ebook img

Finite-state concurrent programs can be expressed pairwise PDF

0.22 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Finite-state concurrent programs can be expressed pairwise

Finite-state concurrent programs can be expressed pairwise Paul C. Attie Department of Computer Science American University of Beirut and Center for Advanced Mathematical Sciences American University of Beirut [email protected] 8 0 February 2, 2008 0 2 Abstract n a Wepresentapairwisenormal form forfinite-statesharedmemoryconcurrentprograms: allvariables J are shared between exactly two processes, and the guards on transitions are conjunctions of conditions 4 over this pairwise shared state. This representation has been used to efficiently (in polynomial time) synthesize and model-check correctness properties of concurrent programs. Our main result is that any ] finite state concurrent program can be transformed into pairwise normal form. Specifically, if Q is an O arbitraryfinite-statesharedmemoryconcurrentprogram,thenthereexistsafinite-statesharedmemory L concurrent program P expressed in pairwise normal form such that P is strongly bisimilar to Q. Our . result is constructive: we give an algorithm for producing P, given Q. s c [ 1 Introduction 1 v 7 The state explosion problem is recognized as a fundamental impediment to the widespread application of 7 mechanical finite-state verification and synthesis methods, in particular, model-checking. The problem is 6 0 particularlyseverewhenconsideringfinite-stateconcurrentprograms,asthe individualprocessesmakingup . such programs may be quite different (no similarity) and may be only loosely coupled (leading to a large 1 number of global states). 0 8 In previous work [1, 2, 5], we have suggested a method of avoiding state-explosion by expressing the 0 synchronizationandcommunicationcodeforeachpairofinteractingprocessesseparatelyfromthatforother : v (evenintersecting)pairs. Inparticular,allsharedvariablesaresharedbyexactlyonepairofprocesses. This i X “pairwisenormalform”enables us,for anyarbitrarilylargeconcurrentprogram,to model-checkcorrectness propertiesfortheconcurrentcompositionsofsmallnumbersofprocesses(sofar2or3)andthenconcludethat r a these propertiesalsohold in the largeprogram. IfP is a concurrentprogramconsistingof K processeseach having O(N) local states, then we can verify the deadlock freedom of P in O(K3N3b) time1 or O(K4N4) time, using either of two conservative tests [5], and we can verify safety and liveness properties of P in O(K2N2) time [1, 2]. Akeyquestionregardingthepairwiseapproachis: doesitgiveupexpressivepower? Thatis,inrequiring synchronization and communication code to be expressed pairwise, do we constrain the set of concurrent programs that can be represented? In this paper, we answer this question in the negative: we show that for any concurrent program Q, we can (constructively) produce a concurrent program P that is in pairwise normal form, and that is strongly bisimilar to Q. Therestofthepaperisasfollows. Section2presentsourmodelofconcurrentcomputationanddefinesthe global state transition diagram of a concurrnt program. Section 3 defines pairwise normal form. Section 4 presents our main result: any finite-state concurrent program can be expressed in pairwise normal form. Section 5 discusses related work, and Section 6 concludes. 1bisthemaximumbranchinginthelocalstatetransitionrelationofasingleprocess 1 2 Technical Preliminaries 2.1 Model of concurrent computation We consider finite-state shared memory concurrent programs of the form P =P k···kP that consist of a 1 K finite number n of fixed sequential processes P ,...,P running in parallel. Each P is a synchronization 1 K i skeleton [11], that is, a directed multigraph where each node is a (local) state of P (also called an i-state i and is labeled by a unique name (s ), and where each arc is labeled with a guarded command [9] B → A i i i consisting of a guard B and corresponding action A . Each node must have at least one outgoing arc, i.e., i i a skeleton