Charts and nets: States, Messages, and Events Tony Hoare In honour of David Harel ViennaJuly 2014.

Charts and nets:States, Messages, and Events

Tony Hoare

In honour of David HarelVienna July 2014

Eventsbasic actions and method calls

that occur during execution of a program

Event labelsbasic actions and method calls

that occur in the text of the program

x := 9

c ! 9

c ? 9

Space and Time

time

space

where and when an event occurs

Spatial Boundaries

time

space

horizontal, separating concurrent activities

Temporal Boundaries

time

space

vertical, separating sequential activities

Dependenciesan event at the head of an arrowdepends on the event at the tail

Rules for arrows

• do not cross a time-boundary backwards• Local arrows are drawn horizontal• They must not cross space boundaries• Non-local arrows are not horizontal• They must not close a cycle.

Object values

x

y

39

7 4

9 70

7

Object identifiers

x

y

Object values

x

y

39

7 4

9 70

7

Message identifiers

c[26]c[25]

c!

c?

The State of Memory

• is a map from the identifier of each linewhich crosses a given temporal boundaryto the value which labels the crossing arrow.

State of memory

x

y

9

0

{ x = 9, y = 0}

OBJECTS

Concurrent object behaviour.

• A trace of behaviour of an object is an event chart, containing all the events in which it has engaged, connected by dependency arrows.

• A class is the set of all possible traces of objects of the class (and related objects.

A local object

boxes represent actions of the objectarrows connect successive actions

A local object

the red arrows connect actions in the same thread protected from interference by other threads

A shared object

blue arrows connect actionswhich may occur in a different threads(or they may occur in the same thread).

An exclusion semaphore

is released by the same thread that most recently acquired it. A released semaphoremay be acquired by any thread.

with labels

The boxes are labelled to indicate the nature of the actions: enter or exit

exit exitenter enter

Object allocation

has one red output arrowand no red input arrow

alloc

Object disposal

has one red input arrow and no red output arrow

disp

A Communication channelsingle input port and single output port

A shared output portallows multiple outputting threads

with labels

ad

to indicate that the value communicated is the same at both ends of the channel

dispose

disp

alloc

alloc

!3 !7

?3 ?7

=7=3

with a single buffer

ad

which is passed back to outputter for refilling

disp

disp

alloc

alloc

!3 !7

?3 ?7

=7=3

a synchronous channel

ad

no buffering at all. input and output are simultaneous

disp

disp

alloc

alloc

!3 !7

?3 ?7

=7=3

a re-ordering channel…

ad

allows crossing of arrows

disp

disp

alloc

alloc

!3 !7

?7 ?3

=7

=3

…with loss of message

ad disp

disp

alloc

alloc

!7 !3

?7

=7

Diagrams in Debugging

• display a trace of concurrent execution• with slices for selected objects• keyed to the text of the program• with dependencies to show sources of error• and consequences of its correction.

PROGRAMS

A program (or an object class) denotes the set of all possible diagrams of execution, on any computer system running in any environment.

Spatial Boundaries

time

space

horizontal, separating concurrent activities

Temporal Boundaries

time

space

vertical, separating sequential activities

Concurrent Compositionof event charts p, q, r

p

q

r

(p ‖ q)‖ r = p ‖ (q ‖ r)

Sequential composition

(p ; q) ; r = p ; (q ; r)

p q r

Rules for arrows

• do not cross a time-boundary backwards• Local arrows are drawn horizontal• They must not cross space boundaries• Non-local arrows are not horizontal• They must not close a cycle.

A Program Error (race)

Another Program Error (deadlock)

p

Top T

• stands for a trace with programming error• T;p = p;T = p||T

otherwise…..

Operators

• p;q splits the trace across time, into parts that can be executed at different instants.

• p q splits it across space, into parts that can ∥be executed in different places.

