Formal Techniques for Distributed Objects, Components, and Systems: 39th IFIP WG 6.1 International Conference, FORTE 2019, Held as Part of the 14th International Federated Conference on Distributed Computing Techniques, DisCoTec 2019, Kongens Lyngby, Denmark, June 17–21, 2019, Proceedings [1st ed.] 978-3-030-21758-7;978-3-030-21759-4

Table of contents :
Front Matter ....Pages i-xiv
Front Matter ....Pages 1-1
Psi-Calculi Revisited: Connectivity and Compositionality (Johannes Åman Pohjola)....Pages 3-20
Squeezing Streams and Composition of Self-stabilizing Algorithms (Karine Altisen, Pierre Corbineau, Stéphane Devismes)....Pages 21-38
Parametric Updates in Parametric Timed Automata (Étienne André, Didier Lime, Mathias Ramparison)....Pages 39-56
Parametric Statistical Model Checking of UAV Flight Plan (Ran Bao, Christian Attiogbe, Benoît Delahaye, Paulin Fournier, Didier Lime)....Pages 57-74
Only Connect, Securely (Chandrika Bhardwaj, Sanjiva Prasad)....Pages 75-92
Output-Sensitive Information Flow Analysis (Cristian Ene, Laurent Mounier, Marie-Laure Potet)....Pages 93-110
Component-aware Input-Output Conformance (Alexander Graf-Brill, Holger Hermanns)....Pages 111-128
Declarative Choreographies and Liveness (Thomas T. Hildebrandt, Tijs Slaats, Hugo A. López, Søren Debois, Marco Carbone)....Pages 129-147
Model Checking HPnGs in Multiple Dimensions: Representing State Sets as Convex Polytopes (Jannik Hüls, Anne Remke)....Pages 148-166
Causal-Consistent Replay Debugging for Message Passing Programs (Ivan Lanese, Adrián Palacios, Germán Vidal)....Pages 167-184
Correct and Efficient Antichain Algorithms for Refinement Checking (Maurice Laveaux, Jan Friso Groote, Tim A. C. Willemse)....Pages 185-203
Towards Verified Blockchain Architectures: A Case Study on Interactive Architecture Verification (Diego Marmsoler)....Pages 204-223
Unfolding-Based Dynamic Partial Order Reduction of Asynchronous Distributed Programs (The Anh Pham, Thierry Jéron, Martin Quinson)....Pages 224-241
Encapsulation and Sharing in Dynamic Software Architectures: The Hypercell Framework (Jean-Bernard Stefani, Martin Vassor)....Pages 242-260
Decentralized Real-Time Safety Verification for Distributed Cyber-Physical Systems (Hoang-Dung Tran, Luan Viet Nguyen, Patrick Musau, Weiming Xiang, Taylor T. Johnson)....Pages 261-277
Front Matter ....Pages 279-279
On Certifying Distributed Algorithms: Problem of Local Correctness (Kim Völlinger)....Pages 281-288
On a Higher-Order Calculus of Computational Fields (Giorgio Audrito, Mirko Viroli, Ferruccio Damiani, Danilo Pianini, Jacob Beal)....Pages 289-292
Semantically Sound Analysis of Content Security Policies (Stefano Calzavara, Alvise Rabitti, Michele Bugliesi)....Pages 293-297
Back Matter ....Pages 299-299

Citation preview

LNCS 11535

Jorge A. Pérez Nobuko Yoshida (Eds.)

Formal Techniques for Distributed Objects, Components, and Systems 39th IFIP WG 6.1 International Conference, FORTE 2019 Held as Part of the 14th International Federated Conference on Distributed Computing Techniques, DisCoTec 2019 Kongens Lyngby, Denmark, June 17–21, 2019, Proceedings

123

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board Members David Hutchison Lancaster University, Lancaster, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Zurich, Switzerland John C. Mitchell Stanford University, Stanford, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel C. Pandu Rangan Indian Institute of Technology Madras, Chennai, India Bernhard Steffen TU Dortmund University, Dortmund, Germany Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA

11535

More information about this series at http://www.springer.com/series/7408

Jorge A. Pérez Nobuko Yoshida (Eds.) •

Formal Techniques for Distributed Objects, Components, and Systems 39th IFIP WG 6.1 International Conference, FORTE 2019 Held as Part of the 14th International Federated Conference on Distributed Computing Techniques, DisCoTec 2019 Kongens Lyngby, Denmark, June 17–21, 2019 Proceedings

123

Editors Jorge A. Pérez University of Groningen Groningen, The Netherlands

Nobuko Yoshida Imperial College London London, UK

ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-030-21758-7 ISBN 978-3-030-21759-4 (eBook) https://doi.org/10.1007/978-3-030-21759-4 LNCS Sublibrary: SL2 – Programming and Software Engineering © IFIP International Federation for Information Processing 2019 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Foreword

The 14th International Federated Conference on Distributed Computing Techniques (DisCoTec) took place in Kongens Lyngby, Denmark, during June 17–21, 2019. It was organized by the Department of Applied Mathematics and Computer Science at the Technical University of Denmark. The DisCoTec series is one of the major events sponsored by the International Federation for Information Processing (IFIP). It comprised three conferences: – COORDINATION, the IFIP WG 6.1 21st International Conference on Coordination Models and Languages – DAIS, the IFIP WG 6.1 19th International Conference on Distributed Applications and Interoperable Systems – FORTE, the IFIP WG 6.1 39th International Conference on Formal Techniques for Distributed Objects, Components and Systems Together, these conferences cover a broad spectrum of distributed computing subjects, ranging from theoretical foundations and formal description techniques to systems research issues. In addition to the individual sessions of each conference, the event included several plenary sessions that gathered attendants from the three conferences. This year, the general chair and the DisCoTec Steering Committee joined the three DisCoTec conferences in the selection and nomination of the plenary keynote speakers, whose number was accordingly increased from the traditional three to five. The five keynote speakers and the title of their talks are listed below: – Prof. David Basin (ETH Zürich, Switzerland) – “Security Protocols: Model Checking Standards” – Dr. Anne-Marie Kermarrec (Inria Rennes, France) – “Making Sense of Fast Big Data” – Prof. Marta Kwiatkowska (University of Oxford, UK) – “Versatile Quantitative Modelling: Verification, Synthesis and Data Inference for Cyber-Physical Systems” – Prof. Silvio Micali (MIT, USA)—“ALGORAND—The Distributed Ledger for the Borderless Economy” – Prof. Martin Wirsing (LMU, Germany) – “Toward Formally Designing Collective Adaptive Systems” As is traditional in DisCoTec, an additional joint session with the best papers from each conference was organized. The best papers were: – “Representing Dependencies in Event Structures” by G. Michele Pinna (Coordination) – “FOUGERE: User-Centric Location Privacy in Mobile Crowdsourcing Apps” by Lakhdar Meftah, Romain Rouvoy and Isabelle Chrisment (DAIS)

vi

Foreword

– “Psi-Calculi Revisited: Connectivity and Compositionality” by Johannes Åman Pohjola (FORTE) Associated with the federated event were also two satellite events that took place: – ICE, the 12th International Workshop on Interaction and Concurrency Experience – DisCoRail, the First International Workshop on Distributed Computing in Future Railway Systems I would like to thank the Program Committee chairs of the different events for their help and cooperation during the preparation of the conference, and the Steering Committee and Advisory Boards of DisCoTec and their conferences for their guidance and support. The organization of DisCoTec 2019 was only possible thanks to the dedicated work of the Organizing Committee, including Francisco “Kiko” Fernández Reyes and Francesco Tiezzi (publicity chairs), Maurice ter Beek, Valerio Schiavoni, and Andrea Vandin (workshop chairs), Ann-Cathrin Dunker (logistics and finances), as well as all the students and colleagues who volunteered their time to help. Finally, I would like to thank IFIP WG 6.1 for sponsoring this event, Springer’s Lecture Notes in Computer Science team for their support and sponsorship, EasyChair for providing the reviewing infrastructure, the Nordic IoT Hub for their sponsorship, and the Technical University of Denmark for providing meeting rooms and additional support. June 2019

Alberto Lluch Lafuente

Preface

This volume contains the papers presented at FORTE 2019: the 39th IFIP WG 6.1 International Conference on Formal Techniques for Distributed Objects, Components, and Systems. FORTE 2019 was held as one of three main conferences of the 14th International Federated Conference on Distributed Computing Techniques (DisCoTec), during June 17–21, 2019 in Lyngby, Denmark. FORTE is a well-established forum for fundamental research on theory, models, tools, and applications for distributed systems, with special interest in: – – – – – – –

Software quality, reliability, availability, and safety Security, privacy, and trust in distributed and/or communicating systems Service-oriented, ubiquitous, and cloud computing systems Component- and model-based design Object technology, modularity, software adaptation Self-stabilization and self-healing/organizing Verification, validation, formal analysis, and testing of the above

The Program Committee received a total of 42 quality submissions, written by authors from 21 different countries. Of these, 18 papers were selected for inclusion in the scientific program: 15 full papers, one short paper, and two “journal first” papers—a new submission category we introduced this year. Each submission was reviewed by at least three Program Committee members with the help of external reviewers in selected cases. There was one submission with which both of us declared ourselves in conflict; Uwe Nestmann kindly agreed to oversee and lead the discussion for this submission, which was eventually accepted. The selection of accepted submissions was based on electronic discussions via the EasyChair conference management system. Toward the end of this electronic discussion, there was a two-day physical meeting in which we discussed the referee reports for each submission with the relevant Program Committee members. We found this combination of electronic and physical discussion highly effective. As program chairs, we actively contributed to the selection of the five keynote speakers of DisCoTec 2019: – – – – –

Prof. David Basin (ETH Zürich, Switzerland) Dr. Anne-Marie Kermarrec (Inria Rennes, France) Prof. Marta Kwiatkowska (University of Oxford, UK) Prof. Silvio Micali (MIT, USA) Prof. Martin Wirsing (LMU, Germany)

We are most grateful to Prof. Basin for accepting our invitation as FORTE-related keynote speaker. This volume includes the abstract of his keynote talk: “Security Protocols: Model Checking Standards.”

viii

Preface

As is traditional in DisCoTec, a joint session with the best papers from each main conference was organized. The best paper of FORTE 2019 was “Psi-Calculi Revisited: Connectivity and Compositionality” by Johannes Åman Pohjola (Data61/CSIRO, University of New South Wales, Australia). We wish to thank all the authors of submitted papers, all the members of the Program Committee for their thorough evaluations of the submissions, and the 26 external reviewers who assisted the evaluation process. We are also indebted to the Steering Committee of FORTE for their advice and suggestions. Last but not least, we thank the DisCoTec general chair, Alberto Lluch Lafuente, and his organization team for their hard, effective work on providing an excellent environment for FORTE 2019 and all other conferences and workshops. April 2019

Jorge A. Pérez Nobuko Yoshida

Organization

Program Committee Samik Basu Annette Bieniusa Stefano Calzavara Natalia Chechina Mila Dalla Preda Rayna Dimitrova Patrick Eugster Ichiro Hasuo Thomas Hildebrandt Sophia Knight Etienne Lozes Emanuela Merelli Roland Meyer Uwe Nestmann Gustavo Petri Jorge A. Pérez Willard Rafnsson Anne Remke Guido Salvaneschi Cesar Sanchez Ana Sokolova Alexander J. Summers Peter Thiemann Jaco van de Pol Tim Willemse Nobuko Yoshida Lukasz Ziarek

Iowa State University, USA University of Kaiserslautern, Germany Università Ca’ Foscari Venezia, Italy Bournemouth University, UK University of Verona, Italy University of Leicester, UK University of Lugano (USI), Switzerland National Institute of Informatics, Japan University of Copenhagen, Denmark University of Minnesota, USA I3S, University of Nice and CNRS, France University of Camerino, Italy TU Braunschweig, Germany TU Berlin, Germany IRIF, Paris Diderot, Paris 7, France University of Groningen, The Netherlands IT University of Copenhagen, Denmark WWU Münster, Germany TU Darmstadt, Germany IMDEA Software Institute, Spain University of Salzburg, Austria ETH Zurich, Switzerland Universität Freiburg, Germany Aarhus University, Denmark Eindhoven University of Technology, The Netherlands Imperial College London, UK SUNY Buffalo, USA

Additional Reviewers Aldini, Alessandro Alvim, Mario S. Åman Pohjola, Johannes Back, Christoffer Olling Chini, Peter Courtieu, Pierre Dubut, Jérémy Francalanza, Adrian Inverso, Omar

Keiren, Jeroen Madiot, Jean-Marie Maestri, Stefano Maubert, Bastien Menikkumbura, Danushka Neumann, Elisabeth Otoni, Rodrigo Pilch, Carina Radanne, Gabriel

Sasse, Ralf Savvides, Savvas Schweizer, Sebastian Sedwards, Sean Tesei, Luca Wolff, Sebastian Yamada, Akihisa Zeller, Peter

Security Protocols: Model Checking Standards (Invited Talk)

David Basin Department of Computer Science, ETH Zurich, Switzerland

The design of security protocols is typically approached as an art, rather than a science, and often with disastrous consequences. But this need not be so! I have been working for ca. 20 years on foundations, methods, and tools, both for developing protocols that are correct by construction [9, 10] and for the post-hoc verification of existing designs [1–4, 8]. In this talk I will introduce my work in this area and describe my experience analyzing, improving, and contributing to different industry standards, both existing and upcoming [5–7].

