Lecture 2 Recall A state is an assignment of values to all - - PowerPoint PPT Presentation

Lecture 2

Recall

• A state is an assignment of values to all variables
• A step is a pair of states
• A stu'ering step wrt some variable leaves the variable unchanged
• An ac.on is a predicate over a pair of states
• If x is a variable in the old state, then x’ is the same variable in the new state
• A behavior is an infinite sequence of states (with an ini=al state)
• A specifica.on characterizes the ini=al state and ac=ons

Spec that generates all prime numbers

Spec that generates all prime numbers

• ------------------------------ MODULE prime -------------------------------

EXTENDS Naturals VARIABLE p isPrime(q) == q > 1 /\ \A r \in 2..(q-1): q%r /= 0 TypeInvariant == isPrime(p) Init == p = 2 Next == p' > p /\ isPrime(p') /\ \A q \in (p+1)..(p'-1): ~isPrime(q) Spec == Init /\ [] [Next]_p THEOREM Spec => []TypeInvariant

Some more terms

• A state func.on is a first-order logic expression
• A state predicate is a Boolean state func=on
• A temporal formula is an asser=on about behaviors
• A theorem of a specifica=on is a temporal formula that holds over

every behavior of the specifica=on

• If 𝑇 is a specifica=on and 𝐽 is a predicate and 𝑇 ⇒ ☐𝐽 is a theorem

then we call 𝐽 an invariant of 𝑇.

Temporal Formula

Based on Chapter 8 of Specifying Systems

• A temporal formula 𝐺 assigns a Boolean value to a behavior 𝜏
• 𝜏 ⊨ 𝐺 means that 𝐺 holds over 𝜏
• If 𝑄 is a state predicate, then 𝜏 ⊨ 𝑄 means that 𝑄 holds over the first

state in 𝜏

• If 𝐵 is an ac=on, then 𝜏 ⊨ 𝐵 means that 𝐵 holds over the first

two states in 𝜏

• i.e., the first step in 𝜏 is an 𝐵 step
• note that a state predicate is simply an ac=on without primed variables
• If 𝐵 is an ac=on, then 𝜏 ⊨ 𝐵 2 means that the first step in 𝜏 is an 𝐵

step or a stubering step with respect to 𝑤

☐Always

• 𝜏 ⊨ ☐𝐺 means that 𝐺 holds over every suffix of 𝜏
• More formally
• Let 𝜏45 be 𝜏 with the first 𝑜 states removed
• Then 𝜏 ⊨ ☐𝐺 ≜ ∀𝑜 ∈ ℕ: 𝜏45 ⊨ 𝐺

Boolean combina@ons of temporal formulas

• 𝜏 ⊨ (𝐺 ∧ 𝐻) ≜ 𝜏 ⊨ 𝐺 ∧ 𝜏 ⊨ 𝐻
• 𝜏 ⊨ (𝐺 ∨ 𝐻) ≜ 𝜏 ⊨ 𝐺 ∨ 𝜏 ⊨ 𝐻
• 𝜏 ⊨ ¬𝐺 ≜ ¬ 𝜏 ⊨ 𝐺
• 𝜏 ⊨ 𝐺 ⇒ 𝐻 ≜ (𝜏 ⊨ 𝐺) ⇒ 𝜏 ⊨ 𝐻
• 𝜏 ⊨ (∃𝑠: 𝐺) ≜ ∃𝑠: 𝜏 ⊨ 𝐺
• 𝜏 ⊨ ∀𝑠 𝜗 𝑇: 𝐺 ≜ ∀𝑠 𝜗 𝑇: 𝜏 ⊨ 𝐺

// if 𝑇 is a constant set

Example

What is the meaning of 𝜏 ⊨ ☐( 𝑦 = 1 ⇒ ☐ 𝑧 > 0 ) ? 𝜏 ⊨ ☐( 𝑦 = 1 ⇒ ☐ 𝑧 > 0 ) ≡ ∀𝑜 ∈ ℕ: 𝜏45 ⊨ ( 𝑦 = 1 ⇒ ☐ 𝑧 > 0 ) ≡ ∀𝑜 ∈ ℕ: (𝜏45 ⊨ 𝑦 = 1) ⇒ (𝜏45 ⊨ ☐ 𝑧 > 0 ) ≡ ∀𝑜 ∈ ℕ: (𝜏45 ⊨ 𝑦 = 1) ⇒ (∀𝑛 ∈ ℕ: 𝜏45 4M ⊨ 𝑧 > 0 ) If x = 1 in some state, then henceforth y > 0 in all subsequent states Not: once x = 1, x will always be 1. That would be 𝜏 ⊨ ☐( 𝑦 = 1 ⇒ ☐ 𝑦 = 1 )

