Formal Specifications for Complex Systems (236368) Tutorial #10

Slides:



Advertisements
Similar presentations
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Advertisements

DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 6 Instructor: Haifeng YU.
CIS 725 Data Link Layer. Physical Layer Figure 3-1 B. Forouzan, TCP/IP Protocol Suite.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Ordering and Consistent Cuts Presented By Biswanath Panda.
© Katz, Spring 2007 CS Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS Shmuel.
Aspect-Oriented Software Development (AOSD) Tutorial #10 Interference among Aspects.
© Katz, Spring 2004 CS Formal SpecificationsLecture-- Lamport 1 Lamport (cont.): A Lossy Queue Exactly like a regular one, but with one more allowed.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Temporal Logic of Actions (TLA) Leslie Lamport
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
Lecture 13 Synchronization (cont). EECE 411: Design of Distributed Software Applications Logistics Last quiz Max: 69 / Median: 52 / Min: 24 In a box outside.
Aran Bergman, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Recitation 5: Reliable.
Exam Like Problems. Problem 1 You are given a software module which implements consensus between a static group of servers in an unreliable network. The.
Systems of Distributed systems Module 2 - Distributed algorithms Teaching unit 2 – Properties of distributed algorithms Ernesto Damiani University of Bozen.
Lecture 12 Synchronization. EECE 411: Design of Distributed Software Applications Summary so far … A distributed system is: a collection of independent.
Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
The Transport Layer  introduction  fundamental problems in networking  communicating reliably over an unreliable channel  congestion and flow control.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 11 Data Link Control Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Switching breaks up large collision domains into smaller ones Collision domain is a network segment with two or more devices sharing the same Introduction.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Data Link Layer Part I – Designing Issues and Elementary.
Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.
04/06/2016Applied Algorithmics - week101 Dynamic vs. Static Networks  Ideally, we would like distributed algorithms to be: dynamic, i.e., be able to.
CS3505: DATA LINK LAYER. data link layer  phys. layer subject to errors; not reliable; and only moves information as bits, which alone are not meaningful.
CS 395T Game-Based Verification of Contract Signing Protocols.
Network Protocols Network Systems Security Mort Anvari.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
May University of Glasgow Generalising Feature Interactions in Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow.
Protocol Specification Prof Pallapa. Venkataram Department of Electrical Communication Engineering Indian Institute of Science Bangalore – , India.
Copyrighted material John Tullis 12/16/2015 page 1 04/08/00 MQ Series Middleware Presentation John Tullis DePaul Instructor
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Chap 15. Agreement. Problem Processes need to agree on a single bit No link failures A process can fail by crashing (no malicious behavior) Messages take.
Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are: 1. Resource sharing 2. Avoiding concurrent update on shared data 3. Controlling the.
Lecture 7- 1 CS 425/ECE 428/CSE424 Distributed Systems (Fall 2009) Lecture 7 Distributed Mutual Exclusion Section 12.2 Klara Nahrstedt.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Principles of reliable data transfer 0.
Decentralized solution 1
CIS 825 Review session. P1: Assume that processes are arranged in a ring topology. Consider the following modification of the Lamport’s mutual exclusion.
Fault Tolerance (2). Topics r Reliable Group Communication.
Formal Methods Project Design Yuanhui Luo yl3026, Ziwei Zhang zz2282, Yih-Nin Lai yl3030, Zhen Qiu zq2130.
Introduction to AP Notation So far we have discussed the Internet Protocol informally Now, we need to learn about a formal notation, called the Abstract.
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are:  Resource sharing  Avoiding concurrent update on shared data  Controlling the.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
EEC 688/788 Secure and Dependable Computing Lecture 10 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
The Transport Layer introduction fundamental problems in networking
PROTOCOL CORRECTNESS Tutorial 3 Theoretical
Synthesis from scenarios and requirements
CMPT 371 Data Communications and Networking
Alternating Bit Protocol
Protocol Basics.
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
CS412 Introduction to Computer Networking & Telecommunication
ITEC452 Distributed Computing Lecture 5 Program Correctness
Decentralized solution 1
Mutual Exclusion Problem Specifications
Switching Techniques.
Mutual Exclusion CS p0 CS p1 p2 CS CS p3.
EEC 688/788 Secure and Dependable Computing
CSCE 715: Network Systems Security
ITEC452 Distributed Computing Lecture 7 Mutual Exclusion
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
CSCE 715: Network Systems Security
CIS825 Lecture 5 1.
M. Mock and E. Nett and S. Schemmer
Presentation transcript:

Formal Specifications for Complex Systems (236368) Tutorial #10 TLA – Temporal Logic of Actions

