## Concurrency

Massimo Merro

4 December 2017

Massimo Merro Concurrency 1 / 38

### Introduction

Our focus so far has been on the semantics of sequential computations. However, many interesting systems are not sequential!

- hardware is intrisically parallel
- multiple-processor machines
- multi-threading (even on a single processor)
- networked machines
- cyber-physical systems
- IoT devices
- in general, concurrency can increase program performance by scheduling parallel independent tasks on multicore hardware, and can enable responsive user interfaces.

## Challenges in concurrent systems

- the state-space of our systems become *larger*, with the *combinatorial explosion*; with *n* threads, each of which can be in only 2 states, the system has 2<sup>n</sup> states!
- the state-space is not only larger but also more complex
- parallel components sharing resources should access them in mutual exclusion. If this is not done properly those components may suffer deadlock or starvation
- computations become nondeterministic (unless synchrony is imposed),
   as different threads operate at different speeds
- concurrency in programming might induce severe problems such as data races, i.e., concurrent access to shared data by different threads, with consequent unpredictable or erroneous behavior.

Massimo Merro Concurrency 3 / 38

## More challenges

- partial failures (of some process, of some device in a network, or some persistent storage device); need transaction mechanisms
- communication between different environments with different local resources (e.g. different local stores, or libraries); need consistency mechanisms;
- communication between administrative domains with partial trust (or, indeed not trust al all); protection against malicious attack
- dealing with contingent complexity (embedded historical accidents, etc).

### On next slides

**Theme:** as for sequential languages seen up to now, but much more so. Concurrent languages are a complicated world.

**Aim of this lecture:** just to give you a taste of a how relatively simple semantics can be used to express some of the fine distinctions. Primarily

- 1 to boost your intuition on reasoning on concurrent systems
- 2 this can support rigorous proofs about crypto systems, cache-coherency protocols, database transactions, etc.
- **Our Goal:** Define the simplest possible concurrent language and explore a few interesting issues.

## A small concurrent language

linguaggio while originale e aggiungiamo il cost rutto di composizione perallela

```
Booleans
               b \in \mathbb{B} = \{ true, false \}
            n \in \mathbb{N} = \{\ldots, -1, 0, 1, \ldots\}
Integers
           l \in \mathbb{L} = \{l, l_0, l_1, l_2, \ldots\}
Locations
              op ::= + | >
Operations
Expressions e \in Exp ::= n \mid b \mid e \ op \ e \mid if e then e else e
                              l := e \mid !l \mid skip \mid
                              while e 	ext{ do } e 	ext{ } | (e 	ext{ } | e)
                      ::= int | bool | unit |
Types
                                                              proc
                      ::= intref
```

The construct  $e \parallel e$  is called parallel composition.

## Parallel composition: Our Design Choices

- threads don't return a value
- threads are anonymous, i.e. they don't have an identity
- termination of a thread cannot be directly observed withing a program
- processes, in general, are given by a pool of concurrent threads
- threads can't be killed externally.

Massimo Merro Concurrency 7 / 38

## Changes: Typing and operational semantics

$$(T-sq1) \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{unit}} (T-sq2) \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{proc}} \xrightarrow{\Gamma \vdash e_1 : \text{unit } \Gamma \vdash e_2 : \text{unit$$

- $\Gamma \vdash e$ : unit entails e singlethreaded
- $\Gamma \vdash e$ : proc entails e multithreaded

4□ > 4□ > 4□ > 4□ > 4□ > 4□ >

Massimo Merro Concurrency 8 / 38

◆ロ → ◆回 → ◆ 三 → ◆ 三 ・ り へ ○

### As in any concurrent language:

- threads execute asynchronously the semantics allows any interleaving of the reductions of the threads
- all threads can read and write the shared memory
- As a consequence, the Determinacy property does not hold.

