Incremental coinduction for process algebra Andrei Popescu and Elsa - - PowerPoint PPT Presentation

1

Incremental coinduction for process algebra

Andrei Popescu and Elsa Gunter University of Illinois at Urbana-Champaign

2

Context

• Process algebra
• Transition system
• Bisimilarity = notion of process equality
• Interactive proofs of bisimilarity

3

Bisimilarity

• Processes form Act-labeled transition system,

P a→ P’

• Bisimulation: binary relation Θ on Proc, s.t.

for P,Q ∈ Proc and a ∈ Act P Θ Q ∧ P a→ P’

⇓

∃Q’. Q a→ Q’ ∧ P’ Θ Q’ (and the same for Q versus P)

• Bisimilarity, written ≡, is the largest bisimulation

4

A more intuitive description

• f bisimilarity

P ≡ Q iff

• Whenever P a→ P’
• Also Q a→ Q’ for some Q’ such that

P’ ≡ Q’

• Same for Q versus P
• And so on, indefinitely

5

Example – CCS-like calculus

∀ τ ∈ Act, - : Act → Act s.t. a- - = a

• P ::= 0  a . P  P | Q  ! P

P a→ P’ Q a→ Q’ a . P a→ P (Pref) ----------------------(ParL) --------------------- (ParR) P | Q  a→ P’ | Q P | Q a→ P | Q’ P a→ P’ Q a-→ Q’ P a→ P’ P a→ Q’ P a-→ R’

• -----------------------(ParS) ----------------(Repl) ------------------------

(ReplS) P | Q τ→ P’ | Q’ !P a→ !P | P’ !P τ→ !P | Q’ | R’

6

Examples of proof tasks

∀ ∀P, Q. P | Q ≡ Q | P ∀ ∀P, Q, R. (P | Q) | R ≡ P | (Q | R) ∀ ∀P. P | !P ≡ !P

7

Standard interactive bisimilarity proofs

• Goal: prove P ≡ Q
• Formal proof:

– Define a relation Θ – Show P Θ Q – Show Θ bisimulation

8

Standard interactive bisimilarity proofs

• Goal: prove P ≡ Q
• Formal proof:

– Define a relation Θ - this is the “real” proof – Show P Θ Q – Show Θ bisimulation

9

By contrast: intuitive argument for P ≡ Q

Possible continuations of P P a1→ P1’ | a2→ P2’ | … | an→ Pn’ match them (completely) with Possible continuations of Q Q b1→ Q1’ | b2→ Q2’ | … | bm→ Qm’ E.g., ai = bj , and further claim Pi’ ≡ Qj’

10

Intuitive argument for P ≡ Q

• For each match (i,j), do the same for new claim, Pi’ ≡ Qj’
• Until (pattern) repetitions discovered in the tree of claims

P ≡ Q : Pi2’ ≡ Qj2’ : : ... …

• ------------ ------------

Pi1’ ≡ Qj1’ Pi2’ ≡ Qj2’ …

• P ≡ Q

11

Argument built intuitively then fed into the formal proof

∀Θ = The set of all nodes in the “claim tree”

• Prove Θ bisimulation

Thus:

• Gap between intuition and formalities
• No formal support for building the desired

bisimulation incrementally (as in the intuitive argument)

12

Our contribution

• Fill this gap between intuition and

formalities

• Provide a formal system where

– Bisimulations can be built incrementally – Goal-discharging repetitions/circularities are first-class citizens

13

Sample Goals

• 1. Comm: ∀P Q. P | Q ≡ Q | P
• 2. Assoc: ∀P Q R. (P | Q) | R ≡ P | (Q | R)
• 3. ∀P. P | !P ≡ !P

Say we proved 1 and 2, and wish to prove 3

14

Proof

Hypotheses: Comm, Assoc (i.e., lemmas known so far) Conclusion: P | !P ≡ !P

15

Proof

Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Try equational reasoning: Fail

(P | !P ≡ !P does not follow from just Comm, Assoc via the rules of equational logic: Refl, Trans, Cong, Subst)

16

Proof

Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P:

• P | !P a→ { P’ | !P, P | (!P | P’) } if P a→P’
• P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) }

if P a→ Q’ and P a-→ R’

