A Framework for Performance Evaluation and Functional Verification in Stochastic Process Algebras

Hossein Hojjat MohammadReza Marjan Sirjani ∗ IPM and University of Tehran, Mousavi IPM and University of Tehran, Tehran, Iran TU/Eindhoven, Eindhoven, Tehran, Iran The Netherlands, and Reykjav´ık University, Reykjav´ık, Iceland

ABSTRACT To make our goals concrete, we would like to translate Despite its relatively short history, a wealth of formalisms a number of SPAs which have similar semantic frameworks exist for algebraic specification of stochastic systems. The (e.g., PEPA [14], MTIPP [13], EMPA [4] and IMC [11]) goal of this paper is to give such formalisms a unifying frame- to a common form in the mCRL2 process algebra (which work for performance evaluation and functional verification. is a classic process algebra [2] enhanced with abstract data To this end, we propose an approach enabling a provably types). Our next milestone is to generate state space using sound transformation from some existing stochastic process the mCRL2 tool-set. Finally, we wish to be able to perform algebras, e.g., PEPA and MTIPP, to a generic form in the various functional- as well as performance-related analyses mCRL2 language. This way, we resolve the semantic dif- on the generated state space using available tools, as well as ferences among different stochastic process algebras them- tools that we develop for this purpose. selves, on one hand, and between stochastic process algebras For the ease of presentation, we shall focus on one of these and classic ones, such as mCRL2, on the other hand. From process algebras, namely PEPA (due to its popularity), in the generic form, one can generate a state space and perform the remainder of this paper and only touch upon the aspects various functional and performance-related analyses, as we in which our approach has to be adapted to fit the other pro- illustrate in this paper. cess algebras listed above. Our prototype implementation currently supports specifications in PEPA and MTIPP and we are currently extending it to support EMPA and IMC. 1 1. INTRODUCTION Related Work. A proposal for unifying performance Compositionality is a very much sought feature in the and functional analysis is put forward in [9] which is closest analysis of systems which is inherent to process algebras to ours. There, the authors use the process algebra LOTOS [2, 15, 16]. Stochastic process algebras (SPAs) [4, 6, 11, 14] together with stochastic gates (basic actions); the LOTOS bring about this useful feature to the field of performance specification is then translated, using CADP toolset, into evaluation. Several SPAs appeared as a result of different de- IMC and various existing as well as newly developed anal- sign decisions in merging stochastic aspects of processes with ysis techniques are introduced on the generated IMC spec- their behavioral aspects: some decided to follow the tradi- ification. Our work can benefit from the latter techniques tion in many timed process algebras and keep the semantics after generating the LTS semantics of stochastic decision of stochastic rates orthogonal to the behavioral semantics processes. As for the former translation (from LOTOS to while others decided to merge the two into a single semantic IMC), our work can be considered complementary to that of model, i.e., a single transition (multi-)relation. Communi- [9]. In [12], in order to combine functional and performance cation and synchronization are central to the semantics of analysis, a new operator, called elapse, is added to the LO- process algebras and defining the semantics of synchroniza- TOS process algebra. We decided to use the syntax of exist- tion for SPAs is yet another point of dispute among them. ing stochastic process algebras rather than adding syntactic Furthermore, different SPAs interpret nondeterminism dif- sugar to mCRL2 for modeling stochastic processes. ferently. Our approach relies essentially on using the equational theory of SPAs in order to resolve their semantic differences ∗The work of M.R. Mousavi has been partially supported by with mCRL2. Sound and complete equational theories are the projects “Unifying Framework for Operational Seman- already developed for MTIPP [13], EMPA [4] and IMC [11]. tics” (nr. 070030041). We are not aware of an existing complete axiomatization for PEPA; in [14], however, a number of sound axioms of PEPA are introduced. All existing axiomatizations of SPAs make use of an axiom scheme called Expansion Theorem which Permission to make digital or hard copies of all or part of this work for stands for an infinite number of axioms (one for each number personal or classroom use is granted without fee provided that copies are of summands as arguments of parallel composition). How- not made or distributed for profit or commercial advantage and that copies ever, we exploit the well-known technique of using auxiliary bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific operators [3] to give PEPA a finite (sound and complete) permission and/or a fee. 1The implementation is available from SAC’08 March 16-20, 2008, Fortaleza, Ceara,´ Brazil ∼ Copyright 2008 ACM 978-1-59593-753-7/08/0003 ...$5.00. http://www.win.tue.nl/ mousavi/spa/.

