1 / 55

Progress Properties in Asynchronous Systems

This chapter explores progress properties in asynchronous systems, including examples such as starvation freedom, termination, and guaranteed service. It also discusses fairness conditions and the concept of transient predicates.

waltersutton
Télécharger la présentation

Progress Properties in Asynchronous Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 6 • Progress Properties – “A Discipline of Multiprogramming” by Jayadev Misra • Refining Liveness – TR 85-650 by Bowen Alpern and Fred B. Schnider, Cornell University Department of Computer Science, February 1985 • Presented by Mark Miyashita • 07-18-2002

  2. Introduction • According to Lamport, progress or liveness property stipulates that “A liveness property is one in which something – good thing - must happen during execution” • Furthermore, a progress or liveness property cannot stipulate that some “good thing” always happens, only that it eventually happens • For instance, “I press the switch and then the light is on” is a progress property – a safety property for this may be expressed as “the light never comes on unless the switch is pressed”

  3. Introduction • Example of progress/liveness properties include starvation freedom, termination, and guaranteed service • Starvation freedom states that a process makes progress infinitely often, the “good thing” is making progress • Termination asserts that a program does not run forever, the “good thing” is completion of the final instruction • Guaranteed service (responsiveness) states that every request for service is satisfied eventually, the “good thing” is receiving service

  4. Introduction • In this chapter, we study progress properties in asynchronous system in the form: once p holds, eventually q will hold in the system – the time duration between the occurrence of p and q is left unspecified • Logical operator transient, ensure (abbreviated to en), and  (lead-to) introduced in this chapter has lower binding power than all arithmetic and predicate calculus operations • p  q en r  s is to be interpreted as • (p  q) en (r  s)

  5. Fairness • Three types of fairness conditions are explained through below program text – minimal progress, weak fairness, and strong fairness • Box Fairness •  :: x:= x + 1 • ||  :: y:= y + 1 • || :: x  y  z := z + 1 • end {Fairness} • A fairness condition constraints the order in which the action , , and  are executed

  6. Minimal progress • An arbitrary non-skip action whose guard is true in the current state is executed repeatedly until all guards are false • From the box Fairness, x+y+z will increase (without bound) eventually under minimal progress because all guards are never false -  and  - and any execution of any action will increase x+y+z • However, neither x, y, nor z is guaranteed to increase -  might be executed indefinitely and preserving the values of x and z • Similarly, no eventual guarantee can be made about x+y ( might execute forever once xy), x+z, or y+z

  7. Minimal progress • Minimal progress is useful in concurrent programs for proving “absence of deadlock” – if there is a hungry philosopher, some philosopher will eat • Minimal progress is not sufficient to guarantee “absence of individual starvation” – even though some philosopher will eat (eating is performed infinitely often), a particular philosopher may stay hungry forever • In program Fairness, the system as a whole makes progress by increasing x+y+z, but no guarantee can be made about the individual variables

  8. Weak Fairness • Each action is executed infinitely often in any execution (no state changes by executing action where its guard is false) • If the guard of an action remains continuously true, then the action is eventually executed effectively • It guarantees that different processes in multiprocess program will be individually allowed to proceed • The actions representing the various processes constitute the program under consideration ( belong to one process,  and  to another

  9. Weak Fairness • In program Fairness, both x and y will increase without bound because each execution of  or  will cause x or y to increase • On the other hand, z can not be asserted that will increase – starting in state x,y=0,0 : execute , , and  in order and repeat forever – whenever  is executed (x=y) and z will never increase • The weak fairness can be used to design starvation-free solution

  10. Strong Fairness • The execution of an action is strongly fair if the guard of the action is true infinitely often, then the action is executed infinitely often • In fairness program, x, y, and z will increase indefinitely because xy is true infinitely often since x and y is incremented asynchronously • A typical example of the application of strong fairness is in implementing a strong semaphore • In this text, strong fairness is not considered in any details

  11. Transient Predicate • A predicate is transient if it is guaranteed to be falsified by execution of single atomic action • The formal definition of transient predicate depends on the form of fairness assumed for program execution • However, other progress operators are defined using transient predicate (their definitions and derived rules) are independent of the underlying fairness • Law of the excluded miracle – the post-condition of an action is false only if the pre-condition is false; in other words, the resulting state of an action is unreachable only if the action is started in an unreachable state • {p} s {false} • ¬p

