Rules for arrows
• do not cross a time-boundary backwards• Local arrows are drawn horizontal• They must not cross space boundaries• Non-local arrows are not horizontal• They must not close a cycle.
The State of Memory
• is a map from the identifier of each linewhich crosses a given temporal boundaryto the value which labels the crossing arrow.
Concurrent object behaviour.
• A trace of behaviour of an object is an event chart, containing all the events in which it has engaged, connected by dependency arrows.
• A class is the set of all possible traces of objects of the class (and related objects.
A local object
the red arrows connect actions in the same thread protected from interference by other threads
A shared object
blue arrows connect actionswhich may occur in a different threads(or they may occur in the same thread).
An exclusion semaphore
is released by the same thread that most recently acquired it. A released semaphoremay be acquired by any thread.
with labels
The boxes are labelled to indicate the nature of the actions: enter or exit
exit exitenter enter
with labels
ad
to indicate that the value communicated is the same at both ends of the channel
dispose
disp
alloc
alloc
!3 !7
?3 ?7
=7=3
with a single buffer
ad
which is passed back to outputter for refilling
disp
disp
alloc
alloc
!3 !7
?3 ?7
=7=3
a synchronous channel
ad
no buffering at all. input and output are simultaneous
disp
disp
alloc
alloc
!3 !7
?3 ?7
=7=3
Diagrams in Debugging
• display a trace of concurrent execution• with slices for selected objects• keyed to the text of the program• with dependencies to show sources of error• and consequences of its correction.
PROGRAMS
A program (or an object class) denotes the set of all possible diagrams of execution, on any computer system running in any environment.
Rules for arrows
• do not cross a time-boundary backwards• Local arrows are drawn horizontal• They must not cross space boundaries• Non-local arrows are not horizontal• They must not close a cycle.
Operators
• p;q splits the trace across time, into parts that can be executed at different instants.
• p q splits it across space, into parts that can ∥be executed in different places.
• I describes doing nothing
Sequential Composition
• p;q = p+q if q x p contained in neg(dep*)
• p||q = p+q if p x q contained in neg(red u conv(red))n neg(dep* n conv(dep*)) }
= T otherwise• I = { }
Exchange Axiom
(p q) ; (p’ q’) (p;p’) (q;q’)∥ ∥ ≼ ∥
p’
q’
p
q; ≼
p’
q’
p
q ;
;
note the self-duality of the law
• p q means that p and q perform all the ≼same actions, but p performs more pairs of them sequentially, and q performs more pairs concurrently.
As a result,…• p is more determinate, q is more abstract
Interleaving
• (p q) ; (p’ q’)∥ ∥ ≼ (p;p’) (q;q’)∥
• LHS is an interleaving implementation of the more general concurrency of RHS
• It is the special case when the two RHS ‘;’s happen to be simultaneous
Frame Laws
• (p q) ; (p’ q’)∥ ∥ ≼ (p;p’) (q;q’)∥
• Theorems (frame): 1. (p q) ; q’ p (q;q’)∥ ≼ ∥2. p;(p’ q’) (p;p’) q’∥ ≼ ∥3. p;q’ p q’≼ ∥ and q;p’ p’ q≼ ∥
Proof: substitute for variables of the axiom that are omitted in the theorem
Example
abcd xyzw∥(a;bcd) (xy;zw)∥(a xy) ; (∥ bcd zw)∥
(a x;y) ; (∥ b;cd zw)∥(a x);y ; (∥ b zw) ; ∥ cd
xayzbwcd
A Program
• is the set of all traces that it can evokewhen executed on any computer systemand in any interacting environment.
P;Q = {p;q | p e P & q e Q }P||Q = {p||q | p e P & q e Q }P < Q = all p e P . exists q e Q . p < q
All our laws for ; and || are preserved for sets
The Hoare triple
• Definition: {p} q {r} = p;q r≼– If p describes what has happened so far,– and q is then executed to completion,– the trace of overall execution will be r.
