Abstract Interpretation of the 7r-Calculus

Arnand Venet*

LIX, Ecole Polytechnique, 91128 Palmseau, France. venet@lix.polytechnique.fr

http://lix.polytechnique.fr/~venet

A b s t r a c t . We are concerned with the static analysis of the commu- nication topology for systems of mobile processes. For this purpose we construct an abstract interpretation of a large fragment of the ~r-calculus which can be used as a metalanguage to specify the behaviour of these systems. The abstract domain is expressive enough to give accurate de- scriptions of infinite and non-uniform distributions of processes and com- munication channels. We design appropriate widening operators for the automatic inference of such information.

1 I n t r o d u c t i o n

The static analysis of communicating processes with dynamically changing struc- ture - commonly called mobile processes - has been mostly studied in the par- ticular case of CML-like programs INN94, Co195a, Co195b]. The design of these analyses heavily depends on type and control-flow information that is specific t o CML. In this paper we propose an analysis of communications in the ~r- calculus [Mil91, MPW92]. Our choice is motivated by the fact tha t the z~-calculus is a widely accepted model for describing mobile processes. It is fairly simple and yet very expressive, since it can encode data structures [Mil91], higher-order communication [Mil91, San94a] and various ),-calculi [Mi192].

Our purpose is to analyze the communicat ion topology of a system of mobile processes, i.e. the distribution of processes and communication channels during the evolution of the system. In the standard semantics of the 7r-calculus this information is encoded within a process algebra. We construct a refinement of this semantics where an instance of a process at a certain stage of evolution of the system is represented by the sequence of internal computations that lead to it. The communication channels are represented in turn as the congruence classes of an equivalence relation over the communication ports of all process instances. This semantic model originated in the study of data structures [Jon81] and has been successfully applied to the alias analysis of ML-like programs by A. Deutsch [Deu92a, Deu92b, Deu94] who designed a powerful analysis based on Abstract Interpretation [CC77, CC92].

C. Colby [Co195b] further extended Deutsch's work and built an analysis for a subset of CML which can discover non-uniform descriptions of infinitely grow- ing communication topologies. However, the whole framework relies on having a

* This work was partly supported by ESPRIT BRA 8130 LOMAPS.

52

good approximation of the control-flow of the program before doing the analy- sis of communications. Whereas a closure analysis can be used for higher-order CML programs, there is no realistic solution for the ~r-calculus where the only kind of computat ion is communication. Therefore we design a new abs t rac t in- terpretat ion which gets rid of this problem and still ensures a comparable level of accuracy. We use the technique of cofibered domains introduced in [Ven96] which allows us to infer simultaneously an approximation of control-flow and communications.

The paper is organized as follows. In Sect. 2 we present the syntax and seman- tics of the 7r-calculus. The refined semantics is described in Sect. 3. In Sect. 4 we present the basic concepts of Abstract Interpretat ion. We construct an abst ract domain for the analysis of the ~r-calculus in Sect. 5. The abs t rac t semantics of the 7r-calculus is described in Sect. 6. In Sect. 7 we design widening operators in order to make the analysis effective.

2 T h e 1 r - C a l c u l u s

The basic entities in the ~-calculus are names, which are provided to represent communication channels. The key point is tha t computat ion is restricted to the transmission and reception of names along channels. There are various possibili- ties of defining processes in the r-calculus, depending on the way communication, recursion and nondeterminism are handled. Our presentation is based on a sub- set of the polyadie ~-calculus [Mil91]. Let X = {x, y , . . . } be an infinite set of names. The syntax of ~r-terms 7 ) = (P, Q , . . . } is given by the following grammar:

P ::= ~ i e ~ r i .P i guarded sum of finitely many processes ] P I Q parallel composition [ ~,x.P restriction [ !~.P guarded replication

r ::= L [o atomic action ::= x(y) input

o ::= 5[y] output

where y is a (possibly empty) tuple (Yl , . . . ,Yn) of pairwise distinct names. We denote by 0 the empty sum of processes ( that is when I -- 0). We call a nonempty sum ~-~iex ~ri.Pi of processes an agent, and a replication 2 !L.P a server. We use the common abbreviat ion tha t consists of omitt ing the trailing .0 in ~r-terms. The restriction vx.P binds the name x in P and an input guard x(y l , . . . , yn).P binds the names Yl , - . - , Yn in P. We denote by fn(P) the set of names occurring free in a process P. If x and y are tuples of names of the same length, we denote by { y / x } the substi tution tha t maps any xi to Yi- The s tandard operational semantics of the 7r-calculus is given by a structural congruence - and a reduction relation defined in Fig. 1 and Fig. 2.

2 We use a restricted form of replication inspired from the one involved in the definition of P I C T [Tur95]. Yet it is expressive enough to perform all major constructions in the 7r-calculus (data structures, higher-order communication, etc.).

53

Let -= be the smallest congruence relation on P which satisfies the following axioms:

- P _= Q if P and Q are a-convertible. - ( P / - , [, O) is a commutative monoid. - v x . vy .P =_ vy .vx .P . - v x . O - O .

- v x . ( P ] Q) - P ] ~x.Q whenever x is not free in P.

Fig . 1. Structural congruence

p ~ p , p _~ p ,

P ] Q --4 P' ] Q •x.P ~ vx .P '

( . . . + x ( y ) . p + . . . ) ] ( . . . +5[z] .Q + . . . ) -+ { z / y } p [ Q

[x(y).P I ("" + ~[z].Q + - . . ) --~ {z/y}P I!x(y).P I Q p = p , p ' --+ Q' Q, = Q

p . - + Q

Fig. 2. Process reduction

We model a system S of mobile processes by a closed 7r-term. The evolution of the system is determined by the internal communications. The structural laws allow us to rewrite a 7r-term in order to bring communicands in juxtaposition. They are the analogue of the heating/cooling rules of the Chemical Abstract Machine [BB92]. In the chemical metaphore, a 7r-term is a syntactic encoding of a "solution of floating ions", i.e. a multiset of agents and servers, in which reaction is communication. The structural congruence identifies all encodings of the same solution. In particular, any closed process P is structurally equivalent to a term of the following form:

l /X1.. , vXl.(A1 I " " I A,~ [$1 ] . . - [ S n ) (*)

where the Ai are agents and the Sj are servers, such that each name occurring free in any one of the Ai or Sj lies in { x l , . . . , xl }. Intuitively, this 7r-term exhibits the communication topology of P , i.e. all active agents and servers linked together by communication channels. Whereas the Ai and Sj are unique (up to permuta- tion of the indices), the decomposition (*) is not, because of a-renaming and the possibility to add and remove useless channel names by structural rewriting 3.

3 If x ~ fn(P), ~'x.P = P.

54

Hence, we will define this notion more formally and unambiguously using hyper- graphs.

The notion of hypergraph is a generalization of that of graph where an edge can connect more than two vertices. More precisely, an undirected hypergraph H labelled over L is given by a set V of vertices, a set E of hyperedges, a

boundary function cO : E , p(V), and a labelling function A : E �9 L. We identify hypergraphs which only differ by a bijective renaming of their vertices and hyperedges, i.e. we consider abstract hypergraphs.

