Here - University of Michigan

A SPATIAL LOGIC FOR THE HYBRID π-CALCULUS WILLIAM C. ROUNDS

1. Introduction In last year’s HSCC conference, we introduced the Φ-calculus [8], an extension of Milner’s powerful π-calculus, so that concurrent and reconfigurable programs could interact with a (concurrent) continuous environment in the sense in which ordinary hybrid automata do so. In that paper, though, we were concerned only with the operational (hybrid) semantics of such systems, and not with any mechanism for reasoning about them. The present paper addresses this issue. One of the difficulties involved here is that not too many logics have been proposed for reasoning about properties of π-calculus programs themselves. The difficulty has to do with the subtleties of name-passing, and even more, the subtleties of fresh name generation. These mechanisms are crucial in the π-calculus for expressing mobility (more properly, reconfigurability), and protection, which is the ability to create modular subsystems not subject to outside interference. A recent paper by Caires and Cardelli [2] introduces their spatial logic for concurrency, a general logic intended not just as an assertion language for the π-calculus, but for possibly other processalgebraic models which deal with reconfigurability and with protection. Their logic has several attractive features. It has a propositional connective |, so that the formula φ | ψ is satisfied only by a parallel composition of systems P | Q in which P satisfies φ and Q satisfies ψ. (This is the source of the word “spatial”; the connective | refers to a structural property of systems satisfying it.) This connective has a so-called adjoint φ B ψ, which provides the crucial property of assume-guarantee reasoning [5]. A system P satisfies φ B ψ if for any system Q, if Q satisfies φ (assume), then P | Q satisfies ψ (guarantee). The Caires-Cardelli logic also features a “fresh name” quantifier Nx, read “for some/all fresh names x,” which allows for reasoning both about reconfigurability and protection. This quantifier appears in a paper by Gabbay and Pitts [3], who work with Fraenkel-Mostowski techniques, a novel and important set-theoretic approach to the problems arising from changing bound variable names in programs which abstract over these variables. The big advantage to using these techniques is that formal verification by machine is much simpler than in other approaches. Since we are ultimately aiming for at least partial progress in machine verification of hybrid systems, this property seems like a good one to keep. The issues involved in extending the C&C logic to the hybrid π-calculus include (i) finding one or more connectives for dealing with continuous flows over time; (ii) dealing with the passing of continuous names and creation of fresh continuous names; (iii) reformulating the hybrid structural operational semantics within FM set theory (with which the axiom of choice is inconsistent), and (iv) giving a concise Tarski-style semantics for the new logic. The C&C presentation takes many pages, and uses many auxiliary definitions, owing perhaps to their not wanting to use FM set theory itself, but a more traditional presentation. We are able to overcome these problems by reformulating the syntax and semantics of C&C logic directly in FM set theory. We get around issue (iii) because of the way the hybrid π-calculus treats the continuous environment – as a separate component of what we termed an embedded system in [8]. Our connective for continuous flows refers only to the continuous part of the system, with the result that any properties of the continuous system itself that we may need (stability, attractors, etc.), which follow from standard theorems on dynamical systems, can still be assumed to hold even in the new set theory. The C&C logic, and our extension of it, is really a modal logic. Standard interpretations of modal calculi use the idea of Kripke structures; C&C’s logic uses a space of “Psets” as a kind of 1

2

WILLIAM C. ROUNDS

Kripke structure. We elide the interpretation of our formulas in Kripke structures, and instead perform a direct translation of our formulas into formal assertions of FM set theory. The idea comes from the well-known [1] standard translation of modal logic into first-order logic of Kripke structures. We carry this translation one step further – we bypass the Kripke structure stage and translate the modal logic directly into ZFA – the formal language of FM set theory, obtaining a very simple semantics in the Tarski style. Our logic is quite expressive. It subsumes Caires and Cardelli’s logic, which already subsumes the modal µ-calculus [6]. As an example of expressiveness, we show that for a given program, we can construct a formula satisfied by all those hybrid states reachable from a given initial continuous state and with initial discrete state equal to the initial state of the program. The technique of expressing our semantics in ZFA makes such constructions completely natural. As mentioned, the logic includes a capacity for defining “assume-guarantee” reasoning. All of this attests to expressiveness; one can of course argue that the logic is too expressive, in that model-checking will be a very undecidable problem. We concede that this is the case, but we think that the connectives and the quantifiers we introduce can form the material for schematizing classes of special formulas for which model-checking is a viable enterprise. In the present paper, we work in a sublanguage of the Φ-calculus, the physical Φ-calculus. This omits the passing of channel names, but allows the passing of continuous names. It is well able to specify physically reconfigurable systems, and it makes our presentation of formalities much simpler. We organize the paper into 5 sections. Section 2 reviews the physical Φ-calculus, and introduces our running example, the robotic parts carrier - parts-feeder system. Section 3 includes a short introduction to ZFA, taken from the Gabbay-Pitts paper [3]. Section 4 deals with expressing the structural operational semantics (SOS) of the Φ-calculus in ZFA. and how one verifies that the SOS gives a definition of system behavior which is actually definable in ZFA. Finally, Section 5 introduces our logic, gives its model theory, and concludes with an extended example of a spatial formula satisfied by the robotics part carrier. A final part of this section shows how to define reachability. 2. The Physical Φ-Calculus 2.1. Syntax. Let A be a countable set of names a; put A = {a | a ∈ A}, and L = A ∪ A. These names correspond to the “named actions” of an ordinary finite automaton; the overlined names allow participation in reactions (see below). We also have the silent action τ , which represents uncontrollable “internal choice.” Let X be a countable set of environment variable names disjoint from A and let X˙ = {x˙ | x ∈ X } be the “dotted versions” (formal variables for differential equations.) The names in X can be “received” or“sent” from one process to another, and they carry real values. In the definition below, receiving actions are of type (i) and sending actions are of type (ii). Note that the names a now are used as “channels” over which continuous names are sent. An action prefix is an an element of L ∪ {τ }, or is of the form (i) a(x1 , . . . , xn ) for a ∈ L, xi ∈ X ; (ii) the form ah x1 , . . . , xn i for a ∈ L and xi ∈ X , or (iii) in the set E. We let µ range over action prefixes. Definition 2.1. The set of Φ-expressions is given by the following syntax: P ::= M | 0 | (P1 | P2 ) | !P | νaP | νxP M ::= µ.P | M + M Process expressions (P ) can be summations, the null process 0, parallel composition of processes, replicated processes, or processes (νa, νx) in which the names a and x can be “bound”, in effect requiring a fresh substitution of an actual name in order to proceed. Summation expressions (M ) represent a choice of actions followed by a process. A notion of structural congruence ≡ is employed in the π-calculus; this allows us to claim, for example, that + is associative and commutative. (Finite) sums, then, can be written as Σµi .Pi , for example.

