History Dependent Automata - CiteSeerX

U NIVERSIT A` DEGLI S TUDI DI P ISA D IPARTIMENTO DI I NFORMATICA

D OTTORATO DI R ICERCA IN I NFORMATICA Universit`a di Pisa

P H .D. T HESIS : TD-5/99

History Dependent Automata M ARCO P ISTORE

March 1999 Addr: Corso Italia 40, 56125 Pisa, Italia Tel: +39-050-887111 — Fax: +39-050-887226 — E-mail: [email protected] http://www.di.unipi.it/˜pistore

Thesis Supervisor: Prof. Ugo Montanari

Abstract In this thesis we present History-Dependent Automata (HD-automata in brief). They are an extension of ordinary automata that overcomes their limitations in dealing with history-dependent formalisms. In a history-dependent formalism the actions that a system can perform carry information generated in the past history of the system. The most interesting example is the -calculus: channel names can be created by some actions and they can then be referenced by successive actions. Other examples are CCS with localities and the history-preserving semantics of Petri nets. Ordinary automata are an unsatisfactory operational model for the history-dependent formalisms: infinite automata are obtained for all the systems with infinite computations, even for very simple ones; moreover, the ordinary definition of bisimulation does not apply in these cases, thus preventing the reusage of standard theories and algorithms. We define three versions of HD-automata, that have different features and different expressive power. We show that HD-automata are an adequate model for the historydependent formalisms by presenting translations of (early, late, open, and asynchronous) -calculus, of CCS with localities, and of Petri nets into HD-automata. Finite HDautomata are obtained for significant classes of systems with infinite computations. Moreover we define HD-bisimulation, both in a set-theoretical way (that is suitable for automatic verification in the case of finite HD-automata) and in a categorical way (via open maps). HD-bisimulation captures the classical definitions of bisimulation on the considered history-dependent formalisms. We also describe HAL, a verification environment for history-dependent systems that is based on HD-automata.

‘I checked it very thoroughly,’ said the computer, ‘and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you’ve never actually known what the question is.’ — DOUGLAS ADAMS, The Hitch Hiker’s Guide to the Galaxy (1979)

Acknowledgments I wish to thank Ugo Montanari, who has been a precious advisor and collaborator in these years. Ugo first introduced me to the theory of concurrency when I was an undergraduate, and since then his hints and technical support have been priceless. Thanks go also to all the colleagues that I had the pleasure to meet in these years, and in particular to Davide Sangiorgi, Gianluigi Ferrari, and Flavio Corradini, that have been precious collaborators and friends. I’ll also thank my room-mates, for the serene and stimulating atmosphere that they were able to create. I thank also my reviewers, Mogens Nielsen and Davide Sangiorgi, as well as Rocco De Nicola and Furio Honsell, for their useful comments, that helped me to improve the contents and the quality of the presentation of the thesis (I let you imagine how it was before : : : ). Last but most important, a big “grazie” goes to my parents, for their patience and encouragement, and to Tiziana, who has given me the serenity and the enthusiasm to work on this thesis.

Contents 1 Introduction 1.1 The -calculus . . . . . . . 1.2 Automata and -calculus . . 1.3 History-dependent automata 1.4 Main results of the thesis . . 1.5 Summary of the thesis . . . 1.6 Origin of the thesis . . . . .

I

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

Preliminaries

1 3 6 8 10 11 13

15

2 Notations 2.1 Structured objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Relations and function . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Substitutions and renaming . . . . . . . . . . . . . . . . . . . . . . . . .

17 17 17 18

3 Ordinary Automata and CCS 3.1 Ordinary automata . . . . . . . . . . . . . . 3.1.1 Bisimulation on automata . . . . . . 3.1.2 Minimal automata . . . . . . . . . . 3.2 CCS . . . . . . . . . . . . . . . . . . . . . . 3.2.1 Representing CCS agents as automata 3.2.2 Weak semantics of CCS . . . . . . . 3.3 Algorithms for checking bisimilarity . . . . . 3.3.1 The “on-the-fly” algorithm . . . . . . 3.3.2 The partition refinement algorithm . . 3.3.3 Comparisons . . . . . . . . . . . . .

. . . . . . . . . .

19 19 20 21 22 23 25 25 25 26 26

4 History-Dependent Calculi 4.1 CCS with value passing . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 CCS with localities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Petri nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29 29 33 36

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

x 5 The -Calculus 5.1 Syntax of -calculus . . . . . 5.2 The early semantics . . . . . . 5.3 The late semantics . . . . . . . 5.4 The open semantics . . . . . . 5.5 The asynchronous -calculus . 5.6 Weak semantics of -calculus

Contents

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

39 39 41 42 44 48 52

II History Dependent Automata

55

6 Basic History Dependent Automata 6.1 HD-automata . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 From CCS with value passing to HD-automata . . . 6.2 Bisimulation on HD-automata . . . . . . . . . . . . . . . . 6.2.1 Basic properties of HD-bisimulation . . . . . . . . . 6.2.2 Global states and global bisimulation . . . . . . . . 6.2.3 Relating VP-CCS bisimulation and HD-bisimulation 6.3 From HD-automata to ordinary automata . . . . . . . . . . . 6.3.1 Active names . . . . . . . . . . . . . . . . . . . . . 6.3.2 Irredundant HD-automata . . . . . . . . . . . . . . 6.3.3 Unfolding HD-automata . . . . . . . . . . . . . . . 6.4 From CCS with localities to HD-automata . . . . . . . . . . 6.5 From Petri nets to HD-automata . . . . . . . . . . . . . . . 6.6 Concluding remarks on HD-automata . . . . . . . . . . . . 6.6.1 Weak semantics . . . . . . . . . . . . . . . . . . . . 6.6.2 Minimization of HD-automata . . . . . . . . . . . .

. . . . . . . . . . . . . . .

57 58 60 63 65 68 73 74 75 80 81 88 91 96 97 99

. . . . . . . . . . . . .

103 106 108 109 112 113 115 118 119 121 122 123 125 131

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

7 History Dependent Automata with Symmetries 7.1 Symmetries on N . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 HDS-automata . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 From -calculus to HDS-automata: early semantics . . . 7.2.2 From -calculus to HDS-automata: late semantics . . . 7.2.3 From Basic HD-automata to HDS-automata . . . . . . . 7.3 Bisimulation on HDS-automata . . . . . . . . . . . . . . . . . . 7.3.1 Basic properties of HDS-bisimulation . . . . . . . . . . 7.3.2 Global states and global bisimulation . . . . . . . . . . 7.3.3 Relating -calculus bisimulation and HDS-bisimulation 7.3.4 Relating HD-bisimulation and HDS-bisimulation . . . . 7.4 Minimizing HDS-automata . . . . . . . . . . . . . . . . . . . . 7.5 From HDS-automata to ordinary automata . . . . . . . . . . . . 7.6 Concluding remarks on HDS-automata . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . .

Contents

xi

8 History Dependent Automata with Negative Transitions 8.1 HDN-automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.1 From -calculus to HDN-automata: the asynchronous semantics 8.2 Bisimulation on HDN-automata . . . . . . . . . . . . . . . . . . . . . 8.2.1 Relating asynchronous bisimulation and HDN-bisimulation . . 8.3 Iterative characterization of HDN-bisimulation . . . . . . . . . . . . . 8.3.1 Redundancy-consistent HDN-automata . . . . . . . . . . . . . 8.3.2 Active names . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.3.3 Irredundant HDN-automata . . . . . . . . . . . . . . . . . . . 8.3.4 Algorithmic aspects . . . . . . . . . . . . . . . . . . . . . . . 8.4 From -calculus to HDN-automata: the open semantics . . . . . . . . . 8.4.1 Distributed open bisimulation . . . . . . . . . . . . . . . . . . 8.4.2 Non-redundant transitions . . . . . . . . . . . . . . . . . . . . 8.4.3 The mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.5 From -calculus to HDN-automata: the asynchronous semantics . . . . 8.6 Concluding remarks on HDN-automata . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

III Additional Results 9 A Categorical Approach to HD-Automata 9.1 The categories of HD-automata . . . . . . . . . . . . . 9.1.1 Categories of enriched sets . . . . . . . . . . . 9.1.2 Defining the enriched automata . . . . . . . . 9.2 HD-bisimulations on categories of HD-automata . . . 9.2.1 Open maps and automata . . . . . . . . . . . . 9.2.2 Application to Basic HD-automata . . . . . . . 9.2.3 Application to HD-automata with Symmetries . 9.2.4 Minimal HDS-automata . . . . . . . . . . . . 9.3 Concluding remarks . . . . . . . . . . . . . . . . . . .

133 135 136 137 139 140 141 145 147 148 150 150 152 154 157 164

165 . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

167 167 168 169 170 170 172 175 176 177

10 HAL: A Verification Environment Based on HD-Automata 10.1 System overview . . . . . . . . . . . . . . . . . . . . . 10.2 The algorithms behind HAL . . . . . . . . . . . . . . . 10.3 A case study: the handover protocol . . . . . . . . . . . 10.4 Concluding remarks . . . . . . . . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

179 179 182 183 184

11 Conclusions

185

Bibliography

187

List of Figures 1.1 1.2 1.3 1.4

Dynamic reconfiguration of channels in -calculus Name extrusion in -calculus . . . . . . . . . . . . A transition of a HD-automaton . . . . . . . . . . An example of HD-automaton . . . . . . . . . . .

. . . .

4 5 9 9

5.1

A bunch of late input transitions . . . . . . . . . . . . . . . . . . . . . .

44

6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8

A transition t q ! q 0 of a HD-automaton . . . . . . . . A step of bisimulation on HD-automata . . . . . . . . . . A tricky example for concatenation of HD-bisimulations . Active names . . . . . . . . . . . . . . . . . . . . . . . . Two bisimilar nets with different sets of immediate causes Weak transitions of HD-automata . . . . . . . . . . . . . . Weak unfoldings . . . . . . . . . . . . . . . . . . . . . . Two non isomorphic minimal HD-automata . . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. 60 . 64 . 68 . 77 . 93 . 98 . 100 . 101

7.1 7.2 7.3 7.4 7.5

Two transitions with infinite repositories . . . . . . . . . Wrong translation from HD-automata to HDS-automata . Correct translation from HD-automata to HDS-automata A step of bisimulation on HDS-automata . . . . . . . . . Active names of HDSu -automata . . . . . . . . . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

8.1

Example of non-transitivity of HDN-bisimilarity . . . . . . . . . . . . . 140

:

. . . .

. . . .

. . . .

. . . .

l

. . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

105 113 114 116 127

10.1 The HAL environment: an overview . . . . . . . . . . . . . . . . . . . . 180 10.2 Graphical user interface of HAL: the “agents” mode . . . . . . . . . . . . 181 10.3 Graphical user interface of HAL: the “logic” mode . . . . . . . . . . . . 182

List of Tables 3.1

Operational semantics for CCS . . . . . . . . . . . . . . . . . . . . . . .

23

4.1 4.2

Operational semantics for value passing CCS . . . . . . . . . . . . . . . Location transitions for CCS with localities . . . . . . . . . . . . . . . .

31 35

5.1 5.2 5.3 5.4 5.5

Free and bound names of -calculus actions . . . . . . Early operational semantics of -calculus . . . . . . . Late operational semantics of -calculus . . . . . . . . Open operational semantics of -calculus . . . . . . . Early asynchronous operational semantics of -calculus

. . . . .

41 42 43 45 49

6.1

Relations between VP-CCS labels and labels of HD-automata . . . . . .

62

7.1 7.2 7.3 7.4

The named set of labels for early -calculus . . . . . . . . . . . . . . Relations between early -calculus labels and labels of HDS-automata The named set of labels for late -calculus . . . . . . . . . . . . . . . Relations between late -calculus labels and labels of HDS-automata .

8.1 8.2 8.3

The named set of labels for ground asynchronous -calculus . . . . . . . 136 Relations between ground -calculus labels and labels of HDN-automata 137 Outline of the algorithm for HDN-bisimulation . . . . . . . . . . . . . . 149

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . .

. . . .

110 111 112 113

10.1 HAL: performance issue . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter 1 Introduction Process calculi (also called process algebras) are a very powerful formalism for describing concurrent systems, i.e., systems where a number of independent processes act and interact to carry out their tasks. A process calculus is usually defined by a set of basic actions, that are the elementary operations a system can perform, and by a small number of primitive operators that describe how complex systems are built composing simpler ones: classical operators are those for parallel composition, sequentialization and nondeterministic choice. A labelled transition system defines the operational semantics of a process calculus: a transition represents a possible evolution step of the system, and its label describes the action that is performed in the step. Following the SOS paradigm introduced by Plotkin [1981], the labelled transition system is often defined by structural rules. Behavioral equivalences are then defined on the top of the labelled transition system: most famous is bisimulation equivalence [Park 1980; Milner 1980]. A large number of different calculi have been proposed in the literature: CCS [Milner 1980, 1989], CSP [Brookes et al. 1984; Hoare 1985] and ACP [Bergstra and Klop 1984, 1985] are the most well-known. Despite the subtle differences among them, most of the theory can be applied to large families of process calculi. For instance, formats have been introduced for the rules that define the labelled transitions: general results hold for all the process calculi that fit in these formats — see for instance De Simone [1985], Groote and Vaandrager [1992] and Bloom et al. [1995]. Even more interesting, many of the concepts and theoretical results on process calculi are completely independent from the syntax; they depend only on the transitions that a system can perform and do not consider at all the internal structure of the system: this is true in particular for bisimulation equivalence. These concepts and results can be defined, in a syntax-independent way, directly on automata, that are hence a very convenient operational model for process calculi. Automata are also useful from an algorithmic point of view: efficient and practical techniques and tools for verification have been developed for finite-state automata [Inverardi and Priami 1996; Madelaine 1992]. Finite state verification has often been successful in the case of process calculi, differently than in ordinary programming; this happens for

2

Introduction

instance in verification of protocols and hardware components, where the control part and the data part can be often cleanly separated, and the control part is usually both quite complex and finite state. Particularly interesting is also the possibility of associating to each automaton a minimal realization, i.e., a minimal automaton that is equivalent to the original one. This is important both from a practical point of view — smaller state spaces can be obtained — and from a theoretical point of view — equivalent systems give rise to the same (up to isomorphism) minimal realization. Unfortunately, this ideal situation does not apply to all process calculi: in the literature, a large number of enriched process calculi have been defined to overcome the limitations of the classical ones. These enriched calculi are able to represent aspects of a concurrent system — as its performance [Baeten and Bergstra 1991; Aceto and Murphy 1996], or the degree of parallelism that it exhibits [Darondeau and Degano 1989; Degano et al. 1990; Boudol et al. 1993; Montanari and Yankelevich 1995] — that, while clearly relevant, are not represented in the classical process calculi. In other cases, these enriched calculi are more expressive than classical ones, in the sense that they can model new classes of concurrent systems: this is the case, for instance of the mobile systems, i.e., of those systems that have a dynamically changing communication topology [Milner et al. 1992; Milner 1993]. In most of the cases these enriched calculi do not fit into the standard formats and require the development of specialized theories and of refined notions of bisimulation. Often, automata are not a good operational model for them, as they are not able to capture the particular structures that are manipulated by these calculi. As a consequence, infinitestate automata are obtained even for very simple systems. To deal with these enriched calculi, new techniques have been developed, that have a wider application than classical ones. Here we just mention symbolic techniques [Hennessy and Lin 1995] (they give an abstract representation of the behavior of a concurrent system, by allowing variables to appear in the actions), the development of new, richer formats (examples are the format for higher order calculi of Bernstein [1998] and the approach based on “tiles” of Gadducci and Montanari [1998] and Ferrari and Montanari [1998]), and open maps [Joyal et al. 1996] (they are an uniform approach to define bisimulation equivalences for concurrent models presented in a categorical framework). Also the theory presented in this thesis fits in this stream of works. The manifesto is that, if we want to make the operational model more adherent to the enriched process calculi, it is useful to enrich also the operational model. We propose to add to states, transitions and labels of the automata some kind of information, that is used to represented explicitly the particular structures manipulated by the calculi that we will model. In this thesis, this program is applied to a specific family of enriched calculi, that we have called history-dependent calculi. A calculus is history-dependent if the labels of the transitions may carry information generated in the past transitions of the system, expressing in this manner a dependence from them. Clearly, there are enriched calculi that do not fit in the family of history-dependent

1.1 The -calculus

3

calculi; nevertheless, we have identified different classes of calculi that exhibit a historydependent behavior. This is the case, for instance, of process calculi with localities [Boudol et al. 1993; Montanari and Yankelevich 1995], where each transition shows, in addition to an action, also the location in which the action is supposed to happen, and new locations are generated by “fork” transitions. Similarly, in process calculi with causality [Degano et al. 1988; Darondeau and Degano 1989; Degano et al. 1990; Kiehn 1994] each action of an agent depends on the past actions that have enabled it. Another very important example of history-dependent calculus is the -calculus; we give an overview of its main features in the next section.

1.1 The -calculus The -calculus [Milner et al. 1992; Milner 1993] is probably the most paradigmatic example of history-dependent calculus. It is an extension of CCS that has the ability of sending channel names as values in the communications. In the -calculus new channel names can be created by some actions, and they can then be referenced by subsequent actions; it is thus evident the history-dependent nature of this calculus. The name passing ability makes the -calculus very appropriate to describe systems with a dynamically changing interconnection topology, as it happens in the mobile telephone network [Orava and Parrow 1992]. The gain of expressive power due to name passing in not limited to mobile systems, however. Indeed, -calculus has been successfully applied to encode a wide range of formalisms, that include -calculus [Milner 1992; Sangiorgi 1994], concurrent object oriented languages [Walker 1995], and higher order process calculi [Sangiorgi 1993a,b]. The success of -calculus is confirmed by the increasing number of extensions and variants of this language that have been proposed in the literature. Among them, we mention: PICT [Pierce and Turner 1995], a full-fledged concurrent programming language based on the -calculus. The spi-calculus [Abadi and Gordon 1998b], a variant of calculus for analyzing security protocols. And the ambient calculus [Cardelli and Gordon 1998], where mobility is exploited at the level of network domains, rather that at the level of the single channels.1 The formal definition of -calculus is given in Chapter 5. Here we present its features mainly via examples. In Figure 1.1 we represent the classical diagram that is used to exhibit the dynamic reconfiguration of channels in the -calculus. In the starting configuration there are three processes A, B and C . Processes A and B share a channel x, while processes B and C share a channel y . Both the channels are local to the system, i.e., no communications with the external environment can occur on them. The -calculus agent corresponding to the starting configuration is

( y) ( x) A(x) B (x; y) C (y)

()

It is impossible to cite here all the existing works on -calculus and its evolutions: the interested reader can refer to the home page of calculi for mobile processes, at the following URL: http://www.cs.auc.dk/mobility/. 1

4

Introduction

B

B

y

C

x

0

A

y x

C

0

A

Figure 1.1: Dynamic reconfiguration of channels in -calculus.

( )

where operator y is used to restricts the scope of name y , and operator j stands for parallel composition. Notice that process C cannot use channel x, that can be considered a private channel between A and B . This is remarked by the fact that the scope of restriction x contains only processes A and B . Process B , however, can communicate name x to process C , by sending it on channel y . This happens for instance if

( )

B (x; y ) = yx:B 0 (x; y )

and

C (y ) = y (x):C 0 (x; y ):

yx:p performs the output of name x on channel y and then behaves as p. Agent y (x):p performs an input on channel y ; name x is a formal variable: its occurrences in p Agent

are instantiated with the actually received name when the input takes place. In this case the transition

( y) ( x) A(x) B (x; y) C (y) ! ( y) ( x) A(x) B 0(x; y) C 0(x; y)

can happen. Its graphical representation is given in Figure 1.1. Notice that, after the communication has taken place, process C shares channel x and can use it for further communications with A and B . In fact, in the -calculus agent corresponding to the final system the scope of restriction x has been increased and now includes also process C . The possibility of declaring private channels by means of the restriction operator and to communicate them gives a great expressive power to the -calculus. However, it is also responsible of the difficulties that one encounters in trying to extend to the -calculus the standard theoretical and algorithmic results that hold for classical process calculi. These difficulties are already evident in the operational semantics. Following the standard approach for process calculi, the operational semantics of the -calculus is given via labelled transitions, that represent either internal evolutions of the system — this is the case of the transition in Figure 1.1 — or communications with the environment. In fact, let us consider the following -calculus agent, that is a subsystem of agent ():

( )

( x) A(x)jB (x; y) :

()

In this case channel y is not restricted, so global communications can occur on it. In particular, process B can send the private name x on the global channel y . This communication creates a new channel between the agent and the environment: in fact, after

1.1 The -calculus

5

B

B

y

0

y(x)

x A

y x

A

Figure 1.2: Name extrusion in -calculus. the communication the environment shares channel x, that can be used for further global communications. In the -calculus, the mechanism that transforms a local name into a global one is called name extrusion, and is represented by the following bound output transition: x) ( x) A(x) B (x; y) y(! A(x) B 0 (x; y ):

Its graphical representation is given in Figure 1.2. In the transition above we have used x to represent the newly created global channel. However, this choice is arbitrary. In fact, in the -calculus we do not want to distinguish two systems only for the names of their private channels: -calculus agents are defined up to -conversion, so, for instance, agents y A y B x; y and z A z B x; z are equivalent. Hence agent () can also perform the transition

( ) () ( )

( ) () ( )

( x) A(x) B (x; y) y(!z) A(z) B 0 (z; y)

for any name z different from y . We remark that name y cannot be used to denote the newly created channel since this would lead to name clashing: in fact, name y is already used to denote a global channel. In general, name extrusion is represented in the operational semantics of -calculus by means of an infinite bunch of bound output transitions

p

y (z )

! p0, where z is any name that does not appear free in p.

