Chapter 8 Asynchronous System Model by Mikhail Nesterenko “Distributed Algorithms” by Nancy A. Lynch

Outline I/O automaton definition examples of I/O automata execution operations on I/O automata –composition –hiding fairness properties and proof methods –invariants –trace properties –compositional reasoning –hierarchical proofs complexity randomization

I/O Automaton Signature Iinput/Output automaton A is a state machine that models a component of a distributed system –the transitions associated with named actions acts(A) main part of I/O automaton is its signature: sig(A) - a description of actions, actions can be input - in(sig(A)) or just in(A) output - out(A) internal actions int(A) sets of actions are disjoint input and output actions are external actions, external signature (external interface) extsig(A) contains external actions only

I/O Automaton Parts signature sig(A) (possibly) infinite set of states states(A) non-empty subset of initial states start(A) a state transition relation trans(A)  states(A)  acts(A)  states(A) –there must be a transition for every state and every input actions (the automata are input-enabled) –a member of trans(A) is transition, an action is enabled at a state if a the corresponding transition is in trans(A) –state is quiescent if only input actions are enabled task partition tasks(A) - a separation of internal and output actions into subset to model different objectives of A

Channel I/O Automaton

Process I/O Automaton

Execution finite (or infinite) sequence s 0,  1  s 1  2  …  r,s r is execution fragment if each (  k  s k  k+1 ) is a transition of A execution is an execution fragment that starts in an initial state a state is reachable if it is a final state of a finite execution of A example: channel automata executions (assuming messages are {1,2} a trace of an execution  of A (denoted trace (  ) or trace(A)) is a projection of the execution on external actions traces(A) - a set of traces of A

Compatible Components allows constructing of complex system out of individual components informally - components are joined, individual component’s actions are executed, when action  is executed by one component, each component with  (the same action) executes it a collection of components is compatible if their signatures are as follows –internal actions of one component are not observable by any other (i.e. the internal actions are disjoint) –only one component controls output (output sets of any two components are disjoint) –each action is contained in finitely many components

Composition A  B is a composition of components A and B given a collection of compatible signatures {S i } i  I the composition S=   I  S i of signatures is defined as follows a composition A=   I  A i of automata is

Exposed outputs Observe that even though some of the inputs (the ones that have corresponding output) of the components are removed from the composition, all outputs of components are outputs of composition this is done to allow convenient composition example component A has output action  while B and C have  as input action –that is  is “broadcast” to both B and C if  is not exposed then ( A  B )  C as well as is not possible

Hidden outputs there is an operation that “hides” the output actions of components by reclassifying them as internal actions (they are not used in further communication and do not appear in traces) if for some signature S, an some subset of output actions   out(S) hiding operation hide  (S) is defined as a new signature S’ such hat: –in(S’)=in(S), out(S’)=out(S)- , and int(S’)=int(S)  –hiding of output actions for an automaton involves hiding of these actions for the automaton’s signature

Example Composition composition of process and channel automata assuming N=3 the transitions are as follows example trace assuming N=2 and the function f is addition

Composition Theorems given an execution ,  |A is the projection (removal) of all the transitions that are not in A

Fairness interesting executions - each components “take fair turns” at performing transitions recall - each automaton is partitioned into tasks informally fairness allows each task to perform one of its actions infinitely often formally, let C be set of tasks and  - an execution fragment,  is fair if –  is finite and C is not enabled in the final state –  is infinite and it contains either infinitely many transitions from C or infinitely many states where all actions of C are disabled fairexec(A) - a set of fair executions of A trace is fair if it is a trace of fair execution fairtrace(A) a set of fair traces of A

Fairness Examples example: channel automata executions (assuming messages are {1,2} fair not fair

Fairness Examples: Clock Automaton executions tick, tick, tick, – fair tick, tick, tick – not fair (no fair finite executions for Clock ) tick, tick, request, tick, tick, clock(4), tick, tick, … - fair tick, tick, request, tick, tick, tick, … - not fair

Fairness Theorem

Invariants Invariant (assertion) for A is a property that is true in all reachable states of A usually proved by induction on the number of steps in the execution can be done by providing a sequence of invariants and proceeding from one to the next –note: “we” tend to think of an invariant as an assertion (predicate) on a state which is less generic than Lynch’s definition

Trace Properties reasoning of the properties of an automaton is done in terms of its traces formally a trace property P is –a signature sig(P) containing no internal actions –a set traces(P) of (finite or infinite) sequences of actions of sig(P) A satisfies trace property P means either of the two –extsig ( A )= sig ( P ) and traces ( A )  traces ( P ) –extsig ( A )= sig ( P ) and fairtraces ( A )  traces(P) in either case the satisfaction intuitively means that the behavior that can be produced by A is permitted by P ; the reverse (completion) is not required

Automata and Trace Properties

Safety Properties P is a trace safety property if –traces(P) is not empty –traces(P) is prefix closed – every prefix of a trace in traces(P) is also in traces(P) intuitively – if nothing “bad” happens in a trace, nothing bad happens in a prefix of the trace –traces(P) is limit-closed – given an infinite sequence of finite sequences      … such that each consequent finite sequence is contains the preceding one as a prefix, the limit of this infinite sequence is also in traces(P) intuitively – if nothing “bad” happens in any of the prefixes then nothing bad happens in the trace itself

Liveness Properties, Theorems P is liveness property if every finite sequence from acts(P) has some extensions in traces(P) –intuitively – an arbitrary prefix can be made “live” and extended to conform to a liveness property Theorem 8.8 if a property is both a liveness and safety property then it contains all possible sequences of actions Theorem 8.9 every property is an intersection of a liveness and safety property

Proof Techniques compositional reasoning – proves properties of the composed automaton on the basis of the properties of the components and composition techniques hierarchical proofs – describe the system in an abstract model and, prove it conforms to a property then move (refine) the abstraction while preserving the property

Indistinguishable Executions, Randomization if  and  ’ are two executions of a composed systems of automata each containing automaton A,  and  ’ are indistinguishable to A provides  |A=  ’|A probabilistic I/O automaton – notion of transition is modified: instead of (s, ,s’), it is (s, ,P) where P is a probability distribution over some set of states