Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.

Slides:



Advertisements
Similar presentations
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Advertisements

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Part 3: Safety and liveness
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CSC321 Concurrent Programming: §3 The Mutual Exclusion Problem 1 Section 3 The Mutual Exclusion Problem.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Process Synchronization Continued 7.2 The Critical-Section Problem.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
Critical Section chapter3.
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Safety and Liveness. Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation.
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
Tele Design of Reactive Systems Summer 2001 Prof. Dr. Stefan Leue Institute for Computer Science Albert-Ludwigs-Universität Freiburg
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.
CS5371 Theory of Computation
Bakery Algorithm - Proof
Modeling Software Systems Lecture 2 Book: Chapter 4.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Concurrency in Distributed Systems: Mutual exclusion.
Describing Syntax and Semantics
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Representing distributed algorithms Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity,
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
Defining Programs, Specifications, fault-tolerance, etc.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.
The Complexity of Distributed Algorithms. Common measures Space complexity How much space is needed per process to run an algorithm? (measured in terms.
Chapter 5: Sequences, Mathematical Induction, and Recursion 5.5 Application: Correctness of Algorithms 1 [P]rogramming reliability – must be an activity.
DISTRIBUTED ALGORITHMS AND SYSTEMS Spring 2014 Prof. Jennifer Welch CSCE
Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->
CS294, Yelick Consensus revisited, p1 CS Consensus Revisited
Program correctness The State-transition model A global states S  s 0 x s 1 x … x s m {s k = set of local states of process k} S0  S1  S2  Each state.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Recognizing safety and liveness Presented by Qian Huang.
Defining Liveness by Bowen Alpern and Fred B. Schneider Presented by Joe Melnyk.
More on Correctness. Prime Factorization Problem: Write a program that computes all the prime factors of a given number Solution (Idea): Factors are less.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Hwajung Lee. Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA,
Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,
CS 542: Topics in Distributed Systems Self-Stabilization.
CIS 720 Lecture 5. Techniques to avoid interference Disjoint variables –If the write set of each process is disjoint from the read and write set of other.
Fault tolerance and related issues in distributed computing Shmuel Zaks GSSI - Feb
Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
1 Distributed Vertex Coloring. 2 Vertex Coloring: each vertex is assigned a color.
Model Checking Lecture 1: Specification Tom Henzinger.
Agenda  Quick Review  Finish Introduction  Java Threads.
Introduction to distributed systems description relation to practice variables and communication primitives instructions states, actions and programs synchrony.
6.852: Distributed Algorithms Spring, 2008 Class 14.
Copyright © Cengage Learning. All rights reserved.
Atomicity, Non-determinism, Fairness
Programming Languages 2nd edition Tucker and Noonan
CS60002: Distributed Systems
ITEC452 Distributed Computing Lecture 5 Program Correctness
Abstraction.
CIS 720 Lecture 5.
CIS 720 Lecture 5.
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Program Correctness

The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using it. This guarantee must hold as long as every hardware and software component works according to specifications.

History of Distributed System Computation that begins from the initial state A and ends in the final state L. Each arc corresponds to an atomic action that causes a state transition. In each of the states B and G, there are two possible actions: the choice may be either data-dependent, or due to the non- determinism of the scheduler(s). The history can be represented as the set of the following three state sequences {ABCDEFL, ABGHIFL, ABGJKIFL}. If a computation does no terminate, then some of the behaviors can be infinite.

State Transitions

It is tempting to prove correctness by enumerating all possible interleavings of atomic actions and testing or reasoning about each of these behaviors. Because of the explosive growth in the number of such behaviors, this approach soon turns out to be impractical—at least for nontrivial distributed systems. For example, with n processes each executing a sequence of m atomic actions, the total number of possible interleavings is (nm)!/(m!)n Even for modest values of m and n, this is a very large number. Therefore, to exhaustively test even a small system, one can easily exceed the computing capacity available with today’s largest and fastest computers.

