On Hierarchical Communication Topologies in the π-calculus Emanuele D’Osualdo1 and C.-H. Luke Ong2 1 TU Kaiserslautern [email protected] 2 University of Oxford [email protected] Abstract. This paper is concerned with the shape invariants satisfied by the communication topology of π-terms, and the automatic inference 6 of these invariants. A π-term P is hierarchical if there is a finite forest 1 such that the communication topology of every term reachable from 0 TP satisfies a -shaped invariant. We design a static analysis to prove a 2 term hierarchTical by means of a novel type system that enjoys decidable r inference.Thesoundnessproofofthetypesystememploysanon-standard p view of π-calculus reactions. The coverability problem for hierarchical A termsisdecidable.Thisisprovedbyshowingthateveryhierarchicalterm is depth-bounded, an undecidable property known in the literature. We 9 thusobtainanexpressivestaticfragmentoftheπ-calculuswithdecidable 1 safety verification problems. ] L P 1 Introduction . s c Concurrency is pervasive in computing. A standard approach is to organise con- [ current software systems as a dynamic collection of processes that communicate 2 by message passing. Because processes may be destroyed or created, the number v of processes in the system changes in the course of the computation, and may 5 be unbounded. Moreover the messages that are exchanged may contain process 2 addresses. Consequently the communication topology of the system—the hyper- 7 graph [19, 18] connecting processes that can communicate directly—evolves over 1 0 time. In particular, the connectivity of a process (i.e. its neighbourhood in this . hypergraph) can change dynamically. The design and analysis of these systems 1 is difficult: the dynamic reconfigurability alone renders verification problems 0 6 undecidable. This paper is concerned with hierarchical systems, a new subclass of 1 concurrent message-passing systems that enjoys decidability of safety verification : problems, thanks to a shape constraint on the communication topology. v i Theπ-calculusofMilner,ParrowandWalker[19]isaprocesscalculusdesigned X to model systems with a dynamic communication topology. In the π-calculus, r processes can be spawned dynamically, and they communicate by exchanging a messagesalongsynchronouschannels.Furthermorechannelnamescanthemselves be created dynamically, and passed as messages, a salient feature known as mobility, as this enables processes to modify their neighbourhood at runtime. Itiswellknownthattheπ-calculusisaTuring-completemodelofcomputation. Verification problems on π-terms are therefore undecidable in general. There are 2 E. D’Osualdo and C.-H. L. Ong howeverusefulfragmentsofthecalculusthatsupportautomaticverification.The most expressive such fragment known to date is the depth-bounded π-calculus of Meyer [12]. Depth boundedness is a constraint on the shape of communication topologies. A π-term is depth-bounded if there is a number k such that every simplepath3 inthecommunicationtopologyofeveryreachableπ-termhaslength bounded by k. Meyer [14] proved that termination and coverability (a class of safety properties) are decidable for depth-bounded terms. Unfortunatelydepthboundednessitselfisanundecidableproperty[14],which is a serious impediment to the practical application of the depth-bounded frag- ment to verification. This paper offers a two-step approach to this problem. First we identify a (still undecidable) subclass of depth-bounded systems, called hierarchical, by a shape constraint on communication topologies (as opposed to numeric, as in the case of depth-boundedness). Secondly, by exploiting this richer structure,wedefineatypesystem,whichinturngivesastatic characterisationof an expressive and practically relevant fragment of the depth-bounded π-calculus. Example 1 (Client-server pattern). To illustrate our approach, consider a simple system implementing a client-server pattern. A server S is a process listening on a channel s which acts as its address. A client C