COMP3151/9151 Foundations of Concurrency Lecture 4

Transcription

1 1 COMP3151/9151 Foundations of Concurrency Lecture 4 and Kai Engelhardt CSE, UNSW (and data61) Revision: 1.5 of Date: 2017/08/14 00:35:24 UTC (Credits: parts may be borrowed from M. Ben-Ari, G Andrews, and others)

2 Why Prove? Model checking be it manually on the state diagram or mechanically with spin is restricted to systems with a fixed small number of processes. 1 To prove programs correct even if they are parametric in the number of processes (or buffer places etc), we can hardly use brute force model checking. 2 1 Technically we can deal with process creation, also in spin, but the restriction to relatively small systems remains.

3 3 Safety properties of a system S are often captured conveniently by invariants, i.e., formulae that are true for all reachable states of S. Example In any correct critical section algorithm implementation for spin, the formula (p@csp q@csq) is an invariant. of S are proved by induction over the length of computations of S.

4 4 Inductive proofs of invariants To prove that φ is an invariant of the system S the following must hold. Base cases: φ is true for every initial state of S. Inductive steps: If φ holds is all states of a computation up to the k th, then φ also holds for the k + 1 st. This precisely what we ended up doing for Dekker s algorithm in the Owicki/Gries method!

5 5 Limitations of are good for proving safety properties but insufficient for liveness, for instance eventual entry. Once we add past time temporal operators such as B for weak since and for weak previous every safety property can be expressed as 0φ for some LTL formula φ without future operators.

6 More LTL Sematics With past operators, we need to adapt the previous definition. Definition The satisfaction relation = between σ = (s i ) i N and k N, and LTL formulae is defined inductively by: σ, k = p p s k σ, k = ψ σ, k = ψ σ, k = ψ ψ σ, k = ψ or σ, k = ψ σ, k = 2ψ σ, k + 1 = ψ σ, k = ψ U ψ l k ( σ, l = ψ j (m j < l σ, j = ψ) ) σ, k = ψ k = 0 or σ, k 1 = ψ σ, k = ψ B ψ l k ( (σ, l = ψ) j ( l j k σ, j = ψ )) 6

7 7 More LTL Past Operators and B are a minimal set (just as 2 and U for the future) but for convenience we d add for previous ψ = ψ ` for till now `ψ = φ B false Q for once Qψ = ` ψ S for (strong) since ψ S ψ = ψ B ψ Qψ

8 8 LTL Examples No cause c without effect e: 0(c 1e) or, if the next cause has to wait for the effect to happen: 0(c 2( c) U e) No effect without cause: 0(e Qc)

9 9 To prove progress we use LTL and some of its proof rules. A rule Ben-Ari singles out as particularly helpful for proving simple progress properties is 0φ 1ψ, 1ψ 10φ What does it mean?

10 On Interpretations of LTL Observe that this particular progress rule is only useful when considered in the presence of a program P restricting the states and behaviours considered, and sound in the nowadays less fashionable floating interpretation of temporal logic that evaluates formulas not just over anchored sequences of states but also all of their suffixes. (See [MP92, p. 246, 266] and [Sch97, p. 82]. An early write-up of the various issues appeared as [MP88].) More precisely the rule should read P = 0φ 1ψ, P = 10φ P = 1ψ 10 where P = Φ iff, σ i = Φ for all executions σ of program P and all times i N.

11 11 Floating vs. Anchored In contrast to Ben-Ari, we re going to use an anchored interpretation of LTL where a corresponding sound proof rule would be P 0(0φ 1ψ), P 1ψ P 10φ But how can we refer to the program P in our proofs of the premises of such a rule?

12 12 Weak Fairness Assumptions To prove progress we tend to assume at least weak fairness to ensure processes are not prevented from participating in an execution. In general, we allow adding a set W of weak fairness assumptions to our parallel compositions of transition diagrams. The elements of W are sets of transitions drawn from the same process: W i 2T i. We say that an execution σ of P respects W if, for every w W σ = 0(0 π w enabled(π) 1 π w taken(π)) The assumption baked into our interleaving model is { T i 1 i n }, i.e., processes that aren t stuck must move eventually.

13 13 Classes of Properties The simplest progress properties are of the form 1φ (for some past formula φ). Example Termination The next level is 0(φ 1ψ) (for some past formulae φ and ψ) Example Eventual entry This type is so common and important that we introduce the leads-to notation φ ψ = 0(φ 1ψ).

14 14 Classes of Properties The final class is 01φ 01ψ. Example Whenever I ve watched these TAB ads often enough, I ll go and place a bet.

