Modelling Concurrent Systems

Notation 2.38. Substatement

Parallelism and Communication 69 from cond cmd– viewed as a location of a program graph – there are two edges: one with the guard x >1 and action y :=x+y leading to exit, and one with the guard true and action x:= 0 yielding the location for the statement y:=x. Since y:=x is deterministic there is a single edge with guard true, action y:=x leading to locationexit.

As another example, consider the statement

loop = do :: x >1 ⇒ y:=x+y :: y < x ⇒ x:= 0; y:=x od

Here, the repetition semantics of the do–od-loop is modeled by returning the control to stmtwhenever the body of the selected alternative has been executed. Thus, from location loop there are three outgoing edges, see Figure 2.22 on page 69. One is labeled with the guard x >1 and action y :=x+y and leads back to location loop. The second edge has the guard y < x and action x := 0 and leads to the statement y := x;loop. The third edge covers the case where the loop terminates. It has the guard¬(x >1)∧ ¬(y < x) and an action without any effect on the variables and leads to location exit.

y:=x;loop loop ¬(x >1)∧ ¬(y < x) exit y < x:x:= 0

true :y:=x

x >1 :y:=x+y

Figure 2.22: Program graph for a loop

The goal is now to formalize the ideas sketched above. We start with a formal definition of substatements ofstmt. Intuitively, these are the potential locations of intermediate states during the execution of stmt.

beingif ::g1⇒stmt1 . . . ::gn⇒stmtn fi we have

sub(cond cmd) = {cond cmd} ∪

1in

sub(stmti).

The substatements of a loop loop given by do :: g1 ⇒ stmt1 . . . :: gn ⇒ stmtn od are defined similarly, but taking into account that control moves back to loop when guarded commands terminate. That is:

sub(loop) =

{loop,exit} ∪

1in

{stmt;loop | stmt ∈sub(stmti)\ {exit} }. For atomic regions let sub(atomic{stmt}) = {atomic{stmt},exit}.

The definition ofsub(loop) relies on the observation that the effect of a loop with a single guarded command, say “do ::g⇒stmt od”, corresponds to the effect of

if g then stmt; do ::g⇒stmt od else skip fi

An analogous characterization applies to loops with two or more guarded commands.

Thus, the definition of the substatements of looprelies on combining the definitions of the sets of substatements for sequential composition and conditional commands.

The formal semantics of nanoPromela programP = [P1|. . .|Pn] where the behavior of the process Pi is specified by a nanoPromela statement is a channel system [PG1|. . .|PG_n] over (Var,Chan) where Var is the set of variables and Chan the set of channels that are declared in P. As mentioned before, a formal syntax for the variable and channel declarations will not be provided, and global and local variables will not be distinguished.

We assume that the set Var of typed variables and the set Chan of channels (together with a classification of the channels into synchronous and FIFO-channels of some capacity cap(·)) are given. Hence, local variable and channel declarations for the processesPi are not considered. It is assumed that they are given by a nanoPromela-statement over some fixed tuple (Var,Chan).

We now provide inference rules for the nanoPromela constructs. The inference rules for the atomic commands (skip, assignment, communication actions) and sequential composition, conditional and repetitive commands give rise to the edges of a “large” program graph where the set of locations agrees with the set of nanoPromela-statements. Thus, the edges have the form

stmt ^g:α→stmt or stmt →^g:comm stmt

where stmt is a nanoPromela statement, stmt a substatement of stmt, and g a guard,α an action, and comm a communication action c?x or c!expr. The subgraph consisting of

Parallelism and Communication 71 the substatements ofPi then yields the program graphPGi of processPi as a component of the program P.

The semantics of the atomic statement skipis given by a single axiom formalizing that the execution of skipterminates in one step without affecting the variables

skip→^{true: id} exit

whereiddenotes an action that does not change the values of the variables, i.e.,Effect(id, η)

=η for all variable evaluationsη. Similarly, the execution of a statement consisting of an assignment x:=expr has the trivial guard and terminates in one step:

x:=expr true : assign(x,expr)

→ exit

where assign(x,expr) denotes the action that changes the value of x according to the assignment x := expr and does not affect the other variables, i.e., if η ∈ Eval(Var) and y ∈Var thenEffect(assign(x,expr), η)(y) = η(y) if y =x and Effect(assign(x,expr), η)(x) is the value ofexpr when evaluated over η. For the communication actions c!expr and c?x the following axioms apply:

c?x ^c?x→ exit c!expr →^c!expr exit

The effect of an atomic region atomic{x1 := expr₁;. . .;xm := expr_m} is the cumulative effect of the assignments xi :=expr_i. It can be defined by the rule:

atomic{x1 :=expr₁;. . .;xm:=expr_m} →^{true :αm} exit where α0 =id,αi =Effect(assign(xi,expr_i),Effect(αi−1, η)) for 1im.

