Chapter 8 Asynchronous System Model by Mikhail Nesterenko “Distributed Algorithms” by Nancy A. Lynch


Page 1: Chapter 8 Asynchronous System Model, by Mikhail Nesterenko (“Distributed Algorithms” by Nancy A. Lynch)

Page 2: Outline
• I/O automaton definition
• examples of I/O automata
• execution
• operations on I/O automata
  – composition
  – hiding
• fairness
• properties and proof methods
  – invariants
  – trace properties
  – compositional reasoning
  – hierarchical proofs
• complexity
• randomization

Page 3: I/O Automaton Signature
• an Input/Output automaton A is a state machine that models a component of a distributed system
  – its transitions are associated with named actions acts(A)
• the main part of an I/O automaton is its signature sig(A), a description of its actions; an action can be
  • input - in(sig(A)) or just in(A)
  • output - out(A)
  • internal - int(A)
• the three sets of actions are disjoint
• input and output actions are external actions; the external signature (external interface) extsig(A) contains the external actions only

Page 4: I/O Automaton Parts
• signature sig(A)
• a (possibly infinite) set of states states(A)
• a non-empty subset of initial states start(A)
• a state transition relation trans(A) ⊆ states(A) × acts(A) × states(A)
  – there must be a transition for every state and every input action (the automata are input-enabled)
  – a member of trans(A) is a transition; an action is enabled at a state if a corresponding transition is in trans(A)
  – a state is quiescent if only input actions are enabled in it
• a task partition tasks(A) - a separation of the internal and output actions into subsets, to model the different objectives of A

Page 5: Channel I/O Automaton

Page 6: Process I/O Automaton

Page 7: Execution
• a finite (or infinite) sequence s0, π1, s1, π2, s2, …, πr, sr is an execution fragment if each (sk, πk+1, sk+1) is a transition of A
• an execution is an execution fragment that starts in an initial state
• a state is reachable if it is the final state of a finite execution of A
• example: channel automata executions (assuming the messages are {1,2})
• a trace of an execution α of A (denoted trace(α)) is the projection of the execution on the external actions
• traces(A) - the set of traces of A
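The definitions on the last few slides, worked in code. This is an added example, not code from the slides or from Lynch's book: trans(A) is encoded as a step function returning the successor states, and the concrete automaton is the FIFO channel, assumed here to be the standard one (send(m) as input appends m to a queue, receive(m) as output is enabled when m is at the head). The executions GOOD_EXEC and BAD_EXEC are constructed sample data.

```python
# Added example (not from the slides): an I/O automaton with trans(A) as a step
# function, the FIFO channel automaton with messages {1, 2}, and checks for the
# definitions of execution fragment, execution, reachable and quiescent state,
# input-enabledness and trace.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Hashable, Set, Tuple

State = Hashable
Action = Tuple                      # e.g. ("send", 1) or ("receive", 2)


@dataclass
class IOAutomaton:
    inputs: Set[Action]
    outputs: Set[Action]
    internals: Set[Action]
    start: Set[State]
    # step(s, a) = {s' : (s, a, s') in trans(A)}; an empty set means a is not enabled in s
    step: Callable[[State, Action], Set[State]]

    def acts(self) -> Set[Action]:
        return self.inputs | self.outputs | self.internals

    def enabled(self, s: State, a: Action) -> bool:
        return bool(self.step(s, a))

    def is_quiescent(self, s: State) -> bool:
        # quiescent: no output or internal action is enabled
        return not any(self.enabled(s, a) for a in self.outputs | self.internals)


def fifo_channel(messages) -> IOAutomaton:
    """FIFO channel (assumed standard form): send(m) appends m, always enabled, so the
    automaton is input-enabled; receive(m) is enabled iff m is at the head of the queue."""
    def step(s, a):
        kind, m = a
        if kind == "send":
            return {s + (m,)}
        if kind == "receive" and s and s[0] == m:
            return {s[1:]}
        return set()

    return IOAutomaton(inputs={("send", m) for m in messages},
                       outputs={("receive", m) for m in messages},
                       internals=set(), start={()}, step=step)   # start: the empty queue


def is_execution_fragment(A: IOAutomaton, frag) -> bool:
    """frag = [s0, a1, s1, a2, s2, ...]: each (s_k, a_{k+1}, s_{k+1}) must be in trans(A)."""
    if len(frag) % 2 == 0:          # a fragment starts and ends with a state
        return False
    for k in range(0, len(frag) - 2, 2):
        s, a, t = frag[k], frag[k + 1], frag[k + 2]
        if a not in A.acts() or t not in A.step(s, a):
            return False
    return True


def is_execution(A: IOAutomaton, frag) -> bool:
    return is_execution_fragment(A, frag) and frag[0] in A.start


def trace(A: IOAutomaton, frag) -> tuple:
    """Projection of an execution on its external (input and output) actions."""
    external = A.inputs | A.outputs
    return tuple(a for a in frag[1::2] if a in external)


def reachable_states(A: IOAutomaton, max_steps: int) -> Set[State]:
    """Final states of executions with at most max_steps transitions (breadth first).
    The channel's full reachable set is infinite, so the bound is essential."""
    seen = set(A.start)
    frontier = deque((s, 0) for s in A.start)
    while frontier:
        s, depth = frontier.popleft()
        if depth == max_steps:
            continue
        for a in A.acts():
            for t in A.step(s, a):
                if t not in seen:
                    seen.add(t)
                    frontier.append((t, depth + 1))
    return seen


def is_input_enabled(A: IOAutomaton, states) -> bool:
    """Every input action must be enabled in every one of the given states."""
    return all(A.enabled(s, a) for s in states for a in A.inputs)


# Constructed sample data: the channel with messages {1, 2} and two candidate executions.
CHANNEL = fifo_channel({1, 2})
GOOD_EXEC = [(), ("send", 1), (1,), ("send", 2), (1, 2), ("receive", 1), (2,)]
BAD_EXEC = [(), ("send", 1), (1,), ("receive", 2), ()]   # receive(2) not enabled: 1 is at the head
```

The step-function encoding is what makes input-enabledness checkable: is_input_enabled walks the bounded reachable set and confirms that every send(m) has a successor everywhere, which is the condition the "I/O Automaton Parts" slide imposes.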

Page 8: Compatible Components
• composition allows constructing a complex system out of individual components
• informally - the components are joined and the individual components' actions are executed; when an action is executed by one component, every component that has the same action executes it as well
• a collection of components is compatible if their signatures are as follows
  – internal actions of one component are not observable by any other (i.e. the internal actions of a component are disjoint from the actions of the others)
  – only one component controls each output (the output sets of any two components are disjoint)
  – each action is contained in finitely many components

Page 9: Composition
• A × B is the composition of components A and B
• given a collection of compatible signatures {Si}i∈I, the composition S = ∏i∈I Si of the signatures is defined as follows
• a composition A = ∏i∈I Ai of automata is

Page 10: Exposed outputs
• observe that even though some inputs of the components (the ones that have a corresponding output) are removed from the composition, all outputs of the components are outputs of the composition
• this is done to allow convenient composition
• example: component A has output action π while B and C have π as an input action
  – that is, π is “broadcast” to both B and C
• if π were not exposed after composing A with B, then (A × B) × C is not possible: B would consume π and C could not receive it

Page 11: Hidden outputs
• there is an operation that “hides” output actions of components by reclassifying them as internal actions (they are not used in further communication and do not appear in traces)
• for a signature S and some subset Φ ⊆ out(S) of its output actions, the hiding operation hideΦ(S) is defined as a new signature S’ such that:
  – in(S’) = in(S), out(S’) = out(S) − Φ, and int(S’) = int(S) ∪ Φ
  – hiding output actions of an automaton means hiding these actions in the automaton’s signature
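Compatibility, composition of signatures and hiding as the last four slides describe them, in code. This is an added example, not code from the slides. The composition rule is assumed here to be Lynch's (outputs and internal actions are unions; an input survives only if no component outputs it), since the slide's own statement of the definition is not reproduced above. The three components A, B and C reproduce the broadcast scenario of the "Exposed outputs" slide with the constructed action names pi, b, c and b_step.

```python
# Added example (not from the slides): signatures as three disjoint action sets,
# the compatibility test, composition of signatures and the hide operation, with
# the broadcast scenario (A outputs pi; B and C take pi as input) as sample data.
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Signature:
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    internals: FrozenSet[str]

    def acts(self) -> FrozenSet[str]:
        return self.inputs | self.outputs | self.internals

    def extsig(self) -> "Signature":
        return Signature(self.inputs, self.outputs, frozenset())


def sig(inp: Iterable[str] = (), out: Iterable[str] = (), internal: Iterable[str] = ()) -> Signature:
    s = Signature(frozenset(inp), frozenset(out), frozenset(internal))
    if s.inputs & s.outputs or s.inputs & s.internals or s.outputs & s.internals:
        raise ValueError("input, output and internal actions must be disjoint")
    return s


def compatible(sigs) -> bool:
    """Internal actions of one component are not actions of any other, and no two
    components share an output. The third condition (each action in finitely many
    components) holds trivially for a finite collection."""
    for a, b in combinations(sigs, 2):
        if a.internals & b.acts() or b.internals & a.acts():
            return False
        if a.outputs & b.outputs:
            return False
    return True


def compose(sigs) -> Signature:
    sigs = list(sigs)
    if not compatible(sigs):
        raise ValueError("components are not compatible")
    out = frozenset().union(*(s.outputs for s in sigs))
    internal = frozenset().union(*(s.internals for s in sigs))
    # an input that some component outputs is matched inside the composition and
    # disappears as an input; the output itself stays exposed
    inp = frozenset().union(*(s.inputs for s in sigs)) - out
    return Signature(inp, out, internal)


def hide(s: Signature, phi: Iterable[str]) -> Signature:
    """hide_Phi(S): reclassify the output actions in Phi as internal."""
    phi = frozenset(phi)
    if not phi <= s.outputs:
        raise ValueError("only output actions can be hidden")
    return Signature(s.inputs, s.outputs - phi, s.internals | phi)


# Constructed sample data: the broadcast scenario.
A = sig(out={"pi"})
B = sig(inp={"pi"}, out={"b"}, internal={"b_step"})
C = sig(inp={"pi"}, out={"c"})


def broadcast_composition() -> Signature:
    """(A x B) x C: pi stays an output of A x B, so C can still receive it."""
    return compose([compose([A, B]), C])


def hidden_pi_breaks_broadcast() -> bool:
    """Had pi been hidden in A x B it would be internal there, and C, which has pi
    as an action, would no longer be compatible with A x B."""
    return not compatible([hide(compose([A, B]), {"pi"}), C])
```

compose and hide are the only two ways a signature changes in this model, which is why the exposed-output rule matters: hiding is an explicit, separate step, so (A × B) × C and A × B × C yield the same external signature.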

Page 12: Example Composition
• composition of process and channel automata assuming N=3
• the transitions are as follows
• example trace assuming N=2 and the function f is addition
(the composition diagram, the transition table and the trace are not reproduced)

Page 13: Composition Theorems
• given an execution α, α|A is the projection of α onto A (the removal of all the transitions that are not in A)

Page 14: Fairness
• interesting executions - each component “takes fair turns” at performing transitions
• recall - the actions of each automaton are partitioned into tasks
• informally, fairness allows each task to perform one of its actions infinitely often
• formally, let C be a task and α an execution fragment; α is fair if, for every task C,
  – α is finite and C is not enabled in the final state, or
  – α is infinite and it contains either
    • infinitely many transitions from C, or
    • infinitely many states where all actions of C are disabled
• fairexecs(A) - the set of fair executions of A
• a trace is fair if it is the trace of a fair execution
• fairtraces(A) - the set of fair traces of A

Page 15: Fairness Examples
• example: channel automata executions (assuming the messages are {1,2}); three executions are shown, labelled fair, not fair, not fair (the executions themselves are not reproduced)

Page 16: Fairness Examples: Clock Automaton
• executions
  – tick, tick, tick, … - fair
  – tick, tick, tick - not fair (there are no fair finite executions of Clock)
  – tick, tick, request, tick, tick, clock(4), tick, tick, … - fair
  – tick, tick, request, tick, tick, tick, … - not fair

Page 17: Fairness Theorem

Page 18: Invariants
• an invariant (assertion) for A is a property that is true in all reachable states of A
• usually proved by induction on the number of steps in the execution
• the proof can be done by providing a sequence of invariants and proceeding from one to the next
  – note: “we” tend to think of an invariant as an assertion (predicate) on a state, which is less generic than Lynch’s definition
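The fairness definition (slide 14), the Clock executions of slide 16 and the inductive proof of invariants (slide 18), worked in code. This is an added example, not code from the slides or from Lynch's book. The Clock automaton is written out under the assumption that it is Lynch's Clock example: input request, outputs tick and clock(t), state counter (number of ticks) and flag (a request is pending), clock(t) enabled iff flag is set and t = counter, tasks {tick} and {clock(t)}. The state variable reported (the time given by the last clock(t)) is an addition made only so that a non-trivial invariant can be stated; the executions checked are the four from slide 16.

```python
# Added example (not from the slides): the Clock automaton (assumed as Lynch's
# example, with an extra variable `reported`), fairness of finite and of eventually
# periodic executions given as prefix + loop of actions, and invariants checked by
# induction on the number of steps.
from typing import Callable, Dict, Set, Tuple

State = Tuple[int, bool, int]          # (counter, flag, reported)
TICK, REQUEST = ("tick",), ("request",)


def clock_step(s: State, a) -> Set[State]:
    counter, flag, reported = s
    if a == TICK:
        return {(counter + 1, flag, reported)}
    if a == REQUEST:
        return {(counter, True, reported)}
    if a[0] == "clock" and flag and a[1] == counter:
        return {(counter, False, counter)}
    return set()


CLOCK_START: State = (0, False, 0)
# task name -> (does this action belong to the task?, is some action of the task enabled in s?)
CLOCK_TASKS: Dict[str, Tuple[Callable, Callable]] = {
    "tick": (lambda a: a[0] == "tick", lambda s: True),
    "clock": (lambda a: a[0] == "clock", lambda s: s[1]),
}


def run(step, s0: State, actions) -> list:
    """States s0, s1, ..., sn of the (deterministic) execution; raises if an action is not enabled."""
    states = [s0]
    for a in actions:
        nxt = step(states[-1], a)
        if len(nxt) != 1:
            raise ValueError(f"{a} is not enabled in {states[-1]}")
        states.append(next(iter(nxt)))
    return states


def is_fair(step, tasks, s0: State, prefix, loop=()) -> bool:
    """Empty loop: finite execution, fair iff no task is enabled in the final state.
    Otherwise the infinite execution prefix.loop^omega: fair iff every task has an
    action in the loop or is disabled in some state of the loop. The loop is unrolled
    twice to validate it and to confirm that task enabledness repeats per iteration
    (for Clock enabledness depends on flag only, so this makes the decision exact)."""
    prefix, loop = list(prefix), list(loop)
    states = run(step, s0, prefix + 2 * loop)
    if not loop:
        return not any(enabled(states[-1]) for _, enabled in tasks.values())
    n, m = len(prefix), len(loop)
    first, second = states[n:n + m + 1], states[n + m:n + 2 * m + 1]

    def profile(ss):
        return [[enabled(s) for _, enabled in tasks.values()] for s in ss]

    if profile(first) != profile(second):
        raise ValueError("task enabledness does not repeat along the loop")
    for belongs, enabled in tasks.values():
        if any(belongs(a) for a in loop):          # infinitely many transitions from the task
            continue
        if any(not enabled(s) for s in first):     # infinitely many states with the task disabled
            continue
        return False
    return True


def inductive_invariant(step, start, candidates, inv, slice_states) -> bool:
    """Induction on steps: inv holds in every start state, and every transition from a
    state satisfying inv reaches a state satisfying inv. slice_states is the finite part
    of the state space on which the inductive step is exercised; candidates(s) lists the
    actions that can be enabled in s."""
    if not all(inv(s) for s in start):
        return False
    for s in slice_states:
        if inv(s):
            for a in candidates(s):
                if any(not inv(t) for t in step(s, a)):
                    return False
    return True


def clock_candidates(s: State):
    return [TICK, REQUEST, ("clock", s[0])]      # clock(t) with t != counter is never enabled


CLOCK_SLICE = [(c, f, r) for c in range(6) for f in (False, True) for r in range(6)]


def clock_never_reports_future() -> bool:
    """Invariant: a reported time never exceeds the current count."""
    return inductive_invariant(clock_step, [CLOCK_START], clock_candidates,
                               lambda s: s[2] <= s[0], CLOCK_SLICE)


def clock_reports_current_time() -> bool:
    """Not an invariant: a tick after clock(t) leaves reported < counter."""
    return inductive_invariant(clock_step, [CLOCK_START], clock_candidates,
                               lambda s: s[2] == s[0], CLOCK_SLICE)
```

Two caveats match the slides' remarks. A loop containing clock(4) is rejected by run on the second unrolling, because counter has moved on; and inductive_invariant rejects any property that is true in all reachable states but not inductive, which is exactly the situation where slide 18's chain of intermediate invariants is needed.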

Page 19: Trace Properties
• reasoning about the properties of an automaton is done in terms of its traces
• formally, a trace property P is
  – a signature sig(P) containing no internal actions
  – a set traces(P) of (finite or infinite) sequences of actions of sig(P)
• A satisfies trace property P means either of the two
  – extsig(A) = sig(P) and traces(A) ⊆ traces(P)
  – extsig(A) = sig(P) and fairtraces(A) ⊆ traces(P)
• in either case satisfaction intuitively means that the behavior that can be produced by A is permitted by P; the reverse (that A can produce every behavior P permits) is not required

Page 20: Automata and Trace Properties

Page 21: Safety Properties
• P is a trace safety property if
  – traces(P) is not empty
  – traces(P) is prefix-closed - every prefix of a trace in traces(P) is also in traces(P)
    • intuitively - if nothing “bad” happens in a trace, nothing bad happens in a prefix of the trace
  – traces(P) is limit-closed - given an infinite sequence of finite sequences such that each finite sequence contains the preceding one as a prefix, the limit of this infinite sequence is also in traces(P)
    • intuitively - if nothing “bad” happens in any of the prefixes then nothing bad happens in the trace itself

Page 22: Liveness Properties, Theorems
• P is a liveness property if every finite sequence over acts(P) has some extension in traces(P)
  – intuitively - an arbitrary prefix can be made “live”, i.e. extended to conform to the liveness property
• Theorem 8.8: if a property is both a liveness and a safety property then it contains all possible sequences of actions
• Theorem 8.9: every property is an intersection of a liveness and a safety property
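The safety and liveness definitions of slides 21 and 22, checked on concrete traces. This is an added example, not code from the slides; the property names P_safe and P_live and the external actions send(1), send(2), receive(1), receive(2) are constructed for the channel with messages {1,2}. P_safe ("each receive takes the oldest unreceived message") is tested for the prefix-closure condition on the finite slice of all sequences up to a given length, and P_live ("every send is eventually received") is shown to satisfy the liveness condition by constructing, for an arbitrary finite sequence, an extension that satisfies it.

```python
# Added example (not from the slides): safety as prefix-closure, witnessed by a
# shortest bad prefix, and liveness as extensibility of every finite sequence.
from itertools import product

SEND1, SEND2, RECV1, RECV2 = "send(1)", "send(2)", "receive(1)", "receive(2)"
ACTS = (SEND1, SEND2, RECV1, RECV2)        # sig(P): the channel's external actions


def parse(action: str):
    kind, msg = action[:-1].split("(")      # "receive(2)" -> ("receive", "2")
    return kind, msg


def fifo_ok(seq) -> bool:
    """P_safe on a finite sequence: each receive(m) takes the oldest unreceived message, which must be m."""
    queue = []
    for a in seq:
        kind, m = parse(a)
        if kind == "send":
            queue.append(m)
        elif not queue or queue[0] != m:
            return False
        else:
            queue.pop(0)
    return True


def prefixes(seq):
    return [tuple(seq[:k]) for k in range(len(seq) + 1)]


def shortest_bad_prefix(seq, prop):
    """A safety violation is witnessed by a finite prefix; return the shortest one, or None."""
    for p in prefixes(seq):
        if not prop(p):
            return p
    return None


def prefix_closed_up_to(prop, acts, n: int) -> bool:
    """Prefix-closure on the finite slice of all sequences of length <= n: whenever prop
    holds for a sequence it must hold for each of its prefixes."""
    for k in range(n + 1):
        for seq in product(acts, repeat=k):
            if prop(seq) and not all(prop(p) for p in prefixes(seq)):
                return False
    return True


def pending(seq) -> dict:
    """Messages sent but not yet received, counted per message value."""
    counts = {}
    for a in seq:
        kind, m = parse(a)
        if kind == "send":
            counts[m] = counts.get(m, 0) + 1
        elif counts.get(m, 0) > 0:
            counts[m] -= 1
    return {m: c for m, c in counts.items() if c > 0}


def every_send_received(seq) -> bool:
    """P_live evaluated at the end of a finite sequence."""
    return not pending(seq)


def live_extension(seq) -> tuple:
    """The liveness condition made constructive: for any finite sequence over ACTS,
    appending one receive per pending send yields an extension satisfying P_live."""
    return tuple(f"receive({m})" for m, c in sorted(pending(seq).items()) for _ in range(c))
```

P_live is not prefix-closed (send(1), receive(1) satisfies it while its prefix send(1) does not), so it is not a safety property, and no finite prefix can ever refute it; P_safe is refuted by a finite prefix whenever it fails. That split is Theorem 8.9 in miniature: the channel's full specification is the intersection of the two.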

Page 23: Proof Techniques
• compositional reasoning - proves properties of the composed automaton on the basis of the properties of the components and of the composition techniques
• hierarchical proofs - describe the system in an abstract model and prove that it conforms to a property, then refine the abstraction while preserving the property

Page 24: Indistinguishable Executions, Randomization
• if α and α’ are two executions of composed systems of automata each containing automaton A, then α and α’ are indistinguishable to A provided α|A = α’|A
• probabilistic I/O automaton - the notion of transition is modified: instead of (s, π, s’) it is (s, π, P), where P is a probability distribution over some set of states
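The projection α|A of slide 13 and the indistinguishability test of this slide, in code. This is an added example, not code from the slides or from Lynch's book. A state of the composed system is modelled as a dict from component name to that component's local state and an execution as the list [s0, π1, s1, π2, s2, …]; the projection follows Lynch's definition as assumed here (drop each π, s pair whose action is not in acts(A), and keep only the A-component of the remaining states). The three-component system P, C, Q, its action names and both executions are constructed sample data.

```python
# Added example (not from the slides): alpha|A for executions of a composed system,
# and the indistinguishability test alpha|A == alpha'|A.
COMPONENT_ACTS = {
    "P": {"send"},               # P only sends
    "C": {"send", "recv"},       # a channel between P and Q
    "Q": {"recv", "q_step"},     # Q receives and has an internal step q_step
}


def project(execution, name, acts):
    """alpha|A: actions outside acts(A) are removed together with the state that
    follows them; every remaining state is reduced to its A-component."""
    out = [execution[0][name]]
    for k in range(1, len(execution), 2):
        action, state = execution[k], execution[k + 1]
        if action in acts:
            out += [action, state[name]]
    return out


def indistinguishable(alpha, alpha2, name, acts) -> bool:
    """alpha and alpha2 are indistinguishable to component `name` iff their projections agree."""
    return project(alpha, name, acts) == project(alpha2, name, acts)


def st(p, c, q):
    return {"P": p, "C": c, "Q": q}


# Constructed executions: the same send/recv exchange, with Q taking an extra
# internal step in ALPHA2 that neither P nor C can observe.
ALPHA = [st(0, (), 0), "send", st(1, ("m",), 0), "recv", st(1, (), 1)]
ALPHA2 = [st(0, (), 0), "send", st(1, ("m",), 0),
          "q_step", st(1, ("m",), 5), "recv", st(1, (), 6)]
```

The two executions differ only in Q's internal step, so they are indistinguishable to P and to C but not to Q; this is the notion the compositional and hierarchical proofs of slide 23 rely on when they reason about one component in isolation.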