Quantitative Aspects of Programming Languages - Semantic Scholar

Fifth Workshop on

Quantitative Aspects of Programming Languages Braga, Portugal March 24–25, 2007

Edited by Alessandro Aldini and Franck van Breugel

Contents v

Preface

vii

Programme Luca Cardelli (Invited speaker) Artificial Biochemistry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1

Radha Jagadeesan (Invited speaker) Approximate Reasoning for Time and Probabilities . . . . . . . . . . . . . . . . . . . . . .

3

Roberto Segala (Invited speaker) Nondeterminism in Quantitative Analysis of Probabilistic Systems . . . . . . .

5

Ashok Argent-Katwala and Jeremy Bradley PEPA Queues: Capturing customer behaviour in queueing networks . . . . . .

7

Stefano Bistarelli, Ugo Montanari, Francesca Rossi and Francesco Santini Modelling Multicast QoS Routing by using Best-Tree Search in And-or Graphs and Soft Constraint Logic Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Luca Bortolussi and Alberto Policriti Stochastic Concurrent Constraint Programming and Differential Equations

41

Tom Chothia, Jun Pang and Mohammad Torabi Dashti Keeping Secrets in Resource Aware Components . . . . . . . . . . . . . . . . . . . . . . . . .

55

Vincenzo Ciancia and Gian Luigi Ferrari Co-Algebraic Models for Quantitative Spatial Logics . . . . . . . . . . . . . . . . . . . . .

71

Yuxin Deng and Wenjie Du Probabilistic Barbed Congruence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Alessandra Di Pierro, Chris Hankin and Herbert Wiklicky On Probabilistic Techniques for Data Flow Analysis . . . . . . . . . . . . . . . . . . . . . . 103 Pedro Baltazar, Paulo Mateus, Rajagopal Nagarajan and Nikolaos Papanikolaou Exogenous Probabilistic Computation Tree Logic . . . . . . . . . . . . . . . . . . . . . . . . 119 Michael Smith Stochastic Modelling of Communication Protocols from Source Code . . . . . 135

iii

Daniele Varacca and Nobuko Yoshida Probabilistic π-Calculus and Event Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Gagarine Yaikhom, Murray Cole, Stephen Gilmore and Jane Hillston A structural approach for modelling performance of systems using skeletons 167 Martin Berger and Nobuko Yoshida (Short paper) Distributed Liveness and Timers for Mobile Processes . . . . . . . . . . . . . . . . . . . . 183 Maria Grazia Vigliotti (Short paper) Stochastic Ambient Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

iv

Preface This volume contains the preliminary proceedings of the Fifth Workshop on Quantitative Aspects of Programming Languages (QAPL 2007), held in Braga, Portugal on March 24 and 25, 2007. The workshop is a satellite event of the European Joint Conferences on Theory and Practice of Software (ETAPS). The final version of these proceedings will appear in the Electronic Notes in Theoretical Computer Science (ENTCS). Quantitative aspects of computation are important and sometimes essential in characterizing the behaviour and determining the properties of systems. They are related to the use of physical quantities (for example, time) as well as mathematical quantities (for example, probability). Such quantities play a central role in defining both the models of systems and the methodologies and tools for the analysis and verification of system properties. The aim of this workshop is to discuss the explicit use of quantitative information, such as time and probabilities, either directly in the model or as a tool for the analysis of systems. In particular, the workshop focuses on • the design of languages with quantitative aspects and the definition of semantic models for such languages, • the discussion of methodologies for the analysis of quantifiable properties, • the probabilistic analysis of systems which do not explicitly incorporate quantitative aspects, and • applications to other domains involving quantitative issues. QAPL’s first edition was held in Florence, Italy in 2001, as a satellite event of the ACM Symposium on Principles, Logics, and Implementations of high-level programming languages (PLI 2001). The proceedings appeared as volume 59(3) of ENTCS. The second edition was held in Barcelona, Spain in 2004, as a satellite event of ETAPS. The proceedings appeared as volume 112 of ENTCS. Based on QAPL 2004, a special issue of the journal Theoretical Computer Science was published as volume 346(1). Also in 2005 and 2006, QAPL was a satellite event of ETAPS and was held in Edinburgh, UK and Vienna, Austria. The proceedings of these last two editions appeared in ENTCS as volume 153(2) and 164(3). The QAPL 2007 programme committee members were Alessandro Aldini (co-chair), University of Urbino, Italy Pedro D’Argenio, University of Cordoba, Argentina Christel Baier, University of Bonn, Germany Franck van Breugel (co-chair), York University, Canada Luca Cardelli, Microsoft Research, UK

v

Vincent Danos, University of Paris VII, France Josee Desharnais, University of Laval, Canada Alessandra Di Pierro, University of Pisa, Italy Maurizio Gabbrielli, University of Bologna, Italy Ian Hayes, University of Queensland, Australia Jan Jurjens, Open University, UK Marta Kwiatkowska, University of Birmingham, UK Pasquale Malacaria, Queen Mary University of London, UK Mieke Massink, CNR-ISTI Pisa, Italy Paulo Mateus, Technical University of Lisbon, Portugal Annabelle McIver, Macquarie University, Australia Joel Ouaknine, Oxford University, UK Gerardo Rubino, INRIA Rennes, France Herbert Wiklicky, Imperial College London, UK Wang Yi, Uppsala University, Sweden With the help of 11 external referees, the programme committee selected 11 papers and 2 short papers for presentation at the workshop. Each submitted full paper was reviewed by at least 3 referees. The programme also contains invited talks given by Luca Cardelli, Microsoft Research, UK Radha Jagadeesan, DePaul University, USA Roberto Segala, University of Verona, Italy We would like to thank all the authors, the programme committee and the external referees for their contribution and the QAPL steering committee for their support. Alessandro Aldini Franck van Breugel

vi

Programme Saturday March 24, 2007 10:58 Welcome 11:00 Invited talk Nondeterminism in Quantitative Analysis of Probabilistic Systems Roberto Segala (University of Verona, Italy) 12:00 Paper Presentation Keeping Secrets in Resource Aware Components Tom Chothia (CWI, The Netherlands), Jun Pang (University of Oldenburg, Germany) and Mohammad Torabi Dashti (CWI, The Netherlands) 12:30–14:30 Lunch 14:30 Invited talk Artificial Biochemistry Luca Cardelli (Microsoft Research, UK) 15:30 Paper Presentation Stochastic Concurrent Constraint Programming and Differential Equations Luca Bortolussi (University of Trieste, Italy) and Alberto Policriti (University of Udine, Italy) 16:00–16:30 Break 16:30 Paper Presentations On Probabilistic Techniques for Data Flow Analysis Alessandra Di Pierro, Chris Hankin, and Herbert Wiklicky (Imperial College London, UK) Probabilistic π-Calculus and Event Structures Daniele Varacca (University of Paris 7, France) and Nobuko Yoshida (Imperial College London, UK) Probabilistic Barbed Congruence Yuxin Deng (Shanghai Jiao Tong University, China) and Wenjie Du (Shanghai Normal University, China)

vii

Sunday March 25, 2007 09:30 Invited Talk Approximate Reasoning for Time and Probabilities Radha Jagadeesan (DePaul University, USA) 10:30–11:00 Break 11:00 Paper Presentations Modelling Multicast QoS Routing by using Best-Tree Search in And-or Graphs and Soft Constraint Logic Programming Stefano Bistarelli (University of Pescara, Italy), Ugo Montanari (University of Pisa, Italy), Francesca Rossi (University of Padova, Italy) and Francesco Santini (IMT Lucca, Italy), Co-Algebraic Models for Quantitative Spatial Logics Vincenzo Ciancia and Gian Luigi Ferrari (University of Pisa, Italy) Exogenous Probabilistic Computation Tree Logic Pedro Baltazar, Paulo Mateus (University of Lisbon, Portugal), Rajagopal Nagarajan, and Nikolaos Papanikolaou (University of Warwick, UK) 12:30–14:30 Lunch 14:30 Paper Presentations Stochastic Modelling of Communication Protocols from Source Code Michael Smith (University of Edinburgh, UK) PEPA Queues: Capturing customer behaviour in queueing networks Ashok Argent-Katwala and Jeremy Bradley (Imperial College London, UK) A structural approach for modelling performance of systems using skeletons Gagarine Yaikhom, Murray Cole, Stephen Gilmore, and Jane Hillston (University of Edinburgh, UK) 16:00–16:30 Break 16:30 Short Paper Presentations Distributed Liveness and Timers for Mobile Processes Martin Berger and Nobuko Yoshida (Imperial College London, UK) Stochastic Ambient Logic Maria Grazia Vigliotti (Imperial College London, UK) 17:30 Steering Committee Meeting

viii

QAPL 2007 Preliminary Version

Artificial Biochemistry Luca Cardelli Microsoft Research 7 JJ Thomson Avenue, Cambridge, CB3 0FB, UK

Abstract Chemical and biochemical systems are presented as collectives of interacting stochastic automata: each automaton represents a molecule that undergoes state transitions. This framework constitutes an artificial biochemistry, where automata interact by the equivalent of the law of mass action. We analyze several example systems and networks, both by stochastic simulation and by ordinary differential equations.

This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs


Approximate Reasoning for Time and Probabilities Radha Jagadeesan School of CTI, DePaul University 243 S. Wabash Avenue, Chicago, Illinois 60604-2287, USA

Abstract The starting point and conceptual basis for classical investigations in concurrency are the notions of equivalence and congruence of processes—when can two processes be considered the same and when can they be substituted for each other? This style of reasoning is fragile in the sense of being too dependent on the exact numerical values of times and probabilities. This talk surveys some metric-based approaches to approximate reasoning in the presence of numerical information—such as probabilities and time—in the model. We focus in particular on pseudo-metric analogue of bisimulation for generalized semi- Markov processes. We show that several quantitative properties of interest are continuous with respect to the pseudo-metric. Thus, if two processes are metrically close, then observable quantitative properties of interest are indeed close.



Nondeterminism in Quantitative Analysis of Probabilistic Systems Roberto Segala Universit` a di Verona, Dipartimento di Informatica Strada Le Grazie 15, Ca’ Vignal 2, 37134 Verona, Italy

Abstract Although in quantitative analysis of probabilistic systems we are interested in the study of performance measures like probability of success or expected complexity for success, in several cases performance measures cannot be studied directly because some aspects of a system are not specified or not known in advance. Examples are distributed systems, where the scheduling order of different components is not known, reactive (open) systems, where the behavior of the external environment is not known in advance, and models for security, where the behavior of the adversaries is partially unspecified. In all these cases performance measures can be studied only after the nondeterminism is resolved, or else, under all possible ways to resolve nondeterminism. In this talk we show how it is possible to reason about probabilities within a nondeterministic environment. We give an overview of the existing literature on operational models for probabilistic nondeterministic systems taking Probabilistic Automata as reference model, we show how classical concepts from concurrency theory extend smoothly to the probabilistic case, and we show how Probabilistic Automata can be used for the analysis of distributed algorithms and security protocols.



PEPA Queues: Capturing customer behaviour in queueing networks Ashok Argent-Katwala Jeremy T. Bradley1 Department of Computing Imperial College London London, United Kingdom

Abstract Queueing network formalisms are very good at describing the spatial movement of customers, but typically poor at describing how customers change as they move through the network. We present the PEPA Queues formalism, which uses the popular stochastic process algebra PEPA to represent the individual state and behaviour of customers and servers. We offer a formal semantics for PEPA Queues, plus a direct translation to PEPA, allowing access to the existing tools for analysing PEPA models. Finally, we use the ipc/DNAmaca tool-chain to provide passage-time analysis of a dual Web server example. Keywords: Stochastic process algebra, PEPA, Queueing networks

1

Introduction

Queueing theory is a well-established discipline, good at describing and analysing quantitatively many complex systems. There are well-known classes of queueing networks which have tractable solutions and many modellers find them a natural modelling formalism to capture resource contention and buffering. However, while queueing networks are very good at representing the broad structure of a system, they are typically weak at describing the evolution of the individual customers within the network. Indeed, it is quite common to treat all customers as opaque, indistinguishable entities. These customers have no individual internal behaviour but may be segregated into a small set of static classes, when needed. PEPA Queues [2] augment ordinary queueing networks by allowing customers to have individual behaviour. In this formalism, we use a stochastic process algebra, PEPA, to represent the local behaviour of the customers, the service centres and how they interact. Simple mechanisms from queueing theory describe the migration of customers between queues. The PEPA Queues formalism is presented with an automatic translation directly into PEPA, giving access to the broad spectrum of existing tools available to analyse systems modelled in PEPA [9,6,12,3]. 1

Email: {ashok,jb}@doc.ic.ac.uk


Argent-Katwala and Bradley

In Sect. 2 we introduce PEPA and PEPA nets. Sect. 3 gives an overview of what PEPA Queues can do, and how we can model some common mechanisms from queueing theory. Sect. 4 defines the syntax and behaviour of PEPA Queues, with a short example followed by the formal semantics. In Sect. 5, we show how we convert a system of PEPA Queues into an equivalent PEPA model. We show the benefit of maintaining spatial separation and local behaviour using PEPA Queues by modelling a dual Web server on an intranet in Sect. 6. We discuss future work and conclude in Sect. 7.

2

Background

2.1

PEPA

PEPA [11] is a parsimonious stochastic process algebra that can describe compositional stochastic models. As in all process algebras, systems are represented in PEPA as the composition of components which undertake actions. In PEPA the actions are assumed to have a duration, or delay. Thus the expression (α, r).P denotes a component which can undertake an α action at rate r to evolve into a component P . Here α ∈ A where A is the set of action types and P ∈ C where C is the set of component types. The rate r represents the parameter of an exponential distribution, and the duration is assumed to be a random variable. PEPA has a small set of combinators, allowing system descriptions to be built up as the concurrent execution and interaction of simple sequential components. The syntax of the type of PEPA model considered in this paper may be formally specified using the following grammar: S ::= (α, r).S | S + S | CS P ::= P

¤¢ P L

| P/L | C

where S denotes a sequential component and P denotes a model component which executes in parallel. C stands for a constant which denotes either a sequential component or a model component as introduced by a definition. CS stands for constants which denote sequential components. The effect of this syntactic separation between these types of constants is to constrain legal PEPA components to be cooperations of sequential processes. More information including the structured operational semantics for PEPA can be found in [11]. A brief discussion of the basic PEPA operators is given below: Prefix The basic mechanism for describing the behaviour of a system with a PEPA model is to give a component a designated first action using the prefix combinator, denoted by a full stop. As explained above, (α, r).P carries out an α action with rate r, and it subsequently behaves as P . Choice The component P + Q represents a system which may behave either as P or as Q. The activities of both P and Q are enabled. The first activity to complete distinguishes one of them: the other is discarded. The system will behave as the derivative resulting from the evolution of the chosen component. Constant It is convenient to be able to assign names to patterns of behaviour associated with components. Constants are components whose meaning is given by a defining equation. The notation for def this is X = E. The name X is in scope in the expression on the right hand side meaning that, for def example, X = (α, r).X performs α at rate r forever. 8


Hiding The possibility to abstract away some aspects of a component’s behaviour is provided by the hiding operator, denoted P/L. Here, the set L identifies those activities which are to be considered internal or private to the component and which will appear as the distinguished unknown type τ .

¢ Cooperation We write P ¤ Q to denote cooperation between P and Q over L. The set which is used L as the subscript to the cooperation symbol, the cooperation set L, determines those activities on which the components are forced to synchronise. The set L cannot contain the unknown type τ . For action types not in L, the components proceed independently and concurrently with their enabled activities. ¢ We write P k Q as an abbreviation for P ¤ Q when L is empty. L In process cooperation, if a component enables an activity whose action type is in the cooperation set it will not be able to proceed with that activity until the other component also enables an activity of that type. The two components then proceed together to complete the shared activity with an appropriate rate. The capacity of a component P to perform an action α is denoted rα (P ), and is termed the apparent rate. PEPA respects the definition of bounded capacity: that is, a component cannot be made to perform an activity faster by cooperation, so the apparent rate of a shared activity in a cooperation is the minimum of the apparent rates of the activity in the cooperating components. 2.2

PEPA nets

A PEPA net [10] embeds PEPA components within a Petri net, allowing components to cooperate only when they are together on the net. This allows a clear description of systems where different pieces are mobile and move, for example, in and out of an area with network connectivity. PEPA nets are essentially coloured stochastic Petri nets [1], where the colour of a token is the state of a PEPA component. This state can change as the system evolves either independently, or in cooperation with their neighbouring components. The places on the net are typed with a component name; they may only be occupied by components that are derivatives of that type. Net-level transitions have associated action-types and rates. Components move in the net when a mobile component performs a net-level transition action, in cooperation with the net itself, to move into an appropriately typed empty slot. PEPA nets are a good example of a higher level formalism. As well as having their own explicit semantics, they may also be compiled into PEPA, and so analysed with the existing array of PEPA tools. This inspires our approach for PEPA Queues, where we embed PEPA components in a queueing network, rather than a Petri net. Just as PEPA nets bring the spatial advantages of Petri nets to stochastic modelling, so PEPA Queues offer similar advantages for queueing modellers. Both formalisms allow the expression of greater behavioural control over the tokens or customers.

3

Overview

When building a customer-oriented model of a queueing system in PEPA, it is often tempting to muddle the queueing behaviour with the descriptions of the individual agents. Where we have complex, migrant customers the elegance of the simple cooperations can be obscured by the scaffolding of where each customer is at present. PEPA Queues encourage the modeller to keep local behaviour and movement separate by representing 9


the system as a network of queues, each of which has a local component, cooperating with the component at the head of the queue. Note that the state of a PEPA Queue is given by the current state of each of the components waiting in the queue, in order, and the state of the local component. This cannot typically be represented by a vector of buffer occupancies, as would be the case with typical, opaque customers. It is instead akin to having a multi-class queueing network where the class does not influence the queueing discipline. For example, consider the single PEPA Queue in Fig. 1. It has four places in its input buffer, the local component is Q and it cooperates with the head of the queue over the set of actions L. The state of the queue can be given as [P, P 0 , P, P 00 ], where P 00 is at the head of the queue. For the moment, we are not concerned with the precise definitions of P , P 0 , P 00 and Q, they are ordinary PEPA components. On service, the next customer in the buffer is promoted to replace the served customer.

P

P’

Q

P P’’ L

Fig. 1. A single PEPA Queue

For simplicity, we restrict ourselves to closed networks of single-server queues using first-come firstserved discipline. The queues all have fixed-size, finite buffers and the network therefore has a fixed and finite population of customers. There are no losses when destination queues are full; queue services that lead to full queues are blocked. Handling open networks, unbounded buffers, triggers and negative customers is desirable, but the translation into PEPA of these entities is less straightforward. Here we focus on a simple core, which we can build upon in the future. There are three distinct layers to a PEPA Queues model: Customers PEPA components represent each individual customer. A customer may evolve internally, or in cooperation with the queue component when it is in service. It may not perform actions in the queue’s cooperation set unless it is in service. Queues Each queue has a local server component which cooperates with the customer in service, over a declared set of actions. By performing routing actions, it determines when customers are despatched and to which queue they are sent. It may also cooperate with the local components at other queues, based on the cooperations defined in the queueing system equation. Network routing We use PEPA cooperation to decide where components go after being served. Customers may only move to a particular destination queue if there is an open slot in that queue’s buffer, and the cooperation of the queue and the customer it is serving offer that routing action. (redo,T)

S

Pmilk Peggs Peggs Pmilk

serve

(send,T)

{milk,eggs,pay}

-

S

-

till

{milk,eggs,pay}

(repeat,T)

Fig. 2. A small dairy shop, modelled with two PEPA Queues. Queue A comprises the four slot buffer and Sserve and queue B the two slot buffer and Still .

10


The formal syntax for a network of PEPA Queues is given in Sect. 4.1, and the structural operational semantics follow in Sect. 4.3. First, however, we look at a short example.

3.1 Example: Dairy shop A system with two queues, A and B, as depicted in Fig. 2. Pmilk and Peggs are customers who wish to buy milk and eggs respectively. Sserve and Still are the server components that hand out goods and take payment. The dashes represent empty slots in B’s buffer. First, we examine the PEPA components that inhabit the network. The Pmilk and Peggs components are customers who begin waiting in queue A; each is trying to purchase a different product and pay. The customers can do both actions all the time, and the proper sequence is ensured by how they proceed around the network. def

Peggs = (eggs, >).Peggs + (pay, >).Peggs def

Pmilk = (milk , >).Pmilk + (pay, >).Pmilk The server components determine the routing of customers in the system. In the first queue the server may be out of stock of the lead customer’s item, in which case all the customers must wait for it to become available. This illustrates the interaction of having local state in the server and customer components. def

Seggs = (eggs, >).Snoeggs + (expire, eeggs ).Snoeggs def

Snoeggs = (restockeggs, reggs ).Seggs def

Smilk = (milk , >).Snomilk + (expire, emilk ).Snomilk def

Snomilk = (restockmilk , rmilk ).Smilk def

Swait = (eggs, >).Ssending + (milk , >).Ssending 9r r def Ssending = (send , ).Swait + (redo, ).Swait 10 10

¤¢ Sserve = (Seggs || Smilk ) {milk Swait ,eggs} def

def

Still = (pay, >).(process, p).(repeat, s).Still It is only when these components perform the queue routing actions (send, redo and repeat) that customers move between queues. These actions may be blocked in three circumstances: •

there are no customers in the queue;

•

the routing action is in the queue’s cooperation set and the customer in service is not currently offering that action;

•

there is no space in the queue the routing action would lead to. Where the same action out of a queue leads to more than one queue, only the ones with space to move into are enabled, and PEPA’s competitive choice will select which route we take. 11


Now, the queueing network itself. While the picture is useful, we also want a clear, textual form capturing all of the information in the diagram. We need to define both the routing within the network and the state of the individual queues with their buffers. In order to refer to the queues, we give them names. Queue names are prefixed with “Q :”, which prevents a clash with any valid PEPA names, since colons are not permitted in those. The pseudo-component prefixed with “QNet :” is the queueing system, describing the initial state of each queue, their local cooperation set and the system-level cooperation. Fig. 2 can be fully described by: def

Q : A = (redo, >) → Q : A + (send , >) → Q : B def

Q : B = (repeat, >) → Q : A

¤¢,pay} Sserve ) QNet : Sys = (Q : A[Pmilk , Peggs , Peggs , Pmilk ] {eggs,milk def

¤¢,pay} Still ) || (Q : B[−, −] {eggs,milk This syntax is defined in Sect. 4.1. The first two lines of the specification define the destinations for customers when they are served. Services take place when the server component – possibly in cooperation with the customer – performs any of these routing actions. In this example, all the action names are distinct but a modeller may use competitive choice to choose the destination instead. We choose to use routing actions which are passive here, and have the server processes, Sserve and Still , determine the rates. This is just a modelling choice, and you could have the queueing network determine the rate, or use active-active synchronisation if that better fits the situation being modelled. If a routing action is included in a queue’s cooperation set, then the customer in service also influences its routing – the components may only perform the action together, just as with any PEPA cooperation. If they are not in the cooperation, any routing actions the customer performs are purely internal, and do not change the position of the customer within the queueing network. Note that a properly formed network of PEPA Queues will not have any unresolved passive actions, where a component offers an action passively, but without cooperating over that action. This is the same restriction as in PEPA, but the modeller must also consider that customers move to places where the cooperation set may be different. The last line of the specification is the queueing system equation. The square brackets contain the state of each queue’s buffer, with PEPA component names for customers or a dash representing an empty slot. If a queue was simply a sink, it would be referred to in other queue routing equations, but not have one of its own, since it has no outbound transitions. There should perhaps be a more elegant way to represent this in the syntax. For brevity in these descriptions, we also allow P ∗n and −∗n in the queue state description, to represent n copies of P and n spaces respectively. For mechanical simplicity later on, we allow the degenerate constructs of P ∗ 0 and − ∗ 0, which occupy no space in the queue’s buffer. So, the queueing system equation above could be restated as:

¤¢,pay} Sserve ) QNet : Sys = (Q : A[Pmilk , Peggs ∗ 2, Pmilk ] {eggs,milk def

¤¢,pay} Still ) || (Q : B[− ∗ 2] {eggs,milk 12


Although we allow cooperations at the network level, they should be used with care. The intention is to use the queueing network to separate local behaviour from spatial migration. Allowing network-level interactions breaks this separation, but can be put to good use for inherently global actions like closing down the whole system, and a variety of forms of reset. Typically we would have, as in the example above, a straight parallel synchronisation between the queues.

3.2

Modelling features

PEPA Queues allow a succinct expression for many queueing mechanisms. For example, we could model breakdown and repair in a network of PEPA Queues as follows, allowing individual servers to fail and be repaired, or with a global reset if all the servers have failed. We omit the definition of the customers, P , for brevity. def

S1 = (reprocess, s1 ).S1 + (continue, s2 ).S1 + (break , rdown ).S01 def

S01 = (repair , rup ).S1 + (allrepair , rreset ).S1 def

S2 = (route, s).S02 + (break , sdown ).S02 def

S02 = (repair , sup ).S2 + (allrepair , rreset ).S2 def

S3 = (route, s).S03 + (break , sdown ).S03 def

S03 = (repair , sup ).S3 + (allrepair , rreset ).S3 def

Q : Pri = (reprocess, >) 7→ Q : Pri + (continue, >) 7→ Q : Sec def

Q : Sec = (route, >) 7→ Q : Ter def

Q : Ter = (route, >) 7→ Q : Pri

¢ QNet : Sys = (Q : Pri[P, P] ¤ S1 ) ∅ def

¤¢ (Q : Sec[−, −, −] ¤¢ S2 ) ∅ ¤¢ (Q : Ter[−, −, −] ¤ ¢ S3 ) {allrepair } ∅ {allrepair }

4

Defining PEPA Queues

4.1

Syntax

The syntax for PEPA Queues is in two parts: routing between queues and a queueing-system description of the initial state of each queue. All of the components for customers and queue servers are specified in PEPA. Each queue in a system is given a distinct name, which may be used only once in the final queueing system definition. Queue level routing is defined using an arrow combinator, addressing names of the queues, which all have a “Q:” prefix. 13


QName ::= Q : Name def

QRoute ::= QName = QTransList QTransList ::= QTrans | QTrans + QTransList QTrans ::= (α, r) −→ QName Our queueing system description uses those Q : X names to define the initial position of the customers in each queue, the cooperation set they have with that queue and the cooperation set amongst the queues: def

QSys

::= QNet : Name = QList

QList

::= QDef | QDef CoopSet QList

QDef

::= Q : Name [QCustNameList] CoopSet Name

CustNameList ::= CustName | CustName , CustNameList CustName

::= Name | − | Name ∗ Num | − ∗ Num

CoopSet

::=

¤¢

ActNameList

| ||

ActNameList ::= Name | Name , ActNameList

4.2

Behaviour of PEPA Queues

Before defining the formal semantics of PEPA Queues, and describing their mechanical conversion to PEPA, it is illuminating to consider how a network of PEPA Queues may evolve directly. In any network of PEPA Queues, there are three sorts of transitions that can occur: Local Any of the server or customer components may evolve independently, provided the action is not in the cooperation set for that queue. In-service cooperation The customer in service at a queue cooperates with the stationary component at that queue. If this is a routing action, we treat it as below, otherwise it is treated as a local evolution of both components, at the appropriate combined rate. Network-level A server transition can cause a customer to move in the network. This happens whenever a stationary component at a queue performs a service action. We move the customer that has been served to the first open slot in the target queue – that is the empty position that is closest to service. This ensures we never leave any blank spaces in a queue’s buffer. Our aim with PEPA Queues is to give the modeller the expressive convenience of queueing models, while retaining much of the simplicity and all of the well-foundedness of PEPA. We do this by converting PEPA Queues into PEPA. Every PEPA Queue model can be mechanically rewritten as a PEPA model with no change in its behaviour. Some of the structure of the original may be obscured in the compiled PEPA model, so tools will typically prefer to work with the PEPA Queues directly. Translating to PEPA allows us to use a wide range of tools that already exist, as well as giving toolmakers 14


and modellers who may want to work directly with PEPA Queues a precise definition of exactly how they behave. Translating to PEPA is not the only way to analyse PEPA Queues. In future, we hope to also offer a translation directly into PEPA nets, preserving much of the spatial structure, which will allow smart PEPA nets tools to exploit spatial features in their analysis. If we create tools that handle PEPA Queues while retaining their structure, then a translation in the other direction – from PEPA nets to PEPA Queues – should be of use too. Further, tools that apply known queueing network results directly, in terms of the PEPA Queues structure, will allow much faster solution of many problems. This is a rich source of future work.

4.3

Semantics of PEPA Queues (a,r)

Definition 4.1 The relation −→, operating over the set of component names. P −→ P0 means that P performs the action a at rate r and evolves into P0 . This is as defined in PEPA [11]. (a,r)

Definition 4.2 The relation 7−→, operating over the set of named queues. Q : A 7−→ Q : B means there is a queue routing action a at rate r leading from queue A to queue B. a

Definition 4.3 The relation 7−6 →, operating over the set of named queues. Q : A 7−6 → is equivalent to (a,r ) @Q : B[Q : A 7−→ Q : B], that is a is not a routing action for Q : A. Definition 4.4 rα (P ) is the apparent rate function, as defined in [11]. Definition 4.5 rα0 (A) is a secondary apparent rate function, for queue routing actions. α must be a routing action for Q : A and rα0 (A) is the sum of the rates of all the enabled α-activities for Q : A in the present state. Now we can specify individually all the legal ways a network of PEPA Queues can evolve. Throughout, each ellipsis signifies a (possibly empty) list of components that remains unchanged after the transition. IN denotes the positive integers, so − ∗ n below means that there is at least one empty slot in the queue’s buffer. Customer alone This rule governs a customer evolving independently, anywhere in the queue. Note that this only allows actions that are not in the queue’s cooperation set. Customers that are not in service may not perform those actions, and customers that are in service perform them via rule Local cooperation. (α,λ)

P −→ P 0

Q:A[...,P,...]

¤¢ ¢ S −→ Q:A[...,P 0 ,...] ¤ S L L (α,λ)

α∈L /

Server alone The server process may perform actions not in the queue cooperation set independently, no matter the state of the buffer. (α,λ)

S −→ S 0

Q:A[...]

(α,λ) ¤¢ ¢ S −→ Q:A[...] ¤ S0 L L

α∈L /

15


Local cooperation Only the head of the queue may cooperate with the server process for actions in L, and they must perform them together. (α,λ) α ¤¢ ¢ S −→ P 0 ¤ S 0 Q:A7−→ 6 L L (α,λ) ¢ ¢ Q:A[...,P ] ¤ S −→ Q:A[...,P 0 ] ¤ S0 L L

P

α∈L

Server routing 1 Declares that in order for a customer to move between queues, the server component at the first queue must perform a routing action, leading to a queue which has at least one space. The moved customer moves to the first empty slot. Where n is the largest such n to describe the blank spaces in Q : B. Routing actions may not appear in the inter-queue cooperation set, LQ . (α,λ)

0 SA −→ SA

(Q:A[...,P ]

(α,λq )

Q:A 7−→ Q:B

¤ ¢ SA ) ¤ ¢ (Q:B[−∗n,...] ¤ ¢ SB )(α,R) −→ LA LQ LB ¢ SA0 ) ¤ ¢ (Q:B[−∗(n−1),P,...] ¤ ¢ SB ) (Q:A[−,...] ¤ L L L A

Q

α∈L / A , α∈L / Q , n>0, R as below

B

Server routing 2 As Server routing 1 but where the routing action leads to the same queue. Note that we still need an empty slot, to avoid unduly prioritising local routing. Otherwise, a customer could be allowed to move to the back of the queue it has just left when arrivals from other queues are disallowed. (α,λ)

0 SA −→ SA

(Q:A[−∗n,...,P ]

(α,λq )

Q:A 7−→ Q:A

¤ ¢ SA )(α,R) −→ L

(Q:A[−∗n,P,...]

α∈L / A , n>0, R as below

¤ ¢ SA0 ) L A

A

Coop routing 1 For a routing action that is also in the queue’s cooperation set, the action must occur in cooperation between the lead customer and the queue’s server. Again, routing actions may not appear in the interqueue cooperation set, LQ . q) ¢ SA0 Q:A(α,λ ¤ ¢ SA (α,λ) 7−→ Q:B −→ P 0 ¤ LA LA ¢ SB )(α,R) ¢ (Q:B[−∗n,...] ¤ ¢ SA ) ¤ −→ (Q:A[...,P ] ¤ LB LQ LA ¢ (Q:B[−∗(n−1),P 0 ,...] ¤ ¢ SB ) ¢ SA0 ) ¤ (Q:A[−,...] ¤ L L L

P

A

Q

α∈LA , α∈L / Q , n>0, R as below

B

Coop routing 2 Just as for Coop routing 1, but routing to the same queue. As with Server routing 2 we require an empty slot in the queue. q) ¤ ¢ SA (α,λ) ¢ SA0 Q:A(α,λ −→ P 0 ¤ 7−→ Q:A LA LA ¢ SA (α,R) ¢ SA0 Q:A[−∗n,...,P ] ¤ −→ Q:A[−∗n,P 0 ,...] ¤ L L

P

A

α∈LA , α∈LQ , n>0, R as below

A

For the last four rules: R=

λq λ min(rα (SA ), rα0 (A))) 0 rα (SA ) rα (A)

where R represents the rate of active cooperation between the service component and the queueing 16


network. As in PEPA, it reflects the rate of the slower component in the cooperation. Note that we do not allow cooperation between the queues for routing actions. If we did then we would be including a potentially interesting class of synchronised, coupled queues but at the expense of a substantially more complex translation. With our present translation, we use the names of the routing actions, decorated with where they are occurring to provide us with global, unique names for each of the routing actions. If we allowed cooperation at this level, we would need some other mechanism for migrating components. It may be possible to extend still further the information we carry in the expanded action names, but needing to represent which pair of processes is cooperating in the action name would lead to a large explosion in the number of names used. We could conceivably use a synchronous immediate action to achieve these coupled queues, but we would first need to define that concretely.

5

Translation to PEPA

We use a similar approach to that used to translate PEPA nets to PEPA, and encode the spatial portion of the model by having dormant versions of every component that may occupy a given slot, and simply activate them when, in the higher level model, that component arrives in that particular slot. This is somewhat troublesome, since it leads to a large explosion in the number of components in the system, and we typically create both a huge model, textually, and a very large state space. However, it does mean that we can put to work existing tools for handling PEPA models, many of which can handle very large state spaces, with limits that are constantly improving. Since the slots in our buffers are not typed in any way, we need a definition for each component that may occur, in every position it may occupy.

5.1

Translation detail

Any translation from PEPA Queues to PEPA will in general increase the number of component definitions by a factor of n(m + 1), in a system which has n queueing positions and m customer states. We need to distinguish between each of the n queueing slots being empty or having any one of the m customer components in. With a clever encoding, we may be able to save some of these – for example where a particular customer could never reach part of the network. However, the cost of exploring the reachability, conditioned on the actions it may perform as it traverses the network, will be too high for non-trivial networks. The basic structure of the translated model is as follows: (i) Each customer type is represented by many component definitions, one for each spatial state and derivative customer component that the customer could reach. There is one spatial state for each of the queueing positions. (ii) The queueing transitions are split into a number of distinguishable action names, each leading to a particular slot in a queue. We replace each routing action with a choice of several different, new actions which encode the destination. All the new actions happen at the same rate as the original and we then ensure that only one of them is active at once. When the same action is used to route to different destinations, each is expanded in this manner, and we use PEPA’s competitive choice to 17


determine which route is used. (iii) There is a population tracker component for each queue which tracks the number of customers at that queue. The tracker component for a queue X with n slots would have n + 1 states, QXpop0 to QXpopn . In each state it enables just the queue routing actions to ensure that customers are delivered to the first available slot, and that no customers may join a full queue. To handle different queueing disciplines we would alter the actions these components enabled. Note that to be allowed to move, the destination slot must be empty. This means that when all four customers are in queue A, the redo action is disabled, as even though there will be a free slot after the lead customer moves, there is not one until then. If we allowed this form of movement it would give preferential treatment to customers coming from the same queue. The subscripts Xn on the routing actions indicate the current queue length at queue X, including any customer in service. This means on being served by this action, a customer would be placed in queue X in slot n + 1. So, the population trackers for the two queues of Sect. 3.1 are: def

QApop0 = (repeatA0 , >).QApop1 def

QApop1 = (repeatA1 , >).QApop2 + (redoA1 , >).QApop1 +(sendB0 , >).QApop0 + (sendB1 , >).QApop0 def



QApop4 = (sendB0 , >).QApop3 + (sendB1 , >).QApop3 def

QBpop0 = (sendB0 , >).QBpop1 def

QBpop1 = (sendB1 , >).QBpop2 +(repeatA0 , >).QBpop0 + (repeatA1 , >).QBpop0 +(repeatA2 , >).QBpop0 + (repeatA3 , >).QBpop0 def

QBpop2 = (repeatA0 , >).QBpop1 + (repeatA1 , >).QBpop1 +(repeatA2 , >).QBpop1 + (repeatA3 , >).QBpop1 Now, our stationary queue components also need to cater for this expanded set of routing actions, so we expand each of the routing actions to be a choice of all the new routing actions derived from that one. Since we have ensured that only one of these variants will be enabled at the same time, we can offer these extra choices without changing the effective rate of the group of actions. We also rewrite the actions in the queues’ cooperation sets to be unique to that queue. Thus, when we cooperate all these components together in a flat structure we preserve the spatial separation. Because only one variant of a particular action is enabled at any time, we ensure that we do not artificially inflate the rate of any particular action. Each queue’s stationary component is translated separately here, denoted by superscripts of the queue name. In this example this is not crucial, since the server components for each queue are different pro18


cesses, but we follow the convention nonetheless. def

A A SA eggs = (eggsA , >).Snoeggs + (expire, eeggs ).Snoeggs def

A SA noeggs = (restockeggs, reggs ).Seggs def

A A SA milk = (milkA , >).Snomilk + (expire, emilk ).Snomilk def

A SA nomilk = (restockmilk , rmilk ).Smilk def

A A SA wait = (eggsA , >).Ssending + (milkA , >).Ssending 9r A 9r A def SA ).Swait + (sendB1 , ).S sending = (sendB0 , 10 10 wait r r +(redoA0 , ).SA ).SA wait + (redoA1 , 10 10 wait r r +(redoA2 , ).SA ).SA wait + (redoA3 , 10 10 wait A A ¤¢ SA serve = (Seggs || Smilk ) {milk ,eggs def

A

A}

SA wait

def

B SB till = (payB , >).Still0 def

B SB till0 = (process, p).Still1 def

B B SB till1 = (repeatA0 , s).Still + (repeatA1 , s).Still + B (repeatA2 , s).SB till + (repeatA3 , s).Still

Note that each occurrence of a routing action is expanded into a choice of all the variants of that action, and that we have named the anonymous sub-components of Still to facilitate this. For each customer component or derivative, we clone the definitions for every buffer slot of every queue in the network that it could possibly reach. For any position not at the head of a queue, we omit any transitions that are in that queue’s cooperation set. In those positions, we add passive transitions for each of the queue’s service actions, which leads to the corresponding component one slot further forward in the queue. Concretely, for our two-node example network, we make copies Peggs and Pmilk for all six slots of the network. The original definitions were: def

Peggs = (eggs, re ).Peggs + (pay, pe ).Peggs def

Pmilk = (milk , rm ).Pmilk + (pay, pm ).Pmilk For the six queueing positions, this becomes the following. The superscript A4 indicates the component is fourth in the queue at A, including the customer in service. We also account for the queue routing by passively enabling all the movement actions and take the customer to the appropriate state to mimic the new spatial location. Our automated translation allows some impossible movements here (for example a customer at position A2 allows the routing action for A0). This is not a concern, since the population trackers will never enable these actions. def

A1 A1 B1 PA1 eggs = (eggsA , re ).Peggs + (payA , pe ).Peggs + (sendB0 , >).Peggs

19

Argent-Katwala and Bradley A3 A4 +(redoA1 , >).PA2 eggs + (redoA2 , >).Peggs + (redoA3 , >).Peggs def

A2 A2 B1 PA2 eggs = (eggsA , re ).Peggs + (payA , pe ).Peggs + (sendB0 , >).Peggs A3 A4 +(redoA1 , >).PA2 eggs + (redoA2 , >).Peggs + (redoA3 , >).Peggs def

A3 A3 B1 PA3 eggs = (eggsA , re ).Peggs + (payA , pe ).Peggs + (sendB0 , >).Peggs A3 A4 +(redoA1 , >).PA2 eggs + (redoA2 , >).Peggs + (redoA3 , >).Peggs def

A4 A4 B1 PA4 eggs = (eggsA , re ).Peggs + (payA , pe ).Peggs + (sendB0 , >).Peggs + A3 A4 (redoA1 , >).PA2 eggs + (redoA2 , >).Peggs + (redoA3 , >).Peggs def

B1 B1 A1 PB1 eggs = (eggsB , re ).Peggs + (payB , pe ).Peggs + (repeatA0 , >).Peggs A3 A4 +(repeatA1 , >).PA2 eggs + (repeatA2 , >).Peggs + (repeatA3 , >).Peggs def

B2 B2 A1 PB2 eggs = (eggsB , re ).Peggs + (payB , pe ).Peggs + (repeatA0 , >).Peggs A3 A4 +(repeatA1 , >).PA2 eggs + (repeatA2 , >).Peggs + (repeatA3 , >).Peggs def

A1 A1 B1 PA1 milk = (milkA , rm ).Pmilk + (payA , pm ).Pmilk + (sendB0 , >).Pmilk A3 A4 +(redoA1 , >).PA2 milk + (redoA2 , >).Pmilk + (redoA3 , >).Pmilk def




B1 B1 A1 PB1 milk = (milkA , rm ).Pmilk + (payA , pm ).Pmilk + (repeatA0 , >).Pmilk A3 A4 +(repeatA1 , >).PA2 milk + (repeatA2 , >).Pmilk + (repeatA3 , >).Pmilk def

B2 B2 A1 PB2 milk = (milkA , rm ).Pmilk + (payA , pm ).Pmilk + (repeatA0 , >).Pmilk A3 A4 +(repeatA1 , >).PA2 milk + (repeatA2 , >).Pmilk + (repeatA3 , >).Pmilk

We use two different cooperation sets: LR , with just the routing actions; and L with both the routing actions, and the local cooperating actions for each queue: LR = {repeatA0 , repeatA1 , repeatA2 , redoA0 , redoA1 , redoA2 , sendB0 , sendB1 } L = LR ∪ {eggsA , milkA , payA , eggsB , milkB , payB } We build the final system equation from three major components, representing the state of the queues (QState), the migrant customers (Customers) and the stationary server components (Servers), respecting the initial states of each. Customers reflects the initial placement of the customers, as in Fig. 2. def

QState = QApop3 def

Customers =

PA4 milk

¤ ¢ QBpop0 L R

¤¢ ¤¢ A2 ¤¢ A1 PA3 eggs L Peggs L Pmilk L

def

B Servers = SA serve || Still

20


Finally, we can write our system equation for the transformed model:

¢ ¢ Sys = QState ¤ Customers ¤ Servers L L def

6

Worked Example

Consider a very simple model of a small intranet, with separate Web servers serving two clients, as depicted in Fig. 3. Each customer fetches a page from the first server with a getpage action, then goes to the second server for some related resources (the getimages action), before returning to the first server. The server Spage doles out pages and the server Simages serves images. After Spage has issued a getpage, it releases the client from the first queue, A, with the send action, which routes the client on to the next queue, B (only if there is room in the downstream buffer for that client). The Simages server, after sending images to the client, then does some internal processing before issuing a repeat action which routes the client back to the first buffer again. Clearly there is contention for the second buffer which can fill up and block client movement from the first buffer. In the quantitative analysis below, where we generate passage-time distributions for the time from a getpage action to a repeat action, we will see that increasing the rate of the getpage action only has a limited effect on the overall passage. P

S

P

page

(send,T)

L

S

-

image

L

(repeat,T)

Fig. 3. Two Web servers with two clients. The cooperation set, L = {getpage, getimages} def

P = (getpage, rgetpage ).Pready def

Pready = (getimages, rgetimages ).P def

Spage = (getpage, >).(send , rsend ).Spage def

Simages = (getimages, >).(process, rproc ).(repeat, rrep ).Simages def

Q : A = (send , >) → Q : B def

Q : B = (repeat, >) → Q : A

¢ ¢ QNet : Sys = (Q : A[P, P] ¤ Spage ) || (Q : B[−] ¤ Simages ) L L def

where L = {getpage, getimages}. In Fig. 4, we measure the cumulative distribution function of the passage from a getpage action until the next repeat using the ipc/DNAmaca toolset [3]. In increasing the rate of the getpage action, we see some benefit at first, rgetpage = 0.01 to 1.0. However, when plotting the density function of the same passage, we see that the time for the passage to complete also depends on the other rates and structures in the system. To move from queue A to B a customer must wait for an empty slot at queue B, then a 21

Argent-Katwala and Bradley 1.2

0.4

r_getpage=1 r_getpage=0.5 r_getpage=0.01

r_getpage=100 r_getpage=1 r_getpage=0.01 0.35

1

Probability density

Cumulative probability, p

0.3 0.8

0.6

0.25

0.2

0.15

0.4 0.1 0.2 0.05

0

0 0

1

2

3

4

5 Time, t

6

7

8

9

10

0

1

2

3 Time, t

4

5

6

Fig. 5. Passage-time density functions from the first getpage action to the repeat action: for rgetpage = 0.01,1.0, 100

Fig. 4. Passage-time cumulative distribution functions from the first getpage action to the repeat action: for rgetpage = 0.01,0.5,1.0

send action to route it there. The next repeat action will only occur once the customer has performed the getimages action and can then perform a repeat to return to the first server. Hence in Fig. 5, we see that in looking at the passage for rgetpage = 100, we see that we don’t get a monotone improvement in probability of early passage completion as we see from rgetpage = 0.01 to 1.0, but instead the extra contention caused serves to worsen the overall passage metric.

7

Conclusions and Future Work

In this paper, we have introduced PEPA Queues, a formalism for expressing individual customer behaviour and routing in queueing networks. Queueing customers are described in PEPA, as are individual servers in the network, with interactions between customers and servers deciding the exact routing pathway for a customer. This synergy of a behavioural description and a spatial formalism is similar to PEPA nets but is obviously tailored to situations where queueing models would be a more appropriate spatial formalism. We further presented an operational semantics for PEPA Queues in terms of an underlying PEPA model and presented a worked example of a simple web server system. We finished by demonstrating passagetime analysis across the worked example. As described, PEPA Queues are restricted to closed networks of bounded queues, in keeping with PEPA’s handling of finite state spaces. It would also be desirable to handle unbounded queues, which will require further work to describe the semantics of the extended system. The most appealing next step would be to exploit known queueing network properties directly, for certain classes of PEPA Queue. By operating on a network of PEPA Queues directly, rather than in terms of their translation into PEPA, we could exploit known results – for example, separability in queueing networks. This is one of the appealing aspects of queueing networks, which can let us escape the typical state space explosion we have with Markovian modelling in general. There are also popular queueing network features which deserve further investigation: Unbounded buffers and open networks Handling open networks with unbounded buffers could allow us to apply many known theoretical queueing results to our models. For the translation we would need to use a formalism that allows infinite, regular state spaces, for which there are existing extensions to PEPA [2,4]. 22


Sources and sinks In a sense, these are just queues with unbounded buffers. However, if all our infinite queues have either no inputs or no outputs, then there is still a straightforward translation to PEPA which would follow the style of customer-centric models [5]. Inter-customer cooperation In some real-world systems, the customers may cooperate with one another in the queue. This may be a reasonable way to represent negative customers [8]. These cooperations could be just between neighbours or amongst all the customers awaiting service. Zero-automatic queues [7], for example, allow neighbouring customers of a shared group of classes to interact and coalesce into a single customer. It would also be useful to offer translations into other formalisms where we can retain more of the inherent structure. We are investigating a translation into PEPA nets, to be followed by other suitable target systems. We have introduced a basic syntax for defining networks of queues with embedded PEPA, together with a description of how to rewrite those models into PEPA.

References [1] Ajmone Marsan, M., G. Conte and G. Balbo, A class of generalized stochastic Petri nets for the performance evaluation of multiprocessor systems, ACM Transactions on Computer Systems 2 (1984), pp. 93–122. [2] Argent-Katwala, A., “A compositional, collaborative performance pipeline,” Ph.D. thesis, Imperial College, London, United Kingdom (2006). [3] Bradley, J. T., N. J. Dingle, S. T. Gilmore and W. J. Knottenbelt, Derivation of passage-time densities in PEPA models using ipc: the Imperial PEPA Compiler, in: G. Kotsis, editor, MASCOTS’03, Proceedings of the 11th IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunications Systems (2003), pp. 344–351. [4] Clark, G., “Techniques for the Construction and Analysis of Algebraic Performance Models,” Ph.D. thesis, Department of Computer Science, University of Edinburgh, Edinburgh EH9 3JZ, UK (1994). [5] Clark, G. and J. Hillston, Product form solution for an insensitive stochastic process algebra structure, Performance Evaluation 50 (2002), pp. 129–151. [6] Clark, G. and W. Sanders, Implementing a stochastic process algebra within the Möbius modeling framework, in: L. de Alfaro and S. Gilmore, editors, Proc. of the 1st joint PAPM-PROBMIV Workshop, Lecture Notes in Computer Science 2165 (2001), pp. 200–215. [7] Dao-Thi, T.-H. and J. Mairesse, Zero-automatic queues, in: M. Bravetti, L. Kloul and G. Zavattaro, editors, EPEW/WS-FM, Lecture Notes in Computer Science 3670 (2005), pp. 64–78. [8] E. Gelenbe, E., Queuing networks with negative and positive customers, Journal of Applied Probability 28 (1991), pp. 656–663. [9] Gilmore, S. and J. Hillston, The PEPA workbench: A tool to support a process algebra-based approach to performance modelling, in: G. Haring and G. Kotsis, editors, Proceedings of the 7th International Conference on Modelling Techniques and Tools for Computer Performance Evaluation, Lecture Notes in Computer Science 794 (1994), pp. 353–368. [10] Gilmore, S., J. Hillston and M. Ribaudo, PEPA nets: A structured performance modelling formalism, in: A. Field et al., editor, Proceedings of the 12th International Conference on Modelling Tools and Techniques for Computer and Communication System Performance Evaluation, number 2324 in Lecture Notes in Computer Science (2002), pp. 111–130. [11] Hillston, J., “A Compositional Approach to Performance Modelling,” Distinguished Dissertations in Computer Science 12, Cambridge University Press, 1996. [12] Kwiatkowska, M. Z., G. Norman and D. Parker, Prism: Probabilistic symbolic model checker, in: A. Field et al., editor, TOOLS’02, Proceedings of Computer Performance Evaluation: Modelling Techniques and Tools, Lecture Notes in Computer Science 2324 (2002).

