Shared Variable Proof Methods, Hardware-Assisted Critical Sections
Dr. Liam O’Connor
University of Edinburgh LFCS (and UNSW)
Term 2 2020

Outline: Transition Diagrams; Owicki-Gries Method; Invariants and Machine Instructions
Where we are at

In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. We also introduced the SPIN model checking tool for rigorous analysis of candidate solutions.

In this lecture, we will introduce a formal proof method for verifying safety properties, and apply it to a new kind of critical section solution that relies on hardware support.
Transition Diagrams

Definition. A transition diagram is a tuple (L, T, s, t) where:
- L is a set of locations (program counter values).
- s ∈ L is an entry location.
- t ∈ L is an exit location.
- T is a set of transitions.

A transition is written as ℓ_i --g; f--> ℓ_j where:
- ℓ_i and ℓ_j are locations,
- g is a guard Σ → B,
- f is a state update Σ → Σ.

Example program:
  i ← 0;
  s ← 0;
  while i ≠ N do
    s ← s + i;
    i ← i + 1
  od

Its transition diagram has locations ℓ0 (entry) to ℓ4 (exit) and the transitions:
  ℓ0 --⊤; i ← 0--> ℓ1
  ℓ1 --s ← 0--> ℓ2
  ℓ2 --i ≠ N; s ← s + i--> ℓ3
  ℓ3 --i ← i + 1--> ℓ2
  ℓ2 --i = N--> ℓ4
Floyd Verification

Recall the definition of a Hoare triple for partial correctness:
  { ϕ } P { ψ }
This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property.

Verifying Partial Correctness. Given a transition diagram (L, T, s, t):
1. Associate with each location ℓ ∈ L an assertion Q(ℓ) : Σ → B.
2. Prove that this assertion network is inductive, that is, for each transition ℓ_i --g; f--> ℓ_j in T show that
     Q(ℓ_i) ∧ g ⇒ Q(ℓ_j) ∘ f
3. Show that ϕ ⇒ Q(s) and Q(t) ⇒ ψ.

Liam will now demonstrate on the previous example.
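As an added example (not code from the slides), the summation program's transition diagram and an assertion network Q for it are encoded below, and each verification condition Q(ℓ_i) ∧ g ⇒ Q(ℓ_j) ∘ f is checked by brute force over a constructed finite slice of Σ. The location names l0..l4, the helper tri and the function non_inductive are my own; a real proof would discharge the same conditions with a prover rather than by enumeration.

```python
# Added example (not from the slides): Floyd's method on the summation program's transition
# diagram, with inductiveness of Q(li) ∧ g ⇒ Q(lj) ∘ f checked by brute force over a finite
# slice of the state space Sigma (constructed here; a real proof would use a prover).
from itertools import product

def tri(n): return sum(range(n))      # 0 + 1 + ... + (n-1), what the loop computes

# T for  i <- 0; s <- 0; while i != N do s <- s + i; i <- i + 1 od  as (li, g, f, lj)
T = [
    ("l0", lambda st: True,               lambda st: {**st, "i": 0},                 "l1"),
    ("l1", lambda st: True,               lambda st: {**st, "s": 0},                 "l2"),
    ("l2", lambda st: st["i"] != st["N"], lambda st: {**st, "s": st["s"] + st["i"]}, "l3"),
    ("l3", lambda st: True,               lambda st: {**st, "i": st["i"] + 1},       "l2"),
    ("l2", lambda st: st["i"] == st["N"], lambda st: st,                             "l4"),
]

# Assertion network Q : L -> (Sigma -> B); Q(l0) is the precondition phi, Q(l4) the postcondition psi
Q = {
    "l0": lambda st: st["N"] >= 0,
    "l1": lambda st: st["i"] == 0 and st["N"] >= 0,
    "l2": lambda st: st["s"] == tri(st["i"]) and 0 <= st["i"] <= st["N"],
    "l3": lambda st: st["s"] == tri(st["i"] + 1) and 0 <= st["i"] < st["N"],
    "l4": lambda st: st["s"] == tri(st["N"]),
}

def states(lo=-2, hi=6):
    """Constructed finite slice of Sigma: every assignment to i, s, N in [lo, hi]."""
    return [dict(i=i, s=s, N=N) for i, s, N in product(range(lo, hi + 1), repeat=3)]

def non_inductive(T, Q, sigma):
    """Transitions (li, lj) for which some state satisfies Q(li) and g but f(state) falsifies Q(lj)."""
    return [(li, lj) for (li, g, f, lj) in T
            if any(Q[li](st) and g(st) and not Q[lj](f(st)) for st in sigma)]

# Dropping the bound 0 <= i <= N from Q(l2) leaves a network that is no longer inductive.
Q_weak = {**Q, "l2": lambda st: st["s"] == tri(st["i"])}

if __name__ == "__main__":
    print(non_inductive(T, Q, states()))        # []: every verification condition holds
    print(non_inductive(T, Q_weak, states()))   # [('l2', 'l3')]
```

The failing pair for Q_weak is exactly the transition whose target assertion needs i < N, which the weakened Q(l2) no longer supplies.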
Adding Concurrency

Parallel Composition. Given two processes P and Q with transition diagrams (L_P, T_P, s_P, t_P) and (L_Q, T_Q, s_Q, t_Q), the parallel composition of P and Q, written P ∥ Q, is defined as (L, T, s, t) where:
- L = L_P × L_Q
- s = s_P s_Q
- t = t_P t_Q
- p_i q_i --g; f--> p_j q_i ∈ T if p_i --g; f--> p_j ∈ T_P
- p_i q_i --g; f--> p_i q_j ∈ T if q_i --g; f--> q_j ∈ T_Q

Example. Process P (locations p0, p1, p2):
  p0 --i ≠ N; n ← x--> p1
  p1 --x, i ← n + 1, i + 1--> p0
  p0 --i = N--> p2
Process Q (locations q0, q1, q2):
  q0 --j ≠ N; m ← x--> q1
  q1 --x, j ← m − 1, j + 1--> q0
  q0 --j = N--> q2

[Figure: the product diagram of P ∥ Q, with its nine locations p_i q_j laid out in a 3 × 3 grid (rows q1, q0, q2; columns p1, p0, p2). Every P transition is repeated along each row and every Q transition down each column.]
State Space Explosion

If we were SPIN, we would immediately begin exhaustively analysing this large diagram. But human brains don’t have that much storage space.

Problem. The number of locations and transitions grows exponentially as the number of processes increases. We can only use Floyd’s method directly on the parallel composition (product) diagram in the most basic examples.

Our Solution. We will instead use a method that allows us to define only inductive assertion networks for P and Q individually, and, by proving some non-interference properties, derive an inductive network for P ∥ Q automatically. This means we won’t have to draw that large product diagram!
Owicki-Gries Method

Steps. To show { ϕ } P ∥ Q { ψ }:
1. Define local assertion networks P and Q for both processes. Show that they’re inductive.
2. For each location p ∈ L_P, show that P(p) is not falsified by any transition of Q. That is, for each q --g; f--> q′ ∈ T_Q:
     P(p) ∧ Q(q) ∧ g ⇒ P(p) ∘ f
3. Vice versa for Q.
4. Show that ϕ ⇒ P(s_P) ∧ Q(s_Q) and P(t_P) ∧ Q(t_Q) ⇒ ψ.

(The slide repeats the two component diagrams from the previous example: P with p0 --i ≠ N; n ← x--> p1, p1 --x, i ← n + 1, i + 1--> p0, p0 --i = N--> p2, and Q with q0 --j ≠ N; m ← x--> q1, q1 --x, j ← m − 1, j + 1--> q0, q0 --j = N--> q2.)
How does it help?

The Owicki-Gries method generalises to n processes just by requiring more interference freedom obligations.

Derived Assertion Network. The automatic assertion network we get for the parallel composition from the Owicki-Gries method is the conjunction of the local assertions at each of the component states.

Given k transitions and m locations per process, using Floyd’s method on the parallel composition of n processes requires us to do 2 + n · k · m^(n−1) proofs! The Owicki-Gries method reduces that to 2 + n · k · (1 + (n − 1) · m), which is merely quadratic in n.
Proving Mutual Exclusion

The Owicki-Gries method can be used to prove properties like Mutual Exclusion. How? We don’t have a postcondition. Instead, make the assertions at the critical sections contradictory, so that they cannot be true simultaneously.

Caution: Ensure that each transition does not violate the limited critical reference rule!

Manna-Pnueli Algorithm
  integer wantp, wantq ← 0, 0

  Process p:
  forever do
    p1 non-critical section
    p2 if wantq = −1 then wantp ← −1 else wantp ← 1
    p3 await wantq ≠ wantp
    p4 critical section
    p5 wantp ← 0

  Process q:
  forever do
    q1 non-critical section
    q2 if wantp = −1 then wantq ← 1 else wantq ← −1
    q3 await wantq ≠ −wantp
    q4 critical section
    q5 wantq ← 0

Note: The p2 and q2 steps are each one atomic step!
Machine Instructions

What if we had a single machine instruction to swap two values atomically, XC?

  bit common ← 1
  bit tp ← 0
  bit tq ← 0

  Process p:
  forever do
    p1 non-critical section
    repeat
      p2 XC(tp, common)
    p3 until tp = 1
    p4 critical section
    p5 XC(tp, common)

  Process q:
  forever do
    q1 non-critical section
    repeat
      q2 XC(tq, common)
    q3 until tq = 1
    q4 critical section
    q5 XC(tq, common)
One Big Invariant

Imagine assertion network(s) where every assertion is the same: an invariant.

Benefit: We don’t need to prove interference freedom; the local verification conditions already show that the invariant is preserved.

Example (Exchange-based Critical Section Solution). Using assertions about the program counters, we can craft an invariant for the XC example!
  I ≡ (common ⊕ tp ⊕ tq) = 1 ∧ (P@p4 ⇒ tp = 1) ∧ (Q@q4 ⇒ tq = 1)
where ⊕ is exclusive or (xor). Note that this is false at p4 q4. So if this invariant is preserved we have mutex.

Let’s prove mutual exclusion for XC!
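As an added example (not code from the slides or from SPIN), the Python below explores every reachable state of P ∥ Q for the Manna-Pnueli algorithm and the XC algorithm above, the way SPIN does exhaustively, and checks mutual exclusion and the invariant I at every reachable state. The names explore, xc_process, mp_process, violations and the property functions are my own; exactly_one is an extra check I add (common + tp + tq = 1, which an atomic swap preserves), since it rules out tp = tq = 1 directly.

```python
# Added example (not the slides' or SPIN's code): explicit-state exploration of P || Q.
from collections import deque

def true(st): return True
def same(st): return st
def xc(a, b): return lambda st: {**st, a: st[b], b: st[a]}   # XC(a, b): one atomic swap

def explore(P, Q, init):
    """All reachable (pc_p, pc_q, store) of P || Q; a transition is (pc, guard, update, pc')."""
    start = ("p1", "q1", tuple(sorted(init.items())))
    seen, todo = {start}, deque([start])
    while todo:
        pp, pq, v = todo.popleft(); st = dict(v)
        succ = [(t[3], pq, t[2](st)) for t in P if t[0] == pp and t[1](st)]
        succ += [(pp, t[3], t[2](st)) for t in Q if t[0] == pq and t[1](st)]
        for np_, nq, ns in succ:
            s = (np_, nq, tuple(sorted(ns.items())))
            if s not in seen: seen.add(s); todo.append(s)
    return seen

def xc_process(x, t):   # the XC solution above; x is "p" or "q", t its bit tp/tq
    L = lambda n: x + str(n)
    return [(L(1), true, same, L(2)), (L(2), true, xc(t, "common"), L(3)),
            (L(3), lambda st: st[t] == 1, same, L(4)), (L(3), lambda st: st[t] != 1, same, L(2)),
            (L(4), true, same, L(5)), (L(5), true, xc(t, "common"), L(1))]

def mp_process(x, mine, other, sign):   # Manna-Pnueli above; sign = +1 for p, -1 for q
    L = lambda n: x + str(n)
    choose = lambda st: {**st, mine: sign * (-1 if st[other] == -1 else 1)}  # atomic p2/q2
    return [(L(1), true, same, L(2)), (L(2), true, choose, L(3)),
            (L(3), lambda st: st[other] != sign * st[mine], same, L(4)),    # the await
            (L(4), true, same, L(5)), (L(5), true, lambda st: {**st, mine: 0}, L(1))]

def violations(P, Q, init, prop):   # reachable states where prop(pc_p, pc_q, store) is false
    return sorted(s for s in explore(P, Q, init) if not prop(s[0], s[1], dict(s[2])))

def mutex(pp, pq, st): return not (pp == "p4" and pq == "q4")

def I_xc(pp, pq, st):   # the invariant I: (common ⊕ tp ⊕ tq) = 1 ∧ (P@p4 ⇒ tp=1) ∧ (Q@q4 ⇒ tq=1)
    return ((st["common"] ^ st["tp"] ^ st["tq"]) == 1
            and (pp != "p4" or st["tp"] == 1) and (pq != "q4" or st["tq"] == 1))

def exactly_one(pp, pq, st): return st["common"] + st["tp"] + st["tq"] == 1  # swap-preserved

XC_INIT, MP_INIT = dict(common=1, tp=0, tq=0), dict(wantp=0, wantq=0)
P_XC, Q_XC = xc_process("p", "tp"), xc_process("q", "tq")
P_MP, Q_MP = mp_process("p", "wantp", "wantq", 1), mp_process("q", "wantq", "wantp", -1)
```

violations(P_XC, Q_XC, XC_INIT, I_xc) and violations(P_MP, Q_MP, MP_INIT, mutex) both return an empty list; passing a property that is actually false somewhere (for instance that p4 is never reached) returns the offending states, which is how you confirm the checker is not vacuous.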
What now?

You now have all you need to complete Assignment 0 (warm-up), due next Thursday.

I have posted some Promela exercises about XC-style solutions that we will discuss next week (also due next Thursday).

Next week: We will examine some more sophisticated critical section solutions for n processes. We may also learn about semaphores, time permitting!