knows the address of a server and has a private channel c that represents its identity. When the client wants to communicate with the server, it asynchronously sends c along the channel s. Upon receipt of the message, the server acquires knowledge of (the address of) the requesting client; and spawns a process A to answer the client’s request R asynchronously; the answer consists of a new piece of data, represented by a new name d, sent along the channel c. Then the server forgets the identity of the client and reverts to listening for new requests. Since only the requesting client knows c at this point, the server’s answer can only be received by the correct client. Figure 1a shows the communication topology of a server and a client, in the three phases of the protocol. The overall system is composed of an unbounded number of servers and clients, constructed according to the above protocol. The topology of a reachable configuration is depicted in Fig. 1b. While in general the topology of a mobile systemcanbecomearbitrarilycomplex,forsuchcommonpatternsasclient-server, the programmer often has a clear idea of the desired shape of the communication topology: there will be a number of servers, each with its cluster of clients; each clientmayinturnbewaitingtoreceiveanumberofprivatereplies.Thissuggests a hierarchical relationship between the names representing servers, clients and data, although the communication topology itself does not form a tree. T-compatibility and hierarchical terms Recall that in the π-calculus there is an important relation between terms, , called structural congruence, which ≡ equates terms that differ only in irrelevant presentation details, but not in behaviour.Forinstance,thestructuralcongruencelawsforrestrictiontellusthat the order of restrictions is irrelevant—νx.νy.P νy.νx.P—and that the scope ≡ 3 a simple path is a path with no repeating edges. On Hierarchical Communication Topologies in the π-calculus 3 d s c d S C d A s → C ccc ccc AA c c S s R c CCC CCC C d d ···C d d → S s CCC A···A A···A s c d S C A RRR ccc (a) the protocol (b) a reachable configuration (c) forest representation Fig.1. Evolution of the communication topology of a server interacting with a client. R represents a client’s pending request and A a server’s pending answer. of a restriction can be extended to processes that do not refer to the restricted name—i.e., (νx.P) Q νx.(P Q) when x does not occur free in Q—without (cid:107) ≡ (cid:107) altering the meaning of the term. The former law is called exchange, the latter is called scope extrusion. Our first contribution is a formalisation in the π-calculus of the intuitive notion of hierarchy illustrated in Example 1. We shall often speak of the forest representation of a π-term P, forest(P), which is a version of the abstract syntax tree of P that captures the nesting relationship between the active restrictions of the term. (A restriction of a π-term is active if it is not in the scope of a prefix.) Thus the internal nodes of a forest representation are labelled with (active) restriction names, and its leaf nodes are labelled with the sequential subterms. Given a π-term P, we are interested in not just forest(P), but also forest(P ) where P ranges over the structural congruents of P, because these (cid:48) (cid:48) are all behaviourally equivalent representations. See Fig. 4 for an example of the respective forest representations of the structural congruents of a term. In our setting a hierarchy is a finite forest of what we call base types. Given T a finite forest , we say that a term P is -compatible if there is a term P , (cid:48) T T which is structurally congruent to P, such that the parent relation of forest(P ) (cid:48) is consistent with the partial order of . T In Example 1 we would introduce base types srv, cl and data associated with the restrictions νs, νc and νd respectively, and we would like the system to be compatible to the hierarchy = srv cl data, where is the is-parent-of relation. That is, we must be aTble to rep(cid:6)resen(cid:6)t a configuratio(cid:6)n with a forest that, for instance, does not place a server name below a client name nor a client name below another client name. Such a representation is shown in Fig. 1c. In the Example, we want every reachable configuration of the system to be compatible with the hierarchy. We say that a π-term P is hierarchical if there is a hierarchy such that every term reachable from P is -compatible. Thus the T T hierarchy is a shape invariant of the communication topology under reduction. T 4 E. D’Osualdo and C.