c laus b rabrand s emantics (q1,’05) s ep 29, 2005 c laus b rabrand © 2005, university of aarhus...
Post on 21-Dec-2015
216 Views
Preview:
TRANSCRIPT
CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005
CLAUS BRABRAND
© 2005, University of Aarhus
[ brabrand@daimi.au.dk ] [ http://www.daimi.au.dk/~brabrand/ ]
SEMANTICS (Q1,’05)
WEEK 5: ”CONCURRENCY AND COMMUNICATION”
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 2 ]
SEP 29, 2005
Course Structure
Introduction [background]: Prerequisitional Math // 1 week
Part I [describe/explain/analyze]: Structural Operational Semantics // 3
weeks
Part II [compare/reason]: Concurrency and Communication (CCS) // 1 week
Part III [compare/prove/apply]: Equivalence and Verification // 1 week
Practice [link to real world]: Imperative Features + Sem in Practice // 1 week
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 3 ]
SEP 29, 2005
Week 5 - Outline
Issues from week 4
Motivation: Concurrency vs. Sequentiality Calculus of Communicating Systems (CCS) Syntax for CCS SOS for CCS A Tale of two Coca-Cola Machines On Equivalences and Congruences
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 4 ]
SEP 29, 2005
“3x3 main issues” from week 4
Class X: 1x. Exam: any programming exercises on the exam ? 2x. Exam: any structural induction exercises on the exam ? 3x. Structural Induction: hard !
Class Y: 1y. Exercises: sometimes hard to see what one is to do ! 2y. Exercises: Would like an example solution to an exercise ! 3y. Side-effects: vs. (?)
Class Z: 1z. Exercise 3: “configurations / transitions” in static semantics !? 2z. Terminology: static semantics type checking ? 3z. Terminology: static vs. dynamic semantics ?
|_ e e’ <e,> <e’,>
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 5 ]
SEP 29, 2005
Mini Project
Mini project (cf.: compulsory programme): When?: 7 days: (Oct 3 -- Oct 10, 2005). What?: covering all topics (so far) Why?: chance to learn, measure, and get feedback Who?: everybody (individually) Amount?: roughly corresponds to an exercise class Form?: written, take-home Grading?: [0-4]-scale ~ [Aims & Goals]; (2+ to pass) Correcting?: your teaching assistants Consequences?: project approved attend exam Help?: TAs will answer un-applied understanding Q’s Re-hand-in? ”Good news”: less exercises for classes those 2 weeks
proportionately smaller
but not own TA!
Oct 107
No
Preliminary exam dates (from Faculty of Science):Wednesday 19/10 @ 12:00 – Friday 21/10 @ 12:00
proportionately “less severe”
5M T O T F L S
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 7 ]
SEP 29, 2005
Concurrency vs. Sequentiality
Sequential programming: Describe computation as a “reduction” of expressions to values Inherently deterministic Termination often desirable Resulting value is of primary interest and focus
Concurrent programming: Describe execution as “process evolution” Describe possible executions (aka. execution traces) Describe possible interactions during execution Describe interaction with an environment Inherently non-deterministic Non-termination often desirable (e.g. Op.Sys., Control sys, Cell-phone, …) Resulting “value” is not (necessarily) interesting
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 8 ]
SEP 29, 2005
Concurrency is much Harder
Harder than sequential programming: Huge number of possible executions Inherently non-deterministic Parallelism conceptually harder
Consequences: Programs are harder to write! Programs are harder to debug! Errors are not always reproducible New kinds of errors possible:
Deadlock, starvation, priority inversion, interference, …
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 9 ]
SEP 29, 2005
Concurrency Problems
Therac-25 Radiation Therapy ’85-’87
Massive overdoses (6 deaths / amputations)!
Mars Pathfinder July ’97
Periodic resets (on mars)!
Windows 95/98 w/ Device Drivers late ’90es
Dysfunction (“blue screen of death”)!
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 10 ]
SEP 29, 2005
Concurrency Problems (cont’d)
Mobile Phones ’00-…
Freeze and odd behaviors (really annoying)!
Cruise Control System Model ’86 [Grady Booch]
Accellerated after car ignition (car crashes)!
…
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 11 ]
SEP 29, 2005
…and what about?
Air Plane Control System
Dysfunction (plane crash)!
Nuclear Powerplant Control System
Core melt-down (“China-syndrome”)!
Projector Temperature Controller
Overheating (Semantics lecture cancellation)! :)
100°C
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 12 ]
SEP 29, 2005
Problem: System Development?
