Course material Concurrency Theory

Concurrency Theory

Lecture 1

Alban Ponse

section Theory of Computer ScienceInformatics Institute

University of Amsterdamhttps://staff.fnwi.uva.nl/a.ponse/

2017 - 2018

Course material

Www-site for this course: Blackboard (Bb) athttp://blackboard.ic.uva.nl/

Literature (offered at Bb as pdf’s)

HandoutsVarious papers from JLAP51(2), i.e., the Journal of Logic andAlgebraic Programming, volume 51, number 2 (2002)Wan Fokkink, Introduction to Process Algebra, Springer Verlag,2000, ISBN 3-540-66579-X

These slides provide a summary of all course material

FYI = For Your Information-slides: extra knowledge, not required forthe exam.

Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 1 2017 - 2018 2 / 27

Overview of the course

The course Concurrency Theory 2017/2018 is about three main topics:1 Program Algebra (PGA) and Thread Algebra (TA), an algebraic

approach to imperative programming (⇡ first 2.5 lectures)

2 Process Algebra (ACP), an algebraic approach to communicatingprocesses / behaviors and PSF Toolkit (⇡ next 4.5 lectures)

3 1 + 2 + more theory, subjects: state machines, multi-threading,expressiveness, and concurrent machine models (rest)

Objective

Learning about algebraic methods in the field of concurrencytheory (specification languages, modelling of processes, anddistributed algorithms)Introduction to TCS’s current research and the track programmeFoundations of Computing and Concurrency (VU-UvA-MSc. CS)


Course catalogue: Objectives

The student should be able

1 to reason with equational axioms for instruction sequences,2 to relate these axioms to a simple semantics for instruction

sequences,3 to apply these axioms to small examples, such as algorithms for

simple computations on simple data structures,

4 to reason with equational axioms for sequential and concurrentprocesses,

5 to relate these axioms to a simple semantics, and6 to apply these axioms to small examples, for example proving the

correctness of a communication protocol.


Position & motivation

This course is a constrained choice course in the track (or,specialization) Foundations of Computing and Concurrency (FCC)and its main objective is twofold:

1 to introduce the FCC-student to the field of concurrency theory(and to more advanced courses in this field), and

2 to provide a general introduction to this field suitable for MScstudents in related disciplines.

Assessment

Written examination (70%) and practical assignments (30%).Submission of the practical assignments is required.


Overview of Lecture 1

Contents

PGA, a quick introductionThreads (or behaviors) and behavior extractionSome simple expressiveness results

Slides will be available at Bb under Course Documents.1

Literature

Handout 1Bergstra and Loots, JLAP51(2):125–156

(Also available at Bb under Course Documents.1)

1Or: https://staff.science.uva.nl/a.ponse/CT.htmlAlban Ponse (TCS, UvA) Concurrency Theory - Lecture 1 2017 - 2018 6 / 27

Program algebra, or PGA for short

PGA is an algebraic approach to sequential-imperative and objectbased programming.

Main question: What is a program?

Rough answer: a sequence of instructions.

We start with a collection ⌃ of basic instructions a, b, c, ...In a later stage we will consider more specific basic instructions, suchas [x := 3x + 1]. For now we only say

the execution of a basic instruction a invokes a behavior:the action a followed by some subsequent behavior.

(In these slides, colors are used to distinguish basic instructions andactions.)


PGA’s syntax

PGA has five types of (primitive) instructions:

1 for each a 2 ⌃ the basic instruction a2 the termination instruction !

3 for each a 2 ⌃ the positive test instruction +a4 for each a 2 ⌃ the negative test instruction �a5 for each k 2 N the jump instruction #k

PGA-programs are these:

each primitive instruction is a PGA-programif X and Y are PGA-programs, so is their concatenation X ; Yif X is a PGA-program, so is its repetition X!


Almost no first intuitions

A PGA-program represents a program object, i.e., a sequence ofprimitive instructions.

primitive instructions will also be called PGA-instructions, orshortly instructions if the context is cleara program object can be infinite: in this case repetition occurs ineach representing PGA-programprogram objects are executed single-pass: each instruction isdropped after execution

We postpone to explain the meaning (execution) of PGA’s primitiveinstructions and first concentrate on syntax.


First identification:X ; (Y ; Z ) = (X ; Y ); Z

and henceforth we usually omit brackets in repeated concatenations.

Some examples of PGA-programs:

a; ! (two instructions)

+a;�b; c (three instr’s)

#2; !; #1; +a; ! (five instr’s)

#2; (b; #1; a)!; ! (infinitely many instr’s)


Axioms for instruction sequence congruence

(X ; Y ); Z = X ; (Y ; Z ) (PGA1)

(X n)! = X! (PGA2, n > 0)

X!; Y = X! (PGA3)

(X ; Y )! = X ; (Y ; X )! (PGA4)

with X 1 = X en X n+1 = X ; X n, so there are infinitely many axioms(schematized by PGA2).

PGA1 expresses that brackets are not needed in concatenations (butmay occur, to enhance readability). PGA2–4 axiomatize repetition.

Unfolding: X! = X ; X!


With the axioms for instruction sequence congruence, which were

(X ; Y ); Z = X ; (Y ; Z ) (PGA1)

(X n)! = X! (PGA2, n > 0)

X!; Y = X! (PGA3)

(X ; Y )! = X ; (Y ; X )! (PGA4)

we can give a proof of X! = X ; X!, i.e., of unfolding:

Proof:X! = (X ; X )! (PGA2, n = 2)

= X ; (X ; X )! (PGA4)

= X ; X! (PGA2)

(Often we don’t mention axioms in proofs.) ⇤


Instruction sequence congruence

PGA-programs are “the same" if they represent the same programobject (sequence of instructions). This can always be proved with theaxioms PGA1–4, and is called instruction sequence congruence.

Explicit notation: X =isc Y .

Instruction sequence congruence is a congruence indeed (i.e., =isc ispreserved under the operations of PGA): if X =isc Y , then also

X ; Z =isc Y ; ZZ ; X =isc Z ; YX! =isc Y!

We usually write X = Y instead of X =isc Y .


First canonical forms

With the axioms PGA1–4 each PGA-program can be rewritten(preserving instruction sequence congruence) to a form

Y , where Y contains no repetition, or

Y ; Z!, where Y and Z do not contain repetition.

Here Y and Y ; Z! are called first canonical forms.

First canonical forms are not unique, e.g.

#4; (+a; b)! = #4; +a; (b; +a; b; +a)!

but minimal ones are (minimal in length of the expression).


FYI

Conversely, with unfolding (X! = X ; X!), PGA1 and the !-rule

X = Y ; X ) X = Y!

one can derive PGA2-PGA4.

Proof:

PGA2, e.g. for n = 2: X! = X ; X!

= X ; (X ; X!)= (X ; X ); X!

) X! = (X ; X )!

PGA3: X!; Y = (X ; X!); Y= X ; (X!; Y )) X!; Y = X!

PGA4: exercise. ⇤


Thread Algebra (TA), behaviors with polarized actions

In thread algebra there are two constants for (non-active) threads:

S represents termination (the terminated thread)D represents for inaction or deadlock

Execution of a basic instruction a yields the action a, followed by areply true or false. The operators on threads are these:

_ E a D _ (for each a 2 ⌃). The postconditional compositionP E a D Q represents action a followed by thread P iftrue was replied, and a followed by Q otherwise,

a � _ (for each a 2 ⌃). The action prefix a � P is a shortnotation for P E a D P (the reply to a plays no role).


Notation

Action prefix binds stronger than postconditional composition, thus

b � S E a D D = (b � S) E a D D

and this thread starts with an a-action, while

b � (S E a D D)

is a different thread (it starts with a b-action).

Note that actions and PGA’s basic instructions come from the sameset ⌃. It is determined by the context what is meant... (and what coloris used).

In the following slides we will visualize threads and discuss theirrelation with PGA-programs.


Visualizing finite threads

We visualize threads as follows:

b � (S E c D D) E a D D : h a i��

[ b ]✏✏

D

h c i��

S D

an action between angular brackets represents postconditionalcomposition:

the arrow descending to the left represents the true-casethe arrow descending to the right represents the false-case

an action between square brackets represents action prefixthe initial state is explicitly mentioned


A first intuition

Given the thread

b � (S E c D D) E a D D : h a i��

[ b ]✏✏

D

h c i��

S D

the actions a and c represent the execution of test instructions:upon true and false, the subsequent behavior is differentthe action b represents the execution of a basic instruction b, thereply true or false is not used

The action a will be associated with the execution of a test instruction+a or �a (and similar for c)...


Thread extraction (or behavior extraction)

The operator |...| extracts threads from PGA-programs and is definedthus (u a PGA-instruction):

|a| = a � D |+a| = a � D

|�a| = a � D

|!| = S

|#k | = D

|!; X | = S

|a; X | = a � |X ||+a; X | = |X | E a D |#2; X ||�a; X | = |#2; X | E a D |X |

|#0; X | = D

|#1; X | = |X ||#k+2; u| = D

|#k+2; u; X | = |#k+1; X |

These 13 equations plus the default rule (slide 23) define the executionof all program objects (also of those not expressible as PGA-programs;future lecture on state machines / services).


Examples of thread extraction

|�a; #0; b; +c; !| = |#2; #0; b; +c; !| E a D |#0; b; +c; !|= |b; +c; !| E a D D= b � |+c; !| E a D D= b � (|!| E c D |#2; !|) E a D D= b � (S E c D D) E a D D

Thus, |�a; #0; b; +c; !| specifies the thread

b � (S E c D D) E a D D : h a i��

[ b ]✏✏

D

h c i��

S D

The same thread is also specified by |+a; #2; #0; +b; #1; +c; !|(and by many more PGA-programs).


Equations for infinite program objects

With unfolding we find |(a; +b)!| = |a; +b; (a; +b)!|, and hence

|(a; +b)!| = a � |+b; (a; +b)!|,

|+b; (a; +b)!| = |(a; +b)!| E b D |+b; (a; +b)!|.Shorter and easier to read: P = |(a; +b)!| with

P = a � Q,

Q = P E b D Q.

(Also the identifier Q is arbitrarily chosen.) In this case, P in the above(system of) two equations defines/specifies the thread |(a; +b)!|. In apicture:

P : [ a ]✏✏

h b i

//

��


Thread extraction continued

Default rule. If the 13 equations for thread extraction do not generateany behavior, as in

|(#2)!| = |#2; #2; (#2)!| = |#1; (#2)!| = |(#2)!|,

we assign D.

Property: |X | = |X ; (#k)!| (convince yourself).

Definition: two programs X and Y are behavioral equivalent if|X | = |Y |. Notation: X ⌘be Y .

Fact: behavioral equivalence is not a congruence.

E.g., #0 ⌘be #1 (because D = D)#0; ! 6⌘be #1; ! (because D 6= S).


Some expressiveness issues

In PGA, basic and negative test instructions are redundant.

Idea: First, |X | = |X ; (#0)!| = |X ; #0; ...; #0; (#0)!|.

Secondly, |a; u; Y | = |+a; #1; u; Y |,

|�a; u; Y | = |+a; #2; u; Y |.

Example: |�a; !| = |+a; #2; !; (#0)!| (= |+a; #2; !; #0|).

Even stronger: iterative canonical forms (u1; ...; uk )! with ui a positivetest, a jump or a termination instruction are sufficient to express eachPGA-behavior.

(Lecture 2: each PGA-behavior can be programmed by an iterativecanonical form.)


Expressiveness results continued

In PGA, small jumps are redundant.

