Decidability Problems for Actor Systems

We introduce a nominal actor-based language and study its expressive power. We have identified the presence/absence of fields as a crucial feature: the dynamic creation of names in combination with fields gives rise to Turing completeness. On the other hand, restricting to stateless actors gives rise to systems for which properties such as termination are decidable. This decidability result still holds for actors with states when the number of actors is bounded and the state is read-only.


Introduction
Since their introduction in [20], actor languages have evolved as a powerful computational model for defining distributed and concurrent systems [2,3].Languages based on actors have been also designed for modelling embedded systems [23,24], wireless sensor networks [11,31], multi-core programming [22], and web services [9,10].The underlying concurrent model of actor languages also forms the basis of the programming languages Erlang [4] and Scala [19] that have recently gained in popularity, in part due to their support for scalable concurrency.
In actor languages [2,20,32], actors use a queue for storing the invocations to their methods in a FIFO manner.The queued invocations are processed sequentially by executing the corresponding method bodies.The encapsulated memory of an actor is represented by a finite number of fields that can be read and set by its methods and as such exist throughout its life time.
In this paper we introduce a nominal actor-based language and study its expressive power.This language, besides dynamic creation of actors, also supports the dynamic creation of variable names that can be stored in fields and communicated in method calls.As such our nominal actor-based language gives rise to unboundedness in (1) internal queues of the actors, (2) dynamic actor creation/activation and (3) dynamic creation of variable names.
Statelessness has recently been adopted as a basic principle of service oriented computing, in particular by RESTful services.Such services are designed to be stateless, and contextual information should be added to messages, so a service can customize replies simply by looking at the received request messages.In service oriented computing read-only fields (which are initialized upon activation) are used to provide configuration/deployment information that distinguishes the distinct instances of the same service.We have identified the presence/absence of fields as a crucial feature of our language: (1) and (3) in combination with fields gives rise to a Turing complete calculus.On the other hand, restricting to stateless actors gives rise to systems for which properties such as termination and process reachability are decidable.In order to preserve this decidability result to actors with states we have to restrict the number of actors to be finite and the state to be read-only.
More specifically, we model a system consisting of finitely many actors with read-only fields as a well-structured transition system [16] -henceforth termination and process reachability are decidable.Further, we show that an abstraction of systems of unboundedly many stateless actors (i.e., actors without fields) which preserves termination and process reachability is also an instance of well-structured transition system.It turns out that, in the context of unbounded actor creation, this restriction to stateless actors is necessary by a reduction to the halting problem for 2 Counter Machines.
To the best of our knowledge, the technique we use to establish the decidability results for the above languages is original since (i ) these systems respectively admit the creation of unboundedly many variables and actor names; (ii ) actors in general are sensitive to the identity of names because of the presence of a name-match operator.In particular, in the case of finitely many actors with read-only fields, we define an equivalence on process instances in terms of renamings of the variables that generate the same partition.This equivalence allows us to compute an upper bound to the instances of method bodies, which is the basic argument for the model being a well-structured transition system.In case of systems with unboundedly many stateless actors, the reasonable extensions of this equivalence on process instances have been unsuccessful because of the required abstraction of the identity of actor names.Therefore we decided to apply our arguments to an abstract operational model where messages may be enqueued in every actor of the same class.The above equivalence can be successfully used in this model, thus yielding again the upper bounds for the number of method body instances.Further, the abstract model still provides enough information to derive decidable properties of the language.Related Works.There exists a vast body of related work on decidability of infinite-state systems (see [1]).However, to the best of our knowledge, the specific characteristics of the pure asynchronous mechanism of queued and dequeued method calls in actor-based languages has not been addressed.It is interesting to observe that the most expressive known fragment of the pi-calculus for which interesting verification problems are still decidable is the depth-bounded fragment [26].In [33] the theory of well-structured transition systems is applied to prove the decidability of coverability problems for bounded depth pi-calculus.Our nominal actor language also features the creation and communication of new names.In our decidable fragments however, differently from the depth-bounded pi-calculus fragment, we do not restrict the creation and communication of names.For instance, in the queue of an actor we might have unboundedly many messages (representing process continuations) where each message shares one name with the previous message in the queue.Decidability of asynchronous communication via a shared data space, read operation and non-blocking test operators on the shared space of the coordination language Linda has been studied in [8].In [5] the authors introduce an algorithm for reachability analysis of multithreaded object-oriented programs.This algorithm requires both a bound on the number of context switches (between the threads) and the visible heap.Further their approach is specific to object-oriented programs and is not applicable to actor-based languages, which are based on a different concurrency model.As another final example, a system composed of finitely many actors can be easily modeled as a communicating finite state machine [6], a formalism that is known to be Turing complete [6,25].However, this modelling does not scale to infinite actors and does not display the execution model of actors.Recent work on actor-based language focusses on deadlock analysis: In [18], a technique for the deadlock analysis has been introduced for a version of Featherweight Java which features asynchronous method invocations and a synchronization mechanism based on futures variables.The approach followed in [15] for detecting deadlock in an actor-like subset of Creol [7] is based on suitable over-approximations.

The language Actor
Four disjoint infinite sets of names are used: actor classes, ranged over by C, D, • • • , method names, ranged over by m, m ′ , n, n ′ , • • • , field names, ranged over by f, g, • • • , and variables, ranged over by x, y, z, • • • .For notational convenience, we use x when we refer to a list of variables x 1 , . . ., x n (and similarly for other kinds of terms).
The syntax of the language Actor uses expressions E and processes P defined by the rules An expression E either denotes a value stored in a field f, or a variable x, or a new actor of class C with fields initialized to the values of E. A process may be either the terminated one, denoted by 0, or a field update (f ← E).P , or the assignment let x = E in P of a value to a variable, or an invocation x!m( E).P of a method m of the actor x with arguments E, or a check [E = E ′ ]P ;P ′ of the identity of expressions with positive and negative continuations, or, finally a nondeterministic process P + P ′ .We never write the tailing 0 in processes; for example (f ← x).0 will be always shortened into (f ← x).We will also shorten [E = E ′ ]P ;0 into [E = E ′ ]P .Following the tradition of process calculi like CCS [27], we model sequences of actions by exploiting the so-called prefix notation (like, e.g., in (f ← E).P ).
