1 Introduction
The widespread availability of virtualization resources such as container and virtual machine technology are marking a new incarnation of distributed systems. Tasks such as faulttolerant infrastructure monitoring and delivery of goods in unmanned aerial systems, preventing privacy breaches in social networks and cloud storage by managing information access, and saving lives by controlling and monitoring pace makers are now taking place in the presence of spatial hierarchies. This means that the usual high degree of safety criteria in such systems is now exposed to the presence of hierarchical computation (and sharing) of information among groups of distributed and concurrent agents, which makes it an even more challenging goal for formal modeling and verification purposes.
An interesting step towards mathematically understanding and formally modeling these highly distributed hierarchical systems has been taken by S. Knight et al. [16] and M. Guzmán et al. [14]. They introduce an algebraic model of spatial modalities in constrainedbased process calculi where information (e.g., knowledge) can be shared in spatially distributed agents that interact with the global system by launching processes (e.g., programs). The scope of an agent is given by a spatial operator indicating where a process resides within the space structure, where it queries and posts information in the local store. In the end, their proposal offers an algebraic framework to model and reason about important concepts of safetycritical systems such as faulttolerance, consistency, and privacy within the setting of distributed hierarchical spaces and process extrusion (i.e., mobility).
This work addresses the key issue of automatically verifying reachability properties of distributed hierarchical systems based on the algebraic model of spatially constrained concurrent process with extrusion in [16, 14]. The approach is based on the formal specification of such a model as a theory in rewriting logic [18], a semantic framework unifying a wide range of models of concurrency. The formal specification is executable in Maude [6], thus benefiting from formal analysis techniques and tools such as statespace exploration and automatabased LTL model checking. Safety criteria such as faulttolerance (e.g., when and how does a local store first become inconsistent?), consistency (e.g., does a fault propagate to the global system?, do two stores have the same information?), and privacy (e.g., does a store ever gain enough information as to reveal private information?) can now be automatically queried in these systems.
The rewriting logic theory introduced in this work supports the constructs of constrainedbased process calculi presented in in [16, 14] such as posting and querying information from/to a local store, parallel composition of processes, recursion, and extrusion. The underlying constraint system is materialized with the help of SMTsolving technology. In particular, the constraints are quantifierfree formulas interpreted over the Booleans and integers, and the information entailment in the algebraic model is realized via semantic inference. By following the rewriting modulo SMT approach [23], simulation of the rewrite relation induced by the rewriting logic theory can be performed efficiently using matching and SMTsolving. In this setting, existential reachability queries can be automatically and efficiently performed using existing rewritebased facilities available from Maude.
Continuing with the effort of putting epistemic concepts in the hands of programmers initiated in [16], a programming language is introduced in this work. This language provides programmers with the building blocks of a language based on the algebraic model of spatial modalities in constrainedbased process calculi, with the executable semantics given by rewrite theory abovementioned. Such a language is accompanied with an opensource graphical environment in which code can be edited and executed.
Outline.
This work is organized as follows. Section 2 presents some preliminaries on concurrent constraint programming, rewriting logic, and SMTsolving. Section 3 overviews spatial concurrent constraint systems with extrusion. Section 4 introduces the rewriting logic semantics of the algebraic model and Section 4 presents the mechanical proofs obtained for ensuring the correctness of the operational semantics of the rewrite theory w.r.t. to its mathematical one. Section 6 explains how existential reachability properties can be automatically proved and examples illustrating such a feature. The language and tool based on the algebraic model are explained in Section 7. Finally, Section 8 concludes the work.
2 Preliminaries
2.1 Concurrent Constraint Programming and Constraint Systems
Concurrent Constraint Programming (CCP) [27, 26, 28] (see a survey in [21]) is a model for concurrency that combines the traditional operational view of process calculi with a declarative view based on logic. This allows CCP benefit from the large set of reasoning techniques of both process calculi and logic. Under this paradigm, the conception of store as valuation in the von Neumann model is replaced by the notion of store as constraint and processes are seen as information transducers.
