Modelling Concurrent Systems
Definition 2.26. Handshaking (Synchronous Message Passing)
• interleaving for α ∉ H:

  $\dfrac{s_1 \xrightarrow{\alpha}_1 s_1'}{\langle s_1, s_2\rangle \xrightarrow{\alpha} \langle s_1', s_2\rangle}$   $\dfrac{s_2 \xrightarrow{\alpha}_2 s_2'}{\langle s_1, s_2\rangle \xrightarrow{\alpha} \langle s_1, s_2'\rangle}$

• handshaking for α ∈ H:

  $\dfrac{s_1 \xrightarrow{\alpha}_1 s_1' \;\wedge\; s_2 \xrightarrow{\alpha}_2 s_2'}{\langle s_1, s_2\rangle \xrightarrow{\alpha} \langle s_1', s_2'\rangle}$

Figure 2.11: Rules for handshaking.
whereas according to the latter type processes “communicate” via shared variables. In this subsection, we consider a mechanism by which concurrent processes interact via handshaking. The term “handshaking” means that concurrent processes that want to interact have to do this in a synchronous fashion. That is to say, processes can interact only if they are both participating in this interaction at the same time—they “shake hands”.
Information that is exchanged during handshaking can be of various nature, ranging from the value of a simple integer, to complex data structures such as arrays or records. In the sequel, we do not dwell upon the content of the exchanged messages. Instead, an abstract view is adopted and only communication (also called synchronization) actions are considered that represent the occurrence of a handshake and not the content.
To do so, a set H of handshake actions is distinguished with τ ∉ H. Only if both participating processes are ready to execute the same handshake action can message passing take place. All actions outside H (i.e., actions in Act \ H) are independent and therefore can be executed autonomously in an interleaved fashion.
Parallelism and Communication 49
Remark 2.27. Empty Set of Handshake Actions
When the set H of handshake actions is empty, all actions of the participating processes can take place autonomously, i.e., in this special case, handshaking reduces to interleaving:

$TS_1 \parallel_{\emptyset} TS_2 = TS_1 \,|||\, TS_2.$
The operator ∥_H defines the handshaking between two transition systems. Handshaking is commutative, but not associative in general. That is, in general we have

$TS_1 \parallel_H (TS_2 \parallel_{H'} TS_3) \;\neq\; (TS_1 \parallel_H TS_2) \parallel_{H'} TS_3 \quad \text{for } H \neq H'.$
However, for a fixed set H of handshake actions over which all processes synchronize, the operator ∥_H is associative. Let

$TS = TS_1 \parallel_H TS_2 \parallel_H \ldots \parallel_H TS_n$

denote the parallel composition of transition systems TS1 through TSn where H ⊆ Act1 ∩ … ∩ Actn is a subset of the set of actions Acti of all transition systems. This form of multiway handshaking is appropriate to model broadcasting, a communication form in which a process can transmit a datum to several other processes simultaneously.
In many cases, processes communicate in a pairwise fashion over their common actions.
Let TS1 ∥ … ∥ TSn denote the parallel composition of TS1 through TSn (with n > 0) where TSi and TSj (0 < i ≠ j ≤ n) synchronize over the set of actions Hi,j = Acti ∩ Actj such that Hi,j ∩ Actk = ∅ for k ∉ {i, j}. It is assumed that τ ∉ Hi,j. The formal definition of TS1 ∥ … ∥ TSn is analogous to Definition 2.26. The state space of TS1 ∥ … ∥ TSn results from the Cartesian product of the state spaces of TSi. The transition relation → is defined by the following rules:
• for $\alpha \in Act_i \setminus \bigl(\bigcup_{0<j\le n,\; i\ne j} H_{i,j}\bigr)$ and $0 < i \le n$:

  $\dfrac{s_i \xrightarrow{\alpha}_i s_i'}{\langle s_1,\ldots,s_i,\ldots,s_n\rangle \xrightarrow{\alpha} \langle s_1,\ldots,s_i',\ldots,s_n\rangle}$

• for $\alpha \in H_{i,j}$ and $0 < i < j \le n$:

  $\dfrac{s_i \xrightarrow{\alpha}_i s_i' \;\wedge\; s_j \xrightarrow{\alpha}_j s_j'}{\langle s_1,\ldots,s_i,\ldots,s_j,\ldots,s_n\rangle \xrightarrow{\alpha} \langle s_1,\ldots,s_i',\ldots,s_j',\ldots,s_n\rangle}$
According to the first rule, components can execute actions that are not subject to handshaking in a completely autonomous manner as in interleaving. The second rule states that processes TSi and TSj (i ≠ j) have to perform every handshaking action in Acti ∩ Actj together. These rules are in fact just generalizations of those given in Figure 2.11.
Example 2.28. Mutual Exclusion by Means of an Arbiter
An alternative solution to the mutual exclusion problem between processes P1 and P2 (as before) is to model the binary semaphore that regulates access to the critical section by a separate parallel process that interacts with P1 and P2 by means of handshaking.
For simplicity, we ignore the waiting phase and assume that Pi simply alternates infinitely often between noncritical and critical sections. Assume (much simplified) transition system representations TS1 and TS2 with just two states: criti and noncriti. The new process, named Arbiter, mimics a binary semaphore (see Figure 2.12). P1 and P2 communicate with the Arbiter via handshaking over the set H = {request, rel}. Accordingly, the actions request (requesting to access the critical section) and rel (to leave the critical section) have to be executed synchronously with the Arbiter. The complete system

$TS_{Arb} = (TS_1 \,|||\, TS_2) \parallel_H Arbiter$

guarantees mutual exclusion since there are no states of TSArb where both P1 and P2 are in their critical section (see bottom part of Figure 2.12). Note that in the initial state of TS1 ||| TS2, the Arbiter determines which process will enter the critical section next.
Example 2.29. Booking System
Consider a (strongly simplified) booking system at a cashier of a supermarket. The system consists of three processes: the bar code reader BCR, the actual booking program BP, and the printer Printer. The bar code reader reads a bar code and communicates the data of the just scanned product to the booking program. On receiving such data, the booking program transmits the price of the article to the printer that prints the article Id together with the price on the receipt. The interactions between the bar code reader and the booking program, and between the booking program and the printer, are performed by handshaking. Each process consists of just two states, named 0 and 1 (see Figure 2.13 for the transition systems of BCR, BP, and Printer).
The complete system is given by:
$BCR \parallel BP \parallel Printer.$
The transition system of the overall system is depicted in Figure 2.14 on page 52. The initial global state of this system is ⟨0,0,0⟩, or in short, 000. In global state 010, e.g., the nondeterminism stands for the concurrent execution of the actions scanning the bar code and the synchronous transfer of the price to the printer.

Figure 2.12: Mutual exclusion using handshaking with arbiter process. (Figure residue; recoverable labels: T1 ||| T2 with states noncrit1 noncrit2, crit1 noncrit2, noncrit1 crit2, crit1 crit2; Arbiter with states unlock, lock and actions request, release; the composed system with states noncrit1 noncrit2 unlock, crit1 noncrit2 lock, noncrit1 crit2 lock.)
Example 2.30. Railroad Crossing
For a railroad crossing a control system needs to be developed that on receipt of a signal indicating that a train is approaching closes the gates, and only opens these gates after the train has sent a signal indicating that it crossed the road. The requirement that should be met by the control system is that the gates are always closed when the train is crossing the road. The complete system consists of the three components Train, Gate, and Controller:
$Train \parallel Gate \parallel Controller.$
Figure 2.15 depicts the transition systems of these components from left (modeling the Train) to right (modeling the Gate). For simplicity, it is assumed that all trains pass the relevant track section in the same direction—from left to right. The states of the transition system for the Train have the following intuitive meaning: in state far the train is not close to the crossing, in state near it is approaching the crossing and has just sent a signal to notify this, and in state in it is at the crossing. The states of the Gate have the obvious interpretation. The state changes of the Controller stand for handshaking with the trains (via the actions approach and exit) and the Gate (via the actions lower and raise via which the Controller causes the gate to close or to open, respectively).

Figure 2.13: The components of the book keeping example. (Figure residue; recoverable labels: BCR with states 0, 1 and actions scan, store; BP with states 0, 1 and actions store, prt cmd; Printer with states 0, 1 and actions prt cmd, print.)

Figure 2.14: Transition system representation of the booking system. (Figure residue; recoverable labels: global states 000, 001, 010, 011, 100, 101, 110, 111 and actions scan, store, prt cmd, print.)
Figure 2.16 (above) illustrates the transition system of the overall system. A closer inspection of this transition system reveals that the system suffers from a design flaw. This can be seen from the following initial execution fragment:

$\langle far, 0, up\rangle \xrightarrow{approach} \langle near, 1, up\rangle \xrightarrow{enter} \langle in, 1, up\rangle$

in which the gate is about to close, while the train is (already) at the crossing. The nondeterminism in global state ⟨near,1,up⟩ stands for concurrency: the train approaches the crossing, while the gate is being closed. In fact, the basic concept of the design is correct if and only if closing the gate does not take more time than the train needs to get to the crossing once it signals—“I am approaching”. Such real-time constraints cannot be formulated by the concepts introduced so far. The interleaving representation for parallel systems is completely time-abstract. In Chapter 9, concepts and techniques will be introduced to specify and verify such real-time aspects.
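The two examples above, as an added Python example that is not part of the book's text: a parallel-composition operator implementing the interleaving and handshake rules of Figure 2.11, nested to obtain the multiway compositions of Examples 2.28 and 2.30, together with a breadth-first reachability search that checks the two properties the text states, namely that TS_Arb has no state with both processes critical, and that the railroad crossing reaches ⟨in,1,up⟩ along the execution fragment shown above. The component transition systems are transcribed from Figures 2.12 and 2.15 as described in the text; the arbiter's actions are written request/release as in Figure 2.12 (the text abbreviates the latter as rel), the Controller is assumed to cycle 0 →approach→ 1 →lower→ 2 →exit→ 3 →raise→ 0 as the figure labels suggest, and all function names are the example's own.

```python
from collections import deque
from itertools import product


class TS:
    """Transition system: initial states and transitions (s, action, s')."""

    def __init__(self, init, trans):
        self.init = frozenset(init)
        self.trans = frozenset(trans)
        self.act = frozenset(a for _, a, _ in trans)

    def post(self, s, a):
        """Successors of state s under action a."""
        return {t for (u, b, t) in self.trans if u == s and b == a}


def par(ts1, ts2, H):
    """TS1 ||_H TS2 (Definition 2.26 / Figure 2.11), restricted to reachable states.
    Global states are pairs (s1, s2); nesting par() yields nested pairs."""
    H = frozenset(H)
    init = set(product(ts1.init, ts2.init))
    seen, todo, trans = set(init), list(init), set()
    while todo:
        g = todo.pop()
        s1, s2 = g
        for a in ts1.act | ts2.act:
            if a in H:   # handshake rule: both components must offer a
                succ = {(t1, t2) for t1 in ts1.post(s1, a) for t2 in ts2.post(s2, a)}
            else:        # interleaving rules: exactly one component moves
                succ = {(t1, s2) for t1 in ts1.post(s1, a)} | {(s1, t2) for t2 in ts2.post(s2, a)}
            for h in succ:
                trans.add((g, a, h))
                if h not in seen:
                    seen.add(h)
                    todo.append(h)
    return TS(init, trans)


def interleave(ts1, ts2):
    """TS1 ||| TS2 = TS1 ||_∅ TS2 (Remark 2.27)."""
    return par(ts1, ts2, set())


def flat(g):
    """Flatten nested pairs ((a, b), c) into the global-state tuple (a, b, c)."""
    return sum((flat(x) for x in g), ()) if isinstance(g, tuple) else (g,)


def reachable(ts):
    return {flat(s) for s in ts.init} | {flat(t) for (_, _, t) in ts.trans}


def find_path(ts, bad):
    """Shortest execution fragment from an initial state to a state satisfying bad(),
    as a list of flattened global states; None if no such state is reachable."""
    succ = {}
    for (s, _, t) in ts.trans:
        succ.setdefault(s, []).append(t)
    parent = {s: None for s in ts.init}
    queue = deque(ts.init)
    while queue:
        s = queue.popleft()
        if bad(flat(s)):
            path = []
            while s is not None:
                path.append(flat(s))
                s = parent[s]
            return path[::-1]
        for t in succ.get(s, []):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def arbiter_system():
    """Example 2.28: (TS1 ||| TS2) ||_H Arbiter with H = {request, release}."""
    p1 = TS({'noncrit1'}, {('noncrit1', 'request', 'crit1'), ('crit1', 'release', 'noncrit1')})
    p2 = TS({'noncrit2'}, {('noncrit2', 'request', 'crit2'), ('crit2', 'release', 'noncrit2')})
    arbiter = TS({'unlock'}, {('unlock', 'request', 'lock'), ('lock', 'release', 'unlock')})
    return par(interleave(p1, p2), arbiter, {'request', 'release'})


def railroad_system():
    """Example 2.30: Train and Controller handshake on approach/exit,
    Controller and Gate on lower/raise (assumed Controller cycle 0-1-2-3)."""
    train = TS({'far'}, {('far', 'approach', 'near'), ('near', 'enter', 'in'), ('in', 'exit', 'far')})
    controller = TS({'0'}, {('0', 'approach', '1'), ('1', 'lower', '2'),
                            ('2', 'exit', '3'), ('3', 'raise', '0')})
    gate = TS({'up'}, {('up', 'lower', 'down'), ('down', 'raise', 'up')})
    return par(par(train, controller, {'approach', 'exit'}), gate, {'lower', 'raise'})


def mutual_exclusion_violation():
    """Witness for both processes critical at once; None means mutual exclusion holds."""
    return find_path(arbiter_system(), lambda g: 'crit1' in g and 'crit2' in g)


def railroad_flaw():
    """Witness for 'train at the crossing while the gate is up'."""
    return find_path(railroad_system(), lambda g: g[0] == 'in' and g[2] == 'up')


if __name__ == '__main__':
    print('reachable TS_Arb states:', sorted(reachable(arbiter_system())))
    print('mutual exclusion violation:', mutual_exclusion_violation())
    print('railroad design flaw:', railroad_flaw())
```

The search predicate passed to find_path is the negation of the safety requirement, so the path it returns plays the role of the counterexample a model checker reports: for the arbiter it returns None (all three reachable global states of the bottom part of Figure 2.12 are safe), for the railroad crossing it returns exactly the three-state fragment discussed in the text.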
Figure 2.15: The components of the railroad crossing. (Figure residue; recoverable labels: Train with states far, near, in and actions approach, enter, exit; Controller with states 0, 1, 2, 3 and actions approach, lower, exit, raise; Gate with states up, down and actions lower, raise.)
2.2.4 Channel Systems
This section introduces channel systems, parallel systems where processes communicate via so-called channels, i.e., first-in, first-out buffers that may contain messages. We consider channel systems that are closed. That is to say, processes may communicate with other processes in the system (via channels), but not with processes outside the system.
Channel systems are popular for describing communication protocols and form the basis of Promela, the input language of the Spin model checker.
Intuitively, a channel system consists of n (data-dependent) processes P1 through Pn. Each Pi is specified by a program graph PGi which is extended with communication actions. Transitions of these program graphs are either the usual conditional transitions (labeled with guards and actions) as before, or one of the communication actions with their respective intuitive meaning:
• c!v   transmit the value v along channel c,
• c?x   receive a message via channel c and assign it to variable x.
When considering channel c as a buffer, the communication action c!v puts value v (at the rear of) the buffer whereas c?x retrieves an element from (the front of) the buffer while assigning it to x. It is assumed implicitly that variable x is of the right type, i.e., it has a type that is compatible with that of the messages that are put into channel c. Let

$Comm = \{\, c!v,\; c?x \;\mid\; c \in Chan,\; v \in dom(c),\; x \in Var \text{ with } dom(x) \supseteq dom(c) \,\}$

denote the set of communication actions where Chan is a finite set of channels with typical element c.
Figure 2.16: Transition system for the railroad crossing. (Figure residue; recoverable labels: global states ⟨far,0,up⟩, ⟨near,0,up⟩, ⟨in,0,up⟩, ⟨far,1,up⟩, ⟨near,1,up⟩, ⟨in,1,up⟩, ⟨far,2,down⟩, ⟨near,2,down⟩, ⟨in,2,down⟩, ⟨far,3,down⟩, ⟨near,3,down⟩, ⟨in,3,down⟩; transitions labeled approach, enter, exit, lower, raise.)
A channel c has a (finite or infinite) capacity indicating the maximum number of messages it can store, and a type (or domain) specifying the type of messages that can be transmitted over c. Each channel c has a capacity cap(c) ∈ ℕ ∪ {∞}, and a domain dom(c). For a channel c that can only transfer bits, dom(c) = {0,1}. If complete texts (of maximum length 200, say) need to be transmitted over channel c, then another type of channel has to be used such that dom(c) = Σ^200, where Σ is the alphabet that forms the basis of the texts, e.g., Σ is the set of all letters and special characters used in German texts.
The capacity of a channel defines the size of the corresponding buffer, i.e., the number of messages not yet read that can be stored in the buffer. When cap(c) ∈ ℕ, c is a channel with finite capacity; cap(c) = ∞ indicates that c has an infinite capacity. Note that the special case cap(c) = 0 is permitted. In this case, channel c has no buffer. Communication via such a channel c corresponds to handshaking (simultaneous transmission and receipt, i.e., synchronous message passing) plus the exchange of some data. When cap(c) > 0, there is a “delay” between the transmission and the receipt of a message, i.e., sending and reading of the same message take place at different moments. This is called asynchronous message passing. Sending and reading a message from a channel with a nonzero capacity can never appear simultaneously. By means of channel systems, both synchronous and asynchronous message passing can thus be modeled.
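A small executable model of the channel mechanics described in this subsection, added here as an example (it is not from the book, and since Definition 2.31 is not on this page the step rules are an assumption modelled on the prose): c!v appends to the rear of the buffer when cap(c) > 0 and the buffer is not full, c?x takes from the front when the buffer is non-empty, and for cap(c) = 0 a send and a matching receive by two different processes are fused into a single handshake transition. The producer/consumer program graphs, the channel c with domain {0,1,2}, the variable x, and the transition-label format are constructed for this example.

```python
from itertools import product

INF = float('inf')


def channel(cap, dom):
    """Channel with capacity cap(c) in N ∪ {∞} and domain dom(c)."""
    return {'cap': cap, 'dom': frozenset(dom)}


def _upd(pairs, key, value):
    """Return the sorted (name, value) pairs with one entry replaced."""
    d = dict(pairs)
    d[key] = value
    return tuple(sorted(d.items()))


def enabled(graphs, chans, state):
    """Global transitions from state = (locs, vars, bufs), where each program graph is a
    list of edges (loc, ('send', c, v) | ('recv', c, x), loc'). Returns {label: successor}."""
    locs, vars_, bufs = state
    buf = dict(bufs)
    out = {}
    sends, recvs = [], []          # offers on zero-capacity channels, matched below
    for i, g in enumerate(graphs):
        for (src, act, dst) in g:
            if src != locs[i]:
                continue
            kind, c = act[0], act[1]
            cap = chans[c]['cap']
            nl = locs[:i] + (dst,) + locs[i + 1:]
            if kind == 'send':
                v = act[2]
                assert v in chans[c]['dom'], f"{v!r} not in dom({c})"   # type check on c!v
                if cap == 0:
                    sends.append((i, c, v, dst))
                elif len(buf[c]) < cap:      # asynchronous: append at the rear of the buffer
                    out[f'P{i + 1}: {c}!{v}'] = (nl, vars_, _upd(bufs, c, buf[c] + (v,)))
            else:
                x = act[2]
                if cap == 0:
                    recvs.append((i, c, x, dst))
                elif buf[c]:                 # asynchronous: take from the front of the buffer
                    out[f'P{i + 1}: {c}?{x}'] = (nl, _upd(vars_, x, buf[c][0]),
                                                 _upd(bufs, c, buf[c][1:]))
    # cap(c) = 0: no buffer; send and receive form one handshake carrying the value
    for (i, c, v, di), (j, c2, x, dj) in product(sends, recvs):
        if c == c2 and i != j:
            nl = list(locs)
            nl[i], nl[j] = di, dj
            out[f'P{i + 1}: {c}!{v} | P{j + 1}: {c}?{x}'] = (tuple(nl), _upd(vars_, x, v), bufs)
    return out


def producer_consumer(cap):
    """Constructed system: P1 sends 1 then 2 on channel c; P2 receives into x twice."""
    chans = {'c': channel(cap, {0, 1, 2})}
    p1 = [(0, ('send', 'c', 1), 1), (1, ('send', 'c', 2), 2)]
    p2 = [(0, ('recv', 'c', 'x'), 1), (1, ('recv', 'c', 'x'), 2)]
    init = ((0, 0), (('x', 0),), (('c', ()),))
    return [p1, p2], chans, init


def run(cap, max_steps=8):
    """Execute producer_consumer(cap), always taking the alphabetically first enabled
    transition. Returns (chosen labels, number of enabled transitions per step, final state)."""
    graphs, chans, state = producer_consumer(cap)
    labels, choices = [], []
    for _ in range(max_steps):
        en = enabled(graphs, chans, state)
        if not en:
            break
        label = sorted(en)[0]
        labels.append(label)
        choices.append(len(en))
        state = en[label]
    return labels, choices, state


if __name__ == '__main__':
    for cap in (0, 1, 2):
        labels, choices, _ = run(cap)
        print(f'cap(c) = {cap}:', ' ; '.join(labels), '| enabled per step:', choices)
```

With cap(c) = 0 every step is a joint transition, i.e. handshaking plus data exchange; with cap(c) = 1 send and receive strictly alternate and are never enabled in the same step; with cap(c) = 2 the second send and the first receive become enabled together, which is the nondeterminism of asynchronous message passing that the interleaving semantics exposes.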
Definition 2.31. Channel System