laws of concurrent system design · laws%of%concurrentsystem% design tony%hoare% microso6%research%...
TRANSCRIPT
![Page 1: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/1.jpg)
Laws of concurrent system design Tony Hoare
Microso6 Research November 26, 2013
Colloquium d’InformaGque UPMC
![Page 2: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/2.jpg)
The Laws: Summary
• What are they? • What do they mean? • Are they useful? • Are they true? • Are they beauGful?
![Page 3: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/3.jpg)
1. The Laws
are algebraic equaGons like 2xpxq + qxq < (p+q) x (p+q)
![Page 4: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/4.jpg)
Variables p, q, r, … • stand for specificaGons/designs/programs
describing all behaviours of a computer that are desired/planned/actual when the program is executed
• a single behaviour is recorded as a set of events, occurring inside or near a computer system while it is execuGng a program
![Page 5: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/5.jpg)
Three operators • then ; sequenGal composiGon • with || concurrent composiGon • skip I does nothing
![Page 6: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/6.jpg)
Their intended meaning • then ; sequenGal composiGon • with || concurrent composiGon • skip I does nothing • p;q describes the behaviour resulGng from
execuGon of p Gll compleGon followed by execuGon of q
• p||q describes their concurrent execuGon p and q start together and finish together
![Page 7: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/7.jpg)
Five Axioms
• assoc p;(q;r) = (p;q);r (also ||) • comm p||q = q||p • unit p||I = p = I||p (also ;)
![Page 8: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/8.jpg)
Reversibility
• assoc p;(q;r) = (p;q);r (also ||) • comm p||q = q||p • unit p||I = p = I||p (also ;)
• swapping the order of operands of ; (or of ||) translates each axiom into itself.
• and each proof into a swapped proof.
![Page 9: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/9.jpg)
Duality
• Metatheorem: (theorems for free) When a theorem is translated by reversing the operands of all ;s the result is also a theorem. • (same for all ||s) • Analogy: many laws of physics remain true when the direcGon of Gme is reversed.
![Page 10: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/10.jpg)
Refinement: p => q
• means every execuGon described by p is also described by q
• in other words, – program p is more predictable and more controllable than program q
– program p meets spec q – design p conforms to design q
![Page 11: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/11.jpg)
Axiom
• => is a parGal order – reflexive p => p – transiGve if p => q & q => r then p => r
• swapping the operands of => translates each axiom into itself • jusGfies duality by order reversal
– if p => q is a theorem proved from these axioms so is q => p
• (later axioms will violate this duality)
![Page 12: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/12.jpg)
Monotonicity
• DefiniGon: an operator • is monotonic if – p => q implies p•r => q•r & r•p => r•q
• Axioms: ; and || are monotonic
• In a theorem, we can replace any subterm of a term on the le6 (right) of => by one that is more (less) refined
![Page 13: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/13.jpg)
Monotonicity
• Metatheorem : Let p => q be a theorem Let F be a formula containing p. Let F’ be a modificaGon of F that just replaces an occurrence of p by q -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ Then F => F’ is also a theorem
![Page 14: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/14.jpg)
Exchange Axiom
• (p||q) ; (p’||q’) => (p;p’) || (q;q’) • LHS describes certain interleavings of RHS
– those where the two RHS ;s are synchronised • implemented by interleaving p with q • followed by an interleaving of q with q’
![Page 15: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/15.jpg)
Exchange Axiom
• (p||q) ; (p’||q’) => (p;p’) || (q;q’) • Theorem (frame): (p||q) ; q’ => p||(q;q’)
– Proof: subsGtute Ι for p’ in exchange axiom
• Theorem: p;q’ => p||q’ – Proof: subsGtute Ι for q
• This axiom is self-‐dual by Gme-‐reversal – but not by order-‐reversal
![Page 16: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/16.jpg)
2. ApplicaGons
to Hoare logic and to Milner transiGons
![Page 17: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/17.jpg)
The laws are useful
• for proof of correctness of programs/designs – by means of Hoare logic – (extended by concurrent separaGon logic) – to describe the structure of proofs
• for design/proof of implementaGons – using Milner transiGons – (extended by sequenGal composiGon) – to describe the steps of execuGon.
![Page 18: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/18.jpg)
The Hoare triple
• DefiniGon: {p} q {r} = p;q => r – If p describes what has happened so far, – and then q is executed to compleGon, – the overall execuGon will saGsfy r.
