algebra of concurrent programming tony hoare cambridge 2011
TRANSCRIPT
Algebra of Concurrent Programming
Tony Hoare
Cambridge 2011
With ideas from
• Ian Wehrman• John Wickerson• Stephan van Staden• Peter O’Hearn• Bernhard Moeller• Georg Struth• Rasmus Petersen• …and others
Subject matter: designs
• variables (p, q, r) stand for computer programs, designs, specifications,…
• they all describe what happens inside/around a computer that executes a given program.
• The program itself is the most precise.• The specification is the most abstract.• Designs come in between.
Examples
• Postcondition:– execution ends with array A sorted
• Conditional correctness:– if execution ends, it ends with A sorted
• Precondition: – execution starts with x even
• Program: x := x+1 – the final value of x one greater than the initial
Examples
• Safety:– There are no buffer overflows
• Termination:– execution is finite (ie., always ends)
• Liveness:– no infinite internal activity (livelock)
• Fairness:– a response is always given to each request
• Probability:– the ration of a’s to b’s tends to 1 with time
Unification
• Same laws apply to programs, designs, specifications
• Same laws apply to many forms of correctness.
• Tools based on the laws serve many purposes.• Distinctions can be drawn later– when the need for them is apparent
Refinement: p ⊑ q
• Everything described by pis also described by q , e.g.,– spec p implies spec q– prog p satisfies spec q– prog p more determinate than prog q
• stepwise development of a spec is– spec ⊒ design ⊒ program
• stepwise analysis of a program is– program ⊑ design ⊑ spec
Various terminologyp ⊑ q
• below• lesser• stronger• lower bound• more precise• …deterministic• included in • antecedent =>
• above• greater• weaker• upper bound• more abstract• ...non-deterministic• containing (sets)• consequent (pred)
Law: ⊑ is a partial order
•⊑ is transitive• p ⊑ r if p ⊑ q and q ⊑ r• needed for stepwise
development/analysis
• ⊑ is antisymmetric • p = r if p ⊑ r and r ⊑ p• needed for abstraction
•⊑ is reflexive– p ⊑ p•for convenience
Binary operator: p ; q
• sequential composition of p and q•each execution of p;q consists of– all events x from an execution of p – and all events y from an execution of q
•subject to ordering constraint, either– strong -- weak– interruptible -- inhibited
alternative constraints on p;q •strong sequence: – all x from p must precede all y from q
•weak sequence: – no y from q can precede any x from p
•interruptible: – other threads may interfere between x and y
•separated: – updates to private variables are protected.
• all our algebraic laws will apply to each alternative
Hoare triple: {p} q {r}
• defined as p;q ⊑ r – starting in the final state of an execution of p,
q ends in the final state of some execution of r– p and r may be arbitrary designs.
•example: {..x+1 ≤ n} x:= x + 1 {..x ≤ n} • where ..b (finally b) describes all executions that
end in a state satisfying a single-state predicate b .
monotonicity
• Law: ( ; is monotonic wrto ⊑) :– p;q ⊑ p’;q if p ⊑ p’ – p;q ⊑ p;q’ if q ⊑ q’– compare: addition of numbers
• Rule (of consequence):– p’ ⊑ p & {p} q {r} & r ⊑ r’ implies {p’} q {r’}
• Rule is interprovable with first law
associativity
• Law (; is associative) :– (p;q);q’ = p;(q;q’)
• Rule (sequential composition):– {p} q {s} & {s} q’ {r} implies {p} q;q’
{r}
• half the law interprovable from rule
Unit(skip):
• a program that does nothing• Law ( is the unit of ;):– p; = p = ;p
• Rule (nullity)– {p} {p}
• a quarter of the law is interprovable from Rule
concurrent composition: p | q
• each execution of (p|q) consists of – all events x of an execution of p,– and all events y of an execution of q
• same laws apply to alternatives:– interleaving: x precedes or follows y– true concurrency: x neither precedes nor
follows y.– separation: x and y independent
• Laws: | is associative, commutative and monotonic
Separation Logic
• Law (locality of ; wrto |):– (s|p) ; q ⊑ s |(p;q) (left locality )– p ; (q|s) ⊑ (p;q) | s (right locality)
• Rule (frame) :– {p} q {r} implies {p|s} q {r|s}
• Rule interprovable with left locality
Concurrency law
• Law (; exchanges with *)– (p|q) ; (p’|q’) ⊑ (p;p’) | (q;q’)– like exchange law of category theory
• Rule (| compositional)– {p} q {r} & {p’} q’ {r’} implies
{p|p’} q|q’ {r|r’}
• Rule interprovable with the law
p|q ; p’|q’
p p’
q’q
by columns
p|q ; p’|q’
⊑p p’
q’qp;p’ | q;q’
by rows
Regular language model
• p, q, r,… are languages– descriptions of execution of fsm.