The CCP model of computation makes use of ask and tell operations instead of the classical read and write. An ask operation tests if a given piece of information (i.e., a constraint as in ) can be deduced from the store. The tell operations post constraints in the store, thus augmenting/refining the information in it. A fundamental issue in CCP is then the specification of systems by means of constraints that represent partial information about certain variables. The state of the system is specified by the store (i.e., a constraint) that is monotonically refined by processes adding new information.
The basic constructs (processes) in CCP are: (1) the agent, which posts the constraint to the store, making it available to the other processes. Once a constraint is added, it cannot be removed from the store (i.e., the store grows monotonically). And (2), the ask process , which queries if can be deduced from the information in the current store; if so, the agent behaves like , otherwise, it remains blocked until more information is added to the store. In this way, ask processes define a reactive synchronization mechanism based on entailment of constraints. A basic CCP process language usually adds parallel composition () combining processes concurrently, a hiding operator for local variable definition, and potential infinite computation by means of recursion or replication.
The CCP model is parametric in a constraint system (CS) specifying the structure and interdependencies of the partial information that processes can query (ask) and post (tell) in the shared store. The notion of constraint system can be given by using firstorder logic. Given a signature and a firstorder theory over , constraints can be thought of as firstorder formulae over . The (binary) entailment relation over constraints is defined for any pair of constraints and by iff the implication is valid in . As an example, take the finite domain constraint system (FD) [29] where variables are assumed to range over finite domains and, in addition to equality, it is possible to have predicates (e.g., “”) that restrict the values of a variable to some finite set.
An algebraic representation of CS is used in the present work.
Definition 1 (Constraint Systems)
A constraint system is a complete algebraic lattice . The elements of are called constraints. The symbols , , and are used to denote the least upper bound lub operation, the bottom, and the top element of , respectively.
In Definition 1, a CS is characterized as a complete algebraic lattice. The elements of the lattice, the constraints, represent (partial) information. A constraint can be viewed as an assertion (or a proposition). The lattice order is meant to capture entailment of information: , alternatively written , means that the assertion represents as much information as . Thus may be interpreted as saying that or that can be derived from . The least upper bound lub operator represents join of information and thus is the least element in the underlying lattice above and , asserting that both and hold. The top element represents the lub of all, possibly inconsistent, information, hence it is referred to as . The bottom element represents the empty information.
2.2 Ordersorted Rewriting Logic in a Nutshell
This section presents an overview of rewriting logic and how it can be used to obtain a rewriting logic semantics of a language. The reader is referred to [18, 6] and [20, 25], respectively, for an indepth treatment of these topics.
Rewriting logic [18] is a general semantic framework that unifies a wide range of models of concurrency. Language specifications can be executed in Maude [6], a highperformance rewriting logic implementation and benefit from a wide set of formal analysis tools available to it, such as an LTL model checker and an inductive theorem prover.
2.2.1 Rewriting Logic.
A rewriting logic specification or rewrite theory is a tuple where:

is an ordersorted equational theory with a signature with finite poset of sorts and a set of function symbols typed with sorts in ; is a set of equations, which are universally quantified Horn clauses with atoms that are equations with terms of the same sort; is a set of structural axioms (e.g., associativity, commutativity, identity) such that there exists a matching algorithm modulo producing a finite number of matching substitutions or failing otherwise; and

a set of universally quantified conditional rewrite rules of the form
where are terms of the same sort and each is a equality.
Given , an indexed family of disjoint variable sets with each countably infinite, the set of terms of sort and the set of ground terms of sort are denoted, respectively, by and ; similarly, and denote, respectively, the set of terms and the set of ground terms. The expressions and denote the corresponding ordersorted term algebras. All ordersorted signatures are assumed preregular [12], i.e., each term has a unique least sort s.t. . It is also assumed that has nonempty sorts, i.e., for each . Manysorted equational logic is the special case of ordersorted equational logic when the subsort relation is restricted to be the identity relation over the sorts.
An equational theory induces the congruence relation on (or simply ) defined for by if and only if , where denotes provability by the deduction rules for ordersorted equational logic in [19]. For the purpose of this paper, such inference rules, which are analogous to those of manysorted equational logic, are even simpler thanks to the assumption that has nonempty sorts, which makes unnecessary the explicit treatment of universal quantifiers. The expressions and (also written and ) denote the quotient algebras induced by on the term algebras and , respectively; is called the initial algebra of .