In the presence of all these errors: deadlock, starvation, priority inversion, interference,
anti-cooperation, un-indended execution traces, un-fairness, …
How to…: 1. …design a system that “works” ? 2. …verify that the system is “safe” ? 3. …verify that the system “meets its specification” ?
…and: What does “works”, “safe”, and “to meet a specification” mean ?!?
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 13 ]
SEP 29, 2005
Glasses of Abstraction…
It’s Amazing…
See behind concrete details; perceive only what is relevant and at the appropriate
level of abstraction)!
Only$12,95
“See only the relevant!”
“The Glasses of Abstraction”
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 14 ]
SEP 29, 2005
Solution: Formal Modelling
“Semantics comes to the rescue”: Create models (~ architecture, bridge construction, …)
Formal modelling (e.g., CCS) permits: (Offline) Reasoning understanding (Runtime) Testing confidence (C-time) Property Verification safety (C-time) Specification Verification correctness
Note: “Errors are much cheaper to commit in models than in implementations”
“Never send a human to do a machine’s job”-- A.Smith (’99)
auto-mate
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 15 ]
SEP 29, 2005
Methodology: Model-based Design
Design abstract model
Decompose model
Reason/Test/Verify model individual parts and whole
Recompose insights make model safe
Impl. concrete program
concretize
REAL PROBLEM
SAFE MODEL
SAFE PROGRAM
abstract
? ?
?
?
MODEL
testreason
verify
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 16 ]
SEP 29, 2005
CCS: Why a Calculus (pl. Calculi)
Compositional: ||
Break things into (several) smaller things
Algebraic: , , …
Intuitive ideal (also eases automated verification)
Syntactic: and …
Provide basis for programming languages
P | Q P Q
big
P + Q Q + P P | Q Q | P
P P’P | Q P’ | Q
Q Q’P | Q P | Q’[PAR1] [PAR2]
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 17 ]
SEP 29, 2005
Parallel- vs. Concurrent Programming
Strategy: Optimal strategy for a particular goal Use available resources efficiently
Safety: Conceptually independent players Control interaction and “rules”
The Football Match Analogy:“An analogy that one can make is with football*; - the coach of the team is a parallel programmer while - the referee is a concurrent programmer” -- [P.Panangaden, ’96]
The Referee (~ the concurrent programmer):-- Make sure what is happening is a soccer match
The Trainer (~ the parallel programmer):-- Make sure my agents are performing “optimally”
*/ interpret appropriately on either side of the Atlantic
CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005
CALCULUS OF COMMUNICATING SYSTEMS
CCS: Calculus of Communicating Systems
[ Robin Milner, ’89 ]
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 19 ]
SEP 29, 2005
Concurrency and Communication
Concurrency: Parallel processes (construction ‘P|Q’)
Abstract away (physical) processors Abstract away diff. in real- vs pseudo-parallelism
Communication: Process synchronization (aka. hand-shaking)
Abstract away communication protocol Abstract away actual values passed
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 20 ]
SEP 29, 2005
A process modelling a computer scientist:
Interface:
Process name: CS Input action(s): { coffee } Output action(s): { pub, coin }
Behavior of the process described by a CCS program
Process Interface
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 21 ]
SEP 29, 2005
The Inactive Process: “0”
The inactive process: (aka. “the zero process” or “the nil process”)
Performs no action whatsoever!
Note that it offers: the prototypical behavior of a deadlocked process
(that cannot proceed any further in its execution)
Example:
0
0
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 22 ]
SEP 29, 2005
Action Prefixing: “.P”
Action Prefixing: Can perform action, , after which it behaves like
process, P
Example(s):
Match:
Complex match
.P
strike.0
take.strike.0
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 23 ]
SEP 29, 2005
Named Process: “K”
Named Process: Behaves just like the (statically named) process, K
Example(s):
K
Match = strike.0
CokeM = coin.coke.CokeM
def
def
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 24 ]
SEP 29, 2005
Recursive Processes
Recursive Processes (though naming)
Example:
Expanding the definition we get:
Clock = tick.Clockdef
Clock
= tick.Clock
= tick.tick.Clock
= tick.tick.tick. … .tick.Clock
…
…
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 25 ]
SEP 29, 2005
Non-deterministic Choice: “P+Q”
Non-deterministic choice: Non-deterministic choice between processes P and Q
Initially has the capabilities of both P and Q; but performing an action from P, say, will pre-empt further execution of Q.