23


Modelling Multicast QoS Routing by using Best-Tree Search in And-or Graphs and Soft Constraint Logic Programming Stefano Bistarelli1 ,2 ,3 Department of Sciences University “G. d’Annunzio” of Chieti-Pescara Pescara, Italy

Ugo Montanari4 Department of Computer Science University of Pisa Pisa, Italy

Francesca Rossi2 ,5 Department of Pure and Applied Mathematics University of Padova Padova, Italy

Francesco Santini1 ,2 ,6 IMT Lucca - School for Advanced Studies Lucca, Italy

Abstract We suggest a formal model to represent and solve the multicast routing problem in multicast networks. To attain this, we model the network adapting it to a weighted and-or graph, where the weight on a connector corresponds to the cost of sending a packet on the network link modelled by that connector. Then, we use the Soft Constraint Logic Programming (SCLP) framework as a convenient declarative programming environment in which to specify related problems. In particular, we show how the semantics of an SCLP program computes the best tree in the corresponding and-or graph: this result can be adopted to find, from a given source node, the multicast distribution tree having minimum cost and reaching all the destination nodes of the multicast communication. The costs on the connectors can be described also as vectors (multidimensional costs), each component representing a different Quality of Service metric value. Therefore, the construction of the best tree may involve a set of criteria, all of which are to be optimized (multi-criteria problem), e.g. maximum global bandwidth and minimum delay that can be experienced on a single link. Keywords: And-or Graphs, Quality of Service, Multicast, Routing, Soft Constraint Logic Programming.


Bistarelli et al.

1

Motivation and main idea

Multicast is an important bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple receivers. Therefore, while saving resources, multicast is well suited to concurrently distribute contents on behalf of applications asking for a certain timeliness of delivery: thus, multicast routing has naturally been extended to guarantee Quality of Service (QoS) requirements [22]. In this paper we suggest a formal model to represent and solve the multicast routing problem in multicast networks with QoS. For the representation we use and-or graphs [15] to model the network and SCLP programs [2,4,12] on the graphs to compute the best tree according to QoS criteria. Given a multicast group of receiver nodes and a set of optimization objective functions, the multicast routing problem is the process of building a multicast tree that optimizes these functions, often expressing the aim of minimizing the cost of the tree. If we are dealing with QoS requirements, a set of constraints is also given: constraints are in the form of, for example, end-to-end delay bounds, jitter bound, minimum bandwidth of the path or other QoS metrics. The resulting multicast tree must provide both reachability from source to all destinations, and satisfy the QoS constraints. First, we will describe how to represent a network configuration in its corresponding and-or graph, mapping network nodes to and-or graph nodes and links to graph connectors. QoS link costs will be translated into costs for the connectors. Generally, and-or graphs are used to model problem solving processes, and together with minimum cost solution graphs have been studied extensively in artificial intelligence [19]. Afterwards, we will propose the Soft Constraint Logic Programming (SCLP) framework [2,4,12] as a convenient declarative programming environment in which to specify and solve such problem. SCLP programs are an extension of usual Constraint Logic Programming (CLP) [14] programs where logic programming is used in conjunction with soft constraints, that is, constraints which can be satisfied at a certain level. In particular, we will show how to represent an and-or graph as an SCLP program, and how the semantics of such a program computes the best tree in the corresponding weighted and-or graph. Therefore, the best tree found in this way, can be used to shape the optimized multicast tree that ensures QoS requirements on the corresponding network. Since several QoS parameters express the cost of a link at the same time, this problem can be addressed as a multi-criteria problem [6], where the combination of the costs is done via an operator which is more general than the usual sum of the link weights. This extension can be easily cast within the SCLP programming framework, because it is based on the general structure of a semiring with two 1 2 3 4 5 6

Partially supported by Institute for Informatics and Telematics (IIT-CNR) Pisa, Italy Supported by the MIUR PRIN 2005-015491 Email: [email protected] Email: [email protected] Email: [email protected] Email: [email protected]

26

Bistarelli et al.

operations (× and +). Then, × is used to combine the costs, while the partial order defined by + operation (see Section 4), is used to compare the costs. The work presented and suggested in this paper extends some results on shortest path problems presented in [5] and [6]. In these two works, the main idea concerned the use of non-linear clauses in SCLP, that is, clauses which have more than one atom in their body. In this paper, we use instead clauses closer to logic programming, and we represent trees instead of paths. Related formal approaches dealing with QoS, e.g. [18] and [13], adopt a hypergraph model in joint with semirings too, but the minimal path between two nodes (thus, not over an entire tree) is computed via a graphical calculous instead of SCLP. This paper is organized as follows: in Sec. 2 we present some general background information about multicast routing, including also its QoS extensions, then in Sec. 3 we describe the problem of finding the best weighted tree in an and-or graph. Section 4 features the SCLP framework, while Sec. 5 depicts how to represent a network environment with an and-or graph. At last, in Sec. 6 we describe the way to pass from and-or graphs to SCLP programs, showing that the semantic of SCLP program is able to compute the best tree in the corresponding and-or graph. This tree represents the solution: the multicast tree that optimizes QoS requirements. Section 7 draws the final conclusions and outlines intentions for future works.

2

Multicast Routing with QoS extensions

Given a node generating packets, we can classify network data delivery schemas into three main types: i) Unicast, when data is delivered from one sender to one specific recipient, providing one-to-one delivery, ii) Broadcast, when data is instead delivered to all hosts, providing one-to-all delivery, and finally, iii) Multicast, when data is delivered to all the selected hosts that have expressed interest; thus, this last method provides one-to-many delivery. In this paper we concentrate on the third paradigm, since our intention is to provide a solution to the problem of transmitting a data packet from one source to K receivers. In its simplest implementation, multicast can be provided using multiple unicast transmissions, but with this solution, the same packet can traverse the same link multiple times. For this reason, the network must provide this service natively. A multicast address is also called a multicast group address, with which the routers can locate and send packets to all the members in the group. A group member is a host that expresses interest in receiving packets sent to a specific group address. A group member is also sometimes called a receiver or a listener. A multicast source is a host that sends packets with the destination address set to a multicast group. To deliver data only to interested parties, routers in the network build a multicast (or distribution) tree (Figure 1). Each subnetwork that contains at least one interested listener is a leaf on the tree. Where the tree branches, routers replicate the data and send a single packet down each branch. No link ever carries a duplicate flow of packets, since packets are replicated in the network only at the point where paths diverge, reducing the global traffic. Applications that take advantage of multicast routing include, for example, video 27

Bistarelli et al.

Fig. 1. An example of a multicast distribution tree built on a network: oriented arcs highlight the tree (direction is down stream), while dashed lines correspond to links not traversed by the flow.

conference, corporate communications, distance learning, distributed simulation, resource discovery, software distribution, stock quotes, news and also entertainment applications such as, video-on-demand, games, interactive chatlines and internet jukebox. Since many applications that need multicast distribution also require a certain timeliness of delivery (real-time applications), multicast routing has been clearly extended to include and guarantee QoS requirements; a global picture of QoS is given in [24]. In this case, the Constraint-Based multicast routing, the problem is to find the best distribution tree with respect to certain performance related constraints, to better utilize network resources and to support QoS requirements of the applications. Constraint-Based Routing (CBR) denotes a class of routing algorithms that base path selection decisions on a set of requirements or constraints, in addition to the destination: constraints can be imposed by administrative policies, or by QoS needs [25]. The other intent of CBR is to increase the utilization of the network (CBR is a tool for Traffic Engineering [24,25]), and is a part of the global framework that provide Internet QoS [24]. Multicast problem has been studied with several algorithms and variants, such as Shortest-Path Tree (SPT), Minimum Spanning Tree (MST), Steiner Tree (ST), Constrained Steiner Tree (CST), and other miscellaneous trees [22]. Algorithms based on SPT (e.g. Dijkstra or Bellman-Ford [11]) aim to minimize the sum of the weights on the links from the source to each receiver, and if all the link cost one unit, the resulting tree is the least-hop one. The MST (e.g. Prim algorithm [11]) spans all the receivers in the multicast group, minimizing the total weight of the tree at the same time; at each step, the tree is augmented with an edge that contributes the minimum amount possible to the total cost of the tree, so the algorithm is greedy. A ST [23] is a tree which spans a given subset of vertices in the graph with the minimal total distance on its edges. If the subset matches the entire multicast 28

Bistarelli et al.

group, ST problem reduces to the MST problem. ST has been extended to CST, including side constraints concerning QoS metrics. ST and CST are NP-Complete problems [23], and many heuristics have been proposed to efficiently deal with them [22,23]. The most popular solutions to multicast routing involve tree construction. There are two reasons for basing efficient multicast routes on trees: i) the data can be transmitted in parallel to the various destinations along the branches of the tree, and ii) a minimum number of copies of the data are transmitted. Multicast QoS routing is generally more complex than unicast QoS routing, and less proposals have been elaborated in this area [25]. With respect to unicast, the additional complexity stems from the need to support shared and heterogeneous reservation styles (towards distinct group members) and global admission control of the distribution flow. Some of the approaches use a Steiner tree formulation [1] or extend existing algorithm to optimize the delay (MOSPF [17] is the multicast version of OSPF), while the Delay Variation Multicast Algorithm (DVMA) [21] computes a multicast tree with both bounded delay and bounded jitter. Also, delay-bounded and cost-optimized multicast routing can be formulated as a Steiner tree: an example approach is QoS-aware Multicast Routing Protocol [10] (QMRP). Other multicast QoS routing algorithms and related problems (entailing stability, robustness and scalability) are presented in [25], and we did not include them here for lack of space. Our solution, described in Section 5 and 6, is instead a formal model based on a transformation of the network into a corresponding and-or graph and on a description of the graph via SCLP clauses that can be solved to find multicast trees over the graph. The solutions are represented by the costs of the trees, in terms of QoS metric values.

3

And-or Graphs and Best Solution Trees

An and-or graph [15] is defined essentially as a hypergraph. Namely, instead of arcs connecting pairs of nodes there are hyperarcs connecting an n-tuple of nodes (n = 1, 2, 3, . . .). Hyperarcs are called connectors and they must be considered as directed from their first node to all others. Formally an and-or graph is a pair G = (N, C), where N is a set of nodes and C is a set of connectors C⊆N×

k [

N i.

i=0

Each k-connector (ni0 , ni1 , . . . , nik ) is an ordered (k+1)-tuple, where ni0 is the input node and ni1 , . . . , nik are the k output nodes. We say that ni0 is the predecessor of ni1 , . . . , nik and these nodes are the successors of ni0 . Note that when C ⊆ N 2 we have a usual graph whose arcs are the 1-connectors. Note that there are also 0-connectors, i.e., connectors with one input and no output node. In Figure 2 we give an example of an and-or graph, whose nodes are n0 , . . . , n8 . The 0-connectors are represented as a line ending with a square, whereas kconnectors (k ≥ 0) are represented as k directed lines connected together. For instance, (n0 , n1 ) and (n0 , n5 , n4 ) are the 1-connector and 2-connector, respectively, 29

Bistarelli et al.

with input node n0 . The order of the output nodes (when more than one) in the tuple representing the connector is decided by the orientation of the arrow representing the connector in the and-or graph: i.e. considering the connector (n0 , n5 , n4 ) in Figure 2, the arrow goes from n5 to n4 , and thus n5 precedes n4 in the tuple. An and tree is a special case of an and-or graph, where every node appears exactly twice in the set of connectors C, once as an input node of some connector, and once as an output node of some other connector. The only exception is a node called root which appears only once, as an input node of some connector. The leaves of an and tree are those nodes which are input nodes of a 0-connector. An example of an and tree with root n′2 is given in Fig. 3. Here n′7 , n′8 and n′′8 are leaves. f 0,1=3

n1 f 1,3 =7

n0 f 0,5,4 =2

f 1,2=3 n2 f 2,3=1

f 2,5,4 =3 f 4,5=2

n3 f 3,6,5 =1

n4 f 4,8 =2

n5 f 5,6 =3

f 5,7,8=2

n6 f 6,7,8=3

n8 3 n7 4

Fig. 2. A weighted and-or graph problem.

Fig. 3. A minimal cost solution and tree for the graph in Fig. 2, with start node nr = n2 .

30

Bistarelli et al.

Given an and-or graph G, an and tree H is a solution tree of G with start node nr , if there is a function g mapping nodes of H into nodes of G such that: •

the root of H is mapped in nr .

•

if (ni0 , ni1 , . . . , nik ) is a connector of H, then (g(ni0 ), g(ni1 ), . . . , g(nik )) is a connector of G.

Informally, a solution tree of an and-or graph is analogous to a path of an ordinary graph. It can be obtained by selecting exactly one outgoing connector for each node. For instance, the and tree in Fig. 3 is a solution tree of the graph in Fig. 2 with start node nr = n2 , if we let g(n′2 ) = n2 , g(n′4 ) = n4 , g(n′5 ) = n5 , g(n′7 ) = n7 , g(n′8 ) = n8 and g(n′′8 ) = n8 . Note that distinct nodes of the tree can be mapped into the same node of the graph. The and-or graph in Fig. 2 has a k-adic function over the reals (cost function) associated with each k-connector, and is therefore defined as functionally weighted and-or graph. In particular, a constant is associated with each 0-connector. It is easy to see that if the functionally weighted graph is an and tree H, a cost can be given to it, just evaluating the functions associated with its connectors. Recursively, to every subtree of H with root node ni0 , a cost ci0 is given as follows: •

If ni0 is a leaf, then its cost is the associated constant.

•

If ni0 is the input node of a connector (ni0 , ni1 , . . . , nik ), then its cost is ci0 = fr (ci1 , . . . , cik ) where fr is the function cost associated with the connector, and ci1 , . . . , cik are the costs of the subtrees rooted at nodes ni1 , . . . , nik .

The general optimization problem can be stated as follows: given a functionally weighted and-or graph, find a minimal cost solution tree with start node nr . The function used to assign a value to the input node ni0 of a k-connector (ni0 , ni1 , . . . , nik ) is of the form fr (ci1 , . . . , cik ) = ar + ci1 + . . . + cik where ar is a constant associated to the connector and ci1 , . . . , cik are the costs of the subtrees rooted at nodes ni1 , . . . , nik . Therefore, the cost of the tree in Fig. 3, with root node n2 , is 17. In the next Sections we will show that this cost function is an instantiation of a more general one based on the notion of c-semiring [2,3].

4

Soft Constraint Logic Programming

The SCLP framework [2,4,12], is based on the notion of c-semiring introduced in [3,8]. A c-semiring S is a tuple hA, +, ×, 0, 1i where A is a set with two special elements (0, 1 ∈ A) and with two operations + and × that satisfy certain properties: + is defined over (possibly infinite) sets of elements of A and thus is commutative, associative, idempotent, it is closed and 0 is its unit element and 1 is its absorbing element; × is closed, associative, commutative, distributes over +, 1 is its unit element, and 0 is its absorbing element (for the exhaustive definition, please refer to [8]). The + operation defines a partial order ≤S over A such that a ≤S b iff a + b = b; we say that a ≤S b if b represents a value better than a. Other properties related to the two operations are that + and × are monotone on ≤S , 0 is its minimum 31

Bistarelli et al.

and 1 its maximum, hA, ≤S i is a complete lattice and + is its lub. Finally, if × is idempotent, then + distributes over ×, hA, ≤S i is a complete distributive lattice and × its glb. Semiring-based constraint satisfaction problems (SCSPs) are constraint problems where each variable instantiation is associated to an element of a c-semiring A (to be interpreted as a cost, level of preference, . . . ), and constraints are combined via the × operation and compared via the ≤S ordering. Varying the set A and the meaning of the + and × operations, we can represent many different kinds of problems, having features like fuzziness, probability, and optimization. Moreover, in [8] we have shown that the cartesian product of two c-semirings is another c-semiring, and this can be fruitfully used to describe multi-criteria constraint satisfaction and optimization problems. Constraint Logic Programming [14] extends Logic Programming by replacing term equalities with constraints and unification with constraint solving. The SCLP framework extends the classical CLP formalism in order to be able to handle also SCSP [3,8] problems. In passing from CLP to SCLP languages, we replace classical constraints with the more general SCSP constraints where we are able to assign a level of preference to each instantiated constraint (i.e. a ground atom). To do this, we also modify the notions of interpretation, model, model intersection, and others, since we have to take into account the semiring operations and not the usual CLP operations. The fact that we have to combine several refutation paths when we have a partial order among the elements of the semiring (instead of a total one), can be fruitfully used in the context of this paper when we have an and-or graph problem with incomparable costs associated to the connectors. In fact, in the case of a partial order, the solution of the problem of finding a best tree should consists of all those trees whose cost is not “dominated” by others. Table 1 A simple example of an SCLP program.

s(X) p(a,b) p(a,c) q(a) t(a) r(a)

::::::-

p(X,Y). q(a). r(a). t(a). 2. 3.

A simple example of an SCLP program over the semiring hN, min, +, +∞, 0i, where N is the set of non-negative integers and D = {a, b, c}, is represented in Table 1. The choice of this semiring allows us to represent constraint optimization problems where the semiring elements are the costs for the instantiated atoms. To better understand this Table, we briefly recall the SCLP syntax: a program is a set of clauses and each clause is composed by a head and a body. The head is just an atom, and the body is either a collection of atoms, or a value of the semiring, or a special symbol (2) to denote that it is empty. Clauses where the body is empty or it is just a semiring element are called facts and define predicates which represent constraints. When the body is empty, we interpret it as having the best semiring 32

Bistarelli et al.

element (that is, 1). The intuitive meaning of a semiring value like 3 associated to the atom r(a) (in Table 1) is that r(a) costs 3 units. Thus the set N contains all possible costs, and the choice of the two operations min and + implies that we intend to minimize the sum of the costs. This gives us the possibility to select the atom instantiation which gives the minimum cost overall. Given a goal like s(x) to this program, the operational semantics collects both a substitution for x (in this case, x = a) and also a semiring value (in this case, 2) which represents the minimum cost among the costs for all derivations for s(x). To find one of these solutions, it starts from the goal and uses the clauses as usual in logic programming, except that at each step two items are accumulated and combined with the current state: a substitution and a semiring value (both provided by the used clause). The combination of these two items with what is contained in the current goal is done via the usual combination of substitutions (for the substitution part) and via the multiplicative operation of the semiring (for the semiring value part), which in this example is +. Thus, in the example of goal s(X), we get two possible solutions, both with substitution X = a but with two different semiring values: 2 and 3. Then, the combination of such two solutions via the min operation give us the semiring value 2.

5

Using and-or Graphs to represent QoS multicast networks

In this Section we explain a method to translate the representation of a multicast network with QoS requirements (Figure 5a) into a corresponding weighted andor graph model (Figure 5b). This procedure can be split in three distinct steps, respectively focusing on the representation of i) network nodes, ii) network links and iii) link costs in terms of QoS metrics. Each of the network nodes can be easily cast in the corresponding and-or graphs as a single graph node: thus, each node in the graph can represent an interconnecting device (e.g. a router), or a node acting as the source of a multicast communication (injecting packets in the network), or, finally, a receiver belonging to a multicast group and participating in the communication. In Sec. 6, when we will look for the best tree solution, the root of the best and tree will be mapped to the node representing the source of the multicast communication; in the same way, receivers will be modelled by the leaves of the resulting and tree. When we translate a receiver, we add an outgoing 0-connector (Figure 5b), whose meaning (cost) will be explained below. Suppose that {n0 , n1 , . . . , n9 } in Fig. 5a are the identifiers of the network nodes. To model the links, we examine the forward star (f-star ) of each node in the network (i.e. the set of arcs outgoing from a node): we consider the links as oriented, since the cost of sending packets from node ni to nj can be different from the cost of sending from nj to ni (one non-oriented link can be easily replaced by two oriented ones). Supposing that the f-star of node ni includes the arcs (ni , nj ), (ni , nk ) and (ni , nz ), we translate this f-star by constructing one connector directed from ni to each of the subsets of destination nodes {j, k, z} (Figure 4), for a total number of 2n − 1 subsets, excluding the emptyset. Thus, all the resulting connectors with ni 33

Bistarelli et al.

as the input node are (ni , nj ), (ni , nk ), (ni , nz ), (ni , nk , nj ), (ni , nk , nz ), (ni , nj , nz ) and (ni , nj , nk , nz ). As already stated in Section 3, in the tuple ordering of the nodes, the input node is at the first position and the output nodes (when more than one) follows the orientation of the related arrow in Figure 4. To simplify Fig. 4b, arcs linking directly two nodes represent 1-connectors (ni , nj ), (ni , nk ) and (ni , nz ), while curved oriented lines represent n-connectors (with n > 1), where the set of their output nodes correspond to the output nodes of the traversed arcs. With respect to ni , in Fig. 4 we have curved line labelled with a that correspond to (ni , nk , nj , nz ), b to (ni , nk , nj ), c to (ni , nj , nz ), and, at last, d to (ni , nk , nz ). To have a clear figure, the network links in Fig. 5a are oriented “towards” the receivers, thus we put only the corresponding connectors in Fig 5b.

Fig. 4. a) the f-star of ni network-node and b) its representation with connectors.

In the example we propose here, we are interested in QoS link-state information concerning only bandwidth and delay. Therefore, each link of the network can be labeled with a 2-dimensional cost, for example the pair h7, 3i tells us that the maximum bandwidth on that specific link is 70Mbps and the maximum delay is 30msec. In general, we could have a cost expressed with a n-dimensional vector, where n is the number of metrics to be taken in account while computing the best distribution tree. Since we want to maintain this link state information even in the and-or graph, we label the corresponding connector with the same tuple of values (Figure 5). In the case when a connector represent more than one network link, its cost is decided by assembling the costs of the these links with the composition operation ◦, which takes as many n-dimensional vectors as operands, as the number of links represented by the connector. Naturally, we can instantiate this operation for the particular types of costs adopted to express QoS: for the example given in this Section, the result of ◦ is the minimum bandwidth and the highest delay, ergo, the worst QoS metric values: ◦(hb1 , d1 i, hb2 , d2 i, . . . , hbn , dn i) −→ hmin(b1 , b2 , . . . , bn ), max(d1 , d2 , . . . , dn )i The cost of the connector (n1 , n3 , n4 ) in Fig. 5b will be h7, 3i, since the costs of connectors (n1 , n3 ) and (n1 , n4 ) are respectively h7, 2i and h10, 3i: ◦(h7, 2i, h10, 3i) = h7, 3i 34

Bistarelli et al.

To simplify Fig. 5b, we inserted only the costs for the 1-connectors, but the costs for the other connectors can be easily computed with the ◦ operation, and are all reported in Table 2. So far, we are able to translate an entire network with QoS requirements in a corresponding and-or weighted graph, but still we need some algebraic framework to model our preferences for the links to use in the best tree. For this reason, we use the semiring structure (Sec. 4). An exhaustive explanation of the semiring framework approach for shortest-distance problems is presented in [16]. For example, if we are interested in maximizing the bandwidth of the distribution tree, we can use the c-semiring SBandwidth = hB ∪ {0, +∞}, max, min, 0, +∞i (otherwise, we could be interested in minimizing the global bandwidth with hB ∪ {0, +∞}, max, min, +∞, 0i. We can use SDelay = hD ∪ {0, +∞}, min, max, +∞, 0i for the delay, if we need to minimize the maximum delay that can be experienced on a single link. With this result and the depth of the final tree, we can compute an upper bound for the end-to-end delay. Elements of B (i.e. the set of bandwidth values) and D (i.e. the set of delay values) can be obtained by collecting information about the network configuration, the current traffic state and technical information about the links. Since the composition of c-semirings is still a c-semiring [8], SN etwork = hhB ∪ {0, +∞}, D ∪ {0, +∞}i, +′ , ×′ , h0, +∞i, h+∞, 0ii where +′ and ×′ correspond to the vectorization of the + and × operations in the two c-semirings: given b1 , b2 ∈ B ∪ {0, +∞} and d1 , d2 ∈ D ∪ {0, +∞}, hb1 , d1 i +′ hb2 , d2 i = hmax(b1 , b2 ), min(d1 , d2 )i hb1 , d1 i ×′ hb2 , d2 i = hmin(b1 , b2 ), max(d1 , d2 )i Clearly, the problem of finding best distribution tree is multi-criteria, since both bandwidth and delay must be optimized. We consider the criteria as independent among them, otherwise they can be rephrased to a single criteria. Thus, the multidimensional costs of the connectors are not elements of a totally ordered set, and it may be possible to obtain several trees, all of which are not dominated by others, but which have different incomparable costs. For each destination node, the costs of its outgoing 0-connector will be always included in every path reaching the node. As seen in Section 3, a 0-connector has only one input node but no destination nodes. If we consider a receiver as a plain node, we can set the cost as the 1 element of the adopted c-semiring (1 is the unit element for ×), since the costs to reach this node are already totally described by the other connectors ending in this node: practically, we give highest QoS values to this 0-connector, infinite bandwidth and null delay. Otherwise we can imagine a receiver as a more complex subnetwork, and thus we can set the cost of the 0connector as the cost needed to finally reach a node in that subnetwork (in case we do not want, or cannot, show the topology of the subnetwork). Figure 5 shows the transformation of the network of Fig. 1 into a corresponding and-or graph. Group members not interested in the communication are not represented, since the distribution tree does not have to reach them. In Fig. 5a, one receiver (node n9 ) has been replaced with a subnetwork, with respect to Fig. 1. 35

Bistarelli et al.

Fig. 5. A network example and the corresponding and-or graph representation.

6

And-or graphs using SCLP

In this Section, we represent an and-or graph, as the one found in Section 5, with a program in SCLP. This decision is derived from two important features of this programming framework: the first is that SCLP is a declarative programming environment and, thus, is relatively easy to specify a lot of different problems; the second one is that the c-semiring structure is a very parametric tool where to represent several and different cost models, with respect to QoS metrics. Using this framework, we can easily solve the multi-criteria example concerning the multicast QoS network in Fig. 5b. As already proposed in [5] and [6], to represent the connectors in SCLP we can write clauses like c(ni , [nj , nk ]) : −h10, 3i, stating that the graph has connector from n0 to nodes nj and nk with a bandwidth cost of 100Mbps and a delay of 30msec. Other SCLP clauses can properly describe the structure of the tree we desire to search over the graph. We chose to represent an and-or graph with a program in CIAO Prolog [9], a system that offers a complete Prolog system supporting ISO-Prolog, but, at the same time its modular design allows both restricting and extending the basic language. Thus, it allows both to work with subsets of Prolog and to work with programming extensions implementing functions, higher-order (with predicate abstractions), constraints, objects, concurrency, parallel and distributed computations, sockets, interfaces to other programming languages (C, Java, Tcl/Tk) and relational databases and many more. CIAO Prolog has also a fuzzy extension, but since it does not completely conform to the semantic of SCLP defined in [4] (due to interpolation in the interval of the fuzzy set), we decided to use the CIAO operators among constraints (as < and ≤), and to model the × operator of the c-semiring with them. For this reason, we inserted the cost of the connector in the head of the clauses, differently from SCLP 36

Bistarelli et al.

clauses which have the cost in the body of the clause. As an example, from the weighted and-or graph problem in Fig. 5b we can build a corresponding CIAO program of Table 2 as follows. We describe the connectors of the graph with facts like connector(source node, [list of destination nodes], [link bandwidth, link delay]) e.g., the fact connector(n0 , [n2 , n3 , n4 ], [3, 6]) represents the connector of the graph (n0 , n1 , n2 , n3 , n4 ) with bandwidth 30Mbps and delay 60msec. The set of this facts is highlighted as Connectors in Table 2. In despite of what we declare in Sections 3 and 5, here we choose a different ordering for the nodes in the connector tuples when we have to write the program clauses: the input node is again (as in the previous Sections) at the first position of the list representing the connector in the clause, but in this Section we decide to lexicographically order the output nodes (i.e., n0 precedes n1 , n1 precedes n2 and so on). This decision is dictated by the resulting simplification in writing the program and the queries, since the ordering of the nodes can be easily remembered. The Leaves of Table 2 represent the terminations for the Prolog rules, and their cost is the cost of the associated 0-connector (a value of 100 (Mbps) represents the ∞ for the bandwidth). The Aggregators rules, times in Table 2, mimic the × operation of the c-semiring proposed in Section 5: SN etwork = hhB ∪ {0, +∞}, D ∪ {0, +∞}i, +′ , ×′ , h0, +∞i, h+∞, 0ii, where ×′ is equal to hmin, maxi, and +′ is equal to hmax, mini as defined in Section 5. At last, the rules 1 − 2 − 3 − 4 of Table 2 describe the structure of the trees we want to find over the graph. Rule 1 represents a tree of only one leaf node, Rule 2 outlines a tree made of a connector plus a list of sub-trees with root nodes in the list of the destination nodes of the connector, Rule 3 is the termination for Rule 4, and Rule 4 is needed to manage the junction of the disjoint sub-trees with roots in the list [X|Xs]. When we compose connectors and trees (Rule 2 and Rule 4 ), we use the Aggregators to compose their costs together. To make the program in Table 2 as readable as possible, we omitted two predicates: the sort predicate, needed to order the elements inside the list of destinationnodes of connectors and trees (otherwise, the query tree(n0 , [n6 , n7 , n8 , n9 ], [B, D]) and tree(n0 , [n9 , n7 , n8 , n6 ], [B, D]) produce different results), and the intersection predicate to check that multiple occurrences of the same node do not appear in the same list of destination nodes, if reachable from different connectors (otherwise, for example, the tree n0 , [n7 , n7 , n8, n9] can be a valid result). To solve the and-or graph problem it is enough to perform a query in Prolog language: for example, if we want to compute the cost of all the trees rooted at n0 and having as leaves the nodes representing the receivers (in this case, {n7 , n8 }), we have to perform the query tree(n0 , [n6 , n7 , n8 , n9 ], [B, D]), where B and D variables will be instantiated with the bandwidth and delay costs of the returned trees. One of the outputs of the CIAO program for this query corresponds to the cost of the tree in Fig. 6 (h2, 5i), since ×′ computes the minimum bandwidth - maximum delay of the connectors. 37

Bistarelli et al. Table 2 The CIAO program representing all the AND trees over the weighted and-or graph problem in Fig. 5b.

The final cost of the tree obtained with the CIAO program is equivalent to the one that can be computed using ×′ inside the fr function given in Sec. 3. Starting from source node n0 and connector (n0 , n1 ) with cost h10, 1i, the cost of the tree cn0 is cn0 = fr (cn1 ) = h10, 1i ×′ cn1

7

Conclusions

We have described a method to represent and solve the multicast QoS problem with the combination of and-or graph and SCLP programming: the best tree on a and-or graph correspond to the best multicast distribution tree modelled by the graph. The best tree optimizes some objectives regarding QoS performance, e.g. minimizing the global bandwidth consumption or reducing the delay. The structure 38

Bistarelli et al.

Fig. 6. One of the multicast distribution tree that can be found with the program in Table 2.

of a c-semiring defines the algebraic framework to model the costs of the links, and SCLP framework describes and solves the SCSP problem (the best tree) in a declarative fashion. Since several distinct criteria must be all optimized (the costs of the arcs include different QoS metric values), the best tree problem belongs to multi-criteria problem class. A first future improvement could be the use of Dynamic Programming techniques, for example Memoization, to reduce the exponential explosion during the search of multicast trees over the graph representing the network. However, in the future we plan to perform some experiments to directly test the computational complexity of our framework. Moreover, we plan to enrich this framework by using Soft Concurrent Constraint Programming [7] to handle the interactions among the routing devices and the receivers, and, consequently, we would like to introduce new “soft” operations (e.g. a retract of a constraint) to release the resources reserved by the multicast receivers, introducing a non-monotonic evolution of the constraint store. Future research could address also the remodelling of the best tree due to the continuous network-state changes, including the requests of multicast group members to dynamically join in and leave from the communication, or the modifications of the QoS metric values on the links, since a network must be efficiently used to transport multiple flows at the same time. Even if in this paper we have applied SCLP programs over and-or graph to find the best multicast distribution tree, the same framework could be used also to solve problems on decision tables [20], by translating them into and-or graphs, or even other dynamic programming problems. Decision tables are widely used in many data processing applications for specifying which action must be taken for any condition in some exhaustive set. Every condition is characterized by some combination of the outcomes of a set of condition tests. An important problem is to derive from a given decision table a decision tree which is optimal in some specified sense. 39

Bistarelli et al.

References [1] Berman, L., L. Kou and G. Markowsky, A fast algorithm for steiner trees, Acta Informatica 15 (1979), pp. 141–145. [2] Bistarelli, S., “Semirings for Soft Constraint Solving and Programming (Lecture Notes In Computer Science),” SpringerVerlag, 2004. [3] Bistarelli, S., U. Montanari and F. Rossi, Constraint Solving over Semirings, in: Proc. IJCAI95 (1995), pp. 624–630. [4] Bistarelli, S., U. Montanari and F. Rossi, Semiring-based Constraint Logic Programming, in: Proc. IJCAI97 (1997), pp. 352–357. [5] Bistarelli, S., U. Montanari and F. Rossi, Sclp semantics for (multi-criteria) shortest path problems, in: Informal Proc. CP-AI-OR’99, 1999. [6] Bistarelli, S., U. Montanari and F. Rossi, Soft constraint logic programming and generalized shortest path problems, Journal of Heuristics 8 (2002), pp. 25–41. [7] Bistarelli, S., U. Montanari and F. Rossi, Soft concurrent constraint programming, ACM Trans. Comput. Logic 7 (2006), pp. 563–589. [8] Bistarelli, S., U. Montanari and F. Rossi, Semiring-based Constraint Solving and Optimization, Journal of the ACM 44 (March 1997), pp. 201–236. [9] Bueno, F., D. Cabeza, M. Carro, M. Hermenegildo, P. Lopez and G. Puebla, The ciao prolog system. reference manual (1997), the CIAO System Documentation Series–TR CLIP3/97.1. [10] Chen, S., K. Nahrstedt and Y. Shavitt, A QoS-aware multicast routing protocol, in: INFOCOM (3), 2000, pp. 1594–1603. [11] Cormen, T. T., C. E. Leiserson and R. L. Rivest, “Introduction to algorithms,” MIT Press, Cambridge, MA, USA, 1990. [12] Georget, Y. and P. Codognet, Compiling semiring-based constraints with clp (fd, s), in: CP ’98: Proceedings of the 4th International Conference on Principles and Practice of Constraint Programming (1998), pp. 205–219. [13] Hirsch, D. and E. Tuosto, Shreq: Coordinating application level qos, in: SEFM ’05: Proceedings of the Third IEEE International Conference on Software Engineering and Formal Methods (2005), pp. 425–434. [14] Jaffar, J. and M. J. Maher, Constraint logic programming: A survey, Journal of Logic Programming 19/20 (1994), pp. 503–581. [15] Martelli, A. and U. Montanari, Optimizing decision trees through heuristically guided search, Commun. ACM 21 (1978), pp. 1025–1039. [16] Mohri, M., Semiring frameworks and algorithms for shortest-distance problems, J. Autom. Lang. Comb. 7 (2002), pp. 321–350. [17] Moy, J., RFC 2328: OSPF version 2 (1998), standard. [18] Nicola, R. D., G. L. Ferrari, U. Montanari, R. Pugliese and E. Tuosto, A formal basis for reasoning on programmable qos., in: N. Dershowitz, editor, Verification: Theory and Practice, Lecture Notes in Computer Science 2772 (2003), pp. 436–479. [19] Nilsson, N. J., “Principles of artificial intelligence,” Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1980. [20] Pooch, U. W., Translation of decision tables, ACM Comput. Surv. 6 (1974), pp. 125–151. [21] Rouskas, G. N. and I. Baldine, Multicast routing with end-to-end delay and delay variation constraints, IEEE Journal of Selected Areas in Communications 15 (1997), pp. 346–356. [22] Wang, B. and J. Hou, Multicast routing and its QoS extension: problems, algorithms, and protocols, IEEE Network 14 (2000). [23] Winter, P., Steiner problem in networks: a survey, Netw. 17 (1987), pp. 129–167. [24] Xiao, X. and L. M. Ni, Internet qos: A big picture, IEEE Network 13 (1999), pp. 8–18. [25] Younis, O. and S. Fahmy, Constraint-based routing in the internet: Basic principles and recent research., IEEE Communications Surveys and Tutorials 5 (2003), pp. 2–13.

40


Stochastic Concurrent Constraint Programming and Differential Equations Luca Bortolussi1 Department of Mathematics and Computer Science University of Trieste, Italia

Alberto Policriti2 Department of Mathematics and Computer Science University of Udine, Italia

Abstract We tackle the problem of relating models of systems (mainly biological systems) based on stochastic process algebras (SPA) with models based on differential equations. We define a syntactic procedure that translates programs written in stochastic Concurrent Constraint Programming (sCCP) into a set of Ordinary Differential Equations (ODE), and also the inverse procedure translating ODE’s into sCCP programs. For the class of biochemical reactions, we show that the translation is correct w.r.t. the intended rate semantics of the models. Finally, we show that the translation does not generally preserve the dynamical behavior, giving a list of open research problems in this direction. Keywords: Stochastic Concurrent Constraint Programming, stochastic modeling, ordinary differential equations, biological systems.

1

Introduction

In the last decade there has been a remarkable interest of the computer science community in systems biology [18], i.e. the branch of biological sciences concerned with the study of living beings under a systemic light. The key issue is that of understanding how the observable features of life emerge as the consequence of the complex interactions among its basic (molecular) constituents, like proteins and genes. In this activity a key role is played by the mathematical modeling of biological systems and the computational analysis of these models [6,17]. There are, broadly, two different classes of modeling formalisms used, the first based on the continuous and deterministic mathematics of differential equations, the second based on the theory of stochastic processes. Computer science enters this game at different levels: it provides the numerical routines for solving differential equations, it furnishes virtual environments where graphically building and analyzing models, and, above 1 2

[email protected] [email protected]


Bortolussi and Policriti

all, it lends to systems biology a class of formal languages, namely stochastic process algebras, that can be used to describe elegantly and precisely the systems of interest [22]. This is probably the most important contribution, as it goes towards the definition of a formally specified language, designed to tackle the intrinsic complexity of living systems. Process algebras used in biology are generally equipped with a stochastic semantics, resulting in a continuous-time Markov Chain (CTMC for short) [19]. Remarkably, when process algebras are used to describe biochemical reactions, the CTMC given by their semantics coincides with the one constructed when using classical stochastic simulation procedures, like the celebrated Gillespie algorithm [14]. When biochemical reactions are considered, the coexistence of Gillespie method and of a different modeling technique, based on ordinary differential equations (ODE), must be faced. Notably, both these methods are justified using the same fundamental principle, i.e. the law of mass action [14,24]. It is also important to recall that the relation between deterministic and stochastic models of biochemical reactions has been analitically studied in detail, leading to the development of an hybrid modeling approach via stochastic differential equations to chemical kinetics, i.e. the Chemical Langevin Equation [12]. The comparison between stochastic process and differential equations can be carried at two different levels: we can compare them either syntactically or semantically, looking at their dynamical behavior. In the case of stochastic and deterministic models of biochemical reactions, derived from the law of mass action, the syntactic comparison is somehow trivial: we assume them to be equivalent, as they are derived from the same set of chemical equations. Essentially, a stochastic and a differential model are equivalent in this syntactic sense if they are coherent with the principles used in the description and in the modeling of the system under study. A different problem is whether these systems show an equivalent dynamical behavior. First of all, we must decide in what sense a stochastic system, whose traces show the characteristic fluctuations of noise, can be considered equivalent to a deterministic system. We may take a “minimalist” approach, considering two such systems equivalent if the deterministic system coincides with the average behavior of the stochastic one. With this approach we are dropping all the information concerning the variance of the stochastic system, an assumption that cannot be made in general, see [24]. In fact, many stochastic systems exhibit an oscillatory behavior that is induced by stochastic fluctuations, while their average does not fluctuate at all; this is the case, for instance, for the stochastic model of the Lotka-Volterra prey-predator system, see [14,24] and the last section. Despite this simplification, however, only few special mass action deterministic models of biochemical reactions are equivalent in the behavioral sense to their stochastic counterpart, see again [12]. In this paper we focus on this intriguing problem in the more general context of stochastic models constructed using process algebras. Comparison of models of biological systems built using stochastic process algebras with models of the same systems derived using differential equations can be motivated by different reasons. First, numerically solving differential equations is a computational task generally easier than the stochastic simulation or the state-based analysis of stochastic systems: if we can get a set of ODE’s that describes the same behavior of a stochastic process, we may be able to analyze the model more efficiently. Viceversa, process algebra models are constructed taking into account the interaction patterns among entities of the model, while differential equations hide these interactions in numerical relations among variables: if, starting from a set of ODE’s, we 42


can build an equivalent SPA model, we may be able to recover part of the structure of these interaction patterns. Also SPA and ODE models can be compared at two levels, one syntactical and the other semantical, focussing on the dynamical behavior. How can we compare syntactically stochastic process algebra programs and differential equations? A possibility is to define (sensible) translation procedures, operating at the syntactical level, that associate a set of differential equations to a stochastic model and, viceversa, a stochastic model to a set of differential equations. These translations must satisfy some conditions of coherence. With biological applications in mind, we may at least ask that these translations, when applied to models of biochemical reactions, preserve the intended chemical kinetics, meaning that the result of the translation of a SPA model of a set of reactions should be the usual ODEs associated to that reactions. Note that this is essentially the point of view taken in [9]. Therefore, a stochastic system and a set of ODE’s may be considered equivalent whenever they can be derived one from the other using these translation methods. Recently, there has been some work in this directions, developing techniques associating sets of differential equations to programs written in PEPA [16] or in π-calculus [8]. The basic idea of these methods is to approximate the number of syntactic terms of a certain kind, present in parallel in the system, with a real number, and then derive the variation of the number of such terms by a syntactic inspection of their structure and their communication patterns. Hence, transitions involving these terms will contribute with a negative flux, while transitions creating copies of these terms will give a positive flux. These translations satisfy the coherency condition staten above: for instance, if we write a process algebra model of biochemical reactions using mass action kinetics (which is always the case for π-calculus or PEPA), then the derived set of differential equations is exactly the set of mass action ODE associated to the biochemical reactions under examination, see [9] for a formal proof. On the other hand, the system of ODE’s generated in this way is usually not behaviorally equivalent to the SPA model, in the sense of differential equations describing the average value of the stochastic system. The inverse direction, i.e. associating a stochastic process algebra model to a set of ODE’s, has received less attention in the literature, the only example known to us being [5], where the authors use as process algebra a stochastic version of concurrent constraint programming, sCCP [2]. In this paper, after recalling the basics of sCCP (Section 2), we extend the work done in [5], showing a method to associate ordinary differential equations to sCCP programs written with a restricted syntax (Section 3) and a translation of ODE’s into sCCP programs (Section 4). We then prove that these two translation are essentially each other’s inverse, showing also that they are coherent when applied, for instance, to sCCP agents describing biochemical reactions [4]. In practice, we show that the ODE’s associated to sCCP agents modeling biochemical reactions, as defined in [4], are the usual ODE’s describing the intended kinetics. Unfortunately, syntactic techniques developed up to now are not invariant from a dynamical point of view. In the conclusions (Section 5) we comment more on this side of the problem, putting more emphasis on the need of finding translations linking process algebras and ODE’s that preserve the observed behavior.

43


2

Stochastic Concurrent Constraint Programming

In this section we briefly recall the stochastic version of Concurrent Constraint Programming [23], as presented in [2,4]. Concurrent Constraint Programming (CCP) is a process algebra having two distinct entities: agents and constraints. Constraints are interpreted first-order logical formulae, stating relationships among variables (e.g. X = 10 or X +Y < 7). Agents in CCP, instead, have the capability of adding constraints (tell) into a “container” (the constraint store) and checking if certain relations are entailed by the current configuration of the constraint store (ask). The communication mechanism among agents is therefore asynchronous, as information is exchanged through global variables. In addition to ask and tell, the language has all the basic constructs of process algebras: non-deterministic choice, parallel composition, procedure call, plus the declaration of local variables. The stochastic version of CCP (sCCP [2,4]) is obtained by adding a stochastic duration to all instructions interacting with the constraint store C, i.e. ask, tell. Each instruction has an associated random variable, exponentially distributed with rate given by a function associating a real number to each configuration of the constraint store: λ : C → R + . This is a unusual feature in traditional stochastic process algebras like PEPA [15] or stochastic π-calculus [20], and it will be a crucially used in the translation mechanisms, cf. below. The underlying semantic model of the language (defined via structural operational semantic, cf. [2]) is a CTMC, as each configuration of the system in sCCP consists of the current set of processes and of the current configuration of the constraint store. Thus in every node of the transition graph all rate functions are evaluated. Therefore, as in stochastic π-calculus [20] or PEPA [15], we have a race condition between all active instructions such that the fastest one is executed. As in [4], we allow also tell instructions with infinite rate, which will be executed instantaneously whenever encountered by an agent. To deal with this kind of instructions and with procedure calls, we need to define two transitions relations: one instantaneous and one stochastic. These transitions are applied in an interleaved fashion: the instantaneous relation is applied until possible, then one step of the stochastic one is executed. Restrictions on the syntax guarantee that the instantaneous transition is confluent and becomes quiescent after a finite number of steps, hence the stochastic semantics is well defined, see [3] for further details. Variables used in the definition of rate functions need to store a single value that may vary over time. Such variables, for technical reasons, are conveniently modeled as variables of the constraint store, which are rigid (over time). To deal with this problem we store time varying parameters as growing lists with an unbounded tail variable. We will, however, use a natural notation where X=X+1 has the intended meaning of: “extract the last ground element n in the list X, consider its successor n + 1 and add it to the list (instantiating the old tail variable as a list containing the new ground element and a new tail variable)”. We refer to such variables as stream variables. We have developed an interpreter for the language that can be used for running simulations. This interpreter is written in Prolog and uses standard constraint solver on finite domains as manager for the constraint store. All simulations of sCCP shown in the paper are performed with it. 44


reaction(k, [R1 , . . . , Rn ], [P1 , . . . , Pm ]) : − `Vn ´ askrM A (k,R1 ,...,Rn ) i=1 (Ri > 0) . Vn V m tell∞ ( i=i (Ri − 1) ∧ j=i (Pj + 1)). reaction(k, [R1 , . . . , Rn ], [P1 , . . . , Pm ])

R 1 + . . . + R n → k P1 + . . . + P m

S

7→E K,V0

P

mm reaction(K, V0 , S, P ) : − askrM M (K,V0 ,S) (S > 0). (tell∞ (S − 1 ∧ P + 1)) . mm reaction(K, V0 , S, P ) where rM A (k, X1 , . . . , Xn ) = k · X1 · · · Xn ; V0 S rM M (K, V0 , S) = S+K ;

Table 1 Translation into sCCP of different biochemical reaction types, taken from [4]. The reaction process models a mass-action-like reaction, while the second arrow corresponds to a reaction with Michaelis-Menten kinetics. In the code, X − 1 stands for X = X − 1, while X + 1 stands for X = X + 1.

2.1

Modeling Biological Systems in sCCP

In [3,4] we argued that sCCP can be conveniently used for modeling biological systems. In fact, while maintaining the compositionality of process algebras, the presence of a customizable constraint store and of variable rates gives a great flexibility to the modeler, so that different kinds of biological systems can be easily described within this framework. In [4], we showed that biochemical reactions and genetic regulatory networks are easily dealt by sCCP. In [3] we added to this list also formation of protein complexes and the process of folding of a protein, whose description requires the knowledge about spatial position of amino acids constituting the protein (a kind of information easily added exploiting the potentiality of the constraint store). To simplify the task of modeling, in [4] we defined a library of agents corresponding to different types of biochemical reactions. Notably, the presence of non-constant rates allows to describe reactions that have a chemical kinetics different from the standard mass action one. This is not possible, for instance, in π-calculus, given the fact that global rates are defined there using a mass action principle: essentially, the number of possible communications on a channel are multiplied by the basic rate of that communication. In Table 1, we present an extract of the library defined in [4], where two different typologies of reactions are considered: the first one has the classical mass action kinetics, while the second represents a catalyzed transformation of S into P (thanks to the action of enzyme E) and has a Michaelis-Menten kinetics (its rate is computed using the expression at the bottom of the table, corresponding to the format of the Michaelis-Menten differential equation for enzymatic kinetics [10]; formal justification of these rates in stochastic modeling can be found in [21]).

3

sCCP to Ordinary Differential Equations

In this section we define a translation machinery that associates a set of ordinary differential equations to a sCCP program. This translation applies to a restricted version of the language, both in the constraint store and in the syntax. Despite these restrictions, this sub-language is sufficient to deal with applications in modeling biochemical reactions and 45


P rogram = D.A D = ε | D.D | p : −A π = tellλ (c) | askλ (c)

M = π.G | M + M

G = 0 | tell ∞ (c).G | p | M

A=0|M

N =A|AkN Table 2 Syntax of the restricted sCCP.

genetic regulatory networks. After defining this translation, we show that it preserves the chemical kinetic, or the rate semantics, as defined in [9]. Essentially, we take some sCCP agents used in modeling biochemical reactions (Table 1), and show that the associated ODE is the one describing their kinetics [10], i.e mass action for simple reaction agents and Michaelis-Menten equations for agents with Michaelis-Menten rate. We restrict the language both in the admissible constraints of the store and in the syntax of the agents. We restrict all the variables of the constraint store to be stream variables, and we allow only equalities and inequalities as constraints to be asked. In addition, we restrict the possible updates of variables in the store to a very special class of constraints, of the form X = X + k, where k is a positive or negative constant. Note that these are the kind of updates we use in biological modeling, see Table 1. The syntax of the language is restricted as in Table 2. First, we allow only sequential agents, fixing the number of agents in parallel in the initial configuration of the system. Sequential agents do not contain any parallel operator. In addition to this, we disallow the possibility of defining local variables: all variables used by agents must be global. Therefore, we can avoid to pass parameters in the procedure call, supposing that all procedures know the name of the global variables they must act on. 3 These restrictions are in the spirit of those introduced in [8,16]: we are forbidding an infinite unfolding of agents and we are considering only global interactions, forcing the speed of each action to depend on the whole state of the system. The translation from restricted sCCP programs to ODE proceeds in several steps, illustrated in the following paragraphs. Step 1: Reduced Transition Systems. The first step consists in associating a labeled graph to each sequential agent composing the network, the so called reduced transition systems [3]. In order to illustrate this procedure, we show its functioning on the following simple sCCP agent: RWX :tell1 (X = X − 1).RWX + tell1 (X = X + 2).RWX ) + askf (X) (true).( tell1 (X = X − 2).RWX + tell1 (X = X + 1).RWX )

f (X) =

1 X 2 +1

3 Sometimes parameter passing is used to reutilize the same code on different global variables. In this case, we need to define different procedures, one for each set of global variables we are interested in.

