IN 315: 4.12.02 Plan • Foilsett 11: Unity: Detection
advertisement
IN 315: 4.12.02
• detection
Foilsett 11: Unity: Detection
Plan
• superposition
• Example of both: “termination detection”
#1 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Detection
p detects q ≡ (invariant p ⇒ q) ∧ (q 7→ p)
†
Note: partial order:
p detects p
p detects q ∧ q detects r ⇒ p detects r
p detects q ∧ q detects p ⇒ p ⇔ q
FP-detection
p detects q
FP ⇒ p ⇔ q
†
I kompendiet står ikke invariant men dette kan lede til
inkonsistens (som diskutert tidligere).
#2 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Superposition
Transform an underlying program A with
variables xA by adding new variables xB , and
by adding statements of form
xB := f (xA, xB )
either by modifying any statement S in A to
something of form
S k xB := f (xA, xB )
or extend A to
A[]S 0
where S’ consists of statements of the form
above.
Such a transformation is called superposition,
and is used to introduce program layers.
Unity has a special syntax for this (with a
transform -section).
Superposition theorem
Every (Unity) property of the underlying
program is a property of the
transformed program
i.e. superposition preserves properties!
#3 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Termination detection example
For a given distributed program D with
channel communication, add a “recording
program” R detecting termination of D, with
read-only-access to variables in D.
D is terminated when all processes are idle
and there is nothing more to receive.
D is any program satisfying:
D1 received ≤ sent (on all channnels)
D2 received, sent is non-decreasing
D3 continue being idle, until receive
D4 cannot send when idle
Note that it is not required that:
• channels are FIFO
• every message will be received
• channels are noise-free
#4 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Overview and Main Goal
D-variables:
i.q : Bool is process i idle?
c.s : N at number of messages sent on c
c.r : N at number of messages received from c
for all processes i and channels c.
Termination of D:
T ≡ (∀i :: i.q) ∧ ∀c :: c.s = c.r
R-variables:
i.q 0 : Bool last recorded value of i.q
c.s0 : N at last recorded value of c.s
c.r 0 : N at last recorded value of c.r
Recorded termination of D:
T 0 ≡ (∀i :: i.q 0) ∧ ∀c :: c.s0 = c.r0
Prove: “Termination detection theorem”:
T 0 detects T in D[]R
#5 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Notation
i, j
X, Y, W
Z
X
i.q
X.q
c
c.s
c.r
XY
XY.s
XY.r
ii
M, N, K, L
−
−
−
−
−
−
−
−
−
−
−
−
−
−
processes
sets of processes
the set of all processes
complement, i.e. Z − X
i is idle
all processes in X are idle
channel
number of messages sent on c
number of messages received on c
list of all channels from X to Y
list of c.s for each channel c in XY
list of c.r for each channel c in XY
list of all channels from i
mapping channels to numbers
Note: ii is empty.
Note: i.q, c.s, c.r represent program variables.
#6 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
“List” Notation
M, N, K, L − mapping channels to numbers
L(c)
− the number associated with c
L(XY )
− the list of numbers assoc. with XY
Relations (=, ≥, >) are lifted to lists:
l = l0 − all elements are equal
l ≥ l0 − all elements greater or equal
l > l0 − at least one element is greater
(the others equal)
Abbreviations
XY.(s rel r) denotes XY.s rel XY.r
XY.(s rel L) denotes XY.s rel L(XY )
(X ∪X 0)Y.(...) denotes XY.(...) ∧ X 0Y.(...)
Note:
¬(XY.s = l) 6⇔ (XY.s 6= l)
In the latter all elements must be pairwise
unequal. (Only ⇐ holds)
#7 av 15
IN 315: 4.12.02
Foilsett 11: Unity: Detection
Distributed program D: requirements
D1.
D2.
D3.
D4.
invariant c.s ≥ c.r ≥ 0
stable c.r ≥ m ∧ c.s ≥ n
i.q ∧ ii.r = M unless ii.r > M
i.q ∧ ii.s = N unless ¬i.q ∧ ii.s = N
Note: n, m, N , M are constants.
