Operational Semantics of Process Monitors

# Operational Semantics of Process Monitors

## Abstract

is a specification language for runtime monitors that can directly express concurrency in a bottom-up manner that composes the system from simpler, interacting components. It includes constructs to explicitly flag failures to the monitor, which unlike deadlocks and livelocks in conventional process algebras, propagate globally and aborts the whole system’s execution. Although has a trace semantics along with an implementation demonstrating acceptable performance, it lacks an operational semantics. An operational semantics is not only more accessible than trace semantics but also indispensable for ensuring the correctness of the implementation. Furthermore, a process algebra like admits multiple denotational semantics appropriate for different purposes, and an operational semantics is the basis for justifying such semantics’ integrity and relevance. In this paper, we develop an SOS-style operational semantics for , which properly accounts for explicit failures and will serve as a basis for further study of its properties, its optimization, and its use in runtime verification.

Isobe-san: ack or coauthor? He’s OK with either.

Negative operational semantics (which has premises saying certain transitions don’t exist) would be necessary if we use a fail action. That’s awkward.

It’s NOT okay to remove the epsilon from [|e -> P|] because synchronization can block the emission of e, making this subterm equivalent in that context to STOP.

Doomed might be better defined inductively as the set of terms that tau-transitions to FAIL, and has no other transitions.

Coinduction is strictly necessary. Roscoe defines it by first defining on individual strings, but at that granularity, you can’t tell if a trace is terminated by STOP or by FAIL. Where is coinduction used in my proof?

Can sequencing be implemented by / translated to other primitives?

No need for hd, because the equation with hd only applies when T1 and T2 are both nonempty, in which case the extra epsilon doesn’t hurt. In fact, with tick removed, the epsilon cap T1 cap T2 is also redundant.

• Focus / problem to be solved: Define an operational semantics for CSPe.

• Importance: Gives more accessible presentation of semantics. More directly tied to implementation. Gives reference point for defining various semantics that may be appropriate in different settings.

• Method(s): Define transition relation in SOS format, prove that it induces the previously given denotational semantics.

• Context: Previously proposed CSPe with denotational but no operational. Lots of semantics proposed for CSP, but to our knowledge no explicit handling of failures.

• Results: Developed operational semantics.

• Unique contribution: An operational semantics that captures the notion of failure, distinct from deadlock and livelock.

• Possible applications: A basis for assessing integrity of various denotational semantics. Basis for implementation.

## 1Introduction

Specification-based runtime monitoring [5] checks a program’s execution trace against a formal specification. Often more rigorous than testing due to the presence of a formal specification, this technique is also computationally much cheaper than formal verification methods like model checking, as it only needs to look at concrete program runs with instrumentation. [10] is a language based on Hoare’s Communicating Sequential Processes [6] for developing the formal specification. Unlike many other languages in this niche, can directly express concurrency. Moreover, it builds up the specification in a bottom-up manner by composing smaller, interacting components, helping to model complex behavior.

’s main appeal as a specification language, compared to plain CSP, is a construct that signals a global failure, aborting all processes in the model at once. This construct can be used like assert(false) in C or Java, allowing to code invariants that mark some states as (should-be) unreachable. By contrast, deadlocks and livelocks, the conventional notions of failure in CSP, affect only the deadlocked or livelocked process(es). These failures are thus very difficult to propagate into a failure for the entire system, as desired for assertion failures. However, the semantics of how propagates throughout the model requires special treatment. Because the propagation preempts all other activities, normal execution rules must apply only when is not currently propagating. This is a negative constraint, which is generally problematic [4].

While earlier work [10] demonstrated a trace semantics and a reasonably efficient implementation for , an operational semantics has been lacking. Developing an operational semantics is highly desirable for several reasons. Firstly, though a trace semantics more naturally defines the set of behaviors (i.e. traces) that comply with a specification, an operational semantics more directly defines the implementation. Secondly, process algebras admit multiple denotational semantics capturing different aspects of operationally defined behavior [3]. Investigating the full spectrum of such semantics requires an operational semantics. Finally, an operational semantics provides a more accessible presentation of the semantics than denotational semantics.

