C LAUS B RABRAND C ONCURRENCY (Q3,’06) M AR 13, 2006 C LAUS B RABRAND © 2005, University of...

CLAUS BRABRAND CONCURRENCY (Q3,’06) MAR 13, 2006

CLAUS BRABRAND

© 2005, University of Aarhus

[ [email protected] ] [ http://www.daimi.au.dk/~brabrand/ ]

CONCURRENCY (Q3,’06)

WEEK 7: ”CCS AND PROCESS EQUIVALENCE”

CLAUS BRABRAND[ 2 ]

CONCURRENCY (Q3,’06) MAR 13, 2006

Outline

Calculus of Communicating Systems (CCS) Syntax Semantics CCS LTS (via Semantics) [ Tool Demo ]

Process Equivalence Equivalences:

Equivalence Relation and Congruence Trace-Equivalence

Bisimulation Specification The Bisimulation Game GameTM [ Tool Demo ]


CALCULUS OF COMMUNICATING SYSTEMS

CCS: Calculus of Communicating Systems

[ Robin Milner, ’89 ]

CLAUS BRABRAND[ 4 ]


The Inactive Process: “0”

The inactive process: (aka. “the zero process” or “the nil process”)

Performs no action whatsoever!

Note that it offers: the prototypical behavior of a deadlocked process

(that cannot proceed any further in its execution)

Example:

0

0

CLAUS BRABRAND[ 5 ]


Action Prefixing: “.P”

Action Prefixing: Can perform action, , after which it behaves like

process, P

Example(s): Match:

Complex match:

Complex match 2:

.P

strike.0

take.strike.0

strike.burn.0

output action (convention: over-bar)

CLAUS BRABRAND[ 6 ]


Named Process: “K”

Named Process: Behaves just like the (statically named) process, K

Example(s):

K

Match = strike.0

ComplexMatch = take.Match

def

def

CLAUS BRABRAND[ 7 ]


Recursive Processes

Recursive Processes (though naming)

Example:

Expanding the definition we get:

Clock = tick.Clockdef

Clock

= tick.Clock

= tick.tick.Clock

= tick.tick.tick. … .tick.Clock

…

…

CLAUS BRABRAND[ 8 ]


Non-deterministic Choice: “P+Q”

Non-deterministic choice: Non-deterministic choice between processes P and Q

Initially has the capabilities of both P and Q; but performing an action from P, say, will pre-empt further execution of Q.

Example:

P+Q

Disp = coin.(coke.Disp + sprite.Disp)def

coke

spriteor

CLAUS BRABRAND[ 9 ]


Parallel Composition: “P|Q”

Parallel Composition: Any independent interleavings of processes P and Q

Also: may communicate (hand-shake): process P using input action, a; process Q corresponding output action, a (or vice versa)

Example: Student: Coke Machine:

P|Q

Stud = read.coin.coke.Studdef

CokeM = coin.coke.CokeMdef

CokeM | Stud

CLAUS BRABRAND[ 10 ]


Parallel Composition (cont’d)

Stud | CokeM

(Stud | CokeM) | Stud

(Stud | CokeM) | CokeM

Stud CokeM

[ << ? >> ]

[ << ? >> ]

read

coke

coin

coin

coke



Restriction: “P\a”

Restriction (private name): Behaves just like P, except cannot make a or a actions

(except within P) Reminiscent of local variables (in private scope)

Example:

P\a

(Stud | CokeM) \ coin \ coke

((Stud | CokeM) \ coin \ coke) | Stud



Action Relabeling: “P[f]”

Action Relabeling: Behaves like P, except that actions are renamed

according to action renaming function, f Permits parameterized reuse of processes

Examples:

P[f]

VendingMachine = coin.item.VendingMachine

CokeMachine = VendingMachine[coke/item]

MarsMachine = VendingMachine[mars/item]

def

Note: relabel inputs to inputs (and corresponding outputs to outputs)

def

def


SYNTAX FOR CCS



Input, output (and internal) action

Actions: Set of Channel Names (input) Set of Channel Co-Names (output) Special silent (invisible/internal) action

tau

Note: inputs and outputs are complementary: Communication: hand-shake on a and a only (no values)

