Relative Expressivenessfor Process Calculi
Daniele Gorla“Sapienza”,Università di Roma
BASICS 2009Shanghai, October 15th, 2009
Overview
Absolute vs Relative Expressiveness, and the role of full abstraction
A first attempt towards a unified approach to encodability and separation results
Encodings and some desirable properties New proofs of known seperation results Proving new separation results
A hierarchy of calculi for mobility
A hierarchy of calculi with different communication primitives
Conclusions
Designing a new language
When we design a new language L, there are two kinds of issues that should be considered: Practical issues:
implementation (efficiency, resource usage, … ) usability (graphical interfaces, user friendness, … ) novelty (main reason for defining a new language)
Theoretical issues: What can/cannot be rendered in the language?Are its features really ‘new’ or are they just ‘macros’ that can be defined in another language?
Same problem from different prespectives
Expressiveness: Theory vs Practice
Practitioner: show scenarios that should not be properly rendable show a scenario that can be naturally modeled in a language; claim that the same scenario cannot be rendered as naturally in another language Quite
unsatisfactory: does it depend on the programmer’s skills or on the language itself?
Either by declaring that it is not possible to render at all or by
showing an unsatisfactory
implementation
Theoretician: show scenarios that cannot be rendered (formal proof) show a scenario that can be naturally modeled in a language; show that the same scenario cannot be rendered in another language (formal proof)
More difficult but more satisfactory
The jungle of Concurrency
The problem of expressiveness is more evident in formalisms for concurrency
Uwe Nestmann (CONCUR’06):
“The original Pi Calculus arose out of a reformulation
and extension of CCS. In turn, it boosted the invention
and study of a whole zoo of further process calculi”
Pi calculus: many variants (synchr/asychr, monadic/polyadic, first/higher order, different modelling of infinite behaviours… )
New calculi: Join, Dpi, KLAIM, Ambient (Mobile, Safe, Boxed, and their variants), …
Process Calculi
A process calculus is a tripleL = (Σ, →, )
where• Σ is the set of processes• → is the reduction relation• is a behavioural relation
Absolute vs Relative Expressiveness
Absolute expressiveness: “What can/cannot be rendered in L?”
Relative expressiveness: “Can L be rendered in another language?” “Can L render another language?
Through encodings
Absolute Expressiveness: Advantages and disadvantages
+ Gives a clear feeling of what can be implemented and what cannot
+ Can be used for studying relative expressiveness
pick up two languages, one solving a problem and one not find encodability criteria that map a solution in the source into a solution in the target claim that there exists no encoding of the source in the target respecting the criteria
– Difficult to use difficult to properly define the problem difficult to find a solution and/or to prove that a solution does not exist difficult to define reasonable encodability criteria and prove that they map a source solution into a target solution the criteria are problem-driven
– Every problem creates a bipartition of the languages ( hierarchies of languages call for several separation problems)
Relative Expressiveness
To compare two languages L1 and L2, try to translate one in the other
1. If L1 can be translated into L2 and vice versa, then the two languages have the same expressive power2. If L1 can be translated into L2 but not vice versa, then L2 is more expressive
3. If L1 cannot be translated into L2 nor vice versa, then L1 and L2 are incomparable
Relative Expressiveness: Advantages and disadvantages
+ Very natural for building hierarchies of languages
+ The encodability criteria are not problem-driven but are ‘absolute’
+ Easier than absolute expressiveness in separation results
find a construct of the source that cannot be rendered in the target you only have to prove that the construct is not rendable
– it gives you few hints on the practical problems that can/cannot be implemented
Encodability and Separation Results
With relative expreessiveness, we have to deal with two kinds of results:
Encodability results: develop an encoding
Separation results: show that no encoding exists
We cannot accept every encoding, otherwise no separation results will ever hold.
