Symbolic Equivalences for Open Systems

1. FM seminar UIUC, 6 Dec. 2002 Symbolic Equivalences for Open Systems Roberto Bruni (Pisa – Illinois) Paolo Baldan (Pisa – Venezia) Andrea Bracciali (Pisa) • Research supported by • IST Programme on FET-GC Projects AGILE, MYTHS, SOCS • Italian MIUR Project COMETA • CNR Fellowship on Information Sciences and Technologies

2. Outline Ongoing Work! • Introduction & Motivation • Example: toy PC with ambients • Symbolic Bisimulation • Symbolic Transition Systems • Strict Symbolic Bisimilarity • Large & Irredundant Bisimilarity • Bisimulation by Unification • Conclusions • ( Traces ) • ( Duality, Related Work & Future Work )

3. Open Systems Evolve autonomously, interact via interfaces, programmable, … Ex. Web Services, WAN Computing, Mobile Code p q C[X1,X2,X3] r Components Coordinators

4. Interaction Components can be dynamically connected Ex. Access to Network Services (Typed) Holes: constrained dynamic binding C[p,q,r] Boundaries: access policies

5. The Problem Partially specified / partially known systems Behaviour defined via the possible instances Problem: how to reuse ordinary specification / analysis / verification techniques developed for “closed” systems?

6. General Goal Methodology for the formal analysis of open systems Focus on Process Calculi • Mathematical models of computation widely used for isolating and studying phenomena arising in concurrent languages (like -calculus for sequential computations) • Algebraic representations of processes (terms) • Components = Closed Terms • Coordinators = Contexts (holed processes) • Structural and Behavioural Equivalences Proposal: • Compact (Symbolic) LTS for open systems

7. Process Calculi Ingredients • Structure (,E): • Signature + Structural Axioms • Operational Semantics LTS/RS: • (SOS) inference rules for transitions/rewrites • Logic for expressing and proving properties • Specification & Verification Mostly devised for components!

8. Abstraction Equivalence on Components: p  q • Bisimulation, Traces, May/Must Testing

9. Abstraction Equivalence on Components: p  q • Bisimulation, Traces, May/Must Testing “Universal” Equivalence on Coordinators • C[X] univ D[X] iff p. C[p]  D[p] (for simplicity, we consider one-holed contexts in most slides) • needs universal quantification!

10.  a.b+a.c a.(b+c) a a a b c b+c b c b c 0 0 0 0 Bisimulation Focus on Bisimilarity (largest bisimulation): p  q • if p –a p’ then  q –a q’ with p’  q’ • (and vice versa)

11. p1 q1 a1 a1 an an pn qn Coordinators a1 a1 D[X] C[X] an an Graphically Components p q

12. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R Example: Ambients + Asynchronous CCS com. p ::= 0 | a’ | a.p | n[p] | open n.p | in n.p | out n.p | p|p Assume AC1 parallel composition, a unique label  (omitted)

13. In Maude Notation I fmod CCSAmb is protecting MACHINE-INT . sorts Act Amb Proc . op n : MachineInt -> Amb . op a : MachineInt -> Act . op 0 : -> Proc . op _^ : Act -> Proc [frozen] . op _._ : Act Proc -> Proc [frozen] . op _[_] : Amb Proc -> Proc . op open(_)._ : Amb Proc -> Proc [frozen] . op in(_)._ : Amb Proc -> Proc [frozen] . op out(_)._ : Amb Proc -> Proc [frozen] . op _|_ : Proc Proc -> Proc [assoc comm id:0] .

