# MPC 2000 Talk

Document Sample

```					On Guarded Commands with Fair Choice                                    Weak and Strong Fairness [e.g. Frances 86]

• The nondeterministic choice in Dijkstra’s guarded commands
Emil Sekerinski                                                           allows an arbitrary selection to be made on every occurrence:

Department of Computing and Software                                             do b f b := true                       (A)
[] b f b := false                     (B)
McMaster University
od
July 2000
If we assume that the choice is (weakly) fair, then action (B) will
be eventually taken and the program will always terminate.
Contents
• Why Fairness                                                          • Weak fairness: An action will be taken provided that it remains
• Defining Fair Choice by Iterations                                      continuously enabled.
• Algebraic Reasoning about Fair Choice
• Verification of Loops with Fair Choice                                • Strong fairness: An action will be taken provided that it is
• Discussion                                                              infinitely often enabled.

1                                                                            2

Fair Choice and Concurrency                                             Predicate Transformers [following Back & Wright 99]

• In the interleaving model, concurrency is expressed through           • Predicate Transformers: functions from postconditions to
nondeterminism. Fairness models “true concurrency” better:              preconditions:

do b f b := true od ||               process A
PΣ       ê Σ f bool                     state predicates
do b f b := false od                 process B                       ∆ŒΩ ê PΩfP∆                             predicate transfomers
=       {definition of ||}
ordered by universal entailment, i.e. for p, q: P Σ, S, T: ∆ Œ Ω:
do b f b := true
[] b f b := false
p≤q      ê ∀σ•pσÞqσ                     entailment
od
S×T      ê ∀q•Sq≤Tq                     refinement

• The motivation for this work arose in the study of object-based
wp (S, q) in Dijkstra’s original notation corresponds to S q.
concurrency.
• Statements: monotonic predicate transformers.

3                                                                            4
Demonic and Angelic Choice                                                   Sequential Composition

• Assume S, T are predicate transformers and, p is a predicate:              • Assume S, T are predicate transformers and q is a predicate:

abort q         ê    false              "worst behavior"                     skip q       ê    q                 identity
magic q         ê    true               "blocking execution"                 (S ; T) q    ê    S (T q)           sequential composition

(S é T) q       ê    (S q) ¦ (T q)      demonic choice
• Monotonic predicate transformers form a monoid with
(S è T) q       ê    (S q) v (T q)      angelic choice                 composition ; and unit skip.

• Monotonic predicate transformers form a complete lattice with              • abort and magic are left zeros of ;.
top magic, bottom abort, meet é, and join è.
• ; distributes over é and è to the left.

5                                                                        6

• Assume p, q are predicates and R: ∆ f P Ω is a relation:                   • Let F be a function from predicate transformers to predicate
transformers. Consider the equation:
[p] q       ê   pÞq                             assumption
X = FX                              fixed point
{p} q       ê   p¦q                             assertion
If F is a monotonic function, then according to Knaster-Tarski
[R] q δ     ê   (∀ ω • R δ ω Þ q ω)             demonic update          solutions X exist, in particular
{R} q δ     ê   (∃ ω • R δ ω ¦ q ω)             angelic update
– a least solution µ F , also written as µ X • F X ,
• Some derived statements:
– a greatest solution ν F , also written as ν X • F X .