A (topmost) rewrite theory is a tuple with top sort State, i.e., no operator in has State as argument sort and each rule satisfies and . A rewrite theory induces a rewrite relation on defined for every by if and only if there is a rule and a substitution satisfying , , and . The tuple is called the initial reachability model of [5].
2.2.2 Admissible Rewrite Theories.
Appropriate requirements are needed to make an equational theory admissible, i.e., executable in rewriting languages such as Maude [6]. In this paper, it is assumed that the equations can be oriented into a set of (possibly conditional) sortdecreasing, operationally terminating, and confluent rewrite rules modulo . The rewrite system is sort decreasing modulo if and only if for each and substitution , if . The system is operationally terminating modulo [8] if and only if there is no infinite wellformed proof tree in (see [17] for terminology and details). Furthermore, is confluent modulo if and only if for all , if and , then there is such that and . The term denotes the canonical form of modulo so that and cannot be further reduced by . Under sortdecreasingness, operational termination, and confluence, the term is unique up to equality.
For a rewrite theory , the rewrite relation is undecidable in general, even if its underlying equational theory is admissible, unless conditions such as coherence [31] are given (i.e, whenever rewriting with can be decomposed into rewriting with and ). A key goal of [23] was to make such a relation both decidable and symbolically executable when is topmost and decomposes as , representing a builtin theory for which formula satisfiability is decidable and has a matching algorithm.
2.2.3 Rewriting Logic Semantics.
The rewriting logic semantics of a language is a rewrite theory where provides a stepbystep formal description of ’s observable runtocompletion mechanisms. The conceptual distinction between equations and rules in has important consequences that are captured by rewriting logic’s abstraction dial [20]. Setting the level of abstraction in which all the interleaving behavior of evaluations in is observable, corresponds to the special case in which the dial is turned down to its minimum position by having . The abstraction dial can also be turned up to its maximal position as the special case in which , thus obtaining an equational semantics of without observable transitions. The rewriting logic semantics presented in this paper is faithful in the sense that such an abstraction dial is set at a position that exactly captures the interleaving behavior of the concurrency model.
2.2.4 Maude.
Maude [6] is a language and system based on rewriting logic. It supports ordersorted equational and rewrite theory specifications in functional and system modules, respectively. Admissibility of functional and system modules can be checked with the help of the Maude Formal Environment (MFE) [10, 9], an executable formal specification in Maude with tools to mechanically verify such properties. The MFE includes the Maude Termination Tool, the Maude Sufficient Completeness Checker, the ChurchRosser Checker, the Coherence Checker, and the Maude Inductive Theorem Prover.
2.3 SMTSolving
Satisfiability Modulo Theories (SMT) studies methods for checking satisfiability of firstorder formulas in specific models. The SMT problem is a decision problem for logical formulas with respect to combinations of background theories expressed in classical firstorder logic with equality. An SMT instance is a formula (typically quantifier free, but not necessarily) in firstorder logic and a model , with the goal of determining if is satisfiable in .
In this work, the representation of the constraint system is based on SMT solving technology. Given an manysorted equational theory and a set of variables over the sorts in , the formulas under consideration are in the set of quantifierfree formulas: each formula being a Boolean combination of equation with variables in (i.e., atoms). The terms in are called builtins and represent the portion of the specification that will be handled by the SMT solver (i.e., semantic data types). In this setting, an SMT instance is a formula and the initial algebra , where is a decidable extension of such that
Many decidable theories of interest are supported by SMT solvers satisfying this requirement (see [23] for details). In this work, the latest alpha release of Maude that integrates Yices2 [11] and CVC4 [3] is used for reachability analysis.
3 Spatial Concurrent Constraint Systems with Extrusion
This section presents the syntax and the structural operational semantics of spatial concurrent constraints systems with extrusion, which is based mainly on [16]. This section also introduces an example to illustrate the main features of the language.
3.1 Spatial Constraint Systems
The authors of [16] extended the notion of CS to account for distributed and multiagent scenarios where agents have their own space for local information and computation.
