C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 C LAUS B RABRAND © 2005, University of Aarhus [ ] [ ] S EMANTICS (Q1,’05) W EEK 5: ”CONCURRENCY AND COMMUNICATION”
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 2 ] S EP 29, 2005 Course Structure Introduction [background]: Prerequisitional Math // 1 week Part I [describe/explain/analyze]: Structural Operational Semantics // 3 weeks Part II [compare/reason]: Concurrency and Communication (CCS) // 1 week Part III [compare/prove/apply]: Equivalence and Verification // 1 week Practice [link to real world]: Imperative Features + Sem in Practice // 1 week
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 3 ] S EP 29, 2005 Week 5 - Outline Issues from week 4 Motivation: Concurrency vs. Sequentiality Calculus of Communicating Systems (CCS) Syntax for CCS SOS for CCS A Tale of two Coca-Cola Machines On Equivalences and Congruences
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 4 ] S EP 29, 2005 “3x3 main issues” from week 4 Class X: 1x. Exam: any programming exercises on the exam ? 2x. Exam: any structural induction exercises on the exam ? 3x. Structural Induction: hard ! Class Y: 1y. Exercises: sometimes hard to see what one is to do ! 2y. Exercises: Would like an example solution to an exercise ! 3y. Side-effects: vs. (?) Class Z: 1z. Exercise 3: “configurations / transitions” in static semantics !? 2z. Terminology: static semantics type checking ? 3z. Terminology: static vs. dynamic semantics ? | _ e e’
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 5 ] S EP 29, 2005 Mini Project Mini project ( cf.: compulsory programme ): compulsory programme When?: 7 days: (Oct 3 -- Oct 10, 2005). What?: covering all topics (so far) Why?: chance to learn, measure, and get feedback Who?: everybody (individually) Amount?: roughly corresponds to an exercise class Form?: written, take-home Grading?: [0-4]-scale ~ [ Aims & Goals ]; (2+ to pass) Aims & Goals Correcting?: your teaching assistants Consequences?: project approved attend exam Help?: TAs will answer un-applied understanding Q’s Re-hand-in? ”Good news”: less exercises for classes those 2 weeks proportionately smaller but not own TA! Oct 10 7 No Preliminary exam dates (from Faculty of Science): Wednesday 12:00 – Friday 12:00 proportionately “less severe” 5 M T O T F L S
C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 C ONCURRENCY VS. S EQUENTIALITY
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 7 ] S EP 29, 2005 Concurrency vs. Sequentiality Sequential programming: Describe computation as a “reduction” of expressions to values Inherently deterministic Termination often desirable Resulting value is of primary interest and focus Concurrent programming: Describe execution as “process evolution” Describe possible executions (aka. execution traces) Describe possible interactions during execution Describe interaction with an environment Inherently non-deterministic Non-termination often desirable (e.g. Op.Sys., Control sys, Cell-phone, …) Resulting “value” is not (necessarily) interesting
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 8 ] S EP 29, 2005 Concurrency is much Harder Harder than sequential programming: Huge number of possible executions Inherently non-deterministic Parallelism conceptually harder Consequences: Programs are harder to write! Programs are harder to debug! Errors are not always reproducible New kinds of errors possible: Deadlock, starvation, priority inversion, interference, …
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 9 ] S EP 29, 2005 Concurrency Problems Therac-25 Radiation Therapy ’85-’87 Massive overdoses (6 deaths / amputations)! Mars Pathfinder July ’97 Periodic resets (on mars)! Windows 95/98 w/ Device Drivers late ’90es Dysfunction (“blue screen of death”)!
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 10 ] S EP 29, 2005 Concurrency Problems (cont’d) Mobile Phones ’00-… Freeze and odd behaviors (really annoying)! Cruise Control System Model ’86 [Grady Booch] Accellerated after car ignition (car crashes)! …
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 11 ] S EP 29, 2005 …and what about? Air Plane Control System Dysfunction (plane crash)! Nuclear Powerplant Control System Core melt-down (“China-syndrome”)! Projector Temperature Controller Overheating (Semantics lecture cancellation)! :) 100°C
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 12 ] S EP 29, 2005 Problem: System Development? In the presence of all these errors: deadlock, starvation, priority inversion, interference, anti-cooperation, un-indended execution traces, un-fairness, … How to…: 1. …design a system that “works” ? 2. …verify that the system is “safe” ? 3. …verify that the system “meets its specification” ? …and: What does “works”, “safe”, and “to meet a specification” mean ?!?