Example:
P+Q
Disp = coin.(coke.Disp + sprite.Disp)def
coke
spriteor
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 26 ]
SEP 29, 2005
Parallel Composition: “P|Q”
Parallel Composition: Any independent interleavings of processes P and Q
Also: may communicate (hand-shake): process P using input action, a; process Q corresponding output action, a (or vice versa)
Example: Student: Coke Machine:
P|Q
Stud = read.coin.coke.Studdef
CokeM = coin.coke.CokeMdef
CokeM | Stud
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 27 ]
SEP 29, 2005
Parallel Composition (cont’d)
Stud | CokeM
(Stud | CokeM) | Stud
(Stud | CokeM) | CokeM
Stud CokeM
[ << ? >> ]
[ << ? >> ]
read
coke
coin
coin
coke
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 28 ]
SEP 29, 2005
Restriction: “P\a”
Restriction (private name): Behaves just like P, except cannot make a or a actions
(except within P) Reminiscent of local variables (in private scope)
Example:
P\a
(Stud | CokeM) \ coin \ coke
((Stud | CokeM) \ coin \ coke) | Stud
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 29 ]
SEP 29, 2005
Action Relabelling: “P[f]”
Action Relabelling: Behaves like P, except that actions are renamed
according to action renaming function, f Permits parameterized reuse of processes
Examples:
P[f]
VendingMachine = coin.item.VendingMachine
CokeMachine = VendingMachine[coke/item]
MarsMachine = VendingMachine[mars/item]
def
Note: relabel inputs to inputs (and corresponding outputs to outputs)
def
def
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 31 ]
SEP 29, 2005
Input, output (and internal) action
Actions: Set of Channel Names (input) Set of Channel Co-Names (output) Special silent (invisible/internal) action
tau
Note: inputs and outputs are complementary: Communication: hand-shake on a and a only (no values)
Metavariables:
a A
a A
a = a
a L = A A
Act = L { }
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 32 ]
SEP 29, 2005
CCS Syntax
CCS Syntax:
“0” // inaction “.P” // action prefix “P+P” // non-deterministic choice “P|P” // parallel composition “P\a” // restriction (private name) “P[f]” // action relabelling “K” // process variable
P ::= 0 | .P | P+P | P|P | P\a | P[f] | K
X = P, Y = Q, … def def
a: f(a) = f(a) f() =
f:ActAct
… where
Note: restrictions on f
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 33 ]
SEP 29, 2005
Alternative Syntax
Alternative Syntax (that we will use): Abbreviate inaction termination:
P for P.0 // obvious from context
Parameterized sum: iI Pi for P0 + P1 + … + Pn
Inactive process (as empty sum): iØ Pi for 0
Restriction (by set): P \ L for P \ a1 \ … \ an L={a1,…,an}
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 34 ]
SEP 29, 2005
Algebraic Operator Precedence
1. Restriction and relabelling “P\L” “P[f]” 2. Action prefixing “.P” 3. Parallel composition “P|Q” 4. Summation “P+Q”
Q: How is “R+a.P|b.Q\L” then to be read ?
A: “R+((a.P)|(b.(Q\L)))” !
tightest
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 36 ]
SEP 29, 2005
SOS for CCS
Structural Operational Semantics:
Q: why (tau) in communication “P|Q” (instead of propagating a or a) ?
~ “the unobservable hand-shake”
[RES][REN]
[COM1] [COM2] [COM3]
[ACT] [SUM][DEF]
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 37 ]
SEP 29, 2005
Example Derivation
Assume:
Consider:
A = a.A
(b.0|(A|a.0))[c/a]
def
(b.0 | (A | a.0)) [c/a] (b.0 | (A | a.0)) [c/a]
(b.0 | (A | a.0)) (b.0 | (A | a.0))[REN]
(A | a.0) (A | a.0)[COM2]
A A
a.A A
[COM1]
[DEF]
[ACT]
A = a.Adef
c
a
a
a
a
[RES][REN]
[COM1] [COM2] [COM3]
[ACT] [SUM][DEF]
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 38 ]
SEP 29, 2005
Transition Diagram
Transition Diagram: A visualization of a Labelled Transition System:
Configurations annotated with processes (e.g. ) Transitions annotated with actions (e.g. )
a.0 | a.0
0 | a.0 a.0 | 0
0 | 0
a a
aa
a.0 | 0
a
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 39 ]
SEP 29, 2005
Example: Mutual Exclusion
Example: Mutual exclusion
Q: How are enters and exits related ?
