A verification algorithm for Declarative Concurrent Programming

HAL Id: inria-00081218

https://hal.inria.fr/inria-00081218

Submitted on 22 Jun 2006

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

A verification algorithm for Declarative Concurrent

Programming

Jean Krivine

To cite this version:

Jean Krivine. A verification algorithm for Declarative Concurrent Programming. [Research Report]

2006. �inria-00081218�

inria-00081218, version 1 - 22 Jun 2006

ISSN 0249-6399

a p p o r t

d e r e c h e r c h e

Thème ?

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

A verification algorithm for Declarative Concurrent

Programming

Jean Krivine

N° ????

June 2006

Unité de recherche INRIA Rocquencourt

Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France)

Téléphone : +33 1 39 63 55 11 — Télécopie : +33 1 39 63 53 30

Programming

Jean Krivine

Thème? 

ProjetMOSCOVA

Rapportdere her he n°???? June200615pages

Abstra t: A veri ation method for distributed systems based on de oupling forward

andba kwardbehaviourisproposed. Thismethodusesaneventstru turebasedalgorithm

that, given a CCS pro ess, onstru ts its ausal ompression relative to a hoi e of

ob-servablea tions. Verifying theoriginal pro essequipped with distributed ba ktra kingon

non-observablea tions, is equivalent toverifying itsrelative ompression whi h in general

ismu h smaller. We allthismethod De larativeCon urrentProgramming(DCP).

DCP te hnique ompares well with dire t bisimulation based methods. Ben hmarks

forthe lassi diningphilosophersproblemshowthat ausal ompressionis rathere ient

bothtime-andspa e-wise. Stateof theart veri ationtools ansu essfullyhandle more

than 15 agents, whereas they an handle no more than 5 followingthe traditional dire t

method;analtogetherspe ta ularimprovement,sin einthisexamplethespe i ationsize

isexponentialinthenumberof agents.

Con urrente Dé larative

Résumé: Nousproposons uneméthodedevéri ationpourlessystèmesdistribués basé

sur ladistin tionentre omportementavantet arrière d'unsystème transa tionnel. Cette

méthode utilise un algorithme basé sur les stru tures d'événements qui, étant donné un

pro essus CCS, onstruit son système de transition ausal relatifà unensemble d'a tions

observables. Lavéri ationdupro essus CCSd'origine,équipéd'un mé anismederetour

arrière sur les transitions non observables, revient à vérier la orre tion du système de

transitions ausalesdupro essusquiestengénéralbeau ouppluspetit. Cetteméthodeest

appeléeprogrammation on urrentedé larative(PCD).

Lesperforman esdelaPCD omparéesauxperforman esdeste hniquestraditionnelles

debisimulationdonnentdesrésultatsen ourageants. Unban d'essaiutilisantleproblème

lassique du dîner des philosophes montre que la PCD est plus e a e que la méthode

dire te,àlafoisentermedetempsetd'espa ede al ulrequis. Eneet,lesoutilsstandard

debisimulationpeuventvérierdessystèmesallantaudelàde15philosophesdansle asdela

PCD,alorsqu'ilsnepeuventgérerplusde5philosophesave unappro hedeprogrammation

dire te. Cetaméliorationdesperforman esest d'autantplusspe ta ulaire quelataille du

systèmedespé i ationdesphilosophesestexponentielledanslenombred'agents.

Mots- lés : Algèbres de pro essus, transa tions, stru tures d'événements, véri ation,

1 Introdu tion

Ba ktra king is ommonpla e in transa tional systems where dierent omponents, su h

as pro esses a essing a distributed database, need to a quire a resour e simultaneously.

Toensureun onditional orre tnessoftheoverallexe utionof thetransa tion,oneusually

providesa odethatin orporatesexpli ites apesfromthose aseswhereaglobal onsensus

annot be met. Su h an upfront method generates alarge and unstru tured state spa e,

whi h often means veri ation based on proving that the ode is bisimilar to areferen e

spe i ationbe omesunfeasible.

Basedonearlierwork,weproposehereanindire tveri ationmethod,andshowonan

examplethat it anhandle largerspe i ations. Theideaistobreakdownthedistributed

implementation of a given referen e spe i ation in two steps. First, one writes down a

ode whi h is only required to meet a weaker ondition of ausal or forward orre tness

relativetothespe i ation. This onditionisparameterisedbya hoi eofobservablea tions

orrespondingtothea tionsofthespe i ation. Se ond,theobtained odeisequippedwith

a generi form of distributed ba ktra king on non-observable a tions. A general theorem

redu esthe orre tnessofthelatterpartiallyreversible odetothe ausal orre tnessofthe

former[1℄.

Inmany transa tionalexamples,this stru tured programmingmethod works well, and

obtains odes whi h are smaller, and simpler to understand [2℄. It also seems interesting

from a orre tnessperpe tive, sin eoneneverhasto dealwith thefull statespa e, andit

isenoughto onsider themu h smallerstatespa eoftheforward ode ausal ompression

relativeto observablea tions. Thusitobtains odeswhi harealsoeasierto prove orre t.