SPATIAL LOGIC FOR Φ-CALCULUS

3

The above grammar for process expressions is actually a little too oversimplified, and we will revise it presently. In any case, discrete events are possible through a process of rewriting the “current” expression in the context of a continuous environment evolving over real time. This environment also records any values currently assigned to the continuous names, any (coordinatewise) definition of a vector field by means of assigning C 1 functions to dotted continuous names, and a way to specify conditions which must hold for flows of the current vector field to take place. Definition 2.2 (Active environments). An environment consists of: • the state, an element of [V → R] (equivalently RV ), the set of all functions (valuations) from a finite subset V of X to R. We call V the domain of the environment; • the vector field (differential equation): a valuation from V˙ to C 1 [RU ], the set of continuously differentiable functions from RU to R, for a finite set U ⊇ V; • the invariant: a finite collection I of constraints, where each constraint is a map from [W → R] to {0, 1}, for some W ⊆ V. For time-flows to be possible, a system must be in a state satisfying all constraints of the invariant. T • If E is an environment, we write E.state to extract the state, E.vf to extract the vector field, and E.inv to extract the set of invariant predicates. Example 2.3. Here is a sample environment:   (x : 1.5, y : 0) . x˙ : x − y − x3 , y˙ :p x + y − y3) √ E= 2 2 {{(x, y) | (x ≥ 0) ∧ (1 ≤ x + y ≤ 2)}} We have E.state = (x : 1.5, y : 0), E.vf = (x˙ : x − y − x3 , y˙ : x + y − y 3 ), etc. Definition 2.4. An environmental action is a syntactic form α = [ψ → d; G; φ], where the entities d, G, φ are the syntactic forms above. The predicate form ψ is called a guard. Any one or more of these entities, including the guard, can be omitted. If α = [ψ → d; G; φ] we write α.guard = ψ and α.body = (d; G; φ). Environmental actions act indivisibly on a semantic environment (c, F, I) when the guard ψ(c) is true. The expressions d, G, φ are now interpreted as valuations, so that we can specify “updating ” as in the next definition. Definition 2.5 (Effects of environmental actions). • “State-update”: Let c ∈ [Vc → R] and d ∈ [Vd → R]. Then c ↑ d, the result of updating c by d, is the valuation c ↑ d from Vc ∪ Vd to R given by ( c(x) if x ∈ Vc \ Vd ; (c ↑ d)(x) = d(x) otherwise. • “Flow-update”: Let F ∈ [V˙ F → C 1 [RUF ]] and G ∈ [V˙ G → C 1 [RUG ]]. Then ( F (x) ˙ if x ∈ VF \ VG ; (F ↑ G)(x) ˙ = G(x) ˙ otherwise. • “Invariant-update”: Let I be a set of constraints and φ be a constraint with domain dom(φ) = W. Then I ↑ φ is the set K = I \ {φ0 | dom(φ0 ) ∩ W = 6 ∅} ∪ {φ}. • If E = (c; F ; I) and α.body = (d; G; ψ), we put E ↑ α = ((c ↑ d); (F ↑ G); (I ↑ ψ)). Definition 2.6 (Embedded system). An embedded system is a pair (E, P ) where E is an environment and P is a Φ-expression.

4

WILLIAM C. ROUNDS

2.2. Operational semantics. The dynamics of ΦP is defined via structural operational semantics. To express the discrete part of this correctly, we need the notions of abstractions and concretions. This is because environments may flow in a parameterized way, with differing variables participating in a flow at different times. (The robotic feeder-carrier in Example 2.12 illustrates this.) To make these abstract parameters explicit, we have the following definitions. Definition 2.7. (i) ΦP -abstractions are of the form F = (w).P ~ (w ~ an ordered list of variables over X ). (ii) Φ-concretions are of the form K = h ~y i.P , where ~y is over X . An agent is an abstraction or concretion. (iii) The application F @K of a φ-abstraction and concretion is defined as follows: ((w)P ~ )@h ~y i.Q =def ({~y ← w}P ~ | Q) where ~y and w ~ have the same length. In (iii), {~y ← w} ~ denotes the simultaneous substitution of the variables wi for the (bound) variables yi in P . This is a crucial definition, as it allows names to migrate from one process to another, achieving reconfigurability, and we must pay careful attention to it, because substitutions must avoid the problem of “accidental capture” of a name inside a binding prefix. This problem can be completely solved using the Gabbay-Pitts techniques described in the next section. It is now a good time to revise our initial attempt at a grammar for Φ-expressions, and to present one which defines abstractions and concretions at the same time. Definition 2.8. P ranges over processes, F over abstractions, C over concretions, M over sums, α over environmental actions EnvAct, a over A, x, z over X in the following grammar: P ::= M | 0 | (P | P ) | !P | ν(a)P | ν(x)P M ::= τ.P | α.P | aF | aC | M + M F ::= P | (x)F C ::= P | h z iC A term of this grammar is a P, F, M , or C (process, sum, abstraction, or concretion). We must also revise our definition of embedded systems, now allowing pairs (E, F ) and (E, C), where E is an environment, F is an abstraction, and C is a concretion. (Sums are just special cases of processes, so (E, M ) is superfluous.)

