Concurrent Systems, CSP, and FDR

Concurrent Systems, CSP, and FDR

Dyke Stiles & Don RiceDyke Stiles & Don Rice

[email protected]@ece.usu.eduhttp://www.engineering.usu.edu/ece/http://www.engineering.usu.edu/ece/

Utah State UniversityUtah State University

June 2002June 2002

2

Why Concurrent Systems Design??

Many systems are naturally concurrent!!Many systems are naturally concurrent!! Better engineering:Better engineering:

Modularity: break into small partsModularity: break into small parts Simplicity: small parts easier!!Simplicity: small parts easier!!

Reliability & Fault ToleranceReliability & Fault Tolerance Speed – on multiple processorsSpeed – on multiple processors

3

What Are Concurrent Systems?Any system where tasks run concurrentlyAny system where tasks run concurrently

time-sliced on one processortime-sliced on one processor and/or on multiple processorsand/or on multiple processors

4

Concurrent Systems

Time-sliced examples:Time-sliced examples: Multiple independent jobsMultiple independent jobs

Operating systemOperating system• comms, I/O, user managementcomms, I/O, user management

Multiple users’ jobsMultiple users’ jobs Multithreading within one jobMultithreading within one job

C++C++JavaJavaC#C#

5

Concurrent Systems

Multiprocessor examples:Multiprocessor examples: Distributed memory (message-Distributed memory (message-

passing) systems (e.g, Intel, NCube)passing) systems (e.g, Intel, NCube) Shared memory systems (e.g., Sun)Shared memory systems (e.g., Sun)

6

Concurrent Systems

Example applicationsExample applications

Numerical computation on Numerical computation on multiprocessorsmultiprocessorstypically regular communication typically regular communication

patternspatternsrelatively easy to handlerelatively easy to handle

7

Concurrent SystemsExample applicationsExample applications

Real-time systems on multiple processorsReal-time systems on multiple processorse.g., flight control, communications routerse.g., flight control, communications routers irregular communication, often in closed irregular communication, often in closed

loopsloopsdifficult to get correctdifficult to get correctmay be prone to deadlock and livelock may be prone to deadlock and livelock

8

Concurrent Systems

Example applicationsExample applicationsSystem routines on one multiprocessor nodeSystem routines on one multiprocessor node

Manage multiple user tasksManage multiple user tasksManage communicationsManage communications

• Route messages between tasks on nodeRoute messages between tasks on node• Route messages to tasks on other nodesRoute messages to tasks on other nodes• Manage multiple links to other nodesManage multiple links to other nodes• Manage I/O, interrupts, etc.Manage I/O, interrupts, etc.

9

Concurrent Systems

Example applicationsExample applications

System routines on one multiprocessor nodeSystem routines on one multiprocessor node

Router

Task Manager

U0 U5

10

Concurrent Systems

Example: complete routing systemExample: complete routing system

11

What Is “difficult” about systems of concurrent interacting tasks? CorrectnessCorrectness DeadlockDeadlock LivelockLivelock

Managing these problems requires some Managing these problems requires some extra effort – but the total effort is extra effort – but the total effort is farfar less and less and the resulting code is the resulting code is farfar more reliable and more reliable and farfar easier to maintain!!!easier to maintain!!!

12

Why is Correctness an Issue?

Multiple processes execute their instructions more or Multiple processes execute their instructions more or less at the same time.less at the same time.

The actual operations may interleave in time in a The actual operations may interleave in time in a great number of ways:great number of ways: For For nn processes with processes with mm instructions, there are instructions, there are

((nmnm)!/()!/(mm!)^!)^nn interleavings. interleavings. Two processes of 10 instructions each have Two processes of 10 instructions each have

184,756 interleavings!!184,756 interleavings!! The number of interleavings is astronomical for The number of interleavings is astronomical for

reasonable programs reasonable programs complete testing is complete testing is notnot possible!!!possible!!!