Def in i t i on 1 C o m m u n i c a t i o n Topology. Let P be a closed r - te rm and A1, �9 . . , Am~ SI~.. . , Sn be the agents and servers appearing in decomposition (*). The communication topology T~(P) of P is the undirected hypergraph (V, E, 0, A) labelled over the set {a, s} where:

m A n 1. y = [3~=1 ~ ( ~ ) u [3~=1/~(sD. 2. E {(a, 1 ) , . . . , (a, m), (s, 1 ) , . . . , (s, n)}. 3. CO(a,/) = fn(Ai), CO(s,j) = fn(Sj) . 4. V(t,x) 6 E : A(t,x) = t. []

Note that the definition is not ambiguous because we are working with abstract hypergraphs. Hyperedges represent processes that are "glued" together via ver- tices which are communication ports. The labelling of hyperedges represents the type of each process appearing in the communication topology, either agent (a) or server (s).

Given a system S of mobile processes represented as a closed term of the r-calculus, we are interested in the communication topology of the system at any stage of its evolution, that is in the following set of hypergraphs:

Tc.(S ) do~ {To(P) ] S _5, p)

Example 1. Let S be the closed r-term

~l.~c.~x.(l[x] 1!l(y).~z.(~[y, z] I l[~]))

After n > 0 computation steps, the system is structurally equivalent to the process

~ l . ~ c . ~ 0 . . . ~ . (~ [~0 ,~1 ] I--. I ~ [ x ~ - l , ~ ] I ~[x~] t!l(y).~.(~[y, ~] I ~[z]))

whose communication topology is given by the following hypergraph:

55

where boxes (resp. circles) represent hyperedges (resp. vertices). []

Our goal is to discover automatically a finitely representable superset of T~* (S). We will apply techniques coming from the area of alias analysis [Ven96], but this requires first to refine the standard semantics of the ~r-calculus.

3 N o n s t a n d a r d S e m a n t i c s o f t h e 7 r - C a l c u l u s

Let S be a closed ~r-term. A careful inspection of the reduction rules of Fig. 2 shows that any active agent or server of a process P such that S -~ P , is a residual of a subprocess of S, i.e. a process sQ, where s is a substitution and Q is a subterm of S. In particular, several residuals of a same subprocess of S can only be obtained by repeated requests to a server via communication. Thereby, we can uniquely identify an active process in P with the sequence of requests to servers during the computation S Z~ p that contributed to create the process, together with the subprocess of S from which it is a residual 4. We use this idea to construct a new operational semantics of the system S of mobile processes.

In order to simplify the presentation of the semantics, we assume that S is in normal form, given by the following grammar:

N ::= 0 [ V X l . . . , x m . ( A S 1 [... lASh) AS ::= !~.N [ ~ i e I ~ri.Ni

where I ~ 0 and 5, ~r are the atomic actions of the ~r-calculus defined in Sect. 2. Moreover, we require tha t all variable bindings in S be pairwise distinct. Any process can always be brought into normal form by using the structural laws. We uniquely label each occurrence of an agent or a server in S. Let s be the set of these labels, and A(S) be the subset corresponding to all labels of agents. For any g E s we denote by St the process labelled by g. A configuration in our operational semantics is a pair (~, ~-~) where:

1. ~ is a function from s into ~(A(S)*) such that , for each l E / : (S ) , ~(~) is finite.

2. ~ is an equivalence relation over the following set:

Ports(~) doj {(e ,L ,x) I t 6 f-.(S),L 6 ~ ( t ) , x 6 fn(St)}

The function ~ associates to each label t the set of residuals of St in the con- figuration. A residual is identified with the sequence of agent labels which were involved in the creation of the process via requests to servers. Ports (#) is the set of communication ports corresponding to the distribution of processes ~. The communication channels are given by the congruence classes of the channel relation ~ which expresses the links between ports. Note that since we use the ~ relation, we get rid of problems of name generation and a-conversion

4 This idea is somehow related to the notion of locality developed for process alge- bras [BCHK94, San94b].

56

as it is the case in the standard semantics. The nonstandard semantics gives more information than what is really needed to define the communication topol- ogy. However, this higher level of expressivity is required to design an accurate abstract interpretation, as we will see in Sect. 5.

We denote by C(S) the set of all configurations (~, ~-~). If �9 6 / : ( S ) , p(~4(S)*) and p is a binary relation over Ports(~), we denote by [p]~ the smallest equivalence relation over Ports(~) containing p. We denote by U the pointwise

inclusion on s , p(,4(S)*). The nonstandard operational semantics of S is given by a transition relation =~ on C(S) defined in Fig. 3 and Fig. 4. The se- mantic rules require a few explanations. In the case of communication between two agents (Fig. 3), the instances of S~, and Sio are removed from �9 and new instances of the S~ and S~o~ are created with the same residual as their parent

process. The channel relation is defined on the process distribution �9 (J ~' in- cluding the communicands and the newly released processes. The relation ~'~c implements communication, i.e. it links y~ and ti in all spawned processes that involve these names. The r61e of *'~i and ~'*o is to bind the free names in the Sl~

and Slok to the corresponding ones in the parent processes. Finally ~ . ~ relates all occurrences of a newly created name among the processes spawned by the sender and the receiver. This information is then propagated to all other ports by the transitive closure involved in [-]#o~," Once this has been done, the restriction of *-.~' to Ports(~') eliminates all information relative to the communicands. The situation is almost identical for a communication between an agent and a server (Fig. 4), except that the instance of the server is not deleted. The newly spawned instances of the S j are assigned the residual Lo.go, thus formalizing our intuition about the meaning of residuals.

In our context, given a closed ~r-term S in normal form, we are interested in computing an upper-approximate of the collecting semantics [CC77] Ss of

S, that is the set {P I S 4 P} of descendants of the initial configuration in the standard operational semantics. Thereby, we connect the nonstandard operational semantics with the standard one via a relation ~ �9 p(7 ~ x C(S)) defined as follows. If s = {g , , . . . , gn} and, for all i �9 { 1 , . . . , n } , ~(g~) = {L,~,I, �9 �9 �9 L~,k~ }, then

(p, �9

whenever p - UXl . . .UXm. (P t l , l [ "" [Ptl,k~ [ " " [ P~.,1 [" "" [Pg.,k.) where:

- For all i �9 { 1 , . . . , n } and j �9 {1 , . . . , k i} , Pl, j = si,jSg,, where si,j is a substitution such that si,j(fn(S~,)) C {Xl , . . . , Xm}.

- Vi , j �9 { 1 , . . . , n } : Vx �9 fn(Sl , ) : Vy �9 fn(S~j) : VR �9 {1, .... ,ki} : Vq �9 {1 , . . . , k j} : st,,p(x) : slj,q(y) r (gi, Ll,,p,x) ~ (gj,nlj,q,y).

If S = uxl . . . uxt.(Se~ ] ".. ] S~.) we denote by cs the nonstandard configuration ( r * '~s) where

O s ( g ) = { ~ e} otherwiseif~=gif~

57

and ~-~s= [{((t i ,r I 1 <_ i , j < n ,x �9 In(St,) Nfn(St~)}]v s. Note

that (S, cs) �9 ~. The nonstandard collecting semantics S~ is given by {c I cs :~ c}.

T h e o r e m 2. Let F : ~(g(S)) , ~(7 ~) be the function that sends any set C o/configurations to {p I Sc �9 r (p, c) �9 ~}. Then, Ss = F(S~s).

This means that the standard and nonstandard collecting semantics of the r - calculus are equivalent. Note that ~ provides a direct way to compute the commu- nication topology associated to a nonstandard configuration (~, *-~), the vertices being given by the congruence classes of ~,~.

