bisimulation by unification

Bisimulation by Bisimulation by UnificationUnification

Roberto Bruni (Pisa – Illinois)Paolo Baldan (Pisa – Venezia)Andrea Bracciali (Pisa)

UIUC, 21 Oct. 2002

Research supported by• University of Illinois• CNR Fellowship on Information Sciences and

Technologies• IST Programme on FET-GC Projects AGILE, MYTHS,

SOCS

Outline

I. Introduction & Motivation II. Running Example (toy PC with

ambients)III. Symbolic Bisimulation

I. Symbolic Transition SystemsII. Strict & Large Bisimilarity

IV. Bisimulation by UnificationV. ConclusionsVI. (Related Work & Future Work)

“Goal”

Sound methodology for the formal analysis of open systems

– Algebraic Representations of Processes– Up-To Abstract Equivalences

• Process Calculi + Bisimilarity• Closed Terms = Components• Contexts = Coordinators

– Compact (Symbolic) Transition Systems

Open Systems are…Interactive, Autonomous, Accessible via Interfaces, Dynamic, Programmable, … Ex. Web Services, WAN Computing, Mobile Code

Components Coordinators

p

q

rC[X1,X2,X3]

Interaction

Components can be dynamically connectedEx. Access to Network Services

Boundaries: access policies

(Typed) Holes: constrained dynamic binding

C[p,q,r]

Let’s Get Formal

Process Calculi “Ingredients”– Structure (,E): Signature + Structural

Axioms– Operational Semantics (SOS, LTS/RS)– Linguistic abstraction for holes and binding

• Variables & Substitutions

– Logic for expressing and proving properties• Specification & Verification

Abstraction

Equivalence on Components: p q– Bisimulation, Traces, May/Must Testing

Equivalence on Coordinators– C[X] univ D[X] iff p. C[p] D[p]

(for simplicity, we consider one-holed contexts in most slides)

– needs universal quantification

Bisimulation

Focus on Bisimilarity (largest bisimulation): p q– if p –a p’ then q –a q’ with p’ q’– (and vice versa)

a.b+a.c a.(b+c)

b c

0 0

b+c

0 0

a a

b c

a

b c

GraphicallyComponents

p

p1a1

an pn

q

q1a1

an qn

Coordinators

C[X] D[X]

a1

an

a1

an

Example: Ambients + Asynchronous CCS com.

p ::= 0 | a’ | a.p | n[p] | open n.p | in n.p | out n.p | p|p

n[P]|open n.Q P|Q

n[P|m[out n.Q|R]] n[P]|m[Q|R]

n[P] n[Q]P Q P Q

P|R Q|R

n[a.P|a’|Q] n[P|Q]

n[P]|m[in n.Q|R] n[P|m[Q|R]]

(Assume AC1 parallel composition)

In Maude Notation Ifmod CCSAmb is

protecting MACHINE-INT .sorts Act Amb Proc .op n : MachineInt -> Amb .op a : MachineInt -> Act .

op 0 : -> Proc .op _^ : Act -> Proc [frozen] .op _._ : Act Proc -> Proc [frozen] .op _[_] : Amb Proc -> Proc .op open(_)._ : Amb Proc -> Proc [frozen] .op in(_)._ : Amb Proc -> Proc [frozen] .op out(_)._ : Amb Proc -> Proc [frozen] .op _|_ : Proc Proc -> Proc [assoc comm id:0] .

In Maude Notation IIvars N M : Amb .vars P Q R : Proc .vars A : Act .

rl (N[P]) | (open(N) . Q) => P | Q .

rl (N[P]) | (M[(in(N) . Q) | R]) => N[P | (M[Q | R])] .

rl N[(P | (M[(out(N) . Q) | R]))] => (N[P]) | (M[(Q | R)]) .

rl N[(A . P) | (A ^) | Q] => N[P | Q] .endfm

A Problem on Components

n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[a.0|a’] - n[0] -/ ? m[b.0|b’] - m[0] -/

A Problem on Coordinators

n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[X] ? m[X]

Symbolic Approach Bisimulation Without Instantiation

– Facilitate analysis & verification of coordinators’ properties

Distinguishing Features– Symbolic LTS

• states are coordinators• labels are spatial/modal formulae

– Avoids universal closure– Allows for coalgebraic techniques– Constructive definition for Algebraic SOS– (In general yields equivalences finer than univ )

Notation

We start from a PC specified by – Syntax & Structural Equivalence: (,E)

• T,E is the set of Components p,q,r…

• T,E(X) is the set of Coordinators C[X], D[X],…

• C[X1,…,Xn] means var(C) {X1,…,Xn}

– Labels: ranged by a,b,…

– LTS: L (defined on T,E & )• possibly defined by SOS rules

Symbolic Transition Systems

Ordinary SOS approach: – Behavior of a coordinator can depend on:

1. The spatial structure of the components that are inserted/connected/substituted

2. The behavior of those components

Idea: to borrow formulae from a suitable “logic” to express the most general class of components that can take part in the coordinators’ evolution

What Logic Do We Need? Formulae must express the minimal amount of information on components for enabling the step:

– Components that are not playing active role in the step– “Most general” active components needed for the step– Assumptions not only on the structure of components,

but also on their behavior

Logic L must include, as atomic formulae:– Place-holders (process variables) X: q╞ X

– Components p: q╞ p iff q E p

Symbolic Transitions

C[X] –(Y)a D[Y]

intuitively: whenever p╞ (q), then C[p] –a D[q]

( q is to some extent the residual of p after satisfying )

Coordinators

Formula Ordinary label

Correctness

C[p] –a D[q]

C[X] –(Y)a D[Y]STS

LTS L

C[p1] –a D[q1]

C[p2] –a D[q2]

C[pn] –a D[qn]

pi,qi. pi╞ (qi)

components that can make a

p╞ (q)

Completeness

r E C[p] –a q

STS

LTS L

,s. C[X] –(Y)a D[Y]with p╞ (s) and q D[s]

Strict Bisimilarity Strict Bisimilarity: largest (strict) bisimulation s.t.