Itisonlynaturalthentoask whetherandto whi h extentsu hindire t orre tnessproofs

anbeautomated. Thisisthequestionweaddressinthispaper.

Spe i allyweproposeanalgorithm,whi h,under ertainrathermildassumptionsabout

thesystemofinterest,will omputeits ausal ompressionrelativetoa hoi eofobservables.

Thetrue on urren ysemanti stradition of using event stru tures asanintrinsi pro ess

representation omesto theres ue here. Indeed, eventstru tures providearepresentation

of omputationtra esuptotra eequivalen e,andthereforeredu eredundan yduringthe

sear h ofthe ompression. Besideseventstru tures areuniquely suitedto thehandlingof

ausal relationships between various events triggered by a pro ess [3℄. For these reasons

our pro edure in ludes a translation of the pro ess as a re ursive ow event stru ture,

and omputes the relative ausal ompression on this intermediate representation. The

algorithmalsoreliesona ompa trepresentationofthe oni trelationbetweenevents,and

seemstoperformwellbothspa e-wise,obtainingamu hsmallerstatespa e,andtime-wise.

Ben hmarks given for the lassi al example of the dining philosophers show a signi ant

state ompression,andarelativelylow ostin urredby ompression. Dire tprogramming

generatesastatespa ethatisalreadytoobigforbeing onstru tedbybisimulationveriers

for6agents,whereasourmethod angowellbeyond15.

The languageweuse to formalize on urrentsystems is the Cal ulus of

Communi at-ing Systems (CCS) [4℄. This is a slightly moreexpressive language than basi models of

ommuni atingautomata,inthat pro esses andynami allyfork. Ontheotherhand,this

Pro esses

p, q

::=

a.p

A tion prexing

p | q

Parallel omposition

p + q

Choi e

D(˜

x) := p

Re ursivedenition

(x)p

Namerestri tion

0

Emptypro ess A tions

a

::=

x, y, . . .

Input

¯

x, ¯

y, . . .

Output

τ

Silenta tion Figure1: CCSsyntax

ommuni ationmodel in ludes no name-passing, whi h is asevere limitation in some

ap-pli ations. As is dis ussed further in the on lusion it is possible to adapt the present

development, whi h is largely independent of the hosen ommuni ationmodel, to ri her

languagessu h as

π

- al ulus.

Se tion 2startswith aqui kre allof CCS[4℄. Se tion 3developsitsreversiblevariant

RCCS, together with the entral notionof ausal orre tness, and thefundamental result

onne ting ausal orre tnessofaCCSpro essandfull orre tnessofitsliftingasapartially

reversiblepro essinRCCS[1℄. Therelative ausal ompressionalgorithm,and the

a om-panying veri ation method are explained in Se tion 4. Se tion 5 ompares this method

withthe traditionaldire t method, using thedining philosphersproblem asaben hmark.

The on lusiondis ussesrelatedworkandfurtherdire tions.

2 CCS

2.1 Syntax

CCSpro essesintera tthroughbinary ommuni ationson named hannels: anoutputon

hannel

x

is written

¯

x

, aninput on the same hannel is simply written

x

. The omplete syntaxisgiveninFig1.

Wewrite

P

forthesetofpro esses,

A

forthesetofa tions,and

A

∗

forthefreemonoid

of a tion words. Restri tion

(x)p

binds

x

in

p

and the set of free names of

p

is dened a ordingly. Inare ursivedenition

D(˜

x) := p

freenamesof

p

haveto be

x

˜

.

2.2 Operational semanti s

Alabelled transition system (LTS)isatuple

hS, s, L, →i

where

S

is alled thestatespa e,

s

theinitialstate,

L

theset oflabels,and

→ ⊆ S × L × S

thetransitionrelation. Oneuses

a.p + q →

a

p

(act)

p →

a

p

′

q →

¯

a

q

′

p | q →

τ

p

′

| q

′

(synch)

p →

a

p

′

p | q →

a

p

′

| q

(par)

p →

a

p

′

a 6∈ {x, ¯

x}

(x)p →

a

(x)p

′

(res)

p ≡ p

′

_→

a

q

′

≡ q

p →

a

q

(equiv)

Figure2: CCSlabelledtransitionsystem

the ommonnotation

s →

a

t

, andfor

m = a

1

. . . a

n

∈ A

∗

,

s →

∗

m

t

means

s →

a

1

s

1

, ...,

s

n−1

→

a

n

t

forsomestates

s

1

,...,

s

n−1

.

Theoperationalsemanti sofaCCSterm

p

isgivenbymeansofsu hanLTS

(P, p, A, →)

, written

TS(p)

,where

→

isgivenindu tivelybytherulesinFig 2. Theequivalen erelation

≡

is the lassi al stru tural ongruen efor hoi e and parallel omposition,together with there ursionunfoldingrule

D(˜

x) := p
≡ p

.

2.3 Pro ess equivalen e

Several variantsof observational equivalen efor CCSpro esseshavebeen onsidered. We

use here a variant of weak bisimulation based on the hoi e of a ountable distinguished

subset

K

ofthesetofa tions

A

,whi hwexhereon eandforall. A tionsin

K

are alled observable a tions. The omplement

A \ K

ofnon-observablea tionsisdenoted by

K

c

and

alsotakento be ountable.