17

Parenthesis – unfold automatically

• Compose primitive rules of the system

until atomic assumptions are reached

• Side-conditions are composed accordingly

P a-→ R’

• ---------------------(Repl)

P a→ Q’ !P a-→ !P | R’

• ----------------------------------------------(ParS)

P | !P τ→ Q’ | (!P | R’)

18

Back to Proof

Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P and !P:

• P | !P a→ { P’ | !P, P | (!P | P’) } if P a→ P’
• P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) }

if P –a→ Q’ and P a-→ R’

• !P a→ { !P | P’ } if P a→ P’
• !P τ→ { !P | (Q’ | R’) } if P a→ Q’ and P a-→ R’

19

Proof

Hypotheses: Comm, Assoc Conclusion: P | !P ≡ !P Then unfold P | !P and !P:

• P | !P a→ { P’ | !P, P | (!P | P’) } if P a→ P’
• P | !P τ→ { P | (!P | (Q’ | R’)), Q’ | (!P | R’) }

if P –a→ Q’ and P a-→ R’

• !P a→ { !P | P’ } if P a→ P’
• !P τ→ { !P | (Q’ | R’) } if P –a→ Q’ and P a-→ R’

From matching if-hypotheses and action labels,

• btain 4 new “claims”…

20

Proof

Hypotheses: Comm, Assoc Conclusions: 1. P’ | !P ≡ !P | P’ 2. P | (!P | P’) ≡ !P | P’ 3. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 4. Q’ | (!P | R’) ≡ !P | (Q’ | R’) ... “claims” becoming new conclusions in the goal

21

Proof

Hypotheses: Comm, Assoc, P | !P ≡ !P Conclusions: 1. P’ | !P ≡ !P | P’ 2. P | (!P | P’) ≡ !P | P’ 3. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 4. Q’ | (!P | R’) ≡ !P | (Q’ | R’) Also, previous conclusion becomes hypothesis! (to watch for possible “repetition of the claims”)

22

Proof

Hypotheses: Comm, Assoc, P | !P ≡ !P Conclusions: 1. P’ | !P ≡ !P | P’ 2. P | (!P | P’) ≡ !P | P’ 3. P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) 4. Q’ | (!P | R’) ≡ !P | (Q’ | R’) All 4 conclusions discharged by equational reasoning from hypotheses. q.e.d.

23

The formal proof in our system

P | !P ≡ !P |-- P’ | !P ≡ !P | P’ (by EqL)

P | !P ≡ !P |-- P | (!P | P’) ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) (by EqL) P | !P ≡ !P |-- Q’ | (!P | R’) ≡ !P | (Q’ | R’) (by EqL)

• ---------------------------------------------(apply Unfold)

|-- P | !P ≡ !P (Omiting the reference to lemmas Comm, Assoc)

24

The formal proof in our system

∀ P. P | !P ≡ !P |-- ∀ P P’. P | (!P | P’) ≡ !P | P’

Valid inference in Equational Logic (and in FOL)

25

Soundness of our proof system

Indeed, the relation Θ =

{ (P | !P, !P) . P ∈ Proc} ∪ { ( P’ | !P, !P | P’ ) . P, P’ ∈ Proc} ∪ { ( P | (!P | P’), !P | P’ ) . P, P’ ∈ Proc} ∪ { ( P | (!P | (Q’ | R’)), !P | (Q’ | R’) ) . P, Q’, R’ ∈ Proc} ∪ { ( Q’ | (!P | R’), !P | (Q’ | R’) ) . P, Q’, R’ ∈ Proc} turns out to be a bisimulation up to bisimilarity and arbitrary contexts (Davide Sangiorgi)

26

Scope

• Process algebra by de Simone SOS rules

X1 a1,1→ Y1,1 … X1 a1,n1→ Y1,n1 . . . Xk ak,1→ Yk,1 … Xk ak,nk→ Yk,nk

• -------------------------------------------------- [ ϕ (b,…,ai,j ,…) ]

f(X1,…,Xk) b→ T(…,Xi,…,Yi,j ,…) (the Xis distinct, the Yi,js distinct and fresh)