pfS         ê   [p] ; S                         guarded statement
if p then S else T ê (p f S) é (¬p f T)         conditional
x := e ê [R] where                             assignment
R (x, y) (x', y') = (x' = e) ¦ (y' = y)

7                                                                        8
Iterations [Park 80, Aarts et al 95, Back & Wright 99]                    Weak and Strong Iterations

• Iterations of statement S are described as solutions X of (where        • Assume S is a monotonic predicate transformer:
; binds tighter than é ):
S ω ê µ X • S ; X é skip              strong iteration
X = S ; X é skip                                                          S*   ê ν X • S ; X é skip             weak iteration

• For example, for                                                        • Both define a demonically chosen number of repetitions of S:

S = a := a + 1                                                       – With S ω, the number of repetitions can be infinite, for example
solutions are:                                                                     (a := a + 1)ω = abort
as the least fixed point is given by their demonic choice, and
– X = skip é a := a + 1 é a := a + 2 é …                                          abort é Q = abort for any Q

– With S *, the number of repetitions is always finite, for example
– X = abort
(a := a + 1)* = skip é a := a + 1 é a := a + 2 é …
as the greatest fixed point is given by their angelic choice, and
abort è Q = Q for any Q
9                                                                      10

Guards and Loops                                                          Loops with Unair and Fair Choice

• Assume S is a predicate transformer:                                    • Loops with unfair and fair choice are given by

grd S        ê     ¬S false            enabledness domain                 do S é T od
do S w T od
Properties:
in a compos itional manner, respectively. To this end, we define:
grd (p f S) =      p ¦ grd S
grd (S é T) =      grd S v grd T
S+       ê S ; S*                     positive weak iteration
+      +
SpT      ê S éT                       ”S box T”
• The do od loop is like strong iteration, except that the loop has
to continue as long as the guard of the body holds:
• Theorem 1. For statements S and T:
ω
do S od      ê     S ; [¬grd S]        loop
do S é T od = do S p T od

11                                                                       12
Fair Choice                                                                         An Unreliable Channel …

• If S is enabled, S behaves as S, otherwise as skip:                               • We require that the channel copies in to out:

S         ê    S é [¬grd S]                   "try S"                                                                          in                       out
out := in                                           channel

• Recalling that S p T ê S+ é T+, we define:                                        • An implementation needs to retransmit the data until it finally
SwT       ê    S + ; T é T+ ; S               fair choice
+     +
var r • r := false ;
SrT       ê    S éT ;S                        left fair choice
do ¬r f out, r := in, true
StT       ê    S + ; T é T+                   right fair choice
r ¬r f skip
od

This implements out := in, provided successful transmission has
a fair chance.

13                                                                                       14

… An Unreliable Channel …                                                           … An Unreliable Channel

• We start with the body of the loop:                                               • We continue:

(¬r f out, r := in, true) r (¬r f skip)                                             var r • r := false ; do ¬r f out, r := in, true r ¬r f skip od
=        «definition of f and skip unit of ;»                                       =        «previous calculation »
(¬r f out, r := in, true) r [¬r]                                                    var r • r := false ; do ¬r f out, r := in, true od
=        «definition of r»                                                          =        «definition of do od and ¬grd (¬r f out, r := in, true) = r»
(¬r f out, r := in, true)+ é [¬r]+ ; (¬r f out, r := in, true)                     var r • r := false ; (¬r f out, r := in, true)ω ; [r]
=        «for any S: S+ = S ; S* and S* = S ; S* é skip»                            =        «for any S: S* = S ; S* é skip and simplification»
(¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true)                        var r • r := false ; ((¬r f out, r := in, true) é skip) ; [r]
=        «definition of S and simplification of grd»                                =        «; distributes over é and definition of f»
(¬r f out, r := in, true) é [¬r] ; ((¬r f out, r := in, true) é [r])                var r • (r := false ; [¬r] ; out, r := in, true ; [r]) é (r := false ; skip ; [r])
=        «; distributes over é and [¬r] ; [r] = magic»                              =         «simplification»
(¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true)                        var r • r := false ; out, r := in, true
=        « for any p: [p] ; [p] = [p] and é idempotent»                             =        «simplification»
out := in
¬r f out, r := in, true

15                                                                                       16
Unfair Choice is Refined by Fair Choice                              A Round Robin Scheduler

• Theorem 2. For statements S and T:                                 • We schedule statements S and T:
– If S is enabled, we execute it and continue with T, if possible.
do S é T od × do S r T od                                      – Otherwise, if S is not enabled we continue with T:

• Theorem 3. For statements S and T:                                          S :: T   ê     S ; T é [¬grd S] ; T    "S then T"

do S é T od × do S w T od                                        Note that grd (S :: T) = grd S v grd T.

Proof Outlines. By Theorem 1 this is equivalent to                • Theorem 4. For statements S and T:
do S p T od × do S r T od
do S r T od × do S :: T od
do S p T od × do S w T od
which then reduces to
(S p T)ω × (S r T)ω
(S p T)ω × (S w T)ω
respectively, which holds by straightforward calculations.