→ identify a set of criteria that an encoding
has to satisfy to be acceptable
Full Abstraction (in denotational semantics)
Two equivalent programs have the same denotation
(i.e., the same meaning)
Programs
P
Denotations
D
|[ - ]|
Programs/≈
Q
P ≈ Q iff |[P]| = |[Q]|
Full Abstraction (in expressiveness)
P
Q
|[P]|
|[Q]|
|[ - ]|
≈1
P
Q
|[P]|
|[Q]|
≈2
L1
L1 /≈1
L2
L2
/≈2
The encoding respects and reflects the quotient induced by the equivalences in the source and
target language
P ≈1 Q iff |[P]| ≈2 |[Q]|
Full Abstraction in Expressiveness:
Advantages and DisadvantagesIt is a property related to the
observable behaviour of the languages:+ the encoding agrees with the observational semantics of the languages– it gives no hints on what/how the languages compute (i.e., their operational semantics)– it strongly relies on the behavioural equivalences choosen– unsuited for proving separation results– what does it say on the quality of the encoding ??
The Meaning of Full Abstraction:
false negativesCCSgc P ::= Σi αi.Pi | P|P | P\a | A [Mil’90s]
CCS P ::= α.P | Σi Pi | P|P | P\a | A [Mil’80s]
≈1 weak bisimilarity (equivalence/congruence) in CCSgc
≈2 weak bisimulation equivalence in CCS
≈3 weak bisimulation congruence in CCSThe identity encodes (CCSgc,→,≈1) into (CCS,→,≈3)
BUT τ.a ≈1 a whereas |[τ.a]| = τ.a ≈3 a = |[a]|
The identity doesn’t enjoy (one direction of) F.A.
The identity encodes (CCS,→,≈3) into (CCS,→,≈2)
BUT |[τ.a]| = τ.a ≈2 a = |[a]| whereas τ.a ≈3 a
The identity doesn’t enjoy (the other direction of) F.A.
Consider– (L1 , →1 , L1×L1 ) with L1 any language– (L2 , →2 , ≈2 ) with L2 non-empty, ≈2 any equivalence– the encoding that maps every S L1 to the same T L2
Then the encoding is fully abstract !!!
But, is it ‘good ’ ???
The Meaning of Full Abstraction:
false positives
Full Abstraction in Expressiveness:
conclusionsTo sum up: full abstraction cannot be considered THE criterion for validity of an encoding
it is an extra value for an encoding useful if the target language has an efficient proof-technique for its equivalence
useful for compositional development of programs (equivalent source processes behave in the same way in any target execution context)
On the Criteria for an Encoding
Traditional Approach: For encodability results, try to satisfy as many properties as possible For separation results, isolate the minimal set of properties that make a translation impossible
This makes the two kinds of results difficult to relate and combine together to build lattices of languagesCall for a unified
approach
Encodings
An encoding of L1= (Σ1 , →1 , 1 ) in L2= (Σ2 , →2 , 2 ) is a function
|[ - ]| : Σ1 Σ2
An encoding is valid if it satisfies a fixed set of criteria Encodability results: develop a valid encoding of L1 into L2 Separation results: show that no valid encoding of L1 into L2 exists
Compositionality
For every k-ary operator op and set of names N, there exists a k-holes context CN
op ( _1 ;…; _k ) such that
|[ op (S1,…,Sk) ]| = CNop (|[S1]|;…;|[Sk]|)
whenever N are the free names of S1,…,Sk
The encoding of a compound term must be
obtained by combining the encodings of its
sub-terms
Name Invarianceif two terms differ only in their
names, also their encodings must do so
for every permutation of names , it holds that
|[ (S) ]| = ( |[S]| )
However, the encoding may introduce new names or translate a single name into a tuple of names.
TOO DEMANDING !
for every permutation of names , it holds that
|[ (S) ]| = ’( |[S]| ) for some permutation of names ’.
Better, but too vague.
In general, every encoding assumes a renaming policy
φ : N → N k (k ≥ 1)
Name invariance: for every , it holds that
|[(S)]| = ’( |[S]| ) where ’ ordinately swaps φ(a) and φ(b), for every a and b swapped by .
