Lecture 2
Recall
• A state is an assignment of values to all variables
• A step is a pair of states
• A stuttering step wrt some variable leaves the variable unchanged
• An action is a predicate over a pair of states
• If x is a variable in the old state, then x' is the same variable in the new state
• A behavior is an infinite sequence of states (with an initial state)
• A specification characterizes the initial state and actions
Spec that generates all prime numbers

------------------------------- MODULE prime -------------------------------
EXTENDS Naturals
VARIABLE p    \* the prime generated most recently

\* q is prime iff q > 1 and no r in 2..(q-1) divides it
isPrime(q) == q > 1 /\ \A r \in 2..(q-1): q % r /= 0

TypeInvariant == isPrime(p)

Init == p = 2

\* the next value of p is the smallest prime larger than the current one
Next == p' > p /\ isPrime(p') /\ \A q \in (p+1)..(p'-1): ~isPrime(q)

Spec == Init /\ [][Next]_p

THEOREM Spec => []TypeInvariant
=============================================================================
Some more terms
• A state function is a first-order logic expression
• A state predicate is a Boolean state function
• A temporal formula is an assertion about behaviors
• A theorem of a specification is a temporal formula that holds over every behavior of the specification
• If $S$ is a specification and $I$ is a predicate and $S \Rightarrow \Box I$ is a theorem, then we call $I$ an invariant of $S$.
Temporal formulas (based on Chapter 8 of Specifying Systems)
• A temporal formula $F$ assigns a Boolean value to a behavior $\sigma$
• $\sigma \models F$ means that $F$ holds over $\sigma$
• If $P$ is a state predicate, then $\sigma \models P$ means that $P$ holds over the first state in $\sigma$
• If $A$ is an action, then $\sigma \models A$ means that $A$ holds over the first two states in $\sigma$
  • i.e., the first step in $\sigma$ is an $A$ step
  • note that a state predicate is simply an action without primed variables
• If $A$ is an action, then $\sigma \models [A]_v$ means that the first step in $\sigma$ is an $A$ step or a stuttering step with respect to $v$
☐ Always
• $\sigma \models \Box F$ means that $F$ holds over every suffix of $\sigma$
• More formally
  • Let $\sigma^{+n}$ be $\sigma$ with the first $n$ states removed
  • Then $\sigma \models \Box F \;\triangleq\; \forall n \in \mathbb{N}: \sigma^{+n} \models F$
Boolean combinations of temporal formulas
• $\sigma \models (F \land G) \;\triangleq\; (\sigma \models F) \land (\sigma \models G)$
• $\sigma \models (F \lor G) \;\triangleq\; (\sigma \models F) \lor (\sigma \models G)$
• $\sigma \models \lnot F \;\triangleq\; \lnot(\sigma \models F)$
• $\sigma \models (F \Rightarrow G) \;\triangleq\; (\sigma \models F) \Rightarrow (\sigma \models G)$
• $\sigma \models (\exists r : F) \;\triangleq\; \exists r : \sigma \models F$
• $\sigma \models (\forall r \in S : F) \;\triangleq\; \forall r \in S : \sigma \models F$ (if $S$ is a constant set)
Example
What is the meaning of $\sigma \models \Box(x = 1 \Rightarrow \Box(y > 0))$?

$\sigma \models \Box(x = 1 \Rightarrow \Box(y > 0))$
$\equiv \forall n \in \mathbb{N}: \sigma^{+n} \models (x = 1 \Rightarrow \Box(y > 0))$
$\equiv \forall n \in \mathbb{N}: (\sigma^{+n} \models x = 1) \Rightarrow (\sigma^{+n} \models \Box(y > 0))$
$\equiv \forall n \in \mathbb{N}: (\sigma^{+n} \models x = 1) \Rightarrow (\forall m \in \mathbb{N}: \sigma^{+n+m} \models y > 0)$

If x = 1 in some state, then henceforth y > 0 in all subsequent states.
Not: once x = 1, x will always be 1. That would be $\sigma \models \Box(x = 1 \Rightarrow \Box(x = 1))$
Not every temporal formula is a TLA+ formula
• TLA+ formulas are temporal formulas that are invariant under stuttering
  • They hold even if you add or remove stuttering steps
• Examples
  • $P$ if $P$ is a state predicate
  • $\Box P$ if $P$ is a state predicate
  • $\Box[A]_v$ if $A$ is an action and $v$ is a state variable (or even a state function)
• But not
  • $x' = x + 1$: not satisfied by $x = 1 \to x = 1 \to x = 2$
  • $[x' = x + 1]_x$: satisfied by $x = 1 \to x = 1 \to x = 3$ but not by $x = 1 \to x = 3$
  • Yet $\Box[x' = x + 1]_x$ is a TLA+ formula!
HourClock revisited
Module HourClock ($hr$ is a parameter of the specification HourClock)
• Variable $hr$
• $HCini \triangleq hr \in \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$
• $HCnxt \triangleq hr' = (hr \bmod 12) + 1$
• $HC \triangleq HCini \land \Box[HCnxt]_{hr}$
◇ Eventually
$\Diamond F \;\triangleq\; \lnot\Box\lnot F$

$\sigma \models \Diamond F$
$\equiv \sigma \models \lnot\Box\lnot F$
$\equiv \lnot(\sigma \models \Box\lnot F)$
$\equiv \lnot(\forall n \in \mathbb{N}: \sigma^{+n} \models \lnot F)$
$\equiv \lnot(\forall n \in \mathbb{N}: \lnot(\sigma^{+n} \models F))$
$\equiv \exists n \in \mathbb{N}: \sigma^{+n} \models F$
Eventually an $A$ step occurs…
$\Diamond\langle A \rangle_v \;\triangleq\; \lnot\Box\lnot\langle A \rangle_v$

$\sigma \models \Diamond\langle A \rangle_v$
$\equiv \sigma \models \lnot\Box\lnot\langle A \rangle_v$
$\equiv \lnot(\sigma \models \Box\lnot\langle A \rangle_v)$
$\equiv \lnot(\forall n \in \mathbb{N}: \sigma^{+n} \models \lnot\langle A \rangle_v)$
$\equiv \lnot(\forall n \in \mathbb{N}: \sigma^{+n} \models (\lnot A \lor v' = v))$
$\equiv \exists n \in \mathbb{N}: \sigma^{+n} \models (A \land v' \neq v)$
HourClock with liveness (a clock that never stops)
Module HourClock
• Variable $hr$
• $HCini \triangleq hr \in \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$
• $HCnxt \triangleq hr' = (hr \bmod 12) + 1$
• $HC \triangleq HCini \land \Box[HCnxt]_{hr}$
• $LiveHC \triangleq HC \land \Box(\Diamond\langle HCnxt \rangle_{hr})$
Module Channel with Liveness
Constant $Data$
Variable $chan$
$TypeInvariant \triangleq chan \in [val: Data,\ rdy: \{0,1\},\ ack: \{0,1\}]$
$Init \triangleq chan.val \in Data \land chan.rdy \in \{0,1\} \land chan.ack = chan.rdy$
$Send(d) \triangleq chan.rdy = chan.ack \land chan' = [val \mapsto d,\ rdy \mapsto 1 - chan.rdy,\ ack \mapsto chan.ack]$
$Recv \triangleq chan.rdy \neq chan.ack \land chan' = [val \mapsto chan.val,\ rdy \mapsto chan.rdy,\ ack \mapsto 1 - chan.ack]$
$Next \triangleq (\exists d \in Data: Send(d)) \lor Recv$
$Spec \triangleq Init \land \Box[Next]_{chan}$
$LiveSpec \triangleq Spec \land \Box(\Diamond\langle Next \rangle_{chan})$ ???

Too strong: if there is nothing to send, that should be OK.

Module Channel with Liveness (revised)
$LiveSpec \triangleq Spec \land \Box(chan.rdy \neq chan.ack \Rightarrow \Diamond\langle Recv \rangle_{chan})$
Weak Fairness as a liveness condition
• $\mathrm{ENABLED}\,\langle A \rangle_v$ means that an $\langle A \rangle_v$ step is possible from the current state
  • It is a state predicate: it holds when $A$'s state-predicate conjuncts all hold
• $WF_v(A) \triangleq \Box(\Box\,\mathrm{ENABLED}\,\langle A \rangle_v \Rightarrow \Diamond\langle A \rangle_v)$
• HourClock: $WF_{hr}(HCnxt)$
• Channel: $WF_{chan}(Recv)$
(surprising) Weak Fairness equivalence
$WF_v(A) \triangleq \Box(\Box\,\mathrm{ENABLED}\,\langle A \rangle_v \Rightarrow \Diamond\langle A \rangle_v)$
• $\equiv \Box\Diamond\lnot\mathrm{ENABLED}\,\langle A \rangle_v \lor \Box\Diamond\langle A \rangle_v$
• $\equiv \Diamond\Box\,\mathrm{ENABLED}\,\langle A \rangle_v \Rightarrow \Box\Diamond\langle A \rangle_v$
• Always, if $A$ is enabled forever, then an $A$ step eventually occurs
• $A$ is infinitely often disabled, or infinitely many $A$ steps occur
• If $A$ is eventually enabled forever, then infinitely many $A$ steps occur
Strong Fairness
$SF_v(A) \triangleq \Diamond\Box\lnot\mathrm{ENABLED}\,\langle A \rangle_v \lor \Box\Diamond\langle A \rangle_v$
• $\equiv \Box\Diamond\,\mathrm{ENABLED}\,\langle A \rangle_v \Rightarrow \Box\Diamond\langle A \rangle_v$
• $A$ is eventually disabled forever, or infinitely many $A$ steps occur
• If $A$ is infinitely often enabled, then infinitely many $A$ steps occur

$SF_v(A)$: an $A$ step must occur if $A$ is continually enabled
$WF_v(A)$: an $A$ step must occur if $A$ is continuously enabled
As always, better to make the weaker assumption if you can
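The semantics of ☐, ◇, [A]_v and ⟨A⟩_v from the earlier slides and the WF/SF definitions above, evaluated on ultimately periodic behaviors, as an added Python example that is not part of the lecture or of Specifying Systems. It reuses the lecture's HourClock action HCnxt; the helper names (state, suffix, always, eventually, boxed, angled, WF, SF), the constructed behaviors stuck, ticking and flicker, and the illustrative action A are assumptions of this example, and ENABLED is passed in as an explicit state predicate rather than computed from the action.

```python
# Added example (not from the lecture): evaluate the temporal formulas above on
# "lasso" behaviors (prefix states, then a loop repeated forever), the shape of
# every counterexample a model checker reports for a finite-state spec.
# A formula is a function behavior -> bool, so "sigma |= F" is just F(sigma).
def state(b, i):                 # i-th state of the infinite state sequence
    pre, loop = b
    return pre[i] if i < len(pre) else loop[(i - len(pre)) % len(loop)]
def suffix(b, n):                # sigma^{+n}: drop the first n states
    pre, loop = b
    if n < len(pre):
        return (pre[n:], loop)
    k = (n - len(pre)) % len(loop)
    return ([], loop[k:] + loop[:k])
def always(F):                   # sigma |= []F  <=>  forall n: sigma^{+n} |= F
    return lambda b: all(F(suffix(b, n)) for n in range(len(b[0]) + len(b[1])))
def eventually(F):               # <>F == ~[]~F  <=>  exists n: sigma^{+n} |= F
    return lambda b: any(F(suffix(b, n)) for n in range(len(b[0]) + len(b[1])))
def implies(F, G):
    return lambda b: (not F(b)) or G(b)
def pred(P):                     # state predicate: holds of the first state
    return lambda b: P(state(b, 0))
def step(A):                     # action: holds of the first step (states 0, 1)
    return lambda b: A(state(b, 0), state(b, 1))
def boxed(A, v):                 # [A]_v  == A \/ v' = v   (stuttering allowed)
    return lambda s, t: A(s, t) or t[v] == s[v]
def angled(A, v):                # <<A>>_v == A /\ v' /= v (non-stuttering step)
    return lambda s, t: A(s, t) and t[v] != s[v]
def WF(A, v, en):                # WF_v(A) == []( []ENABLED <<A>>_v => <><<A>>_v )
    return always(implies(always(pred(en)), eventually(step(angled(A, v)))))
def SF(A, v, en):                # SF_v(A) == []<>ENABLED <<A>>_v => []<><<A>>_v
    return implies(always(eventually(pred(en))), always(eventually(step(angled(A, v)))))

# HourClock (HCnxt is enabled in every state). Constructed behaviors: a clock
# that ticks once and then stutters forever, and one that keeps ticking.
HCnxt = lambda s, t: t["hr"] == s["hr"] % 12 + 1
stuck = ([{"hr": 11}, {"hr": 12}], [{"hr": 12}])
ticking = ([], [{"hr": h} for h in range(1, 13)])
def hourclock(b):                # (HC's []-part, LiveHC, WF_hr(HCnxt))
    HC = always(step(boxed(HCnxt, "hr")))
    LiveHC = always(eventually(step(angled(HCnxt, "hr"))))
    return HC(b), LiveHC(b), WF(HCnxt, "hr", lambda s: True)(b)

# WF vs SF: a constructed action A (enabled when x = 1, sets x to 2) that the
# behavior enables infinitely often but never continuously, and never takes.
A = lambda s, t: s["x"] == 1 and t["x"] == 2
flicker = ([], [{"x": 0}, {"x": 1}])
def fairness(b):                 # (WF_x(A), SF_x(A))
    en = lambda s: s["x"] == 1
    return WF(A, "x", en)(b), SF(A, "x", en)(b)
```

The stuck clock satisfies HC but neither LiveHC nor WF_hr(HCnxt), and flicker satisfies WF_x(A) but not SF_x(A), which is exactly the gap between "continuously" and "continually" enabled.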
How important is liveness?
• Liveness rules out behaviors that have only stuttering steps
  • Adds non-triviality to a specification
• In practice, "eventual" is often not good enough
  • Instead, need to specify performance requirements
  • Service Level Objectives (SLOs)
  • Usually done quite informally
A "FIFO" (async buffered FIFO channel) (Chapter 4 of Specifying Systems)
[Figure: channels in and out; Sender → in → buffer → out → Receiver; Sender and Receiver form the environment]