1 axiomatization. In [4, Section 3], the authors define an in- SOS-style deduction rules. terleaving semantics for EMPA. The method used in [4] for (α,r) defining the interleaving semantics of EMPA resembles our x → y (pre) (c0) 0 0 approach to resolving the semantics of synchronization and (α,r) (α,r) choice in our implementation. (α, r).x → x x0 + x1 → y0 (α,r) (α,r) The rest of this paper is organized as follows. Sections x → y x → y (c1) 1 1 (par0) 0 0 α∈ / L 2 and 3 give, respectively, an overview of our source and (α,r) (α,r) x0 + x1 → y1 x0 £¡ x1 → y0 £¡ x1 target domains, i.e., stochastic process algebras (with a fo- L L (α,r) cus on PEPA) and mCRL2. Section 4 presents our general x1 → y1 (par1) α∈ / L approach and gives a detailed account of its application to (α,r) x0 £¡ x1 → x0 £¡ y1 PEPA by means of a few examples. Section 5 applies our L L (α,r0) (α,r1) method to a case-study and provides a practical view to the x0 → y0 x1 → y1 (par2) α ∈ L application of our approach. Section 6 concludes the paper (α,R) x £¡ x → y £¡ y 0 L 1 0 L 1 and presents directions for ongoing and future research. r0 r1 where R = min(rα(x0), rα(x1)) rα(x0) rα(x1)

(α,r) (α,r) x → y x → y (hid0) α∈ / L (hid1) α ∈ L (α,r) (τ,r) x/L → y x/L → y (α,r) t → y 2. STOCHASTIC PROCESS ALGEBRAS (rec) A := t (α,r) A → y Most deduction rules are standard, i.e., the same as their PA 2.1 PEPA counterparts. The most notable exception is deduction rule (par2) which defines synchronization. In this rule, the rate r0 r1 of the synchronizing action is min(rα(x0), rα(x1)), rα(x0) rα(x1) 2.1.1 Syntax and Semantics where rα(xi), for each i ∈ {0, 1} is the sum of the rates of all enabled α-transitions at the parallel component xi formally The syntax of PEPA processes is given below. defined below [14].

rα(0) = 0 p ::= 0 | (α, r).p | p + p | p £¡ p | p/L | A rα((α, r).x) = r L rα((β, r).x) = 0 rα(x + y) = rα(x) + rα(y) rα(x £¡ y) = rα(x) + rα(y) if α∈ / L In the above syntax, 0 stands for the deadlocking process. L 2 rα(x £¡ y) = min(rα(x), rα(y)) if α ∈ L (α, r).p stands for an action of type α ∈ A whose dura- L tion is determined by an exponentially distributed random rα(x/L) = rα(x) if α∈ / L >0 r (x/L) = 0 if α ∈ L variable with rate r ∈ R followed by process p. There α are weighted passive actions in PEPA which have rates in {n> | n ∈ IN \{0}} (1> is denoted by >). It is assumed 2.1.2 Axiomatization >0 that r < n> for each r ∈ R and n ∈ IN \{0}. Passive ac- Equational theories are powerful tools in process algebraic tions are important in practical applications: they represent formalisms which allow for sound transformations of pro- actions whose rates are unknown or determined by their syn- cesses (w.r.t. a particular notion of equality) without re- chronizing partner. Although we fully treat weighted pas- sorting to their semantics and generating their state space. sive actions in our tool implementation, we do not clutter Given a notion of behavior equality, a set of equations is the presentation in this section by treating them formally. called an axiomatization of a model, or is sound and com- They can be incorporated smoothly without any substantial plete, when one can prove all sound (and only sound) equali- change in the theory. Nondeterministic choice is represented ties from them. We present an axiomatization of the recursion- by + and stands for its general process-algebraic intuition. free subset of PEPA w.r.t. Markovian bisimulation [14, 11] Parallel composition with mandatory (CSP-style) synchro- in this section. To our knowledge, this is the first finite ax- nization among actions in L ⊆ A is denoted by p £¡ p. Ex- L iomatization of PEPA (most of the ingredients were already pression p/L hides actions in L ⊆ A, i.e., renames them present in [14], though).3 Similar axiomatizations exist for to the unobservable action τ ∈ A. A denotes a recursive other SPAs; apart from semantic difference reflected by the variable defined by an equation A := t. axioms, the main subtle difference between our axiomatiza- The semantics of PEPA processes is given by the following tion and those given before is that previous axiomatizations of SPAs [13, 4, 11] were infinite (i.e., used an expansion the- orem) but our axiomatization has the advantage of being finite, thanks to the use of auxiliary left-merge and commu- nication merge operators. We later use this axiomatization 2In the original syntax of PEPA, 0 is not included but 0 can be expressed using the enforced synchronization, e.g, 3 0 0 Our axiomatization is also complete for the linear subset (α, r).P £¡ (β, r ).P , for each α 6= β, is a deadlocking pro- α,β of PEPA (with a proof similar to that of the original one for cess. We included it as a syntactic construct to facilitate CCS [17] and later adapted for SPAs [11]) but we used the axiomatization. recursion-free subset to simplify our proofs.

