Shared Variables in Stochastic Petri Nets and Process Algebras - Background Material

• Exponential vs. Non-Exponential (General) Distributions

• An exponentional(ly-distributed) duration has the property that for any non-zero time T

• there is non-zero probability that the duration is less than T

• there is non-zero probability that the duration is greater than T

• Not a completely realistic model

• Won’t do for considering hard real-time requirements

•and its preferable to have one model that does performance evaluation and real-time analysis

• Also has memory-less property (and is the only (continuous) one that does)

• The distribution of how long you have to wait for it to complete

•is independent of how long you have already waited

• This has great advantages for analysis method and formal simplicity

• Particularly, interleaving is valid

• Interleaving vs. True-concurrency (in a Process Algebra (PA) )

• P = (1 ; Q) || (2 ; R) …. Q = … …. (; is prefix)

• Interleaved LTS semantics -

• On reaching (Q) || (2 ; R), some time has elapsed due to 1

• So 2 should be different

• For exponential durations can ignore this, so interleaving is valid

• For general case, cannot; so (in principle) need a true-concurrency model

P1

2

(Q) || (2 ; R)

(Q) || ( R)

(1 ; Q) || ( R)

2

1

1

Background Material

• Approachs to General Distributions in PAs

• A. Explicit timers

• Instead of P = (1 ; Q) || (2 ; R)

• You write P = (start(t1,1) ; wait(t1) ; Q) || (start(t2,2) ; wait(t2) ; R)

• giving interleaved LTS -

• B. Implicit timers

• You do write P = (1 ; Q) || (2 ; R)

• but the semantics gives the same LTS as above

• C. True Concurrency

• You do write P = (1 ; Q) || (2 ; R)

• the semantic model is more complex than an interleaved LTS

• Timed Synchronisations

• One atomic element including both synchronising action and duration

• ( a?:1 ; ) || ( a!:2 ; ) has the effect of (:(1# 2) ; )

• stochastic PAs with only exponential durations always have timed synchronisations

• A and B preclude that; C allows it

• Should allow timed synchronisation in a PA with general distributions, because

• should be a straight generalisation of exponential-only PA

• if that’s useful in exponential case, also useful in non-exponential case

start(t1,1)

start(t2,2) start(t1,1)

start(t2,2)

end(t1)

end(t2)

2

Background Material

• Preemption of a generally distributed duration

• P = ( 1 ; P ) + ( 2 ; P )

• After doing 1:

• preemption is re-start 2

• non-preemption would be to continue with old 2

• High Level vs Low Level PA - value-passing

• P(x,y) = (x>y):a?(z) ; P(z,z)

• parameterised agent definitions and input actions, guard

• equivalent to (defined by) its “unfolding” - a family of agent definitions

P0,0 =

P1,0 = a?0 ; P0,0 + a?1 ; P1,1 + …

…

• Generally the HL expression is much smaller than the equivalent LL one

1

2

3

P

Shared Variables in Stochastic Petri Nets and Process Algebras

• Need to do performance evaluation on languages used by Software Engineers, e.g. UML,

• rather than requiring use of specialised models, only usable by specialists

• Need to consider such languages in full generality

• including variables updated by parallel components

• E.g. in UML nested state diagrams -

a? T:=T+D(T*P)>M

(T*P)<=M b?c? P:=P-EQ R S

• Q and S update variables T(emperature) and P(ressure)

• R monitors safety condition and sounds alarm, b!, if violated for duration • Parallelism is not for physical parallelism, but for

• Factoring design -

• Otherwise, replicate R everywhere T or P changes

4

Criteria on a General Approach to PA / PN Semantics

• Generality

• Accommodate non-exponential distributions -

• realism

• hard real-time contraints

• Atomicity - a?(y):y>x: - a conditional timed synchronisation;

•most general distribution PAs can’t do timed synchronisation

• Size is an issue when variables included

• Need a High-level model

• coloured net / value-passing PA

• otherwise model gets very big

• Need a Low-level model also,

• there will be some tools not extended for HL model

• LL model must be consistent with HL model, and not too big

• Compositionality

• Sem(A# B) = Sem(A) ## Sem(B)