13

Correctness

Example: the bank balance problemExample: the bank balance problemATM:ATM:

fetch balancefetch balancebalance = balance – $100balance = balance – $100store balancestore balance

Payroll Computer:Payroll Computer:fetch balancefetch balancebalance = balance + $1000balance = balance + $1000store balancestore balance

14

Bank BalanceOriginal balance = $1000Original balance = $1000

Interleaving 1:Interleaving 1:ATMATM Payroll ComputerPayroll Computer

tt11 fetch $1000fetch $1000tt22 balance = $1000 - $100balance = $1000 - $100tt33 store $900store $900tt44 fetch $900fetch $900tt55 balance = $900 + $1000balance = $900 + $1000tt66 store $1900store $1900

Final balance = $1900: Correct! Final balance = $1900: Correct!

15

Bank BalanceOriginal balance = $1000Original balance = $1000

Interleaving 2:Interleaving 2:ATMATM Payroll ComputerPayroll Computer

tt11 fetch $1000fetch $1000tt22 fetch $1000fetch $1000tt33 balance = $1000 + $1000balance = $1000 + $1000tt44 store $2000store $2000tt55 balance = $1000 - $100balance = $1000 - $100tt66 store $900store $900

Final balance = $900: Final balance = $900: WRONG!WRONG!

16

Bank Balance

Only Only 22 of the of the twentytwenty possible possible interleavings are correct!!interleavings are correct!!

Concurrent systems Concurrent systems mustmust have some have some means of guaranteeing that operations means of guaranteeing that operations in different processes are executed in in different processes are executed in the proper order. the proper order.

17

Deadlock

All processes stopped:All processes stopped:

• often because each is waiting for often because each is waiting for an action of another processan action of another process

• processes cannot proceed until processes cannot proceed until action occursaction occurs

18

Deadlock

Example: Shared ResourceExample: Shared ResourceTwo processes wish to print disk files. Two processes wish to print disk files. Neither can proceed until it controls both the Neither can proceed until it controls both the printer and the disk; one requests the disk printer and the disk; one requests the disk first, the other the printer first:first, the other the printer first:

Proc AProc A Proc BProc Bt1t1 acquire disk acquire diskt2t2 acquire acquire

printerprintert3t3 try to acquire printer try to acquire printer DEADLOCK!!DEADLOCK!!

19

Livelock

Program performs an infinite unbroken Program performs an infinite unbroken sequence of internal actionssequence of internal actions

Refuses (unable) to interact with its Refuses (unable) to interact with its environment.environment.

Outward appearance is similar to deadlock - Outward appearance is similar to deadlock - but the internal causes differ significantly.but the internal causes differ significantly.

Example: two processes get stuck sending Example: two processes get stuck sending error messages to each other. error messages to each other.

20

Concurrent Design Requires:

Means to guarantee correct ordering of Means to guarantee correct ordering of operationsoperations

Protocols to avoid and tools to detectProtocols to avoid and tools to detect DeadlockDeadlock LivelockLivelock

21

Possible Solutions

LocksLocks Mutual Exclusion (mutexes)Mutual Exclusion (mutexes) Critical SectionsCritical Sections SempahoresSempahores

……but these have problems:but these have problems:

22

The problems:

1. It is the responsibility of the user to use 1. It is the responsibility of the user to use the protocols appropriately – or at all!!the protocols appropriately – or at all!!

2. These are 2-part protocols:2. These are 2-part protocols:

claim_mutex claim_mutex update balance update balance release_mutex release_mutex

If either claim or release (or both) is If either claim or release (or both) is skipped, serious problems can arise.skipped, serious problems can arise.

23

A better solution: monitors

True monitors (Hoare 1974) are True monitors (Hoare 1974) are requiredrequired to to access any shared object; this is enforced by access any shared object; this is enforced by the compiler.the compiler.

The monitor protocol requires only a The monitor protocol requires only a singlesingle operation; e.g., operation; e.g., deposit (amount).deposit (amount).

But: monitors are passive, run in the caller’s But: monitors are passive, run in the caller’s thread, and nesting can be complex.thread, and nesting can be complex.

24

CSP: An even better solution

Communicating Sequential Processes (CSP: Hoare Communicating Sequential Processes (CSP: Hoare 1978)1978) Processes interact Processes interact onlyonly via explicit blocking via explicit blocking

events.events. Blocking: Blocking: neitherneither process proceeds until process proceeds until bothboth

processes have reached the event.processes have reached the event. There is absolutely There is absolutely nono use of shared variables use of shared variables

outside of events.outside of events. A single-part protocol.A single-part protocol. Processes run in their own threads.Processes run in their own threads. Can be done - with care – using semaphores, Can be done - with care – using semaphores,

wait, etc.wait, etc.

