Logical Foundations of Data Science, UCL, Nov 2015 Supported by a - - PowerPoint PPT Presentation

Nikos Tzevelekos, Queen Mary University of London Andrzej Murawski, University of Warwick Radu Grigore & Steven Ramsay, University of Oxford Logical Foundations of Data Science, UCL, Nov 2015

Supported by a Royal Academy of Engineering Research Fellowship

Automata over infjnite alphabets: Automata over infjnite alphabets: Investigations in Fresh-Register Automata Investigations in Fresh-Register Automata

infjnite alphabets & program behaviour

public void foo() { // Create new list List x = new ArrayList(); x.add(1); x.add(2); Iterator i = x.iterator(); Iterator j = x.iterator(); i.next(); i.remove(); j.next(); }

infjnite alphabets & program behaviour

public void foo() { // Create new list List x = new ArrayList(); x.add(1); x.add(2); Iterator i = x.iterator(); Iterator j = x.iterator(); i.next(); i.remove(); j.next(); }

Programs with usage of resources/names can go beyond fjnite alphabets (cf. modelling/analysis

• f programs)

– but in a parametric way

What this talk is about

This talk is about an automata model over infjnite alphabets akin to fjnite-state automata: fjnite-state + registers + freshness oracles We give an overview of their expressiveness & talk about

• emptiness, closures
• bisimilarity
• extensions (pushdown, classes/histories)

Automata for infjnite alphabets

Let Σ = {a1

can only be compared for equality

Automata for infjnite alphabets

• examine languages over Σ*
• or, languages over ( F Ç Σ )*
• or, languages over ( F × Σ )*

– usually called data words (XML)

• look for notions of regularity, CFGs, etc.
• devise efgective algorithms for reachability,

membership, etc.

Let Σ = {a1

can only be compared for equality a fjnite set

• f constants

many (fjnitely many) automata models

History-Dependent Automata

• π-calculus models, “named sets”, symmetries, bisimulation

Register Automata (aka FMA)

• FSAs with registers, regularity, data words & XML, extensions

Nominal Automata

• Finite

fjnite orbit, used on nominal sets & other group actions →

[Montanari & Pistore '98, Pistore '99; Montanari & Pistore '00, Ferrari, Montanari & Pistore '02] [Bojańczyk, Klin & Lasota '11, '14] [Kaminski & Francez '94, Neven, Schwentick & Vianu '04] [Sakamoto & Ikeda '00, Demri & Lazić '09; Libkin, Tan & Vrgoc '15; Jurdzinski & Lazić '11, Figueira '12] [Bojańczyk, Muscholl, Schwentick, Segoufjn & David '06 , Bjorklund & Schwentick '10] [Cheng & Kaminski '98, Segoufjn '06]

Register Automata (RA)

q q'

λ

fjnitely many (say R) registers Let Σ = {a1

registers store names

[Kaminski & Francez '94]

Label λ of the form:

• reg(i), i  {1,..., R}
• dif(i), i  {1,..., R}

Transitions:

q q'

a g b reg(2)

q q'

reg(i)

Transitions:

q q'

a g b reg(2) a g b

q q'

g

reg(i)

Transitions:

q q'

a g b dif(2)

q q'

dif(i)

Transitions:

q q'

a g b dif(2) a c b

q q'

dif(i)

difgerent from current registers

c

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a a

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b b

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c c

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a a

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a d d

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a d e e

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a d e b b

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a d e b a g c a b b

Example

L1 = { a1

≠ ai+1 }

(all strings where each name is distinct from its predecessor)

q0

dif(1)

a b c a d e b a g c a b a n d w e l o v e c a k e e

Quiz

dif(1), reg(1) dif(1), reg(1) dif(1), reg(1), reg(2) dif(2) reg(2)

Quiz

dif(1), reg(1) dif(1), reg(1) dif(1), reg(1), reg(2) dif(2) reg(2)

L2 = { a1

 aj }

(all strings where some name appears twice)

Lfr = { a1

≠ aj }

(all strings of pairwise distinct names) – what about the complement of Lfr ? And that of Lfr  Lfr ?

