A Discrete Geometric Model of Concurrent Program Execution
Bernhard Möller (1), Tony Hoare (2), Martin E. Müller (1), and Georg Struth (3)
(1) Institut für Informatik, Universität Augsburg, Augsburg, Germany, bernhard.moeller@informatik.uni-augsburg.de; (2) Microsoft Research, Cambridge, UK; (3) Department of Computer Science, The University of Sheffield, Sheffield, UK
Abstract. A trace of the execution of a concurrent object-oriented program can be displayed in two dimensions as a diagram of a non-metric finite geometry. The actions of a program are represented by points, its objects and threads by vertical lines, its transactions by horizontal lines, its communications and resource sharing by sloping arrows, and its partial traces by rectangular figures.
We prove informally that the geometry satisfies the laws of Concurrent Kleene Algebra (CKA); these describe and justify the interleaved implementation of multithreaded programs on computer systems with a lesser number of concurrent processors. More familiar forms of semantics (e.g., verification-oriented and operational) can be derived from CKA. Programs are represented as sets of all their possible traces of execution, and non-determinism is introduced as union of these sets. The geometry is extended to multiple levels of abstraction and granularity; a method call at a higher level can be modelled by a specification of the method body, which is implemented at a lower level.
The final section describes how the axioms and definitions of the geometry have been encoded in the interactive proof tool Isabelle, and reports on progress towards automatic checking of the proofs in the paper.
Keywords: Concurrent Kleene Algebra · Laws of programming · Trace algebra · Semantic models · Refinement · Unifying theories
1 Introduction
The intent of this paper is to make a modest but seminal contribution towards an ambitious long-term goal. The goal is to provide a secure conceptual foundation for the design, implementation and effective use of future program debugging tools. They will assist in unit testing, component integration, and evolution of concurrent and distributed systems software on an enterprise scale. Such tools will provide differential analysis of changed code, generation of effective test cases, run-time detection of errors, and assistance in their location, diagnosis and correction. The errors will include generic errors defined by the programming language (e.g., overflows), violation of properties explicitly defined as assertions or assumptions in the program, as well as violations of behavioural design patterns originally laid down by the system architect. The tools will communicate with the programming teams by displaying a navigable trace of events leading up to the suspected anomalies – a technology known as “time-travel debugging”.
© Springer International Publishing AG 2017. J.P. Bowen and H. Zhu (Eds.): UTP 2016, LNCS 10134, pp. 1–25, 2017. DOI: 10.1007/978-3-319-52228-9_1
Our modest contribution is to formalise a discrete geometry governing diagrams of program behaviour. The diagrams will include actions of the program that are relevant to an anomaly, as well as communications and other causal dependencies between the actions.
We provide an example of the application of the geometry to a concurrent object-oriented program. The set of all possible traces of execution of a particular program is a mathematical formalisation (model) of its meaning. Technically, it is known as a denotational semantics. We prove that this semantics satisfies the star-free laws of a Concurrent Kleene Algebra (CKA); this gives an algebraic semantics that justifies program transformation rules applied in optimisation. From the algebraic semantics it is possible to derive other familiar and widely applied forms of semantics (e.g., operational and verification-oriented). We offer this as evidence of the potential applicability of geometry to current and future programming practice.
Further evidence is provided by quoting the many sources of ideas that have been amalgamated into our theories. Our geometric foundation is inspired by graphical research tools developed and applied to the analysis of relaxed memory models [1, 19]. The pattern of horizontal and vertical lines in our diagrams is taken from Message Sequence Charts (MSC) [8] which are widely used to plan and record the architecture of a large-scale computer application. Our concept of a transaction matches the transition of a Petri Net [23]. Our assertion language for specification of traces is Concurrent Separation Logic [6, 22], widely used by seekers of proofs for concurrent programs. Finally, our motivation and methodology are those of past and current research into Unifying Theories of Programming [14].
Summary
In Sect. 2 the primitive concepts of our geometry are enumerated as points, lines and figures, drawn on a two-dimensional surface. The vertical dimension represents time, the horizontal one space. Actions of a program are represented by points, objects by vertical lines, and transactions by horizontal lines. Points occur only at the intersection of a vertical with a horizontal line. Arrows are defined as segments of lines between two neighbouring points on a line. A figure contains a subset of points, and its perimeter is the set of arrows which connect its internal points to points in its external environment.
A figure (called a tracelet) is a trace of execution of some component of a structured program. It may be decomposed into two disjoint but neighbouring subsets p and q in two ways: one of them (p ; q) represents sequential composition, and the other (p | q) represents concurrent composition. The arrows between p and q form the common part of the perimeter that separates them. A tracelet containing a single transaction cannot be further decomposed.
Section 3 introduces the concept of a tracelet as a figure representing the execution of some nested component of the program structure. Typical components are (p ; q) or (p | q), standing for sequential or concurrent composition of subordinate components p and q. The actions of the original (bracketed) tracelet may then be split disjointly into separate tracelets for p and for q, which therefore share no actions. The arrows between them form a shared part of the perimeter of both of them. A line that passes through all the shared arrows can be drawn horizontally in the case of sequentiality or vertically in the case of concurrency. The splitting process may be continued until every tracelet contains only a single transaction, which cannot be further decomposed. The empty tracelet represents execution of a null command of the program, which of course does nothing.
Section 4 defines a pre-ordering relation p ≤ q between tracelets. It means that p is a possibly more interleaved version of q. If the converse relation also holds, the two tracelets are regarded as equal. From the definition of the ordering we prove informally all the laws of CKA whose variables range over single tracelets. They are as follows:
1. The operators ; and | are both associative, and both have the null command as unit.
2. Both operators are monotonic, for example p ≤ q implies p ; r ≤ q ; r and r ; p ≤ r ; q.
3. Finally, an “interchange” law expresses a characteristic property of interleaving: (p|q );(p |q ) ≤ (p; p )|(q ; q ).
In an example proof we use a combination of all these laws to derive a fully interleaved version of an example tracelet.
Section 5 defines a program as the family of all its possible executions. The family is therefore downward closed, in that it contains all the more interleaved versions of any tracelet that it contains. A non-deterministic choice between programs is simply the set union of their two families. This disjunction has all the usual algebraic properties: associativity, commutativity, and idempotence; in addition, both ; and | distribute through it. The unit of disjunction is the empty family of traces, denoting a program which has no executions. This is the fate of a program containing a syntax error or a type error, or other errors which the language definition requires to be detected at compile time.
Section 6 gives a simpler (more abstract) model of CKA. It abstracts from the intricate network of internal actions and arrows of a tracelet, and defines the two composition operators solely in terms of the perimeters of the operands. The common part of their perimeters is removed, and the rest forms the perimeter of the result of the composition. The function which maps a tracelet to its perimeter is a homomorphism w.r.t. ; and |, and therefore preserves all the star-free algebraic properties of the CKA. For some purposes, this perimeter model is an oversimplification, because it fails to model the phenomenon of deadlock resulting from a cyclic chain of causation. Cyclicity is a programming error that halts a group of threads, when each of them is waiting for occurrence of actions of other members of the cycle. This problem is solved by a second model, which retains the internal causal connectivity between the arrows of the perimeter. This model enables absence of deadlock to be proved, or at least detected.
Section 7 reports early steps towards a formalisation of the geometric model in Isabelle. So far it provides the concepts and mechanical proofs of most concepts of the previous section. It gives a summary of the remaining steps towards a complete formalisation.
2 Primitive Concepts
We model a concurrent computer program as the set of all its possible executions on any computer system that offers an implementation of its programming language. Each execution is modelled by a discrete geometric diagram called a trace, which is drawn on a two-dimensional surface. The horizontal axis represents spatial distribution of locations in the memory of the computer system. The vertical axis represents the interval of time during which the program is executed.
The primitive components of our discrete geometry include analogues of the points, the lines and the figures familiar from Euclidean geometry. We have no concept of measurement of time or of distance in space. We maintain a distinction between horizontal and vertical coordinates; but whenever convenient, they are not drawn straight. Labels may be attached to a component: they describe its interpretation in the actual program execution.
A point represents a primitive action performed inside or in the immediate vicinity of the computer system during a single execution of the complete program. Every point is the unique member of the intersection of a horizontal and a vertical coordinate; all other such intersections are empty.
A vertical line is a non-empty sequence of points along a vertical coordinate that represent the sequential behaviour of an object stored at a particular location of the computer memory. This location number or name serves as a label unique to the line. Typical objects are threads or (possibly structured) variables. The topmost point of the line represents the primitive action of allocation of the object (or forking of a thread), and its bottommost point represents its disposal (or join of a thread). The intermediate points represent the temporal sequence of actions in which the object engages while it exists.
A horizontal line is a non-empty sequence of points along a horizontal coordinate whose actions appear to take place simultaneously as a single transaction. It is labelled by a reference to the basic command in the program which called for its execution. Apparent simultaneity will be ensured by disallowing any state of memory which records the performance of only some of the actions of a transaction, while omitting the rest. This follows the familiar definition of atomicity, without placing any constraint on how it is implemented.
A frequent type of transaction contains just two actions, one from the thread issuing the instruction that triggered the action, and the other from an object (usually owned by that thread) which performs the action required by the instruction. A transaction containing just a single action of a single object represents an autonomous behaviour of the object. Other transactions involve more than two objects. For example, a communication on a synchronised channel requires simultaneous actions of six objects: two threads, an output port and an input port for the channel, and finally two variables which supply and receive the communicated value.
A pair of consecutive points on the same line is called an arrow. On a vertical line, the higher point is called the source, and the lower one is the target. On a horizontal line, an arrow may point either to the left or to the right. A vertical arrow is labelled by the value stored in its location of memory during the interval between its source action and its target action.
A subset of horizontal and vertical arrows represent buffered communications between threads. A horizontal communication arrow is labelled by the value of the message communicated. A vertical communication arrow conveys ownership of the object from one thread to another. It is convenient to draw communication arrows sloping at a slight angle from their nominal orientation.
A tracelet contains, surrounded by a rectangle, the subset of the points of a trace which occurred during execution of a single syntactic component of a structured program, i.e., a node in its abstract syntax tree (AST). This means that the complete trace is an execution of the root of the AST; and a typical leaf of the AST is a basic command of the program whose execution is a tracelet containing a single transaction. An empty tracelet (which we will call 1) is an execution of the null command, which of course does nothing.
To summarise the basic concepts of our discrete geometry, we introduce names for infinite mathematical universes, containing all conceivable instances of the primitive concepts of our geometry. Let Pt be the set of all conceivable points; let Vert be the universe of all pairs of points that might feature as the tail or the head of an arrow in a vertical line. Let Hor be the set of all pairs of points that might feature as tail and head of a horizontal arrow. Let Comm be the set of all communication arrows (often drawn diagonally); they are also either in Vert or in Hor. Define Dep = Vert + Hor, where + denotes the union of disjoint sets. Its pairs are called arrows or dependences, because it is impossible for the tail action of an arrow to be performed before its head action.
Fig. 1. A sample tracelet
Example 2.1. Figure 1 shows a typical small tracelet. Its points are enclosed in a rectangular perimeter. There are six vertical lines, carrying the labels c?, t, x, u, y and d!. Each label stands for the name or location of the object whose behaviour is recorded in the labelled line. All the vertical lines (except x, which is local to this tracelet) extend beyond the rectangle, both above it and below it. The lines t and u stand for threads, x and y are variables, c? is the input port of a channel, and d! is the output port of a different channel.
There are also seven horizontal lines. Two of them extend beyond the perimeter of the tracelet, one on the left and the other on the right. The three lines on the left each contain an action of the thread t, which issues the command for the transaction to occur. Similarly, the four lines on the right are executions of commands from the thread u. The other actions in each transaction are performed by objects (variables) owned by the threads: x is owned by t on the left and by u on the right.
The diagonal arrow in the middle of the diagram is a vertical arrow representing transfer of ownership of the variable x from the thread t to the thread u. The diagonal arrows entering and leaving the perimeter on the left and on the right are inputs and outputs of values on the buffered channels c and d, respectively.
The example shows a trace of the life history of the variable x. It begins with the allocation by its initial owner, the thread t. The next action is the allocation of an initial value to the new object. The value is acquired by input from channel c. The next two actions are a release of ownership by t, and its acquisition by the other thread u. This thread then outputs on channel d the value of the variable y, incremented by the current value of x. Finally, the variable x is disposed by its current owner.
3 The Geometry of Tracelets
In this section, all tracelets will be subsets of the points of one single overall trace. Recall that each point is uniquely labelled by its coordinates. We can therefore identify a tracelet uniquely within its trace by the set of its points. All arrows that begin or end in a point of a tracelet are considered as part of that tracelet as well. For tracelets we use variables p, q, r, .... The exterior p of p is defined as its relative complement Pt p, containing all points not in p.
Let × denote the Cartesian product operator between sets, i.e. the set of pairs (the relation) which contains all members of its first operand paired with all members of its second operand. By convention × binds tighter than union and intersection. The input arrows of p are input(p) =df p × p ∩ Dep, and the output arrows are output(p) =df p × −p ∩ Dep. We define the perimeter of p as the set of arrows which have one end in p and the other end outside it; or more formally, perimeter(p) = input(p) + output(p).
As mentioned in Example 2.1, a tracelet p is drawn as a rectangle which encloses all the points in p, and excludes all points in p. That rectangle does not pass through any of these points; it passes just once through each of the perimeter arrows.
Note (for interest) that the bounding rectangle is a closed curve that satisfies an analogue of the Jordan Curve theorem. Define a continuous line as a finite non-repeating sequence of arrows, in which the source or target of each arrow is also the target or source of one of its pair of neighbours within the sequence, or of its only neighbour in the case of an endpoint of the chain. Every chain of arrows from one endpoint inside the rectangle to another endpoint outside it must cross at least one rectangle edge. This is proved by a simple induction on the length of the chain.
The perimeter of a rectangle is partitioned into its four edges. A horizontal edge does not contain any horizontal arrows, unless they are (sloping) communication arrows. Similarly, a vertical edge does not contain any vertical arrows unless they are transfers of ownership (also sloping). In drawing a perimeter, the top and bottom edges are horizontal and the left and right edges are vertical.
Each horizontal edge of the perimeter defines the state of part of the memory of the computer system at the relevant time coordinate. It is known in separation logic as a statelet. The top edge defines the initial state that is passed to the tracelet when it starts, and the bottom edge is passed as the final state on completion of execution.
The content of the memory at each horizontal edge is defined by the labels on the arrows that pass through the edge. It is defined in the standard way as a partial function which maps the location of each arrow crossing the edge (say l1, l2, ...) to the value (say v1, v2, ...) which labels that arrow. The function is written in the notation of separation logic. The infix binary operator ∗ stands for the disjoint union of the functions on either side of it. The function (l → v) is a singleton function, whose whole domain is the singleton {l} and which maps l to v. The value of the whole statelet is written in the form
In separation logic, this formula is interpreted as an assertion that the value of l1 is v1, and the value of l2 is v2, etc.
The content of a vertical edge of a tracelet is defined similarly. But first, we must supply distinct names for all the messages that cross the edge. In the case of a communication channel, we use the channel name subscripted by the index of the message in the sequence of all messages passed on the channel, for example: (c4 → 12).
The specification of a tracelet contains the formula for all four edges of its perimeter. The formula for Fig. 1 is written on separate lines for each edge.
(y → 3) ∗ (c?, d!, t, u → ) at the Top
(d27 → 12) on the Right
(y → 4) ∗ (c?, d!, t, u → ) on the Bottom
(c9 → 8) on the Left
The first line states that the initial value of y is 3, and that the other named objects have been allocated. The second line says that (say) the 27th message sent on channel d was 12. The third line gives the final value of y, and states that the other objects are still allocated. The fourth line states that channel c received the value 8 as the 9th message.
3.1 Sequential and Concurrent Composition
Our definition of the ; and | operators will be unconventional. Instead of defining how two tracelets can be composed to give the required result, we describe how the result can be decomposed to give the tracelets of its parts. It seems to be easier to learn first how to take something apart, and how to put it together later.
Consider a node of the program AST labeled by the operator of sequential composition. Let r be the tracelet for the considered node, and let p and q be the tracelets for its two immediate offspring in the corresponding AST. We describe this situation by the equation r = p ; q. Now draw a horizontal coordinate internal to the rectangle for r, with all points in p above it, and all points in q below it. The diagram (see Fig. 2) makes it clear that the rectangle for p shares its top edge with r, and its bottom edge with q; similarly, the bottom edge of q is shared with that of r. The left and right edges of r are split into two disjoint parts, and the two top parts are assigned to p and the lower parts to q.
A defining feature of sequential composition is that an implementation can execute it by completing the execution of its first operand before starting execution of the second operand. This would be impossible if any action of the first operand were dependent on any action of the second operand. So the drawing of a horizontal edge is subject to the constraint that no arrow should point from its second operand to its first. That is assured by the fact that a horizontal edge contains only vertical and sloping horizontal arrows, and they all point downwards.
The practical consequence of this constraint is that it is impossible to violate the atomicity of a transaction, except at one of its sloping arrows. Memory is represented by a horizontal edge; so any memory that records the result of the action at one end of a non-sloping horizontal arrow must also record the action at the other end. Otherwise the constraint is violated.
Fig. 2. Sequential composition
Fig. 3. Concurrent composition
A similar diagram can be drawn for concurrent composition (see Fig. 3), with a new vertical edge instead of a horizontal one. It leads to a similar pattern of sharing of left and right vertical edges, and a similar splitting of the top and bottom horizontal edges. Again, the vertical edge can contain only horizontal and sloping arrows pointing from left to right.
The practical consequence of this constraint is that no object can be owned by more than one thread at any one time. The only way that an object can be shared between two threads is by passing ownership between them by means of a sloping vertical arrow. In a conventional view of sharing, ownership is passed between every pair of its actions. Such an object is represented geometrically by a vertical line, all of whose arrows are sloping.
If any of the constraints described above are violated, we simply say that the diagram for p ; q or for p | q is undefined; it is just not a tracelet. A composition is also undefined if the values which label any arrow in the edge differ in the two operands. Further reasons for the undefinedness of transactions that executed basic commands are given in the definition of these commands, which should be given in the definition of any particular programming language. Further pursuit of this topic is beyond the scope of this paper.
Summary. To summarise and complement our decompositional definitions of the operators, we give a bottom-up formal presentation of some of the details. We start with a diagrammatic presentation. Figures 2 and 3 show explicitly the pattern of arrows that cross the internal and external edges of a tracelet split horizontally or vertically. Each arrow of the figures represents a (maybe empty) set of arrows in a diagram. Arrow sets that must be empty are simply not shown. We use the convention that horizontal arrows leave their rectangle through the right edge, and enter it through the left edge.
The equations given below are derived by studying the figures. Let T(p) be the set of arrows crossing the top edge of p, and let B(p), L(p), and R(p) be defined similarly as the bottom, left and right edges. Then Fig. 3 shows that
T(p | q) = T(p) + T(q), B(p | q) = B(p) + B(q).
The disjoint union is the separating conjunction that defines the initial and the final states of p | q: we have B(p) ∩ T(q) = {} = T(p) ∩ B(q). There are no vertical arrows between p and q. This means that no state of memory is passed between them: L(p | q )=(L(p) R(q ))+(L(q ) R(p))
The horizontal inputs of p are taken either from the horizontal inputs of q or from the environment of p | q (but not both); and similarly for the horizontal inputs of q. The equation for R(p | q) is similar, with L and R interchanged.
Note the dashed curved arrow from R(q) to L(p). Since p is on the left of q, the arrow from p to q cannot be drawn as a straight line in two dimensions while observing the above convention. One could imagine that it was drawn on the back of the paper on which the diagram is drawn. Or one could maintain a uniform left-to-right direction of horizontal arrows by imagining the whole diagram drawn on the curved surface of a cylinder.
Figure 2 shows the graph for sequential composition. It differs from Fig. 3 in two ways. Firstly, the curved arrow is removed, because it would violate our intended meaning of sequential composition. It would actually prevent an implementation of sequential composition from executing the whole of p before starting the execution of q. Secondly, a new internal arrow is introduced to stand for the transmission of the state of memory on termination of p and initiation of q. That is surely another part of our intention when using semicolon.
Derivation of the equations for sequential composition from this diagram is left as an exercise.
3.2 Quadrangulation
We now describe a process for splitting a complete trace or tracelet into all its component tracelets, so that it matches the AST of the program whose execution it represents. The splitting described above for p ; q or p | q is repeated on p and on q, and then repeatedly on the smaller tracelets that result from earlier splittings. Once a tracelet has been split it cannot be split again as a whole — only its parts might be split further. Therefore no arrow can be split more than once by a horizontal or a vertical edge. By analogy with the familiar triangulation of figures in Euclidean geometry, we call the process quadrangulation. The process is complete when all splittable arrows have been split exactly once.
The completely quadrangulated tracelet is a tree which exactly matches the AST of its program. The points of each tracelet in it are the disjoint union of the points of each of its offspring. So any tracelet includes all points of any of its descendants, and is included among the points of all its ancestors. It is helpful to use the text of the program itself as a linear representation for the whole quadrangulated tracelet. Typical examples of such terms are p | (q | r) and (p | q );(p | q ), where p, q, ... are variables standing for further descendant tracelets, or (in the case of a leaf) the corresponding basic command of the program.
Example 3.1. Figures 4 and 5 show the result of the first three steps in two different quadrangulations of the tracelet shown in Fig. 1. To avoid distraction, the labels that are irrelevant to our current purposes have been removed. The titles on the figures are the formulae that describe the quadrangulations. They use bracketing to indicate the order in which the splits were made.
In Fig. 4 the first split is horizontal and the next two are vertical, whereas in Fig. 5 this order is reversed.
Otherwise, the figures are very similar. All the points and arrows internal to each of the rectangles p,p ,q,q are identical on both figures, and all the internal arrows and splits within them are the same. The only difference is at the centre of the diagram, where the sloping communication arrow is split horizontally in Fig. 4, whereas it has been split vertically in Fig. 5.
4 Algebra of Tracelets
In this section, we will continue to use the single word tracelet for a quadrangulated tracelet. Our algebra is a pre-order algebra, in the sense that it uses a pre-order relation ≤ (i.e., a reflexive and transitive relation), in place of the more usual equality symbol = between the left and right hand sides of an equation. In an order algebra, an analogue of equality is re-introduced as an equivalence, again written as =, defined as the conjunction of ≤ and its converse. In our geometry, the ordering p ≤ q between tracelets p, q has an informally expressed meaning that p represents a more sequential execution than the one represented by q or equivalently that q is more concurrent than p.
Fig. 4. Tracelet from Fig. 1 split as (p|q );(p ; q )
Fig. 5. Tracelet from Fig. 1 split as (p; p )|(q ; q )
To formalise this intuitive definition, we define V(p) as the set of all sloping arrows crossing a vertical edge internal to p. Then
V(1) = {},
V(p ; q) = V(p) + V(q)
V(p | q) = V(p) + V(q) + (p × q + q × p) ∩ Hor.
Similar equations are satisfied by H(p), the set of all sloping arrows crossing horizontal edges in p:
H(1) = {}
H(p ; q) = H(p) + H(q) + p × q ∩ Vert
H(p | q) = H(p) + H(q)
Every internal sloping arrow of p may be in V(p) or H(p), but never in both. If p is completely quadrangulated then the sets V(p) and H(q) are complements of each other relative to the set Comm ∩ p × p of all sloping arrows within p. Hence, if p and q are complete quadrangulations with identical underlying tracelets then by contraposition it follows that
V(p) ⊆ V(q) ⇐⇒ H(q) ⊆ H(p).
For an unsplit tracelet, V and H return {}.
We define the relation p ≤ q in two clauses. The first requires that p and q are entirely equal as tracelets; only their quadrangulations can differ. Hence the two tracelets have the same actions, and the same internal arrows, with the same orientations and the same labels. In particular, all the arrows not split by the quadrangulations match exactly in p and q. The second clause requires that V(p) is contained in V(q) and H(q) is contained in H(p). By the above remark, if V(p) and H(p) as well as V(q) and H(q) are relative complements (which holds, in particular, for complete quadrangulations p, q) then we may use either alternative at convenience. The definition allows a sloping arrow that crosses a horizontal edge in p to cross a vertical edge in q. Because set inclusion is a partial order, so is the relation ≤.
Example 4.1. Let r and r be the quadrangulations in Figs. 4 and 5, respectively, and let a be the only diagonal arrow there. Then we have V (r )= {} and H (r )= {a}, whereas V (r )= {a} and H (r )= {}. Since there is exactly the communication arrow a in both r and r , V (r ) and H (r ) as well as V (r ) and H (r ) are relative complements of each other. According to the remarks above and in Example 3.1 therefore r ≤ r . Below we will see that this is a special instance of a general law.
From the definition we will now derive a set of algebraic laws governing sequential and concurrent composition; they are the basic laws of a Concurrent Kleene Algebra (CKA) [17]. For simplicity, we restrict ourselves here to complete quadrangulations. This allows us in each case to choose the simpler of the equations for V and H. There is a treatment of the general case which will be presented in a follow-up paper.
Theorem 4.2 (example). p ; q ≤ p | q and q ; p ≤ p | q.
Proof. V(p ; q) = V(q ; p) = V(p) + V(q) ⊆ V(p | q), by the definition of V.
This theorem justifies the implementation of the concurrent composition by executing the operands in either order. However the justification is void in the case that the left hand side is undefined. The existence of dependences between one operand and the other will make one or both of the interleavings void. Note that both interleavings of p | q are below it in the ordering, but that | is not itself commutative. Thus our model does not satisfy the standard definition of sequential consistency, that concurrency is a non-deterministic choice of all its possible interleavings. An asymmetric example of concurrency is the chaining operator >> of CSP which allows communication only from left to right.
Theorem 4.3 (unit). p | 1 = p = 1 | p (and the same for ;).
Proof. V(p | 1) = V(p) + V(1) + p × {} ∩ Hor ∩ Comm = V(p). The second and third terms on the rhs are both empty. In words: there are no points in 1, and therefore no arrow can cross its (invisible) perimeter.
Theorem 4.4 (association). p | (q | r) = (p | q) | r (and the same for ;).
Proof. H(rhs) = H(p | q) + H(r) = H(p) + H(q) + H(r) = H(p) + H(q | r) = H(lhs).
The proof for ; is similar, using V instead of H.
Theorem 4.5 (monotonicity). If p ≤ q then p ; r ≤ q ; r (and the same for |).
Proof. Assume V(p) ⊆ V(q). Then, by monotonicity of + and the hypothesis, V(p ; r) = V(p) + V(r) ⊆ V(q) + V(r).
The proof for | uses H instead of V.
Theorem 4.6 (interchange). (p | q );(p | q ) ≤ (p ; p ) | (q ; q )
Proof. Let K = V (p)+ V (q )+ V (p )+ V (q ). Then V (lhs)= K +(p × q + p × q ) ∩ Hor ∩ Comm ⊆ K +(p + p ) × (q + q ) ∩ Hor ∩ Comm = V (rhs), because × distributes through +.
Corollary 4.7 (frame). (p | q ); p ≤ (p ; p ) | q and p ;(p | q ) ≤ (p ; p ) | q .
Proof. For the first law substitute 1 for q . By the unit law, the occurrences of 1 can be cancelled. The second law follows symmetrically.
Note that Theorem 4.2 follows by setting p =1 and substituting q for q in the second law and by setting p =1 and substituting p for p in the first law.
The purpose of algebraic laws is to permit an implementation to replace the text of a submitted program by another text derived from it by algebraic reasoning. The hope is that the executed code will be better adapted to the structure and the detail of the capabilities of the executing hardware. Such transformations may be made by a compiler or by an instruction pipeline in the hardware of a computer chip.
For example, suppose the executing computer system has fewer processors than the number of threads initiated by the running program. In this case, concurrency has to be replaced by interleaving (time-sharing), in which an execution of several threads may be an interleaving of their separate sequential traces. In fact, repeated application of all the laws proved above can generate arbitrary interleaved executions of any pair (or group) of concurrent programs.
This is demonstrated by an example of a fully algebraic proof. To avoid clutter, semicolons are omitted except when they are necessary to indicate how the interchange law is to be applied. Also, the use of monotonicity remains tacit.
abcd | xyzw
= {[(assoc ;)]}
(a ; bcd) | (xy ; zw)
≥ {[(interchange)]}
(a | xy) ; (bcd | zw)
≥ {[(assoc ;)]}
a | (x ; y) ; (b ; cd | zw)
≥ {[(frame)]}
(a | x) ; y ; (b | zw) ; cd
≥ {[(Theorem 4.2)]}
axybzwcd.
Interleaving is introduced by each step that uses the interchange law or its corollary. The position of the semicolon indicates a scheduling decision that the two semicolons on the rhs of the law will be reached simultaneously by both threads, at exactly the moment when the lhs reaches its single semicolon. Different scheduling decisions would use different associations at each step, and thereby generate all possible different interleavings.
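The derivation above and the caveat after Theorem 4.2 (dependences can make one or both sequential orders void) can be checked by brute force. The following Python code is an added example, not code from the paper: it enumerates the interleavings of abcd | xyzw and keeps those that respect a set of dependence arrows. The arrows a→x and y→b and all function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed input: the two thread traces from the derivation above, plus two
# dependence arrows (source, target) that are assumptions of this example.
LEFT, RIGHT = "abcd", "xyzw"
ARROWS = {("a", "x"), ("y", "b")}  # a must precede x; y must precede b


def interleavings(left, right):
    """Yield every merge of left and right that keeps each thread's own order."""
    total = len(left) + len(right)
    for slots in combinations(range(total), len(left)):
        chosen = set(slots)          # positions taken by actions of `left`
        l, r = iter(left), iter(right)
        yield "".join(next(l) if i in chosen else next(r) for i in range(total))


def respects(schedule, arrows):
    """True if every arrow's source action is scheduled before its target."""
    pos = {action: i for i, action in enumerate(schedule)}
    return all(pos[src] < pos[tgt] for src, tgt in arrows)


def sequential_defined(first, second, arrows):
    """first ; second is a tracelet only if no arrow points from second to first."""
    return not any(src in second and tgt in first for src, tgt in arrows)


def valid_schedules(left, right, arrows):
    """All fully interleaved executions of left | right allowed by the arrows."""
    return [s for s in interleavings(left, right) if respects(s, arrows)]


if __name__ == "__main__":
    print("abcd ; xyzw defined:", sequential_defined(LEFT, RIGHT, ARROWS))
    print("xyzw ; abcd defined:", sequential_defined(RIGHT, LEFT, ARROWS))
    schedules = valid_schedules(LEFT, RIGHT, ARROWS)
    print(len(schedules), "valid interleavings, e.g.", schedules[:3])
    print("axybzwcd valid:", "axybzwcd" in schedules)
```

With these two arrows both purely sequential orders are undefined, yet 10 of the 70 interleavings remain, including the schedule axybzwcd derived above.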
5 From Tracelets to Programs: Lifting
So far we have dealt with single tracelets. A program is identified by and with the set of all possible tracelets of its execution, which is what we will explore next. This section explains how all the operators defined on tracelets can be lifted to sets of tracelets in such a way that all the laws proven for operators on tracelets are preserved.
5.1 Elementwise Lifting
Wedonotconsiderarbitrarysetsoftracelets.Rather,weadoptadownward closureconditionwhichensuresthatarelation ≤ betweenprogramscanbe definedassimplesetinclusion.Aset P oftraceletsis downwardclosed w.r.t.the pre-order ≤ if p ∈ P and p ≤ p imply p ∈ P aswell.Downwardclosurecodifies ourintentionthatanyprogramthatcanvalidlybeexecutedconcurrentlycan alsobevalidlyexecutedmoresequentially.
If $\circ$ is a binary, possibly partial, operator on tracelets then its elementwise lifting to programs $P, P'$ is defined as the downward closure of the set of all defined compositions between $P$ and $P'$, i.e., the set of all tracelets $q$ such that there are $p \in P$ and $p' \in P'$ with defined $p \circ p'$ and $q \leq p \circ p'$.
Since we do not only use equational laws but also inequational ones, we have to define a relation $\leq$ between programs if we want to lift laws to programs. While it is clear what equality means for sets, there are several ways to extend a pre-order like $\leq$ to sets. We choose the following definition: $P \leq P'$ holds iff every tracelet in $P$ is below some tracelet in $P'$. For downward closed sets (and hence programs) $\leq$ coincides with inclusion $\subseteq$. This means that we can use ordinary union to introduce non-deterministic choice into our algebra of programs, and define it as set union. Furthermore, it means that an implementation can make an arbitrary choice from any non-deterministic variants allowed by the program under execution, giving our intended interpretation of non-determinism a demonic flavour.
Let $T, T'$ be terms involving variables and operators on tracelets, and consider the inequational law $T \leq T'$. A sufficient condition for lifting this law from tracelets to programs is linearity, viz. that every variable occurs at most once on both sides of the law and that all variables in the left hand side $T$ also occur in the right hand side $T'$. Examples are the frame and exchange laws. For equations a sufficient condition is bilinearity, meaning that both inequations that constitute an equation are linear. Examples are associativity, commutativity and neutrality; a counterexample is distributivity. The main result is as follows.
Theorem 5.1. If a linear law $T \leq T'$ holds for tracelets then it also holds when all variables in $T, T'$ are interpreted as variables for programs and the operators are interpreted as the elementwise liftings of the corresponding trace operators.
A detailed proof for general pre-orders can be found in [18]. The technique is classical in mathematics; for related results see among others [10, 11] (and also [4] for a survey).
We illustrate the gist of the proof for the case of the law $P ; P' \leq P \mid P'$ lifted from Theorem 4.2. Assume $r \in P ; P'$. By the above definition there are $p \in P, p' \in P'$ such that $r \leq p ; p'$. Since the frame law holds at the trace level, we have $p ; p' \leq p \mid p'$. Moreover, $p \mid p'$ is in the set of all $\mid$-combinations of traces from $P$ with traces from $P'$ and hence also in its downward closure $P \mid P'$, so that we are done.
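The elementwise lifting, the lifted frame and exchange laws, and the interleaving axybzwcd derived from abcd | xyzw in the algebraic proof above can all be checked mechanically on a small model. This is an added example, not code from the paper: it assumes a simplified stand-in for tracelets (finite strict partial orders on named events), and `atom`, `seq`, `par`, `chain`, `leq`, `down`, `lift`, `prog_leq` and `check_laws` are hypothetical helper names.

```python
from itertools import product

# Assumed model for this example only: a tracelet is (events, order), where
# order is a transitively closed strict partial order given as a frozenset of
# (earlier, later) pairs. It is a stand-in, not the paper's geometry.

def atom(name):
    """Tracelet with a single event."""
    return (frozenset([name]), frozenset())

def _closure(pairs):
    """Transitive closure of a set of (earlier, later) pairs."""
    pairs = set(pairs)
    while True:
        new = {(a, d) for (a, b), (c, d) in product(pairs, repeat=2) if b == c}
        if new <= pairs:
            return frozenset(pairs)
        pairs |= new

def seq(p, q):
    """p ; q: all of p precedes all of q. Undefined (None) if events overlap."""
    if p[0] & q[0]:
        return None
    return (p[0] | q[0], _closure(p[1] | q[1] | set(product(p[0], q[0]))))

def par(p, q):
    """p | q: no ordering across p and q. Undefined (None) if events overlap."""
    if p[0] & q[0]:
        return None
    return (p[0] | q[0], p[1] | q[1])

def chain(names):
    """Fully sequential tracelet, e.g. chain("abcd") is a ; b ; c ; d."""
    t = atom(names[0])
    for n in names[1:]:
        t = seq(t, atom(n))
    return t

def leq(p, q):
    """p <= q: same events, and p is at least as sequential as q."""
    return p[0] == q[0] and q[1] <= p[1]

def down(tracelets):
    """Downward closure: add every more sequential variant of each tracelet."""
    seen = set(tracelets)
    todo = list(seen)
    while todo:
        events, order = todo.pop()
        for a, b in product(events, repeat=2):
            if a != b and (a, b) not in order and (b, a) not in order:
                t = (events, _closure(order | {(a, b)}))
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return frozenset(seen)

def lift(op, P, Q):
    """Elementwise lifting: downward closure of all defined compositions."""
    results = (op(p, q) for p in P for q in Q)
    return down(r for r in results if r is not None)

def prog_leq(P, Q):
    """P <= Q on programs: every tracelet of P is below some tracelet of Q."""
    return all(any(leq(p, q) for q in Q) for p in P)

def check_laws():
    a, b, c, d = (frozenset([atom(x)]) for x in "abcd")  # singleton programs
    P = lift(par, a, b)                                  # {a|b, a;b, b;a}
    frame_lhs, frame_rhs = lift(seq, P, c), lift(par, P, c)
    exch_lhs = lift(seq, lift(par, a, b), lift(par, c, d))
    exch_rhs = lift(par, lift(seq, a, c), lift(seq, b, d))
    return {
        "frame": frame_lhs <= frame_rhs,                 # P ; P' below P | P'
        "frame_sizes": (len(frame_lhs), len(frame_rhs)),
        "frame_strict": not prog_leq(frame_rhs, frame_lhs),
        "order_is_inclusion": prog_leq(frame_lhs, frame_rhs),
        "exchange": exch_lhs <= exch_rhs,
        "exchange_lhs_size": len(exch_lhs),
        # Every composition of P with itself is undefined (shared events),
        # so the lifted result is the empty program.
        "undefined_gives_empty": lift(seq, P, P) == frozenset(),
        "interleaving": leq(chain("axybzwcd"),
                            par(chain("abcd"), chain("xyzw"))),
    }

if __name__ == "__main__":
    for name, value in check_laws().items():
        print(name, value)
```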
5.2 Errors, Recursion and Iteration
There are further useful consequences of our definition of programs. The set $P$ of all programs forms a complete lattice w.r.t. the inclusion ordering; it has been called the Hoare power domain in the theory of denotational semantics (e.g. [5, 20, 24]).
The least element of $P$ is the empty program $\emptyset$ which can also serve as an error element, modelling a completely faulty module without any sensible tracelet. A more detailed, elementwise, error handling is already contained in the definition of the elementwise lifting of operators: all erroneous, undefined combinations of tracelets are ruled out from the combination of the containing programs. This was already stated in Sect. 3.1.
The greatest element of $P$ is the program $U$ consisting of all tracelets. Infimum and supremum in $P$ coincide with intersection and union, since downward closed sets are also closed under these operations.
Therefore we can define (unbounded) choice between a set $Q \subseteq P$ of programs as
Q =df ∪Q
with binary choice as the special case
P P =df P ∪ P .
The lifted versions of monotonic tracelet operators are monotonic again (see [18]), but even distribute through arbitrary choices between programs.
Monotonicity of the lifted operators, together with completeness of the lattice of programs and the Tarski-Knaster fixed point theorem, guarantees that recursion equations have least and greatest solutions. More precisely, let $f : P \to P$ be a monotonic function. Then $f$ has a least fixed point $\mu f$ and a greatest fixed point $\nu f$, given by the following formulas:
$$\mu f = \bigcap \{P \mid f(P) \subseteq P\}, \qquad \nu f = \bigcup \{P \mid P \subseteq f(P)\}.$$
With our operator ; this can be used to define the Kleene star (see e.g. [7]), i.e., unbounded finite sequential iteration, of a program $P$ as $P^* =_{df} \mu f_P$, where $f_P(X) =_{df} \mathit{skip} \ \ (P ; X)$, where $\mathit{skip} =_{df} \{1\}$ is the idle program. Since $f_P$, by the above remark, distributes through arbitrary choices between programs, it is even continuous and Kleene's fixed point theorem tells us that $P^* = \mu f_P$ has the iterative representation
which transforms into the well known representation of star, viz.
$$P^* = \bigcup \{P^i \mid i \in \mathbb{N}\}$$
with $P^0 =_{df} \mathit{skip}$ and $P^{i+1} =_{df} P ; P^i$.
Infinite iteration $P^\omega$ can be defined as the greatest fixed point $\nu g_P$ where $g_P(X) =_{df} P ; X$.
Along the same lines, unbounded finite and infinite concurrent iteration of a program can be defined. For further forms of iteration we refer to [18].
We conclude this section with a brief description of how pre-post-condition semantics can be integrated into our approach. As in [17] one can define, for programs $P, P'$ and $Q$, the Hoare triple $P\,\{\{Q\}\}\,P' \Leftrightarrow_{df} P ; Q \subseteq P'$.
It expresses that, after any tracelet in “pre-history” $P$, execution of $Q$ is guaranteed to yield an overall tracelet in $P'$. From this one can derive the standard properties of Hoare logic and separation logic; for further details we refer to [15, 17].
6 Interfaces and Specifications
We now deal with specifications that abstract, to a certain extent, from the interior arrows of tracelets but preserve their interfaces, i.e., their perimeters. For this analysis the distinction between horizontal and vertical arrows is inessential; we only reason about the overall dependence relation $\mathit{Dep}$.
6.1 Two Types of Specifications
A first, quite radical, abstraction reduces a tracelet just to its perimeter that describes the interaction of the tracelet with its environment. It presents a pure black-box view of the tracelet.
This abstraction can be formalised as follows. The input points $\mathit{in}(p)$ of $p$ are the end points of the input arrows to $p$, while the output points $\mathit{out}(p)$ of $p$ are the starting points of the output arrows of $p$. Now the set of points of $\mathit{perspec}(p)$ is $\mathit{in}(p) \cup \mathit{out}(p)$, while its arrow set is given by $\mathit{perimeter}(p)$. This implies

$$\mathit{perimeter}(\mathit{perspec}(p)) = \mathit{perimeter}(p) \qquad (2)$$
A second, more refined, abstraction $\mathit{connspec}(p)$ of $p$ records connections in the form of dependences between input and output points of $p$. It can be drawn as a tracelet containing only chains with at most three arrows, namely an input, an output and possibly an intermediate arrow. If present, the latter records the existence of a direct or indirect dependence between its source and target within $p$; however, the whole chain of intermediate internal points is omitted.
This abstraction allows an analysis of which of the input arrows are actually useful in that they “contribute” to the outputs. Input arrows that are not connected to any output arrows could, together with the internal arrow chains emanating from them, be safely removed without affecting the observable behaviour of the tracelet. They will, inside $p$, lead to end points or, in the case of deadlock, to cycles of points that do not have outgoing arrows to points outside the cycles; therefore they cannot contribute to values in labels of output arrows from $p$.
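The set of points of $\mathit{connspec}(p)$ is again $\mathit{in}(p) \cup \mathit{out}(p)$. The arrows of $\mathit{connspec}(p)$ are the input and output arrows of $p$ plus a set $\mathit{Dep}_p$ of fresh arrows for each pair in $\mathit{in}(p) \times \mathit{out}(p) \cap \mathit{Dep}_p^+$, where $\mathit{Dep}_p =_{df} p \times p \cap \mathit{Dep}$ is the local dependence relation for $p$. Using transitive rather than reflexive transitive closure ensures that a point $e$ in $\mathit{in}(p) \cap \mathit{out}(p)$ does not receive an extra arrow $(e,e)$ in $\mathit{connspec}(p)$. This takes care of singleton tracelets of the form $\longrightarrow [\, \bullet \longrightarrow ]$ (where the brackets indicate the rectangle around the tracelet).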
For tracelet $p$ we have the decomposition
$$\mathit{arrows}(p) = \mathit{perimeter}(p) + \mathit{Dep}_p,$$

where again $+$ denotes disjoint union.
Both specification functions $s \in \{\mathit{perspec}, \mathit{connspec}\}$ are idempotent, i.e., satisfy $s(s(p)) = s(p)$.
6.2 Specification and (De-)Composition
To make such abstractions useful for the analysis of larger tracelets, they have to behave well w.r.t. composition or decomposition of tracelets. We will now show that this is indeed the case.
For this we use a generic (de)composition operator $\circ$ like in [18]. For tracelets $p, p'$ with disjoint point sets, $p \circ p' =_{df} (p + p', \mathit{arrows}(p) \cup \mathit{arrows}(p'))$.
Both operators $\mid$ and ; from Sect. 3.1 can be seen as instances of $\circ$, since they administer the arrows involved in precisely that way.
Theorem 6.1. For both specification functions $s \in \{\mathit{perspec}, \mathit{connspec}\}$ we have the homomorphic equation
$$s(p \circ q) = s(s(p) \circ s(q)).$$
The equation is homomorphic in the following sense. One can define a new operator $\circ$ on specification tracelets $r, t$ by $r \circ t =_{df} s(r \circ t)$. Then $s(p \circ q) = s(p) \circ s(q)$.
We present the gist of the proof; full details can be found in the technical report [16]. Automated proofs of some parts are under way, see Sect. 7.
First we establish the behaviour of perimeter and local dependence on composed tracelets:
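$$
\begin{array}{rcl}
\mathit{perimeter}(p \circ p') & = & (\mathit{perimeter}(p) \cup \mathit{perimeter}(p')) \setminus \mathit{intf}(p,p'), \\
\mathit{Dep}_{p \circ p'} & = & \mathit{Dep}_p \cup \mathit{Dep}_{p'} \cup \mathit{intf}(p,p'),
\end{array}
\qquad (3)
$$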
where $\mathit{intf}(p,p') =_{df} \mathit{arrows}(p) \cap \mathit{arrows}(p')$ is the interface between $p$ and $p'$. Using (2) we obtain, moreover,
$$\mathit{intf}(\mathit{perspec}(p), \mathit{perspec}(p')) = \mathit{intf}(p,p'). \qquad (4)$$
With the help of these properties easy calculations show that $s = \mathit{perspec}$ satisfies the homomorphic equation of Theorem 6.1.
For the specification operator $\mathit{connspec}$ it suffices to consider the local dependence relations of the tracelets on both sides of the homomorphic equations, since their perimeters coincide by the homomorphic property of $\mathit{perspec}$ anyway. This also implies that the analogue of (4) holds for $\mathit{connspec}$ as well:
$$\mathit{intf}(\mathit{connspec}(p), \mathit{connspec}(p')) = \mathit{intf}(p,p')$$
For the local dependences we proceed in two steps. First, we have the following properties.
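Lemma 6.2. Set $\hat{p} =_{df} \mathit{connspec}(p)$ and likewise for $p'$.
1. $\mathit{Dep}_{\hat{p} \circ \hat{p}'} = \mathit{Dep}_{\hat{p}} \cup \mathit{Dep}_{\hat{p}'} \cup \mathit{intf}(p,p')$
2. $\mathit{Dep}_{\mathit{connspec}(\hat{p} \circ \hat{p}')} \subseteq \mathit{Dep}_{\mathit{connspec}(p \circ p')}$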
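The calculations are not too hard. However, showing the reverse inclusion $\mathit{Dep}_{\mathit{connspec}(p \circ p')} \subseteq \mathit{Dep}_{\mathit{connspec}(\hat{p} \circ \hat{p}')}$ is much more laborious. Using the definitions this spells out to

$(\mathit{Dep}_p \cup \mathit{Dep}_{p'} \cup$ , (5)

where $\mathit{in} =_{df} \mathit{in}(p) \cup \mathit{in}(p')$, $\mathit{out} =_{df} \mathit{out}(p) \cup \mathit{out}(p')$ and $C =_{df} \mathit{intf}(p,p')$.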
Let us first give an intuitive idea why (5) holds. Consider event-disjoint tracelets $p, p'$ and events $e \in \mathit{in}(p), e' \in \mathit{out}(p')$ such that $(e,e') \in (\mathit{Dep}_p \cup \mathit{Dep}_{p'} \cup C)^+$. Consider an arbitrary path $P$ from $e$ to $e'$ within $p + p'$. According to (3) we can group $P$ into maximal pieces whose arrows are purely within $\mathit{Dep}_p$, purely within $\mathit{Dep}_{p'}$ or consist only of “bridging” arrows in $C$. In Fig. 6, pieces of the first kind are indicated by dotted arrows, while interface and bridging arrows have solid lines.
The reason is that arrows from $\mathit{Dep}_p$ cannot connect directly with those from $\mathit{Dep}_{p'}$, because their end points lie in disjoint event sets. They can only connect via “bridges” in $C$. Now each of the maximal pieces within $\mathit{Dep}_p$ or $\mathit{Dep}_{p'}$ can be contracted to a single $\mathit{Dep}_p^+$ or $\mathit{Dep}_{p'}^+$ edge, as is done by $\mathit{connspec}$. By maximality they have to start and end in events in $\mathit{in}(p) \cup \mathit{out}(p)$ or $\mathit{in}(p') \cup \mathit{out}(p')$, resp., which makes their contractions belong to $\mathit{Dep}_{\hat{p}}$ or $\mathit{Dep}_{\hat{p}'}$, resp. Therefore it does not matter if we contract a composition tracelet directly or first contract the maximal path pieces in its components and then contract the result further.

Fig. 6. Connection paths in a composition
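The formal proof uses regular algebra to good advantage; we denote relational composition by juxtaposition. We have to deal with the subexpression $(\mathit{Dep}_p \cup \mathit{Dep}_{p'} \cup C)^+$ occurring in the left hand side of (5), where we know from the definitions of $\mathit{Dep}_p$, $\mathit{Dep}_{p'}$ and $E \cap E' = \emptyset$ that $\mathit{Dep}_p\,\mathit{Dep}_{p'} = \emptyset = \mathit{Dep}_{p'}\,\mathit{Dep}_p$. We abstract a bit and show the following properties.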
Lemma 6.3. Consider relations $R, S, T$.
1. $(R \cup S)^+ = R^+ \cup R^*(SR^*)^+$.
2. If $RS = \emptyset = SR$ then $(R \cup S)^+$
3. If $RS = \emptyset = SR$ then $(R \cup S \cup T)^+ = R^+ \cup S^+ \cup D(TD)^+$, where $D =_{df} R^* \cup S^*$.
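For the expression occurring in the left hand side of (5) we obtain from Part 3

$$(\mathit{Dep}_p \cup \mathit{Dep}_{p'} \cup C)^+ = \mathit{Dep}_p^+ \cup \mathit{Dep}_{p'}^+ \cup D(CD)^+, \qquad (6)$$

where $D = \mathit{Dep}_p^* \cup \mathit{Dep}_{p'}^*$. This is the formal counterpart of the above-mentioned path decomposition.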
From this, further intensive use of regular algebra finally leads to a proof of (5), which establishes Theorem 6.1 for $s = \mathit{connspec}$.
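Before attempting a mechanised proof, the regular-algebra identities of Lemma 6.3 (Parts 1 and 3) and their instance (6) can be tested on random finite relations. The following is an added example, not code from the paper; the helper names and the constructed test relations are assumptions, with `R` and `S` living on disjoint event sets (as $\mathit{Dep}_p$ and $\mathit{Dep}_{p'}$ do) and `T` playing the bridging arrows $C$.

```python
import random
from itertools import product

def compose(R, S):
    """Relational composition, written by juxtaposition (RS) in the text."""
    return frozenset((a, d) for (a, b) in R for (c, d) in S if b == c)

def plus(R):
    """Transitive closure R+."""
    result = frozenset(R)
    while True:
        bigger = result | compose(result, R)
        if bigger == result:
            return result
        result = bigger

def star(R, universe):
    """Reflexive transitive closure R* over the given universe of events."""
    return plus(R) | frozenset((x, x) for x in universe)

def part1_holds(R, S, U):
    """Lemma 6.3(1): (R u S)+ = R+ u R*(SR*)+."""
    r_star = star(R, U)
    rhs = plus(R) | compose(r_star, plus(compose(S, r_star)))
    return plus(R | S) == rhs

def part3_holds(R, S, T, U):
    """Lemma 6.3(3): (R u S u T)+ = R+ u S+ u D(TD)+ with D = R* u S*."""
    D = star(R, U) | star(S, U)
    rhs = plus(R) | plus(S) | compose(D, plus(compose(T, D)))
    return plus(R | S | T) == rhs

def random_relation(rng, sources, targets, density=0.3):
    """Constructed sample data: each possible arrow is kept with this density."""
    return frozenset(pair for pair in product(sources, targets)
                     if rng.random() < density)

def count_failures(trials=200, seed=0):
    """Number of random instances on which Part 1 or Part 3 fails."""
    rng = random.Random(seed)
    E, E2, U = range(0, 4), range(4, 8), range(0, 8)  # E, E' disjoint
    failures = 0
    for _ in range(trials):
        R = random_relation(rng, E, E)      # plays Dep_p
        S = random_relation(rng, E2, E2)    # plays Dep_p'
        T = random_relation(rng, U, U)      # plays the bridging arrows C
        # Disjoint event sets give the hypothesis RS = 0 = SR for free.
        assert not compose(R, S) and not compose(S, R)
        ok = (part1_holds(R, S, U) and part1_holds(R | S, T, U)
              and part3_holds(R, S, T, U))
        failures += not ok
    return failures

def hypothesis_is_needed():
    """With RS nonempty, Part 1 still holds but Part 3 fails (here T is empty)."""
    R, S, U = frozenset({(1, 2)}), frozenset({(2, 3)}), range(1, 4)
    return part1_holds(R, S, U) and not part3_holds(R, S, frozenset(), U)

if __name__ == "__main__":
    print("failures:", count_failures())
    print("hypothesis needed:", hypothesis_is_needed())
```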
7 Verification Tool Development
For practical uses of the geometric model in verifying concurrent programs, tool support is mandatory. This section outlines exemplarily how this can be achieved by formalising the CKAs exhibited in Sect. 4 together with the model of Sect. 6 in an interactive theorem prover. Isabelle/HOL [21] is used as an example.