Lossy Channel Example FIFO queue for transmission of messages from Sender to Reciever We have only lossy queues Goal: build a reliable queue using lossy ones Idea: use alternating bit protocol to ensure the messages are still delivered Assumption: there is only one message at a time we try to deliver (i.e., no “messages to be sent” queue) Can be extended to the case with messages queue (used as a module in the solution)

Alternating Bit Protocol reliable queue lossy queue SEND RCV lossy queue

no message will be sent till there is some new message AB-protocol contd. How to pass a value “d”? Initiate sBit = rBit = b; sent = “d” Sender sBit:= “!b” keeps sending “<!b,d>” on msgQ Receiver keeps sending “b” on ackQ When receiver gets “<!b,d>” on msgQ : !b  rBit => it’s a new value rcvd:=“d” rBit := !b Receiver starts sending “!b” on ackQ Eventually, Sender gets “!b” on ackQ !b = sBit => the message has been transmitted If there is a new message to transmit, “e”, sender will start sending <b, e> on msgQ (and make sBit:= “b”) no message will be sent till there is some new message

AB-protocol TLA specification (1) TLA specification consists of: Declarations part variables, constants, modules used Initiation conditions on initial states Actions description: Action  (Enabling conditions  Changes to the state  Unchanged part of the state) Example-specific definitions (macros) Requirements Temporal logic formulas; including Fairness

AB-protocol TLA specification (2) data values that can be sent. MODULE AlternatingBit Extends Naturals, Sequences Constants Data Variables ABInit 

AB-protocol TLA specification (3) //communication on the msg channel: SendNewValue(d)  ReSendMsg  RcvMsg 

AB-protocol TLA specification (4) //communication on the “ack” channel : SendAck  RcvAck  //specification of msgQ and ackQ as lossy queues LoseMsg  Lose(msgQ)  UNCHANGED ackQ LoseMsg  Lose(ackQ)  UNCHANGED msgQ //”macros” ABNext    dData: SendNewValue(d)  ReSendMsg  RcvMsg  SndAck  RcvAck  LoseMsg  LoseAck abvars  <msgQ, ackQ, sBit, sAck, rBit, sent, rcvd> Lose(q) – action of losing message from queue q; leaves unchanged sBit, sAck, rBit, sent, rcvd

AB-protocol TLA specification (5) //Requirements: //liveness condition: ABFairness   WFabvars(ReSendMsg)  WFabvars(SndAck)  SFabvars(RcvMsg)  SFabvars(RcvAck) //complete specification: ABSpec  ABInit  ⃞[ABNext]abvars  ABFairness

different from the lecture… Reliable queue different from the lecture… Goal (reminder): build a reliable queue of one element Need to show: the module we specified provides the functionality of a reliable queue Reliable queue requirements – reminder: Init  [Next]vars  WFvars (Deq) Init  (q =    in = NoMsg  out = NoMsg) vars   in, out, q  Next  Enq  Deq WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Does AB-Module specification imply the requirements? “in”, “out” : in one-element queue, can be identified with sent, rcvd “q”: contains 1 or 0 elements [assumption – one message at a time…] “Enq”: in one-element queue, can be identified with SendNewMsg (first time sending the message) “Deq”: in one-element queue, can be identified with RcvMsg (first time the message is received by the receiver) Init  [Next]vars obviously holds Need to prove: WFvars (Deq) assume fairness when the module is used; prove fairness when implementation is described

Reliable queue – correctness WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Need to restate in terms of our module ENABLED [Deq]  q    As seen in the lecture, q == if sBit  rBit then rq  sq else rq  tail (sq) In our case, rq = “rcvd”, sq = “sent” (1-element or empty queues) q      dData [(sBit  rBit  sent=d)  rcvd=d ]  ENABLED [Deq] = ( dData [(sBit  rBit  sent=d)  rcvd=d]) Meaning of the property to prove: if we try to send a message (sent = d), it will eventually be received (written to rcvd) If we want to send more than one message, we can perform the AB-protocol for each of the messages we want to send…

Reliable queue – correctness (2) to prove WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Deqvar  RcvMsgabvar   (msgQ’ = Tail(msgQ)  rBit’ = Head(msgQ)[1]  rcvd’ = Head(msgQ)[2]  UNCHANGED <ackQ, sBit, sAck, sent>) Need to prove: ( dData [(sBit  rBit  sent=d)  rcvd=d ]) ⇒  (msgQ’ = Tail(msgQ)  rBit’ = Head(msgQ)[1] That is: [(sBit  rBit  sent=d)] ⇒  (msgQ’ =    rBit’ = sBit  rcvd’ = d  UNCHANGED <…>) Use: actions definitions; fairness properties Exists a tool for automatic proofs … If (d=rcvd), no more proof needed: RcvMsg was done => ignore this part Head(msgQ) = <sBit, d> Tail(msgQ) =   WFabvar(ReSendMsg), SFabvar(RcvMsg)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.