an introduction to input/output automata
DESCRIPTION
An Introduction to Input/Output Automata. Qihua Wang. Organization. Overview of the I/O automaton model Composition of I/O automata Fairness Specification Introduction to proof techniques. Overview of the Model. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/1.jpg)
An Introduction to Input/Output Automata
Qihua Wang
![Page 2: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/2.jpg)
Organization
• Overview of the I/O automaton model• Composition of I/O automata• Fairness• Specification• Introduction to proof techniques
![Page 3: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/3.jpg)
Overview of the Model
• Model for discrete event systems consisting of concurrently-operating components– Instead of simply computing some function of their
input and halting, they receive input from and react to their environment.
– Each system component is modeled as an I/O automaton
![Page 4: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/4.jpg)
Overview of the Model
• Distinction between those actions whose performance is under the control of the automaton and those actions whose performance is under the control of its environment.
• An automaton's actions are classified as either `input', `output', or `internal‘.
Automaton EnvironmentOutput
Input
![Page 5: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/5.jpg)
Overview of the Model
• An automaton can establish restrictions on when it will perform an output or internal action, but it is unable to block the performance of an input action.
• “If the environment behaves correctly, then the automaton behaves correctly.”
![Page 6: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/6.jpg)
Overview of the Model
• I/O automata may be nondeterministic• I/O automata can be composed to yield other
I/O automata• Fair execution• A problem to be solved by an I/O automaton
is formalized as an arbitrary set of (finite and infinite) sequences of external actions.
• Solve a problem• Abstraction mapping
![Page 7: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/7.jpg)
Some Uses
• Describe concurrent algorithms• Algorithm correctness proofs• Complexity analysis
![Page 8: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/8.jpg)
The Input/Output Automaton Model
• Interface between the automaton and environment: action signature – in(S), out(S), int(S)
• External actions– ext(S) = in(S) ∪ out(S)
• Locally-controlled actions: – local(S) = out(S) ∪ int(S)
![Page 9: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/9.jpg)
The Input/Output Automaton Model
• Five components:– An action signature sig(A), – A set states(A) of states, – A nonempty set start(A) in states(A) as start
states,– A transition relation steps(A): states(A) × acts(A)
× states(A) with the property that for every state s’ and input action π there is a transition (s’,π, s) in steps(A),
– An equivalence relation part(A) partitioning the set local(A) into at most a countable number of equivalence classes.
![Page 10: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/10.jpg)
The Input/Output Automaton Model
• If (s’,π, s) a step of A, then π is said to be enabled in s’.
• Two fundamental assumptions– Unable to block its input– The performance of an action is
controlled by at most one system component
![Page 11: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/11.jpg)
The Input/Output Automaton Model
• An execution fragment is a finite sequence s0, π1, s1, π2, …… πn, sn or an infinite sequence of A such that (s’i, πi+1, si+1) is a step of A for every i.
• An execution is an execution fragment beginning with a start state. Denoted the set of executions by execs(A), finexecs(A).
![Page 12: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/12.jpg)
The Input/Output Automaton Model
• The schedule of an execution fragment α is the subsequence of α consisting of the actions appearing in α. The set of schedules is denoted by sched(α), finsched(α).
• The behavior of an execution or schedule α of A is the sequence of α consisting of external actions and is denoted by beh(α).
• Event : A particular occurrence of an action
![Page 13: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/13.jpg)
Candy Machine
• The signature of CM-1
• State of CM-1 : variable ‘button-pushed’• Initial state : button_pushed = 0
![Page 14: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/14.jpg)
Candy Machine
• Transition relation for CM-1
![Page 15: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/15.jpg)
Candy Machine
• CM-2 : HEATHBAR action has ‘false ’ as its precondition.
• CM-3 : All the three candy dispensation actions have ‘false’ as their precondition.
![Page 16: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/16.jpg)
Candy Machine
• Customer CUST-1 continues to request candy bars, nondeterministically choose which button to push. The state of CUST-1 consists of one variable ‘waiting’, which takes on values ‘yes’ and ‘no’.
• CUST-2 pushes button 2 repeatedly until the machine dispenses a HEATHBAR, and then pushes button 1 forever. Besides ‘waiting’, CUST-2 has another state variable ‘heathbar_received’.
![Page 17: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/17.jpg)
Candy Machine
• CUST-3 is similar to CUST-1except that it may make a transition to a ‘satiated’ state from which it no longer requests any candy bars.
![Page 18: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/18.jpg)
Composition• Construct an automaton modeling a complex
system by composing automata modeling the simpler system components.
• When compose a collection of automata, identify an output action π of one automaton with the input action π of each automaton having π as an input action
• When one automaton having π as an output action performs π, all automata having π as an action perform π simultaneously (automata not having π as an action do nothing).
![Page 19: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/19.jpg)
Composition• E.g. in the composition of CM-1 and CUST-
1, the output action PUSH1 of the customer with the input action PUSH1 of the candy machine.
