Document Sample

On Guarded Commands with Fair Choice Weak and Strong Fairness [e.g. Frances 86] • The nondeterministic choice in Dijkstra’s guarded commands Emil Sekerinski allows an arbitrary selection to be made on every occurrence: Department of Computing and Software do b f b := true (A) [] b f b := false (B) McMaster University od Ontario, Canada July 2000 If we assume that the choice is (weakly) fair, then action (B) will be eventually taken and the program will always terminate. Contents • Why Fairness • Weak fairness: An action will be taken provided that it remains • Defining Fair Choice by Iterations continuously enabled. • Algebraic Reasoning about Fair Choice • Verification of Loops with Fair Choice • Strong fairness: An action will be taken provided that it is • Discussion infinitely often enabled. 1 2 Fair Choice and Concurrency Predicate Transformers [following Back & Wright 99] • In the interleaving model, concurrency is expressed through • Predicate Transformers: functions from postconditions to nondeterminism. Fairness models “true concurrency” better: preconditions: do b f b := true od || process A PΣ ê Σ f bool state predicates do b f b := false od process B ∆ŒΩ ê PΩfP∆ predicate transfomers = {definition of ||} ordered by universal entailment, i.e. for p, q: P Σ, S, T: ∆ Œ Ω: do b f b := true [] b f b := false p≤q ê ∀σ•pσÞqσ entailment od S×T ê ∀q•Sq≤Tq refinement • The motivation for this work arose in the study of object-based wp (S, q) in Dijkstra’s original notation corresponds to S q. concurrency. • Statements: monotonic predicate transformers. 3 4 Demonic and Angelic Choice Sequential Composition • Assume S, T are predicate transformers and, p is a predicate: • Assume S, T are predicate transformers and q is a predicate: abort q ê false "worst behavior" skip q ê q identity magic q ê true "blocking execution" (S ; T) q ê S (T q) sequential composition (S é T) q ê (S q) ¦ (T q) demonic choice • Monotonic predicate transformers form a monoid with (S è T) q ê (S q) v (T q) angelic choice composition ; and unit skip. • Monotonic predicate transformers form a complete lattice with • abort and magic are left zeros of ;. top magic, bottom abort, meet é, and join è. • ; distributes over é and è to the left. 5 6 Assertions, Assumptions, Updates Fixed Points • Assume p, q are predicates and R: ∆ f P Ω is a relation: • Let F be a function from predicate transformers to predicate transformers. Consider the equation: [p] q ê pÞq assumption X = FX fixed point {p} q ê p¦q assertion If F is a monotonic function, then according to Knaster-Tarski [R] q δ ê (∀ ω • R δ ω Þ q ω) demonic update solutions X exist, in particular {R} q δ ê (∃ ω • R δ ω ¦ q ω) angelic update – a least solution µ F , also written as µ X • F X , • Some derived statements: – a greatest solution ν F , also written as ν X • F X . pfS ê [p] ; S guarded statement if p then S else T ê (p f S) é (¬p f T) conditional x := e ê [R] where assignment R (x, y) (x', y') = (x' = e) ¦ (y' = y) 7 8 Iterations [Park 80, Aarts et al 95, Back & Wright 99] Weak and Strong Iterations • Iterations of statement S are described as solutions X of (where • Assume S is a monotonic predicate transformer: ; binds tighter than é ): S ω ê µ X • S ; X é skip strong iteration X = S ; X é skip S* ê ν X • S ; X é skip weak iteration • For example, for • Both define a demonically chosen number of repetitions of S: S = a := a + 1 – With S ω, the number of repetitions can be infinite, for example solutions are: (a := a + 1)ω = abort as the least fixed point is given by their demonic choice, and – X = skip é a := a + 1 é a := a + 2 é … abort é Q = abort for any Q – With S *, the number of repetitions is always finite, for example – X = abort (a := a + 1)* = skip é a := a + 1 é a := a + 2 é … as the greatest fixed point is given by their angelic choice, and abort è Q = Q for any Q 9 10 Guards and Loops Loops with Unair and Fair Choice • Assume S is a predicate transformer: • Loops with unfair and fair choice are given by grd S ê ¬S false enabledness domain do S é T od do S w T od Properties: in a compos itional manner, respectively. To this end, we define: grd (p f S) = p ¦ grd S grd (S é T) = grd S v grd T S+ ê S ; S* positive weak iteration + + SpT ê S éT ”S box T” • The do od loop is like strong iteration, except that the loop has to continue as long as the guard of the body holds: • Theorem 1. For statements S and T: ω do S od ê S ; [¬grd S] loop do S é T od = do S p T od 11 12 Fair Choice An Unreliable Channel … • If S is enabled, S behaves as S, otherwise as skip: • We require that the channel copies in to out: S ê S é [¬grd S] "try S" in out out := in channel • Recalling that S p T ê S+ é T+, we define: • An implementation needs to retransmit the data until it finally is received: SwT ê S + ; T é T+ ; S fair choice + + var r • r := false ; SrT ê S éT ;S left fair choice do ¬r f out, r := in, true StT ê S + ; T é T+ right fair choice r ¬r f skip od This implements out := in, provided successful transmission has a fair chance. 13 14 … An Unreliable Channel … … An Unreliable Channel • We start with the body of the loop: • We continue: (¬r f out, r := in, true) r (¬r f skip) var r • r := false ; do ¬r f out, r := in, true r ¬r f skip od = «definition of f and skip unit of ;» = «previous calculation » (¬r f out, r := in, true) r [¬r] var r • r := false ; do ¬r f out, r := in, true od = «definition of r» = «definition of do od and ¬grd (¬r f out, r := in, true) = r» (¬r f out, r := in, true)+ é [¬r]+ ; (¬r f out, r := in, true) var r • r := false ; (¬r f out, r := in, true)ω ; [r] = «for any S: S+ = S ; S* and S* = S ; S* é skip» = «for any S: S* = S ; S* é skip and simplification» (¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true) var r • r := false ; ((¬r f out, r := in, true) é skip) ; [r] = «definition of S and simplification of grd» = «; distributes over é and definition of f» (¬r f out, r := in, true) é [¬r] ; ((¬r f out, r := in, true) é [r]) var r • (r := false ; [¬r] ; out, r := in, true ; [r]) é (r := false ; skip ; [r]) = «; distributes over é and [¬r] ; [r] = magic» = «simplification» (¬r f out, r := in, true) é [¬r] ; (¬r f out, r := in, true) var r • r := false ; out, r := in, true = « for any p: [p] ; [p] = [p] and é idempotent» = «simplification» out := in ¬r f out, r := in, true 15 16 Unfair Choice is Refined by Fair Choice A Round Robin Scheduler • Theorem 2. For statements S and T: • We schedule statements S and T: – If S is enabled, we execute it and continue with T, if possible. do S é T od × do S r T od – Otherwise, if S is not enabled we continue with T: • Theorem 3. For statements S and T: S :: T ê S ; T é [¬grd S] ; T "S then T" do S é T od × do S w T od Note that grd (S :: T) = grd S v grd T. Proof Outlines. By Theorem 1 this is equivalent to • Theorem 4. For statements S and T: do S p T od × do S r T od do S r T od × do S :: T od do S p T od × do S w T od which then reduces to (S p T)ω × (S r T)ω (S p T)ω × (S w T)ω respectively, which holds by straightforward calculations. 17 18 A Prioritizing Scheduler Verification of Loops • We schedule statements S and T: • Let W be a well-founded set and let rw for w e W be a collection – If S is enabled, we execute it. of ranked predicates. Typically, a ranked predicate is the – Otherwise, only if S is not enabled, we continue with T: conjunction of an invariant I and variant t: S // T ê S é [¬grd S] ; T "S else T" rw = I ¦ (t = w) Let r<w be true if a predicate with lower rank than rw is true: Note that grd (S // T) = grd S v grd T. r<w = (∃ v < w • rv) • Theorem 4. For statements S and T: • Theorem 6. Let S be a statement and rw for w e W a collection do S r T od × do S // T od of ranked predicates. Then (∀ w e W • rw ≤ S r<w) Þ r ≤ do S od (r ¦ ¬grd S) where r = (∃ w • rw ) . 