A Polynomial Translation of  -Calculus (FCP) to Safe Petri Nets Roland Meyer 1, Victor Khomenko 2, and Reiner Hüchting 1 1 Department of Computing Science, University of Kaiserslautern, Germany 2 School of Computing Science, Newcastle University, UK

2  -Calculus A formalism (process algebra) for modelling mobile and reconfigurable systems Processes communicate by message passing: channels are sent via channels  passing an IP address or hyperlink  passing a pointer/reference to a procedure New fresh channels can be dynamically created (Logical) interconnect topology changes over time

3  -Calculus: example P1P1 P2P2 P3P3 … Scheduler Task generators TG 1 TG 2 TG k … Array of processors

4  -Calculus Syntax P ::= 0  | K ⌊ a 1,…,a n ⌋  | P + P  | P | P  | .P  | a:P  ::= a  | a(x)  |  No replication operator ‘!’ – using recursive definitions of the form K ⌊ a 1,…,a n ⌋ :=P instead Input prefix a(x).P and restriction x:P bind name x in P NOCLASH assumption (can always be enforced by  - conversion): each name is bound at most once the sets of bound and free names are disjoint stop callchoiceParallel composition prefix restriction

5 Finite Control Processes  -Calculus is expressive (Turing-powerful), so nothing is decidable Wanted: a (syntactic) fragment that is decidable but retains a reasonable degree of expressiveness sufficient for modelling practical mobile and reconfigurable systems Finite Control Processes (FCP): parallel composition of a fixed number of sequential (i.e. not using the | operator) processes (threads) Good compromise between expressiveness and verifiability

6 Motivation for FCP  PN translation FCPs have complicated semantics, and thus difficult for model checking:  checking if two terms are structurally congruent is graph isomorphism complete  difficult to use condensed representations of the state space  difficult to use reductions when exploring the state space In contrast, safe low-level PNs are well suited for model checking, with many efficient heuristics available

7 Our contribution Safe low-level PNs: Efficient verification Not convenient for reconfigurability FCPs: Convenient for modelling reconfigurability Verification is hard Gap

8 Complexity-theoretic considerations Any reachable state of an FCP can be represented by a term bounded by the FCP’s size Hence an FCP can be simulated by a Turing machine with linear in the FCP’s size tape (characterises PSPACE) A Turing machine with a bounded tape can be simulated by a safe low-level PN of polynomial size Hence a polynomial translation from FCPs to safe low- level PNs must exist This argument is constructive, but the resulting PN would be big and ugly Wanted: A natural polynomial FCP  PN translation, suitable for practical verification

9 Related work Much work concerning  -Calculus  PN translations has been performed Mostly theoretical, often concerning the full  - Calculus and so results in infinite PNs or undecidable PN classes (inhibitor arcs, coloured with infinite sets of colours, etc.) Existing FCP  PN translations (or restrictions of  - Calculus  PN translations to FCPs) are non- polynomial and/or have an unnecessarily powerful target formalism (coloured / inhibitor / transfer PNs) Our contribution: natural polynomial FCP  safe low-level PN translation suitable for practical verification

10 Principles of translation Replace restricted names by fresh public ones, e.g. x. y.P and P[ab/xy] (a & b are fresh) are bisimilar Recycle the fresh names to avoid generating unbounded number of them:  static bound on the number of names an FCP can ‘remember’  if P reacts with x.Q and a is a currently unused (recycled) public name then P reacts with Q[a/x]  PN keeps track of the currently used names Distributed representation of the substitution:  P[ab/xy]=P[a/x][b/y], so [a/x] and [b/y] are treated as independent variables and represented by separate PN places

11 Translation N subs  H(N 1 || … || N n ) Substitution net Implementation operator Hiding operator State machines implementing threads Parallel composition operator

12 Translation: Pre-processing Ensure that each thread of the FCP has its own set of process definitions: K(u,v):= .L(u,v)K(u,v):= .L(u,v) L(x,y):= .K(x,y)L(x,y):= .K(x,y) K’(u’,v’):= .L’(u’,v’) L’(x’,y’):= .K’(x’,y’) K ⌊ a,b ⌋ | K ⌊ b,c ⌋ K ⌊ a,b ⌋ | K’ ⌊ b,c ⌋ At most quadratic increase in size – can be recovered by using symmetries in model checking

13 Translation: Substitution net p1p1 p2p2  p np n1n1 n2n2  n nn i1i1           i ni        f1f1        f nf      r1r1 Restricted names are never mapped to public ones, so no places here      r nr       Input names Formal parameters Restricted names Public names Recyclable names Operations: test(x=y) map(x,y) unmap(x,y) The operations do not interfere when applied to different names Complimentary places allow to determine which names are currently unused

