On the Distributability of Mobile Ambients

by   Kirstin Peters, et al.

Modern society is dependent on distributed software systems and to verify them different modelling languages such as mobile ambients were developed. To analyse the quality of mobile ambients as a good foundational model for distributed computation, we analyse the level of synchronisation between distributed components that they can express. Therefore, we rely on earlier established synchronisation patterns. It turns out that mobile ambients are not fully distributed, because they can express enough synchronisation to express a synchronisation pattern called M. However, they can express strictly less synchronisation than the standard pi-calculus. For this reason, we can show that there is no good and distributability-preserving encoding from the standard pi-calculus into mobile ambients and also no such encoding from mobile ambients into the join-calculus, i.e., the expressive power of mobile ambients is in between these languages. Finally, we discuss how these results can be used to obtain a fully distributed variant of mobile ambients.



There are no comments yet.


page 1

page 2

page 3

page 4


On the Distributability of Mobile Ambients (Technical Report)

Modern society is dependent on distributed software systems and to verif...

Relational Diagrams: a pattern-preserving diagrammatic representation of non-disjunctive Relational Queries

Analyzing relational languages by their logical expressiveness is well u...

Formalizing φ-calculus: a purely object-oriented calculus of decorated objects

Many calculi exist for modelling various features of object-oriented lan...

The C_π-calculus: a Model for Confidential Name Passing

Sharing confidential information in distributed systems is a necessity i...

On the Soundness of Coroutines with Snapshots

Coroutines are a general control flow construct that can eliminate contr...

Modelling Distributed Shape Priors by Gibbs Random Fields of Second Order

We analyse the potential of Gibbs Random Fields for shape prior modellin...

Automata and Fixpoints for Asynchronous Hyperproperties

Hyperproperties have received increasing attention in the last decade du...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Modern society is increasingly dependent on large-scale software systems that are distributed, collaborative, and communication-centred. Most of the existing approaches that analyse the distributability of concurrent systems use special formalisms often equipped with an explicit notion of location, [3] in Petri nets or the distributed [15]. Other approaches implement locations implicitly, as the parallel operator in the that combines different distributed components of a system. In the latter case, we consider distributability and, thus, all possible explicitly-located variants of a calculus.

The [19] is a well-known and frequently used process calculus to model concurrent systems. Therein, intuitively, the degree of distributability corresponds to the number of parallel components that can act independently. Practical experience, though, has shown that it is not possible to implement every term—not even every asynchronous one—in an asynchronous setting while preserving its degree of distributability. To overcome these problems the [18] or the distributed [15] were introduced as models of distributed computation.

To analyse the quality of an approach as a good foundational model for distributed computation, we compare the expressiveness of different such models to their power to express synchronisation between distributed components. Such synchronisations make the implementation of terms in an asynchronous setting difficult and, thus, indicate languages that are not suitable to describe distributed computation. In particular, we try to identify hidden sources of synchronisation, synchronisation that was not intended with the design of the calculus.

Distributability and Synchronisation Patterns.

To analyse the degree of distribution in process calculi and to compare different calculi by their power to express synchronisation, [23, 21] defines a criterion for the preservation of distributability in encodings and introduces synchronisation patterns to describe minimal forms of synchronisation. Process calculi are then separated by their power to express such synchronisation patterns and, thus, by the kinds of synchronisation that they contain. Therefore, we show that no good and distributability-preserving encoding can exist from a calculus with enough synchronisation to express some synchronisation pattern into a calculus that cannot express this pattern. In this sense, synchronisation patterns have two purposes: (1) First, they describe some particular form or level of synchronisation in an abstract and model-independent way. Thereby, they help to spot forms of synchronisation—in particular, forms of synchronisation that were not intended with the design of the respective calculus. (2) Second, they allow to separate calculi along their ability to express the respective pattern and the respective level of synchronisation.



Figure 1: A fully reachable pure in Petri nets (a), the as state in a transition system (b), and the synchronisation pattern in Petri nets (c).

In [23], two synchronisation patterns, the pattern and the pattern , are highlighted. An , as visualised in Figure 1 (a), describes a Petri net that consists of two parallel transitions ( and ) and one transition () that is in conflict with both of the former. In other words, it describes a situation where either two parts of the net can proceed independently or they synchronise to perform a single transition together. [12, 13] states that a Petri net specification can be implemented in an asynchronous, fully distributed setting iff it does not contain a fully reachable pure . Accordingly, they denote such Petri nets as distributable. They also present a description of a fully reachable pure as conditions on a state in a step transition system, as visualized in Figure 1 (b), which allows us to directly use this pattern to reason about process calculi. Note that , , and in Figure 1 (b) are not labels. They serve just to distinguish different steps. Moreover, refer to the parallel execution of and

, given a step semantics. Hence, a process calculus is distributable iff it does not contain a non-local . A is a chain of conflicting and distributable steps as they occur in an that build a circle of odd length. The Figure 

1 (c) nicely illustrates this circle of . There is one consisting of the transitions , , and with their corresponding two places. Another is build by the transitions , , and with their corresponding two places and so on.

These patterns are then used to locate various -like calculi within a hierarchy with respect to the level of synchronisation that can be expressed in these languages. More precisely, [23] shows that (1) the is distributed, because it does not contain either of the two synchronisation patterns, (2) the asynchronous and its extension with separate choice can express the pattern but no pattern , whereas the standard with mixed choice contains ’s and ’s.

Mobile Ambients.

