Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Specifications for Complex Systems (236368) Tutorial #10

Published byVeronica Gordon Modified over 6 years ago

Similar presentations

Presentation on theme: "Formal Specifications for Complex Systems (236368) Tutorial #10"— Presentation transcript:

1 Formal Specifications for Complex Systems (236368) Tutorial #10
TLA – Temporal Logic of Actions

2 Lossy Channel Example FIFO queue for transmission of messages from Sender to Reciever We have only lossy queues Goal: build a reliable queue using lossy ones Idea: use alternating bit protocol to ensure the messages are still delivered Assumption: there is only one message at a time we try to deliver (i.e., no “messages to be sent” queue) Can be extended to the case with messages queue (used as a module in the solution)

3 Alternating Bit Protocol
reliable queue lossy queue SEND RCV lossy queue

4 no message will be sent till there is some new message
AB-protocol contd. How to pass a value “d”? Initiate sBit = rBit = b; sent = “d” Sender sBit:= “!b” keeps sending “<!b,d>” on msgQ Receiver keeps sending “b” on ackQ When receiver gets “<!b,d>” on msgQ : !b  rBit => it’s a new value rcvd:=“d” rBit := !b Receiver starts sending “!b” on ackQ Eventually, Sender gets “!b” on ackQ !b = sBit => the message has been transmitted If there is a new message to transmit, “e”, sender will start sending <b, e> on msgQ (and make sBit:= “b”) no message will be sent till there is some new message

5 AB-protocol TLA specification (1)
TLA specification consists of: Declarations part variables, constants, modules used Initiation conditions on initial states Actions description: Action  (Enabling conditions  Changes to the state  Unchanged part of the state) Example-specific definitions (macros) Requirements Temporal logic formulas; including Fairness

6 AB-protocol TLA specification (2)
data values that can be sent. MODULE AlternatingBit Extends Naturals, Sequences Constants Data Variables ABInit 

7 AB-protocol TLA specification (3)
//communication on the msg channel: SendNewValue(d)  ReSendMsg  RcvMsg 

8 AB-protocol TLA specification (4)
//communication on the “ack” channel : SendAck  RcvAck  //specification of msgQ and ackQ as lossy queues LoseMsg  Lose(msgQ)  UNCHANGED ackQ LoseMsg  Lose(ackQ)  UNCHANGED msgQ //”macros” ABNext    dData: SendNewValue(d)  ReSendMsg  RcvMsg  SndAck  RcvAck  LoseMsg  LoseAck abvars  <msgQ, ackQ, sBit, sAck, rBit, sent, rcvd> Lose(q) – action of losing message from queue q; leaves unchanged sBit, sAck, rBit, sent, rcvd

9 AB-protocol TLA specification (5)
//Requirements: //liveness condition: ABFairness   WFabvars(ReSendMsg)  WFabvars(SndAck)  SFabvars(RcvMsg)  SFabvars(RcvAck) //complete specification: ABSpec  ABInit  ⃞[ABNext]abvars  ABFairness

10 different from the lecture…
Reliable queue different from the lecture… Goal (reminder): build a reliable queue of one element Need to show: the module we specified provides the functionality of a reliable queue Reliable queue requirements – reminder: Init  [Next]vars  WFvars (Deq) Init  (q =    in = NoMsg  out = NoMsg) vars   in, out, q  Next  Enq  Deq WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Does AB-Module specification imply the requirements? “in”, “out” : in one-element queue, can be identified with sent, rcvd “q”: contains 1 or 0 elements [assumption – one message at a time…] “Enq”: in one-element queue, can be identified with SendNewMsg (first time sending the message) “Deq”: in one-element queue, can be identified with RcvMsg (first time the message is received by the receiver) Init  [Next]vars obviously holds Need to prove: WFvars (Deq) assume fairness when the module is used; prove fairness when implementation is described

11 Reliable queue – correctness
WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Need to restate in terms of our module ENABLED [Deq]  q    As seen in the lecture, q == if sBit  rBit then rq  sq else rq  tail (sq) In our case, rq = “rcvd”, sq = “sent” (1-element or empty queues) q      dData [(sBit  rBit  sent=d)  rcvd=d ]  ENABLED [Deq] = ( dData [(sBit  rBit  sent=d)  rcvd=d]) Meaning of the property to prove: if we try to send a message (sent = d), it will eventually be received (written to rcvd) If we want to send more than one message, we can perform the AB-protocol for each of the messages we want to send…