• p ⊑ q is inclusion of languages• p;q is (lifted) concatenation of strings– i.e., {st| s ∊ p & t ∊ q}
• p|q is (lifted) interleaving of strings• = {< >} (only the empty string)• “c” = {<c>} (only the string “c”)
Left locality
•Theorem: (s|p) ; q ⊑ s | (p;q)•Proof:
in lhs: s interleaves with just p , and all of q comes at the end.
in rhs: s interleaves with all of p;qso lhs is a special case of rhs
• p s s ; q q q ⊑ p s q s q q
Exchange
• Theorem: (p|q) ; (p’|q’) ⊑ (p;p’) | (q;q’)– in lhs: all of p and q comes before
all of p’ and q’ .– in rhs: end of p may interleave with q’
or start of p’ with qthe lhs is a special case of the rhs.
p q p ; q’ p’ q’ ⊑ p q q’ p p’ q’
Conclusion
• regular expressions satisfy all our laws for ⊑ , ; , and |
• and for other operators introduced later
Part 2. More Program Control Structures
• Non-determinism, intersection• Iteration, recursion, fixed points• Subroutines, contracts, transactions• Basic commands
Subject matter
• variables (p, q, r) stand for programs, designs, specifications,…
• they are all descriptions of what happens inside and around a computer that is executing a program.
• the differences between programs and specs are often defined from their syntax.
Specification syntax includes
• disjunction (or, ⊔) to express abstraction, or to keep options open
– ‘it may be painted green or blue’• conjunction (and, ⊓) combines requirements– it must be cheaper than x and faster than y
• negation (not) for safety and security– it must not explode
• implication (contracts)– if the user observes the protocol, so will the system
Program syntax excludes
• disjunction– non-deterministic programs difficult to test
• conjunction– inefficient to find a computation satisfying both
• negation– incomputable
• implication– which side of contract?
programs include
• sequential composition (;)• concurrent composition (|)• interrupts• iteration, recursion• contracts (declarations)• transactions• assignments, inputs, outputs, jumps,…
• So include these in our specifications!
Bottom
•An unimplementable specification – like the false predicate
•A program that has no execution– the compiler stops it from running
•Define as least solution of: _ ⊑ _ • Theorem: ⊑ r– satisfies every spec, – but cannot be run (Dijkstra’s miracle)
Algebra of
• Law ( is the zero of ;) :– ; p = = p ;
• Theorem : {p} {q}• Quarter of law provable from
theorem
Top ⊤
• a vacuous specification,– satisfied by anything, – like the predicate true
• a program with an error– for which the programmer is responsible– e.g., subscript error, violation of
contract…
• define ⊤ as greatest solution of: _ ⊑ _
Algebra of ⊤
• Law: none• Theorem: none– you can’t prove a program with this
error– it might admit a virus!
• A debugging implementation may supply useful laws for ⊤
Non-determinism (or): p ⊔ q
• describes all executions that either satisfy p or satisfy q .
• The choice is not (yet) determined.• It may be determined later– in development of the design– or in writing the program– or by the compiler – or even at run time
lub (join): ⊔
• Define p⊔q as least solution ofp ⊑ _ & q ⊑ _
• Theorem– p ⊑ r & q ⊑ r iff p⊔q ⊑ r
• Theorem– ⊔ is associative, commutative,
monotonic, idempotent and increasing– it has unit ⊥ and zero ⊤
glb (meet): ⊓
• Define p⊓q as greatest solution of_ ⊑ p & _ ⊑ q
Distribution
• Law ( ; distributive through ⊔ )– p ; (q⊔q’) = p;q ⊔ p;q’– (q⊔q’) ; p = q;p ⊔ q’;p
• Rule (non-determinism)– {p} q {r} & {p} q’ {r} implies {p}
q⊔q’ {r}– i.e., to prove something of q⊔q’ prove the same thing of both q and q’
• quarter of law interprovable with rule
Conditional: p if b else p’• Define p ⊰b⊱ p’ as
b.. ⊓ p ⊔ not(b).. ⊓ p’– where b.. describes all executions that
begin in a state satisfying b .
