Docstoc

Concurrent and Distributed Programming

Document Sample
Concurrent and Distributed Programming Powered By Docstoc
					Concurrent and Distributed
     Programming
         Lecture 3
  Properties of Linear Time Temporal Logic
 holds for a computation iff it holds in the first state

                                                                ...
    

[] holds for a computation iff  holds in all states

                                                                ...
                                                       


 holds for a computation iff  holds in some state

                                                                ...
                                     
  Properties of Linear Time Temporal Logic

[] holds for a computation iff  holds in all states

                                                               ...
                                                

        holds in a state iff  holds in some „later“ state

                                                               ...
                                                        

   think for a moment about []
 Definitions for Linear Time Temporal Logic

   computation             definition: s(i)>s(j) iff i>j



(0) s(0)     s(1)   s(2)   s(3)        s(4)       s(5)     ...

(1)          s(1)   s(2)   s(3)        s(4)       s(5)     ...

(2)                 s(2)   s(3)        s(4)       s(5)     ...

(3)                        s(3)        s(4)       s(5)     ...

 …                                        …
Definitions for Linear Time Temporal Logic
 |=   s(0) |= 
                                         ...
   
 |=   i0. (i) |= 
                                         ...
                             
 |= []  i0. (i) |= 
                                         ...
                                
Definitions for Linear Time Temporal Logic
 |= []

                                            ...
  []

 i0. (i) |= 

                                            ...
                             


    i0. ji. (j) |= 
                                             ...
                                     
               Proof methods
induction, deduction:

       also for potentially infinite state spaces
       do not need to construct the state diagram,
            even if the state diagram is implicitly present

model checking:

       for finite state spaces
                  however: for some classes of infinite models exist
                                         mappings to finite models
       automatic, complete search…
       exponential blow-up, state-space explosion
          Model Checking
state diagram                      property

                                      



                model checker:
                automatic,
                exhausive search



        Yes or No & diagnostic trace
                        Taxonomy
In a formal language:                  In a formal language:
state diagrams...                      Linear time temporal logic
                         satisfies
     BLUEPRINT
                                           PROPERTY
       MODEL
                         models

                                                             fairness,
                                           ABSTRACT          mutex,
     PROMELA                                                 deadlock
      MODEL                                PROPERTY
                                                             safety,
                                                             liveness


                          shows

  IMPLEMENTATION                           BEHAVIOUR

                         Is realized
    e.g. Java program                      global goal
  Model checking, more philosophically
in the end:
  the verification result is only as good as the model
  that is used for verification.

minimalistic point of view:
 model checking is only a debugging technique:

 every error we find by model checking
 & that can be traced back in the original system, is an error.

 if we did not find errors, we still do not know, whether the
 errors were abstracted away when modelling.

way out: systematic modelling,
         make the modelling process explicit
        Taxonomy of concurrent program
                correctness
   In a formal language:                        In a formal language:
   Promela, state diagrams...                   Linear time temporal logic
                                satisfies
        BLUEPRINT
                                                     PROPERTY
          MODEL
                                models


implements       abstracts                    describes        formalizes to


                                 shows

     IMPLEMENTATION                                  BEHAVIOUR
                                Is realized
       e.g. Java program                             global goal
  Model checking with SPIN
Safety properties, reachability properties:

       algorithm traverses the state space


Liveness properties, evaluated on infinite computations

       algorithm for nonemptiness of the intersection
                 of two automata (languages)

message: choose different algorithms for safety
         and liveness properties!
  Model Checking with SPIN

1. Concepts of the modelling language PROMELA

2. How to prove properties

3. Examples
              Promela: Model

A Promela model consists of:
                                     mtype, constants,
                                     typedefs (records)
        type declarations
                                   chan ch = [dim] of {type, …}
                                    asynchronous: dim > 0
                                    rendez-vous:  dim == 0
      channel declarations
                                        - simple vars
                                        - structured vars
   global variable declarations         - vars can be accessed
                                          by all processes

      process declarations        behaviour of the processes:
                                  local variables + statements

         [init process]       initialises variables and
                              starts processes
                  Promela: Model
• Promela model consist of:           mtype = {MSG, ACK};
   – type declarations                chan toS = ...
   – channel declarations             chan toR = ...
                                      bool flag;
   – variable declarations
   – process declarations             proctype Sender() {
   – [init process]                     ...
                                      }        process body

• A Promela model corresponds with    proctype Receiver() {
  a (usually very large, but)           ...
  finite transition system, so        }
    – no unbounded data               init {
    – no unbounded channels             ...
    – no unbounded processes          }        creates processes
    – no unbounded process creation
           Promela: Processes
• A process
   – is defined by a proctype definition
   – executes concurrently with all other processes,
     independently of speed or behaviour
   – communicates with other processes
       • using global (shared) variables
       • using channels
• There may be several processes of the same type.
• Each process has its own local state:
   – process counter (location within the proctype)
   – contents of the local variables
            Promela: Processes
 • A process type (proctype) consist of
    – a name
    – a list of formal parameters
    – local variable declarations
    – body                        formal parameters
                       name

