# Formal Analysis of Web Services Atomic Transaction protocol using SPIN by dffhrtcv3

VIEWS: 0 PAGES: 19

• pg 1
```									Verifying a Wait Free Register
Algorithm Using Assertional
Reasoning

Xu Qiwen
Faculty of Science and Technology
University of Macau
If read and write operations are performed on
the same memory cell at the same time, read
operation may obtain an erroneous value.
Avoiding Race
l   One cell, waiting needed

l   More cells, wait free possible
2 cells, read and write different
written by write)

has been written recently but
Currently not written
Simpson 4 Slot Algorithm
loop                               loop
a-2: Wp = ! r                       b-3:   Rp = l
a-1: Wi = ! Li [ Wp ]               b-2:   r = Rp
a: Cells [ Wp ] [ Wi ] = value     b-1:    Ri = Li [ Rp ]
a+1: Li [ Wp ] = Wi                  b:     y=Cells [ Rp ] [Ri ]
a+2: l = Wp
Recent Work on Verifying
Register Algorithms

Separation Logic. Quite complicated.
Suppose R1(X), W1(X), R2(X), W2(X), are read and
write operations from 2 processors

Consider all execution sequences by interleaving
………….(a:R1(X))…(b:R2(X))………. no conflict
…………. (a:R1(X))...(b:W2(X))………. conflict
…………. (a:W1(X))...(b:R2(X))………. conflict
…………. (a:W1(X))…(b:W2(X))……… conflict
A program is race free if any interleaving of the
operations contains no state in which location variables
of two processors are at a conflicting pair of operations.
Suppose O1(X), O2(Y), are two operations from
2 processors at locations a and b, the location
variables of the two processors areαandβ

For any interleaving of operations
…………. (a:O1(X))… (b:O2(Y))…….
If O1(X) and O2(Y) are read/write, write/write pairs,
then X and Y must be distinct
(α=a Ùβ=b) Þ X¹Y should be an invariant
Assertional Methods

Floyd 1967
Assigning meanings to programs

Hoare Logic 1969
An axiomatic basis for computer programming

{ P[e/x] } x:=e { P }
{ true } x:=1 { x=1 }
{ x=0 } x:=x+1 { x=1 }
{ x>0 } x:=x+1 { x>1 }
Race Freedom for Simpson
Algorithm
a: Cells [ Wp ] [ Wi ] = value
b:   y=Cells [ Rp ] [Ri ]

Invariant (α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri )
Verification of Invariant (Global
Method)

init Þ inv
{ inv } Op { inv } for any operation Op

inv is an invariant

This rule cannot be used to prove all invariants.
{ inv } Op { inv } ( we say inductive ) may not hold
for any operation Op, ie, inv may not be inductive.
Verification of Simpson 4 Slot
Algorithm (Global method)
a-2: Wp = ! r                        b-3: Rp = l
a-1: Wi = ! Li [ Wp ]                b-2: r = Rp
a: Cells [ Wp ] [ Wi ] = value       b-1: Ri = Li [ Rp ]
a+1: Li [ Wp ] = Wi                    b: y=Cells [ Rp ] [Ri ]
a+2: l = Wp

α=a Þ ( Wi ¹ Li [ Wp ] )         is invariant,
can be proved by the rule

β=b Þ ( Ri = Li [ Rp ] )         is not invariant

(α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri ) are invariants,
β=b Þ ( r = Rp )     but cannot be proved by the rule

inv’ Þ inv
inv’ is an invariant

inv is an invariant           ( Consequence )

inv, inv’ are invariants

inv Ù inv’ is an invariant
Verification of Simpson 4 Slot
Algorithm (Global method)
To prove (α=a Ùβ=b) Þ ( Wp¹Rp Ú Wi¹Ri) invariant,
by using the fact α=a Þ ( Wi ¹ Li [ Wp ] ),
β=b Þ ( r = Rp ) are invariants, it is enough to prove
(α=a Ùβ=b) Þ ( Wp¹r Ú Ri = Li [ Rp ] ) invariant.
Close enough, but still not inductive.

Finally
((α=a-1 Ú α=a) Ùβ=b) Þ ( Wp¹r Ú Ri = Li [ Rp ] )
is inductive.
Verification of Simpson 4 Slot
Algorithm (Assertional Network
Method)

a-2: Wp = ! r                      b-3: Rp = l
a-1: Wi = ! Li [ Wp ]              b-2: r = Rp
{ Wi ¹ Li [ Wp ]                     { r = Rp }
Ù β=b Þ ( Wp¹r Ú Ri = Li [ Rp ] ) }
a: Cells [ Wp ] [ Wi ] = value     b-1: Ri = Li [ Rp ]
a+1: Li [ Wp ] = Wi                 b: y=Cells [ Rp ] [Ri ]
a+2: l = Wp
Owicki & Gries Method

Any triple { p } S { q } in each processor should be correct
just like usual sequential Hoare logic.

For each assertion p in one processor, the execution of any
operation of the other processor will maintain the assertion.
This is called interference freedom. Suppose the other
operation is Op, executed under precondition q, p is
maintained if
{ p Ù q } Op { p }       interference freedom test
Conclusion and Future Work
Traditional assertional methods seem to be
able to verify register algorithm quite well.

Future Work
1) Study more complicated algorithms

2) Verify more properties

Data Freshness
Expressing Data Freshness
counter=0
loop                             loop
counter=counter +1               FinishedW=LastW
a-2: Wp = ! r                     b-3: Rp = l
a-1: Wi = ! Li [ Wp ]             b-2: r = Rp
a: Cells [ Wp ] [ Wi ] = value   b-1: Ri = Li [ Rp ]
C [ Wp ] [ Wi ] = counter     b: y=Cells [ Rp ] [Ri ]
RC=C [ Rp ] [ Ri ]
a+1: Li [ Wp ] = Wi        { RC>=max(LastR,FinishedW) }
a+2: l = Wp                             LastR=RC
LastW=counter
References
R.W. Floyd. Assigning meanings to programs
Proceedings of the Symposium on Applied Math, 1967

C.A.R. Hoare An axiomatic basis for computer
Programming. Communications of the ACM ,
12(1969) 576-580.

L. Lamport. On Interprocess Communication
Part I: Formalism; Part II: Algorithms.
Distributed Computing 1 2(1986), 77-101.
References
H. Simpson. Four-slot fully asychronous
communication mechanism. IEE Proceedings
137 Part E(1) (January 1990), 17-30.

S. Owicki and D. Gries. An Axiomatic Proof
Technique for Parallel Programs I.
Acta Inf. 6: 319-340 (1976)

```
To top