Concurrent Systems, CSP, and FDR
description
Transcript of Concurrent Systems, CSP, and FDR
Concurrent Systems, CSP, and FDR
Dyke Stiles & Don RiceDyke Stiles & Don Rice
[email protected]@ece.usu.eduhttp://www.engineering.usu.edu/ece/http://www.engineering.usu.edu/ece/
Utah State UniversityUtah State University
June 2002June 2002
2
Why Concurrent Systems Design??
Many systems are naturally concurrent!!Many systems are naturally concurrent!! Better engineering:Better engineering:
Modularity: break into small partsModularity: break into small parts Simplicity: small parts easier!!Simplicity: small parts easier!!
Reliability & Fault ToleranceReliability & Fault Tolerance Speed – on multiple processorsSpeed – on multiple processors
3
What Are Concurrent Systems?Any system where tasks run concurrentlyAny system where tasks run concurrently
time-sliced on one processortime-sliced on one processor and/or on multiple processorsand/or on multiple processors
4
Concurrent Systems
Time-sliced examples:Time-sliced examples: Multiple independent jobsMultiple independent jobs
Operating systemOperating system• comms, I/O, user managementcomms, I/O, user management
Multiple users’ jobsMultiple users’ jobs Multithreading within one jobMultithreading within one job
C++C++JavaJavaC#C#
5
Concurrent Systems
Multiprocessor examples:Multiprocessor examples: Distributed memory (message-Distributed memory (message-
passing) systems (e.g, Intel, NCube)passing) systems (e.g, Intel, NCube) Shared memory systems (e.g., Sun)Shared memory systems (e.g., Sun)
6
Concurrent Systems
Example applicationsExample applications
Numerical computation on Numerical computation on multiprocessorsmultiprocessorstypically regular communication typically regular communication
patternspatternsrelatively easy to handlerelatively easy to handle
7
Concurrent SystemsExample applicationsExample applications
Real-time systems on multiple processorsReal-time systems on multiple processorse.g., flight control, communications routerse.g., flight control, communications routers irregular communication, often in closed irregular communication, often in closed
loopsloopsdifficult to get correctdifficult to get correctmay be prone to deadlock and livelock may be prone to deadlock and livelock
8
Concurrent Systems
Example applicationsExample applicationsSystem routines on one multiprocessor nodeSystem routines on one multiprocessor node
Manage multiple user tasksManage multiple user tasksManage communicationsManage communications
• Route messages between tasks on nodeRoute messages between tasks on node• Route messages to tasks on other nodesRoute messages to tasks on other nodes• Manage multiple links to other nodesManage multiple links to other nodes• Manage I/O, interrupts, etc.Manage I/O, interrupts, etc.
9
Concurrent Systems
Example applicationsExample applications
System routines on one multiprocessor nodeSystem routines on one multiprocessor node
Router
Task Manager
U0 U5
10
Concurrent Systems
Example: complete routing systemExample: complete routing system
11
What Is “difficult” about systems of concurrent interacting tasks? CorrectnessCorrectness DeadlockDeadlock LivelockLivelock
Managing these problems requires some Managing these problems requires some extra effort – but the total effort is extra effort – but the total effort is farfar less and less and the resulting code is the resulting code is farfar more reliable and more reliable and farfar easier to maintain!!!easier to maintain!!!
12
Why is Correctness an Issue?
Multiple processes execute their instructions more or Multiple processes execute their instructions more or less at the same time.less at the same time.
The actual operations may interleave in time in a The actual operations may interleave in time in a great number of ways:great number of ways: For For nn processes with processes with mm instructions, there are instructions, there are
((nmnm)!/()!/(mm!)^!)^nn interleavings. interleavings. Two processes of 10 instructions each have Two processes of 10 instructions each have
184,756 interleavings!!184,756 interleavings!! The number of interleavings is astronomical for The number of interleavings is astronomical for
reasonable programs reasonable programs complete testing is complete testing is notnot possible!!!possible!!!