Proof: Use iterative canonical forms (u1; ...; uk )! and increment alljump counters with k . ⇤

Example:

|(+a; +b; #2)!| = |(+a; +b; #5)!|= ...

= |(+a; +b; #3002)!|


FYI - In PGA, large jumps are necessary (⌃ 6= ;)

Proof (sketch): Given some n > 2, we define a thread that can NOT beprogrammed without jumps larger than n: for j = 1, ..., n + 1 let

Y j = aj ; +a; !; #mj

with all mj such that Yj repeats itself in the repetition part of

X = +a; #[to Y 1]; ...; +a; #[to Y n+1]; !; (Y 1; ...; Y n+1)! (L1-picture.pdf).

Assume the behavior of X can be defined with jumps of at most n, thenalso by a first canonical form

u1; ...; um; (v1; ...; vk )!

Between each adjacent pair of Y 1-instructions in (v1, ..., vk )! there areat most n � 1 other instructions, but these represent the n differentthreads defined by the repetition of Y2, ..., Yn+1: contradiction. ⇤


End of Lecture 1

In this lecture we introduced many concepts

PGA, a quick introductionTA, threads (or behaviors), and behavior extractionSome simple expressiveness results

Take your time for practice and study. E.g., draw from slide 20 theconclusion that the meaning of a positive test instruction +a in aPGA-program is to execute the action a, and if the reply is

true, then to execute the next instruction if present and otherwisedeadlockfalse, then to skip the next instruction and execute theinstruction thereafter if present, and otherwise deadlock

END OF LECTURE 1


Concurrency Theory

Lecture 2

Alban Ponse


University of Amsterdamhttps://staff.science.uva.nl/a.ponse/

2017 - 2018


Contents:PGLDg and PGLE, and thread extractionRegular threadsAn expressiveness theoremPGLEc: PGLE with conditional constructionsMolecular DynamicsThe PGA toolset

Literature:Handout 1Bergstra and Loots, JLAP51(2):125–156J.A. Bergstra and I. Bethke, JLAP 51(2):193–214, 2002(you may skip Sections 4, 8, and 9)

(literature available at Bb under Course Documents)Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 2 2017 - 2018 2 / 27

PGLDg, a language with labels and go-to’s

The primitive instructions of PGLDg are

basic instructions from ⌃ (in Handout 1 called A)

positive and negative test instructions based on ⌃

termination instruction !

label instructions £k with k 2 N, executes like skip (in ASCII: Lk)

the go-to instruction ##£k (k 2 N), execution jumps to leftmost£k if present, else termination

In PGLDg,

the only composition mechanism is concatenation (notation ;)

termination occurs also by default, i.e., upon a go-to to anon-existent label or after the last instruction is executed


Two examples

Example 1: £5; +a; ##£5; b with the behavior P as defined by

P = P E a D b � S

This program is also in PGLE, a sublanguage of PGLDg: each testmust be followed by a termination or a go-to instruction. (Motivation forPGLE follows later.)

Example 2: £5; +a; +c; ##£5; b having behavior Q defined by

Q = (Q E c D b � S) E a D Q

This program is not in PGLE.


Behavior extraction on PGLDg: |X |pgldg

|X |pgldg = |1, X |, and for all n 2 N and a PGLDg-program u1; ...; uk ,

|n, u1; ...; uk | =

8>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>:

S if n = 0, or n > k , or un = !,

a � |n+1, u1; ...; uk | if un = a,

|n+1, u1; ...; uk | E a D |n+2, u1; ...; uk | if un = +a,

|n+2, u1; ...; uk | E a D |n+1, u1; ...; uk | if un = �a,

|n+1, u1; ...; uk | if un = £l ,

|m, u1; ...; uk | if un = ##£p and um is the leftmostlabel £p, or m = 0 if there is no £p.

If |n, u1; ...; uk | does not generate any behavior using these 6equations, it is defined to be D.


Two PGLDg examples on behavior extraction

Example 1 (as before): X = £5; +a; ##£5; b implies

|X |pgldg = |1, X |= |2, X |= |3, X | E a D |4, X |= |1, X | E a D b � |5, X |= |X |pgldg E a D b � S

An example involving D:

|£8; ##£8|pgldg = |1, £8; ##£8|= |2, £8; ##£8|= |1, £8; ##£8|

) |£8; ##£8|pgldg = D

The behavior extraction |X |pgldg is not discussed inJLAP51(2):125–156, but is used in a future lecture on TA and statemachines.


Regular threads

A thread P is regular over ⌃ if for some n > 0, P = P1 and P1 isdefined by n equations

Pi = ti

where ti = Pj E ai D Pk , or ti = S, or ti = D (i , j , k n, ai 2 ⌃).

An example: P1 = P3 E a D P1,

P2 = S,

P3 = P3 E b D P4,

P4 = D.

(If ti = Pj E ai D Pj , you may write Pi = ai � Pj )


Another example

Computation of P1 = |(a; +b; #2; #3; c; #4; +d ; !)!| yields thefollowing regular thread:

P1 = a � P2, P2 = P3 E b D P4, P3 = c � P2,

P4 = (P5 E d D P1), P5 = S

This thread can be depicted as follows:

P1 : [ a ]✏✏

h b i��

[ c ]

//

h d i��

oo

S


An expressiveness result

Theorem: PGA-programs characterize regular behaviors.

Proof: First canonical forms define regular behaviors (immediate frombehavior extraction on PGA), so each PGA-progam defines a regularbehavior.

For the converse, given a regular thread P1 defined by

Pi = ti for i = 1, ..., n

consider the following translation [...] of P1, ..., Pn to PGLDg:

Pi = Pk E ai D Pl[Pi ]��! £i ; +ai ; ##£k ; ##£l

Pi = S [Pi ]��! £i ; !

Pi = D [Pi ]��! £i ; ##£i

Let P = [P1]; ...; [Pn], then |P|pgldg = P1.

Later we will prove: Projection to PGA of P yields a behaviorally equivalentPGA-program. ⇤


PGLEc, PGLE with conditionals

We extend PGLE with four new kinds of instructions:

positive conditional instruction: +a{ (for all a 2 ⌃)negative conditional instruction: �a{ (for all a 2 ⌃)then/else separator: }{end brace: }

In +a{; b; }{; c; }, the boolean value of the test instruction +adetermines whether b is executed (case true), or c (case false).

(Cf. if a then b else c fi.)

Recall: PGLEc is a PGLE-extension: each (pos/neg) test instructionmust be followed by either a go-to or a termination instruction.


Projection from PGLEc to PGLE

PGLEca: a variant of PGLEc in which separators and closinginstructions are annotated with a natural number: 0 if they do notmatch any other instruction, and otherwise with the matching position.

Example: pglec2pgleca(+a{; c; }{; b; }) = +a{; c; }1{; b; }3

Projection semantics for PGLEca with auxiliary functions i :

pgleca2pgle(u1; ...; uk ) = 1(u1); ...; k (uk ) with

i(##£n) = ##£n + k + 1, i(�a{) = +a; ##£i , i(£n) = £n + k + 1, i(}n{) = ##£i ; £n,

i(+a{) = �a; ##£i , i(}n) = £n,

i(u) = u otherwise.

Example:pgleca2pgle(+a{; c; }1{; b; }3) = �a; ##£1; c; ##£3; £1; b; £3


Thread extraction on PGLEc: |X |pglec

Definitions: for X 2 PGLEc (pp. 145–146 in JLAP51(2):125–156 - Studythis!):

1 pglec2pgle(X ) = pgleca2pgle(pglec2pgleca(X ))

2 |X |pglec = |pglec2pgle(X )|pgldg

Note that a non-sense program as }{; £17; };�a{; b, say X , is in PGLEc anddefines a unique behavior:

|X |pglec= |pgleca2pgle(}0{; £17; }1;�a{; b)|pgldg

= |##£1; £0; ##£23; £1; +a; ##£4; b|pgldg = S E a D b � S

PGLE is motivated by PGLEc: behavior extraction of

+a{; +b; }{; +c; }

need not be considered...Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 2 2017 - 2018 12 / 27

Molecular Dynamics

Ideas here: chemical reactions, that isstate of a system: “fluid” of molecules (see rectangle)molecule: atoms (•) connected by directed links (“fields”) a, b, ...(re)actions: add/withdraw atoms, modify contents of fieldsobservations: bring selected atoms into “focus” x , y , ...

x •

a

✏✏

b// •

b

✏✏

a//

c

⇢⇢ •

e

⇢⇢a

zz

d

YY y

��

z��•

c''

a

YY •bgg

•

c

YY •

b

YY c// •

a

⌅⌅

f

EE e// •

u__


Molecular programming primitives (MPP)

MPP contains three kinds of instructions:

mutations: change a molecule by adding new atoms or fields andby modifying fields; return a boolean value depending on theappropriateness of the actionassignments: modify selected atoms; return a boolean valuedepending on the appropriateness of the actiontests: return a boolean value


MPP’s instructions

Mutations

Atom creation: x=new (returns true)Field introduction (reflexive): x.+f (true if x exists, without f)Field withdrawal: x.-f (ditto, with f)Field mutation: x.f=y (true if x.f exists)

Assignments

Field selection: x=y.f (true if y.f exists)Assignment: x=y (true)

Tests

Atom identity test: x==y (true if x, y exist, at same atom)Field membership test: x/f (true if x exists and has field f)


Example 1

A step by step illustration of the fluid evolution programmed byx=new; y=new; x.+a; y.+b; x.a=y; y.b=x


Program algebra: PGLEc.mpp

Here using ASCII for program syntax (thus L0 instead of £0, etc.):

1 basic instructions: MPP2 positive/negative test instructions +a,�a (for all a 2 MPP)3 termination instruction !

4 label instruction Lk (k 2 N)5 goto instruction ##Lk (k 2 N)6 conditional instruction: +a{ and �a{ (for all a 2 MPP)7 then/else separator: }{8 end brace: }

Recall: concatenation is the only structuring mechanism: X ; Y


Example 2

Consider the PGLEc.mpp program

x=new; L0; y=new; y.+a; y.a=x; x=y; ##L0

The resulting fluid evolves perpetually.

A fluid evolution stopped at L0 upon the fifth iteration:


Example 3

We define the following PGLEc.mpp programs:

setZerodef= Z=new; y=Z

Sdef= -x/s{; x.+s; y=new; y.+p; y.p=x; x.s=y;

}{; y=x.s; }

Convention: x is the input focus and y is the output (or result) focus.