25

CSP

A A process algebraprocess algebra – –Provides formal (mathematical) means and Provides formal (mathematical) means and CASE tools forCASE tools for

Describing systems of interacting Describing systems of interacting concurrent processesconcurrent processes

Proving properties of concurrent systemsProving properties of concurrent systems• Agreement with specificationsAgreement with specifications• Deadlock freedomDeadlock freedom• Divergence freedomDivergence freedom

26

CSP Design Philosophy

Complex applications are generally Complex applications are generally farfar easier easier to design as systems of to design as systems of many small, simple processes many small, simple processes that interact that interact onlyonly via explicit events. via explicit events.

Unconstrained use of shared memory can Unconstrained use of shared memory can lead to designs that lead to designs that are extremely difficult to implementare extremely difficult to implement are not verifiableare not verifiable

27

CSP Design Example

Virtual Channel SystemVirtual Channel System Two processes must be able to send Two processes must be able to send

identifiable messages over a single wire.identifiable messages over a single wire. Solution: append channel identifier to Solution: append channel identifier to

messages, and wait for ack to control flow.messages, and wait for ack to control flow.

data.i

ack.i

P0

P1

router

28

CSP Design Example

Router: single process designRouter: single process design Software state machineSoftware state machine State variables are the message states:State variables are the message states:

0: waiting to input0: waiting to input1: waiting to send downstream1: waiting to send downstream2: waiting for ack2: waiting for ack

Result: 3 x 3 = 9 state case statementResult: 3 x 3 = 9 state case statement

29

CSP Design Example

Router: single process designRouter: single process design

Example case clause:Example case clause:

(S0 = input0, S1 = input1): Read(channel0, channel1)

If (channel0)

write data.0

S0 = send0;

Else

write data.1

S1 = send1;

30

CSP Design Example

Router: single process designRouter: single process design Nine states – not too bad, but complex Nine states – not too bad, but complex

enough to require care in the enough to require care in the implementation.implementation.

But: if we add another input, it goes to 27 But: if we add another input, it goes to 27 states, and a fourth gives us 81 states!!!states, and a fourth gives us 81 states!!!

What are your odds of getting this right the What are your odds of getting this right the first time?first time?

Would debugging 81 states be much Would debugging 81 states be much fun???fun???

31

CSP Design Example

Router: multiple process designRouter: multiple process design One process to monitor each input One process to monitor each input

and wait for the ack (these are and wait for the ack (these are identical)identical)

One multiplexer process to send the One multiplexer process to send the inputs downstreaminputs downstream

One demultiplexer process to accept One demultiplexer process to accept and distribute the acksand distribute the acks

32

CSP Design Example

Router: multiple process design: block Router: multiple process design: block diagram: 4 small modulesdiagram: 4 small modules

Input 0

Input 1

Mux

DeMux

down

up

33

CSP Design Example

Router: multiple process designRouter: multiple process design

Input process:Input process:

While (true)

read input;

write input to Mux;

wait for ack from DeMux;

34

CSP Design Example


Mux processMux process

While (true)

read (input0.data, input1.data)

if (input0) write data.0

else write data.1;

35

CSP Design Example


DeMux processDeMux process

While (true)

read ack;

if (ack == 0) write ack0

else write ack1;

36

CSP Design Example

Router:multiple process design; SummaryRouter:multiple process design; Summary Three processes – 4 lines each!!Three processes – 4 lines each!! Add another input?Add another input?

Add one input processAdd one input processMux modified to look at 3 inputsMux modified to look at 3 inputsDemux modified to handle 3 different Demux modified to handle 3 different

acksacks Which implementation would you rather Which implementation would you rather

build?build?

37

Formal Methods

Formal methods: mathematical means for Formal methods: mathematical means for designing and proving properties of systems.designing and proving properties of systems.

