660 likes | 855 Vues
Relative Expressiveness for Process Calculi. Daniele Gorla “Sapienza”,Università di Roma BASICS 2009 Shanghai, October 15 th , 2009. Overview. Absolute vs Relative Expressiveness, and the role of full abstraction A first attempt towards a unified approach to encodability and
E N D
Relative Expressivenessfor Process Calculi Daniele Gorla “Sapienza”,Università di Roma BASICS 2009 Shanghai, October 15th, 2009
Overview Absolute vs Relative Expressiveness, and the role of full abstraction A first attempt towards a unified approach to encodability and separation results Encodings and some desirable properties New proofs of known seperation results Proving new separation results A hierarchy of calculi for mobility A hierarchy of calculi with different communication primitives Conclusions
Designing a new language • Practical issues: • implementation (efficiency, resource usage, … ) • usability (graphical interfaces, user friendness, … ) • novelty (main reason for defining a new language) When we design a new language L, there are two kinds of issues that should be considered: Same problem from different prespectives • Theoretical issues: • What can/cannot be rendered in the language? • Are its features really ‘new’ or are they just ‘macros’ that can be defined in another language?
Expressiveness: Theory vs Practice Practitioner: show scenarios that should not be properly rendable show a scenario that can be naturally modeled in a language; claim that the same scenario cannot be rendered as naturally in another language • Theoretician: • show scenarios that cannot be rendered (formal proof) • show a scenario that can be naturally modeled in a language; • show that the same scenario cannot be rendered in another • language (formal proof) Quite unsatisfactory: does it depend on the programmer’s skills or on the language itself? Either by declaring that it is not possible to render at all or by showing an unsatisfactory implementation More difficult but more satisfactory
The jungle of Concurrency The problem of expressiveness is more evident in formalisms for concurrency Uwe Nestmann (CONCUR’06): “The original Pi Calculus arose out of a reformulation and extension of CCS. In turn, it boosted the invention and study of a whole zoo of further process calculi” Pi calculus: many variants (synchr/asychr, monadic/polyadic, first/higher order, different modelling of infinite behaviours… ) New calculi: Join, Dpi, KLAIM, Ambient (Mobile, Safe, Boxed, and their variants), …
Process Calculi A process calculus is a triple L = (Σ, →, ) where Σ is the set of processes → is the reduction relation is a behavioural relation
Absolute vs Relative Expressiveness Absolute expressiveness: “What can/cannot be rendered in L?” Relative expressiveness: “Can L be rendered in another language?” “Can L render another language? Through encodings
Absolute Expressiveness: Advantages and disadvantages Gives a clear feeling of what can be implemented and what cannot Can be used for studying relative expressiveness pick up two languages, one solving a problem and one not find encodability criteria that map a solution in the source into a solution in the target claim that there exists no encoding of the source in the target respecting the criteria Difficult to use difficult to properly define the problem difficult to find a solution and/or to prove that a solution does not exist difficult to define reasonable encodability criteria and prove that they map a source solution into a target solution the criteria are problem-driven Every problem creates a bipartition of the languages ( hierarchies of languages call for several separation problems)
Relative Expressiveness 1. If L1 can be translated into L2 and vice versa, then the two languages have the same expressive power To compare two languages L1 and L2, try to translate one in the other 2. If L1 can be translated into L2 but not vice versa, then L2 is more expressive 3. If L1 cannot be translated into L2 nor vice versa, then L1 and L2 are incomparable
Relative Expressiveness: Advantages and disadvantages Very natural for building hierarchies of languages The encodability criteria are not problem-driven but are ‘absolute’ Easier than absolute expressiveness in separation results find a construct of the source that cannot be rendered in the target you only have to prove that the construct is not rendable it gives you few hints on the practical problems that can/cannot be implemented
Encodability and Separation Results With relative expreessiveness, we have to deal with two kinds of results: Encodability results: develop an encoding Separation results: show that no encoding exists We cannot accept every encoding, otherwise no separation results will ever hold. → identify a set of criteria that an encoding has to satisfy to be acceptable
Full Abstraction (in denotational semantics) D Denotations |[ - ]| Two equivalent programs have the same denotation (i.e., the same meaning) P Q P ≈ Q iff |[P]| = |[Q]| Programs Programs/≈
The encoding respects and reflects the quotient induced by the equivalences in the source and target language Full Abstraction (in expressiveness) P Q |[P]| |[Q]| L1 /≈1 L2 /≈2 P ≈1 Q iff |[P]| ≈2 |[Q]| ≈1 ≈2 P Q |[ - ]| |[P]| |[Q]| L1 L2
Full Abstraction in Expressiveness:Advantages and Disadvantages It is a property related to the observable behaviour of the languages: the encoding agrees with the observational semantics of the languages it gives no hints on what/how the languages compute (i.e., their operational semantics) it strongly relies on the behavioural equivalences choosen unsuited for proving separation results what does it say on the quality of the encoding ??