Let

S

1

= (S

1

, s

1

, A, →)

and

S

2

= (S

2

, s

2

, A, →)

beLTSsbothwithlabelsin

A

,arelation

R

over

S

1

× S

2

is said to be aweak simulation between

S

1

,

S

2

, if

s

1

R s

2

and whenever

p

1

R p

2

: if

p

1

→

a

q

1

,

a ∈ K

c

,then

p

2

→

∗

m

q

2

with

m ∈ (K

c

₎

∗

,and

q

1

R q

2

; if

p

1

→

a

q

1

,

a ∈ K

,then

p

2

→

∗

m

q

2

with

m ∈ (K

c

₎

∗

_a(K

c

₎

∗

,and

q

1

R q

2

.

Theideaisthat

S

2

hastosimulatethebehaviourof

S

1

regardingobservablea tions,but isfreetouseanysequen e ofnonobservableonesin sodoing. Su harelation

R

issaidto beaweak bisimulation ifboth

R

anditsinverse

R

−1

are weaksimulations. Whenthereis

su h arelation,

S

1

and

S

2

aresaidto bebisimilar, andonewrites

S

1

∼ S

2

.

A CCS pro ess

p

is said to be a orre t implementation of a spe i ation LTS

S

, if

TS(p) ∼ S

. Whenthespe i ationis learfromthe ontext,wemaysimplysay

p

is orre t.

Onethingtokeepinmindisthatallthesedenitionsarerelativetoa hoi eof

K

. Usually,

K

istakento be

A \ {τ }

,but thismoreexibledenition willprove onvenient.

3 Reversible CCS

Weturnnowtoaqui kintuitiveintrodu tiontoRCCS.ConsiderthefollowingCCSpro ess:

(x) x | x | ¯

x.¯

x.a.p | ¯

x.¯

x.b.q

(1)

Both subpro esses

a.p

and

b.q

require two ommuni ationson

x

to exe ute, so the whole pro ess may rea h a deadlo ked state

(x) ¯

x.a.p | ¯

x.b.q

where neither

a

nor

b

may be triggered. If the intention is that the system implements the mutual ex lusion pro ess

a.p + b.q

,apossiblexisto givebothsubpro essesthepossibilitytorelease

x

:

(x) x | x | R

p

(x, a) | R

q

(x, a)

(2) with

R

p

(x, a) := ¯

x. τ.(R

p

(x, a) | x) + ¯

x.(τ.(R

p

(x, a) | x | x) + a.p)

.

This examplehelpsin realising twokeythings: rsttheoriginal ode(1) although not

orre t,is partially orre tin thesense that anysu essfula tion

a

or

b

leadstoa orre t state

p

or

q

; se ond the proposed x an be made an instan e of a generi distributed ba ktra king me hanism. The idea of RCCS is to provide su h a me hanism, in a way

thatpartial or ausal orre tness(yet tobedened formally)inCCS, anbeprovedto be

equivalenttofull orre tnessofthesamepro esson elifted toRCCS[5℄.

3.1 Syntax

RCCS forwarda tions are thesamea tionsasCCS, namely

A

. Re allthese aresplit into

K

andits omplement

K

c

. IntheRCCS ontexta tionsin

K

arealso alledirreversible,or sometimes ommit a tions (followingthe transa tion terminology); a tionsin

K

c

are also

alledreversible,sin ethesearetheonesonewantsto ba ktra k. RCCSthereforealso has

ba kwarda tions written

a

−

,with

a ∈ K

c

.

RCCSpro essesare omposed ofthreads oftheform

m ⊲ p

,where

m

isamemory,and

p

isaplainCCSpro ess:

r ::= m ⊲ p | (r | r) | (x)r

Memoriesaresta ksusedtore ordpastintera tions:

m ::=

hθ, a, pi

· m |

h|θ|i

· m |

hi

where

θ

is athread identierdrawn from a ountable set. Open memory elements

hθ, a, pi

areused forreversiblea tionsand ontainathread identier

θ

, thea tion last taken,and thealternativepro essthatwasleftoverbya hoi eifany. Closedmemoryelements

h|θ|i

are usedforirreversiblea tions,andonly ontainanidentier. Theprexrelationonmemories

isdenedas

m ⊑ m

′

ifthereisan

m

′′

su hthat

m

′′

_{· m = m}

′

.