• Theorem. p ⊰b⊱ p’ is associative, idempotent, distributive, and– p ⊰b⊱ q = q ⊰not(b)⊱ p (skew
symm)– (p ⊰b⊱ p’ ) ⊰c⊱ (q ⊰b⊱ q’) =
(p ⊰c⊱ q) ⊰b⊱ (p’ ⊰c⊱ q’) (exchange)
Transaction
• Defined as (p ⊓..b) ⊔ (q ⊓..c)– where ..b describes all executions that
end satisfying single-state predicate b .
• Implementation:– execute p first– test the condition b afterwards– terminate if b is true– backtrack on failure of b– and try alternative q with condition c.
Transaction (realistic)
• Let r describe the non-failing executions of a transaction t .– r is known when execution of t is complete.– any successful execution of t is committed – a single failed execution of t is undone, – and q is done instead.
• Define: (t if r else q) = t if t ⊑ r
= (t ⊓ r) ⊔ q otherwise
Contracts
• Let q be the body of a subroutine• Let s be its specification• Let (q .. s) assert that q meets s• Programmer error (⊤) if not so • Caller of subroutine may assume
that s describes all its calls• Implementation may just execute q
Least upper bound
• Let S be an arbitrary set of designs
•Define ⊔S as least solution of
∀s∊ S . s ⊑ _ – ( ∀s∊ S . s ⊑ r ) ⇒ ⊔S ⊑ r (all r)
• everything is an upper bound of { } ,
so ⊔ { } = – a case where ⊔S ∉ S
similarly
• ⊓S is greatest lower bound of S
• ⊓ { } = ⊤
Subroutine with contract: q .. s
• Define (q..s) as glb of the setq ⊑ _ & _ ⊑ s
• Theorem: (q.. s) = q if q ⊑ s = ⊤ otherwise
Iteration (Kleene *)
• q* is least solution of – (ɛ ⊔ (q; _) ) ⊑ _
• q* =def ⊔{s| (ɛ ⊔ q; s) ⊑ s} – ɛ ⊔ q; q* ⊑ q* – ɛ ⊔ q; q’ ⊑ q’ implies q* ⊑ q’
– q* = ⊔ {qⁿ | n ∊ Nat} (continuity)
• Rule (invariance):– {p}q*{p} if {p}q{p}
Infinite replication
• !p is the greatest solution of _ ⊑ p|_– as in the pi calculus
• all executions of !p are infinite– or possibly empty
Recursion
• Let F(_) be a monotonic function between programs.
• Theorem: all functions defined by monotonic operators are monotonic.
• μF is strongest solution of F(_) ⊑ _• νF is weakest solution of _ ⊑ F(_)• Theorem (Knaster-Tarski): These
solutions exist.
Basic statements/assertions
• skip • bottom • top ⊤• assignment: x := e(x)• assertion: assert b• assumption: assume b• finally ..b• initially b..
more
• assign thru pointer: [a] := e• output: c!e• input: c?x• points to: a|-> e– a |-> _ =def exists v . a|-> v
• throw, catch• alloc, dispose
Laws(examples)
• assume b =def b..⊓• assert b =def b..⊓ ⊔ not(b).. • x:=e(x) ; x:=f(x) = x :=
f(e(x))– in a sequential language
more
• (p|-> _ ); [p] := e ⊑ p|-> e– in separation logic
• c!e | c?x = x := e– in CSP but not in CCS or Pi
• throw x ; (catch x; p) = p
Part 3Unifying Semantic Theories
• Six familiar semantic definition styles. • Their derivation from the algebra• and vice versa.
operational rules
algebraic laws
deduction rules
Hoare Triple
• a method for program verification• {p} q {r} ≝ p;q ⊑ r– one way of achieving r
is by first doing p and then doing q
• Theorem (sequential composition):– {p} q {s} & {s} q’ {r} implies {p}
q;q’ {r}– proved by associativity
Plotkin reduction
• a method for program execution• <p , q> -> r =def p ; q ⊒ r– if p describes state before execution of q
then r describes a possible final state, eg.