13
Correctness
Example: the bank balance problemExample: the bank balance problemATM:ATM:
fetch balancefetch balancebalance = balance – $100balance = balance – $100store balancestore balance
Payroll Computer:Payroll Computer:fetch balancefetch balancebalance = balance + $1000balance = balance + $1000store balancestore balance
14
Bank BalanceOriginal balance = $1000Original balance = $1000
Interleaving 1:Interleaving 1:ATMATM Payroll ComputerPayroll Computer
tt11 fetch $1000fetch $1000tt22 balance = $1000 - $100balance = $1000 - $100tt33 store $900store $900tt44 fetch $900fetch $900tt55 balance = $900 + $1000balance = $900 + $1000tt66 store $1900store $1900
Final balance = $1900: Correct! Final balance = $1900: Correct!
15
Bank BalanceOriginal balance = $1000Original balance = $1000
Interleaving 2:Interleaving 2:ATMATM Payroll ComputerPayroll Computer
tt11 fetch $1000fetch $1000tt22 fetch $1000fetch $1000tt33 balance = $1000 + $1000balance = $1000 + $1000tt44 store $2000store $2000tt55 balance = $1000 - $100balance = $1000 - $100tt66 store $900store $900
Final balance = $900: Final balance = $900: WRONG!WRONG!
16
Bank Balance
Only Only 22 of the of the twentytwenty possible possible interleavings are correct!!interleavings are correct!!
Concurrent systems Concurrent systems mustmust have some have some means of guaranteeing that operations means of guaranteeing that operations in different processes are executed in in different processes are executed in the proper order. the proper order.
17
Deadlock
All processes stopped:All processes stopped:
• often because each is waiting for often because each is waiting for an action of another processan action of another process
• processes cannot proceed until processes cannot proceed until action occursaction occurs
18
Deadlock
Example: Shared ResourceExample: Shared ResourceTwo processes wish to print disk files. Two processes wish to print disk files. Neither can proceed until it controls both the Neither can proceed until it controls both the printer and the disk; one requests the disk printer and the disk; one requests the disk first, the other the printer first:first, the other the printer first:
Proc AProc A Proc BProc Bt1t1 acquire disk acquire diskt2t2 acquire acquire
printerprintert3t3 try to acquire printer try to acquire printer DEADLOCK!!DEADLOCK!!
19
Livelock
Program performs an infinite unbroken Program performs an infinite unbroken sequence of internal actionssequence of internal actions
Refuses (unable) to interact with its Refuses (unable) to interact with its environment.environment.
Outward appearance is similar to deadlock - Outward appearance is similar to deadlock - but the internal causes differ significantly.but the internal causes differ significantly.
Example: two processes get stuck sending Example: two processes get stuck sending error messages to each other. error messages to each other.
20
Concurrent Design Requires:
Means to guarantee correct ordering of Means to guarantee correct ordering of operationsoperations
Protocols to avoid and tools to detectProtocols to avoid and tools to detect DeadlockDeadlock LivelockLivelock
21
Possible Solutions
LocksLocks Mutual Exclusion (mutexes)Mutual Exclusion (mutexes) Critical SectionsCritical Sections SempahoresSempahores
……but these have problems:but these have problems:
22
The problems:
1. It is the responsibility of the user to use 1. It is the responsibility of the user to use the protocols appropriately – or at all!!the protocols appropriately – or at all!!
2. These are 2-part protocols:2. These are 2-part protocols:
claim_mutex claim_mutex update balance update balance release_mutex release_mutex
If either claim or release (or both) is If either claim or release (or both) is skipped, serious problems can arise.skipped, serious problems can arise.
23
A better solution: monitors
True monitors (Hoare 1974) are True monitors (Hoare 1974) are requiredrequired to to access any shared object; this is enforced by access any shared object; this is enforced by the compiler.the compiler.
The monitor protocol requires only a The monitor protocol requires only a singlesingle operation; e.g., operation; e.g., deposit (amount).deposit (amount).
But: monitors are passive, run in the caller’s But: monitors are passive, run in the caller’s thread, and nesting can be complex.thread, and nesting can be complex.
24
CSP: An even better solution
Communicating Sequential Processes (CSP: Hoare Communicating Sequential Processes (CSP: Hoare 1978)1978) Processes interact Processes interact onlyonly via explicit blocking via explicit blocking
events.events. Blocking: Blocking: neitherneither process proceeds until process proceeds until bothboth
processes have reached the event.processes have reached the event. There is absolutely There is absolutely nono use of shared variables use of shared variables
outside of events.outside of events. A single-part protocol.A single-part protocol. Processes run in their own threads.Processes run in their own threads. Can be done - with care – using semaphores, Can be done - with care – using semaphores,
wait, etc.wait, etc.