### For instance:

$$\langle l := 1 \parallel l := 2, \; \{l \mapsto 0\} \rangle \Rightarrow \langle \textit{skip} \parallel l := 2, \; \{l \mapsto 1\} \rangle \Rightarrow \langle \textit{skip} \parallel \textit{skip}, \; \{l \mapsto 2\} \rangle \Rightarrow \langle \textit{skip}, \; \{l \mapsto$$

### But also

$$\langle l := 1 \parallel l := 2, \; \{l \mapsto 0\} \rangle \Rightarrow \langle l := 1 \parallel \textit{skip}, \; \{l \mapsto 2\} \rangle \Rightarrow \langle \textit{skip} \parallel \textit{skip}, \; \{l \mapsto 1\} \rangle \Rightarrow \langle \textit{skip}, \; \{l \mapsto$$

### Race conditions

- both 'assignments' and 'dereferencing' are atomic operations: in the previous configuration we can get a store where location l is associated to either 1 or 2. No strange combinations of them.
- However, in  $(1 := e) \parallel e'$  the semantic steps which are necessary to evaluate e and e' can be interleaved
- So, what about the execution of program  $(l := 1 + !l) \parallel (l := 7 + !l)$ ?
- In this case, we can get race conditions, i.e. the output can be something completely unexpected and inconsistent with the intentions of any thread!
- In particular, as decipted at pag. 97 of the notes, there are 3 possible final configurations for  $\langle (1:=1+!!) \mid (1:=7+!!), \{1\mapsto 0\} \rangle$ :

  - **2**  $\langle skip, \{1 \mapsto 7\} \rangle$
  - 3  $\langle skip, \{1 \mapsto 8\} \rangle$
- (1) and (2) are due to "interferences" while executing the assignments; only (3) corresponds to some correct scheduling!

### Morals

- There are too many possible results
- Actually, all the possible executions give rise to to a combinatorial explosion of states
- Drawing state-space diagrams, as done at pag. 97 of Sewell's notes, works only for very little examples: we need better techniques to analyze our concurrent programs!
- Almost centainly you (as the programmer) didn't want all those 3
   outcomes to be possible need better idioms to or constructs for
   programming.

## How do we get anything coherent done?

- need some way(s) to synchronize between threads, so can enforce mutual exclusion for shared data
- Think of Lamport's "Bakery" algorithm for concurrent and distributed systems. Can you code that in our small concurrent language? If not, what would you need in the language?
- though you can depend on built-in support from the scheduler, e.g.
   mutexes or condition variable (or, at the lower level, tas, test-and-set, or cas, compare-and-set).

$$\begin{array}{ll} \textit{Mutex names} & \textit{m} \in \mathbb{M} = \{ m, m_1, \ldots \} \\ \textit{Configurations} & \langle e, s, \mu \rangle, \text{ where } \mu : \mathbb{M} \to \mathbb{B} \text{ is the mutex state} \\ \textit{Expressions} & e \in \textit{Exp} \ldots & e \parallel e & | \text{lock } m & | \text{unlock } m \\ \end{array}$$

### Typing:

$$\frac{-}{\Gamma \vdash lock \ m : unit} \qquad (T-unlock) \ \frac{-}{\Gamma \vdash unlock \ m : unit}$$

### Operational semantics:

$$(lock) \xrightarrow{-} \frac{-}{\langle lock \ m, s, \mu \rangle \rightarrow \langle skip, s, \mu[m \mapsto true] \rangle} \quad \text{if } \neg \mu(m)$$

$$(unlock) \xrightarrow{-} \frac{-}{\langle unlock \ m, s, \mu \rangle \rightarrow \langle skip, s, \mu[m \mapsto false] \rangle}$$

... and adapt all the other rules to extended configurations  $\langle e, s, \mu \rangle$ .

Massimo Merro Concurrency 13 / 38

## Using a Mutex

To avoid race conditions, we can rewrite the previous program as follows:

$$\textit{Prg} \ \stackrel{\mathsf{def}}{=} \ \left( \mathsf{lock} \ m; l := 1 + !l; \mathsf{unlock} \ m \right) \parallel \left( \mathsf{lock} \ m; l := 7 + !l; \mathsf{unlock} \ m \right)$$

Let  $\langle Prg, s_0, \mu_0 \rangle$  be a configuration such that  $s_0 = \{l \mapsto 0\}$  and  $\mu_0$  returns false for any mutex name. Then, for all possible executions traces of the configuration  $\langle Prg, s_0, \mu_0 \rangle$  we will always have

$$\langle Prg, s_0, \mu_0 \rangle \rightarrow^* \langle skip, \{l \mapsto 8\}, \mu_0 \rangle$$

No other final configurations are possible!