References 1. Basin, D.: Lazy infinite-state analysis of security protocols. In: Secure Networking — CQRE [Secure] 1999. CQRE. LNCS, vol. 1740, pp. 30–42. Springer, Heidelberg (1999) 2. Basin, D., Cremers, C., Dreier, J., Sasse, R.: Symbolically analyzing security protocols using tamarin. SIGLOG News 4(4), 19–30 (2017). https://doi.org/10.1145/3157831.3157835 3. Basin, D., Cremers, C., Meadows, C.: Model checking security protocols. In: Clarke, E., Henzinger, T., Veith, H., Bloem, R. (eds.) Handbook of Model Checking, pp. 727–762. Springer, Cham (2018) 4. Basin, D., Mödersheim, S., Viganò, L.: OFMC: a symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3), 181–208 (2005). published online December 2004 5. Basin, D.A., Cremers, C., Meier, S.: Provably repairing the ISO/IEC 9798 standard for entity authentication. J. Comput. Secur. 21(6), 817–846 (2013) 6. Basin, D.A., Cremers, C.J.F., Miyazaki, K., Radomirovic, S., Watanabe, D.: Improving the security of cryptographic protocol standards. IEEE Secur. Priv. 13(3), 24–31 (2015). https:// doi.org/10.1109/MSP.2013.162, http://dx.doi.org/10.1109/MSP.2013.162 7. Basin, D.A., Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R., Stettler, V.: Formal analysis of 5G authentication. CoRR abs/1806.10360 (2018). http://arxiv.org/abs/1806.10360 8. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF), pp. 78–94 (2012) 9. Sprenger, C., Basin, D.: Refining key establishment. In: Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF), pp. 230–246 (2012) 10. Sprenger, C., Basin, D.: Refining security protocols. J. Comput. Secur. 26(1), 71–120 (2018). https://doi.org/10.3233/JCS-16814, http://dx.doi.org/10.3233/JCS-16814

Contents

Full Papers Psi-Calculi Revisited: Connectivity and Compositionality . . . . . . . . . . . . . . . Johannes Åman Pohjola

3

Squeezing Streams and Composition of Self-stabilizing Algorithms . . . . . . . . Karine Altisen, Pierre Corbineau, and Stéphane Devismes

21

Parametric Updates in Parametric Timed Automata . . . . . . . . . . . . . . . . . . . Étienne André, Didier Lime, and Mathias Ramparison

39

Parametric Statistical Model Checking of UAV Flight Plan . . . . . . . . . . . . . Ran Bao, Christian Attiogbe, Benoît Delahaye, Paulin Fournier, and Didier Lime

57

Only Connect, Securely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chandrika Bhardwaj and Sanjiva Prasad

75

Output-Sensitive Information Flow Analysis . . . . . . . . . . . . . . . . . . . . . . . . Cristian Ene, Laurent Mounier, and Marie-Laure Potet

93

Component-aware Input-Output Conformance. . . . . . . . . . . . . . . . . . . . . . . Alexander Graf-Brill and Holger Hermanns

111

Declarative Choreographies and Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . Thomas T. Hildebrandt, Tijs Slaats, Hugo A. López, Søren Debois, and Marco Carbone

129

Model Checking HPnGs in Multiple Dimensions: Representing State Sets as Convex Polytopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jannik Hüls and Anne Remke

148

Causal-Consistent Replay Debugging for Message Passing Programs. . . . . . . Ivan Lanese, Adrián Palacios, and Germán Vidal

167

Correct and Efficient Antichain Algorithms for Refinement Checking . . . . . . Maurice Laveaux, Jan Friso Groote, and Tim A. C. Willemse

185

Towards Verified Blockchain Architectures: A Case Study on Interactive Architecture Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diego Marmsoler

204

xiv

Contents

Unfolding-Based Dynamic Partial Order Reduction of Asynchronous Distributed Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Anh Pham, Thierry Jéron, and Martin Quinson

224

Encapsulation and Sharing in Dynamic Software Architectures: The Hypercell Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jean-Bernard Stefani and Martin Vassor

242

Decentralized Real-Time Safety Verification for Distributed Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hoang-Dung Tran, Luan Viet Nguyen, Patrick Musau, Weiming Xiang, and Taylor T. Johnson

261

Short and “Journal First” Papers On Certifying Distributed Algorithms: Problem of Local Correctness. . . . . . . Kim Völlinger

281

On a Higher-Order Calculus of Computational Fields . . . . . . . . . . . . . . . . . Giorgio Audrito, Mirko Viroli, Ferruccio Damiani, Danilo Pianini, and Jacob Beal

289

Semantically Sound Analysis of Content Security Policies . . . . . . . . . . . . . . Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi

293

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

299

Full Papers

Psi-Calculi Revisited: Connectivity and Compositionality Johannes ˚ Aman Pohjola1,2(B) 1

2

Data61/CSIRO, Sydney, Australia [email protected] University of New South Wales, Sydney, Australia

Abstract. Psi-calculi is a parametric framework for process calculi similar to popular pi-calculus extensions such as the explicit fusion calculus, the applied pi-calculus and the spi calculus. Mechanised proofs of standard algebraic and congruence properties of bisimilarity apply to all calculi within the framework. A limitation of psi-calculi is that communication channels must be symmetric and transitive. In this paper, we give a new operational semantics to psi-calculi that allows us to lift these restrictions and simplify some of the proofs. The key technical innovation is to annotate transitions with a provenance—a description of the scope and channel they originate from. We give mechanised proofs that our extension is conservative, and that the standard algebraic and congruence properties of bisimilarity are maintained. We show correspondence with a reduction semantics and barbed bisimulation. We show how a pi-calculus with preorders that was previously beyond the scope of psi-calculi can be captured, and how to encode mixed choice under very strong quality criteria. Keywords: Process algebra · Psi-calculi · Nominal logic Interactive theorem proving · Bisimulation

1

·

Introduction

This paper is mainly concerned with channel connectivity, by which we mean the relationship that describes which input channels are connected to which output channels in a setting with message-passing concurrency. In the pi-calculus [18], channel connectivity is syntactic identity: in the process a(x).P | b y.Q where one parallel component is waiting to receive on channel a and the other is waiting to send on channel b, interaction is possible only if a = b. c IFIP International Federation for Information Processing 2019  Published by Springer Nature Switzerland AG 2019 J. A. P´ erez and N. Yoshida (Eds.): FORTE 2019, LNCS 11535, pp. 3–20, 2019. https://doi.org/10.1007/978-3-030-21759-4_1

4

J. ˚ Aman Pohjola

Variants of the pi-calculus may have more interesting channel connectivity. The explicit fusion calculus pi-F [9] extends the pi-calculus with a primitive for fusing names; once fused, they are treated as being for all purposes one and the same. Channel connectivity is then given by the equivalence closure of the name fusions. For example, if we extend the above example with the fusion (a = b) a(x).P | b y.Q | (a = b) then communication is possible. Other examples may be found in e.g. calculi for wireless communication [19], where channel connectivity can be used to directly model the network’s topology. Psi-calculi [2] is a family of applied process calculi, where standard metatheoretical results, such as the algebraic laws and congruence properties of bisimulation, have been established once and for all through mechanised proofs [3] for all members of the family. Psi-calculi generalises e.g. the pi-calculus and the explicit fusion calculus in several ways. In place of atomic names it allows channels and messages to be taken from an (almost) freely chosen term language. In place of fusions, it admits the formulas of an (almost) freely chosen logic as first-class processes. Channel connectivity is determined by judgements of said logic, with one restriction: the connectivity thus induced must be symmetric and transitive. The main contribution of the present paper is a new way to define the semantics of psi-calculi that lets us lift this restriction, without sacrificing any of the algebraic laws and compositionality properties. It is worth noting that this was previously believed to be impossible: Bengtson et al. [2, p. 14] even offer counterexamples to the effect that without symmetry and transitivity, scope extension is unsound. However, a close reading reveals that these counterexamples apply only to their particular choice of labelled semantics, and do not rule out the possibility that the counterexamples could be invalidated by a rephrasing of the labelled semantics such as ours. The price we pay for this increased generality is more complicated transition labels: we decorate input and output labels with a provenance that keeps track of which prefix a transition originates from. The idea is that if I am an input label and you are an output label, we can communicate if my subject is your provenance, and vice versa. This is offset by other simplifications of the semantics and associated proofs that provenances enable. Contributions. This paper makes the following specific technical contributions: – We define a new semantics of psi-calculi that lifts the requirement that channel connectivity must be symmetric and transitive, using the novel technical device of provenances (Sect. 2). – We prove that strong bisimulation is a congruence and satisfies the usual algebraic laws such as scope extension. Interestingly, provenances can be ignored for the purpose of bisimulation. These proofs are machine-checked1 in Nominal Isabelle [24] (Sect. 3.1). 1

Isabelle proofs are available at https://github.com/IlmariReissumies/newpsi.

Psi-Calculi Revisited: Connectivity and Compositionality

5

– We prove, again using Nominal Isabelle, that this paper’s developments constitute a conservative extension of the original psi-calculi (Sect. 3.2). – We further validate our semantics by defining a reduction semantics and strong barbed congruence, and showing that they agree with their labelled counterparts (Sect. 3.2). – We capture a pi-calculus with preorders by Hirschkoff et al. [11], that was previously beyond the scope of psi-calculi because of its non-transitive channel connectivity. The bisimilarity we obtain turns out to coincide with that of Hirschkoff et al. (Sect. 4.1). – We exploit non-transitive connectivity to show that mixed choice is a derived operator of psi-calculi in a very strong sense: its encoding is fully abstract and satisfies strong operational correspondence (Sect. 4.2). For lack of space we elide proofs; please see the associated technical report [1].

2

Definitions

This section introduces core definitions such as syntax and semantics. Many definitions are shared with the original presentation of psi-calculi, so this section also functions as a recapitulation of [2]. We will highlight the places where the two differ. We assume a countable set of names N ranged over by a, b, c, . . . , x, y, z. A nominal set [8] is a set equipped with a permutation action ·; intuitively, if X ∈ X and X is a nominal set, then (x y) · X, which denotes X with all occurrences of the name x swapped for y and vice versa, is also an element of X. n(X) (the support of X) is, intuitively, the set of names such that swapping them changes X. We write a#X (“a is fresh in X) for a ∈ / n(X). A nominal set X has finite support if for every X ∈ X, n(X) is finite. A function symbol f is equivariant if p · f (x) = f (p · x); this generalises to n-ary function symbols in the obvious way. Whenever we define inductive syntax with names, it is implicitly quotiented by permutation of bound names, so e.g. (νx)ax = (νy)ay if x, y#a. Psi-calculi is parameterised on an arbitrary term language and a logic of environmental assertions: . Definition 1 (Parameters). A psi-calculus is a 7-tuple (T, A, C, , ⊗, 1, →) with three finitely supported nominal sets: 1. T, the terms, ranged over by M, N, K, L, T ; 2. A, the assertions, ranged over by Ψ ; and 3. C, the conditions, ranged over by ϕ. We assume each of the above is equipped with a substitution function [ := ] that substitutes (sequences of ) terms for names. The remaining three parameters are equivariant function symbols written in infix:  : A × C ⇒ bool (entailment) 1:A (unit)

⊗ : A × A ⇒ A (composition) . → : T × T ⇒ C (channel connectivity)

6

J. ˚ Aman Pohjola

. Intuitively, M → K means the prefix M can send a message to the prefix K. The substitution functions must satisfy certain natural criteria wrt. their treatment of names; see [2] for the details. Definition 2 (Static equivalence). Two assertions Ψ, Ψ  are statically equivalent, written Ψ Ψ  , if ∀ϕ. Ψ  ϕ ⇔ Ψ   ϕ. Definition 3 (Valid parameters). A psi-calculus is valid if (A/ , ⊗, 1) form an abelian monoid. Note that since the abelian monoid is closed, static equivalence is preserved by composition. Henceforth we will only consider valid psi-calculi. The original . . presentation of psi-calculi had ↔ for channel equivalence in place of our →, . and required that channel equivalence be symmetric (formally, Ψ  M ↔ K iff . Ψ  K ↔ M ) and transitive. Definition 4 (Process syntax). The processes (or agents) P, ranged over by P, Q, R, are inductively defined by the grammar P := 0 M N.P case ϕ  : P (νx)P

(nil) (output) (case) (restriction)

Ψ  M (λ x)N.P P |Q !P

(assertion) (input) (parallel composition) (replication)

A process is assertion guarded ( guarded for short) if all assertions occur underneath an input or output prefix. We require that in !P , P is guarded; that in case ϕ  : P, all P are guarded; and that in M (λ x)N . P it holds that x  ⊆ n(N ). We will use PG , QG to range over guarded processes. Restriction, replication and parallel composition are standard. M N.P is a process ready to send the message N on channel M , and then continue as P . x)N.P is a process ready to receive a message on channel M Similarly, M (λ that matches the pattern (λ x)N . The process Ψ  asserts a fact Ψ about the environment. Intuitively, Ψ  | P means that P executes in an environment where all conditions entailed by Ψ hold. P may itself contain assertions that add or retract conditions. Environments can evolve dynamically: as a process reduces, assertions may become unguarded and thus added to the environment. case ϕ  : P is a process that may act as any Pi whose guard ϕi is entailed by the environment. For discussion of why replication and case must be guarded we refer to [2,15]. The assertion environment of a process is described by its frame: Definition 5 (Frames). The frame of P , written F(P ) = (νbP )ΨP where bP bind into ΨP , is defined as F(Ψ ) = (ν)Ψ

F(P | Q) = F(P ) ⊗ F(Q) F(P ) = 1 otherwise

F((νx)P ) = (νx)F(P )

Psi-Calculi Revisited: Connectivity and Compositionality

7

where name-binding and composition of frames is defined as (νx)(νbP )ΨP = (νx, bP )ΨP , and, if bP #bQ , ΨQ and bQ #ΨP , (νbP )ΨP ⊗ (νbQ )ΨQ = (νbP , bQ )ΨP ⊗ ΨQ . We extend entailment to frames as follows: F(P )  ϕ holds if, for some bP , ΨP such that F(P ) = (νbP )ΨP and bP #ϕ, ΨP  ϕ. The freshness side-condition bP #ϕ is important because it allows assertions to be used for representing local state. By default, the assertion environment is effectively a form of global nonmonotonic state, which is not always appropriate for modelling distributed processes. With ν-binding we recover locality by writing e.g. (νx)(x = M  | P ) for a process P with a local variable x. The notion of provenance is the main novelty of our semantics. It is the key technical device used to make our semantics compositional: Definition 6 (Provenances). The provenances Π, ranged over by π, are either ⊥ or of form (ν x; y)M , where M is a term, and x , y bind into M . # y , we interpret the expresWe write M for (ν; )M . When x , y#x , y and x     sion (ν x; y)(ν x ; y )M as (ν x x ; y y )M . Furthermore, we identify (ν x; y)⊥ and ⊥. Let π ↓ denote the result of moving all binders from the outermost binding sequence to the innermost; that is, (ν x; y)M ↓= (ν; x , y)M . Similarly, π ↓ z denotes the result of inserting z at the end of the outermost binding sequence: formally, (ν x; y)M ↓ z = (ν x, z; y)M . Intuitively, a provenance describes the origin of an input or output transition. For example, if an output transition is annotated with (ν x; y)M , the sender is an output prefix with subject M that occurs underneath the ν-binders x , y. For technical reasons, these binders are partitioned into two distinct sequences. The intention is that x  are the frame binders, while y contains binders that occur underneath case and replication; these are not part of the frame, but may  binders nonetheless bind into M . We prefer to keep them separate because the x are used for deriving  judgements, but y are not (cf. Definition 5). Definition 7 (Labels). The labels L, ranged over by α, β, are: M (ν x)N (output)

M N (input)

τ (silent)

The bound names of α, written bn(alpha), is x  if α = M (ν x)N and  otherx)N or α = M N . wise. The subject of α, written subj(α), is M if α = M (ν x)N or α = M N . Analogously, the object of α, written obj(α), is N if α = M (ν While the provenance describes the origin of a transition, a label describes how it can interact. For example, a transition labelled with M N indicates readiness to receive a message N from an output prefix with subject M .

J. ˚ Aman Pohjola

8

Table 1. Structured operational semantics. A symmetric version of Com is elided. In the rule Com we assume that F (P ) = (ν bP )ΨP and F (Q) = (ν bQ )ΨQ where  bP is fresh for Ψ and Q, x  is fresh for Ψ, ΨQ , P , and  bQ , y are similarly fresh. In rule ParL bQ is fresh for Ψ, P, π and α. ParR has the we assume that F (Q) = (ν bQ )ΨQ where  same freshness conditions but with the roles of P, Q swapped. In Open the expression a ˜ ∪ {b} means the sequence a ˜ with b inserted anywhere. In

. Ψ K→M

. Ψ M →K

Out



K N [ y :=L]  Ψ  M (λ y )N . P −−−−−−−→ P [ y := L]

KN

Ψ  M N . P −−→ P

M

M

α

ParL

→ P ΨQ ⊗ Ψ  P − π

α

Ψ  P | Q −−−→ P  | Q

bn(α)#Q

π↓ bQ

α

ParR

→ Q ΨP ⊗ Ψ  Q − α

π

Ψ  P | Q −−−−→ P | Q

bn(α)#P

(ν bP )π

M (ν a)N

KN

ΨQ ⊗ Ψ  P −−−−−−→ P 

ΨP ⊗ Ψ  Q −−−−−−→ Q

(ν bP ; x)K

Com

(ν bQ ; y )M

τ

Ψ  P |Q − → (ν a)(P  | Q )

 a#Q

⊥

α

Case

Ψ  Pi − → P

Ψ  ϕi

π

α

Ψ  case ϕ  : P −→ P  π↓

M (ν a)N

Open

Ψ  P −−−−−→ P  π

M (ν a∪{b})N

Ψ  (νb)P −−−−−−−−→ P  (νb)π

α

Scope

Ψ  P − → P π α

Ψ  (νb)P −−−→ (νb)P 

b#α, Ψ

(νb)π

b# a, Ψ, M b ∈ n(N )

α

Rep

Ψ  P | !P − → P α

π

Ψ  !P −→ P  π↓

Definition 8 (Operational semantics). The transition relation −→⊆ A × α P × L × Π × P is inductively defined by the rules in Table 1. We write Ψ  P − → π







P for (Ψ, P, α, π, P ) ∈−→. In transitions, bn(α) binds into obj(α) and P . The operational semantics differs from [2] mainly by the inclusion of provenances: anything underneath the transition arrows is novel. The Out rule states that in an environment where M is connected to K, the prefix M N may send a message N from M to K. The In rule is dual to Out, but also features pattern-matching. If the message is an instance of the pattern, as witnessed by a substitution, that subtitution is applied to the continuation P .

