Parameterized Programs. CS256/Spring 2008, Lecture #09, Zohar Manna (PDF document)



Slide 9-1. Parameterized Programs. CS256/Spring 2008, Lecture #09, Zohar Manna. Chapter 2: Invariance: Applications.

Slide 9-2. Mutual exclusion: Syntax

  S ::  ℓ0: loop forever do
          ℓ1: noncritical
          ℓ2: request y
          ℓ3: critical
          ℓ4: release y

  P3 :: [ local y : integer where y = 1; [ S || S || S ] ]   (with some renaming of the labels of the S's)
  P4 :: [ local y : integer where y = 1; [ S || S || S || S ] ]
  ...
  Pn :: ?

Slide 9-3. Mutual exclusion: Specification

  P3: $\Box(\neg(at_{\ell_3} \wedge at_{m_3}) \wedge \neg(at_{\ell_3} \wedge at_{k_3}) \wedge \neg(at_{m_3} \wedge at_{k_3}))$
  P4: $\Box(\neg(\ldots) \wedge \ldots \wedge \neg(\ldots))$
  Pn: ?

We want to deal with these programs, i.e., programs with an arbitrary number of identical components, in a more uniform way. Solution: parametrization.

Slide 9-4. Compound statements of variable size

  Cooperation: $\|_{j=1}^{M} S[j]$ : [ S[1] || ... || S[M] ]
  Selection:   $\mathrm{OR}_{j=1}^{M} S[j]$ : [ S[1] or ... or S[M] ]

S[j] is a parameterized statement. In what ways can j appear in S?
  • explicit variable in an expression: ... := j + ...
  • explicit subscript in an array x: ... := x[j] + ... or x[j] := ...
  • implicit subscript of all local variables in S[j]: z stands for z[j]
  • implicit subscript of all labels in S[j]: ℓ3 stands for ℓ3[j]

Slide 9-5. Example: Program par-sum (Fig. 2.1) (parallel sum of squares), $M \geq 1$. The program computes $z = x[1]^2 + x[2]^2 + \ldots + x[M]^2$.

Slide 9-6. Program par-sum-e (Fig. 2.2): the explicitly subscripted parameterized statements of par-sum. We write the short version (par-sum), but we reason about this one.

Slide 9-7. Parameterized transition systems

The number M of processes is not fixed, so there is an unbounded number of transitions. To finitely represent these, we use parameterization of transition relations.

Example: par-sum. The unbounded number of transitions associated with ℓ0 is represented by a single transition relation using the parameter j:
  $\rho_{\ell_0[j]}: move(\ell_0[j], \ell_1[j]) \wedge y'[j] = x[j] \wedge pres(\{x, z\})$, where $j = 1, \ldots, M$.

Slide 9-8. Array Operations

Arrays (explicit or implicit) are treated as variables that range over functions $[1 \ldots M] \mapsto \mathit{integers}$.
Representation of array operations in transition relations:
  • Retrieval: $y[k]$ retrieves the value of the k-th element of array y.
  • Modification: $update(y, k, e)$; the resulting array agrees with y on all i, $i \neq k$, and $y[k] = e$.

Slide 9-9. Properties of update

  $update(y, k, e)[k] = e$
  $update(y, k, e)[j] = y[j]$ for $j \neq k$

Example: par-sum. The proper representation of the transition relation for ℓ0[j] is
  $\rho_{\ell_0[j]}: move(\ell_0[j], \ell_1[j]) \wedge y' = update(y, j, x[j]) \wedge pres(\{x, z\})$

Slide 9-10. Parameterized Programs: Specification

Notation:
  • $L_i = \{ j \mid \ell_i[j] \in \pi \} \subseteq \{1, \ldots, M\}$: the set of indices of the processes that currently reside at $\ell_i$
  • $N_i = |L_i|$: the number of processes currently residing at $\ell_i$
Example: $L_i = \{3, 5\}$ means $\ell_i[3], \ell_i[5] \in \pi$, and we have $N_i = 2$.
Invariant: $\Box(N_i \geq 0)$
Abbreviations:
  $L_{i_1, i_2, \ldots, i_k} = L_{i_1} \cup L_{i_2} \cup \ldots \cup L_{i_k}$
  $L_{i..j} = L_i \cup L_{i+1} \cup \ldots \cup L_j$
  $N_{i_1, i_2, \ldots, i_k} = |L_{i_1, i_2, \ldots, i_k}|$
  $N_{i..j} = |L_{i..j}|$

Slide 9-11. Parameterized Programs: Specification (Cont'd)

Example: Program mpx-sem (Fig. 2.3), $M \geq 2$ (multiple mutual exclusion by semaphores), where
  $j \oplus_M 1 = (j \bmod M) + 1 = \begin{cases} j + 1 & \text{if } j < M \\ 1 & \text{if } j = M \end{cases}$
Elaboration for M = 2: Program mpx-sem-2 (Fig. 2.4).

Slide 9-12. Program mpx-sem (Fig. 2.3)

Mutual exclusion:
  $\Box\, \forall i, j \in [1..M].\ i \neq j.\ \neg(at_{\ell_3[i]} \wedge at_{\ell_3[j]})$   ($\psi$)
abbreviated as $\Box(N_3 \leq 1)$, i.e., the number of processes simultaneously residing at $\ell_3$ is always less than or equal to 1.
Note: $\neg(at_{\ell_3[i]} \wedge at_{\ell_3[j]})$ can be expressed as $at_{\ell_3[i]} + at_{\ell_3[j]} \leq 1$.

Slide 9-13. Parameterized Programs: Verification

Objective: prove $\{\varphi\}\ \tau[i]\ \{\varphi\}$ in a uniform way for all $i \in [1..M]$.

Example: Program mpx-sem (Fig. 2.3), $M \geq 2$. Prove mutual exclusion: $\Box(N_3 \leq 1)$   ($\varphi$).
The assertion $\varphi$ is not inductive, therefore we prove the invariance of
  $\varphi_1: \forall j.\ y[j] \geq 0$
  $\varphi_2: N_{3,4} + \sum_{j=1}^{M} y[j] = 1$
where $N_{3,4}$ is the number of processes currently residing at $\ell_3$ or at $\ell_4$.

Slide 9-14. Program mpx-sem-2 (Fig. 2.4). [figure only]

Slide 9-15. Example: Program mpx-sem (Cont'd)

Then $\varphi$ can be deduced by monotonicity: $\varphi_1 \wedge \varphi_2 \rightarrow N_3 \leq 1$, since
  $N_3 \leq N_{3,4} = 1 - \sum_{j=1}^{M} y[j] \leq 1$
(the equality by $\varphi_2$, the last inequality by $\varphi_1$).

• Proof of $\Box(\forall j.\ y[j] \geq 0)$   ($\varphi_1$):
  B1: $\Theta \rightarrow \forall j.\ y[j] \geq 0$, where $\Theta$ contains $\ldots \wedge y[1] = 1 \wedge (\forall j.\ 2 \leq j \leq M.\ y[j] = 0)$.
  Note: $\forall j.\ y[j] \geq 0$ stands for $\forall j.\ 1 \leq j \leq M.\ y[j] \geq 0$.

Slide 9-16. B2: The only transitions that interfere with $\varphi_1$ are $\tau_{\ell_2[i]}$ and $\tau_{\ell_4[i]}$:
  $\rho_{\ell_2[i]}: move(\ell_2[i], \ell_3[i]) \wedge y[i] > 0 \wedge y' = update(y, i, y[i] - 1)$
  $\rho_{\ell_4[i]}: move(\ell_4[i], \ell_0[i]) \wedge y' = update(y, i \oplus_M 1, y[i \oplus_M 1] + 1)$
$\rho_{\ell_2[i]}$ implies $y[i] > 0 \wedge y'[i] = y[i] - 1 \wedge \forall j.\ j \neq i.\ y'[j] = y[j]$.
$\rho_{\ell_4[i]}$ implies $y'[i \oplus_M 1] = y[i \oplus_M 1] + 1 \wedge \forall j.\ j \neq i \oplus_M 1.\ y'[j] = y[j]$.
We therefore have
  $\underbrace{\forall j.\ y[j] \geq 0}_{\varphi_1} \wedge (\rho_{\ell_2[i]} \vee \rho_{\ell_4[i]}) \rightarrow \underbrace{\forall j.\ y'[j] \geq 0}_{\varphi_1'}$

Slide 9-17. • Proof of $\Box(N_{3,4} + \sum_{j=1}^{M} y[j] = 1)$   ($\varphi_2$):
  B1: $\underbrace{\pi = \{\ell_0[1], \ldots, \ell_0[M]\} \wedge y[1] = 1 \wedge (\forall j.\ 2 \leq j \leq M.\ y[j] = 0)}_{\Theta} \rightarrow \underbrace{N_{3,4} + \sum_{j=1}^{M} y[j] = 1}_{\varphi_2}$
  B2: Verification conditions:
    $\rho_{\ell_2[i]}$ implies $N'_{3,4} = N_{3,4} + 1$ and $\sum_{j=1}^{M} y'[j] = \left(\sum_{j=1}^{M} y[j]\right) - 1$

Slide 9-18.
    $\rho_{\ell_4[i]}$ implies $N'_{3,4} = N_{3,4} - 1$ and $\sum_{j=1}^{M} y'[j] = \left(\sum_{j=1}^{M} y[j]\right) + 1$
  Therefore
    $\underbrace{N_{3,4} + \sum_{j=1}^{M} y[j] = 1}_{\varphi_2} \wedge (\rho_{\ell_2[i]} \vee \rho_{\ell_4[i]}) \rightarrow \underbrace{N'_{3,4} + \sum_{j=1}^{M} y'[j] = 1}_{\varphi_2'}$

Slide 9-19. Parameterized Programs: Examples

Example: readers-writers (Fig. 2.11) (readers-writers with generalized semaphores), where
  $request(y, c) = \langle \mathbf{await}\ y \geq c;\ y := y - c \rangle$
  $release(y, c) = \langle y := y + c \rangle$

Slide 9-20. Program read-write (Fig. 2.11)

  $\Box\, \forall i, j \in [1..M].\ i \neq j.\ at_{\ell_6[i]} \rightarrow \neg(at_{\ell_6[j]} \vee at_{\ell_3[j]})$   ($\psi$)
• $\varphi_1$ and $\varphi_2$ are inductive:
  $\varphi_1: y \geq 0$
  $\varphi_2: N_{3,4} + M \cdot N_{6,7} + y = M$
• Therefore $N_{6,7} > 0 \rightarrow (N_{6,7} = 1 \wedge N_{3,4} = 0)$ (by $\varphi_1$, $\varphi_2$). Thus, $\Box\psi$.
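The mpx-sem verification above (slides 9-13 to 9-18) rests on three claims: φ alone is not inductive, φ1 ∧ φ2 is inductive, and φ1 ∧ φ2 implies φ. As an added example that is not part of the lecture, the following Python model of mpx-sem for a fixed M checks all three by enumeration; the five-location control structure per process, the semaphore array y, and the 0-based indexing are assumptions of this example.

```python
# Added example, not from the lecture: explicit-state check of the mpx-sem argument for a fixed M.
# Process i (0-based) runs l0 -> l1 -> l2: request y[i] -> l3: critical -> l4: release y[i(+)1] -> l0.
from collections import deque
from itertools import product

def successors(state, M):                       # state = (locations, semaphore array y)
    locs, y = state
    out = []
    for i in range(M):
        l = locs[i]
        if l in (0, 1, 3):                      # l0->l1, l1->l2, l3->l4: y unchanged
            out.append((locs[:i] + (l + 1,) + locs[i + 1:], y))
        elif l == 2 and y[i] > 0:               # rho_l2[i]: y' = update(y, i, y[i] - 1)
            out.append((locs[:i] + (3,) + locs[i + 1:], y[:i] + (y[i] - 1,) + y[i + 1:]))
        elif l == 4:                            # rho_l4[i]: y' = update(y, k, y[k] + 1)
            k = (i + 1) % M                     # k = i (+)_M 1 with 0-based indices
            out.append((locs[:i] + (0,) + locs[i + 1:], y[:k] + (y[k] + 1,) + y[k + 1:]))
    return out

def initial(M):                                 # Theta: all at l0, y[1] = 1, rest 0
    return ((0,) * M, (1,) + (0,) * (M - 1))

def n_at(state, *ls):                           # N_{l1,...,lk}
    return sum(1 for l in state[0] if l in ls)
def mutex(s, M): return n_at(s, 3) <= 1                     # phi:   N_3 <= 1
def phi1(s, M): return all(v >= 0 for v in s[1])            # phi_1: forall j. y[j] >= 0
def phi2(s, M): return n_at(s, 3, 4) + sum(s[1]) == 1       # phi_2: N_{3,4} + sum_j y[j] = 1
def phi12(s, M): return phi1(s, M) and phi2(s, M)

def holds_on_reachable(M, pred):                # invariant: true in every reachable state
    seen, todo = {initial(M)}, deque([initial(M)])
    while todo:
        s = todo.popleft()
        if not pred(s, M):
            return False
        for t in successors(s, M):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return True

def all_states(M, ybound=2):                    # finite cut of the full (not just reachable) state space
    return ((locs, y) for locs in product(range(5), repeat=M)
                      for y in product(range(ybound + 1), repeat=M))

def is_inductive(M, pred):                      # pred(s) and s -> t imply pred(t), over all states
    return all(all(pred(t, M) for t in successors(s, M)) for s in all_states(M) if pred(s, M))

def implies(M, pred, goal):                     # pred -> goal, over all states
    return all(goal(s, M) for s in all_states(M) if pred(s, M))
```

Running is_inductive(3, mutex) finds a state such as two processes waiting at ℓ2 with y = (0, 1, 0) and one process already at ℓ3, which satisfies N_3 ≤ 1 but has a successor violating it; that is exactly why the lecture strengthens φ to φ1 ∧ φ2.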

Slide 9-21. Example: The Dining Philosophers Problem (multiple resource allocation), Fig. 2.14
  • M philosophers are seated at a round table
  • Each philosopher alternates between a "thinking" phase and an "eating" phase
  • M chopsticks, one between every two philosophers
  • A philosopher needs 2 chopsticks (left & right) to eat

Slide 9-22. Dining philosophers setup (Fig. 2.14). [figure: philosophers P1, ..., P6 around the table with chopsticks c1, ..., c6 between them]

Slide 9-23. Program dine (Fig. 2.15) (a simple solution to the dining philosophers problem)
  Philosopher $P_i$: process $P[i]$
  "thinking" phase: noncritical
  "eating" phase: critical
For philosopher j,
  • $c[j]$ represents the availability of the left chopstick ($c[j] = 1$ iff the chopstick is available)
  • $c[j \oplus_M 1]$ represents the availability of the right chopstick
[figure: $P_{j-1}$, $c[j]$, $P_j$, $c[j \oplus_M 1]$, $P_{j \oplus_M 1}$]

Slide 9-24. Program dine (Fig. 2.15). [figure only]

Slide 9-25. Specification: Chopstick Exclusion
  $\Box\, \forall j \in [1..M].\ \neg(at_{\ell_4[j]} \wedge at_{\ell_4[j \oplus_M 1]})$   ($\psi$)
Mutual exclusion between every two adjacent philosophers.
Proof:
  • $\varphi_0$ and $\varphi_1$ are inductive:
    $\varphi_0: \forall j \in [1..M].\ c[j] \geq 0$
    $\varphi_1: \forall j \in [1..M].\ at_{\ell_{4..6}[j]} + at_{\ell_{3..5}[j \oplus_M 1]} + c[j \oplus_M 1] = 1$
  • Then,
    $at_{\ell_4[j]} + at_{\ell_4[j \oplus_M 1]} \leq at_{\ell_{4..6}[j]} + at_{\ell_{3..5}[j \oplus_M 1]} = 1 - c[j \oplus_M 1] \leq 1$
    (the equality by $\varphi_1$, the last inequality by $\varphi_0$). Chopstick Exclusion OK.

Slide 9-26. Problem: possible deadlock ("starvation")
  P[1]: ℓ2: request c[1]; ℓ3: request c[2]
  ...
  P[M]: ℓ2: request c[M]; ℓ3: request c[1]
[figure: $P_M$, $c[M]$, $P_1$, $c[1]$, $P_2$, $c[2]$, ..., with an arrow marking each process at ℓ3]

Slide 9-27. Solution: One Philosopher Excluded (keeping the symmetry)
  • Two-room philosophers' world (Fig. 2.18): philosophers are "thinking" at the library and "eating" at the dining hall. When a philosopher finishes "eating" he returns to the library to "think".
  • Program dine-excl (Fig. 2.17): an additional semaphore variable r, the "door keeper" (initially r = M − 1). No more than M − 1 philosophers are admitted to the dining hall at the same time.

Slide 9-28. Two-room philosophers' world (Fig. 2.18). [figure: library and dining hall]
