394
Ser. F Information Sciences 2004 Vol.47 No.3 394—408
A predicate spatial logic for mobile processes
LIN Huimin
Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China (email: [email protected])
Received December 3, 2003
Abstract A modal logic for describing temporal as well as spatial properties of mobile processes, expressed in the asynchronous π-calculus, is presented. The logic has recursive constructs built upon predicate variables. The semantics of the logic is established and shown to be monotonic, which guarantees the existence of fixpoints. An algorithm is developed to automatically check whether a mobile process has the properties described by formulas of the logic. The correctness of the algorithm is proved.
Keywords: modal logic, predicate μ-calculus, model checking, mobile processes, asynchronous π-calculus.
DOI: 10.1360/02yf0385
1 Introduction
Spatial logics have been recently proposed to describe properties of mobile computation in which processes may evolve not only over time but also over space. The efforts so far have been mainly focused on mobile ambients, and the proposed logics lack recursive constructs and are therefore unable to express properties of processes with infinite behaviour. Very recently, a spatial logic with recursion was introduced in refs. [4, 5] for the asynchronous π-calculus. Although the logic is first-order, fixpoint formulas are constructed using propositional variables, a feature inherited from the propositional μ-calculus. This disparity makes the semantics developed there rather complicated. In particular the notion of free names of a recursive formula has to rely on a semantic interpretation, and thus is not constructive.
In this paper we shall present a spatial logic for the asynchronous π-calculus which is based on predicates. Predicates are functions from names (representing communication channels). Fixpoint formulas are formed using predicate variables which explicitly take name parameters. As a consequence, the notion of free names of a formula is purely syntactic and computable. Compared with ref. [4] our semantics is much simpler and cleaner. We also investigate the model checking problem for such a logic over finite processes. The algorithm we propose handles both temporal and spatial modalities. It is the first model checking algorithm for a spatial logic for the asynchronous π-calculus. The treatment of first-order quantification, in particular the fresh name quantification, relies on the ability to effectively calculate the sets of free names of fixpoint formulas in our predicate-based approach.
In the next section we shall briefly recall the syntax and semantics of the asynchronous π-calculus. The logic is presented in Section 3, and its semantics is described in the section that follows. Section 5 is devoted to the development of a model checking algorithm for the logic. The paper is concluded with Section 6, where related work is also discussed.
Copyright by Science in China Press 2004
2 Asynchronous π-calculus
Let  be a countable set of names, ranged over by . The language of the asynchronous π-calculus is given by the following BNF grammar:
 is the inactive process;  is the parallel composition of  and ;  is the restriction of  in ;  is input prefixing;  is output, which has no continuation;  is replication, denoting countably infinitely many copies of  running in parallel. The set of all processes is denoted by .
The language has two binding constructs: both restriction  and input  bind  in . The sets of bound and free names of  are denoted by  and , respectively. Processes which differ only in the renaming of bound names are called α-equivalent, denoted . We shall not distinguish between α-equivalent processes. Substitutions, ranged over by , are partial mappings from  to . Substitutions are postfixing and bind tighter than any operator in the language. A transposition is a special substitution that swaps only a pair of names. Transpositions will be ranged over by . For any process  and transposition , we have . If  is a set of processes then we let . We shall abbreviate  to .
Definition 2.1 (Structural congruence). Structural congruence  is the least congruence relation on processes generated from the rules listed in fig. 1.
Lemma 2.2. If  then .
Proof.
Reduction relation  is defined by the rules listed in fig. 2. Some basic properties of reduction are listed in the following proposition:
Proposition 2.3. For any processes  and substitution ,
1.  implies ;
2.  implies ;
3.  and  implies  for some .
Proof. By reduction induction. Straightforward.
Fig. 1. Structural congruence.
Fig. 2. Reduction rules.
3 A predicate μ-calculus
We assume a countably infinite set  of name variables, ranged over by , which is disjoint from . We also assume a countably infinite set  of predicate variables, ranged over by . Each predicate variable has associated with it an arity which is a natural number. We use  to range over . The set of formulas of the logic is given by the following BNF grammar:
There are two kinds of formulas: propositions () and predicates (!). For propositions, we have the usual logical connectives , as well as the first-order universal quantifier  from predicate calculus. We also have operators which allow us to talk about the structure of processes:  is satisfied by any process which is structurally congruent to ;  is satisfied by any process which can be decomposed into two processes, one satisfying  and the other satisfying ;  is the adjunct of : a process  satisfies  if whenever  satisfies  then  satisfies ;  allows one to “reveal” a private name:  satisfies  if it is structurally congruent to  for some  satisfying ; the adjunct of  is :  satisfies  if  satisfies ;  is satisfied by any process which is structurally congruent to . There is also a fresh name quantifier:  satisfies N  if, for some name  fresh with respect to both  and , i.e.  does not occur free in either  or ,  has property . The combination of fresh name quantification and revelation gives us the power to talk about name restriction:  satisfies N  if  has the form  for some  satisfying . Finally, we have a standard next-time modality:  satisfies  if it has a reduction  and  satisfies .
Fixpoint formulas reside in the world of predicates. A predicate is either a predicate variable , an abstraction , or a greatest fixpoint !. The arity of a predicate ! is defined thus: the arity of  if ! has the form  or !, or the length of  if ! has the form .
Both the universal quantification  and the fresh name quantification N bind  with scope ; the abstraction  binds every variable in  with scope . In !  the predicate variable  is bound with scope !. These introduce the notions of bound and free name variables as well as bound and free predicate variables in the usual way. The sets of free names and free name variables of a formula  are denoted by  and ", respectively. Formulas that do not have free name variables are called name-closed. Likewise, formulas that do not have free predicate variables are called predicate-closed. Note that a name-closed formula may still have free names. When forming an abstraction  it is always required that  is a vector of distinct name variables, and ", i.e. abstractions are completely name-closed, in the sense that they have neither free name variables nor free names. As a consequence, all predicates are completely name-closed. Because of this the free names and free name variables of an application !  are solely determined by the parameter part .
Formulas that differ only in the renaming of bound variables are called α-equivalent, and will be identified. We extend the notion of substitution to allow not only names but also name variables to be replaced by names. Thus substitutions are partial mappings from  to  which are the identity on . We shall regard  as , the outcome of capture-avoiding substitution of  by  in .
Negation is a negative operator. For each ,  can be regarded as a unary operator which is also negative. Let #/ #! denote the set of free predicate variables which occur under an even number of negative operators in /!, and $% /$% ! denote the set of free predicate variables which occur under an odd number of negative operators in /!. A recursive formula ! is well-formed if the arity of  is equal to that of !, ! is completely name-closed, and $% !. A formula is well-formed if every recursive subformula of it is well-formed. We shall only consider well-formed formulas in this paper.
4 Satisfaction
Semantics will be given to name-closed formulas which may contain free predicate variables. To interpret them we need predicate valuations. A predicate valuation " is a mapping assigning to each , of arity , a function ". The modification of " at  by  is denoted by ". For each , let  %  if and only if  for any . Then  is a complete lattice, with meet  and join . We shall omit the superscript and simply write  and  when no confusion may arise.
The denotation of formulas is defined in fig. 3, where a proposition is interpreted as an element of  and a predicate with arity  as an element of the function space . We shall write  to mean . If  is a closed formula then  does not depend on any valuation and we shall omit the subscript ".
A basic property of the semantics is monotonicity, which guarantees the existence of fixpoints:
Theorem 4.1.
1. Suppose  and $% !. Then (a) % implies ; (b) ! !.
2. Suppose  and # !. Then (a) % implies ; (b) ! !.
Proof. See the appendix.
Corollary 4.2. ! is the greatest fixpoint of the functional & !.
Proof. Let  be the arity of !. Since  occurs positively in !, by Theorem 4.1 & ! is a monotonic function over the complete lattice ; therefore, by the Knaster-Tarski theorem, it admits the greatest fixpoint, given by !.
This corollary justifies the fixpoint unfolding rule: ! ! !.
Now we set out to establish some important results concerning fresh names. A name is fresh with respect to a process  and a proposition  if it is not free in  and . Since  and  have only a finite number of free names, there are co-finitely many fresh names with respect to them. Intuitively, a role played by a fresh name in determining a relationship between  and  should equally be played by any other fresh name, because they have the same status with respect to  and . As a consequence, in order to check if , one needs to examine only a finite number of names, namely the free names of  and , plus a fresh name, although there are infinitely many names. This is an advantage of working with name-based calculi such as the π-calculus and the mobile ambients.
Fig. 3. Denotation of (name-closed) formulas.
It turns out that transpositions are a useful instrument in proving properties concerning fresh names.
Definition 4.3. Let  be a transposition. A function  is -preserving if  for any . A valuation " is -preserving if "  is -preserving for any .
Lemma 4.4. Suppose " is -preserving. Then
1. .
2. ! is -preserving.
Proof. See the appendix.
According to the semantics of the fresh name quantification, satisfies N if there is a fresh name such that satisfies . Since is not free in either or , this particular choice of should not matter: any other name with should equally do. Thus the semantics of N can also be characterised “universally”:
Proposition 4.5 (Gabbay-Pitts property).
1.  for some  iff  for every  such that  is preserved by " on '".
2. For a closed formula N ,  N  iff  for every .
Proof. Since 2 is a direct corollary of 1, we only need to prove 1. The “if” direction is trivial. For the “only if” direction, suppose  for some . For any  such that  and " is -preserving on '", we have, by Lemma 4.4, . Since , . Therefore .
According to the semantics of , to check if  requires instantiating  with every name. However, as the following proposition demonstrates, it is sufficient to consider only the free names of  and , plus one fresh name. This finite characterisation will be exploited in the model checking algorithm in Section 5.
Proposition 4.6. Suppose . Then  iff .
Proof. The “only if” direction is trivial. For the “if” direction, assume . We show  for any . This is immediate if . Now suppose . By the same argument as in the “only if” part of the proof of Proposition 4.5, we can establish . Since , . Therefore .
In the remainder of this section we list a few operators which are definable in the logic. The definitions of ,  and  are standard:
We extend negation to abstractions by letting . Then the least fixpoint can be defined: ! !.
The dual of ¿ is ¾: ¾ ¿. Now the “sometime” and “anytime” modalities: ¿ ¿ ¾ ¾, where  is not free in . Let  be the reflexive and transitive closure of . It is easy to check that ¿ if and only if  for some , and ¾ if and only if whenever  then .
Combining fresh name quantification with revelation enables one to talk about “hidden names”: let H  N . Then one can check that H if and only if  and . Note that  is a “private” name of .
5 Model checking
This section is devoted to developing a model checking algorithm for the proposed logic. Since having either replication in the calculus or the composition adjunct in the logic leads to undecidability of model checking, we shall restrict ourselves to the replication-free subset of the calculus and the composition-adjunct-free fragment of the logic.
A process is guarded if it is either an output  or an input . A process is in normal form if it either is  or has the form , where ! ( ) are different names and  is a parallel composition of guarded processes. A normal form is a strict normal form if  for any ! ( ).
Lemma 5.1. Any replication-free process  can be effectively transformed into a strict normal form which is structurally congruent to .
Proof. By renaming we may assume all bound names in  are pairwise distinct and different from any free names. We first show that  can be effectively transformed into a normal form, by induction on the structure of .
.  is already in normal form.
. By the induction hypothesis,  and  have normal forms. If one of the normal forms is  then  is structurally congruent to the other by StrParNil; otherwise let  and , where  and  are guarded. By assumption we have . Therefore, by StrResPar, , which is in normal form.
. By the induction hypothesis,  has a normal form . By assumption . Therefore, by StrResRes, , which is in normal form.
.  is already in normal form.
.  is already in normal form.
By repeatedly applying Lemma 2.2, which is an effective process, to the normal form of  we can transform it into a strict normal form. We denote the normal form and the strict normal form of  by  and , respectively. If  then we write  for any .
Proposition 5.2.
1.  if and only if either  and , or  and .
2. For any process , the set  is computable.
Proof. 1. By comparing the normal forms of  and . The “ and ” part is justified by Lemma 2.2.
2. Because the process of transforming  into  is effective.
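As an added example that is not part of the paper, the following Python code implements the strict normal form construction of Lemma 5.1 and uses it to decide structural congruence as in Proposition 5.2 (the case the algorithm of fig. 4 dispatches on) for the replication-free asynchronous π-calculus. The term constructors, the sample processes and the marker convention for renamed bound names are assumptions made here, not the paper's notation.

```python
# Added example (not the paper's code): Lemma 5.1 strict normal forms and the Proposition 5.2
# congruence check for the replication-free asynchronous pi-calculus. Assumption: user-chosen
# names never contain '#' or '@' (reserved here as markers for renamed bound names).
from collections import namedtuple
from itertools import permutations

Nil = namedtuple("Nil", [])                     # 0
Out = namedtuple("Out", "chan msg")             # a<b>, output without continuation
In  = namedtuple("In", "chan var body")         # a(x).P, binds x in P
Par = namedtuple("Par", "left right")           # P | Q
Res = namedtuple("Res", "name body")            # (nu n)P, binds n in P

def free_names(p):
    if isinstance(p, Nil): return frozenset()
    if isinstance(p, Out): return frozenset({p.chan, p.msg})
    if isinstance(p, In):  return frozenset({p.chan}) | (free_names(p.body) - {p.var})
    if isinstance(p, Par): return free_names(p.left) | free_names(p.right)
    return free_names(p.body) - {p.name}

def rename(p, old, new):
    """Replace free occurrences of name `old` by `new`; callers always pass a fresh `new`."""
    sub = lambda n: new if n == old else n
    if isinstance(p, Nil): return p
    if isinstance(p, Out): return Out(sub(p.chan), sub(p.msg))
    if isinstance(p, In):  return In(sub(p.chan), p.var, p.body if p.var == old else rename(p.body, old, new))
    if isinstance(p, Par): return Par(rename(p.left, old, new), rename(p.right, old, new))
    return p if p.name == old else Res(p.name, rename(p.body, old, new))

def strict_normal_form(p):
    """Lemma 5.1: return (restricted names, guarded components). Bound names are renamed
    apart, restrictions pulled to the top (StrResPar, StrResRes), 0 dropped (StrParNil),
    and restrictions of names not free in the body dropped (Lemma 2.2)."""
    counter = [0]
    def go(q):
        if isinstance(q, Nil): return [], []
        if isinstance(q, (Out, In)): return [], [q]
        if isinstance(q, Par):
            r1, g1 = go(q.left); r2, g2 = go(q.right)
            return r1 + r2, g1 + g2
        counter[0] += 1
        fresh = f"#{counter[0]}"
        r, g = go(rename(q.body, q.name, fresh))
        return [fresh] + r, g
    restricted, guarded = go(p)
    used = frozenset().union(*map(free_names, guarded))
    return [n for n in restricted if n in used], guarded

def canonical(p, depth=0):
    """Proposition 5.2: a string equal for P and Q iff P and Q are structurally congruent.
    Restricted names are tried in every order (renaming of bound names), components are
    sorted (| is commutative and associative), input continuations are canonicalised
    recursively; `depth` keeps positional markers of nested binders distinct."""
    forms = []
    restricted, guarded = strict_normal_form(p)
    for order in permutations(restricted):
        comps = guarded
        for i, n in enumerate(order):
            comps = [rename(g, n, f"@{depth + i}") for g in comps]
        parts = sorted(canon_guarded(g, depth + len(order)) for g in comps)
        forms.append(f"(nu {len(order)})" + "|".join(parts))
    return min(forms)

def canon_guarded(g, depth):
    if isinstance(g, Out): return f"{g.chan}<{g.msg}>"
    v = f"@{depth}"                                 # positional marker for the bound variable
    return f"{g.chan}({v}).{canonical(rename(g.body, g.var, v), depth + 1)}"

def congruent(p, q):
    return canonical(p) == canonical(q)

# Constructed sample terms: (nu n)(a(x).x<n> | 0) and (nu m)(0 | a(y).y<m>) are congruent;
# (nu n)(a<n>) | a<n> and (nu n)(a<n> | a<n>) are not (the free n must not be captured).
P1 = Res("n", Par(In("a", "x", Out("x", "n")), Nil()))
P2 = Res("m", Par(Nil(), In("a", "y", Out("y", "m"))))
P3 = Par(Res("n", Out("a", "n")), Out("a", "n"))
P4 = Res("n", Par(Out("a", "n"), Out("a", "n")))
```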
If  then we shall abbreviate  to $. If * ) then we shall abbreviate  to . In particular, if $ and * then $  and . The symbol  stands for disjoint union.
Proposition 5.3. Suppose $ . Then  if and only if for some $ $ and * * such that $ $  and * * *, it holds that  and .
Corollary 5.4. If $ $ $ * * *, we have  if and only if  and  for some .
1. It is decidable if .
2. It is decidable if .
Proof. Use Lemma 5.1.
Proposition 5.5. For any process ,  is computable.
Proof. By induction on the structure of . Writing +,#' for the set $ , we have  iff  and  iff .
The model checking algorithm is presented in fig. 4, where each call of the function newname returns a fresh name (i.e. a name not used before).
Theorem 5.6. For any replication-free process  and composition-adjunct-free formula ,  always terminates and it returns true if and only if .
Proof. Since  is finite, termination is guaranteed. For correctness, we examine each case according to the structure of the formula. The cases for  and  follow directly from the semantic definition of fig. 3. Case ! is justified by Corollary 4.2, case  by Proposition 4.6, case N by Proposition 4.5, case  by Proposition 5.2, and case  by Corollary 5.4.
Fig. 4. The model checking algorithm.
6 Conclusion and comparison with related work
We have presented a predicate-based modal logic for the asynchronous π-calculus. It has modalities for describing temporal as well as spatial properties of mobile processes. Besides the usual first-order quantification, it also has fresh name quantification, which is useful for expressing secret connections between concurrent computing agents. We also proposed an algorithm for model checking finite processes against formulas without the composition adjunct.
As mentioned in the Introduction, a similar logic was proposed in ref. [4]. The main difference between our work and that of Caires and Cardelli lies in the way recursive formulas are constructed. Despite the fact that the logic is first order, ref. [4] employs propositional variables to form fixpoint formulas. In such a setting, propositional variables stand for formulas which may contain free names, but the variables, being propositional, do not have such names. This mismatch causes complications. For instance, in our logic the recursive predicate N  is interpreted as a single function from  to , while in ref. [4] it has to be implemented as a family of propositions N , where  is a propositional variable, one for each name . Furthermore, in the subformula N , the propositional variable  stands for the entire formula, hence implicitly contains the name  free; thus in the denotation of N ,  should not be instantiated with . But  does not syntactically occur in N . To remedy this, ref. [4] developed a machinery of property sets, to be used as legal denotations of formulas. Thus an interpretation of a formula is not just a set of processes (as is standard in modal logics for processes), but rather a “property set”, which is a set of processes (those satisfying the formula) equipped with a finite set of names (to serve as the “free names” of this particular interpretation). In our approach this complication has been avoided because our logic is predicate-based, hence the name parameters of recursive formulas are present explicitly in the syntax. On the semantic side we live comfortably in the world of functions. Having a purely syntactic and effective notion of free names also facilitates the development of model checking algorithms, a subject not touched in ref. [4].
As for other related work, we mention refs. [8, 9], which discuss model checking for finite spatial logics for the Ambient Calculus. A model checking algorithm for a traditional modal logic (without spatial modalities) for the synchronous π-calculus has also been presented.
Appendix. Proofs of Theorem 4.1 and Lemma 4.4
Proof of Theorem 4.1. By mutual induction on the structures of  and !. Most cases are straightforward, and we only examine the non-trivial cases below.
£ - . Then $% - and # . 1. Assume % and let . Suppose . Hence induction hypothesis 1(), . Therefore induction hypothesis 1(),
. By By .
2. Symmetrical.
.
1. Assume
% and let
. Then
. By induction hypothesis 1(), .
for some . Hence
2. Symmetrical.
¿
.
1. Assume
% and let
. Then
for some
. By induction hypothesis 1(a), .
. Hence
2. Symmetrical.
.
1. Assume % and let . Then for any . By induction hypothesis 1(a), . Hence .
2. Symmetrical.
N
.
1. Assume
% and let
. Then for some
. By induction hypothesis 1(a),
Hence .
, .
2. Symmetrical.
!
.
1. Assume %. By induction hypothesis 1(b), ! !. Hence ! !.
2. Symmetrical.
! .
1. Assume
!
%. For any ,
!
induction hypothesis 1(a)
Hence !
!
.
2. Symmetrical.
!. Then $%. 1. Assume %. If  then the result is immediate. Now assume
By definition,
!
!
/ / / /
.
.
.
For any , let
! , i.e.
/ for some / s.t. / . . By induction hypothesis 1(b),
.
. . .
. Therefore ! . It follows ! . Since is arbitrary, we conclude
Hence / . that ! ! ! .
2. Symmetrical. The remaining cases are similar and omitted.
Lemma A1. Given a transposition and a function thus: for any . Then
, define
1. is -preserving. 2. If
% and % is -preserving then %.
Proof.
1. For any ,
2. For any , since % , % and preserving, % % % . Hence
% . Since % is -
% % % % %
Proof of Lemma 4.4. By mutual induction on the structures of and ! . Instead , because the other direction of of the equality in 1, we shall prove inclusion follows immediately from this: If , then ! , . For the same reason it suffices to prove ! for any , in 2. We only examine the non-trivial cases.
- . Let . Then , i.e. for some and such that and - . By induction hypothesis 1, and - . Hence - .
£- . Let . Then , i.e. for any . Hence - . Let . Then, by induction hypothesis 1, . Therefore - . So - . By - induction hypothesis 1 again, - . It follows that
.
. Let . Then , i.e. for some . So . By induction hypothesis 1, . Hence
. ¿ . Let . Then ¿ . So there is such that
and . By Proposition 2.3,
. By induction . Hence ¿ ¿ . hypothesis 1, . Let . Then , i.e. , or , for any . For any , let . Then . By equally, . induction hypothesis 1, . Hence N . Then N . Let and . for some Write for . Then and . So . Let be a name such that . . Write for . Since , Then
. By induction hypothesis 1,
. By induction . Hence
hypothesis 1 again,
Since N , we conclude N .
!
. Then ! . By induction hypothesis 2, ! is -preserving. So ! ! . Therefore ! ! !
!
. For any ,
!
!
Induction hypothesis
"
"
!. Then $%. To show ! !, let !. Then  for some  such that .
for any , and
. Therefore there is such that . Let be as defined in Lemma A1. Then and is -preserving. By Theorem 4.1, . . . Since " is -preserving, . is . Now -preserving by induction hypothesis 2. By Lemma A1, .
. Hence ! .
The remaining cases are similar and omitted.
Acknowledgements
This work was supported by research grants from the National Natural Science Foundation of China and the Chinese Academy of Sciences.
References
1. Cardelli, L., Gordon, A., Anytime, Anywhere: Modal logics for mobile ambients, in Proceedings of POPL’2000, ACM Press, Jan. 2000, 365—377.
2. Cardelli, L., Gordon, A., Logical properties of name restriction, in Proceedings of the 5th International Conference on Typed Lambda Calculi and Applications, LNCS 2044, Berlin: Springer-Verlag, 2001, 46—60.
3. Cardelli, L., Gordon, A., Mobile ambients, Theoretical Computer Science, Elsevier, 2000, 240: 177—213.
4. Caires, L., Cardelli, L., A spatial logic for concurrency (Part I), in Proceedings of the 4th International Conference on Theoretical Aspects of Computer Science (TACS 2001), LNCS 2215, Berlin: Springer-Verlag, 2001, 1—37.
5. Caires, L., Cardelli, L., A spatial logic for concurrency (Part II), in Proceedings of the 13th International Conference on Concurrency Theory (CONCUR 2002), LNCS 2421, Berlin: Springer-Verlag, 2002, 209—225.
6. Honda, K., Tokoro, M., On asynchronous communication semantics, in M. Tokoro, O. Nierstrasz and P. Wegner (eds.), Proceedings of the International Conference on Object-Based Concurrent Computing, LNCS 612, Berlin: Springer-Verlag, 1992, 21—51.
7. Boudol, G., Asynchrony and the π-calculus, Rapport de Recherche 1702, INRIA Sophia-Antipolis, May 1992.
8. Charatonik, W., Talbot, J.-M., The decidability of model checking mobile ambients, in Proceedings of the 15th Annual Conference of the European Association for Computer Science Logic, LNCS 2142, Berlin: Springer-Verlag, 2001, 339—354.
9. Charatonik, W., Dal Zilio, S., Gordon, A. et al., The complexity of model checking ambients, in Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2001), F. Honsell, M. Miculan (eds.), LNCS 2030, Berlin: Springer-Verlag, 2001, 152—167.
10. Dam, M., Model checking mobile processes, Information and Computation, Academic Press, 1996, 129: 25—51.