Circular causality in event structures Tiziana Cimoli Dip. - - PowerPoint PPT Presentation

Circular causality in event structures

Tiziana Cimoli

• Dip. Matematica e Informatica, Universit`

a degli Studi di Cagliari t.cimoli@unica.it

(joint work with M. Bartoletti, G.M. Pinna, R. Zunino)

1 / 38

A typical transaction

• 1. B pays.
• 2. A ships.

2 / 38

A distrusted transation

• 1. B pays.
• 2. A takes the money and runs away.

3 / 38

Contract based computing (1)

4 / 38

Contract based computing (2)

5 / 38

Contract based computing (3)

6 / 38

Contract based computing (4)

7 / 38

A model for contracts

The model must be able to :

◮ decide if γ has an agreement ◮ make γ evolve under actions ◮ assign duties to principals ◮ detect violations

Example: “A will ship after B does pay”

◮ contract-as-process: pay. ship ◮ contract-as-formula: pay → ship

8 / 38

Winskel’s Event structures

Event structures E = (E, #, ⊢) are made of:

◮ a set of events E, ◮ a conflict relation #

(e1 # e2)

◮ an enabling relation ⊢

(X ⊢ e2) ES Contract {payCC} ⊢ ship I will ship after you payCC {payCash} ⊢ ship ⇐ ⇒ I will ship after you payCash payCash # payCC I will either payCC or payCash

9 / 38

ES: Configurations

A set C of events is a configuration if,

• 1. C is conflict free and
• 2. for all e ∈ C, there exists a sequence e0, . . . , en of

events of C such that en = e and: ∀i ≤ n : {e0, . . . , ei−1} ⊢ ei The set of configurations of E is denoted by FE.

10 / 38

Example

∅ ⊢ a {a} ⊢ b {a} ⊢ c b#c a b c F = { ∅, {a}, {a, b}, {a, c}}

11 / 38

Buyer-Seller (1)

• 1. A says: I ship, after you pay.
• 2. B says: I pay, after you ship.

Modelled as an event structure:

◮ EA : {pay} ⊢ ship ◮ EB : {ship} ⊢ pay

The event structure EA ∪ Eb does not have any configuration besides the empty one:

◮ no agreement and no move !

12 / 38

Buyer-Seller (2)

• 1. A says: I ship, after you pay.
• 2. B says: I pay.

Modelled as an event structure:

◮ EA : {pay} ⊢ ship ◮ EB : ∅ ⊢ pay

Configurations of EA ∪ Eb are : ∅, {pay} and {pay, ship}. On {pay, ship} there is an agreement.

13 / 38

Buyer-seller: the attack (3)

Now, an attack is possible:

• 1. M(A) says: 1 sheep, after you pay
• 2. B says: I pay.

Modelled as an event structure:

◮ EM: {pay} ⊢ sheep ◮ EB: ∅ ⊢ pay

The problem: a contract of the form ∅ ⊢ a offers no protection.

14 / 38

The idea.

• 1. M(A) says: 1 sheep, after you pay
• 2. B says: I will pay if you promise to ship.

Modelled as an event structure:

◮ EA : {pay} ⊢ sheep. ◮ EB : {ship}pay.

Now, B is protected.

15 / 38

Event structures with circular causality

CES E = (E, #, ⊢, ) are made of:

◮ a set of events E, ◮ a conflict relation #, ◮ an enabling relation ⊢, ◮ a circular enabling relation .

CES: {pay} ⊢ ship {ship} pay ⇐ ⇒ Contract: I will ship after you pay. I will pay if you promise to ship.

16 / 38

Event structures with circular causality

CES E = (E, #, ⊢, ) are made of:

◮ a set of events E, ◮ a conflict relation #, ◮ an enabling relation ⊢, ◮ a circular enabling relation .

CES: {pay}

• ship

{ship} pay ⇐ ⇒ Contract: I will ship if you promise to pay. I will pay if you promise to ship.

