-
ProofBuddy: A Proof Assistant for Learning and Monitoring
Authors:
Nadine Karsten,
Frederik Krogsdal Jacobsen,
Kim Jana Eiken,
Uwe Nestmann,
Jørgen Villadsen
Abstract:
Proof competence, i.e. the ability to write and check (mathematical) proofs, is an important skill in Computer Science, but for many students it represents a difficult challenge. The main issues are the correct use of formal language and the ascertainment of whether proofs, especially the students' own, are complete and correct. Many authors have suggested using proof assistants to assist in teach…
▽ More
Proof competence, i.e. the ability to write and check (mathematical) proofs, is an important skill in Computer Science, but for many students it represents a difficult challenge. The main issues are the correct use of formal language and the ascertainment of whether proofs, especially the students' own, are complete and correct. Many authors have suggested using proof assistants to assist in teaching proof competence, but the efficacy of the approach is unclear. To improve the state of affairs, we introduce ProofBuddy: a web-based tool using the Isabelle proof assistant which enables researchers to conduct studies of the efficacy of approaches to using proof assistants in education by collecting fine-grained data about the way students interact with proof assistants. We have performed a preliminary usability study of ProofBuddy at the Technical University of Denmark.
△ Less
Submitted 14 August, 2023;
originally announced August 2023.
-
FTMPST: Fault-Tolerant Multiparty Session Types
Authors:
Kirstin Peters,
Uwe Nestmann,
Christoph Wagner
Abstract:
Multiparty session types are designed to abstractly capture the structure of communication protocols and verify behavioural properties. One important such property is progress, i.e., the absence of deadlock. Distributed algorithms often resemble multiparty communication protocols. But proving their properties, in particular termination that is closely related to progress, can be elaborate. Since d…
▽ More
Multiparty session types are designed to abstractly capture the structure of communication protocols and verify behavioural properties. One important such property is progress, i.e., the absence of deadlock. Distributed algorithms often resemble multiparty communication protocols. But proving their properties, in particular termination that is closely related to progress, can be elaborate. Since distributed algorithms are often designed to cope with faults, a first step towards using session types to verify distributed algorithms is to integrate fault-tolerance. We extend multiparty session types to cope with system failures such as unreliable communication and process crashes. Moreover, we augment the semantics of processes by failure patterns that can be used to represent system requirements (as, e.g., failure detectors). To illustrate our approach we analyse a variant of the well-known rotating coordinator algorithm by Chandra and Toueg.
△ Less
Submitted 24 November, 2023; v1 submitted 16 April, 2022;
originally announced April 2022.
-
Deciding All Behavioral Equivalences at Once: A Game for Linear-Time--Branching-Time Spectroscopy
Authors:
Benjamin Bis**,
David N. Jansen,
Uwe Nestmann
Abstract:
We introduce a generalization of the bisimulation game that finds distinguishing Hennessy-Milner logic formulas from every finitary, subformula-closed language in van Glabbeek's linear-time--branching-time spectrum between two finite-state processes. We identify the relevant dimensions that measure expressive power to yield formulas belonging to the coarsest distinguishing behavioral preorders and…
▽ More
We introduce a generalization of the bisimulation game that finds distinguishing Hennessy-Milner logic formulas from every finitary, subformula-closed language in van Glabbeek's linear-time--branching-time spectrum between two finite-state processes. We identify the relevant dimensions that measure expressive power to yield formulas belonging to the coarsest distinguishing behavioral preorders and equivalences; the compared processes are equivalent in each coarser behavioral equivalence from the spectrum. We prove that the induced algorithm can determine the best fit of (in)equivalences for a pair of processes.
△ Less
Submitted 8 August, 2022; v1 submitted 30 September, 2021;
originally announced September 2021.