46


This agent performs a sort of random walk in one variable, increasing or decreasing its value by 1 or 2 units, depending on its inner state. Each component of the network and each procedure, as defined in Table 2, can be of three different types: a stochastic choice, an instantaneous tell and a procedure call. Specifically, each branch of a stochastic choice begins with a timed ask or tell, followed by zero o more instantaneous tell, followed again by a procedure call or by another stochastic choice. The first operation to perform is to collapse the timed instruction opening a stochastic branch (i.e. askλ or tellλ) with all the instantaneous tell∞ following it, replacing all these actions with a predicate of the form action(c, d, λ), where c is a constraint that must be entailed by the store for the branch to be enabled, d is the constraint that will be posted to the store and λ is the stochastic rate of the branch. After this replacement, there are only two possible agent types left: stochastic branches and procedure calls. We denote by collapsed(A) the agent A after this replacement. For example, the agent collapsed(RWX ) simply is: collapsed(RWX ) :action(true, X = X − 1, 1).RWX + action(true, X = X + 2, 1).RWX + action(true, true, f (X)).( action(true, X = X − 2, 1).RW X + action(true, X = X + 1, 1).RWX ) We can now associate to each agent collapsed(A) a graph where nodes correspond to stochastic choices (labeled with “+”) and procedure calls (labeled by the name of the called procedure) of collapsed(A), while edges correspond to instructions action(c, d, λ), and are labeled by the triple (c, d, λ). The structure of the graph mirrors the structure of the agent collapsed(A). The entering node of such graph is the node corresponding to the first instruction of collapsed(A) (which is always a summation). The graph for the agent collapsed(RWX ) is shown in Figure 1 (left). We can now process the initial configuration of the network, A 1 k . . . k An , acting separately on each Ai . Consider the graph associated to collapsed(A i): we want to remove the procedure call nodes. We do this by a kind of unfolding, using at most one copy of the graph of each different procedure (recall that we have a finite number of them). Consider a node corresponding to a procedure, say p, with p :- A. If the graph associated to collapsed(A) is not present in the graph we are manipulating, then we substitute the node for p with the graph of collapsed(A), otherwise we remove the node for p and we redirect its incoming edges to the entering node of the graph of collapsed(A). In Figure 1 (right) we show the result for the agent collapsed(RW X ). The resulting graph for each component of the network is called reduced transition system (RTS), as it contains all possible actions and all possible states of that component. Step 2: the interaction matrix. Consider an sCCP program, composed by several agents in parallel. Once we have converted all of them into their reduced transition system representation, we associate a unique number to each state and each transition of all such graphs. Successively, we need 47


Fig. 1. Steps in the creation of the reduced transition system for RWX . The graph on the left is the one obtained from the agent collapsed(RWX ), while the graph on the right is its reduced transition system. In these graphs, the asterisk * denotes the constraint true.

to identify the variables of the system of differential equations. All variables of the store used by the agents will have a syntactic counterpart in a variable of the ODE system. In the following, we denote such variables by X 1 , . . . , Xn . In addition, we associate a variable to each state of the reduced transition systems, of the form P i , where P is a name never used for a variable of the store, and i is the index assigned to the node. Consider a transition indexed by j; we indicate with exit j the variable labeling the exiting node of edge j, with ratej (X1 , . . . , Xn ) its rate function (labeling the corresponding edge in the RTS) and with guardj (X1 , . . . , Xn ) the indicator function of its guard, returning 1 if the guard is satisfied, 0 otherwise. We are now ready to define the interaction matrix. This matrix has one row for each variable X1 , . . . , Xn , P1 , . . . , Pm (we suppose to have m states in total in the RTS of sCCP agents), and one column for each transition. Column j is constructed in the following way: if edge j goes from the node identified by P i to a node identified by Ph , we put a -1 in correspondence to row Pi and a +1 in correspondence of row Ph (if i = h, we simply put a zero). Then, for each update instruction of edge j of the form X l = Xl + δ, we put δ in correspondence of row Xl . All other entries of the column are set to 0. We denote the interaction matrix by Im and the element corresponding to the row associated to variable Y and to column j by Im(Y, j). For the example introduced above, the resulting interaction matrix is: X −1 +2 0 −2 +1 (1)

P0 0

0 −1 +1 +1

P1 0

0 +1 −1 −1

Writing ODE’s. Once we have the interaction matrix, writing the set of ODE’s is very simple. To each row of the matrix we associate an equation expressing the variation of the corresponding variable. The equation for a variable Y is the following (k indicates the number of columns in the matrix): (2)

Y˙ =

k X

Im(Y, j) · guardj (X1 , . . . , Xn ) · ratej (X1 , . . . , Xn ) · exitj

j=1

48


For instance, the set of ODE’s associated to the agent of our example is   X˙ = P0 − P1    P˙ 0 = − X 21+1 P0 + 2P1     P˙ 1 = X 21+1 P0 − 2P1 3.1

ODE’s for Biochemical sCCP Agents

In Table 1 we have presented part of the library of sCCP agents describing the main biochemical reactions. Each agent in that diagram corresponds to a reaction having a specific kinetics. We considered here only mass action kinetics and Michaelis-Menten kinetics, theories usually presented by means of differential equations [10]. In this section we show that if we apply the translation just defined to these agents, we obtain exactly the differential equations corresponding to their kinetics. Therefore, we can say that our translation preserves the rate semantics, in the sense of [9]. Mass action kinetics. Consider the sCCP encoding (Table 1) of a biochemical reaction with mass action kinetics, indicated by the arrow R1 + . . . + Rn →k P1 + . . . + Pm . First of all, note that the expression of the rate function allows us to remove the condition in the ask guard. In fact, whenever one of the Ri variables is zero, the function rM A is also zero, hence the term in the ODE will give no contribution. The reduced transition system for the agent reactionk,R1 ,...,Rn ,P1 ,...,Pm is the following

Applying the translation method defined, we obtain the following set of ODE: R˙ 1 = −kR1 · · · Rn .. .

P˙ 1 = kR1 · · · Rn .. .

R˙ n = −kR1 · · · Rn

P˙m = kR1 · · · Rn

P˙ = 0

This is exactly the form of Mass Action ODE for this reaction. Michaelis-Menten kinetics. Let’s consider a reaction based on Michaelis-Menten kinetics, represented in Table 1 by the chemical arrow S 7→E K,V0 P . To generate the corresponding set of ODE’s, we first have to build its reduced transition system, having the form:

Note that also in this case we dropped the guard condition in the ask instruction, as the form of the rate function subsumes it. Building the interaction matrix, we can derive the corresponding set of ODE, taking the desired form of classic Michaelis-Menten equation: 49


P˙ =

4

max S S˙ = − VK+S

Vmax S K+S

X˙ = 0

Ordinary Differential Equations to sCCP

In this section we define a transformation that associates a sCCP process to a generic set of ordinary differential equation. Then, we show that the transformation behaves well, in the sense that the set of ODE associated to the derived sCCP agent, using the method of the previous section, is exactly the initial set of ODE. Finally, we give an example. Consider a system of first order ODE with n variables X 1 , . . . , Xn ; we write it separating positive and negative addends in each equation:  P 1 P 1  X˙ 1 = hj=1 f1j (X1 , . . . , Xn ) − kj=1 g1j (X1 , . . . , Xn )    .. (3) .     X˙ = Ph1 f (X , . . . , X ) − Pk1 g (X , . . . , X ) n

j=1 1j

1

n

j=1 1j

1

n

In order to keep the presentation simple, we impose that f ij (X1 , . . . , Xn ) ≥ 0 and gij (X1 , . . . , Xn ) ≥ 0. 4 The translation to sCCP simply proceeds associating an agent to each differential equation of (3), defined by manXi :-

Phi tellfij (X1 ,...,Xn ) (Xi = Xi + δ).manXi Pj=1 hi + j=1 tellgij (X1 ,...,Xn ) (Xi = Xi − δ).manXi

Here δ denotes the basic increment, that we consider as unitary. Notably, if we apply the transformation defined in the previous section, associating a set of ODE to our sCCP agent, we can easily see that we obtain exactly the initial set of ODE. Before showing this in more detail, we want to spend some words on the functional rates. This is a feature different from common process algebras, where rates are real numbers and the final speed of an action is determined from this basic rate in a mass action style, i.e. summing all rates of enabled transitions of a certain type. As a result, the ODE format that can be generated from these process algebras coincide with the set of mass action equations, like those of Section 3.1. On the contrary, functional rates are somehow more expressive, as they allow to encode, at least syntactically, every possible ODE, without restrictions. In fact, we are using non-constant rates to hide the logical interaction mechanism that is usually modeled explicitly in common process algebras. To generate a set of ODE from the agents man Xi , we have first to obtain their reduced transition system. It is easy to see that it has the form

If we consider the interaction matrix that is derived from these RTS, we observe that the row corresponding to variable Xi has non-zero entries only relatively to the transitions of 4

The definition of the sCCP agents in the general case is straightforward: we simply need to check if the value of a function, say f is positive or negative and act accordingly, using its absolute value as the rate.

50


the RTS for manXi , each entry being equal to δ or −δ. The corresponding ODE therefore is hi ki X X ˙ (4) Xi = δfij (X1 , . . . , Xn )Pi − δgij (X1 , . . . , Xn )Pi . j=1

j=1

Now, we can perform two simplifications: first, δ is the unitary increment, and we can set it equal to 1. Secondly, the equation for P i , the variable denoting the only state of agent manXi , has equation P˙i = 0, hence Pi is constant. As we have just one agent man Xi , Pi is equal to one. Therefore, equation (4) boils down to (5)

X˙ i =

hi X

fij (X1 , . . . , Xn ) −

ki X

gij (X1 , . . . , Xn ),

j=1

j=1

which is exactly the starting equation for X i . Note that as basic step in the translation from ODE to sCCP we are using a generic δ, determining the size of the basic increment or decrement of variables of the system. In sCCP, we are not forced to use integer variables, but we can let them vary, for instance, on a grid of rational numbers, where the basic distance can be set equal to δ. Varying the size of δ, we can calibrate the effect of the stochastic fluctuations, reducing or increasing it. This is evident in the following example, where we compare solutions of ODE’s and the simulation of the corresponding sCCP processes. Let’s consider the following system of equations, representing a model of the repressilator, a synthetic genetic network having an oscillatory behavior (see [11]): X˙ 1 = α1 X3−1 − β1 X10.5 , α1 = 0.2 X˙ 2 = α2 X1−1 − β2 X20.5 , α2 = 0.2

(6)

X˙ 3 = α3 X2−1 − β3 X30.5 , α3 = 0.2. The values of β are here parameters; their value has a severe impact on the behavior of the system, that for some values of β oscillates (as expected from repressilator) while for some other values does not oscillate at all (see Figure 2). The corresponding sCCP process is manX1 k manX2 k manX3 ,

(7) where

manX1 : −(tell[α1 X −1 ] (X1 = X1 + δ) + tell [β1 X10.5 ] (X1 = X1 − δ)).manX1 3



In Figure 2 we compare numerical solutions of S-Systems and simulations of the corresponding sCCP process, for different values of β (αs have the value defined in equation (6)) and fixed δ, equal to 0.01. As we can see, not only the general qualitative behavior is respected, but also the quantitative information about concentrations is preserved. Note that also “wild” behaviors of S-Systems are perfectly reproduced, see again Figure 2. Probably, one of the main ingredients guaranteeing this reproducibility is the fact that variables take values in a finer grid than integers, meaning that the effect of stochastic fluctuations is less remarkable, as they relative magnitude is smaller. This is essentially the same as working 51


Fig. 2. Numerical solutions of the system of equations for the repressilator (left column), and the numerical simulation of the corresponding sCCP program (right column), for β = 0.01 (top) and β = 0.001 (bottom)

with a sufficiently high number of molecules in Gillespie’s algorithm [14,13]. Interestingly, though there is a strong qualitative accordance between the deterministic and stochastic kinetics, the graphs differ in the time scale. This can be explained by noting that in (4) δ plays the role of a scaling factor in the differential equation, resulting in a stretching of the temporal axis of a factor 1δ .

5

Future Work and Conclusions

In the paper we focused on the problem of relating stochastic models written with process algebras and models with differential equations. Even though our interest is mainly in biological systems and examples are drawn from this field, the problem is general and these methods can be applied to a broad range of systems, like computer networks. Here we focused in the definition of translation procedures associating sets of differential equations to process algebraic models, and stochastic process algebra programs to differential equations. The process algebra we used is sCCP, a stochastic version of CCP; some of its features, functional rates above all, play an important role in this translation procedure. In particular, they enabled us to define a “well-behaving” translation from general differential equations, in the sense that applying the (inverse) transformation from sCCP programs we obtain again our initial equations. These translation procedures work at the syntactic level and in the paper we showed that, at least when applied to models of biochemical reactions, they preserve the intended chemical kinetics. Staten otherwise, the models obtained with this translation procedure are coherent with the notion of chemical kinetics used. However, there is no theoretical guarantee that the transformed model shows a dynamical behavior that is equivalent to the one of the initial model. For instance, consider the sCCP program for the set of reactions describing a simple population dynamics, the so-called Lotka-Volterra model (C is the predator and E is the prey), C →2 , E →5 2E and C + E →0.1 2C. The set of ODE 52


Fig. 3. Stochastic simulation of the Lotka Volterra model in sCCP (solid line) compared with the solution of associated ODE’s (dotted line), for initial conditions E0 = 20 and C0 = 50. Predators are shown in blue and preys are shown in red.

obtained with the translation method defined above are C˙ = 0.1EC − 2C and E˙ = 5E − 0.1EC. If we set the initial conditions of the system to E 0 = 20 and C0 = 50, the ODE’s are in equilibrium, and their solution is a straight line. Instead, the stochastic system shows no equilibrium at all: the number of preys and predators oscillates until they both go extinct, see Figure 3. In other cases, the ODE’s associated to a sCCP program perfectly capture the behavior of the system, see [7] for examples in this sense. However, the Lotka-Volterra example is one of many where associated ODE fail in doing this: we are far from having defined a procedure translating stochastic process algebra programs into ODE’s in a semantically correct way. We consider this as the main open problem in this research area. Indeed, there are other questions worth considering. First of all, we lack a reasonable definition of behavioral equivalence between stochastic processes and differential equations. Considering the average behavior of the stochastic process is not the best solution, as there are cases where the stochastic model exhibits strong oscillations, though the average value of the systems does not oscillate at all [3,5]. Therefore, a different approach, aiming at capturing qualitative aspects more than quantitative information, should be adopted. Another open question concerns the characterization of a class of sCCP programs for which the associated ODE’s works well also from a behavioral viewpoint. For these systems, the syntactic transformation we have defined is safe. A further interesting point is that of seeing if and where hybrid systems, like hybrid automata [1], can enter the picture. In fact, while passing to ODE’s we are dropping any form of non-determinism (which is, instead, present in stochastic systems under the form of race conditions); hybrid automaton, on the other hand, while having a continuous time evolution governed by ODE’s, have also discrete states and non-deterministic transitions among them. Finally, we need to characterize in a mathematically more precise sense what happens in the translation from ODE’s to sCCP. Specifically, it would be important to understand how a variation of the step’s value δ influences the behavior of the stochastic process w.r.t. the one of the ODE. Our conjecture is that in the limit of δ → 0, the average of the stochastic behavior coincides with the solution of the ODE (modulo a suitable time re-scaling), at least if the ODE’s trajectories are not too sensitive from initial conditions, for the particular initial values chosen. 53


References [1] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138(1):3–34, 1995. [2] L. Bortolussi. Stochastic concurrent constraint programming. In Proceedings of 4th International Workshop on Quantitative Aspects of Programming Languages, QAPL 2006, 2006. [3] L. Bortolussi. Constraint-based approaches to stochastic dynamics of biological systems. PhD thesis, PhD in Computer Science, University of Udine, 2007. In preparation. Available on request from the author. [4] L. Bortolussi and A. Policriti. Modeling biological systems in concurrent constraint programming. In Proceedings of Second International Workshop on Constraint-based Methods in Bioinformatics, WCB 2006, 2006. [5] L. Bortolussi and A. Policriti. Relating stochastic process algebras and differential equations for biological modeling. Proceedings of PASTA 2006, 2006. [6] J. M. Bower and H. Bolouri eds. Computational Modeling of Genetic and Biochemical Networks. MIT Press, Cambridge, 2000. [7] M. Calder, S. Gilmore, and J. Hillston. Modelling the influence of rkip on the erk signalling pathway using the stochastic process algebra pepa. Transactions on Computational Systems Biology, 4230:1–23, 2006. [8] L. Cardelli. Chemical π-calculus. Draft, 2006. [9] L. Cardelli. On process rate semantics. draft, 2006. [10] A. Cornish-Bowden. Fundamentals of Chemical Kinetics. Portland Press, 3rd edition, 2004. [11] M.B. Elowitz and S. Leibler. A syntetic oscillatory network of transcriptional regulators. Nature, 403:335–338, 2000. [12] D. Gillespie. The chemical langevin equation. Journal of Chemical Physics, 113(1):297–306, 2000. [13] D. Gillespie and L. Petzold. System Modelling in Cellular Biology, chapter Numerical Simulation for Biochemical Kinetics. MIT Press, 2006. [14] D.T. Gillespie. Exact stochastic simulation of coupled chemical reactions. J. of Physical Chemistry, 81(25), 1977. [15] J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996. [16] J. Hillston. Fluid flow approximation of pepa models. In Proceedings of the Second International Conference on the Quantitative Evaluation of Systems (QEST05), 2005. [17] H. Kitano. Foundations of Systems Biology. MIT Press, 2001. [18] H. Kitano. Computational systems biology. Nature, 420:206–210, 2002. [19] J. R. Norris. Markov Chains. Cambridge University Press, 1997. [20] C. Priami. Stochastic π-calculus. The Computer Journal, 38(6):578–589, 1995. [21] C. V. Rao and A. P. Arkin. Stochastic chemical kinetics and the quasi-steady state assumption: Application to the gillespie algorithm. Journal of Chemical Physics, 118(11):4999–5010, March 2003. [22] A. Regev and E. Shapiro. Cellular abstractions: Cells as computation. Nature, 419, 2002. [23] V. A. Saraswat. Concurrent Constraint Programming. MIT press, 1993. [24] Darren J. Wilkinson. Stochastic Modelling for Systems Biology. Chapman & Hall, 2006.

54


Keeping Secrets in Resource Aware Components Tom Chothia CWI, Amsterdam, The Netherlands

Jun Pang Carl von Ossietzky Universit¨ at Oldenburg, Oldenburg, Germany

Mohammad Torabi Dashti CWI, Amsterdam, The Netherlands

Abstract We present a powerful and flexible method for automatically checking the secrecy of values inside components. In our framework an attacker may monitor the external communication of a component, interact with it and monitor the components resource usage. We use an automata model of components in which each transition is tagged with resource usage information. We extend these automata to pass values and say that a value is kept secret if the observable behaviour of the automata is the same for all possible instantiations of that value. If a component leaks some, but not all of the information about its secret we use a notion of secrecy degree to quantify the worst-case leakage. We show how this secrecy degree can be automatically calculated, for values from a finite domain, using the µCRL process algebraic verification toolset. Keywords: Secrecy, Q-Automata, automatic checking, component-based systems, quality of service, µCRL

1

Introduction

Component-based software development allows programs to be reused, interchanged and even downloaded onto a running system. Sometimes the maker or user of a component would like to keep some of the data inside the component secret from other components on the same system. This goal is complicated as the potential attackers may be running on the same computer as the target component and so can monitor its resource usage. We develop a framework for automatically checking how well values inside a component are kept secret from an attacker that can communicate with the component and monitor its resource usage. Resource usage or Quality of Service (QoS) aspects of components concern nonfunctional properties such as availability, response time, memory usage, etc. Following work on constraint semirings [4,13], we propose a general framework for a This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

Chothia, Pang and Torabi Dashti

range of trust and quality values, which we call a Q-algebra. These algebras define a framework for quality values that could be combined with many kinds of automata or calculi. With the aim of making our system suitable for the kinds of applications we expect to model and of making our system more easily understandable, we have chosen to base our work on automata. These provide a concrete, intuitively clear, model of computation, and a structural approach to the analysis of the behaviour of components and their composition. Components will be represented by Q-automata [10]. These automata have an additional cost label on each transition to indicate the impact of taking that transition on the quality attributes of the system. Most automata models do not distinguish between the interleaving of two actions and their possible concurrent occurrence, however in the model proposed here it is possible that concurrent components can perform their actions simultaneously without having to synchronise (e.g., in a communication). Therefore, the resource usage of an application can be quite different depending on whether the smallest units of abstraction happen at the same time or one after the other. For instance, given two transitions, both of which “cost” a certain amount of bandwidth, measured in Kbit/s, running both at the same time will require the sum of the two individual costs, whereas running them one after the other will only cost the maximum of the two individual costs. Time costs on the other hand will sum sequentially, but not concurrently and we may choose to model memory allocation costs by summing them both concurrently and sequentially. We extend Q-automata to pass names from a finite domain of values in a similar way as non-value passing process calculi are often extended to value passing versions, c.f. [20]. We also define strong bisimulation as an equivalence relation for the (extended) Q-automata model that requires matching costs on transitions. We define Component Secrecy Degree and Variable Secrecy Degree to measure how well a model of a component keeps its secrets from any attacker who can interact with the component and monitor its resource usages. We do not consider an attacker that can examine the source code of a component, we are interested in modelling attackers that are other components running on the same computer as the target and so they can only use the standard communication channels and monitor the resource usage of other components. A component has prefect secrecy if any two instances of that component, observed by the attacker, are bisimilar for any possible secret values. The degrees of secrecy give a measure of how much information about the components secrets are leaked. This is similar to the approach of [11] in measuring anonymity degrees. We use the µCRL toolset [5] for performing state space reduction modulo bisimulation [6], which we use along with some purposebuilt scripts to generate all possible cases of the model and to calculate degrees of secrecy.

Main contributions. The contributions of this work include •

a resource aware automata model of components with secrets,

•

a corresponding definition of secrecy and a method of checking it via bisimulation, 56

Chothia, Pang and Torabi Dashti •

a tool to automatically check our measures of secrecy (based on µCRL).

Related work. Weighted automata have a simple weight or cost on each transition and have been extensively studied since the early days of computer science [14,22]. Our automata model differs from weighted automata by using a Q-algebra to provide the costs; this allows us to define a truly compositional model of the resource usage of components. Timed automata models label transitions with costs representing the time they take [1]. Priced or weighted timed automata [2,3] model time using clocks and have costs on states and transitions. The cost of each transition is paid each time the transition is made whereas the costs of each state is paid once for each time unit the automata spends in that state. This provides an expressive model of costs and time that is, in many cases, undecidable [8]. Our model is also similar to some process calculi, such as CCS [19], one of the main differences, apart from the automata setting, is that we allow multisets of actions to happen at the same time. In the context of computer security, there are several papers on modelling resource consumptions of different execution scenarios, [9,17]. A conceptual difference between our work and these papers is that they mainly focus on measuring the resources consumed by the attacker in an attack, whereas we allow the attacker to measure the resources consumed by the target system, and possibly use it to launch an attack. In this respect, our work is close to the body of research on side channel and timing attacks [15,18,21].

Structure of the paper. In the next section we introduce our automata model and cost algebra. In Section 3 we extend these automata to pass values and define secrecy degrees for these values. Section 4 introduces our automatic tool to check secrecy. Finally Section 5 concludes the paper.

2

Q-Automata: Modelling Resource Usage

Our model of resource aware components uses values from a Q-algebra to label the transitions of an automaton. 2.1

Q-algebra

To compute and analyse QoS values in a standard way, we develop a general framework as in the approach of De Nicola et al. [13]. First we recall the concept of a constraint semiring: Definition 2.1 A constraint semiring is a structure R = (C, ⊕, ⊗, 0, 1) where C is a set, 0, 1 ∈ C, and ⊕ and ⊗ are binary operations on C such that: — ⊕ is commutative, associative, idempotent and has identity 0 — ⊗ is associative and has identity 1 — ⊗ distributes over ⊕ and has 0 as an absorbing (zero) element 57


Note that for a constraint semiring (or c-semiring, for short) as above, the operation ⊕ induces a partial order ≤ on C defined by a ≤ b if and only if a ⊕ b = b. Moreover, two elements are comparable with respect to ≤ if and only if application of ⊕ to these elements yields one (the larger w.r.t. ≤) of the two. Actually, ⊕ always yields the least upper bound of the elements to which it is applied. Constraint semirings can be used to compose QoS values with “addition” ⊕ to select among values and “multiplication” ⊗ to combine them. Given an action of cost c1 and another action with cost c2 then the cost of both actions together is c1 ⊗ c2 , whereas ⊕ returns the least upper bound of c1 and c2 . The 0 element, as the identity of ⊕, is the least possible cost value and the 1 element, as the identity of ⊗, is the neutral cost value. A few examples: — (shortest) time: (R+ ∪ {∞}, min, +, ∞, 0) — bandwidth: (N ∪ {∞}, min, max, ∞, 0) — data encrypted: ({true, false}, ∨, ∧, false, true) — access control: (2U , ∪, ∩, ∅, U ), where U is the set of all users and 2U is the powerset of U . Constraint semirings work well when there is just one way to combine quality values. We may use these values to represent the cost of a method call, a sequence of reduction steps or the cost to execute an entire program. When dealing with a number of concurrent processes these steps may take place sequentially or in parallel and these two ways of combining actions might have very different overall results on the resource usage of the system. For instance, two processes that both require a certain number of CPU cycles per second will require a higher number of cycles per second when run at the same time than when run one after the other. We can model these different ways of combining values by adding a new multiplicative operator: Definition 2.2 A Q-algebra is a structure R = (C, ⊕, ⊗, ȅ, 0, 1) such that R⊗ = (C, ⊕, ⊗, 0, 1) and Rȅ = (C, ⊕, ȅ, 0, 1) are c-semirings. C is called the domain of R. The ȅ operator is used to combine two values concurrently: c1 ȅ c2 is the cost of c1 and c2 at the same time. The ⊗ operator combines values sequentially: c1 ⊗ c2 is the cost of c1 followed by c2 . Combining costs concurrently or sequentially will not affect the least or neutral cost elements so the two operations share their identities. As before, ⊕ is used to select between values. For example: — (shortest) time: (R+ ∪ {∞}, min, +, max, ∞, 0) — bandwidth: (N ∪ {∞}, min, max, +, ∞, 0) 2.2

Q-Automata

In this section we introduce Q-automata. These consist of an initialised labelled transition system together with a (labelled) Q-algebra to specify the cost of each transition. Note that each transition is labelled with a multiset of actions as a representation of simultaneous and multiple occurrences of actions. A multiset over a set X is a function m : X → N and the set of all multisets over X is denoted by 58


M(X). For two multisets m1 and m2 over X, their sum m1 + m2 is the multiset over X defined by (m1 + m2 )(x) = m1 (x) + m2 (x). Definition 2.3 A Q-automaton is a structure P = hS, t, A, R, T i where: — S is a finite set of states, — t ∈ S is its initial state, — A is a (finite) set of action names, — R = (C, ⊕, ⊗, ȅ, 0, 1) is a labelled QoS algebra with domain C of costs, — and T ⊆ S × M(Act) × C × S is the set of transitions. The set of actions of P , written Act, is derived from the set of action names A in the following way: each name a ∈ A can occur as an input action (denoted a?), an output action (denoted a!) or as an internal action (also denoted by a). We thus obtain AO = {a! : a ∈ A}, the set of output actions of P , AI = {a? : a ∈ A}, the set of input actions of P , and Aτ = A the set of internal actions of P . The sets AO , AI , and Aτ are assumed to be pairwise disjoint. Finally, we let Act = AO ∪ AI ∪ Aτ . The (finite) computations of Q-automata are defined in the standard way. Definition 2.4 Let P be a Q-automaton specified as in Definition 2.3. A computation (of length n ≥ 0) starting from a state s0 ∈ S is a sequence (s0 , m1 , c1 , s1 ), . . . , (sn−1 , mn , cn , sn ) with (si , mi , ci , si+1 ) ∈ T for all 0 ≤ i ≤ n − 1. If n = 0, then the computation is the empty sequence. Based on the Q-algebra and the costs of the transitions, we can compute the cost for each computation. Definition 2.5 Let γ = (s0 , m1 , c1 , s1 ), . . . , (sn−1 , mn , cn , sn ) be a computation as specified in Definition 2.4. Then the cost of γ is 1, if n = 0 and c1 ⊗ . . . ⊗ cn if n ≥ 1. So, the cost of a computation (a sequence of transitions) is computed using the “sequential multiplication” operator ⊗. Note that to compare the costs of different computations, the additive (selection) operation ⊕ can be used since it yields the least upper bound of the given values. “Concurrent multiplication” ȅ is used when Q-automata collaborate in a composite automaton (their product). This product automaton has as its Q-algebra the product of the Q-algebras of its components. Its state space is the Cartesian product of the state spaces of its components and its transitions are combinations of the components’ transitions, as defined below. In the formal definition of product automata, we use an auxiliary function sync, which in turn uses a relation ⇒ over pairs of multisets of actions such that the pair on the left equals the pair on right except one input on a name in one multiset and one output on the same name in the other multiset have been removed and a communication on that name has been added. Definition 2.6 Let A be a set of action names, Act be its associated set of actions as defined in Definition 2.3 and m1 and m2 be two multisets over Act. Then (m1 , m2 ) ⇒ (m′1 , m′2 ) if either there exists an a ∈ A such that: — m1 (a?) ≥ 1 and m2 (a!) ≥ 1 — m′1 (a) = m1 (a) + 1 and m′1 (a?) = m1 (a?) − 1, — m′2 (a!) = m2 (a!) − 1, 59


— and m′1 (b) = m1 (b) and m′2 (b) = m2 (b) for all other actions b ∈ Act. or if (m2 , m1 ) ⇒ (m′2 , m′1 ) as above. Let ⇒∗ be the reflexive, transitive closure of ⇒. Then sync(m1 , m2 ) = {m′1 + m′2 : for all m′1 , m′2 such that (m1 , m2 ) ⇒∗ (m′1 , m′2 )}. Thus sync(m, m′ ) is the set of all multisets that can be obtained by adding m and m′ with any possible combination of communications between them. Note that ⇒∗ in particular allows the multisets not to communicate at all. Definition 2.7 Let P1 = hS1 , t1 , A1 , R, T1 i and P2 = hS2 , t2 , A2 , R, T2 i be two Qautomata. Then their product, denoted by P1 ⊠ P2 , is the Q-automaton defined as P1 ⊠ P2 = hS, t, A, R, T i with — S = S1 × S2 , — t = (t1 , t2 ), — A = A1 ∪ A2 , — T = T1new ∪ T2new ∪ T joint where: •

T1new = {((s, t), m, c, (s′ , t)) : (s, m, c, s′ ) ∈ T1 and t ∈ S2 },

•

T2new = {((s, t), m, c, (s, t′ )) : s ∈ S1 and (t, m, c, t′ ) ∈ T2 }, and

•

T joint = {((s, t), m, c, (s′ , t′ )) : ∃(s, m1 , c1 , s′ ) ∈ T1 , (t, m2 , c2 , t′ ) ∈ T2 such that m ∈ sync(m1 , m2 ) and c = c1 ȅ c2 }.

In some cases we may want to impose a more restrictive model of communication on our automata, for instance we might want to require that only a single automaton can receive on a given channel or we might want to test our automata in the knowledge that no other automaton will ever be listening on some channel. We can do this by blocking all transitions that involve a given (internal, input, or output) action. Definition 2.8 Let P = hS, t, A, R, T i be a Q-automaton and let α ∈ AO ∪ AI ∪ Aτ be an action of P . Then P \α, the restriction of P with respect to α, is the Qautomaton hS, t, A, R, TP′ i with TP′ = {(s, m, c, s′ ) : (s, m, c, s′ ) ∈ TP and m(α) = 0}. We define P \ ∅ = P and P \ ({α} ∪ Y ) = (P \ α) \ Y .

3

Secret Values

3.1

Value Passing Q-automata

This subsection provides the additional machinery that we need to define and test secret values. We extend Q-automata to pass names from an ordered, finite data domain of values. We add a finite set of variables V and a finite domain of values D to the definition of Q-automata. Our definitions can naturally be extended to cover cases where different variables have separate, yet finite, data domains. However, to keep the presentation simple, we confine to the single value domain case in this paper. Below, we use x, y, . . . to refer to variables, d1 , d2 , . . . are elements of the data domain and n1 , n2 , . . . refer to either a variables or an element of the domain. Definition 3.1 An extended Q-automata is a structure Pe = hS, t, A, R, D, T i where: — S is a finite set of states, 60


— t ∈ S is its initial state, — A is a (finite) set of action names, — R = (C, ⊕, ⊗, ȅ, 0, 1) is a labelled QoS algebra with domain C of costs, — D a finite domain of data values, — and T ⊆ S × M(Act) × C × S is the set of transitions. The set of actions of P , written Act, contains four types of actions: Input on a name from a segment of the domain a?(x)[d1 , . . . , d2 ], output on a name a!(n1 ), internal action on a name a(n1 ), and conditionals on data values if (n1 = n2 ) as well as if (n1 6= n2 ). 1 The input action a?(x) “binds” the variable x. We say that a variable is “free” in a multiset of actions if it is used in an output or in a conditional but is not bound by an input. Furthermore, we say that a variable is free from a given state if there exists a trace, starting at that state, in which the variable appears free before it is bound. Below we define well-formed extended Q-automata. Definition 3.2 An extended Q-automata P is well-formed if •

None of the multisets of actions, on the transitions, bind the same variable more than once.

•

There are no free names from the start state.

From now on, we only consider well-formed extended Q-automata. We define the semantics of value passing automata by mapping them back into the non-value passing automata. We do this by mapping each combination of name and data value to a single name. For instance, the input action a?(x)[1,. . . ,4] would be mapped to four different input actions a 1?, · · · , a 4?, where each of these is a variable-free action in the basic system. To translate the “if ” condition, we test the values and if the condition holds then we replace it with an empty transition otherwise we remove it. We record the mappings from variables to values using a partial function σ : V → D. An action a?(x)[d1 , · · · , dn ] and a partial function σ are compatible if σ(x) ∈ {d1 , · · · , dn }, we write a σ(x)? for [a?(x)[d1 , · · · , dn ]]σ , when σ is compatible with the action. For example if σ = {(x, 4)}, then [a?(x)[1, · · · , 5]]σ is written as a 4?. We note that given a partial function σ that does not map x to a value, the smallest extensions of σ that are compatible with the action a?(x)[d1 , · · · , dn ] are σ ∪ {x 7→ d1 }, . . . , σ ∪ {x 7→ dn }. For output actions [a]σ is obtained by simultaneously substituting all variables for their values and forming the matching single output name. For instance, given a!(x) and σ = {(x, 3)}, we have [a!(x)]σ = a 3!. We extend these definitions to multisets of actions in a natural way. Note that the well-formedness conditions mean that there is no conflict between variable names. Definition 3.3 Given an extended Q-automaton Pe = hSe , te , Ae , Re , De , Te i we define its mapping to a basic Q-automata [[Pe ]] = hS, (te , ∅), Ae , Re , T i as follows: Each state in S is a pair (se , σ), where se ∈ Se and σ : V → D is a partial function 1

This can in principle be easily extended to any Boolean function as conditionals.

61


that assigns concrete values to members of V . We define S and T to be the smallest sets such that: •

(te , ∅) ∈ S

•

For all (s, σ) ∈ S and for all (s, m, c, s′ ) ∈ Te : · either there exists an “if” condition in m which is false using σ · or we remove the names bound by m from σ and define S to be the set of the smallest extensions of that substitution that are compatible with m, then for all σ ′ ∈ S: ((s, σ), [m]σ′ , c, (s′ , σ ′′ )) ∈ T

and

(s′ , σ ′′ ) ∈ S

where σ ′′ equals σ ′ with all names that are not free from state s′ removed. The removal of the names from σ ′ ensures that irrelevant extensions to the substitution mapping do not lead to more states than are necessary. A parameterised Q-automata Pe (x1 , . . . , xn ) is an extended Q-automata that has free variables in its computations, hence it is not well-formed. However, an instantiated Pe (x1 , . . . , xn ) with a mapping σ0 = {(x1 , d1 ), · · · , (xn , dn )} is wellformed and can be translated to a basic Q-automata [[Pe (d1 , . . . , dn )]] with starting the procedure introduced in Definition 3.3 with the initial state (t, σ0 ), instead of (t, ∅). 3.2

Hiding and Bisimulation

We do not want the attacker to be able to observe the internal actions of any automaton, therefore we define a hiding operator that removes the names from the internal actions but leaves the transition and its costs. Definition 3.4 Given a Q-automata P (~x) = hS, t, A, R, T i and a set of internal names I, the automata that results from hiding these names is P (~x){I} = hS, t, (A\I), R, T ′ i where: T ′ = {(s, m′ , c, s′ ) : (s, m, c, s′ ) ∈ T and for all a ∈ I. m′ (a) = m′ (a!) = m(a?) = 0 and m(b) = m′ (b) for all b 6= a } We define strong bisimulation for automata with costs as follows: Definition 3.5 We say two Q-automata P1 = hS1 , t1 , A1 , R1 , T1 i and P2 = hS2 , t2 , A2 , R2 , T2 i are bisimilar, denoted by P1 ∼ P2 , iff •

for all (t1 , m, c, s1 ) ∈ T1 , then there exists (t2 , m, c, s2 ) ∈ T2 such that hS1 , s1 , A1 , R1 , T1 i and hS2 , s2 , A2 , R2 , T2 i are bisimilar.

•

for all (t2 , m, c, s2 ) ∈ T2 , then there exists (t1 , m, c, s1 ) ∈ T1 such that hS2 , s2 , A2 , R2 , T2 i and hS1 , s1 , A1 , R1 , T1 i are bisimilar.

Two extended automata are bisimilar if their mappings into the basic automata are also bisimilar. We note that this definition requires the names and the costs on an action to match, therefore if two automata perform the same actions at different costs they are not bisimilar. 62


The equivalence used in the verification of secrecy models the observation power of the intruder. We use bisimulation to equate processes; this is in contrast to some previous work that used trace equivalence for secrecy, e.g. see [12]. While it is often possible, in an asynchronous setting, to implement processes in such a way that an intruder cannot tell the difference between two processes that are trace equivalent but not bisimilar, there also exist reasonable implementations in which the intruder can tell the difference. For instance, the two processes a.(b + c) and a.b + a.c are trace equivalent but not bisimilar. A reasonable implementation of these processes might use sockets for communication, in which case the first process would listen on port “a” for a message and then listen on ports “b” and “c” and accept only the first message that arrives. The second process could be implemented by either listening on port “a” and then port “b” or listening on port “a” and then port “c”. All an intruder has to do to tell these processes apart is to send on port “a” and then on port “b”. If the intruder can connect on port “b” they learn nothing, however if they find that port “b” is not open then they know that they are dealing with the second process. In this sense, using bisimulation rather than trace equivalence is a conservative decision; while it is possible for processes that are trace equivalent, but not bisimilar, to be safe, we cannot guarantee that they do not reveal information to the intruder. A second advantage of using bisimulation is that it can be much more efficient to check. The added restrictions on bisimilar processes mean that we can reject certain paths as not bisimilar long before we could detect that they are not trace equivalent. In the most extreme cases checking a particular pair of processes for trace equivalence can take exponential time while checking the same processes for bisimulation being linear time, e.g. see [16]. 3.3

Secrecy Degree

We say that a variable x in the automata P (x) is kept secret if for any two possible values d1 and d2 for x it holds that P (d1 ){I} is bisimilar to P (d2 ){I} where I is the set of the internal names. Different instantiations of an automaton are split into different equivalence classes whose members are all bisimilar. The Component Secrecy Degree measures the smallest of these classes. This represents the most that an attacker could deduce about the automata’s secret (input) based on its communication and resource usage. Below, ~z denotes a vector of z values. Definition 3.6 [Component Secrecy Degree] The component secrecy degree (csd) of an automata P (~z ) with respect to a set of internal names I is: csd = min | {d~2 : [[P (d~1 )]]{I} ∼ [[P (d~2 )]]{I} } | d~1

The best possible Component Secrecy Degree would be |D|n where n is the size of ~z and |D| is the size of the domain. So we will sometimes write the component secrecy degree as csd : |D|n . In the case that only one of our inputs needs to be kept secret we use Variable Secrecy Degree: 63


p1

p2

pn

p1

p2

..... P(p2)

P(p1)

....

pn

P(pn)

..... Fig. 1. Checking Secrecy Using State Space Reduction

Definition 3.7 [Variable Secrecy Degree] The variable secrecy degree (vsd) for the ith variable of automata P (~z ) with respect to a set of internal names I is: ~ vsd (i) = min | {di : ∃d1 , . . . , dn [[P (d1 , . . . , di , . . . , dn )]]{I} ∼ [[P (d)]]{I} }| d~

The Variable Secrecy Degree quantifies the secrecy of just one input value. The best possible Variable Secrecy Degree would be |D|. So we for the value secrecy degree will sometimes write vsd : |D|. Note that csd is in fact an upper bound on vsd values, i.e. ∀i. vsd (i) ≤ csd . This is because csd is the size of the smallest equivalence class whose members are indistinguishable for the attacker. Clearly, the number of different values that the ith variable may take in this class cannot be larger than the size of the class. We may use restriction to test conditions on automata. For instance if we have a booking agent component that may make purchases on our behalf, then we could check that it does not leak our credit card number without making a purchase by checking the variable secrecy degree for the credit card number in the automata restricted on the purchase action. We conjecture that the secrecy degrees are fully compositional properties, i.e. for any automata P (~x){I} and PA , the secrecy degrees of P (~x){I} × PA are not less than the corresponding secrecy degrees of P (~x). Similarly, the secrecy degrees of P (~x){I} \ Aα , where Aα denotes a set of restricted actions, is not less than those of P (~x){I}. This means that we can quickly build up quite complex models and check combinations of systems. We leave a formal treatment of this conjecture as future work.

4

Automatically Checking Secrecy in µCRL

Our definitions of secrecy require us to check bisimulations between every possible pair of automata inputs. Doing this by hand would not be easy, therefore we develop a tool to do this for us. The user specifies an extended Q-automata, the finite domain of its variables, and the names that need to be restricted and the internal names. Our scripts generate all possible basic Q-automata for all possible variable values, and also hide and restrict the names. We then test all the possible bisimulations in one go via “state space reduction modulo bisimulation”, see [7]. 64


We illustrate our method in Figure 1. We make use of this to test an automaton P (~x) by generating one large automaton that has one transition from the start state for each possible input value, and these transitions go to a sub automata that behave as P would on that input. More formally: Given an extended automata P (~x), a domain of variables {d1 , . . . , dn } and a set of internal names I, we generate all corresponding basic Q-automata for all possible inputs: [[P (d1 )]]{I} = hS1 , t1 , A1 , R, T1 i, · · · , [[P (dn )]]{I} = hSn , tn , An , R, Tn i. We then generate an automaton that branches to each of these automata from a start state: P = hS, t′ , A, R, T i where: •

S = S1 ∪ . . . ∪ Sn ∪ {t′ }

•

A = A1 ∪ . . . ∪ An ∪ {i : 1 ≤ i ≤ n}

•

T = T1 ∪ . . . ∪ Tn ∪ {(t′ , i, 1, ti ) : 1 ≤ i ≤ n}

This automaton is illustrated on the left of Figure 1. We perform state space reduction modulo bisimulation on this large automaton. 2 If a number of values the P (x) automata are bisimilar then the state space reduction will produce an automaton that takes the initial transition with the value labels to the same state. If the result is a system in which all of the initial transitions go to the same state, as illustrated on the right of Figure 1, we know that P (x) is bisimilar for all values of x, i.e. we have perfect secrecy. If the transitions go to a number of distinct states then the attacker can learn something about the input. We can measure how much the attacker learns using our secrecy degree, which we can read off from the simplified automaton. If we look at the set of labels on the transitions that go to the same state after simplification as equivalence classes then the component secrecy degree is the size of the smallest class. To find the variable secrecy degree it is necessary to look at each of the equivalence classes in turn and find the one that has the smallest number of possible values for the given variable. This smallest number of possible different values is the variable secrecy degree. 4.1

Example

We illustrate the details of our method with a simple example. Figure 2 shows an extended Q-automaton that two “choices” parameters (numbers between 1 and 3, which are different) and a credit card number parameter (either cc1 or cc2). It then inputs a number on the channel ch that represents what the environment is offering. If this number matches one of the two choices, the component reports the offer back to its owner on a private channel (this is an internal action) and if the owner confirms, it releases the credit card number. In order to automatically check our extended Q-automata we write them in Aldebaran like format: (0,"ch?(x)[1,2,3]",16,1) (1,"if (x=/=1stchoice)",-16,3) (3,"if (x=/=2ndchoice)",-8,4) (2,"offer",2,5) (6,"ch!",0,0) 2

(1,"if (x=1stchoice)",-16,2) (3,"if (x=2ndchoice)",-8,2) (4,"fail",0,0) (5,"comfirm",-2,6)

State space reduction modulo bisimulation reduces an automaton to a smaller automaton that is bisimilar.

65


Fig. 2. An Example Extended Q-Automaton

The first thing we can check is that the credit card number is kept secret unless the owner confirms its release. So we test the automata restricted on the confirm action hoping to find that the credit card number does not then affect the behaviour of the automaton. To test this secrecy we need to translate the restricted automata into a basic Q-automaton, this is done for the inputs cc1,1,2 in Figure 3. By replacing the multiset of actions with an ordered list of actions and appending the costs to this list we can write down these basic automata in the Aldebaran like format. For instance, the automata in Figure 3 would be written as: (0,"ch_1_16k?",1) (0,"ch_3_16k?",3) (2,"-8k",5) (4,"offer_2k",7) (6,"-8k",9) (9,"fail_0k",0)

(0,"ch_2_16k?",2) (1,"-16k",4) (3,"-8k",6) (5,"-8k",8) (8,"offer_2k",10)

We have written a Perl script that, given a value passing Q-automaton and information on the domains of its variables, generates the large automaton that includes all possible inputs, as described in Section 4, we then use µCRL toolset to perform state space reduction modulo strong bisimulation. Finally another script reads off our secrecy values by looking at all the transitions from the start state in the reduced version of the automaton. When analysing the example in Figure 2 we find that, as expected, the credit card value is kept secret (vsd(1) = 2 : 2) however we also find that the choices are not secret at all (vsd(2) = vsd(3) = 1 : 3). On closer inspection we can see that the first and second choices can be distinguished by the way in which memory is deallocated. If the environment provides the component’s first choice then the component will stop its search and deallocate 16k in one go, whereas if the environment offers the 2nd choice value then the component will deallocate 8k followed by another 8k. 66


[[ P(cc1,1,2) ]]/{comfirm}= {ch_1?} 16k

{ch_2?} 16k

{ch_3?} 16k

{} −16k

{} −8k

{} −8k

{offer } 2k

{} −8k

{} −8k

{fail} 0k

{offer } 2k

Fig. 3. An Basic Q-Automaton Example

Fig. 4. An Example Extended Q-Automaton That Hides the Choices

It is up to the user of our tools to decide if leaking information about a particular variable is a problem or not. In this case we may restore some secrecy to the choices by deallocating the memory in the same way for each choice, as done in Figure 4. For this automata our tools tell us that vsd(1) = 2 : 2, vsd(2) = 2 : 3 and vsd(3) = 2 : 3. While this is not perfect secrecy, these increased secrecy degrees show that the attacker cannot learn which value was the first choice and which was the second. 67


5

Conclusion

We have presented a method for automatically checking the secrecy of values inside components, even when the attacker can monitor resource usage. We base our framework on Q-automata and Q-algebras to provide a simple model of components and a wide range of possible costs. We use scripts and µCRL to automatically calculate our measures of secrecy degree from an automaton. This work forms part of the analysis methods developed within the Trust4All project. This is an ITEA project aimed at developing a programming environment for “trusted” components that will come with information on their resource usage. The methods and tools presented here will be used to check real components developed as part of this project. We are currently developing an Eclipse based graphical user interface to make building the automata models easier. Figures 2 and 4 are in fact screen shots of our editor. We will integrate our scripts for running µCRL and calculating the security values into this framework and make it publicly available. We are also interested in looking at more flexible ways of matching costed transitions. One possibility might be to use an approximate bisimulation to allow a margin of error when matching transitions. Another direction might be to define a bisimulation that allows a number of transitions in one system to be matched by another number of transitions in the other system. For instance, when modelling time we could allow two sequential five-second transitions to look the same as one ten-second transition. Acknowledgement We would like to thank Simona Orzan for useful discussion concerning checking security in µCRL and Stephanie Kemper for discussion concerning the automata model.

References [1] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994. [2] R. Alur, S. La Torre, and G.J. Pappas. Optimal paths in weighted timed automata. Theoretical Computer Science, 318(3):297–322, 2004. [3] G. Behrmann, A. Fehnker, T. Hune, K. G. Larsen, P. Pettersson, J. Romijn, and F.W. Vaandrager. Minimum-cost reachability for priced timed automata. In Proc. 4th Workshop on Hybrid Systems: Computation and Control, volume 2034 of LNCS, pages 147–161. Springer, 2001. [4] S. Bistarelli, U. Montanari, and F. Rossi. Semiring-based constraint satisfaction and optimization. Journal of the ACM, 44(2):201–236, 1997. [5] S. C. C. Blom, W. J. Fokkink, J. F. Groote, I. van Langevelde, B. Lisser, and J. C. van de Pol. µCRL: A toolset for analysing algebraic specifications. In Proc. 13th Conference on Computer Aided Verification, volume 2102 of LNCS, pages 250–254. Springer, 2001. [6] S. C. C. Blom and S. Orzan. A distributed algorithm for strong bisimulation reduction of state spaces. Software Tools for Technology Transfer, 7(1):74–86, 2005. [7] S. C. C. Blom and S. Orzan. Distributed state space minimization. Software Tools for Technology Transfer, 7(3):280–291, 2005. [8] P. Bouyer, T. Brihaye, and N. Markey. Improved undecidability results on weighted timed automata. Information Processing Letters, 98(5):188–194, 2006.