Locality and Nested Spaces.
Each agent has a space function from constraints to constraints (recall that constraints can be viewed as assertions). The function
can be interpreted as an assertion stating that is a piece of information that resides within a space attributed to agent . An alternative epistemic interpretation of is an assertion stating that agent believes or that holds within the space of agent (but it may or may not hold elsewhere). Both interpretations convey the idea that is local to agent . Following this intuition, the assertion
is a hierarchical spatial specification stating that holds within the local space the agent attributes to agent . Nesting of spaces such as in can be of any depth.
Parallel Spaces.
A constraint of the form
can be seen as an assertion specifying that and hold within two parallel/neighboring spaces that belong to agents and . From a computational/concurrency point of view, it is possible to think of as parallel composition; from a logic point of view, corresponds to conjunction.
The notion of an agent spatial constraint system is formalized in Definition 2.
Definition 2 (Spatial Constraint System [16])
An agent spatial constraint system SCS is a CS equipped with selfmaps over its set of constraints satisfying for each function :

and

Property S.1 in Definition 2 requires space functions to be strict maps (i.e., bottom preserving) where an empty local space amounts to having no knowledge. Property S.2 states that space functions preserve (finite) lubs, and also allows to join and distribute the local information of any agent Henceforth, given an SCS , each is thought as the space (or space function) of the agent in . The tuple denotes the corresponding SCS with space functions Components of an SCS tuple shall be omitted when they are unnecessary or clear from the context. When is unimportant, SCS is simply written as SCS.
Extrusion.
Extrusion (i.e., mobility) plays a key role in distributed systems. Following the algebraic approach, it is possible to provide each agent with an extrusion function [14, 15]. The process within a space context means that the process must be executed outside of agent’s space.
Definition 3 presents the extension of spatial constraint systems with extrusion.
Definition 3 (Spatial Constraint System with Extrusion [14])
An agent spatial constraint system with extrusion (SCSE) is an SCS equipped with selfmaps over , written , such that each is the right inverse of .
3.2 Spatial Ccp with Extrusion
The spatial concurrent constraint programming with extrusion (SCCP+E) calculus presented in this section follows the developments of [16] and [14]. The syntax of SCCP+E is parametric on an SCSE and it is presented in Definition 4.
Definition 4 (Sccp+E Processes)
Let be a constraint system, a set of agents, and an infinite countable set of variables. Let be an SCSE and consider the following EBNFlike syntax:
where , , and . An expression in the above syntax is a process if and only if every variable in occurs in the scope of an expression of the form . The set of processes of SCCP+E is denoted by Proc.
The SCCP+E calculus can be thought of as a sharedspaces model of computation. Each agent has a computational space of the form possibly containing processes and other agents’ spaces. The basic constructs of SCCP+E are tell, ask, and parallel composition, and they are defined as in standard CCP [28]. A process running in an agent adds to its local store , making it available to other processes in the same space. This addition, represented as , is performed even if the resulting constraint is inconsistent. The process running in space may execute if is entailed by , i.e., . The process specifies the parallel execution of processes and ; given , the expression is used as a shorthand for . A construction of the form denotes a process running within the agent ’s space. Any information that produces is available to processes that lie within the same space. The process denotes that process runs outside the space of agent and the information posted by resides in the store of the parent of agent . The behavior of recursive definitions of the form is represented by , i.e., every free occurrence of in is replaced with . In order to make recursive definitions finite, it is necessary for recursion to be guarded by an ask, i.e., every occurrence of in is within the scope of an ask process. Note that the process in a construction of the form is unguarded.
Example 1
Consider the processes and . Consider : by the above intuitions the constraints and are added to store of agent . A similar behavior is achieved by the process , which also produces in the store of agent (note that is equivalent to by Property S.2 in Definition 2). In contrast, the process with , does not necessarily add to the space of agent because is not made available for agent ; likewise in , is not added to the space of agent . Finally, consider . In this case, because of extrusion, both and will be added to store of agent . However, with , results in the space of agent having and , but neither are available for agent . Note that in , the constraint is added to the space of agent , but since cannot be extruded in , is not added to the spaces of or .