RA properties

• Capture regularity when Σ restricted to fjnite
• Closed under Ç , È , · , * .
• not closed under complement & not determinisable
• Universality / equivalence undecidable
• Decidable emptiness:
• complexity depends on register “mode” (NL

NP PSPACE) → →

• Can only truly distinguish between R+1 names

[Kaminski & Francez '94] [Neven, Schwentick & Vianu '04] [Sakamoto & Ikeda '00; Demri & Lazić '09]

Example revisited

public void foo() { // Create new list List x = new ArrayList(); x.add(1); x.add(2); Iterator i = x.iterator(); Iterator j = x.iterator(); i.next(); i.remove(); j.next(); }

here is a safety property φ:

if an iterator modifjes its collection x then other iterators of x become invalid

e.g. the code on the left is bad. We can express such “chaining” properties using RAs

• and dynamically verify them

[Grigore, Distefano, Petersen & T. '13]

Example revisited

public void foo() { // Create new list List x = new ArrayList(); x.add(1); x.add(2); Iterator i = x.iterator(); Iterator j = x.iterator(); i.next(); i.remove(); j.next(); }

here is a safety property φ:

if an iterator modifjes its collection x then other iterators of x become invalid

e.g. the code on the left is bad. We can express such “chaining” properties using RAs

• and dynamically verify them

[Grigore, Distefano, Petersen & T. '13]

but we cannot capture new!

Fresh-Register Automata (FRA)

q q'

λ

fjnitely many (say R) registers Let Σ = {a1

registers store names

[T. '11]

Label λ of the form:

• reg(i), i  {1,..., R}
• dif(i), i  {1,..., R}
• fresh(i), i  {1,..., R}

global freshness oracle

Transitions:

q q'

a g b

q q'

b1

fresh(2)

fresh(i)

Transitions:

q q'

a g b a c b

q q'

globally fresh

c

b1

fresh(2)

fresh(i)

Examples

q0 q1

dif(1) fresh(1)

L3 = { a1

≠ ai+1

i  n, j  2i. aj

≠ a2i }

Lfr = { a1

≠ aj }

(all strings of pairwise distinct names)

q0

fresh(1)

FRA properties

• Not closed under complement & not determinisable
• Closed under Ç , È , but not under · , *
• Universality / equivalence undecidable (from RAs)
• Decidable emptiness (same as RAs):
• complexity depends on register “mode” (NL

NP PSPACE) → →

• Bisimilarity: decidable [T.11], complexity open

FRAs for program equivalence

The modelling power of FRAs can be used to model resourceful programs via game semantics Program game model FRA → → efgectively: • what we get:

• decision procedures for ML fragments
• same for Interface Middleweight Java

http://bitbucket.org/sjr/coneqct/wiki/Home

their FRAs are language equivalent / bisimilar two programs are equivalent

[Murawski & T. '11, '12] [Murawski, Ramsay & T. '15]

More applications and variants

History-Dependent Automata

• freshness via “black holes” (histories)
• verifjcation of LTL + allocation

Session automata and learning

• freshness, but no difg

fg

• canonical forms, decide equivalence

Kleene algebras for languages with binders

• NKA: KA with ν-binder

match with automata →

[Bollig, Habermehl, Leucker & Monmege '14] [Pistore '99, Distefano, Rensink & Katoen '02, '04] [Gabbay & Ciancia '11; Kozen, Mamouras, Petrisan & Silva '15]

Investigations in FRAs

Bisimilarity for FRAs (complexity)

• Depends on register mode (NP

PSPACE EXPTIME) → →

• approach uses permutation group theory

Context-freeness: Pushdown FRA

• Reachability EXPTIME-complete
• Global reachability via “saturation”

Freshness oracle: from one to many histories

• History Register Automata (cf. DA/CMA)

[Murawski, Ramsay & T. '15] [Cheng & Kaminski '98; Segoufjn '06] [Murawski, Ramsay & T. '14] [Murawski & T. '12] [Grigore & T. '13]

Semantics formally: confjgurations

Semantics of FRAs given by confjguration graphs:

(q, ρ, H ) → (q', ρ', H' ) a

state register assignment:

ρ : {1,...,R} → Σ {#}

history: H fin Σ confjguration

q0

q1

dif(1) fresh(1)

(q0,#, ) (q1,a1,{a1}) (q1,a2,{a2}) … (q0,b1,{a1,b1}) (q0,b2,{a2,b2}) … a1 a2 b1 b2 (q1,c1,{a1,b (q1,c2,{a1,b … c1 c2