68

Chothia, Pang and Torabi Dashti [9] I. Cervesato. Towards a Notion of Quantitative Security Analysis. In Proc. 1st Workshop on Quality of Protection, pages 12–26, 2005. [10] T. Chothia and J. Kleijn. Q-automata: Modelling the resource usage of concurrent components. In Proc. 5th International Workshop on Foundations of Coordination Languages and Software Architectures, 2006. [11] T. Chothia, S. Orzan, J. Pang, and M. Torabi Dashti. A framework for automatically checking anonymity with µCRL. In Proc. 2nd Symposium on Trustworthy Global Computing, LNCS. Springer, 2006. [12] V. Cortier, M. Rusinowitch, and E. Zalinescu. Relating two standard notions of secrecy. In Proc. 20th Workshop on Computer Science Logic, volume 4207 of LNCS, pages 303–318. Springer, 2006. [13] R. De Nicola, G. Ferrari, U. Montanari, R. Pugliese, and E. Tuosto. A process calculus for QoS-aware applications. In Pro. 7th Conference on Coordination Models and Languages, volume 3454 of LNCS, pages 33–48. Springer, 2005. [14] S. Eilenberg. Automata, Languages, and Machines. Academic Press, 1976. [15] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proc. 16th Annual International Cryptology Conference, volume 1109 of LNCS, pages 104–113. Springer, 1996. [16] F. Laroussinie and P. Schnoebelen. The state explosion problem from trace to bisimulation equivalence. In Proc. 3rd Conference Foundations of Software Science and Computation Structures, volume 1784 of LNCS, pages 192–207. Springer, 2000. [17] C. Meadows. A cost-based framework for analysis of denial of service networks. Journal of Computer Security, 9(1/2):143–164, 2001. [18] T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5):541–552, 2002. [19] R. Milner. A Calculus of Communicating Systems, volume 92 of LNCS. Springer, 1980. [20] R. Milner. Communication and concurrency. Prentice-Hall, 1989. [21] N. R. Potlapally, A. Raghunathan, S. Ravi, N. K. Jha, and R. B. Lee. Satisfiability-based framework for enabling side-channel attacks on cryptographic software. In Proc. 8th Conference on Design, Automation and Test in Europe, pages 18–23. EDAA, 2006. [22] M. P. Sch¨ utzenberger. On the definition of a family of automata. Information and Control, 4(2-3):245– 270, 1961.

69


Co-Algebrai Models for Quantitative Spatial Logi s

Vin enzo Cian ia

2

1

Gian Luigi Ferrari

3

Dipartimento di Informati a Università di Pisa Italy

Abstra t We introdu e a lass of oalgebrai models and a family of modal logi s that support the spe i ation of spatial properties of distributed appli ations. The evaluation of a formula yields a value in a suitable multi-valued algebrai stru ture, giving a of the satisfa tion of a requirement, indu ed by the de omposition of a system into subsystems, meant as available . As semanti domain we onsider

ertain algebrai stru tures, alled -semirings, that allow us to generalize boolean logi s to the multivalued ase, while keeping a number of the axioms of boolean algebras. Under suitable onditions on the stru ture of -semirings, we show that, even if our logi al formalisms are equipped with spatial operators, the interpretation of formulas fully hara terizes bisimilarity.

measure

Keywords:

1

resour es

Modal Logi s, Spatial Logi s, Coalgebras, C-Semirings, Quality of Servi e

Introdu tion

The use of spatial logi s for pro ess al uli [6,8,9℄ is re eiving more and more attention in the last years, in order to reason about non-behavioral aspe ts of omputation, su h as the presen e of hidden resour es, or the de omposition of a system into parallel omponents. The main dieren e between spatial logi s and more traditional

observational

temporal logi s (see e.g. [21℄), is that the latter only allow

observations about the

behavior

of a system, whi h is onstituted by the visible

ee t of a tions that the system performs, and syn hronizations with the outside world. For this reason, temporal logi s are onsidered

extensional :

we do not need

to know how a system is made, in order to tell what properties it satises, but just to des ribe its intera tions with the operational environment. Spatial logi s, instead, are usually onsidered

intensional, be ause the meaning

of formulas is not ree ted

in the observational semanti s of programs. For example, a typi al spatial operator 1 Resear h partially supported by the EU, within the FETPI Global Computing, Proje t IST-2005-16004 Sensoria (Software Engineering for Servi e-Oriented Overlay Computers). 2 Email: ian iadi.unipi.it 3 Email:

giangidi.unipi.it


Ciancia and Ferrari is parallel de omposition, whi h is usually dened on the syntax of programs, rather than on the semanti model, be ause parallel omponents are usually forgotten in the semanti s. Being extensional is important for a logi , be ause relations like soundness and

ompleteness an be established between semanti equivalen e and logi al equivalen e.

On the other hand, spatial operators are of interest not only for the very

spe i purpose of dealing with distributed omputations, but in a more general sense to represent availability of arbitrary

resour es

in omputation: the fa t that a

system in a given state is de omposable in two parts, for example, an be interpreted as the fa t that it ontains two distin t resour es. In [7℄, the work on spatial logi s has inspired the development of a type system where it is possible to express resour e a

ess poli ies and ownership of resour es by exploiting forms of spatial operators. Re ently, some approa hes have addressed the denition on non-synta ti al models of spatial logi s. In [16℄ and [13℄, for example, spatial logi s have been interpreted over parti ular kinds of graph rewriting systems, rather than on the term language of a spe i pro ess al ulus. In [23℄, a non-synta ti al interpretation of parallel de omposition is given, by adding spatial information to the semanti s of the language: a oalgebrai model, alled

spatial transition systems

(STS), has been developed and

tested as a semanti model for a CCS-like pro ess al ulus. It has been shown that the STS semanti s is fully on urrent (for example, the pro esses

a.b + b.a

and

a|b

have dierent meanings). In STS, the semanti s of pro ess al uli is given by rea tion rules, making behavioral observations about isolated subsystems impossible. Formal approa hes to the usage and availability of resour es are hot topi s in

omputer s ien e (see [18,15,2℄ and the referen es therein).

To reason about re-

sour e usage, temporal logi s have been modeled on more general domains than the booleans, for example in the multi-valued temporal logi of [11℄, or in the quantitative

µ- al ulus

of [12℄. These logi s are usually equipped with some kind of metri s

in order to be able to ompare dierent systems with respe ts to

how mu h

they

satisfy ertain requirements. A logi for reasoning on quality of servi e measurement has been introdu ed by Llu h Lafuente and Montanari in [20℄. The evaluation of a logi al formula is a value of a suitable algebrai stru ture, namely a

ing

onstraint semir-

( -semiring), representing the measure of the servi e level of the formula and

not just a boolean value expressing whether or not the formula holds. C-semirings

onsist of a domain and two operations, alled

additive

and

multipli ative, satisfying

some properties. The basi idea is that the former is used to sele t among values and the latter to ombine values. C-semirings were originally proposed to des ribe and program onstraint solving problems [4℄. The aim of this work is to dene quantitative spatial logi s interpreted on multivalued algebrai stru tures, whose semanti s is extensional, i.e. dened on semanti s rather than on syntax of pro ess al uli. It is important to emphasize that the semanti models that we onsider do not ontain quantitative information, but rather this information is inferred from the part of the model that re ords resour e availability (e.g. spatial de omposition) at a given state. This formally denes quality of servi e as resour e availability, in a natural way. We hoose -semirings as the domain of satisfa tion values, in order to extend the approa h introdu ed in [20℄, whi h generalizes various kinds of quantitative model- he king. Finally, in order to get a 72

Ciancia and Ferrari standard notion of semanti equivalen e, namely

bisimilarity,

we use oalgebras to

dene our semanti models.

spatial labeled transition systems (SLTS), a spatial transition systems of [23℄, that extends

In se tion 3.1, we introdu e

oalgebras, reminis ent of

lass of labeled

transition systems with spatial de omposition. Then, in se tion 3.2, we introdu e a logi that is interpreted over SLTS, the

quantitative observational spatial µ- al ulus

(QOS-µ). The logi we obtain is sort of an hybrid between propositional modal logi s interpreted over Kripke stru tures, and Hennessy-Milner logi s, be ause we have both spatial formulas without labels, indu ing valuations about states, and temporal formulas with a tion-labeled modalities, allowing extensional reasoning about observable a tions of the system. Using the general framework of oalgebras for the denition of SLTS, we dene ost-optimizing morphisms between systems, thus formally hara terizing the notion of osts less than. In se tion 4, we dis uss the expressiveness of QOS-µ logi s, when varying the semiring used for the interpretation of formulas. Our main result is that for a ertain

lass of -semirings, also in luding innite domains, not only QOS-µ is de idable for nite SLTS, but also it hara terizes bisimilarity, i.e., semanti equivalen e. Moreover, due to the presen e of xed point operators, and the fa t that -semirings

an be innite, a single formula an be stri tly more expressive than any formula interpreted over the booleans (see remark 4.7). We foresee dierent lasses of appli ations, both in the area of optimization of on urrent systems and in

servi e-oriented omputing

be used as fully on urrent models for pro ess al uli. to evaluate osts of

exe ution plans,

[25℄.

Spatial models an

QOS-µ in this ase allows

distinguishing between parallel and sequential

exe ution of ertain operations. In se tion 5 we give an SLTS semanti s to pure CCS, and we show some examples of QOS-µ formulas. In servi e-oriented omputing, on the other hand, QOS-µ, being a behavioral quantitative logi , an be exploited to dene patterns for servi e dis overy with an emphasis on quality of servi e and resour e availability.

2

Ba kground

2.1 Coalgebras, Coalgebra Homomorphisms and Spatial Transition Systems Coalgebras are mathemati al models used to represent the behavior of systems, abstra ting from the parti ular stru ture used, and to dene in a very general way properties su h as bisimulation or minimization of systems. In this se tion we briey introdu e the main denitions of oalgebras in the ategory

Set,

assuming some basi knowledge of ategory theory. A detailed exposition

of the theory of oalgebras and oindu tion an be found in [19,26℄, whi h we use as a basis for our introdu tion. Hereafter, we will use the following notations: for the

π1 and π2 indi ate the rst and se ond proje tion, and hf, gi is the pairing of f and g ; to represent the oprodu t (disjoint union) of two sets A and B we will use the set ({0} × A) ∪ ({1} × B); the nite power set fun tor, sending ea h set in the set of its nite subsets, will be denoted with Pf in ; with f ; g , as usual

ategorial produ t,

in ategory theory, we denote reverse omposition of arrows, whi h in the ategory 73

Ciancia and Ferrari

Set

f; g = g ◦ f;

orresponds to fun tion omposition:

set with one element, whi h we write as

nally, we denote with

1

a

∗.

Denition 2.1 ( oalgebra) Given a fun tor F : Set → Set, a oalgebra for F , or F - oalgebra, is a pair hS, f i where S is a set, alled the arrier of the oalgebra, and f : S → F (S) is the operation of the oalgebra. The arrier an be often thought of as the set of states in a system, while the operation of the oalgebra gives observations about the next states, depending on the hosen fun tor. Consider for example the fun tor for

F

is made up of a set

S

and a fun tion from

S. L is

i.e., a transition system with states in

F (S) = Pf in (L × S) for in S and labels in L.

Denition 2.2

a set of labels

S

F (S) = Pf in (S).

A oalgebra

to the set of its nite subsets,

Similarly, a oalgebra for the fun tor a labeled transition system with states

( oalgebra homomorphism) A oalgebra homomorphism from an

F - oalgebra hS, f i m; f ′ = f ; F (m).

to an

F - oalgebra hS ′ , f ′ i

is a fun tion

m : S → S′

su h that

Intuitively, a oalgebra homomorphism is a fun tion that preserves and ree ts transitions. Now, we introdu e bisimulation and bisimilarity, usually hosen as the semanti equivalen e notion when the semanti s of a programming language is given using

oalgebras.

Denition 2.3 C = hS, f i S × S ′ over

( oalgebrai bisimulation and bisimilarity) Given two

and

C ′ = hS ′ , f ′ i

C

and

C′

F - oalgebras R ⊆

is a relation

F - oalgebra B , su h that π1 and π2 are oalgebra C ′ , respe tively. The greatest bisimulation is s is bisimilar to s′ , written s ∼ s′ , if the pairhs, s′ i

whi h there exists an

homomorphisms from

alled

a bisimulation between

bisimilarity.

B

to

C

We say that

and

is in the bisimilarity relation.

Denition 2.4

F - oalgebra C ′ to

(nal oalgebra) An

=

F - oalgebra C = hS, f i is nal if for any other C′

hS ′ , f ′ i there exists exa tly one oalgebra homomorphism from

C. The nal oalgebra, if it exists, is unique up to isomorphism. An important lass

of fun tors that have a nal oalgebra is given in the following theorem (see e.g. [26℄, also for the denition of polynomial fun tor):

Theorem 2.5 For all fun tors that an be built from polynomial fun tors and the nite power set fun tor, a nal oalgebra exists. In [23℄, oalgebras are used to dene

spatial transition systems

(STS), that we

extend in this work obtaining SLTS. A STS is made up of a set of states, and two fun tions that des ribe respe tively the temporal evolution of the system, and the possible parallel de ompositions, in a given state.

Denition 2.6

(spatial transition system) Given the fun tor

F (A) = Pf in (A) × (1 + Pf in (A × A)) 74

Ciancia and Ferrari a spatial transition system is a oalgebra for

F

over a set

S,

i.e., a pair

hS, f : S → F (S)i The set that

S

represents the set of states and subsystems of a given system. Noti e

f = hftr , fsp i, where ftr : S → Pf in (S) = f ; π1 represents the fsp : S → 1 + Pf in (S × S) = f ; π2 allows to observe

behavior of the

system and

its subsystems.

These are either the set of all alternative hoi es for its de omposition into two parts, or

1

(i.e. a set of only one element,

{∗}),

up of a single, unde omposable omponent.

fsp

respe tively be ause they represent the

meaning that the system is made

These two fun tions, named

transitions

ftr

of the system and its

and

spatial

de omposition, give rise to orthogonal observations about the spatial and temporal aspe ts of omputation.

2.2 C-Semirings and Quantitative Model-Che king − |= − over State × F ormula → {true, f alse}.

In boolean logi s, the satisfa tion relation is a binary predi ate

states

and formulas, i.e., a fun tion of signature

There

is no reason why in prin iple we ould not use a domain dierent than the booleans; in [20℄ su h a line of development is given, by dening modal logi s over a parti ular kind of domains alled

-semirings.

C-semirings [3℄ have been introdu ed as a formal building blo k to dene generalized onstraint solving problems [4℄, and have been exploited in the eld of optimization, quality of servi e analysis [17,24℄, and also for dening metri s in omplex domains su h as those used for spee h re ognition [22℄. We refer to [4℄ for the full denitions and a thorough explanation.

Denition 2.7

A -semiring is a tuple

•

A

•

⋒ : 2A → A Ai ⊆ A, i ≥ 0

•

⋓ : A×A → A element, and 0 is

is a set, with

Usually, as the

⋒

0

and

satises

1

elements of

hA, ⋒, ⋓, 0, 1i

where

A.

S ⋒{a} = a, ⋒∅ = 0, ⋒A = 1, ⋒( i Ai ) = ⋒{⋒Ai }

is ommutative, asso iative, distributive over

⋒; 1

for

is its unit

its absorbing element.

is alled the

multipli ative

additive

operation of the semiring, while

⋓

is referred to

sele tion of the

ombines several

operation. The additive operation models the

best alternative in a set of hoi es, while the multipli ative one

hoi es (and their osts/values).

A -semiring is

distributive

if the multipli ative

operation is idempotent; in this ase the additive operation distributes over the multipli ative one. The

b ⇔ a ⋒ b = b.

Being

and maximum

1;

⋒

⋒

operation indu es a relation

≤⊆ A × A,

dened as

a≤ 0

idempotent, this relation is a partial order with minimum

moreover,

⋒

and

⋓

are monotone over

≤.

The rst, and simpler, -semiring we onsider is the domain of booleans:

h{f alse, true}, ∨, ∧, f alse, truei.

Bool =

C-semirings also arise in the analysis of a

ess

rights for a given resour e [24℄. In this ase, an appropriate -semiring domain ould be

hP(S), ∪, ∩, ∅, Si,

where

S

is the set of all obje ts in the model.

Other examples in lude: 75

Ciancia and Ferrari •

hR+ , min, +, +∞, 0i,

modeling transmission osts, where the best hoi e is the

minimum ost, and the ombination of two operations yields the sum of the osts;

•

hR+ , max, min, 0, +∞i,

modeling bandwidth, in a situation where data size is

onstant, and if we do several transfers in parallel we have to wait for ea h one to

omplete;

•

h[0, 1] , max, ·, 0, 1i,

modeling probability of events.

C-semirings are losed under Cartesian produ t, fun tional domain and power domain onstru tions, allowing the theory to be applied to problems having more than one quantitative dimension to model, e.g., both bandwidth usage and probability of

ertain events.

3

Spatial Labeled Transition Systems and QOS-µ

3.1 Spatial Labeled Transition Systems We now introdu e the notion of

Denition 3.1

spatial labeled transition systems

(SLTS).

(spatial labeled transition system) A spatial labeled transition sys-

tem over a set of labels

L

is a oalgebra for the fun tor

FL (S) = Pf in (L × S) × (1 + Pf in (S × S)) Given a oalgebra

f : S → FL (S),

we represent with

ftr = f ; π1

fsp = f ; π2 ftr gives, for

and

the temporal and spatial transition stru tures of the system. Noti e that

ea h state, a set of pairs, onsisting of a label and a state. Hereafter, we abbreviate

ha, s1 i ∈ ftr (s)

with

a

s −→ s1 .

The intuition behind SLTS is that both the behavior (represented by labeled transitions) and the de omposition of a system an be observed. For instan e, if we

onsider a al ulus with a parallel omposition operator, we might have

P2 k P3 ) = h1, {hP1 , P 2 k P3 i , hP2 , P1 k P3 i , hP3 , P1 k P2 i}i.

fsp (P1 k

De omposition ould

be dened as well in a non-synta ti al way, using semanti information (e.g. pro ess being

a tive

or

a

ina tive ) similarly to what happens in the lo ation semanti s

of CCS [5℄. We emphasize that SLTS are

semanti

models, and that they have been intro-

du ed to give a resour e- ons ious semanti s to dierent formalisms, even if there is no quantitative data in the model itself: the subsystems of a system are the available resour es, and their availability determines quantities su h as osts, or quality of servi e, dire tly from the analysis of the semanti s of programs.

3.2 The Quantitative Spatial Logi QOS-µ In this se tion, we introdu e the

µ),

quantitative observational spatial µ- al ulus

(QOS-

a spatial logi with a tion-labeled temporal modalities whi h is able to express

behavioral properties of systems, and we establish a onne tion between oalgebra homomorphisms and ost optimization.

The syntax of the logi extends with

a tion-labeled modalities and spatial operators the logi in [20℄, whi h in turn is a 76

Ciancia and Ferrari generalization to -semirings of the fragment of the propositional negation. We x here a set

Denition 3.2 V ar ,

the set of

L

µ- al ulus without

of labels, whi h we use throughout the paper.

(QOS-µ syntax) Given a set of onstants

QOS-µ formulas

over

A

A

and a set of variables

is dened by the following syntax

4:

ΦA ::= k | ΦA ∨ ΦA | ΦA ∧ ΦA | hαi ΦA | [α] ΦA | | ΦA k ΦA | ΦA ≍ ΦA | V | µV.ΦA | νV.ΦA α ∈ L, k ∈ A, V ∈ V ar , usual rules of α- onversion.

ν

and are subje t

Now we give an intuition about the semanti s of onne tives.

The easy ones

where to the

are

k,

variables are bound by

µ

and

the onstant formula, and minimum and maximum xed points, allowing to

measure respe tively unbound and innite behaviors. Disjun tion hooses the best valuation out of two formulas, while onjun tion ombines the valuations. Diamond modality

hαi φ

sele ts the best valuation of

α,

transition labeled

ensuring that there is

φ

in the set of states rea hable by a

at least one

transition whose valuation is at most the obtained one, and box modality

ombines all those valuations, ensuring that

all

α [α] φ

state rea hable by an

rea hable states have at least the

stands for a lo al system, i.e. a system that φ1 k φ2 de omposes a system into its parallel

omponents, ombining the valuations of φ1 and φ2 on the omponents and sele ting obtained valuation. The operator

annot be de omposed.

Formula

the best result, thus ensuring that there is at least a de omposition giving a ertain

φ2 , while φ1 ≍ φ2 is its dual. T C S A The semanti s JφKΓ : A of a formula φ ∈ Φ , given using an SLTS

valuation of

φ1

and

T ∈ FL (S) C = hA, ⋒, ⋓, 0, 1i, and the environment Γ : V ar → AS , is a valuation in AS , giving the value of φ, for ea h state in S , as an element of A. In the following, T and C will be freely omitted when lear from the

ontext, and Γ will be omitted when it is ∅. for some set of states

Denition 3.3

S,

the -semiring

(QOS-µ semanti s)

JkKΓ (s)

=k

JV KΓ

= Γ(V )

J KΓ (s)

= local(s)

JµV.φKΓ

= f ix λX.JφKΓ[X /V ]

Jφ1 k φ2 KΓ (s) = par (s, φ1 , φ2 , Γ)

JνV.φKΓ

= F ix λX.JφKΓ[X /V ]

Jφ1 ≍ φ2 KΓ (s) = P ar (s, φ1 , φ2 , Γ)

Jhαi φKΓ (s) =

Jφ1 ∨ φ2 KΓ (s) = Jφ1 KΓ (s) ⋒ Jφ2 KΓ (s) J[α] φKΓ (s) =

⋒

JφKΓ (si )

{hx,si i∈ftr (s)|x=α}

⋓

JφKΓ (si )

{hx,si i∈ftr (s)|x=α}

Jφ1 ∧ φ2 KΓ (s) = Jφ1 KΓ (s) ⋓ Jφ2 KΓ (s) where

f ix

and

F ix

are the least and greatest xed point operators, and

4 Hereafter, we overload the notation

ΦA

to denote both the syntax, and the set of all formulas over

77

A.

Ciancia and Ferrari

local(s) =

par (s, φ1 , φ2 , Γ) =

P ar (s, φ1 , φ2 , Γ) =

In the denitions for

 

⋒ hs′ ,s′′ i∈P

( 1 0

if

fsp (s) = h0, ∗i

otherwise

(Jφ1 KΓ (s′ ) ⋓ Jφ2 KΓ (s′′ ))

if

0  

fsp (s) = h1, P i

otherwise

⋓ hs′ ,s′′ i∈P

(Jφ1 KΓ (s′ ) ⋒ Jφ2 KΓ (s′′ ))

if

1

fsp (s) = h1, P i

otherwise

[α] φ and φ1 ≍ φ2 , there is a slight abuse of notation be ause

the multipli ative operation of the -semiring, whi h is binary, is applied to a nite set. However this operation is ommutative and asso iative, thus it an be easily extended to nite sets. We an now state our rst result: if there is a oalgebra homomorphism from a system over

b

a to another system b, then b osts less

than

a:

the valuation of any formula

is less or equal than the valuation of the same formula over

this has parti ular relevan e for the nal oalgebra, whi h is the

a.

Noti e that

minimal

system in

terms of QOS-µ valuations.

Theorem 3.4 Given two SLTS hS, f i and hS ′ , f ′ i, if there is a oalgebra homomor-

phism m : S ′ → S su h that m(s′ ) = s for s ∈ S and s′ ∈ S ′ , then for every QOS-µ formula φ over A, and appropriate -semiring stru ture for the valuation of φ, we have JφK(s) ≤ JφK(s′).

Proof

(sket h) We pro eed by indu tion on the stru ture of the formula, and by

m su h that m(s′ ) = ea h si s. We only show here the ase for hαi φ. By denitionD of homomorphism, E ′ ′ ′ α, sj ∈ ftr (s ), so we an su h that hα, si i ∈ ftr (s) is equal to m(sj ) for some

oindu tion on the two oalgebras, assuming a homomorphism

s′j for ea h si , all it m ¯ −1 (si ). We have ftr (s′ ) = K ∪ K ′ , where

K ⊆ ftr (s′ ), K ′ = α, m ¯ −1 (si ) | si ∈ ftr (s) , K ∩ K ′ = ∅. We now prove that Jhαi φK(s) ⋒ Jhαi φK(s′ ) = Jhαi φK(s′ ):

hoose one su h

Jhαi φK(s) ⋒ Jhαi φK(s′ ) = ⋒{hx,si i∈ftr (s)|x=α} JφK (si ) ⋒ ⋒{hx,s′ i∈ftr (s′ )|x=α} JφK s′j j = ⋒{hx,si i∈ftr (s)|x=α} JφK (si ) ⋒ ⋒{hx,si i∈ftr (s)|x=α} JφK m ¯ −1 (si ) ⋒ ⋒ ⋒{hx,s′ i∈K|x=α}JφK s′j j

= {properties

of

⋒}

⋒{hx,si i∈ftr (s)|x=α} JφK(si ) ⋒ JφK(m ¯ −1 (si )) ⋒ ⋒{hx,s′ i∈K|x=α}JφK s′j j

78

Ciancia and Ferrari

=

JφK(si ) ⋒ JφK(m ¯ −1 (si )) = JφK(m ¯ −1 (si )) ⋒{hx,si i∈ftr (s)|x=α} JφK(m ¯ −1 (si )) ⋒ ⋒{hx,s′ i∈K|x=α}JφK s′j

by oindu tive hypothesis,

j

= ⋒{hx,s′ i∈ftr (s′ )|x=α} JφK(s′j ) j = Jhαi φK(s′ )

2

Remark 3.5

QOS-µ does not in lude a negation operator, sin e -semirings usu-

ally do not have omplementation. However, ertain lasses of -semirings admit a

omplementation operator, and in that ase we an introdu e negation in the logi (see also [20℄ on the subje t), thus obtaining pairs of operators from ea h other by De Morgan duality (for example, obtaining

φ1 ≍ φ2

as

¬(¬φ1 k ¬φ2 ).

It should

be noti ed that there are interesting ases where omplementation an't be dened, like

hR+ , max, min, 0, +∞i,

hen e in this work we only deal with the more general

ase.

4

Expressiveness of QOS-µ

In this se tion we show that QOS-µ hara terizes bisimilarity (the so- alled

adequa y

property) when interpreted over a distributive -semiring, and that logi equivalen e is stri tly ner than bisimulation for non-distributive -semirings.

Moreover, we

state that non-boolean (e.g. innite) -semirings give to the logi a stri tly higher expressive power than the booleans. The rst result is omposed by three parts: (i) we show that bisimilarity implies logi al equivalen e (ii) we prove adequa y in the boolean ase (iii) we show that logi al equivalen e over any distributive -semiring implies logi al equivalen e over the booleans, thus on luding the proof.

Theorem 4.1 Given a distributive -semiring of an SLTS, we have

C = hA, ⋒, ⋓, 0, 1i, s and s′ states

s ∼ s′ ⇒ ∀φ ∈ ΦA .JφKC (s) = JφKC (s′ )

Proof

(sket h) Assuming that

s ∼ s′

we an pro eed by indu tion on the stru ture

of the formula. One interesting ase is

[α] φ1 ,

sin e it involves the use of distribu-

tivity. By denition we have:

J[α] φ1 K(s) = J[α] φ1 K(s′ ) ⇔ ⋓{hx,si i∈ftr (s)|x=α} Jφ1 KΓ (s) = ⋓{hα,s′ i∈ftr (s′ )} Jφ1 KΓ (s′ ) j

si there is an sj su h that si ∼ sj , and thus, by Jφ1 K(si ) = Jφ1 K(sj ). Thus, for ea h value k = Jφ1 K(si ) for hα, si i ∈ ftr (s), there is at least an hα, sj i ∈ ftr (s′ ) su h that k = Jφ1 K(sj ), and possibly more than one. This also holds in the opposite dire tion, so there is su h an si for ea h sj . Now, by bisimilarity, for ea h

oindu tion,

79

Ciancia and Ferrari Sin e in a distributive -semiring the

⋓

operation is idempotent, the above equation

is satised.

Remark 4.2

2 If the -semiring is not distributive, this result does not hold. Consider

{s1 , . . . , s5 } su h that ftr (s1 ) = {hα, s2 i}, and s1 and s3 are bisimilar, but the formula [a] k k su h that k ⋓ k 6= k, whi h ne essarily exists if C

for example an SLTS with states

ftr (s3 ) = {hα, s4 i , hα, s5 i}.

States

distinguishes them, if we hoose is not distributive.

Now we show that, when interpreted over the booleans, QOS-µ hara terizes bisimilarity.

Theorem 4.3 For s and s′ states of an SLTS, it holds that (∀φ ∈ Φ{true,f alse} .JφKBool (s) = JφKBool (s′ )) ⇔ s ∼ s′

Proof

(sket h) The

⇐ part

is a dire t onsequen e of theorem 4.1, but also similar

⇒ part, R(s, s′ ) = ∀φ ∈ Φ{true,f alse} .JφKBool (s) = JφKBool (s′ )

to standard results in modal logi s for labeled transition systems. For the one an show that the relation

is a bisimulation. For the temporal part of any SLTS, whi h is indeed a LTS, and the temporal fragment of QOS-µ, the result is well-known. Proofs for many modal

R(s, s′ ) and a ′ ′ ′ ′ −→ si su h that R(s1 , si ), then for every s −→ si there exists φi 6= Jφi K(s′i ). Then JφK(s) 6= JφK(s′ ), where φ = hai ∧i φi , and this

logi s an be done following the ones in [21℄. For example, suppose that

a

s −→

s1 , but ¬∃s′

su h that

Jφi K(s1 )

a

is a ontradi tion. For the spatial omponent, the proof an be done following the same pattern.

2

The last theorem needed to establish our result is that logi al equivalen e for formulas interpreted over a (distributive or not) -semiring alen e for formulas interpreted over

Theorem 4.4 For have:

C

implies logi al equiv-

Bool.

C = hA, ⋒, ⋓, 0, 1i -semiring, and s, s′ states of an SLTS, we

(∀φ ∈ ΦA .JφKC (s) = JφKC (s′ )) ⇒ (∀φ ∈ Φ{true,f alse} .JφKBool (s) = JφKBool (s′ ))

Proof

(sket h) The stru ture

all onstants from

A

C ′ = h{0, 1}, ⋒, ⋓, 0, 1i, obtained from C by removing

ex ept from the top and bottom element, is indeed a well

dened -semiring, isomorphi to the boolean one and respe ting the same axioms. So, given any formula in

Φ{0,1}

interpreted over

C ′,

we an ast the same formula

{true,f alse} , with an isomorphi interpretation; due to logi al equivalen e over into Φ C , we also have logi al equivalen e over C ′ and thus over Bool. 2 Now we are able to state the main theorem of this paper, en ompassing all the results of this se tion:

Theorem 4.5 QOS-µ interpreted over any non distributive -semiring is stri tly

ner than QOS-µ interpreted over a distributive -semiring. Moreover, QOS-µ interpreted over a distributive -semiring hara terizes bisimilarity. 80

Ciancia and Ferrari

Proof

We rst prove adequa y, i.e. for C = hA, ⋒, ⋓, 0, 1i distributive -semiring, s ∼ s′ ⇐⇒ ∀φ ∈ ΦA .JφKC (s) = JφKC (s′ ). A C The ⇒ part is given by theorem 4.1. Now suppose that ∀φ ∈ Φ .JφK (s) = JφKC (s′ ), then by theorem 4.4 we have ∀φ ∈ Φ{true,f alse} .JφKBool (s) = JφKBool (s′ ), ′ and by theorem 4.3 we get s ∼ s , on luding the adequa y proof. By remark 4.2, it follows that QOS-µ interpreted over non-distributive -semirings is ner than QOS-µ interpreted over distributive -semirings. 2

Remark 4.6

Regarding de idability of the model- he king problem, in [20℄ it is

stated that the fragment without fun tion symbols of the -semiring

µ- al ulus

de-

ned there is de idable (for nite models) when using distributive -semirings. This result an be asted in our framework, even in the ase of QOS-µ, when interpreted over distributive -semirings.

Remark 4.7

It is well-known that formulas in multi-valued logi s over nite latti es

an be he ked using boolean formulas whi h express

uts

on the state-transition

graph of the system [14℄. C-semirings, however, an be innite, thus this te hnique

annot be used; for ertain xed-points formulas of QOS-µ, indeed, we get a stri tly higher expressiveness than using nite latti es, sin e the equivalen e lasses indu ed by these formulas are innite (with just a single formula, we an separate the set of all systems into innite subsets).

5

Appli ations

5.1 SLTS Semanti s for Pro ess Cal uli In this se tion, as a ase study, we introdu e a SLTS semanti s for pure CCS. This semanti s is inspired both by the STS semanti s of [23℄ and by the lo ation semanti s of [5℄. A ommon riti ism of spatial logi s is that the indu ed equivalen e, in many

ases, is too intensional, and oin ides with stru tural equivalen e.

The spatial

semanti s we introdu e here, being not purely synta ti al, but rather behavioral, does not oin ide with stru tural equivalen e, yet it allows to he k properties related to the parallel omposition of pro esses. In the following we assume an enumerable set

Act

of a tions, and use the notation

Denition 5.1

Act = {¯ x | x ∈ Act}.

The syntax of CCS pro esses is given as follows

P ::= P k P |

X

→ αi .Pi | (νl)P | R(− x)

i∈I

→ αi ∈ L = {τ }∪ Act ∪Act, τ ∈ / Act∪Act, I is a nite set, l ∈ Act, − x ∈ Act∗ , − → and for ea h pro ess identier R there is a dening equation R( x ) = PR , where ea h pro ess identier in PR is in the s ope of an a tion α (guarded re ursion). where

0, name l in (νl)P is bound in P and f n(P ) is the set of free names in the labels

The sum over an empty set is written subje t to the rules of

α- onversion,

and

of a pro ess. 81

Ciancia and Ferrari

Denition 5.2 en e

0

≡

(Stru tural ongruen e) Stru tural ongruen e is the least ongru-

satisfying ommutativity, asso iativity and identity law of

as the unit element), the laws of

α- onversion

and

k

for the restri tion operator

and the axioms:

(with

(νl)P ,

α∈ / f n(P );

•

(να)(P k Q) ≡ P k (να)Q

•

(να)0 ≡ 0, (να)(νβ)P ≡ (νβ)(να)P .

if

P

We now give the SLTS semanti s of the al ulus.

Denition 5.3

(SLTS semanti s of CCS) The temporal transition fun tion

ftr

is

dened by the following rules:

α

P −→ P ′ α

α

α.P −→ P

(νl)P −→ (νl)P

α

α

P −→ P ′

α 6= l, ¯l

Q −→ Q′ τ

P + Q −→ P ′

P k Q −→ P ′ k Q′

α

P ≡ P′

P −→ P ′ α

α

P ′ −→ Q′

Q′ ≡ Q

α

P k Q −→ P ′ k Q i h→ − α ′ − P k /→ x −→ P − → if A( x ) = P − → α ′ A( k ) −→ P

P −→ Q

The spatial de omposition fun tion

fsp (P ) =

if

α ¯

P −→ P ′

α

′

( h0, ∗i

fsp if

h1, dec(P )i

is dened as:

reactive(P ) ∧ dec(P ) = ∅

otherwise

where

τ

τ

α

reactive(P ) = ∃n ≥ 0.P −→ . . . −→ Pn −→ P ′ ∧ α 6= τ n o dec(P ) = hP1 , P2 i P ≡ P1 k P2 , reactive(P1 ), reactive(P2 )

This denition, dierently from the one in [23℄, allows us to observe the parallel de omposition of a pro ess only if the involved subpro esses are

rea tive,

i.e. they

an syn hronize with other pro esses at some point (similarly to the lo ation semanti s of CCS [5℄). The obtained SLTS bisimulation obviously ontains ordinary CCS bisimulation, and it is oarser than stru tural ongruen e: onsider the pro esses

(νx) (x.0 k x ¯.0) k (νy) (y.0 k y¯.0) k a

and

(νx) (x.x.0 k x ¯.¯ x.0) k a.

These two

pro esses are SLTS and CCS bisimilar, but not stru turally ongruent.

5.2 Examples of QOS-µ usage We provide two examples of QOS-µ usage.

hLi φ , ∨α∈L hαi φ,

where

L

We adopt the following shorthand:

is a nite subset of 82

L.

Ciancia and Ferrari

Example 5.4

(lower bound of resour e availability) Consider

{τ } ∪ Act ∪ Act,

and the -semiring

Act = {a, b, c}, L =

Copt = hR, min, +, +∞, 0i.

The formula

φ1 = µX. ((hai 1 ∨ [a]+∞) ∧ ) ∨ (X k X)

ounts the number of parallel pro esses that an do the a tion

a in a given state.

Now onsider the formula

φ2 = hbi µX. (φ1 ∨ (hLi X)) this formula measures the minimum available quantity of a ertain kind of resour e (modeled by a pro ess that an do

a),

after the o

urren e of event

b.

This

kind of formula an be ompared, in the setting of multi-valued logi s, to the issues dealt with when onsidering the

measure

history dependent a

ess ontrol poli ies [1℄.

In our ase,

of resour e usage poli ies depends on the past history of exe ution, as

it is the ase for the

Example 5.5

validity

of poli ies in history dependent a

ess ontrol.

(dierent ost of parallel and sequential exe ution) Consider the fol-

lowing two pro ess denitions:

P1 = R k R k R P2 = S k S k S PR = a.R + b.R + c.R PS = a.0 + b.0 + c.0 The pro ess identiers

R

and

S

represent a basi resour e that is employed to

implement servi es oered by system

P1

and

P2 ,

respe tively, and whose minimum

availability during a servi e invo ation is used to determine the spe i ost that the lient has to pay. Let us onsider the two formulas

φ3

and

φ4

interpreted over the -semiring

Copt :

φ3 = φ1 k ( ∧ hbi 0) k ( ∧ hci 0) and

φ4 = (φ1 k ( ∧ hbi 0)) ∨ hbi (φ1 k ( ∧ hci 0)) In both ases, the formulas ount how many parallel pro esses in the urrent state are enabled to do

a,

using

φ1 .

The number of pro esses that an do

a

is the

number of available resour es, and if put in parallel with other formulas, it gives a measure of the Formulas

φ3

φ3

and

remaining

φ4

resour es, when some of them are used by a lient.

are exe ution plans to run the a tions

b

and

we onsider the parallel exe ution of both a tions, while in

sequential exe ution of

b

and

c,

c on the server. In φ4 we onsider the

thus we have to measure the available resour es in

both states rea hed. Applying both formulas, we an he k whether in a given state it osts less to exe ute while

b

Jφ4 K(P1 ) = 2, so if φ3 . On the

use the plan

and

c

sequentially or in parallel. We have

P1 , it osts less, for the lient, to Jφ3 K(P2 ) = Jφ4 K(P2 ) = 1, thus the

the system is in state other hand, we have 83

Jφ3 K(P1 ) = 1,

Ciancia and Ferrari

ost of the two plans is the same. The intuition behind this phenomenon is that in

P2

resour es get onsumed, so it is important to a quire them as soon as possible.

More omplex systems and plans ould as well make the parallel exe ution of two tasks less resour e- onsuming than their exe ution in sequen e.

6

Con luding Remarks

We have introdu ed a family of extensional spatial logi s for a lass of models whi h have labeled transitions, thus allowing behavioral observations.

These logi s are

generalized over -semirings, and if the -semirings used for the interpretation are distributive, they are de idable over nite models and adequate with respe ts to bisimilarity. Using these logi s, quantitative analysis of systems an be performed in a generalized way. Future developments are manifold. The SLTS semanti s for CCS given in se tion 5 does not de ompose pro esses under the s ope of a restri tion. This is a limit of our semanti s, when omparing it to lo ation semanti s. Further study is required to see if it is possible to obtain a SLTS semanti s equivalent to the lo ation one. Spatial semanti s of al uli like the

π - al ulus

or the ambient al ulus should be

given using SLTS, and we should investigate what relation is indu ed on pro esses from bisimulation in the model.

servi e-oriented omputing [25℄: quality of servi e requirements, and also as the basis for the implementation of semanti servi e dis overy, where a lient and a server establish a ontra t by dening respe tively a Other appli ations of interest are in the area of

a formal, semanti notion of quality measurement an be used for

minimum level of quality of servi e, and a maximum level of resour e usage, in an heterogeneous situation where many dierent programming languages are used for the implementation of servi es, and thus semanti models must be used. The quantitative, resour e ons ious nature of QOS-µ ensures to be able to model real-world situations in whi h resour es are limited, and there is a maximum number of lients that an simultaneously a

ess ea h servi e. An open question is if there are lasses of non-distributive -semirings for whi h de idability over nite models holds, while work is being done on oalgebrai models where the interpretation of QOS-µ using non-distributive -semirings hara terizes bisimilarity. Finally, sin e spatial logi s have been used as the basis of query languages for semistru tured data [10℄, appli ations of quantitative analysis, using QOS-µ, to this domain, ould be worth further resear h.

A knowledgement The authors wish to thank Alberto Llu h-Lafuente for helpful omments.

Referen es A

ess ontrol based on exe ution history., in: Pro eedings of the Network and Distributed System Se urity Symposium, NDSS 2003, San Diego, California, USA (2003).

[1℄ Abadi, M. and C. Fournet,

84

Ciancia and Ferrari

Types and ee ts for se ure servi e or hestration, in: CSFW '06: Pro eedings of the 19th IEEE Workshop on Computer Se urity Foundations (2006), pp.

[2℄ Bartoletti, M., P. Degano and G. L. Ferrari, 5769.

[3℄ Bistarelli, S., Semirings for Soft Constraint Solving and Programming, Le ture Notes in Computer S ien e , Springer, 2004.

2962

[4℄ Bistarelli, S., U. Montanari and F. Rossi, Journal of the ACM

44 (1997),

Semiring-based onstraint satisfa tion and optimization,

pp. 201236.

[5℄ Boudol, G., I. Castellani, M. Hennessy and A. Kiehn,

114 (1993),

pp. 3161.

Observing lo alities, Theoreti al Computer S ien e

Behavioral and spatial properties in a logi for the pi- al ulus, in: I. Walukiwi z, editor, Pro . of Foundations of Software S ien e and Computation Stru tures'2004 (FOSSACS), number 2987 in

[6℄ Caires, L.,

Le ture Notes in Computer S ien e (2004), pp. 7289.

Spatial-behavioral types for distributed servi es and resour es, in: Pro eedings of the 2nd International Symposium on Trustworthy Global Computing (TGC06), to appear, 2006.

[7℄ Caires, L.,

A Spatial Logi for Con urren y (Part I),

[8℄ Caires, L. and L. Cardelli,

186 (2003),

pp. 194235.

[9℄ Caires, L. and L. Cardelli, (2004), pp. 517565. [10℄ Cardelli, L. and G. Ghelli, (2004).

A Spatial Logi for Con urren y (Part II), Theoreti al Computer S ien e 3 TQL: a query language for semistru tured data based on the ambient logi .

[11℄ Che hik, M., B. Devereux, S. Easterbrook and A. Gurnkel, ACM Trans. Softw. Eng. Methodol. [12℄ de Alfaro, L., 126.

12 (2003),

pp. 371408.

Multi-valued symboli model- he king,

Quantitative veri ation and ontrol via the mu- al ulus., in: CONCUR, 2003, pp. 102

[13℄ Ferrari, G. and A. Llu h-Lafuente, (2006), pp. 143160.

Amadio and D. Lugiez, editors, 277. [15℄ Hennessy, M. and J. Riely, (2002), pp. 82120.

A logi for graphs with qos., Ele tr. Notes Theor. Comput. S i. 142

Multi-valued model he king via lassi al model he king., in: R. M. CONCUR, Le ture Notes in Computer S ien e 2761 (2003), pp. 263

[14℄ Gurnkel, A. and M. Che hik,

Resour e a

ess ontrol in systems of mobile agents,

[16℄ Hirs h, D., A. Llu h-Lafuente and E. Tuosto, Comput. S i.

Information and Computation

153 (2006),

pp. 135159.

A logi for appli ation level qos.,

Inf. Comput.

173

Ele tr. Notes Theor.

SHReQ: Coordinating Appli ation Level QoS, in: SEFM '05: Pro eedings of the Third IEEE International Conferen e on Software Engineering and Formal Methods (2005), pp.

[17℄ Hirs h, D. and E. Tuosto, 425434.

[18℄ Igarashi, A. and N. Kobayashi, , 2002, pp. 331342.

Languages

[19℄ Ja obs, B. and J. Rutten,

Resour e usage analysis, in: Symposium on Prin iples of Programming

A tutorial on ( o)algebras and ( o)indu tion,

Asso iation for Theoreti al Computer S ien e [20℄ Lafuente, A. and U. Montanari,

62 (1997),

Quantitative mu- al ulus and CTL dened over onstraint semirings,

Ele troni Notes on Theoreti al Computing Systems QAPL [21℄ Milner, R., J. Parrow and D. Walker,

114 (1993),

pp. 149171.

[22℄ Mohri, M. and M. Riley,

Bulletin of the European

pp. 222259.

112 (2005),

pp. 130.

Modal logi s for mobile pro esses, Theoreti al Computer S ien e

A weight pushing algorithm for large vo abulary spee h re ognition, in European

Conf. on Spee h Communi ation and Te hnology, Aalborg, Denmark (2001).

A noninterleaving model of on urren y based on transition systems with spatial stru ture., Ele tr. Notes Theor. Comput. S i. 106 (2004), pp. 261277.

[23℄ Monteiro, L.,

A Pro ess Cal ulus for QoSCOORDINATION [25℄ Papazoglou, M. P. and D. Georgakopoulos, Spe ial issue on servi e oriented omputing, Commun. ACM

[24℄ Ni ola, R. D., G. L. Ferrari, U. Montanari, R. Pugliese and E. Tuosto, , in: , 2005, pp. 3348.

Aware Appli ations.

46 (2003).

[26℄ Rutten, J. J. M. M., (2000), pp. 380.

Universal oalgebra: a theory of systems, 85

Theoreti al Computer S ien e

249


Probabilistic Barbed Congruence Yuxin Denga,b , Wenjie Duc a b

Shanghai Jiao Tong University, China

The University of New South Wales, Australia [email protected] c Shanghai Normal University, China [email protected]

Abstract This paper defines a probabilistic barbed congruence which turns out to coincide with observational equivalence in a probabilistic extension of CCS. Based on this coincidence result, we provide a sound and complete axiomatisation for the barbed congruence in a finite fragment of probabilistic CCS. Keywords: Probabilistic process calculus, Barbed congruence, Observational equivalence, Axiomatisation.

1

Introduction

Nowadays process algebras have become an important model to reason about concurrent computations. To describe the operational behaviour of a process, one can usually define two types of semantics: The transition semantics is given by defining appropriate equivalences (e.g. observational equivalence) based on a labelled transition system, while the reduction semantics is given by defining appropriate equivalences (e.g. barbed bisimulation) based on an unlabelled transition system. Reduction semantics is simpler but in some cases more enlightening than transition semantics, especially when one wants to compare two calculi which syntactically may be quite far from each other. Barbed bisimulation [14] was proposed by Milner and Sangiorgi as a tool to describe uniformly bisimulation-based equivalences which can be used in many different calculi. The idea is to equip a global observer with a minimal ability to observe actions and process states. However, barbed bisimulation is a very weak relation and it often fails to be a congruence. An easy way of inducing a congruence from barbed bisimulation is to require two processes to be barbed bisimilar under all contexts. The congruence thus obtained is called barbed congruence, which has the disadvantage of being difficult to use because of the quantification over all contexts. Sangiorgi has shown in [15, Theorem 3.3.2] that weak bisimulation coincides with barbed congruence in a variant of CCS [13] with a guarded sum. This charThis is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

Deng and Du

acterisation result is significant because it allows us to use the coinductive proof technique offered by weak bisimulation to establish the equivalence of two processes under barbed congruence, and we do not need to consider all contexts any more. In this paper we extend Sangiorgi’s result to the probabilistic setting. More precisely, we define observational equivalence and barbed congruence in a probabilistic extension of Milner’s CCS, then we show that the two equivalences coincide in this probabilistic CCS. In addition, we provide a sound and complete axiomatisation for observational equivalence in a finite fragment of the probabilistic CCS. Thanks to the above coincidence result, the axiomatisation is also sound and complete for barbed congruence. Observational equivalence was already studied in various probabilistic process algebras [6,7,8]. However, the definitions of observational equivalence in [6,7,8] require a notion of combined weak transitions [17], which are formed by linear combinations of our familiar basic weak transitions. In this paper, we adopt the notion of weak transitions defined in [9], which is obtained by lifting a relation between states and distributions of states to one between distributions and distributions. Since the weak transitions of [9] have a built-in linear combination, it turns out to be equivalent to the combined weak transitions of [17]. However, the former is cleaner and more elegant than the latter because it constructs weak transitions from strong transitions simply by inserting some invisible transitions, as in the nonprobabilistic setting [13]. We no longer have to define complicated weak transition rules as in [6,7,8]. Although it is easy to show that observational equivalence is included in barbed congruence, the opposite inclusion is nontrivial. We need to build a class of contexts powerful enough to guarantee that barbed bisimulation on these contexts implies observational equivalence. The proof schema is similar to that in [15], but our construction of contexts is somewhat simpler though we are in the probabilistic setting. The completeness proof of our axiomatisation uses the same idea as the related proof in [7]: we exploit a Promotion Lemma (Lemma 5.6) as our stepping stone to show that the axiomatisation is complete w.r.t. observational equivalence (Theorem 5.7). Although more operators such as parallel composition are considered in this paper than in [6,7], they are not difficult to deal with in axiomatisation. For example, we use a probabilistic version of the expansion law to eliminate all occurrences of parallel composition. There is a lot of other related work about axiomatisations of probabilistic equivalences [10,4,2,18,1,3]. However, most of them is about axiomatizing probabilistic strong bisimilarity, so the interesting and subtle issue about weak transitions does not arise. Amongst those work about weak equivalences (e.g. branching bisimulation), to the best of our knowledge, none of them deals with barbed congruence. The rest of the paper is structured as follows. In Section 2, we present the syntax and operational semantics of a probabilistic version of CCS. Next, we define observational equivalence and show that it is a congruence in Section 3. We define barbed congruence and prove its coincidence with observational equivalence in Section 4. We provide a sound and complete axiomatisation in Section 5, restricted to a finite fragment of our calculus. Finally, we conclude in Section 6. 88

Deng and Du

2

Probabilistic CCS

In this section we give a probabilistic extension of CCS [13] that allows for nondeterministic and probabilistic choice. It is similar to the calculi studied in [5,11]. We assume a countable set of atomic actions, A = {a, b, ...}. Given a special action τ not in A, we let u, v, ... range over the set of actions, Act = A ∪ A ∪ {τ }, where A = {¯ a | a ∈ A}. The class of processes P is defined by the following syntax:

P ::= u.