The two assignments will be executed one after the other in mutual exclusion.

Note that the two assignments *commute*, so we end up in the same final state whichever got the lock first.

( □ ▶ ( 戸 ▶ ( 豆 ▶ ( 豆 ▶ ( 豆 ♥) へ ⊙ Massimo Merro Concurrency 14 / 38

### **Deadlocks**

The construct lock m can block if the the mutex m has already been locked by another thread. So, if we use (at least) two mutexes we can easily deadlock!

### Consider

```
\begin{array}{ll} \textit{e} = & \text{(lock } m_1; \text{lock } m_2; l_1 := !l_2; \text{unlock } m_1; \text{unlock } m_2) \\ \parallel & \text{(lock } m_2; \text{lock } m_1; l_2 := !l_1; \text{unlock } m_2; \text{unlock } m_1) \end{array}
```

... and we don't want deadlocks!

Massimo Merro Concurrency 15 / 38

## Language Properties

- Obviously, we don't have Determinacy anymore
- Type preservation is still valid
- Typing and type inferences is scarcely changed
- Very fancy type systems can be used to enforce locking disciplines
- Progress in general is not valid unless we adopt a type system to enforce a locking discipline. In that case, we would have deadlock-freedom for free. This has an influence on our notions of semantic equivalence.

## Semantic equivalences on concurrent programs

Since deadlocking processes are not ruled out anymore by our type system, we have to revisit our semantic equivalences

Let's amend the typed equivalences seen for sequential computations.

Trace equivalence  $\simeq_{\Gamma}$ 

 $e_1 \simeq_{\Gamma} e_2$  iff for all mutex states  $\mu$  and all stores s, s.t. dom( $\Gamma$ )  $\subseteq$  dom(s), we have  $\Gamma \vdash e_1 : T_1$ ,  $\Gamma \vdash e_2 : T_2$ ,  $T_1$ ,  $T_2 \in \{\text{unit, proc}\}$ , and

- $\langle e_1, s, \mu \rangle \rightarrow^* \langle e_1', s', \mu' \rangle$  implies  $\exists e_2'. \langle e_2, s, \mu \rangle \rightarrow^* \langle e_2', s', \mu' \rangle$
- $\bullet \ \langle e_2, s, \mu \rangle \to^* \langle e_2', s', \mu' \rangle \text{ implies } \exists e_1'. \langle e_1, s, \mu \rangle \to^* \langle e_1', s', \mu' \rangle.$

Notice that now we consider also partial traces and not only those leading to final configurations.

## Example (1)

$$P_1 = ((\text{lock m}; l := 3) || (\text{lock m}; l := 4))$$
  
 $Q_1 = \text{lock m}; (l := 3 || l := 4)$ 

- Is  $P_1 \simeq_{\Gamma} Q_1$ , for  $\Gamma = \{1 : intref\}$ ? Yes, it is!
- Is  $C[P_1] \simeq_{\Gamma'} C[Q_1]$ , for any well-typed context  $C[\cdot]$ ? No, it isn't!.
- Consider the context  $C[\cdot]$  defined as follows:

$$[\cdot] \ \ \big| \ \ \big( \mathrm{x}_1 := !l; \mathrm{x}_2 := !l; \mathrm{if} \ !\mathrm{x}_2 = !\mathrm{x}_1 + 1 \ \mathrm{then} \ \mathrm{r} := 1 \ \mathrm{else} \ \mathrm{r} := 0 \big)$$

- Then  $\langle C[Q_1], s, \mu \rangle \rightarrow^* \langle skip, s' \mu' \rangle$ , with s(l)=s(r)=0,  $\mu(m)=false$ , s'(l)=4, s'(r)=1 and  $\mu'(m)=true$ .
- But, there is no trace  $\langle C[P_1], s, \mu \rangle \to^* \langle \dots, s'', \mu'' \rangle$ , with s' = s'' and  $\mu' = \mu''!$  This is because  $P_1$  can "touch" location 1 only once!
- However,  $C[\cdot]$  is not "fair" because it does not acquire the mutex before accessing location 1. Any "fair" distinguishing context?

