Reachability Analysis for Spatial Concurrent Constraint Systems with Extrusion

05/18/2018
by   Miguel Romero, et al.
0

Spatial concurrent constraint programming (SCCP) is an algebraic model of spatial modalities in constrained-based process calculi; it can be used to reason about spatial information distributed among the agents of a system. This work presents an executable rewriting logic semantics of SCCP with extrusion (i.e., process mobility) that uses rewriting modulo SMT, a novel technique that combines the power of term rewriting, matching algorithms, and SMT-solving. In this setting, constraints are encoded as formulas in a theory with a satisfaction relation decided by an SMT solver, while the topology of the spatial hierarchy is encoded as part of the term structure of symbolic states. By being executable, the rewriting logic specification offers support for the inherent symbolic and challenging task of reachability analysis in the constrained-based model. The approach is illustrated with examples about the automatic verification of fault-tolerance, consistency, and privacy in distributed spatial and hierarchical systems.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

09/09/2019

A Rewriting Logic Approach to Stochastic and Spatial Constraint System Specification and Verification

This paper addresses the issue of specifying, simulating, and verifying ...
08/16/2019

Modular Verification of Heap Reachability Properties in Separation Logic

The correctness of many algorithms and data structures depends on reacha...
07/09/2020

Symbolic Reachability Analysis of High Dimensional Max-Plus Linear Systems

This work discusses the reachability analysis (RA) of Max-Plus Linear (M...
11/20/2017

SMT Queries Decomposition and Caching in Semi-Symbolic Model Checking

In semi-symbolic (control-explicit data-symbolic) model checking the sta...
11/11/2021

Towards Axiomatic, Hierarchical, and Symbolic Explanation for Deep Models

This paper proposes a hierarchical and symbolic And-Or graph (AOG) to ob...
10/08/2018

Defunctionalization of Higher-Order Constrained Horn Clauses

Building on the successes of satisfiability modulo theories (SMT), Bjørn...
05/15/2017

Constrained Bayesian Networks: Theory, Optimization, and Applications

We develop the theory and practice of an approach to modelling and proba...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The widespread availability of virtualization resources such as container and virtual machine technology are marking a new incarnation of distributed systems. Tasks such as fault-tolerant infrastructure monitoring and delivery of goods in unmanned aerial systems, preventing privacy breaches in social networks and cloud storage by managing information access, and saving lives by controlling and monitoring pace makers are now taking place in the presence of spatial hierarchies. This means that the usual high degree of safety criteria in such systems is now exposed to the presence of hierarchical computation (and sharing) of information among groups of distributed and concurrent agents, which makes it an even more challenging goal for formal modeling and verification purposes.

An interesting step towards mathematically understanding and formally modeling these highly distributed hierarchical systems has been taken by S. Knight et al. [16] and M. Guzmán et al. [14]. They introduce an algebraic model of spatial modalities in constrained-based process calculi where information (e.g., knowledge) can be shared in spatially distributed agents that interact with the global system by launching processes (e.g., programs). The scope of an agent is given by a spatial operator indicating where a process resides within the space structure, where it queries and posts information in the local store. In the end, their proposal offers an algebraic framework to model and reason about important concepts of safety-critical systems such as fault-tolerance, consistency, and privacy within the setting of distributed hierarchical spaces and process extrusion (i.e., mobility).

This work addresses the key issue of automatically verifying reachability properties of distributed hierarchical systems based on the algebraic model of spatially constrained concurrent process with extrusion in [16, 14]. The approach is based on the formal specification of such a model as a theory in rewriting logic [18], a semantic framework unifying a wide range of models of concurrency. The formal specification is executable in Maude [6], thus benefiting from formal analysis techniques and tools such as state-space exploration and automata-based LTL model checking. Safety criteria such as fault-tolerance (e.g., when and how does a local store first become inconsistent?), consistency (e.g., does a fault propagate to the global system?, do two stores have the same information?), and privacy (e.g., does a store ever gain enough information as to reveal private information?) can now be automatically queried in these systems.

The rewriting logic theory introduced in this work supports the constructs of constrained-based process calculi presented in in [16, 14] such as posting and querying information from/to a local store, parallel composition of processes, recursion, and extrusion. The underlying constraint system is materialized with the help of SMT-solving technology. In particular, the constraints are quantifier-free formulas interpreted over the Booleans and integers, and the information entailment in the algebraic model is realized via semantic inference. By following the rewriting modulo SMT approach [23], simulation of the rewrite relation induced by the rewriting logic theory can be performed efficiently using matching and SMT-solving. In this setting, existential reachability queries can be automatically and efficiently performed using existing rewrite-based facilities available from Maude.

Continuing with the effort of putting epistemic concepts in the hands of programmers initiated in [16], a programming language is introduced in this work. This language provides programmers with the building blocks of a language based on the algebraic model of spatial modalities in constrained-based process calculi, with the executable semantics given by rewrite theory above-mentioned. Such a language is accompanied with an open-source graphical environment in which code can be edited and executed.

