Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->

Published byNoel Gilmore Modified over 8 years ago

Similar presentations

Presentation on theme: "Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->"— Presentation transcript:

1 Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 ---> S2 ---> Each transition is caused by an action by an eligible process. We reason using interleaving semantics action

2 Correctness criteria Safety properties Bad things never happen Liveness properties Good things eventually happen

3 Testing vs. Proof Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. Proof: Has a mathematical foundation, and a complete guarantee. Sometimes not scalable.

4 Testing vs. Proof To test this program, you have to test all possible interleavings. With n processes p 0, p 1, … p n-1, the number of interleavings is (n.m)! (m!) n The state explosion problem p0 p1p2 Step 1 ---- -------- Step 2 ---- -------- … Step m ---- --------

5 Example 1: Mutual Exclusion Process 0Process 1 do true  Entry protocolCritical sectionExit protocolod Safety properties (1) There is no deadlock (2) At most one process enters the critical section. Liveness property A process trying to enter the CS must eventually succeed in doing so. (This is also called the progress property )

6 Exercise define busy :shared Boolean; initially busy = false; { process 0 }{ process 1 } do true  do busy  skip od ; busy:= true; critical section;critical section busy := false;busy := false{remaining codes}od Does this mutual exclusion protocol satisfy liveness and safety properties?

7 Safety invariants { Mutex } The number of processes in the CS ≤ 1 { Bounded capacity channel } 0 ≤ nP - nC ≤ channel capacity { Absence of deadlock }  (G0  G1  G2  …  Gk)  postcondition { Partial Correctness } If the program terminates, then the result will be correct. It does not determine if the program will terminate. (Termination is a liveness property). Total correctness = partial correctness + termination. Safety violation can be determined by examining a finite prefix of the computation.

8 Exercise Graph coloring problem. Color the nodes of a grpah so that no two adjacent nodes have the same color. program colorme {for process P i } define color c  {0, 1, 2, 3} Initially colors may be arbitrary. do  j : j  N(i) :: (c[i] = c[j])  c[i] :=(c[i]+2) mod 4 od Is the program partially correct? Does it terminate? p1 p3 p0 p2

9 Liveness properties Eventuality can be tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. Examples  The message will eventually reach the receiver.  The process will eventually enter its critical section.  The faulty process will be eventually be diagnosed  Fairness (if an action will eventually be scheduled)  The program will eventually terminate. Absence of liveness cannot be determined from finite prefix of the computation

10 More safety properties Some example are: Buffer should not overflow, i.e. 0 ≤ (in - out) ≤ capacity No deadlock Partial correctness Safety property can be disproved by examining a finite prefix of the computation.

11 Liveness properties Some example are: Progress towards the critical section Reachability Termination Fairness Liveness property cannot be disproved by examining a finite prefix of the computation.

12 Proving safety define c1, c2 : channel; { init c1 =  c2 =  } r, t : integer;{ init r = 5, t = 5} {program for T } 1 do t > 0  send msg along c1; t := t -1 2  ¬empty (c2)  rcv msg from c2; t := t +1 od {program for R } 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4  r > 0  send msg along c2; r := r-1 od We want to prove the safety property P: The total number of messages in c1 & c2 is ≤ 10

13 Proof of safety continued Let n1, n2 = # of msg in c1 and c2 respectively. We will establish the following invariant: I  (t ≥ 0)  (r ≥ 0)  (n1 + t + n2 + r = 10) ( I implies P ). Check if I holds after every action. {program for T } 1 do t > 0  send msg along c1; t := t -1 2  ¬empty (c2)  rcv msg from c2; t := t +1 od {program for R } 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4  r > 0  send msg along c2; r := r-1 od

14 Proving liveness S1  S2  S3  S4   f  f w1w2w3w4 Here, o w1, w2, w3, w4  WF o WF is a well-founded set whose elements can be ordered by » There is no infinite chain like w1 » w2 » w3 » w4.. f(s i ) » f(s i+1 ) » f(s i+2 )..

15 Proof of liveness: an example Clock phase synchronization {Program for each clock} (c[k] = phase of clock k, initially arbitrary) do  j: j  N(i) :: c[j] = c[i] +1 mod 3  c[i] := c[i] + 2 mod 3   j: j  N(i) :: c[j] ≠ c[i] +1 mod 3  c[i] := c[i] + 1 mod 3 od {Show that eventually all clocks will return to the same phase, and continue their synchronization} 0 n-1 3 2 1

16 Understanding convergence Let D = d[0] + d[1] + d[2] + … + d[n-1] d[i] = 0 if no arrow points towards clock i ; = i+1 if a  pointing towards clock i ;  n-i if a  pointing towards clock i ; = 1 if both  and  point towards clock i. By definition, D ≥ 0. Also, D decreases after every step in the system. So the number of arrows must reduce to 0. 02022 11101 2222 2 Understand the game of arrows

Download ppt "Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->"

Similar presentations

Model Checking Lecture 1.

Model Checking Lecture 1.
Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.

Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Distributed Computing 5. Snapshot Shmuel Zaks ©

Distributed Computing 5. Snapshot Shmuel Zaks ©
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
Distributed Computing 8. Impossibility of consensus Shmuel Zaks ©

Distributed Computing 8. Impossibility of consensus Shmuel Zaks ©
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
Global State Collection. Global state collection Some applications - computing network topology - termination detection - deadlock detection Chandy-Lamport.

Global State Collection. Global state collection Some applications - computing network topology - termination detection - deadlock detection Chandy-Lamport.
Tele Design of Reactive Systems Summer 2001 Prof. Dr. Stefan Leue Institute for Computer Science Albert-Ludwigs-Universität Freiburg

Tele Design of Reactive Systems Summer 2001 Prof. Dr. Stefan Leue Institute for Computer Science Albert-Ludwigs-Universität Freiburg
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Concurrency in Distributed Systems: Mutual exclusion.

Concurrency in Distributed Systems: Mutual exclusion.
Distributed Computing 5. Snapshot Shmuel Zaks ©

Distributed Computing 5. Snapshot Shmuel Zaks ©
Representing distributed algorithms Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity,

Representing distributed algorithms Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity,

Similar presentations

Ads by Google