With this convention, these programs can be used to construct anyinitial part of the Naturals as an object:

setZero constructs 0 focused by Z and y

S yields the successor (s-field) of x focused by y:if x has an s-field, then y focuses the resulting atomotherwise, a new atom is created and connected to x by an s-fieldand a p-field (“predecessor")


Question

Find a PGLEc.mpp program that builds the fluid below using



}{; y=x.s; }


Answer

The program setZero; x=y; S; x=y; S does the job if (ofcourse) setZero and S are replaced by their defining code:

Note the use of the input focus x and output focus y, and recall:



}{; y=x.s; }


Example 3 and mod2

The function mod2 is defined by x mod2 = 0 if x is even and 1otherwise, and can in PGLEc.mpp be programmed by

mod2def= y=x; L0; +y==Z; !; y=y.p;

-y==Z{; y=y.p; ##L0; }{; y=y.s; }

Adding reflexive odd and/or even fields admits a faster program:

setZerodef= Z=new; Z.+even; y=Z


+x/even{; y.+odd;

}{; y.+even; };

}{; y=x.s; }

mod2def= +x/even{; y=Z; }{; y=Z.s; }

Cf. Natural numbers 1 and 2 in JLAP51(2):193–214, page 201.Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 2 2017 - 2018 22 / 27

Preparation for your Lab Assignment

Define y = x1 + x2 on Naturals (without even/odd fields)

Algorithm: x1 + x2 =

(x2 if x1 = 0,

(x1�1) + (x2+1) otherwise

Program in PGLEc.mpp: (convention: x1 and x2 are the input foci)

Adddef= L0; +x1/p{; x1=x1.p;

+x2/s{; x2=x2.s;}{; x2.+s; y=new; y.+p;y.p=x2; x2.s=y; x2=x2.s; };

##L0;}{; y=x2; }


Preparation: adding 1 + 2 with Add

Adddef= L0; +x1/p{; x1=x1.p;

+x2/s{; x2=x2.s;}{; x2.+s; y=new; y.+p;y.p=x2; x2.s=y; x2=x2.s; };

##L0;}{; y=x2; }

Add��!Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 2 2017 - 2018 24 / 27

Molecular programming primitives with values (MPPV)

fixed number of basic types: e.g. boolean, int,...values are denoted by literals: e.g. true, false, 0, 1,...values are terminal objects labeled with literals

New instructions:

1 value field introduction (with initialization): x.+f:t2 value field mutation (no sharing but replacement): x.f=y3 constant value assignment: x=u4 constant value identity test: x==u


Example

x=new; z=new; y=17; x.+e:int; x.+a; x.a=z;z.+g:bool; z.+f:int; z.f=y

0

x // •e

int

66

a

((

17y

oo

z // • g

bool//

f

intvv

false

17


The PGA Toolset

Installed in the lab rooms:https://staff.science.uva.nl/b.diertens/pga/

genparser -P PGLEc -B MPP program

gensim -g -v -P PGLDg -B MPPV -l program

Supported languages: ... PGLDg, PGLE, PGLEc, ...

Supported basic instruction sets: ... MPP, MPPV, ...

Web interface:http://tcs.science.uva.nl/WebToolset/

END OF LECTURE 2


Concurrency Theory

Lecture 3

Alban Ponse


University of Amsterdamhttps://staff.science.uva.nl/a.ponse/

2017 - 2018


Contents

Basic Process Algebra (BPA)

Literature

Wan Fokkink, Introduction to Process Algebra, Springer-Verlag,2000: Chapter 2 (pdf offered at Blackboard and mirror site)Slide material is also from the author (but slightly adapted)


Motivation1

Virtually all designed systems contain computers and areconnected via data networksThis leads to many communications between the differentcomponents involved ...... and to huge state spaces, e.g. 10(1010), exceeding by farastronomical numbers: computer engineering numbersAbstract approach is necessary for understanding and analysis(e.g., even in the case of the on/off switch of a laptop)

1Groote and Mousavi, Modelling and Analysis of Communicating Systems, August2014 (http://www.amazon.com/Modeling-Analysis-Communicating-Systems-Groote/dp/0262027712).Quote (foreword from the manuscript of this book: Many distributed algorithmspublished in the literature turn out to be wrong, or if correct their proofs contain flaws.For most of the known standard communication protocols so many serious flaws havebeen revealed, that it is very likely to assume that the newest accepted internationalstandards contain literally hundreds of serious - yet to be uncovered - bugs.


Examples of concurrent systems

A pocket calculator:

7 8 9

C

0

4 5 6

3 2 1

5765

A colony of ants:


The alternating bit protocol (ABP):

Data elements are sent from Sender to Receiver via faulty channel B.Sender alternatingly attaches bit 0 or bit 1 to data elements.

If Receiver receives a datum, it sends the attached bit to Sender viafaulty channel D, to acknowledge reception. If Receiver receives acorrupted message, then it resends the preceding acknowledgement.

Sender keeps sending a datum with attached bit b until it receivesacknowledgement b. Then it starts sending the next datum withattached bit 1 � b until it receives acknowledgement 1 � b, et cetera.


Process graphs

Assume a set S of states, together with a finite set A of (atomic)actions.

A transitions a! s0

expresses that state s can evolve into state s0 by execution ofaction aA transition

s a! p

expresses that state s can terminate successfully by execution ofaction a

A process (graph) is a set of transitions, with a special root state.


Example of a process graph

Part of the process graph of the pocket calculator:

83 �1 28

= = =0 + 83..

=

0 � 1..

–

7 ⇤ 4..

7 ⇤ ..0 � ..

0 + ..

C

��

@@

@@

��

@@

87..

*

4

0 + 8..

3 1

+ 70


Example – continued

Behaviour of the plus button:

+m + ..

–

C

=

m � .. m ⇤ .. m*

0n + d1...dk ..

dk

...

d1

n + ..

+

n

lll�

�


Basic process terms

Basic process terms are built from atomic actions, alternativecomposition and sequential composition:

an atomic action a represents indivisible behaviour. It executesitself and then terminates successfully:

a a! p

Alternative composition: the process term

t1 + t2

executes the behaviour of either t1 or t2Sequential composition: the process term

t1 · t2

first executes t1, and upon successful termination proceeds toexecute t2


A more abstract example

The basic process term ((a + b) · c) · d represents the process graph:

pd

d

c

c · d

((a + b) · c) · d

a b


Transition rules of Basic Process Algebra (BPA)

These are BPA’s 7 transition rules, whereH

tis notation for "if H then t" with H a set of premises and t the

conclusion (empty premise set is left out)v is an atomic action (v 2 A)

v v! px v! p

x + y v! px v! x 0

x + y v! x 0

y v! p

x + y v! py v! y 0

x + y v! y 0

x v! p

x · y v! y

x v! x 0

x · y v! x 0 · y


Example

((a + b) · c) · d b! c · d

Proof:b b! p

v v! p————–

a + b b! p y v! p

x + y v! p——————

(a + b) · c b! cx v! p

x · y v! y————————–

((a + b) · c) · d b! c · dx v! x 0

x · y v! x 0 · yThe transition rules at the right are instantiated in the correspondingproof steps. ⇤


Process equivalence based on traces: not satisfactory

Trace equivalence is not satisfactory for our purposes. For example,

p pp p

read(d) read(d)

write2(d)

read(d)

write1(d) write2(d)write1(d)

The first process reads datum d , and then decides whether it writes don disc 1 or on disc 2. The second process makes a choice for disc 1or disc 2 before it reads datum d .Both processes display read(d), write1(d) and read(d), write2(d), sothey are trace equivalent.A crucial distinction between the two processes becomes apparent ifdisc 1 crashes. Then the first process always saves datum d on disc 2,while the second process may get stuck.


Bisimulation equivalence

A bisimulation relation is a binary relation B on processes such that:1 if p B q and p a! p0, then q a! q0 with p0 B q0

2 if p B q and q a! q0, then p a! p0 with p0 B q0

3 if p B q and p a! p, then q a! p

4 if p B q and q a! p, then p a! p

Two processes p and q are bisimilar, denoted

p $ q

if there is a bisimulation relation B such that p B q.

Convention: the operator · binds strongest and the symbol · is often leftout, thus

ab + c = (a · b) + c


Example of bisimulation equivalence

(a + a)b $ ab + a(b + b)

b b

aa

b pp

ab + a(b + b)(a + a)b

a

b

a

b

b + bbQQQQQQ

⌘⌘⌘⌘⌘⌘

A witnessing bisimulation relation B (as in the picture) is defined by

(a + a)b B ab + a(b + b), b B b, b B b + b

(Another common notation: B = {((a + a)b, ab + a(b + b)), (b, b), (b, b + b)}.)Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 3 2017 - 2018 15 / 22

Congruence

Bisimulation equivalence is a congruence over BPA.

That is, if s $ s0 and t $ t 0 , then s + t $ s0 + t 0 and s · t $ s0 · t 0. Thiscongruence property follows from the fact that each transition rule ⇢ forBPA is in panth format 2 :

for each premise t a! t 0 of ⇢, the right-hand side t 0 is a singlevariablethe source of ⇢ (i.e., t if t a! t 0 is the conclusion of ⇢) contains nomore than one function symbolthere are no multiple occurrences of the same variable in theright-hand sides of premises and in the source of ⇢

2Predicates And Negative Tyft/tyxt Hybrid formatAlban Ponse (TCS, UvA) Concurrency Theory - Lecture 3 2017 - 2018 16 / 22

Axioms for BPA modulo bisimulation

A1 x + y = y + x

A2 (x + y) + z = x + (y + z)

A3 x + x = x

A4 (x + y) · z = x · z + y · z

A5 (x · y) · z = x · (y · z)


Equality relation and soundness

The axioms induce an equality relation = on basic process terms:

(Substitution)If s = t is an axiom and � maps all variables in s and t to basicprocess terms, then �(s) = �(t)(Equivalence)

- t = t for all basic process terms t- if s = t , then t = s- if s = t and t = u, then s = u

(Context or congruence)If s = s0 and t = t 0, then s + t = s0 + t 0 and s · t = s0 · t 0

The axioms for BPA are sound modulo bisimulation equivalence:

s = t ) s $ t


Since bisimulation equivalence is a congruence over BPA, soundnessof the axioms can be verified by checking that

�(s) $ �(t)

for each axiom s = t and for all mappings � from variables in s and t tobasic process terms:

A1: both s + t and t + s represent a choice between s and tA2: both (s + t) + u and s + (t + u) represent a choice between s,t and uA3 (i.e., x + x = x): a choice between t and t amounts to a choicefor tA4: both (s + t) · u and s · u + t · u represent a choice between sand t , followed by uA5: both (s · t) · u and s · (t · u) represent s followed by t followedby u


Completeness

The axioms for BPA are complete modulo bisimulation equivalence:

s $ t ) s = t

Completeness can be verified by considering basic process termsmodulo AC of the + : we write

s =AC t

if s and t can be equated by axioms A1 and A2.

(AC: A = “associativity”, C = “commutativity”)


Term rewriting

The axioms for BPA are turned into a term rewriting system, moduloAC of the +:

x + y =AC y + x(x + y) + z =AC x + (y + z)

x + x ! x(x + y) · z ! x · z + y · z(x · y) · z ! x · (y · z)

Each basic process term is reduced to a normal form, which does notreduce any further. (See Fokkink, p. 14-15.)

If s $ t , and s and t have normal forms s0 and t 0, respectively, then bysoundness, s0 $ t 0.

By analysis of the possible transitions of s0 and t 0 it follows thats0 =AC t 0 (cf. Fokkink, p. 14-15). Hence, we can derive in BPA:

s = s0 =AC t 0 = t


Example with term rewriting

(a + a)(cd) + (bc)(d + d) = ((b + a)(c + c))d :

(a + a)(cd) + (bc)(d + d)

A3! a(cd) + (bc)(d + d)

A3! a(cd) + (bc)d

A5! a(cd) + b(cd)

((b + a)(c + c))d

A3! ((b + a)c)d

A5! (b + a)(cd)

A4! b(cd) + a(cd)

The two resulting normal forms are equivalent modulo AC of the +, sothe two original basic process terms are provably equal.

END OF LECTURE 3


Concurrency Theory

Lecture 4

Alban Ponse



2017 - 2018


Contents

Algebra of Communicating Processes (ACP)

Literature

Wan Fokkink, Introduction to Process Algebra, Springer-Verlag,2000: Chapter 3Slide material is also from the author (but slightly adapted)


Communication

A communication function � : A ⇥ A ! A produces for each pair ofatomic actions a and b their communication �(a, b).

