it is fair to say that ccp provides a unified framework for system analysis. In ccp, however ... systems featuring both probabilistic and non-deterministic behavior.
Non-determinism and Probabilities in Timed Concurrent Constraint Programming? Jorge A. P´erez1 and Camilo Rueda2,3 1
2
Dept. of Computer Science, University of Bologna, Italy Dept. of Science and Engineering of Computing, Universidad Javeriana - Cali, Colombia 3 IRCAM, Paris, France
Abstract. A timed concurrent constraint process calculus with probabilistic and non-deterministic choices is proposed. We outline the rationale of an operational semantics for the calculus. The semantics serves two purposes: it ensures consistent interactions between both kinds of choices, and is indispensable for the definition of logic-based verification capabilities over system specifications.
Motivation. Concurrent constraint programming (ccp) [12] is a model for concurrency in which systems are described by constraints, pieces of partial information that might include explicit quantitative parameters (such as, e.g., x ≤ 42). Processes interact in a shared store; they either add new constraints or synchronize on the already available information. Notably, processes in ccp can be seen, at the same time, as computing agents and logic formulas. This not only constitutes a rather elegant approach for verification; it is fair to say that ccp provides a unified framework for system analysis. In ccp, however, we find that properly taking into account some phenomena is cumbersome. Particularly challenging is the case of uncertain behavior. In areas such as, e.g., computer music [11,10] and systems biology [4], the uncertainty underlying interactions goes way beyond what can be modeled using partial information only. Crucially, many systems featuring uncertain behavior can be described probabilistically. In fact, probability distributions provide intuitive specifications of alternative behaviors, and ease the integration of statistic and empirical data into models. We are interested in the analysis of reactive systems. As such, we restrict ourselves to the realm of timed ccp (tccp) [13]. More precisely, we aim at a tccp approach for systems featuring both probabilistic and non-deterministic behavior. Probabilistic behavior in ccp might both enhance the accuracy of specifications (since, e.g., more empirical information could be considered) and give more significance to verification (as provable properties would involve explicit quantitative information). As for non-determinism, it allows to define compositional models and to abstract away from unimportant details. Also, it is fundamental to faithfully represent the interactions of a system with its environment. Sometimes in literature non-determinism has been represented using probabilistic choices. We do not endorse such an approach: replacing non-deterministic choices with probabilistic ones entails making strong assumptions on interactions and/or conditions that are usually very hard or impossible to predict. Rather, ?
Research partially supported by the COLCIENCIAS project REACT (No. 1251-330-18902) ´ and by the INRIA Equipe Associ´ee FORCES.
2
Jorge A. P´erez and Camilo Rueda
we prefer the idea of specifying probabilistic systems within non-deterministic environments. To illustrate this, consider the analysis of security protocols as in [8]. There, the reactive system (the protocol) can be well described probabilistically, whereas the changing environment (the protocol users) is non-deterministic, as the frequency of the interactions is inherently unpredictable. Similar scenarios arise in very different areas such as interactive music improvisation [10]. Here we propose pntcc, a probabilistic, non-deterministic extension of tcc. To the best of our knowledge, pntcc is the first tccp calculus featuring both kinds of choices. The semantic treatment associated to the interaction of non-determinism and probabilities is more complex than the required by each kind of choice in isolation. pntcc is endowed with an operational semantics based on a probabilistic automaton [14]: it separates the choices made probabilistically by the process from those made non-deterministically under the influence of a scheduler. As a result, the observable behavior of a system given by the semantics —what the environment perceives from its execution— is purely probabilistic; non-determinism is regarded as unobservable. The observable behavior sets the ground for performing model checking processes. In fact, the rationale given by the language and the support provided by the semantics make it possible a natural relation between pntcc and the probabilistic logic PCTL [5]. The relation is based on the fact that the observable behavior of a process can be interpreted as the discrete time Markov chain (DTMC) defining satisfaction in PCTL. Since formulas in PCTL explicitly include a time bound and a probability, model checking for tccp process specifications with quantitative information becomes possible. This approach to process verification is what distinguishes our proposal from similar ccp calculi with explicit time (e.g. [7]), which rely on proof systems. We are not aware of other explicitly timed ccp calculi with quantitative parameters in both models and properties, and with the possibility of model-checking procedures. Moreover, since we advocate a rationale in which verification is an orthogonal concern, we can safely rely on the developed field of probabilistic model checking for this. All in all, by relying on well-established techniques from logic and concurrency theory, we provide the initial foundations for a tccp-based framework for the analysis of reactive systems. Related Work. In [3], ccp [12] and tcc [13] are extended with stochastic choices rather than with probabilistic ones. The untimed ccp language in [9] replaces non-deterministic choices with probabilistic ones; hence, the associated semantics could be seen as a particular case of ours. In [2] it is shown how to extract model checking structures directly from tcc programs. A similar approach is used in sCCP [1], a stochastic ccp language in which discrete and continuous time can be treated only implicitly. (In contrast, pntcc features explicit discrete time.) Model-checking in sCCP relies on an encoding into the input language of the PRISM model checker. Our approach for model checking has to be different —more involved— than those in [2] and [1]: because of non-determinism, we need an additional semantic support to be able to derive a DTMC, and in turn, to perform a model checking process. The language and its semantics. Here we describe the syntax and operational semantics for pntcc. We begin by introducing some notions of (timed) ccp-based calculi.
