Modeling Software Systems Lecture 2 Book: Chapter 4

Systems of interest Sequential systems. Concurrent systems. 1. Distributive systems. 2. Reactive systems. 3. Embedded systems (software + hardware).

Sequential systems. Perform some computational task. Have some initial condition, e.g.,  0≤i≤n A[i]≥0, A[i] integer. Have some final assertion, e.g.,  0≤i≤n-1 A[i] · A[i+1]. is supposed to terminate.

Concurrent Systems Involve several computation agents. Termination may indicate an abnormal event. May exploit diverse computational power. May involve remote components. May interact with users (Reactive).

Problems in modeling concurrent systems 1. Granularity of transitions (‘atomic transitions’). 2. Representing and specifying concurrency: - Allow one transition at a time. - Allow parallel transitions. - Allow a partial order between events. 3. Assumptions about ‘normal behavior’ of concurrent systems (e.g. ‘fairness’).

1. Granularity & Atomic Transitions Question: Is the statement c:=a+a; equal to c:= 2a; ?

Execute the following when a=0 in two concurrent processes: P1:a=a+1 P2:a=a+1 Result: a=2. Is this always the case? Consider the actual translation: P1:load R1,a inc R1 store R1,a P2:load R2,a inc R2 store R2,a a may be also Granularity & Atomic Transitions

2. Modeling V={v 0,v 1,v 2, …} - a set of variables, over some domain. A state is an assignment of values to the program variables. For example: s= h v 0 =1,v 2 =3,v 3 =7,…,v 18 =2 i The state space of a program is the set of all possible states for it.

2. Modeling p(v 0, v 1, …, v n ) - a parametrized predicate, e.g., (v 0 =v 1 +v 2 ) Æ (v 3 >v 4 ). p(s) is p under the assignment s. Example: modeling the initial condition: A parametrized predicate I. The program can start from states s such that I(s) holds. For example: I(s)=a>b Æ b>c.

Representing transitions Each transition has two parts: The enabling condition: a predicate. The transformation: a multiple assignment. For example: a>b  (c,d):=(d,c) This transition can be executed in states where a>b. The result of executing it is switching the value of c with d.

A transition system A (finite) set of variables V over some given domain. An initial condition I. A (finite) set of transitions T, each transition e  t has an enabling condition e, and a transformation t.

Example V = {a, b, c, d, e}. I = c=a Æ d=b Æ e=0 T = {c>0  (c,e):=(c-1,e+1), d>0  (d,e):=(d-1,e+1)} What does this transition relation do?

The interleaving model An execution is a finite or infinite sequence of states s 0, s 1, s 2, … The initial state satisfies the initial condition, i.e.., I(s 0 ). Moving from one state s i to s i+1 is by executing one transition e  t: e(s i ), i.e.., s i satisfies e. s i+1 is obtained by applying t to s i.

Example S 0 = h a=2, b=1, c=2, d=1, e=0 i (satisfies the initial condition) S 1 = h a=2, b=1, c=1, d=1, e=1 i (first transition executed) S 2 = h a=2, b=1, c=1, d=0, e=2 i (second transition executed) S 3 = h a=2, b=1,c=0, d=0, e=3 i (first transition executed again)

L 0 :While True do NC 0 :wait (Turn=0); CR 0 :Turn=1; endwhile Initially: PC 0 =L 0 Æ PC 1 =L 1 A long example … (Mutual Exclusion) L 1 :While True do NC 1 :wait (Turn=1); CR 1 :Turn=0; endwhile ||

L 0 :While True do NC 0 :wait (Turn=0); CR 0 :Turn=1 endwhile || L 1 :While True do NC 1 :wait (Turn=1); CR 1 :Turn=0 endwhile T 0 : PC 0 =L 0  PC 0 :=NC 0 T 1 : PC 0 =NC 0 Æ Turn=0  PC 0 :=CR 0 T 2 : PC 0 =CR 0  (PC 0,Turn) :=(L 0,1) T 3 : PC 1 =L 1  PC 1 =NC 1 T 4 : PC 1 =NC 1 Æ Turn=1  PC 1 :=CR 1 T 5 : PC 1 =CR 1  (PC 1,Turn) :=(L 1,0) I: PC 0 =L 0 Æ PC 1 =L 1 And here is the transition system… V={PC 0,PC 1,Turn…}