-
Taming Concurrency for Verification Using Multiparty Session Types (Technical Report)
Authors:
Kirstin Peters,
Christoph Wagner,
Uwe Nestmann
Abstract:
The additional complexity caused by concurrently communicating processes in distributed systems render the verification of such systems into a very hard problem. Multiparty session types were developed to govern communication and concurrency in distributed systems. As such, they provide an efficient verification method w.r.t. properties about communication and concurrency, like communication safet…
▽ More
The additional complexity caused by concurrently communicating processes in distributed systems render the verification of such systems into a very hard problem. Multiparty session types were developed to govern communication and concurrency in distributed systems. As such, they provide an efficient verification method w.r.t. properties about communication and concurrency, like communication safety or progress. However, they do not support the analysis of properties that require the consideration of concrete runs or concrete values of variables.
We sequentialise well-typed systems of processes guided by the structure of their global type to obtain interaction-free abstractions thereof. Without interaction, concurrency in the system is reduced to sequential and completely independent parallel compositions. In such abstractions, the verification of properties such as e.g. data-based termination that are not covered by multiparty session types, but rely on concrete runs or values of variables, becomes significantly more efficient.
△ Less
Submitted 18 August, 2019;
originally announced August 2019.
-
On the Distributability of Mobile Ambients
Authors:
Kirstin Peters,
Uwe Nestmann
Abstract:
Modern society is dependent on distributed software systems and to verify them different modelling languages such as mobile ambients were developed. To analyse the quality of mobile ambients as a good foundational model for distributed computation, we analyse the level of synchronisation between distributed components that they can express. Therefore, we rely on earlier established synchronisation…
▽ More
Modern society is dependent on distributed software systems and to verify them different modelling languages such as mobile ambients were developed. To analyse the quality of mobile ambients as a good foundational model for distributed computation, we analyse the level of synchronisation between distributed components that they can express. Therefore, we rely on earlier established synchronisation patterns. It turns out that mobile ambients are not fully distributed, because they can express enough synchronisation to express a synchronisation pattern called M. However, they can express strictly less synchronisation than the standard pi-calculus. For this reason, we can show that there is no good and distributability-preserving encoding from the standard pi-calculus into mobile ambients and also no such encoding from mobile ambients into the join-calculus, i.e., the expressive power of mobile ambients is in between these languages. Finally, we discuss how these results can be used to obtain a fully distributed variant of mobile ambients.
△ Less
Submitted 26 August, 2018;
originally announced August 2018.
-
On the Distributability of Mobile Ambients (Technical Report)
Authors:
Kirstin Peters,
Uwe Nestmann
Abstract:
Modern society is dependent on distributed software systems and to verify them different modelling languages such as mobile ambients were developed. To analyse the quality of mobile ambients as a good foundational model for distributed computation, we analyse the level of synchronisation between distributed components that they can express. Therefore, we rely on earlier established synchronisation…
▽ More
Modern society is dependent on distributed software systems and to verify them different modelling languages such as mobile ambients were developed. To analyse the quality of mobile ambients as a good foundational model for distributed computation, we analyse the level of synchronisation between distributed components that they can express. Therefore, we rely on earlier established synchronisation patterns. It turns out that mobile ambients are not fully distributed, because they can express enough synchronisation to express a synchronisation pattern called M. However, they can express strictly less synchronisation than the standard pi-calculus. For this reason, we can show that there is no good and distributability-preserving encoding from the standard pi-calculus into mobile ambients and also no such encoding from mobile ambients into the join-calculus, i.e., the expressive power of mobile ambients is in between these languages. Finally, we discuss how these results can be used to obtain a fully distributed variant of mobile ambients.
△ Less
Submitted 5 August, 2018;
originally announced August 2018.