The operation let x = E in P is a binder of the occurrences of the variable x in the process P that are not already bound by a nested let operation of x; the occurrences of x in E are free.Let free(P ) be the set of variables of P that are not bound.As usual, we identify processes P and P ′ that are equal up-to alpha-conversion of bound names, written P = α P ′ .The substitution operation P [ y / x ] returns the process P where the free occurrences of x are replaced by y.The substitution operation P [ y / x ] returns the process P where the free occurrences of x are simultaneously replaced by y.In case, alpha-renaming is required for avoiding name clashes.For example In the following examples and encodings we shorten let x = f in x!m( E).P into f!m( E).P (we have preferred the simpler syntax to ease the descriptions).
A program is a main process P and a finite set of actor class definitions C.m( x) = P C,m , where P C,m may contain the special variable this (which can be seen as an implicit formal parameter of each method).In the following we restrict to programs that are (1) unambiguous, namely, every pair C, m has at most one definition; (2) correct, namely, let fields(•) be a map that associates a tuple of field names to every actor class.Then, (i ) in every expression new C( E), the length of the tuples E and fields(C) are the same; (ii ) in every definition C.m( x) = P C,m , the field names occurring in P C,m are in the tuple fields(C).In this paper, we abstract from types and type-correctness because we are only interested in expressive power issues.However, it is straightforward to equip the above language with a type discipline.

2.1.
Examples.To illustrate the features of the actor language we discuss four examples.
Example 2.1.The merger service is an application that forwards to a back office server the values carried by two invocations of clients to methods first and second .The merger freezes the forward as long as there is no invocation of either first or second -in the process calculi community, the merger is modelled by a join pattern [17].In our actor language the merger is modelled by a class actor Merger with six fields: t and f storing the values true and false, respectively; fst and snd storing true or false according to the method first and second have been invoked or not, respectively; g storing the argument of the invocation; srv storing the actor name of the back office server.
The class actor Merger includes the following three methods: The method init manifests a basic feature of our actor language: the creation of new variables.In particular, tt and ff are free variables in the method definition of init.When init will be invoked, they will be replaced by two different fresh variables (said in pi-calculus jargon [28], we are assuming an implicit (ν tt, ff )-at the beginning of the method body).
These variables are stored in the fields t and f, respectively and they will be used to update the fields fst and snd appropriately .The merger forwards two messages to the server, which is stored in the field srv.These messages have been received through invocations of first and second.No forward occurs if one of the two methods has not been invoked.In particular, first (the method second behaves in a similar way) performs the forward if second has been evaluated and its message has not been already forwarded (field snd equal to tt); in this case the parameter of the invocation of second has been stored into g.Otherwise, if there is no previous invocation to first, still to be forwarded, (field fst equal to ff ) then fst is set to tt and the parameter stored into g.There is a possibility that first is evaluated and a previous evaluation of first has still to be forwarded (field fst equal to tt).In this case, the invocation is bounced back (it is enqueued in the actor queue -see the operational semantics).
Example 2.2.As a second example we model the OpenID authentication protocol [30].Three actors are considered: a client, a server, and an authProvider.The client sends a login request to the server.The server generates two secure tokens clientToken and authToken, used for secure communication with the client and the authProvider, respectively, and then sends the two tokens to the corresponding actors.Subsequently, the client sends an authentication message to the authProvider that (after checking the correctness of the username and password) communicates to the server whether the authentication succeeds or fails.In the following, we abstract from the management of username and password and we simply assume that they are stored in the fields u and p of the client when it sends the authenticate message to the authServer.A.open(server , cToken, aToken) = (server ← server ).(ctoken ← cToken).
(atoken ← aToken) A.authenticate(u, p, cToken) = [ctoken = cT oken] server!succeeds(atoken); server!fails(atoken)The main program that instantiates the client, the server and the authProvider is as follows: let client = new C in let server = new S in let authProvider = new A in client!init(server ).server !init(authProvider ) Example 2.3.We illustrate the modeling of a register that stores natural numbers and supports the operations of increment and decrement, when its value is positive.In the absence of data-types in our nominal actor language, we model a register by an actor and implement the value of the register by the number of invocations of the method item stored in its queue.Below we describe the corresponding class R, assuming a class Ctrl which encodes the control of the register machine.When an operation is performed, the register replies with an invocation run(pc, tt, ff ), where pc is a suitable continuation.The continuation is unique when the increment is invoked; the decrement has two possible continuations: a positive one, in case of success, and a negative one (the register was 0, no decrement is performed).
// R has a field called dec, Ctrl is an actor in the context R.inc(pc, tt, ff Method inc simply gives rise to the storage of a new message item and a trigger of the continuation.Executing a message item, amounts to bouncing the invocation back if the value of the field dec is false.In this case the invocation is enqueued again.Otherwise the invocations is "consumed" because there was a pending decrement to perform (see below) and dec is set to true (indicating that there is no pending decrement anymore).Method dec is the tricky one: it sets dec to true and add an invocation of checkzero (we are assuming that the register queue always contains at most one invocation of dec).That is, we are postponing the triggering of the continuation to the evaluation of checkzero that will occur after the evaluation of any other method in the queue of the register.When checkzero will be evaluated either (i) the dec field is true, this means that the register did not contained any item message -its value was 0 -and the continuation pc ′ is triggered; or (ii) the dec field is false, that is the register has been decremented and the continuation pc is triggered.A refinement of the above register is used in Theorem 3.2 to demonstrate the Turing completeness of a sublanguage of Actor.