Psi-Calculi Revisited: Connectivity and Compositionality

9

In the Com rule, we see how provenances are used to determine when two processes can interact. Specifically, a communication between P and Q can be derived if P can send a message to M using prefix K, and if Q can receive a message from K using prefix M . Because names occuring in M and K may be local to P and Q respectively, we must be careful not to conflate the local names of one with the other; this is why the provenance records all binding names that occur above M, K in the process syntax. Note that even though we identify frames and provenances up-to alpha, the Com rule insists that we consider alpha-variants such that the frame binders and the outermost provenance binders coincide. This ensures that the K on Q’s label really is the same as the K in the provenance. It is instructive to compare our Com rule with the original: M (ν a)N

ΨQ ⊗ Ψ  P −−−−−−→ P 

. Ψ ⊗ ΨP ⊗ ΨQ  M ↔ K

KN

Com-Old

ΨP ⊗ Ψ  Q −−−→ Q τ

Ψ  P | Q −→ (ν a)(P  | Q )

 a#Q

where F(P ) = (νbP )ΨP and F(Q) = (νbQ )ΨQ and bP #Ψ, bQ , Q, M, P and bQ #Ψ, bQ , Q, K, P . Here we have no way of knowing if M and K are able to synchronise other than making a channel equivalence judgement. Hence any derivation involving Com-Old makes three channel equivalence judgements: once each in In, Out and Com-Old. With Com we only make one—or more accurately, we make the exact same judgement twice, in In resp. Out. Eliminating the redundant judgements is crucial: the reason Com-Old needs associativity and commutativity is to stitch these three judgements together, particularly when one end of a communication is swapped for a bisimilar process that allows the same interaction via different prefixes. Note also that Com has fewer freshness side-conditions. A particularly unintuitive aspect of Com-Old is that it requires bP #M and bQ #K, but not bP #K and bQ #M : we would expect that all bound names can be chosen to be distinct from all free names, but adding the missing freshness conditions makes scope extension unsound [14, pp. 56–57]. With Com, it becomes clear why: because bQ binds into M . All the other rules can fire independently of what the provenance of the premise is. They manipulate the provenance, but only for bookkeeping purposes: α → in order for the Com rule to be sound, we maintain the invariant that if Ψ  P − π

P  , the outer binders of π are precisely the binders of F(P ). Otherwise, the rules are exactly the same as in the original psi-calculi. The reader may notice a curious asymmetry between the treatment of provenance binders in the ParL and ParR rules. This is to ensure that the order of the provenance binders coincides with the order of the frame binders, and in the frame F(P | Q), the binders of P occur syntactically outside the binders of Q (cf. Definition 5).

10

3

J. ˚ Aman Pohjola

Meta-theory

In this section, we will derive the standard algebraic and congruence laws of strong bisimulation, develop an alternative formulation of strong bisimulation in terms of a reduction relation and barbed congruence, and show that our extension of psi-calculi is conservative. While weak equivalences are beyond the scope of the present paper, we believe it is possible (if tedious) to adapt the results about weak bisimilarity from [15] to our setting. 3.1

Bisimulation α

α

→ P  . Bisimulation is We write Ψ  P −→ P  as shorthand for ∃π. Ψ  P − π then defined exactly as in the original psi-calculi: Definition 9 (Strong bisimulation). A symmetric relation R ⊆ A × P × P is a strong bisimulation iff for every (Ψ, P, Q) ∈ R 1. Ψ ⊗ F(P ) Ψ ⊗ F(Q) (static equivalence) 2. ∀Ψ  .(Ψ ⊗ Ψ  , P, Q) ∈ R (extension of arbitrary assertion) α

α

3. If Ψ  P −→ P  and bn(α)#Ψ, Q, then there exists Q such that Ψ  Q −→ Q and (Ψ, P  , Q ) ∈ R (simulation) . . We let bisimilarity ∼ be the largest bisimulation. We write P ∼Ψ Q to mean . . . (Ψ, P, Q) ∈ ∼, and P ∼ Q for P ∼1 Q. Clause 3 is the same as for pi-calculus bisimulation. Clause 1 requires that two bisimilar processes expose statically equivalent assertion environments. Clause 2 states that if two processes are bisimilar in an environment, they must be bisimilar in every extension of that environment. Without this clause, bisimulation is not preserved by parallel composition. This definition might raise some red flags for the experienced concurrency theorist. We allow the matching transition from Q to have any provenance, irrespectively of what P ’s provenance is. Hence the Com rule uses information that is ignored for the purposes of bisimulation, which in most cases would result in a bisimilarity that is not preserved by the parallel operator. Before showing that bisimilarity is nonetheless compositional, we will argue that bisimilarity would be too strong if Clause 4 required transitions with matching provenances. Consider two distinct terms M, N that are connected to the . . same channels; that is, for all Ψ, K we have Ψ  M → K iff Ψ  N → K. We would expect M .0 and N .0 to be bisimilar because they offer the same interaction possibilities. With our definition, they are. But if bisimulation cared about provenance they would be distinguished, because transitions originating from M .0 will have provenance M while those from N .0 will have N . The key intuition is that what matters is not which provenance a transition has, but which channels the provenance is connected to. The latter is preserved by Clause 3, as this key technical lemma—formally proven in Isabelle, by a routine induction—hints at:

Psi-Calculi Revisited: Connectivity and Compositionality

11

Lemma 1. (Find connected provenance) MN

, K 1. If Ψ  P −−−→ P  and C is finitely supported, then there exists bP , ΨP , x π

)K and bP #Ψ, P, M, N, P  , C, x  such that F(P ) = (νbP )ΨP and π = (νbP ; x .  and x #Ψ, P, N, P , C and Ψ ⊗ ΨP  M → K. 2. A similar property for output transitions (elided). In words, the provenance of a transition is always connected to its subject, and the frame binders can always be chosen sufficiently fresh for any context. This simplifies the proof that bisimilarity is preserved by parallel: in the original psicalculi, one of the more challenging aspects of this proof is finding sufficiently fresh subjects to use in the Com-Old rule, and then using associativity and symmetry to connect them (cf. [2, Lemma 5.11]). By Lemma 1 we already have a sufficiently fresh subject: our communication partner’s provenance. Theorem 1 (Congruence properties of strong bisimulation). . . 1. P ∼Ψ Q ⇒ P | R ∼Ψ Q | R . . 2. P ∼Ψ Q ⇒ (νx)P ∼Ψ (νx)Q if x#Ψ . . 3. PG ∼Ψ QG ⇒ !PG ∼Ψ !QG . .  if P, Q  are guarded 4. ∀i.Pi ∼Ψ Qi ⇒ case ϕ  : P ∼Ψ case ϕ :Q . . 5. P ∼Ψ Q ⇒ M N.P ∼Ψ M N.Q Theorem 2 (Algebraic laws of strong bisimulation). . . . P ∼Ψ P | 0 P | (Q | R) ∼Ψ (P | Q) | R P | Q ∼Ψ Q | P . P | (νa)Q ∼Ψ (νa)(P | Q) if a#P

. (νa)0 ∼Ψ 0

. M N.(νa)P ∼Ψ (νa)M N.P if a#M, N

. x)N.(νa)P ∼Ψ (νa)M (λ x)N.P if a# x, M, N M (λ .  ∼  : P if a#ϕ  case ϕ  : (νa)P Ψ (νa)case ϕ

. !P ∼Ψ P | !P

. (νa)(νb)P ∼Ψ (νb)(νa)P

The proofs of Theorems 1 and 2 have been mechanised in Nominal Isabelle. Note that bisimilarity is not preserved by input, for the same reasons as the pi-calculus. As in the pi-calculus, we can define bisimulation congruence as the substitution closure of bisimilarity, and thus obtain a true congruence which satisfies all the algebraic laws above. We have verified this in Nominal Isabelle, following [2]. The fact that bisimilarity is compositional yet ignores provenances suggests that the semantics could be reformulated without provenance annotations on labels. To achieve this, what is needed is a side-condition S for the Com rule which, given an input and an output with subjects M, K, determines if the input transition could have been derived from prefix K, and vice versa: M (ν a)N

KN

ΨQ ⊗ Ψ  P −−−−−−→ P 

ΨP ⊗ Ψ  Q −−−→ Q τ

Ψ  P | Q −→ (ν a)(P  | Q )

S

12

J. ˚ Aman Pohjola

But we already have such an S: the semantics with provenances! So we can let M (ν a)N

KN

(ν bP ; x)K

(ν bQ ; y )M

S = ΨQ ⊗ Ψ  P −−−−−−→ P  ∧ ΨP ⊗ Ψ  Q −−−−−−→ Q Of course, this definition is not satisfactory: the provenances are still there, just swept under the carpet. Worse, we significantly complicate the definitions by effectively introducing a stratified semantics. Thus the interesting question is not whether such an S exists (it does), but whether S can be formulated in a way that is significantly simpler than the semantics with provenances. The author believes the answer is negative: S is a property about the roots of the proof trees used to derive the transitions from P and Q. The provenance records just enough information about the proof trees to show that M and K are connected; with no provenances, it is not clear how this information could be obtained without essentially reconstructing the proof tree. 3.2

Validation

We have defined semantics and bisimulation, and showed that bisimilarity satisfies the expected laws. But how do we know that they are the right semantics, and the right bisimilarity? This section provides two answers to this question. First, we show that our developments constitute a conservative extension of the original psi-calculi. Second, we define a reduction semantics and barbed bisimulation that are in agreement with our (labelled) semantics and (labelled) bisimilarity. . Let −→o and ∼o denote semantics and bisimilarity as defined by Bengtson et al. [2], i.e., without provenances and with the Com-Old rule discussed in Sect. 2. The following result has been mechanised in Nominal Isabelle: . Theorem 3 (Conservativity). When → is symmetric and transitive we have . . ∼o = ∼ and −→o = −→. Our reduction semantics departs from standard designs [4,17] by relying on reduction contexts [7] instead of structural rules, for two reasons. First, standard formulations tend to include rules like these: P −→ P  P | Q −→ P  | Q

α.P + Q | α.R + S −→ P | R

A parallel rule like the above would be unsound because Q might contain assertions that retract some conditions needed to derive P ’s reduction. The reduction axiom assumes prefix-guarded choice. We want our semantics to apply to the full calculus, without limiting the syntax to prefix-guarded case statements. But first, a few auxiliary definitions. The reduction contexts are the contexts in which communicating processes may occur:

Psi-Calculi Revisited: Connectivity and Compositionality

13

Table 2. Reduction semantics. Here Ψ abbreviates the composition Ψ1 ⊗ Ψ2 ⊗ . . . , and  abbreviates the parallel composition Ψ1  | Ψ2  | . . . —for empty sequences they Ψ are taken to be 1 and 0 respectively. Struct

P ≡Q

Ctxt

Q −→ Q

Q ≡ P 

Scope

P −→ P  . Ψ  M → N

K = L[ x := T]

P −→ Q (νa)P −→ (νa)Q

∀ϕ ∈ conds(C). Ψ  ϕ

Ψ | C[M K.P, N (λx)L.Q] −→ Ψ | P | Q[x := T ] | ppr(C)

Definition 10 (Reduction contexts). The reduction contexts, ranged over by C, are generated by the grammar C := PG (process) C | C (parallel)

[] (hole)      case ϕ  : PG [] ϕ : C [] ϕ : QG (case)

Let H(C) denote the number of holes in C. C[P G ] denotes the process that results from filling each hole of C with the corresponding element of P G , where holes  |, C[ P ] is undefined. are numbered from left to right; if H(C) = |P G G We let structural congruence ≡ be the smallest equivalence relation on processes derivable using Theorems 1 and 2. The conditions conds(C) and parallel processes ppr(C) of a context C are, respectively, the conditions in C that guard the holes, and the processes of C that are parallel to the holes: ppr(PG ) = PG

ppr([ ]) = 0

ppr(C1 | C2 ) = ppr(C1 ) | ppr(C2 )

   ppr(case ϕ  : P G [] ϕ : C [] ϕ : QG ) = ppr(C)

conds([ ]) = ∅

conds(PG ) = ∅

conds(C1 | C2 ) = conds(C1 ) ∪ conds(C2 )

    conds(case ϕ  : P G [] ϕ : C [] ϕ : QG ) = {ϕ } ∪ conds(C)

Definition 11 (Reduction semantics). The reduction relation −→ ⊆ P × P is defined inductively by the rules of Table 2. In words, Ctxt states that if an input and output prefix occur in a reduction context, we may derive a reduction if the following holds: the prefixes are connected in the current assertion environment, the message matches the input pattern, and all conditions guarding the prefixes are entailed by the environment. The ppr(C) in the reduct makes sure any processes in parallel to the holes are preserved.

J. ˚ Aman Pohjola

14

τ

Theorem 4. P −→ P  iff there is P  such that 1  P −→ P  and P  ≡ P  For barbed bisimulation, we need to define what the observables are, and what contexts an observer may use. We follow previous work by Johansson et al. [15] on weak barbed bisimilarity for the original psi-calculi on both counts. First, we take the barbs to be the output labels a process can exhibit: we define M (ν a)N a)N ) to mean ∃P  . 1  P −−−−−→ P  . We write P ↓M (νa)N (P exposes M (ν τ



P ↓M for ∃ a, N.P ↓M (ν A)N  , and P ⇓α for P −→ ↓α . Second, we let observers use static contexts, i.e. ones built from parallel and restriction. . Definition 12 (Barbed bisimilarity). Barbed bisimilarity, written ∼ , is barb . the largest equivalence on processes such that P ∼ Q implies barb

a#Q then Q ↓M (νa)N (barb similarity) 1. If P ↓M (νa)N and  2. If P

. −→ P  then there exists Q such that Q −→ Q and P  ∼ Q barb

(reduction simulation) . a)(Q | R) (closure under static contexts) 3. (ν a)(P | R) ∼ (ν barb

Our proof that barbed and labelled bisimilarity coincides only considers psicalculi with a certain minimum of sanity and expressiveness. This rules out some degenerate cases: psi-calculi where there are messages that can be sent but not received, and psi-calculi where no transitions whatsoever are possible. Definition 13. A psi-calculus is observational if: . 1. For all P there are MP , KP such that F(P )  MP → KP and not P ⇓Kp . 2. If N = ( x y) · M and y#M and x , y are distinct then M [ x := y] = N . The first clause means that no process can exhaust the set of barbs. Hence observing contexts can signal success or failure without interference from the process under observation. For example, in the pi-calculus MP , KP can be any name x such that x#P . The second clause states that for swapping of distinct names, substitution and permutation have the same behaviour. Any standard definition of simultaneous substitution should satisfy this requirement. These assumptions are present, explicitly or implicitly, in the work of Johansson et al. [15]. Ours are given a slightly weaker formulation. We can now state the main result of this section: . . Theorem 5. In all observational psi-calculi, P ∼ Q iff P ∼1 Q. barb

4

Expressiveness

In this section, we study two examples of the expressiveness gained by dropping symmetry and transitivity.