The communication function � is commutative and associative:

�(a, b) = �(b, a)

�(�(a, b), c) = �(a, �(b, c))


Merge operator

The merge k executes the two process terms in its arguments inparallel:

x v! p

x k y v! y

x v! x 0

x k y v! x 0 k y

y v! p

x k y v! x

y v! y 0

x k y v! x k y 0


The merge can also execute a communication between initialtransitions of its arguments:

x v! py w! p

x k y�(v ,w)! p

x v! py w! y 0

x k y�(v ,w)! y 0

x v! x 0 y w! p

x k y�(v ,w)! x 0

x v! x 0 y w! y 0

x k y�(v ,w)! x 0 k y 0


Example

Let �(a, a) = �(a, b) = �(b, b) = c. The process graph of (ab) k (ba):

a b

cb

p p

a bp

a

a

a b

cb b

ap

p

babka a b

a

(ab)ka

c

a bpp

bap

bb

b

a

c aa

bp

p

ab bka

bk(ba)@@@

��

� CC⇤⇤

CC⇤⇤ CC⇤⇤

��⇠⇠

��

� CC⇤⇤

CC⇤⇤

CC⇤⇤CC⇤⇤

��

�

@@@CC⇤⇤

CC⇤⇤CC⇤⇤

��

�

@@@CC⇤⇤

⇣⇣⇣⇣⇣⇣⇣⇣ CC⇤⇤

PPPPPPPP

CC⇤⇤ba

b ac

c ba

b

pp

ap

bka

(ab)k(ba)

CC⇤⇤CC⇤⇤

HHHHHHXX

@@@CC⇤⇤

CC⇤⇤

CC⇤⇤


Example - improved

Let �(a, a) = �(a, b) = �(b, b) = c.

The process graph of (ab) k (ba) (add the transition labels in asystematic way):

(ab) k (ba)

b k aba ab

p

a b

b k (ba) (ab) k a

��⇡HHHj

?��⇡

HHHj

?

��⇡HHHj

?HHHj

��⇡HHHj

��⇡

?HHHj

��⇡


Left merge and communication merge

Two auxiliary operators are needed to axiomatise the merge.

The left merge k executes an initial transition of its left argument:

x v! p

x k y v! y

x v! x 0

x k y v! x 0 k y

The communication merge | executes a communication between initialtransitions of its arguments:

x v! py w! p

x | y�(v ,w)! p

x v! py w! y 0

x | y�(v ,w)! y 0

x v! x 0 y w! p

x | y�(v ,w)! x 0

x v! x 0 y w! y 0

x | y�(v ,w)! x 0ky 0


Conservative extension

PAP (Process Algebra with Parallelism) is BPA extended with k, kand |.

PAP is a conservative extension of BPA, i.e., the process graphs ofbasic process terms remain the same.

This follows from the following two facts:

the variables in each transition rule of BPA are source-dependentthe sources of the transition rules for merge, left merge andcommunication merge contain an occurrence of k, k or |

The source-dependent variables in a transition rule ⇢ are defined by:

all variables in the source of ⇢ are source-dependentif t a! t 0 is a premise of ⇢ and all variables in t aresource-dependent, then all variables in t 0 are source-dependent


Example

Recall:

all variables in the source of ⇢ are source-dependent

if t a! t 0 is a premise of ⇢ and all variables in t aresource-dependent, then all variables in t 0 are source-dependent

The transition rulex v! x 0

x · y v! x 0 · yis source-dependent.

Namely,

the variables x and y in the source are source-dependent

since x is source-dependent and there is a premise x v! x 0, itfollows that the variable x 0 is source-dependent


Congruence

Bisimulation equivalence is a congruence over PAP. That is, if s $ s0

and t $ t 0, then

s + t $ s0 + t 0

s · t $ s0 · t 0

s k t $ s0 k t 0

s k t $ s0 k t 0

s | t $ s0 | t 0

This congruence property follows from the fact that each transition rule⇢ for PAP is in panth format:

for each premise t a! t 0 of ⇢, the right-hand side t 0 is a singlevariablethe source of ⇢ contains no more than one function symbolthere are no multiple occurrences of the same variable in theright-hand sides of premises and in the source of ⇢


Axioms for PAP

M1 x k y = (x k y + y k x) + x | y

LM2 v k y = v · yLM3 (v · x) k y = v · (x k y)

LM4 (x + y) k z = x k z + y k z

CM5 v | w = �(v , w)

CM6 v | (w · y) = �(v , w) · yCM7 (v · x) | w = �(v , w) · xCM8 (v · x) | (w · y) = �(v , w) · (x k y)

CM9 (x + y) | z = x | z + y | zCM10 x | (y + z) = x | y + x | z


Soundness of PAP

The axioms for PAP are sound modulo bisimulation equivalence:

s = t ) s $ t

Since bisimulation equivalence is a congruence over PAP, soundnessof the axioms can be verified by checking that

�(s) $ �(t)

for each axiom s = t and for all mappings � from variables in s and t toprocess terms.


Completeness of PAP

The axioms for PAP are complete modulo bisimulation equivalence:

s $ t ) s = t

This follows by turning the axioms for PAP into a term rewriting system,modulo AC of the +.

Each process term over PAP is reduced to a normal form.

If s $ t , and s and t have normal forms s0 and t 0, respectively, then

s0 =AC t 0

Hence, s = s0 =AC t 0 = t .


Deadlock and encapsulation

The deadlock � does not display any behaviour. There is no transitionrule for this constant.

The domain of the communication function � is extended with �:

� : A ⇥ A ! A [ {�}

If a and b do not communicate, then �(a, b) ⌘ �.

The encapsulation operator @H , with H ✓ A, renames all actions fromH in its argument into �:

x v! p(v 62 H)

@H(x)v! p

x v! x 0 (v 62 H)

@H(x)v! @H(x 0)

Encapsulation operators enable to enforce actions into communication.For example, if �(a, b) 6= �, then @{a,b}(a k b) can only execute �(a, b).


Conservative extension

ACP is a conservative extension of PAP, i.e., the process graphs ofprocess terms over PAP remain the same.


the variables in each transition rule of PAP are source-dependentthe sources of the transition rules for encapsulation operatorscontain @H

Convention: all operators of ACP and PAP that are not in BPA bindstronger than + and weaker than ·, e.g.,

ab k c + d = ((ab) k c) + d


Congruence

Bisimulation is a congruence over ACP.

That is, if s $ s0 and t $ t 0, then

s + t $ s0 + t 0

s · t $ s0 · t 0

s k t $ s0 k t 0

s k t $ s0 k t 0

s | t $ s0 | t 0

@H(s) $ @H(s0)

This congruence property holds because each transition rule for ACPis in panth format.


Axioms for deadlock and encapsulation

A6 x + � = xA7 � · x = �

D1 @H(v) = v (v 62 H)

D2 @H(v) = � (v 2 H)

D3 @H(�) = �

D4 @H(x + y) = @H(x) + @H(y)

D5 @H(x · y) = @H(x) · @H(y)

LM11 � k x = �

CM12 � | x = �

CM13 x | � = �


Soundness of ACP

The axioms for ACP are sound modulo bisimulation equivalence:

s = t ) s $ t

Since bisimulation equivalence is a congruence over ACP, soundnessof the axioms can be verified by checking that

�(s) $ �(t)

for each axiom s = t and for all mappings � from variables in s and t toprocess terms.


Completeness of ACP

The axioms for ACP are complete modulo bisimulation equivalence:

s $ t ) s = t

This follows by turning the axioms for ACP into a term rewritingsystem, modulo AC of the +.

Each process term over ACP is reduced to a normal form.

If s $ t , and s and t have normal forms s0 and t 0, respectively, then

s0 =AC t 0

Hence, s = s0 =AC t 0 = t .


Example with encapsulation and communication

Let �(a, b) ⌘ c and �(a0, b0) ⌘ c0 be the only communications betweenactions.

(a + a0) k (b + b0)M1= (a + a0) k (b + b0) + (b + b0) k (a + a0)

+ (a + a0) | (b + b0)

(LM4, CM9,10) = a k (b + b0) + a0 k (b + b0)

+ b k (a + a0) + b0 k (a + a0)

+ a | b + a | b0 + a0 | b + a0 | b0

(LM2, CM5) = a · (b + b0) + a0 · (b + b0)

+ b · (a + a0) + b0 · (a + a0)

+ c + � + � + c0

(A6) = a · (b + b0) + a0 · (b + b0)

+ b · (a + a0) + b0 · (a + a0)

+ c + c0


Example – continued

Let H denote {a, a0, b, b0}.

@H((a + a0) k (b + b0)) = @H(a · (b + b0) + a0 · (b + b0)

+ b · (a + a0) + b0 · (a + a0) + c + c0)

(D1,2,4,5) = � · @H(b + b0) + � · @H(b + b0)

+ � · @H(a + a0) + � · @H(a + a0)

+ c + c0

(A6,7) = c + c0

Conclusion: @H enforces communication between the actions in H,thus in this example between a and b and between a0 and b0.

END OF LECTURE 4Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 4 2017 - 2018 22 / 22

Concurrency Theory

Lecture 5

Alban Ponse



2017 - 2018


Contents

Recursive specifications in process algebra

Literature



Recursion

From now on we tacitly use associativity of + and · (ax’s A2, A5) andcommutativity of +, and e.g. write a + b + c and abc without brackets.

Consider the process graph

b a

Intuitively, this process (starting at the top state) can be captured bymeans of two recursive equations

X = aY ,

Y = bX

Also, we can use the following single recursive equation:

Z = abZ

X , Y and Z are recursion variables, X and Z both representing the topstate of the above process graph.


Recursive specifications

A recursive specification is a collection equations

X1 = t1(X1, . . . , Xn)...

Xn = tn(X1, . . . , Xn)

where the ti(X1, . . . , Xn) are process terms over ACP with possibleoccurrences of the recursion variables X1, . . . , Xn.

Note:in Fokkink’s book, only finite recursive specifications are used(finite sets of equations)the right-hand sides in a recursive specification need not containrecursion variables, e.g. also

X = a

is called a “recursive specification”Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 5 2017 - 2018 4 / 23

Solution

Processes p1, . . . , pn are a solution for a recursive specification

{Xi = ti(X1, . . . , Xn) | i 2 {1, . . . , n}}

modulo bisimulation equivalence if pi $ ti(p1, . . . , pn) for i 2 {1, . . . , n}.

If p1, . . . , pn and q1, . . . , qn are two solutions for the same recursivespecification, then we want that pi $ qi for i 2 {1, . . . , n}.

A recursive specification that allows more than one solution modulobisimulation equivalence is

X = X

In contrast, the recursive specification

X = aX

has a unique solution modulo bisimulation.Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 5 2017 - 2018 5 / 23

Guardedness

A recursive specification

{Xi = ti(X1, . . . , Xn) | i 2 {1, . . . , n}}

is guarded if the right-hand sides of its recursive equations can beadapted to the form

a1 · s1(X1, . . . , Xn) + · · · + ak · sk (X1, . . . , Xn) + b1 + · · · + b`

using the axioms of ACP and the possibility to replace recursionvariables by the right-hand sides of their recursive equations.

In this sum, k and ` can be both zero, in which case it represents �.

Guarded recursive specifications are exactly the recursivespecifications that have a unique solution modulo bisimulationequivalence.


Example

Let �(a, b) ⌘ c and �(b, b) ⌘ c.