C[X] –(Y)a C’[Y]

strict strict

D[X] –(Y)a D’[Y]

THEOREM: If the STS is correct & complete, then

strict univ


n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[X] –Y|k[out n.Z|W]] n[Y]|k[Z|W] strict? m[X] –Y|k[out n.Z|W]] -/


n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[X] –Y|k[out n.Z|W]] n[Y]|k[Z|W] strict m[X] –Y|k[out n.Z|W]] -/


n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[X] univ m[X]

(take X = k[out n.0])

A Last Problem

n[P]|open n.Q P|Q


n[P] n[Q]P Q P Q

P|R Q|R



n[m[out n.X]] strict n[0]|m[a’|a.X]

n[m[out n.X]] univ n[0]|m[a’|a.X]

Large Bisimilarity What if strict is too fine?

We can relax the strict bisimilarity when the logic L includes generic spatial formulae:

– Operators f: • q╞ f(1,…,n) iff qi. q E

f(q1,…,qn) qi╞ i

We call spatial formulae those composed by spatial operators and place-holders only

– Ambivalent view of Spatial Formulae as Coordinators

Large Bisimilarity Large Bisimilarity: largest (large) bisimulation s.t.

C[X] –(Y)a C’[Y] large D’[(Y)]large

D[X] –(Z)a D’[Z] (Y) = ((Y))(Y) spatial

THEOREM: If the STS is correct & complete, then

large univ

Large Bisimilarity Large Bisimilarity: largest (large) bisimulation s.t.

C[X] –(Y)a C’[Y] large D’[(Y)]large

D[X] –(Z)a D’[Z] (Y) = ((Y))(Y) spatial

THEOREM: strict large If the STS is correct & complete, then

large univ

Why Use strict & large • As an approximation method for univ

univ is not defined coinductively

univ requires the verification of infinitely many equivalences

• Bonus Theorems:– C[X] large D[X] implies C[E[Y]] univ D[E[Y]]

– C[X] strict D[X] implies C[E[Y]] univ D[E[Y]]

• Note that in general large is not transitive

• Bonus Theorem:– if C[X] large D[X] implies C[E[Y]] large D[E[Y]], then

large is transitive and thus it is an equivalence relation

Algebraic SOS Format (spatial/modal constraints)

(Yi is either Xi (if iI) or Zi (if iI))

Formulae: ::= X | p | a. | f(,…,)– Modality a: q╞ a. iff q –a p p ╞

Bisimulation by Unification

C[X1,…,Xn] –a D[Y1,…,Yn]

{Xi –ai Zi}iI

trs( box(A,X) , A , X ) :- !.

trs( C[X1,…,Xn],a,D[Y1,…,Yn] ) :-

trs(Xi1 , ai1 , Zi1), … ,

trs(Xin , ain , Zin).

The program can be seen as the specification of the STS

– Goals have the form ?- trs(C[X1,…,Xn], a , Z).– Backtracking mechanism + meta-logic ops (bagof) can be

used to compute all symbolic transitions for C[X]

THEOREM:The resulting STS is correct & complete

The Prolog Algorithm

Conclusions• General formal framework for open systems

– Meta-theoretic foundations

• Under suitable hypothesis: strict implies large implies univ

• For the Algebraic SOS format, a minimal STS can be defined constructively in Prolog– cut + unification– extension to AC1 parallel operator (see paper)

Dual View• Instantiation Contextualization• When is not a congruence:

– p q iff C[X]. C[p] C[q] is not a bisimulation (unless is a congruence)

• (the largest congruence which is also a bisimulation is called dynamic bisimulation)

• Sewell, Leifer & Milner: minimal contexts as labels– Transitions: p –C[ _ ,X1,…,Xn] D[X1,…,Xn]

1. pi. C[p,p1,…,pn] - D[p1,…,pn]2. C[.] minimal (not necessarily minimum)– Universal quantification moved from contexts to

components!

Related Work / Source of Inspiration

• Sewell, Leifer & Milner– categorical characterization of the most general

interaction (relative pushout)

• Caires, Cardelli & Gordon• Fiadeiro, Maibaum, Martì-Oliet, Meseguer &

Pita– elegant mathematical tool for expressing

structural & temporal aspects

• Bruni, Montanari & Rossi – interactive view of Logic Programming

Future Work• Deal with names

– Name restriction & Logical notion of freshness

• Duality– Categorical formulation (relative pullback?)

• Symbolic approach to the verification of infinite state cryptographic protocols

• Extension to meta and abductive LP– Programmable definition of proofs– To answer questions like “under which assumptions

can p|X evolve so to satisfy a certain property?” that are relevant in dynamic system engineering

Bisimulation By Unification

a paper by Andrea Bracciali Paolo Baldan Roberto Bruni

a presentation by Roberto Bruni

bisimulation by unification

Documents

p qif p

vars p q r

p qbisimulation

p np open n

b m0

op open

set of components p

np mq r