Laws for Strong Stateless Refinement

The precongruence of strong stateless refinement entails that the (in)equations it induces may be used in any context, hence can be considered as refinement laws. In this section we present a number of the basic refinement laws. These laws give insight into the algebraic properties of refinement. Furthermore, the laws give rise to an algebraic style of reasoning about schedules.

First, we prove Lemma 4.4.9 which is used in the proofs of the subsequent lemmas. It states that if two terms are related by structural congruence, then their behaviour is strong stateless equivalent.

Lemma 4.4.9 Let s, t∈S. If s≡t then s≃t. Proof By definition s_≃t iff s6t and t6s.

• s≡t ⇒ s6t:

transition If_hs, M_i λ

−→ hs′_{, M}′_{ithen, by (N8) and s ≡t followsht, Mi} λ

−→ hs′_{, M}′_i.

By reflexivity of 6 holds s′ _6s′_.

termination

Ifs _≡skip , then by transitivity of_≡ follows t_≡skip .

• s≡t ⇒ t6s: The proof is analogous to the previous case.

Next, we present the laws grouped per operator. The schedules in these laws range over S.

Laws for Rule Conditional Composition

The first law can be used to move a single rule-conditional out of a parallel composition such that it is scheduled for execution first. The second law is a special case of the first. The fact that sequential composition enforces a more determined ordering on the execution of schedules than parallel composition, has as a consequence that the law for “;” is a congruence, while the case for “k” is a refinement.

Lemma 4.4.10

1. r → (s1kt)[s2kt]6(r → s1[s2])kt

2. r _→ (s1;t)[s2;t]≃(r → s1[s2]);t

Proof

1. transition: There are two possible transitions:

• If_hr _→ (s1kt)[s2kt], Mi σ −→ hs1kt, M′i then, by (N1),_h(r _→ s1[s2])kt, Mi σ −→ hs1kt, M′i. By reflexivity,s1kt6s1kt. • Ifhr → (s1kt)[s2kt], Mi ε −→ hs2kt, Mi then, by (N0),h(r → s1[s2])kt, Mi ε −→ hs2kt, Mi. By reflexivity,s2kt6s2kt.

termination: There are no s1, s2, t1 and t2 such that r → (s1kt)[s2kt]≡skip ,

hence this case holds vacuously. 2. We prove the following cases.

• (r →s1[s2]);t6r → (s1;t)[s2;t]:

transition: There are two possible transitions: – _h(r _→ s1[s2]);t, Mi

ε

−→ hs2;t, Mi, which is derived by (N0) from

hr _→s1[s2], Mi ε −→ hs2, Mi. Then by (N0) we derive hr →(s1;t)[s2;t], Mi ε −→ hs2;t, Mi. By reflexivity,s2;t6s2;t. – h(r → s1[s2]);t, Mi σ

−→ hs1;t, M′i, which is derived by (N1) from

hr →s1[s2], Mi σ −→ hs1, M′i. Then by (N1) we derive hr _→(s1;t)[s2;t], Mi σ −→ hs1;t, M′i. By reflexivity, s1;t6s1;t.

termination: There are no s1, s2 and t such that r → s1[s2];t≡skip , hence

• r _→ (s1;t)[s2;t]6(r → s1[s2]);t: The proof is analogous to the previous case.

Laws for Sequential Composition

The laws from Lemma 4.4.11 show that “;” is a monoid with unit skip. Lemma 4.4.11

1. skip;s≃s

2. s;skip_≃s

3. s1; (s2;s3)≃(s1;s2);s3

Proof

Cases 1 and 3 follow from structural congruence and Lemma 4.4.9. We consider case 2. We have to prove s;skip6sand s6s;skip. We give the details for the former; the proof of the latter is analogous.

Let _R=_{(s;skip, s)_|s_∈S}. We show that_R is a strong stateless simulation. transition

If s6≡skip, then a transition for s;skip can be derived by (N5) from hs, Mi λ

−→ hs′, M′i. By definition of R: (s′;skip, s′)∈ R.

termination

s;skip_≡skip only ifs_≡skip .

Laws for Parallel Composition

The laws for parallel composition follow from structural congruence and Lemma 4.4.9. They show that “_k” is a commutative monoid with unit skip.

Lemma 4.4.12 1. skip_ks_≃s

2. s1ks2 ≃s2ks1

Proof By structural congruence and Lemma 4.4.9.

Distributivity Laws for Parallel and Sequential Composition

The next Lemma yields a general law for the distribution of sequential and parallel composition.