M

pi Pi

i∈I

|

X

Pi

|

P1 | P2

|

P \A

|

P [f ]

|

Chxi

i∈I

L where A ⊆ A and f : Act → Act is a renaming function. Here i∈I pi Pi stands for a probabilistic choice operator, where the pi ’s represent positive probabilities, i.e., they P satisfy pi ∈ (0, 1] and i∈I pi = 1. Sometimes we are interested in certain branches L of the probabilistic choice; in this case we write i∈1..n pi Pi as p1 P1 ⊕ ... ⊕ pn Pn L L or ( i∈1..(n−1) pi Pi ) ⊕ pn Pn where i∈1..(n−1) pi Pi abbreviates (with a slight abuse P of notation) p1 P1 ⊕ ... ⊕ pn−1 Pn−1 . The second construction i∈I Pi stands for a P nondeterministic choice, and occasionally we may write i∈1..m Pi as P1 + ... + Pm . When m = 0 we abbreviate the nondeterministic choice as 0; when m = 1 we abbreviate it as P1 . We also abbreviate u.0 as u. We use | to denote the usual parallel composition. The restriction and renaming operators are as in CCS: P \A behaves like P as long as P does not perform an action a ∈ A; P [f ] behaves like P where each action a ∈ Act is replaced by f (a). A constant C has a definition def

C = (x)P , where x ∈ A and P ∈ P. The intuition is that Chyi behaves as P with y replacing x. Before giving the operational semantics of processes we need to introduce some notation about probability distributions. A (discrete) probability distribution over P a set S is a mapping ∆ : S → [0, 1] with i∈I pi = 1. The support of ∆ is given by ⌈∆⌉ := { s ∈ S | ∆(s) > 0 }. Let D(S), ranged over by ∆, Θ, Φ, denote the collection of all such distributions over S. We use s to denote the point distribution assigning probability 1 to state s and 0 to all others, so that ⌈s⌉ = {s}. If pi ≥ 0 P and ∆i is a distribution for each i in some finite index set I, then i∈I pi · ∆i is a distribution given by

(1)

X ( pi · ∆i )(s) i∈I

=

X

pi · ∆i (s)

i∈I

P where i∈I pi = 1. We will sometimes write it as p1 · ∆1 + . . . + pn · ∆n when the index set I is {1, . . . , n}. Some operations on processes can be extended to distributions of processes straightforwardly. Let ∆1 , ∆2 be two distributions on processes. We define ∆1 | ∆2 , 89

Deng and Du

u.

L

u

i∈I

pi Pi −→ ∆ where ∆(P ) =

P {pi | i ∈ I, Pi = P }

u

Pi −→ ∆

for some i ∈ I

u

i∈I Pi −→ ∆

P

u

P1 −→ ∆1

u

P2 −→ ∆2

u

P1 | P2 −→ P1 | ∆2

u

P1 | P2 −→ ∆1 | P2 a ¯

a

P1 −→ ∆1

a ¯

P2 −→ ∆2 τ

u

P1 | P2 −→ ∆1 | ∆2 v

P −→ ∆1

u 6∈ A ∪ A u

def

f (v) = u

u

P \A −→ ∆1 \A C = (x)P

P2 −→ ∆2 τ

P1 | P2 −→ ∆1 | ∆2 P −→ ∆1

a

P1 −→ ∆1

P [f ] −→ ∆1 [f ] u

P {y/x} −→ ∆ u

Chyi −→ ∆ Table 1 Operational semantics

∆1 \A and ∆1 [f ] as the following distributions.   ∆1 (P1 ) · ∆2 (P2 ) def (∆1 | ∆2 )(P ) =  0   ∆1 (P ′ ) def (∆1 \A)(P ) =  0

  ∆1 (P ′ ) def (∆1 [f ])(P ) =  0

if P = P1 | P2 otherwise

if P = P ′ \A otherwise if P = P ′ [f ] otherwise

The operational semantics of a process P is defined as a simple probabilistic automaton [16] whose states are the processes reachable from P and the transition u relation is defined by the rules in Table 1, where P −→ ∆ describes a transition that, by performing an action u, leaves from P and leads to a distribution ∆ ∈ D(P). The meaning of the rules should be self-explanatory. The presence of both probabilistic and non-deterministic choice in the probabilistic CCS allows us to specify systems that have both probabilistic and nondeterministic behaviour.

3

Observational equivalence

In the probabilistic setting, the definitions of bisimulation-like equivalences are somewhat complicated by the fact that transitions go from processes to distributions 90

Deng and Du

(see e.g. [12]). So we need to generalise relations between processes to relations between distributions. Inspired by [9], we develop the mathematical machinery below for doing this. Let R ⊆ P × P be a relation from processes to processes. We lift it to a relation R ⊆ D(P) × D(P) by letting ∆ R Θ whenever P P (i) ∆ = i∈I pi · Pi , where I is a finite index set and i∈I pi = 1

(ii) For each i ∈ I there is a process Qi such that Pi RQi P (iii) Θ = i∈I pi · Qi .

P An important point here is that in the decomposition (i) of ∆ into i∈I pi · Pi , the processes Pi are not necessarily distinct: that is, the decomposition is not in general unique. The lifting construction satisfies the following useful properties. Lemma 3.1

(i) If R1 ⊆ R2 then R1 ⊆ R2

(ii) If R is a transitive relation, then so is R.

2

The following proposition is inherited from Proposition 6.1 of [9]. P Proposition 3.2 Suppose R ⊆ P × P and i∈I pi = 1. Then we have P P (i) Θi R ∆i implies ( i∈I pi · Θi ) R ( i∈I pi · ∆i ). P P (ii) If ( i∈I pi · Θi ) R ∆ then ∆ = i∈I pi · ∆i for some set of distributions ∆i such that Θi R ∆i . 2 τˆ

u ˆ

τ

u

We write P −→ ∆ if either P −→ ∆ or ∆ = P . We write P −→ ∆ for P −→ ∆ if u 6= τ . To define weak transitions we need to consider sequences of transitions, so we generalise transitions in such a way that they go from distributions to distributions. u ˆ Let ∆ −→ Θ whenever P P (i) ∆ = i∈I pi · Pi , where I is a finite index set and i∈I pi = 1 u ˆ

(ii) For each i ∈ I there is a distribution Θi such that Pi −→ Θi P (iii) Θ = i∈I pi · Θi .

Weak transitions are defined in the standard manner except that they now apply τˆ τ to distributions, and −→ is used instead of −→. This reflects the intuition that if a distribution may perform a sequence of invisible moves before or after executing a visible action, different parts of the distribution may perform different numbers of internal actions. τˆ

τˆ

•

Let ∆1 =⇒ ∆2 whenever ∆1 (−→)∗ ∆2 .

•

Let ∆1 =⇒ ∆2 denote ∆1 =⇒ −→ =⇒ ∆2 .

τˆ

u

u

τˆ

u ˆ

u

If u 6= τ we also write ∆1 =⇒ ∆2 for ∆1 =⇒ ∆2 . Definition 3.3 An equivalence relation R ⊆ P × P is a (weak) bisimulation if u

u ˆ

P R Q and P −→ ∆ implies Q =⇒ Θ such that ∆ R Θ. Two processes P and Q are bisimilar, written P ≈w Q, if there exists a bisimulation R s.t. P R Q. 91

Deng and Du

To see that ≈w is the biggest bisimulation, we need to establish some properties of bisimulations. P u ˆ Lemma 3.4 Suppose i∈I pi = 1 and ∆i =⇒ Φi for each i ∈ I, with I a finite P index set. (Recall that i∈I pi · ∆i is only defined for finite I.) Then X

u ˆ

X

pi · ∆i =⇒

i∈I

pi · Φ i

i∈I

2 u

Lemma 3.5 Let R be a bisimulation. Suppose ∆ R Φ and ∆ −→ ∆′ . Then u ˆ Φ =⇒ Φ′ for some Φ′ such that ∆′ R Φ′ . Proof. First ∆ R Φ means that X (2) ∆= pi · Pi ,

Pi R Ri ,

Φ=

also ∆ −→

∆′

(3)

p i · Ri ;

i∈I

i∈I

u

X

means ∆=

X

u

q j · Qj ,

∆′ =

Qj −→ Θj ,

j∈J

X

q j · Θj ,

j∈J

and we can assume w.l.o.g. that all the coefficients pi , qj are non-zero. Now define Ij = { i ∈ I | Pi = Qj } and Ji = { j ∈ J | Qj = Pi }, so that trivially (4)

{(i, j) | i ∈ I, j ∈ Ji }

{(i, j) | j ∈ J, i ∈ Ij }

=

and note that (5)

∆(Pi ) =

X

qj

and

∆(Qj ) =

j∈Ji

X

pi

i∈Ij

Because of (5) we have Φ=

P

i∈I

p i · Ri =

P

=

P

i∈I

i∈I

qj j∈Ji ∆(Pi ) · pi ·qj j∈Ji ∆(Pi ) · Ri

pi · P

P

Ri

Now for each j in Ji we know that in fact Qj = Pi , and so from the middle parts of u ˆ

(2) and (3) we obtain Ri =⇒ Φ′ij such that Θj R Φ′ij . Lemma 3.4 yields P P u ˆ pi ·qj Φ =⇒ Φ′ = i∈I j∈Ji ∆(P · Φ′ij i)

where within the summations Pi = Qj , so that, using (4), Φ′ can also be written as X X pi · q j · Φ′ij ∆(Qj )

(6)

j∈J i∈Ij

∆′

Φ′ ,

Below we show that R which we do by manipulating ∆′ so that it takes on a form similar to that in (6): P ∆′ = j∈J qj · Θj P P pi = j∈J qj · i∈Ij ∆(Q · Θj using (5) again j) P P pi ·qj · Θj = j∈J i∈Ij ∆(Q j) 92

Deng and Du

Comparing this with (6) above we see that the required result, ∆′ R Φ′ , follows 2 from an application of Proposition 3.2(i). u ˆ

Lemma 3.6 Let R be a bisimulation. Suppose ∆ R Φ and ∆ =⇒ ∆′ . Then u ˆ Φ =⇒ Φ′ for some Φ′ such that ∆′ R Φ′ . Proof. First we consider two claims τˆ

τˆ

τˆ

τˆ

(i) If ∆ R Φ and ∆ −→ ∆′ , then Φ =⇒ Φ′ for some Φ′ such that ∆ R Φ′ (ii) If ∆ R Φ and ∆ =⇒ ∆′ , then Φ =⇒ Φ′ for some Φ′ such that ∆′ R Φ′ . The proof of claim (i) is similar to that of Lemma 3.5. Claim (ii) follows from claim τˆ

(i) by induction on the length of the derivation of =⇒. By combining claim (ii) with Lemma 3.5, we obtain the required result. 2 S Lemma 3.7 Let R = i { Ri | Ri is a bisimulation }. Then the equivalence closure of R, written R∗ , is a bisimulation. Proof. If P R∗ Q then there exists some bisimulations R0 , ..., Rn−1 and some processes P0 , ..., Pn such that P = P0 , Q = Pn , and for all i with 0 ≤ i < n, we have u ˆ u Pi Ri Pi+1 . If P −→ ∆0 then there exist ∆′1 such that P1 =⇒ ∆′1 with ∆0 R0 ∆′1 . u ˆ

For all i with 1 ≤ i < n, by Lemma 3.6 there exist ∆′i+1 such that Pi+1 =⇒ ∆′i+1 2 with ∆′i Ri ∆′i+1 . By Lemma 3.1 it holds that ∆0 R∗ ∆′n . Because of the above lemma, we can equivalently express ≈w as R∗ , which is the biggest bisimulation. As usual, observational equivalence is defined in terms of ≈w . Definition 3.8 Two processes P, Q are observationally equivalent, written P ≃w Q, if u

u

u

u

(i) whenever P −→ ∆, there exists Θ s.t. Q =⇒ Θ and ∆ ≈w Θ (ii) whenever Q −→ Θ, there exists ∆ s.t. P =⇒ ∆ and ∆ ≈w Θ. The following lemma can be used to show that ≃w is indeed an equivalence relation. τ

τ

τˆ

Lemma 3.9 If ∆ =⇒ ∆′ then there exists ∆′′ such that ∆ −→ ∆′′ =⇒ ∆′ . Proof. Let ⌈∆⌉ = {Pi }i∈I for some index set I and ∆(Pi ) = pi for each i ∈ I. We first consider the special case that τˆ

τ

τˆ

∆ −→ Θ −→ Θ′ =⇒ ∆′ τ

with ∆ 6= Θ and ∆ 6−→ Θ. By definition there exists Θi for each i ∈ I such that P τˆ Pi −→ Θi and Θ = i∈I pi · Θi . More precisely, there is a partition of I into two sets I1 , I2 such that τ

∀i ∈ I1 : Pi −→ Θi and ∀i ∈ I2 : Θi = Pi . P P That is, Θ = i∈I1 pi · Θi + i∈I2 pi · Pi . By Proposition 3.2 (ii), we know from P P τ Θ −→ Θ′ that Θ′ = i∈I1 pi · Θ′i + i∈I2 pi · Θ′i and (7)

(8)

τ

τ

∀i ∈ I1 : Θi −→ Θ′i and ∀i ∈ I2 : Θi −→ Θ′i 93

Deng and Du

for some Θ′i (i ∈ I). It follows from (7) and (8) that P τ P ∆ −→ i∈I1 pi · Θi + i∈I2 pi · Θ′i P τˆ P −→ i∈I1 pi · Θ′i + i∈I2 pi · Θ′i = Θ′ τˆ

=⇒ ∆′ For the general case that τˆ

τˆ

τ

∆ =⇒ Θ −→ Θ′ =⇒ ∆′ τˆ

τ

we prove by induction that ∆ −→ ∆′′ =⇒ ∆′ for some ∆′′ , using the result for the above special case. 2 Proposition 3.10 ≃w is an equivalence relation. Proof. Reflexivity and symmetry are immediate. Using Lemmas 3.9 and 3.6, transitivity is easy to show. 2 In Proposition 3.12 we show that the probabilistic CCS operators are compositional for ≃w , i.e. ≃w is a congruence. The following lemma gathers some facts we need in the proof of this proposition. Their proofs are straightforward. Lemma 3.11

u

u

(i) If P =⇒ ∆ then P + Q =⇒ ∆.

u ˆ

u ˆ

u ˆ

(ii) If ∆1 =⇒ ∆′1 then ∆1 | ∆2 =⇒ ∆′1 | ∆2 and ∆2 | ∆1 =⇒ ∆2 | ∆′1 . a ¯

a

τ

(iii) If ∆1 −→ ∆′1 and ∆2 −→ ∆′2 then ∆1 | ∆2 −→ ∆′1 | ∆′2 . f (u)

u

(iv) If P =⇒ ∆ then P [f ] =⇒ ∆[f ]. u

u

(v) If P =⇒ ∆ and u 6∈ A ∪ A then P \A =⇒ ∆\A.

2

Proposition 3.12 Suppose Pi ≃w Qi for i ∈ I. Then P P (i) u. i∈I pi Pi ≃w u. i∈I pi Qi (ii) P1 + P2 ≃w Q1 + Q2

(iii) P1 | P2 ≃w Q1 | Q2 (iv) P1 \A ≃w Q1 \A (v) P1 [f ] ≃w Q1 [f ] Proof. We consider the third item, which is the hardest. We construct the relation R ⊆ P × P as follows: def

R = {(P1 | P2 , Q1 | Q2 ) | P1 ≈w Q1 and P2 ≈w Q2 }. We show that R is a bisimulation. There are four cases to consider. u

(i) Suppose P1 ≈w Q1 , P2 ≈w Q2 and P1 | P2 −→ ∆1 | P2 because of the transition u ˆ

u

P1 −→ ∆1 . Then Q1 =⇒ Θ1 for some Θ1 with ∆1 ≈w Θ1 . By Lemma 3.11 we u ˆ have Q1 | Q2 =⇒ Θ1 | Q2 and also (∆1 | P2 ) R (Θ1 | Q2 ). τ

a

(ii) Suppose P1 | P2 −→ ∆1 | ∆2 because of the transitions P1 −→ ∆1 and a ¯

τˆ

a

τˆ

P2 −→ ∆2 . Then we have Q1 =⇒ Θ′1 −→ Θ′′1 =⇒ Θ1 for some Θ1 , Θ′1 , Θ′′1 with 94

Deng and Du τˆ

τˆ

a ¯

∆1 ≈w Θ1 , and Q2 =⇒ Θ′2 −→ Θ′′2 =⇒ Θ2 for some Θ2 , Θ′2 , Θ′′2 with ∆2 ≈w Θ2 . τˆ

τ

τˆ

By Lemma 3.11 we have Q1 | Q2 =⇒ Θ′1 | Θ′2 −→ Θ′′1 | Θ′′2 =⇒ Θ1 | Θ2 and (∆1 | ∆2 ) R (Θ1 | Θ2 ). (iii) The symmetric cases of (i) and (ii) can be similarly analysed. So we have checked that R is a bisimulation. Now suppose P1 ≃w Q1 and P2 ≃w Q2 . It is immediate that (P1 | P2 ) R (Q1 | Q2 ), thus (P1 | P2 ) ≈w (Q1 | Q2 ). Moreover, by using arguments similar to the above analysis, it can be shown that τ

τ

(i) if P1 | P2 −→ ∆ then Q1 | Q2 =⇒ Θ for some Θ such that ∆ R Θ τ

τ

(ii) if Q1 | Q2 −→ Θ then P1 | P2 =⇒ ∆ for some ∆ such that ∆ R Θ. Therefore, it holds that P1 | P2 ≃w Q1 | Q2 .

4

2

Barbed congruence

In this section, although we define barbed congruence in the probabilistic CCS, the definition can be given in any probabilistic process calculus that possesses a reduction relation and a predicate ↓a detecting the possibility of performing an action along channel a. a We write P ↓a if P −→ ∆ for some ∆, and ∆ ↓a if P ↓a for all P ∈ ⌈∆⌉. We τˆ

write P ⇓a if P =⇒ ∆ for some ∆ s.t. ∆ ↓a ; similar for ∆ ⇓a . The negation of P ↓a is P 6↓a ; similar for the meaning of ∆ 6⇓a . Definition 4.1 An equivalence relation R ⊆ P × P is a barbed bisimulation if P R Q implies: τ

τˆ

(i) whenever P −→ ∆ then Q =⇒ Θ and ∆ R Θ (ii) for each atomic action a, if P ↓a then Q ⇓a . Two processes P and Q are barbed-bisimilar, written P ≈b Q, if P R Q for some barbed bisimulation R. The following property is fundamental. Lemma 4.2 Let R be a barbed bisimulation. If ∆ R Φ and ∆ ⇓a then we have Φ ⇓a . 2 Barbed bisimilarity is too weak to be a congruence, but it induces a congruence relation by quantifying over all contexts. As usual, a context is a process expression with a hole in it. Given a context C[·] and a process P , we write C[P ] to denote the process obtained by filling in the hole of C[·] with P . Definition 4.3 Two processes P and Q are barbed-congruent, denoted by P ≃b Q, if for each context C[·], it holds that C[P ] ≈b C[Q]. We now characterize barbed congruence as observational equivalence. The proof schema of this characterisation is similar to that in [15], namely, to construct contexts with sufficient distinguishing power so that two processes barbed-bisimilar under these contexts must be able to strictly mimic each other’s moves in the manner of observationally equivalent processes. It is interesting to see that our construction 95

Deng and Du

of the contexts does not involve probabilistic choice operator, and it is somewhat simpler than the construction in [15], though we are dealing with probabilistic processes. Theorem 4.4 ≃b and ≃w coincide. Proof. The inclusion ≃w ⊆ ≃b is immediate. For the opposite direction, we need to build a class of contexts Cxt powerful enough to guarantee that barbed bisimulation on these contexts implies observational equivalence, i.e. prove that R = {(P, Q) | for some C[·] ∈ Cxt : C[P ] ≈b C[Q]} is an observational equivalence. As in [15], we use H to represent a set of pairs of action names, and let Hi denote the projection of H on the i-th component of the pairs, for i = 1, 2. We require that H1 ∩ H2 = ∅ and there is a bijective function from H1 × N to H2 that maps a pair (a, n) ∈ H1 × N to a name an ∈ H2 . Let {in , on , cn | n ∈ N} be a set of names disjoint from names in H. We define the processes P def Vn = (H)( a∈H1 a ¯.((an + in ) | an .Vn+1 hHi) P + a∈H1 a.((an + on ) | an .Vn+1 hHi) + cn ) and the relation def

R1 = {(P, Q) | n, H exist s.t. act(P ) ∪ act(Q) ⊆ H1 and (P | Vn hHi) ≈b (Q | Vn hHi)} where act(P ) collects the set of action names appearing in P . For simplicity, in the sequel we omit the parameter H and write Vn for Vn hHi. We now prove that R1 is a weak bisimulation. It is straightforward that R1 is an equivalence relation. So let’s see how two processes related by R1 can match u each other’s transitions. Suppose P R1 Q and P −→ ∆, we need to find some Θ s.t. u ˆ

(9)

Q =⇒ Θ and ∆R1 Θ.

We consider the case when u is an input, say u = a. The cases when u is an output can be similarly analyzed; and the case when u is τ is simpler. Process P | Vn has the following transitions: τ

def

τ

def

P | Vn −→ ∆ | (an + in ) | an .Vn+1 = Φ1 −→ ∆ | Vn+1

= Φ2

Since P | Vn ≈b Q | Vn , there exist distributions Γ1 , Γ2 s.t. τˆ

Q | Vn =⇒ Γ1 ≈b Φ1 τˆ

=⇒ Γ2 ≈b Φ2 We shall see that Γ′i s structure, i = 1, 2, strictly mirrors Φ′i s. •

Γ1 : Since (Q | Vn ) ⇓cn and Φ1 6⇓cn , process Vn has to perform some action in Q | τˆ

Vn =⇒ Γ1 so as to ensure Γ1 ≈b Φ1 . However, Vn cannot perform more than one 96

Deng and Du

actions because Φ1 ⇓in . Therefore Γ1 must be of the form Θ1 | (u′n + in ) | u′n .Vn+1 u′

u′

for some u′ and Θ1 s.t. Q =⇒ Θ1 and Vn −→ (u′n + in ) | u′n .Vn+1 . Since Φ1 ⇓an and Γ1 must be able to do the same, we deduce that u′n = an , thus u′ = a, i.e. Γ1 = Θ1 | (an + in ) | an .Vn+1 . So the structure of Γ1 is very similar to that of Φ1 . •

Γ2 : Since Γ1 ⇓an and Φ2 6⇓an , there must be an interaction between an + in and an .Vn+1 so as to ensure Γ2 ≈b Φ2 . However, an .Vn+1 cannot perform more than one actions because Φ2 ⇓cn+1 . Therefore it must be the case that Γ2 = Θ2 | Vn+1 τˆ

for some Θ2 s.t. Θ1 =⇒ Θ2 . Now we can observe that Γ2 ’s structure strictly mirrors Φ2 ’s. a

Combining the above steps gives Q =⇒ Θ2 . Moreover, we have ∆ R1 Θ2 because def ∆ | Vn+1 = Φ2 ≈b Γ2 = Θ2 | Vn+1 . Hence, for Θ = Θ2 , the requirements in (9) are met, this completes the proof that R1 is a weak bisimulation. We now define the relation R = {(P, Q) | P + w ≈b Q + w and P R1 Q} where w does not appear in P, Q. If P RQ then P ≈w Q since R1 is a weak τ τ bisimulation. Suppose P −→ ∆, then P + w −→ ∆. Since P + w ≈b Q + w, then τˆ there is some Θ such that Q + w =⇒ Θ and ∆ ≈b Θ. It is obvious that ∆ 6⇓w , so Θ 6⇓w , which means that Q + w must be able to make some τ move and discard the τ summand w. In other words, Q + w =⇒ Θ for some Θ with ∆ ≈b Θ. This can only τ τ happen if Q =⇒ Θ. Symmetrically, if Q −→ Θ, we can show that there is some ∆ τ 2 such that P =⇒ ∆ and ∆ ≈b Θ. Therefore, it holds that P ≃w Q.

5

Axiomatisation for finite processes

In this section we restrict ourselves to a finite fragment of our calculus, using all operators in Section 2 except for constants. We present the axiom system A for ≃w , which includes all axioms and rules displayed in Table 2, together with the usual rules for equality (reflexivity, symmetry, transitivity and substitutivity). Remark 5.1 In fact, A is obtained from the axiom system Ao in [8] by dropping all axioms about recursion and adding R1-2, N1-2, the axioms about restriction and renaming operators; for a detailed account of other axioms, the reader is refered to [8], where an observational equivalence (≃) was defined and completely axiomatized by Ao . As we shall see later, ≃w is completely axiomatized by A. It follows that, although formulated in different ways, ≃ and ≃w coincide, at least for finite processes without restriction and renaming operators. The notation A ⊢ P = Q means that the equation P = Q is derivable by applying the axioms and rules from A. The soundness of the axioms displayed in Table 2, and therefore of A, is easy to be verified. Theorem 5.2 (Soundness) If A ⊢ P = Q then P ≃w Q. The remainder of the section is devoted to proving the completeness of A. 97

2

Deng and Du

Definition 5.3 We say that P is in normal form if P is of the form X M ui . pij Pij i

j

where each Pij is also in normal form. Lemma 5.4 For each process P , there is some P ′ in normal form, such that A ⊢ P = P ′. Proof. The proof is carried out by induction on the structure of P . By using axioms R1-2, N1-2 and E, we can eliminate all occurrences of restriction, renaming and parallel composition operators. 2 u

Lemma 5.5 (Saturation) If P is in normal form and P =⇒ ∆ with ⌈∆⌉ = L {Pi }i∈i and ∆(Pi ) = pi then A ⊢ P = P + u. i pi Pi . Proof. By transition induction. We heavily rely on the probabilistic τ -laws T1-3 and the axiom C. 2 The proof of completeness is established by induction on the depth, d(P ), of a normal form P . Its depth is defined as: d(0) = 0 d(u.

i pi Pi ) = 1 + max{Pi }i P d( i Pi ) = max{d(Pi )}

L

As in [7], we prove a Promotion Lemma and use it as a stepping stone to establish the completeness of A. Lemma 5.6 (Promotion) If P ≈w Q then A ⊢ τ.P = τ.Q. Proof. We assume that P and Q are in normal form, in view of Lemma 5.4. The proof is by induction on d = d(P ) + d(Q). We consider the nontrivial case that d > 0. L u Let u. j∈J rj Rj be any summand of P . Then we have P −→ ∆, with ∆ = P u ˆ j∈J rj · Rj . Since P ≈w Q, there exists Θ such that Q =⇒ Θ and ∆ ≈w Θ. Hence, (10)

∆=

X

pi · Pi ,

Pi ≈w Qi ,

i∈I

Θ=

X

p i · Qi .

i∈I

It follows from induction hypothesis that A ⊢ τ.Pi = τ.Qi . So we can use T3 L L L L to derive that A ⊢ u. i pi Pi = u. i pi τ.Pi = u. i pi τ.Qi = u. i pi Qi . Since P L P i∈I pi · Pi , it follows from S5 that A ⊢ u. j∈J rj Rj = j∈J rj · Rj = ∆ = L u u. i pi Pi . Now observe that τ.Q =⇒ Θ, we know from Lemma 5.5 that A ⊢ τ.Q = L L τ.Q + u. i∈I pi Qi = τ.Q + u. j∈J rj Rj . In summary A ⊢ τ.Q = τ.Q + P . Symmetrically A ⊢ τ.P = τ.P + Q. Therefore, A ⊢ τ.P = τ.Q by T4. 2 Theorem 5.7 (Completeness) If P ≃w Q then A ⊢ P = Q. Proof. The proof is similar to that for Lemma 5.6. 98

Deng and Du

S1

P +0=P

S2

P +P =P P P i∈I Pi = i∈I Pρ(i) ρ is any permutation on I L L u. i∈I pi Pi = u. i∈I pρ(i) Pρ(i) ρ is any permutation on I L L u.(( i pi Pi ) ⊕ pP ⊕ qP ) = u.(( i pi Pi ) ⊕ (p + q)P )

S3 S4 S5 T1

T2

T3 T4 R1

L pij .Pij ) + u. i,j pi pij .Pij L L = τ. i pi (Pi + u. j pij .Pij ) L L L u. i pi (Pi + τ. j pij .Pij ) + u. i,j pi pij .Pij L L = u. i pi (Pi + τ. j pij .Pij ) L L u.(pτ.P ⊕ i pi Pi ) = u.(pP ⊕ i pi Pi ) τ.

L

i pi (Pi

+ u.

L

j

If τ.P = τ.P + Q and τ.Q = τ.Q + P then τ.P = τ.Q.  0 if u ∈ A ∪ A L (u. i∈I pi Pi )\A = L  u. p (P \A) otherwise i∈I

R2 N1 N2 C

i

i

P P ( i∈I Pi )\A = i∈I Pi \A

L L (u. i∈I pi Pi )[f ] = f (u). i∈I pi Pi [f ] P P ( i∈I Pi )[f ] = i∈I Pi [f ] P

i∈1..n u.

with

L

j

pij Pij =

P

i∈1..n ri

i∈1..n u.

L

j

pij Pij + u.

L

i∈1..n

L

j ri pij Pij

= 1.

E Assume P ≡ infer:

P

i ui .

L

P |Q=

P

ui . P

L

i

+

P

j

j

ui opp

pij Pij and Q ≡

P

k vk .

L

l qkl Qkl .

Then

P L pij (Pij | Q) + k vk . l qkl (P | Qkl ) L j,l (pij qkl )(Pij | Qkl ) vk τ.

where ui opp vk means that ui and vk are complementary actions, i.e., u ¯i = vk . Table 2 The axiom system A

Let u. P

j∈J

(11)

L

j∈J rj Rj

u

be any summand of P . Then we have P −→ ∆, with ∆ = u

rj · Rj . Since P ≃w Q, there exists Θ such that Q =⇒ Θ and ∆ ≈w Θ. Hence, ∆=

X

pi · Pi ,

Pi ≈w Qi ,

Θ=

X i∈I

i∈I

99

p i · Qi .

Deng and Du

It follows from the promotion lemma that A ⊢ τ.Pi = τ.Qi . So we can use T3 L L L L to derive that A ⊢ u. i pi Pi = u. i pi τ.Pi = u. i pi τ.Qi = u. i pi Qi . Since P P L j∈J rj · Rj = ∆ = i∈I pi · Pi , it follows from S5 that A ⊢ u. j∈J rj Rj = L u u. i pi Pi . Now observe that Q =⇒ Θ, we know from Lemma 5.5 that A ⊢ Q = L L Q + u. i∈I pi Qi = Q + u. j∈J rj Rj . In summary A ⊢ Q = Q + P . Symmetrically A ⊢ P = P + Q. Therefore, A ⊢ P = Q. 2 Corollary 5.8 P ≃b Q iff A ⊢ P = Q. Proof. A direct consequence of Theorems 4.4, 5.2 and 5.7.

6

2

Concluding remarks

In this paper we have proposed a probabilistic barbed congruence and proved that it coincides with observational equivalence in a probabilistic extension of CCS. For finite processes, we have provided an axiom system which is sound and complete w.r.t. barbed congruence. In the future it would be interesting to establish similar results in other probabilistic process calculi. It was shown in [15] that in the π-calculus barbed congruence coincides with early bisimulation congruence. We think that it might be possible to extend this result to a probabilistic π-calculus.

References ´ [1] L. Aceto, Z. Esik, and A. Ing´ olfsd´ ottir. Equational axioms for probabilistic bisimilarity (preliminary report). Technical Report RS-02-6, BRICS, 2002. [2] S. Andova. Probabilistic Process Algebra. PhD thesis, Eindhoven University of Technology, 2002. [3] S. Andova, J. C. M. Baeten, and T. A. C. Willemse. A complete axiomatisation of branching bisimulation for probabilistic systems with an application in protocol verification. In Proceedings of the 17th International Conference on Concurrency Theory, volume 4137 of Lecture Notes in Computer Science, pages 327–342. Springer, 2006. [4] J. C. M. Baeten, J. A. Bergstra, and S. A. Smolka. Axiomatizing probabilistic processes: ACP with generative probabilities. Information and Computation, 121(2):234–255, 1995. [5] C. Baier and M. Z. Kwiatkowaska. Domain equations for probabilistic processes. Structures in Computer Science, 10(6):665–717, 2000.

Mathematical

[6] E. Bandini and R. Segala. Axiomatizations for probabilistic bisimulation. In Proceedings of the 28th International Colloquium on Automata, Languages and Programming, volume 2076 of Lecture Notes in Computer Science, pages 370–381. Springer, 2001. [7] Y. Deng and C. Palamidessi. Axiomatizations for probabilistic finite-state behaviors. In Proceedings of the 8th International Conference on Foundations of Software Science and Computation Structures, volume 3441 of Lecture Notes in Computer Science, pages 110–124. Springer-Verlag, 2005. [8] Y. Deng, C. Palamidessi, and J. Pang. Compositional reasoning for probabilistic finite-state behaviors. In Processes, Terms and Cycles: Steps on the Road to Infinity, Essays Dedicated to Jan Willem Klop, on the Occasion of His 60th Birthday, volume 3838 of Lecture Notes in Computer Science, pages 309–337. Springer, 2005. [9] Y. Deng, R. van Glabbeek, M. Hennessy, C. Morgan, and C. Zhang. Remarks on testing probabilistic processes. Electronic Notes in Theoretical Computer Science, 2007. To appear. Available at http://www.cse.unsw.edu.au/∼yuxind/publications/gdpf.pdf. [10] A. Giacalone, C.-C. Jou, and S. A. Smolka. Algebraic reasoning for probabilistic concurrent systems. In Proceedings of IFIP WG 2.2/2.3 Working Conference on Programming Concepts and Methods, pages 453–459, 1990.

100

Deng and Du [11] M. Z. Kwiatkowska and G. Norman. A testing equivalence for reactive probabilistic processes. Electronic Notes in Theoretical Computer Science, 16(2):114–132, 1998. [12] K. G. Larsen and A. Skou. Bisimulation through probabilistic testing. Information and Computation, 94(1):1–28, 1991. [13] R. Milner. Communication and Concurrency. Prentice-Hall, 1989. [14] R. Milner and D. Sangiorgi. Barbed bisimulation. In Proceedings of the 19th International Colloquium on Automata, Languages and Programming, volume 623 of Lecture Notes in Computer Science, pages 685–695. Springer, 1992. [15] D. Sangiorgi. Expressing Mobility in Process Algebras: First-Order and Higher-Order Paradigms. PhD thesis CST–99–93, Department of Computer Science, University of Edinburgh, 1992. [16] R. Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, MIT, Deptartment of EECS, 1995. [17] R. Segala and N. A. Lynch. Probabilistic simulations for probabilistic processes. In Proceedings of the 5th International Conference on Concurrency Theory, volume 836 of Lecture Notes in Computer Science, pages 481–496. Springer, 1994. [18] E. W. Stark and S. A. Smolka. A complete axiom system for finite-state probabilistic processes. In Proof, language, and interaction: essays in honour of Robin Milner, pages 571–595. MIT Press, 2000.

101


On Probabilistic Techniques for Data Flow Analysis Alessandra Di Pierro1 Chris Hankin2 Herbert Wiklicky3 Department of Computing Imperial College London 180 Queen’s Gate London SW7 2AZ United Kingdom

Abstract We present a semantics-based technique for analysing probabilistic properties of imperative programs. This consists in a probabilistic version of classical data flow analysis. We apply this technique to pWhile programs, i.e programs written in a probabilistic version of a simple While language. As a first step we introduce a syntax based definition of a linear operator semantics (LOS) which is equivalent to the standard structural operational semantics of While. The LOS of a pWhile program can be seen as the generator of a Discrete Time Markov Chain and plays a similar role as a collecting or trace semantics for classical While. Probabilistic Abstract Interpretation techniques are then employed in order to define data flow analyses for properties like Parity and Live Variables. Keywords: Probabilistic Programs, Linear Operators Semantics, Probabilistic Abstract Interpretation, Data Flow Analysis

1

Introduction

Typically a classical Data Flow Analysis (DFA) considers all the paths in a controlflow graph and computes safe solutions according to a ‘meet-over-all-paths’ approach, i.e. all paths contribute equally to the solution independently on how feasible or likely to be executed they are. However, in practice even moderately large programs execute only a small part of the billions of paths that are possible for the program to execute. For a given analysis, the specific nature of the problem under consideration may help to reduce the number of paths. Moreover, it is now widely recognised that considering probabilistic information allows one to obtain more precise and practically useful results from a static analysis. Statistical or other types of information can be encoded in the form of probabilities in the program semantics and used to weight the execution paths according to their likelihood to actually 1 2 3

Email: [email protected] Email: [email protected] Email: [email protected]


Di Pierro, Hankin and Wiklicky

be executed. Following this approach, in this paper we define probabilistic DFA whose solutions are not safe in the classical sense but ‘close’ enough to the concrete behaviour of the program. This is similar to the approach in [7,8], where probabilistic techniques are used for the construction of static analyses of approximate properties. Considering approximate rather than absolute properties corresponds to asserting the property up to a given quantifiable error margin rather than as a Boolean relation. The significance of this approach is that it allows in general for more realistic analyses. As an example, a security property such as confinement is never satisfied by real systems in its absolute formulation asserting whether the system is confined or not. We show how a classical DFA can be turned into a probabilistic one via the use of an appropriate collecting semantics. This is defined as a linear operator on an appropriate linear space representing the operational configurations (current state and instruction to be executed) of a given probabilistic program. We will show that the use of tensor product is essential in the construction of the semantics in order to obtain a correct result of the analysis. This is demonstrated via the application of our probabilistic technique to two classical DFA examples, namely Parity Analysis and Live Variables Analysis. These examples also show how probabilistic analysis can result in more practically useful information compared to the standard classical one.

2

Probabilistic While

The language we consider is a simple classical While language extended with a probabilistic choice statement. A different but equivalent approach to defining probabilistic languages is the use of random assignment as in e.g. [14]. We choose the first approach because it is more suited as a base of the treatment we present in this paper. The same approach is also adopted in [6] where a Hoare-style proof system is introduced for reasoning about probabilistic sequential programs. 2.1

Syntax

The syntax of the language, which we call pWhile, is given by: S ::= skip | stop | x ← a | S1 ; S2

| choose p1 : S1 or p2 : S2 | if b then S1 else S2 end if | while b do S end while

In the probabilistic choice construct we assume that pi are some constants representing the probability that statement Si is executed; they define a probability distribution, i.e. p1 + p2 = 1. Arithmetic expressions a follow the usual syntax: a ::= n

|

x

|

a1 ⊙ a2

where n represents a constant value, x a program variable (for which we use typeface characters) and ‘⊙’ represents one of the usual arithmetic operations, like ‘+’, ‘−’, or ‘×’. We also need Boolean expressions which have the following form: b ::= true

|

false

|

¬b

|

104

b 1 ∨ b2

|

b1 ∧ b2

|

a1 < > a2


R0

hskip, σi−→1 hstop, σi

R1

hstop, σi−→1 hstop, σi

R2

hx ← a, σi−→1 hstop, σ[x 7→ [[a]]]i

R31

hS1 , σi−→p hS1′ , σ ′ i hS1 ; S2 , σi−→p hS1′ ; S2 , σ ′ i

R32

hS1 , σi−→p hstop, σ ′ i hS1 ; S2 , σi−→p hS2 , σ ′ i

R41

hchoose p1 : S1 or p2 : S2 , σi−→p1 hS1 , σi

R42

hchoose p1 : S1 or p2 : S2 , σi−→p2 hS2 , σi

R51

hif b then S1 else S2 end if, σi−→1 hS1 , σi

if [[b]] = true

R52

hif b then S1 else S2 end if, σi−→1 hS2 , σi

if [[b]] = false

R61

hwhile b do S end while, σi−→1 hS, σi

if [[b]] = true

R62

hwhile b do S end while, σi−→1 hstop, σi

if [[b]] = false

Table 1 A Probabilistic Transition System for pWhile

where ‘< >’ denotes one of the standard comparison operators for arithmetic expressions like: . 2.2

Operational Semantics

In this section we define a small step operational semantics for pWhile in the usual SOS style [17]. This corresponds to a probabilistic transition system [13] where states encode information on both the memory state (values of the program’s variables) and the instruction to be executed. The transition relation is probabilistic in the sense that the configuration reached in one step from another configuration is associated with a number expressing the probability of actually performing that transition; moreover, all probabilities associated to the outgoing transitions of a configuration form a probability distribution (i.e. they sum up to one). In other words, we define the operational semantics of our language according to the generative model of probability [20] and the resulting execution process is a Discrete Time Markov Chain, [19,1]. 2.2.1 Configurations and Transitions We define a state as a mapping from variables to values: σ ∈ State = Var → Value, The value of arithmetic and Boolean expressions is given by the functions [[.]]a and [[.]]b defined in Table 2. We will omit the index from the function [[.]] when it is clear from the context. A configuration is a pair hS, σi consisting of a statement S and a state σ ∈ State. The probabilistic transition relation −→ p is defined by the rules in Table 1. These 105


[[a]]a σ = n

[[a1 ⊙ a2 ]]a σ = [[a1 ]]a σ ⊙ [[a2 ]]a σ

[[x]]a σ = σ(x)

[[true]]b σ = true

[[b1 ∨ b2 ]]b σ = [[b1 ]]b σ ∨ [[b2 ]]b σ

[[false]]b σ = false

[[b1 ∧ b2 ]]b σ = [[b1 ]]b σ ∧ [[b2 ]]b σ

[[¬b]]b σ

= ¬[[b]]b σ

[[a1 < > a2 ]]b σ = [[a1 ]]b σ < > [[a2 ]]b σ

Table 2 Semantics of Expressions

reflect the typical semantics of a classical while language but for the presence of a probability labelling each transition. Final states are represented via a looping on configurations hstop, σi. This allows us to model a computation as a Markov chain as it guarantees that the matrix representing the execution of a pWhile program is a stochastic matrix (cf. Section 3.1). 2.2.2 Abstract Syntax Following the approach in [16], in order to determine the control flow (graph) of a program, regardless of the concrete information on the actual states in which each statement is executed, we associate a label from a set Lab to each assignment statement, to the skip statement and to each test that appears in conditional and loop statements. We call the resulting program a labelled program and define its syntax, which we call abstract syntax, as follows:

| S1 ; S2 | [choose]ℓ p1 : S1 or p2 : S2 | if [b]ℓ then S1 else S2 end if | while [b]ℓ do S end while

S ::= [skip]ℓ

|

[stop]ℓ

|

[x ← a]ℓ

We will refer to the elementary labelled instructions as commands and denote by Cmd the set of all commands with typical elements c1 , c2 , . . ., corresponding to statements of the form [skip]ℓ or [b]ℓ , etc. We will assume a unique labelling of commands, i.e. we will use ℓ interchangeably with c, where c is the elementary instruction with label ℓ; this is sometimes called the label consistency property [16]. The control flow FS of a program S is then defined as a set of pairs (ℓ, ℓ′ ) or hc1 , c2 i which record the fact that it is possible that after executing c1 the next command executed could be c2 (abstracting from the concrete outcomes of tests). In principle, it is possible to reconstruct the syntax of the original program S from the pairs hℓ, ℓ′ i in FS : we only have to indicate which branch is taken when a test succeeds or fails; and for probabilistic choices we need to record the transition probabilities. If we do this the control flow FS of S, which is sometimes also referred to as its abstract syntax [5], can be taken as an alternative description of the syntax of the program. In this paper, we will use the terms control flow and abstract syntax interchangeably to refer to a labelled program.

3

Probabilistic Data Flow Analysis

Classically, Data Flow Analysis is based on a graph representation of a program usually defined via a collecting semantics. For our probabilistic language we will 106


define such a collecting semantics as a linear operator (more precisely a Markov chain); this represents the states and the program statements in a way that the probabilistic information can be appropriately derived in the final result of the analysis. We will consider here the more common equational approach to DFA and introduce a probabilistic technique based on this approach and the linear operator semantics in Section 3.1. The probabilistic DFA we present is intra-procedural (we do not deal with functions or procedures). We will demonstrate our technique by presenting two classical examples of a forward and a backward analysis, the former being specifically a Parity Analysis and the latter Live Variables Analysis. 3.1

Collecting Semantics

A probabilistic transition system has a straightforward representation as a matrix, i.e. a linear operator on the vector space over configurations. In general, for any set X we can define the vector space V(X) over X as the space of formal linear combinations of elements in X with coefficients in a field W. We can represent the elements in V(X) as vectors with coefficients in W indexed by X: V(X) = { (vx )x∈X | vx ∈ W}. The field W is typically taken to be the set of complex numbers C. In our case it simply corresponds to [0, 1] ⊆ R ⊆ C, as we are interested in representing probability distributions. The support set X corresponds to the set of configurations Conf. A convenient way to represent the vector space on configurations is via the tensor product operation. The tensor product is a useful tool when it comes to describing composite systems, such as in the theory of stochastic systems, performance analysis, quantum physics, etc. Its properties allow us to elegantly represent the vector space over a cartesian product V(X × Y ) as V(X) ⊗ V(Y ). These properties and an abstract definition can be found e.g. in [18]. Concretely, we can define the tensor or Kronecker product of two finite dimensional matrices as follows: Given an n × m matrix A and and a k × l matrix B then A ⊗ B is the nk × ml matrix:   a11 B . . . a1n B   ..   . .. A ⊗ B =  .. . .    a1m B . . . anm B

Based on the abstract syntax or control flow of a program S we define the collecting semantics as a linear operator on V(State × Cmd) = V(Value) ⊗ V(Cmd) = V(Value1 ) ⊗ . . . ⊗ V(Valuen ) ⊗ V(Cmd). Here we assume an enumeration of the program variables x1 , . . . , xn and denote by Valuei the set of values for xi . Thus, we have that V(Value) = V(Value1 × . . . × Valuen ) = V(Value1 ) ⊗ . . . ⊗ V(Valuen ). For all possible control flow steps in FS , i.e. pairs of commands hc1 , c2 i in a program S we will describe the possible changes to the variables and then sum up these effects together with the actual transfer of control from one statement to another. In other words, we define the collecting semantics TSU of a program S in terms of the linear operators T(hc1 , c2 i, which for every pair hc1 , c2 i ∈ FS transform 107


T(h[skip]c1 , c2 i) = I ⊗ Ec1 ,c2 T(h[xi ← a]c1 , c2 i) = A(a) ⊗ Ec1 ,c2 T(h[b]c , ct i) = B(b) ⊗ Ec,ct T(h[b]c , cf i) = (I − B(b)) ⊗ Ec,cf T(h[choose]cpk , ck i) = pk · I ⊗ Ec,ck T(h[stop]c , [stop]c i) = I ⊗ Ec,c Table 3 Collecting Semantics

a vector configuration ~x ∈ V(State×Cmd) into the vector configuration describing the effect of the control flow step from c1 to c2 . Formally: X TSU = T(hc1 , c2 i) hc1 ,c2 i∈FS

where T can be expressed via: T(hc1 , c2 i) = M(hc1 , c2 i) ⊗ N(hc1 , c2 i) where M(hc1 , c2 i) is an operator on V(State) describing the possible state changes, while N(hc1 , c2 i) is an operator on V(Cmd) describing the control flow. For all possible commands c1 , c2 ∈ Cmd we define T(hc1 , c2 i) in Table 3, where we use the control and state operators explained below.

Control Operators In the deterministic case, i.e. the case where for a command c1 there is only one command c2 with hc1 , c2 i ∈ FS , the control flow part N is very simple: it is given by a so called matrix unit containing only one non-zero entry, namely   1 for i = c1 ∧ j = c2 N(hc1 , c2 i) = E(hc1 , c2 i)i,j =  0 otherwise

This is the case for [skip]ℓ , [stop]ℓ and [x ← a]ℓ . This kind of control transition applies in particular to the case of the control flow between the statements in a sequential composition. In the case of the random choice we have to construct the control transfer operator as a linear combination between two deterministic transitions, from the choice point to the initial label of each of the branches. This is effectively achieved by using N(hc, ck i)i,j = pk · E(c, ck ) where c is the choice command and ck the first command in the kth branch. For tests c = [b]ℓ in while’s and if’s we also have to construct a linear combination, however in this case we have to filter in each case those transitions which 108


actually happen when the test succeeds from those when the test does not succeed. T(hc, ct i) = B(b) · (I ⊗ Ec,ct ) T(hc, cf i) = (I − B(b)) · (I ⊗ Ec,cf ) where c is the test command [b]ℓ and ct and cf the successors in case the test succeeds or fails, respectively. Moreover, the operator I is the identity and the operator B is defined by: ! n O X D(evk ) B(b) = b(v1 ,...,vn )=true

k=1

where D(x) denotes the diagonal matrix with diagonal vector x and ei the unitvectors:   1 if i = j (ei ) =  0 otherwise.

Thus, D(ei ) = Ei,i , and B contains a ‘1’ in the diagonal if for some values of the variables the test b succeeds. Example 3.1 Suppose that we have two variables x1 and x2 which can both have values between 0 and 4. Then [x1 < 2]ℓ is represented by a 25 × 25 matrix given as the tensor product:     10000 10000         0 1 0 0 0 0 1 0 0 0         0 0 0 0 0⊗0 0 1 0 0         0 0 0 0 0 0 0 0 1 0     00001 00000

which expresses the fact that the value of x2 does not contribute to the result of the test.