Psi-Calculi Revisited: Connectivity and Compositionality

4.1

15

Pi-Calculus with Preorders

Recall that pi-F [25] extends the pi-calculus with name equalities (x = y) as first-class processes. Communication in pi-F gives rise to equalities rather than substitutions, so e.g. xy.P | xz.Q reduces to y = z | P | Q: the input and output objects are fused. Hirschkoff et al. [11] observed that fusion and subtyping are fundamentally incompatible, and propose a generalisation of pi-F called the picalculus with preorders or πP to resolve the issue. We are interested in πP because its channel connectivity is not transitive. The equalities of pi-F are replaced with arcs a/b (“a is above b”) which act as one-way fusions: anything that can be done with b can be done with a, but not the other way around. The effect of a communication is to create an arc with the output subject above the input subject, so x(y).P | x(z).Q reduces to (νxy)(z/y | P | Q). We write ≺ for the reflexive and transitive closure of the “is above” relation. Two names x, y are considered joinable for the purposes of synchronisation if some name z is above both of them: formally, we write x  y for ∃z.x ≺ z ∧ y ≺ z. Hirschkoff et al. conclude by saying that “[it] could also be interesting to study the representation of πP into Psi-calculi. This may not be immediate because the latter make use of on an equivalence relation on channels, while the former uses a preorder” [11, p. 387]. Having lifted the constraint that channels form an equivalence relation, we happily accept the challenge. We write ΨP for the psi-calculus we use to embed πP . We follow the presentation of πP from [12,13], where the behavioural theory is most developed. Definition 14. The psi-calculus ΨP is defined with the following parameters: TN

C  {x ≺ y : x, y ∈ N } ∪ {x  y : x, y ∈ N }

A  Pfin ({x ≺ y : x, y ∈ N }) . → 

1  {}

⊗ ∪

  the relation denoted  in [13].

The prefix operators of πP are different from those of psi-calculi: objects are always bound, communication gives rise to an arc rather than a substitution, and a conditional silent prefix [ϕ]τ.P is included.2 These are encodable as follows: Definition 15 (Encoding of prefixes). The encoding   from πP to ΨP is homomorphic on all operators except prefixes and arcs, where it is defined by a/b = b ≺ a

a(y).P  = (νxy)(ax.(x ≺ y | P ) where x#y, P

a(y).P  = (νy)(a(λx)x.(y ≺ x | P )) where x#y, P [ϕ]τ.P  = case ϕ : (νx)(x(λx)x.0 | xx.P ) where x#P 2

We ignore protected prefixes because they are redundant, cf. Remark 1 of [12].

16

J. ˚ Aman Pohjola

This embedding of πP in psi-calculi comes with a notion of bisimilarity per Definition 9. We show that it coincides with the labelled bisimilarity for πP (written ∼) introduced in [12,13]. . Theorem 6. P ∼ Q iff P  ∼ Q Thus our encoding validates the behavioural theory of πP by connecting it to our fully mechanised proofs, while also showing that a substantially different design of the LTS yields the same bisimilarity. We will briefly compare these designs. While we do rewriting of subjects in the prefix rules, Hirschkoff et al. instead use relabelling rules like this one (mildly edited to match our notation): a(x)

P −−−→ P 

F(P )  a ≺ b b(x)

P −−→ P  An advantage of this rule is that it allows input and output labels to be as simple as pi-calculus labels. A comparative disadvantage is that it is not syntaxdirected, and that the LTS has more rules in total. Note that this rule would not be a viable alternative to provenances in psi-calculi: since it can be applied more than once in a derivation, its inclusion assumes that the channels form a preorder wrt. connectivity. πP also has labels [ϕ]τ , meaning that a silent transition is allowed in environments where ϕ is true. A rule for rewriting ϕ to a weaker condition, similar to the above rule for subject rewriting, is included. Psi-calculi does not need this because the Par rules take the assertion environment into account. πP transi[ϕ]τ τ tions of kind P −−→ P  correspond to ΨP transitions of kind {ϕ}  P −→ P  . Interestingly, the analogous full abstraction result fails to hold for the embedding of pi-F in psi-calculi by Bengtson et al. [2], because outputs that emit distinct but fused names are distinguished by psi-calculus bisimilarity. This issue does not arise here because πP objects are always bound; however, we believe the encoding of Bengtson et al. can be made fully abstract by encoding free output with bound output, exploiting the pi-F law a y.Q ∼ a(x)(Q | x = y). 4.2

Mixed Choice

This section will argue that because we allow non-transitive channel connectivity, the case operator of psi-calculi becomes superfluous. The formal results here will focus on encoding the special case of mixed choice. We will then briefly discuss how to generalise these results to the full case operator. Choice, written P + Q, is a process that behaves as either P or Q. In psicalculi we consider P + Q to abbreviate case  : P []  : Q for some condition  that is always entailed. Mixed choice means that in P + Q, P and Q must be prefix-guarded; that is, the outermost operators of P, Q must be input or output prefixes. In particular, mixed choice allows choice between an input and an output. There is a straightforward generalisation to n-ary sums that, in order to simplify the presentation, we will not consider here.

Psi-Calculi Revisited: Connectivity and Compositionality

17

. Fix a psi-calculus P = (T, A, C, , ⊗, 1, →) with mixed choice; this will be our source language. We will construct a target psi-calculus and an encoding such that the target terms make no use of the case operator. The target language E(P) adds to T the ability to tag a term M with a name x; we write Mx for the tagged term. We write αx for tagging the subject of the prefix α with x. Tags are used to uniquely identify which choice statement a prefix is a summand of. As the assertions of E(P) we use A × Pfin (N ), where Pfin (N ) are the disabled tags. The encoding   from P to E(P) is homomorphic on all operators except assertion and choice, where it is defined as follows: α.P +β.Q = (νx)(αx .(P  | (1, {x}) | βx .(Q | (1, {x})

Ψ  = (Ψ, ∅)

where x#α, β, P, Q. If we disregard the tag x, we see that the encoding simply offers up both summands in parallel. This clearly allows all behaviours of α.P + β.Q, but there are two additional behaviours we must prevent: (1) communication between the summands, and (2) lingering summands firing after the other branch has already been taken. The tagging mechanism prevents both, as a consequence of how we define channel equivalence on tagged terms in E(P): . (Ψ, N)  Mx → Ny

. if Ψ  M → N and x = y and x, y ∈ /N

That is, tagged channels are connected if the underlying channel is connected. To prevent (1) we require the tags to be different, and to prevent (2) we require that the tags are not disabled. Note that this channel connectivity is not transitive, not reflexive, and not monotonic wrt. assertion composition—not even if the source language connectivity is. Theorem 7 (Correctness of choice encoding). α

α

1. If Ψ  P −→ P  then there is P  such that (Ψ, ∅)  P  −→ P  and . P  ∼(Ψ,∅) P  . α

α

⊥ 2. If (Ψ, ∅)  P  −→ P  then there is P  such that Ψ  P −−→ P  and  .  P ∼(Ψ,∅) P . . . 3. P ∼1 Q iff P  ∼(1,∅) Q.

Here α⊥ denote the label α with all tags removed. It is immediate from Theorem 7 and the definition of   that our encoding also satisfies the other standard quality criteria [10]: it is compositional, it is name invariant, and it preserves and reflects barbs and divergence. In the original psi-calculi, our target language is invalid because of nontransitive connectivity. If we remove the requirement that tags are distinct, and only allow separate choice (where either both summands are inputs or both summands are outputs), the encoding is correct for the original psi-calculi. These results generalise in a straightforward way to mixed Case statements case ϕ1 : α.P [] ϕ2 : β.Q by additionally tagging terms with a condition, i.e. Mx,ϕ1 , that must be entailed in order to derive connectivity judgements

18

J. ˚ Aman Pohjola

involving the term. The generalisation to free choice, i.e. P + Q where P, Q can be anything, is more involved and sacrifices some compositionality. The idea is to use sequences of tags, representing which branches of which (possibly nested) case statements a prefix can be found in, and disallowing communication between prefixes in distinct branches of the same Case operator.

5

Conclusion and Related Work

We have seen how psi-calculi can be conservatively extended to allow asymmetric and non-transitive communication topologies, sacrificing none of the bisimulation meta-theory. This confers enough expressiveness to capture a pi-calculus with preorders, and makes mixed choice a derived operator. The work of Hirschkoff et al. [11] is closely related in that it uses nontransitive connectivity; see Sect. 4.1 for an extensive discussion. Broadcast psi-calculi [5] extend psi-calculi with broadcast communication in addition to point-to-point communication. There, point-to-point channels must still be symmetric and transitive, but for broadcast channels this condition is lifted, at the cost of introducing other side-conditions on how names are used: broadcast prefixes must be connected via intermediate broadcast channels which have no greater support than either of the prefixes it connects, precluding language features such as name fusion. We believe provenances could be used to define a version of broadcast psi-calculi that does not need this side-condition. Kouzapas et al. [16] define a similar reduction context semantics for (broadcast) psi-calculi. Their reduction contexts requires three kinds of numbered holes with complicated side-conditions on how the holes may be filled; we have attempted to simplify the presentation by having only one kind of hole. While (weak) barbed congruence for psi-calculi has been studied before [15] (see Sect. 3.2), barbed congruence was defined in terms of the labelled semantics rather than a reduction semantics, thus weakening its claim to independent confirmation slightly. There is a rich literature on choice encodings for the pi-calculus [10,20–23], with many separation and encodability results under different quality criteria for different flavours of choice. Encodings typically require complicated protocols and tradeoffs between quality criteria. Thanks to the greater expressive power of psi-calculi, our encoding is simpler and satisfies stronger quality criteria than any choice encoding for the pi-calculus. Closest to ours is the choice encoding of CCS into the DiX calculus by Busi and Gorrieri [6]. DiX introduces a primitive for annotating processes with conflict sets, that are intended as a generalisation of choice. Processes with overlapping conflict sets cannot interact, and when a process acts, every process with an overlapping conflict set is killed. These conflict sets perform the same role in the encoding as our tags do. We believe the tagging scheme used in our choice encoding also captures DiX-style conflict sets.

Psi-Calculi Revisited: Connectivity and Compositionality

19

Acknowledgements. These ideas have benefited from discussions with many people at Uppsala University, ITU Copenhagen, the University of Oslo and Data61/CSIRO, including Jesper Bengtson, Christian Johansen, Magnus Johansson and Joachim Parrow. I would also like to thank Jean-Marie Madiot and the anonymous reviewers for valuable comments on earlier versions of the paper.

References ˚man Pohjola, J.: Psi-calculi revisited: connectivity and compositionality. Tech1. A nical report, EP192416, CSIRO, Canberra, Australia (2019). https://publications. csiro.au/rpr/pub?pid=csiro:EP192416 2. Bengtson, J., Johansson, M., Parrow, J., Victor, B.: Psi-calculi: a framework for mobile processes with nominal data and logic. Logical Methods Comput. Sci. 7(1) (2011). https://doi.org/10.2168/LMCS-7(1:11)2011 3. Bengtson, J., Parrow, J., Weber, T.: Psi-calculi in Isabelle. J. Autom. Reasoning 56(1), 1–47 (2016). https://doi.org/10.1007/s10817-015-9336-2 4. Berry, G., Boudol, G.: The chemical abstract machine. In: Proceedings of the 17th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1990, pp. 81–94. ACM, New York (1990). https://doi.org/10.1145/96709. 96717 5. Borgstr¨ om, J., et al.: Broadcast psi-calculi with an application to wireless protocols. Softw. Syst. Model. 14(1), 201–216 (2015). https://doi.org/10.1007/s10270-0130375-z 6. Busi, N., Gorrieri, R.: Distributed conflicts in communicating systems. In: Ciancarini, P., Nierstrasz, O., Yonezawa, A. (eds.) ECOOP 1994. LNCS, vol. 924, pp. 49–65. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-59450-7 4 7. Felleisen, M., Hieb, R.: The revised report on the syntactic theories of sequential control and state. Theor. Comput. Sci. 103(2), 235–271 (1992). https://doi.org/ 10.1016/0304-3975(92)90014-7 8. Gabbay, M.J., Pitts, A.M.: A new approach to abstract syntax with variable binding. Formal Aspects Comput. 13, 341–363 (2002). https://doi.org/10.1007/ s001650200016 9. Gardner, P., Wischik, L.: Explicit fusions. In: Nielsen, M., Rovan, B. (eds.) MFCS 2000. LNCS, vol. 1893, pp. 373–382. Springer, Heidelberg (2000). https://doi.org/ 10.1007/3-540-44612-5 33 10. Gorla, D.: Towards a unified approach to encodability and separation results for process calculi. Inf. Comput. 208(9), 1031–1053 (2010). https://doi.org/10.1016/ j.ic.2010.05.002 11. Hirschkoff, D., Madiot, J., Sangiorgi, D.: Name-passing calculi: from fusions to preorders and types. In: 28th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2013, New Orleans, LA, USA, 25–28 June 2013, pp. 378–387. IEEE Computer Society (2013). https://doi.org/10.1109/LICS.2013.44 12. Hirschkoff, D., Madiot, J., Xu, X.: A behavioural theory for a π-calculus with preorders. J. Log. Algebr. Meth. Program. 84(6), 806–825 (2015). https://doi.org/ 10.1016/j.jlamp.2015.07.001 13. Hirschkoff, D., Madiot, J.-M., Xu, X.: A behavioural theory for a π-calculus with preorders. In: Dastani, M., Sirjani, M. (eds.) FSEN 2015. LNCS, vol. 9392, pp. 143–158. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24644-4 10

20

J. ˚ Aman Pohjola

14. Johansson, M.: Psi-calculi: a framework for mobile process calculi: cook your own correct process calculus - just add data and logic. Ph.D. thesis, Uppsala University, Division of Computer Systems (2010) 15. Johansson, M., Bengtson, J., Parrow, J., Victor, B.: Weak equivalences in psicalculi. In: LICS, pp. 322–331. IEEE Computer Society (2010). https://doi.org/ 10.1109/LICS.2010.30 16. Kouzapas, D., Gutkovas, R., Gay, S.J.: Session types for broadcasting. In: Donaldson, A.F., Vasconcelos, V.T. (eds.) Proceedings 7th Workshop on Programming Language Approaches to Concurrency and Communication-cEntric Software, PLACES 2014, Grenoble, France, 12 April 2014. EPTCS, vol. 155, pp. 25–31 (2014). https://doi.org/10.4204/EPTCS.155.4 17. Milner, R.: Functions as processes. In: Paterson, M.S. (ed.) ICALP 1990. LNCS, vol. 443, pp. 167–180. Springer, Heidelberg (1990). https://doi.org/10.1007/ BFb0032030 18. Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, part I/II. Inf. Comput. 100(1), 1–77 (1992). https://doi.org/10.1016/0890-5401(92)90008-4 19. Nanz, S., Hankin, C.: A framework for security analysis of mobile wireless networks. Theor. Comput. Sci. 367(1–2), 203–227 (2006) 20. Nestmann, U., Pierce, B.C.: Decoding choice encodings. Inf. Comput. 163(1), 1–59 (2000). https://doi.org/10.1006/inco.2000.2868 21. Palamidessi, C.: Comparing the expressive power of the synchronous and the asynchronous pi-calculus. In: Lee, P., Henglein, F., Jones, N.D. (eds.) Conference Record of POPL 1997: The 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Papers Presented at the Symposium, Paris, France, 15–17 January 1997, pp. 256–265. ACM Press (1997). https://doi.org/10. 1145/263699.263731 22. Peters, K., Nestmann, U.: Is it a “good” encoding of mixed choice? In: Birkedal, L. (ed.) FoSSaCS 2012. LNCS, vol. 7213, pp. 210–224. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28729-9 14 23. Peters, K., Nestmann, U., Goltz, U.: On distributability in process calculi. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 310–329. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37036-6 18 24. Urban, C.: Nominal techniques in Isabelle/HOL. J. Autom. Reason. 40(4), 327–356 (2008). https://doi.org/10.1007/s10817-008-9097-2 25. Wischik, L., Gardner, P.: Explicit fusions. Theor. Comput. Sci. 304(3), 606–630 (2005). https://doi.org/10.1016/j.tcs.2005.03.017