Not every temporal formula is a TLA+ formula

• TLA+ formulas are temporal formulas that are invariant under stu'ering
• They hold even if you add or remove stubering steps
• Examples
• 𝑄 if 𝑄 is a state predicate
• ☐𝑄 if 𝑄 is a state predicate
• ☐ 𝐵 2 if 𝐵 is an ac=on and 𝑤 is a state variable (or even state func=on)
• But not
• 𝑦N = 𝑦 + 1

not sa=sfied by 𝑦 = 1 ⟶ 𝑦 = 1 ⟶ 𝑦 = 2

• 𝑦N = 𝑦 + 1 R

sa=sfied by 𝑦 = 1 ⟶ 𝑦 = 1 ⟶ 𝑦 = 3 but not by 𝑦 = 1 ⟶ 𝑦 = 3

• Yet ☐ 𝑦N = 𝑦 + 1

R is a TLA+ formula!

HourClock revisi@ed

Module HourClock

• Variable 𝒊𝒔
• HCini ≜ ℎ𝑠 ∈ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
• HCnxt ≜ ℎ𝑠′ = ℎ𝑠 mod 12 + 1
• HC ≜ HCini ⋀ ◻[HCnxt]bc

ℎ𝑠 is a parameter of the specifica=on HourClock

Eventually F

◇𝐺 ≜ ¬☐¬𝐺 𝜏 ⊨ ◇𝐺 ≡ 𝜏 ⊨ ¬☐¬𝐺 ≡ ¬(𝜏 ⊨ ☐¬𝐺) ≡ ¬(∀𝑜 ∈ ℕ: 𝜏45 ⊨ ¬𝐺) ≡ ¬(∀𝑜 ∈ ℕ: ¬(𝜏45 ⊨ 𝐺)) ≡ ∃𝑜 ∈ ℕ: (𝜏45 ⊨ 𝐺)

Eventually an 𝐵 step occurs…

◇ 𝐵 2 ≜ ¬☐ ¬𝐵 2 𝜏 ⊨ ◇ 𝐵 2 ≡ 𝜏 ⊨ ¬☐ ¬𝐵 2 ≡ ¬(𝜏 ⊨ ☐ ¬𝐵 2) ≡ ¬(∀𝑜 ∈ ℕ: 𝜏45 ⊨ ¬𝐵 2) ≡ ¬(∀𝑜 ∈ ℕ: 𝜏45 ⊨ (¬𝐵 ∨ 𝑤N = 𝑤)) ≡ ∃𝑜 ∈ ℕ: 𝜏45 ⊨ 𝐵 ∧ 𝑤N ≠ 𝑤

HourClock with liveness

clock that never stops

Module HourClock

• Variable ℎ𝑠
• HCini ≜ ℎ𝑠 ∈ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
• HCnxt ≜ ℎ𝑠′ = ℎ𝑠 mod 12 + 1
• HC ≜ HCini ⋀ ◻[HCnxt]bc
• LiveHC ≜ HC ⋀ ☐(◇ HCnxt bc)

Module Channel with Liveness

Send(d) ≜ 𝑑ℎ𝑏𝑜.rdy = 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏𝑚 ⟼ 𝑒, 𝑠𝑒𝑧 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Init ≜ 𝑑ℎ𝑏𝑜.val ∈ 𝐸𝑏𝑢𝑏 ∧ 𝑑ℎ𝑏𝑜.rdy ∈ 0, 1 ∧ 𝑑ℎ𝑏𝑜.ack = 𝑑ℎ𝑏𝑜.rdy TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} Next ≜ ∃𝑒 ∈ 𝐸𝑏𝑢𝑏: 𝑇𝑓𝑜𝑒 𝑒 ∨ Recv Spec ≜ Init⋀ ◻[Next]vbw5 R𝑓𝑑𝑤 ≜ 𝑑ℎ𝑏𝑜.rdy ≠ 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏l ⟼ 𝑑ℎ𝑏𝑜. 𝑤𝑏𝑚, 𝑠𝑒𝑧 ⟼ 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Variable 𝑑ℎ𝑏𝑜 Constant 𝐸𝑏𝑢𝑏 𝑀𝑗𝑤𝑓𝑇𝑞𝑓𝑑 ≜ 𝑇𝑞𝑓𝑑 ⋀ ☐(◇⟨𝑂𝑓𝑦𝑢⟩vbw5) ???