State Operators For all commands c except for the assignment [x ← a]ℓ the variables will not change, i.e. we will have M = I, i.e. the identity on the vector space representing the value of the program variables. In the case of the assignment we have in the case of constants:  !  ! i−1 n X O O ℓ1 Ejn  ⊗ I ⊗ M([xi ← n] , c2 ) = I k=1

j

k=i+1

In general, i.e. for expressions a involving (other) variables we have: X M([xi ← a]ℓ1 , c2 ) = Av1 ,...,vi 7→v,...,vn a(v1 ,...,vn )=v

109


where Av1 ,...,vi 7→v,...,vn is a matrix with a single non-zero entry defined as:  !  ! i−1 n O X O Evi ,v  ⊗ D(evk ) ⊗  D(evk ) k=1

j

k=i+1

In other words, if a certain combination of values vi for the variables in a produces a certain result v, then the corresponding matrix Av1 ,...,vi 7→v,...,vn indicating this single update contributes to the sum. Example 3.2 Consider two variables x1 and x2 which both can take values in {0, 1, 2}. Then the update [x1 ← x1 + 1]ℓ is represented by a 9 × 9 matrix, which is the tensor product of two 3 × 3 matrices, namely:     100 010         ℓ M([x1 ← x1 + 1] , c2 ) =  0 0 1  ⊗  0 1 0      001 000 while

[x2 ← 1]ℓ is represented by 

100





010



        M([x2 ← 1]ℓ , c2 ) =  0 1 0  ⊗  0 1 0      010 001 3.2

Probabilistic Abstract Interpretation

In order to construct abstract DFA equations for a pWhile program out of the collecting semantics we need a way to abstract the semantics. A quantitative approach for obtaining DFA equations is provided by our framework of Probabilistic Abstract Interpretation (PAI) [10,11]. This is a general framework for the probabilistic analysis of (probabilistic) programs which recasts classical Abstract Interpretation [3,4] in a vector space setting. The basic idea is to define abstractions as some kinds of linear operators on some appropriate vector spaces. More precisely, domains (both abstract and concrete) are Hilbert spaces that is vector spaces with inner product. The crucial notion of concretisation is expressed in this framework via a notion of generalised inverse of a linear operator, and in particular the notion of MoorePenrose pseudo-inverse (MP). The properties of this kind of linear inverse makes the pair of a linear operator and its MP into an adjunction similar to the classical notion of Galois connection. Let C and D be two Hilbert spaces and A : C 7→ D a bounded linear map between them. A bounded linear map A† = G : D 7→ C is the Moore-Penrose pseudo-inverse of A iff A ◦ G = PA and G ◦ A = PG 110


where PA and PG denote orthogonal projections (i.e. P∗A = PA = P2A and P∗G = PG = P2G where .∗ denotes the adjoint [18, Ch 10]) onto the ranges of A and G. A probabilistic abstract interpretation is defined by a pair of linear maps, A : C 7→ D and G : D 7→ C, between the concrete domain C and the abstract domain D, such that G is the Moore-Penrose pseudo-inverse of A, and vice versa. As shown in [10] any classical abstract interpretation can be seen as a probabilistic abstract interpretation by lifting the classical domains into probabilistic domains (Hilbert spaces). Another approach to the analysis of probabilistic programs applies classical Abstract Interpretation techniques to probabilistic semantics [15]. This approach corresponds to a special case of classical abstract interpretation and it therefore results in safe, i.e. worst case analyses. As shown in [9], the more general PAI approach allows us to construct additionally statistical information which is more in the spirit of an average case analysis. Let T be a linear operator on some Hilbert space V representing the probabilistic semantics of the concrete program, and let A : V 7→ W be a linear abstraction function with G = A† . An abstract semantics can then be defined on W as: T# = GTA. This so-called induced semantics is guaranteed to be the best correct approximation of the concrete semantics for classical abstractions based on Galois connections. In the linear space based setting of PAI where the order of the classical domains is replaced with some notion of metric distance, the induced abstract semantics is the closest one to the concrete semantics [10].

4

Parity Analysis

The first example of an analysis based on the LOS of pWhile concerns the parity of variables. Although, it is arguable whether this analysis by itself is of practical use it is certainly a quite useful example in order to illustrate the basic methodology. The purpose of the Parity Analysis is to determine at every program point whether a variable is even or odd. It is a simple forward analysis where the concrete value of variables is abstracted to just their parity information. We will consider two simple programs which compute the factorial and twice the factorial of n which is left in m when the programs terminate. 1: 2: 3: 4: 5: 6:

[m ← 1]1 ; while [n > 1]2 do [m ← m × n]3 ; [n ← n − 1]4 end while [stop]5

1: 2: 3: 4: 5: 6:

[m ← 2]1 ; while [n > 1]2 do [m ← m × n]3 ; [n ← n − 1]4 end while [stop]5

Without going into too many details, it should be obvious that a classical Parity Analysis should detect that the parity of m = 2×n! at the end of the second program is always even even when the original value (and parity) of n is “unknown”. A safe classical analysis of the first program will however fail in the sense that it will return “unknown” or ⊤ for the parity of m at the end of the program. This is in some 111


sense rather unsatisfactory as it is obvious that m = n! is “nearly always” even. Only in the “rare” case that the initial n is less than or equal to 1 will m be odd at the end of the program. The purpose of a probabilistic program analysis is a formal derivation of this intuition about the parity of m when the program terminates. The idea is to (re)construct the abstract LOS of a program in the same way as the concrete LOS with the only difference that in the abstract case (some of the) operators which implement tests and assignments are replaced by their abstract versions. The general scheme for this program is given by: T = Mi ⊗ I ⊗ E1,2 + T⊤ (I ⊗ I ⊗ E2,3 ) + T⊥ (I ⊗ I ⊗ E2,5 ) + A ⊗ E3,4 + I ⊗ N ⊗ E4,2 + I ⊗ I ⊗ E5,5 where the first factor, i.e. first variable, represents m and the second one n. By a slight abuse of notation we use the same symbol I for identities of different dimensions. The last component in each contribution Eij is a 5 × 5 matrix which represents the control-flow steps. The first term specifies the dynamics at program point 1: m is initialised using an operator Mi with i = 1, 2 – depending which of the two programs we consider – of the form:     0 0 1 0 ... 0 1 0 0 ...         0 0 1 0 ... 0 1 0 0 ...     M1 =    M2 =  0 0 1 0 ... 0 1 0 0 ...     .. .. .. .. . . .. .. .. .. . . . . . . . . . . . .

which implement a change of m’s value to 1 and 2, respectively. The variable n stays unchanged, represented by the identity I and control is transfered from statement 1 to statement 2. The next two terms deal with the test [n > 1]2 : The actual effect is just a control transfer with no changes to the two variables. However, depending on the test’s result we get different control-flow transfers. The test operators are realised as:     0  0   T⊤ = I ⊗  0  0  . ..

0 0 0 ...  0 0 0 ...   0 1 0 ... ⊗I  0 0 1 ...  .. .. .. . .  . . . .

1  0   T⊥ = I ⊗  0  0  . ..

0 0 0 ...  1 0 0 ...   0 0 0 ... ⊗I  0 0 0 ...  .. .. .. . .  . . . .

T⊤ “filters” all those configurations where n is 2, 3, . . . while T⊥ “blocks” all configurations except where n is equal to 0 or 1. In both cases the value of m and the current position in the program are irrelevant; this is indicated by the identity 112


operators used to define the test operators. The fourth term represents the most complicated arithmetic operation namely the statement [m ← m × n]3 . The changes to m and n are rather complicated so that A, the operator describing the effects on m and n, is given as an “entangled” operator of the form: X A= ((I ⊗ Ej,i·j ⊗ I)(Ti ⊗ Tj ⊗ I)) i,j

with Tk = Ek,k for all k. This can be interpreted as follows: For all pairs (m, n) we first test whether m and n have certain values i and j, respectively (ignoring the current statement label), then we perform the update by leaving n (and the current statement label) unchanged but changing the value of m from j to its new value i · j. The penultimate term in the definition of T results in the decrement of n via the (shift) operator:   0 0 0 0 ...   1 0 0 0 ...      N = 0 1 0 0 ...    0 0 1 0 ...   . . . . .  .. .. .. .. . .

and the last term just specifies the terminal configuration [stop]5 as an infinite loop which leave m and n unchanged.

Concrete Semantics Both programs have five program points, which means that the control transition matrices are 5×5 matrices. The state of the two variables are in principle represented by infinite dimensional vectors. However, if we fix a maximal input size n ≤ N then we can also restrict the maximum size of m. For this finite approximation we need a vector in V({0, 1, . . . , N !}) ⊗ V({0, 1, . . . , N }) ⊗ V({1, . . . , 5}), i.e. a 5 · N · N ! dimensional vector. The concrete (finite) semantics is thus represented by a matrix of the same dimensions. Though sparse, it is for N = 10 already an about 18 million × 18 million matrix. Abstract Semantics In order to obtain an abstract semantics we can abstract both variables, i.e. “execute” the program with m and n being classified as even or odd. Alternatively, we can abstract only m and use the concrete values for the control variable n (the while-loop here is actually a for-loop). In both cases the dimension of T is drastically reduced. It is 2 · 2 · 5 = 20 in the first case, and 2 · N · 5 = 10N in the second case – for N = 10 we get a 100 × 100 matrix to represent T# instead of the 18 million in the concrete case. To be more precise: We construct the abstract semantics T# simply as 113


T# = M# i ⊗ I ⊗ E1,2 + T# ⊤ (I ⊗ I ⊗ E2,3 ) + T# ⊥ (I ⊗ I ⊗ E2,5 ) + A# ⊗ E3,4 + I ⊗ N# ⊗ E4,2 + I ⊗ I ⊗ E5,5 i.e. exactly in the same way as the concrete one. The difference is exhibited by only few of the operators (and the fact that the identities have a much reduced dimension). The control-flow steps are not changed at all as we are interested here only in a data-flow analysis. Each of the operators is constructed using the parity abstraction operator P:   0 1 0 1 0 ...  PT =  1 0 1 0 1 ... † # = and its Moore-Penrose Pseudo Inverse P† . For example: M# i = P MP, A † † (P ⊗ P )A(P ⊗ P), etc. We thus get (if we abstract both variables):         0 1 1 0 0 1 0 1  M#   N# =    A# =   M# 1 = 2 = 01 10 10 10

# The abstract test operators T# ⊤ and T⊥ depend on the finite approximation we consider. If we do not abstract the control variable n we need a more complicated # # are the same as for the A# but the test operators T# ⊤ and T⊥ as well as N concrete semantics.

Numerical Results It is rather straightforward to implement the finite approximations of the concrete as well as the abstract semantics using a numerical program like octave [12]. As to be expected the size, even using sparse matrix representations, is prohibitively large; while for N = 5 things still work out it is effectively impossible to deal with case that N = 10. The abstract semantics creates no such problem. If we abstract m to even and odd but leave n a concrete control variable, we can “execute” the (abstract) program for example in an initial configuration where n is represented by a uniform distribution over all possible input values for n < N and m has a 50 : 50 chance of being even and odd. Depending on the cut-off point N we obtain for N = 10 a 20%, for N = 100 a 2%, and for N = 1000 a 0.2% chance that m is odd at the end of the program. This reflects exactly, as expected, the fact that m “most likely” will be even in the end, the more so the larger the maximal input for n is.

5

Live Variable Analysis

A more interesting static program analysis is the classical Live Variable (LV) Analysis, see e.g. [16]. It is an example of a backward analysis, i.e. the control 114


flow has to be reversed. In order to do this we use the transposes of the original control-transfer matrices. The property we are interested in is whether a variable at every program point is live or dead (at the exit of a program point), i.e. if there is a possible use for a variable at a later stage of the program’s execution. If, for example, there is an assignment to a program variable which is never used then we can eliminate this assignment, i.e. perform a dead code elimination. The aim of a probabilistic LV Analysis is to provide estimates for the probabilities that a certain variable is later used. A possible application could be to support caching, variables which are more likely to be used could be kept in a ‘faster’ cache, while variables which have a very low probability of being live would be kept in a ‘slower’ cache or the main memory. The idea is, as before, to replace the operators which define the concrete semantics (describing the precise changes of the values of variables) with operators which only record whether a variable is used (in a test b or an expression a on the right hand side of an assignment) or being redefined (it appears on the left hand side of an assignment). This is essentially what also happens in the classical LV Analysis: if x is on the right hand side of an assignment it gets “killed”, if it is a (free) variable in a or b then it becomes alive (gets “generated”). The semantics of all other statements does not change the “liveliness” of a variable.

5.1

Intra-Statement Updates

The information we record about every variable is just if it is alive or not, i.e. we need to consider for every variable an abstract state in V({live, dead}). The update can be specified in a very similar way as in the case of the classical analysis (following e.g. [16]). We need kill and gen operators:     10 01   G= K= 10 01 With this we get for tests and assignments the following abstract operators: T[b]ℓ U = V(b) ⊗ NT and   n i−1 O O I) · V(a) ⊗ NT T[xi := a]ℓ U = ( I⊗K⊗ j=i+1

j=1

where NT is the transposed of the control-flow matrix, and V(e) identifies the (free) variables in a Boolean or arithmetic expression e:  n  G if xi ∈ F V (e) O Vi (e) with Vi (e) = V(e) =  I otherwise. j=1

Note, that we could obtain these operators by abstracting the concrete ones but for brevity’s sake we based our definitions directly on the classical analysis (as presented in [16]). 115


5.2

Inter-Statement Updates

The problem which we still have to resolve is what happens at “confluence points”, i.e. when several (backward) control-flows come together as at a test in an if- or while-statement. To do this we need additional information about the branching probabilities. This could be obtained (i) experimentally from profiling or (ii) from the concrete semantics, by not abstracting at least those variables which determine the control-flow (as in the previous example) or (iii) via another abstract semantics which estimates these probabilities. In the following we will sketch the basic elements of an analysis which is based on the last option. To illustrate the basic aims and structure of a probabilistic version of the LV Analysis consider the following two programs: 1: 2: 3: 4: 5: 6: 7:

[skip]1 if [odd(y)]2 then [x ← 1]3 else [y ← 1]4 end if [y ← x]5

1: 2: 3: 4: 5: 6: 7:

[y ← 2 × x]1 if [odd(y)]2 then [x ← 1]3 else [y ← 1]4 end if [y ← x]5

The classical LV Analysis of both programs, starting with LVexit (5) = ∅, results, among other things, in the following description of the live variables at the beginning of the test in statement 2: LVentry (2) = {x, y} This indicates the fact that both variables x and y might be alive at the test point. This is a conservative result. It is possible that in a concrete execution x is actually not alive: although it will be needed at label 5, it will be ‘killed’ (by redefining its value) if the test results fails, i.e. if y is even. In the first program, we can’t make too many assumptions about the probability that the test succeeds, but a closer inspection of the second program easily confirms that indeed y is always even, although the lack of knowledge about x makes it impossible to know the concrete value of y either. A reasonable result of a probabilistic LV analysis we are aiming for could be: 1 LVentry (2) = {hx, i, hy, 1i} 2 for the first program and LVentry (2) = {hy, 1i} for the second one. In the first case we would expect that a good estimate for the branching probabilities is given by 50 : 50 chance that the test succeeds or fails. This is a consequence that (without any further assumptions) the chances that y is even or odd are the same. In the second program we can guarantee via a reasonable parity analysis that y is always even, despite the fact that the exact value of y is completely unknown. As with all probabilistic versions of classical analyses we could (re)construct the classical result from the probabilistic version by just recording the possibilities 116


instead of probabilities. For this we only have to define a forgetful map from V(X) to P(X) which just considers the support of a probability distribution, i.e. those elements in X which are associated with a non-zero probability. 5.3

Estimating the Branching Probabilities

A formal estimation of the branching probabilities for if-statements (and similarly for while-loops) follows the following scheme: Perform a first phase analysis (e.g. a parity analysis) to determine the branching probabilities, then use these estimates to perform the actual analysis. This means in effect that we replace tests b with probabilistic choices where the choice probabilities p⊤ and p⊥ are determined by a first phase analysis. 1: 2: 3: 4: 5: 6:

[skip]1 [choose]2 p⊤ : [x ← 1]3 or p⊥ : [y ← 1]4 [y ← x]5

1: 2: 3: 4: 5: 6:

[y ← 2 × x]1 [choose]2 p⊤ : [x ← 1]3 or p⊥ : [y ← 1]4 [y ← x]5

As can be seen in this example our approach makes it necessary that “abstract” programs are eventually probabilistic ones, even when the “concrete” programs were deterministic. Once we have determined the choice probabilities p⊤ and p⊥ the actual LV Analysis is performed in essentially the same way as in the classical case, with the exception that we have to deal with probability distributions over variables (indicating the chances that a variable is live at a certain program point) instead of sets of potentially live variables. In order to combine information about live variables at “confluence” points we then use weighted sums or linear combinations utilising the choice probabilities p⊤ and p⊥ instead of set union as in the classical case.

6

Conclusions

In this paper we presented the basic elements of syntax-based probabilistic dataflow analyses constructed via Probabilistic Abstract Interpretation which replaces the standard Cousot & Cousot approach for a possibilistic analysis. We illustrated this framework using a small imperative language with a probabilistic choice construct, namely pWhile. For this language we presented a collecting semantics which essentially constructs the generator of a Discrete Time Markov Chain implementing the operational semantics of a pWhile program. This collecting semantics was defined “compositionally” using linear combinations (sums) and the tensor product in order to represent states and state transformations. Exploiting this structure we could then define an abstract semantics as the basis of our analyses. This kind of “compositional” analysis was possible because sum and tensor product distribute over probabilistic abstractions. 117


While it is straightforward to lift analyises like the Parity Analysis to a probabilistic version, other analyses like the Live Variable Analysis require a two-phase analysis where we first estimate the branching probabilities before the actual analysis takes place. Further work will look into the issue of optimal abstractions, i.e. ways to construct abstractions of in particular control variables in order to obtain optimal estimates for these branching probabilities. Alternatively, for sub-optimal abstractions, we are also interested in determining the error margins of these estimates. Finally, we plan to extend this approach also to higher order, e.g. functional, languages and to implement a prototype of an automatic analyser.

References [1] Bause, F. and P. Kritzinger, “Stochastic Petri Nets – An Introduction to the Theory,” Vieweg Verlag, 2002, second edition. [2] Bergstra, J., A. Ponse and S. Smolka, editors, “Handbook of Process Algebra,” Elsevier Science, Amsterdam, 2001. [3] Cousot, P. and R. Cousot, Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints, in: Proceedings of POPL’77, Los Angeles, 1977, pp. 238–252. [4] Cousot, P. and R. Cousot, Systematic Design of Program Analysis Frameworks, in: Proceedings of POPL’79, San Antonio, Texas, 1979, pp. 269–282. [5] Cousot, P. and R. Cousot, Systematic design of program transformation frameworks by abstract interpretation, in: Proceedings of POPL’02 (2002), pp. 178–190. [6] den Hartog, J. and E. de Vink, Verifying probabilistic programs using a Hoare-like logic, International Journal of Foundations of Computer Science 13 (2002), pp. 315–340. [7] Di Pierro, A., C. Hankin and H. Wiklicky, Quantitative relations and approximate process equivalences, in: R. Amadio and D. Lugiez, editors, Proceedings of CONCUR’03, Lecture Notes in Computer Science 2761 (2003), pp. 508–522. [8] Di Pierro, A., C. Hankin and H. Wiklicky, Measuring the confinement of probabilistic systems, Theoretical Computer Science 340 (2005), pp. 3–56. [9] Di Pierro, A., C. Hankin and H. Wiklicky, Abstract interpretation for worst and average case analysis, in: T. Reps, M. Sagiv and J. Bauer, editors, Program Analysis and Compilation, Theory and Practice: Essays dedicated to Reinhard Wilhelm, LNCS 4444, Springer-Verlag, 2007 pp. 160–174. [10] Di Pierro, A. and H. Wiklicky, Concurrent Constraint Programming: Towards Probabilistic Abstract Interpretation, in: Proceedings of PPDP’00 (2000), pp. 127–138. [11] Di Pierro, A. and H. Wiklicky, Measuring the precision of abstract interpretations, in: Proceedings of LOPSTR’00, Lecture Notes in Computer Science 2042 (2001), pp. 147–164. [12] Eaton, J., “Gnu Octave Manual,” www.octave.org, 2002. [13] Jonsson, B., W. Yi and K. Larsen, “Probabilistic Extentions of Process Algebras,” Elsevier Science, Amsterdam, 2001 pp. 685–710, see [2]. [14] Kozen, D., Semantics for probabilistic programs, Journal of Computer and System Sciences 22 (1981), pp. 328–350. [15] Monniaux, D., Abstract interpretation of probabilistic semantics, in: Proceedings of SAS’00, Lecture Notes in Computer Science 1824 (2000), pp. 322–339. [16] Nielson, F., H. R. Nielson and C. Hankin, “Principles of Program Analysis,” Springer Verlag, Berlin – Heidelberg, 1999. [17] Plotkin, G., A structural approach to operational semantics, Journal of Logic and Algebraic Programming 60-61 (2004), pp. 17–139. [18] Roman, S., “Advanced Linear Algebra,” Graduate Texts in Mathematics 135, Springer Verlag, 2005, second edition. [19] Tijms, H., “Stochastic Models – An Algorithmic Approach,” John Wiley & Sons, Chichester, 1994. [20] van Glabbeek, R., S. Smolka and B. Steffen, Reactive, generative and stratified models of probabilistic processes, Information and Computation 121 (1995), pp. 59–80.

118


Exogenous Probabilistic Computation Tree Logic Pedro Baltazar1 ,6 Paulo Mateus2 ,6 Security and Quantum Information Group, Institute for Telecommunications and Instituto Superior Técnico, Universidade Técnica de Lisboa, Lisbon, Portugal

Rajagopal Nagarajan3 ,5 Nikolaos Papanikolaou4 ,5 Department of Computer Science, University of Warwick, Coventry, England

Abstract We define a logic EpCTL for reasoning about the evolution of probabilistic systems. System states correspond to probability distributions over classical states and the system evolution is modelled by probabilistic Kripke structures that capture both stochastic and non–deterministic transitions. The proposed logic is a temporal enrichment of Exogenous Probabilistic Propositional Logic (EPPL). The model-checking problem for EpCTL is analysed and the logic is compared with PCTL; the semantics of the former is defined in terms of probability distributions over sets of propositional symbols, whereas the latter is designed for reasoning about distributions over paths of possible behaviour. The intended application of the logic is as a specification formalism for properties of communication protocols, and security protocols in particular; to demonstrate this, we specify relevant security properties for a classical contract signing protocol and for the so–called quantum one–time pad.

1 Introduction There are numerous applications in science where reasoning about probabilistic behaviour is necessary. In computing, applications include probabilistic algorithms, computer modelling and verification of probabilistic systems, including communication protocols with and without security guarantees. The properties of probabilistic programs in particular have been studied before using many different approaches, and it is widely accepted that the development of formal logics for reasoning about such programs is highly beneficial, allowing designers and users of systems to formulate properties which the programs may or may not satisfy. In this paper we describe a temporal probabilistic logic, EpCTL. Our approach is characterised by the use of an exogenous semantics, such that the models of state formulas are 1

Email: [email protected] Email: [email protected] 3 Email: [email protected] 4 Email: [email protected] 5 Partially supported by the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography). 6 Partially supported by FCT and EU FEDER, namely via CLC POCTI (Research Unit 1-601), QuantLog project POCI/MAT/55796/2004 and the recent QSec initiative of SQIG-IT. Pedro Baltazar also supported by FCT and EU FEDER PhD fellowship SFRH/BD/22698/2005. 2


Baltazar, Mateus, Nagarajan, and Papanikolaou

essentially probability distributions of models of a propositional logic. We build atop earlier work on the probabilistic state logic EPPL [24] by introducing a temporal extension; the result is a branching time logic for reasoning about probabilistic programs. Our intention is to provide a powerful framework for specifying properties of communication protocols, especially security protocols. The proposed logic has enough expressive power to allow specification of relevant security properties, and enables high–level reasoning due to the use of an exogenous semantics. The exogenous semantics approach [25] involves taking the semantic structures of a base logic (e.g. propositional logic) and combining them together, possibly adding new structure, to provide the semantics for a higher-level logic. This approach has been used to build the probabilistic state logic EPPL and also a logic EQPL for reasoning about states of quantum information systems. The exogenous semantics approach can be considered a variant of the possible-worlds approach of Kripke for modal logic [18], and it is related to the society semantics introduced in [8] for many-valued logic and to the possible translations semantics proposed in [7] for paraconsistent logic. The logic described here is related to the logic PCTL proposed by Hansson and Jonsson [16]. PRISM [19,20] is a symbolic model-checker for PCTL. There is a fundamental difference between the semantics of the proposed logic EpCTL and PCTL; whereas PCTL enables reasoning about distributions over paths in a probabilistic transition system, EpCTL is designed for reasoning about how a probability distribution over a finite set of propositional symbols changes over time. The latter approach is particularly advantageous for reasoning about certain types of systems, such as distributed randomised algorithms. This will be discussed in more detail in Section 3.4. This paper is structured as follows. First we examine the syntax, semantics, model– checking problem and axiomatisation of the state logic EPPL. We then describe each of these aspects in turn for the temporal extension, namely the new logic EpCTL, and provide intuition for the various constructs. Proofs of theorems have been relegated to the Appendix.

2 Logic of Probabilistic States - EPPL The state logic of temporal logics like CTL [13], LTL [29] and CTL* [11] is classical propositional logic. Probabilistic temporal extensions, like PCTL [16], also use classical propositional logic for state logic. Here we consider quite a different state logic, exogenous probabilistic propositional logic (EPPL) [23,25,9,24], which was highly inspired by the works of Halpern et al. [15]. Given the envisaged application to model–checking, we consider only models over a finite set of propositional symbols Φ, which can be understood as Boolean registers (bits) that constitute the internal state of a protocol or an algorithm. In this setting an EPPL model, that henceforth we will call a probabilistic structure, is a pair (V, µ) where V is a set of classical valuations 7 over Φ and µ is a map µ : V → [0, 1] where ∑v∈V µ(v) = 1. For a model (V, µ) we call V the set of possible valuations, and µ the probability measure. Observe that µ can be extended to all valuations by assuming that impossible valuations are improbable, i.e, µ(v) = 0 for any v ∈ V \ V where V is the set of all valuations over Φ. Finally, it will be useful to consider the probability measure 8 , where µ is defined over sets of valuations, (V , 2V , µ) and Recall that a classical valuation over Φ is a map v : Φ → {0,1}. Recall that a probability measure is a triple (Ω, F ,µ) where F is a σ-algebra over Ω and µ is a measure where µ(Ω) = 1. Given the finitary assumption over Φ, in this paper we will always have Ω to be V and F to be the powerset of V .

7

8

120


µ(U ) = ∑v∈U µ(v) for any U ⊆ V . Example 2.1 Consider a variant of the Russian roulette game, where the gambler tosses a coin and if the outcome is tails, the gun is fired. Assume also that the gambler has 1/6 probability of shooting a bullet. We describe the system with three propositional symbols h (heads), b (bullet was shot), d (gambler is dead). The possible valuations described as sets of propositional symbols are: 0/ (all propositional symbols are false, the outcome of the coin was not heads); {h} (the outcome of the coin was heads but no bullet was shot); and {h, b, d} (the outcome of the coin was heads, a bullet was shot and the gambler is dead). The probability measure is / = 1/2, µ({h}) = 5/12 and µ({h, b, d}) = 1/12. µ(0) We continue by describing the syntax of the logic. 2.1

Language

The language consists of formulas at two levels. The formulas at the first level, classical formulas, enable reasoning about propositional symbols. The formulas at the second level, probabilistic state formulas, enable reasoning about probabilistic structures. There are also probability terms used in probabilistic state formulas to denote real numbers. The syntax of the language, expressed using BNF notation, is as follows. • • •

Classical formulas γ := Φ 8 ⊥ 8 (γ ⇒ γ)

Probability terms R p := 0 8 1 8 y 8 ( γ) 8 (p + p) 8 (p p) Probabilistic state formulas · ξ := (2γ) 8 (p ≤ p) 8 ⊥ ⊥ 8 (ξ ⊃ ξ)

The classical state formulas, ranged over by γ, γ1 , . . ., are built from the propositional symbols Φ and the classical disjunctive connectives ⊥ (falsum) and ⇒ (implication). As usual, other classical connectives (¬, ∨, ∧, ⇔) are introduced as abbreviations. For instance, (¬ γ) stands for (γ ⇒ ⊥). The probability terms, ranged over by p, p1 , . . ., denote elements of the reals. We also R assume a set of variables, Y = {yk : k ∈ N}, ranging over the reals. The term ( γ) denotes the measure of the set of valuations that satisfy γ. The probabilistic state formulas, ranged over by ξ, ξ1 , . . ., are built from the necessity formulas (2γ), the comparison formulas (p1 ≤ p2 ) and the connectives ⊥ ⊥ and ⊃. The formula (2γ) is true when γ is true of every possible valuation in the semantic structure. Other probabilistic connectives (⊖, ∪, ∩, ≈) are introduced as abbreviations. For instance, (⊖ ξ) stands for (ξ ⊃ ⊥ ⊥). We shall also use (3γ) as an abbreviation for (⊖(2(¬ γ))). Please note that the 2 and 3 are not modalities 9 . We also use any algebraic real number as a constant since√the language of EPPL has enough expressiveness to specify these constants. For instance, 2 ≤ y1 can be written as (y2 y2 = (1 + 1) ∩ y2 ≥ 0) ⊃ y2 ≤ y1 . We will use subtraction and division freely since they can also be expressed in EPPL, for instance x/y = −2 can be written as R ((z + (1 + 1) = 0) ∩ (⊖(y = 0))) ⊃ x = y · z. Finally, the conditional probability term ( γ1 |γ2 ) R R is an abbreviation of ( (γ1 ∧ γ2 ))/( γ2 ). 9

We do not have formulas such as 2(2γ).

121


The notion of occurrence of a term p and a probabilistic state formula ξ1 in the probabilistic state formula ξ can be easily defined. The notion of replacing zero or more occurrences of probability terms and probabilistic formulas can be similarly defined. For the sake of clarity, we shall often drop parentheses in formulas and terms if it does not lead to ambiguity. Example 2.2 Consider again the variant of the Russian roulette described in Example 2.1. R Stating that the coin is fair can be expressed by ( h = 1/2). We can also say the bullet is shot only if the outcome of the coin is heads by 2(b ⇒ h). Similarly, the gambler is dead only if the outcome of the coin toss is heads and the bullet is shot, which can be expressed by 2(d ⇒ b ∧ h). Finally, the fact that the probability of the bullet being shot is 1/6 can be R captured by ( b|h) = 1/6.

2.2

Semantics

Given V ⊆ V , the extent of a classical formula γ in V is defined as |γ|V = {v ∈ V : v c γ}, where c is the satisfaction relation for classical propositional logic. For interpreting the probabilistic variables, we need the concept of an assignment. An assignment ρ is a map such that ρ(y) ∈ R for each y ∈ Y. Given a probabilistic structure (V, µ) and an assignment ρ, the denotation of probabilistic terms and satisfaction of probabilistic state formulas are defined inductively as follows. •

Denotation of probability terms ρ · [[0]](V,µ) = 0 ρ

· [[1]](V,µ) = 1 ρ

· [[y]](V,µ) = ρ(y) ρ

· [[( γ)]](V,µ) = µ(|γ|V ) R

ρ

ρ

ρ

· [[p1 + p2 ]](V,µ) = [[p1 ]](V,µ) + [[p2 ]](V,µ) ρ

•

ρ

ρ

· [[p1 p2 ]](V,µ) = [[p1 ]](V,µ) × [[p2 ]](V,µ)

Satisfaction of probabilistic formulas · (V, µ)ρ (2γ) iff v c γ for every v ∈ V ρ ρ · (V, µ)ρ (p1 ≤ p2 ) iff V 6= 0/ implies ([[p1 ]](V,µ) ≤ [[p2 ]](V,µ) ) · (V, µ)ρ 6 ⊥ ⊥ · (V, µ)ρ (ξ1 ⊃ ξ2 ) iff (V, µ)ρ ξ2 or (V, µ)ρ 6 ξ1

The formula (2γ) is satisfied only if all v ∈ V satisfy γ. The formula (p1 ≤ p2 ) is satisfied if the term denoted by p1 is less than p2 . The formula (ξ1 ⊃ ξ2 ) is satisfied by a semantic model if either ξ1 is not satisfied by the model or ξ2 is satisfied by the model. Entailment is defined as usual: Ξ entails ξ (written Ξ ξ) if (V, µ)ρ ξ whenever (V, µ)ρ ξ0 for each ξ0 ∈ Ξ. Please note that an assignment ρ is sufficient to interpret a useful sub-language of probabilistic state formulas: κ := (a ≤ a) 8 ⊥ ⊥ 8 (κ ⊃ κ) a := 0 8 1 8 x 8 (a + a) 8 (aa). Henceforth, the terms of this sub-language will be called analytical terms and the formulas will be called analytical formulas. 122


2.3

Model–checking EPPL

For the model–checking procedure we assume that the probabilistic structure and assignment are represented using a floating point data structure. We assume that a probabilistic structure (V, µ) for Φ propositional symbols is modelled by a V -array of real numbers; the size of V is at most 2n with n = |Φ|. We also assume that the basic arithmetical operations take O(1) time. Moreover, we assume that we use only a finite number of variables Y and that assignment is a vector of real number of size |Y|. We also assume the definition of the length of a classical formula γ or a probabilistic formula ξ as the number of symbols required to write the formula. The length of a formula ξ (classical or probabilistic) is given by |ξ|. Given a probabilistic structure (V, µ), assignment ρ and a probabilistic formula ξ, the first R step is to evaluate all the terms occurring in ξ. For the probability terms γ, the evaluation takes |V |·|γ| steps as we check the set of valuations that satisfy γ. Once the terms are evaluated, the model–checking algorithm is straightforward. Theorem 2.3 Assuming that all basic arithmetical operations take unit time, there is an algorithm O(|ξ| · |V |) to decide if a probabilistic structure over Φ and an assignment ρ satisfy ξ. Clearly, since in the worst case the probability distribution will span all possible valuations, we have |V | = 2n where n = |Φ|. Observe that in many cases the set of possible valuations is small and it is possible to describe this set in a compact manner, as well as the probabilities associated, we will return to this discussion when we discuss the model–checking procedure of the temporal extension of the logic. 2.4

Axiomatisation of EPPL

The axiomatisation of the EPPL logic presented here relies entirely on that in [9] and will be presented in a summarised way. We need two new concepts for the axiomatisation, namely the notions of probabilistic tautology and of valid analytical formulas. Consider propositional formulas built from a countable set of propositional symbols Q using the classical connectives ⊥ and →. A probabilistic formula ξ is said to be a probabilistic tautology if there exists a propositional tautology β over Q, and a map σ from Q to the set of probabilistic state formulas, such that ξ coincides with β p σ (where β p σ is the probabilistic formula obtained from β by replacing all occurrences of ⊥ by ⊥ ⊥, → by ⊃ and q ∈ Q by σ(q)). For instance, the probabilistic formula ((y1 ≤ y2 ) ⊃ (y1 ≤ y2 )) is tautological (obtained, for example, from the propositional tautology q → q). As noted in Section 2.2 an assignment is enough to interpret all analytical formulas. We say that κ is a valid analytical formula if for any real closed field K and assignment ρ, κ is true for ρ. Clearly, a valid analytical formula holds for all semantic structures of EPPL. It is a well-known fact from the theory of quantifier elimination [17,3] that the set of valid analytical formulas so defined is decidable over algebraic ordered fields. Moreover, since the real numbers consitute a representative model of algebraic ordered fields (that is, if there exists a solution for a systems of inequations written with the terms of EPPL in an algebraic order field, there is also a solution for the real numbers), the decidability result extends over the real numbers. We shall not go into details of this result as we want to focus exclusively on reasoning about probabilistic aspects. The axioms and inference rules of EPPL are listed below. 123

Baltazar, Mateus, Nagarajan, and Papanikolaou •

Axioms · [CTaut] ⊢ (2γ) for each valid formula γ; · [PTaut] ⊢ ξ for each probabilistic tautology ξ · [Lift⇒] ⊢ ((2(γ1 ⇒ γ2 )) ⊃ (2γ1 ⊃ 2γ2 )) · [Eqv⊥] ⊢ ((2⊥) ≈ ⊥ ⊥) · [Ref∧] ⊢ (((2γ1 ) ∩ (2γ2 )) ⊃ (2(γ1 ∧ γ2 ))) · [RCF] ⊢ κ{|~y/~p|} where κ is a valid analytical formula, ~y and ~p are sequences of probability variables and probability terms respectively

•

· · · ·

/ ⊢ (( ⊥) = 0) [Meas0] R R R R [FAdd] ⊢ ((( (γ1 ∧ γ2 )) = 0) ⊃ (( (γ1 ∨ γ2 )) = ( γ1 ) + ( γ2 ))) R [Prob] ⊢ (( ⊤) = 1) R R [Mon] ⊢ ((2(γ1 ⇒ γ2 )) ⊃ (( γ1 ) ≤ ( γ2 ))) R

Inference rules · [CMP] (2γ1 ), (2(γ1 ⇒ γ2 )) ⊢ (2γ2 ) · [PMP] ξ1 , (ξ1 ⊃ ξ2 ) ⊢ ξ2

The axiom CTaut says that if γ is a valid classical formula then (2γ) is an axiom. The axiom PTaut says that a probabilistic tautology is an axiom. Since the set of valid classical formulas and the set of probabilistic tautologies are both recursive, there is no need to spell out the details of tautological reasoning. The axioms Lift⇒, Eqv⊥ and Ref∧ are sufficient to relate (local) classical state reasoning and (global) probabilistic tautological reasoning. The term κ{|~y/~p|} in the axiom RCF is the term obtained by substituting all occurrences of yi in κ by pi . The axiom RCF says that if κ is a valid analytical formula, then any formula obtained by replacing variables with probability terms is a tautology. We refrain from spelling out the details as the set of valid analytical formulas is recursive. The axiom Meas0/ says that the measure of empty set is 0. The axiom FAdd is the finite additivity of the measures. The axiom Mon relates the classical connectives with probability measures and is a consequence of monotonicity of measures. The axiom Prob says that the measure is a probability measure. The inference rules CMP and PMP are the modus ponens for classical and probabilistic implication respectively. As usual we say that a set of formulas Γ derives ξ, written Γ ⊢ ξ, if we can build a derivation of ξ from axioms and the inference rules using formulas in Γ as hypothesis. Theorem 2.4 EPPL is sound and weakly complete. Moreover, the set of theorems is recursive.

3 The Computation Tree Extension - EpCTL In this section we define the computation tree extension to EPPL, which we call exogenous probabilistic computation tree logic (EpCTL). The idea is to consider several probabilistic structures together with a transition relation between them, in other words, a Kripke structure whose nodes are probability structures. This structure is particularly interesting for two rea124


sons. Firstly, it captures the idea, which arises in the study of probabilistic transition systems, that the state space should be described as a distribution of classical states [30,14,9]. Secondly, it is a step towards reasoning about quantum systems, since in such systems a state is described as a probabilistic ensemble of pure quantum states (cf. mixed states, density operators). We will explore both aspects in Section 4 by presenting two detailed examples. We proceed to present the syntax of EpCTL. 3.1

Syntax

The syntax of EpCTL can be easily obtained from the syntax of EPPL. The idea is that at the level of probabilistic state formulas, we also introduce the usual CTL modalities. For the sake of clarity, we recall the definition of classical formulas and probability terms. • • •

Classical formulas γ := Φ 8 ⊥ 8 (γ ⇒ γ)

Probability terms R p := 0 8 1 8 y 8 ( γ) 8 (p + p) 8 (p p) Exogenous probabilistic computation tree logic formulas · δ := (2γ) 8 (p ≤ p) 8 ⊥ ⊥ 8 (δ ⊃ δ) 8 (EXδ) 8 (AFδ) 8 (E[δUδ])

The intuitive semantics of the temporal modalities is similar to that in classical CTL. The modalities are composed by two symbols, where the first one is chosen among E or A, and the second one among X, F, G and the bi-modality U. The second symbol is used for temporal reasoning: X stands for next; F for sometime in the future; G for always in the future; and U for until. The first symbol quantifies over all computation paths: an existential (E - for there exists) path or a universal (A - for all) paths. The combination of the two symbols can be easily understood. For example, the formula EXδ holds in a probability structure (V, p) if there exists a next structure of (V, p) (that is, a structure reachable from (V, p) with a single transition) that satisfies δ. As usual, all CTL modalities are obtained as abbreviations from EX, AF and EU. • • • • •

(AX δ) for ⊖ EX(⊖ δ);

(EF δ) for ⊖(E[(⊖ ⊥ ⊥)Uδ]);

(AG δ) for ⊖(EF(⊖ δ));

(EG δ) for ⊖(AF(⊖ δ));

A[δ1 Uδ2 ] for ⊖(E[(⊖ δ2 )U(⊖ δ1 ∩ ⊟ δ2 )]) ∩ (⊖(EG(⊖ δ2 ))).

Example 3.1 Consider again the Russian roulette variant from Example 2.1 together with some temporal primitives. First, we will like to state that the bullet can not be shot before the R R outcome of the coin is heads, which can be expressed as A[(( b) = 0)U(( h) > 0)]. Suppose that the gambler is always playing this game alone, clearly the probability of killing himself R tends asymptotically to 1, we can capture this statement with ((x < 1) ⊃ AF(( d) > x)). 3.2

Semantics

A probabilistic Kripke structure is a pair (P , R) where P is a set of probabilistic structures and R ⊆ P × P is a total transition relation, that is, for any (V, µ) ∈ P there exists (V ′ , µ′ ) such that (V, µ) R (V ′ , µ′ ). The notion of probabilistic Kripke structure is very general, and, as we 125


shall see, it is capable of capturing Markov transitions (and more) as well as systems with both non–deterministic and probabilistic transitions. Example 3.2 Consider the Russian roulette from Example 2.1, and consider that the gambler plays the game twice and then, if alive, halts. The probabilistic Kripke structure is such that / {h}, {h, b, d}}. all probability structures involved have the set of admissible valuations V = {0, / = 1. The probability distribution over V evolves Assume that the initial distribution µ0 is µ(0) accordingly to the following stochastic matrix   1

5

1

 2 12 12   5 1  M =  21 12  12   0 0 1

so, assuming that the gambler’s only choice is to play twice and then halt if alive, we have that / = 1/2, µ1 ({h}) = 5/12 and µ1 ({h, b, d}) = 1/12; moreover, µ1 R µ2 , with µ0 R µ1 and µ1 (0) / µ2 (0) = 11/24, µ2 ({h}) = 55/144 and µ2 ({h, b, d}) = 23/144; and finally µ2 R µ2 . The interpretation of probabilistic terms is defined as before. The satisfaction of a temporal formula is defined over a probabilistic Kripke structure (P , R), a probabilistic structure (V, µ) ∈ P and an assignment ρ. •

(P , R), (V, µ), ρ (2γ) iff (V, µ), ρ (2γ);

•

(P , R), (V, µ), ρ (p1 ≤ p2 ) iff (V, µ), ρ (p1 ≤ p2 );

• •

(P , R), (V, µ), ρ 6 ⊥ ⊥;

(P , R), (V, µ), ρ (δ1 ⊃ δ2 ) iff (P , R), (V, µ), ρ 6 δ1 or (P , R), (V, µ), ρ δ2 ;

•

(P , R), (V, µ), ρ (EXδ) iff (P , R), (V ′ , µ′ ), ρ δ with (V, µ) R (V, µ);

•

(P , R), (V, µ), ρ (AFδ) iff for all path π over R starting in (V, µ) there exist k ∈ N such that (P , R), πk , ρ δ;

•

(P , R), (V, µ), ρ (E[δ1 Uδ2 ]) iff there exist path π over R starting in (V, µ) and k ∈ N such that (P , R), πk , ρ δ2 and (P , R), πi , ρ δ1 for every i ≤ k;

where πi denotes the i-element of the path π. We say that (P , R) δ iff (P , R), (V, µ), ρ δ for all (V, µ) ∈ P and assignment ρ.

Example 3.3 Consider the probabilistic Kripke structure (P , R) of Example 3.2. The structure R satisfies the property that the probability of dying is non decreasing, that is, (P , R) ((( d) = R x) ⊃ (AG(( d) ≥ x))). 3.3

Model–checking EpCTL

We now address the problem of model–checking a temporal formula. Following the usual model–checking technique for CTL, the goal is to compute the set Sat(P ,R),ρ (δ) := {(V, µ) ∈ P : (P , R), (V, µ), ρ δ} for a probabilistic Kripke structure (P , R), assignment ρ and formula δ. This is called the global model–checking problem. Before presenting the model–checking algorithm, it is useful to introduce some notation for relations, namely in the context of a probabilistic Kripke 126


structure (P , R). We denote by R−1 the inverse relation of R, that is, (V, µ)R−1 (V ′ , µ′ ) iff (V ′ , µ′ )R(V, µ). Given a set of probabilistic strucutures X ⊆ P , we denote by R X the set {(V, µ) ∈ P : there exists (V ′ , µ′ ) ∈ X such that (V ′ , µ′ )R(V, µ)}. We are now able to present a model–checking algorithm, adapted from the usual algorithm for CTL: (i) Sat(P ,R),ρ (2γ) = {(V, µ) ∈ P : (V, µ), ρ (2γ)}; (ii) Sat(P ,R),ρ (p1 ≤ p2 ) = {(V, µ) ∈ P : (V, µ), ρ (p1 ≤ p2 )};

(iii) Sat(P ,R),ρ (δ1 ⊃ δ2 ) = (P \ Sat(P ,R),ρ (δ1 ) ∪ Sat(P ,R),ρ (δ2 ); (iv) Sat(P ,R),ρ (EXδ) = R−1 Sat(P ,R),ρ (δ); (v) Sat(P ,R),ρ (AFδ) = FixedPoint[F(AFδ) ] with

F(AFδ) (X ) = Sat(P ,R),ρ (δ) ∪ {(V, µ) ∈ P : R{(V, µ)} ⊆ X }; (vi) Sat(P ,R),ρ (E[δ1 Uδ2 ]) = FixedPoint[FE[δ1 Uδ2 ] ] with FE[δ1 Uδ2 ] (X ) = Sat(P ,R),ρ (δ2 ) ∪ (Sat(P ,R),ρ (δ1 ) ∩ R−1X ). In general, a probabilistic Kripke structure requires exponential space (over the number of propositional symbols) due to the exponential spanning of probabilities on the distribution over the valuations. For this reason, the model–checking algorithm takes exponential time on the number of propositional symbols, but it is polynomial on the size of the probabilistic Kripke structure and the complexity of the formula. Theorem 3.4 Assuming that all basic arithmetical operations take unit time, the model–checking algorithm for EpCTL takes O(|δ|2 · |P |2 · 2n ) time for inputs (P , R), ρ and δ, where δ is written with n propositional symbols. It is well known that a slightly better algorithm can be obtained if EG is taken as a basic modality instead of AF, but we refrain from doing so here. Although the algorithm is exponential in the worst case, it assumes that a probability distribution over valuations is encoded as a vector of probabilities. Clearly, for particular relevant cases, there are much more efficient and compact encodings; we are currently investigating which probability distributions can be encoded efficiently. 3.4

Expressiveness and Scope

In this section we discuss the scope and expressiveness of EpCTL. Substantial work has been done on model–checking probabilistic behaviour, namely using PCTL and probabilistic transition systems [2]. In order to fully understand the scope of EpCTL we will show how one can construct a probabilistic Kripke structure from a probabilistic transition system encompassing both probability and non–determinism [19]. To this end we consider the following simplified notion of probabilistic transition systems that we adapted from [2]. Definition 3.5 A probabilistic transition system is a tuple T = (S, A, M) where S is a set of states, A is a set of (non-deterministic) actions and M = {Ma }a∈A is a Markov chain over S for each a ∈ A. A probabilistic transition system evolves by a (non–deterministic) scheduler that chooses an action a ∈ A and then the stochastic transition Ma occurs. As usual in temporal reasoning, 127


we disregard the set of actions A that induce the transitions, and care only about the transitions. It is useful to describe a probabilistic transition systems as a stochastic process {Xw }w∈A∗ where each random variable X ranges over S and A∗ (words correspond to generative choices of the scheduler) constitutes the index space. To generate a probabilistic Kripke structure one requires an initial distribution over the states, say Xε , and a labeling function ℓ : S → 2Φ . For the sake of simplicity, we assume that S is denumerable, and thus each random variable Xw can be presented as a map Xw : S → [0, 1] associating to each state its probability. The labeling function ℓ maps each state to the set of propositional symbols holding in that state. Given a choice by the scheduler w ∈ A∗ we describe the evolution of the state by the stochastic matrix Mw = Man . . . Ma1 with w = a1 . . . an , and the resulting state is Xw = Mw .Xε 10 . It is easy to extract a probabilistic structure (V, µw ) from each Xw by taking V = 2Φ and µw (v) = ∑s:ℓ(s)=v Xw(s). It is easy to construct a probabilistic Kripke structure (P , R) over Φ, by taking P = {(2Φ , µw ) : w ∈ A∗ } and (2Φ , µw )R(2Φ , µw′ ) iff w′ = w.a for some a ∈ A 11 . Observe that the constructed relation R does not need to be a tree, since it may happen that (2Φ , µw ) = (2Φ , µw′ ) for w 6= w. Taking into account the above construction we have a common ground to understand better the differences between EpCTL and PCTL. PCTL enables reasoning about the distribution over paths in probabilistic transition systems while EpCTL is designed for reasoning about the evolution of the distribution of propositional symbols. Depending on the application, it can be better or worse to model a given property using distributions over paths or over the propositional symbols, since both approaches are valid, but quite different. Hence, the PCTL formula AG>q ϕ states that, for any choice of the scheduler, the measure of paths satisfying Gϕ R is greater than q. On the other hand the EpCTL formula AG( ϕ > q) means that for any choice of the scheduler, all the state distributions reached are such that the probability of ϕ holding is greater than q. Given that in PCTL the probabilities are endogenous in the modalities, it does not seem to be possible to express some more sophisticated types of property, such as: R R AG(( ϕ1 · ϕ2 ) > q). Observe also that it is common to describe the state of a random (distributed) algorithm or protocol as a probability distribution over the memory cells [30,14,9]. In this case, EpCTL is particularly suitable because the state logic EPPL reasons about distributions over memory cells (Boolean registers = propositional symbols), while state evolution is captured by the temporal modalities. This is the main motivation behind the design of EpCTL, and is fully explored in Section 4, where two examples are described in detail. On the other hand, it is worthwhile noting that for model–checking EpCTL one requires the number of reachable probability distributions over states to be finite. While in many security protocols and terminating random algorithms the number of reachable distributions is finite, in a distributed setting, where processes run forever this might not be the case. Observe that a probabilistic Kripke structure (P , R) does not impose any restrictions on two related distributions (V, µ) and (V ′ , µ′ ). This makes it possible to model general stochastic processes, not only Markov chains. This matters little in practice, since, in the majority of applications, it is heterogeneous Markov chains that are used to describe system evolution. Clearly the differences between PCTL and EpCTL need to be investigated further, and we will 10

Observe that {Xw }w∈A∗ constitutes a so–called heterogeneous Markov chain, given that for each temporal line of choices, that is, infinite word w, the associated (sub)stochastic process Y w = {Yiw }i∈N with Yiw = Xw0 ...wi is a Markov chain Φ 11 The stochastic process {µ } w w∈A∗ ranging over 2 is a so–called Markov modulated process, given that it is modulated by {Xw }w∈A∗

128


endeavour to do so in the full version of this paper. 3.5

Axiomatisation of EpCTL

Given a complete axiomatisation for the state logic EPPL, a sound proof system for the EpCTL follows directly; we adapt known complete axiomatisations for CTL. •

•

Axioms · [Inq] All valid EPPL formulas; · [Taut] All tautologies with propositional symbols substituted by EpCTL formulas; · [EX] ⊢ EX(δ1 ∪ δ2 ) ≡ EXδ1 ∪ EXδ2 · [X] ⊢ AX(⊖ ⊥ ⊥) ∩ EX(⊖ ⊥ ⊥) · [EU] ⊢ E[δ1 Uδ2 ] ≡ δ2 ∪ (δ1 ∩ EXE[δ1 Uδ2 ]) · [AU] ⊢ A[δ1 Uδ2 ] ≡ δ2 ∪ (δ1 ∩ AXA[δ1 Uδ2 ]) · [AG1] ⊢ AG(δ3 ⊃ ((⊖ δ2 ) ∩ EXδ3 )) ⊃ (δ3 ⊃ (⊖ A[δ1 Uδ2 ])) · [AG2] ⊢ AG(δ3 ⊃ ((⊖ δ2 ) ∩ (δ1 ⊃ AXδ3 ))) ⊃ (δ3 ⊃ (⊖ E[δ1 Uδ2 ])) · [AG3] ⊢ AG(δ1 ⊃ δ2 ) ⊃ (EXδ1 ⊃ EXδ2 ) Inference rules · [QMP] δ1 , (δ1 ⊐ δ2 ) ⊢ δ2 · [AGen] δ1 ⊢ AGδ1

While it is out of the scope of this paper to give a (weakly) complete set of axioms for EpCTL, we intend to provide them in the final version.

