Incremental coinduction for process algebra Andrei Popescu and Elsa - PowerPoint PPT Presentation

Incremental coinduction for process algebra Andrei Popescu and Elsa Gunter University of Illinois at Urbana-Champaign 1

Context • Process algebra • Transition system • Bisimilarity = notion of process equality • Interactive proofs of bisimilarity 2

Bisimilarity • Processes form Act-labeled transition system, P  a → P’ • Bisimulation: binary relation Θ on Proc, s.t. for P,Q ∈ Proc and a ∈ Act P Θ Q ∧ P  a → P’ ⇓ ∃ Q’. Q  a → Q’ ∧ P’ Θ Q’ (and the same for Q versus P) • Bisimilarity, written ≡ , is the largest bisimulation 3

A more intuitive description of bisimilarity P ≡ Q iff • Whenever P  a → P’ • Also Q  a → Q’ for some Q’ such that P’ ≡ Q’ • Same for Q versus P • And so on, indefinitely 4

Example – CCS-like calculus ∀ τ ∈ Act, - : Act → Act s.t. a - - = a • P ::= 0  a . P  P | Q  ! P P  a → P’ Q  a → Q’ a . P  a → P (Pref) ---------------------- (ParL) --------------------- (ParR) P | Q  a → P’ | Q P | Q  a → P | Q’ P  a → P’ Q  a - → Q’ P  a → P’ P  a → Q’ P  a - → R’ ------------------------ (ParS) ---------------- (Repl) ------------------------ (ReplS) P | Q  τ→ P’ | Q’ !P  a → !P | P’ !P  τ→ !P | Q’ | R’ 5

Examples of proof tasks ∀ ∀ P, Q. P | Q ≡ Q | P ∀ ∀ P, Q, R. (P | Q) | R ≡ P | (Q | R) ∀ ∀ P. P | !P ≡ !P 6

Standard interactive bisimilarity proofs • Goal: prove P ≡ Q • Formal proof: – Define a relation Θ – Show P Θ Q – Show Θ bisimulation 7

Standard interactive bisimilarity proofs • Goal: prove P ≡ Q • Formal proof: – Define a relation Θ - this is the “real” proof – Show P Θ Q – Show Θ bisimulation 8

By contrast: intuitive argument for P ≡ Q Possible continuations of P P  a 1 → P 1 ’ |  a 2 → P 2 ’ | … |  a n → P n ’ match them (completely) with Possible continuations of Q Q  b 1 → Q 1 ’ |  b 2 → Q 2 ’ | … |  b m → Q m ’ E.g., a i = b j , and further claim P i ’ ≡ Q j ’ 9

Intuitive argument for P ≡ Q • For each match (i,j), do the same for new claim, P i ’ ≡ Q j ’ • Until (pattern) repetitions discovered in the tree of claims P ≡ Q : P i2 ’ ≡ Q j2 ’ : : ... … ------------- ------------ P i1 ’ ≡ Q j1 ’ P i2 ’ ≡ Q j2 ’ … -------------------------------------------- P ≡ Q 10

Argument built intuitively then fed into the formal proof ∀Θ = The set of all nodes in the “claim tree” • Prove Θ bisimulation Thus: • Gap between intuition and formalities • No formal support for building the desired bisimulation incrementally (as in the intuitive argument) 11

Our contribution • Fill this gap between intuition and formalities • Provide a formal system where – Bisimulations can be built incrementally – Goal-discharging repetitions/circularities are first-class citizens 12

Sample Goals 1. Comm: ∀ P Q. P | Q ≡ Q | P 2. Assoc: ∀ P Q R. (P | Q) | R ≡ P | (Q | R) 3. ∀ P. P | !P ≡ !P Say we proved 1 and 2, and wish to prove 3 13

Proof Hypotheses: Comm, Assoc (i.e., lemmas known so far) Conclusion: P | !P ≡ !P 14

Proof Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Try equational reasoning: Fail (P | !P ≡ !P does not follow from just Comm, Assoc via the rules of equational logic: Refl, Trans, Cong, Subst) 15

Proof Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P: • P | !P  a → { P’ | !P, P | (!P | P’) } if P  a → P’ • P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) } if P  a → Q’ and P  a - → R’ 16

Parenthesis – unfold automatically • Compose primitive rules of the system until atomic assumptions are reached • Side-conditions are composed accordingly P  a - → R’ ----------------------(Repl) P  a → Q’ !P  a - → !P | R’ -----------------------------------------------(ParS) P | !P  τ→ Q’ | (!P | R’) 17

Back to Proof Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P and !P: • P | !P  a → { P’ | !P, P | (!P | P’) } if P  a → P’ • P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) } if P –a → Q’ and P  a - → R’ • !P  a → { !P | P’ } if P  a → P’ • !P τ→ { !P | (Q’ | R’) } if P  a → Q’ and P  a - → R’ 18