Module Channel with Liveness

Send(d) ≜ 𝑑ℎ𝑏𝑜.rdy = 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏𝑚 ⟼ 𝑒, 𝑠𝑒𝑧 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Init ≜ 𝑑ℎ𝑏𝑜.val ∈ 𝐸𝑏𝑢𝑏 ∧ 𝑑ℎ𝑏𝑜.rdy ∈ 0, 1 ∧ 𝑑ℎ𝑏𝑜.ack = 𝑑ℎ𝑏𝑜.rdy TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} Next ≜ ∃𝑒 ∈ 𝐸𝑏𝑢𝑏: 𝑇𝑓𝑜𝑒 𝑒 ∨ Recv Spec ≜ Init⋀ ◻[Next]vbw5 R𝑓𝑑𝑤 ≜ 𝑑ℎ𝑏𝑜.rdy ≠ 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏l ⟼ 𝑑ℎ𝑏𝑜. 𝑤𝑏𝑚, 𝑠𝑒𝑧 ⟼ 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Variable 𝑑ℎ𝑏𝑜 Constant 𝐸𝑏𝑢𝑏 𝑀𝑗𝑤𝑓𝑇𝑞𝑓𝑑 ≜ 𝑇𝑞𝑓𝑑 ⋀ ☐(◇⟨𝑂𝑓𝑦𝑢⟩vbw5) ??? Too Strong --- If nothing to send that should be ok

Module Channel with Liveness

Send(d) ≜ 𝑑ℎ𝑏𝑜.rdy = 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏𝑚 ⟼ 𝑒, 𝑠𝑒𝑧 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Init ≜ 𝑑ℎ𝑏𝑜.val ∈ 𝐸𝑏𝑢𝑏 ∧ 𝑑ℎ𝑏𝑜.rdy ∈ 0, 1 ∧ 𝑑ℎ𝑏𝑜.ack = 𝑑ℎ𝑏𝑜.rdy TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} Next ≜ ∃𝑒 ∈ 𝐸𝑏𝑢𝑏: 𝑇𝑓𝑜𝑒 𝑒 ∨ Recv Spec ≜ Init⋀ ◻[Next]vbw5 R𝑓𝑑𝑤 ≜ 𝑑ℎ𝑏𝑜.rdy ≠ 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏l ⟼ 𝑑ℎ𝑏𝑜. 𝑤𝑏𝑚, 𝑠𝑒𝑧 ⟼ 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Variable 𝑑ℎ𝑏𝑜 Constant 𝐸𝑏𝑢𝑏 𝑀𝑗𝑤𝑓𝑇𝑞𝑓𝑑 ≜ 𝑇𝑞𝑓𝑑 ⋀ ☐(𝑑ℎ𝑏𝑜. rdy ≠ 𝑑ℎ𝑏𝑜. ack ⇒ ◇⟨𝑆ecv⟩vbw5)

Weak Fairness as a liveness condi@on

• ENABLED ⟨𝐵⟩2 means ac=on A is possible in some state
• State predicate conjuncts all hold
• 𝑋𝐺

2 𝐵 ≜ ☐(☐ENABLED 𝐵 2 ⇒ ◇⟨𝐵⟩2)

• HourClock:

𝑋𝐺

bc(𝐼𝐷𝑜𝑦𝑢)

• Channel:

𝑋𝐺

bc(𝑆𝑓𝑑𝑤)

(surprising) Weak Fairness equivalence

• 𝑋𝐺

2 𝐵 ≜ ☐(☐ENABLED 𝐵 2 ⇒ ◇ 𝐵 2

≡ ☐◇ ¬ENABLED 𝐵 2 ∨ ☐◇⟨𝐵⟩2 ≡ ◇☐ ENABLED 𝐵 2 ⇒ ☐◇ 𝐵 2

• Always, if 𝐵 is enabled forever, then an 𝐵 step eventually occurs
• 𝐵 if infinitely oken disabled or infinitely many 𝐵 steps occur
• If 𝐵 is eventually enabled forever then infinitely many 𝐵 steps occur

Strong Fairness

• 𝑇𝐺

2 𝐵 ≜ ◇☐ ¬ENABLED 𝐵 2 ∨ ☐◇⟨𝐵⟩2

≡ ☐◇ ENABLED 𝐵 2 ⇒ ☐◇ 𝐵 2

• 𝐵 is eventually disabled forever or infinitely many 𝐵 steps occur
• If 𝐵 is infinitely oken enabled then infinitely many 𝐵 steps occur

𝑇𝐺

2 𝐵 : an 𝐵 step must occur if 𝐵 is con=nually enabled

𝑋𝐺

2 𝐵 : an 𝐵 step must occur if 𝐵 is con=nuously enabled

As always, be'er to make the weaker assump.on if you can

How important is liveness?

