Progress - Laws for Convex Refinement - Separating computation and coordination in the design o

6.2 Laws for Convex Refinement

6.2.3 Progress

The convex refinement laws of Section 6.2 depend on properties of the multiset. In some cases, the required properties hold invariantly. More often, these properties do not yet hold at the beginning of execution but are established by execution of one or more preceding schedules.

For example, suppose we want use s′₆⋄

M s to refine s in t;s and the refinement

depends on [[q]]M. Then we need a method for establishing whether execution of t

modifies the multiset such that q holds; i.e. we need to be able to reason about the outcomes of schedule t.

To this end, we instantiate the output function (from Definition 5.4.5) for convex refinement.

Definition 6.2.14 The output function on configurations under convex interference, denoted O⋄P_{, is defined by} Oφ _where _φ ₌ _♦

P = {(M, M′) | hP, Mi

*hP, M′i} (for some simple program P). We write O⋄ _{if the program} _P _{is clear from the context.}

The next lemma provides a method for refining parts of a schedule that appear to the right of a sequential composition (it is a generalization of Lemma 4.3.12 to a setting where “convex” interference is possible).

Lemma 6.2.15 Let P be a simple program. Let s1, s2, t ∈S_L₍_P₎.

If ∀M′ :M′ ∈ O⋄₍_{t, M}_{) :}_s

Proof Let_R =_{(_ht;s1, Mi,ht;s2, Mi)| ∀M′ ∈ O⋄(t, M) :s16⋄M′s2}.

We show that _R is a strong convex simulation.

Suppose _ht;s1, MiRht;s2, Mi and ♦(M, M′). Since ♦ is reflexive and transitive, we get

by Lemma 5.4.6 that O⋄₍_{t, M}′₎_{⊆ O}⋄₍_{t, M}_{). Consider the following cases}

transition

A transition can be derived in the following ways

• by (N5), ift6≡skip, fromht, M′i λ

−→ ht′, M′′i. Then by (N5)ht;s, M′i λ

−→ ht′;s, M′′i. By Lemma 5.4.6 follows _O⋄₍_t′_{, M}′′₎ _{⊆ O}⋄₍_{t, M}′_{). By transitivity of} _⊆ _follows

∀M′ _{∈ O}⋄₍_t′_{, M}′′_{) :}_s

16⋄M′s2. Hence ht′;s′, M′′iRht′;s, M′′i.

• by (N9), ift_≡skip ands16≡skip, fromhs1, M′i

−→ hs′

1, M′′i. Fromt≡skip follows

M′ _{∈ O}⋄₍_{t, M}_{), hence} _s

16⋄M′s2. Then hs2, M′i

−→ hs′

2, M′′i such that s′16⋄M′′s′₂. From t≡skip and the definition ofO⋄_{, follows} _N _{∈ O}⋄₍_{t, M}′′₎ _⇔ _♦₍_M′′_{, N}_{). By}

transition-closedness of 6⋄ follows that ∀N :s′₁6⋄_M′′s′₂ ∧ ♦(M′′, N) ⇒ s′₁6⋄_Ns′₂. Hence ∀N ∈ O⋄₍_{t, M}′′_{) :}_s′

16⋄Ns′2. Thenht;s1′, M′′iRht;s′2, M′′i.

termination

t;s′_≡_skip _implies _t_≡_skip _and _s′_≡_skip _{. From} _t_≡_skip _{follows that} _s′₆⋄

Ms. Then,

froms′_≡_skip _follows _s_≡_skip _{, hence} _t_;_s_≡_skip _.

A method of using Lemma 6.2.15, that will be illustrated in Chapter 7, consists of establishing an intermediate property, say q, that captures those properties of the set of outputs of schedule t that are required for justifying the refinement s16s2. More

precisely, this method proceeds through the following steps

1. Show that the multisets that are output of schedule t satisfy some property, say q. 2. Show thatqis not invalidated by any interference that may occur after termination

of t and before execution of s1 (or s2).

3. Show that if a multiset M satiesfiesq, thens16⋄M s2.

This line of reasoning is formalised by Corollary 6.2.16.

Corollary 6.2.16 Let P be a simple program. Let s1, s2, t ∈S_L₍_P₎.

2. stable q

3. ∀M : [[q]]M ⇒ s16⋄Ms2

then t;s16⋄Mt;s2.