Example 2. Consider the r - term S of Example 1 (which is in normal form) that we label as follows:

If cs ~ (~, ~-~), for n > 0, then

} = ~ 3 ~ - t ~ 1 0 < i < n } g4 ~+ { ~ 1 . ~ - 1 }

and ~ is the smallest equivalence relation on Ports(~) such that:

- (~3, ~1 .~ , y) ~ (~3, ~1.~, z) r i = j + 1 - (e4, e ~ . ~ - ~ , z) ~ (~3, ~l.e~ -~, z)

(~4, ~1 ~-1 - .Q , I) ~ (~2, E, I) - (~3,~1.~,c) ~'~ (~2,c,c), for all i �9 { 0 , . . . , n - 1) []

It now remains to build an abstract interpretation of the u-calculus based upon the nonstandard semantics.

4 A b s t r a c t I n t e r p r e t a t i o n

Abstract Interpretation [CC77, CC92] provides general frameworks to reason about semantic approximation. Typically, this problem amounts to finding an upper-approximate of the least fixpoint S ~ of a U~-complete endomorphism F ~ over a complete lattice (7:)~, ~ , _lfl, tl~, T~, R~), the concrete semantic ]unction.

Example 3. The nonstandard collecting semantics S~s of a system S of mobile processes can be shown to be equal to the least fixpoint of the U-complete mor- phism Fs defined over (g3(g(S)), C, ~, U, g(S), N) as follows (see [CC77]):

Fs ~' A X . {cs} U {c[ Sc' E X : c' ~ c)

We can thereby apply an abstract interpretation framework to the analysis of the r-calculus. []

58

If

- ~ , ~o �9 s - Li �9 r Lo �9 ~(lo) , - s~, . . . . + ~ ( y ~ , . . . , ~ ) . ~ . . . ~ , . ( & ~ I - - I &: , ) + - - , - S~o = . - . + ~ [ t , , . . . , t ~ ] . ~ ? . .- ~?o.(&~o I -" I&:o) + - . . , - (~ , , Li, x) ~ (~o, Lo, z) ,

then

where:

- If we put

then

(~, ~ ) ~ (~', ~ ' )

(~(g) - { L n} ~(~) = ~(~) if ~ = f , for ~ �9 {i, o} otherwise

(~ t([) U {L,} if ~----l~ for ~ �9 {i,o), k �9 { 1 , . . . , n , ) ~'(~) -- ~t (~) otherwise

- *~.~'= [ ~ U ~'~c U ~ i U ~'~o U ~ '~]~0~' n (Ports(~') x Ports(~')) where:

�9 * '~c: {((~,Li,yh),(~ko,Lo, th)) I 1 < j < hi,1 < k < no,1 < h < m, yh � 9 � 9

�9 ~.~,--- { ( ( ~ , , L v , u ) , ( ~ , L ~ , u ) ) ] 1 < j < n , , u �9 fn (S t , ) nfn(St~)}, for

, �9 {i, o). j , k , {1, . . , n , ) , h �9 { 1 , . . . , l , } , �9 ~ ' ~ = { ( ( g v ' L v ' V h ) ' ( ~ . ' L " v h ) ) [ j , k �9 .

~ �9 n fn(S~)), for ~ �9 {i,o}.

Fig. 3. Interagent communication

Following [CC92], the semantic approximation is achieved via an abstract semantic specification given by a preordered set (:D~, ~), the abstract semantic

domain, related to :D~ by a concretization function ~ : T)~ ~ l)~, an abstract

basis I~ E 7)~, and an abstract semantic function F ~ : l ) ~ . D ~, such that:

1 . . ~ E ~ ~( '~) . 2. Vx, y e l)~ : x 5 Y ~ "y(x) E_~ ~/(y). 3. Vx e I)~ : F ~ o ~/(x) E ~ ~/ o F~(x).

In order to compute effectively an approximation of S ~, we introduce the notion of widening operator.

Def in i t i on 3 W i d e n i n g O p e r a t o r [CC77, CC92]. A widening on (:D~, _) is

a binary operator V : 7:)~ x :D~ . :D~ which satisfies the following properties:

1. Vx, y E T)~ : x ~ x V y.

59

If

- e~, go e s - Li E O(gi), Lo E ~(~o),

St, =!x(yl , . u i - . . , y , , ) . v ~ . . . ~ j , . ( s t : I "'" I s r - S~o = . . . + ~ [ t ~ , . . . , t , ~ ] . ~ s ~ < . ( s t , o I " " I Sco) + ' " , - (gi, Li, x ) ~ (go, Lo, z),

then

where:

- If we put

then

( t ,~ )~ (~ ' ,~ ' )

~t(g) =_ f ~(g) -{Lo} if g = go ~(g) otherwise

(~ t (g ) U{Lo} if g--- go k for k E {1, . . . ,no} ~'(g) = ~ ~t(g) U {Lo.go} if l = gk for k e { 1 , . . , hi}

( ~t (g) otherwise

- ~-.~'= [ ~ U ~'*c U ~'*i U ~ o O ~'*v]~0~, N (Ports(~') • Ports(~')) where:

" ~'~c = {((gJi,Lo.go,Yh),(gk,Lo, th)) I 1 < j <_ hi,1 < k < no, 1 < h < m, yh e tn(S~) , th e ~(&o~)}. ~'~i=- {((l , ,Li,u), j �9 (li,Lo.go, U)) ] 1 < j < ni,u e fn(St,) M fn(St~)}.

�9 ~ o = {((go,Lo, u), (gJo,no, u)) I 1 < j < no,U e fn(Sto) M in(Set) }. �9 ~.~,= {((gg, Lo, v~),(gk,Lo,vg)) I j , k e {1 , . . . , no} ,h E {1 , . . . , /o} ,

v~ e .f'n(Stl ) Cl .f'n(Sto,.)} U {((g{,no.go, i k i %),(g~,Lo.~o,%)) I L k { 1 , . . , n i } , h e { 1 , . . i �9 .. , t ,} , , , , , e ~ ( s t ~ ) n ~ ( & ~ ) } .

Fig. 4. Agent-server communication

2. Vx, y E T ) ~ : y ~ x V y . 3. For every sequence (xn)n>o of elements of D~, the sequence (x~),_>0 induc-

tively defined as follows:

f .TO 7 ~ X 0

~n%7+i = 2 ~ V Xn+ 1

is ultimately stationary. []

The approximation of the least fixpoint is obtained as the limit of an abstract iteration sequence with widening.

60

T h e o r e m 4 A b s t r a c t I t e r a t e s [CC92]. The iteration sequence (FV)n>O de- fined a s :

Fo v =_I_~ Fur+, = Fn v if F (F v ) ~ Fn v

= F v V F(F v ) otherwise

is ultimately stationary and its limit S ~ satisfies S ~ E ~ 3~(8~). Moreover, if N >_ 0 is such that FVN = FVN+I, then Vn > N : F v = F~.

We now have to construct an abstract domain (T)t, _) approximating C(S) via

a concretization function 7 : :D~ , C(S).