A serious drawback is that infinite-state and infinite-branching transition systems are necessary to represent the behaviors of all the agents that can perform an extrusion, even of very simple ones. Also the definition of bisimulation has to be modified in the -calculus to deal with name extrusion: as we will see in Chapter 5, the clause of bisimulation for the bound output transition is the following: Whenever two agents p and q are equivalent, and agent p performs a bound y(z )

! p0 such that name z does not appear free in q, then y(z ) agent q has to match it with a corresponding transition q ! q 0 and agents output transition p

(x)

p0 and q 0 must be still equivalent.

This is very similar to the classical definition of bisimulation, except for the additional requirement on the freshness of name z . This requirement has to be added to take into

6

Introduction

account the fact that two equivalent agents may have different sets of free names. Consider in fact agents

A(y ) = ( z ) yz:A(y ) ; B (y; x) = ( z ) yz:B (y; x) ; C (y; x) = ( z ) yz:C (y; x) j ( z ) zx:0 : The three agents are equivalent, since all of them perform an infinite sequence of name extrusions on channel y . However, name x can be used as the name of an extruded channel only in agent A. In fact, name x cannot be used in B , since it appears free in this agent, even if only as an unused parameter of the recursive definition. Nor can name x be used in agent C , since also in this case it appears free in the agent, in a deadlocked component (agent z zx:0 is deadlock, since it tries to communicate on a restricted channel). It is important to remark that the requirement on the freshness of the extruded name that appears in clause (x) is not harmless; in fact it prevents the application of standard results for classical bisimulation to the -calculus.

( )(

)

New theoretical and practical techniques have been invented to deal with the particular features of -calculus: for instance, up-to techniques [Sangiorgi 1995] have shown to be a very useful and powerful tool to simplify the proofs. In -calculus, in fact, the proofs are very heavy due to the necessity to deal at every step with the generation of new names, and with the dynamically changing scopes of name restrictions. The up-to techniques of Sangiorgi [1995] — and in particular the up to name substitutions and up to restriction techniques — allows one to push these low level details in the proof method, and to concentrate on the essence of the proof.2 Also symbolic techniques have been applied to the -calculus, both to define new equivalences [Sangiorgi 1996b], and to capture existing ones in this more abstract operational model [Boreale and De Nicola 1996]. There are also a few works that try to use ordinary automata as operational model for -calculus, by managing creation of names in an efficient way. We comment on these works in the next section.

1.2 Automata and -calculus Dam [1997] has shown that, given two -calculus agents whose control part is finite state, a finite set of names is sufficient to represent faithfully all the behaviors of the agents. Once the set of names is fixed, finite-state automata are obtained for the two agents, and bisimulation equivalence can be checked on them. However, due to the existence of equivalent agents with different free names, the set of names can be fixed only for a pair of agents. Therefore, this approach does not associate to an agent an unique automaton: 2

Recently up-to techniques have been exploited successfully also for verification purposes [Hirschkoff 1998a,b].

1.2 Automata and -calculus

7

different automata can be obtained from the same agent, if it is compared with different other agents. Moreover, the bisimulation that is used on these automata has still the additional clause of (x), and this requires to modify the existing algorithms to work on these automata. In Quaglia [1996] and Ferrari et al. [1996] the problem of creating new names is solved by reserving a sequence of names for this purpose, and by picking up the next name in this sequence when a fresh name is required. In this way, a single transition is sufficient to model name creation, and it is guaranteed that two equivalent agents pick up the same names. Moreover, the operational semantics in Quaglia [1996] and Ferrari et al. [1996] is given in one of the standard formats for process calculi, namely (and extension of) the format of De Simone [1985]: in this way, an axiomatization of bisimulation equivalence is obtained for free. A drawback of this approach is that, since a different name is chosen whenever a fresh name has to be created, an infinite number of states is generated in the case of agents with y xy:A y : infinite behaviors. This is the case of the cyclic agent A x

( )=( )

A(x)

x(x0 )

()

x) x (x ) x (x ) ! A(x0 ) x (! A(x1 ) ! A(x2 ) ! A(x3 ) 0

1

1

2

2

3

To obtain finite state automata also for agents with infinite behaviors, it is necessary to allow for the deallocation of the names when they are not more used by the agents. In the ordinary semantics of -calculus, a name is “deallocated” — and can hence be reused to denote a new created channel — when it does not appear anymore in the agent. This policy for deallocating names is not satisfactory: as we have seen, it does not guarantee that equivalent agents deallocate names in a compatible way. A clever policy for deallocating names has been proposed in Montanari and Pistore [1995].3 According to the results of that paper, a name is deallocated when it is not active in the agent, i.e., when the name is not used in the labels of the reachable transitions. Since equivalent agents have the same set of active names, it is safe to choose the first name that is not active when a new name is needed. This approach generates finite-state automata for the class of -calculus agents with a finite control of Dam [1997]. In this case, however, classical bisimulation works on these automata, so that existing theories and tools can be used on them. Unfortunately enough, this approach works only for a subset of -calculus, namely for the -calculus without matching operator. The matching operator x y p is a guard: it enables agent p only if names x and y coincide. This operator is useful in combination y zB y , with input prefixes, to make tests on the received names: agent x y : A y for instance, reads a name from channel x; if the received name y coincides with z , the agent can evolve as A y or as B y , while it can behave only as A y if y 6 z . If the matching operator is allowed, to decide whether a name is active is as difficult as to decide whether two agents are equivalent: so, for instance, in the agents above name z is active

()

3

()

[=℄ ( ) ( )+[ = ℄ ( ) () =

A similar approach was previously used by Jonsson and Parrow [1993] for CCS with value passing.

8

Introduction

()

()

()

()

if and only if agents A y and B y are non equivalent; if A y and B y are equivalent, in fact, the test y z has no effect, and name z is clearly inactive, since it appears only in this test.

[=℄

We conclude this section by observing that, from an algorithmic point of view, the condition on the freshness of the extruded name in (x) is not a problem if on-the-fly verification techniques are used [Fernandez and Mounier 1992]. These techniques operate on pairs of states, by trying to match their transitions; whenever a new name x has to be generated for a pair of agents p; q , it is always possible to take, for instance, the least name that does not appear free in p and q . This idea has been implemented in the Mobility Workbench [Victor and Moller 1994], the first verification environment developed for calculus agents.

( )

1.3 History-dependent automata The discussion of the previous sections emphasizes that names are one of the fundamental elements of the semantics of -calculus — and, more in general, of history-dependent calculi. In ordinary automata, names are represented only in an implicit way, as a syntactical component of the labels, and the classical tools that operate on automata are not suitable to work with names. In this thesis we propose a new operational model for history-dependent calculi: the history-dependent automata, or HD-automata in brief. As ordinary automata, they are composed of states and of labelled transitions between states. To deal with the peculiar nature of history-dependent calculi, however, states and labels are enriched with set of names. In this way, names become an explicit component of the operational model, and the definition of tools that manipulate them becomes easier. If a state of a HD-automaton corresponds to a -calculus agent, then the names associated to that state correspond to the names that appear free in the agent. However, while the free names of the agent have a global identity, so that for instance A w; x; y and A w; y; x are two distinct agents, we assume that the names that appear in the states of the HD-automaton have only a local identity. In this way, the same state can be used to represent both the agents A w; x; y and A w; y; x ; more in general, all the agents that differ only for a renaming can be represented by a single state of a HD-automaton. Due to the local nature of names, along each transition of a HD-automaton the correspondence between the names of the source state and those of the label and of the target state must be represented explicitly. This is done in a graphical way in Figure 1.3 by means of “wires”. We can notice that all the basic operations that can be performed on names are represented in this transition: names 1 and 2 of the source state are deallocated; name 6 of the target state is new; name 7 of the target state finally, corresponds to name 3 of the source. Moreover, names 1 of the source state and 6 of the target state also appear in the label: they are name 4 and 5, respectively. Local names are very useful. First, they allow for a compact representation of the operational behavior of agents by collapsing classes of agents that differ for a renaming into

(

(

)

(

)

(

)

)

1.3 History-dependent automata

9

4 5

1 2 3

6 7

Figure 1.3: A transition of a HD-automaton.

y xw 4 5

4(5)

A(1; 2; 3)

B (6; 7)

1 2 3

6 7

12 11

1112

8 9 10

:B (9; 10)

89

Figure 1.4: An example of HD-automaton. single states. Second and most important, they provide a mechanism for representing the creation of new names: in fact, the problem of choosing a fresh name simply disappears in this context, where names do not have a global identity. As we see in Figure 1.3, the creation of a new name in a transition is modeled by putting a name in the target state that does not correspond to any name of the source state. A computation that is performed on a HD-automaton associates a “history” to each name of the states that are encountered in the computation: the “history” of a name is given by the occurrences of this name in the labels of the past transitions. Clearly, different histories are assigned to a name in a state, if the state is reached after two different computations. Consider for instance the HD-automaton corresponding to agent

A(w; x; y ) = ( z ) wz:B (z; y )

+ :wx:B (x; y);

which is represented in Figure 1.4. Name 6 in the final state has two different histories, depending on the computation that has been followed. If the upper transition is performed,

10

Introduction

then name 6 corresponds to the new name introduced in this transition, i.e., it coincides with name 5 of the label of this transition. If the lower transitions are performed, then name 6 corresponds to name 2 of the initial state (as well as to name 9 of the intermediate state and to name 12 of the label of the leftmost transition). We can think at the history of a name as at the “global identity” of that name: in fact, the history of a name describes precisely the past transitions where that name appeared, and in particular the past transition that generated it. For the names that appear in the initial state of the HD-automaton, the global identity is given explicitly, since they are not created by any transition. This situation is represented in Figure 1.4, where for instance a global name w is assigned to local name of the initial state.

1

1.4 Main results of the thesis In this thesis we define three different families of HD-automata, that have different expressive power.

Basic HD-automata. These are the simplest version that we consider: they are similar to the ones described in Section 1.3. HD-automata with Symmetries. It happens frequently that different names play a symmetric role in the behavior of a history-dependent system; in HD-automata with Symmetries, it is possible to represent explicitly the symmetries that exist between the names in the states of the HD-automata: in this way, the behavior of the system can be represented in a more compact way. Moreover, symmetries are necessary to define minimal HD-automata for each class of equivalent HD-automata. Finally, symmetries are also exploited to declare infinite repositories of indistinguishable names: these repositories are used as inexhaustible sources of fresh names. Multiple repositories are necessary to model those history-dependent formalisms that have different sources of fresh names: this is the case of the -calculus, where fresh names are generated in input and in bound output transitions. HD-automata with Negative Transitions. They extend Basic HD-automata with a new kind of negative transitions, that are used to “cancel” the corresponding positive transitions that start from the same state. That is, if a positive transition and a negative transition with the same label start from the same state of a HD-automaton, then the positive transition is redundant proviso that the two target states are equivalent. Two equivalent systems can have different sets of redundant transitions.

We present examples of translations of history-dependent formalisms into the different families of HD-automata. Namely, CCS with localities [Boudol et al. 1993] and Petri nets with the history-preserving semantics [Goltz and Reisig 1983] are mapped into Basic HDautomata; the early and late -calculus [Milner et al. 1992] are mapped into HD-automata with Symmetries; and the open [Sangiorgi 1995] and the asynchronous [Amadio et al. 1998] -calculus are mapped into HD-automata with Negative Transitions. In all these cases, we show that finite HD-automata are obtained for classes of agents with infinite

1.5 Summary of the thesis

11

behaviors, namely the agents with a finite control. HD-bisimulations are defined for the three families of HD-automata: they capture, on HD-automata, the classical notions of bisimulation that have been defined in the literature for the considered history-dependent formalisms. HD-automata are hence a good operational model for these enriched calculi. We also show that ordinary automata can be obtained from HD-automata, in such a way that bisimilar HD-automata are mapped into bisimilar automata, and finite HDautomata are mapped into finite automata. This mapping, however, is possible only after a pre-processing phase has been performed on the HD-automata. This pre-processing is simple in the case of Basic HD-automata, but is quite complex for the other two families of HD-automata. Furthermore, an alternative presentation of Basic HD-automata and HD-automata with Symmetries is given in a categorical framework. A classical definition of ordinary automata is extended to these families of HD-automata: essentially, the categorical construction is the same, but the base category changes for the three classes of automata. It is the category of sets in the case of ordinary automata, the category of named sets in the case of Basic HD-automata, and the category of named sets with symmetries in the case of HD-automata with Symmetries. HD-bisimulation is recovered in the categorical framework by exploiting open maps bisimulation [Joyal et al. 1996], an uniform approach to define equivalences for concurrent models presented in a categorical framework. An interesting result that holds only for HD-automata with Symmetries is the possibility to define a minimal realization for the classes of bisimilar HD-automata. These minimal HD-automata with Symmetries are defined both in an explicit way, by quotienting a HD-automaton with respect to the greatest HD-bisimulation, and in a categorical way, as the final element of the (sub)category of bisimilar HD-automata. Finally, we show that, in the case of finite HD-automata, bisimulation equivalence can be effectively decided, either directly on the HD-automata or by mapping them on ordinary automata. Decidability results for finite control agents are obtained in this way for CCS with localities and for the early, late and open -calculus, as well as for historypreserving bisimulation on n-safe Petri nets.

1.5 Summary of the thesis The thesis is divided in three parts. In the first one, Preliminaries, we briefly overview existing formalisms that fit in our class of history-dependent calculi. Chapter 2 introduces the mathematical notations used in the thesis. Chapter 3 introduces some of the basic results on ordinary automata, bisimulation equivalence, and CCS [Milner 1980, 1989]. This chapter also describes the basic algorithms for checking bisimulation equivalence of automata. In the other chapters of the thesis we often use concepts and results presented here as a comparison term. Chapter 4 describes some history-dependent calculi. These are a fragment of CCS

12

Introduction

with value passing that consists of data independent programs [Jonsson and Parrow 1993]; and CCS with locality [Boudol et al. 1993], an extension of CCS takes into account the distributed nature of concurrent systems by observing the localities of the system in which the actions happen. We also describe the history-preserving semantics of Petri nets [Goltz and Reisig 1983]: this provides an example of a historydependent formalism outside the field of process calculi. Chapter 5 is entirely devoted to the -calculus [Milner et al. 1992; Milner 1993], the most interesting and complex example of history-dependent calculus that we consider in the thesis. In particular this chapter contains an overview of the different semantics that have been defined for it, and more precisely of the early [Milner et al. 1993], late [Milner et al. 1992], open [Sangiorgi 1995], and asynchronous [Amadio et al. 1998] semantics. The second part, History Dependent Automata, is the central part of the thesis. It introduces the three different notions of HD-automata. Chapter 6 introduces Basic HD-automata, the simplest version of HD-automata: they are very similar to the ones described informally in Section 1.3. All the historydependent calculi presented in Chapter 4 are mapped into Basic HD-automata. In this chapter we also define HD-bisimulation, extending bisimulation on ordinary automata to the case of HD-automata, and we study its basic properties. In particular, we show that it captures the existing notions of bisimulation for history-dependent calculi. Finally, this chapter shows that ordinary automata can be obtained by “unfolding” HD-automata, in such a way that bisimilar HD-automata are mapped into bisimilar automata. Chapter 7 defines a more sophisticated version of HD-automata, namely HD-automata with Symmetries, or HDS-automata in brief. In this case, the set of names that enrich a state, a transition or a label of the HD-automata are defined up to a symmetry, that is up to a group of permutations: the meaning is that the future behavior from a given state is left unchanged by applying any of the permutations associated to that state. The possibility of declaring symmetries among the names that enrich a HD-automaton allows for a compact representation of the behavior of history-dependent agents, that often exhibit such symmetries. Moreover, we show that these symmetries are necessary to have a minimal HD-automaton for each classes of equivalent HD-automata. Maps from early and late -calculus into HDS-automata are defined. Also in this case, HDS-bisimulation captures -calculus bisimulation. Chapter 8 describes a different extension of Basic HD-automata, namely HD-automata with Negative transitions, or HDN-automata in brief. The role of a negative transition is to “cancel” the corresponding positive transitions that start from the same state. That is, if a positive transition and a negative transition with the same

1.6 Origin of the thesis

13

label start from the same state of a HD-automaton, then the positive transition is redundant proviso that the two target states are equivalent. According to HDNbisimulation, only the non-redundant transitions of two equivalent states are required to match. Negative transitions are useful in some history-dependent calculi, where it is not possible to require that two equivalent systems perform the same actions, but only that they perform the same non-redundant actions. This is the case, in particular for the open semantics [Pistore and Sangiorgi 1996] and for the asynchronous semantics [Montanari and Pistore 1999] of -calculus. Chapter 8 defines two mappings from these versions of -calculus into HDN-automata. The last part of the thesis is entitled Additional Results. Chapter 9 presents HD-automata and HD-bisimulation in a categorical framework. A classical categorical definition of ordinary automata is extended to Basic HDautomata (Chapter 6) and to HD-automata with Symmetries (Chapter 7). Open maps bisimulation [Joyal et al. 1996] is used to define HD-bisimulation in this categorical setting. Chapter 10 describes the algorithms that work on HD-automata; it also presents HAL, the Hd-Automata Laboratory [Ferrari et al. 1997a, 1998], a verification environment, based on HD-automata, that performs equivalence and model checking of history-dependent calculi. Chapter 11 collects some concluding remarks and proposes some possible directions of future work. The thesis is completed by the bibliography.

1.6 Origin of the thesis The first, primitive notion of HD-automata appears in Montanari and Pistore [1995] under the name of -automata. In that paper, an algorithm for checking bisimulation equivalence of -calculus agents is described; -automata are used as a compact structure to represent the operational semantics of the agents. Simplified versions of HD-automata also appear in Montanari, Pistore, and Yankelevich [1996] for CCS with localities, in Montanari and Pistore [1997b] for Petri nets, and in Montanari and Pistore [1997a] for a class of partial-order systems, that includes CCS with localities, CCS with causality and Petri nets. This version of HD-automata is similar to the Basic HD-automata that we define in Chapter 6. In Montanari and Pistore [1998] a family of HD-automata is described that is rich enough to capture the early and late semantics of -calculus. This family is more expressive that Basic HD-automata, but it is less expressive than HD-automata with Symmetries: for instance, no minimal HD-automata can be defined in that case. In that paper HDautomata and HD-bisimulation are also defined in a categorical framework: the approach

14

Introduction

is similar to the one that we present in Chapter 9. HD-automata with Negative transitions appear in Montanari and Pistore [1999] as an operational model for the asynchronous -calculus. The idea of negative transitions already appears in Pistore and Sangiorgi [1996], where they are applied to the open semantics of -calculus; in that paper, however, they are defined on ordinary automata rather that on HD-automata. Finally, the verification environment that we describe in Chapter 10 also appears in Ferrari et al. [1997a, 1998].

Part I Preliminaries

Chapter 2 Notations 2.1 Structured objects In this thesis we make an extensive usage of structured objects, i.e., of objects that are defined by a tuple of components. The first example that we encounter are the automata: according to Definition 3.1, an automaton A is a tuple hL; Q; T; s; d; o; q0 i where, for instance, L is the set of labels, T is the set of transitions, and o T ! L is a function that associates a label to each transition. To represent the components of a particular structured objects we will use the name of the object as subscript; so, for instance, TB are the transitions of automaton B and function oB TB ! LB associates a label to each transition of B. Moreover, the subscripts are omitted whenever there is no ambiguity on the referred structured object. In other cases, we simplify the subscripts: so, for instance, if we are considering two automata A1 and A2 , we will simply write T1 and o2 rather than TA1 and oA2 .