Proof By Lemma 6.2.15.

For establishing the first premisse of Corollary 6.2.16, we are faced with the task of determining whether, given some initial multiset M, condition q holds after execution of t under all possible interferences by some simple program. Although is possible to establish such properties using simulations, this is not an ideal technique because it incites operational reasoning which is relatively error-prone. As alternative methods for reasoning about progress of schedules, we may resort to Lemma 3.3.31. This lemma shows that the properties which hold at termination of most general schedules can be derived in a syntactical manner.

However, Lemma 3.3.31 does not take interference into account. Example 6.2.17 illustrates that due to this omission, this method does not carry over to situations where interference is possible (as is the case for convex refinement).

Example 6.2.17 Let P be a simple program. Let S= !(b r1 → Skr2 → S) such that

L(S)∢_L(P). Execution of S starts in some multiset M. Because S is a most general schedule, the following properties hold for any configuration _hs, M′_i _that _h_{S, M}_i _evolves

into

1. s is of the form (r1 → S)a1k(r2 → S)a2kSk

2. if k = 0, then ai = 0 implies [[†ri]]M′ for i: 1≤i≤2

Assume that the system arrives at a schedule s _≡ r1 → S (hence a1 = 1, a2 = 0

and k= 0). Then, from property 2 follows [[†r2]]M′. Now, suppose that an in-

terference ♦P(M′, M′′) takes place which changes the multiset M′ into M′′ such

that [[♮r2]]M′′ and [[†r1]]M′′. Then, by (N0), the following transition can be made

hr1 → S, M′′i

−→ hskip, M′′_i_{. Thus, the most general schedule}_S _{terminates in a multiset}

M′′ _{which does not satisfy} _†_r

1∧ †r2.

This example shows that the relation between the form of the schedule and the disabled- ness of its rules no longer holds if the multiset is susceptible to arbitrary interference. In particular this relation does not hold at termination while this is assumed by the method of Lemma 3.3.31.

The harm seems to come from the fact that the interference may invalidate the relation between the form of the schedule and the disabledness of its rules. Lemma 6.2.18 shows that this relation can be retained by requiring that the disabledness of the rules may not be invalidated by interference.

Lemma 6.2.18 LetP be a simple program. LetS= !(b r1 → Sk . . . krn → S)for n≥1

such that _L(S)∢_L(P). If _∀i : 1 _≤ i _≤ n : stable _†ri, then ∀M′ : M′ ∈ O⋄(S, M) :

[[(_∀i: 1_≤i_≤n:_†ri)]]M′.

Proof IfM′ _{∈ O}⋄₍_{S, M}_{), then there is a sequence of transitions and interferences from}

hS, M_i to _hskip, M′_i_{. Hence, in this sequence, every rewrite rule} _r

i must have executed

and failed at least once. Hence, for all i, there is a multiset in this sequence such that

†ri. By stable †ri follows that†ri continues to hold from this stage of execution onward.

Hence for the multisetM′ from the final configuration holds ∀i: 1≤i≤n: [[†ri]]M′.

Using Lemma 6.2.18 we obtain Theorem 6.2.19 as a special case of Lemma 6.2.15. Theorem 6.2.19 Let P be a simple program. Let S= !(b r1 → Sk . . . krn → S) for

n≥1 where L(S)∢L(P). If 1. _∀i: 1_≤i_≤n : stable _†ri

2. [[_∀i: 1_≤i_≤n :_†ri]]M ⇒ s16⋄Ms2

then S;s16⋄MS;s2

Proof From Lemma 6.2.15 and Lemma 6.2.18.

The conclusion of Theorem 6.2.19 can be generalized toS;u;s′₆⋄

MS;u;s providedq

is stable underu. This is necessarily so ifuis a proper schedule ofP (i.e. _L(u)∢_L(P)). We have seen how properties that are established by a schedule on the left hand side of a sequential composition may be used for justifying refinements of a schedule on the right hand side of that composition. Besides sequential composition, the rule-conditional “r → ..[..]” construct also imposes a strict precedence ordering on the execution of rewrite rules. Next, we present a lemma that enables us to prove refinements using properties that can be derived from the execution of a single rewrite rule.