contains no “dead ends.” With each P , we associate a set AP of atomic propositions, and a i i mapping V from local states of P to subsets of AP : V (s ) is the set of atomic propositions that are true i i i i i in s . As P executes transitions and changes its local state, the atomic propositions in AP are updated. i i i Different local states of P have different truth assignments: V (s )6=V (t ) for s 6=t . Atomic propositions i i i i i i i are not shared: AP ∩AP = ∅ when i 6= j. Other processes can read (via guards) but not update the i j atomic propositions in AP . We define the set of all atomic propositions AP =AP ∪···∪AP . There is i 1 K also a set SH = {x ,...,x } of shared variables, which can be read and written by every process. These 1 m are updated by the action A . A global state is a tuple of the form (s ,...,s ,v ,...,v ) where s is the i 1 K 1 m i currentlocalstateofP andv ,...,v isalistgivingthecurrentvaluesofx ,...,x ,respectively. Aguard i 1 m 1 m B is a predicate on global states, and so can reference any atomic proposition and any shared variable. An i action A is any piece of terminating pseudocode that updates the shared variables.2 We write just A for i i true →A and just B for B →skip, where skip is the empty assignment. i i i We model parallelism as usual by the nondeterministic interleaving of the “atomic” transitions of the individualprocessesP . Lets=(s ,...,s ,...,s ,v ,...,v )bethecurrentglobalstate,andletP contain i 1 i K 1 m i an arc from node s to s′ labeled with B → A . We write such an arc as the tuple (s ,B → A ,s′), and i i i i i i i i call it a P -arc from s to s′. We use just arc when P is specified by the context. If B holds in s, then i i i i i a permissible next state is s′ = (s ,...,s′,...,s ,v′,...,v′ ) where v′,...,v′ are the new values for the 1 i K 1 m 1 m sharedvariablesresulting fromaction A . Thus, at eachstep of the computation, a processwith anenabled i arc is nondeterministically selected to be executed next. The transition relation R is the set of all such (s,i,s′). The arc from node s to s′ is enabled in state s. An arc that is not enabled is blocked. Our model i i of computation is a high-atomicity model, since a process P can evaluate the guard B , execute the action i i A , and change its local state, all in one action. i Recall that we define a global state to be a tuple of local states and shared variable values, rather than a “name” together with a labeling function L that gives the associated valuation, A consequence of this definition is that two different global states must differ in either some local state or some shared variable value. Since we require different local states to differ in at least one atomic proposition value, we conclude that two different global states differ in at least one atomic proposition value or one shared variable value. We define the valuation corresponding to a global state s=(s ,...,s ,...,s , 1 i K v ,...,v ) as follows. For an atomic proposition p ∈ AP : s(p ) = true if p ∈ V (s ), and s(p ) = false if 1 m i i i i i i i p 6∈V (s ). Forasharedvariablex , 1≤ℓ≤m: s(x )=v . We define s↾AP tobe the set{p∈AP |s(p)= i i i ℓ ℓ ℓ true} i.e., the set of propositions that are true in state s. s↾AP is essentially the projection of s onto the atomic propositions. Also, s↾i is defined to be s , i.e., the local state of P in s. We also define s↾SH to be i i the set {hp,s(x)i | x ∈ SH}, i.e., the set of all pairs consisting of a shared variable x in SH together with the value that s assigns to x. Let St be a given set of initial states in which computations of P can start. A computation path is a sequence of states whose first state is in St and where eachsuccessive pair of states is related by R. A state is reachable iff it lies on some computation path. Since we must specify the start states St in order for the computationpathsto be well-defined,were-defineournotionofaprogramtobeP =(St,P k···kP ), i.e., 1 K a program consists of the parallel composition of K processes, together with a set St of initial states. For technical convenience, and without loss of generality, we assume that no synchronization skeleton contains a node with a self-loop. The functionality of a self-loop (e.g., a busy wait) can always be achieved 2Wewillonlyusestraight-linecodeinthispaper,soterminationisalwaysguaranteed. 