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 13 ] S EP 29, 2005 Glasses of Abstraction… It’s Amazing… See behind concrete details; perceive only what is relevant and at the appropriate level of abstraction)! Only $12,95 “See only the relevant!” “ The Glasses of Abstraction ”
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 14 ] S EP 29, 2005 Solution: Formal Modelling “Semantics comes to the rescue”: Create models (~ architecture, bridge construction, …) Formal modelling (e.g., CCS) permits: (Offline) Reasoning understanding (Runtime) Testing confidence (C-time) Property Verification safety (C-time) Specification Verification correctness Note: “Errors are much cheaper to commit in models than in implementations” “Never send a human to do a machine’s job” -- A.Smith (’99) auto- mate
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 15 ] S EP 29, 2005 Methodology: Model-based Design Design abstract model Decompose model Reason/Test/Verify model individual parts and whole Recompose insights make model safe Impl. concrete program concretize REAL PROBLEM SAFE MODEL SAFE PROGRAM abstract ? ? ? ? MODEL test reason verify
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 16 ] S EP 29, 2005 CCS: Why a Calculus (pl. Calculi) Compositional: || Break things into (several) smaller things Algebraic: , , … Intuitive ideal (also eases automated verification) Syntactic: and … Provide basis for programming languages P | QPQ big P + Q Q + P P | Q Q | P P P’ P | Q P’ | Q Q Q’ P | Q P | Q’ [ PAR 1 ] [ PAR 2 ]
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 17 ] S EP 29, 2005 Parallel- vs. Concurrent Programming Strategy: Optimal strategy for a particular goal Use available resources efficiently Safety: Conceptually independent players Control interaction and “rules” The Football Match Analogy: “An analogy that one can make is with football*; - the coach of the team is a parallel programmer while - the referee is a concurrent programmer” -- [P.Panangaden, ’96] The Referee (~ the concurrent programmer): -- Make sure what is happening is a soccer match The Trainer (~ the parallel programmer): -- Make sure my agents are performing “optimally” */ interpret appropriately on either side of the Atlantic
C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 C ALCULUS OF C OMMUNICATING S YSTEMS CCS: Calculus of Communicating Systems [ Robin Milner, ’89 ]
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 19 ] S EP 29, 2005 Concurrency and Communication Concurrency: Parallel processes (construction ‘ P|Q ’) Abstract away (physical) processors Abstract away diff. in real- vs pseudo-parallelism Communication: Process synchronization (aka. hand-shaking) Abstract away communication protocol Abstract away actual values passed
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 20 ] S EP 29, 2005 A process modelling a computer scientist: Interface: Process name:CS Input action(s):{ coffee } Output action(s):{ pub, coin } Behavior of the process described by a CCS program Process Interface
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 21 ] S EP 29, 2005 The Inactive Process: “ 0 ” The inactive process: (aka. “the zero process” or “the nil process”) Performs no action whatsoever! Note that it offers: the prototypical behavior of a deadlocked process (that cannot proceed any further in its execution) Example: 0 0
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 22 ] S EP 29, 2005 Action Prefixing: “ .P ” Action Prefixing: Can perform action, , after which it behaves like process, P Example(s): Match: Complex match .P strike.0 take.strike.0
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 23 ] S EP 29, 2005 Named Process: “ K ” Named Process: Behaves just like the (statically named) process, K Example(s): K Match = strike.0 CokeM = coin.coke.CokeM def
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 24 ] S EP 29, 2005 Recursive Processes Recursive Processes (though naming) Example: Expanding the definition we get: Clock = tick.Clock def Clock = tick.Clock = tick.tick.Clock = tick.tick.tick. ….tick.Clock … …
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 25 ] S EP 29, 2005 Non-deterministic Choice: “ P+Q ” Non-deterministic choice: Non-deterministic choice between processes P and Q Initially has the capabilities of both P and Q ; but performing an action from P, say, will pre-empt further execution of Q. Example: P+Q Disp = coin.(coke.Disp + sprite.Disp) def coke sprite or
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 26 ] S EP 29, 2005 Parallel Composition: “ P|Q ” Parallel Composition: Any independent interleavings of processes P and Q Also: may communicate (hand-shake): process P using input action, a; process Q corresponding output action, a (or vice versa) Example: Student: Coke Machine: P|Q Stud = read.coin.coke.Stud def CokeM = coin.coke.CokeM def CokeM | Stud
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 27 ] S EP 29, 2005 Parallel Composition (cont’d) Stud | CokeM (Stud | CokeM) | Stud (Stud | CokeM) | CokeM StudCokeM [ > ] read coke coin coke