Pro esses are onsidered up to the usual ongruen efor parallel omposition together

withthefollowingspe i rules:

m ⊲ D(˜

x) := p

≡ m ⊲ p

m ⊲ (p | q)

≡ (m ⊲ p) | (m ⊲ q)

m ⊲ (x)p

≡ (x)(m ⊲ p)

if

x 6∈ m

a ∈ K

c

_{θ 6∈ m}

m ⊲ a.p + q →

θ

a hθ, a, qi

· m ⊲ p

(act)

a ∈ K

c

hθ, a, qi

· m ⊲ p →

θ

_a

−

m ⊲ a.p + q

(act

∗

₎

a ∈ K

θ 6∈ m

m ⊲ k.p + q →

θ

k h|θ|i

· m ⊲ p

(commit)

r →

Θ

a

r

′

θ 6∈ s

r | s →

Θ

a

r

′

| s

(par)

r →

Θ

a

r

′

s →

Θ

¯

a

s

′

r | s →

Θ

τ

r

′

| s

′

(synch)

r →

Θ

a

r

′

a 6= x, ¯

x

(x)r →

Θ

a

r

′

(res)

r ≡ r

′

_→

Θ

a

s

′

≡ s

r →

Θ

a

s

(equiv)

Figure3: RCCSlabelledtransitionsystem

Any CCS pro ess

p

an be lifted to RCCS with an empty memory

ℓ(p) :=

hi

⊲ p

, and onversely,thereisanaturalforgetfulmap

ϕ

erasingmemoriesandmappingba kRCCSto CCS.Clearly

ϕ(ℓ(p)) = p

. Whenwewanttoinsist thattheliftoperationis parameterised bytheset

K

,wewrite

ℓ

K

(p)

.

3.2 Operational semanti s

Theoperationalsemanti sofRCCSisalsogivenasanLTSwithtransitionsgivenindu tively

bytherulesinFig 3. Inthe ontextualrules

Θ

standseither for

θ

or

θ

−

. Thefreshnessof

thethread identier

θ

isguaranteedbytheside onditions

θ 6∈ m

in the(a t)and( ommit) rules,and

θ 6∈ s

in the(par) rule. Theuse ofsu hidentiersmakesthepresentationgiven heresomewhat simplerthan the earlier one[1℄. Note that ba ktra kingas dened in the

operationalsemanti sis abinary ommuni ationme hanismofexa tlythesamenature as

usual forward ommuni ation. However,sin e threads are requiredto ba ktra kwith the

exa t samethread with whi h they ommuni ated earlier, ba ktra k an be shown to be

onuent,at leastforthosepro essesthatarerea hablefrom theliftingofaCCSpro ess.

The( ommit)ruleusesa losedmemoryelement

h|θ|i

· m

indi atingthattheinformation ontainedin

m

isnolongerneeded,sin ebydenition a tionsin

K

arenotba ktra kable. Supposing

r

is a pro ess where any re ursive pro ess denition is guarded by a ommit, anassumptiontowhi hwewill returnlater on,thisbounds thetotalsize ofopenmemory

elementsinanypro essrea hablefrom

r

.

3.3 The fundamental property

Thequestionisnowtoseewhetheritispossibletoobtaina hara terisationofthebehaviour

of a lifted pro ess

ℓ

K

(p)

solely in terms of

p

. Intuitively,

ℓ

K

(p)

being

p

enri hed with ame hanismfor es aping omputations not leadingto any observable a tions, one might

think that

ℓ

K

(p)

isbisimilartothetransition systemgeneratedbythose tra esof

p

whi h leadto anobservablea tion. Thisisalmosttrue.

Togivea pre ise statement, we need rst a few notations and denitions. An RCCS

transitionasdenedaboveisfullydes ribedbyatuple

t = hr, a, Θ, r

′

_i

where

r

isthesour e of

t

,

r

′

itstarget,

a

itslabeland

Θ

itsidentier. If

a ∈ K

wesaythat

t

isa ommittransition, otherwiseitisareversible transition. If

Θ = θ

(

Θ = θ

−

)wesay

t

isforward (ba kward). A tra e isasequen eof omposabletransitions,andwewrite

r →

∗

σ

s

(

p →

∗

σ

q

)whenever

σ

is anRCCS(CCS)tra ewithsour e

r

(

p

)andtarget

s

(

q

). A tra eissaidtobeforwardifit ontainsonlyforwardtransitions.

Analandkeyingredientisthenotionof ausalitybetweentransitionsinagivenforward

tra e. ForCCSthis isusuallydened usingthe so- alledproofterms[6℄,but one analso

useRCCSmemories.

Thesetofmemoriesinvolvedinaforwardtransition

t = hr, a, θ, r

′

_i

isdenedas

µ(t) :=

{m ∈ r | ∃a, q :

hθ, a, qi

.m ∈ r

′

}

; thisiseither asingleton, ifno ommuni ationhappened,or

atwoelementsset,ifsomedid.

Denition1(Causality) Let

σ : t

1

; . . . ; t

n

beaforwardRCCStra e:



t

i

and

t

j

with

i < j

,arein dire t ausalityrelation,written

t

i

<

1

t

j

ifthereis

m ∈ µ(t

i

)

,

m

′

_{∈ µ(t}

j

)

su hthat

m < m

′

;onesays that

t

i

auses

t

j

,written

t

i

< t

j

,if

t

i

<

∗

1

t

j

.



σ

issaid tobe ausaliffor alltransitions

t

i

with

i < n

,

t

i

< t

n

;itissaidtobe

k

- ausal if itis ausal, itslasttransition

t

n

is labelled with

k ∈ K

,andall pre eding transitions are labelledin

K

c

.

Oneextendsthis terminologytoCCS tra esbysayingaCCS tra e

p →

∗

σ

p

′

is ausal,ifit liftsto a ausal tra e

ℓ

K

(p) →

∗

σ

′

r

′

with

ϕ(r

′

_{) = p}

′

.

