Introduction to Process Algebra
Source: swtv.kaist.ac.kr/courses/cs550-spring-09/ccs1.pdf (2012-04-03)


Page 1: Introduction to Process Algebra

Korea Advanced Institute of Science and Technology

Page 2: Weakness of Traditional Validation & Verification (V&V)

• We have seen tragic accidents due to software and specification bugs
• These bugs are hard to find because they occur only in "exceptional" cases
• Informal system specification and requirement specification make automatic analysis infeasible, which results in incomplete coverage
• To provide better coverage, we need
  – Formal requirement specification
  – Formal system model

Diagram: the system model and the requirement properties are fed to model checking (state exploration), which answers either OK or with a counterexample.

Page 3: Outline

• Requirement specification problems
• Viewpoint on "meaning" (semantics) of a system
• Complexity of a system
• Formal modeling vs. programming
• Introduction to process algebra

Page 4: Requirement Specification Problems

• Ambiguity: an expression does not have a unique meaning, but can be interpreted in several different ways.
  – Ex. the long type in the C programming language
• Incompleteness: relevant issues are not addressed, e.g. what to do when user errors occur or software faults show.
  – Ex. retail chain management software
• Inconsistency: contradictory requirements in different parts of the specification.

Page 5: Viewpoint on Semantics of a System

• A system execution is a sequence of states s0 s1 ...
• A state has an environment s: Var -> Val
• A system has its semantics as a set of system executions

Diagram: a tree of executions branching from s0 (x:0, y:0), for example s0 -> s1 (x:0, y:1) -> s2 (x:1, y:2) -> s3 (x:1, y:3) -> s4 (x:2, y:4) along one branch and s0 -> s11 (x:5, y:1) -> s12 (x:5, y:2) -> s13 (x:5, y:3) -> s14 (x:5, y:4) along another, with s21 (x:7, y:3) -> s22 (x:7, y:4) on a further branch.

Page 6: Complexity of Systems

• The complexity of a system is sometimes more accurately expressed from the semantic viewpoint (number of reachable states) than from the syntactic viewpoint (number of lines of source code)
  – the number of different states a system can reach
  – Ex> an integer has 2^32 (~4000000000) possible values

Page 7: Formal Modeling vs. Programming

                                  Formal Modeling                               Programming
  Static aspects
    Abstraction level             High                                          Low
    Development time              Short                                         Long
  Dynamic aspects
    Executable                    Yes (model checking) / No (theorem proving)   Always
    System semantics              Mathematically defined                        Usually given by examples
    Environment semantics         Mathematically defined                        Usually given by examples
    (i.e. testbeds)
    Program state space           Manageable (i.e. tractable state space)       Unmanageable (i.e. beyond computing power)
    Validation                    By exhaustive exploration or deductive proof  By testing (incomplete coverage)

Page 8: Complex System Attributes

• You may not need to model a simple system such as +, *, or HelloWorld.
• However, you must have a scientific way of abstracting/modeling a system with complex structure, e.g.,
  – Hierarchy
  – Concurrency
  – Communication
• Also, you need to have a systematic way to analyze the correctness of your design

Page 9: Process Algebra

• A process algebra consists of
  – a set of operators and syntactic rules for constructing processes
  – a semantic mapping which assigns meaning or interpretation to every process
  – a notion of equivalence or partial order between processes
• Advantages:
  – A large system can be broken into simpler subsystems and then proved correct in a modular fashion.
  – A hiding or restriction operator allows one to abstract away unnecessary details.
  – Equality for the process algebra is also a congruence relation, and thus allows the substitution of one component with another equal component in large systems.
• Note that the model is constructed in a component-based way, but the analysis is not.

Page 10: Calculus of Communicating Systems (CCS)

• Developed by R. Milner (Univ. of Cambridge), ACM Turing Award 1991
• Provides many interesting paradigms
  – Emphasis on communication and concurrency
    • Provides a compact representation of both communication and concurrency
      – Ex> a (receive) and a' (send)
      – Ex> | (parallel operator)
  – Provides observation-based abstraction
    • Hiding internal behaviors using the \ (restriction) operator, i.e., considering all internal behaviors as an invisible special action
  – Provides correctness claims based on equivalence
    • Branching-time-based equivalence
      – Strong equivalence vs. weak equivalence

Page 11: Overview of CCS Syntax and Semantics

• CCS describes a system as a set of communicating processes
• Behavior of a process is expressed using actions
  – Act = input_actions ∪ output_actions ∪ {τ}
• Each process is built from the following 7 operators
  – Nil (null-ary operator): 0
  – Prefix: a.P
  – Definition: P = a.b.Q
  – Choice: a.P + b.P
  – Parallel: P | Q
  – Restriction: P \ {a,b}
  – Relabelling: P[a/b]
• Each operator has a clear formal semantics via inference rules (premises-conclusion rules)
• Based on these inference rules, the meaning/semantics of a process is given as a labelled transition system

Page 12: Example of a CCS System

• A set of actions Act = {a, a', b, τ}
• We define a CCS system Sys as
    Sys = (a.E + b.0) | a'.F
• Sys can execute one of the following 4 actions
    Sys -a->  E | a'.F
    Sys -a'-> (a.E + b.0) | F
    Sys -b->  0 | a'.F
    Sys -τ->  E | F

• Derivation of the first transition:

                       Prefix  ----------------
                                a.E -a-> E
              ChoiceL  ----------------------------
                        (a.E + b.0) -a-> E
    ParL  -------------------------------------------
           (a.E + b.0) | a'.F -a-> E | a'.F

Diagram (LTS of Sys): Sys -a-> E | a'.F -a'-> E | F; Sys -b-> 0 | a'.F -a'-> 0 | F; Sys -a'-> (a.E + b.0) | F, which -a-> E | F and -b-> 0 | F; Sys -τ-> E | F.

Page 13: Usage of Process Algebra

• Sequential system vs. reactive system
  – Ex1. Mathematical functions with given inputs generate outputs
    • Usually no environment consideration and no timing consideration.
  – Ex2. Ad-hoc On-Demand Vector routing protocol
    • Should model multiple concurrent nodes (environment)
    • Should model communication among the nodes
    • Should model timely behavior (e.g. time-out, etc.)
• Modeling of a complex system
  – Concurrency => interleaving semantics
  – Communication => synchronization
  – Hierarchy => refinement

Page 14: Notations (1/2)

• A system is described as a set of communicating processes
• Each process executes a sequence of actions
  – Actions represent either inputs/outputs or internal computation steps
• A set of actions/events Act = L ∪ L' ∪ {τ}
  – L = {a, b, ...} is a set of names and L' = {a', b', ...} is a set of co-names
    • a ∈ L can be considered as the act of receiving a signal
    • a' ∈ L' can be considered as the act of emitting a signal
    • τ is a special action to represent an internal hidden action
  – Act – {τ} represents the set of externally visible actions

Page 15: Notations (2/2)

• Operational (transitional) semantics of a CCS process
  – Define the "execution steps" that processes may engage in
  – P -a-> P' holds if a process P is capable of engaging in action a and then behaving like P'
• Define -a-> inductively using inference rules for the operators

          premises
      ---------------- (side condition)
         conclusion

  Example 1 (Prefix):             Example 2 (ChoiceR):

                                        Q -a-> Q'
      ----------------              -----------------
        a.P -a-> P                    P+Q -a-> Q'

Page 16: Operators for Sequential Process

The idea: 7 elementary ways of producing or putting together labelled transition systems

1. Nil       0                   No transitions (deadlock)

2. Prefix    a.P (a ∈ Act)       in.out.0 -in-> out.0 -out-> 0

               (empty)
     Prefix  ----------------
               a.P -a-> P

   Diagram: the chain in.out.0 -in-> out.0 -out-> 0 drawn as three states.

3. Defn      A = P               Buffer = in.out.Buffer
                                 Buffer -in-> out.Buffer -out-> Buffer

   Diagram: two states, Buffer and out.Buffer, with an in arrow from Buffer to out.Buffer and an out arrow back.

Page 17: Operators for Sequential Process (cont.)

4. Choice    P + Q               BadBuf = in.(τ.0 + out.BadBuf)
                                 BadBuf -in-> τ.0 + out.BadBuf -τ-> 0 or -out-> BadBuf

                P -a-> P'                        Q -a-> Q'
     ChoiceL  -----------------      ChoiceR  -----------------
                P+Q -a-> P'                      P+Q -a-> Q'

   Diagram: BadBuf -in-> (τ.0 + out.BadBuf), which -out-> BadBuf and -τ-> 0.

Obs: No priorities between τ's, a's or a''s!
May use Σ notation to compactly represent a sequential process: Σ_{i∈I} a_i.P_i

Page 18: Example: Boolean Buffer of Size 2

Action and process definitions:
  in0    : 0 is coming as input
  in1    : 1 is coming as input
  out0   : 0 is going out as output
  out1   : 1 is going out as output
  Buf2   : empty 2-place buffer
  Buf20  : 2-place buffer holding 0
  Buf201 : 2-place buffer holding 0 at head and 1 at tail

  Buf2   = in0.Buf20 + in1.Buf21
  Buf20  = out0.Buf2 + in0.Buf200 + in1.Buf201
  Buf21  = out1.Buf2 + in0.Buf210 + in1.Buf211
  Buf200 = out0.Buf20
  Buf201 = out0.Buf21
  Buf210 = out1.Buf20
  Buf211 = out1.Buf21

Diagram: a 2-place buffer with input on one side and output on the other; in state Buf201 the cells hold 0 (head) and 1 (tail).

Page 19: Operators for Concurrent Process

5. Composition   P | Q

   Buf1 = in.comm'.Buf1
   Buf2 = comm.out.Buf2
   Buf  = Buf1 | Buf2

             P -a-> P'                    Q -a-> Q'                   P -a-> P',  Q -a'-> Q'
     ParL  -----------------      ParR  -----------------      Par  ----------------------------
             P|Q -a-> P'|Q                P|Q -a-> P|Q'                    P|Q -τ-> P'|Q'

   Buf -in-> comm'.Buf1 | Buf2 -τ-> Buf1 | out.Buf2 -out-> Buf1 | Buf2      (ParL, Par, ParR)
   Buf -comm-> Buf1 | out.Buf2 -out-> Buf1 | Buf2                           (ParR, ParR)

Diagram (LTS of Buf): states Buf = Buf1|Buf2, comm'.Buf1|Buf2, Buf1|out.Buf2 and comm'.Buf1|out.Buf2, connected by in, comm, comm', out and τ transitions.

Page 20: Operators for Concurrent Process (cont.)

6. Restriction   P\L

   Buf1 = in.comm.Buf1
   Buf2 = comm'.out.Buf2
   Buf  = (Buf1 | Buf2)\{comm}

             P -a-> P'
     Res   -----------------  a ∉ L ∪ L'
             P\L -a-> P'\L

   Buf -in-> (comm.Buf1 | Buf2)\{comm} -τ-> (Buf1 | out.Buf2)\{comm} -out-> (Buf1 | Buf2)\{comm}

Diagram (LTS of Buf): states Buf = Buf1|Buf2, comm.Buf1|Buf2 and Buf1|out.Buf2 with in, τ and out transitions; the lone comm/comm' transitions of the unrestricted buffer (e.g. Buf -comm'-> Buf1 | out.Buf2) are no longer available.

• (Buf1 | Buf2)\{comm}: a design for a buffer with separated input/output ports
• ReqBuf = in.out.ReqBuf: a requirement for the buffer design
• (Buf1 | Buf2)\{comm} == ReqBuf means that the buffer design satisfies the requirement

Page 21: Operators for Concurrent Process (cont.)

7. Relabelling   P[f]

   Buf  = in.out.Buf
   Buf1 = Buf[comm/out]  = in.comm.Buf1
   Buf2 = Buf[comm'/in]  = comm'.out.Buf2

             P -a-> P'
     Rel   ----------------------
             P[f] -f(a)-> P'[f]

• Relabelling function f must preserve complements: f(a') = f(a)'
• Relabelling function often given by name substitution as above

Page 22: Example: 2-way Buffers

• 1-place 2-way buffer:
    Bufab = a+.b-'.Bufab + b+.a-'.Bufab
• Bufbc = Bufab[c+/b+, c-/b-, b-/a+, b+/a-]   (Obs: simultaneous substitution!)
• Sys = (Bufab | Bufbc)\{b+, b-}

LTS of Bufab: Bufab -a+-> b-'.Bufab -b-'-> Bufab and Bufab -b+-> a-'.Bufab -a-'-> Bufab.
Diagram: the LTSs of Bufab (labels a+, b-', b+, a-'), of Bufbc (labels b-, c-', c+, b+') and of Sys.

• But what's wrong? In other words, Sys == Bufac?
• Deadlock occurs

Page 23: Summary of CCS Semantics

  Rule                                                          Example

  Act      ----------------  (a ∈ Act)                          in.P -in-> P
             a.P -a-> P

             P -a-> P'                      Q -a-> Q'
  ChoiceL  -----------------    ChoiceR  -----------------      in.P + out.Q -in-> P or -out-> Q
             P+Q -a-> P'                    P+Q -a-> Q'

             P -a-> P'                      Q -a-> Q'
  ParL     -----------------    ParR     -----------------      in.P | in'.Q -in-> P | in'.Q or -in'-> in.P | Q
             P|Q -a-> P'|Q                  P|Q -a-> P|Q'

             P -a-> P',  Q -a'-> Q'
  Par      ----------------------------                         in.P | in'.Q -τ-> P | Q
                 P|Q -τ-> P'|Q'

             P -a-> P'
  Res      -----------------  a ∉ L ∪ L'                        (in.P | in'.Q)\{in} -τ-> (P|Q)\{in} only
             P\L -a-> P'\L

             P -a-> P'
  Rel      ----------------------                               in.P[out/in] -out-> P[out/in]
             P[f] -f(a)-> P'[f]
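An added example, not part of the lecture slides: a small Python interpreter for the seven CCS operators, with one case per inference rule of Pages 15 to 23 (Act/Prefix, Defn, ChoiceL/R, ParL/R/Par, Res, Rel), followed by a reachability search that locates the deadlock claimed for Sys = (Bufab | Bufbc)\{b+, b-} on Page 22. The tuple encoding of processes, the spelling 'tau' and the function names are conventions of this example, not of CCS.

```python
# Added example, not from the slides: a small CCS interpreter implementing the SOS rules.
# A process is a tuple: ('nil',), ('pre', a, P), ('sum', P, Q), ('par', P, Q),
# ('res', P, names), ('rel', P, pairs) or ('def', A) for a constant A defined in DEFS.
TAU = 'tau'
DEFS = {}                      # Defn operator A = P: constant name -> body

def co(a):
    """Complement of a name: a <-> a' (tau has no complement)."""
    return a[:-1] if a.endswith("'") else a + "'"

def transitions(P):
    """All (action, P') with P -action-> P', one case per inference rule."""
    kind = P[0]
    if kind == 'nil':                                   # Nil: no transitions (deadlock)
        return []
    if kind == 'pre':                                   # Prefix: a.P -a-> P
        return [(P[1], P[2])]
    if kind == 'def':                                   # Defn: A behaves as its body
        return transitions(DEFS[P[1]])
    if kind == 'sum':                                   # ChoiceL and ChoiceR
        return transitions(P[1]) + transitions(P[2])
    if kind == 'par':                                   # ParL, ParR and Par (a with a' -> tau)
        L, R = transitions(P[1]), transitions(P[2])
        out = [(a, ('par', P1, P[2])) for a, P1 in L]
        out += [(a, ('par', P[1], Q1)) for a, Q1 in R]
        out += [(TAU, ('par', P1, Q1)) for a, P1 in L for b, Q1 in R
                if a != TAU and b == co(a)]
        return out
    if kind == 'res':                                   # Res: a not in L U L'
        blocked = set(P[2]) | {co(a) for a in P[2]}
        return [(a, ('res', P1, P[2])) for a, P1 in transitions(P[1]) if a not in blocked]
    if kind == 'rel':                                   # Rel: P[f] -f(a)-> P'[f], with f(a') = f(a)'
        f = dict(P[2])
        def ren(a):
            if a == TAU or a in f:
                return f.get(a, a)
            return co(f[co(a)]) if co(a) in f else a
        return [(ren(a), ('rel', P1, P[2])) for a, P1 in transitions(P[1])]
    raise ValueError(P)

def explore(P):
    """Reachable states of the LTS rooted at P and those with no transitions (deadlocks)."""
    seen, dead, work = {P}, [], [P]
    while work:
        S = work.pop()
        succ = transitions(S)
        if not succ:
            dead.append(S)
        new = {T for _, T in succ} - seen
        seen |= new
        work.extend(new)
    return seen, dead

# The 2-way buffers of Page 22: Bufab = a+.b-'.Bufab + b+.a-'.Bufab,
# Bufbc = Bufab[c+/b+, c-/b-, b-/a+, b+/a-] and Sys = (Bufab | Bufbc)\{b+, b-}.
DEFS['Bufab'] = ('sum', ('pre', 'a+', ('pre', "b-'", ('def', 'Bufab'))),
                        ('pre', 'b+', ('pre', "a-'", ('def', 'Bufab'))))
BUFBC = ('rel', ('def', 'Bufab'), (('b+', 'c+'), ('b-', 'c-'), ('a+', 'b-'), ('a-', 'b+')))
SYS = ('res', ('par', ('def', 'Bufab'), BUFBC), ('b+', 'b-'))
```

explore(SYS) visits 8 states and reports exactly one deadlocked state, the configuration in which Bufab is waiting to emit on b- while Bufbc is waiting to emit on b+ and both channels are restricted.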

Page 24: Inference of Process Execution

Proof of ((a.E + b.0) | a'.F)\{a} -τ-> (E|F)\{a}

                  Act  --------------
                         a.E -a-> E
       ChoiceL  ---------------------------      Act  ----------------
                  (a.E + b.0) -a-> E                    a'.F -a'-> F
  Par  ---------------------------------------------------------------
                    (a.E + b.0) | a'.F -τ-> E | F
  Res  ---------------------------------------------------------------
                 ((a.E + b.0) | a'.F)\{a} -τ-> (E|F)\{a}

Page 25: Exercises

• Derive the following process executions from the inference rules
  – (a.E + b.0) | a'.F -a-> E | a'.F
  – (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F
  – (a.E + b.0) | a'.F -b-> 0 | a'.F
  – ((a.E + b.0) | a'.F)\{a} -b-> (0 | a'.F)\{a}
• Draw the corresponding labeled transition diagrams
  – (a.E + b.0) | a'.F
  – ((a.E + b.0) | a'.F)\{a}
  – A = a.c'.A, B = c.b'.B
    • A|B, (A|B)\{c}

Page 26: Proofs

Proof 1:
                  Prefix  --------------
                            a.E -a-> E
        ChoiceL  ----------------------------
                   (a.E + b.0) -a-> E
  ParL  ------------------------------------------
          (a.E + b.0) | a'.F -a-> E | a'.F

Proof 2:
        Prefix  ----------------
                  a'.F -a'-> F
  ParR  -------------------------------------------------
          (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F

Proof 3:
                  Prefix  --------------
                            b.0 -b-> 0
        ChoiceR  ----------------------------
                   (a.E + b.0) -b-> 0
  ParL  ------------------------------------------
          (a.E + b.0) | a'.F -b-> 0 | a'.F

Page 27: Labeled Transition Systems

LTS of (a.E + b.0) | a'.F:
  (a.E + b.0) | a'.F -a->  E | a'.F             (Proof 1)
  (a.E + b.0) | a'.F -a'-> (a.E + b.0) | F      (Proof 2)
  (a.E + b.0) | a'.F -b->  0 | a'.F             (Proof 3)
  (a.E + b.0) | a'.F -τ->  E | F
  E | a'.F -a'-> E | F
  (a.E + b.0) | F -a-> E | F,  (a.E + b.0) | F -b-> 0 | F
  0 | a'.F -a'-> 0 | F

LTS of ((a.E + b.0) | a'.F)\{a}:
  ((a.E + b.0) | a'.F)\{a} -b-> (0 | a'.F)\{a}
  ((a.E + b.0) | a'.F)\{a} -τ-> (E | F)\{a}