Example 2.4.In Sections 4 and 5 we will respectively prove decidability results for two fragments of our actor language: in the first fragment only the main program can create new actors (so boundedly many actors can be created) and fields are read-only, while in the second fragment actors have an empty state.To illustrate these two fragments we show how they can be used to model a system in which n workers are used to execute n distinct tasks indicated by a client.
In the fragment with bounded actors and read-only fields the model can be described by considering a class C for the client with an init method responsible for invoking the task manager, passing him the description of the n tasks to be executed: The task manager is an instance of a class providing a method called tasksExec able to pass to the workers the description of their relative tasks: Finally, a worker is an instance of a class W with one method exec able to execute the passed task (we leave this method unspecified): // W has no fields and one method exec(p) The main program first instantiates the workers, then the task manager by storing in its state the reference to the workers, and finally the client; after the init method of the client is invoked passing him a reference to the task manager: In the fragment with stateless actors we present an alternative specification of the system in which the classes for the client and the workers are as above, while the task manager is defined as follows: Upon reception of the n tasks to be executed, the task manager passes the task descriptions to the method nextTask.This method instantiates one new worker, passes to it the corresponding task, and then recursively invokes itself to continue with worker instantiations.In order to execute exactly n recursive calls, n + 1 additional parameters are considered: in the first call all such parameters are distinct excluding the first and the last one, at every call the parameters are circularly shifted, and when the first two parameters coincide the chain of calls is terminated.
2.2.The operational semantics.The operational semantics of the language Actor will use an infinite set of actor names, ranged over A, B, • • • .This set is partitioned by the actor classes in such a way that every partition retains infinitely many actor names.We write A ∈ C to say that A belongs to the partition of C. In the following, the (run-time) expressions will also include actor names and, with an abuse of notation, this extended set of expressions will be ranged over by E. The set of terms that are variables or actor names, called values, will be addressed by U , V , • • • .Similarly for processes that, at run-time, may also have actor names.The extended set will be addressed by P .We notice that free(P ), when P belongs to this extended set, may returns variables and actor names.We will also apply free(•) to tuples of (extended) expressions: free( E) returns the set of variables and actor names in E.
The semantics is defined in terms of a transition relation S −→ S ′ , where S, S ′ , called configurations, are sets of terms A ⊲ (P, ϕ, q) with A being an actor name, ϕ, the state of A, being a map from fields(C) to values, where A ∈ C, and q being a queue of terms m( U ).The empty queue will be denoted with ε.Configurations contain at most one A ⊲ (P, ϕ, q) for each actor name A. As usual, let −→ * be the transitive closure of −→ and The operational semantics of Actor is defined in Table 2, where the evaluation function E ϕ U ; S is used (defined in Table 1).This function takes an expression E and a store ϕ and returns a value U and a possibly empty configuration S of terms A ⊲ (0, ϕ, ε).These terms represent actors created during the evaluation -the names A are fresh -and ϕ records the initial values of the fields of A. The auxiliary function fresh(•) used in the evaluation function takes a class actor and returns an actor name of that class that is fresh.In order to have a finitely branching transition system (see the remark at the end of this section), we assume actor names in classes are totally ordered and fresh(C) always returns the first unused name of the class C. In this way, fresh names are selected in a deterministic manner.
The same auxiliary function is used in rule (inst) on a tuple of variables.In this case it returns a tuple of the same length of variables that are fresh.Also in this case, we assume a total order of variables and fresh( x), where x has length n, returns the least n unused variables.For notational convenience, we always omit the standard curly brackets in the set notation and we use ", " both to separate elements inside sequences and for set union (the actual meaning is made clear by the context).
The initial configuration of a program with main process P is ℵ ⊲ (P, ∅, ε), where ℵ is a name of the root, an actor of a class without fields and methods.We assume that the class of ℵ does not belong to the classes of the program.Note that the root actor is guaranteed to terminate because its queue remains empty (no method invocation may be enqueued) and the main process (as any other one) terminates.
We finally remark that transition systems of the language Actor are finitely branching (every state has a finite number of successor states) because the choices of fresh actor names (in the evaluation of new C) and of fresh variables (in the instantiation of the bodies of methods) are deterministic.
2.3.Relevant sublanguages.We will consider the following fragments of Actor whose relevance has been already discussed in the Introduction: Actor ba is the sublanguage where the new expression only occurs in the main process (the number of actor names that it is possible to create is bounded).Actor ro is the sublanguage without the field update operation (f ← E) (fields are read-only as they cannot be modified after the initialization).Actor ro ba is the intersection of Actor ba and Actor ro .Actor sl is the sublanguage with classes without fields (objects are stateless). (upd) A In this section we establish the main undecidability results for the actor language in Section 2.
In particular, we will prove the undecidability of termination and process reachability.
Definition 3.1.Consider an actor program.The termination problem is to decide whether it has no infinite computation; the process reachability problem is to decide, given a process P , whether there exists a computation of the program traversing a configuration having a term A ⊲ (P ′ , ϕ, q) with P ′ being equal to P up-to renaming of variables and actor names.
We will use a reduction technique from a Turing-complete model to our actor model.In particular, the Turing-complete models we consider are the 2 Counter Machines (2CMs) [29] and a faulty variation of them.A 2CM is a machine with two registers R 1 and R 2 holding arbitrary large natural numbers and a program P consisting of a finite sequence of numbered instructions of the following type: • j : Inc(R i ): increments R i and goes to the instruction j + 1; • j : DecJump(R i , l): if the content of R i is not zero, then decreases it by 1 and goes to the instruction j + 1, otherwise jumps to the instruction l; • j : Halt: stops the computation and returns the value in the register R 1 .A state of the machine is given by a tuple (i, v 1 , v 2 ) where i indicates the next instruction to execute (the program counter) and v 1 and v 2 are the contents of the two registers.The user has to provide the initial state of the machine.The transition relation of the 2CM will be denoted by =⇒.