Outline.

This work is organized as follows. Section 2 presents some preliminaries on concurrent constraint programming, rewriting logic, and SMT-solving. Section 3 overviews spatial concurrent constraint systems with extrusion. Section 4 introduces the rewriting logic semantics of the algebraic model and Section 4 presents the mechanical proofs obtained for ensuring the correctness of the operational semantics of the rewrite theory w.r.t. to its mathematical one. Section 6 explains how existential reachability properties can be automatically proved and examples illustrating such a feature. The language and tool based on the algebraic model are explained in Section 7. Finally, Section 8 concludes the work.

2 Preliminaries

2.1 Concurrent Constraint Programming and Constraint Systems

Concurrent Constraint Programming (CCP[27, 26, 28] (see a survey in [21]) is a model for concurrency that combines the traditional operational view of process calculi with a declarative view based on logic. This allows CCP benefit from the large set of reasoning techniques of both process calculi and logic. Under this paradigm, the conception of store as valuation in the von Neumann model is replaced by the notion of store as constraint and processes are seen as information transducers.

The CCP model of computation makes use of ask and tell operations instead of the classical read and write. An ask operation tests if a given piece of information (i.e., a constraint as in ) can be deduced from the store. The tell operations post constraints in the store, thus augmenting/refining the information in it. A fundamental issue in CCP is then the specification of systems by means of constraints that represent partial information about certain variables. The state of the system is specified by the store (i.e., a constraint) that is monotonically refined by processes adding new information.

The basic constructs (processes) in CCP are: (1) the agent, which posts the constraint to the store, making it available to the other processes. Once a constraint is added, it cannot be removed from the store (i.e., the store grows monotonically). And (2), the ask process , which queries if can be deduced from the information in the current store; if so, the agent behaves like , otherwise, it remains blocked until more information is added to the store. In this way, ask processes define a reactive synchronization mechanism based on entailment of constraints. A basic CCP process language usually adds parallel composition () combining processes concurrently, a hiding operator for local variable definition, and potential infinite computation by means of recursion or replication.

The CCP model is parametric in a constraint system (CS) specifying the structure and interdependencies of the partial information that processes can query (ask) and post (tell) in the shared store. The notion of constraint system can be given by using first-order logic. Given a signature and a first-order theory over , constraints can be thought of as first-order formulae over . The (binary) entailment relation over constraints is defined for any pair of constraints and by iff the implication is valid in . As an example, take the finite domain constraint system (FD) [29] where variables are assumed to range over finite domains and, in addition to equality, it is possible to have predicates (e.g., “”) that restrict the values of a variable to some finite set.

An algebraic representation of CS is used in the present work.

Definition 1 (Constraint Systems)

A constraint system is a complete algebraic lattice . The elements of are called constraints. The symbols , , and are used to denote the least upper bound lub operation, the bottom, and the top element of , respectively.

In Definition 1, a CS is characterized as a complete algebraic lattice. The elements of the lattice, the constraints, represent (partial) information. A constraint can be viewed as an assertion (or a proposition). The lattice order is meant to capture entailment of information: , alternatively written , means that the assertion represents as much information as . Thus may be interpreted as saying that or that can be derived from . The least upper bound lub operator represents join of information and thus is the least element in the underlying lattice above and , asserting that both and hold. The top element represents the lub of all, possibly inconsistent, information, hence it is referred to as . The bottom element represents the empty information.

2.2 Order-sorted Rewriting Logic in a Nutshell

This section presents an overview of rewriting logic and how it can be used to obtain a rewriting logic semantics of a language. The reader is referred to [18, 6] and [20, 25], respectively, for an in-depth treatment of these topics.

Rewriting logic [18] is a general semantic framework that unifies a wide range of models of concurrency. Language specifications can be executed in Maude [6], a high-performance rewriting logic implementation and benefit from a wide set of formal analysis tools available to it, such as an LTL model checker and an inductive theorem prover.

2.2.1 Rewriting Logic.

A rewriting logic specification or rewrite theory is a tuple where:

  • is an order-sorted equational theory with a signature with finite poset of sorts and a set of function symbols typed with sorts in ; is a set of -equations, which are universally quantified Horn clauses with atoms that are -equations with terms of the same sort; is a set of structural axioms (e.g., associativity, commutativity, identity) such that there exists a matching algorithm modulo producing a finite number of -matching substitutions or failing otherwise; and

  • a set of universally quantified conditional rewrite rules of the form

    where are -terms of the same sort and each is a -equality.