       proctype Sender(chan in; chan out) {
           bit sndB, rcvB;   local variables
           do
           :: out ! MSG, sndB ->
                  in ? ACK, rcvB;
body              if
                  :: sndB == rcvB -> sndB = 1-sndB
                  :: else -> skip
                  fi                    The body consist of a
           od                          sequence of statements.
       }
          Promela: Processes
 Process are created using   proctype Foo(byte x) {
                                ...
  the run statement (which    }
  returns the process id).
 Processes can be created    init {
  at any point in the           int pid2 = run Foo(2);
  execution (within any         run Foo(27);
                              }
  process).                          number of procs. (opt.)
 Processes start executing
                              active[3] proctype Bar() {
  after the run statement.      ...
 Processes can also be       }
                                       parameters will be
  created by adding active               initialised to 0
  in front of the proctype
  declaration.
   Promela : Variables and Types
                               Basic types
• Five different (integer)
                                  bit     turn=1;    [0..1]
  basic types.                    bool    flag;      [0..1]
                                  byte    counter;   [0..255]
• Arrays                          short   s;         [-215.. 215 –1]
                                  int     msg;       [-231.. 231 –1]
• Records (structs)
                               Arrays                array indexing
                                  byte a[27];           start at 0
• Type conflicts are              bit flags[4];
  detected
  at runtime .                Typedef (records)
                                  typedef Record {
                                    short f1;
• Default initial value of          byte f2;
                                                      variable
  basic variables (local and      }
                                                     declaration
  global) is 0.                   Record rr;
                                  rr.f1 = ..
 Promela: Variables and Types
• Variables should be              int ii;
                                   bit bb;
  declared.
                                                   assignment =
• Variables can be given a         bb=1;
                                   ii=2;
  value by:
   – Initialisation                short s=-1;        declaration &
                                                      initialisation
   – assignment                    typedef Foo {
                                      bit bb;
   – argument passing                 int ii;
   – message passing               };
                                   Foo f;
     (see communication)           f.bb = 0;
• Variables can be used in         f.ii = -2;
                                                     equality test ==
  expressions.                     ii*s+27 == 23;
                                   printf(“value: %d”, s*s);
    Most arithmetic, relational,
     and logical operators of
      C/Java are supported,
   including bitshift operators.
             Promela : Statements
• The body of a process consists of a sequence of statements.
  A statement is either                   executable/blocked
   – executable: the statement can       depends on the global
     be executed immediately.             state of the system.
   – blocked: the statement cannot be executed.
• An assignment is always executable.
• An expression is also a statement; it is executable if it
  evaluates to non-zero.
     2 < 3          always executable
     x < 27         only executable if value of x is smaller 27
     3 + x          executable if x is not equal to –3
          Promela : Statements
• The skip statement is always executable.
   – “does nothing”, only changes process’ process counter
• A run statement is only executable if a new process can be created
  (remember: the number of processes is bounded).
• A printf statement is always executable (but is not evaluated
  during verification, of course).

    int x;
    proctype Aap()
    {
      int y=1;                  Executable if Noot can
      skip;                         be created…
      run Noot();
      x=2;                        Can only become
      x>2 && y==1;             executable if some other
                               process makes x greater
      skip;
                                       than 2.
    }
            Promela: Statements
• assert(<expr>);
   – The assert-statement is always executable.
   – If <expr> evaluates to zero, SPIN will exit with an error,
     as the <expr> “has been violated”.
   – The assert-statement is often used within Promela
     models, to check whether certain properties are valid in
     a state.

      proctype monitor() {
        assert(n <= 3);
      }

      proctype receiver() {
          ...
          toReceiver ? msg;
          assert(msg != ERROR);
          ...
      }
          Promela: Statements
      if
      :: choice1 -> stat1.1; stat1.2; stat1.3; …
      :: choice2 -> stat2.1; stat2.2; stat2.3; …
      :: …
      :: choicen -> statn.1; statn.2; statn.3; …
      fi;

• If there is at least one choicei (guard) executable, the
  if-statement is executable and SPIN non-
  deterministically chooses one of the executable choices.
• If no choicei is executable, the if-statement is blocked.
• The operator “->” is equivalent to “;”. By convention, it is
  used within if-statements to separate the guards from
  the statements that follow the guards.
             Promela: Statements
if
::   (n % 2 != 0) -> n=1                  • The else guard becomes
::   (n >= 0)     -> n=n-2                  executable if none of the
::
::
     (n % 3 == 0) -> n=3
     else         -> skip
                                            other guards is executable.
fi


 give n a random value
if                                             non-deterministic branching
::   skip   ->   n=0
::   skip   ->   n=1
::   skip   ->   n=2
::   skip   ->   n=3
fi

            skips are redundant, because assignments
               are themselves always executable...
          Promela: Statements
      do
      :: choice1 -> stat1.1; stat1.2; stat1.3; …
      :: choice2 -> stat2.1; stat2.2; stat2.3; …
      :: …
      :: choicen -> statn.1; statn.2; statn.3; …
      od;

• With respect to the choices, a do-statement behaves in
  the same way as an if-statement.
• However, instead of ending the statement at the end of the
  choosen list of statements, a do-statement repeats the
  choice selection.
• The (always executable) break statement exits a do-loop
  statement and transfers control to the end of the loop.
          Promela: Statements
                                               if- and do-statements are
• Example – modelling a traffic light        ordinary Promela statements;
                                                 so they can be nested.
    mtype = { RED, AMBER, GREEN } ;
                mtype (message type) models enumerations in Promela

    active proctype TrafficLight() {
        byte state = GREEN;
        do
        :: (state == GREEN) -> state = AMBER;
        :: (state == AMBER) -> state = RED;
        :: (state == RED)       -> state = GREEN;
        od;
    }                   Note: this do-loop does not contain
                            any non-deterministic choice.
Promela: Interleaving Semantics
• Promela processes execute concurrently.

• Non-deterministic scheduling of the processes.

• Processes are interleaved (statements of different
  processes do not occur at the same time).
   – exception: rendez-vous communication.

• All statements are atomic; each statement is executed
  without interleaving with other processes.

• Each process may have several different possible actions
  enabled at each point of execution.
   – only one choice is made, non-deterministically.

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:4
posted:7/28/2012
language:
pages:36