2 to resolve the semantics of synchronization and choice and The following lemma states that our definition of rate (as transform PEPA processes to our common stochastic form. well as the old definition in [14] given before) are in keeping First we give the finite axiomatization for sequential non- with our axiomatization of PEPA. deterministic PEPA processes, i.e., processes comprising pre-

fixing and choice. lemma 1 If E ` p = q, then rα(p) = rα(q) for each pro- cesses p and q and each basic action α. x + y = y + x (x + y) + z = x + (y + z) Moreover, we prove that our axiomatization is indeed sound (α, r).x + (α, r).x = (α, 2r).x and complete. x + 0 = x theorem 2 Let E be the union of the three sets of equations Next, we axiomatize the hiding operator and recursion, us- given above. E is a finite axiomatization for PEPA. ing the following four axioms. Proof Sketch. Soundness proof is straightforward yet labo- (α, r).x/L = (τ, r).(x/L)(α ∈ L) rious and proceeds by giving, for each axiom, a bisimulation (α, r).x/L = (α, r).(x/L)(α∈ / L) relation, relating left- and right-hand-side of all instances of (x + y)/L = (x/L) + (y/L) equations. A = t (A := t) For the completeness proof, we first focus on the nonde- Following the tradition in other process algebras, we feel terministic sequential subset of PEPA. Then, for processes the need to add two auxiliary operators, £ and  , called containing hiding and parallel composition, we show that L L left-merge and communication-merge, respectively, in order using axioms as rewrite rules, one can eliminate these op- to finitely axiomatize parallel composition in PEPA. The erators. Thus, for each two PEPA processes p and q such 0 0 semantics of these two operators are defined below. that p ↔ q, there exists PEPA processes p and q such that E ` p = p0, E ` q = q0 and p0 and q0 are nondeterministic (α,r) (α,r ) (α,r ) x → y x →0 y x →1 y sequential processes, i.e., do not contain hiding and parallel 0 0 α∈ / L 0 0 1 1 α ∈ L, (α,r) (α,R) composition. Once we prove completeness for the nondeter- x0 £ x1 → y0 £¡ x1 x0  x1 → y0 £¡ y1 L L L L ministic sequential subset, it follows (from soundness) that p ↔ p0 ↔ q0 ↔ q and (from the completeness of the subset) where R is defined in the semantics of parallel composition. 0 0 0 0 Intuitively, the left-merge £ behaves the same as parallel that E ` p = q . Further, from E ` p = p and E ` q = q, L composition £¡ but it forces the first transition to be of we conclude that E ` p = q which was to be proven. l type α∈ / L and to be taken from its left-hand-side argument For the completeness proof of the nondeterministic se- (or otherwise deadlocks). Communication merge  forces quential subset, we show that each process p in this sub- L the first action to be of type α ∈ L and to be the result Pset is provably equal (using E) to a process of the form of a synchronization in which both the left- and the right- i∈I (ai, ri).pi in which for all i, j ∈ I if i 6= j then ai 6= aj hand-side parameters take part. After performing such an or it does not hold that pi ↔ pj . This holds by a simple action, communication merge continues as a parallel com- induction on the structure of p. Then, for each two processes pPand q such that p ↔ q, position. We believe, following the well-known results for 0 0 Pthere exists two processes p ≡ i∈I (ai, ri).pi and q ≡ untimed [18] and timed [1] PAs, that PEPA (without the 0 0 above-mentioned auxiliary operators) is not finitely axiom- j∈J (aj , rj ).qj such that E ` p = p and E ` q = q and atizable. The following equations complete the axiomatiza- thus, by soundness, p ↔ p0 ↔ q0 ↔ q. It follows from the tion of PEPA by axiomatizing parallel composition. semantics of nondeterministic choice that for each process p0 P (a,r) of the form (a , r ).p , if p → p0, then a = a , r = r x £¡ y = x  y + x £ y + y £ x i∈I i i i j j L L L L and p0 ≡ p for some j ∈ I. We have that p0 ↔ q0 and x £¡ (y £¡ z) = (x £¡ y) £¡ z j L L L L 0 0 furthermore for each i, i ∈ I (and j, j ∈ J), if ai = ai0 , then (α, r0).x  (α, r1).y = (α, R).(x £¡ y)(α ∈ L) L L 0 0  it does not hold that pi ↔ pi (qj ↔ qj ); hence {(ai, ri).pi | (α, r).x y = 0 (α∈ / L) 0 0 L i ∈ I} = {(aj , rj ).qj | j ∈ J} and thus, E ` p = q . It x  y = y  x 0 0 L L follows thus from E ` p = p and E ` q = q that E ` p = q. x  (y  z) = (x  y)  z L L L L  (α, r).x £ y = (α, r).(x £¡ y)(α∈ / L) L L As already mentioned in the proof sketch, using the equa- (α, r).x £ y = 0 (α ∈ L) L tions in E as rewrite rules (from left to right), we can rewriteP (x + y) £ z = (x £ z) + (y £ z) L L L PEPA processes into a head normal form of the form 0  x = 0 i∈I L (ai, ri).Pi in which for all i, j ∈ I if i 6= j then ai 6= aj or x £ 0 = x L Pi ≡/Pj where ≡/ denotes syntactic inequality. This will 0 £ x = 0 L form the basis of our common stochastic form presented in where, R is defined in the semantics of parallel composition Section 4.2. and rα(x) (in the definition of R) for the newly introduced 2.2 MTIPP left-merge and communication merge is given by the follow- ing equations. Similar to PEPA, Markovian Processes for Timed Interac- tion (MTIPP) basic actions are represented with (a, λ). The r (x £ y) = r (x) if α∈ / L α L a main difference between MTIPP and PEPA is in the seman- r (x £ y) = 0 if α ∈ L tics of synchronization; namely, in MTIPP the rate of the α L r (x  y) = 0 if α∈ / L result of synchronization (which is, as well, in the CSP-style) α L r (x  y) = min(r (x), r (y)) if α ∈ L is the product of the rates. Our approach is applicable, and α L α α

