Tracelets:a Model for the

Laws of Concurrent Programming

Tony Hoare

Oxford Feb 2012

Our Universe

• E is a set of events that can occur in or around a computer during execution of a program– drawn as boxes.

• D is a set of dependencies between the events– drawn as arrows between boxes– e --> f means f depends on e

• source, target: D --> E• source(d) --> target(d)

Labels

• P are sets of properties of D or E– e.g., the type of command executed– the objects involved in the event– the value of the data transmitted on the arrow

• labels:E + D --> P– labels(e) are drawn in the box, – labels(d) on top of the arrow

A tracelet

is a subset of E , denoted by p, q, r . For example:• a trace of a single execution of a program• or of a single execution of a command • or of a single object used in the execution• I = { }, the tracelet that contains no event

An object

• is used by a program to store or transmit data– e.g., a variable, a semaphore, a channel, …

• Its behaviour is modelled by a tracelet – containing some or all events

in which it has engaged• A trace of a complete program execution– is the union of all the tracelets

for every resource that it has used

Pictorially

ν δ

ν labels the allocation of an object.δ labels its disposal.

All other events of its tracelet lie in between

A variable

ν δ

:=4 labels an assignment of value 4=4 labels a fetch of value 4

:=3:=2:=4

=4 =3=2

=2

Object names

νx δx

may be added to the labels

x:=3x:=2x:=4

x= 4 x=3x=2

x=2

A variable

ν δ

The arrows from each fetch to the next assignment ensures prompt overwriting

:=3:=2:=4

=4 =3=2

=2

Weak memory

ν δ

… which does not occur in modern weak memories.

:=3:=2:=4

=4 =3=2

=2

A Semaphore

ν

δ

• P is an acquisition of the semaphore• V is a release (by the same owner)

V P V

P

A buffered channel

ν δ

!4 labels an output of value 4?4 labels an input of value 4

!=3!2!4

?4 ?3?2

A single-buffered channel

δ!3!2!4

?4 ?3?2

Each output depends on prior input of the previous message

ν

A complete program trace

is the union of the tracelets for every command that it contains. • The tracelet of a command can be analysed

into sub-tracelets for each of its immediate sub-commands.

• The analysis determines whether the trace is a valid trace for the program.

Concurrent Composition

• p|q = p q, provided that p q = { }– otherwise the analysis is invalid, because no event

is an execution of two distinct commands.

• Theorem: | is associative and commutative with unit

Definitions

• p --> q = e є p, f є q . e --> f

• p => q = p = q or p is undefined.

Sequential Composition

• p ; q = p|q provided not q --> p– otherwise the analysis is invalid, because no event

in execution of the first command can depend on any event in the execution of the second.

• Theorem:; is associative with unit

Example

x := 3

x := 4

If x is a shared variable

x := 3 ; x:=4 =

Or,

x := 3 x := 4

if blue arrows are equal,x := 3 ; x:=4 =

Theorems• p;q => p|q– Proof: they are equal whenever not q --> p– otherwise, lhs is undefined

• (p|p’);q => p|(p’;q)– they are equal when they are both defined– if rhs is undefined, then q --> p’– which implies that q --> (p’|q), – therefore the lhs is also undefined.

Exchange laws

• p;(q|q’) => (p;q)|q’– proof similar

• (p|p’);(q|q’) => (p;q)|(p’;q’)– proof similar

• All exchange laws are derivable from the last,– by substituting for p’, or q’,– or for both q and q’

Separating concurrency?

• r = p||q = r = p;q & r = q;p– there is no arrow between p and q

• BUT– this would prohibit shared variables– p||q < p;q– p ; (q||q’) < (p;q)||q’ etc.– the wrong way round!

• Let’s postpone this problem

A command

• is modelled by the set of tracelets of all its possible executions in all its possible environments.

• = { { } }• x := 3 = { p | ‘x :=3’ є labels(p)}• x := y = { p | n. {‘x:= n’, ‘y = n’} labels(p)}

Let P, Q, R, be commands

• P | Q = { (p|q)| p є P & q є Q }• P ; Q = { (p;q) | p є P & q є Q }• P \/ Q = { r | r є P or r є Q }• P Q = r . r є P => r є Q

All our theorems p => q also hold for P Q,– because every variable appears exactly once on

each side of the inequation.

Separation

• Let L be the set of red arrows– they must not cross thread boundaries

• Blue arrows must cross thread boundaries• Black arrows may cross either boundaries.

• Definitions of ; and | must be changed to ensure these rules

Dependency ordering

• Let e < f mean that there is a path of arrows from e to f .

• e <L f means the path consists of red arrows• p <L q means e --> f, for some e є p , f є q

Interfaces of a tracelet p

• arrows(p) = s(p) u t(p)• ins(p) = t(p) - s(p)• outs(p) = s(p) - t(p)

– where s(p) = {d| source(d) є p} t(p) = {d| target(d) є p}

In pictures…

outs

ins

Separating ;

• p;q = p|q provided that not q < p & outs(p) L = ins(q) L

– outs(p;q) L = outs(q) L– ins(p;q) L = ins(p) L

• Theorem:; is associative and has unit

Ok

is a set of tracelets that are always preferred – e.g., no overflow, no races, no divergence, etc.

• p => q means p = q or p is not defined or not q є ok

• є ok• p;q є ok = p є ok & q є ok

Separating concurrency

• e < f = there is a path of red dependencies from e to f

• p*q є ok = p є ok & q є ok & not p < q & not q < p

• p*q = p|qif p*q є ok– because that’s the way it will be implemented!

Lift to sets

• P => Q means p є P. p є ok => p є Q otherwise q є Q . not q є ok

& ins(q) = ins(p)