{X=YkZ , Y=Z + a, Z=bZ} is guarded:

Z=bZ is already in the desired formY=Z + a is brought in the desired form by replacing Z by theright-hand side bZ of its recursive equationX=YkZ is brought in the desired form by replacing Y by bZ + aand Z by bZ , and manipulating the resulting term (bZ + a)kbZ bythe axioms:

(bZ + a)kbZ = (bZ + a) k bZ + bZ k (bZ + a) + (bZ + a)|bZ

= bZ k bZ + a k bZ + bZ k (bZ + a)

+ bZ |bZ + a|bZ

= b(ZkbZ ) + abZ + b(Zk(bZ + a)) + c(ZkZ ) + cZ


Transition rules for recursion

Assume a guarded recursive specification E :

{Xi = ti(X1, . . . , Xn) | i 2 {1, . . . , n}}

We introduce constants

hXi |Ei (i 2 {1, . . . , n})

representing a solution for Xi in E . The constant hXi |Ei is often calledthe standard solution for Xi in E .

That is, hXi |Ei inherits the behaviour of ti(hX1|Ei, . . . , hXn|Ei):

ti(hX1|Ei, . . . , hXn|Ei) v! p

hXi |Ei v! pti(hX1|Ei, . . . , hXn|Ei) v! y

hXi |Ei v! y


Example

Let E = {X=aY , Y=bX}. The process graph of hX |Ei and aderivation of its first transition:

a a! pv v! p

———————–

a · hY |Ei a! hY |Ei x v! p

x · y v! y———————–

hX |Ei a! hY |Ei v · hY |Ei v! y

hX |Ei v! y

The transition rules at the right are instantiated in the correspondingproof steps. The b-transition is derived similarly.


Conservative Extension

ACP with guarded recursion is a conservative extension of ACP.


the variables in each transition rule of ACP are source-dependentthe sources of the transition rules for guarded recursion containhXi |Ei

Congruence: Bisimulation equivalence is a congruence over ACP withguarded recursion.

This congruence property holds because each transition rule for ACPwith guarded recursion is in panth format.


Example – bag over {0, 1}We can put elements 0 and 1 into a bag, and subsequently collectthese elements from the bag in arbitrary order.

The bag over {0, 1} is specified by:

X = in(0)(Xkout(0)) + in(1)(Xkout(1))


Axioms for Recursion

Assume E is a guarded recursive specification of the form

E = {Xi = ti(X1, . . . , Xn) | i 2 {1, . . . , n}}

The Recursive Definition Principle (RDP) reads

RDP hXi |Ei = ti(hX1|Ei, . . . , hXn|Ei) for i 2 {1, . . . , n}

i.e., hXi |Ei is a solution for Xi .

The Recursive Specification Principle (RSP) reads

RSP If yi = ti(y1, . . . , yn) for i 2 {1, . . . , n},

then yi = hXi |Ei (i 2 {1, . . . , n})

i.e., any solution yi for Xi is equal to the standard solution hXi |Ei.


Example

Applying RDP twice we find

hZ | Z=aZ i = ahZ | Z=aZ i = aahZ | Z=aZ i

Let E = {X = aaX}, then hZ | Z=aZ i solves the equation for X in E .Hence by RSP,

hZ | Z=aZ i = hX | Ei

Furthermore, hZ | Z=aZ i RDP= ahZ | Z=aZ i

RDP= aahZ | Z=aZ i

RDP= aaahZ | Z=aZ i

So by RSP, hZ | Z=aZ i = hY | Y=aaaY i

Hence, hX | Ei = hZ | Z=aZ i= hY | Y=aaaY i


Soundness

The axioms for ACP with guarded recursion are sound modulobisimulation equivalence:

s = t ) s $ t

Since bisimulation equivalence is a congruence over ACP withguarded recursion, soundness can be verified by checking soundnessof all instantiations of axioms.

RSP is not sound for unguarded recursion. For example, since t = t ,RSP would yield

t = hX | X=X ifor all process terms t , and thus t = t 0 for all process terms t , t 0.


Example

Let �(a, b) ⌘ c. Then hX | X=aX ikhY | Y=bY i

= hX | X=aX i k hY | Y=bY i + hY | Y=bY i k hX | X=aX i+ hX | X=aX i|hY | Y=bY i

= a(hX | X=aX ikhY | Y=bY i) + b(hY | Y=bY ikhX | X=aX i)+ c(hX | X=aX ikhY | Y=bY i)

Hence, for H = {a, b},

@H(hX | X=aX ikhY | Y=bY i) = c · @H(hX | X=aX ikhY | Y=bY i)

So by RSP,

@{a,b}(hX | X=aX ikhY | Y=bY i) = hZ | Z=cZ i


Let E , E 0 be guarded recursive specifications, where E 0 is obtainedfrom E by adapting the right-hand sides of its recursive equations,

using the axioms for ACP with guarded recursion, andreplacing recursion variables by the right- hand sides of theirrecursive equations

Then hX |Ei = hX |E 0i can be derived from the axioms for ACP withguarded recursion for all recursion variables X in E .

Example: hX | X=aX+aX i = hX | X=(aa)X i can be derived by

first applying A3 (i.e., x + x = x)next replacing X by its right-hand side aXand finally applying A5 (i.e., (xy)z = x(yz))


Regular processes

A process p is regular if there are only finitely many processes p0 suchthat p a! · · · b! p0. A recursive specification is linear if its recursiveequations are of the form

X = a1 · X1 + · · · + ak · Xk + b1 + · · · + b`

with X = � if k and ` are both zero.

Each regular process can be described by a linear recursivespecification, in which for each state s there is a recursion variable Xs:

if state s can evolve into state s0 by execution of a, then there is asummand aXs0 in the recursive equation for Xs

if state s can terminate successfully by execution of a, then thereis a summand a in the recursive equation for Xs

Vice versa, a linear recursive specification gives rise to a regularprocess.


Completeness for regular processes

The axioms for ACP with linear recursion are complete modulobisimulation equivalence:

s $ t ) s = t

This follows from two facts:

each process term over ACP with linear recursion is equal to aterm hX |Ei with E a linear recursive specificationif hX |Ei $ hY |E 0i for linear recursive specifications E , E 0, thenhX |Ei = hY |E 0i

Hence, if s $ t , then s = hX |Ei = hY |E 0i = t .

Note. The axioms are not complete for ACP with guarded recursionmodulo bisimulation.


Projection Operators

The projection operator ⇡n for n 2 N executes all transitions of itsargument up to depth n:

x v! p

⇡n+1(x)v! p

x v! x 0

⇡n+1(x)v! ⇡n(x 0)

Conservative Extension: ACP with guarded recursion and projectionoperators is a conservative extension of ACP with guarded recursion.

Congruence: Bisimulation equivalence is a congruence over ACP withguarded recursion and projection operators.

Axioms: PR1 ⇡n(x + y) = ⇡n(x) + ⇡n(y)PR2 ⇡n+1(v) = vPR3 ⇡n+1(v · x) = v · ⇡n(x)PR4 ⇡0(x) = �PR5 ⇡n(�) = �


Approximation Induction Principle

AIP If ⇡n(x) = ⇡n(y) for all n 2 N, then x = y

The axioms for ACP with guarded recursion and projection operatorsare sound modulo bisimulation equivalence:

s = t ) s $ t

Strength of AIP. For each pair of bisimilar process terms s and t inACP with guarded recursion, ⇡n(s) = ⇡n(t) for n 2 N can be derivedfrom the axioms for ACP with guarded recursion and projectionoperators.

Example: the bag over {0, 1}, X = in(0)(Xkout(0)) + in(1)(Xkout(1))satisfies hX | Ei $ hY | Ei with Y = in(0)(out(0)kY ) + in(1)(out(1)kY )


A simple AIP example

Let E be given by

X = aX + bY + cXY = aX + bY + cY

From AIP it follows that hX | Ei = hY | Ei.

Proof: It suffices to derive by induction on n that

⇡n(hX | Ei) = ⇡n(hY | Ei)

The case n = 0 is trivial. By induction:

⇡n+1(hX | Ei) = a · ⇡n(hX | Ei) + b · ⇡n(hY | Ei) + c · ⇡n(hX | Ei)= a · ⇡n(hX | Ei) + b · ⇡n(hY | Ei) + c · ⇡n(hY | Ei)= ⇡n+1(hY | Ei) 2


By way of conclusion

How would a proof with RSP of hX | Ei = hY | Ei where

E = {X = aX + bY + cX , Y = aX + bY + cY}

look like?

Proof ideaUse hZ | Z = aZ + bZ + cZ i, which is for both X and Y in E a solution.

How would a proof with AIP of

hX | X=aXb+bi = hZ | Y=aZb+b, Z=aYb+bi

look like?

Terrible (Use RSP instead and skip Exercise 4.5.6)Study Example 4.5.1 (slide 20) for a case in which AIP is essential.


Instead of Exercise 4.5.6

Exercise 4.5.6, i.e., the last example has a trivial proof with RSP.

Proof: By RDP,

hX | X=aXb+bi = a · hX | X=aXb+bi · b + b

Therefore, hX | X=aXb+bi is a solution for both Y and Z in

Y=aZb+b,

Z=aYb+b

By RSP,

hX | X=aXb+bi = hY | Y=aZb+b, Z=aYb+bihX | X=aXb+bi = hZ | Y=aZb+b, Z=aYb+bi 2

END OF LECTURE 5


Concurrency Theory

Lecture 6

Alban Ponse



2017 - 2018


Contents

Abstraction in process algebra

Literature



Abstraction

The silent step ⌧ represents an internal action:

⌧⌧! p

The abstraction operator ⌧I , with I ✓ A, renames all actions from I in itsargument to ⌧ :

x v! p(v 62 I)

⌧I(x)v! p

x v! x 0 (v 62 I)

⌧I(x)v! ⌧I(x 0)

x v! p(v 2 I)

⌧I(x)⌧! p

x v! x 0 (v 2 I)

⌧I(x)⌧! ⌧I(x 0)


Branching bisimulation equivalence

Not all ⌧ -transitions are silent. Example: A malfunctioning channel.

a datum received via channel 1 is sent into channel 2 or 3a datum communicated via channel 2 it is sent into channel 4a datum communicated via channel 3 gets stuck, because thesubsequent channel 5 is broken

The system gets into a deadlock if a datum is transferred viachannel 3. This deadlock should not disappear when abstracting awayfrom the communication actions via channels 2 and 3.


A rationale

The following pairs of process terms are not equivalent:

a + ⌧� and a (the first has deadlock)@{b}(a + ⌧b) and @{b}(a + b)

a + ⌧b and a + b (t = u ) @{b}(t) = @{b}(u))

A correct answer to the question which ⌧ -transitions are truly silent?turns out to be

those ⌧ -transitions that do not lose possible behaviours !

For example, a + ⌧(a + b) and a + b are equivalent: after executing the⌧ in the first process term it is still possible to execute a.


Branching bisimulation

Letp #. A branching bisimulation is a binary relation B on processes

such that (p

,p

) 2 B, and:

1 if p B q and p a! p0, then

- either a ⌘ ⌧ and p0 B q- or q ⌧! · · · ⌧! q0 such that p B q0 and q0

a! q0 with p0 B q0

2 if p B q and q a! q0, then

- either a ⌘ ⌧ and p B q0

- or p ⌧! · · · ⌧! p0 such that p0 B q and p0a! p0 with p0 B q0

3 if p B q and p #, then q ⌧! · · · ⌧! q0 such that q0 #4 if p B q and q #, then p ⌧! · · · ⌧! p0 such that p0 #

Two processes p and q are branching bisimilar, denoted p $b q, ifthere is a branching bisimulation relation B such that p B q.