The Milner transition
• Definition: r >- q -> p = q;p r≼– i.e., the dual of {p} q {r}– r may be executed by first executing q , with p as continuation for later execution.– (maybe there are other ways of executing r)
• Tautology: (q ; p) >- q -> p– (CCS prefix rule)Proof: from reflexivity: q;p q;p ≼
Modularity rules
• {p} q {r} {p’} q’ {r’} Logic {p p’} q q’∥ ∥ {r r’}∥
• r >–q-> p r >-q’-> p’ CCS(r r’) >-(q q’)-> (p p’)∥ ∥ ∥
• In CCS, the rule is restricted – by requiring synchronisation of p and p’ , – e.g. input and output on the same channel.
O’Hearn Frame Rule
{p} q {r}{p f} q {r f}∥ ∥
– adapts a triple to a concurrent environment f– much better than the Hoare rule of adaptation:
{p} q {r} with side-condition
{p&f} q {r&f} – that no variable of f is assigned by q
Milner Frame Rule
r >–q-> p(r f) >–q-> (p f)∥ ∥
– a step q that is possible for a single thread r is still possible when r is executed concurrently with f , which does not change when q happens
Sequential composition
r >–q’-> s s >–q-> p r >–(q’;q)-> pis equivalent to
(q’;q);p q’;(q;p),≼
which is dual to p;(q;q’) (p;q);q’ ≼
Unifying Theories
• The Algebraic Laws of Programmingare strong enough to derive
– A verification logic for program correctness– An operational semantics for programming
language implementation.
• Many laws can be derived from the other two forms of semantics
labelled with values
ack= 3
:= 3 := 7
=: 3
=: 3
=: 3
:=k assigns a constant k=:k fetches a value k=k points to a value kack sync signal
and by reference to object
ack= 3
[37] := 3 [37]:= 7
[37]=:3
[37]=:3
[37]=:3
[v]:=k assigns to location v =k communication of k[v]=:k fetches value from v ack prevents further reads of previous assignment
or to a variable named x
ack=3
x:= 3 x:= 7
x=:3
x=:3
x=:3
:=k assigns a constant k=:k fetches a value k=k communicates kack sync signal
Concurrent object behaviour
• is modelled by an acyclic directed graph• with boxes representing event occurrences• and arrows recording dependency• and labels on both boxes and arrows.
Examples
• Objects: allocation, ownership, disposal.• Semaphores: exclusion, signalling.• Channels: buffering, synchrony, overtaking.• Variables: locality, sharing.
Weakly consistent memory
as implemented in multi-core architecture,is more complicated to define… and even more complicated to use!
Weak memory (no ack)
:=:= 3
=:3
=:3
=: 3=: 7
a fence needs ack signals from earlier assignments
:= 7fence
Weak memory (with fence)
:=:= 3
=:3
=:3
=: 3 =: 7
so the 3 and the 7 must be fetched in the right order
:= 7fence
Events and atomic actions
• Each occurrence of an event in the trace of program execution belongs to the trace of exactly one resource (thread, variable, channel,…)
• Atomic actions are groups of synchronised events, including exactly one from the thread which invoked the action, and one (or more) from every resource used by it.
Summary
• occurrence nets are adequate to describe the dynamic behaviour
of many kinds of concurrent object
Fundamental Theorem
• Boxed Petri nets are a model of Concurrent Kleene Algebra
Tony Hoare, Bernhard Moeller, Georg Struth, Ian Wehrman, Concurrent Kleene Algebra and its Foundations, J. Log. Algebr. Program. 80(6): 266-296(2011).
Hoare Logic
• Let P{Q}R = (P;Q) => R
• Theorem: The structural rules of separation logic are valid in the net model– Ian Wehrman, C.A.R.Hoare, Peter O’Hearn:
Graphical Models of Separation Logic. Inf Process. Lett. (IPL) 109(17):1001-1004 (2009)
• Proof: by a short algebraic calculation
Process Algebra
• Let P –Q-> R = R => Q;P= P{Q}R !
• Theorem: The transition rules of operational semantics are valid in the net model.– C.A.R.Hoare, A.Hussain, B.Moeller, P.W. O’Hearn,
R.L. Petersen, G. Struth. On Locality and the Exchange Law for Concurrent Processes. CONCUR 2011:250-264.
• Proof: by a short algebraic calculation.