• Liveness rules out behaviors that have only stubering steps
• Add non-triviality of a specifica=on
• In prac=ce, “eventual” is oken not good enough
• Instead, need to specify performance requirements
• Service Level Objec=ves (SLOs)
• Usually done quite informally

A “FIFO” (async buffered FIFO channel)

Chapter 4 from Specifying Systems

Sender buffer Receiver in

• ut

channels environment

Module Channel

Send(d) ≜ 𝑑ℎ𝑏𝑜.rdy = 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏𝑚 ⟼ 𝑒, 𝑠𝑒𝑧 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] Init ≜ 𝑑ℎ𝑏𝑜.val ∈ 𝐸𝑏𝑢𝑏 ∧ 𝑑ℎ𝑏𝑜.rdy ∈ 0, 1 ∧ 𝑑ℎ𝑏𝑜.ack = 𝑑ℎ𝑏𝑜.rdy TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} Next ≜ ∃𝑒 ∈ 𝐸𝑏𝑢𝑏: 𝑇𝑓𝑜𝑒 𝑒 ∨ Recv Spec ≜ Init⋀ ◻[Next]vbw5 R𝑓𝑑𝑤 ≜ 𝑑ℎ𝑏𝑜.rdy ≠ 𝑑ℎ𝑏𝑜.ack ∧ chan’ = [ 𝑤𝑏l ⟼ 𝑑ℎ𝑏𝑜. 𝑤𝑏𝑚, 𝑠𝑒𝑧 ⟼ 𝑑ℎ𝑏𝑜. 𝑠𝑒𝑧, 𝑏𝑑𝑙 ⟼ 1 − 𝑑ℎ𝑏𝑜. 𝑏𝑑𝑙 ] V𝐛𝐬𝐣𝐛𝐜𝐦𝐟 𝒅𝒊𝒃𝒐 Constant 𝑬𝒃𝒖𝒃

Instan@a@ng a Channel

𝐽𝑜𝐷ℎ𝑏𝑜 ≜ INSTANCE 𝐷ℎ𝑏𝑜𝑜𝑓𝑚 WITH 𝐸𝑏𝑢𝑏 ← 𝑁𝑓𝑡𝑡𝑏𝑕𝑓, 𝑑ℎ𝑏𝑜 ← 𝑗𝑜 TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} InChan!TypeInvariant ≡ 𝑗𝑜 ∈ 𝑤𝑏𝑚: 𝑁𝑓𝑡𝑡𝑏𝑕𝑓, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1}

Instan.a.on is Subs.tu.on!

Parametrized Instan@a@on

(not parameterized instan@a@on J)

𝐽𝑜𝐷ℎ𝑏𝑜 ≜ INSTANCE 𝐷ℎ𝑏𝑜𝑜𝑓𝑚 WITH 𝐸𝑏𝑢𝑏 ← 𝑁𝑓𝑡𝑡𝑏𝑕𝑓, 𝑑ℎ𝑏𝑜 ← 𝑗𝑜 TypeInvariant ≜ 𝑑ℎ𝑏𝑜 ∈ 𝑤𝑏𝑚: 𝐸𝑏𝑢𝑏, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} Chan(in)!TypeInvariant ≡ 𝑗𝑜 ∈ 𝑤𝑏𝑚: 𝑁𝑓𝑡𝑡𝑏𝑕𝑓, 𝑠𝑒𝑧: 0,1 , 𝑏𝑑𝑙: {0,1} 𝐷ℎ𝑏𝑜(𝑑ℎ) ≜ INSTANCE 𝐷ℎ𝑏𝑜𝑜𝑓𝑚 WITH 𝐸𝑏𝑢𝑏 ← 𝑁𝑓𝑡𝑡𝑏𝑕𝑓, 𝑑ℎ𝑏𝑜 ← 𝑑ℎ

Internal (= Non-Interface) Variables

buffer in

• ut

There is no q here But there is a q here Not incorrect, but don’t really want q to be a specifica=on parameter

Hiding Internal Variables

Hiding Internal Variables

Not the normal existen=al quan=fier!!! In temporal logic, this means that for every state in a behavior, there is a value for q that makes Inner(q)!Spec true

• PreYy. Now for something cool!
• Suppose we wanted to implemented a bounded buffer
• That is, ◻𝑚𝑓𝑜 𝑟 ≤ 𝑂 for some constant 𝑂 > 0
• The only place where q is extended is in BufRcv

• PreYy. Now for something cool!
• Suppose we wanted to implemented a bounded buffer
• That is, ◻𝑚𝑓𝑜 𝑟 ≤ 𝑂 for some constant 𝑂 > 0
• The only place where q is extended is in BufRcv

∧ 𝑚𝑓𝑜 𝑟 < 𝑂

Even cooler (but tricky)

If it is a BufRcv step, then 𝑚𝑓𝑜 𝑟 < 𝑂

Even cooler (but tricky)