2 by using a loop containing two local states. Thus, a transition by P changes the local state of P , and i i therefore the value of at least one atomic proposition in AP . Hence, no global state s has a self loop, i.e., i a transition by some P both starting and finishing in s. i For a local state s , define {|s }| as follows: i i Definition 1 (State-to-Formula Translation) {|s }| =“( p) ∧ ( ¬p)” i ^ ^ p∈Vi(si) p6∈Vi(si) where p ranges over AP . i {|s }| converts a local state s into a propositional formula over AP . i i i If s is a global state and B is a guard, we define s(B) by the usual inductive scheme: s(“x=c”)=true iff s(x) = c, s(B1∧B2) = true iff s(B1) = true and s(B2) = true, s(¬B1) = true iff s(B1) = false. If s(B)=true, we also write s|=B. 2.2 The Global State Transition Diagram of a Concurrent Program Definition 2 (Global state transition diagram) Given a concurrent program P = P k···kP and a 1 K set St of initial global states for P, the globalstate transitiondiagramgeneratedbyP is a Kripke structure M =(St,S,R) given as follows: (1) S is the smallest set of global states satisfying (1.1) St⊆S and (1.2) if there exist s∈S,i∈[K]3, and u such that (s,i,u) is in the next-state relation defined above in Section 2.1, then u∈S, and (2) R is the next-state relation restricted to S. We define strong bisimulation in the standard way. Definition 3 (Strong Bisimulation) Let M =(St,S,R) and M′ =(St′,S′,R′) be two Kripke structures with the same underlying set AP of atomic propositions. A relation B ⊆S×S′ is a strong bisimulation iff: 1. if B(s,s′) then s↾AP =s′↾AP 2. if B(s,s′) and (s,i,u)∈R then ∃u′ :(s′,i,u′)∈R′∧B(u,u′) 3. if B(s,s′) and (s′,i,u′)∈R then ∃u:(s,i,u)∈R∧B(u,u′) We also define ∼ to be the union of all strong bisimulation relations: ∼= {B :B is a strong bisimulation}. S We say that M and M′ are strongly bisimilar, and write M ∼ M′, if and only if there exists a strong bisimulation B such that ∀s∈St,∃s′ ∈St′ :B(s′s′) and ∀s′ ∈St′,∃s∈St:B(s′s′). 3 Pairwise normal form Let ⊕,⊗ be binary infix operators. A general guarded command [2] is either a guarded command as given in Section 2.1 above, or has the form G ⊕G or G ⊗G , where G , G are general guarded commands. 1 2 1 2 1 2 Roughly, the operational semantics of G ⊕G is that either G or G , but not both, can be executed, and 1 2 1 2 the operational semantics of G ⊗G is that both G or G must be executed, that is, the guards of both 1 2 1 2 G and G must hold at the same time, and the bodies of G and G must be executed simultaneously, as 1 2 1 2 a single parallel assignment statement. For the semantics of G ⊗G to be well-defined, there must be no 1 2 conflicting assignments to shared variables in G and G . This will always be the case for the programs we 1 2 consider. We refer the reader to [2] for a comprehensive presentation of general guarded commands. 3Weuse[K]forthesetconsistingofthenaturalnumbers1,...,K. 3 Definition 4 (Pairwise Normal Form) A concurrent program P = P k···kP is in pairwise normal 1 K form iff the following four conditions all hold: 1. every arc a of every process P has the form i i a =(s ,⊗ ⊕ Bj →Aj ,t ), where Bj →Aj is a guarded command, I is an irreflex- i i j∈I(i) ℓ∈{1,...,nj} i,ℓ i,ℓ i i,ℓ i,ℓ ive symmetric relation over [K] that defines a “interconnection” (or “neighbors”) relation amongst processes, and I(i)={j | (i,j)∈I}, 2. variables are shared in a pairwise manner, i.e., for each (i,j) ∈ I, there is some set SH of shared ij variables that are the only variables that can be read and written by both P and P , i j 3. Bj can reference only variables in SH and atomic propositions in AP , and i,ℓ ij j 4. Aj can update only variables in SH . i,ℓ ij For each neighbor P of P , ⊕ Bj → Aj specifies