The Temporal Semantics Of Concurrent Programs
Amir Pnueli (1981)
Presented by: Belgi Amir
Seminar in Distributed Algorithms: Designing correct concurrent algorithms
Spring 2013
Lecture outline
- Goal
- A simple model of concurrent programs
- Introduction to temporal logic
- Examples
- A proof system
- The temporal semantics of programs
- Summary
- Questions
The notation
Giuseppe Peano (1858–1932), one of the founders of mathematical logic and set theory, originally wrote p Ↄ q for "p is a consequence of q". Written backwards, $p \supset q$ denotes "q is a consequence of p"; this is the implication symbol used in the formulas below.
Goal
Our goal is: given a program $P$, assign to it a temporal formula $W(P)$ which is true on all proper execution sequences of $P$.
To prove that a program $P$ possesses a property $R$, one has to prove the implication $W(P) \supset R$.
A simple model of concurrent programs
A concurrent program $P = P_1 \parallel P_2 \parallel \dots \parallel P_n$ consists of $n$ disjoint processes which execute concurrently on $n$ processors under shared memory, together with a set of initial conditions.
A simple model of concurrent programs – a single process
A process $P_i$ is represented by a single-entry transition graph: a directed labeled graph. The labels (nodes) of process $P_i$ are denoted $L_i = \{m_i^0, m_i^1, \dots\}$.
Edges are labeled by commands of the form $c(\bar y) \to [\bar y := f(\bar y)]$, where:
- $c(\bar y)$ is a condition, called a guard; if it is missing we interpret it as true (and it may be identically true);
- $\bar y := f(\bar y)$ is a statement, which may be an assignment and may be empty;
- $\bar y = (y_1, \dots, y_p)$ is the vector of the program variables.
Process graph – Example
[Figure: transition graphs of $P_1$ and $P_2$ for the semaphore mutual-exclusion program, with initial condition $x := 1$. Each $P_i$ has locations $m_i^0, m_i^1, m_i^2, m_i^3$; the edge $m_i^2 \to m_i^3$ is labeled $x > 0 \to [x := x - 1]$ and leads into Critical Section $i$ (location $m_i^3$); the edge $m_i^3 \to m_i^0$ is labeled $x := x + 1$. The remaining edges carry no guard.]
A simple model of concurrent programs
Consider any program which may be run in parallel with another and contains:
1. tests
2. unconditional transfers (go to's)
3. assignment statements
In the graph model there will be a node for each statement, representing the state just before the execution of this statement.
A simple model of concurrent programs
For each statement which is a successor of a given statement, i.e. may be reached by the execution of that statement, we draw an edge from the statement's node to its successor. The label of this edge depends on the type of the statement.
A simple model of concurrent programs – tests
Case 1: test statements. For statements of the form $m$: if $p(\bar y)$ then go to $l$ else go to $r$, we draw an edge $m \to l$ labeled $p(\bar y)$ and an edge $m \to r$ labeled $\sim p(\bar y)$.
A simple model of concurrent programs – unconditional transfers
Case 2: go to's. For statements of the form $m$: go to $l$, we draw an edge $m \to l$ labeled true.
A simple model of concurrent programs – assignments
Case 3: assignment. For statements of the form $m$: $y_i := f(\bar y)$ followed by $m'$, we draw an edge $m \to m'$ labeled $[y_i := f(\bar y)]$. Explanation with the example $y_2 := g(y_1, y_3)$: it is represented by the sequence of three edges
true $\to [t_1 := y_1]$, true $\to [t_2 := y_3]$, true $\to [y_2 := g(t_1, t_2)]$,
where $t_1, t_2$ are auxiliary variables local to $P_i$, so that each atomic command accesses a single shared variable.
A simple model of concurrent programs – synchronization primitives
Examples of synchronization primitives:
1. $p(x)$ is represented as $x > 0 \to [x := x - 1]$
2. $v(x)$ is represented as $[x := x + 1]$
3. with $r$ when $B$ do … is represented as $r > 0 \wedge B \to [r := r - 1]$, with a corresponding $[r := r + 1]$ at the end of the block.
A simple model of concurrent programs – states
A state is a pair $s = \langle \bar m, \bar\eta \rangle$, where $\bar m = (m_1, m_2, \dots, m_n)$ is a vector of labels (one per process) and $\bar\eta = (\eta_1, \eta_2, \dots, \eta_p)$ is the vector of values currently assigned to the program variables $y_1, y_2, \dots, y_p$.
Execution sequences (informally)
An execution sequence for a program is any sequence of states satisfying the following conditions:
1. The initial state is "correct".
2. It satisfies the multiprogramming assumption: one processor does one step and updates the values of the variables accordingly.
3. It satisfies the fair scheduling assumption: if you can exit a node infinitely many times, then you will eventually do so.
Execution sequences
An execution sequence for a program is any sequence of states satisfying the following conditions:
1. The initial state is $\langle (m_1^0, m_2^0, \dots, m_n^0), (\eta_1^0, \eta_2^0, \dots, \eta_p^0) \rangle$, where the $m_i^0$ are the entry labels and the $\eta_i^0$ are the initial values of the $y$'s.
2. Multiprogramming assumption: a successive state is obtained from its predecessor by exactly one processor executing one transition which is enabled.
Multiprogramming assumption
If processor $i$ contains an edge from node $m_i$ to node $m_i'$ labeled by $c(\bar y) \to [\bar y := f(\bar y)]$ and $c(\bar\eta)$ is true, then
$s' = \langle (m_1, \dots, m_{i-1}, m_i', m_{i+1}, \dots, m_n), f(\bar\eta) \rangle$
is a possible successor of
$s = \langle (m_1, \dots, m_{i-1}, m_i, m_{i+1}, \dots, m_n), \bar\eta \rangle$.
We also allow idling: $s' = s$. Every command is considered atomic.
Fair scheduling assumption
$E_m$ denotes the exit condition of a node $m$ of process $P_i$: $E_m$ is the disjunction ($\vee$) of all guards on all edges departing from $m$. For a node $m$ whose departing edges are guarded by $c_1, c_2, c_3$: $E_m = c_1 \vee c_2 \vee c_3$.
What is $E_m$ in most of the cases?
Fair scheduling assumption
A sequence is fair if, whenever processor $i$ is stuck at $m$, $E_m$ is true only at a finite number of states thereafter.
Negatively: no processor whose exit condition is true infinitely often may be deprived forever.
Fair scheduling assumption
How do the statements on the edges affect the exit condition? For assignments, tests and go to's the exit condition is identically true! For statements of the other type (with synchronization) the exit condition can be NOT identically true.
Fair scheduling assumption
An important note: it is NOT sufficient to require that the processor will eventually be scheduled; it might always get scheduled when the condition is false and no transition is possible. We need to express the stronger condition that it will eventually be scheduled when the exit condition is true.
Temporal logic
Used to describe a system of rules for reasoning about propositions qualified in terms of time: something always occurs, something occurs now, something will occur eventually, etc.
Reasoning about sequences
We will talk about an integer-like time. We will reason about execution sequences, which are deterministic (each state having exactly one successor), although the program generating them is non-deterministic.
Temporal operators
- $X$ (neXt): the proposition is true in the next instant.
- $F$ (Future): the proposition will be true at some future instant (existential truth).
- $G$ (Globally): the proposition will always be true in the future (universal truth).
[Figure: timeline diagrams illustrating neXt, Future and Globally.]
Validity of a temporal formula on a sequence
Denote $\sigma = s_0, s_1, \dots$ and $\sigma^{(i)} = s_i, s_{i+1}, \dots$ (the suffix of $\sigma$ starting at $s_i$).
1. $\sigma \models p$ iff $s_0 \models p$ (for a classical, non-temporal $p$)
2. $\sigma \models W_1 \vee W_2$ iff $\sigma \models W_1$ or $\sigma \models W_2$
3. $\sigma \models \sim W$ iff $\sigma \not\models W$
4. $\sigma \models XW$ iff $\sigma^{(1)} \models W$
5. $\sigma \models GW$ iff $\forall i \geq 0: \sigma^{(i)} \models W$
6. $\sigma \models FW$ iff $\exists i \geq 0: \sigma^{(i)} \models W$
Validity of a temporal formula on a sequence
A formula $W$ is valid if $\sigma \models W$ for all sequences $\sigma$.
Example – some expressions:
- $Fp \equiv \sim G(\sim p)$
- $p \supset Fq$
- $G(p \supset Fq)$
- $FGp$
- $F(p \wedge \sim Xp)$
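The suffix semantics just defined can be executed directly when the sequence is ultimately periodic (a finite prefix followed by a loop that repeats forever), because then only finitely many distinct suffixes $\sigma^{(i)}$ exist and the quantifiers in clauses 5 and 6 range over a finite set. The Python program below is an added example, not code from the slides or from Pnueli's paper. The two sequences it evaluates are constructed by hand to resemble executions of the semaphore program of the process-graph example (location propositions are written m1_2 for $m_1^2$, and x>0 is treated as an atomic proposition): one is fair, in the other $P_1$ is starved at $m_1^2$.

```python
"""Evaluating temporal formulas on ultimately periodic execution sequences.

sigma = s_0 s_1 ... is given as a finite prefix followed by a loop that
repeats forever, so every suffix sigma^(i) equals one of finitely many
suffixes and F/G can be decided by a finite search.  A state is the set
of atomic propositions true in it.  Formulas are nested tuples built with
the constructors below; Imp(f, g) is f ⊃ g.
"""


class Sequence:
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def state(self, i):
        """s_i: inside the prefix, or the loop position reached after it."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def suffix_bound(self, i):
        """Every suffix sigma^(j) with j >= i equals sigma^(k) for some i <= k < bound."""
        return max(len(self.prefix) + len(self.loop), i + len(self.loop))


def p(name):   return ('p', name)
def Not(f):    return ('not', f)
def Or(f, g):  return ('or', f, g)
def And(f, g): return ('and', f, g)
def Imp(f, g): return ('imp', f, g)
def X(f):      return ('X', f)
def F(f):      return ('F', f)
def G(f):      return ('G', f)


def holds(seq, i, f):
    """sigma^(i) |= f, following the six clauses of the definition."""
    op = f[0]
    if op == 'p':   return f[1] in seq.state(i)          # clause 1 (atomic p)
    if op == 'not': return not holds(seq, i, f[1])        # clause 3
    if op == 'or':  return holds(seq, i, f[1]) or holds(seq, i, f[2])   # clause 2
    if op == 'and': return holds(seq, i, f[1]) and holds(seq, i, f[2])
    if op == 'imp': return (not holds(seq, i, f[1])) or holds(seq, i, f[2])
    if op == 'X':   return holds(seq, i + 1, f[1])        # clause 4
    js = range(i, seq.suffix_bound(i))                    # all distinct suffixes from i on
    if op == 'G':   return all(holds(seq, j, f[1]) for j in js)   # clause 5
    if op == 'F':   return any(holds(seq, j, f[1]) for j in js)   # clause 6
    raise ValueError(op)


def satisfies(seq, f):
    """sigma |= f"""
    return holds(seq, 0, f)


# Constructed sequences (not taken from the slides) for the two-process
# semaphore program with x := 1; label 3 is the critical section.
FAIR = Sequence(prefix=[], loop=[
    {'m1_2', 'm2_0', 'x>0'},   # P1 waiting at m_1^2, semaphore free
    {'m1_3', 'm2_0'},          # P1 took the semaphore (x = 0), in its CS
    {'m1_0', 'm2_0', 'x>0'},   # P1 released: x := x + 1
    {'m1_1', 'm2_0', 'x>0'},
    {'m1_2', 'm2_1', 'x>0'},
    {'m1_2', 'm2_2', 'x>0'},
    {'m1_2', 'm2_3'},          # P2 in its CS; its release returns to the loop start
])
UNFAIR = Sequence(prefix=[], loop=[   # P1 never leaves m_1^2 although x>0 recurs
    {'m1_2', 'm2_0', 'x>0'},
    {'m1_2', 'm2_1', 'x>0'},
    {'m1_2', 'm2_2', 'x>0'},
    {'m1_2', 'm2_3'},
])

ACCESSIBILITY = G(Imp(p('m1_2'), F(p('m1_3'))))           # G(m ⊃ Fm')
MUTEX = G(Not(And(p('m1_3'), p('m2_3'))))                  # G~(m_1 ∧ m_2)
FAIRNESS_M12 = Not(And(G(p('m1_2')), G(F(p('x>0')))))      # ~[Gm ∧ GF E_m], E_m = x>0


def check_all(seq):
    return {'accessibility': satisfies(seq, ACCESSIBILITY),
            'mutual exclusion': satisfies(seq, MUTEX),
            'fair at m_1^2': satisfies(seq, FAIRNESS_M12)}


def f_equals_not_g_not(seq, name):
    """Fp ≡ ~G(~p) checked on one sequence."""
    return satisfies(seq, F(p(name))) == satisfies(seq, Not(G(Not(p(name)))))


if __name__ == '__main__':
    for label, seq in (('FAIR', FAIR), ('UNFAIR', UNFAIR)):
        print(label, check_all(seq))
```

On the fair sequence all three formulas hold; on the starving one accessibility fails and so does the fair scheduling clause for $m_1^2$, which is exactly why such a sequence is excluded by $W(P)$ later in the talk.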
Examples of expressing properties with temporal formulas
Recall: a state is a pair $s = \langle \bar m, \bar\eta \rangle$, where $\bar m = (m_1, m_2, \dots, m_n)$ is a vector of labels. In our formulas: if $m_i \in L_i$, then the proposition $m_i$ is true in a state $s$ if $m_i$ is the $i$-th component of $\bar m$.
We start off with properties which can be expressed as formulas of the form $GW$, where $W$ contains no temporal operators. Those are invariance properties.
Partial correctness
Consider a single sequential program with entry label $m_0$ and exit label $m_e$. $\psi$ is a formula specifying the correctness of the program; that is, $\psi$ is to hold on termination.
Partial correctness can be stated as $G(m_e \supset \psi)$.
What does this formula NOT guarantee us? (That $m_e$ is ever reached.)
We can also add an input restriction $\varphi$: $m_0 \wedge \varphi \supset G(m_e \supset \psi)$.
Clean behavior
For every instruction we can write a condition which ensures a lawful termination of the instruction. Examples:
- if the instruction contains a division, we include a claim that the divisor does not equal zero;
- if the instruction contains an array reference, we include a claim that the subscript expression is within the array bounds.
Let $\alpha_i(\bar y)$ be the legality condition for the statement departing from $m_i$. Clean behavior can be stated as
$G \bigwedge_{i \in L} (m_i \supset \alpha_i(\bar y))$.
Mutual exclusion
Assume $P_1, P_2$ contain critical sections. For simplicity assume they consist of the single nodes $m_1 \in L_1$ and $m_2 \in L_2$. To claim that the critical sections are never simultaneously accessed we write $G \sim (m_1 \wedge m_2)$.
Deadlock freedom
Deadlock: all processors are locked and none can move. In our model we can only get stuck in a node if the exit condition is not identically true.
Let $m_1, \dots, m_n$ be any set of nodes (one per process) with exit conditions $E_1, \dots, E_n$, none of which is identically true. The statement that deadlock never occurs at $m_1, \dots, m_n$ can be stated as
$G[(m_1 \wedge m_2 \wedge \dots \wedge m_n) \supset (E_1 \vee E_2 \vee \dots \vee E_n)]$.
What can we do to exclude deadlock (not only for a given set of nodes)?
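To make the invariance properties concrete, here is an added Python example (not code from the slides or from Pnueli's paper) that encodes the semaphore program of the process-graph example in the model above: a process is a list of guarded edges $c(\bar y) \to [\bar y := f(\bar y)]$, a state is a pair of a label vector and a valuation. It enumerates every state reachable under the multiprogramming assumption and checks $G \sim(m_1^3 \wedge m_2^3)$, the semaphore invariant $G(m_1^3 \vee m_2^3 \vee x = 1)$ and deadlock freedom at $(m_1^2, m_2^2)$ on all of them. Two things are assumptions of this example: the edges $m_i^0 \to m_i^1 \to m_i^2$ carry the guard true, since the slides show no guard on them, and the `release=False` variant is a deliberately broken program, constructed here, whose $v(x)$ is missing.

```python
"""The concurrent-program model of the talk made executable (added example).

A program is a list of processes; a process is a list of edges
(source label, target label, guard c(y), assignment y := f(y)).  A state is
(vector of labels, valuation of the program variables).  Under the
multiprogramming assumption a successor is obtained by exactly one process
taking one enabled transition, so the reachable states are found by a
breadth-first search, and an invariance property G W is checked by
evaluating W in every reachable state.
"""
from collections import deque


def semaphore_process(release=True):
    """P_i of the two-process example (labels m^0..m^3, critical section = 3).

    Only x>0 -> [x := x-1] on m^2 -> m^3 and x := x+1 on m^3 -> m^0 are given
    on the slides; m^0 -> m^1 -> m^2 are ASSUMED here to carry the guard true.
    release=False is a constructed, deliberately broken variant without v(x)."""
    keep = lambda y: dict(y)
    return [
        (0, 1, lambda y: True,       keep),
        (1, 2, lambda y: True,       keep),
        (2, 3, lambda y: y['x'] > 0, lambda y: {**y, 'x': y['x'] - 1}),   # p(x)
        (3, 0, lambda y: True,       (lambda y: {**y, 'x': y['x'] + 1}) if release else keep),  # v(x)
    ]


PROGRAM = [semaphore_process(), semaphore_process()]                        # P = P1 || P2
BROKEN = [semaphore_process(release=False), semaphore_process(release=False)]
INIT_LABELS, INIT_Y = (0, 0), {'x': 1}


def successors(program, state):
    """States reachable in one step: one process takes one enabled transition."""
    labels, y_items = state
    y = dict(y_items)
    for i, edges in enumerate(program):
        for src, dst, guard, assign in edges:
            if labels[i] == src and guard(y):
                new_labels = labels[:i] + (dst,) + labels[i + 1:]
                yield (new_labels, tuple(sorted(assign(y).items())))


def reachable(program, init_labels=INIT_LABELS, init_y=INIT_Y):
    start = (tuple(init_labels), tuple(sorted(init_y.items())))
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for nxt in successors(program, state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exit_condition(program, i, label, y):
    """E_m: disjunction of the guards on all edges leaving label m of P_i."""
    return any(guard(y) for src, _, guard, _ in program[i] if src == label)


def check_invariant(program, W, init_labels=INIT_LABELS, init_y=INIT_Y):
    """G W on all execution sequences: W(labels, y) must hold in every reachable
    state.  Returns (True, None) or (False, counterexample state)."""
    for labels, y_items in sorted(reachable(program, init_labels, init_y)):
        y = dict(y_items)
        if not W(labels, y):
            return False, (labels, y)
    return True, None


def mutual_exclusion(labels, y):        # G ~(m_1^3 & m_2^3)
    return not (labels[0] == 3 and labels[1] == 3)


def semaphore_invariant(labels, y):     # G (m_1^3 v m_2^3 v x = 1)
    return labels[0] == 3 or labels[1] == 3 or y['x'] == 1


def deadlock_freedom(program, nodes):
    """G[(m_1 & ... & m_n) -> (E_1 v ... v E_n)] for one node per process."""
    def W(labels, y):
        at_nodes = all(labels[i] == m for i, m in enumerate(nodes))
        return (not at_nodes) or any(exit_condition(program, i, m, y) for i, m in enumerate(nodes))
    return W


if __name__ == '__main__':
    print(len(reachable(PROGRAM)), 'reachable states')
    print('mutual exclusion:', check_invariant(PROGRAM, mutual_exclusion))
    print('semaphore invariant:', check_invariant(PROGRAM, semaphore_invariant))
    print('deadlock free at (m_1^2, m_2^2):', check_invariant(PROGRAM, deadlock_freedom(PROGRAM, (2, 2))))
    print('broken program:', check_invariant(BROKEN, deadlock_freedom(BROKEN, (2, 2))))
```

The correct program has 15 reachable states (all label pairs except $(3,3)$, with $x = 1$ exactly when nobody is in the critical section) and satisfies all three properties; the broken variant reaches $(m_1^2, m_2^2)$ with $x = 0$, where both exit conditions are false, and the deadlock-freedom check returns that state as a counterexample.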
Temporal formulas: now a bit more complicated ones
We now advance to a class of properties which require more complicated expressions, expressible by formulas of the types $W_1 \supset FW_2$ and $G(W_1 \supset FW_2)$.
Total correctness
Same setting as partial correctness: a single sequential program with entry $m_0$ and exit $m_e$; $\psi$ is a formula specifying the correctness of the program, that is, $\psi$ is to hold on termination; $\varphi$ expresses the initial input restrictions. Total correctness with respect to $(\varphi, \psi)$ can be expressed as
$m_0 \wedge \varphi \supset F(m_e \wedge \psi)$.
Compare it to partial correctness: $m_0 \wedge \varphi \supset G(m_e \supset \psi)$.
Accessibility
In the context of critical sections: expressing that if a process wishes to enter its critical section, it will be granted permission to do so. Let $m$ be a location (node) of a process just before the entrance to its critical section, showing its wish to enter, and $m'$ a location inside the critical section. The property of accessibility is $G(m \supset Fm')$.
Responsiveness
Suppose we receive requests from many external agents, for example in a client-server model. A request from agent $i$ is signaled by a variable $r_i$ turning true. The program deals with the request (for example it allocates the resource) and signals that the request of agent $i$ has been granted by setting a variable $g_i$ to true. Responsiveness can be expressed as $G(r_i \supset Fg_i)$.
Coming up: A proof system!We saw that the Temporal Logic language
is useful for expressing and formulating interesting properties
We now present an axiomatic system in which we can prove these properties
The system DX – Axioms
A1: $G(p \supset q) \supset (Gp \supset Gq)$
A2: $Gp \supset p$
A3: $X(\sim p) \equiv \sim Xp$
A4: $X(p \supset q) \supset (Xp \supset Xq)$
A5: $Gp \supset Xp$
A6: $Gp \supset XGp$
A7: $G(p \supset Xp) \supset (p \supset Gp)$
The system DX – Inference rules
R1 (TAU): if $A$ is an instance of a classical tautology, then $\vdash A$.
R2 (MP): if $\vdash A \supset B$ and $\vdash A$, then $\vdash B$.
R3 (GEN): if $\vdash A$, then $\vdash GA$.
The temporal semantics of programs
Consider a node $m$ in any of the processes $P_i$, with $k$ departing edges to $m_1, \dots, m_k$ labeled $c_1 \to [\bar y := f_1(\bar y)], \dots, c_k \to [\bar y := f_k(\bar y)]$. The exit condition is $E_m = c_1 \vee c_2 \vee \dots \vee c_k$.
Clauses definitions (1)
For such a node $m$ we define
$N_m : m \wedge \bigvee_{i=1}^{k} [c_i \wedge Xm_i \wedge (X\bar y = f_i(\bar y))]$
Clauses definitions (2)
Fair scheduling: $F_m : \sim [Gm \wedge GF(\bigvee_{i=1}^{k} c_i)]$, that is, $\sim[Gm \wedge GF E_m]$.
Exit node: a node with no outgoing transitions. If $m$ is an exit node then, by definition, $E_m = $ false and $F_m$ is identically true, allowing execution of the relevant program to remain at the exit node.
Notation
For formulas $w_1, w_2, \dots, w_k$: $\bigoplus_{i=1}^{k} w_i$ claims that exactly one of the $w_i$ is true, while the others are false.
Clauses definitions (3)
Consider process $P_j$ with label set $L_j$. Recall $N_m : m \wedge \bigvee_{i=1}^{k} [c_i \wedge Xm_i \wedge (X\bar y = f_i(\bar y))]$. The expression
$A_j : \bigvee_{m \in L_j} N_m$
expresses the situation that process $P_j$ is active, that is, some transition in it is taking place.
Clauses definitions (4-6)
The expression
$I_j : \bigwedge_{m \in L_j} (m \supset Xm)$
expresses the situation that process $P_j$ is idle. Now define
$B_j : \bigwedge_{m \in L_j} F_m$ (fair scheduling of $P_j$)
$E_j : \bigoplus_{m \in L_j} m$ (exactly one location of $P_j$)
Clauses definitions (7)
Consider now a complete program $P = P_1 \parallel P_2 \parallel \dots \parallel P_n$. Define first
$I : \bigwedge_{j=1}^{n} I_j \wedge (\bar y = X\bar y)$
(all processes idle and the variables unchanged).
Defining W(P)
Assume that the initial labels in all processes are $\bar m^0 = (m_1^0, m_2^0, \dots, m_n^0)$, abbreviating the conjunction $m_1^0 \wedge \dots \wedge m_n^0$, and that the initial values of the variables are $\bar y^0$. The formula expressing the semantics of the program is:
$W(P) : \bar m^0 \wedge (\bar y = \bar y^0) \wedge G\Big[\bigvee_{j=1}^{n} \big(A_j \wedge \bigwedge_{i \neq j} I_i\big) \vee I\Big] \wedge \bigwedge_{j=1}^{n} B_j \wedge \bigwedge_{j=1}^{n} E_j$
- $A_j$: $P_j$ is active (while all other processes are idle);
- $I$: if all processes are idle then the values of the variables remain;
- $B_j$: fair scheduling;
- $E_j$: exactly one location proposition of $P_j$ is true at any instant.
A note about idling
Our semantics allows instants of complete inaction or idling. Why? It is necessary in order to accommodate terminating programs, and incorrect programs which may inadvertently lead to deadlocks: even though a program is incorrect, it should still have some execution sequences. However, the fair scheduling clause will prevent endless idling while there is still some possible action in one of the processes.
Proving accessibility
We wish to prove that when $P_1$ gets to $m_1^2$ it will eventually arrive at $m_1^3$, i.e. $G(m_1^2 \supset Fm_1^3)$. Since the only edge leaving $m_1^2$ leads to $m_1^3$, it suffices to prove that we never get stuck at $m_1^2$, that is, to prove $\sim Gm_1^2$. We assume $Gm_1^2 \wedge W(P)$ and derive a contradiction with $W(P)$.
(The process graphs of $P_1$ and $P_2$ are those of the example above: $x := 1$ initially, $m_i^2 \to m_i^3$ labeled $x > 0 \to [x := x - 1]$, $m_i^3$ the critical section, $m_i^3 \to m_i^0$ labeled $x := x + 1$.)
Proving accessibility
1. $Gm_1^2$ (assumption)
2. $G(m_1^3 \vee m_2^3 \vee x = 1)$ (invariant of the semaphore program)
3. $m_2^3 \supset F(m_2^0 \wedge x > 0)$ (fair scheduling at $m_2^3$, whose exit condition is true: $P_2$ eventually leaves the critical section executing $x := x + 1$)
4. $m_2^3 \supset F(x > 0)$ (from 3)
5. $\sim m_2^3 \wedge \sim m_1^3 \supset (x = 1)$ (from 2 and A2)
6. $m_1^2 \supset \sim m_1^3$ (exactly one location of $P_1$ is true, $E_1$)
7. $\sim m_2^3 \wedge m_1^2 \supset (x = 1)$ (from 5 and 6)
8. $m_1^2 \supset F(x > 0)$ (from 4 and 7: either $m_2^3$ holds, or $x = 1$ holds already now)
9. $Gm_1^2 \supset [Gm_1^2 \wedge GF(x > 0)]$ (from 8 by GEN and A1)
10. $Gm_1^2 \wedge GF(x > 0)$ (from 1 and 9)
Since $E_{m_1^2} = (x > 0)$, line 10 contradicts the fair scheduling clause $F_{m_1^2} : \sim[Gm_1^2 \wedge GF(x > 0)]$ of $W(P)$.
Summary
Today we saw:
- a model of concurrent programs;
- temporal logic, which provided us a language for expressing temporal claims;
- a proof system, which provided us a way of proving properties about concurrent programs.
Questions?