CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed (KFUPM) Spring 2004 (Term 032)
Correctness Requirements
CSE555-SqalliTerm Topics (Ch. 6) Correctness criteria Reasoning about behavior Assertions and system invariants Deadlocks and bad cycles Temporal claims
CSE555-SqalliTerm Correctness Criteria What does it mean for a design to be correct (i.e., to validate a design)? A design can be proven correct wrt to specific correctness criteria Logical correctness is concerned primarily with possibilities, not with probabilities Some fairly general correctness criteria: Absence of deadlocks Absence of livelocks No improper terminations Problem: high complexity even with finite state models A design should be provably correct Proving even simple protocol properties, such as absence of deadlocks, is PSPACE hard
CSE555-SqalliTerm Dealing With Complexity Validation methods need to solve complexity problems: Methods should allow correctness analysis of large models Methods should provide techniques for reducing complexity of models (Ch. 8 and 11) Ability to express large models despite complexity depends on a careful choice of correctness criteria PROMELA’s choice of correctness criteria: support several independent levels of complexity Simple and straight-forward requirements are checked independently of the others Example: Absence of deadlocks Slightly more complicated requirements have higher computation cost Example: Absence of livelocks More sophisticated requirements are the most expensive to check Techniques of reducing complexity are applicable here (Ch. 11)
CSE555-SqalliTerm Basic Types of Claims Two types of correctness requirements: Safety: set of properties the system may not violate, i.e., bad things that should be avoided (e.g., invalid end states) Liveness: set of properties the system must satisfy, i.e., good things that capture the required functionality of a system (e.g., non-progress cycles) Function of a verification system Need not, and cannot, determine what is good or bad It can only help the designer to determine what is possible and what is not For a verifier, there are two types of correctness claims Claims about reachable and unreachable states state properties (e.g., system invariant, process assertion) Claims about feasible and infeasible executions (i.e., sequence of states) path properties (finite or infinite (e.g., cyclic))
CSE555-SqalliTerm Reasoning About Behavior Correctness criteria can be formalized as claims about the behavior of a PROMELA validation model Two general types of claims about a given behavior: Inevitable; or Impossible Suffice to support only one type of claim Claim of one type implicitly defines a complementary and equivalent claim of the other type PROMELA’s expression of correctness criteria: Define behaviors that are claimed to be impossible
CSE555-SqalliTerm Reasoning About Behavior (Cont’d) How to state that a given behavior is inevitable: All deviant behaviors are impossible How to express an assertion stating that a condition is invariantly true: Correctness claim: assertion is impossible to be violated
CSE555-SqalliTerm Definition of Terms A state of a validation model is completely defined by: Specification of all values for local and global variables All control flow points of running processes Contents of all message channels An execution sequence: A finite, ordered set of states The behavior of a validation model: Defined completely by the set of all possible execution sequences Model can reach a given state by executing PROMELA statements Model can be placed in a given state by: Assignment of the appropriate values to variables, control flow points, and channels
CSE555-SqalliTerm Valid Execution Sequence Any arbitrary set of states do not necessarily form a valid execution sequence A finite, ordered set of states is valid for a given PROMELA model M if it satisfies two criteria: The first state (state 1) of the sequence is the initial system state of M: All variables initialized to zero All message channels empty Only init process active and set in its initial state If M is placed in state i, there is at least one executable statement that can bring it to the state i+1
CSE555-SqalliTerm Terminating and Cyclic Sequences Terminating: No state occurs more than once in the sequence Model M contains no executable statements when placed in the last state of the sequence Cyclic: All states except for the last one are distinct Last state of the sequence is equal to one of the earlier states Cyclic sequences define potentially infinite executions System behavior of a PROMELA model: Defined by all terminating and cyclic sequences generated by executing this model Set of reachable states of a PROMELA model: The union of all states included in the system behavior