5 Abstract Semant ic Domain

We construct/)~ as a set of abstract configurations ( ~ , ~ ) defined as follows. We represent a set of residuals of a process St by a rational language. More precisely, let A be the set of automata (Q,I ,T,T), where Q is a finite set of states, I , T C_ Q are the initial and final states, and T E p(Q • A(S) • Q) is the transition relation. In order to keep A small and representable, we suppose that all states come from an infinite recursive set Q. For any automaton A in A, we denote by Paths(A) the set of successful paths of A, and by T(A) the set of transitions of A. An abstract distribution of processes ~ is a function from L(S) into A. An abstract communication port is a tuple (l, i, t, x) where

E s x E In(St), i and t being respectively initial and final states of the automaton ~ ( l ) . It describes all concrete ports ( / , L , x ) where L is a word labelling a path 5 from i to t in qS~(~). We denote by Ports~(~ ~) the set of all abstract communication ports associated to ~ .

Our representation of the abstract channel relation is based upon a numerical encoding of paths. The aim of this construction is to be able to represent non- uniIorm channel relations, i.e. to distinguish instances of a process which is recursively spawned. Intuitively, if ~ is the label of such a process, the automaton 4~(~), which is an approximation of the residuals of St, certainly contains cycles (since there is potentially an infinity of instances of Sl). The encoding amounts to assigning a counter to each of these cycles and to identify a residual L of Sl by the number of times a path labelled by L runs through each cycle, i.e. by a tuple of counter values. This idea was first introduced by A. Deutsch [Deu92a, Deu92b] in the context of alias analysis, with a different formulation though. In order to avoid having to find cycles and also to ensure a bet ter precision, we will actually assign a counter to each arrow of the automaton. We now give a formal definition of this construction.

I fp is a successful path in (Q, I , T, T), we denote by p~ its commutative image, tha t is the function from ~- into the set of integers N, which maps any transition of the automaton to the number of times it occurs in p. If l l ,12 E L(S) and

5 We can reduce the number of abstract ports to consider by requiring that there be at least one path in 4 ~ (s from i to t.

61

�9 ~(li) = (Qi, Ii, T~, Ti) for i E {1, 2}, the channel relation between abstract ports

is given by a set of tuples (~ l , i l , t l , x )~ .~(~2, i2 , t2 ,y) where v E (T1 , IN) x

(7-2 , N). If we denote by i(p) (resp. t(p)) the initial (resp. final) s tate of a successful path p of an automaton, this abstract channel relation denotes all pairs (~ l ,L l ,x ) ~-~ ( /2 ,L2,y) for which there exists a successful path pj in ~ ( / j ) labelled by Lj, such that i(pj) = ij and t(pj) = tj, for each j E {1,2}, and v = (p~,p~). Considering commutative images of paths instead of tuples of counter values alleviates us from introducing explicit counter variables which would have led to intricate problems of renaming when it had come to defining the abstract semantics. In the following we will tacitly use the isomorphism:

(-,-1 , x , , N

where ~ denotes the coproduct in the category Se t s of sets and functions (i.e. the disjoint union).

In order to guarantee finite representability for the abstract configurations, we require tha t the set:

(~1, il , tl, X)4""~ (~1, i2, t2, y) d___ef {/2 I (~1, il, tl, X ) ( ~ (~1, i2, t2, Y)}

be effectively given. This can be achieved by considering an abstract numeri-

cal domain, tha t is a representable class of subsets of (~-1 @ ~-2) , N. Sev- eral numerical domains have already been developed for abstract interpreta- tion using various kinds of representations: intervals [CC76], arithmetic congru- ences [Gra89], aJflne equalities [Kar76], convex polyhedra [CH78] or congruence equalities [Gra91]. They all can be described in an abstract way. Let F i n S e t s be

the category of finite sets and functions. If f : V , W is a function between

finite sets, we define Vf : p(V , IN) , p (W , N) to be the function

that maps any X E p(V , N) to the set:

.(v)} ,cI-l(w)

D e f i n i t i o n 5 A b s t r a c t N u m e r i c a l D o m a i n . An abstract numerical domain is a functor ),'~ : F i n S e t s , P o S e r s that sends any finite set V to a poset tha t comes with the structure of a lattice 0)~V, C_~, U~v, ~ ~ T~v) and 0 V, Rv, a mono-

tone map ")'y : (Y~V, C~) * (p(V , N), C). We will omit the subscript V

whenever it will be clear from the context. Moreover, if V * W is an arrow in F i n S e t s , then Vf o "Yv _C "fw o V~f. []

Example 4. We denote by Q the field of rational numbers. Karr 's abstract numer- ical domain [Kar76] associates to each finite set V the set of all affine subspaces

of V , Q endowed with its canonical affine structure 6. ~/v sends any element

An affine subspace of V , Q is a set {p + Al.el + .-. + A,~.e~ ] )~ , . . . , ~ E Q}

where p, el, . . . , e~ are elements of V * Q, addition and multiplication by a scalar being defined componentwise.

62

X~ of ])~V to X~ n (V , N), whereas ~ y is the intersection and LJ~v the sum

of affine subspaces. An affine subspace of V , Q can equivalently be seen as the set of solutions Sol(S) of a system S of affine equations al .vl + . . . + an.vn = c over the variables V = {v l , . . . , vn},. []

Thereby, an abstract channel relation ~ can equivalently be seen as a function of domain Ports ~ ( ~ ) x Ports ~ ( ~ ) that maps any pair ((~1, il , t l , x), (~2, i2, t2, y)) of abstract ports to the element (gl, il, t l , x )~ ,~ (~2, i2, t2, y) of ))~ (vl �9 r2). We leave the choice of the abstract numerical domain 1): as a parameter of our analysis.

Following [Ven96], we provide Z)~ with the structure of a cofibered domain. Given two automata ,41 -- (Q1,11, T1, T1) and ,42 = (Q2,12, T2, "r2), we define a

morphism A1 f , A2 as a pair of functions f l : Q1 ~ Q2 and f2 : T1 * ~-2 satisfying the following conditions:

1. ]1(/1) c_ 12. 2. fl(T1) c_ T2. 3. V(q,~,q r) E ~-1 : f2 (q , t ,q r) = ( f l (q) ,g, f l (q ')) .

A can thereby be turned into a category. We denote by q~ (S) the product cat- egory I]ee~(s) A- An object of 4i~ (S) is an abstract distribution of processes

previously defined. We now construct a functor A from ~ ( S ) into the cate- gory P o S e r s of partially ordered sets and monotone maps. The image of an object 4f~ in ~ ( S ) is the set of all abstract channel relations ~-~ over 4i~ or-

dered by inclusion. We call A ~ the fiber of A over ~5~. Now let 4~ ~ , 4~ be a morphism 7 in ~5~(S). A Jr maps any abstract channel relation ~ ' ~ l in qs~ to the relation *~'~2 such that, for all (~l, i ' l , t ' l ,x) , (~2,i'2,t'2,y) 6 Por t s~ (~ ) , the s e t ( l l , " ' Zl, t l , x)*~--*~2(~2, iS, t~, y) is defined as:

�9 I ( i , ) = =

where ~2(~i) = ( Q j , I j , T j , T j ) , for j ~ {1,2}. We define the preorder _ on T)~ from the Grothendieck construction [BW90] applied to A, i.e. (qS~, ~ '~1) _

(0~, ~"~2) iffthere exists a morphism qS~ ~ , 0~2 such that A}-(,~,,~) C * '~2 . We call A the display associated to the cofibered domain (:D~,-4). Intuitively, 7) ~ consists of a category of posets "glued" together. The cofibered structure will play a major rSle in the definition of the abstract semantics and widening operators.