Next, the notion of the projection of a spatial constraint for an agent is introduced.
Definition 5 (Views)
The agent ’s view of , denoted as , is given by .
The intuition is that represents all the information the agent may see or have in . For example if then agent sees , so .
3.3 Structural Operational Semantics of Sccp+E
The operational semantics of SCCP+E is defined over configurations. A configuration is a pair of the form , where is a process and is the spatial distribution of information available to it; the set of configurations is denoted by Conf. The structural operational semantics of SCCP+E is captured by the binary transition relation , defined by the rules in Figure 1.
The rules , , and for the basic processes and recursion are the standard ones in CCP. In order to avoid another version of the rule for process , parallel composition is assumed to be (associative and) commutative. The rule is a contextdependent definition for extrusion, i.e., it requires a space process (i.e., with ) and specifies extrusion in the sense explained before. In the rule , represents all the information the agent may see or have in : namely, runs with store , i.e., with the agent’s view of . Also note the information added to by the computation of corresponds to the information added by to the space of agent .
Example 2
One way of understanding is by considering a constraint as a treelike structure. Each node in such a tree corresponds to the information (constraint) contained in an agent’s space. Edges in the treelike structure define the spatial hierarchy of agents. For example, given an appropriate SCSE, Figure 2 corresponds to the following store :
The configuration
is a deadlock, while
by the rules and , using the fact that .
3.4 Example
This section includes an example that will be used throughout the paper. The example models a system where an agent sends messages to other agents through the spatial hierarchy.
As mentioned earlier, a distinctive property about SCCP+E is that it allows to have inconsistent information within spaces; i.e., one agent may have local information and the other some local information such that (e.g., and could be and , respectively). This also means that an agent can send inconsistent information to different agents.
As an example of how hierarchical distributed processes evolve with respect to the SCCP+E’s structural operational semantics, consider the sequence of system states depicted in Figure 3. These states (figures 2(a)2(l)) correspond to a stepbystep execution from the initial configuration (Figure 2(a)), with the process defined as follows:
and where:
4 Rewriting Logic Semantics
The rewriting logic semantics of a language is a rewrite theory where provides a stepbystep formal description of ’s observable runtocompletion mechanisms. The conceptual distinction between equations and rules in has important consequences that are captured by rewriting logic’s abstraction dial [20]. Setting the level of abstraction in which all the interleaving behavior of evaluations in is observable, corresponds to the special case in which the dial is turned down to its minimum position by having . The abstraction dial can also be turned up to its maximal position as the special case in which , thus obtaining an equational semantics of without observable transitions. The rewriting logic semantics sets such an abstraction dial at a position that exactly captures the interleaving behavior of SCCP+E.
This section presents a rewriting logic semantics for SCCP+E in the form of a rewrite theory with topsort Sys. The data types supporting the state structure are defined by the equational theory and the state transitions are axiomatized by the rewrite rules . The constraint system, as detailed later in this section, is materialized by an equational theory of builtins whose quantifierfree formulas are handled by SMT decision procedures. The complete specification of can be found in Appendix 9.
Figure 4 depicts the module structure of . Maude offers three modes for importing a module, namely, protecting, extending, and including. When a functional module protects a functional module , it means that the data types from are kept the same in (i.e., no junk and no confusion are added to the sorts of ). When a functional module extends a functional module , it means that the data types from can be extended with new terms, but existing terms are not identified (i.e., junk is allowed but confusion is not). When a functional module imports a functional module , it means that the data types from can be extended with new terms and existing terms can be identified (i.e., junk and confusion are allowed). In , modules are imported by protecting (denoted by a triple arrow ) or including (denoted by a single arrow ) submodules. See [6] for details about the three different modes of module importation in Maude.
4.1 The Constraint System
The materialization of the constraint system in uses SMT solving technology. Given a manysorted (i.e., ordersorted without sort structure) equational theory and a set of variables over the sorts in , the formulas under consideration are in the set of quantifierfree formulas: each formula being a Boolean combination of equation with variables in (i.e., atoms). The terms in are called builtins and represent the portion of the specification that will be handled by the SMT solver (i.e., semantic data types). Thus, an SMT instance is a formula and the initial algebra , where is a decidable extension of (typically by adding some inductive consequences and, perhaps, some extra symbols) such that
Many decidable theories of interest are supported by SMT solvers satisfying this requirement (see [23] for details).