17 / 38

CES: configurations

Winskel’s configurations: ∀i ≤ n : {e0, . . . , ei−1} ⊢ ei CES configurations: ∀i ≤ n : {e0, . . . , ei−1} ⊢ ei ∨ {e0, . . . , en} ei

18 / 38

CES: example

pay ⊢ ship ship pay ship pay Configurations:

◮ ∅ ◮ {ship, pay} has only the trace pay, ship

19 / 38

ES: families of configurations

The set F of configurations of an ES satisfies:

◮ coherence:

for all A ⊆ F pairwise compatible1 = ⇒ A ∈ F

1A ⊆ F pairwise compatible iff ∀e, e′ ∈ A. ∃C ∈ F. e, e′ ∈ C

20 / 38

ES: families of configurations

The set F of configurations of an ES satisfies:

◮ coherence:

for all A ⊆ F pairwise compatible1 = ⇒ A ∈ F

◮ finiteness:

∀C ∈ F. ∀e ∈ C. ∃C0 ∈ F. e ∈ C0 ⊆fin C

1A ⊆ F pairwise compatible iff ∀e, e′ ∈ A. ∃C ∈ F. e, e′ ∈ C

20 / 38

ES: families of configurations

The set F of configurations of an ES satisfies:

◮ coherence:

for all A ⊆ F pairwise compatible1 = ⇒ A ∈ F

◮ finiteness:

∀C ∈ F. ∀e ∈ C. ∃C0 ∈ F. e ∈ C0 ⊆fin C

◮ coincidence-freeness:

for all C ∈ F, and for all e = e′ ∈ C: ∃C ′ ∈ F. C ′ ⊆ C ∧ (e ∈ C ′ ⇐ ⇒ e′ ∈ C ′)

1A ⊆ F pairwise compatible iff ∀e, e′ ∈ A. ∃C ∈ F. e, e′ ∈ C

20 / 38

CES: quasi-families of configurations

The set F of configurations of a CES form a quasi-family of subsets of events because it satisfies

◮ coherence and ◮ finiteness

... but in general it does not satisfy coincidence-freeness!

Example

pay ⊢ ship ship pay F = {∅, {pay, ship}} ship pay

21 / 38

From Quasi-families to CES

Theorem. For all quasi-families of configurations F, there exists a CES ˆ E (with circular enablings only) such that

Fˆ

E = F

22 / 38

ES: LTS

Winksel’s LTS: C ⊢ e CF(C ∪ {e}) C

e

− →E C ∪ {e} Ex: ⊢ a, {a} ⊢ b ∅

a

− → {a}

b

− → {a, b} What happens in CES? Ex: {b} a, {a} ⊢ b ∅

a

− → ?

b

− → {a, b}

23 / 38

CES: X-configurations

CES Configurations: {e0, . . . , ei−1} ⊢ ei ∨ {e0, . . . , en} ei CES X-configurations: {e0, . . . , ei−1} ⊢ ei ∨ {e0, . . . , en} ei ∨ ei ∈ X The set of all X-configurations is denoted by F(X). X is a superset of all the pending credits.

24 / 38

Example

pay ⊢ ship ship pay ship pay (∅, ∅)

a

− − → {{a}, {a}}

b

− − → {{a, b}, ∅}

25 / 38

Example

pay ⊢ ship ship pay ship pay (∅, ∅)

a

− − → {{a}, {a}}

b

− − → {{a, b}, ∅} | | | F(∅) F({a}) F(∅)

25 / 38

LTS for event structures

Winksel’s LTS: C ⊢ e CF(C ∪ {e}) C

e

− →E C ∪ {e} CES’ LTS: CF(C ∪ {e}) (C, X)

e

− →E (C ∪ {e}, X ′)

where X ′ = least credit of C ∪ {e}

26 / 38

Properties of X-configurations (1)

• Th. If CF(C ∪ C ′):

C ∈ F(X) C ′ ∈ F(X ∪ C) C ∪ C ′ ∈ F(X)

27 / 38

Properties of X-configurations (1)

• Th. If CF(C ∪ C ′):

C ∈ F(X) C ′ ∈ F(X ∪ C) C ∪ C ′ ∈ F(X) In Intuitionistic Propositional Logic: Γ ⊢ p Γ, p ⊢ q Γ ⊢ q

(Cut)

27 / 38

Properties of X-configurations (2)

• Th. If CF(C ∪ C ′):

C ∈ F(X) C ′ ∈ F(X ∪ Y ) C ⊢ Y C ∪ C ′ ∈ F(X)

28 / 38

Properties of X-configurations (2)

• Th. If CF(C ∪ C ′):

C ∈ F(X) C ′ ∈ F(X ∪ Y ) C ⊢ Y C ∪ C ′ ∈ F(X) In Intuitionistic Propositional Logic: Γ ⊢ p Γ, q ⊢ r p → q ∈ Γ Γ ⊢ r

(→L)

28 / 38

Other properties of X-configurations (3)

• Th. If CF(C ∪ C ′):

C ∈ F(X ∪ C ′) C ′ ∈ F(X ∪ Y ) C Y C ∪ C ′ ∈ F(X)