D3 and D4 can be reformulated as
{i.q ∧ ii.r = M } S {ii.r > M ∨ i.q ∧ ii.r = M }
{i.q ∧ ii.s = N } S {ii.s = N }
Note: channels need not be FIFO, and
messages may get lost or distorted.
Bounded buffers may result in deadlocks not
captured by “idleness”, i.e. we will not be able
to detect such deadlocks.
#8 av 15
Foilsett 11: Unity: Detection
X.q ∧ ZX.(r = L) ∧ XZ.(s = L) unless ZX.(r > L) ∧ XZ.(s = L)
Distributed program: lemma D5
Case X 0 = X ∪ {i}: Must prove: D5[X := X 0] assuming D5 (IH).
D3 and D4 give (D5’): i.q ∧ Zi.(r = L) ∧ iZ.(s = L) unless
i.q ∧ XZ.(s = L) ∧ Zi.(r > L) ∨ ¬i.q ∧ XZ.(s = L) ∧ Zi.(r > L)
i.e.
i.q ∧ Zi.(r = L) ∧ iZ.(s = L) unless XZ.(s = L) ∧ Zi.(r > L)
IH and D5’ gives P unless Q where P is: X.q ∧ ZX.(r = L) ∧ XZ.(s = L)
∧ i.q ∧ Zi.(r = L0) ∧ iZ.(s = L0)
same as:
X 0.q ∧ ZX 0.(r = L00) ∧ X 0Z.(s = L00)
since (X ∪ Y )Z.rel = XZ.rel ∧ Y Z.rel.
Q is: ZX 0.r > L00 ∧ X 0Z.s = L00 ∨ X.q ∧ ZX.r = L = XZ.s ∧ Zi.r > L0 = iZ.s
∨i.q ∧ ZX.r > L = XZ.s ∧ Zi.r > L0 = iZ.s
implying ZX 0.(r > L00) ∧ X 0Z.(s = L00)
#9 av 15
Proof by induction on X:
Case X is empty: Must prove true unless true. Trivial.
Note: internal channels in X have s = r.
D5.
IN 315: 4.12.02
Z.q ∧ ZZ.(s = r)
#10 av 15
Proof
D5[X:=Z]: Z.q ∧ ZZ.(r = L) ∧ ZZ.(s = L) unless ZZ.(r > L) ∧ ZZ.(s = L)
Behind unless, we get
ZZ.(r > s)
but D1 says
ZZ.(s ≥ r).
Thus:
Z.q ∧ ZZ.(r = L) ∧ ZZ.(s = L) unless f alse.
Note: This implies that no variable can change!
stable T ∧ ZZ.(s = L)
Prove that T is stable :
D6.
Foilsett 11: Unity: Detection
Distributed program: termination (D6)
is expressing that D has terminated.
T.
IN 315: 4.12.02
The Recording Program, R
Foilsett 11: Unity: Detection
invariant T 0 ⇒ T in D[]R
The termination detection theorem:
T 0 ≡ Z.q 0 ∧ ZZ.(s0 = r 0)
Let T 0 denote T with all program variables primed:
#11 av 15
Note: all data associated with exactly one process is read simultaneously
into local R-variables (the primed ones).
program R
declare i.q 0 : boolean; c.s0, c.r0 : natural − all i and c
initially < i :: i.q 0 = f alse > < c :: c.r0 = c.s0 = 0 >
assign
< []i :: i.q 0 := i.q
< c ∈ ii :: c.s0 := c.s >
< c ∈ ii :: c.r0 := c.r >>
end
IN 315: 4.12.02
Proof of the termination detection theorem
Foilsett 11: Unity: Detection
Stable in D, invariant in R. Obvious.
DR4. invariant c.s ≥ c.s0 ≥ 0 in D[]R
invariant c.r ≥ c.r0 ≥ 0 in D[]R
Additional lemma:
#12 av 15
DR2. stable X.q 0 ∧ XX.(s0 = r 0) ∧ XX.(r = r0) ⇒
X.q ∧ XX.(s = r) ∧ XX.(s = s0) in D
DR3. invariant X.q 0 ∧ XX.(s0 = r 0) ∧ XX.(r = r0) ⇒
X.q ∧ XX.(s = r) ∧ XX.(s = s0) in R
Stableness in D by DR2, invariant in R by DR3:
Replacing X by Z gives: invariant T 0 ⇒ T in D[]R, since Z is empty.