2.3. Dynamics. There are three ways an embedded system can evolve. The first is via a discrete transition involving only the process expression. The second is that the continuous environment can flow on its own according to its current vector field. Finally, via environmental actions, a process expression can remove its action prefix and update the environment all in one step. with We present the rules defining discrete process transitions. These are given in the standard form of transition inference rules, embodying the method of structural operational semantics. A full discussion of them can be found in [8]. Definition 2.9 (Transitions in ΦP ). In these rules, b ∈ A ∪ A, and µ is a b, or τ , or an environmental actionα; g ∈ F , k ∈ C, and H ∈ F ∪ C. Finally, we have elided the symmetric rules

SPATIAL LOGIC FOR Φ-CALCULUS

5

R − par and R − react. b

Act − π : (E, bH) → (E, H) α

Act − α : (E, α.P ) → ((E ↑ α, P ) if α.guard (E.state) is true; µ

(E, M ) → (E 0 , M 0 )

Sum :

µ

(e, M + N ) → (E 0 , M 0 ) b

b

L − React :

(E, Q) → (E, K)

(E, P ) → (E, G) τ

(e, P | Q) → (E, G@K) µ

L − par :

(E, P ) → (E 0 , H) µ

(e, P | Q) → (E 0 , H | Q) µ

Res − pi :

(E, P ) → (E 0 , H) µ

(E, νaP ) → (E 0 , νaH)

if µ ∈ / {a, a}

An embedded system – in particular, the environment component – can evolve over time. This involves flow transition rules. Definition 2.10 (Flow transitions). Let c ∈ [V → R], and suppose that the differential equation F ∈ [V˙ → [U → R]] is closed, i.e., U = V. Then the flow ξ(t, c) of the equation will be defined in some time-interval J = [0, u) of R. We then have the following flow transitions: (1)

t

Sum: ({c, F, I}, Σi µi Pi ) → ({ξ(t, c), F, I}, Σi µi Pi )

provided that for all 0 ≤ s < t: (i) ξ(s, c) is defined and satisfies all constraints in I ; and (ii) no µi is an environmental action ψ → (d; G; φ) with ψ(s) true. Flow transitions are extended to other Φ-expressions by t

(2)

Par:

t

(E, P ) → (E 0 , P )

(E, Q) → (E 0 , Q) t

(E, P | Q) → (E 0 , P | Q) t

(3)

Res:

(E, P ) → (E 0 , P ) t

(E, νaP ) → (E 0 , νaP )

Note that we have “amalgamated” the summands in the Sum rule for brevity. We now consider the operator !P , which the π-calculus regards as “structurally equivalent” to the expression P |!P . That is, !P is always able to spawn a copy of itself to run in parallel with P . The transition rules are simple: When µ is either a π-action or an α-action µ

(E, P |!P ) → (E 0 , Q) µ

(E, !P ) → (E 0 , Q) and the flow transition rule is simply t

(E, P ) → (E 0 , P ) t

(E, !P ) → (E 0 , !P )

.

Finally, we have the environmental restriction operator νxP for x ∈ X . The intent of this operator is to make these variables local to the process P . Definition 2.11. For x ∈ X the operator νxP is called the environmental restriction operator. This operator restricts any e-action mentioning the variable x or x˙ (we call such actions x-actions). The operator νx binds free occurrences of x in P.

6

WILLIAM C. ROUNDS

The hiding effects of this operator are given in the transition rule µ

(E, P ) → (E 0 , Q)

if µ is not an x-action µ (E, νxP ) → (E 0 , νxQ) and the fact that even hidden variables must appear in the global environment by τ

(E, νxP ) → (E, P [x ← w]) (w ∈ X , w not in E and not free in P .) The flow transition rule for the environmental restriction operator is t

Res − x :

(E, P [x ← w]) → (E 0 , P [x ← w]) t

(E, νxP ) → (E 0 , νxP )

(w not in E, not free in P ).

Example 2.12. A parts feeder can be modelled using recursion and the ν operator. The task of this feeder is to produce a never-ending stream of different parts in a factory. The feeder operates by proximity; a robot with position r, 0 < r < 2, is approaching 0 along the x-axis. The parts feeder waits for r to be within some small  of 0, and then produces a new part for the robot. It sends this part out along a channel feed to a controller for both the robot r and the part. We call this recursive process P F . It is actually defined using recursion, though we use a familiar syntactic sugaring for this in place of the official replication operator (for details see [7]).
P F ::= [r ≤ ].νp [p : ; p˙ : 0].feed h p i.[r˙ > 0].P F . The test r ≤  in this process becomes true when the robot gets to exactly  distance of the parts feeder. This triggers a call of the localizing operator νp. This in turn creates a fresh part name, using bound variable conversion to avoid clashes with part names in the environment when the “new” process “decays” at an Env “reaction”. The name of the part is sent to the robot along channel pf . An extra guard [r˙ > 0] is set instantaneously to prevent infinite iteration of the call to P F . Parts start with 0 velocity at position . The robot moving left along the x-axis is operating under a control law that will slow its velocity to almost zero at x = . We assume the robot starts at this position. It initializes a (onedimensional) controller r˙ = fL (r) for this purpose. After picking up the current part, it moves right using another controller which moves it (and the part) back to position r = 2 − , where it drops the part. The code for these two robot motions is LEFT ::= [r˙ : fL (r); {2 −  ≥ r > }].RIGHT . RIGHT ::= feed (p).[(p, ˙ r˙ : fR (p, r); { ≤ r < 2 − }][p˙ = 0].LEFT   r : 0.5 , and the resulting r˙ : fL (r) The whole system can be started in the environment E =  {2 −  ≥ r > } embedded system is (E, LEFT | PF ). The system can evolve, e.g., to (E 0 , LEFT |P F ), where   (r : 2 −  : p1 : 2 − ; p2 : 2 − ) . (p˙1 : 0, p˙2 : 0, r˙ : fL (r)) E0 =  {2 −  ≥ r > } We will see later in detail how this system works. 3. Physical Φ ala Fraenkel-Mostowski We continue to study physical Φ-calculus, in which we can send only continuous names as messages. Our notation conforms to Gabbay-Pitts-Fraenkel-Mostowski set theory. (We call this theory ZFA.) It is standard ZF set theory, without the axiom of choice, and where an infinite set of individual names is added, intuitively to represent those names which can be bound in an expression1. Crucial to this method are the notion of a swap action, and the notions of support 1We actually have two sets X and A of (bindable) atoms, the first for continuous names and the second for discrete

names.