The concretization function "~ : T)~ * C(S) sends any abstract configura- tion (~fi, ~-~) to the set of concrete configurations (4~, ~,,*) for which there exists

a family of functions (A~ : 4~(~) , Paths(~(~) ) ) te~(s ) satisfying the following conditions:

For each ~ 6 ~C(S), ~'(~): 4i~(~) , 4i~(~) is a morphism of automata.

63

1. For all e E E(S) and L 6 #(e), the path At(L) is labelled by L. 2. Let (el, L1, x), (e2, L2, y) be distinct s ports of #, and pj be the path At~ (L j),

for j E {1,2}. We denote by Tj, j E {1,2}, the set of transitions of ~ ( e j ) . Then, (el, L1, x) ~ (e2, L2, y) implies that

(p~, p~ ) e '~'1 ~r2 ((el, i (Pl), t (Pl), X) ~ ~ (e2, i(p2), t (192), y))

P r o p o s i t i o n 6 . Vc~,c~ e ~O~: c~ _ c~ ~ ~,(c~) C_ 7(c~).

Example 5. We carry on with Example 2. Let ~ E ~ (S) be the abstract distri- bution of processes defined by the following automata:

�9 (e3)

j ,

where we associate distinct counter variables {i, j , i ' , j '} to each transition of the automata. If el,e2 E ~(S), and c is a counter variable associated to a transition a E T(~(ei)), for i E {1, 2}, we denote by ci a counter variable associated to the canonical image of a into r(4 ~ (el))@~-(~ (e2)). We use Karr's abstract numerical domain, hence systems of affine equations represent the abstract values. Now let ~-~ be the abstract channel relation of A ~ that satisfies:

(tl, ql, ql, l ) ~ ( e 2 , q2, q2, l) --- (el, ql, ql, l)~'~(e4, q4, q~, l) = (e2, q2, q2, q 4 , 4 , l) = (e3, q3, q~, C ) ~ ( e 3 , q3, q~, C) ---- (e3, q3, q~, C) ~ ~ (e2, q2, q~, C) =

(e3, q3, q~, y ) ~ (e3, q3, q~, z) =

(e4, qa, 4 , z)~..,J (e3, q3, q~, z) =

ii = i2 = i~

I 31 - - - - j2+l iii ~ i2 1 j l l j2 /

the other components being defined symmetrically. Thus ~ denotes exactly all communication channels that may be created during the evolution of S. []

8 We do not require the channel relation to denote reflexivity since this information can be extracted from ~.

64

6 Abstract Semantics of the ~r-Calculus

Before defining the abstract semantics, we need some additional properties of

abstract numerical domains. Let V ~ I ~ W be an injective map in F inSe t s .

Any abstract numerical domain )?~ : F i n S e t s . P o S e t s provides two com-

putable functions, an embedding Y : 1)~V . );~W, and a projection 7 :

];~W . ~;~V, satisfying the following conditions:

1. VX~ 6 V~V: W 6 7v(X~) : {~ 6 W . N I ~ o / = ~} _C 7w(-~(X~)).

2. VY~ e V~W: W �9 Vw(V~) : ~ o I �9 ~v(7 (y~) ) .

If s is a system of linear equations over the set of variables V, there is a com- putable element Sol~v(S) of ~;~V which upper-approximates the set of variable

assignments in V , N that are solutions of S. We will omit the subscript V whenever it will be clear from the context. Moreover, the lattice ];~V is provided with a widening operator.

Example 6. For Karr's abstract numerical domain, 7 ( Y ~) amounts to the elimi- nation of the coordinates corresponding to the variables W - f ( V ) from a system

of a point and vectors describing Y~. 7 ( X ~) is described by the same system of affine equations as X~. Sol~v(S) is of course directly expressible in Y~V. Since I;~V satisfies the ascending chain condition, a widening is provided by the join U~y . []

We first construct the abstract counterpart of the closure operator [-]~ that maps any binary relation p over Ports(O) to the smallest equivalence relation containing p. This closure operation can be expressed by the following inductive rules:

x �9 Ports(~) (x,y) �9 p (x, x) �9 p (y, �9 p

(x, y) �9 p (y, z) �9 p (x, z) �9 p

The computation of [p]~ amounts to calculating a least fixpoint in (p(Ports (aS) x Ports(~)), C_) (see [CC95]). Thereby, we define the corresponding abstract op- eration as the limit of an abstract iteration sequence 9 on a fiber of T)~ using Theorem 4. For this purpose, we introduce a closure relation t> on abstract chan- nel relations which mimics the inductive rules for [-]~. Let ~ be an abstract distribution of processes. We define E> on A ~ as follows:

1. If pt~,pt~2 �9 Ports~(~ ~) and * '~1 �9 A ~ , then *--~1~>~-~2 where, for all Ptl , pt2 �9 Ports~(~5~):

~ 1 Pt2 if pt 1 = pt' 2 and pt 2 = pt' 1 Ptl ~ 2 P t 2 ---- { ~ ~1 otherwise

9 Note that we only have to cope with the symmetry and transitivity rules (cf. the definition of 7)-

65

2. Let t~,s �9 s and pt~ = (s �9 Ports~(+~), for j �9 {1,2,3}.

We denote by (Qj,Ij,T~,Tj) the automaton r163 for j �9 {1,2,3}. Let

T : T 1 ~ ) T 2 ~ ) T 3 and T~ ~ ) T 2 l l f2 fa T, 1-2 ~ 1-3 : = T, "/'1 r I"3 ~ -~ T be the canonical inclusion maps in FinSets. Now let ~,*~ �9 A ~ and Xj = (l~,i~,t~,x~) ~,.J~ (l~+~,i~+~,t~+~,xj+~), for j �9 {1,2}. Then, * - - ~ t t ~ > ~ where, for M1 pt~, pt 2 �9 Ports ~ (~) ,

--+X -~- --=+ n~ f2 ( 2 ) ) if ptt = Pt~l and pt 2 = pt~ Ptl ~'~2 pt2 = 0"f3 ( f t (X~) otherwise

The fiber A ~ can be endowed with a lattice structure, the join Uv~ and the meet E~, being defined by componentwise application of U~ and H~. We define similarly an operator V ~ on A ~ by componentwise application of the widening operators provided by the abstract numerical domain.

Proposi t ion 7. V ~ is a widening operator on A ~ .

We define an endomorphism Fc, on the fiber A ~ as:

c'~ I ,

Definition 8 Abstract Closure. Let ~ be an abstract distribution of pro- cesses and *,~fl an element of A ~ . The abstract closure [~,~]~, of ~ is given by the limit of the abstract iteration sequence of Theorem 4 applied to the func- tion F~ on the domain A~5~, with ~-~ as abstract basis and V~u as widening operator. []

Note that this closure operation enforces transitivity on an abstract channel relation ~ J . It may cause an important loss of accuracy, since the union of transitive relations (which is what is denoted by ~--~) is in general not transi- tive. In fact, as we will see when we will define the abstract semantics, we only need to perform this closure operation on a relation ~-~ -= ~'~1 U ~"~2 where ~ '~ t denotes concrete channel relations and ~'~2 contains additional relations between ports in the domain of ~'~1 and some newly created ports. Therefore, it is possible to modify the rules defining E> so that they can only be applied to pairs involving a new port, leaving the relation ~'~1 unchanged l~ In order to keep the presentation simple, we do not detail this improvement of the analysis.