Operational Correspondence
2
2
It is better to formulate this property up to the
behavioural relation of the target language L2,
to garbage collect junk processes left by the encoding.
– if S S’, then |[ S ]| |[ S’ ]|– if |[ S ]| T, then S S’ and T |[ S’ ]|
This formulation is sometimes too demanding.
For example, consider Nestmann’s encoding of choices:
• it mimicks a source transition
• it arrives in a state that is the encoding of the arrival process PLUS some junk process to be garbaged
Every computation of a source term can be mimicked by its
encoding, and vice versa
Divergence Reflection
where a process P diverges whenever
P →→...→...
If every encoding of L1 into L2 introduces divergence, then L2 has not enough expressive power to “properly” translate L1.
Every non-divergent source term must be
translated into a non-divergent term
Success Sensitiveness
for some notion of success. For example:
– a set of barbs– a set of tests that may/must be passed– …
Remark : the notions of success in the source
and in the target can be very different
Every successful source term must be translated
into a successful term, and vice versa
To simplify the setting: we assume the same distinguished success process √ in every language
a process is successful if it may reduce to a process that has a top-level √
Supporting our Criteria
• The best known encodings appearing in the literature are valid;
• The criteria are not trivial: there are encodings that do not satisfy them;
• They can be used to prove (in an easier and more uniform way) known separation results;
• New separation results can be now formally proved.
Pi-calculiFull pi-calculus (or π ) :
P ::= 0 | √ | ab.P | a(x).P | (n)P | P1|P2 | P1+P2 | [a=b]P | !P
with (…+ ab.Q +…) | (…+ a(x).P +…) Q | P{b/x}
Asynchronous pi-calculus (or aπ) :P ::= 0 | √ | ab | a(x).P | (n)P | P1|P2 | [a=b]P | ! P
with ab | a(x).P P{b/x}
Mobile Ambients (MA)P ::= 0 | M | (x).P | M.P | n[P] | (n)P | P1|P2 | !P
M ::= n | in_n | out_n | open_n | M.M
with M | (x).P P{M/x}
n[in_m.P | Q] | m[R] m[R | n[P | Q]]
m[R | n[out_m.P | Q]] n[P | Q] | m[R]
open_n.P | n[Q] P | Q
Several Known Encodings are Valid
• Milner’s encoding of poly-π into mon-π
• Honda’s and Boudol ’s encodings of π into aπ
• Nestmann’s (divergence-free) encoding of input-guarded into aπ
• Sangiorgi’s encoding of HOπ into π
• …
There are Encodings that are not Valid
• Nestmann’s divergent encoding of input-guarded choices in aπ • Nestmann’s encoding of separated choices in aπ
• the encoding of an input sum leaves unobservable junks• the encoding of an output sum leaves observable junks• operational correspondence is broken!!
• Cardelli’s and Gordon’s encodings of aπ in MA (FoSSaCS’98 and POPL’99)
• they have both these two problems
Cardelli’s and Gordon’s encoding of aπ in MA (FoSSaCS’98):
|[a(x).P | ab]| = (νp)(io[in_a.(x).p[out_a.|[P]|] ] | open_p)
| io[in_a.b] | a[ !open_io ]
A non-valid Encoding of aπ in MA
1st problem: it introduces divergence
!a(x) | ab doesn’t diverge while |[!a(x) | ab]| does
2nd problem: it introduces spourious computations
a(x) | ab | ac evolves to either ab or ac |[a(x) | ab | ac]| →7 io[in_a.c] | a[ !open_io ] →2 a[ !open_io | c] → ≈ |[ab]| ≈ |[ac]|
Encoding aPi in MA, not yet
|[ ab ]| = a1[open_a2.b1,b2]
|[ a(x).P ]| = (ν p)(open_p | a2[ in_a1.(x1,x2).p[ out_a1.|[P]|] ])
|[ (ν a) P ]| = (ν a1 a2) |[ P ]|
Ideas:
• communications over a are rendered as exchanges within a
• for every channel a, there are two ambients a1 and a2, one containing the output and the other one the input
• communication happens after that an a2 has entered an a1 and dissolved
• finally, the (encoding of the) continuation of the input is restored at top-level
Problems:1. a1 must be dissolved after use
2. what if several ambients a2 enters the same a1 ?