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 28 ] S EP 29, 2005 Restriction: “ P\a ” Restriction (private name): Behaves just like P, except cannot make a or a actions (except within P ) Reminiscent of local variables (in private scope) Example: P\a (Stud | CokeM) \ coin \ coke ((Stud | CokeM) \ coin \ coke) | Stud
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 29 ] S EP 29, 2005 Action Relabelling: “ P[f] ” Action Relabelling: Behaves like P, except that actions are renamed according to action renaming function, f Permits parameterized reuse of processes Examples: P[f] VendingMachine = coin.item.VendingMachine CokeMachine = VendingMachine[coke/item] MarsMachine = VendingMachine[mars/item] def Note: relabel inputs to inputs (and corresponding outputs to outputs) def
C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 S YNTAX FOR CCS
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 31 ] S EP 29, 2005 Input, output (and internal) action Actions: Set of Channel Names (input) Set of Channel Co-Names (output) Special silent (invisible/internal) action tau Note: inputs and outputs are complementary: Communication: hand-shake on a and a only (no values) Metavariables: a A a = a a L = A A Act = L { }
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 32 ] S EP 29, 2005 CCS Syntax CCS Syntax: “0”// inaction “ .P ”// action prefix “ P+P ”// non-deterministic choice “ P|P ”// parallel composition “ P\a ”// restriction (private name) “ P[f] ”// action relabelling “ K ”// process variable P ::= 0 | .P | P+P | P|P | P\a | P[f] | K X = P, Y = Q, … def a: f(a) = f(a) f( ) = f:Act Act … where Note: restrictions on f
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 33 ] S EP 29, 2005 Alternative Syntax Alternative Syntax (that we will use): Abbreviate inaction termination: P for P.0 // obvious from context Parameterized sum: i I P i for P 0 + P 1 + … + P n Inactive process (as empty sum): i Ø P i for 0 Restriction (by set): P \ L for P \ a 1 \ … \ a n L={a 1,…,a n }
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 34 ] S EP 29, 2005 Algebraic Operator Precedence 1. Restriction and relabelling “ P\L ” “ P[f] ” 2. Action prefixing “ .P ” 3. Parallel composition “ P|Q ” 4. Summation “ P+Q ” Q: How is “ R+a.P|b.Q\L ” then to be read ? A: “ R+((a.P)|(b.(Q\L))) ” ! tightest
C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 SOS FOR CCS
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 36 ] S EP 29, 2005 SOS for CCS Structural Operational Semantics: Q: why (tau) in communication “ P|Q ” (instead of propagating a or a ) ? ~ “the unobservable hand-shake” [ RES ] [ REN ] [ COM 1 ] [ COM 2 ] [ COM 3 ] [ ACT ] [ SUM ][ DEF ]
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 37 ] S EP 29, 2005 Example Derivation Assume: Consider: A = a.A (b.0|(A|a.0))[c/a] def (b.0 | (A | a.0)) [c/a] (b.0 | (A | a.0)) [c/a] (b.0 | (A | a.0)) (b.0 | (A | a.0)) [ REN ] (A | a.0) (A | a.0) [ COM 2 ] A A a.A A [ COM 1 ] [ DEF ] [ ACT ] A = a.A def c a a a a [ RES ] [ REN ] [ COM 1 ] [ COM 2 ][ COM 3 ] [ ACT ] [ SUM ][ DEF ]
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 38 ] S EP 29, 2005 Transition Diagram Transition Diagram: A visualization of a Labelled Transition System: Configurations annotated with processes (e.g. ) Transitions annotated with actions (e.g. ) a.0 | a.0 0 | a.0a.0 | 0 0 | 0 a a a a a.0 | 0 a
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 39 ] S EP 29, 2005 Example: Mutual Exclusion Example: Mutual exclusion Q: How are enters and exits related ? Mutex = (User | Sema) \ p \ v User = p.enter.exit.v.User Sema = p.v.Sema def System = (User | Sema | User’) \ p \ v def User’ = User[enter’/enter,exit’/exit] def // critical region semaphore
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 40 ] S EP 29, 2005 Modelling: Level of Abstraction Consider a client/server system: Extremely abstract (high level of abstraction): Appropriate (level of abstraction) for … : Extremely concrete (low level of abstraction): Universe = event.Universe def NAND_Gate =... Transistor =... Accumulator = Client =... def Server = request.process.reply.Server Client = calc.request.wait.reply.Client Database =... higher level of abstraction def
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 41 ] S EP 29, 2005 Concurrency Workbench [ Concurrency Workbench ]Concurrency Workbench P testing (interactive simulation) verification (via logic formulae) dump transition graph (NFA) ... [ ]
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 42 ] S EP 29, 2005 CCS Visualizer [ CCS Visualizer ]CCS Visualizer [ ]
C LAUS B RABRAND S EMANTICS (Q1,’05) S EP 29, 2005 A T ALE OF TWO C OCA -C OLA M ACHINES Keywords: - equality - equivalence (equivalence relations) - congruence
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 44 ] S EP 29, 2005 Two Dispensers Dispenser: Dispenser’: ’ ’ Would you consider them equal ‘=’ ? coin. (coke + sprite) coin.coke + coin.sprite Would you consider them equivalent ‘ ’ ? What does it mean for them to be equivalent ‘ ’ ?