14 Translation: Control of threads Model the control of each thread by a finite state machine; its transitions carry two labels:  communication action send(a,b), rec(a,b) or   set of commands working with the substitution: test(x=y), map(x,y), unmap(x,y) Additional transitions are inserted to initialise restricted names, pass parameters, and to unmap bound names when they go out of scope

15 Control of threads: Examples SS send(p 1,p 1 ) send(p 1,p 2 ) send(n nn,n nn ) {test(x=p 1 ), test(y=p 1 )} … … … {test(x=p 1 ), test(y=p 2 )} {test(x=n nn ), test(y=n nn )} SS rec(p 1,p 1 ) rec(p 1,p 2 ) rec(n nn,n nn ) {test(x=p 1 ), map(y,p 1 )} … … … {test(x=p 1 ), map(y,p 2 )} {test(x=n nn ), map(y,n nn )}  x.S+…  x(y).S+… SendReceive  r.P PP    {map(r,n 1 )} {map(r,n 2 )} {map(r,n nn )} … … … Restriction

16 Translation: Parallel composition Synchronise the send actions with the corresponding rec actions, with the resulting label  and the sets of commands united  the original transitions are not removed and available for further synchronisations PP send(a,b) … … {test(u=a), test(v=b)}  u.P+… SS rec(a,b) … … {test(x=a), map(y,b)}  x(y).S+…  {test(u=a), test(v=b), test(x=a), map(y,b)} PP send(a,b) … … {test(u=a), test(v=b)}  u.P+… SS rec(a,b) … … {test(x=a), map(y,b)}  x(y).S+… ||

17 Translation: Hiding Remove the non-  transitions after all the parallel compositions are performed All the remaining transitions are  –labelled, so can drop this label – only a set of commands is attached to each transition now PP send(a,b) … … {test(u=a), test(v=b)}  u.P+… SS rec(a,b) … … {test(x=a), map(y,b)}  x(y).S+…  {test(u=a), test(v=b), test(x=a), map(y,b)}

18 Translation: Implementation operator Implements the commands attached to each transition by adding arcs between this transition and the places in the substitution net: test(x=a) … … x=a map(x,a) … … x=a xaxa unmap(x,a) … … x=a xaxa map(r,n) … … r=n r*nr*n i1ni1ni ni  n … f1nf1n f nf  n … [r *  n]

19 Implementation operator: Examples Example: communication and restriction: PP … …  u.P+… SS … …  x(y).S+… {test(u=a), test(v=b), test(x=a), map(y,b)} PP … …  r.P {map(r,n)} u=a v=b x=a y=b ybyb i1ni1ni ni  n r=n r*nr*n … f1nf1n f nf  n …

20 Correctness and size of the translation Weak bisimulation between FCP and PN Strong bisimulation between FCP and the ‘stable’ transition system of PN The size of the resulting PN is O(|FCP| 4 )  dominated by the number of transitions modelling communication  reduced down to O(|FCP| 3 ) on the next slide  the PN is significantly smaller in practice than the worst case suggests

21 Optimisations Split the transitions modelling communication:  model communication between a and x(y) not by a single step but by a pair of steps: the first checks that a=x, and the second maps y to b  reduces the size of the resulting PN from O(|FCP| 4 ) down to O(|FCP| 3 ) Bound names that are never simultaneously active can share the same row of places in the substitution net Can statically compute good approximations of the domains of bound names Can share subnets for unmapping bound names that go out of scope Can use symmetries reduction during model checking Etc. – see the paper and technical report

22 Extensions Polyadic communication: exchanges multiple names in a single reaction, i.e. prefixes a and b(y 1,…,y n ) can react iff a=b, and after synchronisation each y i gets the value of x i  can be achieved by generalising the ‘communication splitting’ idea Match and mismatch: modelled by transitions testing the [non-]equality of two names in the substitution  reachable states corresponding to the ‘stuck between the guards’ situation have to be declared invalid (they can easily be distinguished from the valid ones, so still OK for model checking)

23 Experimental results Translation has been implemented in the fcp2pn tool: The practicality of the approach was demonstrated as follows:  a number of FCPs, including scalable ones, were translated to safe PNs using fcp2pn  the PNs grow much slower with |FCP| than the worst-case bound suggests  optimisations work very well  the PNs were checked for deadlocks using LOLA, with good results

24 Conclusions First polynomial translation from FCPs to safe low- level PNs The translation is natural, i.e. there is a close correspondence between the control flows of the FCP and the resulting PN The resulting PN is suitable for practical model checking Proposed a number of optimisations Extensions to polyadic communication and match/mismatch Implemented in the fcp2pn tool Encouraging experimental results

25 Thank you! Any questions?