Given , an -indexed family of disjoint variable sets with each countably infinite, the set of terms of sort and the set of ground terms of sort are denoted, respectively, by and ; similarly, and denote, respectively, the set of terms and the set of ground terms. The expressions and denote the corresponding order-sorted -term algebras. All order-sorted signatures are assumed preregular [12], i.e., each -term has a unique least sort s.t. . It is also assumed that has nonempty sorts, i.e., for each . Many-sorted equational logic is the special case of order-sorted equational logic when the subsort relation is restricted to be the identity relation over the sorts.

An equational theory induces the congruence relation on (or simply ) defined for by if and only if , where denotes -provability by the deduction rules for order-sorted equational logic in [19]. For the purpose of this paper, such inference rules, which are analogous to those of many-sorted equational logic, are even simpler thanks to the assumption that has nonempty sorts, which makes unnecessary the explicit treatment of universal quantifiers. The expressions and (also written and ) denote the quotient algebras induced by on the term algebras and , respectively; is called the initial algebra of .

A (topmost) rewrite theory is a tuple with top sort State, i.e., no operator in has State as argument sort and each rule satisfies and . A rewrite theory induces a rewrite relation on defined for every by if and only if there is a rule and a substitution satisfying , , and . The tuple is called the initial reachability model of  [5].

2.2.2 Admissible Rewrite Theories.

Appropriate requirements are needed to make an equational theory admissible, i.e., executable in rewriting languages such as Maude [6]. In this paper, it is assumed that the equations can be oriented into a set of (possibly conditional) sort-decreasing, operationally terminating, and confluent rewrite rules modulo . The rewrite system is sort decreasing modulo if and only if for each and substitution , if . The system is operationally terminating modulo  [8] if and only if there is no infinite well-formed proof tree in (see [17] for terminology and details). Furthermore, is confluent modulo if and only if for all , if and , then there is such that and . The term denotes the -canonical form of modulo so that and cannot be further reduced by . Under sort-decreasingness, operational termination, and confluence, the term is unique up to -equality.

For a rewrite theory , the rewrite relation is undecidable in general, even if its underlying equational theory is admissible, unless conditions such as coherence [31] are given (i.e, whenever rewriting with can be decomposed into rewriting with and ). A key goal of [23] was to make such a relation both decidable and symbolically executable when is topmost and decomposes as , representing a built-in theory for which formula satisfiability is decidable and has a matching algorithm.

2.2.3 Rewriting Logic Semantics.

The rewriting logic semantics of a language is a rewrite theory where provides a step-by-step formal description of ’s observable run-to-completion mechanisms. The conceptual distinction between equations and rules in has important consequences that are captured by rewriting logic’s abstraction dial [20]. Setting the level of abstraction in which all the interleaving behavior of evaluations in is observable, corresponds to the special case in which the dial is turned down to its minimum position by having . The abstraction dial can also be turned up to its maximal position as the special case in which , thus obtaining an equational semantics of without observable transitions. The rewriting logic semantics presented in this paper is faithful in the sense that such an abstraction dial is set at a position that exactly captures the interleaving behavior of the concurrency model.

2.2.4 Maude.

Maude [6] is a language and system based on rewriting logic. It supports order-sorted equational and rewrite theory specifications in functional and system modules, respectively. Admissibility of functional and system modules can be checked with the help of the Maude Formal Environment (MFE) [10, 9], an executable formal specification in Maude with tools to mechanically verify such properties. The MFE includes the Maude Termination Tool, the Maude Sufficient Completeness Checker, the Church-Rosser Checker, the Coherence Checker, and the Maude Inductive Theorem Prover.

2.3 SMT-Solving

Satisfiability Modulo Theories (SMT) studies methods for checking satisfiability of first-order formulas in specific models. The SMT problem is a decision problem for logical formulas with respect to combinations of background theories expressed in classical first-order logic with equality. An SMT instance is a formula (typically quantifier free, but not necessarily) in first-order logic and a model , with the goal of determining if is satisfiable in .

In this work, the representation of the constraint system is based on SMT solving technology. Given an many-sorted equational theory and a set of variables over the sorts in , the formulas under consideration are in the set of quantifier-free -formulas: each formula being a Boolean combination of -equation with variables in (i.e., atoms). The terms in are called built-ins and represent the portion of the specification that will be handled by the SMT solver (i.e., semantic data types). In this setting, an SMT instance is a formula and the initial algebra , where is a decidable extension of such that

Many decidable theories of interest are supported by SMT solvers satisfying this requirement (see [23] for details). In this work, the latest alpha release of Maude that integrates Yices2 [11] and CVC4 [3] is used for reachability analysis.

3 Spatial Concurrent Constraint Systems with Extrusion

This section presents the syntax and the structural operational semantics of spatial concurrent constraints systems with extrusion, which is based mainly on [16]. This section also introduces an example to illustrate the main features of the language.

3.1 Spatial Constraint Systems

The authors of [16] extended the notion of CS to account for distributed and multi-agent scenarios where agents have their own space for local information and computation.

Locality and Nested Spaces.

