Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
Possible World Semantics for Modal Logic
Partial Order Reduction: Main Idea
Models of Concurrency Manna, Pnueli.
Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Vered Gafni – Formal Development of Real Time Systems 1 Statecharts Semantics.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Process Synchronization Continued 7.2 The Critical-Section Problem.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.
Logic Concepts Lecture Module 11.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Ordering and Consistent Cuts Presented By Biswanath Panda.
Discrete Mathematics Lecture 4 Harper Langston New York University.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Describing Syntax and Semantics
Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
A Brief Summary for Exam 1 Subject Topics Propositional Logic (sections 1.1, 1.2) –Propositions Statement, Truth value, Proposition, Propositional symbol,
MATH 224 – Discrete Mathematics
Concurrency, Mutual Exclusion and Synchronization.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
CSI 3125, Axiomatic Semantics, page 1 Axiomatic semantics The assignment statement Statement composition The "if-then-else" statement The "while" statement.
Boolean Algebra and Computer Logic Mathematical Structures for Computer Science Chapter 7.1 – 7.2 Copyright © 2006 W.H. Freeman & Co.MSCS Slides Boolean.
CS6133 Software Specification and Verification
Pattern-directed inference systems
The Complexity of Distributed Algorithms. Common measures Space complexity How much space is needed per process to run an algorithm? (measured in terms.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Copyright © Cengage Learning. All rights reserved.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Program correctness The State-transition model A global states S  s 0 x s 1 x … x s m {s k = set of local states of process k} S0  S1  S2  Each state.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Defining Liveness by Bowen Alpern and Fred B. Schneider Presented by Joe Melnyk.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Hwajung Lee. Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA,
Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,
CIS 720 Lecture 5. Techniques to avoid interference Disjoint variables –If the write set of each process is disjoint from the read and write set of other.
Fault tolerance and related issues in distributed computing Shmuel Zaks GSSI - Feb
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
1 Chapter 11 Global Properties (Distributed Termination)
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
Agenda  Quick Review  Finish Introduction  Java Threads.
Semaphores Chapter 6. Semaphores are a simple, but successful and widely used, construct.
Introduction to distributed systems description relation to practice variables and communication primitives instructions states, actions and programs synchrony.
Chapter 1 Logic and proofs
Model and complexity Many measures Space complexity Time complexity
Atomicity, Non-determinism, Fairness
Axiomatic semantics Points to discuss: The assignment statement
Programming Languages and Compilers (CS 421)
ITEC452 Distributed Computing Lecture 5 Program Correctness
A Brief Summary for Exam 1
Semaphores Chapter 6.
Concurrency: Mutual Exclusion and Process Synchronization
CIS 720 Lecture 5.
Program correctness Axiomatic semantics
CIS 720 Lecture 5.
COP4020 Programming Languages
Presentation transcript:

Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013

Lecture outline Goal A simple model of concurrent programs Introduction to Temporal logic Examples A proof system The temporal semantics of programs Summary Questions

The notation Giuseppe Peano - One of the founders of mathematical logic and set theory Originally wrote for p is a consequence of q Backwards: q is a consequence of p denotes

Goal Our goal is: given a program, assign a temporal formula which is true on all proper execution sequences of To prove that a program possess a property one have to prove the implication

A simple model of concurrent programs A concurrent program consists of disjoint processes Which execute concurrently on processors Under shared memory And a set of initial conditions

A simple model of concurrent programs – a single process Represented by a single entry transition graph A directed labeled graph The labels of process are denoted by Edges are labels by commands of the form is a condition, if is missing we interpret it as true called a guard May be true is a statement which may be an assignment is the vector of the program variables may be empty

Process graph - Example Critical Section 1 Critical Section 2

A simple model of concurrent programs Consider any program which may be run in parallel with another and contains: 1. tests 2. Unconditional transfers (go to’s) 3. assignments statements In the graph model: there will be a node for each statement representing the state just before the execution of this statement

A simple model of concurrent programs Corresponding to each statement which is the successor of this statement i.e. may be reached by the execution of the statement We draw an edge from the statement node to its successor The label of this edge depends on the type of the statement

A simple model of concurrent programs - tests Case 1: test statements For statements of the form :

A simple model of concurrent programs – unconditional transfers Case 2: go to’s For statements of the form :

A simple model of concurrent programs - assignments Case 3: assignment For statements of the form : Explanation with the example : Where are auxiliary variables local to

A simple model of concurrent programs - synchronization primitives Examples of synchronization primitives: is represented as With a corresponding at the end of the block

A simple model of concurrent programs – a single process A state is a pair is a vector of labels is a set of values currently assigned to the program variables

Execution sequences (informally) An execution sequence for a program is any sequence satisfying the following conditions : 1. The initial state is “correct” 2. Satisfies the Multiprogramming assumption One processor does one step and updates the values of the variables accordingly 3. Satisfies the Fair scheduling assumption If you can exit a node infinitely many times then you will be able to do so

Execution sequences An execution sequence for a program is any sequence satisfying the following conditions : 1. The initial state is where are the entry labels and are the initial values of the y’s 2. Multiprogramming assumption: A successive state is obtained from its predecessor by exactly one processor executing one transition which is enabled.

Multiprogramming assumption If the processor i contains an edge from the node to the node which is labeled by and is true, then is a possible successor of We allow idling - Every command is considered atomic ……

Fair scheduling assumption – denotes the exit condition of a node of process E is the disjunction ( ) of all guards on all edges departing from What is in most of the cases ?

