
    A coalgebraic semantics for causality in Petri nets

    In this paper we revisit some pioneering efforts to equip Petri nets with compact operational models for expressing causality. The models we propose have a bisimilarity relation and a minimal representative for each equivalence class, and they can be fully explained as coalgebras on a presheaf category on an index category of partial orders. First, we provide a set-theoretic model in the form of a causal case graph, that is, a labeled transition system where states and transitions represent markings and firings of the net, respectively, and are equipped with causal information. Most importantly, each state has a poset representing causal dependencies among past events. Our first result shows the correspondence with behavior structure semantics as proposed by Trakhtenbrot and Rabinovich. Causal case graphs may be infinitely-branching and have infinitely many states, but we show how they can be refined to get an equivalent finitely-branching model. In it, states are equipped with symmetries, which are essential for the existence of a minimal, often finite-state, model. The next step is constructing a coalgebraic model. We exploit the fact that events can be represented as names, and event generation as name generation. Thus we can apply the Fiore-Turi framework: we model causal relations as a suitable category of posets with action labels, and generation of new events with causal dependencies as an endofunctor on this category. Then we define a well-behaved category of coalgebras. Our coalgebraic model is still infinite-state, but we exploit the equivalence between coalgebras over a class of presheaves and History Dependent automata to derive a compact representation, which is equivalent to our set-theoretical compact model. Remarkably, state reduction is automatically performed along the equivalence. Comment: Accepted by Journal of Logical and Algebraic Methods in Programmin

    A Formal Approach to Open Multiparty Interactions

    We present a process algebra aimed at describing interactions that are multiparty, i.e. that may involve more than two processes, and that are open, i.e. the number of processes they involve is not fixed or known a priori. Here we focus on the theory of a core version of a process calculus, without message passing, called Core Network Algebra (CNA). In CNA, communication actions are given not in terms of channels but in terms of chains of links that record the source and the target ends of each hop of an interaction. The operational semantics of our calculus mildly extends that of CCS. The abstract semantics is given in the style of bisimulation but requires some ingenuity. Remarkably, the abstract semantics is a congruence for all operators of CNA and also with respect to substitutions, which is not the case for strong bisimilarity in CCS. As a motivating and running example, we illustrate the model of a simple software defined network infrastructure. Comment: 62 page

    A network-conscious π-calculus and its coalgebraic semantics

    Traditional process calculi usually abstract away from network details, modeling only communication over shared channels. They, however, seem inadequate to describe new network architectures, such as Software Defined Networks, where programs are allowed to manipulate the infrastructure. In this paper we present the Network Conscious π-calculus (NCPi), a proper extension of the π-calculus with an explicit notion of network: network links and nodes are represented as names, in full analogy with ordinary π-calculus names, and observations are routing paths through which data is transported. However, restricted links do not appear in the observations, which thus can possibly be as abstract as in the π-calculus. Then we construct a presheaf-based coalgebraic semantics for NCPi along the lines of Turi-Plotkin's approach, by indexing processes with the network resources they use: we give a model for observational equivalence in this context, and we prove that it admits an equivalent nominal automaton (HD-automaton), suitable for verification. Finally, we give a concurrent semantics for NCPi where observations are multisets of routing paths. We show that bisimilarity for this semantics is a congruence, and this property holds also for the concurrent version of the π-calculus.

    Independence, name-passing and constraints in models for concurrency


    A Network-Aware Process Calculus for Global Computing and its Categorical Framework