25
CSP
A A process algebraprocess algebra – –Provides formal (mathematical) means and Provides formal (mathematical) means and CASE tools forCASE tools for
Describing systems of interacting Describing systems of interacting concurrent processesconcurrent processes
Proving properties of concurrent systemsProving properties of concurrent systems• Agreement with specificationsAgreement with specifications• Deadlock freedomDeadlock freedom• Divergence freedomDivergence freedom
26
CSP Design Philosophy
Complex applications are generally Complex applications are generally farfar easier easier to design as systems of to design as systems of many small, simple processes many small, simple processes that interact that interact onlyonly via explicit events. via explicit events.
Unconstrained use of shared memory can Unconstrained use of shared memory can lead to designs that lead to designs that are extremely difficult to implementare extremely difficult to implement are not verifiableare not verifiable
27
CSP Design Example
Virtual Channel SystemVirtual Channel System Two processes must be able to send Two processes must be able to send
identifiable messages over a single wire.identifiable messages over a single wire. Solution: append channel identifier to Solution: append channel identifier to
messages, and wait for ack to control flow.messages, and wait for ack to control flow.
data.i
ack.i
P0
P1
router
28
CSP Design Example
Router: single process designRouter: single process design Software state machineSoftware state machine State variables are the message states:State variables are the message states:
0: waiting to input0: waiting to input1: waiting to send downstream1: waiting to send downstream2: waiting for ack2: waiting for ack
Result: 3 x 3 = 9 state case statementResult: 3 x 3 = 9 state case statement
29
CSP Design Example
Router: single process designRouter: single process design
Example case clause:Example case clause:
(S0 = input0, S1 = input1): Read(channel0, channel1)
If (channel0)
write data.0
S0 = send0;
Else
write data.1
S1 = send1;
30
CSP Design Example
Router: single process designRouter: single process design Nine states – not too bad, but complex Nine states – not too bad, but complex
enough to require care in the enough to require care in the implementation.implementation.
But: if we add another input, it goes to 27 But: if we add another input, it goes to 27 states, and a fourth gives us 81 states!!!states, and a fourth gives us 81 states!!!
What are your odds of getting this right the What are your odds of getting this right the first time?first time?
Would debugging 81 states be much Would debugging 81 states be much fun???fun???
31
CSP Design Example
Router: multiple process designRouter: multiple process design One process to monitor each input One process to monitor each input
and wait for the ack (these are and wait for the ack (these are identical)identical)
One multiplexer process to send the One multiplexer process to send the inputs downstreaminputs downstream
One demultiplexer process to accept One demultiplexer process to accept and distribute the acksand distribute the acks
32
CSP Design Example
Router: multiple process design: block Router: multiple process design: block diagram: 4 small modulesdiagram: 4 small modules
Input 0
Input 1
Mux
DeMux
down
up
33
CSP Design Example
Router: multiple process designRouter: multiple process design
Input process:Input process:
While (true)
read input;
write input to Mux;
wait for ack from DeMux;
34
CSP Design Example
Router: multiple process designRouter: multiple process design
Mux processMux process
While (true)
read (input0.data, input1.data)
if (input0) write data.0
else write data.1;
35
CSP Design Example
Router: multiple process designRouter: multiple process design
DeMux processDeMux process
While (true)
read ack;
if (ack == 0) write ack0
else write ack1;
36
CSP Design Example
Router:multiple process design; SummaryRouter:multiple process design; Summary Three processes – 4 lines each!!Three processes – 4 lines each!! Add another input?Add another input?
Add one input processAdd one input processMux modified to look at 3 inputsMux modified to look at 3 inputsDemux modified to handle 3 different Demux modified to handle 3 different
acksacks Which implementation would you rather Which implementation would you rather
build?build?
37
Formal Methods
Formal methods: mathematical means for Formal methods: mathematical means for designing and proving properties of systems.designing and proving properties of systems.
