Docstoc

MPC 2000 Talk

Document Sample
MPC 2000 Talk Powered By Docstoc
					On Guarded Commands with Fair Choice                                    Weak and Strong Fairness [e.g. Frances 86]

                                                                        • The nondeterministic choice in Dijkstra’s guarded commands
Emil Sekerinski                                                           allows an arbitrary selection to be made on every occurrence:


Department of Computing and Software                                             do b f b := true                       (A)
                                                                                  [] b f b := false                     (B)
McMaster University
                                                                                 od
Ontario, Canada
July 2000
                                                                           If we assume that the choice is (weakly) fair, then action (B) will
                                                                           be eventually taken and the program will always terminate.
Contents
• Why Fairness                                                          • Weak fairness: An action will be taken provided that it remains
• Defining Fair Choice by Iterations                                      continuously enabled.
• Algebraic Reasoning about Fair Choice
• Verification of Loops with Fair Choice                                • Strong fairness: An action will be taken provided that it is
• Discussion                                                              infinitely often enabled.

                                                                    1                                                                            2




Fair Choice and Concurrency                                             Predicate Transformers [following Back & Wright 99]

• In the interleaving model, concurrency is expressed through           • Predicate Transformers: functions from postconditions to
  nondeterminism. Fairness models “true concurrency” better:              preconditions:

           do b f b := true od ||               process A
                                                                                PΣ       ê Σ f bool                     state predicates
           do b f b := false od                 process B                       ∆ŒΩ ê PΩfP∆                             predicate transfomers
       =       {definition of ||}
                                                                           ordered by universal entailment, i.e. for p, q: P Σ, S, T: ∆ Œ Ω:
           do b f b := true
            [] b f b := false
                                                                                p≤q      ê ∀σ•pσÞqσ                     entailment
           od
                                                                                S×T      ê ∀q•Sq≤Tq                     refinement

• The motivation for this work arose in the study of object-based
                                                                           wp (S, q) in Dijkstra’s original notation corresponds to S q.
  concurrency.
                                                                        • Statements: monotonic predicate transformers.


                                                                    3                                                                            4
Demonic and Angelic Choice                                                   Sequential Composition

• Assume S, T are predicate transformers and, p is a predicate:              • Assume S, T are predicate transformers and q is a predicate:

        abort q         ê    false              "worst behavior"                     skip q       ê    q                 identity
        magic q         ê    true               "blocking execution"                 (S ; T) q    ê    S (T q)           sequential composition

        (S é T) q       ê    (S q) ¦ (T q)      demonic choice
                                                                             • Monotonic predicate transformers form a monoid with
        (S è T) q       ê    (S q) v (T q)      angelic choice                 composition ; and unit skip.

• Monotonic predicate transformers form a complete lattice with              • abort and magic are left zeros of ;.
  top magic, bottom abort, meet é, and join è.
                                                                             • ; distributes over é and è to the left.




                                                                         5                                                                        6




Assertions, Assumptions, Updates                                             Fixed Points

• Assume p, q are predicates and R: ∆ f P Ω is a relation:                   • Let F be a function from predicate transformers to predicate
                                                                               transformers. Consider the equation:
        [p] q       ê   pÞq                             assumption
                                                                                     X = FX                              fixed point
        {p} q       ê   p¦q                             assertion
                                                                                If F is a monotonic function, then according to Knaster-Tarski
        [R] q δ     ê   (∀ ω • R δ ω Þ q ω)             demonic update          solutions X exist, in particular
        {R} q δ     ê   (∃ ω • R δ ω ¦ q ω)             angelic update
                                                                                 – a least solution µ F , also written as µ X • F X ,
• Some derived statements:
                                                                                 – a greatest solution ν F , also written as ν X • F X .
        pfS         ê   [p] ; S                         guarded statement
        if p then S else T ê (p f S) é (¬p f T)         conditional
         x := e ê [R] where                             assignment
              R (x, y) (x', y') = (x' = e) ¦ (y' = y)


                                                                         7                                                                        8
Iterations [Park 80, Aarts et al 95, Back & Wright 99]                    Weak and Strong Iterations

• Iterations of statement S are described as solutions X of (where        • Assume S is a monotonic predicate transformer:
  ; binds tighter than é ):
                                                                                  S ω ê µ X • S ; X é skip              strong iteration
        X = S ; X é skip                                                          S*   ê ν X • S ; X é skip             weak iteration

• For example, for                                                        • Both define a demonically chosen number of repetitions of S:

        S = a := a + 1                                                       – With S ω, the number of repetitions can be infinite, for example
   solutions are:                                                                     (a := a + 1)ω = abort
                                                                                as the least fixed point is given by their demonic choice, and
    – X = skip é a := a + 1 é a := a + 2 é …                                          abort é Q = abort for any Q