-
Dynamic Causality in Event Structures
Authors:
Youssef Arbach,
David S. Karcher,
Kirstin Peters,
Uwe Nestmann
Abstract:
Event Structures (ESs) address the representation of direct relationships between individual events, usually capturing the notions of causality and conflict. Up to now, such relationships have been static, i.e., they cannot change during a system run. Thus, the common ESs only model a static view on systems. We make causality dynamic by allowing causal dependencies between some events to be change…
▽ More
Event Structures (ESs) address the representation of direct relationships between individual events, usually capturing the notions of causality and conflict. Up to now, such relationships have been static, i.e., they cannot change during a system run. Thus, the common ESs only model a static view on systems. We make causality dynamic by allowing causal dependencies between some events to be changed by occurrences of other events. We first model and study the case in which events may entail the removal of causal dependencies, then we consider the addition of causal dependencies, and finally we combine both approaches in the so-called Dynamic Causality ESs. For all three newly defined types of ESs, we study their expressive power in comparison to the well-known Prime ESs, Dual ESs, Extended Bundle ESs, and ESs for Resolvable Conflicts. Interestingly, Dynamic Causality ESs subsume Extended Bundle ESs and Dual ESs but are incomparable with ESs for Resolvable Conflicts.
△ Less
Submitted 26 February, 2018; v1 submitted 9 January, 2018;
originally announced January 2018.
-
Session Types for Link Failures (Technical Report)
Authors:
Manuel Adameit,
Kirstin Peters,
Uwe Nestmann
Abstract:
We strive to use session type technology to prove behavioural properties of fault-tolerant distributed algorithms. Session types are designed to abstractly capture the structure of (even multi-party) communication protocols. The goal of session types is the analysis and verification of the protocols' behavioural properties. One important such property is progress, i.e., the absence of (unintended)…
▽ More
We strive to use session type technology to prove behavioural properties of fault-tolerant distributed algorithms. Session types are designed to abstractly capture the structure of (even multi-party) communication protocols. The goal of session types is the analysis and verification of the protocols' behavioural properties. One important such property is progress, i.e., the absence of (unintended) deadlock. Distributed algorithms often resemble (compositions of) multi-party communication protocols. In contrast to protocols that are typically studied with session types, they are often designed to cope with system failures. An essential behavioural property is (successful) termination, despite failures, but it is often elaborate to prove for distributed algorithms.
We extend multi-party session types (and multi-party session types with nested sessions) by optional blocks that cover a limited class of link and crash failures. This allows us to automatically derive termination of distributed algorithms that come within these limits. To illustrate our approach, we prove termination for an implementation of the *rotating coordinator* Consensus algorithm.
△ Less
Submitted 4 May, 2017; v1 submitted 25 July, 2016;
originally announced July 2016.
-
Encoding CSP into CCS
Authors:
Meike Hatzel,
Christoph Wagner,
Kirstin Peters,
Uwe Nestmann
Abstract:
We study encodings from CSP into asynchronous CCS with name passing and matching, so in fact, the asynchronous pi-calculus. By doing so, we discuss two different ways to map the multi-way synchronisation mechanism of CSP into the two-way synchronisation mechanism of CCS. Both encodings satisfy the criteria of Gorla except for compositionality, as both use an additional top-level context. Following…
▽ More
We study encodings from CSP into asynchronous CCS with name passing and matching, so in fact, the asynchronous pi-calculus. By doing so, we discuss two different ways to map the multi-way synchronisation mechanism of CSP into the two-way synchronisation mechanism of CCS. Both encodings satisfy the criteria of Gorla except for compositionality, as both use an additional top-level context. Following the work of Parrow and Sjödin, the first encoding uses a centralised coordinator and establishes a variant of weak bisimilarity between source terms and their translations. The second encoding is decentralised, and thus more efficient, but ensures only a form of coupled similarity between source terms and their translations.
△ Less
Submitted 26 August, 2015;
originally announced August 2015.
-
Encoding CSP into CCS (Extended Version)
Authors:
Meike Hatzel,
Christoph Wagner,
Kirstin Peters,
Uwe Nestmann
Abstract:
We study encodings from CSP into asynchronous CCS with name passing and matching, so in fact, the asynchronous pi-calculus. By doing so, we discuss two different ways to map the multi-way synchronisation mechanism of CSP into the two-way synchronisation mechanism of CCS. Both encodings satisfy the criteria of Gorla except for compositionality, as both use an additional top-level context. Following…
▽ More
We study encodings from CSP into asynchronous CCS with name passing and matching, so in fact, the asynchronous pi-calculus. By doing so, we discuss two different ways to map the multi-way synchronisation mechanism of CSP into the two-way synchronisation mechanism of CCS. Both encodings satisfy the criteria of Gorla except for compositionality, as both use an additional top-level context. Following the work of Parrow and Sjödin, the first encoding uses a central coordinator and establishes a variant of weak bisimilarity between source terms and their translations. The second encoding is decentralised, and thus more efficient, but ensures only a form of coupled similarity between source terms and their translations.
