Download presentation
Presentation is loading. Please wait.
1
Dr. Eng Amr T. Abdel-Hamid
NETW 703 Network Protocols PROTOCOL CORECTNESS Dr. Eng Amr T. Abdel-Hamid Winter 2007 Based on Lectures notes from: * Dr. Igor Potapov, The University of Liverpool * Dr. Junzhao Sun, University of Oulu * Dr. Rachida Dssouli, Dr. Sofiene Tahar, and Dr. Ferhat Kendek Concordia University
2
What is a Concurrent Program?
A sequential program has a single thread of control. A concurrent program has multiple threads of control allowing it perform multiple computations in parallel and to control multiple external activities which occur at the same time. 2/43
3
Is Concurrent Programming Great?
Concurrency is widespread but ERROR PORNE. Therac - 25 computerized radiation therapy machine Concurrent programming errors contributed to accidents causing deaths and serious injuries. Mars Rover Problems with interaction between concurrent tasks caused periodic software resets reducing availability for exploration. 3/43
4
Safety and Liveness properties
Safety (invariant) and Liveness properties Safety property (nothing bad will ever happen). simultaneous access will never be granted to both A and B. If false, can be detected by finite sequences. simultaneous Green light will never exist. Liveness property (something good will eventually happen). Green light will be turned on sometime in the future. 4/43
5
Correctness Properties of the Protocols
Liveness: Freedom from deadlocks Freedom of Starvation Boundedness Freedom from unspecified receptions Freedom from Non-executable States and Transitions Completeness Self-synchronization 5/43
6
Unspecified Reception
There exist a message in the queue, there exist a reception transition but the message in the queue is different from the message expected by the reception transition. The network can not progress further. 6/43
7
Non-executable States and Transitions
If the State will never be executed or become the current state. It is called non-executable state. If a transition will never be executed. It is called non-executable transitions. 7/43
8
Other Protocol Design Errors
Instability or state ambiguity: If an initial state of one protocol entity may coexist with different states of other cooperating entities. The result of such an error is the potential loss of synchronization between the cooperating entities. Unboundedness or overflow: If a protocol state can be reached such that the channel linking any pair of communicating protocol entities contains a number of messages exceeding the predefined capacity for that channel Self-synchronization or self-stabilizing: If a transient error arbitrarily changes the protocol state, a self-stabilizing protocol always returns to a desirable state within a finite number of transitions, and resumes normal operation. 8/43
9
Protocol Design Errors – Deadlock
Both machines are at receiving states and channels are empty. The network can not progress further Receiving state is a state where all its outgoing transition are all receiving transition. It can not move without msg in its incoming channel Livelock (hard to extract) A system is in the livelock (dynamic deadlock) if the processes are exchanging messages that are not useful for providing the service and so not making "effective progress". 9/43
10
Deadlock 10/43
11
Dining Philosophers Five philosophers sit around a circular table. Each philosopher spends his life alternately thinking and eating. In the centre of the table is a large bowl of spaghetti. A philosopher needs two forks to eat a helping of spaghetti. 1 2 3 4 One fork is placed between each pair of philosophers and they agree that each will only use the fork to his immediate right and left. 11/43
12
Dining Philosophers 12/43
13
Dining Philosophers 13/43
14
Philosopher’s lifecycle
A thinking philosopher has no forks. Who needs a fork to think? A thinking philosopher may become hungry (after time t). A hungry philosopher tries to grab the fork to the left and thus becomes hungry philosopher with a left fork. But one fork is not enough: a philosopher starts eating only upon obtaining both forks. The fork to right can be obtained only if it is not being used. After Eating: back to thinking after putting down both forks. 14/43
15
A philosopher's lifecycle
Time t1 Thinking Hungry Left Fork Time t2 Eating HungryWithLeftFork Right Fork 15/43
16
This can lead to deadlock.
