proving liveness properties of concurrent programs susan owlcki & leslie lamport (1982)
DESCRIPTION
Proving Liveness Properties of Concurrent Programs SUSAN OWlCKI & LESLIE LAMPORT (1982). Presented by: Yaniv David Seminar in Distributed Algorithms Spring 2013. Intro. “This paper presents a method for proving properties of concurrent programs ”. - PowerPoint PPT PresentationTRANSCRIPT
Proving Liveness Properties of Concurrent Programs
SUSAN OWlCKI & LESLIE LAMPORT(1982)
Presented by: Yaniv DavidSeminar in Distributed Algorithms Spring 2013
Intro
“While we hope that logicians will find this work interesting, our goal is to define a method that programmers will find useful.”
“This paper presents a method for proving properties of concurrent programs”
AgendaDefinitions & tools:
Safety & Liveness propertiesOur language Intro to temporal logicIntro to proof lattices
Uses:Proving safety propertiesProving liveness properties
“real” example – proving a program which uses Semaphores
Safety properties
Partial correctness ({P}{Q})Absence of deadlockMutual exclusion
Liveness properties
We will want that:Each request for service will eventually be answered.A message will eventually reach its destination.A process will eventually enter its critical section.
We assume that:Termination is not our problem OS scheduling is fair (but we know its not enough)
Our (computer) languageinteger x, y ;a: <x:=O>;b: cobegin c: < y := 0 >; d: cobegin e: < y := 2 * y > coend;
g: while < y = 0 > doh: < x := x + 1> od
coend ;j: < x := 2 * y >;
4 things to note
Our language – program semanticsA Program state - <x = 1, y = 3;ready = {e,g}>
Marked as Si (for some i)
A sequence of program states is a Marked as
Program stateinteger x, y ;a: <x:=O>;b: cobegin c: < y := 0 >; d: cobegin e: < y := 2 * y > coend;
g: while < y = 0 > doh: < x := x + 1> od
coend ;j: < x := 2 * y >;
<x = 1, y = 3;ready = {e,g}>
Execution sequenceinteger x, y ;a: <x:=O>;b: cobegin c: < y := 0 >; d: cobegin e: < y := 2 * y > coend;
g: while < y = 0 > do h: < x := x + 1> od
coend ;j: < x := 2 * y >;
= (2, 7; {a}) (0, 7; (c, g}) = (0, 0; {e, f, g}) = (0, 0; (e, f, h})= (1,0; {e, f , g ) ) = (1, 3; {e,g}); = (1, 6; {g)); = (1, 6; (j}); = = . . . . . (12, 6; {}).σ={𝑠0 ,𝑠1… }
Revisit
Σ
Fairness
Transition
Valid starting
pointDo we have to start from the start?
No! we have “tail closure”
Note – this is an overkill
Lets play a gameinteger x, y ;a: <x:=O>;b: cobegin c: < y := 0 >; d: cobegin e: < y := 2 * y > coend;
g: while < y = 0 > doh: < x := x + 1> od
coend ;j: < x := 2 * y >;
<x=0,y=2,{a,c}>legal?
Temporal logic
Stating program requirementsand a set of rules for reasoning about them
Temporal logic – 2 types
Immediate Assertions - Function from program state (<x,y,ready>) to Bool
Temporal Assertions – Function from execution sequence (, ,…) to Bool
Immediate AssertionsFor values(states):
i.e: Logical operators - ,~, Box = now and foreverDiamond - now or sometime in the future
For control:At A , in A and after A
(huh?)
Control - At statement (just before)
s at A if and only ifIF A is a:(x:=e) THEN aready(s);IF A is a: while (B) do C od THEN a ready(s);IF A is cobegin B1 | . . . | Bn coend
THEN (s at B1) and ... and (s at Bn);IF A is B;C THEN s at B.
Control - In statement
integer x, y ;a: <x:=O>;b: cobegin c: < y := 0 >; d: cobegin e: < y := 2 * y >
f: < y := 4 * y > coend;
g: while < y = 0 > do h: < x := x + 1> od
coend ;j: < x := 2 * y >;
in a at ain g at g at hin d at e at fin b at c in d in g
The immediate assertion in A holds for states where control is at the beginning of A or somewhere inside A.
Control – (immediately )After statements after A if and only if
IF A is the entire program THEN (ready(s) ={})IF B is while(C) do A od THEN s at BIF B is cobegin...|A|.., coend
THEN ( s after B) or([ s in B ) and not ) s in (A;]
IF B isA;C THEN s at C;IF B is C;A THEN s after B.