-H. L. Ong a a a b b b ≡ → S R S R S0 R0 Fig.2. Standard view of π-calculus reactions It is instructive to express depth boundedness as a constraint on forest representation: a term P is depth-bounded if there is a constant k such that every term reachable from P has a structurally congruent P whereby forest(P ) (cid:48) (cid:48) has height bounded by k. It is straightforward to see that hierarchical terms are depth-bounded; the converse is however not true. A type system for hierarchical terms Whilemembershipofthehierarchical fragment is undecidable, by exploiting the forest structure, we have devised a novel type system that guarantees the invariance of -compatibility under T reduction. Furthermore type inference is decidable, so that the type system can beusedtoinferahierarchy withrespecttowhichtheinputtermishierarchical. T To the best of our knowledge, our type system is the first that can infer a shape invariant of the communication topology of a system. The typing rules that ensure invariance of -compatibility under reduction T arise from a new perspective of the π-calculus reaction, one that allows compati- bility to a given hierarchy to be tracked more readily. Suppose we are presented with a -compatible term P =C[S,R] where C[-,-] is the reaction context, and T the two processes S =a b .S and R=a(x).R are ready to communicate over (cid:48) (cid:48) (cid:104) (cid:105) a channel a. After sending the message b, S continues as the process S , while (cid:48) upon receipt of b, R binds x to b and continues as R =R[b/x]. Schematically, (cid:48)(cid:48) (cid:48) the traditional understanding of this transaction is: first extrude the scope of b to include R, then let them react, as shown in Fig. 2. Instead, we seek to implement the reaction without scope extrusion: after the message is transmitted, the sender continues in-place as S , while R is split in (cid:48) (cid:48)(cid:48) two parts R R , one that uses the message (the migratable part) and one that does nom(cid:48)ti.gA(cid:107)s sh¬(cid:48)omwign in Fig. 3, the migratable part of R , R , is “installed” (cid:48)(cid:48) m(cid:48) ig under b so that it can make use of the acquired name, while the non-migratable one, R , can simply continue in-place. (cid:48)mig Cru¬cially,thereactioncontext,C[-,-],isleftunchanged.Thismeansthatifthe startingtermis -compatible,thereactioncontextofthereactum is -compatible T T as well. We can then focus on imposing constraints on the use of names of R (cid:48) so that the migration does not result in R escaping the scope of previously m(cid:48) ig bound names. By using these ideas, our type system is able to statically accept π-calculus encodings of such system as that discussed in Example 1. The type system can be used, not just to check that a given is respected by the behaviour of a T term, but also to infer a suitable when it exists. Once typability of a term T On Hierarchical Communication Topologies in the π-calculus 5 a a b b → R0 S R S0 mig R0 mig ¬ Fig.3. -compatibility preserving reaction T is established, safety properties such as unreachability of error states, mutual exclusionorboundsonmailboxes,canbeverifiedalgorithmically.Forinstance,in Example 1, a coverability check can prove that each client can have at most one reply pending in its mailbox. To prove such a property, one needs to construct an argument that reasons about dynamically created names with a high degree of precision. This is something that counter