We define the abstract semantics of the 7r-calculus by a transition relation ==~ on :D~ which mimics =~. Let ( ~ , ~-*~) be an abstract configuration and to � 9 such that:

= . . . + e [ t l , . . . , I - - I S :o) + . . .

We have a transition ( ~ , ~-~) ~ (~., ~-~.) whenever there is & E/:(S), such that S~ is one of the following processes:

lo This was pointed out to us by Alain Deutsch.

66

. . . . + x(yl , . . . , ym).~vl... ~vl,.(@ I"" I @ , ) + " "

- !x(yl , . . . ,ym).yv~. . t,v~, (St~ I . . . IS t~ , ) and

(~, s~, t~, z )~(~o , So, to, z) # 0 ~ for two abstract ports (~i,si, ti,x) and (s So,to, Z). In other words, there is the possibility of a communication between two residuals of St~ and Sto in a concrete configuration abstracted by ( ~ , ~,-~). We denote by Xc ~ the abstract value (ei, si, ti, x)~"*~(s so, to, z).

We define ~ as follows:

�9 ~.(e) do=~ / ~(e)~(e) @ ,4 0 otherwiseif l = l~, for r/E {i, o}, k E {1,. . . ,nn}

where Ai and Ao are automata representing the residuals of the newly spawned processes, and @ denotes the coproduct i n /~ Whatever St~ may be, agent or server, Ao is always defined as the automaton (Qo, {So}, {to}, To), where, for r] E {i, o}, Qo (resp. To) is the set of states (resp. transitions) of 4f~(go). Indeed, in the nonstandard semantics the residuals of the processes spawned by the sender are always inherited from their parent agent. For Ai there are two different cases depending on the type of St~ :

1. St~ is an agent. Then we put clef

A~ = (Qi, {si}, {t~}, Ti)

2. St~ is a server. We suppose that we are provided with a distinguished element

12 in the set Q of all states of the automata in A. Let Qo : ~= Qo @ {J)}

and {O} : ~2 Qo @ {/2} be the canonical inclusion maps in FinSets. We

denote by To ~ ~ ~-o the function that maps any transition (q,s q') to (~1 (q), l, ~1 (q'))- Then we put

r ar (Qo (~ {a}, {~1 (8o)}, {~2 (J'2)}, To t) d e f

where T o' = {(~l(q),~,~l(q')) [ (q,~,q') �9 70} U {(~l(to),to,~2(S2))}. This is the abstract counterpart of assigning the residual Lo.io to the processes created by the server in the concrete semantics.

I

We denote by A n %, ~ ( e t ) the canonical inclusion morphism in A, for ~ �9

{i, o}, I �9 {1, . . . , nn}. Note that the sets of residuals denoted by ~t are larger than the ones denoted by ~ . Indeed, we are not allowed to remove anything since we have lost all information about the number of residuals of each St.

The abstract channel relation ~ ,~ . mimics the concrete one:

~,~. ~'_-' [A2"(~.~) u~. ~.,,~ u~. ~,,~ u~. ~-~o u~. ~,~,,]~.

where, for all ~ �9 s ~(~) ~:(t) ~.(e) is the canonical inclusion morphism in A. The definitions of ~--~t~, ~ t ~ , ~'*to and ~ follow the lines of their concrete counterparts in Fig. 3 and Fig. 4. We distinguish two cases, depending on the type of Sty.

67

to Ii

x~

t~ t~

Fig. 5. Abstract interagent communication

In te ragen t Communica t i on . If Sl~ is an agent, the abstract semantics of communication is summarized in Fig. 5. We have represented the automata cor- responding to the residuals of Sty, Seo, St~ and Sty, the latter being two processes spawned by the sender and the receiver after the communication occurred.

The abstract channel relation *~'~c performs the binding between the names Yh and t h involved in the communication. Since Xc~ denotes residuals of St~ and St~ that may communicate, we use this same abstract numerical value to denote all possible channels between the ports associated to Yh and th. This can be stated formally as follows. For all j E {1, . . . ,n i} , k e {1, . . . ,no}, h E {1 , . . . ,m}, Yh efn(St~) and th E j~(~o~), we put

(e~, (~)~ (~,), (d)~ (t,), yh)~-,~o(~o k, (~o% (~o), (~o% (to), th) do__, v~((~)~ �9 (~o%)(x~)

d~f 0~" For any other abstract ports p t l ,p t 2 E Ports~(~.), we put p t l ~ c p $ 2 = The abstract channel relations ~ '~ i and ~ o bind the free names in the

instances of Se~ ancl Sto to the corresponding ones in the processes released after the communication. Their r61e is thereby to propagate the scope of free names. The abstract numerical value associated to the relation ~'*~i, for example, is the

68

x~

lo

Fig. 6. Abstract agent-server communication

solution in the abstract numerical domain of the system of equations T ---- T ~, where T is any transition in the automaton corresponding to St~ and T ~ is the copy of ~- in the automaton associated to the newly created process Sl~, as shown

in Fig. 5. The definition of ~ o is similar. The meaning of these operations at the concrete level is to bind pairs of ports with the same residuals. Since we abstract a residual by the number of times a path labelled by this residual runs through each transition of the automaton, our definition is quite natural. This can be stated more formally as follows. For all ~ E {i,o}, k E {1, . . . ,nn} and u E fn(S4) N fn(S~k), we put

(~Y'-~(e,)l (8•), .~(e,)l (ty) , U ) e ' ~ , (ek, (~k)l (8,), (tk)l (ty) , U) de_~ Sol~ (S~)

where S~ is the system of affine equations over 7(~.(g,)) @ ~(~. (l~)) defined as follows: { ~10 ~(~,)2(O') ---- I20 (tk)2(~T)

a E T u

where T(r ~ , T ( 4 ~ . ( 4 ) ) e ~ ( r 1 6 2 T( r canonical

inclusion maps in F inSe t s . For any other abstract ports ptl, pt2 E Ports~(~.), we put ptl ~,~npt 2 ~ 0 ~.

69

The abstract channel relation ~ - ~ binds the new ports created by the com- munication in the spawned processes. Since all processes released during a com- munication by either the sender or the receiver have the same residuals, we define ~ - ~ similarly to ~-~i and ~ o as the abstract solution of a system of linear equations. That is, for all y �9 {i,0}, j , k �9 {1, . . . ,nn}, with j r k 11, and j �9 {1, . . . ,ln} such that v~ �9 fn(Se~ ) N/~n(SQ~), we put

(~J, (/'~)1 (8,), (~J)l (t,), ?~)~'~g(~ k, (/,k)l (8,), (/~k)l (t,), ?~) dr SOI~(S~,k)

where S~ 'k is the system of affine equations over ~(4~!(~))(~ T(qh!(~kn) ) defined as follows:

o = o

a � 9 T u

where T(4~(e~)) ~ . V(4~.(s ~ T(~.(/k)) , ~ T(4~.(~k)) axe the canonical

inclusion maps in FinSets . For any other abstract ports ptl, pt u �9 Ports~(~.), we put ptl ~ p t 2 ~ ~ .

Agen t -Se rve r Commun ica t i on . If S~ is a server, the abstract semantics of communication is summarized in Fig. 6. The abstract channel relations ~'~o and ~ - ~ are constructed exactly as above. The situation is quite different for ~ i and ~"~c, because the automata corresponding to the processes spawned by St~ are copies of the automaton associated to Sto suffixed with a transition labelled by go.

