
CCS: Property Specification

CCS: Property Specification. Reading: Slides. Mads Dam.
Goal: Logic to express interesting correctness properties for CCS.
CCS: Standard labelled transition system, so LTL and CTL apply.
Here: Introduce a very powerful temporal logic – the mu-calculus – with strong ties to bisimulation equivalence.



Presentation Transcript

  1. CCS: Property Specification
     Reading: Slides
     Mads Dam

  2. Temporal Logics for CCS
     Goal: Logic to express interesting correctness properties for CCS
     CCS: Standard labelled transition system, so LTL and CTL apply
     Here: Introduce very powerful temporal logic – mu-calculus
     Strong ties to bisimulation equivalence

  3. Modal Logic
     Logic for possibility/contingency and necessity
     <>:  is possible
     []:  is necessary
     Kripke structure: Possible worlds and accessibility relation
     w : <> :  holds in some w’ accessible from w
     w : [] :  holds in all w’ accessible from w
     Here: Use a labelled accessibility relation →
     Note: LTL and CTL are themselves modal logics, with modalities such as O, AX, EX, F, G, U (binary), AF, etc.

  4. Hennessy-Milner Logic - HML
     Modal logic with labelled accessibility/transition relation
     P ⊨ <>  holds in some P’ such that P  P’
     P ⊨ []  holds in all P’ such that P  P’
     Directly representable as unary FOL predicate:
     (<>)(P) iff ∃P’. P → P’ ∧ (P’)
     ([])(P) iff ∀P’. P → P’ implies (P’)
     HML syntax:
     •  ::= true | false |    |    | <>  | [] 
     Positive form, no negation needed
     De Morgan:  <>  = []  ,  []  = <> 

  5. HML - Examples
     • P ⊨ <in>true: an ”in” action is possible in state P
     • P ⊨ [out]false: no ”out” action is possible in state P
     • P ⊨ <in><out>true: ...
     • P ⊨ <in>[in]false: ...
     Distinguishing formula: <a>[b]false distinguishes a.b.0 + a.c.0 from a.(b.0 + c.0)
     HML characterises strong bisimulation equivalence for CCS:
     Theorem (Modal Characterisation): Provided all process definitions are guarded, the following statements are equivalent for P, Q guarded:
     • P ∼ Q
     • For all HML formulas , if P ⊨  then Q ⊨ 

  6. Proof of Modal Characterisation
     (This material is intermediate level)
     1 → 2: Use induction on structure of 
     2 → 1: Let:
     P ∼_0 Q (always)
     P ∼_{i+1} Q iff
     • whenever P → P’ then exists Q’ such that Q → Q’ and P’ ∼_i Q’
     • whenever Q → Q’ then exists P’ such that P → P’ and P’ ∼_i Q’
     Exercise: Show that for all i ∈ N, ∼_i ⊇ ∼_{i+1} (monotonicity)
     Let P ∼’ Q iff P ∼_i Q for all i ∈ N
     Exercise: Show that P ∼’ Q if P ∼ Q
     Exercise: Show that if P is guarded then {P’ | P → P’} is finite (terminology: P is image finite)

  7. Modal Characterisation, II
     We show P ∼’ Q implies P ∼ Q.
     If P → P’ then there exists some Q’ such that for infinitely many i ∈ N, Q → Q’ and P’ ∼_i Q’
     This follows from image finiteness
     But then P’ ∼_i Q’ for all i ∈ N
     This follows from monotonicity
     Symmetrically, if Q → Q’ some P’ can be found
     But then ∼’ is a strong bisimulation relation, so P ∼ Q
     So if P ≁ Q then there is some i ∈ N such that P ≁_i Q
     Use this to construct HML formula P,i such that P ⊨  and Q ⊨ :

  8. Modal Characterisation, III
     Suppose P ≁_i Q
     Construct P,i by induction on i
     Base case, i = 0: Immediate contradiction since P ∼_0 Q
     Induction step, i = i’+1:
     Let P,i = ∧{<>P’,i’ | P → P’} ∧ (∧[](∨{P’,i’ | P → P’}))
     Use induction to show P ⊨ P,i
     Since P ≁_i Q either
     • P → P’, some P’, and whenever Q → Q’ then P’ ≁_{i’} Q’, or
     • Q → Q’, some Q’, and whenever P → P’ then P’ ≁_{i’} Q’
     In either case the argument is closed by the induction hypothesis
     Exercise: Fill in the details

  9. A Proof System for HML
     (each rule written as premises / conclusion, with its name and side condition)
     True:  –  /  P : true
     OrL:   P :   /  P :   
     OrR:   P :   /  P :   
     And:   P :   P :   /  P :   
     Dia:   P’ :   /  P : <>    (P → P’)
     Box:   P1 :  ... Pn :   /  P : []    ({P1,...,Pn} = {P’ | P → P’})

  10. Extensions
     Action sets
     • Sets L  Act label the modalities <L>, [L]
     • L = {  |   L }
     • Complementation: -L abbreviates Act-L; - abbreviates Act-
     • Examples: [-]false, [in][-out]false
     Weak modalities <<L>>, [[L]]:
     • Refer to the weak transition relations
     • Example: [[in]][[-(out,eps)]]false

  11. Adding Recursion to HML
     Adding a temporal dimension to HML
     Observation: CTL operators are recursive, e.g. AG =  ∧ AX AG
     Unfortunately, equations do not have unique solutions
     Which sets satisfy the equation X = <>X ?
     • Sol’n 1: X = false
     • Sol’n 2: X =  = {P_0 | for all i > 0 there is P_i such that P_{i-1}  P_i}
     Sol’n 1: least solution, X. <>X
     Sol’n 2: greatest solution, X. <>X

  12. -Calculus, II
     Unfolding fixed point formulas ( is either  or ):
     X. = [X./X]
     Example: X.<>X = <>X.<>X = <><>X.<>X ...
     Fixed point approximants:
     0X. = false    0X. = true
     k+1X. = [kX./X]    k+1X. = [kX./X]
     Knaster-Tarski Theorem (for CCS and strong transitions):
     X. = k.kX.    X. = k.kX.
     Note that:
     0X.  1X.  2X.  ...  X.
     0X.  1X.  2X.  ...  X.

  13. Example Properties
     -calculus: Tiny programming language for program properties
     AG:                             X.  [-]X
     terminates:                     X.[-]X
     AF:                             X.  (<->tt  [-]X)
     A( U ):                        X. ∨ ( ∧ [-]X)
     Eventually  has to be taken:    X.<->tt  [-]X
     On all paths infinitely often :  X.Y.(  [-]X)  [-]Y
     <<>>:                          X.  <>X
     <<>>:                          <<>><><<>>
     Point to note: Once some abbreviation has been introduced it’s free to be used, of course.

  14. Example: Buffer Properties
     Ongoing capability:         X.<<in>><<out>>X
     Alternation of in and out:  AG [[in]][[-out]]false,  AG [[out]][[in]]false
     Deadlock freedom:           AG <->tt
     Progress:                   AG X.[]X
     Word of warning: It’s easy to say ”alternation of in and out”. What do you actually mean? More precisely: Which property of infinite labelled trees are you after?

  15. Proof Rules for Fixed Point Formulas
     Let A be a set of CCS terms:
     P ⊨_A X. means P ⊨ [_{A{P}}X./X] or P  A
     P ⊨_A X. means P ⊨ [_{A{P}}X./X] and P  A
     Idea: Has P been already visited?
     Proof rules (premises / conclusion):
     Fix1:  P : [_{A,P}X./X]  /  P : _A X.    (P  A)
     Fix2:  –  /  P : _A X.    (P  A)
     And a ”negative” rule:
     Fix3:  P : _A X.  /  – give up –    (P  A)

  16. Example
     Buf = in.out.Buf
     Sys = (Buf[comm/out] | Buf[comm/in])\{comm}
     Spec = ”On all paths infinitely often out is possible” = X.Y.(<out>true  [-]X)  [-]Y
     Prove Sys : Spec
     Proof given in class
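As an added example (not part of the slides), a small Python model checker for the modal mu-calculus over a finite labelled transition system: it computes mu and nu by Knaster-Tarski approximant iteration (slide 12), checks the distinguishing formula <a>[b]false from slide 5, and checks Spec against Sys from this slide. The tuple encoding of formulas, the state names S0..S3 for Sys and the reading of Spec as nu X. mu Y. (<out>true and [-]X) or [-]Y are assumptions of this example; the restricted comm synchronisation is shown as tau.

```python
# Formula encoding (constructed for this example): ('tt',) ('ff',) ('var',X)
#   ('and',f,g) ('or',f,g) ('dia',L,f) ('box',L,f) ('mu',X,f) ('nu',X,f)
ALL = None  # the action set "-": every action, tau included

def succ(trans, p, acts):
    """Successors of p via an action in acts (ALL means any action)."""
    return {q for s, a, q in trans if s == p and (acts is ALL or a in acts)}

def sem(states, trans, f, env=None):
    """Set of states satisfying f; env maps fixed-point variables to state sets."""
    env, op = env or {}, f[0]
    if op == 'tt': return set(states)
    if op == 'ff': return set()
    if op == 'var': return set(env[f[1]])
    if op in ('and', 'or'):
        l, r = sem(states, trans, f[1], env), sem(states, trans, f[2], env)
        return l & r if op == 'and' else l | r
    if op in ('dia', 'box'):  # <L>f: some L-successor satisfies f; [L]f: all of them do
        inner, test = sem(states, trans, f[2], env), (any if op == 'dia' else all)
        return {p for p in states if test(q in inner for q in succ(trans, p, f[1]))}
    return approximants(states, trans, f, env)[-1]  # 'mu' / 'nu': take the fixed point

def approximants(states, trans, f, env=None):
    """Knaster-Tarski chain from false (mu) or true (nu) up to the fixed point (slide 12)."""
    op, x, body = f
    chain = [set() if op == 'mu' else set(states)]
    while True:
        nxt = sem(states, trans, body, {**(env or {}), x: chain[-1]})
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)

# Constructed LTS for slide 5: a.b.0 + a.c.0 (state P) and a.(b.0 + c.0) (state Q).
HML_STATES = ['P', 'b.0', 'c.0', 'Q', 'b.0+c.0', '0']
HML_TRANS = [('P', 'a', 'b.0'), ('P', 'a', 'c.0'), ('b.0', 'b', '0'), ('c.0', 'c', '0'),
             ('Q', 'a', 'b.0+c.0'), ('b.0+c.0', 'b', '0'), ('b.0+c.0', 'c', '0')]
DISTINGUISH = ('dia', {'a'}, ('box', {'b'}, ('ff',)))  # <a>[b]false
# Constructed LTS for slide 16: Sys = (Buf[comm/out] | Buf[comm/in])\{comm}, Buf = in.out.Buf.
# S0: both empty, S1: first full, S2: second full, S3: both full; restricted comm shows as tau.
SYS_STATES = ['S0', 'S1', 'S2', 'S3']
SYS_TRANS = [('S0', 'in', 'S1'), ('S1', 'tau', 'S2'), ('S2', 'out', 'S0'),
             ('S2', 'in', 'S3'), ('S3', 'out', 'S1')]
# Spec read as nu X. mu Y. (<out>true and [-]X) or [-]Y: infinitely often out is possible.
SPEC = ('nu', 'X', ('mu', 'Y', ('or', ('and', ('dia', {'out'}, ('tt',)), ('box', ALL, ('var', 'X'))),
                                      ('box', ALL, ('var', 'Y')))))
if __name__ == '__main__':
    print('satisfy <a>[b]false:', sem(HML_STATES, HML_TRANS, DISTINGUISH))  # {'P'}: Q fails
    print('satisfy Spec:', sem(SYS_STATES, SYS_TRANS, SPEC))  # all four states of Sys
    print('mu Y approximants:', approximants(SYS_STATES, SYS_TRANS, SPEC[2], {'X': set(SYS_STATES)}))
```

The approximant chain for the inner mu Y (with X fixed to all states) grows from the empty set through {S2, S3} and {S1, S2, S3} to all states, which is exactly the monotone chain the Knaster-Tarski theorem on slide 12 describes.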