Proof Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P and !P: • P | !P  a → { P’ | !P, P | (!P | P’) } if P  a → P’ • P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) } if P –a → Q’ and P  a - → R’ • !P  a → { !P | P’ } if P  a → P’ • !P τ→ { !P | (Q’ | R’) } if P –a → Q’ and P  a - → R’ From matching if-hypotheses and action labels, obtain 4 new “claims”… 19

Proof Hypotheses: Comm, Assoc Conclusions: P’ | !P ≡ !P | P’ 1. P | (!P | P’) ≡ !P | P’ 2. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 3. Q’ | (!P | R’) ≡ !P | (Q’ | R’) 4. ... “claims” becoming new conclusions in the goal 20

Proof Hypotheses: Comm, Assoc, P | !P ≡ !P Conclusions: P’ | !P ≡ !P | P’ 1. P | (!P | P’) ≡ !P | P’ 2. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 3. Q’ | (!P | R’) ≡ !P | (Q’ | R’) 4. Also, previous conclusion becomes hypothesis! (to watch for possible “repetition of the claims”) 21

Proof Hypotheses: Comm, Assoc, P | !P ≡ !P Conclusions: P’ | !P ≡ !P | P’ 1. P | (!P | P’) ≡ !P | P’ 2. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 3. Q’ | (!P | R’) ≡ !P | (Q’ | R’) 4. All 4 conclusions discharged by equational reasoning from hypotheses. q.e.d. 22

The formal proof in our system P | !P ≡ !P |-- P’ | !P ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | P’) ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) (by EqL) P | !P ≡ !P |-- Q’ | (!P | R’) ≡ !P | (Q’ | R’) (by EqL) ----------------------------------------------(apply Unfold) |-- P | !P ≡ !P (Omiting the reference to lemmas Comm, Assoc) 23

The formal proof in our system ∀ P. P | !P ≡ !P |-- ∀ P P’. P | (!P | P’) ≡ !P | P’ Valid inference in Equational Logic (and in FOL) 24

Soundness of our proof system Indeed, the relation Θ = { (P | !P, !P) . P ∈ Proc} ∪ { ( P’ | !P, !P | P’ ) . P, P’ ∈ Proc} ∪ { ( P | (!P | P’), !P | P’ ) . P, P’ ∈ Proc} ∪ { ( P | (!P | (Q’ | R’)), !P | (Q’ | R’) ) . P, Q’, R’ ∈ Proc} ∪ { ( Q’ | (!P | R’), !P | (Q’ | R’) ) . P, Q’, R’ ∈ Proc} turns out to be a bisimulation up to bisimilarity and arbitrary contexts (Davide Sangiorgi) 25

Scope • Process algebra by de Simone SOS rules X 1  a 1,1 → Y 1,1 … X 1  a 1,n1 → Y 1,n1 . . . X k  a k,1 → Y k,1 … X k  a k,nk → Y k,nk --------------------------------------------------- [ ϕ (b,…,a i,j ,…) ] f(X 1 ,…,X k )  b → T(…,X i ,…,Y i,j ,…) 26 (the X i s distinct, the Y i,j s distinct and fresh)

Isabelle formalization • Have formalized the proof system and proved its soundness in Isabelle/HOL • Potential to become an a priori formally certified tool • Need to write some custom Isabelle tactics to make it into a real tool 27

Credits • Robert de Simone, 1985: identify an amenable SOS format • Davide Sangiorgi, 1998: “up to” techniques for bisimilarity proofs • Grigore Rosu and Joseph Goguen, 2000: circular coinduction in hidden logic, applicable to deterministic systems (such as streams) 28

Conclusions • Gap between – formal support for interactive bisimilarity proofs – intuitive means of building the required bisimulation • Filled this gap by incremental proof system – Based on equational logic – Featuring circularities as first-class citizens – Applicable to a large class of process algebras – Formalized in Isabelle/HOL 29

Future work • Isabelle formalization into user-friendly tool • Extend the scope – Laxer SOS formats – Syntax with bindings (Pi-calculus) 30

Extra slides – More on the soundness of our proof system 31

The retract operator Retr : Rel (Proc) → Rel (Proc) Retr Θ = {(P,Q). ∀ a P’. P  a → P’ ⇓ ∃ Q’. Q  a → Q’ ∧ (P’,Q’) ∈ Θ and similarly for Q versus P} (Retr Θ contains all pairs “retracted back” from Θ ) Θ bisimulation means Θ ⊆ Retr Θ 32

Recall our formal proof P | !P ≡ !P |-- P’ | !P ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | P’) ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) (by EqL) P | !P ≡ !P |-- Q’ | (!P | R’) ≡ !P | (Q’ | R’) (by EqL) -----------------------------------------------(apply Unfold) |-- P | !P ≡ !P (Omiting the reference to lemmas Comm, Assoc) 33