n alternatives Bj → Aj , 1 ≤ ℓ ≤ n for the j i ℓ∈[1:n] i,ℓ i,ℓ i,ℓ i,ℓ interactionbetweenP andP as P transitions froms to t . P must execute such aninteractionwith each i j i i i i of its neighbors in order to transition from s to t . We emphasize that I is not necessarily the set of all i i pairs, i.e., there can be processes that do not directly interact by reading each others atomic propositions or reading/writingpairwise shared variables. We do not assume, unless otherwise stated, that processes are isomorphic, or “similar.” WeuseasuperscriptI toindicatetherelationI,e.g.,processPI,andPi-arcaI. WedefineaI.start=s , i I i i i aI.guard = Bj , and aI.guard = a .guard . If PI = PI k...kPI is a concurrent i j Wℓ∈{1,...,nj} i,ℓ i Vj∈I(i) i j 1 K program with interconnection relation I, then we call PI an I-system. For the special case when I = {(i,j) | i,j ∈[K],i6=j}, i.e., I is the complete interconnection relation, we omit the superscript I. Inpairwisenormalform,thesynchronizationcodeforPI withoneofitsneighborsPI (i.e.,⊕ Bj → i j ℓ∈{1,...,nj} i,ℓ Aj )isexpressedseparatelyfromthesynchronizationcodeforPI withanotherneighborPI (i.e.,⊕ Bk → i,ℓ i k ℓ∈{1,...,nk} i,ℓ Ak ) We can exploit this property to define “subsystems” of an I-system P as follows. Let J ⊆ I and i,ℓ range(J) = {i | ∃j : (i,j) ∈ J}. If aI is a arc of PI then define aJ = (s ,⊗ ⊕ Bj → Aj ,t ). i i i i j∈J(i) ℓ∈[n] i,ℓ i,ℓ i Then the J-system PJ is PJ k ... k PJ where {j ,...,j } = range(J) and PJ consists of the arcs j1 jn 1 n j {aJ | aI is a arc of PI}. Intuitively, a J-system consists of the processes in range(J), where each pro- i I j cess contains only the synchronization code needed for its J-neighbors, rather than its I-neighbors. If J = {{i,j}} for some i,j then P is a pair-system, and if J = {{i,j},{j,k}} for some i,j,k then P is a J J triple-system. For J ⊆ I, M = (St ,S ,R ) is the GSTD of PJ as defined in Section 2.1, and a global J J J J state of PJ is a J-state. If J ={{i,j}},then we write M =(St ,S ,R ) instead of M =(St ,S ,R ). ij ij ij ij J J J J In [1, 2, 4] we give, in pairwise normal form, solutions to many well-known problems, such as dining philosophers, drinking philosophers, mutual exclusion, k-out-of-n mutual exclusion, two-phase commit, and replicateddataservers. Weconjecturethatanyfinite-stateconcurrentprogramcanberewritten(uptostrong bisimilation) in pairwise normal form. The restriction to pairwise normal form enables us to mechanically verify certain correctness properties very efficiently. Recall that K is the number of processes, b is the maximum branching in the local state transitionrelationof a single process,and N is the size of the largest process. Then, safety and liveness properties that can be expressed over pairs of processes can be verified in time O(K2N2) by model-checking pair-systems, [1, 2], and deadlock-freedom can be verified in time in O(K3N3b) or O(K4N4) using either of two conservative tests [5], which in turn operate by model checking triple-systems. Exhaustive state-space enumeration would of course require O(NK) time. 4 The Pairwise Expressiveness Result Let Q = (St ,Q k···kQ ) be an arbitrary finite-state shared memory concurrent program as defined in Q 1 K Section2.1above,witheachprocessQ havinganassociatedsetAP ofatomicpropositionsandwithshared i i variablesx ,...,x . The transformationofQ to pairwisenormalformproceedsin three phases,asgivenin 1 m the sequel. 4 TRANSFORM(M ,M′ ) Q Q St′ :=St ; S′ :=S ; R′ :=R ; Q Q Q Q Q Q repeat until there is no change in M′ Q let s be a state in M′ such that |in procs(s)|>1; Q forall i∈in procs(s) do create a new marked state si such that si↾AP =s↾AP, si↾SH=s↾SH if s∈St then St′ ←St′ ∪{si} endif; Q Q Q S′ ←S′ ∪{si}; Q Q forall j,u:(s,j,u)∈R do R′ ←R′ ∪{(si,j,u)} endfor; Q Q Q forall u:(u,i,s)∈R do R′ ←R′ ∪{(u,i,si)} endfor; Q Q Q St′ ←St′ −{s}; Q Q S′ ←S′ −{s}; Q Q remove all transitions incident on s from R′ Q endfor endrepeat Figure 1: Transformation of M so that all incoming transitions are labeled with the same process