SPATIAL LOGIC FOR Φ-CALCULUS

7

and freshness. The support of a set-theoretic object can be defined in general, but in our case these objects are Φ-calculus terms, and continuous environments. The support of a term is the set of free names in it, and the support of an environment is the collection of all variable names mentioned in it. Environments and terms then satisfy an additional axiom of ZFA, namely that for each set-theoretic object, there is a name (atom) not in its support. Two terms are α-equivalent (a standard notion) if their bound names can be inter-converted using a swapping permutation. Thus, the support of an α-equivalence class of processes should be the set of free names occurring in any member of the equivalence class. The idea, then, is to define the set of Φ-expressions modulo α-equivalence directly via a fixed-point definition in ZFA. A grammar in ZFA is in fact a fixpoint definition of the set of process terms as they would be encoded set-theoretically. Here, for example, is part of an inductive definition of the set P of process terms, omitting the clauses for M , F and C: P ::= M + {0} + P × {|} × P + +{!} × P + {ν} × A × P + {ν} × X × P where + is disjoint union. This expresses the set P as the (least) fixedpoint of the operator F (P ) = M + {0} + P × {|} × P + +{!} × P + {ν} × A × P + {ν} × X × P. We now introduce the basic ideas of Gabbay-Pitts [3] and some of their results, specialized to the case of Φ-terms. This topic is fully discussed in [4], with more categorical machinery employed. All references “GP” in the following are to [3]. Definition 3.1 (Swapping). For any atoms a, b let swap(ab)p denote the result of swapping the discrete names a, b in p, and swap(xy)p the result of swapping the continuous names x, y in p. This operation swaps all occurrences of these names, and is easily defined by structural induction using the basic term grammar. Swapping is used to define the notion of support of a Φ-term, of α-equivalence for Φ-terms, and then of atom-abstractions as equivalence classes of α-equivalence. Definition 3.2 (Support). A set w of discrete atoms is said to support a term p if for any permutation π of the set A of discrete atoms, (∀a ∈ w)(π(a) = a) =⇒ π(p) = p where π(p) acts on the finite set of discrete atoms in p as a composition of swaps. A similar definition obtains for the continuous atoms. The pair of finite sets (w, z), w ⊆ A, z ⊆ X , is said to support p if w supports p in the discrete sense, and Z supports p in the continuous sense. There is, in fact, a “least” pair (supp N (p), supp X (p)) jointly supporting any Φ-calculus term p, namely the pair of sets of free discrete (resp. continuous) names occurring in p. The notation a = // p means that a ∈ / supp(p), where context determines which sort of atoms we are discussing. The Fraenkel-Mostowski cumulative hierarchy takes the power set pow (X) of a set X to be the collection of finitely supported subsets of X: for each S ∈ pow (X), there must be a finite set w of atoms supporting S. That is, w must satisfy (∀π) : (∀a ∈ w.π(a) = a) =⇒ {π(x) | x ∈ S} = S. Another way to say this is that the only elements of a power set in this universe are the ones that are finitely supported. For the case of Φ, we can sometimes identify the support of a set S of terms: S Proposition 3.3. Let S be a set of terms. Then (i) p∈S supp(p) is a supporting set for S. (ii) S If p∈S supp(p) is finite, [ supp(S) = supp(p). p∈S

(This proposition applies to either sort of atoms.) The following lemma will also be useful when we consider defining the structural operational semantics of the Φ-calculus in ZFA.

8

WILLIAM C. ROUNDS

Lemma 3.4 (Equivariance). Suppose that for every permutation π fixing every element of the set w, we have π(S) ⊆ S. Then for every permutation fixing w, we have π(S) = S, so that w is a supporting set for S. Definition 3.5 (Fresh quantifier, GP). Let φ(a, −) be a formula of ZFA, with a free variable a over atoms. Then Naφ(a, −) is a formula expressing that {a ∈ A | φ(a, −)} is a cofinite set of atoms. Proposition 3.6 (GP). The relation a = // p, where p is a term, is equivalent to (Nb ∈ A)(swap(ab)p = p). This condition may be taken as the official definition of the freshness relation in general, where p is any finitely supported set-object. Definition 3.7 (α-equivalence [3]). Let x, y (a, b) be continuous (discrete) names. The relation ∼X (∼A ) is defined in ZFA by (x, p) ∼X (y, q) ⇐⇒ Nz(swap(zx)p = swap(zy)q). Proposition 3.8 (GP). (x, p) ∼X (y, q) ⇐⇒ x ∈ X ∧ y ∈ X ∧ q = swap(xy)p ∧ (y = x ∨ y = // p). This is just what is meant by α-equivalence, since q = swap(xy)p ∧ y = // p exactly means that q is obtained from p by replacing the bound name x by a completely fresh name y. Definition 3.9 (Atom-abstractions, GP). (1) Let a ∈ X , and p be a term. The abstraction (x)p is the equivalence class {q | (∃y ∈ X )q = swap(xy)p ∧ (y = x ∨ y = // p). We have, for an atom-abstraction, supp(a)p = supp(p) \ {a}. We may also form, for any set S of terms, the abstraction set (X )S = {(x)p | x ∈ X , p ∈ S}. With these preliminaries in hand, we can now define the set of α-equivalence classes of Φ-terms using a conventional inductive definition. Definition 3.10 (Φ-terms modulo α). P is the set of processes, F abstractions, C concretions, M sums, and EnvAct the set environmental actions in the following definition: P ::= M | 0 | (P | P ) | !P | ν(A)P | ν(X )P M ::= τ.P | EnvAct.P | AF | AC | M + M F ::= P | (X )F C ::= P | h X iC Here we mix the conventional grammar style with abstractions, but as noted above, these productions can all be translated into ZFA. The preceding definition is not yet complete, for we lack a specification of the set EnvAct of environmental actions. This, however, is relatively straightforward once we settle on an appropriate syntax. For simplicity, we consider the usual quantifier-free first-order language of arithmetic over the set X of continuous names. This allows us to form multivariate polynomials and to have expressions comparing the (values of) these polynomials; then to close under the Boolean operations. These expressions are to be used for predicates φ and ψ in environmental actions [ψ → {d, G, φ}]. The only thing left is to specify the form of d and G. Recall that d ∈ RV for some finite subset V of X . This means (since these valuations are to be used in environmental actions) we need a way to specify specific real numbers in a finite way. Any of a host of methods are available, but we will assume that √ numbers are built from the usual numerals and fractions, together with algebraic operations like 2 and so on. It is easy to see that the support of a term is now the set of free names in the term, including names which are free in environmental actions. Abstractions over dotted continuous names are considered to be abstractions over the underlying name.