Each agent has a space function from constraints to constraints (recall that constraints can be viewed as assertions). The function

can be interpreted as an assertion stating that is a piece of information that resides within a space attributed to agent . An alternative epistemic interpretation of is an assertion stating that agent believes or that holds within the space of agent (but it may or may not hold elsewhere). Both interpretations convey the idea that is local to agent . Following this intuition, the assertion

is a hierarchical spatial specification stating that holds within the local space the agent attributes to agent . Nesting of spaces such as in can be of any depth.

Parallel Spaces.

A constraint of the form

can be seen as an assertion specifying that and hold within two parallel/neighboring spaces that belong to agents and . From a computational/concurrency point of view, it is possible to think of as parallel composition; from a logic point of view, corresponds to conjunction.

The notion of an -agent spatial constraint system is formalized in Definition 2.

Definition 2 (Spatial Constraint System [16])

An -agent spatial constraint system -SCS is a CS equipped with self-maps over its set of constraints satisfying for each function :

  1. and

Property S.1 in Definition 2 requires space functions to be strict maps (i.e., bottom preserving) where an empty local space amounts to having no knowledge. Property S.2 states that space functions preserve (finite) lubs, and also allows to join and distribute the local information of any agent Henceforth, given an -SCS , each is thought as the space (or space function) of the agent in . The tuple denotes the corresponding -SCS with space functions Components of an -SCS tuple shall be omitted when they are unnecessary or clear from the context. When is unimportant, -SCS is simply written as SCS.

Extrusion.

Extrusion (i.e., mobility) plays a key role in distributed systems. Following the algebraic approach, it is possible to provide each agent with an extrusion function  [14, 15]. The process within a space context means that the process must be executed outside of agent’s space.

Definition 3 presents the extension of spatial constraint systems with extrusion.

Definition 3 (Spatial Constraint System with Extrusion [14])

An -agent spatial constraint system with extrusion (-SCSE) is an -SCS equipped with self-maps over , written , such that each is the right inverse of .

3.2 Spatial Ccp with Extrusion

The spatial concurrent constraint programming with extrusion (SCCP+E) calculus presented in this section follows the developments of [16] and [14]. The syntax of SCCP+E is parametric on an SCSE and it is presented in Definition 4.

Definition 4 (Sccp+E Processes)

Let be a constraint system, a set of agents, and an infinite countable set of variables. Let be an -SCSE and consider the following EBNF-like syntax:

where , , and . An expression in the above syntax is a process if and only if every variable in occurs in the scope of an expression of the form . The set of processes of SCCP+E is denoted by Proc.

The SCCP+E calculus can be thought of as a shared-spaces model of computation. Each agent has a computational space of the form possibly containing processes and other agents’ spaces. The basic constructs of SCCP+E are tell, ask, and parallel composition, and they are defined as in standard CCP [28]. A process running in an agent adds to its local store , making it available to other processes in the same space. This addition, represented as , is performed even if the resulting constraint is inconsistent. The process running in space may execute if is entailed by , i.e., . The process specifies the parallel execution of processes and ; given , the expression is used as a shorthand for . A construction of the form denotes a process running within the agent ’s space. Any information that produces is available to processes that lie within the same space. The process denotes that process runs outside the space of agent and the information posted by resides in the store of the parent of agent . The behavior of recursive definitions of the form is represented by , i.e., every free occurrence of in is replaced with . In order to make recursive definitions finite, it is necessary for recursion to be guarded by an ask, i.e., every occurrence of in is within the scope of an ask process. Note that the process in a construction of the form is unguarded.

Example 1

Consider the processes and . Consider : by the above intuitions the constraints and are added to store of agent . A similar behavior is achieved by the process , which also produces in the store of agent (note that is equivalent to by Property S.2 in Definition 2). In contrast, the process with , does not necessarily add to the space of agent because is not made available for agent ; likewise in , is not added to the space of agent . Finally, consider . In this case, because of extrusion, both and will be added to store of agent . However, with , results in the space of agent having and , but neither are available for agent . Note that in , the constraint is added to the space of agent , but since cannot be extruded in , is not added to the spaces of or .

Next, the notion of the projection of a spatial constraint for an agent is introduced.

Definition 5 (Views)

The agent ’s view of , denoted as , is given by .

The intuition is that represents all the information the agent may see or have in . For example if then agent sees , so .

3.3 Structural Operational Semantics of Sccp+E

The operational semantics of SCCP+E is defined over configurations. A configuration is a pair of the form , where is a process and is the spatial distribution of information available to it; the set of configurations is denoted by Conf. The structural operational semantics of SCCP+E is captured by the binary transition relation , defined by the rules in Figure 1.

Figure 1: Structural operational semantics of SCCP+E.