index. Q 4.1 Phase One First, we generate M , the GSTD of Q, as given by Definition 2. By construction of Definition 2, all states Q in M are reachable. We then execute the algorithm given in Figure 1 on M which transforms M intro Q Q Q a Kripke structure M′ = (St′ ,S′ ,R′ ) which is bisimilar to M and which has the property that all Q Q Q Q Q incoming transitions into a state are labeledwith the same process index. This is notstrictly necessary,but significantly simplifies the transformation to pairwise normal form. Define in procs(s) = {i ∈ [K] | ∃s′ : (s′,i,s)∈ R }. We also introduce a new shared variable in whose Q value in a state s will be the process index that labels the transitions incoming into s. Proposition 1 Procedure TRANSFORM terminates. Proof. Each iteration of the repeat loop (line 2) reduces the number of states s such that |in procs(s)|>1 by one. Since M′ is initially set to M , which is finite, this cannot go on forever. 2 Q Q Proposition 2 M′ ∼M is a loop invariant of the repeat loop (line 2) of TRANSFORM. Q Q Proof of Proposition 2. Proof. Let n be the number of iterations that the repeat loop executes. Let 0 Mn = (Stn,Sn,Rn) be the value of M′ at the end of the n’th iteration, (for all n ≤ n ) with M0 being Q 0 the initial value M . We will also use the superscript n for states in Mn, when needed. We show that Q ∀n:0<n≤n :Mn−1 ∼Mn. 0 Consider the n’th iteration of the repeat loop. In this iteration, Mn results from Mn−1 by deleting some state s and adding some states si1...siℓ, where {i1,...iℓ} = in procs(s). Since each of si1...siℓ have the same successor states as s, and agree with s on the values of all atomic propositions, we have s ∼ si1,...,s ∼ siℓ. Let u be an arbitrary predecessor of s in Mn−1, i.e., (un−1,j,s) ∈ Rn−1, where un−1 indicates the occurrence of u in Mn−1. At the end of the iteration, we have (un,j,sj) ∈ Rn. Since s ∼ sj, we have un−1 ∼ un, i.e., the occurrence of u in Mn−1 is bisimilar to the occurrence of u in Mn. Since all other states in Mn−1 and Mn have an unchanged set of successors, we conclude that Mn−1 ∼Mn. By a straightforwardinduction on n, and using the transitivity of ∼, we canshow that ∀n:0<n≤n : 0 M0 ∼Mn. Thus M0 =Mn0. Now M =M0 and M′ =Mn0, and the proposition is established. 2 Q Q 5 Proposition 3 Upon termination of procedure TRANSFORM, (1) M′ ∼M , and Q Q (2) every state s in M′ satisfies |in procs(s)|≤1. Q Proof. (1)followsfromProposition2. (2)followsimmediatelyfominspectingline2ofprocedureTRANSFORM. 2 For all s∈S′ such that |in procs(s)|=1, define in(s) to be the unique i such that ∃s′ :(s′,i,s)∈R′ . Q Q Proposition 4 UponterminationofprocedureTRANSFORM,foranytwostatess,uinM′ ,s↾AP 6=u↾AP Q or s↾SH=6 u↾SH or in(s)6=in(u). Proof. Immediate by construction of procedure TRANSFORM. 2 4.2 Phase Two We exploit the unique incoming process index property of M′ to extracta programP =(St ,P k···kP ) Q P 1 K from M′ such that P is bisimilar to Q = (St ,Q k···kQ ) and P is in pairwise normal form. The Q Q 1 K interconnection relation I for P is the complete relation, and so we omit the superscripts I on P and P . P i operates by emulating the execution of Q. In the sequel, let i,j,k implicitly range over [K], with possible further restriction, e.g., i 6= j. With each process P we associate the following state variables, with the i indicated access permissions and purpose • The atomic propositions in AP . These are written by P and read by all processes. For each i i process P , these enable P to emulate the local state of Q , which is defined by the same set AP of i i i i atomic propositions. • A shared variable xi for every x ∈ SH and j ∈ [K]. These are written by P and read by P . ij i j These enable P to emulate the updates that Q makes to x. When P is the last process to have i i i executed, any other process P will read xi to find the correct emulated value of x, since this value j ij will have been computed by P and stored in xi for all j ∈[K]. For technical convenience, we admit i ij xi . We select some ℓ ∈ [K]−{i} arbitrarily