:

:

2.2 Relations and function A relation R on sets A and B is a subset of A B . If (a; b) 2 R then we also write a R b. In this case, dom(R) = fa j (a; b) 2 Rg is the domain of R and od(R) = fb j (a; b) 2 Rg is its codomain. We denote with R 1 the inverse relation of R; that is, R 1 = f(b; a) j (a; b) 2 Rg B A. If R is a relation on A and B and S is a relation on B and C , then we denote with R; S the concatenation of R and S ; that is, R; S = f(a; ) j (a; b) 2 R and (b; ) 2 Sg A C . Special notations are used for particular classes of relations. We represent with f A ! B a function from set A to set B ; that is, f A B such that for each a 2 A there is exists exactly one a 2 A such that a; b 2 f . We represent with f A ( * B a partial bijection from set A to set B ; that is, f A B such that if a; b ; a0 ; b0 2 f then a a0 iff b b0 .

:

:

( )(

( )

)

=

=

18

Notations

:

We represent with f A ( ! B an injection from set A to set B ; that is, f A B such that for each a 2 A there exists exactly one b 2 B such that a; b 2 f , and for each b 2 B there is at most one a 2 A such that a; b 2 f . We represent with f A * B an inverse injection from set A to set B ; that is, f A B such that for each b 2 B there exists exactly one a 2 A such that a; b 2 f , and for each a 2 A there is at most one b 2 B such that a; b 2 f . We represent with f A ! B a total bijection from set A to set B ; that is, f A B such that for each a 2 A there exists exactly one b 2 B such that a; b 2 f and, conversely, for each b 2 B there exists exactly one a 2 A such that a; b 2 f . We use also on these subclasses the notations that we have introduced on relations to denote domain, codomain, inverse and concatenation.

:

( )

( )

( )

( )

:

( ) ( )

2.3 Substitutions and renaming Let N be a set of names. We denote with ; : : : the substitutions on these names, i.e., ! N. A name a is neutral for a substitution if does not affect x, i.e., for all y 2 N , y x iff y x. A set of names V is neutral for a substitution if all names in V are neutral for . ;::: ;n We denote with fy1=x1 yn=xn g the substitution that maps xi into yi for i and which is the identity on the other names. If X is a term that contains free and bound names, then we denote with X the term obtained from X by replacing its free names according to substitution — alphaconversion is applied silently, if necessary, to avoid name capture. The applications of two substitutions and to term X , where is performed first, is written X. With some abuse of notation, we can see a substitutions in X as a function on the free names of X rather than on N : in fact, X and X 0 coincide whenever and 0 coincide on the free names of X . Therefore, we say that substitution is injective for X if X ! N is an injective function ( X are the free names of X ). We also say that terms X and Y differ for a bijective substitution if there exists some bijective function X ! Y such that Y X . A renaming is a bijective substitution. We denote also the renamings with ; : : : .

; : N

( )=

=

=1

: fn( ) : fn( ) fn( )

fn( )

=

Chapter 3 Ordinary Automata and CCS In this chapter we introduce some of the basic results on automata and CCS. In the following chapters we will often refer to the results presented here to draw a comparison with the results that we derive for history-dependent calculi and HD-automata.

3.1 Ordinary automata Automata have been defined in a large variety of manners. We choose the following definition since it is very natural and since, as we will see, it can be easily modified to define HD-automata. D EFINITION 3.1 ( ORDINARY An automaton A is defined by:

AUTOMATA )

a set L of labels; a set Q of states;

a set T of transitions; two functions s; d transition;

: T ! Q that associate a source and a destination state to each

: T ! L which associates a label to each transition; an initial state q0 2 Q. l Given a transition t 2 T , we write t : q ! q 0 if s(t) = q , d(t) = q 0 and o(t) = l.

a function o

In the following, to represent the components of an automaton we use the notations introduced in Section 2.1. Often labelled transition systems are as operational models in concurrency. The difference with respect to automata is that in a labelled transition system no initial state is specified. An automaton describes the behavior of a single system, and hence the initial state of the automaton corresponds to the starting point of the system; a labelled transition system is used to represent the operational semantics of a whole concurrent formalism,

20

Ordinary Automata and CCS

and hence an initial state cannot be defined. As we will see in Section 3.2.1 in the case of CCS, it is easy to extract an automaton from a labelled transition system, once the initial state is given.

3.1.1 Bisimulation on automata Various notions of behavioral preorders and equivalences have been defined on automata. The most important equivalence is bisimulation equivalence [Park 1980; Milner 1989]. D EFINITION 3.2 ( BISIMULATION ON AUTOMATA ) Let A1 and A2 be two automata on the same set L of labels. A relation R a simulation for A1 and A2 if q1 R q2 implies:

:

for all transitions t1 q1 A2 such that q10 R q20 .

Q1 Q2 is

l l ! q10 of A1 there is some transition t2 : q2 ! q20 of

A relation R Q1 Q2 is a bisimulation for A1 and A2 if both R and R 1 are simulations. Two automata A1 and A2 on the same set of labels are bisimilar, written A1 A2 , if there is some bisimulation R for A1 and A2 such that q01 R q02 . Often, bisimulations are defined as the pre-fixed-points of a functor defined as follows: D EFINITION 3.3 ( BISIMULATION FUNCTOR ) The bisimulation functor for two automata A1 and Q1 Q2 then q1 R q2 if:

( )

for all transitions t1 such that q10 R q20 ;

on relations

A2 is defined as follows: if R

l l : q1 ! q10 of A1 there is some transition t2 : q2 ! q20 of A2

the converse, starting from the transitions of q2 .

By comparing this definition with Definition 3.2, it is clear that relation R is a bisimulation if and only if R R , i.e., if and only if R is a pre-fixed-point of . Functor is monotone for inclusion, so standard results ensure that a largest pre-fixedpoint — that is, a largest bisimulation — exists, and that it is also the largest fixed-point of . If RA1 ;A2 is the largest bisimulation for A1 and A2 , then clearly

( )

RA ;A = (q1 ; q2) j q1 R q2 for some bisimulation R : 1

2

Standard results on monotone functions tell us that RA1 ;A2 can be approximated from above. That is, relation RA1 ;A2 is the limit of a decreasing chain of relations obtained, beginning from the universal relation, by a repeated application of functor . More pre-

3.1 Ordinary automata

21

cisely, the elements of the chain are:

R0A ;A = Q1 Q2 ; RA+1;A = (R ); \ RA ;A = RA ;A 1

2

1

2

1

2

1

nmax for some n 2 TA t . Since (6.58) holds in the source state, it must be

( [ ℄)

( )

( [ ℄)

( [ ℄)

(

( ):( ) )

( )

n 2 (TA [t℄new ):

(6.59)

Moreover, by definition of nk , there must be some m nk such that

m 62 (TA [t℄):

(6.60)

This is absurd, since m nk nmax < n, (6.59) and (6.60) contradict condition C2. Hence, n nmax for each n 2 TA t . Since 0 QA q 0 TA t , this assures that (6.58) holds for q 0 ; 0 . This concludes the proof. 2

(

( [ ℄)

)

( [ ℄)

( [ ℄)

In the case of finitary HD-automata, it is easy to give an implementation of function that satisfies conditions C0, C1 and C2. Assume that for each label l we fix a total order on its names L l : this total order induces a total order on the new names of a ; t , we can associate to the transition t with label l. Now, whenever we compute n-th new name of transition t (i.e., the n-th name in T t new ) the n-th global name that is not already used for the old names of the transitions (i.e., the n-th name not in Q s t ). It is easy to check that all the conditions are satisfied in this way. Given such an implementation of function , it is straightforward to realize, exploiting Definition 6.29, an algorithm that performs the unfolding of a HD-automaton. According to Theorem 6.31, the obtained automata are finite whenever the starting HDautomata are finite; moreover, according to Theorem 6.30, HD-bisimulation on the HDautomata is captured by ordinary bisimulation on the unfoldings. So, we have reduced bisimilarity of HD-automata — and hence of the history-dependent calculi that are mapped in them — to ordinary bisimilarity on ordinary automata. Standard theories and, in particular, standard algorithms can be used now to check bisimilarity (we will comment further on this topic in Chapter 10). However, most of the advantages of HD-automata are lost, after they are mapped on ordinary automata: the unfolding introduces different copies of a state, that differ only for the identity of names; a policy for choosing the new names has to be fixed; and the names become now only a syntactic component of the labels, so that their manipulation becomes difficult.

allo

[℄

allo ( ) [℄

allo

( [ ( )℄)

88

Basic History Dependent Automata

6.4 From CCS with localities to HD-automata In this section we show that HD-automata can be applied to CCS with localities. An introduction to this process calculus can be found in Section 4.2. A first way to represent a location agent with a HD-automaton would be to use states of the automata to represent derivatives of the agent and to associate to a state the location names of the corresponding agent, as we have done in the case of the VP-CCS. This encoding has some advantages w.r.t. the ordinary operational semantics: all the transitions corresponding to different choices in the name for a new locations could be identified. Moreover, the same state of the HD-automaton could be used to represent a whole class of location agents which differ for a renaming of the locations. However, this is not sufficient to obtain finite HD-automata for the class of finitary location agents: whenever the agent can perform infinite computations, the number of location prefixes continues to grow during the computations, thus leading to an infinite number of derivatives, even up to renamings. First of all, we have to avoid this unbounded growth of the location prefixes, i.e., we have to find a way to discard these prefixes. An axiom like

(del) l :: m :: p m :: p would help. However, this axiom is not correct for the location equivalence of Definition 4.4 on page 34, since, for instance,

l :: m :: a:p

! l :: m :: n :: p

a lmn

whereas

m :: a:p mn !a m :: n :: p and the two labels do not correspond; this happens because the whole sequence of locations is observed in the label of a transition. Now we present a slightly different definition of location equivalence in which only the newly created location and its direct parent are observed. It can be shown that this new location equivalence coincides with the classical one, at least for the class of pure CCS agents. D EFINITION 6.32 ( INCREMENTAL LOCATION EQUIVALENCE) A relation R on location agents is an incremental location simulation if p R q implies:

a 0 ! p0, with n 62 lo (p; q), there exists some q vmn ! q with p0 R q 0 ; for each p ! p0 there exists some q ! q 0 with p0 R q 0 . A relation R is a incremental location bisimulation if both R and R 1 are incremental

for each p

a umn

location simulations. Two location agents p and q are incremental location equivalent (written p R q for some location bisimulation R.

p

l q) if

6.4 From CCS with localities to HD-automata

89

P ROPOSITION 6.33 Let p0 and q0 be two pure CCS agents. Then p0 if m p0 l m q0 for some location m.

::

::

::

::

l q0 if and only

P ROOF (S KETCH ). The proof that p0 l q0 implies m p0 l m q0 is easy. In fact, standard results for location bisimilarity ensure that p0 l q0 implies m p0 l m q0 . Moreover, each location bisimulation is by definition also an incremental location bisimulation so m p0 l m q0 . To prove the converse, i.e., that m p0 l m q0 implies p0 l q0 , we show that relation R defined as follows is a location bisimulation:

::

::

::

::

::

::

1 k k qk g ! pk ; l0 :: q0 ! R = f(pn; qn) j pn l qk ; l0 :: p0 !1 !

i with mi 62 lo (pi 1 ; qi 1 ). ! is either ! or uia! mi exploiting standard results for location equivalence, p0 l q0 .

where

i

Hence,

m :: p0

l m :: q0 and, by 2

Del is a correct axiom for this alternative characterization and it allows us, combined with the other equivalences of the structural congruence, to associate to each agent a flat structure of locations. Conceptually, these axioms show that agents can be seen in location semantics as collections (multisets) of sequential sub-agents acting in different locations. This intuitive fact, used in Corradini and De Nicola [1994] to represent location agents, gets, in this way, a formal foundation using simple structural axioms. We denote with the smallest congruence which contains and which respects equivalence del. P ROPOSITION 6.34 By exploiting following form:

, every location agent p can be written in the

p ( 1 ) ( m ) (p0 jl1 :: p1 j jln :: pn ) pi = si1 j jsini where locations li are all distinct and sij are sequential processes. L EMMA 6.35 If p0

p, p l q and q q0 then p0 l q0.

We are ready to map location agents into HD-automata. This mapping is similar to the one defined in the previous section for VP-CCS. In this case, we can assume that the set Lo of locations is used as set N of global names in the HD-automata. We assume to have a function which, given a location agent p, returns a pair q; defined as follows. Agent q is the representative of the class of agents that differ from p only by the structural congruence and by a renaming of the locations. Agent q can be obtained by first transforming p in an agent p0 that is normalized w.r.t. ; for instance, by resorting on Proposition 6.34, we could have

( )

norm

p0 = ( 1 ) ( m ) (l1 :: p1 j jln :: pn ):

90


Then the locations of p0 can be renamed so that li is the i-th location in Lo . The inverse p * q associates a location of p to each location of q , so injective function 1 that p q . When the HD-automaton is built, there is no reason to include all the transitions that differ just in the name assigned to the new location; it is sufficient to use representative a fLo n p g. transitions: a location transition p ! q is representative if m

: lo ( )

lo ( ) ulm

= min

lo ( )

The named set Ll of the labels in the case of CCS with localities is so defined: the set l L coincides with the set of the CCS actions. No name is associated to action , whereas two names nlo and nnew are associated to the visible actions.

D EFINITION 6.36 ( FROM LOCATION AGENTS TO HD- AUTOMATA ) The HD-automaton Alp corresponding to the pure CCS agent p, according to the semantics with localities, is the smallest HD-automaton that satisfies the following rules:

–

norm(m :: p) = (q0 ; 0 ) then: q0 2 Q is the initial state and Q[q0 ℄ = lo (q0 );

let m be a fixed location of Lo ; if

0 is the initial embedding; a if q 2 Q, q ! q 0 is a representative transition and norm(q 0 ) = (q 00 ; ), then: –

ulm

q 00 2 Q and Q[q 00 ℄ = lo (q 00 ); – there is some t 2 T such that T[t℄ = lo (q ) [ fmg; moreover – s(t) = q , d(t) = q 00 , s[t℄ = idlo (q) and d[t℄ = ; – o(t) = a and o[t℄(l) = nlo , o[t℄(m) = nnew ; if q 2 Q, t : q ! q 0 and norm(q 0 ) = (q 00 ; ) then: – q 00 2 Q and Q[q 00 ℄ = lo (q 00 ); – t 2 T and T[t℄ = lo (q ); – s(t) = q , d(t) = q 00 , s[t℄ = idlo (q) and d[t℄ = ; – o(t) = . –

Also in this case the HD-automaton corresponding to location agent p is finite whenever agent p is finitary. T HEOREM 6.37 Given a pure location agent p, the HD-automaton only if p is finitary according to Definition 3.7 on page 24.

Alp is finite if and

The proof is similar to that of Theorem 6.6 on page 62. Two pure agents are location bisimilar if and only if the corresponding HD-automata are bisimilar. T HEOREM 6.38 Let p1 and p2 be two pure CCS agents. Then p1

l p2 iff Alp Alp . 1

2

Like in the case of VP-CCS agents, to prove this result we exploit the global characterization of HD-bisimulation; it is based on the following lemma.

6.5 From Petri nets to HD-automata

91

( )

L EMMA 6.39 Let q; be a global state of the HD-automaton Alp corresponding to a pure location agent p. Then:

! q00 is a location transition with n 62 lo (q), and (q0; 0) = norm(q00 ), then (a;) there is some global transition (t; ) : (q; ) ! (q 0 ; 0 ) of Alp and q 00 = q 0 0 ; and if (t; ) : (q; ) (a;!) (q0; 0) is a global transition of Alp, then there is some location a transition q ! q 0 0 umn

if q

a umn

= [ ℄; , and o[t℄(m) = nlo , o[t℄(n) = nnew . A similar property

where in both cases o t holds for the transitions.

We omit the proof since it is similar to the proof Lemma 6.18 on page 73 for CCS with value passing. It relies on Lemma 4.5 on page 35.

6.5 From Petri nets to HD-automata Now we show that also the history-preserving semantics for Petri nets can be modeled by HD-automata. As we have seen in Section 4.3, the classical definition of historypreserving bisimulation is based on processes. Since processes continue to grow during a computation, to obtain finite HD-automata also for nets with infinite behaviors we propose now an alternative characterization of history-preserving bisimulation on Petri nets, in which part of the past history can be forgotten, like we have done in the previous section for CCS with localities. The first step consists of the definition of configurations, which are suitable to represent in a compact way the relevant part of the past history for generic P/T nets. We also show how processes can be mapped into configurations. D EFINITION 6.40 ( CONFIGURATIONS ) Let N be a P/T net. A configuration for N is a tuple

= (E; ; ), where:

E N is a set of events and E E is a partial ordering for E ; : SN (E [ finitg) ! !. P We require that s2SN (s; e) > 0 for each e 2 E . The initial configuration of net N is configuration 0 (N ) = (;; 0 ; ;), with 0 (s; init) = m0 (s) for all s 2 S . Let = (E; ; ) and 0 = (E 0 ; 0 ; 0 ) be two configurations for N and t 2 T be a

transition of N . If1 :

E 0 E [ feg for some e 62 E ; t 0 0 0 0 = [ (IC ( ! e ) feg) \ (E E ); 1

For simplicity, in this definition we suppose that e 62 E 0 .

(s; e) = 0 if e

62 E and, similarly, (s; e) = 0 if 0

92


(s; e) > 0(s; e) for all s 2 SN and e 2 (E [ finitg), and Pe2(E[finitg) ((s; e) 0 (s; e)) = WN (s; t) for all s 2 S ; 0 (s; e) = WN (t; s) for all s 2 SN ; t t then we write !e 0 , where the set IC ( !e 0 ) of the immediate causes of the

transition is:

t 0 0 IC ( ! e ) = fe 2 E j 9s 2 S : (s; e) < (s; e)g: t 0 ( ! e ) of the maximal causes of the transition contains the elements of t 0 IC ( ! e ) which are maximal w.r.t. . t The transition !e 0 is representative if e = minfN n E g.

The set MC

In a configuration, the set E of events represents the past events which are still referenced. Since we are interested in a partial order semantics, a partial order is defined on E , which represents the causal dependencies between the past events. Function represents the current marking of the net; rather than simply defining how many tokens are in each place of the net, it also remembers which events generated these tokens ( is a special mark used for the tokens in the initial marking). We require that in a configuration only the events are remembered which generated tokens still present in the net. This is important to obtain a finite number of different configurations also for certain classes of nets with infinite behaviors. A transition between two configurations corresponds to the firing of a transition of the net. A new event e is generated: it directly depends on those events of the source configuration which correspond to the tokens consumed by the transition (these events are called the immediate causes of the transition) and the partial order in the destination configuration respects these dependencies. The marking of the destination configuration is obtained from the marking of the source by discarding tokens according to the pre-set of the transition and by adding new tokens according to the post-set (these tokens are associated to the new event e). Events with no tokens in the marking are discarded and do not appear in the destination configuration. It is important to remark that corresponding events of history-preserving bisimilar nets can have different sets of immediate causes. In fact, if we consider the net in Figure 6.5(a), we see that both t1 and t2 are immediate causes of t3 , whereas in the net in Figure 6.5(b) t1 is not a direct cause of t3 . It is possible to prove, instead, that two matching events must have the same sets of maximal causes. In fact, notice that t1 is not a maximal cause of t3 in both nets of our example. The transitions between configurations correspond to firings between the corresponding markings:

init

D EFINITION 6.41 ( FROM CONFIGURATIONS TO MARKINGS) E; ; be a configuration for Let N be a P/T net and let

=(

)

N . The marking m


0123 7654

t1

93

(a)

0123 7654

a 77

t3

0123 7654

t2

a

t1

7 777 7

(b)

0123 7654

77 77 7 0123 7654 b 0123 7654

b

t2

0123 7654

t3

0123 7654

0123 7654

Figure 6.5: Two bisimilar nets with different sets of immediate causes. corresponding to is defined as follows:

m (s) =

X e2E

(s; e) for each s 2 S:

P ROPOSITION 6.42 Let be a process for net N and let m be the corresponding markt t t ing. If !e 0 then m ! m and, conversely, if m ! m0 then there exists some t configuration 0 such that !e 0 and m0 m . 0

=

0

The transitions between configurations correspond also to the transitions between the processes of the net. D EFINITION 6.43 ( FROM PROCESSES TO CONFIGURATIONS) Let N be a P/T net and let C; E; G; p be a process on N . The configuration E 0 ; ; which is defined as follows: corresponding to is

=( ) =( ) E 0 = fe 2 E j Æ \ e 6= ;g and = G E ; (s; e) = jp 1(s) \ Æ \ e j for all s 2 SN and e 2 jp 1(s) \ Æ \ Æj for all s 2 SN . 0

E ; moreover (s; init)

=

Notice that the configuration corresponding to the initial process for N is precisely the initial configuration for N . The following proposition shows that the transitions on configurations exactly match the transitions on processes. P ROPOSITION 6.44 Let be a process for net N and let be the corresponding cont t t figuration. If ! 0 then !e and, conversely, if !e 0 then there exists t some process 0 such that ! 0 and 0 . 0

=

0

Now we introduce an alternative notion of history-preserving bisimulation, which is based on configurations rather than on processes.

