

SLIDE 1

Compositionality Asynchrony

Compositionality and Asynchrony

  • Dr. Liam O’Connor

University of Edinburgh, LFCS (and UNSW), Term 2 2020

SLIDE 2

Where we are at

Last lecture, we looked at proof methods for termination (convergence and deadlock freedom) in sequential, shared-variable concurrent, and message-passing concurrent settings. In this lecture, we conclude our examination of proof methods for concurrency by examining compositional techniques. We will also discuss how to prove properties of asynchronous systems.

SLIDE 3

Analysis of AFR and L&G

Both the AFR method (Apt, Francez and de Roever) and the Levin and Gries method are only applicable to closed systems. That means we always have to reason about the system as a whole, even including users modelled as processes. Using these methods, one cannot reason compositionally. Typically, non-compositional proof methods do not scale and preclude re-use.

SLIDE 6

Quotes on Compositionality

  • de Roever et al.

A compositional proof method is a method by which the specification of a system can be inferred from the specifications of its constituents, without additional information about their internal structure.

  • F. B. Schneider, 1994

Compositionality is a red herring.

SLIDE 8

One more quote

  • Lamport (1997), “Composition: a way to make proofs harder”

Systems are complicated. We master their complexity by building them from simpler components. This suggests that to master the complexity of reasoning about systems, we should prove properties of the separate components and then combine those properties to deduce properties of the entire system. In concurrent systems, the obvious choice of component is the process. So, compositional reasoning has come to mean deducing properties of a system from properties of its processes. I have long felt that this whole approach is rather silly. You don’t design a mutual exclusion algorithm by first designing the individual processes and then hoping that putting them together guarantees mutual exclusion.

SLIDE 9

Compositionally-Inductive Assertion Network

Key Idea: Handle communication with a special logical variable $h$, containing the history of all communication, i.e. a sequence of pairs $\langle C, x\rangle$ of channels and messages.

A local assertion network $Q$ is compositionally-inductive for a sequential synchronous transition diagram $P = (L, T, s, t)$, written $P \vdash Q$, if

  • $\models Q_\ell \wedge b \Rightarrow Q_{\ell'} \circ f$ for each $\ell \xrightarrow{b;\,f} \ell' \in T$ (internal step);
  • $\models Q_\ell \wedge b \Rightarrow Q_{\ell'} \circ (f \circ (h \leftarrow h \cdot \langle C, e\rangle))$ for each $\ell \xrightarrow{b;\,C \Leftarrow e;\,f} \ell' \in T$ (output);
  • $\models Q_\ell \wedge b \Rightarrow \forall x\,\big(Q_{\ell'} \circ (f \circ (h \leftarrow h \cdot \langle C, x\rangle))\big)$ for each $\ell \xrightarrow{b;\,C \Rightarrow x;\,f} \ell' \in T$ (input).

The output case records the value $e$ actually sent; the input case quantifies over $x$ because, reasoning about the process in isolation, we cannot know which value the partner will send.

SLIDE 11

Partial Correctness

Let $Q$ be an assertion network for a process $P$ and $Q_s$ and $Q_t$ be the assertions at the start and end states. Then by inductivity we have the Basic diagram rule:

$$\frac{P \vdash Q}{\{Q_s\}\; P\; \{Q_t\}}$$

We assume the history is empty initially with the Initialization rule:

$$\frac{\{\varphi \wedge h = \varepsilon\}\; P\; \{\psi\}}{\{\varphi\}\; P\; \{\psi\}}$$

SLIDE 13

Parallel composition rule

Provided $\psi_i$ only makes assertions about local variables in $P_i$ and those parts of the history that involve channels read from/written to by $P_i$, we get this compositional parallel composition rule:

$$\frac{\{\varphi_1\}\; P_1\; \{\psi_1\} \qquad \{\varphi_2\}\; P_2\; \{\psi_2\}}{\{\varphi_1 \wedge \varphi_2\}\; P_1 \parallel P_2\; \{\psi_1 \wedge \psi_2\}}$$

Observe that we don’t need to prove anything like interference freedom or generate a proof obligation about each possible communication.

Notation: Define $h|_H$ as the history $h$ filtered to only contain those pairs $\langle C, x\rangle$ where $C \in H$.

SLIDE 15

Example 2 once more

Process $P_1$ (two outputs on $C$): $s_1 \xrightarrow{C \Leftarrow 1} l_1 \xrightarrow{C \Leftarrow 2} t_1$

Process $P_2$ (two inputs on $C$): $s_2 \xrightarrow{C \Rightarrow x} l_2 \xrightarrow{C \Rightarrow x} t_2$

Local assertion networks, writing $\langle C, \cdot\rangle$ for a pair on $C$ carrying some unspecified value:

  • $Q(s_1) \equiv h|_{\{C\}} = \varepsilon$, $\quad Q(l_1) \equiv h|_{\{C\}} = \langle C, 1\rangle$, $\quad Q(t_1) \equiv h|_{\{C\}} = \langle C, 1\rangle \cdot \langle C, 2\rangle$
  • $Q(s_2) \equiv h|_{\{C\}} = \varepsilon$, $\quad Q(l_2) \equiv h|_{\{C\}} = \langle C, x\rangle$, $\quad Q(t_2) \equiv h|_{\{C\}} = \langle C, \cdot\rangle \cdot \langle C, x\rangle$

SLIDE 17

Example 2 once more cont’d

For the two output transitions we need to show

$$\models h|_{\{C\}} = \varepsilon \Rightarrow \big(h|_{\{C\}} = \langle C, 1\rangle\big) \circ (h \leftarrow h \cdot \langle C, 1\rangle) \tag{1}$$

$$\models h|_{\{C\}} = \langle C, 1\rangle \Rightarrow \big(h|_{\{C\}} = \langle C, 1\rangle \cdot \langle C, 2\rangle\big) \circ (h \leftarrow h \cdot \langle C, 2\rangle) \tag{2}$$

which is obvious; and for the two input transitions

$$\models h|_{\{C\}} = \varepsilon \Rightarrow \forall x\,\Big(\big(h|_{\{C\}} = \langle C, x\rangle\big) \circ (h \leftarrow h \cdot \langle C, x\rangle)\Big) \tag{3}$$

$$\models h|_{\{C\}} = \langle C, x\rangle \Rightarrow \forall x\,\Big(\big(h|_{\{C\}} = \langle C, \cdot\rangle \cdot \langle C, x\rangle\big) \circ (h \leftarrow h \cdot \langle C, x\rangle)\Big) \tag{4}$$

which also works out nicely.

SLIDE 18

Example 2 once more cont’d

Using the Basic diagram rule we may now deduce

$$\{h|_{\{C\}} = \varepsilon\}\; C \Leftarrow 1;\, C \Leftarrow 2\; \{h|_{\{C\}} = \langle C, 1\rangle \cdot \langle C, 2\rangle\}$$

$$\{h|_{\{C\}} = \varepsilon\}\; C \Rightarrow x;\, C \Rightarrow x\; \{h|_{\{C\}} = \langle C, \cdot\rangle \cdot \langle C, x\rangle\}$$

before applying the parallel composition rule to obtain

$$\{h|_{\{C\}} = \varepsilon\}\; P\; \{h|_{\{C\}} = \langle C, 1\rangle \cdot \langle C, 2\rangle \wedge h|_{\{C\}} = \langle C, \cdot\rangle \cdot \langle C, x\rangle\}$$

which implies (via the rule of consequence):

$$\{h|_{\{C\}} = \varepsilon\}\; P\; \{x = 2\}$$

and finally the initialisation rule takes us to

$$\{\mathit{True}\}\; P\; \{x = 2\}$$
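The four obligations (1) to (4) and the composed run, checked mechanically. This is an added example in Python and not code from the lecture: it assumes a finite message domain {1, 2}, histories over C of length at most 2, and a wildcard value standing for the slides' ⟨C, ·⟩; the names `violations`, `run_composed` and `broken_p1` are this example's own. Enumerating a bounded universe of states is a sanity check on an assertion network, not a proof.

```python
"""Bounded check of the compositional inductivity obligations for Example 2.

Added example; it is not code from the lecture. Each process of Example 2
is a sequential synchronous transition diagram. Its assertion network only
mentions h|{C} and the process's own variable x, so the obligations (1)-(4)
can be discharged per process, without the partner. Here we discharge them
by enumerating a bounded universe of states (histories over C of length at
most 2, messages drawn from a constructed domain {1, 2}): a sanity check
that catches a wrong assertion network, not a proof.
"""
from itertools import product

EPS = ()            # the empty history, epsilon
ANY = object()      # wildcard value: the "<C, .>" of the slides
VALUES = (1, 2)     # finite message domain (an assumption of this example)


def restrict(h, channels):
    """h|H: the pairs <channel, message> of h whose channel is in H."""
    return tuple(p for p in h if p[0] in channels)


def matches(h, pattern):
    """Compare a filtered history against a pattern that may contain ANY."""
    return len(h) == len(pattern) and all(
        pc == c and (pv is ANY or pv == v)
        for (pc, pv), (c, v) in zip(pattern, h))


def on_c(pattern):
    """Build the local assertion 'h|{C} = pattern' as a predicate on states."""
    return lambda st: matches(restrict(st["h"], {"C"}), pattern)


# P1: s1 --C<=1--> l1 --C<=2--> t1.  Transitions are (from, kind, arg, to);
# kind "out" sends the constant arg, kind "in" receives into variable arg.
P1 = {
    "locs": {"s1": on_c(EPS),
             "l1": on_c((("C", 1),)),
             "t1": on_c((("C", 1), ("C", 2)))},
    "trans": [("s1", "out", 1, "l1"), ("l1", "out", 2, "t1")],
}

# P2: s2 --C=>x--> l2 --C=>x--> t2.  Its assertions refer to the local x,
# which is why they are predicates on the state rather than fixed patterns.
P2 = {
    "locs": {"s2": on_c(EPS),
             "l2": lambda st: on_c((("C", st["x"]),))(st),
             "t2": lambda st: on_c((("C", ANY), ("C", st["x"])))(st)},
    "trans": [("s2", "in", "x", "l2"), ("l2", "in", "x", "t2")],
}


def universe(max_len=2):
    """Every state (h, x) with |h| <= max_len over channel C and VALUES."""
    hists = [tuple(("C", v) for v in vs)
             for n in range(max_len + 1) for vs in product(VALUES, repeat=n)]
    return [{"h": h, "x": x} for h in hists for x in (None,) + VALUES]


def violations(proc, states=None):
    """Check each transition of one process in isolation.

    Output l --C<=e--> l':  Q_l  =>  Q_l' o (h <- h.<C,e>)
    Input  l --C=>x--> l':  Q_l  =>  forall x. Q_l' o (h <- h.<C,x>)
    (all guards b are True in Example 2).  Returns the failing cases."""
    states = universe() if states is None else states
    bad = []
    for src, kind, arg, dst in proc["trans"]:
        for st in states:
            if not proc["locs"][src](st):
                continue                      # Q_l false: nothing to prove
            if kind == "out":
                nxt = {**st, "h": st["h"] + (("C", arg),)}
                if not proc["locs"][dst](nxt):
                    bad.append((src, dst, st))
            else:                             # the forall x of obligations (3)/(4)
                for v in VALUES:
                    nxt = {**st, "h": st["h"] + (("C", v),), arg: v}
                    if not proc["locs"][dst](nxt):
                        bad.append((src, dst, st, v))
    return bad


def broken_p1():
    """P1 with a wrong assertion at l1 (claims <C,2> was sent first): the
    checker must report the s1 -> l1 transition.  Constructed negative case."""
    return {"locs": {**P1["locs"], "l1": on_c((("C", 2),))}, "trans": P1["trans"]}


def run_composed():
    """Execute P1 || P2 with synchronous rendezvous on C and return the final
    state; the conjunction of the two local assertions is checked at every
    location pair, as the parallel composition rule promises."""
    st, loc1, loc2 = {"h": EPS, "x": None}, "s1", "s2"
    while True:
        outs = [t for t in P1["trans"] if t[0] == loc1]
        ins = [t for t in P2["trans"] if t[0] == loc2]
        if not outs or not ins:
            return st
        (_, _, e, loc1), (_, _, var, loc2) = outs[0], ins[0]
        st = {**st, "h": st["h"] + (("C", e),), var: e}   # one rendezvous on C
        assert P1["locs"][loc1](st) and P2["locs"][loc2](st)


if __name__ == "__main__":
    print("P1 violations:", violations(P1))
    print("P2 violations:", violations(P2))
    print("broken P1 violations:", violations(broken_p1())[:1])
    print("final state of P1 || P2:", run_composed())
```

Note that `violations(P2)` never looks at `P1`: the input obligations are discharged for every value in the domain, which is exactly the ∀x of (3) and (4). The composed run then only confirms what the parallel composition rule already gives, that both local postconditions hold together, so x = 2.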

SLIDE 22

Merge Example

Locations $q_0, q_1, q_2, q_3, q_4, q_t$; the process first reads one value from each input, then repeatedly outputs the smaller one and refills from the input it came from, until both inputs are at $\mathit{EOF}$:

  • $q_0 \xrightarrow{\mathit{inX} \Rightarrow x} q_1 \xrightarrow{\mathit{inY} \Rightarrow y} q_2$
  • $q_2 \xrightarrow{x \neq \mathit{EOF} \wedge x \leq y;\; \mathit{out} \Leftarrow x} q_3 \xrightarrow{\mathit{inX} \Rightarrow x} q_2$
  • $q_2 \xrightarrow{y \neq \mathit{EOF} \wedge y \leq x;\; \mathit{out} \Leftarrow y} q_4 \xrightarrow{\mathit{inY} \Rightarrow y} q_2$
  • $q_2 \xrightarrow{x = y = \mathit{EOF}} q_t$

SLIDE 23

Assertions

Let $\hat\theta$ denote the history sequence $\theta$ without channel data, i.e. just the messages. Then our desired postcondition is:

$$\phi \equiv \exists \alpha\beta.\; h|_{\{\mathit{inX}\}} = \alpha \cdot \langle \mathit{inX}, \mathit{EOF}\rangle \wedge h|_{\{\mathit{inY}\}} = \beta \cdot \langle \mathit{inY}, \mathit{EOF}\rangle \wedge \big(\mathit{sorted}(\hat\alpha) \wedge \mathit{sorted}(\hat\beta) \Rightarrow h|_{\{\mathit{out}\}} = \mathit{sort}(\hat\alpha \cdot \hat\beta)\big)$$

The assertion network:

  • $Q(q_0) \equiv h|_{\{\mathit{inX},\mathit{inY},\mathit{out}\}} = \varepsilon$
  • $Q(q_1) \equiv h|_{\{\mathit{inX}\}} = \langle \mathit{inX}, x\rangle \wedge h|_{\{\mathit{inY},\mathit{out}\}} = \varepsilon$
  • $Q(q_2) \equiv \exists \alpha\beta.\; h|_{\{\mathit{inX}\}} = \alpha \cdot \langle \mathit{inX}, x\rangle \wedge h|_{\{\mathit{inY}\}} = \beta \cdot \langle \mathit{inY}, y\rangle \wedge \big(\mathit{sorted}(\hat\alpha) \wedge \mathit{sorted}(\hat\beta) \Rightarrow h|_{\{\mathit{out}\}} = \mathit{sort}(\hat\alpha \cdot \hat\beta)\big)$
  • $Q(q_3) \equiv \exists \alpha\beta.\; h|_{\{\mathit{inX}\}} = \alpha \wedge h|_{\{\mathit{inY}\}} = \beta \cdot \langle \mathit{inY}, y\rangle \wedge \big(\mathit{sorted}(\hat\alpha) \wedge \mathit{sorted}(\hat\beta) \Rightarrow h|_{\{\mathit{out}\}} = \mathit{sort}(\hat\alpha \cdot \hat\beta)\big)$
  • $Q(q_4) \equiv \exists \alpha\beta.\; h|_{\{\mathit{inX}\}} = \alpha \cdot \langle \mathit{inX}, x\rangle \wedge h|_{\{\mathit{inY}\}} = \beta \wedge \big(\mathit{sorted}(\hat\alpha) \wedge \mathit{sorted}(\hat\beta) \Rightarrow h|_{\{\mathit{out}\}} = \mathit{sort}(\hat\alpha \cdot \hat\beta)\big)$
  • $Q(q_t) \equiv \phi$

Inductivity will be informally demonstrated.

SLIDE 25

Asynchrony

Consider the example of a process $P$ that sends a file $a$ on the channel $C$ to the process $Q$, which saves it to $b$.

Process $P$ (start $p_s$, end $p_t$):

  • $p_s \xrightarrow{a[i] \neq \mathit{EOF};\; C \Leftarrow a[i];\; i \leftarrow i+1} p_s$
  • $p_s \xrightarrow{a[i] = \mathit{EOF};\; C \Leftarrow \mathit{EOF};\; i \leftarrow i+1} p_t$

Process $Q$ (start $q_s$, end $q_t$):

  • $q_s \xrightarrow{C \Rightarrow b[j];\; j \leftarrow j+1} q_s$
  • $q_s \xrightarrow{j > 0 \wedge b[j-1] = \mathit{EOF}} q_t$

How do we verify this if $C$ is asynchronous?

SLIDE 27

Convert to Synchronous

Replace the asynchronous channel $C$ by two synchronous channels $A$ and $B$ and a queue process $C$ between them:

Process $P$:

  • $p_s \xrightarrow{a[i] \neq \mathit{EOF};\; A \Leftarrow a[i];\; i \leftarrow i+1} p_s$
  • $p_s \xrightarrow{a[i] = \mathit{EOF};\; A \Leftarrow \mathit{EOF};\; i \leftarrow i+1} p_t$

Process $Q$:

  • $q_s \xrightarrow{B \Rightarrow b[j];\; j \leftarrow j+1} q_s$
  • $q_s \xrightarrow{j > 0 \wedge b[j-1] = \mathit{EOF}} q_t$

Queue process $C$ (a single location, local queue $q$, initially $\varepsilon$):

  • $A \Rightarrow x;\; q \leftarrow q \cdot x$
  • $q \neq \varepsilon;\; B \Leftarrow \mathit{head}(q);\; q \leftarrow \mathit{tail}(q)$

SLIDE 29

Compositionally

By adding an extra process with two synchronous channels to explicitly manage the queue, we convert this asynchronous system to a synchronous one. We can now use AFR, Levin and Gries, or the compositional method.

Using the compositional method, we have the desired postcondition:

$$\exists i.\; a[i] = \mathit{EOF} \wedge a[0 \ldots i] = b[0 \ldots i]$$

And the following assertion network:

  • $Q(p_s) \equiv \hat{h}|_{\{A\}} = a[0 \ldots i] \wedge \mathit{EOF} \notin a[0 \ldots i]$
  • $Q(p_t) \equiv \hat{h}|_{\{A\}} = a[0 \ldots i] \wedge \mathit{EOF} \notin a[0 \ldots i-1] \wedge a[i-1] = \mathit{EOF}$
  • $Q(q_s) \equiv \hat{h}|_{\{B\}} = b[0 \ldots j]$
  • $Q(q_t) \equiv \hat{h}|_{\{B\}} = b[0 \ldots j] \wedge b[j-1] = \mathit{EOF}$
  • $Q(C) \equiv \hat{h}|_{\{A\}} = \hat{h}|_{\{B\}} \cdot q$

Proof obligations will be informally described.
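The converted system explored exhaustively, as an added example in Python that is not code from the lecture. The processes P, Q and C, the channels A and B and the EOF sentinel are the slides'; the file contents, the state encoding and the names `step`, `network_holds`, `explore` and `transfer_ok` are this example's own assumptions. A breadth-first search over every interleaving checks the assertion network above, in particular Q(C), at each reachable global state, and the postcondition at each terminal state. That confirms the network for one input; the compositional proof discharges the obligations once for all inputs.

```python
"""Exhaustive interleaving check of the file transfer after its conversion
to a synchronous system with an explicit queue process C.

Added example; it is not code from the lecture. A global state is the tuple
(pl, ql, i, j, q, b, h):
  pl, ql  locations of P and Q ("ps"/"pt", "qs"/"qt"); C has one location
  i, j    P's send index and Q's receive index
  q       C's local queue
  b       the file as received by Q so far
  h       the communication history, pairs <channel, message>
"""
from collections import deque

EOF = "EOF"     # end-of-file sentinel, as on the slides


def msgs(h, channel):
    """h^|{channel}: the messages sent on `channel`, channel names dropped."""
    return tuple(m for c, m in h if c == channel)


def step(a, s):
    """Successor states of s.  Channels are synchronous: an A step is P's send
    together with C's receive, a B step is C's send together with Q's receive."""
    pl, ql, i, j, q, b, h = s
    succ = []
    if pl == "ps":                    # P: A <= a[i]; i <- i+1  (to pt once a[i] = EOF)
        m = a[i]                      # C: A => x; q <- q.x
        succ.append(("pt" if m == EOF else "ps", ql, i + 1, j,
                     q + (m,), b, h + (("A", m),)))
    if q and ql == "qs":              # C: q != eps; B <= head(q); q <- tail(q)
        succ.append((pl, "qs", i, j + 1, q[1:],          # Q: B => b[j]; j <- j+1
                     b + (q[0],), h + (("B", q[0]),)))
    if ql == "qs" and j > 0 and b[j - 1] == EOF:   # Q: j > 0 and b[j-1] = EOF
        succ.append((pl, "qt", i, j, q, b, h))
    return succ


def network_holds(a, s):
    """The slides' assertion network at state s, reading a[0...i] as a[:i]."""
    pl, ql, i, j, q, b, h = s
    hA, hB = msgs(h, "A"), msgs(h, "B")
    ok = hA == hB + q                                            # Q(C)
    if pl == "ps":
        ok = ok and hA == a[:i] and EOF not in a[:i]             # Q(ps)
    else:
        ok = ok and hA == a[:i] and EOF not in a[:i - 1] and a[i - 1] == EOF   # Q(pt)
    ok = ok and hB == b                                          # Q(qs), and first conjunct of Q(qt)
    if ql == "qt":
        ok = ok and b[j - 1] == EOF                              # Q(qt)
    return ok


def explore(a):
    """BFS over every interleaving from the initial state.  Returns
    (reachable state count, states violating the network, terminal states)."""
    a = tuple(a)
    init = ("ps", "qs", 0, 0, (), (), ())
    seen, frontier, bad, terminal = {init}, deque([init]), [], []
    while frontier:
        s = frontier.popleft()
        if not network_holds(a, s):
            bad.append(s)
        succ = step(a, s)
        if not succ:
            terminal.append(s)
        for t in succ:
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return len(seen), bad, terminal


def transfer_ok(a):
    """True iff the network holds everywhere and every terminal state has both
    processes finished with b equal to a up to and including the first EOF
    (the postcondition, with a[0...i] read inclusively and a[i] = EOF)."""
    a = tuple(a)
    if EOF not in a:
        raise ValueError("the file must be terminated by EOF")
    _, bad, terminal = explore(a)
    want = a[:a.index(EOF) + 1]
    return not bad and bool(terminal) and all(
        pl == "pt" and ql == "qt" and b == want
        for pl, ql, _, _, _, b, _ in terminal)


# A constructed file: the four ELF magic bytes followed by EOF.
FILE = (0x7F, 0x45, 0x4C, 0x46, EOF)

if __name__ == "__main__":
    count, bad, terminal = explore(FILE)
    print(f"{count} reachable states, {len(bad)} violations, {len(terminal)} terminal states")
    print("transfer ok:", transfer_ok(FILE))
```

The history h is part of the state, so every distinct interleaving of A and B steps ends in its own terminal state; for a five-message file there are 42 of them, and Q(C) is what ties the two channel histories together in each. The search also shows why the queue process is enough: with C in place, P never blocks waiting for Q, which is the behaviour the asynchronous channel had.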

SLIDE 32

What Now?

Next lecture, we’ll take a brief detour into the world of process algebra, a high-level formalism for describing concurrent systems. In particular we will examine CCS, but similar principles apply to other formalisms like CSP and ACP. Then, Vladimir will take over for two weeks, discussing distributed algorithms and commitment and consensus topics.