1 / 42

Proving Liveness Properties of Concurrent Programs SUSAN OWlCKI & LESLIE LAMPORT (1982)

Proving Liveness Properties of Concurrent Programs SUSAN OWlCKI & LESLIE LAMPORT (1982). Presented by: Yaniv David Seminar in Distributed Algorithms Spring 2013. Intro. “This paper presents a method for proving properties of concurrent programs ”.

rod
Download Presentation

Proving Liveness Properties of Concurrent Programs SUSAN OWlCKI & LESLIE LAMPORT (1982)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Proving LivenessPropertiesof Concurrent ProgramsSUSAN OWlCKI & LESLIE LAMPORT(1982) Presented by: Yaniv David Seminar in Distributed Algorithms Spring 2013

  2. Intro “This paper presents a method for provingproperties of concurrent programs” • “While we hope that logicians will find this work interesting, our goal is to define a method that programmers will find useful.”

  3. Agenda • Definitions & tools: • Safety & Liveness properties • Our language • Intro to temporal logic • Intro to proof lattices • Uses: • Proving safety properties • Proving liveness properties • “real” example – proving a program which uses Semaphores

  4. Safety properties • Partial correctness ({P}{Q}) • Absence of deadlock • Mutual exclusion

  5. Liveness properties • We will want that: • Each request for service will eventually be answered. • A message will eventually reach its destination. • A process will eventually enter its critical section. • We assume that: • Termination is not our problem • OS scheduling is fair(but we know its not enough)

  6. Our (computer) language • integer x, y ; • a: <x:=O>; • b: cobegin • c: < y := 0 >; • d: cobegin • e: < y := 2 * y > • coend; • g: while < y = 0 > do • h: < x := x + 1> od • coend; • j: < x := 2 * y >; 4 things to note

  7. Our language – program semantics • A Program state -<x = 1, y = 3;ready = {e,g}> • Marked as Si (for some i) • A sequence of program states is a • Marked as

  8. Program state • integer x, y ; • a: <x:=O>; • b: cobegin • c: < y := 0 >; • d: cobegin • e: < y := 2 * y > • coend; • g: while < y = 0 > do • h: < x := x + 1> od • coend; • j: < x := 2 * y >; • <x = 1, y = 3;ready = {e,g}>

  9. Execution sequence = (2, 7; {a}) (0, 7; (c, g}) = (0, 0; {e, f, g}) =(0, 0; (e, f, h}) = (1,0; {e, f , g ) ) = (1, 3; {e,g}); = (1, 6; {g)); = (1, 6; (j}); • integer x, y ; • a: <x:=O>; • b: cobegin • c: < y := 0 >; • d: cobegin • e: < y := 2 * y > • coend; • g: while < y = 0 > do • h: < x := x + 1> od • coend; • j: < x := 2 * y >; = = . . . . . (12, 6; {}).

  10. Revisit Do we have to start from the start? No! we have “tail closure” Note – this is an overkill

  11. Lets play a game <x=0,y=2,{a,c}> legal? • integer x, y ; • a: <x:=O>; • b: cobegin • c: < y := 0 >; • d: cobegin • e: < y := 2 * y > • coend; • g: while < y = 0 > do • h: < x := x + 1> od • coend; • j: < x := 2 * y >;

  12. Temporal logic Stating program requirements and a set of rules for reasoning about them

  13. Temporal logic – 2 types • Immediate Assertions - Function from program state (<x,y,ready>) to Bool • Temporal Assertions – Function from execution sequence (, ,…) to Bool

  14. Immediate Assertions • For values(states): • i.e: • Logical operators - ,~, • Box = now and forever • Diamond - now or sometime in the future • For control: • At A , in A and after A • (huh?)

  15. Control - At statement (just before) • s at A if and only if • IF A is a:(x:=e) THEN aready(s); • IF A is a: while (B)do C od THEN a ready(s); • IF A is cobeginB1 | . . . | Bncoend THEN (s at B1) and ... and (s at Bn); • IF A is B;C THEN sat B.

  16. Control - In statement The immediate assertion in A holds for states where control is at the beginning of A or somewhere inside A. • integer x, y ; • a: <x:=O>; • b: cobegin • c: < y := 0 >; • d: cobegin • e: < y := 2 * y > • f: < y := 4 * y > • coend; • g: while < y = 0 > do • h: < x := x + 1> od • coend; • j: < x := 2 * y >; in a at a in g at g at h in d at e at f in b at c in d in g

  17. Control – (immediately )After statement • s after A if and only if • IF A is the entire program THEN (ready(s) ={}) • IF B is while(C) do A od THEN sat B • IF B is cobegin...|A|.., coend THEN ( s after B) or [(s in B) and not ( s in A)]; • IF B isA;C THEN sat C; • IF B is C;A THEN safter B.