In the current paper, we use the technique derived in [23] to analyse the degree of distribution in mobile ambients. Mobile ambients were introduced in [5, 6]. Similar to the , mobile ambients were designed as a calculus for distributed systems. But, in contrast to the , they do contain the pattern , as we show in the following. Accordingly, mobile ambients are not fully distributed and their implementation in a fully distributed setting is difficult. Fortunately, the little amount of synchronisation that is contained in mobile ambients is not enough to express the . Thus, mobile ambients are less synchronous than, , the standard pi-calculus. Moreover, the nature of the pattern that we find in mobile ambients tells us what kind of features lead to synchronisation in mobile ambients. More precisely, we show that synchronisation in mobile ambients results from the so-called -actions and the fact that different ambients may share the same name. This observation allows us to discuss ways to obtain a variant of mobile ambients that is free of hidden synchronisations and can, thus, be implemented easily in a distributed setting.


Section 2 introduces process calculi (§ 2.1), mobile ambients (§ 2.2), encodings (§ 2.3), and synchronisation patterns together with some results of [23] (§ 2.4) that are necessary for this paper. In Section 3, we show that mobile ambients can express enough synchronisation to contain pattern and that this implies that there is no good and distributability-preserving encoding from mobile ambients into the . Section 4 analyses the nature of conflicts in mobile ambients that limits the forms of synchronisation they can express. It is shown that mobile ambients do not contain -patterns; this separates them from the standard . The observations on the nature of synchronisation in mobile ambients is then used in Section 5 to discuss ways to obtain a distributed variant of mobile ambients. We conclude with Section 6. The missing proofs can be found in [22].

2 Technical Preliminaries

We start with some general observations on process calculi and the relevant notions that we need for the comparison of process calculi as described in [23]. Then we describe the calculus of mobile ambients as introduced in [5, 6] and “good” encodings as defined in [14]. Finally, we shortly revise the results of [23] that are relevant for our analysis of mobile ambients.

2.1 Process Calculi

A process calculus is a language that consists of a set of process terms (its syntax) and a relation on process terms (its reduction semantics). We often refer to process terms also simply as processes or as terms and use upper case letters to range over them.

Assume a countably-infinite set , whose elements are called names. We use lower case letters to range over names. Let . The syntax of a process calculus is usually defined by a context-free grammar defining operators, functions . An operator of arity , , is a constant. The arguments that are again process terms are called subterms of .

[Subterms] Let be a process calculus and . The set of subterms of is defined recursively as .

With Definition 2.1, every term is a subterm of itself and constants have no further subterms. We add the special constant to each process calculus. Its purpose is to denote success (or successful termination) which allows us to compare the abstract behaviour of terms in different process calculi as described in Section 2.3. Therefore, we require that each language defines a predicate that holds if the term is successful (or has terminated successfully). Usually, this predicate holds if contains an occurrence of that is unguarded (see mobile ambients below).

A scope defines an area in which a particular name is known and can be used. For several reasons, it can be useful to restrict the scope of a name. For instance to forbid interaction between two processes or with an unknown and, hence, potentially untrusted environment. Names whose scope is restricted such that they cannot be used beyond their scope are called bound names. The remaining names are called free names. As ususal, we define three sets of names occurring in a process term: the set of all of ’s names, and its subsets of free names and of bound names. In the case of bound names, their syntactical representation as lower case letters serves as a place holder for any fresh name, any name that does not occur elsewhere in the term. To avoid confusion between free and bound names or different bound names, bound names can be replaced with fresh names by . We write if and differ only by .

We assume that the semantics is given as an operational semantics consisting of inference rules defined on the operators of the language [25]. For many process calculi, the semantics is provided in two forms, as reduction semantics and as labelled transition semantics. We assume that at least the reduction semantics is given as part of the definition, because its treatment is easier in the context of encodings. A single application of the reduction semantics is called a (reduction) step and is written as . If , then is called derivative of . Let (or ) denote the existence (absence) of a step from , and let denote the reflexive and transitive closure of . A sequence of reduction steps is called a reduction. We write if has an infinite sequence of steps and call convergent if . We also use execution to refer to a reduction starting from a particular term. A maximal execution of a process is a reduction starting from that cannot be further extended, that is either infinite or of the form .

We extend the predicate to reachability of success. A term reaches success, written as , if it reaches a derivative that is successful, . We write , if reaches success in every finite maximal execution.

To reason about environments of terms, we use functions on process terms called contexts. More precisely, a context with holes is a function from terms into a term, given , the term is the result of inserting in the corresponding order into the holes of .

We assume the calculi for the standard (with mixed choice) as defined in [19] and its subcalculi the with only separate choice (), there all parts of the same choice construct are either all guarded by an input or all guarded by an output prefix, and the asynchronous () as introduced in [4, 16]. Moreover, we assume the () as introduced in [9].

[Syntax, [23]] The sets of process terms are given by

for some names and a finite index set .

In all languages the empty process is denoted by and defines parallel composition. Within the restriction restricts the scope of the name to the definition of and denotes replication. The process term represents finite guarded choice; as usual, the sum is sometimes written as and abbreviates the empty sum, where . The input prefix is used to describe the ability of receiving the value over link and, analogously, the output prefix describes the ability to send a value over link . The prefix describes the ability to perform an internal, not observable action. The choice operators of and require that all branches of a choice are guarded by one of these prefixes. We omit the match prefix, because it does not influence the results.

In the operator describes an output prefix similar to . A definition defines a new receiver on fresh names, where consists of one or several elementary definitions connected by , potentially joins several reception patterns connected by , and is a process. Note that unifies the concepts of restriction, input prefix, and replication of the .