The rules , , and for the basic processes and recursion are the standard ones in CCP. In order to avoid another version of the rule for process , parallel composition is assumed to be (associative and) commutative. The rule is a context-dependent definition for extrusion, i.e., it requires a space process (i.e., with ) and specifies extrusion in the sense explained before. In the rule , represents all the information the agent may see or have in : namely, runs with store , i.e., with the agent’s view of . Also note the information added to by the computation of corresponds to the information added by to the space of agent .

(root)y = 1

(i)x = 3

(j)x > 0

(k)y > 0

(j)y = 3

(k)x = 42

(j)x < 42
Figure 2: A spatial hierarchy of processes.
Example 2

One way of understanding is by considering a constraint as a tree-like structure. Each node in such a tree corresponds to the information (constraint) contained in an agent’s space. Edges in the tree-like structure define the spatial hierarchy of agents. For example, given an appropriate SCSE, Figure 2 corresponds to the following store :

The configuration

is a deadlock, while

by the rules and , using the fact that .

3.4 Example

This section includes an example that will be used throughout the paper. The example models a system where an agent sends messages to other agents through the spatial hierarchy.

As mentioned earlier, a distinctive property about SCCP+E is that it allows to have inconsistent information within spaces; i.e., one agent may have local information and the other some local information such that (e.g., and could be and , respectively). This also means that an agent can send inconsistent information to different agents.

(root)true 

(0)X = 25

(1)true

(0)Y < 5
(a) Initial state.

(root)true

(0)X = 25 

(1)true

(0)Y < 5
(b) Execution in space 0.

(root)true 

(0)X = 25

(1)true

(0)Y < 5
(c) Extrusion from space 0.

(root)true

(0)X = 25

(1)true 

(0)Y < 5
(d) Execution in space 1.

(root)true

(0)X = 25

(1)true 

(0)Y<5 
(e) Parallel execution.

(root)true

(0)X = 25

(1)Z >= 10

(0)Y<5 
(f) Tell execution.

(root)true

(0)X = 25

(1)Z >= 10

(0)Y < 5 
(g) Ask execution.

(root)true

(0)X = 25

(1)Z >= 10 

(0)Y < 5
(h) Extrusion from space 0.

(root)true 

(0)X = 25

(1)Z >= 10

(0)Y < 5
(i) Extrusion from space 1.

(root)true

(0)X = 25 

(1)Z >= 10

(0)Y < 5
(j) Execution in space 0.

(root)true

(0)X = 25

(1)Z >= 10

(0)Y < 5

(2)true 
(k) Execution in space 2.

(root)true

(0)X = 25

(1)Z >= 10

(0)Y < 5

(2)W < Y
(l) Tell execution (final state).
Figure 3: Execution of process and evolution of the SCCP+E system.

As an example of how hierarchical distributed processes evolve with respect to the SCCP+E’s structural operational semantics, consider the sequence of system states depicted in Figure 3. These states (figures 2(a)-2(l)) correspond to a step-by-step execution from the initial configuration (Figure 2(a)), with the process defined as follows:

and where:

4 Rewriting Logic Semantics

The rewriting logic semantics of a language is a rewrite theory where provides a step-by-step formal description of ’s observable run-to-completion mechanisms. The conceptual distinction between equations and rules in has important consequences that are captured by rewriting logic’s abstraction dial [20]. Setting the level of abstraction in which all the interleaving behavior of evaluations in is observable, corresponds to the special case in which the dial is turned down to its minimum position by having . The abstraction dial can also be turned up to its maximal position as the special case in which , thus obtaining an equational semantics of without observable transitions. The rewriting logic semantics sets such an abstraction dial at a position that exactly captures the interleaving behavior of SCCP+E.

This section presents a rewriting logic semantics for SCCP+E in the form of a rewrite theory with topsort Sys. The data types supporting the state structure are defined by the equational theory and the state transitions are axiomatized by the rewrite rules . The constraint system, as detailed later in this section, is materialized by an equational theory of built-ins whose quantifier-free formulas are handled by SMT decision procedures. The complete specification of can be found in Appendix 9.

Figure 4 depicts the module structure of . Maude offers three modes for importing a module, namely, protecting, extending, and including. When a functional module protects a functional module , it means that the data types from are kept the same in (i.e., no junk and no confusion are added to the sorts of ). When a functional module extends a functional module , it means that the data types from can be extended with new terms, but existing terms are not identified (i.e., junk is allowed but confusion is not). When a functional module imports a functional module , it means that the data types from can be extended with new terms and existing terms can be identified (i.e., junk and confusion are allowed). In , modules are imported by protecting (denoted by a triple arrow ) or including (denoted by a single arrow ) submodules. See [6] for details about the three different modes of module importation in Maude.

SCCP

SCCP-STATE

SCCP-SYNTAX

AGENT-ID

INAT

EXT-BOOL

BOOL

BOOL-OPS

TRUTH-VALUE

SMT-UTIL

INTEGER

BOOLEAN

META-LEVEL
Figure 4: Module structure of the rewriting logic semantics of SCCP+E.