• Example: p and r may be ‘asserGons’,
– describing all execuGons that leave the machine in a state saGsfying a given Boolean predicate.
![Page 19: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/19.jpg)
The rule of composiGon
• DefiniGon: {p} q {r} = p;q => r • Theorem: {p} q {s} {s} q’ {r} {p} q;q’ {r}
![Page 20: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/20.jpg)
Proof
• DefiniGon: {p} q {r} = p;q => r • expanding the definiGon: p;q => s s;q’ => r p;q;q’ => r
because ; is monotonic and associaGve
![Page 21: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/21.jpg)
The rule of consequence
• Theorem p’ => p {p} q {r} r => r’ {p’} q {r’}
Proof: monotonicity and transiGvity
![Page 22: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/22.jpg)
Modularity rule for ||
• in concurrent separaGon logic
{p} q {r} {p’} q’ {r’} {p||p’} (q||q’) {r||r’}
– permits modular proof of concurrent programs.
• it is equivalent to the exchange law
![Page 23: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/23.jpg)
Modularity rule implies Exchange law
• By reflexivity: p;q => p;q and p’;q’ => p’;q’ • take these as antecedents of modularity rule
– replacing r, r’ by p;q and p;q’ , • A6er the same subsGtuGon, the conclusion of the modularity rule gives
(p||p’) ; (q||q’) => (p;q) || (p’;q’) – which is the Exchange law
![Page 24: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/24.jpg)
Exchange law implies modularity
• Assume: p;q => r and p’;q’ => r’ • monotonicity of || gives
(p;q) || (p’;q’) => r|| r’ • the Exchange law says
(p||p’) ; (q||q’) => (p;q) || (p’;q’) • by transiGvity:
(p||p’) ; (q||q’) => r||r’ which is the conclusion of the modularity rule
![Page 25: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/25.jpg)
Frame Rules
{p} q {r} {p||f} q {r||f}
– adapts a triple to a concurrent environment f – proof: from frame theorem
{p} q {r}__
{f;p} q {f;r} – proof: mon, assoc of ;
![Page 26: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/26.jpg)
The Milner triple: r -‐ q -‐> p
• defined as q;p => r – (the Gme reversal of {p} q {r})
• r may be executed by first execuGng q – with p as conGnuaGon for later execuGon. – maybe there are other ways of execuGng r
• Tautology: (q ; p) – q -‐> p (CCS) • Proof: from reflexivity: q;p => q;p
![Page 27: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/27.jpg)
Technical ObjecGon
• Originally, Hoare restricted q to be a program, and p , r to be state descripGons
• Originally, Milner restricted p and r to be programs, and q to be an atomic acGon.
• These restricGons are useful in applicaGon. • And so is their removal in theory
– (provided that the axioms are sGll consistent).
![Page 28: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/28.jpg)
SequenGal composiGon
{p} q’ {s} {s} q {r} {p} q’;q {r}
r –q-‐> s s –q’-‐> p
r –(q;q’)-‐> p Proof: by Gme-‐reversal of the Hoare rule
![Page 29: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/29.jpg)
Concurrency in CCS
r –p-‐> q r’ -‐p’-‐> q’ (r||r’) -‐(p||p’)-‐> (q||q’)
Proof: by Gme-‐reversal of the modularity rule
• In Milner’s CCS, the rule is applied only if p and p’ are synchronised, e.g., input and output on the same channel.
![Page 30: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/30.jpg)
Frame Rules
r –q-‐> p (r||f) –q-‐> (p||f)
– a step q possible for a single thread r is sGll possible when r is executed concurrently with f
r –q-‐> p (r;f) –q-‐>(p;f)
– operaGonal definiGon of ;
![Page 31: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/31.jpg)
The internal step
• r -‐> p = def. p => r – (the order reversal of refinement)
• implementaGon may make a refinement step – reducing the range of subsequent behaviours
![Page 32: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/32.jpg)
Rule of consequence
• p => p’ {p’} q {r’} r’ => r {p} q {r}
• r -‐> r’ r’ –q-‐> p’ p’ -‐> p r –q-‐> p
• Each rule is the dual of the other – by order reversal and Gme reversal
![Page 33: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/33.jpg)
Axioms proved from calculi
from Hoare • p ; (q\/r) => p;q \/ p;r • p;r \/ q;r => (p\/q) ; r
from Milner • (p\/q) ; r => (p;r) \/ (q;r) • p;q \/ p;r => p ; (q\/r)
from both • p ; (q;r) => (p;q) ; r • (p;q) ; r => p ; (q;r) • exchange law
![Page 34: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/34.jpg)
Message • Both the Hoare and Milner rules are derived from the same
algebra of programming.