A behavioural notion of equivalence: two confjgurations κ1,κ2 are bisimilar (κ1 ~ κ2) if they can simulate one another name-by-name We say that two FRAs are bisimilar if their initial confjgurations are (in the combined conf. graph). e.g. (writing 1* for fresh(1) ):

Bisimilarity

A small detail: register modes

So far we assumed: registers initially empty, not possible to erase them or have name duplicates. We can generalise:

# is for empty

register content

M# S# MF S#0 SF Register fullness

• (F ) full
• (#0

• (#) eraseable

Name multiplicity

• (S ) single
• (M ) multiple

a g # b # a g z b z z

neat, but erasing gives exponentially large labels

(S#) ( → MF )

no multiplicities, but erasing allowed multiplicities, but no empty registers

(S#) ( → MF ) a g # b # a g z b z z a g c b d a' g' c b' d

neat, but erasing gives exponentially large labels concise, as each name appears at most twice no multiplicities, but erasing allowed neat, but erasing gives exponentially large labels multiplicities, but no empty registers

Complexity Picture

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

M# S# MF S#0 SF

Complexity Picture

EXPTIME-c PSPACE-c NP

M# S# MF S#0 SF

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

EXPTIME solvability

To decide bisimilarity of two confjgurations of size R:

• we need 2R names to represent all possible name

matchings between them

• plus one name that stands for “difgerent”
• and another one for “fresh”

→ 2R+2 names, that we can encode inside states:

Q Q ‰ (2R+2)R

(bisimilarity for fjnite-state automata is in PTIME)

Complexity Picture

EXPTIME

M# S# MF S#0 SF

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

EXPTIME hardness

The (S#) case is EXPTIME-hard:

• reduce from alternating TMs with linear-size tape (ALBA)
• model each cell by two registers:
• arrange for non-bisimilarity at rejecting fjnal states
• Bisimulation game ( Attacker (A) vs Defender (D) ):
• A controls universal states, D controls existential ones
• use Defender forcing [Jancar & Srba '08]

a # 1 # a

Complexity Picture

M# S# MF S#0 SF

EXPTIME EXPTIME

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

The original case (S#0 )

Disallowing erasures makes impossible our modelling of a linear-size tape... In fact, the problem is PSPACE complete First, we can model boolean assignments (cf. write-once tape), which are enough for PSPACE-hardness:

• we reduce from QBF
• Attacker chooses universal variables
• Defender chooses existential ones (via forcing)

Complexity Picture

EXPTIME EXPTIME PSPACE

M# S# MF S#0 SF

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

PSPACE solvability: diffjcult

Our best bet is APTIME = PSPACE

• problem: while we cannot simulate a linear tape, we

still have a lot of confjgurations! We look into internal symmetries of FRAs:

• symbolic reasoning: we are only look at how

confjgurations are related, not their actual content

• group representations: we express these interrelations

compactly via permutation groups

• bounded history: it suffjces to consider histories of size

up to 2R

PSPACE solvability

Reasoning symbolically:

• each decrease in the indexed chain can be traced

back to one of polynomially many factors! This means there is a fjnal polynomial-size i

• polynomial bound for bisimulation game

APTIME →

i

i  ω

1 2 i

~ ⊇ ~ ⊇ ~ ⊇ … ⊇ ~ ⊇ … and ~ s = Ç ~

use the fact that strict subgroup chains have bounded length

Complexity Picture

EXPTIME-c PSPACE PSPACE

M# S# MF S#0 SF

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

Bisimilarity for (F)RAs

PSPACE-c NP

M# S# MF S#0 SF

Multiplicity :

• (S ) single
• (M ) multiple

Fullness :

• (F ) full
• (#0 ) initially empty
• (#) eraseable

EXPTIME-c

Investigations in FRAs

Bisimilarity for FRAs (complexity)

• Depends on register mode (NP

PSPACE EXPTIME) → →

• approach uses permutation group theory

Context-freeness: Pushdown FRA

• Reachability EXPTIME-complete
• Global reachability via “saturation”

Freshness oracle: from one to many histories

• History Register Automata (cf. DA/CMA)