Let us consider |[ab | a(x).P | ac | a(y).Q]|
With this encoding, it allows reducing to|[P{b/x}]| | a1[ ] | |[ ac | a(y).Q]|
That in turn can reduce to the deadlocked state
|[P{b/x}]| | a1[ a2[…|[Q]|] ] | |[ ac]|
Let us again consider |[ab | a(x).P | ac | a(y).Q]|
With this encoding, it allows reducing toa1[a2[…|[P]|] | a2[…|[Q]|] ] | |[ ac]|
That in turn can again reduce to the deadlocked state
|[P{b/x}]| | a1[ a2[…|[Q]|] ] | |[ ac]|
Encoding aPi in MA (1)
|[ ab ]| = a1[open_a2.b1,b2]
|[ a(x).P ]| = (ν p q)(open_p.open_q | q[ open_a1 ]
| a2[ ! in_a1 | (x1,x2).in_q.p[ out_q.|[P]|] ])
Better!! But it introduces divergenceab | ! a(x) doesn’t diverge but |[ab | ! a(x) ]| does
Indeed|[ab | ! a(x) ]| → a1[ a2[…]] | |[ ! a(x) ]| → a1[ a2[…] | a2[…]] | |[ ! a(x) ]| → a1[a2[…] | a2[…] | a2[…]] | |[ ! a(x) ]| → …
Encoding aPi in MA (2)
|[ ab ]| = a0[a1[open_a2.b0,b1,b2]]
|[ a(x).P ]| = open_a0.(ν p q)(open_p.open_q | q[ open_a1 ]
| a2[ ! in_a1 | (x0,x1,x2).in_q.p[ out_q.|[P]|] ])
|[ (ν a) P ]| = (ν a0 a1 a2) |[ P ]|
NOW IT WORKS!
aπ cannot be encoded in CCS
Haagensen, Maffeis, Phillips (EXPRESS07):aπ MA
CCSby proving that• aπ and MA have (a form of) matching systems• CCS does not• there exists no translation
– homomorphic w.r.t. | – a demanding form of name invariance (one-to-one correspondence between source and target names)– a form of success sensitiveness.
Size matters?
• [HMP07]:– 1 page for defining the problem– 2 pages to sketch that aπ has a M.S. and CCS doesn’t– 1 page to sketch the separation proof
• Myself (@ CONCUR’08):– half LNCS page (20 lines!!) to fully prove the separation
• By contradiction, assume a valid encoding |[-]|: aπ → CCS
• S = a(x).S’ | ab S’ = [x = b][c = c][d = d] √, for a,b,c,d pairwise distinct• By operational correspondence, since S → √, it must be that
|[ S ]| T ≈ |[√ ]|
• Moreover, by success sensitiveness, T is successful since |[√ ]| is successful and ≈ is sensible to success• By compositionality, |[ S ]| = (νn)( |[ a(x).S’]| | |[ab]| | T’)
• Thus, |[ a(x).S’]| K
|[ab]| | T’ K’
(νn)(K | K’) T
Our separation proof (1)
1... k 1... k
Our separation proof (2)• Let σ = {ac, bd} and σ’ = {φ(a)φ(c), φ(b)φ(d)} • Thus, |[ Sσ ]| = (νn)( |[ c(x).S’σ]| | |[cd]| | T’)
|[ c(x).S’σ]| Kσ’|[cd]| | T’ K’σ’(νn)(Kσ | K’σ’) Tσ’
• |[ a(x).S’]| | |[ c(x).S’σ]| K | Kσ’ |[ad]| | T’ | |[cb]| | T’ K’ | K’σ’• |[ a(x).S’ | ad | c(x).S’σ | cb]| T | Tσ’ • a(x).S’ | ad | c(x).S’σ | cb = a(x).[x = b][c = c][d = d]√ | ad | c(x).[x = d][a = a][b = b]√σ | cb Contradiction with success sensitiveness!! □
1... k
1... k
1 1 ... k k 1... k k
Separation based on Leader Election
• The problem: program a system of parallel processes s.t.
