Modelling and Verifying Mobile Systems using π-graphs, Joël-Alexis Bialkiewicz (PowerPoint PPT Presentation)


SLIDE 1

Modelling and Verifying Mobile Systems using π-graphs

Joël-Alexis Bialkiewicz

Joel-Alexis.Bialkiewicz@lip6.fr

(joint work with Frédéric Peschanski)

UPMC Paris Universitas

1 / 26

SLIDE 2

Outline

◮ Introduction
◮ Introducing the π-graphs
  ◮ Graph structures
  ◮ π-box calculus
◮ Formal investigations
  ◮ Basic results
  ◮ Bisimulation framework
  ◮ Verification algorithm
◮ Conclusion and future works

2 / 26


SLIDE 4

Concurrent and mobile systems

Concurrent systems

◮ Processor physical limits already brought parallel computing to end-users: “The free lunch is over” [Sutter05]
◮ Sequential models no longer expressive enough ⇒ concurrency unavoidable
◮ Concurrency not new, but harder to model and reason about

About Mobility

◮ Concurrency ⇒ several entities at once ⇒ they may move wrt. one another
◮ Mobility: physical but also logical neighbours dynamically changing
◮ Static approaches lack expressivity, current dynamic ones are complex

Concurrent and Mobile Systems

◮ Programming approaches (CPU-level, programming-language constructs)
◮ Modeling approaches (formalisms, verification tools, abstraction techniques)
◮ Our approach: Modelling is programming (and vice versa, hopefully)

4 / 26

4 / 26

SLIDE 5

Modeling

Two schools: diagrams and programs

◮ Place-transition nets: “intuitive”, simulation/verification tools
◮ Process algebra: better expressivity, compositionality and more implementations

Our goals

◮ Hybrid formalism (diagram + corresponding process algebra): π-graphs
◮ Expressivity, intuitiveness
◮ Implementation and verification tools

5 / 26

5 / 26


SLIDE 7

Introducing the π-graphs

http://www-poleia.lip6.fr/~pesch/pigraphs

A dual formalism

◮ A diagrammatic language inspired by P/T nets
◮ A process algebra very close to the π-calculus

A dual characterization

◮ graph rewriting semantics
◮ labelled transition systems (LTS)

7 / 26

7 / 26

SLIDE 8

The graphical language

Boxes (names)

◮ White box: public name (labelled n)
◮ Black box: private name (labelled n)
◮ Gray box: dynamic name
◮ Empty box: binder

Places (labels and actions)

◮ Observation: unmarked, or marked (•)
◮ Silent (internal action): τ
◮ Choice: +

Links

◮ Output (a, b)
◮ Input (b)
◮ Reference/match (a, b)
◮ Guard

Parallel composition: implicit (“disjoint” graphs)
Termination (inert): implicit (empty graph)

8 / 26


SLIDE 12

Example

(figure: π-graph with the public boxes a and b, a choice place + and a black box for the private name νc)

$1 : \overline{\nu c}\,a + \overline{\nu c}\,b \,|\, \nu c(x).\bar{x}\,\nu c$

9 / 26

SLIDE 21

Example

(figure: the same π-graph after the rewrites, with the output place on b marked and a gray box holding the clock value 1)

$1 : \overline{\nu c}\,a + \overline{\nu c}\,b \,|\, \nu c(x).\bar{x}\,\nu c \xrightarrow{\tau} 1 : \bar{b}\,\nu c \xrightarrow{\tau} 2 : b \rhd 1 \xrightarrow{\epsilon} 0$

9 / 26

SLIDE 24

Compositionality and Scope

Question

What happens when names enter or exit the local system through interaction?

π-calculus

Depends on the chosen semantics (early, late, symbolic, etc.)

π-graphs

Logical clocks [Lamport78] and gray boxes (escaped names [Peschanski04])

10 / 26

SLIDE 30

Open outputs

Question

What is the difference between

◮ Sending a public name over a public channel
  ◮ The send is performed (simplest case)
◮ Sending a name over a private channel
  ◮ If no one can receive locally, then it cannot be sent
◮ Sending a private name over a public channel
  ◮ The sent name escapes its scope
  ◮ [π-calculus] bound output (HD)
  ◮ [π-graph] escape label and gray box (not HD)

⇒ Same principle for receiving names from the environment (open inputs)

Black box: a private “name” only known locally
White box: a public name statically known everywhere
Gray box: an escaped name/clock value potentially known by external processes through interaction

11 / 26

SLIDE 32

Open outputs and logical clocks: example

(figure: the π-graph before and after the rewrite, with the output place on b marked and a gray box holding the clock value 1)

$1 : \bar{b}\,\nu c \xrightarrow{\tau} 2 : b \rhd 1$

12 / 26

SLIDE 33

Process-algebra view

π-box calculus

A process algebra similar to the π-calculus but:

◮ For each process term there exists a unique π-graph encoding (up-to structural congruence)
◮ Graphs as normal forms of terms

Syntax

Prefix: $\pi ::= \bar{x}y \mid x \rhd y \mid x(z) \mid x \lhd y \mid \tau$
Process: $P ::= 0 \mid \pi.P \mid P + P' \mid P \,|\, P' \mid [x = y](z)\,P'$ provided $x, y \in fn(P')$
Term: $k : P$ where $k \ge 1$ is a logical clock

13 / 26

SLIDE 35

Operational semantics

Principles

◮ π-graphs: semantics through graph rewrites
◮ π-box: semantics through labelled transition systems (LTS)

Example: open output

π-box, with $x \in Priv$, $y \in Priv$:

$k : \bar{x}y.P \xrightarrow{\tau} k+1 : x \rhd k.P\{k/y\}$

π-graphs (figure): the output place on x at clock k is rewritten by a τ step into, at clock k+1, a gray box holding the clock value k linked to x, with $clr(x) = b$

14 / 26
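The open-output rule above, together with the communication and termination steps of the running example on slides 12 and 21, as an added worked example in Python that is not part of the talk or of the authors' π-graph eXplorer. The tuple-based process syntax, the `priv` set standing in for the inline νc annotation, the `step` and `derivation` functions, and the use of markings such as `b ⊳ 1` as observable labels are assumptions of this example; the open-output case is applied as on slide 28 (a private name sent over a public channel), which is the case the example term exercises, and open inputs from the environment are not modelled.

```python
# Added example (not the authors' tool): a minimal interpreter for the pi-box
# rules the slides state, applied to the slides' own running example.
# Assumptions: processes are nested tuples; private (black-box) names are listed
# in a `priv` set instead of being written "νc" inline; open input (receiving
# from the environment) is not modelled.

NIL = ('nil',)                                   # inert process 0

def out(x, y, p=NIL):  return ('out', x, y, p)   # x̄y.P : send y on channel x
def inp(x, z, p=NIL):  return ('in', x, z, p)    # x(z).P : receive on x into z
def esc(x, k, p=NIL):  return ('esc', x, k, p)   # x ⊳ k.P : escaped name, clock value k
def tau(p=NIL):        return ('tau', p)         # τ.P
def choice(p, q):      return ('sum', p, q)      # P + P'
def par(p, q):         return ('par', p, q)      # P | P'

def subst(p, old, new):
    """P{new/old}: replace free occurrences of the name `old` by `new`."""
    r = lambda n: new if n == old else n
    kind = p[0]
    if kind == 'nil':
        return p
    if kind == 'out':
        return ('out', r(p[1]), r(p[2]), subst(p[3], old, new))
    if kind == 'esc':
        return ('esc', r(p[1]), p[2], subst(p[3], old, new))
    if kind == 'in':                              # the binder z shadows `old`
        z, q = p[2], p[3]
        return ('in', r(p[1]), z, q if z == old else subst(q, old, new))
    if kind == 'tau':
        return ('tau', subst(p[1], old, new))
    return (kind, subst(p[1], old, new), subst(p[2], old, new))   # sum, par

def prefixes(p):
    """Guarded alternatives of a (sum of) prefix(es): [(prefix, continuation)]."""
    if p[0] == 'sum':
        return prefixes(p[1]) + prefixes(p[2])
    if p[0] in ('out', 'in', 'esc', 'tau'):
        return [(p[:-1], p[-1])]
    return []                                     # 0 or a parallel composition

def components(p):
    """Flatten a parallel composition into the list of its components."""
    return components(p[1]) + components(p[2]) if p[0] == 'par' else [p]

def rebuild(comps):
    """Inverse of components(); terminated components vanish (0 | P = P)."""
    live = [c for c in comps if c != NIL]
    if not live:
        return NIL
    result = live[-1]
    for c in reversed(live[:-1]):
        result = par(c, result)
    return result

def step(term, priv):
    """All one-step transitions of `k : P` as (label, term').
    Local communication and open output are silent (τ); consuming an output
    or escape prefix on a public channel yields the marking x ⊳ y as label."""
    k, p = term
    comps = components(p)
    res = []
    for i, ci in enumerate(comps):
        for pre, cont in prefixes(ci):
            new = list(comps)
            if pre[0] == 'out':
                x, y = pre[1], pre[2]
                # communication with a local receiver on the same channel
                for j, cj in enumerate(comps):
                    for pre_r, cont_r in prefixes(cj):
                        if j != i and pre_r[0] == 'in' and pre_r[1] == x:
                            both = list(comps)
                            both[i], both[j] = cont, subst(cont_r, pre_r[2], y)
                            res.append(('τ', (k, rebuild(both))))
                if x in priv:           # private channel: nobody outside can receive
                    continue
                if y in priv:           # open output: y escapes as the clock value k
                    new[i] = esc(x, k, subst(cont, y, k))
                    res.append(('τ', (k + 1, rebuild(new))))
                else:                   # public name on public channel: send performed
                    new[i] = cont
                    res.append((f'{x} ⊳ {y}', (k, rebuild(new))))
            elif pre[0] == 'esc':
                new[i] = cont
                res.append((f'{pre[1]} ⊳ {pre[2]}', (k, rebuild(new))))
            elif pre[0] == 'tau':
                new[i] = cont
                res.append(('τ', (k, rebuild(new))))
    return res

def derivation(term, priv, choose=lambda options: options[0]):
    """Run `term` until no transition is enabled, picking among the enabled
    transitions with `choose`; returns the list of (label, term) taken."""
    trace = []
    while True:
        options = step(term, priv)
        if not options:
            return trace
        label, term = choose(options)
        trace.append((label, term))

# The slides' example term  1 : νc̄ a + νc̄ b | νc(x).x̄ νc  with c private
PRIV = {'c'}
EXAMPLE = (1, par(choice(out('c', 'a'), out('c', 'b')),
                  inp('c', 'x', out('x', 'c'))))

if __name__ == '__main__':
    # take the c̄b branch (the last enabled option) to reproduce the slides' run
    for label, (clock, proc) in derivation(EXAMPLE, PRIV, lambda o: o[-1]):
        print(f'--{label}--> {clock} : {proc}')
```

Running it prints the three steps of slide 21: the τ communication on the private channel leaves `1 : b̄ νc`, the open output bumps the clock and leaves `2 : b ⊳ 1`, and consuming that escape prefix leaves the empty process. A private channel with no local receiver (`1 : c̄a` alone) yields no transition at all, which is the "cannot send" case of slide 30.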


SLIDE 37

Encoding/Decoding of π-graphs

Decoding

There exists a function D from π-graphs to π-box terms such that: $\forall (G, H),\ D(G) = D(H) \implies G =_G H$

Encoding

There exists a function E from π-box terms to π-graphs such that: $\forall (P, Q),\ E(P) = E(Q) \implies P \equiv Q$

16 / 26

SLIDE 39

Structural congruence vs. Graph isomorphism

Lemma (Consistency)

◮ $\forall G,\ E(D(G)) =_G G$
◮ $\forall P,\ D(E(P)) \equiv P$

with

◮ $=_G$: π-graph isomorphism (up-to γ rules)
◮ $\equiv$: π-box structural congruence (“trivial” equalities)

In practice

Verifying $P \equiv Q$ in our tool:

◮ encode P and Q to π-graphs G and H (“true” normal forms)
◮ check $G =_G H$

17 / 26

SLIDE 42

Rewrite and marking vs. transition

Marking

The marking of a graph G is

◮ $c \lhd a$ if an input place is marked
◮ $c \rhd a$ if an output place is marked

Remark: there may be at most 1 place marked (> 1 ⇒ true concurrency)

Transitions vs. graph rewrites

π-box: if $P \xrightarrow{\alpha} Q$, then π-graph: $E(P) \xrightarrow{\epsilon}{}^{*} \xrightarrow{\tau} E(Q)$ and $mark(E(Q)) = \alpha$

Graph rewrites vs. transitions

π-graph: if $G \xrightarrow{\epsilon}{}^{*} \xrightarrow{\tau} H$ and $mark(H) = \alpha$, then π-box: $D(G) \xrightarrow{\alpha} D(H)$

18 / 26

SLIDE 44

Bisimilarities

π-box bisimilarity

$\sim_b$ is the largest symmetric relation such that $P \sim_b Q$ iff: $\forall \alpha,\ P \xrightarrow{\alpha} P',\ \exists Q',\ Q \xrightarrow{\alpha} Q' \wedge P' \sim_b Q'$

π-graph bisimilarity

$\sim_g$ is the largest symmetric relation such that $G \sim_g H$ iff: $\forall \alpha,\ G \xrightarrow{\epsilon}{}^{*} \xrightarrow{\tau} G' \wedge mark(G') = \alpha,\ \exists H',\ H \xrightarrow{\epsilon}{}^{*} \xrightarrow{\tau} H' \wedge mark(H') = \alpha \wedge G' \sim_g H'$

19 / 26

SLIDE 46

Verification algorithm

Theorem

◮ $G \sim_g H$ iff $D(G) \sim_b D(H)$
◮ $P \sim_b Q$ iff $E(P) \sim_g E(Q)$

Algorithm

Verifying $P \sim_b Q$ in our tool:

◮ Encode P and Q as G and H
◮ Compute the LTS through graph-rewrite exploration
◮ Apply a standard bisimulation checking algorithm

20 / 26
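The π-box bisimilarity definition and the last two steps of the algorithm (an explicit LTS, then a standard bisimulation check), as an added example in Python that is not the authors' tool. The partition-refinement routine is the textbook scheme of Kanellakis and Smolka rather than the Paige-Tarjan variant the tool lists; the labelled transition system is constructed by hand for the example (in the tool it would come from graph-rewrite exploration), and the state names s0, t0, u0 and the `minimize` quotient function are assumptions of this example.

```python
# Added example (not the authors' tool): partition refinement computes strong
# bisimilarity, the largest relation satisfying the ∼b definition, and the
# quotient of the LTS by that partition is the minimized LTS. The LTS below is
# constructed by hand; in the talk it would come from graph-rewrite exploration.

def bisimulation_classes(lts):
    """Kanellakis/Smolka style refinement: start with every state in one block
    and split a block whenever two of its states differ in their set of
    (label, target block) moves. The stable partition is strong bisimilarity;
    starting from the coarsest partition makes it the largest such relation."""
    states = list(lts)
    block_of = {s: 0 for s in states}
    while True:
        signature = {s: frozenset((a, block_of[t]) for a, t in lts[s]) for s in states}
        ids, refined = {}, {}
        for s in states:
            key = (block_of[s], signature[s])           # keys only ever split blocks
            refined[s] = ids.setdefault(key, len(ids))
        if len(ids) == len(set(block_of.values())):     # nothing was split: stable
            return refined
        block_of = refined

def bisimilar(lts, s, t):
    """P ∼b Q iff both states land in the same class of the stable partition."""
    classes = bisimulation_classes(lts)
    return classes[s] == classes[t]

def minimize(lts):
    """Quotient LTS: one state per bisimulation class, moves lifted to classes."""
    classes = bisimulation_classes(lts)
    quotient = {}
    for s, moves in lts.items():
        quotient.setdefault(classes[s], set()).update((a, classes[t]) for a, t in moves)
    return {c: sorted(m) for c, m in quotient.items()}

# Constructed LTS using the talk's labels (τ and markings such as b ⊳ 1).
#   s0 = τ.(b⊳1 + b⊳2)        t0 = τ.b⊳1 + τ.b⊳2        u0 = τ.(b⊳1 + b⊳2) + τ.(b⊳1 + b⊳2)
# s0 and t0 have the same traces but are not bisimilar (after τ, t0 has
# committed to one output); s0 and u0 are bisimilar.
LTS = {
    's0': [('τ', 's1')], 's1': [('b ⊳ 1', 's2'), ('b ⊳ 2', 's3')], 's2': [], 's3': [],
    't0': [('τ', 't1'), ('τ', 't2')], 't1': [('b ⊳ 1', 't3')], 't2': [('b ⊳ 2', 't4')],
    't3': [], 't4': [],
    'u0': [('τ', 'u1'), ('τ', 'u2')], 'u1': [('b ⊳ 1', 'u3'), ('b ⊳ 2', 'u4')],
    'u2': [('b ⊳ 1', 'u5'), ('b ⊳ 2', 'u6')], 'u3': [], 'u4': [], 'u5': [], 'u6': [],
}

if __name__ == '__main__':
    print('s0 ~ t0:', bisimilar(LTS, 's0', 't0'))   # False
    print('s0 ~ u0:', bisimilar(LTS, 's0', 'u0'))   # True
    print('minimized LTS:', minimize(LTS))
```

Putting the states of both systems into one LTS is what makes the classes comparable: two terms are bisimilar exactly when their initial states share a class, and the 16 constructed states collapse to 6 classes in the quotient, which is the "LTS generation/minimization" item of the tool's feature list.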

SLIDE 49

Comparisons

Other verification environments for the π-calculus

◮ Mobility Workbench: open bisimulation [Victor94] ⇒ state explosion (permutations of closed free names)
◮ HAL: HD-automata [Montanari95] ⇒ state explosion (unfolding HD to plain automata)

Conjecture

◮ our tool is more efficient (standard bisimulation)

Todo

◮ need to compare worst-case complexities
◮ need to compare in practice

21 / 26


SLIDE 51

Things done

◮ Basic model
◮ A tool: π-graph eXplorer ⇒ http://www-poleia.lip6.fr/~pesch/pigraphs/
  ◮ Finitary π-graphs with recursion
  ◮ π-box Encoding/Decoding
  ◮ structural congruence
  ◮ interactive rewriting
  ◮ LTS generation/minimization
  ◮ Bisimulation (backtrack, Paige-Tarjan)
◮ This paper and its technical report companion

23 / 26

SLIDE 52

Ongoing and future work

Theory: variations on a theme (joint work)

◮ Non-finitary π-graphs
◮ Static π-graphs and iterators
◮ Computed clocks
◮ Compositional π-graphs $(b(x).\bar{x}a \,|\, \bar{c}d \xrightarrow{[b=c]\tau} \bar{d}a)$
◮ True concurrency (polyadic marking)

Practice: our tool

◮ Iterators
◮ Bisimulation-based algorithms (weak*, weak, etc.)
◮ Temporal and spatial logics (µ-calculus, etc.)
◮ Comparisons with other verifiers

24 / 26

SLIDE 53

Any questions?

25 / 26

SLIDE 54

Bibliography

[Sutter05] Herb Sutter. The free lunch is over: a fundamental turn toward concurrency in software. Dr. Dobb's Journal, March 2005.
[Milner99] Robin Milner. Communicating and Mobile Systems: The π-Calculus. Cambridge University Press, 1999.
[Peschanski04] Frédéric Peschanski. On Linear Time and Congruence in Channel-Passing Calculi. Communicating Process Architectures (CPA'04). IOS Press, 2004.
[Peschanski06] Frédéric Peschanski and Samuel Hym. A Stackless Virtual Machine for a π-calculus. Virtual Execution Environments (VEE'06). ACM Press, 2006.
[Lamport78] Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Commun. ACM vol. 21 num. 7. ACM Press, 1978.
[Victor94] Björn Victor and Faron Moller. The Mobility Workbench: A Tool for the π-Calculus. CAV'94. LNCS 818. Springer, 1994.
[Montanari95] Ugo Montanari and Marco Pistore. Checking Bisimilarity for Finitary π-Calculus. Concur'95. LNCS 962. Springer, 1995.
[Busi04] Nadia Busi et al. Comparing recursion, replication, and iteration in process calculi. ICALP'04. LNCS 3143. Springer, 2004.
[Devillers04] Raymond Devillers et al. Modelling mobility in high-level Petri nets. ACSD'07. IEEE, 2007.
[Gaducci07] Fabio Gadducci. Graph rewriting for the π-calculus. MSCS vol. 17. Cambridge University Press, 2007.

26 / 26