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 45 ] S EP 29, 2005 Equal vs. Equivalent Equal (concrete): 3 = 3 Equivalent (abstract): 3 0x03 16 \003 8 three 3 3 let n=2 in n*(n-1)+(n-2) i i i=0 2 more abstract
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 46 ] S EP 29, 2005 Trace Equivalence Definition: Trace Equivalence: Two processes P and Q are trace equivalent “ tr ” iff: They can produce the same traces [formal def in Notes] Example: Traces( ) = { , coin, coin;coke, coin;sprite } Traces( ) = { , coin, coin;coke, coin;sprite } coin. (coke + sprite) coin.coke + coin.sprite Q: equivalence relation ? ’ ’ ’ ’ tr Hence:
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 47 ] S EP 29, 2005 Def: Equivalence Relation Let R be a binary relation over set A: R A A R is an equivalence relation iff: Reflexive: Symmetric: Transitive: x A: x R x x,y A: x R y x R y x,y,z A: x R y y R z x R z Q: is trace equivalence “ tr ” an equivalence relation ?
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 48 ] S EP 29, 2005 Expected Equivalences “ R ” Expected Equivalences “ R ”: P+Q R Q+P // ‘ + ’ commutative (P+Q)+R R P+(Q+R) // ‘ + ’ associative i.e. order on ‘+’ irrellevant; we could write: P+Q+R P|Q R Q|P // ‘ | ’ commutative (P|Q)|R R P|(Q|R) // ‘ | ’ associative i.e., order on ‘ | ’ irrellevant; we could write: P|Q|R P+P R P // idempotent wrt. ‘ + ’ 0|P R P // ‘ 0 ’ is neutral wrt. ‘ | ’ P\x R P, x names( P ) // useless restriction... just like just like Q: does trace equivalence “ tr ” preserve these ?
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 49 ] S EP 29, 2005 Contextual Composition…? Recall: Coke-only(!) drinker: Contextual composition: coin. (coke + sprite) coin.coke + coin.sprite ’ ’ ’ ’ tr What the.. !? coin. coke. drink The coke drinker is certainly able to to distinguish the two dispensers !! Idea (can we…?): put the two dispensers in a context where they can be differentiated ! problematic equality
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 50 ] S EP 29, 2005 Def: Congruence Definition: “ R ” congrucence: P R Q => C[P] R C[Q], for all contexts C[] “relation is preserved under contextual substitution” A context = a process with a gap: Examples: P R Q P+R R Q+R P R Q P|S R P|S P R Q a.P R a.Q P R Q ((a.P|R)+S)\x R ((a.Q|R)+S)\x []+R []|S a.[] ? C : .[] | []+P | P+[] | []|P | P|[] | [][f] | []\a
C LAUS B RABRAND © S EMANTICS (Q1,’05) [ 51 ] S EP 29, 2005 Solution: Next Week… Define strong “bisimulation” P ~ Q The strong bisimulation is a congruence ! Investigate a weak form of bisimulation: P Q Game characterization of bisimulation [we’ll play it! ] Investigate a logic that characterizes bisimulation: (i.e., P bisim Q : P | - Q | - )[if time]