-------------------------------------------------------
Lecture of Jan 27, CS 6110, Fall 2011
-------------------------------------------------------

* Reinforce Floyd-Hoare Logic
  - Some loop invariant examples

* On Correctness assertions
  - Hoare axioms, Pre/post
  - Local assertions
  - Invariants
  - Safety assertions
  - Liveness assertions

* Show some simple locking protocols
  - first incorrect (lock1)
  - second incorrect (lock2)
  - Peterson's

* Modeling for correctness
  - What are we modeling?
    . Bubble sort
      > you can atomize things more, as we care only about the final answer
    . Mutex routines
      > don't atomize excessively - else you don't observe anything!
  - How to create models?
    . MWGC
      > Simple sweet model
    . Lamport's Bakery
      > model "as usual," but not losing atomicity
    . Bakery's extra credit
      > Read/write overlap can produce "garbage values"
        + how to model it?
      > Process failure does not foul up protocol
        + how to model it?
        + failed processes produce "0" for their flag

-------------------------------------------------------
Now for the details!
-------------------------------------------------------

Ex-17 p33 Gordon:

  {M >= 0}
  BEGIN
    X := 0;
    for N := 1 until M do
      X := X+N;
  END
  {X = (M*(M+1)) / 2}

-------------------------------------------------------
Draw a flowchart

     { M >= 0 }
       X := 0
         |
         v
       N := 1
         |
      A  o
         |
     << N > M >> --T---> { X = M.(M+1)/2 }
         | F
         |
     X := X + N
         |
         v
     N := N + 1
         |
         v
       goto A

  LI at A : X = ...?...      X = N.(N-1)/2

-------------------------------------------------------

Ex-28 p33 Gordon:

  {X=x & Y=y}
  BEGIN
    S := 0;
    REPEAT
      R := 0;
      REPEAT
        S := S+1;
        R := R+1
      UNTIL R=Y;
      X := X-1;
    UNTIL X=0;
  END
  {S = x * y}

-- here is the Floyd proof

   { X=x and Y=y }    -- for termination, need x>0 also, right?
                      -- but Floyd's approach is for partial correctness,
                      -- i.e., ignoring termination
         |
         v
       S := 0
         |
      B  o
         |
         v
       R := 0
         |
         v
      A  o
         |          I1c
       S := S+1
         |          I1b
         v
       R := R+1
         |          I1a
         v
     << R = Y >> --F--> goto A
         | T
       X := X-1
         |          I1d
         v
     << X = 0 >> --F--> goto B
         | T
         v
     { S = x * y }

  S builds up as a stair-case.
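The candidate invariants from the two flowcharts (X = N.(N-1)/2 at A in Ex-17, S = R + y.(x-X) at A in Ex-28) can be exercised at run time before the paper proof: the program is run with the cut-point assertions in place, so a wrong candidate invariant fails at the first cut point that refutes it, and a run that never reaches the postcondition (the x > 0 caveat on termination above) is reported instead of hanging. This is an added example and not code from the notes or from Gordon's book; the names `verdict`, `check`, `bound` and the two exception classes are this example's own.

```python
"""Run-time checks of the Floyd-Hoare annotations for Gordon's Ex-17 and Ex-28.

Added example, not from the notes or from Gordon's book.  Each program is run
with the cut-point assertions from its flowchart; `bound`, `verdict` and the
exception names are this example's own.
"""


class InvariantViolation(Exception):
    """An annotation (cut-point invariant or postcondition) failed."""


class NonTermination(Exception):
    """The step bound was exceeded; partial correctness says nothing here."""


def check(cond, msg):
    if not cond:
        raise InvariantViolation(msg)


def ex17(M, invariant=lambda X, N: X == N * (N - 1) // 2):
    """{M >= 0} X := 0; for N := 1 until M do X := X+N {X = M(M+1)/2}.

    `invariant` is the candidate assertion at cut point A, i.e. just before
    every test N > M; the default is the LI from the flowchart.
    """
    check(M >= 0, "precondition {M >= 0} violated")
    X = 0
    N = 1
    while True:                                   # cut point A
        check(invariant(X, N), f"invariant fails at A: X={X}, N={N}")
        if N > M:
            break
        X = X + N
        N = N + 1
    check(X == M * (M + 1) // 2, f"postcondition fails: X={X}, M={M}")
    return X


def ex28(x, y, invariant=lambda S, R, X, x, y: S == R + y * (x - X), bound=10_000):
    """{X=x & Y=y} S := 0; REPEAT R := 0; REPEAT S := S+1; R := R+1 UNTIL R=Y;
    X := X-1 UNTIL X=0 {S = x*y}.

    `invariant` is the candidate I1 at cut point A (default: S = R + y.(x-X)).
    At cut point B the same invariant with R = 0, i.e. S = y.(x-X), is checked.
    `bound` caps the executed inner iterations so non-termination is reported.
    """
    X, Y, S = x, y, 0
    steps = 0
    while True:                                   # cut point B
        check(S == y * (x - X), f"invariant fails at B: S={S}, X={X}")
        R = 0
        while True:                               # cut point A
            check(invariant(S, R, X, x, y), f"I1 fails at A: S={S}, R={R}, X={X}")
            S = S + 1
            R = R + 1
            steps += 1
            if steps > bound:
                raise NonTermination(f"no termination within {bound} steps (x={x}, y={y})")
            if R == Y:
                break
        X = X - 1
        if X == 0:
            break
    check(S == x * y, f"postcondition {{S = x*y}} fails: S={S}")
    return S


def verdict(prog, *args, **kwargs):
    """Classify one annotated run: "ok", "violation" or "no-termination"."""
    try:
        prog(*args, **kwargs)
    except InvariantViolation:
        return "violation"
    except NonTermination:
        return "no-termination"
    return "ok"


if __name__ == "__main__":
    print("Ex-17, M=5:", ex17(5))                  # 15
    print("Ex-28, x=3, y=4:", ex28(3, 4))          # 12
    wrong = lambda X, N: X == N * (N + 1) // 2     # off-by-one candidate for A
    print("Ex-17 with X = N.(N+1)/2 at A:", verdict(ex17, 5, invariant=wrong))
    print("Ex-28 with x=0:", verdict(ex28, 0, 2))  # the termination caveat
```

A run-time check of this kind only refutes candidates; it cannot prove the invariant, which is what the verification conditions I1 => I1c and the outer-path conditions do. Note also that with x = 0 every checked assertion still holds on every cut point visited, which is exactly what partial correctness promises and no more.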
LI at I1c is S-R = y.(x-X)

Also note that y=Y in the whole program.

Prove that this is an LI:

  I1:   S = R + y.(x-X)
  I1a:  R != Y    =>  S = R + y.(x-X)
  I1b:  R+1 != Y  =>  S = R+1 + y.(x-X)
  I1c:  R+1 != Y  =>  S+1 = R+1 + y.(x-X)

Now we can show that I1 => I1c, i.e.

      S = R + Y.(x-X),  R+1 != Y
  --------------------------------------------
      S+1 = R+1 + Y.(x-X)

This is fine.

Now consider the outer path.

  I1d:  X != 0              =>  S = y * (x-X)
  I1e:  X-1 != 0            =>  S = y * (x-X+1)
  I1a:  R=Y & X-1 != 0      =>  S = y * (x-X+1)
  I1b:  R+1=Y & X-1 != 0    =>  S = y * (x-X+1)
  I1c:  R+1=Y & X-1 != 0    =>  S+1 = y * (x-X+1)

Show that  S = R + y.(x-X),  y=Y,  R+1=Y,  X-1 != 0
implies    S+1 = y * (x-X+1)

Easy.

-------------------------------------------------------
Now study the locking protocols from Herlihy and Shavit
Then study Peterson's protocol
Then see how Peterson's protocol is encoded in Murphi
You will have to similarly encode Bakery in Murphi
-------------------------------------------------------

-------------------------------------------------------------------------
-- Copyright (C) 1992, 1993, 1994, 1995 by the Board of Trustees of
-- Leland Stanford Junior University.
--
-- This description is provided to serve as an example of the use
-- of the Murphi description language and verifier, and as a benchmark
-- example for other verification efforts.
--
-- License to use, copy, modify, sell and/or distribute this description
-- and its documentation any purpose is hereby granted without royalty,
-- subject to the following terms and conditions, provided
--
-- 1.  The above copyright notice and this permission notice must
--     appear in all copies of this description.
--
-- 2.  The Murphi group at Stanford University must be acknowledged
--     in any publication describing work that makes use of this example.
--
-- Nobody vouches for the accuracy or usefulness of this description
-- for any purpose.
-------------------------------------------------------------------------
-------------------------------------------------------------------------
--
-- Engineer: C. Norris Ip
--
-- File: 2_peterson.m
--
-- Content: Peterson's algorithm (mutual exclusion for 2-processes)
--
-- Summary of result:
--   1) No bug is discovered
--   2) Details of result can be found at the end of this file.
--
-- References:
--   Peterson, G.L., Myths about the mutual exclusion problem,
--   Information processing letters, Vol 12, No 3, 1981.
--
-- Date created: 28 Oct 92
-- Last Modified: 17 Feb 93
--
-------------------------------------------------------------------------

Const
  N: 2;   -- and two only

Type
  pid: Scalarset(N);
  label_t: Enum{L0,   -- : non critical section; Q1 := true;
                L1,   -- : turn := 1;
                L2,   -- : wait until not Q2 or turn = 2
                L3,   -- : critical section
                L4    -- : Q1 := false;
               };

Var
  P: Array [ pid ] Of label_t;
  Q: Array [ pid ] Of boolean;
  turn: pid;

Ruleset i: pid Do

  Rule "execute assign Qi true"
    P[i] = L0
  ==>
  Begin
    Q[i] := true;
    P[i] := L1;
  End;

  Rule "execute assign turn i"
    P[i] = L1
  ==>
  Begin
    turn := i;
    P[i] := L2;
  End;

  Ruleset j: pid Do
    Rule "execute wait until"
      P[i] = L2 & j != i
    ==>
    Begin
      If ( !Q[j] | turn = j ) Then
        P[i] := L3;
      End; --If
    End;
  End; --Ruleset

  Rule "execute critical section"
    P[i] = L3
  ==>
  Begin
    P[i] := L4;
  End;

  Rule "execute assign Qi false"
    P[i] = L4
  ==>
  Begin
    Q[i] := false;
    P[i] := L0;
  End;

  Startstate
  Begin
    For k:pid Do
      P[k] := L0;
      Q[k] := false;
    End; --For
    turn := i;
  End;

End; --Ruleset

Invariant "mutual exclusion"
  ! Exists i1: pid Do
      Exists i2: pid Do
        ( i1 != i2
        & P[i1] = L3   -- critical
        & P[i2] = L3   -- critical
        )
      End --exists
    End; --Exists

/******************

Summary of Result (using release 2.3):

1) 2 processes

   breadth-first search
   9 bits (2 bytes) per state
   26 states
   52 rules fired
   0.1s in sun sparc 2 station

******************/
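What Murphi does with the file above is a breadth-first enumeration of reachable states with the invariant checked in every one of them. The following added example (not from the notes and not part of the Murphi distribution) does the same in Python for three two-process locks: Peterson's algorithm transcribed rule for rule from 2_peterson.m, and the two flawed locks the outline calls lock1 and lock2, modelled here as Herlihy and Shavit's LockOne (flags only: set your flag, wait until the other flag is down) and LockTwo (turn only: set victim to yourself, wait until the other process overwrites it). Besides the mutual-exclusion safety invariant it checks two things the Murphi file does not: a reachable state with no enabled rule (a deadlock, which lock1 exhibits) and a process stuck at its wait label while the other process is idle in its non-critical section (the symptom of lock2's liveness failure). The function names and the state encoding `(P, Q, turn)` are this example's own assumptions.

```python
"""Explicit-state model checking of Peterson's algorithm, lock1 and lock2.

Added example, not from the notes or the Murphi distribution.  State is a
tuple (P, Q, turn) mirroring the Var section of 2_peterson.m; labels follow
the file: L0 non-critical, L1 first assignment, L2 wait, L3 critical, L4 release.
"""
from collections import deque

L0, L1, L2, L3, L4 = "L0", "L1", "L2", "L3", "L4"


def upd(t, i, v):
    """Return tuple t with position i replaced by v (states stay immutable)."""
    return t[:i] + (v,) + t[i + 1:]


def two_starts():
    # The Murphi Startstate sits inside "Ruleset i", so there is one start
    # state per initial value of turn.
    return [((L0, L0), (False, False), i) for i in (0, 1)]


def peterson(state):
    """Enabled rules of 2_peterson.m: yields (process, rule name, next state)."""
    P, Q, turn = state
    for i in (0, 1):
        j = 1 - i
        if P[i] == L0:
            yield i, f"P{i}: Q[{i}] := true", (upd(P, i, L1), upd(Q, i, True), turn)
        elif P[i] == L1:
            yield i, f"P{i}: turn := {i}", (upd(P, i, L2), Q, i)
        elif P[i] == L2 and (not Q[j] or turn == j):     # "execute wait until"
            yield i, f"P{i}: enter critical section", (upd(P, i, L3), Q, turn)
        elif P[i] == L3:
            yield i, f"P{i}: leave critical section", (upd(P, i, L4), Q, turn)
        elif P[i] == L4:
            yield i, f"P{i}: Q[{i}] := false", (upd(P, i, L0), upd(Q, i, False), turn)


def lock_one(state):
    """lock1 (LockOne): flag[i] := true; wait until not flag[j].  turn unused."""
    P, Q, turn = state
    for i in (0, 1):
        j = 1 - i
        if P[i] == L0:
            yield i, f"P{i}: flag[{i}] := true", (upd(P, i, L2), upd(Q, i, True), turn)
        elif P[i] == L2 and not Q[j]:
            yield i, f"P{i}: enter critical section", (upd(P, i, L3), Q, turn)
        elif P[i] == L3:
            yield i, f"P{i}: leave critical section", (upd(P, i, L4), Q, turn)
        elif P[i] == L4:
            yield i, f"P{i}: flag[{i}] := false", (upd(P, i, L0), upd(Q, i, False), turn)


def lock_two(state):
    """lock2 (LockTwo): victim := i; wait until victim != i; unlock is a no-op."""
    P, Q, turn = state
    for i in (0, 1):
        if P[i] == L0:
            yield i, f"P{i}: victim := {i}", (upd(P, i, L2), Q, i)
        elif P[i] == L2 and turn != i:
            yield i, f"P{i}: enter critical section", (upd(P, i, L3), Q, turn)
        elif P[i] == L3:
            yield i, f"P{i}: leave critical section", (upd(P, i, L4), Q, turn)
        elif P[i] == L4:
            yield i, f"P{i}: back to non-critical section", (upd(P, i, L0), Q, turn)


def explore(rules, starts):
    """Breadth-first search; returns parent links for every reachable state."""
    parent = {s: None for s in starts}
    frontier = deque(starts)
    while frontier:
        s = frontier.popleft()
        for _, rule, t in rules(s):
            if t not in parent:
                parent[t] = (s, rule)
                frontier.append(t)
    return parent


def trace(parent, s):
    """Rule sequence from a start state to s, i.e. a counterexample."""
    path = []
    while parent[s] is not None:
        s, rule = parent[s]
        path.append(rule)
    return path[::-1]


def analyse(rules, starts=None):
    """Report state count and, per property, the first counterexample or None."""
    parent = explore(rules, starts or two_starts())
    report = {"states": len(parent), "mutex": None, "deadlock": None, "waiting_alone": None}
    for s in parent:
        P = s[0]
        succ = list(rules(s))
        if report["mutex"] is None and P == (L3, L3):       # safety invariant
            report["mutex"] = trace(parent, s)
        if report["deadlock"] is None and not succ:          # no rule enabled
            report["deadlock"] = trace(parent, s)
        for i in (0, 1):
            stuck = P[i] == L2 and not any(k == i for k, _, _ in succ)
            if report["waiting_alone"] is None and stuck and P[1 - i] == L0:
                report["waiting_alone"] = trace(parent, s)
    return report


if __name__ == "__main__":
    for name, rules in [("Peterson", peterson), ("lock1", lock_one), ("lock2", lock_two)]:
        print(name, analyse(rules))
```

For Peterson the explorer visits exactly the 26 states reported in the Murphi summary above and finds no counterexample for any of the three properties. For lock1 it reports the two-rule trace in which both processes raise their flags and then neither can ever enter; for lock2 it reports the one-rule trace in which a single process sets victim to itself and then waits for a competitor that may never arrive. The third property is only an approximation of liveness: a reachability check can flag a process that is blocked with nobody else contending, but a real liveness assertion (every waiting process eventually enters) needs reasoning over infinite executions, which is the distinction the outline draws between safety and liveness assertions.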