Models for AXML
Keeping Decidability in Mind.
AXML (on 1 peer)
last@FBI
L.Burrows
felony
killer
age
last@FBI
M.Scoffield
35
invoc. of
service =
rewriting
rule
L.Burrows
felony
killer
age
M.Scoffield
35
EFP
last@FBI: query last felonies of name_of_a_child, and append it under felony
- Confluence: does asking first Scoffield or Burrows result in same doc?
Yes
- Termination: Is there no infinite sequence of fireable services?
No
- Reachability: Can some configuration be reached/be subsumed?
???
Positive AXML
Positive AXML: If a service invocation is possible some day, it is possible forever.
=> Services can only add, never delete. Services cannot stop.
Ex:
last@FBI: query last felonies of name_of_a_child, and append it under felony
Non Positive:
last@FBI can also delete felony from revised trials.
Confluence: does asking first Scoffield or Burrows result in same doc?
Always Yes
- Termination: Is there no infinite sequence of fireable services?
Always No
- Reachability: Can some configuration be reached/be subsumed?
???
“Positive” Termination
document A ´ B if exists 2 child-consistent mappings from A to B and from B to A.
last@FBI
Ex:
L.Burrows
felony
age
last@FBI
L.Burrows
M.Scoffield
35
killer
´
felony
killer
age
M.Scoffield
35
killer
Positive Termination:
Is any infinite sequence of service invocation ultimately document-class constant?
For Positive Systems: Decidable if simple queries (no tree variables in queries)
else Undecidable
Ex simple queries:
last@FBI: last felonies of name_of_a_child is a list
Over Positivity?
Positive AXML: Services can only add, never delete. Services cannot stop.
What if a service can stop?
request
request
running
stopped
-Termination/Confluence becomes non trivial, interesting under simple queries
-Tennis Court example revisited:
Federer
leaveF1
request
manager
playF2
Field1: book
Field2: free
Field1: book
Field2: book
Federer-F2
Rulez for Services
FieldX,Y: ..: if son inactive & query PlayerX(request/active),
then close and open state with FieldY booked(PlayerX-FieldY)
Request: if query manager(X(Federer-FX/active)), close and open playFX
PlayerX-FieldY: if query PlayerX(PlayFieldY), close
PlayFY: if query manager(active(PlayerX-FieldZ/inactive)), close and open leaveFY
(or if Z \neq Y, we are talking about another field)
FieldX,Y: ..: if son inactive & query PlayerX(LeaveY/active),
then close and open state with FieldY free(FreePlayerX-FieldY)
leaveFY: if query manager(active(FreePlayerX-FieldZ/inactive)),close and open request
(or if Z \neq Y, we are talking about another field)
Over Positivity?
Federer
playF1
request
manager
playF2
Field1: book
Field2: free
Field1: book
Field2: book
Federer-F2
A service can create new services/data as brother/son.
A service is the only one that can decide to close itself.
Query can know state of services (but no tree variable)
A service should have a knowledge of its neighborhood
More distributed Fields
Fields act independently, can book themselves if find a request
(2 can be booked for the same player!)
Roland Garros
Federer
request
Play
Leave
S Lenglen
S Lenglen
S.Lenglen
Booked
Federer
Free
Central
Booked
Federer
Free
More distributed Fields
Free: if query PlayerX(Request/active), close and open Booked(playerX).
PlayerX(Request): if query RG(FieldY(Booked/active(PlayerX))),
then close and open Play(FieldY).
Play(FieldY): close and open Leave(FieldY).
FieldY(Booked(PlayerX)): if query PlayerX is active in Leave
or Play(FieldZ), Z  Y then close and open Free.
PlayerX(Leave(FieldY)) : if query RG(FieldY) is not active in Play(PlayerX),
then close and open Play(FieldY).
(Finite number of possibilities, hence a negative test is possible)
How soon comes Undecidability?
Result: Simulation of a deterministic 2 counters machine, with
A service can create new services/data as brother/son.
A service is the only one that can decide to close itself.
