# Concurrent and Distributed Programming

Document Sample

```					Concurrent and Distributed
Programming
Lecture 3
Properties of Linear Time Temporal Logic
 holds for a computation iff it holds in the first state

...


[] holds for a computation iff  holds in all states

...
                                                   

 holds for a computation iff  holds in some state

...

Properties of Linear Time Temporal Logic

[] holds for a computation iff  holds in all states

...
                                            

 holds in a state iff  holds in some „later“ state

...
                                                     

think for a moment about []
Definitions for Linear Time Temporal Logic

computation             definition: s(i)>s(j) iff i>j

(0) s(0)     s(1)   s(2)   s(3)        s(4)       s(5)     ...

(1)          s(1)   s(2)   s(3)        s(4)       s(5)     ...

(2)                 s(2)   s(3)        s(4)       s(5)     ...

(3)                        s(3)        s(4)       s(5)     ...

…                                        …
Definitions for Linear Time Temporal Logic
 |=   s(0) |= 
...

 |=   i0. (i) |= 
...

 |= []  i0. (i) |= 
...
                             
Definitions for Linear Time Temporal Logic
 |= []

...
[]

 i0. (i) |= 

...
                         

    i0. ji. (j) |= 
...
                                 
Proof methods
induction, deduction:

 also for potentially infinite state spaces
 do not need to construct the state diagram,
even if the state diagram is implicitly present

model checking:

 for finite state spaces
however: for some classes of infinite models exist
mappings to finite models
 automatic, complete search…
 exponential blow-up, state-space explosion
Model Checking
state diagram                      property



model checker:
automatic,
exhausive search

Yes or No & diagnostic trace
Taxonomy
In a formal language:                  In a formal language:
state diagrams...                      Linear time temporal logic
satisfies
BLUEPRINT
PROPERTY
MODEL
models

fairness,
ABSTRACT          mutex,
MODEL                                PROPERTY
safety,
liveness

shows

IMPLEMENTATION                           BEHAVIOUR

Is realized
e.g. Java program                      global goal
Model checking, more philosophically
in the end:
the verification result is only as good as the model
that is used for verification.

minimalistic point of view:
model checking is only a debugging technique:

every error we find by model checking
& that can be traced back in the original system, is an error.

if we did not find errors, we still do not know, whether the
errors were abstracted away when modelling.

way out: systematic modelling,
make the modelling process explicit
Taxonomy of concurrent program
correctness
In a formal language:                        In a formal language:
Promela, state diagrams...                   Linear time temporal logic
satisfies
BLUEPRINT
PROPERTY
MODEL
models

implements       abstracts                    describes        formalizes to

shows

IMPLEMENTATION                                  BEHAVIOUR
Is realized
e.g. Java program                             global goal
Model checking with SPIN
Safety properties, reachability properties:

algorithm traverses the state space

Liveness properties, evaluated on infinite computations

algorithm for nonemptiness of the intersection
of two automata (languages)

message: choose different algorithms for safety
and liveness properties!
Model Checking with SPIN

1. Concepts of the modelling language PROMELA

2. How to prove properties

3. Examples
Promela: Model

A Promela model consists of:
mtype, constants,
typedefs (records)
type declarations
chan ch = [dim] of {type, …}
asynchronous: dim > 0
rendez-vous:  dim == 0
channel declarations
- simple vars
- structured vars
global variable declarations         - vars can be accessed
by all processes

process declarations        behaviour of the processes:
local variables + statements

[init process]       initialises variables and
starts processes
Promela: Model
• Promela model consist of:           mtype = {MSG, ACK};
– type declarations                chan toS = ...
– channel declarations             chan toR = ...
bool flag;
– variable declarations
– process declarations             proctype Sender() {
– [init process]                     ...
}        process body

• A Promela model corresponds with    proctype Receiver() {
a (usually very large, but)           ...
finite transition system, so        }
– no unbounded data               init {
– no unbounded channels             ...
– no unbounded processes          }        creates processes
– no unbounded process creation
Promela: Processes
• A process
– is defined by a proctype definition
– executes concurrently with all other processes,
independently of speed or behaviour
– communicates with other processes
• using global (shared) variables
• using channels
• There may be several processes of the same type.
• Each process has its own local state:
– process counter (location within the proctype)
– contents of the local variables
Promela: Processes
• A process type (proctype) consist of
– a name
– a list of formal parameters
– local variable declarations
– body                        formal parameters
name

proctype Sender(chan in; chan out) {
bit sndB, rcvB;   local variables
do
:: out ! MSG, sndB ->
in ? ACK, rcvB;
body              if
:: sndB == rcvB -> sndB = 1-sndB
:: else -> skip
fi                    The body consist of a
od                          sequence of statements.
}
Promela: Processes
 Process are created using   proctype Foo(byte x) {
...
the run statement (which    }
returns the process id).
 Processes can be created    init {
at any point in the           int pid2 = run Foo(2);
execution (within any         run Foo(27);
}
process).                          number of procs. (opt.)