94


D EFINITION 6.45 ( INCREMENTAL HISTORY- PRESERVING BISIMULATION) A set R of triples is a incremental history-preserving bisimulation for nets N1 and N2 if:

( 1 ; f; 2) 2 R then 1 is a process of N1, 2 is a configuration of N2 and f : E 1 (* E 2 is a partial correspondence between the events of 1 and 2 ; ( 0 (N1); ;; 0(N2)) 2 R;

whenever

whenever – – –

( 1 ; f; 2) 2 R and 1 t!e 01 then 2 t!e 02 with: f (MC ( 1 t!e 01 )) = MC ( 2 t!e 02 ), l1 (t1 ) = l2 (t2 ), and ( 01; f 0; 02) 2 R, and f 0 = (f [ (e1 ; e2)) \ (E E ); 1

1

2

1

2

1

2

2

0

1

the converse, starting from the transitions of 2 .

0

2

Two nets N1 and N2 are incremental history-preserving bisimilar, written N1 if there is a history-preserving bisimulation for them. P ROPOSITION 6.46 Let

N1 hp N2 .

P ROOF (S KETCH ).

N1 and N2 be two P/T nets. Then N1

hp N2,

hp N2 if and only if

Let R be a history-preserving bisimulation for N1 and N2 ; we show that

R0 = f( 1 ; g; 2 ) j (1; f; 2 ) 2 R; g = f \ (E 1 E 2 )g

is an incremental history-preserving bisimulation. This is sufficient to prove that implies N1 hp N2 . For the converse, let R be an incremental history-preserving bisimulation. Then

N1

hp N2

R0 = f(1 ; f; 2) j( 1 ; g; 2 ) 2 R;

f is an isomorphism for ev(1 ) and ev(2 ); g = f \ (E 1 E 2 )g

is a history-preserving bisimulation. This is sufficient to prove that N1

N2 .

hp N2 implies N1 hp 2

We wold like to remark that configurations and incremental history preserving bisimulation are strongly related to generalized OM-markings and generalized OM-bisimulation defined in Vogler [1995]. Also generalized OM-markings are obtained from processes by discarding most of the past history and by retaining only the information on the events that are still active, and on their causal relation. In that paper, OM-bisimulation is proved decidable for -safe nets. Essentially, what we have done so far in this section is to extend the definitions of Vogler [1995] to the more general case of P/T nets. When a HD-automaton is generated from a net, states of the automaton correspond to configurations of the net. However, to obtain a compact HD-automaton, it is important to identify configurations which are isomorphic.

1

D EFINITION 6.47 ( ISOMORPHIC CONFIGURATIONS) E; ; and 0 E 0 ; 0 ; 0 of a P/T net N are isomorphic if Two configurations there exists some bijective function i E ! E 0 such that:

=(

)

:

=(

)


95

e e0 if and only if i(e) 0 i(e0) for all e; e0 2 E , and (e; s) = 0(i(e); s) for all e 2 E , s 2 SN . We assume to fix a representative for each class of isomorphic configurations and to have such that

0 ; where 0 is the representative of the class of a function configurations isomorphic to and is the bijection between E and E . Let and 0 be two isomorphic configurations and let be the total bijection between E def 0 . and E which corresponds to the isomorphism. Then

norm

norm( ) = (

)

0

0

()=

Now we are ready to show how, given a net, it is possible to build the HD-automaton corresponding to it, by exploiting its behavior on configurations. In this case, the named set Lpn of labels is defined as follows: Lpn f ; k j 2 A t ^ k 2 ! g and the k names n1 ; : : : ; nk ; nnew correspond to ; k for any 2 A t. k have sort , whereas name nnew has sort . The names ni for i

=1

+1

= ( ) ( ) new

old

D EFINITION 6.48 ( FROM P ETRI NETS TO HD- AUTOMATA ) The HD-automaton Apn N that corresponds to the P/T net N is the smallest HD-automaton that satisfies the following rules:

let 0 be the initial configuration for N and

00 2 Q is the initial state and Q[ 00 ℄ = E 0 ; – 0 is the initial embedding; t t if 2 Q, !e 0 is a representative transition, MC ( !e 0 ) = fe1 ; : : : ; ek g, and norm( 0 ) = ( 00 ; ), then: – 00 2 Q and Q[ 00 ℄ = E ; – there is some t 2 T such that T[t℄ = E [ fe0 g, where e0 = minfN n E g; –

( 00; 0 ) = norm( 0); then: 0

00

moreover

s(t) = , d(t) = 00 , s[t℄ = idE and d[t℄ = ; – o(t) = (; k ), where = lN (t); moreover o[t℄(ej ) = nj for j = 1; : : : ; k and o[t℄(e) = nnew . t For each representative transition !e 0 there are in general many transitions in the t HD-automaton, that differ for the order of the elements of MC ( !e 0 ): if k elements t appear in MC ( !e 0 ), then there are k ! ways to assign them to the names n1 ; : : : ; nk –

of the label. We would like to remark that all these different transitions have the same target state, so no grow of the number of states occurs due to this inefficient encoding of the labels. Moreover, it is possible to generate a single transition in the HD-automaton, at the cost of changing slightly the definition of HD-bisimulation, so that two transitions are allowed to match even if their labels differ for a permutation of names n1 ; : : : ; nk . The construction in Definition 6.48 generates finite HD-automata for the finite nets that are n-safe for some n. We emphasize that it is decidable whether a finite P/T net is n-safe for some n. A possible procedure can be found in Valk and Jantzen [1985].

96


T HEOREM 6.49 Given a finite P/T net N , the HD-automaton Apn N is finite if and only if N is n-safe for some n. We show that Apn N has a finite number of states. Since a finite number of steps is possible in a net from a particular marking, also the number of transitions exiting from each state of the HD-automaton has to be finite, which concludes the proof. E; ; of N , where: Each state of Apn N is a configuration

P ROOF.

=(

)

E N and E E is a partial ordering; : S (E [ finitg) ! !. By Proposition 6.42, moreover m is a marking of N which is reachable from the initial marking. Since the net is n-safe for some n, there can be just a finite number of different markings m corresponding to reachable configurations. P Since we require that s2S s; e > , the number of events e 2 E cannot be greater to the total number of the tokens in m , so there is also a bound to the cardinality of E and also the possible partial orders of E are finite. Since we work up to isomorphism of the configurations, 2 this is sufficient to conclude the proof.

( ) 0

Two P/T nets are history-preserving bisimilar if and only if the corresponding HDautomata are bisimilar. T HEOREM 6.50 Let N1 and N2 be two P/T nets. Then N1

pn hp N2 iff Apn N AN . 1

2

To prove this result we exploit the global characterization of HD-bisimulation; it is based on the incremental characterization of history-preserving bisimulation and on the following lemma, which corresponds to Lemma 6.18 in the case of CCS with value passing. L EMMA 6.51 Let P/T net N . Then:

( ; ) be a global state of the HD-automaton ApnN corresponding to a

t 00 0 0 00 0 ( ) ! e and ( ; ) = norm( ), then there is some global transition (t ; ) : ( ; ) (;!) ( 0; 0) of ApnN and 00 = 0( 0); and if (t0; ) : ( ; ) (;!) ( 0 ; 0) is a global transition of Apn N , then there is some t 0 0 ( ) !e ( ) t where in both cases = lN (t) and od() = MC ( !e 0 0 ) [ feg.

if

6.6 Concluding remarks on HD-automata In this chapter we have introduced a basic version of HD-automata that is an adequate operational model for history-dependent calculi as CCS with value passing, CCS with localities and Petri nets. The approach is sufficiently general to be applied also to other formalisms: one example is CCS with causality [Degano et al. 1988; Darondeau and

6.6 Concluding remarks on HD-automata

97

Degano 1989; Kiehn 1994] — the approach of Kiehn [1994], which is similar to the location approach of Section 4.2, is particularly well-suited to be translated to HD-automata. Rather than presenting another encoding, however, we prefer to give the “general receipt” for building HD-automata from a history-dependent formalism.

Identify the “entities” of the formalism that should be mapped into the names of the HD-automata: these are the schematic names for VP-CCS, the locations for CCS with localities, and the events for the history preserving semantics of Petri nets. Define an “incremental” semantics of the formalism that allows for an efficient reusage of the “entities”: this is already done in the ordinary semantics of VP-CCS, since names can be safely discarded during a computation when they do not appear in the destination of a transition; in the case of CCS with localities, we had to define an incremental semantics which allows us to discard locations, and in the case of Petri nets, we had to move from processes to configurations. The obtained semantics should be independent from the particular choice of “entities”, i.e., it should be . possible to work up to renaming and to define an appropriate function Notice that the reusage of “entities” has to be efficient — so that a significant subset of the programs is mapped into finite HD-automata — however, it has not to be optimal: there are the active names to this purpose. Notice also that normally the incremental definition of bisimulation has still to deal explicitly with the creation of new “entities”, to guarantee that these are fresh for both the states in relation. This pjq ” in Definition 6.32. is the role, for instance, of clause “n 62

norm

lo ( )

Define a mapping from the formalism to HD-automata; this mapping should exploit function . A correspondence between the operational semantics of the formalism and the (global) operational semantics of HD-automata is often easy to prove. Therefore the coincidence of the bisimulation semantics is derived. The general results on HD-automata can then be exploited to map the formalism on ordinary automata and to define an effective algorithm for verifying bisimulation equivalence.

norm

6.6.1 Weak semantics So far we have modeled with HD-automata the strong semantics of VP-CCS and of CCS with localities. These process calculi, however, are equipped also with a weak semantics. Fortunately enough, all the theory presented in this chapter can be easily adapted to capture the weak semantics of VP-CCS and of CCS with localities: simply, when building the HD-automaton corresponding to an agent, we have to consider its weak transitions rather than the strong ones. T HEOREM 6.52 Let AW p be the HD-automaton corresponding to a VP-CCS agent p according to the weak semantics, i.e., AW p is built by following Definition 6.4 on page 61, 0 where strong transitions q ! q are replaced by weak transitions q ) q 0 . If the VP-CCS agent p is finitary, then the HD-automaton AW p is finite. W Moreover, let p and q be VP-CCS agents. Then p vp q iff AW p Aq .

=

98


q

q

t

R1

q

q

tq

R3

t

t; t

R2

q

t

0

00

q

q

0

q

q

0

q

00

0

t 0

t; t ; t 0

00

q

00

q

000

t

00

q

000

Figure 6.6: Weak transitions of HD-automata. A similar theorem holds also for CCS with localities. It is possible to build the HD-automaton AW p also starting from Ap , by generating the weak transitions directly on the HD-automaton. Rather than giving a formal definition of how weak transitions are defined on the top of strong ones, we prefer to give a graphical representation of the building rules: these are represented in Figure 6.6. The first two rules are for the transitions, that correspond to a sequence of transitions: rule R1 is for the empty sequence of transitions, while rule R2 shows how this sequence can be extended by adding a new transition. Rule R3 is for the visible transitions: it shows that these can absorb sequences of transitions that precede and follow them. It is possible to prove that equivalent “weak” HD-automata are obtained by using the weak transitions of the calculus, and by first building the “strong” HD-automaton and then generating the weak transitions with the rules in Figure 6.6. Starting from the “weak” HD-automaton, it is possible to apply all the theory of Section 6.3, and hence to define a “weak” ordinary automaton from it. In this way, weak bisimilarity of VP-CCS and of CCS with localities is reduced to ordinary bisimulation on automata. A “weak” ordinary automaton can be obtained for a history-dependent formalism by following a different sequence of steps: it is possible to build the “strong” ordinary automaton from the “strong” HD-automaton, and then to transform this one in a “weak” automaton. These two ways give rise to different, non-equivalent “weak” ordinary automata: to


99

understand why this happen, we can consider the following VP-CCS agent:

p = :(y ):A(y ) + (x):A(x): In Figure 6.7 on the next page we represent graphically the two ways to build the weak automata: here we consider that x is the smallest name, and y is the second one. On the left side we represent the steps from agent p, to the strong HD-automaton, to the strong automaton, to the weak automaton; on the right side, instead, we represent the steps from agent p, to the weak HD-automaton, to the weak automaton. The two weak automata differ in the name that is used in the topmost input transition: in one case this transition is obtained by combining transition with transition x, and name x can be used here, since no names appear in the agent after the transition; in the other case, this transition is build directly by the corresponding transition of the HD-automaton, and in this case name y cannot be used, since it is already used in the starting state. This is another argument in favor of the general mechanism of name allocation of the HD-automata, if compared with the specific policy of name allocation that is necessary to obtain ordinary automata.

6.6.2 Minimization of HD-automata In Section 6.3 we have seen how ordinary automata can be obtained from HD-automata. These ordinary automata can be minimized using the classical techniques on ordinary automata that we have presented in Section 3.1.2. In this way, a canonical ordinary automaton can be associated to each class of equivalent history-dependent systems. A much stronger result would be the possibility to minimize the HD-automata: in this way, a canonical representative could be defined at this more abstract level. Unfortunately enough, this is not possible: in Figure 6.8 on page 101 we show two equivalent HDautomata, that are both minimal, but that are not isomorphic. In each of the HD-automata there is a single state with two names, and two transitions: each transition exhibits in the label one of the two names. The difference between the two HD-automata is that the names are switched along the transitions in HD-automaton B , while they are not in A. Still, the HD-automata are equivalent: their behavior is symmetric w.r.t. the two names; and in fact a bisimulation for these HD-automata is:

R = fhp; Æ; qi; hp; Æ0; qi j Æ(1) = 3; Æ(2) = 4 and Æ0(1) = 4; Æ0(2) = 3g This is precisely the origin of the problem: it is not possible to represent explicitly in a HD-automaton these symmetries between the names of the states. There is no way fhp; Æ; pi j to quotient HD-automaton A with respect to its greatest bisimulation RA Æ ;Æ g, and this makes it impossible to obtain minimal HD-automaton. In the next chapter we define an enhanced version of HD-automata that will solve this problem.

(1) = 2 (2) = 1

=

100


p = :(y):A(y) + x:A(x)

x

Ap

x (x)

Ap )

(

AWp

x unf

(x) (x)

Ap )

(

unf

(y)

W

x

(x)

AWp )

(

unf

Figure 6.7: Weak unfoldings.

x


101

A p

1

2

t1

t1

B q

3

t01

4

t1

Figure 6.8: Two non isomorphic minimal HD-automata.

Chapter 7 History Dependent Automata with Symmetries Basic HD-automata, presented in the previous chapter, have some drawbacks; the most important is that they do not apply in a satisfactory way to the -calculus. The problem is that in the -calculus1 there are two ways to introduce fresh names in an agent: the first is due to name extrusion, and the other is due to the input transitions. As we will see, these two forms of name generation are quite different, and basic HD-automata model excellently name extrusion, but they have difficulties in representing name generation in the input transitions. This can appear surprising, since we have seen in the previous chapter that basic HDautomata can model without difficulties the input transitions of VP-CCS. This happens since in the data-independent fragment of VP-CCS it is sufficient to use a fresh name to represent the value received in an input transition (which is similar to what happens in the -calculus in the case of name extrusion). In the case of -calculus, instead, we have to take into account that the name received in an input transition may be either a name already present in the source agent or a fresh name. Difficulties occur when two equivalent agents have different sets of free names, since they do not agree on which names are “already present in the source” and which names are “fresh”. Consider for instance agents

p = x(y ):A(x; y; z )

(

and

)

q = x(y ):B (x; y; w)

(

)

where we assume that A x; y; z B x; y; w . The two agents are bisimilar, but they have different sets of free names. If we want to map these agents on HD-automata, clearly we do not want to generate all the input transitions: it is sufficient to consider those corresponding to the reception of a name already present in the source state, and one additional transition where a fresh name is received. However, since agents p and q have different sets of free names, this approach leads to different sets of transitions: the transition corresponding to name z is considered only for agent p, while the one corresponding to name Here we consider the early and late semantics of -calculus; the situation in more complex for open and asynchronous semantics, as we will see in Chapter 8. 1

104

History Dependent Automata with Symmetries

w is considered only for q . This problem is not addressed by Basic HD-automata and HD-bisimulation. The necessity to distinguish two types of fresh names in the HD-automata for calculus agents is already recognized in Montanari and Pistore [1998]. There, this distinction is obtained by typing the fresh names introduced in a transition: bound-output-like names are typed new, while fresh-input-like names are typed universal. HD-bisimulation has to be complicated to deal with these two different kinds of fresh names; in fact, to be sure that the two agents p and q above are equivalent, we have to match transition p xz! A x; z; z of agent p against the transition q xy! B x; y; y of q that corresponds to the reception of the universal name. The intuition is that this transition of q corresponds to the reception of any name different from x and w (that are the free names of q ) and should hence be used to match the transition of p for name z . Here we present a generalization of the approach of Montanari and Pistore [1998]. The idea is to extend the sets of names that enrich states, transitions and labels of the HD-automata with name repositories: these are infinite sources, from which it is possible to extract fresh names when needed. Different classes of fresh names are represented by different repositories, and the approach of Montanari and Pistore [1998] can be seen as a particular case, where only two repositories are allowed, one for the universal names and one for the new names. In Figure 7.1 we represent two -calculus transition: the upper corresponds to a bound output, while the lower corresponds to an input transition. Two repositories are present in the states, as well as in the transitions and in the labels: these are named and u in figure. In the case of the bound output transitions, fresh names are taken from the infinite repository . In the case of the input transitions, instead, the fresh names are taken from repository u. As the reader can see in Figure 7.1, repository u is used also as a “drain” for the names that are discarded in a transition. To explain why we use this repository rather that , we have to think at the role that play the two repositories in the -calculus. Names in are used to represent the fresh names that can be generated locally by an agent. Names in u, instead, are those names that can be sent to the agent by the environment: that is, these names represent channels that already exist in the environment, but the agent does not know them. If an agent forgets a name, that name is still available in the environment, and the agent can receive it back in a successive input action. Hence, it is correct to put this names among those that can be received in an input transition. In the Basic HD-automata of Chapter 6, only a finite set of names is associated to a state of a HD-automaton. In the extended model that we are defining, the whole set of names is represented; however, many of these names are indistinguishable and are represented in a compact way by means of the infinite repositories. According to this interpretation, in the case of a -calculus agent the names are dividend in the parts:

(

)

(

)

a finite set of names that appear syntactically in the agent — these appear explicitly in the corresponding state of the HD-automaton; an infinite set of names that exist in the environment, but that are not known by the

105

u u

u

u

u u

u

u

Figure 7.1: Two transitions with infinite repositories.

106

History Dependent Automata with Symmetries agent — these are represented by repository u; an infinite set of names that can be generated locally, when the agent performs a bound output — these are represented by repository .

In this chapter we implement this idea by means of History Dependent Automata with Symmetries, in brief HDS-automata. The names that appear in their states, transitions, and labels are defined up to a symmetry — that is, a set of bijective functions, or permutations, on these names. These symmetries are used to identify the infinite subsets of these names that correspond to the different repositories. The symmetry of a state can be thought as a declaration that the behavior from that state is not altered by applying to the names of the states any of the corresponding permutations. In the case of infinite name repositories, all the names in the same repository are interchangeable, so, in this case the symmetry is used to define an equivalence on the names. Symmetries can be used to represent more complex behaviors, though; for instance, in the case of agent

p = A(w; x; y ) + A(w; y; z ) + A(w; z; x); we can use them to declare that the behavior of agent p is left unchanged by a shift ' ' x h y z : in this way, it is sufficient to represent explicitly only the transition of, say, A w; x; y . Symmetries are also useful for defining minimal HD-automata. We have evidenced in Section 6.6.2 that minimization is not possible in the case of Basic HD-automata, since it is not possible to represent in them the symmetries that exist between the names of the states of the automata. As we will see, minimization is possible in the case of HDSautomata.

(

)

Structure of the chapter. In Section 7.1 we define symmetries on names. Based on them, HDS-automata are defined in Section 7.2; in this section, mappings from the early and late semantics of -calculus into HDS-automata are also provided. Section 7.3 introduces HDS-bisimulation and studies its basic properties. Section 7.4 defines minimization on HDS-automata, while in Section 7.5 (a class of) HDS-automata are mapped to ordinary automata. Section 7.6, finally, discusses some other process calculi that can be represented by means of HDS-automata.