Withthenotionof ausaltra einpla e,we andenethe ausal ompressionofapro ess

p

relativeto

K

.

Denition2(Relative ausal ompression) Let

p

be a CCS pro ess, its ausal om-pressionrelativeto

K

, written

CTS

K

(p)

, is the LTS

hP, p, K, →

→i

where

→

→

k

is denedas

q →

→

k

q

′

if

q →

∗

σ

q

′

for some

k

- ausal tra e

σ

.

Wearenowready to statethetheorem that hara terizesthe behaviourof

ℓ

K

(p)

interms ofthesimplerpro ess

p

.

Theorem1(Fundamentalproperty [1℄) Let

TS

K

(p) := hR, ℓ

K

(p), A, →i

be the LTS asso iatedtothe lift

ℓ

K

(p)

,

TS

K

(p) ∼ CTS

K

(p)

.

As saidabove,it isnot truethat

TS

K

(p)

isbisimilarto the transitionsystemof tra esof

p

leadingto observablea tions, onehasto be arefulto restri tto ausaltra es. A trivial butusefulrephrasingofthisresultis:

Corollary1 Let

p

be a CCS pro ess, and

S

be its spe i ation, if

CTS

K

(p) ∼ S

then

ℓ

K

(p) ∼ S

.

Inwords,this saysthatto he kthe orre tnessof

ℓ

K

(p)

withrespe tto

S

, itisenoughto he kthe orre tnessof

CTS

K

(p)

.

Ifonegoesba ktotheexampleatthebeginningofthisse tion,thissaysthat

ℓ

{a,b}

((x) x |

x | ¯

x.¯

x.a.p | ¯

x.¯

x.b.q
)

is equivalent to

a.p + b.q

, as soon as the ausal ompression of

p = (x) x | x | ¯

x.¯

x.a.p | ¯

x.¯

x.b.q

relative to

{a, b}

is. This is easily seen in this exam-ple,andin fa t,asoftenin pra ti e,

CTS

K

(p)

and

S

turnouttobeequal.

The interest of this fundamental property lies in the fa t that the ausal ompression

relativeto

K

,

CTS

K

(p)

,issigni antlysmallerthan thepartially reversiblepro ess

ℓ

K

(p)

. A natural question is therefore, given a pro ess

p

, to ompute

CTS

K

(p)

. By nding an e ient way to do this, onewould obtain an e ient veri ation pro edure. This is the

obje tofthenextse tion.

4 Causal ompression

Arstideatoextra tthe ausaltransitionsystemofapro ess

p

istousetheLTSgenerated by

ℓ(p)

and s reen o non ausal tra es. One annot know howeverwhether atra e an beextendedintoa

k

- ausalformuntila ommitisee tivelytaken,andsu hanapproa h wouldlikelyleadtobothsuperuous(be auselotsoftra eswillnotbe ausal)andredundant

(be auseoftra eequivalen e) omputations. Amoreastuteapproa histolookonlyattra es

thatwill eventuallybein a

k

- ausalform. This requiresabottomupviewoftra eswhere onestartsfrom ommits inside aterm, andthen re onstru ts ausaltra estriggeringthis

ommitby onsumingitsprede essorsin everypossibleway.

However,thereisnoneedtoworkdire tlyinthesyntax,andeventstru tures[3℄provide

exa tlywhatisneededhere: atruly on urrentsemanti sthatabstra tsfromthe

interleav-ingof on urrenttransitions, andmoreimportantlyanexpli itnotionof ausality. Among

the various types of event stru tures the most often onsidered are prime ones, be ause

onsistentruns anbesimply hara terized. Yettheyleadto quitelargedatastru tures. 1

Ouralgorithm usesinsteadow eventstru tures(FES)[6,7,8℄. Ontheonehand,thereis

asimpleindu tivetranslationof CCStermsintoFESs that in ursno omputational ost;

ontheotherhand,FESarealgorithmi ally onvenient ompa tformsofeventstru tures.

Werstexplainhowtoextra tthe ausal ompression

CTS

K

(p)

fromthetranslationof

p

intoanFES.Thenwedis uss omputationalissuessu hashowtomakethisanalgorithm, andhowsomeoftheapparent omputational osts anbe ir umventedatthelevelofthe

implementation.

4.1 Flow event stru tures

A(labelled)oweventstru tureisatuple

E = hE, ≺, #, λi

where 

E

isasetofevents,



≺ ⊆ E × E

istheow relation whi hhastobeirreexive,

1

Spe i allyinprimeeventstru ture ausesof aneventmustbeuniquelydetermined,andthisfor es

dupli ationofthefutureofaneventea htimeitisengagedinasyn hronization.

α

1

c

#

α

¯

#

#

(α

2

,

α)

¯

#

α

2

#

(α

1

,

α)

¯

Figure4: FESrepresentationof

p := α.c.α.0 | ¯

α.0

. Eventsarenamedaftertheirlabelswhen thesearenotambiguous.



# ⊆ E × E

isthe oni t relation whi hissymmetri ,

and

λ : E → A

alabellingfun tion.