• I describes doing nothing

Sequential Composition

• p;q = p+q if q x p contained in neg(dep*)

• p||q = p+q if p x q contained in neg(red u conv(red))n neg(dep* n conv(dep*)) }

= T otherwise• I = { }

Trace algebra

Refinement ≼

• ≼ is a partial order• Covariance: p q≼ implies

– p;r q;r≼– r;p r;q≼– p r q r∥ ≼ ∥

Exchange Axiom

(p q) ; (p’ q’) (p;p’) (q;q’)∥ ∥ ≼ ∥

p’

q’

p

q; ≼

p’

q’

p

q ;

;

note the self-duality of the law

• p q means that p and q perform all the ≼same actions, but p performs more pairs of them sequentially, and q performs more pairs concurrently.

As a result,…• p is more determinate, q is more abstract

Interleaving

• (p q) ; (p’ q’)∥ ∥ ≼ (p;p’) (q;q’)∥

• LHS is an interleaving implementation of the more general concurrency of RHS

• It is the special case when the two RHS ‘;’s happen to be simultaneous

Frame Laws

• (p q) ; (p’ q’)∥ ∥ ≼ (p;p’) (q;q’)∥

• Theorems (frame): 1. (p q) ; q’ p (q;q’)∥ ≼ ∥2. p;(p’ q’) (p;p’) q’∥ ≼ ∥3. p;q’ p q’≼ ∥ and q;p’ p’ q≼ ∥

Proof: substitute for variables of the axiom that are omitted in the theorem

Example

abcd xyzw∥(a;bcd) (xy;zw)∥(a xy) ; (∥ bcd zw)∥

(a x;y) ; (∥ b;cd zw)∥(a x);y ; (∥ b zw) ; ∥ cd

xayzbwcd

A Program

• is the set of all traces that it can evokewhen executed on any computer systemand in any interacting environment.

P;Q = {p;q | p e P & q e Q }P||Q = {p||q | p e P & q e Q }P < Q = all p e P . exists q e Q . p < q

All our laws for ; and || are preserved for sets

The Hoare triple

• Definition: {p} q {r} = p;q r≼– If p describes what has happened so far,– and q is then executed to completion,– the trace of overall execution will be r.

The Milner transition

• Definition: r >- q -> p = q;p r≼– i.e., the dual of {p} q {r}– r may be executed by first executing q , with p as continuation for later execution.– (maybe there are other ways of executing r)

• Tautology: (q ; p) >- q -> p– (CCS prefix rule)Proof: from reflexivity: q;p q;p ≼

Modularity rules

• {p} q {r} {p’} q’ {r’} Logic {p p’} q q’∥ ∥ {r r’}∥

• r >–q-> p r >-q’-> p’ CCS(r r’) >-(q q’)-> (p p’)∥ ∥ ∥

• In CCS, the rule is restricted – by requiring synchronisation of p and p’ , – e.g. input and output on the same channel.

O’Hearn Frame Rule

{p} q {r}{p f} q {r f}∥ ∥

– adapts a triple to a concurrent environment f– much better than the Hoare rule of adaptation:

{p} q {r} with side-condition

{p&f} q {r&f} – that no variable of f is assigned by q

Milner Frame Rule

r >–q-> p(r f) >–q-> (p f)∥ ∥

– a step q that is possible for a single thread r is still possible when r is executed concurrently with f , which does not change when q happens

Sequential composition

{p} q {s} {s} q’ {r} {p} q;q’ {r}

is equivalent to

p;(q;q’) (p;q);q’≼

Sequential composition

r >–q’-> s s >–q-> p r >–(q’;q)-> pis equivalent to

(q’;q);p q’;(q;p),≼

which is dual to p;(q;q’) (p;q);q’ ≼

Unifying Theories

• The Algebraic Laws of Programmingare strong enough to derive

– A verification logic for program correctness– An operational semantics for programming

language implementation.

