CIS 725 Guarded Command Notation

Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean condition + receive statement

Normal form init; do en(a 1 )  a 1 [] en(a 2 )  a 2 : od

The execution of each iteration proceeds as follows: - All guards are first evaluated. - Among all of the true guards, one of them is selected non-deterministically, and the corresponding action is executed. Weak Fairness: If a guard is true and remains true, then it is eventually selected for execution

Token-based system P1: hold1 = false; in_cs1 = false do ? token  hold1 = true [] hold1 /\ not in_cs1  !token; hold1 =false [] hold1  in_cs1 = true [] in_cs1  in_cs1 = false od

Request-based system P1: hold = false; in_cs = false; req_sent = false; req_recd = false do ? token  hold = true [] hold /\ not in_cs /\ req_recd  ! token; hold =false; req_recd = false [] hold /\ not in_cs  in_cs = true [] in_cs  in_cs = false [] not hold  !req; req_sent = true [] ? req  req_recd = true od

Example 2 Three processes A, B and C In each iteration, C sends message for a meeting. A and B non-deterministically send a “yes” or a “no” message If C receives yes from both, it sends a meet message to A and B If C receives a no from anyone, it sends an cancel message to A and B. After sending meet/cancel message, C can send a message for a meeting again.

Example 2 C: recdA = false; recdB = false; next_round = true; start = false; do [] next_round  A ! meeting; B ! meeting; next_round = false [] A ? x  recdA = true [] B ? y  recdB = true [] recdA /\ recdB  if x = yes and y = yes then A ! meet; B ! meet; start = true; else A ! cancel; B ! cancel; recdA = false; recdB = false; next_round = true; [] start  A ! meeting_done; B ! meeting_done; next_round = true; start = false od

Example 2 A: waiting = false do [] ! waiting; C ? meeting  C ! yes; waiting = true [] ! waiting; C ? meeting  C ! no; waiting = true [] waiting; C ? meet  start = true; [] waiting; C ? Cancel  waiting = false [] C ? meeting_done  waiting = false od

Example 2 - Modified A: waiting = false do [] ! waiting; C ? meeting  C ! yes; waiting = true [] ! waiting; C ? meeting  C ! no; waiting = false [] waiting; C ? meet  start = true; [] waiting; C ? Cancel  waiting = false [] C ? meeting_done  waiting = false od

Example 2: Modified C: recdA = false; recdB = false; next_round = true; start = true; do [] next_round  A ! meeting; B ! meeting; next_round = false [] A ? x  recdA = true; if x == no then A ! cancel; B ! cancel; next_round = true; recdA = false [] B ? y  recdB = true; if y == no then A ! cancel; B ! cancel; next_round = true; recdB = false [] recdA /\ recdB  if x = yes and y = yes then A ! meet; B ! meet; start = true; else A ! cancel; B ! cancel; recdA = false; recdB = false; next_round = true; [] start  A ! meeting_done; B ! meeting_done; next_round = true; start = false od

Example 2: Modified C: recdA = 0; recdB = 0; next_round = true; round = 0; start = true; do [] next_round  A ! meeting; B ! meeting; next_round = false [] recA = round /\ A ? x  recdA++; if x == no then B ! cancel; next_round = true; round++ [] recdA < round /\ A ? x  recdA++; [] recdB = round /\ B ? y  recdB++; if y == no then A ! cancel; next_round = true; round++ [] recdB < round /\ B ? x  recdB++; [] recdA /\ recdB  A ! meet; B ! meet; start = true; [] start  A ! meeting_done; B ! meeting_done; next_round = true; start = false; round++ od

Promela Protocol Meta Language Modeling language Verification of the model

Example 1 int state = 1 proctype A() { state == 1  state = state + 1 } proctype B() { state == 1  state = state – 1 } init { run A(); run B() }

Example 2 chan a,b = [3] of {int} proctype A() { int x; x = 1; a ! x; b ? x } proctype B() { int y; a ? y; b ! y + 1} init { run A(); B() }

do :: a > b; x = x + 1 :: a < b; x = x - 1 :: timeout  go to done od; done: y = y + 1

Data types int, bool, bytes, arrays Conditions: a == b, a < b, a <= b, ….. atomic statement atomic { a; b }

Control statements if :: a != b  x = x + 1 :: a == b  x = x - 1 fi if :: a > b; x = x + 1 :: a < b; x = x - 1 :: else x = l fi

do :: a > b; x = x + 1 :: a < b; x = x - 1 :: timeout  go to done od; done: y = y + 1

proctype P1() { int hold, incs; hold = 1; incs = 0; do :: (hold == 1) && incs==0  ch0!token; hold = 0 :: ch1 ? token  hold = 1 :: hold == 1& incs == 0  incs = 1 :: incs == 1  incs = 0 od } init { run P1(); run P2() }

#define token 1 chan ch[2] of {int, int}; proctype P1(int id, int holdvalue) { int myid, other; hold = holdvalue; incs = 0; myid = id; other = (myid + 1) % 2; do :: (hold == 1) && incs==0  ch[myid]!token; hold = 0 :: ch[other] ? Token  hold = 1 :: hold == 1& incs == 0  incs = 1 :: incs == 1  incs = 0 od }

init { run P(0,0), P(1,1) }