CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

CLAUS BRABRAND

© 2005, University of Aarhus

[ brabrand@daimi.au.dk ] [ http://www.daimi.au.dk/~brabrand/ ]

SEMANTICS (Q1,’05)

WEEK 5: ”CONCURRENCY AND COMMUNICATION”

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 2 ]

SEP 29, 2005

Course Structure

Introduction [background]: Prerequisitional Math // 1 week

Part I [describe/explain/analyze]: Structural Operational Semantics // 3

weeks

Part II [compare/reason]: Concurrency and Communication (CCS) // 1 week

Part III [compare/prove/apply]: Equivalence and Verification // 1 week

Practice [link to real world]: Imperative Features + Sem in Practice // 1 week

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 3 ]

SEP 29, 2005

Week 5 - Outline

Issues from week 4

Motivation: Concurrency vs. Sequentiality Calculus of Communicating Systems (CCS) Syntax for CCS SOS for CCS A Tale of two Coca-Cola Machines On Equivalences and Congruences

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 4 ]

SEP 29, 2005

“3x3 main issues” from week 4

Class X: 1x. Exam: any programming exercises on the exam ? 2x. Exam: any structural induction exercises on the exam ? 3x. Structural Induction: hard !

Class Y: 1y. Exercises: sometimes hard to see what one is to do ! 2y. Exercises: Would like an example solution to an exercise ! 3y. Side-effects: vs. (?)

Class Z: 1z. Exercise 3: “configurations / transitions” in static semantics !? 2z. Terminology: static semantics type checking ? 3z. Terminology: static vs. dynamic semantics ?

|_ e e’ <e,> <e’,>

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 5 ]

SEP 29, 2005

Mini Project

Mini project (cf.: compulsory programme): When?: 7 days: (Oct 3 -- Oct 10, 2005). What?: covering all topics (so far) Why?: chance to learn, measure, and get feedback Who?: everybody (individually) Amount?: roughly corresponds to an exercise class Form?: written, take-home Grading?: [0-4]-scale ~ [Aims & Goals]; (2+ to pass) Correcting?: your teaching assistants Consequences?: project approved attend exam Help?: TAs will answer un-applied understanding Q’s Re-hand-in? ”Good news”: less exercises for classes those 2 weeks

proportionately smaller

but not own TA!

Oct 107

No

Preliminary exam dates (from Faculty of Science):Wednesday 19/10 @ 12:00 – Friday 21/10 @ 12:00

proportionately “less severe”

5M T O T F L S

CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

CONCURRENCY VS. SEQUENTIALITY

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 7 ]

SEP 29, 2005

Concurrency vs. Sequentiality

Sequential programming: Describe computation as a “reduction” of expressions to values Inherently deterministic Termination often desirable Resulting value is of primary interest and focus

Concurrent programming: Describe execution as “process evolution” Describe possible executions (aka. execution traces) Describe possible interactions during execution Describe interaction with an environment Inherently non-deterministic Non-termination often desirable (e.g. Op.Sys., Control sys, Cell-phone, …) Resulting “value” is not (necessarily) interesting

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 8 ]

SEP 29, 2005

Concurrency is much Harder

Harder than sequential programming: Huge number of possible executions Inherently non-deterministic Parallelism conceptually harder

Consequences: Programs are harder to write! Programs are harder to debug! Errors are not always reproducible New kinds of errors possible:

Deadlock, starvation, priority inversion, interference, …

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 9 ]

SEP 29, 2005

Concurrency Problems

Therac-25 Radiation Therapy ’85-’87

Massive overdoses (6 deaths / amputations)!

Mars Pathfinder July ’97

Periodic resets (on mars)!

Windows 95/98 w/ Device Drivers late ’90es

Dysfunction (“blue screen of death”)!

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 10 ]

SEP 29, 2005

Concurrency Problems (cont’d)

Mobile Phones ’00-…

Freeze and odd behaviors (really annoying)!

Cruise Control System Model ’86 [Grady Booch]

Accellerated after car ignition (car crashes)!

…

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 11 ]

SEP 29, 2005

…and what about?

Air Plane Control System

Dysfunction (plane crash)!

Nuclear Powerplant Control System

Core melt-down (“China-syndrome”)!

Projector Temperature Controller

Overheating (Semantics lecture cancellation)! :)

100°C

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 12 ]

SEP 29, 2005

Problem: System Development?

In the presence of all these errors: deadlock, starvation, priority inversion, interference,

anti-cooperation, un-indended execution traces, un-fairness, …

How to…: 1. …design a system that “works” ? 2. …verify that the system is “safe” ? 3. …verify that the system “meets its specification” ?