Lemma 4.4.13 (s1ks3); (s2ks4)6(s1;s2)k(s3;s4)

Proof

Let _R = _{((s1ks3); (s2ks4),(s1;s2)k(s3;s4)) | s1, s2, s3, s4 ∈ S} ∪IdS. We show that

R is a strong stateless simulation. By Proposition 4.4.2(1) follows that Id_S is a strong stateless simulation. We consider the remaining case.

transition

We consider the possible transitions.

• By rule (N5) a transition can be derived from _hs1ks3, Mi

λ

−→ hs′

1ks′3, M′i.

This may in turn be derived in one of the following ways. 1. By (N2) from hs1, Mi λ −→ hs′₁, M′i, hence s′₃ ≡s3. By (N5) we get hs1;s2, Mi λ −→ hs′₁;s2, M′i. By (N2) we infer _h(s1;s2)k(s3;s4), Mi λ −→ h(s′ 1;s2)k(s3;s4), M′i. And ((s′ 1ks3); (s2ks4),(s1′;s2)k(s3;s4))∈ R. 2. By (N2) from hs3, Mi λ −→ hs′ 3, M′i, hence s′1 ≡s1.

The proof is analogous to the previous case. 3. By (N3) from _hs1, Mi λ −→ hs′ 1, M′i and hs3, Mi ε −→ hs′ 3, Mi.

By (N5) we get for the former _hs1;s2, Mi

λ

−→ hs′

1;s2, M′i,

and for the latter _hs3;s4, Mi

ε −→ hs′ 3;s4, Mi. Then by (N3) we obtain h(s1;s2)k(s3;s4), Mi λ −→ h(s′ 1;s2)k(s3′;s4), M′i. Clearly ((s′₁ks′₃); (s2ks4),(s′1;s2)k(s′3;s4))∈ R. 4. By (N3) from _hs1, Mi ε −→ hs′ 1, Mi and hs3, Mi λ −→ hs′ 3, M′i.

The proof is analogous to the previous case. 5. By (N4) from hs1, Mi

σ₁

−→ hs′1, M1i and hs3, Mi

σ₂

−→ hs′3, M2i such that M |=

σ1⋊⋉σ2. The proof is analogous to the previous case where use of (N3) should

• By (N8) and (E1) from (s1ks3)≡skip (hence s1 ≡ skip and s3 ≡ skip), and

hs2ks4, Mi

λ

−→ hs′_{, M}′_{i. From (skip;s}

2)k(skip;s4) ≡ s2ks4 we get by (N8) and

(E1) that _h(skip;s2)k(skip;s4), Mi

λ

−→ hs′_{, M}′_{i. Clearly (s}′_{, s}′_)∈Id

S ⊆ R.

termination

If (s1ks3); (s2ks4)≡skip then si≡skip for all i: 1≤i≤4.

Then also (s1;s2)k(s3;s4)≡skip .

The refinement of Lemma 4.4.13 is represented graphically in Figure 4.4 in confor- mance with the conventions of Figure 4.1 with the exception that here an arrow may denote a sequence of transitions.

refines

Figure 4.4: Refinement of Lemma 4.4.13

The schedule on the right hand side of Lemma 4.4.13 consists of two “threads” s1;s2

and s3;s4 that can proceed independently of each other. For example, the thread s1;s2

may terminate while the other thread is still executing s3. In the schedule on the left

hand side, the semi-colon forces the two threads to synchronize after termination of s1

and s3; i.e. before starting execution of eithers2 or s4.

Corollary 4.4.14 shows some special cases of Lemma 4.4.13. Especially the first of these will turn out to be very useful.

Corollary 4.4.14 1. s1;s26s1ks2

3. (s1ks3);s26(s1;s2)ks3

Proof Take one or two terms of Lemma 4.4.13 equal to skip. Eliminate skip-terms

using Lemma 4.4.11.

Laws for Conditional Composition

In Lemma 4.4.15 we present some basic and distributive laws for the conditional combi- nators. Lemma 4.4.15 1. false ⊲ s[t]≃t 2. true ⊲ s[t]_≃s 3. c ⊲ skip_≃skip 4. c ⊲ (s1ks2)[t1kt2]≃(c ⊲ s1[t1])k(c ⊲ s2[t2]) 5. c ⊲ (s1;s2)[t1;t2]≃(c ⊲ s1[t1]); (c ⊲ s2[t2]) 6. !(c ⊲ s[t])_≃c ⊲(!s)[!t]

Proof By propositional calculus and structural congruence.