• General principle

• Needed to have any hope of applying compositional analysis -

• Prop(Sem(A# B)) = Prop(Sem(A)) ### Prop( Sem(B)) max-dur(A ; B) = max-dur(A) + max-dur( B)

• important for large systems and component re-use5

Process Algebra Approaches

• It is a difficulty

• Usual PAs have difficulty with shared variable semantics

• This meets with disbelief - hence this paper, to explore the issue

• Evidence

• The (T)CSP semantics of OCCAM

• valid only if shared variables are read-only

• Milner book on CCS

• Does give a semantics for a language with updateable share variables

• not applicable if language allows waiting for a condition to hold

• Time makes it worse

• Including durations

• increases the difficulty for PAs

• General Distributions

• makes that worse

• presents some issues for a PN solution

6

(T*P)>M

(T*P)<=M b?R

Process Algebra Approaches

• Three classes of solution approaches

• Fully-Parallel (distributed single copies of variables)

• Parallel agents for Q, R and S, and for T and P

• Q, R and S communicating with T and P to read and write variables.

• Milner’s approach

• Semi-Parallel (distributed replicated copies of variables)

• Parallel Agents Q(T,P), R(T,P) and S(T,P)

• Each has own copy of variables

• Each broadcasts new value when it does an update

• Non-Parallel (centralised single copy of variables)

• One global Agent X(Q,R,S,T,P) - Q=1 if Q in state Q1 etc

• Semantics is one massive choice -

• X(Q,R,S,T,P) = … + (Q=2): ; X(3,R,S,T+1,P) + …

• Discard immediately -

• Non-compositional

• LL semantics is big (isomorphic to LTS)

a? T:=T+1(T*P)>M

(T*P)<=M b?c? P:=P-1

Q R SQ1 Q2 Q3 R0

R1

R2S1 S2 S3

7

Process Algebra Approaches - Fully-Parallel

• The Semantic Definitions

• Sem(R) = R0 where

• R0 = get.t(t) ; get.p(p) ; ( (t*p>m):R1

+ (t*p<=m):R0 )

• if Z is immediate, ,

• the immediate loop R0 back to R0 stops the clock

• no timed action can ever happen

• if Z is timed, , then

• this distorts the behaviour

• can construct an example where the reachable states is incorrect

• Claim - this approach cannot give an adequate solution - but let me know if you find one.

8

(T*P)>M

(T*P)<=M b?Q R SR0

R1

R2

R0get.t get.p

R1

If t*p> m fails, must take this branch to allow for updates that make it succeed

Process Algebra Approaches - Fully-Parallel - Counter example for delayed re-test

• Cannot reach Q4 -

• Q is trying to get X=Y to hold for some non-zero duration

• R is thwarting that

• The delayed re-test scheme gives for R

• R1 = get.x(x) ; get.y(y) ; (y=x): ; R2

+ (yx): ; R1

• Can choose as less than , no matter what ’s distribution is, so can get sequence

• R[get.x(x) ; get.y(y) ; (yx)start(] ; Q[Q1 Q2 start() ; end() Q3 Q4] ; R [end(]

X:=Y+1

Q Q1X:=Y

Q2 Q3 RX=Y

Q4

XY

R1X=Y

R2

X:=Y+1 meansexponential delay

Race between and , won by

9

Process Algebra Approaches - Semi-Parallel - The main Example

• C and M are boolean - for two exclusive access resources - true if resource in use (Jobber needs Chisel and Mallet)

• C ⌐ ⌐ is negate C and return that result ⌐ C is return the negation of C

• Q acquires both resources to service request a?; holds them for 1 (service time) ; releases them; waits for 2; repeats.