abstraction and uniform abstractions based methods have great difficulty attaining. Our type system is (necessarily) incomplete in that there are depth-bounded, or even hierarchical, systems that cannot be typed. The class of π-terms that can be typed is non-trivial, and includes terms which generate an unbounded number of names and exhibit mobility. Outline. In Section 2 we review the π-calculus, depth-bounded terms, and related technical preliminaries. In Section 3 we introduce -compatibility and the T hierarchical terms. We present our type system in Section 4. Section 5 discusses soundness of the type system. In Section 6 we give a type inference algorithm; and in Section 7 we present results on expressivity and discuss applications. We conclude with relatedand future workin Sections 8 and 9.All missing definitions and proofs can be found in Appendix. 2 The π-calculus and the depth-bounded fragment 2.1 Syntax and semantics We use a π-calculus with guarded replication to express recursion [16]. Fix a universe of names representing channels and messages. The syntax is defined N by the grammar: P,Q::=0 νx.P P P M !M process 1 2 P (cid:51) | | (cid:107) | | M ::=M +M π.P choice | π ::=a(x) a b τ prefix | (cid:104) (cid:105) | Definition 1. Structural congruence, , is the least relation that respects α- ≡ conversion of bound names, and is associative and commutative with respect to + 6 E. D’Osualdo and C.-H. L. Ong (choice) and (parallel composition) with 0 as the neutral element, and satisfies (cid:107) laws for restriction: νa.0 0 and νa.νb.P νb.νa.P, and ≡ ≡ !P P !P Replication ≡ (cid:107) P νa.Q νa.(P Q) (if a fn(P)) Scope Extrusion (cid:107) ≡ (cid:107) (cid:54)∈ In P =π.Q, we call Q the continuation of P and will often omit Q altogether whenQ=0.Inatermνx.P wewilloccasionallyrefertoP asthescope ofx.The name x is bound in both νx.P, and in a(x).P. We will write fn(P), bn(P) and bn (P) for the set of free, bound and restriction-bound names in P, respectively. ν A sub-term is active if it is not under a prefix. A name is active when it is bound byanactiverestriction.Wewriteact (P)forthesetofactivenamesofP.Terms ν of the form M and !M are called sequential. We write for the set of sequential S terms, act (P) for the set of active sequential processes of P, and Pi for the S parallel composition of i copies of P. Intuitively, a sequential process acts like a thread running finite-control sequential code. A term τ.(P Q) is the equivalent of spawning a process (cid:107) Q and continuing as P—although in this context the rˆoles of P and Q are interchangeable. Interaction is by synchronous communication over channels. An input prefix a(x) is a blocking receive on the channel a binding the variable x to the message. An output prefix a b is a blocking send of the message b (cid:104) (cid:105) along the channel a; here b is itself the name of a channel that can be used subsequently for further communication: an essential feature for mobility. A non-blocking send can be simulated by spawning a new process doing a blocking send. Restrictions are used to make a channel name private. A replication !(π.P) can be understood as having a server that can spawn a new copy of P whenever a process tries to communicate with it. In other words it behaves like an infinite parallel composition (π.P π.P ). (cid:107) (cid:107)··· For conciseness, we assume channels are unary (the extension to the polyadic caseisstraightforward).Incontrasttoprocesscalculiwithoutmobility,replication andsystemsoftailrecursiveequationsareequivalentmethodsofdefiningrecursive processes in the π-calculus [17, Section 3.1]. We rely on the following mild assumption, that the choice of names is unam- biguous, especially when selecting a representative for a congruence class: Name Uniqueness Assumption. Each name in P is bound at most once and fn(P) bn(P)= . ∩ ∅ Normal Form. The notion of hierarchy, which is central to this paper, and the associated type system depend heavily on structural congruence. These are criteria