  12. Transient Predicate • Minimal progress – definition • Consider a program in which action і is of the form gіsі. Predicate p is transient if both of the following conditions holds: • Whenever p holds, some action has a true guard: • p  { і :: gі} • Executing any non-skip action that has a true guard in a state p holds falsifies p: • { і :: {p  gі} sі {¬p}} • Note that without the requirement of every non-skip action with true guard falsify p, execution may consist of actions that never falsify p

  13. Transient Predicate Minimal progress – definition Use example of Fairness program, we can show that for every integer k, transient x+y+z=k by showing two conditions from the definition of transient under minimal progress 1 x+y+z=k  true 2 {x+y+z=k} x:=x+1 {x+y+zk} {x+y+z=k} y:=y+1 {x+y+zk} {x+y+z=k  xy} z:=z+1 {x+y+zk}

  14. Transient Predicate Minimal progress Similarly, x=y is transient 1 x=y  true 2 {x=y} x:=x+1 {xy} {x=y} y:=y+1 {xy} {x=y  xy} z:=z+1 {xy} However, for any integer k, transient x=k does not hold 1 x=k  true 2 {x=k} x:=x+1 {xk} {x=k} y:=y+1 {xk} - does not hold {x=k  xy} z:=z+1 {xk} – does not hold

  15. Transient Predicate Weak fairness – definition It is sufficient to show a single action falsify the predicate as oppose to minimal progress where a transient predicate is falsified by every enabled action must be shown transient p  { t :: {p} t {¬p}} where t is over all actions in the system If t is of the form g  s, then {p} t {¬p} is shown by p  q and {p} t {¬p}

  16. Transient Predicate Weak fairness For any integer k, x=k, y=k, x+y=k, y+z=k, x+z=k, x+y+z=k can be shown as transient For instance, {x=k} t {xk} holds for action t (or ) of x:=x+1 However, as stated earlier, predicate z=k can not be shown transient because only action that modifies z is  :: x  y  z := z + 1 and this action does not satisfy {z=k}  {zk}

  17. Minimal Progress vs. Weak Fairness • Any predicate that is transient under weak fairness is transient under strong fairness • A same result does not hold for minimal progress and weak fairness •  :: b  t:= false • ||  :: ¬b  t:= false • Under minimal progress t is transient • It can not be shown that t is transient under weak fairness because there is no action  such that {t}{¬t} holds

  18. Derived rules • Two derived rules about transient predicate that hold under either minimal progress or weak fairness • These rules are used in proving derived rules for leads-to and not for establishing properties of program • The only predicate that is both stable and transient is false (stable p  transient q)  q • (strengthening) transient p transient (p  q)

  19. Derived rules Proof of (stable p  transient q)  q (minimal progress) For any action gіsі: {p  gі} sі {p} ,stable p {p  gі} sі {p} ,transient p {p  gі} sі {false} ,conjunction of the above two {p  gі} ,law of the excluded miracle p  gі ,simplify p  { і :: gі} ,conjoin over all і p  { і :: gі} ,definition of transient p p ,conjoin the above two

  20. Derived rules Proof of (stable p  transient q)  q (weak fairness) From the definition of transient p, there is an action t such that {p} t{p} ,transient p {p} t{p} ,stable p {p} t{false} ,conjunction of the above two p ,law of the excluded miracle

  21. Derived rules Proof of strengthening rule (minimal progress) p  { і :: gі} ,transient p p  q  { і :: gі} ,predicate calculus For an action with guard gі and body sі {p  gі} sі {p} ,transient p {p  q  gі } sі {p  q} ,strengthen lhs, weaken rhs transient {p  q}

  22. Derived rules Proof of strengthening rule (weak fairness) There is an action t such that {p} t {p} ,transient p {p  q} t{p  q} ,strengthen lhs, weaken rhs transient {p  q}

  23. ensures • “ensures” which is abbreviated en is used to define primary operator leads-to • The definition of p en q is • p en q  (p q co p  q)  transient (p  q) • From the co-property in the above definition, once p holds, then it will continue to hold as long as q does not • However, note that once p holds, q holds eventually • Start with state where p holds and q does not • Because p  q is transient, it is eventually falsified • From the co-property, whenever p  q is falsified, p  q holds • Thus, whenever p  q is falsified, (p q) (p  q), q holds

  24. Leads-to • The informal meaning of p  q (p leads-to q) is “if p holds at any point in the computation, q will hold eventually” • Unlike for en, there is no guarantee that p remains true until q holds • The definition of p  q is given by a set of inference rules • (basis) p en q • p  q • (transitivity) p  q, q  r • p  r • (disjunction) {p : pS: p  q} for any set of predicates S • {p : pS: p}  q

