Temporal Logic of Actions

Transcription

1 Advanced Topics in Distributed Computing Dominik Grewe Saarland University March 20, 2008

2 Outline Basic Concepts Transition Systems Temporal Operators Fairness Introduction Definitions Example TLC - A Model Checker for TLA +Cal - An Algorithm Language Based on TLA Introduction Example

3 Basic Concepts Transition Systems Interpretations Vocabulary V a countable set of variables Expressions over V: x+y Assertions over V: x>0 Interpretations I An interpretation I I maps a set of variables V V to values. Example for V = {x, y, z}: I = x : 2, y : 8, z : abc

4 Basic Concepts Transition Systems Interpretations An interpretation I satifies an assertion φ iff φ evaluates to true w.r.t. I I = φ Example: I = x : 2, y : 8, z : abc φ := (x < y) (z = abc ) I = φ (I[x] < I[y]) (I[z] = abc ) (2 < 8) ( abc = abc )

5 Basic Concepts Transition Systems Transition Systems A transition system is a quadruple where Π,Σ, T,Θ Π V a set of state variables divided into data variables and control variables Σ a set of states interpretations of Π T a finite set of transitions transition is a function τ : Σ 2 Σ Θ an initial condition assertion specifying the initial states

6 Basic Concepts Transition Systems Transitions A transition τ : Σ 2 Σ is characterized by a transition relation ρ τ (Π,Π ) Example with Π = {x}: x > 0 x = x + 1 s is a τ-successor of s iff s τ(s) τ is enabled iff τ(s)

7 Basic Concepts Transition Systems Transitions a computation is an infinite sequence of states σ : s 0, s 1, s 2,... with s 0 = Θ i τ : s i+1 τ(s i ) implicitly assume idling transition τ I (e.g. to model terminating systems)

8 Basic Concepts Transition Systems Example Π : {x, y} Θ : x = 0 y = 0 τ x : x = x + 1 τ y : y = y + 1 Possible Computations x : 0, y : 0 x : 0, y : 0 x : 0, y : 0 x : 1, y : 0 x : 0, y : 1 x : 0, y : 0 x : 2, y : 0 x : 1, y : 1 x : 0, y : 0 x : 3, y : 0 x : 1, y : 2 x : 0, y :

9 Basic Concepts Temporal Operators Intuition φ Eventually φ: φ φ... φ don t care... φ Always φ: φ φ... φ Next φ: don t care φ don t care... φ U ψ φ Until ψ: φ φ... φ ψ don t care Symmetry φ φ

10 Basic Concepts Temporal Operators Formal Definition Let σ : s 0, s 1,.... Then σ[i] : s i, s i+1,... i 0 Eventually φ σ = φ i 0 : σ[i] = φ Always φ σ = φ i 0 : σ[i] = φ

11 Basic Concepts Temporal Operators Formal Definition Let σ : s 0, s 1,.... Then σ[i] : s i, s i+1,... i 0 Next φ σ = φ σ[1] = φ φ Until ψ σ = φ U ψ i 0 : σ[i] = ψ 0 j < i : σ[j] = φ

12 Basic Concepts Temporal Operators Some Properties Useful expressions infinitely often: eventually always: φ φ Symmetry φ φ φ φ φ φ φ φ

13 Basic Concepts Fairness Motivation Reconsider the example: Π : {x, y} Θ : x = 0 y = 0 τ x : x = x + 1 τ y : y = y + 1 Does it satisfy (x > 0 y > 0)? No! Only taking the idling transition τ i x : 0, y : 0 x : 0, y : 0 x : 0, y : 0 x : 0, y : 0...