Such techniques have been in use for Such techniques have been in use for decades in decades in Analog electronicsAnalog electronics
Filter design: passband, roll-off, etcFilter design: passband, roll-off, etcControls: response time, phase Controls: response time, phase
characteristicscharacteristics
38
Formal Methods
Digital designDigital designLogic minimizationLogic minimizationLogical description to gate designLogical description to gate designFormal language description of Formal language description of
algorithm to VLSI masksalgorithm to VLSI masks
(e.g., floating-point processor (e.g., floating-point processor design)design)
39
Formal Methods
Two methods of formal design:Two methods of formal design:
1. 1. DeriveDerive a design from the a design from the specifications.specifications.
2. 2. AssumeAssume a design and prove that it a design and prove that it meets the specifications.meets the specifications.
40
CSP
CSP: deals CSP: deals onlyonly with interactions with interactions between processes.between processes.
CSP: does CSP: does notnot deal (easily) with the deal (easily) with the internal behavior of processes.internal behavior of processes.
Hence other software engineering Hence other software engineering techniques must be used to develop & techniques must be used to develop & verify the internal workings of verify the internal workings of processes.processes.
41
CSP
The two components of CSP systems:The two components of CSP systems: ProcessesProcesses: indicated by upper-case: : indicated by upper-case:
PP,, Q Q,, R R,, … … EventsEvents: indicated by lower-case: : indicated by lower-case: aa,, b b,,
cc,, … …
42
CSP
Example: a process Example: a process PP engages in events engages in events aa,, b b,, c c,, a a,, and then and then STOPSTOPs:s:
P = a P = a b b c c a a STOP STOP
““” ” is the is the prefixprefix operator; operator;
STOPSTOP is a special process that never is a special process that never engages in any event.engages in any event.
43
CSP Example
A practical example: a simple pop machine A practical example: a simple pop machine accepts a coin, returns a can of pop, and then accepts a coin, returns a can of pop, and then repeats:repeats: PM = coin PM = coin pop pop PM PM Note the recursive definition - which is Note the recursive definition - which is
acceptable; substituting the acceptable; substituting the rhsrhs for the for the occurrence of occurrence of PM PM in the in the rhsrhs, we get, we get
PM = coin PM = coin pop pop coin coin pop pop PM PM (RT processes are often non-terminating.)(RT processes are often non-terminating.)
44
CSP Example
The router:The router:
ch0toMux0
ack1
In0
ch1 In1
Mux
DeMux
ack0
down
up
toMux1
45
The router processes: Input
In0 = In0 = ch0?x ch0?x toMux0!x toMux0!x
ack0 ack0 In0 In0
toMux0
ack0ch0 In0
46
The router processes: Mux
Mux = Mux = toMux0?x toMux0?x down!x.0 down!x.0 Mux Mux
toMux1?x toMux1?x down!x.1 down!x.1
MuxMux
down
toMux0
toMux1Mux
47
The router processes: DeMux
DeMux = DeMux = up?x up?x
(ack0 (ack0 x == 0x == 0 ack1) ack1) DeMux DeMux
up
ack0
ack1
DeMux
48
CSP
Example: the process graph of a data Example: the process graph of a data acquisition system (NB: no arrows...):acquisition system (NB: no arrows...):
DataSampler
DataAq
DataStore
data_ready
get_data send_data
49
CSP
DataAq: waits until it is notified by the DataAq: waits until it is notified by the sampler that data is ready, then gets and sampler that data is ready, then gets and transforms the data, sends it on to be stored, transforms the data, sends it on to be stored, and repeats: and repeats: DataAq = data_ready DataAq = data_ready get_data get_data
send_data send_data DataAq DataAq Note that the transform is an internal process Note that the transform is an internal process
and is not visible; and is not visible; data_ready, get_data, data_ready, get_data, andand send_datasend_data are events engaged in with other are events engaged in with other processes.processes.