SPATIAL LOGIC FOR Φ-CALCULUS

9

4. Structural operational semantics We reconsider our structural operational semantics in the light of ZFA, where we now have atom-abstractions and α-equivalence for free. We have to show that the sets and relations given by structural rules are in fact definable in ZFA: they must be sets with finite support. The key to doing this is the equivariance property, Lemma 3.4; we apply it by showing that whenever we swap atoms uniformly in both the antecedent and consequent of an SOS rule, we get another instance of the rule. We consider first how to model environments and environmental updates. Recalling Definition 2.2, notice that environments are semantic objects; the value of a state can be a vector of irrational numbers. However, we can still regard a valuation into R as an ZFA-set, because it is just a mapping from a finite set of atoms into the pure set R. Any permutation of all the continuous names will give us another valuation, in the following sense: let c be a valuation in RV . For a permutation π, of X , let π · c be the valuation from π(V) = {π(v) | v ∈ V} to R given by π · c(π(v)) = c(v). The situation with respect to the differential equation is a bit different, because here we have a mapping f from “dotted variables” into C 1 [RU ]. We want to permute variables in the set U this time; any such permutation will map V ⊆ U to π(V) = {π(v) | v ∈ V}. So, given f , and a permutation π of X , let π(f ) be the valuation from π(V)) to C 1 [Rπ(U) ] given by π(f )(π · c)) = f (c), where π · c ∈ π(U) is defined just above2 For the invariant we apply the same scheme, permuting the individual predicates, which are of course valuations into {0, 1}. Lastly, for an environment e and permutation π, let π · e be the result of applying the same π in all three components of e. This makes the space of environments into a set invariant under swapping. Furthermore, an embedded system (e, p) is an FM-object with finite support. We now consider the structural operational semantics of the Φ-calculus proper, done in ZFAstyle. For lack of space, we treat only flow transitions; the treatment of commitment rules is very similar. Once again, in the following, e is an environment having a closed differential equation with flow ξ(s, x) out of the state x, such that for a given time t, we have that for all 0 ≤ s < t, ξ(s, x) is defined and in the invariant set I. In addition e0 is like e but with x changed to ξ(t, x), and α is an environmental action. Env:

t

(e, α.p) → (e0 , e.p) where α.guard (ψ(ξ(s, x))) is false for all 0 ≤ s < t. π:

t

(e, a.F ) → (e0 , a.F ) t

Par:

t

(e, p) → (e0 , p)

(e, q) → (e0 , q) t

(e, p | q) → (e0 , p | q) t

Res-x:

(e, p[x ← w]) → (e0 , p[x ← w]) t

(e, νxp) → (e0 , νxp) provided w is not free in p and not mentioned in e. t

We want to express the relation (e, p) → (e0 , p) as a ternary relation in FM-set theory. It is defined via structural induction on α-equivalence classes of terms, which means we have to be sure that this method works. To this end, let ES be the space of embedded systems. Notice right away that this is a set all of whose elements have finite support. Let Flow be the desired relation on ES × R+ × ES that we are trying to define. In ZFA it must be a relation with finite support as a subset of the obvious powerset. It will be given as the 2All of this boils down to the fact that x˙ = F (x) is the same dynamic system as y˙ = F (y).

10

WILLIAM C. ROUNDS

least fixpoint of a continuous operator Ff l on relations; each flow rule contributes a clause in the definition of Ff l . Consider first the rules with empty antecedents; for example, the Env rule t

(e, α.p) → (e0 , α.p) This rule contributes all those triples ((e, α.p), t, (e0 , α.p)) to the relation Flow such that the guard ψ(s, x) of e is false for all 0 ≤ s < t. This (constant) relation is of finite support, because swapping atoms in a triple of the relation gives us another triple in the relation. Each other empty-antecedent rules similarly contributes another constant relation; and all of these rules together contribute the union R0 of these constant relations, which is a disjoint union, and so of finite support (in fact the support is ∅). To see how the other flow rules contribute to the definition of the operator Ff l , consider t

Par:

t

(e, p) → (e0 , p)

and

(e, q) → (e0 , q) t

(e, p | q) → (e0 , p | q) t

Res-x:

(e, p[x ← w]) → (e0 , p[x ← w])