–<..(x2 = 18) , x := x+1> -> ..(x = 37)
• Theorem (sequential composition):• <p, q> -> s & <s, q’> -> r
implies <p, q;q’> r
Milner transition
• method of execution for processes• p – q -> r ≝ p ⊒ q;r– one of the ways of executing p is by
first executing q and then executing r .– e.g., (x := x+3) –(x:=x+1)-> (x:=x+2)
• Theorem (sequential composition):– p –q-> s & s –q’-> r => p –(q;q’)-> r
(big-step rule for ; )
partial correctness
• describes what may happen• p[q]r =def p ⊑ q;r– if p describes a state before execution of
q, then execution of q may achieve r
• Theorem (sequential composition):• p [q] s & s [q’] r implies p [q;q’] r• useful if r describes error states, and q
describes initial states from which a test execution of q may end in error.
Summary
• {p} q {r} =def p;q ⊑ r– Hoare triple
• <p,q>->r =def p;q ⊒ r– Plotkin reduction
• p –q->r =def p ⊒ q;r–Milner transition
• p [q] r =def p ⊑ q;r– test generation
Sequential composition
• Law: ; is associative• Theorem: sequence rule is valid for all four
triples.
• the Law is provable from the conjunction of all of them
Skip
• Law: p ; = p = ; p
• Theorems: {p} {p} p [] p
p − → p <p, > –>p
• Law follows from conjunction of all four theorems
Left distribution ; through ⊔
• Law: p;(q ⊔ q’) = p;q ⊔ p;q’ • Theorems:– {p} (q⊔q’) {r} if {p}q{r} and {p}q’{r} – <p,q⊔q’>-> r if <p,q>-> r or <p, q’>-> r – p [q⊔q’] r if p [q] r or p [q’] r – p -(q⊔q’)-> r if p –q->r and p -q’->r
(not used in CCS)
• law provable from either and rule together with either or rule.
locality and frame
• left locality (s|p) ; q ⊑ s | (p;q)• Hoare frame: {p} q {r} ⇒ {s|p} q {s|r}
• right locality p ; (q|s) ⊑ (p;q) | s• Milner frame: p -q-> r ⇒(p|s) - q-> (r|s)
• Full locality requires both frame rules
Separation logic
•Exchange law: – (p | p’) ; (q| q’) (p ; q) | (p’;q’)
•Theorems– {p} q {r} & {p’} q’ {r’} ⇒ {p|p’} q|q’ {r|
r’}– p -q -> r & p’–q’-> r’ => p|p’ –q|q’-> r|r’
• the law is provable from either theorem• For the other two triples, the rules are
equivalent to the converse exchange law.
usual restrictions on triples
• in {p} q {r} , p and r are of form ..b, ..c
• in p [q] r , p and r are of form b.., c..• in <p,q>->r, p and r are of form ..b, ..c• in p –q->r, p and r are programs • in p –q->r (small step), q is atomic • (in all cases, q is a program)
• all laws are valid without these restrictions
Weakest precondition (-;)
•(q -; r) =def the weakest solution of ( _ ;q ⊆ r)
– the same as Dijkstra’s wp(q, r)– for backward development of programs
Weakest precondition (-;)
• Law (-; adjoint to ;)– p ⊑ q -; r iff p;q ⊑ r (galois)
• Theorem– (q -; r) ; q ⊑ r– p ⊑ q -; (p ; q)
• Law provable from the theorems– cf. (r div q) q ≤ r– r ≤ (rq) div q
Theorems
• q’ ⊑ q & r ⊑ r’ => q-;r ⊑ q’-;r’• (q;q’)-;r ⊑ q-;(q’-;r)• q-;r ⊑ (q;s) -; (r;s)
Specification statement (;-)
•(p ;- r) =def the weakest solution of ( p ; _ ⊆ r)
– Back/Morgan’s specification statement– for stepwise refinement of designs– same as p⇝r in RGSep– same as (requires p; ensures r) in VCC
Law of consequence
Frame laws
Part 4Denotational Models
A model is a mathematical structure that satisfies the axioms of an algebra, and realistically describes a useful application, for example, program execution.
Modelsdenotational models
algebraic laws
Some Standard Models:
• Boolean algebra( {0,1}, ≤, , , (1 - _) )
• predicate algebra (Frege, Heyting)– (ℙS,├, , , (S - _), => , ∃, ∀)
• regular expressions (Kleene):– (ℙA*, ⊆, ∪, ; , ɛ , {<a>} , | )
• binary relations (Tarski):– (ℙ(SS), ⊆, ∪, ∩, ; , Id , not(_), converse(_))
• algebra of designs is a superset of these
Model: (EV, EX, PR)
• EV is an underlying set of events (x, y, ..) that can occur in any execution of any program
• EX are executions (e, f,…), modelled as sets of events
• PR are designs (p, q, r,…), modelled as sets of executions.