Fair scheduling assumption A sequence is fair if whenever processor is stuck at then is true only at a finite number of states thereafter negatively: no processor whose exit condition is true infinitely often may be deprived forever

Fair scheduling assumption How does the statements on the edges affect the exit condition ? Assignments, tests, go to’s –the exit condition is identically true! For the statements of the other type (with synchronization) - the exit condition can be NOT identically true!

Fair scheduling assumption An important note: it is NOT sufficient to require that the processor will eventually be scheduled it might always get scheduled when the condition is false and no transition is possible We will need to express the stronger condition that it will eventually be scheduled when the exit condition is true

Temporal logic Used to describe a system of rules for reasoning about propositions qualified in terms of time Something always occurs Something occurs now Something will occur eventually etc.

Reasoning about sequences We will talk about an integer like time We will reason about execution sequences which are deterministic Each state having exactly one successor Although that the program generating them is non- deterministic

Temporal operators X – the proposition is true in the neXt instant F – the proposition will be true in the Future existential truth G – the proposition will always be true in the future universal truth Stands for Globally

Temporal operators neXt: Future: Globally

Temporal operators

Validity of a temporal formula on a sequence Denote and

Validity of a temporal formula on a sequence A formula W is valid if for all sequences Example Some expressions:

Examples of expressing properties with Temporal formulas Recall: A state is a pair is a vector of labels In our formulas: If then the proposition will be true in a state if We start off with properties which can be expressed as formulas of the form where contains no temporal operators Those are Invariance properties

Partial correctness Consider a single sequential program Entry Exit is a formula specifying the correctness of the program That is: is to hold on termination Partial correctness can be stated as What does this formula does NOT guarantee us ? We can also add an input restriction

Clean behavior For every instruction we can write a condition which ensure a lawful termination of the instruction Examples: If the instruction contains division - we include a claim that the divisor does not equal to zero If the instruction contains array reference - we include a claim that the subscript expression is within the array bounds - The legality condition for the statement departing from Clean behavior can be stated as

Mutual Exclusion Assume contain a critical section For simplicity assume they consists of the single nodes To claim that the critical sections are never simultaneously accessed we write

Deadlock Freedom Deadlock – all processors are locked and none can move In our model – we can only get stuck in a node if the exit condition is not identically true Let be any set of nodes with exit conditions none of which is identically true The statement that deadlock never occurs at can be stated as What can we do to exclude deadlock (not only for a given set of nodes) ?

Temporal formulas: Now A bit more complicated ones We now advance to a class of properties which require a more complicated expressions Expressible by expressions of the types:

Total correctness Same setting as the partial correctness: a single sequential program Entry Exit is a formula specifying the correctness of the program That is: is to hold on termination expresses the initial input restrictions Total correctness with respect to can be expressed as Compare it to partial correctness:

Accessibility In the context of critical sections Expressing that if a process wishes to enter its critical section he will be granted permission to do so m – a location (node) just before the entrance to the critical section Of a process showing its wish to enter the critical section m’ – a location inside the critical section The property of accessibility is

Responsiveness Suppose we receives requests from many external agents For example: A Client-Server model A request from agent i is signaled by a variable tuning true The program deals with the request (for example it allocates the resource) and signals that the request to agent i has been granted by setting a variable to true Responsiveness can be expressed as

Coming up: A proof system! We saw that the Temporal Logic language is useful for expressing and formulating interesting properties We now present an axiomatic system in which we can prove these properties

The system DX - Axioms Axioms:

The system DX – Inference rules Inference rules: R1: (TAU) if is an instance of a classical tautology then R2: (MP) If and then R3: (GEN) If then

The temporal semantics of programs Consider a node in any of the processes The exit condition:

Clauses definitions (1) For a node we define :

Clauses definitions (2) Fair scheduling: Exit node – a node with no outgoing transitions If is an exit node then, by definition, and is identically true allowing execution of the relevant program to remain at the exit node

Notation For formulas : claims that exactly one of the is true, while the others are false

Clauses definitions (3) Consider process with label set : Recall: The expression expresses the situation that process is active That is: some transition in it is taking place

Clauses definitions (4-6) The expression Expresses the situation that process is idle Now define

Clauses definitions (7) Consider now a complete program Define first

Defining W(P) Assume that the initial labels in all programs are And that the initial values of the variables are

Defining W(P) The formula expressing the semantics of the program is:

Defining W(P) The formula expressing the semantics of the program is: - is active - if all processes are idle then the values of the variables remain

Defining W(P) The formula expressing the semantics of the program is: - is active - if all processes are idle then the values of the variables remain - Fair scheduling -Exactly one location proposition is true at any

A note about idling Our semantics allows instants of complete inaction or idling. Why ?

A note about idling Our semantics allows instants of complete inaction or idling. Why ? necessary in order to accommodate terminating programs and incorrect programs which may inadvertently lead to deadlocks Even though a program is incorrect it should still have some execution sequences However, the fair scheduling clause will prevent endless idling while there is still some possible action in one of the processes

Proving Accessibility We wish to prove that when gets to it will eventually arrive at It suffices to prove we never get stuck at That is: Proving We assume And get a contradiction to Critical Section 1 Critical Section 2

Proving Accessibility Critical Section 1 Critical Section 2

Summary Today we saw: A model of concurrent programs Temporal logic – which provided us a language for expressing temporal claims A proof system - which provided us a way of proving properties about concurrent programs

Questions ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.