As usual, the continuation is often omitted, so becomes . In addition, for simplicity in the presentation of examples, we sometimes omit an action’s object when it does not effectively contribute to the behaviour of a term, is written as or just , and is abbreviated as . Moreover, let abbreviate the term .

The definitions of free and bound names are completely standard, names are bound by restriction and as parameter of input and for all . In the the definition binds for all elementary definitions in and all join pattern in the received variables in the corresponding and the defined variables in .

To compare process terms, process calculi usually come with different well-studied equivalence relations (see [11] for an overview). A special kind of equivalence with great importance to reason about processes are congruences, the closure of an equivalence with respect to contexts. Process calculi usually come with a special congruence called structural congruence. Its main purpose is to equate syntactically different process terms that model quasi-identical behaviour. For the above variants of the we have:

The entanglement of input prefix and restriction within the definition operator of the limits the flexibility of relations defined by sets of equivalence equations. Instead structural congruence is given by an extension of the chemical approach in [2] by the heating and cooling rules. They operate on so-called solutions , where and are multisets. We have (1) , (2) , and (3) , where only elements—separated by commas—that participate in the rule are mentioned and instantiates the defined variables in to distinct fresh names. Then if and differ only by applications of the -rules, if .

The semantics of the above variants of the is given by the axioms

for and , the axioms and for , and the three rules

that hold for all three variants , , and . The operational semantics of is given by the heating and cooling rules (see structural congruence) and the reduction rule , where substitutes the transmitted names for the distinct received variables.

Recursion or replication distinguishes itself from other operators by the fact that (one of) its subterms can be copied within rules of structural congruence in the or by reduction rules in the while the operator itself is usually never removed during reductions. We call such operators and capabilities recurrent. We denote the parts of a term that are removed in reduction steps as capabilities.

2.2 Mobile Ambients

Mobile ambients () were introduced in [5, 6] as a process calculus for distributed systems with mobile computations. They define ambients as bounded places on that computations may happen and that can be moved (with their computations). Their syntax is defined in two stages: the first stage describes ambient processes and the nesting of ambients; the second stage describes the movements of ambients.

[Syntax, [6]] The set of ambient processes is given as

for some names .

The empty process is denoted by and define parallel composition. Restriction restricts the scope of the name to the definition of . Replication provides potentially infinitely many copies of . The describes an ambient in which the process is located. Ambients may exhibit a tree structure induced by the nesting of ambient brackets. The term defines the exercise of capability , which could be either “” to enter ambient , or “” to exit from ambient , or “” to open ambient . As usual, the continuation is often omitted. Moreover, we often abbreviate by and let abbreviate the term .

Restriction is the only binder of mobile ambients, the names are bound by restriction and all names of a process that are not bound by restriction are free. The “” in denotes sequential composition, where the guards the subterm . A subterm of a process is unguarded if it is not hidden behind a guard. As usual, if contains an unguarded occurrence of success.

For mobile ambients, [6] define structural congruence as the least congruence that satisfies the rules of defined above and additionally the rules and if .

The reduction semantics of mobile ambients in [6] consists of the axioms

and the rules:

The first axiom moves an ambient with all its content (except for the consumed -capability) into a sibling ambient with name , where it is composed in parallel to the content of . The second axiom allows an ambient with all its content (except for the consumed -capability) to exit its parent ambient . As result ambient is placed in parallel to . The third axiom dissolves the boundary of an ambient named that is located at the same level as the -capability. The next three rules propagate reduction across scopes, ambient nesting, and parallel composition. By the last rule reductions are defined modulo structural congruence.

Note that [6] explicitly states, that the same name can be used to name different ambients, ambients with separate identities. Moreover, if there are several ambients with the same name at the same hierarchical level all and -capabilities that affect an ambient with this name can chose freely (non-deterministically) between the alternatives.

Following [23], we denote the operator for replication as recurrent, because (in contrast to the other operators) it is itself never removed during reductions. Similarly, we denote an ambient that is not opened or moved in a step as recurrent for this step and, otherwise, as non-recurrent this step. To distinguish between different occurrences of syntactically the same subterm in a term, we assume that all capabilities of processes in the following are implicitly labelled as described in [23].

2.3 Encodings and Quality Criteria

Let and be two process calculi, denoted as source and target language. An encoding from into is a function . We often use to range over and to range over . Encodings often translate single source term steps into a sequence or pomset of target term steps. We call such a sequence or pomset an emulation of the corresponding source term step.

To analyse the quality of encodings and to rule out trivial or meaningless encodings, they are augmented with a set of quality criteria. In order to provide a general framework, Gorla in [14] suggests five criteria well suited for language comparison. They are divided into two structural and three semantic criteria. The structural criteria include (1) compositionalityand (2) name invariance. The semantic criteria include (3) operational correspondence, (4) divergence reflection, and (5) success sensitiveness. It turns out that we do not need the second criterion to derive the separation results of this paper. Thus, we omit it. Note that a behavioural equivalence on the target language is assumed for the definition of name invariance and operational correspondence. Moreover, let be a renaming policy

, a mapping from a name to a vector of names that can be used by encodings to reserve special names, such that no two different names are translated into overlapping vectors of names.

Intuitively, an encoding is compositional if the translation of an operator is the same for all occurrences of that operator in a term. Hence, the translation of that operator can be captured by a context that is allowed in [14] to be parametrised on the free names of the respective source term.

[Compositionality, [14]] The encoding is compositional if, for every operator of and for every subset of names , there exists a context such that, for all and all with , it holds that .

