Extended Transition Systems for Parametric Bisimulation Paola lnverardi
Corrado Priami
Daniel Yankelevich
I.E.I. - C.N.R. Via S, Maria, 46 1-56100 Pisa mail:
[email protected].~nr.it
U n i v ~ i ~ di Pisa Ditto di Informatiea C.so Italia, 40 1-56100 Pisa email:
[email protected]
Univeffi'si~ di Pisa Dipartimento di Informatica C.~ Italia, 40 1-56100 Pisa mail: daay@ newlorL csc.nesu.edu
1. Introduction In the last years, a wide spectrum of semantic models for concurrency has been developed. Each model deals with different aspects of distributed concurrent systems. Moreover, there is no general accepted model. Indeed, different approaches may be used to specify different properties (or views) of the system. For example, final users of a system may just want to know how the system behaves in terms of its possible temporal sequences of actions, and thus the interleaving semantics [ 14] is suitable for them. On the other hand, designers usually need information about causal and spatial dependencies between events, and thus a truly concurrent semantics is more adequate for them. A formalism able to describe many models in a single framework provides a general basis that perrllits to"
i. classify and compare the descriptive power of such models on f'Lrmgrounds ii. reuse general definitions and results iii. describe different views of a system without changing almost nothing of the underlying theory. These considerations leads to the development of parametric theories [5, 6, 8, 9, 15]. These approaches, starting from a very detailed description of systems given in the SOS style [17], provide abstraction mechanisms to recover many models presented in the literature. The parametric approach of [5, 6] roughly consists of the following four steps. i. Define element,~-y transitions which describe the immediate evolution of the system; ii. Construct computations of the system as paths in the transition system and give them a tree structure by ordering them by prefix; iii. Introduce observations over computations to abstract from unwanted details, and decorate the trees above with observations, thus obtaining observation trees;, iv. Compare observation trees to determine which systems have an equivalent behaviour by means of a bisimulation relation. Following this approach, many semantics can be captured just by slightly changing the observations of the third step (see [15, 20]). An alternative approach [8] take proved transition systems [1] as privileged transition systems, where transitions are labelled with their proofs. Computations are defined as sequences of transitions, and are organized as trees, called proved trees. Their arcs are labelled with (encodings '
Work partially supported by Progetto Finalizzato Sistemi Informatici e Calcolo Parallelo
559
of) the proofs of the transitions and then are observed to recover many semantic models. Classical bisimulation [16] is defined over proved trees for comparing the behaviour of systems. In [9] transition are considered to be terms of an algebra. The description of a system is driven to a tree-structured normal form in an axiomatic way. Also in this case, abstraction mechanisms allows to retrieve many models for the semantics of concurrent systems. All approaches outlined above relies on tree sla'ucmres to describe the behaviour of a system. Thus, they can finitely describe only systems having finite behaviour. This fact is a major drawback to perform bisimulation-based verifications. In fact, most of the approaches to automatic verification uses algorithms which rely on graph representation of the system [10, 13]. Moreover, almost any example of distributed systems has possibly infinite behaviours, and therefore it cannot be checked by using tree-like representations. In this paper we propose a new kind of transition systems, called Extended Transition Systems (ETS), which extend previous approaches that deal with tree-structures to graphs. This model gives a parametric finite representation of a finite state system, by unifying many of the ideas of [5, 6] from one side and of [1, 8] from the other. Indeed, we start from the proved transition system and we label each node n with a regular expression describing all computations from the initial state to n. Hence, the number of the states in our representation does not increase with respect to the original transition system. We define abstraction mechanisms over ETS in order to get different views (observations) of a system. Also, a notion of parametric bisimulation is introduced. Moreover, we show that our parametric bisimulation coincides with the equivalences defined in [5, 6, 8]. We give some results to compute bisimulation for a class of observations, called incremental, and we briefly discus how this approach can be extended to other views. An immediate application of the results of this paper is the extension of parametric tools for verification of concurrent systems like [11 ] also for finite state systems. Indeed, if we apply our approach to a system with finite behaviour, we obtain the structures used by the tool of [11]. The paper is organized as follows. The following section recall the background of parametric theories. In Section 3 the extended transition systems are introduced and a notion of parametric bisimulation is defined over them. Also, we show that our equivalence coincides with the ones of [5, 6, 8]. Finally, Section 4 discusses how regular expressions can be observed.