…and: What does “works”, “safe”, and “to meet a specification” mean ?!?

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 13 ]

SEP 29, 2005

Glasses of Abstraction…

It’s Amazing…

See behind concrete details; perceive only what is relevant and at the appropriate

level of abstraction)!

Only$12,95

“See only the relevant!”

“The Glasses of Abstraction”

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 14 ]

SEP 29, 2005

Solution: Formal Modelling

“Semantics comes to the rescue”: Create models (~ architecture, bridge construction, …)

Formal modelling (e.g., CCS) permits: (Offline) Reasoning understanding (Runtime) Testing confidence (C-time) Property Verification safety (C-time) Specification Verification correctness

Note: “Errors are much cheaper to commit in models than in implementations”

“Never send a human to do a machine’s job”-- A.Smith (’99)

auto-mate

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 15 ]

SEP 29, 2005

Methodology: Model-based Design

Design abstract model

Decompose model

Reason/Test/Verify model individual parts and whole

Recompose insights make model safe

Impl. concrete program

concretize

REAL PROBLEM

SAFE MODEL

SAFE PROGRAM

abstract

? ?

?

?

MODEL

testreason

verify

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 16 ]

SEP 29, 2005

CCS: Why a Calculus (pl. Calculi)

Compositional: ||

Break things into (several) smaller things

Algebraic: , , …

Intuitive ideal (also eases automated verification)

Syntactic: and …

Provide basis for programming languages

P | Q P Q

big

P + Q Q + P P | Q Q | P

P P’P | Q P’ | Q

Q Q’P | Q P | Q’[PAR1] [PAR2]

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 17 ]

SEP 29, 2005

Parallel- vs. Concurrent Programming

Strategy: Optimal strategy for a particular goal Use available resources efficiently

Safety: Conceptually independent players Control interaction and “rules”

The Football Match Analogy:“An analogy that one can make is with football*; - the coach of the team is a parallel programmer while - the referee is a concurrent programmer” -- [P.Panangaden, ’96]

The Referee (~ the concurrent programmer):-- Make sure what is happening is a soccer match

The Trainer (~ the parallel programmer):-- Make sure my agents are performing “optimally”

*/ interpret appropriately on either side of the Atlantic

CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

CALCULUS OF COMMUNICATING SYSTEMS

CCS: Calculus of Communicating Systems

[ Robin Milner, ’89 ]

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 19 ]

SEP 29, 2005

Concurrency and Communication

Concurrency: Parallel processes (construction ‘P|Q’)

Abstract away (physical) processors Abstract away diff. in real- vs pseudo-parallelism

Communication: Process synchronization (aka. hand-shaking)

Abstract away communication protocol Abstract away actual values passed

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 20 ]

SEP 29, 2005

A process modelling a computer scientist:

Interface:

Process name: CS Input action(s): { coffee } Output action(s): { pub, coin }

Behavior of the process described by a CCS program

Process Interface

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 21 ]

SEP 29, 2005

The Inactive Process: “0”

The inactive process: (aka. “the zero process” or “the nil process”)

Performs no action whatsoever!

Note that it offers: the prototypical behavior of a deadlocked process

(that cannot proceed any further in its execution)

Example:

0

0

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 22 ]

SEP 29, 2005

Action Prefixing: “.P”

Action Prefixing: Can perform action, , after which it behaves like

process, P

Example(s):

Match:

Complex match

.P

strike.0

take.strike.0

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 23 ]

SEP 29, 2005

Named Process: “K”

Named Process: Behaves just like the (statically named) process, K

Example(s):

K

Match = strike.0

CokeM = coin.coke.CokeM

def

def

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 24 ]

SEP 29, 2005

Recursive Processes

Recursive Processes (though naming)

Example:

Expanding the definition we get:

Clock = tick.Clockdef

Clock

= tick.Clock

= tick.tick.Clock

= tick.tick.tick. … .tick.Clock

…

…

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 25 ]

SEP 29, 2005

Non-deterministic Choice: “P+Q”

Non-deterministic choice: Non-deterministic choice between processes P and Q

Initially has the capabilities of both P and Q; but performing an action from P, say, will pre-empt further execution of Q.