The first semantic criterion is operational correspondence. It consists of a soundness and a completeness condition. Completeness requires that every computation of a source term can be emulated by its translation. Soundness requires that every computation of a target term corresponds to some computation of the corresponding source term.

[Operational Correspondence, [14]] The encoding satisfies operational correspondence if it satisfies:

Completeness: For all , it holds .
Soundness: For all , there exists an such that and .

The definition of operational correspondence relies on the equivalence to get rid of junk possibly left over within computations of target terms. Sometimes, we refer to the completeness criterion of operational correspondence as operational completeness and, accordingly, for the soundness criterion as operational soundness.

The next criterion concerns the role of infinite computations in encodings.

[Divergence Reflection, [14]] The encoding reflects divergence if, for every source term , implies .

The last criterion links the behaviour of source terms to the behaviour of their encodings. With Gorla [14], we assume a success operator as part of the syntax of both the source and the target language. Since cannot be further reduced and , the semantics and structural congruence of a process calculus are not affected by this additional constant operator. We choose may-testing to test for the reachability of success, . However, this choice is not crucial. An encoding preserves the abstract behaviour of the source term if it and its encoding answer the tests for success in exactly the same way.

[Success Sensitiveness, [14]] The encoding is success-sensitive if, for every source term , iff .

This criterion only links the behaviours of source terms and their literal translations, but not of their derivatives. To do so, Gorla relates success sensitiveness and operational correspondence by requiring that the equivalence on the target language never relates two processes with different success behaviours.

[Success Respecting, [14]] is success respecting if, for every and with and , it holds that .

By [14] a “good” equivalence is often defined in the form of a barbed equivalence (as described e.g. in [20]) or can be derived directly from the reduction semantics and is often a congruence, at least with respect to parallel composition. For the separation results presented in this paper, we require only that is a success respecting reduction bisimulation.

[(Weak) Reduction Bisimulation] The equivalence is a (weak) reduction bisimulation if, for every such that , for all there exists a such that and .

Note that the best known encoding from the asynchronous into the in [9] is not compositional, but consists of an inner, compositional encoding surrounded by a fixed context—the implementation of so-called firewalls—that is parametrised on the free names of the source term. In order to capture this and similar encodings and as done in [23] we relax the definition of compositionality in our notion of a good encoding.

[Good Encoding] We consider an encoding to be good if it is (1) either compositional or consists of an inner, compositional encoding surrounded by a fixed context that can be parametrised on the free names of the source term, (2) satisfies operational correspondence, (3) reflects divergence, and (4) is success-sensitive. Moreover we require that the equivalence is a success respecting (weak) reduction bisimulation.

In this case a good encoding respects also the ability to reach success in all finite maximal executions.

[[24]] For all success respecting reduction bisimulations and all convergent target terms such that , it holds iff .

Then success sensitiveness preserves the ability to reach success in all finite maximal executions.

[[24]] For all operationally sound, divergence reflecting, and success-sensitive encodings with respect to some success respecting equivalence and for all convergent source terms , if then .

2.4 Distributability and Synchronisation Pattern

Intuitively, a distribution of a process means the extraction (or: separation) of its (sequential) components and their association to different locations. However, not all process calculi in the literature—as the standard in [19]—consider locations explicitly. For the calculi without an explicit notion of location [23] defines a general notion of distributability that focuses on the possible division of a process term into components. Accordingly, a process is distributable into , if we find some distribution that extracts from within onto different locations.

[Distributability, [23]] Let be a process calculus, be its structural congruence, and . is distributable into if there exists such that

  1. for all , contains at least one capability or constant different from and is an unguarded subterm of or, in case is given by a chemical approach, for some multisets ,

  2. in there are no two occurrences of the same capability, no label occurs twice, and

  3. each guarded subterm and each constant (different from ) of is a subterm of at least one of the terms .

The degree of distributability of is the maximal number of distributable subterms of .

Accordingly, a pi-term is distributable into if . The -term is distributable into and , but also into , , , and , because .

Mobile ambients come with an explicit notion of locations: ambients. A term of is distributable into pairwise intersected subsets of its outermost ambients. Applying the Definition 2.4 results into exactly these distributable components. Because of the rule , the replication of an ambient, by or , is a distributable recurrent operation.

Preservation of distributability means that the target term is at least as distributable as the source term.

[Preservation of Distributability, [23]] An encoding preserves distributability if for every and for all terms that are distributable within there are some that are distributable within such that for all .

In essence, this requirement is a distributability-enhanced adaptation of operational completeness. It respects both the intuition on distribution as separation on different locations—an encoded source term is at least as distributable as the source term itself—as well as the intuition on distribution as independence of processes and their executions—implemented by .

If a single process—of an arbitrary process calculus—can perform two different steps, steps on capabilities with different labels, then we call these steps alternative to each other. Two alternative steps can either be in conflict or not; in the latter case, it is possible to perform both of them in parallel, according to some assumed step semantics.

[Distributable Steps, [23]] Let be a process calculus and a process. Two alternative steps of are in conflict, if performing one step disables the other step, if both reduce the same not recurrent capability. Otherwise they are parallel. Two parallel steps of are distributable, if each recurrent capability reduced by both steps is distributable, else the steps are local.

Remember that the “same” means “with the same label”, in the two steps that open one of the ambients are in conflict but can perform two parallel steps—using different -capabilities and ambients—to open both ambients .

Next we define parallel and distributable sequences of steps.

[Distributable Executions, [23]] Let be a process calculus, , and let and denote two executions of . and are in conflict, if a step of and a step of are in conflict, else and are parallel. Two parallel sequences of steps and are distributable, if each pair of a step of and a step of is distributable.

