Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Concurrent Systems – An Example: Mutual Exclusion

Published byYuliani Gunardi Modified over 6 years ago

Similar presentations

Presentation on theme: "Model Checking Concurrent Systems – An Example: Mutual Exclusion"— Presentation transcript:

1 Model Checking Concurrent Systems – An Example: Mutual Exclusion
Wenhui Zhang

2 Contents Mutual Exclusion Model Checking Summary

3 Contents Mutual Exclusion Model Checking Summary

4 Example: Mutual Exclusion
Process A Process B Non-Critical Region Non-Critical Region Critical Region Critical Region 4

5 Example: Mutual Exclusion
Process A Process B Non-Critical Region Non-Critical Region Request for Entering Request for Entering Wait Wait Check for Entering Check for Entering Critical Region Critical Region Exit Exit 5

6 Design of Mutual Exclusion (Activity)
initialization work in NCR work in NCR request request wait wait [else] [else] [condition 1] [condition 2] work in CR work in CR exit exit 6

7 Design of Mutual Exclusion
Purpose: ensure that not both processes are working in the critical region (CR) Mechanism: use shared variables y=1: the first process is applying for entering CR or it is in CR x=1: the second process is applying for entering CR or it is in CR t=(i-1): the i-th process has priority for entering CR

8 Design of Mutual Exclusion (State)
initialization x:=0;y:=0 work in NCR work in NCR y:=1;t:=1 x:=1;t:=0 wait wait [x=1 and t=1] [y=1 and t=0] [x=0 or t=0] [y=0 or t=1] work in CR work in CR y:=0 x:=0 8

9 Design of Mutual Exclusion (State)
initialization x:=0;y:=0 Process A Process B work in NCR work in NCR y:=1;t:=1 x:=1;t:=0 wait wait [x=1 and t=1] [y=1 and t=0] [x=0 or t=0] [y=0 or t=1] work in CR work in CR y:=0 x:=0 9

10 Correctness of the Design
How do we know that the design is correct?

11 Combined States of the Two Processes
Process A Process B Remark NCR wait CR Bad state

12 Correctness of the Design
How do we know that the design is correct? We have to be sure that the bad state is not reachable in all possible executions of the algorithm We may use state exploration (model checking) techniques or deductive proof methods

13 Process States and Variable States
Process A Process B x y t NCR 1 wait CR (a,b,x,y,t)

14 The Set of States: S {(a,b,x,y,t) | a,b{NCR,wait,CR} and x,y,t{0,1}}

15 Transition Relation: R
(NCR,b,x,y,t)  (wait,b,x,1,1) (wait,b,0,y,t)  (CR,b,0,y,t) (wait,b,x,y,0)  (CR,b,x,y,0) (wait,b,1,y,1)  (wait,b,1,y,1) (CR,b,x,y,t)  (NCR,b,x,0,t) (a,NCR,x,y,t)  (a,wait,1,y,0) (a,wait,x,1,t)  (a,CR,x,1,t) (a,wait,x,y,1)  (a,CR,x,y,1) (a,wait,x,1,0)  (a,wait,x,1,0) (a,CR,x,y,t)  (a,NCR,0,y,t)

16 The Set of Initial States: I
{ (NCR,NCR,0,0,0), (NCR,NCR,0,0,1) }

17 Fairness F={ ((x=0t=0)a=wait), ((y=0t=1)b=wait), }

18 Safety Property  = (a=CRb=CR) Is  a safety property?

19 Expectancy Property  = (a=CRb=CR) Is  an expectancy property?

20 Contents Mutual Exclusion Model Checking Summary

21 Modeling and Model Checking
Model Checking with VERDS Input to VERDS VVM (VERDS verification model) Modeling Language VML (VERDS modeling langauge)

22 State Transition Model
Variables: SA: {NCR,wait,CR} SB: {NCR,wait,CR} x: {0,1} y: {0,1} t: {0,1} NCR NCR y=1,t=1 x=1,t=0 wait wait x==0||t==0 y==0||t==1 Initial States SA=NCR SB=NCR x=0 y=0 yes yes no no CR CR y=0 x=0 22

23 Without Fairness Specifications

24 Modeling in VML Safety: Mutual exclusion
VVM VAR x: 0..1; y: 0..1; t: 0..1; INIT x=0; y=0; PROC p0: p0m(); p1: p1m(); SPEC AG(!(p0.a=c0&p1.b=c0)); Safety: Mutual exclusion

25 Modeling in VML MODULE p0m() MODULE p1m() VAR VAR b: {n0,w0,c0};
a: {n0,w0,c0}; INIT a=n0; TRANS a=n0: (y,t,a):=(1,1,w0); a=w0&(x=0|t=0): (a):=(c0); a=w0&!(x=0|t=0): (a):=(w0); a=c0: (y,a):=(0,n0); MODULE p1m() VAR b: {n0,w0,c0}; INIT b=n0; TRANS b=n0: (x,t,b):=(1,0,w0); b=w0&(y=0|t=1): (b):=(c0); b=w0&!(y=0|t=1): (b):=(w0); b=c0: (x,b):=(0,n0);

