1
SEMANTICS (Q1,’07)
Week 6
Jacob Andersen
PhD student
andersen@daimi.au.dk
Semantics Q1 2007
2
Week 6 - Outline
•
•
•
•
•
A Tale of Two Coca-Cola Dispensers
About Equivalences
Strong + Weak Bisimulation
Bisimulation Games
CCS Tools
Semantics Q1 2007
3
CCS Syntax
• CCS Syntax:
P
::=
•
•
•
•
0
|
“0”
“.P”
“P+P”
“P|P”
• “P\L”
• “P[f]”
• “K”
Semantics Q1 2007
.P
|
P+P
|
P|P
|
… where
P\L
|
def
P[f]
|
K
def
K1 = P1, K2 = P2, …
// inaction
// action prefix,   Act
// non-deterministic choice
// parallel composition
// restriction (private name), L ⊆ L
Note: restrictions on f
// action relabelling
f:ActAct
// process variable,
a: f(a) = f(a)
K  K
 f() = 
4
SOS for CCS
• Structural Operational Semantics:
[ACT]
[CON]
[SUMj]
[COM2]
[COM1]
[REL]
[COM3]
[RES]
Q: why  (tau) in communication “P|Q” (instead of propagating a or a) ?
 ~ “the unobservable hand-shake”
Semantics Q1 2007
5
A TALE OF TWO COCA-COLA
DISPENSERS
Semantics Q1 2007
6
Once upon a time...
• Dispenser:
• coin . (coke + sprite)
• Dispenser’:
• coin.coke + coin.sprite
Would you consider them equal ‘=’ ?
Would you consider them equivalent ‘’ ?
What does it at all mean for them to be equivalent ‘’ ?!?
Semantics Q1 2007
’
7
Equal vs. Equivalent
• Equal (concrete identity):
• 3=3
• Equivalent (abstract):
Semantics Q1 2007
3  003
310  0x0316  \0038  00112
3  three
3
3  1+2
2

3  i=0i
3  let n=2 in n*(n-1)+(n-2)
more abstract
•
•
•
•
•
•
•
8
Trace Equivalence
• Definition: Trace Equivalence:
• Two processes P and Q are trace equivalent “tr” iff:
» They can produce the same traces:

» Traces(P) = { Act* |  Q : P *
Q}
• Example:
• Traces( coin . (coke + sprite) )
= { ,
coin,
coin;coke,
coin;sprite }
• Traces( coin.coke + coin.sprite )
= { ,
coin,
coin;coke,
Hence:
Semantics Q1 2007
tr
coin;sprite }
’
’
9
Contextual Composition…?
• Recall:
•
coin . (coke + sprite)
•
coin.coke + coin.sprite
Idea (can we…?):
put the two
dispensers in a
context where they
can be differentiated !
’
• "Coke-only-drinker":
•
• Contextual
composition:
Semantics Q1 2007
Trace equivalence
cannot distinguish
the two dispensers.
coin . coke . drink
What the.. !?
tr
problematic equality(!)
’
The coke drinker
is certainly able to
to distinguish the
two dispensers !!
10
ABOUT EQUIVALENCES
Semantics Q1 2007
11
Purpose of equivalences
• Recall examples from the homepage:
• Specification and (model of) program equivalent ?
• Two (models of) programs equivalent ?
Semantics Q1 2007
12
CCS: “Single-Language Formalism”
• CCS is a so-called “Single-lang. formalism”;
• i.e. one may specify both:
» implementation
» and specification
(
(
IMPL =def ...
SPEC =def ...
)
)
• We would like to check via some
(reasonable) equivalence, R , that:
• “The implementation has the intended behavior”:
»
Semantics Q1 2007
SPEC
R
IMPL
the spec. and impl. are “equivalent”
13
Equivalence “wish list”
• …so we would like:
• reflexitivity :
» SYS R SYS (same behavior as itself) !
• transitivity (for stepwise modelling/refinement) !!! :
» S0 R S1 R
...
R Sn R IMPL => S0 R IMPL
• symmetry (just a nice property to have):
» S R S’  S’R S
Semantics Q1 2007
14
Def: Equivalence Relation
• Let R be a binary relation over set A:
•R  A  A
• R is an equivalence relation iff:
• Reflexive:
» xA:
xR x
• Symmetric:
» x,yA:
xR y  yR x
• Transitive:
» x,y,zA:
xR y
 yR z  xR z
Q: is trace equivalence “tr” an equivalence relation ?
Semantics Q1 2007
Yes 
15
Equivalence “wish list” (cont’d)…
• Furthermore, we would like these
properties:
•
P+Q R
• (P+Q)+R R
•
P|Q R
• (P|Q)|R R
•
0+P R
•
0|P R
• ...
Q+P
P+(Q+R)
Q|P
P|(Q|R)
P
P
// ‘+’ commutative
// ‘+’ associative
// ‘|’ commutative
// ‘|’ associative
// ‘0’ is neutral wrt. ‘+’
// ‘0’ is neutral wrt. ‘|’
Trace equivalence ‘tr’ ?
Semantics Q1 2007
Yes 
16
…and (congruence wrt. CCS)
• Definition: “R ” congruence (wrt. CCS):
• P R Q  C[P] R C[Q] , for all contexts C[]
» “relation is preserved under contextual substitution”
• A context = a process with a gap:
C
:
.[] | []+P | P+[] | []|P | P|[] | [][f] | []\a
• Examples:
•P R
•P R
•P R
•P R
Q
Q
Q
Q