15 15 How does all that relate to our programs? In the context of our CS solutions and with weak fairness, assignment statements must progress eventually. Critical sections progress by assumption but non-critical sections need not. Control statements (if, while, await) can be trickier but can be handled. Next we ll see how.

16 16 Proof Rules for : LTL Part Let us focus on the leads-to properties. Before looking at program-dependent rules, we note some logical rules for. φ φ φ ψ, ψ ρ φ ρ φ ρ, ψ ρ (φ ψ) ρ rflx trns disj

17 17 Proof Rules for : Program Part For the following, suppose we ve found an assertion network Q that satisfies all the conditions of an Owicki/Gries-style proof of {pre} P {post}. Let us abuse that notation for a set T T of transitions: {p} T {q} = l c f l T (0(Q l c p q f )) even for past formulae p and q. The simplest rule lets us deduce progress when that s the only thing that can happen in a single step: 0(p (q φ)), {p} T {q}, 0(φ enabled(t )) p q 1-resp This doesn t even use weak fairness beyond someone has to move if that s possible.

18 Proof Rules for : Program Part Suppose we can identify a set H of helpful transitions that all establish the goal q and become enabled when p occurs, then the following rule can be used: H W, 0(p q φ), {φ} T \ H {φ q} {φ} H {q}, 0(φ enabled(h)) p q W-resp (There s a variant with strong fairness assumptions for H and a weakened last premiss of the form φ (q enabled(h)).) 18

19 19 After One Step 0(p q), q r, 0(r t) p t Let δ : Σ A where (A, ) is a well-founded relation RM 0(p q φ), 0(φ δ A), (φ (δ = α)) q (φ δ α) p q Well

20 20 Revisiting pre φ, {φ} T {φ} 0φ Inv

21 21 Example: Dekker s Algorithm p p: p 1 wp := F p 9 t := 2 p 2 wp := T wq p 3 p 8 t = 1 t = 1 wq p 6 wp := F p 5 t = 2 p 4

22 22 Example: Dekker s Algorithm q q: q 1 wq := F q 9 t := 1 q 2 wq := T wp q 3 q 8 t = 2 t = 2 wp q 6 wq := F q 5 t = 1 q 4

23 Example: Dekker s Algorithm Invariant The single difference compared to notes 3 is highlighted in red: t {1, 2} (1) wp, wq B (2) wp p 3..5,8,9 (3) wq q 3..5,8,9 (4) p 8,9 q 8,9 (5) q 8,9 p 8,9 (6) p 9 t = 2 (7) q 9 t = 1 (8) cp p, cp q {1, 2, 3, 4, 5, 6, 8, 9} (9) 23 With pre = (t {1, 2} p 1 q 1 ) and φ = 9 i=1 (i) we see that the rule Inv mimics Owicki/Gries in the presence of an invariant such as ours.

24 24 Example: Dekker s Algorithm Ev. Entry The desired property is expressed as p 2 p 8 (10) Let us first collect some 1-step progress properties for p that can all be shown P-valid with the rule 1-resp. p 3 t = 1 p 8 (p 4 t = 1) (11) p 3 t = 2 p 8 p 4 (12) p 4 t = 1 p 3 t = 1 (13) p 4 t = 2 p 5 (p 3 t = 1) (14) p 5 p 6 (15) p 6 t = 1 p 2 t = 1 (16) p 2 t = 1 p 3 t = 1 (17) p 8 p 9 (18) p 9 p 1 (19)

25 25 More of the same: p 6 q 4 t = 2 p 6 q 6 t = 2 (20) p 6 q 5 t = 2 p 6 q 6 t = 2 (21) p 6 q 6 t = 2 p 6 q 2 t = 2 (22) p 6 q 2 t = 2 p 6 q 3 t = 2 (23) p 6 q 3 t = 2 p 6 q 8 t = 1 (24) p 6 q 8 t = 2 p 6 q 9 t = 1 (25) We can summarise these to p 6 q 2..8 t = 2 p 6 q 9 t = 1 (26) We still need to argue why p 6 t = 2 q 1.

26 26 Last steps Another P-valid invariant is p 6 t = 2 (t = 2 S (p 3 wq)) (27) which allows us to deduce that q cannot be at q 1 (and not at q 9 either by φ).

27 27 Bibliography Zohar Manna and Amir Pnueli. The anchored version of the temporal framework. In J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models of Concurrency, volume 354 of LNCS, pages , Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, Fred B. Schneider. On Concurrent Programming. Springer-Verlag, 1997.