                                                                             – With S *, the number of repetitions is always finite, for example
    – X = abort
                                                                                     (a := a + 1)* = skip é a := a + 1 é a := a + 2 é …
                                                                                as the greatest fixed point is given by their angelic choice, and
                                                                                      abort è Q = Q for any Q
                                                                      9                                                                      10




Guards and Loops                                                          Loops with Unair and Fair Choice

• Assume S is a predicate transformer:                                    • Loops with unfair and fair choice are given by

        grd S        ê     ¬S false            enabledness domain                 do S é T od
                                                                                  do S w T od
   Properties:
                                                                            in a compos itional manner, respectively. To this end, we define:
        grd (p f S) =      p ¦ grd S
        grd (S é T) =      grd S v grd T
                                                                                  S+       ê S ; S*                     positive weak iteration
                                                                                               +      +
                                                                                  SpT      ê S éT                       ”S box T”
• The do od loop is like strong iteration, except that the loop has
  to continue as long as the guard of the body holds:
                                                                          • Theorem 1. For statements S and T:
                            ω
        do S od      ê     S ; [¬grd S]        loop
                                                                                  do S é T od = do S p T od



                                                                    11                                                                       12
Fair Choice                                                                         An Unreliable Channel …

• If S is enabled, S behaves as S, otherwise as skip:                               • We require that the channel copies in to out:

        S         ê    S é [¬grd S]                   "try S"                                                                          in                       out
                                                                                            out := in                                           channel

• Recalling that S p T ê S+ é T+, we define:                                        • An implementation needs to retransmit the data until it finally
                                                                                      is received:
        SwT       ê    S + ; T é T+ ; S               fair choice
                        +     +
                                                                                            var r • r := false ;
        SrT       ê    S éT ;S                        left fair choice
                                                                                            do ¬r f out, r := in, true
        StT       ê    S + ; T é T+                   right fair choice
                                                                                             r ¬r f skip
                                                                                            od

                                                                                       This implements out := in, provided successful transmission has
                                                                                       a fair chance.



                                                                               13                                                                                       14




… An Unreliable Channel …                                                           … An Unreliable Channel

• We start with the body of the loop:                                               • We continue:

        (¬r f out, r := in, true) r (¬r f skip)                                             var r • r := false ; do ¬r f out, r := in, true r ¬r f skip od
    =        «definition of f and skip unit of ;»                                       =        «previous calculation »
        (¬r f out, r := in, true) r [¬r]                                                    var r • r := false ; do ¬r f out, r := in, true od
    =        «definition of r»                                                          =        «definition of do od and ¬grd (¬r f out, r := in, true) = r»
         (¬r f out, r := in, true)+ é [¬r]+ ; (¬r f out, r := in, true)                     var r • r := false ; (¬r f out, r := in, true)ω ; [r]
    =        «for any S: S+ = S ; S* and S* = S ; S* é skip»                            =        «for any S: S* = S ; S* é skip and simplification»
        (¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true)                        var r • r := false ; ((¬r f out, r := in, true) é skip) ; [r]
    =        «definition of S and simplification of grd»                                =        «; distributes over é and definition of f»
        (¬r f out, r := in, true) é [¬r] ; ((¬r f out, r := in, true) é [r])                var r • (r := false ; [¬r] ; out, r := in, true ; [r]) é (r := false ; skip ; [r])
    =        «; distributes over é and [¬r] ; [r] = magic»                              =         «simplification»
        (¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true)                        var r • r := false ; out, r := in, true
    =        « for any p: [p] ; [p] = [p] and é idempotent»                             =        «simplification»
                                                                                            out := in
        ¬r f out, r := in, true

                                                                               15                                                                                       16
Unfair Choice is Refined by Fair Choice                              A Round Robin Scheduler

• Theorem 2. For statements S and T:                                 • We schedule statements S and T:
                                                                       – If S is enabled, we execute it and continue with T, if possible.
        do S é T od × do S r T od                                      – Otherwise, if S is not enabled we continue with T:

• Theorem 3. For statements S and T:                                          S :: T   ê     S ; T é [¬grd S] ; T    "S then T"

        do S é T od × do S w T od                                        Note that grd (S :: T) = grd S v grd T.