Lemma 6.2.20 Let P be a simple program. Let r be a rule such that L(r)∢L(P). Let s, t ∈S_L₍_P₎. If ∀M′ :M′ ∈ O⋄₍_{r, M}_{) :}_s′₆⋄

1. r _→ s′_[_t_]₆⋄ Mr → s[t] 2. r → t[s′_]₆⋄ Mr → t[s] Proof 1. Let _R = _{(_hr _→ s′_[_t_]_{, M}_i_,_h_r _→_s_[_t_]_{, M}_i₎_{| ∀}_M′ _{∈ O}⋄₍_{r, M}_{) :}_s′₆⋄ M′s)} ∪ {(hs′_{, M}_i_,_h_{s, M}_i₎_|_s′₆⋄ Ms}

We show that R is a strong convex simulation. By definition of 6⋄

M follows that the second component is a strong convex simu-

lation. We consider the remaining component.

Assume ♦(M, M′_{). By Lemma 5.4.6 follows that}_O⋄₍_{r, M}′₎_{⊆ O}⋄₍_{r, M}_).

transition

Suppose _hr _→s′_[_t_]_{, M}′_i λ

−→ hu, M′′_i_{, hence} _M′′ _{∈ O}⋄₍_{r, M}′_{). By transitivity of} _⊆

follows M′′ _{∈ O}⋄₍_{r, M}_{). This transition can be derived by}

• (N0), then λ=ε, M′′₌_M′ _and _u₌_t_{. Then}_h_r _→_s_[_t_]_{, M}′_i ε

−→ ht, M′_i_.

By reflexivity of 6⋄ _follows_t₆⋄

M′t, hence (ht, M′i,ht, M′i)∈ R.

• (N1), then λ=σ and u=s′_{. Then, by (N1),} _h_r _→ _s_[_t_]_{, M}′_i σ

−→ hs, M′′_i_.

From M′′ _{∈ O}⋄₍_{r, M}_{) follows} _s′₆⋄

M′′s, hence (hs′, M′′i,hs, M′′i)∈ R. termination Holds vacuously.

2. Analogous to case 1.

Analogous to Corollary 6.2.16, Lemma 6.2.20 may be applied using an intermediate property q. This is described by Corollary 6.2.21.

Corollary 6.2.21 Let P be a simple program. Let r be a rule such that L(r)∢L(P). Let s, t _∈S_L₍_P₎. If

1. ∀M′ :M′ ∈ O⋄₍_{r, M}_{) : [[}_q_]]_M′

2. stable q

3. ∀M : [[q]]M ⇒ s′6⋄_Ms

1. r _→ s′_[_t_]₆⋄

Mr → s[t]

2. r _→ t[s′_]₆⋄

Mr → t[s]

Proof By Lemma 6.2.20.

Lemma 6.2.22 generalises Lemma 6.2.20 to deal with equivalent schedules.

Lemma 6.2.22 Let P be a simple program. Let r be a rule such that L(r)∢L(P). Let s, t ∈S_L₍_P₎. If ∀M′ :M′ ∈ O⋄₍_{r, M}_{) :}_s′₌⋄ Ms, then 1. r _→ s′_[_t_{] =}⋄ Mr → s[t] 2. r → t[s′_{] =}⋄ Mr → t[s]

Proof From Lemma 6.2.20 and =⋄

M = 6⋄M ∩ 6⋄M−1.

These results enable us to prove refinements which deal with rewrite rules that disable their own execution (as promised at the end of Section 6.2). First, we consider the case that a rule is invariably disabled. Then, we prove the case that a rule disables its own subsequent successful execution.

Lemma 6.2.23 Let P be a simple program. Let S= !(b r _→ S) where _L(r)∢_L(P). If 1. [[†r]]M 2. stable _†r then skip_≃⋄_M S. Proof skip ≃⋄ M (E8) and Lemma 5.3.7 !skip ≃⋄ M Corollary 6.2.4 !r _→ S ≃⋄ M Lemma 5.6.1, def. S S

Lemma 6.2.24 Let P be a simple program. Let S= !(b r _→ S) where _L(r)∢_L(P). If 1. ∀M′ :M′ ∈ O⋄₍_{r, M}_{) : [[}_†_r_]]_M′ 2. stable †r then r.⋄ M S. Proof r → skip ≃⋄ M Lemmas 6.2.22 and 6.2.23 r → S .⋄ M s.⋄!s !(r _→ S) ≃⋄ M Lemma 5.6.1, def. S S

6.3 Concluding Remarks

Based on insights from the generic theory from Chapter 5, we developed in this chapter a new precongruent notion of refinement, called convex refinement. The basic idea behind this notion is to approximate the interference that a schedule may experience by the rewrites that the program for which the schedule is designed may make. This ensures that all safety properties that a program satisfies, also hold throughout execution of a schedule (for this program). Hence, these program properties can be used for proving convex refinements of schedules. Since it is considerably easier to establish properties of programs compared to properties of schedules, this reduces the complexity of reasoning about refinement.