△ Less
Submitted 5 August, 2015;
originally announced August 2015.
-
Dynamic Causality in Event Structures (Technical Report)
Authors:
Youssef Arbach,
David Karcher,
Kirstin Peters,
Uwe Nestmann
Abstract:
In [1] we present an extension of Prime Event Structures by a mechanism to express dynamicity in the causal relation. More precisely we add the possibility that the occurrence of an event can add or remove causal dependencies between events and analyse the expressive power of the resulting Event Structures w.r.t. to some well-known Event Structures from the literature. This technical report contai…
▽ More
In [1] we present an extension of Prime Event Structures by a mechanism to express dynamicity in the causal relation. More precisely we add the possibility that the occurrence of an event can add or remove causal dependencies between events and analyse the expressive power of the resulting Event Structures w.r.t. to some well-known Event Structures from the literature. This technical report contains some additional information and the missing proofs of [1].
△ Less
Submitted 2 April, 2015;
originally announced April 2015.
-
States in Process Calculi
Authors:
Christoph Wagner,
Uwe Nestmann
Abstract:
Formal reasoning about distributed algorithms (like Consensus) typically requires to analyze global states in a traditional state-based style. This is in contrast to the traditional action-based reasoning of process calculi. Nevertheless, we use domain-specific variants of the latter, as they are convenient modeling languages in which the local code of processes can be programmed explicitly, with…
▽ More
Formal reasoning about distributed algorithms (like Consensus) typically requires to analyze global states in a traditional state-based style. This is in contrast to the traditional action-based reasoning of process calculi. Nevertheless, we use domain-specific variants of the latter, as they are convenient modeling languages in which the local code of processes can be programmed explicitly, with the local state information usually managed via parameter lists of process constants. However, domain-specific process calculi are often equipped with (unlabeled) reduction semantics, building upon a rich and convenient notion of structural congruence. Unfortunately, the price for this convenience is that the analysis is cumbersome: the set of reachable states is modulo structural congruence, and the processes' state information is very hard to identify. We extract from congruence classes of reachable states individual state-informative representatives that we supply with a proper formal semantics. As a result, we can now freely switch between the process calculus terms and their representatives, and we can use the stateful representatives to perform assertional reasoning on process calculus models.
△ Less
Submitted 6 August, 2014;
originally announced August 2014.
-
Matching in the Pi-Calculus
Authors:
Kirstin Peters,
Tsvetelina Yonova-Karbe,
Uwe Nestmann
Abstract:
We study whether, in the pi-calculus, the match prefix-a conditional operator testing two names for (syntactic) equality-is expressible via the other operators. Previously, Carbone and Maffeis proved that matching is not expressible this way under rather strong requirements (preservation and reflection of observables). Later on, Gorla developed a by now widely-tested set of criteria for encodings…
▽ More
We study whether, in the pi-calculus, the match prefix-a conditional operator testing two names for (syntactic) equality-is expressible via the other operators. Previously, Carbone and Maffeis proved that matching is not expressible this way under rather strong requirements (preservation and reflection of observables). Later on, Gorla developed a by now widely-tested set of criteria for encodings that allows much more freedom (e.g. instead of direct translations of observables it allows comparison of calculi with respect to reachability of successful states). In this paper, we offer a considerably stronger separation result on the non-expressibility of matching using only Gorla's relaxed requirements.
△ Less
Submitted 6 August, 2014;
originally announced August 2014.