2. Background In this section we briefly recall the basic notions of the parametric theory based on observation trees [5, 6], on proved transition systems [1] and on proved trees [8]. We recall the basic definitions of those theories by considering systems specified in the well-known Calculus of Communicating Systems (cos) [14]. Definition 2.1 (ccs) Let A be a set of names (ranged over by a, 13. . . . ). Let - be an involution on A, and call complementary names the elements of the set A'. Then A = A u A- is the set of labels (ranged over by X) and A = A u {x} is the set of actions (ranged over by It). The set T of closed CCS terms is expressed by the following BNF-grammar: t ::= nil I x I }.t.t I (t I t) I (t + t) I t"~aI tie] I rec x.t with the restriction that the term t in rec x.t is well-guarded, and where r is a relabelling function preserving 't and -. 0
560
In order to have a very concrete model for the description of distributed concurrent systems, the operational semantics of c c s is given in the s o s style [17] through the proved transition system (ITS) [1]. The transitions of ITS are labelled by encodings of their goofs. More precisely, we consider a variant of the Boudol' and Castetlani's ITS, where the representation of synchronizations requires two rules for restriction as in [8]. Moreover, a rule for relabelling is introduced. First, we define the alphabet for the labelling of transitions, and then we report the proved transition system. Definition 2.2 (Proof Terms) L e t O ~ {11o,II1, +o, +l, ~ , r *, The set of proof terms is O = {O~ I ~e A} u {~,OoX, 01X'>I ;~e A}, ranged over by 0.
0
Definition 2.3 (Proved Transition System, PTS [11) The proved transition system ITS = ('7;, O, _ 0 ~ ) , where "/" is the set of COS terms, O is the set of proof terms and the transition relation _ 0 ~ ~ "/'x O x 'Tis def'med by the following axiom and rules:
Act
V..t-V,.--~ t
Sum
Rel
t _ o ~ t'
t _ o ~ t'
t + t" - + o O - ) t'
t" + t -+10--9 t'
t _ o ~ t'
t[r _r Res
t'[r
t - o l x ~ t' , I.t ~ {(z, cx-}
t',a _',uo~-~ t",a t _o~
Asyn
t'
to-O~
t'
t" I t -II10~ t" I t'
t'~ tl -Olg-'-~ t'1
to I q _,ooX, oiX-,.-.~
Rec
t',o. -',~O,Oo, 0~,-o t',a t _o~
t I t" -II0O.-.~t' I t"
Syn
t - o , o o, e t , ~ t'
t'oI t' x
tire* x.t/x] _ 0 ~ t' re. x.t _ 0 ~ t'
0
As it is already noted by Boudol and Castellani, it is immediate to recover the classical labelled transition system of CCS [14] from the above one. It is sufficient to delete the proof part of the labels of the transitions. We def'me the operational meaning of each Cos term t as the portion of the PTS that is generated by the term t, denoted by [tim. Alternatively, the operational meaning of a CCS term t can be defined as the unfolding from t of the proved transition system as in [8]. The obtained tree is called proved tree and it is denoted by [t]pt. Example 2.1 (Operational Construction of Proved Transition Systems) Consider the CCs term t = rec x. ct.lLx I rec x. ~,.x. The ITs generated by the operational rules of Definition 2.3 is illustrated in Figure 2.1. 0
561
[k,•lIft Fig. 2.1 -
Provedtrmfidon system generatedby the tema
rec x. ot.lLx I rec x. ",/.x
The definition of proved trees follows, assuming the standard syntax for trees as summations. Definition 2.4 (Proved Tree) The proved tree of a CCS term t is [flit = Tie I 0i'[ti]pt, where, Vi ~ I, t -0i---) ti is a transition of the proved transition system. In the sequel, isomorphic trees will be identified. The set of proved trees generated by CCS terms will be denoted by PT. 0 Given a tree, an arc is uniquely determined by its label and its depth. Indeed, proved trees cannot be simplified applying the axiom x+x -- x, stating idempotencc of summation, as tag +0 is different from +1- Therefore, in the formal summation ZiGt 0i-[ti]pt , Vi,j~ I, i,j, we have 0i;~ Oj. Note also that the set I is always finite, i.e. the trees are finitely branching, because CCS terms are guarded. Now, we define computations as sequences of transitions, i.e. paths in the PTS. Definition 2.5 (Computations) Let [t]pts be the proved transition system generated by t and let to-0.-> h be a transition of [t]p~. Then, to is called the source of the transition and t t its target. The set C of computations of [t]r~ is given by all sequences t - 0 o ~ t t - 0 t ~ t2 - 0 2 ~ t3 -0y-.-~ starting from t and such that the target of any transition coincides with the source of the next one. In the sequel, we use the notation t ---'~-> t 3, where ~ = 00;0t;02 ranges over C. The empty computation is denoted by e. Recall that the operator ";" is used for the sequential composition of transitions. Also, source and target are extended in the obvious way to computations. 