
3.5 crypt_probtime: Extending crypt with timed and probabilistic syntax and semantics

3.5.1 Formal syntax of crypt_probtime

PROTOCOLS


- $L$ is a finite set of locations and $q_0$ is the initial location;

- $P$ is a set of actions that range over $act$;

- $C$ is a finite set of clocks;

- $\partial : L \to \Phi(C)$ is a function that assigns to each location a formula, called a location invariant, that must hold at that location;

- $\kappa : L \to 2^{C}$ gives the set of clock resets to be performed at a given location;

- $E \subseteq L \times P \times \Phi(C) \times B \times L$ is the set of edges. I write $q \xrightarrow{\,act,\,\varphi\,} q'$ when $(q, act, \varphi, B, q') \in E$, where $act$ and $\varphi$ are the action and the time constraint defined on the edge, and $B$ is the set of clocks to be reset at $q'$.

- $\Pi = \{\pi_1, \ldots, \pi_n\}$ is a finite set of probability distributions. Each $\pi_i$ is a function $\pi_i : E \to [0,1]$ for $i \in \{1, \ldots, n\}$, where $\pi_i(g)$ is the probability of an edge $g$ according to distribution $\pi_i$, and the probabilities of the edges leaving a given location $q$ sum to 1.

Let us denote the set of processes in crypt_probtime by $\mathcal{A}_{probtime}$, and let $A_{qpt}$ range over processes in $\mathcal{A}_{probtime}$. In crypt_probtime, each probabilistic timed process $A_{qpt}$ corresponds to a location $q$ in an automaton, such that there is an initial process $A_{q_0 pt}$ for location $q_0$. The set of actions $P$ corresponds to the set of actions known in crypt. The set of clocks to be reset at a given location $q$, $\kappa(q)$, is defined by the corresponding crypt_probtime process $\|CR\|\,A_{qpt}$. The clock invariant at location $q$ corresponds to the process $\varphi \,.\, A_{qpt}$, and the edge guard can be defined by $\varphi \hookrightarrow A_{qpt}$. More specifically,

- $A_{pt}$ can be an extended process $A$ without any time construct.

- $\alpha_{\pi}\,A_{pt}$ performs $\alpha$ as the first (not timed) action with distribution $\pi$, at any time, and then behaves like $A_{pt}$. Note that $\alpha$ can be $\nu x.\,c\langle x\rangle$, $c\langle u\rangle$, $c(t)$, and the silent action $\tau$.

For instance, if $A_{pt}$ is $c(t).P$, where $P$ is a plain process in crypt, then $\alpha$ is $c(t)$. Let $A'_{pt}$ be the process that we get after performing action $\alpha$ in $A_{pt}$. Process $\alpha_{\pi}\,A_{pt}$ corresponds to the automaton edge $q \xrightarrow[\pi]{\,\alpha,\,true\,} q'$, where $\alpha_{\pi}\,A_{pt}$ and $A'_{pt}$ correspond to locations $q$ and $q'$, respectively.

- $\varphi \hookrightarrow A_{pt}$ represents a time guard of an action, and says that the first action $\alpha$ of $A_{pt}$ is performed if the guard (time constraint) $\varphi$ holds. This process is intended to model the edge $q \xrightarrow[\pi]{\,\alpha\,} q'$ in the automaton syntax, where $A_{pt}$ and $A'_{pt}$ correspond to $q$ and $q'$, respectively, such that $A'_{pt}$ is the process that results after performing action $\alpha$ in $A_{pt}$. In the transition, the action $\alpha$ is performed according to the distribution $\pi$. When an action has the time guard $true$, the action can be performed at any time.

- $\varphi \,.\, A_{pt}$ represents a clock invariant over $A_{pt}$. This process corresponds to the location invariant in an automaton. As in timed automata, this means that the system cannot "stay" in process $A_{pt}$ once the time constraint $\varphi$ becomes invalid. If it cannot leave this process via any transition, then it is a deadlock situation. Invariants can be used to model timeouts.

- In the timed process $\|CR\|\,A_{pt}$, the clocks in the set $CR$ are first reset, and then it behaves like $A_{pt}$ with the reset clock values.

- $A_{1pt}\ [\,]\ A_{2pt}$ and $A_{1pt} \mid A_{2pt}$ describe the first-action choice and the parallel composition of two processes, respectively. Process $A_{1pt}\ p\ A_{2pt}$ behaves like $A_{1pt}$ with probability $p$, and as $A_{2pt}$ with probability $1-p$. $A_{1pt}\ [\,]\ A_{2pt}$ corresponds to a location $q$ from which two edges start, and they are chosen based on the first enabled action of $A_{1pt}$ and $A_{2pt}$. For parallel composition, I define $A_{1pt} \mid A_{2pt}$ as a location, instead of the parallel composition of two automata. Process $A_{1pt}\ p\ A_{2pt}$ corresponds to a location $q$ from which two edges start: $q \xrightarrow[p]{\,\alpha\,} q_1$ and $q \xrightarrow[1-p]{\,\alpha\,} q_2$, where $q_1$ and $q_2$ correspond to $A_{1pt}$ and $A_{2pt}$, respectively.


- $X_{pt}$ is a process variable to which one of the timed processes $\varphi \hookrightarrow A_{pt}$, $\varphi \,.\, A_{pt}$, $\|CR\|\,A_{pt}$ can be bound. Note that this differs from [50]: for my problem, I restrict process variables ($X_{pt}$) to those processes that have time constructs defined on them. The reason is that I want to avoid recursive process invocation for extended processes, which may lead to an infinite invocation cycle (e.g., $A = \{t/x\} \mid A$, where the process variable is bound to $A$), and hence is not well-defined.

Definition 12. I extend the definition of free and bound variables in Section 3.4 with the set of clock variables. The sets of free and bound clock variables of $A_{pt}$, denoted by $fvc(A_{pt})$ and $bvc(A_{pt})$, respectively, are defined as follows:

- $fvc(\varphi \hookrightarrow A_{pt}) = clock(\varphi) \cup fvc(A_{pt})$: edge guards contain free clock variables.

- $fvc(\varphi \,.\, A_{pt}) = clock(\varphi) \cup fvc(A_{pt})$: invariants contain free clock variables.

- $bvc(\|CR\|\,A_{pt}) = bvc(A_{pt}) \cup CR$: clocks to be reset are bound clock variables.

- $fvc(A_{1pt}\ [\,]\ A_{2pt}) = fvc(A_{1pt}) \cup fvc(A_{2pt})$; $bvc(A_{1pt}\ [\,]\ A_{2pt}) = bvc(A_{1pt}) \cup bvc(A_{2pt})$.

- $fvc(A_{1pt} \mid A_{2pt}) = fvc(A_{1pt}) \cup fvc(A_{2pt})$; $bvc(A_{1pt} \mid A_{2pt}) = bvc(A_{1pt}) \cup bvc(A_{2pt})$.

- $fvc(A_{1pt}\ p\ A_{2pt}) = fvc(A_{1pt}) \cup fvc(A_{2pt})$; $bvc(A_{1pt}\ p\ A_{2pt}) = bvc(A_{1pt}) \cup bvc(A_{2pt})$.

The free and bound clock variables of choices and parallel composition are the union of the free and bound clock variables of each process. The reason that the set of clock variables is divided into bound and free parts is to avoid conflicts of clock valuations. For instance, consider the process $x_c \le 8 \,.\, (\|x_c\|\,A_{pt})$, in which the clock $x_c$ is reset, and this reset affects the invariant $x_c \le 8$.

Further, in the parallel composition $(\|x_c\|\,A_{pt}) \mid (x_c \le 8 \,.\, A'_{pt})$ the clock variable $x_c$ is shared by the two processes, so the reset of $x_c$ affects the behavior of process $(x_c \le 8) \,.\, A'_{pt}$. This is undesirable, since the operational semantics of a process would then also depend on the behavior of the environment (which is hard to control).

Hence, I define the notion of processes with non-conflicting clock variables, using the following inductive definition and the predicate $ncv$:

——————————————————————————————————————————

1. $ncv(A)$;  2. $ncv(X_{pt})$;  3. $ncv(\alpha_{\pi}\,A_{pt})$ iff $ncv(A_{pt})$;  4. $ncv(\|CR\|\,A_{pt})$ iff $ncv(A_{pt})$;

5. $ncv(\varphi \hookrightarrow A_{pt})$;  6. $ncv(\varphi \,.\, A_{pt})$: in both cases, iff $ncv(A_{pt}) \wedge (clock(\varphi) \cap \kappa(A_{pt}) = \emptyset)$.

——————————————————————————————————————————

Rule 1 holds because an extended process $A$ does not include any clock variable. Rule 2 says that the recursive invocation of plain processes is non-conflicting because a plain process does not contain clock variables. Rule 3 comes from the fact that the action $\alpha$ is free of clock variables. Rule 4 says that if clock resets are placed outside (outermost of) all invariant and guard constructs, then they do not cause a conflict. Rules 5 and 6 say that if guard and invariant constructs are placed outside, then their clock variables cannot be reset within $A_{pt}$, which avoids a conflict.

For the full list of $ncv$ rules, please see my report [Th12, 2013].

In the following, for each crypt_probtime process I add rules that associate the process with the invariant and resetting functions $\partial$ and $\kappa$, respectively. Note that I only give the two most important rules in this dissertation; the full list can be found in [Th12, 2013].

——————————————————————————————————————————

$r_k$. $\kappa(\|CR\|\,A_{pt}) = CR \cup \kappa(A_{pt})$;   $r_i$. $\partial(\varphi \,.\, A_{pt}) = \partial(A_{pt}) \wedge \varphi$.

——————————————————————————————————————————

Rule $r_k$ says that the set of clocks to be reset in $\kappa(\|CR\|\,A_{pt})$ is $CR$ together with the clock resets that occur in $A_{pt}$; and rule $r_i$ says that the invariant of process $\varphi \,.\, A_{pt}$ is the intersection (conjunction) of $\varphi$ and the invariant predicate of $A_{pt}$.
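As an added example (not code from the dissertation), the following Python encodes the timed constructs of crypt_probtime as terms and implements Definition 12 ($fvc$/$bvc$), the $ncv$ rules, and the rules $r_k$ and $r_i$, checking them on the conflicting terms discussed above. The atom-shaped constraints, the pass-through cases for constructs the page does not list, and the $ncv$ rule for compositions are my assumptions.

```python
from typing import FrozenSet, NamedTuple, Tuple, Union
# Added example (not the dissertation's code): the timed constructs of crypt_probtime
# as terms, with fvc/bvc (Definition 12), kappa (rule rk), the invariant (rule ri) and
# the non-conflict predicate ncv. Assumed: a constraint phi is one atom (clock, op,
# bound) so clock(phi) is its clock; plain processes and action prefixes carry no clocks.
Phi = Tuple[str, str, int]                                    # e.g. ("x_c", "<=", 8)

class Plain(NamedTuple): name: str                            # extended process A
class Guard(NamedTuple): phi: Phi; body: "Proc"               # phi ↪ A   (edge guard)
class Inv(NamedTuple): phi: Phi; body: "Proc"                 # phi . A   (invariant)
class Reset(NamedTuple): cr: FrozenSet[str]; body: "Proc"     # ||CR|| A  (clock reset)
class Comp(NamedTuple): op: str; left: "Proc"; right: "Proc"  # "[]", "|" or "p"
Proc = Union[Plain, Guard, Inv, Reset, Comp]

def fvc(p: Proc) -> FrozenSet[str]:           # free clocks: those read by guards/invariants
    if isinstance(p, (Guard, Inv)): return frozenset({p.phi[0]}) | fvc(p.body)
    if isinstance(p, Reset): return fvc(p.body)
    if isinstance(p, Comp): return fvc(p.left) | fvc(p.right)
    return frozenset()

def bvc(p: Proc) -> FrozenSet[str]:           # bound clocks: those reset by ||CR||
    if isinstance(p, Reset): return bvc(p.body) | p.cr
    if isinstance(p, (Guard, Inv)): return bvc(p.body)
    if isinstance(p, Comp): return bvc(p.left) | bvc(p.right)
    return frozenset()

def kappa(p: Proc) -> FrozenSet[str]:         # rule rk: kappa(||CR|| A) = CR ∪ kappa(A);
    return bvc(p)                             # with pass-through (assumed) this equals bvc

def invariant(p: Proc) -> FrozenSet[Phi]:     # rule ri: conjunction kept as a set of atoms
    if isinstance(p, Inv): return invariant(p.body) | {p.phi}
    if isinstance(p, (Guard, Reset)): return invariant(p.body)
    if isinstance(p, Comp): return invariant(p.left) | invariant(p.right)  # assumed
    return frozenset()

def ncv(p: Proc) -> bool:                     # rules 1-6; the composition case is assumed
    if isinstance(p, (Guard, Inv)):           # rules 5-6: guarded clock not reset inside
        return ncv(p.body) and p.phi[0] not in kappa(p.body)
    if isinstance(p, Reset): return ncv(p.body)                  # rule 4
    if isinstance(p, Comp):                   # assumed: "|" must not reset a clock the
        shared = (bvc(p.left) & fvc(p.right)) | (bvc(p.right) & fvc(p.left))  # other reads
        return ncv(p.left) and ncv(p.right) and (p.op != "|" or not shared)
    return True                                                  # rules 1-2

# Constructed terms from the text: x_c <= 8 . (||x_c|| A_pt), the parallel composition
# (||x_c|| A_pt) | (x_c <= 8 . A'_pt), and the reset placed outermost as rule 4 requires.
PHI = ("x_c", "<=", 8)
CONFLICT = Inv(PHI, Reset(frozenset({"x_c"}), Plain("A_pt")))
SHARED = Comp("|", Reset(frozenset({"x_c"}), Plain("A_pt")), Inv(PHI, Plain("A'_pt")))
OUTERMOST = Reset(frozenset({"x_c"}), Inv(PHI, Plain("A_pt")))
```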