Example

Example: a + ⌧(a + b) $b ⌧(a + b) + b, in a picture:

Branching bisimulation relation B is defined by:

a + ⌧(a + b) B ⌧(a + b) + ba + b B ⌧(a + b) + ba + ⌧(a + b) B a + ba + b B a + bpBp


Rooted Branching Bisimulation

(Once more) The following pairs of process terms are not equivalent:

a + ⌧� and a@{b}(a + ⌧b) and @{b}(a + b)

a + ⌧b and a + bb and ⌧b (although they are branching bisimilar)

A rooted branching bisimulation is a binary relation B on processessuch that:

1 if p B q and p a! p0, then q a! q0 with p0 $b q0

2 if p B q and q a! q0, then p a! p0 with p0 $b q0

Two processes p and q are rooted branching bisimilar, denotedp $rb q, if there is a rooted branching bisimulation relation B such thatp B q.


Guarded Linear Recursion

All process terms ⌧s are solutions for the recursive specificationX = ⌧X , because ⌧s $rb ⌧⌧s. Hence, X = ⌧X is unguarded.

A recursive specification is linear if for ai , bj 2 A [ {⌧}, its recursiveequations are of the form

X = a1 · X1 + · · · + ak · Xk + b1 + · · · + b`

with X = � if k and ` are both zero. A linear recursive specification Eis guarded if there does not exist an infinite sequence of ⌧ -transitions

hX |Ei ⌧! hX 0|Ei ⌧! hX 00|Ei ⌧! · · ·

The guarded linear recursive specifications are exactly the linearrecursive specifications that have a unique solution modulo rootedbranching bisimulation.


Conservative Extension

ACP⌧ with guarded linear recursion is a conservative extension of ACPwith linear recursion.

This follows from the following three facts:

the transition rules of ACP and for linear recursion are allsource-dependentthe sources of the transition rules for the silent step andabstraction contain ⌧ or ⌧I . The sources of the transition rules for aguarded linear recursive specification E that includes a ⌧ containthe fresh constant hX |Eieach transition rule for alternative composition, sequentialcomposition or linear recursion that involves ⌧ -transitions containsa premise that includes the fresh relation symbol ⌧! or predicate⌧! p

, and a left-hand side of which all variables occur in thesource of the transition rule


Congruence

Rooted branching bisimulation equivalence is a congruence over ACP⌧

with guarded linear recursion.

Axioms for Abstraction (v 2 A [ {⌧}):

B1 v · ⌧ = v

B2 v · (⌧ · (x + y) + x) = v · (x + y)

TI1 ⌧I(v) = v (v 62 I)

TI2 ⌧I(v) = ⌧ (v 2 I)

TI3 ⌧I(�) = �

TI4 ⌧I(x + y) = ⌧I(x) + ⌧I(y)

TI5 ⌧I(x · y) = ⌧I(x) · ⌧I(y)


Example – Queues (or buffers)

Q1 = r1 s3 Q1

Q2 = r3 s2 Q2

We further write Q1 instead of hQ1|Q1 = r1 s3 Q1, Q2 = r3 s2 Q2i (andsimilar for Q2). Let �(r3, s3) = c3 be the only communication defined.Buffers Q2 and Q1 of capacity one in parallel, i.e.,

⌧{c3}(@{s3,r3}(Q2 k Q1))

behave as a buffer of capacity two: X = r1 YY = r1 Z + s2 XZ = s2 Y


Proof: Q2 k Q1 = Q2 k Q1 + Q1 k Q2 + Q2 | Q1

= r3s2Q2 k Q1 + r1s3Q1 k Q2 + r3s2Q2 | r1s3Q1

= r3 · (s2Q2 k Q1) + r1 · (s3Q1 k Q2)

+ � · (s2Q2 k s3Q1)

= r3 · (s2Q2 k Q1) + r1 · (s3Q1 k Q2)

So @{s3,r3}(Q2 k Q1) = @{s3,r3}(r3 · (s2Q2 k Q1) + r1 · (s3Q1 k Q2))

= @{s3,r3}(r3 · (s2Q2 k Q1))

+ @{s3,r3}(r1 · (s3Q1 k Q2))

= @{s3,r3}(r3) · @{s3,r3}((s2Q2) k Q1)

+ @{s3,r3}(r1) · @{s3,r3}(s3Q1 k Q2)

= � · @{s3,r3}(s2Q2 k Q1)

+ r1 · @{s3,r3}(s3Q1 k Q2)

= r1 · @{s3,r3}(s3Q1 k Q2)


Likewise we can derive:

@{s3,r3}(s3Q1 k Q2) = c3 · @{s3,r3}(Q1 k s2Q2)

@{s3,r3}(Q1 k s2Q2) = r1 · @{s3,r3}(s3Q1 k s2Q2)

+ s2 · @{s3,r3}(Q2 k Q1)

@{s3,r3}(s3Q1 k s2Q2) = s2 · @{s3,r3}(s3Q1 k Q2)


Hence ⌧{c3}(@{s3,r3}(Q2 k Q1)) = ⌧{c3}(r1 · @{s3,r3}(s3Q1 k Q2))

= r1 · ⌧{c3}(@{s3,r3}(s3Q1 k Q2))

= r1 · ⌧{c3}(c3 · @{s3,r3}(Q1 k s2Q2))

= r1 · ⌧ · ⌧{c3}(@{s3,r3}(Q1 k s2Q2))

= r1 · ⌧{c3}(@{s3,r3}(Q1 k s2Q2))and likewise we can derive

⌧{c3}(@{s3,r3}(Q1 k s2Q2)) = r1 · ⌧{c3}(@{s3,r3}(s3Q1 k s2Q2))

+ s2 · ⌧{c3}(@{s3,r3}(Q2 k Q1))

⌧{c3}(@{s3,r3}(s3Q1 k s2Q2)) = s2 · ⌧{c3}(@{s3,r3}(Q1 k s2Q2))

Hence, a solution for the linear recursive specification E for the bufferof capacity two is

X = ⌧{c3}(@{s3,r3}(Q2 k Q1))

Y = ⌧{c3}(@{s3,r3}(Q1 k s2Q2))

Z = ⌧{c3}(@{s3,r3}(s3Q1 k s2Q2)) 2


Cluster Fair Abstraction Rule (CFAR)

⌧ -loops can be constructed by abstraction: ⌧{a}(hX | X=aX i)

Let E be a guarded linear recursive specification, and I ✓ A.Recursion variables X and Y in E are in the same cluster for I if

hX |Ei b1! · · · bm! hY |Ei and hY |Ei c1! · · · cn! hX |Eiwith bi , ci 2 I [ {⌧}. Either a or aX is called an exit for cluster C if:

1 a or aX is a summand in the right-hand side of the recursiveequation for a recursion variable in C

2 in the case of aX , a 62 I [ {⌧} or X 62 C

If X is in a cluster for I with exits {v1Y1, . . . , vmYm, w1, . . . , wn}, thenCFAR is the following rule:

v · ⌧I(hX |Ei) = v · ⌧I(v1hY1|Ei + · · · + vmhYm|Ei + w1 + · · · + wn)


Intuition for CFAR

Let E denoteX1 = aX2 + b1

...Xn�1 = aXn + bn�1Xn = aX1 + bn

Then ⌧{a}(hX1|Ei) executes ⌧ -transitions until it executes an action bifor i 2 {1, . . . , n}. After the execution of such a ⌧ it is still possible toexecute any of the bi .

Fair abstraction says that ⌧{a}(hX1|Ei) does not stay in the ⌧ -loopforever, so that at some time it will execute a bi . Hence,

⌧{a}(hX1|Ei) $rb b1 + ⌧(b1 + · · · + bn)

Namely, initially ⌧{a}(hX1|Ei) can execute b1 or ⌧ . In the latter case,this non-silent ⌧ is followed by the execution of a series of silent ⌧ ’s,until one of the actions bi is executed.


Example

Let E denoteX = heads · X + tails

Then hX |Ei represents tossing a fair coin until the result is tails. Weabstract away from throwing heads: ⌧{heads}(hX |Ei).

{X} is the only cluster for {heads}, and the only exit of this cluster istails. So by CFAR,

⌧ · ⌧{heads}(hX |Ei) = ⌧ · ⌧{heads}(tails)

= ⌧ · tails

Hence, ⌧{heads}(hX |Ei) = ⌧{heads}(heads · hX |Ei + tails)

= ⌧ · ⌧{heads}(hX |Ei) + tails

= ⌧ · tails + tails


Soundness

The axioms for ACP⌧ with guarded linear recursion and CFAR aresound modulo rooted branching bisimulation equivalence:

s = t ) s $rb t

Rooted branching bisimulation equivalence is a congruence over ACP⌧

with guarded linear recursion, so it suffices to check soundness of allinstantiations of axioms.


Completeness

The axioms for ACP⌧ with guarded linear recursion, RDP, RSP andCFAR are complete modulo rooted branching bisimulationequivalence:

s $rb t ) s = t

This follows from two facts:

each term over ACP⌧ with guarded linear recursion is equal to aterm hX |Ei with E a guarded linear recursive specification

if hX |Ei $rb hY |E 0i for guarded linear recursive specificationsE , E 0, then

hX |Ei = hY |E 0i


Concurrency Theory

Lecture 7

Alban Ponse



2017 - 2018


Contents

Protocol verification in process algebra

Literature

Wan Fokkink, Introduction to Process Algebra, Springer-Verlag,2000: Chapter 6.1Handout 2Slide material is also from the author (but slightly adapted)


Alternating Bit Protocol (ABP)

Data elements are sent from Sender to Receiver via faulty channel B.Sender alternatingly attaches bit 0 or bit 1 to data elements.

If Receiver receives a datum, it sends the attached bit to Sender viafaulty channel D, to acknowledge reception. If Receiver receives acorrupted message, then it resends the preceding acknowledgement.

Sender keeps sending a datum with attached bit b until it receivesacknowledgement b. Then it starts sending the next datum withattached bit 1 � b until it receives acknowledgement 1 � b, et cetera.


Specification of the ABP

Sender sending a datum with bit b attached (b 2 {0, 1}):

Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb

Udb = rD(b) · S1�b + (rD(1 � b) + rD(?)) · Tdb

Receiver expecting a datum with b attached:

Rb =P

d2�{rB(d , b) · sC(d) · Qb + rB(d , 1 � b) · Q1�b} + rB(?) · Q1�b

Qb = (sD(b) + sD(?)) · R1�b

A send and a read action of the same message ((d , b), b or ?) overthe same channel (B or D) communicate with each other.

The alternating bit protocol is specified by ⌧I(@H(R0kS0)) with H the setof read and send actions over channels B and D, and I the set ofcommunication actions.


Verification of the ABP

So ABP = ⌧I(@H(R0kS0)).