3 currently implemented, to MTIPP with a marginal change which models stochastic processes as classic processes is ei- concerning the semantics of synchronization. ther bound for failure or has to resort to restrictions on / manual manipulations of the stochastic process as we illus- 2.3 IMC trate later. IMC is a conservative extension of classical process alge- The summarized syntax of mCRL2 processes is given be- bras which separates action transitions from rate transitions. low. Consequently, IMC simplifies the semantics of synchroniza- tion by allowing only for plain actions to synchronize (rate p ::= a(d1, . . . , dn) | τ | δ | p+p | pP·p | p k p | τI (p) | transitions interleave). Another major semantic difference ∂H (p) | ∇V (p) | ΓC (p) | p | c → p  p between IMC and other SPAs is that in IMC actions are d:D nondeterministic just like in classical process algebras and A basic action a of a process may have a number of argu- the internal action is considered instantaneous and thus is ments d1, . . . , dn. These arguments correspond to the data given priority when composed nondeterministically with a elements. Action τ (which does not take any parameter) stochastic rate (i.e., the stochastic rate will never get the denotes an internal action. Process δ denotes the deadlock chance to spend time since the internal action will be taken process in which no further transition is possible. Non- immediately). Both these semantic differences can be taken deterministic choice between two processes is denoted by care of by using our common form for SPAs and rewriting the “+” operator. Processes can be composed sequentially IMC into this form using its axioms as rewrite rules. and in parallel by means of “·” and “k”. The abstraction operator τI (p) renames actions in I into τ and thus makes 2.4 EMPA them invisible. To enforce synchronization, the encapsula- Extended Markovian Process Algebra (EMPA) [4] differs tion operator ∂H (p) specifies the set of actions H which are from PEPA in the following points. not allowed to occur. Conversely, the allow operator ∇V (p) indicates the actions that are only allowed to occur. To show 1. EMPA has prioritized weighted immediate actions, de- possible communications in a system and the resulting ac- noted by (a, ∞l,w) and passive actions, denoted by tions, communication operator ΓC (p) is used. The elements (a, ∗). of set C are of the form a1 | a2 | · · · | an → c (for n ≥ 0), which intuitively means that action c is the result of the 2. The semantics of synchronization in EMPA is different. multi-party synchronization of actions a1, a2, ..., and an. EMPA only allows for synchronization when at most There are a number of built-in data types in mCRL2, such one party is active and then the rate of a synchroniza- as (unbounded) integers, (uncountable) reals, lists, sets and tion is defined as the maximum of the normalized rates functions which are quite useful for our implementation. of synchronizing actions. The mCRL2 tool-set contains tools for state space gener- 3. EMPA has a class of relabeling operators, denoted by ation, reduction, analysis and visualization. Furthermore, it P [φ], which is parameterized by a relabeling function can be smoothly integrated with the CADP tool-set [8]. For φ : A → A. our case-study, we used the state space generation and visu- alization facilities of mCRL2. For performance analysis, we For our approach to be applicable to EMPA, we need to integrated mCRL2 with Matlab and for functional analysis, resolve the different types of choice as defined by priorities. we used CADP. (CADP provides some tools for state space Moreover, we have to adapt our semantics of synchroniza- reduction and steady-state and transient-state analysis of tion to fit that of EMPA. Based on the axiom systems and stochastic systems, as well.) the recipe given in [4, Section 3], we expect no theoretical challenges in this regard. There, the authors define a proce- 4. UNIFYING FRAMEWORK dure which resolves the semantics of choice and parallelism and defines a multiset of pairs of actions and process: the 4.1 General Approach action to be performed and the trailing process (which is ba- Our goal is to transform stochastic processes into a com- sically the same as our common stochastic form for PEPA). mon form which can in turn be used for state space genera- There is a well-known problem concerning the congruence tion and verification as well as performance evaluation. The of Markovian bisimulation for EMPA which can be solved main obstacles in achieving this goal are listed below. by restricting its syntax or focusing on a semantic subset. 1. Classic PAs use transition relations, i.e., for each label l and each two states s and s0, there is at most one 3. MCRL2 transition labeled l from s to s0. However, some SPAs mCRL2 is a successor of µCRL, and extends it by includ- [4, 11] allow for multiple transitions from s to s0 labeled ing features such as true concurrency (in terms of multi- with l. actions), real time, higher-order functions and concrete data Moreover, different SPAs use different semantic frame- types. The specification formalism µCRL, in turn, extends works. Some use labels combining actions and rates the Algebra of Communicating Processes (ACP) [2] with [14, 4], others separate action-labeled transitions from abstract data types. We refer to [10] for a more elaborate rate- (probability-)labeled transitions [11]. description of mCRL2 features. The choice of mCRL2 as our target framework is motivated by the presence of ab- 2. The semantics of synchronization in classic PAs is to- stract data types as a first-class entity in mCRL2. As we tally different from their SPA counterparts. When tak- show in the next section, to our understanding, the only ing the relevant notions of behavioral equality into ac- general and plausible solution for the unifying framework is count, even nondeterministic choice gets a different in- to model stochastic processes as data types; the approach terpretation in SPAs as opposed to PAs. For example,

