Programming Paradigms for Concurrency Lecture 12 Part III – Message Passing Concurrency


Notions of Behavioral Equivalence in the π-Calculus

Formal Reasoning about Systems When can one system be safely replaced by another? When is one system a refinement of another system? ⇒ To answer such questions we need to formally relate the behavior of systems.

Vending Machines Consider the following two process terms:

Vending Machines They denote the same sets of traces (trace equivalence). But are they indistinguishable? [figure: the transition graphs of P and Q]

Let’s add a Coffee Drinker C. Parallel composition of P and C gives [figure: the composed system of P and C]

Let’s add a Coffee Drinker. Parallel composition of Q and C gives [figure: the composed system of Q and C], which can deadlock.

Trace Equivalence Trace equivalent processes are not guaranteed to behave identically in every process context. ⇒ Trace equivalence is not a congruence on process terms. ⇒ We need a finer notion of process equivalence.

Simulation Relations A binary relation on transition systems (respectively their states) – formalizes under which conditions one system correctly implements another (i.e., behaves in the same way). Important for system synthesis – stepwise refinement of a system specification M_S into an implementation M_I: M_I ≼ ... ≼ M_S. Important for system verification – simulation relations formalize abstractions – instead of proving M ⊨ φ directly, prove M ≼ M' and then M' ⊨ φ. We focus on simulation relations on states of systems.

(Strong) Simulation Let M = ⟨S, L, →, I⟩ be a labeled transition system and R ⊆ S × S a binary relation on states of M. R is called a simulation over M iff … We say that s simulates t, written …, if there exists a strong simulation R such that s R t. As we shall see, in the π-calculus it gets slightly more complicated...

Strong Bisimulation A binary relation R over S is called a bisimulation over LTS M = ⟨S, L, →, I⟩ iff both R and its inverse R⁻¹ are simulations for M. We say that s bisimulates t, written s ∼ t, iff there exists a bisimulation R such that s R t.

Properties of Bisimilarity The relation ∼ is – an equivalence relation – itself a bisimulation – the largest bisimulation, i.e., for all bisimulations R of an LTS M, R ⊆ ∼ – decidable for finite LTS – decidable for some infinite LTS (e.g. timed automata) – undecidable for π-calculus processes (and already for CCS)

Vending Machines Q simulates P because … is a simulation for Q and P. [figure: the transition graphs of P (states P, P1) and Q (states Q, Q1, Q2)]

Vending Machines But P does not simulate Q: [figure: the transition graphs of P (states P, P1) and Q (states Q, Q1, Q2)] ⇒ No relation can contain the pair (P, Q)
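The vending machines and the coffee drinker as finite labeled transition systems, with the trace, simulation, bisimulation and deadlock checks run over them. This is an added example and not part of the lecture slides; the process terms P = coin.(coffee + tea), Q = coin.coffee + coin.tea and C = coin.coffee are my reconstruction from the state names (P, P1, Q, Q1, Q2) and the deadlock remark on the slides. In the slides' wording "s simulates t" means there is a simulation R with s R t, i.e. t answers every move of s; `refines(lts, s, t)` below checks exactly that, so `refines(WORLD, "Q", "P")` holds and `refines(WORLD, "P", "Q")` fails, as on the slides.

```python
from itertools import product

# Constructed LTSs (assumption: the slide's process terms are P = coin.(coffee + tea),
# Q = coin.coffee + coin.tea and the coffee drinker C = coin.coffee).
# Representation: state -> set of (label, successor).
VENDING_P = {
    "P":  {("coin", "P1")},
    "P1": {("coffee", "P"), ("tea", "P")},
}
VENDING_Q = {
    "Q":  {("coin", "Q1"), ("coin", "Q2")},
    "Q1": {("coffee", "Q")},
    "Q2": {("tea", "Q")},
}
DRINKER_C = {
    "C":  {("coin", "C1")},
    "C1": {("coffee", "C")},
}
# All three machines in one LTS so that one relation can range over P- and Q-states.
WORLD = {**VENDING_P, **VENDING_Q, **DRINKER_C}


def traces(lts, s, depth):
    """Prefix-closed set of traces of length <= depth starting in s."""
    out = {()}
    if depth > 0:
        for lab, s2 in lts[s]:
            out |= {(lab,) + tr for tr in traces(lts, s2, depth - 1)}
    return out


def _answered(lts, rel, s, t, flip=False):
    """Every move s -a-> s' is answered by some t -a-> t' with the successor pair in rel.
    With flip=True the pair is looked up as (t', s'), which checks the inverse relation."""
    for lab, s2 in lts[s]:
        if not any(lab2 == lab and ((t2, s2) if flip else (s2, t2)) in rel
                   for lab2, t2 in lts[t]):
            return False
    return True


def greatest_relation(lts, bisim):
    """Largest (bi)simulation on lts: start from S x S and drop pairs that violate the
    transfer condition until nothing changes (greatest fixpoint)."""
    rel = set(product(lts, lts))
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            ok = _answered(lts, rel, s, t)
            if bisim:
                ok = ok and _answered(lts, rel, t, s, flip=True)
            if not ok:
                rel.discard((s, t))
                changed = True
    return rel


def refines(lts, s, t):
    """s ≼ t: t can answer every move of s (the slides say 's simulates t')."""
    return (s, t) in greatest_relation(lts, bisim=False)


def bisimilar(lts, s, t):
    """s ∼ t: some bisimulation relates s and t."""
    return (s, t) in greatest_relation(lts, bisim=True)


def deadlocks(lts, s, t):
    """Deadlocked states of the synchronous product of s and t (both sides must take the
    same label). Returns the set of reachable pairs that have no joint transition."""
    seen, stack, stuck = {(s, t)}, [(s, t)], set()
    while stack:
        a, b = stack.pop()
        succ = {(a2, b2) for la, a2 in lts[a] for lb, b2 in lts[b] if la == lb}
        if not succ:
            stuck.add((a, b))
        for pair in succ - seen:
            seen.add(pair)
            stack.append(pair)
    return stuck
```

Running the checks reproduces the slides' argument: P and Q have the same traces, Q ≼ P but not P ≼ Q, the two are not bisimilar, and the product of Q with the drinker reaches the deadlocked pair (Q2, C1) while the product of P with the drinker does not.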

(Bi)simulation and Value Passing Our earlier definition of simulation does not quite work for the π-calculus. Assume z ∈ fn(R, x). Then the process terms … would not be bisimilar because … but … However, P and Q are structurally equivalent and both can take transitions x(w) for any other w.

Simulation for the π-calculus … (the slide also marks the early variant). Bisimulation and bisimilarity ∼ are defined as before.

Properties of Late Bisimulation The relation ∼ is – an equivalence relation – itself a late bisimulation – the largest late bisimulation – a congruence for process terms. Structural congruence ≡ is a late bisimulation, but ≡ is not identical to ∼. Are there algebraic laws for ∼ similar to the ones we used to define ≡?

Algebraic Laws for Late Bisimulation Define the relation ≈ as follows: the rules as for ≡ plus one more rule for parallel composition.

Rule for Parallel Composition

Soundness and Completeness Theorem. For all process terms P and Q: P ∼ Q iff P ≈ Q. One of the main results of [Milner, Parrow, Walker, 1992]. ⇒ We can use equational reasoning to prove bisimilarity of process terms.

Beyond this Lecture Other notions of bisimulation for the π-calculus – weak bisimulation: allow stuttering transitions – barbed bisimulation: induces a congruence equivalent to early strong bisimulation. Logical characterizations of bisimulation – Hennessy-Milner Logic for CCS [1985] – π-μ-calculus [Dam, 2003]

Model Checking Scala Actors

A Publish/Subscribe Service in Scala

```scala
import scala.actors.Actor

// Message vocabulary. The slide elides most constructors; Subscribe, Unsubscribe,
// Publish, Who, Credential, Deny and Content are declared here so the code type-checks.
sealed abstract class Category
case object Cat1 extends Category
// ... one case object per category, as on the slide
case object CatN extends Category

case object List
case class Categories(cats: Set[Category])
case class Subscribe(c: Category)
case class Unsubscribe(c: Category)
case object Publish
case object Who
case object Credential
case object Deny
case class Content(c: Category)

// `*` on the slide denotes a nondeterministic choice resolved by the model checker, and
// `cats.choose` picks an arbitrary element; both are model notation, not Scala API.

class Server extends Actor {
  // enl maps each category to the set of subscribers enlisted for it
  def loop(enl: Map[Category, Set[Actor]]): Unit = {
    val cats = Set(Cat1, ..., CatN)
    react {
      case List =>
        reply(Categories(cats))
        react {
          case Subscribe(c) => loop(enl + (c -> (enl(c) + sender)))
        }
      case Unsubscribe(c) =>
        loop(enl + (c -> (enl(c) - sender)))     // slide wrote enl(c) + c -> ..., a typo
      case Publish =>
        reply(Who)
        react {
          case Credential =>
            if (*) {                                // credential accepted
              reply(Categories(cats))
              react {
                case Content(c) =>
                  enl(c).foreach(_ ! Content(c))   // forward to every enlisted subscriber
                  loop(enl)
              }
            } else {
              reply(Deny)
              loop(enl)
            }
        }
    }
  }
  // every category starts with no subscribers
  override def act(): Unit = loop(Map.empty.withDefaultValue(Set.empty))
}

class Subscriber(server: Actor) extends Actor {
  def loop(cat: Category): Unit = {
    if (*) {
      react {
        case Content(c) =>
          if (c != cat) error("...")               // local error state: wrong category
          loop(cat)
      }
    } else {
      server ! Unsubscribe(cat)
      exit('normal)
    }
  }
  override def act(): Unit = {
    server ! List
    react {
      case Categories(cats) =>
        val cat = cats.choose
        server ! Subscribe(cat)                    // enlist (the Server's List handler waits for this)
        loop(cat)
    }
  }
}

class Publisher(server: Actor) extends Actor {
  override def act(): Unit = {
    server ! Publish
    react {
      case Who =>
        reply(Credential)
        react {
          case Categories(cats) =>
            val c = cats.choose
            reply(Content(c))
            if (*) act() else exit('normal)
          case Deny => exit('badCredential)
        }
    }
  }
}
```

A Publish/Subscribe Service in Scala [figure: a Server whose enl(Cat1) and enl(Cat2) links point to Subscribers, each Subscriber's server link pointing back to the Server, a Publisher, and a Content(Cat1) message carrying its sender] Infinite state system: the number of Subscriber and Publisher processes and the number of messages in mailboxes can grow unboundedly.

Verification of Safety Properties “Shape Invariants” [figure: Server and Subscriber linked by server and enl(Cat1), a Content(Cat1) message with its sender] “The server link of a Subscriber always points to a Server” “Subscribers only receive content they are enlisted to” “No process ever reaches a local error state”

Undecidability of Verification Problems [figure: encoding of a two counter machine as a state machine with two chains of counter cells C linked by next] Are there any interesting fragments with decidable verification problems?

Depth-Bounded Systems (DBS) [Meyer 2008] Definition A system is depth-bounded iff there exists a constant that bounds the length of all simple paths in all reachable state graphs. The actual definition is in terms of π-calculus processes.

Depth-Bounded Systems (DBS) [figure: the publish/subscribe configuration with Server, two Subscribers, a Publisher and two Content(Cat1) messages with sender links] maximal length of any simple path is 5

The Covering Problem Given a transition system and a bad configuration decide whether there is a reachable configuration that “covers” the bad one. [figure: a path from init to a configuration that covers bad]

The Covering Problem Application: verify absence of bad patterns, e.g. “Subscribers only receive content they are enlisted to” [figure: a Subscriber enlisted for Cat1 receiving Content(Cat2)] The covering problem is decidable for DBSs.

Well-Quasi-Orderings Definition A relation ≤ ⊆ S × S is a well-quasi-ordering iff – ≤ is a quasi-ordering (reflexive and transitive) – for any infinite sequence s_1, s_2, … there are i < j such that s_i ≤ s_j. Examples – identity relation on a finite set – order on the natural numbers – extension of a well-quasi-ordering on an alphabet to words over the alphabet (Higman’s Lemma) – tree embedding order (Kruskal’s Tree Theorem)

Well-Structured Transition Systems (WSTS) [Finkel 1987] Definition A WSTS is a tuple (S, init, →, ≤) where – (S, init, →) is a transition system – ≤ is a well-quasi-ordering on S – ≤ is a simulation relation: for all s, t, s' ∈ S with s → s' and s ≤ t there exists t' ∈ S with t → t' and s' ≤ t'. Examples – Petri nets – lossy channel systems

Predicate Transformers Let M = ⟨S, init, →⟩ be a transition system. For X ⊆ S define the predicate transformers post(X) and pre(X): … Using post we can define the reachable states of M: Reach(M) = lfp X. post(X) ∪ {init}

Upward and Downward Closures ↑X = { x' ∈ S | ∃ x ∈ X. x ≤ x' } ↓Y = { y' ∈ S | ∃ y ∈ Y. y' ≤ y } [figure: a set X with its upward closure ↑X and a set Y with its downward closure ↓Y]

Some Properties of Closed Sets Let ≤ be a quasi-ordering on S and M = ⟨S, init, →⟩ a transition system. Then – the upward closed subsets of S are closed under unions and intersections. What is more, ↑(X ∪ Y) = ↑X ∪ ↑Y and ↓(X ∩ Y) = ↓X ∩ ↓Y – the same holds for downward closed sets – if ≤ is a simulation for M then the upward closed subsets of S are closed under pre – if ≤ is a well quasi-ordering then every upward closed subset of S has finitely many minimal elements.

Covering Problem Let M = ⟨S, init, →⟩ be a transition system, ≤ a quasi-ordering on S and bad ∈ S a state. The covering problem asks whether bad ∈ ↓(Reach(M)) = ↓(lfp X. post(X) ∪ {init}), respectively init ∈ lfp X. pre(X) ∪ ↑bad. For WSTS M = ⟨S, init, →, ≤⟩ with decidable ≤ and computable pre, the covering problem is decidable.

Backward Algorithm for the Covering Problem of WSTS [figure: ↑bad, pre(↑bad), …, pre^k(↑bad) growing backward from bad until init is covered] lfp X. pre(X) ∪ ↑bad

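The backward algorithm on a concrete WSTS, as an added example that is not part of the slides: a small vector addition system, whose states are vectors of counters ordered componentwise (a wqo by Dickson's lemma) and whose transitions add a fixed delta, enabled only if no counter drops below zero. Upward-closed sets are represented by their finite set of minimal elements, pre is applied to that basis one transition at a time, and the iteration lfp X. pre(X) ∪ ↑bad stops when the basis no longer changes; the transitions, initial vector and bad vectors are constructed for this example.

```python
# Constructed example WSTS: a 3-counter vector addition system (VAS).
# A state is a vector in N^3; transition t is enabled in s iff s + t >= 0 componentwise.
TRANSITIONS = [
    (-1, 1, 0),   # move a token from counter 0 to counter 1
    (0, -1, 2),   # consume one from counter 1, produce two in counter 2
    (0, 0, -1),   # consume one from counter 2
]
INIT = (2, 0, 0)


def leq(a, b):
    """Componentwise order on vectors: the wqo of the WSTS."""
    return all(x <= y for x, y in zip(a, b))


def pre_min(m, t):
    """Minimal element of pre_t(↑m): s must enable t (s >= -t) and land in ↑m (s + t >= m).
    Both constraints are per-counter lower bounds, so pre_t(↑m) is upward closed with one minimum."""
    return tuple(max(mi - ti, -ti, 0) for mi, ti in zip(m, t))


def minimize(vectors):
    """Finite basis of an upward-closed set: drop every vector dominated by another one."""
    vectors = set(vectors)
    return {v for v in vectors if not any(o != v and leq(o, v) for o in vectors)}


def backward_covering(init, bad, transitions):
    """Decide bad ∈ ↓Reach by computing lfp X. pre(X) ∪ ↑bad as a finite basis.
    Termination: the upward-closed sets form an increasing chain, which stabilizes in a wqo.
    Returns (covered?, basis of the fixpoint)."""
    basis = {tuple(bad)}
    while True:
        step = {pre_min(m, t) for m in basis for t in transitions}
        new_basis = minimize(basis | step)
        if new_basis == basis:
            return any(leq(b, tuple(init)) for b in basis), basis
        basis = new_basis
```

From (2, 0, 0) the two tokens of counter 0 can be moved to counter 1 and doubled into counter 2, so a state with four tokens in counter 2 is reachable and (0, 0, 4) is covered, whereas (0, 0, 5) is not; the fixpoint basis computed for (0, 0, 4) contains the initial vector itself.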

Depth-Bounded Systems as WSTS Depth-bounded systems form WSTS for their reachable states and the quasi-ordering induced by subgraph isomorphism. Next we show that this ordering is a well-quasi-ordering on the reachable states.

Well-Quasi Ordering on States of DBS The subgraph ordering is well-founded, but what about infinite antichains? In general, infinite antichains exist, but not if we restrict ourselves to states of depth-bounded systems. Idea of the proof: – encode state graphs of DBS and the subgraph ordering into labeled trees – show that Kruskal’s Tree Theorem can be applied to the tree encoding

Closure of a Tree Add edges according to the transitive closure of the edge relation. Every (undirected) graph is contained in the closure of some tree.

Tree-Depth of a Graph Definition The tree-depth td(G) of a graph G is the minimal height of all trees whose closure contains G. [figure: a tree of height 2 and a graph of tree-depth 2 contained in its closure]

Tree-Depth and Depth-Bounded Systems Proposition A set S of graphs has bounded tree-depth iff S is bounded in the length of its simple paths. ⇒ the reachable configurations of a depth-bounded system have bounded tree-depth.

Tree Encodings of Depth-Bounded Graphs Take a minimal tree whose closure contains the graph G. Label each node v in the tree by the subgraph of G induced by the nodes on the path to v. The number of labels used in the encoding is finite. [figure: a graph G and its encoding tree(G)]

Homeomorphic Tree Embedding Extend the quasi-ordering ≼ on vertex labels to a quasi-ordering ≼_T on trees as follows: T_1 ≼_T T_2 iff either 1. for the root vertices v_1 and v_2 of T_1, T_2 we have a) label(v_1) ≼ label(v_2) and b) for every subtree T'_1 of T_1 rooted in a child of v_1 there exists a subtree T'_2 of T_2 rooted in a child of v_2 such that T'_1 ≼_T T'_2, or 2. there exists a subtree T'_2 of T_2 rooted in a child of the root of T_2 such that T_1 ≼_T T'_2. One can show for all graphs G_1, G_2: tree(G_1) ≼_T tree(G_2) implies that G_1 is below G_2 in the subgraph ordering.

Kruskal’s Tree Theorem Theorem [Kruskal 1960, Nash-Williams 1963] Homeomorphic tree embedding is a well-quasi-ordering on finite trees labeled by a WQO set. ⇒ subgraph isomorphisms induce a well-quasi-ordering on the reachable states of a depth-bounded system.

Backward Algorithm for the Covering Problem of WSTS [figure: ↑bad, pre(↑bad), …, pre^k(↑bad), init] Requirements – ≤ is decidable – pre is effectively computable

Backward Analysis of DBSs The WSTS of a depth-bounded system is defined wrt. the forward-reachable configurations; reachability is undecidable, so pre is not computable for the induced WSTS. Only option: if the bound of the system is k, define the WSTS wrt. the set of all graphs of depth at most k. ⇒ termination of a backward analysis can only be ensured if the bound of the system is known a priori. The standard backward algorithm is not a decision procedure for the covering problem of DBS.

Forward Analysis of DBS Is there a forward analysis that decides the covering problem for depth-bounded systems? Yes, there is. See [Wies, Zufferey, Henzinger, FoSSaCS’10] for the details. We are currently building a software model checker for Scala actors based on this algorithm.


Backward Analysis is Impractical [figure: Server and Subscriber, a Subscribe(Cat1) message whose sender is unknown] Backward analysis has to guess the sender (and other parameters) of sent messages ⇒ explosion in the nondeterminism. This is similar to the aliasing problem for backward analysis of programs with pointers.


Forward Analysis of a WSTS [figure: ↓init, ↓post(↓init), …, ↓post^k(↓init) growing forward from init towards bad] We need “limits” of all downward-closed sets for termination.

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006] Let X be a wqo set. An ADL for X is a set Y of limits with a denotation γ such that for every z ∈ Y, γ(z) is a downward-closed subset of X. [figure: z ∈ Y denoting the downward-closed set D = γ(z) ⊆ X]

Adequate Domain of Limits (ADL) [Geeraerts, Raskin, Van Begin 2006] Every downward-closed subset of X is generated by a finite subset E of Y ∪ X. [figure: a downward-closed set D generated by E = E_1 ∪ E_2]

Expand, Enlarge, and Check Theorem [Geeraerts, Raskin, Van Begin 2006] There exists an algorithm that decides the covering problem for WSTS with effective ADL. [figure: increasing finite subsets X_1 ⊆ X_2 ⊆ … ⊆ X and Y_1 ⊆ Y_2 ⊆ … ⊆ Y] Next: an ADL for depth-bounded systems

Loop Acceleration à la Karp-Miller Idea for loop acceleration: record which parts of a configuration can be duplicated. [figure: a configuration σ of a Server with a Subscriber, and its limit configuration σ⁺ in which the Subscriber part is marked + as duplicable]

Limit Configurations [figure: a limit configuration L (Server with Subscriber and Content parts marked +) and its unfoldings] Denotation γ(L) is the downward-closure of all unfoldings of L.
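Loop acceleration in the Karp-Miller style, as an added example that is neither from the slides nor from the authors' model checker. The three counters are a constructed abstraction of the publish/subscribe service (number of Servers, of Subscribers, of undelivered Content messages); the slides' real configurations are graphs, for which limit configurations play the role that ω plays for counters here. When a node dominates one of its ancestors on the current path, every counter that grew is set to ω, which is the counter analogue of recording which parts of a configuration can be duplicated; the finite set of ω-vectors is the analogue of the limit configurations, and a bad vector is coverable iff some node dominates it.

```python
OMEGA = float("inf")   # 'unboundedly many': the counter analogue of the '+' mark

# Constructed counter abstraction of the publish/subscribe service:
# counters = (servers, subscribers, undelivered Content messages).
PUBSUB = [
    (0, 1, 0),    # a Subscriber is spawned
    (0, 0, 1),    # a Publisher sends a Content message
    (0, 0, -1),   # a Content message is delivered
    (-1, 0, 0),   # the Server terminates
]
PUBSUB_INIT = (1, 0, 0)


def fire(s, t):
    """Successor of s under delta t, or None if some finite counter would go negative.
    ω absorbs every delta."""
    if any(si != OMEGA and si + ti < 0 for si, ti in zip(s, t)):
        return None
    return tuple(si if si == OMEGA else si + ti for si, ti in zip(s, t))


def accelerate(s, ancestors):
    """Karp-Miller acceleration: if an ancestor a <= s lies on the current path, the loop
    from a to s can be repeated forever, so every counter that strictly grew becomes ω."""
    s = list(s)
    for a in ancestors:
        if all(ai <= si for ai, si in zip(a, s)):
            s = [OMEGA if si > ai else si for ai, si in zip(a, s)]
    return tuple(s)


def coverability_set(init, transitions):
    """Nodes of the Karp-Miller tree (ω-vectors). A node seen before is not expanded
    again; each branch is finite because ω only ever increases and repeats are cut off."""
    init = tuple(init)
    nodes, stack = {init}, [(init, ())]
    while stack:
        s, path = stack.pop()
        for t in transitions:
            succ = fire(s, t)
            if succ is None:
                continue
            succ = accelerate(succ, path + (s,))
            if succ not in nodes:
                nodes.add(succ)
                stack.append((succ, path + (s,)))
    return nodes


def coverable(init, bad, transitions):
    """bad is coverable iff some (limit) node of the coverability set dominates it."""
    return any(all(bi <= ni for bi, ni in zip(bad, n))
               for n in coverability_set(init, transitions))
```

For the constructed system the analysis terminates with eight ω-vectors, among them (1, ω, ω): any number of Subscribers and pending messages can coexist with the Server, while a configuration with two Servers is never covered, mirroring the unbounded growth remarked on earlier for the Scala model.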

An ADL for Depth-Bounded Systems Theorem Limit configurations form an ADL for depth-bounded graphs. Corollary The EEC algorithm decides the covering problem for depth-bounded systems. [figure: a limit configuration of a Server with a Subscriber part marked +]

Canonical Adequate Domain of Limits Theorem [Finkel, Goubault-Larrecq 2009] The downward-closed directed subsets of a wqo set X form an ADL for X. A directed set for qo (X, ≤) is a nonempty subset of X closed under upper bounds. [figure: directed sets D_1, …, D_5 inside X]

Hedge Automata A hedge automaton (Q, Σ, Q_f, Δ) with Q = {p, q, r, s}, Σ = {a, b, c}, Q_f = {p} and Δ = {a(ε) → s, b(ε) → r, c(s r* s) → q, a(q⁺) → p}. [figure: an accepting run on a tree whose a and b leaves are labeled s and r, whose c nodes are labeled q, and whose root a is labeled p]
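The slide's hedge automaton as executable code, an added example that is not from the slides: the children of a node form an unranked sequence, so instead of a fixed arity each rule carries a regular language over the states (a Python regex here) that the children's states must spell out left to right. The two input trees are constructed; T_ACCEPT is my reading of the run drawn on the slide.

```python
import re
from itertools import product

# The hedge automaton of the slide: Q = {p, q, r, s}, Σ = {a, b, c}, Q_f = {p}.
# A rule (symbol, horizontal language over Q, target) applies to a node labeled
# `symbol` whose children's states, read left to right, form a word in the language.
RULES = [
    ("a", re.compile(r"^$"), "s"),        # a(ε) → s
    ("b", re.compile(r"^$"), "r"),        # b(ε) → r
    ("c", re.compile(r"^sr*s$"), "q"),    # c(s r* s) → q
    ("a", re.compile(r"^q+$"), "p"),      # a(q+) → p
]
FINAL = {"p"}

# Unranked trees as (symbol, [children]). Constructed inputs: T_ACCEPT reproduces the
# accepting run drawn on the slide (leaves a/b -> s/r, both c nodes -> q, root a -> p).
T_ACCEPT = ("a", [("c", [("a", []), ("a", [])]),
                  ("c", [("a", []), ("b", []), ("a", [])])])
T_REJECT = ("a", [("c", [("b", []), ("a", [])])])   # c(r s) matches no rule


def run(tree, rules=RULES):
    """Bottom-up run: the set of states the automaton can assign to the root.
    Nondeterminism is kept as a set per node; the children's state sets are combined
    into every possible word, and each word is matched against the rules' languages."""
    sym, children = tree
    child_states = [run(child, rules) for child in children]
    states = set()
    for word in product(*child_states):          # product() of no sets yields the empty word
        w = "".join(word)
        states |= {target for rsym, lang, target in rules if rsym == sym and lang.match(w)}
    return states


def accepts(tree, rules=RULES, final=FINAL):
    """Accept iff the root can be labeled with a final state."""
    return bool(run(tree, rules) & final)
```

A node whose children cannot be labeled consistently gets the empty state set, which propagates upward: in T_REJECT the c node sees the word rs, no rule applies, and the root therefore has no state at all.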

Proof Sketch To prove: For every directed downward-closed set D, there exists a limit configuration L with … Look at the tree encodings tree(D) and ≼; construct a hedge automaton A_D such that …; from A_D construct the limit configuration L.


Further Related Work – Meyer, Gorrieri 2009: depth-bounded systems and place/transition nets – Finkel, Goubault-Larrecq 2009: Karp-Miller-style forward analysis of WSTSs with ADLs – Ganty, Raskin, Van Begin 2006: forward analysis of WSTSs without ADLs – Dam 1993, Amadio, Meyssonnier 2002: decidable fragments of the π-calculus – Sangiorgi 1996, Busi et al. 2003, Ostrovský 2005: type systems for the π-calculus – Bauer (Kreiker), Wilhelm 2007: shape analysis for depth-bounded systems

Conclusions – many real-life examples of message passing systems are depth-bounded – many interesting safety properties are expressible in terms of covering – our main result: the covering problem is decidable for depth-bounded systems – our ADL suggests a whole spectrum of forward analyses for depth-bounded systems