
Compositionality and Asynchrony. Dr. Liam O'Connor, University of Edinburgh. PowerPoint presentation.



  1. Compositionality and Asynchrony. Dr. Liam O'Connor, University of Edinburgh LFCS (and UNSW). Term 2 2020.

  2. Where we are at. Last lecture, we looked at proof methods for termination (convergence and deadlock freedom) in sequential, shared-variable concurrent, and message-passing concurrent settings. In this lecture, we conclude our examination of proof methods for concurrency by examining compositional techniques. We will also discuss how to prove properties of asynchronous systems.


  5. Analysis of AFR and L&G. Both are only applicable to closed systems. That means we always have to reason about the system as a whole, even including users modelled as processes. Using these methods, one cannot reason compositionally. Typically, non-compositional proof methods do not scale and preclude re-use.


  7. Quotes on Compositionality. de Roever et al.: "A compositional proof method is a method by which the specification of a system can be inferred from the specifications of its constituents, without additional information about their internal structure." F. B. Schneider, 1994: "Compositionality is a red herring."

  8. One more quote. Lamport (1997), "Composition: a way to make proofs harder": "Systems are complicated. We master their complexity by building them from simpler components. This suggests that to master the complexity of reasoning about systems, we should prove properties of the separate components and then combine those properties to deduce properties of the entire system. In concurrent systems, the obvious choice of component is the process. So, compositional reasoning has come to mean deducing properties of a system from properties of its processes. I have long felt that this whole approach is rather silly. You don't design a mutual exclusion algorithm by first designing the individual processes and then hoping that putting them together guarantees mutual exclusion."


  10. Compositionally-Inductive Assertion Network. Key Idea: handle communication with a special logical variable $h$, containing the history of all communication, i.e. a sequence of pairs of channels and messages $\langle C, x \rangle$.

  A local assertion network $Q$ is compositionally-inductive for a sequential synchronous transition diagram $P = (L, T, s, t)$, written $P \vdash Q$, if
  - $\models Q_\ell \wedge b \Rightarrow Q_{\ell'} \circ f$, for each $\ell \xrightarrow{b;\, f} \ell' \in T$;
  - $\models Q_\ell \wedge b \Rightarrow Q_{\ell'} \circ (f \circ [h \leftarrow h \cdot \langle C, e \rangle])$, for each $\ell \xrightarrow{b;\, C \Leftarrow e;\, f} \ell' \in T$;
  - $\models Q_\ell \wedge b \Rightarrow \forall x\, \big( Q_{\ell'} \circ (f \circ [h \leftarrow h \cdot \langle C, x \rangle]) \big)$, for each $\ell \xrightarrow{b;\, C \Rightarrow x;\, f} \ell' \in T$.


  12. Partial Correctness. Let $Q$ be an assertion network for a process $P$ and $Q_s$ and $Q_t$ be the assertions at the start and end states. Then by inductivity we have the Basic diagram rule: from $P \vdash Q$ infer $\{Q_s\}\, P\, \{Q_t\}$.

  We assume the history is empty initially with the Initialization rule: from $\{\varphi \wedge h = \varepsilon\}\, P\, \{\psi\}$ infer $\{\varphi\}\, P\, \{\psi\}$.


  14. Parallel composition rule. Provided $\psi_i$ only makes assertions about local variables in $P_i$ and those parts of the history that involve channels read from or written to by $P_i$, we get this compositional parallel composition rule: from $\{\varphi_1\}\, P_1\, \{\psi_1\}$ and $\{\varphi_2\}\, P_2\, \{\psi_2\}$ infer $\{\varphi_1 \wedge \varphi_2\}\, P_1 \parallel P_2\, \{\psi_1 \wedge \psi_2\}$.

  Observe that we do not need to prove anything like interference freedom or generate a proof obligation about each possible communication.

  Notation: define $h|_H$ as the history $h$ filtered to only contain those pairs $\langle C, x \rangle$ where $C \in H$.


  16. Example 2 once more. The two transition diagrams, annotated with their local assertions:
  - $P_1$: $s_1 \xrightarrow{C \Leftarrow 1} l_1 \xrightarrow{C \Leftarrow 2} t_1$, with $h|_{\{C\}} = \varepsilon$ at $s_1$, $h|_{\{C\}} = \langle C, 1 \rangle$ at $l_1$, and $h|_{\{C\}} = \langle C, 1 \rangle \cdot \langle C, 2 \rangle$ at $t_1$.
  - $P_2$: $s_2 \xrightarrow{C \Rightarrow x} l_2 \xrightarrow{C \Rightarrow x} t_2$, with $h|_{\{C\}} = \varepsilon$ at $s_2$, $h|_{\{C\}} = \langle C, x \rangle$ at $l_2$, and $h|_{\{C\}} = \langle C, \_ \rangle \cdot \langle C, x \rangle$ at $t_2$.

  17. Example 2 once more, cont'd. For the two output transitions we need to show
  $\models h|_{\{C\}} = \varepsilon \Rightarrow \big( h|_{\{C\}} = \langle C, 1 \rangle \big) \circ [h \leftarrow h \cdot \langle C, 1 \rangle]$ (1)
  $\models h|_{\{C\}} = \langle C, 1 \rangle \Rightarrow \big( h|_{\{C\}} = \langle C, 1 \rangle \cdot \langle C, 2 \rangle \big) \circ [h \leftarrow h \cdot \langle C, 2 \rangle]$ (2)
  which is obvious; and for the two input transitions
  $\models h|_{\{C\}} = \varepsilon \Rightarrow \forall x\, \big( ( h|_{\{C\}} = \langle C, x \rangle ) \circ [h \leftarrow h \cdot \langle C, x \rangle] \big)$ (3)
  $\models h|_{\{C\}} = \langle C, x \rangle \Rightarrow \forall x\, \big( ( h|_{\{C\}} = \langle C, \_ \rangle \cdot \langle C, x \rangle ) \circ [h \leftarrow h \cdot \langle C, x \rangle] \big)$ (4)
  which also works out nicely.


  21. Example 2 once more, cont'd. Using the Basic diagram rule we may now deduce
  $\{ h|_{\{C\}} = \varepsilon \}\; C \Leftarrow 1;\, C \Leftarrow 2\; \{ h|_{\{C\}} = \langle C, 1 \rangle \cdot \langle C, 2 \rangle \}$
  $\{ h|_{\{C\}} = \varepsilon \}\; C \Rightarrow x;\, C \Rightarrow x\; \{ h|_{\{C\}} = \langle C, \_ \rangle \cdot \langle C, x \rangle \}$
  before applying the parallel composition rule to obtain
  $\{ h|_{\{C\}} = \varepsilon \}\; P\; \{ h|_{\{C\}} = \langle C, 1 \rangle \cdot \langle C, 2 \rangle \wedge h|_{\{C\}} = \langle C, \_ \rangle \cdot \langle C, x \rangle \}$
  which implies (via the rule of consequence)
  $\{ h|_{\{C\}} = \varepsilon \}\; P\; \{ x = 2 \}$
  and finally the initialisation rule takes us to
  $\{ \mathit{True} \}\; P\; \{ x = 2 \}$.
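The history-based proof of slides 16 to 21 is small enough to check mechanically, which is a useful sanity check on the verification conditions before trusting a hand proof. The Python below is an added example, not code from the lecture or from de Roever et al.: it encodes $P_1$ and $P_2$ as transition diagrams, models the logical variable $h$ as a tuple of (channel, message) pairs, and evaluates the local assertion networks $Q_1$ and $Q_2$ on every reachable configuration of $P_1 \parallel P_2$, with each assertion consulting only its own process's variables and $h|_{\{C\}}$, as the parallel composition rule's side condition demands. The encoding (dictionaries P1, P2, Q1, Q2, the helper proj, the WILD placeholder for $\langle C, \_ \rangle$, and the functions successors, check_example2 and consequence_holds) is the example's own; the message domain used by consequence_holds is an arbitrary small set chosen for the brute-force check.

```python
from itertools import product

def proj(h, H):
    """h|_H: the history h restricted to the pairs whose channel lies in H."""
    return tuple(p for p in h if p[0] in H)

# Transition diagrams (example encoding, not the lecture's syntax).
# Each location maps to its outgoing transitions:
#   ('out', channel, expression over the local state, next location)   for  C <= e
#   ('in',  channel, variable bound by the receive,    next location)   for  C => x
P1 = {'s1': [('out', 'C', lambda st: 1, 'l1')],
      'l1': [('out', 'C', lambda st: 2, 't1')],
      't1': []}
P2 = {'s2': [('in', 'C', 'x', 'l2')],
      'l2': [('in', 'C', 'x', 't2')],
      't2': []}

WILD = object()  # stands for the '_' in <C, _>: some message on C whose value is irrelevant

def matches(hc, pattern):
    """Compare a projected history against a pattern that may contain WILD entries."""
    return len(hc) == len(pattern) and all(q is WILD or p == q for p, q in zip(hc, pattern))

# Local assertion networks: location -> predicate over (local state, h).
# Each speaks only about its own process's variables and h|_{C}, which is
# exactly the side condition of the parallel composition rule.
Q1 = {'s1': lambda st, h: proj(h, {'C'}) == (),
      'l1': lambda st, h: proj(h, {'C'}) == (('C', 1),),
      't1': lambda st, h: proj(h, {'C'}) == (('C', 1), ('C', 2))}
Q2 = {'s2': lambda st, h: proj(h, {'C'}) == (),
      'l2': lambda st, h: proj(h, {'C'}) == (('C', st['x']),),
      't2': lambda st, h: matches(proj(h, {'C'}), (WILD, ('C', st['x'])))}

def successors(cfg):
    """Synchronous semantics: a send and a receive on the same channel fire as one
    step; the receiver's variable is bound to the sent value and <C, v> is appended to h."""
    loc1, st1, loc2, st2, h = cfg
    for (k1, c1, a1, n1), (k2, c2, a2, n2) in product(P1[loc1], P2[loc2]):
        if c1 != c2 or {k1, k2} != {'in', 'out'}:
            continue
        if k1 == 'out':
            v = a1(st1)
            st1n, st2n = st1, {**st2, a2: v}
        else:
            v = a2(st2)
            st1n, st2n = {**st1, a1: v}, st2
        yield (n1, st1n, n2, st2n, h + ((c1, v),))

def key(cfg):
    """Hashable identity of a configuration, used to detect already-visited states."""
    loc1, st1, loc2, st2, h = cfg
    return (loc1, frozenset(st1.items()), loc2, frozenset(st2.items()), h)

def check_example2():
    """Explore every reachable configuration of P1 || P2 and report any local
    assertion that fails there, plus the value of x in every terminal configuration."""
    init = ('s1', {}, 's2', {'x': None}, ())
    seen, todo, terminal, violations = {key(init)}, [init], [], []
    while todo:
        cfg = todo.pop()
        loc1, st1, loc2, st2, h = cfg
        if not Q1[loc1](st1, h):
            violations.append(('P1', loc1, h))
        if not Q2[loc2](st2, h):
            violations.append(('P2', loc2, h))
        succ = list(successors(cfg))
        if not succ:
            terminal.append(cfg)
        for s in succ:
            if key(s) not in seen:
                seen.add(key(s))
                todo.append(s)
    return {'violations': violations,
            'terminal_locations': sorted({(c[0], c[2]) for c in terminal}),
            'terminal_x': sorted({c[3]['x'] for c in terminal}),
            'reachable': len(seen)}

def consequence_holds(domain=range(4)):
    """The rule-of-consequence step: Q1(t1) and Q2(t2) together force x = 2.
    Checked by brute force over every two-message history on C drawn from `domain`."""
    for m1, m2 in product(domain, repeat=2):
        h = (('C', m1), ('C', m2))
        for x in domain:
            if Q1['t1']({}, h) and Q2['t2']({'x': x}, h) and x != 2:
                return False
    return True

if __name__ == '__main__':
    print(check_example2())
    print('Q1(t1) and Q2(t2) imply x = 2:', consequence_holds())
```

Rendezvous leaves only one interleaving here, so the exploration visits three configurations, but the same successor enumeration handles diagrams with several enabled transitions per location, which is where checking every reachable configuration rather than one run pays off. Note that consequence_holds never runs the processes at all: that $Q_1(t_1) \wedge Q_2(t_2)$ entails $x = 2$ is a fact about the two history assertions alone, which is precisely what lets the composed postcondition be derived without re-examining either process.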

  22. Merge Example. The transition diagram has locations $q_0$ (initial), $q_1$, $q_2$, $q_3$, $q_4$ and $q_t$ (final), with transitions
  $q_0 \xrightarrow{\mathit{inX} \Rightarrow x} q_1$, $q_1 \xrightarrow{\mathit{inY} \Rightarrow y} q_2$,
  $q_2 \xrightarrow{x \neq \mathit{EOF} \wedge x \leq y;\; \mathit{out} \Leftarrow x} q_3$, $q_3 \xrightarrow{\mathit{inX} \Rightarrow x} q_2$,
  $q_2 \xrightarrow{y \neq \mathit{EOF} \wedge y \leq x;\; \mathit{out} \Leftarrow y} q_4$, $q_4 \xrightarrow{\mathit{inY} \Rightarrow y} q_2$,
  $q_2 \xrightarrow{x = y = \mathit{EOF}} q_t$.

  23. Assertions. Let $\hat{\theta}$ denote the history sequence $\theta$ without channel data, i.e. just the messages. Then our desired postcondition is:
  $\varphi \equiv \exists \alpha\, \beta.\; h|_{\{\mathit{inX}\}} = \alpha \cdot \langle \mathit{inX}, \mathit{EOF} \rangle \wedge h|_{\{\mathit{inY}\}} = \beta \cdot \langle \mathit{inY}, \mathit{EOF} \rangle \wedge \big( \mathit{sorted}(\hat{\alpha}) \wedge \mathit{sorted}(\hat{\beta}) \Rightarrow \widehat{h|_{\{\mathit{out}\}}} = \mathit{sort}(\hat{\alpha} \cdot \hat{\beta}) \big)$
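Before attempting a proof of $\varphi$ it is worth executing the merge diagram of slide 22 and evaluating $\varphi$ on the concrete histories it produces, which exercises the projection $h|_H$ and the $\hat{\theta}$ notation on real data. The Python below is an added example, not code from the lecture: run_merge interprets the diagram with the environment's input streams standing in for the senders on $\mathit{inX}$ and $\mathit{inY}$, records $h$, and returns it on reaching $q_t$; phi evaluates the postcondition, with $\alpha$ and $\beta$ taken as $h|_{\{\mathit{inX}\}}$ and $h|_{\{\mathit{inY}\}}$ minus their final EOF pair, which is the only choice that satisfies the two equations. Assumptions of the example: EOF is modelled as math.inf so that it orders above every message, the second output guard is $y \neq \mathit{EOF} \wedge y \leq x$ mirroring the first (the symmetric_guard flag lets you run the variant with $x \neq \mathit{EOF}$ there instead), and all input streams are constructed sample data.

```python
import math

EOF = math.inf  # assumption: EOF modelled as +infinity, so it compares greater than every real message

def proj(h, H):
    """h|_H: the history restricted to the pairs whose channel lies in H."""
    return tuple(p for p in h if p[0] in H)

def hat(theta):
    """theta-hat: drop the channel names and keep only the messages."""
    return tuple(m for _, m in theta)

def is_sorted(seq):
    return all(a <= b for a, b in zip(seq, seq[1:]))

def run_merge(xs, ys, symmetric_guard=True):
    """Run the merge transition diagram against two input streams (the environment),
    recording the history h; returns h on reaching q_t. A receive on inX/inY is
    modelled by pulling the next value from the corresponding stream."""
    in_x, in_y = iter(xs), iter(ys)
    h = []
    def recv(chan, stream):          # chan => v
        v = next(stream)
        h.append((chan, v))
        return v
    def send(chan, v):               # chan <= v
        h.append((chan, v))
    loc, x, y = 'q0', None, None
    while loc != 'qt':
        if loc == 'q0':
            x, loc = recv('inX', in_x), 'q1'
        elif loc == 'q1':
            y, loc = recv('inY', in_y), 'q2'
        elif loc == 'q2':
            # With symmetric_guard=False the second output guard tests x instead of y,
            # which blocks once inX has delivered EOF but inY has not (see deadlocks()).
            y_guard = (y != EOF) if symmetric_guard else (x != EOF)
            if x != EOF and x <= y:
                send('out', x); loc = 'q3'
            elif y_guard and y <= x:
                send('out', y); loc = 'q4'
            elif x == EOF and y == EOF:
                loc = 'qt'
            else:
                raise RuntimeError(f'no transition enabled at q2 with x={x}, y={y}')
        elif loc == 'q3':
            x, loc = recv('inX', in_x), 'q2'
        elif loc == 'q4':
            y, loc = recv('inY', in_y), 'q2'
    return tuple(h)

def phi(h):
    """The postcondition phi evaluated on a concrete history h. alpha and beta are
    h|inX and h|inY with their final EOF pair removed."""
    hx, hy, hout = proj(h, {'inX'}), proj(h, {'inY'}), proj(h, {'out'})
    if not hx or hx[-1] != ('inX', EOF) or not hy or hy[-1] != ('inY', EOF):
        return False
    alpha, beta = hx[:-1], hy[:-1]
    if is_sorted(hat(alpha)) and is_sorted(hat(beta)):
        return hat(hout) == tuple(sorted(hat(alpha) + hat(beta)))
    return True  # the implication holds vacuously when an input was not sorted

def merged_output(xs, ys):
    """Just the messages sent on out, i.e. the hat of h|{out}."""
    return hat(proj(run_merge(xs, ys), {'out'}))

def deadlocks(xs, ys, symmetric_guard):
    """True if the run gets stuck at q2 with no enabled transition."""
    try:
        run_merge(xs, ys, symmetric_guard)
        return False
    except RuntimeError:
        return True

if __name__ == '__main__':
    good = run_merge([1, 4, 9, EOF], [2, 3, 10, EOF])      # constructed sorted streams
    print(hat(proj(good, {'out'})), phi(good))
    bad = run_merge([5, 1, EOF], [2, EOF])                 # constructed, inX unsorted
    print(hat(proj(bad, {'out'})), phi(bad))
    print(deadlocks([1, EOF], [2, 3, EOF], symmetric_guard=False))
```

The unsorted run shows why $\varphi$ is stated as an implication: the merge still terminates and emits every input, but its output is not sorted, and $\varphi$ holds only because its antecedent fails. The deadlocks check is the practitioner's caveat on the guard: with $x \neq \mathit{EOF}$ on both output branches, a stream that ends before the other leaves $q_2$ with no enabled transition, which the termination methods of the previous lecture would flag and which no partial-correctness postcondition can see.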