4.1 The Constraint System

The materialization of the constraint system in uses SMT solving technology. Given a many-sorted (i.e., order-sorted without sort structure) equational theory and a set of variables over the sorts in , the formulas under consideration are in the set of quantifier-free -formulas: each formula being a Boolean combination of -equation with variables in (i.e., atoms). The terms in are called built-ins and represent the portion of the specification that will be handled by the SMT solver (i.e., semantic data types). Thus, an SMT instance is a formula and the initial algebra , where is a decidable extension of (typically by adding some inductive consequences and, perhaps, some extra symbols) such that

Many decidable theories of interest are supported by SMT solvers satisfying this requirement (see [23] for details).

The INTEGER module implements the equational theory of built-ins and the sort Boolean defines the data type used to represent the constraints. The topmost concurrent transitions in are then symbolic rewrite steps of state terms with subterms in the set of -terms of sort Sys with variables over the built-in sorts in .

Lemma 1

The pair is a constraint system, where are the variables ranging over the sorts Boolean and Integer.

The elements in are equivalence classes of quantifier-free -formulas of sort Boolean modulo semantic equivalence in (this technicality guarantees, e.g., the uniqueness of least upper bounds). Therefore, by an abuse of notation, the constraint system has quantifier-free -formulas of sort Boolean as the constraints and the inverse of the semantic validity relation , w.r.t. the initial model , as the entailment relation.

In order to use as the underlying constraint system, relies on the current version of Maude that is integrated with the CVC4 [3] and Yices2 [11] SMT solvers. The SMT-UTIL module encapsulates this integration, which requires the reflective capabilities of Maude available from the META-LEVEL module. The function entails implements the semantic validity relation (w.r.t. ) using the auxiliary functions check-sat and check-unsat (observe that the sort Boolean is different to the usual sort Bool for Boolean terms in Maude):

1   op entails     : Boolean Boolean -> Bool .
2   op check-sat   : Boolean -> Bool .
3   op check-unsat : Boolean -> Bool .
4   eq check-sat(B)
5   = metaCheck([’INTEGER], upTerm(B)) .
6   eq check-unsat(B)
7   = not(check-sat(B)) .
8   eq entails(C1, C2)
9   = check-unsat(C1 and not(C2)) .

The function invocation check-sat(B) evaluates to true iff B is satisfiable; alternatively, it evaluates to false if B is unsatisfiable or if the SMT solver times out. The function invocation check-unsat(B) returns true iff B is unsatisfiable. Note that if the constraints are decidable, then check-unsat is not only sound but complete. More precisely, if is a finite subset of decidable constraints in and is also a decidable constraint in , then the following equivalence holds:

4.2 System States

At the top level, the system is represented by the top sort Sys defined in SCCP-STATE:

1   sort Sys .
2   op {_} : Cnf -> Sys [ctor] .

The argument of a state is the configuration of objects representing the setup of the agents and processes in the system. Sort Cnf is that of configuration of agents in an object-like notation. More precisely, sort Cnf represents multisets of terms of sort Obj, with set union denoted by juxtaposition. An object is by itself a configuration of objects, namely, the singleton one; constant mt denotes the empty configuration and it is the identity of the union operator. There are two types of objects: process objects and store objects. Process and stores objects are represented by triples [_,_,_] (as Obj). The first two arguments of both a process and a store object are its type (either process or store, as Cid) and its identifier (as Aid). The third argument of a process object is the program it is executing (as SCCPCmd) and the third argument of a store object is a formula representing the constraint of its corresponding agent (as Boolean).

1   sorts Cid Obj Cnf .
2   subsorts Obj < Cnf .
3   ops store process : -> Cid .
4   op [_,_,_] : Cid Aid Boolean -> Obj [ctor] .
5   op [_,_,_] : Cid Aid SCCPCmd -> Obj [ctor] .
6   op mt : -> Cnf [ctor] .
7   op __ : Cnf Cnf -> Cnf [ctor assoc comm id: mt] .
8   op {_} : Cnf -> Sys [ctor] .

The idea is that in any observable state there can be many process objects executing in an agent’s space but there must be exactly one store object per agent (i.e., space). More precisely, in an observable state, each agent’s space is represented by a set of terms: some encoding the state of execution of all its processes and exactly one object representing its local store.

Process and store objects use a qualified name (sort Aid) identifying to which agent’s space they belong; this sort is defined in module AGENT-ID. Natural numbers (sort iNat), in Peano notation and with an equality enrichment [13], are used to specify agents’ identifiers. The hierarchical structure of spaces is modeled as a tree-like structure where the root space is identified by the constant root. Any other qualified name corresponds to a dot-separated list of agent identifiers, arranged from left to right. That is, 3 . 1 . root denotes that agent 3 is within the space of agent 1, which in turn is within the top level of root.

