PROCESO DE CONTRATACIÓN Y EJECUCIÓN

Distributed protocols often exhibit symmetric behavior, e.g., the behavior of the state machines in Peterson’s mutual exclusion algorithm described in Section 1.2.3 exhibits symmetry. To allow the programmer to express such symmetric behavior, we use symmetric types, which are similar to thescalarsetconstruct used in the Murϕmodel checker [ID96].

A symmetric typeT ∈Tis characterized by (1) its name, and (2) its cardinality,|T|, which is a finite natural number. The only operations permitted on values of a symmetric type are comparisons for equality and disequality between two values. Given a collection of state machines parameterized by a set of symmetric types, e.g., the state machinesP₀andP₁in Peterson’s algorithm, the behavior of the system is required to be invariant under permutations (i.e., renaming) of the parameter values.

Given a symmetric typeT, letperm(T)be the set of all permutationsπ_T :T →T, over the symmetric typeT. For ease of notation, we defineπ_T(v) =vfor valuesv /∈T,_i.e., values whose type is notT, provided that the type ofvis not an array or record type. If the type ofvis a record type, thenπ_T(v)is defined as the record value obtained by applyingπ_T on each field ofv. If the type ofvis an array type, whose index type is_notT, thenπ_T(v)is defined as the array value obtained by applyingπT recursively to all the elements ofv. If the type ofvis an array type

whose index type isT, thenπT(v)is defined as the value obtained by first recursively applying

π_T to all the elements ofvand then permuting the array elements themselves according to π_T,_i.e., for allj∈T,π_T(v)[π_T(j)]≡π_T(v[j]). Given the collection of symmetric types in the system,T₁,T₂, . . . ,Tn ∈B, we define the set ofsystem widepermutations,perm(T_B), as the composition of the permutations over the individual types,πT1◦πT2◦ · · · ◦πTn.

esms, esm-sks and messages may be parameterized by a list of parameter variables, each of a symmetric type. The semantics of such parameterization is that there exists one

instance of the object for every possible value that the parameter variables can take. Consider a parameterized messagemhp₁:T₁,p₂:T₂, . . . ,pn:Tni. Herep1,p2, . . . ,pnare parameter

variables which can take values of types T₁,T₂, . . . ,Tn respectively. Then for every possi-

ble list of values hv₁,v₂, . . . ,v_ni_{, where} v_i ∈ T_i, and i ∈ [1,n], there exists an instance

mhp₁7→v₁,p₂7→v₂, . . . ,p_n7→v_ni of the parameterized messagem. The semantics of a parameterizedesmoresm-skare similar, except that the parameter variablesp_iare available for use as read-only variables within the guards and updates of theesmoresm-sk.

Given the set of typesTBan interpretationIis said to be symmetric with respect toTBif and only if for allf_u:d₁,d₂, . . . ,d_n→r∈U, for allπ∈perm(T_B), and for alle₁∈d₁,e₂∈

d₂, . . . ,en ∈dn, we have thatπ(fu(π(e1),π(e2), . . . ,π(en))) ≡fu(e1,e2, . . . ,en). Anesm

oresm-skAis said to be symmetric with respect toT_B, if and only if for any interpretationI such thatIis symmetric with respect toTB, and for allπ∈perm(T_B), every execution ofA underIof the form:

e_,(l₀,σ₀)_−→∗1 _(l

1,σ1)−→ · · ·∗2 ∗n

−→(l_n,σ_n) ∗n+1 −−−→ · · ·

where∗_iis one ofm_i?v_mi orm_i!v_mi or, implies that the_permutedexecution of the form: π(e)_,(π(l₁),π(σ₁))_−−−→π(∗1) (π(l₂),π(σ₂))_{−−−→ · · ·}π(∗2) π(∗n)

−−−−→(π(l_n),π(σ_n)) π(∗n+1) −−−−−→ · · · is also admitted byAunder the same interpretationI. Here π(∗i)

−−−→represents a transition along which the instances of messages parameterized by symmetric types and message payloads are also permuted according to the permutationπ. Further, we also require thateis a weakly (respectively, strongly) fair execution ofAif and only ifπ(e)is a weakly (respectively, strongly) fair execution ofA. In other words, we require the strong and weak fairness assumptions onA to be symmetric as well.

Our framework allows the programmer to describe protocols which are symmetric according to the notion of symmetry just described. We ensure that symmetry breaking constructs are not used by enforcing syntactic restrictions on the description ofesms andesm-sks. This is done in a manner similar to the what has been described in earlier work [ID96]. Further, we also ensure that any interpretationsIthat are generated during the process of synthesis are such that they satisfy the symmetry assumptions made on theesm-sks that they are a part of, as we shall describe in later sections.