• S is analogous - Q and S compete for the resources

• R monitors resource usage - if either resource is in use for period 5, it sends a message

The 6 and are to add challenge - race between exponential and non-exponential

• Semantic Definition - Sem(QRS) = Sem(Q) || Sem(R) || Sem(S)

• Sem(Q) = Q0(f,f), where … Q1(c,m) = (⌐c⌐m):a? ; C!(⌐c ) ; M!(⌐m) ; Q2(⌐c , ⌐m)

<+ (C?(c) ; Q1(c,m) + M?(m) ; Q1(c,m) )

• Sem(S) = S0(f,f), where … S1(c,m) = (⌐c⌐m):c? ; C!(⌐c ) ; M!(⌐m) ; Q2(⌐c , ⌐m)

<+ (C?(c) ; Q1(c,m) + M?(m) ; Q1(c,m) )

Receiving an update, C?(c), must be prioritised, <+, otherwise we can get -

Q[(⌐c⌐m)a?] ; S [(⌐c⌐m)c?] - both believe they have acquired exclusive use of the resources

and have committed to that by a? and c?

Q

Q1

Q2

1

Q3

C:= ⌐C, M:= ⌐M2

Q4

C ⌐ ⌐M ⌐ ⌐ : a?

b!R

R1 C M : 5R26

R4

R3 S

S1

S2

3

S3

C:= ⌐C, M:= ⌐M4

S4

C ⌐ ⌐M ⌐ ⌐ : c?

10

Process Algebra Approaches - Semi-Parallel - The Problems

• Needing Prioritsed Choice

• Needing to have prioritisation between immediate actions is an embarrassment from a theoretical perspective, because

• Introduces inconsistency between interleaving and true-concurrency semantics

• There is concurrent enabling of the resource acquisition in Q and the resoource acquisition in S

• So in a true-concurrency semantics both can happen, where as in the interleaved semantics only one can

• And non-exponential timed synchronisation needs a true concurrency semantics

• There can be spurious preemption of delays -

• Sem(R) = R0(f,f), where … R1(c,m) = (c m ):5 ; R2(c, m)

+ (C?(c) ; R1(c,m) + M?(m) ; R1(c,m) )

• There must be the option of receiving the update - otherwise

• updater is blocked until 5 is finished

• a change invalidating the (c m ) condition is lost

• If the change does not invalidate the (c m ) condition, the 5 delay is preempted spuriously

• The LL semantics is inordinately large - C*DV - exponential in number of variables

Q

Q1

Q2

1

Q3

C:=⌐C, M:= ⌐M2

Q4

C ⌐ ⌐M ⌐ ⌐ : a?

b!R

R1 C M : 5R26

R4

R3 S

S1

S2

3

S3

C:=⌐C, M:= ⌐M4

S4

C ⌐ ⌐M ⌐ ⌐ : c?

11

Preemption Policies

• What happens when we preempt

• Assume prd of standard classification- when an active duration is preempted, next time round we start it again, with re-selection from its distribution.

• When do we preempt - new classification; which of the following rules is included

• A enabled timed transition, t, is preempted by (reading/doing X below)

• TS - The system reaching a Tangible State in which t is not enabled

• VS - The system reaching any (tangible or Vanishing) State in which t is not enabled

• TT - (TS or) The occurrence of a Timed Transition which is in conflict with t

• VT - The occurrence of any (timed or immediate/Vanishing) Transition which is in conflict with t.

• Implies structure means possible policies are - {TS}, {VS}, {TT}, {VS,TT}, {VT}

TS TT

VS VT

tX

v uTS

tX

v uVS

t X

v VT

t XTT

TS = (fix(Y=(t ; )+(a? ; u ; Y)) || (v ; a! ; ))\{a} VS = (fix(Y=(t ; )+(a? ; ; Y)) || (v ; a! ; ))\{a}

TT = fix(Y=(t ; )+(X ; Y) VT = (fix(Y=(t ; )+(a? ; Y)) || (v ; a! ; ))\{a}

12

implies

• For net or PA expression, should have VT equivalent VS

• should make no difference by introducing transition u - not in conflict, immediate, silent

• so really VS implies VT; policies are TS, TT, VT

t

Xv uTS

t

Xv uVS

t X

v VT

t XTT

TS = (fix(Y=(t ; )+(a? ; u ; Y)) || (v ; a! ; ))\{a} VS = (fix(Y=(t ; )+(a? ; ; Y)) || (v ; a! ; ))\{a}