Massimo Merro Concurrency 18 / 38

## Example (2)

### Suppose we can type the following programs:

```
P_2 = ((lock m; 1 := 3; unlock m) || (lock m; 1 := 4; unlock m))

Q_2 = lock m; (1 := 3 || unlock m; lock m || 1 := 4); unlock m

R_2 = lock m; (1 := 3 || unlock m || lock m || 1 := 4); unlock m
```

### In these 3 programs the critical assignments to 1 are fully locked.

- Is  $P_2 \simeq_{\Gamma} Q_2 \simeq_{\Gamma} R_2$ , for  $\Gamma = \{l_0 : \text{intref}, l : \text{intref}\}$ ? Yes, it is.
- Is  $C[P_2] \simeq_{\Gamma} C[Q_2]$ , for any "fair" context  $C[\cdot]$ ? No, it isn't!
- Consider the "fair" context  $C[\cdot]$  defined as follows:

[·] 
$$\|$$
 (lock m;  $x_1$ :=!l;  $x_2$ :=!l; (if ! $x_2$  = ! $x_1$ +1 then r:=1 else r:=0); unlock m)

- Then  $\langle C[Q_2], s, \mu \rangle \rightarrow^* \langle \dots, s' \mu' \rangle$ , with s(l)=s(r)=0,  $\mu(m)=false$ , s'(l)=4, s'(r)=1 and  $\mu'(m)=true$ .
- But there is no trace s.t.  $\langle C[P_2], s, \mu \rangle \rightarrow^* \langle \dots, s', \mu' \rangle$ .

Massimo Merro Concurrency 19 / 38

So...

- It is not considering "fair" contexts that we fix the problem!
- What is the problem?  $\simeq_{\Gamma}$  is not preserved by parallel contexts!
- Why? Because trace equivalence forgets about intermediate states!

Moral: Parallel contexts have a stronger distinghishing power because they have more chances to create interferences.

 That's why it is much more difficult to write correct concurrent programs: when you add parallel threads a correct sequential program may go wrong!

## Trace Congruence: a much finer semantic equivalence

### Trace congruence $\cong_{\Gamma}$

Define  $e_1 \cong_{\Gamma} e_2$  to hold iff for all mutex states  $\mu$  and all stores s, such that  $\mathsf{dom}(\Gamma) \subseteq \mathsf{dom}(s)$ , we have  $\Gamma \vdash e_1 : T_1, \ \Gamma \vdash e_2 : T_2$ ,  $T_1, T_2 \in \{\mathsf{unit}, \mathsf{proc}\}$  and

- $\langle e_1, s, \mu \rangle \rightarrow^* \langle e'_1, s', \mu' \rangle$  implies  $\exists e'_2. \langle e_2, s, \mu \rangle \rightarrow^* \langle e'_2, s', \mu' \rangle$
- $\langle e_2, s, \mu \rangle \rightarrow^* \langle e_2', s', \mu' \rangle$  implies  $\exists e_1' . \langle e_1, s, \mu \rangle \rightarrow^* \langle e_1', s', \mu' \rangle$
- if  $e_1 \cong_{\Gamma} e_2$  then for any expression e such that  $\Gamma' \vdash e_1 \parallel e$ : proc and  $\Gamma' \vdash e_2 \parallel e$ : proc, for some  $\Gamma'$ , then  $e_1 \parallel e \cong_{\Gamma'} e_2 \parallel e$ .

By definition, the relation  $\cong_{\Gamma}$  is preserved by parallel contexts!

$$P_1 \not\cong_{\Gamma} Q_1$$

$$P_2 \not\cong_{\Gamma} Q_2$$

◆ロト ◆御 ト ◆ 注 ト ◆ 注 ・ り へ ②

21 / 38

## What about bi-similarity for concurrent programs?

We adapt the definitions to the current setting with mutexes:

### **Similarity**

We say that  $e_1$  is simulated by  $e_2$ , written  $e_1 \sqsubseteq_{\Gamma} e_2$ , iff

- $\bullet$   $\Gamma \vdash e_1 : T_1$  and  $\Gamma \vdash e_2 : T_2$ , with  $T_1, T_2 \in \{\text{unit}, \text{proc}\}\$
- for any  $\mu$  and s with dom( $\Gamma$ )  $\subseteq$  dom(s), if  $\langle e_1, s, \mu \rangle \rightarrow \langle e'_1, s', \mu' \rangle$  then there is  $e'_2$  such that  $\langle e_2, s, \mu \rangle \rightarrow^* \langle e'_2, s' \mu' \rangle$ , with  $e'_1 \sqsubseteq_{\Gamma} e'_2$ .