4 mCRL2 ADT State Space Analysis Tools SPAs this approach is to write an mCRL2 process context CPEPA[ ]

PEPA Process PEPA PEPA Axioms LTS CADP such that for each PEPA process p, when CPEPA[p] is fed Function Defs. into the mCRL2 tool-set generates the state space as of p ac-

Common cording to the PEPA semantics is generated. This way, by MTIPP Stochastic MTIPP Process Function Defs. Markov Chain MATLAB Form writing different process contexts CTIPP [ ], CIMC [ ], etc., TIPP Axioms one can perform functional and performance verification on different SPA processes using the state space generated by Stoch. LTS Vis. Toolkit the mCRL2 tool-set. However, this approach is also bound for failure since in many process algebras, such as PEPA and TIPP, C[(α, r).0 £¡ (α, r).0] has a totally different state space from C[(α, r).0 {α} £¡ ((α, r).0+(α, r).0)], i.e., C can distinguish between two Figure 1: A Schematic View of Our Approach {α} strongly bisimilar processes. Thus, C is not implementable in mCRL2 (and in general in classic PAs). in PAs for all relevant notions of behavioral equality we have p+p = p, while in SPAs this equality is usually 4.2 Common Stochastic Form (CSF) unsound. In this section, we define the Common Stochastic Form (CSF) which can accommodate semantics of different SPAs Furthermore, different SPAs use different semantics despite their very different semantics. A term in the CSF for synchronization; some only allow for hand-shaking P is of the form P = i∈I (ai, ri).Pi where ai ∈ {α, τ, Nil | synchronization among action-based transitions (thus, >0 rates play no role in synchronization), others define α ∈ A} and ri ∈ R ∪ B, where B = {n> | n ∈ IN}. synchronization only between active and passive pro- Furthermore, it should satisfy the following constraints.

cesses and thus the rate of the outcome is determined 1. For each i, j ∈ I with i 6= j, it should hold that ai 6= aj by the rate of the active party, the third class allow or Pi ≡/Pj . for synchronization among (several) active processes. Even within the third category, there is no consensus 2. If for some i ∈ I, ai = τ, then for no j ∈ J, aj = Nil. as for the rate of the synchronized action; some define 3. If for some i ∈ I, ai = Nil, then for all j ∈ I such that it as the product of the rates, others use more compli- aj ∈ A ∪ {τ}, rj ∈ B. cated calculations essentially taking the minimum of the rates [5]. Apart from α and τ which represent basic and internal ac- tion types, respectively, Nil represents the empty action To deal with these challenges, we define SPAs as Ab- type which is used to model rate transitions, such as those stract Data Types in mCRL2. Then, we use sound axioms in IMC. If the rate is set to >, then the action is pas- in each SPA to resolve parallel composition (and nondeter- sive/instantaneous. Weighted passive actions with rates n> ministic choice to the extent needed). Thus, we implement are used to give different probabilities to the choices among the axioms of concurrency in each SPA as rewrite theories different instantaneous actions. which turn parallel processes into nondeterministic sequen- The first constraint given above forces the rewriting step tial ones. Furthermore, we resolve nondeterminism among to aggregate all rates among identical processes. In partic- identical processes by summing up the rates of correspond- ular, it disallows terms of the form (a, r).P + (a, r).P which ing identical actions. Finally, for each SPA, we write a sim- is deemed equal to (a, r).P by mCRL2 (and all other classic ple interpreter in mCRL2 that takes the SPA process and a process algebras for that matter) while they are interpreted linear mCRL2 process (i.e., nondeterministic choice among as (a, 2r).P by stochastic process algebras. The second con- different sequential processes). This last step enables us to straint disallows implicit race condition among internal ac- generate a state space from the SPA process automatically. tions and stochastic transitions and it forces this race to be Further, we can use several existing tools as well as the tools resolved in the rewriting step. Finally, the third constraint presented in this paper, to analyze the generated state space. prevents the strange mixture of pure action and rate tran- A schematic view of our approach is given in Figure 1. sitions, on one hand, and pairs of action and rates, on the An alternative approach to ours would be to translate other hand. PEPA processes into mCRL2 processes. This approach is taken in [9] for the process algebra LOTOS (as the target of 4.3 Application to PEPA the translation). Due to the semantic differences mentioned Using ANTLR compiler generator, we wrote a parsers for above, a structural and semantic preserving transformation PEPA which automatically generates an mCRL2 specifica- from SPAs to PAs is very challenging, if not impossible. For tion in which PEPA processes (including their recursive def- the very reason, in [9], the authors had to restrict the syntax initions) are defined as Abstract Data Types. Furthermore, of their source stochastic specifications in order to prevent axiomatization of PEPA is included in the generated code as multi-transitions. Furthermore in [9], the synchronization a set of rewrite rules (defined in terms of a function named of rates is not considered which is inherited from the IMC hnfrewrite). This function calculates the rates of synchroniz- setting. The same comment holds for implementing PEPA ing actions and eliminates multi-transitions with the same processes as real-time mCRL2 processes. labels to equivalent processes. Moreover, an mCRL2 pro- Another possible approach, which we tried, is to define a cess is defined which given a finite PEPA process (with only PA process (for each SPA) which can interact with stochas- guarded recursion) in as its arguments, generates its state tic processes and interpret their behavior (according to the space. Thus, using mCRL2 tool-set one can generate the semantics of SPA). Consider PEPA, for example; the goal of state space of the PEPA model.