Such techniques have been in use for Such techniques have been in use for decades in decades in Analog electronicsAnalog electronics

Filter design: passband, roll-off, etcFilter design: passband, roll-off, etcControls: response time, phase Controls: response time, phase

characteristicscharacteristics

38

Formal Methods

Digital designDigital designLogic minimizationLogic minimizationLogical description to gate designLogical description to gate designFormal language description of Formal language description of

algorithm to VLSI masksalgorithm to VLSI masks

(e.g., floating-point processor (e.g., floating-point processor design)design)

39

Formal Methods

Two methods of formal design:Two methods of formal design:

1. 1. DeriveDerive a design from the a design from the specifications.specifications.

2. 2. AssumeAssume a design and prove that it a design and prove that it meets the specifications.meets the specifications.

40

CSP

CSP: deals CSP: deals onlyonly with interactions with interactions between processes.between processes.

CSP: does CSP: does notnot deal (easily) with the deal (easily) with the internal behavior of processes.internal behavior of processes.

Hence other software engineering Hence other software engineering techniques must be used to develop & techniques must be used to develop & verify the internal workings of verify the internal workings of processes.processes.

41

CSP

The two components of CSP systems:The two components of CSP systems: ProcessesProcesses: indicated by upper-case: : indicated by upper-case:

PP,, Q Q,, R R,, … … EventsEvents: indicated by lower-case: : indicated by lower-case: aa,, b b,,

cc,, … …

42

CSP

Example: a process Example: a process PP engages in events engages in events aa,, b b,, c c,, a a,, and then and then STOPSTOPs:s:

P = a P = a b b c c a a STOP STOP

““” ” is the is the prefixprefix operator; operator;

STOPSTOP is a special process that never is a special process that never engages in any event.engages in any event.

43

CSP Example

A practical example: a simple pop machine A practical example: a simple pop machine accepts a coin, returns a can of pop, and then accepts a coin, returns a can of pop, and then repeats:repeats: PM = coin PM = coin pop pop PM PM Note the recursive definition - which is Note the recursive definition - which is

acceptable; substituting the acceptable; substituting the rhsrhs for the for the occurrence of occurrence of PM PM in the in the rhsrhs, we get, we get

PM = coin PM = coin pop pop coin coin pop pop PM PM (RT processes are often non-terminating.)(RT processes are often non-terminating.)

44

CSP Example

The router:The router:

ch0toMux0

ack1

In0

ch1 In1

Mux

DeMux

ack0

down

up

toMux1

45

The router processes: Input

In0 = In0 = ch0?x ch0?x toMux0!x toMux0!x

ack0 ack0 In0 In0

toMux0

ack0ch0 In0

46

The router processes: Mux

Mux = Mux = toMux0?x toMux0?x down!x.0 down!x.0 Mux Mux

toMux1?x toMux1?x down!x.1 down!x.1

MuxMux

down

toMux0

toMux1Mux

47

The router processes: DeMux

DeMux = DeMux = up?x up?x

(ack0 (ack0 x == 0x == 0 ack1) ack1) DeMux DeMux

up

ack0

ack1

DeMux

48

CSP

Example: the process graph of a data Example: the process graph of a data acquisition system (NB: no arrows...):acquisition system (NB: no arrows...):

DataSampler

DataAq

DataStore

data_ready

get_data send_data

49

CSP

DataAq: waits until it is notified by the DataAq: waits until it is notified by the sampler that data is ready, then gets and sampler that data is ready, then gets and transforms the data, sends it on to be stored, transforms the data, sends it on to be stored, and repeats: and repeats: DataAq = data_ready DataAq = data_ready get_data get_data

send_data send_data DataAq DataAq Note that the transform is an internal process Note that the transform is an internal process

and is not visible; and is not visible; data_ready, get_data, data_ready, get_data, andand send_datasend_data are events engaged in with other are events engaged in with other processes.processes.

50

CSP

The data sampling process would The data sampling process would engage in the events engage in the events data_readydata_ready and and get_dataget_data::

DataSampler = data_ready DataSampler = data_ready get_data get_data DataSampler DataSampler

Data store engages only in Data store engages only in send_datasend_data::

DataStore = send_data DataStore = send_data DataStore DataStore

51

CSP

We thus have three processes, each of which has We thus have three processes, each of which has an an alphabetalphabet of events in which it can engage: of events in which it can engage: DataSamplerDataSampler: : ASa = ASa = {{data_ready, data_ready,

get_dataget_data}} DataAqDataAq: : ADA = ADA = {{data_ready, get_data, data_ready, get_data,

send_datasend_data}} DataStore: ASt = DataStore: ASt = {{send_datasend_data}}

The entire alphabet of the composite process is The entire alphabet of the composite process is denoted by denoted by . .