Squeezing Streams and Composition of Self-stabilizing Algorithms Karine Altisen(B) , Pierre Corbineau, and St´ephane Devismes Univ. Grenoble Alpes, CNRS, Grenoble INP (Institute of Engineering Univ. Grenoble Alpes), VERIMAG, 38000 Grenoble, France [email protected]

Abstract. Composition is a fundamental tool when dealing with complex systems. We study the hierarchical collateral composition which is used to combine self-stabilizing distributed algorithms. The PADEC library is a framework developed with the Coq proof assistant and dedicated to the certification of self-stabilizing algorithms. We enrich PADEC with the composition operator and a sufficient condition to show its correctness. The formal proof of the condition leads us to develop new tools and methods on potentially infinite streams, these latter ones being used to model the algorithms’ executions. The cornerstone has been the definition of the function Squeeze which removes duplicates from streams. Keywords: Coq proof assistant · Streams · Coinduction Composition · Distributed algorithm · Self-stabilization

1

·

Introduction

In computer science, separation of concerns is a standard design principle which consists of decomposing a complex problem into several simpler ones. These subproblems are then solved independently, and finally, glued together to obtain a global solution to the initial problem. With this in mind, composition is a natural tool that simplifies both the design and proof of complex algorithms. For example, the sequential composition of two algorithms “A1 ; A2 ” enforces A1 and A2 to be executed in sequence, i.e., A2 is initiated only after A1 ’s completion. Composition methods are widely used in distributed systems [4,10,25]. Self-stabilization [21] is a versatile fault-tolerant paradigm of distributed computing. Indeed, a self-stabilizing distributed algorithm resumes a correct behavior within finite time, regardless the initial state of the system, and therefore also after a finite number of transient faults hit the system and place it in some arbitrary global state. The ability to implement sequential composition This study has been partially supported by the anr projects Descartes (ANR-16CE40-0023) and Estate (ANR-16-CE25-0009). c IFIP International Federation for Information Processing 2019  Published by Springer Nature Switzerland AG 2019 J. A. P´ erez and N. Yoshida (Eds.): FORTE 2019, LNCS 11535, pp. 21–38, 2019. https://doi.org/10.1007/978-3-030-21759-4_2

22

K. Altisen et al.

in a distributed system mainly relies on the ability to locally detect the termination. Now, termination detection is inherently impossible for self-stabilizing algorithms [34]. Indeed, since the system may suffer from faults such as memory corruption, the nodes cannot trust their local memory. To circumvent such an issue, several other composition operators devoted to self-stabilizing algorithms have been proposed, e.g., the fair [23] and cross-over [6] compositions. We are more particularly interested in the hierarchical collateral composition [20], a simple and widely used variant of the collateral composition [27]. This composition actually emulates the sequential composition “A1 ; A2 ” by providing the same output despite A1 and A2 being executed (more or less) concurrently. The PADEC framework [2,3] consists in a library for certifying self-stabilizing algorithms. The certification of an algorithm means proving its correctness formally using a proof assistant, here Coq [9,35], i.e., a tool which allows to develop formal proofs interactively and mechanically check them. The framework includes tools to model self-stabilizing algorithms, certified general statements that can be used to build certified correctness proofs of such algorithms, and case studies that validate them. In PADEC, the semantics of self-stabilizing algorithms’ executions is defined as potentially infinite streams and properties, such as algorithm specifications, are defined using temporal logic on those streams. Hence, the definitions and proofs presented in PADEC as well as this paper, make an intensive use of streams and thus of coinductive definitions and proofs. Overview of the Contributions. The first contribution of this paper consists of new general tools for streams, in particular a squeezing operator. This latter is actually a productive filter on streams that uses both inductive and coinductive mechanisms. Our second contribution is a case study: we apply the squeezing operator to certify the hierarchical collateral composition of self-stabilizing algorithms. To our knowledge, our proposal is the first work on the certification of a composition operator for self-stabilization. Detailed Contributions. We develop many tools for streams. Our streams are potentially infinite sequences of at least one element and require to be defined over a partial setoid, i.e., over a type endowed with a partial equivalence relation that models equality; thus justifying this new development. Apart from usual tools required by developments on streams, such as temporal logic operators, we also provide tools specific for PADEC. In particular, the squeezing toolbox provides a filter to remove any duplicated value from a given stream that may contain an infinite suffix of duplicates. We study the conditions under which such a squeezed stream can be computed and provide a function that actually builds it. This filter can be viewed as an extension of a work by Bertot [8]. Indeed, although Bertot’s filter relies on a general predicate (ours simply uses the equality between two consecutive elements), the squeezing operator is designed for more complex streams (that can be finite or infinite) and allows to remove an infinite suffix. In his paper, Bertot clearly explains the difficulty to formally define such a filter since this latter mixes both coinduction and induction mechanisms. The definition of squeezing is even more difficult since it requires to decide at each

Squeezing Streams and Composition of Self-stabilizing Algorithms

23

step whether the filtering of new elements should continue or be given up because a constant, potentially infinite, suffix has been reached. As an application, we use these tools to enrich the PADEC library with a formalization of the hierarchical collateral composition operator ⊕ and a sufficient condition to show its correctness. By correctness, we mean that if A1 and A2 are self-stabilizing w.r.t. their specification, then A1 ⊕A2 is also self-stabilizing w.r.t. both specifications. Executions of self-stabilizing algorithms and their compositions are modeled as streams, and the squeezing toolbox has been the cornerstone to solve the major locks in the correctness proof of the composition operator. Related Work. Previous work dealing with PADEC [3] only considered terminating algorithms that did not require any scheduling assumption, consequently their proofs were only induction-based. Here, A2 may be a non-terminating algorithm (e.g., a token circulation). Moreover, the sufficient condition to show the correctness of the composition assumes a weakly fair scheduling, which requires a coinductive definition. Coinductive objects and proofs allow to reason on potentially infinite objects. They are supported by major proof assistants such as Coq [26], Isabelle [32], and Agda [1]. Coinductive constructions are commonly used to represent potentially infinite behaviors of programs and systems (see, for example, [31] for sequential programs and [17] for distributed systems) but also for modeling lazy programs such as the prime number sieve [8]. Proofs in distributed algorithms are commonly written by hand, based on informal reasoning. This potentially leads to errors when arguments are not perfectly clear, as explained by Lamport in his position paper [30]. As a matter of facts, several studies [7,22] reveal, using formal methods, some bugs in existing literature. Hence, certification of distributed algorithms is a powerful tool to prevent bugs in their proofs, and so, to increase confidence in their correctness. Certification of non fault-tolerant distributed algorithms is addressed in [13,14,17]; and certification in the context of fault-tolerant, yet non selfstabilizing, distributed computing is addressed in [5,28]. Up to now, only few simple self-stabilizing algorithms have been certified, e.g., [29] (in PVS) and [3,16] (in Coq). By simple, we mean non-composed algorithms working on particular topologies (i.e., rings, lines, or trees) and/or assuming restrictions on possible interleaving (e.g., in [29], only sequential executions are considered). Now, progress in self-stabilization has led to consider more and more complex distributed systems running in increasingly more adversarial environments. As an illustrative example, the three first algorithms proposed by Dijkstra in 1974 [21] were designed for oriented ring topologies and assuming sequential executions only, while nowadays most self-stabilizing algorithms are designed for fully asynchronous arbitrary connected networks, e.g., [12,19], and even for networks, such as peer-to-peer systems, where the topology (frequently) varies over the time, e.g., [11]. Consequently, the design of self-stabilizing algorithms becomes more and more intricate, and accordingly, their proofs of correctness and complexity. To handle such difficulties, designers must adopt a modular approach, e.g., using composition operators. Consequently, a preliminary necessary step to certify present-day self-stabilizing algorithms is the certification of a composition operator.

24

K. Altisen et al.

Roadmap. Section 2 introduces streams and self-stabilization as defined in PADEC. Section 3 presents the composition. Section 4 details the squeezing toolbox and shows its application into the proof of correctness of the composition. The composition and the stream toolboxes contain about 1500 lines of Coq specifications and 4800 lines of Coq proofs.1 This represents about 25% of the whole PADEC library. We advocate the reader to visit the following webpage for a deeper understanding of our work. http://www-verimag.imag.fr/∼altisen/PADEC/ All documentation and source codes are available at this address.

2

Streams and Self-stabilization in the PADEC Library

PADEC is a Coq library designed to model and prove results on self-stabilizing algorithms. The framework makes an intensive use of (partial-)setoids, i.e., types for which the equality is represented by a (partial-)equivalence relation. This choice is justified in [3] and has some consequences on the design of the framework. Nevertheless, we omit here the technical issues due to the use of such (partial-)setoids, since it is out of the scope of this paper. We now present self-stabilizing algorithms as they are defined in distributed computing and the PADEC library. Beforehand, we introduce streams as they are used to model executions of self-stabilizing algorithms in PADEC. 2.1

Streams

We implement a stream as a potentially infinite sequence of at least one element. Each element belongs to some given type A. A stream is then defined as a value of the following type. CoInductive Stream : Type := | O: A → Stream | C: A → Stream → Stream .

Remark that such a stream cannot be empty since each constructor (O, C) enforces the existence of a first element. Moreover, it may be finite or infinite since the keyword CoInductive generates the greatest fixed point capturing potentially infinite constructions.2 For instance, the finite stream of naturals 1 2 3 4 is given by s4 = C 1 (C 2 (C 3 (O 4))) and the infinite stream of naturals, made of an infinite number of 1, is defined by CoFixpoint ones: Stream (A := nat) := C 1 ones. Therefore, the above definition allows to construct both finite and infinite streams thanks to the two constructors. In contrast, streams from the standard Coq API [35] and those proposed by Bertot [8] are made of only one constructor, which enforces the stream to be necessarily infinite. 1 2

As evaluated by the ad hoc tool coqwc. In contrast, the keyword Inductive generates the smallest fixed point and only captures finite constructions.

Squeezing Streams and Composition of Self-stabilizing Algorithms

25

We define the function (H: Stream → A) which returns the first element of the stream, e.g., (H s4) returns 1. For any function (f: A → B) and any type B, we note (f • H: Stream → B) the function defining the composition of H and f as follows: ((f • H) s) returns (f (H s)), for any stream s. We now briefly introduce tools on streams that will be used in the sequel. The following predicates are usual temporal logic operators [15,33]. They are defined w.r.t. a given predicate P over streams. The first one checks that there is a suffix of the stream in which P is satisfied. The second one checks that P is satisfied in every suffix of the stream. Inductive Eventually ( P : Stream → Prop): Stream → Prop := | ev_now : ∀ s , P s → Eventually P s | ev_later : ∀ a s , Eventually P s → Eventually P (C a s ). CoInductive Always ( P : Stream → Prop): Stream → Prop := | al_one : ∀ a , P (O a ) → Always P (O a ) | al_cons : ∀ a s , P (C a s ) → Always P s → Always P (C a s ).

Note the difference between the two definitions: Eventually is defined using the keyword Inductive since a proof of (Eventually P s), for some stream s and predicate P, should only contain a finite number of ev_later. In contrast, Always uses CoInductive: a proof of (Always P s) would potentially contain an infinite number of al_cons and so, should be lazily constructed. We defined many other properties and technical tools that ease the use of those predicates (see [2] for details), e.g., we use Eventually to check that a stream is finite: finite : Stream → Prop := Eventually P_finite .

where (P_finite s) holds if and only if the stream s is made of a single element a, i.e., is equal to (O a). 2.2

Self-stabilization: Model and Semantics

Most of self-stabilizing algorithms are designed in the atomic-state model, a computational model introduced by Dijkstra [21], which abstracts away the communications between nodes of the network. The PADEC framework has been developed using this model (see [3]). However, we do not detail the model here, since this is not the heart of the contribution. Instead, we summarize features that are mandatory to present and understand our contributions. A distributed algorithm is executed over a network, made of a finite number of nodes (we introduce the Coq type Node to represent nodes). Each node p is endowed with a local state (of type State) defined by the value of its local variables. Node p updates its local state by executing its local algorithm in atomic moves, where it first reads its own local state and that of its neighbors, and then only writes its own variables. Notice that some variables owned by p, usually system inputs, should never be written by its local algorithm. Such variables are declared read-only. A node is said to be enabled if its next move will actually modify its local state. Otherwise, the node is said to be disabled.

26

K. Altisen et al.

We call environment the global state of the network. In PADEC, environments are functions from Node to State: Env := Node → State, namely for an environment (g: Env) and a node (n: Node), (g n) is the local state of n in g. If no node is enabled in g, then g said to be terminal. This property is defined by the predicate terminal: Env → Prop. Each node can locally evaluate whether or not it is enabled. So, since the number of nodes is finite, the terminal property is decidable, i.e., the evaluation of (terminal g) is computable:3 Lemma. terminal_dec : ∀ g , { terminal g }+{ ¬terminal g }.

Let g be the current environment. If g is not terminal, then a step of the distributed algorithm is performed as follows: every node n that is enabled in (g n) is candidate to be executed; some candidates (at least one) are nondeterministically activated, meaning that they atomically update their local state using their local algorithm, leading the system to a new environment g’. This nondeterminism actually materializes the asynchronism of the system. Notice that two environments linked by a step are necessarily different. This point is fundamental in asynchronous deterministic algorithms: the system progress can only be observed when the environment changes. In PADEC, we use the relation Step: Env → Env → Prop to encode all possible steps. A maximal run in the network is defined as a stream of environments, using type Exec: Type := Stream (A := Env), where every pair of consecutive environments in the stream is a step, and if the stream is finite then its last environment is necessarily terminal. This notion is captured by the predicate is_max_run ( e : Exec ): Prop := Always P_run e .

where (P_run e) checks that the stream e matches one of the two following patterns. Either e is (O g) and the environment g is terminal, i.e., (terminal g) holds; or e is (C g e’) (with g an environment and e’ a stream) and there is a step from g to (H e’), i.e., (Step (H e) g’) holds. We model the nondeterminism of the system using an artifact called the daemon. In this paper, we focus on the so-called weakly fair daemon [24]: a maximal run is executed under the weakly fair daemon if and only if every node that is continuously enabled is eventually activated by the daemon. To encode the weakly fair daemon, we define the following predicate: weakly_fair ( e : Exec ): Prop := ∀ ( n : Node ) , Always ( fun e ’ = > EN n e ’ → Eventually ( AN n ) e ’) e .

Namely, all along a run e, whenever some node n is enabled (predicate (EN n)), it is eventually either activated or neutralized (predicate (AN n)), i.e., either it is eventually chosen by the daemon to execute in a step, or it eventually becomes disabled, due to the move of some of its neighbors. Note that this definition involves both inductive and coinductive predicates.

3

The notation { A }+{ B } (so-called sumbool in Coq) means there exists an algorithm able to choose between Conditions A and B.