• The occurrence of PUSH1 causes both the candy machine and the customer to perform PUSH1, causing button pushed to be set to 1 in the candy machine's local state, and waiting to be set to `yes' in the customer's local state.
• This synchronization models a form of communication from the customer to the candy machine.
![Page 20: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/20.jpg)
Composition
• A countable collection {Si} of action signatures is said to be strongly compatible if for all i ≠ j, we have1. out(Si) ∩ out(Sj) = Φ,2. int(Si) ∩ acts(Sj) = Φ, and3. No action is contained in infinitely many sets
acts(Si).• A collection of automata are strongly
compatible if their action signatures are strongly compatible
![Page 21: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/21.jpg)
Composition• The composition signature S of a countable collection of
strongly compatible action signatures {Si} is defined to be:
• Internal actions of the components become internal actions of the composition, output actions become output actions, and all other actions become input actions.
![Page 22: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/22.jpg)
Composition
• Automaton composition
– part(A) = ∪part(Ai)
![Page 23: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/23.jpg)
Composition• An execution of a composition induces executions
of the component automata.• Given an execution α = s0 π1 s1 π2 …… of A, let α|Ai
be the sequence obtained by deleting πk sk when πk is not an action of Ai and replacing the remaining sk by sk[i].
![Page 24: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/24.jpg)
Fairness
• The property that infinitely often the component is given the opportunity to perform one of its locally controlled actions– E.g. CUST-4 does not wait for a candy bar before
pressing a button again. One behavior of the composition CM-1∙CUST-4 is the infinite sequence 1111…
– CM-1∙CUST-4 has equivalent classes {S, H, A} and {1, 2}
– Being fair to each component means being fair to each equivalence class of locally controlled actions.
– 11S11S… is a fair behavior of CM-1∙CUST-4
![Page 25: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/25.jpg)
Fairness
• Fair execution: the following condition hold for each equivalence class C:
1. If α is finite, then no action of C is enabled in the final state of α.
2. If α is infinite, then either α contains infinitely many events from C, or α contains infinitely many occurrences of states in which no action of C is enabled.
![Page 26: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/26.jpg)
Problem Specification
• A problem specification is simply a set of allowable `behaviors’.
• The automaton solves the problem in the sense that every `behavior’ it exhibits is a `behavior' allowed by the problem specification.
![Page 27: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/27.jpg)
Problem Specification
• Schedule module H:1. an action signature sig(H), and 2. a set scheds(H) of schedules.
• Fair behaviors• Composition of strongly compatible
schedule modules
![Page 28: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/28.jpg)
Problem Specification
• A problem is simply a schedule module P . • An automaton A solves a problem P if A
and P have the same external action signature and fairbehs(A) fairbehs(P).
• An automaton A implements a problem P if A and P have the same external action signature (that is, the same external interface) and finbehs(A) finbehs(P).
![Page 29: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/29.jpg)
Problem Specification
• Safety properties are informally characterized by the fact that they specify a property that must hold in every state of a computation.
• Liveness properties are informally characterized by the fact that they specify events that must eventually be performed.
![Page 30: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/30.jpg)
Problem Specification
• E.g. SAFE-CM has the same action signature as CM-1, and has as its set of schedules the set of sequences over the symbols 1, 2, S, H, A satisfying the following condition: Every S is immediately preceded by a 1, and every A or H is immediately preceded by a 2.
• Prove that CM-1 is a safe candy machine
![Page 31: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/31.jpg)
Problem Specification
• Define ‘well-formedness’ conditions on the interaction between the machine and its environment
![Page 32: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/32.jpg)
Problem Specification• E.g. Define a sequence of candy machine actions
to be well-formed if it consists of alternating input and output (push and dispensation) actions, starting with an input action.
• LIVE-CM : ‘If the sequence is well-formed, then every 1 event is followed by a later S event, and every 2 event is followed by a later H or A event.’
• CM-3 is not a live candy machine. CM-1 and CM-2 are live candy machines.
![Page 33: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/33.jpg)
Problem Specification
• In general, given an automaton A and a problem P , it is not the case that if A solves P then A implements P , nor is it the case that if A implements P then A solves P .
![Page 34: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/34.jpg)
Proof Techniques
• Modular Decomposition– we reason about the behavior of a composition
by reasoning about the behavior of the component automata individually.
• Hierarchical Decomposition– given automaton solves a second, that the
second solves a third, and so on until the final automaton solves the given problem.
– use possibilities mapping from one automaton to another
![Page 35: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/35.jpg)
Other Application
• Network Resource Allocation• Synchronizers• Communication• Concurrency Control• Shared Atomic Objects• Dataflow• Real-Time Computing
![Page 36: An Introduction to Input/Output Automata](https://reader036.vdocument.in/reader036/viewer/2022062323/56815b0e550346895dc8ba4d/html5/thumbnails/36.jpg)
Thank you!End