52

CSP

The entire data acquisition system would be The entire data acquisition system would be indicated by the indicated by the alphabetized parallel alphabetized parallel composition of the three processes:composition of the three processes:

DAS = DataSample DAS = DataSample ASaASaADAADA DataAq DataAq ADAADAAStASt

DataStoreDataStore Two processes running in alphabetized Two processes running in alphabetized

parallel with each other must agree parallel with each other must agree (synchronize) on events which are common (synchronize) on events which are common to their alphabets.to their alphabets.

53

CSP Details: Trace Semantics

TracesTraces The The tracestraces of a process of a process is the set of all is the set of all

possible sequences of events in which possible sequences of events in which it can engage. it can engage.

The traces of The traces of Data_Store Data_Store areare simple:simple: {{<>, <send_data><>, <send_data>nn, , 00 n n }}<> is the empty trace<> is the empty trace..

54

CSP Details

TracesTraces

DataAqDataAq can have engaged in can have engaged in nono events, or any combination of the events, or any combination of the events events data_ready, get_data, data_ready, get_data, and and send_datasend_data in the in the proper orderproper order::

55

CSP Details

Traces of Traces of DataAq:DataAq:

traces(DataAq) = traces(DataAq) = {{<><>,, <data_ready> <data_ready>,, <data_ready, get_data><data_ready, get_data>,, <data_ready<data_ready,, get_data get_data,, send_data> send_data>nn,, <data_ready<data_ready,, get_data, send_data> get_data, send_data>n n ^ ^ <data_ready><data_ready>,, <data_ready, <data_ready, get_data, send_data>get_data, send_data>nn ^ ^ <data_ready<data_ready,, get_data> get_data>,, 0 0 n n }}

56

CSP Details

Traces specify formally what a process Traces specify formally what a process cancan do - if it does anything at all.do - if it does anything at all.

This is a This is a safetysafety property: the trace property: the trace specification should not allow any specification should not allow any unacceptable operations (e.g., we would not unacceptable operations (e.g., we would not want to allow two stores without an want to allow two stores without an intervening new sample; thus intervening new sample; thus <...send_data, <...send_data, send_data...>send_data...> is ruled out. is ruled out.

57

CSP Details

Traces do not Traces do not forceforce a process do a process do anything. anything.

We force action by We force action by limitinglimiting what a what a process can process can refuserefuse to do. This is a to do. This is a livenessliveness property. property.

58

CSP Details: Failures Semantics

refusal setrefusal set: a set of events which a : a set of events which a process can refuse to engage in process can refuse to engage in regardless of how long they are offered.regardless of how long they are offered.

E.g., the refusal set of E.g., the refusal set of DataAqDataAq after it after it has engaged in has engaged in data_readydata_ready is is {{data_ready, send_datadata_ready, send_data}}..

59

CSP Details

Refusals can be shown nicely on the Refusals can be shown nicely on the transition diagram of transition diagram of DataAqDataAq::

data_ready get_data

send_data

{get_data, send_data}

{data_ready, send_data}

{data_ready, get_data}

60

CSP Details: failures semantics

A A failurefailure is a pair ( is a pair (s, Xs, X), where ), where ss is a is a trace and trace and XX is the set of events that are is the set of events that are refused after that trace.refused after that trace.

We force a process to do the right We force a process to do the right things by specifying the acceptable things by specifying the acceptable failures - thus failures - thus limitinglimiting the failures it can the failures it can exhibit.exhibit.

61

CSP Details

FailuresFailures

E.g., E.g., DataAqDataAq cannot fail to accept a cannot fail to accept a new new data_readydata_ready event after a event after a complete cycle; its failures complete cycle; its failures cannotcannot contain (<contain (<data_ready, get_data, data_ready, get_data, send_data>send_data>nn,, {{data_readydata_ready}).}).