The faulty variation of the 2CM we use are the "two Faulty Towers Machine" (2FTM, for short) [12].These machines have two faulty registers R 1 and R 2 holding either arbitrary large natural numbers or the faulty value ⊥.The program of a 2FTM is a finite sequence of numbered instructions that are the same of those in 2CMs.However, in contrast with 2CMs, 2FTMs from a state (i, v 1 , v 2 ) may nondeterministically evolve into a faulty state (i, ⊥, v 2 ) or (i, v 1 , ⊥) or (i, ⊥, ⊥).If an instruction i is an Inc/DecJump that refers to the register R 1 (respectively, R 2 ) then (i, ⊥, v) (respectively, (i, v, ⊥)) evolves to (0, ⊥, v) (respectively, (0, v, ⊥)).In 2FTMs, the instruction numbered 0 is always assumed to be Halt.Let =⇒ F be the transition relation of the 2FTMs.
By definition, every 2CM program with a 0-numbered instruction Halt is a 2FTM program and conversely.If we restrict to 2CM with a 0-numbered instruction Halt, it is easy to verify that every such machine has an infinite computation with a 2CM-semantics if and only if it has an infinite computation with a 2FTM-semantics.Similarly for instruction reachability, if we consider any non 0-numbered instruction.

3.1.
The language Actor ba .We encode the value n stored in a register as n messages (of the same type) that are enqueued in an actor -see Figure 1.Namely, let R 1 and R 2 be two actors of class R and let the number of messages item in R 1 and R 2 be their value.
The instruction Inc is implemented by inserting one item message in the queue of the corresponding register.In our formalism, this is done by invoking the method item whose execution has two possible outcomes: (i) the invocation is enqueued again; (ii) the invocation is discarded because we are in the presence of a residual of a DecJump operation, as described next.R // R has fields dec, ctr, loop and stop The main process is Figure 1: Encoding a 2FTM in Actor ba (" " denotes an irrelevant initialization parameter) In case (i), to avoid an infinite sequence of item dequeues and enqueues, we introduce fields stop and loop which are initialized to false and set to true by the bottom method in case the queue contains only item messages.This has as effect that the stored item messages are subsequently purged from the queue of the register.Note that differently from the example in Section 2 we have encoded the boolean values as fields (so that we do not need to pass them around).
In case (ii), registers have a field dec that is set to tt by a decjump method execution.This field means that the actual decrement of the register is delayed to the next execution of checkzero.Since in (ii) item is not enqueued, then the register is actually decremented and the field dec is set to ff .When checkzero will be executed, since dec = ff then the next instruction of the 2CM is simulated.On the contrary, when checkzero is executed with dec = tt then the decrement has not been performed (the register is 0) and the simulation jumps.
The Halt instruction is simulated by invoking a method halt that does nothing.As in the examples of Section 2, booleans are implemented by two variables -see the method Ctrl.init -that are distributed during the invocations.With a similar machinery, in the actor class Ctrl, the labels of the instructions are represented by the variables x 1 , • • • , x n , which are stored in the fields stm 1 , . . ., stm n of Ctrl .Theorem 3.2.Termination and process reachability are undecidable in Actor ba .
The undecidability of termination in Actor ba follows by the property that a 2FTM diverges if and only if the corresponding actor program has an infinite computation.As regards process reachability, we need a smooth refinement of the encoding in Figure 1 where the Halt instruction is simulated by a specific process.
Proof.Let us assume to have a fixed 2FTM and let [[Instruction i ]] i,tt,ff be defined in Figure 1.Let also , where P is the main process in Figure 1.Then we demonstrate the following properties: ] tt,ff has an infinite computation then the computation has infinitely many configurations like 2 ) is a computation with every intermediate configuration having the process of the actor C equal to 0 then there are two computations ]] tt ,ff where the actor C never moves such that . The proof of ( 1) is a straightforward case analysis on the type of instruction i.
The proof of (2) uses an argument by contradiction.Assume that there are finitely many configurations like 3.1.Then, there is an infinite suffix of this computation in which the actor C does not perform actions.This means that at least one actor R i performs infinitely many actions by executing the methods item and bottom.But this is not possible because bottom blocks the actor if it is invoked twice without executing update actions on the register in between.
The proof of (3) simply considers two possible cases: either some fields stop is set to tt during the computation or not.In the first case the corresponding register of the 2FTM enters a faulty state ⊥.In the second case the instruction has been correctly executed.
The property (1) guarantees that if a 2FTM has an infinite computation then also the corresponding encoding has an infinite computation.The opposite follows from (1) and ( 2): if the encoding has an infinite computation, it traverses infinitely many configurations representing configurations of the corresponding 2FTM, thus it also has an infinite computation.The undecidability result can be easily extended to the process reachability problem.It suffices to modify the process modeling an Halt (not numbered with 0) by replacing this!halt () with a process Q different from all the other processes in Figure 1.We have that Q is reachable if and only if the 2CM with the same program of the given 2FTM terminates.

3.2.
The language Actor ro .We show that Actor ro is Turing-complete by means of an encoding of a 2CM -see Figure 2. In this encoding the two registers are represented by two disjoint stacks of actors linked by the next field.The top elements of the two stacks are passed as parameters r 1 and r 2 of the run method of the controller.As before, this actor encodes the control of the 2CM.
The instruction Inc is implemented by pushing an element on top of the corresponding stack.This element is an actor of class R storing in its field the old pointer of the stack.The new pointer, i.e. the new actor name, is passed to the next invocation of the run method.
The instruction DecJump is implemented by popping the corresponding stack.In particular, the method run of the controller is invoked with the field next of the register being decreased.This pop operation is performed provided the register that is argument of run is different from nil.Otherwise a jump is performed.Note that the other top of the stack r j (i = j) and the next instruction to be executed are simply passed around and therefore they do not need to be stored in updatable fields.Theorem 3.3.Termination and process reachability are undecidable in Actor ro .