DR1. invariant X.q 0 ∧ XX.(s0 = r 0) ∧ XX.(r = r0) ⇒
X.q ∧ XX.(s = r) ∧ XX.(s = s0) in D[]R
IN 315: 4.12.02
Foilsett 11: Unity: Detection
#13 av 15
Proof of DR2
X.q ∧ ZX.(r = L) ∧ XZ.(s = L) unless ZX.(r > L) ∧ XZ.(s = L)
D5
Precondition reduces to:
X.q ∧ XX.(s = r) ∧ XX.(r = L) ∧ XX.r = L ∧ XX.s = L
by simplification
X.q ∧ XX.(s = r) ∧ XX.r = L ∧ XX.s = L
since XX.s = L
Postcondition implies: XX.r > L
stable XX.r > L
stable Precondition ∨XX.r > L
since A unless B and stable B gives stable A ∨ B
X.q ∧ XX.(s = r) ∧ XX.r = L ∧ XX.s = L ∨ XX.r > L
X.q ∧ XX.(s = r) ∧ XX.r = r0 ∧ XX.s = s0 ∨ XX.r > r0
replacing: XX.L := r 0; XX.L := s0
stable ¬(X.q 0 ∧ XX.(s0 = r 0))
constant in D
stable X.q 0 ∧ XX.(s0 = r 0) ∧ ¬XX.r > r0 ⇒
by disjunction
X.q ∧ XX.(s = r) ∧ XX.r = r0 ∧ XX.s = s0
simplify ¬XX.r > r0 to XX.r = r0 by DR4.
IN 315: 4.12.02
Liveness properties
stable T ∧ i.u in D
T T ensures ∧ i.u in R
T T ensures ∧ i.u in D[]R
stable T in R
stable i.u in R
stable T ∧ i.u in R
stable T ∧ i.u in D[]R
T 7→ ∀i :: T ∧ i.u in D[]R
T 7→ T ∧ ∀i :: i.u in D[]R
Proof of DR5:
D8.
Define: i.u ≡ i.q = i.q 0 ∧ ii.(r = r0) ∧ ii.(s = s0)
Note: (T ∧ ∀i :: i.u) ⇒ T 0
DR5. T 7→ T 0 in D[]R
IN 315: 4.12.02
#14 av 15
stable in D by D8
completion theorem
follows
directly from R
T stable in D (D6)
constant
directly from R
Foilsett 11: Unity: Detection
Proof of D8
Foilsett 11: Unity: Detection
stable T ∧ (i.q = i.q 0) ∧ ii.(r = r0) ∧ ii.(s = s0) in D
stable
stable
stable
stable
stable
stable
#15 av 15
T ∧ ZZ.(s = L)
by D6
T ∧ Zi.(s = L) ∧ iZ.(s = L) ∧ Y Y.(s = L)
Z = Y ∪ {i}
T ∧ Zi.(s = L) ∧ iZ.(s = L)
by disjunction over all Y Y.L
constant in D
i.q 0
by simple conjunction
T ∧ i.q 0 ∧ Zi.(s = L) ∧ iZ.(s = L)
T ∧ (i.q = i.q 0) ∧ Zi.(r = L) ∧ iZ.(s = L)
since T ∧ i.q 0 ⇔ T ∧ (i.q = i.q 0)
and T ∧ Zi.(s = L) ⇔ T ∧ Zi.(r = L)
stable T ∧ (i.q = i.q 0) ∧ Zi.(r = r 0) ∧ iZ.(s = s0)
replacing Zi.L, iZ.L by the D-constants Zi.r0, iZ.s0
Replace Zi by ii, and iZ by ii.
Proof: Stableness is in D.
Define: Zi ≡ Z − {i}
D8.
IN 315: 4.12.02