Example:

P+Q

Disp = coin.(coke.Disp + sprite.Disp)def

coke

spriteor

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 26 ]

SEP 29, 2005

Parallel Composition: “P|Q”

Parallel Composition: Any independent interleavings of processes P and Q

Also: may communicate (hand-shake): process P using input action, a; process Q corresponding output action, a (or vice versa)

Example: Student: Coke Machine:

P|Q

Stud = read.coin.coke.Studdef

CokeM = coin.coke.CokeMdef

CokeM | Stud

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 27 ]

SEP 29, 2005

Parallel Composition (cont’d)

Stud | CokeM

(Stud | CokeM) | Stud

(Stud | CokeM) | CokeM

Stud CokeM

[ << ? >> ]

[ << ? >> ]

read

coke

coin

coin

coke

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 28 ]

SEP 29, 2005

Restriction: “P\a”

Restriction (private name): Behaves just like P, except cannot make a or a actions

(except within P) Reminiscent of local variables (in private scope)

Example:

P\a

(Stud | CokeM) \ coin \ coke

((Stud | CokeM) \ coin \ coke) | Stud

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 29 ]

SEP 29, 2005

Action Relabelling: “P[f]”

Action Relabelling: Behaves like P, except that actions are renamed

according to action renaming function, f Permits parameterized reuse of processes

Examples:

P[f]

VendingMachine = coin.item.VendingMachine

CokeMachine = VendingMachine[coke/item]

MarsMachine = VendingMachine[mars/item]

def

Note: relabel inputs to inputs (and corresponding outputs to outputs)

def

def

CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

SYNTAX FOR CCS

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 31 ]

SEP 29, 2005

Input, output (and internal) action

Actions: Set of Channel Names (input) Set of Channel Co-Names (output) Special silent (invisible/internal) action

tau

Note: inputs and outputs are complementary: Communication: hand-shake on a and a only (no values)

Metavariables:

a A

a A

a = a

a L = A A

Act = L { }

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 32 ]

SEP 29, 2005

CCS Syntax

CCS Syntax:

“0” // inaction “.P” // action prefix “P+P” // non-deterministic choice “P|P” // parallel composition “P\a” // restriction (private name) “P[f]” // action relabelling “K” // process variable

P ::= 0 | .P | P+P | P|P | P\a | P[f] | K

X = P, Y = Q, … def def

a: f(a) = f(a) f() =

f:ActAct

… where

Note: restrictions on f

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 33 ]

SEP 29, 2005

Alternative Syntax

Alternative Syntax (that we will use): Abbreviate inaction termination:

P for P.0 // obvious from context

Parameterized sum: iI Pi for P0 + P1 + … + Pn

Inactive process (as empty sum): iØ Pi for 0

Restriction (by set): P \ L for P \ a1 \ … \ an L={a1,…,an}

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 34 ]

SEP 29, 2005

Algebraic Operator Precedence

1. Restriction and relabelling “P\L” “P[f]” 2. Action prefixing “.P” 3. Parallel composition “P|Q” 4. Summation “P+Q”

Q: How is “R+a.P|b.Q\L” then to be read ?

A: “R+((a.P)|(b.(Q\L)))” !

tightest

CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

SOS FOR CCS

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 36 ]

SEP 29, 2005

SOS for CCS

Structural Operational Semantics:

Q: why (tau) in communication “P|Q” (instead of propagating a or a) ?

~ “the unobservable hand-shake”

[RES][REN]

[COM1] [COM2] [COM3]

[ACT] [SUM][DEF]

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 37 ]

SEP 29, 2005

Example Derivation

Assume:

Consider:

A = a.A

(b.0|(A|a.0))[c/a]

def

(b.0 | (A | a.0)) [c/a] (b.0 | (A | a.0)) [c/a]

(b.0 | (A | a.0)) (b.0 | (A | a.0))[REN]

(A | a.0) (A | a.0)[COM2]

A A

a.A A

[COM1]

[DEF]

[ACT]

A = a.Adef

c

a

a

a

a

[RES][REN]

[COM1] [COM2] [COM3]

[ACT] [SUM][DEF]

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 38 ]

SEP 29, 2005

Transition Diagram

Transition Diagram: A visualization of a Labelled Transition System:

Configurations annotated with processes (e.g. ) Transitions annotated with actions (e.g. )

a.0 | a.0

0 | a.0 a.0 | 0

0 | 0

a a

aa

a.0 | 0

a

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 39 ]

SEP 29, 2005

Example: Mutual Exclusion

Example: Mutual exclusion

Q: How are enters and exits related ?