  25. Example of specification with Leads-to • Note that the substitution axiom can be applied to the progress properties as well (invariant can be replaced by true and vice versa) • In following examples, variables x and y are integer and S and T are finite sets of integers • A hungry philosopher eats. Let h and e denote particular philosopher is hungry or eating • h  e • Variable x changes eventually. For every integer m, • x = m  x  m equivalently true  x  m

  26. Example of specification with Leads-to 3. Variable x grows without bound. For every integer m, true  x > m abbreviation for {m:: true  x > m} 4. Every integer is eventually added to S. For every integer m, true  m  S 5. If values of x and y are different in any state, at least one of these variables will change eventually x,y=m,n  m  n  (x,y=m,n), for all m and n, or {m,n : m  n : x,y=m,n  (x,y=m,n)}

  27. Example of specification with Leads-to 6. Every element common to S and T is eventually removed from both sets m  (S  T)  m  (S  T) 7. Predicate p holds infinitely often true  p or p  p 8. If from one point in the execution p remains true forever, q holds eventually (eventually either p is false or q is true) true  p  q 9. A given program terminates initial conditions  FP

  28. Lightweight rules (implication) p  q p  q Deduce from implication, for any predicate p, p  p and false  q (lhs strengthening, rhs weakening) p  q p’  p  q p  q  q’ (disjunction) { і :: pi qi} { і :: pi}  { і :: qi} {cancellation) p  q  r, r  s p  q  s

  29. Proofs of the Lightweight rules (implication) p  q p  q Proof: p  ¬q  false ,from the premise p  q p ¬q co p  q ,false co r for any r transient p ¬q ,false is transient p en q ,definition of en from above two p  q ,from basis inference rule for 

  30. Proofs of the Lightweight rules (lhs strengthening, rhs weakening) p  q p’  p  q p  q  q’ Proof: p’  p  p ,implication rule p  q ,premise p’  p  q ,transitivity on above two Similarly, p  q  q’ from p  q and q  q  q’

  31. Proofs of the Lightweight rules (disjunction) { і :: pi qi} { і :: pi}  { і :: qi} If the range of qualification for і is empty, false  false follows from the implication rule. If the range of і is nonempty, { і :: pi qi} ,premise { і :: pi { і :: qi} ,weaken rhs the result follows by applying disjunction inference rule

  32. Proofs of the Lightweight rules {cancellation) p  q  r, r  s p  q  s Proof: r  s ,premise q  q ,implication q  r  q  s ,disjunction p  q  r ,premise p  q  s ,transitivity on above two

  33. Heavyweight rules {Impossibility} p  false ¬p A state in which false holds is reachable only from an unreachable state {Progress-Safety-Progress} p  q, r co s p s  (q  r)  (¬r  s) Structure a progress proof as a safety proof – establishing r co s – and progress proof – establishing p  q – which are then combined p s  (q  r)(¬r  s)

  34. Heavyweight rules • {Induction} Let M be a total function from program states to set W. Also, let (W, <) be well-founded set. Variable m in the premise ranges over W. Predicates p and q does not contain free occurrences of variable m. • {m::p M = m  (p  M < m)  q} • p  q • Function M is called variant function or metric • The premise says that any state in which p holds, eventually a state is reached where p still holds and the metric has a lower value, or q is established

  35. Heavyweight rules • {Completion} Let pі and qі be predicates where і ranges over a finite set. • { і :: • pі  qі b • qі co qі  b } • { і ::pі}  { і :: qі}  b • This rule is to take conjunction of progress properties: there is no conjunction rule for  analogous to the rule for co-properties

  36. Proof of the Heavyweight rules {Impossibility} p  false ¬p Basis: p en q ,premise stable p  transient q ,definition of p en false ¬p ,derived rule Transitivity: there is a predicate r such that pr and rfalse ¬r ,induction hypothesis on rfalse p  false ,from pr and ¬r ¬p ,induction hypothesis

  37. Proof of the Heavyweight rules {Impossibility} Disjunction: there is a set of predicate S such that rfalse for every r  S and p { r :: r  S: r}. For every r in S, r  false ,premise ¬r ,induction hypothesis ¬p ,from p { r :: r  S: false}

  38. Proof of the Heavyweight rules {PSP} p  q, r co s p s  (q  r)  (¬r  s) Basis: p en q ,premises p ¬q co p  q ,definition of en r co s ,premises p¬qr co (ps)(qs) ,conjunction of above two p¬qr co (ps)(q(r(¬rs))) ,weaken rhs p¬qr co (ps)(qr)(¬rs) ,weaken rhs transient p ¬q ,premises p en q transient p¬qr ,strengthen above ps en (qr)(¬rs) ,definition of en (rs) ps  (qr)(¬rs) ,basis rule for 