and define xi to be shared pairwise between P and P . ii ii i ℓ This is needed to conform technically to Definition 4. P will not actually reference xi . ℓ ii • A timestamp tj for every j ∈[K]. Thesearewritten andreadby P only. Timestamps havevalues i i in {0,1,2}. We define orderings < , > on timestamps as follows [8]: 0< 1, 1< 2, and 2< 0, and o o o o o t > t′ iff t′ < t. Note that < is not transitive. The purpose of tj and ti is to enable the pair of o o o i j processes P and P to establish an ordering between themselves by computing tj < ti. If tj > ti, i j i o j i o j then P executed a transition more recently than P , and vice-versa. The timestamp ti is unused, so i j i we do not worry about initializing it, or what is value is in general. • A timestamp vector tvi for every j ∈ [K]. A K-tuple whose value is maintained equal to ij ht1,...,tKi. ItiswrittenbyP andreadbyP andP . ItspurposeistoallowP tocommunicatetoP i i i i j i j the values of P ’s timestamps w.r.t. all other processes. By reading all tvi , i∈[K]−{j}, process P i ij j cancorrectlyinfertheindexofthelastprocesstoexecute. ThisallowsP toreadthecorrectemulated j valuesofallsharedvariables. We usetvi .k to denote the k’thelementoftvi ,whichis the value oftk. ij ij i Fortechnicalconvenience,we admit tvi. We select someℓ∈[K]−{i}arbitrarilyanddefinetvi to be ii ii shared pairwise between P and P . This is needed to conform technically to Definition 4. P will not i ℓ ℓ actually reference tvi . ii For all the above, the order of subscripts does not matter, e.g., tvi and tvi are the same variable, etc. ij ji The essence of the emulation is to deal correctly with the shared variables. This depends upon every process being able to compute the index of the last process to execute, as described above. Define the 6 auxiliary(“ghost”)variablelast tobetheindexofthelastprocesstomakeatransition. Asdescribedabove, every process P can compute the value of last (last is not explicitly implemented, since doing so would j violate pairwise normal form). Then, Pj reads the variable xllaasstt,j that it shares with Plast to find an up to date value for the variable x in Q. Together with the unique incoming process index property of M′ , Q this allows P to accurately determine the currently simulated global state of M′ . P can then update its j Q j associated shared variables and atomic propositions to accurately emulate a transition in M′ . Q Let M be the GSTD of P, as given by Definition 2. We will define P =(St ,P k···kP ) so that M′ P P 1 K Q and M are bisimilar. P We start with St . For each initial state u of M′ , we create a corresponding initial state r ∈ St so P 0 Q 0 P that: r ↾AP =u ↾AP 0 0 r (xi )=u (x) Vx∈SH,i,j 0 ij 0 Now for the bisimulationbetween M′ andM to workproperly,we will requirethat in(u)=s(last), where Q P u,s are bisimilar states of M′ , M , respectively. It is possible, however, that some initial state u of M′ Q P 0 Q does not have an incoming transition, and so in(u ) is undefined. We deal with this as follows. 0 Callaninitialstate(ofeitherM′ orM )thatdoesnothaveanincomingtransitionasource state. Since Q P we defined the corresponding r above so that xi has the correct value (namely u (x)) for all i,j, we can 0 ij 0 let any process be the “last”, as determined by the timestamps. Thus, for a source state u in M′ and its 0 Q corresponding source state r in M , we set: 0 P 1 if i=1∧j 6=1 r (tj)= 0 if i6=1∧j =1 0 i  X if i6=1∧j 6=1  whereX denotesa “don’tcare,”i.e.,anyvalue in {0,1,2}canbe used. This hasthe effect ofmakingP the 1 “last” process to have executed in a source state, i.e., setting r (last)=1. We now extend the definition of 0 in tosourcestatesbydefiningin(u )=1foreverysourcestateu ∈St′ . Togetherwiththefactthatstates 0 0 Q in M′ are uniquely determined by the atomic proposition and shared variable values, this automatically Q takes care of the bisimulation matching between source states in M′ and source states in M , without the Q P need for an extra case analysis. Note also that in(u) is now defined for all states u in M′ . Q For an initial state u of M′ that is not a source state, and its corresponding initial state r in M , we 0 Q 0 P set: 1 if i=in(u )∧j 6=in(u ) 0 0 r (tj)= 0 if i6=in(u )∧j =in(u ) 0 i  0 0 X if i6=in(u )∧j 6=in(u ) 0 0  where again X means “don’t care.” This has the effect of setting r (last)=in(u ), as required. 