Proof.It is easy to verify that if a 2CM has a computation The configurations G i only contain register terms r⊲(0, [next → r ′ ], ε) and represent garbage (they are inactive).
In contrast with Theorem 3.2, the converse implication (every computation of the Actor ro program in Figure 2 may be split in subcomputations of finite lengths that correspond to 2CM transitions) is not difficult because the program of Figure 2 is deterministic.
The above correspondence guarantees that the computation of the actor system terminates if and only if a Halt instruction is reached.The undecidability of process reachability is proved by using the same arguments of Theorem 3.2.

Decidability results for Actor ro ba
We demonstrate that programs in Actor ro ba are well-structured transition systems [1,16].This will allow us to decide a number of properties, such as termination.We begin with some background on well-structured transition systems.
A reflective and transitive relation is called quasi-ordering.A well-quasi-ordering is a quasi-ordering (X, ≤) such that, for every infinite sequence x 1 , x 2 , x 3 , • • • , there exist i, j with i < j and x i ≤ x j .Definition 4.1.A well-structured transition system is a finitely branching transition system (S, −→, ) where is a quasi-ordering relation on states such that (1) is a well-quasi-ordering (2) is upward compatible with −→, i.e., for every S 1 S ′ 1 and S 1 −→ S 2 , there exists S ′ 1 −→ * S ′ 2 such that S 2 S ′ 2 .Given a state s of a well-structured transition system, Pred (s) denotes the set of immediate predecessors of s (i.e., Pred (s) = {s ′ | s ′ −→ s}) while ↑ s denotes the set of states greater than s (i.e., ↑ s = {s ′ | s s ′ }).With abuse of notation we will denote with Pred ( ) also its natural extension to sets of states.
According to the theory of well-structured transition systems [1,16], we have that several properties are decidable for such transition systems (under some conditions discussed below).We will consider the following properties.
Figure 2: Encoding a 2CM in Actor ro Definition 4.2.Consider a well-structured transition system (S, −→, ).Given S ∈ S the termination problem is to decide whether S has an infinite computation; the control-state reachability problem is to decide, given T ∈ S, whether there is T ′ T such that S −→ * T ′ .
In well-structured transition systems termination is decidable when the transition relation −→ and the ordering are effectively computable.When it is also possible to effectively compute a finite-basis for the set of states Pred (↑ s) we have that control-state reachability is decidable as well.
In the following we assume given an actor program with its main process and its set of actor class definitions.The first relation we convey is • = that relates renamings, ranged over by ρ, ρ ′ , . . .that are functions mapping variables that are not free in the main process into either actor names or variables.Let ) is an actor name or a free variable of the main process Namely, two renamings are in the relation • = if they identify the same variables, regardless the value they associate when such a value is a variable.For example, [x → y, y → z] In general, if ρ and ρ ′ are injective renamings that always return variables then ρ ).From this also follows that the above renamings do not change the main process (because they do not apply to its free variables).
Let dom(ρ) be the domain of the renaming ρ.We denote by P ρ the result of P [ ρ( x) / x ], where x = x 1 , • • • , x n is a tuple containing the variables in dom(ρ) (without repetitions) and ρ( x Next, let ≃ be the least relation on terms m(U 1 , • • • , U n ) and on processes such that For example, it is easy to verify that m(x, y) ≃ m(x ′ , y ′ ) and that The rationale behind ≃ is that it identifies processes that "behave in similar ways", namely they enqueue "similar invocations" in the same actor queue.Method invocations m(U Proof.We demonstrate the lemma for processes, the argument is similar for method invocations.So, let P be a process.It is possible to count the number of renamings ρ on free(P ) that are different according to • =.In fact, the values of renamings on variables that are different from free(P ) do not play any role in the definition of T .
The basic remark is that a renaming ρ generates a partition of the set free(P ): two variables x and y are in the same partition if and only if ρ(x) = ρ(y).If we restrict to renamings that map variables to variables (and not actor names), then they are different according to • = if they yield different partitions.The number of such renaming is the Bell number of the cardinality of free(P ), let it be Bell(κ), where κ is the cardinality of free(P ).In addition, in our case, renamings may map a variable to an actor name into a finite set {A 1 , • • • , A ℓ }.In this case the identity of the actor name is relevant.If κ ≥ ℓ then The well-quasi-ordering relation on configurations relies on an (almost standard) embedding relation ≤ on queues (except the part about ≃, it is the one in [16]): Then, let It is worth noticing that the relation constraints corresponding elements A ⊲ (P, ϕ, q) and A ⊲ (P ′ , ϕ, q ′ ) to have the same states.In fact these states are defined by the main process using either its free variables or the actor names that it has created.For this reason there are finitely many of them and the relation is parametric with respect to them.
Theorem 4.4.Let (S, −→) be a transition system of a program of Actor ro ba .Then (S, −→ , ) is a well-structured transition system.
Proof. ( 1) is a well-quasi-ordering.To prove that is a well-quasi-ordering, we reason by contradiction.Let S 1 , S 2 , S 3 , • • • be an infinite sequence of states in S such that, for every i < j, S i S j .Let y 1 ,• • • ,y m be a sequence of variables not free in the main process.Consider: The set subterms(C) is finite, but all the -possibly infinitely many-processes that can be executed (or the messages that can be received) by an actor of class C are renamings P ρ (or m( y)ρ) of these terms.Notice that by Lemma 4.3, the number of terms P ρ (and m( y)ρ) which are different according to ≃ is finite as well.It is thus possible to extract a subsequence • • • such that, for every A, in the elements A ⊲ (P A i j ρ i j , ϕ A i j , q A i j ) and A⊲(P A i k ρ i k , ϕ A i k , q A i k ) of S i j and S i k , respectively, we have that P A i j ρ i j ≃ P A i k ρ i k .Moreover, as we are considering Actor ro ba the actor state cannot be modified, hence ϕ A i j = ϕ A i k .As we are considering Actor ro ba , the set of actor is bound.Let A 1 , • • • , A ℓ be such actor names.Due to the above arguments, the sequence S i 1 , S i 2 , S i 3 , • • • may be represented as a sequence of tuples of queues: , where ⊑ ℓ is the coordinatewise order defined by (≤ is the above embedding relation).