7.1 Symmetries on

N

In this section we define symmetries on names and functions between them. D EFINITION 7.1 ( SYMMETRIES ) Let N be a infinite, denumerable set of names. A symmetry on N that is a group for composition; that is:

idN 2 (i.e., contains the identity bijection);

on N is a set of bijections

7.1 Symmetries on N

107

2 then ; 0 2 (i.e., is closed for composition); if i 2 then there is some i0 2 such that i; i0 = idN (i.e., N if ; 0

inversion).

We denote the set of all the symmetries on N with S ym

is closed for

(N ).

While generic symmetries may appear in the HDS-automata, in most of the examples we use infinite o we introduce some notations for them. n repositories of names. Here ? 8 9 > : = < ; ? 8 9 > : = < ; s s We denote with d1 ; : : : ; dm ; 1 ; : : : ; n the symmetry where d1 ; : : : ; dm are the distinct names and s1 ; : : : ; sn denote the infinite repositories. More precisely, D fd1; : : : ; dmg N is the finite subset of the names that are neutral for the permutations in the symmetry, i.e., name dh for h m is left unchanged by all the symmetries. Names in N n D are split into n infinite sets S1 ; : : : ; Sn , that correspond to the infinite repositories s1 ; : : : ; sn ; all the names in set Si are considered indistinguishable by the symmetry. Clearly, there are infinite many different ways to split set N n D into the n subsets S1 ; : : : ; Sn : here we assume to fix one of these split as the canonical one.2 Therefore, if fS1 ; : : : ; Sn g is the canonical split of N n D in n infinite sets, then

=

=1

n d1 ; : : :

o

; dm ; ?89>s:=1 sn:=s:=k s:=k : = < ; ? 8 9 > : = < ; 7 0 1 6 2 5 0 s s d1 ; d2 ; s 43 . The embedding Let us consider d1 ; d2 ; d3 ; 1 ; 2 and from to 0 that maps distinct names d1 and d2 of into distinct names d01 and d02 of 0 respectively, and all the other names of into repository s0 of 0 is represented as follows:

8 > > d1 > d2 > > > < d3 > > ?89 >: = > s1 > > : ?89 > s:=2 ! > > 7! d02 > > > 7! ?89>s:=01 s:=s:= = f j (d1 ) = d1 ; (d2 ) = d2 ; fd3 g [ 1 [ 2 = s g: 7! ?89>s:=01 > > > ; 0 7! ?89>s:=1

7.2 HDS-automata Now we define named sets with symmetries: they are similar to named sets (Definition 6.1), but in this case the elements are enriched with symmetries on names, rather than by sets of names. Based on named sets with symmetries, we then defined HDS-automata. D EFINITION 7.3 ( NAMED SETS WITH SYMMETRIES ) A named set with symmetries E is a set denoted by E , and a family of symmetries on N , indexed by E , namely fE e 2 S ym N ge2E , or, equivalently E is a map from E to S ym N . Given two named sets with symmetries E and E0 , a named function with symmetries m E ! E0 is a function on the sets m E ! E 0 and a family, indexed by m, of embeddings on symmetries, namely fm e E e ! E0 e0 ghe;e i2m :

( )

[℄

: [ ℄: [ ℄

( )

[℄

:

[ ℄

0

D EFINITION 7.4 (HD- AUTOMATA WITH S YMMETRIES ) A HD-automaton with Symmetries (or HDS-automaton) A is defined by:

a named set with symmetries L of labels;

7.2 HDS-automata

109

a named set with symmetries Q of states;

a named function with symmetries o T ! L, which associates a label to each transition (and embeds the symmetry of the transition into the symmetry of the label);

an initial state q0 2 and an initial embedding f0 global identity to the local names of q0 .

a named set with symmetries T of transitions;

:

a pair of named functions with symmetries s; d T ! Q, which associate to each transition the source and destination states respectively (and embed the symmetry of the transition into the symmetries of the source and of the destination states);

:

Q

: fidN g ! Q[q0 ℄, that gives a

As usual, we exploit the notations described in Section 2.1 to denote the different components of a given HDS-automaton. Moreover, if t be a transition of a HDS-automaton l q , t q 0 and t l, then we write t q ! q0. such that t In the initial embedding, f N g is the symmetry on N that is composed only by the identity permutation. We would like to remark that the initial embedding gives a global meaning to the names of the initial state only up to the symmetries that are defined on these names.

s( ) = d( ) =

id

o( ) =

:

7.2.1 From -calculus to HDS-automata: early semantics Now we map -calculus agents into HDS-automata. In this section we consider the early semantics of this process calculus: we have defined it in Section 5.2. As we have already discussed in the introduction of this chapter, two infinite repositories of names are used in this case. The first one, that we denote with (/.)-*+,, is used for the names that are generated by the agent in the bound output transitions. The other one, denoted with (/.)u-*+, , is used for the names that exist in the environment but that are not known by the agent; fresh names are taken from here in the case of input transitions, and names that are forget in the transitions of the agent are collected in this infinite repository. Now we define the named set with symmetries L of the labels for the -calculus (see also Table 7.1): we have to distinguish between synchronizations, free inputs, free outputs and bound outputs. Thus the set of indexes is

L = ftau; in; in2; out; out2 ; boutg: No distinct name is associated to tau, one distinct name (n) is associated to in2 and out2 and two distinct names (nsub and nobj ) are associated to in, out and bout. In all these labels, then, there are the two infinite repositories (/.)-*+, and (/.)u-*+,. Labels in2 and out2 are used when subject and object names of inputs or free outputs coincide. These special labels are necessary since, according to the definition of HDS-automaton given above, it is not possible to associate the same name of the source state to two different names of the label: according to Definition 7.2, the embeddings on symmetries only allow for bijective correspondences of names.

110


l 2 L L [l℄

in in2 out out2 bout nsub ; nobj ; n; nsub ; nobj ; n; nsub ; nobj ; (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+,

tau

fj(/.)-*+,; (/.)u-*+,jg

Table 7.1: The named set of labels for early -calculus. As we have done in Chapter 6 for CCS with value passing and for CCS with localithat, given a -calculus agent p, returns a pair ties, we assume to have a function q; p , where q is the representative of the class of agents differing from p for p ! q is the bijective substitution such that q p . a renaming and We also define representative transitions, so that a single transition is taken from a bunch of bound outputs that differ only for the extruded name, and from a bunch of input transitions that differ in the fresh name that is received from the environment (in the case of the input transitions, all the names that appear in the source state have to be considered as other possible input values).

( ) = norm( )

norm

: fn( )

fn( )

=

D EFINITION 7.5 ( REPRESENTATIVE TRANSITIONS) A -calculus transition p ! q is a representative transition if:

= ; xy, or = x(y) and y = min N n fn(p) , or = xy and y 2 fn(p) [ min N n fn(p) .

Only representative transitions are used when building a HD-automaton from a calculus agent. The following lemma shows that the representative transitions express, up to -conversion, all the behaviors of an agent.

! q, with = xy (resp. = x(y)) be a non-representative calculus transition. Then there is some representative transition p ! q 0 , with 0 = xz (resp. 0 = x(z )) such that q 0 = q fz=y y=z g. Finally, we assume that the set of names N is split in two infinite subsets N and N u : names N are reserved: they are used when a name is created during the bound output L EMMA 7.6 Let

p

0

transition. Hence, we assume that, initially, all the free names of a -calculus agent p are in N u .

D EFINITION 7.7 ( FROM - CALCULUS AGENTS TO HDS- AUTOMATA ) Let p be a -calculus agent with p N u . The HDS-automaton Ap corresponding to p is the smallest HDS-automaton that respects the following rules:

fn( )

if

norm(p) = (q; ) then: – q 2 Q is the initial state and Q[q ℄ = fjn 2 fn(q ); (/.)-*+,; (/.)u-*+, jg;

7.2 HDS-automata

111

xy xx xy xx x(y ) l 2 L tau in in2 out out2 bout 2 = (3) 2 n() = x y x x y x x y 3 = (2) 2 L [l℄ = nsub nobj n nsub nobj n nsub nobj Table 7.2: Relations between early -calculus labels and labels of HDS-automata. – the initial embedding is defined as follows:

f0 =

8 < :

n 7! (n) if n 2 fn(p) n 7! (/.)u-*+, if n 2 N u n fn(p) n 7! (/.)-*+, if n 2 N

9 = ;

2 Q, q ! q0 is a representative transition and norm(q0 ) = (q00; ), then: – q 00 2 Q and Q[q 00 ℄ = fjn 2 fn(q 00 ); (/.)-*+,; (/.)u-*+,jg; – there is some t 2 T such that T[t℄ = n 2 fn(q ) [ n() ; (/.)-*+,; (/.)u-*+, ; moreover

if q

–

–

s(t) = q, d(t) = q00, 9 8 > n 7! n if n 2 fn(q ) > > > > > > > > = > < n 7! (/.)-*+, if = x(y ) and n = y n 7! (/.)-*+, if = xy , y 62 fn(q ) and n = y s[t℄ = u > > > > > (/.)-*+, 7! (/.)-*+, > > > > > : (/.)-*+, 7! (/.)-*+, ; u u 8 9 n 7! (n) if n 2 fn(q 00 ) > > > > > < n 7! (/.)-*+, if n 2 (fn(q ) [ n()) n fn(q 00 ) > = u d[t℄ = (/.)-*+, 7! (/.)-*+, > > > > > > : (/.)-*+, 7! (/.)-*+, ; u u o(t) = l and o[t℄ =

8 n > > > < n > (/.)-*+, > > : (/.)-*+, u

9

> 7 (n) if n 2 n() ! > = 7! (/.)u-*+, if n 2 fn(q) n n() > 7! (/.)-*+, > > > ; 7! (/.)u-*+,

where l and are related to as defined in Table 7.2. Definition 7.7 gives rise in general to infinite HDS-automata. However, there are classes of -calculus agents that generate finite HDS-automata. This is case of finitary -calculus agents: these agents give rise to finite HDS-automata, and the algorithm corresponding to Definition 7.7 always terminates on them.

112


l 2 Ll Ll [l℄

tau instart inend

fj(/.)-*+,; (/.)u-*+,jg

nsub ; (/.)-*+,; (/.)u-*+,

nobj ; (/.)-*+,; (/.)u-*+,

out out2 bout nsub ; nobj ; n; nsub ; nobj ; (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+, (/.)-*+,; (/.)u-*+,

Table 7.3: The named set of labels for late -calculus. D EFINITION 7.8 ( FINITARY AGENTS) p of a -calculus agent p is defined by the clauses of The degree of parallelism Definition 3.7 on page 24, with the addition of the following clause for matching:

deg( )

deg([x=y℄p) = deg(p) A -calculus agent p is finitary if T HEOREM 7.9 Let finite. P ROOF.

maxfdeg(p0 ) j p ! !i p0 g < 1. 1

p be a finitary -calculus agent. Then the HD-automaton Ap is

The proof of Theorem 6.6 can be reused, with small changes, also in this case.

2

The same comments that we have done for finitary VP-CCS agents in Section 6.1.1 also hold for the -calculus: in general, it is not decidable whether an agent is finitary; however, there are subclass of finitary agents which can be characterized syntactically. The most well-known is the class of the agents with finite control, i.e., the agents without parallel composition in the body of recursive definitions (see Definition 3.9 on page 24). In this case, in fact, after an initialization phase during which a finite set of processes acting in parallel is created, no new processes can be generated; therefore a finite-control agent is clearly finitary.

7.2.2 From -calculus to HDS-automata: late semantics Here we show how the definitions of the previous section should be modified to deal with the late semantics of -calculus agents within the framework of the HDS-automata. We exploit the characterization of late semantics that has been given in Ferrari et al. [1996] and Quaglia [1996], and that we have reported at the end of Section 5.3. According to it, an input transition is split in two steps: the channel of the communication is announced in the first step, while the value is received in the second:

x(y ):p

z℄ ! y:p [! pfz=yg:

x

On HDS-automata, we have to replace the two labels in and in2 , used for the early in-

[y℄

put actions, with the labels instart and inend , corresponding to the two steps ! and ! respectively; one name nsub is associated to label instart , and one name nobj is associated to label inend . The named set with symmetries Ll of the labels for the late -calculus is hence defined as in Table 7.3. x

7.2 HDS-automata

113

x [y℄ xy xx x(y ) l 2 Ll tau instart inend out out2 bout 2 = (3) 2 n() = x y x y x x y vp 3 = (2) 2 L [l℄ = nsub nobj nsub nobj n nsub nobj Table 7.4: Relations between late -calculus labels and labels of HDS-automata. l

l n

x q1

q1

x

q2

0

q2 0

t1

t2

l

x

q1

q1 0

t1

l

n

x

q2

q2 0

t2

Figure 7.2: Wrong translation from HD-automata to HDS-automata. The definition of representative transitions changes accordingly: all the transitions

[y℄ 0 ! p0 are representative, while a transition p ! p is representative only if y 2 fn(p) [ min N n fn(p) .

p

x

Finally, the mapping from agents to HDS-automata is done as explained in Definition 7.7; only the correspondences between -calculus labels and the labels on the HDSautomaton has to change, according to Table 7.4. Also in the case of the late semantics, the HDS-automata corresponding to agent p is finite whenever agent p is finitary.

7.2.3 From Basic HD-automata to HDS-automata Now we show that Basic HD-automata are just a particular subclass of HDS-automata. To this purpose, we show how a HDS-automaton can be obtained from a HD-automaton. The first idea that comes to mind is to add to all the states, the transitions and the labels of the HD-automaton one infinite repository of names, that would represent all the names that do not appear explicitly in the HD-automaton: an example of such translation is represented in Figure 7.2, where the repository is called (/.)-*+, .

114


l

l x q1

q1

n

x

q2

q1 0

q2 0

t1

t2

! l

! l x !

!

!

q1 0

t1

n !

q2

x ! !

q2 0

t2

Figure 7.3: Correct translation from HD-automata to HDS-automata. Unfortunately, this simple translation is not correct. In fact, at the level of HDautomata, the left and right transitions of Figure 7.2 perform the same action: both of them have label l and generate a new name x in the target state. At the level of the HDSautomata, however, the two transitions have a different meaning: in the left transition, in fact, name x can correspond to any name; in the right transition, it can correspond to any name except name n of the source state. A HDS-automaton with one infinite repository implements a mechanism for generating fresh names that resembles the fresh-input transitions of -calculus, while a HDautomaton implements a mechanism that resembles the bound-output transitions, and, as we have discussed in the introduction of this chapter, the two mechanisms are quite different. To simulate the form of name generation that is realized by the HD-automata, two infinite repositories of names are necessary in the HDS-automata: we denote them with (/.)-*+, and (/.)!-*+, . When a fresh name is generated in a transition of the HD-automaton, then a name is taken from the repository (/.)-*+, in the corresponding transition of the HDS-automaton. Instead, when a name is forgotten in a transition of the HD-automaton, then that name is put into repository (/.)!-*+, in the HDS-automaton. This correct translation is illustrated in Figure 7.3: here the two transitions match also in the case of the HDS-automata, if we assume that name n of the source state of the right transition corresponds in the left transition to a name in repository (/.)!-*+, , that is, if we assume that the left HDS-automaton has already forgotten name n. D EFINITION 7.10 ( FROM HD- AUTOMATA TO HDS- AUTOMATA ) The HDS-automaton B corresponding to HD-automaton A is defined as follows:

7.3 Bisimulation on HDS-automata

115

QB = QA and, for each q 2 QB , QB [q ℄ = fjn 2 Q[q ℄; (/.)-*+, ; (/.)!-*+, jg; TB = TA and, for each t 2 TB , TB [t℄ = fjn 2 T[t℄; (/.)-*+, ; (/.)!-*+, jg; LB = LA and, for each l 2 LB , LB [l℄ = fjn 2 L[l℄; (/.)-*+, ; (/.)!-*+, jg; sB = sA , and, if t 2 TB then

sB [t℄ =

8 n > > > < n (/.)-*+, > > > : (/.)-*+, !

9

7! sA [t℄(n) if n 2 dom(sA [t℄) > > > = otherwise 7! (/.)-*+, 7! (/.)-*+, > > > ; 7! (/.)!-*+,

dB = dA , and, if t 2 TB then 9 8 n 7! d [t℄(n) if n 2 dom(d [t℄) > > A A > > > < n 7! (/.)-*+, > = otherwise ! dB [t℄ = (/.)-*+, 7! (/.)-*+, > > > > > > : (/.)!-*+, 7! (/.)!-*+, ; oB = oA , and, if t 2 TB then 8 9 n 7! o [t℄(n) if n 2 dom(o [t℄) > > A A > > > < n 7! (/.)-*+, > = otherwise ! oB [t℄ = (/.)-*+, 7! (/.)-*+, > > > > > > : (/.)!-*+, 7! (/.)!-*+, ; By exploiting this encoding, all the formalisms that we have mapped into Basic HDautomata in Chapter 6 can be mapped as well into HDS-automata. In the case of the history-preserving semantics of Petri nets, moreover, the possibility of using symmetries in the label is particularly convenient; according to Definition 6.48 on page 95, in fact, each transition on the net configurations is mapped into a set of transitions of the HDautomaton: these transitions differ for a permutation of the names that represent the past causes. By exploiting the symmetries, a single transition is required, where all the names that represent the past clauses are declared indistinguishable.

7.3 Bisimulation on HDS-automata In this section we introduce a notion of bisimulation on HDS-automata and describe some basic properties of this bisimulation. We also show that the definition of bisimulation on early and late -calculus agents is captured exactly by the bisimulation on HDS-automata. Similarly to what happens for HD-bisimulation (Section 6.2), also a HDS-bisimulation is a set of triples of the form hq1 ; Æ; q2 i where q1 and q2 are states of the automata and Æ is a correspondence between the names of the states; in this case, however, the

116


q1

l

q1 0

1 2 t1

Æ

Æ

0

t2 q2 0

q2

l

1 2

l

t2 0

q2

00

Figure 7.4: A step of bisimulation on HDS-automata.

Æ

00


117

:

correspondence between the names in total, i.e., Æ N ! N is a total bijection between the names of q1 and those of q2 . Let us consider the HDS-automata in Figure 7.4. We want to check if states q1 and l q2 are bisimilar via the bijection Æ . State q1 can perform a transition t1 q1 ! q10 . We cannot requite that this transition is matched by a single transition of q2 : in fact, in state q1 there is a symmetry between names and , so, in transition t1 the name in the label can correspond both to name and to name of the source state. In state q2 there is no symmetry between names and , but there are two transitions, that use name and , respectively. We consider bisimilar these two HDS-automata, proviso the target states are bisimilar according to the correspondences Æ 0 and Æ 00 represented in figure; in fact, we do not want to distinguish between the symmetries in the behaviors that are “declared” in the states and those that are implicit in the transitions of the HDS-automaton. So, transition t1 to be matched by the pair of transitions t2 and t02 , one for each of the symmetric behaviors of t1 . This is obtained in the definition of HDS-bisimulation by l requiring that, given transition t1 q1 ! q2 , for each bijection3 1 2 s1 t1 there exist a transition t2 from q2 and a bijection 2 2 s2 t2 so that t1 and t2 match w.r.t. bijections 1 and 2 . This behavior works correctly also in the case of the input transitions in the HDSautomata obtained from -calculus agents. In this case, in fact, if state q1 has a distinct name n that does not appear in state q2 , this name is mapped by Æ in repository (/.)u-*+, of state q2 . The specific transition of q1 that corresponds to the reception of name n is correctly matched in q2 by the “default” transition that corresponds to the reception of a fresh name taken from (/.)u-*+,. In the general case, we have to take into account not only the symmetries of the source state, but also those of the label and of the target state of a transition. So, a matching has l to be found for a transition t1 q1 ! q10 and three bijections 1 2 s1 t1 , 1 2 l1 t1 and 1 2 d1 t1 .

:

1

1

1

2

:

[ ℄

:

[ ℄

2 2

1

2

[ ℄

[ ℄

[ ℄

D EFINITION 7.11 (HDS- BISIMULATION ) Let A1 and A2 be two HDS-automata. A HDS-simulation for A1 and A2 is a set of triples R fhq1 ; Æ; q2i j q1 2 Q1; q2 2 Q2; Æ N ! Ng such that, whenever hq1 ; Æ; q2 i 2 R then:

:

:

[ ℄

for each transition t1 q1 ! q10 in A1 and bijections 1 2 s1 t1 , 1 2 l l1 t1 and 1 2 d1 t1 , there exist some transition t2 q2 ! q20 in A2 and bijections 2 2 s2 t2 , 2 2 l2 t2 and 2 2 d2 t2 , such that 1 Æ 2 1

1 2 1 1 Æ 0 2 1 and hq10 Æ 0 ; q20 i 2 R. l

[ ℄ [ ℄ : () [ ℄ [ ℄ [ ℄ ;; = ; = ; ; A HDS-bisimulation for A1 and A2 is a set of triples R such that R is a HD-simulation for A1 and A2 and R 1 = fhq2 ; Æ 1 ; q1 i j hq1 ; Æ; q2 i 2 Rg is a HD-simulations for A2 and A1 . 3

It is worth remind that, according to Definition 7.2, all the permutations in the symmetry of reflected in the bijections that form the embedding s1 [t1 ℄.

q1

are

118


A HDS-bisimulation for A is a HDS-bisimulation for A and A. The HDS-automata A1 and A2 are HDS-bisimilar (written A1 A2 ) if there exists some HDS-bisimulation for A1 and A2 such that hq01 ; Æ; q02 i 2 R for Æ 01 021 .