CSE555-SqalliTerm State Properties Propositions Correctness claims for PROMELA models can be built up from simple propositions A proposition is a boolean condition on the state of the system A proposition can refer to all the elements of a system state: Local and global variables Control-flow points of arbitrary executing processes Contents of message channels Propositions implicitly define labeling of states In any given state, a proposition is either true or false Correctness criteria can be expressed in terms of states in which a given proposition should hold Specified by assertion statements in PROMELA
CSE555-SqalliTerm Temporal Ordering of Propositions Correctness criteria can be expressed as a temporal ordering of propositions (if more than one proposition is used) Need to specify order in which propositions are required to hold Truth of one proposition follows (immediately or eventually) the truth of another Complementary way to express temporal ordering Define the order in which propositions should never hold Only this alternative is supported in PROMELA Through a language feature called temporal claim
CSE555-SqalliTerm Temporal Claims We need to specify ordering of propositions Semantics of proposition orderings is different from statement orderings in PROMELA A sequential ordering implies that second statement in a process is to be executed after the first one terminates However, in reality we cannot assume relative speed of entities All we can say is that second statement executes eventually after the first one Correctness claims have to be more specific In a temporal claim, a sequential ordering of two propositions defines an immediate consequence
CSE555-SqalliTerm Temporal Claims and Process Types Types of correctness requirements are different for terminating and cyclic sequences Terminating processes An important requirement for terminating sequences is absence of deadlocks Not all terminating sequences correspond to deadlocks Need to express which final state properties make a terminating sequence acceptable as non-deadlocking. Cyclic processes Temporal claims for cyclic sequences need to express general conditions, such as absence of livelocks and non-progress cycles
CSE555-SqalliTerm Assertions Correctness criteria can be expressed as boolean conditions This criteria must be satisfied whenever a process reaches a given state PROMELA uses assert statement for this purpose Syntax of assert statement assert (condition) The condition can be an arbitrary boolean expression This statement is always executable It can be placed anywhere in a PROMELA specification Effect of the assert statement: If the condition is true, the statement has no effect If condition is false in at least one execution sequence, the validity of the statement is violated The PAN run-time flag –A can be used to disable the reporting of assertion violations “ spin –a file_name.pml ” will generate a pan.c file. This file is compiled “ cc –o pan pan.c ” to get the executable used for verification
CSE555-SqalliTerm Assertions: Example In this example, we cannot predict what will be the final value of state 0, 1, or 2 We can try the following correctness criteria: When process of type A completes, value of state must be 2 When process of type B completes, value of state must be 0 Expressed using assert Claims are of course false! Example without assertions Example with assertions C:\Tools\spin>spin state.pml state in A is: 1 spin: line 2 "state.pml", Error: assertion violated spin: text of failed assertion: assert((state==2)) #processes: 3 state = 1 8: proc 2 (B) line 3 "state.pml" (state 3) 8: proc 1 (A) line 2 "state.pml" (state 4) 8: proc 0 (:init:) line 4 "state.pml" (state 3) 3 processes created
CSE555-SqalliTerm System Invariants System invariants are boolean conditions, such that: If they are true in the initial system state, they remain true in all reachable system states This is independent of the execution sequence that leads to each specific state A more general application of assert is to formalize system invariants System invariants can be expressed in a monitor process Example: proctype monitor() { assert (invariant) } This process, after it has been started with a run statement, continues to execute independently of the rest of the system The assert statement is executable once for every system state
CSE555-SqalliTerm System Invariants: Dijkstra’s Semaphore #define p0 #define v1 chan sema[0] of { bit }; proctype dijkstra() {do :: sema!p -> sema?v od } proctype user() {sema?p; /* critical section */ sema!v /* non-critical section */ } init {atomic { run dijkstra(); run user(); run user(); run user(); } Semaphore guarantees mutually exclusive access to critical sections We can modify the above to count the number of user processes in the critical section #define p0 #define v1 chan sema[0] of { bit }; byte count; proctype dijkstra() {do :: sema!p -> sema?v od } proctype user() {sema?p; count = count + 1; skip; /* critical section */ count = count – 1; sema!v skip; /* non-critical section */ } proctype monitor() { assert(count==0 || count==1) } init {atomic { run dijkstra(); run monitor(); run user(); run user(); run user(); }
