Title: Program correctness
1. Program correctness
- The state-transition model
- The set of global states = S0 × S1 × … × Sm
- Sk is the set of local states of process k
- S0 → S1 → S2 → …
- Each transition is caused by an action by an eligible process.
- We reason using interleaving semantics
[Figure: a state-transition diagram starting from the initial state; each transition between states is labeled by an action]
2. Correctness criteria
- Safety properties
- Bad things never happen
- Liveness properties
- Good things eventually happen
3. Testing vs. Proof
Testing: Apply inputs and observe whether the outputs satisfy the specifications. Foolproof testing can be painfully slow, even for small systems. Most testing is partial.
Proof: Has a mathematical foundation, and gives a complete guarantee. Sometimes not scalable.
4. Testing vs. Proof
- To test this program, you have to test all possible interleavings. With n processes p0, p1, …, pn-1, and m steps per process, the number of interleavings is
  $\frac{(n \cdot m)!}{(m!)^n}$
- The state explosion problem
5. Example 1: Mutual Exclusion
- Process 0:
    do true →
        Entry protocol
        Critical section
        Exit protocol
    od
- Process 1:
    do true →
        Entry protocol
        Critical section
        Exit protocol
    od
- Safety properties
- (1) There is no deadlock
- (2) At most one process enters the critical section.
- Liveness property
- A process trying to enter the CS must eventually succeed in doing so. (This is also called the progress property.)
6. Exercise
- program mutex 1
- define busy : shared boolean
- initially busy = false
- process 0:
    do true →
        do busy → skip od;
        busy := true;
        critical section;
        busy := false;
        remaining codes
    od
- process 1:
    do true →
        do busy → skip od;
        busy := true;
        critical section;
        busy := false;
        remaining codes
    od
- Does this mutual exclusion protocol satisfy liveness and safety properties?
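One way to answer the safety half of the exercise mechanically, as an added example that is not part of the slides: enumerate every interleaving of program mutex 1 in the state-transition model of slide 1 and look for a global state with two processes in the critical section. It assumes each guarded step (the guard check of the wait loop, the assignment to busy, the critical section, the exit) is one atomic action.

```python
# Added example (not part of the lecture slides): exhaustive search over all
# interleavings of "program mutex 1" in the state-transition model of slide 1.
# A global state is (busy, (pc0, pc1)); each step is one atomic action of an
# eligible process.  Safety checked: at most one process in the critical section.
from collections import deque

# Program counters; the wait-loop guard check and "busy := true" are separate atomic steps.
WAIT, SET, CS, EXIT = "wait", "set", "cs", "exit"

def step(state, pid):
    """Successor state after process pid acts once, or None if it cannot move."""
    busy, pcs = state
    pcs = list(pcs)
    pc = pcs[pid]
    if pc == WAIT:
        if busy:
            return None      # spins in "do busy -> skip od": no state change
        pcs[pid] = SET       # guard false: fall out of the wait loop
    elif pc == SET:
        busy, pcs[pid] = True, CS       # busy := true, enter critical section
    elif pc == CS:
        pcs[pid] = EXIT                 # leave the critical section
    else:                               # EXIT
        busy, pcs[pid] = False, WAIT    # busy := false; remaining code; loop
    return (busy, tuple(pcs))

def in_cs(state):
    return sum(1 for pc in state[1] if pc == CS)

def find_violation(nprocs=2):
    """BFS over every interleaving.  Returns (states_explored, trace): trace is the
    list of process ids whose actions reach a state with two processes in the CS."""
    init = (False, tuple(WAIT for _ in range(nprocs)))
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if in_cs(s) > 1:                   # safety property violated
            trace, cur = [], s
            while parent[cur] is not None:
                cur, pid = parent[cur]
                trace.append(pid)
            return len(parent), trace[::-1]
        for pid in range(nprocs):
            nxt = step(s, pid)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (s, pid)
                queue.append(nxt)
    return len(parent), None
```

The returned trace [0, 1, 0, 1] is the interleaving in which both processes pass the wait-loop guard before either sets busy; the reachable state space is tiny, which is why exhaustive search works here and the (n·m)!/(m!)^n count of slide 4 bites only for larger programs.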
7. Safety invariants
The mutual exclusion problem: number of processes in the critical section $\le 1$.
Producer-consumer problem: $0 \le n_P - n_C \le \text{buffer capacity}$.
[Figure: producer → buffer → consumer]
Absence of deadlock: $\neg(G_0 \vee G_1 \vee G_2 \vee \ldots \vee G_k) \Rightarrow \text{postcondition}$
Partial correctness: If the program terminates, then the postcondition will hold. It does not say whether the program will terminate (termination is a liveness property). Total correctness = partial correctness + termination.
8. Exercise
- Color the nodes of a graph so that no two adjacent nodes have the same color.
- program colorme for process Pi
- define color c ∈ {0, 1, 2, 3}
- Initially colors are arbitrary
- do ∃j : j ∈ neighbor(i) : (ci = cj) → ci := (ci + 2) mod 4 od
- Is the program partially correct?
- Does it terminate?
[Figure: a sample graph with nodes p0, p1, p2, p3]
9. Liveness properties
- Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.
- Some examples:
- The message will eventually reach the receiver.
- The process will eventually enter its critical section.
- The faulty process will eventually be diagnosed.
- Fairness (if an action will eventually be scheduled)
- The program will eventually terminate.
- Absence of liveness cannot be determined from a finite prefix of the computation.
10. Proving safety
- define c1, c2 : channel; init c1 = ∅, c2 = ∅
- r, t : integer; init r = 5, t = 5
- program for T
    1 do t > 0 → send msg along c1; t := t − 1
    2 □ ¬empty(c2) → rcv msg from c2; t := t + 1
    od
- program for R
    3 do ¬empty(c1) → rcv msg from c1; r := r + 1
    4 □ r > 0 → send msg along c2; r := r − 1
    od
- We want to prove the safety property P:
- The total number of messages in c1 + c2 is ≤ 10
[Figure: transmitter T and receiver R, connected by channel c1 (T to R) and channel c2 (R to T)]
11. Proving safety
- Let n1, n2 = number of messages in c1 and c2 respectively.
- We will establish the following invariant:
  $I \equiv (t \ge 0) \wedge (r \ge 0) \wedge (n_1 + t + n_2 + r = 10)$
- (I implies P). Check if I holds after every action.
- program for T
    1 do t > 0 → send msg along c1; t := t − 1
    2 □ ¬empty(c2) → rcv msg from c2; t := t + 1
    od
- program for R
    3 do ¬empty(c1) → rcv msg from c1; r := r + 1
    4 □ r > 0 → send msg along c2; r := r − 1
    od
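The action-by-action check the slide prescribes, carried out mechanically as an added example (not from the slides): the invariant I holds initially, every one of the four guarded actions preserves it, and I implies P. It assumes a global state (t, r, n1, n2) with n1, n2 the channel occupancies, and that every state satisfying I has all four components in 0..10, which the sum in I guarantees.

```python
# Added example (not from the slides): checking the invariant
# I = (t >= 0) and (r >= 0) and (n1 + t + n2 + r == 10) for the T/R program
# action by action.  A global state is (t, r, n1, n2), where n1 and n2 are the
# numbers of messages in channels c1 and c2.
from itertools import product

TOTAL = 10
INIT = (5, 5, 0, 0)          # t = 5, r = 5, c1 and c2 empty

def I(s):
    t, r, n1, n2 = s
    return t >= 0 and r >= 0 and n1 + t + n2 + r == TOTAL

def P(s):
    """The safety property: messages in c1 plus c2 never exceed 10."""
    return s[2] + s[3] <= TOTAL

def actions(s):
    """Yield (label, successor) for every guarded action enabled in state s."""
    t, r, n1, n2 = s
    if t > 0:   yield "1: T sends on c1",  (t - 1, r, n1 + 1, n2)
    if n2 > 0:  yield "2: T receives c2",  (t + 1, r, n1, n2 - 1)   # not empty(c2)
    if n1 > 0:  yield "3: R receives c1",  (t, r + 1, n1 - 1, n2)   # not empty(c1)
    if r > 0:   yield "4: R sends on c2",  (t, r - 1, n1, n2 + 1)

def inductive_check(bound=TOTAL):
    """Triples (state, action, successor) where I holds in state but fails in
    the successor.  An empty list means every action preserves I."""
    failures = []
    for s in product(range(bound + 1), repeat=4):   # covers every state satisfying I
        if not I(s):
            continue
        for label, nxt in actions(s):
            if not I(nxt):
                failures.append((s, label, nxt))
    return failures

def implies_P(bound=TOTAL):
    """I implies P on every state satisfying I."""
    return all(P(s) for s in product(range(bound + 1), repeat=4) if I(s))

def proof_holds():
    """I(initial state), I preserved by every action, and I => P: P is a safety invariant."""
    return I(INIT) and not inductive_check() and implies_P()
```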
12. Proving liveness
- If there is no infinite chain like $w_1 > w_2 > w_3 > w_4 > \ldots$, i.e. $f(s_i) > f(s_{i+1}) > f(s_{i+2}) > \ldots$, where the computation is the sequence of global states $S_1 \to S_2 \to S_3 \to S_4 \to \ldots$ and $f$ maps them to $w_1, w_2, w_3, w_4, \ldots \in WF$, with WF a well-founded set whose elements can be ordered by $>$,
- then the computation will definitely terminate!
- f is often called a variant function
13. Proof of liveness: an example
Clock phase synchronization. System of n clocks ticking at the same rate. Each clock is 3-valued, i.e. it ticks as 0, 1, 2, 0, 1, 2, … A failure may arbitrarily alter the clock phases. The clocks need to return to the same phase.
[Figure: clocks 0, 1, 2, 3, …, n-1]
14. Proof of liveness: an example
- Clock phase synchronization
- Program for each clock
- (ck = phase of clock k, initially arbitrary)
- do ∃j : j ∈ N(i) : cj = (ci + 1) mod 3 → ci := (ci + 2) mod 3
  □ ∀j : j ∈ N(i) : cj ≠ (ci + 1) mod 3 → ci := (ci + 1) mod 3
  od
- Show that eventually all clocks will return to the same phase (convergence), and continue to be in the same phase (closure)
[Figure: clocks 0, 1, 2, 3, …, n-1]
15. Proof of convergence
- Let $D = d_0 + d_1 + d_2 + \ldots + d_{n-1}$, where
  $d_i = 0$ if no arrow points towards clock i
  $d_i = i + 1$ if a ← points towards clock i
  $d_i = n - i$ if a → points towards clock i
  $d_i = 1$ if both ← and → point towards clock i.
- By definition, $D \ge 0$.
- Also, D decreases after every step in the system. So the number of arrows must reduce to 0.
[Figure: example clock phase configurations illustrating the arrows. Understand the game of arrows]
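The convergence and closure claims of slides 14 and 15 checked by simulation, as an added example that is not part of the slides. It assumes the clocks form a line (N(i) = {i-1, i+1}) and move synchronously, every clock executing its guarded command once per step on the old phases of its neighbours; the 4n step bound is an assumed generous limit, not a bound taken from the slides.

```python
# Added example (not part of the slides): synchronous simulation of the clock
# phase synchronization program of slide 14 on a line of n clocks, with
# N(i) = {i-1, i+1}.  It checks the two liveness claims empirically: every
# initial phase assignment converges to a common phase, and that phase is kept.
from itertools import product

def step(clocks):
    """One synchronous step: every clock executes its guarded command once,
    reading the old phases of its neighbours."""
    n = len(clocks)
    new = []
    for i, ci in enumerate(clocks):
        nbrs = [clocks[j] for j in (i - 1, i + 1) if 0 <= j < n]
        if any(cj == (ci + 1) % 3 for cj in nbrs):
            new.append((ci + 2) % 3)    # a neighbour is one tick ahead: step back
        else:
            new.append((ci + 1) % 3)    # otherwise tick forward normally
    return tuple(new)

def synchronized(clocks):
    return len(set(clocks)) == 1

def steps_to_converge(clocks, max_steps=None):
    """Synchronous steps until all phases agree; None if the bound (an assumed
    generous 4n by default) is exhausted, i.e. convergence was not observed."""
    if max_steps is None:
        max_steps = 4 * len(clocks)
    for k in range(max_steps + 1):
        if synchronized(clocks):
            return k
        clocks = step(clocks)
    return None

def closure_holds(clocks, steps=6):
    """From a synchronized state the clocks stay synchronized and keep
    ticking 0, 1, 2, 0, ... together (the closure property)."""
    for _ in range(steps):
        nxt = step(clocks)
        if not synchronized(nxt) or nxt[0] != (clocks[0] + 1) % 3:
            return False
        clocks = nxt
    return synchronized(clocks)

def all_configurations_converge(n):
    """Exhaustive check of convergence over all 3^n initial phase assignments."""
    return all(steps_to_converge(c) is not None
               for c in product(range(3), repeat=n))
```

Simulation shows convergence for every enumerated start state but does not replace the proof: the variant function D of slide 15 is what guarantees it for every n.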