In the following slides we verify the ABP:

1 we consider @H(R0kS0) (thus without abstraction):we sketch its process graph, and prove with RDP and RSP that

@H(R0kS0) = hX1|Ei

with E the linear recursive specification that models this processgraph

2 we show with CFAR, ACP⌧ , RDP and RSP that

⌧I(hX1|Ei) = hZ | Z =P

d2�rA(d) · sC(d) · Z i

thus proving that ABP behaves externally as a one-slot buffer


Process graph of @H(R0kS0) (1), some arrows have multiple labels:


R0kS0 =P

d 02�{rB(d 0, 0) · ((sC(d 0)Q0)kS0)

+ rB(d 0, 1) · (Q1kS0)} + rB(?) · (Q1kS0)

+P

d2� rA(d) · (Td0kR0)

@H(R0kS0) =P

d2� rA(d) · @H(Td0kR0)

In the process graph:

1rA(d)�! 2 (for all d 2 �)

Recall: Sender sending a datum with bit b attached:

Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


Td0kR0 = (sB(d , 0) + sB(?)) · (Ud0kR0)

+P

d 02�{rB(d 0, 0) · ((sC(d 0)Q0)kTd0)

+ rB(d 0, 1) · (Q1kTd0)} + rB(?) · (Q1kTd0)

+ cB(d , 0) · (Ud0k(sC(d)Q0)) + cB(?) · (Ud0kQ1)

@H(Td0kR0) = cB(d , 0) · @H(Ud0k(sC(d)Q0)) + cB(?) · @H(Ud0kQ1)


2cB(d ,0)�! 4, 2

cB(?)�! 3Recall: Sender sending a datum with bit b attached:

Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


Ud0kQ1 = rD(0) · (S1kQ1)+ (rD(1) + rD(?)) · (Td0kQ1)

+ (sD(1) + sD(?)) · (R0kUd0)

+ (cD(1) + cD(?)) · (Td0kR0)

@H(Ud0kQ1) = (cD(1) + cD(?)) · @H(Td0kR0)


3cD(1)�! 2, 3

cD(?)�! 2


Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


Ud0k(sC(d)Q0) = rD(0) · (S1k(sC(d)Q0))

+ (rD(1) + rD(?)) · (Td0k(sC(d)Q0))

+ sC(d) · (Q0kUd0)

@H(Ud0k(sC(d)Q0)) = sC(d) · @H(Q0kUd0)


4sC(d)�! 5


Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


Q0kUd0 = (sD(0) + sD(?)) · (R1kUd0)

+ rD(0) · (S1kQ0) + (rD(1) + rD(?)) · (Td0kQ0)

+ cD(0) · (R1kS1) + cD(?) · (R1kTd0)

@H(Q0kUd0) = cD(0) · @H(R1kS1) + cD(?) · @H(R1kTd0)


5cD(0)�! 7, 5

cD(?)�! 6


Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


(Last detailed derivation for states 1 up to 7)

R1kTd0 =P

d 02�{rB(d 0, 1) · ((sC(d 0)Q1)kTd0)

+ rB(d 0, 0) · (Q0kTd0)} + rB(?) · (Q0kTd0)

+ (sB(d , 0) + sB(?)) · (Ud0kR1)

+ (cB(d , 0) + cB(?)) · (Q0kUd0)

@H(R1kTd0) = (cB(d , 0) + cB(?)) · @H(Q0kUd0)


6cB(d ,0)�! 5, 6

cB(?)�! 5Recall: Sender sending a datum with bit b attached:

Sb =P

d2�rA(d) · Tdb

Tdb = (sB(d , b) + sB(?)) · Udb



Rb =P


Qb = (sD(b) + sD(?)) · R1�b


Likewise we derive (symmetric in 0 and 1):

@H(R1kS1) =P

d2� rA(d) · @H(Td1kR1)

@H(Td1kR1) = cB(d , 1) · @H(Ud1k(sC(d) · Q1))

+ cB(?) · @H(Ud1kQ0)

@H(Ud1kQ0) = (cD(0) + cD(?)) · @H(Td1kR1)

@H(Ud1k(sC(d)Q1)) = sC(d) · @H(Q1kUd1)

@H(Q1kUd1) = cD(1) · @H(R0kS0)

+ cD(?) · @H(R0kTd1)

@H(R0kTd1) = (cB(d , 1) + cB(?)) · @H(Q1kUd1)


Owing to the twelve derived equations, by RSP

@H(R0kS0) = hX1|Eiwhere E is the linear recursive specification

{ X1 =P

d 02� rA(d 0) · X2d 0

X2d = cB(d , 0) · X4d + cB(?) · X3d

X3d = (cD(1) + cD(?)) · X2d

X4d = sC(d) · X5d

X5d = cD(0) · Y1 + cD(?) · X6d

X6d = (cB(d , 0) + cB(?)) · X5d

Y1 =P

d 02� rA(d 0) · Y2d 0

Y2d = cB(d , 1) · Y4d + cB(?) · Y3d

Y3d = (cD(0) + cD(?)) · Y2d

Y4d = sC(d) · Y5d

Y5d = cD(1) · X1 + cD(?) · Y6d

Y6d = (cB(d , 1) + cB(?)) · Y5d | d 2 � }Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 7 2017 - 2018 14 / 19

After application of ⌧I to hX1|Ei, the loops of communication actionsbecome ⌧ -loops, which can be removed by CFAR.

For example, X2d and X3d form a cluster for I with exit

cB(d , 0) · X4d

sorA(d) · ⌧I(hX2d |Ei) = rA(d) · ⌧I(cB(d , 0) · hX4d |Ei)

= rA(d) · ⌧ · ⌧I(hX4d |Ei)= rA(d) · ⌧I(hX4d |Ei)

Likewise the removal of the other ⌧ -loops yields

sC(d) · ⌧I(hX5d |Ei) = sC(d) · ⌧I(hY1|Ei)rA(d) · ⌧I(hY2d |Ei) = rA(d) · ⌧I(hY4d |Ei)sC(d) · ⌧I(hY5d |Ei) = sC(d) · ⌧I(hX1|Ei)


So, with CFAR we derive

⌧I(hX1|Ei) =P

d2� rA(d) · ⌧I(hX2d |Ei)=

Pd2� rA(d) · ⌧I(hX4d |Ei)

=P

d2� rA(d) · sC(d) · ⌧I(hX5d |Ei)=

Pd2� rA(d) · sC(d) · ⌧I(hY1|Ei)

Likewise we derive

⌧I(hY1|Ei) =P

d2� rA(d) · sC(d) · ⌧I(hX1|Ei)

So using RSP it follows that

⌧I(hX1|Ei) = hZ | Z =P

d2�rA(d) · sC(d) · Z i

Hence,

⌧I(@H(R0kS0)) =P

d2� rA(d) · sC(d) · ⌧I(@H(R0kS0))

which concludes the verification of the ABP.Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 7 2017 - 2018 16 / 19

Protocol verification - a first conclusion

Let protocol P be specified in ACP⌧ by

P = ⌧I(@H(P1k...kPn))

A common verification technique is the following:1 assume the merge is commutative and associative, and apply

linearization, i.e., derive a linear recursive specification E with

@H(P1k...kPn) = hX |Ei

(relatively easy with this assumption; see Handout 2)2 apply CFAR and the axioms of ACP⌧ , RDP and RSP on

⌧I(hX |Ei)

thus obtaining an external behavior Q3 conclude that P = Q


Your future in process algebra / system verification

Further reading and courses

Jan Friso Groote and Mohammad Reza Mousavi.Modelling and Analysis of Communicating Systems, 2014.Lecture note version (2013):http://www.mcrl2.org/download/mcrl2-lecture-notes.pdf

Wan Fokkink. Modelling Distributed Systems: Protocol Verificationwith µCRL (2nd ed., 2011). Available athttp://www.cs.vu.nl/~wanf/BOOKS/moddissys.pdf

Further education

Protocol Validation, a 6 EC course (period 1) by me @ VU UniversityAmsterdam: https://www.vu.nl/en/study-guide/2017-2018/Graduation work (Ponse et al)


End of Lecture 7

Reading list (the classical literature)

Jan A. Bergstra, Alban Ponse, and Scott A. Smolka (eds.).Handbook of Process Algebra, Elsevier, 2001.

J.C.M. Baeten and W.P. Weijland.Process Algebra, Cambridge Tracts in Theoretical Computer Science18, Cambridge University Press, 1990.

J.C.M. Baeten and C. Verhoef.Concrete process algebra, in Handbook of Logic in Computer Science,Volume IV, pp. 149–268, Oxford University Press, 1995.

R. Milner. Communication and Concurrency, Prentice Hall, 1989.

J.C.M. Baeten (ed.).Applications of Process Algebra, Cambridge Tracts in TheoreticalComputer Science 17, Cambridge University Press, 1990.


Concurrency Theory

Lecture 8

Alban Ponse



2017 - 2018


Contents

Modeling of programs interacting with state machinesModeling of non-regular threads

Literature

Handout 1Bergstra and Ponse, JLAP 51(2):175–192, 2002

Main idea

A state machine may support a program in its execution, forexample as a memory device

Note: nowadays, state machines are often called services.Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 8 2017 - 2018 2 / 19

State machine

A state machine is a pairhM, F i

consisting of an interface M and a reply function F .

The interface M of a state machine consists of co-actions (also calledmethods). Notation

a(x)

or in some examples more concrete, e.g.,

set(true), println(hello), c1:isZero()

An example of an interface of a state machine is

M = {read(n),send(n) | n < 216}


The reply function

The reply function F of a state machine hM, F i is a mapping that givesfor each finite sequence of co-actions from the interface M a reply in{true,false, D}.

M+: the set of non-empty, finite sequences over M, where “," is usedas a separator:

a(x) 2 M ) a(x) 2 M+

� 2 M+ and a(x) 2 M ) �,a(x) 2 M+

The value D will be used as an error-value:

1 if a(x) 62 M then F (�,a(x)) = D2 also, the reply function F is persistent in D: if for some � 2 M+,

F (�) = D, then for all a(x) 2 M, F (�,a(x)) = D


Example of a state machine: Boolean register smbr

The Boolean register smbr (“state machine boolean register”) is

h{set(true),set(false),eq(true),eq(false)}, F smbr i

where the reply function F smbr replies

true to the co-actions set(true) and set(false)

false to the co-actions eq(true) and eq(false) until theregister is set, after which it replies true to eq(b) whenever b isthe current value of the register, and false otherwise

Examples: F smbr (eq(false),eq(true)) = falseF smbr (eq(false),set(false)) = true

State notation: smbr(s) with s 2 {T,F} for smbr being set to value s,where T and F abbreviate true and false, respectively.


Program algebra: focus.method notation (FMN)

We take basic instructions to have more syntactical structure thanbefore: for basic instructions we use

f.a(x)

where f is the so-called focus (cf. Lecture 2) of the instruction, anda(x) is its co-instruction part or method (upon execution: co-action).

For example,smbr.set(true)

has focus smbr and method set(true), and

Console.println(hello)

has focus Console and method println(hello).


Using state machines

Two ways of interfacing a program (behavior) and a state machine:

Use. In a “use interface" the task of a state machine H is to supportprogram X in its execution, which will express its value by executingactions that are not processed by H, notation

|X |/f H

for focus f. Upon termination of the execution of X , H is forgotten andso is the state it is in.

Apply, the other way round: |X | transforms state machine H. The“apply interface” is not considered in this course.


The use interface

So, in a use interface, a state machine processes actions and providesBoolean replies that are (can be) used for further control of execution.

For any state machine H and focus f,

S/f H = S and D/f H = D

Another use of D: the default state machine D, which has universalinterface and replies D to any action with focus f. In particular,

(P E f.a(x)D Q)/f D = D


Used state machines

Assume state machine H = hM, F i has already used co-action a(x):the state machine

@@a(x)H

is defined by @@a(x)H = hM, F 0i with F 0(�) = F (a(x),�) for all � 2 M+.

Example: @@set(true)smbr is the Boolean register set to true.

It replies the same as e.g. @@set(true)( @

@eq(false)smbr), hence thenotation smbr(T).(So, the notations smbr, smbr(T) and smbr(F) are sufficient tocompute any reply: smbr has no memory, only a current state.)