= ;

R is a HDS-bisimulation for A1 and A2, and a pair of transitions t1 in A1 and t2 in A2 satisfy condition () in definition above holds, then we write, with a light abuse of notation, that ht1 ; ; t2 i 2 R, where = 1 ; Æ ; 2 1 . If

7.3.1 Basic properties of HDS-bisimulation In this section we present some basic properties of HDS-bisimulations. First of all, similarly to HD-bisimulations (Section 6.2.1), also HDS-bisimulations are closes w.r.t. union and concatenation. P ROPOSITION 7.12 SLet fRi j i 2 I g be a (finite or infinite) set of HDS-bisimulations for A1 and A2 . Then i2I Ri is a HDS-bisimulation for A1 and A2 . If R is a HDS-bisimulation for A1 and A2 and S is a HDS-bisimulations for A2 and A3 then R _ S is a HDS-bisimulation for A1 and A3 , where:

R _ S def = fhq1 ; (Æ; Æ0); q3 i j hq1 ; Æ; q2i 2 R; hq2; Æ0; q3 i 2 Sg:

As a consequence, greatest HDS-bisimulations exist: we denote with RA1 ;A2 the greatest HD-bisimulation for A1 and A2 , and with RA the greatest HD-bisimulation for A. Moreover, relation is an equivalence on HDS-automata. In the case of HDS-bisimulation, operator b has no meaning: the name correspondence in a triple of a HDS-bisimulation is a total bijection, and it is not possible to extend it to new pairs of names. In the case of HDS-bisimulations, however, a new operator can be defined, that closes a bisimulation w.r.t. all the symmetries that are present in the states of the HDS-automata. P ROPOSITION 7.13 If R is a HDS-bisimulation for bisimulation for A1 and A2 , where:

A1 and A2 then Re is a HDS-

Re def = fhq1; Æ0; q2i j hq1; Æ; q2 i 2 R; Æ0 = 1 ; Æ; 2 and 1 2 Q1[q1 ℄; 2 2 Q2[q2 ℄g:

e is a HDS-simulation whenever R is a HDS-simulation. We prove that R 0 e , hq1 ; Æ; q2 i 2 R with e . Then, by definition of R Assume hq1 ; Æ ; q2 i 2 R

P ROOF.

Æ 0 = 1 ; Æ ; 2

(7.1)

2 Q1[q1℄ and 2 2 Q2[q2℄. Let t1 : q1 ! q10 and 01 2 s1 [t1 ℄, 1 2 o1 [t1 ℄, 1 2 d1 [t1 ℄. for some 1

l

Now, let

1 def = 01 ; 1:

(7.2)


119

Then, according to definition of embedding on symmetries, 1

2 s1[t1 ℄.

Since hq1 ; Æ; q2 i 2 R and R is a HDS-bisimulation, then there exist t2

2 2 o2 t2 , 2 2 d2 t2 such that

[ ℄ [ ℄ 1 ; Æ; 2 1 = 1 ; 2 1 = 1 ; Æ00 ; 2 1

l 0 : q2 ! q2 and 2 2 s2 [t2 ℄,

and hq10 ; Æ 00 ; q20 i 2 R. Moreover, let

02 def = 2 ; 2 :

(7.3)

Then, exploiting (7.2), (7.1) and (7.3) to 1

01 ; Æ0 ; 02 1 = 1 ; 2 1 :

; Æ; 2 1 = 1 ; 2 1 we obtain

e , so hq 0 ; Æ 00 ; q 0 i 2 R implies hq 0 ; Æ 00 ; q 0 i 2 R e . This proves that t2 is a good Moreover, R R 1 2 1 2 e matching transition for t1 also for relation R. e is a HDS-simulation whenever R is a HDS-simulation. To prove This concludes the proof that R e that R1 is a HDS-bisimulation whenever R is a HDS-bisimulation it is sufficient to notice that Re Rg1. 2

=

7.3.2 Global states and global bisimulation Now we define global bisimulation on HDS-automata; the intuition is similar to the one applied in Section 6.2.2 for HD-automata: we enrich states and transitions with a mapping from their local names into the global names. D EFINITION 7.14 ( GLOBAL STATES AND GLOBAL TRANSITIONS) A global state of a HDS-automaton A is a pair g q; , where q 2 Q and N ! N . The set of all the global states of A is denoted by G. t; , where t 2 T and N ! N . The set of all the A global transition is a pair u global transitions of A is denoted by U .

=( )

:

=( )

:

(l;) l :q ! q 0 then we write (t; ) : (q; ) ! (q 0 ; 0 ), where = 1 ; , = 1 ; and 0 = 1 ; for some 2 s[t℄, 2 o[t℄ and 2 d[t℄.

If t

We remark that this definition is different in many aspects from the definition of global states and global transitions on Basic HD-automata (Definition 6.15 on page 69). First of all, global states and global transitions are not named sets with symmetries: it is meaningless to define symmetries on global names, since this is contrary to the intuition that global names, differently from local names, have a precise identity. Global states and global transitions can be seen better as a convenient notation: this interpretation is enforced by the fact that different repositories, labels and targets can be assigned to the same global transi-

( )

( ):(

) (l; ) (

)

( ):(

) (l; ) (

)

tion t; : in fact, it holds that t; q; 1 ! q 0 ; 10 and t; q; 2 ! q 0 ; 20 whenever 1 and 2 differ for a permutation in the symmetry of q (and similarly for the labels and the targets). Now we give the definition of global bisimulation on HDS-automata. 1

2

120


D EFINITION 7.15 ( GLOBAL BISIMULATION) Let A1 and A2 be two HDS-automata. A global simulation for A1 and R G1 G2 such that whenever g1 R g2 then: for all u1 g10 R g20 .

A2 is a relation

k : g1 k! g10 in U1 with there exist some u2 : g2 ! g20 such that

A global bisimulation for A1 and A2 is a relation R G1 G2 such that R is a global simulation for A1 and A2 and R 1 is a global simulation for A2 and A1 . The HDS-automata A1 and A2 are global-bisimilar iff there exists some global bisimulation for A1 and A2 such that q01 ; 01 R q02 ; 02 for each 01 2 f01 and 02 2 f02 .

(

) (

)

In the definition of global bisimulation for Basic HD-automata, clause “U1 [u1 ℄new \ G2 [g2 ℄ = ;” was added to guarantee the freshness for of the new names introduced in a

transition. This clause is not necessary in the case of HDS-automata, since the mechanism of infinite repositories is sufficient to guarantee the correspondence of the new names. P ROPOSITION 7.16 Two HDS-automata are HDS-bisimilar iff they are global bisimilar. P ROOF.

We show that if R is a HDS-bisimulation then

R0 def = fh(q1 ; 2 ); (q2 ; 2 )i j hq1;(1 ; 2 1 ); q2i 2 Rg is a global bisimulation, and, conversely, that it R0 is a global R def = fhq1 ;(1 ; 2 1 ); q2 i j (q1 ; 2) R0 (q2; 2 )g is a HDS-bisimulation. We proof only the first implication: the second can be recovered easily by reverting the steps of the proof. Assume that q1 ; 1 R0 q2 ; 2 . By definition of global bisimulation, we want to prove that (l;) (l;) for each t1 ; 1 q1 ; 1 ! q10 ; 10 there is some t2 ; 2 q2 ; 2 ! q20 ; 20 such that q10 ; 10 R0 q20 ; 20 . l By definition of global transitions this corresponds to prove that for each t1 q1 ! q10 , 1 2 l q20 , 2 2 s2 t2 , 2 2 d2 t2 , 2 2 o2 t2 s1 t1 , 1 2 d1 t1 , 1 2 o1 t1 there exist t2 q2 ! such that

(

( ):( ) ( )

(

[ ℄

[ ℄

)

( )

) (

)

[ ℄

(

:

):(

)

[ ℄

1 1 ; 1 ; 1 = = 2 1 ; 2 ; 2 and (q10 ; 10 ) R0 (q20 ; 20 ) with 10 = 1 1 ; 1 ; 1 and 20 = 2 1 ; 2 ; 2 :

(

:

)

[ ℄

[ ℄

(7.4)

(7.5)

Now, (7.4) and (7.5) are equivalent to require that

1 ; Æ ; 2 1 = 1 ; 2 1 = 1 ; Æ 0 ; 2 1 def def for Æ = 1 ; 2 1 and Æ 0 = 10 ; 20 1 .

That is, it is equivalent to require that transitions

R.

t1 and t2 match according to HDS-bisimulation

2


121

7.3.3 Relating -calculus bisimulation and HDS-bisimulation Now we show that two -calculus agents are bisimilar, according to the early and late semantics, if and only if the corresponding HDS-automata are bisimilar. T HEOREM 7.17 Let A1 and A2 be the HDS-automata that correspond to -calculus agents p1 and p2 , according the early semantics. Then p1 e p2 iff A1 A2 . l Let Al 1 and A2 be the HDS-automata that correspond to -calculus agents p1 and p2 , l according the late semantics. Then p1 l p2 iff Al 1 A2 . P ROOF. We only prove one case of the “if” implication for the early semantics. The other cases are similar. We show that, if R is a HDS-bisimulation for A1 and A2 , then

R0 = fhp1 1; p2 2i j 1; 2 : N ! N ; hp1; (1 ; 2 1 ); p2 i 2 Rg

is a -calculus bisimulation. Assume p1 R0 p2 . Then hq1 ; 1 2 1 ; q2 i 2 Rg and p1 q1 1 , p2 q2 2 . Assume q1 ! q10 with \ q1 jq2 ;. Then we want to prove that 0 0 0 q1 R q2 . xy We only consider the input transition; so q1 ! q10 . We distinguish five cases:

( ; ) bn( ) fn(

1. 2. 3. 4. 5.

=

)=

=

! q20 and

q2

x 6= y, y 2 fn(q1 ) and y 2 fn(q2 ); x 6= y, y 2 fn(q1 ) and y 62 fn(q2 ); x 6= y, y 62 fn(q1 ) and y 2 fn(q2 ); x 6= y, y 62 fn(q1 ) and y 62 fn(q2 );

x = y (hence y 2 fn(q1 ) and y 2 fn(q2 )).

We consider case 1: the other cases are similar. xy ab Since 1 is a bijection on N , q1 ! q10 implies p1 ! p01 with x

= 1(a), y = 1 (b) and

q10 = p01 1 :

(7.6)

fn( )

:

Clearly, b 2 p1 , so p1 ab! p01 is a representative transition. By Definition 7.7, t1 p1 is a transition of A1 , where p01 p001 ; 100 . Let us fix any 1 2 s1 t1 , 1 2 o1 t1 and 1 2 d1 t1 . in Then there are some t2 p2 ! p002 , 2 2 s2 t2 , 2 2 o2 t2 , and 2 2 d2 t2 , such that

[ ℄ :

norm( ) = ( [ ℄

)

[ ℄ 1 ;(1 ; 2 1 ); 2 1 = 1 ; 2 1 = 1 ; Æ0 ; 2 1

[ ℄

[ ℄

[ ℄

(7.7)

and hp001 ; Æ 0 ; p002 i 2 R for some Æ 0 .

t2 : p2 in! p002 , there must be some representative (p002 ; 200) = norm(p02 ). Now, since

! p001

in

transition

p2

! p02 such that

d

122


Then q2

! q20 , where w = 2 ( ), z = 2(d) and

wz

q20 = p02 2 :

(7.8)

w = x. In fact, 1 (a) = nsub = 2 ( ). By applying (7.7) this implies 1 (1 (a)) = 2 (2 ( )). However, since a 2 fn(p1 ), by constriction 1 (a) = a. Similarly, 2 ( ) = . So, x = 1 (a) = 2 ( ) = w. Analogously, y = z holds. It remains to show that q10 R0 q20 . To this purpose, we show that q10 = p001 10 and q20 = p002 20 (7.9) for some 10 and 20 such that 10 ; 20 1 = Æ 0 . Then, q10 R0 q20 derives. by definition of R0 , from hp001 ; Æ0 ; p002 i 2 R. def def Let 10 = 100 1 ; 1 and 20 = Æ 0 1 ; 10 . Then, clearly, 10 ; 20 1 = Æ 0 . Now we show that

Now we show that (7.9) holds. First of all,

q10 = p01 = p001 100 11

by (7.6) since

norm(p01 ) = (p001 ; 100);

which proves the first equivalence of (7.6). For the second equivalence, we observe that

q20 = p02 2 = p002 200 12

by (7.8)

norm(p02 ) = (p002 ; 200): 1 (n)) for each n 2 fn(p00 ). 2

since

( )= (

It is hence sufficient to prove that 20 n 2 200 By definition of 10 and of 20 , this amounts to require that

1 (100 1 (Æ0 1 (n))) = 2 (200 1 (n)):

(7.10)

def = 100 1(Æ0 1(n)). Then we can rewrite (7.10) as follows: 2 1 (1 (m)) = 200 1 (Æ0 (100 (m))): This is a consequence of 1 ;(1 ; 2 1 ); 2 1 = 1 ; Æ 0 ; 2 1 , since by construction idfn(p1 ) 100 1 , and similarly for 2 and 2 . Let m

0

This completes the proof of case 1.

(7.11)

1 , 2

7.3.4 Relating HD-bisimulation and HDS-bisimulation In Section 7.2.3 we have seen a mapping from HD-automata to HDS-automata. Here we show that, according to this map, HDS-bisimilar HDS-automata are associated to, and only to, HD-bisimilar HD-automata. T HEOREM 7.18 Let A1 and A2 be two Basic HD-automata, and let B1 and B2 be the corresponding HDS-automata, according to Definition 7.10. Then A1 A2 if and only if B1 B2 .

7.4 Minimizing HDS-automata

123

7.4 Minimizing HDS-automata In this section we show that, given a HDS-automaton A, it is possible to minimize it, i.e., to define a HDS-automaton Amin that is bisimilar to A and that is “minimal” in the class of HDS-automata bisimilar to A — we define below what is the meaning of “minimal”. We begin by describing the fine structure of RA . First of all, relation RA is closed for concatenation, so it defines a partition on the states Q of A; that is, relation A is an equivalence, where

p A q

hp; Æ; qi 2 RA for some Æ. Consider two states p; q 2 Q, and let A (p; q ) be the set of correspondences that exist, according to RA , between the names of p and of q : A(p; q) = fÆ j hp; Æ; qi 2 RA g: The following proposition shows that: 1. A (q; q ) is a permutation group on N and iff

[℄

( ) ( ) ( ) ( ) ( ) P ROPOSITION 7.19 Let A be a HD-automaton. Then: 1. A (q; q ) is a permutation group on N such that Q[q ℄ A (q; q ); 2. if Æ 2 A (p; q ) then A (p; q ) = fÆ ; Æ 0 j Æ 0 2 A (q; q )g = fÆ 0 ; Æ j Æ 0 2 A (p; p)g; 3. if p A q and Æ 2 A (p; q ), then A (q; q ) = fÆ 1 ; ; Æ j 2 A (p; p)g.

Q q is a subgroup of A q; q ; that 2. A p; q can be recovered, starting from any of its elements, say Æ , by composing Æ with all the elements of A q; q ; and that 3. if two state p and q are equivalent, then A p; p are A q; q are isomorphic.

P ROOF.

( ) id ( ) ( ) ( ) ; ( ) ( ) ( ) Assume 2 Q[q ℄. Since idN 2 A (q; q ) and idN 2 Q[q ℄, then by Proposition 7.13 = ;idN ;idN 2 A (q; q). Let Æ 2 A (p; q ). By Proposition 7.12, if Æ 0 2 A (q; q ) then Æ ; Æ 0 2 A (p; q ). This proves that A (p; q ) fÆ 0 ; Æ j Æ 0 2 A (p; p)g. Conversely, assume Æ 00 2 A (p; q ). By symmetry of RA , Æ 1 2 A (q; p). Hence, by def setting Æ 0 = Æ 1 ; Æ 00 we obtain Æ 0 2 A (q; q ). Clearly, Æ 00 = Æ ; Æ 0 by Proposition 7.13. This proves that A (p; q ) fÆ 0 ; Æ j Æ 0 2 A (p; p)g. Let Æ 2 A (p; q ) (set A (p; q ) is not empty since p q ). Then Æ 1 2 A (q; p) by

1. The proof that A q; q is a permutation group is easy: clearly N 2 A q; q ; moreover, if 2 A q; q and 0 2 A q; q then 0 2 A q; q by Proposition 7.12. Finally, if 2 A q; q then 1 2 A q; q since RA is symmetric.

2.

3.

symmetry of RA .

2 A (q; q) then def = Æ; 0 ; Æ 1 2 A (p; p) by Proposition 7.12. def Conversely, if 2 A (p; p) then 0 = Æ 1 ; ; Æ 2 A (p; p). If 0

124


2 Also the transitions can be partitioned in a similar fashion. So, on the transitions we define

t A t0

ht; ; t0i 2 RA for some .

iff

This relation turns out to be an equivalence. Moreover, by defining

A(t; t0 ) = f j ht; ; t0i 2 RA g; the results of Proposition 8.17 also hold for transitions. Now we are ready to define the minimal HDS-automaton corresponding to a given HDS-automaton A. It is obtained by replacing each class of equivalent states and transitions of A with a single state or transition. The symmetries associated to them are those defined by A : these, in fact, express all the symmetries that exist between the names, not only those “declared” in HDS-automaton A. In the definition of the minimal HDS-automaton, we denote with q the equivalence classes of the states w.r.t. A ; that is, q fq0 j q A q0g. We also assume that a canonical representative is defined for any such class, and we denote with bq the canonical representative of class q ; that is, bq 2 q and whenever q A q 0 then bq bq0 . Similar notations are used for the transitions.

[℄

[℄ =

A

A

A

=

[℄

A

A

[℄

A

A

A

D EFINITION 7.20 ( MINIMAL HDS- AUTOMATON ) The minimal HDS-automaton Amin for A is defined as follows:

Lmin = L and Lmin[l℄ = L[l℄ for each l 2 Lmin; Qmin = fbq j q 2 Qg and Qmin[q℄ = A (q; q) for each q 2 Qmin; Tmin = fbt j t 2 Tg and Tmin[t℄ = A (t; t) for each t 2 Tmin; lmin(t) = l(t) for each t 2 Tmin; moreover lmin[t℄ = l[t℄; smin(t) = bs(t) for each t 2 T min; moreover smin[t℄ = j = 0; 00 for 0 2 s(t) and 00 2 A (s(t); bs(t) ) ; dmin(t) = bd(t) for each t 2 T min; moreover dmin[t℄ = j = 0; 00 for 0 2 d(t) and 00 2 A (d(t); bd(t) ) ; q0 min = bq0 and f0 min = j = 0 ; 00 for 0 2 f0 and 00 2 A (q0 ; qmin0 ) . P ROPOSITION 7.21 Let A and B be two HDS-automata. Then A B if and only if Amin and Bmin are isomorphic.

A

A

A

A

A

A

A

P ROOF. Let us consider the HDS-automaton states and transitions of A and B . Consider RA℄B . Clearly,

RA℄B = RA [ RB [ RA;B [ RB;A:

A ℄ B, obtained by taking the disjoint union of

7.5 From HDS-automata to ordinary automata

125

Since HDS-automata A and B are reachable, it is easy to show that, for each qa 2 QA there is some qb 2 QB such that Take now bqa bqa for each qa 2 QA, and bqb bqa for each qa 2 QA such that qa A℄B qb , and similarly for the transitions. Then it is immediate to prove that A ℄ B min and Amin are isomorphic. Analogously, also A ℄ B min and Bmin are isomorphic. This concludes the proof. 2 A℄B

(

)

=

A

A℄B

(

=

A

)

P ROPOSITION 7.22 Let A and be a HDS-automaton. Then A Amin. P ROOF.

The proof consists in showing that R is a HDS-bisimulation for A and Amin, where

R = fhq; Æ; bq i j Æ 2 A(q; bq )g: We omit the details of the proof, however, since the fact that A and Amin are bisimilar is shown in Chapter 9 in a categorical framework (Theorem 9.14 on page 177). 2

The obtained HDS-automaton Amin is minimal since it has the minimum number of states and of transitions among the HDS-automata that are bisimilar to A; moreover, it has the maximum set of symmetries in these states and transitions. Notice that increasing the symmetries in states and transitions is considered a step toward minimization: in fact, if larger symmetries are present, then a smaller number of transitions is sufficient to represent the same behaviors. If we collapse further states and transitions of Amin, or if we enlarge symmetries of its states and transitions, a non-equivalent HDS-automaton is obtained: this is a consequence of Proposition 7.21.