0 Alternatively to proved trees, a tree-like structure may be generated by ordering by prefix all computations outgoing from a starting state (corresponding to an agen0 as the basic model of concurrent distributed systems. These structures are called observable trees [6]. Roughly speaking, an observable tree generated by an agent t is a tree, the nodes of which are the computations of t. The formal definition is the following. Definition 2.6 (Observable Trees) Let t be a COS term and let N = {9 1t ---'~=> t t with t I a reachable state of [t]~} u {~} be the set of all computations with source t and leading to any reachable state of [tim. Let ~ be an ordering relation over N such that 9' ~re ~" iff ~" = ~ ' with ~ possibly empty, ~, ~', ~" ~ N. Then, the observable tree generated by t is [t]oT = ,N, _ t' and ~i is a computation in [t]pts} of all computations that have as target the considered node. In order to define bisimulations on ETS we represent the set C(t') as an ordered
565
summation of regular expressions R = Y.i ri, where each ri does not contain +. Indeed, in the comparison step of the bisimulation it is necessary to correctly augment the two computations that are currently compared. Hence, we implicitly assume an ordering (from left to right) on the arcs outgoing from nodes of ETSs. By convention, any node is uniquely identified by a string of integers. For instance, the suing 1.2.1 denotes the first node of the second son of the root. This avoids possible shuffles of computations that could result in the equivalence of agents which are not. We are now able to define the extended transition systems. Definition 3.2 (Extended Transition System) Let t be a c c s term and [t]pts its corresponding PTS. The extended transition system (ETS) originated by t and denoted by [t]eu is obtained by labelling any node f of [t]pts with R = Zi ri, i.e., the ordered summation of regular expressions over the alphabet of proof terms representing the computations from t to t'. The regular expressions in Rare denoted as r[k], where k = hi.j, h i is the ordered position of the i th immediate predecessor ti of t' with respect to the initial node and j is the position of t' among all the nodes generated from ti. O Note that given a finite state proved transition system, the corresponding extended transition system can be constructed by using an algorithm which generates a regular expression from an automata. We use as automata the proved transition system originated by a CCS term and as language the proofs of transitions. The regular expression that we associate to a node t' is the one obtained by choosing it as acceptance state of the automata. This approach is very similar to ideas of path expressions [18], where regular expressions are used to describe all paths between two nodes of a directed graph. An algorithm to construct path expressions is presented in [19]. The next step introduces the notion of bisimulation over the ETS. Note that differently from Definition 3.1, the following definition provides an effective checking algorithm when dealing with f'mite state systems. In fact, in this case the number of nodes to be examined is finite as well as the size of their labels. Definition 3.3 (Parametric Bisimulation on Extended Transition Systems) Let [t]ets and [t']ets be two ETS, and let O be an observation function. Given two nodes t I and t' 1 of [tiers and [t']ets, let ~i ri and r.j r'j be their corresponding labels. Then, a relation R, on the nodes of the transition systems is a strong parametric bisimulation iff whenever (t 1, t'l, rs[h], r'l[k]) e R, 9
9
tro--->t 2 implies that there exist t'2 labelled by K2 such that t'l-0'~t'2, O (r2[s]) = O (r'2[q]) and (t2, t'2, r2[s], r'2[q] ) e R,, where r2[s] and r'2Iq] are such that s = h.x and q = k.y, with x, y the positions of t2 and t'2 among all the nodes generated from their inamediate predecessors, respectively; t ' l - 0 ' ~ t ' 2 implies that there exist t 2 labelled by ~ such that t l - o ~ t 2, O (r2[s]) = O (r'2[q]) and (t 2, t'2, r2[s], r'2[q]) e R,, where r2[s] and r'2[q] are such that s = h.x and q = k.y, with x, y the positions of t 2 and t'2 among all the nodes generated from their immediate predecessors, respectively;
Analogously, the relation R, on the nodes of the transition systems is a weak parametric bisi-
mulation iff whenever (tl, t'l, r[h], r'[k]) e R, 9
tl-o--->t 2 implies that there exist t'2 labelled by R'2 such that t'l=o'=>t'2, O (r2[s]) = O (r'2[q]) and (t2, f2, r2[s], r'2[q]) e R,, where r2[s] and r'2[q] are such that s = h.x and q =
566
9
k.y, with x, y the positions of t2 and t'2 among all the nodes generated from their immediate predecessors, respectively; t ' t - o ' ~ t ' 2 implies that there exist t2 labelled by ~. such that tl=a=_>t2, O (r2[s]) = O (r'2[q]) and (t2, t'2, rz[s], r'2[q]) e R,, where r2[s] and r'2[q] are are such that s = h.x and q = k.y, with x, y the positions of t2 and t'2 among all the nodes generated from their immediate predecessors, respectively.
