1. Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition is caused by an action by an eligible process. action state Initial state transition We reason using interleaving semantics, and assume that concurrent actions are serialized in an arbitrary order A sample computation (or behavior) is ABGHIFL

2. Correctness criteria Safety properties Bad things never happen Liveness properties Good things eventually happen

3. Testing vs. Proof Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. Proof: Has a mathematical foundation, and is a complete guarantee. Sometimes not scalable.

4. Testing vs. Proof To test this program, you have to test all possible interleavings. With n processes p 0, p 1, … p n-1, and m steps per process, the number of interleavings is (n.m)! (m!) n The state explosion problem p0p1p2p3 step1 step2 step3

5. Example: Mutual Exclusion Process 0Process 1 do true  Entry protocol Critical section Exit protocol od Safety properties (1) There is no deadlock (2) At most one process is in its critical section. Liveness property A process trying to enter the CS must eventually succeed. (This is also called the progress property ) CS

6. Exercise program mutex 1 {two process mutual exclusion algorithm: shared memory model} define busy : shared boolean (initially busy = false} { process 0 }{ process 1 } do true  do busy  skip od ; busy:= true; critical section;critical section busy := false;busy := false{remaining codes}od Does this mutual exclusion protocol satisfy liveness and safety properties?

7. Safety invariants Invariant means: something meaningful should always hold Example: Total no. of processes in CS ≤ 1 (mutual exclusion problem) Another safety property is Partial correctness. It implies that “If the program terminates then the postcondition will hold.” Consider the following : Safety invariant:  (G0  G1  G2  …  Gk)  postcondition It does not say if the program will terminate. (termination is a liveness property) Total correctness = partial correctness + termination. do G0  S1 [] G1  S1 [] … [] Gk  Sk od

8. Exercise Starting from the given initial state, devise an algorithm to color the nodes of the graph using the colors 0 and 1, so that no two adjacent nodes have the same color. program colorme {for process P i } define color c  {0, 1} Initially colors are arbitrary do  j : j  neighbor(i) :: (c[i] = c[j])  c[i] := 1 - c[i] od Is the program partially correct ? YES (why?) Does it terminate ? NO (why?) p1 p3p0 p2 00 1 1

9. Liveness properties Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. Some examples  The message will eventually reach the receiver.  The process will eventually enter its critical section.  The faulty process will be eventually be diagnosed  Fairness (if an action will eventually be scheduled)  The program will eventually terminate.  The criminal will eventually be caught. Absence of liveness cannot be determined from finite prefix of the computation

10. Proving safety define c1, c2 : channel; { init c1 =  c2 =  } r, t : integer; { init r = 5, t = 5} {program for T } 1 do t > 0  send msg along c1; t := t -1 2[] ¬empty (c2)  rcv msg from c2; t := t + 1 od {program for R } 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4[] r > 0  send msg along c2; r := r-1 od We want to prove the safety property P: P  n1 + n2 ≤ 10 transmitter receiver n1= # of messages in c1 n2= # of messages in c2

11. Proving safety n1, n2 = # of messages in c1 and c2 respectively. We will establish the following invariant: I  (t ≥ 0)  (r ≥ 0)  (n1 + t + n2 + r = 10) ( I ⇒ P ). Check if I holds after every action. {program for T } 1 do t > 0  send msg along c1; t := t -1 2[] ¬empty (c2)  rcv msg from c2; t := t+1 od {program for R } 3 do ¬empty (c1)  rcv msg from c1; r := r+1 4[] r > 0  send msg along c2; r := r-1 od Use the method of induction Show that I initially holds, and holds after each action.

12. Proving liveness S1  S2  S3  S4   f  f w1w2w3w4 o w1, w2, w3, w4  WF o WF is a well-founded set whose elements can be ordered by » If there is no infinite chain like w1 » w2 » w3 » w4.., i.e. f(s i ) » f(s i+1 ) » f(s i+2 ).. Global state then the computation will definitely terminate! f is called a variant functionExample?