Mutex = (User | Sema) \ p \ v

User = p.enter.exit.v.User

Sema = p.v.Semadef

def

def

System = (User | Sema | User’) \ p \ vdef

User’ = User[enter’/enter,exit’/exit]def

// critical region

semaphore

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 40 ]

SEP 29, 2005

Modelling: Level of Abstraction

Consider a client/server system:

Extremely abstract (high level of abstraction):

Appropriate (level of abstraction) for … :

Extremely concrete (low level of abstraction):

Universe = event.Universedef

NAND_Gate = ...Transistor = ...Accumulator = ......Client = ...

def

def

def

Server = request.process.reply.ServerClient = calc.request.wait.reply.ClientDatabase = ...

high

er le

vel o

f ab

stra

ctio

n

def

def

def

def

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 41 ]

SEP 29, 2005

Concurrency Workbench

[ Concurrency Workbench ]

P

testing (interactive simulation) verification (via logic formulae) dump transition graph (NFA) ...

[ http://homepages.inf.ed.ac.uk/perdita/cwb/summary.html ]

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 42 ]

SEP 29, 2005

CCS Visualizer

[ CCS Visualizer ]

[ http://www.brics.dk/~brabrand/semantics/visualizer.html ]

CLAUS BRABRAND SEMANTICS (Q1,’05) SEP 29, 2005

A TALE OF TWO COCA-COLA MACHINES

Keywords:

- equality - equivalence (equivalence relations) - congruence

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 44 ]

SEP 29, 2005

Two Dispensers

Dispenser:

Dispenser’: ’’

Would you consider them equal ‘=’ ?

coin . (coke + sprite)

coin.coke + coin.sprite

Would you consider them equivalent ‘’ ?

What does it mean for them to be equivalent ‘’ ?

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 45 ]

SEP 29, 2005

Equal vs. Equivalent

Equal (concrete): 3 = 3

Equivalent (abstract): 3 003 310 0x0316 \0038 00112

3 three 3 3 1+2 3 3 let n=2 in n*(n-1)+(n-2)

ii=0

2

more abstract

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 46 ]

SEP 29, 2005

Trace Equivalence

Definition: Trace Equivalence: Two processes P and Q are trace equivalent “tr” iff:

They can produce the same traces [formal def in Notes]

Example: Traces( )

= { , coin, coin;coke, coin;sprite }

Traces( )

= { , coin, coin;coke, coin;sprite }

coin . (coke + sprite)

coin.coke + coin.sprite

Q: equivalence relation ?

’’’’trHence:

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 47 ]

SEP 29, 2005

Def: Equivalence Relation

Let R be a binary relation over set A: R A A

R is an equivalence relation iff: Reflexive:

Symmetric:

Transitive:

xA: x R x

x,yA: x R y x R y

x,y,zA: x R y y R z x R z

Q: is trace equivalence “tr” an equivalence relation ?

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 48 ]

SEP 29, 2005

Expected Equivalences “R ”

Expected Equivalences “R ”: P+Q R Q+P // ‘+’ commutative (P+Q)+R R P+(Q+R) // ‘+’ associative

i.e. order on ‘+’ irrellevant; we could write: P+Q+R P|Q R Q|P // ‘|’ commutative (P|Q)|R R P|(Q|R) // ‘|’ associative

i.e., order on ‘|’ irrellevant; we could write: P|Q|R P+P R P // idempotent wrt. ‘+’ 0|P R P // ‘0’ is neutral wrt. ‘|’ P\x R P , x names(P) // useless restriction ...

just like1+2+3

just like1+2+3

Q: does trace equivalence “tr” preserve these ?

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 49 ]

SEP 29, 2005

Contextual Composition…?

Recall:

Coke-only(!) drinker:

Contextualcomposition:

coin . (coke + sprite)

coin.coke + coin.sprite ’’

’’tr

What the.. !?

coin . coke . drink

The coke drinkeris certainly able to to distinguish the two dispensers !!

Idea (can we…?):put the two dispensers in acontext where theycan be differentiated !

problematic equality

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 50 ]

SEP 29, 2005

Def: Congruence

Definition: “R ” congrucence: P R Q => C[P] R C[Q] , for all contexts C[]

“relation is preserved under contextual substitution”

A context = a process with a gap:

Examples: P R Q P+R R Q+R P R Q P|S R P|S P R Q a.P R a.Q P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x

[]+R

[]|S

a.[]

?

C : .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a

CLAUS BRABRAND © SEMANTICS (Q1,’05)[ 51 ]

SEP 29, 2005

Solution: Next Week…

Define strong “bisimulation” P ~ Q

The strong bisimulation is a congruence !

Investigate a weak form of bisimulation: P Q

Game characterization of bisimulation [we’ll play it! ]

Investigate a logic that characterizes bisimulation: (i.e., P bisim Q : P |- Q |- ) [if time]