Title: Bisimulation by Unification
1. Bisimulation by Unification
UIUC, 21 Oct. 2002
- Roberto Bruni (Pisa / Illinois)
- Paolo Baldan (Pisa / Venezia)
- Andrea Bracciali (Pisa)
- Research supported by
  - University of Illinois
  - CNR Fellowship on Information Sciences and Technologies
  - IST Programme on FET-GC Projects AGILE, MYTHS, SOCS
2. Outline
- Introduction & Motivation
- Running Example (toy PC with ambients)
- Symbolic Bisimulation
  - Symbolic Transition Systems
  - Strict & Large Bisimilarity
  - Bisimulation by Unification
- Conclusions
  - (Related Work / Future Work)
3. Goal
- Sound methodology for the formal analysis of open systems
  - Algebraic Representations of Processes
  - Up-To Abstract Equivalences
- Process Calculi & Bisimilarity
  - Closed Terms: Components
  - Contexts: Coordinators
- Compact (Symbolic) Transition Systems
4. Open Systems are
- Interactive, Autonomous, Accessible via Interfaces, Dynamic, Programmable, ...
- Ex. Web Services, WAN Computing, Mobile Code
(Figure: components p, q, r plugged into the coordinator C[X1,X2,X3]; labels "Components" and "Coordinators")
5. Interaction
- Components can be dynamically connected
- Ex. Access to Network Services
(Figure: C[p,q,r]; (Typed) Holes: constrained dynamic binding; Boundaries: access policies)
6. Let's Get Formal
- Process Calculi Ingredients
  - Structure (Σ,E): Signature & Structural Axioms
  - Operational Semantics (SOS, LTS/RS)
  - Linguistic abstraction for holes and binding
    - Variables & Substitutions
  - Logic for expressing and proving properties
    - Specification & Verification
- Mostly devised for components!
7. Abstraction
- Equivalence on Components: p ∼ q
  - Bisimulation, Traces, May/Must Testing
- Equivalence on Coordinators
  - C[X] ∼univ D[X] iff ∀p. C[p] ∼ D[p]
  - (for simplicity, we consider one-holed contexts in most slides)
  - needs universal quantification
8. Bisimulation
- Focus on Bisimilarity (largest bisimulation)
- p ∼ q
  - if p --a--> p' then ∃ q --a--> q' with p' ∼ q'
  - (and vice versa)
9. Graphically
(Figure: components p and q with matching transitions a1, ..., an to p1, ..., pn and q1, ..., qn)
10. Example: Ambients & Asynchronous CCS com.
- p ::= 0 | a | a.p | n[p] | open n.p | in n.p | out n.p | p|p
- (Assume AC1 parallel composition)
11. In Maude Notation I
  *** The slide writes fmod ... endfm, but Maude admits rewrite rules (rl) only
  *** in a system module (mod ... endm); MACHINE-INT / MachineInt are the
  *** Maude 1 names (Maude 2 uses INT / Int).
  mod CCSAmb is
    protecting MACHINE-INT .
    sorts Act Amb Proc .
    op n : MachineInt -> Amb .
    op a : MachineInt -> Act .
    op 0 : -> Proc .
    *** asynchronous output of an action: its delimiters were lost in
    *** extraction, <_> is assumed here
    op <_> : Act -> Proc [frozen] .
    op _._ : Act Proc -> Proc [frozen] .
    op _[_] : Amb Proc -> Proc .
    op open(_)._ : Amb Proc -> Proc [frozen] .
    op in(_)._ : Amb Proc -> Proc [frozen] .
    op out(_)._ : Amb Proc -> Proc [frozen] .
    op _|_ : Proc Proc -> Proc [assoc comm id: 0] .
12. In Maude Notation II
    vars N M : Amb .
    vars P Q R : Proc .
    var A : Act .
    *** open:  n[P] | open n.Q  ->  P | Q
    rl N[P] | (open(N) . Q) => P | Q .
    *** in:    n[P] | m[in n.Q | R]  ->  n[P | m[Q | R]]
    rl N[P] | M[(in(N) . Q) | R] => N[P | M[Q | R]] .
    *** out:   n[P | m[out n.Q | R]]  ->  n[P] | m[Q | R]
    rl N[P | M[(out(N) . Q) | R]] => N[P] | M[Q | R] .
    *** asynchronous communication inside an ambient: n[a.P | <a> | Q] -> n[P | Q]
    rl N[(A . P) | < A > | Q] => N[P | Q] .
  endm
13. A Problem on Components
n[a.0 | a] → n[0] -/→
  ∼ ?
m[b.0 | b] → m[0] -/→
20. A Problem on Coordinators
n[X] ∼? m[X]
21. Symbolic Approach
- Bisimulation Without Instantiation
  - Facilitate analysis & verification of coordinators' properties
- Distinguishing Features
  - Symbolic LTS
    - states are coordinators
    - labels are spatial/modal formulae
  - Avoids universal closure
  - Allows for coalgebraic techniques
  - Constructive definition for Algebraic SOS
  - (In general yields equivalences finer than ∼univ)
22. Notation
- We start from a PC specified by
  - Syntax & Structural Equivalence (Σ,E)
  - TΣ,E is the set of Components p, q, r, ...
  - TΣ,E(X) is the set of Coordinators C[X], D[X], ...
  - C[X1,...,Xn] means var(C) ⊆ {X1,...,Xn}
  - Labels ranged over by a, b, ...
  - LTS L (defined on TΣ,E and the labels)
    - possibly defined by SOS rules
23. Symbolic Transition Systems
- Ordinary SOS approach
- Behavior of a coordinator can depend on
  - The spatial structure of the components that are inserted/connected/substituted
  - The behavior of those components
- Idea: borrow formulae from a suitable logic to express the most general class of components that can take part in the coordinator's evolution
24. What Logic Do We Need?
- Formulae must express the minimal amount of information on components for enabling the step
  - Components that are not playing an active role in the step
  - Most general active components needed for the step
  - Assumptions not only on the structure of components, but also on their behavior
- Logic L must include, as atomic formulae
  - Place-holders (process variables) X: q ⊨ X
  - Components p: q ⊨ p iff q ≡E p
25. Symbolic Transitions
- C[X] --φ(Y), a--> D[Y]
  - intuitively, whenever p ⊨ φ(q),
  - then C[p] --a--> D[q]
  - (q is to some extent the residual of p after satisfying φ)
(Figure annotations: C and D are Coordinators, φ(Y) is the Formula, a is the Ordinary label)
26. Correctness
STS:    C[X] --φ(Y), a--> D[Y]
        ∀ pi, qi. pi ⊨ φ(qi)
LTS L:  C[p1] --a--> D[q1]
        C[p2] --a--> D[q2]
        ...
        C[pn] --a--> D[qn]
(figure caption: components that can make a)
27. Completeness
LTS L:  r ≡E C[p] --a--> q
STS:    ⇒ ∃ φ, s. C[X] --φ(Y), a--> D[Y]
        with p ⊨ φ(s) and q ≡ D[s]
28. Strict Bisimilarity
- Strict Bisimilarity: largest (strict) bisimulation s.t.
  - C[X] --φ(Y), a--> C'[Y]
  - ∼strict              ∼strict
  - D[X] --φ(Y), a--> D'[Y]
- THEOREM
  - If the STS is correct & complete, then
  - ∼strict ⊆ ∼univ
33. Back to the Open Problem
n[X] --Y | k[out n.Z | W]--> n[Y] | k[Z | W]
m[X] has no transition labelled Y | k[out n.Z | W] (m[X] -/→)
n[X] ≁strict m[X]
36. Back to the Open Problem
n[X] ≁univ m[X]
(take X = k[out n.0])
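Added worked example (Python, written for this page; it is not code from the slides or from the authors' Maude/Prolog): the running calculus of slides 10-12 as a small reduction engine plus a finite-state bisimilarity check, used to redo the problem of slides 13, 20 and 33-36. The tuple encoding of terms, the constructor names, and the 'tau' label put on every reduction are assumptions of this example.

```python
"""Added example (not from the slides or the authors' Maude/Prolog code): the
deck's running calculus, ambients plus asynchronous CCS communication, as a
Python reduction engine with a finite-state bisimilarity check.  Encoding
assumed here: ('0',) ('msg', a) ('pref', a, p) ('amb', n, p) ('open', n, p)
('in', n, p) ('out', n, p) ('par', (p1, ..., pk)); every reduction is an
unlabelled internal step ('tau'), as in the Maude rules of slide 12."""

ZERO = ('0',)

def par(*ps):
    """Parallel composition in AC1 normal form: flatten, drop 0, sort."""
    kids = []
    for p in ps:
        kids.extend(p[1] if p[0] == 'par' else [] if p == ZERO else [p])
    kids.sort()
    return ZERO if not kids else kids[0] if len(kids) == 1 else ('par', tuple(kids))

def amb(n, p): return ('amb', n, p)
def msg(a): return ('msg', a)
def pref(a, p): return ('pref', a, p)
def opn(n, p): return ('open', n, p)
def inn(n, p): return ('in', n, p)
def out(n, p): return ('out', n, p)

def kids(p):
    """Components of a parallel composition (a non-par term is its own child)."""
    return [] if p == ZERO else list(p[1]) if p[0] == 'par' else [p]

def rest(ks, *drop):
    return [k for i, k in enumerate(ks) if i not in drop]

def successors(p):
    """One-step reducts of p under the four rules of slide 12; rewriting is
    allowed inside parallel compositions and ambients, prefixes are frozen."""
    res = set()
    if p[0] == 'par':
        ks = list(p[1])
        for i, k in enumerate(ks):
            res |= {par(k2, *rest(ks, i)) for k2 in successors(k)}
            if k[0] != 'amb':
                continue
            n = k[1]
            for j, x in enumerate(ks):
                if j == i:
                    continue
                if x[0] == 'open' and x[1] == n:        # n[P] | open n.Q -> P | Q
                    res.add(par(k[2], x[2], *rest(ks, i, j)))
                if x[0] == 'amb':                        # n[P] | m[in n.Q | R] -> n[P | m[Q | R]]
                    xs = kids(x[2])
                    for l, y in enumerate(xs):
                        if y[0] == 'in' and y[1] == n:
                            inner = amb(x[1], par(y[2], *rest(xs, l)))
                            res.add(par(amb(n, par(k[2], inner)), *rest(ks, i, j)))
    elif p[0] == 'amb':
        n, ks = p[1], kids(p[2])
        res |= {amb(n, b) for b in successors(p[2])}
        for i, k in enumerate(ks):
            if k[0] == 'amb':                            # n[P | m[out n.Q | R]] -> n[P] | m[Q | R]
                xs = kids(k[2])
                for j, x in enumerate(xs):
                    if x[0] == 'out' and x[1] == n:
                        res.add(par(amb(n, par(*rest(ks, i))),
                                    amb(k[1], par(x[2], *rest(xs, j)))))
            if k[0] == 'pref':                           # n[a.P | <a> | Q] -> n[P | Q]
                for j, x in enumerate(ks):
                    if x == msg(k[1]):
                        res.add(amb(n, par(k[2], *rest(ks, i, j))))
    return res

def bisimilar(p, q, moves=lambda s: {('tau', t) for t in successors(s)}):
    """Largest bisimulation: refine the full relation over the (finite) state
    spaces reachable from p and q until every move is answered."""
    states, todo = set(), [p, q]
    while todo:
        s = todo.pop()
        if s not in states:
            states.add(s)
            todo.extend(t for _, t in moves(s))
    nxt = {s: moves(s) for s in states}
    rel = {(s, t) for s in states for t in states}

    def matched(s, t):
        return all(any(l2 == l and (s2, t2) in rel for l2, t2 in nxt[t]) for l, s2 in nxt[s])

    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if not (matched(s, t) and matched(t, s)):
                rel.discard((s, t))
                changed = True
    return (p, q) in rel

def distinguishing_instance(C, D, candidates):
    """Search a finite list of components for p with C[p] not bisimilar to D[p].
    A witness refutes C[X] ~univ D[X]; None proves nothing, because ~univ
    ranges over infinitely many p, which is the gap the symbolic STS closes."""
    for p in candidates:
        if not bisimilar(C(p), D(p)):
            return p
    return None
```

`bisimilar(amb('n', par(pref('a', ZERO), msg('a'))), amb('m', par(pref('b', ZERO), msg('b'))))` is True (slide 13: one step each, then stuck), while `distinguishing_instance(lambda x: amb('n', x), lambda x: amb('m', x), [ZERO, msg('a'), amb('k', out('n', ZERO))])` returns the witness k[out n.0] of slide 36. The search can only ever refute ∼univ; it cannot establish it.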
37. A Last Problem
n[m[out n.X]] --Y--> n[0] | m[Y]
n[0] | m[a | a.X] --Y--> n[0] | m[Y]
n[m[out n.X]] ∼strict n[0] | m[a | a.X] ?
39. A Last Problem
n[m[out n.X]] ∼strict n[0] | m[a | a.X]
n[m[out n.X]] ∼univ n[0] | m[a | a.X]
?
40. Large Bisimilarity
- What if ∼strict is too fine?
- We can relax the strict bisimilarity when the logic L includes generic spatial formulae
  - Operators f ∈ Σ
  - q ⊨ f(φ1,...,φn) iff ∃ qi. q ≡E f(q1,...,qn) ∧ qi ⊨ φi
  - We call spatial formulae those composed by spatial operators and place-holders only
- Ambivalent view of Spatial Formulae as Coordinators
41. Large Bisimilarity
- Large Bisimilarity: largest (large) bisimulation s.t.
  - C[X] --φ(Y), a--> C'[Y]        C'[Y] ∼large D'[σ(Y)]
  - ∼large
  - D[X] --ψ(Z), a--> D'[Z]        with σ(Y) spatial and φ(Y) entailing ψ(σ(Y))
- THEOREM: ∼strict ⊆ ∼large
- THEOREM
  - If the STS is correct & complete, then
  - ∼large ⊆ ∼univ
47. Why Use ∼strict & ∼large
- As an approximation method for ∼univ
  - ∼univ is not defined coinductively
  - ∼univ requires the verification of infinitely many equivalences
- Bonus Theorems
  - C[X] ∼large D[X] implies C[E[Y]] ∼univ D[E[Y]]
  - C[X] ∼strict D[X] implies C[E[Y]] ∼univ D[E[Y]]
- Note that in general ∼large is not transitive
- Bonus Theorem
  - if C[X] ∼large D[X] implies C[E[Y]] ∼large D[E[Y]], then ∼large is transitive and thus it is an equivalence relation
48. Bisimulation by Unification
- Algebraic SOS Format (spatial/modal constraints)
      { Xi --ai--> Zi }  i ∈ I
      ----------------------------------
      C[X1,...,Xn] --a--> D[Y1,...,Yn]
  - (Yi is either Xi (if i ∉ I) or Zi (if i ∈ I))
- Formulae φ ::= X | p | ⟨a⟩.φ | f(φ,...,φ)
- Modality ⟨a⟩: q ⊨ ⟨a⟩.φ iff ∃ q --a--> p ∧ p ⊨ φ
49. The Prolog Algorithm
    trs( box(A,X) , A , X ) :- !.
    trs( C[X1,...,Xn], a, D[Y1,...,Yn] ) :-
        trs(Xi1 , ai1 , Zi1),
        ...,
        trs(Xin , ain , Zin).
- The program can be seen as the specification of the STS
- Goals have the form ?- trs(C[X1,...,Xn], a, Z).
- Backtracking mechanism & meta-logic ops (bagof) can be used to compute all symbolic transitions for C[X]
- THEOREM
  - The resulting STS is correct & complete
50. Conclusions
- General formal framework for open systems
- Meta-theoretic foundations
  - Under suitable hypotheses
  - ∼strict implies ∼large implies ∼univ
- For the Algebraic SOS format, a minimal STS can be defined constructively in Prolog
  - cut & unification
  - extension to AC1 parallel operator (see paper)
51. Dual View
- Instantiation vs Contextualization
- When ∼ is not a congruence
  - p ≃ q iff ∀C[X]. C[p] ∼ C[q]
  - ≃ is not a bisimulation (unless ∼ is a congruence)
  - (the largest congruence which is also a bisimulation is called dynamic bisimulation)
- Sewell, Leifer & Milner: minimal contexts as labels
  - Transitions p --C[_,X1,...,Xn]--> D[X1,...,Xn]
  - ∀pi. C[p,p1,...,pn] → D[p1,...,pn]
  - C minimal (not necessarily minimum)
- Universal quantification moved from contexts to components!
52. Related Work / Source of Inspiration
- Sewell, Leifer & Milner
  - categorical characterization of the most general interaction (relative pushout)
- Caires, Cardelli & Gordon
- Fiadeiro, Maibaum, Martí-Oliet, Meseguer & Pita
  - elegant mathematical tool for expressing structural & temporal aspects
- Bruni, Montanari & Rossi
  - interactive view of Logic Programming
53. Future Work
- Deal with names
  - Name restriction & Logical notion of freshness
- Duality
  - Categorical formulation (relative pullback?)
- Symbolic approach to the verification of infinite state cryptographic protocols
- Extension to meta and abductive LP
  - Programmable definition of proofs
  - To answer questions like "under which assumptions can p[X] evolve so as to satisfy a certain property?" that are relevant in dynamic system engineering
54. Bisimulation By Unification
- a paper by Andrea Bracciali, Paolo Baldan & Roberto Bruni
- a presentation by Roberto Bruni