  39. Proof of the Heavyweight rules transitivity: There is a predicate b such that p  b and b  q b s  (q  r)  (¬r  s) ,induction on b  q and r co s b r  (q  r)  (¬r  s) ,strengthen lhs using r  s p s  (b  r)  (¬r  s) ,induction on p  b and r co s p s  (q  r)  (¬r  s) ,cancellation on above two

  40. Proof of the Heavyweight rules disjunction: There is a set S of predicates such that b  q for every b in S and p  { b : b S : b}. For b in S, b  q ,premise r co s ,premise b s  (q  r)  (¬r  s) ,induction hypothesis { b : b S : b s}  (q  r)  (¬r  s) ,disjunction { b : b S : b} s  (q  r)  (¬r  s) ,predicate calculus p s  (q  r)  (¬r  s) ,p  { b : b S : b}

  41. Algorithm to compute Max of numbers • As described in section 5.5.1, consider the algorithm for computing the maximum of a nonempty set S of numbers • Recall that v is the variable in which the maximum is computed and m is any integer • initially v = - (ND1) • v = m co v = m  (v  S  v > m) (ND2) • We discussed safety property • invariant v  M (ND3) • where M is the maximum in S i.e., M = (max x : x  S : x) • In this chapter, we will consider progress properties, for all m, • m  S  v  m (ND4) • which states that eventually v is at least m for any m in S and establish that v will eventually equal M

  42. Algorithm to compute Max of numbers Proof of true  v = m m  S  v  m ,(ND4) M  S  v  M ,instantiating m by M true  v  M ,substitution axiom on lhs M  S  true true  v = M ,conjoin invariant (ND3) with rhs

  43. Token Ring • From 5.5.3, deduced mutual exclusion (safety property) from below • initiallyei p = I (TR0) • eicoei ti (TR1) • ti co ti  hi(TR2) • hicohi ei (TR3) • hi p  ico hi(TR4) • p = i co p = i   ei (TR5) • In this chapter, it establish the absence of starvation

  44. Token Ring • First requirement is that a hungry token holder transit to eating • hi  p = і  ei (TR6) • Second requirement is that the token to move from current token holder to its right neighbor (doe not require to go directory from і to і’) • p = і  p = і’ (TR7) • The ultimate goal is to establish absence of starvation for process j, 0  j  N, written as • hi  ei (TR8) • To prove (TR8), take an arbitrary j, 0  j  N and show that j eventually holds token true  p = j (TR9)

  45. Token Ring • The proof of (TR9) is by induction over (TR7) and define notation total order  over the processes • Let j be the highest process in the ordering and the processes and the processes become successively smaller clockwise along the ring from j • .. і’  і …  j’  j • Formally і’  і for all process indices і where і’  j

  46. Proof of starvation freedom Proof of (TR9 – eventually j holds token) true  p = j p = і  p  і, for all і where і’  j ,from (TR7) p = і  p = j, for all і where і’ = j ,from (TR7) { і :: p = і  p  і  p = j} ,from above two true  p = j ,induction ( total order on processes)

  47. Proof of starvation freedom Proof of (TR8 – absence of starvation) hi  ei hi co hi  ei ,from (TR3) using j for і true  p = j ,from (TR9) hi  (hi  p = j)  ei ,PSP using (¬hi ei)  ei hi  p = j  ei ,from (TR6) using j for і hi  ei ,cancellation on above two

  48. Strong Fairness • Let x and y be the number of times that the two processes successfully complete P-operations •  grants the semaphore to the x-process,  to y-process, and  implements V-operations •  :: s  s, x:= false, x + 1 • ||  ::s  s, y:= false, y + 1 • || :: s := true • Under weak fairness, x+y increases without bound but can not claim the same for either x or y

  49. Strong Fairness • Impose strong fairness for action  - if guard of  is infinitely often true, then  is effectively executed infinitely often • Assume weak fairness for remaining actions • Goal is to show that x increases without bound under strong fairness • For any integer k, the strong fairness conditions below can be added as a property of program • (true  s )  (x = k  x = x + 1) • Regard the system consisting of the program with weak fairness and property above

  50. Strong Fairness We can show that for any integer m, true  x > m Proof : true en s ,from the program text true  s ,basis rule of  x = k  x = k + 1,using strong fairness condition true  x > m ,induction on integer However, this result is incomplete ! Consider next example

More Related