29 / 38

Other properties of X-configurations (3)

• Th. If CF(C ∪ C ′):

C ∈ F(X ∪ C ′) C ′ ∈ F(X ∪ Y ) C Y C ∪ C ′ ∈ F(X) Γ, r ⊢ p Γ, q ⊢ r p ։ q ∈ Γ Γ ⊢ r

(Fix)

29 / 38

Other properties of X-configurations (3)

• Th. If CF(C ∪ C ′):

C ∈ F(X ∪ C ′) C ′ ∈ F(X ∪ Y ) C Y C ∪ C ′ ∈ F(X) Γ, r ⊢ p Γ, q ⊢ r p ։ q ∈ Γ Γ ⊢ r

(Fix) Propositional Contract Logic (PCL) - M. Bartoletti & R. Zunino, LICS’10

29 / 38

Propositional Contract Logic

(M. Bartoletti & R. Zunino, LICS’10)

Syntax: p ::= IPC formulae | p ։ p Axioms: IPC axioms + some for the contractual implications: ⊤ ։ ⊤ (p ։ p) → p (p′ → p) → (p ։ q) → (q → q′) → (p′ ։ q′) Note: a ։ b ∧ b ։ a ⊢PCL a ∧ b

30 / 38

Structural properties of PCL

Gentzen-style proof system ⊢PCL:

◮ consistency ◮ subformula property ◮ cut elimination ◮ decidability

PCL not homomorphically encodable into IPC.

31 / 38

CES configuration via PCL

[]F : finite CES − → PCL formulae a ⊢ b b a a b Encoding of E:

◮ [a ⊢ b]F = (!b ∧ !a ∧ a) → b ◮ [b a]F = (!a ∧ !b ∧ b) ։ a

{a, b} ∈ F ⇐ ⇒ [E]F, !a, !b ⊢PCL a ∧ b {a} ∈ F ⇐ ⇒ [E]F, !a ⊢PCL a

32 / 38

CES configuration via PCL

Def. [(Xi ◦ ei)i∈I]F = {[Xi ◦ ei]F | i ∈ I} [X ◦ e]F =

• !e ∧ X ∧ !X
• [◦] e

[◦] =

• →

if ◦ = ⊢ ։ if ◦ =

[a # b]F = (!a ∧ !b) → ⊥

• Th. Let E be a finite CES. For all C ⊆ E and for all X ⊆ E:

C ∈ FE(X) ⇐ ⇒ [E]F, !C, X ⊢PCL C and [E]F, !C, X ⊢PCL ⊥

33 / 38

Conclusions

◮ A model for contracts that

◮ is a conservative extension of event structures ◮ offers both agreements and protection 34 / 38

Conclusions

◮ A model for contracts that

◮ is a conservative extension of event structures ◮ offers both agreements and protection

◮ Strong relations between CES and contract logic

◮ configurations, ◮ reachable events ◮ urgent events 34 / 38

Conclusions

◮ A model for contracts that

◮ is a conservative extension of event structures ◮ offers both agreements and protection

◮ Strong relations between CES and contract logic

◮ configurations, ◮ reachable events ◮ urgent events

◮ There is a lot of work to do:

◮ deeper understanding of the structure of configurations ◮ game-theoretic notions of protection and agreement ◮ relations with Petri nets ◮ . . . 34 / 38

Thanks!

35 / 38

Urgent events

• Def. We say that e is urgent in (C, X) iff

∃σ. (C, X)

eσ

− →E (C ∪ σ, ∅) We denote with UC

E (X) the set of urgent events in (C, X).

• Theo. Let (C, X) be a reachable state of −

⇀UE. Then: ∃η. (C, X)

η

− ⇀UE (C ∪ η, ∅)

36 / 38

Urgent events via PCL

• Def. For a finite, conflict-free CES E, we define the

accessibility relation − →[E]U of an LTS as follows: C

e

− →[E]U C ∪ {e} iff [E]U, !C ⊢PCL Ue ∧ !C ⊢PCL !e

• Th. For a finite, conflict-free CES E, −

⇀UE = − →[E]U urgency (what to do and when) can be characterized using the encoding

37 / 38

The Gentzen-style rules for PCL

Γ ⊢ q Γ ⊢ p ։ q

(Zero)

Γ, p ։ q, a ⊢ p Γ, p ։ q, q ⊢ b Γ, p ։ q ⊢ a ։ b

(PrePost)

Γ, p ։ q, r ⊢ p Γ, p ։ q, q ⊢ r Γ, p ։ q ⊢ r

(Fix)

38 / 38