TT = fix(Y=(t ; )+(X ; Y) VT = (fix(Y=(t ; )+(a? ; Y)) || (v ; a! ; ))\{a}

Preemption Policies in PA

VT = (fix(Y=(t ; )+(a? ; Y)) || (v ; a! ; ))\{a}

VT’ = (fix(Y=(t ; )+(a? ; fix(Y=(t ; )+(a? ; Y)) )) || (v ; a! ; ))\{a}

Equivalent: can replace agent variable by its definition - fundamental to PA approach

Second one can’t be a continuation of the first - must start a new duration in VT’, so also must in VT

• In a PA preemption policy must be VT• Because there is no fixed structure - + discards everything of the non-chosen branch • In nets can have more choice about preemption policy

13

Semantics using HL Composable Nets

• Coloured Place has tokens which carry values - C and M have boolean-valued tokens

• Arc from coloured place has (set of) variables - bound to the values of token(s) used in a transition firing

• Transition has guard using the arc variables - fires only for tokens that make guard true

• Arc to coloured place has (multi-set) of expressions - defining value(s) of tokens produced in transition firing

• Interface place, C or M, fuses with matching places in composed nets

• Interface (synchronising) transition, a?, fuses with matching transitions in composed nets

Q

Q1

Q2

1

Q3

C:=⌐C, M:= ⌐M2

Q4

C ⌐ ⌐M ⌐ ⌐ : a?

b!R

R1 C M : 5R26

R4

R3 S

S1

S2

3

S3

C:=⌐C, M:= ⌐M4

S4

C ⌐ ⌐M ⌐ ⌐ : c?

Q1

⌐c⌐m⌐:a?

Q2

t1Q3

C

c ⌐c

m ⌐m

M

Sem(Q)Sem(R)

C

cc

mm

M

t5 c m

R1

v6R4 w R3

R2b!

• A very direct and intuitively appealing semantics-

• one place for every state/variable

• one transition for every transition

• with arcs for-

• its pre-/post-state

• the variables it uses

14

Preemption Policies in (Composable) Nets to Obtain Intuitively Correct Semantics

• Presume the required semantics for R is - b! happens if there is a 5 period during which ( C is true or M is true)

• Can’t have TT - if we had another copy of R, one’s 5 would preempt the other’s. So can’t have VT

• So, policy is TS - an instantaneous switch for Q having resources to S having resources is not seen by R

• Model is:

• “race” with instantaneous state change when winner fires

• vanishing states are unreal

Q

Q1

Q2

1

Q3

C:=⌐C, M:= ⌐M2

Q4

C ⌐ ⌐M ⌐ ⌐ : a?

b!R

R1 C M : 5R26

R4

R3 S

S1

S2

3

S3

C:=⌐C, M:= ⌐M4

S4

C ⌐ ⌐M ⌐ ⌐ : c?

Q1

⌐c⌐m:a?

Q2

t1Q3

C

c ⌐c

m ⌐m

M

Sem(Q)Sem(R)

C

cc

mm

M

t5 c m

R1

v6R4 w R3

R2b!

15

Unfolding the Coloured Net Semantics

• For coloured place, C, get set {Cf, Ct} comprising one plain place for each possible value

• For each transition, t5:(c m), get one for each combination of arc parameter values giving guard true

• with arcs to corresponding places

• N and LL(N) should always give the same behaviour - behaviour of LL(N) can be taken as defining behaviour of N

• In HL net, if: {C=t , M=t} at first and after some time this instantaneously changes to {C=t , M=f}

• t5:(c m) has continuous enabling through this change, so its duration - 5 does not re-start

• (if we don’t have VT preemption policy)

• In LL net, this change disables middle t5, and starts an enabling of bottom t5 - 5 does re-start

• To fix this HL/LL inconsistency require tags, the t - transitions with the same tag are “really” the same transition

• There is a more complex semantics (see paper) which deals with lack of tags and different preemption policy

• But still requires not VT policy

Sem(R)

C

cc

mm

M

t5 c m

R1

v6R4 w R3

R2b!

Cf t5

t5

t5Mf

CtMt

R1

R2

b!

LL(Sem(R))

v6R4 w R3

16

Q

Q1. . .

C ⌐ ⌐M ⌐ ⌐ : a?