Testing vs. Proof Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. Proof: Has a mathematical foundation, and is a complete guarantee. Sometimes not scalable.

Testing vs. Proof To test this program, you have to test all possible interleavings. With n processes p 0, p 1, … p n-1, and m steps per process, the number of interleavings is (n.m)! (m!) n The state explosion problem p0p1p2p3 step1 step2 step3

Correctness criteria Safety properties Bad things never happen Example :1. Consider the history shown in Figure and let a safety property be specified by the statement: the value of a certain variable temperature should never exceed 100.Thus, if we find that in state G temperature = 107, then we immediately conclude that the safety property is violated — we need not wait for what will happen to temperature after state G 2. Mutual exclusion Here, a safety property is: at most one process can be inside its critical section. Accordingly, the safety invariant can be written as Ncs ≤1 where Ncs is the number of processes in the critical section at any time.

Example: Mutual Exclusion Process 0Process 1 do true  Entry protocol Critical section Exit protocol od Safety properties (1) There is no deadlock (2) At most one process is in its critical section. Liveness property A process trying to enter the CS must eventually succeed. (This is also called the progress property ) CS

Safety invariants Invariant means: something meaningful should always hold Example: Total no. of processes in CS ≤ 1 (mutual exclusion problem) Another safety property is Partial correctness. It implies that “If the program terminates then the postcondition will hold.” Consider the following : Safety invariant:  (G0  G1  G2  …  Gk)  postcondition It does not say if the program will terminate. (termination is a liveness property) Total correctness = partial correctness + termination. do G0  S1 [] G1  S1 [] … [] Gk  Sk od

Consider a system of four processes P0 through P3 as shown in Figure. Each process has a color c represented by an integer from the set {0,1,2,3}. We will represent the color of a process Pi by the symbol c[i]. The objective is to devise an algorithm, so that regardless of the initial colors of the different processes, the system eventually reaches a configuration where no two adjacent processes have the same color.

An Infinite Behavior of the system

Let N(i) denote the set of neighbors of process Pi. We propose the following program for every process Pi to get the job done: program colorme {for process Pi } do ∃ j:j ∈ N(i) :: (c[i] = c[j]) ➔ c[i] := (c[i] + 2) mod 4 od Is the program partially correct? we conclude that if the program terminates, then the following condition holds: ∀ i, j: j ∈ N(i) :: c[i] != c[j]) By definition, this is the desired postcondition. So the system is partially correct. However, it is easy to find out that the program may not terminate. Consider the initial state A in which the system returns to the starting state A without ever satisfying the desired postcondition. Therefore, the program is partially correct, but not totally correct. Note that it is possible for this program to reach termination if the schedulers choose an alternate sequence of action.

Liveness properties Good things eventually happen. Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. The criminal will eventually be caught Some examples  The message will eventually reach the receiver.  The process will eventually enter its critical section.  The faulty process will be eventually be diagnosed  Fairness (if an action will eventually be scheduled)  The program will eventually terminate.  The criminal will eventually be caught. Absence of liveness cannot be determined from finite prefix of the computation

Example of liveness properties : Progress: Progress toward the critical section Fairness: Fairness is a liveness property, since it determines whether the scheduler will schedule an action in a finite time. Reachability: Given a distributed system with an initial state S0, does there exist a finite behavior that changes the system state to St. If so, then St is said to be reachable from S0. Reachability is a liveness property Termination. Program termination is a liveness property.

Correctness Proofs The set of possible behaviors of a distributed system can be very large, and testing is not a feasible way of demonstrating the correctness of nontrivial system. Some form of mathematical reasoning or methods like proof by induction or proof by contradiction are widely applicable. The techniques for proving safety properties are thus different from the techniques for proving liveness properties. We particularly focus on the following four topics: Assertional methods of proving safety properties Use of well-founded sets for proving liveness properties Programming logic Predicate transformers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.