# Bisimilarity De più forte

We say that  $e_1$  is bisimilar to  $e_2$ , written  $e_1 \approx_{\Gamma} e_2$ , iff

- $\bullet$   $\Gamma \vdash e_1 : T_1$  and  $\Gamma \vdash e_2 : T_2$ , with  $T_1, T_2 \in \{\text{unit}, \text{proc}\}$
- for any  $\mu$  and s with dom( $\Gamma$ )  $\subseteq$  dom(s), if  $\langle e_1, s, \mu \rangle \rightarrow \langle e'_1, s', \mu' \rangle$  then there is  $e'_2$  such that  $\langle e_2, s, \mu \rangle \rightarrow^* \langle e'_2, s', \mu' \rangle$ , with  $e'_1 \approx_{\Gamma} e'_2$
- for any  $\mu$  and s with dom( $\Gamma$ )  $\subseteq$  dom(s), if  $\langle e_2, s, \mu \rangle \rightarrow \langle e'_2, s', \mu' \rangle$  then there is  $e'_1$  such that  $\langle e_1, s, \mu \rangle \rightarrow^* \langle e'_1, s', \mu' \rangle$ , with  $e'_1 \approx_{\Gamma} e'_2$ .



Now, if you consider the processes of the previous examples:

$$P_1 \sqsubseteq_{\Gamma} Q_1$$
 $Q_1 \not\sqsubseteq_{\Gamma} P_1$ 
 $P_2 \sqsubseteq_{\Gamma} Q_2$ 
 $Q_2 \not\sqsubseteq_{\Gamma} P_2$ 
 $Q_2 \approx_{\Gamma} R_2$ 

Unlike  $\simeq_{\Gamma}$ , both  $\sqsubseteq_{\Gamma}$  and  $\approx_{\Gamma}$  can observe changes at intermediate states! In general,  $P \sqsubseteq_{\Gamma} Q$  and  $Q \sqsubseteq_{\Gamma} P$  does not imply  $P \approx_{\Gamma} Q!$  Can you find two programs P and Q where this happens? Is the relation  $\sqsubseteq_{\Gamma}$  a congruence? Yes, it is!. Why? Because  $\sqsubseteq_{\Gamma}$  is much sharper when observing processes.

Massimo Merro Concurrency 23 / 38

## On the power of bi-similarity

### Similarity and Bisimilarity are preserved by parallel contexts

• If  $e_1 \sqsubseteq_{\Gamma} e_2$  then for any expression e, such that  $\Gamma' \vdash e_1 \parallel e$ : proc and  $\Gamma' \vdash e_2 \parallel e$ : proc, for some  $\Gamma'$ , it holds that

$$e_1 \parallel e \sqsubseteq_{\Gamma} e_2 \parallel e$$
.

• If  $e_1 \approx_{\Gamma} e_2$  then for any expression e, such that  $\Gamma' \vdash e_1 \parallel e$ : proc and  $\Gamma' \vdash e_2 \parallel e$ : proc, for some  $\Gamma'$ , it holds that

$$e_1 \parallel e \approx_{\Gamma} e_2 \parallel e$$
 .



attacco lollera Non influenza Sistema

(ロ) (리) (토) (토) (토) (의(O)

## Conditional critical regions

- We have seen that communication between parallel threads is via the store
- In concurrent programs it is very difficult to limit interferences on it
- Many real concurrent programming languages have constructs for alleviating these problems: semaphores, locks, critical regions, etc
- We have seen how to enrich our language with a simple form of locks
- Here we examine a higher-level construct for conditional critical regions

  Costrutto di plio livello de vude permetre di un processo e a await e1 protect e2 end
- The intuition is that this command may only be executed when the boolean expression  $e_1$  is true, and the entire command  $e_2$  is to be executed to completion without interruption or interference.