    An essential aspect of distributed systems is resource management, concerning how resources can be accessed and allocated. This aspect should also be taken into account when modeling and verifying such systems. A class of formalisms with the desired features are nominal calculi: they represent resources as atomic objects called names and have linguistic constructs to express creation of new resources. The paradigmatic nominal calculus is the π-calculus, which is well-studied and comes with models and logics. The first objective of this thesis is devising a natural and seamless extension of the π-calculus where resources are network nodes and links. The motivation is provided by a recent, successful networking paradigm called Software Defined Networks, which allows the network structure to be manipulated at runtime via software. We devise a new calculus called Network Conscious π-calculus (NCPi), where resources, namely nodes and links, are represented as names, following the π-calculus guidelines. This allows NCPi to reuse the π-calculus name-handling machinery. The semantics allows observing end-to-end routing behavior, in the form of routing paths through the network. As in the π-calculus, bisimilarity is not closed under input prefix. Interestingly, closure under parallel composition does not hold either. Taking the greatest bisimulation closed under all renamings solves the issue only for the input prefix. We conjecture that such closure yields a full congruence for the subcalculus with only guarded sums. We introduce an extension of NCPi (κNCPi) with some features that make it closer to real-life routing. Most importantly, we add concurrency, i.e. multiple paths can be observed at the same time. Unlike the sequential version, bisimilarity is a congruence from the very beginning, due to the richer observations, so κNCPi can be considered the “right” version of NCPi when compositionality is needed. 
This extended calculus is used to model the peer-to-peer architecture Pastry. The second objective is constructing a convenient operational model for NCPi. We consider coalgebras, which are categorical representations of systems. Coalgebras have been studied in full generality, regardless of the specific structure of systems, and algorithms and logics have been developed for them. This allows for the application of general results and techniques to a variety of systems. The main difficulty in the coalgebraic treatment of nominal calculi is the presence of name binding: it introduces α-conversion and makes SOS rules and bisimulations non-standard. The consequence is that coalgebras on sets are not able to capture these notions. The idea of the seminal paper by Fiore and Turi is resorting to coalgebras on presheaves, i.e. functors C → Set. Intuitively, presheaves allow associating to collections of names, seen as objects of C, the set of processes using those names. Fresh name generation strategies can be formalized as endofunctors on C, which are lifted to presheaves in a standard way and used to model name binding. Within this framework, a coalgebra for the π-calculus transition system is constructed: the benefit is that ordinary coalgebraic bisimulations for such a coalgebra are π-calculus bisimulations. Moreover, Fiore and Turi show a technique to obtain a new coalgebra whose bisimilarity is closed under all renamings. This relation is a congruence for the π-calculus. Presheaves come with a rich theory that can help derive new results, but coalgebras on presheaves are impractical to implement: the state space can be infinite, for instance when a process recursively creates names. However, if we restrict to a class of presheaves (according to Ciancia et al.), coalgebras admit a concrete implementation in terms of HD-automata, which are finite-state automata suitable for verification. 
In this thesis we adapt and extend Fiore-Turi’s approach to cope with network resources. First we provide a coalgebraic semantics for NCPi whose bisimulations are bisimulations in the NCPi sense. Then we compute coalgebras and equivalences that are closed under all renamings. The greatest such equivalence is a congruence w.r.t. the input prefix and we conjecture that, for the NCPi with only guarded sums, it is a congruence also w.r.t. parallel composition. We show that this construction applies a form of saturation. Then we prove the existence of an HD-automaton for NCPi. The treatment of network resources is non-trivial and paves the way to modeling other calculi with complex resources.

    Session-based concurrency, declaratively

    Session-based concurrency is a type-based approach to the analysis of message-passing programs. These programs may be specified in an operational or declarative style: the former defines how interactions are properly structured; the latter defines governing conditions for correct interaction

    Session-based concurrency: between operational and declarative views

    Communication-based software is ubiquitous nowadays. From e-banking to e-shopping, online activities often involve message exchanges between software components. These interactions are often governed by protocols that explicitly describe the sequences of communication actions that should be executed by each component. Crucially, these protocols are not isolated from a program’s context: external conditions such as timing constraints or exceptional events that occur during execution can affect message exchanges. As an additional difficulty, individual components are typically developed in different programming languages. In this setting, certifying that a program conforms to its intended protocols is challenging. A widely studied program verification technique uses behavioral type systems, which exploit abstract representations of these protocols to check that the program executes communication actions as intended. Unfortunately, the abstractions offered by behavioral type systems may neglect the influence that external conditions have on the program. This thesis addresses this issue by considering programming languages with declarative features, in which the governing conditions of the program can be adequately described. Our work develops correct translations between programming languages to show that languages with declarative features can indeed articulate a unified view of communication-based programs. Specifically, these translations demonstrate that the operational features of communication-based programs can be correctly represented by languages with declarative features. An additional contribution is a hybrid language that combines the best of both worlds, enabling the analysis of operational and declarative features in communication-based programs.

    Formal aspects of component software

    This is the pre-proceedings of the 6th International Workshop on Formal Aspects of Component Software (FACS'09).