Squeezing Streams and Composition of Self-stabilizing Algorithms

27

A self-stabilizing algorithm is designed to fulfill a given specification under some assumptions, often related to the system. In the literature, those assumptions are directly encoded in the configurations using constants whose values achieve some conditions. For example, an identified network is modeled using a constant variable, called identifier, for each process and assuming that every two distinct processes have different identifiers. Following the literature, we express those assumptions (predicate Assume: Env → Prop) on the read-only variables of the nodes. Such assumptions need only to be checked on the initial environment of a run. Indeed, they are then inherently satisfied all along the run since they only rely on read-only variables. To sum up, we define an execution of the algorithm to be a stream of environments which is a maximal run satisfying the daemon constraints and where the read-only assumptions are satisfied in its first environment. Hence, executions are encoded by the following predicate. is_exec ( e : Exec ): Prop := ( Assume • H) e ∧ is_max_run e ∧ weakly_fair e .

It is important to note that a self-stabilizing algorithm can be initiated from any environment where the read-only assumptions are satisfied. This, in particular, means that every suffix of an execution is also an execution. The specification of an algorithm is given as a predicate S: Exec → Prop. Then, an algorithm A is self-stabilizing (predicate self_stabilization A: Prop) w.r.t. a specification S under the weakly fair daemon if there exists a set of environments called legitimate and detected using the predicate LEG: Env → Prop, such that for every execution e (implicitly e: Exec and is_exec e), – if its initial environment is legitimate, then each of its environments is legitimate, i.e., (LEG • H) e → Always (LEG • H) e (Closure); – it converges to a legitimate environment, i.e., Eventually (LEG • H) e (Convergence); and – if it is initiated in a legitimate environment, then it satisfies the specification, i.e., (LEG • H) e → S e (Specification). In this paper, we also consider the class of silent self-stabilizing algorithms. In the atomic-state model, an algorithm A is silent if all executions are finite: silent A: Prop := ∀ (e: Exec), is_exec e → finite e. A silent algorithm is designed to converge to terminal environments satisfying some properties. So, the specification of such an algorithm is rather formulated as a predicate over environments S g : Env → Prop, henceforth called environment specification.

3

Composition

The hierarchical collateral composition has been introduced in [20] together with a simple sufficient condition to show its correctness. We now describe the operator, its modeling, and the certification of the sufficient condition in PADEC.

28

K. Altisen et al.

Beyond the higher confidence in the accuracy of the result, certification, by enforcing proofs to be more rigorous, leads to a deeper understanding of the result. The goal of the hierarchical collateral composition operator is to mimic the sequential composition “A1 ; A2 ”. A1 and A2 run concurrently modulo some priorities (see details below) and collaborate together using common variables. The goal of A1 is to self-stabilizingly output correct inputs to A2 . A2 is selfstabilizing provided that its inputs, in particular those computed by A1 , are correct. Hence, the actual convergence of A2 is ensured only after A1 has stabilized. For example, the clustering algorithm for general networks given in [18] is a hierarchical collateral composition A1 ⊕ A2 , where A1 is a spanning tree construction and A2 a clustering algorithm dedicated to tree topologies. A1 should converge so that its output variables permanently fulfill the input assumptions of A2 to ensure that A2 stabilizes in nominal conditions. To that goal, we assume that A1 is silent, e.g., in [18], once the spanning tree construction has stabilized, all its variables, in particular those defining the tree, are constant. For each node, the local variables of the composite algorithm A1 ⊕ A2 are made of variables specific to A1 and A2 respectively, but also of variables common to A1 and A2 . Those variables store, in particular, the output of A1 used as input by A2 . They should be read-only in A2 since A2 should not prevent A1 from stabilizing by overwriting these variables. In the previous collateral composition [27] of Gouda and Herman, the choice for an activated node to execute either A1 or A2 , when both are enabled, was nondeterministic. In contrast, in the hierarchical collateral composition, the composite algorithm gives priority to A1 over A2 locally at each node. Let p be a node enabled w.r.t. A1 ⊕ A2 in some environment and assume that p is activated by the daemon in the next step. – If A1 is enabled at p (n.b., A2 may be enabled at p too), then p makes a move of A1 only. – Otherwise, p is disabled w.r.t. A1 , but enabled w.r.t. A2 , and so makes a move of A2 (only). Hence, when p moves in A1 ⊕ A2 , it either executes A1 or A2 , but not both. We should underline that this priority mechanism is only local: globally, a step of A1 ⊕ A2 may contain moves of A1 only, moves of A2 only, but also a mix of them, yet executed at different nodes. 3.1

The Composite Algorithm in Coq

We model the composite algorithm A1 ⊕ A2 in Coq as follows. We define the local states S3 of A1 ⊕ A2 assuming that the local states of A1 , noted S1, can be handled using the following getter and setter: – read1: S3 → S1 is a projection from S3 to S1, – write1: S1 → S3 → S3 modifies the S1-part of a composite state.

Squeezing Streams and Composition of Self-stabilizing Algorithms

29

Functions read2 and write2 are defined similarly for the local states S2 of A2 .4 Those functions follow the properties given by the commutative diagram of Fig. 1. For example, to update the S1-part of the composite local state (x3: S3) with (x1: S1), we use write1(x1,x3): this produces a new S3 local state with S1part x1, namely, read1(write1(x1,x3)) returns x1. Additionally, we encode the fact that any writing in the S2-part (by A2 ), that respects the read-only condition, actually does not modify the S1-part of an S3 state. Indeed, the common part between S1 and S2 is necessarily read-only for S2 (see x in Fig. 2). x S2×S3

S1×S3

write1 π1

S3

read2(x3)

π1

write2

read2

x2

x S2

read1 S1

Fig. 1. Commutative diagram for read and write. π1 gives access to the first element of the pair.

x3

read1(x3) = x

write2(x2,x3) x2

Fig. 2. write2 cannot modify S1-part. x is the common part between S1 and S2, read-only for S2.

We generalize the projections read1 and read2 to environments and streams. The projection envread1 to A1 of an environment g of A1 ⊕ A2 is an environment for A1 defined as read1 • g. Namely, for a node n, the projection of (g n) on A1 , is obtained by (read1(g n)). The projection on A1 of a stream s of A1 ⊕ A2 is called execread1 and is obtained using a cofixed point that applies envread1 to every element of the stream (i.e., a map on a stream). In particular, ((H • execread1) s) and ((envread1 • H) s) represent one and the same environment. The projections envread2 and execread2 on A2 are defined similarly. 3.2

Correctness of the Composition

The composition operator is proven correct under the following hypotheses: H1 : The daemon is weakly fair. H2 : A1 is silent and self-stabilizing w.r.t. the environment specification S1g : given the read-only assumption Assume1, each of its executions is finite and terminates in an environment satisfying S1g . H3 : A2 is self-stabilizing w.r.t. specification S2 : given the read-only assumption Assume2, each of its executions eventually reaches a legitimate environment (predicate LEG2) from which S2 is satisfied. 4

S1, S2, S3 stand for type State dedicated to Algorithms A1 , A2 , A1 ⊕ A2 , respectively.

30

K. Altisen et al.

H4 : The read-only assumption of A1 ⊕ A2 is Assume1 on A1 -projections. H5 : S1g implies Assume2, i.e., ∀ g, S1g (envread1 g) → Assume2 (envread2 g). Under those hypotheses, we have proven the theorem below for the specification S := fun e => Always (S1g • H • execread1) e ∧ (S2 • execread2) e. Theorem. Composition_Correctness : self_stabilization A1 ⊕ A2 .

The above theorem states that A1 ⊕ A2 eventually reaches an environment from which S2 holds and S1g is satisfied in all environments. We now outline the proof of the theorem. We first have to exhibit a predicate that defines the legitimate environments LEG3 of A1 ⊕ A2 . This predicate holds in each environment that is terminal for A1 and legitimate for A2 : LEG3 := fun g3 = > terminal ( envread1 g3 ) ∧ LEG2 ( envread2 g3 ).

Then, we prove the following intermediate result: Lemma. t1_e2 : ∀ e , is_exec e → ( terminal • H) ( execread1 e ) → Always ( terminal • H) ( execread1 e ) ∧ is_exec ( execread2 e ).

Namely, any execution e of A1 ⊕ A2 that starts in an A1 -terminal environment remains in A1 -terminal environments and is actually an execution for A2 . First, from an environment which is terminal for A1 , there is no way to update variables of A1 . So, e remains in environments that are A1 -terminal. This claim also implies that each step of e is actually a step of A2 and, consequently, (execread2 e) is a maximal run of A2 satisfying the weakly fair condition. Finally, ((H • execread2) e) satisfies Assume2. Indeed, A1 being silent and self-stabilizing, this implies that if A1 starts in a terminal environment, then, this environment satisfies S1g . Thus, we can use hypothesis H5 on the first environment of e. Hence, we can conclude that (execread2 e) is an execution of A2 . In the rest of the explanation, we consider an arbitrary execution e of A1 ⊕A2 . Closure. To show the closure, we have to prove that if e starts in a legitimate environment of A1 ⊕ A2 (i.e., an environment satisfying LEG3), it always remains in such environments. This is straightforward using Lemma t1_e2. Indeed, first, e remains in environments that are A1 -terminal. Second, as (execread2 e) is an execution for A2 , we can use the closure property of A2 on (execread2 e) (since A2 is self-stabilizing) and prove that legitimate environments for A2 are maintained forever in (execread2 e). Specification. We have to prove that if e is initiated in LEG3, then (S e) holds. We use Lemma t1_e2 again. First, every environment of e is A1 -terminal, and so satisfies S1g . Second, (execread2 e) is an execution of A2 on which we can apply the specification property of A2 (since A2 is self-stabilizing), hence satisfies S2 . Convergence. We should prove that e eventually reaches an environment that is legitimate for A1 ⊕ A2 . This goal is split into three subgoals: (1) Eventually ( terminal • H) ( execread1 e )

Squeezing Streams and Composition of Self-stabilizing Algorithms

31

i.e., e eventually reaches an environment which is terminal for A1 . This part of the proof is postponed to Sect. 4. Claim (1) ensures that e contains a suffix σ that starts in a terminal environment for A1 : we have ((terminal • H) (execread1 σ)). The second subgoal is then: (2) Always ( terminal • H) ( execread1 σ)

i.e., σ remains A1 -terminal. As any suffix of an execution is also an execution, so is σ. Hence, Claim (2) is immediate from Lemma t1_e2. The third subgoal is: (3) Eventually ( LEG2 • H) ( execread2 σ)

After e has reached an environment that is terminal for A1 , it eventually reaches an environment that is legitimate for A2 . Indeed, its suffix σ eventually reaches an environment that is legitimate for A2 : to prove this, we use the convergence of A2 (as A2 is self-stabilizing) since, by Lemma t1_e2, (execread2 σ) is an execution of A2 . Now, as σ eventually reaches LEG2, so does e.

4

Squeezing Streams and Convergence of Composition

The main part of the proof consists in proving that any execution of the composite algorithm eventually reaches an environment which is terminal for A1 (Claim (1)). This requires to use the assumption that A1 is silent, i.e., Hypothesis H2 . To that goal, we consider an execution e of A1 ⊕ A2 and we focus on its projection on A1 , (execread1 e). Now, this latter stream is usually not an execution of A1 and H2 only applies to executions of A1 . Actually, each step of e matches one of the two following cases: either at least one node executes A1 in the step, or all activated nodes only execute A2 . In the former case, the projection of the step on A1 is a step of A1 . In the latter case, the projection gives two identical environments of A1 . Hence, (execread1 e) is made of steps of A1 , separated by duplicates. So, to apply H2 , it is mandatory to construct an execution of A1 by computing the squeezing of (execread1 e), i.e., the stream obtained by removing all duplicates from (execread1 e). In Subsect. 4.1, we describe how to compute the squeezing of a general stream. Again, it is a filter in the sense of Bertot [8] since it removes elements from the stream. Yet, its filtering predicate is particular, as it forbids any two consecutive elements to be equal. But, in contrast with Bertot [8], the squeezing applies to streams that can be finite or infinite and allows to remove an infinite suffix of duplicates. Therefore, we have an additional issue: the squeezing needs to decide at each step whether to continue or give up because a constant, potentially infinite, suffix has been reached. The object resulting from squeezing – so-called squeezed stream – is complex since it is defined as an explicit construction. Consequently, dealing with it directly in proofs requires heavy Coq developments. To avoid such implementation details, we rather work on an abstraction stream relation, called simulation, which encompasses the useful properties of the squeezed stream.

32

K. Altisen et al.

4.1

Squeezing

We now explain how to build the squeezing of an arbitrary stream whose elements are of type A. Let s be such a stream. The squeezed version of s contains exactly the same elements as s, in the same order, yet without any duplicate. For example, if s = 1 2 2 3 3 3 3 3 4 5 6 6 7 8 8 8 ... (s ends with an infinite suffix of 8), then the squeezing of s is the finite sequence s’ = 1 2 3 4 5 6 7 8. Every element in s is still present in s’, following the same increasing order, yet every duplicate has been removed from s, including the infinite sequence of 8. Note that a squeezing may not be finite, e.g., if s is the infinite repetition of the pattern 1 2 3, then the squeezing of s is s itself. We want to build the squeezed stream, i.e., to define a function Squeeze which computes the squeezed version of an input stream s. This computation will be carried out by a coinductive function. To compute (Squeeze s), it is necessary to test whether all elements in the stream s are identical to (H s). If so, (Squeeze s) will be (O (H s)); otherwise it will be (C (H s) (Squeeze s )), where s is the maximal suffix of s starting with an element distinct from (H s). Now, a stream may be infinite, and so the aforementioned test is undecidable in general. Thus, we need extra information in order to make the decision and, since we will base the result of the squeezing algorithm on this decision, it has to be constructive. In Coq, constructive objects are in sort Type and carry computational content.5 We assume (Skippable (H s) s) where: Skippable ( a : A ) ( s : Stream ): Type := { is_constant a s }+{ reach_diff a s }.

Any value of (Skippable (H s) s) carries either a proof of (is_constant (H s) s) or a proof of (reach_diff (H s) s). For an element a and a stream s, (is_constant a s) means (Always (fun s => H s ∼ = a) s),6 i.e., the stream s contains nothing but the element a, albeit finite or not. Then, (reach_diff a s) means that s begins with a finite number of a followed by some element different from a. To be able to compute Squeeze, (reach_diff a s) should also provide a way to compute the suffix s of s where all the instances of a at the beginning of s have been removed. Actually, we implement (reach_diff a s) as (Acc (Rskip a) s). For an element a and two streams s1, s2, (Rskip a s1 s2) holds when either s1 and s2 are both reduced to the single element a or s2 is equal to (C a s1), i.e., C a s1 ∼ = s2 ∨ s1 ∼ = O a ∧ O a ∼ = s2. The inductive proposition Acc is taken from the Coq.Init.Wf standard library which provides tools on well-founded inductions. Predicate (Acc (Rskip a) s) means that any descending chain from s, using relation (Rskip a), is finite. Using a well-founded induction on a value of (reach_diff a s), we are able to define a recursive function Skip with dependent arguments (a: A), (s: Stream), and (rd: reach_diff a s) that computes 5 6

Conversely, objects in sort Prop are only proofs of logical statements. ∼ = is a generic notation that represents equality; when it applies on streams, it implements pointwise equality.