4 Illustrative Examples In order to demonstrate the expressiveness of EpCTL, we consider a couple of examples from the literature, starting with a model of the contract-signing protocol due to Ben-Or et al. [6]. We then consider a simple example of a protocol from the area of quantum cryptography, the quantum one–time pad [1], noting that this particular protocol may be modelled entirely in a probabilistic setting, and its properties formalised in a classical probabilistic (as opposed to specifically quantum) formalism. 4.1

A Contract Signing Protocol

The problem of contract signing is to find a way of getting two users, A and B, to commit to a contract C in such a way that neither party may falsely convince the other that the former has signed. In other words, A and B must sign the contract together, without one party gaining any advantage over the other. The traditional solution to the problem is for A and B to sign C simultaneously, but this is only possible if A and B are in physical proximity. Assuming that A and B are spatially separated, the only way for contract signing to be achieved is through a communication protocol, although it is likely that, at different stages of such a protocol, one party will have a relative advantage over the other. The objective of a “fair” contract signing protocol, such as the one proposed by Ben-Or et al. [6] (henceforth referred to simply as the BGMR protocol) is to constrain this relative advantage so that it remains within specific bounds tolerated and agreed upon by both users. The BGMR protocol assumes the setting of a network of users (we focus only on the two user case) with a signature scheme in operation. Only user U is assumed capable of producing 129


U’s signature on message m (unforgeability) and any other user is assumed capable of verifying the validity of U’s signature on m (universal verifiability). The protocol assumes that neither user A nor user B wants to be committed to contract C unless the other user is, and makes it possible for A and B to sign C by exchanging commitments. The notion of fairness for the protocol is defined as the property that, the conditional probability with which “B is not privileged” given that “A is privileged” is always small. Formally, the BGMR protocol is said to be (v, ε)–fair, this being defined as follows. Definition 4.1 A contract signing protocol is (v, ε)–fair for A if the following holds, for any contract C , when A follows the protocol properly: At any step of the protocol in which the probability that “B is privileged” is greater than v, the conditional probability that “A is not privileged” given that “B is privileged” is at most ε. If A and B are assumed to be dishonest, then a third party – a judge – must be invoked during the protocol in order to provide an independent judgement as to whether the contract is to be considered binding for both users. During the protocol, A and B exchange signed messages of the following form: m = (C, p,U ) = “ With probability p, the contract C shall be valid. Signed, User U . ” When message m is received, the recipient is said to be privileged with probability p, meaning that invocation of the judge will result in him ruling that contract C is binding to A and B with probability p. If the protocol does not terminate successfully by a pre–agreed date D, one of the two users invokes an early stopping procedure. We are now ready to state the BGMR protocol in detail. Steps 1–5 are for initialization of protocol parameters. (i) Parties A and B agree who goes first and set a termination date D. We assume that A is to go first. (ii) Party A chooses the conditional probability v that “B is privileged” while “A is not privileged.” (iii) Party A chooses the parameter α > 1 such that, the conditional probability that “A is privileged” given that “B is privileged” is at least α1 . (iv) Party B chooses β > 1 such that, the conditional probability that “B is privileged” given that “A is privileged” is at least β1 . (v) The protocol is initialised with λA = λB = 0. The symbol λA stores the probability mentioned in the message last sent from A, and similarly λB stores the probability mentioned in the message last transmitted from B. (vi) A and B perform the following procedures alternately: A-step. User A denotes the probability mentioned in the last message received by p. A then checks whether p > λA . If so, then A sets λA := max(v, min(1, p · α)). Otherwise, A assumes the protocol has been terminated. A then transmits message (C , λA , A) to B. B-step. User B denotes the probability mentioned in the last message received by p. B then checks whether p > λB . If so, then B sets λB := min(1, p · β). Otherwise, B assumes the protocol has been terminated. B then transmits message (C , λB , B) to B. The details of the judge’s procedure, and of the early stopping procedure, are to be found in [6]. An analysis of the protocol has been performed using the PRISM model-checker by 130


Norman and Shmatikov [27]. The essential point about the BGMR protocol is that it ensures a specified degree of fairness, characterised by the constants v and ε. At the end of the protocol, both parties need to be privileged. We formalise the notion of (v, ε)–fairness using EpCTL in what follows. We establish the set Φ = {ϕA , ϕB } of propositional constants, where ϕA corresponds to the truth of the event “A is privileged,” and similarly ϕB is true if “B is privileged.” To express the fairness property, we regard the protocol parameter ε as a real variable, namely a member of the set Y defined in Section 2. The probability v which party A fixes in step (ii) above may be expressed as the following term in EpCTL : v = ( ϕB |(¬ϕA )) R

In steps (iii) and (iv) of the protocol, parties A and B fix the parameters α and β respectively such that the following EpCTL properties are true: 1 α R 1 (2) ( ϕB |ϕA ) > β (1) ( ϕA |ϕB ) > R

The property of (v, ε)–fairness may be expressed thus: AG ((( ϕB ) > v) ⊃ (( (¬ϕA )|ϕB ) 6 ε)) R

R

that is to say, in all paths of the protocol, the probability that “A is not privileged” given that B is, assuming that the probability of “B being privileged” is greater than v, remains less than ε. Note that we are using the comparators >, > freely; these may be expressed in terms of the 6 operator in the formal syntax of EpCTL. 4.2

Quantum One Time Pad

A qubit is the basic memory unit in quantum computation (just as a bit is the basic memory unit in classical computation). The state of a qubit is a pair (α, β) of complex numbers such that |α|2 + |β|2 = 1. A quantum one time pad [1] encrypts a qubit using two key (classical) bits in a secure way: observing the encrypted qubit yields two results, both with equal probability. In the special case that α and β are real numbers one bit key ϕK suffices. If ϕK = 1 then the qubit is encrypted as the pair (β, −α), otherwise it remains the same. We consider that a real number α is encoded using floating point representation, namely a vector of propositional symbols ϕα1 . . . ϕαn which we denote just by ϕα . We will abbreviate by α = β the classical β β formula (ϕα1 ⇔ ϕ1 ) ∧ . . . ∧ (ϕαn ⇔ ϕn ). The following program simulates this process by first generating a random key and then encrypting the qubit (α, β): (i) Let ϕK := outcome of a fair Bernoulli trial; (ii) If (ϕK = 1) then (a) γ := α (b) α := β (c) β := −γ

Assume that the initial values of α and β are c and d respectively (with c 6= d). It follows from quantum information theory that in order to prove the security of the quantum one-time pad, it suffices to show that the probability after the encryption of α being c is 21 (and hence of 131


α being d is also 21 ). We can use our logic and model checking procedure to show the above by considering the probabilistic Kripke structure induced by the encryption program. Assume that the program induces a single transition in the Kripke structure, and from that point on the probability distribution over the states remains the same. Therefore, the security of the quantum one-time pad is equivalent to checking that all initial states fulfill (2(α = c ∧ β = d ∧ (¬(c = d)))) ⊃ AX(( (α = c)) = 12 ). R

5 Summary and Conclusion In this paper we have introduced a probabilistic branching-time logic, EpCTL, which may be regarded as a temporal extension of the exogenous probabilistic state logic EPPL. We have stated the syntax and semantics of EPPL, considered the model–checking problem for formulas in this state logic, and presented an axiomatisation for it. We described the EpCTL extension, stating syntax, semantics, and model–checking issues in an analogous way to EPPL. The expressiveness of EpCTL was discussed, and an axiomatisation was given. We demonstrated the use of EpCTL as a means of expressing properties of two security protocols: a classical probabilistic contract signing protocol, and the quantum one–time pad. Our approach has been inspired by earlier work by Halpern, and we expect the probabilistic temporal logic EpCTL to serve as a useful alternative to related classical logics such as PCTL. Future work will include refining the axiomatisation of EpCTL, considering possible improvements to the model–checking algorithm, and implementing the algorithm. Further work on case studies is necessary, especially with a view to classifying and verifying the types of properties which typically arise in security. We hope this work will serve as a basis for ongoing work in developing an exogenous, temporal quantum logic for model–checking general quantum protocols. A quantum state logic, exogenous quantum propositional logic (EQPL) was proposed in [23]; we intend to provide a temporal extension of that logic, extending the techniques described in the present paper. Thus we have the necessary ingredients for building a dedicated model–checking tool for the analysis of quantum cryptographic and communication systems, which is one of our long-term goals.

References [1] Ambainis, A., M. Mosca, A. Tapp and R. de Wolf, Private quantum channels, in: FOCS ’00: Proceedings of the 41st Annual Symposium on Foundations of Computer Science (2000), p. 547. [2] Baier, C. and M. Z. Kwiatkowska, Model checking for a probabilistic branching time logic with fairness, Distributed Computing 11 (1998), pp. 125–155. URL citeseer.ist.psu.edu/article/kwiatkowska96model.html [3] Basu, S., R. Pollack and R. M.-F. coise, “Algorithms in Real Algebraic Geometry,” Springer, 2003. [4] Beauquier, D., A. M. Rabinovich and A. Slissenko, A logic of probability with decidable model-checking, in: CSL ’02: Proceedings of the 16th International Workshop and 11th Annual Conference of the EACSL on Computer Science Logic (2002), pp. 306–321. [5] Ben-Ari, M., Z. Manna and A. Pnueli, The temporal logic of branching time, in: POPL ’81: Proceedings of the 8th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (1981), pp. 164–176. [6] Ben-Or, M., O. Goldreich, S. Micali and R. L. Rivest, A fair protocol for signing contracts, IEEE Transactions on Information Theory 36 (1990), pp. 40–46. [7] Carnielli, W. A., Possible-translations semantics for paraconsistent logics, in: Frontiers of Paraconsistent Logic (Ghent, 1997), Studies in Logic and Computation 8 (2000), p. 149163.

132

Baltazar, Mateus, Nagarajan, and Papanikolaou [8] Carnielli, W. A. and M. Lima-Marques, Society semantics and multiple–valued logics, in: Advances in Contemporary Logic and Computer Science (Salvador, 1996), Contemporary Mathematics 235 (1999), pp. 33–52. ´ [9] Chadha, R., P. Mateus and A. Sernadas, Reasoning about states of probabilistic sequential programs, in: Z. Esik, editor, Computer Science Logic 2006 (CSL06), Lecture Notes in Computer Science 4207, Springer-Verlag, 2006 pp. 240–255. [10] Clarke, E. M. and E. A. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logics, in: Proceeding of the Workshop on Logics of Programs, LNCS 131, Springer-Verlag, 1981 . [11] Clarke, E. M. and E. A. Emerson, Design and synthesis of synchronization skeletons using branching-time temporal logic, in: Logic of Programs, Workshop (1982), pp. 52–71. [12] Clarke, E. M., E. A. Emerson and A. P. Sistla, Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Trans. Program. Lang. Syst. 8 (1986), pp. 244–263. [13] Clarke, E. M. and J. M. Wing, Formal methods: state of the art and future directions, ACM Comput. Surv. 28 (1996), pp. 626–643. [14] den Hartog, J. and E. de Vink, Verifying probabilistic programs using a hoare like logic, International Journal of Foundations of Computer Science 13 (2002), pp. 315–340. [15] Fagin, R., J. Y. Halpern and N. Megiddo, A logic for reasoning about probabilities, Information and Computation 87 (1990), pp. 78–128. URL citeseer.ist.psu.edu/fagin90logic.html [16] Hansson, H. and B. Jonsson, A logic for reasoning about time and reliability, Formal Aspects of Computing 6 (1994), pp. 512–535. URL citeseer.ist.psu.edu/hansson94logic.html [17] Hodges, W., “Model Theory,” Cambridge University Press, 1993. [18] Kripke, S., Semantical analysis of modal logic I. Normal modal propositional calculi, Zeitschrift für Mathematische Logik und Grundlagen der Mathematik 9 (1963), pp. 67–96. [19] Kwiatkowska, M., G. Norman and D. Parker, Prism: Probabilistic symbolic model checker, in: TOOLS ’02: Proceedings of the 12th International Conference on Computer Performance Evaluation, Modelling Techniques and Tools (2002), pp. 200–204. [20] Kwiatkowska, M., G. Norman and D. Parker, Probabilistic model checking in practice: case studies with prism, SIGMETRICS Perform. Eval. Rev. 32 (2005), pp. 16–21. [21] Kwon, Y. and G. Agha, Linear inequality LTL (iLTL): A model checker for discrete time Markov chains, in: J. Davies, W. Schulte and M. Barnett, editors, Proceedings of 6th International Conference on Formal Engineering Methods (ICFEM 2004), Lecture Notes in Computer Science 3308 (2004). [22] Mateus, P. and A. Sernadas, Exogenous quantum logic, in: W. Carnielli, F. Dion´ısio and P. Mateus, editors, Proceedings of CombLog’04, Workshop on Combination of Logics: Theory and Applications (2004), pp. 141–149. [23] Mateus, P. and A. Sernadas, Reasoning about quantum systems, in: J. Alferes and J. Leite, editors, Logics in Artificial Intelligence, Ninth European Conference, JELIA’04, Lecture Notes in Artificial Intelligence 3229 (2004), pp. 239–251. [24] Mateus, P. and A. Sernadas, Weakly complete axiomatization of exogenous quantum propositional logic, Information and Computation 204 (2006), pp. 771–794, arXiv math.LO/0503453. URL http://www.elsevier.com/wps/find/journaldescription.cws_home/622844/description#description [25] Mateus, P., A. Sernadas and C. Sernadas, Exogenous semantics approach to enriching logics., in: G. Sica, editor, Essays on the Foundations of Mathematics and Logic (2005), pp. 165–194. [26] Nilsson, N. J., Probabilistic logic, Artificial Intelligence 28 (1986), pp. 71–87. [27] Norman, G. and V. Shmatikov, Analysis of probabilistic contract signing, Journal of Computer Security (2006), to appear. [28] Papanikolaou, N., “Techniques for Design and Validation of Quantum Protocols,” Master’s thesis, Department of Computer Science, University of Warwick (2005), also available as Research Report CS-RT-413. [29] Pnueli, A., The temporal logic of programs, in: Proceedings of the 18th IEEE Symposium on Foundations of Computer Science (FOCS 1977), 1977, p. 4657. [30] Ramshaw, L. H., “Formalizing the analysis of algorithms.” Ph.D. thesis, Stanford University (1979).

133


Appendix A

Proof of Theorem 2.3

Proof. First notice that the terms that take longer to evaluate are those of the type ( γ) and R (2γ). The number of terms of type ( γ) is bounded by |ξ|. To evaluate one of these terms we require O(|V |) time corresponding to traveling throughout all the valuations satisfying γ and R summing all the associated probabilities. So, computing all ( γ) terms takes O(|ξ|.|V |) time. The same expression will be obtained to check the satisfaction of (2γ). After these values are obtained, the remaining computation (comparing terms, negating a boolean value, and making implications between boolean values) takes at most O(|ξ|) time. Hence, the total time to decide if a if a probabilistic structure over Φ and an assignment ρ satisfy ξ is O(|ξ|.|V | + |ξ|) = O(|ξ|.|V |). 2 R

B Proof of Theorem 2.4 Proof. The result follows from the fact that EPPL logic present here is a sublanguage of that presented in [9], for which the corresponding axiomatisation is proved to be sound and weakly complete. Hence, for further details look at [9]. 2

C

Proof of Theorem 3.4

Proof. The propositional CTL model–checking algorithm takes O(|δ| · |P |2 ) (see [10] for a detailed analysis). So, if we consider each (2γ) and p1 ≤ p2 to be a propositional symbol, the time complexity of the algorithm would be O(|δ| · |P |2 ). Finally, since checking if these formulas are satisfied by a (P , µ) and ρ takes O(|δ| · 2n ) (c.f. Theorem 2.3) we derive the desired upper bound. Recall that we consider all arithmetic computations to be O(1) by using floating point representation for the real numbers. 2

134


Stochastic Modelling of Communication Protocols from Source Code Michael J. A. Smith1 ,2 Laboratory for Foundations of Computer Science University of Edinburgh Edinburgh, United Kingdom

Abstract A major development in qualitative model checking was the jump to verifying properties of source code directly, rather than requiring a separately specified model. We describe and motivate similar extensions to quantitative/performance analyses, with particular emphasis on communication protocols. The central aim is to extract a stochastic model (in the PEPA language) from such source code. We construct a model compositionally, so that each function in the system corresponds to a sequential PEPA process. Such a process is derived by abstract interpretation over the state machine of a function, using interval abstraction to represent linear expressions of integer variables. We illustrate this by an analysis of a simple protocol. Keywords: Performance modelling, Stochastic process algebra, Static analysis, Communication protocols

1

Introduction

Communication protocols are notoriously difficult to get right. Not only do the usual challenges of distributed and concurrent programming apply, but they provide a service that other applications depend upon. Thus the performance of a protocol is critical to its success. For example, if a routing protocol fails to react quickly to changes in topology, the network can be brought to a standstill. Similarly, a reliable transport-layer protocol must be able to maintain a reasonable throughput, even when the network is congested. Because of this, it is vital to understand the performance characteristics of these protocols. There are currently two approaches to analysing such performance properties; either we dynamically take measurements from the real system, or we build an abstract model, which can then be analysed. The former includes techniques such as code profiling and operational analysis (as applied to the measurements taken), which can give accurate figures if we have access to the deployed system. The 1 This work was funded partly by the Engineering and Physical Sciences Research Council, and partly by a Microsoft Research European Scholarship 2 Email:[email protected]


Smith

latter includes simulation and mathematical modelling (at various degrees of abstraction), which are much more useful for explaining the behaviour of the system, and predicting its behaviour before deployment, but require a separate model to be developed. Simulations are often complicated, and may contain bugs. On the other hand, mathematical modelling is beyond the skill of the typical programmer, and also prone to mistakes. Stochastic extensions to existing formalisms in concurrency theory, such as process algebra, have considerably mitigated this last problem. In particular, the Performance Evaluation Process Algebra (PEPA) [10] is a high-level and compositional language, in which models describe continuous time Markov chains (CTMCs). This is arguably more intuitive, and less prone to error, than working directly with these mathematical structures. Despite these advances, performance models are still very much removed from implementations. Work has been done to derive PEPA models from UML [3], but this is at a higher level than the implementation itself. In most cases, the model is validated empirically, by comparing its predictions to measurements taken from the real system (and refining the model if necessary). However, when the source code of the system is available, we can obtain a much more definite handle on what it means for a model to be correct. In this paper we present the first steps towards solving this problem, by describing an abstraction to a performance model, directly from source code. In the world of qualitative model checking, where we are concerned with just the possibility of certain behaviours, this step has already been taken. SLAM [2] and Blast [9] both use predicate abstraction and counter-example guided refinement to verify such properties directly on real code, written in C. However, we cannot simply apply the same approach in a quantitative setting, since we do not have a well-defined notion of counter-example. Indeed, the problem is made much more difficult since we need to determine the probability of control-flow decisions, given some abstract environment of the program’s variables. The search space of such abstractions is simply too large to explore by a sequence of refinements, and so we must avoid initially over-abstracting the program. The benefits of such a technique for model extraction are numerous, and can be applied to more general distributed systems (web services being a prime example), rather than just communication protocols. Our main motivations are as follows. Firstly, we want to encourage wider application of performance analysis techniques, r Static Driver Veriby providing a tool that non-specialists can use. Microsoft ’s fier (SDV) [1] is a good example of how theory can be successfully applied in this way. Secondly, we want to allow non-functional testing to take place throughout the development cycle, rather than just at the end. We can do this by enabling performance evaluation of partially completed code. Finally, we wish to allow developers to verify that a protocol (or more general distributed system) satisfies some performance contract, or service-level agreement (SLA). The work in [7] takes some steps towards this, but at a more abstract level, in the context of web services. In this paper, we begin by introducing the structure of the protocols we will be analysing, and the language of the source code we consider, in Section 2. We then briefly introduce the PEPA language in Section 3. In the following two sections 136

Smith

(4 and 5 respectively), we describe how to construct a PEPA model first at the structural level (i.e. how to build a model of the system from models of the functions) and then at the functional level (i.e. how to build a model of a function from its source code). To illustrate this, we analyse a simple transport protocol in Section 6. We conclude with some comments on future work in Section 7.

2

Communication Protocols and Source Code

In this paper, we will limit our analysis to that of end-to-end communication protocols. In other words, we will not consider hop-by-hop protocols, such as those used for routing, since representing the topology of such systems leads to an unmanageable state space. We do, however, wish to deal with real protocols, and so we need to analyse real-world languages. In this case, that means C. There exist a number of tools for handling C, such as CCured [18], which together with the C Intermediate Language (CIL) [17] provides a cleaner (and type-safe) framework for analysis. However, even with the aid of these tools, the analysis of arbitrary programs is uncomputable (if we wish to retain some notion of the error involved). Fortunately, most protocols do not exhibit complex looping or recursive behaviour, so we can justifiably consider only a subset of the language. Let us take a subset of C, with only integer variables, boolean variables and enumeration types. In addition, we impose the following restrictions: (i) No pointers. We intend to relax this in future work, but that is beyond the scope of this paper. (ii) No recursion. In general this is beyond our ability to model in a Markovian setting, due to the memoryless property of states. Note that we can model tail recursion, if the analog of condition 4 below holds, but since this is equivalent to iteration (it does not require a stack), we will not discuss this further. P (iii) We allow only linear conditions of the form ni=1 ai xi {} c, where ai and c are integer constants. (iv) Loop variables must be memoryless with respect to previous iterations of the loop, or else vary linearly with time. In other words, on each iteration, a loop variable must either be set independently of its previous value, or incremented/decremented each time by a constant.

The restriction on conditions is quite a strict one. In particular, we can see that procedures like exponential backoff do not satisfy this. We expect that this restriction can be relaxed somewhat (for example, allowing bit-shifting operations to access flags in a field of a packet), but that is the subject of future work.

3

The PEPA Language

The target of our abstraction is a PEPA model. In PEPA, a system is a set of concurrent components, which are capable of performing activities. An activity a ∈ Act is a pair (α, r), where α ∈ A is its action type, and r ∈ R+ ∪ {⊤} is the rate of the activity. This rate parameterises an exponential distribution, and if unspecified (denoted ⊤), the activity is said to be passive. This requires another 137

Smith

component in cooperation to actively drive the rate of this action. PEPA terms have the following syntax: P := (α, r).P | P1 + P2 | P1

P2 | P/L | A L

We briefly describe these combinators as follows. For more detail, see [10]. •

Prefix ((α, r).P ): the component can carry out an activity of type α at rate r to become the component P .

•

Choice (P1 + P2 ): the system may behave either as component P1 or P2 . The current activities of both components are enabled, and the first activity to complete determines which component proceeds. The other component is discarded.

•

Cooperation (P1 P2 ): the components P1 and P2 synchronise over the cooperL ation set L. For activities whose type is not in L, the two components proceed independently. Otherwise, they must perform the activity together, at the rate of the slowest component. At most one of the components may be passive with respect to this action type.

•

Hiding (P/L): the component behaves as P , except that activities whose type is in L are hidden, and appear externally as the unknown type τ .

•

Constant (A = P ): the name A is assigned to component P .

def

The operational semantics of PEPA defines a labelled multi-transition system, which induces a derivation graph for a given component. Since the duration of a transition in this graph is given by an exponentially distributed random variable, this corresponds to a CTMC. There are many alternative formalisms that could be applied in this setting, but a Markovian approach has the advantage that it can be solved analytically. We choose CTMCs over discrete-time Markov chains, since we our execution model is at a higher level than that of a clocked processor. As we shall see, the states in the model correspond to basic blocks in the code, each having a different duration that is not deterministic (the processor may be pre-empted, etc.). Hence a continuous-time setting where we can attribute a rate seems most appropriate. Note that all choices in the model take some amount of time, since some condition must be evaluated, so we do not need zero-duration activities.

4

Structural Modelling

Assuming that we can model the behaviour of a function, what does a model of the system look like? For an end-to-end protocol, we have two clients, A and B, which communicate over a network. The operation of the protocol is driven by events, which fall into three categories – user interactions (i.e. telling the protocol to do something), receiving packets over the network, and timeouts. This is shown schematically in Figure 1, and leads to the following general form of the PEPA system equation, where the action sets U , T , R and S define the interfaces between the components: (User

Timer ) ClientA UA

TA

SAB ∪RBA

N etwork

138

SBA ∪RAB

(User

Timer ) ClientB UB

TB

Smith

Fig. 1. The structure of an end-to-end protocol

Furthermore, a client X will have the following form at the top-level: def

ClientX =

X

(recv i , ⊤).RecvX i +

i

X

(usercall j , ⊤).UserCallX j + (timeout , ⊤).TimeoutX

j

where i ranges over the abstract environment space of packets (i.e. it encodes an abstracted version of the packet contents), and j over that of the user interface (i.e. the API calls, and corresponding arguments, that the user can make). The states RecvX , UserCallX , and TimeoutX correspond to models of the corresponding functions on the client, whose construction is described in Section 5. Note that this implies a single-threaded client, since only one function can be called at a time. We can model multi-threaded clients by composing the functions in parallel. The network can be modelled in a number of ways, depending on the properties required. When the model of the system is constructed, we expect the user to choose the network from a library of components, so that they do not need to write the PEPA process themselves. For example, a half-duplex network with probability p of packet loss would look like the following: def

Network =

(A send i , ⊤).NetworkAB i +

def

X

(B recv i , (1 − p).rnetwork ).N etwork + (τ, p.rnetwork ).N etwork

X

(A recv j , (1 − p).rnetwork ).N etwork + (τ, p.rnetwork ).N etwork

(B send j , ⊤).NetworkBAj

j

i

NetworkAB i =

X

X j

def

NetworkBAj =

i

where i and j range of the abstract environment of packets sent by clients A and B respectively. Here, we encode the passing of both arguments and return values (when calling a function) and the contents of packets (when communication across the network) by an interface of actions. We will consider this interface in more detail in the next section, but first we must discuss how a function call can be modelled. When we abstract a function, we will reduce each sequential block to a single transition in the model; namely a single action, with a single rate. Given this, there are three fundamental approaches to modelling a function call, as illustrated in Figure 2: (i) Abstract the call to a single transition to the result state. This assumes that the function executes at a fixed rate, irrespective of the input, but this is often good enough for our purposes, and simplifies the model considerably. (ii) Explicitly embed a model of the function. This is more general, and is appropriate when the function has a more complex behaviour that we wish to capture. The disadvantage is in remembering which environment we were in before calling the function, so that we can recover the correct state afterwards, 139

Smith

Fig. 2. The three ways of modelling a function call

which leads to an exponential blowup of state. We assume that such a call is synchronous. (iii) Model the function as a separate process running in parallel, which synchronises over call and return actions. This separates the functionality of one function from another, at the expense of an exponential blowup of state when we do a Markovian analysis. We will use this abstraction when two components are communicating over the network, and the call is assumed to be asynchronous. We rely on user annotations in the source code to tell us how to analyse each function. In the first case, the user must also provide a summary of the function’s behaviour (i.e. how it affects the environment of the caller), so that we can model the system without having to analyse every function (e.g. libraries, system calls, etc.). The user does not write in PEPA directly; instead using a simple but higherlevel syntax. Note that the second and third cases are essentially equivalent, except for whether the call is synchronous or asynchronous. After deriving models for all the functions in the system, we identify a set of ‘top-level’ functions; namely those that are invoked externally (by a network event, timeout, or user call). These fit into the component ClientX described previously, which in turn forms part of the system equation. Other than having the user pick out which are the top-level functions, and how the network and users behave, the system equation can be constructed automatically – the synchronisation sets are just the interfaces we compute in the next section.

5

Functional Modelling

Up to now, we have looked only at how to compose a model of the system from its sequential components. These sequential components correspond to functions in the source code, and we will now describe their abstraction. There are two key ideas involved in this – that of abstracting the control-flow of the program, and that of abstracting the environment of its variables. The steps that we will take can be summarised in four steps. Firstly, we convert the program to an abstract syntax, in Static Single Assignment (SSA) form. From here, we derive the control-flow state space. We define this as the fixed point of a reduction →f , but it can be viewed intuitively in terms of paths on the control-flow graph. Thirdly, we determine the data environment space. We abstract arithmetic 140

Smith

expressions to intervals over the integers, for which considerations of independence are of vital importance. Finally, the PEPA model can be built. This involves determining the probability of moving from one state to another, which is a conditional probability on the data environments of reachable states (in the control-flow). 5.1

Abstract Syntax and SSA

In order to proceed, we first convert the function (written into the subset of C that we defined) into an abstract syntax that will be easier to analyse. A function definition has the form f (X1 , . . . , Xn ) := C, where the body of the function is a command C, defined as follows: C

:= |

skip | return E | X := E | X := g(X1 , . . . , Xn ) C1 ; C2 | (if B then C1 else C2 ) ; Φ | while Φ ; B do C

Here, X are variables (which we limit to integers and booleans), f, g are functions, E are arithmetic expressions, B are boolean expressions, and Φ are sequences of φ-functions, which will shortly be defined. E and B must be linear, so that any P expression E can be written in the form i ai Xi , with constants ai . Since we can convert a C function to this form, we will adopt this syntax from now on. To simplify the analysis of variable dependencies, we convert the function into SSA form [20]. This ensures that each variable is only assigned to (statically) once, so we need not worry about a variable name being reused later, in an independent context. This transformation alters the control-flow graph in two ways. First, at each node in the control-flow graph with more than one incoming edge (a join node), and for each set of conflicting definitions of the same variable, we insert a φ-function, φ(d1 , . . . , dn ), such that φ(d1 , . . . , dn ) = di if the node is reached via the ith in-edge. We then rename all variables so that each is only statically assigned to once. In our abstract language, each node will have at most two in-edges (nested ifstatements have separate join nodes), so the arity of all φ functions will be two. If Φ is a sequence of n φ-functions, X1 := φ(Y1 , Z1 ) ; . . . ; Xn := φ(Yn , Zn ), we define the following projections: ΦL = X1 := Y1 ; . . . ; Xn := Yn ΦR = X1 := Z1 ; . . . ; Xn := Zn 5.2

Control-Flow State Derivation

We can now define a state in our abstract system as a 4-tuple, hL, C, P, U i, consisting of a label L, a command C, a predicate P and an update U . The predicate is a boolean expression on the program variables that is valid on entering the state. The update is a partial finite map from variables to expressions, indicating the change of state that takes place at that node. The command is the remainder of the program, to be executed after leaving the state. To allow us to represent a function by these states, we introduce two more atomic commands; goto and call. The first of these specifies a set of labels, L1 , . . . , Ln , which determine the set of reachable states that may follow. The second encodes the assignment of a variable X to a function call g, followed by a continuation L. 141

Smith

The syntax of commands is extended as follows: C

:=

goto{L1 , . . . , Ln } | call(X, g, L)(E1 , . . . , En )

Finally, we need a notion of environment variable. There is no need for every variable to be represented in the abstract environment, as some will be uniquely determined by the others. If this is the case, we can eliminate the variable by substituting for its definition, hence it will never need to appear in an update U . Informally, a variable is an environment variable if it is an input to the function, the return value of a function call, or if its definition reaches over the backward branch of a loop. Formally, we define a function I : C → X → X, which maps each environment variable onto an equivalence class: I(skip) = {} I(return E) = {} I(X := E) = {} I(X := g(E1 , . . . , En )) = {X 7→ X} I(X1 := φ(X2 , X3 )) = {X1 7→ X1 , X2 7→ X1 , X3 7→ X1 } I((if B then C1 else C2 ) ; Φ) = I(C1 ) ∪ I(C2 ) I(while B do Φ ; C) = I(Φ) ∪ I(C) I(C1 ; C2 ) = I(C1 ) ∪ I(C2 ) I(f (X1 , . . . , Xn ) := C) = {X1 → 7 X1 , . . . , Xn 7→ Xn } ∪ I(C) If X ∈ dom(I(C)) then X is an environment variable in C. Furthermore, if I(C)(X) = I(C)(Y ), then X and Y are the same environment variable. To simplify notation, if we have a function f defined as f (X1 , . . . , Xn ) := C, then we define Vf to be I(f (X1 , . . . , Xn ):=C). In other words, Vf determines the environment variables of the function f . We can now define the state space of an abstract function as the fixed point of a reduction, →f . This reduction takes a 4-tuple, which represents some state in the function’s execution, and partially evaluates the command. In general, this partial evaluation leads to a set of possible states, because the control-flow decisions are not completely determined statically. We define →f as follows, where L′ and L′′ are fresh labels: hL, hL, hL, hL, hL,

C, P, U i (skip) ; C, P, U i (return E) ; C, P, U i (X := E) ; C, P, U i (X := E) ; C, P, U i

hL, (X := g(E1 , . . . , En )) ; C, P, U i

→f →f →f →f →f →f

hL, (if B then C1 else C2 ); Φ ; C3 , P, U i →f hL, (if B then C1 else C2 ) ; Φ, P, U i

→f

hL, (while B do Φ ; C1 ) ; C2 , P, U i

→f

{hL, C, P, U i} if C is atomic (call, goto or return) {hL, C, P, U i} {hL, return E, P, U i} {hL, C{E/X}, P, U i} if X ∈ / dom(Vf ) ˘˙ ¸¯ L, C, P, U {E/V (X)} if X ∈ dom(V)f ) f ( hL, call(X, g, L′ )(E1 , . . . , En ), P, U i , hL′ , C, ⊤, {}i ) ( hL, C1 ; ΦL ; C3 , P ∧ B, U i , hL, C2 ; ΦR ; C3 , P ∧ ¬B, U i ( ) hL, C1 , P ∧ B, U i , hL, C2 , P ∧ ¬B, U i 9 8 > > hL, goto{L′ , L′′ }, P, U i , = < hL′ , C1 ; goto{L′ , L′′ }, P ∧ B, {}i , > > ; : ′′ hL , C2 , ¬B, {}i

142

Smith

Note that we require that a function ends in a return instruction, so all other commands must be followed by another. The only exception to this is a conditional statement, which may appear as the final command if both branches terminate in a return instruction, hence the two cases above. Informally, this reduction is amalgamating sequential states in the concrete control-flow graph, and expanding out conditional statements, so that each abstract state represents a path between two interaction points – namely calling or returning from a function, or reentering a loop. Importantly, in this abstraction, we only have one set of states for the body of a loop. Hence we can only model a loop if the probability of reentering it has a trivial dependency with respect to time (as we will see later). To compute the fixed point of this reduction, we firstly define ⇒f as a reduction over sets of states: t1 →f T1 ... tn →f Tn {t1 , . . . , tn } ⇒f T1 ∪ . . . ∪ Tn Now, the abstract state space S(f ) of a function f is defined as follows: S(f ) = T iff {h0, C, ⊤, {}i} ⇒∗f T ∧ ∀T ′ .T ⇒∗f T ′ ⇒ T ′ = T This fixed-point can be shown to exist by induction on the structure of C, under the assumption that C is well-formed; namely, ∀T. {h0, C, ⊤, {}i} ⇒∗f T ⇒ ∃T ′ .T ⇒f T ′ . We will hereafter refer to S(f ) as the control-flow states of f . 5.3

Data Environments

As it stands, S(f ) is not sufficient to model the state space of the function. This is because the predicate at each state is the weakest condition that must hold, irrespective of how we arrived there. We therefore lose all memory of any stronger conditions that hold due to the particular path that was taken; namely the values of variables that do not affect the local control-flow decision. However, they may well affect future control-flow decisions, or need to be communicated (e.g. as a return value). A further problem with these states is the difficulty in relating the predicates P to one another. To connect the states together probabilistically, we need to determine probabilities of the form Pr(PU′ | P ), where PU′ is the predicate P ′ with its variables updated by U . Essentially, this is the probability of one set of linear constraints holding, given another, which can be difficult to determine. We therefore need to consider a data abstraction, in addition to S(f ). Let Pf be the set of all predicates P in S(f ), expressed in the following normal form, where < ∈ {}:   ! _ ^ X ^  aijk xijk < cij ∧ pj  i

j

j

k

where aijk , cij are rational constants, xijk are integer variables, and pj are boolean P variables (atoms). Now, let Ef be the set of all expressions k ak xk in Pf , represented in vector form, a · x, where x is the image of Vf , expressed as a vector, and 143

Smith

a is a column vector of integers. If there are N unique such expressions, and M variables (i.e. x has dimensionality M × 1), then the M × N matrix A is defined by taking its rows to be the vectors a. To determine the data environment, we need to find a basis for these vectors. Given our assumption that the environment variables have no hidden dependencies between one another (i.e. all dependencies are from conditions within the function in question), the independence of two expressions (in the absence of any other information) corresponds to orthogonality between their a-vectors. Hence, we can determine an optimal basis using Principle Components Analysis (PCA) [12]. This equates to performing singular value decomposition of the matrix A into UΣVT . Here, U is an M × M orthogonal matrix (i.e. its columns form an orthonormal basis), which can be viewed as a linear map from the target basis into the original. Hence UT is a linear map into the target basis:

A′ = UT A = UT UΣVT = ΣVT

Hence A′ is an M × N matrix whose columns represent the same expressions as in A, but in the new basis U. L For each basis vector ui in U, we associate two sets of rationals, sU i and si called the upper and lower closed splittings of ui . These splittings define a finite set of intervals, which will form the abstract data environment of the expression that ui L denotes. For example, if this expression is x − y, and the sets sU i and si are {0, 10} and {10, 11} respectively, then the abstract environment records only whether the value of x − y lies in the interval (−∞, 0], (0, 10), [10, 10], (10, 11) or [11, ∞). More formally, an open interval (x, x) over the rationals denotes the set {q ∈ Q | x < q < x}, where x ∈ Q ∪ {−∞, ∞}. Similarly, a closed interval [x, x] denotes {q ∈ Q | x ≤ q ≤ x}, for x ∈ Q, and the definitions of [x, x) and (x, x] are as S expected. An interval space is a set I of intervals, such that i ∈ I = Q and L ∀i1 , i2 ∈ I.i1 6= i2 ⇒ i1 ∩ i2 = ∅. To construct such an interval space, sU i and si define all the closed interval ends (for the upper and lower bounds on the interval respectively), causing the open ends to follow uniquely. To determine the splittings for each basis, we consider the expressions in e ∈ A′ . For all e of the form a′ ui , then for all conditions e < c, we examine the normalised ′ condition ae′ , i.e. (α, >). When the cooperation set L is empty we use the shorthand notation k. Finally, there is an abstraction operator, hiding, denoted P/L, which allows the type of an activity whose type is in L to be replaced by the distingushed type τ , which denotes a private or hidden activity. The language definition is expressed in [7] via a small-step structured operational semantics which maps a pepa model onto a Continuous-Time Markov Chain (ctmc). The ctmc can then be analysed for both steady state and transient performance measures, using standard techniques. 2.2

The notion of algorithmic skeletons

The skeletal approach to the design of parallel programming systems proposes that the complexity of parallel programming be contained by restricting the mechanisms through which parallelism can be introduced to a small number of architecture independent constructs, originally known as “algorithmic skeletons”. Each skeleton specification captures the logical behaviour of a commonly occurring pattern of parallel computation, while packaging and hiding the details of its concrete implementation. Provision of a skeleton-based programming methodology simultaneously raises the level of abstraction at which the programmer operates and provides the scheduling system with crucial information on the temporal and structural interaction patterns exhibited by the application. Responsibility for exploiting this information passes from programmer to compiler and/or run-time system. To obtain such detailed information from an equivalent ad-hoc message passing program is impossible in the general case. In this paper, we show how the structural information can be used to construct pepa performance models of the application.

3

Expressing workflow systems with skeletons

To automate generation of performance models, a given workflow system must be first expressed in a form which captures its essence. In this paper, we adopt a pattern-oriented approach, which is based on the notion of algorithmic skeletons—a system that was designed to enrich, and simplify, structural development of distributed and parallel applications. It must be understood that although the introduced constructs could be used directly by a human performance modeller, it is meant to be used as an internal interface for generating performance models automatically from distributed skeleton-based applications. To facilitate a thorough treatment of the automation, we will focus on the following three basic skeletons. 6 Pipeline skeleton A pipeline skeleton arranges a set of components sequentially, so that data units entering the pipeline are processed in each of these components in turn (in the order the components are specified) before the final result leaves the pipeline. In our approach to expressing workflow systems, we will use the following construct to specify a pipeline: 6

Extensions to these basic forms are available in the tool: http://groups.inf.ed.ac.uk/enhance/.

169

Yaikhom et al. task1 input stream

task6

task9

task7

task10

task8

task11

task4 task0

task2 task5 task3

task12

output stream

Fig. 1. Dataflow diagram of a workflow system with nested pipelines and task replications.

pipe(); The components contained within a skeleton construct could be either skeleton components (which results in hierarchical nesting), or task components (where the data units are processed). In the latter case, a task component is specified with the following construct: task(, ); Here is the rate at which each of the data units entering the task component is processed—used while modelling the task’s computational performance. Deal skeleton A deal skeleton replicates a given task component in parallel, so that data units entering the deal could be processed by one of the replicated components, before the final result leaves the deal. The task component which receives a given data unit is chosen by a round-robin data distribution policy. We use the following construct to specify a deal: deal(, , ); Farm skeleton A farm skeleton is similar to the deal: a given task component is replicated in parallel so that data units entering the farm are processed by one of the components. The difference, however, is that the process of choosing the task component that should receive a given data unit is unpredictable, being dynamically demand-driven upon completion of earlier computations. The nondeterminism is therefore probabilistic, where the next data unit is sent to one of the succeeding tasks that has completed processing the data units assigned to it previously. We use the following construct to specify a farm: farm(, , ); We shall now illustrate the usage of these constructs by expressing a concrete example. Imagine a workflow system similar to the one shown in Fig. 1. Here, we have a six stage 7 pipeline at the highest level. Some of these stages are task components (for example, stages 1 and 6), while some are hierarchical skeleton nestings (say, for example, stage 2 is a Farm, while stage 3 is a Deal). The skeleton-based expression of the above pipe(6); workflow system is shown on the right. This detask("task", 1.0); scription is hierarchical—each subtree is described farm(3, "task", 3.0); depth-first, left-to-right across the same subtree deal(2, "task", 2.0); level. We proceed to the next subtree in the same farm(3, "task", 3.0); level only after all the previous subtrees have been deal(3, "task", 3.0); described completely; i.e. there are no skeleton task("task", 1.0); nestings with insufficient task assignments. 7

The components of a pipeline are frequently referred to as “stages”.

170

Yaikhom et al.

It may be easier to view the whole exercise as a step-wise refinement of the system description, where we conceive the system at the highest level and proceed with refinements until the lowest level descriptions consist of task components only. pipe

farm

0

1

2

3

deal

4

5

farm

6

7

deal

8

9

10

11

12

Fig. 2. The skeleton hierarchy tree which corresponds to the example workflow system shown in Fig. 1.

In light of the discussions to follow, it would be prudent to mention here that, for every workflow description, a hierarchical tree data structure is maintained by the model generation tool, internally. We shall refer to this data structure as the skeleton hierarchy tree (shown in Fig. 2 for our example workflow system). The skeleton hierarchy tree encapsulates most of the information provided in the description (the overall structural and component details of the system). Additional information is derived from this tree automatically, when needed (for example, the data dependency graph connecting the tasks). We shall now discuss these in detail.

4

Generation of performance models

Generation of pepa performance models, from a given description of a workflow system, can be divided into three phases. In the first phase, the directed acyclic graph (which represents data dependency between task components) is derived from the skeleton hierarchy tree. This graph is then used in the following phases. In the second phase, the process definitions for each of the task components are determined. Finally, in the third phase, the overall system is modelled by combining the task components, and skeletal components, based on their hierarchical organisation. The final phase is important because it completes the performance model by establishing the synchronisation sets, which will be used by the model solver while synchronising task components at different levels of composition. 4.1

Determination of the directed acyclic graph

Let the directed acyclic graph G(T , E), where T is the set of task components and E is the set of directed edges connecting task components, represent the data dependency graph which corresponds to the skeleton hierarchy tree. To derive such a graph from a given skeleton hierarchy tree, we use recursive preorder tree traversal algorithms, described as follows: To every task in T , assign a unique index i, where 0 ≤ i < |T |. We will use the notation ti to mean: “task component with index i,” or sometimes, “task i”. To concretely implement the graph G, associate with every task, ti , two ordered sets of task indices: (1) the source list Si , which gives the set of tasks in T from which 171

Yaikhom et al.