12 Reliable queue – correctness (2)
to prove WFvars (Deq)  ( ENABLED [Deq] => Deqvar) Deqvar  RcvMsgabvar   (msgQ’ = Tail(msgQ)  rBit’ = Head(msgQ)[1]  rcvd’ = Head(msgQ)[2]  UNCHANGED <ackQ, sBit, sAck, sent>) Need to prove: ( dData [(sBit  rBit  sent=d)  rcvd=d ]) ⇒  (msgQ’ = Tail(msgQ)  rBit’ = Head(msgQ)[1] That is: [(sBit  rBit  sent=d)] ⇒  (msgQ’ =    rBit’ = sBit  rcvd’ = d  UNCHANGED <…>) Use: actions definitions; fairness properties Exists a tool for automatic proofs … If (d=rcvd), no more proof needed: RcvMsg was done => ignore this part Head(msgQ) = <sBit, d> Tail(msgQ) =   WFabvar(ReSendMsg), SFabvar(RcvMsg)

Download ppt "Formal Specifications for Complex Systems (236368) Tutorial #10"

Similar presentations

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.

DISTRIBUTED SYSTEMS II FAULT-TOLERANT BROADCAST Prof Philippas Tsigas Distributed Computing and Systems Research Group.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 6 Instructor: Haifeng YU.

CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 6 Instructor: Haifeng YU.
CIS 725 Data Link Layer. Physical Layer Figure 3-1 B. Forouzan, TCP/IP Protocol Suite.

CIS 725 Data Link Layer. Physical Layer Figure 3-1 B. Forouzan, TCP/IP Protocol Suite.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Ordering and Consistent Cuts Presented By Biswanath Panda.

Ordering and Consistent Cuts Presented By Biswanath Panda.
© Katz, Spring 2007 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Shmuel.

© Katz, Spring 2007 CS Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS Shmuel.
Aspect-Oriented Software Development (AOSD) Tutorial #10 Interference among Aspects.

Aspect-Oriented Software Development (AOSD) Tutorial #10 Interference among Aspects.
© Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport (cont.): A Lossy Queue Exactly like a regular one, but with one more allowed.

© Katz, Spring 2004 CS Formal SpecificationsLecture-- Lamport 1 Lamport (cont.): A Lossy Queue Exactly like a regular one, but with one more allowed.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Temporal Logic of Actions (TLA) Leslie Lamport

Temporal Logic of Actions (TLA) Leslie Lamport
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.

Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
Lecture 13 Synchronization (cont). EECE 411: Design of Distributed Software Applications Logistics Last quiz Max: 69 / Median: 52 / Min: 24 In a box outside.

Lecture 13 Synchronization (cont). EECE 411: Design of Distributed Software Applications Logistics Last quiz Max: 69 / Median: 52 / Min: 24 In a box outside.
Aran Bergman, Principles of Reliable Distributed Systems, Technion EE, Spring 2004 1 Principles of Reliable Distributed Systems Recitation 5: Reliable.

Aran Bergman, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Recitation 5: Reliable.
Exam Like Problems. Problem 1 You are given a software module which implements consensus between a static group of servers in an unreliable network. The.

Exam Like Problems. Problem 1 You are given a software module which implements consensus between a static group of servers in an unreliable network. The.
Systems of Distributed systems Module 2 - Distributed algorithms Teaching unit 2 – Properties of distributed algorithms Ernesto Damiani University of Bozen.

Systems of Distributed systems Module 2 - Distributed algorithms Teaching unit 2 – Properties of distributed algorithms Ernesto Damiani University of Bozen.
Lecture 12 Synchronization. EECE 411: Design of Distributed Software Applications Summary so far … A distributed system is: a collection of independent.

Lecture 12 Synchronization. EECE 411: Design of Distributed Software Applications Summary so far … A distributed system is: a collection of independent.
Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.

Time, Clocks, and the Ordering of Events in a Distributed System Leslie Lamport (1978) Presented by: Yoav Kantor.

Similar presentations

Ads by Google