62

CSP Details

tracestraces::specify what specify what cancan be done be done

failuresfailures::specify allowed failuresspecify allowed failures

Together, these guarantee that the Together, these guarantee that the appropriate things appropriate things willwill be done. be done.

We have only to prevent deadlock and We have only to prevent deadlock and livelock...livelock...

63

CSP Details

Deadlock freedom:Deadlock freedom:

A system is deadlock free if, after any A system is deadlock free if, after any possible trace, it cannot refuse the possible trace, it cannot refuse the entire alphabet entire alphabet : :

s . s . ((ss, , ) ) failuresfailures((DASDAS))

64

CSP Details

Livelock (divergence) freedom:Livelock (divergence) freedom: divergencesdivergences of a process: of a process:

the set of traces after which the process the set of traces after which the process can enter an unending series of internal can enter an unending series of internal actions.actions.

A system is divergence free if there are A system is divergence free if there are nono traces after which it can diverge:traces after which it can diverge:

divergencesdivergences((DASDAS)) = = {}{}

65

CSP Details

A complete specification:A complete specification: Acceptable tracesAcceptable traces Acceptable failuresAcceptable failures Deadlock freedomDeadlock freedom Divergence freedomDivergence freedom

These properties can be checked by These properties can be checked by rigorous CASE tools – from FSE Ltd.rigorous CASE tools – from FSE Ltd.

66

CSP Details

RefinementRefinement A specification is often a process that exhibits all A specification is often a process that exhibits all

acceptable implementations - which may be acceptable implementations - which may be overkill, but easy to state.overkill, but easy to state.

Implementation Implementation Q refinesQ refines specification specification PP ( (PP QQ) ) if:if:QQ satisfies the properties of satisfies the properties of PP::

• the traces of the traces of QQ are included in the traces of are included in the traces of PP;;

• the failures of the failures of QQ are included in the failures are included in the failures of of PP..

67

CSP Details

Refinement of a design problem:Refinement of a design problem: Initial specification: Initial specification:

very general (often highly parallel) very general (often highly parallel) correctness easy to verify.correctness easy to verify.

CASE tools:CASE tools:verify that a particular implementation verify that a particular implementation (whose correctness may not be obvious) (whose correctness may not be obvious) properly refines the original properly refines the original specification.specification.

68

CSP Details

Algebraic manipulationsAlgebraic manipulations Objects and operations within CSP form a Objects and operations within CSP form a

rigorous algebra.rigorous algebra. Algebraic manipulations:Algebraic manipulations:

demonstrate the equivalence of demonstrate the equivalence of processesprocesses

transform processes into ones that may transform processes into ones that may be implemented more efficiently.be implemented more efficiently.

69

CSP Details

Algebraic manipulations: simple lawsAlgebraic manipulations: simple laws Alphabetized parallel composition Alphabetized parallel composition

obeys commutative lawsobeys commutative laws

P P AABB QQ = = QQ BBAA PP and associative lawsand associative laws

(P (P AABB QQ) ) BBCC RR = = P P AABB ( (QQ BBCC RR ) ) and many, many more...and many, many more...

70

CSP Details

Algebraic manipulations: step lawsAlgebraic manipulations: step laws

StepStep laws: laws:

convert parallel implementations convert parallel implementations into equivalent sequential (single-into equivalent sequential (single-thread) implementations:thread) implementations:

71

CSP Details

Step law example:Step law example:Assume Assume P =P = ? ?xx::A A P’ P’ and and Q = yQ = y::B B Q’ Q’

P P AABB QQ = ? = ?xx:(:(A A BB)) P’ P’ AABB Q’Q’

xx ( (A A B B)) P’ P’ AABB QQ

xx A A P P AABB Q‘Q‘

Repeated application results in a Repeated application results in a sequence sequence of of events.events.

72

CSP Details

SequentializationSequentialization The parallel composition of the The parallel composition of the DataAqDataAq and and

DataStoreDataStore can be sequentialized - which may can be sequentialized - which may be more efficient on a single processor:be more efficient on a single processor:

DataAq DataAq ADAADAAStASt DataStore = DaDst = DataStore = DaDst = data_ready data_ready get_data get_data send_data send_data DaDstDaDst

The CASE tools will verify that the sequential The CASE tools will verify that the sequential version refines the concurrent version. version refines the concurrent version.