Two executions of a term are distributable iff is distributable into two subterms such that each performs one of these executions. Hence, an operationally complete encoding is distributability-preserving only if it preserves the distributability of sequences of source term steps.

[Distributability-Preservation, [23]] An operationally complete encoding that preserves distributability also preserves distributability of executions, for all source terms and all sets of pairwise distributable executions of , there exists an emulation of each execution in this set such that all these emulations are pairwise distributable in .

As described in the introduction, we consider a process calculus is distributable iff it does not contain a non-local .

[Synchronisation Pattern , [23]] Let be a process calculus and such that:

  1. can perform at least three alternative steps , , and such that , , and are pairwise different.

  2. The steps and are parallel in .

  3. But is in conflict with both and .

In this case, we denote the process as . If the steps and are distributable in , then we call the non-local. Otherwise, the is called local.

As shown in [23], all in the () are local but the asynchronous () contains the non-local : with , where the steps , , and are the reduction of the first out- and input, the first input and the second output, and the second out- and input, respectively. Because of that, there is no good and distributability-preserving encoding from into . To further distinguish different variants of the , [23] introduces a second synchronisation pattern called . Interestingly, it reflects a well-known standard problem in the area of distributed systems, namely the problem of the dining philosophers [8].

[Synchronisation Pattern , [23]] Let be a process calculus and such that:

  1. can perform at least five alternative reduction steps for such that the are pairwise different.

  2. The steps , , , , and form a circle such that is in conflict with , is in conflict with , is in conflict with , is in conflict with , and is in conflict with . Finally,

  3. every pair of steps in that is not in conflict due to the previous condition is parallel in .

In this case, we denote the process as . The synchronisation pattern is visualised by the Petri net in Figure 1 (c). If all pairs of parallel steps in are distributable in , then we call the non-local. Otherwise, it is called local.

Note that we need at least four steps in this cycle, to have two steps that are distributable, and a cycle of odd degree to distinguish different variants of the . Accordingly, the is the smallest structure with these requirements. To see the connection with the dining philosophers problem, consider the places in Figure 1 (c) as the chopsticks of the philosophers, as resources, and the transitions as eating operations, as steps consuming resources. Each step needs mutually exclusive access to two resources and each resource is shared among two subprocesses. If both resources are allocated simultaneously, eventually exactly two steps are performed.

[23] then shows that the asynchronous () and also the with separate choice () do not contain the pattern , whereas the standard () with mixed choice has .

[Non-Local in ] Consider a term such that

for some . Then, can perform the steps , …, , where the step is a communication on channel . By Definition 2.4, is a non-local .

Actually, the above term is a in CCS with mixed choice, because for this counterexample the communication of values was not relevant. Adding (unused) values to the communication prefixes is straight forward. By using the -pattern as counterexample, [23, 24] shows that there is no good and distributability-preserving encoding from into (or ).

3 Mobile Ambients are not Distributable

Similar to the , mobile ambients were designed in order to be distributed (or distributable), where ambients were introduced as an explicit representation of locations. But in opposite to the there are non-local in mobile ambients, some form of synchronisation between ambients. [Non-Local in Mobile Ambients.] Consider the -term

with . can perform modulo structural congruence the steps

  • :

  • :

  • :

Here, the steps and compete for the non-recurrent -capability. The steps and compete for the right ambient that is non-recurrent in both steps. Hence, both of these pairs of steps are in conflict, while the pair of steps and is distributable. Thus is a non-local .

Similar to the proof, that there is no good and distributability-preserving encoding from into , we use this as a counterexample to show that there is no good and distributability-preserving encoding from into . Therefore, we instantiate the processes , , and such that the conflicting step can be distinguished by success from the distributable steps and . We choose , , and , such that reaches success iff the steps and are performed. [Counterexample] The non-local

reaches success iff performs both of the distributable steps and , where

  • : with and ,

  • : with and , and

  • : with and .

Any good encoding that preserves distributability has to translate such that the emulations of the steps and are again distributable. However, the encoding can translate these two steps into sequences of steps, which allows to emulate the conflicts with the emulation of by two different distributable steps. We show that every distributability-preserving encoding has to distribute and, afterwards, that this distribution of violates the criteria of a good encoding.

Every encoding that is good and distributability-preserving has to split up the conflict in of with and such that there exists a maximal execution in in which is emulated but not , and vice versa.

In [23] we show a similar result for all encodings from into (Lemma 4 in [23]) using a counterexample E1. Since the counterexample in is in its properties very similar to the counterexample E1 of [23], the proof of Lemma 3 is exactly the same as the proof of Lemma 4 in [23] as presented in [24]. The main idea of this proof is as follows: Any good encoding that preserves distributability has to translate such that the emulations of the steps and are again distributable. Moreover any good encoding has to translate the conflicts between and as well as between and into conflicts between the respective emulations. This either leads to a non-local again or it results into an emulation of with at least two steps such that the conflicts with the emulation of are emulated by two different steps. Next we show that this distribution of the conflict violates the criteria of a good encoding with respect to the considered source language, our counterexample and an adaptation of this example.

Also the proof that there is no good and distributability-preserving encoding from into is very similar to the proof for the non-existence of such an encoding from into in [23, 24].

There is no good and distributability-preserving encoding from into .


Assume the opposite. Then there is a good and distributability-preserving encoding of . By the proof of Lemma 3, there is a maximal execution of in that but not is emulated or vice versa. Since and and because of success sensitiveness, the corresponding emulation leads to success. So there is an execution such that the emulation of leads to success without the emulation of or vice versa. Let us assume that but not is emulated. The other case is similar.

