Charts and nets: States, Messages, and Events Tony Hoare In honour of David Harel ViennaJuly 2014

Events basic actions and method calls that occur during execution of a program

Event labels basic actions and method calls that occur in the text of the program x := 9 c ! 9 c ? 9

Space and Time time space where and when an event occurs

Spatial Boundaries time space horizontal, separating concurrent activities

Temporal Boundaries time space vertical, separating sequential activities

Dependencies an event at the head of an arrow depends on the event at the tail

Rules for arrows do not cross a time-boundary backwards Local arrows are drawn horizontal They must not cross space boundaries Non-local arrows are not horizontal They must not close a cycle.

Object values x y

Object identifiers x y

Object values x y

Message identifiers c[26] c[25] c! c?

The State of Memory is a map from the identifier of each line which crosses a given temporal boundary to the value which labels the crossing arrow.

State of memory x y 9 0 { x = 9, y = 0}

OBJECTS

Concurrent object behaviour. A trace of behaviour of an object is an event chart, containing all the events in which it has engaged, connected by dependency arrows. A class is the set of all possible traces of objects of the class (and related objects.

A local object boxes represent actions of the object arrows connect successive actions

A local object the red arrows connect actions in the same thread protected from interference by other threads

A shared object blue arrows connect actions which may occur in a different threads (or they may occur in the same thread).

An exclusion semaphore is released by the same thread that most recently acquired it. A released semaphore may be acquired by any thread.

with labels The boxes are labelled to indicate the nature of the actions: enter or exit exit enter

Object allocation has one red output arrow and no red input arrow alloc

Object disposal has one red input arrow and no red output arrow disp

A Communication channel single input port and single output port

A shared output port allows multiple outputting threads

with labels ad to indicate that the value communicated is the same at both ends of the channel dispose disp alloc !3 !7 ?3 ?7 =7 =3

with a single buffer ad which is passed back to outputter for refilling disp alloc !3 !7 ?3 ?7 =7 =3

a synchronous channel ad no buffering at all. input and output are simultaneous disp alloc !3 !7 ?3 ?7 =7 =3

a re-ordering channel… ad allows crossing of arrows disp alloc !3 !7 ?7 ?3 =7 =3

…with loss of message ad disp alloc !7 !3 ?7 =7

Diagrams in Debugging display a trace of concurrent execution with slices for selected objects keyed to the text of the program with dependencies to show sources of error and consequences of its correction.

PROGRAMS A program (or an object class) denotes the set of all possible diagrams of execution, on any computer system running in any environment.

Spatial Boundaries time space horizontal, separating concurrent activities

Temporal Boundaries time space vertical, separating sequential activities

Concurrent Composition of event charts p, q, r p q r (p ‖ q)‖ r = p ‖ (q ‖ r)

Sequential composition (p ; q) ; r = p ; (q ; r) pq r

Rules for arrows do not cross a time-boundary backwards Local arrows are drawn horizontal They must not cross space boundaries Non-local arrows are not horizontal They must not close a cycle.

A Program Error (race)

Another Program Error (deadlock) p

Top T stands for a trace with programming error T;p = p;T = p||T otherwise…..

Operators p;q splits the trace across time, into parts that can be executed at different instants. p ∥ q splits it across space, into parts that can be executed in different places. I describes doing nothing

Sequential Composition p;q = p+q if q x p contained in neg(dep*) p||q = p+q if p x q contained in neg(red u conv(red)) n neg(dep* n conv(dep*)) } = T otherwise I={ }

Trace algebra

Refinement ≼ ≼ is a partial order Covariance: p ≼ qimplies – p;r ≼ q;r – r;p ≼ r;q – p ∥ r ≼ q ∥ r

Exchange Axiom (p ∥ q) ; (p’ ∥ q’) ≼ (p;p’) ∥ (q;q’) p’ q’ p q ; ≼ p’ q’ p q ; ; note the self-duality of the law

p ≼ q means that p and q perform all the same actions, but p performs more pairs of them sequentially, and q performs more pairs concurrently. As a result,… p is more determinate, q is more abstract

Interleaving (p ∥ q) ; (p’ ∥ q’) ≼ (p;p’) ∥ (q;q’) LHS is an interleaving implementation of the more general concurrency of RHS It is the special case when the two RHS ‘;’s happen to be simultaneous

Frame Laws (p ∥ q) ; (p’ ∥ q’) ≼ (p;p’) ∥ (q;q’) Theorems (frame): 1.(p ∥ q) ; q’ ≼ p ∥ (q;q’) 2.p;(p’ ∥ q’) ≼ (p;p’) ∥ q’ 3.p;q’ ≼ p ∥ q’and q;p’ ≼ p’ ∥ q Proof: substitute  for variables of the axiom that are omitted in the theorem

Example abcd ∥ xyzw (a;bcd) ∥ (xy;zw) (a ∥ xy) ; (bcd ∥ zw) (a ∥ x;y) ; (b;cd ∥ zw) (a ∥ x);y ; (b ∥ zw) ; cd xayzbwcd

A Program is the set of all traces that it can evoke when executed on any computer system and in any interacting environment. P;Q = {p;q | p e P & q e Q } P||Q = {p||q | p e P & q e Q } P < Q = all p e P. exists q e Q. p < q All our laws for ; and || are preserved for sets

The Hoare triple Definition: {p} q {r} = p;q ≼ r – If p describes what has happened so far, – and q is then executed to completion, – the trace of overall execution will be r.