[Murawski, Ramsay & T. '15] [Cheng & Kaminski '98; Segoufjn '06] [Murawski, Ramsay & T. '14] [Murawski & T. '12] [Grigore & T. '13]

Pushdown FRAs (FPDRAs)

q q'

λ

fjnitely many (say R) registers Let Σ = {a1

pushdown stack Label λ of the form:

• reg(i), i  {1,..., R}
• …
• push(i), i  {1,..., R}
• pop(i), i  {1,..., R}
• pop-dif

registers & stack store names

[Cheng & Kaminski '98, Segoufjn '06; Murawski & T. 12]

Transitions:

q q'

a c b push(2) e a c

q q'

push(i)

Transitions:

q q'

a c b push(2) e a c

q q'

push(i)

Transitions:

q q'

a c b push(2) a c b e a c c e a c

q q'

push(i)

Transitions:

q q'

a c b pop(2) c e a c

q q'

pop(i)

Transitions:

q q'

a c b pop(2) c e a c

q q'

pop(i)

Transitions:

q q'

a c b pop(2) a c b c e a c e a c

q q'

pop(i)

Transitions:

q q'

a c b pop-dif e a c

q q'

pop-dif

Transitions:

q q'

a c b pop-dif e a c

difgerent from current registers

q q'

pop-dif

Transitions:

q q'

a c b pop-dif e a c a c b a c

q q'

pop-dif

difgerent from current registers

Example

L4 = { a1

≠ ai+1 }

q0 q1

dif(1)

q3

reg(1) push(1)

q2

dif(1) pop(1)

Example

L4 = { a1

≠ ai+1 }

q0 q1

dif(1)

q3

reg(1)

n

push(1)

q2

dif(1) pop(1)

n e v e r o d d o r e v e n

Example

L5 = { a1

≠ b }

(all strings where last name is distinct from all previous ones)

q0 q1

reg(1)

q2

ε

pop-dif dif(1) push(1)

Limited distinguish-ability

Lfr = { a1

≠ aj }

(all strings of distinct names)

Limited distinguish-ability

3R property:

Given a PDRA (no fresh) with R registers with states q1,q2, any run between them (from empty stack to empty stack) can be taken with at most 3R names. Conversely, there is a PDRA with R registers whose runs to a designated state involve exactly 3R names.

Lfr = { a1

≠ aj }

(all strings of distinct names)

EXPTIME PSPACE NP

Reachability/non-emptiness for (F)RAs

NL

FPDRA FRA(III) FRA(II) FRA(I)

→ R-FPRDA Reachability is EXPTIME-complete

• upper bound by 3R + freshness simulation [Murawski & T. 12]
• hardness by reduction from TMs with stack (SF, no fresh)

Investigations in FRAs

Bisimilarity for FRAs (complexity)

• Depends on register mode (NP

PSPACE EXPTIME) → →

• approach uses permutation group theory

Context-freeness: Pushdown FRA

• Reachability EXPTIME-complete
• Global reachability via “saturation”

Freshness oracle: from one to many histories

• History Register Automata (cf. DA/CMA)

[Murawski, Ramsay & T. '15] [Cheng & Kaminski '98; Segoufjn '06] [Murawski, Ramsay & T. '14] [Murawski & T. '12] [Grigore & T. '13]

HRAs: from registers to histories

histories = registers with unboundedly many equivalent elements

Expressivity

Histories simulate registers HRAs extend FRAs → Histories can be reset: → Closure under Kleene* and concatenation Several histories Closure wrt interleavings →

HRA properties

• Cleanly extend RAs and FRAs
• Closed under all regular operations apart from

complementation

• Closed under interleaving
• Universality undecidable (from RAs)
• Emptiness decidable, non-primitive recursive

complexity (~transfer/reset Petri nets)

• Closely related to Data / Class Memory Automata

[Bojańczyk, Muscholl, Schwentick, Segoufjn & David '06 , Bjorklund & Schwentick '10]

Concluding

Fresh-Register Automata:

• Class of automata over infjnite alphabets

“natural” for computation with names/resources

• new landscape of algorithms and results
• applications in verifjcation

Further on:

• open/working problems: automata learning, regular

expressions, infjnite words, verifjcation logics

• algorithm implementations (an FRA toolkit!)