Greedy Philosophers A greedy philosopher never puts down a fork until (s)he has eaten and starts thinking. This can lead to deadlock. 16/43
17
Generous Philosophers
A generous philosopher does not insist on following a successful philosophical life. After picking up the left fork, but finding that the right fork is not available, a generous philosopher drops the left fork and goes back to think some more. So if all philosophers are generous, then there is no deadlock. 17/43
18
A Generous philosopher's lifecycle
Time t1 Thinking Hungry No Right Fork Left Fork Time t2 Eating HungryWithLeftFork Right Fork Starvation is possible. 18/43
19
Dijkstra's Solution One solution is to order the forks and require the philosophers to pick up the forks in increasing order. label the philosophers P1, P2, P3, P4, and P5 label the forks F1, F2, F3, F4, and F5. Each philosopher must pick up forks in a prescribed order and cannot pick up a fork another philosopher already has. Upon acquiring two forks, a philosopher may eat. Philosophers P1 through P4 follow the rule that Px must pick up fork Fx first and then may pick up fork Fx+1. Philosopher P5 follows a slightly different rule, picking up fork F1 before picking up fork F5. If P5 followed the same rule as the others, F5 would come before F1. This change in behavior for P5 creates an asymmetry that prevents deadlock. 19/43
20
Dijkstra's philosopher's lifecycle
Thinking Hungry HungryWithLeftFork Eating Time t1 Left Fork Right Fork Time t2 Thinking Hungry HungryWithLeftFork Eating Time t1 Left Fork Right Fork Time t2 Thinking Hungry HungryWithLeftFork Eating Time t1 Left Fork Right Fork Time t2 Thinking Hungry HungryWithLeftFork Eating Time t1 Left Fork Right Fork Time t2 20/43
21
A 5th philosopher's lifecycle
Time t1 Thinking Hungry Right Fork Time t2 Eating HungryWithLeftFork Left Fork 21/43
22
Reachability Analysis
Reachability Analysis is a global state exploration process that Starts from the initial global state, and recursively explores all possible transitions that lead to new global states The result is a reachability graph, which captures all possible states A global state <S,C> is said to be reachable from the initial global state <S0,C0>, denoted <S0,C0> =>*<S,C>, IFF (if and only if): There exists an execution path consisting of the interleaving of message receptions and transmissions that takes the system of communicating processes from the initial global state <S0,C0> to <S,C> 22/43
23
Global State In CFSMs A global state of a system, is a pair of <S,C>, where S=(s1,s2,…sn), si – current states of processes Pi, C=> current contents of the channels cij linking the processes Pi and Pj A global state is a snapshot of the overall system state The initial global state composition is a pair <S,C> in which Each si of S is the initial states in its respective processes Pi All channels are empty, i.e. cij = 23/43
24
Reachability Graph (Tree)
Nodes represents regular global states Directed arc, connecting two nodes or states <S1,C1> and <S2,C2>, corresponds to a transition in one of the communicating processes Root of the Tree corresponds to the initial state <S0,C0> A path in the Tree corresponds to an execution sequence of the interleaved receptions and transmissions, and it represents the reachability of the last state in the path from the initial state of the path The expansion of the tree from a particular node stops if one of the following conditions is satisfied: the node already exist in the tree the node correspond to a deadlock state an unspecified reception error is detected at the node the node corresponds to a final state 24/43
25
Global State In CFSMs The next global state is obtained as: <S,C>=><S’,C’>, if there exit a transition that can be executed. Two cases are possible: There exist a transition for a process where the message x can be sent, There exist a reception transition of a message x for a process and a message x is in the input queue of a process 25/43
26
Reachability Analysis Process
Starting from initial global state, where channels are empty and machines at their initial states Explore all possible reachable state by firing all the possible transitions (and generating global states) from any given reachable state. All deadlock and unspecified reception errors will be captured and marked as individual global state By examining the number of messages in the channels we can design the buffer size for the protocol Can detect non-executable states and transitions by marking those states that are touched and transitions that are fired during the reachability analysis 26/43
27
Reachability Analysis Example 1
27/43
28
Reachability Analysis Example 2
28/43
29
Example 3 Perform the reachability analysis on the Network (M, N)
What sizes of buffers are needed for the two FIFO channels? Are there non-executable states or transitions? N M 1 1 +A +A -A -A -R -R +R +R 2 3 2 3 29/43
30
Example 3 Solution “Machine:” is used to specify which machine fires the transition One unspecified reception (see gs4) Both channels need buffer size of 2 (see gs8 and gs9) No non-executable states and transitions 30/43
31
Reachability Analysis
Advantages: Easily automated Many logical errors can be detected by only examining individual global states in the reachability graph Disadvantages: State space explosion problem Does not work on unbounded protocols Many relationships among the protocol state variables, expressing the desirable logical correctness properties of the protocol are not apparent from simply traversing the reachability graph 31/43
32
Other Techniques Full search is simplest but for small class of protocols Controlled partial search tries to optimize the quality of analysis Depth-bounds, place a bound on the length of the execution sequences Scatter searches, executions are selected that lead closer to potential deadlock states Guided searches, a dynamically evaluated cost function as state selection criterion Probabilistic searches, successor states are explored in decreasing order of their probability of occurrence Partial orders, based on the definition of a heuristic for fair or maximum progress state exploration Random simulation is for systems of even complexity Explore the state space with a random simulation or “random walk” 32/43
33
Petri Nets Testing Reachability
“Can we reach one particular state from another?” Boundedness “Will a storage place overflow?” Liveness “Will the system die in a particular state?” 33/43
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.