14 Basic Concepts Fairness Definitions Weak Fairness (Justice) If a transition is continually enabled, it is taken infinitely often. Enabled(τ) Taken(τ) Enabled(τ) Taken(τ)

15 Basic Concepts Fairness Definitions Strong Fairness (Compassion) If a transition is infinitely often enabled, it is taken infinitely often. Enabled(τ) Taken(τ) Enabled(τ) Taken(τ)

16 Basic Concepts Fairness Weak vs. Strong Fairness Any computation satisfying a strong fairness condition also satifies the corresponding weak fairness condition: ( Enabled(τ) Taken(τ)) ( Enabled(τ) Taken(τ)) because φ φ

17 Basic Concepts Fairness Adding Fairness to our Example Since both transitions τ x and τ y are always enabled Enabled(τ x ) = Enabled(τ y ) = true weak fairness is enough to exclude computations where (x > 0 y > 0) doesn t hold. Actually, for all n 0, it holds (x > n) (y > n)

18 Introduction Basic Facts Developed by Lesley Lamport (Microsoft Research) Specify (concurrent) systems with logical formulas Proof properties of specifications Modular specifications Extension: TLA +

19 Definitions Basic Definitions State Functions nonboolean expressions built from variables and constants State Predicates boolean expressions containing variables and constants Actions boolean expressions formed from variables, primed variables and constants

20 Definitions Temporal Operators F (Eventually F ), G (Always G) common temporal operators F G F leads to G equivalent to (F G) Unchangedf f = f Example: Unchanged x, y (x = x) (y = y)

21 Definitions Additional Operators Stuttering In TLA, there is no implicit idling transition, but there is a special operator to explicitly express stuttering: Progress [A] f A (f = f) To express progress, a new operator is introduced: A f A (f f)

22 Definitions Fairness To express fairness in TLA, there are special operators: Weak Fairness WF f (A) ( A f ) ( Enabled A f ) Strong Fairness SF f (A) ( A f ) ( Enabled A f )

23 Example Example revisited in TLA Init Φ M x M y = (x = 0) (y = 0) = (x = x + 1) (y = y) = (y = y + 1) (x = x) M = M x M y Φ = Init Φ [M] x,y WF x,y (M x ) WF x,y (M y )

24 Example Example revisited in TLA EXTENDS N aturals VARIABLES x, y MODULE Counter Init Φ = (x = 0) (y = 0) M x = (x = x + 1) (y = y) M y = (y = y + 1) (x = x) M = M x M y Φ = Init Φ [M] x,y WF x,y (M x ) WF x,y (M y )

25 TLC - A Model Checker for TLA The TLC Model Checker designed and implemented by Yuan Yu can handle specifications of the form Init [Next] vars Temporal checks for deadlocks, expressed by (ENABLED N ext) can check various types of properties (e.g. invariants) builds a state graph to proof or disproof properties

26 TLC - A Model Checker for TLA Exploring the state graph 1. compute the set of states satisfying the initial condition 2. compute for each state the successor states according to the next-state action state space has to be finite

27 TLC - A Model Checker for TLA Another Example - Mutual Exclusion Init Next i,1 Next i,2 Next i,3... MutExSpec = sem = 1 pc 1 = acq pc 2 = acq = pc i = acq sem > 0 pc i = crit sem = sem 1 pc 1 i = pc 1 i = pc i = crit pc i = rel sem = sem pc 1 i = pc 1 i = pc i = rel pc i = acq =... sem = sem + 1 pc 1 i = pc 1 i = Init [Next] vars SF vars (Next 1 ) SF vars (Next 2 )

28 TLC - A Model Checker for TLA The state graph 1, acq, acq 0, crit, acq 0, acq, crit 0, rel, acq 0, acq, rel

29 +Cal - An Algorithm Language Based on TLA Introduction Basic Facts a language for writing (concurrent) algorithms can be automatically translated to TLA can be model-checked (using TLC) uses labels to break a sequence of statements into atomic steps two syntaxes: c-syntax (c-like) p-syntax (prolix)

30 +Cal - An Algorithm Language Based on TLA Example Fast Mutual Exclusion (pseudo code)

31 +Cal - An Algorithm Language Based on TLA Example Fast Mutual Exclusion (+CAL)

32 Conclusion Conclusion TLA Specify (concurrent) systems with logical formulas Automatically proof properties of specifications Model Checker TLC Modular design +CAL Algorithm language for writing (concurrent) algorithms Goal: Combine precision of programming languages with readability of pseudo code Automatic Translations to TLA Model-Checking