[]+R
P+R R Q+R
P|S R Q|S
[]|S
a.P R a.Q
a.[]
((a.P|R)+S)\x R ((a.Q|R)+S)\x
Congruence ‘tr’ ?
Semantics Q1 2007
17
Congruence (cont’d)
• Trace equivalence, ‘tr’, and contexts?
• Recall the two Coca-cola machines:
» coin . (coke + sprite)
» coin.coke + coin.sprite
’
• Now take the “Coke-only drinker”:
Idea (can we…?):
put the two
dispensers in a
context where they
can be differentiated !
» coin . coke . drink
– Although, we have that:
What the.. !?
tr
problematic equality
Semantics Q1 2007
’
The coke drinker
is certainly able to
to distinguish the
two dispensers !!
18
Trace Equiv. ~ DFM Acceptance
• Recall: a deterministic finite automaton, A:
• is completely identified by its set of traces: L(A)
• Trace equivalence ~ DFA acceptance:
• (without accept states - by construction)
• P tr Q iff they can produce the same traces
This point of view is totally justified and natural if we view our LTSs as nondeterministic devices that may generate or accept sequences of actions.
However, is it still a reasonable one if we view our automata as reactive
machines that interact with their environment ?
-- [Aceto, Larsen, Ingólfsdóttir, p. 41]
Semantics Q1 2007
19
STRONG BISIMULATION: (~)
Semantics Q1 2007
20
Def: A Strong Bisimulation
a
• Let (Proc, Act, )
be a LTS
• Def: a bin. rel. R  Proc  Proc is a strong
bisimulation iff whenever (s,t)  R : aAct :
• if s
• if t
a s’ then t 
a t’ for some t’ such that (s’,t’)  R

a t’ then s 
a s’ for some s’ such that (s’,t’)  R

• Note:
• 1. Definition on LTS (not necessarily wrt. processes)
• 2. Definition relative to a (SOS) semantics (via LTS)
Intuition: “Only equate as consistently allowed by the semantics”
Semantics Q1 2007
21
Def: Strongly Bisimilar (~)
• A Strong Bisimulation:
• Def: a bin. rel. R  Proc  Proc is a strong
bisimulation iff whenever (s,t)  R : aAct :
• if s
• if t
a s’ then t 
a t’ for some t’ such that (s’,t’)  R