   Proof Outlines. By Theorem 1 this is equivalent to                • Theorem 4. For statements S and T:
        do S p T od × do S r T od
                                                                              do S r T od × do S :: T od
       do S p T od × do S w T od
   which then reduces to
       (S p T)ω × (S r T)ω
        (S p T)ω × (S w T)ω
   respectively, which holds by straightforward calculations.
                                                                17                                                                        18




A Prioritizing Scheduler                                             Verification of Loops

• We schedule statements S and T:                                    • Let W be a well-founded set and let rw for w e W be a collection
  – If S is enabled, we execute it.                                    of ranked predicates. Typically, a ranked predicate is the
  – Otherwise, only if S is not enabled, we continue with T:           conjunction of an invariant I and variant t:

        S // T   ê    S é [¬grd S] ; T        "S else T"                      rw = I ¦ (t = w)

                                                                        Let r<w be true if a predicate with lower rank than rw is true:
   Note that grd (S // T) = grd S v grd T.
                                                                              r<w = (∃ v < w • rv)
• Theorem 4. For statements S and T:
                                                                     • Theorem 6. Let S be a statement and rw for w e W a collection
        do S r T od × do S // T od
                                                                       of ranked predicates. Then

                                                                              (∀ w e W • rw ≤ S r<w) Þ
                                                                                   r ≤ do S od (r ¦ ¬grd S)

                                                                        where r = (∃ w • rw ) .
                                                                19                                                                        20
Verification of Loops with Unfair and Fair Choice                          Discussion …

• Let S be a statement and rw for w e W a collection of ranked             • [Park 80] uses least as well as greatest fixed points for the “fair
  predicates. Let g = grd S v grd T.                                         merge” of sequences.

                                                                           • Dijkstra’s calculus has earlier been extended by fair choice:
• Theorem 7.

        (∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T r<w )) Þ                            – [Morris 90] relies on temporal predicate transformers and
                                                                                 on substitution of fair choice by angelic choice, basically
            r ≤ do S é T od (r ¦ ¬g)                                             leading to strong fairness.

• Theorem 8.
                                                                               – [Broy & Nelson 94] define do S w T od similarly, except that
        (∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T ((rw ¦ grd S) v r<w )) Þ              S + is defined by ∇ modeling fair parallel execution; this
                                                                                 relies on wp as well as wlp and two ordering relations.
            r ≤ do S r T od (r ¦ ¬g)
                                                                               – [Wabenhorst 96] extends action systems by explicitly
                                                                                 specifying unfair sequences, allowing a wider range of
                                                                                 fairness constraints to be expressed, in a different style.
                                                                      21                                                                       22




… Discussion                                                               Fairness and Unbounded Nondeterminism

• The point of this approach is to treat fairness in an algebraic          • Including fair choice allows expressing unbounded
  style. A number of issues have been left out:                              nondeterminism:

    – Theorem 8 can we weakened by allowing the fair                                  var b : bool •
      statement to be “helpful” only in some states, e.g. as in                       b := true ; x := 0 ;
      [Back & Xu 1998] for action systems;                                            do b f x := x + 1
                                                                                       [] b f b := false
    – Generalization to more than 2 fair statements;                                  od
                                                                                  =
    – Extension to strong fairness and other forms of fairness;                          e
                                                                                      x :e nat

• All results do not rely on conjunctivity, i.e. do not exclude            • We define statements by predicate transformers, and allow
  angelic nondeterminism, which can be used for modeling                     unbounded demonic as well as angelic nondeterminism.
  interactive systems. The results carry over to that setting.


                                                                      23                                                                       24
A Theorem about S p T …                                                  … A Theorem about S p T

• Theorem 1. For statements S and T:                                          (S é T)ω × (S+ é T+)ω
                                                                            =      «for any S: (S+)ω = Sω»
       do S é T od = do S p T od
                                                                              ((S é T)+)ω × (S+ é T+)ω
                                                                            Ü      «monotonicity of S ω»
  Proof. We first note that:
                                                                                (S é T)+ × S+ é T+
                               +   +          +         +
       grd (S p T) = grd (S é T ) = grd S v grd T = grd S v grd T           =        «lattice property»
                                                                                ((S é T)+ × S+) ¦ ((S é T)+ × T+)
  By definition of do od we have to show:                                   =        «monotonicity of S+»
                                                                                (S é T × S) ¦ (S é T × T)
       (S é T)ω ; [¬grd (S é T)] = (S p T)ω ; [¬grd (S p T)]
                                                                            =   true
   Ü       «as grd (S é T) = grd S v grd T = grd (S p T)»
       (S é T)ω = (S p T)ω                                                    (S+ é T+)ω × (S é T)ω
   =       «definition of p»                                                Ü      «for any S: S+ × S, monotonicity of Sω»
       (S é T)ω = (S+ é T+)ω                                                    (S é T)ω × (S é T)ω
                                                                            =   true
  We show this by mutual refinement.                                25                                                       26

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:3
posted:3/25/2010
language:English
pages:7