
Termination. Dr. Liam O'Connor, University of Edinburgh LFCS (and UNSW)

  1. Termination Deadlock
     Termination. Dr. Liam O'Connor, University of Edinburgh LFCS (and UNSW), Term 2 2020

  2. Where we are at
     In the last lecture, we introduced message passing and discussed simple non-compositional proof techniques for synchronous message passing. This lecture, we'll be looking at proof methods for termination (convergence and deadlock freedom) in sequential, shared-variable concurrent, and message-passing concurrent settings.

  3. Termination
     For programs that do terminate, termination is often the most important liveness property. In addition to the typical cause of non-termination for sequential programs, namely divergence, concurrent programs can also deadlock.
     termination = convergence + deadlock-freedom
     Definition. A program is $\varphi$-convergent if it cannot diverge (run forever) when started in an initial state satisfying $\varphi$. Instead, it must terminate, or become deadlocked.
     To prove convergence, we prove that there is a bound on the remaining computation steps from any state that the program reaches. [Is this yet another excuse for maths?]

  4. Ordered and Wellfounded Sets
     In maths, this bound condition is formalised by the concept of a wellfounded set. Recall that, on a set $W$, the binary relation ${\prec} \subseteq W^2$ is a (strict) partial order if it is irreflexive ($a \not\prec a$), asymmetric ($a \prec b \Rightarrow b \not\prec a$), and transitive ($a \prec b \wedge b \prec c \Rightarrow a \prec c$).
     Definition. A partially ordered set $(W, \prec)$ is wellfounded if every descending sequence $\langle w_0 \succ w_1 \succ \ldots \rangle$ in $(W, \prec)$ is finite.
     Note. Realise that infinite ascending sequences are not ruled out.

  5. WFOs
     Example (Wellfounded Orders). $(\mathbb{N}, <)$ is wellfounded. $(\mathbb{N}, >)$ and $(\mathbb{Z}, <)$ are not wellfounded.
     Lexicographical order: Given two wellfounded sets $(W_1, \prec_1)$ and $(W_2, \prec_2)$, also $(W_1 \times W_2, <_{lex})$ with $(m_1, n_1) <_{lex} (m_2, n_2)$ iff $(m_1 \prec_1 m_2) \vee ((m_1 = m_2) \wedge (n_1 \prec_2 n_2))$ is wellfounded.
     Componentwise order: Given a family $(W_i, \prec_i)_{1 \le i \le n}$ of wellfounded sets, $(W_1 \times \ldots \times W_n, <_{cw})$ with $(w_1, \ldots, w_n) <_{cw} (w'_1, \ldots, w'_n)$ iff $\exists i.\ w_i \prec_i w'_i \wedge \forall k \neq i.\ w_k \preceq_k w'_k$ is wellfounded.

  6. Floyd's Wellfoundedness Method
     Given a transition diagram $P = (L, T, s, t)$ and a precondition $\varphi$, we can prove $\varphi$-convergence of $P$ by:
     1. finding an inductive assertion network $Q : L \to (\Sigma \to \mathbb{B})$ and showing that $\models \varphi \Rightarrow Q_s$;
     2. choosing a wellfounded set $(W, \prec)$ and a network $(\rho_\ell)_{\ell \in L}$ of partially defined ranking functions from $\Sigma$ to $W$ such that $Q_\ell$ implies that $\rho_\ell$ is defined, and every transition $\ell \xrightarrow{b;\,f} \ell' \in T$ decreases the ranking function, that is: $\models Q_\ell \wedge b \Rightarrow \rho_\ell \succ (\rho_{\ell'} \circ f)$.

  7. Example 1
     Let $\Sigma = [\{x\} \to \mathbb{R}]$. Observe that $(\mathbb{R}, <)$ is not wellfounded.
     Transition system: $s \xrightarrow{x > 0} \ell$, $\ell \xrightarrow{x \leftarrow x - 1} s$, $s \xrightarrow{x \le 0} t$.
     Assertion network: $Q_s = \mathrm{True}$, $Q_\ell = x > 0$, $Q_t = \mathrm{True}$.
     Ranking functions: $\rho_s = (\max(\lceil x \rceil, 0), 1)$, $\rho_\ell = (\max(\lceil x \rceil, 0), 0)$, $\rho_t = (0, 0)$.
     WFO: $(\mathbb{N} \times \mathbb{N}, <_{lex})$.

  8. Example 1 (continued)
     Transition $s \xrightarrow{x > 0} \ell$: $\models \mathrm{True} \wedge x > 0 \Rightarrow (\max(\lceil x \rceil, 0), 1) >_{lex} ((\max(\lceil x \rceil, 0), 0) \circ \mathit{id})$ $\Leftarrow$ $\models (\lceil x \rceil, 1) >_{lex} (\lceil x \rceil, 0) \wedge (0, 1) >_{lex} (0, 0)$.
     Transition $\ell \xrightarrow{x \leftarrow x - 1} s$: $\models x > 0 \wedge \mathrm{True} \Rightarrow (\max(\lceil x \rceil, 0), 0) >_{lex} ((\max(\lceil x \rceil, 0), 1) \circ \llbracket x \leftarrow x - 1 \rrbracket)$ $\Leftarrow$ $\models x > 0 \Rightarrow \lceil x \rceil > \lceil x - 1 \rceil \ge 0$.
     Transition $s \xrightarrow{x \le 0} t$: $\models \mathrm{True} \wedge x \le 0 \Rightarrow (\max(\lceil x \rceil, 0), 1) >_{lex} (0, 0)$ $\Leftarrow$ $\models (0, 1) >_{lex} (0, 0)$.
     ... shows that $P$ is True-convergent.
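The verification conditions above, checked mechanically. This Python block is an added example and not code from the slides: it encodes the transition diagram, the assertion network and the partial ranking functions of Example 1 (with $\rho_\ell$ undefined outside $x > 0$, as on the "Example 1 again" slide) and evaluates Floyd's three conditions on a constructed sample of real-valued states. The names TRANSITIONS, Q, RHO, SAMPLE, floyd_violations and run are my own; passing on a finite sample is evidence that the networks are right, not the proof the slide gives.

```python
import math

# Constructed model of Example 1 (not code from the slides): locations s, l, t and
# transitions s -(x>0)-> l, l -(x<-x-1)-> s, s -(x<=0)-> t over Sigma = [{x} -> R].
TRANSITIONS = [  # (source, guard b, state transformer f, target)
    ("s", lambda x: x > 0,  lambda x: x,     "l"),
    ("l", lambda x: True,   lambda x: x - 1, "s"),
    ("s", lambda x: x <= 0, lambda x: x,     "t"),
]
# Inductive assertion network Q : L -> (Sigma -> B) from the Example 1 slide.
Q = {"s": lambda x: True, "l": lambda x: x > 0, "t": lambda x: True}
# Partial ranking functions into (N x N, <_lex); None encodes "undefined".
# rho_l is only defined where Q_l holds ("only def for x > 0").
RHO = {
    "s": lambda x: (max(math.ceil(x), 0), 1),
    "l": lambda x: (max(math.ceil(x), 0), 0) if x > 0 else None,
    "t": lambda x: (0, 0),
}
# Constructed sample of real-valued states on which to evaluate the conditions.
SAMPLE = [-2.5, -1.0, 0.0, 0.3, 1.0, 1.5, 2.0, 3.7, 10.0]

def lex_less(a, b):
    """(m1, n1) <_lex (m2, n2) iff m1 < m2, or m1 == m2 and n1 < n2 (WFOs slide)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] < b[1])

def floyd_violations(states, rho=RHO):
    """Evaluate Floyd's verification conditions on a finite sample of states.
    Returns the failing (condition, location, x) triples; an empty list is
    evidence on the sample, not a proof over all of R."""
    bad = [("defined", loc, x) for loc, q in Q.items()      # Q_l  =>  rho_l defined
           for x in states if q(x) and rho[loc](x) is None]
    for src, guard, f, dst in TRANSITIONS:
        for x in states:
            if not (Q[src](x) and guard(x)):                 # only where Q_l ^ b holds
                continue
            if not Q[dst](f(x)):                             # Q_l ^ b  =>  Q_l' o f
                bad.append(("inductive", src, x))
            before, after = rho[src](x), rho[dst](f(x))
            if after is None or not lex_less(after, before):  # rho_l >_lex rho_l' o f
                bad.append(("decrease", src, x))
    return bad

def run(x, limit=10_000):
    """Execute P from s; returns (final location, steps taken). The ranking
    functions predict 2 * max(ceil(x), 0) + 1 steps before reaching t."""
    loc, steps = "s", 0
    while loc != "t" and steps < limit:
        _, _, f, dst = next(tr for tr in TRANSITIONS if tr[0] == loc and tr[1](x))
        loc, x, steps = dst, f(x), steps + 1
    return loc, steps
```

Passing a ranking network that drops the second component (so $\rho_s = \rho_\ell$) to floyd_violations shows why the pair is needed: the $s \to \ell$ and $s \to t$ transitions then no longer decrease.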

  9. Soundness & Completeness
     Theorem. Floyd's method is sound, that is, it indeed establishes $\varphi$-convergence.

  10. Soundness & Completeness (continued)
     Theorem. Floyd's method is semantically complete, that is, if $P$ is $\varphi$-convergent, then there exist assertion and ranking function networks satisfying the verification conditions for proving convergence.
     Note. Recall that one might have to add auxiliary variables to the transition system to be able to express assertions. Without them, the method is not complete! "Semantically" means that we do not care about in what language to express the assertions and ranking functions. You may call this cheating.

  11. Simplifying the Method
     We can base convergence proofs on ranking functions only. Although this results in a superficially simpler method, applying it is by no means simpler than Floyd's.
     Given a transition diagram $P = (L, T, s, t)$ and a precondition $\varphi$, we can prove $\varphi$-convergence of $P$ by choosing a wellfounded set $(W, \prec)$ and a network $(\rho_\ell)_{\ell \in L}$ of partially defined ranking functions from $\Sigma$ to $W$ such that:
     1. for all $\sigma \in \Sigma$, if $\sigma \models \varphi$, then $\rho_s(\sigma)$ is defined, and
     2. every transition $\ell \xrightarrow{b;\,f} \ell' \in T$ decreases the ranking function, that is, if $\sigma \models b$ and $\rho_\ell(\sigma)$ is defined, then $\rho_{\ell'}(f(\sigma))$ is defined and $\rho_\ell(\sigma) \succ \rho_{\ell'}(f(\sigma))$.

  12. Example 1 again
     Transition system: as before ($s \xrightarrow{x > 0} \ell$, $\ell \xrightarrow{x \leftarrow x - 1} s$, $s \xrightarrow{x \le 0} t$).
     Ranking functions: $\rho_s = (\max(\lceil x \rceil, 0), 1)$; $\rho_\ell = (\max(\lceil x \rceil, 0), 0)$, only defined for $x > 0$!!; $\rho_t = (0, 0)$.

  13. Shared Variables
     Question. How can we extend Floyd's method for proving $\varphi$-convergence to shared-variable concurrent programs $P = P_1 \parallel \ldots \parallel P_n$?
     Answer (simplistic): Construct the product transition system and use Floyd's method on that. This leads to the usual problem of exponentially growing numbers of locations, ranking functions, and thus verification conditions.
     Answer (better): Find a proof principle that relates to Floyd's method as the Owicki/Gries method relates to the inductive assertion method applied to the product transition system (parallel composition as defined in lecture 4).

  14. Local Method for Proving $\varphi$-Convergence
     Suppose that for each $P_i = (L_i, T_i, s_i, t_i)$ we've found a local assertion network $(Q_\ell)_{\ell \in L_i}$, a wellfounded set $(W_i, \prec_i)$, and a network $(\rho_\ell)_{\ell \in L_i}$ of partial ranking functions. (As usual, we assume that the state transformations have been augmented with assignments to auxiliary variables if that is needed.)

  15. Local Method (continued)
     1. Prove that the assertions and ranking functions are locally consistent, i.e., that $\rho_\ell$ is defined whenever $Q_\ell$ is true.
     2. Prove local correctness of every $P_i$, i.e., for $\ell \xrightarrow{b;\,f} \ell' \in T_i$:
        $\models Q_\ell \wedge b \Rightarrow Q_{\ell'} \circ f$ and $\models Q_\ell \wedge b \Rightarrow \rho_\ell \succ_i (\rho_{\ell'} \circ f)$.
     3. Prove interference freedom for both local networks, i.e., for $\ell \xrightarrow{b;\,f} \ell' \in T_i$ and $\ell'' \in L_k$, for $k \neq i$:
        $\models Q_\ell \wedge Q_{\ell''} \wedge b \Rightarrow Q_{\ell''} \circ f$ and $\models Q_\ell \wedge Q_{\ell''} \wedge b \Rightarrow \rho_{\ell''} \succeq_k (\rho_{\ell''} \circ f)$.
     4. Prove $\models \varphi \Rightarrow \bigwedge_i Q_{s_i}$.

  16. Example 2
     Let $\Sigma = [\{x\} \to \mathbb{N}]$. Again, show True-convergence.
     $P_1$: WFO $(\mathbb{N} \times \mathbb{N}, <_{lex})$; $P_2$: WFO $(\mathbb{N}, <)$.
     [Figure: transition diagrams of $P_1$ (locations $s_1$, $\ell_1$, $t_1$; transition labels $x > 0;\, x \leftarrow x - 1$, $x \le 0$, $x \leftarrow 0$; assertion $x = 0$; ranking functions $(x, 1)$, $(x, 2)$, $(0, 0)$) and $P_2$ (locations $s_2$, $t_2$; transition label $x = 0$; ranking functions $1$, $0$).]
     The resulting 8 + 9 proof obligations are easily checked.

  17. Soundness & Completeness
     Theorem. The local method is again sound and semantically complete (with auxiliary variables).
     Again, we could "simplify" the method by omitting the assertion network. This requires carefully defining the respective domains of the ranking functions — in fact, one is typically forced to establish that the domains of the ranking functions form an inductive assertion network. So, why bother?

  18. Convergence à la AFR I
     To prove that a synchronous transition diagram $P = P_1 \parallel \ldots \parallel P_n$ (where the $P_i = (L_i, T_i, s_i, t_i)$ with the usual restrictions) is $\varphi$-convergent, omit the last point from the AFR method and then choose WFOs $(W_i, \prec_i)$ and networks $(\rho_\ell)_{\ell \in L_i}$ of local ranking functions only involving $P_i$'s variables, and prove that¹
     1. both networks are locally consistent: for all states $\sigma$, $\sigma \models Q_\ell \Rightarrow \rho_\ell(\sigma) \in W_i$;
     2. for all internal $\ell \xrightarrow{b;\,f} \ell' \in T_i$: $\models Q_\ell \wedge b \Rightarrow \rho_\ell \succ_i (\rho_{\ell'} \circ f)$;

  19. Convergence à la AFR II
     3. local ranking functions cooperate, namely, for every matching pair $\ell_1 \xrightarrow{b;\, C \Leftarrow e;\, f} \ell_2 \in L_i$ and $\ell'_1 \xrightarrow{b';\, C \Rightarrow x;\, f'} \ell'_2 \in L_k$, with $i \neq k$, show:
        $\models I \wedge Q_{\ell_1} \wedge Q_{\ell'_1} \wedge b \wedge b' \Rightarrow ((\rho_{\ell_1}, \rho_{\ell'_1}) >_{cw} (\rho_{\ell_2} \circ g, \rho_{\ell'_2} \circ g))$, where $g = f \circ f' \circ \llbracket x \leftarrow e \rrbracket$.
     ¹ In fact, the first two are the same as for Owicki/Gries.

  20. Example 4
     Let $\Sigma = [\{x, y\} \to \mathbb{R}]$. Precondition: $y \in \mathbb{N}$.
     $P_1$: WFO $(\mathbb{N}^3, <_{lex})$; $P_2$: WFO $(\mathbb{N}, <)$.
     [Figure: transition diagrams of $P_1$ (locations $s_1$, $\ell_1$, $\ell'_1$, $t_1$; ranking functions $(0, x, 1)$, $(0, x, 2)$, $(1, 0, 0)$, $(0, 0, 0)$) and $P_2$ (locations $s_2$, $t_2$; ranking functions $1$, $0$); transition labels $x > 0;\, x \leftarrow x - 1$, $x \le 0$, $C \Leftarrow y$, $C \Rightarrow x$; assertions $x \in \mathbb{N}$.]