Metavariable, :

a A

a A

a = a

Act = A A { }



CCS Syntax

CCS Syntax:

“0” // inaction “.P” // action prefix “P+P” // non-deterministic choice “P|P” // parallel composition “P\a” // restriction (private name) “P[f]” // action relabeling “K” // process variable

P ::= 0 | .P | P+P | P|P | P\a | P[f] | K

X = P, Y = Q, … def def

a: f(a) = f(a) f() =

f:ActAct

… where

Note: restrictions on f



Alternative Syntax

Alternative Syntax (that we will use): Abbreviate inaction termination:

P for P.0 // obvious from context

Parameterized sum: iI Pi for P0 + P1 + … + Pn

Inactive process (as empty sum): iØ Pi for 0

Restriction (by set): P \ L for P \ a1 \ … \ an L={a1,…,an}



Algebraic Operator Precedence

1. Restriction and relabelling “P\L” “P[f]” 2. Action prefixing “.P” 3. Parallel composition “P|Q” 4. Summation “P+Q”

Q: How is “R+a.P|b.Q\L” then to be read ?

A: “R+((a.P)|(b.(Q\L)))” !

tightest


SOS FOR CCS



CCS Semantics

Structural Operational Semantics:

Q: why (tau) in communication “P|Q” (instead of propagating a or a) ?

~ “the unobservable hand-shake”

[RES][REN]

[COM1] [COM2] [COM3]

[ACT] [SUM][DEF]



Example Derivation

Assume:

Consider:

A = a.A

(b.0|(A|a.0))[c/a]

def

(b.0 | (A | a.0)) [c/a] (b.0 | (A | a.0)) [c/a]

(b.0 | (A | a.0)) (b.0 | (A | a.0))[REN]

(A | a.0) (A | a.0)[COM2]

A A

a.A A

[COM1]

[DEF]

[ACT]

A = a.Adef

c

a

a

a

a

[RES][REN]

[COM1] [COM2] [COM3]

[ACT] [SUM][DEF]



Transition Diagram

Transition Diagram: A visualization of a Labeled Transition System:

Configurations annotated with processes (e.g. ) Transitions annotated with actions (e.g. )

a.0 | a.0

0 | a.0 a.0 | 0

0 | 0

a a

aa

a.0 | 0

a



Example: Semaphore

Example: Semaphore and mutual exclusion:

Mutex = (User | Sema) \ p \ v

User = p.enter.exit.v.User

Sema = p.v.Semadef

def

def

// critical region



Concurrency Workbench

[ Concurrency Workbench ]

P

testing (interactive simulation) verification (via logic formulae) dump transition graph (NFA) ...

[ http://homepages.inf.ed.ac.uk/perdita/cwb/summary.html ]



CCS Visualizer

[ CCS Visualizer ]


PROCESS EQUIVALENCE



Equal vs. Equivalent

Equal (concrete): 3 = 3

Equivalent (abstract): 3 003 310 0x0316 \0038 00112

3 three 3 3 1+2 3 3 let n=2 in n*(n-1)+(n-2)

ii=0

2

more abstract



CCS: “Single-Language Formalism”

CCS is a so-called “Single-lang. formalism”; i.e. one may specify both:

implementation ( ) and specification ( )

We would like to check via some (reasonable) equivalence, R , that:

“The implementation has the intended behavior”:

R the spec. and impl. are “equivalent”

IMPL =def ...

SPEC =def ...

IMPLSPEC

We would also like to reason about process equivalence in general



Equivalence Relation

Let R be a binary relation over set A: R A A

Definition: R is an equivalence relation iff: Reflexive:

Symmetric:

Transitive:

xA: x R x

x,yA: x R y x R y

x,y,zA: x R y y R z x R z



We would like R to be an equiv.rel.

