1 / 14

Program correctness

The State-transition model A global states S  s 0 x s 1 x … x s m {s k = set of local states of process k} S0  S1  S2  Each state transition is caused by an action by an eligible process. Program correctness. transition. state. action. action. action.

caitlinr
Download Presentation

Program correctness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The State-transition model A global states Ss0 x s1 x … x sm {sk = set of local states of process k} S0  S1  S2  Each statetransition is caused by an action by an eligible process. Program correctness transition state action action action Initial state We reason using interleaving semantics, and assume that concurrent actions are serialized in an arbitrary order A sample computation (or behavior) is ABGHIFL

  2. Correctness criteria • Safety properties • Bad things never happen • Liveness properties • Good things eventually happen

  3. Testing vs. Proof • Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. • Proof: Has a mathematical foundation, and a complete guarantee. Sometimes not scalable.

  4. To test this program, you have to test all possible interleavings. With n processes p0, p1, … pn-1, and m steps per process, the number of interleavings is (n.m)! (m!) n The state explosion problem Testing vs. Proof

  5. Example 1: Mutual Exclusion Process 0Process 1 do true do true  Entry protocol Entry protocol Critical sectionCritical section Exit protocol Exit protocol odod Safety properties (1) There is no deadlock (2) At most one process enters the critical section. Liveness property A process trying to enter the CS must eventually succeed. (This is also called the progress property) CS CS

  6. Exercise program mutex 1 {two process mutual exclusion algorithm: shared memory model} define busy :shared boolean (initially busy = false} {process 0} {process 1} do true do true  do busy  skip od; do busy  skip od; busy:= true; busy:= true; critical section;critical section busy := false; busy := false {remaining codes} {remaining codes} od od Does this mutual exclusion protocol satisfy liveness and safety properties?

  7. Safety invariants Invariant means: something meaningful should always hold Example: Total no. of processes in CS ≤ 1 (mutual exclusion problem) Another safety property is Partial correctnessIt implies that “If the program terminatesthen the postcondition will hold.” Consider the following: do G0  S1 [] G1  S1 [] … [] Gk  Sk od Safety invariant: (G0  G1  G2 … Gk)  postcondition It does not say if the program will terminate. (termination is a liveness property) Total correctness = partial correctness + termination.

  8. Starting from the given initial state, devise an algorithm to color the nodes of the graph using the colors 0 and 1, so that no two adjacent nodes have the same color. program colorme {for process Pi } define color c  {0, 1} Initiallycolors are arbitrary doj : j  neighbor(i) :: (c[i] = c[j])  c[i] := 1 - c[i] od Is the program partially correct?YES (why?) Does it terminate? NO (why?) Exercise 0 0 p1 p2 p0 p3 1 1

  9. Liveness properties Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. Some examples • The message will eventually reach the receiver. • The process will eventually enter its critical section. • The faulty process will be eventually be diagnosed • Fairness (if an action will eventually be scheduled) • The program will eventually terminate. • The criminal will eventually be caught. Absence of liveness cannot be determined from finite prefix of the computation

  10. define c1, c2 : channel; {init c1 =  c2 =} r, t : integer; {init r = 5, t = 5} {program for T} do t > 0 send msg along c1; t := t -1 2 [] ¬empty (c2)  rcv msg from c2; t := t + 1 od {program for R} 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4 [] r > 0  send msg along c2; r := r-1 od We want to prove the safety property P: P  n1 + n2 ≤ 10 Proving safety n1= # of messages in c1 n2= # of messages in c2 transmitter receiver

  11. n1, n2 = number of messages in c1and c2 respectively. We will establish the following invariant: P  n1 + n2 ≤ 10 Let I  (t ≥ 0)  (r ≥ 0)  (n1 + t + n2 + r = 10) Observe that I ⇒ P). We will show that I holds after every action. {program for T} do t > 0 send msg along c1; t := t -1 ** (t decreases by 1, and n1 increases by 1) [] ¬empty (c2)  rcv msg from c2; t := t+1 ** (t increases by 1, and n2 decreases by 1) od Similar arguments will hold for R too. This shows that I is an invariant, and so P is an invariant. Proving safety Use the method of induction Show that I initially holds, and holds after each action.

  12. S1 S2  S3  S4   f  f  f  f w1 w2 w3 w4 w1, w2, w3, w4  WF WF is a well-founded set whose elements can be totally ordered by » If there is no infinite chain like w1 » w2 » w3 » w4 .., i.e. f(si) » f(si+1) » f(si+2) .. Proving liveness Global state Global state then the computation will definitely terminate! f is called a variant function Finding a variant function is however not easy!

  13. Proof of liveness: an example 0 Clock phase synchronization System of n clocks ticking at the same rate. Each clock is 3-valued, i,e it ticks as 0, 1, 2, 0, 1, 2… A failure may arbitrarily alter the clock phases. The clocks need to return to the same phase. . 1 2 3 n-1

  14. Clock phase synchronization {Program for each clock} (c[k] = phase of clock k, initially arbitrary) do j: j  N(i) :: c[j] = c[i] +1 mod 3  c[i] := c[i] + 2 mod 3 [] j: j N(i) :: c[j] ≠ c[i] +1 mod 3  c[i] := c[i] + 1 mod 3 od Show that eventually all clocks will return to the same phase (convergence), and continue to be in the same phase (closure) Proof of liveness: an example 0 1 2 3 n-1 k: c[k]  {0,1,2}

More Related