0 0 For all initial states r ∈St , whether thay are source states or not, we set the timestamp vector values 0 P so that: r (tvi .k)=r (tk) i,j,k 0 ij 0 i V For each transition (u,i,v) in M′ , we generate a single arc ARCu,v in P as follows. ARCu,v starts in Q i i i local state u↾i of P and ends in local state v↾i of P . Let in(u) = c. Then the guard Bu,v of ARCu,v is i i i i defined as follows: Bu,v =d=f (last =c) ∧ {|u↾j}| ∧ ( xc =u(x)) i Vj6=i Vx∈SH ci The first conjunct checks that the last process that executed is the process with index in(u). The second 7 step(t,t′) Precondition: 0≤t,t′ ≤2, that is, t,t′ are timestamp values if t> t′ then return(t) o else if t=0∧t′ =1 then return(2) endif; if t=1∧t′ =2 then return(0) endif; if t=2∧t′ =0 then return(1) endif; endif Figure 2: The step procedure. conjunct checks that all atomic propositions have the values assigned to them by global state u. The third conjunct checks that all shared variables have the values assigned to them by global state u. The action Au,v of ARCu,v is defined to be i i k tj :=step(tj,tvi .j); j6=i i i ji k tvi :=ht1,...,tKi; j ij i i k xi :=v(x) j,x∈SH ij where step(t,t′) is given in Figure 2. This cannot be factored into pairwise actions Aj because all the tj i,m i are used to update all the tvi . The solution is to make the tj part of the local state of P . We do this in ij i i phase 3 below. For now, we show that program P with the arcs given by ARCu,v =(u↾i,Bu,v →Au,v,v↾i) i i i is bisimilar to program Q. Proposition 5 The following are invariants of P: 1. tvi .k =tk Vi,j,k6=i ij i 2. ((last =i) ≡ tj > ti) Vi Vj6=i i o j 3. xi =xi i,j,k ij ik V Proof. By construction of P: St is defined so that the initial states all satisfy the above, and the actions P Au,v of every process P of P are defined so that their execution preserves the above. 2 i i Definition 5 Define ⊲⊳ ⊆S′ ×S as follows. For u∈S′ , r ∈S , u⊲⊳r iff: Q P Q P 1. u↾AP =r↾AP 2. in(u)=r(last) 3. r(last)=k ⇒( u(x)=r(xk )) Vx∈SH,k Vi ki Theorem 6 ⊲⊳ is a strong bisimulation Proof of Theorem 6. Proof. Let u ∈ S′ , r ∈ S , and u⊲⊳r. We must show that all three clauses of Q P Definition 3 hold, that is: 8 1. if u⊲⊳r then u↾AP =r↾AP 2. if u⊲⊳r and (u,i,v)∈R then ∃s:(r,i,s)∈R ∧v⊲⊳s Q P 3. if u⊲⊳r and (r,i,s)∈R then ∃v :(u,i,v)∈R ∧v⊲⊳s P Q Clause 1 holds by virtue of clause 1 of Definition 5. Proof of clause 2. Assume (u,i,v) ∈ R , and let in(u) = c. We show that there exists s such that Q (r,i,s)∈R andv⊲⊳s. By our constructionofP above,the transition(u,i,v)generates the arcARCu,v in P i P . By definition, the guard Bu,v of ARCu,v is i i i (last =c ∧ {|u↾j}| ∧ ( xc =u(x))). (a) Vj6=i Vx∈SH ci Now by Definition 5 and u⊲⊳r, we have in(u) = r(last). Hence r |= last = c. Also by Definition 5 and u⊲⊳r, we have u↾AP = r↾AP. Hence r |= {|u↾j}|. Again by Definition 5 and u⊲⊳r, we have r(last)=c⇒u(x)=r(xc . Hence u(Vx)j6==i r(xc ). And so r |=( xc =u(x)). Vx∈SH ci Vx∈SH, ci Vx∈SH cj Since r satisfies all three conjuncts of (a), it follows that the guard of ARCu,v is true in state r, and i therefore ARCu,v is enabled in r. By Proposition 5 and inspection of the action Au,v of ARCu,v, executing i i i of ARCu,v leads to a state s such that i s(last)=i and s↾AP =v↾AP and ( xi =v(x)). j ij V By Definition 5, we have v⊲⊳s, as required. Proof of clause 3. Assume (r,i,s)∈R . We show that there exists v such that (u,i,v)∈R and v⊲⊳s. P Q By our construction of P above, the transition (r,i,s) results from executing an arc ARCw,v in P , i i for some w,v. Let in(w) = c. By definition of ARCw,v, we have r |= {|w↾j}|, and also r↾i = w↾i. Hence, by the definition of {|w}| (Definition 1), r↾AP i= w↾AP. Also byVdje6=fiinition of