7.5 From HDS-automata to ordinary automata To have a characterization of HDS-bisimulation in terms of classical bisimulation on ordinary automata, it is sufficient to exploit global states and global transitions: in fact, global bisimulation coincides with classical bisimulation on global transitions. In this way, however, the obtained automata are infinite essentially for every HDS-automaton. In this section we want to map HDS-automata to ordinary automata, so that finite automata are obtained for finite HDS-automata. Unfortunately, we are not able to define this map in the general case: in fact, symmetries can be used to represent many different phenomena: for instance, an infinite repository can be split in two during a transition; or, conversely, two distinct repositories can be merged; or two repositories can be declared to be symmetric, i.e., the behavior of the system does not change if all the names of one repository are exchanged with all the names of the other repository; or, finally, it is possible to have infinite repositories of repositories : : : All these phenomena can be represented by means of symmetries on N , even if it may be difficult to find any practical application for them. It is difficult to encode all these different phenomena in a generic mapping from HDS-automata to ordinary automata. Hence, we have to restrict to a subclass of the HDS-automata: here we choose the class of the HDS-automata that we have used to model -calculus agents. We call them

126


HDSu -automata, from the names of the infinite repositories that compare in their states, transitions and labels. D EFINITION 7.23 (HDSu - AUTOMATA ) A HDS-automaton A is a HDSu -automaton if:

each state, transition and label of the HDS-automaton is enriched by two infinite repositories (/.)-*+, and (/.)u-*+, and by a finite set of distinct names; no symmetries exist between the distinct names;

[℄ [℄

embeddings s t , o t and (/.)u-*+, into repository (/.)u-*+, ;

[℄

embeddings o t and repository (/.)u-*+,;

d[t℄ map repository (/.)-*+, into repository (/.)-*+, and repository

d[t℄ map a distinct name of t either in a distinct name or into

[℄

if embedding s t maps a distinct name n of t into repositories (/.)-*+, or (/.)u-*+,, then embedding l t maps n into a distinct name of the label (observation condition).

[℄

For HDSu -automata we use the following notations:

Q[q℄dist denotes the distinct names of state q; T[t℄dist and L[l℄dist are defined similarly; s[t℄dist : T[t℄dist * Q[q℄dist embeds the distinct names of q into the distinct names l of t : q ! q 0 according to s[t℄; embeddings d[t℄dist : T[t℄dist * Q[q 0 ℄dist and o[t℄dist : T[t℄dist * L[l℄dist are defined similarly.

[℄

Notice that embedding s t can map a distinct name of t into a distinct name, or into repository (/.)u-*+, , or also into repository (/.)-*+, of the source state. Embeddings l t and d t , instead, cannot map distinct names of t into repository (/.)-*+,. Notice also that we impose the observation condition to HDSu -automata: all the fresh names introduced in a transition have to appear explicitly in the label. Clearly, all the HDS-automata that correspond to -calculus agents are HDSu -automata. Also the HDS-automata obtained from Basic HD-automata fall in this class: in this case, (/.)-*+, and (/.)u-*+, correspond to repositories (/.)-*+, and (/.)!-*+, respectively.

[℄

[℄

Now we show that it is possible to distinguish, among the distinct names of a HDSu automaton, the active and the inactive names. This is similar to what we have done in Section 6.3.1 for basic HD-automata; in that case, a name is inactive if it can be removed from the HD-automaton without affecting its behavior. In the case of the HDSu -automata, the intuition is the same: a name is inactive if it can be forgotten without affecting the behavior. In this case, however, the fact that a name is forgotten is modeled by embedding it into the infinite repository (/.)u-*+,, rather than by removing; in fact, we have seen that in the HDSu -automata repository (/.)u-*+, plays the role of the drain for unused names. D EFINITION 7.24 ( ACTIVE NAMES ) Let A be a HDSu -automaton and q a state of A. Distinct name n in state q is inactive if it can be exchanged with any name of infinite repository (/.)u-*+,, i.e., if there exists some name


127

u

u

u

u

n

u

u

u

u

u

u

u

Figure 7.5: Active names of HDSu -automata.

m 2 (/.)u-*+, such that hq; Æ(n;m) ; q i 2 RA , where 8 > : x

= =

if x n if x m otherwise

A name is active if it is not inactive. The active names of a state q of A are denoted by

Q[q ℄a tive .

Notice that the alternative characterizations of active names given in Proposition 6.21 for Basic HD-automata do not hold in the case of HDSu -automata: it is not possible to characterize the active names as the names that appear in the labels. This is clear from Figure 7.5: the only distinct name n in the initial state is inactive, since it can be exchanged with any name of repository (/.)u-*+, without modifying the behavior. However, if we remove the lower transition with label , name n becomes active, since action can now be executed only if a name different from n is observed in action . So, the fact that n is active or not depends on the presence of a transition , where no names appear in the label. The inactive names of a state could be merged into repository (/.)u-*+,. In doing so, however, some of the transitions that leave the state must be removed: these are the transitions

128


that use in the label a distinct name the disappears from the source state. Let us consider the HDNu -automaton of Figure 7.5; we have seen that name n is inactive in the initial state. If we merge it into repository (/.)u-*+,, then we have to remove the lower transition, that observes name n in the label. This transition is absorbed by the upper one, where the observed name is picked up from repository (/.)u-*+, . According to the following definition, a transition is active if all the distinct names of the source state that are observen in the label are active. D EFINITION 7.25 ( ACTIVE TRANSITIONS ) l A transition t q ! q 0 of a HDSu -automaton A is active if for all n 2 L l dist

s[t℄dist

: o[t℄dist1 (n) 2 Q[q ℄dist

implies

s[t℄dist

[℄ o[t℄dist1 (n) 2 Q[q ℄a tive :

We denote with Ta tive the active transitions of A. l If t q ! q 0 2 Ta tive is an active transition of A, then the active names of t are defined as follows:

:

1 (L[l℄dist ): T[t℄a tive = s[t℄dist1 (Q[q ℄a tive ) [ o[t℄a tive Similarly to what we did in Section 6.3.2 for basic HD-automata, now we define irredundant HDSu -automata: these are obtained by discarding the inactive transitions and by merging the inactive names of states and transitions into the infinite repository (/.)u-*+,. D EFINITION 7.26 ( IRREDUNDANT HDSu - AUTOMATA ) Let A be a HDSu -automaton. The irredundant version of Airr such that:

A is the HDSu-automaton

Lirr = L; Qirr = Q and, for each q 2 Q, Qirr[q℄ = fjn 2 Q[q℄a tive ; (/.)-*+,; (/.)u-*+,jg; in particular,

q0irr = q0 ; Tirr = Ta tive and, for each t 2 T , Tirr[t℄ = fjn 2 T[t℄a tive ; (/.)-*+,; (/.)u-*+,jg; sirr, dirr and lirr are the opportune restrictions of the corresponding named functions with symmetries in A.

An HDSu -automaton A is irredundant if A

= Airr.

P ROPOSITION 7.27 Let A be a HDSu -automaton. Then A Airr. All the distinct names (and the transitions) that appear in an irredundant HDSu automaton are active. There, we can give an alternative characterization of HDS-bisimulation for them: according to this alternative characterization, if hq1 ; Æ; q2 i 2 R for some HDS-bisimulation R, then Æ defines a total correspondence between the distinct names of q1 and those of q2 . P ROPOSITION 7.28 Two irredundant HDSu -automata A1 and A2 are HDS-bisimilar if and only if there exist some set of triples R fhq1 ; Æ; q2 i j q1 2 Q1 ; q2 2 Q2 ; Æ Q1 q1 ! Q2 q2 g such that:

[ ℄

[ ℄

:


129

hq01 ; Æ0; q02 i 2 R, where Æ0 = 01 ; 021 for some 01 2 f01 and 02 2 f02; l l for each t1 : q1 ! q10 in A1 there exist some t2 : q2 ! q20 in A2 , some : T1 [t1 ℄ ! T2 [t2 ℄ , some u : T1 [t1 ℄u ! T2 [t2 ℄u , and some : T1 [t1 ℄ ! T2 [t2 ℄ such that:

= s1 [t1 ℄; Æ ; s2 [t2 ℄ 1 [ [ u, – o1 [t1 ℄ = ; o2 [t2 ℄, – hq10 ; Æ 0 ; q20 i 2 R where Æ 0 = d1 [t1 ℄ 1 ; ; d2 [t2 ℄; the converse, starting from the transitions of q2 .

–

We remark that the alternative characterization given in Proposition 7.28 for HDSbisimulation on irredundant HDSu -automata is very similar to the alternative characterization given in Proposition 6.28 on page 81 for HD-bisimulation of irredundant HDautomata. Now we define function that maps HDSu -automata to ordinary automata: also on basic HD-automata (Definition 6.29 on in this case, the similarities with function page 81) are very strong.

unf

unf

D EFINITION 7.29 ( UNFOLDING ) The unfolding corresponding to the HDSu -automaton A is the ordinary automaton Aunf defined as follows:

( )

states Qunf have the form q; , where q is a state of A and a global meaning to the distinct names of q ;

( )

: Q[q℄dist (! N gives

similarly, transitions Tunf have the form t; , where t is a state of T t dist (! N gives a global meaning to the distinct names of t;

[℄

(

)

A and :

: [℄ [℄

labels Lunf have the form l; ; ; u , where l is a label of A and L l dist ( !N gives global meaning to the distinct names of l; moreover ; u L l dist denote the two kinds of fresh names introduced by the transition;

= hq0A ; 0A i 2 QU , where 0A : Q[q℄dist (! N is so ( )= (m) = n; l whenever (q; ) 2 Qunf , t : q ! q 0 is a transition of A and = allo (t; ), then (q0; 0) 2 Qunf and (t; ) 2 Tunf , with – sunf (t; ) = (q; ), 1 ; ; – dunf (t; ) = (q 0 ; 0 ) where 0 = d[t℄dist – ounf (t; ) = (l; ; ; u), where = o[t℄dist1 ; , = n 2 L[l℄dist j s[t℄(l[t℄dist1 (n)) 2 (/.)-*+, , and u = n 2 L[l℄dist j s[t℄(l[t℄dist1 (n)) 2 (/.)u-*+, .

the initial state of U is q0unf m if f0A defined: 0A n

130


The two components (/.)-*+, and (/.)u-*+, of the labels are necessary to identify the fresh names that are introduced in a transition, and to distinguish whether they are taken from repository (/.)-*+, (i.e., they are bound-output like names) or from (/.)u-*+, (i.e., they are fresh-input like names). in the definition above plays the same role as in Definition 6.29 on Function page 81. Now we revise the properties that should hold for to guarantee that bisimu ilar ordinary automata are obtained from bisimilar HDS -automata, and that finite-state automata are obtained for finite HDSu -automata. Condition D0 guarantees that the global meanings assigned to the names in a transition respect the global meanings of the corresponding names in the source state: it is intended that any interesting implementation of function must satisfy this condition.

allo

allo

allo

D0 If

= allo (t; ) then = s[t℄dist1 ; .

Condition D1 corresponds to condition C1 of Section 6.3.3: it guarantees that bisimilar ordinary automata are obtained from bisimilar irredundant HDSu -automata. l = allo (t1 ; 1) and 2 = allo (t2; 2 ) for a pair of transitions t1 : q1 ! q10 l : q2 ! q20 such that o[t1 ℄dist1 ; s[t1 ℄dist ; 1 = o[t2 ℄dist1 ; s[t2 ℄dist ; 2

D1 If 1 and t2

then we require that

o[t1 ℄dist1 ; 1 = o[t2 ℄dist1 ; 2 :

allo

T HEOREM 7.30 Assume that function satisfies conditions D0 and D1. u Let A and B be two irredundant HDS -automata. Then A B if and only if Bunf .

Aunf

P ROOF. This proof is similar to the proof of Theorem 6.30: it exploits the following alternative characterization of HDS-bisimulation on irredundant HDSu -automata given in Proposition 7.28.

2

Condition D2 corresponds to condition C2 of Section 6.3.3: it guarantees that finite ordinary automata are obtained from finite HDSu -automata. l = allo (t; ) for some transition t : q ! q 0 , then we require that, for any name n 62 (T[t℄dist ) and for any m 2 (T[t℄dist ) n (Q[q ℄dist ), n < m.

D2 If

allo

T HEOREM 7.31 Assume that function satisfies conditions D0 and D2. Let A be a finite HDSu -automaton. Then the ordinary automaton Aunf is finite. P ROOF.

This proof is similar to the proof of Theorem 6.31.

2

7.6 Concluding remarks on HDS-automata

131

7.6 Concluding remarks on HDS-automata In this chapter we have presented HDS-automata, by allowing symmetries to be defined on the names that enrich states transitions and labels. We have seen that the symmetries give a rich expressive power to HDS-automata: their main advantages with respect to basic HD-automata are the ability to represent the early and late semantics of -calculus, and that existence of minimal realizations. Clearly, other process calculi can be mapped into HDS-automata: this is the case, for instance, of the weak versions of early and late -calculus semantics. These can be built by exploiting the weak -calculus transitions, as defined in Section 5.6. In Sangiorgi [1996a] a localities semantics is proposed for the -calculus: the approach is very similar to the one described in Section 4.2 for CCS. Sangiorgi [1996a] also shows that it is possible to “codify” the location semantics into the -calculus: there exists a fully abstract mapping from the -calculus with localities to the bare -calculus. In Boreale and Sangiorgi [1998] similar results were obtained for the -calculus with causality. The usage of names in the -calculus is, hence, general enough to represent the tree-like structure of localities and the partial order structure of the causes. However, the encodings defined in Sangiorgi [1996a] and in Boreale and Sangiorgi [1998] do not preserve finitary agents: the obtained agents are not finitary whenever the starting agents can perform infinite computations. HDS-automata can be exploited also to capture the localities and the causal semantics of -calculus. In the case of the localities semantics, for instance, it is sufficient to combine the techniques described in Section 7.2.1 and in Section 6.4. The obtained HDSautomata have four infinite repositories; two of them are the repositories (/.)-*+, and (/.)u-*+, that are necessary to deal with -calculus names; the other two repositories are used as source and drain for the localities: they play the same role of repositories (/.)-*+, and (/.)!-*+, in Section 7.2.3. It is difficult to compare the approach of [Sangiorgi 1996a] and [Boreale and Sangiorgi 1998] and the approach based on HDS-automata that we have just sketched, since they are quite different and have also different aims: so, for instance, the translations of [Sangiorgi 1996a] and [Boreale and Sangiorgi 1998] are syntactic (and hence they always terminate), while our translations generate an operational model for the agents (and hence they terminate only for certain classes of agents). Nevertheless, in our opinion the fact that the obtained HDS-automata are finite whenever the starting -calculus agents are finitary shows that HDS-automata offer more freedom in handling names than -calculus. HDS-automata are not sufficient to deal with the open and asynchronous semantics of -calculus. As we have seen in Sections 5.4 and 5.5, open and asynchronous bisimulations are very specialized versions of bisimulation, and HDS-automata do not have the features for capturing them. In the next chapter we present a different version of HD-automata, that are able to deal also with these semantics of -calculus.

Chapter 8 History Dependent Automata with Negative Transitions Basic HD-automata and HD-automata with Symmetries are not suitable for the asynchronous and the open semantics of -calculus. In this chapter we define a different family of HD-automata that can be successfully applied also to these semantics: they are the History Dependent Automata with Negative transitions, or HDN-automata in brief. In the case of the (ground) asynchronous semantics, the definition of bisimulation exhibits, besides the usual problem of generating fresh names, some very specific features. According to Definition 5.9 on page 51, given two equivalent -calculus agents p and q , x(y)

an input transition p ! p0 can be matched in q by a transition q ! q 0 , proviso that the agents p0 and q 0 jxy are equivalent. The particularities of this definition of bisimulation are evident. First of all, a transition with label x y is matched by a transition with a completely different label . Moreover, the bisimulation game restarts from agents p0 and q 0 jxy , and component xy of the second agent depends on the input transition performed by the first agent. This is a problem if we want to generate a HD-automaton for agent q : in fact, to be sure that all the agents that are reached in a bisimulation game are represented in the HD-automaton, we should consider agents q 0 jxy for all names x and y . The alternative characterization of asynchronous bisimulation given by g -bisimulation (Definition 5.11 on page 51) can seem even more particular: in fact, according to it,

()

x(y)

4

transition p ! p0 can be matched by a transition p ! p00 of agent p itself, proviso that p0 and p00 jxy are equivalent. This alternative characterization, however, has an important advantage on classical definition of asynchronous bisimulation: agent p00 jxy does not depend on the behavior of q . So, if we want to generate the HD-automaton corresponding

x(y)

to agent p, agent p00 jxy has to be considered only if p ! p0 and p ! p00 . Still, in g -bisimulation two transitions with completely different labels x y and may be matched and some manipulation on the target agent p0 is necessary to obtain agent p0 jxy and continue the bisimulation game. This problem can be avoided by introducing

4

()

x(y)

! p0 and p ! x(y) 00 p jxy . So, 4g p00 , then we say that p can perform a fictitious negative transition p negative transitions. Whenever agent p can perform two transitions

p

134

History Dependent Automata with Negative Transitions

bisimulation can be rewritten by requiring that if p R q and p y) 0 either q x(! q such that p0 R q 0 ,

x(y)

! p0 then or p x(y) p00 such that p0 R p00.

In this case, only transitions with the same label are matched, and the target states are not manipulated in the bisimulation game. If the second condition holds, then we say that transition p

! p0 is redundant, and that negative transition p x(y) p00 hides it.

x(y)

Negative transitions allows us to rewrite the very specific asynchronous bisimulation in a more general format, that can be applied also to other contexts. And in fact, negative transitions can be also applied to open bisimulation. This is not surprising, since the idea of redundant transitions has been already applied to open semantics in Pistore and Sangiorgi [1996]. According to open bisimulation (Definition 5.4 on page 46), transition

(N;)

p

(M;) 0 ! p is

matched by transition q ! q 0 if condition M is logically stronger than N , and if, under condition M , the labels and are equal and the target agents p0 and q 0 are equivalent. For instance, the two agents

p = x(y ):zy:0 + [w=z ℄x(y ):wy:0 ([w=z℄;x(y))

and

q = x(y ):zy:0 (;;x(y))

are open bisimilar: transition p ! wy:0 is matched by transition q ! zy:0, for under the condition w z the two target agents are bisimilar (in this case, they are syntactically equal).

[ =℄

([w=z℄;x(y)) ! wy:0 can be considered redundant, however, since it is covered (;;x(y))

Transition p

by transition p ! zy:0, that has a logically weaker condition. In Pistore and Sangiorgi [1996] redundant transitions are exploited to guarantee that two matching transitions have the same label: in fact, this is true once the redundant transitions have been removed. In that paper, also the other particularities of open bisimulation are addressed. First of all, a “distributed” version of open semantics is defined: according to it, open bisimulation is not an indexed relation, as it happens in the classical definition of open bisimulation; rather, the distinctions are moved into the states of the transition system. Also the problem of generating fresh names is addressed; in that paper, however, names with global identities are used, and technical difficulties arise due to the well-known problems in the choice of fresh names. In this chapter we exploit the idea of negative transitions in the context of HD-automata: we define HDN-automata by extending with negative transitions the Basic HDautomata. HDN-automata combine the capabilities of HD-automata to represent the creations of fresh names and the expressive power of negative transitions. They are able to represent the ground asynchronous semantics and the open semantics of -calculus. The problems in the generation of fresh names, that arise in Pistore and Sangiorgi [1996] due to the usage of global names, disappear here due to the features of HDN-automata.

8.1 HDN-automata

135

Structure of the chapter. In Section 8.1 we define HDN-automata, by adding negative transitions to Basic HD-automata. HDN-bisimulation is introduced in Section 8.2, and its properties are studied; an alternative, iterative characterization of HDN-bisimulation is described in Section 8.3. Sections 8.5 and 8.4 present the mappings from the ground asynchronous and from the open semantics of -calculus into HDN-automata. Some concluding remarks appear in Section 8.6.