Theideaisthat theowrelationgivesallimmediatepossible ausesofanevent,whilethe

oni trelationindi atesa oni ting hoi ebetweentwoevents.

Denition3 Let

E = hE, ≺, #, λi

beanFES,aset

X ⊆ E

isa ongurationof

E

,written

X ∈ C(E)

,if itis:

 oni t free:

# ∩ (X × X) = ∅

,  y lefree:

≺

∗

_/X

isapartial order,

 and left- losedupto oni ts: if

e ∈ X

andthere is

d ∈ E

su h that

d ≺ e

then either

d ∈ X

orthereexists

f ∈ X

su hthat

f ≺ e

and

f #d

.

Thelast two onditionsarethepri etopayforworkingwithFESs,andarenotneededfor

prime ones. The rst onewill requiresome optimised stru turingof the oni t relation,

we'llreturntothispointsoon.

A onguration

X

in

E

with

e ∈ X

is

e

-minimal if

∀e

′

_{∈ X : e}

′

_≺

∗

_e

. The set of

e

-minimal ongurationsisdenoted by

ChE, ei

.

There isan easyindu tive translation

u

unfoldinganyCCS pro essintoaFES [6℄, where events orrespond to ommuni ations, and ongurationsare those subsetsof events that

atra e an trigger. Wewillnotre all herethis translation,andonlygiveanexample(see

Fig.4). The orre tnessof

u

isgivenbythefollowingrepresentationtheorem:

Theorem2([7℄) Let

p

be a CCSpro ess,and

T

≃

(p)

stand for the tra es of

p

quotiented bytra eequivalen e, then

(T

≃

(p), ≤)

and

(C(u(p)), ⊆)

areisomorphi .

One andeneatransition systemoutofan FES.Todothis, wedene

E|X

, theresidual of

E

bya onguration

X

in

C(E)

.

Denition4(Residual) Let

E = hE, ≺, #, λi

beanFES,

X

bea onguration of

E

,and dene

X

#

:= {e ∈ E | ∃e

′

_{∈ X : e}

′

_#e}

. The residual of

E

by

X

is

E|X := hE

′

_{, ≺}

′

_{, #}

′

_i

where:

E

′

_{:= E \ (X ∪ X}

#

)

≺

′

:=≺ ∩ (E

′

× E

′

)

#

′

:= # ∩ (E

′

× E

′

)

TheLTSasso iatedto

E = hE, ≺, #, λi

hasinitialstate

E

,andtransitionrelationgivenby

E

′

_→

X

E

′′

if

X ∈ C(E

′

₎

and

E

′′

_{= E}

′

_|X

.

It is herethat our reframingof the ompression questionin termsof event stru tures

pays o, sin e to obtain the ausal ompression of the transition system above, all one

hasto dois to restri tlabels to

e

-minimal ongurationssu hthat

λ(e) ∈ K

. The ausal LTS asso iatedto

E

,written

CTS

K

(E)

, hasinitialstate

E

,andtransitionrelationgivenby

E

′

_→

_→

k

E

′′

ifthere isanevent

e ∈ E

′

su h that

E

′

_→

X

E

′′

with

X ∈ ChE

′

_{, ei}

and

λ(e) ∈ K

.

Asa onsequen eoftherepresentationtheoremonegets:

Lemma1 Let

p

beaCCSpro ess,then

CTS

K

(p)

and

CTS

K

(u(p))

areisomorphi . Atthatpoint,wehaveanequivalentdenitionof

CTS

K

(p)

intermsoftheFES

u(p)

,andit remainstosee howone anturn thisdenition intoanalgorithm. Thisiswhat wedis uss

now.

4.2 Algorithmi dis ussion

First, the unfolding

u(p)

is in general an innite obje t even if we restri t to nite state pro esses. Tokeep with nite internal data stru tures, we requireea h re ursive pro ess

denition to beguardedby a ommit a tion. This seems areasonable onstraint,in that

there isapriori noreasonto modelatransa tional me hanismwith apro ess that allows

inniteforwardin on lusivetra es.

To ompute

CTS

K

(u(p))

,weuseinsteadof

u

,apartialunfolding

u

fin

that oin ideswith

u

ex eptitdoesnotunfoldanyre ursivedenition. The onstraintaboveensuresthatevery ommit

k

thatisrea hablebyasingle ausaltransition anbeseenbythispartialunfolding. Onlyafter triggeringtheevent orrespondingto

k

,are there ursive allsguardedby

k

(if any) unfolded, and their translations by

u

fin

added to the residual of the obtained event

stru ture. One then he ks whether the obtained residual event stru ture is isomorphi

withsomeobtainedpreviously,andaddsittothestatespa eifnot. Givenapro ess

p

,the algorithmto ompute

CTS

K

(u(p))

pro eedsasfollows:

0.

E = hE, ≺, #, λi := u

fin

_(p)

1. Forall

e ∈ E

su hthat

λ(e) ∈ K

, omputethe

e

-minimal ongurations

X

e

∈ ChE, ei

.

2. For ea h su h

X

e

build the residual

E|X

e

, with re ursive denitions guarded by

e

unfoldedusing

u

fin

.