Non-determinism and Probabilities in Timed Concurrent Constraint Programming
3
A constraint system formalizes the interdependencies between constraints. It is given by a pair (Σ, ∆) where Σ is a signature of function and predicate symbols, and ∆ is a decidable theory over Σ. Given a constraint system (Σ, ∆), let L be its underlying first-order language, with variables x, y, . . ., and the set of logic symbols ¬, ∧, ∨, ⇒, ∃, ∀, true and false. The set of constraints (with elements c, d, . . . ) are formulas over L. We say that c entails d in ∆, written c |= d, iff c ⇒ d is true in all models of ∆. The relation |= is assumed to be decidable. Time is assumed to be divided into units. In a given time unit, a process P gets an input (a constraint) c from the environment, it executes with this input as the initial store and when it reaches its resting point it outputs the resulting store d to the environment. The resting point determines a residual process Q to be executed in the next time unit. Information is not automatically transferred from one time unit to another. Syntax. Processes in pntcc are built from constraints some underlying constraint system by the following syntax: P, Q ::= skip | tell(c) |
X
when ci do Pi
|
i∈I
M
when ci do (Pi , ai ) | P k Q | local x in P
i∈I
| next (P ) | unless c next (P ) | !P The upper line describes untimed ccp processes, whose action takes place during a single time unit. skip does nothing. tell(c) adds constraint c to the current store, thus making it available to other processes. In ccp, a positive ask when c do P checks if the current store is strong enough to entailP the guard c; if so, it behaves like P . In pntcc, given a finite set of indices I, process i∈I when ci do Pi generalizes positive asks as a non-deterministic choice: a process Pj (j ∈ I) whose guard cj is entailed from the current store is scheduled for execution; the chosen process precludes the others. Process P k Q describes the concurrent operation of P and Q, possibly “communicating” via the common store. Hiding on a variable x is enforced by process local x in P : it behaves like P , except that all the information on the x produced by P can only be seen by P and the information L on x produced by other processes cannot be seen by P . In the probabilistic choice i∈I when ci do (Pi , ai ), I is a finite set of indices, and for every P ai ∈ R(0,1] , i∈I ai = 1. Each ai represents the probability of scheduling process Pi for execution. The collection of all ai thus represents a probability distribution. The guards that can be entailed from the current store determine a subset of enabled processes, which are used to determine an eventual normalization of the ai s. In the current time unit, the summation probabilistically chooses one of the enabled process according to the distribution defined by the (possibly normalized) ai s. The chosen alternative, if any, precludes the others. If no choice is possible then the summation is precluded. We sometimes use “⊕” to denote binary probabilistic sums. Constructs in the lower line allow processes to have effect along the time units. next (P ) schedules P for execution in the next time unit; it is thus a one-unit delay. Process unless c next (P ) is similar: P will be activated only if c cannot be inferred from the current store. It can be seen as (weak) time-outs: it waits one time unit for a piece of information c to be present and if it is not, it triggers activity in the next time unit. The replication operator ! represents infinite behavior: !P represents P k next (P ) k next2 P k . . ., i.e. unboundedly many copies of P but one at a time.
