Chapter 8Asynchronous System Model

by Mikhail Nesterenko

“Distributed Algorithms”

by Nancy A. Lynch

Outline• I/O automaton definition

• examples of I/O automata

• execution

• operations on I/O automata

– composition

– hiding

• fairness

• properties and proof methods

– invariants

– trace properties

– compositional reasoning

– hierarchical proofs

• complexity

• randomization

I/O Automaton Signature

• Iinput/Output automaton A is a state machine that models a component of a distributed system– the transitions associated with named actions acts(A)

• main part of I/O automaton is its signature: sig(A) - a description of actions, actions can be

• input - in(sig(A)) or just in(A)

• output - out(A)

• interan actions int(A)

• sets of actions are disjoint• input and output actions are external actions, external signature

(external interface) extsig(A) contains external actions only

I/O Automaton Parts

• signature sig(A)

• (possibly) infinite set of states states(A)

• non-empty subset of initial states start(A)

• a state transition relation trans(A) states(A) acts(A) states(A) – there must be a transition for every state and every input

actions (the automata are input-enabled)– a member of trans(A) is transition, an action is enabled at a

state if a the corresponding transition is in trans(A) – state is quiescent if only input actions are enabled

• task partition tasks(A) - a separation of internal and output actions into subset to model different objectives of A

Channel I/O Automaton

Process I/O Automaton

Execution

• finite (or infinite) sequence s0,1s12…r,sr is execution fragment if each (kskk+1) is a transition of A

• execution is an execution fragment that starts in an initial state• a state is reachable if it is a final state of a finite execution of A• example: channel automata executions (assuming messages are

{1,2}

• a trace of an execution of A (denoted trace() or trace(A)) is a projection of the execution on external actions

• traces(A) - a set of traces of A

Compatible Components• allows constructing of complex system out of individual

components• informally - components are joined, individual component’s

actions are executed, when action is executed by one component, each component with (the same action) executes it

• a collection of components is compatible if their signatures is as follows– internal actions of one component are not observable by any

other (i.e. the internal actions are disjoint)– only one component controls output (output sets of any two

components are disjoint)– each action is contained in finitely many components

Composition

• A B is a composition of components A and B

• given a collection of compatible signatures {Si}iI the composition S=ISi of signatures is defined as follows

• a composition A=IAi of automata is

Exposed outputs

• Observe that even though some of the inputs (the ones that have corresponding output) of the components are removed from the composition, all outputs of components are outputs of composition

• this is done to allow convenient composition• example component A has output action while B and C have

as input action– that is is “broadcast” to both B and C

• if is not exposed then (A B) C as well as is not possible

Hidden outputs

• there is an operation that “hides” the output actions of components by reclassifying them as internal actions (they are not used in further communication and do not appear in traces)

• if for some signature S, an some subset of output actions out(S) hiding operation hide(S) is defined as a new signature S’ such hat:– in(S’)=in(S), out(S’)=out(S)-, and int(S’)=int(S)– hiding of output actions for an automaton involves hiding of

these actions for the automaton’s signature

Example Composition• composition of process and channel automata

assuming N=3

• the transitions are as follows

• example trace assuming N=2 andthe function f is addition

Composition Theorems

• given an execution , |A is the projection (removal) of all the transitions that are not in A

Fairness• interesting executions - each components “take fair turns” at

performing transitions• recall - each automaton is partitioned into tasks• informally fairness allows each task to perform one of its actions

infinitely often• formally, let C be set of tasks and - an execution fragment, is

fair if– is finite and C is not enabled in the final state– is infinite and it contains either

• infinitely many transitions from C or • infinitely many states where all actions of C are disabled

• fairexec(A) - a set of fair executions of A• trace is fair if it is a trace of fair execution• fairtrace(A) a set of fair traces of A

Fairness Examples

• example: channel automata executions (assuming messages are {1,2}

fair

not fair

not fair

Fairness Examples: Clock Automaton

executions• tick, tick, tick, – fair• tick, tick, tick – not fair (no fair finite executions for Clock)• tick, tick, request, tick, tick, clock(4), tick, tick, … - fair• tick, tick, request, tick, tick, tick, … - not fair

Fairness Theorem

Invariants

• Invariant (assertion) for A is a property that is true in all reachable states of A

• usually proved by induction on the number of steps in the execution

• can be done by providing a sequence of invariants and proceeding from one to the next– note: “we” tend to think of an invariant as an assertion

(predicate) on a state which is less generic than Lynch’s definition

Trace Properties

• reasoning of the properties of an automaton is done in terms of its traces

• formally a trace property P is– a signature sig(P) containing no internal actions– a set traces(P) of (finite or infinite) sequences of actions of

sig(P)

• A satisfies trace property P means either of the two– extsig(A)=sig(P) and traces(A) traces(P)– extsig(A)=sig(P) and fairtraces(A) traces(P)

in either case the satisfaction intuitively means that the behavior that can be produced by A is permitted by P; the reverse (completion) is not required

Automata and Trace Properties

Safety Properties

• blah