8.1 HDN-automata Now we define History Dependent Automata with Negative transitions, or HDN-automata in brief: they extend Basic HD-automata (Definition 6.2) with a new component T, that is the named set of negative transitions. Clearly, a source state, a label, and a destination state are assigned to each negative transition. We assume, without loss of generality, that T and T are disjoint named sets (i.e., the underlying sets T and T are disjoint), and we write T ℄ T for the union of the two named sets. D EFINITION 8.1 (HDN- AUTOMATON ) A History Dependent Automaton with Negative transitions (HDN-automaton in brief) A is defined by:

a named set L of labels;

a named function o T ℄ T ! L, which associates a label to each positive and negative transition (and embeds the names of the label in the names of the transition);

an initial state q0 2 Q and an initial embedding 0 Q q0 ( ! N of the local names of q0 into the infinite, denumerable set N of global names.

a named set Q of states; a named set T of (positive) transitions; a named set T of negative transitions;

:

a pair of named functions s; d T ℄ T ! Q, which associate to each positive and negative transition the source and destination states respectively (and embed the names of the source and of the destination states in the names of the transition);

:

: [ ℄

[℄

dom( [ ℄)

[℄

=

[ ℄ j n 62

We require that T t new o t for each t 2 T , where T t new fn 2 T t s t g are the new names of a positive transition t. Similarly, we require that T t new o t for each t 2 T , where T t new T t j n 62 s t g are the new names of a negative transition t.

dom( [ ℄) [℄

dom( [ ℄)

[℄

dom( [ ℄)

[℄

s( ) = d( ) =

= fn 2

o( ) =

If t is a positive transition of a HDN-automaton such that t q , t q 0 and t l, l 0 l q. then we write t q ! q 0 . If t is a negative transition, instead, we write t q Notice that Basic HD-automata are the subclass of HDN-automata with an empty set of negative transitions.

:

:

136


l 2 Lg tau in out out2 bout Lg [l℄ nsub ; nobj nsub ; nobj n nsub ; nobj Table 8.1: The named set of labels for ground asynchronous -calculus.

8.1.1 From -calculus to HDN-automata: the asynchronous semantics To exemplify the features of HDN-automata we define now a mapping from asynchronous -calculus agents to HDN-automata. We only consider -calculus agents without matching, so that we can use the ground characterization of asynchronous bisimulation (Definition 5.11). In Section 8.5 we present a different, more efficient encoding of the asynchronous -calculus into HDN-automata. In Section 8.6 we comment on how to extend these encodings to the asynchronous -calculus with matching operator. The named set Lg of the labels for the ground asynchronous -calculus is represented and representative transitions are defined in the usual way: in Table 8.1. Function we refer to Section 7.2.1 for the exact definitions. As we have discussed in the introduction of this chapter, in the case of the asyn-

norm

chronous -calculus a negative transition q q 0 , q ! q 00 and q 000 q 00 jxy .

=

x(y)

q 000 is taken into account whenever q

x(y)

!

D EFINITION 8.2 ( FROM ASYNCHRONOUS - CALCULUS TO HDN- AUTOMATA ) The HDN-automaton Ag p corresponding to -calculus agent p according to the ground asynchronous semantics is the smallest HDN-automaton that satisfies the following rules: follows:

if

norm(p) = (p0; 0) then: – p0 2 Q is the initial state and Q[p0 ℄ = fn(p0 );

0 is the initial embedding; if q 2 Q, q ! q 0 is a representative transition and norm(q 0 ) = (q 00 ; ), then: – q 00 2 Q and Q[q 00 ℄ = fn(q 00 ); – there is some t 2 T such that T[t℄ = fn(q ) [ bn(); moreover – s(t) = q , d(t) = q 00 , s[t℄ = idfn(q) and d[t℄ = ; – o(t) = l and o[t℄ = are related to as defined in Table 8.2; x(y) if q 2 Q, q ! q 0 and q ! q 00 are representative transitions and norm(q 00 jxy ) = (q000 ; ), then: – q 000 2 Q and Q[q 000 ℄ = fn(q 000 ); – there is some t 2 T such that T[t℄ = fn(q ) [ fy g; moreover – s(t) = q , d(t) = q 000 , s[t℄ = idfn(q) and d[t℄ = ; –

8.2 Bisimulation on HDN-automata

137

x(y ) xy xx x(y ) l 2 Lg tau in out out2 bout 2 = (3) 2 n() x y x y x x y g 3 = (2) 2 L [l℄ nsub nobj nsub nobj n nsub nobj Table 8.2: Relations between ground -calculus labels and labels of HDN-automata. –

o(t) = l and o[t℄ = are related to = x(y ) as defined in Table 8.2.

Also for this mapping, whenever agent

p is finitary, the obtained HDN-automaton

Agp is finite. However, as we will see in more detail in Section 8.5, in the case of asynchronous -calculus, the finitary agents essentially coincide with the agents that cannot perform infinite computations. This is due to the asynchronous nature of the output particles, that, when activated, are simply put in parallel with the rest of the agent, and hence participate to the degree of parallelism of the system. So, for instance, if we consider the finite-control agents, the requirement that no parallel composition appears in the recursive definitions implies that no output particles can appear in the recursive definitions. This is clearly a too strong requirement; in Section 8.5 we present an alternative mapping of the asynchronous -calculus into HDN-automata that addresses, at least in part, this problem.

8.2 Bisimulation on HDN-automata In this section we define bisimulation on HDN-automata and study their properties. HDNbisimulation is a refinement of HD-bisimulation that deals with the negative transitions. As in the case of HD-bisimulation, a HDN-bisimulation is a set of triples hq1 ; Æ; q2 i, where q1 and q2 are states of the HDN-automaton and Æ Q q1 (* Q q2 is a partial correspondence between their names. l Whenever state q1 performs a transition t1 q1 ! q10 , one of the following alternatives must hold:

: [ ℄

[ ℄

:

either transition t1 is redundant, i.e., there is some negative transition t01 of q1 that matches t1 ; or there is some positive transition t2

: q1

l

q10

l : q2 ! q20 of q2 that matches t1 ;

in both cases, two matching transitions are defined as for HD-bisimulation in Section 6.2. D EFINITION 8.3 ( REDUNDANT TRANSITIONS) Let A be a HDN-automaton and let R fhq1 ; Æ; q2 i

j q1 2 Q; q2 2 Q; Æ : Q[q1℄ (* l q 0 is Q[q2 ℄g be a symmetric set of triples on a HDN-automaton A. Transition t : q ! l redundant for R, written t : q ! q 0 2 red[R℄, if there exist some negative transition t0 : q l q 00 , some : T[t℄new ! T[t0 ℄new , and some : T[t℄ (* T[t0 ℄ such that: = s[t℄; s[t0 ℄ 1 [ ,

138


o[t℄ = ; o[t0℄, hq0; Æ0; q00i 2 R for some Æ0 d[t℄ 1 ; ; d[t0℄. l If transition q ! q 0 is not redundant for R, then we say that it is irredundant for R and l we write q ! q 0 62 red[R℄. D EFINITION 8.4 (HDN- BISIMULATION ) Let A be a HDN-automaton. A HDN-bisimulation for A is a symmetric set of triples R fhq1; Æ; q2 i j q1 2 Q; q2 2 Q; Æ Q q1 (* Q q2 g such that, whenever hq1; Æ; q2 i 2 R then:

: [ ℄

[ ℄

l l : q1 ! q10 62 red[R℄ there exist some t2 : q2 ! : T[t1 ℄new ! T[t2 ℄new , and some : T[t1 ℄ (* T[t2 ℄ such that: = s[t1 ℄; Æ; s[t2 ℄ 1 [ , o[t1℄ = ; o[t2℄, hq10 ; Æ0; q20 i 2 R for some Æ0 d[t1 ℄ 1; ; d[t2℄.

for each t1

q20 , some

The definition of bisimulation that we have given for HDN-automata differs from the bisimulations for Basic HD-automata and for HDS-automata that we have given in the previous chapters, since it takes into account a single HDN-automaton, rather than two of them. This is necessary, since the identification of the redundant transitions requires that states of the same HDS-automaton are checked for bisimilarity. Now we are going to define when two HDN-automata are bisimilar. D EFINITION 8.5 (HDN- BISIMILARITY) Let A1 and A2 be two HDN-automata. Then we denote with A1 ℄ A2 the automaton obtained by taking the disjoint union of A1 and A2 , and whose initial state coincides with the initial state of A1 .1 Then HDN-automata A1 and A2 are HDN-bisimilar (written A1 A2 ) if there exists some HD-bisimulation for A1 ℄ A2 such that hq01 ; Æ; q02 i 2 R for some Æ 01 021 .

;

Notice that, according to Definition 8.4, it is possible to match an irredundant transition t1 of q1 with a redundant transition t2 of q2 . In Section 8.3 we will discuss the reasons of this asymmetry in the definition of HDN-bisimulation. Clearly, in the case of HDN-automata with empty sets of negative transitions, no transition can be redundant, so HDN-bisimulation coincides with HD-bisimulation. Therefore, HDN-automata are a conservative extension of Basic HD-automata. P ROPOSITION 8.6 Let fRi j i 2 I g be a (finite or infinite) set of HDN-bisimulations S for A. Then also i2I Ri is a HDN-bisimulation for A. b is a HDN-bisimulation for A, where: If R is a HDN-bisimulation for A and then R

Rb def = fhq1; Æ0; q2i j hq1; Æ; q2 i 2 R; Æ Æ0 g:

Clearly, it is not important which state is chosen as the initial state of A1 ℄ A2 ; here we have chosen to use q01 only to define univocally HDN-automaton A1 ℄ A2 . 1

8.2 Bisimulation on HDN-automata

139

b ; then hq1 ; Æ ; q2 i 2 R for some Æ Æ . Suppose hq1 ; Æ; q2 i 2 R l Rb we can find a matching transition We have to show that for each t1 q1 ! q10 62 l 0 l 0 t2 q2 ! q2 . We notice that, since clearly R Rb , then t1 q1 ! q1 62 R. 2 Then the proof proceed as for Proposition 6.13.

P ROOF.

:

:

red[ ℄ :

red[ ℄

According to this proposition, the union of HDN-bisimulations is still a HDN-bisimulation. So we can define the greatest HDN-bisimulation RA for a HDN-automaton A as the union of all the HDN-bisimulation for A. Also, whenever two states of a HDN-automaton are equivalent via some partial correspondence Æ of their names, they are also equivalent for all the correspondences Æ 0 obtained by extending Æ to new pairs of names. We have already presented similar closure properties for HD-bisimulation in Section 6.2.1. There we have shown that RA is closed also for concatenation and, as a consequence, that HD-bisimilarity is an equivalence on Basic HD-automata. Unfortunately, this property does not hold for HDN-automata. We will investigate deeper on this problem in Section 8.3.

8.2.1 Relating asynchronous bisimulation and HDN-bisimulation The following theorem shows that HDN-bisimulation captures exactly ground asynchronous bisimulation. T HEOREM 8.7 Let p1 and p2 be two asynchronous -calculus agents without matching g operator. Then p1 g p2 iff Ag p1 Ap2 . P ROOF. To prove this theorem it is very useful to define global states and global transitions on HDN-automata. In this case, we have both positive and negative global transitions. The named set of global state and the named set of (positive) global transitions of a HDNautomaton A are defined as in Definition 6.15; negative global transitions are defined like the positive ones, taking of course t 2 T rather than t 2 T . Positive global transitions are repre(l;) q; ! q0 ; 0 , while negative global transitions are represented as t; sented as t; (l;) 0 0 q; q ; . k Given a relation R on global states, a global transition u g ! g 0 is redundant for R if there is k 00 some negative global transition u0 g g such that g0 R g00 . Global simulation R is defined by requiring that whenever g1 R g2 then:

( )

( ):( ) ( )

(

)

:

( ):

:

u1 : g1 k! g10 62 red[R℄ with U1 [u1 ℄new \ G2 [g2 ℄ u2 : g2 k! g20 such that g10 R g20 .

for all

= ; there exists some

Global bisimulation is defined, as usual, by requiring that both R and R 1 are global simulations. Exploiting global bisimulation, the proof of this theorem is similar to the proof of Theorem 6.19. It relies on the following correspondence results between the global transitions of Ag p and the transitions of agent p. Namely, let q; be a global state of the HDN-automaton Ag p corresponding to an asynchronous -calculus agent p. Then:

( )

140


l

q2

q1

q2

q3

00

t2 0

l

t1 q1 0

l

t2 q2 0

A

B

C

Figure 8.1: Example of non-transitivity of HDN-bisimilarity.

! q00 is a -calculus transition with bn() \ fn(q) = ;, then there is some global (l;) transition (t; ) : (q; ) ! (q 0 ; 0 ) of Ag p ; and

if q

(l;) if t; q; ! q0 ; 0 is a global transition of transition q ! q 0 0 ;

( ):( )

where in both cases q 00

(

)

Ag p , then there is some -calculus

q00 and (l; ) are related to as in Table 8.2. Moreover,

x(y)

! q00 and q ! q000 are -calculus transitions with y 62 fn(q), then there is some (l;) 0 0 negative global transition (t; ) : (q; ) (q ; ) of Ag p ; and

if q

if

(t; ) : (q; ) (l;) (q0; 0 ) is a negative global transition of Ag p , then there are some

-calculus transitions q

where in both cases q 000 jxy

x(y)

! q00 and q ! q000 .

q00 and (l; ) are related to = x(y) as in Table 8.2.

2

8.3 Iterative characterization of HDN-bisimulation HDN-bisimilarity, as it has been defined in Definition 8.4, has a serious drawback: it is not transitive. Consider in fact the very simple HDN-automata that appear in Figure 8.1, where no names are associated to states, transitions and labels. It holds that A B (since the two HDN-automata have the same positive transitions) and that B C (since the only positive transition of B is clearly redundant). It is not true, however, that A C , since C is not able to match the transition of A. This is clearly an important problem, since we are interested in defining behavioral equivalences on concurrent systems. In this section we identify a class of HDN-automata for whom HDN-bisimulation is transitive. As we will see, all the classes of HDN-automata that we define in this chapter for -calculus agents belong to this class.

8.3 Iterative characterization of HDN-bisimulation

141

In the definition of HDN-bisimulation, when a bisimulation step is performed for two states q1 and q2 , it is required that a irredundant transition of q1 is matched by a transition of q2 : we do not require, however, that this transition of q2 is irredundant. It is this asymmetry in the definition of HDN-bisimulation than produces a non-transitive bisimilarity relation; in fact, the problem with the HDN-automata of Figure 8.1 is precisely that the irredundant transition of A is matched by a redundant transition of B . We could think to modify Definition 8.4, so that irredundant transitions of q1 are l matched by irredundant transitions of q2 , i.e., we could require that for each t1 q1 ! l q10 62 R there exist some t2 q2 ! q20 62 R such that the opportune name cor respondences hold. We call HDN -bisimulation this modified version of HDN-bisimulation. HDN -bisimulation is strictly stronger than the original HDN-bisimulation: in fact HDN-automata A and B of Figure 8.1 are equivalent according to the latter, but not according to the former. The modified version could seem preferable, since it solves the problem of transitivity of HDN-bisimilarity. Unfortunately, HDN -bisimulation has problems that are even more serious than those of HDN-bisimulation: the union of HDN -bisimulations is not necessary a HDN -bisimulation and, as a consequence, it is not possible to define the greatest HDN -bisimulation. In fact, let us consider HDN-automata A and B of Figure 8.1, and let R fhq1; ;; q2i; hq10 ; ;; q20 ig and S fhq20 ; ;; q200ig. Then R is a HDNbisimulation, since transition t2 q2 ! q20 is irredundant with respect to R. Also S is a HDN -bisimulation, since it relates two states that cannot perform any transition. However, R [ S is not a HDN -bisimulation: transition t2 is redundant for R [ S and cannot be used to match transition t1 . Hence, both HDN-bisimulation and HDN -bisimulation have advantages and drawbacks. Now we show that the advantages of the two approaches can coexist for a subclass of HDN-automata.

red[ ℄

:

=

:

red[ ℄

=

:

8.3.1 Redundancy-consistent HDN-automata As we have seen in Section 3.1.1, bisimulations can be characterized as the pre-fixedpoints of a monotone functor on relations. This is also the case for HD-bisimulations. In the following definition we introduce two functors that correspond to HDN- and HDN bisimulations.

D EFINITION 8.8 ( FUNCTOR A ) Let A be a HDN-automaton. Functor A (respectively A ) on symmetric set of triples R is defined as follows: hq1 ; Æ; q2 i 2 A R (respectively hq1 ; Æ; q2 i 2 A R ) if and only if:

( )

( )

l l : q1 ! q10 62 red[R℄ there exist some t2 : q2 ! q20 (respectively some l ! q20 62 red[R℄), some : T1 [t1 ℄new ! T2 [t2 ℄new , and some : T1 [t1 ℄ (*

for each t1

t2 : q2 T2 [t2 ℄ such that:

142

History Dependent Automata with Negative Transitions = s1 [t1 ℄; Æ ; s2 [t2 ℄ 1 [ , – o1 [t1 ℄ = ; o2 [t2 ℄, – hq10 ; Æ 0 ; q20 i 2 R for some Æ 0 d1 [t1 ℄ 1 ; ; d2 [t2 ℄;

–

the converse, starting with the irredundant transitions of q2 .

Clearly, HDN-bisimulations on HDN-automaton A are pre-fixed-points of functor A , i.e., symmetric sets of triples R such that R A R . Similarly, HDN -bisimulations of A are pre-fixed-points of functor A .

( )

P ROPOSITION 8.9 Functor A is monotone. Moreover, if HDN-automaton A is finitebranching, then functor A is continuous.

P ROOF. The proof that A is monotone is easy. Now we prove that A is continuous, i.e., that if fRi gi2! is a decreasing chain of triples the \ R \ A i i i A Ri . Inclusion A \i Ri \i A Ri is a consequence of monotonicity. Now we prove the converse inclusion. Assume hq1 ; Æ; q2 i 2 A Ri for all i 2 ! . We should prove that hq1 ; Æ; q2 i 2 A \i Ri . l \iRi . Now we show that there is some i0 2 ! such that t1 62 Ri0 . Let t1 q1 ! q10 62 l 0 In fact, by contradiction, assume that a covering negative transition t1i q1 q1i can be found for each i 2 ! . Since HDN-automaton A is finite-branching, there is a finite number of negative l 00 q1 such that tqi t01 for an infinite transitions with source q1 . So, there must be some t01 q1 0 sequence of indexes i 2 ! . Therefore t1 is covered by t1 for an infinite sequence of Ri . Since i0 i implies Ri Ri , if t01 covers t1 for Ri , it also does for each Ri , with i0 < i. So, t01 covers t1 for all Ri , hence also for \i Ri , i.e., t1 is redundant for \iRi , which is absurd. Ri0 . But then t1 62 Ri for all i i0 . So, there is some i0 2 ! such that t1 62 As a consequence, for each i i0 there is a matching transition t2i . By reasoning as above for the negative transitions, since A is finite-branching, there must be a t2 equivalent to t1 for all i 2 ! . Hence t2 is equivalent to t1 also for \i Ri . 2

= ( )

( ) ( ) red[ ℄

:

(

:

:

) red[ ℄

=

0

0

red[ ℄

red[ ℄

An important consequence of this proposition in that the greatest HDN-bisimulation on A exists and can be obtained by iterating functor A starting from the universal relation.

C OROLLARY 8.10 Let follows:

A be a HDN-automaton, and let chain fRA g be defined as

R0A = hp; Æ; qi j p; q 2 Q and Æ : Q[p℄ (* Q[q℄ ; RA+1 = (RA ); \ RA = RA for a limit ordinal :

=

History Dependent Automata - CiteSeerX

History Dependent Automata - CiteSeerX

Suggest Documents

Automata for Context-Dependent Connectors

Formalizing Automata Theory I: Finite Automata - CiteSeerX

Cellular Automata Machines - CiteSeerX

Generalized Directable Automata - CiteSeerX

Geographic Automata Systems - CiteSeerX

Cellular Automata Machines - CiteSeerX

O Automata - CiteSeerX

Generalized Directable Automata - CiteSeerX

Universality and Cellular Automata - CiteSeerX

Cellular Automata modelling paradigm - CiteSeerX

Universality and Cellular Automata - CiteSeerX

Implementing Realistic Asynchronous Automata - CiteSeerX

Quantum-dot Cellular Automata - CiteSeerX

A History-Dependent Access Control Mechanism Using ... - CiteSeerX

Dependent Interviewing and Seam Effects in Work History ... - CiteSeerX

Automata-Based Programming and Automata

History-dependent friction and slow slip from time-dependent

A Brief History of Cellular Automata - School of Mathematical ...

pdf-10112\fidelios-automata-an-adventure-in-alternate-history-the ...

computer-aided design of mechanical automata ... - CiteSeerX

Cellular Automata: Algorithms and Applications - CiteSeerX

Distributed Simulation with Cellular Automata - CiteSeerX

AUTOMATA WITH NESTED PEBBLES CAPTURE FIRST ... - CiteSeerX

Stochastic Automata-based Estimators for Adaptively ... - CiteSeerX