CCSgc P ::= Σiαi.Pi | P|P | P\a | A [Mil’90s] CCS P ::= α.P | Σi Pi | P|P | P\a | A [Mil’80s] ≈1weak bisimilarity (equivalence/congruence) in CCSgc ≈2weak bisimulation equivalence in CCS ≈3weak bisimulation congruence in CCS The Meaning of Full Abstraction: false negatives The identity encodes (CCSgc,→,≈1) into (CCS,→,≈3) BUTτ.a ≈1awhereas |[τ.a]| = τ.a ≈3a = |[a]| The identity doesn’t enjoy (one direction of) F.A. The identity encodes (CCS,→,≈3) into (CCS,→,≈2) BUT |[τ.a]| = τ.a ≈2a = |[a]| whereas τ.a ≈3a The identity doesn’t enjoy (the other direction of) F.A.
The Meaning of Full Abstraction: false positives Consider (L1 , →1 , L1×L1 ) with L1 any language (L2 , →2 , ≈2 ) with L2 non-empty, ≈2 any equivalence the encoding that maps every S L1 to the same T L2 Then the encoding is fully abstract !!! But, is it ‘good ’ ???
To sum up: • full abstraction cannot be considered THE criterion for validity of an encoding • it is an extra value for an encoding • useful if the target language has an efficient proof-technique for its equivalence • useful for compositional development of programs (equivalent source processes behave in the same way in any target execution context) Full Abstraction in Expressiveness:conclusions
On the Criteria for an Encoding Traditional Approach: For encodability results, try to satisfy as many properties as possible For separation results, isolate the minimal set of properties that make a translation impossible This makes the two kinds of results difficult to relate and combine together to build lattices of languages Call for a unified approach
Encodings An encoding of L1= (Σ1 , →1 , 1 ) in L2= (Σ2 , →2 , 2 ) is a function |[ - ]| : Σ1 Σ2 An encoding is valid if it satisfies a fixed set of criteria Encodability results: develop a valid encoding of L1 into L2 Separation results: show that no valid encoding of L1 into L2 exists
The encoding of a compound term must be obtained by combining the encodings of its sub-terms Compositionality For every k-ary operator op and set of names N, there exists a k-holes context CNop( _1 ;…; _k ) such that |[ op (S1,…,Sk) ]| = CNop(|[S1]|;…;|[Sk]|) whenever N are the free names of S1,…,Sk
if two terms differ only in their names, also their encodings must do so Name Invariance TOO DEMANDING ! In general, every encoding assumes a renaming policy φ : N → N k (k ≥ 1) Name invariance: for every , it holds that |[(S)]| = ’( |[S]| ) where ’ordinately swapsφ(a)andφ(b), for everyaandbswapped by. for every permutation of names , it holds that |[ (S) ]| = ’( |[S]| ) for some permutation of names ’. Better, but too vague. for every permutation of names , it holds that |[ (S) ]| = ( |[S]| ) However, the encoding may introduce new names or translate a single name into a tuple of names.
Every computation of a source term can be mimicked by its encoding, and vice versa 2 2 It is better to formulate this property up to the behavioural relation of the target language L2, to garbage collect junk processes left by the encoding. • – if S S’, then |[ S ]| |[ S’ ]| • –if |[ S ]| T,then S S’ and T |[ S’ ]| Operational Correspondence • This formulation is sometimes too demanding. • For example, consider Nestmann’s encoding of choices: • it mimicks a source transition • it arrives in a state that is the encoding of the arrival process PLUS some junk process to be garbaged
Every non-divergent source term must be translated into a non-divergent term Divergence Reflection where a process P diverges whenever P →→...→... If every encoding of L1 into L2 introduces divergence, then L2 has not enough expressive power to “properly” translate L1.
Every successful source term must be translated into a successful term, and vice versa Success Sensitiveness • To simplify the setting: • we assume the same distinguished success process √ in every language • a process is successful if it may reduce to a process that has a top-level √ for some notion of success. For example: a set of barbs a set of tests that may/must be passed … Remark : the notions of success in the source and in the target can be very different
Supporting our Criteria The best known encodings appearing in the literature are valid; The criteria are not trivial: there are encodings that do not satisfy them; They can be used to prove (in an easier and more uniform way) known separation results; New separation results can be now formally proved.