. t (e, νxp) → (e0 , νxp) It is clear that swapping atoms uniformly in both of the antecedents and the consequent of the Par rule gives us another instance of the rule. Consider then for a given set of tuples S the operator F (S) = S ∪ {((e, p | q), t, (e0 , p | q)) | ((e, p), t, (e0 , p)) and ((e, q), t, (e0 , q)) ∈ S). If S has finite support, then by Lemma 3.4, so does F (S). For the Res-x rule, our operator is G(S) = {S ∪ {((e, νx p), t, (e0 , νx p)) | Nw(swap(xw)((e, p), t, (e0 , p)) ∈ S)}. this immediately gives a definition of G(S) in ZFA; and the support of G(S) is the same as the support of S. The Res − x rule is treated similarly, resulting in an operator H. We put Ff l (S) = R0 ∪ F (S) ∪ G(S) ∪ H(S), which is easily shown to be a monotonic operator on the power set of ES × R+ × ES . The least fixpoint of this operator is the flow relation we desire. This completes the structural operational semantics of the physical Φ-calculus. 5. Spatial Logic 5.1. Syntax and semantics. We first need to make a distinction between individual atoms (names) and variables ranging over these names, because we wish in our spatial logic to quantify over names. Thus, variables over X , A will be in VX , VA respectively. We will continue to use, however, the symbols a, b, x, y, . . . for these variables, as implicitly these symbols are formal variables over atoms in ZFA anyway. When we refer to individual names, we will subscript these symbols as a0 , x1 , etc. X, Y ∈ VP will be used for variables whose values are (finitely supported) sets of processes. We are going to define “modal” formulas which will be satisfied by embedded systems (E, P ). To give the semantics of these formulas, we simply translate them into formulas of ZFA having two free variables e and p. The syntax is presented in Figure 1 and the translation semantics in Figure 2. Some remarks are in order about our syntax and semantics. • The syntax includes new types of variables: over environments and over continuous names Each of these types is well-defined in ZFA by what we have said in Section 2. • The base logic has formulas φb , typically Boolean combinations of open formulas involving inequalities on variables for continuous names and over specific continuous names themselves. An unusual consequence of our rules is that a formula ∃x(x ≤ 1), where x is a variable over continuous names, does not quantify over real values of the variable x, because x varies over names. This formula then states that there is a name in the environment whose current value is ≤ 1. This formula would be true in an environment where y0 = 1,

SPATIAL LOGIC FOR Φ-CALCULUS

11

a, b ∈ VA

(Variables over discrete names)

a0 , b0 ∈ A

(Discrete names)

x, y ∈ VX

(Variables over continuous names)

e, f ∈ VE

(Variables over environments)

x0 , y0 ∈ X

(Continuous names)

α ∈ EnvAct

(Environmental action)

X, Y, Z ∈ VP

(PSet variables)

S, T ∈ VS

(Embedded system set variables) A, B, C ::= ff

(False)

φb

(Base continuous formula)

A∧B

(Conjunction)

¬A

(Negation)

0

(Void)

A|B

(Tensor)

ABB

(Assume-guarantee)

ν{x, a}A

(Revelation of continuous or discrete name)

A  {x, a}

(Hiding continuous or discrete name)

ah x iA

(Message)

α.A

(Environmental action)

∀{x, a}.A

(Universal quantifying over names)

N{x, a}.A

(Fresh name quantification)

∆

(Invariant violation)

♦A

(Can react)

h iA

(Can flow)

X

(PSet variable)

S

(ES set variable)

∀X.A

(Universal PSet quantification)

∀S.A

(Universal ES quantification)

Figure 1. Formulas of hybrid spatial logic. The expression {x, a} means that the relevant operator can occur with either a continuous name or a discrete name. A name constant can of course be substituted for any free occurrence of a name variable.

where y0 is a particular name. One could of course quantify over the values of these particular names in the usual way, but we have chosen to omit this here. • h iA indicates that the environment can flow for some positive amount of time until the formula A becomes true in the new environment. It is because this modal operator is the only one referencing the actual flow of a differential equation that we can ensure that no contradictions arise with the Axiom of Choice in our logic. Because the flows of an equation with given variables are definable in pure set theory without atoms, any results proved for them will continue to hold in the setting of ZFA. • The formula ∆ indicates in a particular environment that the boundary of an invariant region (there could be several, as the invariant is a set of predicates) has been reached. • Notice that ∃ and N quantifications bind names in both the environment and in the process.

12

WILLIAM C. ROUNDS

ff∗ (e, p) = ff; φb (e, p) = φb (e.state) (A ∧ B)∗ (e, p) = A∗ (e, p) ∧ B ∗ (e, p); (¬A)∗ (e, p) = (e, p) ∈ ES ) ∧ ¬A∗ (e, p) 0∗ (e, p) = (p = 0); (A | B)∗ (e, p) = ∃q, r.(p = (q | r) ∧ A∗ (e, q) ∧ B ∗ (e, r)); (A B B)∗ (e, p) = ∀q.(A∗ (e, q) → B ∗ (e, p | q)); (νaA)∗ (e, p) = ∃q.(p = νxq ∧ A∗ (e, q)) (similar for νxA); (A  a)∗ (e, p) = A∗ (e, νap) (similar for A  x); (ah x iA)∗ (e, p) = ∃q.(p = ah x i.q ∧ A∗ (e, q)); (α.A)∗ (e, p) = ∃q.(p = α.q ∧ (ψ(e.state) → A∗ (e ↑ α, q))); (Nx.A)∗ (e, p) = Nx.A∗ (e, p) (similar for Na.A); (∀x.A)∗ (e, p) = ∀x.A∗ (e, p) (similar for ∀a.A); ∆∗ (e, p) = ¬(e.state |= e.inv ); τ

(♦A)∗ (e, p) = ∃q.(p →= q ∧ A∗ (e, q)); t

(h iA)∗ (e, p) = ∃e0 , t > 0.((e, p) → (e0 , p) ∧ A∗ (e0 , p)); (X)∗ (e, p) = X ∈ powP ∧ p ∈ X; S ∗ (e, p) = (e, p) ∈ S ∧ S ∈ powES ; (∀X.A)∗ (e, p) = (∀X ∈ powP )A∗ (e, p); (∀S.A)∗ (e, p) = (∀S ∈ powES )A∗ (e, p).