Set concepts
• ⊑ is (set inclusion)• ⊔ is (set union) • ⊓ is (intersection of sets)• is { } (the empty set)• ⊤ is EV (the universal set)
With (|)
• p | q = {e ∪ f | e ε p & f ε q & e∩f = { } }
– each execution of p|q is the disjoint union of an execution of p and an execution of q
– p|q contains all such disjoint unions
• | generalises many binary operators
Introducing time
• TIM is a set of times for events– partially ordered by ≤
•Let when : EV -> TIM – map each event to its time of occurrence.
Definition of <
•x < y =def not(when(y) ≤ when(x))– x < y & y < x means that x and y occur ‘in
true concurrency’.
• e < f =def ∀x,y . x∊e & y∊f => x < y– no event of f occurs before an event of e– hence e<f implies ef = { }
•If ≤ is a total order, – there is no concurrency, – executions are time-ordered strings
Sequential composition (then)
• p ; q = {ef | e∊p & f∊q & e<f}
• special case: if ≤ is a total order, – e < f means that ef is concatenation
(e⋅f) of strings– ; is the composition of regular
expressions
Theorems
• These definitions of ; and | satisfy the locality and exchange laws.
•(s|p) ; q ⊑ s |(p;q)•(p|q) ; (p’|q’) ⊑ (p;p’) | (q;q’)– Proof: the lhs describes fewer
interleavings than the rhs.
• special case: regular expressions satisfy all our laws for ⊑ , ⊔ , ; , and |
Disjoint concurrency (||)
• p||q =def (p ; q) (q ; p)– all events of p concurrent with all of q .– no interaction is possible between them.
• Theorems: (p||q) ; r p || (q ; r) (p||q) ; (p’||q’) (p;p’) || (q;q’)
– Proof: the rhs has more disjointness constraints than the lhs .
– the wrong way round!
• So make the programmer responsible for disjointness, using interfaces!
Interfaces
• Let q be the body of a subroutine• Let s be its specification• Let (q .. s) assert that q is correct • Caller may assume s• Implementer may execute q
Solution
• p*q =def (p|q .. p||q) = p|q if p|q ⊑ p||q
⊤ otherwise – programmer is responsible for absence
of interaction between p and q .
• Theorem: ; and * satisfy locality and exchange.– Proof: in cases where lhs ≠ rhs, rhs =
⊤
Problem
• ; is almost useless in the presence of arbitrary interleaving (interference).
• It is hard to prove disjointness of p||q• We need a more complex model– which constrains the places at which a
program may make changes.
Separation
• PL is the set of places at which an event can occur
• each place is ‘owned’ by one thread,– no other thread can act there.
• Let where:EV -> PL map each event to its place of occurrence.
• where(e) =def {where(x) | x ∊ e }
Separation principle
• events at different places are concurrent
• events at the same place are totally ordered in time
• ∀x,y ∊ EV . where(x) = where(y) iff x≤y or y≤x
Picture
time
space
Theorem
• p || q = {ef | e ∊ p & f ∊ q& where(e) where(f) =
{ } }• proved from separation principle
Convexity Principle
• Each execution contains every event that occurs between any of its events.
• ∀e ∊ EX , y ∊ EV. ∀x, z ∊ e .when(x) ≤ when(y) ≤ when(z) => y ∊ e – no event from elsewhere can interfere
between any two events of an execution
A convex execution of p;q
time
space
p q
A non-convex ‘execution’ of p;q
time
space
p q
Conclusion:in Praise of Algebra
• Reusable• Modular• Incremental• Unifying
• Discriminative• Computational• Comprehensible• Abstract
• Beautiful!
Algebra likes pairs
• Algebra chooses as primitives– operators with two operands + , – predicates with two places = , – laws with two operators & v , + – algebras with two components rings
Tuples
• Tuples are defined in terms of pairs.– Hoare triples– Plotkin triples– Jones quintuples – seventeentuples …
Semantic Links
deductions transitions
denotations
algebra
Increments
algebra
Filling the gaps
algebra