5 task(2) 5 7

) ) 8 u 8 ( se ( te ( te a 2 a d ) d p p u u task(2) 2 6 task(3)

(3) u u s s e e ( (2 task 2 ) ) task(3) 0 3 sort task(2) task(3) ) ) 8 u 8 Action = struct p_tau | p_update | p_task | p_use; ( s ( te e te a (2 a d ) d p p u u RecursiveVars = struct p_Resource | 4 1 p_Process1 | p_Process2 | p_start; task(2) DelayAction = struct delayaction( p_act : Action, p_rate : Rate); Rate = struct num( r:Nat) | Figure 2: State space of a simple PEPA process infty( w:Nat) | infinity; PepaProcess = struct p_nil?is_nil | For example, consider the following simple PEPA process p_recvar( rv:RecursiveVars)?is_recvar | (an extended version of the example in [14, Section 3.5.7]). p_prefix( d:DelayAction, p:PepaProcess)?is_prefix |

P rocess1 = (use, 2).(task, 2).P rocess1; ... P rocess2 = (use, 2).(task, 3).P rocess2; map Resource = (use, 6).(update, 8).Resource; definition : RecursiveVars -> PepaProcess; £¡ eqn Start = (P rocess1 £¡ P rocess2) Resource; {use} definition( p_Process1) = Process Start (which is by default assumed to be the start- p_prefix( delayaction(p_use,num(2)), ing recursive definition in our implementation) models two p_prefix( delayaction(p_task,num(2)), processes, called P rocess1 and P rocess2 which compete with p_recvar( p_Process1))); each other to get hold of the only available resource by syn- ... chronizing on action type use. The only difference among map the two processes is that P rocess1 is somewhat faster and apparentrate : PepaProcess # Action -> Rate; after obtaining the resource usually waits for a shorter pe- riod before it requests the resource again. A summary of the eqn mCRL2 code generated for this process is given in Figure 3. apparentrate( p_prefix( a, p), b) = In this code, the PEPA processes are defined using the sort if( p_act(a) == b, p_rate(a), num(0)); PepaProcess. Using the map definition, each recursive ... variable of the original program is mapped to a PEPA Pro- sort cess. The aim of the map hnfrew is to rewrite each PEPA Summand = struct summand( p_delayaction : DelayAction, process into its head normal form (hnf). The mCRL2 pro- p_process : PepaProcess); cess Exec, executes an hnf (i.e., a PEPA process rewritten map into its head normal form) by producing the actions of the hnfrew : PepaProcess -> Hnf; form mcrl act parameterized by the corresponding PEPA eqn action type and rate, which are visible in the output state hnfrew( p_nil) = []; space. In the initial process, Exec is called by the hnf of the hnfrew( p_prefix( a, p)) = [summand( a, p)]; p start process. hnfrew( p_choice( p, p_nil)) = hnfrew(p); We implemented a simple program in Matlab which takes hnfrew( p_choice( p1, p2)) = the generated state space, produces its rate matrix (by tak- p_union( hnfrew( p1), hnfrew( p2)); ing the underlying Markov Chain) and calculates steady- ... state probabilities of states based from the generated ma- act trix. mcrl_act : Action # Rate; The mCRL2 tool-set generated the state space depicted proc in Figure 2 for this code. Furthermore, we analyzed the Exec( hnf : Hnf) = sum i : Nat. ( i < #hnf) -> steady-state probabilities of this state space using our Mat- mcrl_act( p_act(p_delayaction( hnf.i)), lab program which resulted in the following probabilities. p_rate(p_delayaction( hnf.i))). Exec( hnfrew( p_process( hnf.i))); State 0 1 2 3 4 5 6 7 init Prob. 0.30 0.08 0.07 0.22 0.04 0.14 0.06 0.09 Exec( hnfrew( p_recvar(p_start) )); One can use our implementation to project on the func- tional aspects of the processes (thus, generate an LTS with action types and no rates) and use the CADP tool-set for Figure 3: mCRL2 spec. of a PEPA process functional analysis. Furthermore, one could abstract from different actions, reduce the state space and use the visual- ization toolkit (e.g., FSM View, ltsview, ltsgraph and Dia- Graphica tools) to scrutinize different functional aspects of the system. We illustrate some of these possibilities on the case study presented in the next section.

