Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
1 Designing correct concurrent algorithms
Presented by: Belgi Amir. Seminar in Distributed Algorithms, Spring 2013.

2 Lecture outline
1. Goal
2. A simple model of concurrent programs
3. Introduction to temporal logic
4. Examples
5. A proof system
6. The temporal semantics of programs
7. Summary
8. Questions

3 The notation
Giuseppe Peano: one of the founders of mathematical logic and set theory. Originally wrote for "p is a consequence of q". Backwards: "q is a consequence of p". denotes

4 Goal
Our goal is: given a program, assign to it a temporal formula which is true on all of its proper execution sequences. To prove that a program possesses a property, one has to prove the implication from the program's formula to the property.

5 A simple model of concurrent programs
A concurrent program consists of disjoint processes which execute concurrently on processors under shared memory, together with a set of initial conditions.

6 A simple model of concurrent programs: a single process
A process is represented by a single-entry transition graph, i.e. a directed labeled graph. The nodes of a process carry its labels. Edges are labeled by commands consisting of a guard and a statement. The guard is a condition; if it is missing we interpret it as true, and it may be identically true. The statement may be an assignment to the vector of the program variables, or it may be empty.

7 Process graph: example (figure of two process graphs, labeled Critical Section 1 and Critical Section 2)

8 A simple model of concurrent programs
Consider any program which may be run in parallel with another and contains:
1. tests
2. unconditional transfers (go to's)
3. assignment statements
In the graph model there will be a node for each statement, representing the state just before the execution of this statement.

9 A simple model of concurrent programs
For each statement which is the successor of a given statement, i.e. may be reached by executing it, we draw an edge from the statement's node to its successor's node. The label of this edge depends on the type of the statement.

10 A simple model of concurrent programs: tests
Case 1: test statements. For statements of the form :

11 A simple model of concurrent programs: unconditional transfers
Case 2: go to's. For statements of the form :

12 A simple model of concurrent programs: assignments
Case 3: assignment. For statements of the form : Explanation with the example : where are auxiliary variables local to the process.

13 A simple model of concurrent programs: synchronization primitives
Examples of synchronization primitives: 1. 2. 3. is represented as , with a corresponding at the end of the block.

14 A simple model of concurrent programs: a single process
A state is a pair consisting of a vector of labels (one per process) and the set of values currently assigned to the program variables.

15 Execution sequences (informally)
An execution sequence for a program is any sequence satisfying the following conditions:
1. The initial state is "correct".
2. It satisfies the multiprogramming assumption: one processor does one step and updates the values of the variables accordingly.
3. It satisfies the fair scheduling assumption: if you can exit a node infinitely many times, then you will eventually do so.

16 Execution sequences
An execution sequence for a program is any sequence satisfying the following conditions:
1. The initial state consists of the entry labels of the processes and the initial values of the y's.
2. Multiprogramming assumption: each successive state is obtained from its predecessor by exactly one processor executing one transition which is enabled.

17 Multiprogramming assumption
If processor i contains an edge from one node to another, labeled by a command whose guard is true in the current state, then the state reached by taking that edge is a possible successor of the current state. We allow idling. Every command is considered atomic.

18 Fair scheduling assumption
The exit condition E of a node of a process is the disjunction (or) of all guards on all edges departing from that node. What is it in most of the cases?

19 Fair scheduling assumption
A sequence is fair if, whenever a processor is stuck at a node, that node's exit condition is true only at a finite number of states thereafter. Stated negatively: no processor whose exit condition is true infinitely often may be deprived forever.

20 Fair scheduling assumption
How do the statements on the edges affect the exit condition? For assignments, tests and go to's, the exit condition is identically true! For statements of the other type (with synchronization), the exit condition can be NOT identically true!

21 Fair scheduling assumption
An important note: it is NOT sufficient to require that the processor will eventually be scheduled; it might always get scheduled when the condition is false and no transition is possible. We will need to express the stronger condition that it will eventually be scheduled when the exit condition is true.

22 Temporal logic
Used to describe a system of rules for reasoning about propositions qualified in terms of time: something always occurs, something occurs now, something will occur eventually, etc.

23 Reasoning about sequences
We will talk about an integer-like time. We will reason about execution sequences, which are deterministic (each state has exactly one successor), even though the program generating them is non-deterministic.

24 Temporal operators
X: the proposition is true in the neXt instant.
F: the proposition will be true in the Future (existential truth).
G: the proposition will always be true in the future (universal truth); G stands for Globally.

25 Temporal operators neXt: Future: Globally

26 Temporal operators

27 Validity of a temporal formula on a sequence Denote and

28 Validity of a temporal formula on a sequence
A formula W is valid if it holds for all sequences. Example. Some expressions:

29 Examples of expressing properties with temporal formulas
Recall: a state is a pair whose first component is a vector of labels. In our formulas, the location proposition for a label is true in a state if that label appears in the state's vector of labels. We start off with properties which can be expressed by formulas whose inner part contains no temporal operators. Those are invariance properties.

30 Partial correctness
Consider a single sequential program with an entry and an exit. A formula specifies the correctness of the program, that is, it is to hold on termination. Partial correctness can be stated as: whenever the exit is reached, that formula holds. What does this formula NOT guarantee us? We can also add an input restriction.

31 Clean behavior
For every instruction we can write a condition which ensures a lawful termination of the instruction. Examples: if the instruction contains a division, we include a claim that the divisor does not equal zero; if the instruction contains an array reference, we include a claim that the subscript expression is within the array bounds. This condition is the legality condition for the statement departing from the node. Clean behavior can be stated as: always, whenever execution is at a node, the legality condition of its statement holds.

32 Mutual exclusion
Assume the processes contain a critical section; for simplicity assume each consists of a single node. To claim that the critical sections are never simultaneously accessed, we write that it is always the case that not both critical-section nodes are active.

33 Deadlock freedom
Deadlock: all processors are locked and none can move. In our model we can only get stuck in a node if its exit condition is not identically true. Let N be any set of nodes with exit conditions none of which is identically true. The statement that deadlock never occurs at N can be stated as: it is never the case that all processes are at nodes of N while all of their exit conditions are false. What can we do to exclude deadlock (not only for a given set of nodes)?
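As an added example (not from the slides), the process-graph model of slides 6-21 made executable: each process is a transition graph of guarded commands, the reachable states are enumerated under the multiprogramming assumption of slide 17 (one enabled transition per step), and the invariance properties of slides 32-33 are checked over every reachable state. Peterson's two-process protocol and a flag-only variant are constructed inputs; the names process, successors, reachable and check are mine.

```python
# Added example (not from the slides): two processes as guarded-command
# transition graphs, explored under the multiprogramming assumption.
from collections import deque

def process(me, other, with_turn):
    """Process `me`'s graph: label -> [(guard, action, next_label)].
    A guard of None is the trivially true condition; an action of None
    leaves the variables unchanged. with_turn=True gives Peterson's
    protocol, False the flag-only variant that can deadlock (constructed)."""
    L = [f"l{me}_{k}" for k in range(4)]
    flag, oflag = f"flag{me}", f"flag{other}"
    edges = {L[0]: [(None, lambda v: {**v, flag: 1}, L[1])],
             L[3]: [(None, lambda v: {**v, flag: 0}, L[0])]}
    if with_turn:
        edges[L[1]] = [(None, lambda v: {**v, "turn": other}, L[2])]
        edges[L[2]] = [(lambda v: v[oflag] == 0 or v["turn"] == me, None, L[3])]
    else:
        edges[L[1]] = [(lambda v: v[oflag] == 0, None, L[3])]
    return edges, L[0], L[3]          # graph, entry label, critical-section label

def successors(procs, state):
    """All states reachable by exactly one enabled transition (slide 17)."""
    labels, v = state[0], dict(state[1])
    for i, (edges, _, _) in enumerate(procs):
        for guard, action, nxt in edges.get(labels[i], []):
            if guard is None or guard(v):
                nv = action(v) if action else v
                yield labels[:i] + (nxt,) + labels[i + 1:], tuple(sorted(nv.items()))

def reachable(procs, init_vars):
    """Breadth-first enumeration of all states on some execution sequence."""
    init = (tuple(entry for _, entry, _ in procs), tuple(sorted(init_vars.items())))
    seen, todo = {init}, deque([init])
    while todo:
        for s in successors(procs, todo.popleft()):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def check(with_turn):
    """Returns (mutual exclusion holds, no reachable state is deadlocked)."""
    procs = [process(0, 1, with_turn), process(1, 0, with_turn)]
    states = reachable(procs, {"flag0": 0, "flag1": 0, "turn": 0})
    both_in_cs = tuple(cs for _, _, cs in procs)
    mutex = all(labels != both_in_cs for labels, _ in states)
    # A state is deadlocked when every process sits at a node whose exit
    # condition (the disjunction of its guards) is false, so nothing can move.
    deadlock_free = all(any(True for _ in successors(procs, s)) for s in states)
    return mutex, deadlock_free
```

check(True) reports both properties for Peterson's protocol, while check(False) shows that the flag-only variant keeps mutual exclusion but reaches a state where both processes wait on each other's flag.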

34 Temporal formulas: now a bit more complicated ones
We now advance to a class of properties which require more complicated expressions, expressible by expressions of the types:

35 Total correctness
Same setting as partial correctness: a single sequential program with an entry and an exit. One formula specifies the correctness of the program, that is, it is to hold on termination; another expresses the initial input restrictions. Total correctness with respect to these can be expressed as: if the input restriction holds at the entry, then eventually the exit is reached with the correctness formula holding. Compare it to partial correctness:

36 Accessibility
In the context of critical sections: expressing that if a process wishes to enter its critical section, it will be granted permission to do so. m: a location (node) just before the entrance to the critical section of a process, showing its wish to enter the critical section. m': a location inside the critical section. The property of accessibility is: always, being at m implies eventually being at m'.

37 Responsiveness
Suppose we receive requests from many external agents, for example in a client-server model. A request from agent i is signaled by a variable turning true. The program deals with the request (for example, it allocates the resource) and signals that the request of agent i has been granted by setting another variable to true. Responsiveness can be expressed as: always, the request variable being true implies that eventually the grant variable is true.
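An added example, not part of the presentation, implementing the X/F/G semantics of slides 24-28 over an ultimately periodic execution sequence (a finite prefix followed by a loop repeated forever) and using it to evaluate the mutual-exclusion invariance of slide 32 and the accessibility and responsiveness patterns of slides 36-37 on one trace. The trace and the proposition names (req1, cs1, ...) are constructed, and the formula encoding as nested tuples is my own.

```python
# Added example (not from the slides): truth of temporal formulas X, F, G
# at a position of an ultimately periodic sequence prefix . loop^omega.

class Sequence:
    """Each state is the set of propositions true at that instant."""
    def __init__(self, prefix, loop):
        assert loop, "loop must be non-empty so the sequence is infinite"
        self.prefix, self.loop = list(prefix), list(loop)

    def state(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i):
        # Once past the prefix the suffix repeats with period len(loop), so
        # F/G at position i only need to inspect positions in [i, horizon).
        return max(i, len(self.prefix)) + len(self.loop)


def holds(seq, f, i=0):
    """Formulas are nested tuples: ("p", name), ("not", f), ("and", f, g),
    ("implies", f, g), ("X", f), ("F", f), ("G", f)."""
    op = f[0]
    if op == "p":
        return f[1] in seq.state(i)
    if op == "not":
        return not holds(seq, f[1], i)
    if op == "and":
        return holds(seq, f[1], i) and holds(seq, f[2], i)
    if op == "implies":
        return (not holds(seq, f[1], i)) or holds(seq, f[2], i)
    if op == "X":   # true in the neXt instant
        return holds(seq, f[1], i + 1)
    if op == "F":   # true at some Future instant (existential)
        return any(holds(seq, f[1], j) for j in range(i, seq.horizon(i)))
    if op == "G":   # true Globally from now on (universal)
        return all(holds(seq, f[1], j) for j in range(i, seq.horizon(i)))
    raise ValueError(f"unknown operator {op!r}")


# Constructed trace of two processes: reqN = process N is at the node just
# before its critical section, csN = process N is inside its critical section.
TRACE = Sequence(prefix=[{"req1"}, {"req1", "cs2"}],
                 loop=[{"cs1"}, {"req2"}, {"cs2"}, {"req1"}])
P = lambda name: ("p", name)

def check_properties(seq=TRACE):
    return {
        "mutual exclusion": holds(seq, ("G", ("not", ("and", P("cs1"), P("cs2"))))),
        "accessibility 1": holds(seq, ("G", ("implies", P("req1"), ("F", P("cs1"))))),
        "accessibility 2": holds(seq, ("G", ("implies", P("req2"), ("F", P("cs2"))))),
        "immediate entry": holds(seq, ("G", ("implies", P("req1"), ("X", P("cs1"))))),
    }
```

The last property fails on this trace because a request is not always served in the very next instant, which is exactly why accessibility and responsiveness are phrased with F rather than X.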

38 Coming up: a proof system!
We saw that the temporal logic language is useful for expressing and formulating interesting properties. We now present an axiomatic system in which we can prove these properties.

39 The system DX - Axioms Axioms:

40 The system DX: inference rules
R1 (TAU): if a formula is an instance of a classical tautology, then it is a theorem.
R2 (MP): from a formula and an implication whose premise is that formula, infer the conclusion of the implication.
R3 (GEN): if a formula is a theorem, then so is its generalization.

41 The temporal semantics of programs
Consider a node in any of the processes. The exit condition:

42 Clauses definitions (1)
For a node we define:

43 Clauses definitions (2)
Fair scheduling. Exit node: a node with no outgoing transitions. If a node is an exit node then, by definition, its exit condition is false and the remaining clause is identically true, allowing execution of the relevant program to remain at the exit node.

44 Notation
For a list of formulas, the notation claims that exactly one of them is true, while the others are false.

45 Clauses definitions (3)
Consider a process with its label set. Recall the exit condition. The expression expresses the situation that the process is active, that is, some transition in it is taking place.

46 Clauses definitions (4-6)
The expression expresses the situation that the process is idle. Now define:

47 Clauses definitions (7)
Consider now a complete program. Define first:

48 Defining W(P)
Assume that the initial labels in all programs are the entry labels and that the initial values of the variables are given.

49-51 Defining W(P)
The formula W(P) expressing the semantics of the program is built from the following clauses:
- the initial condition on labels and variables;
- a process is active;
- if all processes are idle, then the values of the variables remain unchanged;
- fair scheduling;
- exactly one location proposition of each process is true at any instant.

52-53 A note about idling
Our semantics allows instants of complete inaction, or idling. Why? It is necessary in order to accommodate terminating programs, and incorrect programs which may inadvertently lead to deadlocks: even though a program is incorrect, it should still have some execution sequences. However, the fair scheduling clause will prevent endless idling while there is still some possible action in one of the processes.

54 Proving accessibility
We wish to prove that when a process gets to the node m before its critical section, it will eventually arrive at the node m' inside it. It suffices to prove that we never get stuck at m. That is, we prove the accessibility formula by assuming its negation and deriving a contradiction with W(P). (Figure: the two process graphs with Critical Section 1 and Critical Section 2.)

55 Proving accessibility (continued; figure of the two process graphs with Critical Section 1 and Critical Section 2)

56 Summary
Today we saw:
- a model of concurrent programs;
- temporal logic, which gave us a language for expressing temporal claims;
- a proof system, which gave us a way of proving properties of concurrent programs.

57 Questions?