3. Addthetransitions

E →

→

k

E|X

e

totheCTSunder onstru tion.

4. Forea h residual

E|X

e

notisomorphi to any previousone, set

E := E|X

e

and goto step1.

Bytherepresentationtheorem,thisalgorithmwillterminate assoonas

CTS

K

(p)

isnite. Inpra ti emostoftheisomorphismtests anbeavoidedbyusingaquitedis riminative

equality test between FES signatures whi h is linear in the number of events. Another

e ien yproblemonehastodealwithistheinternalrepresentationofthe oni trelation

(whi h is involved in step 1 be ause of the oni t-free ondition on ongurations). In

prime eventstru tures oni tis inheritedby ausality,that is tosayif

e#e

′

and

e

′

_{≺ e}

′′

, then

e#e

′′

. Hen e arather ompa t way to represent oni t is to keeponly

(e, e

′

_{) ∈ #}

and dedu e when needed that

e#e

′′

by heredity. We have found that a similar ompa t

stru ture,whi hwe alla oni ttree anbeusedforFESs. Coni ttreesarebuiltduring

pro esspartialunfoldings, andresultin atypi allylogarithmi ally ompa trepresentation

of oni t, for a low omputational ost. An example of a oni t tree is given Fig. 5:

oni ts is predi ated of intervals, and

[n − m]#[n

′

_{− m}

′

_]

means that any pair of events

indexedwithin

{n, . . . , m} × {n

′

_{, . . . , m}

′

_}

isin oni t. [0-4℄ [0-3℄ [4℄ # [1℄ [2℄ #

Figure5: Coni ttreeof

a

3

.(b

0

| c

2

+ d

1

) + e

4

5 Causal module and tests

The relative ompression algorithm wasimplemented asan O aml [9℄ library Causal [10℄.

Havingalibraryinsteadofanindependenttoolallowstousetheunderlyinglanguagethat

oersmore onstru tionprimitivesthan CCS. Any interestingen oding needsparametri

pro essdenitionsinordertodenesystemswithvaryingnumberofagents,andourmodule

oerssimpleCCSpro ess onstru tors,sothatonehasarealprogramminglanguagetobuild

largepro esses.

5.1 Ben hmark

To get a sense of how well our veri ation te hnique performs ompared with a straight

bisimulationbasedveri ation,weranseveraltests 2

usingen odingsofthedining

philoso-phersproblem. Thistimelessexampleofdistributed onsensusinvolves

n

philosopherseating togetheraroundatable. Ea hofthemneedstwo hopsti kstostarteating,andhastoshare

them with his neighbours. Whena philosopherhas eaten, he releaseshis hopsti ks after

awhileandgoesba kto theinitialstate. Inthepartial implementation, say

p

part

,on e a 2

TestsweremadewithanIntelPentium4CPU3.20GHzwith1GBofRAM.

philosophertakesa hopsti kheneverputsitba kunlesshehassu essfullyeaten. Inthe

fully orre tone,say

p

full

,hemayrelease hopsti ksatanytime(thusavoidingdeadlo ks). TheCCSpro esses

p

part

and

p

full

for

n = 2

orrespondroughlytotheearlierexamples(1) and(2). (See[1℄forageneraldenitionanddetailedstudy.)

There are two main reasons for taking the dining philosophers example. First it is a

paradigmati example of distributed onsensus, so the way to solve it without a ess to

thes heduler (by adding additionalsemaphores forinstan e) has to involveba ktra king.

Se ond, it turns out that the numberof possible states of the spe i ation is given by a

Fibona isequen e 3

S(1) = 1 S(2) = 3 S(n + 1) = S(n) + S(n − 1)

Thisis onvenientinthatitgivesasimplemeansto omparethetimeof omputationwith

the size of the spe i ation state spa e. Verifying orre tness of

p

full

using the Mobility Workben h(MWB)[11℄(seeFig.6) provedtobeimpossiblebeyond

5

philosophers(around

0

20

40

60

80

100

120

140

160

180

200

2

3

4

5

6

7

8

9

10

11

Time(se .) Numberofstates

Memoryswaplimit b ona i Mob.workb en h

Figure6: Dire tbisimulationtestfor

p

full

.

160

spe i ationstates)be auseofmemorylimitations. ByusingrsttheCausalmodule(see Fig.7)toextra tthe ausaltransitionsystemof

p

part

, we ouldverifyupto

19

philosophers (around

15, 000

spe i ationstates)withinatimewhi hstayedroughlyproportionaltothe numberofstates. Sin e

CTS(p

part

)

isin this aseequalto thespe i ation,theremaining partofthe orre tnessprooftakesnegligibletime(MWB needs

0.4s

for

10

philosophers).

6 Con lusion

Wehaveproposedamethod fortheveri ationofdistributed systemswhi h usesan

algo-rithmofrelative ausal ompression. Themethod doesnotalwaysapply: thepro ess one

wantstoverifymustuseageneri ba ktra kingme hanism. Thismayseemalimitation,but

itoften obtainsamu h simpler ode,and manyexamplesof distributed transa tions lend

3

ThankstoHubertKrivine(LPTMS)forshowingusthisni eresult.