We are finally reduced to an infinite sequence of tuples of queues such that every tuple cannot be in relation according to ⊑ ℓ with any of the subsequent ones.This fact contradicts the Higman's Lemma [21]: if (X, ≤) is a well-quasi-ordering and (X * , ≤ * ) is the set of finite X-sequences ordered by the embedding relation ≤ * defined using ≤ as pointwise ordering, then (X * , ≤ * ) is a well-quasi-ordering.More precisely, the contradictions follows from the following consequence of the Higman's Lemma: • if X is a finite set and (X * , ≤) is the set of finite X-sequences ordered by the embedding relation, then (X * , ≤) is a well-quasi-ordering. and from the following statement is upward compatible with −→.A state ϕ is normed, if, for every field f, ϕ(f) is either a free variable in the main process or an actor name.A configuration is normed if the states of the actors are normed.We observe that the initial configuration is normed.We also let ( E)ρ ≃ ( E)ρ ′ whenever ρ (exp-ii) if E (respectively P ) only contain free variables in the main process and actor names then E ≃ E ′ (respectively P ≃ P ′ ) implies E = E ′ (respectively P = α P ′ ) and E ∅ U ; S implies that U contain free variables in the main process and actor names and S is normed.(exp-i) is proved by induction on the hight of the proof-tree of E ϕ U ; ∅.There are two basic cases: (1) E = U and (2) E = f.As regards ( 1), E ′ = U ′ and the property is immediate by the hypothesis that E ≃ E ′ .As regards ( 2), henceforth the property (because E ′ is evaluated in the state ϕ as well).There is one inductive case (because the case of new is not possible, otherwise S cannot be empty), which is immediate.
(exp-ii) is an immediate consequence of the definition of Let S 1 −→ S 2 .We demonstrate that (i) if S 1 is normed then S 2 is normed as well (this means that the transition system (S, −→) of a program of Actor ro ba has normed configurations because the initial state is normed); (ii) if S 1 S ′ 1 then there exists S ′ 1 −→ * S ′ 2 such that S 2 S ′ 2 .As regards (i), it follows by remarking that in programs of Actor ro ba , there is no field update and the unique process that may create states is the one of ℵ (the main process).Then (i) derives from the property (exp-ii).
As regards (ii), its proof is a case analysis on the proof-tree of S 1 −→ S 2 where the cases correspond to the unique rule appearing in the tree that is not an instance of (context).
without loss of generality, we are assuming the two bound variables are the same) and q ≤ q ′ .There are two subcases: (1.1)A = ℵ and (1.2) A = ℵ.In (1.1),By (exp-ii), this is possible provided E = E ′ and P = α P ′ .It is easy to verify that S ′ 1 −→ S ′ 2 and S 2 S ′ 2 because their unique difference with S 1 and S ′ 1 is due to the two processes P and P ′ .In (1.2), S 3 = ∅ because no new can occur in E. Additionally, by definition of ≃, E ≃ E ′ and P ≃ P ′ .Let E ′ ϕ U ′ , ∅.By (exp-i) we have U ≃ U ′ and it is easy to verify that P and S 2 S ′ 2 because their unique difference with S 1 and S ′ 1 is due to the two processes We notice that the well-structured transition system (S, −→, ) has decidable algorithms for computing and for computing the next states.Then decidability of termination directly follows from the above mentioned results of the theory of well-structured transition systems that we have previously recalled.Theorem 4.5.In programs of Actor ro ba the termination problem is decidable.We now move to the definition of an appropriate algorithm for the computation of a finite basis for the predecessors of a given configuration, so to conclude also the decidability of control-state reachability.
Lemma 4.6.Let (S, −→, ) be a well-structured transition system of a program in Actor ro ba , and let S ∈ S. Then there is a finite set X ⊆ Pred (S) such that, for every S ′ ∈ Pred (S), there is T ∈ X with T S ′ .X can be effectively computed.
Proof.We show how to compute X .Let S = A ⊲ (P, ϕ, q), S ′ .The predecessor processes of P are the following ones: (i ) let x = E in P ′ , with P = P ′ [ U / x ], for some U and some x; (vii ) P is an instance of a method body of the actor class of A. If A is of actor class C then we take all the method bodies of C with a suffix matching one of the cases (i )-(vi ) above (in this case, the expressions in (ii ) are either variables or actor names).If A = ℵ then we look for a matching suffix of the main process.The above six cases are demonstrated in the presence of such suffixes.
It is worth noticing that the language Actor also owns the more classical diamond property: if in a configuration there are two transitions inferred by two distinct actors, then it is possible to perform them in any order reaching the same configurations up-to bijective renaming.We omit the formalization of this property since it is not needed in the rest of the paper.
Corollary 4.9.The process reachability problem is decidable in Actor ro ba .Proof.In order to verify whether a configuration A ⊲ (P ′ , ϕ, q), S is reachable with P ′ equal to P up-to renaming of variables and actor names, we proceed as follows.
First, by Proposition 4.8 it is not restrictive to consider the set of configurations T reachable by completely executing the actor ℵ only.The cardinality of T is bounded by 2 k , where k is the maximal nesting of + in the main process.If one of the processes in the configurations reached by executing ℵ is equal to P , up-to renaming of variables and actor names, then we are done.Otherwise, let u be the free variables in the main process.For each of T = ℵ ⊲ (0, ∅, ε), A 1 ⊲ (0, ϕ 1 , q 1 ), • • • , A ℓ ⊲ (0, ϕ ℓ , q ℓ ) in T , we check control-state reachability from T to at least one of the states in the following finite set: We conclude this section by recalling that we have already proved the undecidability of termination in programs with unboundedly many actors and read-only fields.Note that if we remove from Actor ro ba the constraint on bounded actor names then the relation is no longer a well-quasi-ordering.Consider, for instance, an actor (with empty state) having a method that first creates a new instance of the same class and then invokes on this new instance the same method.Among the reachable configurations it is possible to select a sequence S 1 , S 2 , S 3 , • • • such that the configuration S n is defined as follows: It is easy to see that, for every i < j, S i S j .