CCS P ::= 0 | √ | a.P | a.P | (n)P | P1|P2| P1+P2| !P with (…+ a.Q +…) | (…+ a.P +…) Q | P
Pi-calculi Full pi-calculus (or π) : P ::= 0|√|ab.P |a(x).P | (n)P | P1|P2| P1+P2| [a=b]P | !P with (…+ ab.Q +…) | (…+ a(x).P +…) Q | P{b/x} Asynchronous pi-calculus (or aπ) : P ::= 0 | √ | ab | a(x).P | (n)P | P1|P2| [a=b]P | ! P with ab | a(x).P P{b/x}
Mobile Ambients (MA) P ::= 0 | M | (x).P | M.P | n[P] | (n)P | P1|P2| !P M ::= n | in_n | out_n | open_n | M.M with M | (x).P P{M/x} n[in_m.P | Q] | m[R] m[R | n[P | Q]] m[R | n[out_m.P | Q]] n[P | Q] | m[R] open_n.P | n[Q] P | Q
Milner’s encoding of poly-π into mon-π • Honda’s and Boudol ’s encodings of π into aπ • Nestmann’s (divergence-free) encoding of • input-guarded into aπ • Sangiorgi’s encoding of HOπ into π • … Several Known Encodings are Valid
Nestmann’s divergent encoding of input-guarded choices • in aπ • Nestmann’s encoding of separated choices in aπ • the encoding of an input sum leaves unobservable junks • the encoding of an output sum leaves observablejunks • operational correspondence is broken!! • Cardelli’s and Gordon’s encodings of aπ in MA • (FoSSaCS’98 and POPL’99) • they have both these two problems There are Encodings that are not Valid
A non-valid Encoding of aπ in MA 1st problem: it introduces divergence !a(x) | abdoesn’t diverge while |[!a(x) | ab]| does Cardelli’s and Gordon’s encoding of aπ in MA (FoSSaCS’98): |[a(x).P | ab]| = (νp)(io[in_a.(x).p[out_a.|[P]|] ] | open_p) | io[in_a.b] | a[ !open_io ] 2nd problem: it introduces spourious computations a(x) | ab| acevolves to either ab orac |[a(x) | ab| ac]| →7io[in_a.c] | a[ !open_io ] →2a[ !open_io | c] → ≈ |[ab]| ≈ |[ac]|
Encoding aPi in MA, not yet • Problems: • a1 must be dissolved after use • what if several ambients a2 enters the same a1 ? • Ideas: • communications over a are rendered as exchanges within a • for every channel a, there are two ambients a1 and a2, one containing the output and the other one the input • communication happens after that an a2 has entered an a1 and dissolved • finally, the (encoding of the) continuation of the input is restored at top-level Let us consider |[ab | a(x).P | ac | a(y).Q]| With this encoding, it allows reducing to |[P{b/x}]| | a1[ ] | |[ac | a(y).Q]| That in turn can reduce to the deadlocked state |[P{b/x}]| | a1[ a2[…|[Q]|] ] | |[ac]| |[ ab ]| = a1[open_a2.b1,b2] |[ a(x).P ]| = (νp)(open_p | a2[ in_a1.(x1,x2).p[ out_a1.|[P]|] ]) |[ (νa) P ]|= (ν a1 a2) |[ P ]| Let us again consider |[ab | a(x).P | ac | a(y).Q]| With this encoding, it allows reducing to a1[a2[…|[P]|] | a2[…|[Q]|] ] | |[ac]| That in turn can again reduce to the deadlocked state |[P{b/x}]| | a1[ a2[…|[Q]|] ] | |[ac]|
|[ ab ]| = a1[open_a2.b1,b2] |[ a(x).P ]| = (νp q)(open_p.open_q | q[ open_a1 ] | a2[ !in_a1|(x1,x2).in_q.p[ out_q.|[P]|] ]) Encoding aPi in MA (1) Better!! But it introduces divergence ab | ! a(x) doesn’t diverge but |[ab | ! a(x) ]| does Indeed |[ab | ! a(x) ]| → a1[ a2[…]] | |[ ! a(x) ]| → a1[ a2[…] | a2[…]] | |[ ! a(x) ]| → a1[a2[…] | a2[…] | a2[…]] | |[ ! a(x) ]| → …
Encoding aPi in MA (2) |[ ab ]| = a0[a1[open_a2.b0,b1,b2]] |[ a(x).P ]| = open_a0.(νp q)(open_p.open_q | q[ open_a1 ] | a2[ ! in_a1 | (x0,x1,x2).in_q.p[ out_q.|[P]|] ]) |[ (νa) P ]|=(νa0 a1 a2) |[ P ]| NOW IT WORKS!
aπ cannot be encoded in CCS Haagensen, Maffeis, Phillips (EXPRESS07): aπ MA CCS by proving that aπ and MA have (a form of) matching systems CCS does not there exists no translation homomorphic w.r.t. | a demanding form of name invariance (one-to-one correspondence between source and target names) a form of success sensitiveness.
