Model Checking Concurrent Systems – An Example: Mutual Exclusion Wenhui Zhang http://lcs.ios.ac.cn/~zwh
Contents Mutual Exclusion Model Checking Summary
Example: Mutual Exclusion (diagram). Process A and Process B each cycle through the same phases: Non-Critical Region, Request for Entering, Wait, Check for Entering, Critical Region, Exit.
Design of Mutual Exclusion (Activity) (diagram). After initialization, each process loops: work in NCR, request, wait (stay in wait on [else]; the first process proceeds on [condition 1], the second on [condition 2]), work in CR, exit.
Design of Mutual Exclusion
• Purpose: ensure that not both processes are working in the critical region (CR)
• Mechanism: use shared variables
  • y=1: the first process is applying for entering CR or it is in CR
  • x=1: the second process is applying for entering CR or it is in CR
  • t=(i-1): the i-th process has priority for entering CR
Design of Mutual Exclusion (State) (diagram)
Initialization: x:=0; y:=0
Process A: work in NCR; request: y:=1; t:=1; wait while [x=1 and t=1]; enter when [x=0 or t=0]; work in CR; exit: y:=0
Process B: work in NCR; request: x:=1; t:=0; wait while [y=1 and t=0]; enter when [y=0 or t=1]; work in CR; exit: x:=0
Correctness of the Design
• How do we know that the design is correct?
• We have to be sure that the bad state is not reachable in all possible executions of the algorithm
• We may use state exploration (model checking) techniques or deductive proof methods
Process States and Variable States: (a,b,x,y,t)
The Set of States: S = {(a,b,x,y,t) | a,b ∈ {NCR,wait,CR} and x,y,t ∈ {0,1}}
Transition Relation: R
Process A:
  (NCR,b,x,y,t) → (wait,b,x,1,1)
  (wait,b,0,y,t) → (CR,b,0,y,t)
  (wait,b,x,y,0) → (CR,b,x,y,0)
  (wait,b,1,y,1) → (wait,b,1,y,1)
  (CR,b,x,y,t) → (NCR,b,x,0,t)
Process B:
  (a,NCR,x,y,t) → (a,wait,1,y,0)
  (a,wait,x,0,t) → (a,CR,x,0,t)
  (a,wait,x,y,1) → (a,CR,x,y,1)
  (a,wait,x,1,0) → (a,wait,x,1,0)
  (a,CR,x,y,t) → (a,NCR,0,y,t)
The Set of Initial States: I = { (NCR,NCR,0,0,0), (NCR,NCR,0,0,1) }
Fairness: F = { ¬((x=0 ∨ t=0) ∧ a=wait), ¬((y=0 ∨ t=1) ∧ b=wait) }, i.e. a process that is waiting while its entry condition holds does not stay in that situation forever
Safety Property: AG ¬(a=CR ∧ b=CR). Is this a safety property?
Expectancy Property: AF (a=CR ∨ b=CR). Is this an expectancy property?
Contents Mutual Exclusion Model Checking Summary
Modeling and Model Checking
• Model Checking with VERDS
  • http://lcs.ios.ac.cn/~zwh/verds
• Input to VERDS
  • VVM (VERDS verification model)
• Modeling Language
  • VML (VERDS modeling language)
State Transition Model (diagram)
Variables: SA: {NCR,wait,CR}; SB: {NCR,wait,CR}; x: {0,1}; y: {0,1}; t: {0,1}
Initial States: SA=NCR; SB=NCR; x=0; y=0
Process A: NCR, then y=1,t=1, then wait; if x==0||t==0 (yes) go to CR, otherwise (no) stay in wait; on leaving CR, y=0
Process B: NCR, then x=1,t=0, then wait; if y==0||t==1 (yes) go to CR, otherwise (no) stay in wait; on leaving CR, x=0
Modeling in VML: the complete model (the SPEC states the safety property, mutual exclusion)

VVM
VAR
  x: 0..1;
  y: 0..1;
  t: 0..1;
INIT
  x=0;
  y=0;
PROC
  p0: p0m();
  p1: p1m();
SPEC
  AG(!(p0.a=c0&p1.b=c0));

MODULE p0m()
VAR
  a: {n0,w0,c0};
INIT
  a=n0;
TRANS
  a=n0: (y,t,a):=(1,1,w0);
  a=w0&(x=0|t=0): (a):=(c0);
  a=w0&!(x=0|t=0): (a):=(w0);
  a=c0: (y,a):=(0,n0);

MODULE p1m()
VAR
  b: {n0,w0,c0};
INIT
  b=n0;
TRANS
  b=n0: (x,t,b):=(1,0,w0);
  b=w0&(y=0|t=1): (b):=(c0);
  b=w0&!(y=0|t=1): (b):=(w0);
  b=c0: (x,b):=(0,n0);
Verification with VERDS (the safety property)

  ../verds -ck 1 mutex3.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3.vvm
  PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
  bound = 1 time = 0
  ---------- time = 0
  bound = 2 time = 0
  ---------- time = 0
  . . .
  bound = 6 time = 0
  ---------- time = 0
  CONCLUSION: TRUE (time=0)
Consider the Expectancy Property (the second SPEC: working in the critical region)

VVM
VAR
  x: 0..1;
  y: 0..1;
  t: 0..1;
INIT
  x=0;
  y=0;
PROC
  p0: p0m();
  p1: p1m();
SPEC
  AG(!(p0.a=c0&p1.b=c0));
  AF((p0.a=c0)|(p1.b=c0));
Verification with VERDS (the expectancy property)

  ../verds -ck 2 mutex3.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3.vvm
  PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
  bound = 1 time = 1
  ---------- time = 1
  bound = 2 time = 1
  ---------- time = 1
  bound = 3 time = 1
  ---------- time = 1
  bound = 4 time = 1
  ---------- time = 1
  CONCLUSION: FALSE (time=1)
Checking the Model (state diagram of the design). Initialization: x:=0; y:=0. Process A: work in NCR; y:=1; t:=1; wait while [x=1 and t=1]; enter when [x=0 or t=0]; work in CR; y:=0. Process B: work in NCR; x:=1; t:=0; wait while [y=1 and t=0]; enter when [y=0 or t=1]; work in CR; x:=0. A process may stay in wait forever even when its entry condition holds, so the expectancy property fails without a fairness assumption.
Modified Model (with Fairness)

MODULE p0m()
VAR
  a: {n0,w0,c0};
INIT
  a=n0;
TRANS
  a=n0: (y,t,a):=(1,1,w0);
  a=w0&(x=0|t=0): (a):=(c0);
  a=w0&!(x=0|t=0): (a):=(w0);
  a=c0: (y,a):=(0,n0);
FAIRNESS
  !((x=0|t=0)&(a=w0));

MODULE p1m()
VAR
  b: {n0,w0,c0};
INIT
  b=n0;
TRANS
  b=n0: (x,t,b):=(1,0,w0);
  b=w0&(y=0|t=1): (b):=(c0);
  b=w0&!(y=0|t=1): (b):=(w0);
  b=c0: (x,b):=(0,n0);
FAIRNESS
  !((y=0|t=1)&(b=w0));
Verification with VERDS (the safety property, modified model)

  ../verds -ck 1 mutex3a.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3a.vvm
  PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
  bound = 1 time = 0
  ---------- time = 0
  bound = 2 time = 0
  ---------- time = 0
  . . .
  bound = 17 time = 0
  ---------- time = 0
  CONCLUSION: TRUE (time=0)
Verification with VERDS (the expectancy property, modified model)

  ../verds -ck 2 mutex3a.vvm
  VERSION: verds 1.43 - JAN 2013
  FILE: mutex3a.vvm
  PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
  bound = 1 time = 1
  ---------- time = 1
  bound = 2 time = 1
  ---------- time = 1
  . . .
  bound = 26 time = 1
  ---------- time = 1
  CONCLUSION: TRUE (time=1)
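The three verification results above (safety holds; the expectancy property fails without FAIRNESS and holds with it) reproduced by explicit-state exploration in Python, as an added example that is not from the slides or from VERDS. It encodes the TRANS rules of p0m and p1m directly, checks AG by reachability, and checks AF by searching the non-goal states for a reachable loop; each FAIRNESS constraint is interpreted as a condition that must hold infinitely often along an execution (an assumption of this example).

```python
NCR, WAIT, CR = "n0", "w0", "c0"              # location values of the VML modules
INIT_STATES = [(NCR, NCR, 0, 0, 0), (NCR, NCR, 0, 0, 1)]   # INIT leaves t open

def step_p0(s):                                # TRANS of p0m; state = (a, b, x, y, t)
    a, b, x, y, t = s
    if a == NCR:  return (WAIT, b, x, 1, 1)
    if a == WAIT: return (CR, b, x, y, t) if (x == 0 or t == 0) else s
    return (NCR, b, x, 0, t)

def step_p1(s):                                # TRANS of p1m
    a, b, x, y, t = s
    if b == NCR:  return (a, WAIT, 1, y, 0)
    if b == WAIT: return (a, CR, x, y, t) if (y == 0 or t == 1) else s
    return (a, NCR, 0, y, t)

def successors(s):                             # interleaving: one process moves per step
    return {step_p0(s), step_p1(s)}

def explore(starts, succ):                     # states reachable in one or more steps
    seen, todo = set(), list(starts)
    while todo:
        for n in succ(todo.pop()):
            if n not in seen: seen.add(n); todo.append(n)
    return seen

def reachable():
    return set(INIT_STATES) | explore(INIT_STATES, successors)

def goal(s):                                   # (p0.a=c0)|(p1.b=c0)
    return s[0] == CR or s[1] == CR

# FAIRNESS constraints of the modified model, assumed to mean "holds infinitely often".
FAIR = [lambda s: not ((s[2] == 0 or s[4] == 0) and s[0] == WAIT),
        lambda s: not ((s[3] == 0 or s[4] == 1) and s[1] == WAIT)]

def check_safety():                            # AG !(p0.a=c0 & p1.b=c0) as reachability
    return all(not (s[0] == CR and s[1] == CR) for s in reachable())

def non_goal_cycles():                         # SCCs of non-goal states containing a cycle
    bad = {s for s in reachable() if not goal(s)}
    step = lambda s: {n for n in successors(s) if n in bad}
    fwd = {s: explore([s], step) for s in bad}   # reachable from s inside bad, >= 1 step
    return {frozenset(u for u in fwd[s] if s in fwd[u]) for s in bad if s in fwd[s]}

def check_expectancy(fair):                    # AF (p0.a=c0 | p1.b=c0), with/without FAIRNESS
    for scc in non_goal_cycles():
        if not fair or all(any(f(s) for s in scc) for f in FAIR):
            return False                       # a (fair) loop that never reaches the CR
    return True
```

Without fairness the only counterexamples are the two self-loops in which one process waits although its entry condition holds; each of them violates one FAIRNESS constraint, so under fairness the property holds.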
Correctness of the Design
• How do we know that the design is correct?
• We have to be sure that the bad state is not reachable in all possible executions of the algorithm
• We may apply the following techniques:
  • Modeling (in a language with a formal semantics)
  • Verification (by model checking)
• We have shown that the bad state is not reachable
• We have also shown that an expectancy property holds
Remarks on the Correctness
• Only verified against the given properties:
  • The safety property
  • The expectancy property
• Rely on:
  • The model
  • The verification tool
  • The fairness assumption as a part of the model, for the verification of the response property
Contents Mutual Exclusion Model Checking Summary