…and we would like (R to be an equiv. rel.):

reflexitivity : SYS R SYS (same behavior as itself) !

transitivity (for stepwise modelling/refinement) !!! : S0 R S1 R ... R Sn R IMPL => S0 R IMPL

symmetry (just a nice property to have in that): S R S’ S’R S



…and satisfy properties:

Furthermore, we would like these properties: P+Q R Q+P // ‘+’ commutative (P+Q)+R R P+(Q+R) // ‘+’ associative

i.e. we can drop the parentheses (as in "1+2+3")

P|Q R Q|P // ‘|’ commutative (P|Q)|R R P|(Q|R) // ‘|’ associative

i.e. we can drop the parentheses

0+P R P // ‘0’ is neutral wrt. ‘+’ 0|P R P // ‘0’ is neutral wrt. ‘|’ ...



...and be a congruence

Definition: “R ” congruence: P R Q => C[P] R C[Q] , for all contexts C[]

“relation is preserved under contextual substitution”

A context = a process with a gap:

Examples: P R Q P+R R Q+R P R Q P|S R P|S P R Q a.P R a.Q P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x

[]+R

[]|S

a.[]

?

C : .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a


TRACE-EQUIVALENCE

"A Tale of Two Coca-Cola Machines"



Two Dispensers

Dispenser:

Dispenser’: ’’

Would you consider them equal ‘=’ ?

coin . (coke + sprite)

coin.coke + coin.sprite

Would you consider them equivalent ‘’ ?

What does it mean for them to be equivalent ‘’ ? trace equivalence



Trace Equivalence

Definition: Trace Equivalence: Two processes P and Q are trace equivalent “tr” iff:

they can produce the same traces

Example: Traces( )

= { , coin, coin;coke, coin;sprite }

Traces( )

= { , coin, coin;coke, coin;sprite }


coin.coke + coin.sprite

’’’’trHence:



Trace Equivalence (cont'd)

Equivalence Relation?

Expected Properties?

Congruence?



...but are they "observably equivalent"?

Recall:

Coke-only-drinker observer:

Contextualcomposition:


coin.coke + coin.sprite ’’

’’tr

What the.. !?

coin . coke . drink

The coke drinkeris certainly able to to "distinguish" the two dispensers !!

Can we put the two dispensers in a context where they can be differentiated by some observer?

problematic equality



Trace Equiv. ~ DFM Acceptance

P tr Q iff they can produce the same traces

This point of view is totally justified and natural if we view our LTSs as non-deterministic devices that may generate or accept sequences of actions. However, is it still a reasonable one if we view our automata as reactive machines that interact with their environment ?

-- [ Aceto, Larsen, Ingólfsdóttir ]

‘tr’ doesn’t take communication capabilities of intermediate states into account; can make a big difference when made to interact w/ another system!



Trace Equivalence

On sale…

Trace Equivalence Special offer: 5 for only $0.85

This week only!

“On sale: 5 for only $0.85!”

“Trace Equivalence”

5 for $0.85

trtrtrtrtr


(STRONG) BISIMULATION: (~)



Def: A Bisimulation

Let (Proc, Act, ) be a LTS

Def: a bin. rel. R Proc Proc is a bisimulation iff whenever (s,t) R : aAct :

if s s’ then t t’ for some t’ such that (s’,t’) R if t t’ then s s’ for some s’ such that (s’,t’) R

Note: Definition on LTS (not necessarily on processes)

a

a

a

a

a

Intuition: “Only equate as consistently allowed by the semantics”



Def: Bisimilarity (~)

A Bisimulation:

Def: a bin. rel. R Proc Proc is a bisimulation iff whenever (s,t) R : aAct :

if s s’ then t t’ for some t’ such that (s’,t’) R if t t’ then s s’ for some s’ such that (s’,t’) R

The Bisimilarity relation (~):

Def: two (processes) s and t are bisimilar( s ~ t ) iff bisimulation R : (s,t) R .

i.e.

a

a

a

a

‘~’ := {R | R is a bisimulation }



Basic Properties of (~)

Theorem: ‘~’ is an equivalence relation

Theorem: ‘~’ is the largest bisimulation

i.e. for any bisimulation R we have that: R ‘~’

Theorem: s ~ t iff aAct :

if s s’ then t t’ for some t’ such that s’ ~ t’ if t t’ then s s’ for some s’ such that s’ ~ t’

a

a

a

a



How to Prove Bisimilarity ?

