
Model Checking Concurrent Systems – An Example: Mutual Exclusion


Presentation Transcript


  1. Model Checking Concurrent Systems – An Example: Mutual Exclusion. Wenhui Zhang, http://lcs.ios.ac.cn/~zwh

  2. Contents: Mutual Exclusion; Model Checking; Summary

  3. Contents: Mutual Exclusion; Model Checking; Summary

  4. Example: Mutual Exclusion. Diagram: Process A and Process B each alternate between a Non-Critical Region and a Critical Region.

  5. Example: Mutual Exclusion. Diagram: each of Process A and Process B cycles through Non-Critical Region → Request for Entering → Wait → Check for Entering → Critical Region → Exit.

  6. Design of Mutual Exclusion (Activity). Activity diagram: after initialization, each process loops through work in NCR → request → wait → work in CR → exit; in wait, the process stays there on [else] and proceeds on [condition 1] (first process) or [condition 2] (second process).

  7. Design of Mutual Exclusion
     • Purpose:
       • ensure that not both processes are working in the critical region (CR)
     • Mechanism:
       • use shared variables
       • y=1: the first process is applying for entering CR or it is in CR
       • x=1: the second process is applying for entering CR or it is in CR
       • t=(i-1): the i-th process has priority for entering CR

  8. Design of Mutual Exclusion (State). State diagram, initialization x:=0; y:=0.
     • First process: work in NCR → (y:=1; t:=1) → wait; stays in wait while [x=1 and t=1]; on [x=0 or t=0] → work in CR → (y:=0) → work in NCR
     • Second process: work in NCR → (x:=1; t:=0) → wait; stays in wait while [y=1 and t=0]; on [y=0 or t=1] → work in CR → (x:=0) → work in NCR

  9. Design of Mutual Exclusion (State). The same state diagram as slide 8, with the left column labelled Process A (y:=1; t:=1; wait while [x=1 and t=1]; enter on [x=0 or t=0]; y:=0 on exit) and the right column Process B (x:=1; t:=0; wait while [y=1 and t=0]; enter on [y=0 or t=1]; x:=0 on exit).

  10. Correctness of the Design
     • How do we know that the design is correct?

  11. Combined States of the Two Processes

  12. Correctness of the Design
     • How do we know that the design is correct?
     • We have to be sure that the bad state is not reachable in all possible executions of the algorithm
     • We may use state exploration (model checking) techniques or deductive proof methods

  13. Process States and Variable States (a,b,x,y,t)

  14. The Set of States: S = {(a,b,x,y,t) | a,b ∈ {NCR,wait,CR} and x,y,t ∈ {0,1}}

  15. Transition Relation: R
     • Process A:
       (NCR,b,x,y,t) → (wait,b,x,1,1)
       (wait,b,0,y,t) → (CR,b,0,y,t)
       (wait,b,x,y,0) → (CR,b,x,y,0)
       (wait,b,1,y,1) → (wait,b,1,y,1)
       (CR,b,x,y,t) → (NCR,b,x,0,t)
     • Process B:
       (a,NCR,x,y,t) → (a,wait,1,y,0)
       (a,wait,x,0,t) → (a,CR,x,0,t)
       (a,wait,x,y,1) → (a,CR,x,y,1)
       (a,wait,x,1,0) → (a,wait,x,1,0)
       (a,CR,x,y,t) → (a,NCR,0,y,t)

  16. The Set of Initial States: I = { (NCR,NCR,0,0,0), (NCR,NCR,0,0,1) }

  17. Fairness: F = { ¬((x=0 ∨ t=0) ∧ a=wait), ¬((y=0 ∨ t=1) ∧ b=wait) }

  18. Safety Property: AG ¬(a=CR ∧ b=CR). Is this a safety property?

  19. Expectancy Property: AF (a=CR ∨ b=CR). Is this an expectancy property?

  20. Contents: Mutual Exclusion; Model Checking; Summary

  21. Modeling and Model Checking
     • Model Checking with VERDS
       • http://lcs.ios.ac.cn/~zwh/verds
     • Input to VERDS
       • VVM (VERDS verification model)
     • Modeling Language
       • VML (VERDS modeling language)

  22. State Transition Model
     • Variables: SA: {NCR,wait,CR}; SB: {NCR,wait,CR}; x: {0,1}; y: {0,1}; t: {0,1}
     • Initial States: SA=NCR, SB=NCR, x=0, y=0
     • Diagram: SA goes NCR → (y=1, t=1) → wait → test x==0||t==0: yes → CR, no → wait; CR → (y=0) → NCR. SB goes NCR → (x=1, t=0) → wait → test y==0||t==1: yes → CR, no → wait; CR → (x=0) → NCR.

  23. Without Fairness Specifications

  24. Modeling in VML
      VVM
        VAR x: 0..1; y: 0..1; t: 0..1;
        INIT x=0; y=0;
        PROC p0: p0m(); p1: p1m();
        SPEC AG(!(p0.a=c0&p1.b=c0));
      (Safety: mutual exclusion)

  25. Modeling in VML
      MODULE p0m()
        VAR a: {n0,w0,c0};
        INIT a=n0;
        TRANS
          a=n0: (y,t,a):=(1,1,w0);
          a=w0&(x=0|t=0): (a):=(c0);
          a=w0&!(x=0|t=0): (a):=(w0);
          a=c0: (y,a):=(0,n0);
      MODULE p1m()
        VAR b: {n0,w0,c0};
        INIT b=n0;
        TRANS
          b=n0: (x,t,b):=(1,0,w0);
          b=w0&(y=0|t=1): (b):=(c0);
          b=w0&!(y=0|t=1): (b):=(w0);
          b=c0: (x,b):=(0,n0);

  26. The Complete Model in VML
      VVM
        VAR x: 0..1; y: 0..1; t: 0..1;
        INIT x=0; y=0;
        PROC p0: p0m(); p1: p1m();
        SPEC AG(!(p0.a=c0&p1.b=c0));
      MODULE p0m()
        VAR a: {n0,w0,c0};
        INIT a=n0;
        TRANS
          a=n0: (y,t,a):=(1,1,w0);
          a=w0&(x=0|t=0): (a):=(c0);
          a=w0&!(x=0|t=0): (a):=(w0);
          a=c0: (y,a):=(0,n0);
      MODULE p1m()
        VAR b: {n0,w0,c0};
        INIT b=n0;
        TRANS
          b=n0: (x,t,b):=(1,0,w0);
          b=w0&(y=0|t=1): (b):=(c0);
          b=w0&!(y=0|t=1): (b):=(w0);
          b=c0: (x,b):=(0,n0);

  27. Verification with VERDS
      ../verds -ck 1 mutex3.vvm
      VERSION: verds 1.43 - JAN 2013
      FILE: mutex3.vvm
      PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
      bound = 1 time = 0
      ---------- time = 0
      bound = 2 time = 0
      ---------- time = 0
      . . .
      bound = 6 time = 0
      ---------- time = 0
      CONCLUSION: TRUE (time=0)

  28. Consider the Expectancy Property
      VVM
        VAR x: 0..1; y: 0..1; t: 0..1;
        INIT x=0; y=0;
        PROC p0: p0m(); p1: p1m();
        SPEC AG(!(p0.a=c0&p1.b=c0));
             AF((p0.a=c0)|(p1.b=c0));
      (Expectancy: working in the critical region)

  29. Verification with VERDS
      ../verds -ck 2 mutex3.vvm
      VERSION: verds 1.43 - JAN 2013
      FILE: mutex3.vvm
      PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
      bound = 1 time = 1
      ---------- time = 1
      bound = 2 time = 1
      ---------- time = 1
      bound = 3 time = 1
      ---------- time = 1
      bound = 4 time = 1
      ---------- time = 1
      CONCLUSION: FALSE (time=1)

  30. Checking the Model. The state diagram of slide 9 again (initialization x:=0; y:=0; Process A: y:=1; t:=1, wait while [x=1 and t=1], enter on [x=0 or t=0], y:=0 on exit; Process B: x:=1; t:=0, wait while [y=1 and t=0], enter on [y=0 or t=1], x:=0 on exit), used to locate the execution on which the expectancy property fails.

  31. With Fairness Specifications

  32. Modified Model (with Fairness)
      MODULE p0m()
        VAR a: {n0,w0,c0};
        INIT a=n0;
        TRANS
          a=n0: (y,t,a):=(1,1,w0);
          a=w0&(x=0|t=0): (a):=(c0);
          a=w0&!(x=0|t=0): (a):=(w0);
          a=c0: (y,a):=(0,n0);
        FAIRNESS !((x=0|t=0)&(a=w0));
      MODULE p1m()
        VAR b: {n0,w0,c0};
        INIT b=n0;
        TRANS
          b=n0: (x,t,b):=(1,0,w0);
          b=w0&(y=0|t=1): (b):=(c0);
          b=w0&!(y=0|t=1): (b):=(w0);
          b=c0: (x,b):=(0,n0);
        FAIRNESS !((y=0|t=1)&(b=w0));

  33. Verification with VERDS
      ../verds -ck 1 mutex3a.vvm
      VERSION: verds 1.43 - JAN 2013
      FILE: mutex3a.vvm
      PROPERTY: A G ! ((p0.a = 2 )& (p1.b = 2 ))
      bound = 1 time = 0
      ---------- time = 0
      bound = 2 time = 0
      ---------- time = 0
      . . .
      bound = 17 time = 0
      ---------- time = 0
      CONCLUSION: TRUE (time=0)

  34. Verification with VERDS
      ../verds -ck 2 mutex3a.vvm
      VERSION: verds 1.43 - JAN 2013
      FILE: mutex3a.vvm
      PROPERTY: A F ((p0.a = 2 )| (p1.b = 2 ))
      bound = 1 time = 1
      ---------- time = 1
      bound = 2 time = 1
      ---------- time = 1
      . . .
      bound = 26 time = 1
      ---------- time = 1
      CONCLUSION: TRUE (time=1)
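As an added example (not the slides' VERDS model or tool), the following Python encodes S, R, I and F from slides 14–17 as an explicit state graph and checks the safety property of slide 18 and the expectancy property of slide 19 the way the VERDS runs of slides 27–34 do: the expectancy check fails without the fairness constraints and holds with them. The reachability search and the fair-SCC test are this example's own construction.

```python
from itertools import product

NCR, WAIT, CR = "NCR", "wait", "CR"
STATES = [(a, b, x, y, t) for a, b in product((NCR, WAIT, CR), repeat=2)   # S, slide 14
          for x, y, t in product((0, 1), repeat=3)]
INIT = {(NCR, NCR, 0, 0, 0), (NCR, NCR, 0, 0, 1)}                          # I, slide 16

def successors(s):
    """Transition relation R of slide 15: one step of process A or of process B."""
    a, b, x, y, t = s
    nxt = []
    if a == NCR:  nxt.append((WAIT, b, x, 1, 1))                           # A requests: y:=1, t:=1
    if a == WAIT: nxt.append((CR, b, x, y, t) if x == 0 or t == 0 else s)  # enter, else keep waiting
    if a == CR:   nxt.append((NCR, b, x, 0, t))                            # A exits: y:=0
    if b == NCR:  nxt.append((a, WAIT, 1, y, 0))                           # B requests: x:=1, t:=0
    if b == WAIT: nxt.append((a, CR, x, y, t) if y == 0 or t == 1 else s)  # enter, else keep waiting
    if b == CR:   nxt.append((a, NCR, 0, y, t))                            # B exits: x:=0
    return nxt

def reachable(start, step=successors):
    """All states reachable from the states in `start` (closure under `step`)."""
    seen, todo = set(start), list(start)
    while todo:
        for u in step(todo.pop()):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return seen

BAD = lambda s: s[0] == CR and s[1] == CR        # a=CR and b=CR (the bad state)
GOAL = lambda s: s[0] == CR or s[1] == CR        # a=CR or b=CR (the expectancy)
# F of slide 17 / FAIRNESS of slide 32: each must hold infinitely often on a fair path
FAIRNESS = [lambda s: not ((s[2] == 0 or s[4] == 0) and s[0] == WAIT),
            lambda s: not ((s[3] == 0 or s[4] == 1) and s[1] == WAIT)]

def check_safety():
    """AG !(a=CR & b=CR): returns the reachable bad states ([] means it holds)."""
    return [s for s in reachable(INIT) if BAD(s)]

def check_expectancy(fairness=()):
    """AF (a=CR | b=CR) under `fairness`: fails iff a cycle of !goal states reachable through
    !goal states is fair (every constraint holds somewhere on its SCC; vacuous if none)."""
    avoid = lambda s: [u for u in successors(s) if not GOAL(u)]
    for s in reachable(INIT, avoid):                   # INIT states are themselves !goal
        loop = reachable(avoid(s), avoid)              # !goal states reachable in >= 1 step
        if s not in loop: continue
        scc = {u for u in loop if s in reachable(avoid(u), avoid)}
        if all(any(f(u) for u in scc) for f in fairness):
            return scc                                 # fair counterexample cycle
    return set()                                       # the property holds
```

Without fairness the counterexample is the self-loop of a blocked process in its wait state, which is exactly the stuttering execution the fairness constraints of slide 32 exclude.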

  35. Correctness of the Design
     • How do we know that the design is correct?
     • We have to be sure that the bad state is not reachable in all possible executions of the algorithm
     • We may apply the following techniques:
       • Modeling (in a language with a formal semantics)
       • Verification (by model checking)
     • We have shown that the bad state is not reachable
     • We have also shown that an expectancy property holds

  36. Remarks on the Correctness
     • Only verified against the given properties:
       • The safety property
       • The expectancy property
     • Rely on:
       • The model
       • The verification tool
       • The fairness assumption as a part of the model, for the verification of the response property

  37. Contents: Mutual Exclusion; Model Checking; Summary

  38. Questions?
