Proof Methodologies for Behavioural Equivalence in Dπ (Alberto Ciaffaglione, Matthew Hennessy, Julian Rathke; slide transcript)


1. Proof Methodologies for Behavioural Equivalence in Dπ

Alberto Ciaffaglione (1), Matthew Hennessy (2), Julian Rathke (2)
(1) Dipartimento di Matematica e Informatica, Università di Udine (Italy)
(2) Department of Informatics, University of Sussex (United Kingdom)

Conference of the Types Project, University of Nottingham, United Kingdom, April 18-21, 2006

2. Syntax of Dπ [HR02]

Systems:
$$
\begin{array}{rcll}
M, N & ::= & l\llbracket P \rrbracket & \text{located processes} \\
& \mid & M \,|\, N & \text{composition} \\
& \mid & (\mathsf{new}\; e : E)\, M & \text{name scoping} \\
& \mid & \mathbf{0} & \text{termination}
\end{array}
$$
Processes:
$$
\begin{array}{rcll}
R, U & ::= & u!\langle V \rangle R & \text{output} \\
& \mid & u?(X)\, R & \text{input} \\
& \mid & \mathsf{goto}\; v.\, T & \text{migration} \\
& \mid & (\mathsf{newc}\; c : C)\, R & \text{local channel creation} \\
& \mid & (\mathsf{newloc}\; k : K)\, R & \text{location creation} \\
& \mid & \mathsf{if}\; v_1 = v_2 \;\mathsf{then}\; R \;\mathsf{else}\; U & \text{matching} \\
& \mid & R \,|\, U & \text{parallelism} \\
& \mid & {*}R & \text{iteration} \\
& \mid & \mathsf{stop} & \text{termination}
\end{array}
$$

3. Behaviour

A configuration consists of a pair $I \triangleright M$, where:
• $I$ is a type environment, associating some type to every free name in $M$;
• there is a type environment $\Gamma$ such that $\Gamma \vdash M$ and $\Gamma <: I$.

The behaviour is defined in terms of actions over configurations, $I \triangleright M \xrightarrow{\mu} I' \triangleright M'$, where $\mu$ ranges over:
• $\tau$: an internal action, requiring no participation by the user;
• $(\tilde e : \tilde E)\, k.a?V$: the input of value $V$ along the channel $a$, located at the site $k$; the bound names in $(\tilde e)$ are freshly generated by the user;
• $(\tilde e : \tilde E)\, k.a!V$: analogous, for output.

4. Internal actions

(m-comm), in its two symmetric forms:
$$
\frac{I_1 \triangleright M \xrightarrow{(\tilde e : \tilde E)\, k.a?V} I_1' \triangleright M' \qquad I_2 \triangleright N \xrightarrow{(\tilde e : \tilde E)\, k.a!V} I_2' \triangleright N'}{I \triangleright M \,|\, N \xrightarrow{\tau} I \triangleright (\mathsf{new}\; \tilde e : \tilde E)(M' \,|\, N')}
\qquad
\frac{I_1 \triangleright M \xrightarrow{(\tilde e : \tilde E)\, k.a!V} I_1' \triangleright M' \qquad I_2 \triangleright N \xrightarrow{(\tilde e : \tilde E)\, k.a?V} I_2' \triangleright N'}{I \triangleright M \,|\, N \xrightarrow{\tau} I \triangleright (\mathsf{new}\; \tilde e : \tilde E)(M' \,|\, N')}
$$
The remaining internal actions are $\beta$-actions, written $\xrightarrow{\tau}_\beta$:
$$
\begin{array}{ll}
(\text{m-split}) & I \triangleright k\llbracket P \,|\, Q \rrbracket \xrightarrow{\tau}_\beta I \triangleright k\llbracket P \rrbracket \,|\, k\llbracket Q \rrbracket \\[3pt]
(\text{m-l.create}) & I \triangleright k\llbracket (\mathsf{newloc}\; l : L)\, P \rrbracket \xrightarrow{\tau}_\beta I \triangleright (\mathsf{new}\; l : L)\, k\llbracket P \rrbracket \\[3pt]
(\text{m-move}) & I \triangleright k\llbracket \mathsf{goto}\; l.\, P \rrbracket \xrightarrow{\tau}_\beta I \triangleright l\llbracket P \rrbracket \\[3pt]
(\text{m-c.create}) & I \triangleright k\llbracket (\mathsf{newc}\; c : C)\, P \rrbracket \xrightarrow{\tau}_\beta I \triangleright (\mathsf{new}\; c@k : C)\, k\llbracket P \rrbracket \\[3pt]
(\text{m-unwind}) & I \triangleright k\llbracket {*}P \rrbracket \xrightarrow{\tau}_\beta I \triangleright k\llbracket {*}P \,|\, P \rrbracket
\end{array}
$$

5. External actions

$$
(\text{m-in})\;\; \frac{I_w(k,a)\downarrow \qquad I \vdash_k V : I_w(k,a)}{I \triangleright k\llbracket a?(X)\, R \rrbracket \xrightarrow{k.a?V} I \triangleright k\llbracket R\{V/X\} \rrbracket}
\qquad
(\text{m-out})\;\; \frac{I_r(k,a)\downarrow}{I \triangleright k\llbracket a!\langle V \rangle P \rrbracket \xrightarrow{k.a!V} I, \langle V : I_r(k,a) \rangle @k \triangleright k\llbracket P \rrbracket}
$$
$$
(\text{m-weak})\;\; \frac{I, \langle e : E \rangle \triangleright M \xrightarrow{(\tilde d : \tilde D)\, k.a?V} I' \triangleright M' \qquad \mathit{bn}(e) \notin I}{I \triangleright M \xrightarrow{(e : E,\, \tilde d : \tilde D)\, k.a?V} I' \triangleright M'}
\qquad
(\text{m-open})\;\; \frac{I, \langle e : \top \rangle \triangleright M \xrightarrow{(\tilde d : \tilde D)\, k.a!V} I' \triangleright M'}{I \triangleright (\mathsf{new}\; e : E)\, M \xrightarrow{(e : E,\, \tilde d : \tilde D)\, k.a!V} I' \triangleright M'}
$$
$$
(\text{m-ctxt})\;\; \frac{I \triangleright M \xrightarrow{\mu} I' \triangleright M' \qquad \mathit{bn}(\mu) \notin \mathit{fn}(N)}{I \triangleright M \,|\, N \xrightarrow{\mu} I' \triangleright M' \,|\, N \qquad\quad I \triangleright N \,|\, M \xrightarrow{\mu} I' \triangleright N \,|\, M'}
\qquad
(\text{m-new})\;\; \frac{I, \langle e : \top \rangle \triangleright M \xrightarrow{\mu} I', \langle e : \top \rangle \triangleright M' \qquad \mathit{bn}(e) \notin \mu}{I \triangleright (\mathsf{new}\; e : E)\, M \xrightarrow{\mu} I' \triangleright (\mathsf{new}\; e : E)\, M'}
$$
Note the capability side conditions: the user can only feed an input on $a$ at $k$ if it holds the write capability $I_w(k,a)$, and can only observe an output if it holds the read capability $I_r(k,a)$; an observed output extends the user's knowledge $I$ with the value $V$ at the type $I_r(k,a)$.

6. Bisimulation equivalence

A binary relation $\mathcal R$ over configurations is a bisimulation [HMR04] if both it and its inverse satisfy the following transfer property: whenever $(I_M \triangleright M)\,\mathcal R\,(I_N \triangleright N)$ and $I_M \triangleright M \xrightarrow{\mu} I_M' \triangleright M'$, there is a weak move $I_N \triangleright N \stackrel{\hat\mu}{\Longrightarrow} I_N' \triangleright N'$ with $(I_M' \triangleright M')\,\mathcal R\,(I_N' \triangleright N')$:
$$
\begin{array}{ccc}
(I_M \triangleright M) & \mathcal R & (I_N \triangleright N) \\
\big\downarrow{\scriptstyle \mu} & \text{implies} & \big\Downarrow{\scriptstyle \hat\mu} \\
(I_M' \triangleright M') & \mathcal R & (I_N' \triangleright N')
\end{array}
$$
We denote by $\approx_{bis}$ the largest bisimulation between configurations, and write $I \models M \approx_{bis} N$. This is a relation over systems, parameterised over type environments ⇒ tractable proof techniques can be developed for it.

7. Proof techniques

Theorem 1 (Contextuality) [HMR04]. Suppose $I \models M \approx_{bis} N$. Then:
• $I \vdash O$ implies $I \models M \,|\, O \approx_{bis} N \,|\, O$;
• $I, \langle e : E \rangle \models M \approx_{bis} N$ implies $I \models (\mathsf{new}\; e : E)\, M \approx_{bis} (\mathsf{new}\; e : E)\, N$.

Proposition 1 (Structural equivalence). If $M \equiv N$, then $M \approx_{bis} N$.

Proposition 2 ($\beta$-actions). Suppose $I \triangleright M \,(\xrightarrow{\tau}_\beta)^{*}\, N$. Then $I \models M \approx_{bis} N$.

8. Proof techniques (cont'd)

A binary relation $\mathcal R$ between configurations is a bisimulation up-to-$\beta$ if both it and its inverse satisfy the following transfer property: whenever $(I_M \triangleright M)\,\mathcal R\,(I_N \triangleright N)$ and $I_M \triangleright M \xrightarrow{\mu} I_M' \triangleright M'$, there is a weak move $I_N \triangleright N \stackrel{\hat\mu}{\Longrightarrow} I_N' \triangleright N'$ such that
$$
(I_M' \triangleright M') \;\; \big((\xrightarrow{\tau}_\beta)^{*} \circ \equiv\big) \circ \mathcal R \circ \approx_{bis} \;\; (I_N' \triangleright N')
$$
$$
\begin{array}{ccc}
(I_M \triangleright M) & \mathcal R & (I_N \triangleright N) \\
\big\downarrow{\scriptstyle \mu} & \text{implies} & \big\Downarrow{\scriptstyle \hat\mu} \\
(I_M' \triangleright M') & ((\xrightarrow{\tau}_\beta)^{*} \circ \equiv) \circ \mathcal R \circ \approx_{bis} & (I_N' \triangleright N')
\end{array}
$$
Proposition 3 (Bisimulations up-to-$\beta$). If $(I \triangleright M)\,\mathcal R\,(I \triangleright N)$, where $\mathcal R$ is a bisimulation up-to-$\beta$, then $I \models M \approx_{bis} N$.

9. Crossing a firewall

Firewall [CG98, CG99, LS00, MN03] as a domain to which access is restricted:
$$
F \Leftarrow (\mathsf{new}\; f : F)\, f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket
$$
The existence of the firewall is made known only to a located agent:
$$
A \Leftarrow a\llbracket R \,|\, \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket
$$
Then, we prove the equivalence:
$$
I \models F \,|\, A \;\approx_{bis}\; (\mathsf{new}\; f : F)(f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, Q \rrbracket) \,|\, a\llbracket R \rrbracket \qquad (1)
$$
relative to a restricted environment $I$, such that:
(i) $I \vdash_{max} \mathsf{tell} : r\langle F \rangle @a$ (the user's capability on $\mathsf{tell}$ at $a$ is at most the read capability for values of type $F$);
(ii) $I \vdash a\llbracket R \rrbracket$;
(iii) $I \vdash (\mathsf{new}\; f : F)\, f\llbracket P \rrbracket$.

10. Firewall: the formal proof

Since, up to structural equivalence:
$$
F \,|\, A \xrightarrow{\tau}_\beta F \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \,|\, a\llbracket R \rrbracket
$$
by Propositions 1 and 2 it is sufficient to prove:
$$
I \models F \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \,|\, a\llbracket R \rrbracket \;\approx_{bis}\; (\mathsf{new}\; f : F)(f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, Q \rrbracket) \,|\, a\llbracket R \rrbracket
$$
By Contextuality and assumption (ii) we reduce to:
$$
I \models F \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \;\approx_{bis}\; (\mathsf{new}\; f : F)(f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, Q \rrbracket)
$$
Then, by structural equivalence (extruding the scope of $f$ over $a\llbracket \ldots \rrbracket$, in which $f$ is not free), and again Contextuality (its second clause, which discharges the outermost $(\mathsf{new}\; f : F)$ on both sides), to:
$$
I_f \models f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \;\approx_{bis}\; f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, Q \rrbracket
$$
where $I_f$ is a shorthand for $I, \langle f : F \rangle$.

11. Firewall: the formal proof (cont'd)

Since:
$$
\begin{array}{l}
f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \xrightarrow{\tau}_\beta f\llbracket P \rrbracket \,|\, f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \\[4pt]
f\llbracket P \,|\, {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, Q \rrbracket \,(\xrightarrow{\tau}_\beta)^{*}\, f\llbracket P \rrbracket \,|\, f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, f\llbracket Q \rrbracket
\end{array}
$$
by Proposition 2, Contextuality and assumption (iii), we reduce finally to:
$$
I_f \models f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \;\approx_{bis}\; f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, f\llbracket Q \rrbracket
$$
⇒ We define the parameterised relation $\mathcal R$ by letting $J \models M \,\mathcal R\, N$ whenever:
(a) $J \triangleright M$ is a configuration and $N$ is the same as $M$;
(b) or $J$ is $I_f$ and
• $M$ has the form $f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket \,|\, \Pi_n\, (a\llbracket \mathsf{tell}!\langle f \rangle \rrbracket)^n$
• $N$ has the form $f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, f\llbracket Q \rrbracket \,|\, \Pi_n\, (a\llbracket \mathsf{tell}!\langle f \rangle \rrbracket)^n$
where $(a\llbracket \mathsf{tell}!\langle f \rangle \rrbracket)^n$ is the parallel composition of $n$ copies of the announcement that has already migrated to $a$.
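Worked derivation (added here; it is not on the slides) of how one copy of $a\llbracket \mathsf{tell}!\langle f \rangle \rrbracket$ arises and is consumed on the $M$ side of the last equation, using only the rules of slides 4 and 5; the type environment $I_f$ is unchanged by $\beta$-steps and by (m-comm), and a trailing $a\llbracket \mathsf{stop} \rrbracket$ is $\equiv \mathbf{0}$:
$$
\begin{array}{rcll}
I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket
& \xrightarrow{\tau}_\beta & I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \,|\, \mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket & \text{(m-unwind)} \\[3pt]
& \xrightarrow{\tau}_\beta & I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, f\llbracket \mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket & \text{(m-split)} \\[3pt]
& \xrightarrow{\tau}_\beta & I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{tell}?(x)\, \mathsf{goto}\; x.\, Q \rrbracket & \text{(m-move)} \\[3pt]
& \xrightarrow{\tau} & I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{stop} \rrbracket \,|\, a\llbracket \mathsf{goto}\; f.\, Q \rrbracket & \text{(m-comm)} \\[3pt]
& \xrightarrow{\tau}_\beta & I_f \triangleright f\llbracket {*}\mathsf{goto}\; a.\, \mathsf{tell}!\langle f \rangle \rrbracket \,|\, a\llbracket \mathsf{stop} \rrbracket \,|\, f\llbracket Q \rrbracket & \text{(m-move)}
\end{array}
$$
The third configuration is the $n = 1$ instance of the shape required of $M$ in clause (b) of $\mathcal R$; copies that are not consumed by the communication stay at $a$ (and may be read by the user, since by (i) it holds the read capability on $\mathsf{tell}$ at $a$), which is why $\mathcal R$ must carry an arbitrary number $n$ of them. The last configuration is, up to $\equiv$ and clause (b), the $N$ side. The only process reading on $\mathsf{tell}$ at $a$ is the agent's; if the user could also write on $\mathsf{tell}$ at $a$, which is what assumption (i) rules out, it could supply a location of its own for $x$ and redirect $Q$ there, a behaviour the $N$ side cannot match.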

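The following is an added example, not code from the slides or their authors: a small interpreter for exactly the Dπ fragment used on slides 4, 5 and 9-11 (located processes, output, input, goto, replication, with (m-split) applied eagerly), where the user's type environment is modelled as read/write capabilities on located channels as in (m-out)/(m-in). It compares the weak traces, up to a bound, of the two sides of the final equation on slide 11, once with the user restricted as in assumption (i) and once with the user additionally able to write on tell at a. Assumptions of the example: Q is the single output q!⟨done⟩ at the site where it runs, the type F grants the user the read capability on q at f once f has been learnt, the user owns a location b, and replication is unfolded at most n+1 times. Equal bounded trace sets are a necessary condition for bisimilarity and a useful sanity check; they are not the up-to-β bisimulation proof the slides carry out.

```python
"""Bounded weak-trace comparison for the Dpi firewall example (added example)."""

# ---- Dpi process syntax as nested tuples; names and variables are strings
STOP = ('stop',)
def out(ch, val, cont=STOP): return ('out', ch, val, cont)   # ch!<val> cont
def inp(ch, var, cont=STOP): return ('in', ch, var, cont)    # ch?(var) cont
def goto(loc, cont): return ('goto', loc, cont)              # goto loc. cont
def rep(p): return ('rep', p)                                # *p
def par(*ps): return ('par',) + ps                           # p | q

def subst(p, var, val):
    """p{val/var}; variables are assumed distinct from names, so no capture."""
    s = lambda n: val if n == var else n
    tag = p[0]
    if tag == 'stop':
        return p
    if tag == 'out':
        return ('out', s(p[1]), s(p[2]), subst(p[3], var, val))
    if tag == 'in':
        ch, x, cont = p[1], p[2], p[3]
        return ('in', s(ch), x, cont if x == var else subst(cont, var, val))
    if tag == 'goto':
        return ('goto', s(p[1]), subst(p[2], var, val))
    if tag == 'rep':
        return ('rep', subst(p[1], var, val))
    return ('par',) + tuple(subst(q, var, val) for q in p[1:])

# Assumed type F of the firewall name: learning f grants read access to q at f.
TYPES = {'f': frozenset({('f', 'q')})}

def mk(items, read, write, known, budget):
    """Canonical configuration: (m-split) applied eagerly, stop dropped."""
    flat, stack = [], list(items)
    while stack:
        k, p = stack.pop()
        if p[0] == 'par':
            stack.extend((k, q) for q in p[1:])
        elif p[0] != 'stop':
            flat.append((k, p))
    return (tuple(sorted(flat, key=repr)), frozenset(read),
            frozenset(write), frozenset(known), budget)

def step(state):
    """Yield (action, state'); action is None for tau, else a visible label."""
    procs, read, write, known, budget = state
    items = list(procs)
    for i, (k, p) in enumerate(items):
        rest = items[:i] + items[i + 1:]
        tag = p[0]
        if tag == 'goto':                                  # (m-move)
            yield None, mk(rest + [(p[1], p[2])], read, write, known, budget)
        elif tag == 'rep' and budget > 0:                  # (m-unwind), bounded
            yield None, mk(rest + [(k, p), (k, p[1])], read, write, known, budget - 1)
        elif tag == 'out':
            _, c, v, cont = p
            for j, (k2, q) in enumerate(items):            # (m-comm): same site, same channel
                if j != i and k2 == k and q[0] == 'in' and q[1] == c:
                    others = [it for h, it in enumerate(items) if h not in (i, j)]
                    yield None, mk(others + [(k, cont), (k, subst(q[3], q[2], v))],
                                   read, write, known, budget)
            if (k, c) in read:                             # (m-out): user holds I_r(k,c)
                yield ('out', k, c, v), mk(rest + [(k, cont)], read | TYPES.get(v, frozenset()),
                                           write, known | {v}, budget)
        elif tag == 'in' and (k, p[1]) in write:           # (m-in): user holds I_w(k,c)
            _, c, x, cont = p
            for v in sorted(known):                        # user may send any name it knows
                yield ('in', k, c, v), mk(rest + [(k, subst(cont, x, v))], read, write, known, budget)

def weak_traces(state, n):
    """All sequences of at most n visible actions, abstracting from tau steps."""
    traces, seen, todo = set(), set(), [(state, ())]
    while todo:
        st, tr = todo.pop()
        if (st, tr) in seen:
            continue
        seen.add((st, tr))
        traces.add(tr)
        for act, nxt in step(st):
            if act is None:
                todo.append((nxt, tr))
            elif len(tr) < n:
                todo.append((nxt, tr + (act,)))
    return traces

# The two sides of the final equation on slide 11 (P and R already peeled off).
TELL_F = rep(goto('a', out('tell', 'f')))                    # *goto a.tell!<f>
Q = out('q', 'done')                                          # assumed Q
M = [('f', TELL_F), ('a', inp('tell', 'x', goto('x', Q)))]   # f[[*goto a.tell!<f>]] | a[[tell?(x) goto x.Q]]
N = [('f', TELL_F), ('f', Q)]                                 # f[[*goto a.tell!<f>]] | f[[Q]]

def compare(user_can_write_tell, n=3):
    """Weak traces of M and N under a user with read capability on tell@a and a
    location b of its own; user_can_write_tell adds I_w(a, tell), i.e. violates (i).
    Returns (equal, traces only of M, traces only of N)."""
    read = {('a', 'tell'), ('b', 'q')}
    write = {('a', 'tell')} if user_can_write_tell else set()
    budget = n + 1          # n announcements plus one consumed by the internal tell-communication
    tm = weak_traces(mk(M, read, write, {'b'}, budget), n)
    tn = weak_traces(mk(N, read, write, {'b'}, budget), n)
    return tm == tn, sorted(tm - tn), sorted(tn - tm)

if __name__ == '__main__':
    print('user read-only on tell@a :', compare(False)[0])
    eq, only_m, _ = compare(True)
    print('user can write tell@a    :', eq, only_m[:2])
```

With the user held to assumption (i) the two trace sets coincide: both sides let the user read tell!⟨f⟩ at a any number of times and then observe Q at f. Granting the user I_w(a, tell) yields the trace a.tell?b followed by b.q!done on the M side only, since the user's own location b is substituted for x and Q migrates there, while nothing on the N side ever listens on tell.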