labels Λ is defined as follows:

ϕ ::= (x, y < a z) ϕ | ⟨z⟩ ϕ | ϕ ∧ ϕ | ¬ϕ | ⊤

The operator (x, y < a z) acts as a binder for variable z, as clarified by the following notion of free variables in a formula.

Definition 9 (free variables). The set of free variables of a formula ϕ is denoted fv(ϕ) and is inductively defined by:

fv((x, y < a z) ϕ) = (fv(ϕ) \ {z}) ∪ x ∪ y    fv(⟨z⟩ ϕ) = fv(ϕ) ∪ {z}
fv(ϕ1 ∧ ϕ2) = fv(ϕ1) ∪ fv(ϕ2)    fv(¬ϕ) = fv(ϕ)    fv(⊤) = ∅
The satisfaction of a formula is defined with respect to a configuration, representing the state of the computation. Moreover a partial function η : Var → E, called an environment, is fixed in order to bind the free variables of ϕ to events.

Definition 10 (semantics). Let E = ⟨E, ≤, #, λ⟩ be a pes. For C ∈ C(E) a configuration, ϕ a formula and η : Var → E an environment such that fv(ϕ) ⊆ dom(η), satisfaction E, C |=η ϕ is defined as follows:

E, C |=η (x, y < a z) ϕ   if there is e ∈ E \ C such that λ(e) = a and C ⌢ e, η(x) < e, η(y) ∥ e, and E, C |=η′ ϕ, where η′ = η[z ↦ e];

E, C |=η ⟨z⟩ ϕ   if C −η(z)→ C′ and E, C′ |=η ϕ.
The semantics of propositional connectives is defined as usual. We say that a pes E satisfies a closed formula ϕ, written E |= ϕ, when E, ∅ |=∅ ϕ. Intuitively, the formula (x1 . . . xn, y1 . . . ym < a z) ϕ holds in C if in the future of such a configuration there is an a-labelled event e and, binding e to the variable z, the formula ϕ holds. Such an event is required to be caused (at least) by the events already bound to x1 . . . xn, and to be independent (at least) from those bound to y1 . . . ym. We stress that the event e might not be currently enabled; it is only required to be consistent with the current configuration, meaning that it could be enabled in the future of the current configuration. The formula ⟨z⟩ ϕ says that the event bound to z is currently enabled, hence it can be executed, producing a new configuration which satisfies formula ϕ. To simplify the notation we write (a z) ϕ when both variable lists in the binder are empty, and we often omit the trailing ⊤ at the end of formulae.
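The two clauses of Definition 10 can be prototyped directly. Below is an illustrative Python evaluator; the formula encoding, helper names and the two sample pess are our own assumptions, not the paper's. Formulae are nested tuples, with ("bind", xs, ys, a, z, phi) for (x, y < a z)ϕ and ("exec", z, phi) for ⟨z⟩ϕ; the causality pairs are assumed transitively closed:

```python
def sat(pes, C, env, phi):
    events, leq, conflict, label = pes
    def lt(d, e):                      # strict causality d < e
        return d != e and (d, e) in leq
    def cons(d, e):                    # consistency: no conflict either way
        return (d, e) not in conflict and (e, d) not in conflict
    def conc(d, e):                    # concurrency: no causality, no conflict
        return d != e and not lt(d, e) and not lt(e, d) and cons(d, e)
    op = phi[0]
    if op == "true":
        return True
    if op == "not":
        return not sat(pes, C, env, phi[1])
    if op == "and":
        return sat(pes, C, env, phi[1]) and sat(pes, C, env, phi[2])
    if op == "bind":                   # a future a-labelled event, consistent
        _, xs, ys, a, z, body = phi    # with C, caused by xs, independent of ys
        return any(label[e] == a
                   and all(cons(c, e) for c in C)
                   and all(lt(env[x], e) for x in xs)
                   and all(conc(env[y], e) for y in ys)
                   and sat(pes, C, {**env, z: e}, body)
                   for e in events - C)
    if op == "exec":                   # the event bound to z is enabled: run it
        _, z, body = phi
        e = env[z]
        enabled = (e not in C and all(cons(c, e) for c in C)
                   and all(d in C for d in events if lt(d, e)))
        return enabled and sat(pes, C | {e}, env, body)
    raise ValueError(op)

seq = ({"ea", "eb"}, {("ea", "eb")}, set(), {"ea": "a", "eb": "b"})  # a causes b
par = ({"ea", "eb"}, set(), set(), {"ea": "a", "eb": "b"})           # a, b concurrent

causal = ("bind", [], [], "a", "x", ("exec", "x",
          ("bind", ["x"], [], "b", "y", ("exec", "y", ("true",)))))
concur = ("bind", [], [], "a", "x", ("exec", "x",
          ("bind", [], ["x"], "b", "y", ("exec", "y", ("true",)))))
print(sat(seq, frozenset(), {}, causal), sat(seq, frozenset(), {}, concur))  # True False
print(sat(par, frozenset(), {}, causal), sat(par, frozenset(), {}, concur))  # False True
```

The formula asserting a b causally after an a holds only on the sequential pes, while the one asserting a b independent of the executed a holds only on the concurrent one, mirroring the examples discussed below.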
d
a /o /o c E1
b < /o /o o/ d
~ ~>`
a
E7
E8
a
b
b
a
155
` ` b E9
Fig. 2.
Example 1 (Interleaving vs. True concurrency). As a first example, consider the pess E6 and E7 in Fig. 2. They are equated by interleaving equivalences and kept distinct by any true-concurrent equivalence. The formula ϕ1 = (⟨a x⟩ ⊗ ⟨b y⟩) is true only on E7, while ϕ2 = ⟨a x⟩⟨x < b y⟩ is true only on E6.

Example 2 (Dependent vs. Independent Events). The need of considering both causal dependency and independency in the binding operator of our logic is exemplified below. Consider the pess E6 and E8 in Fig. 2. They are distinguished by any true-concurrent equivalence, but since they have the same causal structure, in order to pinpoint how they differ, the logic must be able to express the presence of two concurrent events: indeed E8 |= ⟨a x⟩ ⊗ ⟨b y⟩, while E6 ⊭ ⟨a x⟩ ⊗ ⟨b y⟩. On the other hand, expressing causal dependencies between events is essential to distinguish, for instance, the pess E7 and E9. These are equated by step bisimulation and distinguished by any equivalence which observes causality, e.g., pomset bisimulation.

Example 3 (Conflicting Futures). Consider the following two pess, which can be proved to be hp-bisimilar but not hhp-bisimilar:

[two pess diagrams, not recoverable from this extraction]
Intuitively, they differ since the causes of the c-labelled and d-labelled events are in conflict in the first pes and independent in the second one. This is captured by the formula ϕ = ((a x) ⊗ (b y))((x < c z1) ∧ (y < d z2)), which is satisfied only by the rightmost pes. Notice that the formula ϕ exploits the ability of the logic L of quantifying over events in conflict with previously bound events: formula ϕ is satisfied in the rightmost pes by binding x and y to the rightmost a-labelled and b-labelled events; then both z1 and z2 are bound to events which are in conflict with either x or y. For this, the possibility of quantifying over an event without executing it is essential: the formula ϕ′ = (⟨a x⟩ ⊗ ⟨b y⟩)((x < c z1) ∧ (y < d z2)) would be false in both pess, since the execution of the first two events leads to a configuration that is not further extensible. As a final example, consider the two CCS processes P = a|(b+c) + a|b + b|(a+c) and Q = a|(b+c) + b|(a+c). They contain no causal dependencies, but they exhibit a different interplay between concurrency and branching. Accordingly,
the corresponding pess can be proved to be hp-bisimilar but not hhp-bisimilar. Intuitively, this difference comes from the fact that only the process P includes two concurrent events a and b such that, independently from their execution order, no c-labelled event will be enabled. Such a difference can be expressed in L by the formula ((a x) ⊗ (b y))(¬(x < c z) ∧ ¬(y < c z′)), which is satisfied only by the pes corresponding to P.
4 A Logical Characterisation of Concurrent Equivalences
In this section we study the logical equivalences induced by fragments of L. We have already argued that no formula in L distinguishes the pess a and a#a, hence the logical equivalence induced by L is surely coarser than isomorphism. We next show that the logical equivalence induced by L is hhp-bisimilarity. Moreover, we identify suitable fragments of L corresponding to coarser equivalences.

Theorem 1 (hhp-bisimilarity). Let E1 and E2 be pess. Then E1 ∼hhp E2 iff E1 ≡L E2.

4.1 From Hennessy-Milner Logic to HP-Logic
Hhp-bisimilarity is the finest equivalence in the spectrum of true concurrent equivalences in [2]. Coarser equivalences such as step, pomset and hp-bisimilarity can be captured by suitable fragments of L summarised in Fig. 3, which can be viewed as the logical counterpart of the true concurrent spectrum. Interestingly, in each of these fragments, after predicating the existence of an event we must execute it. As a consequence, differently from what happens in the full logic, in the fragments it is impossible to refer to events in conflict with already observed events. Intuitively, behavioural equivalences up to hp-bisimilarity observe events only by executing them. Hence they cannot fully capture the interplay between concurrency and branching, which is indeed distinctive of hhp-equivalence.
HM Logic (LHM):     ϕ ::= ⟨a x⟩ ϕ | ϕ ∧ ϕ | ¬ϕ | ⊤
Step Logic (Ls):    ϕ ::= (⟨a1 x1⟩ ⊗ · · · ⊗ ⟨an xn⟩) ϕ | ϕ ∧ ϕ | ¬ϕ | ⊤
Pomset Logic (Lp):  ϕ ::= ⟨x, y < a z⟩ ϕ | ¬ϕ | ϕ ∧ ϕ | ⊤, where ¬, ∧ are used only on closed formulae
HP Logic (Lhp):     ϕ ::= ⟨x, y < a z⟩ ϕ | ¬ϕ | ϕ ∧ ϕ | ⊤

Fig. 3. Fragments corresponding to behavioral equivalences
Hennessy-Milner Logic. A first simple observation is that Hennessy-Milner logic can be recovered as the fragment of L where only the derived modality ⟨a x⟩ϕ (with no references to causally dependent/concurrent events) is allowed. In words, whenever we state the existence of an enabled event we are forced to execute it. Moreover, since no dependencies can be expressed, the bound variable x is irrelevant. The induced logical equivalence is thus bisimilarity [3] (recall that we consider only image finite pess).

Step logic. A fragment Ls corresponding to step bisimilarity naturally arises as a generalisation of HM logic, where we can refer to sets of concurrently enabled events. More precisely, as shown in Fig. 3, Ls is the fragment of L where only the derived modality ⟨a1 x1⟩ ⊗ · · · ⊗ ⟨an xn⟩ is used, allowing us to predicate on the possibility of performing a parallel step, but without any reference to causal dependencies. Note that all formulae in Ls are closed, and thus environments are irrelevant in their semantics (as are the names of the bound variables). As an example, consider the two pess E6 and E7 in Fig. 2. They are bisimilar but not step bisimilar, since only E7 can execute the step consisting of a and b; accordingly, the formula ⟨a⟩ ⊗ ⟨b⟩ in Ls is true only on E7.

Theorem 2 (step bisimilarity). Let E1 and E2 be pess. Then E1 ∼s E2 iff E1 ≡Ls E2.

Pomset logic. The logic Lp for pomset bisimilarity consists of a fragment of L which essentially predicates about the possibility of executing pomset transitions. Even in Lp the events must be immediately executed when quantified, but it is now possible to refer to dependencies between events. However, propositional connectives (negation and conjunction) can be used only on closed formulae. Intuitively, in this logic closed formulae characterize the execution of a pomset.
Then, the requirement that the propositional operators are used only on closed (sub)formulae prevents pomset transitions from being causally linked to the events in the past. These ideas are formalised by the results below, starting with a lemma showing that the execution of a pomset can be characterized as a formula in Lp.

Definition 14 (pomsets as formulae in Lp). Let px = ({x1, . . . , xn}, ≤px, λpx) be a labelled poset, whose elements {x1, . . . , xn} are variables ordered by ≤px. Given a formula ϕ ∈ Lp, we denote by ⟨⟨px⟩⟩ ϕ the formula inductively defined as follows. If px is empty then ⟨⟨px⟩⟩ ϕ = ϕ. If px = px′ ∪ {x}, where x is maximal with respect to ≤px, then, letting y = {x′ ∈ px′ | x′ ≤px x}, z = px′ \ y, and λpx(x) = a, we set ⟨⟨px⟩⟩ ϕ = ⟨⟨px′⟩⟩ ⟨y, z < a x⟩ϕ.

Lemma 1 (pomsets in Lp). Let E be a pes and let C ∈ C(E) be a configuration. Given a labelled poset px = ({x1, . . . , xn}, ≤px, λpx), then E, C |=η ⟨⟨px⟩⟩ ϕ iff C −X→ C′, where X = {e1, . . . , en} is a pomset such that X ∼ px and E, C′ |=η′ ϕ, with η′ = η[x1 ↦ e1, . . . , xn ↦ en].
As an example, consider the two pess E7 and E9 in Fig. 2. They are step bisimilar but not pomset bisimilar, since only the second one can execute the pomset ({a, b}, a < b). Accordingly, the formula ϕ = ⟨a x⟩⟨x < b y⟩ in Lp is satisfied only by E9.

Theorem 3 (pomset bisimilarity). Let E1 and E2 be pess. Then E1 ∼p E2 iff E1 ≡Lp E2.

History preserving logic. The fragment Lhp corresponding to hp-bisimilarity is essentially the same as pomset logic, where we relax the condition about closedness of the formulae the propositional connectives are applied to. Intuitively, in this way a formula ϕ ∈ Lhp, besides expressing the possibility of executing a pomset px, also predicates about its dependencies with previously executed events (bound to the free variables of ϕ). The two pess below can be proved to be pomset equivalent but not hp-equivalent:

[two pess diagrams, not recoverable from this extraction]
Intuitively, they allow the same pomset transitions, but they have a different “causal branching”. Indeed, only in the leftmost pes, after the execution of an a-labelled event, can we choose between an independent and a dependent b-labelled event. Formally, the formula ⟨a x⟩(⟨x < b y⟩ ∧ ⟨x̄ < b z⟩) in Lhp, where the overline marks independence from x, is true only on the leftmost pes.

Theorem 4 (hp-bisimilarity). Let E1 and E2 be pess. Then E1 ∼hp E2 iff E1 ≡Lhp E2.
5 Conclusions: Related and Future Work
We have introduced a logic for true concurrency which allows us to predicate on events in computations and their mutual dependencies (causality and concurrency). The logic subsumes standard HM logic and provides a characterisation of the most widely known true concurrent behavioural equivalences: hhp-bisimilarity is the logical equivalence induced by the full logic, and suitable fragments are identified which induce hp-bisimilarity, pomset and step bisimilarity. As we mentioned in the introduction, there is a vast literature relating logical and operational views of true concurrency; however, to the best of our knowledge, a uniform logical counterpart of the true concurrent spectrum is still missing. An exhaustive account of the related literature is impossible; we just recall here the approaches that most closely relate to our work. In [5,15,16] the causal structure of concurrent systems is pushed into the logic. The paper [5] considers modalities which describe pomset transitions, thus providing an immediate characterization of pomset bisimilarity. Moreover, [5,15,16] show that by tracing the history of states and adding the possibility of reverting
pomset transitions, one obtains an equivalence coarser than hp-bisimilarity and incomparable with pomset bisimilarity, called weak hp-bisimilarity. (We remark that, despite its name, weak hp-bisimilarity is not related to silent actions.) Our logic intends to be more general by also capturing the interplay between concurrency and branching, which is not observable at the level of hp-bisimilarity. A recent line of work [8,9] introduces a fixpoint modal logic for true concurrent models, called Separation Fixpoint Logics (SFL). This includes modalities which specify the execution of an action causally dependent/independent on the last executed one. Moreover, a “separation operator” deals with concurrently enabled actions. The fragment of the logic without the separation operator is shown to capture hp-bisimilarity, while the full logic induces an equivalence which lies in between hp- and hhp-bisimilarity, still being decidable for finite state systems. The approach of [8,9] is inspired by the so-called Independence-Friendly Modal Logic (IFML) [13], which includes a modality allowing one to specify that the currently executed action is independent from a number of previously executed ones. In this sense IFML is similar in spirit to our logic. However, most of the equivalences induced by fragments of IFML are not standard in the true concurrent spectrum; a deeper comparison with this approach remains an interesting open issue. Several classical papers have considered temporal logics with modalities corresponding to the “retraction” or “backward” execution of computations. In particular, [10,11,12] study a so-called path logic with a future perfect (also called past tense) modality: @a ϕ is true when ϕ holds in a state which can reach the current one with an a-transition. When interpreted over transition systems with independence, in the absence of auto-concurrency, the logic characterises hhp-bisimilarity.
In [10] it is shown that, taking auto-concurrency into account, the result can be extended at the price of complicating the logic (roughly, the logic needs an operator to undo a specific action performed in the past). Compared to these works, the main novelty of our approach resides in the fact that the logic L provides a characterisation of the different equivalences in a simple, unitary logical framework. In order to reinforce this view, we intend to pursue a formal comparison with the logics for concurrency introduced in the literature. It is easy to see that the execution modalities of [8,9] can be encoded in L, since they only refer to the last executed event, while the formulae in L can refer to any event executed in the past. On the other hand, the “separation operator” of [8,9], as well as the backward modalities mentioned above (past tense, future perfect, reverting pomset transitions), are not immediately encodable in L. A deeper investigation would be of great help in shedding further light on the truly concurrent spectrum. Moreover, L suggests an alternative, forward-only, operational definition of hhp-bisimulation, which could be inspiring also for other reverse bisimulations [17]. As a byproduct of such an investigation, we foresee the identification of interesting extensions of the concurrent spectrum, both at the logical and at the operational side. For instance, a preliminary investigation suggests that the fragment of L where only events consistent with the current environment can be
quantified induces an equivalence which admits a natural operational definition and lies in between hp- and hhp-bisimilarity, still being different from the equivalences in [8,9]. Moreover, the logic in its present form only allows us to describe properties of finite, bounded computations. A more powerful specification logic, well-suited for describing properties of unbounded, possibly infinite computations, can be obtained by enriching L with some form of recursion. In particular, from some first experiments, the idea of “embedding” our logic into a first order modal mu-calculus in the style of [18,19] seems promising. For this purpose, also the fixpoint extension of the Independence-Friendly Modal Logic in [20] could be inspiring. The resulting logic would allow us to express nontrivial causal properties, like “any a action can always be followed by a causally related b action in at most three steps”, or “an a action can always be executed in parallel with a b action”. Connected to this, model-checking and decidability issues are challenging directions of future investigation (see [21] for a survey focussed on partial order temporal logics). It is known that hhp-bisimilarity is undecidable, even for finite state systems [22], while hp-bisimilarity is decidable. Characterising decidable fragments of the logic could be helpful in drawing a clearer separation line between decidability and undecidability of concurrent equivalences. A promising direction is to impose a bound on the “causal depth” of the future which the logic can quantify on. In this way one gets a chain of equivalences, coarser than hhp-bisimilarity, which should be closely related to the n-hhp bisimilarities introduced and shown to be decidable in [23]. As for verification, we aim at investigating the automata-theoretic counterpart of the logic. In previous papers, hp-bisimilarity has been characterised in automata-theoretic terms using HD-automata [6] or Petri nets [7].
It seems that HD-automata [6] could provide a suitable automata counterpart of the fragment Lhp. Also the game-theoretical approach proposed in [8,9] for the fixpoint separation logic can be a source of inspiration.
References 1. van Glabbeek, R.: The linear time – branching time spectrum I; the semantics of concrete, sequential processes. In: Handbook of Process Algebra, pp. 3–99. Elsevier, Amsterdam (2001) 2. van Glabbeek, R., Goltz, U.: Reﬁnement of actions and equivalence notions for concurrent systems. Acta Informatica 37(4/5), 229–327 (2001) 3. Hennessy, M., Milner, R.: Algebraic laws for nondeterminism and concurrency. Journal of the ACM 32, 137–161 (1985) 4. Winskel, G., Nielsen, M.: Models for concurrency. In: Handbook of logic in Computer Science, vol. 4. Clarendon Press, Oxford (1995) 5. De Nicola, R., Ferrari, G.: Observational logics and concurrency models. In: Veni Madhavan, C.E., Nori, K.V. (eds.) FSTTCS 1990. LNCS, vol. 472, pp. 301–315. Springer, Heidelberg (1990) 6. Montanari, U., Pistore, M.: Minimal transition systems for historypreserving bisimulation. In: Reischuk, R., Morvan, M. (eds.) STACS 1997. LNCS, vol. 1200, pp. 413–425. Springer, Heidelberg (1997)
7. Vogler, W.: Deciding history preserving bisimilarity. In: Leach Albert, J., Monien, B., Rodríguez-Artalejo, M. (eds.) ICALP 1991. LNCS, vol. 510, pp. 495–505. Springer, Heidelberg (1991) 8. Gutierrez, J., Bradfield, J.C.: Model-checking games for fixpoint logics with partial order models. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 354–368. Springer, Heidelberg (2009) 9. Gutierrez, J.: Logics and bisimulation games for concurrency, causality and conflict. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 48–62. Springer, Heidelberg (2009) 10. Nielsen, M., Clausen, C.: Games and logics for a noninterleaving bisimulation. Nordic Journal of Computing 2(2), 221–249 (1995) 11. Bednarczyk, M.A.: Hereditary history preserving bisimulations or what is the power of the future perfect in program logics. Technical report, Polish Academy of Sciences (1991) 12. Hennessy, M., Stirling, C.: The power of the future perfect in program logics. Information and Control 67(1-3), 23–52 (1985) 13. Bradfield, J., Fröschle, S.: Independence-friendly modal logic and true concurrency. Nordic Journal of Computing 9(1), 102–117 (2002) 14. Winskel, G.: Event Structures. In: Brauer, W., Reisig, W., Rozenberg, G. (eds.) APN 1986. LNCS, vol. 255, pp. 325–392. Springer, Heidelberg (1987) 15. Pinchinat, S., Laroussinie, F., Schnoebelen, P.: Logical characterization of truly concurrent bisimulation. Technical Report 114, LIFIA-IMAG, Grenoble (1994) 16. Cherief, F.: Back and forth bisimulations on prime event structures. In: Etiemble, D., Syre, J.C. (eds.) PARLE 1992. LNCS, vol. 605, pp. 843–858. Springer, Heidelberg (1992) 17. Phillips, I., Ulidowski, I.: Reverse bisimulations on stable configuration structures. In: Proc. of SOS 2009. Electronic Proceedings in Theoretical Computer Science, vol. 18, pp. 62–76 (2010) 18. Dam, M.: Model checking mobile processes. Information and Computation 129(1), 35–51 (1996) 19.
Dam, M., Fredlund, L.˚ A., Gurov, D.: Toward parametric veriﬁcation of open distributed systems. In: de Roever, W.P., Langmaack, H., Pnueli, A. (eds.) COMPOS 1997. LNCS, vol. 1536, pp. 150–185. Springer, Heidelberg (1998) 20. Bradﬁeld, J., Kreutzer, K.: The complexity of independencefriendly ﬁxpoint logic. In: Ong, L. (ed.) CSL 2005. LNCS, vol. 3634, pp. 355–368. Springer, Heidelberg (2005) 21. Penczek, W.: Branching time and partial order in temporal logics. In: Time and Logic: A Computational Approach, pp. 179–228. UCL Press, London (1995) 22. Jurdzinski, M., Nielsen, M., Srba, J.: Undecidability of domino games and hhpbisimilarity. Information and Computation 184(2), 343–368 (2003) 23. Fr¨ oschle, S., Hildebrandt, T.: On plain and hereditary historypreserving bisimulation. In: Kutylowski, M., Wierzbicki, T., Pacholski, L. (eds.) MFCS 1999. LNCS, vol. 1672, pp. 354–365. Springer, Heidelberg (1999)
A Theory of Design-by-Contract for Distributed Multiparty Interactions⋆

Laura Bocchi1, Kohei Honda2, Emilio Tuosto1, and Nobuko Yoshida3

1 University of Leicester   2 Queen Mary University of London   3 Imperial College London
Abstract. Design-by-Contract (DbC) promotes reliable software development through the elaboration of type signatures for sequential programs with logical predicates. This paper presents an assertion method, based on the π-calculus with full recursion, which generalises the notion of DbC to multiparty distributed interactions, enabling effective specification and verification of distributed multiparty protocols. Centring on global assertions and their projections onto endpoint assertions, our method allows clear specifications for typed sessions, constraining the content of the exchanged messages, the choice of sub-conversations to follow, and invariants on recursions. The paper presents the key theoretical foundations of this framework, including a sound and relatively complete compositional proof system for verifying processes against assertions.
1 Introduction

This paper introduces an assertion method for specifying and verifying distributed multiparty interactions, drawing ideas from a framework known as Design-by-Contract (DbC), which is widely used in practice for sequential computation [13,18]. DbC [25] specifies a contract between a user and a sequential program by elaborating the type signature of the program with pre/post-conditions and invariants. Instead of saying "the method fooBar should be invoked with a string and an integer: then it will return (if ever) another string", DbC allows us to say "the method fooBar should be invoked with a string representing a date d between 2007 and 2008 and an integer n less than 1000: then it will (if ever) return a string representing the date n days after d". A type signature describes a basic shape of how a program can interact with other programs, stipulating its key interface to other components, which may be developed by other programmers. By associating signatures with logical predicates, DbC enables a highly effective framework for specifying, validating and managing systems' behaviour, usable throughout all phases of software development [21,23,28]. As a modelling and programming practice, DbC encourages engineers to make contracts among software modules precise [14,25], and to build a system on the basis of these contracts. The traditional DbC-based approaches are, however, limited to the type signatures of sequential procedures. A typical distributed application uses interaction scenarios that are
⋆ This work is partially supported by EPSRC EP/F003757, EP/F002114, EP/G015635 and EP/G015481, and by the Leverhulme Trust Award "Tracing Networks".
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 162–176, 2010. © Springer-Verlag Berlin Heidelberg 2010
Fig. 1. The assertion method: (0) add predicates to a global type, obtaining a global assertion G; (1) check that G is well-asserted; (2) project G, obtaining a well-asserted endpoint assertion Ti for each role; (3a) refine Ti to Ti′ to suit the asserted process Pi; (3b) validate Pi against Ti′.
much more complex than, say, request-reply. To build a theory that extends the core idea of DbC to distributed applications, we consider a generalised notion of type signature for distributed interactions centring on abstraction units called sessions. A session consists of a structured series of message exchanges among multiple participants. Each session follows a stipulated protocol, given as a type called a session type [3,19,20], which prescribes a conversation scenario among its participants. Two or more sessions can interleave in a single endpoint. For example, a session for electronic commerce will run interleaved with one for the financial transaction paying for it. The communications of a distributed application are articulated as a collection of such sessions. On this basis, we introduce a theory of assertions for distributed interactions centring on global assertions. A global assertion specifies a contract for the participants in a multiparty session by elaborating a session type with logical predicates. A session type only specifies a skeletal protocol: it does not, for example, refer to constraints on message values beyond their types. Just as in the traditional DbC, the use of logical predicates allows us to specify more refined protocols regarding, among others, the content of messages, how the choice of sub-conversations is made based on preceding interactions, and what invariants are to be obeyed in recursive interactions. The key ideas are presented in Figure 1, which we illustrate below. (0,1) A specification for a multiparty session is given as a global assertion G, namely a protocol structure annotated with logical predicates. A minimal semantic criterion, well-assertedness of G (§3.1), characterises specifications that are consistent with respect to the temporal flow of events, avoiding unsatisfiable specifications.
(2) G is projected onto the endpoints, yielding one endpoint assertion (Ti) for each participant, specifying the behavioural responsibility of that endpoint (§4). The consistency of the endpoint assertions is automatically guaranteed once the original global assertion is checked to be well-asserted. (3) Asserted processes, modelled with the π-calculus1 annotated with predicates (§5.1), are verified against endpoint assertions (§5.2) through a sound and relatively
1 For the sake of a simpler presentation, the present paper does not treat name passing in full generality, except for private channel passing in session initiation. The theory however can incorporate these elements, as explained in Section 7.
Fig. 2. Global assertion for the protocol, with predicates A = {p_vo ≥ 100}, A1 = {vo ≥ 100}, A2 = {vo > p_vo}, A3 = {vo = vp}, A4 = {true}: within a recursion μt⟨100⟩(p_vo : Int){A}, Buyer sends vo : Int {A1} to Seller; Seller selects either hag (recursing with t⟨vo⟩, guarded by A2) or ok; in the latter case vp : Int {A3} and va : Bool {A4} are exchanged.
complete compositional proof system (§6). Completeness, proved through the generation of principal formulae, yields a relative decision procedure for satisfiability. Our contributions include an algorithmic validation of the consistency of global assertions (Prop. 3.2 and 4.3); semantic foundations of global assertions through labelled transitions (Prop. 6.3 and 6.4); and a compositional proof system for validating processes against assertions (Theorem 6.5), leading to predicate error freedom (Theorem 6.6), which ensures that a process will meet its obligations provided the remaining parties meet theirs. Theorem 6.7 is completeness. §7 concludes with further results and related work.
2 DbC for Distributed Multiparty Interactions

The theory we present centres on the notion of global assertion. A global assertion uses logical formulae to prescribe, for each interaction specified in the underlying session type, what the sending party must guarantee, and dually what the receiving party can rely on. Concretely:

1. Each message exchange in a session is associated with a predicate which constrains the values carried in the message (e.g., "the quantity on the invoice from seller to buyer equals the quantity on the order");
2. Each branch in a session is associated with a predicate which constrains the selection of that branch (e.g., "seller chooses the 'sell' option for a product if the ordered quantity does not exceed the stock");
3. Each recursion in a session is associated with an invariant representing an obligation to be maintained by all parties at each repetition of the recursion (e.g., "while negotiating, seller and buyer keep the price per unit above a fixed threshold").

As an illustration, Figure 2 describes a simple multiparty session among the participants Buyer, Seller, and Bank, exchanging messages whose content is represented by the interaction variables vo, vp (of type Int) and va (of type Bool). Buyer asynchronously sends an offer vo, then Seller selects either to recursively restart the negotiation (hag) or to accept the offer (ok). In the latter case, Buyer instructs Bank to make a payment vp. Finally, Bank sends Seller an acknowledgement va. The recursion parameter p_vo is initially set to 100 and, upon recursive invocation, it takes the value that vo had in the previous recursive invocation. This allows us to compare the current content of vo with
the one of the previous recursion instance (cf. A2 below). In Figure 2, the recursion invariant A states that p_vo is always greater than or equal to 100; Buyer guarantees A1, upon which, dually, Seller relies; by A2, Buyer has to increase the price during the negotiation until an agreement is reached; the value of the (last) offer and the payment must be equal by A3, while A4 does not constrain va.
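To make the contract concrete, the exchange of Figure 2 can be mimicked as a runtime-checked loop. The following Python sketch is our own illustration, not the paper's formalism: the function name and the encoding of Buyer's offers as a list are hypothetical, and each `assert` plays the role of one predicate check.

```python
# Our own illustration (not from the paper): the Fig. 2 protocol as a
# runtime-checked loop. A failed assert corresponds to a contract
# violation by the party that had to guarantee the predicate.

def negotiate(offers, payment):
    p_vo = 100                       # recursion parameter, initially 100
    for i, vo in enumerate(offers):  # Buyer -> Seller : k1 <vo>
        assert p_vo >= 100           # recursion invariant A
        assert vo >= 100             # A1: Buyer's guarantee on the offer
        if i < len(offers) - 1:      # Seller selects 'hag': keep haggling
            assert vo > p_vo         # A2: the offer strictly increases
            p_vo = vo                # t<vo>: recurse with updated p_vo
        else:                        # Seller selects 'ok'
            vp = payment             # Buyer -> Bank : k3 <vp>
            assert vp == vo          # A3: payment equals the final offer
            va = True                # Bank -> Seller : k4 <va> (A4 = true)
            return va

assert negotiate([120, 150, 200], payment=200) is True
```

Dropping, say, the payment to 150 while the last offer is 200 would trip the A3 check, which is exactly the kind of violation the static validation of §5 rules out in advance.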
3 Global Assertions

We use the syntax of logical formulae, often called predicates, as follows:

A, B ::= e1 = e2 | e1 ≤ e2 | φ(e1, …, en) | A ∧ B | ¬A | ∃v.A

where ei ranges over expressions (which do not include channels) and φ over predefined atomic predicates with fixed arities and types [24, §2.8]. We denote the set of free variables of A by var(A), and similarly for var(e). We fix a model of the predicates, called the underlying logic, for which we assume the validity of closed formulae to be decidable.

Global assertions (ranged over by G, G′, …) elaborate the global session types of [20] with logical formulae. The syntax is given below, where p, p′, … are participants, k, k′, … are channels, u, v, … are interaction variables, and S, S′, … are sorts:

G ::= p → p′ : k (ṽ : S̃){A}. G′              interaction
    | p → p′ : k {{A_j} l_j : G_j}_{j∈J}      branching
    | μt⟨ẽ⟩(ṽ : S̃){A}. G′                   recursive assertion
    | t⟨ẽ⟩                                    recursion instantiation
    | G, G′                                   composition
    | end                                      termination

Interaction p → p′ : k (ṽ : S̃){A}.G′ describes a communication between a sender p and a receiver p′ via the k-th session channel (k is a natural number), followed by G′. The variables in the vector ṽ are called interaction variables and bind their occurrences in A and G′; interaction variables are sorted by sorts S (Bool, Int, …) that denote types for first-order message values. The predicate A constrains the content of ṽ: the sender p guarantees A and the receiver p′ relies on A (as in the rely-guarantee paradigm [22]). Branching p → p′ : k {{A_j} l_j : G_j}_{j∈J} allows the selector p to send to participant p′, through k, a label li from {l_j}_{j∈J} (J is a finite set of indexes) provided p guarantees Ai (upon which p′ can rely). Once li is selected, Gi is to be executed by all parties.

Recursive assertion μt⟨ẽ⟩(ṽ : S̃){A}.G′ (cf. [11]; t is an assertion variable) specifies how a recursive session, which may be repeated arbitrarily many times, is to be carried out through interactions among participants. The formal parameters ṽ are a vector of pairwise distinct variables sorted by a vector of sorts S̃ of the same length (each vi in ṽ has sort Si of S̃); ṽ binds its free occurrences in A. The initialisation vector ẽ denotes the initial values for the recursion, each ei instantiating vi in ṽ. The recursion invariant A specifies the condition that must be obeyed at each recursion instantiation; a recursion instantiation, of the form t⟨ẽ⟩, is to be guarded by prefixes, i.e. the underlying recursive types should be contractive. A recursive assertion can be unfolded to an infinite tree, as in the equi-recursive view of recursive types [30]. Composition G, G′ represents the parallel interactions specified by G and G′, while end represents termination. Sorts and trailing occurrences of end are often omitted. We write p ∈ G when p occurs in G. For the sake of simplicity we avoid linearity-check [3] by assuming that each channel in G is used (maybe repeatedly) only between two parties: one party for input/branching and the other for output/selection.
Example 3.1 (Global Assertions). The protocol described in §2 is modelled by

Gneg = μt⟨100⟩(p_vo : Int){A}.
          Buyer → Seller : k1 (vo : Int){A1}.
          Seller → Buyer : k2 {{A2} hag : t⟨vo⟩, {true} ok : Gok}
Gok  = Buyer → Bank : k3 (vp : Int){A3}. Bank → Seller : k4 (va : Bool){A4}. end

where k1, k2, k3, and k4 are channels and the recursion parameter p_vo (initially set to 100) denotes the offer of Buyer in the previous recursion instance.

3.1 Well-Asserted Global Assertions

When setting up global assertions as a contract among multiple participants, we should prevent inconsistent specifications, such as those in which it is logically impossible for a participant to meet the specified obligations. Below we give two constraints on the predicates of global assertions that guarantee consistency. Let I(G) be the set of variables occurring in G; a participant p knows v ∈ I(G) if v occurs in an interaction of G involving p (this relation can be computed effectively, see [31]). I(G)↾p denotes the set of variables of G that p ∈ G knows.

History-sensitivity. A predicate guaranteed by a participant p can only contain those interaction variables that p knows.

Temporal-satisfiability. For each possible set of values satisfying A and for each predicate A′ appearing after A, it is possible to find values satisfying A′.

Consider the following examples:

pA → pB : k1 (v : Int){true}. pB → pC : k2 (v′ : Int){true}. pC → pA : k3 (z : Int){z > v}. end
pA → pB : k1 (v : Int){v ≤ 10}. pB → pA : k2 (z : Int){v < z ∧ z < 6}. end

The first global assertion violates history-sensitivity, since pC has to send z such that z > v without knowing v. The second global assertion violates temporal-satisfiability, because if pA sends v = 6, which satisfies v ≤ 10, then pB will not be able to find a value satisfying 6 < z ∧ z < 6. Assertions satisfying history-sensitivity and temporal-satisfiability are called well-asserted assertions. For the formal definitions, including inductive rules to check well-assertedness, see [31].

Proposition 3.2 (Well-assertedness). Checking well-assertedness of a given global assertion is decidable if the underlying logic is decidable.
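History-sensitivity can be checked mechanically by tracking which variables each participant has seen so far. The sketch below is our own encoding, not the paper's inductive rules: the flat list-of-steps representation and all names are assumptions made for illustration.

```python
# Hypothetical checker (our own encoding, not the paper's algorithm):
# history-sensitivity over a flat list of interactions. Each step is
# (sender, receiver, bound_vars, vars_used_in_the_predicate).

def history_sensitive(steps):
    knows = {}                                   # participant -> known vars
    for sender, receiver, bound, used in steps:
        # the sender must know every variable its predicate mentions
        if not set(used) <= knows.get(sender, set()) | set(bound):
            return False
        for p in (sender, receiver):             # both parties learn `bound`
            knows.setdefault(p, set()).update(bound)
    return True

# First example from the text: pC guarantees z > v without knowing v.
bad = [("pA", "pB", ["v"], []),
       ("pB", "pC", ["v2"], []),
       ("pC", "pA", ["z"], ["z", "v"])]
good = [("pA", "pB", ["v"], []),
        ("pB", "pA", ["z"], ["z", "v"])]
assert not history_sensitive(bad)
assert history_sensitive(good)
```

Temporal-satisfiability is not a syntactic scan like this: it requires reasoning in the underlying logic (e.g., discharging ∀/∃ obligations with a solver), which is why Proposition 3.2 is stated relative to the decidability of that logic.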
4 Endpoint Assertions and Projection

Endpoint assertions, ranged over by T, T′, …, specify the behavioural contract of a session from the perspective of a single participant. The grammar is given as follows:

T ::= k!(ṽ : S̃){A}; T               send
    | k?(ṽ : S̃){A}; T               receive
    | k ⊕ {{A_j} l_j : T_j}_{j∈J}    selection
    | k & {{A_j} l_j : T_j}_{j∈J}    branching
    | μt⟨ẽ⟩(ṽ : S̃){A}.T            recursion
    | t⟨ẽ⟩                           instantiation
    | end                             termination

In k!(ṽ : S̃){A}; T, the sender guarantees that the values sent via k (denoted by the S̃-sorted variables ṽ) satisfy A, and then behaves as T; dually for the receiver k?(ṽ : S̃){A}; T.
In k ⊕ {{A_j} l_j : T_j}_{j∈J} the selector guarantees A_j when choosing l_j on k; dually, k & {{A_j} l_j : T_j}_{j∈J} states that A_j can be assumed when branching at k on the label l_j. Assertion μt⟨ẽ⟩(ṽ : S̃){A}.T constrains the parameters ṽ of type S̃, which initially take the values ẽ; the invariant of the recursion is A.

The projection of a predicate A on a participant p, written A↾p, existentially quantifies all the variables of A that p does not know, and is defined as ∃V_ext.A where V_ext = var(A) \ (I(G)↾p). Also, ẽ↾p denotes the expressions e_i in ẽ such that var(e_i) ⊆ I(G)↾p. The projection function in Definition 4.1 maps global assertions, predicates and participants to endpoint assertions.

Definition 4.1 (Projection). Given G and A, the projection of G for a participant p wrt A is denoted by G↾_A p and, assuming p1 ≠ p2, is recursively defined as follows.
A j l j : T j iI states that A j can be assumed when branching at k on a label l j . Assertion µt e˜ v˜ : S˜ A.T constrains parameters v˜ of type S˜ which initially take values e; ˜ the invariant of the recursion is A. The projection of predicate A on participant p, written A p, existentially quantifies all the variables of A that p does not know, and is defined as Vext A where Vext varAI G p. Also, e˜ p are the expressions in e˜ including only such that varei I G p. The projection function in Definition 4.1 maps global assertions, predicates and participants to endpoint assertions. Definition 4.1 (Projection). Given G and A, the projection of G for a participant p wrt A is denoted by G Ap and, assuming p1 p2 , recursively defined as follows.
k!v˜ : S˜A.G Ap A if p 1 p1 p2 : k v˜ : S˜A.G k?v˜ : S˜A AP p.G Ap A if p G Ap A otw A A k Aili : Gi p i I 2 p1 p2 : k Ai li : Gi i I Ap k&Ai êAP pli : Gi Ap êA i I G1 Ap A Gi Ap A A
P
AP p
3 G1 , G2 Ap
P
Gi p end
4 µte˜v˜ : S˜A.G Ap 5 te˜ Ap te˜ p P
P
i P
P
P
P
P
p1 p2
P
i P
j I
P
j
j I
j
j 1, 2 µte˜ pv˜ p : SA p.G Ap
if p if p
p1 p2
otw
if p Gi and p G j , i if p G1 and p G2
P
6 end Ap
P
end
If no side condition applies, G↾_A p is undefined. The projection of G on p, denoted G↾p, is given as G↾_true p. In (1), value-passing interactions are projected. For a send, the projection of a predicate A consists of A itself. Notice that if G is well-asserted then p1 knows all variables in A (i.e., A↾p1 = A). For a receive, it is not sufficient to verify the non-violation of the current predicate only. Consider the following well-asserted global assertion:

Seller → Buyer : k1 (cost : Int){cost < 10}. Buyer → Bank : k2 (pay : Int){pay = cost}. end

The predicate pay = cost is meaningless to Bank, since Bank does not know cost; rather, the projection on Bank should be k2?(pay : Int){∃cost.(cost < 10 ∧ pay = cost)}, which incorporates the constraint between Buyer and Seller. Thus (1) projects all the past predicates, incorporating the constraints on interactions in which p2 does not participate while hiding, through existential quantification, the variables p2 does not know. This makes (1) the strongest precondition, i.e. it is satisfied iff p2 receives a legal message, avoiding the burden of defensive programming (e.g. the programmer of Bank can concentrate on the case pay < 10). In (2), the "otw" case says the projection must be the same for all branches. In (3), each participant is in at most a single global assertion, to ensure that each local assertion is single-threaded. In (4), the projection to p is the recursive assertion itself with its predicate projected on p by existential quantification; similarly in (5).
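The existential quantification performed by the projection can be illustrated by brute force over a toy finite domain. The sketch below is our own illustration: the paper's underlying logic is abstract, the domain and names are assumptions, and a real implementation would discharge the ∃-formulae with a solver rather than by enumeration.

```python
# Hypothetical sketch: projecting the accumulated predicate
# cost < 10 /\ pay = cost onto Bank by existentially quantifying cost,
# mirroring k2?(pay:Int){Exists cost.(cost < 10 /\ pay = cost)}.

DOMAIN = range(-50, 50)                     # toy finite Int domain

def project(pred, hidden_vars, env):
    """Exists hidden_vars . pred, checked by brute force over DOMAIN."""
    if not hidden_vars:
        return pred(env)
    v, rest = hidden_vars[0], hidden_vars[1:]
    return any(project(pred, rest, {**env, v: n}) for n in DOMAIN)

accumulated = lambda env: env["cost"] < 10 and env["pay"] == env["cost"]

# Bank does not know cost, so it is quantified away; what remains is
# effectively the constraint pay < 10.
bank_view = lambda pay: project(accumulated, ["cost"], {"pay": pay})
assert bank_view(5) and not bank_view(12)
```

This is exactly the "strongest precondition" reading in the text: Bank's check succeeds iff the received pay could have come from some legal cost.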
Example 4.2 (Projection). The projection of Gneg (Example 3.1) on Seller is

Tsel = μt⟨100⟩(p_vo : Int){p_vo ≥ 100}; k1?(vo : Int){B}; T2
T2   = k2 ⊕ {{vo > p_vo} hag : t⟨vo⟩, {true} ok : Tok}
Tok  = Gok ↾ Seller = k4?(va : Bool){B′}

where B = p_vo ≥ 100 ∧ vo ≥ 100 and B′ = ∃vp.(B ∧ vo = vp).
Well-assertedness can be defined on endpoint assertions as for global assertions, characterising the same two principles discussed in §3.1.

Proposition 4.3 (Projections). Let G be a well-asserted global assertion. Then, for each p ∈ G, if G↾p is defined then G↾p is also well-asserted.
5 Compositional Validation of Processes

5.1 The π-Calculus with Assertions

We use the π-calculus with multiparty sessions [20, §2], augmented with predicates for checking (both outgoing and incoming) communications. The grammar of asserted processes, or simply processes (P, Q, …), is given below:

P ::= a[2..n](s̃).P                 request
    | a[p](s̃).P                    accept
    | s!(ẽ)(ṽ){A}; P              send
    | s?(ṽ){A}; P                  receive
    | s ⊕ {A} l; P                  select
    | s & {{A_i} l_i : P_i}_{i∈I}   branch
    | if e then P else Q            conditional
    | P | Q                         parallel
    | (νa)P                         hide
    | μX⟨ẽ t̃⟩(ṽ s̃).P            rec def
    | X⟨ẽ s̃⟩                      rec call
    | 0                             idle

P_rt ::= P  |  (νs̃)P_rt  |  P_rt | P_rt  |  s : h̃  |  errH  |  errT
e    ::= n  |  e = e′  |  …
n    ::= a  |  true  |  false  |  …
h    ::= l  |  ñ  |  s̃
The first group defines programs. a[2..n](s̃).P multicasts a session-initiation request to each a[p](s̃).P (with 2 ≤ p ≤ n) by multiparty synchronisation through a shared name a. Send, receive, and selection, all through a session channel s, are associated with a predicate; branch associates a predicate with each label. The others are standard. Runtime processes P_rt extend programs with runtime constructs. A process s : h1..hn represents messages in transit through a session channel s, assuming asynchronous in-order delivery as in TCP, with each h_i denoting either a branching label or a vector of sessions/values. The empty queue is written s : ∅. Processes errH and errT denote two kinds of runtime assertion violation: errH (for "error here") indicates a predicate violation by the process itself, and errT ("error there") a violation by the environment.

Example 5.1 (Seller's Process). We set Buyer, Seller, Bank to be participants 1, 2, 3 and define a process implementing the global assertion Gneg of Examples 3.1 and 4.2 as Pneg = a[2,3](s̃).P1 | a[2](s̃).P2 | a[3](s̃).P3. Let us focus on the Seller:

P2 = μX⟨100, s̃⟩(p_vo, s̃). s1?(vo){B}; Q2
Q2 = if e then s2 ⊕ hag; X⟨vo, s̃⟩ else s2 ⊕ ok; Pok    where Pok = s4?(va){B′}; 0

where B and B′ are as in Example 4.2, s̃ = s1, .., s4, and Q2 uses a policy e to select a branch (e.g., e = vo ≤ 200 ∧ vo > p_vo).
[R-LINK]    a[2..n](s̃).P1 | a[2](s̃).P2 | … | a[n](s̃).Pn → (νs̃)(P1 | P2 | … | Pn | s1 : ∅ | … | sn : ∅)
[R-SEND]    s!(ẽ)(ṽ){A}; P | s : h̃ → P[ñ/ṽ] | s : h̃·ñ            (ẽ ↓ ñ and A[ñ/ṽ] ↓ true)
[R-RECV]    s?(ṽ){A}; P | s : ñ·h̃ → P[ñ/ṽ] | s : h̃               (A[ñ/ṽ] ↓ true)
[R-BRANCH]  s & {{A_i} l_i : P_i}_{i∈I} | s : l_j·h̃ → P_j | s : h̃  (j ∈ I and A_j ↓ true)
[R-SELECT]  s ⊕ {A} l; P | s : h̃ → P | s : h̃·l                     (A ↓ true)
[R-IF]      if e then P else Q → P (e ↓ true);    if e then P else Q → Q (e ↓ false)

[R-SEND ERR]    s!(ẽ)(ṽ){A}; P → errH                               (ẽ ↓ ñ and A[ñ/ṽ] ↓ false)
[R-RECV ERR]    s?(ṽ){A}; P | s : ñ·h̃ → errT | s : h̃              (A[ñ/ṽ] ↓ false)
[R-BRANCH ERR]  s & {{A_i} l_i : P_i}_{i∈I} | s : l_j·h̃ → errT | s : h̃   (j ∈ I and A_j ↓ false)
[R-SELECT ERR]  s ⊕ {A} l; P → errH                                  (A ↓ false)

Fig. 3. Reduction: non-error cases (top) and error cases (bottom)
The reduction rules with predicate checking are given in Figure 3; they generate → by closing the induced relation under | and ν and by taking terms modulo the standard structural equality2 [20]. The satisfaction of a predicate is checked at each communication action: send, receive, selection and branching, where we write A ↓ true (resp. ẽ ↓ ñ) for a closed formula A (resp. expression ẽ) when it evaluates to true (resp. ñ). When initiating a session, [R-LINK] establishes the session through multiparty synchronisation, generating queues and hiding all session channels. The remaining rules are standard, modelling communications in a session via queues [3,20].

5.2 Validation Rules

For validation, we use judgements of the form C; Γ ⊢ P ▷ Δ, which reads: "under C and Γ, process P is validated against Δ". Here, C is an assertion environment, which incrementally records the conjunction of predicates; hereafter, Γ ⊢ P ▷ Δ abbreviates true; Γ ⊢ P ▷ Δ. Γ is a global assertion assignment, a finite function mapping shared names to well-asserted global assertions and process variables to the specifications of their parameters (we write Γ ⊢ a : G when Γ assigns G to a, and Γ ⊢ X : (ṽ : S̃)(T1@p1 … Tn@pn) when Γ maps X to the vector of endpoint assertions T1@p1 … Tn@pn using the variables ṽ sorted by S̃). Δ is an endpoint assertion assignment, which maps the channels of each session, say s̃, to a well-asserted endpoint assertion located at a participant, say T@p. The validation rules are given in Figure 4. In each rule, we assume all occurring (global/endpoint) assertions to be well-asserted. The rules validate the process against assertions, simultaneously annotating processes with the interaction predicates from endpoint assertions. We illustrate the key rules. Rule [SND] validates that participant p sends values ẽ on session channel k, provided that ẽ satisfy the predicate under the current assertion environment; and that the
2 The structural equality includes μX⟨ẽ⟩(ṽ s̃1 … s̃n).P ≡ P{μX(ṽ s̃1 … s̃n).P / X}[ẽ/ṽ], where X⟨ẽ s̃⟩{μX(ṽ s̃1 … s̃n).P / X} is defined as μX⟨ẽ s̃⟩(ṽ s̃1 … s̃n).P.
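The queue-based error rules of Figure 3 can be illustrated by a minimal interpreter fragment. The Python sketch below is our own encoding (the function names and the string results are hypothetical): a violated send predicate yields errH, since the fault lies with the process itself, while a violated predicate on an incoming message yields errT, blaming the environment.

```python
# Hypothetical interpreter fragment (our encoding, not the paper's):
# the [R-SEND]/[R-RECV] rules over an explicit per-channel FIFO queue.

from collections import deque

queues = {"s": deque()}

def send(chan, value, pred):            # [R-SEND] / [R-SEND ERR]
    if not pred(value):
        return "errH"                   # the process itself is at fault
    queues[chan].append(value)
    return "ok"

def recv(chan, pred):                   # [R-RECV] / [R-RECV ERR]
    value = queues[chan].popleft()
    if not pred(value):
        return "errT", None             # the environment is at fault
    return "ok", value

assert send("s", 7, lambda v: v > 0) == "ok"
assert recv("s", lambda v: v < 10) == ("ok", 7)
assert send("s", -1, lambda v: v > 0) == "errH"
```

Theorem 6.6 below says that for validated processes these runtime checks never fire, so they can in principle be erased.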
C ⊃ A[ẽ/ṽ]    Γ ⊢ ẽ : S̃    C; Γ ⊢ P[ẽ/ṽ] ▷ Δ, s̃ : T[ẽ/ṽ]@p
──────────────────────────────────────────────────────────────── [SND]
C; Γ ⊢ s_k!(ẽ)(ṽ : S̃){A}; P ▷ Δ, s̃ : k!(ṽ : S̃){A}; T @p

C ∧ A; Γ, ṽ : S̃ ⊢ P ▷ Δ, s̃ : T@p
──────────────────────────────────────────────────────────────── [RCV]
C; Γ ⊢ s_k?(ṽ : S̃){A}; P ▷ Δ, s̃ : k?(ṽ : S̃){A}; T @p

C ⊃ A_j    C; Γ ⊢ P ▷ Δ, s̃ : T_j@p    (j ∈ I)
──────────────────────────────────────────────────────────────── [SEL]
C; Γ ⊢ s_k ⊕ {A_j} l_j; P ▷ Δ, s̃ : k ⊕ {{A_i} l_i : T_i}_{i∈I} @p

C ∧ A_i; Γ ⊢ P_i ▷ Δ, s̃ : T_i@p    (∀i ∈ I)
──────────────────────────────────────────────────────────────── [BRA]
C; Γ ⊢ s_k & {{A_i} l_i : P_i}_{i∈I} ▷ Δ, s̃ : k & {{A_i} l_i : T_i}_{i∈I} @p

C; Γ ⊢ P ▷ Δ, s̃ : (Γ(a)↾1)@1                 C; Γ ⊢ P ▷ Δ, s̃ : (Γ(a)↾p)@p    (p ≠ 1)
───────────────────────────── [MCAST]        ───────────────────────────── [MACC]
C; Γ ⊢ a[2..n](s̃).P ▷ Δ                      C; Γ ⊢ a[p](s̃).P ▷ Δ

C ∧ e; Γ ⊢ P ▷ Δ    C ∧ ¬e; Γ ⊢ Q ▷ Δ        C; Γ ⊢ P ▷ Δ    C; Γ ⊢ Q ▷ Δ′        Δ end only
───────────────────────────── [IF]           ───────────────────────────── [CONC]  ──────────── [IDLE]
C; Γ ⊢ if e then P else Q ▷ Δ                C; Γ ⊢ P | Q ▷ Δ, Δ′                  C; Γ ⊢ 0 ▷ Δ

C; Γ, a : G ⊢ P ▷ Δ    a ∉ fn(C, Γ, Δ)       C′; Γ ⊢ P ▷ Δ′    C ⊃ C′    Δ′ ≼ Δ
───────────────────────────── [HIDE]         ───────────────────────────── [CONSEQ]
C; Γ ⊢ (νa : G)P ▷ Δ                         C; Γ ⊢ P ▷ Δ

T1[ẽ/ṽ], …, Tn[ẽ/ṽ] well-asserted and well-typed under Γ, ṽ : S̃
──────────────────────────────────────────────────────────────── [VAR]
C; Γ, X : (ṽ : S̃)(T1@p1 .. Tn@pn) ⊢ X⟨ẽ s̃1 .. s̃n⟩ ▷ s̃1 : T1[ẽ/ṽ]@p1, .., s̃n : Tn[ẽ/ṽ]@pn

C; Γ, X : (ṽ : S̃)(T1@p1 .. Tn@pn) ⊢ P ▷ s̃1 : T1@p1, .., s̃n : Tn@pn
──────────────────────────────────────────────────────────────── [REC]
C; Γ ⊢ μX⟨ẽ s̃1 .. s̃n⟩(ṽ s̃1 .. s̃n).P ▷ s̃1 : T1[ẽ/ṽ]@p1, .., s̃n : Tn[ẽ/ṽ]@pn

Fig. 4. Validation rules for program phrases
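The logical premise of rule [SND], C ⊃ A[ẽ/ṽ], is an entailment in the underlying logic. The sketch below is our own toy illustration of discharging such a premise by exhaustive evaluation over a small finite domain; a real tool would call an SMT solver, and the predicates used (the hag guard vo > p_vo from §2) are taken only as an example.

```python
# Hypothetical sketch: checking the [SND]/[SEL] premise C implies A
# by brute force over a toy finite domain (a real validator would use
# an SMT solver for the underlying logic).

DOM = range(0, 300)

def entails(c, a):                      # C implies A over all valuations
    return all(a(x) for x in DOM if c(x))

# Seller's 'hag' selection: under the branch condition e (here assumed
# to include vo > p_vo for a fixed p_vo = 100) the guard holds; under
# the bare invariant vo >= 100 it need not.
p_vo = 100
C_then = lambda vo: vo >= 100 and vo > p_vo      # branch condition taken
A_hag = lambda vo: vo > p_vo
assert entails(C_then, A_hag)
assert not entails(lambda vo: vo >= 100, A_hag)
```

The second assertion shows why rule [IF] extends the environment with e: without the branch condition, the selection guard is not entailed.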
continuation is valid once ṽ is replaced by ẽ. Dually, rule [RCV] validates a value input against the continuation of the endpoint assertion under the extended assertion environment C ∧ A (i.e., after the input, the process can rely on A for the received values). Rules [SEL] and [BRA] are similar. Rules [MACC] and [MCAST], for session acceptance and request, validate the continuation against the projection of the global assertion onto that participant (n is the number of participants in G and p is one of them). Rule [IF] validates a conditional against Δ if each branch is validated against the same Δ, under the extended environment C ∧ e or C ∧ ¬e, as in the corresponding rule of Hoare logic. As in the underlying typing [20], rule [CONC] takes the disjoint union of two channel environments, and rule [IDLE] takes a Δ which contains only end endpoint assertions. Rule [HIDE] is standard, assuming a is not specified in C. Rule [CONSEQ] uses the refinement relation ≼ on endpoint assertions: if T ≼ T′, then T specifies a more refined behaviour than T′, in that T strengthens the predicates for send/selection, so it emits/selects less, and weakens those for receive/branching, so it can receive/accept more. Example 5.2 illustrates this intuition.

Example 5.2 (Refinement). Below, the endpoint assertion Ts refines Tw (i.e., Ts ≼ Tw):

Ts = k1!(v : Int){v > 10}; k2?(z : Int){z > 0}; k3 & {{true} l1 : T1, {v > 100} l2 : T2}
Tw = k1!(v : Int){v > 0}; k2?(z : Int){z > 10}; k3 & {{v > 100} l1 : T1}

Ts has a stronger obligation on the sent value v and a weaker reliance on the received value z, while Ts makes a weaker assumption at l1 and offers one additional branch. The formal definition is in [31], where we also show that the refinement relation ≼ is decidable if we restrict the use of recursive assertions so that only those of identical shape are compared, which suffices in many practical settings.
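The implications behind ≼ in Example 5.2 can be spot-checked mechanically. The following sketch is our own illustration, brute-forcing the implications over a bounded integer domain (a real refinement checker would reason symbolically).

```python
# Hypothetical refinement check for the first two prefixes of Ts and Tw,
# over a toy finite domain: on a send, the refined predicate must imply
# the weaker one (emit less); on a receive, the weaker predicate must
# imply the refined one (accept more).

DOM = range(-200, 200)

def implies(p, q):
    return all(q(x) for x in DOM if p(x))

ts_send, tw_send = (lambda v: v > 10), (lambda v: v > 0)
ts_recv, tw_recv = (lambda z: z > 0), (lambda z: z > 10)

assert implies(ts_send, tw_send)     # stronger obligation on sent v
assert implies(tw_recv, ts_recv)     # weaker reliance on received z
assert not implies(tw_send, ts_send)
```

The branching case follows the same input-side direction as the receive: Ts's {true} at l1 accepts every selection that Tw's {v > 100} does.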
Rule [VAR] validates an instantiation of X with expressions against the result of performing the corresponding substitutions over the endpoint assertions associated to X (in the environment). In [REC], a recursion is validated if the recursion body P is validated against the given endpoint assertions for its zero or more sessions, under the same endpoint assumptions assigned to the process variable X. The validity of this rule hinges on the partial-correctness nature of the semantics of the judgement.

Example 5.3 (Validating the Seller Process). We validate the Seller part of Pneg in Example 5.1 using Tsel from Example 4.2. We focus on one branch of Q2 in Pneg and associate each of s1, …, s4 of Pneg to the channels k1, …, k4 of Tsel, respectively. Recall that B = p_vo ≥ 100 ∧ vo ≥ 100, A2 = vo > p_vo, and B′ = ∃vp.(B ∧ vo = vp). Below, Qok = s4?(va){B′}; 0.
[IDLE]  B ∧ ¬e ∧ B′; Γ ⊢ 0 ▷ s̃ : end@2
[RCV]   B ∧ ¬e; Γ ⊢ s4?(va){B′}; 0 ▷ s̃ : k4?(va : Bool){B′}; end @2    (i.e., B ∧ ¬e; Γ ⊢ Qok ▷ s̃ : Tok@2)
[SEL]   B ∧ ¬e; Γ ⊢ s2 ⊕ ok; Qok ▷ s̃ : k2 ⊕ {{true} ok : Tok, {A2} hag : t⟨vo⟩} @2    (using B ∧ ¬e ⊃ true)
[IF]    B; Γ ⊢ if e then s2 ⊕ hag; X⟨vo, s̃⟩ else s2 ⊕ ok; s4?(va){B′}; 0 ▷ s̃ : T2@2    (…)
[RCV]   true; Γ ⊢ s1?(vo){B}; Q2 ▷ s̃ : k1?(vo : Int){B}; T2 @2

Each judgement is derived from the one above it by the indicated rule; the (…) in the premise of [IF] indicates the omitted validation of the first branch. The interested reader may refer to [31] for a complete validation example with recursion.
6 Error-Freedom and Completeness

6.1 Semantics of Assertions

The semantics of asserted processes is formalised as a labelled transition relation using the labels

α ::= a⟨2..n⟩(s̃) | a⟨i⟩(s̃) | s!⟨ñ⟩ | s?⟨ñ⟩ | s ⊕ l | s & l | τ

for session requesting/accepting, value sending/receiving, selection, branching, and the silent action, respectively. We write P →α Q when P has a one-step transition α to Q. The transition rules are the standard synchronous ones3 except that: (i) predicates are checked at each communication action and, if a predicate is violated, for an input/branching action the process moves to errT, while for an output/selection action the process moves to errH with a τ-action; and (ii) they include the reduction semantics given in §5.1 (i.e., P → Q induces P →τ Q). The semantics of endpoint assertions is defined as another labelled transition relation, of the form (Γ, Δ) →α (Γ′, Δ′), which reads: the specification (Γ, Δ) allows the action α, with (Γ′, Δ′) as the specification for its continuation. In this transition relation, only legitimate (assertion-satisfying) actions are considered. We define the semantic counterpart of Γ ⊢ P ▷ Δ by using a simulation between the transitions of processes and those of assertions. The simulation (Definition 6.1)
3 The synchronous transition suits our present purpose, since it describes how a process places/retrieves messages at/from queues, where the message content may as well be checked.
requires an input/branching action to be simulated only for "legal" values/labels, i.e. for actions in which predicates are not violated. Intuitively, we demand conformance to a proper behaviour only if the environment behaves properly. Below we use predicate erasure to show that the validation can prevent bad behaviour even without runtime predicate checking, writing erase(P) for the result of erasing all predicates from P. Similarly, erase(Γ) and erase(Δ) erase predicates from the underlying session types, giving typing environments. P is closed if it is without free variables.

Definition 6.1 (Conditional Simulation). Let R be a binary relation whose elements relate a closed process P without errH or errT and a pair of assignments (Γ, Δ) such that erase(Γ) ⊢ erase(P) ▷ erase(Δ) in the typing rules of [20, §4]. Then R is a conditional simulation if, for each (P, (Γ, Δ)) ∈ R:

1. for each input/branching/session-input move P →α P′, (Γ, Δ) has a respective move at subj(α) (the subject of α) and, if (Γ, Δ) →α (Γ′, Δ′), then (P′, (Γ′, Δ′)) ∈ R;
2. for each output/selection/τ/session-output move P →α P′, (Γ, Δ) →α (Γ′, Δ′) for some (Γ′, Δ′) such that (P′, (Γ′, Δ′)) ∈ R.
If R is a conditional simulation, we write P ≲ (Γ, Δ) for (P, (Γ, Δ)) ∈ R.
A conditional simulation requires P to be well-typed against erase(Γ) and erase(Δ). Without this condition, the inaction 0 would conditionally simulate any Δ. This stringent condition could be dropped, but our interest is to build the assertion semantics on the basis of the underlying type discipline.

Definition 6.2 (Satisfaction). Let P be a closed program and Δ an endpoint assertion assignment. If P ≲ (Γ, Δ) then we say that P satisfies Δ under Γ, and write Γ ⊨ P ▷ Δ. Satisfaction is extended to open processes, denoted C; Γ ⊨ P ▷ Δ, by considering all closing substitutions respecting Γ and C over Δ and P.

The judgement Γ ⊨ P ▷ Δ in Definition 6.2 states that (1) P will send valid messages or selection labels; and (2) P will continue to behave well (i.e., without going into error) w.r.t. the continuation specification after each valid action in (1), as well as after receiving each valid message/label (i.e. one which satisfies the associated predicate). Satisfaction is about partial correctness: if P (is well-typed and) has no visible actions, satisfaction trivially holds.

6.2 Soundness, Error Freedom and Completeness

To prove the soundness of the validation rules, we first extend them to processes with queues, based on the corresponding typing rules in [3,20].

Proposition 6.3 (Subject Reduction). Let P be a closed program with Γ ⊢ P ▷ Δ, and suppose (Γ, Δ) →^{α1..αn} (Γ′, Δ′). Then P →^{α1..αn} P′ implies Γ′ ⊢ P′ ▷ Δ′.
The proof uses an analysis of the effects of τ-actions on endpoint assertions, observing that a reduction at free session channels changes the shape of the session typing [3,20]. Let ⊑ on assignments be the pointwise extension of the refinement relation on endpoint assertions (defined when dom(Δ) = dom(Δ′)); Proposition 6.4 says that a process satisfying a stronger specification also satisfies a weaker one. Using these results we obtain Theorem 6.5.

Proposition 6.4 (Refinement). If Γ ⊨ P ▷ Δ and Δ ⊑ Δ′ then Γ ⊨ P ▷ Δ′.
A Theory of DesignbyContract for Distributed Multiparty Interactions
Theorem 6.5 (Soundness of Validation Rules). Let P be a program. Then C; Γ ⊢ P ▷ Δ implies C; Γ ⊨ P ▷ Δ.

A direct consequence of Theorem 6.5 is the error freedom of validated processes. Below we say (Γ, Δ) allows a sequence of actions α1..αn (n ≥ 0) if for some (Γ′, Δ′) we have (Γ, Δ) −→α1..αn (Γ′, Δ′).

Theorem 6.6 (Predicate Error Freedom). Suppose P is a closed program, Γ ⊨ P ▷ Δ, and P −→α1..αn P′ such that (Γ, Δ) allows α1..αn. Then P′ contains neither errH nor errT.
The proof system is complete relative to the decidability of the underlying logic for processes without hidden shared names. We avoid name restriction since it allows us to construct a process which is semantically equivalent to the inaction if and only if the interactions starting from a hidden channel terminate. Since we can simulate arbitrary Turing machines by processes, this immediately violates completeness. In this case, non-termination produces dead code, i.e. a part of a process which exhibits no visible action, which causes a failure of completeness.⁴ For each program without hiding, we can compositionally construct its "principal assertion assignment", from which we can generate, up to ⊑, any sound assertion assignment for the process. Since the construction of principal specifications is compositional, it immediately gives an effective procedure to check ⊢, as far as this is decidable (which is relative to the underlying logic). We conclude:

Theorem 6.7 (Completeness of Validation Rules for Programs without Hiding). For each closed program P without hiding, if Γ ⊨ P ▷ Δ then Γ ⊢ P ▷ Δ. Further, Γ ⊢ P ▷ Δ is decidable relative to the decidability of the underlying logic.
7 Extensions and Related Work

Extensions to shared and session channel passing. The theory we have introduced in the preceding sections directly extends to shared channel passing and session channel passing (delegation), carrying over all formal properties. In both cases, we only have to add predicate annotations to channels in assertions as well as in asserted processes. The shape of the judgement and the proof rules do not change; similarly, the semantics of the judgement uses a conditional simulation. We obtain the same soundness result as well as completeness of the proof rules for the class of processes whose newly created channels are immediately exported. Since the presentation of such an extension would require a detailed presentation of the notion of refinement, for space constraints and simplicity of presentation we relegate it to [31].

Hennessy–Milner logic for the π-calculus. Hennessy–Milner Logic (HML) is an expressive modal logic with an exact semantic characterisation [17]. The presented theory addresses some of the key challenges in practical logical specifications for the π-calculus, unexplored in the context of HML. First, by starting from global assertions, we gain significant concision of descriptions while enjoying generality within its scope (properties of individual protocols). Previous work [2,11] shows how specifications in
⁴ Not all dead code causes a failure of completeness. For example, a dead branch in a branching/conditional does not cause this issue, since the validation rules can handle it.
L. Bocchi et al.
HML, while encompassing essentially arbitrary behavioural properties of processes, tend to be lengthy from the practical viewpoint. In this context, the direct use of HML is tantamount to reversing the methodology depicted in Figure 1 of §1: we start from endpoint specifications and later try to check their mutual consistency, which may not easily yield understandable global specifications. As another practical aspect, since ⊨ is decidable for practically important classes of assertions [31], the present theory also offers algorithmic validation methods for key engineering concerns [32], including consistency of specifications (cf. §3.1) and correctness of process behaviours with full recursion against nontrivial specifications (cf. Theorem 6.7), whose analogue may not be known for general HML formulae on the π-calculus. The use of the underlying type structures plays a crucial role. From the viewpoint of logical specifications for name passing, the present theory takes an extensional approach: we are concerned with what behaviours will unfold starting from given channels, rather than with their (in)equality [11]. While our approach does reflect recommended practices in application-level distributed programming (where the direct use of network addresses is discouraged), it is an interesting topic to study how to treat names as data, as studied in [11].

Correspondence assertions and refinement/dependent types. The work [6] combines session types with correspondence assertions. The type system can check that an assertion end L, where L is a list of values (not a logical formula), is matched by the corresponding begin effect. The use of session types to describe behavioural properties of objects and components in CORBA is studied in [33]. In another vein, the refinement types for channels (e.g. [5]) specify value dependency with logical constraints. For example, one might write ?(x : int). !(y : int){y > x} using the notations from [15,34].
It specifies a dependency at a single point (channel), and is unable to describe a constraint over a series of interactions among multiple channels. Our theory, based on multiparty sessions, can verify processes against a contract globally agreed by multiple distributed peers.

Contract-based approaches to functions and communications. Verification using theories of contracts for functional programming languages, with applications to the validation of financial contracts, is studied in [29,35]. Our theory uses the π-calculus with session types as the underlying formalism to describe contracts for distributed interactions. We observe that a contract-based approach for sequential computing is generally embeddable into the present framework (noting that function types are a special form of binary session types and that the pre/post-conditions in sequential contracts are nothing but predicates for interactions resulting from the embedding); it is an interesting subject of study to integrate these and other sequential notions of contracts into the present framework, which would enable uniform reasoning about sequential and concurrent processes. The works [8,12] use c-semirings to model constraints that specify a Service Level Agreement. It would be interesting to consider global assertions where the logical language is replaced with c-semirings. This would allow global assertions to express soft constraints, but it could affect the effectiveness of our approach. However, c-semirings do not feature negation, and the decidability of logics based on c-semirings has not been deeply investigated.
The global consistency checking is used in advanced security formalisms. In [16] a rely-guarantee technique is applied to a trust-management logic. The main technical difference is that users have to directly annotate each participant with assertions because of the absence of global assertions. In [4] cryptography is used to ensure integrity of sessions, but logical contracts are not considered. Theories of contracts for web services based on advanced behavioural types have been proposed, including those using CCS [7], the π-calculus [10], and the conversation calculus [9]. Some of the authors in this line of study focus on compliance of clients and services, often defining compliance in terms of deadlock-freedom; e.g., in [1] a type system guaranteeing a progress property of clients is defined. Our approach differs from the preceding works in its use of global assertions for elaborating the underlying type structure, combined with the associated compositional proof system. This permits us to express and enforce fine-grained contracts of choreographic scenarios. Global/endpoint assertions can express constraints over message values (including channels), branches and invariants, which cannot be represented by types alone, cf. [20]. The enriched expressiveness of specifications introduces technical challenges: in particular, consistency of specifications becomes nontrivial. The presented consistency condition for global assertions is mechanically checkable relative to the decidability of the underlying logic, and ensures that the endpoint assertions are automatically consistent when projected. On this basis a sound and relatively complete proof system is built that guarantees semantic consistency. As a different DbC-based approach to concurrency, an extension of DbC has been proposed in [27], using contracts for SCOOP [26] in order to reason about liveness properties of concurrent object-oriented systems.
The main difference of our approach from [27] is that our framework focuses on distributed message-passing systems, while [27] treats shared resources. The notion of pre/post-conditions and invariants for global assertions centring on communications, and the use of projections, are not found in [27]. The treatment of liveness in our framework is an interesting topic for further study.
References
1. Acciai, L., Boreale, M.: A type system for client progress in a service-oriented calculus. In: Degano, P., De Nicola, R., Meseguer, J. (eds.) Concurrency, Graphs and Models. LNCS, vol. 5065, pp. 625–641. Springer, Heidelberg (2008)
2. Berger, M., Honda, K., Yoshida, N.: Completeness and logical full abstraction for modal logics for the typed π-calculus. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 99–111. Springer, Heidelberg (2008)
3. Bettini, L., et al.: Global Progress in Dynamically Interleaved Multiparty Sessions. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 418–433. Springer, Heidelberg (2008)
4. Bhargavan, K., Corin, R., Deniélou, P.M., Fournet, C., Leifer, J.: Cryptographic protocol synthesis and verification for multiparty sessions. In: CSF, pp. 124–140 (2009)
5. Bhargavan, K., Fournet, C., Gordon, A.D.: Modular verification of security protocol code by typing. In: POPL, pp. 445–456 (2010)
6. Bonelli, E., Compagnoni, A., Gunter, E.: Correspondence assertions for process synchronization in concurrent communications. JFP 15(2), 219–247 (2005)
7. Bravetti, M., Zavattaro, G.: A foundational theory of contracts for multiparty service composition. Fundamenta Informaticae XX, 1–28 (2008)
8. Buscemi, M., Montanari, U.: CC-Pi: A constraint-based language for specifying service level agreements. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 18–32. Springer, Heidelberg (2007)
9. Caires, L., Vieira, H.T.: Conversation types. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 285–300. Springer, Heidelberg (2009)
10. Castagna, G., Padovani, L.: Contracts for mobile processes. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 211–228. Springer, Heidelberg (2009)
11. Dam, M.: Proof systems for π-calculus logics. In: Logic for Concurrency and Synchronisation. Trends in Logic, Studia Logica Library, pp. 145–212. Kluwer, Dordrecht (2003)
12. De Nicola, R., et al.: A Basic Calculus for Modelling Service Level Agreements. In: COORDINATION 2005. LNCS, vol. 3454, pp. 33–48. Springer, Heidelberg (2005)
13. Floyd, R.W.: Assigning meaning to programs. In: Proc. Symp. in Applied Mathematics, vol. 19 (1967)
14. Frankel, D.S.: Model Driven Architecture: Applying MDA to Enterprise Computing. Wiley, Chichester (2003)
15. Freeman, T., Pfenning, F.: Refinement types for ML. SIGPLAN Not. 26(6), 268–277 (1991)
16. Guttman, J.D., et al.: Trust management in strand spaces: A rely-guarantee method. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 325–339. Springer, Heidelberg (2004)
17. Hennessy, M., Milner, R.: Algebraic laws for nondeterminism and concurrency. JACM 32(1) (1985)
18. Hoare, T.: An axiomatic basis for computer programming. CACM 12 (1969)
19. Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type disciplines for structured communication-based programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998)
20. Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: POPL, pp. 273–284. ACM, New York (2008)
21.
The Java Modeling Language (JML) Home Page
22. Jones, C.B.: Specification and design of (parallel) programs. In: IFIP Congress, pp. 321–332 (1983)
23. Leino, K.R.M.: Verifying object-oriented software: Lessons and challenges. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, p. 2. Springer, Heidelberg (2007)
24. Mendelson, E.: Introduction to Mathematical Logic. Wadsworth Inc., Belmont (1987)
25. Meyer, B.: Applying "Design by Contract". Computer 25(10), 40–51 (1992)
26. Meyer, B.: Object-Oriented Software Construction, ch. 31. Prentice Hall, Englewood Cliffs (1997)
27. Nienaltowski, P., Meyer, B., Ostroff, J.S.: Contracts for concurrency. Form. Asp. Comput. 21(4), 305–318 (2009)
28. OMG: Object Constraint Language Version 2.0 (May 2006)
29. Peyton Jones, S., et al.: Composing contracts: an adventure in financial engineering. In: ICFP, pp. 281–292. ACM, New York (2000)
30. Pierce, B.C.: Types and Programming Languages. MIT Press, Cambridge (2002)
31. Full version of this paper, http://www.cs.le.ac.uk/people/lb148/fullpaper.html
32. SAVARA JBoss Project webpage, http://www.jboss.org/savara
33. Vallecillo, A., Vasconcelos, V.T., Ravara, A.: Typing the behavior of objects and components using session types. Fundamenta Informaticæ 73(4), 583–598 (2006)
34. Xi, H., Pfenning, F.: Dependent types in practical programming. In: POPL, pp. 214–227. ACM, New York (1999)
35. Xu, D., Peyton Jones, S.: Static contract checking for Haskell. In: POPL, pp. 41–52. ACM, New York (2009)
Bisimilarity of One-Counter Processes Is PSPACE-Complete

Stanislav Böhm¹, Stefan Göller², and Petr Jančar¹

¹ Techn. Univ. Ostrava (FEI VŠB-TUO), Dept. of Computer Science, Czech Republic
² Universität Bremen, Institut für Informatik, Germany
Abstract. A one-counter automaton is a pushdown automaton over a singleton stack alphabet. We prove that the bisimilarity of processes generated by nondeterministic one-counter automata (with no ε-steps) is in PSPACE. This improves the previously known decidability result (Jančar 2000), and matches the known PSPACE lower bound (Srba 2009). We add the PTIME-completeness result for deciding regularity (i.e. finiteness up to bisimilarity) of one-counter processes.
1 Introduction

Among the various notions of behavioral equivalences of (reactive) systems, (strong) bisimilarity plays an important rôle (cf., e.g., [16]). For instance, various logics can be characterized as the bisimulation-invariant fragment of richer logics. A famous theorem due to van Benthem states that the properties expressible in modal logic coincide with the bisimulation-invariant properties expressible in first-order logic [28]. Similar characterizations have been obtained for the modal μ-calculus [8] and for CTL∗ [17]. Another important notion is weak bisimilarity, which generalizes (strong) bisimilarity by distinguishing ε-moves corresponding to internal behavior. There are numerous further notions of equivalences. For a more detailed treatment of the different behavioral equivalences in the context of concurrency theory, the reader is referred to [4]. The (weak/strong) bisimilarity problem consists in deciding if two given states of a given transition system are weakly/strongly bisimilar. On finite transition systems both weak and strong bisimilarity are well-known to be complete for deterministic polynomial time [1]. Moreover, on finite transition systems weak bisimilarity can be reduced to strong bisimilarity in polynomial time by computing the transitive closure. In the last twenty years a lot of research has been devoted to checking behavioral equivalence of infinite-state systems; see [23] for an up-to-date record. In the setting of infinite-state systems (see also [14] for Mayr's classification of infinite-state systems), the situation is less clear. There are numerous classes of infinite-state systems for which decidability of bisimilarity is not known. Three such intricate open problems are (i) weak bisimilarity on basic parallel processes (BPP, a subclass of Petri nets), (ii) strong bisimilarity of process algebras (PA), and (iii) weak bisimilarity of basic process algebras (BPA).
On the negative side, we mention undecidability of weak bisimilarity of PA by Srba [22]. On the positive side we mention an important result by Sénizergues, who
S. Böhm and P. Jančar are supported by the Czech Ministry of Education, project No. 1M0567.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 177–191, 2010. © Springer-Verlag Berlin Heidelberg 2010
shows that bisimilarity on equational graphs of finite out-degree [19] (a slight generalization of pushdown graphs) is decidable. See also Stirling's unpublished paper [25] for a shorter proof of this, using ideas from concurrency theory. For normed PA processes, Hirshfeld and Jerrum prove decidability of strong bisimilarity [7]. When focussing on the computational complexity of bisimilarity checking of infinite-state systems for which this problem is decidable, the situation becomes even worse. There are only very few classes of infinite-state systems for which the precise computational complexity is known. For instance, coming back to one of the above-mentioned positive results by Sénizergues/Stirling concerning (slight extensions of) pushdown graphs, a primitive recursive upper bound is not yet known. However, EXPTIME-hardness of this problem was proven by Kučera and Mayr [13]. As one of the few results on infinite systems where the upper and lower complexity bounds match, we can mention [10], where it is shown that bisimilarity on basic parallel processes is PSPACE-complete. In this paper we study the computational complexity of deciding strong bisimilarity over processes generated by one-counter automata. One-counter automata are pushdown automata over a singleton stack alphabet. This model has been extensively studied in the verification community; we can name, e.g., [2,5,6,3,26] as recent works. Weak bisimilarity for one-counter processes is shown to be undecidable in [15], via a reduction from the emptiness problem of Minsky machines. For strong bisimilarity the third author established decidability in [9], however without providing any precise complexity bounds. In an unpublished article [29], Yen analyses the approach of [9], deriving a triply exponential space upper bound. A PSPACE lower bound for bisimilarity is proven by Srba [24].
This lower bound already holds over one-counter automata that cannot test for zero and whose actions can moreover be restricted to be visible (so-called visibly one-counter nets), i.e., the label of the action determines whether the counter is incremented, decremented, or left unchanged. For visibly one-counter automata it is proven in [24] that strong bisimilarity is in PSPACE, via a reduction to the model-checking problem of the modal μ-calculus over one-counter processes [20]. For bisimilarity on general one-counter processes, in particular when dropping the visibility restriction, the situation is surely more involved. Our main result closes the complexity gap for bisimilarity of one-counter processes from above, thus establishing PSPACE-completeness. In a nutshell, we provide a nondeterministic algorithm, implementable in polynomial space, which generates a bisimulation relation on-the-fly. The algorithm uses a polynomial-time procedure which, given a pair p(m), q(n) of processes, either gives a definite answer 'surely bisimilar' or 'surely non-bisimilar', or declares the pair a candidate. For each fixed m there are (only) polynomially many candidates (p(m), q(n)), and the algorithm processes each m = 0, 1, 2, . . . in turn, guessing the bisimilarity status of all respective candidates and verifying the (local) consistency of the guesses. A crucial point is that it is sufficient to stop the processing after exponentially many steps, since then a certain periodicity is guaranteed which would enable the algorithm to continue successfully forever. We also consider the problem of deciding regularity (finiteness w.r.t. bisimilarity), which asks if, for a given one-counter process, there is a bisimilar state in some finite system. Decidability of this problem was proven in [9] and according to [24] it follows
from [1] and [21] that the problem is also hard for P. We give a simpler P-hardness proof, but we also show that the regularity problem is in P, thus establishing its P-completeness. It is appropriate to add that Kučera [12] showed a polynomial algorithm deciding bisimilarity between a one-counter process and a (given) finite-system state. The paper is organized as follows. Section 2 contains the basic notions and definitions, and recalls some auxiliary results. Section 3 recalls and enhances some useful notions which were used in [9] and elsewhere. Section 4 contains the crucial technical results, which enable us to replace the decision algorithm from [9] with a polynomial-space algorithm. The algorithm is elaborated in Section 5 and its correctness is shown in Section 6. Section 7 then shows PTIME-completeness of ∼-regularity.
2 Preliminaries

N denotes the set {0, 1, 2, . . .}. For a set X, by |X| we denote its cardinality.
Transition systems. A (labelled) transition system is a structure T = (S, A, {−→a | a ∈ A}), where S is a set of states, A a set of actions, and −→a ⊆ S × S is a set of a-labelled transitions, for each action a ∈ A. We define −→ = ⋃_{a∈A} −→a, and prefer to use the infix notation s1 −→a s2 (resp. s1 −→ s2) instead of (s1, s2) ∈ −→a (resp. (s1, s2) ∈ −→). T is a finite transition system if S and A are finite; we then define the size of T as |T| = |S| + |A| + Σ_{a∈A} |−→a|.
Bisimulation equivalence. Let T = (S, A, {−→a | a ∈ A}) be a transition system. A binary relation R ⊆ S × S is a bisimulation if for each (s1, s2) ∈ R the following bisimulation condition holds:

– for each s1′ ∈ S and a ∈ A with s1 −→a s1′, there is some s2′ ∈ S such that s2 −→a s2′ and (s1′, s2′) ∈ R, and
– for each s2′ ∈ S and a ∈ A with s2 −→a s2′, there is some s1′ ∈ S such that s1 −→a s1′ and (s1′, s2′) ∈ R.

We say that states s1 and s2 are bisimilar, abbreviated by s1 ∼ s2, if there is a bisimulation R containing (s1, s2). Bisimilarity ∼ is obviously an equivalence. We also note that the union of bisimulations is a bisimulation, and that ∼ is the maximal bisimulation on S. Bisimilarity is naturally defined also between states of different transition systems (by considering their disjoint union).

One-counter automata. A one-counter automaton is a tuple M = (Q, A, δ=0, δ>0), where Q is a finite nonempty set of control states, A is a finite set of actions, δ=0 ⊆ Q × {0, 1} × A × Q is a finite set of zero transitions, and δ>0 ⊆ Q × {−1, 0, 1} × A × Q is a finite set of positive transitions. (There are no ε-steps in M.) The size of M is defined as |M| = |Q| + |A| + |δ=0| + |δ>0|. Each one-counter automaton M = (Q, A, δ=0, δ>0) defines the transition system TM = (Q × N, A, {−→a | a ∈ A}), where (q, n) −→a (q′, n + i) iff either n = 0 and (q, i, a, q′) ∈ δ=0, or n > 0 and (q, i, a, q′) ∈ δ>0. A one-counter net is a one-counter automaton where δ=0 ⊆ δ>0.
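As a small executable illustration of the induced transition system TM, the following Python sketch lists the moves enabled in a configuration (q, n); the 4-tuple encoding of transitions is our own assumption for illustration, not fixed by the paper.

```python
# Sketch of T_M: given the zero and positive transition sets of a
# one-counter automaton (transitions encoded as 4-tuples (q, i, a, q2)),
# list the enabled moves of the configuration (q, n), following the
# definition above: delta_zero applies when n = 0, delta_pos when n > 0.
def moves(delta_zero, delta_pos, q, n):
    delta = delta_zero if n == 0 else delta_pos
    return sorted((a, q2, n + i) for (q1, i, a, q2) in delta if q1 == q)
```

For instance, with a decrementing b-transition from p to p in δ>0, the configuration p(2) has the move (b, p, 1), whereas at counter value 0 only δ=0 applies.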
A state (q, m) of TM is also called a configuration of M, or a one-counter process; we usually write it as q(m). Elements of δ=0 ∪ δ>0 are called transitions. The notion of a path p(m) −→σ q(n), where σ is a sequence of transitions, is defined in the natural way. A transition sequence β ∈ (δ>0)+ is called an elementary cycle if it induces an elementary cycle in the control state set Q, i.e., if β = (q1, i1, a1, q2), (q2, i2, a2, q3), . . . , (qm, im, am, qm+1), where qi ≠ qj for 1 ≤ i < j ≤ m and qm+1 = q1. We note that such a cycle has length at most |Q|, and its effect (i.e., the caused change) on the counter value is in the set {−|Q|, −|Q| + 1, . . . , |Q|}.

Decision problems. We are interested in the following two decision problems.

BISIMILARITY ON OCA
INPUT: A one-counter automaton M with two states p0(m0) and q0(n0) of TM, where both m0 and n0 are given in binary.
QUESTION: Is p0(m0) ∼ q0(n0)?

We say that a one-counter process q(n), i.e. a configuration q(n) of a one-counter automaton M, is ∼-regular (or finite up to bisimilarity) if there is a finite transition system with some state s such that q(n) ∼ s.

∼-REGULARITY ON OCA
INPUT: A one-counter automaton M and a state q(n) of TM (n given in binary).
QUESTION: Is q(n) ∼-regular?
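The elementary-cycle condition above is easy to check mechanically; a minimal sketch, again assuming the 4-tuple transition encoding:

```python
# Check whether a sequence beta of positive transitions (q1, i, a, q2)
# forms an elementary cycle: consecutive transitions chain, the last
# target equals the first source, and no source control state repeats.
# Returns the cycle's effect on the counter (in {-|Q|, ..., |Q|} by the
# note above), or None if beta is not an elementary cycle.
def elementary_cycle_effect(beta):
    chained = all(beta[j][3] == beta[j + 1][0] for j in range(len(beta) - 1))
    sources = [t[0] for t in beta]
    if beta and chained and beta[-1][3] == beta[0][0] \
            and len(set(sources)) == len(sources):
        return sum(t[1] for t in beta)
    return None
```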
Stratified bisimilarity. Given a transition system T = (S, A, {−→a | a ∈ A}), on S we define the family of i-equivalences, i ∈ N, ∼0 ⊇ ∼1 ⊇ ∼2 ⊇ · · · as follows. We put ∼0 = S × S, and we have s1 ∼i+1 s2 if the following two conditions hold:

– for each s1′ ∈ S and a ∈ A with s1 −→a s1′, there is some s2′ ∈ S such that s2 −→a s2′ and s1′ ∼i s2′;
– for each s2′ ∈ S and a ∈ A with s2 −→a s2′, there is some s1′ ∈ S such that s1 −→a s1′ and s1′ ∼i s2′.

The following proposition is an instance of the result for image-finite systems [16].

Proposition 1. On states of TM we have ∼ = ⋂_{i≥0} ∼i.

2.1 Some Useful Observations

The next proposition captures the locality of the bisimulation condition for one-counter automata, implied by the fact that the counter value can change by at most 1 in a move.

Proposition 2. Given a one-counter automaton M = (Q, A, δ=0, δ>0) and a relation R ⊆ (Q × N) × (Q × N), for checking whether a pair (p(m), q(n)) ∈ R satisfies the bisimulation condition it suffices to know the restriction of R to the set NEIGHBOURS(m, n) = { (p′(m′), q′(n′)) | |m − m′| ≤ 1, |n − n′| ≤ 1 }.

Standard partition arguments [11,18] imply the following proposition for finite systems.
Proposition 3. Given a finite transition system F = (Q, A, {−→a | a ∈ A}), where k = |Q|, we have ∼k−1 = ∼k = ∼ on Q. Moreover, (the partition of Q corresponding to) ∼ can be computed in polynomial time.
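Proposition 3 can be read as a naive fixpoint computation: refine ∼0, ∼1, . . . until stabilisation, which happens after at most |Q| − 1 rounds. The sketch below is our own encoding (a real implementation would use Paige–Tarjan-style partition refinement for efficiency), adequate for small finite systems.

```python
# Compute bisimilarity on a finite transition system by iterated
# refinement of the stratified equivalences ~0 ⊇ ~1 ⊇ ... ;
# trans is a set of triples (s, a, s').
def bisimilarity(states, trans):
    def succs(s):
        return {(a, t) for (u, a, t) in trans if u == s}
    sim = {(s1, s2) for s1 in states for s2 in states}   # ~0
    while True:
        # keep a pair only if each move on either side is matched
        # by an equally-labelled move into the current relation
        nxt = {(s1, s2) for (s1, s2) in sim
               if all(any(b == a and (t1, t2) in sim for (b, t2) in succs(s2))
                      for (a, t1) in succs(s1))
               and all(any(b == a and (t1, t2) in sim for (b, t1) in succs(s1))
                       for (a, t2) in succs(s2))}
        if nxt == sim:
            return sim
        sim = nxt
```

For example, three states that each have a single a-loop (directly or via each other) are all pairwise bisimilar, while a deadlocked state is never bisimilar to one with a move.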
3 Underlying Finite Automaton and the Set INC

Most of the notions, claims and ideas in this section appeared in [9] and elsewhere; nevertheless, we present (and extend) them in a concise self-contained way. If the context does not indicate otherwise, in what follows we (often implicitly) assume a fixed one-counter automaton M = (Q, A, δ=0, δ>0), using k for |Q|. We start by observing that if the counter value is large, then M behaves, for a long time, like a (nondeterministic) finite automaton. By FM we denote the finite transition system underlying M; we put FM = (Q, A, {−→a | a ∈ A}), where −→a = {(q1, q2) ∈ Q × Q | ∃i : (q1, i, a, q2) ∈ δ>0}. (FM thus behaves as if the counter is positive, ignoring the counter changes.) In what follows, p, q, r ∈ Q are viewed as control states of M or as states of FM, depending on the context. Our observation is formalized by the next proposition (which is obvious, by induction on m′).

Proposition 4. If m ≥ m′ then p(m) ∼m′ p. (Here p(m) is a state of TM, whereas p is a state of FM.)

This implies, e.g., that if p ∼ q (i.e., p ∼k q by Proposition 3) and m, n ≥ k, then p(m) ∼k q(n), since p(m) ∼k p, q(n) ∼k q and ∼k is an equivalence. Even if p ∼ q, we can have p(m) ≁ q(n), due to the possibility of reaching zero. For making this more precise, we define the following set:

INC = { r(ℓ) | ∀q ∈ Q : r(ℓ) ≁k q }.

The configurations in INC are incompatible with FM in the sense that they are not bisimilar up to k moves with any state of FM.

Proposition 5. If r(ℓ) ∈ INC then ℓ < k. Moreover, INC can be constructed in polynomial time.

Proof. If ℓ ≥ k then r(ℓ) ∼k r, and thus r(ℓ) ∉ INC. To construct INC, we can start with the set containing all k³ pairs (r(ℓ), q), where ℓ < k; all such pairs belong to ∼0. We then delete the pairs not belonging to ∼1, then those not belonging to ∼2, etc., until ∼k. The configurations r(ℓ) for which no pair (r(ℓ), q) survived are in INC.
(This process can be done simultaneously for the pairs (p, q) in FM; we also use the fact r(k) ∼k r.)
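The iterated-deletion construction just described can be prototyped directly. The sketch below is our own encoding (not the authors' implementation): it refines candidate pairs for k rounds and, as the parenthetical remark suggests, replaces a configuration by its abstract FM control state as soon as the counter reaches k, which Proposition 4 justifies for up to k refinement rounds.

```python
# Sketch of Proposition 5: compute INC = { r(l) | l < k, r(l) is not
# ~k-related to any state of F_M }, for k = |Q|. States are either
# concrete configurations ('c', r, l) with l < k, or abstract F_M
# states ('f', r) standing for any r(n) with n >= k.
def compute_inc(Q, delta_zero, delta_pos):
    k = len(Q)
    fm = {(q1, a, q2) for (q1, i, a, q2) in delta_pos}  # F_M drops the counter

    def moves(s):
        if s[0] == 'f':                                 # abstract F_M state
            return {(a, ('f', q2)) for (q1, a, q2) in fm if q1 == s[1]}
        _, r, l = s                                     # configuration r(l)
        delta = delta_zero if l == 0 else delta_pos
        # once the counter reaches k, the successor may be abstracted
        # to its F_M state (Proposition 4: r'(n) ~k r' for n >= k)
        return {(a, ('f', q2) if l + i >= k else ('c', q2, l + i))
                for (q1, i, a, q2) in delta if q1 == r}

    def qmoves(q):                                      # moves of the F_M partner
        return {(a, q2) for (q1, a, q2) in fm if q1 == q}

    states = {('c', r, l) for r in Q for l in range(k)} | {('f', r) for r in Q}
    pairs = {(s, q) for s in states for q in Q}         # all pairs: ~0
    for _ in range(k):                                  # delete down to ~k
        pairs = {(s, q) for (s, q) in pairs
                 if all(any(b == a and (s2, q2) in pairs
                            for (b, q2) in qmoves(q))
                        for (a, s2) in moves(s))
                 and all(any(a == b and (s2, q2) in pairs
                             for (a, s2) in moves(s))
                         for (b, q2) in qmoves(q))}
    return {(r, l) for r in Q for l in range(k)
            if not any((('c', r, l), q) in pairs for q in Q)}
```

With a single control state p whose only transition is a decrementing a-step (so p(0) is deadlocked while FM's p can always move), p(0) ends up in INC; giving p(0) a zero-level a-loop instead makes INC empty.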
The arguments of the previous proof also induce the following useful proposition.

Proposition 6. The question whether p(m) ∼k q(n) can be decided in polynomial time.

We note that if p(m) ∈ INC and q(n) ∉ INC then p(m) ≁ q(n) (in fact, p(m) ≁k q(n)). More generally, if two one-counter processes are bisimilar then they must agree on the distance to INC; this is formalized by the next lemma. We define dist(p(m))
as the length of the shortest transition sequence σ such that p(m) −→σ INC (i.e., p(m) −→σ r(ℓ) for some r(ℓ) ∈ INC); we put dist(p(m)) = ω if there is no such sequence, i.e., when INC is unreachable, denoted p(m) ̸→∗ INC.

Lemma 7. If p(m) ∼ q(n) then dist(p(m)) = dist(q(n)).

Proof. For the sake of contradiction, suppose that p(m) ∼ q(n) and d = dist(p(m)) < dist(q(n)), for the least such d; necessarily d > 0, since we cannot have p(m) ∈ INC, q(n) ∉ INC. Thus there is a move p(m) −→a p′(m′) with dist(p′(m′)) = d − 1, which must be matched by some q(n) −→a q′(n′) where p′(m′) ∼ q′(n′). Necessarily d − 1 = dist(p′(m′)) < dist(q′(n′)), which contradicts the minimality of d. □

The next lemma clarifies the opposite direction in the case of infinite distances.

Lemma 8. If dist(p(m)) = ω then p(m) ∼ r for some r ∈ Q. Thus if dist(p(m)) = dist(q(n)) = ω then p(m) ∼ q(n) iff there is some r ∈ Q such that p(m) ∼k r ∼k q(n).

Proof. If dist(p(m)) = ω, i.e. p(m) ̸→∗ INC, then in particular p(m) ∉ INC, and there is thus r ∈ Q such that p(m) ∼k r. We can easily check that

R = { (p(m), r) | p(m) ∼k r, p(m) ̸→∗ INC }

is a bisimulation: if p(m) −→a p′(m′) and r −→a r′ where p′(m′) ∼k−1 r′, then p′(m′) ̸→∗ INC, and the fact p′(m′) ∉ INC implies that r′′ ∼k p′(m′) ∼k−1 r′ for some r′′ ∈ Q; hence r′′ ∼k−1 r′ and thus r′′ ∼k r′ (by Proposition 3), which means p′(m′) ∼k r′. □

In the next section we look in more detail at the function dist(p(m)), which provides a useful constraint on bisimilar pairs. But before that, we partition the set (Q × N) × (Q × N) into three categories. We say that a pair (p(m), q(n)) is

– surely-positive if dist(p(m)) = dist(q(n)) = ω and p(m) ∼k q(n) (and thus surely p(m) ∼ q(n), by Lemma 8),
– surely-negative if p(m) ≁k q(n) or dist(p(m)) ≠ dist(q(n)) (and thus surely p(m) ≁ q(n)),
– candidate otherwise, i.e., if p(m) ∼k q(n) and dist(p(m)) = dist(q(n)) < ω.

By SUREPOS we denote the set of all surely-positive pairs, and we note the following obvious proposition.

Proposition 9. SUREPOS is a bisimulation.

It will also be useful to view the set CAND of all candidate pairs as the union CAND = CAND0 ∪ CAND1 ∪ CAND2 ∪ · · ·, where CANDi contains the candidate pairs at level i, i.e. the pairs (p(m), q(n)) ∈ CAND with m = i.
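Assuming oracles for ∼k (Proposition 6) and for dist (shown efficiently computable in Lemma 11 below), the trichotomy above can be phrased as a hypothetical helper; the function and constant names here are ours, not the paper's.

```python
# Classify a pair (p(m), q(n)) as surely-positive, surely-negative,
# or candidate; OMEGA encodes an infinite distance to INC.
OMEGA = float('inf')

def classify(bisim_k, dist, p, m, q, n):
    if not bisim_k(p, m, q, n) or dist(p, m) != dist(q, n):
        return 'surely-negative'      # fails ~k, or Lemma 7 is violated
    if dist(p, m) == OMEGA:
        return 'surely-positive'      # both distances infinite: Lemma 8
    return 'candidate'                # ~k holds, equal finite distances
```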
4 Distance to INC

In this section we look at the distance function dist(p(m)) in more detail (Lemma 10) and derive some consequences (Lemma 11) which will be useful for the design and analysis of our later algorithm. We start by sketching some intuition, which is then formalized in Lemma 10. To reach INC from p(m) most quickly, for a large m, one uses a suitable prefix arriving at a 'most effective' elementary cycle q(−) −→β q(−) (which decreases the counter, by at most k = |Q|), let us call it a d-cycle, then repeats the d-cycle sufficiently many times, and finishes with a suffix arriving at INC. It is not difficult to anticipate that one can bound the length (and thus also the counter change) of the prefix and the suffix by a (small-degree) polynomial pol(k). We now state the lemma. For technical reasons, we do not require explicitly that the d-cycle is elementary; it is sufficient to bound its length by k.

Lemma 10. There is a polynomial pol : N → N (independent of M) such that for any p(m) with dist(p(m)) < ω there is a shortest path p(m) −→σ INC with the transition sequence σ of the form σ = α β^i γ, where length(αγ) ≤ pol(k) and β is a decreasing cycle of length ≤ k.

Proof. To give a complete formal proof requires some technical work. Since the essence of the claim is not original and similar technical results appear in previous works on one-counter automata, we do not provide a self-contained proof, but use Lemma 2 from an older paper [27]; in our notation, this lemma is formulated as follows:

Claim. If there is a positive path (using positive transitions) from p(m) to q(n) and m − n ≥ k² and n ≥ k², then there is a shortest path p(m) −→σ q(n) such that σ = α β^i γ, where length(αγ) < k² and length(β) ≤ k.

(Although [27] studies deterministic one-counter automata, the lemma obviously applies to our nondeterministic case as well, since we can view the transitions themselves as the actions.) We note that if m − n ≥ k² + k then β is necessarily a decreasing cycle (i ≥ 2 in this case). It is also clear that the (shortest) path p(m) −→σ q(n) in the Claim does not visit any q′(n′) with n′ ≥ m + k² + k; we say that the path moves in the "< (m + k² + k) area" (note that the prefix α moves in the "< (m + k²) area" and the suffix γ moves in the "< (n + k²) area").
Recalling that ℓ < k for each r(ℓ) ∈ INC, we note that any shortest path p(m) −σ→ INC either moves in the "< k^2 area", in which case its length is bounded by k^3 (since no configuration is visited twice), or can be presented in the form

p(m) −σ1→ q1(k^2) −σ2→ q2(k^2) −σ3→ · · · −σm→ qm(k^2) −σm+1→ INC

where 1 ≤ m ≤ k and q1(k^2), q2(k^2), . . . , qm(k^2) are all configurations on the path which have the counter value k^2. By the above considerations, each segment qi(k^2) −σi+1→ moves in the "< (3k^2 + k) area", and its length is thus bounded by k · (3k^2+k). The segment p(m) −σ1→ q1(k^2) either moves in the "< 2k^2 area", in which case its length is bounded by 2k^3, or it can be written p(m) −σ1'→ p'(m') −σ1''→ q1(k^2) where m' ≥ 2k^2 and σ1' (which might be empty) is bounded by 2k^3. The statement of our Lemma thus follows from the above Claim applied to the segment p'(m') −σ1''→ q1(k^2).
184
S. B¨ohm, S. G¨oller, and P. Janˇcar
The next lemma lists some important consequences. A main point is to clarify the distribution of the set CAND. Informally speaking, the candidate pairs are contained inside polynomially many linear belts, each belt having a rational slope, which is a fraction of polynomially bounded integers, as well as a polynomially bounded (vertical) thickness.

Remark. It is helpful to think in geometrical notions. Every relation R ⊆ (Q × N) × (Q × N) can be viewed as a 'coloring' χ_R : Q × Q × N × N → {•, ◦}; for each p, q ∈ Q it prescribes a black-white coloring of the plane (grid) N × N. This was formalized in more detail in [9]; here we just use Figure 1 informally.

Lemma 11
1. There is a polynomial-time algorithm computing dist(p(m)) for any p, m; here the size of the input is |M| + log m (m is written in binary).
2. If dist(p(m)) < ω then

dist(p(m)) = (c1/c2) · (m + d1) + d2 = (c1/c2) · m + ψ

for some integers 0 ≤ c1 ≤ k, 1 ≤ c2 ≤ k, |d1| ≤ pol1(k), 0 ≤ d2 ≤ pol1(k), where pol1 is a polynomial (independent of M); the values c1, c2, d1, d2 generally depend on p, m. Moreover, for the rational number ψ = (c1/c2) · d1 + d2 we have |ψ| ≤ (k+1) · pol1(k).
3. If dist(p(m)) = dist(q(n)) < ω then

n = ρ · m + ξ

where (the slope) ρ is either 0 or of the form (c1 · c2')/(c2 · c1'), for c1, c2, c1', c2' ∈ {1, 2, . . . , k}, and |ξ| is bounded by a polynomial pol2(k). (This formalizes the above announced polynomially many belts, with the vertical thickness 1 + 2 · pol2(k).)
4. There is a polynomial pol4 such that for each m ≥ pol4(k) we have ρ1 · m + pol2(k) + 1 < ρ2 · (m−1) − pol2(k), where ρ1 < ρ2 are (different) slopes from Point 3, pol2 also being taken from there. (I.e., for levels m ≥ pol4(k) the belts are separated, in the sense that no two pairs from different belts are neighbours.)
5. There is a polynomial-time algorithm which, given i (in binary), computes the set CAND_i of all candidate pairs at level i (all pairs (p(i), q(n)) such that p(i) ∼k q(n) and dist(p(i)) = dist(q(n)) < ω). We have |CAND_i| ≤ pol3(k) for a polynomial pol3.
6. If Δ is a common multiple of the effects of all decreasing cycles of length ≤ k (the absolute values of the effects are in the set {1, 2, . . . , k}) then for each m ≥ k + pol(k), where pol is taken from Lemma 10, we have: p(m) →∗ INC iff p(m + Δ) →∗ INC.
Bisimilarity of OneCounter Processes Is PSPACEComplete
185
7. If m, n ≥ k + pol(k) then (p(m), q(n)) ∈ SurePos ⇔ ∀i, j ∈ N : (p(m + iΔ), q(n + jΔ)) ∈ SurePos (where pol and Δ are as in Point 6).
Proof. Point 1. By Lemma 10 we know that a shortest path p(m) −σ→ INC (if there is any) is of the form

p(m) −α→ q(m+e1) −β→ q(m+e1−c2) −β→ q(m+e1−2c2) −β→ · · · −β→ q(ℓ−e2+c2) −β→ q(ℓ−e2) −γ→ r(ℓ) ∈ INC

where e1 is the effect (the counter change) of the prefix α, c2 is the absolute value of the effect of the d-cycle β, and e2 is the effect of the suffix γ; we put c1 = length(β), c3 = length(α), c4 = length(γ). Let us recall that 0 ≤ c2 ≤ c1 ≤ k and that the absolute values of the other integers are bounded by pol(k) from Lemma 10. (Independently of p, m,) we thus have polynomially many possibilities (in k) for the tuple (q, e1, c1, c2, c3, c4, e2, r, ℓ); these possible tuples can be processed in turn. For each tuple we can check if (m+e1)−(ℓ−e2) is divisible by c2 and then verify if the tuple is realizable by some appropriate α, β, γ; this verification is done by using straightforward graph reachability algorithms. (Regarding the d-cycle, it is sufficient to verify the realizability of the first segment q(m+e1) −β→ q(m+e1−c2) and of the final segment q(ℓ−e2+c2) −β→ q(ℓ−e2).) With each realizable tuple we associate the value c3 + c4 when c2 = 0, and c3 + c4 + (c1/c2)·((m+e1)−(ℓ−e2)) when c2 > 0. We associate ω with each non-realizable tuple. The value dist(p(m)) is obviously the minimal value associated with the above tuples.

Point 2. This follows immediately from the analysis in the proof of Point 1. (Since d2 = c3 + c4 and d1 = e1 − ℓ + e2, it suffices to take pol1(k) = k + pol(k), for pol from Lemma 10. The consequence for ψ is obvious.)

Point 3. From dist(p(m)) = (c1/c2)·m + ψ = (c1'/c2')·n + ψ' = dist(q(n)) we derive

n = ((c1/c2)/(c1'/c2'))·m + (ψ−ψ')/(c1'/c2').
If c1 = 0 or c1' = 0 then dist(p(m)) = dist(q(n)) ≤ (k+1)·pol1(k), and thus n < k + (k+1)·pol1(k) (and we can put ρ = 0). We can thus take pol2(k) = 2·(k+1)·pol1(k)·k.

Point 4. Recalling the slopes from Point 3, we note that ρ1 […]

[…] B_{m−1} (if m > 0) and B_{m+1}, and the polynomial procedure deciding membership in SurePos (cf. Lemma 12). • (If B_m is not correct, the computation fails.) If we force the algorithm to include the input pair (p0(m0), q0(n0)) into B_{m0}, then an infinite run is possible if and only if p0(m0) ∼ q0(n0). We also note that it is sufficient for the algorithm to keep only the current number m and the sets B_{m−1} (if m > 0), B_m, B_{m+1} in memory. (By Point 5 of Lemma 11 this consists of at most 3·pol3(k) pairs, while the bit-size of the numbers is polynomial in k and in the bit-size of m, i.e. in log m.) A final crucial point is that the algorithm, getting p0(m0), q0(n0) in the input, will halt (answering p0(m0) ∼ q0(n0)) after it has successfully processed the following levels:

m = 0, 1, 2, . . . , z where z = m0 + pol4(k) + 2^{pol5(k)} · 2^{3k·log k}
(1)
Here pol4 is from Point 4 of Lemma 11, and we put pol5(k) = 2 · k^2 · (1 + 2 · pol2(k)), where pol2 is from Point 3 of Lemma 11. With this halting condition, the algorithm obviously runs in polynomial space (when given M and a pair (p0(m0), q0(n0))). What remains to show is the correctness of the halting condition.
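The memory discipline of the level-by-level search described above (keep only the current level m and a three-level window of sets, fail as soon as a level is inconsistent, succeed after level z) can be sketched as follows. The helper names choose_B and consistent are ours, not the paper's; they merely stub the guessing of B_i ⊆ CAND_i and the polynomial local verification the paper performs using SurePos membership.

```python
def run_levels(m0, p0, q0, z, choose_B, consistent):
    """choose_B(i): a guessed subset of the candidate pairs at level i;
    consistent(prev, cur, nxt): stub for the local verification carried
    out with B_{m-1}, B_m, B_{m+1} (and SurePos membership)."""
    prev, cur = None, choose_B(0)
    for m in range(0, z + 1):
        nxt = choose_B(m + 1)
        if m == m0 and (p0, q0) not in cur:
            return False              # the input pair must be included in B_{m0}
        if not consistent(prev, cur, nxt):
            return False              # B_m is not correct: this branch fails
        prev, cur = cur, nxt          # keep only a three-level window in memory
    return True                       # all levels 0..z processed successfully
```

The point of the sketch is that the space usage is dominated by three level-sets plus the binary counter m, which is what makes the overall procedure a polynomial-space one.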
6 Correctness of (the Halting Condition of) the Algorithm

Recall Points 3 and 4 of Lemma 11: the candidate pairs are contained inside polynomially many linear belts with vertical thickness 1 + 2·pol2(k), which are separated for m ≥ pol4(k). Informally speaking, if the algorithm (successfully) processes sufficiently many (exponentially many) numbers m after processing m0, then the pigeonhole principle guarantees that a certain 'pumpable' segment appears inside each belt (this is visualized in Figure 1). At that time we are guaranteed that the relation R = {(p(m), q(n)) ∈ B_m ∪ SurePos | m ≤ m0} can be extended with certain pairs (p'(m'), q'(n')), with m' > m0, so that the resulting relation is a bisimulation. (These pairs (p'(m'), q'(n')), m' > m0, may differ from those which were actually included in B_{m'} by the algorithm.)

We now make this informal argument more precise. Suppose that our algorithm successfully halts for the input pair (p0(m0), q0(n0)), and consider the following subsequence of the sequence (1):

m0', m0' + Δ^3, m0' + 2Δ^3, m0' + 3Δ^3, . . . , m0' + 2^{pol5(k)}·Δ^3
(2)
where m0' = max{m0, pol4(k)} and Δ = k!; hence Δ ≤ k^k, and so Δ^3 ≤ 2^{3k·log k}.

Remark. We have chosen Δ so that Points 6 and 7 of Lemma 11 can be applied. The chosen period Δ^3 has the following useful property. We are guaranteed that ρΔ^3 is a multiple of Δ for each slope ρ = (c1·c2')/(c2·c1') (c1, c2, c1', c2' ∈ {1, 2, . . . , k}) from Point 3 of Lemma 11; by Point 7 of Lemma 11 we thus also get for each m ≥ pol4(k):

(p(m), q(n)) ∈ SurePos ⇔ ∀i ∈ N : (p(m + iΔ^3), q(n + iρΔ^3)) ∈ SurePos. (3)

(In the proof of Lemma 11 we have actually derived pol4 satisfying pol4(k) ≥ k + pol(k). But any polynomial pol4 satisfying Point 4 could be replaced with a bigger one satisfying also pol4(k) ≥ k + pol(k) anyway.)

For a relation R ⊆ (Q × N) × (Q × N) and a belt, identified with its slope ρ from Point 3 of Lemma 11, we define the R-cut of the belt ρ at level m as CUT^ρ_m(R)
= { (p(m), q(n)) ∈ R | ρm − pol2(k) ≤ n ≤ ρm + pol2(k) }.
Figure 1 illustrates two cuts CUT^ρ_{m1}(R), CUT^ρ_{m2}(R) (the black points representing elements of R, the white points being non-elements); the depicted cuts are 'the same' in the sense that one arises by shifting the other. Our choice of the subsequence (2) guarantees a repeat of a '2-thick cut':
Fig. 1. Two isomorphic belt cuts in a coloring
Proposition 14. For every R and 'belt' ρ there are m1, m2 in (2), where m1 < m2, m2 = m1 + cΔ^3, such that
– (p(m1), q(n)) ∈ CUT^ρ_{m1}(R) ⇔ (p(m2), q(n + ρcΔ^3)) ∈ CUT^ρ_{m2}(R),
– (p(m1+1), q(n)) ∈ CUT^ρ_{m1+1}(R) ⇔ (p(m2+1), q(n + ρcΔ^3)) ∈ CUT^ρ_{m2+1}(R).

Proof. We first note that our choice of Δ also guarantees that ρcΔ^3 is an integer. Describing CUT^ρ_m(R) and CUT^ρ_{m+1}(R) (for any m) obviously amounts to determining a (black-point) subset of a set with (at most) 2 · k^2 · (1 + 2 · pol2(k)) elements; this is how we defined pol5(k) in the halting condition of our algorithm (cf. (1)). There are 2^{pol5(k)} such subsets; thus the claim follows by the pigeonhole principle.
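The pigeonhole argument can be made concrete as a signature search over the arithmetic progression (2). The encoding below (a hashable "signature" per level, e.g. the set of pairs in the 2-thick cut shifted to the belt axis) is our own illustration, not the paper's:

```python
def find_repeat(levels, signature):
    """signature(m): a hashable description of the 2-thick cut at level m.
    Returns the first pair (m1, m2) with equal signatures, or None.
    By pigeonhole, a repeat must exist once the number of levels exceeds
    the number of possible signatures (2^{pol5(k)} in the paper)."""
    seen = {}
    for m in levels:
        sig = signature(m)
        if sig in seen:
            return seen[sig], m       # the cut at m1 repeats at m2
        seen[sig] = m
    return None
```

With m2 = m1 + cΔ^3 found this way, the segment between the two identical cuts is the 'pumpable' piece used in the correctness argument.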
Our aim is to define a relation R' so that R' ∪ SurePos is a bisimulation and coincides with B ∪ SurePos on the pairs (p(m), q(n)) with m ≤ m0; the set B consists of the candidate pairs included by (the successfully halting computation of) our algorithm into B_m, for m = 0, 1, 2, . . . , z as in (1). Let us now consider a particular belt ρ. Let m1, m2, where m1 < m2 = m1 + cΔ^3, be the levels guaranteed by Proposition 14 for the relation R = B ∪ SurePos. Inside the belt ρ, the suggested R' will coincide with R for all levels m ≤ m2+1. For all levels m = m2+2, m2+3, m2+4, . . . , we define R' inside the belt ρ by the following inductive definition: for each m, n, where m > m2+1 and |n − ρm| ≤ pol2(k):
(p(m), q(n)) ∈ R' iff (p(m−cΔ^3), q(n−ρcΔ^3)) ∈ R'.

We note that this condition is, in fact, satisfied also for m ∈ {m2, m2+1}, due to our choice of m1, m2. We get the whole R' after having defined it inside all belts.

Proposition 15. R' ∪ SurePos is a bisimulation.

Proof. Suppose there is a pair (p(m), q(n)) ∈ R' ∪ SurePos which does not satisfy the bisimulation condition (which is determined by the restriction to NEIGHBOURS(m, n); recall Proposition 2). We take such a pair with the least m. It is clear that (p(m), q(n)) ∉ SurePos (recall Proposition 9); moreover, the restriction of R' ∪ SurePos to NEIGHBOURS(m, n) cannot be the same as for B ∪ SurePos (where the algorithm verified the bisimulation condition). Hence (m, n) lies in a belt ρ, and m ≥ m2+1 for the respective m2 = m1 + cΔ^3. Then the pair (p(m−cΔ^3), q(n−ρcΔ^3)) belongs to R' and satisfies the bisimulation condition; moreover, this pair enables the same transitions as the pair (p(m), q(n)). So there must be some (p'(m'), q'(n')) ∈ NEIGHBOURS(m, n) such that (p'(m'), q'(n')) ∉ R' ∪ SurePos and (p'(m'−cΔ^3), q'(n'−ρcΔ^3)) ∈ R' ∪ SurePos. But this contradicts the definition of R' or the equivalence (3).
Our halting condition is thus correct, and we have proved:

Theorem 16. There is a polynomial-space algorithm which, given a one-counter automaton M and a pair p0(m0), q0(n0), decides whether p0(m0) ∼ q0(n0).

Remark. As in [9], we could derive that the bisimilarity ∼ (i.e., the maximal bisimulation) is 'belt-regular'. Our results here show that a natural (finite) description of this (semilinear) relation can be written in exponential space.
7 ∼-Regularity

We can easily derive the next lemma, which tells us that p(m) is not ∼-regular iff it allows one to reach states with arbitrarily large finite distances to INC.

Lemma 17. Given p(m) for a one-counter automaton M, p(m) is not ∼-regular iff for any d ∈ N there is q(n) such that p(m) →∗ q(n) and d ≤ dist(q(n)) < ω.

The next proposition gives a more convenient characterization.

Proposition 18. p(m) is not ∼-regular iff p(m) →∗ q(m+2k) →∗ INC for some q ∈ Q. (Recall that k = |Q| for the set Q of control states of M.)

Proof. 'Only if' is obvious. On any path p(m) −σ1→ q(m+2k) −σ2→ INC we have to cross the level (m+k) when going up as well as when going down to INC (recall that ℓ < k for any r(ℓ) ∈ INC). The elementary cycles, which must necessarily appear when going up and down, can be suitably pumped to show the condition in Lemma 17.
Lemma 19. Deciding ∼-regularity of one-counter processes is in PTIME.
Proof. We check the condition from Proposition 18. Given p(m), we can compute all q(m+2k) which have finite distances to INC by a polynomial algorithm (recall Point 1 of Lemma 11). When m = 0, the reachability of a suitable q(2k) (with q(2k) →∗ INC) can be checked straightforwardly. So we can compute all p' such that p'(0) is not ∼-regular. Thus p(m) is not ∼-regular iff it can reach one of the computed q(m+2k) or p'(0) by positive transitions. The polynomiality follows by ideas similar to those discussed in the proof of Lemma 10.
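The check from Proposition 18 can be rendered schematically as follows; the two helpers stand in for the polynomial procedures discussed above (the distance computation of Lemma 11 and a reachability test), and all names are ours, not the paper's:

```python
def not_regular(p, m, k, finite_dist_at, reachable_pos):
    """p(m) is not ∼-regular iff p(m) →* q(m+2k) →* INC for some q ∈ Q.

    finite_dist_at(level): the control states q with dist(q(level)) < ω,
    computable in polynomial time by Point 1 of Lemma 11 (stubbed here);
    reachable_pos(p, m, q, n): stub for the reachability test.
    """
    targets = finite_dist_at(m + 2 * k)   # the q with q(m+2k) →* INC
    return any(reachable_pos(p, m, q, m + 2 * k) for q in targets)
```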
Lemma 20. Deciding ∼-regularity (even) of one-counter nets is PTIME-hard.

Proof. We use a logspace reduction from bisimilarity on finite transition systems, which is PTIME-complete [1]. Given a finite transition system (Q, A, {−a→}_{a∈A}) and f, g ∈ Q, we construct a one-counter net which has the following behaviour: in s0(m), m > 0, it has transitions s0(m) −a→ s0(m+1), s0(m) −a→ s0(m−1), s0(m) −b→ f(m), s0(m) −b→ g(m). In s0(0) we only have s0(0) −a→ s0(1) and s0(0) −b→ f(0). Any state f(n) just mimicks f (not changing the counter); similarly g(n) mimicks g. It is easy to verify that s0(n) is ∼-regular iff f ∼ g.

Theorem 21. Deciding ∼-regularity of one-counter processes is PTIME-complete.

Acknowledgements. We thank the reviewers for useful comments and suggestions.
References

1. Balcázar, J.L., Gabarró, J., Santha, M.: Deciding Bisimilarity is P-Complete. Formal Asp. Comput. 4(6A), 638–648 (1992)
2. Brázdil, T., Brožek, V., Etessami, K., Kučera, A., Wojtczak, D.: One-Counter Markov Decision Processes. In: Proc. of SODA, pp. 863–874. IEEE, Los Alamitos (2010)
3. Demri, S., Sangnier, A.: When Model-Checking Freeze LTL over Counter Machines Becomes Decidable. In: Ong, L. (ed.) FOSSACS 2010. LNCS, vol. 6014, pp. 176–190. Springer, Heidelberg (2010)
4. van Glabbeek, R.: The Linear Time – Branching Time Spectrum I: The Semantics of Concrete, Sequential Processes. In: Bergstra, J., Ponse, A., Smolka, S. (eds.) Handbook of Process Algebra, ch. 1, pp. 3–99. Elsevier, Amsterdam (2001)
5. Göller, S., Mayr, R., To, A.W.: On the Computational Complexity of Verifying One-Counter Processes. In: Proc. of LICS, pp. 235–244. IEEE Computer Society Press, Los Alamitos (2009)
6. Haase, C., Kreutzer, S., Ouaknine, J., Worrell, J.: Reachability in Succinct and Parametric One-Counter Automata. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 369–383. Springer, Heidelberg (2009)
7. Hirshfeld, Y., Jerrum, M.: Bisimulation Equivalence Is Decidable for Normed Process Algebra. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 412–421. Springer, Heidelberg (1999)
8. Janin, D., Walukiewicz, I.: On the Expressive Completeness of the Propositional mu-Calculus with Respect to Monadic Second Order Logic. In: Sassone, V., Montanari, U. (eds.) CONCUR 1996. LNCS, vol. 1119, pp. 263–277. Springer, Heidelberg (1996)
9. Jančar, P.: Decidability of Bisimilarity for One-Counter Processes. Information and Computation 158(1), 1–17 (2000)
10. Jančar, P.: Strong Bisimilarity on Basic Parallel Processes is PSPACE-complete. In: Proc. of LICS, pp. 218–227. IEEE Computer Society, Los Alamitos (2003)
11. Kanellakis, P.C., Smolka, S.A.: CCS Expressions, Finite State Processes, and Three Problems of Equivalence. Information and Computation 86(1), 43–68 (1990)
12. Kučera, A.: Efficient Verification Algorithms for One-Counter Processes. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 317–328. Springer, Heidelberg (2000)
13. Kučera, A., Mayr, R.: On the Complexity of Checking Semantic Equivalences between Pushdown Processes and Finite-state Processes. Inf. Comput. 208(7), 772–796 (2010)
14. Mayr, R.: Process Rewrite Systems. Information and Computation 156(1), 264–286 (2000)
15. Mayr, R.: Undecidability of Weak Bisimulation Equivalence for 1-Counter Processes. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) ICALP 2003. LNCS, vol. 2719, pp. 570–583. Springer, Heidelberg (2003)
16. Milner, R.: Communication and Concurrency. International Series in Computer Science. Prentice Hall, Englewood Cliffs (1989)
17. Moller, F., Rabinovich, A.M.: Counting on CTL*: On the Expressive Power of Monadic Path Logic. Inf. Comput. 184(1), 147–159 (2003)
18. Paige, R., Tarjan, R.E.: Three Partition Refinement Algorithms. SIAM Journal on Computing 16(6), 973–989 (1987)
19. Sénizergues, G.: The Bisimulation Problem for Equational Graphs of Finite Out-Degree. SIAM J. Comput. 34(5), 1025–1106 (2005)
20. Serre, O.: Parity Games Played on Transition Graphs of One-Counter Processes. In: Aceto, L., Ingólfsdóttir, A. (eds.) FOSSACS 2006. LNCS, vol. 3921, pp. 337–351. Springer, Heidelberg (2006)
21. Srba, J.: Strong Bisimilarity and Regularity of Basic Process Algebra Is PSPACE-Hard. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 716–727. Springer, Heidelberg (2002)
22. Srba, J.: Undecidability of Weak Bisimilarity for PA-Processes. In: Ito, M., Toyama, M. (eds.) DLT 2002. LNCS, vol. 2450, pp. 197–208. Springer, Heidelberg (2003)
23. Srba, J.: Roadmap of Infinite Results. Formal Models and Semantics, vol. 2. World Scientific Publishing Co., Singapore (2004), http://www.brics.dk/~srba/roadmap
24. Srba, J.: Beyond Language Equivalence on Visibly Pushdown Automata. Logical Methods in Computer Science 5(1:2) (2009)
25. Stirling, C.: Decidability of Bisimulation Equivalence for Pushdown Processes (2000) (unpublished manuscript)
26. To, A.W.: Model Checking FO(R) over One-Counter Processes and Beyond. In: Grädel, E., Kahle, R. (eds.) CSL 2009. LNCS, vol. 5771, pp. 485–499. Springer, Heidelberg (2009)
27. Valiant, L.G., Paterson, M.: Deterministic One-Counter Automata. J. Comput. Syst. Sci. 10(3), 340–350 (1975)
28. van Benthem, J.: Modal Correspondence Theory. PhD thesis, University of Amsterdam (1976)
29. Yen, H.C.: Complexity Analysis of Some Verification Problems for One-Counter Machines (20xx) (unpublished manuscript)
Nash Equilibria for Reachability Objectives in Multiplayer Timed Games

Patricia Bouyer, Romain Brenguier, and Nicolas Markey

LSV, ENS Cachan & CNRS, France
{bouyer,brenguie,markey}@lsv.ens-cachan.fr
Abstract. We propose a procedure for computing Nash equilibria in multiplayer timed games with reachability objectives. Our procedure is based on the construction of a finite concurrent game, and on a generic characterization of Nash equilibria in (possibly infinite) concurrent games. Along the way, we use our characterization to compute Nash equilibria in finite concurrent games.
1 Introduction

Timed games. Game theory (especially games played on graphs) has been used in computer science as a powerful framework for modelling interactions in embedded systems [10, 15]. Over the last fifteen years, games have been extended with the ability to depend on timing information. Timed games allow for a more faithful representation of reactive systems, while preserving decidability of several important properties, such as the existence of a winning strategy for one of the agents to achieve her goal, whatever the other agents do [3]. Efficient algorithms exist and have been implemented, e.g. in the tool Uppaal Tiga [4].

Zero-sum vs. non-zero-sum games. In this purely antagonist view, games can be seen as two-player games, where one agent plays against another one. Moreover, the objectives of those two agents are opposite: the aim of the second player is simply to prevent the first player from winning her own objective. More generally, a (positive or negative) payoff can be associated with each outcome of the game, which can be seen as the amount the second player will have to pay to the first player. Those games are said to be zero-sum. In many cases, however, games can be non-zero-sum, especially when they involve more than two agents, whose objectives may not be complementary. Such games appear e.g. in various problems in telecommunications, where several agents try to send data on a network [9]. Focusing only on surely-winning strategies in this setting may then be too narrow: surely-winning strategies must be winning against any behaviour of the other agents, and do not take into account that the other agents also try to achieve their own objectives.

Nash equilibria. In the non-zero-sum game setting, it is then more interesting to look for equilibria. For instance, a Nash equilibrium is a behaviour of the
This work is partly supported by projects DOTS (ANR-06-SETI-003), QUASIMODO (FP7-ICT-STREP-214755) and GASICS (ESF-EUROCORES LogiCCC).
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 192–206, 2010. © Springer-Verlag Berlin Heidelberg 2010
agents in which they play rationally, in the sense that no agent can get a better payoff if she, alone, modifies her strategy [13]. This corresponds to stable states of the game. Notice that a Nash equilibrium need not exist in general, and is not necessarily optimal: several equilibria can coexist, possibly with very different payoffs.

Our contribution. We extend the study of Nash equilibria for reachability objectives (where the payoff is 1 when the objective is reached, and 0 otherwise) in the setting of timed games, as defined in [8] (but extended to n players in the obvious way). Since timed games are non-deterministic, we introduce the notion of pseudo-Nash equilibrium, in which non-determinism is solved "optimally" (i.e., only the best outcome is considered). This corresponds to letting the players "optimally" solve non-determinism, in such a way that they have no incentive to change their choice. As is usual in the timed setting, we rely on a region-based abstraction, which in our context is a finite concurrent game. In order to prove that the abstraction preserves Nash equilibria, we define a characterization of Nash equilibria in (possibly infinite-state) concurrent games. This characterization is built on the new concept of repellor sets: the repellor set for a subset A of agents is, roughly, the set of states from which the players in A will not be winning in any Nash equilibrium. We explain how to compute those sets, and how they can be used to characterize Nash equilibria. We also use repellor sets to effectively compute Nash equilibria in finite games, which solves open problems in the setting of equilibria in finite games and gives a complete solution to our original problem.

Related work. Nash equilibria (and other related solution concepts such as subgame-perfect equilibria, secure equilibria, ...) have recently been studied in the setting of (untimed) games played on a graph [6, 7, 14, 16–19]. Most of these works, however, focus on turn-based games.
In the setting of concurrent games, mixed strategies (i.e., strategies involving probabilistic choices) are arguably more relevant than pure (i.e., non-randomized) strategies. However, adding probabilities to timed strategies (over both delays and actions) involves several important technical issues (even in zero-sum non-probabilistic timed games), and we defer the study of mixed-strategy Nash equilibria in timed games to future work. For lack of space, only sketches of proofs are given in the paper. Full proofs can be found in [5].
2 Preliminaries

We begin with defining concurrent games and Nash equilibria.

2.1 Concurrent Games
A transition system is a 2-tuple S = ⟨States, Edg⟩ where States is a (possibly uncountable) set of states and Edg ⊆ States × States is the set of transitions.
Given a transition system S, a path π in S is a nonempty sequence (si)0≤i […]

[…] For every ε > 0, the player can "wait" in s0 until e is fired so that its delay is smaller than ε (this eventually happens with probability 1), and then she moves to s1. The probability that e is assigned a delay of at most 1 − ε in s1 is 1 − ε, and hence the constructed DFA accepts a play with probability 1 − ε. However, the player has no optimal strategy.

In this paper we consider the existence and effective constructability of almost-sure winning strategies for the player. Formally, a strategy σ ∈ Σ is almost-sure winning for a history h if for every strategy π ∈ Π we have that P^{σ,π}_h(Play(A)) = 1. We show the following:

Theorem 1. Let h be a history. If the player has (some) almost-sure winning strategy for h, then she also has a DTA almost-sure winning strategy for h. The existence of a DTA almost-sure winning strategy for h is decidable in exponential time, and if it exists, it can be constructed in exponential time.

A proof of Theorem 1 is not immediate and requires several steps. First, in Section 3.1 we construct a product game G_A of G and A and show that G_A can be examined instead of G and A. The existence of a DTA almost-sure winning strategy in G_A is analyzed in Section 3.2. Finally, in Section 3.3 we present an algorithm which computes a DTA almost-sure winning strategy if it exists.

3.1 The Product Game

Intuitively, the product game of G and A, denoted by G_A, is constructed by simulating the execution of A on-the-fly in G. Waiting times for events and clock valuations are represented explicitly in the states of G_A, and hence the state-space of G_A is uncountable. Still, G_A is in many aspects similar to G, and therefore we use a suggestive notation compatible with the one used for G. To distinguish between the notions related to G and G_A, we consistently use the "p" prefix. Hence, G has stamps, states, histories, etc., while G_A has p-stamps, p-states, p-histories, etc.
Stochastic Real-Time Games with Qualitative Timed Automata Objectives
Let n = |E| + |X|. The clock values of A and the delays of the currently scheduled events are represented by a p-vector ξ ∈ R^n_{≥0}. The set of p-states is S × Q × R^n_{≥0}, and the sets of p-controls of the two players are obtained from their respective sets of controls C as C × Q × R^n_{≥0}. The dynamics of G_A is determined as follows. First, we define a p-flow function F_A, which to a given p-stamp (s, q, ξ, t, e) assigns the p-control (c, q', ξ'), where c = F(s, e), and q', ξ' are determined as follows. Let (q, L(s), g, X, q') be the unique edge of A such that the guard g is satisfied by the clock valuation stored in ξ + t. We put ξ' = (ξ +_s t)[({e} ∪ X) := 0]. The operator "+_s t" adds t to all clocks stored in ξ and to all events scheduled in s, and "({e} ∪ X) := 0" resets all clocks of X to zero and assigns zero delay to e. Second, we define the set of p-actions. For every p-control (c, q, ξ) and an action a ∈ A(c), there is a corresponding p-action which to a given p-state (s', q, ξ'), where ξ' = ξ[(E \ E(s')) := 0], assigns the probability a(s').

A p-stamp is an element (s, q, ξ, t, e) of S × Q × R^n_{≥0} × R_{>0} × E. Now we define p-histories and p-plays as sequences of p-stamps. In the game G we allowed arbitrary sequences of stamps, whereas in the product game we need the automaton part of the product to be consistent with the game part. We say that a p-stamp x1 = (s1, q1, ξ1, t1, e1) is consistent with a p-stamp x0 = (s0, q0, ξ0, t0, e0) if the image of x0 under the p-flow function is a p-control (c, q1, ξ') such that ξ1 = ξ'[A := 0], where A is the set of actions not enabled in s1. A p-history is a finite sequence of p-stamps p = x0 . . . xn such that xi+1 is consistent with xi for all 0 ≤ i < n. A p-play is an infinite sequence of p-stamps x0 x1 . . . where each finite prefix x0 . . . xi is a p-history. Each p-history p = (s0, q0, ξ0, t0, e0), . . . , (sn, qn, ξn, tn, en) can be mapped to a unique history H(p) = (s0, t0, e0), . . . , (sn, tn, en).
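As an illustration (not the paper's formalism), the time-elapse-and-reset step performed by the p-flow function can be sketched with valuations as plain dictionaries; the representation and all names below are our own assumptions:

```python
def pflow_update(xi, t, fired_event, reset_clocks, clocks, scheduled):
    """xi: dict mapping clock/event names to nonnegative reals.

    Clocks always advance by t, and an event's entry advances only while
    the event is scheduled (the '+_s t' operator); then the clocks in
    reset_clocks and the fired event are set to 0 (the '({e} ∪ X) := 0'
    operator)."""
    new_xi = {}
    for name, val in xi.items():
        if name in clocks or name in scheduled:
            new_xi[name] = val + t
        else:
            new_xi[name] = val        # an unscheduled event keeps its delay
    for name in set(reset_clocks) | {fired_event}:
        new_xi[name] = 0.0
    return new_xi
```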
Note that H is in fact a bijection, because each history induces a unique finite execution of the DTA A, and the consistency condition reflects this unique execution. By the last p-control of a p-history p we denote the image of the last p-stamp of p under the p-flow function.

Region relation. Although the state-space of G_A is uncountable, we can define a variant of the region relation over p-histories which has a finite index, and then work with finitely many regions. For a given x ∈ R_{≥0}, we use frac(x) to denote the fractional part of x, and int(x) to denote the integral part of x. For x, y ∈ R_{≥0}, we say that x and y agree on integral parts if int(x) = int(y) and neither or both of x, y are integers. A relevant bound of a clock x is the largest constant c that appears in the guards. A relevant bound of an event e is u_e if u_e < ∞, and ℓ_e otherwise. We say that an element a ∈ E ∪ X is relevant for ξ if ξ(a) ≤ r, where r is the relevant bound of a. Finally, we put ξ1 ≈ ξ2 if
• for all relevant a ∈ E ∪ X we have that ξ1(a) and ξ2(a) agree on integral parts;
• for all relevant a, b ∈ E ∪ X we have that frac(ξ1(a)) ≤ frac(ξ1(b)) if and only if frac(ξ2(a)) ≤ frac(ξ2(b)).
The equivalence classes of ≈ are called time areas. Now we can define the promised region relation ∼ on p-histories. Let p1 and p2 be p-histories such that (c1, q1, ξ1) is the last p-control of p1 and (c2, q2, ξ2) is the last p-control of p2. We put p1 ∼ p2 iff c1 = c2, q1 = q2 and ξ1 ≈ ξ2. Note that ∼ is an equivalence with a finite index. The equivalence
T. Brázdil et al.
classes of ∼ are called regions. A target region is a region that contains the p-histories whose last p-controls have a target location in the second component. The sets of all regions and target regions are denoted by R and R_T, respectively.

Remark 1. Let us note that the region construction described above can also be applied to configurations of timed automata, where it coincides with the standard region construction of [3].

Strategies in the product game. Note that every pair of strategies (σ, π) ∈ Σ × Π defined for the original game G can also be applied in the constructed product game G_A (we just ignore the extra components of p-stamps). By reusing the construction of Section 2.1, for every p-history p and every pair of strategies (σ, π) ∈ Σ × Π, we define a probability measure P^{σ,π}_p on the Borel σ-field F over the p-plays in G_A (the details are given in [11]). For every S ⊆ R, let Reach(S) be the set of all p-plays that visit a region of S (i.e., some prefix of the p-play belongs to some r ∈ S). We say that a strategy σ ∈ Σ is almost-sure winning in G_A for a p-history p if for every π ∈ Π we have that P^{σ,π}_p(Reach(R_T)) = 1. The relationship between almost-sure winning strategies in G and G_A is formulated in the next proposition.

Proposition 2. Let σ ∈ Σ and let p be a p-history. Then σ is almost-sure winning for p in G_A iff σ is almost-sure winning for H(p) in G.

Another observation about strategies in G_A, which is heavily used in the next sections, concerns strategies that are constant on regions. Formally, a strategy τ ∈ Σ ∪ Π is constant on regions if for all p-histories p1 and p2 such that p1 ∼ p2 we have that τ(p1) = τ(p2).

Proposition 3. Every strategy τ ∈ Σ ∪ Π which is constant on regions is a DTA strategy.

Proof (Sketch). We transform τ into a DTA A_{G_A} whose regions are in one-to-one correspondence with the regions of G_A. The automaton A_{G_A} reads a sequence of stamps of G and simulates the behavior of G_A.
It has a special clock for every clock of A and every event of E, and uses its locations to store also the current state of the game. The details are given in [11]. □

Note that due to Proposition 3, every strategy constant on regions can be effectively transformed into a DTA strategy.

3.2 Almost-Sure Winning Strategies

In this section, we outline a proof of the following theorem:

Theorem 2. Let p be a p-history. If there is a strategy σ ∈ Σ which is almost-sure winning in GA for p, then there is a DTA strategy σ∗ ∈ Σ which is almost-sure winning for p.

Note that due to Proposition 3, it suffices to show that there is an almost-sure winning strategy in GA for p which is constant on regions.
Stochastic RealTime Games with Qualitative Timed Automata Objectives
217
Observe that if σ ∈ Σ is an almost-sure winning strategy in GA for p, then for every π ∈ Π the plays of GA may visit only regions from which it is still possible to visit a target region. Hence, a good candidate for an almost-sure winning DTA strategy in GA for p is a strategy which never leaves this set of "safe" regions. This motivates the following definition (in the rest of this section we often write p ∈ S, where p is a p-history and S a set of regions, to indicate that p ∈ ⋃_{r∈S} r).

Definition 4. A DTA strategy σ ∈ Σ is a candidate on a set of regions S ⊆ R if for every π ∈ Π and every p-history p ∈ S we have that P^{σ,π}_p(Reach(R \ S)) = 0 and P^{σ,π}_p(Reach(RT)) > 0.

In the following, we prove Propositions 4 and 5, which together imply Theorem 2.

Proposition 4. Let σ be an almost-sure winning strategy in GA for a p-history p0. Then there is a set S ⊆ R and a DTA strategy σ∗ such that p0 ∈ S and σ∗ is a candidate on S.

Proof (Sketch). We define S as the set of all regions reached with positive probability in an arbitrary play where player □ uses the strategy σ and player ◇ uses some π ∈ Π. For every action a, let phist_a be the set of all p-histories where σ assigns a positive probability to a. For every region r ∈ S, we denote by A_r the set of all a ∈ Act for which there is π ∈ Π such that P^{σ,π}_{p0}(phist_a ∩ r) > 0.
• Firstly, we show that every DTA strategy σ′ that selects only the actions of A_r in every r ∈ S has to satisfy P^{σ′,π}_p(Reach(R \ S)) = 0 for all π ∈ Π and p ∈ S. To see this, realize that when we use only the actions of A_r, we do not visit (with positive probability) any other regions than we did with σ. Hence, we stay in S almost surely.
• Secondly, we prove that from every p-history in S, we can reach a target region with positive probability. We proceed in several steps.
− Let us fix a region r ∈ S.
Realize that then there is a p-history p ∈ r for which σ is almost-sure winning (since σ is almost-sure winning and for every r ∈ S there is π ∈ Π such that r is visited with positive probability, there must be a p-history p ∈ r for which σ is almost-sure winning). In particular, P^{σ,π}_p(Reach(RT)) > 0 for every π ∈ Π. We show how to transform σ into a DTA strategy σ′ such that P^{σ′,π}_p(Reach(RT)) > 0. Let us first consider one-player games, i.e., the situation when C_◇ = ∅. Then there must be a sequence of regions r0, . . . , rn visited on the way from p to a target, selecting some actions a0, . . . , an−1. We fix these actions for the respective regions (if some region is visited several times, we fix the last action taken) and thus obtain the desired DTA strategy σ′. In the general case of two-player games, we have to consider a tree of regions and actions instead of a single sequence, because every possible behaviour of the opponent in the first n steps has to be taken into account.
− Then we prove that for every p′ ∈ r we have that P^{σ′,π}_{p′}(Reach(RT)) > 0 for every π ∈ Π. For the p-histories p, p′ ∈ r, consider the probability that taking an action a results in reaching a given region in one step. These probabilities are either both positive or both zero. This one-step qualitative equivalence is then extended to arbitrarily many steps. Hence, P^{σ′,π}_{p′}(Reach(RT)) > 0.
− Let us now drop the fixed region r. We need to "stitch" the DTA strategies described above for each region into one DTA strategy σ∗. We construct σ∗ as follows. In the first step, we take an arbitrary region reachable with positive probability (e.g., the initial one containing p0) and fix the decisions in the regions r0, . . . , rn (where rn ∈ RT) discussed above. Let us denote this set of regions by F1. In the second step, we take an arbitrary region v ∈ S \ F1. Again, we take a sequence of regions r0, . . . , rn ending in RT ∪ F1. We fix the actions in these regions accordingly and get a set F2. We repeat this step until Fk = S. In the other regions, σ∗ is defined arbitrarily, requiring only that it is constant on each region. □

Proposition 5. If a DTA strategy σ∗ is a candidate on a set of regions S ⊆ R, then for every p ∈ S and every π ∈ Π we have that P^{σ∗,π}_p(Reach(RT)) = 1.

Note that we are guaranteed that for every p-history in every region in S, the probability of reaching a target is positive. However, it can be arbitrarily small. Therefore, even if we pass through these regions infinitely often and never leave them, it is not clear that we eventually reach a target almost surely. This would be guaranteed if the probabilities were bounded from below by a positive constant.

Remark 2. If we consider the restricted case of one-player games with bounded intervals and exponentially distributed unbounded events, we can already easily prove that σ∗ is winning using [3] as follows. Fixing σ∗ resolves all nondeterminism and yields a system of the type considered by [3]. Since we are guaranteed the positive probability of reaching the target, we may apply Lemma 3 of [3]. However, in the setting of two-player games, we cannot use this argument directly and some (nontrivial) changes are required.
Intuitively, the reason why the probabilities of reaching a target are generally not bounded from below is that when the fractional parts of the clocks are too close, the probability of reaching a given region may approach zero. The figure on the left shows the region graph of a system with two clocks and a single state. There is also a single event, which is positive on (0, 1) and whose associated clock is not depicted. Now observe that if p comes closer and closer to the diagonal, the probability that the (only) event happens in the region r is smaller and smaller. Nevertheless, we can bound the probabilities if we restrict ourselves to a smaller set of positions. We define δ-separated parts of regions, where the differences of p-clocks are at least δ (and hence we are at least δ away from the boundary of the region) or zero due to a synchronization of the clocks of the original automaton. Being away from the boundary by a fixed δ then guarantees that we reach the next region with a probability bounded from below.

Definition 5. Let δ > 0. We say that a set D ⊆ R≥0 is δ-separated if for every x, y ∈ D either frac(x) = frac(y) or |frac(x) − frac(y)| > δ. Further, we say that a p-history with the last p-control (s, q, ξ) is δ-separated if the set {0} ∪ {ξ(a) | a ∈ E ∪ X, a is relevant for ξ} is δ-separated.
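Definition 5 can be checked directly from the fractional parts. Below is a small Python sketch; the function names and the dict encoding of valuations and bounds are our own illustrative choices:

```python
import math

def frac(x):
    """Fractional part of a non-negative real."""
    return x - math.floor(x)

def is_delta_separated(values, delta):
    """A set of reals is delta-separated if any two of its fractional
    parts are either equal or more than delta apart."""
    fracs = [frac(x) for x in values]
    return all(a == b or abs(a - b) > delta
               for i, a in enumerate(fracs) for b in fracs[i + 1:])

def history_delta_separated(xi, bound, delta):
    """delta-separation of a p-history, given the valuation xi of its
    last p-control and the relevant bounds; 0 is always included."""
    relevant = [v for a, v in xi.items() if v <= bound[a]]
    return is_delta_separated([0.0] + relevant, delta)
```

For instance, a valuation whose relevant fractional parts are {0, 0.5} is 0.2-separated, while one containing fractional parts 0 and 0.1 is not.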
Now we prove that the probabilities of reaching a target region are bounded from below if we start in a δ-separated p-history.

Proposition 6. Let σ∗ be a DTA strategy candidate on a set of regions S. For every δ > 0 there is ε > 0 such that for every δ-separated p-history p ∈ S and every strategy π we have that P^{σ∗,π}_p(Reach(RT)) > ε.

Proof (Sketch). We prove that for every δ > 0 there is ε > 0 such that starting in a δ-separated p-history, the probability of reaching a target in at most |R| steps is greater than ε. For this we use the observation that after performing one step from a δ-separated p-history, we end up (with a probability bounded from below) in a δ′-separated p-history. This can be generalized to an arbitrary (but fixed) number of steps. Now it suffices to observe that for every π ∈ Π and every δ-separated p-history p there is a sequence of regions r1, . . . , rk with k ≤ |R|, such that p ∈ r1, rk ∈ RT, and the probability of reaching ri+1 from ri in one step using σ∗ and π is positive. □

Nevertheless, there is a nonzero probability of falling out of safely separated parts of regions. To finish the proof of Proposition 5, we need to know that we pass through δ-separated p-histories infinitely often almost surely (since the probability of reaching a target from δ-separated p-histories is bounded from below by Proposition 6, a target is eventually visited with probability one). For this, it suffices to prove that we eventually return to a δ-separated part almost surely. Hence, the following proposition makes our proof complete.

Proposition 7. There is δ > 0 such that for every DTA strategy σ ∈ Σ and every π ∈ Π, a δ-separated p-history is reached almost surely from every p-history p.

Proof (Sketch). We prove that there are n ∈ N, δ > 0, and ε > 0 such that for every p-history p and every π ∈ Π, the probability of reaching a δ-separated p-history in n steps is greater than ε. Then, we just iterate the argument. □
3.3 The Algorithm

In this section, we show that the existence of a DTA almost-sure winning strategy is decidable in exponential time, and we also show how to compute such a strategy if it exists. Due to Proposition 2, this problem can be equivalently considered in the setting of the product game GA. Due to Proposition 3, an almost-sure winning DTA strategy can be constructed as a strategy that is constant on every region of GA. We show that this problem can be further reduced to the problem of computing winning strategies in a finite stochastic game ḠA with reachability objectives induced by the product game GA. Note that the game ḠA can be solved by standard methods (e.g., by computing the attractor of a target set). First, we define the game ḠA and show how to compute it. The complexity discussion follows.

The product GA induces a game ḠA whose vertices are the regions of GA as follows. Player ⊙, where ⊙ ∈ {□, ◇}, plays in regions (c, q, [ξ]≈)¹ where c ∈ C⊙. In a region
¹ Note that a region is a set of p-histories such that their last p-controls share the same control c, location q, and equivalence class [ξ]≈. Hence, we can represent a region by a triple (c, q, [ξ]≈).
r = (c, q, [ξ]≈), she chooses an arbitrary action a ∈ A(c), and this action a leads to a stochastic vertex (r, a) = ((c, q, [ξ]≈), a). From this stochastic vertex there are transitions to all regions r′ = (c′, q′, [ξ′]≈) such that r′ is reachable from all p ∈ r in one step using action a with some positive probability in the product GA. One of these probabilistic transitions is taken at random according to the uniform distribution. From the next region the play continues in the same manner. Player □ tries to reach the set RT of target regions (which is the same as in the product game) and player ◇ tries to avoid it. We say that a strategy σ of player □ is almost-sure winning for a vertex v if she reaches RT almost surely when starting from v and playing according to σ.

At first glance, it might seem surprising that we set all probability distributions in the finite game ḠA as uniform. Note that in different parts of a region r, the probabilities of moving to r′ are different. However, as noted in the sketch of proof of Proposition 4, they are either all positive or all zero. Since we are interested only in qualitative reachability, this is sufficient for our purposes. Moreover, note that since we are interested in nonzero probability behaviour, there are no transitions to regions which are reachable only with zero probability (such as when an event occurs at an integral time).

We now prove that the reduction is correct. Observe that a strategy for the product game GA which is constant on regions induces a unique positional strategy for the game ḠA, and vice versa. Slightly abusing the notation, we consider these strategies to be strategies in both games.

Proposition 8. Let G be a game and A a deterministic timed automaton. For every p-history p in a region r, we have that
• a positional strategy σ is almost-sure winning for r in ḠA iff it is almost-sure winning for p in GA;
• player □ has an almost-sure winning strategy for r in ḠA iff player □ has an almost-sure winning strategy for p in GA. □
The algorithm constructs the regions of the product GA and the induced game graph of the finite game ḠA (see [11]). Since there are exponentially many regions (w.r.t. the number of clocks and events), the size of ḠA is exponential in the size of G and A. As we already noted, two-player stochastic games with qualitative reachability objectives are easily solvable in polynomial time, and thus we obtain the following:

Theorem 3. Let h be a history. The problem whether player □ has a (DTA) almost-sure winning strategy for h is solvable in time exponential in G and A, and polynomial in h. A DTA almost-sure winning strategy is computable in exponential time if it exists.
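The attractor-style fixpoints behind these "standard methods" are easy to sketch. The following Python code (all names and the graph encoding are ours) computes the set of vertices from which player □ can reach the target with positive probability: player-□ and stochastic vertices are treated existentially, player-◇ vertices universally. Solving almost-sure reachability in the full stochastic game additionally iterates such fixpoints, which we omit here:

```python
def positive_attractor(vertices, owner, succ, targets):
    """Least fixpoint of vertices from which player 'box' reaches
    `targets` with positive probability: 'box' and 'random' vertices
    need one successor inside the set, 'diamond' vertices need all
    of their successors inside it."""
    attr = set(targets)
    changed = True
    while changed:
        changed = False
        for v in vertices:
            if v in attr:
                continue
            succs = succ[v]
            if owner[v] == 'diamond':
                ok = succs and all(s in attr for s in succs)
            else:  # 'box' or 'random'
                ok = any(s in attr for s in succs)
            if ok:
                attr.add(v)
                changed = True
    return attr
```

Each pass scans all vertices, so the fixpoint is reached in polynomially many steps in the size of the game graph, consistent with the polynomial-time claim above.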
4 Conclusions and Future Work

An interesting question is whether the positive results presented in this paper can be extended to more general classes of objectives that can be encoded, e.g., by deterministic timed automata with ω-regular acceptance conditions. Another open problem concerns the algorithmic properties of ε-optimal strategies in stochastic real-time games.
References

1. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking for probabilistic real-time systems. In: Leach Albert, J., Monien, B., Rodríguez-Artalejo, M. (eds.) ICALP 1991. LNCS, vol. 510, pp. 115–136. Springer, Heidelberg (1991)
2. Alur, R., Courcoubetis, C., Dill, D.L.: Verifying automata specifications of probabilistic real-time systems. In: Huizing, C., de Bakker, J.W., Rozenberg, G., de Roever, W.P. (eds.) REX 1991. LNCS, vol. 600, pp. 28–44. Springer, Heidelberg (1992)
3. Alur, R., Dill, D.: A theory of timed automata. TCS 126(2), 183–235 (1994)
4. Baier, C., Bertrand, N., Bouyer, P., Brihaye, T., Größer, M.: Almost-sure model checking of infinite paths in one-clock timed automata. In: Proceedings of LICS 2008, pp. 217–226. IEEE, Los Alamitos (2008)
5. Baier, C., Hermanns, H., Katoen, J.-P., Haverkort, B.R.: Efficient computation of time-bounded reachability probabilities in uniform continuous-time Markov decision processes. TCS 345, 2–26 (2005)
6. Bertrand, N., Bouyer, P., Brihaye, T., Markey, N.: Quantitative model-checking of one-clock timed automata under probabilistic semantics. In: Proceedings of 5th Int. Conf. on Quantitative Evaluation of Systems (QEST 2008), pp. 55–64. IEEE, Los Alamitos (2008)
7. Bertsekas, D.P.: Dynamic Programming and Optimal Control. Athena Scientific, Belmont (2007)
8. Billingsley, P.: Probability and Measure. Wiley, Chichester (1995)
9. Bouyer, P., Forejt, V.: Reachability in stochastic timed games. In: Albers, S., Marchetti-Spaccamela, A., Matias, Y., Nikoletseas, S., Thomas, W. (eds.) ICALP 2009. LNCS, vol. 5556, pp. 103–114. Springer, Heidelberg (2009)
10. Brázdil, T., Forejt, V., Krčál, J., Křetínský, J., Kučera, A.: Continuous-time stochastic games with time-bounded reachability. In: Proceedings of FST&TCS 2009. LIPIcs, vol. 4, pp. 61–72. Schloss Dagstuhl (2009)
11. Brázdil, T., Krčál, J., Křetínský, J., Kučera, A., Řehák, V.: Stochastic real-time games with qualitative timed automata objectives.
Technical report FIMU-RS-2010-05, Faculty of Informatics, Masaryk University (2010)
12. Chen, T., Han, T., Katoen, J.-P., Mereacre, A.: Quantitative model checking of continuous-time Markov chains against timed automata specifications. In: Proceedings of LICS 2009, pp. 309–318. IEEE, Los Alamitos (2009)
13. Haas, P.J., Shedler, G.S.: Regenerative generalized semi-Markov processes. Stochastic Models 3(3), 409–438 (1987)
14. Maitra, A., Sudderth, W.: Finitely additive stochastic games with Borel measurable payoffs. Int. Jour. of Game Theory 27, 257–267 (1998)
15. Martin, D.A.: The determinacy of Blackwell games. Journal of Symbolic Logic 63(4), 1565–1581 (1998)
16. Neuhäußer, M., Stoelinga, M., Katoen, J.-P.: Delayed nondeterminism in continuous-time Markov decision processes. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 364–379. Springer, Heidelberg (2009)
17. Norris, J.R.: Markov Chains. Cambridge University Press, Cambridge (1998)
18. Rabe, M., Schewe, S.: Optimal time-abstract schedulers for CTMDPs and Markov games. In: Eighth Workshop on Quantitative Aspects of Programming Languages (2010)
19. Ross, S.M.: Stochastic Processes. Wiley, Chichester (1996)
20. Schassberger, R.: Insensitivity of steady-state distributions of generalized semi-Markov processes. Advances in Applied Probability 10, 836–851 (1978)
21. Whitt, W.: Continuity of generalized semi-Markov processes. Mathematics of Operations Research 5(4), 494–501 (1980)
Session Types as Intuitionistic Linear Propositions

Luís Caires¹ and Frank Pfenning²

¹
CITI and Departamento de Informática, FCT, Universidade Nova de Lisboa
² Department of Computer Science, Carnegie Mellon University
Abstract. Several type disciplines for π-calculi have been proposed in which linearity plays a key role, even if their precise relationship with pure linear logic is still not well understood. In this paper, we introduce a type system for the π-calculus that exactly corresponds to the standard sequent calculus proof system for dual intuitionistic linear logic. Our type system is based on a new interpretation of linear propositions as session types, and provides the first purely logical account of all (both shared and linear) features of session types. We show that our type discipline is useful from a programming perspective, and ensures session fidelity, absence of deadlocks, and a tight operational correspondence between π-calculus reductions and cut elimination steps.
1 Introduction

Linear logic has been intensively explored in the analysis of π-calculus models for communicating and mobile systems, given its essential ability to deal with resources, effects, and non-interference. The fundamental way it provides for analyzing notions of sharing versus uniqueness, captured by the exponential "!", seems to have been a source of inspiration for Milner when introducing replication in the π-calculus [22]. Following the early works of Abramsky [1], several authors have exploited variants of π-calculi to express proof reductions (e.g., [5]) or game semantics (e.g., [19]) in systems of linear logic. In the field of concurrency, many research directions have also drawn inspiration from linear logic for developing type-theoretic analyses of mobile processes, motivated by the works of Kobayashi, Pierce, and Turner [21]; a similar influence is already noticeable in the first publications by Honda on session types [16]. Many expressive type disciplines for π-calculi in which linearity frequently plays a key role have been proposed since then (e.g., [20,18,26,15]). However, linearity has usually been employed in such systems in indirect ways, exploiting the fine-grained type context management techniques it provides, or the assignment of usage multiplicities to channels [21], rather than the deeper type-theoretic significance of linear logical operators.

In this paper we present a type system for the π-calculus that exactly corresponds to the standard sequent calculus proof system for dual intuitionistic linear logic. The key to our correspondence is a new, perhaps surprising, interpretation of intuitionistic linear logic formulas as a form of session types [16,18], in which the programming language is a session-typed π-calculus, and the type structure consists precisely of the connectives of intuitionistic linear logic, retaining their standard proof-theoretic interpretation.
In session-based concurrency, processes communicate through so-called session channels, connecting exactly two subsystems, and communication is disciplined by session protocols so that actions always occur in dual pairs: when one partner sends, the

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 222–236, 2010.
© Springer-Verlag Berlin Heidelberg 2010
other receives; when one partner offers a selection, the other chooses; when a session terminates, no further interaction may occur. New sessions may be dynamically created by invocation of shared servers. Such a model exhibits concurrency in the sense that several sessions, not necessarily causally related, may be executing simultaneously, although races in unshared resources are forbidden; in fact this is the common situation in disciplined concurrent programming idioms. Mobility is also present, since both session and server names may be passed around (delegated) in communications. Session types have been introduced to discipline interactions in session-based concurrency, an important paradigm in communication-centric programming (see [11]).

It turns out that the connectives of intuitionistic linear logic suffice to express all the essential features of finite session disciplines. While in the linear λ-calculus types are assigned to terms (denoting functions and values), in our interpretation types are assigned to names (denoting communication channels) and describe their session protocol. The essence of our interpretation may already be found in the interpretation of the linear logic multiplicatives as behavioral prefix operators. Traditionally, an object of type A⊸B denotes a linear function that, given an object of type A, returns an object of type B [14]. In our interpretation, an object of type A⊸B denotes a session x that first inputs a session channel of type A, and then behaves as B, where B specifies again an interactive behavior, rather than a closed value. Linearity of ⊸ is essential, since otherwise the behavior of the input session after communication could not be ensured. An object of type A ⊗ B denotes a session that first sends a session channel of type A and afterwards behaves as B. But notice that objects of type A ⊗ B really consist of two objects: the sent session of type A and the continuation session of type B.
These two sessions are separate and non-interfering, as enforced by the canonical semantics of the linear multiplicative conjunction (⊗). Our interpretation of A ⊗ B appears asymmetric, in the sense that, of course, a channel of type A ⊗ B is in general not typable by B ⊗ A. In fact, the symmetry captured by the proof of A ⊗ B ⊸ B ⊗ A is realized by an appropriately typed process that coerces any session of type A ⊗ B to a session of type B ⊗ A. The other linear constructors are also given compatible interpretations; in particular, the type !A is naturally interpreted as the type of a shared server for sessions of type A, and the additive product and sum correspond to the branch and choice session type operators. We thus obtain the first purely logical account of both the shared and linear features of session types.

We briefly summarize the contributions of the paper. We describe a system of session types for the π-calculus (Section 3) that corresponds to the sequent calculus for dual intuitionistic linear logic DILL (Section 4). The correspondence is bidirectional and tight, in the sense that (a) any π-calculus computation can be simulated by proof reductions on typing derivations (Theorem 5.3), thus establishing a strong form of subject reduction (Theorem 5.6), and (b) any proof reduction or conversion corresponds either to a computation step or to a process equivalence on the π-calculus side (Theorems 5.4 and 5.5). An intrinsic consequence of the logical typing is a global progress property, which ensures the absence of deadlock for systems with an arbitrary number of open sessions (Theorem 5.8). Finally, we illustrate the expressiveness of our system (Section 6) with some examples and discussion.
2 Process Model

We briefly introduce the syntax and operational semantics of the process model: the synchronous π-calculus (see [24]) extended with (binary) guarded choice.

Definition 2.1 (Processes). Given an infinite set Λ of names (x, y, z, u, v), the set of processes (P, Q, R) is defined by

P ::= 0 | P | Q | (νy)P | x̄⟨y⟩.P | x(y).P | !x(y).P | x.inl; P | x.inr; P | x.case(P, Q)

The operators 0 (inaction), P | Q (parallel composition), and (νy)P (name restriction) comprise the static fragment of any π-calculus. We then have x̄⟨y⟩.P (send y on x and proceed as P), x(y).P (receive a name z on x and proceed as P with the input parameter y replaced by z), and !x(y).P, which denotes replicated (or persistent) input. The remaining three operators define a minimal labeled choice mechanism, comparable to the n-ary branching constructs found in standard session π-calculi (see e.g., [18]). For the sake of minimality, and without loss of generality, we restrict our model to binary choice.

In restriction (νy)P and input x(y).P the distinguished occurrence of the name y is binding, with scope the process P. For any process P, we denote the set of free names of P by fn(P). A process is closed if it does not contain free occurrences of names. We identify processes up to consistent renaming of bound names, writing ≡α for this congruence. We write P{x/y} for the process obtained from P by capture-avoiding substitution of x for y in P. Structural congruence expresses basic identities on the structure of processes, while reduction expresses the behavior of processes.

Definition 2.2. Structural congruence (P ≡ Q) is the least congruence relation on processes such that

(S0)  P | 0 ≡ P
(SC)  P | Q ≡ Q | P
(SA)  P | (Q | R) ≡ (P | Q) | R
(Sν0)  (νx)0 ≡ 0
(Sνν)  (νx)(νy)P ≡ (νy)(νx)P
(Sν)  x ∉ fn(P) ⇒ P | (νx)Q ≡ (νx)(P | Q)
(Sα)  P ≡α Q ⇒ P ≡ Q

Definition 2.3. Reduction (P → Q) is the binary relation on processes defined by:

(RC)  x̄⟨y⟩.Q | x(z).P → Q | P{y/z}
(R!)  x̄⟨y⟩.Q | !x(z).P → Q | P{y/z} | !x(z).P
(RL)  x.inl; P | x.case(Q, R) → P | Q
(RR)  x.inr; P | x.case(Q, R) → P | R
(R|)  Q → Q′ ⇒ P | Q → P | Q′
(Rν)  P → Q ⇒ (νy)P → (νy)Q
(R≡)  P ≡ P′, P′ → Q′, Q′ ≡ Q ⇒ P → Q
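As an executable reading of rules (RC), (RL), and (RR), here is a Python sketch over a naive tuple encoding of a fragment of the process syntax. The representation and helper names are our own, and capture-avoiding substitution is only approximated by skipping binders that shadow the substituted name:

```python
# A fragment of the process syntax as nested tuples:
#   ('nil',)            0
#   ('par', P, Q)       P | Q
#   ('out', x, y, P)    send y on x, continue as P
#   ('in', x, z, P)     receive z on x, continue as P
#   ('inl'/'inr', x, P) select left/right on x
#   ('case', x, P, Q)   offer a choice on x

def subst(p, y, z):
    """P{y/z}: replace free occurrences of name z by y."""
    r = lambda n: y if n == z else n
    tag = p[0]
    if tag == 'nil':
        return p
    if tag == 'par':
        return ('par', subst(p[1], y, z), subst(p[2], y, z))
    if tag == 'out':
        return ('out', r(p[1]), r(p[2]), subst(p[3], y, z))
    if tag == 'in':
        body = p[3] if p[2] == z else subst(p[3], y, z)  # binder shadows z
        return ('in', r(p[1]), p[2], body)
    if tag in ('inl', 'inr'):
        return (tag, r(p[1]), subst(p[2], y, z))
    if tag == 'case':
        return ('case', r(p[1]), subst(p[2], y, z), subst(p[3], y, z))
    raise ValueError(tag)

def step(p):
    """One top-level reduction of a parallel pair, or None."""
    if p[0] != 'par':
        return None
    for a, b in ((p[1], p[2]), (p[2], p[1])):
        # (RC)  output meets input on the same channel
        if a[0] == 'out' and b[0] == 'in' and a[1] == b[1]:
            return ('par', a[3], subst(b[3], a[2], b[2]))
        # (RL)  left selection meets a choice offer
        if a[0] == 'inl' and b[0] == 'case' and a[1] == b[1]:
            return ('par', a[2], b[2])
        # (RR)  right selection meets a choice offer
        if a[0] == 'inr' and b[0] == 'case' and a[1] == b[1]:
            return ('par', a[2], b[3])
    return None
```

The sketch omits restriction, replication, and reduction under contexts (rules (R|), (Rν), (R≡)), which a full implementation would add on top of `step`.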
Notice that reduction is closed (by definition) under structural congruence. Reduction specifies the computations a process performs on its own. To characterize the interactions a process may perform with its environment, we introduce a labeled transition system: the standard early transition system for the π-calculus [24], extended with appropriate labels and transition rules for the choice constructs.

(out)  x̄⟨y⟩.P −x̄⟨y⟩→ P
(in)  x(y).P −x(z)→ P{z/y}
(rep)  !x(y).P −x(z)→ P{z/y} | !x(y).P
(lout)  x.inl; P −x̄.inl→ P
(rout)  x.inr; P −x̄.inr→ P
(lin)  x.case(P, Q) −x.inl→ P
(rin)  x.case(P, Q) −x.inr→ Q
(res)  P −α→ Q  ⇒  (νy)P −α→ (νy)Q
(par)  P −α→ Q  ⇒  P | R −α→ Q | R
(com)  P −x̄⟨y⟩→ P′ and Q −x(y)→ Q′  ⇒  P | Q −τ→ P′ | Q′
(open)  P −x̄⟨y⟩→ Q  ⇒  (νy)P −(νy)x̄⟨y⟩→ Q
(close)  P −(νy)x̄⟨y⟩→ P′ and Q −x(y)→ Q′  ⇒  P | Q −τ→ (νy)(P′ | Q′)

Fig. 1. π-calculus Labeled Transition System

A transition P −α→ Q
denotes that process P may evolve to process Q by performing the action represented by the label α. Transition labels are given by

α ::= x̄⟨y⟩ | x(y) | (νy)x̄⟨y⟩ | x.inl | x.inr | x̄.inl | x̄.inr

Actions are input x(y), the left/right offers x.inl and x.inr, and their matching co-actions, respectively the output x̄⟨y⟩ and bound output (νy)x̄⟨y⟩ actions, and the left/right selections x̄.inl and x̄.inr. The bound output (νy)x̄⟨y⟩ denotes extrusion of a fresh name y along (channel) x. Internal action is denoted by τ; in general, an action α (resp. ᾱ) requires a matching ᾱ (resp. α) in the environment to enable progress, as specified by the transition rules. For a label α, we define the sets fn(α) and bn(α) of free and bound names, respectively, as usual. We denote by s(α) the subject of α (e.g., x in x̄⟨y⟩).
Definition 2.4 (Labeled Transition System). The labeled transition relation (P −α→ Q) is defined by the rules in Figure 1, subject to the side conditions: in rule (res), we require y ∉ fn(α); in rule (par), we require bn(α) ∩ fn(R) = ∅; in rule (close), we require y ∉ fn(Q). We omit the symmetric versions of rules (par), (com), and (close).

We recall some basic facts about reduction, structural congruence, and labeled transition, namely closure of labeled transitions under structural congruence and coincidence of τ-labeled transition and reduction [24]: (1) if P ≡ −α→ Q, then P −α→ ≡ Q; and (2) P → Q if and only if P −τ→ ≡ Q. We write ρ1ρ2 for relation composition (e.g., −τ→ ≡).
3 Type System

We first describe our type structure, which coincides with intuitionistic linear logic [14,3], omitting atomic formulas and the additive constants ⊤ and 0.

Definition 3.1 (Types). Types (A, B, C) are given by

A, B ::= 1 | !A | A ⊗ B | A⊸B | A ⊕ B | A & B

Types are assigned to (channel) names, and may be conveniently interpreted as a form of session types; an assignment x:A enforces that the process will use x according to the discipline A. A ⊗ B is the type of a session channel that first performs an output
(T1R)  Γ; · ⊢ 0 :: x:1
(T1L)  Γ; Δ ⊢ P :: T  ⇒  Γ; Δ, x:1 ⊢ P :: T
(T⊗R)  Γ; Δ ⊢ P :: y:A  and  Γ; Δ′ ⊢ Q :: x:B  ⇒  Γ; Δ, Δ′ ⊢ (νy)x̄⟨y⟩.(P | Q) :: x:A ⊗ B
(T⊗L)  Γ; Δ, y:A, x:B ⊢ P :: T  ⇒  Γ; Δ, x:A ⊗ B ⊢ x(y).P :: T
(T⊸R)  Γ; Δ, y:A ⊢ P :: x:B  ⇒  Γ; Δ ⊢ x(y).P :: x:A⊸B
(T⊸L)  Γ; Δ ⊢ P :: y:A  and  Γ; Δ′, x:B ⊢ Q :: T  ⇒  Γ; Δ, Δ′, x:A⊸B ⊢ (νy)x̄⟨y⟩.(P | Q) :: T
(Tcut)  Γ; Δ ⊢ P :: x:A  and  Γ; Δ′, x:A ⊢ Q :: T  ⇒  Γ; Δ, Δ′ ⊢ (νx)(P | Q) :: T
(Tcut!)  Γ; · ⊢ P :: y:A  and  Γ, u:A; Δ ⊢ Q :: T  ⇒  Γ; Δ ⊢ (νu)(!u(y).P | Q) :: T
(Tcopy)  Γ, u:A; Δ, y:A ⊢ P :: T  ⇒  Γ, u:A; Δ ⊢ (νy)ū⟨y⟩.P :: T
(T!L)  Γ, u:A; Δ ⊢ P{u/x} :: T  ⇒  Γ; Δ, x:!A ⊢ P :: T
(T!R)  Γ; · ⊢ Q :: y:A  ⇒  Γ; · ⊢ !x(y).Q :: x:!A
(T⊕R1)  Γ; Δ ⊢ P :: x:A  ⇒  Γ; Δ ⊢ x.inl; P :: x:A ⊕ B
(T⊕R2)  Γ; Δ ⊢ P :: x:B  ⇒  Γ; Δ ⊢ x.inr; P :: x:A ⊕ B
(T⊕L)  Γ; Δ, x:A ⊢ P :: T  and  Γ; Δ, x:B ⊢ Q :: T  ⇒  Γ; Δ, x:A ⊕ B ⊢ x.case(P, Q) :: T
(T&R)  Γ; Δ ⊢ P :: x:A  and  Γ; Δ ⊢ Q :: x:B  ⇒  Γ; Δ ⊢ x.case(P, Q) :: x:A & B
(T&L1)  Γ; Δ, x:A ⊢ P :: T  ⇒  Γ; Δ, x:A & B ⊢ x.inl; P :: T
(T&L2)  Γ; Δ, x:B ⊢ P :: T  ⇒  Γ; Δ, x:A & B ⊢ x.inr; P :: T

Fig. 2. The Type System πDILL
(sending a session channel of type A) to its partner before proceeding as specified by B. In a similar way, A⊸B types a session channel that first performs an input (receiving a session channel of type A) from its partner, before proceeding as specified by B. The type 1 means that the session has terminated, and no further interaction will take place on it. Notice that names of type 1 may still be passed around in sessions, as opaque values. A ⊕ B types a session that either selects "left" and then proceeds as specified by A, or else selects "right" and then proceeds as specified by B. Dually, A & B types a session channel that offers its partner a choice between an A-typed behavior ("left" choice) and a B-typed behavior ("right" choice). The type !A types a non-session (non-linearized, shared) channel (called a standard channel in [13]), to be used by a server for spawning an arbitrary number of new sessions (possibly none), each one conforming to type A.

A type environment is a collection of type assignments, of the form x : A where x is a name and A a type, the names being pairwise disjoint. Following the insights behind dual intuitionistic linear logic, which go back to Andreoli's dyadic system for classical linear logic [2], we distinguish two kinds of type environments, subject to different structural properties: a linear part Δ and an unrestricted part Γ, where weakening and contraction principles hold for Γ but not for Δ. A judgment of our system then has the form Γ; Δ ⊢ P :: z:C, where name declarations in Γ are always propagated unchanged to all premises in the typing rules, while name declarations in Δ are handled multiplicatively or additively, depending on the nature of the type being defined. The domains of Γ, Δ and z:C are required to be pairwise disjoint.
Intuitively, such a judgment asserts: P is ensured to safely provide a usage of name z according to the behavior (session) specified by type C, whenever composed with any process environment providing usages of names according to the behaviors specified by names in Γ; Δ. As shown in Section 5, in our case safety ensures that the behavior is free of communication errors and deadlock. A pure client Q that just relies on external services, and does not provide any, will be typed as Γ; Δ ⊢ Q :: −:1. In general, a process P such that Γ; Δ ⊢ P :: z:C represents a system providing behavior C at channel z, building on "services" declared in Γ; Δ. Of particular interest is a system typed as Γ; Δ ⊢ R :: z:!A, representing a shared server. Quite interestingly, the asymmetry induced by the intuitionistic interpretation of !A enforces locality of shared names but not of linear (session) names, which exactly corresponds to the intended model of sessions.

We present the rules of our type system πDILL in Fig. 2. We use T, S for right-hand-side singleton environments (e.g., z:C). The interpretation of the various rules should be clear, given the explanation of types given above. Notice that since in ⊗R the sent name is always fresh, our typed calculus conforms to a session-based internal mobility discipline [23,7], without loss of expressiveness. The composition rules (cut and cut!) follow the "composition plus hiding" principle [1], extended to a name-passing setting. More familiar linear typing rules for parallel composition (e.g., as in [21]) are derivable (see Section 6). Since we consider π-calculus terms up to structural congruence, typability is closed under ≡ by definition. πDILL enjoys the usual properties of equivariance, weakening in Γ, and contraction in Γ. The coverage property also holds: if Γ; Δ ⊢ P :: z:A then fn(P) ⊆ Γ ∪ Δ ∪ {z}. In the presence of type-annotated restrictions (νx:A)P, as usual in typed π-calculi [24], typechecking is decidable.
We illustrate the type system with a simple example, frequently used to motivate session-based interactions (see e.g., [13]). A client may choose between a "buy" operation, in which it indicates a product name and a credit card number to receive a receipt, and a "quote" operation, in which it indicates a product name, to obtain the product price. From the client perspective, the session protocol exposed by the server may be specified by the type

ServerProto ≜ (N ⊸ I ⊸ (N ⊗ 1)) & (N ⊸ (I ⊗ 1))

We assume that N and I are types representing shareable values (e.g., strings N and integers I). To simplify, we set N = I = 1. Assuming s to be the name of the session channel connecting the client and server, consider the code

QClntBody_s ≜ s.inr; (νtea)s⟨tea⟩.s(pr).0

QClntBody_s specifies a client that asks for the price of tea (we simply abstract away from what the client might do with the price after reading it). It first selects the quoting operation on the server (s.inr), then sends the id of the product to the server (s⟨tea⟩), then receives the price (s(pr)) from the server, and finally terminates the session (0). Then ·; s:ServerProto ⊢ QClntBody_s :: −:1 is derivable (by T1R, T⊗L, T⊸L and T&L2). Here we wrote − for an anonymous variable that does not appear in QClntBody. This is possible even in a linear type discipline since the inactive process 0 is typed by x:1 and does not use x. Concerning the server code, let

SrvBody_s ≜ s.case( s(pn).s(cn).(νrc)s⟨rc⟩.0 , s(pn).(νpr)s⟨pr⟩.0 ).
L. Caires and F. Pfenning

(premises listed to the left of ⟹, conclusion to the right)

(1R)    Γ; · ⊢ 1R : 1
(1L)    Γ; Δ ⊢ D : C  ⟹  Γ; Δ, x:1 ⊢ 1L x D : C
(⊗R)    Γ; Δ ⊢ D : A   and   Γ; Δ′ ⊢ E : B  ⟹  Γ; Δ, Δ′ ⊢ ⊗R D E : A ⊗ B
(⊗L)    Γ; Δ, y:A, x:B ⊢ D : C  ⟹  Γ; Δ, x:A ⊗ B ⊢ ⊗L x (y.x. D) : C
(⊸R)    Γ; Δ, y:A ⊢ D : B  ⟹  Γ; Δ ⊢ ⊸R (y. D) : A ⊸ B
(⊸L)    Γ; Δ ⊢ D : A   and   Γ; Δ′, x:B ⊢ E : C  ⟹  Γ; Δ, Δ′, x:A ⊸ B ⊢ ⊸L x D (x. E) : C
(cut)   Γ; Δ ⊢ D : A   and   Γ; Δ′, x:A ⊢ E : C  ⟹  Γ; Δ, Δ′ ⊢ cut D (x. E) : C
(cut!)  Γ; · ⊢ D : A   and   Γ, u:A; Δ ⊢ E : C  ⟹  Γ; Δ ⊢ cut! D (u. E) : C
(copy)  Γ, u:A; Δ, y:A ⊢ D : C  ⟹  Γ, u:A; Δ ⊢ copy u (y. D) : C
(!R)    Γ; · ⊢ D : A  ⟹  Γ; · ⊢ !R D : !A
(!L)    Γ, u:A; Δ ⊢ D : C  ⟹  Γ; Δ, x:!A ⊢ !L x (u. D) : C
(&R)    Γ; Δ ⊢ D : A   and   Γ; Δ ⊢ E : B  ⟹  Γ; Δ ⊢ &R D E : A & B
(&L1)   Γ; Δ, x:A ⊢ D : C  ⟹  Γ; Δ, x:A & B ⊢ &L1 x (x. D) : C
(&L2)   Γ; Δ, x:B ⊢ D : C  ⟹  Γ; Δ, x:A & B ⊢ &L2 x (x. D) : C
(⊕R1)   Γ; Δ ⊢ D : A  ⟹  Γ; Δ ⊢ ⊕R1 D : A ⊕ B
(⊕R2)   Γ; Δ ⊢ D : B  ⟹  Γ; Δ ⊢ ⊕R2 D : A ⊕ B
(⊕L)    Γ; Δ, x:A ⊢ D : C   and   Γ; Δ, x:B ⊢ E : C  ⟹  Γ; Δ, x:A ⊕ B ⊢ ⊕L x (x. D) (x. E) : C

Fig. 3. Dual Intuitionistic Linear Logic DILL
Then ·; · ⊢ SrvBody_s :: s:ServerProto is derivable, by T&R. By Tcut we obtain for the system QSimple ≜ (νs)(SrvBody_s | QClntBody_s) the typing ·; · ⊢ QSimple :: −:1. In this example we have only introduced processes interacting in a single session, but clearly the system accommodates all the generality of session types; e.g., a simple process interacting in different sessions is x:A⊸1, y:A ⊗ 1 ⊢ y(w).(νk)x⟨k⟩.0 :: −:1.
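The interaction between QClntBody_s and SrvBody_s can be played out with ordinary message queues. The following Python sketch is our own illustration (the price table and the string labels "buy"/"quote", standing in for s.inl/s.inr, are invented); it follows exactly the message order that ServerProto imposes on the quote branch.

```python
import queue
import threading

class Chan:
    """A toy bidirectional session channel: two one-way queues."""
    def __init__(self):
        self.a2b, self.b2a = queue.Queue(), queue.Queue()
    def endpoints(self):
        return _End(self.a2b, self.b2a), _End(self.b2a, self.a2b)

class _End:
    def __init__(self, out_q, in_q):
        self.out_q, self.in_q = out_q, in_q
    def send(self, v): self.out_q.put(v)
    def recv(self): return self.in_q.get()

PRICES = {"tea": 2}  # hypothetical price table

def srv_body(s):
    # SrvBody_s: offer the two branches of ServerProto
    label = s.recv()
    if label == "buy":                 # N -o I -o (N (x) 1)
        pn, _card = s.recv(), s.recv()
        s.send("receipt-for-" + pn)
    elif label == "quote":             # N -o (I (x) 1)
        s.send(PRICES[s.recv()])

def q_clnt_body(s, out):
    # QClntBody_s: select "quote" (s.inr), send the product, read the price
    s.send("quote")
    s.send("tea")
    out.append(s.recv())

def run_quote():
    c_end, s_end = Chan().endpoints()
    out = []
    t = threading.Thread(target=srv_body, args=(s_end,))
    t.start()
    q_clnt_body(c_end, out)
    t.join()
    return out[0]
```

Running `run_quote()` returns the price of tea; the point is that both sides agree on the order and direction of every message, which is what the session type guarantees statically.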
4 Dual Intuitionistic Linear Logic

As presented, session type constructors correspond directly to intuitionistic linear logic connectives. Typing judgments directly correspond to sequents in dual intuitionistic linear logic, by erasing processes [3,10]. In Figure 3 we present the DILL sequent calculus. In our presentation, DILL is conveniently equipped with a faithful proof term assignment, so sequents have the form Γ; Δ ⊢ D : C, where Γ is the unrestricted context, Δ the linear context, C a formula (= type), and D the proof term that faithfully represents the derivation of Γ; Δ ⊢ C. Our use of names in the proof system will be consistent with the proof discipline: u, v, w for variables in Γ and x, y, z for variables in Δ. This is consistent with standard usage of names in π-calculi. Given the parallel structure of the two systems, if Γ; Δ ⊢ D : A is derivable in DILL then there is a process P and a name z such that Γ; Δ ⊢ P :: z:A is derivable in πDILL, and the converse result also holds: if Γ; Δ ⊢ P :: z:A is derivable in πDILL there is a
D                          D̂^z
-------------------------  --------------------------------
1R                         0
1L x D                     D̂^z
⊗R D E                     (νy) z⟨y⟩.(D̂^y | Ê^z)
⊗L x (y.x. D)              x(y). D̂^z
⊸R (y. D)                  z(y). D̂^z
⊸L x D (x. E)              (νy) x⟨y⟩.(D̂^y | Ê^z)
&R D E                     z.case(D̂^z, Ê^z)
&L1 x (x. D)               x.inl; D̂^z
&L2 x (x. E)               x.inr; Ê^z
⊕R1 D                      z.inl; D̂^z
⊕R2 E                      z.inr; Ê^z
⊕L x (x. D) (x. E)         x.case(D̂^z, Ê^z)
cut D (x. E)               (νx)(D̂^x | Ê^z)
!R D                       !z(y). D̂^y
!L x (u. D)                D̂^z{x/u}
copy u (y. D)              (νy) u⟨y⟩. D̂^z
cut! D (u. E)              (νu)((!u(y). D̂^y) | Ê^z)

Fig. 4. Proof D extracts to process D̂^z
derivation D that proves Γ; Δ ⊢ D : A. This correspondence is made explicit by a translation from faithful proof terms to processes, defined in Fig. 4: for Γ; Δ ⊢ D : C we write D̂^z for the translation of D, such that Γ; Δ ⊢ D̂^z :: z:C.

Definition 4.1 (Typed Extraction). We write Γ; Δ ⊢ D ⇝ P :: z:A, meaning "proof D extracts to P", whenever Γ; Δ ⊢ D : A and Γ; Δ ⊢ P :: z:A and P ≡ D̂^z.

Typed extraction is unique up to structural congruence, in the sense that if Γ; Δ ⊢ D ⇝ P :: z:A and Γ; Δ ⊢ D ⇝ Q :: z:A then P ≡ Q, as a consequence of closure of typing under structural congruence. The system DILL as presented does not admit atomic formulas, and hence has no true initial sequents. However, the correspondence mentioned above yields an explicit identity theorem:

Proposition 4.2. For any type A and distinct names x, y, there is a process id_A(x, y) and a cut-free derivation D such that ·; x:A ⊢ D ⇝ id_A(x, y) :: y:A.

The id_A(x, y) process, with exactly the free names x, y, implements a synchronous mediator that bidirectionally plays the protocol specified by A between channels x and y. For example, we analyze the interpretation of the sequent A ⊗ B ⊢ B ⊗ A. We have x:A ⊗ B ⊢ F ⇝ x(z).(νn)y⟨n⟩.(P | Q) :: y:B ⊗ A, where F = ⊗L x (z.x. ⊗R D E), P = id_B(x, n) and Q = id_A(z, y). This process is an interactive proxy that coerces a session of type A ⊗ B at x to a session of type B ⊗ A at y. It first receives a session of type A (bound to z) and, after sending on y a session of type B (played by copying the continuation of x to n), it progresses with a session of type A on y (copying the continuation of z to y). As processes are related by structural and computational rules, namely those involved in the definition of ≡ and →, derivations in DILL are related by structural and computational rules that express certain sound proof transformations arising in cut-elimination.
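The extraction of Fig. 4 is a simple compositional recursion over proof-term syntax. As an illustration (our own sketch, not from the paper), the following Python fragment covers a handful of constructors, representing proof terms as tagged tuples and emitting process syntax as strings, with `new` standing for ν.

```python
def extract(term, z):
    """Translate a DILL proof term (nested tagged tuples) to a pi-calculus
    process string, following Fig. 4. Only a fragment is covered here."""
    tag = term[0]
    if tag == "1R":                       # 1R  ~>  0
        return "0"
    if tag == "1L":                       # 1L x D  ~>  D^z  (silent rule)
        _, _x, d = term
        return extract(d, z)
    if tag == "cut":                      # cut D (x. E)  ~>  (new x)(D^x | E^z)
        _, d, x, e = term
        return f"(new {x})({extract(d, x)} | {extract(e, z)})"
    if tag == "tensorR":                  # (x)R D E  ~>  (new y) z<y>.(D^y | E^z)
        _, d, e, y = term
        return f"(new {y}) {z}<{y}>.({extract(d, y)} | {extract(e, z)})"
    if tag == "lolliR":                   # -oR (y. D)  ~>  z(y).D^z
        _, y, d = term
        return f"{z}({y}).{extract(d, z)}"
    if tag == "bangR":                    # !R D  ~>  !z(y).D^y
        _, d, y = term
        return f"!{z}({y}).{extract(d, y)}"
    raise ValueError(f"constructor {tag} not covered in this sketch")
```

For instance, `extract(("cut", ("1R",), "x", ("1L", "x", ("1R",))), "z")` yields `"(new x)(0 | 0)"`, matching the figure: cut composes the two translations under a restriction, and 1L disappears silently.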
The reductions (Figure 5) generally take place when a right rule meets a left rule for the same connective, and correspond to reduction steps in the process term assignment. On the left, we show the usual reductions for cuts; on the right, we show the corresponding reductions (if any) of the process terms, modulo structural congruence. Since equivalences depend on variable occurrences, we write D_x if x may occur in D.
The structural conversions in Figure 6 correspond to structural equivalences in the π-calculus, since they just change the order of cuts; e.g., (cut/−/cut1) translates to

(νx)(D̂^x | (νy)(Ê^y | F̂^z)) ≡ (νy)((νx)(D̂^x | Ê^y) | F̂^z)

In addition, we have two special conversions. Among those, (cut/1R/1L) is not needed in order to simulate π-calculus reduction, while (cut/!R/!L) is. In cut-elimination procedures, these are always used from left to right. Here, they are listed as equivalences because the corresponding π-calculus terms are structurally congruent. The root cause for this is that the rules 1L and !L are silent: the extracted terms in the premise and conclusion are the same, modulo renaming. For 1L, this is the case because a terminated process, represented by 0 :: −:1, silently disappears from a parallel composition by structural congruence. For !L, this is the case because the actual replication of a server process is captured in the copy rule, which clones u:A to y:A, rather than in !L. It is precisely for this reason that the rule commuting a persistent cut (cut!) over a copy rule (copy) is among the computational conversions. The structural conversions in Figure 8 propagate cut!. From the proof-theoretic perspective, because cut! cuts a persistent variable u, cut! may be duplicated or erased. On the π-calculus side, these no longer correspond to structural congruences but, quite remarkably, to behavioral equivalences, derivable from known properties of typed processes, the (sharpened) Replication Theorems [24]. These hold in our language, due to our interpretation of ! types. Our operational correspondence results also depend on six commuting conversions, four in Figure 7 plus two symmetric versions. The commuting conversions push a cut up (or inside) the 1L and !L rules. During the usual cut elimination procedures, these are used from left to right. In the correspondence with the sequent calculus, the situation is more complex.
Because the 1L and !L rules do not affect the extracted term, cuts have to be permuted with these two rules in order to simulate π-calculus reduction. From the process calculus perspective, such conversions correspond to identity. There is a second group of commuting conversions (not shown), not necessary for our current development. Those correspond neither to structural congruence nor to strong bisimilarities on the π-calculus, as they may not preserve process behavior in the general untyped setting, since they promote an action prefix from a subexpression to the top level. We conjecture that such equations denote behavioral identities under a natural definition of typed observational congruence for our calculus.

Definition 4.3 (Relations on derivations induced by conversions). (1) ≡: the least congruence on derivations generated by the structural conversions (I) and the commuting conversions (II); (2) ≃: the least congruence on derivations generated by all structural conversions (I-III). We extend ≃ to processes as the congruence generated by the process equations on the right. (3) ⇒: the reduction on derivations obtained by orienting all conversions in the direction shown, from left to right or top to bottom. As discussed above, ≃ is a typed behavioral equivalence on processes.
5 Computational Correspondence, Preservation, and Progress

We now present the results stating the key properties of our type system and logical interpretation. Theorem 5.3 states the existence of a simulation between reductions in
(proof reduction ⇒ on the left; corresponding process reduction →, modulo ≡, on the right)

cut (⊗R D1 D2) (x. ⊗L x (y.x. E_xy)) ⇒ cut D1 (y. cut D2 (x. E_xy))
    (νx)((νy) x⟨y⟩.(D̂1^y | D̂2^x) | x(y).Ê^z) → (νx)(νy)(D̂1^y | D̂2^x | Ê^z)

cut (⊸R (y. D_y)) (x. ⊸L x E1 (x. E2_x)) ⇒ cut (cut E1 (y. D_y)) (x. E2_x)
    (νx)(x(y).D̂^x | (νy) x⟨y⟩.(Ê1^y | Ê2^z)) → (νx)(νy)(D̂^x | Ê1^y | Ê2^z)

cut (&R D1 D2) (x. &Li x (x. E_x)) ⇒ cut Di (x. E_x)
    (νx)(x.case(D̂1^x, D̂2^x) | x.inl; Ê^z) → (νx)(D̂i^x | Ê^z)

cut (⊕Ri D) (x. ⊕L x (x. E1_x) (x. E2_x)) ⇒ cut D (x. Ei_x)
    (νx)(x.inl; D̂^x | x.case(Ê1^z, Ê2^z)) → (νx)(D̂^x | Êi^z)

cut! D (u. copy u (y. E_uy)) ⇒ cut D (y. cut! D (u. E_uy))
    (νu)((!u(y).D̂^y) | (νy) u⟨y⟩.Ê^z) → (νy)(D̂^y | (νu)((!u(y).D̂^y) | Ê^z))

Fig. 5. Computational Conversions

(cut/−/cut1)   cut D (x. cut E_x (y. F_y))    ≡  cut (cut D (x. E_x)) (y. F_y)
(cut/−/cut2)   cut D (x. cut E (y. F_xy))     ≡  cut E (y. cut D (x. F_xy))
(cut/cut!/−)   cut (cut! D (u. E_u)) (x. F_x) ≡  cut! D (u. cut E_u (x. F_x))
(cut/−/cut!)   cut D (x. cut! E (u. F_xu))    ≡  cut! E (u. cut D (x. F_xu))
(cut/1R/1L)    cut 1R (x. 1L x D)             ≡  D
(cut/!R/!L)    cut (!R D) (x. !L x (u. E))    ≡  cut! D (u. E)

Fig. 6. Structural Conversions (I): Cut Conversions

(cut/1L/−)     cut (1L y D) (x. F_x)          ≡  1L y (cut D (x. F_x))
(cut/!L/−)     cut (!L y (u. D_u)) (x. F_x)   ≡  !L y (u. cut D_u (x. F_x))
(cut!/−/1L)    cut! D (u. 1L y E_u)           ≡  1L y (cut! D (u. E_u))
(cut!/−/!L)    cut! D (u. !L y (v. E_uv))     ≡  !L y (v. cut! D (u. E_uv))

Fig. 7. Structural Conversions (II): Commuting Conversions

(proof conversion on the left; corresponding process equivalence ≃ on the right)

cut! D (u. cut E_u (y. F_uy)) ≃ cut (cut! D (u. E_u)) (y. cut! D (u. F_uy))
    (νu)(!u(y).D̂^y | (νy)(Ê^y | F̂^z)) ≃ (νy)((νu)(!u(y).D̂^y | Ê^y) | (νu)(!u(y).D̂^y | F̂^z))

cut! D (u. cut! E_u (v. F_uv)) ≃ cut! (cut! D (u. E_u)) (v. cut! D (u. F_uv))
    (νu)(!u(y).D̂^y | (νv)(!v(y).Ê^y | F̂^z)) ≃ (νv)(!v(y).((νu)(!u(y).D̂^y | Ê^y)) | (νu)(!u(y).D̂^y | F̂^z))

cut! D (u. E) ≃ E    (for u ∉ FN(Ê^z))
    (νu)(!u(y).D̂^y | Ê^z) ≃ Ê^z

Fig. 8. Structural Conversions (III): Cut! Conversions
the typed π-calculus and proof conversions/reductions, expressing a strong form of subject reduction for our type system. The proof relies on several auxiliary lemmas, which we mostly omit, among them a sequence of lemmas relating process reduction with derivation reduction, from which we select two typical examples.

Lemma 5.1. Assume (a) Γ; Δ1 ⊢ D ⇝ P :: x:A1 ⊗ A2 with P −(νy)x⟨y⟩→ P′; and (b) Γ; Δ2, x:A1 ⊗ A2 ⊢ E ⇝ Q :: z:C with Q −x(y)→ Q′. Then (c) cut D (x. E) ≡⇒≡ F for some F; (d) Γ; Δ1, Δ2 ⊢ F ⇝ R :: z:C for R ≡ (νy)(νx)(P′ | Q′).

Lemma 5.2. Assume (a) Γ; · ⊢ D ⇝ P :: x:A; (b) Γ, u:A; Δ ⊢ E ⇝ Q :: z:C with Q −(νy)u⟨y⟩→ Q′. Then (c) cut! D (u. E) ≡⇒≡ F for some F; (d) Γ; Δ ⊢ F ⇝ R :: z:C for some R ≡ (νu)(!u(x).P | (νy)(P{y/x} | Q′)).

Theorem 5.3. Let Γ; Δ ⊢ D ⇝ P :: z:A and P → Q. Then there is E such that D ≡⇒≡ E and Γ; Δ ⊢ E ⇝ Q :: z:A.

Proof. By induction on the structure of derivation D. The possible cases for D are D = 1L y D′, D = !L x (u. D′), D = cut D1 (x. D2), and D = cut! D1 (u. D2); in all other cases P cannot reduce. The key cases are the cuts, where we rely on a series of reduction lemmas, one for each type C of cut formula, which assign certain proof conversions to process labeled transitions. For example, for C = C1 ⊗ C2, we rely on Lemma 5.1. The case of cut!, similar to the case C = !C′, relies on Lemma 5.2. We show this case in detail. Let D = cut! D1 (u. D2). We have P ≡ (νu)(!u(w).P1 | P2), Γ; · ⊢ D1 ⇝ P1 :: w:C, and Γ, u:C; Δ ⊢ D2 ⇝ P2 :: z:A by inversion. Since P → Q, there are two cases: (1) P2 → Q2 and Q ≡ (νu)(!u(w).P1 | Q2), or (2) P2 −α→ Q2 where α = (νy)u⟨y⟩ and Q ≡ (νu)(!u(w).P1 | (νy)(P1{y/w} | Q2)). Case (1): We have Γ, u:C; Δ ⊢ E′ ⇝ Q2 :: z:A for some E′ with D2 ≡⇒≡ E′ by i.h. Then cut! D1 (u. D2) ≡⇒≡ cut! D1 (u. E′) by congruence. Let E = cut! D1 (u. E′). So Γ; Δ ⊢ E ⇝ Q :: z:A by cut!. Case (2): By Lemma 5.2, cut! D1 (u. D2) ≡⇒≡ E for some E, and Γ; Δ ⊢ E ⇝ R :: z:A with R ≡ Q.

Theorems 5.4 and 5.5 state that any proof reduction or conversion also corresponds to either a process equivalence or to a reduction step on the π-calculus.

Theorem 5.4. Let Γ; Δ ⊢ D ⇝ P :: z:A and D ≃ E. Then there is Q where P ≃ Q and Γ; Δ ⊢ E ⇝ Q :: z:A.

Proof. Following the commuting squares relating ≡ and ≃ in Figures 6, 7 and 8.

Theorem 5.5. Let Γ; Δ ⊢ D ⇝ P :: z:A and D ⇒ E. Then there is Q such that P → Q and Γ; Δ ⊢ E ⇝ Q :: z:A.

Proof. Following the commuting squares relating ⇒ and → in Figure 5.
Notice that the simulation of π-calculus reductions by proof term conversions provided by Theorem 5.3, and from which subject reduction follows, is very tight indeed, as reduction is simulated up to structural congruence, which is a very fine equivalence on processes. To that end, structural conversions need to be applied symmetrically (as equations), unlike in a standard proof of cut-elimination, where they are usually considered as directed computational steps. Under the assumptions of Theorem 5.3, we can also prove that there is an E such that D ⇒⇒ E and Γ; Δ ⊢ E ⇝ R :: z:A, for
Q ≃ R. Thus, even if one considers the proof conversions as directed reduction rules (⇒), we still obtain a sound simulation up to typed strong behavioral congruence. We now state type preservation and progress results for our type system. The subject reduction property (Theorem 5.6) directly follows from Theorem 5.3.

Theorem 5.6 (Subject Reduction). If Γ; Δ ⊢ P :: z:A and P → Q then Γ; Δ ⊢ Q :: z:A.

Together with direct consequences of linear typing, Theorem 5.6 ensures session fidelity. Our type discipline also enforces a global progress property. For any P, define

live(P) iff P ≡ (νñ)(π.Q | R)    for some π.Q, R, ñ

where π.Q is a non-replicated guarded process. We first establish the following contextual progress property, from which Theorem 5.8 follows as a corollary.

Lemma 5.7. Let Γ; Δ ⊢ D ⇝ P :: z:C. If live(P) then there is Q such that either
1. P → Q, or
2. P −α→ Q for some α where s(α) ∈ (z, Γ, Δ). Moreover, if C = !A for some A, then s(α) ≠ z.

Proof. Induction on derivation D. The key cases are D = cut D1 (y. D2) and D = cut! D1 (u. D2). In the case of cut, we rely on lemmas that characterize the possible actions of a process on a name y:A, depending on the type A. These lemmas show that a synchronization between dual actions must occur. For cut!, an inversion lemma is needed, stating that free names of a non-live process can only be typed by 1 or !A types.

Theorem 5.8 (Progress). If ·; · ⊢ D ⇝ P :: x:1 and live(P) then there exists Q such that P → Q.

Proof. By Lemma 5.7 and the fact that P cannot perform any action α with subject s(α) = x, since x:1 (by the action shape characterization lemmas).
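The predicate live(P) is decidable by a straightforward recursion on process syntax: strip top-level restrictions and parallel compositions and look for a non-replicated guarded subprocess. A hypothetical sketch (our own encoding of processes as tagged tuples, not from the paper):

```python
def live(p):
    """live(P) iff, under top-level restrictions and parallel compositions,
    P contains a non-replicated guarded subprocess.
    Processes are tagged tuples:
      ("nil",) | ("prefix", pi, P) | ("repl", pi, P)
      ("par", P, Q) | ("res", n, P)
    """
    tag = p[0]
    if tag == "nil":
        return False
    if tag == "prefix":      # a non-replicated guarded process: live
        return True
    if tag == "repl":        # a replicated server by itself is not live
        return False
    if tag == "par":
        return live(p[1]) or live(p[2])
    if tag == "res":
        return live(p[2])
    raise ValueError(f"unknown constructor {tag}")
```

For instance, a replicated server composed with a waiting client is live, while the server alone under a restriction is not.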
6 Discussion and Further Examples

We further compare our linear type system for (finite) session types with more familiar session type systems [21,18,13]. An immediate observation is that in our case types are freely generated, while traditionally there is a stratification of types into "session types" and "standard types" (the latter corresponding to our !A types, typing session initiation channels). In our interpretation, a session may either terminate (1) or become a replicated server (!A), which is more general and uniform, and a natural consequence of the logical interpretation. Concerning parallel composition, usually two rules can be found, one corresponding to the cancellation of two dual session endpoints (a name restriction rule), and another corresponding to independent parallel composition, also present in most linear type systems for mobile processes. In our case, cut combines both principles, and the following rule is derivable:

Γ; Δ ⊢ P :: −:1    Γ; Δ′ ⊢ Q :: T
⟹  Γ; Δ, Δ′ ⊢ P | Q :: T    (comp)

A consequence of the logical composition rules cut and cut! is that typing intrinsically enforces global progress, unlike with traditional session type systems [18,13], which do not ensure progress in the presence of multiple open sessions, as we do here. Techniques to ensure progress in sessions, but building on extraneous devices such as well-founded orderings on events, have been proposed [20,12]. It would be interesting to further compare the various approaches, as far as process typability is concerned.
Channel "polarities" are captured in our system by the left-right distinction of sequents, rather than by annotations on channels (cf. x+, x−). Session and linear type systems [21,18,13] also include a typing rule for output of the form

Γ; Δ ⊢ P :: x:C  ⟹  Γ; Δ, y:A ⊢ x⟨y⟩.P :: x:A ⊗ C

In our case, an analogous rule may be derived by ⊗R and the copycat construction, where a "proxy" for the free name y, bidirectionally copying behavior A, is linked to z:

Γ; Δ ⊢ P :: x:C  ⟹  Γ; Δ, y:A ⊢ (νz)x⟨z⟩.(id_A(y, z) | P) :: x:A ⊗ C

The copycat id_A(y, z) plays the role of the "link" processes of [23,7]. Notice that in our case the definition of the "link" is obtained for free by the interpretation of identity axioms (Proposition 4.2). The two processes can be shown to be behaviorally equivalent, under an adequate notion of observational equivalence, as in [7]. We now elaborate on the example of Section 3, in order to illustrate sharing and session initiation. Consider now a different client, which picks the "buy" rather than the "quote" operation, and the corresponding composed system.

BClntBody_s ≜ s.inl; (νcof)s⟨cof⟩.(νpin)s⟨pin⟩.s(rc).0
BSimple ≜ (νs)(SrvBody_s | BClntBody_s)

We have the typings ·; s:ServerProto ⊢ BClntBody_s :: −:1 and ·; · ⊢ BSimple :: −:1. In these examples, there is a single installed client-server pair, where the session is already initiated and only known to the two partners. To illustrate sharing, we now consider a replicated server. Such a replicated server is able to spawn a fresh session instance for each initial invocation, each one conforming to the general behavior specified by ServerProto, and can be typed by !ServerProto. Correspondingly, clients must initially invoke the replicated server to instantiate a new session (cf. the Tcopy rule).

QClient ≜ (νs)c⟨s⟩.QClntBody_s        BClient ≜ (νs)c⟨s⟩.BClntBody_s
Server ≜ !c(s).SrvBody_s              SharSys ≜ (νc)(Server | BClient | QClient)

For the shared server, by T!R, we type ·; · ⊢ Server :: c:!ServerProto.
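The behavior typed by c:!ServerProto can be mimicked with threads: the replicated input !c(s) becomes a loop that spawns a fresh handler for each session channel received on the shared channel c, so each client gets its own private session. A toy Python sketch, our own illustration (the shutdown signal, price table, and string labels are invented additions outside the calculus):

```python
import queue
import threading

PRICES = {"tea": 2}  # hypothetical price table

def server(c):
    # !c(s).SrvBody_s : replicated input at the shared channel c;
    # every received session channel s gets its own handler thread.
    while True:
        s = c.get()
        if s is None:           # shutdown signal (not part of the calculus)
            return
        threading.Thread(target=srv_body, args=(s,)).start()

def srv_body(s):
    to_srv, to_clnt = s
    label = to_srv.get()
    if label == "quote":
        to_clnt.put(PRICES[to_srv.get()])
    elif label == "buy":
        pn, _card = to_srv.get(), to_srv.get()
        to_clnt.put("receipt-" + pn)

def q_client(c, out):
    # (new s) c<s>.QClntBody_s : create a fresh session channel, send it on c
    s = (queue.Queue(), queue.Queue())
    c.put(s)
    s[0].put("quote"); s[0].put("tea")
    out["quote"] = s[1].get()

def b_client(c, out):
    # (new s) c<s>.BClntBody_s : same initiation, then the "buy" branch
    s = (queue.Queue(), queue.Queue())
    c.put(s)
    s[0].put("buy"); s[0].put("tea"); s[0].put("1234")
    out["buy"] = s[1].get()

def run():
    c = queue.Queue()
    threading.Thread(target=server, args=(c,), daemon=True).start()
    clients, out = [], {}
    for f in (q_client, b_client):
        clients.append(threading.Thread(target=f, args=(c, out)))
    for t in clients: t.start()
    for t in clients: t.join()
    c.put(None)
    return out
```

Both clients run concurrently against the single shared server, yet each interaction follows ServerProto independently: this is exactly the session-instantiation reading of the ! type.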
We also have, for the clients, by Tcopy, the typings c:ServerProto; · ⊢ BClient :: −:1 and c:ServerProto; · ⊢ QClient :: −:1. By (comp), T!L, and Tcut we obtain the intended typing for the whole system: ·; · ⊢ SharSys :: −:1. Notice how the session instantiation protocol is naturally explained by the logical interpretation of the ! operator.
7 Related Work and Conclusions

We have established a tight correspondence between a session-based type discipline for the π-calculus and intuitionistic linear logic: typing rules correspond to dual intuitionistic linear sequent calculus proof rules; moreover, process reduction may be simulated in a type-preserving way by proof conversions and reductions, and vice versa. As a result, we obtain the subject reduction property, from which session fidelity follows. Our basic typing discipline intrinsically ensures global progress, beyond the restricted "progress on a single session" property obtained in pure session type systems.
Other works have investigated π-calculus models of linear logic proofs. Bellin and Scott [5] establish a mapping from linear logic proofs to a variant of the π-calculus and some connections between proof reduction and π-calculus reduction. However, this mapping results in complex encodings, so that their system could hardly be considered a type assignment system for processes, which has been achieved in this work. Moreover, no relation between behavioral descriptions and logical propositions was identified, as put by the authors: "[our encodings] have less to do with logic than one might think, they are essentially only about the abstract pluggings in proof structures". A realizability interpretation for a linear logic augmented with temporal modalities (cf. Hennessy-Milner) was proposed in [4], also based on a π-calculus variant. A recent related development is [17], where a correspondence between (independently formulated) proof nets and an IO-typed π-calculus is established. In our case, the type system and the logic proof system are exactly the same, and we reveal a direct connection between pure linear logic propositions and behavioral types on the π-calculus that covers all (both shared and linear) features of finite session types. A development of session types as linear process types (in the sense of [21]) is presented in [15], where linearity and sharing are expressed by special annotations, unrelated to a linear logic interpretation. We have also analyzed the relation between our type discipline and (finite, deadlock-free) session types. It is important to notice that our interpretation does not require locality for session (linear) channels (under which only the output capability of names could be transmitted), which seems required in other works on linearity for π-calculi (e.g., [26]).
On the other hand, our intuitionistic discipline enforces locality of shared channels, which, quite interestingly, seems to be the sensible choice for distributed implementations of sessions. Interesting related topics would be the accommodation of recursive types, logical relations [8], and the characterization of observational equivalences under our typing discipline. In particular, we expect that all conversions (including commuting conversions) between DILL derivations correspond to observational equivalences on our typed π-calculus. One important motivation for choosing a purely logical approach to typing is that it often suggests uniform and expressive generalizations. In ongoing work, we have also established an explicit relationship between session-based concurrency and functional computation, where in both cases determinacy (no races) and progress (deadlock-freedom) are expected features. In particular, we have been investigating new encodings of λ-calculi into the π-calculus that arise from translations from DILL natural deduction into sequent calculus. We also believe that dependent generalizations of our system of simple linear types, perhaps along the lines of LLF [9] or CLF [25], may be able to capture many additional properties of communication behavior in a purely logical manner. Already, some systems of session types have dependent character, such as [6], which, among other properties, integrates correspondence assertions into session types.

Acknowledgments. To FCT/MCTES (INTERFACES NGN44), and the ICTI at Carnegie Mellon. Thanks also to Bernardo Toninho, Nobuko Yoshida, and André Platzer.
References

1. Abramsky, S.: Computational Interpretations of Linear Logic. TCS 111(1&2) (1993)
2. Andreoli, J.-M.: Logic Programming with Focusing Proofs in Linear Logic. Journal of Logic and Computation 2(3), 297–347 (1992)
3. Barber, A., Plotkin, G.: Dual Intuitionistic Linear Logic. Technical Report LFCS-96-347, Univ. of Edinburgh (1997)
4. Beffara, E.: A Concurrent Model for Linear Logic. ENTCS 155, 147–168 (2006)
5. Bellin, G., Scott, P.: On the π-Calculus and Linear Logic. TCS 135, 11–65 (1994)
6. Bonelli, E., Compagnoni, A., Gunter, E.L.: Correspondence Assertions for Process Synchronization in Concurrent Communications. J. of Func. Prog. 15(2), 219–247 (2005)
7. Boreale, M.: On the Expressiveness of Internal Mobility in Name-Passing Calculi. Theoretical Computer Science 195(2), 205–226 (1998)
8. Caires, L.: Logical Semantics of Types for Concurrency. In: Mossakowski, T., Montanari, U., Haveraaen, M. (eds.) CALCO 2007. LNCS, vol. 4624, pp. 16–35. Springer, Heidelberg (2007)
9. Cervesato, I., Pfenning, F.: A Linear Logical Framework. Inf. & Comput. 179(1) (2002)
10. Chang, B.-Y.E., Chaudhuri, K., Pfenning, F.: A Judgmental Analysis of Linear Logic. Technical Report CMU-CS-03-131R, Carnegie Mellon University (2003)
11. Dezani-Ciancaglini, M., de' Liguoro, U.: Sessions and Session Types: An Overview. In: 6th Intl. Workshop on Web Services and Formal Methods, WS-FM 2009. LNCS. Springer, Heidelberg (2010)
12. Dezani-Ciancaglini, M., de' Liguoro, U., Yoshida, N.: On Progress for Structured Communications. In: Barthe, G., Fournet, C. (eds.) TGC 2007 and FODO 2008. LNCS, vol. 4912, pp. 257–275. Springer, Heidelberg (2008)
13. Gay, S., Hole, M.: Subtyping for Session Types in the Pi Calculus. Acta Informatica 42(2-3), 191–225 (2005)
14. Girard, J.-Y., Lafont, Y.: Linear Logic and Lazy Computation. In: Ehrig, H., Kowalski, R.A., Levi, G., Montanari, U. (eds.) TAPSOFT 1987 and CFLP 1987. LNCS, vol. 250, pp. 52–66. Springer, Heidelberg (1987)
15. Giunti, M., Vasconcelos, V.T.: A Linear Account of Session Types in the Pi-Calculus. In: Gastin, P., Laroussinie, F. (eds.) 21st International Conference on Concurrency Theory, CONCUR 2010. Springer, Heidelberg (2010)
16. Honda, K.: Types for Dyadic Interaction.
In: Best, E. (ed.) CONCUR 1993. LNCS, vol. 715, pp. 509–523. Springer, Heidelberg (1993)
17. Honda, K., Laurent, O.: An Exact Correspondence between a Typed π-Calculus and Polarised Proof-Nets. Theoretical Computer Science (to appear, 2010)
18. Honda, K., Vasconcelos, V.T., Kubo, M.: Language Primitives and Type Discipline for Structured Communication-Based Programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998)
19. Hyland, J.M.E., Luke Ong, C.-H.: Pi-Calculus, Dialogue Games and PCF. In: WG2.8 Conference on Functional Programming Languages, pp. 96–107 (1995)
20. Kobayashi, N.: A Partially Deadlock-Free Typed Process Calculus. ACM Tr. Progr. Lang. Sys. 20(2), 436–482 (1998)
21. Kobayashi, N., Pierce, B.C., Turner, D.N.: Linearity and the Pi-Calculus. In: 23rd Symp. on Principles of Programming Languages, POPL 1996, pp. 358–371. ACM, New York (1996)
22. Milner, R.: Functions as Processes. Math. Struc. in Computer Science 2(2), 119–141 (1992)
23. Sangiorgi, D.: Pi-Calculus, Internal Mobility, and Agent-Passing Calculi. Theoretical Computer Science 167(1&2), 235–274 (1996)
24. Sangiorgi, D., Walker, D.: The π-Calculus: A Theory of Mobile Processes. CUP, Cambridge (2001)
25. Watkins, K., Cervesato, I., Pfenning, F., Walker, D.: Specifying Properties of Concurrent Computations in CLF. In: Schürmann, C. (ed.) 4th Intl. Workshop on Logical Frameworks and Meta-Languages (LFM 2004), Cork, Ireland, July 2004. ENTCS, vol. 199 (2004)
26. Yoshida, N., Honda, K., Berger, M.: Linearity and Bisimulation. J. Logic and Algebraic Programming 72(2), 207–238 (2007)
Session Types for Access and Information Flow Control

Sara Capecchi¹, Ilaria Castellani², Mariangiola Dezani-Ciancaglini¹, and Tamara Rezk²

¹ Dipartimento di Informatica, Università di Torino, corso Svizzera 185, 10149 Torino, Italy
² INRIA, 2004 route des Lucioles, 06902 Sophia Antipolis, France
Abstract. We consider a calculus for multiparty sessions with delegation, enriched with security levels for session participants and data. We propose a type system that guarantees both session safety and a form of access control. Moreover, this type system ensures secure information flow, including controlled forms of declassification. In particular, the type system prevents leaks that could result from an unrestricted use of the control constructs of the calculus, such as session opening, selection, branching and delegation. We illustrate the use of our type system with a number of examples, which reveal an interesting interplay between the constraints used in security type systems and those used in session types to ensure properties like communication safety and session fidelity. Keywords: concurrency, communication-centred computing, session types, access control, secure information flow.
1 Introduction

With the advent of web technologies and the proliferation of programmable and interconnectable devices, we are faced today with a powerful and heterogeneous computing environment. This environment is inherently parallel and distributed and, unlike previous computing environments, it heavily relies on communication. It therefore calls for a new programming paradigm which is sometimes called communication-centred. Moreover, since computations take place concurrently in all kinds of different devices, controlled by parties which possibly do not trust each other, security properties such as the confidentiality and integrity of data become of crucial importance. The issue is then to develop models, as well as programming abstractions and methodologies, to be able to exploit the rich potential of this new computing environment, while making sure that we can harness its complexity and get around its security vulnerabilities. To this end, calculi and languages for communication-centred programming have to be security-minded from their very conception, and make use of specifications not only for data structures, but also for communication interfaces and for security properties. The aim of this paper is to investigate type systems for safe and secure sessions. A session is an abstraction for various forms of "structured communication" that may occur in a parallel and distributed computing environment. Examples of sessions are
Work partially funded by the INRIA Sophia Antipolis COLOR project MATYSS, by the ANR-SETI-06-010 and ANR-08-EMER-010 grants, and by the MIUR Projects DISCO and IPODS.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 237–252, 2010. © Springer-Verlag Berlin Heidelberg 2010
a client-service negotiation, a financial transaction, or a multiparty interaction among different services within a web application. Language-based support for sessions has now become the subject of active research. Primitives for enabling programmers to code sessions in a flexible way, as well as type systems ensuring the compliance of programs to session specifications (session types), have been studied in a variety of calculi and languages in the last decade. Session types were originally introduced in a variant of the π-calculus [20]. We refer to [7] for a survey on the session type literature. The key properties ensured by session types are communication safety, namely the consistency of the communication patterns exhibited by the partners (implying the absence of communication errors), and session fidelity, ensuring that channels which carry messages of different types do it in a specific order. Enforcement of security properties via session types has been studied in [3,15]. These papers propose a compiler which, given a multiparty session description, implements cryptographic protocols that guarantee session execution integrity. The question of ensuring access control in binary sessions has been recently addressed in [13] for the Calculus of Services with Pipelines and Sessions of [4], where delegation is absent. On the other hand, the property of secure information flow has not been investigated within session calculi so far. This property, first studied in the early eighties [9], has regained interest in the last decade, due to the evolution of the computing environment. It has now been thoroughly studied for both programming languages (cf. [16] for a review) and process calculi [8,10,12]. In this paper, we address the question of incorporating mandatory access control and secure information flow within session types.
We consider a calculus for multiparty sessions with delegation, enriched with security levels for both session participants and data, and providing a form of declassification for data [18], as required by most practical applications. We propose a type system that ensures access control, namely that each participant receives data of security level less than or equal to its own. For instance, in a well-typed session involving a Customer, a Seller and a Bank, the secret credit card number of the Customer will be communicated to the Bank, but not to the Seller. Moreover, our type system prevents insecure flows that could occur via the specific constructs of the language, such as session opening, selection, branching and delegation. Finally, we show that it allows controlled forms of declassification, namely those permitted by the access control policy. Our work reveals an interesting interplay between the constraints of security type systems and those used in session types to ensure properties like communication safety and session fidelity.

The rest of the paper is organised as follows. In Section 2 we motivate our access control and declassification policies with an example. Section 3 introduces the syntax and semantics of our calculus. In Section 4 we define the secure information flow property. In Section 5 we illustrate this property by means of examples. Section 6 presents our type system for safe and secure sessions and theorems establishing its soundness. Section 7 concludes with a discussion on future work. The reader is referred to the full paper (available at http://hal.inria.fr/INRIA) for complete definitions and proofs.
Session Types for Access and Information Flow Control
239
2 A First Example on Access Control and Declassification

In this section we illustrate by an example the basic features of our typed calculus, as well as our access control policy and its use for declassification. The question of secure information flow will only be marginal here; it will be discussed in Sections 4 and 5.

A client C sends the title of a book to a bookseller S. Then S delegates to a bank B both the reception of the credit card number of C and the control of its validity. This delegation is crucial for assuring the secrecy of the credit card number, which should be read by B but not by S. Then B notifies S about the result of the control: for this a declassification is needed. Finally, if the credit card is valid, C receives a delivery date from S, otherwise the deal falls through. More precisely, the protocol is as follows:

1. C opens a connection with S and sends a title to S;
2. S opens a connection with B and delegates to B part of his conversation with C;
3. C sends his secret credit card number apparently to the untrusted party S but really (thanks to delegation) to the trusted party B;
4. B delegates back to S the conversation with C;
5. B selects the answer ok or ko for S depending on the validity of the credit card, thus performing a declassification;
6. S sends to C either ok and a date, or just ko, depending on the label ok or ko chosen by B.

In our calculus, which is an enrichment with security levels of the calculus in [2], this scenario may be described as the parallel composition of the following processes, where security levels appear as superscripts on both data and operators (here we omit unnecessary levels on operators and use ⊥ to mean "public" and ⊤ to mean "secret"):

I = ā[2] | b̄[2]
C = a[1](α1).α1!⟨2, Title⊥⟩.α1!^⊥⟨2, CreditCard⊤⟩.α1&(2, {ok : α1?(2, date⊥).0, ko : 0})
S = a[2](α2).α2?(1, x⊥).b[2](β2).β2!⟨⟨1, α2⟩⟩.β2?((1, ζ)).β2&(1, {ok : ζ ⊕ ⟨1, ok⟩.ζ!⟨1, Date⊥⟩.0, ko : ζ ⊕ ⟨1, ko⟩.0})
B = b[1](β1).β1?((2, ζ)).ζ?(2, cc⊥).β1!⟨⟨2, ζ⟩⟩.if valid(cc⊥) then β1 ⊕ ⟨2, ok⟩.0 else β1 ⊕ ⟨2, ko⟩.0
A session is a particular activation of a service, involving a number of parties with predefined roles. Here processes C and S communicate by opening a session on service a, while processes S and B communicate by opening a session on service b. The initiators ā[2] and b̄[2] specify the number of participants of each service. We associate integers with participants in services: here C=1, S=2 in service a and B=1, S=2 in service b. In process C, the prefix a[1](α1) means that C wants to act as participant 1 in service a using channel α1, matching channel α2 of participant 2, who is S. When the session is established, C sends to S a title of level ⊥ and a credit card number of level ⊤, indicating (by the superscript ⊥ on the output operator) that the credit card number may be declassified to ⊥. Then he waits for either ok, followed by a date, or ko.

Process S receives a value in service a and then enters service b as participant 2. Here the output β2!⟨⟨1, α2⟩⟩ sends channel α2 to the participant 1 of b, who is B, thus delegating to B the use of α2. Then S waits for a channel ζ from B. Henceforth,
Table 1. Global types of the B, C, S example
   (service a)                                        (service b)
1. C → S : ⟨String⊥⟩
2. S δ                                                S → B : ⟨T⟩
3. C → S : ⟨Number⊤↓⊥⟩
4. S δ                                                B → S : ⟨T'⟩
5.                                                    B → S : {ok : end, ko : end}
6. S → C : {ok : S → C : ⟨String⊥⟩; end, ko : end}
S communicates using both channels β2 and ζ: on channel β2 he waits for one of the labels ok or ko, which he then forwards to C on ζ, sending also a date if the label is ok.

Forgetting session opening and abstracting from values to types, we may represent the whole communication protocol by the global types of Table 1 (where we use B, C, S instead of 1, 2), where the left-hand side and right-hand side describe services a and b, respectively. Line 1 says that C sends a String of level ⊥ to S. In line 2, S δ means that the channel from S to C is delegated: this delegation is realised by the transmission of the channel (with type T) from S to B, as shown on the right-hand side. Line 3 says that C sends a Number of level ⊤ to S, allowing him to declassify it to ⊥. Notice that due to the previous delegation the Number is received by B and not by S. Line 4 describes a delegation which is the inverse of that in line 2: here the (behavioural) type of the channel has changed, since the channel has already been used to receive the Number. Line 5 says that B sends to S one of the labels ok or ko. Finally, line 6 says that S sends to C either the label ok followed by a String of level ⊥, or the label ko. Since B's choice of the label ok or ko depends on a test on the Number, it is crucial that Number be previously declassified to ⊥, otherwise the reception of a String of level ⊥ by C would depend on a value of level ⊤ (this is where secure information flow comes into play).

Type T represents the conversation between C and S after the first communication, seen from the viewpoint of S. Agreeing that ?(−) and !⟨−⟩ represent input and output in types, that ";" stands for sequencing, and that ⊕⟨−, {−}⟩ represents the choice of sending one among different labels, it is easy to see that the session type T is:

?(C, Number⊤↓⊥); ⊕⊥⟨C, {ok : !⟨C, String⊥⟩; end, ko : end}⟩
where the communication partner of S (namely C) is explicitly mentioned. The session type T' is the rest of type T after the first communication has been done:

⊕⊥⟨C, {ok : !⟨C, String⊥⟩; end, ko : end}⟩
To formalise access control, we will give security levels to service participants, and require that a participant of a given level does not receive data of higher or incomparable level. Since the only secret datum in our example is CreditCard, it is natural to associate ⊥ with S in both services a and b, and ⊤ with B in service b. Notice that C may indifferently have level ⊤ or ⊥, since it only sends, but does not receive, the high datum CreditCard.
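As an illustration, the access control policy just described, together with the level assignments of the example, can be rendered as a one-line check. The sketch below is our own encoding, not part of the calculus: the names `leq`, `participant_level` and `may_receive` are assumptions, and the two-point lattice is represented with the strings "bot" (⊥) and "top" (⊤).

```python
# Two-point security lattice: "bot" (public) <= "top" (secret).
def leq(a, b):
    return a == b or (a == "bot" and b == "top")

# Participant levels chosen in the text: bottom for the Seller, top for the Bank.
participant_level = {"S": "bot", "B": "top"}

def may_receive(participant, data_level):
    """Access control: a participant may only receive data of level <= its own."""
    return leq(data_level, participant_level[participant])

# The Bank may read CreditCard^top, the Seller may not:
assert may_receive("B", "top")
assert not may_receive("S", "top")
```

The delegation in the protocol is exactly what lets the secret reach B while the session, syntactically, is held with S.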
3 Syntax and Semantics

Our calculus for multiparty asynchronous sessions is essentially the same as that considered in [2], with the addition of runtime configurations and security levels.
Table 2. Syntax of expressions, processes, queues, and configurations

P ::=  ū[n]                              n-ary session initiator
    |  u[p](α).P                         p-th session participant
    |  c!^{ℓ'}⟨Π, e⟩.P                   value sending
    |  c?^{ℓ'}(p, x^{ℓ'}).P              value receiving
    |  c!^ℓ⟨⟨q, c'⟩⟩.P                   delegation sending
    |  c?^ℓ((p, α)).P                    delegation reception
    |  c ⊕^ℓ ⟨Π, λ⟩.P                    selection
    |  c &^ℓ(p, {λi : Pi}_{i∈I})         branching
    |  if e then P else Q                conditional
    |  P | Q                             parallel
    |  0                                 inaction
    |  (νa^ℓ)P                           name hiding
    |  def D in P                        recursion
    |  X⟨e, c⟩                           process call

u ::= x | a                              identifier
v ::= a | true | false | ...             value
c ::= α | s[p]                           channel
e ::= v | x | e op e' | ...              expression
D ::= X(x, α) = P                        declaration
Π ::= {p} | Π ∪ {p}                      set of participants
ϑ ::= v^{ℓ↓ℓ'} | s[p]^ℓ | λ^ℓ            message content
m ::= (p, Π, ϑ)                          message in transit
h ::= m · h | ε                          queue
H ::= H ∪ {s : h} | ∅                    Qset
r ::= a | s                              service/session name
Syntax. Let (S, ≤) be a finite lattice of security levels, ranged over by ℓ, ℓ'. We denote by ⊔ and ⊓ the join and meet operations on the lattice, and by ⊥ and ⊤ its minimal and maximal elements. We assume the following sets: service names, ranged over by a, b, ..., each of which has an arity n ≥ 2 (its number of participants) and a security level ℓ; value variables, ranged over by x, y, ..., all decorated with security levels; identifiers, i.e., service names and value variables, ranged over by u, w, ..., all decorated with security levels; channel variables, ranged over by α, β, ...; labels, ranged over by λ, λ', ... (acting like labels in labelled records). Values v are either service names or basic values (boolean values, integers, etc.). When treated as an expression, a value is decorated with a security level ℓ; when used in a message, it is decorated with a declassified level of the form ℓ↓ℓ', where ℓ' ≤ ℓ (in case ℓ = ℓ', we will simply write ℓ instead of ℓ↓ℓ).

Sessions, the central abstraction of our calculus, are denoted by s, s', .... A session represents a particular instance or activation of a service; hence sessions only appear at runtime. We use p, q, ... to denote the participants of a session. In an n-ary session (a session corresponding to an n-ary service) p, q are assumed to range over the natural numbers 1, ..., n. We denote by Π a non-empty set of participants. Each session s has an associated set of channels with role s[p], one for each participant. Channel s[p] is the private channel through which participant p communicates with the other participants in the session s. A new session s on an n-ary service a^ℓ is opened when the initiator ā^ℓ[n] of the service synchronises with n processes of the form a^ℓ[p](α).P. We use c to range over channel variables and channels with roles. Finally, we assume a set of process variables X, Y, ..., in order to define recursive behaviours.

The set of expressions, ranged over by e, e', ..., and the set of processes, ranged over by P, Q, ..., are given by the grammar in Table 2, where syntax occurring only at runtime appears shaded. The primitives are decorated with security levels. When there is no risk of confusion we will omit the set delimiters {, }.
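The lattice (S, ≤) with its join ⊔ and meet ⊓ can be modelled directly from the order relation. The sketch below is our own illustration (the class name and representation are assumptions, not part of the calculus); it is exercised on a diamond lattice with two incomparable levels between ⊥ and ⊤.

```python
class Lattice:
    """A finite lattice (S, <=) given by its elements and the pairs of its order."""
    def __init__(self, elements, leq_pairs):
        self.elements = set(elements)
        self._leq = set(leq_pairs) | {(x, x) for x in self.elements}

    def leq(self, a, b):
        return (a, b) in self._leq

    def _bound(self, a, b, above):
        # Candidates lying above (for join) or below (for meet) both a and b.
        if above:
            cs = [x for x in self.elements if self.leq(a, x) and self.leq(b, x)]
        else:
            cs = [x for x in self.elements if self.leq(x, a) and self.leq(x, b)]
        for c in cs:
            # The join (meet) is the candidate below (above) all other candidates.
            if all(self.leq(c, d) if above else self.leq(d, c) for d in cs):
                return c
        raise ValueError("not a lattice")

    def join(self, a, b):  # least upper bound, the lattice operation ⊔
        return self._bound(a, b, above=True)

    def meet(self, a, b):  # greatest lower bound, the lattice operation ⊓
        return self._bound(a, b, above=False)

# Diamond lattice: bot <= l, r <= top, with l and r incomparable.
diamond = Lattice(
    ["bot", "l", "r", "top"],
    [("bot", "l"), ("bot", "r"), ("l", "top"), ("r", "top"), ("bot", "top")],
)
```

For example, `diamond.join("l", "r")` is `"top"` and `diamond.meet("l", "r")` is `"bot"`, as expected of two incomparable levels.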
As in [11], in order to model TCP-like asynchronous communications (with non-blocking send but message order preservation between a given pair of participants), we use queues of messages, denoted by h. An element of h may be: a value message (p, Π, v^{ℓ↓ℓ'}), indicating that the value v is sent by participant p to all participants in Π, with the right of declassifying it from ℓ to ℓ'; a channel message (p, q, s[p']^ℓ), indicating that p delegates to q the role of p' with level ℓ in the session s; or a label message (p, Π, λ^ℓ), indicating that p selects the process with label λ among the processes offered by the set of participants Π. The empty queue is denoted by ε, and the concatenation of a new message m to a queue h by h · m. Conversely, m · h means that m is the head of the queue. Since there may be nested and parallel sessions, we distinguish their queues by naming them. We denote by s : h the named queue h associated with session s. We use H, K to range over sets of named queues, also called Qsets.

Operational Semantics. The operational semantics is defined on configurations. A configuration is a pair C = ⟨P, H⟩ of a process P and a Qset H, possibly restricted with respect to service and session names, or a parallel composition of configurations, denoted by C ∥ C'. In a configuration (νs)⟨P, H⟩, all occurrences of s[p] in P and H and of s in H are bound. By abuse of notation we will often write P instead of ⟨P, ∅⟩. We use a structural equivalence ≡ [14] for processes, queues and configurations. Modulo ≡, each configuration has the form (νr̃)⟨P, H⟩, where (νr̃)C stands for (νr1)···(νrk)C, if r̃ = r1···rk. In (νa^ℓ)C, we assume that α-conversion on the name a preserves the level ℓ. Among the rules for queues, we have one for commuting independent messages and another one for splitting a message for multiple recipients. The transitions for configurations have the form C −→ C'. They are derived using the reduction rules in Table 3.
Rule [Link] describes the initiation of a new session among n processes, corresponding to an activation of the service a of arity n. After the connection, the participants share a private session name s and the corresponding queue, initialised to s : ε. The variable αp in each participant Pp is replaced by the corresponding channel with role s[p]. The output rules [Send], [DelSend] and [Label] push values, channels and labels, respectively, into the queue s : h. In rule [Send], e ↓ v^ℓ denotes the evaluation of the expression e to the value v^ℓ, where ℓ is the join of the security levels of the variables and values occurring in e. The superscript ℓ' on the output sign indicates that v can be declassified to level ℓ' when received by an input process s[q]?^{ℓ'}(p, x^{ℓ'}).P. This is why the value is recorded with both levels in the queue. The rules [Rec], [DelRec] and [Branch] perform the corresponding complementary operations. As usual, we will use −→* for the reflexive and transitive closure of −→.
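The queue-based rules [Send] and [Rec], including the splitting of a message for multiple recipients and the matching of an input's level against the value's declassified level, can be mimicked as follows. This is an illustrative sketch under our own encoding of messages, not the paper's formal semantics; the class and method names are assumptions.

```python
from collections import deque

class SessionQueue:
    """One session queue s : h. A message is
    (sender, receivers, (value, level, declassified_level))."""

    def __init__(self):
        self.h = deque()

    def send(self, p, receivers, value, level, decl):
        # [Send]: append (p, Pi, v^{level ↓ decl}) at the tail of the queue.
        self.h.append((p, frozenset(receivers), (value, level, decl)))

    def receive(self, q, p, input_level):
        # [Rec]: q reads from p; the input's level must match the value's
        # declassified level, which is how the semantics enforces access control.
        sender, receivers, (v, lvl, decl) = self.h[0]
        if sender != p or q not in receivers:
            raise RuntimeError("no matching message at the head of the queue")
        if decl != input_level:
            raise RuntimeError("level mismatch: cannot read this value")
        self.h.popleft()
        rest = receivers - {q}
        if rest:  # splitting rule: the message stays for the other recipients
            self.h.appendleft((sender, rest, (v, lvl, decl)))
        return v
```

For instance, after `send(1, {2, 3}, "CreditCard", "top", "bot")`, both participants 2 and 3 can read the value with a "bot"-level input, and the message disappears only after the last read.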
4 Information Flow Security in Sessions

We turn now to the question of ensuring secure information flow [6] within sessions. We shall be interested in the property of noninterference (NI) [9], combined with a limited form of declassification [1], which may only take place during a value communication. The property of NI requires that there is no flow of information from objects of a given level to objects of lower or incomparable level [21,19,16]. To set the stage for our information flow analysis, the first questions to ask are:
1. Which objects of the calculus should carry security levels?
2. Which information leaks can occur and how can they be detected?

As concerns objects, we shall see that besides values, also labels, delegated channels and services will need security levels. Since this question requires some discussion, which is best understood through examples, we defer it to the next section, just assuming here as a fact that queue messages have the form (p, Π, ϑ), where ϑ may be v^{ℓ↓ℓ'}, λ^ℓ or s[p]^ℓ.

In the rest of this section, we will focus on the observation model, which will be based on bisimulation, as is now standard for concurrent processes [19,17]. We assume that the observer can see the content of messages in session queues. To fix ideas, one may view the observer as a kind of buffer through which messages may transit while reaching or leaving a session queue. We do not want to go as far as allowing an observer to take part in a session, since that could affect the behaviour of other processes. In other words, we assume a passive observer rather than an active one.

What matters for security is observation relative to a given set of levels. Given a downward-closed subset L of S, an L-observer will only be able to see messages whose level belongs to L. A notion of L-equality =_L on Qsets is then introduced, representing indistinguishability of Qsets by an L-observer. Based on =_L, a notion of L-bisimulation ≈_L will formalise indistinguishability of processes by an L-observer. Formally, a queue s : h is L-observable if it contains some message with a level in L. Then two Qsets are L-equal if their L-observable queues have the same names and contain the same messages with a level in L. This equality is based on an L-projection operation on Qsets, which discards all messages whose level is not in L.

Definition 1. Let the functions lev↑ and lev↓ be defined by: lev↑(v^{ℓ↓ℓ'}) = ℓ, lev↓(v^{ℓ↓ℓ'}) = ℓ', and lev↑(s[p]^ℓ) = lev↑(λ^ℓ) = ℓ = lev↓(s[p]^ℓ) = lev↓(λ^ℓ).

Definition 2.
Table 3. Reduction rules (excerpt)

[Link]     a^ℓ[1](α1).P1 | ... | a^ℓ[n](αn).Pn | ā^ℓ[n] −→ (νs)⟨P1{s[1]/α1} | ... | Pn{s[n]/αn}, s : ε⟩

[Send]     ⟨s[p]!^{ℓ'}⟨Π, e⟩.P, s : h⟩ −→ ⟨P, s : h · (p, Π, v^{ℓ↓ℓ'})⟩    (e ↓ v^ℓ)

[Rec]      ⟨s[q]?^{ℓ'}(p, x^{ℓ'}).P, s : (p, q, v^{ℓ↓ℓ'}) · h⟩ −→ ⟨P{v^{ℓ'}/x^{ℓ'}}, s : h⟩

[DelSend]  ⟨s[p]!^ℓ⟨⟨q, s'[p']⟩⟩.P, s : h⟩ −→ ⟨P, s : h · (p, q, s'[p']^ℓ)⟩

[DelRec]   ⟨s[q]?^ℓ((p, α)).P, s : (p, q, s'[p']^ℓ) · h⟩ −→ ⟨P{s'[p']/α}, s : h⟩

[Label]    ⟨s[p] ⊕^ℓ ⟨Π, λ⟩.P, s : h⟩ −→ ⟨P, s : h · (p, Π, λ^ℓ)⟩

[Branch]   ⟨s[q] &^ℓ(p, {λi : Pi}_{i∈I}), s : (p, q, λ_{i0}^ℓ) · h⟩ −→ ⟨P_{i0}, s : h⟩    (i0 ∈ I)

[ScopC]    C −→ (νs̃)C'  implies  (νr̃)(C ∥ C'') −→ (νr̃)(νs̃)(C' ∥ C'')

The projection operation ⇓ L is defined inductively on messages, queues and Qsets as follows:
(p, Π, ϑ) ⇓ L = (p, Π, ϑ)   if lev↓(ϑ) ∈ L,   ε otherwise.
ε ⇓ L = ε
(m · h) ⇓ L = m ⇓ L · h ⇓ L
∅ ⇓ L = ∅
(H ∪ {s : h}) ⇓ L = H ⇓ L ∪ {s : h ⇓ L}   if h ⇓ L ≠ ε,   H ⇓ L otherwise.

Definition 3 (L-Equality of Qsets). Two Qsets H and K are L-equal, written H =_L K, if H ⇓ L = K ⇓ L.

When reducing a configuration (νr̃)⟨P, H⟩, we have to make sure that input prefixes in P "agree" with messages in H. This is assured by our type system given in Section 6. A relation on processes is an L-bisimulation if it preserves L-equality of Qsets at each step, starting from typable configurations:

Definition 4 (L-Bisimulation on processes). A symmetric relation R ⊆ (Pr × Pr) is an L-bisimulation if P1 R P2 implies, for any pair of Qsets H1 and H2 such that H1 =_L H2 and ⟨P1, H1⟩, ⟨P2, H2⟩ are typable: if ⟨P1, H1⟩ −→ (νr̃)⟨P1', H1'⟩, then either H1' =_L H2 and P1' R P2, or there exist P2', H2' such that ⟨P2, H2⟩ −→* (νr̃)⟨P2', H2'⟩, where H1' =_L H2' and P1' R P2'. Processes P1, P2 are L-bisimilar, written P1 ≈_L P2, if P1 R P2 for some L-bisimulation R.

Note that r̃ may either be empty or be a service name or a fresh session name s, and in the latter case s cannot occur in P2 and H2 by the Barendregt convention. Intuitively, a transition that adds or removes a message with level in L must be simulated in one or more steps, producing the same effect on the Qset, whereas a transition that only affects messages with level not in L may be simulated by inaction.

Definition 5 (L-Security). A program P is L-secure if P ≈_L P.
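Definitions 2 and 3 can be made concrete. The sketch below uses our own representation of messages and Qsets (Python lists and dicts, with lev↓ stored explicitly in each payload) and implements the projection ⇓ L and the L-equality check.

```python
# A Qset is a dict {session_name: [messages]}; a message is (p, receivers, payload)
# with payload = (value, lev_up, lev_down): lev_down is the declassified level
# for values and the plain level for labels and delegated channels.
def lev_down(payload):
    return payload[2]

def project_queue(h, L):
    """h ⇓ L: keep only the messages whose lev_down belongs to L."""
    return [m for m in h if lev_down(m[2]) in L]

def project_qset(H, L):
    """H ⇓ L: keep only the L-observable (non-empty after projection) queues."""
    return {s: project_queue(h, L) for s, h in H.items() if project_queue(h, L)}

def l_equal(H, K, L):
    """H =_L K: indistinguishability of Qsets by an L-observer."""
    return project_qset(H, L) == project_qset(K, L)

# The Qsets H1 and H2 of Section 5 differ only in a top-level value,
# so they are equal for a {bot}-observer but not for a {bot, top}-observer.
H1 = {"s": [(1, (2,), ("true", "top", "top"))]}
H2 = {"s": [(1, (2,), ("false", "top", "top"))]}
```

Here `l_equal(H1, H2, {"bot"})` holds while `l_equal(H1, H2, {"bot", "top"})` does not.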
5 Examples of Information Flow Security in Sessions

In this section we illustrate the various kinds of flow that can occur in our calculus, through simple examples. Since we aim at justifying the introduction of security levels in the syntax (other than on values and participants), we shall initially omit levels in all other objects. In queues, we will use v^ℓ as a shorthand for v^{ℓ↓ℓ}. For the sake of simplicity, we assume here just two security levels ⊥ and ⊤ (also called low and high). In all examples, we suppose H1 = {s : (1, 2, true⊤)} and H2 = {s : (1, 2, false⊤)}.

5.1. High input should not be followed by low actions. A simple example of insecure flow, which is not specific to our calculus but arises in all process calculi with values and a conditional construct, is the following (assuming session s has four participants):
s[2]?(1, x⊤).if x⊤ then s[2]!⟨3, true⊤⟩.0 else 0 | s[3]?(2, z⊤).s[3]!⟨4, true⊥⟩.0 | s[4]?(3, y⊥).0

This process is insecure because, depending on the high value received for x⊤ on channel s[2], that is, on whether the Qset is H1 or H2, the low value true⊥ will be emitted or not on channel s[3], leading to H1' = {s : (3, 4, true⊥)} ≠_L H2' = {s : ε} if L = {⊥}. This shows that a high input should not be followed by a low output. Note that the reverse is not true, since output is not blocking: if we swapped the polarities of input and output in the third participant (and adjusted them accordingly in the other participants), then the resulting process would be secure.

Let us point out that this process is not typable in a classical session type system, since the session types of the conditional branches are not the same. However, it would become typable if the second branch of the conditional were replaced by the deadlocked process (νb)b[1](β1).s[2]!⟨3, true⊤⟩.0. The expert reader will notice that by adding to our type system the interaction typing of [2] (which enforces global progress) we would rule out also this second process. On the other hand, the interaction typing does not prevent deadlocks due to inverse session calls, as for instance:

b̄[2] | b[1](β1).c[1](γ1).s[2]!⟨3, true⊤⟩.0 | c̄[2] | c[2](γ2).b[2](β2).0

Clearly, this deadlock could be used to implement the insecure flow in our example.

5.2. Need for levels on services. Consider the following process:

s[2]?(1, x⊤).if x⊤ then b̄[2] else 0 | b[1](β1).β1!⟨2, true⊥⟩.0 | b[2](β2).β2?(1, y⊥).0

This process is insecure because, depending on the high value received for x⊤, it will initiate or not a session on service b, which performs a low value exchange. To rule out this kind of leak we annotate service names with security levels which are a lower bound for all the actions they execute.
Then service b must be of level ⊤, since it appears in the branch of a ⊤ conditional, and hence it will not allow the output of the value true⊥.

5.3. Need for levels on selection and branching. Consider the following process:

s[2]?(1, x⊤).if x⊤ then s[2] ⊕ ⟨3, λ⟩.0 else s[2] ⊕ ⟨3, λ'⟩.0
| s[3]&(2, {λ : s[3]!⟨4, true⊥⟩.0, λ' : s[3]!⟨4, false⊥⟩.0})
| s[4]?(3, y⊥).0

This process is insecure because a selection in one participant, which depends on a high value, causes the corresponding branching participant to emit two different low values. To prevent this kind of leak, the selection and branching operators will be annotated with a security level which is a lower bound for all actions executed in the branches.

5.4. Need for levels on delegated channels. Consider the following process:

s[2]?(1, x⊤).if x⊤ then s[2]!⟨⟨3, s'[1]⟩⟩.s[2]!⟨⟨4, s''[1]⟩⟩.0 else s[2]!⟨⟨3, s''[1]⟩⟩.s[2]!⟨⟨4, s'[1]⟩⟩.0
| s[3]?((2, η)).η!⟨2, true⊥⟩.0
| s[4]?((2, η')).η'!⟨2, false⊥⟩.0
| s'[2]?(1, x⊥).0 | s''[2]?(1, y⊥).0

This process is insecure because, depending on the high value received for x⊤, the participants 3 and 4 of s will be delegated to participate in sessions s' and s'', or vice versa,
feeding the queues of s' and s'' with different low values. This shows that delegation send and receive should also carry a level, which will be a lower bound for all actions executed in the receiving participant after the delegation.

5.5. Levels in queue messages. So far, we have identified which objects of the calculus need security levels, namely: values, service names, and the operators of selection, branching and delegation. We now discuss how levels are recorded into queue messages. Values are recorded in the queues with both their level and their declassified level. The reason for recording also the declassified level is access control: the semantics does not allow a low input process to fetch a high value that has not been declassified to low. More formally, a value v^{⊤↓⊥} in the queue can only be read by a process s[q]?^⊥(p, x⊥).P. Concerning service names a^ℓ, the level ℓ guarantees that the session initiator and all the participants get started in a context of level ≤ ℓ (see Example 5.2). Once the session is established, the name a disappears and it is its global type (cf. next section) that will ensure that all participants perform actions of levels greater than or equal to ℓ. As for the operators of branching/selection and delegation, they disappear after the reduction and their level is recorded respectively into labels and delegated channels within queue messages. This is essential since in this case the communication is asynchronous and occurs in two steps. Hence queue messages have the form (p, Π, ϑ), where ϑ is v^{ℓ↓ℓ'}, λ^ℓ or s[p]^ℓ.
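To connect these examples with the observation model of Section 4, the leak of Example 5.1 can be replayed concretely: the two runs driven by true⊤ and false⊤ leave queue contents that a {⊥}-observer distinguishes. The simulation below is our own simplification, recording only the messages that reach the queue of s; the function names are assumptions.

```python
def final_queue(high_input):
    """Queue of s in Example 5.1 after participants 2 and 3 have acted,
    as (sender, receiver, value, level) messages (our simulation)."""
    h = []
    if high_input:                        # participant 2 read true^top...
        h.append((2, 3, "true", "top"))   # ...and emits true^top to 3;
        h.pop()                           # 3 consumes the high message...
        h.append((3, 4, "true", "bot"))   # ...and emits the low value to 4
    return h

def bot_view(h):
    """What a {bot}-observer sees of the queue."""
    return [m for m in h if m[3] == "bot"]

# The two runs are distinguishable by a bottom-level observer, so the
# process cannot be {bot}-bisimilar to itself: it is insecure.
assert bot_view(final_queue(True)) != bot_view(final_queue(False))
```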
6 Type System

In this section we present our type system for secure sessions and state its properties. Just like process syntax, types will contain security levels.

Safety Global Types, Session Types, and Projections. A safety global type is a pair L⟨G⟩, decorated with a security level ℓ, describing a service where:
– L : {1, ..., n} → S is a safety mapping from participants to security levels;
– G is a global type, describing the whole conversation scenario of an n-ary service;
– ℓ is the meet of all levels appearing in G, denoted by M(G).

The grammar of global types is:

Exchange   U ::= S^{ℓ↓ℓ'} | T | L⟨G⟩^ℓ
Sorts      S ::= bool | ...
Global     G ::= p → Π : ⟨U⟩.G' | p → Π : {λi : Gi}^ℓ_{i∈I} | p δ^ℓ.G' | μt.G' | t | end

The type p → Π : ⟨U⟩.G' says that participant p multicasts a message of type U to all participants in Π and then the interactions described in G' take place. Exchange types U may be sort types S^{ℓ↓ℓ'} for values (base types decorated with a declassification ℓ↓ℓ'), session types T for channels (defined below), or safety global types for services. If U is a session type T, then Π is a singleton {q}. We use S^ℓ as short for S^{ℓ↓ℓ}, called a trivial declassification. Type p → Π : {λi : Gi}^ℓ_{i∈I}, where ℓ = ⊓_{i∈I} M(Gi), says that participant p multicasts one of the labels λi to the participants in Π. If λj is sent, the interactions described in Gj take place. Type p δ^ℓ.G' says that the role of p is delegated to another participant; this construct does not appear in the original global types of [11]. It is needed here to "mark" the delegated part of the type, which is discharged when calculating its join (see below).
Type μt.G is a recursive type, where the type variable t is guarded in the standard way. In the grammar of exchange types, we suppose that G does not contain free type variables. Type end represents the termination of a session. While global types represent the whole session protocol, session types correspond to the communication actions, representing each participant's contribution to the session. As for M(G), we denote by M(T) the meet of all security levels appearing in T.

Session   T ::=  !⟨Π, S^{ℓ↓ℓ'}⟩; T             send
             |   ?(p, S^{ℓ↓ℓ'}); T             receive
             |   !^ℓ⟨q, T⟩; T'                 delsend
             |   ?^ℓ(p, T); T'                 delreceive
             |   ⊕^ℓ⟨Π, {λi : Ti}_{i∈I}⟩       selection
             |   &^ℓ(p, {λi : Ti}_{i∈I})       branching
             |   μt.T                          recursive
             |   t                             variable
             |   δ; T                          delegation
             |   end                           end
The send type !⟨Π, S^{ℓ↓ℓ'}⟩; T expresses the sending to all participants in Π of a value of type S, of level ℓ declassified to ℓ', followed by the communications described in T. The delsend type !^ℓ⟨q, T⟩; T', where ℓ = M(T), says that a channel of type T is sent to participant q, and then the protocol specified by T' takes place. The selection type ⊕^ℓ⟨Π, {λi : Ti}_{i∈I}⟩, where ℓ = ⊓_{i∈I} M(Ti), represents the transmission to all participants in Π of a label λj in {λi | i ∈ I}, followed by the communications described in Tj. The delegation type δ; T says that the communications described in T will be delegated to another agent. The receive, delreceive and branching types are dual to the send, delsend, and selection ones. The type system will assure that ℓ' ≤ M(T) in type ?(p, S^{ℓ↓ℓ'}); T, that ℓ ≤ M(T') in type ?^ℓ(p, T); T' and that ℓ = ⊓_{i∈I} M(Ti) in type &^ℓ(p, {λi : Ti}_{i∈I}). In all cases, the need for the security level is motivated by one of the examples in Section 5.

The relation between global types and session types is formalised by the notion of projection [11]. The projection of G onto q, denoted G ↾ q, gives participant q's view of the protocol described by G. For example the projection of G = p → p' : ⟨T⟩.G' onto q is the following, assuming ℓ = M(T):

(p → p' : ⟨T⟩.G') ↾ q =  !^ℓ⟨p', T⟩; (G' ↾ q)   if q = p,
                         ?^ℓ(p, T); (G' ↾ q)    if q = p',
                         G' ↾ q                 otherwise.

Well-formedness of safety global types. To formulate the well-formedness condition for safety global types, we define the join J(T) of a session type T. Intuitively, while M(T) is needed for secure information flow, J(T) will be used for access control. Recall from Section 2 our access control policy, requiring that participants in a session only read data of level less than or equal to their own level. This motivates our (slightly non-standard) definition of join: in short, J(T) is the join of all the security levels decorating the input constructs in T (receive, delreceive, branching). Moreover, unlike M(T), J(T) forgets the delegated part of T. This leads to the following condition of well-formedness for safety global types, where dom(L) denotes the domain of L:

A safety global type L⟨G⟩^ℓ is well formed if for all p ∈ dom(L): L(p) ≥ J(G ↾ p).

Henceforth we shall only consider well-formed safety global types.
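The projection G ↾ p, the join J, and the well-formedness condition can be prototyped for a small fragment. The encoding below is ours (tagged tuples standing for global and session types, and a two-point lattice); it checks the condition L(p) ≥ J(G ↾ p) on a bookshop-like global type where B reads a ⊤ value.

```python
# Illustrative encodings, not the paper's concrete syntax:
#   global types:  ("msg", p, q, read_level, cont) | ("end",)
#   session types: ("send", q, level, cont) | ("recv", p, level, cont) | ("end",)
def project(G, r):
    """G restricted to participant r (the projection G |- r)."""
    if G[0] == "end":
        return ("end",)
    _, p, q, level, cont = G
    if r == p:
        return ("send", q, level, project(cont, r))
    if r == q:
        return ("recv", p, level, project(cont, r))
    return project(cont, r)

def leq(a, b):  # two-point lattice "bot" <= "top"
    return a == b or (a == "bot" and b == "top")

def join_J(T):
    """J(T): join of the levels decorating the input (recv) constructs."""
    if T[0] == "end":
        return "bot"
    tag, _, level, cont = T
    j = join_J(cont)
    return level if tag == "recv" and not leq(level, j) else j

def well_formed(L, G):
    """L<G> is well formed iff L(p) >= J(G |- p) for every p in dom(L)."""
    return all(leq(join_J(project(G, p)), L[p]) for p in L)

# C sends a public value to S, then a secret one (read by B): only a level
# assignment giving top to B satisfies the access control condition.
G = ("msg", "C", "S", "bot", ("msg", "C", "B", "top", ("end",)))
```

With this `G`, `well_formed({"C": "bot", "S": "bot", "B": "top"}, G)` holds, while lowering B's level to "bot" violates the condition.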
Typing expressions. The typing judgments for expressions are of the form:

Γ ⊢ e : S^ℓ

where Γ is the standard environment which maps variables to sort types with trivial declassification, services to safety global types, and process variables to pairs of sort types with trivial declassification and session types. Formally, we define:

Γ ::= ∅ | Γ, x : S^ℓ | Γ, a : L⟨G⟩^ℓ | Γ, X : S^ℓ T

assuming that we can write Γ, x : S^ℓ (respectively Γ, a : L⟨G⟩^ℓ and Γ, X : S^ℓ T) only if x (respectively a and X) does not belong to the domain of Γ. An environment Γ is well formed if x^ℓ : S^{ℓ'} ∈ Γ implies ℓ = ℓ', and a^ℓ : L⟨G⟩^{ℓ'} ∈ Γ implies that ℓ = ℓ' and G is well formed. Hence, if Γ is well formed, a : L⟨G⟩^ℓ ∈ Γ implies ℓ = M(G). In the following we will only consider well-formed environments. We type values by decorating their type with their security level, and names according to Γ:

Γ ⊢ true^ℓ, false^ℓ : bool^ℓ          Γ, u : S^ℓ ⊢ u : S^ℓ   [Name]

We type expressions by decorating their type with the join of the security levels of the variables and values they are built from.

Typing processes. The typing judgments for processes are of the form:
Γ ⊢^ℓ P ▷ Δ

where Δ is the process environment which associates session types with channels:

Δ ::= ∅ | Δ, c : T

We decorate the derivation symbol with the security level inferred for the process: this level is a lower bound for the actions and communications performed in the process. Let us now present some selected typing rules for processes.

– Rule [SubS] allows the security level inferred for a process to be decreased.

    Γ ⊢^ℓ P ▷ Δ    ℓ' ≤ ℓ
    ─────────────────────  [SubS]
    Γ ⊢^{ℓ'} P ▷ Δ

– In rule [MInit], the standard environment must associate with the identifier u a safety global type. The premise matches the number of participants in the domain of L with the number declared by the initiator. The emptiness of the process environment in the conclusion specifies that there is no further communication behaviour after the initiator.

    dom(L) = {1, ..., n}
    ──────────────────────────  [MInit]
    Γ, u : L⟨G⟩^ℓ ⊢^ℓ ū[n] ▷ ∅

– In rule [MAcc], the standard environment must also associate with u a safety global type. The premise guarantees that the type of the continuation P in the p-th participant is the p-th projection of the global type G of u.

    Γ, u : L⟨G⟩^ℓ ⊢^ℓ P ▷ Δ, α : G ↾ p
    ───────────────────────────────────  [MAcc]
    Γ, u : L⟨G⟩^ℓ ⊢^ℓ u[p](α).P ▷ Δ
Concerning security levels, in rule [MAcc] we check that the continuation process P conforms to the security level ℓ associated with the service name u. Note that this condition does not follow from well-formedness of environments, since the process P may participate in other sessions, but it is necessary to avoid information leaks. For example, without this condition we could type:

ā⊤[2] | a⊤[1](α1).α1!⟨2, true⊤⟩.0 | a⊤[2](α2).α2?(1, x⊤).if x⊤ then b̄⊤[2] else 0
| b⊤[1](β1).c⊥[1](γ1).γ1!⟨2, true⊥⟩.0 | b⊤[2](β2).0
| c̄⊥[2] | c⊥[2](γ2).γ2?(1, y⊥).0

– In rule [Send], the first hypothesis binds expression e with type S^ℓ, where ℓ is the join of all variables and values in e. The second hypothesis imposes typability of the continuation of the output with security level ℓ''. The third hypothesis relates levels ℓ, ℓ'' and ℓ' (the level to which e will be declassified), preserving the invariant that ℓ'' is a lower bound for all security levels of the actions in the process.
Γ ⊢ e : Sℓ    Γ ⊢ℓ″ P ▷ Δ, c : T    ℓ″ ≤ ℓ′ ≤ ℓ
---------------------- (Send)
Γ ⊢ℓ″ c!⟨Π, e⟩.P ▷ Δ, c : !⟨Π, S↓ℓ′⟩; T
Note that the hypothesis ℓ″ ≤ ℓ′ is not really constraining, since P can always be downgraded to ℓ″ using rule SubS, and ℓ′ ≤ ℓ follows from well-formedness of S↓ℓ′.
– Rule Rcv is the dual of rule Send, but it is more restrictive in that it requires the continuation P to be typable with exactly the level ℓ′:
Γ, x : S↓ℓ′ ⊢ℓ′ P ▷ Δ, c : T    ℓ′ ≤ ℓ
---------------------- (Rcv)
Γ ⊢ℓ′ c?(p, x).P ▷ Δ, c : ?(p, S↓ℓ′); T
Notice for instance that we cannot type the reception of a ⊤ value followed by a ⊥ action. On the other hand, we can type the reception of a ⊤↓⊥ value followed by a ⊥ action. For instance, in our introductory example of Section 2, rule (Rcv) allows the delegation send in process B to be decorated by ⊥: this is essential for the typability of both the process B and the session b between S and B.
– Rule If requires that the two branches of a conditional be typed with the same process environment, and with the same security level as the tested expression.
Γ ⊢ e : boolℓ    Γ ⊢ℓ P ▷ Δ    Γ ⊢ℓ Q ▷ Δ
---------------------- (If)
Γ ⊢ℓ if e then P else Q ▷ Δ
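Rule If ties the level of both branches to that of the guard, which is exactly what rules out implicit flows. A minimal illustration (not from the paper; the names `leaky` and `low_output` are hypothetical) of the kind of leak that branching on high data creates:

```python
# Hypothetical sketch of an implicit flow: branching on a high (secret)
# boolean drives a low-observable action, so a low observer learns the secret.
# Typing both branches at the guard's level forbids this pattern.

def leaky(secret: bool) -> list:
    low_output = []                  # low-observable channel
    if secret:                       # high guard
        low_output.append("ok")      # low action inside a high branch
    else:
        low_output.append("ko")
    return low_output

# A low observer distinguishes the two values of the secret:
assert leaky(True) != leaky(False)
```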
We say that a process P is typable in Γ if Γ ⊢ℓ P ▷ Δ holds for some ℓ and Δ.
Typing queues and Q-sets. Message types represent the messages contained in queues.
Message  T ::= !⟨Π, S↓ℓ⟩    message value send
             | !⟨q, T⟩       message delegation
             | ⊕⟨Π, λ⟩       message selection
             | T; T          message sequence

Message types are very close to the send, delsend and selection session types, hence we shall not dwell on them. Let us just mention the associativity of the construct T; T.
S. Capecchi et al.
Typing judgments for queues have the shape
Γ ⊢ s : h ▷ Θ

where Θ is a queue environment associating message types with channels. Example: we can derive ⊢ s : (2, {1, 3}, ok) ▷ {s[2] : ⊕⟨{1, 3}, ok⟩}. Typing judgments for Q-sets have the shape:
Γ ⊢Σ H ▷ Θ

where Σ is the set of session names which occur free in H.
Typing configurations. Typing judgments for runtime configurations C have the form:
Γ ⊢Σ C ▷ ⟨Δ · Θ⟩

They associate with a configuration the environments Δ and Θ, mapping channels to session and message types respectively. We call ⟨Δ · Θ⟩ a configuration environment. A configuration type is a session type, or a message type, or a message type followed by a session type:

Configuration  T ::= T       session
                   | T       message
                   | T; T    continuation

An example of a configuration type is: ⊕⊥⟨{1, 3}, ok⟩; !⟨{3}, String⟩; ?(3, Number⊥); end
A configuration is initial if the process is closed, does not use runtime syntax, and the Q-set is empty. It is easy to check that for typable initial configurations the set of session names and the process and queue environments are all empty. Since channels with roles occur both in processes and in queues, a configuration environment associates configuration types with channels, in notation ⟨Δ · Θ⟩(c). Configuration types can be projected on a participant p. We write T ↾ p to denote the projection of the type T on the participant p. We also define a duality relation ⋈ between projections of configuration types, which holds when opposite communications are offered (input/output, selection/branching). The above definitions are needed to state coherence of configuration environments. Informally, coherence holds when the inputs and the branchings offered by the process agree both with the outputs and the selections offered by the process and with the messages in the queues. More formally:

Definition 6. A configuration environment ⟨Δ · Θ⟩ is coherent if s[p] ∈ dom(Δ) ∪ dom(Θ) and s[q] ∈ dom(Δ) ∪ dom(Θ) imply ⟨Δ · Θ⟩(s[p]) ↾ q ⋈ ⟨Δ · Θ⟩(s[q]) ↾ p.

Typing rules assure that configurations are always typed with coherent environments. Since process and queue environments represent future communications, by reducing processes we get different configuration environments. This is formalised by the notion of reduction of configuration environments, denoted ⟨Δ · Θ⟩ ⇒ ⟨Δ′ · Θ′⟩.
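To make the duality of projections concrete, here is a toy sketch, not the paper's formal definition: projections are abstracted as sequences of constructor tags, and two projections are dual when, position by position, each output faces an input and each selection a branching.

```python
# Toy sketch (hypothetical representation): projections of configuration
# types as lists of constructor tags ("!" output, "?" input, "+" selection,
# "&" branching, "end"). Duality holds when tags are pairwise opposite.

DUAL = {"!": "?", "?": "!", "+": "&", "&": "+", "end": "end"}

def projections_dual(p, q):
    # same length and opposite constructors at every position
    return len(p) == len(q) and all(DUAL[a] == b for a, b in zip(p, q))

assert projections_dual(["+", "!", "?", "end"], ["&", "?", "!", "end"])
assert not projections_dual(["!", "end"], ["!", "end"])  # two outputs clash
```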
We say that a queue is generated by service a, or a-generated, if it is created by applying rule [Link] to the parallel composition of a's participants and initiator.
We are now able to state our main results, namely type preservation under reduction and the soundness of our type system for both access control and noninterference. In Theorem 2, we use the function lev↑(ϑ) defined in Section 4 (Definition 1).

Theorem 1 (Subject Reduction). Suppose Γ ⊢Σ C ▷ ⟨Δ · Θ⟩ and C −→∗ C′. Then Γ ⊢Σ C′ ▷ ⟨Δ′ · Θ′⟩ with ⟨Δ · Θ⟩ ⇒ ⟨Δ′ · Θ′⟩.

Theorem 2 (Access Control). Let C be an initial configuration, and suppose Γ ⊢∅ C ▷ ⟨∅ · ∅⟩ for some standard environment Γ such that a : ⟨L, G⟩ ∈ Γ. If C −→∗ (ν s)C′, where the queue of name s in C′ is a-generated and contains the message (p, q, ϑ), then lev↑(ϑ) ≤ L(q).

Theorem 3 (Noninterference). If P is typable, then P ≃L P for all down-closed L.
7 Conclusion and Future Work

In this work, we have investigated the integration of security requirements into session types. Interestingly, there appears to be an influence of session types on security. For instance, it is well known that one of the causes of insecure information flow in a concurrent scenario is the possibility of different termination behaviours in the branches of a high conditional. In our calculus, we may distinguish three termination behaviours: (proper) termination, deadlock and divergence. Now, the classical session types of [20] already exclude some combinations of these behaviours in conditional branches. For instance, a non-trivial divergence (whose body contains some communication actions) in one branch cannot coexist with a non-trivial termination in the other branch. Moreover, session types prevent local deadlocks due to a bad matching of the communication behaviours of participants in the same session. By adding to classical session types the interaction typing of [2], we would also exclude most of the global deadlocks due to a bad matching of the protocols of two interleaved sessions. However, this typing does not prevent deadlocks due to inverse session calls. We plan to study a strengthening of interaction typing that would rule out also this kind of deadlock. This would allow us to simplify our type system by removing our constraint in the typing rule for input. The form of declassification considered in this work is admittedly quite simple. However, it already illustrates the connection between declassification and access control, since a declassified value may only be received by a participant whose level is greater than or equal to the original level of the value. This means that declassification is constrained by the access control policy, as in [5].
We plan to extend declassification also to data which are not received from another participant, by allowing declassification of a tested expression, as in this variant of the B process of our example in Section 2:

B = . . . if {cc = secret}↓⊥ then β1 ⊕⊥ ⟨2, ok⟩.0 else β1 ⊕⊥ ⟨2, ko⟩.0

Again, this declassification would be controlled by requiring B to have the level of the tested expression.
Acknowledgments. We would like to thank Nobuko Yoshida for her encouragement to engage in this work, and the anonymous referees for helpful feedback.
References

1. Almeida Matos, A., Boudol, G.: On Declassification and the Non-Disclosure Policy. Journal of Computer Security 17, 549–597 (2009)
2. Bettini, L., Coppo, M., D'Antoni, L., De Luca, M., Dezani-Ciancaglini, M., Yoshida, N.: Global Progress in Dynamically Interleaved Multiparty Sessions. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 418–433. Springer, Heidelberg (2008)
3. Bhargavan, K., Corin, R., Deniélou, P.-M., Fournet, C., Leifer, J.J.: Cryptographic Protocol Synthesis and Verification for Multiparty Sessions. In: Proc. CSF 2009, pp. 124–140. IEEE Computer Society, Los Alamitos (2009)
4. Boreale, M., Bruni, R., De Nicola, R., Loreti, M.: Sessions and Pipelines for Structured Service Programming. In: Barthe, G., de Boer, F.S. (eds.) FMOODS 2008. LNCS, vol. 5051, pp. 19–38. Springer, Heidelberg (2008)
5. Boudol, G., Kolundžija, M.: Access Control and Declassification. In: Proc. Computer Network Security. CCIS, vol. 1, pp. 85–98. Springer, Heidelberg (2007)
6. Denning, D.E.R.: Cryptography and Data Security. Addison-Wesley, Reading (1982)
7. Dezani-Ciancaglini, M., de'Liguoro, U.: Sessions and Session Types: An Overview. In: Laneve, C. (ed.) WS-FM 2010. LNCS, vol. 6194, pp. 1–28. Springer, Heidelberg (2010)
8. Focardi, R., Gorrieri, R.: Classification of Security Properties (Part I: Information Flow). In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 331–396. Springer, Heidelberg (2001)
9. Goguen, J.A., Meseguer, J.: Security Policies and Security Models. In: Proc. IEEE Symposium on Security and Privacy, pp. 11–20. IEEE Computer Society, Los Alamitos (1982)
10. Honda, K., Yoshida, N.: A Uniform Type Structure for Secure Information Flow. In: Proc. POPL 2002, pp. 81–92. ACM Press, New York (2002)
11. Honda, K., Yoshida, N., Carbone, M.: Multiparty Asynchronous Session Types. In: Proc. POPL 2008, pp. 273–284. ACM Press, New York (2008)
12. Kobayashi, N.: Type-Based Information Flow Analysis for the Pi-Calculus. Acta Informatica 42(4–5), 291–347 (2005)
13. Kolundžija, M.: Security Types for Sessions and Pipelines. In: Bruni, R., Wolf, K. (eds.) WS-FM 2008. LNCS, vol. 5387, pp. 175–190. Springer, Heidelberg (2009)
14. Milner, R.: Communicating and Mobile Systems: the Pi-Calculus. Cambridge University Press, Cambridge (1999)
15. Planul, J., Corin, R., Fournet, C.: Secure Enforcement for Global Process Specifications. In: Proc. CONCUR 2009. LNCS, vol. 5710, pp. 511–526. Springer, Heidelberg (2009)
16. Sabelfeld, A., Myers, A.C.: Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)
17. Sabelfeld, A., Sands, D.: Probabilistic Noninterference for Multi-threaded Programs. In: Proc. CSFW 2000, pp. 200–214. IEEE Computer Society, Los Alamitos (2000)
18. Sabelfeld, A., Sands, D.: Dimensions and Principles of Declassification. In: Proc. CSFW 2005. IEEE Computer Society, Los Alamitos (2005)
19. Smith, G., Volpano, D.: Secure Information Flow in a Multi-threaded Imperative Language. In: Proc. POPL 1998, pp. 355–364. ACM Press, New York (1998)
20. Takeuchi, K., Honda, K., Kubo, M.: An Interaction-based Language and its Typing System. In: Halatsis, C., Philokyprou, G., Maritsas, D., Theodoridis, S. (eds.) PARLE 1994. LNCS, vol. 817, pp. 398–413. Springer, Heidelberg (1994)
21. Volpano, D., Irvine, C., Smith, G.: A Sound Type System for Secure Flow Analysis. Journal of Computer Security 4(2–3), 167–187 (1996)
Simulation Distances

Pavol Černý, Thomas A. Henzinger, and Arjun Radhakrishna

IST Austria
Abstract. Boolean notions of correctness are formalized by preorders on systems. Quantitative measures of correctness can be formalized by real-valued distance functions between systems, where the distance between implementation and specification provides a measure of "fit" or "desirability." We extend the simulation preorder to the quantitative setting, by making each player of a simulation game pay a certain price for her choices. We use the resulting games with quantitative objectives to define three different simulation distances. The correctness distance measures how much the specification must be changed in order to be satisfied by the implementation. The coverage distance measures how much the implementation restricts the degrees of freedom offered by the specification. The robustness distance measures how much a system can deviate from the implementation description without violating the specification. We consider these distances for safety as well as liveness specifications. The distances can be computed in polynomial time for safety specifications, and for liveness specifications given by weak fairness constraints. We show that the distance functions satisfy the triangle inequality, that the distance between two systems does not increase under parallel composition with a third system, and that the distance between two systems can be bounded from above and below by distances between abstractions of the two systems. These properties suggest that our simulation distances provide an appropriate basis for a quantitative theory of discrete systems. We also demonstrate how the robustness distance can be used to measure how many transmission errors are tolerated by error correcting codes.
1 Introduction
Standard verification systems return a boolean answer that indicates whether a system satisfies its specification. However, not all correct implementations are equally good, and not all incorrect implementations are equally bad. There is thus a natural question whether it is possible to extend the standard specification frameworks and verification algorithms to capture a finer and more quantitative view of the relationship between specifications and systems. We focus on extending the notion of simulation to the quantitative setting. For reactive systems, the standard correctness requirement is that all executions
This work was partially supported by the European Union project COMBEST and the European Network of Excellence ArtistDesign.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 253–268, 2010.
© Springer-Verlag Berlin Heidelberg 2010
of an implementation have to be allowed by the specification. Requiring that the specification simulates the implementation is a stricter condition, but it is computationally less expensive to check. The simulation relation defines a preorder on systems. We extend the simulation preorder to a distance function that, given two systems, returns a real-valued distance between them. Let us consider the definition of simulation of an implementation I by a specification S as a two-player game, where Player 1 (the implementation) chooses moves (transitions) and Player 2 (the specification) tries to match each move. The goal of Player 1 is to prove that simulation does not hold, by driving the game into a state from which Player 2 cannot match the chosen move; the goal of Player 2 is to prove that there exists a simulation relation, by playing the game forever. In order to extend this definition to capture how "good" (or how "bad") the simulation is, we make the players pay a certain price for their choices. The goal of Player 1 is then to maximize the cost of the game, and the goal of Player 2 is to minimize it. The cost is given by an objective function, such as the limit average of transition prices. For example, for incorrect implementations, i.e., those for which the specification S does not simulate the implementation I, we might be interested in how often the specification (Player 2) cannot match an implementation move. We formalize this using a game with a limit-average objective between modified systems. The specification is allowed to "cheat," by following a non-existing transition, while the implementation is left unmodified. More precisely, the specification is modified by giving the transitions from the original system a weight of 0, and adding new "cheating" transitions with a non-zero positive weight. As Player 2 is trying to minimize the value of the game, she is motivated not to cheat.
The value of the game measures how often the specification can be forced to cheat by the implementation, that is, how often the implementation violates the specification (i.e., commits an error) in the worst case. We call this distance function correctness. Let us consider the examples in Figure 1. We take the system S1 as the specification. The specification allows at most two symbols b to be output in a row. Now let us consider the two incorrect implementations I3 and I4. The implementation I3 outputs an unbounded number of b's in a row, while the implementation I4 can output three b's in a row. The specification S1 will thus not be able to simulate either I3 or I4, but I4 is a "better" implementation in the sense that it violates the requirement to a smaller degree. We capture this by allowing S1 to cheat in the simulation game by taking an existing edge while outputting a different symbol. When simulating the system I3, the specification S1 will have to output a b when taking the edge from state 2 to state 0. This cheating transition will be taken every third move while simulating I3. The correctness distance from S1 to I3 will therefore be 1/3. When simulating I4, the specification S1 needs to cheat only one in four times, namely when I4 takes a transition from its state 2 to state 3. The distance from S1 to I4 will be 1/4. Considering the implementation I2 from Figure 1, it is easy to see that it is correct with respect to the specification S1. The correctness distance would thus be 0. However, it is also easy to see that I2 does not include all behaviors allowed
[Figure: four transition systems over the alphabet {a, b}: (a) S1, (b) I2, (c) I3, (d) I4]
Fig. 1. Example Systems
by S1. Our second distance function, coverage, is the dual of the correctness distance. It measures how many of the behaviors allowed by the specification are actually implemented by the implementation. This distance is obtained as the value for the implementation in a game in which I is required to simulate S, with the implementation being allowed to cheat. Our third distance function is called robustness. It measures how robust the implementation I is with respect to the specification S in the following sense: we measure how often the implementation can make an unexpected error (i.e., it performs a transition not present in its transition relation), with the resulting behavior still being accepted by the specification. Unexpected errors could be caused, for example, by a hardware problem, by a wrong environment assumption, or by a malicious attack. Robustness measures how many such unexpected errors are tolerated. In addition to safety specifications, we consider liveness specifications given by weak (Büchi) fairness constraints or strong (Streett) fairness constraints. In order to define distances to liveness specifications, the notion of quantitative simulation is extended to fair quantitative simulation. We study variations of the correctness, coverage, and robustness distances using limit-average and discounted objective functions. Limit-average objectives measure the long-run frequency of errors, whereas discounted objectives count the number of errors and give more weight to earlier errors than later ones. The correctness, coverage, and robustness distances can be calculated by solving the value problem in the corresponding games. Without fairness requirements, we obtain limit-average games or discounted games with constant weights. The values of such games can be computed in polynomial time [20].
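For the deterministic examples of Figure 1, the correctness distances above can be checked by simply following the implementation's unique run and counting how often the specification is forced to cheat. The encoding below (dicts of (symbol, successor) edges) is our own sketch, and the greedy walk is adequate only because I3 and I4 are deterministic; in general one must solve the limit-average game.

```python
# Sketch: spec S1 allows at most two b's in a row; I3 outputs b forever,
# I4 outputs three b's and then an a. We count how often S1 must "cheat"
# (take an existing edge while outputting a different symbol).

S1 = {0: [("a", 0), ("b", 1)], 1: [("a", 0), ("b", 2)], 2: [("a", 0)]}
I3 = {0: [("b", 0)]}
I4 = {0: [("b", 1)], 1: [("b", 2)], 2: [("b", 3)], 3: [("a", 0)]}

def cheat_frequency(spec, impl, steps):
    s, t, cheats = 0, 0, 0
    for _ in range(steps):
        sym, t = impl[t][0]                       # the unique move of impl
        match = [q for (a, q) in spec[s] if a == sym]
        if match:
            s = match[0]                          # spec matches the symbol
        else:
            cheats += 1                           # cheat on an existing edge
            s = spec[s][0][1]
    return cheats / steps

assert abs(cheat_frequency(S1, I3, 3000) - 1 / 3) < 1e-9   # distance 1/3
assert abs(cheat_frequency(S1, I4, 4000) - 1 / 4) < 1e-9   # distance 1/4
```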
We obtain polynomial complexity also for distances between systems with weak-fairness constraints, whereas for strong-fairness constraints, the best known algorithms require exponential time. We present composition and abstraction techniques that are useful for computing and approximating simulation distances between large systems. Finally, we present an application of the robustness distance. We consider error correction systems for transmitting data over noisy channels. Three implementations based on the Hamming code, triple modular redundancy, and no error correction, with different robustness properties, are analyzed.
Related work. Weighted automata [4,10] provide a way to assign values to words, and to languages defined by finite-state systems. Distances between systems can
be defined using weighted automata, analogously to boolean language inclusion. However, the complexity of computing such distances is not known [4]. Our solution of using a quantitative version of simulation games corresponds in the boolean case to the choice of using simulation instead of language inclusion. There have been several attempts to give a mathematical semantics to reactive processes which is based on quantitative metrics rather than boolean preorders [18,6]. In particular for probabilistic processes, it is natural to generalize bisimulation relations to bisimulation metrics [9,19], and similar generalizations can be pursued if quantities enter not through probabilities but through discounting [7] or continuous variables [2] (this work uses the Skorohod metric on continuous behaviors to measure the distance between hybrid systems). We consider distances between purely discrete (non-probabilistic, untimed) systems, and our distances are directed rather than symmetric (based on simulation rather than bisimulation). Software metrics measure properties such as lines of code, depth of inheritance (in an object-oriented language), number of bugs in a module, or the time it took to discover the bugs (see for example [12,16]). These functions measure syntactic properties of the source code, and are fundamentally different from our distance functions, which capture the difference in the behavior (semantics) of programs.
2 Quantitative Simulation Games
Transition Systems. A transition system is a tuple ⟨S, Σ, E, s0⟩ where S is a finite set of states, Σ is a finite alphabet, E ⊆ S × Σ × S is a set of labeled transitions, and s0 is the initial state. We require that for every s ∈ S, there exists a transition from s. The set of all transition systems is denoted by S. A weighted transition system is a transition system along with a weight function v from E to Q. A run in a transition system T is an infinite path ρ = ρ0 σ0 ρ1 σ1 ρ2 σ2 . . . ∈ (S · Σ)^ω where ρ0 = s0 and, for all i, (ρi, σi, ρi+1) ∈ E.
Fairness Conditions. A Büchi (weak fairness) condition for a (weighted) transition system is a set of states F ⊆ S. Given a Büchi condition F and a run ρ = ρ0 σ0 ρ1 σ1 . . . of a transition system, the run ρ is fair iff ∀n ≥ 0 : (∃i > n : ρi ∈ F). A Streett (strong fairness) condition for a (weighted) transition system is a set of request-response pairs F = {⟨E1, F1⟩, ⟨E2, F2⟩, . . . , ⟨Ed, Fd⟩} where each Ei, Fi ∈ 2^S. Given a Streett condition, a run ρ = ρ0 σ0 ρ1 σ1 . . . is fair iff ∀k ≤ d : (|{i | ρi ∈ Ek}| = ∞) ⇒ (|{i | ρi ∈ Fk}| = ∞). We denote a transition system A with a fairness condition F as A^F.
Game Graphs. A game graph G is a tuple ⟨S, S1, S2, Σ, E, s0⟩ where S, Σ, E and s0 are as in transition systems and (S1, S2) is a partition of S. The choice of the next state is made by Player 1 (Player 2) when the current state is in S1 (respectively, S2). A weighted game graph is a game graph along with a weight function v from E to Q. A run in the game graph G is called a play. The set of all plays is denoted by Ω. When the two players represent the choices internal to a system, we call the game graph an alternating transition system. We only consider alternating
transition systems where the transitions from Player 1 states go only to Player 2 states and vice versa. We use A^F to denote an alternating transition system A with fairness condition F.
Strategies. Given a game graph G, a strategy for Player 1 is a function π : (S · Σ)^∗ S1 → S × Σ such that ∀s0 σ0 s1 σ1 . . . si ∈ (S · Σ)^∗ S1, we have that if π(s0 σ0 s1 σ1 . . . si) = (s, σ), then (si, σ, s) ∈ E. A strategy for Player 2 is defined similarly. The set of all strategies for Player p is denoted by Πp. A play ρ = ρ0 σ0 ρ1 σ1 ρ2 σ2 . . . conforms to a Player p strategy π if ∀i ≥ 0 : (ρi ∈ Sp ⇒ (ρi+1, σi) = π(ρ0 σ0 ρ1 σ1 . . . ρi)). The outcome of strategies π1 and π2 is the unique play out(π1, π2) that conforms to both π1 and π2. Two restricted notions of a strategy are sufficient for many classes of games. A memoryless strategy is one where the value of the strategy function depends solely on the last state in the history, whereas a finite-memory strategy is one where the necessary information about the history can be summarized by a finite amount of information.
Games and Objectives. A game is a game graph and a boolean or quantitative objective. A boolean objective is a function Φ : Ω → {0, 1}; the goal of Player 1 in a game with objective Φ is to choose a strategy so that, no matter what Player 2 does, the outcome maps to 1, and the goal of Player 2 is to ensure that the outcome maps to 0. A quantitative objective is a value function f : Ω → R; the goal of Player 1 is to maximize the value f of the play, whereas the goal of Player 2 is to minimize it. We only consider quantitative objectives which map plays to values in [0, 1]. Given a boolean objective Φ, a play ρ is winning for Player 1 (Player 2) if Φ(ρ) = 1 (Φ(ρ) = 0). A strategy π is a winning strategy for Player p if every play conforming to π is winning for Player p.
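On ultimately periodic ("lasso") plays, boolean objectives such as the Büchi fairness condition above can be evaluated directly. A minimal sketch, under the assumption (ours, for illustration) that the play is given as a finite prefix and an infinitely repeated cycle of states:

```python
# Sketch: a lasso run visits exactly the cycle states infinitely often,
# so a Büchi condition F holds iff the cycle meets F.

def buchi_fair(prefix, cycle, F):
    # the prefix is visited only finitely often and is irrelevant
    return any(state in F for state in cycle)

assert buchi_fair([0, 1], [2, 3], F={3})
assert not buchi_fair([0, 3], [1, 2], F={3})   # 3 occurs only finitely often
```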
For a quantitative objective f, the value of the game for Player 1 is defined as the supremum of the values of plays attainable against any Player 2 strategy, i.e., sup_{π1∈Π1} inf_{π2∈Π2} f(out(π1, π2)). The value of the game for Player 2 is defined analogously. A strategy is an optimal strategy for a player if it assures an outcome equal to her value of the game. Similarly, a strategy is an ε-optimal strategy for a maximizing (resp. minimizing) player if it assures an outcome that is no more than ε smaller (resp. larger) than the value of the game. We consider ω-regular boolean objectives and the following quantitative objectives. Given a game graph with the weight function v and a play ρ = ρ0 σ0 ρ1 σ1 ρ2 σ2 . . ., for all i ≥ 0, let vi = v((ρi, σi, ρi+1)).
– LimAvg(ρ) = lim inf_{n→∞} (1/n) · Σ_{i=0}^{n−1} vi
– Disc_λ(ρ) = lim inf_{n→∞} (1 − λ) · Σ_{i=0}^{n−1} λ^i · vi, where 0 < λ < 1.
LimAvg is the long-run average of the weights occurring in a play, whereas Disc_λ is the discounted sum of the weights. Therefore, LimAvg gives more importance to the infinite suffix of a play, whereas Disc_λ gives more importance to the finite prefix of a play.
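For ultimately periodic weight sequences, both objectives admit closed forms. A sketch (the helper names are ours), where a play's weights are given as a finite prefix followed by an infinitely repeated cycle:

```python
# LimAvg ignores the prefix: it equals the mean weight of the cycle.
# Disc_lambda sums the discounted prefix, then a geometric series over
# the infinitely many copies of the cycle.

def lim_avg(prefix, cycle):
    return sum(cycle) / len(cycle)

def disc(prefix, cycle, lam):
    head = sum(lam**i * w for i, w in enumerate(prefix))
    one_cycle = sum(lam**i * w for i, w in enumerate(cycle))
    tail = lam**len(prefix) * one_cycle / (1 - lam**len(cycle))
    return (1 - lam) * (head + tail)

assert abs(lim_avg([1, 1], [0, 0, 2]) - 2 / 3) < 1e-9
assert abs(disc([], [1, 1, 1], 0.5) - 1.0) < 1e-9  # constant weight 1
```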
Note that for LimAvg and Disc objectives, optimal memoryless strategies exist for both players [11,20]. Also, for qualitative objectives specified as Büchi conditions, memoryless winning strategies exist for both players, and for other ω-regular conditions, finite-memory winning strategies exist. Also, consider the following family of objectives where a boolean ω-regular objective and a quantitative objective f are combined as follows. If a play ρ satisfies the boolean objective, then the value of ρ is the value according to f; otherwise, the value of ρ is the maximum possible value of f (in our case, it is always 1). When f = LimAvg and the ω-regular objective is a parity objective, optimal finite-memory strategies exist [5]. This result can be extended to arbitrary ω-regular objectives, as all ω-regular objectives can be expressed as parity objectives with latest-appearance-record memory [13]. Such objectives are called ω-regular LimAvg objectives.

2.1 Qualitative Simulation Games
The simulation preorder [17] is a useful and polynomially computable relation to compare two transition systems. In [1] this relation was extended to alternating simulation between alternating transition systems. For systems with fairness conditions, the simulation relation was extended to fair simulation in [15]. These relations can be computed by solving games with boolean objectives.
Simulation and Alternating Simulation. Consider two transition systems A = ⟨S, Σ, E, s0⟩ and A′ = ⟨S′, Σ, E′, s′0⟩. The system A′ simulates the system A if there exists a relation H ⊆ S × S′ such that (a) (s0, s′0) ∈ H; and (b) ∀s, t ∈ S, s′ ∈ S′ : ((s, s′) ∈ H ∧ (s, σ, t) ∈ E) ⇒ (∃t′ : (s′, σ, t′) ∈ E′ ∧ (t, t′) ∈ H). For two alternating transition systems A = ⟨S, S1, S2, Σ, E, s0⟩ and A′ = ⟨S′, S′1, S′2, Σ, E′, s′0⟩, alternating simulation of A by A′ holds if there exists a relation H ⊆ S × S′ such that (s0, s′0) ∈ H and ∀s ∈ S, s′ ∈ S′ : (s, s′) ∈ H ⇒ (s ∈ S1 ⇔ s′ ∈ S′1); and
– ∀s ∈ S, s′ ∈ S′ : ((s, s′) ∈ H ∧ s ∈ S1) ⇒ ∀(s, σ, t) ∈ E : (∃(s′, σ, t′) ∈ E′ : (t, t′) ∈ H);
– ∀s ∈ S, s′ ∈ S′ : ((s, s′) ∈ H ∧ s ∈ S2) ⇒ ∃(s′, σ, t′) ∈ E′ : (∀(s, σ, t) ∈ E : (t, t′) ∈ H).
Simulation and Alternating Simulation Games. Given two (alternating) transition systems A and A′, we can construct a game such that (alternating) simulation of A by A′ holds if and only if Player 2 has a winning strategy in the game. Given two weighted transition systems A and A′ with the same alphabet, we define the corresponding quantitative simulation game graph G_{A,A′} as ⟨(S × (Σ ∪ {#}) × S′) ∪ {s_err}, S1^G, S2^G, Σ, E^G, (s0, #, s′0)⟩ where S1^G = (S × {#} × S′) ∪ {s_err} and S2^G = S × Σ × S′. Each transition of the game graph corresponds to a transition in either A or A′ as follows:
– ((s, #, s′), σ, (t, σ, s′)) ∈ E^G ⇔ (s, σ, t) ∈ E
– ((s, σ, s′), σ, (s, #, t′)) ∈ E^G ⇔ (s′, σ, t′) ∈ E′
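A sketch of this product construction, using an encoding of our own (systems as dicts from states to lists of (symbol, successor) edges, "#" marking Player-1 states, and "s_err" the error sink):

```python
# Build the (unweighted) simulation game edges: Player 1 proposes a
# transition of A, Player 2 must answer with an equally labeled transition
# of A'; unmatched symbols lead to the sink s_err.

def simulation_game_edges(A, Ap, alphabet):
    E = []
    for s in A:
        for sp in Ap:
            for (sigma, t) in A[s]:                # Player-1 move in A
                E.append(((s, "#", sp), sigma, (t, sigma, sp)))
            for sigma in alphabet:                 # Player-2 answers in A'
                matched = False
                for (a, tp) in Ap[sp]:
                    if a == sigma:
                        E.append(((s, sigma, sp), sigma, (s, "#", tp)))
                        matched = True
                if not matched:
                    E.append(((s, sigma, sp), sigma, "s_err"))
    return E

E = simulation_game_edges({0: [("a", 0)]}, {0: [("b", 0)]}, {"a", "b"})
assert ((0, "#", 0), "a", (0, "a", 0)) in E    # Player 1 plays "a"
assert ((0, "a", 0), "a", "s_err") in E        # Player 2 cannot match
```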
For each of the above transitions, the weight is the same as the weight of the corresponding transition in A or A′. If there is no outgoing transition from a particular state, transitions to s_err are added with all symbols. The state s_err is a sink with transitions to itself on all symbols. Each of these transitions has weight 1 (the maximum possible value of a quantitative objective). For classical simulation games, we consider the same game graph without weights. The objective for Player 1 is to reach s_err, and for Player 2 to avoid it. Intuitively, in every state, Player 1 chooses a transition of A and Player 2 has to match it by picking a transition of A′. If Player 2 cannot match at some point, Player 1 wins that play. It is easy to see that A′ simulates A iff there is a winning strategy for Player 2 in this game. We can extend the simulation game to an alternating simulation game. We informally define the quantitative alternating simulation game graph; the formal definition can be found in the companion report [3]. Given two quantitative alternating transition systems A and A′, we define the quantitative alternating simulation game graph H_{A,A′} as follows. If A is at state s and s ∈ S1, Player 1 chooses a transition of A and Player 2 has to match it with a transition of A′; and if A is at s and s ∈ S2, Player 2 has to choose a transition of A′ and Player 1 has to choose a transition of A to match it. If there cannot be a match, the control moves to the error state s_err. As before, the transitions have the same weight as in the individual systems. We consider the game graph without weights to define the alternating simulation game H_{A,A′}, where the objective of Player 1 is to ensure that the play reaches s_err. It can be seen that alternating simulation holds iff there exists a winning strategy for Player 2.
Fair Simulation.
Given two (alternating) transition systems with fairness conditions A^F and A′^F′, the fair simulation game is played on the same game graph G_{A,A′} (H_{A,A′}) as the simulation game. However, in addition to matching the symbol in each step, Player 2 has to ensure that if the sequence of transitions of A chosen by Player 1 satisfies the fairness condition F, then the sequence of A′ transitions chosen satisfies the fairness condition F′.

2.2 Quantitative Simulation Games
We define a generalized notion of simulation games, called quantitative simulation games, where the simulation objectives are replaced by quantitative objectives.
Quantitative Simulation Games. Given two quantitative (alternating) transition systems A and A′, and f ∈ {LimAvg, Disc_λ}, the quantitative (alternating) simulation game is played on the quantitative (alternating) simulation game graph G_{A,A′} (H_{A,A′}), with the objective of Player 1 being to maximize the f value of the play. We denote this game as Q^f_{A,A′} (P^f_{A,A′}).
Quantitative Fair Simulation Games. Analogously to quantitative (alternating) simulation games, the fair versions are played between two transition systems with fairness conditions. The quantitative objective for this game is the ω-regular
LimAvg objective which is the combination of the LimAvg objective and the boolean fair (alternating) simulation game objective. We do not use f = Disc_λ along with fairness conditions, as the two objectives are independent: the Disc_λ objectives mainly consider the finite prefix of a play, whereas fairness conditions consider only the infinite suffix.

2.3 Modification Schemes
We will use quantitative simulation games to measure various properties of systems. For computing these properties, we need small modifications of the original systems. For example, when computing the distance as the number of errors an implementation commits, we add some error recovery behavior to the specification. However, we impose strict rules on these modifications to ensure that the modified system retains the structure of the original system. A modification scheme is a function m from transition systems to quantitative (alternating) transition systems, which can be computed using the following steps: (a) edges may be added to the transition system and each state may be replaced by a local subgraph, but all edges of the original graph have to be preserved; (b) every edge of the system is associated with a weight from Q. We present two examples of modification schemes.

Output Modification. This scheme adds behavior to a system that allows it to output an arbitrary symbol while moving to a state specified by an already existing transition. For every transition (s, σ, s'), transitions with different symbols are added to the system, i.e., {(s, α, s') | α ∈ Σ}. These transitions are given a weight of 2 to penalize their use; all other transitions have weight 0. Given a system T, we denote the modified system by OutMod(T).

Error Modification. Even in a perfectly functioning system, errors may occur due to unpredictable events. We model this with an alternating transition system with one player modeling the original system (Player 1) and the other modeling the controlled error (Player 2). At every state, Player 2 chooses whether or not an error occurs by choosing one of two successors. From one of these states, Player 1 can choose the original successors of the state; from the other, she can choose either one of the original successors or one of the error transitions. We penalize Player 2 for the choice of not allowing errors to happen.
Given T = ⟨S, Σ, E, s0⟩, we define ErrMod(T) to be the quantitative alternating transition system obtained by replacing each state s by the local subgraph shown in Fig. 2 (Graph for ErrMod): from s, a ¬c edge leads to a state from which the transitions in E(s) are available, and a c edge leads to a state from which the transitions in E(s) ∪ X(s) are available. If an error is allowed (modeled by the c edge), then all transitions that differ from original transitions only in the symbol are added (represented by X(s) in Fig. 2). Only the transitions labeled ¬c are given the weight 2; the rest are given the weight 0. The system ErrMod_∅(T) denotes a system where
Fig. 3. Example Systems: (a) I1, (b) I5, (c) SL, (d) IL
no additional transitions were introduced; only the states were replaced by the subgraph from Fig. 2 (with X being the empty set). In addition to the above schemes, we define the trivial modification scheme NoMod, where no changes are made except to give every edge the weight 0.
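The OutMod scheme can be sketched in a few lines; this is our own illustration, and the dictionary encoding of transition systems is an assumption, not the paper's notation:

```python
def out_mod(trans, alphabet):
    """OutMod: keep every original transition with weight 0, and for
    every transition (s, sym, succ) add (s, alpha, succ) with weight 2
    for each other symbol alpha, penalizing symbol changes."""
    weighted = {}
    for s, edges in trans.items():
        new_edges = set()
        for (sym, succ) in edges:
            new_edges.add((sym, succ, 0))            # original edge, free
            for alpha in alphabet:
                if alpha != sym:
                    new_edges.add((alpha, succ, 2))  # "cheating" edge
        weighted[s] = new_edges
    return weighted

T = {0: {('a', 1)}, 1: {('b', 0)}}
print(out_mod(T, {'a', 'b'}))
```

On this two-state example, state 0 gains the weight-2 edge ('b', 1, 2) and state 1 gains ('a', 0, 2), while the original edges keep weight 0.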
3 Simulation Distances
Correctness. Given a specification T2 and an implementation T1 such that T1 is incorrect with respect to T2, the correctness distance measures the degree of "incorrectness" of T1. Even a single nonconformant behavior can destroy the boolean simulation relation. Here we present a game which is not as strict and which measures the minimal number of required errors, i.e., the minimal number of times the specification has to use nonmatching symbols when simulating the implementation.

Definition 3.1 (Correctness distance). Let f = LimAvg or f = Disc_λ. The correctness distance d^f_cor(T1, T2) from system T1 to system T2 is the Player 1 value of the quantitative simulation game C^f_{T1,T2} = Q^f_{NoMod(T1),OutMod(T2)}.

The game C can be intuitively understood as follows. Given two systems T1 and T2, we are trying to simulate the system T1 by T2; the specification T2 is allowed to make errors, to "cheat", but she has to pay a price for each such choice. As the simulating player is trying to minimize the value of the game, she is motivated not to cheat. The value of the game can thus be seen as measuring how often she can be forced to cheat, that is, how often on average the implementation commits an error. If the implementation is correct (T2 simulates T1), then the correctness distance is 0. The value of the game is either the LimAvg or the Disc_λ value of the sequence of errors. If the objective f is LimAvg, then the value is the long-run average of the errors, whereas if the objective f is Disc_λ, errors which occur earlier are given more importance and the value is the discounted sum over the positions of the errors. Therefore, the Disc_λ and LimAvg games are concerned with prefixes and infinite suffixes of the behaviors, respectively. We present a few example systems and their distances here to demonstrate that the above game measures distances that correspond to intuition.
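For ultimately periodic plays, both value functions have simple closed forms; the following sketch is our own illustration (exact rationals via Python Fractions, and the unnormalized discounted-sum convention, are assumptions) and makes the prefix/suffix contrast concrete:

```python
from fractions import Fraction

def lim_avg(prefix, cycle):
    # the finite prefix is irrelevant in the limit: LimAvg of
    # prefix . cycle^omega is the average weight of the cycle
    return Fraction(sum(cycle), len(cycle))

def disc(prefix, cycle, lam):
    # discounted sum of lam^i * w_i over prefix . cycle^omega,
    # using the geometric closed form for the repeated cycle
    lam = Fraction(lam)
    head = sum(lam**i * w for i, w in enumerate(prefix))
    period = sum(lam**i * w for i, w in enumerate(cycle))
    return head + lam**len(prefix) * period / (1 - lam**len(cycle))

# an early error dominates the discounted value but not the average:
print(lim_avg([2], [0, 0, 2]))               # 2/3
print(disc([2], [0, 0, 0], Fraction(1, 2)))  # 2: only the early error counts
```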
In Figure 3 and Figure 1, S1 is the speciﬁcation system against which we want to measure the systems I1 through I5 . In this case, the speciﬁcation says that
Table 1. Distances according to the correctness, coverage and robustness games

  T1   T2   d^LimAvg_cor(T1,T2)   d^LimAvg_cov(T1,T2)   d^LimAvg_rob(T1,T2)
  S1   S1          0                      0                      1
  S1   I1          0                     2/3                    1/3
  S1   I2          0                     1/3                    2/3
  S1   I3         1/3                     1                      1
  S1   I4         1/4                    3/4                     1
  S1   I5         1/5                    4/5                     1
  SL   IL         1/2                     1                      1
there cannot be more than two b's in a row. Also, we have a specification with a liveness condition, SL, against which we want to measure the implementation IL. The distances between these systems according to the LimAvg correctness game are summarized in Table 1. Among the systems which do not satisfy the specification S1, i.e., I3, I4 and I5, we showed in the introduction that the distance from I3 to S1 is 1/3, while the distance from I4 to S1 is 1/4. Perhaps surprisingly, the distance from I5 to S1 is even smaller than the distance from I4. In fact, the distances reflect the long-run fraction of times the specification has to err in order to simulate the implementation. In the case of the specification SL and implementation IL with liveness conditions, the specification can take the left branch to state 0 to get a penalty of 1/2, or take the right branch to state 2 to get a penalty of 1. However, it needs to take the right branch infinitely often to satisfy the liveness condition. To achieve the distance of 1/2, the specification needs infinite memory, so that it can take the right branch less and less often. In fact, if the specification has a finite-memory strategy of size m, it can achieve a distance of 1/2 + 1/(2m).

Coverage. We present the dual of the game presented above. Here, we measure the behaviors that are present in one system but not in the other. Given a specification T2 and an implementation T1, the coverage distance corresponds to the behavior of the specification which is farthest from any behavior of the implementation. Hence, the coverage distance from a system T1 to a system T2 is the correctness distance from T2 to T1.

Definition 3.2 (Coverage distance). Let f = LimAvg or f = Disc_λ. The coverage distance d^f_cov(T1, T2) from system T1 to system T2 is the Player 1 value of the quantitative simulation game V^f_{T1,T2} = Q^f_{NoMod(T2),OutMod(T1)}.
V measures the distance from T1 to T2 as the minimal number of errors that have to be committed by T1 to cover all the behaviors of T2. We present examples of systems and their distances according to V^LimAvg, using the example systems in Figures 3 and 1; the distances are summarized in Table 1.

Robustness. Given a specification system and a correct implementation, the notion of robustness presented here is a measure of the number of implementation errors that make the implementation nonconformant to the specification. The more
such errors are tolerated by the specification, the more robust the implementation. In other words, the distance measures the number of critical points: points where an error will lead to an unacceptable behavior. The lower the value of the robustness distance, the more robust the implementation. For an incorrect implementation, the simulation of the implementation fails irrespective of implementation errors; hence, in that case, the robustness distance is 1.

Definition 3.3 (Robustness distance). Let f = LimAvg or f = Disc_λ. The robustness distance d^f_rob(T1, T2) from system T1 to system T2 is the Player 1 value of the quantitative alternating simulation game R^f_{T1,T2} = P^f_{ErrMod(T1),ErrMod_∅(T2)}.

The game R^f_{T1,T2} is played in rounds consisting of the following steps: (a) the specification T2 chooses whether the implementation T1 is allowed to make an error; (b) the implementation chooses a transition of the implementation system, and is allowed to err depending on the specification's choice in the previous step; and (c) the specification chooses a matching move to simulate the implementation. The specification tries to minimize the number of moves where it prohibits implementation errors (without destroying the simulation relation), whereas the implementation tries to maximize it. Intuitively, the positions where the specification cannot allow errors are the critical points for the implementation. In the game played between S1 and S1, every position is critical: at each position, if an error is allowed, the system can output three b's in a row by using the error transition to return to state 0 while outputting a b, and the next two moves can be b's irrespective of whether errors are allowed or not. This breaks the simulation. Now, consider I1. This system can be allowed to err two out of every three steps without violating the specification. This shows that I1 is more robust than S1 as an implementation of S1. The distances are summarized in Table 1.
Computation of Simulation Distances. The computational complexity of computing the three distances defined here is the same as that of solving the value problem for the respective games. For systems without fairness conditions, the d_cor, d_cov and d_rob games are simple graph games with LimAvg or Disc_λ objectives. The decision problem for these games is in NP ∩ coNP [20], but no PTIME algorithm is known. However, for LimAvg objectives there is an algorithm polynomial in the size of the game graph for unary-encoded weights; as we use constant weights, the distances can be computed in polynomial time. Using the algorithm of [20], in the case without fairness conditions the d_cor, d_cov and d_rob distances can be computed in time O((|S||S'|)^3 · (|E||S'| + |E'||S|)), where S and S' are the state spaces of the two transition systems, and E and E' are their sets of transitions. A variation of the algorithm in [20] gives a PTIME algorithm for the Disc_λ objectives (for a fixed λ). For systems with Büchi (weak fairness) conditions, the corresponding games are graph games with combined LimAvg and parity objectives, for which the decision problem
is in NP ∩ coNP. However, the use of constant weights and the fact that the implication of two Büchi conditions can be expressed as a parity condition with no more than 3 priorities lead to a polynomial algorithm. Using the algorithm presented in [5], we get an O((|S||S'|)^3 · (|E||S'| + |E'||S|)) algorithm. For systems with Streett (strong fairness) conditions, the corresponding games are graph games with LimAvg ω-regular conditions. For an ω-regular LimAvg game with n states, we can use latest appearance records to convert it into an equivalent parity game with 2^{O(n log n)} states and edges, and n priorities. The algorithm of [5] then gives a 2^{O(n log n)} algorithm, where n = |S| · |S'|.
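The value iteration at the heart of the algorithm of [20] is easy to sketch (our own illustration; the graph encoding and the fixed iteration count are assumptions): set v_0 = 0 and v_k(s) = max/min over edges (s, w, t) of w + v_{k-1}(t); then v_k(s)/k converges to the mean-payoff value at s.

```python
from fractions import Fraction

def mean_payoff_value(edges, owner, state, k):
    """edges: state -> list of (weight, successor); owner[s] is 'max'
    (the maximizing Player 1) or 'min' (Player 2).  Returns v_k(state)/k,
    an approximation of the mean-payoff game value at `state`."""
    v = {s: Fraction(0) for s in edges}
    for _ in range(k):
        # one Bellman-style step: each owner optimizes over its edges
        v = {s: (max if owner[s] == 'max' else min)(
                 w + v[t] for (w, t) in edges[s]) for s in edges}
    return v[state] / k

# Player 1 at state 0 prefers the weight-2 edge to state 1; Player 2 at
# state 1 is forced back, giving the cycle 0 -> 1 -> 0 with mean weight 1.
edges = {0: [(2, 1), (0, 0)], 1: [(0, 0)]}
owner = {0: 'max', 1: 'min'}
print(mean_payoff_value(edges, owner, 0, 1000))  # 1
```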
4 Properties of Simulation Distances
We present quantitative analogues of boolean properties of the simulation preorders. Omitted proofs can be found in the companion report [3].

Triangle Inequality. Classical simulation relations satisfy the reflexivity and transitivity properties, which make them preorders. In an analogous way, we show that the correctness and coverage distances satisfy quantitative reflexivity and the triangle inequality. This makes them directed metrics [8].

Theorem 1. d^f_cor is a directed metric for f ∈ {LimAvg, Disc_λ}, i.e.:
– ∀S ∈ S : d^f_cor(S, S) = 0
– ∀S1, S2, S3 ∈ S : d^f_cor(S1, S3) ≤ d^f_cor(S1, S2) + d^f_cor(S2, S3)

Proof: We prove the result for systems with fairness conditions; the case without fairness conditions is analogous. Consider any ε > 0. Let τ2 and τ3 be ε/2-optimal finite-memory strategies for Player 2 in C_{S1,S2} and C_{S2,S3}, respectively. We construct a finite-memory strategy τ* for Player 2 in C_{S1,S3}. If M2 and M3 are the memories of τ2 and τ3, respectively, the memory of τ* will be M2 × S2 × M3. The strategy τ* works as follows. Let the state of the game be (s1, #, s3) and the memory of τ* be (m2, s2, m3).
– Let Player 1 move according to the S1 transition (s1, σ1, s1') to the game state (s1', σ1, s3). Consider the game position (s1', σ1, s2) in C_{S1,S2} and let the τ2 memory be at state m2. Say τ2 updates its memory to m2' and chooses the successor (s1', #, s2') with transition symbol σ1; let the corresponding OutMod(S2) transition be (s2, σ1, s2').
– If the transition (s2, σ1, s2') exists in S2, then let σ2 = σ1. Otherwise, there exists (s2, σ2', s2') in S2 for some σ2'; let σ2 = σ2'. Now, consider the game position (s2', σ2, s3) in C_{S2,S3} and the memory state m3 of τ3. Say τ3 updates its memory to m3' and chooses the successor (s2', #, s3') with transition symbol σ2; let the corresponding OutMod(S3) transition be (s3, σ2, s3').
– The memory of τ* is updated to (m2', s2', m3') and τ* chooses the successor (s1', #, s3') with the transition symbol σ1. The corresponding transition (s3, σ1, s3') exists in OutMod(S3), as there exists a transition with the same source and destination as (s3, σ2, s3').
If Player 2 cannot match σ1 with a zero-weight transition while playing according to τ*, then either τ2 or τ3 would also have taken a nonzero-weight transition. Using this fact, we can easily prove the required property. Fix an arbitrary finite-memory Player 1 strategy σ, and let the play proceed according to τ*. From the moves of the game and the state of the memory of τ*, we can extract four transitions for each round of play: an S1 transition (s1, σ1, s1'), an OutMod(S2) transition (s2, σ1, s2'), an S2 transition (s2, σ2, s2'), and an OutMod(S3) transition (s3, σ1, s3'). The play ρ in C_{S1,S3} corresponds to the first and the last of these transition sequences. It can be decomposed into plays ρ1 in C_{S1,S2} and ρ2 in C_{S2,S3} by taking the first two and the last two transition sequences, respectively. By the observation in the previous paragraph, a move in ρ has weight 2 only if one of the corresponding moves in ρ1 or ρ2 has weight 2. Let us denote the n-th move in a play η by η^n. If both the S1 and S3 sequences of moves in ρ are fair, or if the S1 sequence is unfair, we have the following for the LimAvg case:
ν(ρ) = liminf_{n→∞} (1/n) Σ_{i=0}^{n} v(ρ^i)
     ≤ liminf_{n→∞} (1/n) Σ_{i=0}^{n} ( v(ρ1^i) + v(ρ2^i) )
     = lim_{n→∞} (1/n) Σ_{i=0}^{n} ( v(ρ1^i) + v(ρ2^i) )
     = lim_{n→∞} (1/n) Σ_{i=0}^{n} v(ρ1^i) + lim_{n→∞} (1/n) Σ_{i=0}^{n} v(ρ2^i)
     = liminf_{n→∞} (1/n) Σ_{i=0}^{n} v(ρ1^i) + liminf_{n→∞} (1/n) Σ_{i=0}^{n} v(ρ2^i)
     ≤ ( d_cor(S1, S2) + ε/2 ) + ( d_cor(S2, S3) + ε/2 ) = d_cor(S1, S2) + d_cor(S2, S3) + ε

All the strategies we are considering are finite-memory, and hence each sequence of weights is ultimately periodic; therefore, we can use lim and liminf interchangeably in the above equations. The case of Disc_λ is much simpler and not shown here. Hence, the value of the play satisfies the required inequality when both S1 and S3 perform fair computations. In the case that the S1 sequence is fair and the S3 sequence is not, the value of the play is 1; however, by construction, the value of either ρ1 or ρ2 is then also 1, and the inequality holds. Therefore, for any ε > 0, we have a strategy for Player 2 which ensures a value less than d_cor(S1, S2) + d_cor(S2, S3) + ε, for both the LimAvg and Disc_λ cases. Hence, we have the required triangle inequality. Quantitative reflexivity, d_cor(S, S) = 0, follows by constructing a Player 2 strategy that copies every Player 1 move. Hence, we have the result.
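The interchange of lim and liminf rests on ultimately periodic weight sequences having convergent running averages, which is easy to check numerically (a standalone illustration, not the paper's code):

```python
from fractions import Fraction

def running_average(prefix, cycle, n):
    # average of the first n weights of the sequence prefix . cycle^omega
    seq = (prefix + cycle * n)[:n]
    return Fraction(sum(seq), n)

# one early error (weight 2), then a period with one error every two steps:
vals = [running_average([2], [1, 0], n) for n in (10, 100, 1000, 10001)]
print([str(v) for v in vals])
# the averages settle at the cycle average 1/2, so liminf = lim = 1/2
```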
Theorem 2. d^f_cov is a directed metric for f ∈ {LimAvg, Disc_λ}, i.e.:
– ∀S ∈ S : d^f_cov(S, S) = 0
– ∀S1, S2, S3 ∈ S : d^f_cov(S1, S3) ≤ d^f_cov(S1, S2) + d^f_cov(S2, S3)

The robustness distance satisfies the triangle inequality, but not quantitative reflexivity. The system S1 in Figure 1 is a witness that violates d_rob(S1, S1) = 0. In fact, for LimAvg objectives and any rational value v ∈ [0, 1], it is easy to construct a system Sv such that d_rob(Sv, Sv) = v.

Theorem 3. d^f_rob satisfies the triangle inequality for f ∈ {LimAvg, Disc_λ}, i.e.: ∀S1, S2, S3 ∈ S : d^f_rob(S1, S3) ≤ d^f_rob(S1, S2) + d^f_rob(S2, S3)

Compositionality. In the qualitative case, compositionality theorems help analyse large systems by decomposing them into smaller components; for example, simulation is preserved when components are composed. We show that in the quantitative case, the distance between the composed systems is bounded by the sum of the distances between the individual systems. If A and A' are two transition systems, we define the asynchronous and synchronous compositions of the two systems, written A ∥ A' and A × A' respectively, as follows: (a) the state space is S × S'; (b) ((s, s'), σ, (t, t')) is a transition of A ∥ A' iff either (s, σ, t) is a transition of A and s' = t', or (s', σ, t') is a transition of A' and s = t; and (c) ((s, s'), σ, (t, t')) is a transition of A × A' iff (s, σ, t) is a transition of A and (s', σ, t') is a transition of A'. The following theorems show that the simulation distances between composed systems are bounded by the sums of the distances between the individual components.

Theorem 4. The correctness, coverage and robustness distances satisfy the following property for f ∈ {LimAvg, Disc_λ}: d^f(S1 × S2, T1 × T2) ≤ d^f(S1, T1) + d^f(S2, T2)

Theorem 5. The correctness, coverage and robustness distances satisfy the following property when f = LimAvg:
d^f(S1 ∥ S2, T1 ∥ T2) ≤ α·d^f(S1, T1) + (1 − α)·d^f(S2, T2), where α is the fraction of time S1 is scheduled in S1 ∥ S2 in the long run, assuming that this fraction has a limit.

Existential and Universal Abstraction. Classically, properties of systems are studied through over-approximations and under-approximations. In an analogous way, we prove that the distances between systems are bounded from above and below by the distances between abstractions of the systems. Given T = ⟨S, Σ, E, s0⟩, an existential (universal) abstraction of T is a system whose states are disjoint subsets of S, with an edge between two classes iff there exists an edge between one pair (all pairs) of states in the classes.

Theorem 6. Consider a specification S and an implementation I. Let S^∃ and I^∃ be existential abstractions, and S^∀ and I^∀ universal abstractions, of S and I, respectively. The correctness, coverage and robustness distances satisfy the three following properties for f ∈ {LimAvg, Disc_λ}:
(a) d^f_cor(I^∀, S^∃) ≤ d^f_cor(I, S) ≤ d^f_cor(I^∃, S^∀)
(b) d^f_cov(I^∃, S^∀) ≤ d^f_cov(I, S) ≤ d^f_cov(I^∀, S^∃)
(c) d^f_rob(I^∀, S^∃) ≤ d^f_rob(I, S) ≤ d^f_rob(I^∃, S^∀)
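The existential and universal abstractions just defined can be sketched directly; in this hedged sketch the partition-based encoding is our own assumption:

```python
def abstract(trans, partition, mode):
    """trans: state -> set of (symbol, successor); partition: list of
    disjoint frozensets covering the states; mode: 'exists' or 'forall'.
    A block edge exists iff some pair (existential) / every pair
    (universal) of member states has an edge with that symbol."""
    symbols = {sym for edges in trans.values() for (sym, _) in edges}
    quant = any if mode == 'exists' else all
    abs_trans = {}
    for b in partition:
        abs_trans[b] = set()
        for b2 in partition:
            for sym in symbols:
                if quant((sym, t) in trans[s] for s in b for t in b2):
                    abs_trans[b].add((sym, b2))
    return abs_trans

T = {0: {('a', 1)}, 1: {('a', 0), ('a', 1)}}
P = [frozenset({0, 1})]
print(abstract(T, P, 'exists'))  # the single block gets an 'a' self-loop
print(abstract(T, P, 'forall'))  # no edge: the pair (0, 0) has no 'a' edge
```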
5 Robustness of Forward Error Correction Systems
Forward error correction systems (FECS) are a mechanism of error control for data transmission over noisy channels. A very important characteristic of these error correction systems is the maximum tolerable bit-error rate, i.e., the maximum number of errors the system can tolerate while still being able to successfully decode the message. We show that this property can be measured as the d_rob distance between a system and an ideal system (the specification). We examine three forward error correction systems: one with no error correction facilities, the Hamming(7,4) code [14], and triple modular redundancy (TMR), which by design can tolerate no errors, one error in seven bits, and one error in three bits, respectively. We measure the robustness with respect to an ideal system which can tolerate an unbounded number of errors. For the pseudocode of the three systems, the reader is referred to the companion report [3]. The only errors we allow are bit flips during transmission. These systems were modelled, and the values of d_rob measured against the ideal system are summarized in Table 2. The robustness values mirror the error tolerance values: each robustness value is equal to 1 − e, where e is the corresponding error tolerance value.

Table 2. FECS' robustness

  T1        T2      d_rob(T1, T2)
  None      Ideal        1
  Hamming   Ideal       6/7
  TMR       Ideal       2/3
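For concreteness, the Hamming(7,4) code mentioned above encodes 4 data bits into 7 and corrects any single bit flip. The following self-contained sketch uses the standard positional layout (parity bits at positions 1, 2, 4); it is our own illustration, not the paper's model:

```python
def hamming74_encode(d):
    """Encode 4 data bits into 7: parity bits at positions 1, 2, 4."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4   # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4   # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4   # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]

def hamming74_decode(c):
    """Correct at most one bit flip and return the 4 data bits.
    The syndrome bits give the 1-based position of the flipped bit."""
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 * 1 + s2 * 2 + s3 * 4   # 0 means no error detected
    c = list(c)
    if pos:
        c[pos - 1] ^= 1              # correct the single flip
    return [c[2], c[4], c[5], c[6]]

word = [1, 0, 1, 1]
code = hamming74_encode(word)
for i in range(7):                   # flip each bit in turn
    noisy = list(code)
    noisy[i] ^= 1
    assert hamming74_decode(noisy) == word
print("all single-bit errors corrected")
```

Every single bit flip is corrected, matching the one-in-seven error tolerance (and the robustness value 6/7 = 1 − 1/7) reported in Table 2.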
References
1. Alur, R., Henzinger, T., Kupferman, O., Vardi, M.: Alternating refinement relations. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 163–178. Springer, Heidelberg (1998)
2. Caspi, P., Benveniste, A.: Toward an approximation theory for computerised control. In: Sangiovanni-Vincentelli, A.L., Sifakis, J. (eds.) EMSOFT 2002. LNCS, vol. 2491, pp. 294–304. Springer, Heidelberg (2002)
3. Černý, P., Henzinger, T.A., Radhakrishna, A.: Simulation distances. Technical Report IST-2010-0003, IST Austria (June 2010)
4. Chatterjee, K., Doyen, L., Henzinger, T.: Quantitative languages. In: Kaminski, M., Martini, S. (eds.) CSL 2008. LNCS, vol. 5213, pp. 385–400. Springer, Heidelberg (2008)
5. Chatterjee, K., Henzinger, T.A., Jurdzinski, M.: Mean-payoff parity games. In: LICS, pp. 178–187 (2005)
6. de Alfaro, L., Faella, M., Stoelinga, M.: Linear and branching system metrics. IEEE Trans. Software Eng. 35(2), 258–273 (2009)
7. de Alfaro, L., Henzinger, T., Majumdar, R.: Discounting the future in systems theory. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) ICALP 2003. LNCS, vol. 2719, pp. 1022–1037. Springer, Heidelberg (2003)
8. de Alfaro, L., Majumdar, R., Raman, V., Stoelinga, M.: Game refinement relations and metrics. Logical Methods in Computer Science 4(3) (2008)
9. Desharnais, J., Gupta, V., Jagadeesan, R., Panangaden, P.: Metrics for labelled Markov processes. Theor. Comput. Sci. 318(3), 323–354 (2004)
10. Droste, M., Gastin, P.: Weighted automata and weighted logics. Theor. Comput. Sci. 380(1–2), 69–86 (2007)
11. Ehrenfeucht, A., Mycielski, J.: Positional strategies for mean payoff games. International Journal of Game Theory, 163–178 (1979)
12. Fenton, N.: Software Metrics: A Rigorous and Practical Approach, Revised (Paperback). Course Technology (1998)
13. Gurevich, Y., Harrington, L.: Trees, automata, and games. In: STOC, pp. 60–65 (1982)
14. Hamming, R.W.: Error detecting and error correcting codes. Bell System Tech. J. 29, 147–160 (1950)
15. Henzinger, T.A., Kupferman, O., Rajamani, S.K.: Fair simulation. Information and Computation, 273–287 (1997)
16. Lincke, R., Lundberg, J., Löwe, W.: Comparing software metrics tools. In: ISSTA, pp. 131–142 (2008)
17. Milner, R.: An algebraic definition of simulation between programs. In: IJCAI, pp. 481–489 (1971)
18. van Breugel, F.: An introduction to metric semantics: operational and denotational models for programming and specification languages. Theor. Comput. Sci. 258(1–2), 1–98 (2001)
19. van Breugel, F., Worrell, J.: Approximating and computing behavioural distances in probabilistic transition systems. Theor. Comput. Sci. 360(1–3), 373–385 (2006)
20. Zwick, U., Paterson, M.: The complexity of mean payoff games on graphs. Theor. Comput. Sci. 158(1–2), 343–359 (1996)
Mean-Payoff Automaton Expressions

Krishnendu Chatterjee^1, Laurent Doyen^2, Herbert Edelsbrunner^1, Thomas A. Henzinger^{1,3}, and Philippe Rannou^{2,3,4}

1 IST Austria (Institute of Science and Technology Austria)
2 LSV, ENS Cachan & CNRS, France
3 EPFL Lausanne, Switzerland
4 ENS Cachan Bretagne, Rennes, France
Abstract. Quantitative languages are an extension of boolean languages that assign to each word a real number. Mean-payoff automata are finite automata with numerical weights on transitions that assign to each infinite path the long-run average of the transition weights. When the mode of branching of the automaton is deterministic, nondeterministic, or alternating, the corresponding class of quantitative languages is not robust, as it is not closed under the pointwise operations of max, min, sum, and numerical complement. Nondeterministic and alternating mean-payoff automata are not decidable either, as the quantitative generalizations of the problems of universality and language inclusion are undecidable. We introduce a new class of quantitative languages, defined by mean-payoff automaton expressions, which is robust and decidable: it is closed under the four pointwise operations, and we show that all decision problems are decidable for this class. Mean-payoff automaton expressions subsume deterministic mean-payoff automata, and we show that they have expressive power incomparable to nondeterministic and alternating mean-payoff automata. We also present for the first time an algorithm to compute the distance between two quantitative languages, and in our case the quantitative languages are given as mean-payoff automaton expressions.
1 Introduction

Quantitative languages L are a natural generalization of boolean languages that assign to every word w a real number L(w) ∈ R instead of a boolean value. For instance, the value of a word (or behavior) can be interpreted as the amount of some resource (e.g., memory consumption, or power consumption) needed to produce it, or as a bound on the long-run average available use of the resource. Thus quantitative languages can specify properties related to resource-constrained programs, and an implementation LA satisfies (or refines) a specification LB if LA(w) ≤ LB(w) for all words w. This notion of refinement is a quantitative generalization of language inclusion, and it can be used to check, for example, whether for each behavior the long-run average response time of the system lies below the specified average response requirement. Hence it is crucial to identify
This research was supported by EPFL, IST Austria, LSV (ENS Cachan & CNRS), and the following grants: the European Union project COMBEST, the European Network of Excellence ArtistDesign, the DARPA grant HR0011-05-1-0057, and the NSF grant DBI-0820624.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 269–283, 2010. © Springer-Verlag Berlin Heidelberg 2010
270
K. Chatterjee et al.
some relevant class of quantitative languages for which this question is decidable. The other classical decision questions, such as emptiness, universality, and language equivalence, also have natural quantitative extensions. For example, the quantitative emptiness problem asks, given a quantitative language L and a threshold ν ∈ Q, whether there exists some word w such that L(w) ≥ ν, and the quantitative universality problem asks whether L(w) ≥ ν for all words w. Note that universality is a special case of language inclusion (where LA(w) = ν is constant). Weighted mean-payoff automata present a nice framework to express such quantitative properties [4]. A weighted mean-payoff automaton is a finite automaton with numerical weights on transitions. The value of a word w is the maximal value of all runs over w (if the automaton is nondeterministic, then there may be many runs over w), and the value of a run r is the long-run average of the weights that appear along r. A mean-payoff extension to alternating automata has been studied in [5]. Deterministic, nondeterministic and alternating mean-payoff automata are three classes of mean-payoff automata with increasing expressive power. However, none of these classes is closed under the four pointwise operations of max, min (which generalize union and intersection, respectively), numerical complement^1, and sum (see Table 1). Deterministic mean-payoff automata are not closed under max, min, and sum [6]; nondeterministic mean-payoff automata are not closed under min, sum and complement [6]; and alternating mean-payoff automata are not closed under sum [5]. Hence none of the above classes is robust with respect to closure properties.
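The value of a word under a deterministic mean-payoff automaton, and the pointwise operations on those values, can be sketched for ultimately periodic ("lasso") words as follows (our own illustration; the tuple encoding of automata is an assumption):

```python
from fractions import Fraction

def run_value(aut, prefix, cycle):
    """LimAvg value of the unique run of a deterministic automaton on
    the lasso word prefix . cycle^omega.  aut = (initial, delta, weight)
    with delta[(q, sym)] -> q' and weight[(q, sym)] -> Fraction."""
    init, delta, weight = aut
    q = init
    for sym in prefix:
        q = delta[(q, sym)]
    seen = set()
    while q not in seen:        # pump until a cycle-boundary state repeats
        seen.add(q)
        for sym in cycle:
            q = delta[(q, sym)]
    start, total, steps = q, Fraction(0), 0
    while True:                 # measure one recurrent period
        for sym in cycle:
            total += weight[(q, sym)]
            q = delta[(q, sym)]
            steps += 1
        if q == start:
            return total / steps

# two one-state automata over {a, b}: A1 counts a's, A2 counts b's
A1 = (0, {(0, 'a'): 0, (0, 'b'): 0},
     {(0, 'a'): Fraction(1), (0, 'b'): Fraction(0)})
A2 = (0, {(0, 'a'): 0, (0, 'b'): 0},
     {(0, 'a'): Fraction(0), (0, 'b'): Fraction(1)})
v1 = run_value(A1, [], ['a', 'b'])
v2 = run_value(A2, [], ['a', 'b'])
print(max(v1, v2), min(v1, v2), v1 + v2, -v1)  # pointwise ops on word values
```

The four printed quantities correspond to the pointwise max, min, sum, and numerical complement applied to the values of the two automata on the word (ab)^ω.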
Moreover, while deterministic mean-payoff automata enjoy decidability of all quantitative decision problems [4], the quantitative language-inclusion problem is undecidable for nondeterministic and alternating mean-payoff automata [10], and thus all decision problems are undecidable for alternating mean-payoff automata. Hence, although mean-payoff automata provide a nice framework to express quantitative properties, there is no known class which is both robust and decidable (see Table 1). In this paper, we introduce a new class of quantitative languages that are defined by mean-payoff automaton expressions. An expression is either a deterministic mean-payoff automaton, or the max, min, or sum of two mean-payoff automaton expressions. Since deterministic mean-payoff automata are closed under complement, mean-payoff automaton expressions form a robust class that is closed under max, min, sum and complement. We show that (a) all decision problems (quantitative emptiness, universality, inclusion, and equivalence) are decidable for mean-payoff automaton expressions; (b) mean-payoff automaton expressions are incomparable in expressive power with both nondeterministic and alternating mean-payoff automata (i.e., there are quantitative languages expressible by mean-payoff automaton expressions that are not expressible by alternating mean-payoff automata, and there are quantitative languages expressible by nondeterministic mean-payoff automata that are not expressible by mean-payoff automaton expressions); and (c) the properties of cut-point languages (i.e., the sets of words with value above a certain threshold) for deterministic automata carry over to mean-payoff automaton expressions; mainly, the cut-point language is ω-regular when the threshold is isolated (i.e., some neighborhood around the threshold contains no word). Moreover, mean-payoff automaton expressions can express all
1 The numerical complement of a quantitative language L is −L.
Table 1. Closure properties and decidability of the various classes of mean-payoff automata. Mean-payoff automaton expressions enjoy fully positive closure and decidability properties.

                      Closure properties         Decision problems
                     max  min  sum  comp.     empt.  univ.  incl.  equiv.
  Deterministic       ×    ×    ×   ✓(2)       ✓      ✓      ✓      ✓
  Nondeterministic    ✓    ×    ×    ×         ✓      ×      ×      ×
  Alternating         ✓    ✓    ×   ✓(2)       ×      ×      ×      ×
  Expressions         ✓    ✓    ✓    ✓         ✓      ✓      ✓      ✓
examples in the literature of quantitative properties using the mean-payoff measure [1,6,7]. Along with the quantitative generalizations of the classical decision problems, we also consider the notion of distance between two quantitative languages LA and LB, defined as sup_w |LA(w) − LB(w)|. When quantitative language inclusion does not hold between an implementation LA and a specification LB, the distance is relevant information for evaluating how far they are from each other, as we may accept implementations that overspend the resource but we would prefer the least expensive ones. We present the first algorithm to compute the distance between two quantitative languages: we show that the distance can be computed for mean-payoff automaton expressions. Our approach to showing decidability for mean-payoff automaton expressions relies on the characterization and algorithmic computation of the value set {LE(w) | w ∈ Σ^ω} of an expression E, i.e., the set of all values of words according to E. The value set can be viewed as an abstract representation of the quantitative language LE, and we show that all decision problems, cut-point languages and distance computation can be solved efficiently once we have this set. First, we present a precise characterization of the value set for quantitative languages defined by mean-payoff automaton expressions. In particular, we show that it is not sufficient to construct the convex hull conv(SE) of the set SE of the values of simple cycles in the mean-payoff automata occurring in E; we essentially need to apply an operator Fmin(·) which, given a set Z ⊆ R^n, computes the set of points y ∈ R^n that can be obtained by taking the pointwise minimum, in each coordinate, of the points of a subset X ⊆ Z. We show that while we need to compute the set VE = Fmin(conv(SE)) to obtain the value set, and while this set is always convex, it is not always the case that Fmin(conv(SE)) = conv(Fmin(SE)) (which would immediately give an algorithm to compute VE).
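For intuition about Fmin, its finite analogue is easy to compute: collect the coordinatewise minima of all nonempty subsets of a finite point set. This is a standalone illustration only; the paper applies Fmin to the convex hull conv(SE), not to a finite set:

```python
from itertools import combinations

def f_min(points):
    """All coordinatewise minima of nonempty subsets of `points`."""
    out = set()
    pts = list(points)
    for r in range(1, len(pts) + 1):
        for subset in combinations(pts, r):
            out.add(tuple(min(c) for c in zip(*subset)))
    return out

S = {(0, 2), (2, 0)}
print(sorted(f_min(S)))  # [(0, 0), (0, 2), (2, 0)]
```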
This may appear counterintuitive because the equality holds in R2, but we show that the equality does not hold in R3 (Example 2). Second, we provide algorithmic solutions to compute Fmin(conv(S)) for a finite set S. We first present a constructive procedure that, given S, constructs a finite set S′ such that conv(S′) = Fmin(conv(S)). The explicit construction exhibits interesting properties of the set Fmin(conv(S)); however, the procedure itself is computationally expensive. We then present an elegant and geometric construction of Fmin(conv(S)) as a set of linear constraints. The computation of Fmin(conv(S)) is a new problem in
(2) Closure under complementation holds because LimInfAvg-automata and LimSupAvg-automata are dual. It would not hold if only LimInfAvg-automata (or only LimSupAvg-automata) were allowed.
272
K. Chatterjee et al.
computational geometry, and the solutions we present could be of independent interest. Using the algorithm to compute Fmin(conv(S)), we show that all decision problems for mean-payoff automaton expressions are decidable. Due to lack of space, most proofs are given in the fuller version [3].

Related works. Quantitative languages were first studied over finite words in the context of probabilistic automata [17] and weighted automata [18]. Several works have generalized the theory of weighted automata to infinite words (see [14,12,16,2] and [13] for a survey), but none of them have considered mean-payoff conditions. Examples where the mean-payoff measure has been used to specify long-run behaviours of systems can be found in game theory [15,20] and in Markov decision processes [8]. Mean-payoff automata as a specification language have been investigated in [4,6,5], and extended in [1] to construct a new class of (non-quantitative) languages of infinite words (the multi-threshold mean-payoff languages), obtained by applying a query to a mean-payoff language, and for which emptiness is decidable. It turns out that a richer language of queries can be expressed using mean-payoff automaton expressions (together with decidability of the emptiness problem). A detailed comparison with the results of [1] is given in Section 5. Moreover, we provide algorithmic solutions to the quantitative language inclusion and equivalence problems and to distance computation, which have no counterpart for non-quantitative languages. Related notions of metrics have been addressed in stochastic games [9] and probabilistic processes [11,19].
2 Mean-Payoff Automaton Expressions

Quantitative languages. A quantitative language L over a finite alphabet Σ is a function L : Σω → R. Given two quantitative languages L1 and L2 over Σ, we denote by max(L1, L2) (resp., min(L1, L2), sum(L1, L2) and −L1) the quantitative language that assigns max(L1(w), L2(w)) (resp., min(L1(w), L2(w)), L1(w) + L2(w), and −L1(w)) to each word w ∈ Σω. The quantitative language −L is called the complement of L. The max and min operators for quantitative languages correspond respectively to the least upper bound and greatest lower bound for the pointwise order in which L1 ≤ L2 if L1(w) ≤ L2(w) for all w ∈ Σω. Thus, they generalize respectively the union and intersection operators for classical boolean languages.

Weighted automata. A Q-weighted automaton is a tuple A = ⟨Q, qI, Σ, δ, wt⟩, where
– Q is a finite set of states, qI ∈ Q is the initial state, and Σ is a finite alphabet;
– δ ⊆ Q × Σ × Q is a finite set of labelled transitions. We assume that δ is total, i.e., for all q ∈ Q and σ ∈ Σ, there exists q′ such that (q, σ, q′) ∈ δ;
– wt : δ → Q is a weight function, where Q is the set of rational numbers. We assume that rational numbers are encoded as pairs of integers in binary.
We say that A is deterministic if for all q ∈ Q and σ ∈ Σ, there exists (q, σ, q′) ∈ δ for exactly one q′ ∈ Q. We sometimes call automata nondeterministic to emphasize that they are not necessarily deterministic.

Words and runs. A word w ∈ Σω is an infinite sequence of letters from Σ. A lasso-word w in Σω is an ultimately periodic word of the form w1 · w2^ω, where w1 ∈ Σ*
MeanPayoff Automaton Expressions
273
is a finite prefix, and w2 ∈ Σ+ is a finite and non-empty word. A run of A over an infinite word w = σ1σ2 . . . is an infinite sequence r = q0σ1q1σ2 . . . of states and letters such that (i) q0 = qI, and (ii) (qi, σi+1, qi+1) ∈ δ for all i ≥ 0. We denote by wt(r) = v0v1 . . . the sequence of weights that occur in r, where vi = wt(qi, σi+1, qi+1) for all i ≥ 0.

Quantitative language of mean-payoff automata. The mean-payoff value (or limit-average) of a sequence v̄ = v0v1 . . . of real numbers is either

  LimInfAvg(v̄) = lim inf_{n→∞} (1/n) · Σ_{i=0}^{n−1} v_i,  or  LimSupAvg(v̄) = lim sup_{n→∞} (1/n) · Σ_{i=0}^{n−1} v_i.
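The definitions above can be made concrete with a small sketch (the class and helper names are mine, not the paper's): a deterministic Q-weighted automaton with a total transition function, the weight sequence of its unique run, and the limit average of a lasso-shaped weight sequence, which is simply the mean of the cycle weights.

```python
from fractions import Fraction

# Hypothetical helper names; the paper defines the notions, not this API.
class DetWeightedAutomaton:
    def __init__(self, initial, delta, wt):
        self.initial = initial
        self.delta = delta  # delta[(q, sigma)] = q'  (total, deterministic)
        self.wt = wt        # wt[(q, sigma)] = rational weight of the transition

    def run_weights(self, word):
        """The weight sequence wt(r) of the unique run over a finite word."""
        q, weights = self.initial, []
        for sigma in word:
            weights.append(self.wt[(q, sigma)])
            q = self.delta[(q, sigma)]
        return weights

def lim_avg_lasso(cycle_weights):
    """LimInfAvg = LimSupAvg for a lasso-word: the mean of the cycle weights
    (a finite prefix does not affect the limit average)."""
    return sum(map(Fraction, cycle_weights)) / len(cycle_weights)

# A one-state automaton with weight 1 on 'a' and 0 on 'b' (as A1 in Fig. 1).
a1 = DetWeightedAutomaton('q1',
                          {('q1', 'a'): 'q1', ('q1', 'b'): 'q1'},
                          {('q1', 'a'): 1, ('q1', 'b'): 0})
assert a1.run_weights('aab') == [1, 1, 0]
assert lim_avg_lasso(a1.run_weights('ab')) == Fraction(1, 2)  # value of (ab)^ω
```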
Note that if we delete or insert finitely many values in an infinite sequence of numbers, its limit-averages do not change, and if the sequence is ultimately periodic, then the LimInfAvg and LimSupAvg values coincide (and correspond to the mean of the weights on the periodic part of the sequence). However, in general the LimInfAvg and LimSupAvg values do not coincide. For Val ∈ {LimInfAvg, LimSupAvg}, the quantitative language LA of A is defined by LA(w) = sup{Val(wt(r)) | r is a run of A over w} for all w ∈ Σω. Accordingly, the automaton A and its quantitative language LA are called LimInfAvg or LimSupAvg. Note that for deterministic automata, we have LA(w) = Val(wt(r)) where r is the unique run of A over w. We omit the weight function wt when it is clear from the context, and we write LimAvg when the values according to LimInfAvg and LimSupAvg coincide (e.g., for runs with a lasso shape).

Decision problems and distance. We consider the following classical decision problems for quantitative languages, assuming an effective presentation of quantitative languages (such as mean-payoff automata, or the automaton expressions defined later). Given a quantitative language L and a threshold ν ∈ Q, the quantitative emptiness problem asks whether there exists a word w ∈ Σω such that L(w) ≥ ν, and the quantitative universality problem asks whether L(w) ≥ ν for all words w ∈ Σω. Given two quantitative languages L1 and L2, the quantitative language-inclusion problem asks whether L1(w) ≤ L2(w) for all words w ∈ Σω, and the quantitative language-equivalence problem asks whether L1(w) = L2(w) for all words w ∈ Σω. Note that universality is a special case of language inclusion where L1 is constant. Finally, the distance between L1 and L2 is Dsup(L1, L2) = sup_{w∈Σω} |L1(w) − L2(w)|. It measures how close an implementation L1 is to a specification L2.
It is known that quantitative emptiness is decidable for nondeterministic mean-payoff automata [4], while decidability was open for alternating mean-payoff automata and for the quantitative language-inclusion problem of nondeterministic mean-payoff automata. From recent undecidability results on games with imperfect information and mean-payoff objective [10], we derive that these problems are undecidable (Theorem 5).

Robust quantitative languages. A class Q of quantitative languages is robust if the class is closed under the max, min, sum and complementation operations. The closure properties allow quantitative languages from a robust class to be described compositionally. While nondeterministic LimInfAvg- and LimSupAvg-automata are closed
under the max operation, they are not closed under min and complement [6]. Alternating LimInfAvg- and LimSupAvg-automata(3) are closed under max and min, but are not closed under complementation and sum [5]. We define a robust class of quantitative languages for mean-payoff automata which is closed under max, min, sum, and complement, and which can express all natural examples of quantitative languages defined using the mean-payoff measure [1,6,7].

Mean-payoff automaton expressions. A mean-payoff automaton expression E is obtained by the following grammar rule:

  E ::= A | max(E, E) | min(E, E) | sum(E, E)

where A is a deterministic LimInfAvg- or LimSupAvg-automaton. The quantitative language LE of a mean-payoff automaton expression E is LE = LA if E = A is a deterministic automaton, and LE = op(LE1, LE2) if E = op(E1, E2) for op ∈ {max, min, sum}. By definition, the class of mean-payoff automaton expressions is closed under max, min and sum. Closure under complement follows from the fact that the complement of max(E1, E2) is min(−E1, −E2), the complement of min(E1, E2) is max(−E1, −E2), the complement of sum(E1, E2) is sum(−E1, −E2), and the complement of a deterministic LimInfAvg-automaton can be defined by the same automaton with opposite weights and interpreted as a LimSupAvg-automaton, and vice versa, since − lim sup(v0, v1, . . . ) = lim inf(−v0, −v1, . . . ). Note that arbitrary linear combinations of deterministic mean-payoff automaton expressions (expressions such as c1E1 + c2E2 where c1, c2 ∈ Q are rational constants) can be obtained for free, since scaling the weights of a mean-payoff automaton by a positive factor c results in a quantitative language scaled by the same factor.
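The complementation rules above push negation down to the leaves of an expression. A hedged sketch (the tuple encoding of expressions is mine, not the paper's): expressions are syntax trees, −max is min of complements, −min is max of complements, −sum is sum of complements, and a deterministic leaf is complemented by negating its weights and swapping LimInfAvg with LimSupAvg.

```python
# ('leaf', value_type, weights) or (op, e1, e2) with op in {'max','min','sum'};
# this encoding is an assumption made for illustration.
def complement(e):
    if e[0] == 'leaf':
        _, val, wts = e
        dual = 'LimSupAvg' if val == 'LimInfAvg' else 'LimInfAvg'
        # negate every transition weight and dualize the acceptance value
        return ('leaf', dual, {t: -w for t, w in wts.items()})
    op, e1, e2 = e
    dual_op = {'max': 'min', 'min': 'max', 'sum': 'sum'}[op]
    return (dual_op, complement(e1), complement(e2))

E = ('max',
     ('leaf', 'LimInfAvg', {'t': 2}),
     ('min', ('leaf', 'LimSupAvg', {'u': 3}), ('leaf', 'LimInfAvg', {'v': -1})))
C = complement(E)
assert C[0] == 'min' and C[1] == ('leaf', 'LimSupAvg', {'t': -2})
assert complement(complement(E)) == E   # complementation is an involution
```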
3 The Vector Set of Mean-Payoff Automaton Expressions

Given a mean-payoff automaton expression E, let A1, . . . , An be the deterministic weighted automata occurring in E. The vector set of E is the set VE = {(LA1(w), . . . , LAn(w)) ∈ Rn | w ∈ Σω} of tuples of values of words according to each automaton Ai. In this section, we characterize the vector set of mean-payoff automaton expressions, and in Section 4 we give an algorithmic procedure to compute this set. This will be useful to establish the decidability of all decision problems, and to compute the distance between mean-payoff automaton expressions. Given a vector v ∈ Rn, we denote by ‖v‖ = max_i |v_i| the ∞-norm of v. The synchronized product of A1, . . . , An, where Ai = ⟨Qi, qI^i, Σ, δi, wti⟩, is the Qn-weighted automaton AE = A1 × · · · × An = ⟨Q1 × · · · × Qn, (qI^1, . . . , qI^n), Σ, δ, wt⟩ such that t = ((q1, . . . , qn), σ, (q1′, . . . , qn′)) ∈ δ if ti := (qi, σ, qi′) ∈ δi for all 1 ≤ i ≤ n, and wt(t) = (wt1(t1), . . . , wtn(tn)). In the sequel, we assume that all Ai's are deterministic LimInfAvg-automata (hence, AE is deterministic) and that the underlying graph of the automaton AE has only one strongly connected component (scc). We show later how to obtain the vector set without these restrictions.
(3) See [5] for the definition of alternating LimInfAvg- and LimSupAvg-automata, which generalize nondeterministic automata.
[Fig. 1: the deterministic automata A1 (single state q1, weights a:1, b:0) and A2 (single state q2, weights a:0, b:1), and, on the right, the segment H = conv(SE) from (0, 1) to (1, 0) together with the triangle Fmin(H) with corners (0, 0), (1, 0) and (0, 1).]

Fig. 1. The vector set of E = max(A1, A2) is Fmin(conv(SE)) ⊋ conv(SE)
For each (simple) cycle ρ in AE, let the vector value of ρ be the mean of the tuples labelling the edges of ρ, denoted Avg(ρ). To each simple cycle ρ in AE corresponds a (not necessarily simple) cycle in each Ai, and the vector value (v1, . . . , vn) of ρ contains the mean value vi of ρ in each Ai. We denote by SE the (finite) set of vector values of simple cycles in AE. Let conv(SE) be the convex hull of SE.

Lemma 1. Let E be a mean-payoff automaton expression. The set conv(SE) is the closure of the set {(LA1(w), . . . , LAn(w)) | w is a lasso-word}.

The vector set of E contains more values than the convex hull conv(SE), as shown by the following example.

Example 1. Consider the expression E = max(A1, A2) where A1 and A2 are deterministic LimInfAvg-automata (see Fig. 1). The product AE = A1 × A2 has two simple cycles, with respective vector values (1, 0) (on letter 'a') and (0, 1) (on letter 'b'). The set H = conv(SE) is the solid segment on Fig. 1 and contains the vector values of all lasso-words. However, other vector values can be obtained: consider the word w = a^{n1} b^{n2} a^{n3} b^{n4} . . . where n1 = 1 and n_{i+1} = (n1 + · · · + ni)^2 for all i ≥ 1. It is easy to see that the value of w according to A1 is 0, because the average number of a's in the prefixes a^{n1} b^{n2} . . . a^{ni} b^{n_{i+1}} for i odd is smaller than (n1 + · · · + ni)/(n1 + · · · + ni + n_{i+1}) = 1/(1 + n1 + · · · + ni), which tends to 0 when i → ∞. Since A1 is a LimInfAvg-automaton, the value of w is 0 in A1, and by a symmetric argument the value of w is also 0 in A2. Therefore the vector (0, 0) is in the vector set of E. Note that z = (z1, z2) = (0, 0) is the pointwise minimum of x = (x1, x2) = (1, 0) and y = (y1, y2) = (0, 1), i.e., z = fmin(x, y) where z1 = min(x1, y1) and z2 = min(x2, y2). In fact, the vector set is the whole triangular region in Fig. 1, i.e., VE = {fmin(x, y) | x, y ∈ conv(SE)}.
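The bound used in Example 1 can be checked numerically. This is a sketch that merely recomputes the block lengths n_i of the example and verifies the stated inequality for the first few odd i:

```python
# With n1 = 1 and n_{i+1} = (n1 + ... + n_i)^2, the fraction of a's in the
# prefix a^{n1} b^{n2} ... a^{n_i} b^{n_{i+1}} (i odd) is at most
# 1 / (1 + n1 + ... + n_i), which tends to 0.
ns = [1]
while len(ns) < 6:
    ns.append(sum(ns) ** 2)          # ns = [1, 1, 4, 36, 1764, 3261636]

for i in (1, 3, 5):                   # i odd: the prefix consists of blocks 1..i+1
    blocks = ns[:i + 1]
    num_a = sum(blocks[0::2])         # blocks n1, n3, ... consist of a's
    frac_a = num_a / sum(blocks)
    assert frac_a <= 1 / (1 + sum(ns[:i]))
```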
We generalize fmin to finite sets of points P ⊆ Rn in n dimensions as follows: fmin(P) ∈ Rn is the point p = (p1, p2, . . . , pn) such that pi is the minimum i-th coordinate of the points in P, for 1 ≤ i ≤ n. For an arbitrary S ⊆ Rn, define Fmin(S) = {fmin(P) | P is a finite subset of S}. As illustrated in Example 1, the next lemma shows that the vector set VE is equal to Fmin(conv(SE)).

Lemma 2. Let E be a mean-payoff automaton expression built from deterministic LimInfAvg-automata, and such that AE has only one strongly connected component. Then, the vector set of E is VE = Fmin(conv(SE)).
For a general mean-payoff automaton expression E (with both deterministic LimInfAvg- and LimSupAvg-automata, and with a multi-scc underlying graph), we can use the result of Lemma 2 as follows. We replace each LimSupAvg-automaton Ai occurring in E by the LimInfAvg-automaton Ai′ obtained from Ai by replacing every weight wt by −wt. The duality of lim inf and lim sup yields LAi′ = −LAi. In each strongly connected component C of the underlying graph of AE, we compute VC = Fmin(conv(SC)) (where SC is the set of vector values of the simple cycles in C) and apply the transformation xi → −xi on every coordinate i where the automaton Ai was originally a LimSupAvg-automaton. The union of the sets VC, where C ranges over the strongly connected components of AE, gives the vector set of E.

Theorem 1. Let E be a mean-payoff automaton expression built from deterministic LimInfAvg-automata, and let Z be the set of strongly connected components of AE. For a strongly connected component C, let SC denote the set of vector values of the simple cycles in C. The vector set of E is VE = ∪_{C∈Z} Fmin(conv(SC)).
4 Computation of Fmin(conv(S)) for a Finite Set S

It follows from Theorem 1 that the vector set VE of a mean-payoff automaton expression E can be obtained as a union of sets Fmin(conv(S)), where S ⊆ Rn is a finite set. However, since conv(S) is in general infinite, it is not immediate that Fmin(conv(S)) is computable. In this section we consider the problem of computing Fmin(conv(S)) for a finite set S. In Subsection 4.1 we present an explicit construction, and in Subsection 4.2 we give a geometric construction of the set as a set of linear constraints. We first present some properties of the set Fmin(conv(S)).

Lemma 3. If X is a convex set, then Fmin(X) is convex.

By Lemma 3, the set Fmin(conv(S)) is convex, and since Fmin is a monotone operator and S ⊆ conv(S), we have Fmin(S) ⊆ Fmin(conv(S)) and thus conv(Fmin(S)) ⊆ Fmin(conv(S)). The following proposition states that in two dimensions the above sets coincide.

Proposition 1. Let S ⊆ R2 be a finite set. Then, conv(Fmin(S)) = Fmin(conv(S)).

We show in the following example that in three dimensions the above proposition does not hold, i.e., we show that Fmin(conv(SE)) ≠ conv(Fmin(SE)) in R3.

Example 2. We show that in three dimensions there is a finite set S such that Fmin(conv(S)) ⊄ conv(Fmin(S)). Let S = {q, r, s} with q = (0, 1, 0), r = (−1, −1, 1), and s = (1, 1, 1). Then fmin(r, s) = r, fmin(q, r, s) = fmin(q, r) = t = (−1, −1, 0), and fmin(q, s) = q. Therefore Fmin(S) = {q, r, s, t}. Consider p = (r + s)/2 = (0, 0, 1). We have p ∈ conv(S) and fmin(p, q) = (0, 0, 0). Hence (0, 0, 0) ∈ Fmin(conv(S)). We now show that (0, 0, 0) does not belong to conv(Fmin(S)). Consider u = αq · q + αr · r + αs · s + αt · t such that u ∈ conv(Fmin(S)). Since the third coordinate is nonnegative for q, r, s, and t, it follows that if αr > 0 or αs > 0, then the third coordinate of u is positive. If αs = 0 and αr = 0, then we have two cases: (a) if αt > 0, then the first coordinate of u is negative; and (b) if αt = 0, then the second coordinate of u is 1. It follows that (0, 0, 0) is not in conv(Fmin(S)).
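The computations in Example 2 are easy to verify mechanically. A small sketch (the helper name fmin mirrors the paper's notation; the brute-force enumeration is mine):

```python
from itertools import combinations

def fmin(points):
    """Coordinatewise minimum of a finite collection of points."""
    return tuple(min(c) for c in zip(*points))

q, r, s = (0, 1, 0), (-1, -1, 1), (1, 1, 1)
S = [q, r, s]
# Fmin(S): fmin over all non-empty subsets of S.
F = {fmin(P) for k in range(1, 4) for P in combinations(S, k)}
t = (-1, -1, 0)
assert F == {q, r, s, t}                        # Fmin(S) = {q, r, s, t}

p = tuple((a + b) / 2 for a, b in zip(r, s))    # p = (r + s)/2 = (0, 0, 1) ∈ conv(S)
assert fmin([p, q]) == (0, 0, 0)                # so (0, 0, 0) ∈ Fmin(conv(S))
```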
4.1 Explicit Construction

Example 2 shows that in general Fmin(conv(S)) ⊄ conv(Fmin(S)). In this section we present an explicit construction that, given a finite set S, constructs a finite set S′ such that (a) S ⊆ S′ ⊆ conv(S) and (b) Fmin(conv(S)) ⊆ conv(Fmin(S′)). It would follow that Fmin(conv(S)) = conv(Fmin(S′)). Since the convex hull of a finite set is computable and Fmin(S′) is finite, this would give us an algorithm to compute Fmin(conv(S)). For simplicity, for the rest of the section we write F for Fmin and f for fmin (i.e., we drop the min subscript). Recall that F(S) = {f(P) | P is a finite subset of S}, and let Fi(S) = {f(P) | P is a finite subset of S and |P| ≤ i}. We consider S ⊆ Rn.

Lemma 4. Let S ⊆ Rn. Then, F(S) = Fn(S) and Fn(S) ⊆ F_{2^{n−1}}(S).

Iteration of a construction γ. We will present a construction γ with the following properties: the input to the construction is a finite set Y of points, and the output γ(Y) satisfies the following properties:
1. (Condition C1). γ(Y) is finite and a subset of conv(Y).
2. (Condition C2). F2(conv(Y)) ⊆ conv(F(γ(Y))).
Before presenting the construction γ, we first show how to iterate the construction to obtain the following result: given a finite set of points X, we construct a finite set of points X′ such that F(conv(X)) = conv(F(X′)).

Iterating γ. Consider a finite set of points X, and let X0 = X and X1 = γ(X0). Then conv(X1) ⊆ conv(conv(X0)) (since by Condition C1 we have X1 ⊆ conv(X0)) and hence conv(X1) ⊆ conv(X0); and F2(conv(X0)) ⊆ conv(F(X1))
(by Condition C2)
For i ≥ 2, let Xi = γ(Xi−1). By iteration we obtain that for Xn−1 we have
(1) conv(Xn−1) ⊆ conv(X0)
(2) F_{2^{n−1}}(conv(X0)) ⊆ conv(F(Xn−1))
From (1) and (2) above, along with Lemma 4 and Lemma 3, we obtain the following properties:
(A) F(conv(X0)) = Fn(conv(X0)) ⊆ F_{2^{n−1}}(conv(X0)) ⊆ conv(F(Xn−1))
(B) conv(F(Xn−1)) ⊆ conv(F(conv(Xn−1))) ⊆ F(conv(X0))
By (A) and (B) above we have F(conv(X0)) = conv(F(Xn−1)). Thus, given the finite set X, we have the finite set Xn−1 such that (a) X ⊆ Xn−1 ⊆ conv(X) and (b) F(conv(X)) = conv(F(Xn−1)). We now present the construction γ to complete the result.

The construction γ. Given a finite set Y of points, Y′ = γ(Y) is obtained by adding points to Y in the following way:
– For all 1 ≤ k ≤ n, we consider all k-dimensional coordinate planes Π supported by a point in Y;
– We intersect each coordinate plane Π with conv(Y); the result is a convex polytope YΠ;
– We add the corners (or extreme points) of each polytope YΠ to Y.
The proof that the above construction satisfies Conditions C1 and C2 is given in the fuller version [3], and thus we have the following result.

Theorem 2. Given a finite set S ⊆ Rn with |S| = m, the following assertion holds: a finite set S′ with |S′| ≤ m^{2^n} · 2^{n^2+n} can be computed in m^{O(n·2^n)} · 2^{O(n^3)} time such that (a) S ⊆ S′ ⊆ conv(S) and (b) Fmin(conv(S)) = conv(Fmin(S′)).

4.2 Linear Constraint Construction

In the previous section we presented an explicit construction of a finite set of points whose convex hull gives us Fmin(conv(S)). The explicit construction shows interesting properties of the set Fmin(conv(S)); however, it is computationally inefficient. In this subsection we present an efficient geometric construction for the computation of Fmin(conv(S)) for a finite set S. Instead of constructing a finite set S′ ⊆ conv(S) such that conv(S′) = Fmin(conv(S)), we represent Fmin(conv(S)) as a finite set of linear constraints. Consider the positive orthant anchored at the origin in Rn, that is, the set of points with nonnegative coordinates: Rn+ = {(z1, z2, . . . , zn) | zi ≥ 0 for all i}. Similarly, the negative orthant is the set of points with nonpositive coordinates, denoted Rn− = −Rn+. Using vector addition, we write y + Rn+ for the positive orthant anchored at y. Similarly, we write x + Rn− = x − Rn+ for the negative orthant anchored at x. The positive and negative orthants satisfy the following simple duality relation: x ∈ y + Rn+ iff y ∈ x − Rn+. Note that Rn+ is an n-dimensional convex polyhedron. For each 1 ≤ j ≤ n, we consider the (n − 1)-dimensional face Lj spanned by all the coordinate axes except the j-th one, that is, Lj = {(z1, z2, . . . , zn) ∈ Rn+ | zj = 0}.
We say that y + Rn+ is supported by X if (y + Lj) ∩ X ≠ ∅ for every 1 ≤ j ≤ n. Assuming y + Rn+ is supported by X, we can construct a set Y ⊆ X by collecting one point per (n − 1)-dimensional face of the orthant, and we get y = f(Y). It is also allowed that two faces contribute the same point to Y. Similarly, if y = f(Y) for a subset Y ⊆ X, then the positive orthant anchored at y is supported by X. Hence, we get the following lemma.

Lemma 5 (Orthant Lemma). y ∈ Fmin(X) iff y + Rn+ is supported by X.

Construction. We use the Orthant Lemma to construct Fmin(X). We begin by describing the set of points y for which the j-th face of the positive orthant anchored at y has a nonempty intersection with X. Define Fj = X − Lj, the set of points of the form x − z, where x ∈ X and z ∈ Lj.

Lemma 6 (Face Lemma). (y + Lj) ∩ X ≠ ∅ iff y ∈ Fj.
Proof. Let x ∈ X be a point in the intersection, that is, x ∈ y + Lj. Using the duality relation for the (n − 1)-dimensional orthant, we get y ∈ x − Lj. By definition, x − Lj is a subset of X − Lj, and hence y ∈ Fj. The converse direction follows by reversing these steps. □
It is now easy to describe the set defined in our problem statement.

Lemma 7 (Characterization). Fmin(X) = ∩_{j=1}^{n} Fj.

Proof. By the Orthant Lemma, y ∈ Fmin(X) iff y + Rn+ is supported by X. Equivalently, (y + Lj) ∩ X ≠ ∅ for all 1 ≤ j ≤ n. By the Face Lemma, this is equivalent to y belonging to the common intersection of the sets Fj = X − Lj. □
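For a finite X, the Orthant Lemma gives a direct membership test: y ∈ Fmin(X) iff, for each coordinate j, some x ∈ X has x_j = y_j and dominates y coordinatewise. A sketch (helper names are mine) cross-checking this test against the brute-force definition, and also illustrating Lemma 4's claim that subsets of size ≤ n suffice:

```python
from itertools import combinations

def fmin(points):
    return tuple(min(c) for c in zip(*points))

def F(X, max_size):
    """fmin over all non-empty subsets of X of size at most max_size."""
    return {fmin(P) for k in range(1, max_size + 1) for P in combinations(X, k)}

def in_Fmin(y, X):
    """Orthant Lemma for finite X: every face y + Lj of the positive orthant
    anchored at y must meet X."""
    n = len(y)
    return all(any(x[j] == y[j] and all(x[i] >= y[i] for i in range(n))
                   for x in X)
               for j in range(n))

X = [(0, 1, 0), (-1, -1, 1), (1, 1, 1), (2, 0, -1), (0, 2, 2)]
brute = F(X, len(X))
assert F(X, 3) == brute                 # n = 3: subsets of size ≤ n suffice (Lemma 4)
for y in brute:
    assert in_Fmin(y, X)                # every brute-force point passes the test
assert not in_Fmin((-5, -5, -5), X)     # no x ∈ X has any coordinate equal to -5
```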
Algorithm for the computation of Fmin(conv(S)). Following the construction, we get an algorithm that computes Fmin(conv(S)) for a finite set S of points in Rn. Let |S| = m. We first represent X = conv(S) as an intersection of half-spaces: we require at most m^n half-spaces (linear constraints). It follows that Fj = X − Lj can be expressed as m^n linear constraints, and hence Fmin(X) = ∩_{j=1}^{n} Fj can be expressed as n · m^n linear constraints. This gives us the following result.

Theorem 3. Given a finite set S of m points in Rn, we can construct in O(n · m^n) time n · m^n linear constraints that represent Fmin(conv(S)).
5 Mean-Payoff Automaton Expressions Are Decidable

Several problems on quantitative languages can be solved for the class of mean-payoff automaton expressions using the vector set. The decision problems of quantitative emptiness and universality, and quantitative language inclusion and equivalence, are all decidable, as are questions related to cut-point languages and computing the distance between mean-payoff languages.

Decision problems and distance. From the vector set VE = {(LA1(w), . . . , LAn(w)) ∈ Rn | w ∈ Σω}, we can compute the value set LE(Σω) = {LE(w) | w ∈ Σω} of values of words according to the quantitative language of E as follows. The set LE(Σω) is obtained by successive application of min-, max- and sum-projections p^min_ij, p^max_ij, p^sum_ij : Rk → Rk−1, where i < j ≤ k, defined by

  p^min_ij((x1, . . . , xk)) = (x1, . . . , xi−1, min(xi, xj), xi+1, . . . , xj−1, xj+1, . . . , xk),
  p^sum_ij((x1, . . . , xk)) = (x1, . . . , xi−1, xi + xj, xi+1, . . . , xj−1, xj+1, . . . , xk),
and analogously for p^max_ij. For example, p^max_12(p^min_23(VE)) gives the set LE(Σω) of word values of the mean-payoff automaton expression E = max(A1, min(A2, A3)). Assuming a representation of the polytopes of VE as a boolean combination ϕE of linear constraints, the projection p^min_ij(VE) is represented by the formula
  ψ = (∃xj : ϕE ∧ xi ≤ xj) ∨ (∃xi : ϕE ∧ xj ≤ xi)[xj ← xi]

where [x ← e] is a substitution that replaces every occurrence of x by the expression e. Since linear constraints over the reals admit effective elimination of existential quantification, the formula ψ can be transformed into an equivalent boolean combination
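On a finite set of sample vectors, these projections are straightforward to implement. A sketch (the symbolic algorithm above operates on linear constraints with quantifier elimination instead; the indices here are 0-based rather than the paper's 1-based i < j):

```python
def p_min(V, i, j):
    """Replace coordinates i, j by min(x_i, x_j) and drop coordinate j."""
    return {x[:i] + (min(x[i], x[j]),) + x[i + 1:j] + x[j + 1:] for x in V}

def p_max(V, i, j):
    return {x[:i] + (max(x[i], x[j]),) + x[i + 1:j] + x[j + 1:] for x in V}

def p_sum(V, i, j):
    return {x[:i] + (x[i] + x[j],) + x[i + 1:j] + x[j + 1:] for x in V}

# E = max(A1, min(A2, A3)): fold the sample vector set from the inside out.
V = {(1, 0, 2), (0, 3, 1)}              # sample vectors (L_A1(w), L_A2(w), L_A3(w))
values = p_max(p_min(V, 1, 2), 0, 1)    # {(max(x1, min(x2, x3)),)} per vector
assert values == {(1,)}
```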
of linear constraints without existential quantification. The same applies to the max- and sum-projections. Successive applications of min-, max- and sum-projections (following the structure of the mean-payoff automaton expression E) give the value set LE(Σω) ⊆ R as a boolean combination of linear constraints, hence it is a union of intervals. From this set, it is easy to decide the quantitative emptiness problem and the quantitative universality problem: there exists a word w ∈ Σω such that LE(w) ≥ ν if and only if LE(Σω) ∩ [ν, +∞[ ≠ ∅, and LE(w) ≥ ν for all words w ∈ Σω if and only if LE(Σω) ∩ ]−∞, ν[ = ∅. In the same way, we can decide the quantitative language-inclusion problem "is LE(w) ≤ LF(w) for all words w ∈ Σω?" by a reduction to the universality problem for the expression F − E and threshold 0, since mean-payoff automaton expressions are closed under sum and complement. The quantitative language-equivalence problem is then obviously also decidable. Finally, the distance between the quantitative languages of E and F can be computed as the largest number (in absolute value) in the value set of F − E. As a corollary, this distance is always a rational number.

Comparison with [1]. The work in [1] considers deterministic mean-payoff automata with multiple payoffs. The weight function in such an automaton is of the form wt : δ → Qd. The value of a finite sequence (vi)1≤i≤n (where vi ∈ Qd) is the mean of the tuples vi, that is, the d-dimensional vector Avg_n = (1/n) · Σ_{i=0}^{n−1} v_i. The "value" associated to an infinite run (and thus also to the corresponding word, since the automaton is deterministic) is the set Acc ⊆ Rd of accumulation points of the sequence (Avg_n)n≥1. In [1], a query language on the set of accumulation points is used to define multi-threshold mean-payoff languages. For 1 ≤ i ≤ d, let pi : Rd → R be the usual projection along the i-th coordinate.
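Once the value set is represented as a finite union of intervals, the emptiness and universality checks above become one-line interval tests. A sketch that assumes closed intervals for simplicity (the actual construction also tracks open endpoints):

```python
def exists_word_geq(value_set, nu):
    """∃w: L_E(w) ≥ ν  iff  value set ∩ [ν, +∞) is non-empty."""
    return any(hi >= nu for (lo, hi) in value_set)

def all_words_geq(value_set, nu):
    """∀w: L_E(w) ≥ ν  iff  value set ∩ (−∞, ν) is empty."""
    return all(lo >= nu for (lo, hi) in value_set)

V = [(0, 1), (2, 3)]        # a toy value set: [0, 1] ∪ [2, 3]
assert exists_word_geq(V, 2.5)       # 2.5 is reachable within [2, 3]
assert not all_words_geq(V, 0.5)     # some word has value in [0, 0.5)
```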
A query is a boolean combination of atomic threshold conditions of the form min(pi(Acc)) ∼ ν or max(pi(Acc)) ∼ ν, where ∼ ∈ {<, ≤, ≥, >} and ν ∈ Q. A word is accepted if the set of accumulation points of its (unique) run satisfies the query. Emptiness is decidable for such multi-threshold mean-payoff languages, by an argument based on the computation of the convex hull of the vector values of the simple cycles in the automaton [1] (see also Lemma 1). We have shown that this convex hull conv(SE) is not sufficient to analyze quantitative languages of mean-payoff automaton expressions. It turns out that a richer query language can also be defined using our construction of Fmin(conv(SE)). In our setting, we can view a d-dimensional mean-payoff automaton A as a product PA of 2d copies A_t^i of A (where 1 ≤ i ≤ d and t ∈ {LimInfAvg, LimSupAvg}), where A_t^i assigns to each transition the i-th coordinate of the payoff vector in A, and the automaton is interpreted as a t-automaton. Intuitively, the set Acc of accumulation points of a word w satisfies min(pi(Acc)) ∼ ν (resp. max(pi(Acc)) ∼ ν) if and only if the value of w according to the automaton A_t^i for t = LimInfAvg (resp. t = LimSupAvg) is ∼ ν. Therefore, atomic threshold conditions can be encoded as threshold conditions on single variables of the vector set for PA, and the vector set computed in Section 4 allows us to decide the emptiness problem for multi-threshold mean-payoff languages, by checking emptiness of the intersection of the vector set with the constraint corresponding to the query.
Furthermore, we can solve more expressive queries in our framework, namely where atomic conditions are linear constraints on LimInfAvg- and LimSupAvg-values. For example, the constraint LimInfAvg(wt1) + LimSupAvg(wt2) ∼ ν is simply encoded as xk + xl ∼ ν, where k, l are the indices corresponding to A^1_LimInfAvg and A^2_LimSupAvg respectively. Note that the trick of extending the dimension of the d-payoff vector with, say, wt_{d+1} = wt1 + wt2 is not equivalent, because LimInfAvg(wt1) ± LimInfAvg(wt2) (resp. with LimSupAvg) is not equal to LimInfAvg(wt1 ± wt2) (resp. LimSupAvg(wt1 ± wt2)) in general, no matter the choice of Inf or Sup and of ±. Hence, in the context of non-quantitative languages, our results also provide a richer query language for deterministic mean-payoff automata with multiple payoffs.

Complexity. All problems studied in this section can be solved easily (in polynomial time) once the value set is constructed, which can be done in quadruple exponential time. The quadruple exponential blowup is caused by (a) the synchronized product construction for E, (b) the computation of the vector values of all simple cycles in AE, (c) the construction of the vector set Fmin(conv(SE)), and (d) the successive projections of the vector set to obtain the value set. Therefore, all the above problems can be solved in 4EXPTIME.

Theorem 4. For the class of mean-payoff automaton expressions, the quantitative emptiness, universality, language inclusion, and equivalence problems, as well as distance computation, can be solved in 4EXPTIME.

Theorem 4 is in sharp contrast with the nondeterministic and alternating mean-payoff automata, for which language inclusion is undecidable (see also Table 1). The following theorem presents the undecidability results derived from the results of [10].

Theorem 5.
The quantitative universality, language inclusion, and language equivalence problems are undecidable for nondeterministic mean-payoff automata; and the quantitative emptiness, universality, language inclusion, and language equivalence problems are undecidable for alternating mean-payoff automata.
6 Expressive Power and Cut-Point Languages

We study the expressive power of mean-payoff automaton expressions (i) according to the class of quantitative languages that they define, and (ii) according to their cut-point languages.

Expressive power comparison. We compare the expressive power of mean-payoff automaton expressions with nondeterministic and alternating mean-payoff automata. The results of [6] show that there exist deterministic mean-payoff automata A1 and A2 such that min(A1, A2) cannot be expressed by nondeterministic mean-payoff automata. The results of [5] show that there exist deterministic mean-payoff automata A1 and A2 such that sum(A1, A2) cannot be expressed by alternating mean-payoff automata. It follows that there exist languages expressible by mean-payoff automaton expressions that cannot be expressed by nondeterministic and alternating mean-payoff automata. In Theorem 6 we show the converse, that is, we show that there exist languages expressible by nondeterministic mean-payoff automata that cannot be expressed by mean-payoff automaton expressions. It may be noted that the subclass of mean-payoff
automaton expressions that only use the min and max operators (and no sum operator) is a strict subclass of alternating mean-payoff automata, and when only the max operator is used we get a strict subclass of the nondeterministic mean-payoff automata.

Theorem 6. Mean-payoff automaton expressions are incomparable in expressive power with nondeterministic and alternating mean-payoff automata: (a) there exists a quantitative language that is expressible by mean-payoff automaton expressions, but cannot be expressed by alternating mean-payoff automata; and (b) there exists a quantitative language that is expressible by a nondeterministic mean-payoff automaton, but cannot be expressed by a mean-payoff automaton expression.

Cut-point languages. Let L be a quantitative language over Σ. Given a threshold η ∈ R, the cut-point language defined by (L, η) is the language (i.e., the set of words) L≥η = {w ∈ Σω | L(w) ≥ η}. It is known for deterministic mean-payoff automata that the cut-point language may not be ω-regular, while it is ω-regular if the threshold η is isolated, i.e., if there exists ε > 0 such that |L(w) − η| > ε for all words w ∈ Σω [6]. We present the following results about cut-point languages of mean-payoff automaton expressions. First, we note that it is decidable whether a rational threshold η is an isolated cut-point of a mean-payoff automaton expression, using the value set (it suffices to check that η is not in the value set, since this set is closed). Second, isolated cut-point languages of mean-payoff automaton expressions are robust, as they remain unchanged under sufficiently small perturbations of the transition weights. This result follows from a more general robustness property of weighted automata [6] that extends to mean-payoff automaton expressions: if the weights in the automata occurring in E are changed by at most ε, then the value of every word changes by at most max(k, 1) · ε, where k is the number of occurrences of the sum operator in E.
Therefore Dsup(LE, LF) → 0 as ε → 0, where F is any mean-payoff automaton expression obtained from E by changing the weights by at most ε. As a consequence, isolated cut-point languages of mean-payoff automaton expressions are robust.
Third, the isolated cut-point language of a mean-payoff automaton expression is ω-regular. To see this, note that every strongly connected component of the product automaton AE contributes a closed convex set to the value set of E. Since the max-, min- and sum-projections are continuous functions, they preserve connectedness of sets, and therefore each scc C contributes an interval [mC, MC] to the value set of E. An isolated cut-point η cannot belong to any of these intervals, and therefore we obtain a Büchi automaton for the cut-point language by declaring to be accepting the states of the product automaton AE that belong to an scc C such that mC > η. Hence, we get the following result.
Theorem 7. Let L be the quantitative language of a mean-payoff automaton expression. If η is an isolated cut-point of L, then the cut-point language L≥η is ω-regular.
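The isolation test and the choice of accepting sccs described above can be sketched concretely. The following helper is hypothetical (not from the paper); it assumes the value set of E has already been computed as one interval [mC, MC] per scc of the product automaton AE:

```python
def isolated_cutpoint_accepting_sccs(intervals, eta):
    """Decide whether eta is an isolated cut-point, given the value set of a
    mean-payoff automaton expression E as one interval (m_C, M_C) per scc C
    of the product automaton A_E.  Returns None when eta lies in the (closed)
    value set, i.e. is not isolated; otherwise returns the indices of the
    sccs to declare accepting in the Buchi automaton (those with m_C > eta)."""
    if any(m <= eta <= M for (m, M) in intervals):
        return None   # eta belongs to the value set: not isolated
    return [i for i, (m, M) in enumerate(intervals) if m > eta]
```

For instance, with intervals [(0, 1), (2, 3)] the threshold 1.5 is isolated and only the second scc is declared accepting.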
7 Conclusion and Future Work
We have presented a new class of quantitative languages, the mean-payoff automaton expressions, which are both robust and decidable (see Table 1), and for which the distance between quantitative languages can be computed. The decidability results come
with a high worst-case complexity, and it is a natural question for future work to either improve the algorithmic solution or present a matching lower bound. Another question of interest is to find a robust and decidable class of quantitative languages based on the discounted-sum measure [4].
References
1. Alur, R., Degorre, A., Maler, O., Weiss, G.: On omega-languages defined by mean-payoff conditions. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 333–347. Springer, Heidelberg (2009)
2. Bojanczyk, M.: Beyond omega-regular languages. In: Proc. of STACS. LIPIcs, vol. 3. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2010)
3. Chatterjee, K., Doyen, L., Edelsbrunner, H., Henzinger, T.A., Rannou, P.: Mean-payoff automaton expressions. CoRR, abs/1006.1492 (2010)
4. Chatterjee, K., Doyen, L., Henzinger, T.A.: Quantitative languages. In: Kaminski, M., Martini, S. (eds.) CSL 2008. LNCS, vol. 5213, pp. 385–400. Springer, Heidelberg (2008)
5. Chatterjee, K., Doyen, L., Henzinger, T.A.: Alternating weighted automata. In: Gębala, M. (ed.) FCT 2009. LNCS, vol. 5699, pp. 3–13. Springer, Heidelberg (2009)
6. Chatterjee, K., Doyen, L., Henzinger, T.A.: Expressiveness and closure properties for quantitative languages. In: Proc. of LICS, pp. 199–208. IEEE, Los Alamitos (2009)
7. Chatterjee, K., Ghosal, A., Henzinger, T.A., Iercan, D., Kirsch, C., Pinello, C., Sangiovanni-Vincentelli, A.: Logical reliability of interacting real-time tasks. In: Proc. of DATE, pp. 909–914. ACM, New York (2008)
8. de Alfaro, L.: How to specify and verify the long-run average behavior of probabilistic systems. In: Proc. of LICS, pp. 454–465. IEEE, Los Alamitos (1998)
9. de Alfaro, L., Majumdar, R., Raman, V., Stoelinga, M.: Game relations and metrics. In: Proc. of LICS, pp. 99–108. IEEE, Los Alamitos (2007)
10. Degorre, A., Doyen, L., Gentilini, R., Raskin, J.-F., Toruńczyk, S.: Energy and mean-payoff games with imperfect information. In: Proc. of CSL. LNCS. Springer, Heidelberg (to appear, 2010)
11. Desharnais, J., Gupta, V., Jagadeesan, R., Panangaden, P.: Metrics for labeled Markov systems. In: Baeten, J.C.M., Mauw, S. (eds.) CONCUR 1999. LNCS, vol. 1664, pp. 258–273. Springer, Heidelberg (1999)
12. Droste, M., Gastin, P.: Weighted automata and weighted logics. Theor. Comput. Sci. 380(1-2), 69–86 (2007)
13. Droste, M., Kuich, W., Vogler, H.: Handbook of Weighted Automata. Springer, Heidelberg (2009)
14. Droste, M., Kuske, D.: Skew and infinitary formal power series. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) ICALP 2003. LNCS, vol. 2719, pp. 426–438. Springer, Heidelberg (2003)
15. Ehrenfeucht, A., Mycielski, J.: Positional strategies for mean payoff games. Int. Journal of Game Theory 8(2), 109–113 (1979)
16. Kupferman, O., Lustig, Y.: Lattice automata. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 199–213. Springer, Heidelberg (2007)
17. Rabin, M.O.: Probabilistic automata. Information and Control 6(3), 230–245 (1963)
18. Schützenberger, M.P.: On the definition of a family of automata. Information and Control 4(2-3), 245–270 (1961)
19. Vidal, E., Thollard, F., de la Higuera, C., Casacuberta, F., Carrasco, R.C.: Probabilistic finite-state machines - part I. IEEE Trans. Pattern Anal. Mach. Intell. 27(7), 1013–1025 (2005)
20. Zwick, U., Paterson, M.: The complexity of mean payoff games on graphs. Theor. Comput. Sci. 158(1-2), 343–359 (1996)
Obliging Games
Krishnendu Chatterjee¹, Florian Horn¹,², and Christof Löding³
¹ IST Austria (Institute of Science and Technology Austria)
² CNRS, LIAFA, Université Paris 7, France
³ RWTH Aachen, Germany
[email protected], [email protected], [email protected]
Abstract. Graph games of infinite length provide a natural model for open reactive systems: one player (Eve) represents the controller and the other player (Adam) represents the environment. The evolution of the system depends on the decisions of both players. The specification for the system is usually given as an ω-regular language L over paths, and Eve's goal is to ensure that the play belongs to L irrespective of Adam's behaviour. The classical notion of winning strategies fails to capture several interesting scenarios. For example, strong fairness (Streett) conditions are specified by a number of request-grant pairs and require every pair that is requested infinitely often to be granted infinitely often: Eve might win just by preventing Adam from making any new request, but a "better" strategy would allow Adam to make as many requests as possible and still ensure fairness. To address such questions, we introduce the notion of obliging games, where Eve has to ensure a strong condition Φ, while always allowing Adam to satisfy a weak condition Ψ. We present a linear-time reduction of obliging games with two Muller conditions Φ and Ψ to classical Muller games. We consider obliging Streett games, show that they are coNP-complete, and show that a natural quantitative optimisation problem for obliging Streett games is in FNP. We also show how obliging games can provide new and interesting semantics for multiplayer games.
1 Introduction
Games played on graphs provide a natural theoretical model to study problems in verification, such as synthesis of reactive systems [PR89, RW87], synthesis of systems from specifications [BL69, Chu62], and μ-calculus model-checking [Koz83, Sti01]. The vertices of the graph represent the states of the system, the edges represent transitions, the paths represent behaviours, and the players (Eve and the opponent Adam) represent the controller for the system and its environment, respectively. The goal of the controller is to satisfy a specification (desired set of behaviours) irrespective of the way the environment behaves: the synthesis of such a controller corresponds to the construction of a winning strategy in the graph game. The class of ω-regular objectives provides a robust specification language to express properties that arise in verification and synthesis of reactive systems [Tho97]. Muller
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 284–296, 2010.
© Springer-Verlag Berlin Heidelberg 2010
and parity specifications are two canonical ways to specify ω-regular objectives. In the classical study of graph games with ω-regular objectives, the input is a graph game G and an ω-regular objective Φ, and the question is whether there is a winning strategy for a player (Eve) that ensures that Φ is satisfied irrespective of the strategy of the other player (Adam). A specification Φ often consists of two parts: an assumption ΦA and a guarantee ΦG, and the specification requires ΦA → ΦG. The specification ΦA typically represents the environment assumption under which the guarantee ΦG needs to be ensured. A winning strategy for Φ may vacuously satisfy Φ by violating ΦA, whereas a better strategy would ensure the "strong" specification Φ and allow the "weak" specification ΦA. For example, consider a Streett (fairness) condition: the fairness condition consists of a set of k request-grant pairs, and requires that every request that appears infinitely often must be granted infinitely often. A winning strategy may satisfy the fairness condition by not allowing requests to happen, whereas a better strategy would be as follows: it ensures the strong specification that asks for the satisfaction of the strong fairness specification, and allows for the corresponding weak specification that requires that grants are allowed to happen infinitely often.
To address the question above, we consider a very general framework of games with two different levels of specifications: a strong one Φ and a weak one Ψ, which are, in general, independent of each other. A "gracious" strategy for Eve must ensure the strong specification (in the classical sense) and allow the weak one: Adam has the choice to satisfy Ψ. We refer to these games as obliging games. In the important case of fairness specifications, the weak specification can be derived from the fairness specification itself: it requires that the requests are allowed to happen infinitely often.
The contribution of our work is as follows:
1. We present a linear-time reduction of obliging games (with two Muller conditions) to classical games (with a single Muller condition) such that Eve has a winning strategy in the classical game if, and only if, she has a gracious strategy in the obliging game.
2. We present a detailed analysis of the reduction and of the memory requirements for obliging games when both specifications are given as parity conditions.
3. In the case of fairness specifications (Streett/generalised Büchi conditions), we show that the problem of the existence of a gracious strategy for Eve is coNP-complete. We also study a quantitative optimisation version of this problem and show that it belongs to FNP (functional NP).
4. We also show how our concepts can be extended to multiplayer games, leading to new and interesting semantics in the context of verification.
Related work. Our notion of "gracious strategy" can be likened to "permissive strategies", which allow as many behaviours as possible [BJW02]. In [BJW02] it has been shown that most general strategies can be constructed only for safety conditions, and for parity objectives a strategy that captures the behaviour of all memoryless winning strategies was presented. Our work is different, as our objectives are more general (Muller) and the goal is to construct a strategy that allows a given objective. Our work is also related to
multiplayer games on graphs and Nash equilibria [CMJ04, Umm08]. However, in Nash equilibria there are no two levels of specifications as considered in obliging games.
2 Definitions
Arenas. A two-player game arena A is a triple (V, V◦, E) where (V, E) is a finite directed graph without deadlocks (each vertex has at least one outgoing edge) and V◦ is a subset of V called Eve's vertices. The vertices in V \ V◦ are Adam's vertices and are usually denoted by V□.
Plays and Strategies. A play ρ on the arena A is a (possibly infinite) sequence ρ1 ρ2 . . . of vertices such that for all i < |ρ|, we have (ρi, ρi+1) ∈ E. The limit vertices of ρ, denoted by Inf(ρ), are the vertices occurring infinitely often in ρ: Inf(ρ) = {q | ∃∞ i, ρi = q}. A strategy of Eve on the arena A is a function σ from V∗V◦ to V such that for all x ∈ V∗ and for all v ∈ V◦, we have (v, σ(xv)) ∈ E. A play ρ is consistent with σ (or a σ-play) if for all i < |ρ|, ρi ∈ V◦ ⇒ ρi+1 = σ(ρ1 . . . ρi). Strategies can also be defined as strategies with memory. In this case, σ is a tuple (M, m0, σ^u, σ^n), where M is the (possibly infinite) set of memory states, m0 is the initial memory content, σ^u : (E × M) → M is the memory-update function, and σ^n : (V◦ × M) → V is the next-move function. The memory-update function can naturally be extended from edges to finite sequences of vertices: σ^u_+(v0 v1 · · · vi, m) is m if i = 0, and σ^u((vi−1, vi), σ^u_+(v0 v1 · · · vi−1, m)) if i ≥ 1. Using this definition, the next move determined by σ for a play xv ∈ V∗V◦ is σ^n(v, m), where m = σ^u_+(xv, m0). A strategy is finite-memory if M is a finite set, and memoryless if M is a singleton. Adam's strategies are defined in a similar way.
Muller conditions. A Γ-colouring γ of an arena is a partial function from the edges of A to an arbitrary set of colours Γ. We use partial functions here because this sometimes eases the specification of the winning conditions. However, for formal reasons, we sometimes use a colour "−" that corresponds to the undefined value. This colour is not considered when building the limit set of a colour sequence (hence the limit set can be empty).
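The finite-memory presentation (M, m0, σ^u, σ^n) can be made concrete; the following is a minimal sketch (the toy strategy at the end is invented for illustration and is not from the paper):

```python
def extend_update(sigma_u, play, m0):
    """sigma^u_+ : fold the memory-update function over the edges of a finite play."""
    m = m0
    for edge in zip(play, play[1:]):
        m = sigma_u(edge, m)
    return m

def next_move(sigma_n, sigma_u, play, m0):
    """Move prescribed after a finite play xv ending in an Eve vertex v:
    sigma^n(v, sigma^u_+(xv, m0))."""
    return sigma_n(play[-1], extend_update(sigma_u, play, m0))

# A toy strategy with memory M = {0, 1}: flip the bit on every edge and
# choose a move depending on the current bit (both functions are invented).
toggle = lambda edge, m: 1 - m
choose = lambda v, m: (v, 'left') if m == 0 else (v, 'right')
```

A strategy is then memoryless exactly when `toggle` is constant, i.e. the choice at v never depends on the history.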
A Muller condition Φ on Γ is a subset of 2^Γ, and a play ρ of A satisfies Φ if, and only if, Inf(γ(ρ)) ∈ Φ. Here, γ(ρ) corresponds to the sequence of colours obtained by applying γ to the edges of ρ. This is a finite or infinite sequence over Γ, or an infinite sequence over Γ ∪ {−} using the above convention. We also consider the usual special cases of Muller conditions (recall that we allow partial colourings):
– the Büchi condition is the condition {{⊤}, {⊥, ⊤}} on {⊥, ⊤};
– the co-Büchi condition is the condition {∅, {⊥}} on {⊥, ⊤};
– the k-generalised Büchi condition is the condition {{1, . . . , k}} on {1, . . . , k};
– the k-parity condition is the condition on {0, . . . , k − 1} containing all and only the subsets whose minimum is even;
– a k-Streett condition on Γ is given by a set {(R1, G1), . . . , (Rk, Gk)} of k request-grant pairs of subsets of Γ. It contains all and only the subsets that, for each i, either intersect Gi or do not intersect Ri.
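These special cases can be read as predicates on the limit set Inf(γ(ρ)); a sketch, using 'T' and 'B' as stand-ins for ⊤ and ⊥ (an encoding chosen here, not from the paper):

```python
def buchi(inf):                 # {{T}, {B, T}}: T occurs infinitely often
    return 'T' in inf

def co_buchi(inf):              # {{}, {B}}: T occurs only finitely often
    return 'T' not in inf

def generalised_buchi(inf, k):  # {{1,...,k}}: every colour 1..k occurs infinitely often
    return inf == set(range(1, k + 1))

def parity(inf):                # the minimal priority seen infinitely often is even
    return bool(inf) and min(inf) % 2 == 0

def streett(inf, pairs):        # each pair (R, G): Inf meets G, or Inf misses R
    return all(bool(inf & G) or not (inf & R) for (R, G) in pairs)
```

Note that `co_buchi(set())` holds: with partial colourings the limit set may be empty, which satisfies the co-Büchi condition.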
In the course of our proofs, it is often useful to consider boolean operations on Muller conditions, in which we interpret negation as complementation and conjunction as Cartesian product: if Φ and Ψ are conditions on ΓΦ and ΓΨ, then Φ ∧ Ψ is the condition on ΓΦ × ΓΨ which contains all and only the sets whose projection on the first component belongs to Φ and whose projection on the second component belongs to Ψ. Notice that colourings are partial functions, so their product may return a colour for only one of the components. We then use the neutral colour "−" for the undefined component.
Classical and obliging games. A classical Muller game G on Γ is a triple (A, γ, Φ) where A is an arena, γ is a Γ-colouring of A, and Φ —the winning condition— is a Muller condition on Γ. An infinite play ρ of A is winning for Eve if it satisfies Φ. A strategy σ is uniformly winning (resp. winning from a vertex q) for Eve if any σ-play (resp. any σ-play starting in q) is winning for her. A vertex q is winning for Eve if she has a winning strategy from q. The winning region of Eve is the set of vertices winning for her. Adam's winning plays, strategies, vertices, and regions are defined likewise, except that a play is winning for Adam if it does not satisfy Φ.
An obliging game G is a tuple (A, γΦ, Φ, γΨ, Ψ), where A is an arena, γΦ is a ΓΦ-colouring, Φ —the strong condition— is a Muller condition on ΓΦ, γΨ is a ΓΨ-colouring, and Ψ —the weak condition— is a Muller condition on ΓΨ. A uniformly gracious strategy σ for Eve is such that:
– every infinite σ-play ρ satisfies Φ;
– for any finite σ-play x, there is an infinite σ-play ρ′ satisfying Ψ such that x is a prefix of ρ′.
So, Eve has to allow Adam to build a play satisfying Ψ at any position, regardless of what he previously did. However, she does not need to ensure Ψ if Adam is not willing to cooperate. Notice that there is no dual notion of spoiling strategy for Adam.
In particular, the notion of “determinacy” does not make sense in obliging games, as Adam cannot demonstrate Eve’s lack of grace with a single strategy. We refer to obliging games by the names of the two conditions, with the strong condition first: for example, a parity/Büchi obliging game is an obliging game G = (A, γΦ , Φ, γΨ , Ψ ), where Φ is a parity and Ψ is a Büchi condition. Example 1. Consider the parity/parity obliging game in Figure 1. The pairs define the colours of the edge, the first component corresponding to the strong condition (Φ) and the second component to the weak condition (Ψ ). In order to satisfy Φ, a play has to either take the edge (q4 , q6 ) infinitely often, or the edge (q8 , q6 ) infinitely often and the edge (q7 , q2 ) finitely often. To satisfy Ψ , an infinite play has to take the edge (q7 , q2 ) infinitely often. In this game Eve has to behave differently depending on whether Adam moves to q3 or q4 . If the token reaches q6 coming from q4 , then Eve can safely move to q7 . If the game reaches q6 coming from q3 , then she can first complete the cycle q6 q5 q8 q6 and then move to q5 and then to q0 . This strategy can be implemented using memory of size 3 and it is a gracious strategy since each path satisfies Φ and Adam can produce a play satisfying Ψ by always moving to q4 . It is not difficult to observe that there is no gracious strategy for Eve with memory of size two for this game.
[Figure: the arena of Example 1, with vertices q0–q8 and edge colours given as pairs (Φ-colour, Ψ-colour), among them (3,1), (3,3), (0,3), (1,2), (2,1).]
Fig. 1. A parity/parity obliging game
3 Reducing Obliging Games to Classical Games
In this section we provide a general method to reduce obliging games to classical games with a single winning condition. The underlying idea is based on the construction of merciful strategies from [BSL04]: we construct an extended game graph in which Adam decides either to choose his next move himself or to leave this choice to Eve. If he always leaves the choice to Eve from some point onwards, then Eve has to prove that Adam indeed has the possibility to satisfy the weak condition. Consequently, the winning condition for Eve in the new game is the strong condition from the obliging game, in conjunction with the weak condition in the case that Adam only finitely often makes his own choice. Note that in the case that Eve has to satisfy the weak condition, the game remains in a subarena that is completely controlled by Eve. We use this fact by allowing the weak condition to be simplified by means of nondeterministic ω-automata. The required technical framework is defined below.
We use ω-automata with an acceptance condition specified on the transitions of the automaton rather than on the states. In our setting, an ω-automaton is of the form M = (Q, Σ, qin, Δ, γΥ, Υ), where Q is a finite set of states, Σ is the input alphabet, qin ∈ Q is the initial state, Δ ⊆ Q × Σ × Q is the transition relation, γΥ : Δ → ΓΥ is a (partial) colouring function, and Υ is an acceptance condition over ΓΥ, similar to the winning conditions defined for games. We write transitions (q, a, r) with γΥ((q, a, r)) = c as q −(a:c)→ r. A run of M on an infinite word α ∈ Σω is an infinite sequence ζ = q0 q1 q2 · · · of states such that q0 = qin, and (qi, α(i), qi+1) ∈ Δ for each i ≥ 0.
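For a deterministic transition-coloured automaton, the set of colours occurring infinitely often along the run on an ultimately periodic word u·v^ω — the set that determines acceptance, as defined next — can be computed directly. A hedged sketch with an invented encoding (dict-based transition tables, not from the paper):

```python
def limit_colours(delta, colour, q_in, prefix, cycle):
    """Run a deterministic automaton (delta: (state, letter) -> state) on the
    word prefix . cycle^omega and return the set of colours occurring
    infinitely often.  colour maps transitions (q, a, r) to a colour; missing
    entries play the role of the undefined colour '-' and are ignored."""
    q = q_in
    for a in prefix:
        q = delta[(q, a)]
    seen, traversals = {}, []          # state observed at each cycle boundary
    while q not in seen:
        seen[q] = len(traversals)
        cols = set()
        for a in cycle:
            r = delta[(q, a)]
            c = colour.get((q, a, r))
            if c is not None:          # '-' transitions are not collected
                cols.add(c)
            q = r
        traversals.append(cols)
    # from the first repeated boundary state onwards, the traversals repeat forever
    return set().union(*traversals[seen[q]:])
```

The run is then accepting exactly when this limit set satisfies the acceptance condition Υ; note that colours seen only in the prefix are correctly discarded.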
We define the infinite colour sequence induced by α and ζ as the sequence obtained by applying γΥ to each transition: γΥ(α, ζ) = γΥ((q0, α(0), q1)) γΥ((q1, α(1), q2)) γΥ((q2, α(2), q3)) · · · The run ζ on α is accepting if γΥ(α, ζ) satisfies the acceptance condition. The language L(M) accepted by M is the set of all infinite words on which M has an accepting run. As usual, we call an automaton deterministic if for each state q ∈ Q and each letter a ∈ Σ there is at most one transition (q, a, r) ∈ Δ. We are interested in automata accepting languages that correspond to winning conditions. Given a winning condition Φ over ΓΦ, we define the language LΦ ⊆ (ΓΦ ∪ {−})ω
as the set of all infinite sequences that satisfy Φ (recall that "−" is a neutral colour representing the undefined value and is not considered for evaluating the winning condition).
Lemma 2. Let G = (A, γΦ, Φ, γΨ, Ψ) be an obliging game with arena A = (V, E), and let M = (Q, ΓΨ, qin, Δ, γΥ, Υ) be an ω-automaton accepting LΨ. There is a game G′ = (A′, γΛ, Λ) and a mapping ι : V → V′ with the following properties: (1) Λ = Φ ∧ (Υ ∨ B) for a Büchi condition B; (2) for each vertex v ∈ V, Eve has a gracious strategy from v in G if, and only if, she has a winning strategy from the vertex ι(v) in G′; and (3) from a winning strategy for Eve in G′ from ι(v) with memory of size n, one can construct a gracious strategy for Eve in G from v with memory of size 2 · |Q| · n.
Proof. To simplify the reduction, we assume without loss of generality that the arena is alternating, i.e. E ⊆ (V◦ × V□) ∪ (V□ × V◦). We construct G′ in such a way that, at any time in a play, Adam can ask Eve to show a path that satisfies Ψ. This is realised by introducing a second copy of G in which all vertices belong to Eve. In this copy we additionally keep track of the states of the automaton M recognising Ψ. If Adam chooses to switch to this copy, Eve makes the choices on behalf of Adam. Consequently, if from some point onward Adam decides to always leave his choices to Eve, the resulting play has to satisfy Φ and Ψ. Otherwise, it is sufficient for Eve to satisfy Φ. The Büchi condition is used to distinguish these two cases. Whether Ψ is satisfied can be decided using the condition Υ on the state sequence of M. Formally, the game G′ = (A′, γΛ, Λ) and the mapping ι are constructed as follows:
– The winning condition is Λ = Φ ∧ (Υ ∨ B) where B is a Büchi condition.
– The arena A′ = (V′, V′◦, E′) and the colouring γΛ of E′ are defined as follows:
• V′ = (V◦ × {play}) ∪ (V□ × {choose} × Q) ∪ (V × {show} × Q);
• V′◦ = (V◦ × {play}) ∪ (V × {show} × Q);
• Let u and v be vertices in V; let q and r be states in Q; and let a, b, c be colours in ΓΦ, ΓΨ, ΓΥ such that u −(a,b)→ v in E and q −(b:c)→ r in Δ. Then the following edges belong to E′:
u ∈ V◦ : (u, play) −(a,−,⊥)→ (v, choose, qin)
u ∈ V□ : (u, choose, q) −(a,−,⊤)→ (v, play)
(u, choose, q) −(−,−,⊥)→ (u, show, q)
u ∈ V◦ : (u, show, q) −(a,c,⊥)→ (v, choose, r)
u ∈ V□ : (u, show, q) −(a,c,⊥)→ (v, show, r)
– The mapping ι maps each v ∈ V◦ to (v, play) and each v ∈ V□ to (v, choose, qin).
A schematic view of the construction is shown in Figure 2. We refer to the nodes from V◦ × {play} as the play part of the game, the nodes from V × {show} × Q as the show part, and the nodes from V□ × {choose} × Q as the choice part.
We start by showing that a gracious strategy σ for Eve in the obliging game G can be used to define a winning strategy for Eve in G′: each play ρ′ in G′ naturally corresponds to a play ρ in G that is obtained by removing the vertices of the type (v, show, q) for
[Figure: the three parts of A′, namely V◦ × {play}, V□ × {choose} × Q and V × {show} × Q, with the moves between them.]
Fig. 2. Schematic view of the reduction from Lemma 2
v ∈ V□, and then projecting away the {play, show, choose} and the Q components from the vertices. Let us denote this operation by del, i.e., ρ = del(ρ′). The winning strategy of Eve in G′ is defined as follows. For a finite play x′ that ends in a node of the form (u, play) with u ∈ V◦, Eve looks at the play del(x′) in G, checks which move (u, v) she would have made according to σ, and then moves to (v, choose, qin) in G′. If the play x′ in G′ enters the show part in a node (u, show, qin) for the first time after having been in the play part, then Eve considers the play x = del(x′) in G. Since σ is a gracious strategy, there is a possible continuation ρ of x such that xρ is a σ-play satisfying Ψ. In particular, since Ψ is a Muller condition, ρ satisfies Ψ and there is an accepting run ζ of M on ρ. Eve stores ρ and ζ in her memory and now moves from (u, show, qin) according to ρ for the first component, and according to ζ for the third component. If the play x′ in G′ is in a node (u, show, q) such that Eve has already stored some ρ and ζ in her memory as described above, then she simply moves according to ρ and ζ: she checks at which position in the play she has stored ρ and ζ, which part of ρ and ζ she has already reproduced since then, and makes the corresponding next move to reproduce one more step of ρ and ζ. If Adam at some point decides to enter the play part, i.e., to move to a vertex from V◦ × {play}, then Eve erases ρ and ζ from her memory. If π′ is an infinite play according to this strategy, then it certainly satisfies Φ, because del(π′) is a σ-play and the ΓΦ-sequence of π′ corresponds to the one of del(π′) except for some insertions of the neutral colour −. Furthermore, either Adam infinitely often moves to a vertex from V◦ × {play}, in which case the Büchi condition B is satisfied, or from some point onward Eve simulates ρ and ζ to infinity, yielding a play in G′ that satisfies Υ because ζ satisfies Υ.
This shows that π′ is winning, and hence we have defined a winning strategy for Eve, as desired.
For the other direction it suffices to show the third claim of the lemma, since the existence of a winning strategy for Eve in G′ implies the existence of a finite-memory winning strategy. Let (M, m0, ς^u, ς^n) be a winning strategy for Eve in G′. We define a gracious strategy ({p, s} × Q × M, (p, qin, m0), σ^u, σ^n) for Eve in G. This strategy distinguishes two cases to decide whether to use ς^n as defined on the play vertices or on the show vertices. These two cases depend on the behaviour of Adam. If Adam makes a move in G from a vertex v that corresponds to the move of ς^n from the vertex (v, show, q) in G′, then σ^u updates the first component of the memory to s, i.e., σ^n starts simulating
ς^n as if the play is in the show part of G′. If Adam makes a move that is not of this kind, then σ^u updates the first component of the memory to p and σ^n simulates the behaviour of ς^n on the play part of G′.
We first give the definition of the next-move function σ^n, which is quite straightforward:
σ^n(u, ⟨p, qin, m⟩) = v with ς^n((u, play), m) = (v, choose, qin),
σ^n(u, ⟨s, q, m⟩) = v if ς^n((u, show, q), m) = (v, choose, q′) for some q′.
The definition of the memory-update function σ^u is a bit more involved, since we have to distinguish the different behaviours of Adam as explained above. Below, we define the update of the memory for a move from u to v in G for different memory contents. If u ∈ V◦, we assume that v is the vertex that is chosen by the next-move function σ^n, because otherwise the move from u to v cannot occur in a play according to the strategy.
(i) If u ∈ V◦, then σ^u((u, v), ⟨p, qin, m⟩) = ⟨p, qin, m′⟩ with m′ = ς^u(((u, play), (v, choose, qin)), m), and σ^u((u, v), ⟨s, q, m⟩) = ⟨p, q′, m′⟩ with m′ = ς^u(((u, show, q), (v, choose, q′)), m) and ς^n((u, show, q), m) = (v, choose, q′) (here we use the assumption that σ^n(u, ⟨s, q, m⟩) = v, i.e., v is the target of the next-move function).
(ii) If u ∈ V□ and ς^n((u, show, q), ς^u(((u, choose, q), (u, show, q)), m)) = (v, show, q′), then σ^u((u, v), ⟨x, q, m⟩) = ⟨s, q′, m′⟩ with m′ = ς^u_+((u, choose, q)(u, show, q)(v, show, q′), m) for all x ∈ {p, s}. This is the case where the move from u to v of Adam in G corresponds to the move that Eve would have made in his place in G′. To obtain m′ we look at how the memory would have evolved in G′ in the move sequence in which Adam gives the choice to Eve.
(iii) If u ∈ V□ and ς^n((u, show, q), ς^u(((u, choose, q), (u, show, q)), m)) = (v′, show, q′) for some v′ ≠ v, then σ^u((u, v), ⟨x, q, m⟩) = ⟨p, qin, m′⟩ with m′ = ς^u(((u, choose, q), (v, play)), m) for all x ∈ {p, s}. This is the case where Adam makes a choice different from the one that Eve would have made on his behalf in G′.
We now show that this strategy is indeed gracious in G. From the definition of σ^n and σ^u one can see that for every σ^n-play ρ there exists a corresponding ς^n-play ρ′ that is obtained from ρ by inserting appropriate vertices from V × {show} × Q at those positions where σ^u updates the first component of the memory to s, i.e., if (ii) in the definition of σ^u is applied. To formalise this, let ρ = v0 v1 v2 · · · be a σ^n-play and let ⟨x0, q0, m0⟩ ⟨x1, q1, m1⟩ ⟨x2, q2, m2⟩ · · · ∈ ({p, s} × Q × M)ω be the corresponding sequence of memory contents according to σ^u.
Similarly to the operation del from the first implication of the proof, we now define an operation ins that transforms ρ into a corresponding play based on the sequence of memory contents. By abuse of notation, we also define the operation ins to work on pairs of nodes by inserting the necessary information (we assume for simplicity that the play starts in V◦): ins(ρ) = (v0, play) ins(v0, v1) ins(v1, v2) ins(v2, v3) · · · with
ins(vi, vi+1) =
(vi+1, play) if xi+1 = p and vi+1 ∈ V◦,
(vi+1, choose, qi+1) if vi+1 ∈ V□,
(vi, show, qi)(vi+1, show, qi+1) if xi+1 = s and vi+1 ∈ V◦.
Now one can verify that a σ-play ρ in G is transformed by ins into a ς-play ρ′ in G′. Therefore, ρ satisfies Φ, because the colour sequences from ΓΦ of ρ and ρ′ are the same except for some insertions of the neutral colour −. Furthermore, at each position of a play in G, Adam has the possibility to move so that Eve updates her memory content to an element with s in the first component: for a σ-play x in G, Adam checks what would have been the move of Eve according to ς in G′ for the play ins(x) extended by Adam's move to the show part of the game. If Adam always copies these ς-moves to G from some point onwards, then the resulting play ρ satisfies Ψ, because ins(ρ) is a ς-play in G′ that visits V◦ × {play} only finitely often and hence satisfies Υ. This means that the simulated run of M on the play is accepting, and therefore the corresponding play in G satisfies Ψ. This shows that σ is indeed a gracious strategy.
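The arena A′ of Lemma 2 can be generated mechanically from A and M. The following is a hedged sketch with an invented encoding ('bot'/'top' stand for ⊥/⊤ and None for the neutral colour '−'; this is not the authors' code):

```python
def build_extended_arena(V_eve, V_adam, E, gamma, Q, q_in, Delta, gamma_Y):
    """E: edges (u, v) of the alternating arena, gamma[(u, v)] = (a, b) with
    a in Gamma_Phi and b in Gamma_Psi (None encodes '-'); Delta: automaton
    transitions (q, b, r); gamma_Y maps them to Gamma_Upsilon colours.
    Returns Eve's vertices of A' and its edges labelled (a, c, buchi)."""
    edges = []
    for (u, v) in E:
        a, b = gamma[(u, v)]
        if u in V_eve:
            # play part: Eve moves, Adam will choose next
            edges.append(((u, 'play'), (v, 'choose', q_in), (a, None, 'bot')))
        else:
            for q in Q:
                # Adam makes his own move: Buchi colour 'top'
                edges.append(((u, 'choose', q), (v, 'play'), (a, None, 'top')))
        for (q, b2, r) in Delta:
            if b2 == b:
                c = gamma_Y.get((q, b2, r))
                if u in V_eve:
                    edges.append(((u, 'show', q), (v, 'choose', r), (a, c, 'bot')))
                else:
                    edges.append(((u, 'show', q), (v, 'show', r), (a, c, 'bot')))
    for u in V_adam:
        for q in Q:
            # Adam hands the choice over to Eve
            edges.append(((u, 'choose', q), (u, 'show', q), (None, None, 'bot')))
    eve = {(u, 'play') for u in V_eve} | {(u, 'show', q) for u in V_eve | V_adam for q in Q}
    return eve, edges
```

On a one-edge-each toy arena the construction produces exactly the five kinds of edges listed in the proof, and the blow-up matches the bound: the new arena has at most (2|Q| + 1)|V| vertices.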
Lemma 2 provides a reduction of obliging games to standard games. This notion is formalised as follows. We say that an obliging game G can be reduced to a standard game G′ with memory m if:
1. there is a mapping ι from the vertices of G to the vertices of G′ such that, for each vertex v of G, Eve has a gracious strategy from v in G if, and only if, Eve has a winning strategy from ι(v) in G′;
2. given a winning strategy for Eve from ι(v) in G′ with memory of size n, one can compute a gracious strategy for Eve from v in G with memory of size m · n.
We also use this notion in connection with classes of games. A class K of games can be reduced to a class K′ of games with memory m if each game G in K can be reduced to a game G′ in K′ with memory m. The time complexity of such a reduction is the time needed to compute G′ from G, to compute the mapping ι, and to compute the strategy in G from the strategy in G′.
We can now instantiate Lemma 2 for several types of obliging games to obtain results on their complexity. The first instantiation is for general Muller conditions, using the fact that the winning sequences for a condition Ψ can be recognised by a one-state ω-automaton which itself uses the condition Ψ.
Theorem 3. There is a linear-time reduction with memory 2 from Φ/Ψ obliging games to standard (Φ ∧ (Ψ ∨ B)) games for a Büchi condition B.
The point of using a nondeterministic ω-automaton in the formulation of Lemma 2 is illustrated by the following result.
Theorem 4. There is a polynomial-time reduction with memory 2(ℓ + 1)k from 2k-parity/2ℓ-parity obliging games to standard (2k + 2)-parity games.
Proof. We apply Lemma 2 with a Büchi automaton accepting LΨ for the 2ℓ-parity condition Ψ. Such a Büchi automaton is easily constructed using ℓ + 1 states. On the first state the automaton loops and outputs ⊥ for each input priority. Using the other states the automaton can guess at any point that 2i is the minimal priority which appears infinitely often in the input sequence. It moves to state i and outputs ⊤ whenever priority 2i appears on the input. For greater priorities it outputs ⊥, and for priorities smaller than 2i there is no transition. One easily verifies that this automaton accepts LΨ. Lemma 2 yields a reduction with memory 2(ℓ + 1) to a (2k-parity ∧ Büchi) game (using the fact that a disjunction of two Büchi conditions is equivalent to a single Büchi condition). Analysing the Zielonka tree [Zie98, DJW97] of a (2k-parity ∧ Büchi) condition shows that it has k leaves, and the technique from [DJW97] gives a reduction to a (2k + 2)-parity game with memory k. The composition of these two reductions gives the claimed reduction. One can note that this proof also works if the weak condition is a Rabin condition with ℓ pairs.
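The (ℓ+1)-state Büchi automaton used in this proof can be written out explicitly. A sketch with an invented encoding (state 'wait' is the initial looping state; transition colours 'top'/'bot' stand for ⊤/⊥; this mirrors the construction but is not the authors' code):

```python
def buchi_for_parity(l):
    """Transitions of a nondeterministic Buchi automaton accepting the
    priority sequences over {0, ..., 2l-1} whose minimal priority occurring
    infinitely often is even.  State i asserts the guess 'that priority is
    2i'; acceptance = colour 'top' occurs infinitely often."""
    delta = []
    for p in range(2 * l):
        delta.append(('wait', p, 'wait', 'bot'))   # loop before guessing
        for i in range(l):
            if p >= 2 * i:                         # priorities below 2i refute the guess
                col = 'top' if p == 2 * i else 'bot'
                delta.append(('wait', p, i, col))  # guess 2i at any point
                delta.append((i, p, i, col))       # maintain the guess
    return delta
```

A word is accepted iff some run eventually stays in a state i, never reads a priority below 2i, and reads 2i infinitely often, i.e. iff the minimal priority seen infinitely often is even.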
Since parity games are determined with memoryless strategies (see, e.g., [Tho97] or [Zie98]), Theorem 4 directly gives an upper bound on the memory required for a gracious strategy in parity/parity obliging games. Corollary 5. If Eve has a gracious strategy in a 2k-parity/2ℓ-parity obliging game, then she has a gracious strategy with memory of size at most 2(ℓ + 1)k. In the case ℓ = 1, we have a rather tight lower bound for the required memory. Indeed, it is possible to construct a 2k-parity/Büchi obliging game where Eve needs k memory states. The case k = 6 is depicted in Figure 3 (in order to improve readability, there are some vertices of Adam from where two edges lead to the same target). Eve has a gracious strategy with k memory states that works as follows: if Adam just played 2i, she plays 2i + 1; otherwise, she plays 2(k − 1). This strategy clearly ensures the parity condition. Furthermore, Adam can get an infinite number of visits to the Büchi edge, by always answering 2(i − 1) to 2i + 1. There is no gracious strategy for Eve with less than k states: as there are k successors of the central vertex, one of them is never visited. Thus, Eve can ultimately not propose the lower ones safely, and either does not guarantee the parity condition or eventually forbids the Büchi condition.

Fig. 3. At least 6 memory states
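Eve's k-state gracious strategy from the lower-bound example can be written down directly; the memory is simply the priority Adam last played. This is our own sketch of the strategy rule only (the arena itself is not reconstructed here):

```python
def eve_move(k, last_adam_priority=None):
    """Eve's reply in the 2k-parity/Buechi obliging game of Figure 3.

    If Adam just played an even priority 2i, Eve answers 2i + 1;
    otherwise she plays 2(k - 1).
    """
    if last_adam_priority is not None and last_adam_priority % 2 == 0:
        return last_adam_priority + 1
    return 2 * (k - 1)
```

Every answer 2i + 1 dominates Adam's 2i, so the minimal priority seen infinitely often is odd for Eve's parity convention, while Adam retains the option of granting the Büchi condition.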
4 Obliging Streett Games

Streett games are a very natural setting for obligingness questions. Indeed, the Streett condition allows Eve to win by either granting requests or denying Adam the possibility to make them. It is thus natural to consider k-Streett/k-generalised-Büchi objectives, where the objectives of the weak condition are exactly the requests of the strong one. We call them simply obliging Streett games. As a generalised Büchi condition can be recognised by a Streett automaton with only one state, we can use Lemma 2 to reduce an obliging k-Streett game with n vertices to a classical 2k-Streett game with 2n vertices. As classical Streett games can also be reduced to obliging Streett games (by always allowing Adam to go to a vertex where all the pairs are forever requested and granted) and the classical Streett games problem is coNP-complete [EJ88], it follows that the obliging Streett games problem is coNP-complete: Theorem 6. The decision problem of existence of a gracious strategy for Eve in obliging Streett games is coNP-complete. In the cases where Eve does not have a gracious strategy, we might be interested in knowing how many simultaneous requests she can allow. This can be defined as a threshold problem: "Given ℓ ≤ k, is it possible to allow Adam to visit at least ℓ different requests?"; or as an optimisation problem: "What is the highest ℓ such that Eve can allow Adam to visit at least ℓ different requests?". Theorem 7. The threshold problem of obliging Streett games is coNP-complete; and the optimisation problem of obliging Streett games is in FNP. Proof. As the optimal number of requests that Eve can allow is between −1 and k, the second statement follows directly from the first one. Furthermore, it is clear that the threshold problem is coNP-hard since it generalises both classical Streett games (for ℓ = 0) and obliging Streett games (for ℓ = k). In order to show that the threshold problem belongs to coNP, we use once more Lemma 2: we just need a nondeterministic automaton recognising the words where at least ℓ different colours are visited infinitely often. We describe such an automaton in Figure 4, with the following conventions: the alphabet is {1, . . . , k}, and for each i, Ri = {i}; there is an unmarked loop on each state; unmarked edges are enabled for each letter and are labelled ⊥.
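For intuition, on an ultimately periodic word u · vω the property that the automaton of Figure 4 checks, namely that at least ℓ different colours are visited infinitely often, reduces to counting the distinct colours on the cycle. A minimal sketch under our own naming, not taken from the paper:

```python
def at_least_ell_infinitely_often(prefix, cycle, ell):
    """Check, on the lasso word prefix . cycle^omega, whether at least `ell`
    different colours occur infinitely often.

    On a lasso, exactly the colours occurring in the cycle are visited
    infinitely often, so the check is a distinct count over the cycle.
    """
    return len(set(cycle)) >= ell
```

The nondeterministic automaton achieves the same effect on arbitrary ω-words by guessing ℓ colours and cycling through them, which is what the coNP membership argument exploits.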
5 Multiplayer Obliging Games

An interesting feature of obliging games is that they provide new and interesting semantics for multiplayer games. In this setting, Eve has more than one opponent and each must be allowed to satisfy his weak condition, regardless of what the others do. The definitions are similar to the two-player case, mutatis mutandis: an n-player arena A is a finite directed graph (V, E) without deadlocks whose vertices are partitioned into n subsets, V◦, V1, . . . , Vn−1; an n-player obliging game is an n-player arena together with as many colourings and conditions: γ◦, Φ; γ1, Ψ1; . . . ; γn−1, Ψn−1. A gracious strategy σ for Eve in such a game is such that: – any infinite σ-play ρ satisfies Φ; – for any 1 ≤ i < n, for any finite σ-play x, there is a strategy τi for Player i consistent with x such that any infinite play consistent with both σ and τi satisfies Ψi.
Fig. 4. Büchi automaton recognising ℓ repeated out of k
We can solve n-player obliging games by reduction to classical two-player games, in a way similar to the two-player case. However, we do not use automata to check whether the play satisfies the weak conditions, for two reasons: first, we cannot use nondeterministic automata: even if one opponent yields control of his moves, the others can still interfere, so Eve cannot simply "choose" a correct run; second, we would have to remember the current state of each automaton, leading to an exponential blow-up in the size of the arena. Theorem 8. Let G = (A, γΦ, Φ, γ1, Ψ1, . . . , γn−1, Ψn−1) be an n-player obliging game with arena A = (V, E, V◦, V1, . . . , Vn−1). We can compute, in time linear in the size of G, a game G′ = (A′, γΥ, Υ) of size linear in the size of G and a mapping ι : V → V′ with the following properties: 1. Υ = Φ ∧ (Ψ1 ∨ B1) ∧ · · · ∧ (Ψn−1 ∨ Bn−1), where B1, . . . , Bn−1 are Büchi conditions. 2. For each vertex v in A, Eve has a gracious strategy from v in G if, and only if, she has a winning strategy from the vertex ι(v) in G′. Proof. The construction of G′ is similar to its counterpart in the proof of Lemma 2. Each opponent has the possibility to let Eve choose his move in his stead. If one of them eventually always does so, the play has to satisfy his weak condition; otherwise, the corresponding Büchi condition allows Eve to ignore it. The proof is even simpler, as there is no need to keep track of a run of an automaton.
6 Conclusion

In this work we introduced the notion of obliging games and presented a linear-time reduction to classical games for all ω-regular objectives specified as Muller objectives. We also presented a complete analysis of the reduction and memory requirements when the specifications are given as parity objectives. We studied the important class of fairness (Streett) conditions, and showed that obliging Streett games are coNP-complete. We also studied a natural quantitative optimisation problem for obliging Streett games
K. Chatterjee, F. Horn, and C. Löding
and proved inclusion in FNP. We showed how the notion of obliging games extends to multiplayer games and how it leads to new and interesting semantics. In future work we will explore how the solution of obliging games can be used to synthesise more desirable controllers.
References

[BJW02] Bernet, J., Janin, D., Walukiewicz, I.: Permissive strategies: from parity games to safety games. Theoretical Informatics and Applications 36(3), 261–275 (2002)
[BL69] Büchi, J.R., Landweber, L.H.: Solving Sequential Conditions by Finite-State Strategies. Transactions of the AMS 138, 295–311 (1969)
[BSL04] Bontemps, Y., Schobbens, P.-Y., Löding, C.: Synthesis of Open Reactive Systems from Scenario-Based Specifications. Fundamenta Informaticae 62(2), 139–169 (2004)
[Chu62] Church, A.: Logic, arithmetic, and automata. In: Proceedings of the International Congress of Mathematicians, pp. 23–35 (1962)
[CMJ04] Chatterjee, K., Majumdar, R., Jurdziński, M.: On Nash Equilibria in Stochastic Games. In: Marcinkowski, J., Tarlecki, A. (eds.) CSL 2004. LNCS, vol. 3210, pp. 26–40. Springer, Heidelberg (2004)
[DJW97] Dziembowski, S., Jurdziński, M., Walukiewicz, I.: How Much Memory is Needed to Win Infinite Games? In: Proceedings of LICS, pp. 99–110. IEEE, Los Alamitos (1997)
[EJ88] Emerson, E.A., Jutla, C.S.: The Complexity of Tree Automata and Logics of Programs. In: Proceedings of FOCS, pp. 328–337. IEEE, Los Alamitos (1988)
[Koz83] Kozen, D.: Results on the propositional μ-calculus. TCS 27(3), 333–354 (1983)
[PR89] Pnueli, A., Rosner, R.: On the Synthesis of a Reactive Module. In: Proceedings of POPL, pp. 179–190. ACM, New York (1989)
[RW87] Ramadge, P.J., Wonham, W.M.: Supervisory control of a class of discrete-event processes. SIAM Journal on Control and Optimization 25(1), 206–230 (1987)
[Sti01] Stirling, C.: Modal and Temporal Properties of Processes. Graduate Texts in Computer Science. Springer, Heidelberg (2001)
[Tho97] Thomas, W.: Languages, Automata, and Logic. In: Handbook of Formal Languages, vol. 3: Beyond Words, ch. 7, pp. 389–455. Springer, Heidelberg (1997)
[Umm08] Ummels, M.: The Complexity of Nash Equilibria in Infinite Multiplayer Games. In: Amadio, R.M. (ed.) FOSSACS 2008. LNCS, vol. 4962, pp. 20–34. Springer, Heidelberg (2008)
[Zie98] Zielonka, W.: Infinite Games on Finitely Coloured Graphs with Applications to Automata on Infinite Trees. Theoretical Computer Science 200(1–2), 135–183 (1998)
Multipebble Simulations for Alternating Automata (Extended Abstract)

Lorenzo Clemente and Richard Mayr

LFCS, School of Informatics, University of Edinburgh, UK
Abstract. We study generalized simulation relations for alternating Büchi automata (ABA), as well as alternating finite automata. Having multiple pebbles allows the Duplicator to "hedge her bets" and delay decisions in the simulation game, thus yielding a coarser simulation relation. We define (k1, k2)-simulations, with k1/k2 pebbles on the left/right, respectively. This generalizes previous work on ordinary simulation (i.e., (1, 1)-simulation) for nondeterministic Büchi automata (NBA) in [4] and ABA in [5], and (1, k)-simulation for NBA in [3]. We consider direct, delayed and fair simulations. In each case, the (k1, k2)-simulations induce a complete lattice of simulations where (1, 1)- and (n, n)-simulations are the bottom and top element (if the automaton has n states), respectively, and the order is strict. For any fixed k1, k2, the (k1, k2)-simulation implies (ω-)language inclusion and can be computed in polynomial time. Furthermore, quotienting an ABA w.r.t. (1, n)-delayed simulation preserves its language. Finally, multipebble simulations yield new insights into the Miyano-Hayashi construction [10] on ABA. A technical report with full proofs is available [2].
1 Introduction

We consider simulation relations on (alternating) finite and infinite word automata: nondeterministic finite automata (NFA), alternating finite automata (AFA), nondeterministic Büchi automata (NBA) and alternating Büchi automata (ABA). Simulation preorder is a notion of semantic comparison of two states, called left state and right state, in automata, where the larger right state can match all moves of the smaller left one in a stepwise way. Simulation preorder implies language inclusion on NFA/AFA/NBA/ABA [4,5], but not vice-versa. While checking language inclusion is PSPACE-complete for all these classes of automata [8,11], the simulation relation can be computed in polynomial time [4,5]. Checking simulation preorder between two states can be presented as a game with two players, Spoiler and Duplicator, where Spoiler tries to prove that the simulation relation does not hold while Duplicator has the opposite objective. In every round of the simulation game, Spoiler chooses a transition from the current left state and Duplicator must choose a transition from the current right state which has the same action label. Duplicator wins iff the game respects the accepting states in the automata, and different requirements for this yield finer or coarser simulation relations. In direct simulation, whenever the left state is accepting, the right state must be accepting. In delayed simulation, whenever the left state is accepting, the right state must be eventually accepting. In fair simulation, if the left state is accepting infinitely often, then the right state must

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 297–312, 2010. © Springer-Verlag Berlin Heidelberg 2010
L. Clemente and R. Mayr
be accepting infinitely often. For finite-word automata, only direct simulation is meaningful, but for Büchi automata delayed and fair simulation yield coarser relations; see [4] for an overview. These notions have been extended in two directions. Etessami [3] defined a hierarchy of (1, k) multipebble simulations on NBA. Intuitively, the k pebbles on the right side allow Duplicator to "hedge her bets" and thus to delay making decisions. This extra power of Duplicator increases with larger k and yields coarser simulation relations. A different extension by Wilke and Fritz [5] considered simulations on ABA. In an ABA, a state is either existential or universal. The idea is that Spoiler moves from existential left states and universal right states, and dually for Duplicator. Our contribution. We consider (k1, k2)-simulations on ABA, i.e., with multiple pebbles on both sides: k1 on the left and k2 on the right. Intuitively, Duplicator controls pebbles on universal states on the left and existential states on the right (and dually for Spoiler). This generalizes all previous results: the (1, k)-simulations on NBA of [3] and the (1, 1)-simulations on ABA of [5]. For each acceptance condition (direct, delayed, fair) this yields a lattice-structured hierarchy of (k1, k2)-simulations, where (1, 1)- and (n, n)-simulations are the bottom and top element if the automaton has n states. Furthermore, the order is strict, i.e., more pebbles make the simulation relation strictly coarser in general. For each fixed k1, k2 ≥ 0, (k1, k2)-simulations are computable in polynomial time and they imply language inclusion (over finite or infinite words, depending on the type of simulation). Quotienting AFA w.r.t. (k1, k2)-simulation preserves their language. We also provide a corresponding result for ABA by showing that quotienting ABA w.r.t. (1, n)-delayed simulation preserves the ω-language.
This is a nontrivial result, since a naïve generalization of the definition of semi-elective quotients [5] does not work. We provide the correct notion of semi-elective quotients for (1, n)-simulations on ABA, and show its correctness. Moreover, unlike for NBA [3], quotienting ABA w.r.t. (1, k)-delayed simulation for 1 < k < n does not preserve their language in general. Finally, multipebble simulations have close connections to various determinization-like constructions, like the subset construction for NFA/AFA and the Miyano-Hayashi construction [10] on ABA. In particular, multipebble simulations yield new insights into the Miyano-Hayashi construction and an alternative correctness proof showing an even stronger property. For full proofs, please see the technical report [2].
2 Preliminaries and Basic Definitions

Automata. An alternating Büchi automaton (ABA) Q is a tuple (Q, Σ, qI, Δ, E, U, F), where Q is a finite set of states, Σ is a finite alphabet, qI is the initial state, {E, U} is a partition of Q into existential and universal states, Δ ⊆ Q × Σ × Q is the transition relation and F ⊆ Q is the set of accepting states. We say that a state q is accepting if q ∈ F. We use n to denote the cardinality of Q. A nondeterministic Büchi automaton (NBA) is an ABA with U = ∅, i.e., where all choices are existential. We say that Q is complete iff ∀(q, a) ∈ Q × Σ. ∃(q, a, q′) ∈ Δ. An ABA Q recognizes a language of infinite words Lω(Q). The acceptance condition is best described in a game-theoretic way [6]. Given an input word w ∈ Σω,
the acceptance game Gω(Q, w) is played by two players, Pathfinder and Automaton. Existential states are controlled by Automaton, while Pathfinder controls universal states. Automaton wins the game Gω(Q, w) iff she has a winning strategy s.t., for any Pathfinder counter-strategy, the resulting computation visits some accepting state in F infinitely often. The language Lω(Q) recognized by Q is defined as the set of words w ∈ Σω s.t. Automaton wins Gω(Q, w). See [5] for a formal definition. If we view an ABA Q as an acceptor of finite words, then we obtain an alternating finite automaton (AFA). For w = w0 . . . wm ∈ Σ∗, the finite acceptance game Gfin(Q, w) is defined as above for Gω(Q, w), except that the game stops when the last symbol wm of w has been read, and Automaton wins if the last state is in F. Lfin(Q) is defined in the obvious way. An alternating transition system (ATS) Q is an AFA where all states are accepting, and Tr(Q) := Lfin(Q) is its trace language. When we just say "automaton", it can be an ABA, AFA or ATS, depending on the context. If Q is a set, with 2Q we denote the set of subsets of Q, and, for any k ∈ N, with 2Q,k we denote the subset of 2Q consisting of elements of cardinality at most k. When drawing pictures, we distinguish existential and universal states by the shape of the node. Multipebble simulations. We define multipebble simulations in a game-theoretic way. The game is played by two players, Spoiler and Duplicator, who play in rounds. The objective of Duplicator is to show that simulation holds, while Spoiler has the complementary objective. We use the metaphor of pebbles for describing the game: We call a pebble existential if it is on an existential state, and universal otherwise; Left if it is on the l.h.s. of the simulation relation, and Right otherwise. Intuitively, Spoiler controls existential Left pebbles and universal Right pebbles, while Duplicator controls universal Left pebbles and existential Right pebbles.
The presence of more than one pebble on each side is due to the further ability of Duplicator to split pebbles to several successors. Moreover, Duplicator always has the possibility of "taking pebbles away". Since not all available pebbles have to be on the automaton, k + 1 pebbles are at least as good as k. Formally, let Q be an alternating automaton, q0 ∈ 2Q,k1 a k1-set and s0 ∈ 2Q,k2 a k2-set. We define the basic (k1, k2)-simulation game G(k1,k2)(q0, s0) as follows. Let ΓSp and ΓDup be the sets of actions (or transitions) of the two players (to be specified below). In the initial configuration ⟨q0, s0⟩, Left pebbles are on q0 and Right pebbles on s0. If the current configuration at round i is ⟨qi, si⟩, then the next configuration ⟨qi+1, si+1⟩ is determined as follows: – Spoiler chooses a transition (qi, si, ai, q′, s′) ∈ ΓSp. – Duplicator chooses a transition (qi, si, ai, q′, s′, qi+1, si+1) ∈ ΓDup. We now define the two transition relations. Let qE := q ∩ E be the set of existential states in q, and define qU, sE, sU similarly. Let P1 := 2Q,k1 × 2Q,k2 and P0 := Σ × 2Q,k1 × 2Q,k2. ΓSp ⊆ P1 × P0 models Spoiler's moves: (q, s, a, q′, s′) ∈ ΓSp iff Spoiler chooses a as the next input symbol, and – q′ is obtained from qE by choosing a successor for each pebble in qE. Formally, q′ = { select(Δ(q, a)) | q ∈ qE }, where select(r) chooses an element in r. – Similarly, s′ is obtained from sU by choosing a successor for each pebble in sU.
Duplicator's moves are of the form (q, s, a, q′, s′, q′′, s′′) ∈ ΓDup ⊆ P1 × P0 × P1: – q′′ is a nonempty k1-subset of q′ ∪ Δ(qU, a), and – s′′ is a nonempty k2-subset of s′ ∪ Δ(sE, a). Notice that Duplicator is always allowed to "take pebbles away", and to "hedge her bets" by splitting pebbles into different successors. We say that a pebble on state q is stuck if q has no a-successor (where a is clear from the context). We now formally define strategies. A strategy for Spoiler is a function δ : P1∗P1 → P0 compatible with ΓSp, i.e., for any π · ⟨q, s⟩ ∈ P1∗P1, δ(π · ⟨q, s⟩) = (a, q′, s′) implies (q, s, a, q′, s′) ∈ ΓSp. Similarly, a strategy for Duplicator is a function σ : P1∗P1 → (P0 → P1) compatible with ΓDup, i.e., for any π ∈ P1∗P1 ending in ⟨q, s⟩ and (a, q′, s′) ∈ P0, σ(π)(a, q′, s′) = ⟨q′′, s′′⟩ implies (q, s, a, q′, s′, q′′, s′′) ∈ ΓDup. A play π = ⟨q0, s0⟩⟨q1, s1⟩ · · · ∈ P1∗ ∪ P1ω is a finite or infinite sequence of configurations in P1. For a word w = a0a1 · · · ∈ Σ∗ ∪ Σω s.t. |w| = |π| − 1 (where we set |π| − 1 = ω when π is infinite), we say that a play π is σ-conform to w iff, for any i < |π| − 1, there exists some (qi, si, ai, q′i, s′i) ∈ ΓSp s.t. σ(⟨q0, s0⟩ . . . ⟨qi, si⟩)(ai, q′i, s′i) = ⟨qi+1, si+1⟩. Intuitively, σ-conform plays are those plays which originate when Duplicator's strategy is fixed to σ; δ-conform plays, for δ a Spoiler strategy, are defined similarly. Below, both strategies are fixed, and the resulting, unique play is conform to both. The game can halt prematurely, for pebbles may get stuck. In this case, the winning condition is as follows: If there exists a Left pebble which cannot be moved, then Duplicator wins. Dually, if no Right pebble can be moved, then Spoiler wins. Remark 1. Our winning condition differs from the one in [5] when pebbles get stuck. There, the losing player is always the one who got stuck. If we let Duplicator win when Spoiler is stuck on a universal Right pebble, we would obtain a simulation which does not imply language containment.
(Notice that "simulation implies containment" is proved in [5] under the assumption that pebbles do not get stuck.) Furthermore, the condition in [5] is unnecessarily strong when Duplicator is stuck on a universal Left pebble, where letting Spoiler win is too conservative. Our definition generalizes the correct winning condition to multiple pebbles, for which we prove "simulation implies containment" without further assumptions. In all other cases, we have that all Left pebbles can be moved and at least one Right pebble can be moved, and the two players build an infinite sequence of configurations π = ⟨q0, s0⟩⟨q1, s1⟩ · · · ∈ P1ω. The winning condition is defined in terms of a predicate C(π) on π. Different choices of C(π) lead to different notions of simulation. 1. Ordinary (k1, k2)-simulation. The acceptance condition is ignored, and Duplicator wins as long as the game does not halt: C(π) :⇐⇒ true. 2. Existential direct (k1, k2)-simulation. Duplicator wins if, whenever every q ∈ qi is accepting, then some s ∈ si is accepting: C(π) :⇐⇒ (∀i. qi ⊆ F =⇒ si ∩ F ≠ ∅). 3. Universal direct (k1, k2)-simulation. Duplicator wins if, whenever some q ∈ qi is accepting, then every s ∈ si is accepting: C(π) :⇐⇒ (∀i. qi ∩ F ≠ ∅ =⇒ si ⊆ F).
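The two move relations admit a small enumeration sketch. This is our own illustrative code, not from the paper: `delta` maps (state, letter) to its successor set, `spoiler_left_moves` enumerates Spoiler's choices of one successor per existential Left pebble, and `duplicator_left_moves` enumerates Duplicator's nonempty k1-subsets of q′ ∪ Δ(qU, a).

```python
from itertools import product, combinations, chain

def spoiler_left_moves(q, a, delta, existential):
    """Spoiler's candidates q' = { select(delta(q, a)) | q in q_E }:
    one a-successor is selected for each existential Left pebble."""
    qE = sorted(s for s in q if s in existential)
    choices = [sorted(delta[(s, a)]) for s in qE]
    return {frozenset(pick) for pick in product(*choices)}

def duplicator_left_moves(q_prime, q, a, delta, universal, k1):
    """Duplicator answers with a nonempty k1-subset of q' union Delta(q_U, a);
    taking pebbles away and splitting a pebble are both allowed."""
    pool = sorted(set(q_prime) | set(chain.from_iterable(
        delta.get((s, a), set()) for s in q if s in universal)))
    return {frozenset(sub)
            for r in range(1, min(k1, len(pool)) + 1)
            for sub in combinations(pool, r)}
```

The analogous Right-side relations swap the roles: Spoiler selects successors of universal Right pebbles, Duplicator picks a nonempty k2-subset on the existential side.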
As we will see, ordinary simulation is used for ATSs, while existential and universal direct simulation are used for automata over finite and infinite words, respectively. The winning condition for delayed and fair simulation requires some technical preparation, which consists in the notion of being existentially/universally good since some previous round. Given the current round m, we say that a state q ∈ qm has seen a state q̂ since some previous round i ≤ m, written has_seen^i_m(q, q̂), iff either 1) q = q̂, or i < m and there exists q′ ∈ qm−1 s.t. 2.1) q ∈ Δ(q′, am−1), and 2.2) has_seen^i_{m−1}(q′, q̂). Dually, we write cant_avoid^i_m(q, q̂) iff either 1) q = q̂, or i < m and, for all q′ ∈ qm−1, q ∈ Δ(q′, am−1) implies cant_avoid^i_{m−1}(q′, q̂). We overload the notation on the set of accepting states, and we write has_seen^i_m(q, F) to mean that q has seen some q̂ ∈ F; and similarly for cant_avoid^i_m(q, F). Finally, we say that sj is existentially good since round i ≤ j, written good∃(sj, i), if at round j every state in sj has seen an accepting state since round i, and j is the least round for which this holds [3]. Similarly, we say that qj is universally good since round i ≤ j, written good∀(qj, i), if at round j every state in qj cannot avoid an accepting state since round i, and j is the least round for which this holds. Formally,

good∃(sj, i) :⇐⇒ (∀s ∈ sj. has_seen^i_j(s, F)) ∧ ∀j′. ((∀s′ ∈ sj′. has_seen^i_{j′}(s′, F)) =⇒ j′ ≥ j)

good∀(qj, i) :⇐⇒ (∀q ∈ qj. cant_avoid^i_j(q, F)) ∧ ∀j′. ((∀q′ ∈ qj′. cant_avoid^i_{j′}(q′, F)) =⇒ j′ ≥ j)
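The has_seen predicate admits a simple forward propagation along a finite play prefix, from which good∃ follows. A hedged sketch under our own naming, not from the paper: `play` is the list of Right pebble sets s0, s1, . . . , `letters` the input letters, `delta` the transition relation and `F` the accepting states.

```python
def exists_good(play, letters, delta, F, i):
    """Return the least round j >= i such that every state in play[j] has seen
    an accepting state since round i, or None if no such round exists in the prefix."""
    # Round i: a state has "seen" F iff it is itself accepting.
    seen = {s: s in F for s in play[i]}
    for j in range(i, len(play)):
        if j > i:
            prev = seen
            # A state has seen F if it is accepting, or some predecessor had.
            seen = {s: s in F or any(prev.get(p, False)
                                     for p in play[j - 1]
                                     if s in delta[(p, letters[j - 1])])
                    for s in play[j]}
        if seen and all(seen.values()):
            return j
    return None
```

The dual cant_avoid propagation replaces `any` over predecessors by `all`, mirroring the universal quantification in its definition.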
We write good∃(sj), omitting the second argument, when we just say that sj is good since some previous round. For a path π = s0s1 . . . , we write good∃(π, ∞), with the second argument instantiated to i = ∞, to mean that good∃(sj) holds for infinitely many j's; and similarly for good∀(qj) and good∀(π, ∞). We are now ready to define delayed and fair simulations. 4. Delayed (k1, k2)-simulation. Duplicator wins if, whenever qi is universally good, then there exists j ≥ i s.t. sj is existentially good since round i: C(π) :⇐⇒ ∀i. good∀(qi) =⇒ ∃j ≥ i. good∃(sj, i). 5. Fair (k1, k2)-simulation. Duplicator wins if, whenever there are infinitely many i's s.t. qi is universally good, then, for any such i, there exists j ≥ i s.t. sj is existentially good since round i: C(π) :⇐⇒ good∀(π0, ∞) =⇒ (∀i. good∀(qi) =⇒ ∃j ≥ i. good∃(sj, i)), where π0 = q0q1 . . . is the projection of π onto its first component. We will denote the previous acceptance conditions with x ∈ {o, ∃di, ∀di, de, f}, and the corresponding game is denoted as Gx(k1,k2)(q0, s0). Remark 2. Notice that the condition for fair simulation is equivalent to the following simpler one: If qi is universally good since some previous round infinitely often,
then si is existentially good since some previous round infinitely often: C′(π) :⇐⇒ good∀(π0, ∞) =⇒ good∃(π1, ∞), where π1 = s0s1 . . . is the projection of π onto its second component. We are now ready to define the simulation relation ⊑x(k1,k2), with x as above. We say that a k2-set s x-simulates a k1-set q, written q ⊑x(k1,k2) s, if Duplicator has a winning strategy in Gx(k1,k2)(q, s). We overload the simulation relation ⊑x(k1,k2) on singletons: q ⊑x(k1,k2) s ⇐⇒ {q} ⊑x(k1,k2) {s}. For two automata A and B, we write A ⊑x(k1,k2) B for qIA ⊑x(k1,k2) qIB, where the simulation is actually computed on the disjoint union of A and B. If ⊑x(k1,k2) is a simulation, then its transitive closure is denoted ⪯x(k1,k2). Note that, in general, ⊑x(k1,k2) is not itself a transitive relation. Multipebble simulations hierarchy. In general, having more pebbles (possibly) gives more power to the Duplicator. This is similar to the (1, k)-simulations for NBA studied in [3], but in our context there are two independent directions of "growing power". Theorem 1. Let x ∈ {o, ∃di, ∀di, de, f} and k1′ ≥ k1, k2′ ≥ k2. 1. Inclusion: ⊑x(k1,k2) ⊆ ⊑x(k1′,k2′). (In particular, the same holds for the transitive closures.) 2. Strictness: If k1′ > k1 or k2′ > k2, there exists an automaton Q s.t. ⊑x(k1,k2) ≠ ⊑x(k1′,k2′).
Proof (Sketch). Point 1) follows directly from the definitions, since Duplicator can always take pebbles away. Point 2) is illustrated in Figure 1, which holds for any kind of simulation x ∈ {o, ∃di, ∀di, de, f}.

Fig. 1. Example in which q ⊑x(2,3) s, but q ̸⊑x(k1,k2) s for any k1 ≤ 2, k2 ≤ 3, with k1 < 2 or k2 < 3. The alphabet is Σ = {a} ∪ Σ′, with Σ′ = {b1, b2, c1, c2, c3}. Note that both automata recognize the same language, both over finite and infinite words: Lfin(q) = Lfin(s) = a(c1 + c2 + c3)Σ∗ and Lω(q) = Lω(s) = a(c1 + c2 + c3)Σω.
Theorem 2. For any k1, k2 ∈ N>0 and any automaton Q, 1. ⊑∃di(k1,k2) ⊆ ⊑o(k1,k2), and 2. ⊑∀di(k1,k2) ⊆ ⊑de(k1,k2) ⊆ ⊑f(k1,k2) ⊆ ⊑o(k1,k2).
Moreover, for each containment, there exists Q s.t. the containment is strict. Proof. The containments follow directly from the definitions. For the strictness, consider again the example in Figure 1, with the modifications below. If no state on the right is accepting, then no simulation holds except ordinary simulation. If q is accepting,
then universal direct simulation does not hold, but delayed simulation does. Finally, if the only accepting state is q, then delayed simulation does not hold, but fair simulation does. It is easy to generalize this example for any k1, k2 ∈ N>0.
3 Finite Words

Lemma 1. For any automaton Q with n states and states q, s ∈ Q:
1. q ⊑∃di(k1,k2) s implies Lfin(q) ⊆ Lfin(s), for any k1, k2 ∈ N>0.
2. q ⊑o(k1,k2) s implies Tr(q) ⊆ Tr(s), for any k1, k2 ∈ N>0.
3. Lfin(q) ⊆ Lfin(s) implies q ⊑∃di(n,n) s, provided that Q is complete.
4. Tr(q) ⊆ Tr(s) implies q ⊑o(n,n) s, provided that Q is complete.
In particular, the last two points above show that existential-direct (resp., ordinary) simulation "reaches" language inclusion (resp., trace inclusion) at (n, n). Subset constructions. The subset construction is a well-known procedure for determinizing NFAs [8]. It is not difficult to generalize it to alternating automata, where it can be used for eliminating existential states, i.e., to perform the de-existentialization of the automaton. The idea is the same as in the subset construction, except that, when considering a-successors of a macrostate (for a symbol a ∈ Σ), existential and universal states are treated differently. For existential states, we apply the same procedure as in the classic subset construction, by always taking all a-successors. For universal states, each a-successor induces a different transition in the subset automaton. This ensures that macrostates can be interpreted purely disjunctively, and the language of a macrostate equals the union of the languages of the states belonging to it. Accordingly, a macrostate is accepting if it contains some state which is accepting. The previous construction can be dualized for de-universalizing finite automata. For an AFA Q, let S∃(Q) and S∀(Q) be its de-existentialization and de-universalization, respectively. (See Definitions 1 and 2 in Appendix B.1 of the technical report [2].) The following lemma formalizes the intuition that multipebble simulations for AFA in fact correspond to (1, 1)-simulations over the appropriate subset constructions. Lemma 2. Let Q1, Q2 be two AFAs over the same alphabet Σ, with |Q1| = n1 and |Q2| = n2. Then, for any k1 ≤ n1 and k2 ≤ n2,

Q1 ⊑∃di(k1,n2) Q2 ⇐⇒ Q1 ⊑∃di(k1,1) S∃(Q2)   (1)
Q1 ⊑∃di(n1,k2) Q2 ⇐⇒ S∀(Q1) ⊑∃di(1,k2) Q2   (2)
Q1 ⊑∃di(n1,n2) Q2 ⇐⇒ S∀(Q1) ⊑∃di(1,1) S∃(Q2)   (3)
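The de-existentialization described above can be sketched as a macrostate successor function. This is our own illustrative code under stated assumptions (the automaton is complete, as in Lemma 1, and names are ours): existential states contribute all their a-successors to the single macrostate, while each combination of choices for the universal states induces a separate transition.

```python
from itertools import product

def deexist_successors(macro, a, delta, existential):
    """All a-successors of a macrostate in a sketch of the de-existentialization.

    A macrostate is read disjunctively: its language is the union of its
    members' languages, so it is accepting iff it contains an accepting state.
    """
    exist_part = set()
    for q in macro:
        if q in existential:
            exist_part |= delta[(q, a)]            # existential: keep every successor
    universal = sorted(q for q in macro if q not in existential)
    choice_sets = [sorted(delta[(q, a)]) for q in universal]
    # universal: each combination of single choices induces its own transition
    return {frozenset(exist_part | set(choice)) for choice in product(*choice_sets)}
```

Dualizing the roles of existential and universal states yields the de-universalization in the same style.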
4 Infinite Words

Multipebble existential-direct simulation is not suitable for ω-automata, since it does not even imply ω-language inclusion.
Theorem 3. For any k1, k2 ∈ N>0, not both equal to 1, there exist an automaton Q and states q, s ∈ Q s.t. q ⊑∃di(k1,k2) s holds, but Lω(q) ⊄ Lω(s).
∃di (1,2)
q b
a
b c
q0
s a
a
c
f(n,n)
q1
a
a
s0 a
b b
(a) An example in which q ∃di (1,2) s ⊆ Lω (s). holds, but Lω (q)
a
s1
b s2
b
(b) An example in which Lω (q0 ) ⊆ f(n,n) s0 . Lω (s0 ) holds, but q0
Fig. 2. Two examples
This motivates the definition of universal-direct simulation, which does imply ω-language inclusion, like the coarser delayed and fair simulations. Theorem 4. For x ∈ {∀di, de, f}, any automaton Q, k1, k2 ∈ N>0 and states q, s ∈ Q, q ⊑x(k1,k2) s implies Lω(q) ⊆ Lω(s). Unlike in the finite-word case, ω-language inclusion is not "reached" by the simulations {∀di, de, f}. See Figure 2(b) and Appendix C in the technical report [2]. Theorem 5. For any x ∈ {∀di, de, f}, there exist an automaton Q and states q0, s0 ∈ Q s.t. Lω(q0) ⊆ Lω(s0), but q0 ̸⊑x(n,n) s0. The Miyano-Hayashi construction. The Miyano-Hayashi (MH) construction [10] is a subset-like construction for ABAs which removes universal nondeterminism, i.e., it performs the de-universalization of ω-automata. The idea is similar to the analogous construction over finite words, with extra bookkeeping needed for recording visits to accepting states, which may occur not simultaneously for different runs. A set of obligations is maintained, encoding the requirement that, independently of how universal nondeterminism is resolved, an accepting state has to be eventually reached. There is a tight relationship between these obligations and fair multipebble simulation. For an ABA Q, let Qnd be the de-universalized automaton obtained by applying the MH-construction. (See also Definition 3 in Appendix C.1 of the technical report [2].) The following lemma says that the MH-construction produces an automaton which is (n, 1)-fair-simulation equivalent to the original one, and this result is "tight" in the sense that it does not hold for either direct or delayed simulation.
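The obligation bookkeeping can be sketched as a successor function on macrostates (S, O), where S is the current set of states (read conjunctively) and O ⊆ S collects the states that still owe a visit to F. This is a hedged sketch under our own encoding, not the paper's definition: existential choices are resolved one successor per state, universal states contribute all successors, and a macrostate is accepting when O = ∅.

```python
from itertools import product

def mh_successors(S, O, a, delta, existential, F):
    """Successors of macrostate (S, O) on letter a, in a sketch of the
    Miyano-Hayashi de-universalization (the automaton is assumed complete)."""
    states = sorted(S)
    options = [sorted(delta[(q, a)]) if q in existential else [None] for q in states]
    result = set()
    for pick in product(*options):
        succ_of = {}
        for q, ch in zip(states, pick):
            # one chosen successor per existential state, all successors otherwise
            succ_of[q] = {ch} if q in existential else set(delta[(q, a)])
        S2 = frozenset(set().union(*succ_of.values())) if succ_of else frozenset()
        if O:
            # obligations: successors of owing states that still have not met F
            O2 = frozenset(set().union(*(succ_of[q] for q in O)) - set(F))
        else:
            O2 = frozenset(S2 - set(F))   # breakpoint: restart the obligation set
        result.add((S2, O2))
    return result
```

A run of the resulting NBA is accepting iff the breakpoint O = ∅ is reached infinitely often, which is exactly the "every branch eventually visits F" requirement.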
Multipebble Simulations for Alternating Automata
305
Lemma 3. For any ABA Q, let Qnd be the NBA obtained according to the Miyano-Hayashi de-universalization procedure applied to Q. Then,
a) Q ⊑x(n,1) Qnd, for x ∈ {f, ∀di}, and a') ∃ automaton Q1 s.t. Q1 ⋢de(n,1) Q1nd,
b) Qnd ⊑f(1,1) Q, and b') ∃ automaton Q2 s.t. Q2nd ⋢x(1,1) Q2, for x ∈ {de, ∀di}.
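To make the obligation bookkeeping concrete, the following sketch (our code, not the construction of [10] or Definition 3 of [2], which handle full ABAs) implements the MH breakpoint idea for the special case of a purely universal Büchi automaton: states of the result are pairs (S, O), where O collects the copies still "owing" a visit to an accepting state.

```python
from itertools import chain

def mh_deuniversalize(states, alphabet, delta, init, acc):
    """Breakpoint (Miyano-Hayashi) construction, sketched for a purely
    universal Buchi automaton: delta maps (q, a) to the set of states
    that must ALL accept the remaining word.  Result states are pairs
    (S, O): S tracks every active copy, O the copies still owing a
    visit to an accepting state.  A run of the resulting automaton is
    accepting iff O is empty infinitely often."""
    def post(S, a):
        return frozenset(chain.from_iterable(delta[(q, a)] for q in S))

    s0 = (frozenset(init), frozenset(init) - acc)
    nd_states, nd_delta, todo = {s0}, {}, [s0]
    while todo:
        S, O = todo.pop()
        for a in alphabet:
            S2 = post(S, a)
            # breakpoint: once every owing copy has visited an accepting
            # state, the obligation restarts from the full set S2
            O2 = (post(O, a) - acc) if O else (S2 - acc)
            t = (S2, O2)
            nd_delta[((S, O), a)] = t
            if t not in nd_states:
                nd_states.add(t)
                todo.append(t)
    nd_acc = {(S, O) for (S, O) in nd_states if not O}
    return nd_states, nd_delta, s0, nd_acc
```

For instance, on the one-letter universal automaton with δ(0, a) = {0, 1} and accepting set {1}, one copy stays forever in the non-accepting state 0, and accordingly no accepting (S, ∅) state is reachable in the result.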
Fig. 3. An example showing automata Q1 and Q2 s.t. Q1 ⋢de(n,1) Q1nd (n = 2 suffices), and Q2nd ⋢x(1,1) Q2 for x ∈ {∀di, de}. The only difference between Q1 and Q2 is the state q31, being accepting in the former and non-accepting in the latter. Notice that Q1nd = Q2nd = Qnd. The states in Qnd are: s0 = ({q0}, {q0}), s1 = ({q11, q12}, {q12}), s2 = ({q21, q22}, ∅), s3 = ({q31, q32}, {q32}).
Since fair simulation implies language inclusion, Q and Qnd have the same language. This constitutes an alternative proof of correctness for the MH-construction. The MH-construction "preserves" fair simulation in the following sense.
Lemma 4. Let Q, S be two ABAs. Then, Q ⊑f(n,1) S ⟺ Qnd ⊑f(1,1) Snd.
Remark 3. A weaker version of the "only if" direction of Lemma 4 above, namely Q ⊑f(1,1) S ⟹ Qnd ⊑f(1,1) Snd (notice the (1, 1) in the premise), had already appeared in [5]. The same statement for both direct and delayed simulation is false, contrary to what is incorrectly claimed in [5]. In fact, it can be shown (with an example similar to Figure 3) that there exist automata Q and S s.t. Q ⊑x(1,1) S, but Qnd ⋢x(1,1) Snd, with x ∈ {di, de}. Finally, the "if" direction of Lemma 4 can only be established in the context of multiple pebbles, and it is new.
Transitivity. While most (k1, k2)-simulations are not transitive, some limit cases are. By defining a notion of join for (1, n)- and (n, 1)-strategies (see Appendix C.2 in the technical report [2]), we establish that (1, n)- and (n, 1)-simulations are transitive.
306
L. Clemente and R. Mayr
Theorem 6. Let Q be an ABA with n states, and let x ∈ {∀di, de, f}. Then, ⊑x(1,n) and ⊑x(n,1) are transitive.
Remark 4 (Difficulties for (n, n)-transitivity). We did consider transitivity for (n, n)-simulations on ABAs, but found two major issues there. The first issue concerns directly the definition of the join of two (n, n)-strategies, and this holds for any x ∈ {∀di, de, f}: The so-called "puppeteering technique", currently used for defining the join for (1, n)- and (n, 1)-strategies, requires maintaining several games, and piping the output from one game to the input of one or more other games. This creates a notion of dependency between different games. For (1, n) and (n, 1), there are no cyclic dependencies, and we were able to define the joint strategy. However, for (n, n)-simulations, there are cyclic dependencies, and it is not clear how the joint strategy should be defined. The second issue arises from the fact that we further require that the join of two winning strategies is itself a winning strategy. Therefore, the joint strategy needs to carry an invariant which implies the x-winning condition, for x ∈ {∀di, de, f}. While such an invariant for x = ∀di is straightforward, it is not clear what the correct invariant should be for either delayed or fair simulation.
5 Quotienting
In the following we discuss how multipebble simulation preorders can be used for state-space reduction of alternating automata, i.e., we discuss under which notions of quotient the quotient automaton recognizes the same language as the original one. Let Q = (Q, Σ, qI, Δ, E, U, F) be an alternating automaton, over finite or infinite words. Let ⊑ be any binary relation on Q, and let ≈ be the induced equivalence, defined as ≈ := ⊑* ∩ (⊑*)⁻¹. [·] : Q → [Q] is the function that maps each element q ∈ Q to the equivalence class [q] ∈ [Q] it belongs to, i.e., [q] := {q' | q ≈ q'}. We overload [P] on sets P ⊆ Q by taking the set of equivalence classes. In all the notions of quotient that will be defined, only the transition relation varies. Thus, we gather the common part under a quotient skeleton. We define the quotient skeleton Q≈ = ([Q], Σ, [qI], Δ≈, E', U', F') as follows: E' := [E], U' := [Q] \ E' = {[q] | [q] ⊆ U} and F' := [F]. We leave Δ≈ unspecified at this time, as it will have different concrete instantiations later. Notice that mixed classes, i.e., classes containing both existential and universal states, are declared existential.
The following definitions are borrowed from [5]. We say that q' ∈ Δ(q, a) is a k-x-minimal a-successor of q iff there is no strictly ⊑x(1,k)-smaller a-successor of q, i.e., for any q'' ∈ Δ(q, a), q'' ⊑x(1,k) q' implies q' ⊑x(1,k) q''. Similarly, q' ∈ Δ(q, a) is a k-x-maximal a-successor of q iff for any q'' ∈ Δ(q, a), q' ⊑x(1,k) q'' implies q'' ⊑x(1,k) q'. Let min^k_{a,x}(q)/max^k_{a,x}(q) be the set of minimal/maximal a-successors of q.
5.1 Finite Words
Let ⊑ be any preorder which implies language inclusion over finite words, i.e., q ⊑* s ⟹ Lfin(q) ⊆ Lfin(s). In particular, one can take ⊑ = ⊑∃di(k1,k2), or even ⊑ equal to language inclusion itself. As before, let ≈ be the equivalence induced by ⊑. It is
well known that automata over finite words can be quotiented w.r.t. any preorder which implies language equivalence. Here, we show that not all transitions are needed, and that it is sufficient to consider maximal successors of existential states and minimal successors of universal states. We define the minimax [5] quotient automaton Qm≈ by instantiating the quotient skeleton (see Section 5) with transition relation Δ≈ := Δm≈, where ([q], a, [q']) ∈ Δm≈ iff either
– [q] ∈ E' and ∃ q̂ ∈ [q] ∩ E, q̂' ∈ [q'] s.t. (q̂, a, q̂') ∈ Δ ∧ q̂' ∈ max_a(q̂), or
– [q] ∈ U' and ∃ q̂ ∈ [q], q̂' ∈ [q'] s.t. (q̂, a, q̂') ∈ Δ and q̂' ∈ min_a(q̂).
Notice that transitions from universal states in mixed classes are ignored altogether.
Lemma 5. Let Q be any alternating finite automaton, and let ⊑ be any preorder which implies finite-language inclusion. Then, for any q ∈ Q, Lfin(q) = Lfin([q]m).
5.2 Infinite Words
Unlike for finite words, it is well known that quotienting ω-automata w.r.t. ω-language equivalence does not preserve the ω-language. It has even been shown that quotienting w.r.t. (1, 1)-fair (bi)simulation does not preserve the ω-language either [7,4]. Therefore, one has to look for finer simulations, like delayed or direct simulation. Notice that multipebble existential-direct simulation cannot be used for quotienting, since it does not even imply ω-language inclusion (see Theorem 3).
Theorem 7. For any k1, k2 ∈ N>0 and x ∈ {∃di, f} there exists an ABA Q s.t. Lω(Q) ≠ Lω(Q≈), with ≈ := ≈x(k1,k2). For x = ∃di, k1 and k2 must not be both equal to 1. (Note that ≈∃di(1,1)-quotienting does preserve the ω-language.)
Thus, in the following we concentrate on universal-direct and delayed simulation.
Minimax quotients for universal-direct simulation. In [5] it has been shown that minimax quotients preserve the ω-language (for direct simulation), and that one can consider just maximal/minimal successors of existential/universal states, respectively.
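As an illustration of the minimax idea recalled above, here is a minimal sketch (ours, for the 1-pebble case only) that builds the equivalence classes and the minimax transitions from an explicitly given preorder, assumed reflexive, transitive, and language-inclusion-respecting; mixed classes are treated as existential and keep only transitions of their existential members.

```python
def minimax_quotient(Q, Sigma, delta, E, pre):
    """Sketch of the minimax quotient of [5] (1-pebble case).  `pre` is
    a preorder on Q given as a set of pairs (assumed reflexive and
    transitive); `delta` is a set of triples (q, a, q'); `E` is the set
    of existential states.  Existential (and mixed) classes keep only
    maximal a-successors of existential members, universal classes only
    minimal ones."""
    leq = lambda p, q: (p, q) in pre
    # equivalence class of q: all states preorder-equivalent to q
    cls = {q: frozenset(r for r in Q if leq(q, r) and leq(r, q)) for q in Q}

    def succs(q, a):
        return [r for (p, b, r) in delta if p == q and b == a]

    def maximal(S):   # no strictly pre-greater element in S
        return [s for s in S if all(not (leq(s, t) and not leq(t, s)) for t in S)]

    def minimal(S):   # no strictly pre-smaller element in S
        return [s for s in S if all(not (leq(t, s) and not leq(s, t)) for t in S)]

    qdelta = set()
    for q in Q:
        for a in Sigma:
            if cls[q] & E:                  # mixed classes are existential
                if q in E:
                    for r in maximal(succs(q, a)):
                        qdelta.add((cls[q], a, cls[r]))
            else:
                for r in minimal(succs(q, a)):
                    qdelta.add((cls[q], a, cls[r]))
    return set(cls.values()), qdelta
```

For example, if state 1 has a-successors 2 and 3 with 2 strictly below 3 in the preorder, only the transition to the class of 3 survives in the quotient.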
Here, we improve this notion, by showing that, when considering multiplepebbles, it is not needed to consider every maximal successor of existential states, but it is safe to discard those maximal successors which are (1, k)simulated by a kset of other maximal successors. This suggests the following definition: For q ∈ E, a ∈ Σ and k > 0, we is a set of kmaximal representatives for asuccessors of q iff say that q ⊆ maxka,∀di( . ∃ (4) q ∈ 2q ,k . q ∀di q q q ) ∧ ∀q ∈ maxka,∀di ( q) \ q (1,k) Notice that the above definition is nondeterministic, in the sense that there might be different sets of maximal representatives: In this case, one can just take any ⊆minimal set satisfying Equation 4. In the following, we assume that a set of maximal represen has been selected for any q ∈ E and a ∈ Σ. tatives q We define the minimax+ quotient automaton Qm+ ≈ by instantiating the quotient skelem ton (see Section 5) with transition relation Δ≈ := Δm+ ≈ , which differs from Δ≈ just for m+ existential and mixed classes: ([q], a, [q ]) ∈ Δ≈ with [q] ∈ E iff
, where q is a – there exist q ∈ [q] ∩ E and q ∈ [q ] s.t. ( q , a, q ) ∈ Δ and q ∈ q fixed set of kmaximal representatives for asuccessors of q, as defined above. Our definition of minimax+ quotient differs from the one in [5] also w.r.t. the treatment of mixed classes, as discussed in the following remarks. Remark 5. While in [5] universal states in mixed classes do induce transitions (to minimal elements), in our definition we ignore these transitions altogether. In the setting of (1, 1)simulations these two definitions coincide, as they are shown in [5] to yield exactly the same transitions, but this needs not be the case in our setting: In the context of multiplepebbles, one minimal transition from a universal state q U might be subsumed by no single transition from some existential state q E in the same class, but it is always the case that q E has a set of transitions which together subsume the one from q U (cf. Lemma 15 in Appendix D.3 [2]). In this case, we show that one can in fact always discard the transitions from q U . Thus, in the context of multiplepebbles, minimax+ quotients result in less transitions than just minimax quotients from [5]. Remark 6. While minimax mixed classes are deterministic when considering (1, 1)simulations [5], this is not necessarily true when multiple pebbles are used. Theorem 8. q ≈∀di (1,n) [q]m+ , where the quotient is taken w.r.t. the transitive closure of ∀di , for any k such that 1 ≤ k ≤ n. In particular, Lω (q) = Lω ([q]m+ ). (1,k) Semielective quotients for delayed simulation. It has been shown in [5] that minimax quotients w.r.t (1, 1)delayed simulation on ABA do not preserve the ωlanguage. The reason is that taking just maximal successors of existential states is incorrect for delayed simulation, since a visit to an accepting state might only occur by performing a nonmaximal transition. 
(This is not the case with direct simulation, where if a simulation-smaller state is accepting, then every bigger state is accepting too.) This motivates the definition of semi-elective quotients [5], which are like minimax quotients, with the only difference that every transition induced by existential states is considered, not just maximal ones. Except for that, all previous remarks still apply. In particular, in mixed classes in semi-elective quotients it is necessary to ignore non-minimal transitions from universal states; otherwise, the quotient automaton would recognize a bigger language. While for the (1, 1)-simulations on ABAs in [5] it is actually possible to ignore transitions from universal states in mixed classes altogether (see Remark 5), in the context of multiple pebbles this is incorrect (see Figure 5 in Appendix D.3 of the technical report [2]). The reason is similar to the reason why non-maximal transitions from existential states cannot be discarded: This might prevent accepting states from being visited.
We define the semi-elective+ quotient automaton Qse+≈ by instantiating the quotient skeleton (see Section 5) with Δ≈ := Δse+≈, where
([q], a, [q']) ∈ Δse+≈ ⟺ (q, a, q') ∈ Δ and either q ∈ E, or q ∈ U and q' ∈ min^n_{a,de}(q)
Theorem 9. q ≈de(1,n) [q]se+, where the quotient is taken w.r.t. ≈de(1,n). In particular, Lω(q) = Lω([q]se+).
Fig. 4. (1, k)-semi-elective+ quotients on ABAs do not preserve the ω-language for 1 < k < n in general. Let k = 2. The only two (1, k)/(1, n)-equivalent states are qu and qe, and in the quotient they form a mixed class. q1 is not a (1, n)-minimal a-successor of qu, but it is a (1, k)-minimal successor for k = 2. Thus, the only difference between the (1, n)- and (1, k)-semi-elective+ quotients is that the dashed transition is (correctly) not included in the former, but (incorrectly) included in the latter. Thus the (1, k)-semi-elective+ quotient automaton would incorrectly accept the word w = aaeaω ∉ Lω(qI) = aaa{b + c + d}aω.
Remark 7. It is surprising that, unlike for NBAs [3], quotienting ABAs w.r.t. (1, k)-delayed simulations, for 1 < k < n, does not preserve the language of the automaton in general. The problem is again in the mixed classes, where minimal transitions from universal states can be selected only by looking at the full (1, n)-simulation. See the counterexample in Figure 4, where the dashed transition is present in the (1, k)-quotient, despite being non-(1, n)-minimal.
Remark 8. Semi-elective multipebble quotients can achieve arbitrarily high compression ratios relative to semi-elective 1-pebble quotients, (multipebble) direct minimax quotients and mediated preorder quotients [1] (see Figure 6 in Appendix D.3 [2]).
6 Solving Multipebble Simulation Games
In this section we show how to solve the multipebble simulation games previously defined. We encode each simulation game into a 2-player game-graph with an ω-regular winning condition. In the game-graph, Eve will take the rôle of Duplicator, and Adam the one of Spoiler. A game-graph is a tuple G = ⟨VE, VA, →⟩, where nodes in VE belong to Eve (mimicking Duplicator), and nodes in VA belong to Adam (mimicking Spoiler). Transitions are represented by elements in → ⊆ (VE × VA) ∪ (VA × VE), where we write p → q for (p, q) ∈ →. Notice that the two players strictly alternate while playing, i.e., the game graph is bipartite. We write V for VE ∪ VA. We introduce the following monotone operator on 2^VA: For any x ⊆ VA, cpre(x) := {v0 ∈ VA | ∀v1 ∈ VE . (v0 → v1 ⟹ ∃v2 ∈ x. v1 → v2)}, i.e., cpre(x) is the set of nodes from which Eve can force the game into x.
We define various game-graphs for solving simulations. We express the winning region of Eve as a μ-calculus fixpoint expression over VA [9], which can then be evaluated using standard fixpoint algorithms. We derive the desired complexity upper bounds using the following fact:
Lemma 6. Let e be a fixpoint expression over a graph V, with |V| ∈ n^O(k). Then, for any fixed k ∈ N, evaluating e can be done in time polynomial in n.
For solving direct and fair simulation, we refer the reader to Appendix E [2]. Here, we consider just delayed simulation, which is the most difficult (and interesting). The natural starting point for defining G^de is the definition in [3] of the game-graph for computing (1, k)-simulations for NBAs. Unfortunately, the game-graph in [3] is actually incorrect: According to the definition of delayed simulation (cf. Section 2), every new obligation encountered when the left side is accepting at some round should be independently satisfied by the right side, which has to be good since that round. Now, the algorithm in [3] just tries to satisfy the most recent obligation, which overrides all the previous ones. This is an issue: If the left side is continuously accepting, for example, then the right side might simply not have enough time to satisfy any obligation at all. Therefore, [3] actually computes an under-approximation of delayed simulation. We overcome this difficulty by explicitly bookkeeping all pending constraints. This leads to the following definitions.
The game-graph for delayed simulation is G^de = ⟨V^de_E, V^de_A, →^de⟩, where nodes in V^de_A are of the form v(q,Bad,s,Good), and nodes in V^de_E of the form v(q,Bad,s,Good,a,q',s'), with q, q', s, s' ⊆ Q. Bad = b1 ⊃ · · · ⊃ bm1 and Good = g1 ⊂ · · · ⊂ gm2 are two sequences of sets of states from Q, strictly ordered by set-inclusion, which are used to keep track of multiple obligations.
Intuitively, Bad is used to detect when new constraints should be created, i.e., to detect when every Left pebble is universally good since some previous round. At each round, a new set of bad pebbles b = q \ F is added to Bad. When accepting states are visited by Left pebbles, they are discarded from every set b ∈ Bad. When some b eventually becomes empty, this means that, at the current round, all Left pebbles are universally good since some previous round: At this point, b is removed from Bad, and we say that the red light flashes.
The sequence Good represents a set of constraints to be eventually satisfied. Each g ∈ Good is a set of good pebbles, which we require to "grow" until it becomes equal to s. When Good = ∅, there is no pending constraint. Constraints are added to Good when the red light flashes (see above): In this case, we update Good by adding the new empty constraint g = ∅. When accepting states are visited by Right pebbles, we upgrade every constraint g ∈ Good by adding those accepting states. Completed constraints g = s are then removed from Good, and we say that the green light flashes.
Lemma 7. |V^de| ≤ 2·(n+1)^{2(k1+k2)} · (1 + (k1+1)^{k1+1}) · (1 + 2(k2+1)^{k2+1}) · |Σ|.
Transitions in G^de are defined as follows. For any (q, s, a, q', s') ∈ Γ^Sp, we have v(q,Bad,s,Good) →^de v(q,Bad,s,Good,a,q',s'), and for (q, s, a, q', s', q'', s'') ∈ Γ^Dup, we have v(q,Bad,s,Good,a,q',s') →^de v(q'',Bad',s'',Good'), where Bad', Good' are computed according to Algorithm 1 in Appendix E.3 of the technical report [2].
We have that Eve wins iff every red flash is matched by at least one green flash, and different red flashes are matched by different green ones. This can be checked by
verifying that infinitely often either Good = ∅ or s ∈ Good, i.e., it is not the case that Good contains a constraint that is not eventually "completed" and discarded. Let T = {v(q,Bad,s,Good) | Good = ∅ ∨ s ∈ Good}, and define the initial configuration as vI = v(q,{q\F},s,∅) if q \ F ≠ ∅, and vI = v(q,∅,s,{s∩F}) otherwise. Then q ⊑de(k1,k2) s iff T is visited infinitely often iff vI ∈ W^de = νx.μy.(cpre(y) ∪ (T ∩ cpre(x))).
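The fixpoint W^de = νx.μy.(cpre(y) ∪ (T ∩ cpre(x))) can be evaluated by plain Knaster-Tarski iteration. A naive sketch (our code; a real implementation would use the standard fixpoint algorithms mentioned above) over an explicit bipartite game-graph:

```python
def win_buchi(VA, VE, edges, T):
    """Evaluate nu x. mu y. (cpre(y) | (T & cpre(x))) over the Adam
    nodes VA of a bipartite game graph: the set of Adam nodes from
    which Eve can force the target set T to be visited infinitely
    often.  `edges` is a set of pairs; T is a subset of VA."""
    succ = {v: {w for (u, w) in edges if u == v} for v in VA | VE}

    def cpre(x):
        # Adam nodes v0 s.t. every Adam move v0 -> v1 can be answered
        # by an Eve move v1 -> v2 with v2 in x
        return {v0 for v0 in VA if all(succ[v1] & x for v1 in succ[v0])}

    x = set(VA)                       # greatest fixpoint: start from top
    while True:
        y = set()                     # least fixpoint: start from bottom
        while True:
            y2 = cpre(y) | (T & cpre(x))
            if y2 == y:
                break
            y = y2
        if y == x:
            return x
        x = y
```

On the game with Adam nodes A1, A2, Eve nodes E1, E2, the two cycles A1-E1 and A2-E2, and T = {A1}, only A1 is winning for Eve, since the play from A2 never visits T.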
Theorem 10. For any fixed k1, k2 ∈ N, x ∈ {∀di, ∃di, de, f} and sets q, s ⊆ Q, deciding whether q ⊑x(k1,k2) s can be done in polynomial time.
7 Conclusions and Future Work
Transitivity for (n, n)-simulations. As discussed at the end of Section 4, composing (n, n) (winning) strategies is apparently much more difficult than in the (1, n) and (n, 1) cases. We conjecture that all types of (n, n)-simulations discussed in this paper are transitive, and showing this would conceivably solve the join problem as well.
Quotienting with (n, 1)- and (n, n)-simulations. While we have dealt with (1, n)-quotients, we have not considered (n, 1)- or (n, n)-quotients. For the latter, one should first solve the associated transitivity problem, and, for both, an appropriate notion of semi-elective quotient has to be provided. We have shown that this is already a non-trivial task for (1, n)-simulations on ABAs.
Future directions. Our work on delayed simulation has shown that several generalizations are possible. In particular, two issues need to be addressed. The first is the complexity of the structure of the game-graph needed for computing delayed simulation. A possible generalization of delayed simulation involving looser "synchronization requirements" between obligations and their satisfaction might result in simpler game-graphs. The second issue concerns Lemmas 3 and 4: We would like to find a weaker delayed-like simulation for which the counterexample shown there does not hold. This would give a better understanding of the MH-construction. As in [4], it is still open to find a hierarchy of (k1, k2)-multipebble simulations converging to ω-language inclusion when k1 = k2 = n.
Acknowledgment. We thank K. Etessami and C. Fritz for helpful discussions, and an anonymous referee for suggesting the comparison to mediated preorder [1].
References
1. Abdulla, P.A., Chen, Y.-F., Holík, L., Vojnar, T.: Mediating for reduction (on minimizing alternating Büchi automata). In: FSTTCS 2009, Dagstuhl, Germany. LIPIcs, vol. 4, pp. 1–12 (2009)
2. Clemente, L., Mayr, R.: Multipebble simulations for alternating automata. Technical Report EDI-INF-RR-1376, University of Edinburgh, School of Informatics (2010), http://www.inf.ed.ac.uk/publications/report/1376.html
3. Etessami, K.: A hierarchy of polynomial-time computable simulations for automata. In: Brim, L., Jančar, P., Křetínský, M., Kučera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 131–144. Springer, Heidelberg (2002)
4. Etessami, K., Wilke, T., Schuller, R.A.: Fair simulation relations, parity games, and state space reduction for Büchi automata. SIAM J. Comput. 34(5), 1159–1175 (2005)
5. Fritz, C., Wilke, T.: Simulation relations for alternating Büchi automata. Theor. Comput. Sci. 338(1-3), 275–314 (2005)
6. Gurevich, Y., Harrington, L.: Trees, automata, and games. In: STOC 1982: Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, pp. 60–65. ACM, New York (1982)
7. Henzinger, T.A., Rajamani, S.: Fair bisimulation. In: Schwartzbach, M.I., Graf, S. (eds.) TACAS 2000. LNCS, vol. 1785, pp. 299–314. Springer, Heidelberg (2000)
8. Hopcroft, J., Ullman, J.: Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, Reading (1979)
9. Kozen, D.: Results on the propositional mu-calculus. Theor. Comput. Sci. 27, 333–354 (1983)
10. Miyano, S., Hayashi, T.: Alternating finite automata on ω-words. Theoretical Computer Science 32, 321–330 (1984)
11. Vardi, M.Y.: Alternating automata and program verification. In: van Leeuwen, J. (ed.) Computer Science Today. LNCS, vol. 1000, pp. 471–485. Springer, Heidelberg (1995)
Parameterized Verification of Ad Hoc Networks
Giorgio Delzanno¹, Arnaud Sangnier¹, and Gianluigi Zavattaro²
¹ University of Genova
² University of Bologna
Abstract. We study decision problems for parameterized verification of a formal model of Ad Hoc Networks with selective broadcast and spontaneous movement. The communication topology of a network is represented as a graph. Nodes represent states of individual processes. Adjacent nodes represent single-hop neighbors. Processes are finite-state automata that communicate via selective broadcast messages. Reception of a broadcast is restricted to single-hop neighbors. For this model we consider verification problems that can be expressed as reachability of configurations with one node (resp. all nodes) in a certain state from an initial configuration with an arbitrary number of nodes and unknown topology. We draw a complete picture of the decidability boundaries of these problems according to different assumptions on communication graphs, namely static, mobile, and bounded path topology.
1 Introduction
In recent years there has been an increasing interest in the formal specification of protocols used in Ad Hoc Networks. Building on previous models like [7,19,21], in [22] Singh, Ramakrishnan and Smolka define the ω-calculus as a formal model of Ad Hoc Networks with selective broadcast and spontaneous movement. In the ω-calculus a configuration consists of a finite set of processes. Each process has a local state and an interface containing a finite set of group names. A group name represents a possible communication link with other processes in the network. From an abstract point of view, the structure underlying a configuration of the ω-calculus is a finite graph that defines the communication topology of a network. A node in the graph represents the current state of an individual process. There exists an edge between two nodes if the corresponding interfaces share a common group name. Adjacent nodes are called single-hop neighbors. Processes communicate through selective broadcast. Specifically, a broadcast message can be received only by the set of single-hop neighbors of the emitter. When the number of nodes is fixed a priori, formal models of Ad Hoc Networks like those provided by the ω-calculus can be verified by using finite-state model checking [11] or constraint-based model checking [22]. Lifting the study of verification problems to the parameterized case in which networks have arbitrary size and possibly unknown topology is a challenging problem for this class of distributed systems. In the present paper we study parameterized verification problems for an automata-based model of Ad Hoc Networks, which we name AHN, inspired by the

P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 313–327, 2010.
© Springer-Verlag Berlin Heidelberg 2010
314
G. Delzanno, A. Sangnier, and G. Zavattaro
ω-calculus of [22]. Each node of a network is modeled as a finite-state automaton in which local transitions model either an internal action, a broadcast or a reception of a message taken from a finite alphabet. A protocol is then defined as the composition of a finite but arbitrary number of copies of the automaton running in parallel. As in the ω-calculus a configuration can naturally be viewed as a graph that defines the communication topology. We use group names and interfaces to select the set of neighbors of an emitter that are capable of receiving a broadcast message. In our model we define verification problems parametric on the size (number of nodes) and shape (topology of the communication graph) of the initial configurations. Our investigations take into account different assumptions on the communication topology. Specifically, we consider configurations either with static or mobile topology and with static and bounded path topology. In the latter case we assume that there is an upper bound on the length of simple paths in the communication graphs underlying the initial configurations. For each of the above mentioned assumptions, we present a systematic analysis of the following decision problems: (cover) reachability of a configuration with one node in a given state, (target) reachability of a configuration with all nodes in a given state, (repeat-cover) existence of a computation traversing infinitely often configurations with at least one node in a given state. Our main negative result is that all three parameterized problems are undecidable for arbitrary static topology. The proofs are based on a simulation of a Turing complete formalism which is correct only for topologies of a given size and shape. As the topology is arbitrary, the simulation is preceded by a protocol able to explore the current topology and to start the simulation only if it is of the expected form. Perhaps surprisingly, all three problems become decidable in the mobile case.
This result is similar to what happens in channel systems, where introducing lossiness simplifies the verification task [3]. For static bounded path topologies, target and repeat-cover turn out to be undecidable while cover is still decidable. The latter result is similar to those presented in [23,15] for bounded depth processes with point-to-point communication. However, due to broadcast communication we need to resort to a different proof technique. Namely, even if we use the theory of well structured transition systems (WSTS) [1,2,12] as in [15,23], we need to consider a stronger ordering on configurations based on the induced subgraph ordering [5] instead of the subgraph embedding. To the best of our knowledge, this is the first case of application of the induced subgraph ordering in the context of WSTS.
Related Work. Formal models of networks in which all processes receive a broadcast message at once are presented and analyzed in [6,8,19]. In our setting this kind of broadcast is modeled by configurations whose underlying graph is a clique. Selective broadcast has been studied in several process calculi for ad hoc networks and wireless communication like those presented in [7,13,14,16,21], some of which turn out to be extensions of the pi-calculus [17]. A distinguished feature of the ω-calculus [21,22] is that mobility of processes is abstracted from
their communication actions, i.e., mobility is spontaneous and it does not involve any communication. In [22] the authors define a constraint-based analysis for configurations with a fixed number of nodes. The shape of topologies leading to bad configurations is constructed in a lazy manner during a symbolic exploration of the state space. The symbolic approach in [22] seems to improve verification results obtained with more standard model checking tools like Uppaal [11]. In the same paper the authors mention that, without name restriction, reachability of a configuration from an initial one is decidable. In the present paper we lift our reachability problems to the parameterized case in which the initial configuration has unknown size and shape. For networks of arbitrary size, in [20] Saksena et al. define a symbolic procedure based on graph transformations to analyze a routing protocol for Ad Hoc Networks. The symbolic representation is based on upward closed sets of graphs ordered by subgraph inclusion. The procedure is not guaranteed to terminate. In our paper we use a different ordering on graphs, namely induced subgraph, for ensuring termination of backward reachability on graphs with paths of bounded length. Due to lack of space, omitted proofs can be found in [4].
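To illustrate the two orderings contrasted above: under the induced subgraph ordering, a labelled graph embeds into another via a label-preserving injection that preserves both edges and non-edges, whereas plain subgraph embedding drops the non-edge requirement. A brute-force sketch (ours, exponential in the small graph; graphs are encoded as a label list plus an edge set over vertex indices):

```python
from itertools import permutations

def induced_subgraph(small, big):
    """Test whether `small` embeds into `big` as an *induced* labelled
    subgraph: an injection of vertices that preserves labels, edges and
    non-edges.  (The coarser subgraph embedding would only demand that
    edges of `small` are preserved.)"""
    (ls, es), (lb, eb) = small, big
    n, m = len(ls), len(lb)
    adj_b = lambda u, v: (u, v) in eb or (v, u) in eb
    adj_s = lambda u, v: (u, v) in es or (v, u) in es
    for f in permutations(range(m), n):     # candidate injections
        if all(ls[i] == lb[f[i]] for i in range(n)) and \
           all(adj_b(f[i], f[j]) == adj_s(i, j)
               for i in range(n) for j in range(i + 1, n)):
            return True
    return False
```

On the labelled path a-b-c, the subgraph on {a, c} with no edge is an induced subgraph (a and c are non-adjacent in the path), while the subgraph on {a, b} with no edge is not, although it would be under plain subgraph embedding.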
2 A Formal Model for Ad Hoc Network Protocols
Following [22], a configuration of an Ad Hoc Network is modeled as a tuple of nodes ⟨n1, . . . , nk⟩ with k ≥ 1. A node ni maintains information about the current state of an individual process and its current set of communication links. The behavior of a single node is described by a finite-state automaton, called a process, in which transitions represent internal, broadcast, or reception actions. Concerning the representation of communication links, a convenient way to describe the network topology is based on the use of group names. Specifically, to each node we associate an interface that defines the set of group names to which the node belongs. Two nodes are connected if their interfaces share at least one common group name. The semantics of the transitions specifies how different nodes interact in a global configuration. We assume that nodes cannot dynamically be created or deleted.
Definition 1. An Ad Hoc Network Protocol (shortly AHN) is a pair ⟨P, G⟩ where P is a process definition and G is a denumerable set of group names. A process P = ⟨Q, Σ, E, Q0⟩ defines the behavior of a single node of the network. Here Q is a finite set of control states, Σ is a finite alphabet, E ⊆ Q × ({τ} ∪ {b(a), r(a) | a ∈ Σ}) × Q is the transition relation, and Q0 ⊆ Q is a set of initial control states. The label τ represents an internal action of a process, the label b(a) represents the capability of broadcasting message a, and r(a) the capability of receiving message a.
Definition 2. Assume P = ⟨Q, Σ, E, Q0⟩. A node n is a pair ⟨q, I⟩, where q ∈ Q is called the state and I ⊆ G is called the interface of the node. A
Fig. 1. Graph associated to a configuration
configuration γ is a tuple ⟨n1, . . . , nk⟩ of nodes with size k ≥ 1. We use C to denote the set of configurations of any size.
A configuration γ defines a given network topology specified by the graph G(γ). The vertices in G(γ) are in bijection with the nodes of γ. The label of a vertex is the state of the corresponding node in γ. Furthermore, there exists an edge between two vertices in G(γ) if and only if the intersection of the interfaces of the corresponding nodes in γ is not empty. For instance, consider a configuration γ with nodes n1 = ⟨q4, {g1, g2}⟩, n2 = ⟨q3, {g1, g3}⟩, n3 = ⟨q3, {g2, g3}⟩, n4 = ⟨q1, {g3, g4}⟩, n5 = ⟨q2, {g4}⟩, and n6 = ⟨q3, {g4}⟩; the communication topology induced by γ is depicted in Figure 1.
We define functions σ and ι to extract the state and the interface of a node, i.e., σ(⟨q, I⟩) = q and ι(⟨q, I⟩) = I. We extend σ and ι to configurations in the natural way. For a configuration γ, we sometimes consider σ(γ) as a set rather than a vector and use q ∈ σ(γ) to denote that there exists a node ni in γ such that σ(ni) = q. The set of indexes of nodes adjacent to a node ni in a configuration γ = ⟨n1, . . . , nk⟩ (single-hop neighbors of ni in G(γ)) is defined as Shn(γ, i) = {j ∈ [1..k] | ι(ni) ∩ ι(nj) ≠ ∅ and j ≠ i}. For a broadcast message a ∈ Σ, we define the set of indexes Rec(γ, a) = {j ∈ [1..k] | (σ(nj), r(a), q) ∈ E for some q ∈ Q}. The set of nodes in γ enabled by a broadcast a sent by node ni is then defined as Enabled(γ, i, a) = Shn(γ, i) ∩ Rec(γ, a).
Operational Semantics. The semantics of an AHN ⟨P, G⟩ with P = ⟨Q, Σ, E, Q0⟩ is given by its associated transition system TS(P, G) = ⟨C, ⇒, C0⟩ (we recall that C is the set of configurations of all possible sizes), where C0 is the set of initial configurations defined as C0 = {γ ∈ C | σ(γ) ⊆ Q0} and ⇒ is the transition relation in C × C defined as follows.
Definition 3. For γ = ⟨n1, . . . , nk⟩ and γ' = ⟨n'1, . . . , n'k⟩, γ ⇒ γ' iff one of the following conditions holds:
Internal.
There exists i ∈ [1..k] such that (σ(ni ), τ, σ(ni )) ∈ E, ι(ni ) = ι(ni ), and nj = nj for all j ∈ [1..k] \ {i}. Broadcast. There exists a ∈ Σ and i ∈ [1..k] such that (σ(ni ), b(a), σ(ni )) ∈ E, ι(ni ) = ι(ni ), and the following conditions hold: – For all j ∈ Enabled(γ, i, a), (σ(nj ), r(a), σ(nj )) ∈ E and ι(nj ) = ι(nj ); – For all p ∈ / (Enabled(γ, i, a) ∪ {i}), np = np . We denote by ⇒∗ the reﬂexive and transitive closure of ⇒. An execution is a sequence γ0 γ1 . . . such that σ(γ0 ) ⊆ Q0 and γi ⇒ γi+1 for i ≥ 0.
Parameterized Veriﬁcation of Ad Hoc Networks
317
As an example, consider a process deﬁnition in which Q = {q1 , q2 , q3 , q4 }, Σ = {a}, and E contains the rules (q1 , τ, q2 ),
(q2, b(a), q4), (q1, r(a), q2), and (q3, r(a), q2).
Starting from a connected component in which nodes have label q1 or q3, once an alarm is detected by a q1 node (τ action), it is flooded (broadcast of message a) to all single-hop neighbors which, in turn, forward the alarm to their neighbors, and so on. After some steps, the alarm reaches all multi-hop neighbors, yielding a configuration in which all nodes (in the connected component) have label q4.
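The flooding dynamics can be replayed with a small simulator. The Python sketch below uses our own encoding of configurations (a node is a pair of a state and a set of group names) and hard-codes the four rules above under one deterministic scheduling; it is an illustration, not part of the formal model.

```python
# Mini-simulator for the alarm-flooding example (states q1..q4, rules as above).
# Encodings and helper names are our own.

def neighbors(conf, i):
    # nodes sharing at least one group name with node i (single-hop neighbors)
    return [j for j in range(len(conf)) if j != i and conf[i][1] & conf[j][1]]

RECV = {"q1": "q2", "q3": "q2"}   # reception rules (q, r(a), q')

def step(conf):
    """Apply one enabled rule (first found, scanning left to right)."""
    conf = [list(n) for n in conf]
    for i, (q, _) in enumerate(conf):
        if q == "q1":                      # internal rule (q1, tau, q2)
            conf[i][0] = "q2"
            return [tuple(n) for n in conf]
        if q == "q2":                      # broadcast rule (q2, b(a), q4)
            conf[i][0] = "q4"
            for j in neighbors(conf, i):   # enabled neighbors react
                if conf[j][0] in RECV:
                    conf[j][0] = RECV[conf[j][0]]
            return [tuple(n) for n in conf]
    return None                            # no rule enabled: execution stops

# a connected line topology n1 - n2 - n3 linked through shared group names
conf = [("q1", {"g1"}), ("q3", {"g1", "g2"}), ("q3", {"g2"})]
while True:
    nxt = step(conf)
    if nxt is None:
        break
    conf = nxt
print([q for q, _ in conf])   # -> ['q4', 'q4', 'q4']
```

The run alarms the q1 node, floods the broadcast hop by hop, and terminates with every node of the connected component in q4, as described above.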
3 Decision Problems
In this section we consider decision problems related to verification of safety and liveness properties like those studied for Petri nets [9,10]. We remark that in our formulation the size and the shape of the initial configurations is not fixed a priori. In the following definitions we assume an AHN ⟨P, G⟩ with transition system TS(P, G) = ⟨C, ⇒, C0⟩. The first problem is control state reachability (cover), defined as follows: given a control state q of P, do there exist γ ∈ C0 and γ′ ∈ C such that γ ⇒∗ γ′ and q ∈ σ(γ′)? We recall that a configuration γ is initial if σ(γ) ⊆ Q0. Notice that being initial does not enforce any particular constraint on the topology. Thus, assume that the state q represents an error state for a node of the network. If we can solve cover, then we can decide if there exists a topology of the network and a sufficient number of processes from which we can generate a configuration in which the error is exposed. The second problem is target reachability (target), which we define as follows: given a subset of control states F of P, do there exist γ ∈ C0 and γ′ ∈ C such that γ ⇒∗ γ′ and σ(γ′) ⊆ F? Assume that the subset F represents blocking states for nodes of the network. If we can solve target, then we can decide if there exists a topology of the network and a sufficient number of processes from which we can reach a configuration in which processes can no longer move. Finally, we will also study the repeated control state reachability problem (repeatcover): given a control state q of P, does there exist an infinite execution γ0 ⇒ γ1 ⇒ . . . such that the set {i ∈ N | q ∈ σ(γi)} is infinite? This problem is a classical extension of the cover problem that can be used, for instance, to verify whether a protocol is able to react to the occurrence of errors by reaching a state from which errors do not occur any longer. Assume that q represents the error state.
If we can solve repeatcover, then we can decide if there exists a topology of the network and a suﬃcient number of processes that can generate a computation including inﬁnitely many error states.
[Figure omitted: the RAO automaton, with states A0, A1, A2, A3 and B0, B1, B2, B3, an error state Err, broadcasts b(req), b(ack), b(ok), and receptions r(req), r(ack), r(ok).]
Fig. 2. The RAO (Req/Ack/Ok) protocol
4 Static Topology
In this section, we will prove that cover, target and repeatcover are all undecidable problems. We first recall that in our decision problems there are no assumptions on the number of nodes and on the communication topology of the initial configurations. Furthermore, the model does not admit dynamic reconfigurations of the topology. Broadcast communication can be used, however, to ensure that a specific protocol succeeds only if the network topology has a certain form. To be more precise, consider the protocol specified by the process Req/Ack/Ok (RAO) of Figure 2, where A0 and B0 are the initial states. The following property then holds.

Proposition 1. Let G be a denumerable set of group names and γ an initial configuration of the AHN ⟨RAO, G⟩. If γ′ is a configuration such that γ ⇒∗ γ′ and such that B3 ∈ σ(γ′), then the graph G(γ′) has the following properties:
– each node n labeled with B3 is adjacent to a unique node labeled with A3 (we denote this node by f(n))¹;
– for each node n labeled with B3, all the nodes adjacent to n or f(n) are labeled with Err (except of course n and f(n)).

Proof. Assume n is a node of γ′ in state B3. Since n has received a message ok to reach B3, it is necessarily adjacent to a node in state A3. No other node adjacent to n can be in state A3. Indeed, if n receives two req messages before sending an ack, then n moves to state Err. Furthermore, if n sends an ack, then all adjacent nodes that are in state A0 (ready to send a req) move to state Err. Rule (A0, r(req), Err) ensures that, in G(γ′), no node labeled Ai is adjacent to a node labeled A3. Rules (B0, r(ack), Err) and (B1, r(ack), Err) ensure that, when n has label B3, its single-hop neighbors cannot have label Bi. Rule (B1, r(ok), Err) ensures that a node different from n but adjacent to f(n) must have a state different from Bi.
Indeed, if such a node is in state B1, then the broadcast ok sent by f(n) sends it to Err, and if such a node moves to B2 by sending ack, then it sends node f(n) to Err before it can reach A3.
¹ Two nodes are adjacent iff there is an edge between them.
Using an extension of the RAO protocol, we can define an AHN which simulates the execution of a deterministic two-counter Minsky machine and reduce the halting problem to cover. A deterministic Minsky machine manipulates two integer variables c1 and c2, which are called counters, and it is composed of a finite set of instructions. Each instruction is either of the form (1) L : ci := ci + 1; goto L′ or (2) L : if ci = 0 then goto L′ else ci := ci − 1; goto L′′, where i ∈ {1, 2} and L, L′, L′′ are labels preceding each instruction. Furthermore, there is a special label LF from which nothing can be done. The halting problem consists then in deciding whether or not the execution that starts from L0 with counters equal to 0 reaches LF. The intuition behind the reduction is as follows. In the first phase we use a variant of the RAO protocol to select a control node and two lists of nodes, with states representing value 0 or 1, used to simulate the content of the counters. The length of each list must be sufficient to represent the maximum value stored in each counter during the simulation. All other nodes in the vicinity of the control node and of the two lists are sent to an error state during the execution of the first phase. In the second phase the control node starts the simulation of the instructions. It operates by querying and changing the state of the nodes in the two lists according to the type of instruction to be executed. In this phase all nodes in the same list behave in the same way. Requests are propagated back and forth along a list by using broadcasts sent by a node to its (unique) single-hop successor/predecessor node. The protocols that define the two phases are fairly complicated; the corresponding automata are described in detail in [4]. From the undecidability of the halting problem for two-counter Minsky machines [18], we obtain the following result.

Theorem 1. cover is an undecidable problem.

Furthermore, we have the following corollary.

Corollary 1.
target and repeatcover are undecidable problems.

Proof. Assume P = ⟨Q, Σ, E, Q0⟩ and let G be a denumerable set of group names and q ∈ Q. To reduce cover to repeatcover we simply add a loop of the form (q, τ, q) to E. To reduce cover to target, we build the process P′ = ⟨Q′, Σ′, E′, Q′0⟩ defined as follows:
– Q′ = Q ∪ {r0, r1, rF} (with Q ∩ {r0, r1, rF} = ∅);
– Σ′ = Σ ∪ {F1, F2} (with Σ ∩ {F1, F2} = ∅);
– E′ = E ∪ {(q, b(F1), rF), (r0, r(F1), r1), (r1, b(F2), rF)} ∪ {(q′, r(F2), rF) | q′ ∈ Q};
– Q′0 = Q0 ∪ {r0}.
Let TS(P, G) = ⟨C, ⇒, C0⟩ and TS(P′, G) = ⟨C′, ⇒′, C′0⟩. It is then easy to see that there exist γ2 ∈ C′0 and γ′2 ∈ C′ such that γ2 ⇒′∗ γ′2 and σ(γ′2) ⊆ {rF} if and only if there exist γ1 ∈ C0 and γ′1 ∈ C such that γ1 ⇒∗ γ′1 and q ∈ σ(γ′1). In fact, in TS(P′, G), after being in the state q a node can broadcast the message F1, which launches a protocol whose goal is to send all the other nodes to the state rF.
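The construction of P′ in the proof above is purely syntactic and can be written down directly. In the Python sketch below, the tuple encoding of processes and the action tags "tau", ("b", m), ("r", m) are our own conventions, not part of the paper's formalism.

```python
# Cover-to-target reduction from the proof of Corollary 1.
# A process is a tuple (Q, Sigma, E, Q0) of sets; rules are triples.

def reduce_cover_to_target(P, q):
    Q, Sigma, E, Q0 = P
    Qp = Q | {"r0", "r1", "rF"}          # Q' = Q plus fresh states r0, r1, rF
    Sigmap = Sigma | {"F1", "F2"}        # Sigma' = Sigma plus fresh messages
    Ep = set(E) | {
        (q, ("b", "F1"), "rF"),          # reaching q triggers the final phase
        ("r0", ("r", "F1"), "r1"),
        ("r1", ("b", "F2"), "rF"),
    } | {(s, ("r", "F2"), "rF") for s in Q}   # every old state is swept to rF
    return (Qp, Sigmap, Ep, Q0 | {"r0"})

# tiny example process: q0 --tau--> q
P = ({"q0", "q"}, {"a"}, {("q0", "tau", "q")}, {"q0"})
Qp, Sigmap, Ep, Q0p = reduce_cover_to_target(P, "q")
```

State q is coverable in P iff, in P′, a configuration with all nodes in rF is reachable, i.e., iff target holds for F = {rF}.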
5 Mobile Topology
In this section we consider a variant of the semantics of AHN obtained by adding spontaneous movement of nodes as in [22]. Node mobility is modeled by nondeterministic updates of the node interfaces. Formally, let ⟨P, G⟩ be an AHN with TS(P, G) = ⟨C, ⇒, C0⟩. The semantics of ⟨P, G⟩ with mobility is given by the transition system TSM(P, G) = ⟨C, ⇒M, C0⟩ where the transition relation ⇒M is defined as follows.

Definition 4 (Transition Relation with Mobility). For γ, γ′ ∈ C with γ = ⟨n1, . . . , nk⟩ and γ′ = ⟨n′1, . . . , n′k⟩, we have γ ⇒M γ′ iff one of the following conditions holds:
– γ ⇒ γ′ (no movement);
– there exists i ∈ [1..k] such that σ(n′i) = σ(ni) (state does not change), ι(n′i) ⊆ G (interface changes in an arbitrary way), and for all j ∈ [1..k] \ {i}, n′j = nj (all other nodes remain unchanged) (movement).

We prove next that cover, repeatcover and target are decidable for AHN with mobility. Intuitively, this follows from the observation that the topology of the network changes in an unpredictable and uncontrollable manner. Hence, every broadcast message sent by a node is received by a nondeterministically chosen set of nodes, namely those in the transmission range of the emitter at the time the message is sent. Formally, we reduce cover, target and repeatcover respectively to the marking coverability, marking reachability and repeated marking coverability problems for Petri nets, which are known to be decidable [9,10]. A Petri net (see e.g. [9]) is a tuple N = (S, T, m0), where S and T are finite sets of places and transitions, respectively. A finite multiset over the set S of places is called a marking, and m0 is the initial marking. Given a marking m and a place p, we say that the place p contains m(p) tokens in the marking m if there are m(p) occurrences of p in the multiset m. A transition is a pair of markings written in the form m′ → m′′. The marking m of a Petri net can be modified by means of transition firing: a transition m′ → m′′ can fire at m if m(p) ≥ m′(p) for every place p ∈ S; upon transition firing the new marking of the net becomes n = (m \ m′) ⊎ m′′, where \ and ⊎ are the difference and union operators for multisets, respectively. This is written as m → n. We use →∗ [resp. →+] to denote the reflexive and transitive closure [resp. the transitive closure] of →. We say that m′ is reachable from m if m →∗ m′. The coverability problem for marking m consists of checking whether m0 →∗ m′ with m′(p) ≥ m(p) for every place p ∈ S. The reachability problem for marking m consists of checking whether m0 →∗ m. Finally, the repeated coverability problem for marking m consists of checking whether there exists an infinite execution m0 →+ m1 →+ m2 →+ . . . such that for all i ∈ N, mi(p) ≥ m(p) for every place p ∈ S. The coverability, reachability and repeated coverability problems are decidable for Petri nets [9,10]. We now show how to build a Petri net which simulates the behavior of an AHN with mobility. Figure 3 gives an example of a Petri net associated to a process. In the Petri net, each control state q has a corresponding place q, and
[Figure omitted: places for the control states q, transient places qb and qr, and places start, ok, and m↑.]
Fig. 3. A Petri net which simulates an AHN with mobility
each node ⟨q, I⟩ of the network is represented by a token in the place q. The interfaces of nodes (thus also the network topology) are abstracted away in the Petri net. In the first phase, the net nondeterministically puts tokens in the places corresponding to the initial control states of the process. Then it produces a token in the place ok and the simulation begins. The broadcast communication is modeled by a broadcast protocol whose effect is to deliver the emitted message to a nondeterministically chosen set of potential receivers. More precisely, the broadcast protocol can be started by a token in a place q such that (q, b(m), q′) ∈ E; then the token is moved to a transient place qb and a token is produced in the place m↑. During the execution of the protocol, every token in a place r such that (r, r(m), r′) ∈ E can receive the message, moving to a transient place rr. The protocol ends when the token in the transient place qb moves to the place q′. The tokens in the transient places rr can move to the corresponding places r′ only when no broadcast protocol is running (when a broadcast protocol is running, there is no token in the place ok). This broadcast protocol does not faithfully reproduce the broadcast as formalized in the AHN model: in fact, in the Petri net there is no guarantee that the tokens in the transient places rr move to the corresponding places r′ at the end of the execution of the protocol. A token that remains in those transient places (thus losing the possibility to interact with the other tokens in the Petri net) corresponds to a node in the AHN model that disconnects, due to mobility, from the other nodes in the system. Testing whether there is an execution in the AHN with mobility which ends in a configuration where one of the nodes is in the control state q can be done by testing whether the marking {q, ok} can be covered in the associated Petri net. Hence:

Theorem 2.
There exists a reduction from the cover problem for AHN with mobility to the marking coverability problem for Petri nets. Using the same construction, we also obtain:
Theorem 3. There exists a reduction from the repeatcover problem for AHN with mobility to the marking repeated coverability problem for Petri nets. In order to reduce target to marking reachability we need to extend the Petri net associated to an AHN, adding a ﬁnal stage in the computation, dedicated to the elimination of tokens from the places corresponding to the ﬁnal states in F . Intuitively we add a transition of the form {ok} → {end} and for each q ∈ F we add a transition {end, q} → {end} and we then test if the marking where all the places are empty except the place end is reachable. Theorem 4. There exists a reduction from the target problem for AHN with mobility to the marking reachability problem for Petri nets. From these three last theorems and from the fact that the marking coverability, marking repeated coverability and marking reachability problems are decidable for Petri nets, we ﬁnally deduce: Corollary 2. cover, repeatcover and target are decidable for AHN with mobility.
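To fix intuitions about the target formalism, here is a toy multiset Petri net in Python (Counter-based; all names are ours). The coverable function is only a naive, bounded forward search for illustration on tiny nets — the actual decision procedures for coverability and reachability [9,10] are considerably more sophisticated and work on infinite state spaces.

```python
from collections import Counter

# A transition is a pair of markings (pre, post), as in Section 5.

def enabled(m, pre):
    return all(m[p] >= k for p, k in pre.items())

def fire(m, pre, post):
    n = Counter(m)
    n.subtract(pre)      # remove the pre-marking...
    n.update(post)       # ...and add the post-marking
    return +n            # unary + drops zero-count entries

def coverable(m0, transitions, target, bound=10_000):
    """Naive bounded search: can some reachable marking cover `target`?"""
    seen, frontier = set(), [m0]
    while frontier and bound:
        bound -= 1
        m = frontier.pop()
        if all(m[p] >= k for p, k in target.items()):
            return True
        key = frozenset(m.items())
        if key in seen:
            continue
        seen.add(key)
        for pre, post in transitions:
            if enabled(m, pre):
                frontier.append(fire(m, pre, post))
    return False

m0 = Counter(q0=2)
ts = [(Counter(q0=1), Counter(q1=1))]       # move a token from q0 to q1
print(coverable(m0, ts, Counter(q1=2)))     # True: fire the transition twice
```

In the reduction of Theorem 2, the target marking would be {q, ok}: one token in the control-state place q while the ok place witnesses that no broadcast protocol is pending.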
6 Static Bounded Path Topology
Let us go back to the AHN model with static topology. The possibility for a message to pass through an unbounded number of new nodes is a key feature in the proof of Theorem 1 (undecidability of cover for static topology). For this reason, it seems natural to study cover, target and repeatcover for a restricted class of configurations in which, for a fixed K, a message can pass through at most K different nodes. Formally, given an AHN ⟨P, G⟩ with TS(P, G) = ⟨C, ⇒, C0⟩, our class of restricted configurations is defined as follows:

Definition 5. Given an integer K ≥ 1, a configuration γ is a K-bounded path configuration if the longest simple path in the associated graph G(γ) has length at most K. We denote by CK the set of K-bounded path configurations.

The semantics of the AHN ⟨P, G⟩ restricted to K-bounded path configurations is given by the transition system TSK(P, G) = ⟨CK, ⇒K, C0K⟩ where the transition relation ⇒K is the restriction of ⇒ to CK × CK and C0K = C0 ∩ CK. For fixed K, the class of K-bounded path configurations contains an infinite set of graphs. To give some examples, stars with a center node and any number of satellite nodes always have 3-bounded paths, whereas cliques of arbitrary size may have paths of unbounded length.

6.1 Decidability of cover
In order to study cover restricted to bounded path conﬁgurations, we ﬁrst introduce some deﬁnitions and prove auxiliary properties. First of all, we give the deﬁnition of the induced subgraph relation.
Parameterized Veriﬁcation of Ad Hoc Networks
[Figure omitted: graphs G1, G2 and G3 over node labels a, b, c, d, illustrating cases (a) and (b) discussed below.]
Fig. 4. Examples of the induced subgraph relation
Definition 6. For configurations γ1 and γ2, we define γ1 ⊑is γ2 if there exists a label-preserving injection h from nodes of G1 = G(γ1) to nodes of G2 = G(γ2) such that (n, n′) is an edge in G1 if and only if (h(n), h(n′)) is an edge in G2, i.e., G1 is isomorphic to an induced subgraph of G2.

Notice that the induced subgraph relation is stronger than the subgraph relation. The subgraph ordering requires only a homomorphic embedding of G1 into G2. To illustrate, in Fig. 4 (a) G1 is isomorphic to an induced subgraph of G2, hence G1 ⊑is G2. In (b) G3 is obtained from G1 by removing the edge from node a to node c. The induced subgraph of G2 with nodes a, b, c is no longer isomorphic to G3, hence we do not have G3 ⊑is G2. Notice, however, that G3 is still a subgraph of G2. The following lemma then holds.

Lemma 1. Given K ≥ 1, (CK, ⊑is) is a well-quasi ordering (shortly wqo), i.e., for every infinite sequence of K-bounded path configurations γ1 γ2 . . . there exist i < j s.t. γi ⊑is γj.

Proof. It immediately follows from Ding's Theorem (Theorem 2.2 in [5]).

Given a subset S ⊆ CK we define S↑ = {γ′ ∈ CK | γ ∈ S and γ ⊑is γ′}, i.e., S↑ is the set of configurations generated by those in S via ⊑is. A set S ⊆ CK is an upward closed set w.r.t. (CK, ⊑is) if S↑ = S. Since (CK, ⊑is) is a wqo, we obtain that every set of configurations that is upward closed w.r.t. (CK, ⊑is) has a finite basis, i.e., it can be finitely represented by a finite number of K-bounded path configurations. We can exploit this property to define a decision procedure for cover. For this purpose, we apply the methodology proposed in [1]. The first property we need to prove is that the transition relation induced by our model is compatible with ⊑is.

Lemma 2 (Monotonicity). For every γ1, γ2, γ′1 ∈ CK such that γ1 ⇒K γ2 and γ1 ⊑is γ′1, there exists γ′2 ∈ CK such that γ′1 ⇒K γ′2 and γ2 ⊑is γ′2.

Proof. For lack of space, we focus here on the application of a broadcast rule with label b(a).
Assume that the rule is applied to a node n adjacent in G(γ1) to the nodes N = {n1, . . . , nk}. Assume that the subset N′ of N contains the nodes that are enabled by message a. By applying the operational semantics, the state of n and the states of the nodes in N′ are updated simultaneously. Assume now that G(γ1) is isomorphic to an induced subgraph of G(γ′1) via the injection h. Then,
h(n) is adjacent to the set of nodes h(N) (there cannot be more connections since h(G(γ1)) is an induced subgraph of G(γ′1)). Thus, the same rule is enabled in h(n) and in h(N′) and yields the same effect on the labels. Thus, we obtain γ′2 such that G(γ2) ⊑is G(γ′2).

Monotonicity ensures that if S is an upward closed set of configurations (w.r.t. (CK, ⊑is)), then the set of predecessors of S according to ⇒K, defined as preK(S) = {γ | γ ⇒K γ′ and γ′ ∈ S}, is still upward closed. We now show that we can effectively compute a finite representation of S ∪ preK(S).

Lemma 3. Given a finite basis B of an upward closed set S ⊆ CK, there exists an algorithm to compute a finite basis B′ of S ∪ preK(S) s.t. S ∪ preK(S) = B′↑.

Proof. We focus on the backward application of a broadcast rule (q, b(a), q′) to a configuration in the upward closure of B. The computation of the set B↑ ∪ preK(B↑), where preK(B↑) = {γ | γ ⇒K γ′ and γ′ ∈ B↑}, is done according to the following steps. Initially, we set B′ := B. Then, for each γ ∈ B:
1. For each vertex n labeled with q′ in the graph G(γ), let N be the set of nodes adjacent to n; we then apply the following rule:
– If there exists a node in N with state r such that (r, r(a), r′) is a rule in the model, then we add no predecessor to B′ (because every node in N in state r must react to the broadcast);
– otherwise, for any subset N′ = {n1, . . . , nk} of nodes in N such that ni has state r′i and (ri, r(a), r′i) is a rule in the model, we build a predecessor configuration γ′ in which the label of n is updated to q and the label of ni is updated to ri for i ∈ {1, . . . , k}, and if there is no γ′′ in B′ such that γ′′ ⊑is γ′, we add γ′ to B′. (Note that we have to select all possible subsets N′ of N because we must consider the cases in which nodes connected to n are already in the target state of some reception rule.)
2. Let Γ be the set of configurations γ′ in CK obtained by adding a node n′ in state q′ to γ such that, in G(γ′), n′ is adjacent to at least one node (i.e., in Γ we have all the configurations obtained by adding a connected node to γ and which are still K-bounded path configurations). We then apply the preceding rule 1 to each configuration in Γ, considering the added node n′ labeled with q′.
We can now state the main theorem of this section.

Theorem 5. For K ≥ 1, cover is decidable for AHN restricted to K-bounded path configurations.

Proof. From Lemmas 1, 2, and 3 it follows that the transition system induced by any AHN is well structured with respect to (CK, ⊑is). The theorem then follows from the general properties of well structured transition systems [1,2,12]. The decision algorithm is based on a symbolic backward exploration of the state space that, starting from a graph with a single node denoting the target state, saturates the set of symbolic predecessors computed using the operator described
[Figure omitted: a star with center q0 and satellite nodes in states one1, one2 and zero1, connected through groups g1–g6.]
Fig. 5. Configuration ⟨q0, c1 = 3, c2 = 2⟩ for c1 ∈ [0, 4] and c2 ∈ [0, 2]
in Lemma 3. Termination is ensured by the wqo property of the induced subgraph relation over K-bounded path configurations.
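On small instances, the relation ⊑is of Definition 6 can be checked by brute force, enumerating label-preserving injections. The Python sketch below (our own graph encoding: a list of labels plus a set of undirected edges) reproduces the two cases of Fig. 4; the exhaustive search is exponential and only meant to make the definition concrete.

```python
from itertools import permutations

# g = (labels, edges): vertex i carries labels[i]; edges are frozensets {u, v}.
def induced_subgraph(g1, g2):
    """Is G1 isomorphic to an induced subgraph of G2 (Definition 6)?"""
    lab1, e1 = g1
    lab2, e2 = g2
    n1, n2 = len(lab1), len(lab2)
    for img in permutations(range(n2), n1):            # candidate injections h
        if any(lab1[u] != lab2[img[u]] for u in range(n1)):
            continue                                   # h must preserve labels
        if all((frozenset((u, v)) in e1) == (frozenset((img[u], img[v])) in e2)
               for u in range(n1) for v in range(u + 1, n1)):
            return True                                # edge iff edge: induced
    return False

# Fig. 4: G1 has edges a-b, a-c; G2 adds d with edge c-d; G3 drops a-c from G1.
G1 = (["a", "b", "c"], {frozenset((0, 1)), frozenset((0, 2))})
G2 = (["a", "b", "c", "d"],
      {frozenset((0, 1)), frozenset((0, 2)), frozenset((2, 3))})
G3 = (["a", "b", "c"], {frozenset((0, 1))})
```

Here induced_subgraph(G1, G2) holds, while induced_subgraph(G3, G2) fails even though G3 is a plain subgraph of G2, matching the discussion after Definition 6.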
6.2 Undecidability of target and repeatcover
In order to show that target is undecidable for K-bounded path configurations, we show how to model a Minsky machine in such a way that the machine terminates if and only if the corresponding AHN has a computation (restricted to K-bounded path configurations) that reaches a configuration in which all nodes are in some specific final state. For this purpose, we design a protocol that succeeds only on star topologies in which the center node represents the current control state and the satellite nodes the units of the two counters. Such units are initially in the zeroi state (with i ∈ {1, 2}). The number of satellite nodes needed to guess the maximal values reached by the counters during the computation is nondeterministically chosen in a preliminary part of the simulation. Only runs that initially guess a sufficient number of satellite nodes can successfully terminate the simulation. A satellite node moves from the zeroi to the onei state when the ith counter is incremented, and a single node moves from the onei back to the zeroi state when the counter is decremented. For instance, the star in Figure 5 represents a configuration with control state q0 and counters c1 = 3 (with maximal value equal to 4), and c2 = 2 (with maximal value equal to 2). The simulation of instructions with zero-test is a more difficult task. The problem is that it is not possible to check the absence of neighbors with state onei. Nevertheless, it is possible to ensure that no node is in the state onei after a test for zero is executed. It is sufficient to use broadcast communication to move all the satellite nodes in the onei state to a special sink state. If the simulation terminates exposing the final control state and no node is in the sink state (i.e., a configuration is reached in which all the nodes are in the final control state, in the zeroi, or the onei state), we can conclude that the simulated computation is correct, thus also the corresponding Minsky machine terminates.
Note that the number of satellite nodes is not fixed a priori. However, the graphs have bounded paths (the construction works for paths of length 3), so we can conclude what follows:

Theorem 6. target is undecidable for AHN restricted to K-bounded path configurations (with K ≥ 3).
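For concreteness, the machines being simulated in this section can be described by a few lines of Python (the instruction encoding below is our own; the actual AHN protocols realizing the simulation are in [4] and sketched above):

```python
# A two-counter Minsky machine interpreter (our own encoding): a program maps
# labels to ("inc", i, L') or ("test", i, L_zero, L_dec), as in Section 4.

def run(prog, start="L0", fuel=10_000):
    c = [0, 0]
    L = start
    while L in prog and fuel:       # LF has no instruction, so the loop stops
        fuel -= 1
        op = prog[L]
        if op[0] == "inc":
            _, i, L = op
            c[i] += 1
        else:                       # zero-test with decrement
            _, i, Lz, Ld = op
            if c[i] == 0:
                L = Lz
            else:
                c[i] -= 1
                L = Ld
    return L, tuple(c)

prog = {
    "L0": ("inc", 0, "L1"),
    "L1": ("inc", 0, "L2"),
    "L2": ("test", 0, "LF", "L2"),  # drain c1, then jump to LF
}
print(run(prog))   # -> ('LF', (0, 0))
```

In the AHN encoding, each "inc" flips a satellite from zeroi to onei, each successful decrement flips one back, and a zero-test sweeps any remaining onei satellites to the sink state, which is what makes wrong tests detectable.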
As a corollary we now prove the undecidability of repeatcover. We need to slightly modify the way we model Minsky machines. The idea is to repeatedly simulate the computation of the Minsky machine, in such a way that the final control state can be exposed infinitely often if and only if the simulated Minsky machine terminates. Every simulation phase simulates only a finite number of steps of the Minsky machine, and if the final control state is reached then a new simulation phase is started. This is achieved by including in the initial star topology also satellite nodes in the free state, and ensuring that every simulated action moves one of those nodes to the done state. In this way, a simulation cannot perform more steps than the number of free nodes in the initial star topology. If the final control state is reached, a new simulation is started by moving all the nodes from the done to the free state, all the nodes from the onei to the zeroi state, and by restarting from the initial control state. Notice that nodes reaching the sink state (due to a wrong execution of a test for zero action) are no longer used in the computation. For this reason, as every time a wrong test for zero is executed some node moves into the sink state, we are sure that only finitely many wrong actions can occur. Hence, if the final control state is exposed infinitely often, we have that only finitely many simulation phases could be wrong, while infinitely many are correct. As all simulation phases reach the final control state (necessary to start the subsequent phase), we have that the corresponding Minsky machine terminates. Hence, we have the following corollary of Theorem 6:

Corollary 3. repeatcover is undecidable for AHN restricted to K-bounded path configurations (with K ≥ 3).
7 Conclusions
In this paper we have studied different types of verification problems for a formal model of Ad Hoc Networks in which communication is achieved via a selective type of broadcast. Perhaps surprisingly, a model with static topology turns out to be more difficult to analyze than a model with spontaneous node movement. A similar dichotomy appears in the verification of perfect and lossy channel systems. Studying the expressiveness of other variations of the semantics, modeling for instance conflicts, noise and lossiness, is an interesting research direction for future work.

Acknowledgments. The authors would like to thank Prof. Barbara Koenig for having pointed out to us the connection with bounded-depth processes, and Prof. Guoli Ding for useful insights into the theory of graph orderings.
References

1. Abdulla, P.A., Čerāns, K., Jonsson, B., Tsay, Y.-K.: General decidability theorems for infinite-state systems. In: LICS 1996, pp. 313–321 (1996)
2. Abdulla, P.A., Čerāns, K., Jonsson, B., Tsay, Y.-K.: Algorithmic analysis of programs with well quasi-ordered domains. Inf. Comput. 160(1-2), 109–127 (2000)
3. Abdulla, P.A., Jonsson, B.: Verifying programs with unreliable channels. Inf. Comput. 127(2), 91–101 (1996)
4. Delzanno, G., Sangnier, A., Zavattaro, G.: Parameterized verification of Ad Hoc Networks (extended version). DISI-TR-10-01 (June 2010), http://www.disi.unige.it/index.php?research/techrep
5. Ding, G.: Subgraphs and well quasi ordering. J. of Graph Theory 16(5), 489–502 (1992)
6. Emerson, E.A., Namjoshi, K.S.: On model checking for non-deterministic infinite-state systems. In: LICS 1998, pp. 70–80 (1998)
7. Ene, C., Muntean, T.: A broadcast-based calculus for communicating systems. In: IPDPS 2001, p. 149 (2001)
8. Esparza, J., Finkel, A., Mayr, R.: On the verification of Broadcast Protocols. In: LICS 1999, pp. 352–359 (1999)
9. Esparza, J., Nielsen, M.: Decidability issues for Petri nets - a survey. Bulletin of the EATCS 52, 245–262 (1994)
10. Esparza, J.: Some applications of Petri Nets to the analysis of parameterised systems. Talk at WISP 2003 (2003)
11. Fehnker, A., van Hoesel, L., Mader, A.: Modelling and verification of the LMAC protocol for wireless sensor networks. In: Davies, J., Gibbons, J. (eds.) IFM 2007. LNCS, vol. 4591, pp. 253–272. Springer, Heidelberg (2007)
12. Finkel, A., Schnoebelen, P.: Well-structured transition systems everywhere! TCS 256(1-2), 63–92 (2001)
13. Godskesen, J.C.: A calculus for Mobile Ad Hoc Networks. In: Murphy, A.L., Vitek, J. (eds.) COORDINATION 2007. LNCS, vol. 4467, pp. 132–150. Springer, Heidelberg (2007)
14. Merro, M.: An observational theory for Mobile Ad Hoc Networks. Inf. Comput. 207(2), 194–208 (2009)
15. Meyer, R.: On boundedness in depth in the pi-calculus. In: IFIP TCS 2008, pp. 477–489 (2008)
16. Mezzetti, N., Sangiorgi, D.: Towards a calculus for wireless systems. ENTCS 158, 331–353 (2006)
17. Milner, R.: Communicating and mobile systems: the pi-calculus. Cambridge Univ. Press, Cambridge (1999)
18. Minsky, M.: Computation: finite and infinite machines. Prentice-Hall, Englewood Cliffs (1967)
19. Prasad, K.V.S.: A Calculus of Broadcasting Systems. Sci. of Comp. Prog. 25(2-3), 285–327 (1995)
20. Saksena, M., Wibling, O., Jonsson, B.: Graph grammar modeling and verification of Ad Hoc Routing Protocols. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 18–32. Springer, Heidelberg (2008)
21. Singh, A., Ramakrishnan, C.R., Smolka, S.A.: A process calculus for Mobile Ad Hoc Networks. In: Lea, D., Zavattaro, G. (eds.) COORDINATION 2008. LNCS, vol. 5052, pp. 296–314. Springer, Heidelberg (2008)
22. Singh, A., Ramakrishnan, C.R., Smolka, S.A.: Query-based model checking of Ad Hoc Network Protocols. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 603–661. Springer, Heidelberg (2009)
23. Wies, T., Zufferey, D., Henzinger, T.A.: Forward analysis of depth-bounded processes. In: Ong, L. (ed.) FOSSACS 2010. LNCS, vol. 6014, pp. 94–108. Springer, Heidelberg (2010)
Termination in Impure Concurrent Languages

Romain Demangeon¹, Daniel Hirschkoff¹, and Davide Sangiorgi²

¹ ENS Lyon, Université de Lyon, CNRS, INRIA, France
² INRIA/Università di Bologna, Italy
Abstract. An impure language is one that combines functional and imperative constructs. We propose a method for ensuring termination of impure concurrent languages that makes it possible to combine term rewriting measure-based techniques with traditional approaches for termination in functional languages such as logical relations. The method can be made parametric on the termination technique employed on the functional part; it can also be iterated. We illustrate the method in the case of a π-calculus with both functional and imperative names, and show that, with respect to previous approaches to termination, it allows us to extend considerably the set of processes that can be handled. The method can also be applied to sequential languages, e.g., λ-calculi with references.
1 Introduction
In this paper, an impure language is one that combines functional and imperative constructs; for instance, a λcalculus with references, or a πcalculus with functional names. The πcalculus is naturally imperative. A πcalculus name may however be considered functional if it oﬀers a service immutable over time and always available. Special laws, such as copying and parallelisation laws, are only valid for functional names. As a consequence, the distinction between functional and imperative names is often made in applications. Examples are intermediate target languages of compilers of programming languages based on πcalculus, such as Pict [PT00], in which the peculiarities of functional names are exploited in code optimisations. In the πcalculus language in this paper, the distinction between functional and imperative names is made directly in the syntax. The functional names are introduced with a dedicated construct akin to the ‘letrec’ of functional languages. The other names — the ’ordinary’ πcalculus names — are called imperative. Correspondingly, a process is functional or imperative if it uses only functional or only imperative names. The subject of this paper is termination in impure concurrent languages. There are powerful techniques that ensure termination in purely functional languages, notably realisability and logical relations, that exploit an assignment of types to terms. Attempts at transporting logical relations onto concurrent languages have had limited success. In the πcalculus, the sets of processes which P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 328–342, 2010. c SpringerVerlag Berlin Heidelberg 2010
Termination in Impure Concurrent Languages
329
have been proved to be terminating with logical relations [YBH04, San06] are mainly "functional": they include the standard encodings of the λ-calculus into the π-calculus, but fail to capture common patterns of usage of imperative names. The other kind of technique for termination proposed for concurrent languages such as the π-calculus uses ideas from term-rewriting systems, with a well-founded measure that decreases as the computation proceeds [DS06]. Such measure techniques are suitable for handling imperative languages and, correspondingly, imperative processes in the π-calculus. In contrast, the techniques can handle only a limited class of functions, or functional processes. In languages richer than (the analogue of) simply-typed λ-calculi, for instance, measure-based proofs may be impossible (e.g., no measure argument representable in second-order arithmetic could prove termination of the polymorphic λ-calculus, as this would amount to proving the consistency of the arithmetic; termination can however be proved with logical relations).

In this paper we propose a method for the termination of concurrent languages that combines the measure-based techniques of imperative languages and the logical relation techniques of functional languages. The method can be made parametric on the functional sublanguage and its termination proof. We illustrate the combination of the two kinds of techniques on their simplest instance, in which the types used in logical relations are those of a simply-typed calculus, and the measure needed in the term-rewriting technique strictly decreases at every imperative computation step.

We explain the basic idea of the method. We first extend the imperative measure to the functional constructs, but without the ambition of ensuring termination: the control on the measure performed on functional constructs is looser than the one performed on the imperative ones.
Therefore, while the overall measure of a term decreases along imperative reductions (i.e., steps stemming from imperative constructs), the measure may increase along the functional ones. Indeed the measure assignment also captures divergent terms. However, termination holds if the purely functional sublanguage is terminating. The termination of this sublanguage can be established separately. The soundness proof of the method proceeds by contradiction. The crux is to prune a divergence of an impure term into a divergence of a purely functional term.

The termination condition for the functional subcalculus (the simply-typed system) can be combined with the measure assignment. The result is a type system that refines the simply-typed one by attaching a measure to each type. The final termination result can therefore be stated as a well-typedness condition in this type system. The method subsumes both component techniques, in the sense that the resulting terminating terms include those that can be proved terminating with logical relations or measures alone. For instance, a simply-typed purely functional term is accepted because no measure-based constraint is generated.

In the soundness proof of the method we never have to manipulate logical relations (which are used to establish termination for the functional sublanguage). We indeed take the functional sublanguage and its termination proof as a black
330
R. Demangeon, D. Hirschkoﬀ, and D. Sangiorgi
box that we insert into our soundness proof. We can therefore generalise the method and make it parametric with respect to the functional core and the termination technique employed on it. The method can also be iterated, that is, applied more than once (in this case all iterations but the last one are applied to a purely functional language, a subset of which is treated using measures, another subset with other means). Further, we show that the method can be enhanced by building it on top of more sophisticated measure-based techniques. The method can also be applied to impure sequential languages, e.g., λ-calculi with references. While the schema of the method is the same, the technical details, in particular the key step of pruning and the definition of stratification, are quite different, and will be presented elsewhere (the interested reader is referred to [DHS10b]). For lack of space, we mostly give only proof sketches of important results. Details and additional material can be found in [DHS10a].
2 An Impure π-Calculus
The π-calculus, in its standard presentation, is imperative: the service offered by a name (its input end) may change over time; it may even disappear. There may however be names whose input end occurs only once, is replicated, and is immediately available. This guarantees that all messages sent along the name will be consumed, and that the continuation applied to each such message is always the same. In the literature these names are called functional, and are identified either by the syntax, or by a type system. The remaining names are called imperative.

In the π-calculus we use, functional names are introduced using a def construct, akin to a "letrec" (as said above, we could as well have distinguished them using types). We use a, b for imperative names, f, g for functional names, x, y, c to range over both categories, and v, w for values; a value can be a name or ⋆ (unit). In examples, later, the grammar for values may be richer (integers, tuples, etc.); such additions are straightforward but would make the notations heavier.

(Processes)  P ::= P1 | P2  ∣  0  ∣  c̄⟨v⟩.P  ∣  def f = (x).P1 in P2  ∣  (νa) P  ∣  c(x).P  ∣  !c(x).P
(Values)     v ::= a  ∣  f  ∣  ⋆

Here c̄⟨v⟩.P is an output and | is parallel composition. We sometimes use the CCS notation (a.P, c̄.P, def f = P1 in P2, . . . ) for inputs and outputs that carry the unit value ⋆; we omit trailing occurrences of 0 under a prefix. We write fn(P) for the set of free names of P (the binding constructs are restriction, input and def, the latter binding both the functional channel, f in the grammar above, and the received name x). An input-unguarded output in P is an output prefix that occurs (i) neither under an input in P, (ii) nor, for any subterm of P of the form def f = (x).P1 in P2, in the P1 subterm.
(call)   capt(E2) ∩ fn((x).P) = ∅
         ─────────────────────────────────────────────────────────────────────
         E1[def f = (x).P in E2[f̄⟨v⟩.Q]] −→ E1[def f = (x).P in E2[P{v/x} | Q]]

(trig)   E[ā⟨v⟩.Q | !a(x).P] −→ E[Q | P{v/x} | !a(x).P]

(comm)   E[ā⟨v⟩.Q | a(x).P] −→ E[Q | P{v/x}]

(cong)   P ≡ Q    Q −→ Q′    Q′ ≡ P′
         ───────────────────────────
                   P −→ P′

Fig. 1. Reduction for πST
We call πST the simply-typed version of this calculus (the discipline of simple types in π is standard; it is intrinsically contained in the type system we present in Section 3). Typing in particular ensures that the subject c of inputs c(x).P and !c(x).P is always an imperative name. Evaluation contexts are given by the following grammar:

E ::= [ ]  ∣  E | P  ∣  (νa) E  ∣  def f = (x).P in E

We write E[P] for the process obtained by replacing the hole [ ] in E with P, and capt(E) stands for the captured names of E, that is, the names which are bound at the occurrence of the hole in E. Structural congruence between processes, written ≡, is defined as the least congruence that is an equivalence relation, includes α-equivalence, satisfies the laws of an abelian monoid for | (with 0 as neutral element), and satisfies the following two extrusion laws:

P | (νa) Q ≡ (νa) (P | Q)                                  if a ∉ fn(P)
P | def f = (x).Q1 in Q2 ≡ def f = (x).Q1 in (P | Q2)      if f ∉ fn(P).

(Rules for replication or for swapping consecutive restrictions or definitions are not needed in ≡.) We extend ≡ to evaluation contexts. Figure 1 presents the rules defining the reduction relation on πST processes, written −→. P{v/x} stands for the result of the (capture-avoiding) substitution of v for x in P. In rule (call), we impose that the intrusion of P{v/x} into the context E2 avoids name capture. A reduction is imperative (resp. functional) when it is derived using a communication along an imperative (resp. functional) name. A process P0 diverges (or is divergent) if there is an infinite sequence of processes {Pi}i≥0 such that, for all i ≥ 0, Pi −→ Pi+1. Then P terminates (or is terminating) if P is not divergent; similarly, a set of processes is terminating if all its elements are.
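As a small illustration (ours, not part of the paper), the syntax above can be transcribed into an abstract syntax, here sketched in Python with processes as nested tuples; names are strings, the unit value ⋆ is represented by None, and fn follows the binding conventions just described (restriction, input, and def are the binders).

```python
# Process terms as nested tuples (a sketch of the grammar of Section 2):
#   ('nil',)                      0
#   ('par', P, Q)                 P | Q
#   ('out', c, v, P)              c<v>.P   (output; v is a name or None for unit)
#   ('in', a, x, P)               a(x).P
#   ('rep', a, x, P)              !a(x).P
#   ('nu', a, P)                  (nu a) P
#   ('def', f, x, P1, P2)         def f = (x).P1 in P2
NIL = ('nil',)

def fn(t):
    """Free names of a process term."""
    tag = t[0]
    if tag == 'nil':
        return set()
    if tag == 'par':
        return fn(t[1]) | fn(t[2])
    if tag == 'out':                       # subject and (name) value are free
        _, c, v, p = t
        return {c} | ({v} if v is not None else set()) | fn(p)
    if tag in ('in', 'rep'):               # x is bound in the continuation
        _, a, x, p = t
        return {a} | (fn(p) - {x})
    if tag == 'nu':                        # a is bound
        _, a, p = t
        return fn(p) - {a}
    if tag == 'def':                       # f is bound in both P1 and P2, x in P1
        _, f, x, p1, p2 = t
        return ((fn(p1) - {x}) | fn(p2)) - {f}
    raise ValueError(tag)

# def f = (x).c<x> in f<a> : c and a are free, f and x are bound
P = ('def', 'f', 'x', ('out', 'c', 'x', NIL), ('out', 'f', 'a', NIL))
```

This representation is reused in the sketches below; it is only a convenience for experimenting, not the formal calculus.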
Subcalculi. πdef is the subcalculus with only functional names (i.e., without the productions in the second line of the grammar for processes: restriction, linear and replicated inputs), and πimp is the purely imperative one (i.e., without the def construct). Termination constraints and logical relation proofs for λ-calculi can be adapted to πdef. In the simply-typed case, the only additional constraint is that definitions def f = P in Q cannot be recursive (f is not used in the body P). We call π¹def the language obtained in this way. It is rather easy to show that π¹def is included in the languages studied in [YBH04, San06], which gives:

Theorem 1. π¹def is terminating.

Various terminating sublanguages of πimp have been defined in the literature. One of the simplest ones, in [DS06], ensures termination by a straightforward measure-decreasing argument. Roughly, an integer, called a level, is attached to each name; then one requires that in any input a(x).P, the level of each input-unguarded output in P is smaller than the level of a; in other words, the output at a consumed to activate P must be heavier than any output which is released. Thus the overall measure of a process (computed on the multiset of all its input-unguarded outputs) decreases at every reduction. The measure assignment is formalised as a type system to ensure invariance under reduction. We call π¹imp this terminating language, derived by adapting to πimp the simplest type system from [DS06] (this type system is hardwired into the system we present in Section 3).
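To make the measure argument concrete, here is a small Python sketch (our own illustration, using nested tuples ('par', P, Q), ('out', subject, value, cont), ('in'/'rep', subject, var, cont), ('nu', name, cont) for processes): it collects the input-unguarded outputs of a term, computes the multiset of their levels, and checks the π¹imp constraint. The example replays one reduction step ā⟨v⟩ | !a(x).b̄⟨x⟩ −→ b̄⟨v⟩ | !a(x).b̄⟨x⟩ and shows the measure decreasing.

```python
NIL = ('nil',)

def unguarded_outs(t):
    """Subjects of input-unguarded outputs: outputs not under any input prefix."""
    tag = t[0]
    if tag == 'nil':
        return []
    if tag == 'par':
        return unguarded_outs(t[1]) + unguarded_outs(t[2])
    if tag == 'out':
        return [t[1]] + unguarded_outs(t[3])
    if tag in ('in', 'rep'):
        return []                  # everything under an input is guarded
    if tag == 'nu':
        return unguarded_outs(t[2])
    raise ValueError(tag)

def measure(t, level):
    """Multiset of levels of input-unguarded outputs, as a descending-sorted
    list; for natural-number levels, lexicographic comparison of these lists
    agrees with the multiset ordering."""
    return sorted((level[c] for c in unguarded_outs(t)), reverse=True)

def check_imp(t, level):
    """pi1imp constraint: in every (replicated) input a(x).P, each
    input-unguarded output of P is at a level strictly below that of a."""
    tag = t[0]
    if tag in ('in', 'rep'):
        a, p = t[1], t[3]
        return all(level[b] < level[a] for b in unguarded_outs(p)) and check_imp(p, level)
    if tag == 'par':
        return check_imp(t[1], level) and check_imp(t[2], level)
    if tag == 'out':
        return check_imp(t[3], level)
    if tag == 'nu':
        return check_imp(t[2], level)
    return True

lvl = {'a': 2, 'b': 1}
P = ('par', ('out', 'a', 'v', NIL), ('rep', 'a', 'x', ('out', 'b', 'x', NIL)))
Q = ('par', ('out', 'b', 'v', NIL), ('rep', 'a', 'x', ('out', 'b', 'x', NIL)))  # after one step
```

Under the level assignment lvl, P is accepted and its measure [2] strictly dominates the measure [1] of its reduct Q, as the well-foundedness argument requires.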
3 Types for Termination in πST
In this section we define a type system for termination that combines the constraints of the imperative π¹imp with those of the functional π¹def.

First note that a straightforward merge of the two languages can break termination. This is illustrated in

def f = ā in (!a.f̄ | ā),

where a recursion on the name a is fed via a recursion through the functional definition of f. The process is divergent, yet the constraints in π¹def and π¹imp are respected (the process is simply-typed, has no recursive definition, and the imperative input !a.f̄ is well-typed as the level of a can be greater than the level of f).

Termination is guaranteed if the measure constraint imposed on imperative names is extended to the functional ones, viewing a def as an input. This extension would however be too naive: it would indeed affect the class of functional processes accepted, which would be rather limited (not containing for instance the calculus π¹def and the process images of the simply-typed λ-calculus). In the solution we propose, we do impose measures onto the functional names, but the constraints on them are more relaxed. This way, π¹def is captured. The drawback is that the measure alone no longer guarantees termination. However, it does if the purely functional sublanguage (in our case π¹def) is terminating.
(Nil)   Γ ⊢ 0 : 0

(Res)   Γ ⊢ P : l
        ──────────────
        Γ ⊢ (νa) P : l

(Par)   Γ ⊢ P1 : l1    Γ ⊢ P2 : l2
        ──────────────────────────
        Γ ⊢ P1 | P2 : max(l1, l2)

(Out)   Γ ⊢ c : k• T    Γ ⊢ w : T    Γ ⊢ P : l
        ──────────────────────────────────────
        Γ ⊢ c̄⟨w⟩.P : max(k, l)

(In)    Γ ⊢ a : kI T    Γ ⊢ P : l    Γ ⊢ x : T    k > l
        ───────────────────────────────────────────────
        Γ ⊢ a(x).P : 0

(Rep)   Γ ⊢ a : kI T    Γ ⊢ P : l    Γ ⊢ x : T    k > l
        ───────────────────────────────────────────────
        Γ ⊢ !a(x).P : 0

(Def)   Γ ⊢ f : kF T    Γ ⊢ x : T    Γ ⊢ P1 : l1    k ≥ l1    f ∉ fn(P1)    Γ ⊢ P2 : l
        ───────────────────────────────────────────────────────────────────────────────
        Γ ⊢ def f = (x).P1 in P2 : l

Fig. 2. Typing Rules for π¹ST
The whole set of constraints is formalised as a refinement of the simply-typed system in which a level is attached to types. To ease the proofs, the system is presented à la Church: every name has a predefined type. Thus a typing Γ is a total function from names to types, with the proviso that every type is inhabited by an infinite number of names. We write Γ(x) = T to mean that x has type T in Γ. Types are given by:

T ::= kF T  ∣  kI T  ∣  unit.

Type kF T is assigned to functional names that carry values of type T; similarly for kI T and imperative names. In both cases, k is a natural number called the level. We write k• T when the functional/imperative tag is not important. The typing judgement for processes is of the form Γ ⊢ P : l, where l is the level (or weight) of P. It is defined by the rules of Figure 2; on values, Γ ⊢ v : T holds if either Γ(v) = T, or v = ⋆ and T = unit.

We comment on the definition of the type system. Informally, the level of a process P indicates the maximum level of an input-unguarded output in P. Condition k > l in rules (In) and (Rep) implements the measure constraint for π¹imp discussed in Section 2. In rule (Def) the constraint is looser: the outputs released can be as heavy as the one being consumed (condition k ≥ l). In other words, we just check that functional reductions do not cause violations of the stratification imposed on the imperative inputs (which would happen if a functional output underneath an imperative input a could cause the release of imperative outputs heavier than a, as in the example at the beginning of this section). In the same rule (Def), the constraint f ∉ fn(P1) is inherited from π¹def, and forbids recursive calls in functional definitions. We call π¹ST the set of well-typed processes. Our type system subsumes the existing ones, and satisfies the subject reduction property:

Lemma 2. We have π¹def ⊆ π¹ST and π¹imp ⊆ π¹ST.
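The level constraints of Figure 2 can be turned into a small checker. The following Python sketch (ours, not from the paper) computes the level of a process under a fixed Γ, represented as a map from names to ('F'/'I', level) pairs, and raises an error when a side condition fails. It rejects the divergent process def f = ā in (!a.f̄ | ā) under every level assignment tried, and accepts a variant in which the recursion through f is cut.

```python
def fn(t):  # free names; binders are restriction, input variables, and def
    tag = t[0]
    if tag == 'nil': return set()
    if tag == 'par': return fn(t[1]) | fn(t[2])
    if tag == 'out': return {t[1]} | ({t[2]} if t[2] else set()) | fn(t[3])
    if tag in ('in', 'rep'): return {t[1]} | (fn(t[3]) - {t[2]})
    if tag == 'nu': return fn(t[2]) - {t[1]}
    if tag == 'def': return ((fn(t[3]) - {t[2]}) | fn(t[4])) - {t[1]}

def lvl(t, env):
    """Level of t per Figure 2; env: name -> ('F'/'I', k). Raises TypeError."""
    tag = t[0]
    if tag == 'nil':
        return 0                                  # (Nil)
    if tag == 'par':
        return max(lvl(t[1], env), lvl(t[2], env))  # (Par)
    if tag == 'nu':
        return lvl(t[2], env)                     # (Res)
    if tag == 'out':                              # (Out): max(k, l)
        k = env[t[1]][1]
        return max(k, lvl(t[3], env))
    if tag in ('in', 'rep'):                      # (In)/(Rep): k > l, result 0
        io, k = env[t[1]]
        if io != 'I' or not k > lvl(t[3], env):
            raise TypeError('imperative input needs k > l')
        return 0
    if tag == 'def':                              # (Def): k >= l1, no recursion
        f, _, p1, p2 = t[1], t[2], t[3], t[4]
        io, k = env[f]
        if io != 'F' or not k >= lvl(p1, env) or f in fn(p1):
            raise TypeError('def needs k >= l1 and f not free in P1')
        return lvl(p2, env)

def typable(t, env):
    try:
        lvl(t, env)
        return True
    except TypeError:
        return False

NIL = ('nil',)
# divergent:  def f = a<> in (!a().f<> | a<>)  -- no level choice works
D = ('def', 'f', None, ('out', 'a', None, NIL),
     ('par', ('rep', 'a', None, ('out', 'f', None, NIL)), ('out', 'a', None, NIL)))
# safe:  def f = (x).c<x> in (!a(y).f<y> | a<v>)
G = ('def', 'f', 'x', ('out', 'c', 'x', NIL),
     ('par', ('rep', 'a', 'y', ('out', 'f', 'y', NIL)), ('out', 'a', 'v', NIL)))
```

On D, the two constraints k_f ≥ k_a (rule (Def)) and k_a > k_f (rule (Rep)) are jointly unsatisfiable, mirroring the discussion above.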
Proposition 3. If Γ ⊢ P : l and P −→ P′ then Γ ⊢ P′ : l′ for some l′.

The termination proof for π¹imp uses the property that at every reduction the multiset measure of a process (the multiset of the levels of input-unguarded outputs in the process) decreases. In π¹ST, this only holds for imperative reductions: along functional reductions the overall weight may actually increase. It would probably be hard to establish termination of π¹ST by relying only on measure arguments.

Inferring termination. In view of the results in [DHKS07], we believe that a type inference procedure running in polynomial time can be defined for the type system of Figure 2. This is possible as long as typability (and hence termination) can be inferred in polynomial time for the core calculus (here, π¹def). The situation is less clear if we work in an impure π-calculus without a syntactic distinction (via the def construct) between imperative and functional names, replicated inputs being used both for functional definitions and imperative inputs.
4 Termination Proof
In the proof, we take a well-typed π¹ST process, assume that it is divergent, and then derive a contradiction. Using a pruning function (Definition 4) and a related simulation result (Lemma 7), we transform the given divergence into one for a functional process in π¹def. This yields a contradiction, as π¹def is terminating (Theorem 1).

Thus the definition of pruning is central in our proof. Intuitively, pruning computes the functional backbone of a process P, by getting rid of imperative outputs and replacing imperative inputs (replicated or not) in P with the simplest possible functional term, namely 0. However, to establish simulation, we would need reduction to commute with pruning (possibly replacing reduction with a form of "semantic equality" after commutation). This however does not hold, at least using a simple definition of pruning: take for instance P0 ≝ !a.f̄ | ā −→ P1 ≝ !a.f̄ | f̄; the pruning of P0 would be 0 whereas that of P1 would be f̄, and the latter processes cannot be related in a natural way.

We therefore have to be more precise, and make pruning parametric on a level p that occurs infinitely often in the reductions of the given divergent computation (cf. Lemma 8; the level of a reduction is the level of the name along which the reduction occurs). Further, we define p as the maximal level that occurs infinitely often in the divergent computation (Lemma 8). Thus, at the cost of possibly removing an initial segment of the computation, we can assume the absence of reductions at levels greater than p. Indeed the actual pruning computes the functional backbone at level p of a process: we remove all imperative constructs, and the functional constructs (def and outputs) acting on functional names whose level is smaller than p. Typing ensures us that, in doing so, no functional constructs at level p that participate in the infinite computation are
prᵖΓ(0) ≝ 0          prᵖΓ(a(x).P) ≝ prᵖΓ(!a(x).P) ≝ 0

prᵖΓ(P1 | P2) ≝ prᵖΓ(P1) | prᵖΓ(P2)          prᵖΓ((νa) P) ≝ (νa) prᵖΓ(P)

prᵖΓ(ā⟨v⟩.P) ≝ prᵖΓ(P)

prᵖΓ(def fⁿ = (x).P1 in P2) ≝ def f = (x).prᵖΓ(P1) in prᵖΓ(P2)   if n = p
                               prᵖΓ(P2)                            otherwise

prᵖΓ(f̄ⁿ⟨v⟩.P) ≝ f̄⟨v⟩.prᵖΓ(P)   if n = p
                 prᵖΓ(P)         otherwise

Fig. 3. Pruning in π¹ST
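A direct transcription of Figure 3 (our own sketch; env maps names to ('F'/'I', level) pairs and p is the pruning level) confirms on the processes P0 = !a.f̄ | ā and P1 = !a.f̄ | f̄ from the beginning of this section that both are pruned to the same (inactive) term when the level of f is smaller than p.

```python
NIL = ('nil',)

def prune(t, env, p):
    """pr^p_Gamma of Figure 3 (sketch); processes are nested tuples."""
    tag = t[0]
    if tag == 'nil':
        return NIL
    if tag in ('in', 'rep'):              # imperative inputs are erased
        return NIL
    if tag == 'par':
        return ('par', prune(t[1], env, p), prune(t[2], env, p))
    if tag == 'nu':
        return ('nu', t[1], prune(t[2], env, p))
    if tag == 'out':
        io, n = env[t[1]]
        if io == 'F' and n == p:          # keep functional outputs at level p
            return ('out', t[1], t[2], prune(t[3], env, p))
        return prune(t[3], env, p)        # drop the prefix otherwise
    if tag == 'def':
        _, n = env[t[1]]
        if n == p:
            return ('def', t[1], t[2], prune(t[3], env, p), prune(t[4], env, p))
        return prune(t[4], env, p)

env = {'a': ('I', 2), 'f': ('F', 1)}
P0 = ('par', ('rep', 'a', None, ('out', 'f', None, NIL)), ('out', 'a', None, NIL))
P1 = ('par', ('rep', 'a', None, ('out', 'f', None, NIL)), ('out', 'f', None, NIL))
```

With p = 2 both processes collapse to 0 | 0, matching the remark that the prunings of the two sides of the reduction coincide; with p = 1 a functional output on f is preserved.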
removed. Therefore, the functional reductions at level p in the original divergent computation are preserved by the pruning, while the other kinds of reductions have no semantic consequence on pruning (in the sense that processes before and after the reduction are pruned onto semantically equal terms). We thus derive an infinite computation in π¹def, which is impossible as π¹def is terminating.

We can remark in passing that in the example given above, P0 is pruned to 0, and so is P1: indeed, the level of a is less than or equal to p (otherwise we would not examine a reduction of P0), so that f's level is strictly smaller than p, which entails, by Definition 4 below, that the output on f disappears when pruning P1: in this case, the prunings of the terms involved in the reduction are equal.

Pruning and its properties. The definition and properties of the pruning function are parametric upon a level p (which will be fixed in Lemma 8 below) and a typing Γ.

Definition 4 (Pruning). The pruning of P w.r.t. p and Γ, written prᵖΓ(P), is defined by induction on P as in Figure 3, where a (resp. fⁿ) is a name whose type in Γ is imperative (resp. functional with level n).

We write PR(Γ) for the typing context of the simply-typed π-calculus obtained from Γ by removing all level information from the types, and ⊢π_PR(Γ) Q for the typing judgements in the simply-typed π-calculus. We rely on these notations to state the following lemma:

Lemma 5. Suppose Γ ⊢ P : l. Then, for any p, ⊢π_PR(Γ) prᵖΓ(P).

We write ≃ for strong barbed congruence, defined in the usual way [SW01]. ≃ is needed in the statement of the next two lemmas; we essentially use that ≃ preserves divergences and is closed under static contexts. The following technical lemma establishes that in certain cases, the pruning of the continuation of an input is inactive, up to ≃, and can thus be removed. This property is useful to derive the key simulation result involving pruning (Lemma 7).
Lemma 6 (Pruning – inactivity).
– If Γ ⊢ def f = (x).P1 in P2 : n, with Γ(f) = nF T and n < p, then for any v s.t. Γ(v) = T, prᵖΓ(P1){v/x} ≃ 0.
– If Γ ⊢ !a(x).P1 : n, with Γ(a) = nI T and n ≤ p, then for any v s.t. Γ(v) = T, prᵖΓ(P1){v/x} ≃ 0.
– If Γ ⊢ a(x).P1 : n, with Γ(a) = nI T and n ≤ p, then for any v s.t. Γ(v) = T, prᵖΓ(P1){v/x} ≃ 0.

Note that these properties are not immediate: for instance, in a(x).P, the continuation P may contain top-level definitions at level p, that are not removed by pruning. We write P −→nI P′ (resp. P −→nF P′) if P has a reduction to P′ in which the interacting name is imperative (resp. functional) and its level is n.

Lemma 7 (Simulation). Suppose Γ ⊢ P : l.
1. If P −→pF P′, then prᵖΓ(P) −→ prᵖΓ(P′);
2. If P −→nF P′ with n < p, then prᵖΓ(P) ≃ prᵖΓ(P′);
3. If P −→nI P′ with n ≤ p, then prᵖΓ(P) ≃ prᵖΓ(P′).

A delicate aspect of the proof of Lemma 7 is that if, for instance, !a(x).P is involved in a reduction, an instantiated copy of P is unleashed at top level; we rely on Lemma 6 to get rid of it (modulo ≃).
Proof (sketch). By absurd, let {Pi }i≥0 be an infinite computation starting from a π 1ST process P0 such that Γ P0 : l for some Γ and l. By Proposition 3, all the Pi ’s are welltyped. By Lemma 8 there is a maximal p s.t. for infinitely many i, Pi −→pF Pi+1 . Moreover, still by Lemma 8, we can suppose w.l.o.g. that no reduction occurs at a level greater than p.
Whenever Pi −→pF Pi+1, we obtain by Lemma 7 that prᵖΓ(Pi) −→ prᵖΓ(Pi+1). Lemma 7 also tells us that when Pi reduces to Pi+1 via a reduction that is not a functional reduction at level p, we have prᵖΓ(Pi) ≃ prᵖΓ(Pi+1). This allows us to construct an infinite computation in π¹def (by Lemma 5), which is impossible (Theorem 1).
5 Parametrisation on the Core Calculus
In this and the following sections we discuss how the method exposed above can be enhanced and enriched. In Section 4, we assume a termination proof for (a subset of) the core functional πdef from which the impure terms are built, but we never look into the details of such a proof. As a consequence, the method can be made parametric. Let F be the chosen terminating functional core, and L the impure π-calculus language that we want to prove terminating. There are three requirements on L:
1. processes in L are well-typed in the type system of Figure 2, but without the constraint f ∉ fn(P1) of rule (Def) (that represented a specific constraint coming from π¹def);
2. L is reduction closed (i.e., P ∈ L and P −→ P′ imply P′ ∈ L);
3. the pruning of a process in L (as given by Definition 4) returns a process in F.

Theorem 10. If F and L satisfy (1–3) above, then L is terminating.

It may be possible to formulate constraints for condition (3) as typing constraints to be added to the type system used in condition (1), as we actually did in Section 3, where F is π¹def and L is π¹ST. An example of a functional core that could be chosen in place of π¹def is πᵖʳdef, the π-calculus image of the primitive-recursive functions. Its termination is enforced by a control of recursion; the constraint on a construct def f = (x).P in Q is that for any input-unguarded output c̄⟨v⟩ in P: (i) either the level of f is higher than that of c, or (ii) the two names have the same level and carry a first-order argument (e.g., a natural number) that decreases in value (v < x). Even when the termination of the functional core can be proved using measures, as is actually the case for πᵖʳdef, the parametrisation on this core offered by the method can be useful, because the measures employed in the proofs for the functional core and for the whole language can be different; see the example Sys2′ discussed at the end of Section 6.

Iterating the method.
Our method could also be applied to a purely functional calculus in which names are partitioned into two sets, and the measure technique guarantees termination only for the reductions along names that belong to one of the sets. An example is π¹⁺ᵖʳdef, the calculus combining π¹def and πᵖʳdef; thus, in any construct def f = (x).P1 in P2, either f is not used in P1, or all outputs in P1 at the same level as f emit values provably smaller than x. (We think that a natural encoding of System T [GLT88] in the π-calculus would not be typable in π¹⁺ᵖʳdef.)

The method can be applied iteratively. For instance, having used it to establish termination for the functional calculus π¹⁺ᵖʳdef, as suggested above, we can then take π¹⁺ᵖʳdef as the functional core of a new application of the method. This iteration could for instance add imperative names. In [DHS10a], we use an iteration of the method to prove the termination of an example that combines the two examples presented in Section 6.
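The recursion control of πᵖʳdef (also used inside π¹⁺ᵖʳdef) can be sketched as a simple check. In the following Python illustration (ours, not from the paper) we abstract the "provably smaller" condition on first-order arguments into an integer delta recorded for each output in a definition body; for instance, a recursive call s̄⟨n − 1, r, f⟩ inside the definition of s gives delta −1.

```python
def check_prim_rec(defs, level):
    """pi^pr_def-style constraint (sketch): every output c occurring in the
    body of a definition f must be at a strictly smaller level than f, or at
    the same level with a strictly decreasing first-order argument.
    defs: f -> list of (c, delta) pairs, where delta is the change applied
    to the first-order argument of the call (delta < 0 means 'smaller')."""
    return all(level[c] < level[f] or (level[c] == level[f] and delta < 0)
               for f, outs in defs.items() for c, delta in outs)
```

For instance, the recursive server s of Sys2 (whose body re-emits s̄⟨n − 1, r, f⟩) passes at level(s) = 2; a forwarder s′ re-emitting s̄⟨n, r, f⟩ fails when s′ and s share a level, and passes once s′ sits strictly above s, matching the discussion of Sys2′ at the end of Section 6.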
6 Examples
This section shows examples of the kind of systems whose termination can be proved with the method exposed in the earlier sections. These systems make use of both imperative and functional names. The systems cannot be handled by previous measure-based techniques, which are too weak on functional names, or by logical relation techniques, which are too weak on imperative names. Our method offers the capability of combining techniques for both kinds of names, which is essential. The examples use polyadicity, and first-order values such as integers and related constructs (including arithmetic constructs, and if-then-else statements). These extensions are straightforward to accommodate in the theory presented earlier. A longer example is given in [DHS10a].

An encryption server. In this example, several clients ci are organised into a chain. Clients are willing to communicate; however, direct communications between them are considered unsafe. Instead, each client must use a secured channel s to contact a server that is in charge of encrypting and sending the information to the desired client. Hence the messages travel through the ci's in order to be finally emitted on d. A client ci, receiving a message, has to perform some local imperative atomic computations. For readability, we condense this part into the acquire and release actions of a local lock named locki. Several messages can travel along the chain concurrently, and may overtake each other; the example is stated with n initial messages (they are all sent to c1 but could have been directed to other clients).
Sys1 ≝ (νlock1, .., lockk) ( lock̄1 | .. | lock̄k
        | def s = (c, x).c̄⟨enc[c, x]⟩ in
          def c1 = C1 in . . . def ck−1 = Ck−1 in def ck = Ck in
          (s̄⟨c1, msg1⟩ | . . . | s̄⟨c1, msgn⟩) )

where Ci (1 ≤ i < k) and Ck are:

Ci ≝ (yi).locki.(lock̄i | s̄⟨ci+1, deci[yi]⟩)
Ck ≝ (yk).lockk.(lock̄k | d̄⟨deck[yk]⟩)
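The termination argument for the chain can be mimicked by a toy simulation (our illustration; it ignores locks and encryption): each message carries its position in the chain, positions only increase, and every scheduling order delivers all n messages on d in exactly n·k steps.

```python
import random

def run_chain(k, msgs, seed=0):
    """Each pending message sits at some client position i (1..k); a step
    forwards it to client i+1 (via the server), or emits it on d when it
    reaches position k.  Steps are picked in an arbitrary (seeded) order;
    since positions only grow along a finite chain, every run terminates."""
    rng = random.Random(seed)
    pending = [(1, m) for m in msgs]
    delivered, steps = [], 0
    while pending:
        i, m = pending.pop(rng.randrange(len(pending)))
        steps += 1
        if i == k:
            delivered.append(m)       # Ck emits the message on d
        else:
            pending.append((i + 1, m))
    return sorted(delivered), steps
```

The well-founded structure of the chain (any well-founded structure would do, as noted below) is what makes the step count bounded regardless of interleaving.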
and enc, dec are operators for encryption and decryption, with equalities deci[enc[ci, m]] = m for all i. The way the ci's are organised (here a chain, but any well-founded structure could have been used) ensures that the interactions taking place among the server and the clients do not lead to divergent behaviours: this is guaranteed by showing that the system is terminating.

In the typing, all the ci's must have the same type, because they all appear as the first component of messages on s. We can typecheck Sys1 using the system of Section 3 (where the core functional language is π¹def); if b is the type for the encrypted/decrypted data, then we assign 1F b for the ci's, 1F (1F b × b) for s, and 1I unit for the locki's. The loose assignment of levels to functional names (the possibility k = l in rule (Def) of Section 3) is essential for the typing: an output on ci can follow an input on s on the server's side, and conversely on the clients' side; ci and s must therefore have the same level.

A movie-on-demand server. In this second example, the server s is a movie database, and handles requests to watch a given movie (in streaming) a given number of times. By sending the triple ⟨15, r′, tintin⟩ on s, the client pays for the possibility to watch the movie tintin 15 times; r′ (r in the server's definition) is the return channel, carrying the URL (h) where the movie will be made available once. Two loops are running along the execution of the protocol. On the server's side, a recursive call is generated with n − 1, after consumption of one access right. On the client's side, process !c.r′(z).(c̄ | z) keeps interrogating the server: the client tries to watch the movie as many times as possible.
Sys2 ≝ def s = (n, r, f ).
           (  if f = tintin then (νh) (r̄⟨h⟩.h̄)
            | if f = asterix then . . .
            | ···
            | if n > 0 then s̄⟨n − 1, r, f⟩ )
        in (νr′) s̄⟨15, r′, tintin⟩ | (νc) (c̄ | !c.r′(z).(c̄ | z))

Here again, we rely on typing to guarantee that this system, where a server is able to call itself recursively, does not exhibit divergences. Sys2 uses both functional names (e.g., s) and imperative names (e.g., r′). Its termination is proved by appealing to the primitive recursive language πᵖʳdef as core functional calculus. In the typing, channel c is given level 1, and s, r′ level 2 (this allows us to typecheck the recursive output on c). To understand the typing of functional names, it may also be useful to consider the variant Sys2′ in which the following definition of a server s′ is inserted between the definition of s and the body (νr′) . . . :

def s′ = (n, r, f ).s̄⟨n, r, f⟩ in ..
Here, s′ models an old address where the server, now at s, used to run. Some of the clients might still use s′ instead of s, and s′ hosts a forwarder that redirects their requests to s. We can type Sys2′ thanks to the looser level constraints on functional names, which allow s and s′ to have the same type; the functional core is still πᵖʳdef. Note that a termination proof of the core calculus πᵖʳdef by a simple measure argument is not in contradiction with the observation that similar measures are too weak to type Sys2′: the levels used in the typing of Sys2′ need not be the same as those used in the termination proof of its functional core (the pruning of Sys2′). Indeed in this functional core s′ can be given a level higher than that of s (which is possible because the imperative clients have been pruned, hence, after the pruning, s and s′ need not have the same type).
7 Refinements
Non-replicated imperative inputs. In the type system of Figure 2, non-replicated inputs introduce the same constraint k > l as replicated inputs (rules (In) and (Rep)). This can be annoying, as the inputs that are dangerous for termination are the replicated ones. Simply removing the constraint k > l from rule (In) would however lead to an unsafe system. For instance, we could type the divergent process

def f = (x).(ā⟨x⟩ | x̄) in def g = a(y).f̄⟨y⟩ in f̄⟨g⟩.

This example shows some of the subtle interferences between functional and imperative constructs that may cause divergences. We can improve rule (In) so as to impose the constraint k > l only when the value communicated in the input is functional. Rule (In) is replaced by the following rule, where "T functional" holds if T is of the form k′F T′, for some k′, T′:

(In′)   Γ ⊢ P : l    Γ ⊢ a : kI T    Γ ⊢ x : T
        if T functional then k > l and l′ = 0, otherwise l′ = l
        ──────────────────────────────────────────────────────
        Γ ⊢ a(x).P : l′

Corresponding modifications have to be made in the definition of pruning and related results. The rule could be refined even further, by being more selective on the occurrences of x in P when x is functional. An example of this is discussed in [DHS10a], to be able to treat name c in the process Sys2, from Section 6, as functional. (It is also possible to avoid communications of functional names along imperative names, by simple program transformations whereby communication of a functional name is replaced by communication of an imperative name that acts as a forwarder towards the functional name.)

A benefit of these refinements is the ability to accept processes a(x).P where a is imperative and appears in input-unguarded outputs of P. This typically arises in the modelling of mutable variables in the asynchronous π-calculus (references
can also be modelled as services that accept read and write requests; in this case the above refinements of the input rule are not needed). Another refinement of the measure-based analysis, in which we handle sequences of input prefixes, along the lines of [DS06], is presented in [DHS10a].

Polymorphism. The method can be extended to handle polymorphism [Tur96]. A level on each type should however be maintained, and type abstraction therefore cannot hide levels. A type variable X is hence annotated with a level k, and it should only be instantiated with types whose level is less than or equal to k (assuming that first-order types like integers have level 0).
8 Conclusions
We have described an analysis to guarantee termination of impure languages. Our technique exploits pruning in order to lift a termination proof based on logical relations (for a functional language) to a termination proof for a richer language.

Despite recent progress on impure simply-typed λ-calculi, adapting the realisability/logical-relation technique to non-trivial impure concurrent languages such as the π-calculus remains hard. All our attempts failed, intuitively because, on the one hand, typing naturally arises in the π-calculus on names and less naturally on terms; on the other hand, even adopting forms of behavioural types for π-calculus terms, the main operator for composing processes is parallel composition, and this operator does not isolate computation (in contrast with λ-calculus application, which forces two terms to interact with each other). Using restricted forms of parallel composition in the π-calculus often forbids useful imperative patterns. The extensions of realisability recently studied by Boudol [Bou07] and Amadio [Ama09] for impure λ-calculi can also handle extra features such as threads. However, the threads in these works do not interfere with termination. Most importantly, the underlying language must be the λ-calculus (the technique relies on standard realisability, and the crucial type construct in the proofs is the functional type). It does not seem possible to transport these proofs outside the λ-calculus, e.g., to the π-calculus. In another extension of the realisability technique, Blanqui [Bla04] is able to lift a termination proof based on realisability for the simply-typed λ-calculus to a termination proof for a λ-calculus with higher-order pattern-matching operators, provided a well-founded order exists on the constructors used for pattern-matching. Again, although it is a refinement of the realisability approach for a λ-calculus, the proposed method and the details of the proof are entirely different from ours.
In this paper, we have instead proposed a method in which a standard measure-based technique for imperative languages is made parametric with respect to a terminating functional core language; the termination of the core language is established separately. The method can be further enhanced by refining the initial measure technique. The core language parameter of the
R. Demangeon, D. Hirschkoﬀ, and D. Sangiorgi
method is functional. We do not know how to relax this property, which is needed in the definition of pruning.

Acknowledgements. We wish to thank G. Boudol for fruitful discussions in the initial stages of this work. Support from the French ANR projects "CHoCo" and ANR-08-BLANC-0211-01 "Complice", and from the European Project "HATS" (contract number 231620), is also acknowledged.
References

[Ama09] Amadio, R.: On Stratified Regions. In: Hu, Z. (ed.) APLAS 2009. LNCS, vol. 5904, pp. 210–225. Springer, Heidelberg (2009)
[Bla04] Blanqui, F.: A type-based termination criterion for dependently-typed higher-order rewrite systems. In: van Oostrom, V. (ed.) RTA 2004. LNCS, vol. 3091, pp. 24–39. Springer, Heidelberg (2004)
[Bou07] Boudol, G.: Fair Cooperative Multithreading. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 272–286. Springer, Heidelberg (2007)
[DHKS07] Demangeon, R., Hirschkoff, D., Kobayashi, N., Sangiorgi, D.: On the Complexity of Termination Inference for Processes. In: Barthe, G., Fournet, C. (eds.) TGC 2007. LNCS, vol. 4912, pp. 140–155. Springer, Heidelberg (2008)
[DHS10a] Demangeon, R., Hirschkoff, D., Sangiorgi, D.: Appendix to this paper, proofs (2010), http://www.cs.unibo.it/~sangio/
[DHS10b] Demangeon, R., Hirschkoff, D., Sangiorgi, D.: A Method for Termination in a λ-calculus with References (2010), http://www.cs.unibo.it/~sangio/
[DS06] Deng, Y., Sangiorgi, D.: Ensuring Termination by Typability. Information and Computation 204(7), 1045–1082 (2006)
[GLT88] Girard, J.-Y., Lafont, Y., Taylor, P.: Proofs and Types. Cambridge Tracts in Theoretical Computer Science, vol. 7. Cambridge University Press, Cambridge (1988)
[PT00] Pierce, B.C., Turner, D.N.: Pict: a programming language based on the pi-calculus. In: Proof, Language, and Interaction, pp. 455–494. The MIT Press, Cambridge (2000)
[San06] Sangiorgi, D.: Termination of Processes. Math. Structures in Comput. Sci. 16(1), 1–39 (2006)
[SW01] Sangiorgi, D., Walker, D.: The π-calculus: a Theory of Mobile Processes. Cambridge University Press, Cambridge (2001)
[Tur96] Turner, N.D.: The polymorphic pi-calculus: Theory and Implementation. PhD thesis, Department of Computer Science, University of Edinburgh (1996)
[YBH04] Yoshida, N., Berger, M., Honda, K.: Strong Normalisation in the Pi-Calculus. Information and Computation 191(2), 145–202 (2004)
Buffered Communication Analysis in Distributed Multiparty Sessions

Pierre-Malo Deniélou and Nobuko Yoshida
Department of Computing, Imperial College London
Abstract. Many communication-centred systems today rely on asynchronous messaging among distributed peers to make efficient use of parallel execution and resource access. With such asynchrony, communication buffers may grow without bound over time. This paper proposes a static verification methodology, based on multiparty session types, which can efficiently compute upper bounds on buffer sizes. Our analysis relies on a uniform causality audit of the entire collaboration pattern, an examination that is not always possible from each endpoint type alone. We extend this method to design algorithms that allocate communication channels in order to optimise the memory requirements of session executions. From these analyses, we propose two refinement methods which respect buffer bounds: a global protocol refinement that automatically inserts confirmation messages to guarantee stipulated buffer sizes, and a local protocol refinement to optimise asynchronous messaging without buffer overflow. Finally, our work is applied to overcome a buffer overflow problem in the multi-buffering algorithm.
1 Introduction

Session types for buffer bound analysis. The expensive cost of synchronous communications has led programmers to rely on asynchronous messaging for efficient network interactions. The downside is that non-blocking IO requires buffers that can grow without bound over time, bringing systems to a halt. The analysis and debugging of this phenomenon is mainly done by tedious monitoring of the communicated messages of the whole distributed system. This paper shows that, when a global interaction pattern is explicitly specified as a multiparty session [11,1,15,22], types can provide an effective way to statically verify buffer usage and communication optimisations, automatically guaranteeing safe and deadlock-free runs.

Session types, first introduced in [20,10], can specify communication protocols by describing the sequences and types of reads, writes and choices on a given channel. For example, the type T0 = !⟨nat⟩; !⟨string⟩; ?⟨real⟩; end, in the original binary session type syntax, expresses that a nat-value and a string-value will be sent in that order, then that a real-value is expected as an input, and finally that the protocol ends. We can use session types to calculate upper bounds on the buffer sizes of asynchronous channels (message passing is non-blocking and order-preserving, using FIFO buffers). For example, from type T0, we can compute that the maximum number of messages that might be stored in a communication buffer is two, while a different type
The work is partially supported by EPSRC EP/F003757/01 and EPSRC G015635/01.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 343–357, 2010.
© Springer-Verlag Berlin Heidelberg 2010
T1 = !⟨nat⟩; ?⟨real⟩; !⟨string⟩; end guarantees a maximum size of one, since the dual process engaged with T1 is forced to consume a nat-value before sending the next real-message. This use of session types is informally observed in [7] and formally studied in [8] for binary session types. However, the binary case does not yield a direct extension to multiparty interactions, as explained below.

Buffer bounds analysis in multiparty sessions. We start by illustrating the difficulties of such an analysis on a simple three-party interaction (Example (a) below), where s!⟨V⟩ is an output of V to s, s?(x); P an input at s, and μX.P a recursive agent:

Example (a)
(A) Alice = μX.s1!⟨1⟩; s3?(x); X
(B) Bob = μX.s1?(x); s2!⟨Orange⟩; X
(C) Carol = μX.s2?(x); s3!⟨2.4⟩; X

Example (b) (Alice as in (a))
(B1) Bob1 = μX.s1?(x); X
(C1) Carol1 = μX.s3!⟨2.4⟩; X
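For binary types such as T0 and T1 above, the bound for one direction is simply the longest run of consecutive outputs: an input can only fire once the dual side has consumed all earlier messages. A minimal sketch (Python; the list encoding of `!`/`?` actions is ours, not the paper's notation):

```python
def binary_bound(actions):
    """Max messages pending in one direction's buffer for a binary
    session type, given its actions as '!' (send) and '?' (receive).
    A '?' guarantees the dual side consumed all earlier outputs."""
    bound = run = 0
    for act in actions:
        if act == '!':
            run += 1
            bound = max(bound, run)
        else:  # '?': buffer known empty again
            run = 0
    return bound

# T0 = !<nat>; !<string>; ?<real>; end  ->  bound 2
# T1 = !<nat>; ?<real>; !<string>; end  ->  bound 1
print(binary_bound(['!', '!', '?']), binary_bound(['!', '?', '!']))
```

As the multiparty examples below show, no such purely local reading suffices once more than two participants interact.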
We assume the three buffers of s1, s2 and s3 are initially empty and that values are pushed and read one by one. Assuming session types ensure that accesses to buffers do not create any race condition at any moment of the infinite protocol execution, none of the channels s1, s2, s3 needs to buffer more than one value at any given time. However, if we change Bob and Carol to Bob1 and Carol1 as in Example (b) above, then, while they still interact correctly, the buffers of s1 and s3 need an unbounded size because of the lack of synchronisation between Bob1 and Carol1. The main difficulty of the communication buffer analysis is that, unlike in binary session types, each endpoint type by itself does not provide enough information: for example, Alice's local type Ta = μx.s1!⟨nat⟩; s3?⟨real⟩; x (repeatedly send a nat-value to s1 and receive a real-value from s3) is the same in both Examples (a) and (b), while the needed buffer sizes for s1 and s3 differ (1 in (a) and ∞ in (b)) due to the change in the other parties' behaviours. Our first question is: can we statically and efficiently determine an upper bound on buffer sizes in multiparty interactions? In our case, we take advantage of the existence of a global session type [11,1,15,22] for the analysis:

G = μx. Alice → Bob : s1⟨nat⟩; Bob → Carol : s2⟨string⟩; Carol → Alice : s3⟨real⟩; x
The above type represents the global interaction between Alice, Bob and Carol in (a), where Alice → Bob : s1⟨nat⟩ means that Alice sends a nat-value to Bob through buffer s1. To analyse buffer usage, we consider sessions as graphs and track causal chains for each channel: alternated message production and consumption marks the execution points at which buffers are emptied. This can be observed in Example (a). On the other hand, the global type of Alice, Bob1 and Carol1 in (b) lacks the second interaction Bob → Carol: no message forces Carol to wait for Bob's reception before sending the next message. In that case, each buffer may accumulate an unbounded number of messages.

Channel allocation. Our next problem is about resource allocation. Given a global scenario, can we assign the minimum number of resources (channels) without conflict, so that, for instance, we can efficiently open a minimal number of sockets for a given network interaction? Assume Alice and Carol in (a) wish to communicate one more message after completing three communications, where the new communication happens on a fresh channel s4 (Example (c) below). Can we reuse either s1, s2 or s3 for this new communication? Reusing s1 creates a writing conflict (the order between Alice's
first and third messages would be unspecified) and reusing s3 would create a reading conflict (Carol could read her own message).

Example (c)
(A2) Alice2 = μX.s1!⟨1⟩; s3?(x); s4!⟨x+1⟩; X
(B) Bob = μX.s1?(x); s2!⟨Orange⟩; X
(C2) Carol2 = μX.s2?(x); s3!⟨2.4⟩; s4?(y); X

Example (d) (Bob as in (c))
(A3) Alice3 = μX.s1!⟨1⟩; s3?(x); s2!⟨x+1⟩; X
(C3) Carol3 = μX.s2?(x); s3!⟨2.4⟩; s2?(y); X
The only safe way to reuse a channel in Example (c) is to merge s2 and s4, as in Example (d), in which case communications on the other channels prevent any conflict.

Global refinement for multiparty sessions. The third issue is how to fix a buffer overflow problem by "global refinement", i.e. alteration of the original global protocol so as to satisfy given buffer sizes. Here, our simple approach is the insertion of a minimal number of confirmation messages to enforce synchronisation. In network or business protocols, these can be implemented as system-level signals. Consider the interaction (b) among Alice, Bob1 and Carol1, where each buffer requires an unbounded size. If we wish to enforce a buffer size of at most 2, we can build a new global type G′ where one confirmation message from Bob to Carol is inserted in every second iteration:

G′ = μx. Alice → Bob : s1⟨nat⟩; Carol → Alice : s3⟨real⟩;
         Alice → Bob : s1⟨nat⟩; Bob → Carol : s2⟨string⟩; Carol → Alice : s3⟨real⟩; x
The revised processes following G′ are given as:

Bob4 = μX.s1?(x); s1?(x); s2!⟨Signal⟩; X        Carol4 = μX.s3!⟨2.4⟩; s2?(x); s3!⟨2.4⟩; X
Local refinement for multiparty messaging optimisations. The last issue concerns flexible local refinement (optimisations), based on [15,14]. Assume that, in Example (a), Bob wishes to always start the asynchronous transmission of the string Orange on the buffer s2 without waiting for the delivery of the first nat-value from Alice on s1:

Bob5 = μX.s2!⟨Orange⟩; s1?(x); X        (1.1)
Due to Bob's unilateral implementation change, all three minimal buffer sizes go up from 1 to 2. Moreover, suppose Bob repeatedly applies the same optimisation on his next n messages, as in s2!⟨Orange⟩; s2!⟨Orange⟩; ...; s2!⟨Orange⟩; Bob. While the result is communication-safe (no mismatch in the communication with Carol), all three minimal buffer sizes go up from 1 to n. How can we perform local optimisation without altering buffer sizes in a multiparty session?

Contributions are summarised in the figure below. To the best of our knowledge, our work is the first that guarantees safe buffered multiparty communications for the π-calculus, with communication-safety, progress and flexible refinements. The key contribution is a general causal analysis over graphs constructed from multiparty session types (§3). Due to space limitations, we omit the global refinement. A full version, which includes the global refinement, omitted definitions, examples and proofs, and a prototype for computing the upper bound on the buffer size, is available [5].
346
P.M. Deni´elou and N. Yoshida
[Figure: overview of the methodology. Starting from a stripped global type, channel allocation (§4) produces a global type G; bound computation (§3) yields Bk⟨G⟩, distinguishing bounded and infinite buffers; global refinement [5] produces a refined global type; projection gives local types T1, T2, T3; local refinement (§5) yields refined local types; type checking (§3) relates them to processes P1, P2, P3 with buffer safety.]
1. The overall analysis starts from global types that have no channel annotation. We attribute channels based on memory requirements (§4).
2. From global types, our bound analysis computes the buffer bounds of finite channels and finds the infinite ones (§3).
3. The global refinement method then introduces additional messages to prevent any unboundedness (long version [5]).
4. Once the global type has been projected to local types, local refinement can optimise the distributed execution of the participants' processes (§5).
5. The running optimised processes can then be typed, and enjoy communication, buffer and type safety, as well as progress properties (§3).
6. We apply our work to the multi-buffering algorithm (§5.1).
2 Asynchronous Multiparty Sessions

Syntax. We start from the π-calculus for multiparty sessions from [11], with unbounded and bounded buffers. Base sets and the grammars are given below.

P ::= a[2..n](s̃^m̃).P  |  a[p](s̃).P          request, accept
    | s!⟨ẽ⟩; P  |  s?(x̃); P                  send, receive
    | s!⟨⟨s̃′⟩⟩; P  |  s?((s̃′)); P              session send, receive
    | s ◁ l; P  |  s ▷ {li : Pi}i∈I            selection, branching
    | if e then P else Q                      conditional
    | 0  |  (νa)P  |  (νs̃)P                   inact, hiding
    | P | Q  |  μX.P  |  X                    par, recursion
    | s^n : h̃                                 message buffer

a, b, x, y, ...  shared names        s, t, ...  session channels
l, l′, ...  labels                   X, Y, ...  process variables
m, n, ...  buffer sizes (integers or ∞)
e ::= v  |  e and e  |  ···          expressions
v ::= a  |  true  |  false  |  ···   values
h ::= l  |  ṽ  |  t̃                  message values
a[2..n](s̃^m̃).P initiates, through a shared name a, a new session with the other participants, each of the form a[p](s̃).Q with 2 ≤ p ≤ n. Each si in the vector s̃ is a session channel (bounded by buffer size mi, with 1 ≤ mi ≤ ∞) used in the session. We call p, q, ... (natural numbers) the participants of a session. Session communications (which take place inside an established session) are performed by: the sending and receiving of a value; the session sending and reception (where the former delegates to the latter the capability to participate in a session by passing a channel associated with that session; this is called delegation); and selection and branching (where the former chooses one of the branches offered by the latter). s^n : h̃ is a message buffer of size n, representing the ordered messages in transit h̃ with destination s. It may be considered as a network pipe in a TCP-like transport with fixed bandwidth. The rest of the syntax is standard from [11]. We often omit n from s^n : h̃, as well as trailing 0s and unimportant arguments, e.g. s!⟨⟩ and s?(); P. An initial process does not contain any runtime syntax (buffers and session hiding).
Reductions. A selection of reduction rules is given below.

a[2..n](s̃^ñ).P1 | a[2](s̃).P2 | ··· | a[n](s̃).Pn → (νs̃)(P1 | P2 | ... | Pn | s1^{n1} : ∅ | ... | sm^{nm} : ∅)
s!⟨ẽ⟩; P | s^n : h̃ → P | s^n : h̃·ṽ        (n > |h̃|, ei ↓ vi)
s?(x̃); P | s^n : ṽ·h̃ → P[ṽ/x̃] | s^n : h̃
s!⟨⟨t̃⟩⟩; P | s^n : h̃ → P | s^n : h̃·t̃        (n > |h̃|)
s ◁ l; P | s^n : h̃ → P | s^n : h̃·l         (n > |h̃|)
s?((t̃)); P | s^n : t̃·h̃ → P | s^n : h̃
s ▷ {li : Pi}i∈I | s^n : lj·h̃ → Pj | s^n : h̃        (j ∈ I)
The first rule describes the initiation of a new session among n participants that synchronise over the shared name a. After the initiation, they share m fresh private session channels si and the associated m empty buffers of sizes ni (∅ denotes the empty queue). The output rules for values, sessions and selection respectively enqueue values, sessions and labels if the buffer is not full; ei ↓ vi denotes the evaluation of ei to vi. We define |∅| = 0 and |h̃·h| = |h̃| + 1. The size n = ∞ corresponds to the original asynchronous, unbounded buffered semantics [11]. The input rules perform the complementary operations. Processes are considered modulo a structural equivalence ≡, whose definition is standard (e.g. μX.P ≡ P[μX.P/X]) [11].
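The buffer side of these reductions can be mimicked by a plain FIFO queue whose enqueue operation is guarded by the capacity check n > |h̃|. A minimal sketch (Python; the class and method names are ours, not the paper's):

```python
from collections import deque

class SessionBuffer:
    """FIFO buffer s^n : h~ with capacity n (use float('inf') for the
    original unbounded semantics [11])."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()

    def can_send(self):
        # Side condition n > |h~| of the output rules.
        return self.capacity > len(self.queue)

    def send(self, value):
        # s!<e>; P | s^n:h~  ->  P | s^n:h~.v, enabled only when not full.
        if not self.can_send():
            raise RuntimeError("buffer full: output not enabled")
        self.queue.append(value)

    def receive(self):
        # s?(x); P | s^n:v.h~  ->  P[v/x] | s^n:h~, enabled only when non-empty.
        if not self.queue:
            raise RuntimeError("buffer empty: input not enabled")
        return self.queue.popleft()

b = SessionBuffer(2)
b.send(1)
b.send("Orange")
assert not b.can_send()   # capacity 2 reached: outputs block
assert b.receive() == 1   # FIFO order preserved
```

The point of the static analysis in the next section is precisely to choose capacities so that `send` is never attempted on a full buffer.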
3 Bound Analysis in Multiparty Sessions

This section presents an analysis of causal chains and buffer sizes, and introduces the typing system for the buffer safety property (Corollary 3.9).

3.1 Global Types and Dependencies

Global types. A global type, written G, G′, ..., describes the whole conversation scenario of a multiparty session as a type signature. Our starting syntax is from [11].

G, G′ ::= p → p′ : k⟨U⟩; G′  |  p → p′ : k{lj : Gj}j∈J  |  μx.G  |  x  |  end      (values, branching, recursion, end)
U, U′ ::= S̃  |  T@p                           (value types)
S, S′ ::= bool  |  nat  |  ⟨G⟩                 (sorts: base types, shared-name types)
Type p → p′ : k⟨U⟩; G′ says that participant p sends a message of type U on the channel k (represented as a natural number) so that participant p′ can receive it. The session continues with the interactions described in G′. The value types U, U′ are either a vector of sorts or a located type T@p, representing a local type T assigned to participant p. Located types are used for delegation and defined in §3.3. Sorts S, S′ are either base types or global types for shared names. Type p → p′ : k{lj : Gj}j∈J says that participant p can invoke one of the lj labels on channel k (for participant p′ to read), after which the interactions described in Gj follow. We require p ≠ p′, to prevent self-sent messages. Type μx.G is for recursive protocols, assuming the type variables (x, x′, ...) are guarded in the standard way, i.e. they only occur under values or branchings. We assume that G in value types is closed, i.e. without free type variables. Type end represents session termination (often omitted). k ∈ G means that k appears in G. The functions chans(G) and prins(G) respectively give the number of channels and participants of G.

Sessions as graphs. Global types can be seen (isomorphically) as session graphs, which we define in the following way. First, we annotate in G each syntactic occurrence of
subterms of the form p → p′ : k⟨U⟩; G′ or p → p′ : k{lj : Gj}j∈J with a node name (n1, n2, ...). Then, we inductively define a function nodeG that gives a node nk (or the special node end) for each syntactic subterm of G, as follows:

nodeG(end) = end
nodeG(μx.G′) = nodeG(G′)
nodeG(x) = nodeG(μx.G′)        (if the binder of x is μx.G′ ∈ G)
nodeG(ni : p → p′ : k⟨U⟩; G′) = ni
nodeG(nj : p → p′ : k{lj : Gj}j∈J) = nj
We define G as a session graph in the following way: for each subterm of G of the form n : p → p′ : k⟨U⟩; G′, we have an edge from n to nodeG(G′), and for each subterm of G of the form n : p → p′ : k{lj : Gj}j∈J, we have edges from n to each of the nodeG(Gj) for j ∈ J. We also define the functions pfx(ni) and ch(ni), which respectively give the prefix (p → p′ : k) and channel (k) corresponding to ni. For a global type G, nodeG(G) distinguishes the initial node. size(G) denotes the number of edges of G.

Example 3.1 (Session graph). Our running example extends Example (a) from §1 with branching. Below, we give the global type followed by its graph representation; n1 is the initial node.

μx. Alice → Bob : s1⟨nat⟩;
    Bob → Carol : s2 { l1 : Carol → Alice : s3 {l3 : Alice → Carol : s2⟨string⟩; x},
                       l2 : Carol → Alice : s3 {l4 : end} }
[Graph: nodes n1 : Alice → Bob : s1, n2 : Bob → Carol : s2, n3 : Carol → Alice : s3, n4 : Alice → Carol : s2, n5 : Carol → Alice : s3; edges n1 → n2, n2 → n3 (label l1), n2 → n5 (label l2), n3 → n4 (label l3), n4 → n1, n5 → end (label l4).]
The recursion call yields a cycle in the graph, while branching gives the edges l1 and l2.

The edges of a given session graph G define a successor relation between nodes, written n ≺ n′ (omitting G). Paths in this session graph are referred to by the sequence of nodes they pass through: a path n0 ≺ ... ≺ nn can be written more concisely n0...nn, or ñ when there is no ambiguity. We say that a path n0...nn has suffix ni...nn for 0 < i < n. The empty path is ε. The transitive closure of ≺ is ≺≺.

IO-chains. We detect causality chains in a given G by the relation ≺IO, defined below:

n1 ≺IO n2 if n1 ≺≺ n2 and pfx(n1) = p1 → p : k1 and pfx(n2) = p → p2 : k2, with k1 ≠ k2

The relation ≺IO asserts the order between a reception by a principal and the next message it sends. An input-output dependency (IO-dependency) from n1 to nn is a chain n1 ≺IO ··· ≺IO nn (n ≥ 1).

3.2 Algorithms for Buffer Size Analysis

Unbounded buffers. In some sessions, messages (sent asynchronously) can accumulate without bound in a buffer. A simple test can predict which channels require an unbounded buffer. We use the fact that IO-dependencies characterise the necessity for a channel buffer to be emptied before proceeding. Infinite channels are the ones where such a dependency is missing.
The relation ≺IO asserts the order between a reception by a principal and the next message it sends. An inputoutput dependency (IOdependency) from n1 to nn is a chain n1 ≺IO · · · ≺IO nn (n ≥ 1). 3.2 Algorithms for Buffer Size Analysis Unbounded buffers. In some sessions, messages (sent asynchronously) can accumulate without moderation in a buffer. A simple test can predict which channels require an unbounded buffer. We use the fact that IOdependencies characterise the necessity for a channel buffer to be emptied before proceeding. Infinite channels are the ones where such a dependency is missing.
Buffered Communication Analysis in Distributed Multiparty Sessions
349
Definition 3.2 (infinite and finite). A channel k is said to be finite if, for every node n ∈ G and for every cycle n˜ for ≺ such that ch(n) = k and n ∈ n˜ , there exists a cycle for ≺IO that starts from n and only involves nodes from n˜ . The other channels are infinite. Correspondingly, buffers are said to be bounded or unbounded. Given G, checking for the infinity of k in G can be computed in a time bounded by O(size(G)3 ). The proof relies on the fact that establishing all IOdependencies of a given session has O(size(G)3 ) timecomplexity (assuming the number of participants as a constant). Example 3.3 (Session graph and infinite channels). We illustrate on our running example the previous notions. We add to the picture the IOdependencies (with ⇒). / n2 : Bob → Carol : s2 / n5 : Carol → Alice : s3 n1 : Alice → ,4 ,4 O BobfnV:VsV1 IO VVVV V IO IO V VVVIO VVVV IO lt o n4 : Alice → Carol : s2 end ,4 n3 : Carol → Alice : s3 IO
Since each node of the main cycle n1n2n3n4 is part of one of the IO-cycles n1n2n3 or n3n4, there are no infinite channels in this session.

Counting finite buffer sizes. To compute the bounds on buffer sizes, we first need to define a property on paths that characterises when a buffer has to be emptied.

Definition 3.4 (reset). If ñ = n0...nn n is a path in G, the property Reset(ñ) holds if there exist 0 ≤ i0 < ... < ij ≤ n (j ≥ 1) such that ni0 ≺IO ... ≺IO nij ≺IO n and ch(ni0) = ch(n). One particular instance of the nodes {ni0, ..., nij, n} is called the reset nodes of ñ.

The paths that satisfy the reset property are the ones for which there exists a reception guard for the last node. Now that we know which buffers are infinite and have characterised the resetting paths that control buffer growth, we can describe our algorithm to count the buffer size required by finite channels. For each channel k of a global session type G, we define a function Bk⟨G⟩ that computes the bound on the buffer size of channel k. The key step is to reset the counter when we recognise the appropriate IO-dependencies.
if n = end or n˜ ∈ P if ch(n) = k , k = k if ch(n) = k, Reset(˜nn) if ch(n) = k, ¬Reset(˜nn)
The algorithm explores all the paths of the session graph until they grow to satisfy the reset property. Since we examine only finite channels, the length of such paths is limited and the algorithm terminates. The bound on the buffer size of a channel is the maximum buffer size required over these paths. For each path, the algorithm acts recursively on ˜ n) that records the current size the edges and maintains a counter (m in Bk m,P, n, of the buffer. If the current prefix does not involve the channel k, the size of the buffer is unchanged and the computation continues to the next nodes. If the current prefix
uses the channel k, there are two cases: (a) the reset property holds for the current path, in which case the buffer has been emptied prior to the current message; or (b) the reset property does not hold, and the buffer needs to be able to keep one more value. When there is no further node, or when the path currently examined has already been considered (i.e. it is in P), the algorithm stops. Given a global type G, the upper bound of channel k in G can be computed in polynomial time. Note that the computation can be done for all channels at once.

Example 3.6 (buffer bound analysis). We illustrate the algorithm on our running session example, computing the bound for channel s2 (we omit P for readability):

Bs2⟨0, ε, n1⟩                                                max   explanation
= Bs2⟨0, n1, n2⟩                                              0    s1 ≠ s2
= max(Bs2⟨1, n1n2, n3⟩, Bs2⟨1, n1n2, n5⟩)                     1    ¬Reset(n1n2)
= max(Bs2⟨1, n1n2n3, n4⟩, Bs2⟨1, n1n2n5, end⟩)                1    s3 ≠ s2
= max(Bs2⟨1, n4, n1⟩, 0)                                      1    Reset(n1n2n3n4)
= Bs2⟨1, n4n1, n2⟩                                            1    s1 ≠ s2
= max(Bs2⟨2, n4n1n2, n3⟩, Bs2⟨2, n4n1n2, n5⟩)                 2    ¬Reset(n4n1n2)
= max(Bs2⟨2, n4n1n2n3, n4⟩, Bs2⟨2, n4n1n2n5, end⟩)            2    s3 ≠ s2
= max(Bs2⟨1, n4, n1⟩, 0)                                      2    Reset(n4n1n2n3n4)
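Definition 3.5 transcribes almost literally into code. The sketch below (Python) uses our own encoding of the Example 3.1 graph and our reading of the ≺IO and Reset definitions; it reproduces the bounds computed above:

```python
# Session graph of Example 3.1: node -> (sender, receiver, channel)
NODES = {'n1': ('Alice', 'Bob', 's1'), 'n2': ('Bob', 'Carol', 's2'),
         'n3': ('Carol', 'Alice', 's3'), 'n4': ('Alice', 'Carol', 's2'),
         'n5': ('Carol', 'Alice', 's3')}
SUCC = {'n1': ['n2'], 'n2': ['n3', 'n5'], 'n3': ['n4'],
        'n4': ['n1'], 'n5': ['end']}

REACH = {n: set() for n in NODES}              # transitive closure of <
for n in NODES:
    stack = list(SUCC[n])
    while stack:
        m = stack.pop()
        if m in NODES and m not in REACH[n]:
            REACH[n].add(m)
            stack.extend(SUCC[m])

def ch(n):
    return NODES[n][2]

def io(n1, n2):   # n1 <:IO n2: receiver of n1 sends at n2, different channel
    return (n2 in REACH[n1] and NODES[n1][1] == NODES[n2][0]
            and ch(n1) != ch(n2))

def reset(path, n):
    """Reset(path.n): an IO-chain n_i0 <:IO ... <:IO n_ij <:IO n (j >= 1)
    through nodes of `path` in order, with ch(n_i0) = ch(n)."""
    L = len(path)
    for i0 in range(L):
        if ch(path[i0]) != ch(n):
            continue
        seen, stack = set(), [i0]
        while stack:                           # indices IO-reachable from i0
            i = stack.pop()
            for j in range(i + 1, L):
                if j not in seen and io(path[i], path[j]):
                    seen.add(j)
                    stack.append(j)
        if any(io(path[j], n) for j in seen):  # j >= 1: at least one IO step
            return True
    return False

def bound(k, m=0, P=frozenset(), path=(), n='n1'):
    """Bk<m, P, path, n> of Definition 3.5, with P the visited paths."""
    if n == 'end' or path in P:
        return 0
    P2 = P | {path}
    if ch(n) != k:
        return max(bound(k, m, P2, path + (n,), n2) for n2 in SUCC[n])
    if reset(path, n):
        return max(bound(k, 1, P2, (n,), n2) for n2 in SUCC[n])
    return max([m + 1] + [bound(k, m + 1, P2, path + (n,), n2) for n2 in SUCC[n]])

print(bound('s1'), bound('s2'), bound('s3'))  # 1 2 1, as in Example 3.6
```

The visited-path set P is what guarantees termination once the channel is known to be finite: any path already explored contributes 0 and cuts the recursion.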
The algorithm starts with n1, the root of G. Since n1 uses buffer s1 (different from s2), we continue with the successor n2. It uses s2 and, since the accumulated path n1n2 does not satisfy the reset property, the buffer requirement of s2 is increased to 1. The next nodes, n3 and n5, do not use the channel s2. Since n4 uses s2 and Reset(n1n2n3n4) holds (we have n2 ≺IO n3 ≺IO n4), the buffer has to be emptied before n4: we thus reinitialise the buffer requirement to 1 and the path to just n4. On the other branch, we reach end and stop the computation. The next prefix after n4, namely n1, does not use s2, but its successor n2 does. We thus check the reset property on the path n4n1n2, but it does not hold. The buffer requirement is therefore increased to 2. As previously, n3 and n5 do not use the channel s2, and the accumulated path (in the main branch) becomes n4n1n2n3. The next prefix, n4, uses s2 and Reset(n4n1n2n3n4) holds: we thus set the buffer requirement back to 1 and the path to just n4. However, we explored this exact situation earlier in the computation, and thus stop. The maximum buffer size encountered for s2 is then 2. The same computation for s1 and s3 gives a buffer size of 1.

3.3 Subject Reduction and Buffer Safety

Once a global type G is agreed upon by all parties, a local type Ti for each party's viewpoint is generated as a projection of G, and implemented as a process Pi. If all the resulting local processes P1, ..., Pn can be type-checked against T1, ..., Tn, they are automatically guaranteed to interact properly, without communication mismatch (communication safety) and without getting stuck inside a session (progress) [11]. Here we additionally ensure the absence of buffer overflow, based on the buffer bound analysis of G.

Local types. Local session types type-abstract sessions from each endpoint's view.

T ::= k!⟨U⟩; T  |  k?⟨U⟩; T  |  k ⊕ {li : Ti}i∈I  |  k & {li : Ti}i∈I  |  μx.T  |  x  |  end
Type k!⟨U⟩ expresses the sending to k of a value of type U; type k?⟨U⟩ is its dual. Type k ⊕ {li : Ti}i∈I represents the transmission to k of a label li chosen in the set {li | i ∈ I}, followed by the communications described by Ti; type k & {li : Ti}i∈I is its dual. The remaining type constructors are standard. We say a type is guarded if it is neither a recursive type nor a type variable. The relation between global and local types is formalised by projection, written G ↾ p (called the projection of G onto p) and defined in [11,22]. For example, (p → p′ : k⟨U⟩; G′) ↾ p = k!⟨U⟩; (G′ ↾ p), (p → p′ : k⟨U⟩; G′) ↾ p′ = k?⟨U⟩; (G′ ↾ p′), and (p → p′ : k⟨U⟩; G′) ↾ q = (G′ ↾ q) for q ∉ {p, p′}. We take an equi-recursive view, not distinguishing between μx.T and its unfolding T[μx.T/x].

Linearity. To avoid race conditions and conflicts between typed processes, we build on the definition of linearity from [11]. The relations ≺II and ≺OO are defined by:

n1 ≺II n2 if n1 ≺≺ n2 and pfx(n1) = p1 → p : k1 and pfx(n2) = p2 → p : k2 s.t. p1 = p2 ⇔ k1 = k2
n1 ≺OO n2 if n1 ≺≺ n2 and pfx(n1) = p → p1 : k1 and pfx(n2) = p → p2 : k2 s.t. p1 = p2 ⇒ k1 = k2
The three relations ≺IO, ≺II and ≺OO are used to characterise the authorised sequences of actions. An input dependency (I-dependency) from n1 to n2 is a chain n1 ≺φ1 ··· ≺φn n2 (n ≥ 1) such that φi = IO for 1 ≤ i ≤ n − 1 and φn = II. An output dependency (O-dependency) from n1 to n2 is a chain n1 ≺φ1 ··· ≺φn n2 (n ≥ 1) such that φi ∈ {OO, IO}. These dependency relations are respectively written ≺≺II and ≺≺OO. G is linear (written Lin(G)) if, whenever two nodes n1 ≺≺ n2 use the same channel k, the dependencies n1 ≺≺II n2 and n1 ≺≺OO n2 hold. If G carries other global types, we inductively demand the same. Examples can be found in [11,5]. We call coherent the linear global types whose projections are all defined. Hereafter we only consider coherent types.

Typing initial processes. The type judgements for initial processes are of the form Γ ⊢ P ▷ Δ, which means: "under the environment Γ, process P has typing Δ". Environments are defined by

Γ ::= ∅  |  Γ, u : S  |  Γ, X : Δ        and        Δ ::= ∅  |  Δ, s̃^m̃ : {T@p}p∈I

A sorting (Γ, Γ′, ...) is a finite map from names to sorts and from process variables to sequences of sorts and types. A typing (Δ, Δ′, ...) records the linear usage of session channels. In multiparty sessions, it assigns a family of located types to a vector of session channels. In addition, we annotate each session channel sk with its buffer bound mk. Among the typing rules, the rule for session initiation uses the buffer size Bsi⟨G⟩ calculated from G.
Γ ⊢ a : ⟨G⟩    Γ ⊢ P ▷ Δ, s̃^m̃ : (G ↾ 1)@1    |s̃| = |chans(G)|    B_k(G) ≤ m_k
─────────────────────────────────────────────────────────────────────
Γ ⊢ a[2..n](s̃^m̃).P ▷ Δ

The type for s̃ is the first projection of the declared global type for a in Γ. The endpoint type (G ↾ p)@p means that participant p has G ↾ p, the projection of G onto p, as its endpoint type. The condition |s̃| = |chans(G)| means that the number of session channels matches that of G. The condition B_k(G) ≤ m_k ensures that the bound calculated from G does not exceed the declared size m_k of the buffer for each s_k. Similarly for accept. The other rules for initial processes are identical to those of [11]. Note that, since B_k(G) is computable, type-checking for processes with type annotations is decidable [11,22]. The rest of the typing system for programs, and the one for runtime, are similar to those in [11] ([5]). Judgements for runtime are there extended to Γ ⊢_Σ P ▷ Δ, with Σ a set of session channels associated to the current queue.
352
P.M. Deni´elou and N. Yoshida
For subject reduction, we need to keep track of the correspondence between the session environment and the buffer sizes. We use the reduction over session typings, Δ →_{s_k} Δ′, generated by rules between types such as {k!⟨U⟩; T@p, k?(U); T′@q} →_{s_k} {T@p, T′@q}. The key lemma about the correspondence between buffer size and reduction follows. We set [[G]] to be the family {(G ↾ p)@p | p ∈ G}. Regarding each type in [[G]] as the corresponding regular tree, we can define ≺, ≺_II, ≺_IO and ≺_OO among its prefixes precisely as we have done for G.

Lemma 3.7. If Δ(s̃) = [[G]] and Δ →_{s_k} Δ′, then [[G]] (→_k)* [[G′]] with Δ′(s̃) = [[G′]] and B_k(G) ≥ B_k(G′).
When Γ ⊢_Σ P ▷ Δ, we say that (Γ, Σ, P, Δ) is fully coherent for session s̃ if there exist P1, ..., Pk, Σ′, Δ′ such that Γ ⊢_{Σ,Σ′} P | P1 | ... | Pk ▷ Δ, Δ′ and Δ, Δ′ = Δ″, s̃^ñ : {T_p@p}_{p∈I} with [[G]] = {T_p@p}_{p∈I}, G coherent and B_i(G) ≤ n_i (1 ≤ i ≤ k).

Theorem 3.8 (Subject Reduction). Γ ⊢_Σ P ▷ Δ and P −→ Q with (Γ, Σ, P, Δ) fully coherent imply Γ ⊢_Σ Q ▷ Δ′ for some Δ′ and s_k such that either Δ′ = Δ, or Δ (→_{s_k})* Δ′ and B_k(G) ≥ B_k(G′), with Δ(s̃) = [[G]], Δ′(s̃) = [[G′]] and (Γ, Σ, Q, Δ′) fully coherent.

The proof relies on Lemma 3.7 and on the fact that session reduction does not affect the causal dependencies within global types, so that buffer sizes can only decrease. To state our buffer safety result, we define the buffer overflow error Err as follows:

n ≤ |h̃|  ⇒  s!⟨ẽ⟩; P | s^n : h̃ → Err,   s!⟨⟨t̃⟩⟩; P | s^n : h̃ → Err,   s ◁ l; P | s^n : h̃ → Err
P → Err  ⇒  P | Q → Err,   (νa)P → Err,   (νs̃)P → Err,   and Q → Err whenever Q ≡ P
Corollary 3.9 (Buffer Safety). If Γ ⊢_Σ P ▷ Δ, then for all P′ s.t. P −→* P′, P′ −/→ Err.
4 Channel Attribution

This section describes algorithms that attribute channels to the communications of a given global type without channels, called a stripped global type (G, G′, ...), defined as:

G ::= ... | p → p′ ⟨U⟩; G′   (values)  |  p → p′ {l_j : G_j}_{j∈J}   (branching)
Our algorithms transform G into a regular global type by adding channel annotations. We define the channel allocation of a global type G to be the value of the function ch.

Singleton allocation. The simplest channel allocation attributes a different channel to each communication occurring in the global type syntax tree. Formally, the singleton allocation is such that: ∀n, n′ ∈ G, ch(n) = ch(n′) ⇔ n = n′. Singleton allocations enjoy the following good properties.

Lemma 4.1. For any global type G with singleton allocation, (1) G satisfies the linearity property; (2) for the finite channels k of G, B_k(G) = 1; (3) for the finite channels k of G, Σ_k B_k(G) ≤ size(G).
Buffered Communication Analysis in Distributed Multiparty Sessions
353
Channel equalities. As well as values of the ch function, allocations can be seen as partitions of the set of nodes {n}_{n∈G}. We then define partition refinement through the notion of channel equality, i.e. the union of two classes of the partition to produce a new allocation.

Definition 4.2 (channel equality). A channel equality is the substitution of two channels k and k′ in a global type G by a single fresh channel k″, while keeping G linear.

As we take the singleton allocation as a base, we can describe channel allocations by sets E of channel equalities, the empty set corresponding to the singleton allocation. We write G_E for the global type G with channel equalities E. In the rest of this section, we always start from the singleton allocation and proceed by channel equalities. We notably rely on the fact that the result of the equality of two finite channels is finite. Formally, if B_k(G) = ∞ then, for all E, B_k(G_E) = ∞. Note that the total number of possible channel allocations is finite and corresponds to the number of partitions of a given finite set. The exact count (if we do not take into account the linearity property) is given by a Bell number [19], which is exponential in the size of the global type. Given the finite number of possible allocations, we know that there exists an algorithm to find allocations satisfying any decidable property. Notably, one can reach any given memory requirement (number of channels, buffer sizes).

Principal allocation. The most widely used allocation method attributes two communication channels (one in each direction) to each pair of participants. The session types of [8,1] follow this allocation. Formally, the principal allocation is such that: ∀n, n′ ∈ G s.t. pfx(n) = p → q : k and pfx(n′) = p′ → q′ : k′, (k = k′ ⇔ p = p′ ∧ q = q′).

Lemma 4.3. For any global type G with principal allocation, (1) G satisfies the linearity property; (2) |chans(G)| ≤ n × (n − 1), where n = |prins(G)|.

Greedy allocations.
We now define a family of efficient algorithms that give good allocation results in practice.

Definition 4.4 (Greedy allocation algorithm). Given a global type with singleton allocation G, of initial node n0, and a successor function succ over the nodes, the function I_∅^∅(n0) is defined by:

I_E^K(end) = E
I_E^K(n)   = I_{E′}^{K′}(n′)   where  succ(n) = n′,  ch(n) = k,  K′ = K ∪ {k},  and
             E′ = E ∪ {k = k′}  if ∃k′ ∈ K such that Lin(G_{E∪{k=k′}})
             E′ = E             otherwise
This algorithm is parameterised by the successor function over nodes (which can be given, e.g., by a depth-first graph search) and by the choice between the possible channels k′ ∈ K for equality. The greedy algorithm has the advantage of not backtracking and thus enjoys a polynomial complexity (if the choice procedures are polynomial) in the size of the graph. In particular, we define two efficient heuristics based on the generic greedy algorithm, implementing K by either:
1. (Early) a queue, so that we choose for channel equality the oldest channel k′ ∈ K.
2. (Late) a list, so that we choose for channel equality the latest channel k′ ∈ K.
The early and late allocations are not optimal in terms of total memory requirement (computed by Σ_k B_k(G) when all channels are finite), but give good results in practice while being polynomial.
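A rough Python sketch of this greedy scheme follows. The linearity check Lin(G_E) is abstracted away as a caller-supplied predicate, and all function and variable names are ours; this is an illustration of the control structure, not the paper's implementation.

```python
from collections import deque

def greedy_alloc(nodes, lin_ok, early=True):
    """Greedy channel allocation sketch (after Definition 4.4).
    nodes:  communications in successor order, starting from the
            singleton allocation (one fresh channel per node);
    lin_ok: predicate on candidate allocations standing in for
            Lin(G_E) -- the real linearity check is abstracted away;
    early:  visit already-seen channels oldest-first (queue, Early)
            or latest-first (Late)."""
    alloc = {n: i for i, n in enumerate(nodes)}   # singleton allocation
    seen = deque()                                # K: channels seen so far
    for n in nodes:
        k = alloc[n]
        candidates = seen if early else reversed(seen)
        for k2 in list(candidates):
            # try the channel equality k = k2, i.e. E' = E u {k = k2}
            trial = {m: (k2 if c == k else c) for m, c in alloc.items()}
            if lin_ok(trial):                     # plays the role of Lin(G_E')
                alloc, k = trial, k2
                break
        if k not in seen:
            seen.append(k)
    return alloc
```

With a predicate that always accepts, every node collapses onto one channel; with one that always rejects, the singleton allocation survives. A faithful predicate would have to implement the linearity check of § 3.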
Example 4.5 (comparison of the allocations). We apply the allocation algorithms to a three-party stripped global type. The results are given in the table below, in terms of the number of allocated channels and the total memory requirement. The greedy algorithms give the best results on this example, with the early greedy algorithm allocating fewer channels than the late greedy algorithm.

                 Singleton  Principal  Early G.  Late G.
n0 : A → B;      k0         k0         k0        k0
n1 : B → A;      k1         k1         k1        k1
n2 : A → B;      k2         k0         k0        k0
n3 : A → B;      k3         k0         k0        k1
n4 : A → C;      k4         k2         k2        k2
n5 : C → B;      k5         k3         k1        k3
n6 : B → C;      k6         k4         k2        k1
n7 : B → C       k7         k4         k2        k2
Nb channels      8          5          3         4
Memory Req.      8          7          5         5
5 Local Refinement: Messaging Optimisations

One of the significant practical concerns in systems with messaging is to optimise interactions through more asynchronous data processing, to increase parallelism. Our recent work [15,14] developed a new form of subtyping, asynchronous subtyping, that characterises the compatibility between classes of type-safe permutations of actions, in order to send messages before receiving. This subtyping allows, however, not only Bob5 in (1.1) of § 1 but also μX.s2!⟨Orange⟩; X as a refinement of Bob, which changes all buffer sizes from 1 to ∞, leading to buffer overflows. Our aim is to overcome this problem by controlling permutations locally, with the help of the IO-dependency analysis. The key idea is to prohibit the permutation of an output action at k0 with an input or branching action which prevents (by IO-causality) the accumulation of values in k0. Recall Definition 3.4. We define the minimal resetting paths to be the paths that satisfy the reset property while none of their suffixes does. Then, we define the dependent nodes of channel k, noted dep(k), to be the union of the reset nodes of the minimal resetting paths that end with k. This set of nodes characterises a buffer usage. First, for a given G, we choose a partition {N0, ..., Nn} of the set of nodes of G. This partition should satisfy the two properties: ∀n ∈ Ni, n′ ∈ Nj, ch(n) = ch(n′) ⇒ Ni = Nj, and ∀n ∈ Ni, dep(ch(n)) ⊆ Ni. The choice of a partitioning depends in particular on a choice of reset and dependent nodes. Note that the trivial partitioning (with a single class) is always possible. Since, for each channel k, all nodes using k are part of the same class (written N(k)), we can annotate all uses of k in G by N(k).
In the example below, the partitioning is made of N1 = {n1, n2} and N2 = {n3, n4}: we give the annotated session graph (with the IO-dependencies highlighted) on the left and the projected types (where the annotations are kept) on the right.

[Annotated session graph, IO-dependencies highlighted:
n1 : Alice → Bob : s1^{N1}  →  n2 : Bob → Alice : s2^{N1}  →  n3 : Alice → Bob : s3^{N2}  →  n4 : Bob → Alice : s4^{N2}  →  (back to n1)]

T_Alice     = μx. s1^{N1}!; s2^{N1}?; s3^{N2}!; s4^{N2}?; x
T_Bob       = μx. s1^{N1}?; s2^{N1}!; s3^{N2}?; s4^{N2}!; x
T_Alice^opt = μx. s1^{N1}!; s3^{N2}!; s2^{N1}?; s4^{N2}?; x
Next, we apply the size-preserving asynchronous communication subtyping, following the annotations on the projected types. The relation T ≲ T′ means T is more asynchronous than (or more optimised than) T′. The main rule is:

(OI)   k^N!⟨U⟩; k0^{N0}?(U′); T  ≲  k0^{N0}?(U′); k^N!⟨U⟩; T    (N ∩ N0 = ∅)
where the two prefixes are permutable if the IO-chains of the two prefixes are disjoint. We can always permute two inputs or two outputs with distinct channels, since they do not contribute to the input and output alternations that constitute the IO-chains. The branching/selection rules are similarly defined, and the others are context rules. Then we define a coinductive subtyping relation T1 ≲_c T2 as a form of type simulation, following [15,14]. The important fact is that ≲_c does not alter buffer sizes: suppose [[G]] = {T@p}_p with T@p = (G ↾ p)@p and p ∈ G, and assume T′@p ≲_c T@p with [[G′]] = {T′@p}_p. Then B_k(G) = B_k(G′). Since there is no change in the buffer bounds, Type and Buffer Safety follow directly from Theorem 3.8 and Corollary 3.9. In the example above, in Alice's type, we can permute s2^{N1}? and s3^{N2}! (T_Alice^opt ≲_c T_Alice) since N1 ∩ N2 = ∅, keeping the size of each buffer at one. Hence a process typable by T_Alice^opt can safely send a message at s3 before the input at s2. In Alice-Bob5-Carol from § 1, the original global type G annotated by IO-chains has only one class N = {n1, n2, n3}:

μx. Alice → Bob : s1^N ⟨nat⟩; Bob → Carol : s2^N ⟨string⟩; Carol → Alice : s3^N ⟨real⟩; x
Bob's local type is μx. s1^N?(nat); s2^N!⟨string⟩; x, which prevents any optimisation by (OI). Hence, Bob5 is not typable. Some typable examples are given in the next section.

5.1 Application: Multibuffering Algorithm

The double buffering algorithm [6] is widely used in high-performance and multicore computing. We generalise this algorithm to multibuffering [16] and solve an open issue of our previous work [15, § 5]. The aim is to transport a large amount of data as a series of units (say each unit is 16kB) from a source (Source) to a transformer (called Kernel). Each unit gets processed at Kernel and delivered to a sink (Sink). Kernel uses n 16kB buffers, named Bi, to maximise the message transfer asynchrony. The processes representing Source, Sink, Kernel and Optimised Kernel are given below using parameterised processes [22] (i.e. foreach(i < n){P[i]} means we iterate P[i] for 0 ≤ i < n):

Source: μX.foreach(i < n){ri?(); si!⟨yi⟩}; X
Sink: μ X.foreach(i < n){ti !; ui ? (zi )}; X
Kernel: μX.foreach(i < n){ri!; si?(xi); ti?(); ui!⟨xi⟩}; X
Optimised Kernel: r0!; ...; rn−1!; μX.foreach(i < n){si?(xi); ti?(); ui!⟨xi⟩; ri!}; X
In the loop, Kernel notifies Source with signals at ri that it is ready to receive data in each channel si of buffer Bi. Source complies, sending one unit via si. Then Kernel waits for Sink to inform (via ti) that Sink is ready to receive data via ui: upon receiving the signal, Kernel sends the unit of processed data to Sink via ui. If Kernel sends the n notifications on r0, ..., rn−1 ahead of time, like Optimised Kernel, Source can start its work on the next unit (sending yj at sj) without waiting for the other buffers. The following proposition states that the n buffers of size one in Kernel simulate one buffer of size n, maximising the asynchrony. The proof is done by annotating the global type with the partitions {ri, si} and {ui, ti}, and checking that the permutation of the projected Kernel type satisfies the (OI) rule.

Proposition 5.1 (n-buffering correctness). Source | Optimised Kernel | Sink satisfies both progress and communication-safety. Moreover, each buffer at si and ui holds at most one unit.

If Optimised Kernel is further rearranged as r0!; ...; foreach(i < n){ri!; si?(xi); ti?(); ui!⟨xi⟩} (which is not typable in our system), then all buffers are forced to hold 2 units. This
unsafe optimisation is typable in [15] but prevented here by Proposition 5.1. In [5], we also deal with a use case of MPSoC buffer allocation from [4], with branching and iterations [22], and verify it by applying all of the previously described methods.
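The difference in buffer occupancy between the two Kernel variants can be illustrated with a toy simulation. The model below is entirely ours (not the typed calculus): ready-signals and data buffers are plain counters, and an eager Source answers every pending r_i signal with one unit; the Kernel either signals r_i after consuming s_i (as in Optimised Kernel) or before it (as in the unsafe variant).

```python
from collections import defaultdict

def simulate(n, rounds, prefetch, signal_before_read):
    """Toy counter simulation (ours) of the Kernel buffer protocol.
    Returns the maximum occupancy reached by any data buffer s_i."""
    r = defaultdict(int)      # pending ready-signals on r_i
    s = defaultdict(int)      # occupancy of data buffer s_i
    max_s = defaultdict(int)  # high-water mark of each s_i

    def source_runs():
        # Source: mu X. foreach(i<n){ r_i?(); s_i!<y_i> }; X  (run eagerly)
        for i in range(n):
            while r[i] > 0:
                r[i] -= 1
                s[i] += 1
                max_s[i] = max(max_s[i], s[i])

    for i in range(prefetch):          # up-front r_0!; ...; r_{prefetch-1}!
        r[i % n] += 1
    source_runs()
    for _ in range(rounds):
        for i in range(n):
            if signal_before_read:     # unsafe variant: r_i! before s_i?
                r[i] += 1
                source_runs()
                s[i] -= 1              # s_i?(x_i)
            else:                      # Optimised Kernel: s_i? ... then r_i!
                s[i] -= 1              # s_i?(x_i); t_i?(); u_i!<x_i>
                r[i] += 1
                source_runs()
    return max(max_s.values())

print(simulate(3, 5, 3, signal_before_read=False))  # 1: each s_i holds one unit
print(simulate(3, 5, 3, signal_before_read=True))   # 2: buffers forced to hold 2
```

Under this scheduling model, the Optimised Kernel ordering keeps every s_i at occupancy one, while signalling before reading lets the eager Source push a second unit into each buffer, matching the 2-unit behaviour rejected by the type system.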
6 Related Work

Checking buffer bounds based on global specifications has been studied through Petri nets and synchronous data flow. Recent advances [9] in the study of Kahn Process Networks (KPN) have improved Parks's algorithm [18] to ensure safe executions of stream-based applications with bounded buffers, using an appropriate scheduling policy. Their theory is applied to KPN applications on MPSoC [4], demonstrating the effectiveness of non-uniform, fine-grained buffer allocations. By contrast, our approach is type-based and relies on the existence of a global specification that brings additional guarantees (such as deadlock-freedom) and allows global choreography manipulation and refinements. It is moreover directly applicable to programming languages [12,22] by extending existing type syntax and checking. The idea of using a type abstraction to investigate channel communications goes back to Nielson & Nielson's work on CML [17]. Gay & Vasconcelos [8] propose a linear type system for binary sessions to enforce buffer bounds computed by a fixed-point method. Their work is thus limited to a particular channel allocation (i.e. principal, cf. § 4) and does not extend to multiparty interactions (their method would find that the buffers in Example (a) are infinite). Terauchi & Megacz [21] describe a polynomial method to infer buffer bounds of a concurrent language through program analysis using linear programming techniques, improving on previous work [13], see [21, § 7]. Our bound computation method differs in that it starts from a direct type-based abstraction of global interaction structures, namely session graphs, rather than from a direct investigation of local types or processes (normally, in distributed systems, a peer does not know the other peers' types or implementations [12]). This also leads to the general simplicity of the analysis, and to the uniform treatment of subtle issues such as asynchronous optimisations.
Thanks to session types, the channel passing problem of [21, § 6] does not arise in our analysis: different (possibly newly generated) sessions and names can be stored in the same buffer, still giving the exact bound on stored channels. Neither [8] nor [21] has studied channel allocation, global refinement or messaging optimisation. Among process calculi for service-oriented computing (SOC), contracts [3] and the conversation calculus [2] provide static type checking for a series of interactions and ensure progress. We demonstrate the advantage of global types through the simplicity of our analysis and the uniform treatment and articulation of our various algorithms. Our approach is, however, extensible to these calculi because (1) the IO-causality analysis does not rely on the form of session branches, so that other forms of sums can be analysed by the same technique; and (2) combined with a polynomial inference which builds a graph from a collection of local types [[G]] [15], the Subject Reduction Theorem can be proved using our invariance method, noting that we use [[G]] for the proofs. An extension to other formalisms for SOC, including [3,2], is interesting future work. Further topics include the enrichment of global types with more quantitative information (such as distance, probabilities and weights), which would enable finer-grained analyses and optimisations.
References

1. Bettini, L., Coppo, M., D'Antoni, L., De Luca, M., Dezani-Ciancaglini, M., Yoshida, N.: Global progress in dynamically interleaved multiparty sessions. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 418–433. Springer, Heidelberg (2008)
2. Caires, L., Vieira, H.T.: Conversation types. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 285–300. Springer, Heidelberg (2009)
3. Castagna, G., Padovani, L.: Contracts for mobile processes. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 211–228. Springer, Heidelberg (2009)
4. Cheung, E., Hsieh, H., Balarin, F.: Automatic buffer sizing for rate-constrained KPN applications on multiprocessor system-on-chip. In: HLDVT 2007, pp. 37–44. IEEE, Los Alamitos (2007)
5. Deniélou, P.-M., Yoshida, N.: Buffered communication analysis in distributed multiparty sessions. Full version and prototype at http://www.doc.ic.ac.uk/~pmalo/multianalysis
6. Donaldson, A., Kroening, D., Rümmer, P.: Automatic analysis of scratch-pad memory code for heterogeneous multicore processors. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 280–295. Springer, Heidelberg (2010)
7. Fähndrich, M., et al.: Language support for fast and reliable message-based communication in Singularity OS. In: EuroSys 2006, ACM SIGOPS, pp. 177–190. ACM Press, New York (2006)
8. Gay, S., Vasconcelos, V.T.: Linear type theory for asynchronous session types. Journal of Functional Programming (2009)
9. Geilen, M., Basten, T.: Requirements on the execution of Kahn process networks. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 319–334. Springer, Heidelberg (2003)
10. Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type disciplines for structured communication-based programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998)
11. Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: POPL, pp. 273–284 (2008)
12. Hu, R., Yoshida, N., Honda, K.: Session-based distributed programming in Java. In: Vitek, J. (ed.) ECOOP 2008. LNCS, vol. 5142, pp. 516–541. Springer, Heidelberg (2008)
13. Kobayashi, N., Nakade, M., Yonezawa, A.: Static analysis of communication for asynchronous concurrent programming languages. In: Mycroft, A. (ed.) SAS 1995. LNCS, vol. 983, pp. 225–242. Springer, Heidelberg (1995)
14. Mostrous, D., Yoshida, N.: Session-based communication optimisation for higher-order mobile processes. In: Curien, P.-L. (ed.) TLCA 2009. LNCS, vol. 5608, pp. 203–218. Springer, Heidelberg (2009)
15. Mostrous, D., Yoshida, N., Honda, K.: Global principal typing in partially commutative asynchronous sessions. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 316–332. Springer, Heidelberg (2009)
16. Multiple buffering, http://en.wikipedia.org/wiki/Multiple_buffering
17. Nielson, H.R., Nielson, F.: Higher-order concurrent programs with finite communication topology. In: POPL, pp. 84–97 (1994)
18. Parks, T.: Bounded Scheduling of Process Networks. PhD thesis, University of California, Berkeley (1995)
19. Rota, G.-C.: The number of partitions of a set. Amer. Math. Monthly 71, 498–504 (1964)
20. Takeuchi, K., Honda, K., Kubo, M.: An interaction-based language and its typing system. In: Halatsis, C., Philokyprou, G., Maritsas, D., Theodoridis, S. (eds.) PARLE 1994. LNCS, vol. 817, pp. 398–413. Springer, Heidelberg (1994)
21. Terauchi, T., Megacz, A.: Inferring channel buffer bounds via linear programming. In: Drossopoulou, S. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 284–298. Springer, Heidelberg (2008)
22. Yoshida, N., Deniélou, P.-M., Bejleri, A., Hu, R.: Parameterised multiparty session types. In: Ong, L. (ed.) FOSSACS 2010. LNCS, vol. 6014, pp. 128–145. Springer, Heidelberg (2010)
Efficient Bisimilarities from Second-Order Reaction Semantics for π-Calculus

Pietro Di Gianantonio¹, Svetlana Jakšić², and Marina Lenisa¹

¹ Dipartimento di Matematica e Informatica, Università di Udine, Italy
{digianantonio,lenisa}@dimi.uniud.it
² Faculty of Engineering, University of Novi Sad, Serbia
[email protected]

Abstract. We investigate Leifer and Milner's RPO approach for deriving efficient (finitely branching) LTSs and bisimilarities for the π-calculus. To this aim, we work in a category of second-order term contexts and we apply a general pruning technique, which allows us to simplify the set of transitions in the LTS obtained from the original RPO approach. The resulting LTS and bisimilarity provide an alternative presentation of the symbolic LTS and Sangiorgi's open bisimilarity.
Introduction

Recently, much attention has been devoted to deriving labelled transition systems and bisimilarity congruences from reactive systems, in the context of process languages and graph rewriting. Through the notion of contextual equivalence, reactive systems naturally induce behavioural equivalences which are congruences w.r.t. contexts, while LTSs naturally induce bisimilarity equivalences with coinductive characterizations. However, such equivalences are not congruences in general, and it can be a difficult task to derive LTSs inducing bisimilarities which are congruences. Leifer and Milner [1] presented a general categorical method, based on the notion of Relative Pushout (RPO), for deriving a transition system from a reactive system, in such a way that the induced bisimilarity is a congruence. The labels in Leifer-Milner's transition system are those contexts which are minimal for a given reaction to fire. In the literature, some case studies have been carried out in the setting of process calculi, testing the expressivity of Leifer-Milner's approach [2,3,4,5,6,7,8]. Moreover, to deal with structural rules, an elaboration of the RPO theory in the G-category setting (GRPO) has been introduced by Sassone and Sobociński in [2]. In general, in applying the RPO construction, one needs to deal with the following problems:
– To encode all the characteristics of the language, mainly: structural rules, name abstraction, name hiding.
Work partially supported by PRIN Project SISTER 20088HXMYN and FIRB Project RBIN04M8S8, both funded by MIUR.
P. Gastin and F. Laroussinie (Eds.): CONCUR 2010, LNCS 6269, pp. 358–372, 2010. © Springer-Verlag Berlin Heidelberg 2010
– To obtain a labelled transition system which is usable, where proofs of bisimilarity require considering only a finite set of transitions at each step. Almost always, the RPO approach generates LTSs that are quite large and often redundant, in the sense that most of the transitions can be eliminated from the LTS without affecting the induced bisimilarity.
– When the RPO construction is performed by embedding the category of terms in a larger category, the resulting LTS can contain states that do not correspond to any term of the language, and whose intuitive meaning is difficult to grasp.
In order to solve the above problems, the RPO construction needs to be tuned up: we have to find a convenient category in which to perform the construction, and general methods for pruning the LTS. In previous work [7], we solved the above problems for the prototypical example of CCS. In [7], we use a category of term contexts, i.e. a Lawvere category. We encode names and name binding using de Bruijn indexes; this allows a relatively simple and formally correct treatment of names, which, when represented natively, can be quite subtle to treat. Moreover, in [7] we introduce a general technique which allows us to prune an LTS obtained from an RPO construction without modifying the induced bisimilarity. This is achieved by eliminating definable sets of transitions, i.e. transitions whose effect can be obtained by other transitions. In [7], by using the above ideas in applying the (G)RPO construction to CCS, we obtain the standard LTS from the standard reaction semantics. This is an indication that the (G)RPO technique, in combination with our general pruning technique, can generate useful LTSs. In the present work, we treat the π-calculus in detail. The techniques developed for CCS turn out to be useful also for the π-calculus, but for the latter, in order to get an efficient LTS, a further ingredient is necessary: second-order contexts.
Categories of second-order term contexts have been introduced in [9] as generalizations of the Lawvere category of terms, where parametric rules can be readily represented. Intuitively, if we apply the Leifer-Milner technique to the π-calculus by working in a standard Lawvere category of term contexts, then, in the resulting LTS, for any process P exposing an output prefix, we need to consider transitions P −([ ] | a(x).Q)→ P′ for all Q. All these label contexts are "minimal" for the reduction to fire; we cannot avoid Q since, in the resulting process P′, a substitution is applied to Q. This makes the LTS inefficient. To overcome this problem, we use second-order contexts. In this way, all the above transitions can be parametrically captured by a single transition P −([ ] | a(x).X)→ P′, where X is a variable representing a generic term, which will possibly be instantiated in the future. The final result of our construction produces a bisimilarity which is a mild variation of Sangiorgi's open bisimilarity. In order to get the final efficient characterization of our bisimilarity, we need a further ad-hoc pruning. However, even if the GRPO construction does not directly give the final result, once applied, it produces an LTS which is a superset of the final usable one. Identifying the redundant transitions is then not so difficult; the only difficult part is to prove that they are redundant.
Interestingly enough, our analysis provides new insights into the theory of the π-calculus: namely, we obtain an alternative presentation of the symbolic LTS and open bisimilarity, where distinctions do not appear. Remarkably, the Leifer-Milner technique has led us to a bisimilarity congruence in a substantially direct way, just using general tools, without the need for new concepts, whereas, in the standard treatment, moving from CCS to the π-calculus requires various new notions, such as bound output transitions, distinctions, etc. In conclusion, the results for CCS of [7] and the above results for the π-calculus are rather satisfactory, and they are an indication that the general techniques used in this paper could also give new insights into more recent calculi, whose theory is still evolving.

Related Work. The RPO construction has been applied to the π-calculus in [3,10]. In [3], History Dependent Automata are used to present a reactive system for the fragment of the π-calculus without the ν-operator. The reactive system is obtained by starting from an LTS and then incorporating the labels in the initial state of the transition. The reactive system considered in [10] is based on the theory of bigraphs and models the asynchronous π-calculus. The present work is also related to [11]. Both works use categories that are suitable generalizations of the Lawvere category of contexts. However, in our work we strictly apply the RPO construction to derive an LTS for the π-calculus, while [11] uses the RPO construction as a sort of inspiration for directly defining an LTS for the π-calculus. The two works use quite different notions of generalized context, and thus the obtained LTSs are also quite different.

Summary. In Section 1, a presentation of π-calculus syntax with de Bruijn indexes and parametric reaction semantics is given. In Section 2, the GRPO technique is applied to the π-calculus, and efficient characterizations of the GIPO bisimilarity are investigated. In Section 3, GIPO bisimilarity is compared with open bisimilarity. Final remarks appear in Section 4. In the extended version of the present paper [12], the theory of RPOs in the G-category setting and the general pruning technique of [7] are recalled, and some proofs are presented.
1 Second-Order π-Calculus Processes
In this section, we present a version of the π-calculus with de Bruijn indexes, together with reaction semantics. This presentation allows us to deal smoothly with binding operators, and it is needed for extending to contexts the structural congruence on processes. In our presentation, π-calculus names a0, a1, ... are replaced by de Bruijn indexes r0, r1, ..., which are name references. Intuitively, a name reference can be viewed as a link (or a pointer). So a bound name is replaced by a link to the corresponding binding operator, while a free name is replaced by a link to its occurrence in a list of names. Concretely, links are represented by natural numbers, and:
– binding operators ν and input prefix do not contain any name;
– the index ri refers to the free name aj if j = i − n ≥ 0 and ri appears under the scope of n binding operators;
– otherwise, if i < n, then ri is bound by the (i + 1)-th binding operator on its left.

E.g. in νr1().r̄2r0.0, r0 is bound by the input prefix r1(), while r1 and r2 both refer to the free name a0. In standard syntax, the above process would be written (νa′)a0(a″).ā0a″.0.

Definition 1 (π-calculus Processes). Let r0, r1, ... ∈ R be name references; we will use r, s as metavariables for name references. We define:

(Act) α ::= τ | r() | r̄s                          actions
(G)   M ::= 0 | M1 + M2 | α.P | Y                 guarded processes
(P)   P ::= M | X | νP | P1|P2 | rec X.P | σP     processes

where:
– X, X0, X1, ... ∈ X are process variables, and Y, Y0, Y1, ... ∈ Y are guarded process variables; we will use Z to range over X ∪ Y;
– the process variable X appears guarded in rec X.P;
– σ is a name substitution obtained as a finite composition of the transformations {δi}_{i≥0} ∪ {si}_{i≥0} ∪ {ti,j}_{i,j≥0}, where δi and si represent the i-th shifting and the i-th swapping, respectively, and the ti,j are the singleton substitutions, defined by:

δi(rj)   = r_{j+1} if j ≥ i, and rj if j < i
si(rj)   = rj if j ≠ i, i+1;  r_{i+1} if j = i;  ri if j = i+1
ti,j(rk) = rk if k ≠ i, and rj if k = i

A closed process is a process in which each occurrence of a variable is in the scope of a rec operator.

In the following definition, we introduce the notion of second-order context, consisting of a variable substitution θ and a first-order context:

Definition 2 (Second-order Contexts). We define the second-order 1-hole process contexts (contexts) by:

C ::= [ ]θ | νC | P + C | C + P | P|C | C|P | rec X.C | σC

where θ = θX + θY : X + Y → P + G is a substitution of processes for process variables, mapping (guarded) process variables into (guarded) processes.

Notation. We will often denote substitutions by the list of variables which are actually substituted, i.e. as {P1/X1, ..., Pm/Xm, M1/Y1, ..., Mn/Yn}, omitting the variables which are left unchanged.
Moreover, for denoting second-order contexts, we will also use the notation C[ ]θ when we need to make the variable substitution θ explicit. Notice that in the above definition of contexts we do not distinguish between guarded and general contexts; thus also "ill-formed" contexts, such as ([ ]θ |P) + P, are included at this stage. In Section 2, where we will apply the GIPO technique, we will give a precise definition of guarded and general contexts.
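The index transformations of Definition 1, and the rule for resolving a reference under n binding operators, amount to simple arithmetic on indexes. The following is a minimal illustrative sketch (not from the paper; the encoding and function names are ours): each transformation acts on the index j of a reference rj.

```python
def delta(i, j):
    """i-th shifting: delta_i maps r_j to r_{j+1} when j >= i, else r_j."""
    return j + 1 if j >= i else j

def swap(i, j):
    """i-th swapping: s_i exchanges r_i and r_{i+1}, fixing all other indexes."""
    if j == i:
        return i + 1
    if j == i + 1:
        return i
    return j

def singleton(i, j, k):
    """Singleton substitution t_{i,j}: maps r_i to r_j, fixing all other indexes."""
    return j if k == i else k

def resolve(i, n):
    """Resolve r_i under n binding operators: bound by the (i+1)-th enclosing
    binder if i < n, otherwise a reference to the free name a_{i-n}."""
    return ("bound", i) if i < n else ("free", i - n)
```

For instance, in νr1().r2r0.0 the reference r2 occurs under two binding operators (ν and the input prefix), so resolve(2, 2) yields ("free", 0), i.e. r2 refers to a0, matching the example above.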
P. Di Gianantonio, S. Jakšić, and M. Lenisa
In what follows, we will refer to π-calculus processes with de Bruijn indexes and second-order contexts as terms, denoted by T. Intuitively, when a second-order context C[ ]θ is applied to a term T, the variable substitution θ is applied to T and the resulting term is put in the hole. In order to formalize this notion of context application, we first need to introduce the notion of applying a substitution to a term:

Definition 3 (Context Application)
(i) Let T be a term, and let θ be a variable substitution. We define the extension θ̂ of θ to terms, by induction on T, as:

θ̂(Z) = θ(Z)
θ̂([ ]θ′) = [ ]θ̂∘θ′
θ̂(T1 + T2) = θ̂(T1) + θ̂(T2)
θ̂(T1 |T2) = θ̂(T1) | θ̂(T2)
θ̂(σT) = σθ̂(T)
θ̂(νT) = ν(θ̂(T))
θ̂(rec X.T) = rec X.θ̂′(T), where θ̂′(Z) = θ̂(Z) if Z ≠ X, and θ̂′(X) = X.

In what follows, by abuse of notation, we will often denote θ̂(T) simply by θ(T).

(ii) Let C be a context and let T be a term; the application of C to T, denoted by C · T, is defined by induction on C by:

[ ]θ · T = θ̂(T)
(νC) · T = ν(C · T)
(P + C) · T = P + (C · T)
(C + P) · T = (C · T) + P
(P |C) · T = P | (C · T)
(C |P) · T = (C · T) |P
(rec X.C) · T = rec X.(C · T)
(σC) · T = σ(C · T)
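The clauses of Definition 3(i) can be sketched as a recursive traversal. This is an illustrative encoding, not from the paper: terms are nested tuples, and a variable substitution is a dict mapping variable names to terms, with variables absent from the dict left unchanged (matching the paper's notational convention for substitutions).

```python
def apply_subst(theta, t):
    """Extension theta-hat of the variable substitution theta to terms."""
    tag = t[0]
    if tag == "var":                      # theta-hat(Z) = theta(Z)
        return theta.get(t[1], t)
    if tag == "hole":                     # theta-hat([ ]_th) = [ ]_{theta-hat o th}
        comp = dict(theta)
        comp.update({z: apply_subst(theta, p) for z, p in t[1].items()})
        return ("hole", comp)
    if tag in ("sum", "par"):             # distributes over + and |
        return (tag, apply_subst(theta, t[1]), apply_subst(theta, t[2]))
    if tag == "nu":                       # commutes with the nu operator
        return ("nu", apply_subst(theta, t[1]))
    if tag == "sigma":                    # commutes with name substitutions
        return ("sigma", t[1], apply_subst(theta, t[2]))
    if tag == "rec":                      # rec X binds X: X itself is not substituted
        return ("rec", t[1],
                apply_subst({z: p for z, p in theta.items() if z != t[1]}, t[2]))
    return t                              # 0 and other variable-free constructs
```

Applying the base context [ ]θ to T is then just apply_subst(theta, T); the remaining clauses of Definition 3(ii) only push the application inward through the first-order context.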
In order to apply the GRPO technique to the π-calculus, it is convenient to extend the structural congruence, which is usually defined only on processes, to all contexts. Here is where the syntax presentation à la de Bruijn plays an important rôle. Namely, the π-calculus rule

(νa P) | Q ≡ νa (P | Q), if a not free in Q

is problematic to extend to contexts with the usual syntax, since, if Q is a context, we have to avoid captures by the ν-operator of the free variables of the processes that will appear in the holes of Q. Using de Bruijn indexes (and index transformations), the above rule can be naturally extended to contexts as:

(νP) | C ≡ ν(P | δ0 C)

where the shifting operator δ0 avoids the capture of free name references. In the standard syntax there is no way of defining a general name substitution playing the rôle of δ0. The complete definition of the structural congruence is as follows:

Definition 4 (Structural Congruence). Let T be a term. Structural congruence is the equivalence relation ≡, closed under process constructors, inductively generated by the usual axioms on |, +, and by:
(nu)
ν0 ≡ 0
T | (νT′) ≡ ν((δ0 T) |T′)
ννT ≡ νν(s0 T)
τ.νP ≡ ν(τ.P)
rs.νP ≡ ν(δ0(rs).P)
r().νP ≡ ν(δ0(r()).s0 P)
(sigma)
σ0 ≡ 0
σ(τ.T) ≡ τ.σ(T)
σ(rs.T) ≡ σ(r)σ(s).σ(T)
σ(r().T) ≡ σ(r)().σ+1 T
σ(T |T′) ≡ σ(T) | σ(T′)
σ(T + T′) ≡ σ(T) + σ(T′)
σ(νT) ≡ ν(σ+1 T)
σ(rec X.T) ≡ rec X.(σT)
σ1 . . . σm T ≡ σ′1 . . . σ′n T, if σ1 ∘ . . . ∘ σm = σ′1 ∘ . . . ∘ σ′n

(subs) [ ]θ ≡ [ ]θ1 if ∀X. θ(X) ≡ θ1(X)

(rec) rec X.P ≡ P[rec X.P/X]

where σ+1(ri) = r0 if i = 0, and (σ(ri−1))+1 otherwise; and σ(α) = τ if α = τ, σ(r)() if α = r(), and σ(r)σ(s) if α = rs.

The last three (nu)-rules are not standard in π-calculus presentations, since they are not strictly necessary for proving the basic syntactic properties of the calculus. However, they are safe, because they allow one to move, inside/outside the ν operator, prefixes which are not captured by ν; see e.g. [13]. The assumption of such extra rules is not essential in our presentation; however, it simplifies the GIPO construction. As for the (sigma)-rule, notice that there is an effective procedure to determine whether σ1 ∘ . . . ∘ σm = σ′1 ∘ . . . ∘ σ′n. Namely, the two compositions are equal if and only if they contain the same number of transformations of the form δi and their behaviour coincides on an initial segment of indexes (whose length can be calculated from the δi's and the si's involved). Finally, the unfolding rule (rec) is given only for processes P. It cannot be directly extended to contexts, since their unfolding can produce multiple-hole contexts. However, the above (rec)-rule is sufficient for our purposes, since we will only need it in reducing processes.

As in the standard presentation, one can easily show that each π-calculus process P is structurally congruent to a process in normal form, i.e. a process of the shape ν^k(Σ_{j=1}^{m1} S1,j | . . . | Σ_{j=1}^{mn} Sn,j), where all unguarded restrictions are at the top level, and name substitutions do not appear at the top level. We use S to range over processes of the shape α.P or σY. If mi = 1 for some i ∈ {1, . . . , n}, then S can also be of the form σX.

Definition 5 (Reaction Semantics).
The reaction relation → is the least relation closed under the following reaction rules and reaction contexts:

Reaction rules.
(r().X1 + Y1) | (rrj.X2 + Y2) → (ν(t0,j+1 X1)) |X2
τ.X + Y → X
Reaction contexts.

D ::= [ ]θ | νD | P |D | D |P | σD

where σ is a permutation of name references (a one-to-one reference substitution). Notice that the permutation σ in the definition of reaction contexts is not strictly necessary for defining the reaction semantics. It could be omitted, without changing the reaction semantics, since, using the congruence rules, name substitutions
distribute over the actions. However, in view of the GIPO construction of Section 2, it is useful to include it.

A mapping T from the standard π-calculus syntax into our de Bruijn presentation can be defined by structural induction, using an extra set of names with negative indexes (a−1, a−2, . . .). The most meaningful cases are: T(P) = T0(P), Tn(ai(aj).P) = ri+n().Tn+1(P{a−n−1/aj}), Tn(ai aj.P) = ri+n rj+n.Tn(P). For any pair of π-calculus processes P, Q in the standard syntax, it turns out that P → Q in the ordinary reaction system iff T(P) → T(Q) in our reaction system. We omit the details.
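The cases of the mapping T given above can be sketched concretely. The following is an illustrative encoding, not from the paper: names are integers (a_i), bound names are replaced by fresh negative indexes a_{−n−1} as in the paper's trick, and terms are tuples ("in", subj, bound, P), ("out", subj, obj, P), ("nil",); the ν and sum cases are omitted for brevity.

```python
def ref(name, n):
    """De Bruijn reference for name a_name at translation depth n:
    a free name a_i becomes r_{i+n}; the fresh name a_{-m-1} introduced
    when entering the binder at depth m becomes r_{n-m-1}."""
    return name + n if name >= 0 else n + name

def subst_name(t, old, new):
    """Renaming old -> new, where new is a fresh negative index (so no capture)."""
    tag = t[0]
    if tag == "nil":
        return t
    if tag == "in":
        subj = new if t[1] == old else t[1]
        if t[2] == old:                  # old is rebound here: stop substituting
            return ("in", subj, t[2], t[3])
        return ("in", subj, t[2], subst_name(t[3], old, new))
    if tag == "out":
        pick = lambda x: new if x == old else x
        return ("out", pick(t[1]), pick(t[2]), subst_name(t[3], old, new))

def translate(t, n=0):
    """T_n, following the cases listed above."""
    tag = t[0]
    if tag == "nil":
        return ("nil",)
    if tag == "in":    # T_n(a_i(a_j).P) = r_{i+n}().T_{n+1}(P{a_{-n-1}/a_j})
        body = subst_name(t[3], t[2], -n - 1)
        return ("in", ref(t[1], n), translate(body, n + 1))
    if tag == "out":   # T_n(a_i a_j.P) = r_{i+n} r_{j+n}.T_n(P)
        return ("out", ref(t[1], n), ref(t[2], n), translate(t[3], n))
```

For instance, a0(a7).a0a7.0 translates to r0().r1r0.0: under the input prefix, the free a0 shifts to r1, while the bound a7 becomes r0.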
2 Applying the GIPO Technique to Second-Order π-Calculus
For lack of space, we do not present the (G)RPO construction in detail; we refer to [1] for a general introduction to the RPO technique, to [2] for the presentation of the GRPO technique, and to [7] or [12] for a compact presentation of all the theory on which the results presented here are based. However, in order to grasp most of the material presented in the paper, the following informal and intuitive explanation of the GRPO construction may suffice. The main idea in the RPO construction is to define an LTS, starting from a reaction system. The states of the derived LTS are terms, while the labels are the minimal contexts necessary for a given reaction to fire. In more detail, the LTS contains the transition t −C→ v if the reaction system contains the reaction C ∘ t → v, and for no subcontext C′ of C and no subterm v′ of v is there a reaction C′ ∘ t → v′. This idea is formalized using a category where arrows represent terms or contexts. The notion of minimal context is defined in terms of a (relative) pushout construction. The main theoretical result is that the LTS obtained by the RPO construction induces a bisimilarity that is a congruence. The GRPO technique is a further elaboration of the RPO technique, necessary to deal with the structural rules of the syntax; here the main idea is to perform the RPO construction in a 2-category. A 2-category is a category having an extra notion of morphism between arrows. When such morphisms are isomorphisms, as in the GRPO construction, the 2-category is called a G-category. In our setting, morphisms between two arrows represent a structural congruence between two terms (the two arrows), together with an induced mapping between occurrences of name references in the two terms. G-categories always allow one to distinguish between two different name references denoting the same name, also when structural rules are used.
In some cases, the RPO construction in the standard categories, having as arrows equivalence classes of terms, fails to produce the correct transitions; an example is r0().0 | r0r1.0, see [2] for more details. We define here the G-category formed by the finite (i.e. without the rec operator) second-order π-calculus terms, equipped with structural congruence. We restrict the G-category to contain only finite processes, because we need the 2-cell morphisms to be isomorphisms. When π-calculus processes contain the rec operator, two congruent processes can contain different numbers of actions, so,
in general, there does not exist a one-to-one map between occurrences of name references. It is possible to recover an LTS for the whole set of π-processes by extending the rules obtained for the finite calculus, namely by allowing parametric rules to be applied also to terms containing the rec operator (and by considering the unfolding rule for rec). Quite general arguments, based on the notion of finite approximation, show that, in the extended LTS, the bisimilarity is still a congruence. Moreover, once restricted to finite processes, in the definition of the π-calculus term category it is sufficient to consider linear terms, that is, terms where each variable appears at most once. This restriction is justified by the fact that, in the GIPO transition system, closed terms generate only linear open terms; moreover, it simplifies the GIPO construction below. Since the π-calculus grammar needs to distinguish between guarded and generic terms, the category needs to contain two corresponding distinct objects. Formally:

Definition 6 (Category of Second-order π-calculus Terms). Let Cπ be the category defined by:
– Objects are ε, G, P.
– Arrows from ε to G (P) are linear (un)guarded processes, i.e. processes where each variable appears at most once. Arrows A → B are the contexts C^B_A generated by the grammar:

C^G_G ::= [ ]θ | α.C^P_G | C^G_G + M | M + C^G_G
C^G_P ::= α.C^P_P | C^G_P + M | M + C^G_P
C^P_G ::= C^G_G | νC^P_G | C^P_G |P | P |C^P_G | σC^P_G
C^P_P ::= [ ]θ | C^G_P | νC^P_P | C^P_P |P | P |C^P_P | σC^P_P

where any context C^B_A = C[ ]θ is linear, i.e. any variable appears at most once in C[ ] and in the codomain of θ.

The identity arrow on G and P is [ ]id. The only arrow with codomain ε is the identity. The composition of morphisms T : A → A′ and T′ : A′ → A′′ is the context application T′ · T.

In what follows, when not necessary, we will omit tags from contexts. One can easily prove that the above definition is well-posed.
In particular, associativity of composition follows from associativity of composition of variable substitutions.