### 1.1Contributions

In this paper, after reviewing the syntax and trace semantics of (), we present the following contributions.

• We define an operational semantics in SOS format [8], which properly captures the propagation of while avoiding the complexities of rules with negative premises ().

• We prove that the operational semantics induces the previously published trace semantics ().

• We discuss possible some perturbations to the trace semantics, whose

## 2Syntax and Trace Semantics of CSPE

This section reviews the syntax and trace semantics of . presents the syntax. A term represents a process, which is an entity that successively emits events drawn from an alphabet . Terms are built from the terminating term, the deadlocked term, the failing term, prefix (which emits one event chosen from an event set), sequencing, external choice, and parallel composition with synchronization on an event set. Prefix and parallel composition take a set of events , which is the set of events that can be emitted in the case of prefix, the following constructs, with the following intuitive meanings. An event set can be specified by any computable function parametrized by the ’s bound by surrounding prefix operators.

In this short paper, we omit recursion and the terminating action in the interest of conciseness. This paper’s focus is on analyzing , and complicates the presentation substantially without adding anything of conceptual significance. Recursion seems to be similar, though it is still under investigation.

presents the trace semantics. A trace is a (possibly empty) sequence of events, and is the set of all traces. The concatenation of traces and is written . A trace set is any prefix-closed set of traces, which can be empty, unlike in conventional process algebras. The trace semantics of assigns to each term a trace set , which is intuitively the set of traces can emit.

The semantic map uses some operations on trace sets. If is a trace set, prepends to all members of and adjoins , while discards all traces in that do not start with and drops the leading from all remaining traces. The operator is defined by . Though significantly simplified, these equations are equivalent to the ones found in [10] modulo the absence of . In [10], this operator was defined “coinductively”, which was correct but misleading. Formally, by the Knaster-Tarski Theorem, the defining equations and have a greatest solution in the complete lattice of total binary functions on ordered by point-wise inclusion, which was taken to be . However, if and are any two solutions of these equations, then for any and , every trace in is also in , by straightforward induction on the trace’s length. Thus, the solution is unique, and is this unique solution.

## 3Operational Semantics

This section presents the operational semantics. The semantics is given in , which defines internal transitions between terms. Some transitions do not emit events but instead emit the silent action . A visible transition happens when internally transitions to in zero or more steps, and the non- actions it emits along the way forms .

The main challenge in this semantics is capturing the propagation of . For example, in , the must not be allowed to keep emitting events, for then could do so indefinitely, withholding the propagation of . Instead, should kill all processes including , transitioning the whole term to . To achieve this effect, the usual rule that allows the left operand to transition must apply only when the right operand is not failing. This constraint is tricky to capture because it is a negative constraint.

In our semantics, the constraint is captured by the viability annotation . This annotation restricts the range of the metavariable to exclude doomed terms, i.e. terms for which transitioning to has become inevitable and are now propagating within themselves. These annotations are placed so that when a term is doomed, rules that propagate become the only applicable ones, thus forcing the propagation to take place.

## 4Correspondence Between the Semantics

This section establishes a correspondence between the two semantics: a process’ denotation is precisely the set of traces it can emit, up to but not including any transitions that doom the process. This means that the monitor comparing a system to can declare a failure as soon as the system’s trace strays out of .

A special case of this theorem is particularly illuminating: the doomed set is precisely the set of terms with empty trace sets, corresponding to the fact that doomed terms silently transition to .

Furthermore, trace sets faithfully follow non-silent transitions, in that the traces which follow an event in are precisely the traces of terms that follow after a sequence of transitions that emit .

is a straightforward consequence of these facts.

We show by induction on . For the base case, by . If , then , and if , then can only transition inside as noted in the proof of . For the inductive step, breaks down as , and . By , this is equivalent to having and for some , which by inductive hypothesis is equivalent to .

