2G1516 Formal Methods2005 Mads Dam IMIT, KTH 1 CCS: Operational Semantics And Process Algebra Mads Dam Reading: Peled 8.3, 8.4, 8.6 – rest of ch. 8

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 2 Value-passing CCS Combinators Value-passing combinators and definitions as abbreviations using labels of the form a(v) (receiving v) or b(v) (sending v) Prefix a(x), b(v)a(x).P(x) = a(v 0 ).P(v 0 ) a(v n ).P(v n ) b(v).P(v) = b(v).P(v) Definition A(x) == P(x)Buf == in(x).Buf 1 (x) Buf 1 (x) == out(x).Buf(x) Conditional if C then PTeller(x) == Deposit(x) + Withdrawal(x) Deposit(x) == deposit(x).Teller(x + y) Summation  y: P(y) Withdrawal(x) ==  y: if y  x then withdraw(y).Teller(x - y)

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 3 Transition Semantics To apply observational equivalence need a formalised semantics Each CCS expression -> state in LTS derived from that expression Compositionality: Construction of LTS follows expression syntax Inference rules: P 1   P 2 P 1 | Q   P 2 | Q Meaning: For all P 1, P 2, Q, , if there is an  transition from P 1 to P 2 then there is an  transition from P 1 | Q to P 2 | Q

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 4 P   P’ PÂL   P’ÂL CCS Transition Rules (no rule for 0!) - .P   P Prefix Def P   Q A   Q (A == P) Choice L P   P’ P+Q   P’ Choice L Q   Q’ P+Q   Q’ Com L P   P’ P|Q   P’|Q Com R Q   Q’ P|Q   P|Q’ Com P  l P’ Q  l Q’ P|Q   P’|Q’ Restr ( ,   L) Rel P   P’ P[f]  f(  P’[f]

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 5 CCS Transition Rules, II Closure assumption: !  is least relation closed under the set of rules Example derivation: Buf 1 == in.comm.Buf 1 Buf 2 == comm.out.Buf 2 (Buf 1 | Buf 2 )Â{comm}  in comm.Buf 1 | Buf 2   Buf 1 | out.Buf 2  out Buf 1 | Buf 2

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 6 Extending the Language Two ways of adding new operators: 1.By equation Example: Buffer composition P Æ Q = (P[comm/out]|Q[comm/in])Â{comm} 2.By extending the transition semantics Example: Sequential composition of processes Assume special (non-label) action X for termination Let X = X and f(X) = X for relabelling functions f Seq 1 P   P’ P;Q   P’;Q (  X)(  X) Seq 2 P  X P’ Q   Q’ P|Q   Q’

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 7 Example: Semaphores Semaphore: Unary semaphore: S 1 == p.S 1 1 S 1 1 == v.S 1 Binary semaphore: S 2 == p.S 2 1 S 2 1 == p.S v.S 2 S 2 2 == v.S 2 1 Result: S 1 | S 1  S 2 Proof: Show that {(S 1 | S 1, S 2 ), (S 1 1 | S 1, S 2 1 ), (S 1 | S 1 1, S 2 1 ), (S 1 1 | S 1 1, S 2 2 )} is a strong bisimulation relation pv

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 8 Example: Simple Protocol Spec == in.out.Spec Sender == in.Transmit Transmit == transmit.WaitAck WaitAck == ack +.Sender + ack -.Transmit Receiver == transmit.Analyze Analyze == .out.ack +.Receiver + .ack -.Receiver Protocol == (Sender | Receiver)Â{transmit,ack +,ack - } Exercise: Prove Spec  Protocol

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 9 Example: Jobshop i E : input of easy job i N : input of neutral job i D : input of difficult job O: output of finished product A == i E.A’ + i N.A’ + i D.A’ A’ == o.A Spec = A | A Hammer: H == gh.ph.H Mallet: M == gm.pm.M Jobber: J ==  x  {E,N,D} i x.J x J E == o.J J N == gh.ph.J E + gm.pm.J E J D == gh.ph.J E Jobshop == (J | J | H | M)Â{gh,ph,gm,pm} Theorem: Spec  Jobshop Exercise: Prove this.

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 10 Proving Equivalences Two main methods for establishing an equivalence P  Q: 1.Establish a weak bisimulation relation S s.t. P S Q (this is the canonical method) 2.Use equational reasoning But: What about substitutivity – replacing equals for equals?

