Computing the Control Flow - Symbolic SOS Transition Rules: The Control Flow Predicates

4.5 Symbolic SOS Transition Rules: The Control Flow Predicates

4.5.1 Computing the Control Flow

In the following, we simply list the primitive recursive definitions of the men- tioned control flow predicates. We start with the definition of inst_~(S)which is given below:

Definition 4.4 (Instantaneous Execution). Given a Quartz statement S, the

following recursively defined formula inst_~(S)holds iff S instantaneously termi- nates:

• inst_~(x=τ ) :≡ inst_~(next(x)=τ ) :⇔ true

• inst_~(assume(σ)) :⇔ inst_~(assert(σ)) :⇔ true • inst_~(nothing) :⇔ true

• inst_~(`:pause) :⇔ false • inst_~(if(σ) S1 else S2) :⇔

  ~(σ) ∧ inst~(S1) ∨ ¬~(σ) ∧ inst~(S2)∨ inst_~(S1) ∧ inst~(S2)  

• inst_~(S1; S2) :⇔ inst~(S1) ∧ inst~(S2)

• inst_~(S1k S2) :⇔ inst~(S1) ∧ inst~(S2)

• inst_~(do S while(σ)) :⇔ inst~(S)

• inst_~({α x; S}) :⇔ inst~(S)

• inst_~([weak] abort S when(σ)) :⇔ inst_~(S)

• inst_~_{([weak] immediate abort S when(σ)) :⇔ ~(σ) ∨ inst}_~(S) • inst_~([weak] suspend S when(σ)) :⇔ inst_~(S)

• inst_~_{(`:[weak] immediate suspend S when(σ)) :⇔ ¬~(σ) ∧ inst}_~(S) Note that a statement can be instantaneous for a certain environment and may consume time for another one. For example, for the following statement S if(x) { `:pause; emit y1; } else emit y2;

we compute inst_~(S)as x ∧ false ∨ ¬x ∧ true ∨ false ∧ true, and hence, equivalent to ¬x. Thus, the statement can be instantaneous iff the current value of x is false.

As can be seen, only the conditions σ of if-statements, and the immediate preemption statements determine whether a statement is instantaneously executed. For all the other statements, the instantaneity does not dependent on the current environment.

Using inst_~(S), we next define enter_~(S)for a Quartz statement S, which describes the set of all transitions that enter S from outside.

Definition 4.5 (Entering Statements). Given a Quartz statement S, the fol-

lowing recursively defined formula enter_~(S)describes which control flow loca- tions are activated by entering a statement S:

• enter_~(x=τ ) :⇔ enter~(next(x)=τ ) :⇔ false

• enter_~(assume(σ)) :⇔ enter~(assert(σ)) :⇔ false

• enter_~(nothing) :⇔ false • enter_~(`:pause) :⇔ next(`) • enter_~(if(σ) S1 else S2) :⇔

enter_~(S1) ∧ ¬next(in (S2)) ∧ ~(σ)∨

enter_~(S2) ∧ ¬next(in (S1)) ∧ ¬~(σ)

• enter_~(S1; S2) :⇔

enter_~(S1) ∧ ¬next(in (S2))∨

enter_~(S2) ∧ ¬next(in (S1)) ∧ inst~(S1)

• enter_~(S1k S2) :⇔





enter_~(S2) ∧ inst~(S1) ∧ ¬next(in (S1))∨

enter_~(S1) ∧ inst~(S2) ∧ ¬next(in (S2))∨

enter_~(S1) ∧ enter_~(S2)





• enter_~(do S while(σ)) :⇔ enter_~(S) • enter_~({α x; S}) :⇔ enter_~(S)

• enter_~(during S1 do S2) :⇔ enter~(S1) ∧ ¬in (S2)

• enter_~([weak] abort S when(σ)) :⇔ enter~(S)

• enter_~_{([weak] immediate abort S when(σ)) :⇔ ¬~(σ) ∧ enter}_~(S)

• enter_~(`:[weak] immediate suspend S when(σ)) :⇔ ¬~(σ) ∧ enter~(S) ∧ ¬next(`)∨

~(σ) ∧ ¬in (S) ∧ next(`)

For example, for the previously considered statement, we obtain the enter formula next(`) ∧ ¬false ∧ x ∨ ¬next(`) ∧ false ∧ ¬x, i.e., the formula next(`) ∧ x. Hence, if x is true, then the control flow location ` will be active at the next point of time, otherwise it location of the statement is active, since its execution is then instantaneous.

Again, only the conditions σ of if-statements, and the immediate preemption statements determine the direction of the control flow at starting time. For all the other statements, the initial control flow does not dependent on the current environment.