50
CSP
The data sampling process would The data sampling process would engage in the events engage in the events data_readydata_ready and and get_dataget_data::
DataSampler = data_ready DataSampler = data_ready get_data get_data DataSampler DataSampler
Data store engages only in Data store engages only in send_datasend_data::
DataStore = send_data DataStore = send_data DataStore DataStore
51
CSP
We thus have three processes, each of which has We thus have three processes, each of which has an an alphabetalphabet of events in which it can engage: of events in which it can engage: DataSamplerDataSampler: : ASa = ASa = {{data_ready, data_ready,
get_dataget_data}} DataAqDataAq: : ADA = ADA = {{data_ready, get_data, data_ready, get_data,
send_datasend_data}} DataStore: ASt = DataStore: ASt = {{send_datasend_data}}
The entire alphabet of the composite process is The entire alphabet of the composite process is denoted by denoted by . .
52
CSP
The entire data acquisition system would be The entire data acquisition system would be indicated by the indicated by the alphabetized parallel alphabetized parallel composition of the three processes:composition of the three processes:
DAS = DataSample DAS = DataSample ASaASaADAADA DataAq DataAq ADAADAAStASt
DataStoreDataStore Two processes running in alphabetized Two processes running in alphabetized
parallel with each other must agree parallel with each other must agree (synchronize) on events which are common (synchronize) on events which are common to their alphabets.to their alphabets.
53
CSP Details: Trace Semantics
TracesTraces The The tracestraces of a process of a process is the set of all is the set of all
possible sequences of events in which possible sequences of events in which it can engage. it can engage.
The traces of The traces of Data_Store Data_Store areare simple:simple: {{<>, <send_data><>, <send_data>nn, , 00 n n }}<> is the empty trace<> is the empty trace..
54
CSP Details
TracesTraces
DataAqDataAq can have engaged in can have engaged in nono events, or any combination of the events, or any combination of the events events data_ready, get_data, data_ready, get_data, and and send_datasend_data in the in the proper orderproper order::
55
CSP Details
Traces of Traces of DataAq:DataAq:
traces(DataAq) = traces(DataAq) = {{<><>,, <data_ready> <data_ready>,, <data_ready, get_data><data_ready, get_data>,, <data_ready<data_ready,, get_data get_data,, send_data> send_data>nn,, <data_ready<data_ready,, get_data, send_data> get_data, send_data>n n ^ ^ <data_ready><data_ready>,, <data_ready, <data_ready, get_data, send_data>get_data, send_data>nn ^ ^ <data_ready<data_ready,, get_data> get_data>,, 0 0 n n }}
56
CSP Details
Traces specify formally what a process Traces specify formally what a process cancan do - if it does anything at all.do - if it does anything at all.
This is a This is a safetysafety property: the trace property: the trace specification should not allow any specification should not allow any unacceptable operations (e.g., we would not unacceptable operations (e.g., we would not want to allow two stores without an want to allow two stores without an intervening new sample; thus intervening new sample; thus <...send_data, <...send_data, send_data...>send_data...> is ruled out. is ruled out.
57
CSP Details
Traces do not Traces do not forceforce a process do a process do anything. anything.
We force action by We force action by limitinglimiting what a what a process can process can refuserefuse to do. This is a to do. This is a livenessliveness property. property.
58
CSP Details: Failures Semantics
refusal setrefusal set: a set of events which a : a set of events which a process can refuse to engage in process can refuse to engage in regardless of how long they are offered.regardless of how long they are offered.
E.g., the refusal set of E.g., the refusal set of DataAqDataAq after it after it has engaged in has engaged in data_readydata_ready is is {{data_ready, send_datadata_ready, send_data}}..
59
CSP Details
Refusals can be shown nicely on the Refusals can be shown nicely on the transition diagram of transition diagram of DataAqDataAq::
data_ready get_data
send_data
{get_data, send_data}
{data_ready, send_data}
{data_ready, get_data}
60
CSP Details: failures semantics
A A failurefailure is a pair ( is a pair (s, Xs, X), where ), where ss is a is a trace and trace and XX is the set of events that are is the set of events that are refused after that trace.refused after that trace.
We force a process to do the right We force a process to do the right things by specifying the acceptable things by specifying the acceptable failures - thus failures - thus limitinglimiting the failures it can the failures it can exhibit.exhibit.
61
CSP Details
FailuresFailures
E.g., E.g., DataAqDataAq cannot fail to accept a cannot fail to accept a new new data_readydata_ready event after a event after a complete cycle; its failures complete cycle; its failures cannotcannot contain (<contain (<data_ready, get_data, data_ready, get_data, send_data>send_data>nn,, {{data_readydata_ready}).}).