0

5000

10000

15000

20000

25000

2

4

6

8

10

12

14

16

18

20

22

Numberofstates Time(se .)

Memoryswaplimit Causal b ona i

Figure7: Relative ausal ompressionusing theCausalmodule.

themselves naturallyto this onstraint. When themethod doesapply, however,it proves

veryee tiveas wehaveshownin thediningphilosophersexample.

Statespa eexplosioninautomatedbisimulationproofsisawellknownphenomenon,and

tra e ompression te hniqueshavebeenproposed to avoid theredundan y reatedbythe

interleavingof transitions [6, 12℄, and used in model- he kingappli ations [13, 14℄. These

ompressions preservebisimilarity, whereas ourdoesnot, and is of a ompletely dierent

nature. Besides, andbe auseour algorithm usesevent stru tures, wealso ash in on this

lassi alkindof ompression.

There is noreasonwhy thisveri ationmethod should belimitedto CCS. Other

on- urrent models anbeequipped with ba ktra king, and forwardand ba kwardaspe ts of

orre tness anbesplitthereaswell. Re entworkextendsthe on eptofpartiallyreversible

omputations to various pro ess algebras[15℄, and it is possibleto dene an analogueof

RCCS for the

π

- al ulus. New advan es in event stru ture semanti s for

π

- al ulus [16℄ mightallowtoextendthe ausal ompressionalgorithm,so asto overtheimportant ase

ofname-passing al uli.

Referen es

[1℄ Vin entDanosandJeanKrivine.Transa tionsinRCCS. InPro eedingsofCONCUR'05:16

th

InternationalConferen e onCon urren yTheory,volume3653 ofLNCS,2005.

[2℄ Vin ent Danos, JeanKrivine, and Fabien Tarissan. Self assemblingtrees. InPro eedings of

the

7

th

International onferen eonArti ialEvolution (EA'05),2005. Toappear.

[3℄ GlynnWinskel. Eventstru turesemanti sforCCSand relatedlanguages. InPro eedings of

9thICALP,volume140,pages561576,1982.

[4℄ RobinMilner. Communi ation andCon urren y. InternationalSeriesonComputerS ien e.

Prenti eHall,1989.

[5℄ Vin entDanosandJeanKrivine. Reversible ommuni atingsystems.InPro eedingsof

CON-CUR'04: 15

th

InternationalConferen eonCon urren yTheory,volume3170ofLNCS,pages

292307,2004.

[6℄ GérardBoudolandIlariaCastellani. Permutationoftransitions: Aneventstru turesemanti s

forCCSandSCCS. InLinearTime,Bran hingTimeandPartialOrderinLogi sandModels

forCon urren y,volume354ofLNCS,pages411427,1989.

[7℄ GérardBoudol. Floweventstru turesandownets. InPro eedingsofLITPSprings hoolon

Semanti sofSystemsofCon urrentPro esses, volume469ofLNCS,pages6295,1990.

[8℄ RobvanGlabeekandUrsulaGoltz.Well-behavedoweventstru turesforparallel omposition

anda tionrenement. Theoreti alComputerS ien e,311(1-3):463478,2003.

[9℄ TheO amlprogramminglanguage. Availableathttp:// aml.inria.fr.

[10℄ Causal  o aml module for ausality analysis of CCS pro esses. Available at

http://pauilla .inria.fr/

∼

krivine.

[11℄ Björn Vi tor and Faron Moller. The Mobility Workben h a tool for the

π

- al ulus. In Pro eedings of CAV'94: Computer-Aided Veri ation, volume 818 of LNCS, pages 428440,

1994.

[12℄ Patri eGodefroidandPierreWolper. Usingpartialordersforthee ientveri ationof

dead-lo k freedomand safety properties. InPro eedings of CAV'91: Computer-aided veri ation,

volume575ofLNCS,pages332342,1991.

[13℄ AlessandroBian hi, Stefano Colu ini,Pierpaolo Degano, and CorradoPriami. An e ient

verier of truly on urrent properties. In Pro eedings of Parallel Computing Te hnologies,

volume964ofLNCS,pages3650,1995.

[14℄ Tony Andrews,Shaz Qadeer, SriramK.Rajamani, Jakob Rehof, and Yi henXie. Zing: A

model he kerfor on urrentsoftware. InPro eedingsofCAV'04: Computer-aidedveri ation,

volume3114 ofLNCS,pages484487,2004.

[15℄ IainPhillips andIrekUlidowski. Reversing algebrai pro ess al uli. InPro eedings of

FOS-SAC'06,LNCS,2006. Toappear.

[16℄ DanieleVara aandNobukoYoshida. Typedeventstru turesandthe

π

- al ulus.In Pro eed-ingsofMFPSXXII,2006. Toappear.

Unité de recherche INRIA Rocquencourt

Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)

Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes

4, rue Jacques Monod - 91893 ORSAY Cedex (France)

Unité de recherche INRIA Lorraine : LORIA, Technopôle de Nancy-Brabois - Campus scientifique

615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)

Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)

Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)

Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)

Éditeur

INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)

http://www.inria.fr