 Processes start executing
active[3] proctype Bar() {
after the run statement.      ...
 Processes can also be       }
parameters will be
created by adding active               initialised to 0
in front of the proctype
declaration.
Promela : Variables and Types
Basic types
• Five different (integer)
bit     turn=1;    [0..1]
basic types.                    bool    flag;      [0..1]
byte    counter;   [0..255]
• Arrays                          short   s;         [-215.. 215 –1]
int     msg;       [-231.. 231 –1]
• Records (structs)
Arrays                array indexing
byte a[27];           start at 0
• Type conflicts are              bit flags[4];
detected
at runtime .                Typedef (records)
typedef Record {
short f1;
• Default initial value of          byte f2;
variable
basic variables (local and      }
declaration
global) is 0.                   Record rr;
rr.f1 = ..
Promela: Variables and Types
• Variables should be              int ii;
bit bb;
declared.
assignment =
• Variables can be given a         bb=1;
ii=2;
value by:
– Initialisation                short s=-1;        declaration &
initialisation
– assignment                    typedef Foo {
bit bb;
– argument passing                 int ii;
– message passing               };
Foo f;
(see communication)           f.bb = 0;
• Variables can be used in         f.ii = -2;
equality test ==
expressions.                     ii*s+27 == 23;
printf(“value: %d”, s*s);
Most arithmetic, relational,
and logical operators of
C/Java are supported,
including bitshift operators.
Promela : Statements
• The body of a process consists of a sequence of statements.
A statement is either                   executable/blocked
– executable: the statement can       depends on the global
be executed immediately.             state of the system.
– blocked: the statement cannot be executed.
• An assignment is always executable.
• An expression is also a statement; it is executable if it
evaluates to non-zero.
2 < 3          always executable
x < 27         only executable if value of x is smaller 27
3 + x          executable if x is not equal to –3
Promela : Statements
• The skip statement is always executable.
– “does nothing”, only changes process’ process counter
• A run statement is only executable if a new process can be created
(remember: the number of processes is bounded).
• A printf statement is always executable (but is not evaluated
during verification, of course).

int x;
proctype Aap()
{
int y=1;                  Executable if Noot can
skip;                         be created…
run Noot();
x=2;                        Can only become
x>2 && y==1;             executable if some other
process makes x greater
skip;
than 2.
}
Promela: Statements
• assert(<expr>);
– The assert-statement is always executable.
– If <expr> evaluates to zero, SPIN will exit with an error,
as the <expr> “has been violated”.
– The assert-statement is often used within Promela
models, to check whether certain properties are valid in
a state.

proctype monitor() {
assert(n <= 3);
}

...
assert(msg != ERROR);
...
}
Promela: Statements
if
:: choice1 -> stat1.1; stat1.2; stat1.3; …
:: choice2 -> stat2.1; stat2.2; stat2.3; …
:: …
:: choicen -> statn.1; statn.2; statn.3; …
fi;

• If there is at least one choicei (guard) executable, the
if-statement is executable and SPIN non-
deterministically chooses one of the executable choices.
• If no choicei is executable, the if-statement is blocked.
• The operator “->” is equivalent to “;”. By convention, it is
used within if-statements to separate the guards from
the statements that follow the guards.
Promela: Statements
if
::   (n % 2 != 0) -> n=1                  • The else guard becomes
::   (n >= 0)     -> n=n-2                  executable if none of the
::
::
(n % 3 == 0) -> n=3
else         -> skip
other guards is executable.
fi

give n a random value
if                                             non-deterministic branching
::   skip   ->   n=0
::   skip   ->   n=1
::   skip   ->   n=2
::   skip   ->   n=3
fi

skips are redundant, because assignments
are themselves always executable...
Promela: Statements
do
:: choice1 -> stat1.1; stat1.2; stat1.3; …
:: choice2 -> stat2.1; stat2.2; stat2.3; …
:: …
:: choicen -> statn.1; statn.2; statn.3; …
od;

• With respect to the choices, a do-statement behaves in
the same way as an if-statement.
• However, instead of ending the statement at the end of the
choosen list of statements, a do-statement repeats the
choice selection.
• The (always executable) break statement exits a do-loop
statement and transfers control to the end of the loop.
Promela: Statements
if- and do-statements are
• Example – modelling a traffic light        ordinary Promela statements;
so they can be nested.
mtype = { RED, AMBER, GREEN } ;
mtype (message type) models enumerations in Promela

active proctype TrafficLight() {
byte state = GREEN;
do
:: (state == GREEN) -> state = AMBER;
:: (state == AMBER) -> state = RED;
:: (state == RED)       -> state = GREEN;
od;
}                   Note: this do-loop does not contain
any non-deterministic choice.
Promela: Interleaving Semantics
• Promela processes execute concurrently.

• Non-deterministic scheduling of the processes.

• Processes are interleaved (statements of different
processes do not occur at the same time).
– exception: rendez-vous communication.

• All statements are atomic; each statement is executed
without interleaving with other processes.

• Each process may have several different possible actions
enabled at each point of execution.
– only one choice is made, non-deterministically.

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 4 posted: 7/28/2012 language: pages: 36