– the processes only differ in their names– there is no central coordinating process– in every computation exactly one process becomes the leader
• Show that leader election is possible in L1 but not in L2 • Find the least set of criteria K that turn an electoral system in L1 into an electoral system in L2 (homomorphism of ‘|’, name invariance, success sensitiveness, divergence reflection)
• Conclude that there cannot be any encoding that satisfies K of L1 into L2
Known Separation Results based on Leader Election
[Palamidessi@MSCS03]:CCS πmix π
aπ πigc πsep
[PhillipsVigliotti@IC08]:MA BA SA PAC
πsep
For a good overview: [PalamPhillipsVigliotti@TCS07]
Our Proof of such Results
We found that the following property covers all the separation results that rely on leader election:
If there exists a L1-process S s.t.- S does not report success, but - S|S reports success
and for every L2-process T it holds that- if T|T reduces then T reduces
then there exists no valid encoding of L1 into L2
Examples for the Previous Property
Examples of the first condition:In CCS (similar in πmix and π): a.√ + a
In MA (similar in BA, SA, …):n[in_n.p[out_n.out_n.√]] | open_p
Examples of the second condition:In πsep(similar in aπ, πigc, MA-in, Dpi, …):
if T|T →, then either T → orT exhibits an input and a
complementaryoutput (that must be in different
choices)Hence, again, T →.
Assumptions to Prove our Property (1)
– 2 is “exact” (i.e., P 2 Q P then Q )
– CN|( _1 ; _2 ) = _1 | _2 for every N
usually assumed when proving separation results
includes trace equiv. and bisimulations in their synchronous formulation
Assumptions to Prove our Property (2)
– N R,n . CN|( _1 ; _2 ) = (νn)( _1 | _2 | R)
– 2 is “reduction-sensitive” (i.e., P 2 Q Q → then P → )
Generalizable to any context,
but then the proof depends on
the target language
General enough to catch all
the encodings we are aware of
includes strong bisimulation and the expansion preorder
Assumptions to Prove our Property (3)
– N R,n . CN|( _1 ; _2 ) = (νn)( _1 | _2 | R)
– occurrences of 2 in operational correspondence are only of the form (νm)( |[ S’ ]| | T ) 2 |[ S’ ]| , for (νm)T 2 0 (i.e., instead of
S S’ implies that |[ S ]| 2 |[ S’ ]| we require
S S’ implies that |[ S ]| (νm)(|[ S’ ]| |T ), for (νm)T 2 0 and similarly for the other direction)This is exactly the aim of
: garbage collect junk processes left by the encoding
Separation Results based on Matching Systems
• The problem: program a system of clients and servers s.t.
– the client/server processes only differ in their free names (that are n )– there is no central coordinating process– in every computation clients and servers with the same names must recognize each other
• Show that n-ary matching systems exist in L1 but not in L2 • Find the least set of criteria K that turn an n-ary matching system of L1 into an n-ary matching system of L2 (homomorphism of ‘|’, name invariance, success sensitiveness, divergence reflection)
• Conclude that there cannot be any encoding that satisfies K of L1 into L2
Our Proof of such Results
Define the matching degree of a language, MD(L), asthe greatest number of names that are atomicallymatched to allow a reduction.