The next laws may be used to eliminate or combine conditionals. Lemma 4.4.16

1. c ⊲ s[t]≃c ⊲ s[¬c ⊲ t] 2. c ⊲ s[t]≃(c ⊲ s)k(¬c ⊲ t)

3. c ⊲ (r → s[t])≃c ⊲ (r → c ⊲ s[t]) 4. (c1∧c2) ⊲ s[t]≃c1 ⊲ (c2 ⊲ s[t])[t]

Proof By propositional calculus and structural congruence.

Next, we investigate how the conditional c ⊲ ..[..] can be combined with the rule conditional r →..[..]. Lemma 4.4.17 describes a refinement which is based on the idea

that the conditionc can be used to test whether or not a rewrite rule rcan be executed successfully We use fail to denote a rewrite rule that never succeeds (can only make

ε-transitions). We can think of it as being defined as fail=b x _→ m _⇐ false. For any rule

r holds fail∢r, hence fail is a lower bound for the set of multiset rewrite rules ordered by the strengthening relation ∢.

In the following laws, we use c⇒ ¬b to mean: for all valuations v, c[x :=

v] _{⇒ ¬}b[x:=v].

Lemma 4.4.17 Letr =x_7→m _⇐ b. Ifc _{⇒ ¬}b, thenc ⊲ (fail;s2)[t]≃c ⊲ (r → s1[s2])[t].

Proof Consider the following cases

• c= false: then by structural congruence and Lemma 4.4.9 c ⊲ (fail;s2)[t]≃t and

c ⊲ (r _→ s1[s2])[t]≃t. By reflexivity t≃t.

• c=true: then by structural congruence and Lemma 4.4.9 c ⊲ (fail;s2)[t]≃fail;s2

and c ⊲ (r _→ s1[s2])[t]≃r →s1[s2].

Forfail;s2, we infer by (N0) and (N5),hfail;s2, Mi

ε −→ hs2, Mi. From c⇒ ¬b follows by (N0), hr → s1[s2], Mi ε −→ hs2, Mi. By reflexivity s2≃s2.

Corollary 4.4.18 fail;t_≃fail _→ s[t]

Proof Follows as a special case from Lemma 4.4.17 by taking c=true. Execution of fail never changes the input-output behaviour of a schedule (or pro- gram). Hence it can always be omitted. This could be formally justified if skip6fail would be a strong stateless refinement. However, this is not the case because the left hand side and the right hand side make a different number of transitions. Weak statebased refinement does not distinguish between differing numbers of ε-transition. In Section 4.4.3 we will develop the weak variant of stateless refinement and present the laws that it induces (which resolve the above issue).

Laws for Replication

In this section we will uncover the algebraic properties that characterize replication. The first two laws follow straightforwardly from the operational semantics.

Lemma 4.4.19 s6!s. Proof transition: Supposehs, Mi λ −→ hs′, M′i. Then by (N6) we infer h!s, Mi λ −→ hs′, M′i. By reflexivity of 6 follows s′6s′.

termination: By (E8), s_≡skip implies !s_≡skip .

Lemma 4.4.20 s_k!s6!s Proof transition: Supposehsk!s, Mi λ −→ hs′, M′i. Then by (N7) we inferh!s, Mi λ −→ hs′, M′i. By reflexivity of 6 follows s′6s′.

termination: s_k!s_≡skip only if s_≡skip , then by (E8) !s_≡skip . Recall that sk _{stands for k ≥ 0 copies of schedule s composed in parallel. Using}

the above we formally justify, by Corollary 4.4.21, the intuition that “!s” stands for an arbitrary number of copies of “s” composed in parallel.

Corollary 4.4.21 For all k _≥1 :sk_6!s

Proof By induction on k. • k = 1: By Lemma 4.4.19 followss6!s. • k >1: sk ≃ definition sk s_ksk−1 6 induction hypothesis sk!s 6 Lemma 4.4.20 !s An important property of replication is its idempotence. As a stepping stone to the general result, we first prove the following simpler case.

Proof

Let _R = _{(t_k(!s_k!s), t_k!s) _| s, t _∈ S} ∪Id_S. We prove that _R is a strong stateless simulation by induction on the depth of the inference. We will use the following property of R

If (s1, s2)∈ R and t∈S, then (tks1, tks2)∈ R (∗)

From Proposition 4.4.2.1 follows that Id_S is a strong stateless simulation. We consider the remaining case.

transition A transition for t_k(!s_k!s) can be derived in the following ways 1. From (N2) by ht, Mi λ

−→ ht′, M′i. Then by (N2) also htk!s, Mi λ

−→ ht′k!s, M′i. Clearly (t′k(!sk!s), t′k!s)∈ R.

2. From (N2) by h!sk!s, Mi λ

−→ hs′, M′i. This transition can in turn be derived in five ways. Two of these are symmetric, hence we only need to consider three.