a t’ then s 
a s’ for some s’ such that (s’,t’)  R

• The Strong Bisimilarity relation (~):
• Def: two (processes) s and t are strongly bisimilar
( s ~ t ) iff  strong bisimulation R : (s,t)  R .
• i.e. ‘~’ := {R | R is a strong bisimulation }
Semantics Q1 2007
22
Basic Properties of (~)
• Theorem:
• ‘~’ is an equivalence relation
(exercise…)
• Theorem:
• ‘~’ is the largest strong bisimulation
» i.e. for any bisimulation R we have that: R  ‘~’
• Theorem:
– s ~ t iff
• if s
• if t
Semantics Q1 2007
aAct :
a s’ then t 
a t’ for some t’ such that s’ ~ t’

a t’ then s 
a s’ for some s’ such that s’ ~ t’

23
How to Prove Strong Bisimilarity ?
• How to prove strong bisimilarity for two
processes ?
• i.e. s ~ t ?:
• Exhibit a (any) bisimulation R , for which:
• (s,t)  R
– By definition we get that:
» (s,t)  R  ‘~’ since ‘~’ was the largest bisimulation
Semantics Q1 2007
24
Example Proof of Bisimilarity
• Example:
• Buffer (capacity 1):
• Buffer (capacity 2):
• Show that: B0 ~ A0|A0
A0
A1
=def
=def
in . A1
out . A0
B0
B1
B2
=def
=def
=def
in . B1
in . B2 + out . B0
out . B1
R = { (B0 , A0|A0) , (B1 , A1|A0) , (B1 , A0|A1) , (B2 , A1|A1) }
B0
B1
B2
Semantics Q1 2007
A0|A0
A1|A0
A0|A1
A1|A1
25
How to Prove Non-Bisimilarity ?
• How to prove non-bisimilarity ?
• i.e. s ~ t
?
• Enumerate all binary relations:
• Check that none are bisimulations and contain (p,q)
» However: extremely expensive O(2|p||q|)
• Use “Feynman Problem-Solving Algorithm”:
» (1). Write down the problem;
» (2). Think very hard;
» (3). Write down the answer. 
• Or…
Semantics Q1 2007
26
(~) BISIMULATION GAMES
Semantics Q1 2007
27
The (Strong) Bisimulation Game
a
• Let (Proc, Act, )
be a LTS and s,t  Proc
• Define 2-player game: [ attacker v defender ]
• The game is played in “rounds” and the configurations
of the game are (Proc  Proc);
» The game starts (first round) in (s,t)  Proc  Proc
• Intuition (objectives):
• The defender wants to show that: s ~ t
• The attacker wants to show that: s ~ t
Semantics Q1 2007
Cf. the note on
SI proofs section
6 (p. 4).
28
Rules of the Bisimulation Game
• In round k the players change the current
configuration (sk,tk) as follows:
• First, the attacker chooses:
» 1) one of the processes (e.g. tk); i.e., left or right;
» 2) a legal action from that process: a  Act;
a t
» 3) a legal transition according to the LTS: tk 
k+1
• Then, the defender chooses:
» -) a “counter-move” using same action, a:
a s
sk 
k+1
• (sk+1,tk+1) becomes the next round’s configuration…
• Winning:
• If one player (only) cannot move, the other player wins
• If the game is infinite (repeats configuration), the defender wins
Semantics Q1 2007
29
Game Characterization of (~)
• Theorem:
• States (processes) s and t are not strongly bisimilar
iff the attacker has a universal winning strategy
• States (processes) s and t are strongly bisimilar
iff the defender has a universal winning strategy
• (s ~ t) basically means that:
“the ‘perfect attacker’ always wins”
• (s ~ t) basically means that:
“the ‘perfect defender’ always wins”
Semantics Q1 2007
30
•
Let’s Play…
?
’
Let’s play…:
~
coin . (coke + sprite)
’
coin
coke
coin.coke + coin.sprite
coin
sprite
coke
•~ / ~ ? show of hands…
Semantics Q1 2007
coin
sprite
’
31
Another Game…
• Are the following two LTS(/processes)
s and t strongly bisimilar: s ~ t ?
• There’s a universal attack strategy 
hence, they are not strongly bisimilar : s ~ t
Semantics Q1 2007
32
(~) CONGRUENCE
Semantics Q1 2007
33
(~) is a Congruence for CCS
• Theorem:
• Let P and Q be processes such that P ~ Q; then:
» .P ~ .Q
» P+R ~ Q+R
» R+P ~ R+Q
» P|R ~ Q|R
» R|P ~ R|Q
» P[f] ~ Q[f]
» P\a ~ Q\a
  Act
R  Proc
R  Proc
R  Proc
R  Proc
f : P(Act)  P(Act) relabellings
a  Act \ {  }
• i.e. ‘~’ is a congruence for CCS
Semantics Q1 2007
34
Other Properties of (~)
• The following properties hold P, Q, R:
•
P+Q
• (P+Q)+R
•
P|Q
• (P|Q)|R
•
P+0
•
P|0
• ...
Semantics Q1 2007
~
~
~
~
~
~
Q+P
P+(Q+R)
Q|P
P|(Q|R)
P
P
// ‘+’ commutative
// ‘+’ associative
// ‘|’ commutative
// ‘|’ associative
// ‘0’ neutral wrt. ‘+’
// ‘0’ neutral wrt. ‘|’
35
Summary: Strong Bisimilarity (~)
• Properties of (~):
• an equivalence relation:
» reflexive, symmetric, and transitive
• the largest strong bisimulation:
» for proving bisimilarity (exhibit a bisimulation)
• strong bisimulation game:
» for proving non-bisimilarity (winning attack strategy)
• a congruence:
» P ~ Q => C[P] ~ C[Q]
• obeys the following algebraic laws:
» ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, …
Semantics Q1 2007
should we look any further ?!?
36
WEAK BISIMULATION: ()
Semantics Q1 2007
37
Problems with Internal Actions: ‘’
• Q: a.τ.0 ~ a.0 ?
• How would you show this?
• Problem ‘~’ does not:
• abstract away from internal actions
• Example:
Disp =def coin . (coke.Disp + sprite.Disp)
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud) \ {coin,coke}
Semantics Q1 2007
Spec =def study . Spec
? Spec
Impl ~
38
Can we just erase tau-actions?
• Consider:
Dnasty =def coin.coke.Dnasty + coin.Dnasty
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud) \ {coin,coke}
• However, notice:
(coin.coke.Dnasty+coin.Dnasty | coin.coke.Stud) \ …