14. In Maude Notation II vars N M : Amb . vars P Q R : Proc . vars A : Act . rl (N[P]) | (open(N) . Q) => P | Q . rl (N[P]) | (M[(in(N) . Q) | R]) => N[P | (M[Q | R])] . rl N[(P | (M[(out(N) . Q) | R]))] => (N[P]) | (M[(Q | R)]) . rl N[(A . P) | (A ^) | Q] => N[P | Q] . endfm

15. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’]- n[0] -/ ? m[b.0|b’]- m[0] -/

16. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’]- n[0]-/ ? m[b.0|b’]- m[0] -/

17. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’] - n[0]-/ ? m[b.0|b’]- m[0]-/

18. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’] - n[0] -/ ? m[b.0|b’] - m[0]-/

19. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’] - n[0] -/ ? m[b.0|b’] - m[0] -/

20. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’] - n[0] -/ ?  m[b.0|b’] - m[0] -/

21. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Components n[a.0|a’] - n[0] -/ ?  m[b.0|b’] - m[0] -/

22. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Problem on Coordinators n[X] ? m[X]

23. Symbolic Approach Bisimulation Without Instantiation • Facilitate analysis & verification of coordinators’ properties Distinguishing Features • Symbolic LTS • states are coordinators • labels are spatial/modal formulae • Avoids universal closure • Allows for coalgebraic techniques • Constructive definition for Algebraic SOS and GSOS specs • (In general yields equivalences finer than univ )

24. Notation We start from a PC specified by • Syntax & Structural Equivalence: (,E) • T,E is the set of Components p,q,r, … • T,E(X) is the set of Coordinators C, D, … • C[X1,…,Xn] means var(C)  {X1,…,Xn} • Labels: ranged by a,b,… • LTS:L(defined on T,E & ) • possibly defined via SOS inference rules

25. Symbolic Transition Systems Ordinary SOS approach: • Behavior of a coordinator can depend on: • The spatial structure of the components that are inserted/connected/substituted • The behavior of those components Idea: to borrow formulae from a suitable “logic” to express the most general class of components that can take part in the coordinators’ evolution

26. What Logic Do We Need? Formulae must express the minimal amount of information on components for enabling the step: • “Most general” active components needed for the step • Assumptions not only on the structure of components, but also on their behavior • Components not playing active role in the step

27. Spatial / Modal Formulae Logic L must include, as atomic formulae: • Place-holders (process variables) X: q╞ X • Components p: q╞ p iff q Ep We will also consider: • Spatial formulae (for operators f): • q╞ f(1,…,n) iff q1╞1… qn╞n. q E f(q1,…,qn) • Modality a (for labels a): • q╞a. iff p╞. q –a p

28. Symbolic Transitions Coordinators C[X] –(Y)a D[Y] intuitively: whenever p╞(q), then C[p] –a D[q] ( q is to some extent the residual of p after satisfying  ) Formula Ordinary label

29. Symbolic Transitions: Examples • n[ X | a’ ] –a.Y n[Y] for any p E a.q, n[ p|a’ ] – n[q] • X1 | X2–.Y1,Y2 Y1 | Y2 for any p1– q1 and p2 , p1|p2 – q1|p2

30. p╞(q) Correctness STS C[X] –(Y)a D[Y] C[p] –a D[q] pi,qi. pi╞(qi) C[p1] –a D[q1] C[p2] –a D[q2] LTS L C[pn] –a D[qn] components that, plugged in C, can perform a

31. Completeness r EC[p] –a q LTS L  ,s,D. C[X] –(Y)a D[Y] STS with p╞(s) and q E D[s]

32. Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t. C[X] –(Y)a C’[Y] strictstrict D[X] –(Y)a D’[Y] THEOREM: If the STS is correct & complete, then strict univ

33. Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t. C[X] –(Y)a C’[Y] strictstrict D[X] –(Y)a D’[Y] THEOREM: If the STS is correct & complete, then strict univ

34. Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t. C[X] –(Y)a C’[Y] strictstrict D[X] –(Y)a D’[Y] THEOREM: If the STS is correct & complete, then strict univ

35. Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t. C[X] –(Y)a C’[Y] strict strict D[X] –(Y)a D’[Y] THEOREM: If the STS is correct & complete, then strict univ

36. Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t. C[X] –(Y)a C’[Y] strict strict D[X] –(Y)a D’[Y] THEOREM: If the STS is correct & complete, then strict univ

37. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R Back to the Open Problem n[X] –Y|k[out n.Z|W]] n[Y]|k[Z|W] strict? m[X]

38. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R Back to the Open Problem n[X] –Y|k[out n.Z|W]]n[Y]|k[Z|W] strict? m[X]–Y|k[out n.Z|W]] –/

39. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R Back to the Open Problem n[X] –Y|k[out n.Z|W]]n[Y]|k[Z|W] strict m[X]–Y|k[out n.Z|W]] –/

40. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R Back to the Open Problem n[X] univ m[X] (take X = k[out n.0])

41. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Last Problem n[m[out n.X]] –Y n[0]|m[0] strict? n[0]|m[a’|a.X] –Y n[0]|m[0]

42. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Last Problem n[m[out n.X]] –Y n[0]|m[Y] strict n[0]|m[a’|a.X] –Y n[0]|m[Y]

43. n[P]|open n.Q  P|Q n[P]|m[in n.Q|R]  n[P|m[Q|R]] n[P|m[out n.Q|R]]  n[P]|m[Q|R] n[a.P|a’|Q]  n[P|Q] P  Q P  Q n[P]  n[Q] P|R  Q|R A Last Problem n[m[out n.X]] strict n[0]|m[a’|a.X] n[m[out n.X]] univ n[0]|m[a’|a.X] 

44. r.P –r P key1(X) –lock(r.Y) key1(Y)key1(X) ~strict~univ key2(X) –lock(r.Y) key2(Y)key2(X) ~strict~univ key3(X) –lock(r.Y) key3(Y)key3(X) key3(X) –lock(r.lock(Y)) key3(lock(Y))~strict~univ key1(X) keyi(lock(r.P)) – keyi(P) Is ~strict Too Fine? I p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p) | … “Pathological” example:

45. r.P –r P key1(X)–lock(r.Y) key1(Y)key1(X) ~strict ~univ key2(X)–lock(r.Y) key2(Y)key2(X) ~strict ~univ key3(X)–lock(r.Y) key3(Y)key3(X) key3(X)–lock(r.lock(Y)) key3(lock(Y)) ~strict ~univ key1(X) keyi(lock(r.P)) – keyi(P) Is ~strict Too Fine? I p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p) | … “Pathological” example:

46. r.P –r P key1(lock(X)) –r.Y key1(Y)key1(lock(X)) ~strict~univ key2(lock(X)) –r.Y key2(Y)key2(lock(X)) key2(lock(X)) –r.Y key2(Y)~strict~univ key3(lock(X)) key3(lock(X)) –r.Y key3(Y)~strict~univ key1(lock(X)) keyi(lock(r.P)) – keyi(P) Is ~strict Too Fine? II p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p) | … “Pathological” example:

47. r.P –r P key1(lock(X))–r.Y key1(Y)key1(lock(X)) ~strict ~univ key2(lock(X))–r.Y key2(Y)key2(lock(X)) key2(lock(X))–r.Y key2(Y) ~strict ~univ key3(lock(X)) key3(lock(X))–r.Y key3(Y) ~strict ~univ key1(lock(X)) keyi(lock(r.P)) – keyi(P) Is ~strict Too Fine? II p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p) | … “Pathological” example:

48. Large Bisimilarity Large Bisimilarity: largest (large) bisimulation s.t. C[X] –(Y)a C’[Y] large D’[(Y)] large D[X] –(Z)a D’[Z] (Y) = ((Y)) (Y) spatial THEOREM: If the STS is correct & complete, then large univ

49. Large Bisimilarity Large Bisimilarity: largest (large) bisimulation s.t. C[X] –(Y)a C’[Y] large D’[(Y)] large D[X] –(Z)a D’[Z] (Y) = ((Y)) (Y) spatial THEOREM: If the STS is correct & complete, then large univ

50. Large Bisimilarity Large Bisimilarity: largest (large) bisimulation s.t. C[X] –(Y)a C’[Y] large D’[(Y)] large D[X] –(Z)a D’[Z] (Y) = ((Y)) (Y) spatial THEOREM: If the STS is correct & complete, then large univ