1   sorts iZero iNzNat iNat Aid .
2   subsort iZero iNzNat < iNat .
3   op root : -> Aid .
4   op _._ : iNat Aid -> Aid .
5   op 0 : -> iZero [ctor] .
6   op s_ : iNat -> iNzNat [ctor] .
7   op _~_ : iNat iNat -> Bool [comm] .

The processes in SCCP+E are modeled as commands (sort SCCPCmd) as defined in the module SCCP-SYNTAX:

1   op 0 : -> SCCPCmd .
2   op tell_ : Boolean -> SCCPCmd .
3   op ask_->_ : Boolean SCCPCmd -> SCCPCmd .
4   op _||_ : SCCPCmd SCCPCmd -> SCCPCmd [assoc comm gather (e E) ] .
5   op <_>[_] : iNat SCCPCmd -> SCCPCmd .
6   op rec(_,_) : iNat SCCPCmd -> SCCPCmd .
7   op xtr(_,_) : iNat SCCPCmd -> SCCPCmd .
8   op v(_) : iNat -> SCCPCmd .

The argument of a tell_ command is a formula (as Boolean), namely, the formula to be added to the corresponding store. The ask_->_ command has a formula (as Boolean) and a program (as SCCPCmd) as arguments, denoting that if the given formula is entailed by the corresponding store, then the process is to be executed next. Both arguments of the _||_ command are processes (as SCCPCmd). The arguments of the <_>[_], rec(_,_), and xtr(_,_) commands are a natural number (representing the identifier of a descendant, a variable, and the identifier of the ancestor, respectively) and a command to be executed. Note that the syntax of each command is very close to the actual syntax in the SCCP+E model, e.g., constructs of the form and in SCCP+E are represented in the syntax of SCCPCmd by terms of the form P || Q and <i>[P], respectively.

Example 3

Using the functional module SCCP-STATE, the SCCP+E space structure in Example 2(a) can be represented as follows:

1  { [store, root, true]
2    [store, 0 . root, X:Integer === 25]
3    [store, s 0 . root, true]
4    [store, 0 . s 0 . root, Y:Integer < 5] }

4.3 Auxiliary Operations

There are three auxiliary operations defined in the semantics. They are used to verify whether a condition is satisfied by the system before a transition happens and for replacing terms for the recursion command.

The function symbol is-prefix? is defined in AGENT-ID to verify recursively whether an agent is descendant of other agent based on its Aid. For instance, 1 . 2 is descendant of 2 because 2 is prefix of 1 . 2. By definition, root is prefix of every agent. The equations defining the is-prefix? function evaluate to true if the first argument is a prefix of the second one; otherwise, it is false.

1   op is-prefix? : Aid Aid -> Bool .
2   eq is-prefix?(root, L)
3   = true .
4   eq is-prefix?(N . L, root)
5   = false .
6   eq is-prefix?(N0 . L0, N1 . L1)
7   = (N0 . L0 ~ N1 . L1) or-else is-prefix?(N0 . L0, L1) .

Some commands in SCCP+E require that a store exists in the system. For that reason the exists-store? function symbol is defined in module SCCP-STATE: it is used to look within a configuration of agents (as Cnf) for a store with an given Aid. The equation defining exists-store? evaluate to true if the store exists; otherwise, it is false.

1   op exists-store? : Cnf Aid -> Bool .
2   eq exists-store?(mt, L)
3   = false .
4   eq exists-store?( [process, L0, C0] X, L)
5   = exists-store?(X,L) .
6   eq exists-store?( [store, L0, B0] X, L)
7   = (L0 ~ L) or-else exists-store?(X, L) .

Finally, the recursion construct in SCCP+E means that every free occurrence of in is replaced with . For this reason, the replace function symbol is defined as follows: given a program , a variable identifier (as iNat), and a program , every free occurrence of in is substituted by .

1   op replace : SCCPCmd iNat SCCPCmd -> SCCPCmd .
2   eq replace( 0, N, C )
3   = 0 .
4   eq replace( tell B, N, C )
5   = tell B .
6   eq replace( ask B -> C0, N, C )
7   = ask B -> replace( C0, N, C ) ..
8   eq replace( C0 || C1, N, C )
9   = replace( C0, N, C ) || replace( C1, N, C ) .
10   eq replace( < N0 >[ C0 ], N, C )
11   = < N0 >[ replace( C0, N, C ) ] .
12   eq replace( rec( N0, C0 ), N, C )
13   = rec( N0, C0 ) .
14   eq replace( xtr( N0, C0 ), N, C )
15   = xtr( N0, replace( C0, N, C ) ) .
16   eq replace( v(N0), N, C )
17   =  if (N0 ~ N) then C else v(N0) fi .

4.4 System Transitions

The state transitions in comprise both invisible (given by equations) and observable (given by rules) transitions.