26 The Complete Model in VML
VVM VAR x: 0..1; y: 0..1; t: 0..1; INIT x=0; y=0; PROC p0: p0m(); p1: p1m(); SPEC AG(!(p0.a=c0&p1.b=c0));  MODULE p0m() VAR a: {n0,w0,c0}; INIT a=n0; TRANS a=n0: (y,t,a):=(1,1,w0); a=w0&(x=0|t=0): (a):=(c0); a=w0&!(x=0|t=0): (a):=(w0); a=c0: (y,a):=(0,n0); MODULE p1m() b: {n0,w0,c0}; b=n0; b=n0: (x,t,b):=(1,0,w0); b=w0&(y=0|t=1): (b):=(c0); b=w0&!(y=0|t=1): (b):=(w0); b=c0: (x,b):=(0,n0);

27 Verification with VERDS
../verds -ck 1 mutex3.vvm VERSION: verds JAN 2013 FILE: mutex3.vvm PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 )) bound = 1 time = time = 0 bound = 2 time = 0 . bound = 6 time = time = 0 CONCLUSION: TRUE (time=0)

28 Consider the Expectancy Property
VVM VAR x: 0..1; y: 0..1; t: 0..1; INIT x=0; y=0; PROC p0: p0m(); p1: p1m(); SPEC AG(!(p0.a=c0&p1.b=c0)); AF((p0.a=c0)|(p1.b=c0)); Expectancy: Working in critical region

29 Verification with VERDS
../verds -ck 2 mutex3.vvm VERSION: verds JAN 2013 FILE: mutex3.vvm PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 )) bound = 1 time = time = 1 bound = 2 time = 1 bound = 3 time = 1 bound = 4 time = 1 CONCLUSION: FALSE (time=1)

30 Checking the Model Process A Process B initialization x:=0;y:=0
work in NCR work in NCR y:=1;t:=1 x:=1;t:=0 wait wait [x=1 and t=1] [y=1 and t=0] [x=0 or t=0] [y=0 or t=1] work in CR work in CR y:=0 x:=0 30

31 With Fairness Specifications

32 Modified Model (with Fairness)
 MODULE p0m() VAR a: {n0,w0,c0}; INIT a=n0; TRANS a=n0: (y,t,a):=(1,1,w0); a=w0&(x=0|t=0): (a):=(c0); a=w0&!(x=0|t=0): (a):=(w0); a=c0: (y,a):=(0,n0); FAIRNESS !((x=0|t=0)&(a=w0)); MODULE p1m() VAR b: {n0,w0,c0}; INIT b=n0; TRANS b=n0: (x,t,b):=(1,0,w0); b=w0&(y=0|t=1): (b):=(c0); b=w0&!(y=0|t=1): (b):=(w0); b=c0: (x,b):=(0,n0); FAIRNESS !((y=0|t=1)&(b=w0));

33 Verification with VERDS
../verds -ck 1 mutex3a.vvm VERSION: verds JAN 2013 FILE: mutex3a.vvm PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 )) bound = 1 time = time = 0 bound = 2 time = 0 . bound = 17 time = 0 CONCLUSION: TRUE (time=0)

34 Verification with VERDS
../verds -ck 2 mutex3a.vvm VERSION: verds JAN 2013 FILE: mutex3a.vvm PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 )) bound = 1 time = time = 1 bound = 2 time = 1 . bound = 26 time = time = 1 CONCLUSION: TRUE (time=1)

35 Correctness of the Design
How do we know that the design is correct? We have to be sure that the bad state is not reachable in all possible executions of the algorithm We may apply the following techniques: Modeling (in a language with a formal semantics) Verification (by model checking) We have shown that the bad state is not reachable We have also shown an expectance property holds

36 Remarks on the Correctness
Only verified against the given properties: The safety property The expectancy property Rely on: The model The verification tool The fairness assumption as a part of the model, for the verification of the response property

37 Contents Mutual Exclusion Model Checking Summary

38 Questions?

Download ppt "Model Checking Concurrent Systems – An Example: Mutual Exclusion"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Operating Systems Part III: Process Management (Process Synchronization)

Operating Systems Part III: Process Management (Process Synchronization)
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
并发模型的验证 ( 例子 ). 2 互斥协议模型:示意图 x==0||t==0 t0 x=1,t=0 t1 t2 y==0||t==1 t3 x=0 s0 y=1,t=1 s1 s2 s3 y=0 初始状态 s0 t0 x=0 y=0 t=0.

并发模型的验证 ( 例子 ). 2 互斥协议模型:示意图 x==0||t==0 t0 x=1,t=0 t1 t2 y==0||t==1 t3 x=0 s0 y=1,t=1 s1 s2 s3 y=0 初始状态 s0 t0 x=0 y=0 t=0.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Process Synchronization Continued 7.2 The Critical-Section Problem.

Process Synchronization Continued 7.2 The Critical-Section Problem.
Concurrent Programming Problems OS Spring 2011. Concurrency pros and cons Concurrency is good for users –One of the reasons for multiprogramming Working.

Concurrent Programming Problems OS Spring Concurrency pros and cons Concurrency is good for users –One of the reasons for multiprogramming Working.
Previously… Processes –Process States –Context Switching –Process Queues Threads –Thread Mappings Scheduling –FCFS –SJF –Priority scheduling –Round Robin.

Previously… Processes –Process States –Context Switching –Process Queues Threads –Thread Mappings Scheduling –FCFS –SJF –Priority scheduling –Round Robin.
Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Multiprocessor Synchronization Algorithms (20225241) Lecturer: Danny Hendler The Mutual Exclusion problem.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Similar presentations

Ads by Google