Termination Deadlock

Termination
Dr. Liam O'Connor
University of Edinburgh LFCS (and UNSW)
Term 2 2020
Where we are at
In the last lecture, we introduced message passing and discussed simple non-compositional proof techniques for synchronous message passing. In this lecture, we look at proof methods for termination (convergence and deadlock freedom) in sequential, shared-variable concurrent, and message-passing concurrent settings.
Termination
For programs that do terminate, termination is often the most important liveness property. In addition to the typical cause of non-termination for sequential programs, namely divergence, concurrent programs can also deadlock.

termination = convergence + deadlock-freedom

Definition: A program is $\varphi$-convergent if it cannot diverge (run forever) when started in an initial state satisfying $\varphi$. Instead, it must terminate, or become deadlocked.

To prove convergence, we prove that there is a bound on the remaining computation steps from any state that the program reaches. [Is this yet another excuse for maths?]
Ordered and Wellfounded Sets
In maths, this bound condition is formalised by the concept of a wellfounded set.

Recall that, on a set $W$, the binary relation ${\prec} \subseteq W^2$ is a (strict) partial order if it is irreflexive ($a \not\prec a$), asymmetric ($a \prec b \implies b \not\prec a$), and transitive ($a \prec b \land b \prec c \implies a \prec c$).

Definition: A partially ordered set $(W, \prec)$ is wellfounded if every descending sequence $\langle w_0 \succ w_1 \succ \ldots \rangle$ in $(W, \prec)$ is finite.

Note: Realise that infinite ascending sequences are not ruled out.
WFOs
Example (Wellfounded Orders)
$(\mathbb{N}, <)$ is wellfounded. $(\mathbb{N}, >)$ and $(\mathbb{Z}, <)$ are not wellfounded.

Lexicographical order: Given two wellfounded sets $(W_1, \prec_1)$ and $(W_2, \prec_2)$, also $(W_1 \times W_2, <_{lex})$ with $(m_1, n_1) <_{lex} (m_2, n_2)$ iff $(m_1 \prec_1 m_2) \lor ((m_1 = m_2) \land (n_1 \prec_2 n_2))$ is wellfounded.

Componentwise order: Given a family $(W_i, \prec_i)_{1 \le i \le n}$ of wellfounded sets, $(W_1 \times \ldots \times W_n, <_{cw})$ with $(w_1, \ldots, w_n) <_{cw} (w'_1, \ldots, w'_n)$ iff $\exists i.\ w_i \prec_i w'_i \land \forall k \ne i.\ w_k \preceq_k w'_k$ is wellfounded.
Floyd's Wellfoundedness Method
Given a transition diagram $P = (L, T, s, t)$ and a precondition $\varphi$, we can prove $\varphi$-convergence of $P$ by:
1. finding an inductive assertion network $Q : L \to (\Sigma \to \mathbb{B})$ and showing that $\models \varphi \implies Q_s$;
2. choosing a wellfounded set $(W, \prec)$ and a network $(\rho_\ell)_{\ell \in L}$ of partially defined ranking functions from $\Sigma$ to $W$ such that $Q_\ell$ implies that $\rho_\ell$ is defined, and every transition $\ell \xrightarrow{b;f} \ell' \in T$ decreases the ranking function, that is: $\models Q_\ell \land b \implies \rho_\ell \succ (\rho_{\ell'} \circ f)$.
Example 1
Let $\Sigma = [\{x\} \to \mathbb{R}]$. Observe that $(\mathbb{R}, <)$ is not wellfounded.

Transition system $P$: $s \xrightarrow{x > 0} \ell$, $\ell \xrightarrow{x \leftarrow x - 1} s$, $s \xrightarrow{x \le 0} t$.

Assertion network: $Q_s = \mathit{True}$, $Q_\ell = x > 0$, $Q_t = \mathit{True}$.

Ranking functions: $\rho_s = (\max(\lceil x \rceil, 0), 1)$, $\rho_\ell = (\max(\lceil x \rceil, 0), 0)$, $\rho_t = (0, 0)$.

WFO: $(\mathbb{N} \times \mathbb{N}, <_{lex})$.
Verification conditions for Example 1:
- transition $s \xrightarrow{x > 0} \ell$: $\models \mathit{True} \land x > 0 \implies (\max(\lceil x \rceil, 0), 1) >_{lex} ((\max(\lceil x \rceil, 0), 0) \circ \mathit{id})$, which follows from $\models (\lceil x \rceil, 1) >_{lex} (\lceil x \rceil, 0) \land (0, 1) >_{lex} (0, 0)$.
- transition $\ell \xrightarrow{x \leftarrow x - 1} s$: $\models x > 0 \land \mathit{True} \implies (\max(\lceil x \rceil, 0), 0) >_{lex} ((\max(\lceil x \rceil, 0), 1) \circ [\![x \leftarrow x - 1]\!])$, which follows from $\models x > 0 \implies \lceil x \rceil > \lceil x - 1 \rceil \ge 0$.
- transition $s \xrightarrow{x \le 0} t$: $\models \mathit{True} \land x \le 0 \implies (\max(\lceil x \rceil, 0), 1) >_{lex} (0, 0)$, which follows from $\models (0, 1) >_{lex} (0, 0)$.
... shows that $P$ is $\mathit{True}$-convergent.
Soundness & Completeness
Theorem: Floyd's method is sound, that is, it indeed establishes $\varphi$-convergence.
Theorem: Floyd's method is semantically complete, that is, if $P$ is $\varphi$-convergent, then there exist assertion and ranking function networks satisfying the verification conditions for proving convergence.

Note: Recall that one might have to add auxiliary variables to the transition system to be able to express the assertions. Without them, the method is not complete! "Semantically" means that we do not care in what language the assertions and ranking functions are expressed. You may call this cheating.
Simplifying the Method
We can base convergence proofs on ranking functions only. Although this results in a superficially simpler method, applying it is by no means simpler than Floyd's.

Given a transition diagram $P = (L, T, s, t)$ and a precondition $\varphi$, we can prove $\varphi$-convergence of $P$ by choosing a wellfounded set $(W, \prec)$ and a network $(\rho_\ell)_{\ell \in L}$ of partially defined ranking functions from $\Sigma$ to $W$ such that:
1. for all $\sigma \in \Sigma$, if $\sigma \models \varphi$, then $\rho_s$ is defined, and
2. every transition $\ell \xrightarrow{b;f} \ell' \in T$ decreases the ranking function, that is, if $\sigma \models b$ and $\rho_\ell(\sigma)$ is defined, then $\rho_{\ell'}(f(\sigma))$ is defined and $\rho_\ell(\sigma) \succ \rho_{\ell'}(f(\sigma))$.
Example 1 again
Transition system: $s \xrightarrow{x > 0} \ell$, $\ell \xrightarrow{x \leftarrow x - 1} s$, $s \xrightarrow{x \le 0} t$.

Ranking functions: $\rho_s = (\max(\lceil x \rceil, 0), 1)$, $\rho_\ell = (\max(\lceil x \rceil, 0), 0)$ (only defined for $x > 0$!!), $\rho_t = (0, 0)$.
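The following Python harness is an added example and is not part of the lecture slides. It models the transition diagram of Example 1, implements the lexicographic and componentwise orders from the "Wellfounded Orders" slide, encodes the assertion and ranking networks used in Floyd's method, and also runs the ranking-functions-only variant from "Simplifying the Method", once with the partial $\rho_\ell$ of "Example 1 again" and once with a total $\rho_\ell$ to show why the "only defined for $x > 0$" restriction matters. All function and variable names are my own, and the sample states are constructed. Evaluating verification conditions on a finite set of sample states is a sanity check, not a proof: the slides' method requires the conditions to hold for every state, which is what the hand proof on the Example 1 slide establishes.

```python
"""Added example: sanity-check harness for Example 1 (not from the slides)."""
import math

# Example 1: states are {x: real}; locations s, l (the slides' ell), t.
def guard_pos(st):    return st["x"] > 0
def guard_nonpos(st): return st["x"] <= 0
def guard_true(st):   return True
def dec(st):          return {"x": st["x"] - 1}   # [[x <- x - 1]]
def ident(st):        return st                   # id

# Transitions of P as (source, guard b, update f, target).
TRANSITIONS = [
    ("s", guard_pos,    ident, "l"),
    ("l", guard_true,   dec,   "s"),
    ("s", guard_nonpos, ident, "t"),
]

def lex_less(a, b):
    """(m1, n1) <lex (m2, n2)  iff  m1 < m2  or  (m1 = m2 and n1 < n2)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] < b[1])

def cw_less(a, b):
    """Componentwise order: some w_i < w'_i and every w_k <= w'_k."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))

# Assertion network Q from the slides: Q_s = True, Q_l = x > 0, Q_t = True.
Q = {"s": guard_true, "l": guard_pos, "t": guard_true}

def rank(loc, st):
    """Total ranking network into (N x N, <lex):
    rho_s = (max(ceil x, 0), 1), rho_l = (max(ceil x, 0), 0), rho_t = (0, 0)."""
    m = max(math.ceil(st["x"]), 0)
    return {"s": (m, 1), "l": (m, 0), "t": (0, 0)}[loc]

def rank_partial(loc, st):
    """Same network, but rho_l is only defined for x > 0 (None = undefined)."""
    if loc == "l" and not guard_pos(st):
        return None
    return rank(loc, st)

# Constructed sample states: x <= 0, fractional x > 0 and integral x > 0.
SAMPLE_STATES = [{"x": v} for v in (-2.5, -1, 0, 0.3, 1, 1.5, 2, 3.7, 10)]

def floyd_vcs(states=SAMPLE_STATES):
    """Floyd's method with precondition phi = True: phi => Q_s, Q inductive,
    and every enabled transition satisfies rho_l >lex (rho_l' o f).
    Returns the list of violated conditions (empty = all samples pass)."""
    bad = []
    for st in states:
        if not Q["s"](st):
            bad.append(("phi => Q_s", st))
        for src, g, f, dst in TRANSITIONS:
            if Q[src](st) and g(st):
                nxt = f(st)
                if not Q[dst](nxt):
                    bad.append(("inductive", src, dst, st))
                if not lex_less(rank(dst, nxt), rank(src, st)):
                    bad.append(("ranking", src, dst, st))
    return bad

def simplified_vcs(rho, states=SAMPLE_STATES):
    """Ranking-functions-only method: rho_s defined on every phi-state, and
    whenever sigma |= b and rho_l(sigma) is defined, rho_l'(f(sigma)) is
    defined and strictly smaller.  rho is a (possibly partial) network."""
    bad = []
    for st in states:
        if rho("s", st) is None:
            bad.append(("rho_s undefined", st))
        for src, g, f, dst in TRANSITIONS:
            r = rho(src, st)
            if r is None or not g(st):
                continue
            r2 = rho(dst, f(st))
            if r2 is None or not lex_less(r2, r):
                bad.append(("ranking", src, dst, st))
    return bad

def run(x0, max_steps=1000):
    """Execute P from s with x = x0; return the final x and the ranks visited."""
    loc, st, trace = "s", {"x": x0}, []
    while loc != "t" and len(trace) < max_steps:
        trace.append(rank(loc, st))
        upd, dst = next((f, d) for s_, g, f, d in TRANSITIONS if s_ == loc and g(st))
        st, loc = upd(st), dst
    trace.append(rank(loc, st))
    return st["x"], trace

def strictly_descending(trace):
    """True iff consecutive ranks strictly decrease in <lex."""
    return all(lex_less(b, a) for a, b in zip(trace, trace[1:]))

if __name__ == "__main__":
    print("Floyd VCs violated:", floyd_vcs())
    print("simplified VCs, partial rho_l:", simplified_vcs(rank_partial))
    print("simplified VCs, total rho_l:", simplified_vcs(rank))
    print("run from x = 3.7:", run(3.7))
```

Running `simplified_vcs(rank)` with the total $\rho_\ell$ reports violations for every sample state with $x \le 0$: from such a state the transition $\ell \to s$ maps the rank $(0, 0)$ to $(0, 1)$, which is not a decrease, so condition 2 of the simplified method fails even though location $\ell$ is never reached with $x \le 0$. Restricting the domain of $\rho_\ell$ to $x > 0$ removes exactly those unreachable states from the obligation, which is the role the assertion $Q_\ell = x > 0$ plays in Floyd's method. The `run` function confirms that along an actual execution the ranks form a finite strictly descending chain in $(\mathbb{N} \times \mathbb{N}, <_{lex})$.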
Shared Variables
Question: How can we extend Floyd's method for proving $\varphi$-convergence to shared-variable concurrent programs $P = P_1 \parallel \ldots \parallel P_n$?

Answer (simplistic): Construct the product transition system and use Floyd's method on that. This leads to the usual problem of exponentially growing numbers of locations, ranking functions, and thus verification conditions.

Answer (better): Find a proof principle relating to Floyd's method as the Owicki/Gries method relates to the inductive assertion method applied to the product transition system (parallel composition as defined in lecture 4).