For � 2 M+ we define @@�H as H after having subsequently processed

the co-actions in �, so@

@�,a(x)H = @@a(x)( @

@�H)


Defining rules for P/f H (with H = hM, F i)

S/f H = S

D/f H = D

(P E g.a(x)D Q)/f H = (P/f H) E g.a(x)D (Q/f H) if g 6= f

(P E f.a(x)D Q)/f H = P/f@

@a(x)H if

(a(x) 2 M andF (a(x)) = true

(P E f.a(x)D Q)/f H = Q/f@

@a(x)H if

(a(x) 2 M andF (a(x)) = false

(P E f.a(x)D Q)/f H = D if a(x) 62 M or H = D


A simple example with the use operator - 1

Let the PGLE-program ProgA be defined by

smbr.set(true);

L0; +smbr.eq(true); ##L1; ##L2;

L1; smbr.set(false); Console.println(hello); ##L0;

L2; smbr.set(true); Console.println(goodbye); ##L0

So|ProgA|pgle = smbr.set(true) � P

with

P = smbr.set(false) � Q E smbr.eq(true)D smbr.set(true) � R,

Q = Console.println(hello) � P,

R = Console.println(goodbye) � P.


A simple example with the use operator - 2

From |ProgA|pgle = smbr.set(true) � P it follows that

|ProgA|pgle/smbr smbr = P/smbr smbr(T)

Recall

P = smbr.set(false) � Q E smbr.eq(true)D smbr.set(true) � R,

Q = Console.println(hello) � P,

R = Console.println(goodbye) � P.

The subsequent use-applications yield the following cycle:

P/smbr smbr(T) = Q/smbr smbr(F)= Console.println(hello) � (P/smbr smbr(F)),

P/smbr smbr(F) = R/smbr smbr(T)= Console.println(goodbye) � (P/smbr smbr(T)).


A non-regular thread - 1

Leaving out focus.method notation in actions a and b , consider thethread P defined as follows (with i , j 2 N):

P = a � Q(1, 0),

Q(i+1, j) = b � Q(i , j+1),

Q(0, j) = a � Q(j+1, 0).

So P has the following behavior:

P a�! Q(1, 0) b�! Q(0, 1) a�! Q(2, 0) b�! Q(1, 1) b�! Q(0, 2) a�! . . .

or, briefly,a � b � a � b2 � a � b3 � . . .

(the three dots . . . are essential here).


A non-regular thread - 2

The thread P defined by

P = a � Q(1, 0),

Q(i+1, j) = b � Q(i , j+1),

Q(0, j) = a � Q(j+1, 0)

and with behavior a � b � a � b2 � a � b3 � . . . is not regular:

1 if P were regular, then P could be represented by a finite picture(formally: then P could be defined by a finite system of equations)

2 this is clearly not the case: the number of consecutive b-actions isdetermined by the number of preceding a-actions

Nevertheless, it is not hard to find a PGLE-program that uses atwo-counter service TC and defines the thread P.


A two-counter service TC

The state of a two-counter TC can be described by TC(i,j) wherei 2 N is the value of the first counter and j 2 N that of the secondcounter. Initially,

TC = TC(0,0)

TC’s methods (co-actions), where succ refers to successor and predto predecessor:

c1:succ() increases the value of the first counter by 1 andalways yields truec1:isZero() tests whether the first counter has value 0c1:pred() decreases the value of the first counter by 1 if it has avalue larger than 0 and otherwise the value remains 0, thisco-instruction always yields true

For the second counter there are similar methods (c2:succ() etc.)


A program that uses TC and defines P

Assume TC has focus smnnc (“state machine natural number counter”)and actions a and b have a focus different from smnnc, and

ProgC = L0; a ; smnnc.c1:succ();

L1; +smnnc.c1:isZero(); ##L2;

b ; smnnc.c1:pred(); smnnc.c2:succ(); ##L1;

L2; +smnnc.c2:isZero(); ##L0;

smnnc.c2:pred(); smnnc.c1:succ(); ##L2

Then |ProgC|pgle/smnnc TC reaches infinitely many different statesalong the path

a � b � a � b2 � a � b3 � . . .

and thus |ProgC|pgle/smnnc TC = P.

To show this, we first apply behavior extraction on the fly...Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 8 2017 - 2018 16 / 19

Behavior extraction on the fly

ProgC = L0; a ;smnnc.c1:succ();L1; +smnnc.c1:isZero(); ##L2;

b ; smnnc.c1:pred(); smnnc.c2:succ(); ##L1;L2; +smnnc.c2:isZero(); ##L0;smnnc.c2:pred(); smnnc.c1:succ(); ##L2

Write Q1 = |ProgC|pgle and leave out foci, then

Q1 = a � c1:succ() � Q2,

(this will be a Shift NC1 7! NC2, adding bNC1). # &

Q2 = Q3 E c1:isZero()D b � c1:pred() � c2:succ() � Q2,Q3 = Q1 E c2:isZero()D c2:pred() � c1:succ() � Q3.

- " %(this will become a Shift NC2 7! NC1)


More formally...

Not leaving out foci and writing f for smnnc, we have

Q1 = a � f.c1:succ() � Q2,

Q2 = Q3 E f.c1:isZero()D b � f.c1:pred() � f.c2:succ() � Q2,

Q3 = Q1 E f.c2:isZero()D f.c2:pred() � f.c1:succ() � Q3,

and we find

Q1/f TC(i,0) = a � (Q2/f TC(i+1,0)),

Q2/f TC(i+1,j) = b � (Q2/f TC(i,j+1)),

Q2/f TC(0,j) = Q3/f TC(0,j) = Q1/f TC(j,0).

Hence Q1/f TC(i,0)a � bi+1��! Q1/f TC(i+1,0), which shows that

Q1/f TC = |ProgC|pgle/f TC(0,0) has behavior

a � b � a � b2 � a � b3 � . . .

and thus equals P.Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 8 2017 - 2018 18 / 19

Conclusion

A projection semantics without state machines does not exist if aprogram (a behavior) essentially uses a state machine with aninfinitary internal structure.

Ultimate examples:

a Turing machine, i.e., a regular control using an infinite tapea Minsky machine, i.e., a regular control using a two-counter(cf. our last example)

Even for “finite” state machines it can be totally impractical to avoidtheir use in projection semantics. (cf. JLAP51(2):175–192, 2002,Section 5).

Simple example: a semantics for a language with for-loops, i.e.for i = 1 to n do X od

END OF LECTURE 8


Concurrency Theory

Lecture 9

Alban Ponse



2017 - 2018


Contents

Modeling of action forecasting for regular threads,comprising a decidable result for a Risk Assessment Service

Literature

Handout ExtraBergstra and Ponse, A bypass of Cohen’s impossibility result,2005 (also at Bb)

Main idea

A service that can forecast whether a regular thread has nosecurity hazard (modelling a computer virus)


Cohen’s impossibility result

Suppose a decision procedure D exists (a predicate on program texts)that determines whether a program executes (and spreads) a virus.

Cohen’s impossibility result:

C = if (not D(C)) then P else Q,

where P executes a virus, and Q is virus-free.

If D(C) yields true, Q is executed: contradictionIf D(C) yields false, P is executed: contradiction

Hence, a risk assessment tool that implements D(C) cannot exist.


Our approach

A security hazard is modeled as the execution of a certain actioncalled risk .

A program may contain test actions s.ok wich are requests to a riskassessment tool.

Program code can thus be of the form

if s.ok then P else Q,

where s.ok is a request to a risk assessment tool with focus s, toassess the code P.

The subprograms P and Q may contain further s.ok tests ofcorresponding subprograms.


Our approach - 2

Inif s.ok then P else Q,

the tool should reply true to the test s.ok if and only if execution of Pusing the same tool will not lead to execution of risk .

Upon reply false, Q will be executed instead, but there is no riskassessment of Q.

So, risk assessment is on the true-branch P of the conditionalcontaining the test only. This is decidable.

In this it differs from the decision procedure in Cohen’s argumentwhere both P and Q are assessed.

Note. P and Q can be |...|pglz for some PGA-based language PGLZ .


Running example

Consider the regular thread x1 defined by the following specification:

x1 = x2 E s.ok D x8 x5 = b � x2

x2 = x3 E a D x4 x6 = risk � x1

x3 = x5 E s.ok D x6 x7 = c � x8

x4 = x6 E s.ok D x7 x8 = S

h s.ok i1

�� = ��h a i2

��

S8

h s.ok i3

�� = ��

h s.ok i4

=�� [ b ]5

//

[ risk ]6

oo

[ c ]7

oo


Risk(E), the minimal set of risk states for lin.spec. E

1 If x = y E risk D z, then x is a risk state2 If x = y E s.ok D z, and y and z are risk states,

then x is a risk state3 If x = y E a D z for a 6= risk , s.ok , and y or z is a risk state,

then x is a risk stateh s.ok i1

�� = ��h a i2

��

S8

h s.ok i3

�� = ��

h s.ok i4

=�� [ b ]5

//

[ risk ]6

oo

[ c ]7

oo

Correct risk assessment: reply true to x E s.ok D y iff x 62 Risk(E).Alban Ponse (TCS, UvA) Concurrency Theory - Lecture 9 2017 - 2018 7 / 12

Annotating E

Assumption. To define the reply function of the risk assessmentservice, E can be analyzed.

For the answer to a particular ok test, it must then be known whichpart of E is to be assessed.

Annotate the ok tests with variables from Var(E): E 7! Ea by replacingall equations

x = y E s.ok D z by x = y E s.ok :y D z.

This preprocessing allows us to define a history-based service.1

1In Bergstra, Ponse’05, a general risk assessment tool SHRAT (security hazardrisk assessment tool) is defined as a more powerful service that upon a request s.okloads both the specification and the identity of the state to be tested.

A disadvantage of that approach is that SHRAT does not necessarily commute withother thread-service applications.


A risk assessment service

The risk assessment service S(E) for the specification E :

focus smethods (co-actions) {ok :x | x 2 Var(E)} by the convention justintroduced, andwith reply function

F (�, ok :x) =

(true if x 62 Risk(E),

false otherwise,

(note: the history � is never used).


Actions(E)

For finite threads, Actions(_) is defined by

Actions(S) = Actions(D) = ;,

Actions(P E a D Q) = {a} [ Actions(P) [ Actions(Q),

and this is extended to regular threads defined by lin.spec E by

Actions(x) = {a} [ Actions(y) [ Actions(z)

if (x = y E a D z) 2 E .

For example, ifE = {x = D, y = x E a D y}

then Actions(x) = ; and Actions(y) = {a}.


Correctness of S(E) for lin.spec. E

Theorem 1. x 2 Risk(E) () risk 2 Actions(x/s S(E)).

Proof. ()) Easy, following the inductive definition of Risk(E).

(() Suppose risk 2 Actions(x/s S(E)).Then there must be a trace of x leading to a state where risk can beperformed, corresponding to a sequence

xk , xk�1, . . . , x1 2 Var(E)

with xk = x , k � 1, such that x1 = y E risk D z for some y , z, and

For i = 2, . . . , k , xi = y E a D z with xi�1 2 {y , z},and if a = s.ok , then xi/s S(E) = xi�1/s S(E).

(1)

Then xk 2 Risk(E) by induction on k and (1) (see Handout extra).


Question and Assignment

Question. Is it important that in the proof of the above Theorem, thetrace of x leading to a state where risk can be performed is minimal orcycle-free?

Assignment (Optional, may be used in rounding off your final mark):See Handout Extra.

Deadline: Wednesday 13 Dec, evening.

END OF LECTURE 9