Size matters? [HMP07]: 1 page for defining the problem 2 pages to sketch that aπ has a M.S. and CCS doesn’t 1 page to sketch the separation proof Myself (@ CONCUR’08): half LNCS page (20 lines!!) to fully prove the separation
Our separation proof (1) By contradiction, assume a valid encoding |[-]|: aπ→ CCS S = a(x).S’ | ab S’ = [x = b][c = c][d = d] √, for a,b,c,d pairwise distinct By operational correspondence, since S → √, it must be that |[ S ]| T ≈ |[√ ]| Moreover, by success sensitiveness, T is successful since |[√ ]| is successfuland ≈ is sensible to success By compositionality, |[ S ]| = (νn)( |[ a(x).S’]| | |[ab]| | T’) Thus, |[ a(x).S’]| K |[ab]| | T’ K’ (νn)(K | K’) T
Our separation proof (2) Let σ = {ac, bd} and σ’ = {φ(a)φ(c), φ(b)φ(d)} Thus, |[ Sσ ]| = (νn)( |[ c(x).S’σ]| | |[cd]| | T’) |[ c(x).S’σ]| Kσ’ |[cd]| | T’ K’σ’ (νn)(Kσ | K’σ’) Tσ’ |[ a(x).S’]| | |[ c(x).S’σ]| K |Kσ’ |[ad]| | T’ | |[cb]| | T’ K’ | K’σ’ |[ a(x).S’ | ad|c(x).S’σ | cb]| T | Tσ’ a(x).S’ | ad|c(x).S’σ | cb = a(x).[x = b][c = c][d = d]√ | ad |c(x).[x = d][a = a][b = b]√σ | cb Contradiction with success sensitiveness!! □
Separation based on Leader Election The problem: program a system of parallel processes s.t. the processes only differ in their names there is no central coordinating process in every computation exactly one process becomes the leader Show that leader election is possible in L1 but not in L2 Find the least set of criteria K that turn an electoral system in L1 into an electoral system in L2 (homomorphism of ‘|’, name invariance, success sensitiveness, divergence reflection) Conclude that there cannot be any encoding that satisfies K of L1 into L2
Known Separation Results based on Leader Election [Palamidessi@MSCS03]: CCS πmixπ aππigcπsep [PhillipsVigliotti@IC08]: MA BA SA PAC πsep For a good overview: [PalamPhillipsVigliotti@TCS07]
Our Proof of such Results • If there exists a L1-process S s.t. • - S does not report success, but • - S|S reports success • and for every L2-process T it holds that • - if T|T reduces then T reduces • then there exists no valid encoding of L1 into L2 We found that the following property covers all the separation results that rely on leader election:
Examples for the Previous Property Examples of the first condition: In CCS (similar in πmix and π): a.√ + a In MA (similar in BA, SA, …): n[in_n.p[out_n.out_n.√]] | open_p Examples of the second condition: In πsep(similar in aπ, πigc, MA-in, Dpi, …): if T|T →, then either T → or T exhibits an input and a complementary output (that must be in different choices) Hence, again, T →.
Assumptions to Prove our Property (1) 2 is “exact” (i.e., P 2 Q Pthen Q ) CN|(_1 ; _2 ) = _1 | _2 for every N usually assumed when proving separation results includes trace equiv. and bisimulations in their synchronous formulation
Assumptions to Prove our Property (2) Generalizable to any context, but then the proof depends on the target language General enough to catch all the encodings we are aware of includes strong bisimulation and the expansion preorder N R,n . CN|(_1 ; _2 ) = (νn)( _1 | _2 | R) 2 is “reduction-sensitive” (i.e., P 2 Q Q → then P → )
Assumptions to Prove our Property (3) N R,n . CN|(_1 ; _2 ) = (νn)( _1 | _2 | R) occurrences of 2 in operational correspondence are only of the form (νm)(|[ S’ ]| | T ) 2|[ S’ ]| , for (νm)T 20 (i.e., instead of S S’ implies that |[ S ]| 2|[ S’ ]| we require S S’ implies that |[ S ]| (νm)(|[ S’ ]| |T ), for (νm)T 20 and similarly for the other direction) This is exactly the aim of : garbage collect junk processes left by the encoding
Separation Results based on Matching Systems The problem: program a system of clients and servers s.t. the client/server processes only differ in their free names (that are n ) there is no central coordinating process in every computation clients and servers with the same names must recognize each other Show that n-ary matching systems exist in L1 but not in L2 Find the least set of criteria K that turn an n-ary matching system of L1 into an n-ary matching system of L2 (homomorphism of ‘|’, name invariance, success sensitiveness, divergence reflection) Conclude that there cannot be any encoding that satisfies K of L1 into L2
Known Separation Results based on Matching Systems [CarboneMaffeis@NJC03]: eπ πn πm n > m