Formal Analysis of Web Services Atomic Transaction protocol using SPIN by dffhrtcv3

VIEWS: 0 PAGES: 19

									Verifying a Wait Free Register
Algorithm Using Assertional
Reasoning


                                 Xu Qiwen
        Faculty of Science and Technology
                       University of Macau
Read and Write Conflict (Race)
If read and write operations are performed on
the same memory cell at the same time, read
operation may obtain an erroneous value.
Avoiding Race
l   One cell, waiting needed
                 write         read




l   More cells, wait free possible
                                       2 cells, read and write different
             write               read cells, but read and write have no
                                     relations (read should read values
                                                written by write)


              write            read 4 cells, read can read a cell that
                                     has been written recently but
                                           Currently not written
Simpson 4 Slot Algorithm
Write                              Read
loop                               loop
  a-2: Wp = ! r                       b-3:   Rp = l
  a-1: Wi = ! Li [ Wp ]               b-2:   r = Rp
  a: Cells [ Wp ] [ Wi ] = value     b-1:    Ri = Li [ Rp ]
  a+1: Li [ Wp ] = Wi                  b:     y=Cells [ Rp ] [Ri ]
  a+2: l = Wp
Recent Work on Verifying
Register Algorithms


Separation Logic. Quite complicated.
Model and Reason about Race
Suppose R1(X), W1(X), R2(X), W2(X), are read and
write operations from 2 processors

Consider all execution sequences by interleaving
     ………….(a:R1(X))…(b:R2(X))………. no conflict
     …………. (a:R1(X))...(b:W2(X))………. conflict
     …………. (a:W1(X))...(b:R2(X))………. conflict
     …………. (a:W1(X))…(b:W2(X))……… conflict
A program is race free if any interleaving of the
operations contains no state in which location variables
of two processors are at a conflicting pair of operations.
Model and Reason about Race
Suppose O1(X), O2(Y), are two operations from
2 processors at locations a and b, the location
variables of the two processors areαandβ

For any interleaving of operations
      …………. (a:O1(X))… (b:O2(Y))…….
If O1(X) and O2(Y) are read/write, write/write pairs,
then X and Y must be distinct
   (α=a Ùβ=b) Þ X¹Y should be an invariant
Assertional Methods

Floyd 1967
Assigning meanings to programs

Hoare Logic 1969
An axiomatic basis for computer programming

    { P[e/x] } x:=e { P }
    { true } x:=1 { x=1 }
    { x=0 } x:=x+1 { x=1 }
    { x>0 } x:=x+1 { x>1 }
Race Freedom for Simpson
Algorithm
a: Cells [ Wp ] [ Wi ] = value
                             b:   y=Cells [ Rp ] [Ri ]

Invariant (α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri )
Verification of Invariant (Global
Method)

         init Þ inv
         { inv } Op { inv } for any operation Op

         inv is an invariant

This rule cannot be used to prove all invariants.
{ inv } Op { inv } ( we say inductive ) may not hold
for any operation Op, ie, inv may not be inductive.
Verification of Simpson 4 Slot
Algorithm (Global method)
 a-2: Wp = ! r                        b-3: Rp = l
 a-1: Wi = ! Li [ Wp ]                b-2: r = Rp
 a: Cells [ Wp ] [ Wi ] = value       b-1: Ri = Li [ Rp ]
 a+1: Li [ Wp ] = Wi                    b: y=Cells [ Rp ] [Ri ]
 a+2: l = Wp

 α=a Þ ( Wi ¹ Li [ Wp ] )         is invariant,
                                      can be proved by the rule

 β=b Þ ( Ri = Li [ Rp ] )         is not invariant

 (α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri ) are invariants,
 β=b Þ ( r = Rp )     but cannot be proved by the rule
Additional Rules

    inv’ Þ inv
    inv’ is an invariant

    inv is an invariant           ( Consequence )


     inv, inv’ are invariants

     inv Ù inv’ is an invariant
 Verification of Simpson 4 Slot
 Algorithm (Global method)
To prove (α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri) invariant,
by using the fact α=a Þ ( Wi ¹ Li [ Wp ] ),
β=b Þ ( r = Rp ) are invariants, it is enough to prove
(α=a Ùβ=b) Þ ( Wp¹r Ú Ri = Li [ Rp ] ) invariant.
Close enough, but still not inductive.

Finally
((α=a-1 Ú α=a) Ùβ=b) Þ ( Wp¹r Ú Ri = Li [ Rp ] )
is inductive.
Verification of Simpson 4 Slot
Algorithm (Assertional Network
Method)

a-2: Wp = ! r                      b-3: Rp = l
a-1: Wi = ! Li [ Wp ]              b-2: r = Rp
     { Wi ¹ Li [ Wp ]                     { r = Rp }
      Ù β=b Þ ( Wp¹r Ú Ri = Li [ Rp ] ) }
a: Cells [ Wp ] [ Wi ] = value     b-1: Ri = Li [ Rp ]
a+1: Li [ Wp ] = Wi                 b: y=Cells [ Rp ] [Ri ]
a+2: l = Wp
 Owicki & Gries Method

Any triple { p } S { q } in each processor should be correct
just like usual sequential Hoare logic.

For each assertion p in one processor, the execution of any
operation of the other processor will maintain the assertion.
This is called interference freedom. Suppose the other
operation is Op, executed under precondition q, p is
maintained if
  { p Ù q } Op { p }       interference freedom test
Conclusion and Future Work
Traditional assertional methods seem to be
able to verify register algorithm quite well.

Future Work
1) Study more complicated algorithms

2) Verify more properties

     Data Freshness
Expressing Data Freshness
Write                              Read
counter=0
loop                             loop
  counter=counter +1               FinishedW=LastW
  a-2: Wp = ! r                     b-3: Rp = l
  a-1: Wi = ! Li [ Wp ]             b-2: r = Rp
  a: Cells [ Wp ] [ Wi ] = value   b-1: Ri = Li [ Rp ]
       C [ Wp ] [ Wi ] = counter     b: y=Cells [ Rp ] [Ri ]
                                         RC=C [ Rp ] [ Ri ]
 a+1: Li [ Wp ] = Wi        { RC>=max(LastR,FinishedW) }
 a+2: l = Wp                             LastR=RC
 LastW=counter
References
R.W. Floyd. Assigning meanings to programs
Proceedings of the Symposium on Applied Math, 1967

C.A.R. Hoare An axiomatic basis for computer
Programming. Communications of the ACM ,
12(1969) 576-580.

L. Lamport. On Interprocess Communication
Part I: Formalism; Part II: Algorithms.
Distributed Computing 1 2(1986), 77-101.
 References
H. Simpson. Four-slot fully asychronous
communication mechanism. IEE Proceedings
137 Part E(1) (January 1990), 17-30.

S. Owicki and D. Gries. An Axiomatic Proof
Technique for Parallel Programs I.
Acta Inf. 6: 319-340 (1976)

								
To top