(coke.Dnasty | coke.Stud) \ …

(Dnasty | coke.Stud) \ …
• i.e. we cannot simply erase tau-actions!
Semantics Q1 2007
39
Define Weak Transition Relation

• Def: the “weak transition relation”: ‘’


:



( ‘’ )* o ‘’ o ( ‘’ )*
 )*
( ‘’
, if   
, if  = 
a
a Q’ 
 …
 …
 P’ 
 Q
• e.g., P 
Q iff P 
– Means that we can perform an action, a, by:
» first, “eating” any number of tau actions:
» then, performing the a action;
» last, “eating” any number of tau actions:


• This “eating” is precisely what will give the abstraction!
Semantics Q1 2007
40
Def: A Weak Bisimulation
a
• Let (Proc, Act, )
be a LTS
• Def: a bin. rel. R  Proc  Proc is a weak
bisimulation iff whenever (s,t)  R : aAct :
• if s
• if t
a
a s’ then t 

t’ for some t’ such that (s’,t’)  R
a
a t’ then s 

s’ for some s’ such that (s’,t’)  R
• Note:
• 1. Definition on LTS (not necessarily wrt. processes)
• 2. Definition relative to a (SOS) semantics (via LTS)
Intuition: “Only equate as consistently allowed by the semantics;
…abstracting away from tau actions”
Semantics Q1 2007
41
Def: Weakly Bisimilar ()
• A Weak Bisimulation:
• Def: a bin. rel. R  Proc  Proc is a weak
bisimulation iff whenever (s,t)  R : aAct :
• if s
• if t
a
a s’ then t  t’ for some t’ such that (s’,t’)  R