Query can know state of services (but no tree variable)
A service should have a knowledge of its 1-neighborhood.
Either non bounded depth or ordered trees (brother-successor)
Trivial: If depth 1 (word) and unordered trees, decidable (subclass of PN)
(Problem : simulating zero-test/unnexistence test.
Nota, easily undecidable with order on rules/optimisations)
Simulating 2 counters machine
Result: Simulation of a deterministic 2 counters (C,D) machine
We use 4 pseudo counters (C0,C1,D0,D1), and phases i,j  {0,1}, and states E
In phase i, Ci is the current counter and Ci+1 is the temporary/next counter
C0 = …$ XX YY
C0 = …$ XX X Y
C1 = …$ Z T
C1 = …$ Z T
X/Z = closed services
Y/T = open services
X/Y = copy
Z/T = paste
C0 = …$ XXX Y
C1 = …$ ZZ T
Simulating 2 counters Machine
We need a parity-bit k
C0 = …$ X0X1 Y0Y1
C0 = …$ X0X1 X0 Y1
C1 = …$ Z0 T1
C1 = …$ Z0 T1
Xk+1Yk : if query Zk Tk+1 then close
C0 = …$ X0X1X0 Y1
Tk : if query Xk+1 Yk then close and open Tk
C1 = …$ Z0Z1T0
Simulating 2 counters machine
We also need a coup-bit l  {0,1}:
at phase i, Ci on coup l copies on Ci+1 at coup i+l
C0 = 0 .. 0 $1 .. 1$ … $ l .. l
i=1
i =0
C1 = 0 .. 0 $1 .. 1$ … $ l’ ..l’
Old values
Current counter
We cannot mess a couter in coup l with a counter in coup l+1
and we cannot mess a with a wrong state E = (q0,0,0) … (q,i,j).
Old states
current state
4 Rewriting rulez
i: counter for Ci, k phase-bit, l coup-bit, X/Y copy, Z/T paste, p/q states
Xi,k-1,l T Yi,k,l : query (p,i’,j’) (q,i,j) and Zi,k-1,l+i X Ti,k,l+i and q concerns C
then close.
Zi+1,k-1,l Y Ti+1,k,l : query (p,i’,j’) (q,i,j) and Xi,k-1,l+i T Yi,k,l+i, q concerns C
then close and create Yi+1,k,l Ti+1,k+1,l.
Zi+1,k-1,l Y Ti+1,k,l : query (p,i’,j’) (q,i,j) and Xi,k-1,l+i T Yi,k,l+i$ q concerns C
then close and create Yi+1,k,l$ Ti+1,k+1,l . (decrement : create $ Ti+1,k+1,l )
(q,i,j) : query X$Ti,0,l and $Ti+1,0,l+i, q concerns C
then close and create (succ(q),i+1,j).
How soon comes Undecidability?
Result: Simulation of a deterministic 2 counters machine, with
non bounded depth, create sons
bounded depth, ordered, create brothers
machine
machine
D1
D0
(q,i,j)
C1
C0
C0
C1
D0
(q,i,j)
D1
How soon comes Undecidability?
Result: exact class-reachability undecidable for
A service can create services/data as cousin
(or can close another service, take common ancestor).
A service can close itself.
Query can know state of services (but no tree variable)
Bounded-depth and unordered trees.
machine
C0
C0
C1
Tokens
(C0+nZero)
C0 creates data nZero, or create data Zero. Token can copy to cousin with data nZero.
C0 can close anytime and open fresh C0 (with opposite bit).
Token open under closed service is a proof of bad simulation (tested by reachable class)
Over Positivity vs Workflow
Petri Net community sees workflow as acyclic PN.
Problem: Simulate more than one place in the pre of a transition.
A1
B1

t
A2
B2
Query
Bt or B2...
(not …B1)
A0
B0
A1
B1
At
Bt
A2
Query
At or A2...
B2 (not …A1)
A3
Reachability simulation for acyclic PN (may introduce deadlock)
Works also for safe PN (may introduce exponential blow-up)