1 / 15

Program correctness

The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each transition is caused by an action by an eligible process. We reason using interleaving semantics. Program correctness.

jsommer
Download Presentation

Program correctness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The State-transition model The set of global states = s0 x s1 x … x sm {sk is the set of local states of process k} S0  S1  S2  Each transition is caused by an action by an eligible process. We reason using interleaving semantics Program correctness transition state action action action Initial state

  2. Correctness criteria • Safety properties • Bad things never happen • Liveness properties • Good things eventually happen

  3. Testing vs. Proof • Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. • Proof: Has a mathematical foundation, and a complete guarantee. Sometimes not scalable.

  4. To test this program, you have to test all possible interleavings. With n processes p0, p1, … pn-1, and m steps per process, the number of interleavings is (n.m)! (m!) n The state explosion problem Testing vs. Proof

  5. Example 1: Mutual Exclusion Process 0Process 1 do true do true  Entry protocol Entry protocol Critical sectionCritical section Exit protocol Exit protocol odod Safety properties (1) There is no deadlock (2) At most one process enters the critical section. Liveness property A process trying to enter the CS must eventually succeed in doing so. (This is also called the progress property)

  6. Exercise program mutex 1 define busy :shared boolean initially busy = false {process 0} {process 1} do true do true  do busy  skip od; do busy  skip od; busy:= true; busy:= true; critical section;critical section busy := false; busy := false {remaining codes} {remaining codes} od od Does this mutual exclusion protocol satisfy liveness and safety properties?

  7. Safety invariants The mutual exclusion problem. Number of processes in the critical section ≤ 1. Producer-consumer problem. 0 ≤ nP - nC ≤ buffer capacity producer consumer buffer Absence of deadlock. (G0  G1  G2 … Gk)  postcondition Partial Correctness. If the program terminates, then the postcondition will hold. It does not say if the program will terminate. (termination is a liveness property). Total correctness = partial correctness + termination.

  8. Color the nodes of a graph so that no two adjacent nodes have the same color. program colorme {for process Pi } define color c  {0, 1, 2, 3} Initially colors are arbitrary doj : j  neighbor(i) :: (c[i] = c[j])  c[i] := c[i] + 2 mod 4 od Is the program partially correct? Does it terminate? Exercise p2 p1 p0 p3

  9. Liveness properties Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. Some examples • The message will eventually reach the receiver. • The process will eventually enter its critical section. • The faulty process will be eventually be diagnosed • Fairness (if an action will eventually be scheduled) • The program will eventually terminate. Absence of liveness cannot be determined from finite prefix of the computation

  10. define c1, c2 : channel; {init c1 =  c2 =} r, t : integer; {init r = 5, t = 5} {program for T} do t > 0 send msg along c1; t := t -1 2  ¬empty (c2)  rcv msg from c2; t := t +1 od {program for R} 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4  r > 0  send msg along c2; r := r-1 od We want to prove the safety property P: The total number of messages in c1 & c2 is ≤ 10 Proving safety transmitter receiver

  11. Let n1, n2 = # of msg in c1and c2 respectively. We will establish the following invariant: I  (t ≥ 0)  (r ≥ 0)  (n1 + t + n2 + r = 10) (I implies P). Check if I holds after every action. {program for T} do t > 0 send msg along c1; t := t -1 2  ¬empty (c2)  rcv msg from c2; t := t+1 od {program for R} 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4  r > 0  send msg along c2; r := r-1 od Proving safety

  12. S1 S2  S3  S4   f  f  f  f w1 w2 w3 w4 w1, w2, w3, w4  WF WF is a well-founded set whose elements can be ordered by » If there is no infinite chain like w1 » w2 » w3 » w4 .., i.e. f(si) » f(si+1) » f(si+2) .. Proving liveness Global state Global state then the computation will definitely terminate! f is often called a variant function

  13. Proof of liveness: an example Clock phase synchronization System of n clocks ticking at the same rate. Each clock is 3-valued, i,e it ticks as 0, 1, 2, 0, 1, 2… A failure may arbitrarily alter the clock phases. The clocks need to return to the same phase. . 0 1 2 3 n-1

  14. Clock phase synchronization {Program for each clock} (c[k] = phase of clock k, initially arbitrary) do j: j  N(i) :: c[j] = c[i] +1 mod 3  c[i] := c[i] + 2 mod 3  j: j N(i) :: c[j] ≠ c[i] +1 mod 3  c[i] := c[i] + 1 mod 3 od Show that eventually all clocks will return to the same phase (convergence), and continue to be in the same phase (closure) Proof of liveness: an example 0 1 2 3 n-1

  15. Let D = d[0] + d[1] + d[2] + … + d[n-1] d[i] = 0 if no arrow points towards clock i; = i + 1 if a pointing towards clock i; n - i if a  pointing towards clock i; = 1 if both  and point towards clock i. By definition, D ≥ 0. Also, D decreases after every step in the system. So the number of arrows must reduce to 0. Proof of convergence 0 2 2 2 0 1 1 0 1 1 2 2 2 2 2 Understand the game of arrows

More Related