Nominal Process Calculi and Modal Logics. Johannes Borgström, Uppsala University. Based on joint work since 2015 with Ramūnas Gutkovas, Lars-Henrik Eriksson, Joachim Parrow, Tjark Weber. 1 Introduction to Nominal Process Calculi CCS with


  1. Summary
  • Three process calculi: CCS-ish, pi, fusion
  • Reduction semantics
  • Residual-based labelled semantics
  • Bisimulation
  • Generalization: Nominal Transition Systems (NTS)
  • Saturday: Psi-calculi, modal logic for NTSs
  • Weak bisimilarity, weak logic, effects

  2. The Ψ-calculus (psi-calculus). Jesper Bengtson, Magnus Johansson, Joachim Parrow, Björn Victor, Johannes Åman Pohjola, et al.

  3. From pi to psi
  Ordinary pi-calculus: (νz)(āz) | a(x).[x = b]P
  Arbitrary data structures can be sent: (νz)(āM) | a(x).[x = b]P
  Pattern matching on data: (νz)(āM) | a(λx̃)N.[x = b]P
  Channels can be arbitrary structures: (νz)(K̄M) | L(λx̃)N.[x = b]P
  Tests can be arbitrary logic predicates: (νz)(K̄M) | L(λx̃)N. if ϕ then P
  New construct, facts about data (assertions): (νz)(K̄M.(|Ψ|)) | L(λx̃)N. if ϕ then P

  4. Cook a psi-calculus
  Define terms T (data terms, channels), ranged over by M, N; conditions C (used in case statements), ranged over by ϕ; and assertions A (facts about data), ranged over by Ψ. Each can be any nominal set (not necessarily syntactic).
  Define term substitution, and the operators (practically anything):
  Channel equivalence ↔̇ : T × T → C
  Composition ⊗ : A × A → A
  Unit assertion 1 : A
  Entailment ⊢ ⊆ A × C

  5. Axioms for substitution
  Assume all the ã distinct, all the b̃ distinct.
  1: if ã ⊆ n(X) and b ∈ n(T̃) then b ∈ n(X[ã := T̃])
  2: if b̃ # X, ã then X[ã := T̃] = ((ã b̃)·X)[b̃ := T̃]

  6. Easy as pi! (operational semantics; premises ⟹ conclusion, side conditions in brackets)
  In:    Ψ ⊢ M ↔̇ K  ⟹  Ψ ▷ M(λỹ)N.P −K N[ỹ := L̃]→ P[ỹ := L̃]
  Out:   Ψ ⊢ M ↔̇ K  ⟹  Ψ ▷ M̄N.P −K̄N→ P
  Case:  Ψ ▷ P_i −α→ P',  Ψ ⊢ ϕ_i  ⟹  Ψ ▷ case ϕ̃ : P̃ −α→ P'
  Com:   Ψ_Q ⊗ Ψ ▷ P −M̄(νã)N→ P',  Ψ_P ⊗ Ψ ▷ Q −K N→ Q',  Ψ ⊗ Ψ_P ⊗ Ψ_Q ⊢ M ↔̇ K  ⟹  Ψ ▷ P | Q −τ→ (νã)(P' | Q')   [ã # Q]
  Par:   Ψ_Q ⊗ Ψ ▷ P −α→ P'  ⟹  Ψ ▷ P | Q −α→ P' | Q   [bn(α) # Q]
  Scope: Ψ ▷ P −α→ P'  ⟹  Ψ ▷ (νb)P −α→ (νb)P'   [b # α, Ψ]
  Open:  Ψ ▷ P −M̄(νã)N→ P'  ⟹  Ψ ▷ (νb)P −M̄(νã ∪ {b})N→ P'   [b # ã, Ψ, M;  b ∈ n(N)]
  Rep:   Ψ ▷ P | !P −α→ P'  ⟹  Ψ ▷ !P −α→ P'

  7. Results
  Machine-checked proofs.
  • Generic results for all instances (LICS’09, LICS’10, LMCS 2011): compositional semantics; bisimulation theory (strong and weak); algebraic properties, congruence.
  • Results for many instances (SOS’09, JLAP 2012): symbolic semantics and bisimulation; procedure for computing bisimilarity constraint.

  8. Algebraic properties
  The usual structural laws, in particular scope extension: P | (νa)Q ∼ (νa)(P | Q) if a # P.
  The usual congruence properties, in particular compositionality and congruence (machine-checked proofs):
  P ∼̇_Ψ Q ⟹ P | R ∼̇_Ψ Q | R
  (∀L̃. P[ã := L̃] ∼̇_Ψ Q[ã := L̃]) ⟹ M(λã)N.P ∼̇_Ψ M(λã)N.Q

  9. Nominal Isabelle Formalization. Mainly by Jesper Bengtson and Johannes Åman Pohjola.

  10. Making it this simple is hard work!
  • Easy to get things wrong, even when they are “obviously right”
  • Easy to miss a requirement
  • Easy to miss generalisations
  • Especially true when (name) binding is involved
  Easy to get worried!

  11. Isabelle from day 1
  • Use the interactive theorem prover Isabelle with the Nominal package
  • Supports nominal datatypes, under active development, produces readable proofs
  • Use it during development, not only afterwards!

  12. Adaptable proofs: case example
  Original rule, tau action (easy induction proofs):
  Old-Case: Ψ ⊢ ϕ_i  ⟹  Ψ ▷ case ϕ̃ : P̃ −τ→ P_i
  New rule, more standard, can express the above:
  Case: Ψ ▷ P_i −α→ P',  Ψ ⊢ ϕ_i  ⟹  Ψ ▷ case ϕ̃ : P̃ −α→ P'
  Change requires re-checking all proofs! With Isabelle: took a day.

  13. Adaptable proofs: higher-order
  To get higher-order psi-calculi, just add the following:
  Invocation agent: run M
  Clauses: M ⇐ P, with n(M) ⊇ n(P)
  Invocation rule: Ψ ⊢ M ⇐ P,  Ψ ▷ P −α→ P'  ⟹  Ψ ▷ run M −α→ P'
  Parrow, Borgström, Raabjerg, Åman Pohjola, MSCS 2016.
  Now prove all meta-theory again! With Isabelle: meta-theory took a day and a night. More effort: locales, canonical instances, encodings.

  14. Broadcast: harder
  To get broadcast communication: output connectivity M ≺̇ K, input connectivity K ≻̇ M, two new actions (!K N and ?K N) and five new semantics rules (SEFM’11, SoSyM 2015):
  BrOut:   Ψ ⊢ M ≺̇ K  ⟹  Ψ ▷ M̄N.P −!K N→ P
  BrIn:    Ψ ⊢ K ≻̇ M  ⟹  Ψ ▷ M(λỹ)N.P −?K N[ỹ := L̃]→ P[ỹ := L̃]
  BrMerge: Ψ_Q ⊗ Ψ ▷ P −?K N→ P',  Ψ_P ⊗ Ψ ▷ Q −?K N→ Q'  ⟹  Ψ ▷ P | Q −?K N→ P' | Q'
  BrCom:   Ψ_Q ⊗ Ψ ▷ P −!K(νã)N→ P',  Ψ_P ⊗ Ψ ▷ Q −?K N→ Q'  ⟹  Ψ ▷ P | Q −!K(νã)N→ P' | Q'   [ã # Q]
  BrClose: Ψ ▷ P −!K(νã)N→ P'  ⟹  Ψ ▷ (νb)P −τ→ (νb)(νã)P'   [b ∈ n(K), b # Ψ]
  Quite some work getting it right! Adds about 12700 lines of Isabelle proofs, reuses the entire Psi codebase of about 20500 lines. Even with Isabelle: two years, seven coauthors.

  15. The power of Isabelle. What about combining higher-order and broadcast? Re-prove all the meta-theory… With Isabelle: took HALF a day, mostly waiting! “could be done by a clever shell script”

  16. Effort. It must take a lot of time to use Isabelle, surely?
  • Theory development is not only about doing proofs – most time is spent elsewhere
  • Doing false proofs is a waste of time
  • Correct proofs make it worthwhile!
  No worries!

  17. Nominal Transition Systems. Based on slides by Joachim Parrow, OPCT 2017

  18. Nominal Transition Systems. What are NTS? Why? NTS are a general framework that fits almost all advanced process algebras, by generalising standard transition systems to include binders in actions.

  19. States

  20. State predicates. Examples: x = 2, x = 1, c = encrypt(m, k), y > z, prime(x), ∀m, k. c ≠ encrypt(m, k)

  21. Transitions

  22. Actions. Examples: a, τ, b̄, ā(νb, c, d), āb, a(x), a(x, y, z), ā(νb), ch(i)M, a⟨f(g(a), b)⟩

  23. Binding names. Actions contain names (a, τ, b̄, ā(νb, c, d), āb, a(x), a(x, y, z), ā(νb), ch(i)M, a⟨f(g(a), b)⟩); predicates contain names; states contain names.

  24. States, predicates, and actions
  STATES: a nominal set, ranged over by P, Q.
  PRED: a nominal set, ranged over by ϕ (for example x = 2, x = 1, y > z, prime(x), c = encrypt(m, k), ∀m, k. c ≠ encrypt(m, k)); ⊢ ⊆ states × pred, equivariant.
  ACT: a nominal set, ranged over by α (for example a, τ, b̄, āb, a(x), a(x, y, z), ā(νb), a⟨f(g(a), b)⟩, ch(i)M); bn : act → P_fin(N), equivariant, with bn(α) ⊆ supp(α).

  25. Transitions
  → ⊆ states × [P_fin(N)](act × states), equivariant, and (P, ⟨b̃⟩(α, Q)) ∈ → implies b̃ = bn(α).
  We write P −α→ Q for (P, ⟨bn(α)⟩(α, Q)) ∈ →.

  26. Bisimulation
  DEFINITION (Strong Bisimulation). A symmetric relation R on processes satisfying: if R(P, Q) then
  Simulation: if P −α→ P' and bn(α) # Q then ∃Q'. Q −α→ Q' and R(P', Q')
  Static implication: if P ⊢ ϕ then Q ⊢ ϕ
  P ∼̇ Q if R(P, Q) for some bisimulation R.

  27. Modal Logics for Nominal Transition Systems. Based on CONCUR 2015 paper with Ramūnas Gutkovas, Lars-Henrik Eriksson, Joachim Parrow. Presentation based on slides by Tjark Weber, Joachim Parrow.

  28. Logic
  Our objectives: a set of formulas A, B; a satisfaction relation between states and formulas, P ⊨ A; expressive wrt existing work; fully formal; simple.
  Not objectives: decidability, model checking.

  29. Formulas
  A ::= ⋀_{i∈I} A_i | ⟨α⟩A | ¬A | ϕ
  Four basic constructors.

  30. State Predicates. P ⊨ ϕ holds if P ⊢ ϕ: P satisfies the formula ϕ if the state predicate ϕ holds in P.

  31. Action modality. P ⊨ ⟨α⟩A holds if ∃P'. P −α→ P' and P' ⊨ A: P can do α and then satisfy A. We consider formulas up to alpha equivalence, i.e. if a ∈ bn(α) and b # α, A then ⟨α⟩A = (a b)·(⟨α⟩A).

  32. Negation. P ⊨ ¬A holds if not P ⊨ A.

  33. Conjunction. Assume A_i is a formula for each i ∈ I. P ⊨ ⋀_{i∈I} A_i if for all i ∈ I it holds that P ⊨ A_i. The million dollar question: which such conjunctions should be allowed?

  34. Finite conjunction (as in Hennessy, Milner 1985): “safe but not enough”. Allowed only for finite I: P ⊨ ⋀_{i∈I} A_i. Same as binary conjunction A_1 ∧ A_2. Easy to make fully formal. Quite limited expressiveness (suitable only for finite-branching transition systems).

  35. Arbitrary conjunction (as in Milner 1989): needs substantial restrictions. Allowed for any I: P ⊨ ⋀_{i∈I} A_i. Enormous expressiveness: greater than the systems we study! Formulas might not be finitely supported, alpha-conversion might be impossible.

  36. Uniformly bounded conjunction (as in Abramsky 1991): “standard but not enough”. Allowed for any I such that the conjuncts have a common finite support: P ⊨ ⋀_{i∈I} A_i where, for some finite set of names S, ∀i ∈ I. supp(A_i) ⊆ S. OK to make fully formal. Still of limited expressiveness?

  37. Example: quantifiers. P ⊨ ∀x ∈ N. A holds if for all z ∈ N it holds that P ⊨ A[x := z] (for some substitution function). Can this be represented as ∀x ∈ N. A = ⋀_{z∈N} A[x := z]?

  38. ∀x ∈ N. A = ⋀_{z∈N} A[x := z]. Is this conjunction uniformly bounded? No. At least not if z ∈ supp(A[x := z]). Quantification cannot be expressed by uniformly bounded conjunction!

  39. Finitely supported conjunction (our contribution). ⋀_{i∈I} A_i requires that the set of formulas {A_i | i ∈ I} has finite support S. Assume F is the set of formulas supported by S. Consider the different formulas ∧{A | A ∈ B} where B ranges over the subsets of F. By Cantor’s Theorem, we have a contradiction. Solution: cardinality bound on conjunction width.

  40. ∀x ∈ N. A = ⋀_{z∈N} A[x := z]. Is this conjunction finitely supported? Yes! Assuming substitution is equivariant.

  41. Expressiveness: dualities. ⋁_{i∈I} A_i = ¬⋀_{i∈I} ¬A_i and [α]A = ¬⟨α⟩¬A.

  42. Expressiveness: quantifiers. ∀x. A = ⋀_{z∈V} A[x := z] and ∃x. A = ⋁_{z∈V} A[x := z]. Assumes V is finitely supported and substitution is equivariant.

  43. Expressiveness: fresh quantifier. P ⊨ Иx. A if for some n # P it holds that P ⊨ (x n)·A. Иx. A = ⋁_{S∈COF} ⋀_{n∈S} (x n)·A, where COF is the set of cofinite sets of names: there is a cofinite set such that A holds for all its members.

  44. Expressiveness: next step modality. ⟨⟩A = ⋁_{α∈act, bn(α)#A} ⟨α⟩A. Fixpoints: the minimal fixpoint is defined as the disjunction of all unfoldings. With next and fixpoints we get all of CTL* (Emerson 1997).

  45. Applications. F = finite conjunction, A = arbitrary conjunction, U = uniformly bounded conjunction. F: Hennessy, Milner 1985, Hennessy-Milner Logic for CCS. A: Milner 1989. U: Abramsky 1991. For pi-calculus: Milner, Parrow, Walker 1993 (U). For value passing: F + quantifiers, Hennessy, Liu 1995. For spi-calculus: A, Frendrup, Huttel, Jensen 2002. For applied pi-calculus: Pedersen, 2006. F for fusion calculus: Haugstad, Terkelsen, Vindum 2006. A for multi-labelled systems: De Nicola, Loreti 2008. F + quantifiers for concurrent constraint calculus: Buscemi, Montanari 2007. Yet no modal logic for psi-calculi: Bengtson et al 2011.

  46. Adequacy. Most often a kind of sanity check for bisimulation: if two states “behave the same” then they satisfy exactly the same formulas; if two states do not “behave the same” then there is a formula satisfied by one and not the other.

  47. Bisimulation
  DEFINITION (Bisimulation). A symmetric relation R on states satisfying: if R(P, Q) then
  if P −α→ P' and bn(α) # Q then ∃Q'. Q −α→ Q' and R(P', Q')
  if P ⊨ ϕ then Q ⊨ ϕ
  P ∼̇ Q if R(P, Q) for some bisimulation R.
  THEOREM (Adequacy). P ∼̇ Q iff for all formulas A: P ⊨ A iff Q ⊨ A.

  48. P ∼̇ Q iff for all formulas A: P ⊨ A iff Q ⊨ A.
  In direction ⇐, show that logical equivalence ≐, defined as {(P, Q) | ∀A. P ⊨ A iff Q ⊨ A}, is a bisimulation. Assume not; then P has an α-transition to P' that Q cannot simulate: for each α-derivative Q' there is a distinguishing formula A between P' and Q'. Let B be the conjunction of all these A (one for each Q'). Then P ⊨ ⟨α⟩B and not Q ⊨ ⟨α⟩B. Contradiction!

  49. Let B be the conjunction of all these A (one for each Q'). Can this conjunction be defined in the logic?
  If the transition system is finitely branching (e.g. CCS with guarded recursion) then there are finitely many Q', so finite conjunction suffices.
  If all the formulas A have a common finite support (e.g. pi-calculus) then uniformly bounded conjunction suffices.
  In general (arbitrary nominal transition systems) use finitely supported conjunction.

  50. In general use finitely supported conjunction.
  Lemma: If P' ⊨ A ∧ Q' ⊭ A then ∃B. P' ⊨ B ∧ Q' ⊭ B ∧ supp(B) ⊆ supp(P').
  If there is a distinguishing formula for P' and Q', then there is one with the support bounded by P'.
  Proof idea: let PERM be the name permutations that fix P'; B = ⋀_{π∈PERM} π·A.
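As an added worked example (my code, not part of the slides or of the Isabelle formalisation), here is the adequacy argument of slides 47 to 50 made concrete for the case the slides call easy: a finitely branching system without names, so bn(α) # Q is trivially true and finite conjunction suffices. The transition system (two vending machines, the actions coin/tea/coffee and the state predicate "done") is constructed for the example. The code computes the greatest strong bisimulation by refinement, records in which refinement round each pair of states was separated, and uses those rounds to build a distinguishing formula exactly as the proof builds B: ⟨α⟩ applied to the conjunction of the formulas that separate P' from each α-derivative Q'.

```python
# Added example (not from the slides): strong bisimilarity and distinguishing
# formulas on a constructed, finitely branching transition system with state
# predicates.  Names and binders are left out, so finite conjunction is enough.

# Constructed system: P lets the user choose the drink after the coin; Q makes
# the choice internally together with the coin.  "done" is a state predicate.
STATES = ["P", "P1", "P2", "Q", "Q1", "Q2", "Q3"]
TRANS = {
    ("P", "coin"): {"P1"}, ("P1", "tea"): {"P2"}, ("P1", "coffee"): {"P2"},
    ("Q", "coin"): {"Q1", "Q2"}, ("Q1", "tea"): {"Q3"}, ("Q2", "coffee"): {"Q3"},
}
PREDS = {"P2": {"done"}, "Q3": {"done"}}


def succ(trans, p, a):
    """All p' with p -a-> p'."""
    return trans.get((p, a), set())


def moves(trans, p):
    """All strong transitions of p as (action, target) pairs."""
    return [(a, p1) for (src, a), tgts in trans.items() if src == p for p1 in sorted(tgts)]


def step_ok(trans, rel, p, q):
    """Simulation clause for one pair: every move of p is matched by q inside rel."""
    return all(any((p1, q1) in rel for q1 in succ(trans, q, a)) for a, p1 in moves(trans, p))


def bisimilarity(states, trans, preds):
    """Greatest strong bisimulation by refinement.  Also records, for every pair
    that is thrown out, the round in which it was thrown out (round 0 means the
    static implication clause failed: the states satisfy different predicates)."""
    rel, removed = set(), {}
    for p in states:
        for q in states:
            if preds.get(p, set()) == preds.get(q, set()):
                rel.add((p, q))
            else:
                removed[(p, q)] = 0
    rnd = 0
    while True:
        rnd += 1
        bad = {(p, q) for (p, q) in rel
               if not (step_ok(trans, rel, p, q) and step_ok(trans, rel, q, p))}
        if not bad:
            return rel, removed
        rel -= bad
        removed.update({pq: rnd for pq in bad})


def distinguish(trans, preds, removed, p, q):
    """A formula F with p |= F and not q |= F, built along the refinement rounds
    as in the adequacy proof: <a> applied to the conjunction of the formulas
    distinguishing p' from every a-derivative q' of q (all separated earlier)."""
    r = removed[(p, q)]
    if r == 0:
        only_p = preds.get(p, set()) - preds.get(q, set())
        if only_p:
            return ("pred", min(only_p))
        return ("not", ("pred", min(preds.get(q, set()) - preds.get(p, set()))))
    for a, p1 in moves(trans, p):
        qs = succ(trans, q, a)
        if all(removed.get((p1, q1), r) < r for q1 in qs):
            return ("diamond", a, ("and", [distinguish(trans, preds, removed, p1, q1) for q1 in sorted(qs)]))
    # p matches every move of q at this round, so the unmatched move is on q's side
    return ("not", distinguish(trans, preds, removed, q, p))


def satisfies(trans, preds, p, f):
    """P |= A for the four constructors: state predicate, negation, conjunction, <alpha>A."""
    kind = f[0]
    if kind == "pred":
        return f[1] in preds.get(p, set())
    if kind == "not":
        return not satisfies(trans, preds, p, f[1])
    if kind == "and":
        return all(satisfies(trans, preds, p, g) for g in f[1])
    return any(satisfies(trans, preds, p1, f[2]) for p1 in succ(trans, p, f[1]))


def show(f):
    """Pretty-print a formula; the empty conjunction is printed as true."""
    kind = f[0]
    if kind == "pred":
        return f[1]
    if kind == "not":
        return "¬" + show(f[1])
    if kind == "and":
        return "(" + " ∧ ".join(map(show, f[1])) + ")" if f[1] else "⊤"
    return "<" + f[1] + ">" + show(f[2])


def distinguishing_formula(p, q):
    """None when p and q are bisimilar, otherwise a formula true at p and false at q."""
    rel, removed = bisimilarity(STATES, TRANS, PREDS)
    return None if (p, q) in rel else distinguish(TRANS, PREDS, removed, p, q)


if __name__ == "__main__":
    f = distinguishing_formula("P", "Q")
    print(show(f))  # <coin>(<coffee>⊤ ∧ <tea>⊤)
```

The refinement rounds are what make the recursion terminate: a pair thrown out in round r is separated only by pairs thrown out in earlier rounds, so the formula built for it is finite even when the system has cycles. With the three named pairs P/Q, the result is the familiar ⟨coin⟩(⟨coffee⟩⊤ ∧ ⟨tea⟩⊤), a formula of the finite-conjunction fragment, as slide 49 predicts for finitely branching systems.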

  51. Formalisation. All definitions and the adequacy theorem formalised in Nominal Isabelle (~2700 loc), out of which 150 loc are definitions and theorems. Significant new ideas for alpha-equivalence and finite support in data types with infinitary constructors. First ever mechanisation of an infinitely branching nominal datatype.

  52. Equivalences and Modal Logics for Unobservable Actions. Based on FORTE 2017 paper with Ramūnas Gutkovas, Lars-Henrik Eriksson, Joachim Parrow. Presentation based on slides by Tjark Weber, Joachim Parrow.

  53. Weak = disregard silent transitions. τ: an action with empty support (which implies bn(τ) = ∅) representing an unobservable action. P −τ→ P': P can evolve to P' without the environment noticing, without interacting with the environment, spontaneously, silently.

  54. Weak transitions, defined inductively:
  P ⇒ P' defined as P = P' ∨ P −τ→ ⇒ P'
  P =α⇒ P' defined as P ⇒ −α→ ⇒ P'
  P =α̂⇒ P' defined as P ⇒ P' if α = τ, and as P =α⇒ P' otherwise
  P =α⇒ P': P can evolve to P' through zero or more transitions with observable content α.

  55. Simulation. DEFINITION (simulation). A relation R on states satisfying: if R(P, Q) then if P −α→ P' and bn(α) # Q then ∃Q'. Q −α→ Q' and R(P', Q').

  56. Weak simulation. DEFINITION (weak simulation). A relation R on states satisfying: if R(P, Q) then if P −α→ P' and bn(α) # Q then ∃Q'. Q =α̂⇒ Q' and R(P', Q').

  57. Static implication? Can we re-use the static implication “if P ⊢ ϕ then Q ⊢ ϕ”? NO! Example: a transition system with two states P and Q, one transition P −τ→ Q, and one state predicate ϕ, holding in Q. Should P and Q be equivalent? YES!

  58. Weak static implication? (*) If P ⊢ ϕ then Q ⇒ Q' ⊢ ϕ. Example with three states P, Q, R: P −τ→ R and Q −τ→ R; ϕ0 and ϕ1 hold in P, ϕ0 holds in Q, ϕ1 holds in R. P and Q are weakly similar and satisfy (*). Are P and Q observationally equivalent, yes or no? No: observe ϕ1 and then observe ϕ0.

  59. Weak static implication! S is a weak static implication (WSI) if S(P, Q) implies: if P ⊢ ϕ then Q ⇒ Q' ⊢ ϕ and S(P, Q'). In the example above (P −τ→ R, Q −τ→ R; ϕ0 and ϕ1 in P, ϕ0 in Q, ϕ1 in R), {(P, Q), (P, R)} is NOT a WSI.

  60. Weak static implication: not enough by itself! (*) If P ⊢ ϕ then Q ⇒ Q' ⊢ ϕ and S(P, Q'). Example with states P, Q, P0, P1: P −α→ P0, P −τ→ P1, Q −α→ P0, Q −τ→ P1; ϕ holds in P and in P1. P and Q are weakly similar and the relation {(P, Q), (P, P1)} satisfies (*). Are P and Q observationally equivalent, yes or no? No: observe ϕ and then perform α.

  61. Weak static implication! In the same example: {(P, Q), (P0, P0), (P1, P1)} is a weak simulation but is NOT a WSI; {(P, Q), (P, P1)} is a WSI but is NOT a weak simulation. Must require the relation to be both WSI and weak simulation!

  62. Weak bisimulation. DEFINITION. A weak bisimulation is a symmetric relation R on states which is both a weak simulation and a weak static implication, i.e. R(P, Q) implies:
  if P −α→ P' and bn(α) # Q then ∃Q'. Q =α̂⇒ Q' and R(P', Q')
  if P ⊢ ϕ then Q ⇒ Q' ⊢ ϕ and R(P, Q')
  P ≈̇ Q if R(P, Q) for some weak bisimulation R.

  63. The three examples again:
  P −τ→ Q with ϕ in Q: P ≈̇ Q; {(P, Q), (Q, Q)} is a weak simulation and a WSI.
  P −τ→ R, Q −τ→ R with ϕ0 and ϕ1 in P, ϕ0 in Q, ϕ1 in R: P ≉̇ Q; no relation is a WSI.
  P −α→ P0, P −τ→ P1, Q −α→ P0, Q −τ→ P1 with ϕ in P and P1: P ≉̇ Q; no relation is both a weak simulation and a WSI.

  64. Exercise. Three states Q, P0, P1 with P0 −τ→ Q and P1 −τ→ Q; ϕ0 holds in P0, ϕ1 holds in P1, and both ϕ0 and ϕ1 hold in Q. Which of the three states are weakly bisimilar? Note: ϕ0 ∧ ϕ1 is not a state predicate. All of them! Let U be the universal relation on all three states: U is a weak simulation and U is a weak static implication.
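As an added worked example (my code, not from the slides or the FORTE 2017 paper), the definitions of slides 54 to 62 for finite state spaces without names: weak transitions as τ-closures, the weak simulation clause, the weak static implication clause, the weaker condition (*) of slide 58, and the greatest weak bisimulation by refinement. The four transition systems are constructed after the diagrams of slides 57, 58, 60 and 64 (with the state and predicate names the slides use, and "alpha"/"tau" as action names); since there are no binders, the side condition bn(α) # Q is trivially true and is not modelled.

```python
# Added example (not from the slides): weak transitions, weak simulation,
# weak static implication (WSI) and weak bisimilarity on finite state spaces.
# Names and binders are left out, so bn(alpha) # Q holds trivially.

TAU = "tau"


def tau_closure(trans, p):
    """All p' with p => p' (zero or more tau steps)."""
    seen, todo = {p}, [p]
    while todo:
        x = todo.pop()
        for y in trans.get((x, TAU), ()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def weak_succ(trans, p, a):
    """All p' with p =a-hat=> p': p => p' when a is tau, else p => -a-> => p'."""
    if a == TAU:
        return tau_closure(trans, p)
    out = set()
    for x in tau_closure(trans, p):
        for y in trans.get((x, a), ()):
            out |= tau_closure(trans, y)
    return out


def moves(trans, p):
    """Strong transitions p -a-> p1 as (a, p1) pairs."""
    return [(a, p1) for (src, a), tgts in trans.items() if src == p for p1 in tgts]


def sim_ok(trans, rel, p, q):
    """Weak simulation clause for one pair: each p -a-> p1 is matched by q =a-hat=> q1, (p1, q1) in rel."""
    return all(any((p1, q1) in rel for q1 in weak_succ(trans, q, a)) for a, p1 in moves(trans, p))


def wsi_ok(trans, preds, rel, p, q):
    """WSI clause: p |- phi implies q => q1 |- phi for some q1 with (p, q1) still in rel."""
    return all(any(phi in preds.get(q1, ()) and (p, q1) in rel for q1 in tau_closure(trans, q))
               for phi in preds.get(p, ()))


def star_ok(trans, pre, p, q):
    """The weaker condition (*) of slide 58: p |- phi implies q => q1 |- phi, nothing about (p, q1)."""
    return all(any(phi in pre.get(q1, ()) for q1 in tau_closure(trans, q)) for phi in pre.get(p, ()))


def is_weak_simulation(trans, rel):
    return all(sim_ok(trans, rel, p, q) for p, q in rel)


def is_wsi(trans, preds, rel):
    return all(wsi_ok(trans, preds, rel, p, q) for p, q in rel)


def weak_bisimilarity(states, trans, preds):
    """Greatest weak bisimulation: start from all pairs and drop every pair that
    fails either clause in either direction (keeping the relation symmetric)
    until nothing changes."""
    rel = {(p, q) for p in states for q in states}
    while True:
        bad = {(p, q) for p, q in rel
               if not (sim_ok(trans, rel, p, q) and wsi_ok(trans, preds, rel, p, q)
                       and sim_ok(trans, rel, q, p) and wsi_ok(trans, preds, rel, q, p))}
        if not bad:
            return rel
        rel -= bad


# Constructed systems after the slides' diagrams: (states, transitions, predicates).
# Slide 57: P -tau-> Q, phi holds in Q.
EX1 = (["P", "Q"], {("P", TAU): {"Q"}}, {"Q": {"phi"}})
# Slides 58/59: P -tau-> R, Q -tau-> R; phi0 and phi1 in P, phi0 in Q, phi1 in R.
EX2 = (["P", "Q", "R"], {("P", TAU): {"R"}, ("Q", TAU): {"R"}},
       {"P": {"phi0", "phi1"}, "Q": {"phi0"}, "R": {"phi1"}})
# Slides 60/61: P -alpha-> P0, P -tau-> P1, Q -alpha-> P0, Q -tau-> P1; phi in P and P1.
EX3 = (["P", "Q", "P0", "P1"],
       {("P", "alpha"): {"P0"}, ("P", TAU): {"P1"}, ("Q", "alpha"): {"P0"}, ("Q", TAU): {"P1"}},
       {"P": {"phi"}, "P1": {"phi"}})
# Slide 64 exercise: P0 -tau-> Q, P1 -tau-> Q; phi0 in P0, phi1 in P1, both in Q.
EX4 = (["Q", "P0", "P1"], {("P0", TAU): {"Q"}, ("P1", TAU): {"Q"}},
       {"P0": {"phi0"}, "P1": {"phi1"}, "Q": {"phi0", "phi1"}})


def bisimilar(example, p, q):
    states, trans, preds = example
    return (p, q) in weak_bisimilarity(states, trans, preds)


if __name__ == "__main__":
    print("slide 57, P ~ Q:", bisimilar(EX1, "P", "Q"))          # True
    print("slide 58, P ~ Q:", bisimilar(EX2, "P", "Q"))          # False
    print("slide 60, P ~ Q:", bisimilar(EX3, "P", "Q"))          # False
    print("exercise, all three:", len(weak_bisimilarity(*EX4)) == 9)  # True
```

The WSI clause is checked against the relation being refined, which is what distinguishes it from (*): in the slide 58 system the pair (P, Q) survives the first round only because (P, R) is still present, and is dropped as soon as (P, R) goes, so the refinement reproduces the "no relation is a WSI" conclusion of slide 63 without enumerating relations.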
