CONCURRENCY, INTUITION AND FORMAL VERIFICATION: YES, WE CAN! - - PowerPoint PPT Presentation

CONCURRENCY, INTUITION AND FORMAL VERIFICATION: YES, WE CAN! BEN-ARI’S TWIN-PROCESS CONUNDRUM

MATT PEDERSEN & PETER WELCH

Communicating Process Architectures 2017 Fringe

The Problem

¨ Professor Ben-Ari used the problem for a decade

(described in “A model checking primer”)

The Problem

¨ 2 Processes P and Q run concurrently ¨ Both update a shared variable n (initially 0) ten

• times. Each update is as follows:

¤ Read n ¤ Increment it locally ¤ Write n back

Pseudo Code

integer n = 0; process P integer regP = 0; do 10 times load n into regP increment regP store regP into n end process Q integer regQ = 0; do 10 times load n into regQ increment regQ store regQ into n end

Possible values for n?

The Problem

¨ Professor Ben-Ari used the problem for a decade ¨ Told his students the value would be between 10

and 20

The Problem

¨ Professor Ben-Ari used the problem for a decade. ¨ Told his students the value would be between 10

and 20.

¨ One day a student of his got the value 9 ! ¨ Actually any number between 2 and 20 is possible.

What do we do now?

¨ Start by proving that we can get 2, and how.

Problem CSP FDR Trace Assertion

A CSP Model

¨ Channels:

channel load, store : {0..20}
 channel kill

¨ Increment function:

inc (x) = 
 if x >= 20 then 
 20 
 else 
 x + 1

A CSP Model

¨ The process itself (P and Q):

P = ; x:<0..9> @ load ? n à 
 store ! inc (n) à 
 SKIP

A CSP Model

¨ A process representing n:

Var (n) =
 store ? x à Var (x)
 []
 load ! n à Var (n)
 []
 kill à SKIP -- terminate

A CSP Model

¨ A checking process

PP_check =
 (P ||| P);
 load ? n à
 if n == 2 then STOP
 else kill -> SKIP

A CSP Model

¨ The entire system:

System =
 PP_check
 [| {| load, store, kill |} |]
 Var (0)

Analysis of the Model

PP_check =
 (P ||| P);
 load ? n à
 if n == 2 then STOP
 else kill -> SKIP

¨ If this process always terminates the value of n

cannot be 2.

¨ assert SKIP [FD= System \ Events


checks if System always terminates.

Analysis of the Model

Trace leading to n=2

Time P Q n Load 0 1 Load 0 2 Store 1 1 3 Load 1 1 4 Store 2 2 5-16 … 2-8 17 Load 8 8 18 Store 9 9 19 Store 1 1 20 Load 1 1 21 Load 1 1 22 Store 2 2 23-36 … 2-9 37 Load 9 9 38 Store 10 10 39 Store 2 2

Aside

¨ Did the STOP cause lack of termination?

PP_check =
 (P ||| P);
 load ? n à
 if n == 2 then STOP
 else kill -> SKIP

Aside

¨ Did the STOP cause lack of termination? ¨ Consider this:

PP_no_check = (P ||| P); 
 kill à SKIP

¨ Terminates just fine

Correct Behaviour

¨ Introduce a mutex:

channel wait, signal
 
 Mutex =
 wait à signal à Mutex
 []
 kill à SKIP

Add use of mutex to P process

¨ Introduce the mutex into the P process (now called

P’): P’ = ; x:<0..9> @
 wait à
 load ? N à store ! inc (n) à
 signal à SKIP

Wire up the system

¨ Lets wire it all up (2 processes and a check):

PP_check’ = (P’ ||| P’);
 load ? n à
 if n != 20 then STOP
 else kill à SKIP


Wire up the system

¨ Wire up the entire system and add the mutex:

SYSTEM’ =
 PP_check’
 [| {| load, store, kill |} |]
 Var (0)
 
 SAFE_SYSTEM =
 SYSTEM’
 [| {| wait, signal, kill |} |]
 Mutex

FDR check the SAFE_SYSTEM

¨ Check if the SAFE_SYSTEM terminates:

assert SKIP [FD= SAFE_SYSTEM \ Events

¨ It does!

¤ 20 is the only value the variable can have upon termination.

• ccam-pi demo