Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Spring.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Spring."— Presentation transcript:

1 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Spring 2004 Shmuel Katz The Technion titleBoth on mastertitleBoth on master

2 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 2 Specifying Concurrent Modules Classic paper by Leslie Lamport, ACM TOPLAS, vol. 5, no. 2, 1983 Texual, parametric state machine Insight on overlapping, interference For concrete program unit, like Larch interface, but reactive assumes sequential data structures

3 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 3 Open versus Closed systems A Closed system has all components inside the specification, and a simple interface to an Environment An Open system has “unknown” assignments, messages, events at any time. Much harder to specify and show correct, but sometimes necessary. When do operations take effect?

4 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 4 Overlapping Can Be Tricky Initially x = 0 Execute x := x+1 in parallel with x:= x+2. What are the possible results? The answer can depend on what is considered ‘atomic’ Many systems today have multiple processes (sometimes with time sharing)

5 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 5 Shared Memory Concurrency Multiple processes that change the same variables (operate over the same state) Have to consider what happens DURING an implementation....input/output is not enough. New issues: > waiting, > deadlock, > mutual exclusion, > starvation

6 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 6 Basic set-up Have sets of atomic actions First part--for safety properties Later--temporal logic for liveness Get values of a state from State Functions, that take the state to a value. x:S --> V and at(c) are state functions. Since the domain is always the state, just write f:R where R is the range

7 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 7 Parts of a Spec. State functions f1: R1, f2: R2,... Initial conditions I1, I2,... Properties P1, P2,.... If the initial state satisfies the initial conditions, all subsequent states satisfy the properties Pi, when examined through the state functions f j. If Pi is a regular logic predicate, asserts that it is an invariant of the system.

8 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 8 Other ways of writing Pi A leaves unchanged f when Q >A: a set of actions >f: a state function >Q: a predicate >Means: if a is in A, and Q(s), s---> s’ then f(s ’) = f(s) TOP leaves unchanged stack >TOP is a set of actions, stack is a state function INREAR leaves unchanged front when ~empty

9 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 9 Allowed Changes allowed changes to g1 when Q1 g2 when Q2 A1: R1 --> S1..... Am: Rm --> Sm >gi: state functions, Qi: predicates >Ai: set of actions, Ri: predicate >Si: binary function on s, s’ pairs for any a taking s to s’, if Qi(s) and gi(s’) =/= gi(s), then for some j, a is in Aj, Rj(s), and Sj(s, s’ )

10 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 10 Allowed Changes (cont.) “If it changes, it does so in one of these ways....” Does not force change--for safety only Assume that the condition for activating is made false by the change, so we won ’t just keep repeating the same action. Use f and f’ instead of f(s) and f(s’) Assume gj’ = gj if gj’ is not in Si allowed changes to stack POP: | stack| > 0 --> stack = out’ stack’

11 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 11 Procedures and Parameter Passing Modules with procedures Can have several procedures active at once, but only one copy of each. Parameters are passed in a global variable (on purpose to show problems) SUB is in MOD, calls are from outside MOD SUB.PAR : state function for the parameter at(SUB) = control is at beginning of SUB after(SUB) = control just after last of SUB in(SUB) = control is in SUB (including at the beginning, but NOT the exit point

12 © Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 12 module SQ with sub SQUARE All of SUB with SQUARE substituted state function val: Integer at(SQUARE) ==> val = SQUARE.PAR after(SQUARE) ==> SQUARE.PAR = val unchanged val when in(SQUARE) (Above are safety properties only-- need separate guarantee of progress/ liveness)

Download ppt "© Katz, Spring 2004 CS236368 Formal SpecificationsLecture-- Lamport 1 Lamport ’s State Machines Formal Specifications of Complex Systems CS236368 Spring."

Similar presentations

Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
CS3771 Today: deadlock detection and election algorithms  Previous class Event ordering in distributed systems Various approaches for Mutual Exclusion.

CS3771 Today: deadlock detection and election algorithms  Previous class Event ordering in distributed systems Various approaches for Mutual Exclusion.
 Read about Therac-25 at  [http://www.ddj.com/cpp/184401630]http://www.ddj.com/cpp/184401630  [http://sunnyday.mit.edu/papers/therac.pdf]http://sunnyday.mit.edu/papers/therac.pdf.

 Read about Therac-25 at  [  [
Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CSC321 Concurrent Programming: §3 The Mutual Exclusion Problem 1 Section 3 The Mutual Exclusion Problem.

CSC321 Concurrent Programming: §3 The Mutual Exclusion Problem 1 Section 3 The Mutual Exclusion Problem.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
A Simple Critical Section Protocol There are N concurrent processes P 1,…,P N that share some data. A process accessing the shared data is said to execute.

A Simple Critical Section Protocol There are N concurrent processes P 1,…,P N that share some data. A process accessing the shared data is said to execute.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
Multiprocessor Synchronization Algorithms (20225241) Lecturer: Danny Hendler The Mutual Exclusion problem.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
Concurrent Programming James Adkison 02/28/2008. What is concurrency? “happens-before relation – A happens before B if A and B belong to the same process.

Concurrent Programming James Adkison 02/28/2008. What is concurrency? “happens-before relation – A happens before B if A and B belong to the same process.
CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.

CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
Chapter 3 The Critical Section Problem

Chapter 3 The Critical Section Problem
Concurrency.

Concurrency.
© Katz, 2007CS236368 Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS236368 Shmuel Katz The Technion.

© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
CS 582 / CMPE 481 Distributed Systems

CS 582 / CMPE 481 Distributed Systems
© Katz, 2003 Formal Specifications of Complex Systems-- Real-time 1 Adding Real-time to Formal Specifications Formal Specifications of Complex Systems.

© Katz, 2003 Formal Specifications of Complex Systems-- Real-time 1 Adding Real-time to Formal Specifications Formal Specifications of Complex Systems.
Ordering and Consistent Cuts Presented By Biswanath Panda.

Ordering and Consistent Cuts Presented By Biswanath Panda.

Similar presentations

Ads by Google