• Many laws can be derived from the other two forms of semantics

Summary so far…

Process Calculus

Verification Logic

&

Algebraic Laws

Denotational Model

Assignments and fetches

:= :=

=:

=:

=:

labelled with values

ack= 3

:= 3 := 7

=: 3

=: 3

=: 3

:=k assigns a constant k=:k fetches a value k=k points to a value kack sync signal

and by reference to object

ack= 3

[37] := 3 [37]:= 7

[37]=:3

[37]=:3

[37]=:3

[v]:=k assigns to location v =k communication of k[v]=:k fetches value from v ack prevents further reads of previous assignment

or to a variable named x

ack=3

x:= 3 x:= 7

x=:3

x=:3

x=:3

:=k assigns a constant k=:k fetches a value k=k communicates kack sync signal

fetching by another thread

ack=3

x:= 3 x:= 7

x=:3

x=:3

x=:3

A variable

alloc disp:= := :=

=:

=:

=: =:

leaving out colours & some labels

Execution as Petri net

begin end:= := :=

=:

=:

=: =:

Token move

begin end:= := :=

=:

=:

=: =:

Token split

begin end:=3 := :=

=:

=:

=: =:

Concurrency

begin end:= := :=

=:

=:

=: =:

Synchronisation

begin end:= := :=

=:

=:

=: =:

Token reconstitution

begin end:= := :=

=:

=:

=: =:

Concurrent object behaviour

• is modelled by an acyclic directed graph• with boxes representing event occurrences• and arrows recording dependency• and labels on both boxes and arrows.

Examples

• Objects: allocation, ownership, disposal.• Semaphores: exclusion, signalling.• Channels: buffering, synchrony, overtaking.• Variables: locality, sharing.

Weakly consistent memory

as implemented in multi-core architecture,is more complicated to define… and even more complicated to use!

Weak memory (no ack)

:=:= 3

=:3

=:3

=: 3=: 7

Any past value may be delivered at any later time

:= 7

Weak memory (no ack)

:=:= 3

=:3

=:3

=: 3=: 7

a fence needs ack signals from earlier assignments

:= 7fence

Weak memory (with fence)

:=:= 3

=:3

=:3

=: 3=: 7

this cycle is impossible,

:= 7fence

Weak memory (with fence)

:=:= 3

=:3

=:3

=: 3 =: 7

so the 3 and the 7 must be fetched in the right order

:= 7fence

x =:3 y=:4 x := 7

An atomic event: <x := x + y>

x = :3 y=: 4

x := 7

<x := x + y> (atomic)

x := 3 x := 17

ackack

y := 4 y := 18

Threads

forkalloc disp

alloc

joinalloc

disp

fork

join

Events and atomic actions

• Each occurrence of an event in the trace of program execution belongs to the trace of exactly one resource (thread, variable, channel,…)

• Atomic actions are groups of synchronised events, including exactly one from the thread which invoked the action, and one (or more) from every resource used by it.

Summary

• occurrence nets are adequate to describe the dynamic behaviour

of many kinds of concurrent object

Fundamental Theorem

• Boxed Petri nets are a model of Concurrent Kleene Algebra

Tony Hoare, Bernhard Moeller, Georg Struth, Ian Wehrman, Concurrent Kleene Algebra and its Foundations, J. Log. Algebr. Program. 80(6): 266-296(2011).

Hoare Logic

• Let P{Q}R = (P;Q) => R

• Theorem: The structural rules of separation logic are valid in the net model– Ian Wehrman, C.A.R.Hoare, Peter O’Hearn:

Graphical Models of Separation Logic. Inf Process. Lett. (IPL) 109(17):1001-1004 (2009)

• Proof: by a short algebraic calculation

Process Algebra

• Let P –Q-> R = R => Q;P= P{Q}R !

• Theorem: The transition rules of operational semantics are valid in the net model.– C.A.R.Hoare, A.Hussain, B.Moeller, P.W. O’Hearn,

R.L. Petersen, G. Struth. On Locality and the Exchange Law for Concurrent Processes. CONCUR 2011:250-264.

• Proof: by a short algebraic calculation.

Acknowledgements

Lucia Pomello, Matthew Parkinson, Philippa Gardiner, Hongseok Yang,John Wickerson, Thomas Dinsdale-YoungGeorg Struth, Bernhard Moeller, Rasmus Petersen, Peter O’Hearn