73

CSP Tools

ProBEProBE

Process Behaviour ExplorerProcess Behaviour ExplorerAllows manual stepping through a CSP Allows manual stepping through a CSP

descriptiondescriptionShows events acceptable at each stateShows events acceptable at each stateRecords tracesRecords tracesAllows manual check against Allows manual check against

specificationsspecifications

74

CSP Tools

FDR (a model checker)FDR (a model checker)Failures-Divergences-RefinementFailures-Divergences-Refinement

Mathematically tests for:Mathematically tests for:• Refinement of one process against Refinement of one process against

anotheranother–TracesTraces–FailuresFailures–DivergencesDivergences

• Deadlock freedomDeadlock freedom• Divergence freedomDivergence freedom

75

CSP Compatibility

““My work group uses the (Yourdon, My work group uses the (Yourdon, Booch, UML, PowerBuilder, Delphi… Booch, UML, PowerBuilder, Delphi… software development system); can I software development system); can I still use CSP?”still use CSP?”

Certainly – CSP can be used Certainly – CSP can be used whereverwherever you design with processes that interact you design with processes that interact onlyonly via CSP-style explicit events. via CSP-style explicit events.

76

CSP Compatibility

““CSP seems to be based on message passing;CSP seems to be based on message passing;

Can I use it with locks, critical sections,Can I use it with locks, critical sections,

semaphores, mutexes and/or monitors???”semaphores, mutexes and/or monitors???”

Absolutely! As long as your processes interactAbsolutely! As long as your processes interact

onlyonly via explicit locks, mutexes, etc., CSP can via explicit locks, mutexes, etc., CSP can

describe them – and prove them.describe them – and prove them.

77

Mutex

CSP Modeling of shared-memory CSP Modeling of shared-memory primitives:primitives:

MutexMutex

claim mutex1;claim mutex1;

modify shared variable;modify shared variable;

release mutex1;release mutex1;

78

Mutex

A CSP mutex process:A CSP mutex process:

Mutex1 = Mutex1 = claim claim release release Mutex1 Mutex1

The process will not allow a second claim The process will not allow a second claim until a prior claim has been followed by a until a prior claim has been followed by a release.release.

79

Mutex

Weaknesses:Weaknesses: Compiler Compiler does not requiredoes not require use of mutex to use of mutex to

access shared variables.access shared variables. A process may neglect to release the A process may neglect to release the

mutex, thus holding up further (proper) mutex, thus holding up further (proper) accesses.accesses.

80

Mutex

A better version that allows only the process A better version that allows only the process making the claim to complete the release:making the claim to complete the release:

RMutex = RMutex =

claim?ProcID claim?ProcID release!ProcID release!ProcID

RmutexRmutex

81

Mutex

Use of the better mutex:Use of the better mutex:

Proc 29:Proc 29:

claim!29;claim!29;

modify shared variable;modify shared variable;

release?29;release?29;

82

But the CSP way is still better:

The “shared” variable is modifiable The “shared” variable is modifiable onlyonly by a single process:by a single process:

Robust(x) = Robust(x) =

ModifyX?y ModifyX?y Robust(x + y) Robust(x + y)

83

Semaphores

Definitions Definitions

((x;x;: operation x is atomic): operation x is atomic)

Claim semaphore s:Claim semaphore s:

P(s): P(s): await (s > 0) s = s – 1;await (s > 0) s = s – 1;

Release semaphore s:Release semaphore s:

V(s): V(s): s = s + 1;s = s + 1;

84

Semaphores

A semaphore process (initialized to s = 1):A semaphore process (initialized to s = 1):

SemA SemA = SemA1(1)= SemA1(1)

SemA1(s) SemA1(s) = =

(pA (pA SemA1(s-1)) SemA1(s-1)) s > 0 s > 0 STOP STOP

[][](vA (vA SemA1(s + 1)) SemA1(s + 1))

85

Summary 1

Thirty+ years of experience shows thatThirty+ years of experience shows that Complex applications are generally Complex applications are generally farfar

easier to design as systems of easier to design as systems of many (2 – 2000) small, simple many (2 – 2000) small, simple

processes processes that interact that interact onlyonly via explicit events. via explicit events.