17                                                                        18

A Prioritizing Scheduler                                             Verification of Loops

• We schedule statements S and T:                                    • Let W be a well-founded set and let rw for w e W be a collection
– If S is enabled, we execute it.                                    of ranked predicates. Typically, a ranked predicate is the
– Otherwise, only if S is not enabled, we continue with T:           conjunction of an invariant I and variant t:

S // T   ê    S é [¬grd S] ; T        "S else T"                      rw = I ¦ (t = w)

Let r<w be true if a predicate with lower rank than rw is true:
Note that grd (S // T) = grd S v grd T.
r<w = (∃ v < w • rv)
• Theorem 4. For statements S and T:
• Theorem 6. Let S be a statement and rw for w e W a collection
do S r T od × do S // T od
of ranked predicates. Then

(∀ w e W • rw ≤ S r<w) Þ
r ≤ do S od (r ¦ ¬grd S)

where r = (∃ w • rw ) .
19                                                                        20
Verification of Loops with Unfair and Fair Choice                          Discussion …

• Let S be a statement and rw for w e W a collection of ranked             • [Park 80] uses least as well as greatest fixed points for the “fair
predicates. Let g = grd S v grd T.                                         merge” of sequences.

• Dijkstra’s calculus has earlier been extended by fair choice:
• Theorem 7.

(∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T r<w )) Þ                            – [Morris 90] relies on temporal predicate transformers and
on substitution of fair choice by angelic choice, basically
r ≤ do S é T od (r ¦ ¬g)                                             leading to strong fairness.

• Theorem 8.
– [Broy & Nelson 94] define do S w T od similarly, except that
(∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T ((rw ¦ grd S) v r<w )) Þ              S + is defined by ∇ modeling fair parallel execution; this
relies on wp as well as wlp and two ordering relations.
r ≤ do S r T od (r ¦ ¬g)
– [Wabenhorst 96] extends action systems by explicitly
specifying unfair sequences, allowing a wider range of
fairness constraints to be expressed, in a different style.
21                                                                       22

… Discussion                                                               Fairness and Unbounded Nondeterminism

• The point of this approach is to treat fairness in an algebraic          • Including fair choice allows expressing unbounded
style. A number of issues have been left out:                              nondeterminism:

– Theorem 8 can we weakened by allowing the fair                                  var b : bool •
statement to be “helpful” only in some states, e.g. as in                       b := true ; x := 0 ;
[Back & Xu 1998] for action systems;                                            do b f x := x + 1
[] b f b := false
– Generalization to more than 2 fair statements;                                  od
=
– Extension to strong fairness and other forms of fairness;                          e
x :e nat

• All results do not rely on conjunctivity, i.e. do not exclude            • We define statements by predicate transformers, and allow
angelic nondeterminism, which can be used for modeling                     unbounded demonic as well as angelic nondeterminism.
interactive systems. The results carry over to that setting.

23                                                                       24
A Theorem about S p T …                                                  … A Theorem about S p T

• Theorem 1. For statements S and T:                                          (S é T)ω × (S+ é T+)ω
=      «for any S: (S+)ω = Sω»
do S é T od = do S p T od
((S é T)+)ω × (S+ é T+)ω
Ü      «monotonicity of S ω»
Proof. We first note that:
(S é T)+ × S+ é T+
+   +          +         +
grd (S p T) = grd (S é T ) = grd S v grd T = grd S v grd T           =        «lattice property»
((S é T)+ × S+) ¦ ((S é T)+ × T+)
By definition of do od we have to show:                                   =        «monotonicity of S+»
(S é T × S) ¦ (S é T × T)
(S é T)ω ; [¬grd (S é T)] = (S p T)ω ; [¬grd (S p T)]
=   true
Ü       «as grd (S é T) = grd S v grd T = grd (S p T)»
(S é T)ω = (S p T)ω                                                    (S+ é T+)ω × (S é T)ω
=       «definition of p»                                                Ü      «for any S: S+ × S, monotonicity of Sω»
(S é T)ω = (S+ é T+)ω                                                    (S é T)ω × (S é T)ω
=   true
We show this by mutual refinement.                                25                                                       26

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 3 posted: 3/25/2010 language: English pages: 7