Finally, [tins and [t']et~are bisimilar iff for all r[i] in the label of t there exists r'[k] in the label of t' such that (t, t', r[i], r'[k]) e R,, and viceversa. As usual, we take the congruences induced by the largest above relations, and denote them again by ...p and ~'r,. 0 Note that the above definition of parametric bisimulation deals with the observation of a regular expression. This topic is the argument of the next section. The soundness of Definition 3.3 is guaranteed by the following theorem. Theorem 3.2 (Soundness of Parametric Bisimulation on ETS) Given two CCS terms t and t', [t]ets ~p [t']cts iff [t]pts ~ [t']pts. Outline of the arc;of'. Given a node ti of [tins, the regular expression ~i associated to ti is a finite representation of all computations from t to ti. Hence, a step of comparison in ETS corresponds to many (possibly infinite) steps of comparison in PTS. Moreover, the assumption that the labels of the nodes in the ETSs are ordered summations assures that different computations are not shuffled during the bisimulation process. Hence, a comparison step in Eq'S corresponds to all and only the steps in PTS. The proof carries on as follow: if [t]~ ---p[t']ns there exists a bisimulation R such that [t]m R [t']ets. Starting from R a bisimulation R' can then be defined such that [t]pts R' [t']pts. The same applies by first assuming It]ira =p [t']~. 0 4. O b s e r v a t i o n s
and Regular
Languages
In this section we discuss the problem of dealing with the equivalence of labels in E'rSs. Indeed, since the labels to be compared in the ETS are regular expressions that in general describe an infinite set of computations, we want to determine if the (possibly infinite) set of observations of two labels are the same or not. More precisely, if O is the obvious extension of an observation function to sets, we want to know if O (P0 = O (~), where R and N are the regular expressions labelling two nodes of an ETS. As a fn'st result, we report the following fact. Fact 4.1 (Languages and Observations) Let R and ~'.be two regular expressions, and let L(PO and L(~O be the languages denoted by R and ~, respectively. Then, L (90 = L (~.) implies O (90 = O (~3. 0 Clearly, the above fact gives a sufficient condition for checking equivalences by using wellknown techniques from formal languages theory. There are cases when the languages of two regular expressions are not equal, but their observations in a particular model coincide. In order to deal with these cases we distinguish observations in incremental and non-incremental, according to [6]. Definition 4.1 (Incremental Observations) Let ~l, ~'l, ~,2,~,'2be computations and let O be an observation function. Then, O is called in-
567
cremental if O ([1) = O ([']) and O ([z) = O (['~ imply O (~1"['0 = O ([2"['2), w h e r e - denote concatenation of computations. 0 For any incremental observation O it is very easy to translate the structure of regular expression of computations into observations. More precisely, we have the following lemma. L e m m a 4.1 (Languagesand Incremental Observations) Let O be an incremental observation function and let O (90 = ~ and O (~) = ~-1" Then, O (~) =
o(~3 ifand only if :.(~) = L (~). Proo:. Since 0 prescrves the constructors of regular expressions +,., and * (see Dcfinition 4.1), it is possible to concatenate observations and to compute finiteiterationsof them from a basic value. Hence, the observation of a regular expression is itselfa regular expression on a diffcrcnt alphabet. Finally, two regular expressions are equivalent if their languages are equal. 0 E x a m p l e 4.1 (Observing Extended Transition Systems) Consider the CC$ term t = rec x. ct.15.x I rec x. ?.x, whose FTS is illustrated in Figure 2.1. The corresponding ETS is reported in Figure 4.1(a). Also, consider the CC$ term t' = rec x. (?.x + ct.(rec y. (?.y + ILx))). The ETS of t' is shown in Figure 4.1(b). Clearly, It] and It'] are not bisimilar in any observation that distinguishes the parallel composition from interleaving and nondeterminism. Hence, let O be the classical interleaving observation function, that is incremental. We have O (((111?)*.(Iloa.(1117)*.11o13)*)*)= O (((+o?)*.(+lCt.(+0?)*.+ll3)*)*) = (T*.(ct.7*.13)*) * and also O ((lllT)*.lloot.(lllT)*.(llol3.(lllT)*.lloct.(lllT)*)*) = 7*.ct.7*.(ILT*.a.?*)* = O ((+o?)*.+lct.(+07)*.(+]lL(+oT)*.+]ct.(+oT)*)*). Thus, by application of Lemma 4.1 the bisimulation that proves the equivalence of t and t' is the following { (P, q, ((lllY)*.(lloct.(lllY)*.llo[3)*)*, ((+ou (rp', q', ((lllT)*.ll0ct.(lllY)*.(llolL(lllT)*.lloct.(lllT)*)*,