27

Isabelle formalization

• Have formalized the proof system and

proved its soundness in Isabelle/HOL

• Potential to become an a priori formally

certified tool

• Need to write some custom Isabelle

tactics to make it into a real tool

28

Credits

• Robert de Simone, 1985:

identify an amenable SOS format

• Davide Sangiorgi, 1998:

“up to” techniques for bisimilarity proofs

• Grigore Rosu and Joseph Goguen, 2000:

circular coinduction in hidden logic, applicable to deterministic systems (such as streams)

29

Conclusions

• Gap between

– formal support for interactive bisimilarity proofs – intuitive means of building the required bisimulation

• Filled this gap by incremental proof system

– Based on equational logic – Featuring circularities as first-class citizens – Applicable to a large class of process algebras – Formalized in Isabelle/HOL

30

Future work

• Isabelle formalization into user-friendly

tool

• Extend the scope

– Laxer SOS formats – Syntax with bindings (Pi-calculus)

31

Extra slides – More on the soundness of our proof system

32

The retract operator

Retr : Rel (Proc) → Rel (Proc) Retr Θ = {(P,Q). ∀a P’. P a→ P’ ⇓ ∃Q’. Q a→ Q’ ∧ (P’,Q’) ∈ Θ and similarly for Q versus P} (Retr Θ contains all pairs “retracted back” from Θ) Θ bisimulation means Θ ⊆ Retr Θ

33

Recall our formal proof

P | !P ≡ !P |-- P’ | !P ≡ !P | P’ (by EqL)

P | !P ≡ !P |-- P | (!P | P’) ≡ !P | P’ (by EqL) P | !P ≡ !P |-- P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) (by EqL) P | !P ≡ !P |-- Q’ | (!P | R’) ≡ !P | (Q’ | R’) (by EqL)

• ----------------------------------------------(apply Unfold)

|-- P | !P ≡ !P (Omiting the reference to lemmas Comm, Assoc)

34

Explantion in terms of more primitive proof rules

Let Θ = { (P | !P, !P). P ∈ Proc} Need to show Θ ⊆ ≡ i.e., Θ ⊆ CongCl ({} ∪ ≡), written {} |-- Θ Would suffice that: Θ bisimulation, i.e., Θ ⊆ Retr Θ But this requirement may be too harsh. Instead, defer the goal by interpolating relation Θ’ s.t. Θ ⊆ Retr Θ’ , The new goal becomes Θ’ ⊆ CongCl (Θ ∪ ≡), written Θ |-- Θ’ .

35

Rules in a more primitive system

• The interpolation rule:

Θ ⊆ Retr Θ’ Θ |-- Θ’

• -------------------------------- (Interp)

{} |-- Θ More generally: Θ ⊆ Retr Θ’ Θ ∪ Θ’’ |-- Θ’

• --------------------------------------- (Interp)

Θ’’ |-- Θ

• The split rule:

Θ |-- Θ’ Θ |-- Θ’’

• ------------------------------- (Split)

Θ |-- Θ’ ∪ Θ’’

36

Obtain the higher-level proof rule

• Natural interpolants Θ ⊆ Retr Θ’ obtained automatically

by syntactic analysis of the SOS rules.

• E.g., for Θ = { (P | !P, !P). P ∈ Proc},

take Θ’ to be { ( P’ | !P, !P | P’ ) . P ∈ Proc} ∪ { ( P | (!P | P’), !P | P’ ) . P ∈ Proc} ∪ { ( P | (!P | (Q’ | R’)), !P | (Q’ | R’) ) . P,Q ∈ Proc} ∪ { ( Q’ | (!P | R’), !P | (Q’ | R’) ) . P,Q ∈ Proc}

• Then the Split rule splits the 4 ∪-components into

separate goals

37

Hence the higher-level proof rule

P | !P ≡ !P |-- P’ | !P ≡ !P | P’ P | !P ≡ !P |-- P | (!P | P’) ≡ !P | P’ P | !P ≡ !P |-- P | (!P | (Q’ | R’)) ≡ !P | (Q’ | R’) P | !P ≡ !P |-- Q’ | (!P | R’) ≡ !P | (Q’ | R’)

• ------------------------------------------------------(Unfold)

|-- P | !P ≡ !P