Note further that we have to explicitly encode that when entering a substatement of an if-statement or a sequence that no location of the other substatement is active at the next point of time. We will therefore start to establish the invariant that of if-statements and sequences, at most one substatement is

active. We do the same for the during statement, but since inst_~(S2)must be

statically true, this can also be neglected. However, the exclusiveness has to be added for the immediate suspension statements.

We proceed with the definition of term (S) that describes the set of transitions where the control flow leaves a statement S. For this reason, we assume that the control flow already rests somewhere inside S and now wants to leave S.

Definition 4.6 (Termination of Statements). Given a Quartz statement S, the

following recursively defined formula term (S) describes all situations, where the control flow leaves S:

• term (x=τ ) :⇔ term (next(x)=τ ) :⇔ false

• term (assume(σ)) :⇔ term (assert(σ)) :⇔ false

• term (nothing) :⇔ false

• term (`:pause) :⇔ `

• term (if(σ) S1 else S2) :⇔

term (S1)∧¬in (S2)∨

term (S2)∧¬in (S1)

• term (S1; S2) :⇔

term (S1)∧¬in (S2)∧ inst~0(S2) ∨

term (S2)∧¬in (S1) • term (S1k S2) :⇔   term (S1) ∧ ¬in (S2) ∨ term (S2) ∧ ¬in (S1) ∨ term (S1) ∧ term (S2)  

• term (do S while(σ)) :⇔ ¬σ ∧ term (S)

• term ({α x; S}) :⇔ term (S)

• term (during S1 do S2) :⇔ term (S1)

• term ([weak] abort S when(σ)) :⇔ in (S) ∧ σ ∨ term (S)

• term ([weak] immediate abort S when(σ)) :⇔ in (S) ∧ σ ∨ term (S)

• term (`:[weak] immediate suspend S when(σ)) :⇔ ¬σ ∧ `∧¬in (S)∧ inst~0(S) ∨

¬σ∧¬`∧ term (S)

As can be seen, term (S) is false whenever the control flow is currently not inside S. Hence, term (S) is false for the instantaneous atomic statements. For the same reason, we can easily prove that term (S) → in (S) holds. However, as term (S) does only depend on the current values of the input, local, output, and location variables, it does not impose any restrictions on the next values of the location variables. Hence, it may be the case that some of the locations of S may be active at the next macro step, even though term (S) holds. This may happen due to a surrounding loop whose loop body terminates and is re-entered at the same macro step.

Note that the definition of term (S) invokes some calls to inst_~(S)that we endowed with the initial incarnation level function 0 that maps every variable to zero. This is done since the micro steps encoded by term (S) start from somewhere inside S, i.e., in the depth of S.

In case of the termination of sequences and if-statements we have added the redundant terms that when a substatement terminates then the other substatement is currently not active. Since we establish the invariant that at most one of the substatements of sequences and if-statements can be active at a point of time, this can be safely removed.

Finally, we define the control flow predicate move (S) that encodes all internal moves, i.e., transitions from somewhere inside S to possibly different locations inside S. To this end, move (S) combines some of the micro steps encoded in inst_~(S), enter_~(S), and term (S). However, for the definition of the internal moves of the suspension statements, we need to say also that the current control flow is frozen, i.e., that the same control flow locations are active at the next point of time. This is formalized by the predicate stutter (S) that is defined as stutter (S) :⇔V

`∈lbls(S)` = next(`).

Definition 4.7 (Internal Moves). Given a Quartz statement S, the following

recursively defined formula move (S) describes all conditions where the control flow moves inside S:

• move (x=τ ) :⇔ move (next(x)=τ ) :⇔ false

• move (assume(σ)) :⇔ move (assert(σ)) :⇔ false

• move (nothing) :⇔ false

• move (`:pause) :⇔ false

• move (if(σ) S1 else S2) :⇔

move (S1) ∧ ¬in (S2) ∧ ¬next(in (S2))∨

move (S2) ∧ ¬in (S1) ∧ ¬next(in (S1))

• move (S1; S2) :⇔





move (S1) ∧ ¬in (S2) ∧ ¬next(in (S2))∨

move (S2) ∧ ¬in (S1) ∧ ¬next(in (S1))∨

term (S1) ∧ ¬next(in (S1)) ∧ ¬in (S2) ∧ enter~0(S2)



• move (S1k S2) :⇔      

move (S1) ∧ ¬in (S2) ∧ ¬next(in (S2))∨

move (S2) ∧ ¬in (S1) ∧ ¬next(in (S1))∨

move (S1) ∧ move (S2) ∨

move (S1) ∧ term (S2) ∧ ¬next(in (S2))∨

move (S2) ∧ term (S1) ∧ ¬next(in (S1))

     

• move (do S while(σ)) :⇔ move (S) ∨ term (S) ∧ σ ∧ enter_~0(S)

• move ({α x; S}) :⇔ move (S)