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 11  Is Not a Congruence Congruence: Equivalence preserved under substitution But: P  P’ does not imply P + Q  P’ + Q Example: a.0  .a.0 but a.0 + b.0  .a.0 + b.0 does not hold Exercise: Show that ¼ is preserved by prefixing, parallel, restriction, and relabelling Observational Congruence: Let S  Q  Q. The relation S is an observational congruence relation if whenever q 1 S q 2 then: –q 1   q 1 ’ implies q 2  ±!  ±) q 2 ’ for some q 2 ’ such that q 1 ’  q 2 ’ –q 2   q 2 ’ implies q 1 )±!  ±) q 1 ’ for some q 1 ’ such that q 1 ’  q 2 ’ Write P = Q if o.c.r. S exists such that P S Q

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 12 Observational Congruence Problem is initial  ’s in sums: Proposition: P = P’ iff for all Q, P + Q ¼ P’ + Q Exercise: Prove this. Theorem: Observational congruence = is the largest congruence contained in  Exercise: Prove this too (follow hints in class). Let C[.] be any CCS expression with a ”hole” in it Corollary: P = Q iff for all C[.], C[P]  C[Q] Stable agents: P is stable if no Q exists such that P   Q Corollary:  and = coincides on stable processes

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 13 Laws for Observational Congruence Too many... ;-) Summation: P + Q = Q + P P + (Q + R) = (P + Q ) + R P + P = P P + 0 = P Prefixing: l. .P = l.P P + .P = .P l.(P + .Q) + l.Q = l.(P + .Q) P + .(P + Q) = .(P + Q) Two non-laws: P = .P l.(P + Q) = l.P + l.Q Definition: If A == P then A = P Expansion law: (P | Q)ÂL =  {l.(P’|Q)ÂL | P  l P’, l  L} +  {l.(P|Q’)ÂL | Q  l Q’, l  L} +  { .(P’|Q’)ÂL |  l.P  l P’, Q  l Q’}

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 14 Example Derivation P == a.P + .b.0 Q == a.Q + c.0 R == c.b.0 S == (Q | R) \ c Task: Prove P = S S = (Q | R) \ c = (a.Q + c.0 | c.b.0) \ c = a.(Q | c.b.0) \ c + .(0 | b.0) \ c = a.(Q | R) \ c + .(0 | b.0) \ c = a.S + .b.(0 | 0) \ c = a.S + .b.0 Observe: P = a.P + .b.0 and S = a.S + .b.0 Can we conclude P = S ??

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 15 Unique Fixed Point Induction Let A == P be any definition UFI principle: If A is guarded in P (every occurrence of A in P in scope of prefix l.-) A does not occur in scope of |, \ or [f] in P Q = P[Q/A] Then P = Q

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 16 Partition Refinement Algorithm for deciding strong bisimulation equivalence Note: Doesn’t work for on-the-fly state generation! T1T1 T2T2 T3T3 T 4,1 T 4,2      

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 17 Partition Refinement, II Q = set of states create initial partition P = {Q} ; change := true ; while change do change := false if exists partitions T 1,T 2 2 P and action  such that T 1,1 = {q 2 T 1 | 9 q’ 2 T 2. q !  q’} and T 1,2 = T 1 Â T 1,1 are both nonempty then P := (PÂ {T 1 }) [ {T 1,1,T 1,2 } ; change := true fi od

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 18 Partition Refinement, Correctness Let P i be partition at step i of algorithm, and limP be the final partition Define: 1.p ´ q iff 9 T2 limP such that p,q 2 T 2.p ´ i q iff 9 T2 P i such that p,q 2 T Claim: ´ is a strong bisimulation relation Exercise: Check this Claim: If R is a strong bisimulation relation then R µ ´ i, for all i Proof: Induction on i. The statement holds for i=0. Suppose that p R q and p,q 2 T 2 P i. Either T 2 P i+1 as well (and we’re done) or T = T 1 [ T 2, T 1 Å T 2 = ;, and T 1, T 2 2 P i+1. In the latter case, if p 2 T 1 and q 2 T 2, say, we find some T’2 P i and p’ such that p !  p’2 T’ and whenever q!  q’ then not(q’2 T’). But then :(p’ R q’) by the induction hypothesis, so R cannot be a strong bisimulation relation.