There are two types of invisible transitions that are specified with the help of equations. Namely, one to remove a 0 process from a configuration and another one to join the contents of two stores of the same space (i.e., two stores with the same Aid). The latter type of transition is important especially because when a new process is spawned in a agent’s space, a store with the empty constraint (i.e., true) is created for that space. If such space existed before, then the idea is that the newly created store is subsumed by the existing one (variable L is of sort Aid, X of sort Cnf, and of sort Boolean):

1   eq { [ process, L0, 0 ] X }
2   = { mt X } .
3   eq [ store, L0, B0 ] [ store, L0, B1 ]
4   = [ store, L0, B0 and B1 ] .

There are six rules capturing the concurrent observable behavior in the specification (variable L is of sort Aid, X of sort Cnf, of sort Boolean, of sort SCCPCmd, and N of sort iNat).

1   rl [tell] :
2     { [ store, L0, B0 ] [process, L0, tell B1 ] X }
3  => { [ store, L0, B0 and B1 ] [ process, L0, 0 ] X } .
4
5  crl [ask] :
6     { [ store, L0, B0 ] [ process, L0, ask B1  -> C1 ] X }
7  => { [ store, L0, B0 ] [ process, L0, C1 ] X }
8   if entails(B0, B1) .
9
10   rl [parallel] :
11     { [ process, L0, C0 || C1 ] X }
12  => { [ process, L0, C0 ] [ process, L0, C1 ] X } .
13
14   rl [space] :
15     { [ store, L0, B0 ] [ process, L0, < N0 >[ C0 ] ] X }
16  => { [ store, L0, B0 ] [ process, L0, 0 ] [ process, N0 . L0, C0]
17       [ store, N0 . L0, true ] X } .
18
19   rl [recursion]:
20     { [ process, L0, rec( N0, C0 ) ] X }
21  => { [ process, L0, replace( C0, N0, rec( N0, C0 ) ) ] X } .
22
23   rl [extrusion]:
24     { [ process, N0 . L0, xtr( N0, C0 ) ] X }
25  => { [ process, N0 . L0, 0 ] [ process, L0, C0 ] X } .

Rule [tell] implements the semantics of a process executing a tell command by posting the given constraint in the local store and by transforming such a process to the nil process. Rule [ask] executes command C1 when the guard B1 in ask B1 -> C1 holds: that is, when B1 is entailed by the local store B0. Rule [parallel] implements the semantics for parallel composition of process by spawning the two process in the current space. Rule [space] creates a new space denoted by N0 . L0 (as Aid) with an empty store (i.e., true) and starts the execution of program C0 within the space. Rule [recursion] defines the semantics of a process executing a rec command by using the aforementioned auxiliary function replace. Rule [extrusion] executes process C0 in the parent space of the agent and transitions the xtr process to the nil process. Note that recursion command can lead to non-termination. It is common in SCCP+E to guard such commands with an ask in order to tame the potential non-termination.

Example 4

Using the functional module SCCP-SYNTAX, the process in Figure 3 can be represented as follows:

1  xtr(0,< s 0 >[tell (Z:Integer >= 10) || < 0 >[ask Y:Integer < 20 ->
2        xtr(0,xtr(s 0,< 0 >[< s s 0 >[tell (W:Integer <
3        Y:Integer)]]))]])

If this command is executed in the space of agent 0 . root from the initial state in Example 3 (and depicted in Figure 2(a)), it leads to the state

1  { [store, root, true]
2    [store, 0 . root, X:Integer === 25]
3    [store, s 0 . root, Z:Integer >= 10]
4    [store, s s 0 . 0 . root, W:Integer < Y:Integer]
5    [store, 0 . s 0 . root, Y:Integer < 5] }

which corresponds to the final state depicted in Figure 2(l).

Theorem 4.1

If and are configurations of SCCP+E with underlying constraint system restricted to decidable formulas, then

where and are an encoding of the corresponding configurations in the syntax of .

Proof

The proof follows by structural induction on the and relations. ∎

5 Admissibility

This section presents a map that results in a rewrite theory , equivalent in terms of admissibility to (introduced in Section 4) under some reasonable assumptions, but in which dependencies to non-algebraic data types such as terms over the built-ins or at the meta-level in have been removed. This section also presents proofs of admissibility of the rewrite theory . Such proofs are obtained mechanically using the Maude Formal Environment (MFE) [9, 10] and establish the correspondence (i.e., soundness and completeness) between the mathematical and operational semantics of . The specification can be found in Appendix 10

The map consists of the following items, which make the specification amenable to mechanical verification in the MFE:

  • Changing the sort Bool in TRUTH-VALUE to the sort iBool in the module ITRUTH-VALUE and adjusting the specification to account for this new definition of Boolean values.

  • Removing all dependencies in SMT-UTIL of the module META-LEVEL.

  • Introducing a custom if-then-else-fi function symbol in SCCP-SYNTAX and adjusting the definition of the auxiliary function symbol replace to use this new version instead.

The module structure of the resulting specification