(a) By (N2) from h!s, Mi λ

−→ hs′′_{, M}′_{i. This can be derived in two ways.}

i. By (N6) from _hs, M_i λ −→ hs′′_{, M}′_{i, hence s}′ _{= s}′′_{k!s. Then,} by (N2), we derive _hs_k!s, M_{i−→ h}λ s′′_{k!s, M}′_{i. By (N7) we infer} h!s, M_{i−→ h}λ s′′_{k!s, M}′_{i. Hence by (N2) htk!s, Mi} λ −→ ht_ks′′_{k!s, M}′_i. Clearly (t_ks′′_{k!s, tks}′′_k!s)∈Id S⊆ R. ii. By (N7) from hsk!s, Mi λ −→ hs′′, M′i, hence s′ = s′′k!s. By (N2) we infer _hs_k!s_k!s, M_i λ

−→ hs′′_{k!s, M}′_{i. The derivation for this transition is}

shorter than the derivation of the transition we want to prove the proposi- tion for, hence by the induction hypothesis we get_hs_k!s, M_{i−→ h}λ s′′′_{, M}′_i

such that (s′′_{k!s, s}′′′_{) ∈ R. By (N7) also h!s, Mi} λ

−→ hs′′′_{, M}′_{i. By (N2)}

ht_k!s, M_{i−→ h}λ t_ks′′′_{, M}′_{i. From (s}′′_{k!s, s}′′′_{) ∈ R follows by (*) that}

(tks′′_{k!s, tks}′′′_{)∈ R.}

(b) By (N3) from _h!s, M_{i−→ h}λ s′′_{, M}′_{i and h!s, Mi} ε

−→ hs′′′_{, Mi. The proof pro-}

ceeds, analogously to the previous case, by induction on the depth of the inference (where (N3) is used in place of (N2)).

(c) By (N4) from_h!s, M_i σ1

−→ hs1, M1i, andh!s, Mi

σ₂

−→ hs2, M2iwhereM |=σ1⋊⋉σ2.

3. By (N3) from _ht, M_{i−→ h}λ t′_{, M}′_{iand h!sk!s, Mi} ε

−→ hs′_{, Mi.}

The proof is analogous to the case 2.

4. By (N3) from _ht, M_{i−→ h}ε t′_{, Mi and h!sk!s, Mi} λ

−→ hs′_{, M}′_i.

The proof is analogous to the case 2. 5. By (N4) from ht, Mi σ1 −→ ht′_{, M} 1i and h!sk!s, Mi σ2 −→ hs′_{, M} 2i

such that M |=σ1⋊⋉σ2. The proof is analogous to the case 2.

termination

tk!sk!s≡skip only ift≡skip and !s≡skip , hencetk!s≡skip .

Corollary 4.4.23 1. _∀k :k _≥1 : (!s)k_6!s 2. _∀k :k _≥1 :sk_k!s6!s Proof 1. By induction on k. • k= 1: By reflexivity of 6 follows !s6!s. • k >1: (!s)k ≃ definition tk !sk(!s)k−1 6 induction hypothesis !sk!s 6 Lemma 4.4.22 !s

2. Assume k _≥1. We calculate as follows.

sk_k!s 6 Lemma 4.4.19 (!s)k_k!s ≃ definition of sk+1 (!s)k+1 6 case 1 !s

Finally we prove that replication is idempotent.

Lemma 4.4.24 !(!s)6!s

Proof

Let_R=_{(t_k!(!s), t_k!s)_|s, t _∈S}∪Id_S. We show that_Ris a strong stateless simulation up-to 6. We will use the following property ofR:

If (s1, s2)∈ 6R6 and t∈S, then (tks1, tks2)∈ 6R6 (*)

From Proposition 4.4.2.1 follows that Id_S is a strong stateless simulation. By reflexiv- ity of 6 follows that Id_S is a strong stateless simulation up-to 6. We consider the remaining case.

transition

We proceed by induction on the depth of the derivation of htk!(!s), Mi λ

−→ ht′ks′, M′i. This transition can be derived in the following ways.

1. By (N2) from ht, Mi λ

−→ ht′, M′i. Then by (N2)htk!s, Mi λ

−→ ht′k!s, M′i. Clearly (t′_{k!(!s), t}′_{k!s)∈ 6R6 .}

2. By (N2) from _h!(!s), M_{i−→ h}λ s′_{, M}′_{i. This transition can be derived in two ways:}

(a) By (N6) from h!s, Mi λ

−→ hs′, M′i. Then by (N2) htk!s, Mi λ

−→ htks′, M′i. And (t′ks′, t′ks′)∈Id_S⊆ 6_R6 .