((+o,t)*.+la.(+or)*.(+t P.(+o~,)*.+lcc.(+o,/)*)*) }. Note that in this example instead of using ordered summations of regular expressions to label the nodes of the ETS, we use a single expression because the two transition systems to be checked have the same structure, hence it is correct to use the well-known law for regular expressions (e I
+ e2)* = (el*~*)*
0
r162II~)'c lloO.II~ v')'~ B~)*
r162
p)'3 q
IIoI~ k
[l~a
)+O'y
+IB
[~.,~fl uir ( II fr)*lloar II]~)" (lloP Oilfr)" Iloa( il fr~ )" (a)
l+o'r C§
+~ a r
r247p ~o.r? +~ a ~o.r)* ) * Co)
Figure 4.1 - ETS of t = rec x. vt.13.xI rec x. T.x (a) and of t' = tee x. (u + a.(rec y. (7.Y+ l&x))) Co). For non-incremental observations, the situation is more complex. Indeed, these observations do not preserve the structure of computations and therefore Lemma 4.1 does not apply. In order
568
to cope with this problem, we decompose any non-incremental observation into an incremental one and an abstraction function f. Thus, we use Lemma 4.1 for the incremental component of the observation and then we apply f during the comparison steps. The existence of the decomposition is ensured by the following fact. Fact 4.2 (Decomposition of non-incremental Observations) Let O be a non-incremental observation function. There exists an incremental observation function Of and an abstraction function f such that O=f.Cl, where, denotes function composition. 0 In the following example we show how it is possible to obtain a non-incremental observation like partial orders from a more concrete and incremental one like spatial histories [9] (also called concurrent histories in [7]). Example 4.2 (Decomposition of non-incremental observations) Consider the COS term t = (or.nil I "/.('t.nil + ILnil))[r + &nil where r is such that r = ~t. A possible computation of t is ~ = +0r r 0111+tlL If ~ is observed as a spatial history, we get the representation of Figure 4.2(a). The right partial order observation of ~ is represented in Figure 4.2(b). The two structures are almost the same, it is easy to define an abstraction function f that simply discards the initial and final nodes of the spatial history to get the corresponding partial order. 0 I~
iiI
i MI
(~)
Figure 4.2 - Spatial History and Paaial Order of the computation ~ = +0r
~lllY r
+ 113.
Finally, note that if we consider a term with finite behaviour, the language associated to each node of the extended transition system is described by a summation of regular expressions that represents Finite languages. In other words, any node is labelled by the tree of computations (represented as formal summation) leading to it and therefore it can be observed with incremental and also non incremental observations as done in [8, 15]. As an example consider the proved transition system originated by the CCS term t = c~.~.&nil + y.&nil and depicted in Figure 4.3. The regular expression attached to the final state of [t]pts is R= +0a.136+ +1"/6.
+l.f 4
Figure 4.3 - Proved Transition System originated by the term u..~.&nil + y.&nil
569
5. C o n c l u s i o n s In this work we have defined a parametric model for describing the semantics of finite states systems. It relies on the parametric theories of observation trees [5, 6] and proved trees [8]. A notion of parametric bisimulation is introduced over extended transition systems and it is shown that this equivalence coincide with the ones already presented in literature. The results presented in this paper are fundamental for a practical use of a parametric theory in automatic verification of systems. Following the definitions given above, it is immediate to derive an algorithm for parametric bisimulation when incremental observations are considered. The extension to other observations is under development following the approach of decomposing any non-incremental observation into an incremental one and an abstraction function. The basic idea is use standard techniques from fix-point theory to prove properties on regular languages that may permit to make this decomposition effective. References [1] Boudol, G., Castellanio I., A non.interleaving semantics for CCS based on proved transitions, Fundamenta Informatieae, XI (4), 1988, 433 - 452. [2] Boudol, G., CasteUani, I., Hennessy, M., Kiehn, A., A Theory of Processes with Localities, in Prec. CONCUR'92, LNCS, Springer-Verlag, 1992. [3] Darondeau, Ph., Degano, P., Causal Trees, in Prec. ICALP '89, LNCS 372, 1989, 234 - 248. [4] l:k:gano, P., De Nicola, R., Montanari, U., On the Operational Semantics of Distributed Concurrent Systems, in Pro