Careless use of shared memory can lead Careless use of shared memory can lead to designs that to designs that are extremely difficult to implementare extremely difficult to implementare not verifiableare not verifiableare wrong!are wrong!

86

Summary 2

CSP + Tools:CSP + Tools: Clean, simple specification of concurrent Clean, simple specification of concurrent

systemssystems Rigorous verification against specificationsRigorous verification against specifications Proof of deadlock and livelock freedomProof of deadlock and livelock freedom Verifiable conversion between concurrent Verifiable conversion between concurrent

and single-threaded implementationsand single-threaded implementations Works with Works with anyany process-oriented process-oriented

development system.development system.

87

CSP Applications

Real-time & embedded systemsReal-time & embedded systems Communications managementCommunications management Communications security protocolsCommunications security protocols Digital design – from gate-level through Digital design – from gate-level through

FPGAs to multiple systems on a chipFPGAs to multiple systems on a chip Parallel numerical applicationsParallel numerical applications Algorithm developmentAlgorithm development

88

Related USU Projects

Creation of Java code directly from CSPCreation of Java code directly from CSPE.g., the simple routerE.g., the simple router

Automatic conversion of CSP from Automatic conversion of CSP from parallel to sequentialparallel to sequential

Compilation of Java to VHDL/FPGACompilation of Java to VHDL/FPGA Automatic generation of Automatic generation of

JCSP/CTJ/CCSP directly from CSPJCSP/CTJ/CCSP directly from CSP Analysis of internet protocolsAnalysis of internet protocols

89

Courses: ECE 5740ECE 5740

Concurrent Programming (under Win32)Concurrent Programming (under Win32) FallFall

ECE 6750ECE 6750 Concurrent Systems Engineering I (CSP I; Java)Concurrent Systems Engineering I (CSP I; Java) SpringSpring

ECE 7710ECE 7710 Concurrent Systems Engineering II (CSP II; Java, C)Concurrent Systems Engineering II (CSP II; Java, C) Add real-time specificationsAdd real-time specifications Alternate Fall (next: 2002)Alternate Fall (next: 2002)

ECE 6760ECE 6760 Fault Tolerant SystemsFault Tolerant Systems Alternates with 7710Alternates with 7710

90

Remember:

Breaking a project into many small, Breaking a project into many small, interacting modules leads to an easier and interacting modules leads to an easier and more robust design.more robust design.

There There isis added overhead required to manage added overhead required to manage the interaction – the interaction – butbut::

the total time to the final solution will be the total time to the final solution will be farfar less and the result will be less and the result will be farfar better! better!

The solutions have been known for decades The solutions have been known for decades – and now there are CASE tools for support.– and now there are CASE tools for support.

91

References Per Brinch Hansen, Java's insecure parallelism, Per Brinch Hansen, Java's insecure parallelism, ACM SIGPLAN ACM SIGPLAN

NoticesNotices 34(4), pp. 38-45, April 1999. 34(4), pp. 38-45, April 1999. C. A. Hoare, Communicating sequential processes, C. A. Hoare, Communicating sequential processes, CACMCACM, 21(8), pp. , 21(8), pp.

666-677, August 1978. 666-677, August 1978. C. A. Hoare, C. A. Hoare, Communicating Sequential ProcessesCommunicating Sequential Processes, Prentice-Hall, , Prentice-Hall,

London, 1985.London, 1985. A. W. Roscoe, A. W. Roscoe, The Theory and Practice of ConcurrencyThe Theory and Practice of Concurrency, Prentice-, Prentice-

Hall, London, 1998.Hall, London, 1998. Steve Schneider, Steve Schneider, Concurrency and Real-time SystemsConcurrency and Real-time Systems, Wiley, , Wiley,

Chichester, 2000.Chichester, 2000. Gregory R. Andrews, Gregory R. Andrews, Foundations of Multithreaded, Parallel, and Foundations of Multithreaded, Parallel, and

Distributed ProgrammingDistributed Programming, Addison Wesley, New York, 2000., Addison Wesley, New York, 2000.

Concurrent Systems, CSP, and FDR

Documents

Transcript of Concurrent Systems, CSP, and FDR