    Behavioural Types: from Theory to Tools

    This book presents research produced by members of COST Action IC1201: Behavioural Types for Reliable Large-Scale Software Systems (BETTY), a European research network that was funded from October 2012 to October 2016. The technical theme of BETTY was the use of behavioural type systems in programming languages, to specify and verify properties of programs beyond the traditional use of type systems to describe data processing. A significant area within behavioural types is session types, which concerns the use of type-theoretic techniques to describe communication protocols so that static typechecking or dynamic monitoring can verify that protocols are implemented correctly. This is closely related to the topic of choreography, in which system design starts from a description of the overall communication flows. Another area is behavioural contracts, which describe the obligations of interacting agents in a way that enables blame to be attributed to the agent responsible for a failed interaction. Type-theoretic techniques can also be used to analyse potential deadlocks due to cyclic dependencies between inter-process interactions. BETTY was organised into four Working Groups: (1) Foundations; (2) Security; (3) Programming Languages; (4) Tools and Applications. Working Groups 1–3 produced “state-of-the-art reports”, which were originally intended to take snapshots of the field at the time the network started, but grew into substantial survey articles including much research carried out during the network [1–3]. The situation for Working Group 4 was different. When the network started, the community had produced relatively few implementations of programming languages or tools. One of the aims of the network was to encourage more implementation work, and this was a great success. The community as a whole has developed a greater interest in putting theoretical ideas into practice. 
The sixteen chapters in this book describe systems that were either completely developed, or substantially extended, during BETTY. The total of 41 co-authors represents a significant proportion of the active participants in the network (around 120 people who attended at least one meeting). The book is a report on the new state of the art created by BETTY in the area of Working Group 4, and the title “Behavioural Types: from Theory to Tools” summarises the trajectory of the community during the last four years. The book begins with two tutorials by Atzei et al. on contract-oriented design of distributed systems. Chapter 1 introduces the CO2 contract specification language and the Diogenes toolchain. Chapter 2 describes how timing constraints can be incorporated into the framework and checked with the CO2 middleware. Part of the CO2 middleware is a monitoring system, and the theme of monitoring continues in the next two chapters. In Chapter 3, Attard et al. present detectEr, a runtime monitoring tool for Erlang programs that allows correctness properties to be expressed in Hennessy-Milner logic. In Chapter 4, which is the first chapter about session types, Neykova and Yoshida describe a runtime verification framework for Python programs. Communication protocols are specified in the Scribble language, which is based on multiparty session types. The next three chapters deal with choreographic programming. In Chapter 5, Debois and Hildebrandt present a toolset for working with dynamic condition response (DCR) graphs, which are a graphical formalism for choreography. Chapter 6, by Lange et al., continues the graphical theme with ChorGram, a tool for synthesising global graphical choreographies from collections of communicating finite-state automata. Giallorenzo et al., in Chapter 7, consider runtime adaptation. 
They describe AIOCJ, a choreographic programming language in which runtime adaptation is supported with a guarantee that it doesn’t introduce deadlocks or races. Deadlock analysis is important in other settings too, and there are two more chapters about it. In Chapter 8, Padovani describes the Hypha tool, which uses a type-based approach to check deadlock-freedom and lock-freedom of systems modelled in a form of pi-calculus. In Chapter 9, Garcia and Laneve present a tool for analysing deadlocks in Java programs; this tool, called JaDA, is based on a behavioural type system. The next three chapters report on projects that have added session types to functional programming languages in order to support typechecking of communication-based code. In Chapter 10, Orchard and Yoshida describe an implementation of session types in Haskell, and survey several approaches to typechecking the linearity conditions required for safe session implementation. In Chapter 11, Melgratti and Padovani describe an implementation of session types in OCaml. Their system uses runtime linearity checking. In Chapter 12, Lindley and Morris describe an extension of the web programming language Links with session types; their work contrasts with the previous two chapters in being less constrained by an existing language design. Continuing the theme of session types in programming languages, the next two chapters describe two approaches based on Java. Hu’s work, presented in Chapter 13, starts with the Scribble description of a multiparty session type and generates an API in the form of a collection of Java classes, each class containing the communication methods that are available in a particular state of the protocol. Dardha et al., in Chapter 14, also start with a Scribble specification. Their StMungo tool generates an API as a single class with an associated typestate specification to constrain sequences of method calls. 
Code that uses the API can be checked for correctness with the Mungo typechecker. Finally, there are two chapters about programming with the MPI libraries. Chapter 15, by Ng and Yoshida, uses an extension of Scribble, called Pabble, to describe protocols that are parametric in the number of runtime roles. From a Pabble specification they generate C code that uses MPI for communication and is guaranteed correct by construction. Chapter 16, by Ng et al., describes the ParTypes framework for analysing existing C+MPI programs with respect to protocols defined in an extension of Scribble. We hope that the book will serve a useful purpose as a report on the activities of COST Action IC1201 and as a survey of programming languages and tools based on behavioural types.