• The algebra is simpler than each of the calculi,
• and stronger than both of them combined.
• Deduc=ve and opera=onal seman=cs are mutually consistent, provided the laws are true
![Page 35: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/35.jpg)
3. The laws are true
of a realisGc mathemaGcal model of real program behaviour
![Page 36: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/36.jpg)
Behaviours
• are sets of events – occurring in and around a computer – that is execuGng a program
• Let Ev be the set of all occurrences – of all such events – that ever were, or ever could be
![Page 37: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/37.jpg)
Happens before (!)
• Let e, f, g є Ev (sets of event occurrences).
• e ! f is intended to mean (your choice of) :
– “the occurrence e is an immediate and necessary cause of the occurrence f ”
– “the occurrence f directly depends (depended) on the occurrence e ”
– “e happens before f ” “f happens a6er e ”
![Page 38: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/38.jpg)
Examples: software
• nth output ! nth input (on a reliable channel)
• nth V (acquire) ! nth P (release)
(on an exclusion semaphore)
• nth assignment ! read of the nth value assigned
(to a variable in memory)
• read of nth value ! (n + 1)st assignment (in strong memory)
![Page 39: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/39.jpg)
Precedes/follows
• Define < as (!)*
– the reflexive transiGve closure of !
– Define > as <° (the converse of <)
• Examples:
– allocaGon of a resource < every use of it
– disposal of a resource > every use of it
![Page 40: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/40.jpg)
Interpretations
• e < f & f < e means – e and f are (parts of) the same atomic acGon
• not e < f & not f < e means – e and f are independent of each other
– their execuGons may overlap in Gme,
– or one may complete before the other starts
![Page 41: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/41.jpg)
Cartesian product
• Let p, q, r ⊆ Ev
– behaviours are sets of event occurrences
• Define p × q = {(e,f) | e ∈ p & f ∈ q } – the Cartesian product
• Theorem: p × (q ∪ r) = p×q ∪ p×r
(q ∪ r) × p = q×p ∪ r×p
![Page 42: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/42.jpg)
Composition
• Let p, q, r ⊆ Ev (behaviours)
• Let seq ⊆ Ev × Ev (arbitrary relaGon) • Define p;q = p ∪ q if p × q ⊆ seq
& p, q are defined – and is undefined otherwise
• Define p ⊑ q as p = q or p is undefined Theorem: ; is monotonic wrto <
![Page 43: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/43.jpg)
Theorem: (p ; q) ; r = p ; (q ; r)
• Proof: when they are both defined, each side is equal to ( p ∪ q ∪ r ).
• We sGll need to prove that LHS is defined iff ant RHS is defined.
![Page 44: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/44.jpg)
Theorem: (p ; q) ; r = p ; (q ; r)
LHS is defined iff (by definiGon of ;)
p × q ⊆ seq & (p ∪ q) × r ⊆ seq
iff p × q ⊆ seq & p × r ⊆ seq & q × r ⊆ seq (*) iff p × (q ∪ r) ⊆ seq & q × r ⊆ seq (*)
iff RHS is defined
*(by × distrib ∪)
![Page 45: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/45.jpg)
Sequential composition (strong)
• Define seq = < • Then p;q is (strong) sequenGal composiGon
• means that p must finish before q starts – every event in p comes before every event in p
• Example: Ev is NN < is numerical < – {1, 7, 19} ; {21, 32} = {1, 7, 19, 21, 32}
– {1, 7, 19} ; {19, 32} is undefined
![Page 46: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/46.jpg)
Sequential composition (weak)
• Define seq = not >
• Then p;q is (weak) sequenGal composiGon
• means that p can finish before q starts
– no event in q comes before any event in p
– but q can o6en start before end of p,
provided the exchanged events are independent.