• For example consider the program:

$$\textit{Prg}_1 \ \stackrel{\mathsf{def}}{=} \ l := 0 \ \| \ (\mathsf{await} \ !l = 0 \ \mathsf{protect} \ l := 1; l := !l + 1 \ \mathsf{end})$$

- This is a deterministic program; if it is executed in a state s, with  $s(1) \neq 0$ , then it will terminate and the only possible terminal state is  $s[1 \mapsto 2]$ .
- As another example consider the more involved program:

$$\begin{array}{ll} \textit{Prg}_2 & \stackrel{\mathsf{def}}{=} & (\mathsf{await\ true\ protect}\ l_1 := 1; l_1 := !l_0 + 1\ \mathsf{end}) \\ & \parallel \\ & (\mathsf{await\ true\ protect}\ l_0 := 2; l_0 := !l_1 + 1\ \mathsf{end}) \end{array}$$

• The two guards, set to true, are vacuous, so which protected command is executed first is chosen non-deterministically.

Massimo Merro Concurrency 26 / 38

### Language:

Configurations 
$$\langle e, s \rangle$$
, as before

Expressions 
$$e \in Exp$$
 ::= ...  $| e | | e |$  await  $e$  protect  $e$  end

### Typing:

(T-await) 
$$\frac{\Gamma \vdash e_1 : \mathsf{bool} \quad \Gamma \vdash e_2 : \mathsf{unit}}{\Gamma \vdash \mathsf{await} \ e_1 \ \mathsf{protect} \ e_2 \ \mathsf{end} : \mathsf{unit}}$$

### Operational semantics:

(await) 
$$\frac{\langle e_1, s \rangle \to^* \langle true, s' \rangle \quad \langle e_2, s' \rangle \to^* \langle skip, s'' \rangle}{\langle await \ e_1 \ protect \ e_2 \ end, s \rangle \to \langle skip, s'' \rangle}$$

This is a kind of test-and-set command: whenever the guard  $e_1$  evaluates to true the command  $e_2$  can be executed atomically, in just one step!

◆ロト・◆ラト・モー モー・シュー そう へつ Massimo Merro Concurrency 27 / 38

### It is easy to see that

await 
$$true$$
 protect  $(l := !l + 1; l := !l - 1)$  end  $\approx_{\Gamma}$  await  $false$  protect  $(l := !l + 1; l := !l - 1)$  end  $\approx_{\Gamma}$  await  $e$  protect  $(l := !l + 1; l := !l - 1)$  end  $\approx_{\Gamma}$   $skip$ 

### for any expression e such that

- $\Gamma \vdash e$ : bool
- *e* does not modify the store.

Massimo Merro Concurrency 28 / 38

## Example

### Let us consider the following programs:

```
P_{\Lambda} \stackrel{\text{def}}{=} l_0 := 0:
              (await !l_0 = 0 protect (l := 1; l_0 := 1) end)
              (await !l_0 = 0 protect (l := 0; l_0 := 1) end)
     \stackrel{\text{def}}{=} l_0 := 0; (l := 0; l_0 := 1 \parallel l := 1; l_0 := 1)
Supponendo di poter tipare il seguente processo:
    \stackrel{\text{def}}{=} l_0 := 0;

ho_{\text{a simple } 0.} (await !l_0=0 protect (l:=0;l_0:=1 \parallel l:=1;l_0:=1) end)
● P4 Er Q4 DQ4 non simolaly
```

### Nondeterministic choice

Let us suppose to enrich our language with the following construct:

Configurations 
$$\langle e,s \rangle$$
, as before  $e \in Exp ::= \dots \mid e+e$ 

Typing:

(T-choice) 
$$\frac{\Gamma \vdash e_1 : \mathsf{unit} \quad \Gamma \vdash e_2 : \mathsf{unit}}{\Gamma \vdash e_1 + e_2 : \mathsf{unit}}$$