The INTEGER module implements the equational theory of builtins and the sort Boolean defines the data type used to represent the constraints. The topmost concurrent transitions in are then symbolic rewrite steps of state terms with subterms in the set of terms of sort Sys with variables over the builtin sorts in .
Lemma 1
The pair is a constraint system, where are the variables ranging over the sorts Boolean and Integer.
The elements in are equivalence classes of quantifierfree formulas of sort Boolean modulo semantic equivalence in (this technicality guarantees, e.g., the uniqueness of least upper bounds). Therefore, by an abuse of notation, the constraint system has quantifierfree formulas of sort Boolean as the constraints and the inverse of the semantic validity relation , w.r.t. the initial model , as the entailment relation.
In order to use as the underlying constraint system, relies on the current version of Maude that is integrated with the CVC4 [3] and Yices2 [11] SMT solvers. The SMTUTIL module encapsulates this integration, which requires the reflective capabilities of Maude available from the METALEVEL module. The function entails implements the semantic validity relation (w.r.t. ) using the auxiliary functions checksat and checkunsat (observe that the sort Boolean is different to the usual sort Bool for Boolean terms in Maude):
The function invocation checksat(B) evaluates to true iff B is satisfiable; alternatively, it evaluates to false if B is unsatisfiable or if the SMT solver times out. The function invocation checkunsat(B) returns true iff B is unsatisfiable. Note that if the constraints are decidable, then checkunsat is not only sound but complete. More precisely, if is a finite subset of decidable constraints in and is also a decidable constraint in , then the following equivalence holds:
4.2 System States
At the top level, the system is represented by the top sort Sys defined in SCCPSTATE:
The argument of a state is the configuration of objects representing the setup of the agents and processes in the system. Sort Cnf is that of configuration of agents in an objectlike notation. More precisely, sort Cnf represents multisets of terms of sort Obj, with set union denoted by juxtaposition. An object is by itself a configuration of objects, namely, the singleton one; constant mt denotes the empty configuration and it is the identity of the union operator. There are two types of objects: process objects and store objects. Process and stores objects are represented by triples [_,_,_] (as Obj). The first two arguments of both a process and a store object are its type (either process or store, as Cid) and its identifier (as Aid). The third argument of a process object is the program it is executing (as SCCPCmd) and the third argument of a store object is a formula representing the constraint of its corresponding agent (as Boolean).
The idea is that in any observable state there can be many process objects executing in an agent’s space but there must be exactly one store object per agent (i.e., space). More precisely, in an observable state, each agent’s space is represented by a set of terms: some encoding the state of execution of all its processes and exactly one object representing its local store.
Process and store objects use a qualified name (sort Aid) identifying to which agent’s space they belong; this sort is defined in module AGENTID. Natural numbers (sort iNat), in Peano notation and with an equality enrichment [13], are used to specify agents’ identifiers. The hierarchical structure of spaces is modeled as a treelike structure where the root space is identified by the constant root. Any other qualified name corresponds to a dotseparated list of agent identifiers, arranged from left to right. That is, 3 . 1 . root denotes that agent 3 is within the space of agent 1, which in turn is within the top level of root.
The processes in SCCP+E are modeled as commands (sort SCCPCmd) as defined in the module SCCPSYNTAX:
The argument of a tell_ command is a formula (as Boolean), namely, the formula to be added to the corresponding store. The ask_>_ command has a formula (as Boolean) and a program (as SCCPCmd) as arguments, denoting that if the given formula is entailed by the corresponding store, then the process is to be executed next. Both arguments of the __ command are processes (as SCCPCmd). The arguments of the <_>[_], rec(_,_), and xtr(_,_) commands are a natural number (representing the identifier of a descendant, a variable, and the identifier of the ancestor, respectively) and a command to be executed. Note that the syntax of each command is very close to the actual syntax in the SCCP+E model, e.g., constructs of the form and in SCCP+E are represented in the syntax of SCCPCmd by terms of the form P  Q and <i>[P], respectively.
