A predicate spatial logic for mobile processes


   Ser. F Information Sciences 2004 Vol.47 No.3 394—408

A predicate spatial logic for mobile processes LIN Huimin Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China (email: [email protected]) Received December 3, 2003

Abstract A modal logic for describing temporal as well as spatial properties of mobile processes, expressed in the asynchronous π-calculus, is presented. The logic has recursive constructs built upon predicate variables. The semantics of the logic is established and shown to be monotonic, which guarantees the existence of fixpoints. An algorithm is developed to automatically check whether a mobile process has properties described as formulas in the logic. The correctness of the algorithm is proved.

Keywords: modal logic, predicate μ-calculus, model checking, mobile processes, asynchronous π-calculus.

DOI: 10.1360/02yf0385

1 Introduction

Spatial logics have been recently proposed to describe properties of mobile computation in which processes may evolve not only over time but also over space   . The efforts so far have been mainly focused on mobile ambients  , and the proposed logics lack recursive constructs and are therefore unable to express properties of processes with infinite behaviour. Very recently, a spatial logic with recursion was introduced in refs. [4, 5] for the asynchronous π-calculus   . Although the logic is first-order, fixpoint formulas are constructed using propositional variables, a feature inherited from the propositional μ-calculus. This disparity makes the semantics developed there rather complicated. In particular the notion of free names of a recursive formula has to rely on a semantic interpretation, and thus is not constructive. In this paper we shall present a spatial logic for the asynchronous π-calculus which is based on predicates. Predicates are functions from names (representing communication channels). Fixpoint formulas are formed using predicate variables which explicitly take name parameters. As a consequence, the notion of free names of a formula is purely syntactic and computable. Compared with ref. [4] our semantics is much simpler and cleaner. We also investigate the model checking problem for such a logic over finite processes. The algorithm we propose handles both temporal and spatial modalities. It is the first model checking algorithm for a spatial logic for the asynchronous π-calculus. The treatment of first-order quantification, in particular fresh name quantification, relies on the ability to effectively calculate the sets of free names of fixpoint formulas in our predicate-based approach. In the next section we shall briefly recall the syntax and semantics of the asynchronous π-calculus. The logic is presented in Section 3, and its semantics is described in the section that follows. Section 5 is devoted to the development of a model checking algorithm for the logic. The paper is concluded with Section 6, where related work is also discussed.

2 Asynchronous π-calculus

Let  be a countable set of names, ranged over by     . The language of the asynchronous π-calculus is given by the following BNF grammar:

         

 is the inactive process;  is the parallel composition of  and ;  is the restriction of  in ;   is input prefixing;  is output, which has no continuation;  is replication, denoting countably infinite copies of  running in parallel. The set of all processes is denoted by .

The language has two binding constructs: both restriction  and input  bind  in . The sets of bound and free names of  are denoted by   and  , respectively. Processes which differ only in the renaming of bound names are called α-equivalent, denoted  . We shall not distinguish between α-equivalent processes. Substitutions, ranged over by , are partial mappings from  to . Substitutions are postfixing and bind tighter than any operators in the language. A transposition is a special substitution that swaps only a pair of names. Transpositions will be ranged over by . For any process  and transposition , we have   . If  is a set of processes then we let     . We shall abbreviate   to    .



  





Definition 2.1 (Structural congruence). Structural congruence  is the least congruence relation on processes generated from the rules listed in fig. 1.

Lemma 2.2. If   then   .

Proof. 

The reduction relation  is defined by the rules listed in fig. 2. Some basic properties of reduction are listed in the following proposition.

Proposition 2.3. For any processes  and substitution ,
1.  implies   ;
2.  implies   ;
3.  and  implies   for some  .

Proof. By reduction induction. Straightforward.


Fig. 1. Structural congruence.

Fig. 2. Reduction rules.

3 A predicate μ-calculus

We assume a countably infinite set  of name variables, ranged over by   , which is disjoint from . We also assume a countably infinite set  of predicate variables, ranged over by   . Each predicate variable has associated with it an arity, which is a natural number. We use   to range over  . The set of formulas of the logic is given by the following BNF grammar:

 !
             N      !
        ¿   ! 

There are two kinds of formulas: propositions () and predicates (!). For propositions, we have the usual logical connectives   , as well as the first-order universal quantifier from predicate calculus. We also have operators which allow us to talk about the structures of processes:  is satisfied by any process which is structurally congruent to ;  is satisfied by any process which can be decomposed into two processes, one satisfying  and the other satisfying ;  is the adjunct of : a process  satisfies  if whenever  satisfies  then  satisfies ;   allows one to “reveal” a private name:  satisfies   if it is structurally congruent to  for some  satisfying ;  is the adjunct of :  satisfies   if  satisfies ;   is satisfied by any process which is structurally congruent to  . There is also a fresh name quantifier:  satisfies N  if for some name  fresh with respect to both  and , i.e.  does not occur free in either  or ,  has property . The combination of fresh name quantification and revelation gives us the power to talk about name restriction:  satisfies N   if  has the form  for some  satisfying . Finally, we have a standard next-time modality:  satisfies  if it has a reduction  and  satisfies .



Fixpoint formulas reside in the world of predicates. A predicate is either a predicate variable , an abstraction  , or a greatest fixpoint  !. The arity of a predicate ! is defined thus: the arity of  if ! has the form  or  !, or the length of   if ! has the form  .



Both the universal quantification  and fresh name quantification N bind  with scope ; the abstraction   binds every variable in   with scope . In  ! the predicate variable  is bound with scope !. These introduce the notions of bound and free name variables as well as bound and free predicate variables in the usual way. The sets of free names and free name variables of a formula  are denoted by  and ", respectively. Formulas that do not have free name variables are called name-closed. Likewise, formulas that do not have free predicate variables are called predicate-closed. Note that a name-closed formula may still have free names. When forming an abstraction   it is always required that   is a vector of distinct name variables,   and "  , i.e. abstractions are completely name-closed, in the sense that they have neither free name variables nor free names. As a consequence, all predicates are completely name-closed. Because of this the free names and free name variables of an application !  are solely determined by the parameter part .



Formulas that differ only in the renaming of bound variables are called α-equivalent, and will be identified. We extend the notion of substitution to allow not only names but also name variables to be replaced by names. Thus substitutions are partial mappings from  to  which are the identity on . We shall regard    as , the outcome of the capture-avoiding substitution of  by  in .





Negation is a negative operator. For each ,  can be regarded as a unary operator which is also negative. Let #/#! denote the set of free predicate variables which occur under an even number of negative operators in /!, and $%/$%! denote the set of free predicate variables which occur under an odd number of negative operators in /!. A recursive formula  ! is well-formed if the arity of  is equal to that of !, ! is completely name-closed, and $% !  . A formula is well-formed if every recursive subformula of it is well-formed. We shall only consider well-formed formulas in this paper.

4 Satisfaction

Semantics will be given to name-closed formulas which may contain free predicate variables. To interpret them we need predicate valuations. A predicate valuation " is a mapping assigning to each , of arity , a function    . The modification of " at  by  is denoted by "  . For each , let   %  if and only if   %  for any . Then      is a complete lattice, with meet  and join . We shall omit the superscript  and simply write  and  when no confusion may arise.











 







 



The denotation of formulas is defined in fig. 3, where a proposition is interpreted as an element of  and a predicate with arity  as an element of the function space  . We shall write   to mean . If  is a closed formula then  does not depend on any valuation and we shall omit the subscript ".

A basic property of the semantics is monotonicity, which guarantees the existence of fixpoints:

Theorem 4.1.
1. Suppose   $%  and   $% !. Then   % implies (a)    , (b) !  ! .
2. Suppose   #  and   # !. Then   % implies (a)    , (b) !  ! .

Proof. See the appendix.

Corollary 4.2.  !  is the greatest fixpoint of the functional & !     .

Proof. Let  be the arity of !. Since  occurs positively in !, by Theorem 4.1 & !  is a monotonic function over the complete lattice     ; therefore, by the Knaster-Tarski theorem, it admits the greatest fixpoint given by !   .

This corollary justifies the fixpoint unfolding rule:  !  !   ! .

Now we set out to establish some important results concerning fresh names. A name is fresh with respect to a process  and a proposition  if it is not free in  and . Since  and  have only a finite number of free names, there are co-finitely many fresh names with respect to them. Intuitively, a role played by a fresh name in determining a relationship between  and  should equally be played by any other fresh name, because they have the same status with respect to  and . As a consequence, in order to check if  , one needs to examine only a finite number of names, namely the free names of  and , plus a fresh name, although there are infinitely many names. This is an advantage of working with name-based calculi such as the π-calculus and the mobile ambients.



Fig. 3. Denotation of (name-closed) formulas.

It turns out that transpositions are a useful instrument in proving properties concerning fresh names.

Definition 4.3. Let  be a transposition. A function    is -preserving if      for any . A valuation " is -preserving if "  is -preserving for any .

Lemma 4.4. Suppose " is -preserving. Then
1.   .
2. !  is -preserving.

Proof. See the appendix.

According to the semantics of the fresh name quantification, satisfies N  if there is a fresh name  such that satisfies . Since  is not free in either or , this particular choice of  should not matter: any other name  with     should equally do. Thus the semantics of N  can also be characterised “universally”:



Proposition 4.5 (Gabbay-Pitts property).
1.   for some     iff   for every     such that  is preserved by " on '".
2. For a closed formula N ,  N  iff   for every    .

Proof. Since 2 is a direct corollary of 1, we only need to prove 1. The “if” direction is trivial. For the “only if” direction, suppose   for some    . For any  such that     and " is -preserving on '", we have, by Lemma 4.4,    . Since     ,    . Therefore    .

According to the semantics of , to check if   requires instantiating  with every name. However, as the following proposition demonstrates, it is sufficient to consider only the free names of  and , plus one fresh name. This finite characterisation will be exploited in the model checking algorithm in Section 5.

Proposition 4.6. Suppose     . Then   iff   Ì    .

Proof. The “only if” direction is trivial. For the “if” direction, assume     ; we show   for any . This is immediate if     . Now suppose     . By the same argument as in the “only if” part of the proof of Proposition 4.5, we can establish     . Since   ,    . Therefore  . Since    ,  .















  

  



In the remainder of this section we list a few operators which are definable in the logic. The definitions of ,  and  are standard:

      

We extend negation to abstractions by letting     . Then the least fixpoint can be defined:

 !   !

The dual of ¿ is ¾: ¾  ¿. Now the “sometime” and “anytime” modalities: ¿    ¿ , ¾    ¾ , where  is not free in . Let  be the reflexive and transitive closure of . It is easy to check that  ¿ if and only if   for some , and  ¾ if and only if whenever   then  .

Combining fresh name quantification with revelation enables one to talk about “hidden names”: let H   N  . Then one can check that  H  if and only if  and  . Note that  is a “private” name of .



5 Model checking

This section is devoted to developing a model checking algorithm for the proposed logic. Since having either replication in the calculus or the composition adjunct in the logic leads to undecidability of model checking, we shall restrict ourselves to the replication-free subset of the calculus and the composition-adjunct-free fragment of the logic.

A process is guarded if it is either an output   or an input  . A process  is in normal form if it either is  or has the form  , where  ( ) are different names and  is a parallel composition of guarded processes. A normal form   is a strict normal form if    for any  ( ).



 

 



Lemma 5.1. Any replication-free process  can be effectively transformed into a strict normal form which is structurally congruent to .

Proof. By renaming we may assume all bound names in  are pairwise distinct and different from any free names. We first show that  can be effectively transformed into a normal form, by induction on the structure of .

 . Then  is already in normal form.

 . By the induction hypothesis,  and  have normal forms. If one of the normal forms is  then  is structurally congruent to the other by StrParNil. Otherwise let     and     , where  and  are guarded. By assumption we have      . Therefore, by StrResPar,         , which is in normal form.

 . By the induction hypothesis,  has a normal form     . By assumption    . Therefore, by StrResRes,       , which is in normal form.

 .  is already in normal form.

 .  is already in normal form.

By repeatedly applying Lemma 2.2, which is an effective process, to the normal form of  we can transform it into a strict normal form. We denote the normal form and the strict normal form of  by    and   , respectively. If      then we write  for any     .
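The transformation of Lemma 5.1, as an added Python example rather than anything from the paper: a small AST for replication-free processes, bound names renamed apart with fresh names, restrictions extruded to the top by StrResPar and StrResRes, nil components dropped by StrParNil, and restrictions on names not free in the body removed as Lemma 2.2 permits. The constructor and function names, the `v0, v1, ...` fresh-name scheme and the sample process are this example's own assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import FrozenSet, Tuple, Union
# Replication-free asynchronous pi-calculus syntax (this example's own AST).
@dataclass(frozen=True)
class Nil:                          # 0, the inactive process
    pass
@dataclass(frozen=True)
class Out:                          # a<b>: output, no continuation
    chan: str
    msg: str
@dataclass(frozen=True)
class Inp:                          # a(x).P: x bound in P
    chan: str
    var: str
    body: "Proc"
@dataclass(frozen=True)
class Par:                          # P | Q
    left: "Proc"
    right: "Proc"
@dataclass(frozen=True)
class Res:                          # (nu x)P: x bound in P
    name: str
    body: "Proc"
Proc = Union[Nil, Out, Inp, Par, Res]

def names(p: Proc, free_only: bool) -> FrozenSet[str]:
    """Free names of p when free_only is set, otherwise every name in p."""
    if isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Out):
        return frozenset({p.chan, p.msg})
    if isinstance(p, Par):
        return names(p.left, free_only) | names(p.right, free_only)
    bound, head = (p.var, {p.chan}) if isinstance(p, Inp) else (p.name, set())
    inner = names(p.body, free_only)
    return frozenset(head) | (inner - {bound} if free_only else inner | {bound})

def fn(p: Proc) -> FrozenSet[str]:
    return names(p, True)

def subst(p: Proc, old: str, new: str) -> Proc:
    """Replace free occurrences of old by new (new must be fresh for p)."""
    r = lambda n: new if n == old else n
    if isinstance(p, Nil):
        return p
    if isinstance(p, Out):
        return Out(r(p.chan), r(p.msg))
    if isinstance(p, Par):
        return Par(subst(p.left, old, new), subst(p.right, old, new))
    if isinstance(p, Inp):            # a binder for old shadows it in its body
        body = p.body if p.var == old else subst(p.body, old, new)
        return Inp(r(p.chan), p.var, body)
    return Res(p.name, p.body if p.name == old else subst(p.body, old, new))

def strict_normal_form(p: Proc) -> Tuple[Tuple[str, ...], Tuple[Proc, ...]]:
    """(restricted names, guarded components) of a strict normal form of p."""
    used = set(names(p, False))       # fresh names must avoid all of these
    gen = (f"v{i}" for i in count())

    def fresh() -> str:
        n = next(m for m in gen if m not in used)
        used.add(n)
        return n

    def nf(q: Proc):
        if isinstance(q, Nil):                  # StrParNil: 0 contributes nothing
            return [], []
        if isinstance(q, (Out, Inp)):           # guarded: kept as a component
            return [], [q]
        if isinstance(q, Par):                  # StrResPar: names are apart, so
            xs1, cs1 = nf(q.left)               # extruding cannot capture
            xs2, cs2 = nf(q.right)
            return xs1 + xs2, cs1 + cs2
        x = fresh()                             # rename apart, then StrResRes
        xs, cs = nf(subst(q.body, q.name, x))
        return [x] + xs, cs

    xs, cs = nf(p)
    free = frozenset().union(*(fn(c) for c in cs))
    return tuple(x for x in xs if x in free), tuple(cs)  # Lemma 2.2 drops the rest

# Constructed input: (nu x)(a<x> | x(y).y<b>) | (nu w)a<b> | (0 | a<c>)
EXAMPLE: Proc = Par(Par(Res("x", Par(Out("a", "x"), Inp("x", "y", Out("y", "b")))),
                        Res("w", Out("a", "b"))),
                    Par(Nil(), Out("a", "c")))
```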

Proposition 5.2.
1.   if and only if either     and      or     and    .
2. For any process , the set     is computable.

Proof. 1. By comparing the normal forms of  and . The “     and    ” part is justified by Lemma 2.2. 2. Because the process of transforming  into     is effective.

If      then we shall abbreviate      to $. If      then we shall abbreviate      to *. In particular, if $ and * then $ and *. The symbol  stands for disjoint union.

Proposition 5.3. Suppose  $  . Then   if and only if for some $  $ and *  * such that $ $ $ and * * *, it holds that  $ and  $ .







!

















 







 ½

 

 $ $



Corollary 5.4.
1. It is decidable if  .
2. It is decidable if  .

Proof. Use Lemma 5.1. We have  ½  ¾ if and only if  $   $  $ * * * , and        .

Proposition 5.5.
1. For any process ,    is computable.
2. Writing +,#' for the set   , $  iff     and   for some  , and   iff    and  .

Proof. By induction on the structure of .

The model checking algorithm is presented in fig. 4, where each call of the function newname returns a fresh name (i.e. a name not used before).

Theorem 5.6. For any replication-free process  and composition-adjunct-free formula ,    always terminates and it returns true if and only if  .

Proof. Since  is finite, termination is guaranteed. For correctness, we examine each case according to the structure of the formula. The cases for          and  follow directly the semantic definition of fig. 3. Case   !   is justified by Corollary 4.2, case   by Proposition 4.6, case N  by Proposition 4.5, case   by Proposition 5.2, and case  by Corollary 5.4.



Fig. 4. The model checking algorithm.

6 Conclusion and comparison with related work

We have presented a predicate-based modal logic for the asynchronous π-calculus. It has modalities for describing temporal as well as spatial properties of mobile processes. Besides the usual first-order quantification, it also has fresh name quantification, which is useful for expressing secret connections between concurrent computing agents. We also proposed an algorithm for model checking finite processes against formulas without the composition adjunct. As mentioned in the Introduction, a similar logic was proposed in ref. [4]. The main difference between our work and that of Caires and Cardelli lies in the way recursive formulas are constructed. Despite the fact that the logic is first order, ref. [4] employs propositional variables to form fixpoint formulas. In such a setting, propositional variables stand for formulas which may contain free names, but the variables, being propositional, do not have such names. This mismatch causes complications. For instance, in our logic the recursive predicate   N   is interpreted as a single function from  to , while in ref. [4] it has to be implemented as a family of propositions   N  , where  is a propositional variable, one for each name . Furthermore, in the subformula N , the propositional variable  stands for the entire formula, hence implicitly contains the name  free, thus in the denotation of N ,  should not be instantiated with . But  does not syntactically occur in N . To remedy this ref. [4] developed a machinery of property sets, to be used as legal denotations of formulas. Thus an interpretation of a formula is not just a set of processes (as is standard in modal logics for processes), but rather a “property set”, which is a set of processes (those satisfying the formula) equipped with a finite set of names (to serve as the “free names” of this particular interpretation). In our approach this complication is avoided because our logic is predicate-based, hence name parameters of recursive formulas are present explicitly in the syntax. On the semantics side we live comfortably in the world of functions. Having a purely syntactical and effective notion of free names also facilitates the development of model checking algorithms, a subject not touched upon in ref. [4].



As for other related work, we mention refs. [8, 9], which discuss model checking for finite spatial logics for the Ambient Calculus. A model checking algorithm for a traditional modal logic (without spatial modalities) for the synchronous π-calculus is presented in .

Appendix. Proofs of Theorem 4.1 and Lemma 4.4

Proof of Theorem 4.1. By mutual induction on the structures of  and !. Most cases are straightforward, and we only examine the non-trivial cases below.

   £ - . Then   $% - and   # . 1. Assume   % and let   . Suppose  . Hence   induction hypothesis 1(),  . Therefore   induction hypothesis 1(),   













  









  





  

. By     By     .



  

2. Symmetrical.

 

.

1. Assume 

 % and let 

. Then

     . By induction hypothesis 1(),     . 



   



 

 for some  . Hence

 







   

2. Symmetrical.

   ¿

.

1. Assume 



% and let








   

. Then

for some




. By induction hypothesis 1(a),     . 



  





  



. Hence

2. Symmetrical.

   

.







1. Assume  % and let     . Then      for any . By induction hypothesis 1(a),    . Hence    .





2. Symmetrical.

   N

.

1. Assume 

 % and let 

. Then for some 

    . By induction hypothesis 1(a),

Hence    .







   



    

  







,     . 



2. Symmetrical.

 !

.







1. Assume   %. By induction hypothesis 1(b), !     !     . Hence      !      !        .



2. Symmetrical.

 !   . 



1. Assume 

! 



 %. For any , 

    

  !    









induction hypothesis 1(a)



   



Hence !    

   

   

! 

   

.

2. Symmetrical.

 !   .. Then   $% . . 1. Assume   % . If   then the result is immediate. Now assume 









By definition,

! 



   

! 



   

 

/  /  /  / 

.



.



    

.



    








For any , let

!     , i.e.

/  for some / s.t. / .     . By induction hypothesis 1(b),

.



.  .  .

. Therefore  !  . It follows !  . Since  is arbitrary, we conclude 

    



    

    

    



Hence / .     that !          !     !     .





   

2. Symmetrical. The remaining cases are similar and omitted. 

Lemma A1. Given a transposition  and a function   , define   thus:          for any . Then
1.   is -preserving.
2. If   % and % is -preserving then   %.

Proof.



1. For any ,

 





                     







2. For any , since   %,   %. Since % is -preserving, %    %    %. Hence       %   %   %   %  % .

Proof of Lemma 4.4. By mutual induction on the structures of  and !. Instead of the equality in 1, we shall prove   , because the other direction of inclusion follows immediately from this: if   , then      !  ,       . For the same reason it suffices to prove !    for any  in 2. We only examine the non-trivial cases.









    - . Let    . Then    , i.e.     for some and  such that  and   - . By induction hypothesis 1,   and   - . Hence        -  . 





 






   £- . Let    . Then    , i.e. for any       . Hence - . Let   . Then, by induction hypothesis 1,    . Therefore       - . So   -  . By   - induction hypothesis 1 again,   - . It follows that  


    . Let    . Then    , i.e.    for some  . So    . By induction hypothesis 1,    . Hence

         .    ¿ . Let    . Then   ¿ . So there is such that

 and  . By Proposition 2.3,

   . By induction  . Hence  ¿  ¿  . hypothesis 1,       . Let    . Then    , i.e.    , or   , for any . For any , let   . Then   . By equally,        . induction hypothesis 1,     . Hence       N . Then   N  . Let     and    .  for some Write for  . Then   and   . So        . Let be a name such that          .  . Write  for   . Since     ,  Then      

      . By induction hypothesis 1,

     . By induction    . Hence


hypothesis 1 again,

              Since  N    , we conclude  N    . 







 !



. Then   !  . By induction hypothesis 2, !  is  -preserving. So !    !   . Therefore    !    !     !      









! 











. For any ,

! 



   

     !   



Induction hypothesis



" 



 



"  



 !  .. Then   $% . . To show !   !  let  !   . Then    for some  such that   . 



 











 





 



for any ,    and 


  . Therefore there is    such that   . Let  be as defined in Lemma A1. Then    and  is  -preserving. By Theorem 4.1,   .  .  . Since "    is  -preserving, .  is  . Now  -preserving by induction hypothesis 2. By Lemma A1,   .

          . Hence  !   .


The remaining cases are similar and omitted.

Acknowledgements This work was supported by research grants from the National Natural Science Foundation of China and the Chinese Academy of Sciences.

References
1. Cardelli, L., Gordon, A., Anytime, anywhere: Modal logics for mobile ambients, in Proceedings of POPL’2000, ACM Press, Jan. 2000, 365—377.
2. Cardelli, L., Gordon, A., Logical properties of name restriction, in Proceedings of the 5th International Conference on Typed Lambda Calculi and Applications, LNCS 2044, Berlin: Springer-Verlag, 2001, 46—60.
3. Cardelli, L., Gordon, A., Mobile ambients, Theoretical Computer Science, Elsevier, 2000, 240: 177—213.
4. Caires, L., Cardelli, L., A spatial logic for concurrency (Part I), in Proceedings of the 4th International Conference on Theoretical Aspects of Computer Science (TACS 2001), LNCS 2215, Berlin: Springer-Verlag, 2001, 1—37.
5. Caires, L., Cardelli, L., A spatial logic for concurrency (Part II), in Proceedings of the 13th International Conference on Concurrency Theory (CONCUR 2002), LNCS 2421, Berlin: Springer-Verlag, 2002, 209—225.
6. Honda, K., Tokoro, M., On asynchronous communication semantics, in M. Tokoro, O. Nierstrasz and P. Wegner (eds.), Proceedings of the International Conference on Object-Based Concurrent Computing, LNCS 612, Berlin: Springer-Verlag, 1992, 21—51.
7. Boudol, G., Asynchrony and the π-calculus, Rapport de Recherche 1702, INRIA Sophia-Antipolis, May 1992.
8. Charatonik, W., Talbot, J.-M., The decidability of model checking mobile ambients, in Proceedings of the 15th Annual Conference of the European Association for Computer Science Logic, LNCS 2142, Berlin: Springer-Verlag, 2001, 339—354.
9. Charatonik, W., Dal Zilio, S., Gordon, A. et al., The complexity of model checking ambients, in Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2001), F. Honsell, M. Miculan (eds.), LNCS 2030, Berlin: Springer-Verlag, 2001, 152—167.
10. Dam, M., Model checking mobile processes, Information and Computation, Academic Press, 1996, 129: 25—51.

Copyright by Science in China Press 2004