4
Jorge A. P´erez and Camilo Rueda
Probabilistic Eventuality. By exploiting the encoding of recursion in [7], pntcc allows to define a parameterizable form of probabilistic eventuality. This operator may come in handy to express the influence the passage of time has on the eventual execution of a process. It integrates the partial information on process occurrence as probability distributions. def
S TARf (P, r) = (P, r) ⊕ (next S TARf (P, f (r)), 1 − r). We assume S TARf (P, r) is defined over a sufficiently large (yet finite) subset of the reals in (0, 1]. It depends on two parameters, r and f . The first stands for the current probability of executing P : the closer to 1 r is, the greater the probability of executing P will be. Conversely, 1−r denotes the probability of delaying P ’s execution. Function f governs the execution of P by modifying r in each recursive call. Semantics. An informal description of an operational semantics for pntcc follows. We consider configurations of the form hP, ci, where P is a process and c is a constraint representing a store. The semantics considers two transition relations: one internal —meant to be hidden to the environment—, and an observable one that serves as an “interface” between the process and its environment. Internal transitions describe activity within a time unit, considering both non-deterministic and probabilistic behavior. As in [6], the internal transitions within a time unit are defined over a probabilistic automaton [14]. Roughly, a probabilistic automaton differs from an ordinary one only in the transition relation, which allows non-deterministic choices to take place before performing the probabilistic choice that determines the state to be reached. Here, the states of the automaton correspond to configurations. Every sequence of internal transitions is influenced by a particular scheduler. The scheduler solves the non-deterministic choices within the time unit, and by doing so, confines non-deterministic choices to internal computations. We thus obtain that only probabilistic behavior can be observed along time. An observable transition defines the smallest account of observable behavior. It assumes a sequence of internal transitions leading to a state where no further compuhc,d,ai
tation is possible (quiescence). It is denoted by P ======⇒Sj R, with the following intuitive meaning: in one time unit, under the influence of scheduler Sj , configuration hP, ci can evolve to configuration hR, di with probability a. The explicit reference to the scheduler becomes relevant when one considers that what can be observed from a process execution might differ depending on the particular scheduler. Observable Behavior for Verification. We now sketch the relation between pntcc processes and the temporal logic PCTL [5]. We claim that the observable behavior of a process corresponds to the discrete time Markov chain upon which satisfaction in PCTL is defined. PCTL allows to reason about properties such as “after a request, a task will be accomplished within 5 minutes with a probability of at least 95%”. Such statements, so-called soft deadlines, explicitly define both a probability and a time bound. Unlike hard deadlines, soft deadlines are meant to characterize systems in which a failure does not imply catastrophic consequences.
Non-determinism and Probabilities in Timed Concurrent Constraint Programming
5
Formulas in PCTL are interpreted over models that are discrete time Markov chains (DTMCs). A DTMC is composed of a finite set of states, a transition probability function, and a labeling function assigning atomic propositions to states. In a DTMC each transition is considered to require one time unit. To go from the observable behavior of a process to the DTMC underlying satisfaction in PCTL, all that is required is to give structure to the derivatives that can be observed from a process execution along time. The set of such derivatives, called alternatives, gives a one-step account of all the possibilities for observable behavior. They allow to articulate the notion of observable sequences, the description of one of the possible computations possible starting in a given configuration, along the time units. The observable sequences originating in a given process represent the confinement of non-deterministic behavior to the scheduler used over internal evolutions. This rˆole of schedulers allows to interpret the observable behavior of a process as a DTMC. Indeed, given a process P , it is not difficult to think of a correspondence between states and all the possible configurations reachable from hP, truei through observable sequences. The transitions of the DTMC can be obtained from the alternatives of each derivative of P . Notice that, in this setting, an observable sequence would then correspond to a particular path of the DTMC. Finally, we can assume a labeling function that relates states with the store of the given configuration.
References 1. L. Bortolussi. Constraint-based approaches to stochastic dynamics of biological systems. PhD thesis, University of Udine, 2007. 2. M. Falaschi, A. Policriti, and A. Villanueva. Modeling concurrent systems specified in a temporal concurrent constraint language. ENTCS, 48:197–210, 2001. 3. V. Gupta, R. Jagadeesan, and V. Saraswat. Probabilistic concurrent constraint programming. In CONCUR ’97, volume 1243 of LNCS, pages 243–257. Springer-Verlag, 1997. 4. J. Guti´errez, J. A. P´erez, C. Rueda, and F. Valencia. Timed Concurrent Constraint Programming for Analysing Biological Systems. ENTCS, 171(2):117–137, 2007. 5. H. Hansson and B. Jonsson. A Logic for Reasoning about Time and Reliability. Formal Aspects of Computing, 6(5):512–535, 1994. 6. O. M. Herescu and C. Palamidessi. Probabilistic asynchronous π-calculus. In Proc. of FOSSACS 2000, volume 1784 of LNCS, pages 146–160. Springer, 2000. 7. M. Nielsen, C. Palamidessi, and F. Valencia. Temporal concurrent constraint programming: Denotation, logic and applications. Nordic Journal of Computing, 9(2):145–188, 2002. 8. C. Palamidessi. Probabilistic and nondeterministic aspects of anonymity. ENTCS, 155:33– 42, 2006. 9. A. D. Pierro and H. Wiklicky. An operational semantics for probabilistic concurrent constraint programming. In Proc. of ICCL, pages 174–183. IEEE, 1998. 10. C. Rueda, G. Assayag, and S. Dubnov. A Concurrent Constraints Factor Oracle Model for Music Improvisation. In Proc. of CLEI’06, 2006. 11. C. Rueda and F. Valencia. On validity in modelization of musical problems by ccp. Soft Computing, 8(9):641–648, 2004. 12. V. Saraswat. Concurrent Constraint Programming. The MIT Press, Cambridge, MA, 1993. 13. V. Saraswat, R. Jagadeesan, and V. Gupta. Foundations of timed concurrent constraint programming. In Proc. of LICS. IEEE, 1994. 14. R. Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, MIT, 1995.