Decidability results for Actor sl
We prove that in Actor sl termination and process reachability are decidable, too.As discussed at the end of Section 4, the ordering defined for Actor ro ba is not appropriate for Actor sl because in the latter it is possible to dynamically produce unboundedly many actors.Therefore, in order to compute an upper bound to the instances of method bodies, which is the basic argument for the model of Section 4 to be a well-structured transition system, we need to abstract from the identity of these names -as we have done with variables.However, in case of actor names, the abstractions we have devised all break the delivering of messages.Therefore we decided to apply our arguments to an abstraction of the operational model where the delivery of messages is inexact: it may be enqueued in every actor of the same class.Yet, this abstract model allows us to derive decidability of termination and process reachability for the original language.
In order to formalize the correspondence between the concrete and the abstract operational semantics, we need to add decorations to processes and transitions at the concrete level.Such decorations are used to keep track of the causal dependencies among processes.The decorated syntax adds a sequence of natural numbers in front of the process of an actor, namely, we use A ⊲ (σ : P, ∅, q) where σ has the following meaning: if σ = σ ′ • n, then σ ′ The decorated evaluation relation E d U ; S: The decorated transition relation S σ −→ S ′ : A ∈ C C.m( x) = P y = free(P ) \ x y ′ = fresh( y) A ⊲ (σ ′ : 0, ∅, m( U , σ) • q) identifies the action of emission of the message that caused the method instantiation from which P was generated, and n is a counter indicating that P is actually generated by the method instantiation after n steps.Notice that for the main process executed by the actor ℵ the sequence σ ′ is empty, and that when a method is instantiated the counter n is initialized A ∈ C C.m( x) = P y = free(P ) \ x y ′ = fresh( y) Table 4: Abstract transition rules for method invocations and instantiations to 0. In order to transfer the sequence from the message emitter to the receiving actor, we add σ at the end of messages.Namely, messages are now denoted with m( U , σ).The decorated operational semantics S α −→ S ′ is defined in Table 3, where the label α can be either a sequence σ or a pair σ|m( U , A) where the second element identifies the message issued during the transition.The decorated operational semantics increments the last number of the sequence of a process every time it performs an action, adds to messages the current sequence of the emitter, and use the sequences inside messages to initialize the sequence of the method instantiations (by extending it with 0).
It is trivial to see that the operational semantics in Table 3 and the decorated semantics coincide, in the sense that given one configuration S 1 of Actor sl we have S 1 −→ S 2 if and only if there exist a label α and two decorations S ′ 1 and S ′ 2 of S 1 and S 2 , respectively, such that S ′ 1 α −→ S ′ 2 .As discussed at the beginning of this Section, we need a more abstract semantics with inexact message deliveries.This is obtained by changing the operational semantics in Table 3 by decoupling the evaluation of the body of a method from the actor name of that method.Let S α −→ a S ′ be the abstract transition relation defined as S α −→ S ′ in Table 3 except the two rules (invk-s d ) and (invk d ) for method invocation and the rule (inst d ) for the instantiation of method bodies, which are replaced by those in Table 4.In the abstract transition relation, a message is added in a queue of an actor nondeterministically selected among those belonging to the same class of the target actor.The item m( U , σ) is enqueued with an additional argument -the actor name of the target actor.This additional argument is used when the method body is instantiated.In fact it replaces the variable this, thus making the execution of a body invariant regardless the actor that actually performs it.
As an example, consider the task manager specified in Actor sl in the Example 2.4.Also under the abstract semantics n distinct workers are instantiated, but it is possible for two distinct tasks to be delivered to the same worker.
We now introduce few notations: -Let Ω() be a map from "concrete" to "abstract" configurations: given a configuration S, we denote with Ω(S) the configuration obtained from S by replacing each of its actors As a direct consequence we have that the abstract semantics preserves both termination and control-state reachability.It remains to prove that termination and process reachability is decidable for the abstract semantics.To this aim, we consider a transition system −→ a obtained by removing the labels from the transitions α −→ a .On this transition system we define a as a variant of the ordering defined in the previous section in such a way that (S, −→ a , a ) turns out to be a well-structured transition system (for configurations of stateless programs).Let: -Let ≤ a be the following relation on message queues: -Let a be the ordering: Next, we observe that Lemma 4.3 can be adapted to the case of unbounded actors by using ≃ a instead of ≃.Namely, let T be either a process or a method invocation Proceeding as in the proof of Lemma 4.3, we prove that T is finite.
Theorem 5.2.Given a stateless program S we have that (S, −→ a , a ) is a well-structured transition system.
Proof.The proof is as in Theorem 4.4 with few differences that are discussed below.
In part (1) the unique difference is in the last part where the coordinatewise order ⊑ ℓ on sequences (of length ℓ) of queues of terms is used.As we now consider configurations with an unbounded number of actors, instead of configurations with a bounded number ℓ of actors, we need to resort to the embedding ⊑ a defined as follows: The final contradiction of part (1) is now reached by observing that by Highman's lemma, also ⊑ a is a well-quasi-ordering, as a consequence of the well-quasi-ordering ≤ a .