Sequential composition stmt1;stmt2 is defined by two rules that distinguish whether or notstmt1 terminates in one step. If the first step of stmt1 leads to a location (statement) different from exit, then the following rule applies:

stmt1

g:α→stmt₁=exit stmt1;stmt2

g:α→stmt₁;stmt2

If the computation of stmt1 terminates in one step by executing actionα, then control of stmt1;stmt2 moves to stmt2 after executing α:

stmt1

g:α→exit stmt1;stmt2

g:α→stmt2

The effect of a conditional command cond cmd = if ::g1 ⇒stmt1. . . ::gn⇒ stmtnfi is formalized by means of the following rule:

stmt_i ^h:α→stmt_i cond cmd →^gi∧h:α stmt_i

This rule relies on the test-and-set semantics where choosing one of the enabled guarded commands and performing its first action are treated as an atomic step. The blocking of cond cmd when none of its guards is enabled needs no special treatment. The reason is that cond cmd has no other edges than the ones specified by the rule above. Thus, in a global state s=1, . . . , n, η, ξwhere the location i of the ith process is i = cond cmd and all guardsg1, . . . , gn evaluate to false, then there is no action of theith process that is enabled ins. However, actions of other processes might be enabled. Thus, theith process has to wait until the other processes modify the variables appearing ing1, . . . , gnsuch that one or more of the guarded commands gi⇒stmti become enabled.

For loops, sayloop = do ::g1 ⇒stmt1. . .::gn⇒stmtnod, we deal with three rules. The first two rules are similar to the rule for conditional commands, but taking into account that control moves back to loopafter the execution of the selected guarded command has been completed. This corresponds to the following rules:

stmti

h:α→ stmt_i=exit loop →^gi∧h:α stmt_i;loop

stmti

h:α→exit loop →^gi∧h:α loop

If none of the guards g1, . . . , gn holds in the current state then the do–od-loop will be aborted. This is formalized by the following axiom:

loop ^¬→^{g1∧...∧¬gn} exit

Remark 2.39. Test-and-Set Semantics vs. Two-Step Semantics

The rules forif–fi- anddo–od-statements formalize the so-calledtest-and-set semanticsof guarded commands. This means that evaluating guardgi and performing the first step of the selected enabled guarded command gi⇒stmti are performed atomically. In contrast, SPIN’s interpretation of Promela relies on a two-step-semantics where the selection of an enabled guarded command and the execution of its first action are split into two steps.

The rule for a conditional command is formalized by the axiom

if ::g1 ⇒stmt1. . .::gn⇒ stmtnfi →^gi:id stmti

Parallelism and Communication 73 where id is an action symbol for an action that does not affect the variables. Similarly, the first two rules for loops have to be replaced for the two-step semantics by the following rule:

loop →^gi:id stmti;loop The rule for terminating the loop remains unchanged.

As long as we consider the statements in isolation, the test-and-set semantics and the two-step semantics are equal. However, when running several processes in parallel, the interleaving might cause undesired side effects. For example, consider the semaphore-based solution of the mutual exclusion problem, modeled by a nanoPromela program where the behavior of Pi is given by the following nanoPromela-statement:

do:: true⇒ skip;

if ::y >0⇒ y :=y−1;

criti := true fi;

y:=y+ 1 od

The initial value of the semaphore y is zero. Under the two-step semantics the mutual exclusion property is not guaranteed as it allows the processes to verify that the guard y >0 of the if–fi-statement holds, without decreasing the value ofy, and moving control to the assignmenty:=y−1. But from there the processes can enter their critical sections.

However, the protocol works correctly for the test-and-set semantics since then checking y >0 and decreasingy is an atomic step that cannot be interleaved by the actions of the other process.