Temporal Assertions
if and only if P
Can we build a dimond from a box?Yes -
iff ;Same for And and Not
If-then relations with temporal
(in the paper )P is false in first state, or Q is true in all states
) (another name for this is…)) =>
Some Theorems
TL3: TL6: TL7(transitivity):
)TL9:
Proof latice
Visual way to prove with temporal logic
Example of proof latice
Notice – single entry single exit(full definition in the paper)
Expended & Abbreviated
Safety
“something bad never happens”
What is safe?
Revisit partial correctness :
What more could we want?Mutual exclusion
Mutual exclusion
boolean P1,P2 ;c: cobegin al : <Pl := true>; b1 : if <~P2> then CS1 : do_somthings_1 fi; a2 : <P2:= true>; b2 : if <~P1> then CS2 : do_somthings_2 ficoend
What should our term be?
at What should our invariant be?
¿
Liveness
Something good eventually does happen
Express progress with axioms
ATOMIC ASSIGNMENT AXIOM: For any atomic assignment statement S:at S after Swhile CONTROL FLOW AXIOM:
For the statement w: while (b) do s: S od, at w (at s V after w)
Control flow rulesCONCATENATION CONTROL FLOW –
For the statement S ; T
cobegin CONTROL FLOW – For the statement c: cobegin S ;T coend
Combine values with control rules boolean p ; integer x ;a: cobegin
b: <p := false>;
c: while <p> do d: <x := x+1> odcoend
ATOMIC STATEMENT RULE - For any atomic statement <S> :
Extend to non-atomic
ATOMIC STATEMENT RULE - For any atomic statement <S> :
GENERAL STATEMENT RULE:
SYNCHRONIZATION PRIMITIVES
We will see the fair semaphore
Fair semaphore actionsOPERATION AXIOMS For the statement l: < Signal(s) >:
Safety: Signal(s) {Q}Liveness: As known – this will always terminates
OPERATION AXIOMS For the statement l: < Wait(s) >:Safety: Wait(s) {Q s 0}.Liveness: This might not terminate, so all the previous axioms about progress don’t hold, but we defined when
(maybe )Un-fair semaphore actionsOPERATION AXIOMS For the statement l: < Wait(s)>:
Safety: Wait(s) {Q}Liveness: As known – this will always terminates
OPERATION AXIOMS For the statement l: < Signal(s)>:Safety: Signal(s) {Q s 0}.Liveness: This might not terminate, so all the previous axioms about progress don’t hold, but we defined when
Simple examplesemaphore s ;ao: < s := 1 > ;cobegin
w1: while < true >do
NC1 : noncritical section 1;a1 : < Wait(s)> ;CS1 : critical section 1 ;d1: < Signal(s) >;
od;
w2: while < true >do
NC2 : noncritical section 2 ;a2 : < Wait(s)> ;CS2 : critical section 2 ;d2 : < Signal(s)>;
Odcoend
Simple example proof
= #() #() number of processes i such that is true
Simple example – Safety (first)semaphore s ;a0: < s := 1 > ;cobegin
w1: while < true >do
NC1 : noncritical section 1;a1 : < Wait(s)> ;CS1 : critical section 1 ;d1: < Signal(s) >;
od;
w2: while < true >do
NC2 : noncritical section 2 ;a2 : < Wait(s)> ;CS2 : critical section 2 ;d2 : < Signal(s)>;
Odcoend = #()
𝑎𝑡 𝑎 0→□ (𝐼 )
Simple example proof - liveness
= #() #() number of processes i such that is true
Simple example – Safety (first)semaphore s ;a0: < s := 1 > ;cobegin w1: while < true > do NC1 : noncritical section 1; a1 : < Wait(s)> ; CS1 : critical section 1 ; d1: < Signal(s) >;od; w2: while < true > do NC2 : noncritical section 2 ; a2 : < Wait(s)> ; CS2 : critical section 2 ; d2 : < Signal(s)>; Odcoend
= #()
(𝑎𝑡 𝑎 0⋀ □ ◊ 𝑖𝑛𝐶𝑆2)→(𝑎𝑡 𝑎1⋀⇝𝐶𝑆1)
AN (extended) EXAMPLE: MUTUAL EXCLUSION
Not today! (you are free to review it yourself)
CONCLUSIONWe learned some useful tools:
Temporal logicProof Lattices
We have considered two kinds of correctness properties for concurrent programs:
Safety properties - stating that some assertion always holds.Liveness properties - stating that some assertion will eventually hold.
A note about Man VS Machine
<EOF>
Questions?