Semantics Q1 2007: SEMANTICS (Q1,’07) Week 6. Jacob Andersen, PhD student, [email protected]


1

Semantics Q1 2007

SEMANTICS (Q1,’07) Week 6

Jacob Andersen, PhD student

[email protected]

2

Week 6 - Outline
• A Tale of Two Coca-Cola Dispensers
• About Equivalences
• Strong + Weak Bisimulation
• Bisimulation Games
• CCS Tools

3

CCS Syntax
• CCS Syntax:
• “0” // inaction
• “.P” // action prefix, Act
• “P+P” // non-deterministic choice
• “P|P” // parallel composition
• “P\L” // restriction (private name), L ⊆ L
• “P[f]” // action relabelling
• “K” // process variable, K K

P ::= 0 | .P | P+P | P|P | P\L | P[f] | K

K1 =def P1, K2 =def P2, …

… where f:ActAct

Note: restrictions on f:
f() =
a: f(a) = f(a)

4

SOS for CCS
• Structural Operational Semantics:
Rule labels (the rules themselves are not reproduced in the transcript): [ACT] [SUMj] [CON] [RES] [REL] [COM1] [COM2] [COM3]

Q: why τ (tau) in communication “P|Q” (instead of propagating a or a)?
~ “the unobservable hand-shake”

5

A TALE OF TWO COCA-COLA DISPENSERS

6

Once upon a time...
• Dispenser: coin . (coke + sprite)
• Dispenser’: coin.coke + coin.sprite

Would you consider them equal ‘=’ ?
Would you consider them equivalent ‘’ ?
What does it at all mean for them to be equivalent ‘’ ?!?

7

Equal vs. Equivalent
• Equal (concrete identity):
• 3 = 3
• Equivalent (abstract):
• 3 003
• 3₁₀ 0x03₁₆ \003₈ 0011₂
• 3 three
• 3 1+2
• 3 (the sum of i for i = 0 .. 2)
• 3 let n=2 in n*(n-1)+(n-2)
(… more abstract)

8

Trace Equivalence
• Definition: Trace Equivalence:
• Two processes P and Q are trace equivalent “tr” iff:
» They can produce the same traces
• Example:
• Traces( coin . (coke + sprite) ) = { , coin, coin;coke, coin;sprite }
• Traces( coin.coke + coin.sprite ) = { , coin, coin;coke, coin;sprite }
Hence: the two dispensers are trace equivalent (“tr”).

Traces(P) = { Act* | Q : P * Q }

9

Contextual Composition…?
• Recall: coin . (coke + sprite) and coin.coke + coin.sprite are trace equivalent (‘tr’), the problematic equality(!)
• "Coke-only-drinker": coin . coke . drink
• Contextual composition:
Idea (can we…?): put the two dispensers in a context where they can be differentiated !
What the.. !? The coke drinker is certainly able to distinguish the two dispensers !!
Trace equivalence cannot distinguish the two dispensers.

10

ABOUT EQUIVALENCES

11

Purpose of equivalences
• Recall examples from the homepage:
• Specification and (model of) program equivalent ?
• Two (models of) programs equivalent ?

12

CCS: “Single-Language Formalism”
• CCS is a so-called “Single-lang. formalism”;
• i.e. one may specify both:
» implementation ( IMPL =def ... )
» and specification ( SPEC =def ... )
• We would like to check via some (reasonable) equivalence, R, that:
• “The implementation has the intended behavior”:
» IMPL R SPEC: the spec. and impl. are “equivalent”

13

Equivalence “wish list”
• …so we would like:
• reflexivity:
» SYS R SYS (same behavior as itself) !
• transitivity (for stepwise modelling/refinement) !!! :
» S0 R S1 R ... R Sn R IMPL => S0 R IMPL
• symmetry (just a nice property to have):
» S R S’ S’ R S

14

Def: Equivalence Relation
• Let R be a binary relation over set A:
• R A A
• R is an equivalence relation iff:
• Reflexive:
» xA: x R x
• Symmetric:
» x,yA: x R y y R x
• Transitive:
» x,y,zA: x R y y R z x R z

Q: is trace equivalence “tr” an equivalence relation ? Yes

15

Equivalence “wish list” (cont’d)…
• Furthermore, we would like these properties:
• P+Q R Q+P // ‘+’ commutative
• (P+Q)+R R P+(Q+R) // ‘+’ associative
• P|Q R Q|P // ‘|’ commutative
• (P|Q)|R R P|(Q|R) // ‘|’ associative
• 0+P R P // ‘0’ is neutral wrt. ‘+’
• 0|P R P // ‘0’ is neutral wrt. ‘|’
• ...

Trace equivalence ‘tr’ ? Yes

16

…and (congruence wrt. CCS)
• Definition: “R” congruence (wrt. CCS):
• P R Q C[P] R C[Q] , for all contexts C[]
» “relation is preserved under contextual substitution”
• A context = a process with a gap:
C ::= .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a
• Examples:
• P R Q P+R R Q+R (context []+R)
• P R Q P|S R Q|S (context []|S)
• P R Q a.P R a.Q (context a.[])
• P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x

Congruence ‘tr’ ?

17

Congruence (cont’d)
• Trace equivalence, ‘tr’, and contexts?
• Recall the two Coca-cola machines:
» coin . (coke + sprite)
» coin.coke + coin.sprite
• Now take the “Coke-only drinker”:
» coin . coke . drink
– Although we have that the two machines are trace equivalent (‘tr’), the problematic equality:
What the.. !? The coke drinker is certainly able to distinguish the two dispensers !!
Idea (can we…?): put the two dispensers in a context where they can be differentiated !

18

Trace Equiv. ~ DFA Acceptance
• Recall: a deterministic finite automaton, A:
• is completely identified by its set of traces: L(A)
• Trace equivalence ~ DFA acceptance:
• (without accept states - by construction)
• P tr Q iff they can produce the same traces

“This point of view is totally justified and natural if we view our LTSs as non-deterministic devices that may generate or accept sequences of actions. However, is it still a reasonable one if we view our automata as reactive machines that interact with their environment ?”
-- [Aceto, Larsen, Ingólfsdóttir, p. 41]

19

STRONG BISIMULATION: (~)

20

Def: A Strong Bisimulation
• Let (Proc, Act, ) be a LTS
• Def: a bin. rel. R Proc Proc is a strong bisimulation iff whenever (s,t) R : aAct :
• if s -a-> s’ then t -a-> t’ for some t’ such that (s’,t’) R
• if t -a-> t’ then s -a-> s’ for some s’ such that (s’,t’) R
• Note:
• 1. Definition on LTS (not necessarily wrt. processes)
• 2. Definition relative to a (SOS) semantics (via LTS)

Intuition: “Only equate as consistently allowed by the semantics”

21

Def: Strongly Bisimilar (~)
• A Strong Bisimulation:
• Def: a bin. rel. R Proc Proc is a strong bisimulation iff whenever (s,t) R : aAct :
• if s -a-> s’ then t -a-> t’ for some t’ such that (s’,t’) R
• if t -a-> t’ then s -a-> s’ for some s’ such that (s’,t’) R
• The Strong Bisimilarity relation (~):
• Def: two (processes) s and t are strongly bisimilar ( s ~ t ) iff there is a strong bisimulation R with (s,t) R .
• i.e. ‘~’ := the union of { R | R is a strong bisimulation }

22

Basic Properties of (~)
• Theorem:
• ‘~’ is an equivalence relation (exercise…)
• Theorem:
• ‘~’ is the largest strong bisimulation
» i.e. for any bisimulation R we have that: R ⊆ ‘~’
• Theorem:
– s ~ t iff aAct :
• if s -a-> s’ then t -a-> t’ for some t’ such that s’ ~ t’
• if t -a-> t’ then s -a-> s’ for some s’ such that s’ ~ t’

23

How to Prove Strong Bisimilarity ?
• How to prove strong bisimilarity for two processes ?
• i.e. s ~ t ?
• Exhibit a (any) bisimulation R, for which: (s,t) R
– By definition we get that: (s,t) R ⊆ ‘~’
» since ‘~’ was the largest bisimulation

24

Example Proof of Bisimilarity
• Example:
• Buffer (capacity 1):
A0 =def in . A1
A1 =def out . A0
• Buffer (capacity 2):
B0 =def in . B1
B1 =def in . B2 + out . B0
B2 =def out . B1
• Show that: B0 ~ A0|A0

States of the two LTSs: B0, B1, B2 and A0|A0, A1|A0, A0|A1, A1|A1

R = { (B0 , A0|A0) , (B1 , A1|A0) , (B1 , A0|A1) , (B2 , A1|A1) }
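As an added example (not code from the slides), the following checks that the relation R above satisfies the transfer condition of the strong-bisimulation definition, which, since (B0, A0|A0) is in R, proves B0 ~ A0|A0. The LTS for A0|A0 is written out by hand, assuming plain interleaving (in and out are not co-names, so no hand-shake arises):

```python
# Constructed LTS (not from the slides) for the two-place buffer B0..B2 and for
# the product A0|A0 of two one-place buffers (interleaving only: `in` and `out`
# are not complementary names, so no tau hand-shake arises).
TWO_BUFFERS = {
    "B0": [("in", "B1")], "B1": [("in", "B2"), ("out", "B0")], "B2": [("out", "B1")],
    "A0|A0": [("in", "A1|A0"), ("in", "A0|A1")],
    "A1|A0": [("out", "A0|A0"), ("in", "A1|A1")],
    "A0|A1": [("out", "A0|A0"), ("in", "A1|A1")],
    "A1|A1": [("out", "A0|A1"), ("out", "A1|A0")],
}
# The candidate relation R from the slide.
R = {("B0", "A0|A0"), ("B1", "A1|A0"), ("B1", "A0|A1"), ("B2", "A1|A1")}

def violations(lts, rel):
    """Transfer-condition failures: (s, t, action, move) where the move from
    one side of the pair cannot be matched so that the successors stay in rel."""
    bad = []
    for s, t in sorted(rel):
        for a, s2 in lts[s]:   # s moves, t must answer with the same action
            if not any((s2, t2) in rel for b, t2 in lts[t] if b == a):
                bad.append((s, t, a, s2))
        for a, t2 in lts[t]:   # and symmetrically for moves of t
            if not any((s2, t2) in rel for b, s2 in lts[s] if b == a):
                bad.append((s, t, a, t2))
    return bad

def is_strong_bisimulation(lts, rel):
    """rel is a strong bisimulation iff no pair violates the transfer condition;
    with (B0, A0|A0) in R this proves B0 ~ A0|A0."""
    return not violations(lts, rel)
```

Dropping any pair from R (for instance (B1, A0|A1)) makes `violations` report the first move that can no longer be answered.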

25

How to Prove Non-Bisimilarity ?
• How to prove non-bisimilarity ?
• i.e. that s ~ t does not hold ?
• Enumerate all binary relations:
• Check that none are bisimulations and contain (p,q)
» However: extremely expensive, O(2^(|p|·|q|))
• Use “Feynman Problem-Solving Algorithm”:
» (1). Write down the problem;
» (2). Think very hard;
» (3). Write down the answer.
• Or…

26

(~) BISIMULATION GAMES

27

The (Strong) Bisimulation Game
• Let (Proc, Act, ) be a LTS and s,t Proc
• Define 2-player game: [ attacker v defender ]
• The game is played in “rounds” and the configurations of the game are (Proc Proc);
» The game starts (first round) in (s,t) Proc Proc
• Intuition (objectives):
• The defender wants to show that: s ~ t
• The attacker wants to show that: s ~ t does not hold

Cf. the note on SI proofs section 6 (p. 4).

28

Rules of the Bisimulation Game
• In round k the players change the current configuration (sk,tk) as follows:
• First, the attacker chooses:
» 1) one of the processes (e.g. tk); i.e., left or right;
» 2) a legal action from that process: a Act;
» 3) a legal transition according to the LTS: tk -a-> tk+1
• Then, the defender chooses:
» -) a “counter-move” using same action, a: sk -a-> sk+1
• (sk+1,tk+1) becomes the next round’s configuration…
• Winning:
• If one player (only) cannot move, the other player wins
• If the game is infinite (repeats configuration), the defender wins

29

Game Characterization of (~)
• Theorem:
• States (processes) s and t are not strongly bisimilar iff the attacker has a universal winning strategy
• States (processes) s and t are strongly bisimilar iff the defender has a universal winning strategy
• (s ~ t does not hold) basically means that: “the ‘perfect attacker’ always wins”
• (s ~ t) basically means that: “the ‘perfect defender’ always wins”

30

Let’s Play…
• Let’s play…: coin . (coke + sprite) ~ coin.coke + coin.sprite ?
• ~ / not ~ ? show of hands…
(LTS diagrams of the two dispensers, with transitions labelled coin, coke and sprite)

31

Another Game…
• Are the following two LTS(/processes) s and t strongly bisimilar: s ~ t ?
• There’s a universal attack strategy; hence, they are not strongly bisimilar: s ~ t does not hold

32

(~) CONGRUENCE

33

(~) is a Congruence for CCS
• Theorem:
• Let P and Q be processes such that P ~ Q; then:
» .P ~ .Q, Act
» P+R ~ Q+R, R Proc
» R+P ~ R+Q, R Proc
» P|R ~ Q|R, R Proc
» R|P ~ R|Q, R Proc
» P[f] ~ Q[f], f : P(Act) P(Act) relabellings
» P\a ~ Q\a, a Act \ { }
• i.e. ‘~’ is a congruence for CCS

34

Other Properties of (~)
• The following properties hold P, Q, R:
• P+Q ~ Q+P // ‘+’ commutative
• (P+Q)+R ~ P+(Q+R) // ‘+’ associative
• P|Q ~ Q|P // ‘|’ commutative
• (P|Q)|R ~ P|(Q|R) // ‘|’ associative
• P+0 ~ P // ‘0’ neutral wrt. ‘+’
• P|0 ~ P // ‘0’ neutral wrt. ‘|’
• ...

35

Summary: Strong Bisimilarity (~)
• Properties of (~):
• an equivalence relation:
» reflexive, symmetric, and transitive
• the largest strong bisimulation:
» for proving bisimilarity (exhibit a bisimulation)
• strong bisimulation game:
» for proving non-bisimilarity (winning attack strategy)
• a congruence:
» P ~ Q => C[P] ~ C[Q]
• obeys the following algebraic laws:
» ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, …

should we look any further ?!?

36

WEAK BISIMULATION

37

Problems with Internal Actions: ‘τ’
• Q: a.τ.0 ~ a.0 ?
• How would you show this?
• Problem: ‘~’ does not:
• abstract away from internal actions
• Example:
Disp =def coin . (coke.Disp + sprite.Disp)
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud) \ {coin,coke}
Spec =def study . Spec

Impl ~ Spec?

38

Can we just erase tau-actions?
• Consider:
Dnasty =def coin.coke.Dnasty + coin.Dnasty
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud) \ {coin,coke}
• However, notice:
(coin.coke.Dnasty+coin.Dnasty | coin.coke.Stud) \ … can reach, by one tau-step, either (coke.Dnasty | coke.Stud) \ … or (Dnasty | coke.Stud) \ …
• i.e. we cannot simply erase tau-actions!

39

Define Weak Transition Relation
• Def: the “weak transition relation”: ‘=a=>’
• e.g., P =a=> Q iff P -τ-> … -τ-> P’ -a-> Q’ -τ-> … -τ-> Q
– Means that we can perform an action, a, by:
» first, “eating” any number of tau actions;
» then, performing the a action;
» last, “eating” any number of tau actions.
• This “eating” is precisely what will give the abstraction!

=a=> := (-τ->)* o (-a->) o (-τ->)* , if a is not τ ; (-τ->)* , if a = τ

40

Def: A Weak Bisimulation
• Let (Proc, Act, ) be a LTS
• Def: a bin. rel. R Proc Proc is a weak bisimulation iff whenever (s,t) R : aAct :
• if s -a-> s’ then t =a=> t’ for some t’ such that (s’,t’) R
• if t -a-> t’ then s =a=> s’ for some s’ such that (s’,t’) R
• Note:
• 1. Definition on LTS (not necessarily wrt. processes)
• 2. Definition relative to a (SOS) semantics (via LTS)

Intuition: “Only equate as consistently allowed by the semantics; …abstracting away from tau actions”

41

Def: Weakly Bisimilar
• A Weak Bisimulation:
• Def: a bin. rel. R Proc Proc is a weak bisimulation iff whenever (s,t) R : aAct :
• if s -a-> s’ then t =a=> t’ for some t’ such that (s’,t’) R
• if t -a-> t’ then s =a=> s’ for some s’ such that (s’,t’) R
• The Weak Bisimilarity relation:
• Def: two (processes) s and t are weakly bisimilar iff there is a weak bisimulation R with (s,t) R .
• i.e. weak bisimilarity := the union of { R | R is a weak bisimulation }

42

Example (from earlier)
• Example (from earlier):
Disp =def coin . (coke.Disp + sprite.Disp)
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud)\{coin,coke,sprite}
Spec =def study . Spec
• 1. Does it hold? Impl weakly bisimilar to Spec ?
• 2. How would you show this?

43

WEAK BISIMULATION GAMES

44

Weak Game Characterization
• Let (Proc, Act, ) be a LTS and s,t Proc
• The game is “similar” except:
• The defender may now use the weak transition relation ‘=a=>’
» …and thus abstract away from τ-actions
• The attacker still uses: ‘-a->’
• Theorem (weak bisimilarity):
• s and t are not weakly bisimilar iff there is a winning attack strategy
• s and t are weakly bisimilar iff there is a winning defensive strategy

45

Let’s Play…
• Example:
• a.τ.0 weakly bisimilar to a.0 ? yes
» How would you show this?
• Example’:
• 0 weakly bisimilar to τ.0 ? yes
• a.0 + 0 weakly bisimilar to a.0 + τ.0 ? no
• Any remarks?!?
• Any consequences of the above?
Thus weak bisimilarity is not a congruence(!); due to the context ( P+[] )
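An added example (not code from the slides) that computes what the games on slides 30 and 45 decide by hand: the finite traces of slide 8, the weak transition relation of slide 39, and the largest strong or weak bisimulation as a fixpoint over Proc x Proc. The LTSs are constructed here, encoding the two dispensers and the slide-45 processes as explicit states, which is an assumption of this example.

```python
TAU = "tau"  # the internal action; an LTS is {state: [(action, successor), ...]}

# Constructed LTSs (not from the slides): Disp = coin.(coke + sprite),
# Disp' = coin.coke + coin.sprite, and the processes of slide 45.
DISPENSERS = {"Disp": [("coin", "D1")], "D1": [("coke", "0"), ("sprite", "0")],
              "Disp'": [("coin", "E1"), ("coin", "E2")],
              "E1": [("coke", "0")], "E2": [("sprite", "0")], "0": []}
WEAK_EX = {"a.tau.0": [("a", "tau.0")], "tau.0": [(TAU, "0")], "a.0": [("a", "0")],
           "a.0+tau.0": [("a", "0"), (TAU, "0")], "0": []}  # "a.0" is a.0 + 0

def traces(lts, s, bound=10):
    """All traces from s of length <= bound (the bound guards against cycles)."""
    out, todo = set(), [(s, ())]
    while todo:
        p, tr = todo.pop()
        out.add(tr)
        if len(tr) < bound:
            todo.extend((q, tr + (a,)) for a, q in lts[p])
    return out

def weak_step(lts, s, a):
    """The weak transition s =a=>: tau* a tau* (just tau* when a is tau)."""
    def tau_closure(front):  # states reachable by zero or more tau steps
        seen, todo = set(front), list(front)
        while todo:
            for b, q in lts[todo.pop()]:
                if b == TAU and q not in seen:
                    seen.add(q); todo.append(q)
        return seen
    before = tau_closure({s})
    if a == TAU:
        return before
    return tau_closure({q for p in before for b, q in lts[p] if b == a})

def bisimilar(lts, s, t, weak=False):
    """Decide s ~ t (weak=False) or s weakly bisimilar to t (weak=True) by
    refining Proc x Proc down to the largest (weak) bisimulation."""
    respond = ((lambda u, a: weak_step(lts, u, a)) if weak else
               (lambda u, a: {q for b, q in lts[u] if b == a}))
    rel = {(u, v) for u in lts for v in lts}
    changed = True
    while changed:  # a deleted pair can invalidate others, so iterate
        changed = False
        for u, v in list(rel):  # attacker moves from u, then from v
            ok = all(any((u2, v2) in rel for v2 in respond(v, a)) for a, u2 in lts[u]) \
                and all(any((u2, v2) in rel for u2 in respond(u, a)) for a, v2 in lts[v])
            if not ok:
                rel.remove((u, v)); changed = True
    return (s, t) in rel
```

The dispensers come out trace equivalent but not strongly bisimilar, while a.τ.0 and a.0 are only weakly bisimilar and a.0 + 0 versus a.0 + τ.0 fails even weakly.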

46

Summary: Weak Bisimilarity
• Properties of weak bisimilarity:
• an equivalence relation:
» reflexive, symmetric, and transitive
• the largest weak bisimulation:
» for proving bisimilarity (exhibit a bisimulation)
• weak bisimulation game:
» for proving non-bisimilarity (winning attack strategy)
• not a congruence:
» P weakly bisimilar to Q does not imply C[P] weakly bisimilar to C[Q]
• obeys the following algebraic laws:
» ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, …
• abstracts away from internal tau-actions

47

Weak bisimilarity: “Fair Abstraction from Divergence”
• Consider:
• A =def a.0 + τ.B
• B =def b.0 + τ.A
– Note that:
» A, B and a.0 + b.0 are all weakly bisimilar !!!
• ..and even:
• Div =def τ.Div
» 0 and Div are weakly bisimilar !!!
• Intuition: “Fair Abstraction from Divergence”: “assumes processes (eventually) escape from loops”

48

CCS TOOLS

49

Example: A Protocol
• Implementation:
» Pimpl =def ( Send | Med | Rec ) \ L, where L = {send,error,trans,ack}
• Specification:
» Pspec =def acc . del . Pspec
• Verification:
» Pspec ~ Pimpl ? Pspec weakly bisimilar to Pimpl ?
» and what does that mean?
(Diagram: sender, (transport) medium, receiver; external actions accept and deliver)

50

The Concurrency Workbench
• CWB:
• Recommendation: try it out (before the exam)!
Command: eq(Spec,Impl); // weak bisimilarity -> CWB’s answer
Command: strongeq(Spec,Impl); // strong bisimilarity -> CWB’s answer

51

The Bisimulation Game Game
• The Bisimulation Game Game®
• Special Family Edition (w/ TV cables & remote control)
» Beat your sister at Process Algebra simulation…
(Box art: “The Bisimulation Game”, “Special Family Edition!”, Only $31,95)
[ http://www.brics.dk/bisim/ ]

52

"Three minutes paper"
• Please spend three minutes writing down the most important things that you have learned today (now).
(Chart of retention over time: Right away, After 1 day, After 1 week, After 2 weeks, After 3 weeks)

53

Next week: Program Equivalence, Imperative Blocks, Implementation, and other Semantic formalisms

Any Questions?

Thanks to Jiří Srba for inspiration to many of the slides