
Chapter 8 Asynchronous System Model

Chapter 8 Asynchronous System Model. “Distributed Algorithms” by Nancy A. Lynch. by Mikhail Nesterenko. Outline. I/O automaton definition examples of I/O automata execution operations on I/O automata composition hiding fairness properties and proof methods invariants trace properties


Presentation Transcript


  1. Chapter 8 Asynchronous System Model “Distributed Algorithms” by Nancy A. Lynch by Mikhail Nesterenko

  2. Outline
  • I/O automaton definition
  • examples of I/O automata
  • execution
  • operations on I/O automata
    • composition
    • hiding
  • fairness
  • properties and proof methods
    • invariants
    • trace properties
    • compositional reasoning
    • hierarchical proofs
  • complexity
  • randomization

  3. I/O Automaton Signature
  • Input/Output automaton A is a state machine that models a component of a distributed system
  • the transitions are associated with named actions acts(A)
  • the main part of an I/O automaton is its signature sig(A): a description of its actions; actions can be
    • input: in(sig(A)) or just in(A)
    • output: out(A)
    • internal: int(A)
  • the three sets of actions are disjoint
  • input and output actions are external actions; the external signature (external interface) extsig(A) contains external actions only

  4. I/O Automaton Parts
  • signature sig(A)
  • (possibly) infinite set of states states(A)
  • non-empty subset of initial states start(A)
  • a state transition relation trans(A) ⊆ states(A) × acts(A) × states(A)
    • there must be a transition for every state and every input action (the automata are input-enabled)
    • a member of trans(A) is a transition; an action is enabled at a state if the corresponding transition is in trans(A)
    • a state is quiescent if only input actions are enabled in it
  • task partition tasks(A): a separation of the internal and output actions into subsets, to model the different objectives of A

  5. Channel I/O Automaton

  6. Process I/O Automaton

  7. Execution
  • a finite (or infinite) sequence s0, π1, s1, π2, …, πr, sr is an execution fragment if each (s(k-1), πk, sk) is a transition of A
  • an execution is an execution fragment that starts in an initial state
  • a state is reachable if it is the final state of a finite execution of A
  • example: channel automaton executions (assuming the messages are {1,2})
  • the trace of an execution a of A (denoted trace(a)) is the projection of the execution on the external actions
  • traces(A) is the set of traces of A

  8. Compatible Components
  • composition allows constructing a complex system out of individual components
  • informally, the components are joined and each component executes its own actions; when an action π is executed by one component, every component that has π (the same action) in its signature executes it too
  • a collection of components is compatible if their signatures are as follows
    • internal actions of one component are not observable by any other (i.e. the internal actions of one component are disjoint from the actions of the others)
    • only one component controls each output (the output sets of any two components are disjoint)
    • each action is contained in finitely many components

  9. Composition
  • given a collection of compatible signatures {Si}, i ∈ I, the composition S = Π(i ∈ I) Si of signatures is defined as follows
  • A × B is the composition of components A and B
  • the composition A = Π(i ∈ I) Ai of automata is

  10. Exposed outputs
  • observe that even though some of the inputs of the components (the ones that have a corresponding output) are removed from the composition, all outputs of the components remain outputs of the composition
  • this is done to allow convenient (repeated) composition
  • example: component A has output action π while B and C have π as an input action
    • that is, π is “broadcast” to both B and C
    • if π is not exposed then (A × B) × C as well as is not possible

  11. Hidden outputs
  • there is an operation that “hides” the output actions of components by reclassifying them as internal actions (they are no longer used in further communication and do not appear in traces)
  • for a signature S and some subset of its output actions Φ ⊆ out(S), the hiding operation hideΦ(S) is defined as a new signature S’ such that:
    • in(S’) = in(S), out(S’) = out(S) − Φ, and int(S’) = int(S) ∪ Φ
  • hiding output actions of an automaton means hiding these actions in the automaton’s signature (states, start states and transitions are unchanged)

  12. Example Composition
  • composition of process and channel automata, assuming N=3
  • the transitions are as follows
  • example trace assuming N=2 and the function f is addition

  13. Composition Theorems
  • given an execution a of a composition, a|A is the projection of a onto the component A (removal of all transitions whose actions are not in A, keeping only A’s part of each state)

  14. Fairness
  • interesting executions: each component “takes fair turns” at performing transitions
  • recall: the actions of each automaton are partitioned into tasks
  • informally, fairness allows each task to perform one of its actions infinitely often
  • formally, let C be a task and a an execution fragment; a is fair with respect to C if either
    • a is finite and no action of C is enabled in the final state, or
    • a is infinite and it contains either
      • infinitely many transitions from C, or
      • infinitely many states where all actions of C are disabled
  • fairexec(A): the set of fair executions of A
  • a trace is fair if it is a trace of a fair execution
  • fairtraces(A): the set of fair traces of A
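The definitions on slides 3 to 14 (signature, input-enabledness, execution and trace, compatible composition with exposed outputs, hiding, projection a|A, and the finite-execution case of fairness) are easy to mis-read in the abstract, so here is an added executable model of them. This is illustration code written for these notes; it is not code from Lynch’s book or from the slides. The class and function names (IOAutomaton, compose, hide, execute, trace, project, finite_fair), the relay process P2 and the action names send12/receive12/send23/receive23 are my own choices; the FIFO channel with messages {1,2} follows the slides.

```python
from itertools import chain


class IOAutomaton:
    """An I/O automaton: signature (inputs, outputs, internals), start state,
    a step function standing in for trans(A), and a task partition.
    step(state, action) returns the successor state, or None if the action
    is not enabled in that state."""

    def __init__(self, name, inputs, outputs, internals, start, step, tasks):
        self.name = name
        self.inputs, self.outputs, self.internals = set(inputs), set(outputs), set(internals)
        # the three action classes of a signature must be pairwise disjoint
        assert not (self.inputs & self.outputs or self.inputs & self.internals
                    or self.outputs & self.internals)
        self.start, self.step = start, step
        self.tasks = [set(t) for t in tasks]
        # tasks partition the locally controlled (output + internal) actions
        assert set(chain.from_iterable(self.tasks)) == self.outputs | self.internals

    @property
    def acts(self): return self.inputs | self.outputs | self.internals
    @property
    def extsig(self): return self.inputs | self.outputs
    def enabled(self, state, action): return self.step(state, action) is not None
    def input_enabled(self, state):  # every input action must be enabled in every state
        return all(self.enabled(state, a) for a in self.inputs)
    def quiescent(self, state):  # only input actions are enabled
        return not any(self.enabled(state, a) for a in self.outputs | self.internals)


def execute(A, actions):
    """Finite execution from the start state: returns [s0, pi1, s1, ..., pir, sr]."""
    seq, s = [A.start], A.start
    for a in actions:
        assert a in A.acts, f"{a} is not an action of {A.name}"
        s = A.step(s, a)
        assert s is not None, f"{a} is not enabled in the current state"
        seq += [a, s]
    return seq


def trace(A, execution):
    """Projection of the execution's actions onto the external signature."""
    return [x for x in execution[1::2] if x in A.extsig]


def finite_fair(A, execution):
    """A finite execution is fair iff no task has an action enabled in its final state."""
    last = execution[-1]
    return all(not any(A.enabled(last, a) for a in task) for task in A.tasks)


def channel(i, j, msgs=(1, 2)):
    """FIFO channel C_ij from the slides: input send_ij(m), output receive_ij(m);
    the state is the queue of messages in transit, kept as a tuple."""
    def step(q, act):
        kind, m = act
        if kind == f"send{i}{j}":                       # always enabled (input)
            return q + (m,)
        if kind == f"receive{i}{j}" and q and q[0] == m:  # only the head may be delivered
            return q[1:]
        return None
    ins = {(f"send{i}{j}", m) for m in msgs}
    outs = {(f"receive{i}{j}", m) for m in msgs}
    return IOAutomaton(f"C{i}{j}", ins, outs, set(), (), step, [outs])


def relay(msgs=(1, 2)):
    """Constructed process P2: buffers each receive12(m) and forwards it as send23(m)."""
    def step(buf, act):
        kind, m = act
        if kind == "receive12":
            return buf + (m,)
        if kind == "send23" and buf and buf[0] == m:
            return buf[1:]
        return None
    ins = {("receive12", m) for m in msgs}
    outs = {("send23", m) for m in msgs}
    return IOAutomaton("P2", ins, outs, set(), (), step, [outs])


def compose(*comps):
    """Composition of compatible automata; the state is the tuple of component states."""
    for X in comps:
        for Y in comps:
            if X is not Y:
                assert not (X.internals & Y.acts), "internal actions must be unobservable"
                assert not (X.outputs & Y.outputs), "only one component controls an output"
    outs = set().union(*(X.outputs for X in comps))          # all outputs stay exposed
    ins = set().union(*(X.inputs for X in comps)) - outs      # matched inputs disappear
    ints = set().union(*(X.internals for X in comps))

    def step(state, act):
        new = list(state)
        for k, X in enumerate(comps):
            if act in X.acts:                  # every component that has the action takes it
                new[k] = X.step(state[k], act)
                if new[k] is None:
                    return None
        return tuple(new)
    A = IOAutomaton("x".join(X.name for X in comps), ins, outs, ints,
                    tuple(X.start for X in comps), step, [t for X in comps for t in X.tasks])
    A.components = comps
    return A


def hide(A, phi):
    """hide_phi(A): reclassify the output actions in phi as internal; nothing else changes."""
    assert phi <= A.outputs
    return IOAutomaton(A.name, A.inputs, A.outputs - phi, A.internals | phi, A.start, A.step, A.tasks)


def project(A, k, execution):
    """a|A_k: keep only the transitions of component k, with its part of each state."""
    comps = A.components
    out = [execution[0][k]]
    for act, s in zip(execution[1::2], execution[2::2]):
        if act in comps[k].acts:
            out += [act, s[k]]
    return out


if __name__ == "__main__":
    C12, P2, C23 = channel(1, 2), relay(), channel(2, 3)
    SYS = compose(C12, P2, C23)
    run = execute(SYS, [("send12", 1), ("receive12", 1), ("send23", 1), ("receive23", 1)])
    print(trace(SYS, run))                       # all four actions: outputs are exposed
    HID = hide(SYS, {("receive12", m) for m in (1, 2)} | {("send23", m) for m in (1, 2)})
    print(trace(HID, execute(HID, run[1::2])))   # only send12(1), receive23(1) remain
    print(finite_fair(SYS, execute(SYS, [("send12", 1)])))  # False: receive12(1) still enabled
    print(finite_fair(SYS, run))                 # True: the final state is quiescent
    print(project(SYS, 0, run) == execute(C12, [("send12", 1), ("receive12", 1)]))  # True
```

The last line is the content of the projection theorem on slide 13: the projection of a composition’s execution onto C12 is itself an execution of C12. The fairness check is only the finite branch of the definition on slide 14; the two infinite branches are properties of infinite sequences and cannot be decided by inspecting a finite prefix.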

  15. Fairness Examples
  • example: channel automaton executions (assuming the messages are {1,2})
  • [figure: three example executions, labelled “fair”, “not fair”, “not fair”]

  16. Fairness Examples: Clock Automaton executions
  • tick, tick, tick, … – fair
  • tick, tick, tick – not fair (there are no fair finite executions for Clock)
  • tick, tick, request, tick, tick, clock(4), tick, tick, … – fair
  • tick, tick, request, tick, tick, tick, … – not fair

  17. Fairness Theorem

  18. Invariants
  • an invariant (assertion) for A is a property that is true in all reachable states of A
  • usually proved by induction on the number of steps in the execution
  • can be done by providing a sequence of invariants and proceeding from one to the next
  • note: “we” tend to think of an invariant as an assertion (predicate) on a state, which is less generic than Lynch’s definition

  19. Trace Properties
  • reasoning about the properties of an automaton is done in terms of its traces
  • formally, a trace property P is
    • a signature sig(P) containing no internal actions
    • a set traces(P) of (finite or infinite) sequences of actions of sig(P)
  • A satisfies trace property P means either of the two
    • extsig(A) = sig(P) and traces(A) ⊆ traces(P)
    • extsig(A) = sig(P) and fairtraces(A) ⊆ traces(P)
  • in either case satisfaction intuitively means that the behavior that can be produced by A is permitted by P; the reverse (that A produces every behavior P permits) is not required

  20. Automata and Trace Properties

  21. Safety Properties
  • P is a trace safety property if
    • traces(P) is not empty
    • traces(P) is prefix-closed – every prefix of a trace in traces(P) is also in traces(P)
      • intuitively – if nothing “bad” happens in a trace, nothing bad happens in a prefix of the trace
    • traces(P) is limit-closed – given an infinite sequence of finite sequences b1, b2, … such that each finite sequence contains the preceding one as a prefix, the limit of this infinite sequence is also in traces(P)
      • intuitively – if nothing “bad” happens in any of the prefixes then nothing bad happens in the trace itself

  22. Liveness Properties, Theorems
  • P is a liveness property if every finite sequence from acts(P) has some extension in traces(P)
    • intuitively – an arbitrary prefix can be made “live”, i.e. extended to conform to a liveness property
  • Theorem 8.8: if a property is both a liveness and a safety property then it contains all possible sequences of actions
  • Theorem 8.9: every property is an intersection of a liveness and a safety property

  23. Proof Techniques
  • compositional reasoning – proves properties of the composed automaton on the basis of the properties of the components and the composition theorems
  • hierarchical proofs – describe the system in an abstract model, prove that it conforms to a property, then refine the abstraction step by step while preserving the property

  24. Indistinguishable Executions, Randomization
  • if a and a’ are two executions of composed systems of automata, each containing automaton A, then a and a’ are indistinguishable to A provided a|A = a’|A
  • probabilistic I/O automaton – the notion of transition is modified: instead of (s, π, s’) it is (s, π, P), where P is a probability distribution over some set of states