ARCw,v, we have i r(last)=in(w)=c∧( r(xc )=w(x)). Hence: Vx∈SH ci r(last)=in(w)=c and r↾AP =w↾AP and ( r(xc )=w(x)). (b) Vx∈SH ci Since u⊲⊳r, we have r(last)=in(u) and u↾AP =r↾AP and ( r(xlast )=u(x)). Vx∈SH last,i From (b), r(last)=c. Hence r(last)=in(u) and u↾AP =r↾AP and ( r(xc )=u(x)). (c) Vx∈SH ci From (b,c) we have in(w)=in(u) and w↾AP =u↾AP and ( w(x)=u(x)). (d) Vx∈SH Since all global states differ in either some atomic proposition or some shared variable, or some incoming transition, by Proposition 4, we conclude from (d) that w=u. ByProposition5andinspectionoftheactionAu,v ofARCu,v,executingARCu,v canonlyleadtoastate i i i s such that s(last)=i and s↾AP =v↾AP and ( xi =v(x)). j ij V By Definition 5, we have v⊲⊳s, as required. 2 9 Corollary 7 M′ ∼M . Q P Proof. From Definition 5 and our definition of the initial states of P, we see that for every initial state u 0 of M′ , there exists an initial state r of M such that u ⊲⊳r , and vice-versa. The result then follows from Q 0 P 0 0 Theorem 6 and Definition 3. 2 4.3 Phase Three WenowexpressARCu,v inaformthatcomplieswithDefinition4,thatis,as⊗ ⊕ Bj →Aj , i j∈I(i) ℓ∈{1,...,nj} i,ℓ i,ℓ where Bj can reference only variables in SH and atomic propositions in AP , and Aj can update only i,ℓ ij j i,ℓ variables in SH . Recall that ARCu,v =(u↾i,Bu,v →Au,v,v↾i). For the rest of this section, let in(u)=c. ij i i i First consider Bu,v. By definition Bu,v = (last = c) ∧ {|u↾j}| ∧ ( xc = u(x)). Now {|u↾j}| is a i i Vj6=i Vx∈SH ci propositionalformulaoverAP ,andso {|u↾j}| isa conjunctionofpropositionalformulaeoverAP ,and so it poses no problem. Likewijse, since (Vj6=i xc =u(x)) is a conjunction over pairwise shared varijables, Vx∈SH ci it also is unproblematic. last =c is not in the pairwise form givenabove since it refers to the ghostvariable last. Note that in(u) is a constant, and so is not problematic in this regard. Now last = c checks that the last process to execute is P . In terms of timestamps, it is equivalent to c tj > tc, i.e., P has executed more recently than all other processes. However, the timstamps tc are Vj6=c c o j c j inaccessible to P , and the tj are accessible to P only in the special case that c = i, which does not hold i c i generally. The purpose of the timestamp vectors is precisely to deal with this problem. Recall that tvc .j is ci maintained equal to tj, and tvj .c is maintained equal to tc. Hence, we replace last =c by the equivalent c ji j tvc.j > tvj .c. (*) Vj6=c ci o ji which moreovercan be evaluated by P , since it refers only to timestamp vectors that are accessible to P . i i Now the expressiontvc .j > tvj .c refers to tvc, which is sharedby P and P , and tvj , which is shared ci o ji ci c i ji by P and P . Thus it is not in pairwise form. We fix this as follows. tvc.j > tvj .c is equivalent to j i ci o ji (tvc .j = 0∧tvj .c =1)∨(tvc.j =1∧tvj .c =2)∨(tvc .j = 2∧tvj .c =0), by definition of > . Hence, (∗) ci ji ci ji ci ji o is equivalent to (tvc .j =0∧tvj .c=1)∨(tvc.j =1∧tvj .c=2)∨(tvc .j =2∧tvj .c=0). Vj6=c ci ji ci ji ci ji This formula has length in O(K). We convert this to disjunctive normal form, resulting in a formula of length in O(exp(K)). Let the result be D ∨...∨D for some n. Each D , 1 ≤ m ≤ n is a conjunction 1 n m of literals, where each literal has one of the forms (tvc .j op ts), (tvj .c op ts), where op ∈ {=,6=}, and ci ji ts∈{0,1,2}. Specifically, D =LITc(tvc .j)∧ LITj(tvj .c), m m ci Vj6∈{c,i} m ji where LITc(tvc .j) is a conjunction of literals of the form tvc.j op ts, and LITc(tvj .c) is a conjunction of m ci ci m ji literals of the form tvj .c op ts. Moreover,since logical equivalence to (*) has been maintained, we have ji (D ∨...∨D )≡(last =c). 1 n For m∈{1,...,n}, define: Bu,v(m) =d=f D ∧ {|u↾j}| ∧ ( xc =u(x)) i m Vj6=i Vx∈SH ci whereweabusenotationbyusingBu,v asthenameforthe “array”ofguardsBu,v(m), andalsoasthename i i for the guard of ARCu,v, as defined above. The use of the index (m) will always disambiguate these two i uses. 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.