that, given a structure on names, require the existence of a specific representative of the structural congruence class exhibiting certain properties. However, we cannot assume the input term is presented as that representative; evenworse,whenthestructureonnamesisnotfixed(forexample,wheninferring types) we cannot fix a representative and be sure that it will witness the desired properties. Thus, in both the semantics and the type system, we manipulate On Hierarchical Communication Topologies in the π-calculus 7 a neutral type of representative called normal form, which is a variant of the standard form [19]. In this way we are not distracted by the particular syntactic representation we are presented with. We say that a term P is in normal form (P ) if it is in standard form nf ∈P and each of its inactive subterms is also in normal form. Formally, normal forms are defined by the grammar N ::=νx . νx .(A A ) nf 1 n 1 m P (cid:51) ··· (cid:107)···(cid:107) A::=π .N + +π .N !(π .N + +π .N ) 1 1 n n 1 1 n n ··· | ··· where the sequences x ...x and A ...A may be empty; when they are both 1 n 1 m empty the normal form is the term 0. We further assume w.l.o.g. that normal forms satisfy Name Uniqueness. Given a finite set of indexes I = i ,...,i we 1 n (cid:81) { (cid:80) } write A for (A A ), which is 0 when I is empty; and π .N i I i i1 (cid:107)···(cid:107) in i I i i for (π .N∈ + +π .N ). This notation is justified by commutativ∈ity and i1 i1 ··· in in associativity of the parallel and choice operators. Thanks to the structural laws of restriction, we also write νX.P where X = x ,...,x , or νx x x .P, 1 n 1 2 n { } ··· for νx . νx .P; or just P when X is empty. When X and Y are disjoint sets 1 n ··· of names, we use juxtaposition for union. EveryprocessP isstructurallycongruenttoaprocessinnormalform.The ∈P function nf: , defined in Appendix, extracts, from a term, a structurally nf P →P congruent normal form. GivenaprocessP withnormalformνX.(cid:81) A ,thecommunicationtopology4 i I i of P, written P , is defined as the labelled∈hypergraph with X as hyperedges and I as nodesG,(cid:74)ea(cid:75)ch labelled with the corresponding A . An hyperedge x X is i ∈ connected with i just if x fn(A ). i ∈ Semantics. We are interested in the reduction semantics of a π-term, which can be described using the following rule. Definition 2 (Semanticsofπ-calculus).Theoperationalsemanticsofaterm P is defined by the (pointed) transition system ( , ,P ) on π-terms, where 0 0 ∈P P → P is the initial term, and the transition relation, 2, is defined by P Q 0 →⊆P → if either (i) to (iv) hold, or (v) and (vi) hold, where (i) P νW.(S R C) , nf ≡ (cid:107) (cid:107) ∈P (ii) S =(a b .νY .S )+M , (v) P νW.(τ.νY.P C) , s (cid:48) s (cid:48) nf (cid:104) (cid:105) ≡ (cid:107) ∈P (iii) R=(a(x).νY .R)+M , (vi) Q νWY.(P C). r (cid:48) r (cid:48) ≡ (cid:107) (iv) Q νWY Y .(S R[b/x] C), s r (cid:48) (cid:48) ≡ (cid:107) (cid:107) We define the set of reachable terms from P as Reach(P) := Q P Q , ∗ { | → } writing to mean the reflexive, transitive closure of . We refer to the ∗ → → restrictions, νY , νY and νY, as the restrictions activated by the transition s r P Q. → Noticethattheuseofstructuralcongruenceinthedefinitionof takesunfolding → replication into account. 4 This definition arises from the “flow graphs” of [19]; see e.g. [14, p. 175] for a formal definition. 8 E. D’Osualdo and C.-H. L. Ong Example 2 (Client-server). We can model a variation of the client-server pattern sketched in the introduction, with the term νsc.P where P = !S !C !M, (cid:107) (cid:107) S =s(x).νd.x d , C =c(m).(s m m(y).c m ) and M =τ.