6 5. CASE STUDY

5.1 Informal Explanation 1 To illustrate our method, we specify an abstract PEPA 0.9 model of a multichannel random access scheme, in the spirit 0.8 of OFDMA, as described in [7]. We perform various func- 0.7 tional and performance-related analyses on this specifica- 0.6 0 0.5 5 tion. In OFDMA a given channel is divided into many par- 20 18 16 14 10 12 10 probability of not colliding (on one channel) 8 15 allel subchannels and hence, multiple symbols are sent in 6 4 sending rate response rate 2 0 20 parallel. When two users simultaneously send packets to a subchannel their packets collide and get lost. After ex- (a) periencing a collision in a subchannel, the clients have to back-off. Several collision resolution schemes exists for such 1.3 networks. In the approach proposed in [7, Section III.A], af- 1.2 ter experiencing a collision, the client chooses another sub- 1.1 1 channel and retries the transmission immediately. Next, we 0.9 give an abstract PEPA model of this protocol. 0.8 20

15 response rate 5.2 The PEPA Model prob. with nondet. choice / det. 10

In our PEPA specification, we have two main subsystems: 5 0 4 2 8 6 12 10 subchannel and client. The former is the description of a 0 16 14 20 18 sending rate single subchannel in the system, and the latter specifies the behavior of a user. (b)

Client. The clients request permission for sending their packet Figure 4: (a) Collision probabilities and (b) Nonde- with rate rsnd. If no collision is detected they transmit their terministic vs. deterministic back-off mechanisms. data with the rate specified by the subchannel. Upon de- tecting a collision, they nondeterministically choose a sub- channel and retry the transmission. The PEPA model for each client i is defined as follows. service (by subchannels). The following table shows the size P of the generated state space for various number of clients Sendi = j∈J (reqj , rsnd).Chani,j ; and subchannels (the size of state space is oblivious to the Chani,j = (Psrvj , >).Sendi + (colj , rinst).Backi,j ; stochastic rates). Backi,j = j0∈J−{j}(reqj0 , rinst).Chani,j0 ; Apart from nondeterministic back-off mechanism specified above, we specified and analyzed a deterministic back-off Subch. / Clients 1 2 3 4 5 6 mechanism in which the next subchannel (using a modulo 1 2 9 30 83 218 553 counter) is chosen for retransmission. 2 3 35 231 1191 5713 25971 Since PEPA does not support immediate actions, we use 3 4 67 712 5866 42784 295330 the rate rinst which represents a huge number (2000 in our implementation) to model the rate of immediate actions for retrying another subchannel. Figure 5.(a) depicts the state space for 5 clients and 2 subchannels as visualized by the FSM View tool. The red transitions denote a collision. Subchannel. Subchannels (frequencies) receive transmis- sion requests from clients and either transmit the pack- ets successfully or upon receiving another, i.e., a colliding, Functional Analysis. The specification is checked auto- transmission request report a collision to clients. matically to be deadlock free while generating the state space by the mCRL2 tool-set. Furthermore, we use the F reqj = (reqj , >).((srvj , rsrv).F reqj + CADP toolkit to model check the underlying LTS for the fol- (reqj , >).(colj , rinst).(colj , rinst).F reqj ); lowing properties specified in the µ-calculus. The first prop- erty asserts that after each request, client 1 either receives an acknowledgement that the transmission is successful or is in- System. The system comprises the parallel composition of ∗ ∗ formed about a collision. [> .req1,1] < (not req1,1) .(srv1 or col1) > n subchannels and m clients and is defined as follows. > The result of model-checking shows that the aforemen-

start = (F req0 £¡ ... £¡ F reqn−1) tioned property indeed holds. However, the following prop- ∅ ∅ £¡ erty does not hold in the system with 2 subchannels and 4 req0,...,reqn−1,srv0,...,srvn−1,col0,...,coln−1 clients; it asserts that each path starting with a request will ∗ (Send0 £¡ ... £¡ Sendm−1) ∅ ∅ lead to a service action. [> .req1,1]µX.(< srv1 > true and < not srv1 > X) The reason for the above property to be in- 5.3 Transformations and Analysis valid is that there is an infinite path in which all requests on We generated the state space of this case-study by varying channel 1 collide and thus no successful transmission hap- several parameters such as the number of clients and sub- pens on this channel. Next, we analyze the probability of channels and the rates of sending packets (by clients) and collision by varying different parameters of the system.

