Program correctness

1
Program correctness

• The State-transition model
• The set of global states
• so x s1 x x sm
• sk is the set of local states of process k
• S0 ---gt S1 ---gt S2 ---gt
• Each transition is caused by an action by an
  eligible process.
• We reason using interleaving semantics

action
action
action
2
Correctness criteria

• Safety properties
• Bad things never happen
• Liveness properties
• Good things eventually happen

3
Testing vs. Proof
Testing Apply inputs and observe if the outputs
satisfy the specifications. Fool proof testing
can be painfully slow, even for small systems.
Most testing are partial. Proof Has a
mathematical foundation, and a complete
guarantee. Sometimes not scalable.
4
Testing vs. Proof

• To test this program, you have to test all
  possible interleavings. With n processes p0, p1,
  pn-1, the number of interleavings is
• (n.m)!
• (m!) n
• The state explosion problem

• p0 p1 p2
• Step 1 ---- ---- ----
• Step 2 ---- ---- ----
• Step m ---- ---- ----

5
Example 1 Mutual Exclusion

• Process 0 Process 1
• do true ? do true ?
• Entry protocol Entry protocol
• Critical section Critical section
• Exit protocol Exit protocol
• od od
• Safety properties
• (1) There is no deadlock
• (2) At most one process enters the critical
  section.
• Liveness property
• A process trying to enter the CS must eventually
  succeed in doing so.
• (This is also called the progress property)

6
Exercise

• define busy shared Boolean
• initially busy false
• process 0 process 1
• do true ? do true ?
• do busy ? skip od do busy ? skip od
• busy true busy true
• critical section critical section
• busy false busy false
• remaining codes remaining codes
• od od
• Does this mutual exclusion protocol satisfy
  liveness and safety properties?

7
Safety invariants

• Mutex The number of processes in the CS 1
• Bounded capacity channel 0 nP - nC channel
  capacity
• Absence of deadlock ?(G0?G1?G2??Gk)?
  postcondition
• Partial Correctness If the program terminates,
  then the result will be correct. It does not
  determine if the program will terminate.
  (Termination is a liveness property).
• Total correctness partial correctness
  termination.
• Safety violation can be determined by examining
  a finite prefix of the computation.

8
Exercise

• Graph coloring problem.
• Color the nodes of a grpah so that no
• two adjacent nodes have the same color.
• program colorme for process Pi
• define color c ? 0, 1, 2, 3
• Initially colors may be arbitrary.
• do ?j j ? N(i) (ci cj) ? ci
  (ci2) mod 4
• od
• Is the program partially correct?
• Does it terminate?

p2
p1
p0
p3
9
Liveness properties

• Eventuality can be tricky. There is no need to
  guarantee when
• the desired thing will happen, as long as it
  happens..
• Examples
• The message will eventually reach the receiver.
• The process will eventually enter its critical
  section.
• The faulty process will be eventually be
  diagnosed
• Fairness (if an action will eventually be
  scheduled)
• The program will eventually terminate.
• Absence of liveness cannot be determined from
  finite prefix of the computation

10
More safety properties

• Some example are
• Buffer should not overflow, i.e. 0 (in - out)
  capacity
• No deadlock
• Partial correctness
• Safety property can be disproved by
• examining a finite prefix of the computation.

11
Liveness properties

• Some example are
• Progress towards the critical section
• Reachability
• Termination
• Fairness
• Liveness property cannot be disproved by
  examining a finite prefix of the computation.

12
Proving safety

• define c1, c2 channel init c1 ??? c2 ??
• r, t integerinit r 5, t 5
• program for T
• do t gt 0? send msg along c1 t t -1
• 2 ? empty (c2) ? rcv msg from c2 t t 1
• od
• program for R
• 3 do empty (c1) ? rcv msg from c1 r r1
• 4 ? r gt 0 ? send msg along c2 r r-1
• od
• We want to prove the safety property P
• The total number of messages in c1 c2 is 10

13
Proof of safety continued

• Let n1, n2 of msg in c1and c2 respectively.
• We will establish the following invariant
• I ? (t 0) ? (r 0) ? (n1 t n2 r 10)
• (I implies P). Check if I holds after every
  action.
• program for T
• do t gt 0? send msg along c1 t t -1
• 2 ? empty (c2) ? rcv msg from c2 t t 1
• od
• program for R
• 3 do empty (c1) ? rcv msg from c1 r r1
• 4 ? r gt 0 ? send msg along c2 r r-1
• od

14
Proving liveness

• S1? S2 ? S3 ? S4 ?
• ? f ? f ? f ? f
• w1 w2 w3 w4
• Here,
• w1, w2, w3, w4 ? WF
• WF is a well-founded set whose elements can be
  ordered by

• There is no infinite
• chain like
• w1 w2 w3 w4 ..
• f(si) f(si1) f(si2) ..

15
Proof of liveness an example

• Clock phase synchronization
• Program for each clock
• (ck phase of clock k, initially arbitrary)
• do ? j j ? N(i) cj ci 1 mod 3 ? ci
  ci 2 mod 3
• ? ? j j ??N(i) cj ? ci 1 mod 3 ?
  ci ci 1 mod 3
• od
• Show that eventually all clocks will return
• to the same phase, and continue their
• synchronization

0
1
2
3
n-1
16
Understanding convergence

• Let D d0 d1 d2 dn-1
• di 0 if no arrow points towards clock i
• i1 if a ???pointing towards clock i
• ??n-i if a ??? pointing towards clock i
• 1 if both ? and ??point towards
• clock i.
• By definition, D 0. Also, D decreases after
  every step in the system. So the number of arrows
  must reduce to 0.

0
2
0
2
2
1
1
1
0
1
2
2
2
2
2
Understand the game of arrows