In part (2) the unique difference is for the monotonicity transitions due to rules (invka) and (invk-sa).The greater configuration is guaranteed to have a program ready to perform a corresponding method invocation, but this could be addressed to a different actor.In fact, the ordering a does not preserve actor names as it was for in the proof of Theorem 4.4.But a preserves at least actor classes.As the abstract transition system −→ a allows a term m( U , σ, A) to be introduced in the queue of any of the actor belonging to the same class of A, the method invocation executed by the greater configuration can be introduced in the queue of the actor corresponding to the target of the method invocation executed by the smaller configuration.
In the light of the results on well-structured transition systems recalled at the beginning of Section 4, this theorem proves the decidability of termination for the abstract semantics.To prove the decidability of process reachability we need to prove that a finite basis for predecessors is effectively computable.Lemma 5.3.Let (S, −→ a , a ) be a well-structured transition system of a program in Actor sl , and let S ∈ S. Then there is a finite set X such that, for every S ′ a S and S ′′ ∈ Pred (S ′ ), there is T ∈ X with T a S ′′ .X can be effectively computed.
Proof.The computation of X must extend the construction presented in the proof of Lemma 4.6 in two ways.
The first extension derives from the fact that, differently from the ordering considered in Lemma 4.6, if S a S ′ it could be possible for S ′ to have strictly more actors than S. In these case, it is possible that the predecessor differs from its successor S ′ for actors that are not present in S. We can cope with this problem by applying the procedure described in the proof of Lemma 4.6 not only to the configuration S, but to all the configurations that can be obtained by extending S with one or two additional actors belonging to one of the finite classes of the considered program.In fact, at most two actors are modified by one transition.Each of these additional actors executes a process obtained by applying a renaming ρ to a suffix of one of the method definitions of the corresponding class.As observed above, there are finitely many processes that can be obtained up-to ≃ a .Finally, the additional actors have a queue including at most one method invocation (in fact, at most one message can be consumed in one transition).Also in this case, by considering the method definitions of the actor class, it is easy to see that there are finitely many different method invocations up-to ≃ a .
The second extension is trivial and deals with the fact that in the abstract semantics a method invocations can be introduced in the queue of any of the actors belonging to the same class of the expected target actor.So the procedure of the proof of Lemma 4.6 for computing X must be extended to consider also this kind of transitions.
From Theorem 5.2, this last Lemma and the results on well-structured transition systems recalled at the beginning of Section 4, we can conclude that also control-state reachability, besides termination as already commented above, is decidable for the abstract semantics.From Proposition 5.1 we have already concluded that the abstract semantics preserves termination and control-state reachability w.r.t. the concrete semantics.Hence, we have that termination and control-state reachability are decidable for stateless actor program.
The decidability of control-state reachability entails the decidability of process reachability.In fact, given a process P , the reachability of a configuration A ⊲ (P ′ , ϕ, q), S with P ′ equal to P up-to renaming of variables and actor names can be solved in the abstract transition system simply by checking the control-state reachability of at least one of the following states.Let C 1 , . . ., C n be the actor classes of the considered actor system and let A 1 , • • • , A n be such that A i ∈ C i .We consider the following finite set of states: in the class C i and it is equal to P up-to renaming }

Conclusions
To the best of our knowledge this paper contains a first systematic study on the computational power of Actor-based languages.We have focussed on the pure asynchronous FIFO queueing and dequeuing of method calls between actors in the context of a nominal calculus which features the dynamic creation of variable names that can be passed around.The results proved in this paper can be summarized as follows: • we identified two small but Turing powerful fragments of our Actor language: the fragment in which only boundedly many actors can be created, and the fragment in which fields cannot be updated; • we have proved that the fragment obtained as intersection of the two above sublanguages is not Turing complete, as properties like termination and control-state reachability turn out to be decidable; • if Actors are stateless, the language has decidable termination and control-state reachability even if we consider unboundedly many Actors.We conclude by mentioning relevant lines for future research.Recent work have identified more expressive Actor interaction mechanisms based an asynchronous method calls implemented by means of the so-called future variables [14]: we plan to investigate the impact of this Actor-based synchronization mechanism on our (un)decidability results.We also plan to extend our study of expressiveness to primitives like the release statements in [7].These statements support the so-called cooperative shceduling of method invocations: method executions can release the control of the Actor in such a way that other method executions can be instantiated or resumed.

•
= ρ ′ .The requirements of • = are stronger for actor names: in this case the two renamings should be identical.By definition, renamings in relation according to • = never apply to free variables of the main process.This because these variables are possibly stored in fields of actors and their renaming might change the behaviours of actors in a way that breaks the upward compatibility of the following relation and −→ (c.f.proof of Theorem 4.4, part is an upper bound to the different renamings according • =.If κ < ℓ then the upper bound is (ℓ!/κ! + 1) × Bell(κ).In any case the number of different renamings according to • = is finite.Henceforth the set T is finite as well.

Lemma 4 .
6 and the above mentioned results on well-structured transition systems allow us to decide the control-state reachability problem.Theorem 4.7.In programs of Actor ro ba the control-state reachability problem is decidable.Proof.Let ↑ S = {S ′ ∈ S | S S ′ }.Let also Pred (↑ S) = {T | T −→ S ′ and S ′ S}.By definition of , Pred (↑ S) ⊆ Pred (S).Therefore ↑ Pred (↑ S) ⊆ ↑ Pred (S) ⊆ ↑ X , where X is the finite set of Lemma 4.6 that is effectively computable.Next we discuss the process reachability problem -see Definition 3.1 -in Actor ro ba .To this aim, we use a simpler version of the (classical) diamond property.

Table 2 :
The transition relation S −→ S ′ 3. Undecidability results for Actor ba and Actor ro suffix of the body of m i in C i , where A i ∈ C i , formal parameters and free variables of m i are x i and y i U i is a tuple in {A 1 , . . ., A ℓ , u, z} ( z, z 1 , • • • , z ℓ are fresh) there exists 1 ≤ j ≤ ℓ such that Q j is equal to P up-to renaming } Then the corollary follows by Theorem 4.7.

Table 3 :
The decorated operational semantics of the language Actor sl