62
CSP Details
tracestraces::specify what specify what cancan be done be done
failuresfailures::specify allowed failuresspecify allowed failures
Together, these guarantee that the Together, these guarantee that the appropriate things appropriate things willwill be done. be done.
We have only to prevent deadlock and We have only to prevent deadlock and livelock...livelock...
63
CSP Details
Deadlock freedom:Deadlock freedom:
A system is deadlock free if, after any A system is deadlock free if, after any possible trace, it cannot refuse the possible trace, it cannot refuse the entire alphabet entire alphabet : :
s . s . ((ss, , ) ) failuresfailures((DASDAS))
64
CSP Details
Livelock (divergence) freedom:Livelock (divergence) freedom: divergencesdivergences of a process: of a process:
the set of traces after which the process the set of traces after which the process can enter an unending series of internal can enter an unending series of internal actions.actions.
A system is divergence free if there are A system is divergence free if there are nono traces after which it can diverge:traces after which it can diverge:
divergencesdivergences((DASDAS)) = = {}{}
65
CSP Details
A complete specification:A complete specification: Acceptable tracesAcceptable traces Acceptable failuresAcceptable failures Deadlock freedomDeadlock freedom Divergence freedomDivergence freedom
These properties can be checked by These properties can be checked by rigorous CASE tools – from FSE Ltd.rigorous CASE tools – from FSE Ltd.
66
CSP Details
RefinementRefinement A specification is often a process that exhibits all A specification is often a process that exhibits all
acceptable implementations - which may be acceptable implementations - which may be overkill, but easy to state.overkill, but easy to state.
Implementation Implementation Q refinesQ refines specification specification PP ( (PP QQ) ) if:if:QQ satisfies the properties of satisfies the properties of PP::
• the traces of the traces of QQ are included in the traces of are included in the traces of PP;;
• the failures of the failures of QQ are included in the failures are included in the failures of of PP..
67
CSP Details
Refinement of a design problem:Refinement of a design problem: Initial specification: Initial specification:
very general (often highly parallel) very general (often highly parallel) correctness easy to verify.correctness easy to verify.
CASE tools:CASE tools:verify that a particular implementation verify that a particular implementation (whose correctness may not be obvious) (whose correctness may not be obvious) properly refines the original properly refines the original specification.specification.
68
CSP Details
Algebraic manipulationsAlgebraic manipulations Objects and operations within CSP form a Objects and operations within CSP form a
rigorous algebra.rigorous algebra. Algebraic manipulations:Algebraic manipulations:
demonstrate the equivalence of demonstrate the equivalence of processesprocesses
transform processes into ones that may transform processes into ones that may be implemented more efficiently.be implemented more efficiently.
69
CSP Details
Algebraic manipulations: simple lawsAlgebraic manipulations: simple laws Alphabetized parallel composition Alphabetized parallel composition
obeys commutative lawsobeys commutative laws
P P AABB QQ = = QQ BBAA PP and associative lawsand associative laws
(P (P AABB QQ) ) BBCC RR = = P P AABB ( (QQ BBCC RR ) ) and many, many more...and many, many more...
70
CSP Details
Algebraic manipulations: step lawsAlgebraic manipulations: step laws
StepStep laws: laws:
convert parallel implementations convert parallel implementations into equivalent sequential (single-into equivalent sequential (single-thread) implementations:thread) implementations:
71
CSP Details
Step law example:Step law example:Assume Assume P =P = ? ?xx::A A P’ P’ and and Q = yQ = y::B B Q’ Q’
P P AABB QQ = ? = ?xx:(:(A A BB)) P’ P’ AABB Q’Q’
xx ( (A A B B)) P’ P’ AABB QQ
xx A A P P AABB Q‘Q‘
Repeated application results in a Repeated application results in a sequence sequence of of events.events.
72
CSP Details
SequentializationSequentialization The parallel composition of the The parallel composition of the DataAqDataAq and and
DataStoreDataStore can be sequentialized - which may can be sequentialized - which may be more efficient on a single processor:be more efficient on a single processor:
DataAq DataAq ADAADAAStASt DataStore = DaDst = DataStore = DaDst = data_ready data_ready get_data get_data send_data send_data DaDstDaDst
The CASE tools will verify that the sequential The CASE tools will verify that the sequential version refines the concurrent version. version refines the concurrent version.
