1. Tracelets: a Model for the Laws of Concurrent Programming Tony Hoare OxfordFeb 2012

2. Our Universe E is a set of events that can occur in or around a computer during execution of a program – drawn as boxes. D is a set of dependencies between the events – drawn as arrows between boxes – e --> f means f depends on e source, target: D --> E source(d) --> target(d)

3. Labels P are sets of properties of D or E – e.g., the type of command executed – the objects involved in the event – the value of the data transmitted on the arrow labels:E + D --> P – labels(e) are drawn in the box, – labels(d) on top of the arrow

4. A tracelet is a subset of E, denoted by p, q, r. For example: a trace of a single execution of a program or of a single execution of a command or of a single object used in the execution I = { }, the tracelet that contains no event

5. An object is used by a program to store or transmit data – e.g., a variable, a semaphore, a channel, … Its behaviour is modelled by a tracelet – containing some or all events in which it has engaged A trace of a complete program execution – is the union of all the tracelets for every resource that it has used

6. Pictorially νδ ν labels the allocation of an object. δ labels its disposal. All other events of its tracelet lie in between

7. A variable νδ :=4labels an assignment of value 4 =4 labels a fetch of value 4 : =3 :=2 : =4 =4 =3 =2

8. Object names νxνxδxδx may be added to the labels x: =3 x:=2 x: =4 x= 4 x=3 x=2

9. A variable νδ The arrows from each fetch to the next assignment ensures prompt overwriting : =3 :=2 : =4 =4 =3 =2

10. Weak memory νδ … which does not occur in modern weak memories. : =3 :=2 : =4 =4 =3 =2

11. A Semaphore ν δ P is an acquisition of the semaphore V is a release (by the same owner) V P V P

12. A buffered channel ν δ !4labels an output of value 4 ?4 labels an input of value 4 ! =3 !2 !4!4 ?4 ?3 ?2

13. A single-buffered channel δ !3!3 !2 !4!4 ?4 ?3 ?2 Each output depends on prior input of the previous message ν

14. A complete program trace is the union of the tracelets for every command that it contains. The tracelet of a command can be analysed into sub-tracelets for each of its immediate sub-commands. The analysis determines whether the trace is a valid trace for the program.

15. Concurrent Composition p|q = p  q, provided that p  q = { } – otherwise the analysis is invalid, because no event is an execution of two distinct commands. Theorem: | is associative and commutative with unit 

16. Definitions p --> q =  e є p, f є q. e --> f p => q = p = q or p is undefined.

17. Sequential Composition p ; q= p|q provided not q --> p – otherwise the analysis is invalid, because no event in execution of the first command can depend on any event in the execution of the second. Theorem: ; is associative with unit 

18. Example x := 3 x := 4 If x is a shared variable x := 3 ; x:=4=

19. Or, x := 3 x := 4 if blue arrows are equal, x := 3 ; x:=4=

20. Theorems p;q => p|q – Proof: they are equal whenever not q --> p – otherwise, lhs is undefined (p|p’);q=> p|(p’;q) – they are equal when they are both defined – if rhs is undefined, then q --> p’ – which implies that q --> (p’|q), – therefore the lhs is also undefined.

21. Exchange laws p;(q|q’) => (p;q)|q’ – proof similar (p|p’);(q|q’) => (p;q)|(p’;q’) – proof similar All exchange laws are derivable from the last, – by substituting  for p’, or q’, – or for both q and q’

22. Separating concurrency? r = p||q=r = p;q & r = q;p – there is no arrow between p and q BUT – this would prohibit shared variables – p||q <p;q – p ; (q||q’)< (p;q)||q’etc. – the wrong way round! Let’s postpone this problem

23. A command is modelled by the set of tracelets of all its possible executions in all its possible environments.  = { { } } x := 3 = { p | ‘x :=3’ є labels(p)} x := y = { p |  n. {‘x:= n’, ‘y = n’}  labels(p)}

24. Let P, Q, R, be commands P | Q = { (p|q)| p є P & q є Q } P ; Q = { (p;q) | p є P & q є Q } P \/ Q = { r | r є P or r є Q } P  Q =  r. r є P => r є Q All our theorems p => q also hold for P  Q, – because every variable appears exactly once on each side of the inequation.

25. Separation Let L be the set of red arrows – they must not cross thread boundaries Blue arrows must cross thread boundaries Black arrows may cross either boundaries. Definitions of ; and | must be changed to ensure these rules

26. Dependency ordering Let e < f mean that there is a path of arrows from e to f. e <L f means the path consists of red arrows p f, for some e є p, f є q

27. Interfaces of a tracelet p arrows(p) = s(p) u t(p) ins(p) =t(p) - s(p) outs(p) =s(p) - t(p) – where s(p) = {d| source(d) є p} t(p) = {d| target(d) є p}

28. In pictures… outs ins

29. Separating ; p;q= p|q provided that not q < p & outs(p)  L = ins(q)  L – outs(p;q)  L = outs(q)  L – ins(p;q)  L = ins(p)  L Theorem: ; is associative and has unit 

30. Ok is a set of tracelets that are always preferred – e.g., no overflow, no races, no divergence, etc. p => qmeansp = q orp is not defined ornot q є ok  є ok p;q є ok=p є ok & q є ok

31. Separating concurrency e < f= there is a path of red dependencies from e to f p*q є ok=p є ok & q є ok &not p < q & not q < p p*q = p|qif p*q є ok – because that’s the way it will be implemented!

32. Lift to sets P => Q means  p є P. p є ok => p є Q otherwise  q є Q. not q є ok & ins(q) = ins(p)