Algorithm 1 GS(node): Generate source lists from the skeleton hierarchy tree n := node.nchildren // Number of children nodes node.slist := parent.slist // Inherit source list from parent node node.stype := parent.stype // Inherit source pattern type for i := 0 to (n − 1) do GS(node.childi ) // Recursively generate children source lists if node.type is task then // Node is a task component v := {x : where x = node.index} if parent.type is deal or farm then // Parent is a replicable skeleton tempnode := v else parent.slist := v parent.stype := pipe // Update source pattern type else if node.type is pipe then // Node is a pipeline skeleton if parent.type deal or farm then // Pipeline within replicable tempnode := node.slist else parent.slist := node.slist parent.stype := node.type // Update source pattern type else if node.type deal or farm then // Node is a replicable skeleton S m := n−1 i=0 tempi // Merge temporary lists on children if parent.type deal or farm then // Replicable within replicable tempnode := m else parent.slist := m parent.stype := node.type // Update source pattern type task i can receive data; (2) the destination list Di , which gives the set of tasks to which task i can send data. They are formally defined as follows: Si = {j : (tj , ti ) ∈ E, i 6= j} and Di = {j : (ti , tj ) ∈ E, i 6= j}. When it is clear from the context which task we are referring to, we may choose to drop the subscripts in Si and Di . It is important to note here that these sets only list all the possible predecessors (or successors) of a task—the effective set with which the task eventually communicates is determined from these sets by applying the corresponding source (or destination) manner of interaction, which we will be discussing shortly. For example, given a pipeline containing two consecutive deals, the general case is that all the tasks in the first deal will be in the source list for the second deal. However, if the deals are of the same size, then in fact, a task in the second deal will only ever receive data from the task in the first deal which has the same intra-deal sibling rank (the effective set is therefore a singleton set). It can be observed that these two sets, in combination with the task set T , completely define the directed acyclic graph G. We therefore use recursive tree traversal algorithms to generate these sets from the skeleton hierarchy tree. In Algorithm 1, we show the process by which the source lists are derived from the skeleton hierarchy tree. In this algorithm, each node maintains the following data: 172

Yaikhom et al. Send(β(D), d0 )

2

1

0

d0 = Compute(d)

Receive(α(S), d)

Fig. 3. The transition diagram which gives the sequence of generic activities that are performed by any one of the tasks in the workflow system. During model generation, these activities are specialised based on the manner in which the task interacts with its predecessors and successors.

a pointer to its parent node in the skeleton hierarchy tree, parent; the number of its children nodes, nchildren; the list of task indices, slist, that is available to this node as sources (in fact, this is what the algorithm will determine); the source pattern type, stype; the type of node, type (this could be a skeleton node or a task node, see Fig. 2). In addition to these, each node also maintains a temporary list, temp, which is used by its parent node while finalising the parent’s source list. Note here that for some skeleton nodes where replication of tasks are involved, the source list on these nodes cannot be finalised until all of its child subtrees have also finalised their source lists. A similar algorithm is used to derive the destination lists. 4.2

Modelling the task components

In general, a task component in a workflow system is a process which repeatedly undergoes the transitions: receive → compute → send. Depending on the higher-level structure containing the task, these three basic activities are specialised accordingly. In some cases, for example, some of these activities are skipped (as in producer tasks, which does not perform receive activities; or consumer tasks, where send activities are never performed). As noted in Section 4.1, when a task communicates with other tasks, the tasks with which the communications are performed are based on an effective subset of S (or D), determined by the manner of interaction. This manner of interaction is based on the skeleton preceding (or succeeding) this task. It is easier to define this manner of interaction as a function over the source (or destination) list, which chooses task indices from the corresponding list, thus establishing the effective subset for the current communication. In essence, this function therefore outlines for each task how the task should interact with the remaining tasks in the skeleton hierarchy tree: the source function defining how data should be received; the destination function, how data should be sent. The manner of interaction for a given task correspond to the location of the task within the skeleton hierarchy tree. As we can see in Algorithm 1, the source pattern type (stype), is set with respect to the skeleton components containing the task; the destination pattern type is set similarly. If we respectively represent the source and destination interaction functions with α and β, we can summarise a task as shown in Fig. 3. From this abstract representation, it is clear that the pepa process definition of a task component is determined by the subsets α(S) and β(D); and the relationship between α and β, as required by the transition receive → compute → send. Since tasks can have different α and β, we have to determine process definition templates for all the possible pattern combinations. Let 173

Yaikhom et al.

us represent, for brevity, such combinations with {α(S) → ti → β(D)}; meaning, “task i receives data based on the source function α; and sends data based on the destination function β”. When either of the functions are not defined (as discussed at the beginning of this section), we represent this with a ∗ (as in {∗ → ti → β(D)} for a producer task). Furthermore, since enumerating all the cases can be quite involving, we shall condense the case investigations further by making some observations on the relationship between the different interaction functions (based on the definition of the skeleton constructs, see Section 3). These observations are: (a) the Deal interaction function is a special case of the Farm, where probabilistic non-determinism in the Farm is removed by enforcing a round-robin data distribution policy. (b) the Pipeline interaction function is a special case of the Deal, where the source (or destination) list is a singleton set. Based on the later observation, discussion of cases involving the Pipeline will be ignored, since it is covered in the cases with Deal. We will, however, cover the combinations of Deal and Farm interaction functions. Case {∗ → ti → Deal(D)} In this case, ti is a producer task. This task produces data units, which are then sent to one of the tasks in D, chosen according to the round-robin policy. The corresponding pepa process definition, where n = |D| and λi is the computational activity associated with ti , is expressed as follows: def

ti = (λi , >).(movei0 , >).(λi , >).(movei1 , >). · · · .(λi , >).(movei(n−1) , >).ti ; Here moveij represents communication of data from task i to the jth task in D. We choose this notation instead of, say sendij , because these activities will be used again later when we define the synchronisation sets. If the latter notation was adopted, we are required to define a system for matching up corresponding sendij and receiveji pairs (which is, in fact, unnecessary). Case {Deal(S) → ti → ∗} In this case, ti is a consumer task. The task receives data units from one of the tasks in S, which it then consumes. By following a notation similar to the previous case, we have the following process definition: def

ti = (move0i , >).(λi , >).(move1i , >).(λi , >). · · · .(move(n−1)i , >).(λi , >).ti ; Here n = |S|, the number of task indices in the source list. Based on arguments similar to the one used in the previous case, we use moveji to represent communication of data from the jth task in S to task i. Case {Deal(S) → ti → Deal(D)} In this case, ti is an intermediate task: data units received from one of the tasks in S is processed, and the result is sent to one of the tasks in D. In each instance of the send and receive communications, the effective task is chosen independently based on the round-robin distribution policy. When the cardinalities of the source and destination lists are the same, p = |S| = |D|, the process definition is simple, as shown below: def

ti = (move0i , >).(λi , >).(movei0 , >). (move1i , >).(λi , >).(movei1 , >). ··· (move(p−1)i , >).(λi , >).(movei(p−1) , >).ti ; 174

Yaikhom et al.

When |S| = 6 |D|, however, there exists no immediate correspondence between the source and destination tasks. It is therefore necessary to resolve this mismatch until we find a repeatable sequence of activities. If we define periodicity, p, as the number of distinct receive → compute → send transitions after which the repetition ensues, it is easy to see that the periodicity is the least common multiple of |S| and |D|. Based on this, we have the following process definition: def

ti = (movexi , >).(λi , >).(moveiy , >). · · · (repeat p times, incrementing k in every iteration).ti ; where 0 ≤ k < p, x = k mod |S| and y = k mod |D|. When |S| = 3 and |D| = 2, for example, the steady-state activity sequence is 3 r1 4

s1

λ

2 r0

s0

λ

r2

s1

λ

λ s0

r2

λ

s1

r0

5

λ

s0

1

r1

0

which gives the following process definition: def

ti = (move0i , >).(λi , >).(movei0 , >).(move1i , >).(λi , >).(movei1 , >). (move2i , >).(λi , >).(movei0 , >).(move0i , >).(λi , >).(movei1 , >). (move1i , >).(λi , >).(movei0 , >).(move2i , >).(λi , >).(movei1 , >).ti ; The above three cases can be used to completely define task components with any combination of Pipeline and Deal. We shall now extend this by introducing cases which account for the non-determinism associated with a Farm skeleton. Case {∗ → ti → F arm(D)} In this case, the task is a producer. The main difference, however, is the non-determinism, which we capture with the choice(+) operator of pepa. This is shown in the following process definition: def

ti = (λi , >).t0i ; def

t0i = (movei0 , >).ti + (movei1 , >).ti + · · · + (movei(n−1) , >).ti ; where n = |D|. After a data unit has been produced, it is sent to any one of the tasks in D, which brings back the task to the data production state. Case {F arm(S) → ti → ∗} In this case, the task is a consumer. The process definition is similar to the previous case, as shown in the following definition: def

ti = (move0i , >).t0i + (move1i , >).t0i + · · · + (move(n−1)i , >).t0i ; def

t0i = (λi , >).ti ; where n = |S|. After a data unit has been received from any one of the tasks in S, it is consumed; consequently bringing the task back to the receiving state. Case {F arm(S) → ti → F arm(D)} In this case, ti is an intermediate task. The process definition for such tasks can be achieved by combining the previous two cases, as shown in the following: 175

Yaikhom et al. def

ti = (move0i , >).(λi , >).t0i + · · · + (move(x−1)i , >).(λi , >).t0i ; def

t0i = (movei0 , >).ti + (movei1 , >).ti + · · · + (movei(y−1) , >).ti ; where, x = |S| and y = |D|. Data units are received from any one of the tasks in S, processed, and the result sent to any one of the tasks in D. Case {Deal(S) → ti → F arm(D)} In this case, ti is an intermediate task. What is unique about this task is that for every data received in round-robin fashion, the processed result is sent probabilistically to one of the tasks that has completed processing the job assigned to it previously. It is important to note here that since the source function preceding this task is a Deal, task i must receive the next data according to round-robin fashion, as it can be inferred that the tasks in S received their data in round-robin fashion. Once the data has been received and processed, the result is sent to a Farm; hence, a choice composition is used while dispatching the results, as shown in the following process definition: def

ti = (move0i , >).(λi , >).t0i ; def

t0i = (movei0 , >).t1i + (movei1 , >).t1i + · · · + (movei(y−1) , >).t1i ; ··· x−1 def ti = (move(x−1)i , >).(λi , >).txi ; def

txi = (movei0 , >).ti + (movei1 , >).ti + · · · + (movei(y−1) , >).ti ; where x = |S| − 1 and y = |D|. Case {F arm(S) → ti → Deal(D)} This case is similar to the previous, except for the reversal in the placement of the choice composition. We therefore have the following process definition: def

ti = (move0i , >).t0i + (move1i , >).t0i + · · · + (move(x−1)i , >).t0i ; def

t0i = (λi , >).(movei0 , >).t1i ; ··· def ty−1 = (move0i , >).tyi + (move1i , >).tyi + · · · + (move(x−1)i , >).tyi ; i tyi = (λi , >).(moveiy , >).ti ; def

where x = |S| and y = |D| − 1. In Algorithm 2, we incorporate all of the above cases in order to generate the process * Pipe Deal Farm definition for each of the tasks in the skele* 0 1 2 3 Pipe 4 5 6 7 ton hierarchy tree. For simplicity of repreDeal 8 9 10 11 sentation, a case number is assigned to each 12 13 14 15 Farm of these cases, as shown in the table on the righthand side. Here, the columns list destination patterns; whereas, the rows enumerate source patterns. Furthermore, in Algorithm 2, the expression S(j) gives the mth task index in S, where m = j mod |S|; the corresponding expression for the destination list, D(j), is defined similarly. We use the interface Output: to emit segments of the generated process definition. For every invocation to this interface, all the characters immediately following this, until the end of line, are emitted as part of the process 176

Yaikhom et al.

Algorithm 2 GP (i): Generate process definition for task i def

Output: ti = l :=lcm(|S|, |D|) // Least common multiple, or sum if either is zero if case is 1 or 2 then // Predecessor ∗, successor Pipe or Deal for 0 ≤ j < l do Output: (λi , >).(movei,D(j) , >). else if case is 4 or 8 then // Predecessor Pipe or Deal, successor ∗ for 0 ≤ j < l do Output: (moveS(j),i , >).(λi , >). else if case is 5, 6, 9 or 10 then // Predecessor and successor Pipe or Deal for 0 ≤ j < l do Output: (moveS(j),i , >).(λi , >).(movei,D(j) , >). else if case is 3 then // Predecessor ∗, successor Farm def Output: (λi , >).t0i ; t0i = (movei,D(0) , >).ti for 1 ≤ j < |D| − 1 do Output: +(movei,D(j) , >). if (|D| > 1) ∧ (j < |D| − 1) then Output: ti else if case is 12 then // Predecessor Farm, successor ∗ Output: (moveS(0),i , >).t0i for 1 ≤ j < |S| do Output: +(moveS(j),i , >).t0i def

Output: ; t0i = (λi , >). else if case is 7 or 11 then // Predecessor Pipe or Deal, successor Farm for 0 ≤ j < |S| do def Output: (moveS(j),i , >).(λi , >).tji ; tji = (movei,D(0) , >). if j < |S| − 1 then Output: tj+1 i else Output: ti for 1 ≤ k < |D| do Output: +(movei,D(k) , >). if j < |S| − 1 then Output: tj+1 i else if j < |D| − 1 then Output: ti else if case is 13 or 14 then // Predecessor Farm, successor Pipe or Deal for 0 ≤ j < |D| − 1, initialise x = 0 and increment by 2 in each step do Output: (moveS(0),i , >).txi for 1 ≤ k < |S| do Output: +(moveS(k),i , >).txi def

Output: ; txi = (λi , >).(movei,D(j) , >). def

if j < |D| − 1 then Output: tx+1 ; tx+1 = i i else if case is 15 then // Both predecessor and successor Farm Output: (moveS(0),i , >).(λi , >).t0i for 1 ≤ j < |S| do Output: +(moveS(j),i , >).(λi , >).t0i def

Output: ; t0i = (movei,D(0) , >). for 1 ≤ j < |D| do Output: ti + (movei,D(j) , >). Output: ti ; 177

Yaikhom et al.

Algorithm 3 GM (node, nchild): Generate system model i := node.index r := node.rank // Node rank among siblings if node.type is task then Output: ti if r < nchild − 1 then if parent.type 6= (deal or farm) then Output where L = {movei,j : j = Di (k), 0 ≤ k < |Di |} L else Output: || else Output: ( for 0 ≤ j < node.nchild do GM (childj , node.nchild)// Recursively model subtree Output: ) if r < nchild − 1 then if parent.type 6= (deal or farm) then Output where L L = {movex,y : y = Di (j), x = Sy (k), 0 ≤ j < |Di |, 0 ≤ k < |Sy |} else Output: || definition. Also note that the order in which Output: is invoked is significant to the validity of the generated process definition. To generate all the process definitions of all the tasks in the skeleton hierarchy tree, we traverse the hierarchy tree and invoke Algorithm 2 for all the nodes which is a task node. Once this is done, we have completed the second phase of performance model generation. We therefore proceed with the final phase where we define the synchronisation sets. Before we proceed, it will be worth recalling that the moveij and moveji activities, which correspond to the communications between tasks, will be used while defining these synchronisation sets. 4.3

Modelling the system

All the process definitions generated at the end of the second phase only model the performance of each task component, independently of the others. Since the workflow system is a cooperative manifestation of these tasks, these tasks must be synchronised accordingly with respect to the level of hierarchical composition. This is done in the final phase of model generation, which we shall now discuss. At every level of the skeleton hierarchy tree, each subtree corresponds to a closed sub-system where only the boundary task components on either side interacts with their adjacent sibling subtrees. The task components which are inside this sub-system (the intermediate components) are synchronised with other task components within the same sub-system—there is no cross-boundary synchronisation. Hence, the final phase of model generation proceeds by defining synchronisation sets between adjacent sub-trees in each level of the hierarchy tree; which are refined repeatedly until all the task components are synchronised. 178

Yaikhom et al. // Computation rates. Processor_0 = (comp_0, Processor_1 = (comp_1, Processor_2 = (comp_2, Processor_3 = (comp_3, Processor_4 = (comp_4,

1.0).Processor_0; 3.0).Processor_1; 1.0).Processor_2; 2.0).Processor_3; 1.0).Processor_4;

// Communication rates. Network = (move_0_1, 1.0).Network + (move_1_2, 1.0).Network + (move_2_3, 1.0).Network + (move_3_4, 1.0).Network; // Task t_0 = t_01 = t_1 = t_2 = t_3 = t_4 =

definitions. (comp_0, infty).t_01; (move_0_1, infty).t_0; (move_0_1, infty).(comp_1, (move_1_2, infty).(comp_2, (move_2_3, infty).(comp_3, (move_3_4, infty).(comp_4,

infty).(move_1_2, infty).t_1; infty).(move_2_3, infty).t_2; infty).(move_3_4, infty).t_3; infty).t_4;

// System model. Network(t_0 t_1 t_2 t_3 t_4)(Processor_0 || Processor_1 || Processor_2 || Processor_3 || Processor_4) // Throughput expression. T1 = 1.0 * {** || (t_01 || t_1 || ** || ** || **) || (** || ** || ** || ** || **)};

Fig. 4. Example pepa performance model generated automatically from a skeleton expression.

We use Algorithm 3 to perform this final phase. In this algorithm, we use depth-first preorder tree traversal again. Since the synchronisation set between two subtrees can be expressed with respect to one of these subtrees, we choose a forward expression approach where the synchronisation set for a subtree is determined after the sub-system which corresponds to that subtree has been synchronised. We can see this in the algorithm: whenever the node is a task, we emit that task, and generate the synchronisation sets with which this task synchronises with all its successor tasks; when the node is a skeleton component, we generate the synchronisation set by accounting for the tasks on the “send” boundary of this sub-system, which interacts with the tasks on the “receive” boundary of the succeeding sub-tree. Introducing computation and communication rates The model which we have generated so far is incomplete in two ways. Although we have the task definitions and the structure of their interactions, both computation and communication rates are passive. Since active rates are necessary while performing synchronisation, we complete the model by introducing the relevant active rates to the model. Since the model generation method developed here is aimed primarily towards distributed applications, the following discussion will focus on this context. In a distributed system, the principal factor which determines the task rate is the rate of the processing element to which the task is assigned for execution (for example, the cpu frequency). On the other hand, the inter-task communication rates are determined primarily by the communication latencies of the underlying network connecting these processing elements. Hence, to complete the model, we introduce two sections into the model. Based on the rate of the processing element, µ, the task rate associated with the computational activity, λ, is introduced as a preamble: def

P rocessor0 = (λ0 , µ0 ).P rocessor0 ;

def

P rocessor1 = (λ1 , µ1 ).P rocessor1 ; 179

···

Yaikhom et al. 250

uniform bottleneck

Throughput

200 150 100 50 0 100

150

200

250

300 Rate

350

400

450

500

Fig. 5. The effect of bottleneck stages on the performance of a pipeline. Here, we have a pipeline with three stages. The job processing rates of all the stages, except for the middle stage is increased uniformly. The job processing rate of the middle stage is maintained at a constant value of 50 jobs per unit time.

Note here that the computational activity, λi , must be the same as it is used in the definition of task i. Similarly, we introduce the communication rates by adding a section which is determined from an adjacency matrix representing the communication latencies. Again, the moveij activities used here must match the ones in the task definitions. For an example performance model, see Fig. 4. 4.4

Analysis of performance results

We will now discuss a numerical analysis of performance results which demonstrates practical advantages of the generated models as compared to naive systems without automated performance modelling support. In these analysis, we draw heavily on one practical application of the automatic model generation approach: dynamic scheduling of tasks in parallel and distributed applications [9][10]. When viewed from a higher-level abstraction, most parallel and distributed applications can be considered as workflow systems where groups of instructions form a task, which is then scheduled to different processors. In general, the highest-level structure of these systems often forms a Pipeline. In Fig. 5, we plot the predicted performance of a pipeline application with five stages 8 . The performance is measured in throughput, where throughput at steady state is the expected number of completed jobs per unit time. As we can see, the throughput of the pipeline increases linearly as long as the rates at which data units are processed by each of the stages increases uniformly. However, when some stages of the pipeline become a bottleneck (in Fig. 5, we have made the middle stage a bottleneck, with its task rate kept at a constant value of 50) it is often the case that the overall performance of the pipeline degrades, staying almost at the same level (since, the throughput is determined by the worst performing task) even when the rates of the other stages are increased. This shows that in order to improve the overall performance of Pipeline application, we must 8

To focus our analysis on the task rates, we have set the same communication rates for all the inter-task communications. This is necessary in order to minimise the effect of the communications on the relative throughputs while we contrast the performance that is achieved due to different task rates.

180

Yaikhom et al. 140

bottleneck 2 deals 3 deals 2 farms 3 farms

Throughput

120 100 80 60 40 20 100

150 200 250 300 350 400 450 Rate (rate of the middle stage is fixed at 50)

500

Fig. 6. The effect of the bottleneck stage in Fig. 5 is reduced by replicating the bottleneck task. The replication is done in two ways by using a Deal and a Farm. The number of replicated tasks are also varied (2 and 3 replications).

ensure uniform task rates. One way of ensuring uniformity of task rates is the replication of the worst performing task so that multiple tasks of the same kind can share the load. As we have discussed in Section 3, this could be done in two ways. First, we use a Deal where the bottleneck stage is replicated in a manner so that data is processed in round-robin fashion. Second, we use a Farm where the data distribution is not fixed, but probabilistic. In Fig. 6, we show the throughputs for five variations of the replication: (1) the Pipeline application with a middle stage bottleneck (same as shown in Fig. 5); (2) the case when the middle task is replicated twice as a Deal, (3) thrice as a Deal ; (4) the case when the middle task is replicated twice as a Farm, (5) thrice as a Farm. As we can see, the performance of the pipeline improves when the bottleneck stage is replicated. We also see that the throughput depends on the number of replications in relation to the degree of deviation of the rate of the bottleneck stage from the rate of the others; i.e., the throughput increases more sharply when the combined rate of the replicated tasks is closer to the rate of the others, than it does when the uniform rate is higher than the combined rate. This can be seen in the saturation curve as we proceed towards higher uniform rates in the other stages. We also notice that the throughputs of the Farm based replications are higher than those of the Deal replications. This, we believe, is a consequence of the strict roundrobin policy that is imposed on the Deal replications; whereas, the policy for the Farm replications is determined responsively based on the given rates.

5

Conclusion

In this paper, we have discussed an automated approach which generates pepa performance models from skeleton-based workflow systems. The approach rely on a pattern-oriented hierarchical expression scheme, where the workflow system is derived from a skeleton-based parallel or distributed application. Such automatic approaches are important in systems where the model must be updated regularly, 181

Yaikhom et al.

and dynamically, depending on the current state of the resources. We have demonstrated in a practical setting the advantages of the generated models by contrasting the performances achieved through various task replication schemes.

References [1] M. Aldinucci and M. Danelutto. Algorithmic Skeletons Meeting Grids. Parallel Computing, 32(78):449–462, 2006. [2] F.A. Rabhi and S. Gorlatch, editors. Patterns and Skeletons for Parallel and Distributed Computing. Springer Verlag, ISBN 1-85233-506-8, 2003. [3] A. Benoit, M. Cole, S. Gilmore, and J. Hillston. Flexible Skeletal Programming with eSkel. In Euro-Par 2005, LNCS 3848, pages 761–770, 2005. [4] OASIS WSBPL Technical Committee. Web Services Business Process Execution Language Version 2.0. http://docs.oasis-open.org/wsbpel/2.0/wsbpel-v2.0.html, January 2007. [5] C. Gomes, O. Rana, and J. Cunha. Extending Grid-based Workflow Tools with Patterns/Operators. To appear in Int. Journal of High Performance Computing Applications, 2007. [6] M. Cole. Algorithmic Skeletons: Structured Management of Parallel Computation. Cambridge, Massachusetts, 1989.

MIT Press,

[7] J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996. [8] M. Cole. Bringing Skeletons Out of the Closet: A Pragmatic Manifesto for Skeletal Parallel Programming. Parallel Computing, 30(3):389–406, March 2004. [9] G. Yaikhom, M. Cole, and S. Gilmore. Combining Measurement and Stochastic Modelling to Enhance Scheduling Decisions for a Parallel Mean Value Analysis Algorithm. In V. Alexandrov, D. van Albada, P. Sloot, and J. Dongarra, editors, Intl. Conf. on Computational Science (ICCS 2006), volume 3992 of LNCS, pages 929–936. Springer, April 2006. [10] A. Benoit, M. Cole, S. Gilmore, and J. Hillston. Scheduling skeleton-based grid applications using PEPA and NWS. The Computer Journal, 48(3):369–378, 2005.

182


Distributed Liveness and Timers for Mobile Processes (Extended Abstract)

Martin Berger

Nobuko Yoshida

Abstract We propose a typing system for the timed distributed π-calculus and study applications to distributed liveness in the presence of message loss. The typing rules clarify the role of timers as an interface between affine and linear channels for guaranteeing distributed liveness. As applications of our types, we study a class of simple distribution algorithms that take processes running at one location, and distribute them, while preserving failure-free behaviour. Finally, we add message-loss probability to our model and derive quantitative bounds for simple processes which recover message loss by timers. Keywords: Distributed Systems, Concurrency, Types, Interaction, Names, Information Flow, Message Loss, Timers, Liveness, Linearity, Affinity

Distributed systems (DS) are characterised by asynchronous communication between sites in the presence of partial failure [3]. Message loss is an example of partial failure. Due to partial failure, invoking a remote service in a DS may not yield a result, even when that service itself works fine. This may cause an invoker to “hang forever”, unable to progress. This paper investigates typing systems for DS with particular focus on type-based progress guarantees, also called liveness. Liveness is informally understood as any property stating that something “good” will eventually happen [1], and is distinguished from safety properties, which talk about “bad” things not happening. In sequential languages liveness is often formalised as termination, but in DS this identification is unsuitable, because such systems often contain nonterminating subcomponents (e.g. webservers). Instead, and following [7], we understand liveness for DS in a channel based manner: a system is live at channel x, if an output can eventually happen at x. Clearly DS, constructed naively, cannot guarantee liveness at channels, because if a system part waits for a message that has been lost on the network, it may never be able to unblock some channels for further actions. This is unfortunate, not only because liveness at a channel is a powerful property for system verification, but because the computations typically executed remotely in DS tend to be simple and terminating (e.g. a DNS query). Hence failure is often the sole reason for lacking liveness. Users of DS, to regain liveness after a failure, habitually abort distributed invocations that do not respond within some expected timeframe. In programming languages that offer timers as language primitives, liveness can be recovered in the same way with a timed abort: when a remote service is invoked, a timer awaiting the response is started locally. Should no reply arrive in This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

Berger and Yoshida

time, waiting is abandoned and a timeout triggered, which restarts the (local) computation, thus preserving liveness in the presence of remote failure. This suggests to use types for guaranteeing that each remote invocation is guarded by a timer, so as to ensure liveness in the presence of failures. The present work investigates typed-based liveness guarantees at channels for idealised DS. We use a variant of the timed, distributed π-calculus [2] as underlying formalism, where failure is modelled as message-loss, possible only in communication between sites. The calculus distinguishes between processes and networks. The former are processes of the asynchronous π-calculus with an added timer thx(v).P, ˜ Qi, which, if it is not stopped within t units of time (one reduction step counts as a time-unit) evolves into Q; it can be stopped by interaction, as formalised by the leftmost of the following three new/updated rules for networks. − xhyi ˜ | thx(v).P, ˜ Qi → P[y/ ˜ v] ˜

P→Q P|R → Q|φ(R)

− P −→ φ(P)

In the two other rules, we use a timestepper φ which steps each timer not under a prefix by one tick: φ(1hx(y).P, ˜ Qi) = Q, φ(t+1hx(y).P, ˜ Qi) = thx(y).P, ˜ Qi, φ(P|Q) = φ(P)|φ(Q) ... All other rules are unchanged. Networks, ranged over by M, N, ..., are either sites [P] (also called locations) with P a process, or of the form M|N, (νx)M. We have the following reduction rules. P→Q [P] → [Q]

a∈ / fin(P) [P|ahvi] ˜ → [φ(P)]

− [P | ahyi] ˜ | [x(v).Q ˜ | R] → [φ(P)] | [Q[y/ ˜ v] ˜ | φ(R)]

M → M′ M|N → M ′ |N

M→N (νx)M → (νx)N

The second rule from the left formalises message loss, and fin(P) computes P’s free input names. Our approach is flexible in that semantic variants (e.g. adding progress assumptions, or timer synchronisation at the network level, or message-loss probabilities) are easily implemented. To study this calculus and the associated liveness issues, we adapt the linear-affine typing system for the π-calculus [5] to the present timed distributed π-calculus. This system classified channels as either linear, affine or replicated. This typing system has proven a versatile tool for the syntactic abstraction of simple, yet important behavioural properties in a straightforward, unified framework. Adapting this typing system to proper DS with failures and timing opens the door to type-based program construction and verification of DS with realistic language primitives (e.g. written in Java or ML) running at individual locations. It also facilitates the integration of various levels of computation ranging from very low-level code, high-level functional and object-oriented languages, to concurrency and distribution. The adaption of this typing discipline to a distributed setting is smooth: no new types are introduced, and no existing rules modified. We only add typing rules for timers and locations (and allow more weakening). To demonstrate the benefits of our typing system we formalise distributed liveness as local liveness at linear channels in each site, generalising the identification of liveness with linearity investigated in [7]. Local liveness at x means that within each site, an output can eventually happen at each linear channel. We prove that each typable network has distributed liveness. Type-based liveness guarantees greatly enhance our ability to construct DS in a methodical manner. Secondly, we consider distributing programs by type-based analysis: we show how to construct functions dist(·) such that [P|Q] behaves similarly to [dist(P)] | [dist(Q)] for a reasonably large class of programs. Local liveness is preserved by the translation. Finally, we use the typing system to add message loss probabilities in a consistent way, and we derive quantitative bounds 184

Berger and Yoshida

for timed, remote server invocation. Again, distributed liveness is not affected by this extension.

A Typing System for Distributed Liveness Our typing system is that of [5] with additional rules, and assigns to each free name in a process or network a channel type. In addition, some causality between channels is recorded. We outline the formal definitions of the types and typing systems. Detailed definitions are in the full version of this paper. We use the following action modes (ranged over p, p′ , ...) which prescribe different modes of interaction at each channel. We have modes: ↓l (linear input), ↑l (linear output), ↓a (affine input), ↑a (affine output), !l (linear server), ?l (client request to !l ), !a (affine server), ?a (client request to !a ). Types are then given by the grammar τ ::= (˜τ) p | l. In types, τ˜ is a vector of types and τ p indicates the (outermost) mode of τ. l indicates that a channel is no longer available for further composition with the outside; The l-mode at x indicates that the process x.0 | x cannot be composed with any process that has x as a free name. We also assume that replicated affine inputs carry a unique affine output (and vice versa). This condition ensures that an invocation at linear replication will eventually terminate, firing the associated linear output. We write md(τ) for the outermost mode of τ. The dual of τ, written τ, is the result of dualising all action modes. Then we define the least commutative partial operation, ⊙, which control the composition of channels as: (1) τ? ⊙ τ? = τ? and τ! ⊙ τ? = τ! ; (2) τ↑ ⊙ τ↓ =l. An action type, denoted A, B, . . ., is a finite directed graph with nodes of the form x : τ, such that no names occur twice; and causality edge x : τ → y : τ′ is of the form: (1) from a linear input ↓l to a linear output ↑l or (2) from a linear replication !l to linear client output ?l . A dualises all types in A. We write A(x) for the channel type assigned to x occurring in A. The partial operator A ⊙ B is defined iff channel types with common names compose and the adjoined graph does not have a cycle. Typing guarantees: (i) For each replicated linear name there is a unique replicated linear input with zero or more dual outputs (likewise for affine replicated names). (ii) For each linear name there is a unique linear input and a unique linear output (same for affine names). (iii) Linear channels have no circular dependency. (iv) Affine input channels cannot prefix linear output channels. ˜ can only travel between locations if neither a nor v, ˜ nor any of the names (v) Outputs ahvi they carry hereditarily, are linear. For example, under (i) above, b.a | ! b.c is untypable because b is associated to two replicators, but b.a | b | ! c.b is typable since, while output at b appears twice, replicated input at b appears only once. The typing discipline ensuring just (i, ii) is called affine, while one which ensures (i, ii, iii) is called linear. Affinity denotes possibly diverging behaviour in which a question is given an answer at most once. Linearity denotes terminating behaviour where invocations are always answerd precisely once. In replicated channels, linearity essentially means convergence while affinity means potential divergence. Note that linearity means more than termination. It indicates that a process always returns an answer when invoked. This we call liveness. Hence, to integrate linearity with affinity, we must impose 185

Berger and Yoshida

(iv). Due to inter-site message-loss, linear names should never travel between locations, leading to constraint (v). To formalise this, we say type τ is distributable if τ does not contain either linear input or linear output in its subexpressions. An environment A is distributable if A(x) is distributable for all x. Every network will have a distributable type. But does not guarantee liveness at the reply channels of remote calls. Our solution is to use timers to relax the typing system: in tha(x).P, ˜ Qi, we know that either a(x).P ˜ or Q will be executed. Hence, if x(v).P ˜ and Q suppress the same linear names, which we can easily check by typing, these linear names will come out eventually, either by stopping the timer with a message to a that arrives early enough, or through timeout. This works even if a is an affine name when typing a(x).P. ˜ Hence timers enable us to convert a linear input a(x).P. ˜ into an affine input on a in tha(x).P, ˜ Qi. We now list the key the new typing rules that are added to those in [5] (no existing rule needs change). T IMER

x(y).P ˜ ⊢A Q⊢A t hx(y).P, ˜ Qi ⊢ A

T IMERla L OC P ⊢ A

x(y).P ˜ ⊢ (x :(˜τ)↓l →A),B Q ⊢ x :(˜τ)↓a ,A,B t hx(y).P, ˜ Qi ⊢ x :(˜τ)↓a ,A,B A distributable [P] ⊢net A

is standard. [T IMERla] allows to suppress linear names by an affine input. Our aim is to ensure distributed liveness, i.e. “the invoker of a service will always be able to push the computation forward”, either be continuing with the received result (P) or by dealing with a timeout-induced failure (Q). Note that message passing between location is done only by affine names or affine replicated names (since only they can be lost), while liveness comes from linearity. [T IMERla ] reconciles affinity and linearity by typing P as a linear input with type A, then convert the linear input to an affine one in the conclusion. Notice that we cannot apply the same trick for Q since after t timesteps, Q is started and might wait for the message at x forever. Then by [L OC ], we convert a process P of distributable type to the network level. This way linear names can safely be suppressed by affine names. This subtle mix of affinity and linearity is impossible without timers. [T IMER ]

Applications We continue with three examples of using our typing system to derive significant results in a straightforward manner. Applications (1): Distributed Liveness. In [7], liveness based on linear channels was introduces. We show that this definition generalises smoothly to DS. Write P ⇓a if there ˜ ˜ R, v˜ such that P → ˜ ˜ with a ∈ / {b}. exist b, → (νb)(R | ahvi) •

(local liveness) A is closed if md(A(x)) ∈ {!a , !l , l} for all x. Suppose P ⊢ A, a : τ with A closed and md(τ) =↑l . Then we say P satisfies liveness at a if whenever P → → P′ , P′ ⇓a .

•

(distributed liveness) We say network N satisfies distributed liveness, if, for all P such that N ≡ (νa)([P ˜ | Q] | M) and P ⊢ A, a : τi with A closed and md(τ) =↑l , P has a local liveness at a.

Distributed liveness says that outputs can always eventually happen at linear channels, even when such channels are hidden (which is required at the network level to achieve distributability). Our definition generalises [7] by “looking under ν-binders” at each location. That such a straightforward, type-based extension of as important a concept as liveness to DS is possible, demonstrates the power of our approach to typing. 186

Berger and Yoshida

Theorem 1 For all N such that N ⊢ A, N satisfies the distributed liveness. Applications (2): Distributing Processes. Now we apply the typing system to the problem of taking a computation distributing it. Ideally, we would like to have a function, called distributor dist(·) such that [P | Q] ≃ [dist(P)] | [dist(Q)] for some suitable equivalence ≃. Such a distributor would divide the construction of DS into parts: one where functionality is considered assuming no failures, and a second phase where failures are taken into consideration (possibly constrained by probabilities, see below). Alas that is impossible in general: messages between P and Q in [P | Q] cannot get lost, in contradistinction to [dist(P)] | [dist(Q)]. Furthermore, timing is different: P’s time-consumption inevitably affects Q’s active timers in [dist(P) | dist(Q)] but not in the distributed version. Both expressivity chasms suggest to be more modest and instead of considering arbitrary P and Q, to restrict attention to distributing timer-free P and Q only. Furthermore, we don’t require that [P | Q] and [dist(Q)] | [dist(P)] be contextually indistinguishable. Instead [P | Q] should just be able to simulate [dist(P)] | [dist(Q)]’s error-free behaviour and vice versa. The typing system is of great help when constructing such dist(·) because it tells us which channels might be used between P and Q in a fairly precise way: even if [P|Q] is typable, [P]|[Q] might not be, due to linear channels between P and Q. These channels need their type changed. The idea behind our axiomatisation of distributors is that each dist(·) would take linear and affine inputs x(v).P ˜ ′ between P and Q, as determined by typing, and t convert then into timed affine inputs hx(v).P ˜ ′ , Ri, thus preserving linearity locally. For all other cases, distributors should be compositional. Theorem 2 Let dist(·) be a distributor meeting the axiomatisation. Then, assuming typability, [P | Q] and [dist(P)] | [dist(Q)] have the same error-free and timeout-free behaviour. Applications (3): Quantitative Reasoning. Our calculus is well-suited to quantitative analysis of DS because probabilistic extensions of the underlying π-calculus have been investigated [4]. In addition, the typing system imposes constraints on behaviour, which have enabled event structure semantics of π-calculus and hence λ-calculus [6]. These generalisations can mostly be carried over to our setting essentially unchanged. As an example, consider the remote invoker def

an hvi; ˜ th(x).P, ˜ Qi = Qn

with

def

def

Q0 = Q, Qk+1 = ak+1 hvi; ˜ th(x).P, ˜ Qk i

which tries to invoke a server at a, and repeats this invocation up to n times, if a reply doesn’t come back within t units of time. If we assume that the probability of message loss is 0 < p ≤ 1 (other forms of non-determinism remain unconstrained), and we impose progress requirements (i.e. the rule P → φ(P) can be used in a location if no other rule is applicable), then we can show that the probability that (νa)([!a(v).v] | [an hvi; th().b, ...i]) is indistinguishable from [b] converges to 1 exponentially quickly as n move to infinity. In such quantitative analyses, the typing discipline plays a key role, because it constrains process behaviour in significant ways, hence probabilities can be assigned easily, which facilitates analysis.

187

Berger and Yoshida

References [1] Alpern, B. and F. B. Schneider, Defining liveness, Technical report, Cornell University, Ithaca, NY, USA (1984). [2] Berger, M. and K. Honda, The Two-Phase Commit Protocol in an Extended π-Calculus, ENTCS 39 (2000). [3] Coulouris, G., J. Dollimore and T. Kindberg, “Distributed Systems, Concepts and Design,” Addison-Wesley, 2001. [4] Herescu, O. M. and C. Palamidessi, Probabilistic Asynchronous π-Calculus, in: Proc. FOSSACS, 2000, pp. 146–160. [5] Honda, K. and N. Yoshida, A uniform type structure for secure information flow, in: POPL’02 (2002), pp. 81–92, full version to appear in ACM TOPLAS. [6] Varacca, D. and N. Yoshida, Typed Event Structures and the π-Calculus, ENTCS 158 (2006), pp. 373–397. [7] Yoshida, N., Type-based liveness guarantee in the presence of nontermination and nond eterminism, in: PPL ’03, Proc. of JSST Workshop Programming and Program Language (2002), pp. 32–46.

188


Stochastic Ambient Logic Maria Grazia Vigliotti

1 ,2

Department of Computing Imperial College London,United Kingdom

Abstract We introduce the Stochastic Ambient Logic which extends the Ambient Logic with the probability operator and the steady state operator. The logic is useful for specifying properties of the Stochastic Mobile Ambients [12]. Keywords: Process algebra, Markov chains, Stochastic modelling

1

Introduction

In this paper we will present an extension of Mobile Ambients MA with continuous time delays and probabilities, where the underlying model is Markovian. We call this calculus Stochastic Mobile Ambients (SMA). This paper is a continuation of previous work [12], where we presented the semantics in terms of labelled transition system and we defined a strong Markovian bisimulation. In the current paper, however, we define the semantics based on the reduction relation and we extend the Ambient Logic [3] with the probability operator and the steady state operator. We call this logic Stochastic Ambient Logic (SAL). SMA is a standard extension of MA [5,9,8]. We augment the prefix of the capabilities with a rate name r as in [8] i.e. in (n, r), out (n, r), open (n, r) so that different transitions of the same process remain distinct. To each rate name r, a rate λ ∈ R is associated via a function. In this way, we make sure that each transition in the calculus is delayed by a random amount of time sampled from the negative exponential distribution. To each ambient a function f is associated that influences the rate of the computation, i.e. n[P ]f . This means that we can regard each ambient as running at a particular speed. The Stochastic Ambient Logic allows to express property on the SMA. 1 2

Supported by the EPSRC grant SPARTACOS Email: [email protected]


Vigliotti

We consider the logic without the constructors for dealing with hidden names, however our work could be easily extended to include the full Ambient Logic [4]. Our work on the logic can be used to express properties on other Ambient Calculus dialects [6] and to express properties on biological modelling [10].

2

Stochastic Mobile Ambients

We assume the existence of a set of names N ranged over by a, n, m, . . ., and a set of rate names R ranged over by r, r ′ , r ′′ , . . .. Moreover, we assume that the above sets are mutually disjoint. Definition 2.1 The set of process terms of SMA is given by the following syntax: P, Q ::= 0 P | i∈I Mi Pi

nil local sum

| n[P ]f

stochastic ambient

| P |Q

composition

| (νn)P

restriction

| (fix A = P )

recursion

| A

identifier

where I is a set of indexes and M stands for the capabilities defined by the following grammar: M, N ::= in (n, r)

enter capability

| out (n, r)

exit capability

| open (n, r)

open capability

P Nil represents the inactive process; Local sum i∈I Mi .Pi represents the standard choice; we assume the existence of a binding function ℓ : R → R such that in the prefixes M.P it is possible to extract via ℓ the rate of the random delays of the transitions. Each name rate is unique in each prefix of a given process. Given P a set of indexes I and a permutation p, we write p(i)∈I Mp(i) .Pp (i) to represent a reordering of terms of the summation. Stochastic ambient n[P ]f is composed of the name of the ambient n, the active process P , and the function f : R → R. Parallel composition P | Q means that P and Q are running in parallel. Restriction of the name n, (νn)P , makes that name private and unique to P . Recursion (fix A = P ) models infinite behaviour. We define here semantics in terms of a reduction relation. The main reason for working on reduction semantics is that labelled semantics for MA is very complicated [12], and reduction semantics provides a means to deal with computation in a simpler way. We present the reduction semantics in line with previous work on MA [3], since it also adapts well to the work on the logic. 190

Vigliotti

P |0≡P

(Struct Par Zero)

P |Q≡Q|P

(Struct Par Comm)

(P | Q) | R ≡ P | (Q | R)

(Struct Par Assc)

(νn)0 ≡ 0

(Struct Restr Zero)

(νm)(νn)P ≡ (νn)(νm)P

(Struct Restr Comm)

(νn)(P | Q) ≡ P | (νn)Q if n ∈ / fn(P )

(Struct Restr Par)

(νm)n[P ]f ≡ n[(νm)P ]f if n 6= m P P i∈I Mi .Pi ≡ p(i)∈I Mp(i) .Pp(i)

(Struct Restr Amb)

(fix A = P ) ≡ P {A/(fix A = P )}

(Struct Fix Rec)

(Struct Choice)

Fig. 1. Structural congruence

(red in)

m[in (n, r).P + S | Q]f | n[R]f

′

r

(red out)

n[m[out (n, r).P + S | Q]f | R]f

′

r

P

r

P′

P |R

r

P′ | R

P n[P ]f

r

open (n, r).P + S | n[P ]f

(red open)

r

(red par)

n[P ′ ]f

m[P | Q]f | n[R]f

r

P′

(νn)P

r

(νn)P ′

P ≡ P′

r

Q′ ≡ Q

P

r

Q

(red amb)

′

′

P |Q

P

P′

f (r)

n[m[P | Q]f | R]f

(red restr)

(red cong)

Fig. 2. Reduction Relation

Definition 2.2 The Structural Congruence Relation over the SMA is the smallest relation satisfying the equations in Figure 1. Definition 2.3 The reduction relation ⊆ SMA × R × SMA is the smallest relation satisfying the set of rules in Figure 2. To the reduction relation we can associate a transition relation →′ SMA × R+ × df P r ′ ℓ(r) or if SMA such that if P r P ′ then P λ(P,P ′ ) ′ P ′ where λ(P,P ′ ) = P P df P f (r) λ(P,P ′ ) ′ ′ ′ P P then P P where λ(P,P ′ ) = f (r) ′ f (ℓ(r)). We will show how P

P

to associate a Markov Chain to each process in SMA. Definition 2.4 An unlabelled Markov chain (MC) M is a pair M = hS, →i where S is a set of states, and → ⊂ S × R+ × S is the transition relation. 191

Vigliotti

We shall assume that any MC is finite i.e. has finite number of states and it is finitely branching. We let s, s′ . . . range over S. The transition s λ s′ denotes the system moving from state s to state s′ after a random delay determined from df P the negative exponential distribution with rate λ. We write R(s, s′ ) = λ ′λ s

s

(s 6= s′ ) to denote the cumulative rate of moving from state s to state s′ ; we write df P df E(s) = s′ ∈S R(s, s′ ) the total rate of possible transition from state s and p(s, s′ ) = R(s, s′ )/E(s) as the probability of changing state. An absorbing state s i such that E(s) = 0 and p(s, s′ ) = 0. In this paper we considering only finite state SMA, and df

we can regard this calculus as an unlabelled Markov chain MSMA = hSMA,

3

i.

Probabilistic Ambient Logic

In this section we will extend the Ambient Logic [3,4] to the stochastic setting. We take the standard approach (see CSL [1,2]) and replace the some time operator 3φ with a probabilistically quantified version of the form IP⊲⊳p (3φ) where ⊲⊳ ∈ {} and p ∈ [0, 1] and we introduce the standard steady state operator S⊲⊳p (φ). In the following we have not considered the logical operators that deal with hidden names [4] in order to keep the presentation simple. The syntax of the Probabilistic Ambient Logic (SAL) is defined below. Definition 3.1 The set of logical formulae of the Ambient Logic, written PAL, is the smallest set defined below: φ, ψ ::= T | ¬φ | φ ∨ ψ | 0 | n[φ] | φ | ψ | ◊ φ | φ@n | φ ⊲ ψ IP⊲⊳ (3φ) S⊲⊳ (φ)

probabilistic operator steady state operator

The first three connectives are standard in propositional logic. The remaining connectives are tailored to express properties about ambient processes relative to both time and space. n[φ] expresses that here and now there is an ambient called n inside which φ holds. ◊ φ expresses that some where, i.e. after traversing down through a number of ambients, φ holds. φ@n expresses that in context n, i.e. after being placed inside the ambient n, φ holds. φ ⊲ ψ expresses that ψ holds in in any context satisfying φ. Intuitively, process satisfies such a formula IP⊲⊳p (3φ) if the probability of reaching a process satisfying the formula φ satisfies the condition ⊲⊳ p. Similarly a process satisfies the formula S⊲⊳p (φ) if the steady-state probability of a set of states satisfying φ meets the bound of p Definition 3.2 Let P ∈ SMA. The process P ′ is a step away from P , written P ↓ P ′ iff ∃n, P ′′ such that P ≡ n[P ′ ]f | P ′′ . We write ↓∗ for the reflexive and transitive closure of the ↓ relation. Definition 3.3 Let M be a Markov Chain. An infinite path π over SMA is a df sequence π = s0 t0 s1 t1 s2 t2 · · · ti si+1 · · · such that ∀i that i ≥ 0 si ∈ S ti ∈ R+ and R(si , si+i ) > 0. We write π(i) for the ith state in the path π and 192

Vigliotti

P |= T

iff always

P |= ¬φ

iff not P |= φ

P |= φ ∨ ψ

iff P |= φ

P |= 0

iff P ≡ 0

P |= n[φ]

iff there exists P ′

P |= φ | ψ

iff there exist P ′ , P ′′ such that P ≡ P ′ | P ′′ and P ′ |= φ and P ′ |= ψ

P |= ◊ φ

iff there exists P ′ such that P ↓∗ P ′ and P ′ |= φ

P |= φ@n

iff n[P ]f |= φ

P |= φ ⊲ ψ

iff for all P ′ if P ′ |= φ then P | P ′ |= ψ

or

P |= ψ

such that

P ≡ n[P ′ ]f and P ′ |= φ

P |= IP⊲⊳p (3φ) iff Prob({π ∈ Path(P ) : π |= 3φ}) ⊲⊳ p P |= S⊲⊳p (φ)

iff limt→∞ Prob({π ∈ Path(P ) : π(t) |= φ}) ⊲⊳ p where π |= 3φ iff

∃i π(i) |= φ.

Fig. 3. Stochastic Ambient Logic

∆(π, i) = ti is the time spent in state si . For t ∈ R and i the smallest index such P that t ≤ 0≤j≤i tj we let π(t) = π(i). Finite paths are defined similarly with an ending state being absorbing. The set of paths (finite and infinite) starting in s is denoted by Path(s). A Borel space can be defined over Path(s) together with the associated probability measure Prob. Definition 3.4 The satisfaction relation |=: SMA × SAL, written P |= φ is the smallest relation defined in Figure 3. It has been shown [7,11] that the equivalence relation induced by the ambient logic roughly coincides with structural congruence - for the finite fragment of Mobile Ambients. We leave to future investigation to show whether this still hold in the SAL.

4

Conclusions

As future work is concerned we envisage to show that the current reduction semantics and the labelled semantics defined in [12] coincide. We also aim to apply both the Stochastic Ambient Calculus and the Stochastic Ambient logic to modelling and verification queuing models. Acknowledgements We gratefully acknowledge M. Kwiatkowska, G. Norman and D. Parker from the University of Birmingham and the AESOP group at Imperial College of London for 193

Vigliotti

useful discussions.

References [1] A. Aziz, K. Sanwal, V. Singhal, and R. Brayton. Verifying continuous time Markov chains. In R. Alur and T. Henzinger, editors, Proc. 8th International Conference on Computer Aided Verification (CAV’96), volume 1102 of LNCS, pages 269–276. Springer, 1996. [2] C. Baier, B. Haverkort, H. Hermanns, and J.-P. Katoen. Model-checking algorithms for continuous-time Markov chains. IEEE Transactions on Software Engineering, 29(6):524–541, 2003. [3] L. Cardelli and A. Gordon. Anytime, anywhere. modal logic for mobile ambients. In Proc. 27th ACM Symp. Principles of Programming Languages (POPL’00), pages 365–377. ACM Press, 2000. [4] L. Cardelli and A. Gordon. Logical properties of name restriction. In S. Abramsky, editor, Proc. 5th Int. Conf. Typed Lambda Calculi and Applications (TLCA’01), volume 2044 of Lecture Notes in Computer Science, pages 46–60. Springer-Verlag, 2001. [5] J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996. [6] F. Levi and D. Sangiorgi. Controlling interference for ambients. In Proc. 28th ACM Symp. Principles of Programming Languages (POPL’01), pages 352–364. ACM Press, 2000. ´ Lozes. Expressivit´ [7] E. e des logiques spatiales. Th` ese de doctorat, Laboratoire de l’Informatique du Parall´ elisme, ENS Lyon, France, 2004. [8] R. De Nicola, J.-P. Katoen, D. Latella, and M. Massink. Towards a logic for performance and mobility. In A. Cerone and H. Wiklicky, editors, Proc. 3rd Workshop Quantitative Aspects of Programming Languages (QAPL 2005), volume 153 (issue 2) of Electronic Notes in Theoretical Computer Science, pages 161–175. Elsevier, 2006. [9] C. Priami. A stochastic π-calculus. The Computer Journal, 38(7):578–589, 1995. [10] A. Regev, E. Panina, W. Silverman, L. Cardelli, and E. Shapiro. Bioambients: an abstraction for biological compartments. Theoretical Computer Science, 325(1):141–167, 2004. [11] D. Sangiorgi. Extensionality and intensionality of the ambient logics. In Proc. 28th ACM Symp. Principles of Programming Languages (POPL’01), pages 4–13. ACM Press, 2000. [12] M. Vigliotti and P. Harrison. Stochastic mobile ambients. In A. Di Pierro and H. Wiklicky, editors, Proc. 4th Int. Workshop Quantitative Aspects of Programming Languages (QAPL 2006), volume 164 (issue 3) of Electronic Notes in Theoretical Computer Science, pages 169–186. Elsevier, 2006.

194