For encodings with respect to the relaxed definition of compositionality in Definition 2.3, there exists a context —the combination of the surrounding context and the context introduced by compositionality (Definition 2.3)—such that , where with and . Let . Since , also has to be translated by the same context, . and differ only by a capability necessary for step , but step and are still possible. We conclude, that if reaches some without the emulation of , then reaches at least some state such that . Hence, but which contradicts success sensitiveness. ∎

Note that the only differences in the proof above and the proof for the the non-existence of a good and distributability-preserving encoding from into in [24] are the due to the different counterexample and the corresponding choice of its adaptation with .

4 Conflicts in Mobile Ambients

Both of the above-defined synchronisation patterns rely on the notion of conflict. In mobile ambients, the same ambient can be considered as recurrent in one step, but non-recurrent in another step. This fact, the existence of operators that are recurrent for some but non-recurrent for other steps, distinguishes mobile ambients from all other calculi considered in [23] and generates a new notion of conflict. [Asymmetric Conflict] Consider the mobile ambient term:

can perform two alternative steps

  • with and

  • with

that both use the ambient (but no other operator is used in both steps). In , the ambient is a recurrent capability but in the ambient is moved and, thus, is non-recurrent. Accordingly, disables , , but not vice versa, can perform the step such that . Accordingly, we denote a conflict as symmetric if the steps compete for an operator that is non-recurrent in both, if both steps disable the respective other step, and otherwise as asymmetric. The example above can be extended to a cyclic structure of odd degree. The term

even satisfies Definition 2.4, it describes a non-local , if we were to relax in the required conflicts in Definition 2.4 by requiring only asymmetric conflicts. However, because of the asymmetric conflicts within this structure, it can be encoded much more easily than a with symmetric conflicts. This is also reflected by the fact that in the proofs for the separation result between and in [23] we have to rely on the mutually exclusive nature of the conflicts in the of the counterexample . Accordingly, we cannot use an or a with asymmetric conflicts to derive separation results as done above. Instead, we show that, despite of the with asymmetric conflicts, mobile ambients can be separated from by the synchronisation pattern , because they cannot express a with symmetric conflicts.

It turns out that the symmetric conflict in the pattern of the step with and as given in Example 3 can only be expressed with an -action.

Let be an . Then one of the two conflicts is asymmetric or the step reduces an -action.

Since the synchronisation pattern consists of several cyclic overlapping , all five steps of a in mobile ambients have to reduce an -capability or at least one of the conflicts is asymmetric. However, five steps on -capabilities cannot be combined in a cycle of odd degree. Thus, in all -like structures there is at least one asymmetric conflict. But there are no (without asymmetric conflicts) in mobile ambients.

For all -like structures one of the conflicts in that exist according to Definition 2.4 is asymmetric.

A with an asymmetric conflict cannot be extended to a that can be used as counterexample similarly to in [23, 24]. The proof to separate from and in [23, 24] exploits the fact that every maximal execution of contains exactly two distributable steps of the five alternative steps that form the . But, if we replace a conflict in the by an asymmetric conflict, then three steps are possible in one execution.

All -like structures have an execution that executes three of the five alternative steps that exist according to Definition 2.4.


By Lemma 4, all in mobile ambients have an asymmetric conflict. Thus, whenever some is such that for all the term is a except for asymmetric conflicts, then there is a maximal execution of that contains three steps of the set : the two steps that are related by the asymmetric conflict (executing first the step that is not in conflict to the other and then the one-sided conflicting step) and the step that is in parallel to both of the former neighbouring steps. ∎

To show that there is no good and distributability-preserving encoding from into we proceed as in [23, 24]. First, we observe that every conflict in our counterexample has to be translated into conflicts of the respective emulations in mobile ambients.

Any good and distributability-preserving encoding has to translate the conflicts in into conflicts of the corresponding emulations.

The proof of this Lemma is exactly the same as the proof for the corresponding Lemma for encodings from into in [24] but using the lemmas above, because this proof relies on the encodability criteria and the abstract notion of conflicts that is the same for and . Note that this proof assumes an encoding that satisfies compositionality as defined in Definition 2.3, but, as already stated in [23], it also holds in case of the relaxed version of compositionality that is used here. Then, similar to Lemma 3, we show that each good encoding of the counterexample requires that a conflict has to be distributed.

Any good and distributability-preserving encoding has to split up at least one of the conflicts in (or in ) such that there exists a maximal execution of that emulates only one source term step, unguards exactly one of the five holes.

Again, the above proof is in its main idea similar to the respective proof of the corresponding result for encodings from into in [24]. However, since that proof depends on the expressive power of the considered target language to reason about the properties of the counterexample, we have to adapt it to mobile ambients. Finally, we show again that this distribution of the conflict rules out the possibility of a good and distributability-preserving encoding.

There is no good and distributability-preserving encoding from into .

The proof of this Theorem very closely follows the proof of the corresponding Theorem for encodings from into in [24]. It picks the maximal execution of the translation that unguards—according to Lemma 4—only one hole by emulating only one step of . Then, we can choose such that , where is one of the two steps that is parallel to , and for all other cases. Accordingly, for the result of the step , we have , by doing next, but , because of success in the respective other step that can be executed after . However, the maximal execution of that unguards only and emulates only cannot have the same behaviour success. After emulating we reach a term that cannot offer the possibility to reach success (without the emulation of another source term step) as well as to deadlock without reaching success. This violates our requirements on good encodings.