Mutex = (User | Sema) \ p \ v
User = p.enter.exit.v.User
Sema = p.v.Semadef
def
def
System = (User | Sema | User’) \ p \ vdef
User’ = User[enter’/enter,exit’/exit]def
// critical region
semaphore
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 40 ]
SEP 29, 2005
Modelling: Level of Abstraction
Consider a client/server system:
Extremely abstract (high level of abstraction):
Appropriate (level of abstraction) for … :
Extremely concrete (low level of abstraction):
Universe = event.Universedef
NAND_Gate = ...Transistor = ...Accumulator = ......Client = ...
def
def
def
Server = request.process.reply.ServerClient = calc.request.wait.reply.ClientDatabase = ...
high
er le
vel o
f ab
stra
ctio
n
def
def
def
def
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 41 ]
SEP 29, 2005
Concurrency Workbench
[ Concurrency Workbench ]
P
testing (interactive simulation) verification (via logic formulae) dump transition graph (NFA) ...
[ http://homepages.inf.ed.ac.uk/perdita/cwb/summary.html ]
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 42 ]
SEP 29, 2005
CCS Visualizer
[ CCS Visualizer ]
[ http://www.brics.dk/~brabrand/semantics/visualizer.html ]
CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005
A TALE OF TWO COCA-COLA MACHINES
Keywords:
- equality - equivalence (equivalence relations) - congruence
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 44 ]
SEP 29, 2005
Two Dispensers
Dispenser:
Dispenser’: ’’
Would you consider them equal ‘=’ ?
coin . (coke + sprite)
coin.coke + coin.sprite
Would you consider them equivalent ‘’ ?
What does it mean for them to be equivalent ‘’ ?
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 45 ]
SEP 29, 2005
Equal vs. Equivalent
Equal (concrete): 3 = 3
Equivalent (abstract): 3 003 310 0x0316 \0038 00112
3 three 3 3 1+2 3 3 let n=2 in n*(n-1)+(n-2)
ii=0
2
more abstract
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 46 ]
SEP 29, 2005
Trace Equivalence
Definition: Trace Equivalence: Two processes P and Q are trace equivalent “tr” iff:
They can produce the same traces [formal def in Notes]
Example: Traces( )
= { , coin, coin;coke, coin;sprite }
Traces( )
= { , coin, coin;coke, coin;sprite }
coin . (coke + sprite)
coin.coke + coin.sprite
Q: equivalence relation ?
’’’’trHence:
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 47 ]
SEP 29, 2005
Def: Equivalence Relation
Let R be a binary relation over set A: R A A
R is an equivalence relation iff: Reflexive:
Symmetric:
Transitive:
xA: x R x
x,yA: x R y x R y
x,y,zA: x R y y R z x R z
Q: is trace equivalence “tr” an equivalence relation ?
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 48 ]
SEP 29, 2005
Expected Equivalences “R ”
Expected Equivalences “R ”: P+Q R Q+P // ‘+’ commutative (P+Q)+R R P+(Q+R) // ‘+’ associative
i.e. order on ‘+’ irrellevant; we could write: P+Q+R P|Q R Q|P // ‘|’ commutative (P|Q)|R R P|(Q|R) // ‘|’ associative
i.e., order on ‘|’ irrellevant; we could write: P|Q|R P+P R P // idempotent wrt. ‘+’ 0|P R P // ‘0’ is neutral wrt. ‘|’ P\x R P , x names(P) // useless restriction ...
just like1+2+3
just like1+2+3
Q: does trace equivalence “tr” preserve these ?
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 49 ]
SEP 29, 2005
Contextual Composition…?
Recall:
Coke-only(!) drinker:
Contextualcomposition:
coin . (coke + sprite)
coin.coke + coin.sprite ’’
’’tr
What the.. !?
coin . coke . drink
The coke drinkeris certainly able to to distinguish the two dispensers !!
Idea (can we…?):put the two dispensers in acontext where theycan be differentiated !
problematic equality
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 50 ]
SEP 29, 2005
Def: Congruence
Definition: “R ” congrucence: P R Q => C[P] R C[Q] , for all contexts C[]
“relation is preserved under contextual substitution”
A context = a process with a gap:
Examples: P R Q P+R R Q+R P R Q P|S R P|S P R Q a.P R a.Q P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x
[]+R
[]|S
a.[]
?
C : .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a
CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 51 ]
SEP 29, 2005
Solution: Next Week…
Define strong “bisimulation” P ~ Q
The strong bisimulation is a congruence !
Investigate a weak form of bisimulation: P Q
Game characterization of bisimulation [we’ll play it! ]
Investigate a logic that characterizes bisimulation: (i.e., P bisim Q : P |- Q |- ) [if time]
top related