Squeezing Streams and Composition of Self-stabilizing Algorithms

33

the maximal suffix of s starting with an element distinct from a. Thus, whenever we obtain a proof of (reach_diff (H s) s), we can compute s using Skip. However, to be able to compute the corecursive call (Squeeze s ), we need to exhibit a value of (Skippable (H s ) s ). This means that we need an algorithm that may compute, repeatedly and lazily, along the stream, a value of (Skippable (H σ) σ), where σ is any suffix of s. This is performed by Always_, the counterpart in Type of Always. So, we obtain the following definition: Squeezable ( s : Stream ): Type := Always_ ( fun s = > Skippable (H s ) s ) s .

The construction of Squeeze can now be completed as a cofixed point with dependent arguments (s: Stream A) and (sq: Squeezable s) (n.b., we omit parameter sq when it is clear from the context). As a direct consequence of the definition, we can show that a squeezed stream contains no duplicate: Lemma. S q u e e z e _ A l w a y s _ m o v e s : ∀ ( s : Stream ) ( sq : Squeezable s ) , Always moves ( Squeeze s ).

In the lemma, the predicate moves checks that a stream differs on its two first elements if they exist. The lemma is proven using a coinductive proof that follows the definition of Squeeze. It essentially relies on the fact that for every element a and stream s on which (Skip a s) can be evaluated (i.e., which begins with a finite number of a), the first element of (Skip a s) is different from a. 4.2

Preserving Properties by Simulation

We now define the simulation relation. As usual, our simulation defines an abstract view, yet adapted to our context. Given two streams X and Y, (Y ≤sim X) means that Y is obtained from X by removing some of its duplicates, namely Y and X contains exactly the same elements, in the same order, yet each element is at most as duplicated in Y as in X. For instance, with s = 1 2 2 3 3 3 3 4 5 6 6 7 8 8... (ending with an infinite sequence of 8) and s’ = 1 2 2 3 3 4 5 6 7 8..., we have (s’ ≤sim s) since every value, from 1 to 8, appears in both sequences and the number of 1 (resp. 2, 3, 4, 5, 6, 7, 8) is smaller or equal in s’. The relation ≤sim is based on inductive and coinductive mechanisms, defined as follows: CoInductive ≤sim : Stream → Stream → Prop := | sim_constant : ∀ a s , is_constant a s → O a ≤sim s | sim_cons : ∀ a s1 s2 s3 , s1 ≤sim s2 → C_plus a s2 s3 → C a s1 ≤sim s3 .

The first constructor sim_constant means that every stream made of one element a is smaller than any stream constantly made of a (albeit finite or infinite). The second constructor sim_cons means that given an element a and two streams s1 and s2 such that s1 is smaller than s2, if the stream s3 is obtained from s2 by adding a positive number of a (namely, (C_plus a s2 s3) holds), then (C a s1) is smaller than s3. The predicate C_plus is inductively

34

K. Altisen et al.

defined and (C_plus a s1 (C a s2)) checks that either s1 and s2 are equal or (C_plus a s1 s2). We can show that ≤sim is a partial order, and as squeezing means removing all duplicates of a stream, we can prove that for a given squeezable stream, its squeezing is minimal w.r.t. ≤sim (see [2] for details): Lemma. Squeeze_is_min : ∀ ( s : Stream ) ( sq : Squeezable s ) , Squeeze s ≤sim s ∧ ∀ x , x ≤sim s → Squeeze s ≤sim x .

We show that some properties can be transferred between ≤sim -related streams. Precisely, a property P is defined to be (decreasing) monotonic (resp. comonotonic) w.r.t. ≤sim as follows: monotonic P := ∀ x y , x ≤sim y → P y → P x comonotonic P := ∀ x y , x ≤sim y → P x → P y

The proof of Claim (1) requires to prove the preservation of the following properties. First, we prove a result related to the implication: for two predicates P and Q, such that P is comonotonic and Q is monotonic, we easily obtain that (fun s => P s → Q s) is monotonic. For some property P which is monotonic (resp. comonotonic), (Eventually P) is monotonic (resp. comonotonic): indeed if P is reached by a given stream y, then it is also reached by any stream x that contains less (resp. more) duplicates. Similarly, for some monotonic property P, (Always P) is monotonic. Some other ad-hoc properties are proven (co)monotonic, if necessary, using straightforward coinductions. 4.3

Proof of Claim (1)

The core of the proof is to use Squeeze on (execread1 e) and to show that the result is actually an execution of A1 . To allow the use of Squeeze (execread1 e), we need to show that (execread1 e) is squeezable, meaning that from any environment of (execread1 e), we can decide whether the remaining sequence of environments is constant. This proof uses the fact that e is weakly fair and that the predicate terminal is decidable. First, if initially e is terminal for A1 , then it remains so forever, and (execread1 e) is a constant sequence made of the environment (H (execread1 e)) only. Second, we show that if initially, e is not terminal for A1 , then necessarily, we have reach_diff (H (execread1 e)) (execread1 e) which means that (execread1 e) begins by a finite number of duplicates of (H (execread1 e)). Indeed, as (H e) is not terminal for A1 , there exists a node which is enabled to execute its local algorithm A1 in e. It will remain continuously enabled until being activated or neutralized, meaning that the node or one of its neighbors has made a move of A1 . This activation or neutralization eventually occurs due to the weakly fair assumption and the fact that A1 has priority over A2 . Following this remark, the proof is done by induction on the weakly fair assumption. Third, whether or not e is initially terminal for A1 is

Squeezing Streams and Composition of Self-stabilizing Algorithms

35

decidable (Lemma terminal_dec). Hence, the proof that (execread1 e) is squeezable is performed coinductively and each step of the coinduction decides whether the current environment is terminal for A1 . So we can build Se = Squeeze (execread1 e) and show it is an execution of A1 . (a) Se is initiated under Assume1 since a stream and its squeezing have the same initial environment. (b) Se is weakly fair. We have Se ≤sim (execread1 e) by Lemma Squeeze_is_min. We show that (execread1 e) is weakly fair by induction and coinduction on the definition of weakly_fair. Now, we can prove that weakly_fair is monotonic directly using preservation properties. So, we conclude that Se is weakly fair. (c) Se is a maximal run. We first prove the following intermediate claim: ( c1 ) ∀ e1 , Always moves e1 → e1 ≤sim execread1 e → is_max_run e1 .

The proof is split into two subgoals: (Always s_Step e1) and (Always s_terminal e1). Let s be any stream. (s_Step s) means that when s is made of at least two elements (i.e., s is equal to some (C a ss)), then (Step (H ss) a) holds. (s_terminal s) means that when s is made of a single element a (i.e., s is equal to (O a))), then (terminal a) holds. Subgoal 1 follows from the fact that Always (fun e => moves e → s_Step e) is monotonic. This latter can be shown by a direct coinduction, which mainly relies on the fact that as s_Step applies on the first two elements of the stream and can hold only when they are different. For Subgoal 2, we use the assumption (weakly_fair e) to show the property ( c2 ) ∀ g1 , is_constant g1 ( execread1 e ) → terminal g1 .

namely, if (execread1 e) is constantly made of an environment g1, then g1 is terminal. Actually, we proceed by contradiction and prove that if g1 is not terminal, then there exists a node n which is enabled in g1. Therefore, due to the weakly fair assumption, n will be eventually activated or neutralized in A1 ⊕ A2 , hence in A1 , since A1 has priority over A2 in A1 ⊕ A2 . Then, by induction on (Eventually (AN n) e), we obtain that e cannot be constantly made of g1. Subgoal 2 is then obtained with a direct coinductive proof using Claim (c2). This concludes the proof of Claim (c1) which can be applied on Se since, again, (Se ≤sim execread1 e) and (Always moves) hold on Se (see Lemma Sque eze_Always_moves). Hence, Se is a maximal run. Actually, e1 and Se represent one and the same stream, but working on e1 has allowed to get rid of the (complex) construction of Se = Squeeze (execread1 e) in the proof. As a conclusion, we deduce (by (a), (b), and (c)) that the squeezing Se of the stream (execread1 e) is an execution of A1 and use it on H2 (A1 is silent). Hence, Se is finite, i.e., it eventually reaches a terminal environment. As Eventually is comonotonic, (execread1 e) eventually reaches a terminal environment too, hence Claim (1) holds. This concludes the proof of convergence.

36

5

K. Altisen et al.

Conclusion

The composition theorem proves that hierarchical collateral composition preserves self-stabilization when applied under convenient assumptions, in particular assuming weakly fair executions. It comes with a toolbox for squeezing streams that was mandatory to achieve the proof of the theorem. As an example, we instantiated the theorem with the two first layers of the algorithm proposed in [20]. The first layer builds a rooted spanning tree on an identified connected network; the second layer assumes such a tree exists and computes a k-dominating set of the network (k ∈ N) using this tree. Both algorithms are self-stabilizing under a weakly fair daemon, and our result certifies that their composition is also self-stabilizing and so builds a k-dominating set of an arbitrary connected identified network. Composition techniques, in particular the hierarchical collateral composition, are widely used in the self-stabilizing area [18,23,27] because adopting a modular approach is unavoidable to design and prove complex present-day algorithms. Certification of such techniques is a step beyond traditional handmade proofs that offers hugely more confidence in the correctness of the result; and also a step towards the certification of complex multi-layered algorithms.

References 1. Abel, A., Pientka, B., Thibodeau, D., Setzer, A.: Copatterns: programming infinite structures by observations. In: The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2013, Rome, Italy, 23–25 January 2013 (2013) 2. Altisen, K., Corbineau, P., Devismes, S.: PADEC: A Framework for Certified SelfStabilization. http://www-verimag.imag.fr/∼altisen/PADEC/ 3. Altisen, K., Corbineau, P., Devismes, S.: A framework for certified selfstabilization. Logical Methods Comput. Sci. (special issue of FORTE 2016) 13(4) (2017) 4. Altisen, K., Devismes, S., Durand, A.: Concurrency in snap-stabilizing local resource allocation. J. Parallel Distrib. Comput. 102, 42–56 (2017) 5. Auger, C., Bouzid, Z., Courtieu, P., Tixeuil, S., Urbain, X.: Certified impossibility results for byzantine-tolerant mobile robots. In: Higashino, T., Katayama, Y., Masuzawa, T., Potop-Butucaru, M., Yamashita, M. (eds.) SSS 2013. LNCS, vol. 8255, pp. 178–190. Springer, Cham (2013). https://doi.org/10.1007/978-3-31903089-0 13 6. Beauquier, J., Gradinariu, M., Johnen, C.: Cross-over composition - enforcement of fairness under unfair adversary. In: Datta, A.K., Herman, T. (eds.) WSS 2001. LNCS, vol. 2194, pp. 19–34. Springer, Heidelberg (2001). https://doi.org/10.1007/ 3-540-45438-1 2 7. B´erard, B., Lafourcade, P., Millet, L., Potop-Butucaru, M., Thierry-Mieg, Y., Tixeuil, S.: Formal verification of mobile robot protocols. Distrib. Comput. 29(6), 459–487 (2016). https://doi.org/10.1007/s00446-016-0271-1 8. Bertot, Y.: Filters on coinductive streams, an application to eratosthenes’ sieve. In: Urzyczyn, P. (ed.) TLCA 2005. LNCS, vol. 3461, pp. 102–115. Springer, Heidelberg (2005). https://doi.org/10.1007/11417170 9

Squeezing Streams and Composition of Self-stabilizing Algorithms

37

9. Bertot, Y., Cast´eran, P.: Interactive Theorem Proving and Program Development Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series. Springer, Heidelberg (2004). https://doi.org/10.1007/ 978-3-662-07964-5 10. Blin, L., Fraigniaud, P., Patt-Shamir, B.: On proof-labeling schemes versus silent self-stabilizing algorithms. In: Felber, P., Garg, V. (eds.) SSS 2014. LNCS, vol. 8756, pp. 18–32. Springer, Cham (2014). https://doi.org/10.1007/978-3-31911764-5 2 11. Caron, E., Chuffart, F., Tedeschi, C.: When self-stabilization meets real platforms: an experimental study of a peer-to-peer service discovery system. Future Gener. Comput. Syst. 29(6), 1533–1543 (2013) 12. Caron, E., Datta, A.K., Depardon, B., Larmore, L.L.: A self-stabilizing k-clustering algorithm for weighted graphs. J. Parallel Distrib. Comput. 70(11), 1159–1173 (2010) 13. Cast´eran, P., Filou, V., Mosbah, M.: Certifying distributed algorithms by embedding local computation systems in the coq proof assistant. In: Symbolic Computation in Software Science (SCSS 2009) (2009) 14. Chen, M., Monin, J.F.: Formal verification of netlog protocols. In: Sixth International Symposium on Theoretical Aspects of Software Engineering, TASE 2012, Beijing, China, 4–6 July 2012 (2012) 15. Coupet-Grimal, S.: An axiomatization of linear temporal logic in the calculus of inductive constructions. J. Log. Comput. 13(6), 801–813 (2003) 16. Courtieu, P.: Proving self-stabilization with a proof assistant. In: 16th International Parallel and Distributed Processing Symposium (IPDPS 2002), Fort Lauderdale, FL, USA, 15–19 April 2002, CD-ROM/Abstracts Proceedings (2002) 17. Courtieu, P., Rieg, L., Tixeuil, S., Urbain, X.: Certified universal gathering in R2 for oblivious mobile robots. In: Gavoille, C., Ilcinkas, D. (eds.) DISC 2016. LNCS, vol. 9888, pp. 187–200. Springer, Heidelberg (2016). https://doi.org/10.1007/9783-662-53426-7 14 18. Datta, A.K., Devismes, S., Heurtefeux, K., Larmore, L.L., Rivierre, Y.: Competitive self-stabilizing k-clustering. Theor. Comput. Sci. 626, 110–133 (2016) 19. Datta, A.K., Gurumurthy, S., Petit, F., Villain, V.: Self-stabilizing network orientation algorithms in arbitrary rooted networks. Stud. Inform. Univ. 1(1), 1–22 (2001) 20. Datta, A.K., Larmore, L.L., Devismes, S., Heurtefeux, K., Rivierre, Y.: Selfstabilizing small k-dominating sets. IJNC 3(1), 116–136 (2013) 21. Dijkstra, E.W.: Self-stabilizing systems in spite of distributed control. Commun. ACM 17(11), 643–644 (1974) 22. Doan, H.T.T., Bonnet, F., Ogata, K.: Model checking of a mobile robots perpetual exploration algorithm. In: Liu, S., Duan, Z., Tian, C., Nagoya, F. (eds.) SOFL+MSVL 2016. LNCS, vol. 10189, pp. 201–219. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57708-1 12 23. Dolev, S.: Self-stabilization. MIT Press, Cambridge (2000) 24. Dubois, S., Tixeuil, S.: A Taxonomy of Daemons in Self-stabilization. CoRR abs/1110.0334 (2011). http://arxiv.org/abs/1110.0334 25. Fei, L., Yong, S., Hong, D., Yizhi, R.: Self stabilizing distributed transactional memory model and algorithms. J. Comput. Res. Dev. 51(9), 2046 (2014) 26. Gim´enez, E.: An application of co-inductive types in Coq: verification of the alternating bit protocol. In: Berardi, S., Coppo, M. (eds.) TYPES 1995. LNCS, vol. 1158, pp. 135–152. Springer, Heidelberg (1996). https://doi.org/10.1007/3-54061780-9 67

38

K. Altisen et al.

27. Gouda, M., Herman, T.: Adaptive programming. IEEE Trans. Softw. Eng. 17, 911–921 (1991) 28. K¨ ufner, P., Nestmann, U., Rickmann, C.: Formal verification of distributed algorithms. In: Baeten, J.C.M., Ball, T., de Boer, F.S. (eds.) TCS 2012. LNCS, vol. 7604, pp. 209–224. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3642-33475-7 15 29. Kulkarni, S.S., Rushby, J.M., Shankar, N.: A case-study in component-based mechanical verification of fault-tolerant programs. In: 1999 ICDCS Workshop on Self-stabilizing Systems, Austin, Texas, 5 June 1999, Proceedings (1999) 30. Lamport, L.: How to write a 21st century proof. J. Fixed Point Theory Appl. 11(1), 43–63 (2012) 31. Leroy, X., Grall, H.: Coinductive big-step operational semantics. Inf. Comput. 207(2), 284–304 (2009) 32. Paulson, L.C.: Mechanizing coinduction and corecursion in higher-order logic. J. Log. Comput. 7(2), 175–204 (1997) 33. Pnueli, A.: The temporal logic of programs. In: 18th Annual Symposium on Foundations of Computer Science, Providence, Rhode Island, USA, 31 October–1 November 1977, pp. 46–57. IEEE Computer Society (1977) 34. Tel, G.: Introduction to Distributed Algorithms, 2nd edn. Cambridge University Press, Cambridge (2001) 35. The Coq Development Team: The Coq Proof Assistant Documentation, June 2012. http://coq.inria.fr/refman/

Parametric Updates in Parametric Timed Automata ´ Etienne Andr´e1,2,3 , Didier Lime4 , and Mathias Ramparison1(B) 1

Universit´e Paris 13, LIPN, CNRS, UMR 7030, 93430 Villetaneuse, France [email protected] 2 JFLI, CNRS, Tokyo, Japan 3 National Institute of Informatics, Tokyo, Japan 4 ´ Ecole Centrale de Nantes, LS2N, CNRS, UMR 6597, Nantes, France

Abstract. Verification of timed concurrent systems is hard, especially when the exact value of timing constants remains unknown. In this work, we propose a new subclass of Parametric Timed Automata (PTAs) enjoying a decidability result; we allow clocks to be compared to parameters in guards, as in classic PTAs, but also to be updated to parameters. If we update all clocks each time we compare a clock with a parameter and each time we update a clock to a parameter, we obtain a syntactic subclass for which we can decide the EF-emptiness problem (“is the set of parameter valuations for which some given location is reachable in the instantiated timed automaton empty?”) and even perform the exact synthesis of the set of rational valuations such that a given location is reachable. To the best of our knowledge, this is the first non-trivial subclass of PTAs, actually even extended with parametric updates, for which this is possible.