73
CSP Tools
ProBEProBE
Process Behaviour ExplorerProcess Behaviour ExplorerAllows manual stepping through a CSP Allows manual stepping through a CSP
descriptiondescriptionShows events acceptable at each stateShows events acceptable at each stateRecords tracesRecords tracesAllows manual check against Allows manual check against
specificationsspecifications
74
CSP Tools
FDR (a model checker)FDR (a model checker)Failures-Divergences-RefinementFailures-Divergences-Refinement
Mathematically tests for:Mathematically tests for:• Refinement of one process against Refinement of one process against
anotheranother–TracesTraces–FailuresFailures–DivergencesDivergences
• Deadlock freedomDeadlock freedom• Divergence freedomDivergence freedom
75
CSP Compatibility
““My work group uses the (Yourdon, My work group uses the (Yourdon, Booch, UML, PowerBuilder, Delphi… Booch, UML, PowerBuilder, Delphi… software development system); can I software development system); can I still use CSP?”still use CSP?”
Certainly – CSP can be used Certainly – CSP can be used whereverwherever you design with processes that interact you design with processes that interact onlyonly via CSP-style explicit events. via CSP-style explicit events.
76
CSP Compatibility
““CSP seems to be based on message passing;CSP seems to be based on message passing;
Can I use it with locks, critical sections,Can I use it with locks, critical sections,
semaphores, mutexes and/or monitors???”semaphores, mutexes and/or monitors???”
Absolutely! As long as your processes interactAbsolutely! As long as your processes interact
onlyonly via explicit locks, mutexes, etc., CSP can via explicit locks, mutexes, etc., CSP can
describe them – and prove them.describe them – and prove them.
77
Mutex
CSP Modeling of shared-memory CSP Modeling of shared-memory primitives:primitives:
MutexMutex
claim mutex1;claim mutex1;
modify shared variable;modify shared variable;
release mutex1;release mutex1;
78
Mutex
A CSP mutex process:A CSP mutex process:
Mutex1 = Mutex1 = claim claim release release Mutex1 Mutex1
The process will not allow a second claim The process will not allow a second claim until a prior claim has been followed by a until a prior claim has been followed by a release.release.
79
Mutex
Weaknesses:Weaknesses: Compiler Compiler does not requiredoes not require use of mutex to use of mutex to
access shared variables.access shared variables. A process may neglect to release the A process may neglect to release the
mutex, thus holding up further (proper) mutex, thus holding up further (proper) accesses.accesses.
80
Mutex
A better version that allows only the process A better version that allows only the process making the claim to complete the release:making the claim to complete the release:
RMutex = RMutex =
claim?ProcID claim?ProcID release!ProcID release!ProcID
RmutexRmutex
81
Mutex
Use of the better mutex:Use of the better mutex:
Proc 29:Proc 29:
claim!29;claim!29;
modify shared variable;modify shared variable;
release?29;release?29;
82
But the CSP way is still better:
The “shared” variable is modifiable The “shared” variable is modifiable onlyonly by a single process:by a single process:
Robust(x) = Robust(x) =
ModifyX?y ModifyX?y Robust(x + y) Robust(x + y)
83
Semaphores
Definitions Definitions
((x;x;: operation x is atomic): operation x is atomic)
Claim semaphore s:Claim semaphore s:
P(s): P(s): await (s > 0) s = s – 1;await (s > 0) s = s – 1;
Release semaphore s:Release semaphore s:
V(s): V(s): s = s + 1;s = s + 1;
84
Semaphores
A semaphore process (initialized to s = 1):A semaphore process (initialized to s = 1):
SemA SemA = SemA1(1)= SemA1(1)
SemA1(s) SemA1(s) = =
(pA (pA SemA1(s-1)) SemA1(s-1)) s > 0 s > 0 STOP STOP
[][](vA (vA SemA1(s + 1)) SemA1(s + 1))
85
Summary 1
Thirty+ years of experience shows thatThirty+ years of experience shows that Complex applications are generally Complex applications are generally farfar
easier to design as systems of easier to design as systems of many (2 – 2000) small, simple many (2 – 2000) small, simple
processes processes that interact that interact onlyonly via explicit events. via explicit events.