Figure 2. Translation of Φ-formulas into ZFA. p ranges over the process set P and e over environments. We present an extended example of the logic in the next subsection. This example uses the Env commitment rule, and also uses “input-prefixing”. These will be common examples, so we propose two new derived syntactic forms to account for their effects: • In the case of the Env commitment rule τ

(e, νxp) → (e, p[w/x]) (w ∈ X , w not mentioned in e and not free in p) we propose a new “generate” quantifier Gx.A = Nx.(♦A). This says that a fresh name (both in environment and process) can be generated, and then the system can silently evolve to one satisfying A. • We define a derived “input prefix” connective a(x).A = Nx∀X.(ah x i.X B ♦(A | X)). This holds of a process P (and environment E) if for any name x and any process which is willing to output a fresh x on channel a and have a continuation Q satisfying an arbitrary X, then there is a reaction after which P | Q (and environment E) satisfies A | X. 5.2. An extended example: the robot carrier. First recall Example 2.12:
PF ::= [r ≤ ].νp [p : ; p˙ : 0].feed h p i.[r˙ > 0].PF ; . LEFT ::= [r˙ = fL (r); {2 −  ≥ r > }].RIGHT . . RIGHT ::= feed (p).[(p, ˙ r) ˙ = fR (p, r); { ≤ r < 2 − }][r ≥ 2 −  → p˙ = 0].LEFT We truncate this system so that the robot makes only a pass to the left and then a pass to the right, and then terminates. We also truncate the parts feeder so that it generates just one

SPATIAL LOGIC FOR Φ-CALCULUS

13

part. This is because we want to ignore recursion and fixpoints, in order to illustrate the other constructions. Thus we redefine
PF ::= [r ≤ ].νp α2(p).feed h p i[r˙ > 0].PF ; LEFT ::= α4.RIGHT ; RIGHT ::= feed (p).α5(p).α6(p).0 where α2(p) α4 α5(p) α6(p)

= = = =

. . [p = ; p˙ = 0]; . [r˙ = fL (r); IL ]; . [(p, ˙ r) ˙ = fR (p, r); IR ]; . [r ≥ 2 −  → p˙ = 0].

Here IL and IR denote the two invariants {2 −  ≥ r > } and { ≤ r < 2 − } respectively. The evolution of the system starting from (E0 , LEFT | PF ), where E0 is the initial environment 

 r : 0.5  r˙ : fL (r)  , IL is displayed in the following table.

1 r : 0.5 ´ @r˙ : fL (r)A , RIGHT | PF IL 0

`

E0 , LEFT | PF

α4

´

`

→

1 r: where E1 = @r˙ : fL (r)A IL 0

t1

`

→ [r≤]

` ` ´´ E , RIGHT | νp α2.feed h p i.[r˙ > 0].0 ` 1 ´ E1 , RIGHT | α2(w1 ).feed h w1 i.[r˙ > 0].0

→ τ →

α2(w1 )

→ τ

→ α5(w1 )

→

[r>0] ˙

E1 , RIGHT | PF

´

`

´ E2 , feed (p).α5(p).α6(p).0 | feed h w1 i.[r˙ > 0].0 `

´ E2 , α5(w1 ).e6(w1 ).0 | [r˙ > 0].0 `

´ E3 , α6(w1 ).0 | [r˙ > 0].0

→

`

´ E3 , α6(w1 ).0 | 0

t

`

´ E4 , α6(w1 ).0 | 0

2 →

α6(w1 )

→

by definition of PF by 0 Env 1 w1 : , r :  where E2 = @w˙1 : 0, r˙ : fL (r)A IR by React 0 1 w1 : ; r :  ˙ : fR (w1 , r)A) where E3 = @(w˙1 , r) IR (now the 0 test [r˙ > 0] is true) 1 w1 : 2 − ; r : 2 −  ˙ : fR (w1 , r) A where E4 = @ (w˙1 , r) IR

0 1 ` w1 : 2 − ; r : 2 −  ´ @ w˙1 : 0, r˙ : fR (r) A , 0 IR

We now write a spatial formula A which is true of (E0 , LEFT | PF ) where E0 is the initial environment   r : 0.5  r˙ : fL (r)  . IL

14

WILLIAM C. ROUNDS

The formula looks remarkably like the system itself, illustrating the spatiality idea. A = ALEFT | APF ; ALEFT = α4.h iARIGHT ; ARIGHT = feed (p)(α5(p).h iα6(p).0) = Np.∀X.(feed h p i.X B ♦(α5(p)h iα6(p).0 | X)); APF = h i[r ≤ ].Gp.(α2(p).feed h p i.[r˙ > 0].0) Now we are going to show that (E0 , LEFT | PF ) satisfies the formula A; in other words, that this particular embedded system model-checks. The work is displayed in the next table, which was constructed from the bottom row upwards. Transition `

E0 , LEFT | PF t

1 →

[r≤]

→ τ →

α2(w1 )

→ τ →

α5(w1 )

→

[r>0] ˙

→ t2 →

α6(w1 )

→

´

New 0 Embedded 1 System r : 0.5 ` ´ α4 @r˙ : fL (r)A , RIGHT | PF → IL ` ´ E1 , RIGHT | PF ´´ ` ` E1 , RIGHT | νp α2(p).feed h p i.[r˙ > 0].0 ` ´ E1 , RIGHT | α2(w1 ).feed h w1 i.[r˙ > 0].0 ` ´ E , RIGHT | feed h w1 i.[r˙ > 0].0 ` 2 ´ E2 , α5(w1 ).α6(w1 ).0 | [r˙ > 0].0 ` ´ E3 , α6(w1 ).0 | [r˙ > 0].0 ` ´ E3 , α6(w1 ).0 | 0 ` ´ E4 , α6(w1 ).0 | 1 0 0 ´ ` w1 : 2 − ; r : 2 −  @ w˙1 : 0, r˙ : fR (r) A , 0 | 0 IR