## 5Related Works

Cite Groote, summarize general problem with negative constraints.

It is known that negative premises break the congruential nature of some bisimulations. Bisimulations generally correspond to different denotational semantics, and their failing to be congruences means the corresponding denotational semantics fails to be compositional. Some special cases are well-behaved, including Groote’s txnty/tytnt format and Roscoe’s Pri. Roscoe shows Pri admits translation to CSP, so all of CSP’s models apply. We encode it with syntactic restriction, widely employed in CBV. It has the advantage of making the rules essentially positive, so we expect good behavior.

The main issue with semantics is the propagation of , which entails the negative constraint that normal computation rules apply only if -propagation rules do not. Negative premises of the form come quite naturally as a means for codifying such constraints, but negative premises are generally quite problematic. A transition relation satisfying negative rules may be not-existent, or non-unique, with no obvious guiding principle (such as minimality) in choosing the “right” one. Some formats do guarantee well-definedness, such as GSOS with the witnessing constraint [2] and ntyft/ntyxt [4]. But even then, negative rules tend to betray desirable properties such as compositionality of some forms of bisimulation [1].

Our approach exploits the fact that we only have a very specific negative constraint – the absence of doomed subprocesses – and encodes it with a restriction on the range of metavariables in transition rules. With trick, we manage to avoid negative premises altogether, essentially turning the system into a positive one. This approach is very commonly employed, e.g. in reduction rules for the call-by-value calculus [7], where the argument in a function application should be evaluated only if the function expression cannot be evaluated any further.

We identify -induced failures by transitions into , but an alternative approach would be to have emit a special event , just as termination is signalled by . Though we have not pursued this idea in detail, the central concern there will be to give higher priority than all other events. Prioritized transition also involves a negative constraint but is known to be quite well-behaved, being translatable to plain CSP [9]. At the moment, it is not clear if propagation can be translated to the prioritized-transition primitive in [9].

## 6Conclusion

We gave an operational semantics for that adequately captures the behavior of , the global failure operator, with positive operational rules. This semantics induces the previously defined trace semantics. As noted in the introduction, this development enables studies of other types of denotational semantics, while informing the implementation. An interesting direction of future work is to see if can be specified by priorities, and if that approach yields better-behaved semantics.

### Acknowledgment

The authors would like to thank Yoshinao Isobe for comments on an earlier draft of this paper and stimulating discussions.

### References

1. Bloom, B.: Structural operational semantics for weak bisimulations. Theoretical Computer Science 146(1), 25–68 (1995)
2. Bloom, B., Istrail, S., Meyer, A.R.: Bisimulation can’t be traced. Journal of the ACM 42(1), 232–268 (1995)
3. van Glabbeek, R.J.: The linear time - branching time spectrum I. The semantics of concrete, sequential processes, chap. 1, pp. 3–100. Elsevier (2001)
4. Groote, J.F.: Transition system specifications with negative premises. Theoretical Computer Science 118(2), 263 – 299 (1993)
5. Havelund, K., Reger, G.: Specification of parametric monitors, pp. 151–189. Springer Fachmedien Wiesbaden, Wiesbaden (2015)
6. Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, Inc., Upper Saddle River, NJ, USA (1985)
7. Mitchell, J.C.: Foundations for Programming Languages. MIT Press (1996)
8. Plotkin, G.D.: A structural approach to operational semantics. The Journal of Logic and Algebraic Programming 60, 17–139 (2004)
9. Roscoe, A.: The expressiveness of CSP with priority. Electronic Notes in Theoretical Computer Science 319, 387 – 401 (2015)
10. Yamagata, Y., Artho, C., Hagiya, M., Inoue, J., Ma, L., Tanabe, Y., Yamamoto, M.: Runtime Monitoring for Concurrent Systems, pp. 386–403. Springer International Publishing, Cham (2016)
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minumum 40 characters