Careless use of shared memory can lead Careless use of shared memory can lead to designs that to designs that are extremely difficult to implementare extremely difficult to implementare not verifiableare not verifiableare wrong!are wrong!
86
Summary 2
CSP + Tools:CSP + Tools: Clean, simple specification of concurrent Clean, simple specification of concurrent
systemssystems Rigorous verification against specificationsRigorous verification against specifications Proof of deadlock and livelock freedomProof of deadlock and livelock freedom Verifiable conversion between concurrent Verifiable conversion between concurrent
and single-threaded implementationsand single-threaded implementations Works with Works with anyany process-oriented process-oriented
development system.development system.
87
CSP Applications
Real-time & embedded systemsReal-time & embedded systems Communications managementCommunications management Communications security protocolsCommunications security protocols Digital design – from gate-level through Digital design – from gate-level through
FPGAs to multiple systems on a chipFPGAs to multiple systems on a chip Parallel numerical applicationsParallel numerical applications Algorithm developmentAlgorithm development
88
Related USU Projects
Creation of Java code directly from CSPCreation of Java code directly from CSPE.g., the simple routerE.g., the simple router
Automatic conversion of CSP from Automatic conversion of CSP from parallel to sequentialparallel to sequential
Compilation of Java to VHDL/FPGACompilation of Java to VHDL/FPGA Automatic generation of Automatic generation of
JCSP/CTJ/CCSP directly from CSPJCSP/CTJ/CCSP directly from CSP Analysis of internet protocolsAnalysis of internet protocols
89
Courses: ECE 5740ECE 5740
Concurrent Programming (under Win32)Concurrent Programming (under Win32) FallFall
ECE 6750ECE 6750 Concurrent Systems Engineering I (CSP I; Java)Concurrent Systems Engineering I (CSP I; Java) SpringSpring
ECE 7710ECE 7710 Concurrent Systems Engineering II (CSP II; Java, C)Concurrent Systems Engineering II (CSP II; Java, C) Add real-time specificationsAdd real-time specifications Alternate Fall (next: 2002)Alternate Fall (next: 2002)
ECE 6760ECE 6760 Fault Tolerant SystemsFault Tolerant Systems Alternates with 7710Alternates with 7710
90
Remember:
Breaking a project into many small, Breaking a project into many small, interacting modules leads to an easier and interacting modules leads to an easier and more robust design.more robust design.
There There isis added overhead required to manage added overhead required to manage the interaction – the interaction – butbut::
the total time to the final solution will be the total time to the final solution will be farfar less and the result will be less and the result will be farfar better! better!
The solutions have been known for decades The solutions have been known for decades – and now there are CASE tools for support.– and now there are CASE tools for support.
91
References Per Brinch Hansen, Java's insecure parallelism, Per Brinch Hansen, Java's insecure parallelism, ACM SIGPLAN ACM SIGPLAN
NoticesNotices 34(4), pp. 38-45, April 1999. 34(4), pp. 38-45, April 1999. C. A. Hoare, Communicating sequential processes, C. A. Hoare, Communicating sequential processes, CACMCACM, 21(8), pp. , 21(8), pp.
666-677, August 1978. 666-677, August 1978. C. A. Hoare, C. A. Hoare, Communicating Sequential ProcessesCommunicating Sequential Processes, Prentice-Hall, , Prentice-Hall,
London, 1985.London, 1985. A. W. Roscoe, A. W. Roscoe, The Theory and Practice of ConcurrencyThe Theory and Practice of Concurrency, Prentice-, Prentice-
Hall, London, 1998.Hall, London, 1998. Steve Schneider, Steve Schneider, Concurrency and Real-time SystemsConcurrency and Real-time Systems, Wiley, , Wiley,
Chichester, 2000.Chichester, 2000. Gregory R. Andrews, Gregory R. Andrews, Foundations of Multithreaded, Parallel, and Foundations of Multithreaded, Parallel, and
Distributed ProgrammingDistributed Programming, Addison Wesley, New York, 2000., Addison Wesley, New York, 2000.