The state space Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=1 L 0,CR 1 Turn=1 NC 0,CR 1 Turn=1 NC 0,NC 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 NC 0,L 1 Turn=1 L 0,NC 1 Turn=1 NC 0,L 1 Turn=1 L 0,L 1

Specification with Temporal Logic (informal) First order logic or propositional assertions describe a state. Some temporal operators: } p means p will happen eventually. ð p means p will happen always. p ppppppp

More temporal logic We can construct more complicated formulas: ð} p -- It is always the case that p will happen again in the future. } p Æ } q -- Both p and q will happen in the future, the order between them not determined. The property must hold for all the executions of the program.

Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=1 L 0,CR 1 Turn=1 NC 0,CR 1 Turn=1 NC 0,NC 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 NC 0,L 1 Turn=1 L 0,NC 1 Turn=1 NC 0,L 1 Turn=1 L 0,L 1 “Mutual exclusion is preserved” (Safety) ð ¬(PC 0 =CR 0 Æ PC 1 =CR 1 )

Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=1 L 0,CR 1 Turn=1 NC 0,CR 1 Turn=1 NC 0,NC 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 NC 0,L 1 Turn=1 L 0,NC 1 Turn=1 NC 0,L 1 Turn=1 L 0,L 1 “The processes switch turns” (Liveness) ð ((Turn=0 ) } Turn=1) Æ (Turn=1 ) } Turn = 0))

Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=1 L 0,CR 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=1 L 0,NC 1 In the interleaving semantics we consider all possible traces…

Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=1 L 0,CR 1 Turn=1 L 0,NC 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 … In this case this the computation is:

An infinite unfolding of the automaton represents all interleavings Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 NC 0,L 1 Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=1 L 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,NC 1 Turn=0 CR 0,NC 1

Alternative: Partial Order Semantics Sometimes called “real concurrency”. There is no total order between events. More intuitive. Closer to the actual behavior of the system. May make verification easier Partial order: (S, <), where < is Transitive: x<y Æ y<z  x<z. Antisymmetric: for no x, y, x x. Antireflexive: for no x, x<x.

Bank Example Two branches, initially $1M each. In one branch: deposit, $2M. In another branch: robbery. How to model the system?

Global state space $1M, $1M $3M, $0M $1M, $0M$3M, $1M deposit robbery

Should we invest in this bank? $1M, $1M $3M, $0M $1M, $0M$3M, $1M deposit robbery Invest! Do not Invest! Invest!

Partial Order Description $1M $3M$0M $1M depositrobbery

Constructing global states $1M $3M$0M $1M depositrobbery

Modeling with partial orders m0:x:=x+1 m1:ch!xn1:y:=y+z n0:ch?z P1P2 n0 m1 PC 1 =m0,x=0 PC 1 =m0,x=2 PC 1 =m0,x=1 PC 1 =m1,x=1 PC 1 =m1,x=2 PC 2 =n0,y=0,z=0 PC 2 =n0,y=1,z=1 PC 2 =n1,y=0,z=1 PC 2 =n1,y=1,z=2 Initially: x=0 Local variables frequently do not affect properties- disregard their order !

Linearizations n0 m1 PC 1 =m0,x=0 PC 1 =m0,x=2 PC 1 =m0,x=1 PC 1 =m1,x=1 PC 1 =m1,x=2 PC 2 =n0,y=0,z=0 PC 2 =n0,y=1,z=1 PC 2 =n1,y=0,z=1 PC 2 =n1,y=1,z=2 pc 1 xpc 2 yz s0s0 m0m0 0n0n0 00 s1s1 m1m1 1n0n0 00 s2s2 m0m0 1n1n1 01 s3s3 m1m1 2n1n1 01 s4s4 m1m1 2n0n0 11 s5s5 m0m0 2n1n1 12 …