• move (during S1 do S2) :⇔ move (S1)

• move ([weak] abort S when(σ)) :⇔ ¬σ ∧ move (S)

• move ([weak] immediate abort S when(σ)) :⇔ ¬σ ∧ move (S)

• move ([weak] suspend S when(σ))

:⇔ σ ∧ in (S) ∧ stutter (S) ∨ ¬σ ∧ move (S)

• move (`:[weak] immediate suspend S when(σ))

:⇔ 

  

σ ∧ ` ∧ ¬in (S) ∧ next(`) ∧ ¬next(in (S))∨ σ ∧ ¬` ∧ in (S) ∧ ¬next(`) ∧ stutter (S) ∨ ¬σ ∧ ` ∧ ¬in (S) ∧ ¬next(`) ∧ enter_~0(S) ∨

¬σ ∧ ¬` ∧ move (S) ∧ ¬next(`)



  

Note that we always require in the definition of move (S) that the control flow is currently already somewhere inside S and will also be somewhere inside S at the next point of time. It is therefore important that our definition explicitly defines that the moves predicate will not activate threads where the control flow is currently not located in. In particular, this assures that only one of the two statements S1and S2will be active in the conditional, the sequential, and

the immediate suspension statement.

The relations inst_~(S), enter_~(S), term (S) and move (S) define the micro steps that need to be considered for a definition of the entire control flow of a statement S. We will now define the control flow automaton in a symbolic form in that we combine these predicates.

To this end, we have to solve a further technical problem: We assume that at the initial point of time, the control flow is not yet in the statement, but intends to enter it. However, if the statement will finally terminate, then the control flow will also be outside the statement without the intention to enter it again. For this reason, we have to distinguish between the starting state and the termination state. To this end, we introduce a further location st that is used to start the execution of the process when there is no control flow active in it. This location is called the initial location or the boot location.

In the definition of the control flow automaton below, we formalize that the initial location st holds exactly at the initial point of time. The definition of the control flow automaton is then as follows:

Definition 4.8 (Control Flow with Initial Location). Given a Quartz state-

ment S, and a the initial location st that does not occur in S, we define the set of initial states and the transition relation of the control flow automaton of S by the following formulas Icf(st, S)and Rcf(st, S):

Icf(st, S) :⇔ st ∧ ¬in (S) Rcf(st, S) :⇔    

st ∧ ¬in (S) ∧ inst_~₀(S) ∧ ¬next(in (S))∨ st ∧ ¬in (S) ∧ enter_~₀(S) ∨

¬st ∧ move (S) ∨

¬st ∧ (¬in (S) ∨ term (S)) ∧ ¬next(in (S)) 

  

∧ next(st)

The control flow automaton is therefore a finite state machine whose states are encoded by the state variables {st} ∪ lbls (S). Transitions are labeled by conditions that are all encoded in the transition relation Rcf(st, S). The au-

tomaton has only a single initial state, namely the one encoded by Icf(st, S).

Starting from there, there are two possibilities: Either S can be instantaneous, which is described in the first disjunct of Rcf(st, S), or the control flow can en-

ter S which is described in the second disjunct. Once inside S, we may follow internal transitions (third disjunct), or the control flow might leave S (fourth disjunct). Once outside the statement, it will never be re-entered, since the initial location is false after the initial point of time.

To prove the equivalence with the hardware circuits as described in Chap- ter 6, it is necessary to obtain a more flexible definition of the control flow in that the statement may be restarted after it has already been executed. To be more precise, the statement may be restarted when it either terminates or when there is not yet a control flow active in it. To this end, we do not use a initial location, but rather view st to be an external signal that controls the initial start as well as a later restart (that is required for the verification of loops):

Definition 4.9 (Control Flow with Start Signal). Given a Quartz statement

S, and a start signal st that does not occur in S, we define the set of initial states and the transition relation of the control flow automaton of S by the following formulas Icf(st, S)and Rcf(st, S): Icf(st, S) :⇔ ¬in (S) Rcf(st, S) :⇔    

(¬in (S) ∨ term (S)) ∧ st ∧ inst_~₀(S) ∧ ¬next(in (S))∨ (¬in (S) ∨ term (S)) ∧ st ∧ enter_~₀(S) ∨

(¬in (S) ∨ term (S)) ∧ ¬st ∧ ¬next(in (S))∨ move (S)



  

Let us call a statement startable if ¬in (S) ∨ term (S) holds. Note that the start signal st is only respected when the statement is startable, that is, an already active statement S is not restarted unless it terminates. If it currently terminates, it may be restarted at the same instant of time.

Using the HOL theorem prover we have proved a couple of simple properties of the control flow predicates. These properties are important for any kind of formal reasoning about programs, in particular, they could be important for automatic proof procedures. The most important properties are summarized in the following lemma.