νm.c m . The term (cid:104) (cid:105) (cid:104) (cid:105)(cid:107) (cid:104) (cid:105) (cid:104) (cid:105) !S represents a server listening to a port s for a client’s requests. A request is a channel x that the client sends to the server for exchanging the response. After receiving x the server creates a new name d and sends it over x. The term !M creates unboundedly many clients, each with its own private mailbox m. A client on a mailbox m repeatedly sends requests to the server and concurrently waits for the answer on the mailbox before recursing. In the following examples, we use CCS-style nullary channels, which can be understoodasashorthand:c.P :=c(x).P andc.P :=νx.c x .P wherex fn(P). (cid:104) (cid:105) (cid:54)∈ Example 3 (Resettable counter). A counter with reset is a process reacting to messages on three channels inc, dec and rst. An inc message increases the value of the counter, a dec message decreases it or causes a deadlock if the counter is zero, and a rst message resets the counter to zero. This behaviour is exhibited (cid:0) (cid:0) (cid:1)(cid:1) by the process C = ! p (t). inc .(t p t )+dec .(t.p t )+rst .(νt .p t ) . i i i (cid:107) i(cid:104) (cid:105) i i(cid:104) (cid:105) i (cid:48)i i(cid:104) (cid:48)i(cid:105) Here, the number of processes t in parallel with p t represents the current value i (cid:0) (cid:104) (cid:105) (cid:1) of the counter i. A system νp t .(C p t ) νp t .(C p t ) can for 1 1 1 1 1 2 2 2 2 2 (cid:107) (cid:104) (cid:105) (cid:107) (cid:107) (cid:104) (cid:105) instancesimulateatwo-countermachinewhenputinparallelwithafinitecontrol process sending signals along the channels inc , dec and rst . i i i Example 4 (Unbounded ring). Let R = νm.νs .(M m s s ), S = !(s.n) 0 0 0 (cid:0) (cid:1) (cid:107) (cid:104) (cid:105) (cid:107) and M =! m(n).s .νs.(S m s s) . The term R implements an unboundedly 0 (cid:107) (cid:104) (cid:105)(cid:107) growing ring. It initialises the ring with a single “master” node pointing at itself (s ) as the next in the ring. The term M, implementing the master node’s 0 behaviour,waitsons andreactstoasignalbycreatinganewslavewithaddress 0 s connected with the previous next slave n. A slave S simply propagates the signals on its channel to the next in the ring. 2.2 Forest representation of terms In the technical developement of our ideas, we will manipulate the structure of terms in non-trivial ways. When reasoning about these manipulations, a term is bestviewedasaforestrepresenting(therelevantpartof)itsabstractsyntaxtree. Since we only aim to capture the active portion of the term, the active sequential subterms are the leaves of its forest view. Parallel composition corresponds to (unordered) branching, and names introduced by restriction are represented by internal (non-leaf) nodes. A forest is a simple, acyclic, directed graph, f = (N , ), where the edge f f relation n n means “n is the parent of n ”. We w(cid:6)rite and < for 1 f 2 1 2 f f the reflexive(cid:6)transitive and the transitive closure of respectiv≤ely. A path is a f sequence of nodes, n ... n , such that for each i <(cid:6)k, n n . Henceforth 1 k i f i+1 we drop the subscript f from , and < (as there is n(cid:6)o risk of confusion), f f f and assume that all forests are(cid:6)fin≤ite. Thus every node has a unique path to a root (and that root is unique). On Hierarchical Communication Topologies in the π-calculus 9 1 2 3 4 5 a c a a c b c b a A1 b A1 b A3 A2 a A3 c A1 b A3 A2 c A4 A2 A4 A1 A4 A A A A A A A 1 2 3 4 2 4 3 Fig.4. Examples of forests in P where P =νabc.(A A A A ), A =a(x), 1 2 3 4 1 A =b(x), A =c(x) and A =Fa(cid:74) b(cid:75). (cid:107) (cid:107) (cid:107) 2 3 4 (cid:104) (cid:105) AnL-labelledforest isapairϕ=(f ,(cid:96) )wheref isaforestand(cid:96) : N L ϕ ϕ ϕ ϕ ϕ → is a labelling function on nodes. Given a path n ...n of f , its trace is the 1 k ϕ induced sequence (cid:96) (n )...