7 Michel Reniers and Jan Friso Groote are acknowledged.

7. REFERENCES [1] L. Aceto, A. Ingolfsdottir, and M. Mousavi. Impossibility results for the equational theory of timed ccs. In Proceedings of CALCO’07, LNCS, Springer, 2007. [2] J.C.M. Baeten and W. P. Weijland. Process Algebra. Cambrdige, 1990. [3] J. A. Bergstra and J.W. Klop. Process algebra for (a) synchronous communication. I&C, 60(1-3):109–137, 1984. 0.5 0.45 [4] M. Bernardo and R. Gorrieri. A tutorial on EMPA: A 0.4 Channel theory of concurrent processes with nondeterminism, e 0.35 n O 0.3 priorities, probabilities and time. TCS, 202(1-2):1–54, on 0.25 0.2 2 Freq 1998. (and Corigendum, TCS, 254(1-2):691–694, 0.15 3 Freq Probabilty

0.1 2001.) 0.05 lision l 0 [5] E. Brinksma, H. Hermanns. Process Algebra and Co 0 5 10 15 20 25 Markov Chains. vol. 2090 of LNCS, pages 183–231, Response Rate Springer, 2001. [6] P. Buchholz. On a markovian process algebra. (b) Technical Report 500, Fachbereich Informatik, Universit¨atDortmund, 1994. Figure 5: (a) Visualized state space and (b) Collision probabilities with 2 vs. 3 subchannels [7] Y.-J. Choi, S. Park and S. Bahk Multichannel random access in OFDMA wireless networks. IEEE J. on Selected Areas in Communications, 24(3):603–613, Performance Evaluation. In the setting with 4 clients and 2006. 2 subchannels, we calculated the sum of steady state proba- [8] J.-C. Fernandez, H. Garavel, A. Kerbrat, L. Mounier, bilities of states in which no collision occurs in one subchan- R. Mateescu, and M. Sighireanu. CADP - a protocol nel (i.e., a reward model in which all states with at least one validation and verification toolbox. In Proceedings of collision in a specific subchannel are assigned reward value CAV’96, vol. 1102 of LNCS, pages 437–440. Springer, 0 and all other states are assigned 1); the result is shown 1996. in the diagram of Figure 4.(a). This diagram shows that [9] H. Garavel and H. Hermanns. On combining the probability of not colliding on a subchannel increases functional verification and performance evaluation exponentially with the increase in the response rates and using CADP. In Proceedings of FME’02, vol. 2391 of decrease in sending rates. Figure 4.(b) shows the ratio of LNCS, pages 410–429. Springer, 2002. the probabilities of collision avoidance in a subchannel for [10] J. F. Groote, A. Mathijssen, M. Reniers, Y. Usenko, the nondeterministic back-off scheme vs. the deterministic and M. van Weerdenburg. The formal specification (choose next) one. It shows that in networks with a high- language mCRL2. In Proceedings of the Dagstuhl load (with greater sending rates), the deterministic scheme Seminar, 2007. Avilable from www.mcrl2.org. works better while the probability is higher with the non- [11] H. Hermanns. Interactive Markov Chains: The Quest deterministic scheme when there is little traffic in the net- for Quantified Quality, vol. 2428 of LNCS. Springer, work (with lesser sending rates). Figure 5 gives a compari- 2002. son of collision probabilities between the cases in which the [12] H. Hermanns and J.-P. Katoen. Automated service capability is divided into two or three subchannels. compositional Markov chain generation for a plain-old In this experiment, the system comprises 4 clients, rsnd = 2 telephone system, SCP. 36:97–127, 2000. and rinst = 200. [13] H. Hermanns and M. Rettelbach. Syntax, semantics, equivalence, and axioms for MTIPP. Technical Report 10/94, Friedrich-Alexender-Universit¨at, 6. CONCLUSIONS Erlangen-N¨urnberg, 1994. In this paper, we introduced a general approach for trans- [14] J. Hillston. A Compositional Approach to Performance lating a number of Stochastic Process Algebras (SPAs) into Modelling. Cambridge, 1996. the process algebra mCRL2. We implemented this approach [15] C.A.R. Hoare. Communicating Sequential Processes. for two typical examples of such SPAs, namely PEPA and Prentice Hall, 1985. MTIPP. We further implemented Matlab scripts to calculate [16] R. Milner. A Calculus of Communicating Systems, steady-state probabilities and reward models for the under- vol. 92 of LNCS. Springer, 1980. lying Markov chains of generated state spaces. We are currently extending the implementation to SPAs [17] R. Milner. A complete inference system for a class of such as EMPA and IMC. We plan to investigate the applica- regular behaviours. JCSS, 28:439–466, 1984. tion of visualization techniques that, by incorporating rates, [18] F. Moller The Importance of the Left Merge Operator give us more insight about stochastic LTSs. in Process Algebras. In Proceedings of ICALP’90, vol. Acknowledgements. Useful comments of Holger Hermanns, 443 of LNCS, pages 752–764, Springer, 1990.

8