Lemma 4.10 (Properties of Control Flow Predicates). For any Quartz state-

• enter_~(S) → next(in (S)) • enter_~(S) → ¬inst_~(S) • term (S) → in (S)

• move (S) → in (S) ∧ next(in (S))

• move (S) → ¬term (S)

• stutter (S) → (in (S) ↔ next(in (S))) • ¬in (S) → (stutter (S) = ¬next(in (S)))

The transition relation for the control flow has been given in a disjunctive form above which is convenient to split the different possible transitions into meaningful cases. Using the above properties, it is possible to prove the equivalence of this transition relation to a conjunctive form, which convenient in the dual cases. For example, if Rcf(st, S)appears as an assumption in a goal

to be proved, then one can obtain the same meaningful case distinctions by the conjunctive version of the control flow below.

Lemma 4.11 (Conjunctive Form of Control Flow Transition Relation). For

any Quartz statement S and the start signal st, the transition relation Rcf(st, S) of the control flow of S is equivalent to the following formula:



  

((¬in (S) ∨ term (S)) ∧ st ∧ inst_~(S) → ¬next(in (S))) ∧ ((¬in (S) ∨ term (S)) ∧ st ∧ ¬inst_~(S) → enter_~(S)) ∧ ((¬in (S) ∨ term (S)) ∧ ¬st → ¬next(in (S))) ∧ (in (S) ∧ ¬term (S) → move (S))



  

For the proof of the above lemma, we have to recall that for sequences, if- statements and immediate suspensions, at most one substatement may be active. Hence, for S ≡ if σ then S1 else S2 end or S ≡ S1; S2, we can

derive from the assumption in (S), and the fact that the transition relation Rcf(st, S)always holds, that in (S1) 6= in (S2)holds.

Using these facts, it is even possible to prove a recursive computation schema for the transition relation as shown in the following theorem. Note, however, that we still need the definitions of the control flow predicates in (S), inst_~(S), and term (S) for this purpose. However, we can avoid the computation of enter_~(S)and move (S):

Theorem 4.12 (Recursive Definition of Control Flow). For any Quartz state-

ment S, the transition relation Rcf(~, st, S) can be recursively computed accord- ing by the following laws (starting with ~ = 0), provided that the assumption

st → ¬in (S) ∨ term (S)holds, i.e., that statements are only started when they are not active or are currently terminating:

• Rcf(~, st, x=τ ) ⇔ Rcf(~, st, next(x)=τ ) ⇔ true

• Rcf(~, st, assume(σ)) ⇔ Rcf(~, st, assert(σ)) ⇔ true

• Rcf(~, st, nothing) ⇔ true

• Rcf(~, st, if(σ) S1 else S2) ⇔   Rcf(~, st ∧ ~(σ), S1) ∧ Rcf(~, st ∧ ¬~(σ), S2) ∧ (in (S1) → ¬in (S2))   • Rcf(~, st, {S1; S2}) ⇔   Rcf(~, st, S1) ∧ Rcf(~, st ∧ inst~(S1) ∨ term (S1) , S2) ∧ (in (S1) → ¬in (S2))   • Rcf(~, st, {S1k S2}) ⇔ (Rcf(~, st, S1) ∧ Rcf(~, st, S2)) • Rcf(~, st, do S while(σ)) ⇔ Rcf(~, st ∨ ~(σ) ∧ term (S) , S) ∧ (σ ∧ term (S) → ¬inst_~(S)) • Rcf(~, st, {α x; S }) ⇔ Rcf(~0, st, S), where ~0 := [~]~(x )+1 x • Rcf(~, st, during S1 do S2) ⇔ Rcf(~, st, S)

• Rcf(~, st, [weak] abort S when(σ))

⇔     Rcf(st, S) ∧ (in (S) ∧ next(in (S)) → ¬σ) ∨ in (S) ∧ σ ∧ st ∧ inst_~(S) ∧ ¬next(in (S))∨ in (S) ∧ σ ∧ st ∧ enter_~(S) ∨ in (S) ∧ σ ∧ ¬st ∧ ¬next(in (S))    

• Rcf(~, st, [weak] immediate abort S when(σ))

• Rcf(~, st, [weak] suspend S when(σ))

⇔ Rcf(st, S) ∧ (in (S) → ¬σ) ∨ (in (S) ∧ σ ∧ stutter (S))

• Rcf(~, st, [weak] immediate suspend S when(σ))

The above recursive formulation of the control flow is almost half the way towards the synthesis of hardware circuits. The differences are only that the hardware synthesis will generate the same control flow as a conjunction of transition equations of the location variables. Moreover, the hardware synthesis maintains inputs for maintaining surrounding preemption statements.

In document The Synchronous Programming Language Quartz (Page 114-121)