1

Introduction

Timed automata (TAs) are a powerful formalism to model and verify timed concurrent systems, both expressive enough to model many interesting systems and enjoying several decidability properties. In particular, the reachability of a discrete state is PSPACE-complete [1]. In TAs, clocks can be compared with constants in guards, and can be updated to 0 along edges. This can model a system where processes synchronise (are reset) together periodically. Timed automata may turn insufficient to verify systems where the timing constants themselves are subject to some uncertainty, or when they are simply not known at the early design stage. Parametric timed automata (PTAs) [2] address this drawback by allowing parameters (unknown constants) in the timing This work is partially supported by the ANR national research program PACS (ANR14-CE28-0002). ´ Andr´e—Partially supported by ERATO HASUO Metamathematics for Systems E. Design Project (No. JPMJER1603), JST. c IFIP International Federation for Information Processing 2019  Published by Springer Nature Switzerland AG 2019 J. A. P´ erez and N. Yoshida (Eds.): FORTE 2019, LNCS 11535, pp. 39–56, 2019. https://doi.org/10.1007/978-3-030-21759-4_3

40

´ Andr´e et al. E.

constraints; this high expressive power comes at the cost of the undecidability of most interesting problems . In particular, the basic problem of EF-emptiness (“is the set of valuations for which a given location is reachable in the instantiated timed automaton empty?”) is “robustly” undecidable: even for a single rationalvalued [20] or integer-valued parameter [2,8], or when only strict constraints are used [15]. A well-known syntactic subclass of PTAs that enjoys limited decidability is L/U-PTAs [17], where the parameters set is partitioned into lower-bound and upper-bound parameters, i.e., parameters that can only be compared to a clock as a lower-bound (resp. upper-bound). The EF-emptiness problem is decidable for L/U-PTAs [11,17] and for PTAs under several restrictions [13]; however, most other problems are undecidable (e.g., [4,7,11,18,21]). Contributions. We investigate parametric updates, which can model an unknown timing configuration in a system where processes need to synchronise together on common events, as in e.g., programmable controller logic programs with concurrent tasks execution. We show that the EF-emptiness problem is decidable for PTAs augmented with parametric updates, with the additional condition that whenever a clock is compared to a parameter in a guard or updated to a parameter, all clocks must be updated (possibly to parameters)—this gives R-U2P-PTA. This result holds when the parameters are bounded rationals in guards, and possibly unbounded rationals in updates. Non-trivial decidable subclasses of PTAs are a rarity (to the best of our knowledge, only L/U-PTAs [17] and integer-points (IP-)PTAs [7]); this makes our positive result very welcome. In addition, not only the emptiness is decidable, but exact synthesis for bounded rational-valued parameters can be performed—which contrasts with L/U-PTAs and IP-PTAs as synthesis was shown intractable [7,18]. A full version of this paper with all detailed proofs is available at [6]. Related Work. Our construction is reminiscent of the parametric difference bound matrices (PDBMs) defined in [22, Sect. III.C] where the author revisit the result of the binary reachability relation over both locations and clock valuations in TAs; however, parameters of [22] are used to bound in time a run that reaches a given location, while we use parameters directly in guards and resets along the run, which make them active components of the run specifically for intersection with parametric guards, key point not tackled in [22]. Allowing parameters in clock updates is inspired by the updatable TA defined in [10] where clocks can be updated not only to 0 (“reset”) but also to rational constants (“update”). In [5], we extended the result of [10] by allowing parametric updates (and no parameter elsewhere, e.g., in guards): the EF-emptiness is undecidable even in the restricted setting of bounded rational-valued parameters, but becomes decidable when parameters are restricted to (unbounded) integers. Synthesis is obviously harder than EF-emptiness: only three results have been proposed to synthesize the exact set of valuations for subclasses of PTAs, but they are all concerned with integer -valued parameters [5,11,18]. In contrast, we deal here with (bounded) rational-valued parameters—which makes this result the first of its kind. The idea of updating all clocks when compared to parameters

Parametric Updates in Parametric Timed Automata

41

comes from our class of reset-PTAs briefly mentioned in [7], but not thoroughly studied. Finally, updating clocks on each transition in which a parameter appears is reminiscent of initialized rectangular hybrid automata [16], which remains one of the few decidable subclasses of hybrid automata. Section 2 recalls preliminaries. Section 3 presents R-U2P-PTA along with our decidability result. Section 4 gives a concrete application of our result.

2

Preliminaries

Throughout this paper, we assume a set X = {x1 , . . . , xH } of clocks, i.e., realvalued variables evolving at the same rate. A clock valuation is w : X → R+ . We write 0 for the clock valuation that assigns 0 to all clocks. Given d ∈ R+ , w + d (resp. w − d) denotes the valuation such that (w + d)(x) = w(x) + d (resp. (w − d)(x) = w(x) − d if w(x) − d > 0, 0 otherwise), for all x ∈ X. We assume a set P = {p1 , . . . , pM } of parameters, i.e., unknown constants. A parameter valuation v is a function v : P → Q+ . We identify a valuation v with the point (v(p1 ), . . . , v(pM )) of QM + . Given d ∈ N, v + d (resp. v − d) denotes the valuation such that (v + d)(p) = v(p) + d (resp. (v − d)(p) = v(p) − d if v(p) − d > 0, 0 otherwise), for all p ∈ P. In the following, we assume  ∈ {v y := pv2 fakeBlock t := 0 x := p1 y := p2 t=p t := 0 newBlock mine x := p1 y := p2 x>v t := 0 fakeBlock x := p1 y = max ∧ x < max y := p2 blockSolutiony t := 0 x := pv1 checky y := 0 t := 0

y≤v okBlock x := 0 y := 0 t := 0

x≤v okBlock x := 0 y := 0 t := 0

rewardx

rewardy

addBlock t := 0

Fig. 1. A proof-of-work modeled with a bounded R-U2P-PTA.

Definition 1. An update-to-parameter PTA (U2P-PTA) A is a tuple A = (Σ , L, l0 , X, P, ζ), where: (i) Σ is a finite set of actions, (ii) L is a finite set of locations, (iii) l0 ∈ L is the initial location, (iv) X is a finite set of clocks, (v) P is a finite set of parameters, (vi) ζ is a finite set of edges e = l, g, a, u, l  where l, l ∈ L are the source and target locations, g is a parametric guard, a ∈ Σ and u : X  N ∪ P is a parametric update function. An U2P-PTA is depicted in Fig. 1. Note that all clocks are updated whenever there is a comparison with a parameter (as in newBlock) or a clock is updated to a parameter (as in blockSolutionx ). Given a parameter valuation v, we denote by v(A) the structure where all occurrences of a parameter pi have been replaced by v(pi ). If v(A) is such that all constants in guards and updates are integers, then v(A) is a updatable timed automaton [10] but will be called timed automaton (TA) for the sake of simplicity in this paper. A bounded U2P-PTA is a U2P-PTA with a bounded parameter domain that assigns to each parameter a minimum integer bound and a maximum integer bound. That is, each parameter pi ranges in an interval [ai , bi ], with ai , bi ∈ N. Hence, a bounded parameter domain is a hyperrectangle of dimension M . A parametric timed automaton (PTA) [2] is a U2P-PTA where, for any edge e = l, g, a, u, l  ∈ ζ, u : X  {0}.

Parametric Updates in Parametric Timed Automata

43

Definition 2 (Concrete semantics of a TA). Given a U2P-PTA A = (Σ , L, l0 , X, P, ζ), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s0 , →), withS = {(l, w) ∈ L × RH + }, s0 = (l0 , 0) and → consists of the discrete and (continuous) delay transition relations: e

– discrete transitions: (l, w) → (l , w ), if (l, w), (l , w ) ∈ S, there exists e =

l, g, a, u, l  ∈ ζ, w = [w]v(u) , and w |= v(g). d

– delay transitions: (l, w) → (l, w + d), with d ∈ R+ . e

Moreover we write (l, w) −→ (l , w ) for a combination of a delay and discrete d

e

transitions where ((l, w), e, (l , w )) ∈ → if ∃d, w : (l, w) → (l, w ) → (l , w ). Given a TA v(A) with concrete semantics (S, s0 , →), we refer to the states of S as the concrete states of v(A). A (concrete) run of v(A) is a possibly infinite alternating sequence of concrete states of v(A) and edges starting from s0 of the em−1 e0 e1 em s1 −→ · · · −→ sm −→ · · · , such that for all i = 0, 1, . . . , ei ∈ ζ, form s0 −→ and (si , ei , si+1 ) ∈ →. Given a state s = (l, w), we say that s is reachable (or that v(A) reaches s) if s belongs to a run of v(A). By extension, we say that l is reachable in v(A), if there exists a state (l, w) that is reachable. Throughout this paper, let K denote the largest constant in a given U2PPTA, i.e., the maximum of the largest constant compared to a clock in a guard and the largest upper bound of a parameter (if the U2P-PTA is bounded). Let us recall the notion of clock region [1]. Definition 3 (clock region). For two clock valuations w and w , ∼ is an equivalence relation defined by: w ∼ w iff (i) for all clocks x, either w(x) = w (x) or w(x), w (x) > K; (ii) for all clocks x, y with w(x), w(y) ≤ K, frac(w(x)) ≤ frac(w(y)) iff frac(w (x)) ≤ frac(w (y)); (iii) for all clocks x with w(x) ≤ K, frac(w(x)) = 0 iff frac(w (x)) = 0. A clock region is an equivalence class of ∼. Two clock valuations in the same clock region reach the same regions by time elapsing, satisfy the same guards and can take the same transitions [1]. In this paper, we address the EF-emptiness problem: given a U2P-PTA A and a location l, is the set of parameter valuations v such that l is reachable in v(A) empty?

3

A Decidable Subclass of U2P-PTAs

We now impose that, whenever a guard or an update along an edge contains parameters, then all clocks must be updated (to constants or parameters). Our main contribution is to prove that this restriction makes EF-emptiness decidable.

44

´ Andr´e et al. E.

Definition 4. An R-U2P-PTA is a U2P-PTA where for any l, g, a, u, l  ∈ ζ, u is a total function whenever:1 (i) g is a parametric guard, or (ii) u(x) ∈ P for some x ∈ X. The main idea for proving decidability is the following: given an R-U2PPTA A we will construct a finite region automaton that bisimulates A, as in TA [1]. Our regions will contain both clocks and parameters, and will be a finite number. Since parameters are allowed in guards, we need to construct parameter regions and more restricted clock regions. We will define a form of Parametric Difference Bound Matrices (viz., p–PDBMs for precise PDBMs, inspired by [17]) in which, once valuated by a parameter valuation, two clock valuations have the same discrete behavior and satisfy the same non-parametric guards. A p–PDBM will define the set of clocks and parameter valuations that satisfies it, while once valuated by a parameter valuation, a valuated p–PDBM will define the set of clock valuations that satisfies it. A key point is that in our p–PDBMs the parametric constraints used in the matrix will be defined from a finite set of predefined expressions involving parameters and constants, and we will prove that this defines a finite number of p–PDBMs. Decidability will come from this fact. We define this set (PLT for parametric linear term) as follows: PLT = {frac(pi ), 1 − frac(pi ), frac(pi ) − frac(pj ), frac(pj ) + 1 − frac(pi ), 1, 0, frac(pi ) − 1 − frac(pj ), −frac(pi ), frac(pi ) − 1}, for all 1 ≤ i, j ≤ M . Given a parameter valuation v and d ∈ PLT , we denote by v(d) the term obtained by replacing in d each parameter p by v(p). Let us now define an equivalence relation between parameter valuations v and v  . Definition 5 (regions of parameters). We write that v  v  if (i) for all parameter p, v(p) = v  (p) ; (ii) for all d1 , d2 , d3 ∈ PLT , v(d1 ) ≤ v(d2 )+v(d3 ) iff v  (d1 ) ≤ v  (d2 ) + v  (d3 ); Parameter regions are defined as the equivalence classes of . The definition is in a way similar to [1, Definition 4.3] but also involves comparisons of sums of elements of PLT . In fact, we will need this kind of comparisons to define our p–PDBMs. Nonetheless we do not need more complicated comparisons as in R-U2P-PTA whenever a parametric guard or update is met the update is a total function: this preserves us from the parameter accumulation, e.g., obtaining expressions of the form 5frac(pi ) − 1 − 3frac(pj ) (that may occur in usual PTAs). In the following, our p–PDBMs will contain pairs of the form D = (d, ), where d ∈ PLT . We therefore need to define comparisons on these pairs. We define an associative and commutative operator ⊕ as 1 ⊕ 2 = < if 1 = 2 , or 1 if 1 = 2 . We define D1 + D2 = (d1 + d2 , 1 ⊕ 2 ). Following the idea of parameter regions, we define the validity of a comparison between pairs 1

In the following we only consider either non-parametric, or (necessarily total) fully parametric update functions. A total update function which is not fully parametric (i.e., an update of some clocks to parameters and all others to constants) can be encoded as a total fully parametric update immediately followed by a (partial) nonparametric update function.

Parametric Updates in Parametric Timed Automata

45

of the form (di , i ) within a given parameter region, i.e., whether the comparison is true for all parameter valuations v in the parameter region Rp . Definition 6 (validity of comparison). Let Rp bea parameter region. Given any two linear terms d1 , d2 over P (i.e., of the form i αi pi + d with αi , d ∈ Z), the comparison (d1 , 1 )  (d2 , 2 ) is valid for Rp if: 1.  =