The Milner transition Definition: r >- q -> p = q;p ≼ r – i.e., the dual of {p} q {r} – r may be executed by first executing q, with p as continuation for later execution. – (maybe there are other ways of executing r) Tautology: (q ; p) >- q -> p – (CCS prefix rule) Proof: from reflexivity: q;p ≼ q;p

Modularity rules {p} q {r} {p’} q’ {r’}Logic {p ∥ p’} q ∥ q’{r ∥ r’} r >–q-> pr >-q’-> p’ CCS (r ∥ r’) >-(q ∥ q’)-> (p ∥ p’) In CCS, the rule is restricted – by requiring synchronisation of p and p’, – e.g. input and output on the same channel.

O’Hearn Frame Rule {p} q {r} {p ∥ f} q {r ∥ f} – adapts a triple to a concurrent environment f – much better than the Hoare rule of adaptation: {p} q {r} with side-condition {p&f} q {r&f} – that no variable of f is assigned by q

Milner Frame Rule r >–q-> p (r ∥ f) >–q-> (p ∥ f) – a step q that is possible for a single thread r is still possible when r is executed concurrently with f, which does not change when q happens

Sequential composition {p} q {s} {s} q’ {r} {p} q;q’ {r} is equivalent to p;(q;q’) ≼ (p;q);q’

Sequential composition r >–q’-> s s >–q-> p r >–(q’;q)-> p is equivalent to (q’;q);p ≼ q’;(q;p), which is dual to p;(q;q’) ≼ (p;q);q’

Unifying Theories The Algebraic Laws of Programming are strong enough to derive – A verification logic for program correctness – An operational semantics for programming language implementation. Many laws can be derived from the other two forms of semantics

Summary so far… Process Calculus Verification Logic & Algebraic Laws Denotational Model

Assignments and fetches := =:

labelled with values ack= 3 := 3 := 7 =: 3 :=kassigns a constant k =:kfetches a value k =kpoints to a value k acksync signal

and by reference to object ack = 3 [37] := 3 [37]:= 7 [37]=:3 [v]:=kassigns to location v =kcommunication of k [v]=:kfetches value from v ackprevents further reads of previous assignment

or to a variable named x ack =3 x:= 3 x:= 7 x=:3 :=kassigns a constant k =:kfetches a value k =kcommunicates k acksync signal

fetching by another thread ack =3 x:= 3 x:= 7 x=:3

A variable alloc disp := =: leaving out colours & some labels

Execution as Petri net begin end := =:

Token move begin end := =:

Token split begin end :=3:= =:

Concurrency begin end := =:

Synchronisation begin end := =:

Token reconstitution begin end := =:

Concurrent object behaviour is modelled by an acyclic directed graph with boxes representing event occurrences and arrows recording dependency and labels on both boxes and arrows.

Examples Objects: allocation, ownership, disposal. Semaphores: exclusion, signalling. Channels: buffering, synchrony, overtaking. Variables: locality, sharing.

Weakly consistent memory as implemented in multi-core architecture, is more complicated to define … and even more complicated to use!

Weak memory (no ack) := := 3 =:3 =: 7 Any past value may be delivered at any later time := 7

Weak memory (no ack) := := 3 =:3 =: 7 a fence needs ack signals from earlier assignments := 7 fence

Weak memory (with fence) := := 3 =:3 =: 7 this cycle is impossible, := 7 fence

Weak memory (with fence) := := 3 =:3 =: 7 so the 3 and the 7 must be fetched in the right order := 7 fence

x =:3 y=:4 x := 7 An atomic event:

x = :3 y=: 4 x := 7 (atomic) x := 3 x := 17 ack y := 4y := 18

Threads fork alloc disp alloc join alloc disp fork join

Events and atomic actions Each occurrence of an event in the trace of program execution belongs to the trace of exactly one resource (thread, variable, channel,…) Atomic actions are groups of synchronised events, including exactly one from the thread which invoked the action, and one (or more) from every resource used by it.

Summary occurrence nets are adequate to describe the dynamic behaviour of many kinds of concurrent object

Fundamental Theorem Boxed Petri nets are a model of Concurrent Kleene Algebra Tony Hoare, Bernhard Moeller, Georg Struth, Ian Wehrman, Concurrent Kleene Algebra and its Foundations, J. Log. Algebr. Program. 80(6): (2011).

Hoare Logic Let P{Q}R = (P;Q) => R Theorem: The structural rules of separation logic are valid in the net model – Ian Wehrman, C.A.R.Hoare, Peter O’Hearn: Graphical Models of Separation Logic. Inf Process. Lett. (IPL) 109(17): (2009) Proof: by a short algebraic calculation

Process Algebra Let P –Q-> R=R => Q;P =P{Q}R! Theorem: The transition rules of operational semantics are valid in the net model. – C.A.R.Hoare, A.Hussain, B.Moeller, P.W. O’Hearn, R.L. Petersen, G. Struth. On Locality and the Exchange Law for Concurrent Processes. CONCUR 2011: Proof: by a short algebraic calculation.

Acknowledgements Lucia Pomello, Matthew Parkinson, Philippa Gardiner, Hongseok Yang, John Wickerson, Thomas Dinsdale-Young Georg Struth, Bernhard Moeller, Rasmus Petersen, Peter O’Hearn