19 20 Verification of Loops with Unfair and Fair Choice Discussion … • Let S be a statement and rw for w e W a collection of ranked • [Park 80] uses least as well as greatest fixed points for the “fair predicates. Let g = grd S v grd T. merge” of sequences. • Dijkstra’s calculus has earlier been extended by fair choice: • Theorem 7. (∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T r<w )) Þ – [Morris 90] relies on temporal predicate transformers and on substitution of fair choice by angelic choice, basically r ≤ do S é T od (r ¦ ¬g) leading to strong fairness. • Theorem 8. – [Broy & Nelson 94] define do S w T od similarly, except that (∀ w e W • (rw ≤ S r<w ) ¦ (rw ≤ T ((rw ¦ grd S) v r<w )) Þ S + is defined by ∇ modeling fair parallel execution; this relies on wp as well as wlp and two ordering relations. r ≤ do S r T od (r ¦ ¬g) – [Wabenhorst 96] extends action systems by explicitly specifying unfair sequences, allowing a wider range of fairness constraints to be expressed, in a different style. 21 22 … Discussion Fairness and Unbounded Nondeterminism • The point of this approach is to treat fairness in an algebraic • Including fair choice allows expressing unbounded style. A number of issues have been left out: nondeterminism: – Theorem 8 can we weakened by allowing the fair var b : bool • statement to be “helpful” only in some states, e.g. as in b := true ; x := 0 ; [Back & Xu 1998] for action systems; do b f x := x + 1 [] b f b := false – Generalization to more than 2 fair statements; od = – Extension to strong fairness and other forms of fairness; e x :e nat • All results do not rely on conjunctivity, i.e. do not exclude • We define statements by predicate transformers, and allow angelic nondeterminism, which can be used for modeling unbounded demonic as well as angelic nondeterminism. interactive systems. The results carry over to that setting. 23 24 A Theorem about S p T … … A Theorem about S p T • Theorem 1. For statements S and T: (S é T)ω × (S+ é T+)ω = «for any S: (S+)ω = Sω» do S é T od = do S p T od ((S é T)+)ω × (S+ é T+)ω Ü «monotonicity of S ω» Proof. We first note that: (S é T)+ × S+ é T+ + + + + grd (S p T) = grd (S é T ) = grd S v grd T = grd S v grd T = «lattice property» ((S é T)+ × S+) ¦ ((S é T)+ × T+) By definition of do od we have to show: = «monotonicity of S+» (S é T × S) ¦ (S é T × T) (S é T)ω ; [¬grd (S é T)] = (S p T)ω ; [¬grd (S p T)] = true Ü «as grd (S é T) = grd S v grd T = grd (S p T)» (S é T)ω = (S p T)ω (S+ é T+)ω × (S é T)ω = «definition of p» Ü «for any S: S+ × S, monotonicity of Sω» (S é T)ω = (S+ é T+)ω (S é T)ω × (S é T)ω = true We show this by mutual refinement. 25 26

DOCUMENT INFO

Shared By:

Categories:

Tags:

Stats:

views: | 3 |

posted: | 3/25/2010 |

language: | English |

pages: | 7 |

OTHER DOCS BY akgame

How are you planning on using Docstoc?
BUSINESS
PERSONAL

By registering with docstoc.com you agree to our
privacy policy and
terms of service, and to receive content and offer notifications.

Docstoc is the premier online destination to start and grow small businesses. It hosts the best quality and widest selection of professional documents (over 20 million) and resources including expert videos, articles and productivity tools to make every small business better.

Search or Browse for any specific document or resource you need for your business. Or explore our curated resources for Starting a Business, Growing a Business or for Professional Development.

Feel free to Contact Us with any questions you might have.