Linearizations pc 1 xpc 2 yz s0s0 m0m0 0n0n0 00 s1s1 m1m1 1n0n0 00 s2s2 m0m0 1n1n1 01 s3s3 m0m0 1n0n0 11 s4s4 m1m1 2n0n0 11 s5s5 m0m0 2n1n1 12 … n0 m1 PC 1 =m0,x=0 PC 1 =m0,x=2 PC 1 =m0,x=1 PC 1 =m1,x=1 PC 1 =m1,x=2 PC 2 =n0,y=0,z=0 PC 2 =n0,y=1,z=1 PC 2 =n1,y=0,z=1 PC 2 =n1,y=1,z=2

Bank with one teller $1M $3M $0M $1M deposit robbery deposit $1.1M $3.1M deposit

Partial order execution 1 $1M $3M $0M $1M deposit robbery $3.1M deposit

Partial order execution 2 $1M $0M $1M robbery deposit $1.1M $3.1M deposit

3. Modeling assumptions on concurrency Restriction on the set of ‘legal’ sequences. if some transition is enabled infinitely often, then it will be executed (in other words, the program is ‘fair’).

P1 L 0 :x:=1 P2 R 0 :while y=0 do [:: z:=z+1 :: if x=1 then y:=1] end while I: x=0 Æ y=0 Æ z=0 Æ PC 1 =L 0 Æ PC 2 =R 0 Termination? Termination of P1? Both of these are enabled No fairness? Nothing guaranteed With fairness? P1 and P2 terminate.

L 0 :While True do NC 0 :wait (Turn=0); CR 0 :Turn=1 endwhile || L 1 :While True do NC 1 :wait (Turn=1); CR 1 :Turn=0 endwhile T 0 : PC 0 =L 0  PC 0 :=NC 0 T 1 : PC 0 =NC 0 Æ Turn=0  PC 0 :=CR 0 T1’:PC 0 =NC 0 Æ Turn=1  PC 0 :=NC 0 T 2 : PC 0 =CR 0  (PC 0,Turn) :=(L 0,1) T 3 : PC 1 =L 1  PC 1 =NC 1 T 4 : PC 1 =NC 1 Æ Turn=1  PC 1 :=CR 1 T4’:PC 1 =NC 1 Æ Turn=0  PC 1 :=N1 T 5 : PC 1 =CR 1  (PC 1,Turn) :=(L 1,0) I: PC 0 =L 0 Æ PC 1 =L 1 V={PC 0,PC 1,Turn…} 3. Assumptions (fairness)

L 0 :While True do NC 0 :wait(Turn=0); CR 0 :Turn=1 endwhile || L 1 :While True do NC 1 :wait(Turn=1); CR 1 :Turn=0 endwhile T0:PC 0 =L 0  PC 0 :=NC 0 T1:PC 0 =NC 0 Æ Turn=0  PC 0 :=CR 0 T1’:PC 0 =NC 0 Æ Turn=1  PC 0 :=NC 0 T2:PC 0 =CR 0  (PC 0,Turn) :=(L 0,1) T3:PC 1 ==L 1  PC 1 =NC 1 T4:PC 1 =NC 1 Æ Turn=1  PC 1 :=CR 1 T4’:PC 1 =NC 1 Æ Turn=0  PC 1 :=N1 T5:PC 1 =CR 1  (PC 1,Turn) :=(L 1,0) Initially: PC 0 =L 0 Æ PC 1 =L 1 3. Assumptions (fairness)

ð (Turn=0 )} Turn=1) Turn=0 CR 0,NC 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=1 L 0,CR 1 Turn=1 NC 0,CR 1 Turn=1 NC 0,NC 1 Turn=0 L 0,L 1 Turn=0 L 0,NC 1 Turn=0 NC 0,L 1 Turn=1 L 0,NC 1 Turn=1 NC 0,L 1 Turn=1 L 0,L 1

Hierarchy of fairness assumptions Strong transition weak process weak transition Strong process φψ If φ holds then also ψ. If a sequence is fair w.r.t. φ it is also fair w.r.t. Ψ. A system which assumes φ has no more executions than one assuming Ψ