A Spatial Logic for the Hybrid p-Calculus

In last year’s HSCC conference, we introduced the Φ-calculus [8], an extension of Milner’s powerful π-calculus, so that concurrent and reconfigurable programs could interact with a (concurrent) continuous environment in the sense in which ordinary hybrid automata do so. In that paper, though, we were concerned only with the operational (hybrid) semantics of such systems, and not with any mechanism for reasoning about them. The present paper addresses this issue. One of the difficulties involved here is that not too many logics have been proposed for reasoning about properties of π-calculus programs themselves. The difficulty has to do with the subtleties of name-passing, and even more, the subtleties of fresh name generation. These mechanisms are crucial in the π-calculus for expressing mobility (more properly, reconfigurability), and protection, which is the ability to create modular subsystems not subject to outside interference. A recent paper by Caires and Cardelli [2] introduces their spatial logic for concurrency, a general logic intended not just as an assertion language for the π-calculus, but for possibly other processalgebraic models which deal with reconfigurability and with protection. Their logic has several attractive features. It has a propositional connective |, so that the formula φ | ψ is satisfied only by a parallel composition of systems P | Q in which P satisfies φ and Q satisfies ψ. (This is the source of the word “spatial”; the connective | refers to a structural property of systems satisfying it.) This connective has a so-called adjoint φB ψ, which provides the crucial property of assume-guarantee reasoning [5]. A system P satisfies φB ψ if for any system Q, if Q satisfies φ (assume), then P | Q satisfies ψ (guarantee). The Caires-Cardelli logic also features a “fresh name” quantifier Nx, read “for some/all fresh names x,” which allows for reasoning both about reconfigurability and protection. This quantifier appears in a paper by Gabbay and Pitts [3], who work with Fraenkel-Mostowski techniques, a novel and important set-theoretic approach to the problems arising from changing bound variable names in programs which abstract over these variables. The big advantage to using these techniques is that formal verification by machine is much simpler than in other approaches. Since we are ultimately aiming for at least partial progress in machine verification of hybrid systems, this property seems like a good one to keep. The issues involved in extending the C&C logic to the hybrid π-calculus include (i) finding one or more connectives for dealing with continuous flows over time; (ii) dealing with the passing of continuous names and creation of fresh continuous names; (iii) reformulating the hybrid structural operational semantics within FM set theory (with which the axiom of choice is inconsistent), and (iv) giving a concise Tarski-style semantics for the new logic. The C&C presentation takes many pages, and uses many auxiliary definitions, owing perhaps to their not wanting to use FM set theory itself, but a more traditional presentation. We are able to overcome these problems by reformulating the syntax and semantics of C&C logic directly in FM set theory. We get around issue (iii) because of the way the hybrid π-calculus treats the continuous environment – as a separate component of what we termed an embedded system in [8]. Our connective for continuous flows refers only to the continuous part of the system, with the result that any properties of the continuous system itself that we may need (stability, attractors, etc.), which follow from standard theorems on dynamical systems, can still be assumed to hold even in the new set theory. The C&C logic, and our extension of it, is really a modal logic. Standard interpretations of modal calculi use the idea of Kripke structures; C&C’s logic uses a space of “Psets” as a kind of