Operational semantics:

$$\begin{array}{c} (\mathsf{ChoiceL}) \xrightarrow{\begin{array}{c} \langle e_1,s \rangle \rightarrow \langle e'_1,s' \rangle \\ \hline \langle e_1+e_2,s \rangle \rightarrow \langle e'_1,s' \rangle \end{array}} \\ (\mathsf{ChoiceR}) \xrightarrow{\begin{array}{c} \langle e_2,s \rangle \rightarrow \langle e'_2,s' \rangle \\ \hline \langle e_1+e_2s \rangle \rightarrow \langle e'_2,s' \rangle \end{array}} \\ \end{array} \\ \begin{array}{c} (\mathsf{ChoiceR}) \xrightarrow{\begin{array}{c} \langle e_2,s \rangle \rightarrow \langle e'_2,s' \rangle \\ \hline \langle e_1+e_2s \rangle \rightarrow \langle e'_2,s' \rangle \end{array}} \end{array}$$

This construct chooses nondeterministically one branch or the other; once a branch is chosen the other one is discarded!

Massimo Merro Concurrency 30 / 38



## True and false algebraic laws

$$\mathbf{Q}$$
  $e \approx_{\Gamma} skip; e$ 

**3** 
$$e_1 + e_2 \sqsubseteq_{\Gamma} (skip; e_1) + e_2$$

**4** 
$$e_1 + e_2 \supseteq_{\Gamma} (skip; e_1) + e_2$$

**6** 
$$e_1 + e_2 \not\approx_{\Gamma} (skip; e_1) + e_2$$

**6** 
$$e_1 + e_2 \sqsubseteq_{\Gamma} (skip; e_1) + (skip; e_2)$$

$$0 e_1 + e_2 \supseteq_{\Gamma} (skip; e_1) + (skip; e_2)$$

**3** 
$$e_1 + e_2 \not\approx_{\Gamma} (skip; e_1) + (skip; e_2)$$

Massimo Merro Concurrency 31 / 38



Analizziamo la 1ª coppia

1.1 La P=e4+e2 -> e'=P' e4-> e'=P' e4-> e4 e no applicatio la (choice L). Come viaponde Q? Allors Q = skip; enter -en = Q' con (P/Q) & R

1.2 (2) P= e+e2 - e2'= P' perché e2 - e2' e no applicato la (choice R). Cosa risponde Q?

Allora Q = skip e++e2 >e,'=Q', con (p',Q') & G

4 e4+e2 = skiρ; e4+e2 R= { (Pa) } UTS

e. = e := 1 e, = e := 2

1) La Q = Skip; e4+e2 - e4 = P, per una applicacione delle segole. Por simulare Q?

Allors P→"P=P' con (Q', P') ∈ R 2) La Q=skip; en+ez -> ez', applicando la (choice R). No allora Q=en+ez -> ez'=Q,

applicando la (choice R) con (Q',p') e ld c (R)

@ Analizziamo la 2ª coppia

2.1 Sa e, - e, per quolche e, Allors e, + e, - e, applicando la (choice L) con (e, e, ') E ld = B



## Example: When execution order is important

Consider the following algebraic law:

$$l := 1 \parallel m := 2 \approx_{\Gamma} (l := 1; m := 2) + (m := 2; l := 1)$$

Can we generalise this law as follows?

$$e_1 \parallel e_2 \approx_{\Gamma} (e_1; e_2) + (e_2; e_1)$$
 $e_1 \parallel e_0; w = 2$ 

for arbitrary expressions  $e_1$  and  $e_2$ ?

$$e_{1} = 0; m = 2$$
 $e_{2} = 3; m = 4$ 

Non vale in openerale wa solo su certe condizioni

◆ロト ◆部 ▶ ◆ 恵 ト ◆ 恵 ・ か Q ○

Massimo Merro Concurrency 32 / 38



## Example: On Bisimulation

### Let

• 
$$e_1 \stackrel{\text{def}}{=} (l := 1) + (l := 1; m := 2)$$

• 
$$e_2 \stackrel{\text{def}}{=} 1 := 1; m := 2$$

which of the following statements is true?

- $e_1 \sqsubseteq_{\Gamma} e_2$  se cologone le si multicioni i nesticambi i nestici non
- e<sub>1</sub> ⊒<sub>Γ</sub> e<sub>2</sub> Sempre role la bisimulazione
- e1 ≈ r e2.