The definition of * '~c is very similar to the definition of * - ~ in the pre- vious case. The binding between the names involved in the communication is performed by taking the solution of the system of equations a' -- a" in the ab- stract numerical domain, as illustrated in Fig. 6. Since residuals of the processes released by the receiver are suffixed with go, we furthermore require that the cor- responding transition be crossed exactly once. This operation can be formalized as follows. For all j �9 {1, . . . ,ni}, k �9 {1,. . . ,no}, h �9 {1,. . . ,m}, Yh �9 fn(Sl~) and th �9 In(Silo), we put

(~J, ($J)l o E1 (80), (tJ)l o ~2 (J~), yh)e,,,~c(~ko, (tok)l (80) , (tok)l(to), th ) a__~f Sol~ (sg,k)

where S g'k is the system of affine equations over T(~i (~)) (9 ~-(~, (eok)) defined as follows:

{ r o (~)~(~l(to),eo,~(~)) =

a E T o

where T(~(s r T(~.(s @ T(~(s , r 7(~(/ok)) are the canonical inclusion maps in FinSets . For any other abstract ports pt l ,p t 2 �9 Ports~(~), we put ptl~,~cpt 2 ~ O ~.

11 Reflexivity is implicit by definition of 7.

70

The definition of ~ - ~ is slightly more delicate. The residuals of the processes spawned by the server are represented by a copy of the automaton associated to the sender and ~-~i relates the instances of St~ which may communicate with S~o to the instances of St~ which have been effectively spawned by the commu-

nication. Thereby, the abstract numerical value associated to ~, ,~ consists of X~ for which each a has been mapped to its copy a" in the automaton corre- sponding to St~ (see Fig. 6), together with the constraint that the additional transition labelled by to must be crossed once. This can be stated formally as

clef I X1 I ! X2 I follows. Let ~ : T~ @ ~5 and T~ ~ -~ Ti, To ~ = ~ be the canonical inclusion maps in FinSets . For all k ~ {1,. . . ,n~} and u ~ fn(St~) ~ fn(S~), we put

(~i, ~7(~i)1 (8i), ~7(~i)1 (~i), U) e"~fii(~k, k (~i)1 0 ~i (8o), (bk)l 0 ~2 (~'~), ~) ae___.f

�9 o n =

~-, ~ . For any other abstract ports pt~,pt 2 ~ Ports~(~), we put pt~,~iptu :

Defini t ion 9 Abstract Semantic Function. Let c ~ = ( ~ , ~ ) be an ab- stract configuration. For any configuration (r such that c~ =~ (~.,

*~-~~ we denote by ~ ' [~ , ~ . ] : ~ , ~ . the canonical inclusion morphism.

Let r be the colimit in ~ ( S ) of the diagram { ~ [ ~ , ~-*~~ : ~ " 4~* I c~ =~

(r ~,~~ and {grt[4~., ~,-~.] : ~ ~ 4~ [ c ~ =~ (4~, ~-~.)} be the coli-

miting cocone. We define the abstract semantic function F~ : :D~ * /)~ as follows:

do~ U ~ {A~-t[r

[]

Theorem 10 Soundness of the Abstract Semantics.

F S o T C _ 7 o F ~

It now remains to define a widening operator on :D~ in order to make the abstract semantics of S computable.

7 W i d e n i n g O p e r a t o r s

There is a generic method to construct widening operators on cofibered domains by combining the widenings defined locally on each fiber [Ven96]. This requires to extend the notion of widening to categories.

7]

Def in i t ion 11 W i d e n i n g on a Category . Let C be a category. A widening operator V on C associates to any two objects X, Y of C two arrows:

X :~ Y X ~ 2 Y X , X V Y , Y

such that for any sequence of objects (Xn)n>0, the sequence of arrows (Xn v Iv, Xv+~)n>o in C defined by:

Zo v --X0 XV+l = x~ v X.+s

~: = xy G x.+,

is ultimately pseudo-stationary, i.e. there exists N such that, for all n > N, fn v is an isomorphism. Moreover we require V to be stable under isomorphism, that is, whenever X ~- X ~ and Y ~ Y~, then XV.Y -~ X ~ V Y ~. []

Assuming that 4~ (S) is provided with a widening V, we construct a widening operator V ~ on 79~ as follows. Let ( ~ , * '~1) and ($~, ~ 2 ) be abstract config- urations, ($~, *~"~1)V~(~, ~ 2 ) is given by:

- ( ~ , ~ V ~ A ( ( ~ ~ ~2)-~ o ( ~ ~ 2 ~/i~2))(,.~2))when 4i~ ~ ~2 is an isomorphism,

-- (~/~ V ~2, A(~ Vl ~/$~2)(*"~1~1)V~ V ~/i~ A(~ V2 ~2)(~"~12)) otherwise.

Intuitively the first case means that when the fiber is "stable", i.e. ~ ~1 ~ is an isomorphism, we "transfer" the abstract channel relation ~ 2 into the fiber and we make the widening with *~.~:

t I v,~ [ A((~ V1 ~)-~ o (~ V~ ~ ) ) ( ~ ) . . . . . . . . . . . . . . . . . . . . . . . . . . . "5

Otherwise we transfer ~'~1 and ~ 2 into the fiber over ~ V ~2 and we make the widening in this fiber:

I I

T h e o r e m 12. X7~ is a widening operator on (79~, _).

72

We now define a widening V on ~n (S) by componentwise application of a widening VA on ,%. The idea is to fold states in an automaton A = (Q, I , T, T) with respect to some "similarity" criterion which is represented by an equiva- lence relation - ~ on Q. The folding operation is achieved by quotienting the automaton with respect to this relation.

Example 7. Let k be a nonnegative integer. For any q E Q, we denote by L<k(q) the set of words labelling a path in ,4 originating from q and of length bounded by k. We define - ~ as follows:

q q' , = . L<k(q) = L<k(q')

This folding criterion is inspired by the k-limiting approximation of [JM81]. []

Def in i t i on 13 Q u o t i e n t o f a n A u t o m a t o n . Let A = (Q, I , T, T) be an au- tomaton of A and .~ be an equivalence relation on Q. We denote by 7r~ :

Q , Q / ~ the canonical projection onto the quotient set 12. The quotient .A/~ of A by .~ is then defined as

.4 /~ ~ (O/~ , r~ ( I ) , r~(T) , {(Tr~(q), g, 7r~(q')) I (q, i , q') e T})

[]

Example 8. Let - a be the smallest equivalence relation on Q such that:

1. Vi, i' E I : i - a i'. 2. V(q,~,r), (q ' ,U,r ' ) E r : q ==-a q' A ~ = ~' ==~ r --a r'.

Then it is obvious that the quotient automaton .A/-~ is deterministic. This is an approximate 13 procedure to make an automaton deterministic. []

Let .41, .42 be two automata. We denote by Ai e~, .41 @ .42, i E {1, 2}, the canonical inclusion morphisms in ,%. If for each automaton A in A we have a computable equivalence relation - ~ on the states of .4, we put

A1 VAA2 d~____f (-41 ~ A2)/----Vl~Z

If A1 @ A2 ~ " (A1 �9 A2) / -v is the morphism of automata induced by the =.41 ~,42

canonical projection 7r-v , we put A1 ~ i A2 de, = r o e i , for i E {1,2}. ~ .41 ~.~L 2

We cannot say much about VA in whole generality. We have to check by hand that each operator defined in this way satisfies the properties of Definition 11.

