Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Shared Variable Proof Methods, Hardware-Assisted Critical Sections Dr. Liam O’Connor University of Edinburgh LFCS (and UNSW) Term 2 2020 1
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Where we are at In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. 2
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Where we are at In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. We also introduced the SPIN model checking tool for rigorous analysis of candidate solutions. 3
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Where we are at In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. We also introduced the SPIN model checking tool for rigorous analysis of candidate solutions. In this lecture, we will introduce a formal proof method for verifying safety properties, and apply it to a new kind of critical section solution that relies on hardware support. 4
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition A transition diagram is a tuple ( L , T , s , t ) where: L is a set of locations (program counter values). s ∈ L is a entry location . t ∈ L is a exit location . T is a set of transitions .
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition A transition diagram is a tuple ( L , T , s , t ) where: L is a set of locations (program counter values). s ∈ L is a entry location . t ∈ L is a exit location . T is a set of transitions . g ; f A transition is written as ℓ i − − → ℓ j where: ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 7
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do s ← s + i ; L is a set of locations i ← i + 1 (program counter values). od s ∈ L is a entry location . t ∈ L is a exit location . T is a set of transitions . g ; f A transition is written as ℓ i − − → ℓ j where: ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 8
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; ℓ 0 A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do s ← s + i ; L is a set of locations i ← i + 1 (program counter values). od s ∈ L is a entry location . t ∈ L is a exit location . T is a set of transitions . g ; f A transition is written as ℓ i − − → ℓ j where: ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 9
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; ℓ 0 A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do ⊤ ; i ← 0 s ← s + i ; L is a set of locations i ← i + 1 (program counter values). ℓ 1 od s ∈ L is a entry location . t ∈ L is a exit location . T is a set of transitions . g ; f A transition is written as ℓ i − − → ℓ j where: ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 10
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; ℓ 0 A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do ⊤ ; i ← 0 s ← s + i ; L is a set of locations i ← i + 1 (program counter values). ℓ 1 od s ∈ L is a entry location . t ∈ L is a exit location . s ← 0 T is a set of transitions . g ; f A transition is written as ℓ i − − → ℓ j where: ℓ 2 ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 11
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; ℓ 0 A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do ⊤ ; i ← 0 s ← s + i ; L is a set of locations i ← i + 1 (program counter values). ℓ 1 od s ∈ L is a entry location . t ∈ L is a exit location . i � = N ; s ← s + i s ← 0 T is a set of transitions . ℓ 3 g ; f A transition is written as ℓ i − − → ℓ j where: ℓ 2 i ← i + 1 ℓ i and ℓ j are locations. g is a guard Σ → B f is a state update Σ → Σ. 12
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Transition Diagrams Definition i ← 0; ℓ 0 A transition diagram is a tuple ( L , T , s , t ) s ← 0; where: while i � = N do ⊤ ; i ← 0 s ← s + i ; L is a set of locations i ← i + 1 (program counter values). ℓ 1 od s ∈ L is a entry location . t ∈ L is a exit location . i � = N ; s ← s + i s ← 0 T is a set of transitions . ℓ 3 g ; f A transition is written as ℓ i − − → ℓ j where: ℓ 2 i ← i + 1 ℓ i and ℓ j are locations. g is a guard Σ → B i = N ℓ 4 f is a state update Σ → Σ. 13
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } 14
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . 15
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram ( L , T , s , t ): 16
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram ( L , T , s , t ): Associate with each location ℓ ∈ L an assertion Q ( ℓ ) : Σ → B . 1 17
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram ( L , T , s , t ): Associate with each location ℓ ∈ L an assertion Q ( ℓ ) : Σ → B . 1 Prove that this assertion network is inductive , that is: For each transition in T 2 g ; f − − → ℓ j show that: ℓ i Q ( ℓ i ) ∧ g ⇒ Q ( ℓ j ) ◦ f 18
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram ( L , T , s , t ): Associate with each location ℓ ∈ L an assertion Q ( ℓ ) : Σ → B . 1 Prove that this assertion network is inductive , that is: For each transition in T 2 g ; f − − → ℓ j show that: ℓ i Q ( ℓ i ) ∧ g ⇒ Q ( ℓ j ) ◦ f Show that ϕ ⇒ Q ( s ) and Q ( t ) ⇒ ψ . 3 19
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Floyd Verification Recall the definition of a Hoare triple for partial correctness : { ϕ } P { ψ } This states that if the program P successfully executes from a starting state satisfying ϕ , the result state will satisfy ψ . Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram ( L , T , s , t ): Associate with each location ℓ ∈ L an assertion Q ( ℓ ) : Σ → B . 1 Prove that this assertion network is inductive , that is: For each transition in T 2 g ; f − − → ℓ j show that: ℓ i Q ( ℓ i ) ∧ g ⇒ Q ( ℓ j ) ◦ f Show that ϕ ⇒ Q ( s ) and Q ( t ) ⇒ ψ . 3 Liam will now demonstrate on the previous example 20
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Adding Concurrency i � = N ; n ← x i = N p 1 p 0 p 2 x , i ← n + 1 , i + 1 21
Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions Adding Concurrency i � = N ; n ← x i = N p 1 p 0 p 2 x , i ← n + 1 , i + 1 q 1 x , j ← m − 1 , j + 1 j � = N ; m ← x q 0 j = N q 2 22
Recommend
More recommend