Q2

Structured and Un-structured Behaviour Atoms

N{Q2}

a?

Cf

Mf

CtMt

Q1

Q2

{Cf, Mf}/a?,0/{Ct, Mt}

a?

Cf

Mf

CtMt

Q1

Q2

• Basic Problem with using usual PA for semantics

• This transition atomically depends on three independent external conditions

• offering of a! C false M false

• In usual LTS behaviour model the behaviour atom has no structure

• So can only directly express one external dependency

• Behaviour Atom for Composable Nets

• Can define net composition at net level

• define how to make the composed net (fusions)

• give usual global firing rule for behaviour

• Or on behaviour level (as for PAs) - compositional behavioural model

• A (Petri) LTS as behaviour of a component net

• Behaviour inference rules, to obtain behaviour of composed net

• Behaviour atom is, e.g. {Cf, Mf}/a?,0/{Ct, Mt}

I / a, d / O

• I, O - multi-set of interface places - input/output tokens

• a, d - as for usual stochastic PA - action, delay

• Sub-structure gives direct expression of multi-dependency

• makes formulation of semantics easy

a?Q1 Q2

N{Q1}

LL(Sem(Q))= N

17

Towards a Petri PA• The Net Composition Operator

• Composable nets have a single all-swinging all-dancing combinator

• Multiplicative transition fusion for synchronisation

• Potentially four different synchronisations between a? and a!

• for N a!s and M a?s - N*M synchronisations

• one fused transition for each possible synchronisation

• Multiplicative place fusion for shared state

• E is entry place - start with one token on each

• Parallel composition gives multiple entry places - E is a place label

• Choice composition gives one fused E place for each required conflict

• Firing one initial transition in left net must disable all initial transitions of right net

• Disadvantages

• The inference rule for this combinator is quite complex,

• particularly to accommodate non-injective place labelling

• Patterns such as Parallel, Sequence, Choice may be useful in compostional analysis, but these are not directly apparent in the composition structure

• General expression of mutually recursive definitions is hard in Petri nets -

• P = a.1! ; (P[a.na.(n+1)] || P[a.na.(n+1)] )

• finite PA expression for which net is infinite

• if environment offers only a.1? … a.4? - actual behaviour is finite

. . .

E E

a!1

a!2

. . .

. . .

E E

a?y:y=c

a?y

. . .

C

c

C

18

Towards a Petri PA• The Best of Both Worlds

• Use the Petri LTS as compositional behaviour model

• Have combinators as close as possible to usual PA combinators

• Now have two forms of conflict

• named place (C)

• choice (E)

• can have

• PA preemption rule (VT) for choice

• PN (TS) rule for named place

• can have marking-dependent distributions

• can add in enabler arcs, I / a, d / O becomes E / I / a, d / O

{C(c)}/a!/{C(c)}:(c=0) || {C(c)}/a?/{C(c)}:(c=0)

has problem that synchronisation must sum Input and Outputs

becomes {C(c)}/{ }/a!/{ }:(c=0) || {C(c)}{ }/a?/{ }:(c=0)

• can similarly add in inhibitor arcs

• can do the PN way of compact LL representation of a queue or buffer

• a place with on plain token for each queued item

• LL PA representation is infinite

. . .

E E

a!1

a!2

. . .

. . .

E E

a?y:y=c

a?y

. . .

C

c

C

(… || …) + ( … || … ; {C(c)}/a?(y),0/{C(c)}:(y=c) ; … )

19

Q b!R

R1 C M : 5R26

R4

R3 S

Petri PA Semantics of the example

. . . g!

h!

R5

. . .

. . .Sem(Q,R,S) = Sem(Q)|| Sem(R) || Sem(S)

Sem(R) = R1 in {R1=Sem(R1), R5=Sem(R5), …}

Sem(R1) = {C(c),M(m)}/{}/,5/{}:(c m) ; {}/{}/b!,0/{} ; R1

+ {}/{}/,6/{} ; {}/{}/g!,0/{} ; R5

...

Sequence is prefix

Alternatives is choice

Parallel is parallel

Unrestricted flow-graph structure is recursive definitions

20

21