Remark 2.40. Generalized Guards

So far we required that the guards in conditional or repetitive commands consist of Boolean conditions on the program variables. However, it is also often useful to ask for interaction facilities in the guards, e.g., to specify that a process has to wait for a certain input along a FIFO-channel by means of a conditional command if :: c?x ⇒ stmtfi. The intuitive meaning of the above statement is that the process has to wait until the buffer for c is nonempty. If so, then it first performs the action c?x and then executes stmt. The use of communication actions in the guards leads to a more general class of program graphs with guards consisting of Boolean conditions on the variables or communication actions.

For the case of an asynchronous channel the rules in Figure 2.20 on page 61 then have to be extended by:

_i→^c?x:α _i ∧ len(ξ(c)) =k >0 ∧ ξ(c) =v1v2. . . v_k . . . , i, . . . , η, ξ−→ ^τ . . . , _i, . . . , η, ξ

where η =Effect(α, η[x:=v1]) andξ[c:=v2. . . vk], and i

c!v:α

→_i ∧ len(ξ(c)) =k <cap(c) ∧ ξ(c) =v1. . . vk

. . . , i, . . . , η, ξ−→ ^τ . . . , _i, . . . , η, ξ where η =Effect(α, η) and ξ[c:=v1. . . vkv].

Another convenient concept is the special guard elsewhich specifies configurations where no other guarded command can be taken. The intuitive semantics of:

if :: g1 ⇒ stmt1

...

:: gn ⇒ stmtn

:: else ⇒ stmt fi

is that the else option is enabled if none of the guards g1, . . . gn evaluates to true. In this case, the execution evolves to a state in which the statement stmt is to be executed.

Here, the g_i’s can be Boolean expressions on the variables or communication guards. For example,

if ::d?x⇒stmt::else⇒x:=x+ 1fi

increases x unless a message is obtained from channel d. The else option used in loops leads to nonterminating behaviors.

Remark 2.41. Atomic Regions

The axiom for atomic regions yields that ifs=1. . . , n, η, ξ is a state in the transition system for the channel system associated with P = [P1|. . .|Pn] and i = atomic{x1 :=

expr₁;. . .;xm := expr_m};. . . then in state s the ith process can perform the sequence of assignments x1 := expr₁;. . .;xm := expr_m in a single transition. With this semantics we abstract from the intermediate states that are passed when having performed the first i assignments (1i < m) and avoid that other processes can interleave their activities with these assignments.

This concept can be generalized for atomic regions atomic{stmt} where the bodystmtis an arbitrary statement. The idea is that any terminating execution of stmt is collapsed into a single transition, leading from a state with location stmt to a state with location exit. For this more general approach, the semantic rule for atomic regions operates on execution sequences in the transition system rather than just edges in the program graph.

This is not problematic as one could provide the meaning of the statements on the level of transition systems rather than program graph level. However, the semantics is less

Parallelism and Communication 75 obvious for, e.g., infinite executions inside atomic regions, synchronous communication actions inside atomic regions and blocking conditional commands inside atomic regions.

One possibility is to insert transitions to a special deadlock state. Another possibility is to work with a semantics that represents also the intermediate steps of an atomic region (but avoids interleaving) and to abort atomic regions as soon as a synchronous communication is required or blocking configurations are reached.

As we mentioned in the beginning of the section, Promela provides many more features than nanoPromela, such as atomic regions with more complex statements than sequences of assignments, arrays and other data types, and dynamic process creation. These concepts will not be explained here and we refer to the literature on the model checker SPIN (see, e.g., [209]).

2.2.6 Synchronous Parallelism

When representing asynchronous systems by transition systems, there are no assumptions concerning the relative velocities of the processors on which the components are executed.

The residence time of the system in a state and the execution time of the actions are completely ignored. For instance, in the example of the two independent traffic lights (see Example 2.17), no assumption has been made concerning the amount of time a light should stay red or green. The only assumption is that both time periods are finite. The concurrent execution of components is time-abstract.

This is opposed to synchronous systems where components evolve in a lock step fashion.

This is a typical computation mechanism in synchronous hardware circuits, for example, where the different components (like adders, inverters, and multiplexers) are connected to a central clock and all perform a (possibly idle) step on each clock pulse. As clock pulses occur periodically with a fixed delay, these pulses may be considered in a discrete manner, and transition systems can be adequately used to describe these synchronous systems.

Synchronous composition of two transition systems is defined as follows.