Examples: MD(CCS) = MD(π) = 1MD(Dπ) = 2
MD(πn) = nMD(eπ) = ∞
If MD(L1) > MD(L2) then there exists no valid encoding of L1 into L2
Assumptions to Prove our Property
By either assuming that– N R,n . CN
|( _1 ; _2 ) = (νn)( _1 | _2 | R)
– 2 is “reduction-sensitive”
Or that– N R,n . CN
|( _1 ; _2 ) = (νn)( _1 | _2 | R)
– occurrences of 2 in operational correspondence are only of the form (νm)( |[ S’ ]| | T ) 2 |[ S’ ]|, for (νm)T 2 0
Calculi for Mobility• Name mobility (pi-calculi): the interconnection structure among processes varies as a result of communications
• Mobile computation (Dπ): a process (i.e. a computational entity) moves from one node to another in a net.
• Mobile computing (Ambient-based calculi): a whole ambient (i.e. a place for computations) moves (i.e. enters and exits other ambients) during its life.
Some Features for Communication Primitives
Common features: synchronism (synchronous vs asynchronous c.p.) arity (monadic vs polyadic c.p.) communication medium (channels vs dataspaces) pattern-matching (atomically checking some names while retrieving them: a(x,[b]) matches against ac,b - and replaces x with c - but not against ac,d ) point-to-point vs broadcasting c.p. first-order vs higher-order c.p. …
2 4 = 16 possible primitives
Naming the 16 Languages
A language of this family is denoted by
L 1 2 3 4
where: 1 = A if the communication is asynchronous = S if the communication is synchronous 2 = M if the communication is monadic
= P if the communication is polyadic 3 = D if the communication is dataspace-based
= C if the communication is channel-based 4 = No if there is no pattern-matching
= Pm if there is pattern-matching
The Hierarchy of Communication Primitives
LA,P,C,Pm LS,P,C,Pm LS,P,D,Pm LA,P,D,Pm
LA,M,C,Pm LS,M,C,Pm
LA,M,C,No LS,M,C,No LS,P,C,No LA,P,C,No
LS,M,D,Pm LS,P,D,No
LA,M,D,Pm LS,M,D,No LA,P,D,No
LA,M,D,No
Weak CompositionalityA two-level encoding:
|[ P ]| = C fn(P) ( [P] )
where |[-]| satisfies all properties but compositionality [-] satisfies all properties (also compositionality)All our results scale well to weak
compositionality
Parametric EncodingsA family of encoding functions:
|[ - ]|Ξ : L1 → L2
where every element of the family is valid Ξ is a set of names
Problem: What does Ξ represent?
This may change the definition of the first 3 properties:Compositionality: does the context
also depend on Ξ ?Name invariance:
if Ξ is a set of source names, then |[ Sσ ]|Ξσ
= (|[ S ]|Ξ)σ’
otherwise |[ Sσ ]|Ξσ’ = (|[ S ]|Ξ)σ’
Operational Correspondence:
S S’ implies |[S]|Ξ |[S’]|Ξ or |[S]|Ξ |[S’]|Ξ’
for some Ξ’ ?
Other forms of semantics
• We have worked in an interleaving framework
• There exist other frameworks:– true concurrency– probabilistic– …
What is the formulation of operational correspondence in these frameworks ??
Conclusions
we have advocated a uniform approach to encodability and separation results to build lattices of process calculi
we have isolated a set of criteria that are well-suited both for proving quality of encodings and separation results
prove (in an easier way) known separation results prove new separation results
Future work
carry out proofs under more general formulations of our criteria (by making less demanding assumptions on )
develop proofs for parametric encodings and other forms of semantics
CHALLENGE: a new approach to encodability results:
show existence of a translation without exhibiting it
References
All available at:http://www.dsi.uniroma1.it/~gorla/publications.htm
• General methodology and some sample separation results (aπ not in CCS, aπ in MA, CCS not in MA, all results on leader election and on matching systems)
– Full version: Tech. Rep. Submitted for publication– Short version: Proc. of CONCUR’08
• Hierarchy of calculi for mobility– Full version: Tech. Rep. submitted for publication– Short version: Proc. of TCG’08 and of MFPS XXV
• Hierarchy of communication primitives– Full version: Information and Computation (2008)– Short version: Proc. of FoSSaCS’06 and of EXPRESS’06