Model Checking Concurrent Systems – An Example: Mutual Exclusion

Wenhui Zhang
http://lcs.ios.ac.cn/~zwh


Contents

Mutual Exclusion

Model Checking

Summary


Example: Mutual Exclusion

(Figure: two processes, each cycling between its two regions)

Process A: Non-Critical Region – Critical Region
Process B: Non-Critical Region – Critical Region

Example: Mutual Exclusion

(Figure: the steps each process goes through)

Process A: Non-Critical Region → Request for Entering → Wait → Check for Entering → Critical Region → Exit → Non-Critical Region
Process B: Non-Critical Region → Request for Entering → Wait → Check for Entering → Critical Region → Exit → Non-Critical Region

Design of Mutual Exclusion (Activity)

(Activity diagram, rendered as text)

initialization

Process A: work in NCR → request → wait → [condition 1] → work in CR → exit → work in NCR
           wait → [else] → wait

Process B: work in NCR → request → wait → [condition 2] → work in CR → exit → work in NCR
           wait → [else] → wait

Design of Mutual Exclusion

• Purpose:
  – ensure that not both processes are working in the critical region (CR)

• Mechanism:
  – use shared variables
  – y=1: the first process is applying for entering CR or it is in CR
  – x=1: the second process is applying for entering CR or it is in CR
  – t=(i-1): the i-th process has priority for entering CR

Design of Mutual Exclusion (State)

(State diagram, rendered as text)

initialization: x:=0; y:=0

Process A:
  work in NCR → wait            (request: y:=1; t:=1)
  wait → work in CR             [x=0 or t=0]
  wait → wait                   [x=1 and t=1]
  work in CR → work in NCR      (exit: y:=0)

Process B:
  work in NCR → wait            (request: x:=1; t:=0)
  wait → work in CR             [y=0 or t=1]
  wait → wait                   [y=1 and t=0]
  work in CR → work in NCR      (exit: x:=0)


Correctness of the Design

• How do we know that the design is correct?

Combined States of the Two Processes

  Process A   Process B   Remark
  NCR         NCR
  NCR         wait
  NCR         CR
  wait        NCR
  wait        wait
  wait        CR
  CR          NCR
  CR          wait
  CR          CR          Bad state

Correctness of the Design

• How do we know that the design is correct?
  – We have to be sure that the bad state is not reachable in all possible executions of the algorithm
  – We may use state exploration (model checking) techniques or deductive proof methods

Process States and Variable States

  Process A         Process B         x       y       t
  {NCR, wait, CR}   {NCR, wait, CR}   {0,1}   {0,1}   {0,1}

A combined state is a tuple (a,b,x,y,t).

The Set of States: S

S = {(a,b,x,y,t) | a,b ∈ {NCR,wait,CR} and x,y,t ∈ {0,1}}

Transition Relation: R

Process A (guard x=0 or t=0 for entering CR):
  (NCR,b,x,y,t)  → (wait,b,x,1,1)
  (wait,b,0,y,t) → (CR,b,0,y,t)
  (wait,b,x,y,0) → (CR,b,x,y,0)
  (wait,b,1,y,1) → (wait,b,1,y,1)
  (CR,b,x,y,t)   → (NCR,b,x,0,t)

Process B (guard y=0 or t=1 for entering CR):
  (a,NCR,x,y,t)  → (a,wait,1,y,0)
  (a,wait,x,0,t) → (a,CR,x,0,t)
  (a,wait,x,y,1) → (a,CR,x,y,1)
  (a,wait,x,1,0) → (a,wait,x,1,0)
  (a,CR,x,y,t)   → (a,NCR,0,y,t)

The Set of Initial States: I

{ (NCR,NCR,0,0,0), (NCR,NCR,0,0,1) }

Fairness

F = { ¬((x=0 ∨ t=0) ∧ a=wait), ¬((y=0 ∨ t=1) ∧ b=wait) }

Safety Property

AG ¬(a=CR ∧ b=CR)

Is this a safety property?

Expectancy Property

AF (a=CR ∨ b=CR)

Is this an expectancy property?
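An added example, not from the slides and not part of VERDS: a small explicit-state checker in Python for the transition system defined above. It enumerates the states reachable from I under R with interleaving of the two processes, checks the safety property AG ¬(a=CR ∧ b=CR), and checks the expectancy property AF (a=CR ∨ b=CR) both without and with the fairness set F, treating each formula in F as a constraint that must hold infinitely often on a fair run (an assumption about the intended semantics). The state and variable names are the slides' own; the function names are mine.

```python
NCR, WAIT, CR = "NCR", "wait", "CR"
INITIAL = {(NCR, NCR, 0, 0, 0), (NCR, NCR, 0, 0, 1)}   # I: x=0, y=0, t arbitrary

def step_a(s):   # process A's move on a state (a, b, x, y, t), as in the slides
    a, b, x, y, t = s
    if a == NCR:
        return (WAIT, b, x, 1, 1)                    # request: y:=1; t:=1
    if a == WAIT:                                    # enter CR if x=0 or t=0, else keep waiting
        return (CR, b, x, y, t) if (x == 0 or t == 0) else s
    return (NCR, b, x, 0, t)                         # exit: y:=0

def step_b(s):   # process B's move, symmetric to A
    a, b, x, y, t = s
    if b == NCR:
        return (a, WAIT, 1, y, 0)                    # request: x:=1; t:=0
    if b == WAIT:                                    # enter CR if y=0 or t=1, else keep waiting
        return (a, CR, x, y, t) if (y == 0 or t == 1) else s
    return (a, NCR, 0, y, t)                         # exit: x:=0

def successors(s):
    return {step_a(s), step_b(s)}                    # interleaving: either process takes the step

def closure(starts, succ):
    """States reachable from `starts` in one or more steps (a start is included only if on a cycle)."""
    seen, todo = set(), list(starts)
    while todo:
        for n in succ(todo.pop()):
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

def reachable_states():
    return INITIAL | closure(INITIAL, successors)

def safety_holds():   # AG !(a=CR & b=CR): the bad state is never reached
    return not any(s[0] == CR and s[1] == CR for s in reachable_states())

# Fairness constraints F from the slides, each assumed to hold infinitely often on a fair run:
# a process cannot sit in `wait` forever while its entry condition is true.
FAIR = (lambda s: not ((s[2] == 0 or s[4] == 0) and s[0] == WAIT),
        lambda s: not ((s[3] == 0 or s[4] == 1) and s[1] == WAIT))

def expectancy_holds(fair):
    """AF (a=CR | b=CR): fails iff a (fair) cycle exists among states where nobody is in CR."""
    bad = {s for s in reachable_states() if s[0] != CR and s[1] != CR}
    succ = lambda s: {n for n in successors(s) if n in bad}   # stay inside the bad region
    for s in bad:
        scc = {v for v in closure({s}, succ) if s in closure({v}, succ)}  # non-empty iff s is on a cycle
        if scc and (not fair or all(any(f(v) for v in scc) for f in FAIR)):
            return False                                 # found a counterexample lasso
    return True
```

Without fairness the counterexample is a process that keeps waiting while its condition is false and the other process is never scheduled; the fairness constraints rule that run out, which is why the expectancy property holds only in the model with FAIRNESS declarations.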

Contents

Mutual Exclusion

Model Checking

Summary

Modeling and Model Checking

• Model Checking with VERDS – http://lcs.ios.ac.cn/~zwh/verds
• Input to VERDS – VVM (VERDS verification model)
• Modeling Language – VML (VERDS modeling language)

State Transition Model

(Figure, rendered as text)

Variables:
  SA: {NCR,wait,CR}
  SB: {NCR,wait,CR}
  x: {0,1}   y: {0,1}   t: {0,1}

Initial States: SA=NCR, SB=NCR, x=0, y=0

Process A: NCR --(x=1,t=0)--> wait --(x==0||t==0: yes)--> CR --(y=0)--> NCR
           wait --(x==0||t==0: no)--> wait
Process B: NCR --(y=1,t=1)--> wait --(y==0||t==1: yes)--> CR --(x=0)--> NCR
           wait --(y==0||t==1: no)--> wait

Without Fairness Specifications

Modeling in VML

  VVM
  VAR x: 0..1; y: 0..1; t: 0..1;
  INIT x=0; y=0;
  PROC p0: p0m(); p1: p1m();
  SPEC AG(!(p0.a=c0&p1.b=c0));

Safety: Mutual exclusion

Modeling in VML

  MODULE p0m()
  VAR a: {n0,w0,c0};
  INIT a=n0;
  TRANS
    a=n0: (y,t,a):=(1,1,w0);
    a=w0&(x=0|t=0): (a):=(c0);
    a=w0&!(x=0|t=0): (a):=(w0);
    a=c0: (y,a):=(0,n0);

  MODULE p1m()
  VAR b: {n0,w0,c0};
  INIT b=n0;
  TRANS
    b=n0: (x,t,b):=(1,0,w0);
    b=w0&(y=0|t=1): (b):=(c0);
    b=w0&!(y=0|t=1): (b):=(w0);
    b=c0: (x,b):=(0,n0);

The Complete Model in VML

  VVM
  VAR x: 0..1; y: 0..1; t: 0..1;
  INIT x=0; y=0;
  PROC p0: p0m(); p1: p1m();
  SPEC AG(!(p0.a=c0&p1.b=c0));

  MODULE p0m()
  VAR a: {n0,w0,c0};
  INIT a=n0;
  TRANS
    a=n0: (y,t,a):=(1,1,w0);
    a=w0&(x=0|t=0): (a):=(c0);
    a=w0&!(x=0|t=0): (a):=(w0);
    a=c0: (y,a):=(0,n0);

  MODULE p1m()
  VAR b: {n0,w0,c0};
  INIT b=n0;
  TRANS
    b=n0: (x,t,b):=(1,0,w0);
    b=w0&(y=0|t=1): (b):=(c0);
    b=w0&!(y=0|t=1): (b):=(w0);
    b=c0: (x,b):=(0,n0);

Verification with VERDS

  ../verds -ck 1 mutex3.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3.vvm
  PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
  bound = 1 time = 0
  ---------- time = 0
  bound = 2 time = 0
  ---------- time = 0
  ...
  bound = 6 time = 0
  ---------- time = 0
  CONCLUSION: TRUE (time=0)

Consider the Expectancy Property

  VVM
  VAR x: 0..1; y: 0..1; t: 0..1;
  INIT x=0; y=0;
  PROC p0: p0m(); p1: p1m();
  SPEC AG(!(p0.a=c0&p1.b=c0));
       AF((p0.a=c0)|(p1.b=c0));

Expectancy: Working in critical region

Verification with VERDS

  ../verds -ck 2 mutex3.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3.vvm
  PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
  bound = 1 time = 1
  ---------- time = 1
  bound = 2 time = 1
  ---------- time = 1
  bound = 3 time = 1
  ---------- time = 1
  bound = 4 time = 1
  ---------- time = 1
  CONCLUSION: FALSE (time=1)

Checking the Model

(The state diagram of the design, rendered as text)

initialization: x:=0; y:=0

Process A:
  work in NCR → wait            (request: y:=1; t:=1)
  wait → work in CR             [x=0 or t=0]
  wait → wait                   [x=1 and t=1]
  work in CR → work in NCR      (exit: y:=0)

Process B:
  work in NCR → wait            (request: x:=1; t:=0)
  wait → work in CR             [y=0 or t=1]
  wait → wait                   [y=1 and t=0]
  work in CR → work in NCR      (exit: x:=0)

With Fairness Specifications

Modified Model (with Fairness)

  MODULE p0m()
  VAR a: {n0,w0,c0};
  INIT a=n0;
  TRANS
    a=n0: (y,t,a):=(1,1,w0);
    a=w0&(x=0|t=0): (a):=(c0);
    a=w0&!(x=0|t=0): (a):=(w0);
    a=c0: (y,a):=(0,n0);
  FAIRNESS !((x=0|t=0)&(a=w0));

  MODULE p1m()
  VAR b: {n0,w0,c0};
  INIT b=n0;
  TRANS
    b=n0: (x,t,b):=(1,0,w0);
    b=w0&(y=0|t=1): (b):=(c0);
    b=w0&!(y=0|t=1): (b):=(w0);
    b=c0: (x,b):=(0,n0);
  FAIRNESS !((y=0|t=1)&(b=w0));

Verification with VERDS

  ../verds -ck 1 mutex3a.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3a.vvm
  PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
  bound = 1 time = 0
  ---------- time = 0
  bound = 2 time = 0
  ---------- time = 0
  ...
  bound = 17 time = 0
  ---------- time = 0
  CONCLUSION: TRUE (time=0)

Verification with VERDS

  ../verds -ck 2 mutex3a.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3a.vvm
  PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
  bound = 1 time = 1
  ---------- time = 1
  bound = 2 time = 1
  ---------- time = 1
  ..
  bound = 26 time = 1
  ---------- time = 1
  CONCLUSION: TRUE (time=1)

Correctness of the Design

• How do we know that the design is correct?
  – We have to be sure that the bad state is not reachable in all possible executions of the algorithm
  – We may apply the following techniques:
    • Modeling (in a language with a formal semantics)
    • Verification (by model checking)
  – We have shown that the bad state is not reachable
  – We have also shown that an expectancy property holds

Remarks on the Correctness

• Only verified against the given properties:
  – The safety property
  – The expectancy property

• Rely on:
  – The model
  – The verification tool
  – The fairness assumption as a part of the model, for the verification of the response property

Contents

Mutual Exclusion

Model Checking

Summary

Questions?