  18. Temporal Assertions • if and only if P • Can we build a dimond from a box? • Yes - • iff; • Same for And and Not

  19. If-then relations with temporal • (in the paper ) • P is false in first state, or Q is true in all states • ) (another name for this is…) • ) =>

  20. Some Theorems • TL3: • TL6: • TL7(transitivity): • ) • TL9:

  21. Proof latice Visual way to prove with temporal logic

  22. Example of proof latice (full definition in the paper) Notice – single entry single exit

  23. Expended & Abbreviated

  24. Safety “something bad never happens”

  25. What is safe? • Revisit partial correctness : • What more could we want? • Mutual exclusion

  26. Mutual exclusion • booleanP1,P2 ; • c: cobegin • al : <Pl := true>; • b1 : if <~P2> then CS1 : do_somthings_1 fi • ; • a2 : <P2:= true>; • b2 : if <~P1> then CS2 : do_somthings_2 fi • coend What should our term be? at What should our invariant be?

  27. Liveness Something good eventually does happen

  28. Express progress with axioms • ATOMIC ASSIGNMENT AXIOM: For any atomic assignment statement S:at S after S • while CONTROL FLOW AXIOM: For the statement w: while (b) do s: S od, at w (at s V after w)

  29. Control flow rules • CONCATENATION CONTROL FLOW – For the statement S ; T • cobeginCONTROL FLOW – For the statement c: cobegin S ;T coend

  30. Combine values with control rules boolean p ; integer x ; a: cobegin b: <p := false> ; c: while <p> do d: <x := x+1> od coend ATOMIC STATEMENT RULE - For any atomic statement <S> :

  31. Extend to non-atomic ATOMIC STATEMENT RULE - For any atomic statement <S> : GENERAL STATEMENT RULE:

  32. SYNCHRONIZATION PRIMITIVES We will see the fair semaphore

  33. Fair semaphore actions • OPERATION AXIOMS For the statement l: <Signal(s) >: • Safety: Signal(s){Q} • Liveness: • As known – this will always terminates • OPERATION AXIOMS For the statement l: <Wait(s) >: • Safety: Wait(s){Q s 0}. • Liveness: • This might not terminate, so all the previous axioms about progress don’t hold, but we defined when

  34. (maybe) Un-fair semaphore actions • OPERATION AXIOMS For the statement l: <Wait(s)>: • Safety: Wait(s){Q} • Liveness: • As known – this will always terminates • OPERATION AXIOMS For the statement l: <Signal(s)>: • Safety: Signal(s){Q s 0}. • Liveness: • This might not terminate, so all the previous axioms about progress don’t hold, but we defined when

  35. Simple example • semaphore s ; • ao: < s := 1 > ; • cobegin • w1: while < true > • do • NC1 : noncritical section 1; • a1 : < Wait(s)> ; • CS1 : critical section 1 ; • d1: < Signal(s) >; • od • ; • w2: while < true > • do • NC2 : noncritical section 2 ; • a2 : < Wait(s)> ; • CS2 : critical section 2 ; • d2 : < Signal(s)>; • Od • coend

  36. Simple example proof • = #() • #() number of processes i such that is true

  37. Simple example – Safety (first) • semaphore s ; • a0: < s := 1 > ; • cobegin • w1: while < true > • do • NC1 : noncritical section 1; • a1 : < Wait(s)> ; • CS1 : critical section 1 ; • d1: < Signal(s) >; • od • ; • w2: while < true > • do • NC2 : noncritical section 2 ; • a2 : < Wait(s)> ; • CS2 : critical section 2 ; • d2 : < Signal(s)>; • Od • coend = #()

  38. Simple example proof - liveness • = #() • #() number of processes i such that is true

  39. Simple example – Safety (first) = #() • semaphore s ; • a0: < s := 1 > ; • cobegin • w1: while < true > • do • NC1 : noncritical section 1; • a1 : < Wait(s)> ; • CS1 : critical section 1 ; • d1: < Signal(s) >; • od • ; • w2: while < true > • do • NC2 : noncritical section 2 ; • a2 : < Wait(s)> ; • CS2 : critical section 2 ; • d2 : < Signal(s)>; • Od • coend

  40. AN (extended) EXAMPLE: MUTUAL EXCLUSION Not today! (you are free to review it yourself)

  41. CONCLUSION • We learned some useful tools: • Temporal logic • Proof Lattices • We have considered two kinds of correctness properties for concurrent programs: • Safety properties- stating that some assertion always holds. • Livenessproperties - stating that some assertion will eventually hold. • A note about Man VS Machine

  42. <EOF>Questions?

More Related