How to prove bisimilarity for two processes ?

i.e. ?:

Exhibit a (any) bisimulation R , for which:

By definition we get that: since ‘~’ was the largest bisimulation(s,t) R ‘~’

(s,t) R

p ~ q



Example Proof of Bisimilarity

Example: Buffer (capacity 1):

Buffer (capacity 2):

Show that:

A0 =def in . A1

A1 =def out . A0

B0 =def in . B1

B1 =def in . B2 + out . B0

B2 =def out . B1

B0 ~ A0|A0

B0

B1

B2

A0|A0

A1|A0 A0|A1

A1|A1

R = { (B0 , A0|A0) , (B1 , A1|A0) , (B1 , A0|A1) , (B2 , A1|A1) }



How to Prove Non-Bisimilarity ?

How to prove non-bisimilarity ? i.e. ?

Enumerate all binary relations: Check that none are bisimulations and contain (p,q)

However: extremely expensive O(2|p||q|)

Use “Feynman Problem-Solving Algorithm”: (1). Write down the problem; (2). Think very hard; (3). Write down the answer.

Or…

s ~ t



The Bisimulation Game

It’s Amazing…

The Bisimulation Game®

Special Family Edition (w/ TV cables & remote control) Beat your sister at Process Algebra simulation…

“Special Family Edition!”

“The Bisimulation Game”

Only$31,95

The

Bisimulation

Game


(~) BISIMULATION GAMES



The (Strong) Bisimulation Game

Let (Proc, Act, ) be a LTS and s,t Proc

Define 2-player game: [ attacker v defender ] The game is played in “rounds” and the configurations

of the game are (Proc Proc); The game starts (first round) in (s,t) Proc Proc

Intuition (objectives): The defender wants to show that: The attacker wants to show that:

a

s ~ t

s ~ t



Rules of the Bisimulation Game

In round k the players change the current configuration (sk,tk) as follows:

First, the attacker chooses: 1) one of the processes (e.g. tk); i.e., left or right; 2) a legal action from that process: a Act; 3) a legal transition according to the LTS: tk tk+1

Then, the defender chooses: -) a “counter-move” using same action, a: sk sk+1

(sk+1,tk+1) becomes the next round’s configuration…

Winning: If (only) one player cannot move, the other player wins If the game is infinite, the defender wins

a

a



Game Characterization of (~)

Theorem: States (processes) s and t are not strongly bisimilar

iff the attacker has a universal winning strategy States (processes) s and t are strongly bisimilar

iff the defender has a universal winning strategy

(s ~ t) basically means that: “the ‘perfect attacker’ always wins”

(s ~ t) basically means that:“the ‘perfect defender’ always wins”



Let’s Play…

Let’s play…:

~ / ~ ? show of hands…

~ ’’?


coin.coke + coin.sprite ’’

coincoincoin’’

spritespritecoke

coke



Another Game…

Are the following two LTS(/processes) s and t strongly bisimilar: s ~ t ?

There’s a universal attack strategy hence, they are not strongly bisimilar : s ~ t



Tool Demos... [ CCS Visualizer/Simulator ]: [ The Bisimulation Game Game ]:

By:- Martin Mosegaard- Claus Brabrand

By:- Martin Mosegaard- Claus Brabrand


</concurrency>

Good luck with the exams

Date post:	20-Dec-2015
Category:	Documents
View:	218 times
Download:	0 times

C LAUS B RABRAND C ONCURRENCY (Q3,’06) M AR 13, 2006 C LAUS B RABRAND © 2005, University of...

Documents