Formula Satisfied h iARIGHT | AP F ARIGHT | [r ≤ ].Gp.α2(p).feed h p i[r˙ > 0].0 ARIGHT | Gp.α2(p).feed h p i[r˙ > 0].0 ARIGHT | α2(w1 ).feed h w1 i[r˙ > 0].0 ARIGHT | feed h w1 i[r˙ > 0].0 α5(w1 ).h i(α6(w1 ).0) | [r˙ > 0].0 h i(α6(w1 ).0) | [r˙ > 0].0 h i(α6(w1 ).0) | 0 (α6(w1 ).0) | 0 0|0

Looking at the top line of the table, we see that the initial embedded system satisfies ALEFT | APF = A. Some remarks are in order about the two lines containing τ -transitions. The first line corresponds to the generation of the fresh name w1 , according to the Env rule. We know (even by inspection) that (E1 , α2(w1 ).feed h w1 i.[

r˙ > 0].0) satisfies α2(w1 ).feed h w1 i[r˙ > 0].0, and therefore satisfies ♦(α2(w1 ).feed h w1 i[r˙ > 0].0), where w1 is fresh that (E1 , νp α2(p).feed h p i.[r˙ > 0].0 in both E1 and the restricted process. Therefore E1 together with the restricted process satisfy Gp.α2(p).feed h p i.[r˙ > 0].0, and this justifies the right hand side of the spatial formula displayed on the line just before the first τ -transition. The second τ -transition corresponds to a reaction. Consider the line just before, where we claim that
E2 , RIGHT | feed h w1 i.[r˙ > 0].0 satisfies ARIGHT | feed h w1 i[r˙ > 0].0. Writing out ARIGHT in full, we have the formula Np.∀X.(feed h p i.X B ♦(α5(p)h iα6(p).0 | X)) | feed h w1 i[r˙ > 0].0. This is a good example of assume-guarantee reasoning. First, the environment does not play a role in this argument until the end, so we drop mention of it until then. Second, we know from the React rule that any process of the form feed (p).Q(p), when combined in parallel with a process of the form feed h w1 iR, will satisfy ♦(A | X) for any formula A and any actual (definable) set of processes X0 , provided there is a fresh w1 such that Q{p ← w1 } satisfies A and R is in X0 . Writing out the process RIGHT = feed (p).α5(p).α6(p).0, we take Q(p) in this instance to be α5(p).α6(p).0. We then choose X0 to be the set of processes satisfying [r˙ > 0].0 in the current environment E2 . (These will be all processes (structurally congruent to) the form [r˙ > 0].0, because this test is not

SPATIAL LOGIC FOR Φ-CALCULUS

15

met in E2 .) This implies that feed h w1 i[r˙ > 0].0 is a valid instance of the “assume” part feed h p i.X of the B operator, so that we have guaranteed Q(w1 ) | [r˙ > 0].0, as claimed. To add recursion to this example (and get a formula satisfied by the original parts feeder, we redefine ALEFT (S) and APF (T ), where S and T are embedded system set variables, as follows: ALEFT (S) = α4.h i.f eed(p)(α5(p).h iα6(p).S) APF (T ) = h i[r ≤ ].Gp.α2(p).f eedh p i.[r˙ > 0]h iT. Then we put A = (νS)(νT )(ALEFT (S) | APF (T )). This formula, however, does not mention the status of the parts drop at the end of the robot cycle. So here we introduce base formulas into APF which refer to the environment: APF (T ) = h i[r ≤ ].Gp.α2(p).f eedh p i.[r˙ > 0]h i(p = 2 −  ∧ p˙ = 0 ∧ T ). The name p is bound in the base formulas by Gp. This means that on unfolding the recursive formula, the next generated p will be a fresh one; the formula thus expresses that more and more parts accumulate in the drop. 5.3. Reachability. We conclude the paper by showing how to extend our logic so that it can express the important property of reachability. The formula expressing this is a recursive one over an embedded system set variable S. Reach(e, p) = µS.(S ∨ (♦S) ∨ (h iS) ∨ ∃α.(ψα (e.state) ∧ α.S)) where α has guard ψα . This formula says (recursively) that a state is reachable if it occurs now, or there is a silent transition to a reachable state (i.e., the result of a reaction), or there is a flow transition to a reachable state, or there is an enabled environmental action, the result of which is a reachable state. The formula is temporarily outside of our present logic, because we have not allowed the quantification ∃α over environmental actions. We can circumvent the problem, though, if we can tailor a specification formula to a given process expression; in that case, there are only finitely many environmental actions mentioned in the expression, so we can replace the existential quantification ∃α with a finite disjunction of formulas in each of which there is a particular α mentioned. References [1] Patrick Blackburn, Maarten de Rijke, and Yde Venema. Modal Logic, volume 53 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2001. [2] Luis Caires and Luca Cardelli. A spatial logic for concurrency (part I). In Proceedings, Theoretical Aspects of Computer Software; 4th International Symposium, Sendai, Japan, 2001. To appear in I & C special issue on TACS’01. [3] M. J. Gabbay and A. M. Pitts. A new approach to abstract syntax with variable binding. Formal Aspects of Computing, 13:341–363, 2001. [4] Murdoch J. Gabbay. Theory and models of the π-calculus using Fraenkel Mostowski Generalised. Submitted to the commemorative volume for 35 years of Automath, F. Kamareddine (ed.)., September 2002. [5] Thomas A. Henzinger, Shaz Qadeer, and Sriram K. Rajamani. Decomposing refinement proofs using assumeguarantee reasoning. In Proceedings of the International Conference on Computer-Aided Design (ICCAD), pages 245–252. IEEE Computer Society Press, 2000. [6] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27, 1983. [7] Robin Milner. Communicating and Mobile Systems: the π-calculus. Cambridge University Press, 1999. [8] W. Rounds and H. Song. The Φ-calculus - a language for distributed control of reconfigurable embedded systems. In Hybrid Systems: Computation and control, LNCS 2263, pages 435–449, Prague, Czech Republic, 2003. SpringerVerlag. CSE Division, EECS Department, University of Michigan, Ann Arbor, MI 48109, USA, University of Cambridge Computer Laboratory, Cambridge, CB3 0FD, UK E-mail address: [email protected]