program correctness the state-transition model the set of global states = so x s1 x … x sm {sk is...
TRANSCRIPT
Program correctness
The State-transition modelThe set of global states =
so x s1 x … x sm{sk is the set of local states of
process k}
S0 ---> S1 ---> S2 --->
Each transition is caused by an action by an eligible process.
We reason using interleaving semantics
A B
C D E
F
G H I
J K
L
action
action
action
Correctness criteria
Safety properties• Bad things never happen
Liveness properties• Good things eventually happen
Testing vs. Proof
Testing: Apply inputs and observe if the
outputs satisfy the specifications. Fool proof
testing can be painfully slow, even for small
systems. Most testing are partial.
Proof: Has a mathematical foundation, and a
complete guarantee. Sometimes not
scalable.
Testing vs. Proof
To test this program, you have to test all possible interleavings. With n processes p0, p1, … pn-1, the number of interleavings is
(n.m)!
(m!) n
The state explosion problem
p0 p1 p2
Step 1 ---- ---- ----Step 2 ---- ---- ----…Step m ---- ---- ----
Example 1: Mutual Exclusion
Process 0 Process 1do true do true
Entry protocol Entry protocolCritical section Critical sectionExit protocol Exit protocol
od odSafety properties (1) There is no deadlock (2) At most one process enters the critical section.Liveness property A process trying to enter the CS must eventually succeed in doing so. (This is also called the progress property)
Exercisedefine busy :shared Boolean;
initially busy = false;{process 0} {process 1}do true do true
do busy skip od; do busy skip od;busy:= true; busy:= true;critical section; critical sectionbusy := false; busy := false{remaining codes} {remaining codes}
od od
Does this mutual exclusion protocol satisfy liveness and safety properties?
Safety invariants {Mutex} The number of processes in the CS ≤ 1
{Bounded capacity channel} 0 ≤ nP - nC ≤ channel capacity {Absence of deadlock} (G0G1G2…Gk) postcondition
{Partial Correctness} If the program terminates, then the result will be correct. It
does not determine if the program will terminate. (Termination is a liveness
property).
Total correctness = partial correctness + termination.
Safety violation can be determined by examining a finite prefix of the computation.
ExerciseGraph coloring problem. Color the nodes of a grpah so that no two adjacent nodes have the same color.
program colorme {for process Pi }
define color c {0, 1, 2, 3}
Initially colors may be arbitrary.
do j : j N(i) :: (c[i] = c[j]) c[i] :=(c[i]+2) mod 4
od
Is the program partially correct?Does it terminate?
p1
p3
p0
p2
Liveness propertiesEventuality can be tricky. There is no need to guarantee when
the desired thing will happen, as long as it happens..
Examples The message will eventually reach the receiver. The process will eventually enter its critical section. The faulty process will be eventually be diagnosed Fairness (if an action will eventually be scheduled) The program will eventually terminate.
Absence of liveness cannot be determined from finite prefix of the computation
More safety properties
Some example are: Buffer should not overflow, i.e. 0 ≤ (in - out) ≤
capacity No deadlock Partial correctness
Safety property can be disproved by examining a finite prefix of the computation.
Liveness properties
Some example are: Progress towards the critical section Reachability Termination Fairness
Liveness property cannot be disproved by examining a finite prefix of the computation.
Proving safety
define c1, c2 : channel; {init c1 = c2 =}r, t : integer;{init r = 5, t = 5}
{program for T} 1 do t > 0 send msg along c1; t := t -12 ¬empty (c2) rcv msg from c2; t := t +1
od
{program for R} 3 do ¬empty (c1) rcv msg from c1; r := r+14 r > 0 send msg along c2; r := r-1
od
We want to prove the safety property P:
The total number of messages in c1 & c2 is ≤ 10
T R
c1
c2
Proof of safety continued
Let n1, n2 = # of msg in c1and c2 respectively.We will establish the following invariant:
I (t ≥ 0) (r ≥ 0) (n1 + t + n2 + r = 10)(I implies P). Check if I holds after every action.
{program for T} 1 do t > 0 send msg along c1; t := t -12 ¬empty (c2) rcv msg from c2; t := t +1
od
{program for R} 3 do ¬empty (c1) rcv msg from c1; r := r+14 r > 0 send msg along c2; r := r-1
od
T R
c1
c2
Proving liveness
S1 S2 S3 S4 f f f f
w1 w2 w3 w4
Here,o w1, w2, w3, w4 WFo WF is a well-founded set whose
elements can be ordered by »
There is no infinite
chain like
w1 » w2 » w3 » w4 ..
f(si) » f(si+1) » f(si+2) ..
Proof of liveness: an exampleClock phase synchronization
{Program for each clock}(c[k] = phase of clock k, initially arbitrary)
do j: j N(i) :: c[j] = c[i] +1 mod 3 c[i] := c[i] + 2 mod 3
j: j N(i) :: c[j] ≠ c[i] +1 mod 3 c[i] := c[i] + 1 mod 3
od{Show that eventually all clocks will return to the same phase, and continue their synchronization}
0
n-1
3
2
1
Understanding convergenceLet D = d[0] + d[1] + d[2] + … + d[n-1]
d[i] = 0 if no arrow points towards clock i;= i+1 if a pointing towards clock i; n-i if a pointing towards clock i;= 1 if both and point towards clock i.
By definition, D ≥ 0. Also, D decreases after
every step in the system. So the number
of arrows must reduce to 0.
0 2 02 2
1 1 10 1
2 2 22 2
Understand the game of arrows