4.3 Auxiliary Operations
There are three auxiliary operations defined in the semantics. They are used to verify whether a condition is satisfied by the system before a transition happens and for replacing terms for the recursion command.
The function symbol isprefix? is defined in AGENTID to verify recursively whether an agent is descendant of other agent based on its Aid. For instance, 1 . 2 is descendant of 2 because 2 is prefix of 1 . 2. By definition, root is prefix of every agent. The equations defining the isprefix? function evaluate to true if the first argument is a prefix of the second one; otherwise, it is false.
Some commands in SCCP+E require that a store exists in the system. For that reason the existsstore? function symbol is defined in module SCCPSTATE: it is used to look within a configuration of agents (as Cnf) for a store with an given Aid. The equation defining existsstore? evaluate to true if the store exists; otherwise, it is false.
Finally, the recursion construct in SCCP+E means that every free occurrence of in is replaced with . For this reason, the replace function symbol is defined as follows: given a program , a variable identifier (as iNat), and a program , every free occurrence of in is substituted by .
4.4 System Transitions
The state transitions in comprise both invisible (given by equations) and observable (given by rules) transitions.
There are two types of invisible transitions that are specified with the help of equations. Namely, one to remove a 0 process from a configuration and another one to join the contents of two stores of the same space (i.e., two stores with the same Aid). The latter type of transition is important especially because when a new process is spawned in a agent’s space, a store with the empty constraint (i.e., true) is created for that space. If such space existed before, then the idea is that the newly created store is subsumed by the existing one (variable L is of sort Aid, X of sort Cnf, and of sort Boolean):
There are six rules capturing the concurrent observable behavior in the specification (variable L is of sort Aid, X of sort Cnf, of sort Boolean, of sort SCCPCmd, and N of sort iNat).
Rule [tell] implements the semantics of a process executing a tell command by posting the given constraint in the local store and by transforming such a process to the nil process. Rule [ask] executes command C1 when the guard B1 in ask B1 > C1 holds: that is, when B1 is entailed by the local store B0. Rule [parallel] implements the semantics for parallel composition of process by spawning the two process in the current space. Rule [space] creates a new space denoted by N0 . L0 (as Aid) with an empty store (i.e., true) and starts the execution of program C0 within the space. Rule [recursion] defines the semantics of a process executing a rec command by using the aforementioned auxiliary function replace. Rule [extrusion] executes process C0 in the parent space of the agent and transitions the xtr process to the nil process. Note that recursion command can lead to nontermination. It is common in SCCP+E to guard such commands with an ask in order to tame the potential nontermination.
Example 4
Using the functional module SCCPSYNTAX, the process in Figure 3 can be represented as follows:
If this command is executed in the space of agent 0 . root from the initial state in Example 3 (and depicted in Figure 2(a)), it leads to the state
which corresponds to the final state depicted in Figure 2(l).
Theorem 4.1
If and are configurations of SCCP+E with underlying constraint system restricted to decidable formulas, then
where and are an encoding of the corresponding configurations in the syntax of .
Proof
The proof follows by structural induction on the and relations. ∎
5 Admissibility
This section presents a map that results in a rewrite theory , equivalent in terms of admissibility to (introduced in Section 4) under some reasonable assumptions, but in which dependencies to nonalgebraic data types such as terms over the builtins or at the metalevel in have been removed. This section also presents proofs of admissibility of the rewrite theory . Such proofs are obtained mechanically using the Maude Formal Environment (MFE) [9, 10] and establish the correspondence (i.e., soundness and completeness) between the mathematical and operational semantics of . The specification can be found in Appendix 10
The map consists of the following items, which make the specification amenable to mechanical verification in the MFE:

Changing the sort Bool in TRUTHVALUE to the sort iBool in the module ITRUTHVALUE and adjusting the specification to account for this new definition of Boolean values.

Removing all dependencies in SMTUTIL of the module METALEVEL.

Introducing a custom ifthenelsefi function symbol in SCCPSYNTAX and adjusting the definition of the auxiliary function symbol replace to use this new version instead.
The module structure of the resulting specification
Comments
There are no comments yet.