P r o p o s i t i o n 14. The operator V A defined from the equivalence relations =-~4 of Example 7 is a widening on A.

12 Strictly speaking Q/~ is a representative of the quotient set in Q. 13 The language recognized by the quotient automaton can be larger than the original

one.

73

It only remains to define the abstract basis _lfl = (~x, ~ • in order to compute the iteration sequence. If S is the labelled ~r-term uxl . . . UXm.(gl : AS1 t "'" I gn : A S h ) , where the ASi are either agents or servers, ~x is defined as follows:

~ ( g ) do=f { ({F2},(@, 0, 0,{/2}'0) {I2}, ~) otherwiseif g e (~1,... ,gn}

For all distinct g,g' E { g l , . . . ,gn} and all x E fn(Se) N f n ( S e ) , we put

(e, O, ~, x)e~-~i(g ', f2, J),x) ~f T ~

Example 9. If we use the widening of Example 7 and enforce the automata to be deterministic with the procedure of Example 8, the limit of the abstract iteration sequence corresponding to the ~r-term S of Example 2 is given by the abstract configuration defined in Example 5. Our analysis is thus able to infer non-uniform communication topologies. []

8 Conclus ion

We have presented an analysis of communications in the ~r-calculus based on Abstract Interpretation. This analysis is able to infer accurate descriptions of the communication topology of a system S of mobile processes, since it can dis- tinguish instances of recursively spawned processes, as illustrated by Examples 5 and 9. This can be applied in particular to problems of security in distributed sys- tems, where this kind of information is required to ensure that confidential data cannot be accessed by unauthorized elements of the system. Another possible application would be to use the information about the communication topology to statically derive an allocation strategy of the processes on a multiprocessor architecture which optimizes the communication cost. Future work will focus on the implementation of the analysis and the experimental study of its usefulness for these applications.

Further extensions to the abstract interpretation of the r-calculus are to be investigated. One can enrich the abstract domain to take into account the num- ber of instances o f a process. This may improve the analysis and give interest- ing information for compilation (channels used only once, finite communication topologies, etc.). However the major extension is to consider ~r-terms with free variables in order to achieve modular analysis. This requires to modify the non- standard semantics in order to model interaction with the environment. Finally, other directions for the approximation of the communication topology should be studied, like hypergraph grammars in the style of [Hab92].

Acknowledgement s : I am grateful to Torben Amtoft, Radhia Cousot, Patrick Cousot and Inn Mackie for helpful comments on first versions of this paper. All diagrams have been designed using Paul Taylor's and Paul Gastin's I_4TEX packages.

74

References

[BB92]

[BCHK94]

[BW90]

[CC76]

[cc77]

[CC92]

[cc95]

[CH78]

[Co195a]

[Co195b]

[Deu92a]

[Deu92b]

[Deu94]

[Gra89]

[Gra911

[Hab921

G. Berry and G. Boudol. The chemical abstract machine. Theoretical Com- puter Science, 96:217-248, 1992. G. Boudol, I. Castellani, M. Hennessy, and A Kiehn. A theory of processes

with localities. Formal Aspects of Computing, 6(2):165-200, 1994. M. Barr and C. Wells. Category Theory for Computing Science. Prentice Hall, 1990. P. Cousot and R. Cousot. Static determination of dynamic properties of programs. In Proceedings of the 2 nd International Symposium on Program- ming, pages 106-130, Paris, 1976. Dunod. P. Cousot and R. Cousot. Abstract interpretation : a unified lattice model for static analysis of programs by construction or approximation of fix- points. In Conference Record of the 4 th ACM Symposium on Principles of Programming Languages, pages 238-252, Los Angeles, California, U.S.A., 1977. P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of logic and computation, 2(4):511-547, August 1992. P. Cousot and R. Cousot. Compositional and inductive semantic definitions in fixpoint, equational, constraint, closure-condition, rule-based and game theoretic form. In Conference on Computer-Aided Verification, 7th Inter- national Conference, CA V'95, volume 939 of Lecture Notes in Computer Science, pages 293-308. Springer-Verlag, 1995. Invited paper. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In 5 th POPL. ACM Press, 1978. C. Colby. Analyzing the communication topology of concurrent programs. In Symposium on Partial Evaluation and Program Manipulation, 1995. C. Colby. Determining storage properties of sequential and concurrent pro- grams with assignment and structured data. In Proceedings of the Second International Static Analysis Symposium, volume 983 of Lecture Notes in Computer Science, pages 64-81. Springer-Verlag, 1995. A. Deutsch. Operational models of programming languages and representa- tions of relations on regular languages with application to the static determi- nation of dynamic aliasing properties of data. PhD thesis, University Paris VI (France), 1992. A. Deutsch. A storeless model of aliasing and its abstraction using finite representations of right-regular equivalence relations. In Proceedings of the 1992 International Conference on Computer Languages, pages 2-13. IEEE Computer Society Press, Los Alamitos, California, U.S.A., 1992. A. Deutsch. Interprocedural may-alias analysis for pointers: beyond k- limiting. In A CM SIGPLAN'94 Conference on Programming Language De- sign and Implementation. ACM Press, 1994. P. Granger. Static analysis of arithmetical congruences. International Jour- nal of Computer Mathematics, 30:165-190, 1989. P. Granger. Static analysis of linear congruence equalities among variables of a program. In TAPSGFT'91, volume 493. Lecture Notes in Computer Science, 1991. A. Habel. Hyperedge replacement: grammars and languages, volume 643 of Lecture Notes in Computer Science. Springer-Verlag, 1992.

75

[JM81]

[Jon81]

[Kar761

[Mil91]

[Mil92]

[MPW92]

INN94]

[San94a]

[San94b]

[Tur95]

[Ven96]

N. Jones and S. Muchnick. Flow analysis and optimization of lisp-like struc- tures. In Program Flow Analysis: Theory and Applications, pages 102-131. Prentice Hall, 1981. H.B.M Jonkers. Abstract storage structures. In De Bakker and Van Vliet, editors, Algorithmic languages, pages 321-343. IFIP, 1981. M. Karr. Affine relationships among variables of a program. Acta Infor- matica, pages 133-151, 1976. R. Milner. The polyadic ~r-calculus: a tutorial. In Proceedings of the In- ternational Summer School on Logic and Algebra of Specification. Springer Verlag, 1991. R. Milner. Functions as processes. Journal of Mathematical Structures in Computer Science, 2, 1992. R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes. In- formation and Computation, 100:1 - 77, 1992. H. R. Nielson and F. Nielson. Higher-order concurrent programs with fi- nite communication topology. In 21 st ACM Symposium on Principles of Programming Languages, 1994. D. Sangiorgi. Expressing mobility in process algebras: first-order and higher- order paradigms. PhD thesis, University of Edinburgh, 1994. D. Sangiorgi. Locality and true-concurrency in calculi for mobile processes. In International Symposium on Theoretical Aspects of Computer Software, Lecture Notes in Computer Science, 1994. D. N. Turner. The Polymorphic Pi-Caleulus: Theory and Implementation. PhD thesis, Edinburgh University, 1995. A. Venet. Abstract cofibered domains: Application to the alias analysis of untyped programs. In Proc. of the Third International Static Analysis Symposium SAS'96, volume 1145 of Lecture Notes in Computer Science, pages 366-382. Springer-Verlag, 1996.