CSE555-SqalliTerm Deadlocks Two types of possible execution sequences in a finite state system: Either terminate after a finite number of state transitions; or Cycle back to a previously visited state There are two types of end states that should be distinguished: Expected or proper end states Unexpected end states Error states due to incomplete or inconsistent protocol specifications Deadlock state is only one type of possible error states Example: unspecified receptions Two criteria for the final state of a terminating execution sequence to be considered a proper end-state: Every instantiated process has terminated All message channels are empty
CSE555-SqalliTerm Deadlocks: End-State Labels All processes do not necessarily terminate Some processes may stay alive even after all others terminate Example: server processes In PROMELA, process states can be identified in proctype definitions as proper end-states using end-state labels Exmaple: dijkstra’s algorithm: proctype dijkstra() { end: do :: sema!p -> sema?v od } Process will be considered in a proper end-state when it is in a state labeled end
CSE555-SqalliTerm End-State Labels (Cont’d) More than one proper end-sate within a single proctype are possible All label names must be unique An end-state label is any label with prefix end Examples: enddne, end0, endme, end_of_part_1, end_war etc. Revised first criterion of proper end-state: Every instantiated process has either terminated or reached a state marked as a proper end-state Any final state in a terminating execution sequence that does not satisfy above criteria is classified as an improper end-state An implicit correctness claim for a validation model is that the behaviors they define, do not include any improper end states The PAN run-time flag –E can be used to suppress the reporting of invalid end states (i.e., “ pan –E ”) The PAN run-time option –q means that all message channels must be empty for a system state to be considered valid (in addition to reaching a valid end state).
CSE555-SqalliTerm Bad Cycles Correctness requirements (i.e., properties) of cyclic sequences can be expressed in PROMELA: Non-progress cycles Livelocks Two properties are: No infinite behaviors of only unmarked states System cannot infinitely cycle through unmarked states Marked states are called progress-states Execution sequences violating this correctness claim are called non- progress cycles No infinite behaviors that include marked states Execution sequences violating this claim are called livelocks
CSE555-SqalliTerm Non-Progress Cycles How to claim absence of non-progress cycles? Define the system states within PROMELA model that represent progress Defined through progress-state labels A progress-state label marks a state that must be executed for the protocol to make progress Examples: Delivering data to a receiver Incrementing a sequence number Passing of a semaphore test will show “progress” proctype dijkstra() { end:do :: sema!p -> progress:sema?v od } The passing of the semaphore guard cannot be postponed infinitely long In all infinite executions, the semaphore process reach the progress label infinitely often An automated validator can confirm that this claim cannot be violated More than one progress-state labels are possible: progress0, progressing, progression etc. Use “ cc –DNP –o pan pan.c ” to enable non-progress checking, and “ pan -l ” to search for non-progress cycles
CSE555-SqalliTerm Livelocks Formally expressed as something that cannot happen infinitely often Using acceptance-state labels An acceptance-state marks a state that may not be part of a sequence of states that can be repeated infinitely often. An acceptance-state label start with prefix “accept” Examples: acceptance, accepting, etc. Example: modified proctype dijkstra (): proctype dijkstra() { end: do :: sema!p -> accept:sema?v od } Claim: it is impossible to cycle through a series of p and v operations This claim is false
CSE555-SqalliTerm Temporal Claims So far, we have defined specifications of correctness criteria with: Assertions Three special labels to mark end, progress, and acceptance states Temporal claims define temporal orderings of properties of states We can express claims, such as: Every state in which property P is true is followed by a state in which property Q is true This is expressed as: P -> Q In the above statement, “followed by” has two interpretations: Immediately followed by; or Eventually followed by PROMELA support the second interpretation with the first as a special case
