Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying Event-based Fairness Enhanced Systems Jun SUN, Yang.

Published byAllen Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying Event-based Fairness Enhanced Systems Jun SUN, Yang."— Presentation transcript:

1 Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying Event-based Fairness Enhanced Systems Jun SUN, Yang LIU, Jin Song DONG and Hai H. WANG

2 Specifying and Verifying Event-based Fairness Enhanced Systems 2 ICFEM 2008 Outline Why do we need fairness? Event-based systems Fair events annotations Verification –On-the-fly verification algorithm –Partial order reduction Process Analysis Toolkit (PAT) Experiments Conclusion and Future Works

3 Specifying and Verifying Event-based Fairness Enhanced Systems 3 ICFEM 2008 Why do we need fairness? Critical systems requires safety and liveness properties –Safety: bad things never happen –Liveness: good things eventually happen Fairness is important –It is important in the system specification Something is enabled sufficiently often, it must eventually happen –No liveness property is true without fairness! the default fairness: a system must always eventually make some progress enabled processes/choices can not be infinitely ignored.

4 Specifying and Verifying Event-based Fairness Enhanced Systems 4 ICFEM 2008 Weak Fairness vs. Strong Fairness Weak fairness –The weak fairness wf(e) asserts that if an event e eventually becomes enabled forever, infinitely many occurrences of the event must be observed. Strong fairness –The strong fairness sf(e) asserts that if e is infinitely often enabled (or in other words, repeatedly enabled), infinitely many occurrences of the event must be observed. Strong fairness  Weak fairness

5 Specifying and Verifying Event-based Fairness Enhanced Systems 5 ICFEM 2008 How to verify fair systems? Current approaches –State fairness assumptions as premises of the liveness properties. Experiments using SPIN 4.6 -Weak fairness option in SPIN. -Model fairness using global accepting states (or in the form of justice/compassion condition).

6 Specifying and Verifying Event-based Fairness Enhanced Systems 6 ICFEM 2008 Event-based systems Syntax –where b is a Boolean expression, –X is a set of events and e is an event. Note that e could be an abstract event (single or compound) or an assignment (e.g., x := x + 1). –Variables –Process parameters Example: dining philosopher

7 Specifying and Verifying Event-based Fairness Enhanced Systems 7 ICFEM 2008 Naïve Approach –C1 states that each philosopher must always eventually get his first fork. –C2 states that one of the philosopher (in this case, the1 st ) must eventually put down a fork. College(5) |= [] <>eat.0? 3 Possible Counterexamples

8 Specifying and Verifying Event-based Fairness Enhanced Systems 8 ICFEM 2008 How to verify fair systems? Current approaches –State fairness assumptions as premises of the liveness properties. Experiments using SPIN 4.6 -Weak fairness option in SPIN. -Model fairness using global accepting states (or in the form of justice/compassion condition).

9 Specifying and Verifying Event-based Fairness Enhanced Systems 9 ICFEM 2008 Event-based Fairness Annotations

10 Specifying and Verifying Event-based Fairness Enhanced Systems 10 ICFEM 2008 Enabledness and Readiness

11 Specifying and Verifying Event-based Fairness Enhanced Systems 11 ICFEM 2008 Weak fair example

12 Specifying and Verifying Event-based Fairness Enhanced Systems 12 ICFEM 2008 Weak live example Model checking []<>eat.0 against lCollege(5) returns true. –Initially, wl (get.i.(i + 1)%N) is ready and therefore by definition, it must be engaged (since it is not possible to make it not ready). –Once get.i.(i+1)%N is engaged, wl (put.i.(i+1)%N) becomes ready and thus the system is forced to execute until it is engaged. For the same reason, wl (put.i.i) must be engaged afterwards. –Once put.i.i is engaged, wl (get.i.(i+1)%N) becomes ready again. Therefore, the system is forced to execute infinitely and fairly.

13 Specifying and Verifying Event-based Fairness Enhanced Systems 13 ICFEM 2008 Verification Verification under fairness = fair loop searching = fair Strongly Connected Components (SCC) searching

14 Specifying and Verifying Event-based Fairness Enhanced Systems 14 ICFEM 2008 Verification: Algorithm On-the-fly model checking based on Tarjan’s algorithm (1972) for identifying SCC. –Iterative version –Keep searching until it is not SCC anymore. A counterexample is a fair loop which fails the property.

15 Specifying and Verifying Event-based Fairness Enhanced Systems 15 ICFEM 2008 Partial Order Reduction The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily. Allowing all possible orderings is a potential cause of the state explosion problem. We incorporate the partial order reduction into model checking algorithms –Only expend a subset of enabled events –Taking care of properties, shared variables and fairness annotations.

16 Specifying and Verifying Event-based Fairness Enhanced Systems Process-level Fairness Event annotation is to difficult! Process-level weak fairness –Each process must make infinite progress if always possible. –e.g., supported by SPIN Process-level strong local fairness –Each process must make infinite progress if repeated possible. –e.g., supported by CHESS Process-level strong global fairness –If a step is infinitely often enabled, it must be taken infinitely. []<> (s –a  s’ is enabled) => []<> (s –a-> s’) is engaged

17 Specifying and Verifying Event-based Fairness Enhanced Systems 17 ICFEM 2008 Process Analysis Toolkit PAT: a toolkit for automatically analyzing event-based concurrent systems, possibly under fairness. –System Modeling (CSP with variables) –Visualized simulation with animations –Model checking Deadlock Reachability LTL (with fairness assumptions) Refinement checking (vs. FDR) Website: http://pat.comp.nus.edu.sg/

18 Specifying and Verifying Event-based Fairness Enhanced Systems 18 ICFEM 2008 Process Analysis Toolkit (GUI)

19 Specifying and Verifying Event-based Fairness Enhanced Systems 19 ICFEM 2008 Experiments 1

20 Specifying and Verifying Event-based Fairness Enhanced Systems Experiments 2: vs SPIN

21 Specifying and Verifying Event-based Fairness Enhanced Systems Experiments 3: vs FDR

22 Specifying and Verifying Event-based Fairness Enhanced Systems 22 ICFEM 2008 Conclusion Embed the different fairness into events of system Develop an on-the-fly model checking algorithm with effective reduction techniques Develop a toolset to realize the algorithms –PAT: Modeling, Simulation and Verification

23 Specifying and Verifying Event-based Fairness Enhanced Systems 23 ICFEM 2008 On-going and future works Refinement under fairness Multi-threads model checking Timing Other domains and languages: web services Applications –Leader election algorithms –Security protocols

24 Specifying and Verifying Event-based Fairness Enhanced Systems 24 ICFEM 2008 Thank You

Download ppt "Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying Event-based Fairness Enhanced Systems Jun SUN, Yang."

Similar presentations

Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking and Testing combined

Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Part 3: Safety and liveness

Part 3: Safety and liveness
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Process Analysis Toolkit PAT is A SPIN-like self-contained environment for system specification, visualized simulation and automated verification. PAT.

Process Analysis Toolkit PAT is A SPIN-like self-contained environment for system specification, visualized simulation and automated verification. PAT.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Towards a Model Checker for NesC and Wireless Sensor Networks Manchun Zheng 1, Jun Sun 2, Yang Liu 1, Jin Song Dong 1, and Yu Gu 2 1 National University.

Towards a Model Checker for NesC and Wireless Sensor Networks Manchun Zheng 1, Jun Sun 2, Yang Liu 1, Jin Song Dong 1, and Yu Gu 2 1 National University.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Similar presentations

Ads by Google