A Symbolic Model for Timed Concurrent Constraint Programming


Jaime Arias Almeida

September 08, 2014

Transcript

  1. A symbolic model for timed concurrent constraint programming

    LSFA'14. Jaime Arias, Michell Guzmán and Carlos Olarte. Universidade Federal do Rio Grande do Norte, Brasil. September 8, 2014.
    Carlos Olarte (UFRN) Model Checking for CCP September 8, 2014 1 / 30
  3. Motivation

    Concurrent systems are everywhere:
    Engineering: security protocols, service oriented computing, mobile computing, synchronous systems.
    Science: biological and chemical systems.
    Arts: multimedia interaction.
    Models of concurrency: formal models to describe and analyze concurrent systems. They must be simple, expressive and formal, and provide reasoning techniques.
    Some examples: CCS [Mil89], the π-calculus [MPW92], CSP [Hoa85], CCP [Sar93].
  5. Motivation

    Concurrent Constraint Programming (CCP): a simple and powerful model of concurrency tied to logic, with very interesting extensions:
    tcc, tccp, ntcc: reactive and timed systems [SJG94, dBGM00, NPV02].
    lccp: linearity and resources [FRS01].
    soft-ccp: soft constraints and preferences [BMR06].
    cc-pi, utcc: mobility [BM07, OV08].
    eccp and sccp: epistemic and spatial reasoning [KPPV12].
    Our goal: verifying properties of systems specified in CCP calculi.
  6. Motivation

    So far we have many works on verification:
    Semantics: simple (and beautiful!) closure operator semantics.
    Connection to logic: e.g., relating CCP steps and Intuitionistic Linear Logic derivations.
    Frameworks: calculus for proving correctness.
    Static analysis: abstract interpretation frameworks.
    Nevertheless... the automatic verification of CCP programs has received little attention so far.
  7. This talk is about

    1. Providing the theoretical and practical tools to carry out the verification of ntcc systems [NPV02]: a symbolic model for ntcc processes.
    2. Showing a nice characterization of the temporal operators of the calculus: a (least and greatest) fixpoint characterization.
    3. Proving that the symbolic characterization is sound with respect to the operational semantics.
    4. Some technicalities on how to adapt our framework to use symbolic model checkers.
  8. Outline

    1. CCP calculi
    2. Symbolic Model
    3. Verification of Properties
    4. Some Examples
    5. Concluding Remarks
  13. Concurrent Constraint Programming (CCP)

    CCP [Sar93] is a model of concurrency that combines the operational view of processes and a declarative one based upon logic.
    Agents in CCP interact with each other by telling and asking constraints to a global store of partial information.
    The type of constraints and the entailment relation is given by a constraint system (e.g. $x > 42 \models_\Delta x > 0$).
    Figure: four agents around the store (temperature = ?): tell temperature > 42; tell temperature < 70; ask temperature = 50 then P; ask 0 < temperature < 100 then Q.
  14. Concurrent Constraint Programming (CCP)

    Figure: after both tells the store is 42 < temperature < 70; the remaining agents are ask temperature = 50 then P and ask 0 < temperature < 100 then Q.
  15. Concurrent Constraint Programming (CCP)

    Figure: the store is still 42 < temperature < 70; Q is now running, while ask temperature = 50 then P remains blocked.
  19. The tcc Model [SJG94]

    1. Receives a stimulus (i.e. a constraint) from the environment.
    2. Computes a CCP process in the current time-unit and waits for stability.
    3. Responds with the resulting store.
    4. Executes the residual process in the next time-unit.
    Note: stores are not automatically transferred from a time unit to the next one.
  20. Timed Concurrent Constraint Programming: ntcc Syntax

    $P, Q ::= \mathbf{skip} \mid \mathbf{tell}(c) \mid \sum_{j\in J} \mathbf{ask}\ c_j\ \mathbf{then}\ P_j \mid P \parallel Q \mid (\mathbf{local}\ x)\,P \mid \mathbf{next}\,P \mid \mathbf{unless}\ c\ (\mathbf{next}\,P) \mid \star P \mid\ !P$

    $\sum_{j\in J} \mathbf{ask}\ c_j\ \mathbf{then}\ P_j$ chooses non-deterministically a $P_j$ such that $c_j$ can be entailed from the store.
    $\mathbf{next}\,P$ executes process $P$ in the next time unit (unit-delay).
    $\mathbf{unless}\ c\ (\mathbf{next}\,P)$ executes $P$ in the next time unit if $c$ cannot be deduced (preemption).
    $\star P$: arbitrarily long but finite delay for the activation of $P$ ($\mathbf{next}^n P$).
    $!P$ executes a copy of $P$ in each time-unit (replication).
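  21. Operational Semantics: Internal Transitions

    $R_T$: $(X;\ \mathbf{tell}(c), \Gamma;\ d) \longrightarrow (X;\ \Gamma;\ c \wedge d)$

    $R_A$: if $d \models c_i$ and $i \in J$, then $(X;\ \sum_{j\in J} \mathbf{ask}\ c_j\ \mathbf{then}\ P_j, \Gamma;\ d) \longrightarrow (X;\ P_i, \Gamma;\ d)$

    $R_\Box$: $(X;\ !P, \Gamma;\ d) \longrightarrow (X;\ P, \mathbf{next}\,!P, \Gamma;\ d)$

    $R_\star$: if $n \geq 0$, then $(X;\ \star P, \Gamma;\ d) \longrightarrow (X;\ \mathbf{next}^n P, \Gamma;\ d)$

    These are what we observe during the time-unit.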
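  22. Operational Semantics: Observable Transition

    $R_{Obs}$: if $(\emptyset;\ \Gamma;\ c) \longrightarrow^{*} (X;\ \Gamma';\ d) \not\longrightarrow$, then $\Gamma \overset{(c,\ \exists X.d)}{\Longrightarrow} (\mathbf{local}\ X)\, F(\Gamma')$

    where (future function): $F(\sum_{j\in J} \mathbf{ask}\ c_j\ \mathbf{then}\ P_j) = \emptyset$ and $F(\mathbf{next}\,Q) = F(\mathbf{unless}\ c\ (\mathbf{next}\,Q)) = Q$.

    What we observe: $P \equiv P_1 \overset{(c_1,\ c_1')}{\Longrightarrow} P_2 \overset{(c_2,\ c_2')}{\Longrightarrow} P_3 \overset{(c_3,\ c_3')}{\Longrightarrow} \cdots$ and we write $P \overset{(s,\ s')}{\Longrightarrow}$.

    $io(P) = \{(s, s') \mid P \overset{(s,\ s')}{\Longrightarrow}\}$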
  23. The ntcc calculus: The Timed Coffee Machine

    $M = \ !\ \mathbf{ask}\ coin\ \mathbf{then}\ \mathbf{next}\ \mathbf{tell}(coffee)$

    $M_1 \overset{(coin,\ coin)}{\Longrightarrow} M_2 \overset{(c,\ c\ \ coffee)}{\Longrightarrow}$
  25. Symbolic Model: Steps

    Step 1: Give a logical interpretation of processes. The interesting cases are those for the timed modalities $!$ and $\star$.
    Step 2: Perform a fixpoint computation.
    Step 3: Deal with dead-ends.
  26. Logical Interpretation of Processes

    $\circ^0(c_0) \wedge \circ^1(c_1) \wedge \cdots \circ^n(c_n)$: "$c_0$ is valid in the current state and, after $i$ observable transitions, $c_i$ holds."

    $S(\mathbf{tell}(c)) = c$
    $S(\sum_{i\in I} \mathbf{ask}\ c_i\ \mathbf{then}\ P_i) = \bigwedge_{i\in I} (\neg c_i) \vee \bigvee_{i\in I} (c_i \wedge S(P_i))$
    $S(P \parallel Q) = S(P) \wedge S(Q)$
    $S(\mathbf{next}\,P) = \circ(S(P))$
    $S(\star P) = \mu Y.(S(P) \vee \circ(Y))$
    $S(!P) = \nu Y.(S(P) \wedge \circ(Y))$
  27. Results

    Theorem (Termination). Let $P$ be a process and $S(P) = F(X_1, ..., X_n)$ be a formula where the variables $X_1, ..., X_n$ occur in $F$ preceded by either $\mu$ or $\nu$. The fixpoint of $F$ can be reached in a finite number of steps.

    Theorem (Correctness). Let $P$ be a process, $F$ a solution for the equation $S(P)$ and $L$ be the LTS $L(F)$. Consider an infinite sequence of constraints $\pi$. Then, $\pi$ is a path in $L$ iff $P \overset{(\pi,\ \pi)}{\Longrightarrow}$.
  29. The Language of Properties: CLTL [NPV02]

    $F ::= \dot{\mathrm{true}} \mid \dot{\mathrm{false}} \mid c \mid F \mathbin{\dot\wedge} F \mid F \mathbin{\dot\vee} F \mid \dot\neg F \mid \circ F \mid \Diamond F \mid \Box F$

    Liveness: $\Diamond c$: the system eventually outputs the constraint $c$.
    Safety: $\Box c$: $c$ holds in all executions.

    Nice things:
    1. F is LTL satisfiable iff F is CLTL satisfiable [Val05].
    2. Model checking for LTL can be reduced to the symbolic model checking of Computation Tree Logic (CTL) [CGH97].
    3. CLTL formulas can be efficiently represented as Difference Decision Diagrams (DDD).
  30. The Algorithm

    Given a process P and a CLTL property φ:
    1. Obtain the model M of the process P.
    2. Compute the tableau T for the (negated) formula $\psi = \neg(\varphi \wedge \Box\, \dot\neg\, \mathrm{false})$.
    3. Build the set F with all the fairness constraints, i.e., all the subformulas in ψ containing the U operator.
    4. Obtain the product P between M and T.
    5. Apply the CTL symbolic model checking algorithm with fairness constraints F over the symbolic product P and the property Etrue.
  32. Some Examples

    Tool (1) implemented in OCaml.
    Input: file with an ntcc process.
    Output: PDF file with the generated Labelled Transition System; LaTeX file with the formula of the symbolic model; model for the NuSMV (2) symbolic model checker.

        symbolicMC-NTCC file.ntcc

    (1) http://www.labri.fr/perso/jarias/symbolicMC
    (2) http://nusmv.fbk.eu
  33. Some Examples (! tell(c))

    Figure: Input file with the ntcc process.

    Figure: Symbolic model:
    {(c1) ∧ ◦1(c1)} ∨
    {(c1) ∧ ◦1(true) ∧ ◦2(c1)} ∨
    {(c1) ∧ ◦1(true) ∧ ◦2(true) ∧ ◦3(c1)} ∨
    {(true) ∧ ◦1(c1)} ∨
    {(true) ∧ ◦1(c1) ∧ ◦2(c1)} ∨
    {(true) ∧ ◦1(c1) ∧ ◦2(true) ∧ ◦3(c1)} ∨
    {(true) ∧ ◦1(c1) ∧ ◦2(c1)} ∨
    {(true) ∧ ◦1(true) ∧ ◦2(c1)} ∨
    {(true) ∧ ◦1(true) ∧ ◦2(c1) ∧ ◦3(c1)}

    Figure: LTS, with states labelled c1 and true.
  34. Some Examples (! tell(c))

    Figure: NuSMV file.

        MODULE main
        VAR c : boolean;
        FAIRNESS c = TRUE
        ASSIGN
          init(c) := {TRUE, FALSE};
          next(c) := case
            c = FALSE : {TRUE, FALSE};
            c = TRUE  : {TRUE, FALSE};
          esac;

    Figure: Proving LTL properties.

        >> NuSMV -int example.smv
        NuSMV > go
        NuSMV > check_ltlspec -p "G (c)"
        -- specification G c is false
        -- as demonstrated by the following execution sequence
        Trace Description: LTL Counterexample
        Trace Type: Counterexample
        -> State: 1.1 <-
          c = FALSE
        -- Loop starts here
        -> State: 1.2 <-
          c = TRUE
        -> State: 1.3 <-
          c = TRUE
  35. Some Examples: Control System

    Input:

        ! (When signal : Next (Tell (on)) || Unless signal : Next Tell (off))

    Output: [Figure: generated LTS, with labels over signal, ¬signal, on and off]

        NuSMV > check_ltlspec -p "G (signal = TRUE -> X on = TRUE )"
        -- specification G (signal = TRUE -> X on = TRUE) is true
        NuSMV > check_ltlspec -p "G (signal = TRUE -> G on = TRUE )"
        -- specification G (signal = TRUE -> G on = TRUE) is false
        -- as demonstrated by the ...
        -> State: 1.1 <-
          signal = TRUE
          off = FALSE
          on = FALSE
        -> State: 1.2 <-
          signal = FALSE
          on = TRUE
        -- Loop starts here
        -> State: 1.3 <-
          off = TRUE
          on = FALSE
  36. Some Examples: Asynchronous Behavior

    Input:

        *(Tell (error)) || !(When error : !(Tell (stop)))

    Output: [Figure: generated LTS, with labels over error, ¬error and stop]

        NuSMV > check_ltlspec -p "G (error = TRUE -> G (stop = TRUE))"
        -- specification G (error = TRUE -> G stop = TRUE) is true
  37. Some Examples (Rhythm Patterns)

    Symbolic model:
    {(beat1) ∧ (start1) ∧ ◦3(beat4) ∧ ◦5(beat6) ∧ ◦7(beat8) ∧ ◦9(beat10) ∧ ◦11(beat12) ∧ ◦14(beat15) ∧ ◦16(beat17) ∧ ◦18(beat19) ∧ ◦20(beat21) ∧ ◦22(beat23) ∧ ◦12(stop13) ∧ ◦23(true) ∧ ◦24(true)}

    Verification of some properties:

        NuSMV > check_ltlspec -p "G !( beat = TRUE & stop = TRUE)"
        -- specification G !( beat = TRUE & stop = TRUE) is true
  39. Concluding Remarks

    We propose a symbolic model for ntcc processes.
    Such a symbolic model can be used as input to a symbolic model checking algorithm. Hence we can automatically verify properties of ntcc systems.
    We plan to:
    Abstract the constraint system (symbolic-abstract MC).
    Implement "hacks" to improve the performance of our tool.
  40. Thank you!
  41. References

    [BK85] J.A. Bergstra and J.W. Klop. Algebra of communicating processes with abstraction. Theoretical Computer Science, 37(1):77–121, 1985.
    [BM07] Maria Grazia Buscemi and Ugo Montanari. Cc-pi: A constraint-based language for specifying service level agreements. In Rocco De Nicola, editor, ESOP, volume 4421 of Lecture Notes in Computer Science, pages 18–32. Springer, 2007.
    [BMR06] Stefano Bistarelli, Ugo Montanari, and Francesca Rossi. Soft concurrent constraint programming. ACM Trans. Comput. Log., 7(3):563–589, 2006.
    [CGH97] Edmund M. Clarke, Orna Grumberg, and Kiyoharu Hamaguchi. Another look at LTL model checking. Formal Methods in System Design, 10(1):47–71, 1997.
    [dBGM00] Frank S. de Boer, Maurizio Gabbrielli, and Maria Chiara Meo. A timed concurrent constraint language. Inf. Comput., 161(1), 2000.
    [FRS01] Francois Fages, Paul Ruet, and Sylvain Soliman. Linear concurrent constraint programming: Operational and phase semantics. Information and Computation, 165, 2001.
    [Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs (NJ), USA, 1985.
    [KPPV12] Sophia Knight, Catuscia Palamidessi, Prakash Panangaden, and Frank D. Valencia. Spatial and epistemic modalities in constraint-based process calculi. In Maciej Koutny and Irek Ulidowski, editors, CONCUR, volume 7454 of Lecture Notes in Computer Science, pages 317–332. Springer, 2012.
    [Mil89] R. Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989. SU Fisher Research 511/24.
    [MPW92] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, Parts I and II. Journal of Information and Computation, 100, September 1992.
    [NPV02] M. Nielsen, C. Palamidessi, and F.D. Valencia. Temporal concurrent constraint programming: Denotation, logic and applications. Nordic Journal of Computing, 9(1), 2002.
    [OV08] Carlos Olarte and Frank D. Valencia. Universal concurrent constraint programing: Symbolic semantics and applications to security. In Proc. of SAC 2008. ACM, 2008.
    [Sar93] Vijay A. Saraswat. Concurrent Constraint Programming. MIT Press, 1993.
    [SJG94] Vijay Saraswat, Radha Jagadeesan, and Vineet Gupta. Foundations of timed concurrent constraint programming. In Proc. of LICS'94. IEEE CS, 1994.
    [Val05] Frank D. Valencia. Decidability of infinite-state timed ccp processes and first-order LTL. Theor. Comput. Sci., 330(3):577–607, 2005.
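
An added example, not from the slides and not the authors' OCaml tool: a small Python interpreter for a deterministic fragment of ntcc that follows the tcc time-unit cycle and the future function from the operational-semantics slides, runs the control system of slide 35, and checks its two LTL properties by enumerating bounded environment inputs rather than by symbolic model checking. Assumptions: constraints are plain atoms with set membership as entailment, the environment only ever supplies `signal`, local variables, the star operator and non-deterministic choice are omitted, and all function names are made up for this sketch.

```python
from itertools import product

# Deterministic ntcc fragment: atoms as constraints, entailment = membership.
def tell(c): return ("tell", c)
def when(c, p): return ("when", c, p)            # ask c then P
def par(*ps): return ("par",) + ps               # P || Q
def nxt(p): return ("next", p)                   # next P
def unless_next(c, p): return ("unless", c, p)   # unless c (next P)
def bang(p): return ("bang", p)                  # !P

def step(procs, stimulus):
    """One time unit: run to quiescence, return (output store, residual)."""
    store, pending, waiting, delayed = set(stimulus), list(procs), [], []
    while pending:
        p = pending.pop()
        if p[0] == "tell":
            store.add(p[1])
            pending, waiting = pending + waiting, []   # store grew: retry asks
        elif p[0] == "par":
            pending.extend(p[1:])
        elif p[0] == "bang":                           # !P -> P || next !P
            pending.append(p[1])
            delayed.append(nxt(p))
        elif p[0] == "when" and p[1] in store:
            pending.append(p[2])
        elif p[0] == "when":
            waiting.append(p)                          # blocked ask
        else:
            delayed.append(p)                          # next / unless
    # Future function: blocked asks vanish; unless fires only if c is absent.
    residual = [p[1] if p[0] == "next" else p[2] for p in delayed
                if p[0] == "next" or p[1] not in store]
    return frozenset(store), residual

def run(proc, stimuli):
    procs, trace = [proc], []
    for s in stimuli:
        out, procs = step(procs, s)
        trace.append(out)
    return trace

CONTROL = bang(par(when("signal", nxt(tell("on"))),     # slide 35 process
                   unless_next("signal", tell("off"))))
def next_on(tr):      # G (signal -> X on) on a finite prefix
    return all("on" in tr[i + 1] for i in range(len(tr) - 1) if "signal" in tr[i])
def always_on(tr):    # G (signal -> G on) on a finite prefix
    return all("on" in t for i, s in enumerate(tr) if "signal" in s for t in tr[i:])

def counterexample(prop, depth=6):
    """Try every signal/no-signal input of length depth; return a violation."""
    for stimuli in product([frozenset(), frozenset({"signal"})], repeat=depth):
        if not prop(run(CONTROL, stimuli)):
            return stimuli
    return None
```

Feeding `run(CONTROL, [{"signal"}, set(), set()])` reproduces the shape of the NuSMV counterexample on slide 35: `signal`, then `on`, then `off`.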