(b) By (N7) from h!sk!(!s), Mi λ

−→ hs′, M′i. By the induction hypothesis follows

h!sk!s, Mi λ

−→ hs′′, M′i such that (s′, s′′) ∈ 6_R6. From Corollary 4.4.22 follows _h!s, M_i λ

−→ hs′′′_{, M}′_{i such that s}′′_6s′′′_{. By transitivity of 6 follows}

that (s′_{, s}′′′_{) ∈ 6R6 . By (N2) follows htk!s, Mi} λ

−→ ht_ks′′′_{, M}′_{i. From}

(s′_{, s}′′′_{)∈ 6R6 and (*) follows (tks}′_{, tks}′′′_{)∈ 6R6 .}

3. By (N3) from ht, Mi λ

−→ ht′, M′i and h!(!s), Mi ε

−→ hs′, Mi. For the latter tran- sition follows, analogous to case 2, that h!s, Mi ε

−→ hs′′, Mi such that (s′, s′′) ∈

6_R6 . From (N3) then follows _ht_k!s, M_i λ

−→ ht′_ks′′_{, M}′_{i and by (*) we con-}

clude (t′_ks′_{, t}′_ks′′_{)∈ 6R6 .}

4. By (N3) from ht, Mi ε

−→ ht′_{, Mi and h!(!s), Mi} λ

−→ hs′_{, M}′_i.

5. By (N4) from _ht, M_i σ1 −→ ht′_{, M} 1i and h!(!s), Mi σ₂ −→ hs′_{, M} 2i where M |= σ1⋊⋉σ2.

The proof is analogous to the case 3. termination

t_k!(!s) _≡ skip only if t _≡ skip and !(!s) _≡ skip. From the latter follows by (E8) that

!s_≡skip , hence t_k!s_≡skip.

Lemma 4.4.25 !(!s)_≃!s

Proof

• !s6!(!s): follows from Lemma 4.4.19.

• !(!s)6!s: follows from Lemma 4.4.24.

The next lemma proves a refinement concerning distributivity of replication over parallel composition.

Lemma 4.4.26 !(s1ks2)6(!s1)k(!s2)

Proof Let R = {(tk!(s1ks2), tk(!s1)k(!s2)) | t, s1, s2 ∈ S} ∪ IdS. We show that

R is a strong stateless simulation up-to 6. We will use that R satisfies the following property

If (s1, s2)∈ 6R6 and t∈S, then (tks1, tks2)∈ 6R6 (*)

From Proposition 4.4.2.1 follows that Id_S is a strong stateless simulation. By reflexiv- ity of 6 follows that Id_S is a strong stateless simulation up-to 6. We consider the remaining case.

transition

By induction on the depth of the inference. 1. By (N2) fromht, Mi λ −→ ht′, M′i. Then by (N2)htk!s1k!s2, Mi λ −→ ht′k!s1k!s2, M′i. Clearly (t′k!(s1ks2), t′k(!s1)k(!s2)∈ 6R6 . 2. By (N2) fromh!(s1ks2), Mi λ

−→ hs′, M′i. This transition can be derived in 2 ways. (a) by (N6) from hs1ks2, Mi

λ

−→ hs′_{, M}′_{i. Transitions for s}

1ks2 can be derived

i. By (N2) from _hs1, Mi λ −→ hs′ 1, M′i hence h!(s1ks2), Mi λ −→ hs′ 1ks2, M′i.

By (N6) we infer from the former _h!s1, Mi

λ −→ hs′ 1, M′i. By (N2) we obtain _ht_k!s1k!s2, Mi λ −→ ht_ks′ 1k!s2, M′i. Because s26!s2 and (tks′ 1ks2, tks′1ks2)∈ R we have (tks1′ ks2, tks′1k!s2)∈ 6R6 .

ii. By (N3) from transitions hs1, Mi

λ −→ hs′ 1, M′i and hs2, Mi ε −→ hs′ 2, Mi, henceh!(s1ks2), Mi λ −→ hs′₁ks′₂, M′i. By (N6) we inferh!s1, Mi λ −→ hs′₁, M′i and h!s2, Mi ε −→ hs′₂, Mi. By (N3) we get h!s1k!s2, Mi λ −→ hs′₁ks′₂, M′i. By (N2) we obtain _ht_k!s1k!s2, Mi λ −→ ht_ks′ 1ks′2, M′i. By reflexivity of 6 and Id_{S⊆ R} follows (t_ks′

In document Separating computation and coordination in the design of parallel and distributed programs (Page 86-100)