-
Matching in the Pi-Calculus (Technical Report)
Authors:
Kirstin Peters,
Tsvetelina Yonova-Karbe,
Uwe Nestmann
Abstract:
We study whether, in the pi-calculus, the match prefix---a conditional operator testing two names for (syntactic) equality---is expressible via the other operators. Previously, Carbone and Maffeis proved that matching is not expressible this way under rather strong requirements (preservation and reflection of observables). Later on, Gorla developed a by now widely-tested set of criteria for encodi…
▽ More
We study whether, in the pi-calculus, the match prefix---a conditional operator testing two names for (syntactic) equality---is expressible via the other operators. Previously, Carbone and Maffeis proved that matching is not expressible this way under rather strong requirements (preservation and reflection of observables). Later on, Gorla developed a by now widely-tested set of criteria for encodings that allows much more freedom (e.g. instead of direct translations of observables it allows comparison of calculi with respect to reachability of successful states). In this paper, we offer a considerably stronger separation result on the non-expressibility of matching using only Gorla's relaxed requirements.
△ Less
Submitted 23 July, 2014;
originally announced July 2014.
-
Enforcing Operational Properties including Blockfreeness for Deterministic Pushdown Automata
Authors:
Sven Schneider,
Uwe Nestmann
Abstract:
We present an algorithm which modifies a deterministic pushdown automaton (DPDA) such that (i) the marked language is preserved, (ii) lifelocks are removed, (iii) deadlocks are removed, (iv) all states and edges are accessible, and (v) operational blockfreeness is established (i.e., coaccessibility in the sense that every initial derivation can be continued to a marking configuration). This proble…
▽ More
We present an algorithm which modifies a deterministic pushdown automaton (DPDA) such that (i) the marked language is preserved, (ii) lifelocks are removed, (iii) deadlocks are removed, (iv) all states and edges are accessible, and (v) operational blockfreeness is established (i.e., coaccessibility in the sense that every initial derivation can be continued to a marking configuration). This problem can be trivially solved for deterministic finite automata (DFA) but is not solvable for standard petri net classes. The algorithm is required for an operational extension of the supervisory control problem (SCP) to the situation where the specification in modeled by a DPDA.
△ Less
Submitted 21 March, 2014; v1 submitted 20 March, 2014;
originally announced March 2014.
-
Adding Priority to Event Structures
Authors:
Youssef Arbach,
Kirstin Peters,
Uwe Nestmann
Abstract:
Event Structures (ESs) are mainly concerned with the representation of causal relationships between events, usually accompanied by other event relations capturing conflicts and disabling. Among the most prominent variants of ESs are Prime ESs, Bundle ESs, Stable ESs, and Dual ESs, which differ in their causality models and event relations. Yet, some application domains require further kinds of rel…
▽ More
Event Structures (ESs) are mainly concerned with the representation of causal relationships between events, usually accompanied by other event relations capturing conflicts and disabling. Among the most prominent variants of ESs are Prime ESs, Bundle ESs, Stable ESs, and Dual ESs, which differ in their causality models and event relations. Yet, some application domains require further kinds of relations between events. Here, we add the possibility to express priority relationships among events.
We exemplify our approach on Prime, Bundle, Extended Bundle, and Dual ESs. Technically, we enhance these variants in the same way. For each variant, we then study the interference between priority and the other event relations. From this, we extract the redundant priority pairs-notably differing for the types of ESs-that enable us to provide a comparison between the extensions. We also exhibit that priority considerably complicates the definition of partial orders in ESs.
△ Less
Submitted 28 July, 2013;
originally announced July 2013.
-
Is it a "Good" Encoding of Mixed Choice? (Technical Report)
Authors:
Kirstin Peters,
Uwe Nestmann
Abstract:
This technical report contains the proofs to the lemmata and theorems of [PN12] as well as some additional material. As main contributions [PN12] presents an encoding of mixed choice in the context of the pi-calculus and a criterion to measure whether the degree of distribution in process networks is preserved.
This technical report contains the proofs to the lemmata and theorems of [PN12] as well as some additional material. As main contributions [PN12] presents an encoding of mixed choice in the context of the pi-calculus and a criterion to measure whether the degree of distribution in process networks is preserved.