  Se whe labe is interesticuramente whose is interesticuramente.

←□▶ ←□▶ ← 필 ▶ ← 필 → り

Massimo Merro Concurrency 33 / 38

## An encoding of nondeterministic choice

Question: Is  $e_1 + e_2$  a primitive construct or it can be codified?

Massimo Merro Concurrency 34 / 38

## An encoding of nondeterministic choice

Question: Is  $e_1 + e_2$  a primitive construct or it can be codified? Let us try to encode nondeterministic choice using parallel composition, locations and the construct for critical regions:

Said in other words: does our implementation of nondeterministic choice satisfy its specification, or... something close to it? Actually:

- $e_1 \uplus e_2 \supseteq_{\Gamma} e_1 + e_2$
- $e_1 \uplus e_2 \sqsubseteq_{\Gamma} e_1 + e_2$
- $\bullet \ e_1 \uplus e_2 \not\approx_{\mathsf{\Gamma}} e_1 + e_2$
- $e_1 \uplus e_2 \approx_{\Gamma} (skip; e_1) + (skip; e_2).$

◆□▶ ◆□▶ ◆■▶ ◆■▶ ● からの

Massimo Merro Concurrency 34 / 38

## Persistent behaviours (1)

We know that when we write  $e_1$ ;  $e_2$  we have to execute  $e_1$  first, and only when  $e_1$  has been completed we can execute  $e_2$ .

However, how can we write in our language a program that repeats subsequently the same program e?

### Proposal:

$$RepSeq(e) \stackrel{\text{def}}{=} let S : (unit \rightarrow unit) \rightarrow (unit \rightarrow unit)$$

$$= (fn f : unit \rightarrow unit \Rightarrow (fn x : unit \Rightarrow x; (f x)))$$
in fix.  $Se$ 

Suppose to have a CBN semantics!

Massimo Merro Concurrency 35 / 38

## Persistent behaviours (2)

What about a program that forks an arbitrary number of threads e?

$$e \parallel e \parallel e \parallel e \parallel \dots$$

Proposal:

$$RepPar(e) \stackrel{\text{def}}{=} let P : (unit \rightarrow unit) \rightarrow (unit \rightarrow unit)$$

$$= (fn f : unit \rightarrow unit \Rightarrow (fn x : unit \Rightarrow x \parallel (f x)))$$

$$in fix.P e$$

Again suppose to have a CBN semantics!

Massimo Merro Concurrency 36 / 38

## Data race and critical regions (1)

During the execution of the program RepSeq(l := !l + 1) the value associated to the location l increases monotonically:

$$l := !l + 1; l := !l + 1; l := !l + 1; ...$$

Whereas during the execution of the program RepPar(l := !l + 1) the value associated to the location l may increase or decrease.

$$l := !l + 1 \parallel l := !l + 1 \parallel l := !l + 1 \parallel \dots$$

This is because this program suffers of data races at locations /.

Actually:

Actually:

- $RepSeq(l := !l + 1) \sqsubseteq_{\Gamma} RepPar(l := !l + 1)$
- $RepSeq(l := !l + 1) \not\supseteq_{\Gamma} RepPar(l := !l + 1)$

Massimo Merro Concurrency 37 / 38

## Data races and critical regions (2)

Any way to avoid those data races maintaining concurrency? Proposal:

```
\begin{array}{ll} \textit{AwtPar}(e) & \stackrel{\mathsf{def}}{=} \\ \textbf{let } \textit{A} : (\mathsf{unit} \to \mathsf{unit}) \to (\mathsf{unit} \to \mathsf{unit}) \\ &= (\mathsf{fn} \; f : \mathsf{unit} \to \mathsf{unit} \Rightarrow (\mathsf{fn} \; x : \mathsf{unit} \Rightarrow \mathsf{await} \; \textit{true} \; \mathsf{protect} \; x \; \mathsf{end} \; \| \; (f \; x))) \\ \textbf{in } \; \mathsf{fix}. \textit{A} \; e \end{array}
```

Now, it is possible to prove that

$$RepSeq(l := !l + 1) \approx_{\Gamma} AwtPar(l := !l + 1).$$

Massimo Merro Concurrency 38 / 38