a
a t’ then s 

s’ for some s’ such that (s’,t’)  R
• The Weak Bisimilarity relation ():
• Def: two (processes) s and t are weakly bisimilar
( s  t ) iff  weak bisimulation R : (s,t)  R .
• i.e. ‘’ := {R | R is a weak bisimulation }
Semantics Q1 2007
42
Example (from earlier)
• Example (from earlier):
Disp =def coin . (coke.Disp + sprite.Disp)
Stud =def study . coin . coke . Stud
Impl =def (Disp | Stud)\{coin,coke,sprite}
• 1. Does it hold?
• 2. How would you show this?
Semantics Q1 2007
Spec =def study . Spec
Impl ?
 Spec
43
() BISIMULATION GAMES
Semantics Q1 2007
44
Weak Game Characterization
a
• Let (Proc, Act, )
be a LTS and s,t  Proc
• The game is “similar” except:
a
• The defender may now use the ‘’
relation
» …and thus abstract away from -actions
a
• The attacker still uses: ‘’
• Theorem ():
• s  t iff  winning attack strategy
• s  t iff  winning defensive strategy
Semantics Q1 2007
45
Let’s Play…
• Example:
• a..0  a.0 ?
yes 
» How would you show this?
• Example’:
• 0  .0 ?
• a.0 + 0  a.0 + .0 ?
yes 
no 
• Any remarks?!?
• Any consequences of the above?
Thus “” not a congruence(!); due to ( P+[])
Semantics Q1 2007
46
Summary: Weak Bisimilarity ()
• Properties of ():
• an equivalence relation:
» reflexive, symmetric, and transitive
• the largest weak bisimulation:
» for proving bisimilarity (exhibit a bisimulation)
• weak bisimulation game:
» for proving non-bisimilarity (winning attack strategy)
• not a congruence:
» P  Q => C[P]  C[Q]
• obeys the following algebraic laws:
» ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, …
• abstracts away from internal tau-actions
Semantics Q1 2007
47
():“Fair Abstraction from Divergence”
• Consider:
• A =def a.0 + .B
• B =def b.0 + .A
– Note that:
» A  B  a.0 + b.0
!!!
• ..and even:
• Div =def .Div
» 0  Div
!!!
• Intuition: “Fair Abstraction from Divergence”:
»  “assumes processes (eventually) escape from loops”
Semantics Q1 2007
48
CCS TOOLS
Semantics Q1 2007
49
Example: A Protocol
sender
receiver
(transport)
medium
• Implementation:
»Pimpl =def ( Send | Med | Rec ) \ L
L = {send,error,trans,ack}
• Specification:
»Pspec =def acc . del . Pspec
• Verification:
accept deliver
» Pspec ?
~ Pimpl
Semantics Q1 2007
Pspec ?
 Pimpl
and what does that mean?
50
The Concurrency Workbench
• CWB:
Command: eq(Spec,Impl);
CWB’s answer
// weak bisimilarity
Command: strongeq(Spec,Impl);
CWB’s answer
// strong bisimilarity
• Recommendation: try it out (before the
exam)!
Semantics Q1 2007
51
The Bisimulation Game Game
“The Bisimulation Game”
Only
$31,95
“Special Family Edition!”
• The Bisimulation Game Game®
• Special Family Edition (w/ TV cables & remote control)
» Beat your sister at Process Algebra simulation…
[ http://www.brics.dk/bisim/ ]
Semantics Q1 2007
52
"Three minutes paper"
• Please spend three minutes writing down the
most important things that you have learned
today (now).
Right away
After 1 day
After 1 week
After 2 weeks
Semantics Q1 2007
After 3 weeks
53
Next week:
Program Equivalence,
Imperative Blocks,
Implementation, and other
Semantic formalisms
Any Questions?
Thanks to Jiří Srba
for inspiration to many of the slides
Semantics Q1 2007