5 Distributing Mobile Ambients

Theorem 3 shows that mobile ambients are not as distributable as the . Nonetheless, [10] presents an encoding from into in order to build a distributed implementation of mobile ambients in Jocaml ([7]). Let us consider what this encoding does with our counterexample for the non-existence of a good and distributability-preserving encoding from into . The encoding in [10] translates each ambient into a single unique join definition. Then it splits , , and -actions into respective subactions that are controlled by the join definition that represents the parent ambient in the source. Therefore, to perform the emulations of the distributed steps and of , the respective parts of the implementation first have to register their desire to do these steps with their parent join definition. Unfortunately, as each join definition is a single location, these two steps interact with the same join definition, so they cannot be considered as distributed. Accordingly, the encoding presented in [10] is not distributability-preserving in our sense, because the emulations of and are synchronised.

Indeed, the authors of [10] already state that the explicit control of subactions by the translation of the parent ambient introduces some form of synchronisation. However, they claim that the form of synchronisation introduced by the presented encoding is less crucial than, , a centralised solution. Our results support the quality of their solution, by proving that no good and fully distributability-preserving encoding from into exists. So, a bit of synchronisation is indeed necessary. But, our results also suggest possible ways to circumvent the problems in the distribution of mobile ambients altogether by proposing small alterations of the source calculus itself in order to prevent -patterns from the outset.

By Lemma 4, all in mobile ambients rely on a conflict with an -action that addresses two different ambients with the same name. A natural solution to circumvent this problem is to avoid different ambients with the same name. By Lemma 4, mobile ambients with unique ambient names cannot express the pattern .

There are no in mobile ambients, where all ambient names are unique.

Without such an as counterexample, our proof of Theorem 3 would no longer work. Instead, we can show that there is then no good and distributability-preserving encoding from into , by using the example of an in of [23] as counterexample and following a similar proof strategy as for the separation result between and .

If mobile ambients forbid for ambients with the same name, then there is no good and distributability-preserving encoding from into .

The proof of the above claim relies of the formalisation of the requirement that no two different ambients have the same name in the definition of the calculus. More precisely, we need to adapt the proof that every good and distributability-perserving encoding has to split up the conflict in the of with and to the target language with unique ambient names. Since there are several different ways to implement this requirement in the syntax of mobile ambients, we do not formally prove the above claim here. However, we expect that this proof would exploit the same strategy as in [24] and require only small adaptations due to the definition of the calculus.

Actually, the possibility to have different ambients with the same name was already identified as problematic in the encoding of [10]. To circumvent this problem, the encoding introduces unique identifiers for all ambients and one of the reasons for the interaction with the respective translation of the parent ambient to control the translations of ambient actions is that these translations of parent ambients keep the knowledge about the unique identifiers of their children. Thus, forbidding different ambients with the same name not only allows for completely distributed implementations of the calculus but also significantly simplifies translations that follow the strategy of [10].

To obtain strategies to implement this requirement, we can have a look at other distributed calculi with unique location names. The ([9]) ensures the uniqueness of its locations by combining input prefixes with restriction in join definitions. Thus, every join definition, location, introduces its own name space. Interaction is limited to such restricted names with a clear and unique destination. The advantage is that the uniqueness of location names is ensured by definition; the disadvantage is that some forms of interaction—a two-way handshake—are syntactically more difficult due to these sharp restriction borders. The distributed ([15]) has a flat structure of locations and ensures uniqueness by the structural congruence rule that unifies different parts of a location. However, adding such a rule to mobile ambients requires a non-trivial adaptation of the semantics, because the , , and -actions would need to first collect all ambient parts that are possibly dispersed over the term structure before they can proceed. Moreover, following this approach would not completely rule out different ambients with the same name but only different such ambients in the same parent ambient (or at top-level). This is, however, sufficient to ensure that there are no .

6 Conclusions

We proved that there is no good and distributability-preserving encoding from mobile ambients () into the () and neither from the standard with mixed choice () into mobile ambients. Note that these results stay valid also for the extension of with communication prefixes as described in [5, 6], because these communications are local steps that cannot be in conflict to steps with , , or -actions. Thus, all conflicts added by the extension with communication primitives are local and not relevant for the preservation of distributability. Consequently, by extending the results of [23], we place mobile ambients on the same level as the with separate choice () and the asynchronous () above and below . As visualized in Figure 2, mobile ambients contain non-local but cannot express a non-local without asymmetric conflicts.

Figure 2: Distributability in Pi-like Calculi.

Asymmetric conflicts, as present in mobile ambients, constitute a variant of conflicts that turns out to be not as crucial for distributed implementations as the standard symmetric conflicts that we usually find in calculi. Nonetheless, the existence of non-local make fully distributed implementations of mobile ambients difficult—as already observed in [10]. However, since the reason for these difficulties is now clearly captured in a simple synchronisation pattern, we can more easily derive strategies to adapt mobile ambients to a distributed calculus without such problems.

Interestingly, the extension of mobile ambients into mobile safe ambients in [17] does not solve this problem. The main idea of safe ambients is that actions require an explicit agreement on this action by both participating ambients. Therefore, safe ambients augment the respective target ambient of an action  with a matching complementary action . This extension, however does neither change the power to express the pattern nor the asymmetric nature of conflicts with steps that do not rely on an -action. In fact, the in mobile ambients, the pattern , becomes

in safe ambients. This term is again an sharing the kind of steps and properties of . Thus, we obtain the same separation result as in Theorem 3 with safe ambients using the above counterexample. Moreover, since safe ambients do also not contain , also Theorem 4 stays valid for safe ambients.

