Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.

Published byWesley Cox Modified over 8 years ago

Similar presentations

Presentation on theme: "Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using."— Presentation transcript:

1 Program Correctness

2 The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using it. This guarantee must hold as long as every hardware and software component works according to specifications.

3 History of Distributed System Computation that begins from the initial state A and ends in the final state L. Each arc corresponds to an atomic action that causes a state transition. In each of the states B and G, there are two possible actions: the choice may be either data-dependent, or due to the non- determinism of the scheduler(s). The history can be represented as the set of the following three state sequences {ABCDEFL, ABGHIFL, ABGJKIFL}. If a computation does no terminate, then some of the behaviors can be infinite.

4 State Transitions

5 It is tempting to prove correctness by enumerating all possible interleavings of atomic actions and testing or reasoning about each of these behaviors. Because of the explosive growth in the number of such behaviors, this approach soon turns out to be impractical—at least for nontrivial distributed systems. For example, with n processes each executing a sequence of m atomic actions, the total number of possible interleavings is (nm)!/(m!)n Even for modest values of m and n, this is a very large number. Therefore, to exhaustively test even a small system, one can easily exceed the computing capacity available with today’s largest and fastest computers.

6 Testing vs. Proof Testing: Apply inputs and observe if the outputs satisfy the specifications. Fool proof testing can be painfully slow, even for small systems. Most testing are partial. Proof: Has a mathematical foundation, and is a complete guarantee. Sometimes not scalable.

7 Testing vs. Proof To test this program, you have to test all possible interleavings. With n processes p 0, p 1, … p n-1, and m steps per process, the number of interleavings is (n.m)! (m!) n The state explosion problem p0p1p2p3 step1 step2 step3

8 Correctness criteria Safety properties Bad things never happen Example :1. Consider the history shown in Figure and let a safety property be specified by the statement: the value of a certain variable temperature should never exceed 100.Thus, if we find that in state G temperature = 107, then we immediately conclude that the safety property is violated — we need not wait for what will happen to temperature after state G 2. Mutual exclusion Here, a safety property is: at most one process can be inside its critical section. Accordingly, the safety invariant can be written as Ncs ≤1 where Ncs is the number of processes in the critical section at any time.

9 Example: Mutual Exclusion Process 0Process 1 do true  Entry protocol Critical section Exit protocol od Safety properties (1) There is no deadlock (2) At most one process is in its critical section. Liveness property A process trying to enter the CS must eventually succeed. (This is also called the progress property ) CS

10 Safety invariants Invariant means: something meaningful should always hold Example: Total no. of processes in CS ≤ 1 (mutual exclusion problem) Another safety property is Partial correctness. It implies that “If the program terminates then the postcondition will hold.” Consider the following : Safety invariant:  (G0  G1  G2  …  Gk)  postcondition It does not say if the program will terminate. (termination is a liveness property) Total correctness = partial correctness + termination. do G0  S1 [] G1  S1 [] … [] Gk  Sk od

11 Consider a system of four processes P0 through P3 as shown in Figure. Each process has a color c represented by an integer from the set {0,1,2,3}. We will represent the color of a process Pi by the symbol c[i]. The objective is to devise an algorithm, so that regardless of the initial colors of the different processes, the system eventually reaches a configuration where no two adjacent processes have the same color.

12 An Infinite Behavior of the system

13 Let N(i) denote the set of neighbors of process Pi. We propose the following program for every process Pi to get the job done: program colorme {for process Pi } do ∃ j:j ∈ N(i) :: (c[i] = c[j]) ➔ c[i] := (c[i] + 2) mod 4 od Is the program partially correct? we conclude that if the program terminates, then the following condition holds: ∀ i, j: j ∈ N(i) :: c[i] != c[j]) By definition, this is the desired postcondition. So the system is partially correct. However, it is easy to find out that the program may not terminate. Consider the initial state A in which the system returns to the starting state A without ever satisfying the desired postcondition. Therefore, the program is partially correct, but not totally correct. Note that it is possible for this program to reach termination if the schedulers choose an alternate sequence of action.

14 Liveness properties Good things eventually happen. Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.. The criminal will eventually be caught Some examples  The message will eventually reach the receiver.  The process will eventually enter its critical section.  The faulty process will be eventually be diagnosed  Fairness (if an action will eventually be scheduled)  The program will eventually terminate.  The criminal will eventually be caught. Absence of liveness cannot be determined from finite prefix of the computation

15 Example of liveness properties : Progress: Progress toward the critical section Fairness: Fairness is a liveness property, since it determines whether the scheduler will schedule an action in a finite time. Reachability: Given a distributed system with an initial state S0, does there exist a finite behavior that changes the system state to St. If so, then St is said to be reachable from S0. Reachability is a liveness property Termination. Program termination is a liveness property.

16 Correctness Proofs The set of possible behaviors of a distributed system can be very large, and testing is not a feasible way of demonstrating the correctness of nontrivial system. Some form of mathematical reasoning or methods like proof by induction or proof by contradiction are widely applicable. The techniques for proving safety properties are thus different from the techniques for proving liveness properties. We particularly focus on the following four topics: Assertional methods of proving safety properties Use of well-founded sets for proving liveness properties Programming logic Predicate transformers

Download ppt "Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using."

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Part 3: Safety and liveness

Part 3: Safety and liveness
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CSC321 Concurrent Programming: §3 The Mutual Exclusion Problem 1 Section 3 The Mutual Exclusion Problem.

CSC321 Concurrent Programming: §3 The Mutual Exclusion Problem 1 Section 3 The Mutual Exclusion Problem.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Process Synchronization Continued 7.2 The Critical-Section Problem.

Process Synchronization Continued 7.2 The Critical-Section Problem.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.

Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.

Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
Critical Section chapter3.

Critical Section chapter3.
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.

Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Safety and Liveness. Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation.

Safety and Liveness. Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation.
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Similar presentations

Ads by Google