Program correctness (PowerPoint presentation transcript)

Title: Program correctness
Author: Sukumar Ghosh (last modified by Sukumar Ghosh). Created 11/1/2002 2:53:35 AM. The file's original title field reads "Concurrent Reading and Writing using Mobile Agents".

Slide 1: Program correctness
  • The state-transition model
  • The set of global states: s0 × s1 × ... × sm
  • sk is the set of local states of process k
  • A computation is a sequence of global states S0 → S1 → S2 → ...
  • Each transition is caused by an action by an eligible process.
  • We reason using interleaving semantics

[Figure: state-transition diagram; an initial state and further states joined by transitions, each transition labelled with the action that causes it]
Slide 2: Correctness criteria
  • Safety properties
  • Bad things never happen
  • Liveness properties
  • Good things eventually happen

Slide 3: Testing vs. Proof
  • Testing: apply inputs and observe whether the outputs satisfy the specifications. Foolproof testing can be painfully slow, even for small systems. Most testing is partial.
  • Proof: has a mathematical foundation, and gives a complete guarantee. Sometimes not scalable.
Slide 4: Testing vs. Proof
  • To test this program, you have to test all possible interleavings. With n processes p0, p1, ..., pn-1, and m steps per process, the number of interleavings is
  • (n.m)! / (m!)^n
  • The state explosion problem

[Figure: processes p0, p1, p2, p3, each executing step1, step2, step3]
Slide 5: Example 1: Mutual Exclusion

  Process 0                Process 1
  do true →                do true →
     Entry protocol           Entry protocol
     Critical section         Critical section
     Exit protocol            Exit protocol
  od                       od

  • Safety properties
  • (1) There is no deadlock
  • (2) At most one process enters the critical section.
  • Liveness property
  • A process trying to enter the CS must eventually succeed. (This is also called the progress property.)
Slide 6: Exercise

  program mutex 1
  {two-process mutual exclusion algorithm, shared memory model}
  define busy : shared boolean (initially busy = false)

  process 0                    process 1
  do true →                    do true →
     do busy → skip od            do busy → skip od
     busy := true                 busy := true
     critical section             critical section
     busy := false                busy := false
     remaining codes              remaining codes
  od                           od

  • Does this mutual exclusion protocol satisfy the liveness and safety properties?
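An added example (not from the slides) that answers the safety half of the exercise the way slide 4 suggests: mutex 1 is encoded as an explicit state machine and every interleaving of the two processes is enumerated. The `atomic` variant, a test-and-set that folds the wait loop and `busy := true` into one action, is my assumption for contrast and is not the slide's program.

```python
from collections import deque

# Program "mutex 1" from the slide as an explicit state machine.
# Global state: (busy, pc0, pc1); each pc is one of the four labels below.
TEST, SET, CS, EXIT = "test", "set", "cs", "exit"
INIT = (False, TEST, TEST)

def step(state, k, atomic=False):
    """Execute one action of process k and return the successor state.
    atomic=False is the slide's program: 'do busy -> skip od' and
    'busy := true' are two separate actions. atomic=True is an assumed
    test-and-set variant (not on the slide) that folds them into one."""
    busy, pcs = state[0], list(state[1:])
    pc = pcs[k]
    if pc == TEST:
        if busy:
            pass                        # do busy -> skip od (keep spinning)
        elif atomic:
            busy, pcs[k] = True, CS     # test and set in one indivisible action
        else:
            pcs[k] = SET                # saw busy == false; will set it next
    elif pc == SET:
        busy, pcs[k] = True, CS         # busy := true (the race window is here)
    elif pc == CS:
        pcs[k] = EXIT                   # leave the critical section
    else:
        busy, pcs[k] = False, TEST      # busy := false; remaining codes
    return (busy, pcs[0], pcs[1])

def find_violation(atomic=False):
    """Breadth-first search over every interleaving of the two processes.
    Returns the shortest action sequence that puts both processes in CS,
    or None if the safety property 'at most one process in CS' holds."""
    seen, queue = {INIT}, deque([(INIT, [])])
    while queue:
        s, trace = queue.popleft()
        if s[1] == CS and s[2] == CS:
            return trace
        for k in (0, 1):
            nxt = step(s, k, atomic)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [f"p{k}:{s[1 + k]}"]))
    return None

if __name__ == "__main__":
    print("mutex 1  :", find_violation())             # a 4-action bad interleaving
    print("test&set :", find_violation(atomic=True))  # None: safety holds
```

The trace found is the interleaving in which both processes pass the `do busy → skip od` test before either sets `busy`; only four actions are needed.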

Slide 7: Safety invariants
Invariant means something should always hold.
  • The mutual exclusion problem: total no. of processes in CS ≤ 1.
  • Producer-consumer problem: 0 ≤ nP - nC ≤ buffer capacity (nP = no. of items produced, nC = no. of items consumed).

[Figure: a producer and a consumer sharing a bounded buffer]

¬(G0 ∨ G1 ∨ G2 ∨ ... ∨ Gk) ⇒ postcondition

Partial correctness: if the program terminates, then the postcondition will hold. It does not say whether the program will terminate (termination is a liveness property). (So, what is the invariant here?)
Total correctness = partial correctness + termination.
Slide 8: Exercise
  • Color the nodes of a graph so that no two adjacent nodes have the same color.

  program colorme {for process Pi}
  define color c ∈ {0, 1}
  {Initially colors are arbitrary}
  do ∃j : j ∈ neighbor(i) : (ci = cj) → ci := 1 - ci
  od

  • Is the program partially correct? YES (why?)
  • Does it terminate? NO (why?)

[Figure: a small graph of nodes p0, p1, p2, p3 labelled with colors 0, 0, 1, 1]
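An added example, not from the slides, that explores every interleaving of colorme on a small graph to see both answers at once: every terminal state is properly coloured (partial correctness), while a reachable cycle in the state graph is an execution that never terminates. The ring topology and the starting colours 0, 0, 1, 1 are my assumptions, since the slide's figure is not recoverable.

```python
def ring(n):
    """Neighbour sets of an n-node ring (assumed topology for this example)."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def enabled(colors, nbrs):
    """Processes whose guard holds: some neighbour j has cj = ci."""
    return [i for i in nbrs if any(colors[i] == colors[j] for j in nbrs[i])]

def flip(colors, i):
    """Action of process i: ci := 1 - ci."""
    c = list(colors)
    c[i] = 1 - c[i]
    return tuple(c)

def proper(colors, nbrs):
    """Postcondition: no two adjacent nodes share a colour."""
    return all(colors[i] != colors[j] for i in nbrs for j in nbrs[i])

def explore(init, nbrs):
    """DFS over every interleaving from init. Returns (terminal, cyclic):
    terminal = reachable states with no enabled process (the program has
    terminated there); cyclic = True if some execution can run forever."""
    terminal, on_path, done = set(), set(), set()
    cyclic = False

    def dfs(s):
        nonlocal cyclic
        on_path.add(s)
        moves = enabled(s, nbrs)
        if not moves:
            terminal.add(s)
        for i in moves:
            nxt = flip(s, i)
            if nxt in on_path:        # back edge: an infinite execution exists
                cyclic = True
            elif nxt not in done:
                dfs(nxt)
        on_path.remove(s)
        done.add(s)

    dfs(init)
    return terminal, cyclic

def partially_correct(init, nbrs):
    """Partial correctness: every state in which the program has terminated is proper."""
    terminal, _ = explore(init, nbrs)
    return all(proper(s, nbrs) for s in terminal)
```

On the 4-ring from (0, 0, 1, 1) the two proper colourings are reachable, but so is the loop (0,0,1,1) → (0,1,1,1) → (0,0,1,1) in which p1 keeps flipping; on a triangle no terminal state exists at all.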
Slide 9: Liveness properties
  • Eventuality is tricky. There is no need to guarantee when the desired thing will happen, as long as it happens.
  • Some examples:
  • The message will eventually reach the receiver.
  • The process will eventually enter its critical section.
  • The faulty process will eventually be diagnosed.
  • Fairness (if an action will eventually be scheduled).
  • The program will eventually terminate.
  • Absence of liveness cannot be determined from a finite prefix of the computation.

Slide 10: Proving safety
n1 = number of messages in c1, n2 = number of messages in c2

  define c1, c2 : channel    init c1 = ⟨⟩, c2 = ⟨⟩
         r, t : integer      init r = 5, t = 5

  program for T
  do 1: t > 0        → send msg along c1; t := t - 1
  [] 2: ¬empty(c2)   → rcv msg from c2; t := t + 1
  od

  program for R
  do 3: ¬empty(c1)   → rcv msg from c1; r := r + 1
  [] 4: r > 0        → send msg along c2; r := r - 1
  od

  • We want to prove the safety property P
  • P ≡ n1 + n2 ≤ 10

[Figure: transmitter T and receiver R, with channel c1 carrying messages from T to R and channel c2 from R to T]
Slide 11: Proving safety
  • n1, n2 = number of messages in c1 and c2 respectively.
  • We will establish the following invariant
  • I ≡ (t ≥ 0) ∧ (r ≥ 0) ∧ (n1 + t + n2 + r = 10)
  • (I implies P). Check if I holds after every action.

  program for T
  do 1: t > 0        → send msg along c1; t := t - 1
  [] 2: ¬empty(c2)   → rcv msg from c2; t := t + 1
  od

  program for R
  do 3: ¬empty(c1)   → rcv msg from c1; r := r + 1
  [] 4: r > 0        → send msg along c2; r := r - 1
  od

Use the method of induction
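The induction the slide refers to, carried out mechanically as an added example (not from the slides): over the bounded state space (t, r, n1, n2) it checks that I holds initially, that each of the four actions preserves I, and that I implies P. The same check run on P alone shows why the stronger invariant I is needed: P is true of the initial state but is not preserved by every action.

```python
from itertools import product

N = 10                 # t + r at initialisation (5 + 5); also bounds each counter
INIT = (5, 5, 0, 0)    # (t, r, n1, n2): both channels start empty

def I(t, r, n1, n2):
    """The slide's invariant: (t >= 0) and (r >= 0) and (n1 + t + n2 + r = 10)."""
    return t >= 0 and r >= 0 and n1 + t + n2 + r == N

def P(t, r, n1, n2):
    """The safety property to prove: n1 + n2 <= 10."""
    return n1 + n2 <= N

def successors(t, r, n1, n2):
    """Successor states under the four guarded actions of T and R."""
    out = []
    if t > 0:                                  # 1: T sends a msg along c1
        out.append((t - 1, r, n1 + 1, n2))
    if n2 > 0:                                 # 2: T receives a msg from c2
        out.append((t + 1, r, n1, n2 - 1))
    if n1 > 0:                                 # 3: R receives a msg from c1
        out.append((t, r + 1, n1 - 1, n2))
    if r > 0:                                  # 4: R sends a msg along c2
        out.append((t, r - 1, n1, n2 + 1))
    return out

def all_states():
    # Every (t, r, n1, n2) with each counter in 0..N; no counter is ever negative.
    return product(range(N + 1), repeat=4)

def is_inductive(pred):
    """Method of induction: pred holds initially, and from every state where
    pred holds, every enabled action leads to a state where pred still holds.
    Returns (True, None) or (False, (state, bad_successor))."""
    if not pred(*INIT):
        return False, (None, INIT)
    for s in all_states():
        if pred(*s):
            for nxt in successors(*s):
                if not pred(*nxt):
                    return False, (s, nxt)
    return True, None

def implies(a, b):
    """a(s) => b(s) for every state s in the bounded space."""
    return all(b(*s) for s in all_states() if a(*s))
```

`is_inductive(I)` returns `(True, None)` and `implies(I, P)` is `True`, which together prove P; `is_inductive(P)` returns a counterexample such as a state with n1 + n2 = 10 and r > 0, from which action 4 pushes an eleventh message into c2.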
Slide 12: Proving liveness
  • If there is no infinite chain like w1 > w2 > w3 > w4 > ..., i.e.
  • f(si) > f(si+1) > f(si+2) > ...

  Global state:  S1 → S2 → S3 → S4 → ...
                 ↓f   ↓f   ↓f   ↓f
                 w1   w2   w3   w4        w1, w2, w3, w4 ∈ WF

  • WF is a well-founded set whose elements can be ordered by >

then the computation will definitely terminate!
f is called a variant function.
Example?
Slide 13: Proof of liveness: an example
Clock phase synchronization. System of n clocks ticking at the same rate. Each clock is 3-valued, i.e. it ticks as 0, 1, 2, 0, 1, 2, ... A failure may arbitrarily alter the clock phases. The clocks need to return to the same phase.

[Figure: a row of clocks numbered 0, 1, 2, 3, ..., n-1]
Slide 14: Proof of liveness: an example
ck ∈ {0, 1, 2}
  • Clock phase synchronization
  • Program for each clock (ck = phase of clock k, initially arbitrary)

  do ∃j : j ∈ N(i) : cj = ci + 1 mod 3  →  ci := ci + 2 mod 3
  [] ∀j : j ∈ N(i) : cj ≠ ci + 1 mod 3  →  ci := ci + 1 mod 3
  od

  • Show that eventually all clocks will return to the same phase (convergence), and continue to be in the same phase (closure).

[Figure: a row of clocks numbered 0, 1, 2, 3, ..., n-1]
Slide 15: Proof of convergence
  • Let D = d0 + d1 + d2 + ... + dn-1, where
  • di = 0 if no arrow points towards clock i
  •    = i + 1 if a → points towards clock i
  •    = n - i if a ← points towards clock i
  •    = 1 if both → and ← point towards clock i.
  • By definition, D ≥ 0.
  • Also, D decreases after every step in the system. So the number of arrows must reduce to 0.

[Figure: a row of clocks with phases 0, 1, 2 and arrows drawn between neighbouring clocks, illustrating the game of arrows]
Understand the game of arrows