(cid:96) (n ). By abuse of language, a trace is an element ϕ 1 ϕ k of L which is the trace of some path in the forest. ∗ WedefineL-labelledforestsinductivelyfromtheemptyforest( , ).Wewrite ∅ ∅ ϕ ϕ for the disjoint union of forests ϕ and ϕ , and l[ϕ] for the forest with a 1 2 1 2 (cid:93) single root, which is labelled with l L, and whose children are the respective ∈ roots of the forest ϕ. Since the choice of the set of nodes is irrelevant, we will always interpret equality between forests up to isomorphism (i.e. a bijection on nodes respecting parent and labeling). Definition 3 (Forest representation). We represent the structural congru- ence class of a term P with the set of labelled forests P := forest(Q) Q P with labels in a∈ctP(P) act (P) where forest(Q) isFd(cid:74)efi(cid:75)ned {as | ν ≡ } (cid:93) S ( , ) if Q=0 Q∅[(∅, )] if Q is sequential forest(Q):= ∅ ∅ fxo[rfoesrte(sQt(Q)(cid:48))]forest(Q ) iiff QQ==νQx.Q(cid:48)Q 1 2 1 2 (cid:93) (cid:107) Note that leaves (and only leaves) are labelled with sequential processes. The restriction height, height (forest(P)), is the length of the longest path ν formed of nodes labelled with names in forest(P). In Fig. 4 we show some of the possible forest representations of an example term. 2.3 Depth-bounded terms Definition 4 (Depth-bounded term [12]). The nesting of restrictions of a term is given by the function nest (M):=nest (!M):=nest (0):=0 ν ν ν nest (νx.P):=1+nest (P) ν ν nest (P Q):=max(nest (P),nest (Q)). ν ν ν (cid:107) 10 E. D’Osualdo and C.-H. L. Ong The depth of a term is defined as the minimal nesting of restrictions in its congruence class, depth(P):=min nest (Q) P Q . A term P is depth- ν bounded if there exists k N such{that for e|ach≡Q }Reach(P), d∈epPth(Q) k. ∈ ∈ ≤ We write for the set of terms with bounded depth. db P Notice that nest is not an invariant of structural congruence, whereas depth ν and depth-boundedness are. Example 5. Consider the congruent terms P and Q (cid:0) (cid:1) (cid:0) (cid:1) P =νa.νb.νc. a(x) b c c(y) νa.a(x) νc. (νb.b c ) c(y) =Q (cid:107) (cid:104) (cid:105)(cid:107) ≡ (cid:107) (cid:104) (cid:105) (cid:107) We have nest (P)=3 and nest (Q)=2; but depth(P)=depth(Q)=2. ν ν It is straightforward to see that the nesting of restrictions of a term coincides with the height of its forest representation, i.e., for every P , nest (P) = ν ∈ P height (forest(P)). ν Example 6 (Depth-bounded term). The term in Example 2 is depth-bounded: all the reachable terms are congruent to terms of the form Q =νsc.(cid:0)P Ni Reqj Ansk(cid:1) ijk (cid:107) (cid:107) (cid:107) for some i,j,k N where N = νm.c m , Req = νm.(s m m(y).c m ) and ∈ (cid:104) (cid:105) (cid:104) (cid:105) (cid:107) (cid:104) (cid:105) Ans =νm.(νd.m d m(y).c m ). For any i,j,k, nest (Q ) 4. ν ijk (cid:104) (cid:105)(cid:107) (cid:104) (cid:105) ≤ Example 7 (Depth-unbounded term). Consider the term in Example 4 and the following run: R νms .(M νs .(!(s .s ) m s s )) ∗ 0 1 1 0 1 1 → (cid:107) (cid:107) (cid:104) (cid:105)(cid:107) νms .(M νs .(!(s .s ) νs .(!(s .s ) m s s ))) ... ∗ 0 1 1 0 2 2 1 2 2 ∗ → (cid:107) (cid:107) (cid:107) (cid:104) (cid:105)(cid:107) → The scopes of s , s , s and the rest of the instantiations of νs are inextricably 0 1 2 nested, thus R has unbounded depth: for each n 1, a term with depth n is ≥ reachable. Depth boundedness is a semantic notion. Because the definition is a universal quantification over reachable terms, analysis of depth boundedness is difficult. Indeed the membership problem is undecidable [14]. In the communication topology interpretation, depth has a tight relationship with the maximum length of the simple paths. A path v e v ...v e v in P is simple if it does not 1 1 2 n n n+1 repeathyper-edges,i.e.,e =e foralli=j.AtermGis(cid:74)de(cid:75)pth-boundedifandonly i j (cid:54) (cid:54) if there exists a bound on the length of the simple paths of the communication topology of each reachable term [12]. This allows terms to grow unboundedly in breadth, i.e., the degree of hyper-edges in the communication topology. (cid:81) AtermP isembeddable inatermQ,writtenP Q,ifP νX. A and Q νXY.((cid:81) A R) for some term R(cid:22). In [12] t≡he termie∈mIbeid∈diPnngf ≡ i I i (cid:107) ∈Pnf ordering, ,isshow∈ntobebothasimulationrelationonπ-terms,andaneffective (cid:22) well-quasi ordering on depth-bounded terms. This makes the transition system (Reach(P)/ , / ,P) a well-structured transition system (WSTS) [7, 1] under ≡ → ≡ the term embedding ordering. Consequently a number of verification problems are decidable for terms in . db P