Programming Paradigms for Concurrency. Lecture 12 Part III – Message Passing Concurrency. Notions of Behavioral Equivalence in the π-Calculus.
Formal Reasoning about Systems When can one system be safely replaced by another? When is one system a refinement of another system? To answer such questions we need to formally relate the behavior of systems.
Vending Machines. Consider the following two process terms P and Q (the terms are drawn on the slide).
Vending Machines. They denote the same sets of traces (trace equivalence). But are they indistinguishable?
Let’s add a Coffee Drinker C. The parallel composition of P and C gives S.
The parallel composition of Q and C gives T. T can deadlock.
Trace Equivalence. Trace equivalent processes are not guaranteed to behave identically in every process context.
• Trace equivalence is not a congruence on process terms
• We need a finer notion of process equivalence
Simulation Relations
• A binary relation on transition systems (respectively their states)
• formalizes under which conditions one system correctly implements another (i.e., behaves in the same way)
• Important for system synthesis
• stepwise refinement of a system specification MS into an implementation MI: MI ≼ … ≼ MS
• Important for system verification
• simulation relations formalize abstractions
• instead of proving M ⊨ φ directly, prove M ≼ M’ and then M’ ⊨ φ
We focus on simulation relations on states of systems.
(Strong) Simulation. Let
• M = ⟨S, L, →, I⟩ be a labeled transition system and
• R ⊆ S × S a binary relation on states of M.
R is called a simulation over M iff it satisfies the transfer condition stated on the slide. We say that s simulates t, written as on the slide, if there exists a strong simulation R such that sRt. As we shall see, in the π-calculus it gets slightly more complicated...
Strong Bisimulation. A binary relation R over S is called a bisimulation over the LTS M = ⟨S, L, →, I⟩ iff both R and its inverse R⁻¹ are simulations for M. We say that s bisimulates t, written s ∼ t, iff there exists a bisimulation R such that sRt.
Properties of Bisimilarity. The relation ∼ is
• an equivalence relation
• itself a bisimulation
• the largest bisimulation, i.e., for all bisimulations R of an LTS M, R ⊆ ∼
• decidable for finite LTS
• decidable for some infinite LTS (e.g. timed automata)
• undecidable for π-calculus processes (and already for CCS)
Vending Machines. Q simulates P because the relation depicted on the slide is a simulation for Q and P.
Vending Machines. But P does not simulate Q: no simulation relation can contain the pair (P, Q).
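The vending machine argument above, carried out in code. This is an added example in Python, not material from the lecture: the two machines P and Q and the coffee drinker C are modelled as finite labelled transition systems with constructed state names, traces are enumerated, the largest simulation and bisimulation are computed as greatest fixpoints, and the restricted parallel compositions S = P | C and T = Q | C are searched for deadlocks. The function `simulates` follows the lecture's convention (s simulates t when some simulation R has sRt, i.e. every move of s is mirrored by t).

```python
# Added example (not from the lecture): vending machines as finite LTSs.
from itertools import product

# LTS: state -> set of (action, successor). All names below are constructed.
P = {"P": {("coin", "P1")}, "P1": {("coffee", "P2"), ("tea", "P3")},
     "P2": set(), "P3": set()}
Q = {"Q": {("coin", "Q1"), ("coin", "Q2")}, "Q1": {("coffee", "Q3")},
     "Q2": {("tea", "Q4")}, "Q3": set(), "Q4": set()}
# Coffee drinker: pays a coin, then insists on coffee. "co-a" is the co-action of a.
C = {"C": {("co-coin", "C1")}, "C1": {("co-coffee", "C2")}, "C2": set()}
ALL = {**P, **Q, **C}   # the three LTSs have disjoint state names


def traces(lts, start, bound=8):
    """All action sequences of length <= bound from `start` (all traces here: acyclic LTSs)."""
    result, frontier = {()}, {((), start)}
    for _ in range(bound):
        frontier = {(tr + (a,), t) for tr, s in frontier for a, t in lts[s]}
        result |= {tr for tr, _ in frontier}
    return result


def matched(lts, s, t, R):
    """Transfer condition: every move s -a-> s' is answered by t -a-> t' with (s', t') in R."""
    return all(any(b == a and (s2, t2) in R for b, t2 in lts[t]) for a, s2 in lts[s])


def matched_back(lts, s, t, R):
    """Every move t -a-> t' is answered by s -a-> s' with (s', t') in R."""
    return all(any(b == a and (s2, t2) in R for b, s2 in lts[s]) for a, t2 in lts[t])


def largest_relation(lts, bisim):
    """Greatest fixpoint on a finite LTS: start from all pairs and drop those violating
    the transfer condition until stable. bisim=True requires both directions."""
    R = set(product(lts, lts))
    while True:
        bad = {(s, t) for s, t in R
               if not matched(lts, s, t, R) or (bisim and not matched_back(lts, s, t, R))}
        if not bad:
            return R
        R -= bad


def simulates(s, t, lts=ALL):
    """Lecture convention: s simulates t iff some simulation R has s R t."""
    return (s, t) in largest_relation(lts, bisim=False)


def bisimilar(s, t, lts=ALL):
    return (s, t) in largest_relation(lts, bisim=True)


def compose(lts1, s1, lts2, s2):
    """Parallel composition with every action restricted: only synchronisations of a
    with co-a survive, as tau steps. Returns the reachable part of the product."""
    def co(a):
        return a[3:] if a.startswith("co-") else "co-" + a
    comp, todo = {}, [(s1, s2)]
    while todo:
        u, v = st = todo.pop()
        if st in comp:
            continue
        comp[st] = {("tau", (u2, v2)) for a, u2 in lts1[u] for b, v2 in lts2[v] if b == co(a)}
        todo += [t for _, t in comp[st]]
    return comp


def deadlocks(lts1, lts2, comp):
    """Composed states with no move although at least one component could still act."""
    return {(u, v) for (u, v), moves in comp.items() if not moves and (lts1[u] or lts2[v])}


if __name__ == "__main__":
    print("same traces:", traces(P, "P") == traces(Q, "Q"))
    print("Q simulates P:", simulates("Q", "P"), " P simulates Q:", simulates("P", "Q"))
    print("P ~ Q:", bisimilar("P", "Q"))
    print("deadlocks in S = P|C:", deadlocks(P, C, compose(P, "P", C, "C")))
    print("deadlocks in T = Q|C:", deadlocks(Q, C, compose(Q, "Q", C, "C")))
```

The deadlock in T is the state (Q2, C1): Q has already committed to tea while the drinker will only synchronise on coffee. The same state pair shows why P does not simulate Q under the lecture's convention: the move Q -coin-> Q2 must be answered by P -coin-> P1, but P1 then offers coffee, which Q2 cannot mirror.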
(Bi)simulation and Value Passing. Our earlier definition of simulation does not quite work for the π-calculus. Assume z ∈ fn(R, x). Then the process terms shown on the slide would not be bisimilar, because one of them can take a transition (shown on the slide) that the other cannot match. However, P and Q are structurally equivalent and both can take transitions x(w) for any other w.
Simulation for the π-calculus (early). Bisimulation and bisimilarity ∼ are defined as before.
Properties of Late Bisimulation. The relation ∼ is
• an equivalence relation
• itself a late bisimulation
• the largest late bisimulation
• a congruence for process terms
• Structural congruence ≡ is a late bisimulation, but ≡ is not identical to ∼
Are there algebraic laws for ∼ similar to the ones we used to define ≡?
Algebraic Laws for Late Bisimulation. Define the relation ≈ as follows:
• the rules as for ≡
• one more rule for parallel composition (given on the slide)
Soundness and Completeness. Theorem: For all process terms P and Q: P ∼ Q iff P ≈ Q. This is one of the main results of [Milner, Parrow, Walker, 1992]. We can use equational reasoning to prove bisimilarity of process terms.
Beyond this Lecture
• other notions of bisimulation for the π-calculus
• weak bisimulation: allows stuttering transitions
• barbed bisimulation: induces a congruence equivalent to early strong bisimulation
• logical characterizations of bisimulation
• Hennessy-Milner Logic for CCS [1985]
• π-μ-calculus [Dam, 2003]
A Publish/Subscribe Service in Scala

```scala
// Publish/subscribe service from the slides (scala.actors), reformatted.
// `*` and `choose` denote nondeterministic choice as on the slides and are not
// Scala; `...` marks elisions made on the slides.
import scala.actors.Actor
import scala.actors.Actor._

sealed abstract class Category
case object Cat1 extends Category
...
case object CatN extends Category
case object List   // shadows scala.List in this file; kept as on the slide
case class Categories(cats: Set[Category])
...
// Remaining messages used below (their declarations are elided on the slide)
case class Subscribe(c: Category)
case class Unsubscribe(c: Category)
case object Publish
case object Who
case object Credential
case object Deny
case class Content(c: Category)

class Server extends Actor {
  // enl maps each category to the set of subscribers enlisted for it
  def loop(enl: Map[Category, Set[Actor]]) {
    val cats = Set(Cat1, ..., CatN)
    react {
      case List => {
        reply(Categories(cats))
        react {
          case Subscribe(c) => loop(enl + (c -> (enl(c) + sender)))
        }
      }
      case Unsubscribe(c) => loop(enl + (c -> (enl(c) - sender)))
      case Publish => {
        reply(Who)
        react {
          case Credential =>
            if (*) {                      // credential accepted
              reply(Categories(cats))
              react {
                case Content(c) =>
                  enl(c).foreach(_ ! Content(c))   // forward to every enlisted subscriber
                  loop(enl)
              }
            } else {                      // credential rejected
              reply(Deny)
              loop(enl)
            }
        }
      }
    }
  }
  // initially no subscriber is enlisted for any category
  override def act() = loop(Map.empty[Category, Set[Actor]].withDefaultValue(Set.empty))
}

class Subscriber(server: Actor) extends Actor {
  def loop(cat: Category): Unit = {
    if (*) {                              // keep listening
      react {
        case Content(c) => if (c != cat) error("...") ...
      }
    } else {                              // or leave
      server ! Unsubscribe(cat)
      exit('normal)
    }
  }
  override def act(): Unit = {
    server ! List
    react {
      case Categories(cats) =>
        val cat = cats.choose
        loop(cat)
    }
  }
}

class Publisher(server: Actor) extends Actor {
  override def act(): Unit = {
    server ! Publish
    react {
      case Who =>
        reply(Credential)
        react {
          case Categories(cats) =>
            val c = cats.choose
            reply(Content(c))
            if (*) act() else exit('normal)
          case Deny => exit('badCredential)
        }
    }
  }
}
```
A Publish/Subscribe Service in Scala. The configuration graph on the slide shows Subscriber and Publisher processes linked to the Server through server and sender references, the Server’s enlistment entries enl(Cat1) and enl(Cat2), and a pending Content(Cat1) message.
• Infinite state system
• the number of Subscriber and Publisher processes and
• the number of messages in mailboxes can grow unboundedly
Verification of Safety Properties. “Shape Invariants” (illustrated on the slide by a Subscriber–Server configuration with a Content(Cat1) message):
• “The server link of a Subscriber always points to a Server”
• “Subscribers only receive content they are enlisted to”
• “No process ever reaches a local error state”
Undecidability of Verification Problems. Encoding of a two counter machine: a state machine process and two counters, each counter represented by a chain of cells linked by next references (figure on the slide). Are there any interesting fragments with decidable verification problems?
Depth-Bounded Systems (DBS) [Meyer 2008]. Definition: A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable state graphs. The actual definition is in terms of π-calculus processes.
Depth-Bounded Systems (DBS). In the publish/subscribe configuration shown on the slide (Subscribers, Publishers and the Server linked by server and sender references, enl entries and Content(Cat1) messages), the maximal length of any simple path is 5.
The Covering Problem. Given a transition system with initial configuration init and a bad configuration bad, decide whether there is a reachable configuration that “covers” the bad one.
The Covering Problem. Application: verify the absence of bad patterns, e.g. “Subscribers only receive content they are enlisted to” (the bad pattern on the slide: a Subscriber enlisted for Cat1 receiving Content(Cat2)). The covering problem is decidable for DBSs.
Well-Quasi-Orderings
• Definition
• A relation ≤ ⊆ S × S is a well-quasi-ordering iff
• ≤ is a quasi-ordering (reflexive and transitive), and
• for any infinite sequence s1, s2, … there are i < j such that si ≤ sj
• Examples
• identity relation on a finite set
• order on the natural numbers
• extension of a well-quasi-ordering on an alphabet to words over the alphabet (Higman’s Lemma)
• tree embedding order (Kruskal’s Tree Theorem)
Well-Structured Transition Systems (WSTS) [Finkel 1987]
• Definition
• A WSTS is a tuple (S, init, →, ≤) where
• (S, init, →) is a transition system
• ≤ is a well-quasi-ordering on S
• ≤ is a simulation relation: for all s, t, s’ ∈ S with s → s’ and s ≤ t there exists t’ ∈ S with t → t’ and s’ ≤ t’
• Examples
• Petri nets
• lossy channel systems
Predicate Transformers. Let M = ⟨S, init, →⟩ be a transition system. For X ⊆ S define the predicate transformers post and pre (definitions on the slide). Using post we can define the reachable states of M: Reach(M) = lfp X. post(X) ∪ {init}
Upward and Downward Closures. ↓Y = {y’ ∈ S | ∃y ∈ Y. y’ ≤ y} and ↑X = {x’ ∈ S | ∃x ∈ X. x ≤ x’}
Some Properties of Closed Sets. Let ≤ be a quasi-ordering on S and M = ⟨S, init, →⟩ a transition system. Then
• the upward closed subsets of S are closed under unions and intersections. What is more, ↑(X ∪ Y) = ↑X ∪ ↑Y and ↓(X ∩ Y) = ↓X ∩ ↓Y
• the same holds for downward closed sets
• if ≤ is a simulation for M then the upward closed subsets of S are closed under pre
• if ≤ is a well-quasi-ordering then every upward closed subset of S has finitely many minimal elements
Covering Problem. Let M = ⟨S, init, →⟩ be a transition system, ≤ a quasi-ordering on S and bad ∈ S a state. The covering problem asks whether bad ∈ ↓(Reach(M)) = ↓(lfp X. post(X) ∪ {init}), respectively init ∈ lfp X. pre(X) ∪ ↑bad. For a WSTS M = ⟨S, init, →, ≤⟩ with decidable ≤ and computable pre, the covering problem is decidable.
Backward Algorithm for the Covering Problem of WSTS. Starting from ↑bad, compute the chain ↑bad, pre(↑bad), …, pre^k(↑bad) until the least fixpoint lfp X. pre(X) ∪ ↑bad is reached, and check whether init lies in it (the slide animates this backward search from bad towards init).
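The backward algorithm run on the textbook WSTS, a Petri net. This is an added example in Python, not material from the lecture: markings are tuples in N^k ordered componentwise (a well-quasi-ordering by Dickson's lemma), an upward closed set is represented by its finite set of minimal elements, and pre of an upward closed set is computed with the standard Petri-net formula, which is assumed here rather than taken from the slides. The mutual-exclusion net, its initial marking and the two bad markings are constructed for the example.

```python
# Added example (not from the lecture): backward covering on a Petri net.

def leq(m, n):
    """Componentwise order on markings: decidable, and a simulation for Petri nets."""
    return all(a <= b for a, b in zip(m, n))


def minimal(markings):
    """Finite basis of the upward closure: drop every element that covers another one."""
    ms = set(markings)
    return {m for m in ms if not any(n != m and leq(n, m) for n in ms)}


def pre_basis(pre_t, post_t, m):
    """Minimal element of pre_t(↑m): a predecessor m' must enable t (m' >= pre_t) and
    satisfy m' - pre_t + post_t >= m, i.e. m' >= max(pre_t, m + pre_t - post_t)."""
    return tuple(max(f, x + f - g) for f, g, x in zip(pre_t, post_t, m))


def backward_cover(net, init, bad):
    """Decide whether a reachable marking covers `bad`: iterate X := X ∪ pre(X) from
    X = ↑bad on bases of minimal elements until the fixpoint, then test init ∈ lfp.
    The upward closed sets form an ascending chain, which stabilises because the
    componentwise order is a WQO, so the loop terminates."""
    basis = {bad}
    while True:
        new = minimal(basis | {pre_basis(f, g, m) for m in basis for f, g in net})
        if new == basis:
            return any(leq(m, init) for m in basis)
        basis = new


# Constructed net: two processes and one semaphore.
# Places, in order: (idle1, idle2, crit1, crit2, mutex); each transition is (pre, post).
MUTEX_NET = [
    ((1, 0, 0, 0, 1), (0, 0, 1, 0, 0)),   # enter1: idle1 + mutex -> crit1
    ((0, 0, 1, 0, 0), (1, 0, 0, 0, 1)),   # exit1 : crit1 -> idle1 + mutex
    ((0, 1, 0, 0, 1), (0, 0, 0, 1, 0)),   # enter2: idle2 + mutex -> crit2
    ((0, 0, 0, 1, 0), (0, 1, 0, 0, 1)),   # exit2 : crit2 -> idle2 + mutex
]
INIT = (1, 1, 0, 0, 1)
BOTH_CRITICAL = (0, 0, 1, 1, 0)   # bad pattern: mutual exclusion violated
ONE_CRITICAL = (0, 0, 1, 0, 0)    # benign pattern: some process is critical


if __name__ == "__main__":
    print("both critical coverable:", backward_cover(MUTEX_NET, INIT, BOTH_CRITICAL))
    print("one critical coverable:", backward_cover(MUTEX_NET, INIT, ONE_CRITICAL))
```

Only the basis is ever stored, which is what makes the procedure effective: the requirements of the lecture (decidable ≤, computable pre) show up as `leq` and `pre_basis`, and termination of the `while` loop is exactly the stabilisation of the ascending chain of upward closed sets.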
Depth-Bounded Systems as WSTS
• Depth-bounded systems form WSTS for
• their reachable states
• and the quasi-ordering induced by subgraph isomorphism
Next we show that this ordering is a well-quasi-ordering on the reachable states.
Well-Quasi Ordering on States of DBS
• the subgraph ordering is well-founded, but what about infinite antichains?
• In general, infinite antichains exist, but not if we restrict ourselves to states of depth-bounded systems
Idea of the proof:
• encode state graphs of DBS and the subgraph ordering into labeled trees
• show that Kruskal’s Tree Theorem can be applied to the tree encoding
Closure of a Tree. Add edges according to the transitive closure of the edge relation. Every (undirected) graph is contained in the closure of some tree.
Tree-Depth of a Graph. Definition: The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contains G. (In the slide’s example the tree has height 2 and the graph has tree-depth 2.)
Tree-Depth and Depth-Bounded Systems. Proposition: A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths. Hence the reachable configurations of a depth-bounded system have bounded tree-depth.
Tree Encodings of Depth-Bounded Graphs. Take a minimal tree whose closure contains the graph G. Label each node v in the tree by the subgraph of G induced by the nodes on the path to v. The result is tree(G). The number of labels used in the encoding is finite.
Homeomorphic Tree Embedding. Extend the quasi-ordering ≼ on vertex labels to a quasi-ordering ≼T on trees as follows: T1 ≼T T2 iff either
• for the root vertices v1 and v2 of T1, T2 we have label(v1) ≼ label(v2), and for every subtree T’1 of T1 rooted in a child of v1 there exists a subtree T’2 of T2 rooted in a child of v2 such that T’1 ≼T T’2, or
• there exists a subtree T’2 of T2 rooted in a child of the root of T2 such that T1 ≼T T’2.
One can show for all graphs G1, G2: tree(G1) ≼T tree(G2) implies that G1 is below G2 in the subgraph ordering.
Kruskal’s Tree Theorem. Theorem [Kruskal 1960, Nash-Williams 1963]: Homeomorphic tree embedding is a well-quasi-ordering on finite trees labeled by a WQO set. Hence subgraph isomorphisms induce a well-quasi-ordering on the reachable states of a depth-bounded system.
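The homeomorphic tree embedding defined above, written out as a decision procedure. This is an added example in Python, not material from the lecture: trees are `(label, children)` pairs, labels are constructed sets ordered by inclusion (mimicking the induced-subgraph labels of tree(G)), and `embeds` follows the two clauses of the definition. It goes one step beyond the slide in offering an `injective` mode, in which distinct children of T1 must be matched to distinct children of T2, the form in which Kruskal's theorem is usually stated; `injective=False` is the literal reading of the first clause as written on the slide.

```python
# Added example (not from the lecture): homeomorphic tree embedding T1 ≼T T2.
# A tree is (label, [children]). Labels and the label ordering are constructed here.

def embeds(t1, t2, leq, injective=True):
    """t1 ≼T t2 per the slide: clause (2) t1 embeds into some child subtree of t2, or
    clause (1) the root labels are ordered and each child subtree of t1 embeds into a
    child subtree of t2 (injectively if injective=True, the Kruskal form)."""
    label1, kids1 = t1
    label2, kids2 = t2
    if any(embeds(t1, c, leq, injective) for c in kids2):        # clause (2)
        return True
    if not leq(label1, label2):                                   # clause (1), roots
        return False
    if not injective:                                             # literal slide reading
        return all(any(embeds(c1, c2, leq, False) for c2 in kids2) for c1 in kids1)
    return _match(kids1, kids2, leq, frozenset())


def _match(kids1, kids2, leq, used):
    """Backtracking search for an injective assignment of kids1 to distinct kids2."""
    if not kids1:
        return True
    first, rest = kids1[0], kids1[1:]
    for j, c2 in enumerate(kids2):
        if j not in used and embeds(first, c2, leq, True) and _match(rest, kids2, leq, used | {j}):
            return True
    return False


def subset(a, b):
    """Label quasi-ordering: a label (set of vertex names) is below a larger one."""
    return a <= b


# Constructed trees; each label plays the role of an induced subgraph on a root path.
T_SMALL = ({"a"}, [({"a", "b"}, [])])
T_BIG = ({"a"}, [({"a", "c"}, [({"a", "b"}, [])]), ({"a", "b", "d"}, [])])
T_ONE = ({"a"}, [({"a", "b"}, [])])
T_TWO = ({"a"}, [({"a", "b"}, []), ({"a", "b"}, [])])


if __name__ == "__main__":
    print("T_SMALL ≼T T_BIG:", embeds(T_SMALL, T_BIG, subset))
    print("T_BIG ≼T T_SMALL:", embeds(T_BIG, T_SMALL, subset))
    print("T_TWO ≼T T_ONE, non-injective:", embeds(T_TWO, T_ONE, subset, injective=False))
    print("T_TWO ≼T T_ONE, injective:", embeds(T_TWO, T_ONE, subset, injective=True))
```

The last two calls show why the injectivity side condition matters: without it a tree with two identical children embeds into a tree with one such child, so the relation would not track how many copies of a sub-configuration (for instance, how many enlisted subscribers) a state contains.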
Backward Algorithm for the Covering Problem of WSTS. Requirements:
• ≤ is decidable
• pre is effectively computable
Backward Analysis of DBSs
• the WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations
• reachability is undecidable, so pre is not computable for the induced WSTS
• only option: if the bound of the system is k, define the WSTS wrt. the set of all graphs of depth at most k
• termination of a backward analysis can then only be ensured if the bound of the system is known a priori
The standard backward algorithm is not a decision procedure for the covering problem of DBS.
Forward Analysis of DBS. Is there a forward analysis that decides the covering problem for depth-bounded systems? Yes, there is. See [Wies, Zufferey, Henzinger, FoSSaCS’10] for the details. We are currently building a software model checker for Scala actors based on this algorithm.
Backward Analysis is Impractical. Backward analysis has to guess the sender (and other parameters) of sent messages, which causes an explosion in nondeterminism (illustrated on the slide by a Subscribe(Cat1) message whose sender and server links must be guessed).