We have derived a number of new refinement laws which allow the specialization of rewrite rules based on properties of the multiset and laws which enable the introduction of parallel and sequential loop structures. The collection of convex laws is not aimed to be complete. The laws can be extended as the need arises.

Convex refinement has in common with statebased refinement that it allows properties of the multiset to be used for proving refinements. Additionally, it shares with stateless refinement that it is a precongruence. Consequently, its refinements may be

used in a modular way. Hence, convex refinement combines the useful features from the other notions of refinement. Illustrations of the use of convex refinement are presented in Chapter 7.

Convex refinement is the last variant of a refinement relation that we develop in this thesis. We next discuss how the notions of refinement that we have presented relate to each other. To start, the following table gives an overview of the notions of refinement and how they can be instantiated from generic refinement.

generic simulation (M, M′₎_∈_{Φ iff} _{precongruence history preserving}

stateless simulation true yes no

metric simulation T(M′₎_≤_T₍_M₎ _yes _no

convex simulation _hP, M_i σ *hP, M′i yes yes

statebased simulation M′ =M no yes

Theorem 5.2.13 shows that these refinement relations are order by subset inclusion of the interference parameter. Additionally, Theorem 5.5.18 proves that the strong notions of refinement are contained in the corresponding weak notions. Combining these results yields an ordering on the notions of refinement that is depicted by Figure 6.1.

Figure 6.1: Lattice of Notions of Refinement Next, we discuss why these inclusions are strict.

The fact the inclusion of strong refinement in weak refinement is strict follows from Lemma 4.4.35. This lemma provides an example of a weak stateless refinement which is not a strong stateless refinement.

The containment of stateless refinement within convex refinement and convex refinement within statebased refinement follows from Theorem 5.2.13. The fact that these inclusions are strict follows from the following refinement. hfail,{}i6⋄hadd,{}i is a strong convex refinement, but not a strong stateless refinement.

Finally, we consider convex and statebased refinement.

Consider the sorting program swapand a multisetM =_{(1, C),(2, A),(3, B)_}which represents the sequence _hC, A, B_i. Let swap_k,l be the a strengthening of swap defined by

swap_k,l = (i, x),(j, y)7→(i, y),(j, x)⇐ i < j∧i=k∧j =l∧x > y

Then hswap1,2;swap2,3, Mi≦hswap1,2 → swap2,3, Mi is a strong statebased refinement

7 Case Studies

In this chapter we will illustrate the method of program design proposed in the previous chapters by considering a number of case studies.

The problems we study cover diverse applications in computing science: Summation is an elementary problem that is used as an introductory case study. Sorting and computing primes are well-known problems that are widely used for illustrating formal methods of program development. As more advanced cases we discuss a combinatorial problem: computing the shortest paths to some node in a graph, and a problem from scientific computing: solving triangular systems of linear equations.

For each case study we proceed through the following series of steps. 1. We start with a brief description of the problem under study.

2. Next, we present a Gamma program for the problem at hand and address its correctness. The correctness of a Gamma program may either follow by construction if the method from [12] is followed. Alternatively, the programming logic described in Chapter 2 may be used for a-posteri verification of the program’s correctness. 3. Subsequently, we construct the most general schedule for the Gamma program.

This schedule serves as an initial specification of the coordination strategy for the Gamma program.

4. One or more avenues for deriving coordination strategies by successive stepwise refinement from the most general schedule are investigated.

5. At the end of each case study, the relationship between the coordination strategies that have been derived is discussed as well as the strengths and weaknesses of the methods used for their derivation.

7.1 Summation

As a gentle introduction to the method of derivation, we start with a straightforward example: summation. The Gamma program for summation consists of the following rewrite rule

add=b x, y_7→x+y

A correctness proof of this program can be found in [24].

In document Separating computation and coordination in the design of parallel and distributed programs (Page 166-177)