![Page 47: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/47.jpg)
Concurrent Composition
Define par = Ev x Ev
Note: seq ⊆ par = par° (converse)
Theorem: pxq ⊆ par
Define p||q = p ∪ q
Theorem: || is associaGve and commutaGve.
and saGsfies exchange law with ; (weak)
![Page 48: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/48.jpg)
Examples
• Example: Ev is NN
– {1, 7, 19} ; {21, 32} = {1, 7, 19, 21, 32}
– {1, 7, 19} ; {19, 32} is undefined
– {1, 7, 19}||{3, 10, 32} = {1, 3, 7, 10, 19, 32}
![Page 49: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/49.jpg)
• Proof: when LHS is defined, it equals RHS q ∪ r ∪ q’ ∪ r’
(q || q’) ; (r || r’) => (q ; r ) || (q’ ; r’)
![Page 50: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/50.jpg)
LHS defined iff q × q’ ⊆ par & r × r’ ⊆ par
& (q ∪ q’) × (r ∪ r’) ⊆ seq
implies q’ × r’ ∪ q × r ∪ q’ × r ∪ q × r’ ⊆ seq
implies q’ × r’ ⊆ seq & q × r ⊆ seq
& (q ∪ r) × (q’ ∪ r’) ⊆ par
implies RHS defined.
(q || q’) ; (r || r’) => (q ; r ) || (q’ ; r’)
![Page 51: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/51.jpg)
4. The laws are useful
![Page 52: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/52.jpg)
Tools for So6ware Engineering
VerificaGon CompilaGon
TesGng
![Page 53: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/53.jpg)
based on semanGcs
VerificaGon deducGve (Hoare)
CompilaGon operaGonal (Milner)
TesGng denotaGonal (Scow)
![Page 54: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/54.jpg)
Laws prove consistency
VerificaGon deducGve
CompilaGon operaGonal
TesGng denotaGonal
Laws
![Page 55: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/55.jpg)
5. Conclusion
![Page 56: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/56.jpg)
The Laws
• The laws are useful – they shorten formulae, theorems, proofs – they prove consistency of proof rules
with the implementaGon
• The laws are true – of specificaGons, designs, products – hardware/so6ware/the real world
• The laws are beauGful
![Page 57: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/57.jpg)
Isaac Newton
CommunicaGon with Richard Gregory (1694) “Our specious algebra [the infinitesimal calculus] is fit enough to find out [is ok as a heurisGc], but enGrely unfit to consign to wriGng and commit to posterity.”
![Page 58: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/58.jpg)
Bertrand Russell
• The method of postulaGon has many advantages. They are the same as the advantages of the6 over honest toil.
IntroducGon to MathemaGcal Philosophy.
![Page 59: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/59.jpg)
Go|ried Leibnitz
• Calculemus.
![Page 60: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/60.jpg)
Examples: hardware
• a rising edge ! next falling edge on same wire
• a rising edge ! rising edge on another wire
![Page 61: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/61.jpg)
Example: Petri nets e ! f’ & f’ ! g
e ! f & f ! g
e f
g f’
![Page 62: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/62.jpg)
Message sequence chart
sql app net
![Page 63: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/63.jpg)
AddiGonal operators
• p \/ q describes all traces of p and all of q – describes opGons in design – choice (non-‐determinism) in execuGon
• p /\ q describes all traces of both p and q – conjuncGon of requirements (aspects) in design – lock-‐step concurrency in execuGon
![Page 64: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/64.jpg)
Axioms
• \/ is the disjuncGon and /\ is the conjuncGon of a Boolean Algebra (even with negaGon).
• Axiom: ; and || distribute through \/ – which validates reasoning by cases – and implementaGon by non-‐determinisGc selecGon
![Page 65: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/65.jpg)
Choice
• {p} q {r} {p} q’ {r} {p} (q \/ q’) {r}
– both choices must be correct – proof: distribuGon of ; through \/
___r –q-‐> p____ (r \/ r’) –q-‐> p
– only one of the alternaGves is executed – proof: r => r \/ r’
![Page 66: Laws of concurrent system design · Laws%of%concurrentsystem% design Tony%Hoare% Microso6%Research% November26,2013 % Colloquium d’Informaque % %UPMC%](https://reader034.vdocuments.us/reader034/viewer/2022042100/5e7d310812e56a510352ed32/html5/thumbnails/66.jpg)
Axioms proved from calculi
from Hoare • p ; (q\/r) => p;q \/ p;r • p;r \/ q;r => (p\/q) ; r
from Milner • (p\/q) ; r => (p;r) \/ (q;r) • p;q \/ p;r => p ; (q\/r)
from both • p ; (q;r) => (p;q) ; r • (p;q) ; r => p ; (q;r) • exchange law