The most obvious way to obtain a fully distributed variant of mobile ambients is to ensure uniqueness of ambient names. As a consequence, actions of mobile ambients have a clear and unique destination. Note that, having clear and unique destinations for all actions that travel location borders is also crucial for the distributability of other calculi such as the or the distributed . Such unique destinations significantly limit the possibility of conflicts and ensure that all remaining conflicts of the language are local. As a consequence, distributed implementations of such languages do not need to introduce synchronisations and, thus, do not change their semantics. Hence, keeping the destinations for all actions that travel location borders unique, is a good strategy to build distributed calculi in general.


  • [1]
  • [2] G. Berry & G. Boudol (1990): The Chemical Abstract Machine. In: Proc. of POPL, SIGPLAN-SIGACT, pp. 81–94, doi:10.1145/96709.96717.
  • [3] E. Best & P. Darondeau (2011): Petri Net Distributability. In: Proc. of PSI, LNCS 7162.
  • [4] G. Boudol (1992): Asynchrony and the -calculus (note). Note, INRIA.
  • [5] L. Cardelli & A.D. Gordon (1998): Mobile ambients. In: Proc. of FoSSaCS, LNCS 1378, pp. 140–155, doi:10.1007/BFb0053547.
  • [6] L. Cardelli & A.D. Gordon (2000): Mobile ambients. Theoretical Computer Science 240(1), pp. 177–213, doi:10.1016/S0304-3975(99)00231-5.
  • [7] S. Conchon & F. Le Fessant (1999): Jocaml: mobile agents for Objective-Caml. In: Proc. of ASA/MA, IEEE, pp. 22–29, doi:10.1109/ASAMA.1999.805390.
  • [8] E.W. Dijkstra (1971): Hierarchical Ordering of Sequential Processes. Acta Informatica 1(2), pp. 115–138, doi:10.1007/BF00289519.
  • [9] C. Fournet & G. Gonthier (1996): The Reflexive CHAM and the Join-Calculus. In: Proc. of POPL, SIGPLAN-SIGACT, pp. 372–385, doi:10.1145/237721.237805.
  • [10] C. Fournet, J.-J. Lévy & A. Schmitt (2000): An Asynchronous, Distributed Implementation of Mobile Ambients. In: Proc. of TCS, LNCS 1872, pp. 348–364, doi:10.1007/3-540-44929-9_26.
  • [11] R. van Glabbeek (2001): The Linear Time – Branching Time Spectrum I: The Semantics of Concrete, Sequential Processes. Handbook of Process Algebra, pp. 3–99.
  • [12] R. van Glabbeek, U. Goltz & J.-W. Schicke (2008): On Synchronous and Asynchronous Interaction in Distributed Systems. In: Proc. of MFCS, LNCS 5162, pp. 16–35, doi:10.1007/978-3-540-85238-4.
  • [13] R. van Glabbeek, U. Goltz & J.-W. Schicke-Uffmann (2012): On Distributability of Petri Nets. In: Proc. of FoSSaCS, LNCS 7213, pp. 331–345, doi:10.1007/978-3-642-28729-9_22.
  • [14] D. Gorla (2010): Towards a Unified Approach to Encodability and Separation Results for Process Calculi. Information and Computation 208(9), pp. 1031–1053, doi:10.1016/j.ic.2010.05.002.
  • [15] M. Hennessy (2007): A Distributed Pi-Calculus. Cambridge University Press, doi:10.1017/CBO9780511611063.
  • [16] K. Honda & M. Tokoro (1991): An Object Calculus for Asynchronous Communication. In: Proc. of ECOOP, LNCS 512, pp. 133–147, doi:10.1007/BFb0057011.
  • [17] F. Levi & D. Sangiorgi (2003): Mobile Safe Ambients. In: Proc. of TOPLAS, 25, ACM, pp. 1–69, doi:10.1145/596980.596981.
  • [18] J.-J. Lévy (1997): Some Results in the Join-Calculus. In: Theoretical Aspects of Computer Software, LNCS 1281, pp. 233–249, doi:10.1007/BFb0014554.
  • [19] R. Milner, J. Parrow & D. Walker (1992): A Calculus of Mobile Processes, Part I and II. Information and Computation 100(1), pp. 1–77, doi:10.1016/0890-5401(92)90008-4, 10.1016/0890-5401(92)90009-5.
  • [20] R. Milner & D. Sangiorgi (1992): Barbed Bisimulation. In: Proc. of ICALP, LNCS 623, pp. 685–695, doi:10.1007/3-540-55719-9_114.
  • [21] K. Peters (2012): Translational Expressiveness. Ph.D. thesis, TU Berlin, doi:10.14279/depositonce-3416.
  • [22] K. Peters & U. Nestmann (2018): On the Distributability of Mobile Ambients (Technical Report). Technical Report, TU Berlin, https://arxiv.org.
  • [23] K. Peters, U. Nestmann & U. Goltz (2013): On Distributability in Process Calculi. In: Proc. of ESOP, LNCS 7792, pp. 310–329, doi:10.1007/978-3-642-37036-6_18.
  • [24] K. Peters, U. Nestmann & U. Goltz (2013): On Distributability in Process Calculi (Appendix). Technical Report, TU Berlin. http://www.mtv.tu-berlin.de/fileadmin/a3435/pubs/distProcCal.pdf.
  • [25] G.D. Plotkin (2004): A structural approach to operational semantics. Journal of Logic and Algebraic Programming 60, pp. 17–140. [An earlier version of this paper was published as technical report at Aarhus University in 1981.].