
1 Rendez-Vous

Logical extension of

    chan buffer = [N] of { byte }

is

    chan port = [0] of { byte }

Channel port is a rendez-vous port (binary handshake). Two processes, a sender and a receiver, can synchronise on it: e.g. port!2 is blocked until there is a corresponding port?msg ready to execute; then both synchronise, the message is transferred and both proceed in the same step. A rendez-vous channel never holds a message, so len(port) is always 0.

2 Dijkstra’s Semaphore using Rendez-vous

    #define p 0
    #define v 1                    /* the code below uses v, not q */
    chan sema = [0] of { bit };

    proctype semaphore() {
        byte count = 1;
        do
        :: (count == 1) -> sema!p; count = 0
        :: (count == 0) -> sema?v; count = 1
        od
    }

    proctype user() {
        do
        :: sema?p;                  /* matches only a p (0) message */
           /* critical section */
           sema!v
           /* non-critical section */
        od
    }

    init { run semaphore(); run user(); run user(); run user() }

Any interleaving of the three users is possible, e.g. the critical section may be entered in the order 1,2,3,1,2,3,1,2,3,..., or 1,2,3,3,2,1,1,2,3,3,2,1,..., or 1,1,1,1,1,1,1,1,1,..., etc. The semaphore guarantees exclusion, not fairness.

3 Synchronous vs Asynchronous Communication

    #define msgtype …
    chan name = [x] of { byte, byte };     /* x is the buffer size discussed below */

    proctype A() { name!msgtype(124); name!msgtype(121) }
    proctype B() { byte state; name?msgtype(state) }   /* two fields, matching the channel */

    init { atomic { run A(); run B() } }   /* created at the same time */

Behaviour:

x == 0: A and B synchronise on the transfer of 124; then A blocks on sending 121, because B has already terminated and no receiver will ever be ready.

x == 1: A can send 124, then blocks until B reads it. A can then send 121. Both processes complete, but 121 is still on name.

x >= 2: A can complete without B ever starting.
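The three claims above can be confirmed with the verifier instead of by hand. This is an added example, not code from the slides: the flags a_done, b_done and b_started, the value 33 for msgtype, the file name sync.pml and the compile-time parameter X are assumptions introduced here.

```promela
/* Checks the claims of slide 3 with pan.  X is the buffer size under test:
   spin -DX=1 -a sync.pml && gcc -o pan pan.c && ./pan      (try X = 0, 1, 2) */
#ifndef X
#define X 1
#endif
#define msgtype 33            /* constructed value; the slide elides it */

chan name = [X] of { byte, byte };
bit a_done = 0, b_done = 0;   /* added flags so init can wait for both */
bit b_started = 0;            /* added flag: has B begun executing? */

proctype A() {
    name!msgtype(124);
    name!msgtype(121);
    /* "x >= 2: A can complete without B ever starting".
       pan reports this assertion violated only when X >= 2; with X == 1
       the second send cannot complete until B has taken 124, so B has
       already started by the time A gets here. */
    assert(b_started);
    a_done = 1
}

proctype B() {
    byte state;
    b_started = 1;
    name?msgtype(state);
    b_done = 1
}

init {
    atomic { run A(); run B() };    /* created at the same time */
    /* "x == 0: A and B synch on 124, then A blocks".  A never sets
       a_done, this guard never becomes true, and pan reports an
       invalid end state with A stuck on its second send. */
    (a_done && b_done) ->
    /* "x == 1: both processes complete, but 121 is still on name". */
    assert(len(name) == 1)
}
```

With X = 2 pan stops at the first violation and writes a trail; replaying it with spin -t -p sync.pml shows A finishing both sends before B has executed a statement.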

4 An Interesting Way to Compute the Factorial Function

    proctype fact(int n; chan p)
    /* calculate factorial n, communicating result via p */
    {
        chan child = [1] of { int };    /* for result from fact n-1 */
        int result;
        if
        :: (n <= 1) -> p!1
        :: (n >= 2) -> run fact(n-1, child); child?result; p!(n*result)
        fi
    }

    init    /* factorial 5 */
    {
        chan result = [1] of { int };
        int answer;
        run fact(5, result);
        result?answer;
        printf("result is %d\n", answer)
    }

Each level of the recursion is a separate process; the chain of child channels carries the partial products back up to init.

5 Assertions

Assertions are statements about the program state that can be embedded in the program:

    assert(condition)

E.g.

    assert(state == 1)
    assert(x >= y)

Extremely useful, both for run-time behavioural audit and for stating program invariants that the verifier checks in every reachable interleaving. But be careful: an assertion aborts the program if the condition evaluates to 0, i.e. it is false.
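Assertions as program invariants, applied to the rendez-vous semaphore of slide 2: the property worth checking is mutual exclusion, and pan explores every interleaving, including the 1,1,1,... ones. Added example, not code from the slides; the counter ncrit, the constant NUSERS and the file name sema.pml are instrumentation and names introduced here.

```promela
/* Slide 2's semaphore with mutual exclusion made checkable.
   spin -a sema.pml && gcc -o pan pan.c && ./pan
   A violation is reported as "assertion violated (ncrit==1)" with a trail
   file; no violation means no interleaving lets two users in at once. */
#define p 0
#define v 1
#define NUSERS 3              /* assumption: number of user processes */

chan sema = [0] of { bit };
byte ncrit = 0;               /* added: users currently inside the critical section */

proctype semaphore() {
    byte count = 1;
    do
    :: (count == 1) -> sema!p; count = 0
    :: (count == 0) -> sema?v; count = 1
    od
}

proctype user() {
    do
    :: sema?p;
       ncrit++;
       assert(ncrit == 1);    /* invariant: at most one user inside */
       ncrit--;
       sema!v
    od
}

init {
    byte i = 0;
    atomic {
        run semaphore();
        do
        :: (i < NUSERS) -> run user(); i++
        :: else -> break
        od
    }
}
```

To see pan produce a counterexample, delete `count = 0` in semaphore(): it then hands out p without waiting for v, and the trail shows two users inside the critical section.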

6 Assertions

Common ways to use assertions:

    idle:     assert(arm == up);
              .....

    receiver: assert(full(inchannel));
              parcel == 0;
              .....

    sender:   assert(empty(outchannel));
              parcel == 1;
              ...

    inchannel?x;
    assert(x == last_value + 1);
    .....

full() and empty() test the state of a channel. A bare condition such as parcel == 0 is itself a statement in Promela: it blocks until it holds, whereas an assert on the same condition fails immediately if it does not.

7 Factorial Function

    proctype fact(int n; chan p)
    /* calculate factorial n, communicating result via p */
    {
        chan child = [1] of { int };    /* for result from fact n-1 */
        int result;
        if
        :: (n <= 1) -> p!1
        :: (n >= 2) -> assert(empty(child));
                       run fact(n-1, child);
                       /* run does not wait for the child, so this can execute
                          before the child has sent anything */
                       assert(full(child));
                       child?result;
                       p!(n*result)
        fi;
        /* likewise, the receiver may already have taken the value from p */
        assert(full(p))
    }

    init    /* factorial 5 */
    {
        chan result = [1] of { int };
        int answer;
        run fact(5, result);
        result?answer;
        assert(answer == 120);
        printf("result is %d\n", answer)
    }