CSE555-SqalliTerm Temporal Claims (Cont’d) Two problems in specifying temporal claims P -> Q : Temporal claims should express orderings of properties that are impossible, just like other correctness criteria Temporal claims are defined on complete execution sequences Even if a prefix of the sequence is irrelevant, it must be represented as a trivially true sequence of propositions Example: never { do :: skip :: break od -> P -> !Q } Independent of initial sequence of events, it is impossible for a state in which property P is true to be followed by a state in which property Q is false Claim is matched if and when claim body terminates and corresponding correctness property is violated Thus, PROMELA notation for temporal claims is: never { … } A never claim is normally used to specify either finite or infinite system behavior that should never occur
CSE555-SqalliTerm Example: Temporal Claims We want to express the temporal property that condition1 can never remain true infinitely long We need a representation of all behaviors, such that condition1 may be false initially It becomes true eventually It remains true Expressed in PROMELA as follows: never { do :: skip :: condition1 -> break od; accept: do :: condition1 od } If and when the acceptance cycle is detected, claim is matched and corresponding correctness property is violated (livelock)
CSE555-SqalliTerm Example: Temporal Claims (Cont’d) Another claim (perhaps an erroneous version of previous) can be expressed as follows: never { do :: skip :: condition1 -> break od; accept: condition1 } Claim has just two state transitions after condition1 becomes true: This claim is completely matched if there is at least one execution sequence in which condition1 holds in two subsequent states For the first version, it would be an error (a livelock) if the machine can stay in the accept state infinitely long. For the second version, it would be an error if the terminal state is reachable
CSE555-SqalliTerm Specifying Temporal Claims Body of a temporal claim is similar to a proctype body, except for one difference: Every statement inside a temporal claim is interpreted as a condition These should be free of side-effects PROMELA statements with side-effects are: assignments, assertions, sends, receives, and printf statements. A temporal claim is matched if: An undesirable/illegal behavior can be realized Thus, correctness claim is violated Application of temporal claims: Most useful ones combine temporal claims with acceptance labels Two ways to match a temporal claim depending on undesirable behavior Undesirable behavior can define: A terminating sequence; or A cyclic execution sequence (livelock)
CSE555-SqalliTerm Specifying Temporal Claims (Cont’d) For a terminating execution sequence, a temporal claim is matched only when it can terminate (reaches the closing curly brace) The claim can be violated if the closing curly brace of the PROMELA body of the claim is reachable. For a cyclic execution sequence, the claim is matched only when an explicit acceptance cycle exists. To check a cyclic temporal claim, acceptance labels should only occur within the claim and not elsewhere in the PROMELA code. A combination of never claim with accept labels can express the absence of non-progress cycles Thus, temporal claims are more general than progress-state labels However, cost (complexity) of validation with progress-state labels is smaller There are easier ways to express never claims Spin’s built-in translator from formulae in linear temporal logic (LTL) to never claims (less expressive than never claims) The timeline editor, a graphical tool, converts timeline descriptions into never claims (less expressive than LTL formula)
CSE555-SqalliTerm trace Assertion Expresses a correctness requirement on existing behavior in the remainder of the system Expresses properties of message channels Formalizes statements about valid and invalid sequence of operations that processes can perform on message channels All channel names referenced in a trace assertion must be global All message fields must be global or mtype constants. Example: trace { do :: q1!a; q2?b od } Send operations on channel q1 alternate with receive operations on channel q2 All send operations on q1 are exclusively messages of type a All receive operations on q2 are exclusively messages of type b Must always be deterministic Cannot contain random receive, sorted send, or channel poll operations No data objects can be declared or referred to inside a trace assertion Don’t care values for specific message fields can be specified with the predefined write-only variable _ (i.e., the underscore symbol) notrace assertion is also supported, but rarely used Specifies a sequence of events that should not occur in an execution
CSE555-SqalliTerm Tracing Verification Errors When the verifier finds an error it writes a complete trace for the error execution into a file called file_name.pml.trail Using this file, we can reproduce the error trail with spin’s guided simulation option: “ spin –t –p file_name.pml ”