△ Less
Submitted 6 January, 2012;
originally announced January 2012.
-
Synchrony vs Causality in the Asynchronous Pi-Calculus
Authors:
Kirstin Peters,
Jens-Wolfhard Schicke,
Uwe Nestmann
Abstract:
We study the relation between process calculi that differ in their either synchronous or asynchronous interaction mechanism. Concretely, we are interested in the conditions under which synchronous interaction can be implemented using just asynchronous interactions in the pi-calculus. We assume a number of minimal conditions referring to the work of Gorla: a "good" encoding must be compositional a…
▽ More
We study the relation between process calculi that differ in their either synchronous or asynchronous interaction mechanism. Concretely, we are interested in the conditions under which synchronous interaction can be implemented using just asynchronous interactions in the pi-calculus. We assume a number of minimal conditions referring to the work of Gorla: a "good" encoding must be compositional and preserve and reflect computations, deadlocks, divergence, and success. Under these conditions, we show that it is not possible to encode synchronous interactions without introducing additional causal dependencies in the translation.
△ Less
Submitted 22 August, 2011;
originally announced August 2011.
-
Breaking Symmetries
Authors:
Kirstin Peters,
Uwe Nestmann
Abstract:
A well-known result by Palamidessi tells us that \pimix (the π-calculus with mixed choice) is more expressive than \pisep (its subset with only separate choice). The proof of this result argues with their different expressive power concerning leader election in symmetric networks. Later on, Gorla offered an arguably simpler proof that, instead of leader election in symmetric networks, employed the…
▽ More
A well-known result by Palamidessi tells us that \pimix (the π-calculus with mixed choice) is more expressive than \pisep (its subset with only separate choice). The proof of this result argues with their different expressive power concerning leader election in symmetric networks. Later on, Gorla offered an arguably simpler proof that, instead of leader election in symmetric networks, employed the reducibility of incestual processes (mixed choices that include both enabled senders and receivers for the same channel) when running two copies in parallel. In both proofs, the role of breaking (initial) symmetries is more or less apparent. In this paper, we shed more light on this role by re-proving the above result - based on a proper formalization of what it means to break symmetries without referring to another layer of the distinguishing problem domain of leader election. Both Palamidessi and Gorla rephrased their results by stating that there is no uniform and reasonable encoding from \pimix into \pisep. We indicate how the respective proofs can be adapted and exhibit the consequences of varying notions of uniformity and reasonableness. In each case, the ability to break initial symmetries turns out to be essential.
△ Less
Submitted 29 November, 2010;
originally announced November 2010.
-
Breaking Symmetries
Authors:
Kirstin Peters,
Uwe Nestmann
Abstract:
A well-known result by Palamidessi tells us that πmix (the π-calculus with mixed choice) is more expressive than πsep (its subset with only separate choice). The proof of this result argues with their different expressive power concerning leader election in symmetric networks. Later on, Gorla of- fered an arguably simpler proof that, instead of leader election in symmetric networks, employed the r…
▽ More
A well-known result by Palamidessi tells us that πmix (the π-calculus with mixed choice) is more expressive than πsep (its subset with only separate choice). The proof of this result argues with their different expressive power concerning leader election in symmetric networks. Later on, Gorla of- fered an arguably simpler proof that, instead of leader election in symmetric networks, employed the reducibility of "incestual" processes (mixed choices that include both enabled senders and receivers for the same channel) when running two copies in parallel. In both proofs, the role of breaking (ini- tial) symmetries is more or less apparent. In this paper, we shed more light on this role by re-proving the above result-based on a proper formalization of what it means to break symmetries-without referring to another layer of the distinguishing problem domain of leader election.
Both Palamidessi and Gorla rephrased their results by stating that there is no uniform and reason- able encoding from πmix into πsep . We indicate how the respective proofs can be adapted and exhibit the consequences of varying notions of uniformity and reasonableness. In each case, the ability to break initial symmetries turns out to be essential.
△ Less
Submitted 23 July, 2010;
originally announced July 2010.